1 /******************************************************************************
2  *
3  *  Copyright (C) 1999-2012 Broadcom Corporation
4  *
5  *  Licensed under the Apache License, Version 2.0 (the "License");
6  *  you may not use this file except in compliance with the License.
7  *  You may obtain a copy of the License at:
8  *
9  *  http://www.apache.org/licenses/LICENSE-2.0
10  *
11  *  Unless required by applicable law or agreed to in writing, software
12  *  distributed under the License is distributed on an "AS IS" BASIS,
13  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  *  See the License for the specific language governing permissions and
15  *  limitations under the License.
16  *
17  ******************************************************************************/
18 
19 /******************************************************************************
20  *
21  *  This file contains functions for the Bluetooth Security Manager
22  *
23  ******************************************************************************/
24 
25 #define LOG_TAG "bt_btm_sec"
26 
27 #include <stdarg.h>
28 #include <string.h>
29 
30 #include "bt_types.h"
31 #include "device/include/controller.h"
32 #include "hcimsgs.h"
33 #include "btu.h"
34 #include "btm_int.h"
35 #include "l2c_int.h"
36 #include "bt_utils.h"
37 #include "osi/include/log.h"
38 
39 #if (BT_USE_TRACES == TRUE && BT_TRACE_VERBOSE == FALSE)
40 /* needed for sprintf() */
41 #include <stdio.h>
42 #endif
43 
44 #if BLE_INCLUDED == TRUE
45     #include "gatt_int.h"
46 #endif
47 
48 #define BTM_SEC_MAX_COLLISION_DELAY     (5000)
49 
50 #ifdef APPL_AUTH_WRITE_EXCEPTION
51 BOOLEAN (APPL_AUTH_WRITE_EXCEPTION)(BD_ADDR bd_addr);
52 #endif
53 
54 
55 /********************************************************************************
56 **              L O C A L    F U N C T I O N     P R O T O T Y P E S            *
57 *********************************************************************************/
58 static tBTM_SEC_SERV_REC *btm_sec_find_first_serv (BOOLEAN is_originator, UINT16 psm);
59 static tBTM_SEC_SERV_REC *btm_sec_find_next_serv (tBTM_SEC_SERV_REC *p_cur);
60 static tBTM_SEC_SERV_REC *btm_sec_find_mx_serv (UINT8 is_originator, UINT16 psm,
61                                                 UINT32 mx_proto_id,
62                                                 UINT32 mx_chan_id);
63 
64 static tBTM_STATUS btm_sec_execute_procedure (tBTM_SEC_DEV_REC *p_dev_rec);
65 static BOOLEAN  btm_sec_start_get_name (tBTM_SEC_DEV_REC *p_dev_rec);
66 static BOOLEAN  btm_sec_start_authentication (tBTM_SEC_DEV_REC *p_dev_rec);
67 static BOOLEAN  btm_sec_start_encryption (tBTM_SEC_DEV_REC *p_dev_rec);
68 static void     btm_sec_collision_timeout (TIMER_LIST_ENT *p_tle);
69 static void     btm_restore_mode(void);
70 static void     btm_sec_pairing_timeout (TIMER_LIST_ENT *p_tle);
71 static tBTM_STATUS btm_sec_dd_create_conn (tBTM_SEC_DEV_REC *p_dev_rec);
72 static void     btm_sec_change_pairing_state (tBTM_PAIRING_STATE new_state);
73 
74 #if (BT_USE_TRACES == TRUE)
75 static char     *btm_pair_state_descr (tBTM_PAIRING_STATE state);
76 #endif
77 
78 static void     btm_sec_check_pending_reqs(void);
79 static BOOLEAN  btm_sec_queue_mx_request (BD_ADDR bd_addr,  UINT16 psm,  BOOLEAN is_orig,
80                                           UINT32 mx_proto_id, UINT32 mx_chan_id,
81                                           tBTM_SEC_CALLBACK *p_callback, void *p_ref_data);
82 static void     btm_sec_bond_cancel_complete (void);
83 static void     btm_send_link_key_notif (tBTM_SEC_DEV_REC *p_dev_rec);
84 static BOOLEAN  btm_sec_check_prefetch_pin (tBTM_SEC_DEV_REC  *p_dev_rec);
85 
86 static UINT8    btm_sec_start_authorization (tBTM_SEC_DEV_REC *p_dev_rec);
87 BOOLEAN         btm_sec_are_all_trusted(UINT32 p_mask[]);
88 
89 static tBTM_STATUS btm_sec_send_hci_disconnect (tBTM_SEC_DEV_REC *p_dev_rec, UINT8 reason, UINT16 conn_handle);
90 UINT8           btm_sec_start_role_switch (tBTM_SEC_DEV_REC *p_dev_rec);
91 tBTM_SEC_DEV_REC *btm_sec_find_dev_by_sec_state (UINT8 state);
92 
93 static BOOLEAN  btm_sec_set_security_level ( CONNECTION_TYPE conn_type, char *p_name, UINT8 service_id,
94                                             UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id,
95                                             UINT32 mx_chan_id);
96 
97 static BOOLEAN btm_dev_authenticated(tBTM_SEC_DEV_REC *p_dev_rec);
98 static BOOLEAN btm_dev_encrypted(tBTM_SEC_DEV_REC *p_dev_rec);
99 static BOOLEAN btm_dev_authorized(tBTM_SEC_DEV_REC *p_dev_rec);
100 static BOOLEAN btm_serv_trusted(tBTM_SEC_DEV_REC *p_dev_rec, tBTM_SEC_SERV_REC *p_serv_rec);
101 static BOOLEAN btm_sec_is_serv_level0 (UINT16 psm);
102 static UINT16  btm_sec_set_serv_level4_flags (UINT16 cur_security, BOOLEAN is_originator);
103 
104 static BOOLEAN btm_sec_queue_encrypt_request  (BD_ADDR bd_addr, tBT_TRANSPORT transport,
105                                          tBTM_SEC_CALLBACK *p_callback, void *p_ref_data);
106 static void btm_sec_clean_pending_req_queue (BD_ADDR remote_bda, tBT_TRANSPORT transport) ;
107 static void btm_sec_check_pending_enc_req (tBTM_SEC_DEV_REC  *p_dev_rec, tBT_TRANSPORT transport,
108                                             UINT8 encr_enable);
109 static BOOLEAN btm_sec_acceptor_rejects_bonding (tBTM_SEC_DEV_REC *p_dev_rec);
110 
111 static BOOLEAN btm_sec_use_smp_br_chnl(tBTM_SEC_DEV_REC *p_dev_rec);
112 static BOOLEAN btm_sec_is_master(tBTM_SEC_DEV_REC *p_dev_rec);
113 
114 /* TRUE - authenticated link key is possible */
115 static const BOOLEAN btm_sec_io_map [BTM_IO_CAP_MAX][BTM_IO_CAP_MAX] =
116 {
117     /*   OUT,    IO,     IN,     NONE */
118 /* OUT  */ {FALSE,  FALSE,  TRUE,   FALSE},
119 /* IO   */ {FALSE,  TRUE,   TRUE,   FALSE},
120 /* IN   */ {TRUE,   TRUE,   TRUE,   FALSE},
121 /* NONE */ {FALSE,  FALSE,  FALSE,  FALSE}
122 };
123 /*  BTM_IO_CAP_OUT      0   DisplayOnly */
124 /*  BTM_IO_CAP_IO       1   DisplayYesNo */
125 /*  BTM_IO_CAP_IN       2   KeyboardOnly */
126 /*  BTM_IO_CAP_NONE     3   NoInputNoOutput */
127 
128 /*******************************************************************************
129 **
130 ** Function         btm_dev_authenticated
131 **
132 ** Description      check device is authenticated
133 **
134 ** Returns          BOOLEAN TRUE or FALSE
135 **
136 *******************************************************************************/
btm_dev_authenticated(tBTM_SEC_DEV_REC * p_dev_rec)137 static BOOLEAN btm_dev_authenticated (tBTM_SEC_DEV_REC *p_dev_rec)
138 {
139     if(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)
140     {
141         return(TRUE);
142     }
143     return(FALSE);
144 }
145 
146 /*******************************************************************************
147 **
148 ** Function         btm_dev_encrypted
149 **
150 ** Description      check device is encrypted
151 **
152 ** Returns          BOOLEAN TRUE or FALSE
153 **
154 *******************************************************************************/
btm_dev_encrypted(tBTM_SEC_DEV_REC * p_dev_rec)155 static BOOLEAN btm_dev_encrypted (tBTM_SEC_DEV_REC *p_dev_rec)
156 {
157     if(p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)
158     {
159         return(TRUE);
160     }
161     return(FALSE);
162 }
163 
164 /*******************************************************************************
165 **
166 ** Function         btm_dev_authorized
167 **
168 ** Description      check device is authorized
169 **
170 ** Returns          BOOLEAN TRUE or FALSE
171 **
172 *******************************************************************************/
btm_dev_authorized(tBTM_SEC_DEV_REC * p_dev_rec)173 static BOOLEAN btm_dev_authorized (tBTM_SEC_DEV_REC *p_dev_rec)
174 {
175     if(p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED)
176     {
177         return(TRUE);
178     }
179     return(FALSE);
180 }
181 
182 /*******************************************************************************
183 **
184 ** Function         btm_dev_16_digit_authenticated
185 **
186 ** Description      check device is authenticated by using 16 digit pin or MITM
187 **
188 ** Returns          BOOLEAN TRUE or FALSE
189 **
190 *******************************************************************************/
btm_dev_16_digit_authenticated(tBTM_SEC_DEV_REC * p_dev_rec)191 static BOOLEAN btm_dev_16_digit_authenticated(tBTM_SEC_DEV_REC *p_dev_rec)
192 {
193     // BTM_SEC_16_DIGIT_PIN_AUTHED is set if MITM or 16 digit pin is used
194     if(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED)
195     {
196         return(TRUE);
197     }
198     return(FALSE);
199 }
200 
201 /*******************************************************************************
202 **
203 ** Function         btm_serv_trusted
204 **
205 ** Description      check service is trusted
206 **
207 ** Returns          BOOLEAN TRUE or FALSE
208 **
209 *******************************************************************************/
btm_serv_trusted(tBTM_SEC_DEV_REC * p_dev_rec,tBTM_SEC_SERV_REC * p_serv_rec)210 static BOOLEAN btm_serv_trusted(tBTM_SEC_DEV_REC *p_dev_rec, tBTM_SEC_SERV_REC *p_serv_rec)
211 {
212     if(BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask, p_serv_rec->service_id))
213     {
214         return(TRUE);
215     }
216     return(FALSE);
217 }
218 
219 /*******************************************************************************
220 **
221 ** Function         BTM_SecRegister
222 **
223 ** Description      Application manager calls this function to register for
224 **                  security services.  There can be one and only one application
225 **                  saving link keys.  BTM allows only first registration.
226 **
227 ** Returns          TRUE if registered OK, else FALSE
228 **
229 *******************************************************************************/
BTM_SecRegister(tBTM_APPL_INFO * p_cb_info)230 BOOLEAN BTM_SecRegister(tBTM_APPL_INFO *p_cb_info)
231 {
232 #if BLE_INCLUDED == TRUE
233     BT_OCTET16      temp_value = {0};
234 #endif
235 
236     BTM_TRACE_EVENT("%s application registered", __func__);
237 
238 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
239     LOG_INFO("%s p_cb_info->p_le_callback == 0x%p", __func__, p_cb_info->p_le_callback);
240     if (p_cb_info->p_le_callback)
241     {
242 #if SMP_INCLUDED == TRUE
243       BTM_TRACE_EVENT("%s SMP_Register( btm_proc_smp_cback )", __func__);
244       SMP_Register(btm_proc_smp_cback);
245 #endif
246       /* if no IR is loaded, need to regenerate all the keys */
247       if (memcmp(btm_cb.devcb.id_keys.ir, &temp_value, sizeof(BT_OCTET16)) == 0)
248       {
249         btm_ble_reset_id();
250       }
251     }
252     else
253     {
254       LOG_WARN("%s p_cb_info->p_le_callback == NULL", __func__);
255     }
256 #endif
257 
258     btm_cb.api = *p_cb_info;
259 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
260      LOG_INFO("%s btm_cb.api.p_le_callback = 0x%p ", __func__, btm_cb.api.p_le_callback);
261 #endif
262     BTM_TRACE_EVENT("%s application registered", __func__);
263     return(TRUE);
264 }
265 
266 /*******************************************************************************
267 **
268 ** Function         BTM_SecRegisterLinkKeyNotificationCallback
269 **
270 ** Description      Application manager calls this function to register for
271 **                  link key notification.  When there is nobody registered
272 **                  we should avoid changing link key
273 **
274 ** Returns          TRUE if registered OK, else FALSE
275 **
276 *******************************************************************************/
BTM_SecRegisterLinkKeyNotificationCallback(tBTM_LINK_KEY_CALLBACK * p_callback)277 BOOLEAN BTM_SecRegisterLinkKeyNotificationCallback (tBTM_LINK_KEY_CALLBACK *p_callback)
278 {
279     btm_cb.api.p_link_key_callback = p_callback;
280     return TRUE;
281 }
282 
283 /*******************************************************************************
284 **
285 ** Function         BTM_SecAddRmtNameNotifyCallback
286 **
287 ** Description      Any profile can register to be notified when name of the
288 **                  remote device is resolved.
289 **
290 ** Returns          TRUE if registered OK, else FALSE
291 **
292 *******************************************************************************/
BTM_SecAddRmtNameNotifyCallback(tBTM_RMT_NAME_CALLBACK * p_callback)293 BOOLEAN  BTM_SecAddRmtNameNotifyCallback (tBTM_RMT_NAME_CALLBACK *p_callback)
294 {
295     int i;
296 
297     for (i = 0; i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
298     {
299         if (btm_cb.p_rmt_name_callback[i] == NULL)
300         {
301             btm_cb.p_rmt_name_callback[i] = p_callback;
302             return(TRUE);
303         }
304     }
305 
306     return(FALSE);
307 }
308 
309 
310 /*******************************************************************************
311 **
312 ** Function         BTM_SecDeleteRmtNameNotifyCallback
313 **
314 ** Description      Any profile can deregister notification when a new Link Key
315 **                  is generated per connection.
316 **
317 ** Returns          TRUE if OK, else FALSE
318 **
319 *******************************************************************************/
BTM_SecDeleteRmtNameNotifyCallback(tBTM_RMT_NAME_CALLBACK * p_callback)320 BOOLEAN  BTM_SecDeleteRmtNameNotifyCallback (tBTM_RMT_NAME_CALLBACK *p_callback)
321 {
322     int i;
323 
324     for (i = 0; i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
325     {
326         if (btm_cb.p_rmt_name_callback[i] == p_callback)
327         {
328             btm_cb.p_rmt_name_callback[i] = NULL;
329             return(TRUE);
330         }
331     }
332 
333     return(FALSE);
334 }
335 
336 /*******************************************************************************
337 **
338 ** Function         BTM_GetSecurityFlags
339 **
340 ** Description      Get security flags for the device
341 **
342 ** Returns          BOOLEAN TRUE or FALSE is device found
343 **
344 *******************************************************************************/
BTM_GetSecurityFlags(BD_ADDR bd_addr,UINT8 * p_sec_flags)345 BOOLEAN BTM_GetSecurityFlags (BD_ADDR bd_addr, UINT8 * p_sec_flags)
346 {
347     tBTM_SEC_DEV_REC *p_dev_rec;
348 
349     if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
350     {
351         *p_sec_flags = (UINT8) p_dev_rec->sec_flags;
352         return(TRUE);
353     }
354     BTM_TRACE_ERROR ("BTM_GetSecurityFlags false");
355     return(FALSE);
356 }
357 
358 /*******************************************************************************
359 **
360 ** Function         BTM_GetSecurityFlagsByTransport
361 **
362 ** Description      Get security flags for the device on a particular transport
363 **
364 ** Returns          BOOLEAN TRUE or FALSE is device found
365 **
366 *******************************************************************************/
BTM_GetSecurityFlagsByTransport(BD_ADDR bd_addr,UINT8 * p_sec_flags,tBT_TRANSPORT transport)367 BOOLEAN BTM_GetSecurityFlagsByTransport (BD_ADDR bd_addr, UINT8 * p_sec_flags,
368                                                 tBT_TRANSPORT transport)
369 {
370     tBTM_SEC_DEV_REC *p_dev_rec;
371 
372     if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
373     {
374         if (transport == BT_TRANSPORT_BR_EDR)
375             *p_sec_flags = (UINT8) p_dev_rec->sec_flags;
376         else
377             *p_sec_flags = (UINT8) (p_dev_rec->sec_flags >> 8);
378 
379         return(TRUE);
380     }
381     BTM_TRACE_ERROR ("BTM_GetSecurityFlags false");
382     return(FALSE);
383 }
384 
385 /*******************************************************************************
386 **
387 ** Function         BTM_SetPinType
388 **
389 ** Description      Set PIN type for the device.
390 **
391 ** Returns          void
392 **
393 *******************************************************************************/
BTM_SetPinType(UINT8 pin_type,PIN_CODE pin_code,UINT8 pin_code_len)394 void BTM_SetPinType (UINT8 pin_type, PIN_CODE pin_code, UINT8 pin_code_len)
395 {
396     BTM_TRACE_API ("BTM_SetPinType: pin type %d [variable-0, fixed-1], code %s, length %d",
397                     pin_type, (char *) pin_code, pin_code_len);
398 
399     /* If device is not up security mode will be set as a part of startup */
400     if ( (btm_cb.cfg.pin_type != pin_type)
401          && controller_get_interface()->get_is_ready() )
402     {
403         btsnd_hcic_write_pin_type (pin_type);
404     }
405 
406     btm_cb.cfg.pin_type     = pin_type;
407     btm_cb.cfg.pin_code_len = pin_code_len;
408     memcpy (btm_cb.cfg.pin_code, pin_code, pin_code_len);
409 }
410 
411 /*******************************************************************************
412 **
413 ** Function         BTM_SetPairableMode
414 **
415 ** Description      Enable or disable pairing
416 **
417 ** Parameters       allow_pairing - (TRUE or FALSE) whether or not the device
418 **                      allows pairing.
419 **                  connect_only_paired - (TRUE or FALSE) whether or not to
420 **                      only allow paired devices to connect.
421 **
422 ** Returns          void
423 **
424 *******************************************************************************/
BTM_SetPairableMode(BOOLEAN allow_pairing,BOOLEAN connect_only_paired)425 void BTM_SetPairableMode (BOOLEAN allow_pairing, BOOLEAN connect_only_paired)
426 {
427     BTM_TRACE_API ("BTM_SetPairableMode()  allow_pairing: %u   connect_only_paired: %u", allow_pairing, connect_only_paired);
428 
429     btm_cb.pairing_disabled    = !allow_pairing;
430     btm_cb.connect_only_paired = connect_only_paired;
431 }
432 
433 /*******************************************************************************
434 **
435 ** Function         BTM_SetSecureConnectionsOnly
436 **
437 ** Description      Enable or disable default treatment for Mode 4 Level 0 services
438 **
439 ** Parameter        secure_connections_only_mode - (TRUE or FALSE) whether or not the device
440 **                  TRUE means that the device should treat Mode 4 Level 0 services as
441 **                  services of other levels. (Secure_connections_only_mode)
442 **                  FALSE means that the device should provide default treatment for
443 **                  Mode 4 Level 0 services.
444 **
445 ** Returns          void
446 **
447 *******************************************************************************/
BTM_SetSecureConnectionsOnly(BOOLEAN secure_connections_only_mode)448 void BTM_SetSecureConnectionsOnly (BOOLEAN secure_connections_only_mode)
449 {
450     BTM_TRACE_API("%s: Mode : %u", __FUNCTION__,
451                    secure_connections_only_mode);
452 
453     btm_cb.devcb.secure_connections_only = secure_connections_only_mode;
454     btm_cb.security_mode = BTM_SEC_MODE_SC;
455 }
456 #define BTM_NO_AVAIL_SEC_SERVICES   ((UINT16) 0xffff)
457 
458 /*******************************************************************************
459 **
460 ** Function         BTM_SetSecurityLevel
461 **
462 ** Description      Register service security level with Security Manager
463 **
464 ** Parameters:      is_originator - TRUE if originating the connection, FALSE if not
465 **                  p_name      - Name of the service relevant only if
466 **                                authorization will show this name to user. ignored
467 **                                if BTM_SEC_SERVICE_NAME_LEN is 0.
468 **                  service_id  - service ID for the service passed to authorization callback
469 **                  sec_level   - bit mask of the security features
470 **                  psm         - L2CAP PSM
471 **                  mx_proto_id - protocol ID of multiplexing proto below
472 **                  mx_chan_id  - channel ID of multiplexing proto below
473 **
474 ** Returns          TRUE if registered OK, else FALSE
475 **
476 *******************************************************************************/
BTM_SetSecurityLevel(BOOLEAN is_originator,char * p_name,UINT8 service_id,UINT16 sec_level,UINT16 psm,UINT32 mx_proto_id,UINT32 mx_chan_id)477 BOOLEAN BTM_SetSecurityLevel (BOOLEAN is_originator, char *p_name, UINT8 service_id,
478                               UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id,
479                               UINT32 mx_chan_id)
480 {
481 #if (L2CAP_UCD_INCLUDED == TRUE)
482     CONNECTION_TYPE conn_type;
483 
484     if (is_originator)
485         conn_type = CONN_ORIENT_ORIG;
486     else
487         conn_type = CONN_ORIENT_TERM;
488 
489     return(btm_sec_set_security_level (conn_type, p_name, service_id,
490                                        sec_level, psm, mx_proto_id, mx_chan_id));
491 #else
492     return(btm_sec_set_security_level (is_originator, p_name, service_id,
493                                        sec_level, psm, mx_proto_id, mx_chan_id));
494 #endif
495 }
496 
497 /*******************************************************************************
498 **
499 ** Function         btm_sec_set_security_level
500 **
501 ** Description      Register service security level with Security Manager
502 **
503 ** Parameters:      conn_type   - TRUE if originating the connection, FALSE if not
504 **                  p_name      - Name of the service relevant only if
505 **                                authorization will show this name to user. ignored
506 **                                if BTM_SEC_SERVICE_NAME_LEN is 0.
507 **                  service_id  - service ID for the service passed to authorization callback
508 **                  sec_level   - bit mask of the security features
509 **                  psm         - L2CAP PSM
510 **                  mx_proto_id - protocol ID of multiplexing proto below
511 **                  mx_chan_id  - channel ID of multiplexing proto below
512 **
513 ** Returns          TRUE if registered OK, else FALSE
514 **
515 *******************************************************************************/
btm_sec_set_security_level(CONNECTION_TYPE conn_type,char * p_name,UINT8 service_id,UINT16 sec_level,UINT16 psm,UINT32 mx_proto_id,UINT32 mx_chan_id)516 static BOOLEAN btm_sec_set_security_level (CONNECTION_TYPE conn_type, char *p_name, UINT8 service_id,
517                                            UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id,
518                                            UINT32 mx_chan_id)
519 {
520     tBTM_SEC_SERV_REC   *p_srec;
521     UINT16               index;
522     UINT16               first_unused_record = BTM_NO_AVAIL_SEC_SERVICES;
523     BOOLEAN              record_allocated = FALSE;
524     BOOLEAN              is_originator;
525 #if (L2CAP_UCD_INCLUDED == TRUE)
526     BOOLEAN              is_ucd;
527 
528     if (conn_type & CONNECTION_TYPE_ORIG_MASK)
529         is_originator = TRUE;
530     else
531         is_originator = FALSE;
532 
533     if (conn_type & CONNECTION_TYPE_CONNLESS_MASK )
534     {
535         is_ucd = TRUE;
536     }
537     else
538     {
539         is_ucd = FALSE;
540     }
541 #else
542     is_originator = conn_type;
543 #endif
544 
545     BTM_TRACE_API("%s : sec: 0x%x", __func__, sec_level);
546 
547     /* See if the record can be reused (same service name, psm, mx_proto_id,
548        service_id, and mx_chan_id), or obtain the next unused record */
549 
550     p_srec = &btm_cb.sec_serv_rec[0];
551 
552 
553     for (index = 0; index < BTM_SEC_MAX_SERVICE_RECORDS; index++, p_srec++)
554     {
555         /* Check if there is already a record for this service */
556         if (p_srec->security_flags & BTM_SEC_IN_USE)
557         {
558 #if BTM_SEC_SERVICE_NAME_LEN > 0
559             if (p_srec->psm == psm                  &&
560                 p_srec->mx_proto_id == mx_proto_id  &&
561                 service_id == p_srec->service_id    &&
562                 (!strncmp (p_name, (char *) p_srec->orig_service_name,
563                            BTM_SEC_SERVICE_NAME_LEN) ||
564                  !strncmp (p_name, (char *) p_srec->term_service_name,
565                            BTM_SEC_SERVICE_NAME_LEN)))
566 #else
567             if (p_srec->psm == psm                  &&
568                 p_srec->mx_proto_id == mx_proto_id  &&
569                 service_id == p_srec->service_id)
570 #endif
571             {
572                 record_allocated = TRUE;
573                 break;
574             }
575         }
576         /* Mark the first available service record */
577         else if (!record_allocated)
578         {
579             memset (p_srec, 0, sizeof(tBTM_SEC_SERV_REC));
580             record_allocated = TRUE;
581             first_unused_record = index;
582         }
583     }
584 
585     if (!record_allocated)
586     {
587         BTM_TRACE_WARNING("BTM_SEC_REG: Out of Service Records (%d)",  BTM_SEC_MAX_SERVICE_RECORDS);
588         return(record_allocated);
589     }
590 
591     /* Process the request if service record is valid */
592     /* If a duplicate service wasn't found, use the first available */
593     if (index >= BTM_SEC_MAX_SERVICE_RECORDS)
594     {
595         index = first_unused_record;
596         p_srec = &btm_cb.sec_serv_rec[index];
597     }
598 
599     p_srec->psm         = psm;
600     p_srec->service_id  = service_id;
601     p_srec->mx_proto_id = mx_proto_id;
602 
603     if (is_originator)
604     {
605         p_srec->orig_mx_chan_id = mx_chan_id;
606 #if BTM_SEC_SERVICE_NAME_LEN > 0
607         BCM_STRNCPY_S ((char *)p_srec->orig_service_name, sizeof(p_srec->orig_service_name), p_name, BTM_SEC_SERVICE_NAME_LEN);
608 #endif
609         /* clear out the old setting, just in case it exists */
610 #if (L2CAP_UCD_INCLUDED == TRUE)
611         if ( is_ucd )
612         {
613             p_srec->ucd_security_flags &=
614             ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT    | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM |
615               BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
616         }
617         else
618 #endif
619         {
620             p_srec->security_flags &=
621             ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT    | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM |
622               BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
623         }
624 
625         /* Parameter validation.  Originator should not set requirements for incoming connections */
626         sec_level &= ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHENTICATE
627                 | BTM_SEC_IN_MITM | BTM_SEC_IN_MIN_16_DIGIT_PIN );
628 
629         if (btm_cb.security_mode == BTM_SEC_MODE_SP ||
630             btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
631             btm_cb.security_mode == BTM_SEC_MODE_SC)
632         {
633             if (sec_level & BTM_SEC_OUT_AUTHENTICATE)
634                 sec_level |= BTM_SEC_OUT_MITM;
635         }
636 
637         /* Make sure the authenticate bit is set, when encrypt bit is set */
638         if (sec_level & BTM_SEC_OUT_ENCRYPT)
639             sec_level |= BTM_SEC_OUT_AUTHENTICATE;
640 
641         /* outgoing connections usually set the security level right before
642          * the connection is initiated.
643          * set it to be the outgoing service */
644 #if (L2CAP_UCD_INCLUDED == TRUE)
645         if ( is_ucd == FALSE )
646 #endif
647         {
648             btm_cb.p_out_serv = p_srec;
649         }
650     }
651     else
652     {
653         p_srec->term_mx_chan_id = mx_chan_id;
654 #if BTM_SEC_SERVICE_NAME_LEN > 0
655         BCM_STRNCPY_S ((char *)p_srec->term_service_name, sizeof(p_srec->term_service_name), p_name, BTM_SEC_SERVICE_NAME_LEN);
656 #endif
657         /* clear out the old setting, just in case it exists */
658 #if (L2CAP_UCD_INCLUDED == TRUE)
659         if ( is_ucd )
660         {
661             p_srec->ucd_security_flags &=
662             ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT     | BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_MITM |
663               BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE
664               | BTM_SEC_IN_MIN_16_DIGIT_PIN);
665         }
666         else
667 #endif
668         {
669             p_srec->security_flags &=
670             ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT     | BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_MITM |
671               BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE
672               | BTM_SEC_IN_MIN_16_DIGIT_PIN);
673         }
674 
675         /* Parameter validation.  Acceptor should not set requirements for outgoing connections */
676         sec_level &= ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM);
677 
678         if (btm_cb.security_mode == BTM_SEC_MODE_SP ||
679             btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
680             btm_cb.security_mode == BTM_SEC_MODE_SC)
681         {
682             if (sec_level & BTM_SEC_IN_AUTHENTICATE)
683                 sec_level |= BTM_SEC_IN_MITM;
684         }
685 
686         /* Make sure the authenticate bit is set, when encrypt bit is set */
687         if (sec_level & BTM_SEC_IN_ENCRYPT)
688             sec_level |= BTM_SEC_IN_AUTHENTICATE;
689     }
690 
691 #if (L2CAP_UCD_INCLUDED == TRUE)
692     if ( is_ucd )
693     {
694         p_srec->security_flags     |= (UINT16)(BTM_SEC_IN_USE);
695         p_srec->ucd_security_flags |= (UINT16)(sec_level | BTM_SEC_IN_USE);
696     }
697     else
698     {
699         p_srec->security_flags |= (UINT16)(sec_level | BTM_SEC_IN_USE);
700     }
701 
702     BTM_TRACE_API("BTM_SEC_REG[%d]: id %d, conn_type 0x%x, psm 0x%04x, proto_id %d, chan_id %d",
703                    index, service_id, conn_type, psm, mx_proto_id, mx_chan_id);
704 
705     BTM_TRACE_API("               : security_flags: 0x%04x, ucd_security_flags: 0x%04x",
706                    p_srec->security_flags, p_srec->ucd_security_flags);
707 
708 #if BTM_SEC_SERVICE_NAME_LEN > 0
709     BTM_TRACE_API("               : service name [%s] (up to %d chars saved)",
710                    p_name, BTM_SEC_SERVICE_NAME_LEN);
711 #endif
712 #else
713     p_srec->security_flags |= (UINT16)(sec_level | BTM_SEC_IN_USE);
714 
715     BTM_TRACE_API("BTM_SEC_REG[%d]: id %d, is_orig %d, psm 0x%04x, proto_id %d, chan_id %d",
716                    index, service_id, is_originator, psm, mx_proto_id, mx_chan_id);
717 
718 #if BTM_SEC_SERVICE_NAME_LEN > 0
719     BTM_TRACE_API("               : sec: 0x%x, service name [%s] (up to %d chars saved)",
720                    p_srec->security_flags, p_name, BTM_SEC_SERVICE_NAME_LEN);
721 #endif
722 #endif
723 
724 
725     return(record_allocated);
726 }
727 
728 /*******************************************************************************
729 **
730 ** Function         BTM_SecClrService
731 **
732 ** Description      Removes specified service record(s) from the security database.
733 **                  All service records with the specified name are removed.
734 **                  Typically used only by devices with limited RAM so that it can
735 **                  reuse an old security service record.
736 **
737 **                  Note: Unpredictable results may occur if a service is cleared
738 **                      that is still in use by an application/profile.
739 **
740 ** Parameters       Service ID - Id of the service to remove. ('0' removes all service
741 **                          records (except SDP).
742 **
743 ** Returns          Number of records that were freed.
744 **
745 *******************************************************************************/
BTM_SecClrService(UINT8 service_id)746 UINT8 BTM_SecClrService (UINT8 service_id)
747 {
748     tBTM_SEC_SERV_REC   *p_srec = &btm_cb.sec_serv_rec[0];
749     UINT8   num_freed = 0;
750     int     i;
751 
752     for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_srec++)
753     {
754         /* Delete services with specified name (if in use and not SDP) */
755         if ((p_srec->security_flags & BTM_SEC_IN_USE) && (p_srec->psm != BT_PSM_SDP) &&
756             (!service_id || (service_id == p_srec->service_id)))
757         {
758             BTM_TRACE_API("BTM_SEC_CLR[%d]: id %d", i, service_id);
759             p_srec->security_flags = 0;
760 #if (L2CAP_UCD_INCLUDED == TRUE)
761             p_srec->ucd_security_flags = 0;
762 #endif
763             num_freed++;
764         }
765     }
766 
767     return(num_freed);
768 }
769 
770 /*******************************************************************************
771 **
772 ** Function         btm_sec_clr_service_by_psm
773 **
774 ** Description      Removes specified service record from the security database.
