1 /******************************************************************************
2  *
3  *  Copyright (C) 1999-2012 Broadcom Corporation
4  *
5  *  Licensed under the Apache License, Version 2.0 (the "License");
6  *  you may not use this file except in compliance with the License.
7  *  You may obtain a copy of the License at:
8  *
9  *  http://www.apache.org/licenses/LICENSE-2.0
10  *
11  *  Unless required by applicable law or agreed to in writing, software
12  *  distributed under the License is distributed on an "AS IS" BASIS,
13  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  *  See the License for the specific language governing permissions and
15  *  limitations under the License.
16  *
17  ******************************************************************************/
18 
19 /******************************************************************************
20  *
21  *  This file contains functions for BLE device control utilities, and LE
22  *  security functions.
23  *
24  ******************************************************************************/
25 #include "bt_target.h"
26 
27 #if BLE_INCLUDED == TRUE
28 
29 #include <string.h>
30 
31 #include "bt_types.h"
32 #include "hcimsgs.h"
33 #include "btu.h"
34 #include "btm_int.h"
35 #include "btm_ble_api.h"
36 #include "smp_api.h"
37 #include "l2c_int.h"
38 #include "gap_api.h"
39 #include "bt_utils.h"
40 #include "device/include/controller.h"
41 
42 #define LOG_TAG "bt_btm_ble"
43 #include "osi/include/log.h"
44 
45 #if SMP_INCLUDED == TRUE
46 extern BOOLEAN aes_cipher_msg_auth_code(BT_OCTET16 key, UINT8 *input, UINT16 length,
47                                                  UINT16 tlen, UINT8 *p_signature);
48 extern void smp_link_encrypted(BD_ADDR bda, UINT8 encr_enable);
49 extern BOOLEAN smp_proc_ltk_request(BD_ADDR bda);
50 #endif
51 extern void gatt_notify_enc_cmpl(BD_ADDR bd_addr);
52 /*******************************************************************************/
53 /* External Function to be called by other modules                             */
54 /*******************************************************************************/
55 /********************************************************
56 **
57 ** Function         BTM_SecAddBleDevice
58 **
59 ** Description      Add/modify device.  This function will be normally called
60 **                  during host startup to restore all required information
61 **                  for a LE device stored in the NVRAM.
62 **
63 ** Parameters:      bd_addr          - BD address of the peer
64 **                  bd_name          - Name of the peer device.  NULL if unknown.
65 **                  dev_type         - Remote device's device type.
66 **                  addr_type        - LE device address type.
67 **
68 ** Returns          TRUE if added OK, else FALSE
69 **
70 *******************************************************************************/
BTM_SecAddBleDevice(BD_ADDR bd_addr,BD_NAME bd_name,tBT_DEVICE_TYPE dev_type,tBLE_ADDR_TYPE addr_type)71 BOOLEAN BTM_SecAddBleDevice (BD_ADDR bd_addr, BD_NAME bd_name, tBT_DEVICE_TYPE dev_type,
72                              tBLE_ADDR_TYPE addr_type)
73 {
74     tBTM_SEC_DEV_REC  *p_dev_rec;
75     UINT8               i = 0;
76     tBTM_INQ_INFO      *p_info=NULL;
77 
78     BTM_TRACE_DEBUG ("BTM_SecAddBleDevice dev_type=0x%x", dev_type);
79     p_dev_rec = btm_find_dev (bd_addr);
80 
81     if (!p_dev_rec)
82     {
83         BTM_TRACE_DEBUG("Add a new device");
84 
85         /* There is no device record, allocate one.
86          * If we can not find an empty spot for this one, let it fail. */
87         for (i = 0; i < BTM_SEC_MAX_DEVICE_RECORDS; i++)
88         {
89             if (!(btm_cb.sec_dev_rec[i].sec_flags & BTM_SEC_IN_USE))
90             {
91                 BTM_TRACE_DEBUG ("allocate a new dev rec idx=0x%x ", i );
92                 p_dev_rec = &btm_cb.sec_dev_rec[i];
93 
94                 /* Mark this record as in use and initialize */
95                 memset (p_dev_rec, 0, sizeof (tBTM_SEC_DEV_REC));
96                 p_dev_rec->sec_flags = BTM_SEC_IN_USE;
97                 memcpy (p_dev_rec->bd_addr, bd_addr, BD_ADDR_LEN);
98                 p_dev_rec->hci_handle = BTM_GetHCIConnHandle (bd_addr, BT_TRANSPORT_BR_EDR);
99                 p_dev_rec->ble_hci_handle = BTM_GetHCIConnHandle (bd_addr, BT_TRANSPORT_LE);
100 
101                 /* update conn params, use default value for background connection params */
102                 p_dev_rec->conn_params.min_conn_int     =
103                 p_dev_rec->conn_params.max_conn_int     =
104                 p_dev_rec->conn_params.supervision_tout =
105                 p_dev_rec->conn_params.slave_latency    = BTM_BLE_CONN_PARAM_UNDEF;
106 
107                 BTM_TRACE_DEBUG ("hci_handl=0x%x ",  p_dev_rec->ble_hci_handle );
108                 break;
109             }
110         }
111 
112         if (!p_dev_rec)
113             return(FALSE);
114     }
115     else
116     {
117         BTM_TRACE_DEBUG("Device already exist");
118     }
119 
120     memset(p_dev_rec->sec_bd_name, 0, sizeof(tBTM_BD_NAME));
121 
122     if (bd_name && bd_name[0])
123     {
124         p_dev_rec->sec_flags |= BTM_SEC_NAME_KNOWN;
125         BCM_STRNCPY_S ((char *)p_dev_rec->sec_bd_name, sizeof (p_dev_rec->sec_bd_name),
126                        (char *)bd_name, BTM_MAX_REM_BD_NAME_LEN);
127     }
128     p_dev_rec->device_type |= dev_type;
129     p_dev_rec->ble.ble_addr_type = addr_type;
130 
131     memcpy (p_dev_rec->ble.pseudo_addr, bd_addr, BD_ADDR_LEN);
132     /* sync up with the Inq Data base*/
133     p_info = BTM_InqDbRead(bd_addr);
134     if (p_info)
135     {
136         p_info->results.ble_addr_type = p_dev_rec->ble.ble_addr_type ;
137         p_info->results.device_type = p_dev_rec->device_type;
138         BTM_TRACE_DEBUG ("InqDb  device_type =0x%x  addr_type=0x%x",
139                           p_info->results.device_type, p_info->results.ble_addr_type);
140     }
141 
142     return(TRUE);
143 }
144 
145 /*******************************************************************************
146 **
147 ** Function         BTM_SecAddBleKey
148 **
149 ** Description      Add/modify LE device information.  This function will be
150 **                  normally called during host startup to restore all required
151 **                  information stored in the NVRAM.
152 **
153 ** Parameters:      bd_addr          - BD address of the peer
154 **                  p_le_key         - LE key values.
155 **                  key_type         - LE SMP key type.
156 *
157 ** Returns          TRUE if added OK, else FALSE
158 **
159 *******************************************************************************/
BTM_SecAddBleKey(BD_ADDR bd_addr,tBTM_LE_KEY_VALUE * p_le_key,tBTM_LE_KEY_TYPE key_type)160 BOOLEAN BTM_SecAddBleKey (BD_ADDR bd_addr, tBTM_LE_KEY_VALUE *p_le_key, tBTM_LE_KEY_TYPE key_type)
161 {
162 #if SMP_INCLUDED == TRUE
163     tBTM_SEC_DEV_REC  *p_dev_rec;
164     BTM_TRACE_DEBUG ("BTM_SecAddBleKey");
165     p_dev_rec = btm_find_dev (bd_addr);
166     if (!p_dev_rec || !p_le_key ||
167         (key_type != BTM_LE_KEY_PENC && key_type != BTM_LE_KEY_PID &&
168          key_type != BTM_LE_KEY_PCSRK && key_type != BTM_LE_KEY_LENC &&
169          key_type != BTM_LE_KEY_LCSRK && key_type != BTM_LE_KEY_LID))
170     {
171         BTM_TRACE_WARNING ("BTM_SecAddBleKey()  Wrong Type, or No Device record \
172                         for bdaddr: %08x%04x, Type: %d",
173                             (bd_addr[0]<<24)+(bd_addr[1]<<16)+(bd_addr[2]<<8)+bd_addr[3],
174                             (bd_addr[4]<<8)+bd_addr[5], key_type);
175         return(FALSE);
176     }
177 
178     BTM_TRACE_DEBUG ("BTM_SecAddLeKey()  BDA: %08x%04x, Type: 0x%02x",
179                       (bd_addr[0]<<24)+(bd_addr[1]<<16)+(bd_addr[2]<<8)+bd_addr[3],
180                       (bd_addr[4]<<8)+bd_addr[5], key_type);
181 
182     btm_sec_save_le_key (bd_addr, key_type, p_le_key, FALSE);
183 
184 #if (BLE_PRIVACY_SPT == TRUE)
185     if (key_type == BTM_LE_KEY_PID || key_type == BTM_LE_KEY_LID)
186         btm_ble_resolving_list_load_dev (p_dev_rec);
187 #endif
188 
189 #endif
190 
191     return(TRUE);
192 }
193 
194 /*******************************************************************************
195 **
196 ** Function         BTM_BleLoadLocalKeys
197 **
198 ** Description      Local local identity key, encryption root or sign counter.
199 **
200 ** Parameters:      key_type: type of key, can be BTM_BLE_KEY_TYPE_ID, BTM_BLE_KEY_TYPE_ER
201 **                            or BTM_BLE_KEY_TYPE_COUNTER.
202 **                  p_key: pointer to the key.
203 *
204 ** Returns          non2.
205 **
206 *******************************************************************************/
BTM_BleLoadLocalKeys(UINT8 key_type,tBTM_BLE_LOCAL_KEYS * p_key)207 void BTM_BleLoadLocalKeys(UINT8 key_type, tBTM_BLE_LOCAL_KEYS *p_key)
208 {
209     tBTM_DEVCB *p_devcb = &btm_cb.devcb;
210     BTM_TRACE_DEBUG ("%s", __func__);
211     if (p_key != NULL)
212     {
213         switch (key_type)
214         {
215             case BTM_BLE_KEY_TYPE_ID:
216                 memcpy(&p_devcb->id_keys, &p_key->id_keys, sizeof(tBTM_BLE_LOCAL_ID_KEYS));
217                 break;
218 
219             case BTM_BLE_KEY_TYPE_ER:
220                 memcpy(p_devcb->ble_encryption_key_value, p_key->er, sizeof(BT_OCTET16));
221                 break;
222 
223             default:
224                 BTM_TRACE_ERROR("unknow local key type: %d", key_type);
225                 break;
226         }
227     }
228 }
229 
230 /*******************************************************************************
231 **
232 ** Function         BTM_GetDeviceEncRoot
233 **
234 ** Description      This function is called to read the local device encryption
235 **                  root.
236 **
237 ** Returns          void
238 **                  the local device ER is copied into ble_encr_key_value
239 **
240 *******************************************************************************/
BTM_GetDeviceEncRoot(BT_OCTET16 ble_encr_key_value)241 void BTM_GetDeviceEncRoot (BT_OCTET16 ble_encr_key_value)
242 {
243     BTM_TRACE_DEBUG ("%s", __func__);
244     memcpy (ble_encr_key_value, btm_cb.devcb.ble_encryption_key_value, BT_OCTET16_LEN);
245 }
246 
247 /*******************************************************************************
248 **
249 ** Function         BTM_GetDeviceIDRoot
250 **
251 ** Description      This function is called to read the local device identity
252 **                  root.
253 **
254 ** Returns          void
255 **                  the local device IR is copied into irk
256 **
257 *******************************************************************************/
BTM_GetDeviceIDRoot(BT_OCTET16 irk)258 void BTM_GetDeviceIDRoot (BT_OCTET16 irk)
259 {
260     BTM_TRACE_DEBUG ("BTM_GetDeviceIDRoot ");
261 
262     memcpy (irk, btm_cb.devcb.id_keys.irk, BT_OCTET16_LEN);
263 }
264 
265 /*******************************************************************************
266 **
267 ** Function         BTM_GetDeviceDHK
268 **
269 ** Description      This function is called to read the local device DHK.
270 **
271 ** Returns          void
272 **                  the local device DHK is copied into dhk
273 **
274 *******************************************************************************/
BTM_GetDeviceDHK(BT_OCTET16 dhk)275 void BTM_GetDeviceDHK (BT_OCTET16 dhk)
276 {
277     BTM_TRACE_DEBUG ("BTM_GetDeviceDHK");
278     memcpy (dhk, btm_cb.devcb.id_keys.dhk, BT_OCTET16_LEN);
279 }
280 
281 /*******************************************************************************
282 **
283 ** Function         BTM_ReadConnectionAddr
284 **
285 ** Description      This function is called to get the local device address information
286 **                  .
287 **
288 ** Returns          void
289 **
290 *******************************************************************************/
BTM_ReadConnectionAddr(BD_ADDR remote_bda,BD_ADDR local_conn_addr,tBLE_ADDR_TYPE * p_addr_type)291 void BTM_ReadConnectionAddr (BD_ADDR remote_bda, BD_ADDR local_conn_addr, tBLE_ADDR_TYPE *p_addr_type)
292 {
293     tACL_CONN       *p_acl = btm_bda_to_acl(remote_bda, BT_TRANSPORT_LE);
294 
295     if (p_acl == NULL)
296     {
297         BTM_TRACE_ERROR("No connection exist!");
298         return;
299     }
300     memcpy(local_conn_addr, p_acl->conn_addr, BD_ADDR_LEN);
301     * p_addr_type = p_acl->conn_addr_type;
302 
303     BTM_TRACE_DEBUG ("BTM_ReadConnectionAddr address type: %d addr: 0x%02x",
304                     p_acl->conn_addr_type, p_acl->conn_addr[0]);
305 }
306 
307 /*******************************************************************************
308 **
309 ** Function         BTM_IsBleConnection
310 **
311 ** Description      This function is called to check if the connection handle
312 **                  for an LE link
313 **
314 ** Returns          TRUE if connection is LE link, otherwise FALSE.
