1 /*
2  * Copyright (c) 2017-2021 Nordic Semiconductor ASA
3  * Copyright (c) 2015-2016 Intel Corporation
4  *
5  * SPDX-License-Identifier: Apache-2.0
6  */
7 
8 #include <zephyr/sys/byteorder.h>
9 
10 
11 #include <zephyr/bluetooth/bluetooth.h>
12 #include <zephyr/bluetooth/hci.h>
13 #include <zephyr/bluetooth/buf.h>
14 
15 #include "common/bt_str.h"
16 
17 #include "hci_core.h"
18 #include "conn_internal.h"
19 #include "keys.h"
20 
21 #define LOG_LEVEL CONFIG_BT_HCI_CORE_LOG_LEVEL
22 #include <zephyr/logging/log.h>
23 LOG_MODULE_REGISTER(bt_br);
24 
/* State of the active BR/EDR inquiry session, published by
 * bt_br_discovery_start() and cleared by bt_br_discovery_reset():
 * the user's completion callback, the caller-owned result array,
 * its capacity and the number of slots currently in use.
 * Note: discovery_results is the only one of the four without static
 * linkage here; whether another translation unit relies on that is not
 * visible in this file.
 */
static bt_br_discovery_cb_t *discovery_cb;
struct bt_br_discovery_result *discovery_results;
static size_t discovery_results_size;
static size_t discovery_results_count;
29 
/* Send HCI_Reject_Connection_Request for @p bdaddr with HCI error
 * @p reason.
 *
 * Returns -ENOBUFS when no command buffer is available, otherwise the
 * result of the synchronous command (0 on success).
 */
static int reject_conn(const bt_addr_t *bdaddr, uint8_t reason)
{
	struct bt_hci_cp_reject_conn_req *cp;
	struct net_buf *cmd = bt_hci_cmd_create(BT_HCI_OP_REJECT_CONN_REQ, sizeof(*cp));

	if (cmd == NULL) {
		return -ENOBUFS;
	}

	cp = net_buf_add(cmd, sizeof(*cp));
	bt_addr_copy(&cp->bdaddr, bdaddr);
	cp->reason = reason;

	/* 0 on success, otherwise the command error is passed straight up */
	return bt_hci_cmd_send_sync(BT_HCI_OP_REJECT_CONN_REQ, cmd, NULL);
}
52 
/* Send HCI_Accept_Synchronous_Connection_Request for the incoming
 * (e)SCO link to @p bdaddr, using the packet types recorded on
 * @p sco_conn and a fixed 64 kbit/s CVSD voice configuration.
 *
 * Returns -ENOBUFS when no command buffer is available, otherwise the
 * result of the synchronous command (0 on success).
 */
static int accept_sco_conn(const bt_addr_t *bdaddr, struct bt_conn *sco_conn)
{
	struct bt_hci_cp_accept_sync_conn_req *cp;
	struct net_buf *cmd = bt_hci_cmd_create(BT_HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(*cp));

	if (cmd == NULL) {
		return -ENOBUFS;
	}

	cp = net_buf_add(cmd, sizeof(*cp));
	bt_addr_copy(&cp->bdaddr, bdaddr);
	cp->pkt_type = sco_conn->sco.pkt_type;
	/* 0x1f40 = 8000 bytes/s in each direction (64 kbit/s voice) */
	cp->tx_bandwidth = 0x00001f40;
	cp->rx_bandwidth = 0x00001f40;
	/* Max_Latency in ms */
	cp->max_latency = 0x0007;
	/* Retransmission_Effort 0x01: at least one retransmission,
	 * optimised for power consumption
	 */
	cp->retrans_effort = 0x01;
	cp->content_format = BT_VOICE_CVSD_16BIT;

	return bt_hci_cmd_send_sync(BT_HCI_OP_ACCEPT_SYNC_CONN_REQ, cmd, NULL);
}
80 
/* Send HCI_Accept_Connection_Request for the incoming ACL link from
 * @p bdaddr, keeping the peripheral role.
 *
 * Returns -ENOBUFS when no command buffer is available, otherwise the
 * result of the synchronous command (0 on success).
 */
static int accept_conn(const bt_addr_t *bdaddr)
{
	struct bt_hci_cp_accept_conn_req *cp;
	struct net_buf *cmd = bt_hci_cmd_create(BT_HCI_OP_ACCEPT_CONN_REQ, sizeof(*cp));

	if (cmd == NULL) {
		return -ENOBUFS;
	}

	cp = net_buf_add(cmd, sizeof(*cp));
	bt_addr_copy(&cp->bdaddr, bdaddr);
	/* Do not request a role switch; stay peripheral on incoming links */
	cp->role = BT_HCI_ROLE_PERIPHERAL;

	return bt_hci_cmd_send_sync(BT_HCI_OP_ACCEPT_CONN_REQ, cmd, NULL);
}
103 
/* Handle an incoming SCO/eSCO connection request.
 *
 * Allocates an SCO connection object for the peer and accepts the link;
 * the request is rejected (and the object released) when either step
 * fails. On success the object is left in the CONNECTING state waiting
 * for the Synchronous Connection Complete event.
 */
static void bt_esco_conn_req(struct bt_hci_evt_conn_request *evt)
{
	struct bt_conn *conn = bt_conn_add_sco(&evt->bdaddr, evt->link_type);

	if (conn == NULL) {
		reject_conn(&evt->bdaddr, BT_HCI_ERR_INSUFFICIENT_RESOURCES);
		return;
	}

	if (accept_sco_conn(&evt->bdaddr, conn) != 0) {
		LOG_ERR("Error accepting connection from %s", bt_addr_str(&evt->bdaddr));
		reject_conn(&evt->bdaddr, BT_HCI_ERR_UNSPECIFIED);
		bt_sco_cleanup(conn);
		return;
	}

	conn->role = BT_HCI_ROLE_PERIPHERAL;
	bt_conn_set_state(conn, BT_CONN_CONNECTING);
	bt_conn_unref(conn);
}
125 
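/* Handle the HCI Connection Request event.
 *
 * SCO/eSCO requests are delegated to bt_esco_conn_req(). For an ACL
 * request a BR connection object is allocated and
 * HCI_Accept_Connection_Request is sent; the request is rejected when no
 * object is free or when accepting it fails, so the peer is never left
 * waiting on a connection the host will not complete.
 */
void bt_hci_conn_req(struct net_buf *buf)
{
	struct bt_hci_evt_conn_request *evt = (void *)buf->data;
	struct bt_conn *conn;

	LOG_DBG("conn req from %s, type 0x%02x", bt_addr_str(&evt->bdaddr), evt->link_type);

	if (evt->link_type != BT_HCI_ACL) {
		bt_esco_conn_req(evt);
		return;
	}

	conn = bt_conn_add_br(&evt->bdaddr);
	if (!conn) {
		reject_conn(&evt->bdaddr, BT_HCI_ERR_INSUFFICIENT_RESOURCES);
		return;
	}

	/* Same handling as the eSCO path: a failed accept is reported to
	 * the peer and the unused object is released instead of being
	 * moved to CONNECTING.
	 */
	if (accept_conn(&evt->bdaddr)) {
		LOG_ERR("Error accepting connection from %s", bt_addr_str(&evt->bdaddr));
		reject_conn(&evt->bdaddr, BT_HCI_ERR_UNSPECIFIED);
		/* No state transition happened, so dropping the reference
		 * from bt_conn_add_br() is expected to free the object —
		 * confirm against bt_conn_add_br()/bt_conn_unref().
		 */
		bt_conn_unref(conn);
		return;
	}

	conn->role = BT_HCI_ROLE_PERIPHERAL;
	bt_conn_set_state(conn, BT_CONN_CONNECTING);
	bt_conn_unref(conn);
}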
149 
/* Check that the encryption key size negotiated on @p conn is acceptable
 * for its security level.
 *
 * Reads the key size from the controller and requires the maximum size
 * for BT_SECURITY_L4 and at least BT_HCI_ENCRYPTION_KEY_SIZE_MIN
 * otherwise. Any failure to obtain the size counts as insufficient, so a
 * link whose key size cannot be verified is treated as not secure.
 */
static bool br_sufficient_key_size(struct bt_conn *conn)
{
	struct bt_hci_cp_read_encryption_key_size *cp;
	struct bt_hci_rp_read_encryption_key_size *rp;
	struct net_buf *cmd, *rsp;
	uint8_t key_size;
	int err;

	cmd = bt_hci_cmd_create(BT_HCI_OP_READ_ENCRYPTION_KEY_SIZE, sizeof(*cp));
	if (cmd == NULL) {
		LOG_ERR("Failed to allocate command buffer");
		return false;
	}

	cp = net_buf_add(cmd, sizeof(*cp));
	cp->handle = sys_cpu_to_le16(conn->handle);

	err = bt_hci_cmd_send_sync(BT_HCI_OP_READ_ENCRYPTION_KEY_SIZE, cmd, &rsp);
	if (err != 0) {
		LOG_ERR("Failed to read encryption key size (err %d)", err);
		return false;
	}

	/* Never read return parameters the controller did not send */
	if (rsp->len < sizeof(*rp)) {
		LOG_ERR("Too small command complete for encryption key size");
		net_buf_unref(rsp);
		return false;
	}

	rp = (void *)rsp->data;
	key_size = rp->key_size;
	net_buf_unref(rsp);

	LOG_DBG("Encryption key size is %u", key_size);

	if (conn->sec_level == BT_SECURITY_L4) {
		return key_size == BT_HCI_ENCRYPTION_KEY_SIZE_MAX;
	}

	return key_size >= BT_HCI_ENCRYPTION_KEY_SIZE_MIN;
}
193 
/* Derive conn->sec_level from the link's encryption state and link key,
 * then verify it against the key size and the level the application
 * required.
 *
 * Unencrypted links get BT_SECURITY_L1. Encrypted links get L2 without an
 * authenticated link key, L3 with one, and L4 when additionally
 * conn->encrypt reports 0x02 (AES-CCM, BR/EDR Secure Connections).
 *
 * Returns true when the level is acceptable. On an insufficient key size
 * or an unmet required level the connection is disconnected with
 * BT_HCI_ERR_AUTH_FAIL and false is returned.
 */
bool bt_br_update_sec_level(struct bt_conn *conn)
{
	if (!conn->encrypt) {
		conn->sec_level = BT_SECURITY_L1;
		return true;
	}

	if (conn->br.link_key == NULL) {
		LOG_WRN("No BR/EDR link key found");
		conn->sec_level = BT_SECURITY_L2;
	} else if (!(conn->br.link_key->flags & BT_LINK_KEY_AUTHENTICATED)) {
		conn->sec_level = BT_SECURITY_L2;
	} else if (conn->encrypt == 0x02) {
		conn->sec_level = BT_SECURITY_L4;
	} else {
		conn->sec_level = BT_SECURITY_L3;
	}

	if (!br_sufficient_key_size(conn)) {
		LOG_ERR("Encryption key size is not sufficient");
		bt_conn_disconnect(conn, BT_HCI_ERR_AUTH_FAIL);
		return false;
	}

	if (conn->required_sec_level > conn->sec_level) {
		LOG_ERR("Failed to set required security level");
		bt_conn_disconnect(conn, BT_HCI_ERR_AUTH_FAIL);
		return false;
	}

	return true;
}
230 
/* Handle the HCI Synchronous Connection Complete event.
 *
 * Looks up the pending SCO connection by peer address and moves it to
 * CONNECTED with the assigned handle, or to DISCONNECTED with the HCI
 * status recorded in conn->err.
 */
void bt_hci_synchronous_conn_complete(struct net_buf *buf)
{
	struct bt_hci_evt_sync_conn_complete *evt = (void *)buf->data;
	uint16_t handle = sys_le16_to_cpu(evt->handle);
	struct bt_conn *conn;

	LOG_DBG("status 0x%02x, handle %u, type 0x%02x", evt->status, handle, evt->link_type);

	conn = bt_conn_lookup_addr_sco(&evt->bdaddr);
	if (conn == NULL) {
		LOG_ERR("Unable to find conn for %s", bt_addr_str(&evt->bdaddr));
		return;
	}

	if (evt->status != 0U) {
		conn->err = evt->status;
		bt_conn_set_state(conn, BT_CONN_DISCONNECTED);
	} else {
		conn->handle = handle;
		bt_conn_set_state(conn, BT_CONN_CONNECTED);
	}

	bt_conn_unref(conn);
}
256 
/* Handle the HCI Connection Complete event for a BR/EDR ACL link.
 *
 * On failure the pending connection is moved to DISCONNECTED with the HCI
 * status in conn->err. On success the handle and encryption state are
 * recorded, the security level is validated (which may disconnect the
 * link) and, once CONNECTED, a Read Remote Supported Features command is
 * issued for the new handle.
 */
void bt_hci_conn_complete(struct net_buf *buf)
{
	struct bt_hci_evt_conn_complete *evt = (void *)buf->data;
	uint16_t handle = sys_le16_to_cpu(evt->handle);
	struct bt_hci_cp_read_remote_features *cp;
	struct net_buf *cmd;
	struct bt_conn *conn;

	LOG_DBG("status 0x%02x, handle %u, type 0x%02x", evt->status, handle, evt->link_type);

	conn = bt_conn_lookup_addr_br(&evt->bdaddr);
	if (conn == NULL) {
		LOG_ERR("Unable to find conn for %s", bt_addr_str(&evt->bdaddr));
		return;
	}

	if (evt->status != 0U) {
		conn->err = evt->status;
		bt_conn_set_state(conn, BT_CONN_DISCONNECTED);
		bt_conn_unref(conn);
		return;
	}

	conn->handle = handle;
	conn->err = 0U;
	conn->encrypt = evt->encr_enabled;

	/* bt_br_update_sec_level() disconnects the link itself on failure */
	if (!bt_br_update_sec_level(conn)) {
		bt_conn_unref(conn);
		return;
	}

	bt_conn_set_state(conn, BT_CONN_CONNECTED);
	bt_conn_unref(conn);

	cmd = bt_hci_cmd_create(BT_HCI_OP_READ_REMOTE_FEATURES, sizeof(*cp));
	if (cmd == NULL) {
		return;
	}

	cp = net_buf_add(cmd, sizeof(*cp));
	/* The event handle is already little-endian, as the command expects */
	cp->handle = evt->handle;

	bt_hci_cmd_send_sync(BT_HCI_OP_READ_REMOTE_FEATURES, cmd, NULL);
}
301 
/* Per-result bookkeeping kept inside bt_br_discovery_result::_priv. It is
 * accessed through a cast in this file, hence __packed so that its layout
 * does not depend on alignment of the containing field.
 */
struct discovery_priv {
	/* Clock offset from the inquiry result, reused for the name request */
	uint16_t clock_offset;
	/* Page scan repetition mode from the inquiry result, same use */
	uint8_t pscan_rep_mode;
	/* Non-zero while a Remote Name Request for this device is outstanding */
	uint8_t resolving;
} __packed;
307 
/* Send HCI_Remote_Name_Request for @p addr using the page scan
 * repetition mode and clock offset learned from its inquiry result.
 *
 * Returns -ENOBUFS when no command buffer is available, otherwise the
 * result of the synchronous command (0 on success).
 */
static int request_name(const bt_addr_t *addr, uint8_t pscan, uint16_t offset)
{
	struct bt_hci_cp_remote_name_request *cp;
	struct net_buf *cmd = bt_hci_cmd_create(BT_HCI_OP_REMOTE_NAME_REQUEST, sizeof(*cp));

	if (cmd == NULL) {
		return -ENOBUFS;
	}

	cp = net_buf_add(cmd, sizeof(*cp));
	bt_addr_copy(&cp->bdaddr, addr);
	cp->pscan_rep_mode = pscan;
	cp->reserved = 0x00; /* reserved, should be set to 0x00 */
	cp->clock_offset = offset;

	return bt_hci_cmd_send_sync(BT_HCI_OP_REMOTE_NAME_REQUEST, cmd, NULL);
}
327 
#define EIR_SHORT_NAME		0x08
#define EIR_COMPLETE_NAME	0x09

/* Return true when the 240-byte EIR block @p eir already carries a
 * Shortened or Complete Local Name structure with at least one byte of
 * name data.
 *
 * Walks the AD structures until the block is exhausted, a zero length
 * (early termination) is met, or a structure claims more bytes than
 * remain; a malformed block therefore yields false.
 */
static bool eir_has_name(const uint8_t *eir)
{
	int remaining = 240;

	while (remaining >= 2) {
		uint8_t field_len = eir[0];

		/* Zero length terminates the block early */
		if (field_len == 0U) {
			return false;
		}

		/* Structure would overrun what is left of the block */
		if (field_len > remaining - 1) {
			return false;
		}

		if (eir[1] == EIR_SHORT_NAME || eir[1] == EIR_COMPLETE_NAME) {
			/* Length includes the type byte: > 1 means real name data */
			if (field_len > 1U) {
				return true;
			}
		}

		/* Advance to the next AD structure */
		remaining -= field_len + 1;
		eir += field_len + 1;
	}

	return false;
}
368 
/* Forget the current discovery session: callback, the caller-owned result
 * array and both counters. After this no handler in this file will touch
 * the caller's array again.
 */
void bt_br_discovery_reset(void)
{
	discovery_results_count = 0;
	discovery_results_size = 0;
	discovery_results = NULL;
	discovery_cb = NULL;
}
376 
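/* Finish an inquiry: request names for results whose EIR lacks one and,
 * when nothing is left to resolve, deliver the results to the user.
 *
 * If at least one name request was issued the report is deferred to
 * bt_hci_remote_name_request_complete(). Otherwise the session is torn
 * down before the callback runs, so a callback that immediately starts a
 * new discovery is not wiped out by the reset.
 */
static void report_discovery_results(void)
{
	bool resolving_names = false;
	bt_br_discovery_cb_t *cb;
	struct bt_br_discovery_result *results;
	size_t count;
	size_t i;

	for (i = 0; i < discovery_results_count; i++) {
		struct discovery_priv *priv;

		priv = (struct discovery_priv *)&discovery_results[i]._priv;

		if (eir_has_name(discovery_results[i].eir)) {
			continue;
		}

		/* Best effort: a device whose name cannot be requested is
		 * simply reported without one.
		 */
		if (request_name(&discovery_results[i].addr,
				 priv->pscan_rep_mode, priv->clock_offset)) {
			continue;
		}

		priv->resolving = 1U;
		resolving_names = true;
	}

	if (resolving_names) {
		return;
	}

	atomic_clear_bit(bt_dev.flags, BT_DEV_INQUIRY);

	/* Snapshot and reset first: the callback may call
	 * bt_br_discovery_start() again.
	 */
	cb = discovery_cb;
	results = discovery_results;
	count = discovery_results_count;
	bt_br_discovery_reset();

	if (cb) {
		cb(results, count);
	}
}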
411 
/* Handle the HCI Inquiry Complete event.
 *
 * A non-zero status is only logged: whatever results were collected are
 * still reported, so the user's callback always runs.
 */
void bt_hci_inquiry_complete(struct net_buf *buf)
{
	const struct bt_hci_evt_inquiry_complete *evt = (void *)buf->data;

	if (evt->status != 0U) {
		LOG_ERR("Failed to complete inquiry");
	}

	report_discovery_results();
}
422 
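/* Return the result slot for @p addr, creating or recycling one as needed.
 *
 * An address already in the table returns its slot. Otherwise a fresh
 * slot is claimed while the table has room; when it is full, the occupied
 * slot with the weakest RSSI that is not stronger than @p rssi is
 * evicted. An @p rssi of 0xff means "no RSSI available" (this is what
 * bt_hci_remote_name_request_complete() passes) and never evicts.
 *
 * Returns NULL when no slot can be used.
 */
static struct bt_br_discovery_result *get_result_slot(const bt_addr_t *addr,
						      int8_t rssi)
{
	struct bt_br_discovery_result *weakest = NULL;
	size_t i;

	/* Already present in the results? */
	for (i = 0; i < discovery_results_count; i++) {
		if (bt_addr_eq(addr, &discovery_results[i].addr)) {
			return &discovery_results[i];
		}
	}

	/* Claim a new slot while one is available */
	if (discovery_results_count < discovery_results_size) {
		bt_addr_copy(&discovery_results[discovery_results_count].addr,
			     addr);
		return &discovery_results[discovery_results_count++];
	}

	/* "No RSSI" marker. Compared as a byte on purpose: as an int8_t the
	 * value is -1, so `rssi == 0xff` would never be true and the marker
	 * would evict a real result below.
	 */
	if ((uint8_t)rssi == 0xff) {
		return NULL;
	}

	/* Table full: evict the weakest entry that is not stronger than the
	 * newcomer.
	 * TODO handle TX if present
	 */
	for (i = 0; i < discovery_results_size; i++) {
		if (discovery_results[i].rssi > rssi) {
			continue;
		}

		if (!weakest || weakest->rssi > discovery_results[i].rssi) {
			weakest = &discovery_results[i];
		}
	}

	if (weakest) {
		LOG_DBG("Reusing slot (old %s rssi %d dBm)", bt_addr_str(&weakest->addr),
			weakest->rssi);

		bt_addr_copy(&weakest->addr, addr);
	}

	return weakest;
}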
471 
/* Handle the HCI Inquiry Result with RSSI event.
 *
 * Ignored unless an inquiry started by this host is running. Each report
 * is stored in (or assigned to) a result slot with its class of device,
 * RSSI and the paging parameters needed for a later name request. The
 * event is dropped at the first report that does not fit in the buffer.
 */
void bt_hci_inquiry_result_with_rssi(struct net_buf *buf)
{
	uint8_t num_reports = net_buf_pull_u8(buf);
	uint8_t n;

	if (!atomic_test_bit(bt_dev.flags, BT_DEV_INQUIRY)) {
		return;
	}

	LOG_DBG("number of results: %u", num_reports);

	for (n = 0; n < num_reports; n++) {
		struct bt_hci_evt_inquiry_result_with_rssi *evt;
		struct bt_br_discovery_result *result;
		struct discovery_priv *priv;

		/* Never pull a report the controller did not fully send */
		if (buf->len < sizeof(*evt)) {
			LOG_ERR("Unexpected end to buffer");
			return;
		}

		evt = net_buf_pull_mem(buf, sizeof(*evt));
		LOG_DBG("%s rssi %d dBm", bt_addr_str(&evt->addr), evt->rssi);

		result = get_result_slot(&evt->addr, evt->rssi);
		if (result == NULL) {
			return;
		}

		priv = (struct discovery_priv *)&result->_priv;
		priv->pscan_rep_mode = evt->pscan_rep_mode;
		priv->clock_offset = evt->clock_offset;

		memcpy(result->cod, evt->cod, 3);
		result->rssi = evt->rssi;

		/* The slot may have been recycled, so any old EIR must go */
		(void)memset(result->eir, 0, sizeof(result->eir));
	}
}
511 
/* Handle the HCI Extended Inquiry Result event (one device per event).
 *
 * Ignored unless an inquiry started by this host is running. Stores the
 * class of device, RSSI, paging parameters and the full EIR block into
 * the device's result slot.
 */
void bt_hci_extended_inquiry_result(struct net_buf *buf)
{
	struct bt_hci_evt_extended_inquiry_result *evt = (void *)buf->data;
	struct bt_br_discovery_result *slot;
	struct discovery_priv *priv;

	if (!atomic_test_bit(bt_dev.flags, BT_DEV_INQUIRY)) {
		return;
	}

	LOG_DBG("%s rssi %d dBm", bt_addr_str(&evt->addr), evt->rssi);

	slot = get_result_slot(&evt->addr, evt->rssi);
	if (slot == NULL) {
		return;
	}

	priv = (struct discovery_priv *)&slot->_priv;
	priv->pscan_rep_mode = evt->pscan_rep_mode;
	priv->clock_offset = evt->clock_offset;

	slot->rssi = evt->rssi;
	memcpy(slot->cod, evt->cod, 3);
	memcpy(slot->eir, evt->eir, sizeof(slot->eir));
}
537 
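/* Append the resolved remote name to @p eir as a Shortened Local Name AD
 * structure, placed at the first unused (zero-length) position of the
 * 240-byte EIR block and truncated to the space left there. Does nothing
 * when the block has no usable free position.
 *
 * @p name is the raw HCI event field: at most @p name_max bytes and NUL
 * terminated only when shorter than that, so its length is bounded by
 * @p name_max rather than taken from strlen().
 */
static void eir_append_name(uint8_t *eir, const uint8_t *name, size_t name_max)
{
	int eir_len = 240;

	while (eir_len >= 2) {
		if (!eir[0]) {
			const uint8_t *nul = memchr(name, '\0', name_max);
			size_t name_len = nul ? (size_t)(nul - name) : name_max;
			size_t space = (size_t)eir_len - 2;

			if (name_len > space) {
				name_len = space;
			}

			/* Length byte counts the type byte as well */
			eir[0] = name_len + 1;
			eir[1] = EIR_SHORT_NAME;
			memcpy(&eir[2], name, name_len);
			return;
		}

		/* Stop on a structure that claims more bytes than remain */
		if (eir[0] > eir_len - 1) {
			return;
		}

		/* next EIR Structure */
		eir_len -= eir[0] + 1;
		eir += eir[0] + 1;
	}
}

/* Handle the HCI Remote Name Request Complete event.
 *
 * Marks the device's result as no longer resolving, stores the name into
 * its EIR data on success and, once no result is still waiting for a
 * name, reports the results. The session is torn down before the callback
 * runs (as in report_discovery_results()), so later name events cannot
 * write into the caller's array and a callback that starts a new
 * discovery is not wiped out.
 */
void bt_hci_remote_name_request_complete(struct net_buf *buf)
{
	struct bt_hci_evt_remote_name_req_complete *evt = (void *)buf->data;
	struct bt_br_discovery_result *result;
	struct discovery_priv *priv;
	bt_br_discovery_cb_t *cb;
	struct bt_br_discovery_result *results;
	size_t count;
	size_t i;

	/* 0xff is the "no RSSI" marker: a name event must never evict */
	result = get_result_slot(&evt->bdaddr, 0xff);
	if (!result) {
		return;
	}

	priv = (struct discovery_priv *)&result->_priv;
	priv->resolving = 0U;

	if (!evt->status) {
		eir_append_name(result->eir, evt->name, sizeof(evt->name));
	}

	/* Still waiting for other names? */
	for (i = 0; i < discovery_results_count; i++) {
		struct discovery_priv *dpriv;

		dpriv = (struct discovery_priv *)&discovery_results[i]._priv;

		if (dpriv->resolving) {
			return;
		}
	}

	/* all names resolved, report discovery results */
	atomic_clear_bit(bt_dev.flags, BT_DEV_INQUIRY);

	cb = discovery_cb;
	results = discovery_results;
	count = discovery_results_count;
	bt_br_discovery_reset();

	if (cb) {
		cb(results, count);
	}
}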
618 
/* Handle the HCI Read Remote Supported Features Complete event.
 *
 * Stores feature page 0 on the connection and, when the peer advertises
 * extended features, follows up with a Read Remote Extended Features
 * command for page 1. Failures are logged or silently skipped; the
 * connection reference is always released.
 */
void bt_hci_read_remote_features_complete(struct net_buf *buf)
{
	struct bt_hci_evt_remote_features *evt = (void *)buf->data;
	uint16_t handle = sys_le16_to_cpu(evt->handle);
	struct bt_hci_cp_read_remote_ext_features *cp;
	struct net_buf *cmd;
	struct bt_conn *conn;

	LOG_DBG("status 0x%02x handle %u", evt->status, handle);

	conn = bt_conn_lookup_handle(handle, BT_CONN_TYPE_BR);
	if (conn == NULL) {
		LOG_ERR("Can't find conn for handle %u", handle);
		return;
	}

	if (evt->status == 0U) {
		memcpy(conn->br.features[0], evt->features, sizeof(evt->features));

		if (BT_FEAT_EXT_FEATURES(conn->br.features)) {
			cmd = bt_hci_cmd_create(BT_HCI_OP_READ_REMOTE_EXT_FEATURES,
						sizeof(*cp));
			if (cmd != NULL) {
				/* Read remote host features (page 1) */
				cp = net_buf_add(cmd, sizeof(*cp));
				cp->handle = evt->handle;
				cp->page = 0x01;

				bt_hci_cmd_send_sync(BT_HCI_OP_READ_REMOTE_EXT_FEATURES,
						     cmd, NULL);
			}
		}
	}

	bt_conn_unref(conn);
}
660 
/* Handle the HCI Read Remote Extended Features Complete event.
 *
 * Only a successful page 1 reply is stored (into conn->br.features[1]);
 * any other page or a failure is ignored.
 */
void bt_hci_read_remote_ext_features_complete(struct net_buf *buf)
{
	struct bt_hci_evt_remote_ext_features *evt = (void *)buf->data;
	uint16_t handle = sys_le16_to_cpu(evt->handle);
	struct bt_conn *conn;
	bool page1_ok;

	LOG_DBG("status 0x%02x handle %u", evt->status, handle);

	conn = bt_conn_lookup_handle(handle, BT_CONN_TYPE_BR);
	if (conn == NULL) {
		LOG_ERR("Can't find conn for handle %u", handle);
		return;
	}

	page1_ok = (evt->status == 0U) && (evt->page == 0x01);
	if (page1_ok) {
		memcpy(conn->br.features[1], evt->features,
		       sizeof(conn->br.features[1]));
	}

	bt_conn_unref(conn);
}
682 
/* Handle the HCI Role Change event.
 *
 * A failed role switch changes nothing. Otherwise the connection's role is
 * updated: a non-zero event role means peripheral, zero means central.
 */
void bt_hci_role_change(struct net_buf *buf)
{
	struct bt_hci_evt_role_change *evt = (void *)buf->data;
	struct bt_conn *conn;

	LOG_DBG("status 0x%02x role %u addr %s", evt->status, evt->role, bt_addr_str(&evt->bdaddr));

	if (evt->status != 0U) {
		return;
	}

	conn = bt_conn_lookup_addr_br(&evt->bdaddr);
	if (conn == NULL) {
		LOG_ERR("Can't find conn for %s", bt_addr_str(&evt->bdaddr));
		return;
	}

	conn->role = evt->role ? BT_CONN_ROLE_PERIPHERAL : BT_CONN_ROLE_CENTRAL;

	bt_conn_unref(conn);
}
708 
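/* Read the local extended LMP feature pages 1..LMP_FEAT_PAGES_COUNT-1
 * into bt_dev.features, stopping early once the controller reports that
 * no further page exists.
 *
 * Returns 0 on success, -ENOBUFS when a command buffer cannot be
 * allocated, -EIO when a reply is shorter than its return parameters, or
 * the error of the failing HCI command.
 */
static int read_ext_features(void)
{
	int i;

	/* Read Local Supported Extended Features */
	for (i = 1; i < LMP_FEAT_PAGES_COUNT; i++) {
		struct bt_hci_cp_read_local_ext_features *cp;
		struct bt_hci_rp_read_local_ext_features *rp;
		struct net_buf *buf, *rsp;
		uint8_t max_page;
		int err;

		buf = bt_hci_cmd_create(BT_HCI_OP_READ_LOCAL_EXT_FEATURES,
					sizeof(*cp));
		if (!buf) {
			return -ENOBUFS;
		}

		cp = net_buf_add(buf, sizeof(*cp));
		cp->page = i;

		err = bt_hci_cmd_send_sync(BT_HCI_OP_READ_LOCAL_EXT_FEATURES,
					   buf, &rsp);
		if (err) {
			return err;
		}

		/* Same guard as br_sufficient_key_size(): never read return
		 * parameters the controller did not send.
		 */
		if (rsp->len < sizeof(*rp)) {
			LOG_ERR("Too small command complete for local ext features");
			net_buf_unref(rsp);
			return -EIO;
		}

		rp = (void *)rsp->data;

		memcpy(&bt_dev.features[i], rp->ext_features,
		       sizeof(bt_dev.features[i]));
		max_page = rp->max_page;

		net_buf_unref(rsp);

		/* Controller has no pages beyond this one */
		if (max_page <= i) {
			break;
		}
	}

	return 0;
}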
750 
/* Translate the local LMP feature bits into the set of (e)SCO packet
 * types the controller supports and OR them into
 * bt_dev.br.esco_pkt_type.
 */
void device_supported_pkt_type(void)
{
	unsigned int types = 0U;

	/* Device supported features and sco packet types */
	if (BT_FEAT_HV2_PKT(bt_dev.features)) {
		types |= HCI_PKT_TYPE_ESCO_HV2;
	}

	if (BT_FEAT_HV3_PKT(bt_dev.features)) {
		types |= HCI_PKT_TYPE_ESCO_HV3;
	}

	if (BT_FEAT_LMP_ESCO_CAPABLE(bt_dev.features)) {
		types |= HCI_PKT_TYPE_ESCO_EV3;
	}

	if (BT_FEAT_EV4_PKT(bt_dev.features)) {
		types |= HCI_PKT_TYPE_ESCO_EV4;
	}

	if (BT_FEAT_EV5_PKT(bt_dev.features)) {
		types |= HCI_PKT_TYPE_ESCO_EV5;
	}

	if (BT_FEAT_2EV3_PKT(bt_dev.features)) {
		types |= HCI_PKT_TYPE_ESCO_2EV3;
	}

	if (BT_FEAT_3EV3_PKT(bt_dev.features)) {
		types |= HCI_PKT_TYPE_ESCO_3EV3;
	}

	/* The 3-slot feature bit covers both 2-EV5 and 3-EV5 */
	if (BT_FEAT_3SLOT_PKT(bt_dev.features)) {
		types |= HCI_PKT_TYPE_ESCO_2EV5 | HCI_PKT_TYPE_ESCO_3EV5;
	}

	bt_dev.br.esco_pkt_type |= types;
}
787 
/* Record the controller's BR/EDR ACL buffer parameters from a
 * Read_Buffer_Size reply: the maximum ACL payload becomes the BR MTU and
 * the packet count initialises the semaphore that throttles outgoing
 * ACL data.
 */
static void read_buffer_size_complete(struct net_buf *buf)
{
	const struct bt_hci_rp_read_buffer_size *rp = (void *)buf->data;
	uint16_t acl_pkts = sys_le16_to_cpu(rp->acl_max_num);

	LOG_DBG("status 0x%02x", rp->status);

	bt_dev.br.mtu = sys_le16_to_cpu(rp->acl_max_len);

	LOG_DBG("ACL BR/EDR buffers: pkts %u mtu %u", acl_pkts, bt_dev.br.mtu);

	k_sem_init(&bt_dev.br.pkts, acl_pkts, acl_pkts);
}
802 
/* Bring up the BR/EDR side of the controller after the common HCI init.
 *
 * Sequence: local extended feature pages, supported (e)SCO packet types,
 * BR/EDR ACL buffer size, Secure Simple Pairing on, inquiry mode with
 * RSSI/EIR results, local name, page timeout and, when the controller
 * supports it, Secure Connections host support.
 *
 * Returns 0 on success, -ENOBUFS when a command buffer cannot be
 * allocated, or the error of the first failing HCI command. Nothing is
 * rolled back on failure.
 */
int bt_br_init(void)
{
	struct net_buf *buf;
	struct bt_hci_cp_write_ssp_mode *ssp_cp;
	struct bt_hci_cp_write_inquiry_mode *inq_cp;
	struct bt_hci_write_local_name *name_cp;
	int err;

	/* Read extended local features */
	if (BT_FEAT_EXT_FEATURES(bt_dev.features)) {
		err = read_ext_features();
		if (err) {
			return err;
		}
	}

	/* Add local supported packet types to bt_dev */
	device_supported_pkt_type();

	/* Get BR/EDR buffer size */
	err = bt_hci_cmd_send_sync(BT_HCI_OP_READ_BUFFER_SIZE, NULL, &buf);
	if (err) {
		return err;
	}

	read_buffer_size_complete(buf);
	net_buf_unref(buf);

	/* Set SSP mode (0x01: Simple Pairing enabled, so legacy PIN
	 * pairing is not used)
	 */
	buf = bt_hci_cmd_create(BT_HCI_OP_WRITE_SSP_MODE, sizeof(*ssp_cp));
	if (!buf) {
		return -ENOBUFS;
	}

	ssp_cp = net_buf_add(buf, sizeof(*ssp_cp));
	ssp_cp->mode = 0x01;
	err = bt_hci_cmd_send_sync(BT_HCI_OP_WRITE_SSP_MODE, buf, NULL);
	if (err) {
		return err;
	}

	/* Enable Inquiry results with RSSI or extended Inquiry
	 * (Inquiry_Mode 0x02), which is what the inquiry result handlers in
	 * this file expect
	 */
	buf = bt_hci_cmd_create(BT_HCI_OP_WRITE_INQUIRY_MODE, sizeof(*inq_cp));
	if (!buf) {
		return -ENOBUFS;
	}

	inq_cp = net_buf_add(buf, sizeof(*inq_cp));
	inq_cp->mode = 0x02;
	err = bt_hci_cmd_send_sync(BT_HCI_OP_WRITE_INQUIRY_MODE, buf, NULL);
	if (err) {
		return err;
	}

	/* Set local name. strncpy() is intended here: local_name is a
	 * fixed-size, zero-padded HCI parameter rather than a C string, and
	 * a name that fills the field exactly is sent without a terminator,
	 * which the HCI format allows.
	 */
	buf = bt_hci_cmd_create(BT_HCI_OP_WRITE_LOCAL_NAME, sizeof(*name_cp));
	if (!buf) {
		return -ENOBUFS;
	}

	name_cp = net_buf_add(buf, sizeof(*name_cp));
	strncpy((char *)name_cp->local_name, CONFIG_BT_DEVICE_NAME,
		sizeof(name_cp->local_name));

	err = bt_hci_cmd_send_sync(BT_HCI_OP_WRITE_LOCAL_NAME, buf, NULL);
	if (err) {
		return err;
	}

	/* Set page timeout (CONFIG_BT_PAGE_TIMEOUT, in 0.625 ms units as
	 * the HCI parameter requires)
	 */
	buf = bt_hci_cmd_create(BT_HCI_OP_WRITE_PAGE_TIMEOUT, sizeof(uint16_t));
	if (!buf) {
		return -ENOBUFS;
	}

	net_buf_add_le16(buf, CONFIG_BT_PAGE_TIMEOUT);

	err = bt_hci_cmd_send_sync(BT_HCI_OP_WRITE_PAGE_TIMEOUT, buf, NULL);
	if (err) {
		return err;
	}

	/* Enable BR/EDR SC if supported, so that link keys can be
	 * P-256 based and bt_br_update_sec_level() can reach
	 * BT_SECURITY_L4
	 */
	if (BT_FEAT_SC(bt_dev.features)) {
		struct bt_hci_cp_write_sc_host_supp *sc_cp;

		buf = bt_hci_cmd_create(BT_HCI_OP_WRITE_SC_HOST_SUPP,
					sizeof(*sc_cp));
		if (!buf) {
			return -ENOBUFS;
		}

		sc_cp = net_buf_add(buf, sizeof(*sc_cp));
		sc_cp->sc_support = 0x01;

		err = bt_hci_cmd_send_sync(BT_HCI_OP_WRITE_SC_HOST_SUPP, buf,
					   NULL);
		if (err) {
			return err;
		}
	}

	return 0;
}
907 
/* Send HCI_Inquiry for the requested duration.
 *
 * The LAP is the General Inquiry Access Code 0x9E8B33 (little-endian
 * bytes below); for limited discovery its low byte is replaced to give
 * the Limited Inquiry Access Code 0x9E8B00. The number of responses is
 * left unlimited so only the duration bounds the inquiry.
 *
 * Returns -ENOBUFS when no command buffer is available, otherwise the
 * result of the synchronous command (0 on success).
 */
static int br_start_inquiry(const struct bt_br_discovery_param *param)
{
	const uint8_t giac_lap[3] = { 0x33, 0x8b, 0x9e };
	struct bt_hci_op_inquiry *cp;
	struct net_buf *cmd = bt_hci_cmd_create(BT_HCI_OP_INQUIRY, sizeof(*cp));

	if (cmd == NULL) {
		return -ENOBUFS;
	}

	cp = net_buf_add(cmd, sizeof(*cp));
	cp->length = param->length;
	cp->num_rsp = 0xff; /* we limit discovery only by time */

	memcpy(cp->lap, giac_lap, sizeof(giac_lap));
	if (param->limited) {
		cp->lap[0] = 0x00;
	}

	return bt_hci_cmd_send_sync(BT_HCI_OP_INQUIRY, cmd, NULL);
}
931 
/* Validate user input to bt_br_discovery_start(): the result array must
 * hold 1..255 entries and the inquiry length must be in the HCI
 * Inquiry_Length range 0x01..0x30 (units of 1.28 s).
 */
static bool valid_br_discov_param(const struct bt_br_discovery_param *param,
				  size_t num_results)
{
	bool results_ok = (num_results >= 1U) && (num_results <= 255U);

	/* param is only dereferenced once the count has been accepted */
	return results_ok && (param->length >= 1U) && (param->length <= 0x30);
}
945 
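/* Start a BR/EDR inquiry and collect up to @p cnt results into the
 * caller-owned @p results array; @p cb is invoked once all results (and
 * their names) are in. The array stays in use until the callback runs or
 * bt_br_discovery_stop() returns.
 *
 * Returns 0 on success, -EINVAL for bad parameters, -EALREADY when an
 * inquiry is already running, or the HCI command error.
 */
int bt_br_discovery_start(const struct bt_br_discovery_param *param,
			  struct bt_br_discovery_result *results, size_t cnt,
			  bt_br_discovery_cb_t cb)
{
	int err;

	LOG_DBG("");

	if (!valid_br_discov_param(param, cnt)) {
		return -EINVAL;
	}

	if (atomic_test_bit(bt_dev.flags, BT_DEV_INQUIRY)) {
		return -EALREADY;
	}

	err = br_start_inquiry(param);
	if (err) {
		return err;
	}

	/* Publish the session before raising BT_DEV_INQUIRY: the inquiry
	 * result handlers only touch the table once the flag is set, so
	 * they must never see the flag together with a stale table.
	 */
	(void)memset(results, 0, sizeof(*results) * cnt);

	discovery_cb = cb;
	discovery_results = results;
	discovery_results_size = cnt;
	discovery_results_count = 0;

	atomic_set_bit(bt_dev.flags, BT_DEV_INQUIRY);

	return 0;
}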
978 
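/* Cancel the running inquiry and any outstanding remote name requests,
 * then drop the session without invoking the user's callback.
 *
 * Returns -EALREADY when no inquiry is running, the error of
 * HCI_Inquiry_Cancel if it fails (the session is then left untouched),
 * otherwise 0. Name cancellations are best effort: a failure there does
 * not stop the teardown.
 */
int bt_br_discovery_stop(void)
{
	int err;
	size_t i;

	LOG_DBG("");

	if (!atomic_test_bit(bt_dev.flags, BT_DEV_INQUIRY)) {
		return -EALREADY;
	}

	err = bt_hci_cmd_send_sync(BT_HCI_OP_INQUIRY_CANCEL, NULL, NULL);
	if (err) {
		return err;
	}

	for (i = 0; i < discovery_results_count; i++) {
		struct discovery_priv *priv;
		struct bt_hci_cp_remote_name_cancel *cp;
		struct net_buf *buf;

		priv = (struct discovery_priv *)&discovery_results[i]._priv;

		if (!priv->resolving) {
			continue;
		}

		buf = bt_hci_cmd_create(BT_HCI_OP_REMOTE_NAME_CANCEL,
					sizeof(*cp));
		if (!buf) {
			continue;
		}

		cp = net_buf_add(buf, sizeof(*cp));
		bt_addr_copy(&cp->bdaddr, &discovery_results[i].addr);

		bt_hci_cmd_send_sync(BT_HCI_OP_REMOTE_NAME_CANCEL, buf, NULL);
	}

	atomic_clear_bit(bt_dev.flags, BT_DEV_INQUIRY);

	/* Same teardown as the completion paths use */
	bt_br_discovery_reset();

	return 0;
}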
1027 
/* Send HCI_Write_Scan_Enable with the BT_BREDR_SCAN_* mask @p scan and,
 * on success, mirror the resulting inquiry/page scan state in the
 * BT_DEV_ISCAN and BT_DEV_PSCAN device flags.
 *
 * Returns -ENOBUFS when no command buffer is available, otherwise the
 * result of the synchronous command (0 on success).
 */
static int write_scan_enable(uint8_t scan)
{
	struct net_buf *cmd;
	int err;

	LOG_DBG("type %u", scan);

	cmd = bt_hci_cmd_create(BT_HCI_OP_WRITE_SCAN_ENABLE, 1);
	if (cmd == NULL) {
		return -ENOBUFS;
	}

	net_buf_add_u8(cmd, scan);
	err = bt_hci_cmd_send_sync(BT_HCI_OP_WRITE_SCAN_ENABLE, cmd, NULL);
	if (err != 0) {
		return err;
	}

	atomic_set_bit_to(bt_dev.flags, BT_DEV_ISCAN,
			  (scan & BT_BREDR_SCAN_INQUIRY) != 0);
	atomic_set_bit_to(bt_dev.flags, BT_DEV_PSCAN,
			  (scan & BT_BREDR_SCAN_PAGE) != 0);

	return 0;
}
1053 
/* Turn page scan on or off.
 *
 * Returns -EALREADY when page scan is already in the requested state.
 * Disabling writes BT_BREDR_SCAN_DISABLED, which also switches inquiry
 * scan off. Otherwise returns the result of write_scan_enable().
 */
int bt_br_set_connectable(bool enable)
{
	bool page_scan_on = !!atomic_test_bit(bt_dev.flags, BT_DEV_PSCAN);

	if (enable == page_scan_on) {
		return -EALREADY;
	}

	return write_scan_enable(enable ? BT_BREDR_SCAN_PAGE : BT_BREDR_SCAN_DISABLED);
}
1070 
/* Turn inquiry scan on or off.
 *
 * Enabling requires page scan to be on already (-EPERM otherwise) and
 * keeps it on; disabling leaves page scan on. Returns -EALREADY when
 * inquiry scan is already in the requested state, otherwise the result of
 * write_scan_enable().
 */
int bt_br_set_discoverable(bool enable)
{
	bool inquiry_scan_on = !!atomic_test_bit(bt_dev.flags, BT_DEV_ISCAN);

	if (enable == inquiry_scan_on) {
		return -EALREADY;
	}

	if (!enable) {
		return write_scan_enable(BT_BREDR_SCAN_PAGE);
	}

	if (!atomic_test_bit(bt_dev.flags, BT_DEV_PSCAN)) {
		return -EPERM;
	}

	return write_scan_enable(BT_BREDR_SCAN_INQUIRY | BT_BREDR_SCAN_PAGE);
}
1092