775 **                  All service records with the specified psm are removed.
776 **                  Typically used by L2CAP to free up the service record used
777 **                  by dynamic PSM clients when the channel is closed.
778 **                  The given psm must be a virtual psm.
779 **
780 ** Parameters       Service ID - Id of the service to remove. ('0' removes all service
781 **                          records (except SDP).
782 **
783 ** Returns          Number of records that were freed.
784 **
785 *******************************************************************************/
btm_sec_clr_service_by_psm(UINT16 psm)786 UINT8 btm_sec_clr_service_by_psm (UINT16 psm)
787 {
788     tBTM_SEC_SERV_REC   *p_srec = &btm_cb.sec_serv_rec[0];
789     UINT8   num_freed = 0;
790     int     i;
791 
792     for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_srec++)
793     {
794         /* Delete services with specified name (if in use and not SDP) */
795         if ((p_srec->security_flags & BTM_SEC_IN_USE) && (p_srec->psm == psm) )
796         {
797             BTM_TRACE_API("BTM_SEC_CLR[%d]: id %d ", i, p_srec->service_id);
798             p_srec->security_flags = 0;
799             num_freed++;
800         }
801     }
802     BTM_TRACE_API("btm_sec_clr_service_by_psm psm:0x%x num_freed:%d", psm, num_freed);
803 
804     return(num_freed);
805 }
806 
807 /*******************************************************************************
808 **
809 ** Function         btm_sec_clr_temp_auth_service
810 **
811 ** Description      Removes specified device record's temporary authorization
812 **                  flag from the security database.
813 **
814 ** Parameters       Device address to be cleared
815 **
816 ** Returns          void.
817 **
818 *******************************************************************************/
btm_sec_clr_temp_auth_service(BD_ADDR bda)819 void btm_sec_clr_temp_auth_service (BD_ADDR bda)
820 {
821     tBTM_SEC_DEV_REC   *p_dev_rec;
822 
823     if ((p_dev_rec = btm_find_dev (bda)) == NULL)
824     {
825         BTM_TRACE_WARNING ("btm_sec_clr_temp_auth_service() - no dev CB");
826         return;
827     }
828 
829     /* Reset the temporary authorized flag so that next time (untrusted) service is accessed autorization will take place */
830     if (p_dev_rec->last_author_service_id != BTM_SEC_NO_LAST_SERVICE_ID && p_dev_rec->p_cur_service)
831     {
832         BTM_TRACE_DEBUG ("btm_sec_clr_auth_service_by_psm [clearing device: %02x:%02x:%02x:%02x:%02x:%02x]",
833                     bda[0], bda[1], bda[2], bda[3], bda[4], bda[5]);
834 
835         p_dev_rec->last_author_service_id = BTM_SEC_NO_LAST_SERVICE_ID;
836     }
837 }
838 
839 /*******************************************************************************
840 **
841 ** Function         BTM_PINCodeReply
842 **
843 ** Description      This function is called after Security Manager submitted
844 **                  PIN code request to the UI.
845 **
846 ** Parameters:      bd_addr      - Address of the device for which PIN was requested
847 **                  res          - result of the operation BTM_SUCCESS if success
848 **                  pin_len      - length in bytes of the PIN Code
849 **                  p_pin        - pointer to array with the PIN Code
850 **                  trusted_mask - bitwise OR of trusted services (array of UINT32)
851 **
852 *******************************************************************************/
BTM_PINCodeReply(BD_ADDR bd_addr,UINT8 res,UINT8 pin_len,UINT8 * p_pin,UINT32 trusted_mask[])853 void BTM_PINCodeReply (BD_ADDR bd_addr, UINT8 res, UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[])
854 {
855     tBTM_SEC_DEV_REC *p_dev_rec;
856 
857     BTM_TRACE_API ("BTM_PINCodeReply(): PairState: %s   PairFlags: 0x%02x  PinLen:%d  Result:%d",
858                     btm_pair_state_descr(btm_cb.pairing_state), btm_cb.pairing_flags, pin_len, res);
859 
860     /* If timeout already expired or has been canceled, ignore the reply */
861     if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_PIN)
862     {
863         BTM_TRACE_WARNING ("BTM_PINCodeReply() - Wrong State: %d", btm_cb.pairing_state);
864         return;
865     }
866 
867     if (memcmp (bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN) != 0)
868     {
869         BTM_TRACE_ERROR ("BTM_PINCodeReply() - Wrong BD Addr");
870         return;
871     }
872 
873     if ((p_dev_rec = btm_find_dev (bd_addr)) == NULL)
874     {
875         BTM_TRACE_ERROR ("BTM_PINCodeReply() - no dev CB");
876         return;
877     }
878 
879     if ( (pin_len > PIN_CODE_LEN) || (pin_len == 0) || (p_pin == NULL) )
880         res = BTM_ILLEGAL_VALUE;
881 
882     if (res != BTM_SUCCESS)
883     {
884         /* if peer started dd OR we started dd and pre-fetch pin was not used send negative reply */
885         if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PEER_STARTED_DD) ||
886             ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) &&
887             (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)) )
888         {
889             /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed event */
890             btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
891             btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
892 
893             btsnd_hcic_pin_code_neg_reply (bd_addr);
894         }
895         else
896         {
897             p_dev_rec->security_required = BTM_SEC_NONE;
898             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
899         }
900         return;
901     }
902     if (trusted_mask)
903         BTM_SEC_COPY_TRUSTED_DEVICE(trusted_mask, p_dev_rec->trusted_mask);
904     p_dev_rec->sec_flags   |= BTM_SEC_LINK_KEY_AUTHED;
905     if (pin_len >= 16) {
906         p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED;
907     }
908 
909     if ( (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
910          &&  (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE)
911          &&  (btm_cb.security_mode_changed == FALSE) )
912     {
913         /* This is start of the dedicated bonding if local device is 2.0 */
914         btm_cb.pin_code_len = pin_len;
915         p_dev_rec->pin_code_length = pin_len;
916         memcpy (btm_cb.pin_code, p_pin, pin_len);
917 
918         btm_cb.security_mode_changed = TRUE;
919 #ifdef APPL_AUTH_WRITE_EXCEPTION
920         if(!(APPL_AUTH_WRITE_EXCEPTION)(p_dev_rec->bd_addr))
921 #endif
922         btsnd_hcic_write_auth_enable (TRUE);
923 
924         btm_cb.acl_disc_reason = 0xff ;
925 
926         /* if we rejected incoming connection request, we have to wait HCI_Connection_Complete event */
927         /*  before originating  */
928         if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT)
929         {
930             BTM_TRACE_WARNING ("BTM_PINCodeReply(): waiting HCI_Connection_Complete after rejected incoming connection");
931             /* we change state little bit early so btm_sec_connected() will originate connection */
932             /*   when existing ACL link is down completely */
933             btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
934         }
935         /* if we already accepted incoming connection from pairing device */
936         else if (p_dev_rec->sm4 & BTM_SM4_CONN_PEND)
937         {
938             BTM_TRACE_WARNING ("BTM_PINCodeReply(): link is connecting so wait pin code request from peer");
939             btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
940         }
941         else if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED)
942         {
943             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
944             p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_AUTHED;
945 
946             if (btm_cb.api.p_auth_complete_callback)
947                 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,  p_dev_rec->dev_class,
948                                                     p_dev_rec->sec_bd_name, HCI_ERR_AUTH_FAILURE);
949         }
950         return;
951     }
952 
953     btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
954     btm_cb.acl_disc_reason = HCI_SUCCESS;
955 
956 #ifdef PORCHE_PAIRING_CONFLICT
957     BTM_TRACE_EVENT("BTM_PINCodeReply(): Saving pin_len: %d btm_cb.pin_code_len: %d", pin_len, btm_cb.pin_code_len);
958     /* if this was not pre-fetched, save the PIN */
959     if (btm_cb.pin_code_len == 0)
960         memcpy (btm_cb.pin_code, p_pin, pin_len);
961     btm_cb.pin_code_len_saved = pin_len;
962 #endif
963     btsnd_hcic_pin_code_req_reply (bd_addr, pin_len, p_pin);
964 }
965 
966 /*******************************************************************************
967 **
968 ** Function         btm_sec_bond_by_transport
969 **
970 ** Description      this is the bond function that will start either SSP or SMP.
971 **
972 ** Parameters:      bd_addr      - Address of the device to bond
973 **                  pin_len      - length in bytes of the PIN Code
974 **                  p_pin        - pointer to array with the PIN Code
975 **                  trusted_mask - bitwise OR of trusted services (array of UINT32)
976 **
977 **  Note: After 2.1 parameters are not used and preserved here not to change API
978 *******************************************************************************/
btm_sec_bond_by_transport(BD_ADDR bd_addr,tBT_TRANSPORT transport,UINT8 pin_len,UINT8 * p_pin,UINT32 trusted_mask[])979 tBTM_STATUS btm_sec_bond_by_transport (BD_ADDR bd_addr, tBT_TRANSPORT transport,
980                                        UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[])
981 {
982     tBTM_SEC_DEV_REC *p_dev_rec;
983     tBTM_STATUS      status;
984     UINT8            *p_features;
985     UINT8            ii;
986     tACL_CONN        *p= btm_bda_to_acl(bd_addr, transport);
987     BTM_TRACE_API ("btm_sec_bond_by_transport BDA: %02x:%02x:%02x:%02x:%02x:%02x",
988                     bd_addr[0], bd_addr[1], bd_addr[2], bd_addr[3], bd_addr[4], bd_addr[5]);
989 
990     BTM_TRACE_DEBUG("btm_sec_bond_by_transport: Transport used %d" , transport);
991 
992 
993     /* Other security process is in progress */
994     if (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
995     {
996         BTM_TRACE_ERROR ("BTM_SecBond: already busy in state: %s", btm_pair_state_descr(btm_cb.pairing_state));
997         return(BTM_WRONG_MODE);
998     }
999 
1000     if ((p_dev_rec = btm_find_or_alloc_dev (bd_addr)) == NULL)
1001     {
1002         return(BTM_NO_RESOURCES);
1003     }
1004 
1005     BTM_TRACE_DEBUG ("before update sec_flags=0x%x", p_dev_rec->sec_flags);
1006 
1007     /* Finished if connection is active and already paired */
1008     if ( ((p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE) && transport == BT_TRANSPORT_BR_EDR
1009          &&  (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))
1010 #if (BLE_INCLUDED == TRUE)
1011         ||((p_dev_rec->ble_hci_handle != BTM_SEC_INVALID_HANDLE) && transport == BT_TRANSPORT_LE
1012          &&  (p_dev_rec->sec_flags & BTM_SEC_LE_AUTHENTICATED))
1013 #endif
1014 
1015          )
1016     {
1017         BTM_TRACE_WARNING("BTM_SecBond -> Already Paired");
1018         return(BTM_SUCCESS);
1019     }
1020 
1021     /* Tell controller to get rid of the link key if it has one stored */
1022     if ((BTM_DeleteStoredLinkKey (bd_addr, NULL)) != BTM_SUCCESS)
1023         return(BTM_NO_RESOURCES);
1024 
1025     /* Save the PIN code if we got a valid one */
1026     if (p_pin && (pin_len <= PIN_CODE_LEN) && (pin_len != 0))
1027     {
1028         btm_cb.pin_code_len = pin_len;
1029         p_dev_rec->pin_code_length = pin_len;
1030         memcpy (btm_cb.pin_code, p_pin, PIN_CODE_LEN);
1031     }
1032 
1033     memcpy (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN);
1034 
1035     btm_cb.pairing_flags = BTM_PAIR_FLAGS_WE_STARTED_DD;
1036 
1037     p_dev_rec->security_required = BTM_SEC_OUT_AUTHENTICATE;
1038     p_dev_rec->is_originator     = TRUE;
1039     if (trusted_mask)
1040         BTM_SEC_COPY_TRUSTED_DEVICE(trusted_mask, p_dev_rec->trusted_mask);
1041 
1042 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
1043     if (transport == BT_TRANSPORT_LE)
1044     {
1045         btm_ble_init_pseudo_addr (p_dev_rec, bd_addr);
1046         p_dev_rec->sec_flags &= ~ BTM_SEC_LE_MASK;
1047 
1048         if (SMP_Pair(bd_addr) == SMP_STARTED)
1049         {
1050             btm_cb.pairing_flags |= BTM_PAIR_FLAGS_LE_ACTIVE;
1051             p_dev_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING;
1052             btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1053             return BTM_CMD_STARTED;
1054         }
1055 
1056         btm_cb.pairing_flags = 0;
1057         return(BTM_NO_RESOURCES);
1058     }
1059 #endif
1060 
1061     p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED
1062                                   | BTM_SEC_ROLE_SWITCHED  | BTM_SEC_LINK_KEY_AUTHED);
1063 
1064 
1065     BTM_TRACE_DEBUG ("after update sec_flags=0x%x", p_dev_rec->sec_flags);
1066     if (!controller_get_interface()->supports_simple_pairing())
1067     {
1068         /* The special case when we authenticate keyboard.  Set pin type to fixed */
1069         /* It would be probably better to do it from the application, but it is */
1070         /* complicated */
1071         if (((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) == BTM_COD_MAJOR_PERIPHERAL)
1072             && (p_dev_rec->dev_class[2] & BTM_COD_MINOR_KEYBOARD)
1073             && (btm_cb.cfg.pin_type != HCI_PIN_TYPE_FIXED))
1074         {
1075             btm_cb.pin_type_changed = TRUE;
1076             btsnd_hcic_write_pin_type (HCI_PIN_TYPE_FIXED);
1077         }
1078     }
1079 
1080     for (ii = 0; ii <= HCI_EXT_FEATURES_PAGE_MAX; ii++)
1081     {
1082         p_features = p_dev_rec->features[ii];
1083         BTM_TRACE_EVENT("  remote_features page[%1d] = %02x-%02x-%02x-%02x",
1084                          ii, p_features[0], p_features[1], p_features[2], p_features[3]);
1085         BTM_TRACE_EVENT("                              %02x-%02x-%02x-%02x",
1086                              p_features[4], p_features[5], p_features[6], p_features[7]);
1087     }
1088 
1089     BTM_TRACE_EVENT ("BTM_SecBond: Remote sm4: 0x%x  HCI Handle: 0x%04x", p_dev_rec->sm4, p_dev_rec->hci_handle);
1090 
1091 #if BTM_SEC_FORCE_RNR_FOR_DBOND == TRUE
1092     p_dev_rec->sec_flags &= ~BTM_SEC_NAME_KNOWN;
1093 #endif
1094 
1095     /* If connection already exists... */
1096     if (p && p->hci_handle != BTM_SEC_INVALID_HANDLE)
1097     {
1098         if (!btm_sec_start_authentication (p_dev_rec))
1099             return(BTM_NO_RESOURCES);
1100 
1101         btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
1102 
1103         /* Mark lcb as bonding */
1104         l2cu_update_lcb_4_bonding (bd_addr, TRUE);
1105         return(BTM_CMD_STARTED);
1106     }
1107 
1108     BTM_TRACE_DEBUG ("sec mode: %d sm4:x%x", btm_cb.security_mode, p_dev_rec->sm4);
1109     if (!controller_get_interface()->supports_simple_pairing()
1110         || (p_dev_rec->sm4 == BTM_SM4_KNOWN))
1111     {
1112         if ( btm_sec_check_prefetch_pin (p_dev_rec) )
1113             return (BTM_CMD_STARTED);
1114     }
1115     if ((btm_cb.security_mode == BTM_SEC_MODE_SP ||
1116          btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
1117          btm_cb.security_mode == BTM_SEC_MODE_SC) &&
1118          BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4))
1119     {
1120         /* local is 2.1 and peer is unknown */
1121         if ((p_dev_rec->sm4 & BTM_SM4_CONN_PEND) == 0)
1122         {
1123             /* we are not accepting connection request from peer
1124              * -> RNR (to learn if peer is 2.1)
1125              * RNR when no ACL causes HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT */
1126             btm_sec_change_pairing_state (BTM_PAIR_STATE_GET_REM_NAME);
1127             BTM_ReadRemoteDeviceName(bd_addr, NULL, BT_TRANSPORT_BR_EDR);
1128         }
1129         else
1130         {
1131             /* We are accepting connection request from peer */
1132             btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
1133         }
1134         BTM_TRACE_DEBUG ("State:%s sm4: 0x%x sec_state:%d",
1135             btm_pair_state_descr (btm_cb.pairing_state), p_dev_rec->sm4, p_dev_rec->sec_state);
1136         return BTM_CMD_STARTED;
1137     }
1138 
1139     /* both local and peer are 2.1  */
1140     status = btm_sec_dd_create_conn(p_dev_rec);
1141 
1142     if (status != BTM_CMD_STARTED)
1143     {
1144         btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
1145     }
1146 
1147     return status;
1148 }
1149 
1150 /*******************************************************************************
1151 **
1152 ** Function         BTM_SecBondByTransport
1153 **
1154 ** Description      This function is called to perform bonding with peer device.
1155 **                  If the connection is already up, but not secure, pairing
1156 **                  is attempted.  If already paired BTM_SUCCESS is returned.
1157 **
1158 ** Parameters:      bd_addr      - Address of the device to bond
1159 **                  transport    - doing SSP over BR/EDR or SMP over LE
1160 **                  pin_len      - length in bytes of the PIN Code
1161 **                  p_pin        - pointer to array with the PIN Code
1162 **                  trusted_mask - bitwise OR of trusted services (array of UINT32)
1163 **
1164 **  Note: After 2.1 parameters are not used and preserved here not to change API
1165 *******************************************************************************/
BTM_SecBondByTransport(BD_ADDR bd_addr,tBT_TRANSPORT transport,UINT8 pin_len,UINT8 * p_pin,UINT32 trusted_mask[])1166 tBTM_STATUS BTM_SecBondByTransport (BD_ADDR bd_addr, tBT_TRANSPORT transport,
1167                                     UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[])
1168 {
1169 #if SMP_INCLUDED == TRUE
1170     tBT_DEVICE_TYPE     dev_type;
1171     tBLE_ADDR_TYPE      addr_type;
1172 
1173     BTM_ReadDevInfo(bd_addr, &dev_type, &addr_type);
1174     /* LE device, do SMP pairing */
1175     if ((transport == BT_TRANSPORT_LE && (dev_type & BT_DEVICE_TYPE_BLE) == 0) ||
1176         (transport == BT_TRANSPORT_BR_EDR && (dev_type & BT_DEVICE_TYPE_BREDR) == 0))
1177     {
1178         return BTM_ILLEGAL_ACTION;
1179     }
1180 #endif
1181     return btm_sec_bond_by_transport(bd_addr, transport, pin_len, p_pin, trusted_mask);
1182 }
1183 
1184 /*******************************************************************************
1185 **
1186 ** Function         BTM_SecBond
1187 **
1188 ** Description      This function is called to perform bonding with peer device.
1189 **                  If the connection is already up, but not secure, pairing
1190 **                  is attempted.  If already paired BTM_SUCCESS is returned.
1191 **
1192 ** Parameters:      bd_addr      - Address of the device to bond
1193 **                  pin_len      - length in bytes of the PIN Code
1194 **                  p_pin        - pointer to array with the PIN Code
1195 **                  trusted_mask - bitwise OR of trusted services (array of UINT32)
1196 **
1197 **  Note: After 2.1 parameters are not used and preserved here not to change API
1198 *******************************************************************************/
BTM_SecBond(BD_ADDR bd_addr,UINT8 pin_len,UINT8 * p_pin,UINT32 trusted_mask[])1199 tBTM_STATUS BTM_SecBond (BD_ADDR bd_addr, UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[])
1200 {
1201     tBT_TRANSPORT   transport = BT_TRANSPORT_BR_EDR;
1202 #if BLE_INCLUDED == TRUE
1203     if (BTM_UseLeLink(bd_addr))
1204         transport = BT_TRANSPORT_LE;
1205 #endif
1206     return btm_sec_bond_by_transport(bd_addr, transport, pin_len, p_pin, trusted_mask);
1207 }
1208 /*******************************************************************************
1209 **
1210 ** Function         BTM_SecBondCancel
1211 **
1212 ** Description      This function is called to cancel ongoing bonding process
1213 **                  with peer device.
1214 **
1215 ** Parameters:      bd_addr      - Address of the peer device
1216 **                         transport    - FALSE for BR/EDR link; TRUE for LE link
1217 **
1218 *******************************************************************************/
BTM_SecBondCancel(BD_ADDR bd_addr)1219 tBTM_STATUS BTM_SecBondCancel (BD_ADDR bd_addr)
1220 {
1221     tBTM_SEC_DEV_REC *p_dev_rec;
1222 
1223     BTM_TRACE_API ("BTM_SecBondCancel()  State: %s flags:0x%x",
1224                     btm_pair_state_descr (btm_cb.pairing_state), btm_cb.pairing_flags);
1225 
1226     if (((p_dev_rec = btm_find_dev (bd_addr)) == NULL)
1227         ||  (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) )
1228         return BTM_UNKNOWN_ADDR;
1229 
1230 #if SMP_INCLUDED == TRUE
1231     if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_LE_ACTIVE)
1232     {
1233         if (p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING)
1234         {
1235             BTM_TRACE_DEBUG ("Cancel LE pairing");
1236             if (SMP_PairCancel(bd_addr))
1237             {
1238                 return BTM_CMD_STARTED;
1239             }
1240         }
1241         return BTM_WRONG_MODE;
1242     }
1243 
1244 #endif
1245     BTM_TRACE_DEBUG ("hci_handle:0x%x sec_state:%d", p_dev_rec->hci_handle, p_dev_rec->sec_state );
1246     if (BTM_PAIR_STATE_WAIT_LOCAL_PIN == btm_cb.pairing_state &&
1247         BTM_PAIR_FLAGS_WE_STARTED_DD & btm_cb.pairing_flags)
1248     {
1249         /* pre-fetching pin for dedicated bonding */
1250         btm_sec_bond_cancel_complete();
1251         return BTM_SUCCESS;
1252     }
1253 
1254     /* If this BDA is in a bonding procedure */
1255     if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
1256          &&  (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD))
1257     {
1258         /* If the HCI link is up */
1259         if (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)
1260         {
1261             /* If some other thread disconnecting, we do not send second command */
1262             if ((p_dev_rec->sec_state == BTM_SEC_STATE_DISCONNECTING) ||
1263                 (p_dev_rec->sec_state == BTM_SEC_STATE_DISCONNECTING_BOTH))
1264                 return(BTM_CMD_STARTED);
1265 
1266             /* If the HCI link was set up by Bonding process */
1267             if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)
1268                 return btm_sec_send_hci_disconnect(p_dev_rec, HCI_ERR_PEER_USER, p_dev_rec->hci_handle);
1269             else
1270                 l2cu_update_lcb_4_bonding(bd_addr, FALSE);
1271 
1272             return BTM_NOT_AUTHORIZED;
1273         }
1274         else /*HCI link is not up */
1275         {
1276             /* If the HCI link creation was started by Bonding process */
1277             if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)
1278             {
1279                 if (btsnd_hcic_create_conn_cancel(bd_addr))
1280                     return BTM_CMD_STARTED;
1281 
1282                 return BTM_NO_RESOURCES;
1283             }
1284             if (btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME)
1285             {
1286                 BTM_CancelRemoteDeviceName();
1287                 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_WE_CANCEL_DD;
1288                 return BTM_CMD_STARTED;
1289             }
1290             return BTM_NOT_AUTHORIZED;
1291         }
1292     }
1293 
1294     return BTM_WRONG_MODE;
1295 }
1296 
1297 /*******************************************************************************
1298 **
1299 ** Function         BTM_SecGetDeviceLinkKey
1300 **
1301 ** Description      This function is called to obtain link key for the device
1302 **                  it returns BTM_SUCCESS if link key is available, or
1303 **                  BTM_UNKNOWN_ADDR if Security Manager does not know about
1304 **                  the device or device record does not contain link key info
1305 **
1306 ** Parameters:      bd_addr      - Address of the device
1307 **                  link_key     - Link Key is copied into this array
1308 **
1309 *******************************************************************************/
BTM_SecGetDeviceLinkKey(BD_ADDR bd_addr,LINK_KEY link_key)1310 tBTM_STATUS BTM_SecGetDeviceLinkKey (BD_ADDR bd_addr, LINK_KEY link_key)
1311 {
1312     tBTM_SEC_DEV_REC *p_dev_rec;
1313 
1314     if (((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
1315         && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN))
1316     {
1317         memcpy (link_key, p_dev_rec->link_key, LINK_KEY_LEN);
1318         return(BTM_SUCCESS);
1319     }
1320     return(BTM_UNKNOWN_ADDR);
1321 }
1322 
1323 /*******************************************************************************
1324 **
1325 ** Function         BTM_SecGetDeviceLinkKeyType
1326 **
1327 ** Description      This function is called to obtain link key type for the
1328 **                  device.
1329 **                  it returns BTM_SUCCESS if link key is available, or
1330 **                  BTM_UNKNOWN_ADDR if Security Manager does not know about
1331 **                  the device or device record does not contain link key info
1332 **
1333 ** Returns          BTM_LKEY_TYPE_IGNORE if link key is unknown, link type
1334 **                  otherwise.
1335 **
1336 *******************************************************************************/
BTM_SecGetDeviceLinkKeyType(BD_ADDR bd_addr)1337 tBTM_LINK_KEY_TYPE BTM_SecGetDeviceLinkKeyType (BD_ADDR bd_addr)
1338 {
1339     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr);
1340 
1341     if ((p_dev_rec != NULL) && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN))
1342     {
1343         return p_dev_rec->link_key_type;
1344     }
1345     return BTM_LKEY_TYPE_IGNORE;
1346 }
1347 
1348 /*******************************************************************************
1349 **
1350 ** Function         BTM_SetEncryption
1351 **
1352 ** Description      This function is called to ensure that connection is
1353 **                  encrypted.  Should be called only on an open connection.
1354 **                  Typically only needed for connections that first want to
1355 **                  bring up unencrypted links, then later encrypt them.
1356 **
1357 ** Parameters:      bd_addr       - Address of the peer device
1358 **                  p_callback    - Pointer to callback function called if
1359 **                                  this function returns PENDING after required
1360 **                                  procedures are completed.  Can be set to NULL
1361 **                                  if status is not desired.
1362 **                  p_ref_data    - pointer to any data the caller wishes to receive
1363 **                                  in the callback function upon completion.
1364 *                                   can be set to NULL if not used.
1365 **                  transport  -    TRUE to encryption the link over LE transport
1366 **                                  or FALSE for BR/EDR transport
1367 **
1368 ** Returns          BTM_SUCCESS   - already encrypted
1369 **                  BTM_PENDING   - command will be returned in the callback
1370 **                  BTM_WRONG_MODE- connection not up.
1371 **                  BTM_BUSY      - security procedures are currently active
1372 **                  BTM_MODE_UNSUPPORTED - if security manager not linked in.
1373 **
1374 *******************************************************************************/
BTM_SetEncryption(BD_ADDR bd_addr,tBT_TRANSPORT transport,tBTM_SEC_CBACK * p_callback,void * p_ref_data)1375 tBTM_STATUS BTM_SetEncryption (BD_ADDR bd_addr, tBT_TRANSPORT transport, tBTM_SEC_CBACK *p_callback,
1376                                void *p_ref_data)
1377 {
1378     tBTM_STATUS rc = 0;
1379 
1380     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev (bd_addr);
1381     if (!p_dev_rec ||
1382         (transport == BT_TRANSPORT_BR_EDR && p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE)
1383 #if BLE_INCLUDED == TRUE
1384         || (transport == BT_TRANSPORT_LE && p_dev_rec->ble_hci_handle == BTM_SEC_INVALID_HANDLE)
1385 #endif
1386         )
1387     {
1388         /* Connection should be up and runnning */
1389         BTM_TRACE_WARNING ("Security Manager: BTM_SetEncryption not connected");
1390 
1391         if (p_callback)
1392             (*p_callback) (bd_addr, transport, p_ref_data, BTM_WRONG_MODE);
1393 
1394         return(BTM_WRONG_MODE);
1395     }
1396 
1397     if ((transport == BT_TRANSPORT_BR_EDR &&
1398          (p_dev_rec->sec_flags &  BTM_SEC_ENCRYPTED))
1399 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
1400          || (transport == BT_TRANSPORT_LE &&
1401            (p_dev_rec->sec_flags & BTM_SEC_LE_ENCRYPTED))
1402 #endif
1403           )
1404     {
1405         BTM_TRACE_EVENT ("Security Manager: BTM_SetEncryption already encrypted");
1406 
1407         if (p_callback)
1408             (*p_callback) (bd_addr, transport, p_ref_data, BTM_SUCCESS);
1409 
1410         return(BTM_SUCCESS);
1411     }
1412 
1413     /* enqueue security request if security is active */
1414     if (p_dev_rec->p_callback || (p_dev_rec->sec_state != BTM_SEC_STATE_IDLE))
1415     {
1416         BTM_TRACE_WARNING ("Security Manager: BTM_SetEncryption busy, enqueue request");
1417 
1418         if (btm_sec_queue_encrypt_request(bd_addr, transport, p_callback, p_ref_data))
1419         {
1420             return BTM_CMD_STARTED;
1421         }
1422         else
1423         {
1424             if (p_callback)
1425                 (*p_callback) (bd_addr, transport, p_ref_data, BTM_NO_RESOURCES);
1426             return BTM_NO_RESOURCES;
1427         }
1428     }
1429 
1430     p_dev_rec->p_callback        = p_callback;
1431     p_dev_rec->p_ref_data        = p_ref_data;
1432     p_dev_rec->security_required |= (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT);
1433     p_dev_rec->is_originator     = FALSE;
1434 
1435     BTM_TRACE_API ("Security Manager: BTM_SetEncryption Handle:%d State:%d Flags:0x%x Required:0x%x",
1436                     p_dev_rec->hci_handle, p_dev_rec->sec_state, p_dev_rec->sec_flags,
1437                     p_dev_rec->security_required);
1438 
1439 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
1440     if (transport == BT_TRANSPORT_LE)
1441     {
1442         tACL_CONN *p = btm_bda_to_acl(bd_addr, transport);
1443         if (p)
1444         {
1445            rc = btm_ble_set_encryption(bd_addr, p_ref_data, p->link_role);
1446         }
1447         else
1448         {
1449             rc = BTM_WRONG_MODE;
1450             BTM_TRACE_WARNING("%s: cannot call btm_ble_set_encryption, p is NULL", __FUNCTION__);
1451         }
1452     }
1453     else
1454 #endif
1455         rc = btm_sec_execute_procedure (p_dev_rec);
1456 
1457     if (rc != BTM_CMD_STARTED && rc != BTM_BUSY)
1458     {
1459         if (p_callback)
1460         {
1461             p_dev_rec->p_callback = NULL;
1462             (*p_callback) (bd_addr, transport, p_dev_rec->p_ref_data, rc);
1463         }
1464     }
1465 
1466     return(rc);
1467 }
1468 
1469 /*******************************************************************************
1470  * disconnect the ACL link, if it's not done yet.
1471 *******************************************************************************/
btm_sec_send_hci_disconnect(tBTM_SEC_DEV_REC * p_dev_rec,UINT8 reason,UINT16 conn_handle)1472 static tBTM_STATUS btm_sec_send_hci_disconnect (tBTM_SEC_DEV_REC *p_dev_rec, UINT8 reason, UINT16 conn_handle)
1473 {
1474     UINT8       old_state = p_dev_rec->sec_state;
1475     tBTM_STATUS status = BTM_CMD_STARTED;
1476 
1477     BTM_TRACE_EVENT ("btm_sec_send_hci_disconnect:  handle:0x%x, reason=0x%x",
1478                       conn_handle, reason);
1479 
1480     /* send HCI_Disconnect on a transport only once */
1481     switch (old_state)
1482     {
1483         case BTM_SEC_STATE_DISCONNECTING:
1484             if (conn_handle == p_dev_rec->hci_handle)
1485                 return status;
1486 
1487             p_dev_rec->sec_state = BTM_SEC_STATE_DISCONNECTING_BOTH;
1488             break;
1489 
1490 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
1491         case BTM_SEC_STATE_DISCONNECTING_BLE:
1492             if (conn_handle == p_dev_rec->ble_hci_handle)
1493                 return status;
1494 
1495             p_dev_rec->sec_state = BTM_SEC_STATE_DISCONNECTING_BOTH;
1496             break;
1497 
1498         case BTM_SEC_STATE_DISCONNECTING_BOTH:
1499             return status;
1500 #endif
1501 
1502         default:
1503             p_dev_rec->sec_state = (conn_handle == p_dev_rec->hci_handle) ?