315 **
316 *******************************************************************************/
BTM_IsBleConnection(UINT16 conn_handle)317 BOOLEAN BTM_IsBleConnection (UINT16 conn_handle)
318 {
319 #if (BLE_INCLUDED == TRUE)
320     UINT8                xx;
321     tACL_CONN            *p;
322 
323     BTM_TRACE_API ("BTM_IsBleConnection: conn_handle: %d", conn_handle);
324 
325     xx = btm_handle_to_acl_index (conn_handle);
326     if (xx >= MAX_L2CAP_LINKS)
327         return FALSE;
328 
329     p = &btm_cb.acl_db[xx];
330 
331     return (p->transport == BT_TRANSPORT_LE);
332 #else
333     return FALSE;
334 #endif
335 }
336 
337 /*******************************************************************************
338 **
339 ** Function         BTM_ReadRemoteConnectionAddr
340 **
341 ** Description      This function is read the remote device address currently used
342 **
343 ** Parameters     pseudo_addr: pseudo random address available
344 **                conn_addr:connection address used
345 **                p_addr_type : BD Address type, Public or Random of the address used
346 **
347 ** Returns          BOOLEAN , TRUE if connection to remote device exists, else FALSE
348 **
349 *******************************************************************************/
BTM_ReadRemoteConnectionAddr(BD_ADDR pseudo_addr,BD_ADDR conn_addr,tBLE_ADDR_TYPE * p_addr_type)350 BOOLEAN BTM_ReadRemoteConnectionAddr(BD_ADDR pseudo_addr, BD_ADDR conn_addr,
351                                                tBLE_ADDR_TYPE *p_addr_type)
352 {
353  BOOLEAN         st = TRUE;
354 #if (BLE_PRIVACY_SPT == TRUE)
355     tACL_CONN       *p = btm_bda_to_acl (pseudo_addr, BT_TRANSPORT_LE);
356 
357     if (p == NULL)
358     {
359         BTM_TRACE_ERROR("BTM_ReadRemoteConnectionAddr can not find connection"
360                         " with matching address");
361         return FALSE;
362     }
363 
364     memcpy(conn_addr, p->active_remote_addr, BD_ADDR_LEN);
365     *p_addr_type = p->active_remote_addr_type;
366 #else
367     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev(pseudo_addr);
368 
369     memcpy(conn_addr, pseudo_addr, BD_ADDR_LEN);
370     if (p_dev_rec != NULL)
371     {
372         *p_addr_type = p_dev_rec->ble.ble_addr_type;
373     }
374 #endif
375     return st;
376 
377 }
378 /*******************************************************************************
379 **
380 ** Function         BTM_SecurityGrant
381 **
382 ** Description      This function is called to grant security process.
383 **
384 ** Parameters       bd_addr - peer device bd address.
385 **                  res     - result of the operation BTM_SUCCESS if success.
386 **                            Otherwise, BTM_REPEATED_ATTEMPTS is too many attempts.
387 **
388 ** Returns          None
389 **
390 *******************************************************************************/
BTM_SecurityGrant(BD_ADDR bd_addr,UINT8 res)391 void BTM_SecurityGrant(BD_ADDR bd_addr, UINT8 res)
392 {
393 #if SMP_INCLUDED == TRUE
394     tSMP_STATUS res_smp = (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_REPEATED_ATTEMPTS;
395     BTM_TRACE_DEBUG ("BTM_SecurityGrant");
396     SMP_SecurityGrant(bd_addr, res_smp);
397 #endif
398 }
399 
400 /*******************************************************************************
401 **
402 ** Function         BTM_BlePasskeyReply
403 **
404 ** Description      This function is called after Security Manager submitted
405 **                  passkey request to the application.
406 **
407 ** Parameters:      bd_addr      - Address of the device for which passkey was requested
408 **                  res          - result of the operation BTM_SUCCESS if success
409 **                  key_len      - length in bytes of the Passkey
410 **                  p_passkey        - pointer to array with the passkey
411 **                  trusted_mask - bitwise OR of trusted services (array of UINT32)
412 **
413 *******************************************************************************/
BTM_BlePasskeyReply(BD_ADDR bd_addr,UINT8 res,UINT32 passkey)414 void BTM_BlePasskeyReply (BD_ADDR bd_addr, UINT8 res, UINT32 passkey)
415 {
416 #if SMP_INCLUDED == TRUE
417     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev (bd_addr);
418     tSMP_STATUS      res_smp = (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_PASSKEY_ENTRY_FAIL;
419 
420     if (p_dev_rec == NULL)
421     {
422         BTM_TRACE_ERROR("Passkey reply to Unknown device");
423         return;
424     }
425 
426     p_dev_rec->sec_flags   |= BTM_SEC_LE_AUTHENTICATED;
427     BTM_TRACE_DEBUG ("BTM_BlePasskeyReply");
428     SMP_PasskeyReply(bd_addr, res_smp, passkey);
429 #endif
430 }
431 
432 /*******************************************************************************
433 **
434 ** Function         BTM_BleConfirmReply
435 **
436 ** Description      This function is called after Security Manager submitted
437 **                  numeric comparison request to the application.
438 **
439 ** Parameters:      bd_addr      - Address of the device with which numeric
440 **                                 comparison was requested
441 **                  res          - comparison result BTM_SUCCESS if success
442 **
443 *******************************************************************************/
BTM_BleConfirmReply(BD_ADDR bd_addr,UINT8 res)444 void BTM_BleConfirmReply (BD_ADDR bd_addr, UINT8 res)
445 {
446     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev (bd_addr);
447     tSMP_STATUS      res_smp = (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_PASSKEY_ENTRY_FAIL;
448 
449     if (p_dev_rec == NULL)
450     {
451         BTM_TRACE_ERROR("Passkey reply to Unknown device");
452         return;
453     }
454 
455     p_dev_rec->sec_flags   |= BTM_SEC_LE_AUTHENTICATED;
456     BTM_TRACE_DEBUG ("%s", __func__);
457     SMP_ConfirmReply(bd_addr, res_smp);
458 }
459 
460 /*******************************************************************************
461 **
462 ** Function         BTM_BleOobDataReply
463 **
464 ** Description      This function is called to provide the OOB data for
465 **                  SMP in response to BTM_LE_OOB_REQ_EVT
466 **
467 ** Parameters:      bd_addr     - Address of the peer device
468 **                  res         - result of the operation SMP_SUCCESS if success
469 **                  p_data      - simple pairing Randomizer  C.
470 **
471 *******************************************************************************/
BTM_BleOobDataReply(BD_ADDR bd_addr,UINT8 res,UINT8 len,UINT8 * p_data)472 void BTM_BleOobDataReply(BD_ADDR bd_addr, UINT8 res, UINT8 len, UINT8 *p_data)
473 {
474 #if SMP_INCLUDED == TRUE
475     tSMP_STATUS res_smp = (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_OOB_FAIL;
476     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev (bd_addr);
477 
478     BTM_TRACE_DEBUG ("BTM_BleOobDataReply");
479 
480     if (p_dev_rec == NULL)
481     {
482         BTM_TRACE_ERROR("BTM_BleOobDataReply() to Unknown device");
483         return;
484     }
485 
486     p_dev_rec->sec_flags |= BTM_SEC_LE_AUTHENTICATED;
487     SMP_OobDataReply(bd_addr, res_smp, len, p_data);
488 #endif
489 }
490 
491 /******************************************************************************
492 **
493 ** Function         BTM_BleSetConnScanParams
494 **
495 ** Description      Set scan parameter used in BLE connection request
496 **
497 ** Parameters:      scan_interval: scan interval
498 **                  scan_window: scan window
499 **
500 ** Returns          void
501 **
502 *******************************************************************************/
BTM_BleSetConnScanParams(UINT32 scan_interval,UINT32 scan_window)503 void BTM_BleSetConnScanParams (UINT32 scan_interval, UINT32 scan_window)
504 {
505 #if SMP_INCLUDED == TRUE
506     tBTM_BLE_CB *p_ble_cb = &btm_cb.ble_ctr_cb;
507     BOOLEAN     new_param = FALSE;
508 
509     if (BTM_BLE_ISVALID_PARAM(scan_interval, BTM_BLE_SCAN_INT_MIN, BTM_BLE_SCAN_INT_MAX) &&
510         BTM_BLE_ISVALID_PARAM(scan_window, BTM_BLE_SCAN_WIN_MIN, BTM_BLE_SCAN_WIN_MAX))
511     {
512         if (p_ble_cb->scan_int != scan_interval)
513         {
514             p_ble_cb->scan_int = scan_interval;
515             new_param = TRUE;
516         }
517 
518         if (p_ble_cb->scan_win != scan_window)
519         {
520             p_ble_cb->scan_win = scan_window;
521             new_param = TRUE;
522         }
523 
524         if (new_param && p_ble_cb->conn_state == BLE_BG_CONN)
525         {
526             btm_ble_suspend_bg_conn();
527         }
528     }
529     else
530     {
531         BTM_TRACE_ERROR("Illegal Connection Scan Parameters");
532     }
533 #endif
534 }
535 
536 /********************************************************
537 **
538 ** Function         BTM_BleSetPrefConnParams
539 **
540 ** Description      Set a peripheral's preferred connection parameters
541 **
542 ** Parameters:      bd_addr          - BD address of the peripheral
543 **                  scan_interval: scan interval
544 **                  scan_window: scan window
545 **                  min_conn_int     - minimum preferred connection interval
546 **                  max_conn_int     - maximum preferred connection interval
547 **                  slave_latency    - preferred slave latency
548 **                  supervision_tout - preferred supervision timeout
549 **
550 ** Returns          void
551 **
552 *******************************************************************************/
BTM_BleSetPrefConnParams(BD_ADDR bd_addr,UINT16 min_conn_int,UINT16 max_conn_int,UINT16 slave_latency,UINT16 supervision_tout)553 void BTM_BleSetPrefConnParams (BD_ADDR bd_addr,
554                                UINT16 min_conn_int, UINT16 max_conn_int,
555                                UINT16 slave_latency, UINT16 supervision_tout)
556 {
557     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev (bd_addr);
558 
559     BTM_TRACE_API ("BTM_BleSetPrefConnParams min: %u  max: %u  latency: %u  \
560                     tout: %u",
561                     min_conn_int, max_conn_int, slave_latency, supervision_tout);
562 
563     if (BTM_BLE_ISVALID_PARAM(min_conn_int, BTM_BLE_CONN_INT_MIN, BTM_BLE_CONN_INT_MAX) &&
564         BTM_BLE_ISVALID_PARAM(max_conn_int, BTM_BLE_CONN_INT_MIN, BTM_BLE_CONN_INT_MAX) &&
565         BTM_BLE_ISVALID_PARAM(supervision_tout, BTM_BLE_CONN_SUP_TOUT_MIN, BTM_BLE_CONN_SUP_TOUT_MAX) &&
566         (slave_latency <= BTM_BLE_CONN_LATENCY_MAX || slave_latency == BTM_BLE_CONN_PARAM_UNDEF))
567     {
568         if (p_dev_rec)
569         {
570             /* expect conn int and stout and slave latency to be updated all together */
571             if (min_conn_int != BTM_BLE_CONN_PARAM_UNDEF || max_conn_int != BTM_BLE_CONN_PARAM_UNDEF)
572             {
573                 if (min_conn_int != BTM_BLE_CONN_PARAM_UNDEF)
574                     p_dev_rec->conn_params.min_conn_int = min_conn_int;
575                 else
576                     p_dev_rec->conn_params.min_conn_int = max_conn_int;
577 
578                 if (max_conn_int != BTM_BLE_CONN_PARAM_UNDEF)
579                     p_dev_rec->conn_params.max_conn_int = max_conn_int;
580                 else
581                     p_dev_rec->conn_params.max_conn_int = min_conn_int;
582 
583                 if (slave_latency != BTM_BLE_CONN_PARAM_UNDEF)
584                     p_dev_rec->conn_params.slave_latency = slave_latency;
585                 else
586                     p_dev_rec->conn_params.slave_latency = BTM_BLE_CONN_SLAVE_LATENCY_DEF;
587 
588                 if (supervision_tout != BTM_BLE_CONN_PARAM_UNDEF)
589                     p_dev_rec->conn_params.supervision_tout = supervision_tout;
590                 else
591                     p_dev_rec->conn_params.supervision_tout = BTM_BLE_CONN_TIMEOUT_DEF;
592 
593             }
594 
595         }
596         else
597         {
598             BTM_TRACE_ERROR("Unknown Device, setting rejected");
599         }
600     }
601     else
602     {
603         BTM_TRACE_ERROR("Illegal Connection Parameters");
604     }
605 }
606 
607 /*******************************************************************************
608 **
609 ** Function         BTM_ReadDevInfo
610 **
611 ** Description      This function is called to read the device/address type
612 **                  of BD address.
613 **
614 ** Parameter        remote_bda: remote device address
615 **                  p_dev_type: output parameter to read the device type.
616 **                  p_addr_type: output parameter to read the address type.
617 **
618 *******************************************************************************/
BTM_ReadDevInfo(BD_ADDR remote_bda,tBT_DEVICE_TYPE * p_dev_type,tBLE_ADDR_TYPE * p_addr_type)619 void BTM_ReadDevInfo (BD_ADDR remote_bda, tBT_DEVICE_TYPE *p_dev_type, tBLE_ADDR_TYPE *p_addr_type)
620 {
621     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev (remote_bda);
622     tBTM_INQ_INFO     *p_inq_info = BTM_InqDbRead(remote_bda);
623 
624     *p_addr_type = BLE_ADDR_PUBLIC;
625 
626     if (!p_dev_rec)
627     {
628         *p_dev_type = BT_DEVICE_TYPE_BREDR;
629         /* Check with the BT manager if details about remote device are known */
630         if (p_inq_info != NULL)
631         {
632             *p_dev_type = p_inq_info->results.device_type ;
633             *p_addr_type = p_inq_info->results.ble_addr_type;
634         } else {
635             /* unknown device, assume BR/EDR */
636             BTM_TRACE_DEBUG ("btm_find_dev_type - unknown device, BR/EDR assumed");
637         }
638     }
639     else /* there is a security device record exisitng */
640     {
641         /* new inquiry result, overwrite device type in security device record */
642         if (p_inq_info)
643         {
644             p_dev_rec->device_type          = p_inq_info->results.device_type;
645             p_dev_rec->ble.ble_addr_type    = p_inq_info->results.ble_addr_type;
646         }
647         if (memcmp(p_dev_rec->bd_addr, remote_bda, BD_ADDR_LEN) == 0 &&
648             memcmp(p_dev_rec->ble.pseudo_addr, remote_bda, BD_ADDR_LEN) == 0)
649         {
650             *p_dev_type = p_dev_rec->device_type;
651             *p_addr_type = p_dev_rec->ble.ble_addr_type;
652         }
653         else if (memcmp(p_dev_rec->ble.pseudo_addr, remote_bda, BD_ADDR_LEN) == 0)
654         {
655             *p_dev_type = BT_DEVICE_TYPE_BLE;
656             *p_addr_type = p_dev_rec->ble.ble_addr_type;
657         }
658         else  /* matching static adddress only */
659         {
660             *p_dev_type = BT_DEVICE_TYPE_BREDR;
661             *p_addr_type = BLE_ADDR_PUBLIC;
662         }
663 
664     }
665 
666     BTM_TRACE_DEBUG ("btm_find_dev_type - device_type = %d addr_type = %d", *p_dev_type , *p_addr_type);
667 }
668 
669 
670 /*******************************************************************************
671 **
672 ** Function         BTM_ReadConnectedTransportAddress
673 **
674 ** Description      This function is called to read the paired device/address type of other device paired
675 **                  corresponding to the BD_address
676 **
677 ** Parameter        remote_bda: remote device address, carry out the transport address
678 **                  transport: active transport
679 **
680 ** Return           TRUE if an active link is identified; FALSE otherwise
681 **
682 *******************************************************************************/
BTM_ReadConnectedTransportAddress(BD_ADDR remote_bda,tBT_TRANSPORT transport)683 BOOLEAN BTM_ReadConnectedTransportAddress(BD_ADDR remote_bda, tBT_TRANSPORT transport)
684 {
685     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev(remote_bda);
686     tACL_CONN *p = btm_bda_to_acl(remote_bda, transport);
687 
688     /* if no device can be located, return */
689     if (p_dev_rec == NULL)
690         return FALSE;
691 
692     if (transport == BT_TRANSPORT_BR_EDR)
693     {
694         if (btm_bda_to_acl(p_dev_rec->bd_addr, transport) != NULL)
695         {
696             memcpy(remote_bda, p_dev_rec->bd_addr, BD_ADDR_LEN);
697             return TRUE;
698         }
699         else if (p_dev_rec->device_type & BT_DEVICE_TYPE_BREDR)
700         {
701             memcpy(remote_bda, p_dev_rec->bd_addr, BD_ADDR_LEN);
702         }
703         else
704             memset(remote_bda, 0, BD_ADDR_LEN);
705         return FALSE;
706     }
707 
708     if (transport == BT_TRANSPORT_LE)
709     {
710         memcpy(remote_bda, p_dev_rec->ble.pseudo_addr, BD_ADDR_LEN);
711         if (btm_bda_to_acl(p_dev_rec->ble.pseudo_addr, transport) != NULL)
712             return TRUE;
713         else
714             return FALSE;
715     }
716 
717     return FALSE;
718 }
719 
720 /*******************************************************************************
721 **
722 ** Function         BTM_BleReceiverTest
723 **
724 ** Description      This function is called to start the LE Receiver test
725 **
726 ** Parameter       rx_freq - Frequency Range
727 **               p_cmd_cmpl_cback - Command Complete callback
728 **
729 *******************************************************************************/
BTM_BleReceiverTest(UINT8 rx_freq,tBTM_CMPL_CB * p_cmd_cmpl_cback)730 void BTM_BleReceiverTest(UINT8 rx_freq, tBTM_CMPL_CB *p_cmd_cmpl_cback)
731 {
732      btm_cb.devcb.p_le_test_cmd_cmpl_cb = p_cmd_cmpl_cback;
733 
734      if (btsnd_hcic_ble_receiver_test(rx_freq) == FALSE)
735      {
736           BTM_TRACE_ERROR("%s: Unable to Trigger LE receiver test", __FUNCTION__);
737      }
738 }
739 
740 /*******************************************************************************
741 **
742 ** Function         BTM_BleTransmitterTest
743 **
744 ** Description      This function is called to start the LE Transmitter test
745 **
746 ** Parameter       tx_freq - Frequency Range
747 **                       test_data_len - Length in bytes of payload data in each packet
748 **                       packet_payload - Pattern to use in the payload
749 **                       p_cmd_cmpl_cback - Command Complete callback
750 **
751 *******************************************************************************/
BTM_BleTransmitterTest(UINT8 tx_freq,UINT8 test_data_len,UINT8 packet_payload,tBTM_CMPL_CB * p_cmd_cmpl_cback)752 void BTM_BleTransmitterTest(UINT8 tx_freq, UINT8 test_data_len,
753                                  UINT8 packet_payload, tBTM_CMPL_CB *p_cmd_cmpl_cback)
754 {
755      btm_cb.devcb.p_le_test_cmd_cmpl_cb = p_cmd_cmpl_cback;
756      if (btsnd_hcic_ble_transmitter_test(tx_freq, test_data_len, packet_payload) == FALSE)
757      {
758           BTM_TRACE_ERROR("%s: Unable to Trigger LE transmitter test", __FUNCTION__);
759      }
760 }
761 
762 /*******************************************************************************
763 **
764 ** Function         BTM_BleTestEnd
765 **
766 ** Description      This function is called to stop the in-progress TX or RX test
767 **
768 ** Parameter       p_cmd_cmpl_cback - Command complete callback
769 **
770 *******************************************************************************/
BTM_BleTestEnd(tBTM_CMPL_CB * p_cmd_cmpl_cback)771 void BTM_BleTestEnd(tBTM_CMPL_CB *p_cmd_cmpl_cback)
772 {
773      btm_cb.devcb.p_le_test_cmd_cmpl_cb = p_cmd_cmpl_cback;
774 
775      if (btsnd_hcic_ble_test_end() == FALSE)
776      {
777           BTM_TRACE_ERROR("%s: Unable to End the LE TX/RX test", __FUNCTION__);
778      }
779 }
780 
781 /*******************************************************************************
782 ** Internal Functions
783 *******************************************************************************/
btm_ble_test_command_complete(UINT8 * p)784 void btm_ble_test_command_complete(UINT8 *p)
785 {
786     tBTM_CMPL_CB   *p_cb = btm_cb.devcb.p_le_test_cmd_cmpl_cb;
787 
788     btm_cb.devcb.p_le_test_cmd_cmpl_cb = NULL;
789 
790     if (p_cb)
791     {
792         (*p_cb)(p);
793     }
794 }
795 
796 /*******************************************************************************
797 **
798 ** Function         BTM_UseLeLink
799 **
800 ** Description      This function is to select the underneath physical link to use.
801 **
802 ** Returns          TRUE to use LE, FALSE use BR/EDR.
803 **
804 *******************************************************************************/
BTM_UseLeLink(BD_ADDR bd_addr)805 BOOLEAN BTM_UseLeLink (BD_ADDR bd_addr)
806 {
807     tACL_CONN         *p;
808     tBT_DEVICE_TYPE     dev_type;
809     tBLE_ADDR_TYPE      addr_type;
810     BOOLEAN             use_le = FALSE;
811 
812     if ((p = btm_bda_to_acl(bd_addr, BT_TRANSPORT_BR_EDR)) != NULL)
813     {
814         return use_le;
815     }
816     else if ((p = btm_bda_to_acl(bd_addr, BT_TRANSPORT_LE)) != NULL)
817     {
818         use_le = TRUE;
819     }
820     else
821     {
822         BTM_ReadDevInfo(bd_addr, &dev_type, &addr_type);
823         use_le = (dev_type == BT_DEVICE_TYPE_BLE);
824     }
825     return use_le;
826 }
827 
828 
829 /*******************************************************************************
830 **
831 ** Function         BTM_SetBleDataLength
832 **
833 ** Description      This function is to set maximum BLE transmission packet size
834 **
835 ** Returns          BTM_SUCCESS if success; otherwise failed.
836 **
837 *******************************************************************************/
BTM_SetBleDataLength(BD_ADDR bd_addr,UINT16 tx_pdu_length)838 tBTM_STATUS BTM_SetBleDataLength(BD_ADDR bd_addr, UINT16 tx_pdu_length)
839 {
840     tACL_CONN *p_acl = btm_bda_to_acl(bd_addr, BT_TRANSPORT_LE);
841     BTM_TRACE_DEBUG("%s: tx_pdu_length =%d", __FUNCTION__, tx_pdu_length);
842 
843     if (!controller_get_interface()->supports_ble_packet_extension())
844     {
845         BTM_TRACE_ERROR("%s failed, request not supported", __FUNCTION__);
846         return BTM_ILLEGAL_VALUE;
847     }
848 
849     if (!HCI_LE_DATA_LEN_EXT_SUPPORTED(p_acl->peer_le_features))
850     {
851         BTM_TRACE_ERROR("%s failed, peer does not support request", __FUNCTION__);
852         return BTM_ILLEGAL_VALUE;
853     }
854 
855     if (p_acl != NULL)
856     {
857         if (tx_pdu_length > BTM_BLE_DATA_SIZE_MAX)
858             tx_pdu_length =  BTM_BLE_DATA_SIZE_MAX;
859         else if (tx_pdu_length < BTM_BLE_DATA_SIZE_MIN)
860             tx_pdu_length =  BTM_BLE_DATA_SIZE_MIN;
861 
862         /* always set the TxTime to be max, as controller does not care for now */
863         btsnd_hcic_ble_set_data_length(p_acl->hci_handle, tx_pdu_length,
864                                             BTM_BLE_DATA_TX_TIME_MAX);
865 
866         return BTM_SUCCESS;
867     }
868     else
869     {
870         BTM_TRACE_ERROR("%s: Wrong mode: no LE link exist or LE not supported",__FUNCTION__);
871         return BTM_WRONG_MODE;
872     }
873 }
874 
875 /*******************************************************************************
876 **
877 ** Function         btm_ble_rand_enc_complete
878 **
879 ** Description      This function is the callback functions for HCI_Rand command
880 **                  and HCI_Encrypt command is completed.
881 **                  This message is received from the HCI.
882 **
883 ** Returns          void
884 **
885 *******************************************************************************/
btm_ble_rand_enc_complete(UINT8 * p,UINT16 op_code,tBTM_RAND_ENC_CB * p_enc_cplt_cback)886 void btm_ble_rand_enc_complete (UINT8 *p, UINT16 op_code, tBTM_RAND_ENC_CB *p_enc_cplt_cback)
887 {
888     tBTM_RAND_ENC   params;
889     UINT8           *p_dest = params.param_buf;
890 
891     BTM_TRACE_DEBUG ("btm_ble_rand_enc_complete");
892 
893     memset(&params, 0, sizeof(tBTM_RAND_ENC));
894 
895     /* If there was a callback address for vcs complete, call it */
896     if (p_enc_cplt_cback && p)
897     {
898         /* Pass paramters to the callback function */
899         STREAM_TO_UINT8(params.status, p); /* command status */
900 
901         if (params.status == HCI_SUCCESS)
902         {
903             params.opcode = op_code;
904 
905             if (op_code == HCI_BLE_RAND)
906                 params.param_len = BT_OCTET8_LEN;
907             else
908                 params.param_len = BT_OCTET16_LEN;
909 
910             memcpy(p_dest, p, params.param_len);  /* Fetch return info from HCI event message */
911         }
912         if (p_enc_cplt_cback)
913             (*p_enc_cplt_cback)(&params);  /* Call the Encryption complete callback function */
914     }
915 }
916 
917 
918     #if (SMP_INCLUDED == TRUE)
919 
920 /*******************************************************************************
921 **
922 ** Function         btm_ble_get_enc_key_type
923 **
924 ** Description      This function is to increment local sign counter
925 ** Returns         None
926 **
927 *******************************************************************************/
btm_ble_increment_sign_ctr(BD_ADDR bd_addr,BOOLEAN is_local)928 void btm_ble_increment_sign_ctr(BD_ADDR bd_addr, BOOLEAN is_local )
929 {
930     tBTM_SEC_DEV_REC *p_dev_rec;
931 
932     BTM_TRACE_DEBUG ("btm_ble_increment_sign_ctr is_local=%d", is_local);
933 
934     if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
935     {
936         if (is_local)
937             p_dev_rec->ble.keys.local_counter++;
938         else
939             p_dev_rec->ble.keys.counter++;
940         BTM_TRACE_DEBUG ("is_local=%d local sign counter=%d peer sign counter=%d",
941                           is_local,
942                           p_dev_rec->ble.keys.local_counter,
943                           p_dev_rec->ble.keys.counter);
944     }
945 }
946 
947 /*******************************************************************************
948 **
949 ** Function         btm_ble_get_enc_key_type
950 **
951 ** Description      This function is to get the BLE key type that has been exchanged
952 **                  in betweem local device and peer device.
953 **
954 ** Returns          p_key_type: output parameter to carry the key type value.
955 **
956 *******************************************************************************/
btm_ble_get_enc_key_type(BD_ADDR bd_addr,UINT8 * p_key_types)957 BOOLEAN btm_ble_get_enc_key_type(BD_ADDR bd_addr, UINT8 *p_key_types)
958 {
959     tBTM_SEC_DEV_REC *p_dev_rec;
960 
961     BTM_TRACE_DEBUG ("btm_ble_get_enc_key_type");
962 
963     if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
964     {
965         *p_key_types = p_dev_rec->ble.key_type;
966         return TRUE;
967     }
968     return FALSE;
969 }
970 
971 /*******************************************************************************
972 **
973 ** Function         btm_get_local_div
974 **
975 ** Description      This function is called to read the local DIV
976 **
977 ** Returns          TURE - if a valid DIV is availavle
978 *******************************************************************************/
btm_get_local_div(BD_ADDR bd_addr,UINT16 * p_div)979 BOOLEAN btm_get_local_div (BD_ADDR bd_addr, UINT16 *p_div)
980 {
981     tBTM_SEC_DEV_REC   *p_dev_rec;
982     BOOLEAN            status = FALSE;
983     BTM_TRACE_DEBUG ("btm_get_local_div");
984 
985     BTM_TRACE_DEBUG("bd_addr:%02x-%02x-%02x-%02x-%02x-%02x",
986                      bd_addr[0],bd_addr[1],
987                      bd_addr[2],bd_addr[3],
988                      bd_addr[4],bd_addr[5]);
989 
990     *p_div = 0;
991     p_dev_rec = btm_find_dev (bd_addr);
992 
993     if (p_dev_rec && p_dev_rec->ble.keys.div)
994     {
995         status = TRUE;
996         *p_div = p_dev_rec->ble.keys.div;
997     }
998     BTM_TRACE_DEBUG ("btm_get_local_div status=%d (1-OK) DIV=0x%x", status, *p_div);
999     return status;
1000 }
1001 
1002 /*******************************************************************************
1003 **
1004 ** Function         btm_sec_save_le_key
1005 **
1006 ** Description      This function is called by the SMP to update
1007 **                  an  BLE key.  SMP is internal, whereas all the keys shall
1008 **                  be sent to the application.  The function is also called
1009 **                  when application passes ble key stored in NVRAM to the btm_sec.
1010 **                  pass_to_application parameter is false in this case.