1504                     BTM_SEC_STATE_DISCONNECTING : BTM_SEC_STATE_DISCONNECTING_BLE;
1505 
1506             break;
1507     }
1508 
1509     /* If a role switch is in progress, delay the HCI Disconnect to avoid controller problem */
1510     if (p_dev_rec->rs_disc_pending == BTM_SEC_RS_PENDING && p_dev_rec->hci_handle == conn_handle)
1511     {
1512         BTM_TRACE_DEBUG("RS in progress - Set DISC Pending flag in btm_sec_send_hci_disconnect to delay disconnect");
1513               p_dev_rec->rs_disc_pending = BTM_SEC_DISC_PENDING;
1514         status = BTM_SUCCESS;
1515     }
1516     /* Tear down the HCI link */
1517     else if (!btsnd_hcic_disconnect (conn_handle, reason))
1518     {
1519          /* could not send disconnect. restore old state */
1520          p_dev_rec->sec_state = old_state;
1521          status = BTM_NO_RESOURCES;
1522     }
1523 
1524     return status;
1525 }
1526 
1527 /*******************************************************************************
1528 **
1529 ** Function         BTM_ConfirmReqReply
1530 **
1531 ** Description      This function is called to confirm the numeric value for
1532 **                  Simple Pairing in response to BTM_SP_CFM_REQ_EVT
1533 **
1534 ** Parameters:      res           - result of the operation BTM_SUCCESS if success
1535 **                  bd_addr       - Address of the peer device
1536 **
1537 *******************************************************************************/
BTM_ConfirmReqReply(tBTM_STATUS res,BD_ADDR bd_addr)1538 void BTM_ConfirmReqReply(tBTM_STATUS res, BD_ADDR bd_addr)
1539 {
1540     tBTM_SEC_DEV_REC *p_dev_rec;
1541 
1542     BTM_TRACE_EVENT ("BTM_ConfirmReqReply() State: %s  Res: %u",
1543                       btm_pair_state_descr(btm_cb.pairing_state), res);
1544 
1545     /* If timeout already expired or has been canceled, ignore the reply */
1546     if ( (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM)
1547          ||  (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) )
1548         return;
1549 
1550     btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1551 
1552     if ( (res == BTM_SUCCESS) || (res == BTM_SUCCESS_NO_SECURITY) )
1553     {
1554         btm_cb.acl_disc_reason = HCI_SUCCESS;
1555 
1556         if (res == BTM_SUCCESS)
1557         {
1558             if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
1559                 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED;
1560                 p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED;
1561         }
1562 
1563         btsnd_hcic_user_conf_reply (bd_addr, TRUE);
1564     }
1565     else
1566     {
1567         /* Report authentication failed event from state BTM_PAIR_STATE_WAIT_AUTH_COMPLETE */
1568         btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1569         btsnd_hcic_user_conf_reply (bd_addr, FALSE);
1570     }
1571 }
1572 
1573 /*******************************************************************************
1574 **
1575 ** Function         BTM_PasskeyReqReply
1576 **
1577 ** Description      This function is called to provide the passkey for
1578 **                  Simple Pairing in response to BTM_SP_KEY_REQ_EVT
1579 **
1580 ** Parameters:      res     - result of the operation BTM_SUCCESS if success
1581 **                  bd_addr - Address of the peer device
1582 **                  passkey - numeric value in the range of
1583 **                  BTM_MIN_PASSKEY_VAL(0) - BTM_MAX_PASSKEY_VAL(999999(0xF423F)).
1584 **
1585 *******************************************************************************/
1586 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
BTM_PasskeyReqReply(tBTM_STATUS res,BD_ADDR bd_addr,UINT32 passkey)1587 void BTM_PasskeyReqReply(tBTM_STATUS res, BD_ADDR bd_addr, UINT32 passkey)
1588 {
1589     BTM_TRACE_API ("BTM_PasskeyReqReply: State: %s  res:%d",
1590                     btm_pair_state_descr(btm_cb.pairing_state), res);
1591 
1592     if ( (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
1593          ||  (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) )
1594     {
1595         return;
1596     }
1597 
1598     /* If timeout already expired or has been canceled, ignore the reply */
1599     if ( (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_AUTH_COMPLETE) && (res != BTM_SUCCESS) )
1600     {
1601         tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr);
1602         if (p_dev_rec != NULL)
1603         {
1604             btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1605 
1606             if (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)
1607                 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE, p_dev_rec->hci_handle);
1608             else
1609                 BTM_SecBondCancel(bd_addr);
1610 
1611             p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_AUTHED | BTM_SEC_LINK_KEY_KNOWN);
1612 
1613             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
1614             return;
1615         }
1616     }
1617     else if (btm_cb.pairing_state != BTM_PAIR_STATE_KEY_ENTRY)
1618         return;
1619 
1620     if (passkey > BTM_MAX_PASSKEY_VAL)
1621         res = BTM_ILLEGAL_VALUE;
1622 
1623     btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1624 
1625     if (res != BTM_SUCCESS)
1626     {
1627         /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed event */
1628         btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1629         btsnd_hcic_user_passkey_neg_reply (bd_addr);
1630     } else {
1631         btm_cb.acl_disc_reason = HCI_SUCCESS;
1632         btsnd_hcic_user_passkey_reply (bd_addr, passkey);
1633     }
1634 }
1635 #endif
1636 
1637 /*******************************************************************************
1638 **
1639 ** Function         BTM_SendKeypressNotif
1640 **
1641 ** Description      This function is used during the passkey entry model
1642 **                  by a device with KeyboardOnly IO capabilities
1643 **                  (very likely to be a HID Device).
1644 **                  It is called by a HID Device to inform the remote device when
1645 **                  a key has been entered or erased.
1646 **
1647 ** Parameters:      bd_addr - Address of the peer device
1648 **                  type - notification type
1649 **
1650 *******************************************************************************/
1651 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
BTM_SendKeypressNotif(BD_ADDR bd_addr,tBTM_SP_KEY_TYPE type)1652 void BTM_SendKeypressNotif(BD_ADDR bd_addr, tBTM_SP_KEY_TYPE type)
1653 {
1654     /* This API only make sense between PASSKEY_REQ and SP complete */
1655     if (btm_cb.pairing_state == BTM_PAIR_STATE_KEY_ENTRY)
1656         btsnd_hcic_send_keypress_notif (bd_addr, type);
1657 }
1658 #endif
1659 
1660 #if BTM_OOB_INCLUDED == TRUE
1661 /*******************************************************************************
1662 **
1663 ** Function         BTM_IoCapRsp
1664 **
1665 ** Description      This function is called in response to BTM_SP_IO_REQ_EVT
1666 **                  When the event data io_req.oob_data is set to BTM_OOB_UNKNOWN
1667 **                  by the tBTM_SP_CALLBACK implementation, this function is
1668 **                  called to provide the actual response
1669 **
1670 ** Parameters:      bd_addr - Address of the peer device
1671 **                  io_cap  - The IO capability of local device.
1672 **                  oob     - BTM_OOB_NONE or BTM_OOB_PRESENT.
1673 **                  auth_req- MITM protection required or not.
1674 **
1675 *******************************************************************************/
BTM_IoCapRsp(BD_ADDR bd_addr,tBTM_IO_CAP io_cap,tBTM_OOB_DATA oob,tBTM_AUTH_REQ auth_req)1676 void BTM_IoCapRsp(BD_ADDR bd_addr, tBTM_IO_CAP io_cap, tBTM_OOB_DATA oob, tBTM_AUTH_REQ auth_req)
1677 {
1678     BTM_TRACE_EVENT ("BTM_IoCapRsp: state: %s  oob: %d io_cap: %d",
1679                       btm_pair_state_descr(btm_cb.pairing_state), oob, io_cap);
1680 
1681     if ( (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS)
1682          ||  (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) )
1683         return;
1684 
1685     if (oob < BTM_OOB_UNKNOWN && io_cap < BTM_IO_CAP_MAX)
1686     {
1687         btm_cb.devcb.loc_auth_req   = auth_req;
1688         btm_cb.devcb.loc_io_caps    = io_cap;
1689 
1690         if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
1691             auth_req = (BTM_AUTH_DD_BOND | (auth_req&BTM_AUTH_YN_BIT));
1692 
1693         btsnd_hcic_io_cap_req_reply (bd_addr, io_cap, oob, auth_req);
1694     }
1695 }
1696 
1697 /*******************************************************************************
1698 **
1699 ** Function         BTM_ReadLocalOobData
1700 **
1701 ** Description      This function is called to read the local OOB data from
1702 **                  LM
1703 **
1704 *******************************************************************************/
BTM_ReadLocalOobData(void)1705 tBTM_STATUS BTM_ReadLocalOobData(void)
1706 {
1707     tBTM_STATUS status = BTM_SUCCESS;
1708 
1709     if (btsnd_hcic_read_local_oob_data() == FALSE)
1710         status = BTM_NO_RESOURCES;
1711 
1712     return status;
1713 }
1714 
1715 /*******************************************************************************
1716 **
1717 ** Function         BTM_RemoteOobDataReply
1718 **
1719 ** Description      This function is called to provide the remote OOB data for
1720 **                  Simple Pairing in response to BTM_SP_RMT_OOB_EVT
1721 **
1722 ** Parameters:      bd_addr     - Address of the peer device
1723 **                  c           - simple pairing Hash C.
1724 **                  r           - simple pairing Randomizer  C.
1725 **
1726 *******************************************************************************/
BTM_RemoteOobDataReply(tBTM_STATUS res,BD_ADDR bd_addr,BT_OCTET16 c,BT_OCTET16 r)1727 void BTM_RemoteOobDataReply(tBTM_STATUS res, BD_ADDR bd_addr, BT_OCTET16 c, BT_OCTET16 r)
1728 {
1729     BTM_TRACE_EVENT ("%s() - State: %s res: %d", __func__,
1730                       btm_pair_state_descr(btm_cb.pairing_state), res);
1731 
1732     /* If timeout already expired or has been canceled, ignore the reply */
1733     if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP)
1734         return;
1735 
1736     btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1737 
1738     if (res != BTM_SUCCESS)
1739     {
1740         /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed event */
1741         btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1742         btsnd_hcic_rem_oob_neg_reply (bd_addr);
1743     } else {
1744         btm_cb.acl_disc_reason = HCI_SUCCESS;
1745         btsnd_hcic_rem_oob_reply (bd_addr, c, r);
1746     }
1747 }
1748 
1749 /*******************************************************************************
1750 **
1751 ** Function         BTM_BuildOobData
1752 **
1753 ** Description      This function is called to build the OOB data payload to
1754 **                  be sent over OOB (non-Bluetooth) link
1755 **
1756 ** Parameters:      p_data  - the location for OOB data
1757 **                  max_len - p_data size.
1758 **                  c       - simple pairing Hash C.
1759 **                  r       - simple pairing Randomizer  C.
1760 **                  name_len- 0, local device name would not be included.
1761 **                            otherwise, the local device name is included for
1762 **                            up to this specified length
1763 **
1764 ** Returns          Number of bytes in p_data.
1765 **
1766 *******************************************************************************/
BTM_BuildOobData(UINT8 * p_data,UINT16 max_len,BT_OCTET16 c,BT_OCTET16 r,UINT8 name_len)1767 UINT16 BTM_BuildOobData(UINT8 *p_data, UINT16 max_len, BT_OCTET16 c,
1768                         BT_OCTET16 r, UINT8 name_len)
1769 {
1770     UINT8   *p = p_data;
1771     UINT16  len = 0;
1772 #if BTM_MAX_LOC_BD_NAME_LEN > 0
1773     UINT16  name_size;
1774     UINT8   name_type = BTM_EIR_SHORTENED_LOCAL_NAME_TYPE;
1775 #endif
1776 
1777     if (p_data && max_len >= BTM_OOB_MANDATORY_SIZE)
1778     {
1779         /* add mandatory part */
1780         UINT16_TO_STREAM(p, len);
1781         BDADDR_TO_STREAM(p, controller_get_interface()->get_address()->address);
1782 
1783         len = BTM_OOB_MANDATORY_SIZE;
1784         max_len -= len;
1785 
1786         /* now optional part */
1787 
1788         /* add Hash C */
1789         UINT16 delta = BTM_OOB_HASH_C_SIZE + 2;
1790         if (max_len >= delta)
1791         {
1792             *p++ = BTM_OOB_HASH_C_SIZE + 1;
1793             *p++ = BTM_EIR_OOB_SSP_HASH_C_TYPE;
1794             ARRAY_TO_STREAM(p, c, BTM_OOB_HASH_C_SIZE);
1795             len     += delta;
1796             max_len -= delta;
1797         }
1798 
1799         /* add Rand R */
1800         delta = BTM_OOB_RAND_R_SIZE + 2;
1801         if (max_len >= delta)
1802         {
1803             *p++ = BTM_OOB_RAND_R_SIZE + 1;
1804             *p++ = BTM_EIR_OOB_SSP_RAND_R_TYPE;
1805             ARRAY_TO_STREAM(p, r, BTM_OOB_RAND_R_SIZE);
1806             len     += delta;
1807             max_len -= delta;
1808         }
1809 
1810         /* add class of device */
1811         delta = BTM_OOB_COD_SIZE + 2;
1812         if (max_len >= delta)
1813         {
1814             *p++ = BTM_OOB_COD_SIZE + 1;
1815             *p++ = BTM_EIR_OOB_COD_TYPE;
1816             DEVCLASS_TO_STREAM(p, btm_cb.devcb.dev_class);
1817             len     += delta;
1818             max_len -= delta;
1819         }
1820 #if BTM_MAX_LOC_BD_NAME_LEN > 0
1821         name_size = name_len;
1822         if (name_size > strlen(btm_cb.cfg.bd_name))
1823         {
1824             name_type = BTM_EIR_COMPLETE_LOCAL_NAME_TYPE;
1825             name_size = (UINT16)strlen(btm_cb.cfg.bd_name);
1826         }
1827         delta = name_size + 2;
1828         if (max_len >= delta)
1829         {
1830             *p++ = name_size + 1;
1831             *p++ = name_type;
1832             ARRAY_TO_STREAM (p, btm_cb.cfg.bd_name, name_size);
1833             len     += delta;
1834             max_len -= delta;
1835         }
1836 #endif
1837         /* update len */
1838         p = p_data;
1839         UINT16_TO_STREAM(p, len);
1840     }
1841     return len;
1842 }
1843 
1844 /*******************************************************************************
1845 **
1846 ** Function         BTM_BothEndsSupportSecureConnections
1847 **
1848 ** Description      This function is called to check if both the local device and the peer device
1849 **                  specified by bd_addr support BR/EDR Secure Connections.
1850 **
1851 ** Parameters:      bd_addr - address of the peer
1852 **
1853 ** Returns          TRUE if BR/EDR Secure Connections are supported by both local
1854 **                  and the remote device.
1855 **                  else FALSE.
1856 **
1857 *******************************************************************************/
BTM_BothEndsSupportSecureConnections(BD_ADDR bd_addr)1858 BOOLEAN BTM_BothEndsSupportSecureConnections(BD_ADDR bd_addr)
1859 {
1860     return ((controller_get_interface()->supports_secure_connections()) &&
1861             (BTM_PeerSupportsSecureConnections(bd_addr)));
1862 }
1863 
1864 /*******************************************************************************
1865 **
1866 ** Function         BTM_PeerSupportsSecureConnections
1867 **
1868 ** Description      This function is called to check if the peer supports
1869 **                  BR/EDR Secure Connections.
1870 **
1871 ** Parameters:      bd_addr - address of the peer
1872 **
1873 ** Returns          TRUE if BR/EDR Secure Connections are supported by the peer,
1874 **                  else FALSE.
1875 **
1876 *******************************************************************************/
BTM_PeerSupportsSecureConnections(BD_ADDR bd_addr)1877 BOOLEAN BTM_PeerSupportsSecureConnections(BD_ADDR bd_addr)
1878 {
1879     tBTM_SEC_DEV_REC    *p_dev_rec;
1880 
1881     if ((p_dev_rec = btm_find_dev(bd_addr)) == NULL)
1882     {
1883         BTM_TRACE_WARNING("%s: unknown BDA: %08x%04x", __FUNCTION__,
1884             (bd_addr[0]<<24) + (bd_addr[1]<<16) + (bd_addr[2]<<8) + bd_addr[3],
1885             (bd_addr[4]<< 8) + bd_addr[5]);
1886         return FALSE;
1887     }
1888 
1889     return (p_dev_rec->remote_supports_secure_connections);
1890 }
1891 
1892 /*******************************************************************************
1893 **
1894 ** Function         BTM_ReadOobData
1895 **
1896 ** Description      This function is called to parse the OOB data payload
1897 **                  received over OOB (non-Bluetooth) link
1898 **
1899 ** Parameters:      p_data  - the location for OOB data
1900 **                  eir_tag - The associated EIR tag to read the data.
1901 **                  *p_len(output) - the length of the data with the given tag.
1902 **
1903 ** Returns          the beginning of the data with the given tag.
1904 **                  NULL, if the tag is not found.
1905 **
1906 *******************************************************************************/
BTM_ReadOobData(UINT8 * p_data,UINT8 eir_tag,UINT8 * p_len)1907 UINT8 * BTM_ReadOobData(UINT8 *p_data, UINT8 eir_tag, UINT8 *p_len)
1908 {
1909     UINT8   *p = p_data;
1910     UINT16  max_len;
1911     UINT8   len, type;
1912     UINT8   *p_ret = NULL;
1913     UINT8   ret_len = 0;
1914 
1915     if (p_data)
1916     {
1917         STREAM_TO_UINT16(max_len, p);
1918         if (max_len >= BTM_OOB_MANDATORY_SIZE)
1919         {
1920             if (BTM_EIR_OOB_BD_ADDR_TYPE == eir_tag)
1921             {
1922                 p_ret = p; /* the location for bd_addr */
1923                 ret_len = BTM_OOB_BD_ADDR_SIZE;
1924             }
1925             else
1926             {
1927                 p += BD_ADDR_LEN;
1928                 max_len -= BTM_OOB_MANDATORY_SIZE;
1929                 /* now the optional data in EIR format */
1930                 while (max_len > 0)
1931                 {
1932                     len     = *p++; /* tag data len + 1 */
1933                     type    = *p++;
1934                     if (eir_tag == type)
1935                     {
1936                         p_ret = p;
1937                         ret_len = len - 1;
1938                         break;
1939                     }
1940                     /* the data size of this tag is len + 1 (tag data len + 2) */
1941                     if (max_len > len)
1942                     {
1943                         max_len -= len;
1944                         max_len--;
1945                         len--;
1946                         p += len;
1947                     }
1948                     else
1949                         max_len = 0;
1950                 }
1951             }
1952         }
1953     }
1954 
1955     if (p_len)
1956         *p_len = ret_len;
1957 
1958     return p_ret;
1959 }
1960 #endif
1961 
1962 /*******************************************************************************
1963 **
1964 ** Function         BTM_SetOutService
1965 **
1966 ** Description      This function is called to set the service for
1967 **                  outgoing connections.
1968 **
1969 **                  If the profile/application calls BTM_SetSecurityLevel
1970 **                  before initiating a connection, this function does not
1971 **                  need to be called.
1972 **
1973 ** Returns          void
1974 **
1975 *******************************************************************************/
BTM_SetOutService(BD_ADDR bd_addr,UINT8 service_id,UINT32 mx_chan_id)1976 void BTM_SetOutService(BD_ADDR bd_addr, UINT8 service_id, UINT32 mx_chan_id)
1977 {
1978     tBTM_SEC_DEV_REC *p_dev_rec;
1979     tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0];
1980 
1981     btm_cb.p_out_serv = p_serv_rec;
1982     p_dev_rec = btm_find_dev (bd_addr);
1983 
1984     for (int i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++)
1985     {
1986         if ((p_serv_rec->security_flags & BTM_SEC_IN_USE)
1987             && (p_serv_rec->service_id == service_id)
1988             && (p_serv_rec->orig_mx_chan_id == mx_chan_id))
1989         {
1990             BTM_TRACE_API("BTM_SetOutService p_out_serv id %d, psm 0x%04x, proto_id %d, chan_id %d",
1991                            p_serv_rec->service_id, p_serv_rec->psm, p_serv_rec->mx_proto_id, p_serv_rec->orig_mx_chan_id);
1992             btm_cb.p_out_serv = p_serv_rec;
1993             if (p_dev_rec)
1994                 p_dev_rec->p_cur_service = p_serv_rec;
1995             break;
1996         }
1997     }
1998 }
1999 
2000 /************************************************************************
2001 **              I N T E R N A L     F U N C T I O N S
2002 *************************************************************************/
2003 /*******************************************************************************
2004 **
2005 ** Function         btm_sec_is_upgrade_possible
2006 **
2007 ** Description      This function returns TRUE if the existing link key
2008 **                  can be upgraded or if the link key does not exist.
2009 **
2010 ** Returns          BOOLEAN
2011 **
2012 *******************************************************************************/
btm_sec_is_upgrade_possible(tBTM_SEC_DEV_REC * p_dev_rec,BOOLEAN is_originator)2013 static BOOLEAN btm_sec_is_upgrade_possible(tBTM_SEC_DEV_REC  *p_dev_rec, BOOLEAN is_originator)
2014 {
2015     UINT16              mtm_check = is_originator ? BTM_SEC_OUT_MITM : BTM_SEC_IN_MITM;
2016     BOOLEAN             is_possible = TRUE;
2017 
2018     if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)
2019     {
2020         is_possible = FALSE;
2021         if(p_dev_rec->p_cur_service)
2022         {
2023             BTM_TRACE_DEBUG ("%s() id: %d, link_key_typet: %d, rmt_io_caps: %d, chk flags: 0x%x, flags: 0x%x",
2024                           __func__, p_dev_rec->p_cur_service->service_id, p_dev_rec->link_key_type,
2025                           p_dev_rec->rmt_io_caps, mtm_check, p_dev_rec->p_cur_service->security_flags);
2026         }
2027         else
2028         {
2029             BTM_TRACE_DEBUG ("%s() link_key_typet: %d, rmt_io_caps: %d, chk flags: 0x%x",
2030                           __func__, p_dev_rec->link_key_type, p_dev_rec->rmt_io_caps, mtm_check);
2031         }
2032         /* Already have a link key to the connected peer. Is the link key secure enough?
2033         ** Is a link key upgrade even possible?
2034         */
2035         if ((p_dev_rec->security_required & mtm_check)    /* needs MITM */
2036             && ((p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB) ||
2037                 (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256))
2038                                                           /* has unauthenticated
2039                                                           link key */
2040             && (p_dev_rec->rmt_io_caps < BTM_IO_CAP_MAX)  /* a valid peer IO cap */
2041             && (btm_sec_io_map[p_dev_rec->rmt_io_caps][btm_cb.devcb.loc_io_caps]))
2042                                                           /* authenticated
2043                                                           link key is possible */
2044         {
2045             /* upgrade is possible: check if the application wants the upgrade.
2046              * If the application is configured to use a global MITM flag,
2047              * it probably would not want to upgrade the link key based on the security level database */
2048             is_possible = TRUE;
2049         }
2050     }
2051     BTM_TRACE_DEBUG ("%s() is_possible: %d sec_flags: 0x%x", __func__, is_possible, p_dev_rec->sec_flags);
2052     return is_possible;
2053 }
2054 
2055 /*******************************************************************************
2056 **
2057 ** Function         btm_sec_check_upgrade
2058 **
2059 ** Description      This function is called to check if the existing link key
2060 **                  needs to be upgraded.
2061 **
2062 ** Returns          void
2063 **
2064 *******************************************************************************/
btm_sec_check_upgrade(tBTM_SEC_DEV_REC * p_dev_rec,BOOLEAN is_originator)2065 static void btm_sec_check_upgrade(tBTM_SEC_DEV_REC  *p_dev_rec, BOOLEAN is_originator)
2066 {
2067 
2068     BTM_TRACE_DEBUG ("%s()", __func__);
2069 
2070     /* Only check if link key already exists */
2071     if (!(p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN))
2072         return;
2073 
2074     if (btm_sec_is_upgrade_possible (p_dev_rec, is_originator) == TRUE)
2075     {
2076         BTM_TRACE_DEBUG ("need upgrade!! sec_flags:0x%x", p_dev_rec->sec_flags);
2077         /* upgrade is possible: check if the application wants the upgrade.
2078          * If the application is configured to use a global MITM flag,
2079          * it probably would not want to upgrade the link key based on the security level database */
2080         tBTM_SP_UPGRADE evt_data;
2081         memcpy (evt_data.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
2082         evt_data.upgrade = TRUE;
2083         if (btm_cb.api.p_sp_callback)
2084             (*btm_cb.api.p_sp_callback) (BTM_SP_UPGRADE_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
2085 
2086         BTM_TRACE_DEBUG ("evt_data.upgrade:0x%x", evt_data.upgrade);
2087         if (evt_data.upgrade)
2088         {
2089             /* if the application confirms the upgrade, set the upgrade bit */
2090             p_dev_rec->sm4 |= BTM_SM4_UPGRADE;
2091 
2092             /* Clear the link key known to go through authentication/pairing again */
2093             p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED);
2094             p_dev_rec->sec_flags &= ~BTM_SEC_AUTHENTICATED;
2095             BTM_TRACE_DEBUG ("sec_flags:0x%x", p_dev_rec->sec_flags);
2096         }
2097     }
2098 }
2099 
2100 /*******************************************************************************
2101 **
2102 ** Function         btm_sec_l2cap_access_req
2103 **
2104 ** Description      This function is called by the L2CAP to grant permission to
2105 **                  establish L2CAP connection to or from the peer device.
2106 **
2107 ** Parameters:      bd_addr       - Address of the peer device
2108 **                  psm           - L2CAP PSM
2109 **                  is_originator - TRUE if protocol above L2CAP originates
2110 **                                  connection
2111 **                  p_callback    - Pointer to callback function called if
2112 **                                  this function returns PENDING after required
2113 **                                  procedures are complete. MUST NOT BE NULL.