1011 **
1012 ** Returns          void
1013 **
1014 *******************************************************************************/
btm_sec_save_le_key(BD_ADDR bd_addr,tBTM_LE_KEY_TYPE key_type,tBTM_LE_KEY_VALUE * p_keys,BOOLEAN pass_to_application)1015 void btm_sec_save_le_key(BD_ADDR bd_addr, tBTM_LE_KEY_TYPE key_type, tBTM_LE_KEY_VALUE *p_keys,
1016                          BOOLEAN pass_to_application)
1017 {
1018     tBTM_SEC_DEV_REC *p_rec;
1019     tBTM_LE_EVT_DATA    cb_data;
1020     UINT8 i;
1021 
1022     BTM_TRACE_DEBUG ("btm_sec_save_le_key key_type=0x%x pass_to_application=%d",key_type, pass_to_application);
1023     /* Store the updated key in the device database */
1024 
1025     BTM_TRACE_DEBUG("bd_addr:%02x-%02x-%02x-%02x-%02x-%02x",
1026                      bd_addr[0],bd_addr[1],
1027                      bd_addr[2],bd_addr[3],
1028                      bd_addr[4],bd_addr[5]);
1029 
1030     if ((p_rec = btm_find_dev (bd_addr)) != NULL && (p_keys || key_type== BTM_LE_KEY_LID))
1031     {
1032         btm_ble_init_pseudo_addr (p_rec, bd_addr);
1033 
1034         switch (key_type)
1035         {
1036             case BTM_LE_KEY_PENC:
1037                 memcpy(p_rec->ble.keys.pltk, p_keys->penc_key.ltk, BT_OCTET16_LEN);
1038                 memcpy(p_rec->ble.keys.rand, p_keys->penc_key.rand, BT_OCTET8_LEN);
1039                 p_rec->ble.keys.sec_level = p_keys->penc_key.sec_level;
1040                 p_rec->ble.keys.ediv = p_keys->penc_key.ediv;
1041                 p_rec->ble.keys.key_size = p_keys->penc_key.key_size;
1042                 p_rec->ble.key_type |= BTM_LE_KEY_PENC;
1043                 p_rec->sec_flags |= BTM_SEC_LE_LINK_KEY_KNOWN;
1044                 if (p_keys->penc_key.sec_level == SMP_SEC_AUTHENTICATED)
1045                     p_rec->sec_flags |= BTM_SEC_LE_LINK_KEY_AUTHED;
1046                 else
1047                     p_rec->sec_flags &= ~BTM_SEC_LE_LINK_KEY_AUTHED;
1048                 BTM_TRACE_DEBUG("BTM_LE_KEY_PENC key_type=0x%x sec_flags=0x%x sec_leve=0x%x",
1049                                  p_rec->ble.key_type,
1050                                  p_rec->sec_flags,
1051                                  p_rec->ble.keys.sec_level);
1052                 break;
1053 
1054             case BTM_LE_KEY_PID:
1055                 for (i=0; i<BT_OCTET16_LEN; i++)
1056                 {
1057                     p_rec->ble.keys.irk[i] = p_keys->pid_key.irk[i];
1058                 }
1059 
1060                  //memcpy( p_rec->ble.keys.irk, p_keys->pid_key, BT_OCTET16_LEN); todo will crash the system
1061                 memcpy(p_rec->ble.static_addr, p_keys->pid_key.static_addr, BD_ADDR_LEN);
1062                 p_rec->ble.static_addr_type = p_keys->pid_key.addr_type;
1063                 p_rec->ble.key_type |= BTM_LE_KEY_PID;
1064                 BTM_TRACE_DEBUG("BTM_LE_KEY_PID key_type=0x%x save peer IRK",  p_rec->ble.key_type);
1065                  /* update device record address as static address */
1066                 memcpy(p_rec->bd_addr, p_keys->pid_key.static_addr, BD_ADDR_LEN);
1067                 /* combine DUMO device security record if needed */
1068                 btm_consolidate_dev(p_rec);
1069                 break;
1070 
1071             case BTM_LE_KEY_PCSRK:
1072                 memcpy(p_rec->ble.keys.pcsrk, p_keys->pcsrk_key.csrk, BT_OCTET16_LEN);
1073                 p_rec->ble.keys.srk_sec_level = p_keys->pcsrk_key.sec_level;
1074                 p_rec->ble.keys.counter  = p_keys->pcsrk_key.counter;
1075                 p_rec->ble.key_type |= BTM_LE_KEY_PCSRK;
1076                 p_rec->sec_flags |=  BTM_SEC_LE_LINK_KEY_KNOWN;
1077                 if ( p_keys->pcsrk_key.sec_level== SMP_SEC_AUTHENTICATED)
1078                     p_rec->sec_flags |= BTM_SEC_LE_LINK_KEY_AUTHED;
1079                 else
1080                     p_rec->sec_flags &= ~BTM_SEC_LE_LINK_KEY_AUTHED;
1081 
1082                 BTM_TRACE_DEBUG("BTM_LE_KEY_PCSRK key_type=0x%x sec_flags=0x%x sec_level=0x%x peer_counter=%d",
1083                                  p_rec->ble.key_type,
1084                                  p_rec->sec_flags,
1085                                  p_rec->ble.keys.srk_sec_level,
1086                                  p_rec->ble.keys.counter );
1087                 break;
1088 
1089             case BTM_LE_KEY_LENC:
1090                 memcpy(p_rec->ble.keys.lltk, p_keys->lenc_key.ltk, BT_OCTET16_LEN);
1091                 p_rec->ble.keys.div = p_keys->lenc_key.div; /* update DIV */
1092                 p_rec->ble.keys.sec_level = p_keys->lenc_key.sec_level;
1093                 p_rec->ble.keys.key_size = p_keys->lenc_key.key_size;
1094                 p_rec->ble.key_type |= BTM_LE_KEY_LENC;
1095 
1096                 BTM_TRACE_DEBUG("BTM_LE_KEY_LENC key_type=0x%x DIV=0x%x key_size=0x%x sec_level=0x%x",
1097                                  p_rec->ble.key_type,
1098                                  p_rec->ble.keys.div,
1099                                  p_rec->ble.keys.key_size,
1100                                  p_rec->ble.keys.sec_level );
1101                 break;
1102 
1103             case BTM_LE_KEY_LCSRK:/* local CSRK has been delivered */
1104                 memcpy (p_rec->ble.keys.lcsrk, p_keys->lcsrk_key.csrk, BT_OCTET16_LEN);
1105                 p_rec->ble.keys.div = p_keys->lcsrk_key.div; /* update DIV */
1106                 p_rec->ble.keys.local_csrk_sec_level = p_keys->lcsrk_key.sec_level;
1107                 p_rec->ble.keys.local_counter  = p_keys->lcsrk_key.counter;
1108                 p_rec->ble.key_type |= BTM_LE_KEY_LCSRK;
1109                 BTM_TRACE_DEBUG("BTM_LE_KEY_LCSRK key_type=0x%x DIV=0x%x scrk_sec_level=0x%x local_counter=%d",
1110                                  p_rec->ble.key_type,
1111                                  p_rec->ble.keys.div,
1112                                  p_rec->ble.keys.local_csrk_sec_level,
1113                                  p_rec->ble.keys.local_counter );
1114                 break;
1115 
1116             case BTM_LE_KEY_LID:
1117                p_rec->ble.key_type |= BTM_LE_KEY_LID;
1118                break;
1119             default:
1120                 BTM_TRACE_WARNING("btm_sec_save_le_key (Bad key_type 0x%02x)", key_type);
1121                 return;
1122         }
1123 
1124         BTM_TRACE_DEBUG ("BLE key type 0x%02x updated for BDA: %08x%04x (btm_sec_save_le_key)", key_type,
1125                           (bd_addr[0]<<24)+(bd_addr[1]<<16)+(bd_addr[2]<<8)+bd_addr[3],
1126                           (bd_addr[4]<<8)+bd_addr[5]);
1127 
1128         /* Notify the application that one of the BLE keys has been updated
1129            If link key is in progress, it will get sent later.*/
1130         if (pass_to_application && btm_cb.api.p_le_callback)
1131         {
1132             cb_data.key.p_key_value = p_keys;
1133             cb_data.key.key_type = key_type;
1134 
1135             (*btm_cb.api.p_le_callback) (BTM_LE_KEY_EVT, bd_addr, &cb_data);
1136         }
1137         return;
1138     }
1139 
1140     BTM_TRACE_WARNING ("BLE key type 0x%02x called for Unknown BDA or type: %08x%04x !! (btm_sec_save_le_key)", key_type,
1141                         (bd_addr[0]<<24)+(bd_addr[1]<<16)+(bd_addr[2]<<8)+bd_addr[3],
1142                         (bd_addr[4]<<8)+bd_addr[5]);
1143 
1144     if (p_rec)
1145     {
1146         BTM_TRACE_DEBUG ("sec_flags=0x%x", p_rec->sec_flags);
1147     }
1148 }
1149 
1150 /*******************************************************************************
1151 **
1152 ** Function         btm_ble_update_sec_key_size
1153 **
1154 ** Description      update the current lin kencryption key size
1155 **
1156 ** Returns          void
1157 **
1158 *******************************************************************************/
btm_ble_update_sec_key_size(BD_ADDR bd_addr,UINT8 enc_key_size)1159 void btm_ble_update_sec_key_size(BD_ADDR bd_addr, UINT8 enc_key_size)
1160 {
1161     tBTM_SEC_DEV_REC *p_rec;
1162 
1163     BTM_TRACE_DEBUG("btm_ble_update_sec_key_size enc_key_size = %d", enc_key_size);
1164 
1165     if ((p_rec = btm_find_dev (bd_addr)) != NULL )
1166     {
1167         p_rec->enc_key_size = enc_key_size;
1168     }
1169 }
1170 
1171 /*******************************************************************************
1172 **
1173 ** Function         btm_ble_read_sec_key_size
1174 **
1175 ** Description      update the current lin kencryption key size
1176 **
1177 ** Returns          void
1178 **
1179 *******************************************************************************/
btm_ble_read_sec_key_size(BD_ADDR bd_addr)1180 UINT8 btm_ble_read_sec_key_size(BD_ADDR bd_addr)
1181 {
1182     tBTM_SEC_DEV_REC *p_rec;
1183 
1184     if ((p_rec = btm_find_dev (bd_addr)) != NULL )
1185     {
1186         return p_rec->enc_key_size;
1187     }
1188     else
1189         return 0;
1190 }
1191 
1192 /*******************************************************************************
1193 **
1194 ** Function         btm_ble_link_sec_check
1195 **
1196 ** Description      Check BLE link security level match.
1197 **
1198 ** Returns          TRUE: check is OK and the *p_sec_req_act contain the action
1199 **
1200 *******************************************************************************/
btm_ble_link_sec_check(BD_ADDR bd_addr,tBTM_LE_AUTH_REQ auth_req,tBTM_BLE_SEC_REQ_ACT * p_sec_req_act)1201 void btm_ble_link_sec_check(BD_ADDR bd_addr, tBTM_LE_AUTH_REQ auth_req, tBTM_BLE_SEC_REQ_ACT *p_sec_req_act)
1202 {
1203     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr);
1204     UINT8 req_sec_level = BTM_LE_SEC_NONE, cur_sec_level = BTM_LE_SEC_NONE;
1205 
1206     BTM_TRACE_DEBUG ("btm_ble_link_sec_check auth_req =0x%x", auth_req);
1207 
1208     if (p_dev_rec == NULL)
1209     {
1210         BTM_TRACE_ERROR ("btm_ble_link_sec_check received for unknown device");
1211         return;
1212     }
1213 
1214     if (p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING ||
1215         p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING)
1216     {
1217         /* race condition: discard the security request while master is encrypting the link */
1218         *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_DISCARD;
1219     }
1220     else
1221     {
1222         req_sec_level = BTM_LE_SEC_UNAUTHENTICATE;
1223         if (auth_req & BTM_LE_AUTH_REQ_MITM)
1224         {
1225             req_sec_level = BTM_LE_SEC_AUTHENTICATED;
1226         }
1227 
1228         BTM_TRACE_DEBUG ("dev_rec sec_flags=0x%x", p_dev_rec->sec_flags);
1229 
1230         /* currently encrpted  */
1231         if (p_dev_rec->sec_flags & BTM_SEC_LE_ENCRYPTED)
1232         {
1233             if (p_dev_rec->sec_flags & BTM_SEC_LE_AUTHENTICATED)
1234                 cur_sec_level = BTM_LE_SEC_AUTHENTICATED;
1235             else
1236                 cur_sec_level = BTM_LE_SEC_UNAUTHENTICATE;
1237         }
1238         else /* unencrypted link */
1239         {
1240             /* if bonded, get the key security level */
1241             if (p_dev_rec->ble.key_type & BTM_LE_KEY_PENC)
1242                 cur_sec_level = p_dev_rec->ble.keys.sec_level;
1243             else
1244                 cur_sec_level = BTM_LE_SEC_NONE;
1245         }
1246 
1247         if (cur_sec_level >= req_sec_level)
1248         {
1249             /* To avoid re-encryption on an encrypted link for an equal condition encryption */
1250             *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_ENCRYPT;
1251         }
1252         else
1253         {
1254             *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_PAIR; /* start the pariring process to upgrade the keys*/
1255         }
1256     }
1257 
1258     BTM_TRACE_DEBUG("cur_sec_level=%d req_sec_level=%d sec_req_act=%d",
1259                      cur_sec_level,
1260                      req_sec_level,
1261                      *p_sec_req_act);
1262 
1263 }
1264 
1265 /*******************************************************************************
1266 **
1267 ** Function         btm_ble_set_encryption
1268 **
1269 ** Description      This function is called to ensure that LE connection is
1270 **                  encrypted.  Should be called only on an open connection.
1271 **                  Typically only needed for connections that first want to
1272 **                  bring up unencrypted links, then later encrypt them.
1273 **
1274 ** Returns          void
1275 **                  the local device ER is copied into er
1276 **
1277 *******************************************************************************/
btm_ble_set_encryption(BD_ADDR bd_addr,void * p_ref_data,UINT8 link_role)1278 tBTM_STATUS btm_ble_set_encryption (BD_ADDR bd_addr, void *p_ref_data, UINT8 link_role)
1279 {
1280     tBTM_STATUS         cmd = BTM_NO_RESOURCES;
1281     tBTM_BLE_SEC_ACT    sec_act = *(tBTM_BLE_SEC_ACT *)p_ref_data ;
1282     tBTM_SEC_DEV_REC    *p_rec = btm_find_dev (bd_addr);
1283     tBTM_BLE_SEC_REQ_ACT sec_req_act;
1284     tBTM_LE_AUTH_REQ    auth_req;
1285 
1286     if (p_rec == NULL)
1287     {
1288         BTM_TRACE_WARNING ("btm_ble_set_encryption (NULL device record!! sec_act=0x%x", sec_act);
1289         return(BTM_WRONG_MODE);
1290     }
1291 
1292     BTM_TRACE_DEBUG ("btm_ble_set_encryption sec_act=0x%x role_master=%d", sec_act, p_rec->role_master);
1293 
1294     if (sec_act == BTM_BLE_SEC_ENCRYPT_MITM)
1295     {
1296         p_rec->security_required |= BTM_SEC_IN_MITM;
1297     }
1298 
1299     switch (sec_act)
1300     {
1301         case BTM_BLE_SEC_ENCRYPT:
1302             if (link_role == BTM_ROLE_MASTER)
1303             {
1304                     /* start link layer encryption using the security info stored */
1305                 cmd = btm_ble_start_encrypt(bd_addr, FALSE, NULL);
1306                 break;
1307             }
1308             /* if salve role then fall through to call SMP_Pair below which will send a
1309                sec_request to request the master to encrypt the link */
1310         case BTM_BLE_SEC_ENCRYPT_NO_MITM:
1311         case BTM_BLE_SEC_ENCRYPT_MITM:
1312             if (link_role == BTM_ROLE_MASTER)
1313             {
1314                 auth_req = (sec_act == BTM_BLE_SEC_ENCRYPT_NO_MITM)
1315                            ? SMP_AUTH_GEN_BOND : (SMP_AUTH_GEN_BOND | SMP_AUTH_YN_BIT);
1316                 btm_ble_link_sec_check (bd_addr, auth_req, &sec_req_act);
1317 
1318                 if (sec_req_act == BTM_BLE_SEC_REQ_ACT_ENCRYPT)
1319                 {
1320                    cmd = btm_ble_start_encrypt(bd_addr, FALSE, NULL);
1321                    break;
1322                 }
1323             }
1324 
1325             if (SMP_Pair(bd_addr) == SMP_STARTED)
1326             {
1327                 cmd = BTM_CMD_STARTED;
1328                 p_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING;
1329             }
1330             break;
1331 
1332         default:
1333             cmd = BTM_WRONG_MODE;
1334             break;
1335     }
1336     return cmd;
1337 }
1338 
1339 /*******************************************************************************
1340 **
1341 ** Function         btm_ble_ltk_request
1342 **
1343 ** Description      This function is called when encryption request is received
1344 **                  on a slave device.