2114 **
2115 ** Returns          tBTM_STATUS
2116 **
2117 *******************************************************************************/
2118 #define BTM_SEC_OUT_FLAGS   (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT | BTM_SEC_OUT_AUTHORIZE)
2119 #define BTM_SEC_IN_FLAGS    (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHORIZE)
2120 
2121 #define BTM_SEC_OUT_LEVEL4_FLAGS   (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT | \
2122                                     BTM_SEC_OUT_MITM | BTM_SEC_MODE4_LEVEL4)
2123 
2124 #define BTM_SEC_IN_LEVEL4_FLAGS    (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT | \
2125                                     BTM_SEC_IN_MITM | BTM_SEC_MODE4_LEVEL4)
2126 
btm_sec_l2cap_access_req(BD_ADDR bd_addr,UINT16 psm,UINT16 handle,CONNECTION_TYPE conn_type,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data)2127 tBTM_STATUS btm_sec_l2cap_access_req (BD_ADDR bd_addr, UINT16 psm, UINT16 handle,
2128                                       CONNECTION_TYPE conn_type,
2129                                       tBTM_SEC_CALLBACK *p_callback,
2130                                       void *p_ref_data)
2131 {
2132     tBTM_SEC_DEV_REC  *p_dev_rec;
2133     tBTM_SEC_SERV_REC *p_serv_rec;
2134     UINT16         security_required;
2135     UINT16         old_security_required;
2136     BOOLEAN       old_is_originator;
2137     tBTM_STATUS   rc = BTM_SUCCESS;
2138     BOOLEAN       chk_acp_auth_done = FALSE;
2139     BOOLEAN is_originator;
2140     BOOLEAN     transport = FALSE; /* should check PSM range in LE connection oriented L2CAP connection */
2141 
2142 #if (L2CAP_UCD_INCLUDED == TRUE)
2143     if (conn_type & CONNECTION_TYPE_ORIG_MASK)
2144         is_originator = TRUE;
2145     else
2146         is_originator = FALSE;
2147 
2148     BTM_TRACE_DEBUG ("%s() conn_type: 0x%x, 0x%x", __func__, conn_type, p_ref_data);
2149 #else
2150     is_originator = conn_type;
2151 
2152     BTM_TRACE_DEBUG ("%s() is_originator:%d, 0x%x", __func__, is_originator, p_ref_data);
2153 #endif
2154 
2155     /* Find or get oldest record */
2156     p_dev_rec = btm_find_or_alloc_dev (bd_addr);
2157 
2158     p_dev_rec->hci_handle = handle;
2159 
2160     /* Find the service record for the PSM */
2161     p_serv_rec = btm_sec_find_first_serv (conn_type, psm);
2162 
2163     /* If there is no application registered with this PSM do not allow connection */
2164     if (!p_serv_rec)
2165     {
2166         BTM_TRACE_WARNING ("%s() PSM: %d no application registerd", __func__, psm);
2167         (*p_callback) (bd_addr, transport, p_ref_data, BTM_MODE_UNSUPPORTED);
2168         return(BTM_MODE_UNSUPPORTED);
2169     }
2170 
2171     /* Services level0 by default have no security */
2172     if ((btm_sec_is_serv_level0(psm)) && (!btm_cb.devcb.secure_connections_only))
2173     {
2174         (*p_callback) (bd_addr,transport, p_ref_data, BTM_SUCCESS_NO_SECURITY);
2175         return(BTM_SUCCESS);
2176     }
2177 #if (L2CAP_UCD_INCLUDED == TRUE)
2178     if ( conn_type & CONNECTION_TYPE_CONNLESS_MASK )
2179     {
2180         if (btm_cb.security_mode == BTM_SEC_MODE_SC)
2181         {
2182             security_required = btm_sec_set_serv_level4_flags (p_serv_rec->ucd_security_flags,
2183                                                                is_originator);
2184         }
2185         else
2186         {
2187             security_required = p_serv_rec->ucd_security_flags;
2188         }
2189 
2190         rc = BTM_CMD_STARTED;
2191         if (is_originator)
2192         {
2193             if (((security_required & BTM_SEC_OUT_FLAGS) == 0) ||
2194                 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_AUTHENTICATE) && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))) ||
2195                 ((((security_required & BTM_SEC_OUT_FLAGS) == (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) && (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))) ||
2196                 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_FLAGS) && (p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED))) )
2197             {
2198                 rc = BTM_SUCCESS;
2199             }
2200         }
2201         else
2202         {
2203             if (((security_required & BTM_SEC_IN_FLAGS) == 0) ||
2204                 ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHENTICATE) && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))) ||
2205                 ((((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) && (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))) ||
2206                 ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_FLAGS) && (p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED))) )
2207             {
2208                 // Check for 16 digits (or MITM)
2209                 if (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == 0) ||
2210                     (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == BTM_SEC_IN_MIN_16_DIGIT_PIN) &&
2211                      btm_dev_16_digit_authenticated(p_dev_rec))) {
2212                     rc = BTM_SUCCESS;
2213                 }
2214             }
2215         }
2216 
2217         if ((rc == BTM_SUCCESS) && (security_required & BTM_SEC_MODE4_LEVEL4) &&
2218             (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256))
2219         {
2220             rc = BTM_CMD_STARTED;
2221         }
2222 
2223         if (rc == BTM_SUCCESS)
2224         {
2225             if (p_callback)
2226                 (*p_callback) (bd_addr, transport, (void *)p_ref_data, BTM_SUCCESS);
2227 
2228             return(BTM_SUCCESS);
2229         }
2230     }
2231     else
2232 #endif
2233     {
2234         if (btm_cb.security_mode == BTM_SEC_MODE_SC)
2235         {
2236             security_required = btm_sec_set_serv_level4_flags (p_serv_rec->security_flags,
2237                                                                 is_originator);
2238         }
2239         else
2240         {
2241             security_required = p_serv_rec->security_flags;
2242         }
2243     }
2244 
2245     BTM_TRACE_DEBUG("%s: security_required 0x%04x, is_originator 0x%02x, psm  0x%04x",
2246                     __FUNCTION__, security_required, is_originator, psm);
2247 
2248     if ((!is_originator) && (security_required & BTM_SEC_MODE4_LEVEL4))
2249     {
2250         BOOLEAN local_supports_sc = controller_get_interface()->supports_secure_connections();
2251         /* acceptor receives L2CAP Channel Connect Request for Secure Connections Only service */
2252         if (!(local_supports_sc) || !(p_dev_rec->remote_supports_secure_connections))
2253         {
2254             BTM_TRACE_DEBUG("%s: SC only service, local_support_for_sc %d",
2255                             "rmt_support_for_sc : %d -> fail pairing", __FUNCTION__,
2256                             local_supports_sc,
2257                             p_dev_rec->remote_supports_secure_connections);
2258             if (p_callback)
2259                 (*p_callback) (bd_addr, transport, (void *)p_ref_data,
2260                                                     BTM_MODE4_LEVEL4_NOT_SUPPORTED);
2261 
2262             return (BTM_MODE4_LEVEL4_NOT_SUPPORTED);
2263         }
2264     }
2265 
2266     /* there are some devices (moto KRZR) which connects to several services at the same time */
2267     /* we will process one after another */
2268     if ( (p_dev_rec->p_callback) || (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) )
2269     {
2270         BTM_TRACE_EVENT ("%s() - busy - PSM:%d delayed  state: %s mode:%d, sm4:0x%x", __func__,
2271                           psm, btm_pair_state_descr(btm_cb.pairing_state), btm_cb.security_mode, p_dev_rec->sm4);
2272         BTM_TRACE_EVENT ("security_flags:x%x, sec_flags:x%x", security_required, p_dev_rec->sec_flags);
2273         rc = BTM_CMD_STARTED;
2274         if ((btm_cb.security_mode == BTM_SEC_MODE_UNDEFINED ||
2275              btm_cb.security_mode == BTM_SEC_MODE_NONE ||
2276              btm_cb.security_mode == BTM_SEC_MODE_SERVICE ||
2277              btm_cb.security_mode == BTM_SEC_MODE_LINK) ||
2278             (BTM_SM4_KNOWN == p_dev_rec->sm4) || (BTM_SEC_IS_SM4(p_dev_rec->sm4) &&
2279             (btm_sec_is_upgrade_possible(p_dev_rec, is_originator) == FALSE)))
2280         {
2281             /* legacy mode - local is legacy or local is lisbon/peer is legacy
2282              * or SM4 with no possibility of link key upgrade */
2283             if (is_originator)
2284             {
2285                 if (((security_required & BTM_SEC_OUT_FLAGS) == 0) ||
2286                     ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_AUTHENTICATE) && btm_dev_authenticated(p_dev_rec))) ||
2287                     ((((security_required & BTM_SEC_OUT_FLAGS) == (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) && btm_dev_encrypted(p_dev_rec))) ||
2288                     ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_FLAGS) && btm_dev_authorized(p_dev_rec)  && btm_dev_encrypted(p_dev_rec))) )
2289                 {
2290                     rc = BTM_SUCCESS;
2291                 }
2292             }
2293             else
2294             {
2295                 if (((security_required & BTM_SEC_IN_FLAGS) == 0) ||
2296                 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHENTICATE) && btm_dev_authenticated(p_dev_rec)) ||
2297                 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) && btm_dev_encrypted(p_dev_rec)) ||
2298                 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHORIZE) && (btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec))) ||
2299                 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_AUTHORIZE)) && ((btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec)) && btm_dev_authenticated(p_dev_rec))) ||
2300                 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHORIZE)) && ((btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec)) && btm_dev_encrypted(p_dev_rec))) ||
2301                 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_FLAGS)  && btm_dev_encrypted(p_dev_rec) && (btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec))))
2302                 {
2303                     // Check for 16 digits (or MITM)
2304                     if (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == 0) ||
2305                        (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == BTM_SEC_IN_MIN_16_DIGIT_PIN) && btm_dev_16_digit_authenticated(p_dev_rec))) {
2306                         rc = BTM_SUCCESS;
2307                     }
2308                 }
2309             }
2310 
2311             if ((rc == BTM_SUCCESS) && (security_required & BTM_SEC_MODE4_LEVEL4) &&
2312                 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256))
2313             {
2314                 rc = BTM_CMD_STARTED;
2315             }
2316 
2317             if (rc == BTM_SUCCESS)
2318             {
2319                 if (p_callback)
2320                     (*p_callback) (bd_addr, transport, (void *)p_ref_data, BTM_SUCCESS);
2321                 return(BTM_SUCCESS);
2322             }
2323         }
2324 
2325         btm_cb.sec_req_pending = TRUE;
2326         return(BTM_CMD_STARTED);
2327     }
2328 
2329     /* Save pointer to service record */
2330     p_dev_rec->p_cur_service = p_serv_rec;
2331 
2332     /* Modify security_required in btm_sec_l2cap_access_req for Lisbon */
2333     if (btm_cb.security_mode == BTM_SEC_MODE_SP ||
2334         btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
2335         btm_cb.security_mode == BTM_SEC_MODE_SC)
2336     {
2337         if (BTM_SEC_IS_SM4(p_dev_rec->sm4))
2338         {
2339             if (is_originator)
2340             {
2341                 /* SM4 to SM4 -> always authenticate & encrypt */
2342                 security_required |= (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT);
2343             }
2344             else /* acceptor */
2345             {
2346                 /* SM4 to SM4: the acceptor needs to make sure the authentication is already done */
2347                 chk_acp_auth_done = TRUE;
2348                 /* SM4 to SM4 -> always authenticate & encrypt */
2349                 security_required |= (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT);
2350            }
2351         }
2352         else if (!(BTM_SM4_KNOWN & p_dev_rec->sm4))
2353         {
2354             /* the remote features are not known yet */
2355             BTM_TRACE_DEBUG("%s: (%s) remote features unknown!!sec_flags:0x%02x", __FUNCTION__,
2356                             (is_originator) ? "initiator" : "acceptor", p_dev_rec->sec_flags);
2357 
2358             p_dev_rec->sm4 |= BTM_SM4_REQ_PEND;
2359             return (BTM_CMD_STARTED);
2360         }
2361     }
2362 
2363     BTM_TRACE_DEBUG ("%s()  sm4:0x%x, sec_flags:0x%x, security_required:0x%x chk:%d", __func__,
2364                       p_dev_rec->sm4, p_dev_rec->sec_flags, security_required, chk_acp_auth_done);
2365 
2366     old_security_required        = p_dev_rec->security_required;
2367     old_is_originator            = p_dev_rec->is_originator;
2368     p_dev_rec->security_required = security_required;
2369     p_dev_rec->p_ref_data        = p_ref_data;
2370     p_dev_rec->is_originator     = is_originator;
2371 
2372 #if (L2CAP_UCD_INCLUDED == TRUE)
2373     if ( conn_type & CONNECTION_TYPE_CONNLESS_MASK )
2374         p_dev_rec->is_ucd = TRUE;
2375     else
2376         p_dev_rec->is_ucd = FALSE;
2377 #endif
2378 
2379     /* If there are multiple service records used through the same PSM */
2380     /* leave security decision for the multiplexor on the top */
2381 #if (L2CAP_UCD_INCLUDED == TRUE)
2382     if (((btm_sec_find_next_serv (p_serv_rec)) != NULL)
2383         &&(!( conn_type & CONNECTION_TYPE_CONNLESS_MASK ))) /* if not UCD */
2384 #else
2385     if ((btm_sec_find_next_serv (p_serv_rec)) != NULL)
2386 #endif
2387     {
2388         BTM_TRACE_DEBUG ("no next_serv sm4:0x%x, chk:%d", p_dev_rec->sm4, chk_acp_auth_done);
2389         if (!BTM_SEC_IS_SM4(p_dev_rec->sm4))
2390         {
2391             BTM_TRACE_EVENT ("Security Manager: l2cap_access_req PSM:%d postponed for multiplexer", psm);
2392             /* pre-Lisbon: restore the old settings */
2393             p_dev_rec->security_required = old_security_required;
2394             p_dev_rec->is_originator     = old_is_originator;
2395 
2396             (*p_callback) (bd_addr, transport, p_ref_data, BTM_SUCCESS);
2397 
2398             return(BTM_SUCCESS);
2399         }
2400     }
2401 
2402     /* if the originator is using dynamic PSM in legacy mode, do not start any security process now
2403      * The layer above L2CAP needs to carry out the security requirement after L2CAP connect
2404      * response is received */
2405     if (is_originator &&
2406         ((btm_cb.security_mode == BTM_SEC_MODE_UNDEFINED ||
2407           btm_cb.security_mode == BTM_SEC_MODE_NONE ||
2408           btm_cb.security_mode == BTM_SEC_MODE_SERVICE ||
2409           btm_cb.security_mode == BTM_SEC_MODE_LINK) ||
2410          !BTM_SEC_IS_SM4(p_dev_rec->sm4)) && (psm >= 0x1001))
2411     {
2412         BTM_TRACE_EVENT ("dynamic PSM:0x%x in legacy mode - postponed for upper layer", psm);
2413         /* restore the old settings */
2414         p_dev_rec->security_required = old_security_required;
2415         p_dev_rec->is_originator     = old_is_originator;
2416 
2417         (*p_callback) (bd_addr, transport, p_ref_data, BTM_SUCCESS);
2418 
2419         return(BTM_SUCCESS);
2420     }
2421 
2422     if (chk_acp_auth_done)
2423     {
2424         BTM_TRACE_DEBUG ("(SM4 to SM4) btm_sec_l2cap_access_req rspd. authenticated: x%x, enc: x%x",
2425                           (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED), (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED));
2426         /* SM4, but we do not know for sure which level of security we need.
2427          * as long as we have a link key, it's OK */
2428         if ((0 == (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))
2429             ||(0 == (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)))
2430         {
2431             rc = BTM_DELAY_CHECK;
2432             /*
2433             2046 may report HCI_Encryption_Change and L2C Connection Request out of sequence
2434             because of data path issues. Delay this disconnect a little bit
2435             */
2436             LOG_INFO("%s peer should have initiated security process by now (SM4 to SM4)", __func__);
2437             p_dev_rec->p_callback        = p_callback;
2438             p_dev_rec->sec_state         = BTM_SEC_STATE_DELAY_FOR_ENC;
2439             (*p_callback) (bd_addr, transport, p_ref_data, rc);
2440 
2441             return BTM_SUCCESS;
2442         }
2443     }
2444 
2445     p_dev_rec->p_callback        = p_callback;
2446 
2447     if (p_dev_rec->last_author_service_id == BTM_SEC_NO_LAST_SERVICE_ID
2448         || p_dev_rec->last_author_service_id != p_dev_rec->p_cur_service->service_id)
2449     {
2450         /* Although authentication and encryption are per connection
2451         ** authorization is per access request.  For example when serial connection
2452         ** is up and authorized and client requests to read file (access to other
2453         ** scn), we need to request user's permission again.
2454         */
2455         p_dev_rec->sec_flags &= ~BTM_SEC_AUTHORIZED;
2456     }
2457 
2458     if (BTM_SEC_IS_SM4(p_dev_rec->sm4))
2459     {
2460         if ((p_dev_rec->security_required & BTM_SEC_MODE4_LEVEL4) &&
2461             (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256))
2462         {
2463             /* BTM_LKEY_TYPE_AUTH_COMB_P_256 is the only acceptable key in this case */
2464             if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) != 0)
2465             {
2466                 p_dev_rec->sm4 |= BTM_SM4_UPGRADE;
2467             }
2468             p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED |
2469                                       BTM_SEC_AUTHENTICATED);
2470             BTM_TRACE_DEBUG ("%s: sec_flags:0x%x", __FUNCTION__, p_dev_rec->sec_flags);
2471         }
2472         else
2473         {
2474             /* If we already have a link key to the connected peer, is it secure enough? */
2475             btm_sec_check_upgrade(p_dev_rec, is_originator);
2476         }
2477     }
2478 
2479     BTM_TRACE_EVENT ("%s() PSM:%d Handle:%d State:%d Flags: 0x%x Required: 0x%x Service ID:%d",
2480            __func__, psm, handle, p_dev_rec->sec_state, p_dev_rec->sec_flags,
2481            p_dev_rec->security_required, p_dev_rec->p_cur_service->service_id);
2482 
2483     if ((rc = btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED)
2484     {
2485         p_dev_rec->p_callback = NULL;
2486         (*p_callback) (bd_addr, transport, p_dev_rec->p_ref_data, (UINT8)rc);
2487     }
2488 
2489     return(rc);
2490 }
2491 
2492 /*******************************************************************************
2493 **
2494 ** Function         btm_sec_mx_access_request
2495 **
2496 ** Description      This function is called by all Multiplexing Protocols during
2497 **                  establishing connection to or from peer device to grant
2498 **                  permission to establish application connection.
2499 **
2500 ** Parameters:      bd_addr       - Address of the peer device
2501 **                  psm           - L2CAP PSM
2502 **                  is_originator - TRUE if protocol above L2CAP originates
2503 **                                  connection
2504 **                  mx_proto_id   - protocol ID of the multiplexer
2505 **                  mx_chan_id    - multiplexer channel to reach application
2506 **                  p_callback    - Pointer to callback function called if
2507 **                                  this function returns PENDING after required
2508 **                                  procedures are completed
2509 **                  p_ref_data    - Pointer to any reference data needed by the
2510 **                                  the callback function.
2511 **
2512 ** Returns          BTM_CMD_STARTED
2513 **
2514 *******************************************************************************/
btm_sec_mx_access_request(BD_ADDR bd_addr,UINT16 psm,BOOLEAN is_originator,UINT32 mx_proto_id,UINT32 mx_chan_id,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data)2515 tBTM_STATUS btm_sec_mx_access_request (BD_ADDR bd_addr, UINT16 psm, BOOLEAN is_originator,
2516                                        UINT32 mx_proto_id, UINT32 mx_chan_id,
2517                                        tBTM_SEC_CALLBACK *p_callback, void *p_ref_data)
2518 {
2519     tBTM_SEC_DEV_REC  *p_dev_rec;
2520     tBTM_SEC_SERV_REC *p_serv_rec;
2521     tBTM_STATUS        rc;
2522     UINT16             security_required;
2523     BOOLEAN transport   = FALSE;/* should check PSM range in LE connection oriented L2CAP connection */
2524 
2525     BTM_TRACE_DEBUG ("%s() is_originator: %d", __func__, is_originator);
2526     /* Find or get oldest record */
2527     p_dev_rec = btm_find_or_alloc_dev (bd_addr);
2528 
2529     /* Find the service record for the PSM */
2530     p_serv_rec = btm_sec_find_mx_serv (is_originator, psm, mx_proto_id, mx_chan_id);
2531 
2532     /* If there is no application registered with this PSM do not allow connection */
2533     if (!p_serv_rec)
2534     {
2535         if (p_callback)
2536             (*p_callback) (bd_addr, transport, p_ref_data, BTM_MODE_UNSUPPORTED);
2537 
2538         BTM_TRACE_ERROR ("Security Manager: MX service not found PSM:%d Proto:%d SCN:%d",
2539                           psm, mx_proto_id, mx_chan_id);
2540         return BTM_NO_RESOURCES;
2541     }
2542 
2543     if ((btm_cb.security_mode == BTM_SEC_MODE_SC) && (!btm_sec_is_serv_level0(psm)))
2544     {
2545         security_required = btm_sec_set_serv_level4_flags (p_serv_rec->security_flags,
2546                                                            is_originator);
2547     }
2548     else
2549     {
2550         security_required = p_serv_rec->security_flags;
2551     }
2552 
2553     /* there are some devices (moto phone) which connects to several services at the same time */
2554     /* we will process one after another */
2555     if ( (p_dev_rec->p_callback) || (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) )
2556     {
2557         BTM_TRACE_EVENT ("%s() service PSM:%d Proto:%d SCN:%d delayed  state: %s", __func__,
2558                           psm, mx_proto_id, mx_chan_id, btm_pair_state_descr(btm_cb.pairing_state));
2559 
2560         rc = BTM_CMD_STARTED;
2561 
2562         if ((btm_cb.security_mode == BTM_SEC_MODE_UNDEFINED ||
2563              btm_cb.security_mode == BTM_SEC_MODE_NONE ||
2564              btm_cb.security_mode == BTM_SEC_MODE_SERVICE ||
2565              btm_cb.security_mode == BTM_SEC_MODE_LINK) ||
2566             (BTM_SM4_KNOWN == p_dev_rec->sm4) || (BTM_SEC_IS_SM4(p_dev_rec->sm4) &&
2567             (btm_sec_is_upgrade_possible(p_dev_rec, is_originator) == FALSE)))
2568         {
2569             /* legacy mode - local is legacy or local is lisbon/peer is legacy
2570              * or SM4 with no possibility of link key upgrade */
2571             if (is_originator)
2572             {
2573                 if (((security_required & BTM_SEC_OUT_FLAGS) == 0) ||
2574                     ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_AUTHENTICATE) && btm_dev_authenticated(p_dev_rec))) ||
2575                     ((((security_required & BTM_SEC_OUT_FLAGS) == (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) && btm_dev_encrypted(p_dev_rec)))
2576                     )
2577                 {
2578                     rc = BTM_SUCCESS;
2579                 }
2580             }
2581             else
2582             {
2583                 if (((security_required & BTM_SEC_IN_FLAGS) == 0) ||
2584                     ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHENTICATE) && btm_dev_authenticated(p_dev_rec))) ||
2585                     (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHORIZE) && (btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec))) ||
2586                     (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_AUTHENTICATE)) && ((btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec)) && btm_dev_authenticated(p_dev_rec))) ||
2587                     (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT)) && ((btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec))&& btm_dev_encrypted(p_dev_rec))) ||
2588                     ((((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) && btm_dev_encrypted(p_dev_rec)))
2589                     )
2590                 {
2591                     // Check for 16 digits (or MITM)
2592                     if (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == 0) ||
2593                        (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == BTM_SEC_IN_MIN_16_DIGIT_PIN) && btm_dev_16_digit_authenticated(p_dev_rec))) {
2594                         rc = BTM_SUCCESS;
2595                     }
2596                 }
2597             }
2598             if ((rc == BTM_SUCCESS) && (security_required & BTM_SEC_MODE4_LEVEL4) &&
2599                 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256))
2600             {
2601                 rc = BTM_CMD_STARTED;
2602             }
2603         }
2604 
2605         if (rc == BTM_SUCCESS)
2606         {
2607             BTM_TRACE_EVENT("%s: allow to bypass, checking authorization", __FUNCTION__);
2608             /* the security in BTM_SEC_IN_FLAGS is fullfilled so far, check the requirements in */
2609             /* btm_sec_execute_procedure */
2610             if ((is_originator && (p_serv_rec->security_flags & BTM_SEC_OUT_AUTHORIZE)) ||
2611                 (!is_originator && (p_serv_rec->security_flags & BTM_SEC_IN_AUTHORIZE)))
2612             {
2613                 BTM_TRACE_EVENT("%s: still need authorization", __FUNCTION__);
2614                 rc = BTM_CMD_STARTED;
2615             }
2616         }
2617 
2618         /* Check whether there is a pending security procedure, if so we should always queue */
2619         /* the new security request */
2620         if (p_dev_rec->sec_state != BTM_SEC_STATE_IDLE)
2621         {
2622             BTM_TRACE_EVENT("%s: There is a pending security procedure", __FUNCTION__);
2623             rc = BTM_CMD_STARTED;
2624         }
2625         if (rc == BTM_CMD_STARTED)
2626         {
2627             BTM_TRACE_EVENT("%s: call btm_sec_queue_mx_request", __FUNCTION__);
2628             btm_sec_queue_mx_request (bd_addr, psm,  is_originator, mx_proto_id,
2629                                       mx_chan_id, p_callback, p_ref_data);
2630         }
2631         else /* rc == BTM_SUCCESS */
2632         {
2633             /* access granted */
2634              if (p_callback)
2635             {
2636                 (*p_callback) (bd_addr, transport, p_ref_data, (UINT8)rc);
2637             }
2638         }
2639 
2640         BTM_TRACE_EVENT("%s: return with rc = 0x%02x in delayed state %s", __FUNCTION__, rc,
2641                           btm_pair_state_descr(btm_cb.pairing_state));
2642         return rc;
2643     }
2644 
2645     if ((!is_originator) && ((security_required & BTM_SEC_MODE4_LEVEL4) ||
2646         (btm_cb.security_mode == BTM_SEC_MODE_SC)))
2647     {
2648         BOOLEAN local_supports_sc = controller_get_interface()->supports_secure_connections();
2649         /* acceptor receives service connection establishment Request for */
2650         /* Secure Connections Only service */
2651         if (!(local_supports_sc) || !(p_dev_rec->remote_supports_secure_connections))
2652         {
2653             BTM_TRACE_DEBUG("%s: SC only service,local_support_for_sc %d,",
2654                             "remote_support_for_sc %d: fail pairing",__FUNCTION__,
2655                             local_supports_sc, p_dev_rec->remote_supports_secure_connections);
2656 
2657             if (p_callback)
2658                 (*p_callback) (bd_addr, transport, (void *)p_ref_data,
2659                                BTM_MODE4_LEVEL4_NOT_SUPPORTED);
2660 
2661             return (BTM_MODE4_LEVEL4_NOT_SUPPORTED);
2662         }
2663     }
2664 
2665     p_dev_rec->p_cur_service     = p_serv_rec;
2666     p_dev_rec->security_required = security_required;
2667 
2668     if (btm_cb.security_mode == BTM_SEC_MODE_SP ||
2669         btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
2670         btm_cb.security_mode == BTM_SEC_MODE_SC)
2671     {
2672         if (BTM_SEC_IS_SM4(p_dev_rec->sm4))
2673         {
2674             if ((p_dev_rec->security_required & BTM_SEC_MODE4_LEVEL4) &&
2675                 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256))
2676             {
2677                 /* BTM_LKEY_TYPE_AUTH_COMB_P_256 is the only acceptable key in this case */
2678                 if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) != 0)
2679                 {
2680                     p_dev_rec->sm4 |= BTM_SM4_UPGRADE;
2681                 }
2682 
2683                 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED |
2684                                           BTM_SEC_AUTHENTICATED);
2685                 BTM_TRACE_DEBUG("%s: sec_flags:0x%x", __FUNCTION__, p_dev_rec->sec_flags);
2686             }
2687             else
2688             {
2689                 /* If we already have a link key, check if that link key is good enough */
2690                 btm_sec_check_upgrade(p_dev_rec, is_originator);
2691             }
2692         }
2693     }
2694 
2695     p_dev_rec->is_originator     = is_originator;
2696     p_dev_rec->p_callback        = p_callback;
2697     p_dev_rec->p_ref_data        = p_ref_data;
2698 
2699     /* Although authentication and encryption are per connection */
2700     /* authorization is per access request.  For example when serial connection */
2701     /* is up and authorized and client requests to read file (access to other */
2702     /* scn, we need to request user's permission again. */
2703     p_dev_rec->sec_flags &= ~(BTM_SEC_AUTHORIZED);
2704 
2705     BTM_TRACE_EVENT ("%s() proto_id:%d chan_id:%d State:%d Flags:0x%x Required:0x%x Service ID:%d",
2706                       __func__, mx_proto_id, mx_chan_id, p_dev_rec->sec_state, p_dev_rec->sec_flags,
2707                       p_dev_rec->security_required, p_dev_rec->p_cur_service->service_id);
2708 
2709     if ((rc = btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED)
2710     {
2711         if (p_callback)
2712         {
2713             p_dev_rec->p_callback = NULL;
2714             (*p_callback) (bd_addr,transport, p_ref_data, (UINT8)rc);
2715         }
2716     }
2717 
2718     return rc;
2719 }
2720 
2721 /*******************************************************************************
2722 **
2723 ** Function         btm_sec_conn_req
2724 **
2725 ** Description      This function is when the peer device is requesting
2726 **                  connection
2727 **
2728 ** Returns          void
2729 **
2730 *******************************************************************************/
btm_sec_conn_req(UINT8 * bda,UINT8 * dc)2731 void btm_sec_conn_req (UINT8 *bda, UINT8 *dc)
2732 {
2733     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev (bda);
2734 
2735     /* Some device may request a connection before we are done with the HCI_Reset sequence */
2736     if (!controller_get_interface()->get_is_ready())
2737     {
2738         BTM_TRACE_EVENT ("Security Manager: connect request when device not ready");
2739         btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2740         return;
2741     }
2742 
2743     /* Security guys wants us not to allow connection from not paired devices */
2744 
2745     /* Check if connection is allowed for only paired devices */
2746     if (btm_cb.connect_only_paired)
2747     {
2748         if (!p_dev_rec || !(p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED))
2749         {
2750             BTM_TRACE_EVENT ("Security Manager: connect request from non-paired device");
2751             btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2752             return;
2753         }
2754     }
2755 
2756 #if BTM_ALLOW_CONN_IF_NONDISCOVER == FALSE
2757     /* If non-discoverable, only allow known devices to connect */
2758     if (btm_cb.btm_inq_vars.discoverable_mode == BTM_NON_DISCOVERABLE)
2759     {
2760         if (!p_dev_rec)
2761         {
2762             BTM_TRACE_EVENT ("Security Manager: connect request from not paired device");
2763             btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2764             return;
2765         }
2766     }
2767 #endif
2768 
2769     if ((btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
2770         &&(btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
2771         &&(!memcmp (btm_cb.pairing_bda, bda, BD_ADDR_LEN)))
2772     {
2773         BTM_TRACE_EVENT ("Security Manager: reject connect request from bonding device");
2774 
2775         /* incoming connection from bonding device is rejected */
2776         btm_cb.pairing_flags |= BTM_PAIR_FLAGS_REJECTED_CONNECT;
2777         btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2778         return;
2779     }
2780 
2781     /* Host is not interested or approved connection.  Save BDA and DC and */
2782     /* pass request to L2CAP */
2783     memcpy (btm_cb.connecting_bda, bda, BD_ADDR_LEN);
2784     memcpy (btm_cb.connecting_dc,  dc,  DEV_CLASS_LEN);
2785 
2786     if (l2c_link_hci_conn_req (bda))
2787     {
2788         if (!p_dev_rec)
2789         {
2790             /* accept the connection -> allocate a device record */
2791             p_dev_rec = btm_sec_alloc_dev (bda);
2792         }
2793         if (p_dev_rec)
2794         {
2795             p_dev_rec->sm4 |= BTM_SM4_CONN_PEND;
2796         }
2797     }
2798 }
2799 
2800 /*******************************************************************************
2801 **
2802 ** Function         btm_sec_bond_cancel_complete
2803 **
2804 ** Description      This function is called to report bond cancel complete
2805 **                  event.
2806 **
2807 ** Returns          void
2808 **
2809 *******************************************************************************/
btm_sec_bond_cancel_complete(void)2810 static void btm_sec_bond_cancel_complete (void)
2811 {
2812     tBTM_SEC_DEV_REC *p_dev_rec;
2813 
2814     if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE) ||
2815         (BTM_PAIR_STATE_WAIT_LOCAL_PIN == btm_cb.pairing_state &&
2816          BTM_PAIR_FLAGS_WE_STARTED_DD & btm_cb.pairing_flags) ||
2817          (btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME &&
2818           BTM_PAIR_FLAGS_WE_CANCEL_DD & btm_cb.pairing_flags))
2819     {
2820         /* for dedicated bonding in legacy mode, authentication happens at "link level"
2821          * btm_sec_connected is called with failed status.
2822          * In theory, the code that handles is_pairing_device/TRUE should clean out security related code.
2823          * However, this function may clean out the security related flags and btm_sec_connected would not know
2824          * this function also needs to do proper clean up.
2825          */
2826         if ((p_dev_rec = btm_find_dev (btm_cb.pairing_bda)) != NULL)
2827             p_dev_rec->security_required = BTM_SEC_NONE;
2828         btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
2829 
2830         /* Notify application that the cancel succeeded */
2831         if (btm_cb.api.p_bond_cancel_cmpl_callback)
2832             btm_cb.api.p_bond_cancel_cmpl_callback(BTM_SUCCESS);
2833     }
2834 }
2835 
2836 /*******************************************************************************
2837 **
2838 ** Function         btm_create_conn_cancel_complete
2839 **
2840 ** Description      This function is called when the command complete message
2841 **                  is received from the HCI for the create connection cancel
2842 **                  command.
2843 **
2844 ** Returns          void
2845 **
2846 *******************************************************************************/
btm_create_conn_cancel_complete(UINT8 * p)2847 void btm_create_conn_cancel_complete (UINT8 *p)
2848 {
2849     UINT8       status;
2850 
2851     STREAM_TO_UINT8 (status, p);
2852     BTM_TRACE_EVENT ("btm_create_conn_cancel_complete(): in State: %s  status:%d",
2853                       btm_pair_state_descr(btm_cb.pairing_state), status);
2854 
2855     /* if the create conn cancel cmd was issued by the bond cancel,
2856     ** the application needs to be notified that bond cancel succeeded
2857     */
2858     switch (status)
2859     {
2860         case HCI_SUCCESS:
2861             btm_sec_bond_cancel_complete();
2862             break;
2863         case HCI_ERR_CONNECTION_EXISTS:
2864         case HCI_ERR_NO_CONNECTION:
2865         default:
2866             /* Notify application of the error */
2867             if (btm_cb.api.p_bond_cancel_cmpl_callback)
2868                 btm_cb.api.p_bond_cancel_cmpl_callback(BTM_ERR_PROCESSING);
2869             break;
2870     }
2871 }
2872 
2873 /*******************************************************************************
2874 **
2875 ** Function         btm_sec_check_pending_reqs
2876 **
2877 ** Description      This function is called at the end of the security procedure
2878 **                  to let L2CAP and RFCOMM know to re-submit any pending requests
2879 **
2880 ** Returns          void
2881 **
2882 *******************************************************************************/
btm_sec_check_pending_reqs(void)2883 void btm_sec_check_pending_reqs (void)
2884 {
2885     tBTM_SEC_QUEUE_ENTRY    *p_e;
2886     BUFFER_Q                bq;
2887 
2888     if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
2889     {
2890         /* First, resubmit L2CAP requests */
2891         if (btm_cb.sec_req_pending)
2892         {
2893             btm_cb.sec_req_pending = FALSE;
2894             l2cu_resubmit_pending_sec_req (NULL);
2895         }
2896 
2897         /* Now, re-submit anything in the mux queue */
2898         bq = btm_cb.sec_pending_q;
2899 
2900         GKI_init_q (&btm_cb.sec_pending_q);
2901 
2902         while ((p_e = (tBTM_SEC_QUEUE_ENTRY *)GKI_dequeue (&bq)) != NULL)
2903         {
2904             /* Check that the ACL is still up before starting security procedures */
2905             if (btm_bda_to_acl(p_e->bd_addr, p_e->transport) != NULL)
2906             {
2907                 if (p_e->psm != 0)
2908                 {
2909                     BTM_TRACE_EVENT("%s PSM:0x%04x Is_Orig:%u mx_proto_id:%u mx_chan_id:%u",
2910                                     __FUNCTION__, p_e->psm, p_e->is_orig,
2911                                     p_e->mx_proto_id, p_e->mx_chan_id);
2912 
2913                     btm_sec_mx_access_request (p_e->bd_addr, p_e->psm, p_e->is_orig,
2914                                            p_e->mx_proto_id, p_e->mx_chan_id,
2915                                            p_e->p_callback, p_e->p_ref_data);
2916                 }
2917                 else
2918                 {
2919                     BTM_SetEncryption(p_e->bd_addr, p_e->transport, p_e->p_callback,
2920                                       p_e->p_ref_data);
2921                 }
2922             }
2923 
2924             GKI_freebuf (p_e);
2925         }
2926     }
2927 }
2928 
2929 /*******************************************************************************
2930 **
2931 ** Function         btm_sec_init
2932 **
2933 ** Description      This function is on the SEC startup
2934 **
2935 ** Returns          void
2936 **
2937 *******************************************************************************/
btm_sec_init(UINT8 sec_mode)2938 void btm_sec_init (UINT8 sec_mode)
2939 {
2940     btm_cb.security_mode = sec_mode;
2941     memset (btm_cb.pairing_bda, 0xff, BD_ADDR_LEN);
2942     btm_cb.max_collision_delay = BTM_SEC_MAX_COLLISION_DELAY;
2943 }
2944 
2945 /*******************************************************************************
2946 **
2947 ** Function         btm_sec_device_down
2948 **
2949 ** Description      This function should be called when device is disabled or
2950 **                  turned off
2951 **
2952 ** Returns          void
2953 **
2954 *******************************************************************************/
btm_sec_device_down(void)2955 void btm_sec_device_down (void)
2956 {
2957     BTM_TRACE_EVENT ("%s() State: %s", __func__, btm_pair_state_descr(btm_cb.pairing_state));
2958     btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
2959 }
2960 
2961 /*******************************************************************************
2962 **
2963 ** Function         btm_sec_dev_reset
2964 **
2965 ** Description      This function should be called after device reset
2966 **
2967 ** Returns          void
2968 **
2969 *******************************************************************************/
btm_sec_dev_reset(void)2970 void btm_sec_dev_reset (void)
2971 {
2972     if (controller_get_interface()->supports_simple_pairing())
2973     {
2974         /* set the default IO capabilities */
2975         btm_cb.devcb.loc_io_caps = BTM_LOCAL_IO_CAPS;
2976         /* add mx service to use no security */
2977         BTM_SetSecurityLevel(FALSE, "RFC_MUX", BTM_SEC_SERVICE_RFC_MUX,
2978                              BTM_SEC_NONE, BT_PSM_RFCOMM, BTM_SEC_PROTO_RFCOMM, 0);
2979     }
2980     else
2981     {
2982         btm_cb.security_mode = BTM_SEC_MODE_SERVICE;
2983     }
2984 
2985     BTM_TRACE_DEBUG ("btm_sec_dev_reset sec mode: %d", btm_cb.security_mode);
2986 }
2987 
2988 /*******************************************************************************
2989 **
2990 ** Function         btm_sec_abort_access_req
2991 **
2992 ** Description      This function is called by the L2CAP or RFCOMM to abort
2993 **                  the pending operation.
2994 **
2995 ** Parameters:      bd_addr       - Address of the peer device
2996 **
2997 ** Returns          void
2998 **
2999 *******************************************************************************/
btm_sec_abort_access_req(BD_ADDR bd_addr)3000 void btm_sec_abort_access_req (BD_ADDR bd_addr)
3001 {
3002     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev (bd_addr);
3003 
3004     if (!p_dev_rec)
3005         return;
3006 
3007     if ((p_dev_rec->sec_state != BTM_SEC_STATE_AUTHORIZING)
3008         && (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING))
3009         return;
3010 
3011     p_dev_rec->sec_state  = BTM_SEC_STATE_IDLE;
3012     p_dev_rec->p_callback = NULL;
3013 }
3014 
3015 /*******************************************************************************
3016 **
3017 ** Function         btm_sec_dd_create_conn
3018 **
3019 ** Description      This function is called to create the ACL connection for
3020 **                  the dedicated boding process
3021 **
3022 ** Returns          void
3023 **
3024 *******************************************************************************/
btm_sec_dd_create_conn(tBTM_SEC_DEV_REC * p_dev_rec)3025 static tBTM_STATUS btm_sec_dd_create_conn (tBTM_SEC_DEV_REC *p_dev_rec)
3026 {
3027     tL2C_LCB *p_lcb = l2cu_find_lcb_by_bd_addr(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR);
3028     if (p_lcb && (p_lcb->link_state == LST_CONNECTED || p_lcb->link_state == LST_CONNECTING))
3029     {
3030        BTM_TRACE_WARNING("%s Connection already exists", __func__);
3031        return BTM_CMD_STARTED;
3032     }
3033 
3034     /* Make sure an L2cap link control block is available */
3035     if (!p_lcb && (p_lcb = l2cu_allocate_lcb (p_dev_rec->bd_addr, TRUE, BT_TRANSPORT_BR_EDR)) == NULL)
3036     {
3037         BTM_TRACE_WARNING ("Security Manager: failed allocate LCB [%02x%02x%02x%02x%02x%02x]",
3038                             p_dev_rec->bd_addr[0], p_dev_rec->bd_addr[1], p_dev_rec->bd_addr[2],
3039                             p_dev_rec->bd_addr[3], p_dev_rec->bd_addr[4], p_dev_rec->bd_addr[5]);
3040 
3041         return(BTM_NO_RESOURCES);
3042     }
3043 
3044     /* set up the control block to indicated dedicated bonding */
3045     btm_cb.pairing_flags |= BTM_PAIR_FLAGS_DISC_WHEN_DONE;
3046 
3047     if (l2cu_create_conn(p_lcb, BT_TRANSPORT_BR_EDR) == FALSE)
3048     {
3049         BTM_TRACE_WARNING ("Security Manager: failed create  [%02x%02x%02x%02x%02x%02x]",
3050                             p_dev_rec->bd_addr[0], p_dev_rec->bd_addr[1], p_dev_rec->bd_addr[2],
3051                             p_dev_rec->bd_addr[3], p_dev_rec->bd_addr[4], p_dev_rec->bd_addr[5]);
3052 
3053         l2cu_release_lcb(p_lcb);
3054         return(BTM_NO_RESOURCES);
3055     }
3056 
3057     btm_acl_update_busy_level (BTM_BLI_PAGE_EVT);
3058 
3059     BTM_TRACE_DEBUG ("Security Manager: btm_sec_dd_create_conn [%02x%02x%02x%02x%02x%02x]",
3060                       p_dev_rec->bd_addr[0], p_dev_rec->bd_addr[1], p_dev_rec->bd_addr[2],
3061                       p_dev_rec->bd_addr[3], p_dev_rec->bd_addr[4], p_dev_rec->bd_addr[5]);
3062 
3063     btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
3064 
3065     return(BTM_CMD_STARTED);
3066 }
3067 
3068 /*******************************************************************************
3069 **
3070 ** Function         btm_sec_rmt_name_request_complete
3071 **
3072 ** Description      This function is called when remote name was obtained from
3073 **                  the peer device
3074 **
3075 ** Returns          void
3076 **
3077 *******************************************************************************/
btm_sec_rmt_name_request_complete(UINT8 * p_bd_addr,UINT8 * p_bd_name,UINT8 status)3078 void btm_sec_rmt_name_request_complete (UINT8 *p_bd_addr, UINT8 *p_bd_name, UINT8 status)
3079 {
3080     tBTM_SEC_DEV_REC *p_dev_rec;
3081     int              i;
3082     DEV_CLASS        dev_class;
3083     UINT8            old_sec_state;
3084 
3085     BTM_TRACE_EVENT ("btm_sec_rmt_name_request_complete");
3086     if (((p_bd_addr == NULL) && !BTM_ACL_IS_CONNECTED(btm_cb.connecting_bda))
3087         || ((p_bd_addr != NULL) && !BTM_ACL_IS_CONNECTED(p_bd_addr)))
3088     {
3089         btm_acl_resubmit_page();
3090     }
3091 
3092     /* If remote name request failed, p_bd_addr is null and we need to search */
3093     /* based on state assuming that we are doing 1 at a time */
3094     if (p_bd_addr)
3095         p_dev_rec = btm_find_dev (p_bd_addr);
3096     else
3097     {
3098         p_dev_rec = &btm_cb.sec_dev_rec[0];
3099 
3100         for (i = 0; i < BTM_SEC_MAX_DEVICE_RECORDS; i++, p_dev_rec++)
3101         {
3102             if ((p_dev_rec->sec_flags & BTM_SEC_IN_USE)
3103                 && (p_dev_rec->sec_state == BTM_SEC_STATE_GETTING_NAME))
3104             {
3105                 p_bd_addr = p_dev_rec->bd_addr;
3106                 break;
3107             }
3108         }
3109 
3110         if (i == BTM_SEC_MAX_DEVICE_RECORDS)
3111             p_dev_rec = NULL;
3112     }
3113 
3114 
3115     /* Commenting out trace due to obf/compilation problems.
3116     */
3117 #if (BT_USE_TRACES == TRUE)
3118     if (!p_bd_name)
3119         p_bd_name = (UINT8 *)"";
3120 
3121     if (p_dev_rec)
3122     {
3123         BTM_TRACE_EVENT ("Security Manager: rmt_name_complete PairState: %s  RemName: %s  status: %d State:%d  p_dev_rec: 0x%08x ",
3124                           btm_pair_state_descr (btm_cb.pairing_state), p_bd_name,
3125                           status, p_dev_rec->sec_state, p_dev_rec);
3126     }
3127     else
3128     {
3129         BTM_TRACE_EVENT ("Security Manager: rmt_name_complete PairState: %s  RemName: %s  status: %d",
3130                           btm_pair_state_descr (btm_cb.pairing_state), p_bd_name,
3131                           status);
3132     }
3133 #endif
3134 
3135     if (p_dev_rec)
3136     {
3137         old_sec_state = p_dev_rec->sec_state;
3138         if (status == HCI_SUCCESS)
3139         {
3140             BCM_STRNCPY_S ((char *)p_dev_rec->sec_bd_name, sizeof (p_dev_rec->sec_bd_name), (char *)p_bd_name, BTM_MAX_REM_BD_NAME_LEN);
3141             p_dev_rec->sec_flags |= BTM_SEC_NAME_KNOWN;
3142             BTM_TRACE_EVENT ("setting BTM_SEC_NAME_KNOWN sec_flags:0x%x", p_dev_rec->sec_flags);
3143         }
3144         else
3145         {
3146             /* Notify all clients waiting for name to be resolved even if it failed so clients can continue */
3147             p_dev_rec->sec_bd_name[0] = 0;
3148         }
3149 
3150         if (p_dev_rec->sec_state == BTM_SEC_STATE_GETTING_NAME)
3151             p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
3152 
3153         /* Notify all clients waiting for name to be resolved */
3154         for (i = 0;i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
3155         {
3156             if (btm_cb.p_rmt_name_callback[i] && p_bd_addr)
3157                 (*btm_cb.p_rmt_name_callback[i])(p_bd_addr, p_dev_rec->dev_class,
3158                                                  p_dev_rec->sec_bd_name);
3159         }
3160     }
3161     else
3162     {
3163         dev_class[0] = 0;
3164         dev_class[1] = 0;
3165         dev_class[2] = 0;
3166 
3167         /* Notify all clients waiting for name to be resolved even if not found so clients can continue */
3168         for (i = 0;i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
3169         {
3170             if (btm_cb.p_rmt_name_callback[i] && p_bd_addr)
3171                 (*btm_cb.p_rmt_name_callback[i])(p_bd_addr, dev_class, (UINT8 *)"");
3172         }
3173 
3174         return;
3175     }
3176 
3177     /* If we were delaying asking UI for a PIN because name was not resolved, ask now */
3178     if ( (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_LOCAL_PIN) && p_bd_addr
3179          &&  (memcmp (btm_cb.pairing_bda, p_bd_addr, BD_ADDR_LEN) == 0) )
3180     {
3181         BTM_TRACE_EVENT ("btm_sec_rmt_name_request_complete() delayed pin now being requested flags:0x%x, (p_pin_callback=0x%p)", btm_cb.pairing_flags, btm_cb.api.p_pin_callback);
3182 
3183         if (((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) == 0) &&
3184             ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PIN_REQD) == 0) &&
3185             btm_cb.api.p_pin_callback)
3186         {
3187             BTM_TRACE_EVENT ("btm_sec_rmt_name_request_complete() calling pin_callback");
3188             btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
3189             (*btm_cb.api.p_pin_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class, p_bd_name,
3190                     (p_dev_rec->p_cur_service==NULL) ? FALSE
3191                      : (p_dev_rec->p_cur_service->security_flags & BTM_SEC_IN_MIN_16_DIGIT_PIN));
3192         }
3193 
3194         /* Set the same state again to force the timer to be restarted */
3195         btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_PIN);
3196         return;
3197     }
3198 
3199     /* Check if we were delaying bonding because name was not resolved */
3200     if ( btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME)
3201     {
3202         if (p_bd_addr && memcmp (btm_cb.pairing_bda, p_bd_addr, BD_ADDR_LEN) == 0)
3203         {
3204             BTM_TRACE_EVENT ("btm_sec_rmt_name_request_complete() continue bonding sm4: 0x%04x, status:0x%x", p_dev_rec->sm4, status);
3205             if(btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_CANCEL_DD)
3206             {
3207                 btm_sec_bond_cancel_complete();
3208                 return;
3209             }
3210 
3211             if (status != HCI_SUCCESS)
3212             {
3213                 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
3214 
3215                 if (btm_cb.api.p_auth_complete_callback)
3216                     (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,  p_dev_rec->dev_class,
3217                                                             p_dev_rec->sec_bd_name, status);
3218                 return;
3219             }
3220 
3221             /* if peer is very old legacy devices, HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT is not reported */
3222             if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4))
3223             {
3224                 /* set the KNOWN flag only if BTM_PAIR_FLAGS_REJECTED_CONNECT is not set.*/
3225                 /* If it is set, there may be a race condition */
3226                 BTM_TRACE_DEBUG ("btm_sec_rmt_name_request_complete  IS_SM4_UNKNOWN Flags:0x%04x",
3227                                    btm_cb.pairing_flags);
3228                 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT) == 0)
3229                 {
3230                     p_dev_rec->sm4 |= BTM_SM4_KNOWN;
3231                 }
3232             }
3233 
3234             BTM_TRACE_DEBUG("%s, SM4 Value: %x, Legacy:%d,IS SM4:%d, Unknown:%d",__FUNCTION__,
3235                 p_dev_rec->sm4, BTM_SEC_IS_SM4_LEGACY(p_dev_rec->sm4),
3236                 BTM_SEC_IS_SM4(p_dev_rec->sm4),BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4));
3237 
3238             /* BT 2.1 or carkit, bring up the connection to force the peer to request PIN.
3239             ** Else prefetch (btm_sec_check_prefetch_pin will do the prefetching if needed)
3240             */
3241             if ((p_dev_rec->sm4 != BTM_SM4_KNOWN) || !btm_sec_check_prefetch_pin(p_dev_rec))
3242             {
3243                 /* if we rejected incoming connection request, we have to wait HCI_Connection_Complete event */
3244                 /*  before originating  */
3245                 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT)
3246                 {
3247                     BTM_TRACE_WARNING ("btm_sec_rmt_name_request_complete: waiting HCI_Connection_Complete after rejecting connection");
3248                 }
3249                 /* Both we and the peer are 2.1 - continue to create connection */
3250                 else if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED)
3251                 {
3252                     BTM_TRACE_WARNING ("btm_sec_rmt_name_request_complete: failed to start connection");
3253 
3254                     btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
3255 
3256                     if (btm_cb.api.p_auth_complete_callback)
3257                     (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,  p_dev_rec->dev_class,
3258                                                             p_dev_rec->sec_bd_name, HCI_ERR_MEMORY_FULL);
3259                 }
3260             }
3261             return;
3262         }
3263         else
3264         {
3265             BTM_TRACE_WARNING ("btm_sec_rmt_name_request_complete: wrong BDA, retry with pairing BDA");
3266 
3267             BTM_ReadRemoteDeviceName (btm_cb.pairing_bda, NULL, BT_TRANSPORT_BR_EDR);
3268             return;
3269         }
3270     }
3271 
3272     /* check if we were delaying link_key_callback because name was not resolved */
3273     if (p_dev_rec->link_key_not_sent)
3274     {
3275         /* If HCI connection complete has not arrived, wait for it */
3276         if (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE)
3277             return;
3278 
3279         p_dev_rec->link_key_not_sent = FALSE;
3280         btm_send_link_key_notif(p_dev_rec);
3281 
3282         /* If its not us who perform authentication, we should tell stackserver */
3283         /* that some authentication has been completed                          */
3284         /* This is required when different entities receive link notification and auth complete */
3285         if (!(p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE))
3286         {
3287             if (btm_cb.api.p_auth_complete_callback)
3288                 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
3289                                                         p_dev_rec->dev_class,
3290                                                         p_dev_rec->sec_bd_name, HCI_SUCCESS);
3291 
3292         }
3293     }
3294 
3295     /* If this is a bonding procedure can disconnect the link now */
3296     if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
3297         && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))
3298     {
3299         BTM_TRACE_WARNING ("btm_sec_rmt_name_request_complete (none/ce)");
3300         p_dev_rec->security_required &= ~(BTM_SEC_OUT_AUTHENTICATE);
3301         l2cu_start_post_bond_timer(p_dev_rec->hci_handle);
3302         return;
3303     }
3304 
3305     if (old_sec_state != BTM_SEC_STATE_GETTING_NAME)
3306         return;
3307 
3308     /* If get name failed, notify the waiting layer */
3309     if (status != HCI_SUCCESS)
3310     {
3311         btm_sec_dev_rec_cback_event  (p_dev_rec, BTM_ERR_PROCESSING, FALSE);
3312         return;
3313     }
3314 
3315     if (p_dev_rec->sm4 & BTM_SM4_REQ_PEND)
3316     {
3317         BTM_TRACE_EVENT ("waiting for remote features!!");
3318         return;
3319     }
3320 
3321     /* Remote Name succeeded, execute the next security procedure, if any */
3322     status = (UINT8)btm_sec_execute_procedure (p_dev_rec);
3323 
3324     /* If result is pending reply from the user or from the device is pending */
3325     if (status == BTM_CMD_STARTED)
3326         return;
3327 
3328     /* There is no next procedure or start of procedure failed, notify the waiting layer */
3329     btm_sec_dev_rec_cback_event  (p_dev_rec, status, FALSE);
3330 }
3331 
3332 /*******************************************************************************
3333 **
3334 ** Function         btm_sec_rmt_host_support_feat_evt
3335 **
3336 ** Description      This function is called when the
3337 **                  HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT is received
3338 **
3339 ** Returns          void
3340 **
3341 *******************************************************************************/
btm_sec_rmt_host_support_feat_evt(UINT8 * p)3342 void btm_sec_rmt_host_support_feat_evt (UINT8 *p)
3343 {
3344     tBTM_SEC_DEV_REC *p_dev_rec;
3345     BD_ADDR         bd_addr;        /* peer address */
3346     BD_FEATURES     features;
3347 
3348     STREAM_TO_BDADDR (bd_addr, p);
3349     p_dev_rec = btm_find_or_alloc_dev (bd_addr);
3350 
3351     BTM_TRACE_EVENT ("btm_sec_rmt_host_support_feat_evt  sm4: 0x%x  p[0]: 0x%x", p_dev_rec->sm4, p[0]);
3352 
3353     if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4))
3354     {
3355         p_dev_rec->sm4 = BTM_SM4_KNOWN;
3356         STREAM_TO_ARRAY(features, p, HCI_FEATURE_BYTES_PER_PAGE);
3357         if (HCI_SSP_HOST_SUPPORTED(features))
3358         {
3359             p_dev_rec->sm4 = BTM_SM4_TRUE;
3360         }
3361         BTM_TRACE_EVENT ("btm_sec_rmt_host_support_feat_evt sm4: 0x%x features[0]: 0x%x", p_dev_rec->sm4, features[0]);
3362     }
3363 }
3364 
3365 /*******************************************************************************
3366 **
3367 ** Function         btm_io_capabilities_req
3368 **
3369 ** Description      This function is called when LM request for the IO
3370 **                  capability of the local device and
3371 **                  if the OOB data is present for the device in the event
3372 **
3373 ** Returns          void
3374 **
3375 *******************************************************************************/
btm_io_capabilities_req(UINT8 * p)3376 void btm_io_capabilities_req (UINT8 *p)
3377 {
3378     tBTM_SP_IO_REQ  evt_data;
3379     UINT8           err_code = 0;
3380     tBTM_SEC_DEV_REC *p_dev_rec;
3381     BOOLEAN         is_orig = TRUE;
3382     UINT8           callback_rc = BTM_SUCCESS;
3383 
3384     STREAM_TO_BDADDR (evt_data.bd_addr, p);
3385 
3386     /* setup the default response according to compile options */
3387     /* assume that the local IO capability does not change
3388      * loc_io_caps is initialized with the default value */
3389     evt_data.io_cap = btm_cb.devcb.loc_io_caps;
3390     evt_data.oob_data = BTM_OOB_NONE;
3391     evt_data.auth_req = BTM_DEFAULT_AUTH_REQ;
3392 
3393     BTM_TRACE_EVENT("%s: State: %s", __FUNCTION__, btm_pair_state_descr(btm_cb.pairing_state));
3394 
3395     p_dev_rec = btm_find_or_alloc_dev (evt_data.bd_addr);
3396 
3397     BTM_TRACE_DEBUG("%s:Security mode: %d, Num Read Remote Feat pages: %d", __FUNCTION__,
3398                       btm_cb.security_mode, p_dev_rec->num_read_pages);
3399 
3400     if ((btm_cb.security_mode == BTM_SEC_MODE_SC) && (p_dev_rec->num_read_pages == 0))
3401     {
3402         BTM_TRACE_EVENT("%s: Device security mode is SC only.",
3403                          "To continue need to know remote features.", __FUNCTION__);
3404 
3405         p_dev_rec->remote_features_needed = TRUE;
3406         return;
3407     }
3408 
3409     p_dev_rec->sm4 |= BTM_SM4_TRUE;
3410 
3411     BTM_TRACE_EVENT("%s: State: %s  Flags: 0x%04x  p_cur_service: 0x%08x",
3412                      __FUNCTION__, btm_pair_state_descr(btm_cb.pairing_state),
3413                      btm_cb.pairing_flags, p_dev_rec->p_cur_service);
3414 
3415     if (p_dev_rec->p_cur_service)
3416     {
3417         BTM_TRACE_EVENT("%s: cur_service psm: 0x%04x, security_flags: 0x%04x",
3418                          __FUNCTION__, p_dev_rec->p_cur_service->psm,
3419                          p_dev_rec->p_cur_service->security_flags);
3420     }
3421 
3422     switch (btm_cb.pairing_state)
3423     {
3424         /* initiator connecting */
3425         case BTM_PAIR_STATE_IDLE:
3426             //TODO: Handle Idle pairing state
3427             //security_required = p_dev_rec->security_required;
3428             break;
3429 
3430         /* received IO capability response already->acceptor */
3431         case BTM_PAIR_STATE_INCOMING_SSP:
3432             is_orig = FALSE;
3433 
3434             if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_PEER_STARTED_DD)
3435             {
3436                 /* acceptor in dedicated bonding */
3437                 evt_data.auth_req = BTM_DEFAULT_DD_AUTH_REQ;
3438             }
3439             break;
3440 
3441         /* initiator, at this point it is expected to be dedicated bonding
3442         initiated by local device */
3443         case BTM_PAIR_STATE_WAIT_PIN_REQ:
3444             if (!memcmp (evt_data.bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN))
3445             {
3446                 evt_data.auth_req = BTM_DEFAULT_DD_AUTH_REQ;
3447             }
3448             else
3449             {
3450                 err_code = HCI_ERR_HOST_BUSY_PAIRING;
3451             }
3452             break;
3453 
3454         /* any other state is unexpected */
3455         default:
3456             err_code = HCI_ERR_HOST_BUSY_PAIRING;
3457             BTM_TRACE_ERROR("%s: Unexpected Pairing state received %d", __FUNCTION__,
3458                              btm_cb.pairing_state);
3459             break;
3460     }
3461 
3462     if (btm_cb.pairing_disabled)
3463     {
3464         /* pairing is not allowed */
3465         BTM_TRACE_DEBUG("%s: Pairing is not allowed -> fail pairing.", __FUNCTION__);
3466         err_code = HCI_ERR_PAIRING_NOT_ALLOWED;
3467     }
3468     else if (btm_cb.security_mode == BTM_SEC_MODE_SC)
3469     {
3470         BOOLEAN local_supports_sc = controller_get_interface()->supports_secure_connections();
3471         /* device in Secure Connections Only mode */
3472         if (!(local_supports_sc) || !(p_dev_rec->remote_supports_secure_connections))
3473         {
3474             BTM_TRACE_DEBUG("%s: SC only service, local_support_for_sc %d,",
3475                             " remote_support_for_sc 0x%02x -> fail pairing", __FUNCTION__,
3476                             local_supports_sc, p_dev_rec->remote_supports_secure_connections);
3477 
3478             err_code = HCI_ERR_PAIRING_NOT_ALLOWED;
3479         }
3480     }
3481 
3482     if (err_code != 0)
3483     {
3484 /* coverity[uninit_use_in_call]
3485 Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp"
3486 False-positive: evt_data.bd_addr is set at the beginning with:     STREAM_TO_BDADDR (evt_data.bd_addr, p);
3487 */
3488         btsnd_hcic_io_cap_req_neg_reply(evt_data.bd_addr, err_code);
3489         return;
3490     }
3491 
3492     evt_data.is_orig = is_orig;
3493 
3494     if (is_orig)
3495     {
3496         /* local device initiated the pairing non-bonding -> use p_cur_service */
3497         if (!(btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) &&
3498             p_dev_rec->p_cur_service &&
3499             (p_dev_rec->p_cur_service->security_flags & BTM_SEC_OUT_AUTHENTICATE))
3500         {
3501             if (btm_cb.security_mode == BTM_SEC_MODE_SC)
3502             {
3503                 /* SC only mode device requires MITM protection */
3504                 evt_data.auth_req = BTM_AUTH_SP_YES;
3505             }
3506             else
3507             {
3508                 evt_data.auth_req = (p_dev_rec->p_cur_service->security_flags &
3509                                      BTM_SEC_OUT_MITM)? BTM_AUTH_SP_YES : BTM_AUTH_SP_NO;
3510             }
3511         }
3512     }
3513 
3514     /* Notify L2CAP to increase timeout */
3515     l2c_pin_code_request (evt_data.bd_addr);
3516 
3517     memcpy (btm_cb.pairing_bda, evt_data.bd_addr, BD_ADDR_LEN);
3518 
3519 /* coverity[uninit_use_in_call]
3520 Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp"
3521 False-positive: False-positive: evt_data.bd_addr is set at the beginning with:     STREAM_TO_BDADDR (evt_data.bd_addr, p);
3522 */
3523     if (!memcmp (evt_data.bd_addr, btm_cb.connecting_bda, BD_ADDR_LEN))
3524         memcpy (p_dev_rec->dev_class, btm_cb.connecting_dc, DEV_CLASS_LEN);
3525 
3526     btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS);
3527 
3528     callback_rc = BTM_SUCCESS;
3529     if (p_dev_rec->sm4 & BTM_SM4_UPGRADE)
3530     {
3531         p_dev_rec->sm4 &= ~BTM_SM4_UPGRADE;
3532 
3533         /* link key upgrade: always use SPGB_YES - assuming we want to save the link key */
3534         evt_data.auth_req = BTM_AUTH_SPGB_YES;
3535     }
3536     else if (btm_cb.api.p_sp_callback)
3537     {
3538         /* the callback function implementation may change the IO capability... */
3539         callback_rc = (*btm_cb.api.p_sp_callback) (BTM_SP_IO_REQ_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3540     }
3541 
3542 #if BTM_OOB_INCLUDED == TRUE
3543     if ((callback_rc == BTM_SUCCESS) || (BTM_OOB_UNKNOWN != evt_data.oob_data))
3544 #else
3545     if (callback_rc == BTM_SUCCESS)
3546 #endif
3547     {
3548         if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD))
3549         {
3550             evt_data.auth_req = (BTM_AUTH_DD_BOND | (evt_data.auth_req & BTM_AUTH_YN_BIT));
3551         }
3552 
3553         if (btm_cb.security_mode == BTM_SEC_MODE_SC)
3554         {
3555             /* At this moment we know that both sides are SC capable, device in */
3556             /* SC only mode requires MITM for any service so let's set MITM bit */
3557             evt_data.auth_req |= BTM_AUTH_YN_BIT;
3558             BTM_TRACE_DEBUG("%s: for device in \"SC only\" mode set auth_req to 0x%02x",
3559                              __FUNCTION__, evt_data.auth_req);
3560         }
3561 
3562         /* if the user does not indicate "reply later" by setting the oob_data to unknown */
3563         /* send the response right now. Save the current IO capability in the control block */
3564         btm_cb.devcb.loc_auth_req   = evt_data.auth_req;
3565         btm_cb.devcb.loc_io_caps    = evt_data.io_cap;
3566 
3567         BTM_TRACE_EVENT("%s: State: %s  IO_CAP:%d oob_data:%d auth_req:%d",
3568                          __FUNCTION__, btm_pair_state_descr(btm_cb.pairing_state), evt_data.io_cap,
3569                          evt_data.oob_data, evt_data.auth_req);
3570 
3571         btsnd_hcic_io_cap_req_reply(evt_data.bd_addr, evt_data.io_cap,
3572                                     evt_data.oob_data, evt_data.auth_req);
3573     }
3574 }
3575 
3576 /*******************************************************************************
3577 **
3578 ** Function         btm_io_capabilities_rsp
3579 **
3580 ** Description      This function is called when the IO capability of the
3581 **                  specified device is received
3582 **
3583 ** Returns          void
3584 **
3585 *******************************************************************************/
btm_io_capabilities_rsp(UINT8 * p)3586 void btm_io_capabilities_rsp (UINT8 *p)
3587 {
3588     tBTM_SEC_DEV_REC *p_dev_rec;
3589     tBTM_SP_IO_RSP evt_data;
3590 
3591     STREAM_TO_BDADDR (evt_data.bd_addr, p);
3592     STREAM_TO_UINT8 (evt_data.io_cap, p);
3593     STREAM_TO_UINT8 (evt_data.oob_data, p);
3594     STREAM_TO_UINT8 (evt_data.auth_req, p);
3595 
3596     /* Allocate a new device record or reuse the oldest one */
3597     p_dev_rec = btm_find_or_alloc_dev (evt_data.bd_addr);
3598 
3599     /* If no security is in progress, this indicates incoming security */
3600     if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
3601     {
3602         memcpy (btm_cb.pairing_bda, evt_data.bd_addr, BD_ADDR_LEN);
3603 
3604         btm_sec_change_pairing_state (BTM_PAIR_STATE_INCOMING_SSP);
3605 
3606         /* Make sure we reset the trusted mask to help against attacks */
3607         BTM_SEC_CLR_TRUSTED_DEVICE(p_dev_rec->trusted_mask);
3608 
3609         /* work around for FW bug */
3610         btm_inq_stop_on_ssp();
3611     }
3612 
3613     /* Notify L2CAP to increase timeout */
3614     l2c_pin_code_request (evt_data.bd_addr);
3615 
3616     /* We must have a device record here.
3617      * Use the connecting device's CoD for the connection */
3618 /* coverity[uninit_use_in_call]
3619 Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp"
3620 FALSE-POSITIVE error from Coverity test-tool. evt_data.bd_addr is set at the beginning with:     STREAM_TO_BDADDR (evt_data.bd_addr, p);
3621 */
3622     if (!memcmp (evt_data.bd_addr, btm_cb.connecting_bda, BD_ADDR_LEN))
3623         memcpy (p_dev_rec->dev_class, btm_cb.connecting_dc, DEV_CLASS_LEN);
3624 
3625     /* peer sets dedicated bonding bit and we did not initiate dedicated bonding */
3626     if (btm_cb.pairing_state == BTM_PAIR_STATE_INCOMING_SSP /* peer initiated bonding */
3627         && (evt_data.auth_req & BTM_AUTH_DD_BOND) )            /* and dedicated bonding bit is set */
3628     {
3629         btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PEER_STARTED_DD;
3630     }
3631 
3632     /* save the IO capability in the device record */
3633     p_dev_rec->rmt_io_caps  = evt_data.io_cap;
3634     p_dev_rec->rmt_auth_req = evt_data.auth_req;
3635 
3636     if (btm_cb.api.p_sp_callback)
3637         (*btm_cb.api.p_sp_callback) (BTM_SP_IO_RSP_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3638 }
3639 
3640 /*******************************************************************************
3641 **
3642 ** Function         btm_proc_sp_req_evt
3643 **
3644 ** Description      This function is called to process/report
3645 **                  HCI_USER_CONFIRMATION_REQUEST_EVT
3646 **                  or HCI_USER_PASSKEY_REQUEST_EVT
3647 **                  or HCI_USER_PASSKEY_NOTIFY_EVT
3648 **
3649 ** Returns          void
3650 **
3651 *******************************************************************************/
btm_proc_sp_req_evt(tBTM_SP_EVT event,UINT8 * p)3652 void btm_proc_sp_req_evt (tBTM_SP_EVT event, UINT8 *p)
3653 {
3654     tBTM_STATUS status = BTM_ERR_PROCESSING;
3655     tBTM_SP_EVT_DATA evt_data;
3656     UINT8               *p_bda = evt_data.cfm_req.bd_addr;
3657     tBTM_SEC_DEV_REC *p_dev_rec;
3658 
3659     /* All events start with bd_addr */
3660     STREAM_TO_BDADDR (p_bda, p);
3661 
3662     BTM_TRACE_EVENT ("btm_proc_sp_req_evt() BDA: %08x%04x event: 0x%x, State: %s",
3663                       (p_bda[0]<<24) + (p_bda[1]<<16) + (p_bda[2]<<8) + p_bda[3], (p_bda[4] << 8) + p_bda[5],
3664                       event, btm_pair_state_descr(btm_cb.pairing_state));
3665 
3666     if ( ((p_dev_rec = btm_find_dev (p_bda)) != NULL)
3667          &&  (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
3668          &&  (memcmp (btm_cb.pairing_bda, p_bda, BD_ADDR_LEN) == 0) )
3669     {
3670         memcpy (evt_data.cfm_req.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
3671         memcpy (evt_data.cfm_req.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN);
3672 
3673         BCM_STRNCPY_S ((char *)evt_data.cfm_req.bd_name, sizeof(evt_data.cfm_req.bd_name), (char *)p_dev_rec->sec_bd_name, BTM_MAX_REM_BD_NAME_LEN);
3674 
3675         switch (event)
3676         {
3677             case BTM_SP_CFM_REQ_EVT:
3678                 /* Numeric confirmation. Need user to conf the passkey */
3679                 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM);
3680 
3681                 /* The device record must be allocated in the "IO cap exchange" step */
3682                 STREAM_TO_UINT32 (evt_data.cfm_req.num_val, p);
3683 
3684                 evt_data.cfm_req.just_works = TRUE;
3685 
3686                 /* process user confirm req in association with the auth_req param */
3687 #if (BTM_LOCAL_IO_CAPS == BTM_IO_CAP_IO)
3688                 if ( (p_dev_rec->rmt_io_caps == BTM_IO_CAP_IO)
3689                      &&  (btm_cb.devcb.loc_io_caps == BTM_IO_CAP_IO)
3690                      &&  ((p_dev_rec->rmt_auth_req & BTM_AUTH_SP_YES) || (btm_cb.devcb.loc_auth_req & BTM_AUTH_SP_YES)) )
3691                 {
3692                     /* Both devices are DisplayYesNo and one or both devices want to authenticate
3693                        -> use authenticated link key */
3694                     evt_data.cfm_req.just_works = FALSE;
3695                 }
3696 #endif
3697                 BTM_TRACE_DEBUG ("btm_proc_sp_req_evt()  just_works:%d, io loc:%d, rmt:%d, auth loc:%d, rmt:%d",
3698                                   evt_data.cfm_req.just_works, btm_cb.devcb.loc_io_caps, p_dev_rec->rmt_io_caps,
3699                                   btm_cb.devcb.loc_auth_req, p_dev_rec->rmt_auth_req);
3700 
3701                 evt_data.cfm_req.loc_auth_req   = btm_cb.devcb.loc_auth_req;
3702                 evt_data.cfm_req.rmt_auth_req   = p_dev_rec->rmt_auth_req;
3703                 evt_data.cfm_req.loc_io_caps    = btm_cb.devcb.loc_io_caps;
3704                 evt_data.cfm_req.rmt_io_caps    = p_dev_rec->rmt_io_caps;
3705                 break;
3706 
3707             case BTM_SP_KEY_NOTIF_EVT:
3708                 /* Passkey notification (other side is a keyboard) */
3709                 STREAM_TO_UINT32 (evt_data.key_notif.passkey, p);
3710 
3711                 BTM_TRACE_DEBUG ("BTM_SP_KEY_NOTIF_EVT:  passkey: %u", evt_data.key_notif.passkey);
3712 
3713                 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
3714                 break;
3715 
3716 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
3717             case BTM_SP_KEY_REQ_EVT:
3718                 /* HCI_USER_PASSKEY_REQUEST_EVT */
3719                 btm_sec_change_pairing_state (BTM_PAIR_STATE_KEY_ENTRY);
3720                 break;
3721 #endif
3722         }
3723 
3724         if (btm_cb.api.p_sp_callback)
3725         {
3726             status = (*btm_cb.api.p_sp_callback) (event, (tBTM_SP_EVT_DATA *)&evt_data);
3727             if (status != BTM_NOT_AUTHORIZED)
3728             {
3729                 return;
3730             }
3731             /* else BTM_NOT_AUTHORIZED means when the app wants to reject the req right now */
3732         }
3733         else if ( (event == BTM_SP_CFM_REQ_EVT) && (evt_data.cfm_req.just_works == TRUE) )
3734         {
3735             /* automatically reply with just works if no sp_cback */
3736             status = BTM_SUCCESS;
3737         }
3738 
3739         if (event == BTM_SP_CFM_REQ_EVT)
3740         {
3741             BTM_TRACE_DEBUG ("calling BTM_ConfirmReqReply with status: %d", status);
3742             BTM_ConfirmReqReply (status, p_bda);
3743         }
3744 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
3745         else if (event == BTM_SP_KEY_REQ_EVT)
3746         {
3747             BTM_PasskeyReqReply(status, p_bda, 0);
3748         }
3749 #endif
3750         return;
3751     }
3752 
3753     /* Something bad. we can only fail this connection */
3754     btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
3755 
3756     if (BTM_SP_CFM_REQ_EVT == event)
3757     {
3758         btsnd_hcic_user_conf_reply (p_bda, FALSE);
3759     }
3760     else if (BTM_SP_KEY_NOTIF_EVT == event)
3761     {
3762         /* do nothing -> it very unlikely to happen.