1345 **
1346 **
1347 ** Returns          void
1348 **
1349 *******************************************************************************/
btm_ble_ltk_request(UINT16 handle,UINT8 rand[8],UINT16 ediv)1350 void btm_ble_ltk_request(UINT16 handle, UINT8 rand[8], UINT16 ediv)
1351 {
1352     tBTM_CB *p_cb = &btm_cb;
1353     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle);
1354     BT_OCTET8 dummy_stk = {0};
1355 
1356     BTM_TRACE_DEBUG ("btm_ble_ltk_request");
1357 
1358     p_cb->ediv = ediv;
1359 
1360     memcpy(p_cb->enc_rand, rand, BT_OCTET8_LEN);
1361 
1362     if (p_dev_rec != NULL)
1363     {
1364         if (!smp_proc_ltk_request(p_dev_rec->bd_addr))
1365             btm_ble_ltk_request_reply(p_dev_rec->bd_addr, FALSE, dummy_stk);
1366     }
1367 
1368 }
1369 
1370 /*******************************************************************************
1371 **
1372 ** Function         btm_ble_start_encrypt
1373 **
1374 ** Description      This function is called to start LE encryption.
1375 **
1376 **
1377 ** Returns          BTM_SUCCESS if encryption was started successfully
1378 **
1379 *******************************************************************************/
btm_ble_start_encrypt(BD_ADDR bda,BOOLEAN use_stk,BT_OCTET16 stk)1380 tBTM_STATUS btm_ble_start_encrypt(BD_ADDR bda, BOOLEAN use_stk, BT_OCTET16 stk)
1381 {
1382     tBTM_CB *p_cb = &btm_cb;
1383     tBTM_SEC_DEV_REC    *p_rec = btm_find_dev (bda);
1384     BT_OCTET8    dummy_rand = {0};
1385     tBTM_STATUS  rt = BTM_NO_RESOURCES;
1386 
1387     BTM_TRACE_DEBUG ("btm_ble_start_encrypt");
1388 
1389     if (!p_rec )
1390     {
1391         BTM_TRACE_ERROR("Link is not active, can not encrypt!");
1392         return BTM_WRONG_MODE;
1393     }
1394 
1395     if (p_rec->sec_state == BTM_SEC_STATE_ENCRYPTING)
1396     {
1397         BTM_TRACE_WARNING("Link Encryption is active, Busy!");
1398         return BTM_BUSY;
1399     }
1400 
1401     p_cb->enc_handle = p_rec->ble_hci_handle;
1402 
1403     if (use_stk)
1404     {
1405         if (btsnd_hcic_ble_start_enc(p_rec->ble_hci_handle, dummy_rand, 0, stk))
1406             rt = BTM_CMD_STARTED;
1407     }
1408     else if (p_rec->ble.key_type & BTM_LE_KEY_PENC)
1409     {
1410         if (btsnd_hcic_ble_start_enc(p_rec->ble_hci_handle, p_rec->ble.keys.rand,
1411                                      p_rec->ble.keys.ediv, p_rec->ble.keys.pltk))
1412             rt = BTM_CMD_STARTED;
1413     }
1414     else
1415     {
1416         BTM_TRACE_ERROR("No key available to encrypt the link");
1417     }
1418     if (rt == BTM_CMD_STARTED)
1419     {
1420         if (p_rec->sec_state == BTM_SEC_STATE_IDLE)
1421             p_rec->sec_state = BTM_SEC_STATE_ENCRYPTING;
1422     }
1423 
1424     return rt;
1425 }
1426 
1427 /*******************************************************************************
1428 **
1429 ** Function         btm_ble_link_encrypted
1430 **
1431 ** Description      This function is called when LE link encrption status is changed.
1432 **
1433 ** Returns          void
1434 **
1435 *******************************************************************************/
btm_ble_link_encrypted(BD_ADDR bd_addr,UINT8 encr_enable)1436 void btm_ble_link_encrypted(BD_ADDR bd_addr, UINT8 encr_enable)
1437 {
1438     tBTM_SEC_DEV_REC    *p_dev_rec = btm_find_dev (bd_addr);
1439     BOOLEAN             enc_cback;
1440 
1441     if (!p_dev_rec)
1442     {
1443         BTM_TRACE_WARNING ("btm_ble_link_encrypted (No Device Found!) encr_enable=%d", encr_enable);
1444         return;
1445     }
1446 
1447     BTM_TRACE_DEBUG ("btm_ble_link_encrypted encr_enable=%d", encr_enable);
1448 
1449     enc_cback = (p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING);
1450 
1451     smp_link_encrypted(bd_addr, encr_enable);
1452 
1453     BTM_TRACE_DEBUG(" p_dev_rec->sec_flags=0x%x", p_dev_rec->sec_flags);
1454 
1455     if (encr_enable && p_dev_rec->enc_key_size == 0)
1456         p_dev_rec->enc_key_size = p_dev_rec->ble.keys.key_size;
1457 
1458     p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
1459     if (p_dev_rec->p_callback && enc_cback)
1460     {
1461         if (encr_enable)
1462             btm_sec_dev_rec_cback_event(p_dev_rec, BTM_SUCCESS, TRUE);
1463         else if (p_dev_rec->role_master)
1464             btm_sec_dev_rec_cback_event(p_dev_rec, BTM_ERR_PROCESSING, TRUE);
1465 
1466     }
1467     /* to notify GATT to send data if any request is pending */
1468     gatt_notify_enc_cmpl(p_dev_rec->ble.pseudo_addr);
1469 }
1470 
1471 /*******************************************************************************
1472 ** Function         btm_enc_proc_ltk
1473 ** Description      send LTK reply when it's ready.
1474 *******************************************************************************/
btm_enc_proc_ltk(tSMP_ENC * p)1475 static void btm_enc_proc_ltk(tSMP_ENC *p)
1476 {
1477     UINT8   i;
1478     BTM_TRACE_DEBUG ("btm_enc_proc_ltk");
1479     if (p && p->param_len == BT_OCTET16_LEN)
1480     {
1481         for (i = 0; i < (BT_OCTET16_LEN - btm_cb.key_size); i ++)
1482             p->param_buf[BT_OCTET16_LEN - i - 1] = 0;
1483         btsnd_hcic_ble_ltk_req_reply(btm_cb.enc_handle, p->param_buf);
1484     }
1485 }
1486 
1487 /*******************************************************************************
1488 ** Function         btm_enc_proc_slave_y
1489 ** Description      calculate LTK when Y is ready
1490 *******************************************************************************/
btm_enc_proc_slave_y(tSMP_ENC * p)1491 static void btm_enc_proc_slave_y(tSMP_ENC *p)
1492 {
1493     UINT16  div, y;
1494     UINT8   *pp = p->param_buf;
1495     tBTM_CB *p_cb = &btm_cb;
1496     tSMP_ENC output;
1497     tBTM_SEC_DEV_REC *p_dev_rec;
1498 
1499     BTM_TRACE_DEBUG ("btm_enc_proc_slave_y");
1500     if (p != NULL)
1501     {
1502         STREAM_TO_UINT16(y, pp);
1503 
1504         div = p_cb->ediv ^ y;
1505         p_dev_rec = btm_find_dev_by_handle (p_cb->enc_handle);
1506 
1507         if ( p_dev_rec &&
1508              p_dev_rec->ble.keys.div == div )
1509         {
1510             BTM_TRACE_DEBUG ("LTK request OK");
1511             /* calculating LTK , LTK = E er(div) */
1512             SMP_Encrypt(p_cb->devcb.ble_encryption_key_value, BT_OCTET16_LEN, (UINT8 *)&div, 2, &output);
1513             btm_enc_proc_ltk(&output);
1514         }
1515         else
1516         {
1517             BTM_TRACE_DEBUG ("LTK request failed - send negative reply");
1518             btsnd_hcic_ble_ltk_req_neg_reply(p_cb->enc_handle);
1519             if (p_dev_rec)
1520                 btm_ble_link_encrypted(p_dev_rec->bd_addr, 0);
1521 
1522         }
1523     }
1524 }
1525 
1526 /*******************************************************************************
1527 **
1528 ** Function         btm_ble_ltk_request_reply
1529 **
1530 ** Description      This function is called to send a LTK request reply on a slave
1531 **                  device.
1532 **
1533 ** Returns          void
1534 **
1535 *******************************************************************************/
btm_ble_ltk_request_reply(BD_ADDR bda,BOOLEAN use_stk,BT_OCTET16 stk)1536 void btm_ble_ltk_request_reply(BD_ADDR bda,  BOOLEAN use_stk, BT_OCTET16 stk)
1537 {
1538     tBTM_SEC_DEV_REC    *p_rec = btm_find_dev (bda);
1539     tBTM_CB *p_cb = &btm_cb;
1540     tSMP_ENC output;
1541 
1542     if (p_rec == NULL)
1543     {
1544         BTM_TRACE_ERROR("btm_ble_ltk_request_reply received for unknown device");
1545         return;
1546     }
1547 
1548     BTM_TRACE_DEBUG ("btm_ble_ltk_request_reply");
1549     p_cb->enc_handle = p_rec->ble_hci_handle;
1550     p_cb->key_size = p_rec->ble.keys.key_size;
1551 
1552     BTM_TRACE_ERROR("key size = %d", p_rec->ble.keys.key_size);
1553     if (use_stk)
1554     {
1555         btsnd_hcic_ble_ltk_req_reply(btm_cb.enc_handle, stk);
1556     }
1557     else /* calculate LTK using peer device  */
1558     {
1559         if (p_rec->ble.key_type & BTM_LE_KEY_LENC)
1560             btsnd_hcic_ble_ltk_req_reply(btm_cb.enc_handle, p_rec->ble.keys.lltk);
1561         else
1562             btsnd_hcic_ble_ltk_req_neg_reply(btm_cb.enc_handle);
1563     }
1564 }
1565 
1566 /*******************************************************************************
1567 **
1568 ** Function         btm_ble_io_capabilities_req
1569 **
1570 ** Description      This function is called to handle SMP get IO capability request.
1571 **
1572 ** Returns          void
1573 **
1574 *******************************************************************************/
btm_ble_io_capabilities_req(tBTM_SEC_DEV_REC * p_dev_rec,tBTM_LE_IO_REQ * p_data)1575 UINT8 btm_ble_io_capabilities_req(tBTM_SEC_DEV_REC *p_dev_rec, tBTM_LE_IO_REQ *p_data)
1576 {
1577     UINT8           callback_rc = BTM_SUCCESS;
1578     BTM_TRACE_DEBUG ("btm_ble_io_capabilities_req");
1579     if (btm_cb.api.p_le_callback)
1580     {
1581         /* the callback function implementation may change the IO capability... */
1582         callback_rc = (*btm_cb.api.p_le_callback) (BTM_LE_IO_REQ_EVT, p_dev_rec->bd_addr, (tBTM_LE_EVT_DATA *)p_data);
1583     }
1584 #if BTM_OOB_INCLUDED == TRUE
1585     if ((callback_rc == BTM_SUCCESS) || (BTM_OOB_UNKNOWN != p_data->oob_data))
1586 #else
1587     if (callback_rc == BTM_SUCCESS)
1588 #endif
1589     {
1590 #if BTM_BLE_CONFORMANCE_TESTING == TRUE
1591         if (btm_cb.devcb.keep_rfu_in_auth_req)
1592         {
1593             BTM_TRACE_DEBUG ("btm_ble_io_capabilities_req keep_rfu_in_auth_req = %u",
1594                 btm_cb.devcb.keep_rfu_in_auth_req);
1595             p_data->auth_req &= BTM_LE_AUTH_REQ_MASK_KEEP_RFU;
1596             btm_cb.devcb.keep_rfu_in_auth_req = FALSE;
1597         }
1598         else
1599         {   /* default */
1600             p_data->auth_req &= BTM_LE_AUTH_REQ_MASK;
1601         }
1602 #else
1603         p_data->auth_req &= BTM_LE_AUTH_REQ_MASK;
1604 #endif
1605 
1606         BTM_TRACE_DEBUG ("btm_ble_io_capabilities_req 1: p_dev_rec->security_required = %d auth_req:%d",
1607                           p_dev_rec->security_required, p_data->auth_req);
1608         BTM_TRACE_DEBUG ("btm_ble_io_capabilities_req 2: i_keys=0x%x r_keys=0x%x (bit 0-LTK 1-IRK 2-CSRK)",
1609                           p_data->init_keys,
1610                           p_data->resp_keys);
1611 
1612         /* if authentication requires MITM protection, put on the mask */
1613         if (p_dev_rec->security_required & BTM_SEC_IN_MITM)
1614             p_data->auth_req |= BTM_LE_AUTH_REQ_MITM;
1615 
1616         if (!(p_data->auth_req & SMP_AUTH_BOND))
1617         {
1618             BTM_TRACE_DEBUG("Non bonding: No keys should be exchanged");
1619             p_data->init_keys = 0;
1620             p_data->resp_keys = 0;
1621         }
1622 
1623         BTM_TRACE_DEBUG ("btm_ble_io_capabilities_req 3: auth_req:%d", p_data->auth_req);
1624         BTM_TRACE_DEBUG ("btm_ble_io_capabilities_req 4: i_keys=0x%x r_keys=0x%x",
1625                           p_data->init_keys,
1626                           p_data->resp_keys);
1627 
1628         BTM_TRACE_DEBUG ("btm_ble_io_capabilities_req 5: p_data->io_cap = %d auth_req:%d",
1629                           p_data->io_cap, p_data->auth_req);
1630 
1631         /* remove MITM protection requirement if IO cap does not allow it */
1632         if ((p_data->io_cap == BTM_IO_CAP_NONE) && p_data->oob_data == SMP_OOB_NONE)
1633             p_data->auth_req &= ~BTM_LE_AUTH_REQ_MITM;
1634 
1635         if (!(p_data->auth_req & SMP_SC_SUPPORT_BIT))
1636         {
1637             /* if Secure Connections are not supported then remove LK derivation,
1638             ** and keypress notifications.
1639             */
1640             BTM_TRACE_DEBUG("%s-SC not supported -> No LK derivation, no keypress notifications",
1641                             __func__);
1642             p_data->auth_req &= ~SMP_KP_SUPPORT_BIT;
1643             p_data->init_keys &= ~SMP_SEC_KEY_TYPE_LK;
1644             p_data->resp_keys &= ~SMP_SEC_KEY_TYPE_LK;
1645         }
1646 
1647         BTM_TRACE_DEBUG ("btm_ble_io_capabilities_req 6: IO_CAP:%d oob_data:%d auth_req:0x%02x",
1648                           p_data->io_cap, p_data->oob_data, p_data->auth_req);
1649     }
1650     return callback_rc;
1651 }
1652 
1653 /*******************************************************************************
1654 **
1655 ** Function         btm_ble_br_keys_req
1656 **
1657 ** Description      This function is called to handle SMP request for keys sent
1658 **                  over BR/EDR.
1659 **
1660 ** Returns          void
1661 **
1662 *******************************************************************************/
btm_ble_br_keys_req(tBTM_SEC_DEV_REC * p_dev_rec,tBTM_LE_IO_REQ * p_data)1663 UINT8 btm_ble_br_keys_req(tBTM_SEC_DEV_REC *p_dev_rec, tBTM_LE_IO_REQ *p_data)
1664 {
1665     UINT8           callback_rc = BTM_SUCCESS;
1666     BTM_TRACE_DEBUG ("%s", __func__);
1667     if (btm_cb.api.p_le_callback)
1668     {
1669         /* the callback function implementation may change the IO capability... */
1670         callback_rc = (*btm_cb.api.p_le_callback) (BTM_LE_IO_REQ_EVT, p_dev_rec->bd_addr,
1671                                                   (tBTM_LE_EVT_DATA *)p_data);
1672     }
1673 
1674     return callback_rc;
1675 }
1676 
1677 #if (BLE_PRIVACY_SPT == TRUE )
1678 /*******************************************************************************
1679 **
1680 ** Function         btm_ble_resolve_random_addr_on_conn_cmpl
1681 **
1682 ** Description      resolve random address complete on connection complete event.
1683 **
1684 ** Returns          void
1685 **
1686 *******************************************************************************/
btm_ble_resolve_random_addr_on_conn_cmpl(void * p_rec,void * p_data)1687 static void btm_ble_resolve_random_addr_on_conn_cmpl(void * p_rec, void *p_data)
1688 {
1689     UINT8   *p = (UINT8 *)p_data;
1690     tBTM_SEC_DEV_REC    *match_rec = (tBTM_SEC_DEV_REC *) p_rec;
1691     UINT8       role, bda_type;
1692     UINT16      handle;
1693     BD_ADDR     bda;
1694     UINT16      conn_interval, conn_latency, conn_timeout;
1695     BOOLEAN     match = FALSE;
1696 
1697     ++p;
1698     STREAM_TO_UINT16   (handle, p);
1699     STREAM_TO_UINT8    (role, p);
1700     STREAM_TO_UINT8    (bda_type, p);
1701     STREAM_TO_BDADDR   (bda, p);
1702     STREAM_TO_UINT16   (conn_interval, p);
1703     STREAM_TO_UINT16   (conn_latency, p);
1704     STREAM_TO_UINT16   (conn_timeout, p);
1705 
1706     handle = HCID_GET_HANDLE (handle);
1707 
1708     BTM_TRACE_EVENT ("%s", __func__);
1709 
1710     if (match_rec)
1711     {
1712         LOG_INFO("%s matched and resolved random address", __func__);
1713         match = TRUE;
1714         match_rec->ble.active_addr_type = BTM_BLE_ADDR_RRA;
1715         memcpy(match_rec->ble.cur_rand_addr, bda, BD_ADDR_LEN);
1716         if (!btm_ble_init_pseudo_addr (match_rec, bda))
1717         {
1718             /* assign the original address to be the current report address */
1719             memcpy(bda, match_rec->ble.pseudo_addr, BD_ADDR_LEN);
1720         }
1721         else
1722         {
1723             memcpy(bda, match_rec->bd_addr, BD_ADDR_LEN);
1724         }
1725     }
1726     else
1727     {
1728         LOG_INFO("%s unable to match and resolve random address", __func__);
1729     }
1730 
1731     btm_ble_connected(bda, handle, HCI_ENCRYPT_MODE_DISABLED, role, bda_type, match);
1732 
1733     l2cble_conn_comp (handle, role, bda, bda_type, conn_interval,
1734                       conn_latency, conn_timeout);
1735 
1736     return;
1737 }
1738 #endif
1739 
1740 /*******************************************************************************
1741 **
1742 ** Function         btm_ble_connected
1743 **
1744 ** Description      This function is when a LE connection to the peer device is
1745 **                  establsihed
1746 **
1747 ** Returns          void
1748 **
1749 *******************************************************************************/
btm_ble_connected(UINT8 * bda,UINT16 handle,UINT8 enc_mode,UINT8 role,tBLE_ADDR_TYPE addr_type,BOOLEAN addr_matched)1750 void btm_ble_connected (UINT8 *bda, UINT16 handle, UINT8 enc_mode, UINT8 role,
1751                         tBLE_ADDR_TYPE addr_type, BOOLEAN addr_matched)
1752 {
1753     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bda);
1754     tBTM_BLE_CB *p_cb = &btm_cb.ble_ctr_cb;
1755     UNUSED(addr_matched);
1756 
1757     BTM_TRACE_EVENT ("btm_ble_connected");
1758 
1759     /* Commenting out trace due to obf/compilation problems.
1760     */
1761 #if (BT_USE_TRACES == TRUE)
1762     if (p_dev_rec)
1763     {
1764         BTM_TRACE_EVENT ("Security Manager: btm_ble_connected :  handle:%d  enc_mode:%d  bda:%x RName:%s",
1765                           handle,  enc_mode,
1766                           (bda[2]<<24)+(bda[3]<<16)+(bda[4]<<8)+bda[5],
1767                           p_dev_rec->sec_bd_name);
1768 
1769         BTM_TRACE_DEBUG ("btm_ble_connected sec_flags=0x%x",p_dev_rec->sec_flags);
1770     }
1771     else
1772     {
1773         BTM_TRACE_EVENT ("Security Manager: btm_ble_connected:   handle:%d  enc_mode:%d  bda:%x ",
1774                           handle,  enc_mode,
1775                           (bda[2]<<24)+(bda[3]<<16)+(bda[4]<<8)+bda[5]);
1776     }
1777 #endif
1778 
1779     if (!p_dev_rec)
1780     {
1781         /* There is no device record for new connection.  Allocate one */
1782         if ((p_dev_rec = btm_sec_alloc_dev (bda)) == NULL)
1783             return;
1784     }
1785     else    /* Update the timestamp for this device */
1786     {
1787         p_dev_rec->timestamp = btm_cb.dev_rec_count++;
1788     }
1789 
1790     /* update device information */
1791     p_dev_rec->device_type |= BT_DEVICE_TYPE_BLE;
1792     p_dev_rec->ble_hci_handle = handle;
1793     p_dev_rec->ble.ble_addr_type = addr_type;
1794     /* update pseudo address */
1795     memcpy(p_dev_rec->ble.pseudo_addr, bda, BD_ADDR_LEN);
1796 
1797     p_dev_rec->role_master = FALSE;
1798     if (role == HCI_ROLE_MASTER)
1799         p_dev_rec->role_master = TRUE;
1800 
1801 #if (defined BLE_PRIVACY_SPT && BLE_PRIVACY_SPT == TRUE)
1802     if (!addr_matched)
1803         p_dev_rec->ble.active_addr_type = BTM_BLE_ADDR_PSEUDO;
1804 
1805     if (p_dev_rec->ble.ble_addr_type == BLE_ADDR_RANDOM && !addr_matched)
1806         memcpy(p_dev_rec->ble.cur_rand_addr, bda, BD_ADDR_LEN);
1807 #endif
1808 
1809     p_cb->inq_var.directed_conn = BTM_BLE_CONNECT_EVT;
1810 
1811     return;
1812 }
1813 
1814 /*****************************************************************************
1815 **  Function        btm_ble_conn_complete
1816 **
1817 **  Description     LE connection complete.
1818 **
1819 ******************************************************************************/
btm_ble_conn_complete(UINT8 * p,UINT16 evt_len,BOOLEAN enhanced)1820 void btm_ble_conn_complete(UINT8 *p, UINT16 evt_len, BOOLEAN enhanced)
1821 {
1822 #if (BLE_PRIVACY_SPT == TRUE )
1823     UINT8       *p_data = p, peer_addr_type;
1824 #endif
1825     UINT8       role, status, bda_type;
1826     UINT16      handle;
1827     BD_ADDR     bda, local_rpa, peer_rpa;
1828     UINT16      conn_interval, conn_latency, conn_timeout;
1829     BOOLEAN     match = FALSE;
1830     UNUSED(evt_len);
1831 
1832     STREAM_TO_UINT8   (status, p);
1833     STREAM_TO_UINT16   (handle, p);
1834     STREAM_TO_UINT8    (role, p);
1835     STREAM_TO_UINT8    (bda_type, p);
1836     STREAM_TO_BDADDR   (bda, p);
1837 
1838     if (status == 0)
1839     {
1840 #if (BLE_PRIVACY_SPT == TRUE )
1841         peer_addr_type = bda_type;
1842         match = btm_identity_addr_to_random_pseudo (bda, &bda_type, TRUE);
1843 
1844         if (enhanced)
1845         {
1846             STREAM_TO_BDADDR   (local_rpa, p);
1847             STREAM_TO_BDADDR   (peer_rpa, p);
1848         }
1849 
1850         /* possiblly receive connection complete with resolvable random on
1851            slave role while the device has been paired */
1852         if (!match && role == HCI_ROLE_SLAVE && BTM_BLE_IS_RESOLVE_BDA(bda))
1853         {
1854             btm_ble_resolve_random_addr(bda, btm_ble_resolve_random_addr_on_conn_cmpl, p_data);
1855         }
1856         else
1857 #endif
1858         {
1859             STREAM_TO_UINT16   (conn_interval, p);
1860             STREAM_TO_UINT16   (conn_latency, p);
1861             STREAM_TO_UINT16   (conn_timeout, p);
1862             handle = HCID_GET_HANDLE (handle);
1863 
1864             btm_ble_connected(bda, handle, HCI_ENCRYPT_MODE_DISABLED, role, bda_type, match);
1865 
1866             l2cble_conn_comp (handle, role, bda, bda_type, conn_interval,
1867                               conn_latency, conn_timeout);
1868 
1869 #if (BLE_PRIVACY_SPT == TRUE)
1870             if (enhanced)
1871             {
1872                 btm_ble_refresh_local_resolvable_private_addr(bda, local_rpa);
1873 
1874                 if (peer_addr_type & BLE_ADDR_TYPE_ID_BIT)
1875                     btm_ble_refresh_peer_resolvable_private_addr(bda, peer_rpa, BLE_ADDR_RANDOM);
1876             }
1877 #endif
1878         }
1879     }
1880     else
1881     {
1882         role = HCI_ROLE_UNKNOWN;
1883         if (status != HCI_ERR_DIRECTED_ADVERTISING_TIMEOUT)
1884         {
1885             btm_ble_set_conn_st(BLE_CONN_IDLE);
1886 #if (defined BLE_PRIVACY_SPT && BLE_PRIVACY_SPT == TRUE)
1887             btm_ble_disable_resolving_list(BTM_BLE_RL_INIT, TRUE);
1888 #endif
1889         }
1890         else
1891         {
1892 #if (defined BLE_PRIVACY_SPT && BLE_PRIVACY_SPT == TRUE)
1893             btm_cb.ble_ctr_cb.inq_var.adv_mode  = BTM_BLE_ADV_DISABLE;
1894             btm_ble_disable_resolving_list(BTM_BLE_RL_ADV, TRUE);
1895 #endif
1896         }
1897     }
1898 
1899     btm_ble_update_mode_operation(role, bda, status);
1900 }
1901 
1902 
1903 
1904 /*****************************************************************************
1905 ** Function btm_ble_create_ll_conn_complete
1906 **
1907 ** Description LE connection complete.
1908 **
1909 ******************************************************************************/
btm_ble_create_ll_conn_complete(UINT8 status)1910 void btm_ble_create_ll_conn_complete (UINT8 status)
1911 {
1912     if (status != HCI_SUCCESS)
1913     {
1914         btm_ble_set_conn_st(BLE_CONN_IDLE);
1915         btm_ble_update_mode_operation(HCI_ROLE_UNKNOWN, NULL, status);
1916     }
1917 }
1918 /*****************************************************************************
1919 **  Function        btm_proc_smp_cback
1920 **
1921 **  Description     This function is the SMP callback handler.
1922 **
1923 ******************************************************************************/
btm_proc_smp_cback(tSMP_EVT event,BD_ADDR bd_addr,tSMP_EVT_DATA * p_data)1924 UINT8 btm_proc_smp_cback(tSMP_EVT event, BD_ADDR bd_addr, tSMP_EVT_DATA *p_data)
1925 {
1926     tBTM_SEC_DEV_REC    *p_dev_rec = btm_find_dev (bd_addr);
1927     UINT8 res = 0;
1928 
1929     BTM_TRACE_DEBUG ("btm_proc_smp_cback event = %d", event);
1930 
1931     if (p_dev_rec != NULL)
1932     {
1933         switch (event)
1934         {
1935             case SMP_IO_CAP_REQ_EVT:
1936                 btm_ble_io_capabilities_req(p_dev_rec, (tBTM_LE_IO_REQ *)&p_data->io_req);
1937                 break;
1938 
1939             case SMP_BR_KEYS_REQ_EVT:
1940                 btm_ble_br_keys_req(p_dev_rec, (tBTM_LE_IO_REQ *)&p_data->io_req);
1941                 break;
1942 
1943             case SMP_PASSKEY_REQ_EVT:
1944             case SMP_PASSKEY_NOTIF_EVT:
1945             case SMP_OOB_REQ_EVT:
1946             case SMP_NC_REQ_EVT:
1947             case SMP_SC_OOB_REQ_EVT:
1948                 /* fall through */
1949                 p_dev_rec->sec_flags |= BTM_SEC_LE_AUTHENTICATED;
1950 
1951             case SMP_SEC_REQUEST_EVT:
1952                 if (event == SMP_SEC_REQUEST_EVT && btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
1953                 {
1954                     BTM_TRACE_DEBUG("%s: Ignoring SMP Security request", __func__);
1955                     break;
1956                 }
1957                 memcpy (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN);
1958                 p_dev_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING;
1959                 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_LE_ACTIVE;
1960                 /* fall through */
1961 
1962             case SMP_COMPLT_EVT:
1963                 if (btm_cb.api.p_le_callback)
1964                 {
1965                     /* the callback function implementation may change the IO capability... */
1966                     BTM_TRACE_DEBUG ("btm_cb.api.p_le_callback=0x%x", btm_cb.api.p_le_callback );
1967                    (*btm_cb.api.p_le_callback) (event, bd_addr, (tBTM_LE_EVT_DATA *)p_data);
1968                 }
1969 
1970                 if (event == SMP_COMPLT_EVT)
1971                 {
1972                     BTM_TRACE_DEBUG ("evt=SMP_COMPLT_EVT before update sec_level=0x%x sec_flags=0x%x", p_data->cmplt.sec_level , p_dev_rec->sec_flags );
1973 
1974                     res = (p_data->cmplt.reason == SMP_SUCCESS) ? BTM_SUCCESS : BTM_ERR_PROCESSING;
1975 
1976                     BTM_TRACE_DEBUG ("after update result=%d sec_level=0x%x sec_flags=0x%x",
1977                                       res, p_data->cmplt.sec_level , p_dev_rec->sec_flags );
1978 
1979                     if (p_data->cmplt.is_pair_cancel && btm_cb.api.p_bond_cancel_cmpl_callback )
1980                     {
1981                         BTM_TRACE_DEBUG ("Pairing Cancel completed");
1982                         (*btm_cb.api.p_bond_cancel_cmpl_callback)(BTM_SUCCESS);
1983                     }
1984 #if BTM_BLE_CONFORMANCE_TESTING == TRUE
1985                     if (res != BTM_SUCCESS)
1986                     {
1987                         if (!btm_cb.devcb.no_disc_if_pair_fail && p_data->cmplt.reason != SMP_CONN_TOUT)
1988                         {
1989                             BTM_TRACE_DEBUG ("Pairing failed - prepare to remove ACL");
1990                             l2cu_start_post_bond_timer(p_dev_rec->ble_hci_handle);
1991                         }
1992                         else
1993                         {
1994                             BTM_TRACE_DEBUG ("Pairing failed - Not Removing ACL");
1995                             p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
1996                         }
1997                     }
1998 #else
1999                     if (res != BTM_SUCCESS && p_data->cmplt.reason != SMP_CONN_TOUT)
2000                     {
2001                         BTM_TRACE_DEBUG ("Pairing failed - prepare to remove ACL");
2002                         l2cu_start_post_bond_timer(p_dev_rec->ble_hci_handle);
2003                     }
2004 #endif
2005 
2006                     BTM_TRACE_DEBUG ("btm_cb pairing_state=%x pairing_flags=%x pin_code_len=%x",
2007                                       btm_cb.pairing_state,
2008                                       btm_cb.pairing_flags,
2009                                       btm_cb.pin_code_len  );
2010                     BTM_TRACE_DEBUG ("btm_cb.pairing_bda %02x:%02x:%02x:%02x:%02x:%02x",
2011                                       btm_cb.pairing_bda[0], btm_cb.pairing_bda[1], btm_cb.pairing_bda[2],
2012                                       btm_cb.pairing_bda[3], btm_cb.pairing_bda[4], btm_cb.pairing_bda[5]);
2013 
2014                     /* Reset btm state only if the callback address matches pairing address*/
2015                     if(memcmp(bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN) == 0)
2016                     {
2017                         memset (btm_cb.pairing_bda, 0xff, BD_ADDR_LEN);
2018                         btm_cb.pairing_state = BTM_PAIR_STATE_IDLE;
2019                         btm_cb.pairing_flags = 0;
2020                     }
2021 
2022                     if (res == BTM_SUCCESS)
2023                     {
2024                         p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
2025 #if (defined BLE_PRIVACY_SPT && BLE_PRIVACY_SPT == TRUE)
2026                         /* add all bonded device into resolving list if IRK is available*/
2027                         btm_ble_resolving_list_load_dev(p_dev_rec);
2028 #endif
2029                     }
2030 
2031                     btm_sec_dev_rec_cback_event(p_dev_rec, res, TRUE);
2032                 }
2033                 break;
2034 
2035             default:
2036                 BTM_TRACE_DEBUG ("unknown event = %d", event);
2037                 break;
2038 
2039 
2040         }
2041     }
2042     else
2043     {
2044         BTM_TRACE_ERROR("btm_proc_smp_cback received for unknown device");
2045     }
2046 
2047     return 0;
2048 }
2049 
2050     #endif  /* SMP_INCLUDED */
2051 
2052 /*******************************************************************************
2053 **
2054 ** Function         BTM_BleDataSignature
2055 **
2056 ** Description      This function is called to sign the data using AES128 CMAC
2057 **                  algorith.