3763         This event is most likely to be received by a HID host when it first connects to a HID device.
3764         Usually the Host initiated the connection in this case.
3765         On Mobile platforms, if there's a security process happening,
3766         the host probably can not initiate another connection.
3767         BTW (PC) is another story.  */
3768         if (NULL != (p_dev_rec = btm_find_dev (p_bda)) )
3769         {
3770             btm_sec_disconnect (p_dev_rec->hci_handle, HCI_ERR_AUTH_FAILURE);
3771         }
3772     }
3773 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
3774     else
3775     {
3776         btsnd_hcic_user_passkey_neg_reply(p_bda);
3777     }
3778 #endif
3779 }
3780 
3781 /*******************************************************************************
3782 **
3783 ** Function         btm_keypress_notif_evt
3784 **
3785 ** Description      This function is called when a key press notification is
3786 **                  received
3787 **
3788 ** Returns          void
3789 **
3790 *******************************************************************************/
btm_keypress_notif_evt(UINT8 * p)3791 void  btm_keypress_notif_evt (UINT8 *p)
3792 {
3793     tBTM_SP_KEYPRESS    evt_data;
3794     UINT8 *p_bda;
3795 
3796     /* parse & report BTM_SP_KEYPRESS_EVT */
3797     if (btm_cb.api.p_sp_callback)
3798     {
3799         p_bda = evt_data.bd_addr;
3800 
3801         STREAM_TO_BDADDR (p_bda, p);
3802         evt_data.notif_type = *p;
3803 
3804         (*btm_cb.api.p_sp_callback) (BTM_SP_KEYPRESS_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3805     }
3806 }
3807 
3808 /*******************************************************************************
3809 **
3810 ** Function         btm_simple_pair_complete
3811 **
3812 ** Description      This function is called when simple pairing process is
3813 **                  complete
3814 **
3815 ** Returns          void
3816 **
3817 *******************************************************************************/
btm_simple_pair_complete(UINT8 * p)3818 void btm_simple_pair_complete (UINT8 *p)
3819 {
3820     tBTM_SP_COMPLT  evt_data;
3821     tBTM_SEC_DEV_REC *p_dev_rec;
3822     UINT8           status;
3823     BOOLEAN         disc = FALSE;
3824 
3825     status = *p++;
3826     STREAM_TO_BDADDR (evt_data.bd_addr, p);
3827 
3828     if ((p_dev_rec = btm_find_dev (evt_data.bd_addr)) == NULL)
3829     {
3830         BTM_TRACE_ERROR ("btm_simple_pair_complete() with unknown BDA: %08x%04x",
3831                           (evt_data.bd_addr[0]<<24) + (evt_data.bd_addr[1]<<16) + (evt_data.bd_addr[2]<<8) + evt_data.bd_addr[3],
3832                           (evt_data.bd_addr[4] << 8) + evt_data.bd_addr[5]);
3833         return;
3834     }
3835 
3836     BTM_TRACE_EVENT ("btm_simple_pair_complete()  Pair State: %s  Status:%d  sec_state: %u",
3837                       btm_pair_state_descr(btm_cb.pairing_state),  status, p_dev_rec->sec_state);
3838 
3839     evt_data.status = BTM_ERR_PROCESSING;
3840     if (status == HCI_SUCCESS)
3841     {
3842         evt_data.status = BTM_SUCCESS;
3843         p_dev_rec->sec_flags |= BTM_SEC_AUTHENTICATED;
3844     }
3845     else
3846     {
3847         if (status == HCI_ERR_PAIRING_NOT_ALLOWED)
3848         {
3849             /* The test spec wants the peer device to get this failure code. */
3850             btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_DISCONNECT);
3851 
3852             /* Change the timer to 1 second */
3853             btu_start_timer (&btm_cb.pairing_tle, BTU_TTYPE_USER_FUNC, BT_1SEC_TIMEOUT);
3854         }
3855         else if (memcmp (btm_cb.pairing_bda, evt_data.bd_addr, BD_ADDR_LEN) == 0)
3856         {
3857             /* stop the timer */
3858             btu_stop_timer (&btm_cb.pairing_tle);
3859 
3860             if (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING)
3861             {
3862                 /* the initiating side: will receive auth complete event. disconnect ACL at that time */
3863                 disc = TRUE;
3864             }
3865         }
3866         else
3867             disc = TRUE;
3868     }
3869 
3870     /* Let the pairing state stay active, p_auth_complete_callback will report the failure */
3871     memcpy (evt_data.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
3872     memcpy (evt_data.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN);
3873 
3874     if (btm_cb.api.p_sp_callback)
3875         (*btm_cb.api.p_sp_callback) (BTM_SP_COMPLT_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3876 
3877     if (disc)
3878     {
3879         /* simple pairing failed */
3880         /* Avoid sending disconnect on HCI_ERR_PEER_USER */
3881         if ((status != HCI_ERR_PEER_USER) && (status != HCI_ERR_CONN_CAUSE_LOCAL_HOST))
3882         {
3883             btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE, p_dev_rec->hci_handle);
3884         }
3885     }
3886 }
3887 
3888 #if BTM_OOB_INCLUDED == TRUE
3889 /*******************************************************************************
3890 **
3891 ** Function         btm_rem_oob_req
3892 **
3893 ** Description      This function is called to process/report
3894 **                  HCI_REMOTE_OOB_DATA_REQUEST_EVT
3895 **
3896 ** Returns          void
3897 **
3898 *******************************************************************************/
btm_rem_oob_req(UINT8 * p)3899 void btm_rem_oob_req (UINT8 *p)
3900 {
3901     UINT8 *p_bda;
3902     tBTM_SP_RMT_OOB  evt_data;
3903     tBTM_SEC_DEV_REC *p_dev_rec;
3904     BT_OCTET16      c;
3905     BT_OCTET16      r;
3906 
3907     p_bda = evt_data.bd_addr;
3908 
3909     STREAM_TO_BDADDR (p_bda, p);
3910 
3911     BTM_TRACE_EVENT ("btm_rem_oob_req() BDA: %02x:%02x:%02x:%02x:%02x:%02x",
3912                       p_bda[0], p_bda[1], p_bda[2], p_bda[3], p_bda[4], p_bda[5]);
3913 
3914     if ( (NULL != (p_dev_rec = btm_find_dev (p_bda))) &&
3915          btm_cb.api.p_sp_callback)
3916     {
3917         memcpy (evt_data.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
3918         memcpy (evt_data.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN);
3919         BCM_STRNCPY_S((char *)evt_data.bd_name, sizeof(evt_data.bd_name), (char *)p_dev_rec->sec_bd_name, BTM_MAX_REM_BD_NAME_LEN+1);
3920         evt_data.bd_name[BTM_MAX_REM_BD_NAME_LEN] = 0;
3921 
3922         btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP);
3923         if ((*btm_cb.api.p_sp_callback) (BTM_SP_RMT_OOB_EVT, (tBTM_SP_EVT_DATA *)&evt_data) == BTM_NOT_AUTHORIZED)
3924         {
3925             BTM_RemoteOobDataReply(TRUE, p_bda, c, r);
3926         }
3927         return;
3928     }
3929 
3930     /* something bad. we can only fail this connection */
3931     btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
3932     btsnd_hcic_rem_oob_neg_reply (p_bda);
3933 }
3934 
3935 /*******************************************************************************
3936 **
3937 ** Function         btm_read_local_oob_complete
3938 **
3939 ** Description      This function is called when read local oob data is
3940 **                  completed by the LM
3941 **
3942 ** Returns          void
3943 **
3944 *******************************************************************************/
btm_read_local_oob_complete(UINT8 * p)3945 void btm_read_local_oob_complete (UINT8 *p)
3946 {
3947     tBTM_SP_LOC_OOB evt_data;
3948     UINT8           status = *p++;
3949 
3950     BTM_TRACE_EVENT ("btm_read_local_oob_complete:%d", status);
3951     if (status == HCI_SUCCESS)
3952     {
3953         evt_data.status = BTM_SUCCESS;
3954         STREAM_TO_ARRAY16(evt_data.c, p);
3955         STREAM_TO_ARRAY16(evt_data.r, p);
3956     }
3957     else
3958         evt_data.status = BTM_ERR_PROCESSING;
3959 
3960     if (btm_cb.api.p_sp_callback)
3961         (*btm_cb.api.p_sp_callback) (BTM_SP_LOC_OOB_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3962 }
3963 #endif /* BTM_OOB_INCLUDED */
3964 
3965 /*******************************************************************************
3966 **
3967 ** Function         btm_sec_auth_collision
3968 **
3969 ** Description      This function is called when authentication or encryption
3970 **                  needs to be retried at a later time.
3971 **
3972 ** Returns          void
3973 **
3974 *******************************************************************************/
btm_sec_auth_collision(UINT16 handle)3975 static void btm_sec_auth_collision (UINT16 handle)
3976 {
3977     tBTM_SEC_DEV_REC *p_dev_rec;
3978 
3979     if (!btm_cb.collision_start_time)
3980         btm_cb.collision_start_time = GKI_get_os_tick_count();
3981 
3982     if ((GKI_get_os_tick_count() - btm_cb.collision_start_time) < btm_cb.max_collision_delay)
3983     {
3984         if (handle == BTM_SEC_INVALID_HANDLE)
3985         {
3986             if ((p_dev_rec = btm_sec_find_dev_by_sec_state (BTM_SEC_STATE_AUTHENTICATING)) == NULL)
3987                 p_dev_rec = btm_sec_find_dev_by_sec_state (BTM_SEC_STATE_ENCRYPTING);
3988         }
3989         else
3990             p_dev_rec = btm_find_dev_by_handle (handle);
3991 
3992         if (p_dev_rec != NULL)
3993         {
3994             BTM_TRACE_DEBUG ("btm_sec_auth_collision: state %d (retrying in a moment...)", p_dev_rec->sec_state);
3995             /* We will restart authentication after timeout */
3996             if (p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING || p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING)
3997                 p_dev_rec->sec_state = 0;
3998 
3999             btm_cb.p_collided_dev_rec = p_dev_rec;
4000             btm_cb.sec_collision_tle.param = (UINT32) btm_sec_collision_timeout;
4001             btu_start_timer (&btm_cb.sec_collision_tle, BTU_TTYPE_USER_FUNC, BT_1SEC_TIMEOUT);
4002         }
4003     }
4004 }
4005 
4006 /*******************************************************************************
4007 **
4008 ** Function         btm_sec_auth_complete
4009 **
4010 ** Description      This function is when authentication of the connection is
4011 **                  completed by the LM
4012 **
4013 ** Returns          void
4014 **
4015 *******************************************************************************/
btm_sec_auth_complete(UINT16 handle,UINT8 status)4016 void btm_sec_auth_complete (UINT16 handle, UINT8 status)
4017 {
4018     UINT8            old_sm4;
4019     tBTM_PAIRING_STATE  old_state   = btm_cb.pairing_state;
4020     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle);
4021     BOOLEAN             are_bonding = FALSE;
4022 
4023     /* Commenting out trace due to obf/compilation problems.
4024     */
4025 #if (BT_USE_TRACES == TRUE)
4026     if (p_dev_rec)
4027     {
4028         BTM_TRACE_EVENT ("Security Manager: auth_complete PairState: %s  handle:%u  status:%d  dev->sec_state: %u  Bda:%08x, RName:%s",
4029                           btm_pair_state_descr (btm_cb.pairing_state),
4030                           handle, status,
4031                           p_dev_rec->sec_state,
4032                           (p_dev_rec->bd_addr[2]<<24)+(p_dev_rec->bd_addr[3]<<16)+(p_dev_rec->bd_addr[4]<<8)+p_dev_rec->bd_addr[5],
4033                           p_dev_rec->sec_bd_name);
4034     }
4035     else
4036     {
4037         BTM_TRACE_EVENT ("Security Manager: auth_complete PairState: %s  handle:%u  status:%d",
4038                           btm_pair_state_descr (btm_cb.pairing_state),
4039                           handle, status);
4040     }
4041 #endif
4042 
4043     /* For transaction collision we need to wait and repeat.  There is no need */
4044     /* for random timeout because only slave should receive the result */
4045     if ((status == HCI_ERR_LMP_ERR_TRANS_COLLISION) || (status == HCI_ERR_DIFF_TRANSACTION_COLLISION))
4046     {
4047         btm_sec_auth_collision(handle);
4048         return;
4049     }
4050     btm_cb.collision_start_time = 0;
4051 
4052     btm_restore_mode();
4053 
4054     /* Check if connection was made just to do bonding.  If we authenticate
4055        the connection that is up, this is the last event received.
4056     */
4057     if (p_dev_rec
4058         && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4059         && !(btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE))
4060     {
4061         p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4062 
4063         l2cu_start_post_bond_timer (p_dev_rec->hci_handle);
4064     }
4065 
4066     if (!p_dev_rec)
4067         return;
4068 
4069     /* keep the old sm4 flag and clear the retry bit in control block */
4070     old_sm4 = p_dev_rec->sm4;
4071     p_dev_rec->sm4 &= ~BTM_SM4_RETRY;
4072 
4073     if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4074          &&  (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4075          &&  (memcmp (p_dev_rec->bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN) == 0) )
4076         are_bonding = TRUE;
4077 
4078     if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4079           &&  (memcmp (p_dev_rec->bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN) == 0) )
4080         btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4081 
4082     if (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING)
4083     {
4084         if ( (btm_cb.api.p_auth_complete_callback && status != HCI_SUCCESS)
4085              &&  (old_state != BTM_PAIR_STATE_IDLE) )
4086         {
4087             (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4088                                                     p_dev_rec->dev_class,
4089                                                     p_dev_rec->sec_bd_name, status);
4090         }
4091         return;
4092     }
4093 
4094     /* There can be a race condition, when we are starting authentication and
4095     ** the peer device is doing encryption.
4096     ** If first we receive encryption change up, then initiated authentication
4097     ** can not be performed.  According to the spec we can not do authentication
4098     ** on the encrypted link, so device is correct.
4099     */
4100     if ((status == HCI_ERR_COMMAND_DISALLOWED)
4101         && ((p_dev_rec->sec_flags & (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED)) ==
4102             (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED)))
4103     {
4104         status = HCI_SUCCESS;
4105     }
4106     /* Currently we do not notify user if it is a keyboard which connects */
4107     /* User probably Disabled the keyboard while it was asleap.  Let her try */
4108     if (btm_cb.api.p_auth_complete_callback)
4109     {
4110         /* report the suthentication status */
4111         if (old_state != BTM_PAIR_STATE_IDLE)
4112             (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4113                                                     p_dev_rec->dev_class,
4114                                                     p_dev_rec->sec_bd_name, status);
4115     }
4116 
4117     p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
4118 
4119     /* If this is a bonding procedure can disconnect the link now */
4120     if (are_bonding)
4121     {
4122         p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4123 
4124         if (status != HCI_SUCCESS)
4125         {
4126             if(((status != HCI_ERR_PEER_USER) && (status != HCI_ERR_CONN_CAUSE_LOCAL_HOST)))
4127                 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_PEER_USER, p_dev_rec->hci_handle);
4128         }
4129         else
4130         {
4131             BTM_TRACE_DEBUG ("TRYING TO DECIDE IF CAN USE SMP_BR_CHNL");
4132             if (p_dev_rec->new_encryption_key_is_p256 && (btm_sec_use_smp_br_chnl(p_dev_rec))
4133                 /* no LE keys are available, do deriving */
4134                  && (!(p_dev_rec->sec_flags &BTM_SEC_LE_LINK_KEY_KNOWN) ||
4135                 /* or BR key is higher security than existing LE keys */
4136                  (!(p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_AUTHED) &&
4137                  (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED))))
4138             {
4139                 BTM_TRACE_DEBUG ("link encrypted afer dedic bonding can use SMP_BR_CHNL");
4140 
4141                 if (btm_sec_is_master(p_dev_rec))
4142                 {
4143                     // Encryption is required to start SM over BR/EDR
4144                     // indicate that this is encryption after authentication
4145                     BTM_SetEncryption(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR, NULL, NULL);
4146                 }
4147             }
4148             l2cu_start_post_bond_timer (p_dev_rec->hci_handle);
4149         }
4150 
4151         return;
4152     }
4153 
4154     /* If authentication failed, notify the waiting layer */
4155     if (status != HCI_SUCCESS)
4156     {
4157         if ((old_sm4 & BTM_SM4_RETRY) == 0)
4158         {
4159             /* allow retry only once */
4160             if (status == HCI_ERR_LMP_ERR_TRANS_COLLISION)
4161             {
4162                 /* not retried yet. set the retry bit */
4163                 p_dev_rec->sm4 |= BTM_SM4_RETRY;
4164                 BTM_TRACE_DEBUG ("Collision retry sm4:x%x sec_flags:0x%x", p_dev_rec->sm4, p_dev_rec->sec_flags);
4165             }
4166             /* this retry for missing key is for Lisbon or later only.
4167              * Legacy device do not need this. the controller will drive the retry automatically */
4168             else if (HCI_ERR_KEY_MISSING == status && BTM_SEC_IS_SM4(p_dev_rec->sm4))
4169             {
4170                 /* not retried yet. set the retry bit */
4171                 p_dev_rec->sm4 |= BTM_SM4_RETRY;
4172                 p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_KNOWN;
4173                 BTM_TRACE_DEBUG ("Retry for missing key sm4:x%x sec_flags:0x%x", p_dev_rec->sm4, p_dev_rec->sec_flags);
4174 
4175                 /* With BRCM controller, we do not need to delete the stored link key in controller.
4176                 If the stack may sit on top of other controller, we may need this
4177                 BTM_DeleteStoredLinkKey (bd_addr, NULL); */
4178             }
4179 
4180             if (p_dev_rec->sm4 & BTM_SM4_RETRY)
4181             {
4182                 btm_sec_execute_procedure (p_dev_rec);
4183                 return;
4184             }
4185         }
4186 
4187         btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING, FALSE);
4188 
4189         if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)
4190         {
4191             btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE, p_dev_rec->hci_handle);
4192         }
4193         return;
4194     }
4195 
4196     p_dev_rec->sec_flags |= BTM_SEC_AUTHENTICATED;
4197 
4198     if (p_dev_rec->pin_code_length >= 16 ||
4199         p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB ||
4200         p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) {
4201         // If we have MITM protection we have a higher level of security than
4202         // provided by 16 digits PIN
4203         p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED;
4204     }
4205 
4206     /* Authentication succeeded, execute the next security procedure, if any */
4207     status = btm_sec_execute_procedure (p_dev_rec);
4208 
4209     /* If there is no next procedure, or procedure failed to start, notify the caller */
4210     if (status != BTM_CMD_STARTED)
4211         btm_sec_dev_rec_cback_event (p_dev_rec, status, FALSE);
4212 }
4213 
4214 /*******************************************************************************
4215 **
4216 ** Function         btm_sec_encrypt_change
4217 **
4218 ** Description      This function is when encryption of the connection is
4219 **                  completed by the LM
4220 **
4221 ** Returns          void
4222 **
4223 *******************************************************************************/
btm_sec_encrypt_change(UINT16 handle,UINT8 status,UINT8 encr_enable)4224 void btm_sec_encrypt_change (UINT16 handle, UINT8 status, UINT8 encr_enable)
4225 {
4226     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev_by_handle (handle);
4227 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
4228     tACL_CONN       *p_acl = NULL;
4229     UINT8           acl_idx = btm_handle_to_acl_index(handle);
4230 #endif
4231     BTM_TRACE_EVENT ("Security Manager: encrypt_change status:%d State:%d, encr_enable = %d",
4232                       status, (p_dev_rec) ? p_dev_rec->sec_state : 0, encr_enable);
4233     BTM_TRACE_DEBUG ("before update p_dev_rec->sec_flags=0x%x", (p_dev_rec) ? p_dev_rec->sec_flags : 0 );
4234 
4235     /* For transaction collision we need to wait and repeat.  There is no need */
4236     /* for random timeout because only slave should receive the result */
4237     if ((status == HCI_ERR_LMP_ERR_TRANS_COLLISION) ||
4238         (status == HCI_ERR_DIFF_TRANSACTION_COLLISION))
4239     {
4240         btm_sec_auth_collision(handle);
4241         return;
4242     }
4243     btm_cb.collision_start_time = 0;
4244 
4245     if (!p_dev_rec)
4246         return;
4247 
4248     if ((status == HCI_SUCCESS) && encr_enable)
4249     {
4250         if (p_dev_rec->hci_handle == handle) {
4251             p_dev_rec->sec_flags |= (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED);
4252             if (p_dev_rec->pin_code_length >= 16 ||
4253                 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB ||
4254                 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) {
4255                 p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED;
4256             }
4257         }
4258         else
4259         {
4260             p_dev_rec->sec_flags |= (BTM_SEC_LE_AUTHENTICATED | BTM_SEC_LE_ENCRYPTED);
4261         }
4262     }
4263 
4264     /* It is possible that we decrypted the link to perform role switch */
4265     /* mark link not to be encrypted, so that when we execute security next time it will kick in again */
4266     if ((status == HCI_SUCCESS) && !encr_enable)
4267     {
4268         if (p_dev_rec->hci_handle == handle)
4269             p_dev_rec->sec_flags &= ~BTM_SEC_ENCRYPTED;
4270         else
4271             p_dev_rec->sec_flags &= ~BTM_SEC_LE_ENCRYPTED;
4272     }
4273 
4274     BTM_TRACE_DEBUG ("after update p_dev_rec->sec_flags=0x%x", p_dev_rec->sec_flags );
4275 
4276 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
4277     if (acl_idx != MAX_L2CAP_LINKS)
4278         p_acl = &btm_cb.acl_db[acl_idx];
4279 
4280     if (p_acl != NULL)
4281         btm_sec_check_pending_enc_req(p_dev_rec, p_acl->transport, encr_enable);
4282 
4283     if (p_acl && p_acl->transport == BT_TRANSPORT_LE)
4284     {
4285         if (status == HCI_ERR_KEY_MISSING || status == HCI_ERR_AUTH_FAILURE ||
4286             status == HCI_ERR_ENCRY_MODE_NOT_ACCEPTABLE)
4287         {
4288             p_dev_rec->sec_flags &= ~ (BTM_SEC_LE_LINK_KEY_KNOWN);
4289             p_dev_rec->ble.key_type = BTM_LE_KEY_NONE;
4290         }
4291         btm_ble_link_encrypted(p_dev_rec->ble.pseudo_addr, encr_enable);
4292         return;
4293     }
4294     else
4295     {
4296         /* BR/EDR connection, update the encryption key size to be 16 as always */
4297         p_dev_rec->enc_key_size = 16;
4298     }
4299 
4300      BTM_TRACE_DEBUG ("in %s new_encr_key_256 is %d",
4301                        __func__, p_dev_rec->new_encryption_key_is_p256);
4302 
4303     if ((status == HCI_SUCCESS) && encr_enable && (p_dev_rec->hci_handle == handle))
4304     {
4305         if (p_dev_rec->new_encryption_key_is_p256)
4306         {
4307             if (btm_sec_use_smp_br_chnl(p_dev_rec) &&
4308                 btm_sec_is_master(p_dev_rec) &&
4309                 /* if LE key is not known, do deriving */
4310                 (!(p_dev_rec->sec_flags &BTM_SEC_LE_LINK_KEY_KNOWN) ||
4311                 /* or BR key is higher security than existing LE keys */
4312                  (!(p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_AUTHED)
4313                  && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED))))
4314             {
4315                 /* BR/EDR is encrypted with LK that can be used to derive LE LTK */
4316                 p_dev_rec->new_encryption_key_is_p256 = FALSE;
4317 
4318                 if (p_dev_rec->no_smp_on_br)
4319                 {
4320                     BTM_TRACE_DEBUG ("%s NO SM over BR/EDR", __func__);
4321                 }
4322                 else
4323                 {
4324                     BTM_TRACE_DEBUG ("%s start SM over BR/EDR", __func__);
4325                     SMP_BR_PairWith(p_dev_rec->bd_addr);
4326                 }
4327             }
4328         }
4329         else
4330         {
4331             // BR/EDR is successfully encrypted. Correct LK type if needed
4332             // (BR/EDR LK derived from LE LTK was used for encryption)
4333             if ((encr_enable == 1)  && /* encryption is ON for SSP */
4334                 /* LK type is for BR/EDR SC */
4335                 (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256 ||
4336                  p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256))
4337             {
4338                 if (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256)
4339                     p_dev_rec->link_key_type = BTM_LKEY_TYPE_UNAUTH_COMB;
4340                 else /* BTM_LKEY_TYPE_AUTH_COMB_P_256 */
4341                     p_dev_rec->link_key_type = BTM_LKEY_TYPE_AUTH_COMB;
4342 
4343                 BTM_TRACE_DEBUG("updated link key type to %d", p_dev_rec->link_key_type);
4344                 btm_send_link_key_notif(p_dev_rec);
4345             }
4346         }
4347     }
4348 #else
4349     btm_sec_check_pending_enc_req (p_dev_rec, BT_TRANSPORT_BR_EDR, encr_enable);
4350 #endif /* BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE */
4351 
4352     /* If this encryption was started by peer do not need to do anything */
4353     if (p_dev_rec->sec_state != BTM_SEC_STATE_ENCRYPTING)
4354     {
4355         if (BTM_SEC_STATE_DELAY_FOR_ENC == p_dev_rec->sec_state)
4356         {
4357             p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
4358             p_dev_rec->p_callback = NULL;
4359             l2cu_resubmit_pending_sec_req (p_dev_rec->bd_addr);
4360         }
4361         return;
4362     }
4363 
4364     p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
4365     /* If encryption setup failed, notify the waiting layer */
4366     if (status != HCI_SUCCESS)
4367     {
4368         btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING, FALSE);
4369         return;
4370     }
4371 
4372     /* Encryption setup succeeded, execute the next security procedure, if any */
4373     status = (UINT8)btm_sec_execute_procedure (p_dev_rec);
4374     /* If there is no next procedure, or procedure failed to start, notify the caller */
4375     if (status != BTM_CMD_STARTED)
4376         btm_sec_dev_rec_cback_event (p_dev_rec, status, FALSE);
4377 }
4378 
4379 /*******************************************************************************
4380 **
4381 ** Function         btm_sec_connect_after_reject_timeout
4382 **
4383 ** Description      Connection for bonding could not start because of the collision
4384 **                  Initiate outgoing connection
4385 **
4386 ** Returns          Pointer to the TLE struct
4387 **
4388 *******************************************************************************/
btm_sec_connect_after_reject_timeout(TIMER_LIST_ENT * p_tle)4389 static void btm_sec_connect_after_reject_timeout (TIMER_LIST_ENT *p_tle)
4390 {
4391     tBTM_SEC_DEV_REC *p_dev_rec = btm_cb.p_collided_dev_rec;
4392     UNUSED(p_tle);
4393 
4394     BTM_TRACE_EVENT ("btm_sec_connect_after_reject_timeout()");
4395     btm_cb.sec_collision_tle.param = 0;
4396     btm_cb.p_collided_dev_rec = 0;
4397 
4398     if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED)
4399     {
4400         BTM_TRACE_WARNING ("Security Manager: btm_sec_connect_after_reject_timeout: failed to start connection");
4401 
4402         btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4403 
4404         if (btm_cb.api.p_auth_complete_callback)
4405         (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,  p_dev_rec->dev_class,
4406                                                 p_dev_rec->sec_bd_name, HCI_ERR_MEMORY_FULL);
4407     }
4408 }
4409 
4410 /*******************************************************************************
4411 **
4412 ** Function         btm_sec_connected
4413 **
4414 ** Description      This function is when a connection to the peer device is
4415 **                  establsihed
4416 **
4417 ** Returns          void
4418 **
4419 *******************************************************************************/
btm_sec_connected(UINT8 * bda,UINT16 handle,UINT8 status,UINT8 enc_mode)4420 void btm_sec_connected (UINT8 *bda, UINT16 handle, UINT8 status, UINT8 enc_mode)
4421 {
4422     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bda);
4423     UINT8            res;
4424     BOOLEAN          is_pairing_device = FALSE;
4425     tACL_CONN        *p_acl_cb;
4426     UINT8            bit_shift = 0;
4427 
4428     btm_acl_resubmit_page();
4429 
4430     /* Commenting out trace due to obf/compilation problems.