2058 **
2059 ** Parameter        bd_addr: target device the data to be signed for.
2060 **                  p_text: singing data
2061 **                  len: length of the data to be signed.
2062 **                  signature: output parameter where data signature is going to
2063 **                             be stored.
2064 **
2065 ** Returns          TRUE if signing sucessul, otherwise FALSE.
2066 **
2067 *******************************************************************************/
BTM_BleDataSignature(BD_ADDR bd_addr,UINT8 * p_text,UINT16 len,BLE_SIGNATURE signature)2068 BOOLEAN BTM_BleDataSignature (BD_ADDR bd_addr, UINT8 *p_text, UINT16 len,
2069                               BLE_SIGNATURE signature)
2070 {
2071     tBTM_SEC_DEV_REC *p_rec = btm_find_dev (bd_addr);
2072 
2073     BTM_TRACE_DEBUG ("%s", __func__);
2074     BOOLEAN ret = FALSE;
2075     if (p_rec == NULL)
2076     {
2077         BTM_TRACE_ERROR("%s-data signing can not be done from unknown device", __func__);
2078     }
2079     else
2080     {
2081         UINT8 *p_mac = (UINT8 *)signature;
2082         UINT8 *p_buf, *pp;
2083         if ((p_buf = (UINT8 *)GKI_getbuf((UINT16)(len + 4))) != NULL)
2084         {
2085             BTM_TRACE_DEBUG("%s-Start to generate Local CSRK", __func__);
2086             pp = p_buf;
2087             /* prepare plain text */
2088             if (p_text)
2089             {
2090                 memcpy(p_buf, p_text, len);
2091                 pp = (p_buf + len);
2092             }
2093 
2094             UINT32_TO_STREAM(pp, p_rec->ble.keys.local_counter);
2095             UINT32_TO_STREAM(p_mac, p_rec->ble.keys.local_counter);
2096 
2097             if ((ret = aes_cipher_msg_auth_code(p_rec->ble.keys.lcsrk, p_buf, (UINT16)(len + 4),
2098                                         BTM_CMAC_TLEN_SIZE, p_mac)) == TRUE)
2099             {
2100                   btm_ble_increment_sign_ctr(bd_addr, TRUE);
2101             }
2102 
2103             BTM_TRACE_DEBUG("%s p_mac = %d", __func__, p_mac);
2104             BTM_TRACE_DEBUG("p_mac[0] = 0x%02x p_mac[1] = 0x%02x p_mac[2] = 0x%02x p_mac[3] = 0x%02x",
2105                              *p_mac, *(p_mac + 1), *(p_mac + 2), *(p_mac + 3));
2106             BTM_TRACE_DEBUG("p_mac[4] = 0x%02x p_mac[5] = 0x%02x p_mac[6] = 0x%02x p_mac[7] = 0x%02x",
2107                             *(p_mac + 4), *(p_mac + 5), *(p_mac + 6), *(p_mac + 7));
2108             GKI_freebuf(p_buf);
2109         }
2110     }
2111     return ret;
2112 }
2113 
2114 /*******************************************************************************
2115 **
2116 ** Function         BTM_BleVerifySignature
2117 **
2118 ** Description      This function is called to verify the data signature
2119 **
2120 ** Parameter        bd_addr: target device the data to be signed for.
2121 **                  p_orig:  original data before signature.
2122 **                  len: length of the signing data
2123 **                  counter: counter used when doing data signing
2124 **                  p_comp: signature to be compared against.
2125 
2126 ** Returns          TRUE if signature verified correctly; otherwise FALSE.
2127 **
2128 *******************************************************************************/
BTM_BleVerifySignature(BD_ADDR bd_addr,UINT8 * p_orig,UINT16 len,UINT32 counter,UINT8 * p_comp)2129 BOOLEAN BTM_BleVerifySignature (BD_ADDR bd_addr, UINT8 *p_orig, UINT16 len, UINT32 counter,
2130                                 UINT8 *p_comp)
2131 {
2132     BOOLEAN verified = FALSE;
2133 #if SMP_INCLUDED == TRUE
2134     tBTM_SEC_DEV_REC *p_rec = btm_find_dev (bd_addr);
2135     UINT8 p_mac[BTM_CMAC_TLEN_SIZE];
2136 
2137     if (p_rec == NULL || (p_rec && !(p_rec->ble.key_type & BTM_LE_KEY_PCSRK)))
2138     {
2139         BTM_TRACE_ERROR("can not verify signature for unknown device");
2140     }
2141     else if (counter < p_rec->ble.keys.counter)
2142     {
2143         BTM_TRACE_ERROR("signature received with out dated sign counter");
2144     }
2145     else if (p_orig == NULL)
2146     {
2147         BTM_TRACE_ERROR("No signature to verify");
2148     }
2149     else
2150     {
2151         BTM_TRACE_DEBUG ("%s rcv_cnt=%d >= expected_cnt=%d", __func__, counter,
2152                           p_rec->ble.keys.counter);
2153 
2154         if (aes_cipher_msg_auth_code(p_rec->ble.keys.pcsrk, p_orig, len, BTM_CMAC_TLEN_SIZE, p_mac))
2155         {
2156             if (memcmp(p_mac, p_comp, BTM_CMAC_TLEN_SIZE) == 0)
2157             {
2158                 btm_ble_increment_sign_ctr(bd_addr, FALSE);
2159                 verified = TRUE;
2160             }
2161         }
2162     }
2163 #endif  /* SMP_INCLUDED */
2164     return verified;
2165 }
2166 
2167 /*******************************************************************************
2168 **
2169 ** Function         BTM_GetLeSecurityState
2170 **
2171 ** Description      This function is called to get security mode 1 flags and
2172 **                  encryption key size for LE peer.
2173 **
2174 ** Returns          BOOLEAN TRUE if LE device is found, FALSE otherwise.
2175 **
2176 *******************************************************************************/
BTM_GetLeSecurityState(BD_ADDR bd_addr,UINT8 * p_le_dev_sec_flags,UINT8 * p_le_key_size)2177 BOOLEAN BTM_GetLeSecurityState (BD_ADDR bd_addr, UINT8 *p_le_dev_sec_flags, UINT8 *p_le_key_size)
2178 {
2179 #if (BLE_INCLUDED == TRUE)
2180     tBTM_SEC_DEV_REC *p_dev_rec;
2181     UINT16 dev_rec_sec_flags;
2182 #endif
2183 
2184     *p_le_dev_sec_flags = 0;
2185     *p_le_key_size = 0;
2186 
2187 #if (BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE)
2188     if ((p_dev_rec = btm_find_dev (bd_addr)) == NULL)
2189     {
2190         BTM_TRACE_ERROR ("%s fails", __func__);
2191         return (FALSE);
2192     }
2193 
2194     if (p_dev_rec->ble_hci_handle == BTM_SEC_INVALID_HANDLE)
2195     {
2196         BTM_TRACE_ERROR ("%s-this is not LE device", __func__);
2197         return (FALSE);
2198     }
2199 
2200     dev_rec_sec_flags = p_dev_rec->sec_flags;
2201 
2202     if (dev_rec_sec_flags & BTM_SEC_LE_ENCRYPTED)
2203     {
2204         /* link is encrypted with LTK or STK */
2205         *p_le_key_size = p_dev_rec->enc_key_size;
2206         *p_le_dev_sec_flags |= BTM_SEC_LE_LINK_ENCRYPTED;
2207 
2208         *p_le_dev_sec_flags |= (dev_rec_sec_flags & BTM_SEC_LE_AUTHENTICATED)
2209             ? BTM_SEC_LE_LINK_PAIRED_WITH_MITM      /* set auth LTK flag */
2210             : BTM_SEC_LE_LINK_PAIRED_WITHOUT_MITM;  /* set unauth LTK flag */
2211     }
2212     else if (p_dev_rec->ble.key_type & BTM_LE_KEY_PENC)
2213     {
2214         /* link is unencrypted, still LTK is available */
2215         *p_le_key_size = p_dev_rec->ble.keys.key_size;
2216 
2217         *p_le_dev_sec_flags |= (dev_rec_sec_flags & BTM_SEC_LE_LINK_KEY_AUTHED)
2218             ? BTM_SEC_LE_LINK_PAIRED_WITH_MITM      /* set auth LTK flag */
2219             : BTM_SEC_LE_LINK_PAIRED_WITHOUT_MITM;  /* set unauth LTK flag */
2220     }
2221 
2222     BTM_TRACE_DEBUG ("%s - le_dev_sec_flags: 0x%02x, le_key_size: %d",
2223         __func__, *p_le_dev_sec_flags, *p_le_key_size);
2224 
2225     return TRUE;
2226 #else
2227     return FALSE;
2228 #endif
2229 }
2230 
2231 /*******************************************************************************
2232 **
2233 ** Function         BTM_BleSecurityProcedureIsRunning
2234 **
2235 ** Description      This function indicates if LE security procedure is
2236 **                  currently running with the peer.
2237 **
2238 ** Returns          BOOLEAN TRUE if security procedure is running, FALSE otherwise.
2239 **
2240 *******************************************************************************/
BTM_BleSecurityProcedureIsRunning(BD_ADDR bd_addr)2241 BOOLEAN BTM_BleSecurityProcedureIsRunning(BD_ADDR bd_addr)
2242 {
2243 #if (BLE_INCLUDED == TRUE)
2244     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr);
2245 
2246     if (p_dev_rec == NULL)
2247     {
2248         BTM_TRACE_ERROR ("%s device with BDA: %08x%04x is not found",
2249                           __func__, (bd_addr[0]<<24)+(bd_addr[1]<<16)+(bd_addr[2]<<8)+bd_addr[3],
2250                           (bd_addr[4]<<8)+bd_addr[5]);
2251         return FALSE;
2252     }
2253 
2254     return (p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING ||
2255             p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING);
2256 #else
2257     return FALSE;
2258 #endif
2259 }
2260 
2261 /*******************************************************************************
2262 **
2263 ** Function         BTM_BleGetSupportedKeySize
2264 **
2265 ** Description      This function gets the maximum encryption key size in bytes
2266 **                  the local device can suport.
2267 **                  record.
2268 **
2269 ** Returns          the key size or 0 if the size can't be retrieved.
2270 **
2271 *******************************************************************************/
BTM_BleGetSupportedKeySize(BD_ADDR bd_addr)2272 extern UINT8 BTM_BleGetSupportedKeySize (BD_ADDR bd_addr)
2273 {
2274 #if ((BLE_INCLUDED == TRUE) && (L2CAP_LE_COC_INCLUDED == TRUE))
2275     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr);
2276     tBTM_LE_IO_REQ dev_io_cfg;
2277     UINT8 callback_rc;
2278 
2279     if (!p_dev_rec)
2280     {
2281         BTM_TRACE_ERROR ("%s device with BDA: %08x%04x is not found",
2282                          __func__,(bd_addr[0]<<24)+(bd_addr[1]<<16)+(bd_addr[2]<<8)+bd_addr[3],
2283                           (bd_addr[4]<<8)+bd_addr[5]);
2284         return 0;
2285     }
2286 
2287     if (btm_cb.api.p_le_callback == NULL)
2288     {
2289         BTM_TRACE_ERROR ("%s can't access supported key size",__func__);
2290         return 0;
2291     }
2292 
2293     callback_rc = (*btm_cb.api.p_le_callback) (BTM_LE_IO_REQ_EVT, p_dev_rec->bd_addr,
2294                                                (tBTM_LE_EVT_DATA *) &dev_io_cfg);
2295 
2296     if (callback_rc != BTM_SUCCESS)
2297     {
2298         BTM_TRACE_ERROR ("%s can't access supported key size",__func__);
2299         return 0;
2300     }
2301 
2302     BTM_TRACE_DEBUG ("%s device supports key size = %d", __func__, dev_io_cfg.max_key_size);
2303     return (dev_io_cfg.max_key_size);
2304 #else
2305     return 0;
2306 #endif
2307 }
2308 
2309 /*******************************************************************************
2310 **  Utility functions for LE device IR/ER generation
2311 *******************************************************************************/
2312 /*******************************************************************************
2313 **
2314 ** Function         btm_notify_new_key
2315 **
2316 ** Description      This function is to notify application new keys have been
2317 **                  generated.
2318 **
2319 ** Returns          void
2320 **
2321 *******************************************************************************/
btm_notify_new_key(UINT8 key_type)2322 static void btm_notify_new_key(UINT8 key_type)
2323 {
2324     tBTM_BLE_LOCAL_KEYS *p_locak_keys = NULL;
2325 
2326     BTM_TRACE_DEBUG ("btm_notify_new_key key_type=%d", key_type);
2327 
2328     if (btm_cb.api.p_le_key_callback)
2329     {
2330         switch (key_type)
2331         {
2332             case BTM_BLE_KEY_TYPE_ID:
2333                 BTM_TRACE_DEBUG ("BTM_BLE_KEY_TYPE_ID");
2334                 p_locak_keys = (tBTM_BLE_LOCAL_KEYS *)&btm_cb.devcb.id_keys;
2335                 break;
2336 
2337             case BTM_BLE_KEY_TYPE_ER:
2338                 BTM_TRACE_DEBUG ("BTM_BLE_KEY_TYPE_ER");
2339                 p_locak_keys = (tBTM_BLE_LOCAL_KEYS *)&btm_cb.devcb.ble_encryption_key_value;
2340                 break;
2341 
2342             default:
2343                 BTM_TRACE_ERROR("unknown key type: %d", key_type);
2344                 break;
2345         }
2346         if (p_locak_keys != NULL)
2347             (*btm_cb.api.p_le_key_callback) (key_type, p_locak_keys);
2348     }
2349 }
2350 
2351 /*******************************************************************************
2352 **
2353 ** Function         btm_ble_process_er2
2354 **
2355 ** Description      This function is called when ER is generated, store it in
2356 **                  local control block.
2357 **
2358 ** Returns          void
2359 **
2360 *******************************************************************************/
btm_ble_process_er2(tBTM_RAND_ENC * p)2361 static void btm_ble_process_er2(tBTM_RAND_ENC *p)
2362 {
2363     BTM_TRACE_DEBUG ("btm_ble_process_er2");
2364 
2365     if (p &&p->opcode == HCI_BLE_RAND)
2366     {
2367         memcpy(&btm_cb.devcb.ble_encryption_key_value[8], p->param_buf, BT_OCTET8_LEN);
2368         btm_notify_new_key(BTM_BLE_KEY_TYPE_ER);
2369     }
2370     else
2371     {
2372         BTM_TRACE_ERROR("Generating ER2 exception.");
2373         memset(&btm_cb.devcb.ble_encryption_key_value, 0, sizeof(BT_OCTET16));
2374     }
2375 }
2376 
2377 /*******************************************************************************
2378 **
2379 ** Function         btm_ble_process_er
2380 **
2381 ** Description      This function is called when ER is generated, store it in
2382 **                  local control block.
2383 **
2384 ** Returns          void
2385 **
2386 *******************************************************************************/
btm_ble_process_er(tBTM_RAND_ENC * p)2387 static void btm_ble_process_er(tBTM_RAND_ENC *p)
2388 {
2389     BTM_TRACE_DEBUG ("btm_ble_process_er");
2390 
2391     if (p &&p->opcode == HCI_BLE_RAND)
2392     {
2393         memcpy(&btm_cb.devcb.ble_encryption_key_value[0], p->param_buf, BT_OCTET8_LEN);
2394 
2395         if (!btsnd_hcic_ble_rand((void *)btm_ble_process_er2))
2396         {
2397             memset(&btm_cb.devcb.ble_encryption_key_value, 0, sizeof(BT_OCTET16));
2398             BTM_TRACE_ERROR("Generating ER2 failed.");
2399         }
2400     }
2401     else
2402     {
2403         BTM_TRACE_ERROR("Generating ER1 exception.");
2404     }
2405 }
2406 
2407 /*******************************************************************************
2408 **
2409 ** Function         btm_ble_process_irk
2410 **
2411 ** Description      This function is called when IRK is generated, store it in
2412 **                  local control block.
2413 **
2414 ** Returns          void
2415 **
2416 *******************************************************************************/
btm_ble_process_irk(tSMP_ENC * p)2417 static void btm_ble_process_irk(tSMP_ENC *p)
2418 {
2419     BTM_TRACE_DEBUG ("btm_ble_process_irk");
2420     if (p &&p->opcode == HCI_BLE_ENCRYPT)
2421     {
2422         memcpy(btm_cb.devcb.id_keys.irk, p->param_buf, BT_OCTET16_LEN);
2423         btm_notify_new_key(BTM_BLE_KEY_TYPE_ID);
2424 
2425 #if BLE_PRIVACY_SPT == TRUE
2426         /* if privacy is enabled, new RPA should be calculated */
2427         if (btm_cb.ble_ctr_cb.privacy_mode != BTM_PRIVACY_NONE)
2428         {
2429             btm_gen_resolvable_private_addr((void *)btm_gen_resolve_paddr_low);
2430         }
2431 #endif
2432     }
2433     else
2434     {
2435         BTM_TRACE_ERROR("Generating IRK exception.");
2436     }
2437 
2438     /* proceed generate ER */
2439     if (!btsnd_hcic_ble_rand((void *)btm_ble_process_er))
2440     {
2441         BTM_TRACE_ERROR("Generating ER failed.");
2442     }
2443 }
2444 
2445 /*******************************************************************************
2446 **
2447 ** Function         btm_ble_process_dhk
2448 **
2449 ** Description      This function is called when DHK is calculated, store it in
2450 **                  local control block, and proceed to generate ER, a 128-bits
2451 **                  random number.
2452 **
2453 ** Returns          void
2454 **
2455 *******************************************************************************/
btm_ble_process_dhk(tSMP_ENC * p)2456 static void btm_ble_process_dhk(tSMP_ENC *p)
2457 {
2458 #if SMP_INCLUDED == TRUE
2459     UINT8 btm_ble_irk_pt = 0x01;
2460     tSMP_ENC output;
2461 
2462     BTM_TRACE_DEBUG ("btm_ble_process_dhk");
2463 
2464     if (p && p->opcode == HCI_BLE_ENCRYPT)
2465     {
2466         memcpy(btm_cb.devcb.id_keys.dhk, p->param_buf, BT_OCTET16_LEN);
2467         BTM_TRACE_DEBUG("BLE DHK generated.");
2468 
2469         /* IRK = D1(IR, 1) */
2470         if (!SMP_Encrypt(btm_cb.devcb.id_keys.ir, BT_OCTET16_LEN, &btm_ble_irk_pt,
2471                          1,   &output))
2472         {
2473             /* reset all identity root related key */
2474             memset(&btm_cb.devcb.id_keys, 0, sizeof(tBTM_BLE_LOCAL_ID_KEYS));
2475         }
2476         else
2477         {
2478             btm_ble_process_irk(&output);
2479         }
2480     }
2481     else
2482     {
2483         /* reset all identity root related key */
2484         memset(&btm_cb.devcb.id_keys, 0, sizeof(tBTM_BLE_LOCAL_ID_KEYS));
2485     }
2486 #endif
2487 }
2488 
2489 /*******************************************************************************
2490 **
2491 ** Function         btm_ble_process_ir2
2492 **
2493 ** Description      This function is called when IR is generated, proceed to calculate
2494 **                  DHK = Eir({0x03, 0, 0 ...})
2495 **
2496 **
2497 ** Returns          void
2498 **
2499 *******************************************************************************/
btm_ble_process_ir2(tBTM_RAND_ENC * p)2500 static void btm_ble_process_ir2(tBTM_RAND_ENC *p)
2501 {
2502 #if SMP_INCLUDED == TRUE
2503     UINT8 btm_ble_dhk_pt = 0x03;
2504     tSMP_ENC output;
2505 
2506     BTM_TRACE_DEBUG ("btm_ble_process_ir2");
2507 
2508     if (p && p->opcode == HCI_BLE_RAND)
2509     {
2510         /* remembering in control block */
2511         memcpy(&btm_cb.devcb.id_keys.ir[8], p->param_buf, BT_OCTET8_LEN);
2512         /* generate DHK= Eir({0x03, 0x00, 0x00 ...}) */
2513 
2514 
2515         SMP_Encrypt(btm_cb.devcb.id_keys.ir, BT_OCTET16_LEN, &btm_ble_dhk_pt,
2516                     1, &output);
2517         btm_ble_process_dhk(&output);
2518 
2519         BTM_TRACE_DEBUG("BLE IR generated.");
2520     }
2521     else
2522     {
2523         memset(&btm_cb.devcb.id_keys, 0, sizeof(tBTM_BLE_LOCAL_ID_KEYS));
2524     }
2525 #endif
2526 }
2527 
2528 /*******************************************************************************
2529 **
2530 ** Function         btm_ble_process_ir
2531 **
2532 ** Description      This function is called when IR is generated, proceed to calculate
2533 **                  DHK = Eir({0x02, 0, 0 ...})
2534 **
2535 **
2536 ** Returns          void
2537 **
2538 *******************************************************************************/
btm_ble_process_ir(tBTM_RAND_ENC * p)2539 static void btm_ble_process_ir(tBTM_RAND_ENC *p)
2540 {
2541     BTM_TRACE_DEBUG ("btm_ble_process_ir");
2542 
2543     if (p && p->opcode == HCI_BLE_RAND)
2544     {
2545         /* remembering in control block */
2546         memcpy(btm_cb.devcb.id_keys.ir, p->param_buf, BT_OCTET8_LEN);
2547 
2548         if (!btsnd_hcic_ble_rand((void *)btm_ble_process_ir2))
2549         {
2550             BTM_TRACE_ERROR("Generating IR2 failed.");
2551             memset(&btm_cb.devcb.id_keys, 0, sizeof(tBTM_BLE_LOCAL_ID_KEYS));
2552         }
2553     }
2554 }
2555 
2556 /*******************************************************************************
2557 **
2558 ** Function         btm_ble_reset_id
2559 **
2560 ** Description      This function is called to reset LE device identity.
2561 **
2562 ** Returns          void
2563 **
2564 *******************************************************************************/
btm_ble_reset_id(void)2565 void btm_ble_reset_id( void )
2566 {
2567     BTM_TRACE_DEBUG ("btm_ble_reset_id");
2568 
2569     /* regenrate Identity Root*/
2570     if (!btsnd_hcic_ble_rand((void *)btm_ble_process_ir))
2571     {
2572         BTM_TRACE_DEBUG("Generating IR failed.");
2573     }
2574 }
2575 
2576     #if BTM_BLE_CONFORMANCE_TESTING == TRUE
2577 /*******************************************************************************
2578 **
2579 ** Function         btm_ble_set_no_disc_if_pair_fail
2580 **
2581 ** Description      This function indicates that whether no disconnect of the ACL
2582 **                  should be used if pairing failed
2583 **
2584 ** Returns          void
2585 **
2586 *******************************************************************************/
btm_ble_set_no_disc_if_pair_fail(BOOLEAN disable_disc)2587 void btm_ble_set_no_disc_if_pair_fail(BOOLEAN disable_disc )
2588 {
2589     BTM_TRACE_DEBUG ("btm_ble_set_disc_enable_if_pair_fail disable_disc=%d", disable_disc);
2590     btm_cb.devcb.no_disc_if_pair_fail = disable_disc;
2591 }
2592 
2593 /*******************************************************************************
2594 **
2595 ** Function         btm_ble_set_test_mac_value
2596 **
2597 ** Description      This function set test MAC value
2598 **
2599 ** Returns          void
2600 **
2601 *******************************************************************************/
btm_ble_set_test_mac_value(BOOLEAN enable,UINT8 * p_test_mac_val)2602 void btm_ble_set_test_mac_value(BOOLEAN enable, UINT8 *p_test_mac_val )
2603 {
2604     BTM_TRACE_DEBUG ("btm_ble_set_test_mac_value enable=%d", enable);
2605     btm_cb.devcb.enable_test_mac_val = enable;
2606     memcpy(btm_cb.devcb.test_mac, p_test_mac_val, BT_OCTET8_LEN);
2607 }
2608 
2609 /*******************************************************************************
2610 **
2611 ** Function         btm_ble_set_test_local_sign_cntr_value
2612 **
2613 ** Description      This function set test local sign counter value
2614 **
2615 ** Returns          void
2616 **
2617 *******************************************************************************/
btm_ble_set_test_local_sign_cntr_value(BOOLEAN enable,UINT32 test_local_sign_cntr)2618 void btm_ble_set_test_local_sign_cntr_value(BOOLEAN enable, UINT32 test_local_sign_cntr )
2619 {
2620     BTM_TRACE_DEBUG ("btm_ble_set_test_local_sign_cntr_value enable=%d local_sign_cntr=%d",
2621                       enable, test_local_sign_cntr);
2622     btm_cb.devcb.enable_test_local_sign_cntr = enable;
2623     btm_cb.devcb.test_local_sign_cntr =  test_local_sign_cntr;
2624 }
2625 
2626 /*******************************************************************************
2627 **
2628 ** Function         btm_set_random_address
2629 **
2630 ** Description      This function set a random address to local controller.
2631 **
2632 ** Returns          void
2633 **
2634 *******************************************************************************/
btm_set_random_address(BD_ADDR random_bda)2635 void btm_set_random_address(BD_ADDR random_bda)
2636 {
2637     tBTM_LE_RANDOM_CB *p_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb;
2638     BOOLEAN     adv_mode = btm_cb.ble_ctr_cb.inq_var.adv_mode ;
2639 
2640     BTM_TRACE_DEBUG ("btm_set_random_address");
2641 
2642     if (adv_mode  == BTM_BLE_ADV_ENABLE)
2643         btsnd_hcic_ble_set_adv_enable (BTM_BLE_ADV_DISABLE);
2644 
2645     memcpy(p_cb->private_addr, random_bda, BD_ADDR_LEN);
2646     btsnd_hcic_ble_set_random_addr(p_cb->private_addr);
2647 
2648     if (adv_mode  == BTM_BLE_ADV_ENABLE)
2649         btsnd_hcic_ble_set_adv_enable (BTM_BLE_ADV_ENABLE);
2650 
2651 
2652 }
2653 
2654 /*******************************************************************************
2655 **
2656 ** Function         btm_ble_set_keep_rfu_in_auth_req
2657 **
2658 ** Description      This function indicates if RFU bits have to be kept as is
2659 **                  (by default they have to be set to 0 by the sender).
2660 **
2661 ** Returns          void
2662 **
2663 *******************************************************************************/
btm_ble_set_keep_rfu_in_auth_req(BOOLEAN keep_rfu)2664 void btm_ble_set_keep_rfu_in_auth_req(BOOLEAN keep_rfu)
2665 {
2666     BTM_TRACE_DEBUG ("btm_ble_set_keep_rfu_in_auth_req keep_rfus=%d", keep_rfu);
2667     btm_cb.devcb.keep_rfu_in_auth_req = keep_rfu;
2668 }
2669 
2670 #endif /* BTM_BLE_CONFORMANCE_TESTING */
2671 
2672 #endif /* BLE_INCLUDED */
2673