4431     */
4432 #if (BT_USE_TRACES == TRUE)
4433     if (p_dev_rec)
4434     {
4435         BTM_TRACE_EVENT ("Security Manager: btm_sec_connected in state: %s  handle:%d status:%d enc_mode:%d  bda:%x RName:%s",
4436                           btm_pair_state_descr(btm_cb.pairing_state), handle, status, enc_mode,
4437                           (bda[2]<<24)+(bda[3]<<16)+(bda[4]<<8)+bda[5],
4438                           p_dev_rec->sec_bd_name);
4439     }
4440     else
4441     {
4442         BTM_TRACE_EVENT ("Security Manager: btm_sec_connected in state: %s  handle:%d status:%d enc_mode:%d  bda:%x ",
4443                           btm_pair_state_descr(btm_cb.pairing_state), handle, status, enc_mode,
4444                           (bda[2]<<24)+(bda[3]<<16)+(bda[4]<<8)+bda[5]);
4445     }
4446 #endif
4447 
4448     if (!p_dev_rec)
4449     {
4450         /* There is no device record for new connection.  Allocate one */
4451         if (status == HCI_SUCCESS)
4452         {
4453             p_dev_rec = btm_sec_alloc_dev (bda);
4454         }
4455         else
4456         {
4457             /* If the device matches with stored paring address
4458              * reset the paring state to idle */
4459             if ((btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) &&
4460                 (memcmp (btm_cb.pairing_bda, bda, BD_ADDR_LEN) == 0))
4461             {
4462                 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE);
4463             }
4464 
4465             /* can not find the device record and the status is error,
4466              * just ignore it */
4467             return;
4468         }
4469     }
4470     else    /* Update the timestamp for this device */
4471     {
4472 
4473 #if BLE_INCLUDED == TRUE
4474         bit_shift = (handle == p_dev_rec->ble_hci_handle) ? 8 :0;
4475 #endif
4476         p_dev_rec->timestamp = btm_cb.dev_rec_count++;
4477         if (p_dev_rec->sm4 & BTM_SM4_CONN_PEND)
4478         {
4479             /* tell L2CAP it's a bonding connection. */
4480             if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4481                  &&  (memcmp (btm_cb.pairing_bda, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0)
4482                  &&  (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) )
4483             {
4484                 /* if incoming connection failed while pairing, then try to connect and continue */
4485                 /* Motorola S9 disconnects without asking pin code */
4486                 if ((status != HCI_SUCCESS)&&(btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_PIN_REQ))
4487                 {
4488                     BTM_TRACE_WARNING ("Security Manager: btm_sec_connected: incoming connection failed without asking PIN");
4489 
4490                     p_dev_rec->sm4 &= ~BTM_SM4_CONN_PEND;
4491                     if (p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
4492                     {
4493                         /* Start timer with 0 to initiate connection with new LCB */
4494                         /* because L2CAP will delete current LCB with this event  */
4495                         btm_cb.p_collided_dev_rec = p_dev_rec;
4496                         btm_cb.sec_collision_tle.param = (UINT32) btm_sec_connect_after_reject_timeout;
4497                         btu_start_timer (&btm_cb.sec_collision_tle, BTU_TTYPE_USER_FUNC, 0);
4498                     }
4499                     else
4500                     {
4501                         btm_sec_change_pairing_state (BTM_PAIR_STATE_GET_REM_NAME);
4502                         BTM_ReadRemoteDeviceName(p_dev_rec->bd_addr, NULL, BT_TRANSPORT_BR_EDR);
4503                     }
4504 #if BTM_DISC_DURING_RS == TRUE
4505                     p_dev_rec->rs_disc_pending   = BTM_SEC_RS_NOT_PENDING;     /* reset flag */
4506 #endif
4507                     return;
4508                 }
4509                 else
4510                 {
4511                     l2cu_update_lcb_4_bonding(p_dev_rec->bd_addr, TRUE);
4512                 }
4513             }
4514             /* always clear the pending flag */
4515             p_dev_rec->sm4 &= ~BTM_SM4_CONN_PEND;
4516         }
4517     }
4518 
4519 #if BLE_INCLUDED == TRUE
4520     p_dev_rec->device_type |= BT_DEVICE_TYPE_BREDR;
4521 #endif
4522 
4523 #if BTM_DISC_DURING_RS == TRUE
4524     p_dev_rec->rs_disc_pending   = BTM_SEC_RS_NOT_PENDING;     /* reset flag */
4525 #endif
4526 
4527     p_dev_rec->rs_disc_pending   = BTM_SEC_RS_NOT_PENDING;     /* reset flag */
4528 
4529     if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4530          && (memcmp (btm_cb.pairing_bda, bda, BD_ADDR_LEN) == 0) )
4531     {
4532         /* if we rejected incoming connection from bonding device */
4533         if ((status == HCI_ERR_HOST_REJECT_DEVICE)
4534             &&(btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT))
4535         {
4536             BTM_TRACE_WARNING ("Security Manager: btm_sec_connected: HCI_Conn_Comp Flags:0x%04x, sm4: 0x%x",
4537                 btm_cb.pairing_flags, p_dev_rec->sm4);
4538 
4539             btm_cb.pairing_flags &= ~BTM_PAIR_FLAGS_REJECTED_CONNECT;
4540             if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4))
4541             {
4542                 /* Try again: RNR when no ACL causes HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT */
4543                 btm_sec_change_pairing_state (BTM_PAIR_STATE_GET_REM_NAME);
4544                 BTM_ReadRemoteDeviceName(bda, NULL, BT_TRANSPORT_BR_EDR);
4545                 return;
4546             }
4547 
4548             /* if we already have pin code */
4549             if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_PIN)
4550             {
4551                 /* Start timer with 0 to initiate connection with new LCB */
4552                 /* because L2CAP will delete current LCB with this event  */
4553                 btm_cb.p_collided_dev_rec = p_dev_rec;
4554                 btm_cb.sec_collision_tle.param = (UINT32) btm_sec_connect_after_reject_timeout;
4555                 btu_start_timer (&btm_cb.sec_collision_tle, BTU_TTYPE_USER_FUNC, 0);
4556             }
4557 
4558             return;
4559         }
4560         /* wait for incoming connection without resetting pairing state */
4561         else if (status == HCI_ERR_CONNECTION_EXISTS)
4562         {
4563             BTM_TRACE_WARNING ("Security Manager: btm_sec_connected: Wait for incoming connection");
4564             return;
4565         }
4566 
4567         is_pairing_device = TRUE;
4568     }
4569 
4570     /* If connection was made to do bonding restore link security if changed */
4571     btm_restore_mode();
4572 
4573     /* if connection fails during pin request, notify application */
4574     if (status != HCI_SUCCESS)
4575     {
4576         /* If connection failed because of during pairing, need to tell user */
4577         if (is_pairing_device)
4578         {
4579             p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4580             p_dev_rec->sec_flags &= ~((BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED) << bit_shift);
4581             BTM_TRACE_DEBUG ("security_required:%x ", p_dev_rec->security_required );
4582 
4583             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4584 
4585             /* We need to notify host that the key is not known any more */
4586             if (btm_cb.api.p_auth_complete_callback)
4587             {
4588                 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4589                                                         p_dev_rec->dev_class,
4590                                                         p_dev_rec->sec_bd_name, status);
4591             }
4592         }
4593  /*
4594      Do not send authentication failure, if following conditions hold good
4595       1.  BTM Sec Pairing state is idle
4596       2.  Link key for the remote device is present.
4597       3.  Remote is SSP capable.
4598   */
4599         else if  ((p_dev_rec->link_key_type  <= BTM_LKEY_TYPE_REMOTE_UNIT) &&
4600                  (((status == HCI_ERR_AUTH_FAILURE)                      ||
4601                  (status == HCI_ERR_KEY_MISSING)                         ||
4602                  (status == HCI_ERR_HOST_REJECT_SECURITY)                ||
4603                  (status == HCI_ERR_PAIRING_NOT_ALLOWED)                 ||
4604                  (status == HCI_ERR_UNIT_KEY_USED)                       ||
4605                  (status == HCI_ERR_PAIRING_WITH_UNIT_KEY_NOT_SUPPORTED) ||
4606                  (status == HCI_ERR_ENCRY_MODE_NOT_ACCEPTABLE)           ||
4607                  (status == HCI_ERR_REPEATED_ATTEMPTS))))
4608         {
4609             p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4610             p_dev_rec->sec_flags &= ~ (BTM_SEC_LE_LINK_KEY_KNOWN << bit_shift);
4611 
4612 
4613 #ifdef BRCM_NOT_4_BTE
4614             /* If we rejected pairing, pass this special result code */
4615             if (btm_cb.acl_disc_reason == HCI_ERR_HOST_REJECT_SECURITY)
4616             {
4617                 status = HCI_ERR_HOST_REJECT_SECURITY;
4618             }
4619 #endif
4620 
4621             /* We need to notify host that the key is not known any more */
4622             if (btm_cb.api.p_auth_complete_callback)
4623             {
4624                 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4625                                                         p_dev_rec->dev_class,
4626                                                         p_dev_rec->sec_bd_name, status);
4627             }
4628         }
4629 
4630         if (status == HCI_ERR_CONNECTION_TOUT || status == HCI_ERR_LMP_RESPONSE_TIMEOUT  ||
4631             status == HCI_ERR_UNSPECIFIED     || status == HCI_ERR_PAGE_TIMEOUT)
4632             btm_sec_dev_rec_cback_event (p_dev_rec, BTM_DEVICE_TIMEOUT, FALSE);
4633         else
4634             btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING, FALSE);
4635 
4636         return;
4637     }
4638 
4639     /* If initiated dedicated bonding, return the link key now, and initiate disconnect */
4640     /* If dedicated bonding, and we now have a link key, we are all done */
4641     if ( is_pairing_device
4642          && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) )
4643     {
4644         if (p_dev_rec->link_key_not_sent)
4645         {
4646             p_dev_rec->link_key_not_sent = FALSE;
4647             btm_send_link_key_notif(p_dev_rec);
4648         }
4649 
4650         p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4651 
4652         /* remember flag before it is initialized */
4653         if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4654             res = TRUE;
4655         else
4656             res = FALSE;
4657 
4658         if (btm_cb.api.p_auth_complete_callback)
4659             (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4660                                                     p_dev_rec->dev_class,
4661                                                     p_dev_rec->sec_bd_name, HCI_SUCCESS);
4662 
4663         btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4664 
4665         if ( res )
4666         {
4667             /* Let l2cap start bond timer */
4668             l2cu_update_lcb_4_bonding (p_dev_rec->bd_addr, TRUE);
4669         }
4670 
4671         return;
4672     }
4673 
4674     p_dev_rec->hci_handle = handle;
4675 
4676     /* role may not be correct here, it will be updated by l2cap, but we need to */
4677     /* notify btm_acl that link is up, so starting of rmt name request will not */
4678     /* set paging flag up */
4679     p_acl_cb = btm_bda_to_acl(bda, BT_TRANSPORT_BR_EDR);
4680     if (p_acl_cb)
4681     {
4682         /* whatever is in btm_establish_continue() without reporting the BTM_BL_CONN_EVT event */
4683 #if (!defined(BTM_BYPASS_EXTRA_ACL_SETUP) || BTM_BYPASS_EXTRA_ACL_SETUP == FALSE)
4684         /* For now there are a some devices that do not like sending */
4685         /* commands events and data at the same time. */
4686         /* Set the packet types to the default allowed by the device */
4687         btm_set_packet_types (p_acl_cb, btm_cb.btm_acl_pkt_types_supported);
4688 
4689         if (btm_cb.btm_def_link_policy)
4690             BTM_SetLinkPolicy (p_acl_cb->remote_addr, &btm_cb.btm_def_link_policy);
4691 #endif
4692     }
4693     btm_acl_created (bda, p_dev_rec->dev_class, p_dev_rec->sec_bd_name, handle, HCI_ROLE_SLAVE, BT_TRANSPORT_BR_EDR);
4694 
4695     /* Initialize security flags.  We need to do that because some            */
4696     /* authorization complete could have come after the connection is dropped */
4697     /* and that would set wrong flag that link has been authorized already    */
4698     p_dev_rec->sec_flags &= ~((BTM_SEC_AUTHORIZED | BTM_SEC_AUTHENTICATED |
4699                               BTM_SEC_ENCRYPTED | BTM_SEC_ROLE_SWITCHED) << bit_shift);
4700 
4701     if (enc_mode != HCI_ENCRYPT_MODE_DISABLED)
4702         p_dev_rec->sec_flags |= ((BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED) << bit_shift);
4703 
4704     if (btm_cb.security_mode == BTM_SEC_MODE_LINK)
4705         p_dev_rec->sec_flags |= (BTM_SEC_AUTHENTICATED << bit_shift);
4706 
4707     if (p_dev_rec->pin_code_length >= 16 ||
4708         p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB ||
4709         p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) {
4710         p_dev_rec->sec_flags |= (BTM_SEC_16_DIGIT_PIN_AUTHED << bit_shift);
4711     }
4712 
4713     p_dev_rec->link_key_changed = FALSE;
4714 
4715     /* After connection is established we perform security if we do not know */
4716     /* the name, or if we are originator because some procedure can have */
4717     /* been scheduled while connection was down */
4718     BTM_TRACE_DEBUG ("is_originator:%d ", p_dev_rec->is_originator);
4719     if (!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN) || p_dev_rec->is_originator)
4720     {
4721         if ((res = btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED)
4722             btm_sec_dev_rec_cback_event (p_dev_rec, res, FALSE);
4723     }
4724     return;
4725 }
4726 
4727 /*******************************************************************************
4728 **
4729 ** Function         btm_sec_disconnect
4730 **
4731 ** Description      This function is called to disconnect HCI link
4732 **
4733 ** Returns          btm status
4734 **
4735 *******************************************************************************/
btm_sec_disconnect(UINT16 handle,UINT8 reason)4736 tBTM_STATUS btm_sec_disconnect (UINT16 handle, UINT8 reason)
4737 {
4738     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev_by_handle (handle);
4739 
4740     /* In some weird race condition we may not have a record */
4741     if (!p_dev_rec)
4742     {
4743         btsnd_hcic_disconnect (handle, reason);
4744         return(BTM_SUCCESS);
4745     }
4746 
4747     /* If we are in the process of bonding we need to tell client that auth failed */
4748     if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4749          &&  (memcmp (btm_cb.pairing_bda, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0)
4750          &&  (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) )
4751     {
4752         /* we are currently doing bonding.  Link will be disconnected when done */
4753         btm_cb.pairing_flags |= BTM_PAIR_FLAGS_DISC_WHEN_DONE;
4754         return(BTM_BUSY);
4755     }
4756 
4757     return(btm_sec_send_hci_disconnect(p_dev_rec, reason, handle));
4758 }
4759 
4760 /*******************************************************************************
4761 **
4762 ** Function         btm_sec_disconnected
4763 **
4764 ** Description      This function is when a connection to the peer device is
4765 **                  dropped
4766 **
4767 ** Returns          void
4768 **
4769 *******************************************************************************/
btm_sec_disconnected(UINT16 handle,UINT8 reason)4770 void btm_sec_disconnected (UINT16 handle, UINT8 reason)
4771 {
4772     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev_by_handle (handle);
4773     UINT8             old_pairing_flags = btm_cb.pairing_flags;
4774     int               result = HCI_ERR_AUTH_FAILURE;
4775     tBTM_SEC_CALLBACK   *p_callback = NULL;
4776     tBT_TRANSPORT      transport = BT_TRANSPORT_BR_EDR;
4777 
4778     /* If page was delayed for disc complete, can do it now */
4779     btm_cb.discing = FALSE;
4780 
4781     btm_acl_resubmit_page();
4782 
4783     if (!p_dev_rec)
4784         return;
4785 
4786     transport  = (handle == p_dev_rec->hci_handle) ? BT_TRANSPORT_BR_EDR: BT_TRANSPORT_LE;
4787 
4788     p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING;     /* reset flag */
4789 
4790 #if BTM_DISC_DURING_RS == TRUE
4791     LOG_INFO("%s clearing pending flag handle:%d reason:%d", __func__, handle, reason);
4792     p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING;     /* reset flag */
4793 #endif
4794 
4795     /* clear unused flags */
4796     p_dev_rec->sm4 &= BTM_SM4_TRUE;
4797 
4798     uint8_t *bd_addr = (uint8_t *)p_dev_rec->bd_addr;
4799     BTM_TRACE_EVENT("%s sec_req:x%x state:%s reason:%d bd_addr:%02x:%02x:%02x:%02x:%02x:%02x"
4800             "  remote_name:%s", __func__, p_dev_rec->security_required, btm_pair_state_descr(btm_cb.pairing_state),
4801             reason, bd_addr[0], bd_addr[1], bd_addr[2], bd_addr[3], bd_addr[4], bd_addr[5], p_dev_rec->sec_bd_name);
4802 
4803     BTM_TRACE_EVENT("%s before update sec_flags=0x%x", __func__, p_dev_rec->sec_flags);
4804 
4805     /* If we are in the process of bonding we need to tell client that auth failed */
4806     if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4807          && (memcmp (btm_cb.pairing_bda, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0))
4808     {
4809         btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4810         p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_KNOWN;
4811         if (btm_cb.api.p_auth_complete_callback)
4812         {
4813             /* If the disconnection reason is REPEATED_ATTEMPTS,
4814                send this error message to complete callback function
4815                to display the error message of Repeated attempts.
4816                All others, send HCI_ERR_AUTH_FAILURE. */
4817             if (reason == HCI_ERR_REPEATED_ATTEMPTS)
4818             {
4819                 result = HCI_ERR_REPEATED_ATTEMPTS;
4820             }
4821             else if (old_pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4822             {
4823                 result = HCI_ERR_HOST_REJECT_SECURITY;
4824             }
4825             (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,     p_dev_rec->dev_class,
4826                                                     p_dev_rec->sec_bd_name, result);
4827         }
4828     }
4829 
4830 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
4831     btm_ble_update_mode_operation(HCI_ROLE_UNKNOWN, p_dev_rec->bd_addr, HCI_SUCCESS);
4832     /* see sec_flags processing in btm_acl_removed */
4833 
4834     if (transport == BT_TRANSPORT_LE)
4835     {
4836         p_dev_rec->ble_hci_handle = BTM_SEC_INVALID_HANDLE;
4837         p_dev_rec->sec_flags &= ~(BTM_SEC_LE_AUTHENTICATED|BTM_SEC_LE_ENCRYPTED);
4838         p_dev_rec->enc_key_size = 0;
4839     }
4840     else
4841 #endif
4842     {
4843         p_dev_rec->hci_handle = BTM_SEC_INVALID_HANDLE;
4844         p_dev_rec->sec_flags &= ~(BTM_SEC_AUTHORIZED | BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED
4845                 | BTM_SEC_ROLE_SWITCHED | BTM_SEC_16_DIGIT_PIN_AUTHED);
4846     }
4847 
4848 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
4849     if (p_dev_rec->sec_state == BTM_SEC_STATE_DISCONNECTING_BOTH)
4850     {
4851         p_dev_rec->sec_state = (transport == BT_TRANSPORT_LE) ?
4852                                 BTM_SEC_STATE_DISCONNECTING : BTM_SEC_STATE_DISCONNECTING_BLE;
4853         return;
4854     }
4855 #endif
4856     p_dev_rec->sec_state  = BTM_SEC_STATE_IDLE;
4857     p_dev_rec->security_required = BTM_SEC_NONE;
4858 
4859     p_callback = p_dev_rec->p_callback;
4860 
4861     /* if security is pending, send callback to clean up the security state */
4862     if(p_callback)
4863     {
4864         p_dev_rec->p_callback = NULL; /* when the peer device time out the authentication before
4865                                          we do, this call back must be reset here */
4866         (*p_callback) (p_dev_rec->bd_addr, transport, p_dev_rec->p_ref_data, BTM_ERR_PROCESSING);
4867     }
4868 
4869     BTM_TRACE_EVENT("%s after update sec_flags=0x%x", __func__, p_dev_rec->sec_flags);
4870 }
4871 
4872 /*******************************************************************************
4873 **
4874 ** Function         btm_sec_link_key_notification
4875 **
4876 ** Description      This function is called when a new connection link key is
4877 **                  generated
4878 **
4879 ** Returns          Pointer to the record or NULL
4880 **
4881 *******************************************************************************/
btm_sec_link_key_notification(UINT8 * p_bda,UINT8 * p_link_key,UINT8 key_type)4882 void btm_sec_link_key_notification (UINT8 *p_bda, UINT8 *p_link_key, UINT8 key_type)
4883 {
4884     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_or_alloc_dev (p_bda);
4885     BOOLEAN         we_are_bonding = FALSE;
4886     BOOLEAN         ltk_derived_lk  = FALSE;
4887 
4888     BTM_TRACE_EVENT ("btm_sec_link_key_notification()  BDA:%04x%08x, TYPE: %d",
4889                       (p_bda[0]<<8)+p_bda[1], (p_bda[2]<<24)+(p_bda[3]<<16)+(p_bda[4]<<8)+p_bda[5],
4890                       key_type);
4891 
4892     if ((key_type >= BTM_LTK_DERIVED_LKEY_OFFSET + BTM_LKEY_TYPE_COMBINATION) &&
4893         (key_type <= BTM_LTK_DERIVED_LKEY_OFFSET + BTM_LKEY_TYPE_AUTH_COMB_P_256))
4894     {
4895         ltk_derived_lk = TRUE;
4896         key_type -= BTM_LTK_DERIVED_LKEY_OFFSET;
4897     }
4898     /* If connection was made to do bonding restore link security if changed */
4899     btm_restore_mode();
4900 
4901     if (key_type != BTM_LKEY_TYPE_CHANGED_COMB)
4902         p_dev_rec->link_key_type = key_type;
4903 
4904     p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_KNOWN;
4905 
4906     /*
4907      * Until this point in time, we do not know if MITM was enabled, hence we
4908      * add the extended security flag here.
4909      */
4910     if (p_dev_rec->pin_code_length >= 16 ||
4911         p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB ||
4912         p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) {
4913         p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED;
4914     }
4915 
4916 #if (BLE_INCLUDED == TRUE)
4917     /* BR/EDR connection, update the encryption key size to be 16 as always */
4918     p_dev_rec->enc_key_size = 16;
4919 #endif
4920     memcpy (p_dev_rec->link_key, p_link_key, LINK_KEY_LEN);
4921 
4922     if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4923          && (memcmp (btm_cb.pairing_bda, p_bda, BD_ADDR_LEN) == 0) )
4924     {
4925         if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4926             we_are_bonding = TRUE;
4927         else
4928             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4929     }
4930 
4931     /* save LTK derived LK no matter what */
4932     if (ltk_derived_lk)
4933     {
4934         if (btm_cb.api.p_link_key_callback)
4935         {
4936                 BTM_TRACE_DEBUG ("%s() Save LTK derived LK (key_type = %d)",
4937                                   __FUNCTION__, p_dev_rec->link_key_type);
4938                 (*btm_cb.api.p_link_key_callback) (p_bda, p_dev_rec->dev_class,
4939                                                    p_dev_rec->sec_bd_name,
4940                                                    p_link_key, p_dev_rec->link_key_type);
4941         }
4942     }
4943     else
4944     {
4945         if ((p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256) ||
4946             (p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256))
4947         {
4948              p_dev_rec->new_encryption_key_is_p256 = TRUE;
4949              BTM_TRACE_DEBUG ("%s set new_encr_key_256 to %d",
4950                                __func__, p_dev_rec->new_encryption_key_is_p256);
4951         }
4952     }
4953 
4954     /* If name is not known at this point delay calling callback until the name is   */
4955     /* resolved. Unless it is a HID Device and we really need to send all link keys. */
4956     if ((!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
4957         &&  ((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) != BTM_COD_MAJOR_PERIPHERAL))
4958         && !ltk_derived_lk)
4959     {
4960         BTM_TRACE_EVENT ("btm_sec_link_key_notification()  Delayed BDA: %08x%04x Type:%d",
4961                           (p_bda[0]<<24) + (p_bda[1]<<16) + (p_bda[2]<<8) + p_bda[3],
4962                           (p_bda[4] << 8) + p_bda[5], key_type);
4963 
4964         p_dev_rec->link_key_not_sent = TRUE;
4965 
4966         /* If it is for bonding nothing else will follow, so we need to start name resolution */
4967         if (we_are_bonding)
4968         {
4969             if (!(btsnd_hcic_rmt_name_req (p_bda, HCI_PAGE_SCAN_REP_MODE_R1, HCI_MANDATARY_PAGE_SCAN_MODE, 0)))
4970                 btm_inq_rmt_name_failed();
4971         }
4972 
4973         BTM_TRACE_EVENT ("rmt_io_caps:%d, sec_flags:x%x, dev_class[1]:x%02x", p_dev_rec->rmt_io_caps, p_dev_rec->sec_flags, p_dev_rec->dev_class[1])
4974         return;
4975     }
4976 
4977     /* If its not us who perform authentication, we should tell stackserver */
4978     /* that some authentication has been completed                          */
4979     /* This is required when different entities receive link notification and auth complete */
4980     if (!(p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE)
4981         /* for derived key, always send authentication callback for BR channel */
4982          || ltk_derived_lk)
4983     {
4984         if (btm_cb.api.p_auth_complete_callback)
4985             (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
4986                                                     p_dev_rec->sec_bd_name, HCI_SUCCESS);
4987     }
4988 
4989     /* We will save link key only if the user authorized it - BTE report link key in all cases */
4990 #ifdef BRCM_NONE_BTE
4991     if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED)
4992 #endif
4993     {
4994         if (btm_cb.api.p_link_key_callback)
4995         {
4996             if (ltk_derived_lk)
4997             {
4998                 BTM_TRACE_DEBUG ("btm_sec_link_key_notification()  LTK derived LK is saved already"
4999                                     " (key_type = %d)", p_dev_rec->link_key_type);
5000             }
5001             else
5002             {
5003                 (*btm_cb.api.p_link_key_callback) (p_bda, p_dev_rec->dev_class,
5004                                                    p_dev_rec->sec_bd_name,
5005                                                    p_link_key, p_dev_rec->link_key_type);
5006             }
5007         }
5008     }
5009 }
5010 
5011 /*******************************************************************************
5012 **
5013 ** Function         btm_sec_link_key_request
5014 **
5015 ** Description      This function is called when controller requests link key
5016 **
5017 ** Returns          Pointer to the record or NULL
5018 **
5019 *******************************************************************************/
btm_sec_link_key_request(UINT8 * p_bda)5020 void btm_sec_link_key_request (UINT8 *p_bda)
5021 {
5022     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_or_alloc_dev (p_bda);
5023 
5024     BTM_TRACE_EVENT ("btm_sec_link_key_request()  BDA: %02x:%02x:%02x:%02x:%02x:%02x",
5025                       p_bda[0], p_bda[1], p_bda[2], p_bda[3], p_bda[4], p_bda[5]);
5026 
5027     if( (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_PIN_REQ) &&
5028         (btm_cb.collision_start_time != 0) &&
5029         (memcmp (btm_cb.p_collided_dev_rec->bd_addr, p_bda, BD_ADDR_LEN) == 0) )
5030     {
5031         BTM_TRACE_EVENT ("btm_sec_link_key_request() rejecting link key req "
5032             "State: %d START_TIMEOUT : %d",
5033              btm_cb.pairing_state, btm_cb.collision_start_time);
5034         btsnd_hcic_link_key_neg_reply (p_bda);
5035         return;
5036     }
5037     if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)
5038     {
5039         btsnd_hcic_link_key_req_reply (p_bda, p_dev_rec->link_key);
5040         return;
5041     }
5042 
5043     /* Notify L2CAP to increase timeout */
5044     l2c_pin_code_request (p_bda);
5045 
5046     /* The link key is not in the database and it is not known to the manager */
5047     btsnd_hcic_link_key_neg_reply (p_bda);
5048 }
5049 
5050 /*******************************************************************************
5051 **
5052 ** Function         btm_sec_pairing_timeout
5053 **
5054 ** Description      This function is called when host does not provide PIN
5055 **                  within requested time
5056 **
5057 ** Returns          Pointer to the TLE struct
5058 **
5059 *******************************************************************************/
btm_sec_pairing_timeout(TIMER_LIST_ENT * p_tle)5060 static void btm_sec_pairing_timeout (TIMER_LIST_ENT *p_tle)
5061 {
5062     tBTM_CB *p_cb = &btm_cb;
5063     tBTM_SEC_DEV_REC *p_dev_rec;
5064 #if BTM_OOB_INCLUDED == TRUE
5065 #if (BTM_LOCAL_IO_CAPS == BTM_IO_CAP_NONE)
5066     tBTM_AUTH_REQ   auth_req = BTM_AUTH_AP_NO;
5067 #else
5068     tBTM_AUTH_REQ   auth_req = BTM_AUTH_AP_YES;
5069 #endif
5070 #endif
5071     UINT8   name[2];
5072     UNUSED(p_tle);
5073 
5074     p_cb->pairing_tle.param = 0;
5075 /* Coverity: FALSE-POSITIVE error from Coverity tool. Please do NOT remove following comment. */
5076 /* coverity[UNUSED_VALUE] pointer p_dev_rec is actually used several times... This is a Coverity false-positive, i.e. a fake issue.
5077 */
5078     p_dev_rec = btm_find_dev (p_cb->pairing_bda);
5079 
5080     BTM_TRACE_EVENT ("btm_sec_pairing_timeout()  State: %s   Flags: %u",
5081                       btm_pair_state_descr(p_cb->pairing_state), p_cb->pairing_flags);
5082 
5083     switch (p_cb->pairing_state)
5084     {
5085         case BTM_PAIR_STATE_WAIT_PIN_REQ:
5086             btm_sec_bond_cancel_complete();
5087             break;
5088 
5089         case BTM_PAIR_STATE_WAIT_LOCAL_PIN:
5090             if ( (btm_cb.pairing_flags & BTM_PAIR_FLAGS_PRE_FETCH_PIN) == 0)
5091                 btsnd_hcic_pin_code_neg_reply (p_cb->pairing_bda);
5092             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
5093             /* We need to notify the UI that no longer need the PIN */
5094             if (btm_cb.api.p_auth_complete_callback)
5095             {
5096                 if (p_dev_rec == NULL)
5097                 {
5098                     name[0] = 0;
5099                     (*btm_cb.api.p_auth_complete_callback) (p_cb->pairing_bda,
5100                                                             NULL,
5101                                                             name, HCI_ERR_CONNECTION_TOUT);
5102                 }
5103                 else
5104                     (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
5105                                                             p_dev_rec->dev_class,
5106                                                             p_dev_rec->sec_bd_name, HCI_ERR_CONNECTION_TOUT);
5107             }
5108             break;
5109 
5110         case BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM:
5111             btsnd_hcic_user_conf_reply (p_cb->pairing_bda, FALSE);
5112             /* btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); */
5113             break;
5114 
5115 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
5116         case BTM_PAIR_STATE_KEY_ENTRY:
5117             btsnd_hcic_user_passkey_neg_reply(p_cb->pairing_bda);
5118             /* btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); */
5119             break;
5120 #endif /* !BTM_IO_CAP_NONE */
5121 
5122 #if BTM_OOB_INCLUDED == TRUE
5123         case BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS:
5124             if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
5125                 auth_req |= BTM_AUTH_DD_BOND;
5126 
5127             btsnd_hcic_io_cap_req_reply (p_cb->pairing_bda, btm_cb.devcb.loc_io_caps,
5128                                          BTM_OOB_NONE, auth_req);
5129             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
5130             break;
5131 
5132         case BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP:
5133             btsnd_hcic_rem_oob_neg_reply (p_cb->pairing_bda);
5134             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
5135             break;
5136 #endif /* BTM_OOB_INCLUDED */
5137 
5138         case BTM_PAIR_STATE_WAIT_DISCONNECT:
5139             /* simple pairing failed. Started a 1-sec timer at simple pairing complete.
5140              * now it's time to tear down the ACL link*/
5141             if (p_dev_rec == NULL)
5142             {
5143                 BTM_TRACE_ERROR ("btm_sec_pairing_timeout() BTM_PAIR_STATE_WAIT_DISCONNECT unknown BDA: %08x%04x",
5144                                   (p_cb->pairing_bda[0]<<24) + (p_cb->pairing_bda[1]<<16) + (p_cb->pairing_bda[2]<<8) + p_cb->pairing_bda[3],
5145                                   (p_cb->pairing_bda[4] << 8) + p_cb->pairing_bda[5]);
5146                 break;
5147             }
5148             btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE, p_dev_rec->hci_handle);
5149             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
5150             break;
5151 
5152         case BTM_PAIR_STATE_WAIT_AUTH_COMPLETE:
5153         case BTM_PAIR_STATE_GET_REM_NAME:
5154             /* We need to notify the UI that timeout has happened while waiting for authentication*/
5155             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
5156             if (btm_cb.api.p_auth_complete_callback)
5157             {
5158                 if (p_dev_rec == NULL)
5159                 {
5160                     name[0] = 0;
5161                     (*btm_cb.api.p_auth_complete_callback) (p_cb->pairing_bda,
5162                                                             NULL,
5163                                                             name, HCI_ERR_CONNECTION_TOUT);
5164                 }
5165                 else
5166                     (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
5167                                                             p_dev_rec->dev_class,
5168                                                             p_dev_rec->sec_bd_name, HCI_ERR_CONNECTION_TOUT);
5169             }
5170             break;
5171 
5172         default:
5173             BTM_TRACE_WARNING ("btm_sec_pairing_timeout() not processed state: %s", btm_pair_state_descr(btm_cb.pairing_state));
5174             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
5175             break;
5176     }
5177 }
5178 
5179 /*******************************************************************************
5180 **
5181 ** Function         btm_sec_pin_code_request
5182 **
5183 ** Description      This function is called when controller requests PIN code
5184 **
5185 ** Returns          Pointer to the record or NULL
5186 **
5187 *******************************************************************************/
btm_sec_pin_code_request(UINT8 * p_bda)5188 void btm_sec_pin_code_request (UINT8 *p_bda)
5189 {
5190     tBTM_SEC_DEV_REC *p_dev_rec;
5191     tBTM_CB          *p_cb = &btm_cb;
5192 
5193 #ifdef PORCHE_PAIRING_CONFLICT
5194     UINT8 default_pin_code_len = 4;
5195     PIN_CODE default_pin_code = {0x30, 0x30, 0x30, 0x30};
5196 #endif
5197     BTM_TRACE_EVENT ("btm_sec_pin_code_request()  State: %s, BDA:%04x%08x",
5198                       btm_pair_state_descr(btm_cb.pairing_state),
5199                       (p_bda[0]<<8)+p_bda[1], (p_bda[2]<<24)+(p_bda[3]<<16)+(p_bda[4]<<8)+p_bda[5] );
5200 
5201     if (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
5202     {
5203         if ( (memcmp (p_bda, btm_cb.pairing_bda, BD_ADDR_LEN) == 0)  &&
5204              (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_AUTH_COMPLETE) )
5205         {
5206              /* fake this out - porshe carkit issue - */
5207 //            btm_cb.pairing_state = BTM_PAIR_STATE_IDLE;
5208              if(! btm_cb.pin_code_len_saved)
5209              {
5210                  btsnd_hcic_pin_code_neg_reply (p_bda);
5211                  return;
5212              }
5213              else
5214              {
5215                  btsnd_hcic_pin_code_req_reply (p_bda, btm_cb.pin_code_len_saved, p_cb->pin_code);
5216                  return;
5217              }
5218         }
5219         else if ((btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_PIN_REQ)
5220                  || memcmp (p_bda, btm_cb.pairing_bda, BD_ADDR_LEN) != 0)
5221         {
5222             BTM_TRACE_WARNING ("btm_sec_pin_code_request() rejected - state: %s",
5223                                 btm_pair_state_descr(btm_cb.pairing_state));
5224 
5225 #ifdef PORCHE_PAIRING_CONFLICT
5226             /* reply pin code again due to counter in_rand when local initiates pairing */
5227             BTM_TRACE_EVENT ("btm_sec_pin_code_request from remote dev. for local initiated pairing");
5228             if(! btm_cb.pin_code_len_saved)
5229             {
5230                 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
5231                 btsnd_hcic_pin_code_req_reply (p_bda, default_pin_code_len, default_pin_code);
5232             }
5233             else
5234             {
5235                 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
5236                 btsnd_hcic_pin_code_req_reply (p_bda, btm_cb.pin_code_len_saved, p_cb->pin_code);
5237             }
5238 #else
5239             btsnd_hcic_pin_code_neg_reply (p_bda);
5240 #endif
5241             return;
5242         }
5243     }
5244 
5245     p_dev_rec = btm_find_or_alloc_dev (p_bda);
5246     /* received PIN code request. must be non-sm4 */
5247     p_dev_rec->sm4 = BTM_SM4_KNOWN;
5248 
5249     if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
5250     {
5251         memcpy (btm_cb.pairing_bda, p_bda, BD_ADDR_LEN);
5252 
5253         btm_cb.pairing_flags = BTM_PAIR_FLAGS_PEER_STARTED_DD;
5254         /* Make sure we reset the trusted mask to help against attacks */
5255         BTM_SEC_CLR_TRUSTED_DEVICE(p_dev_rec->trusted_mask);
5256     }
5257 
5258     if (!p_cb->pairing_disabled && (p_cb->cfg.pin_type == HCI_PIN_TYPE_FIXED))
5259     {
5260         BTM_TRACE_EVENT ("btm_sec_pin_code_request fixed pin replying");
5261         btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
5262         btsnd_hcic_pin_code_req_reply (p_bda, p_cb->cfg.pin_code_len, p_cb->cfg.pin_code);
5263         return;
5264     }
5265 
5266     /* Use the connecting device's CoD for the connection */
5267     if ( (!memcmp (p_bda, p_cb->connecting_bda, BD_ADDR_LEN))
5268          &&  (p_cb->connecting_dc[0] || p_cb->connecting_dc[1] || p_cb->connecting_dc[2]) )
5269         memcpy (p_dev_rec->dev_class, p_cb->connecting_dc, DEV_CLASS_LEN);
5270 
5271     /* We could have started connection after asking user for the PIN code */
5272     if (btm_cb.pin_code_len != 0)
5273     {
5274         BTM_TRACE_EVENT ("btm_sec_pin_code_request bonding sending reply");
5275         btsnd_hcic_pin_code_req_reply (p_bda, btm_cb.pin_code_len, p_cb->pin_code);
5276 
5277 #ifdef PORCHE_PAIRING_CONFLICT
5278         btm_cb.pin_code_len_saved = btm_cb.pin_code_len;
5279 #endif
5280 
5281         /* Mark that we forwarded received from the user PIN code */
5282         btm_cb.pin_code_len = 0;
5283 
5284         /* We can change mode back right away, that other connection being established */
5285         /* is not forced to be secure - found a FW issue, so we can not do this
5286         btm_restore_mode(); */
5287 
5288         btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
5289     }
5290 
5291     /* If pairing disabled OR (no PIN callback and not bonding) */
5292     /* OR we could not allocate entry in the database reject pairing request */
5293     else if (p_cb->pairing_disabled
5294              || (p_cb->api.p_pin_callback == NULL)
5295 
5296              /* OR Microsoft keyboard can for some reason try to establish connection */
5297              /*  the only thing we can do here is to shut it up.  Normally we will be originator */
5298              /*  for keyboard bonding */
5299              || (!p_dev_rec->is_originator
5300                  && ((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) == BTM_COD_MAJOR_PERIPHERAL)
5301                  &&  (p_dev_rec->dev_class[2] & BTM_COD_MINOR_KEYBOARD)) )
5302     {
5303         BTM_TRACE_WARNING("btm_sec_pin_code_request(): Pairing disabled:%d; PIN callback:%x, Dev Rec:%x!",
5304                            p_cb->pairing_disabled, p_cb->api.p_pin_callback, p_dev_rec);
5305 
5306         btsnd_hcic_pin_code_neg_reply (p_bda);
5307     }
5308     /* Notify upper layer of PIN request and start expiration timer */
5309     else
5310     {
5311         btm_cb.pin_code_len_saved = 0;
5312         btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_PIN);
5313         /* Pin code request can not come at the same time as connection request */
5314         memcpy (p_cb->connecting_bda, p_bda, BD_ADDR_LEN);
5315         memcpy (p_cb->connecting_dc,  p_dev_rec->dev_class, DEV_CLASS_LEN);
5316 
5317         /* Check if the name is known */
5318         /* Even if name is not known we might not be able to get one */
5319         /* this is the case when we are already getting something from the */
5320         /* device, so HCI level is flow controlled */
5321         /* Also cannot send remote name request while paging, i.e. connection is not completed */
5322         if (p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
5323         {
5324             BTM_TRACE_EVENT ("btm_sec_pin_code_request going for callback");
5325 
5326             btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
5327             if (p_cb->api.p_pin_callback) {
5328                 (*p_cb->api.p_pin_callback) (p_bda, p_dev_rec->dev_class, p_dev_rec->sec_bd_name,
5329                         (p_dev_rec->p_cur_service == NULL) ? FALSE
5330                                 : (p_dev_rec->p_cur_service->security_flags
5331                                    & BTM_SEC_IN_MIN_16_DIGIT_PIN));
5332             }
5333         }
5334         else
5335         {
5336             BTM_TRACE_EVENT ("btm_sec_pin_code_request going for remote name");
5337 
5338             /* We received PIN code request for the device with unknown name */
5339             /* it is not user friendly just to ask for the PIN without name */
5340             /* try to get name at first */
5341             if (!btsnd_hcic_rmt_name_req (p_dev_rec->bd_addr,
5342                                           HCI_PAGE_SCAN_REP_MODE_R1,
5343                                           HCI_MANDATARY_PAGE_SCAN_MODE, 0))
5344             {
5345                 p_dev_rec->sec_flags |= BTM_SEC_NAME_KNOWN;
5346                 p_dev_rec->sec_bd_name[0] = 'f';
5347                 p_dev_rec->sec_bd_name[1] = '0';
5348                 BTM_TRACE_ERROR ("can not send rmt_name_req?? fake a name and call callback");
5349 
5350                 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
5351                 if (p_cb->api.p_pin_callback)
5352                     (*p_cb->api.p_pin_callback) (p_bda, p_dev_rec->dev_class,
5353                             p_dev_rec->sec_bd_name, (p_dev_rec->p_cur_service == NULL) ? FALSE
5354                                     : (p_dev_rec->p_cur_service->security_flags
5355                                        & BTM_SEC_IN_MIN_16_DIGIT_PIN));
5356             }
5357         }
5358     }
5359 
5360     return;
5361 }
5362 
5363 /*******************************************************************************
5364 **
5365 ** Function         btm_sec_update_clock_offset
5366 **
5367 ** Description      This function is called to update clock offset
5368 **
5369 ** Returns          void
5370 **
5371 *******************************************************************************/
btm_sec_update_clock_offset(UINT16 handle,UINT16 clock_offset)5372 void btm_sec_update_clock_offset (UINT16 handle, UINT16 clock_offset)
5373 {
5374     tBTM_SEC_DEV_REC  *p_dev_rec;
5375     tBTM_INQ_INFO     *p_inq_info;
5376 
5377     if ((p_dev_rec = btm_find_dev_by_handle (handle)) == NULL)
5378         return;
5379 
5380     p_dev_rec->clock_offset = clock_offset | BTM_CLOCK_OFFSET_VALID;
5381 
5382     if ((p_inq_info = BTM_InqDbRead(p_dev_rec->bd_addr)) == NULL)
5383         return;
5384 
5385     p_inq_info->results.clock_offset = clock_offset | BTM_CLOCK_OFFSET_VALID;
5386 }
5387 
5388 
5389 /******************************************************************
5390 ** S T A T I C     F U N C T I O N S
5391 *******************************************************************/
5392 
5393 /*******************************************************************************
5394 **
5395 ** Function         btm_sec_execute_procedure
5396 **
5397 ** Description      This function is called to start required security
5398 **                  procedure.  There is a case when multiplexing protocol
5399 **                  calls this function on the originating side, connection to
5400 **                  the peer will not be established.  This function in this
5401 **                  case performs only authorization.
5402 **
5403 ** Returns          BTM_SUCCESS     - permission is granted
5404 **                  BTM_CMD_STARTED - in process
5405 **                  BTM_NO_RESOURCES  - permission declined
5406 **
5407 *******************************************************************************/
btm_sec_execute_procedure(tBTM_SEC_DEV_REC * p_dev_rec)5408 static tBTM_STATUS btm_sec_execute_procedure (tBTM_SEC_DEV_REC *p_dev_rec)
5409 {
5410     BTM_TRACE_EVENT ("btm_sec_execute_procedure: Required:0x%x Flags:0x%x State:%d",
5411                       p_dev_rec->security_required, p_dev_rec->sec_flags, p_dev_rec->sec_state);
5412 
5413     /* There is a chance that we are getting name.  Wait until done. */
5414     if (p_dev_rec->sec_state != 0)
5415         return(BTM_CMD_STARTED);
5416 
5417     /* If any security is required, get the name first */
5418     if (!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
5419         && (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE))
5420     {
5421         BTM_TRACE_EVENT ("Security Manager: Start get name");
5422         if (!btm_sec_start_get_name (p_dev_rec))
5423         {
5424             return(BTM_NO_RESOURCES);
5425         }
5426         return(BTM_CMD_STARTED);
5427     }
5428 
5429     /* If connection is not authenticated and authentication is required */
5430     /* start authentication and return PENDING to the caller */
5431     if ((((!(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))
5432         && (( p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE))
5433             || (!p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_IN_AUTHENTICATE))))
5434         || (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED)
5435             && (!p_dev_rec->is_originator
5436                     && (p_dev_rec->security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN))))
5437         && (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE))
5438     {
5439         /*
5440          * We rely on BTM_SEC_16_DIGIT_PIN_AUTHED being set if MITM is in use,
5441          * as 16 DIGIT is only needed if MITM is not used. Unfortunately, the
5442          * BTM_SEC_AUTHENTICATED is used for both MITM and non-MITM
5443          * authenticated connections, hence we cannot distinguish here.
5444          */
5445 
5446 #if (L2CAP_UCD_INCLUDED == TRUE)
5447         /* if incoming UCD packet, discard it */
5448         if ( !p_dev_rec->is_originator && (p_dev_rec->is_ucd == TRUE ))
5449             return(BTM_FAILED_ON_SECURITY);
5450 #endif
5451 
5452         BTM_TRACE_EVENT ("Security Manager: Start authentication");
5453 
5454         /*
5455          * If we do have a link-key, but we end up here because we need an
5456          * upgrade, then clear the link-key known and authenticated flag before
5457          * restarting authentication.
5458          * WARNING: If the controller has link-key, it is optional and
5459          * recommended for the controller to send a Link_Key_Request.
5460          * In case we need an upgrade, the only alternative would be to delete
5461          * the existing link-key. That could lead to very bad user experience
5462          * or even IOP issues, if a reconnect causes a new connection that
5463          * requires an upgrade.
5464          */
5465         if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)
5466                 && (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED)
5467                     && (!p_dev_rec->is_originator && (p_dev_rec->security_required
5468                             & BTM_SEC_IN_MIN_16_DIGIT_PIN)))) {
5469             p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED
5470                     | BTM_SEC_AUTHENTICATED);
5471         }
5472 
5473         if (!btm_sec_start_authentication (p_dev_rec))
5474         {
5475             return(BTM_NO_RESOURCES);
5476         }
5477         return(BTM_CMD_STARTED);
5478     }
5479 
5480     /* If connection is not encrypted and encryption is required */
5481     /* start encryption and return PENDING to the caller */
5482     if (!(p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)
5483         && (( p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_OUT_ENCRYPT))
5484             || (!p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_IN_ENCRYPT)))
5485         && (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE))
5486     {
5487 #if (L2CAP_UCD_INCLUDED == TRUE)
5488         /* if incoming UCD packet, discard it */
5489         if ( !p_dev_rec->is_originator && (p_dev_rec->is_ucd == TRUE ))
5490             return(BTM_FAILED_ON_SECURITY);
5491 #endif
5492 
5493         BTM_TRACE_EVENT ("Security Manager: Start encryption");
5494 
5495         if (!btm_sec_start_encryption (p_dev_rec))
5496         {
5497             return(BTM_NO_RESOURCES);
5498         }
5499         return(BTM_CMD_STARTED);
5500     }
5501 
5502     if ((p_dev_rec->security_required & BTM_SEC_MODE4_LEVEL4) &&
5503         (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256))
5504     {
5505         BTM_TRACE_EVENT("%s: Security Manager: SC only service, but link key type is 0x%02x -",
5506                         "security failure", __FUNCTION__, p_dev_rec->link_key_type);
5507         return (BTM_FAILED_ON_SECURITY);
5508     }
5509 
5510     /* If connection is not authorized and authorization is required */
5511     /* start authorization and return PENDING to the caller */
5512     if (!(p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED)
5513         && (( p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_OUT_AUTHORIZE))
5514             || (!p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_IN_AUTHORIZE))))
5515     {
5516         BTM_TRACE_EVENT ("service id:%d, is trusted:%d",
5517                           p_dev_rec->p_cur_service->service_id,
5518                           (BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask,
5519                                                       p_dev_rec->p_cur_service->service_id)));
5520         if ((btm_sec_are_all_trusted(p_dev_rec->trusted_mask) == FALSE) &&
5521             (p_dev_rec->p_cur_service->service_id < BTM_SEC_MAX_SERVICES) &&
5522             (BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask,
5523                                         p_dev_rec->p_cur_service->service_id) == FALSE))
5524         {
5525             BTM_TRACE_EVENT ("Security Manager: Start authorization");
5526             return(btm_sec_start_authorization (p_dev_rec));
5527         }
5528     }
5529 
5530     /* All required  security procedures already established */
5531     p_dev_rec->security_required &= ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_IN_AUTHORIZE |
5532                                       BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_IN_AUTHENTICATE |
5533                                       BTM_SEC_OUT_ENCRYPT | BTM_SEC_IN_ENCRYPT |
5534                                       BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER |
5535                                       BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
5536 
5537     BTM_TRACE_EVENT ("Security Manager: trusted:0x%04x%04x", p_dev_rec->trusted_mask[1], p_dev_rec->trusted_mask[0]);
5538     BTM_TRACE_EVENT ("Security Manager: access granted");
5539 
5540     return(BTM_SUCCESS);
5541 }
5542 
5543 
5544 /*******************************************************************************
5545 **
5546 ** Function         btm_sec_start_get_name
5547 **
5548 ** Description      This function is called to start get name procedure
5549 **
5550 ** Returns          TRUE if started
5551 **
5552 *******************************************************************************/
btm_sec_start_get_name(tBTM_SEC_DEV_REC * p_dev_rec)5553 static BOOLEAN btm_sec_start_get_name (tBTM_SEC_DEV_REC *p_dev_rec)
5554 {
5555     UINT8 tempstate = p_dev_rec->sec_state;
5556 
5557     p_dev_rec->sec_state = BTM_SEC_STATE_GETTING_NAME;
5558 
5559     /* Device should be connected, no need to provide correct page params */
5560     /* 0 and NULL are as timeout and callback params because they are not used in security get name case */
5561     if ((btm_initiate_rem_name (p_dev_rec->bd_addr, NULL, BTM_RMT_NAME_SEC,
5562                                 0, NULL)) != BTM_CMD_STARTED)
5563     {
5564         p_dev_rec->sec_state = tempstate;
5565         return(FALSE);
5566     }
5567 
5568     return(TRUE);
5569 }
5570 
5571 /*******************************************************************************
5572 **
5573 ** Function         btm_sec_start_authentication
5574 **
5575 ** Description      This function is called to start authentication
5576 **
5577 ** Returns          TRUE if started
5578 **
5579 *******************************************************************************/
btm_sec_start_authentication(tBTM_SEC_DEV_REC * p_dev_rec)5580 static BOOLEAN btm_sec_start_authentication (tBTM_SEC_DEV_REC *p_dev_rec)
5581 {
5582     p_dev_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING;
5583 
5584     return(btsnd_hcic_auth_request (p_dev_rec->hci_handle));
5585 }
5586 
5587 /*******************************************************************************
5588 **
5589 ** Function         btm_sec_start_encryption
5590 **
5591 ** Description      This function is called to start encryption
5592 **
5593 ** Returns          TRUE if started
5594 **
5595 *******************************************************************************/
btm_sec_start_encryption(tBTM_SEC_DEV_REC * p_dev_rec)5596 static BOOLEAN btm_sec_start_encryption (tBTM_SEC_DEV_REC *p_dev_rec)
5597 {
5598     if (!btsnd_hcic_set_conn_encrypt (p_dev_rec->hci_handle, TRUE))
5599         return(FALSE);
5600 
5601     p_dev_rec->sec_state = BTM_SEC_STATE_ENCRYPTING;
5602     return(TRUE);
5603 }
5604 
5605 
5606 /*******************************************************************************
5607 **
5608 ** Function         btm_sec_start_authorization
5609 **
5610 ** Description      This function is called to start authorization
5611 **
5612 ** Returns          TRUE if started
5613 **
5614 *******************************************************************************/
btm_sec_start_authorization(tBTM_SEC_DEV_REC * p_dev_rec)5615 static UINT8 btm_sec_start_authorization (tBTM_SEC_DEV_REC *p_dev_rec)
5616 {
5617     UINT8    result;
5618     UINT8   *p_service_name = NULL;
5619     UINT8    service_id;
5620 
5621     if ((p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
5622         || (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE))
5623     {
5624         if (!btm_cb.api.p_authorize_callback)
5625             return(BTM_MODE_UNSUPPORTED);
5626 
5627         if (p_dev_rec->p_cur_service)
5628         {
5629 #if BTM_SEC_SERVICE_NAME_LEN > 0
5630             if (p_dev_rec->is_originator)
5631                 p_service_name = p_dev_rec->p_cur_service->orig_service_name;
5632             else
5633                 p_service_name = p_dev_rec->p_cur_service->term_service_name;
5634 #endif
5635             service_id = p_dev_rec->p_cur_service->service_id;
5636         }
5637         else
5638             service_id = 0;
5639 
5640         /* Send authorization request if not already sent during this service connection */
5641         if (p_dev_rec->last_author_service_id == BTM_SEC_NO_LAST_SERVICE_ID
5642             || p_dev_rec->last_author_service_id != service_id)
5643         {
5644             p_dev_rec->sec_state = BTM_SEC_STATE_AUTHORIZING;
5645             result = (*btm_cb.api.p_authorize_callback) (p_dev_rec->bd_addr,
5646                                                      p_dev_rec->dev_class,
5647                                                      p_dev_rec->sec_bd_name,
5648                                                      p_service_name,
5649                                                      service_id,
5650                                                      p_dev_rec->is_originator);
5651         }
5652 
5653         else    /* Already authorized once for this L2CAP bringup */
5654         {
5655             BTM_TRACE_DEBUG ("btm_sec_start_authorization: (Ignoring extra Authorization prompt for service %d)", service_id);
5656             return (BTM_SUCCESS);
5657         }
5658 
5659         if (result == BTM_SUCCESS)
5660         {
5661             p_dev_rec->sec_flags |= BTM_SEC_AUTHORIZED;
5662 
5663             /* Save the currently authorized service in case we are asked again by another multiplexer layer */
5664             if (!p_dev_rec->is_originator)
5665                 p_dev_rec->last_author_service_id = service_id;
5666 
5667             p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
5668         }
5669         return(result);
5670     }
5671     btm_sec_start_get_name (p_dev_rec);
5672     return(BTM_CMD_STARTED);
5673 }
5674 
5675 /*******************************************************************************
5676 **
5677 ** Function         btm_sec_are_all_trusted
5678 **
5679 ** Description      This function is called check if all services are trusted
5680 **
5681 ** Returns          TRUE if all are trusted, otherwise FALSE
5682 **
5683 *******************************************************************************/
btm_sec_are_all_trusted(UINT32 p_mask[])5684 BOOLEAN btm_sec_are_all_trusted(UINT32 p_mask[])
5685 {
5686     UINT32 trusted_inx;
5687     for (trusted_inx = 0; trusted_inx < BTM_SEC_SERVICE_ARRAY_SIZE; trusted_inx++)
5688     {
5689         if (p_mask[trusted_inx] != BTM_SEC_TRUST_ALL)
5690             return(FALSE);
5691     }
5692 
5693     return(TRUE);
5694 }
5695 
5696 /*******************************************************************************
5697 **
5698 ** Function         btm_sec_find_first_serv
5699 **
5700 ** Description      Look for the first record in the service database
5701 **                  with specified PSM
5702 **
5703 ** Returns          Pointer to the record or NULL
5704 **
5705 *******************************************************************************/
btm_sec_find_first_serv(CONNECTION_TYPE conn_type,UINT16 psm)5706 static tBTM_SEC_SERV_REC *btm_sec_find_first_serv (CONNECTION_TYPE conn_type, UINT16 psm)
5707 {
5708     tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0];
5709     int i;
5710     BOOLEAN is_originator;
5711 
5712 #if (L2CAP_UCD_INCLUDED == TRUE)
5713 
5714     if ( conn_type & CONNECTION_TYPE_ORIG_MASK )
5715         is_originator = TRUE;
5716     else
5717         is_originator = FALSE;
5718 #else
5719     is_originator = conn_type;
5720 #endif
5721 
5722     if (is_originator && btm_cb.p_out_serv && btm_cb.p_out_serv->psm == psm)
5723     {
5724         /* If this is outgoing connection and the PSM matches p_out_serv,
5725          * use it as the current service */
5726         return btm_cb.p_out_serv;
5727     }
5728 
5729     /* otherwise, just find the first record with the specified PSM */
5730     for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++)
5731     {
5732         if ( (p_serv_rec->security_flags & BTM_SEC_IN_USE) && (p_serv_rec->psm == psm) )
5733             return(p_serv_rec);
5734     }
5735     return(NULL);
5736 }
5737 
5738 
5739 /*******************************************************************************
5740 **
5741 ** Function         btm_sec_find_next_serv
5742 **
5743 ** Description      Look for the next record in the service database
5744 **                  with specified PSM
5745 **
5746 ** Returns          Pointer to the record or NULL
5747 **
5748 *******************************************************************************/
btm_sec_find_next_serv(tBTM_SEC_SERV_REC * p_cur)5749 static tBTM_SEC_SERV_REC *btm_sec_find_next_serv (tBTM_SEC_SERV_REC *p_cur)
5750 {
5751     tBTM_SEC_SERV_REC *p_serv_rec   = &btm_cb.sec_serv_rec[0];
5752     int               i;
5753 
5754     for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++)
5755     {
5756         if ((p_serv_rec->security_flags & BTM_SEC_IN_USE)
5757             && (p_serv_rec->psm == p_cur->psm) )
5758         {
5759             if (p_cur != p_serv_rec)
5760             {
5761                 return(p_serv_rec);
5762             }
5763         }
5764     }
5765     return(NULL);
5766 }
5767 
5768 
5769 /*******************************************************************************
5770 **
5771 ** Function         btm_sec_find_mx_serv
5772 **
5773 ** Description      Look for the record in the service database with specified
5774 **                  PSM and multiplexor channel information
5775 **
5776 ** Returns          Pointer to the record or NULL
5777 **
5778 *******************************************************************************/
btm_sec_find_mx_serv(UINT8 is_originator,UINT16 psm,UINT32 mx_proto_id,UINT32 mx_chan_id)5779 static tBTM_SEC_SERV_REC *btm_sec_find_mx_serv (UINT8 is_originator, UINT16 psm,
5780                                                 UINT32 mx_proto_id, UINT32 mx_chan_id)
5781 {
5782     tBTM_SEC_SERV_REC *p_out_serv = btm_cb.p_out_serv;
5783     tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0];
5784     int i;
5785 
5786     BTM_TRACE_DEBUG ("%s()", __func__);
5787     if (is_originator && p_out_serv && p_out_serv->psm == psm
5788         && p_out_serv->mx_proto_id == mx_proto_id
5789         && p_out_serv->orig_mx_chan_id == mx_chan_id)
5790     {
5791         /* If this is outgoing connection and the parameters match p_out_serv,
5792          * use it as the current service */
5793         return btm_cb.p_out_serv;
5794     }
5795 
5796     /* otherwise, the old way */
5797     for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++)
5798     {
5799         if ((p_serv_rec->security_flags & BTM_SEC_IN_USE)
5800             && (p_serv_rec->psm == psm)
5801             && (p_serv_rec->mx_proto_id == mx_proto_id)
5802             && (( is_originator && (p_serv_rec->orig_mx_chan_id  == mx_chan_id))
5803                 || (!is_originator && (p_serv_rec->term_mx_chan_id  == mx_chan_id))))
5804         {
5805             return(p_serv_rec);
5806         }
5807     }
5808     return(NULL);
5809 }
5810 
5811 
5812 /*******************************************************************************
5813 **
5814 ** Function         btm_sec_collision_timeout
5815 **
5816 ** Description      Encryption could not start because of the collision
5817 **                  try to do it again
5818 **
5819 ** Returns          Pointer to the TLE struct
5820 **
5821 *******************************************************************************/
btm_sec_collision_timeout(TIMER_LIST_ENT * p_tle)5822 static void btm_sec_collision_timeout (TIMER_LIST_ENT *p_tle)
5823 {
5824     UNUSED(p_tle);
5825 
5826     BTM_TRACE_EVENT ("%s()", __func__);
5827     btm_cb.sec_collision_tle.param = 0;
5828 
5829     tBTM_STATUS status = btm_sec_execute_procedure (btm_cb.p_collided_dev_rec);
5830 
5831     /* If result is pending reply from the user or from the device is pending */
5832     if (status != BTM_CMD_STARTED)
5833     {
5834         /* There is no next procedure or start of procedure failed, notify the waiting layer */
5835         btm_sec_dev_rec_cback_event (btm_cb.p_collided_dev_rec, status, FALSE);
5836     }
5837 }
5838 
5839 /*******************************************************************************
5840 **
5841 ** Function         btm_sec_link_key_request
5842 **
5843 ** Description      This function is called when controller requests link key
5844 **
5845 ** Returns          Pointer to the record or NULL
5846 **
5847 *******************************************************************************/
btm_send_link_key_notif(tBTM_SEC_DEV_REC * p_dev_rec)5848 static void btm_send_link_key_notif (tBTM_SEC_DEV_REC *p_dev_rec)
5849 {
5850     if (btm_cb.api.p_link_key_callback)
5851         (*btm_cb.api.p_link_key_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
5852                                            p_dev_rec->sec_bd_name, p_dev_rec->link_key,
5853                                            p_dev_rec->link_key_type);
5854 }
5855 
5856 /*******************************************************************************
5857 **
5858 ** Function         BTM_ReadTrustedMask
5859 **
5860 ** Description      Get trusted mask for the peer device
5861 **
5862 ** Parameters:      bd_addr   - Address of the device
5863 **
5864 ** Returns          NULL, if the device record is not found.
5865 **                  otherwise, the trusted mask
5866 **
5867 *******************************************************************************/
BTM_ReadTrustedMask(BD_ADDR bd_addr)5868 UINT32 * BTM_ReadTrustedMask (BD_ADDR bd_addr)
5869 {
5870     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr);
5871     if (p_dev_rec != NULL)
5872         return(p_dev_rec->trusted_mask);
5873     return NULL;
5874 }
5875 
5876 /*******************************************************************************
5877 **
5878 ** Function         btm_restore_mode
5879 **
5880 ** Description      This function returns the security mode to previous setting
5881 **                  if it was changed during bonding.
5882 **
5883 **
5884 ** Parameters:      void
5885 **
5886 *******************************************************************************/
btm_restore_mode(void)5887 static void btm_restore_mode(void)
5888 {
5889     if (btm_cb.security_mode_changed)
5890     {
5891         btm_cb.security_mode_changed = FALSE;
5892         BTM_TRACE_DEBUG("%s() Auth enable -> %d", __func__, (btm_cb.security_mode == BTM_SEC_MODE_LINK));
5893         btsnd_hcic_write_auth_enable ((UINT8)(btm_cb.security_mode == BTM_SEC_MODE_LINK));
5894     }
5895 
5896     if (btm_cb.pin_type_changed)
5897     {
5898         btm_cb.pin_type_changed = FALSE;
5899         btsnd_hcic_write_pin_type (btm_cb.cfg.pin_type);
5900     }
5901 }
5902 
5903 
5904 /*******************************************************************************
5905 **
5906 ** Function         btm_sec_find_dev_by_sec_state
5907 **
5908 ** Description      Look for the record in the device database for the device
5909 **                  which is being authenticated or encrypted
5910 **
5911 ** Returns          Pointer to the record or NULL
5912 **
5913 *******************************************************************************/
btm_sec_find_dev_by_sec_state(UINT8 state)5914 tBTM_SEC_DEV_REC *btm_sec_find_dev_by_sec_state (UINT8 state)
5915 {
5916     tBTM_SEC_DEV_REC *p_dev_rec = &btm_cb.sec_dev_rec[0];
5917 
5918     for (int i = 0; i < BTM_SEC_MAX_DEVICE_RECORDS; i++, p_dev_rec++)
5919     {
5920         if ((p_dev_rec->sec_flags & BTM_SEC_IN_USE)
5921             && (p_dev_rec->sec_state == state))
5922             return(p_dev_rec);
5923     }
5924     return(NULL);
5925 }
5926 
5927 /*******************************************************************************
5928 **
5929 ** Function         btm_sec_change_pairing_state
5930 **
5931 ** Description      This function is called to change pairing state
5932 **
5933 *******************************************************************************/
btm_sec_change_pairing_state(tBTM_PAIRING_STATE new_state)5934 static void btm_sec_change_pairing_state (tBTM_PAIRING_STATE new_state)
5935 {
5936     tBTM_PAIRING_STATE  old_state = btm_cb.pairing_state;
5937 
5938     BTM_TRACE_EVENT ("%s()  Old: %s", __func__, btm_pair_state_descr(btm_cb.pairing_state));
5939     BTM_TRACE_EVENT ("%s()  New: %s pairing_flags:0x%x", __func__,
5940             btm_pair_state_descr(new_state), btm_cb.pairing_flags);
5941 
5942     btm_cb.pairing_state = new_state;
5943 
5944     if (new_state == BTM_PAIR_STATE_IDLE)
5945     {
5946         btu_stop_timer (&btm_cb.pairing_tle);
5947 
5948         btm_cb.pairing_flags = 0;
5949         btm_cb.pin_code_len  = 0;
5950 
5951         /* Make sure the the lcb shows we are not bonding */
5952         l2cu_update_lcb_4_bonding (btm_cb.pairing_bda, FALSE);
5953 
5954         btm_restore_mode();
5955         btm_sec_check_pending_reqs();
5956         btm_inq_clear_ssp();
5957 
5958         memset (btm_cb.pairing_bda, 0xFF, BD_ADDR_LEN);
5959     }
5960     else
5961     {
5962         /* If transitionng out of idle, mark the lcb as bonding */
5963         if (old_state == BTM_PAIR_STATE_IDLE)
5964             l2cu_update_lcb_4_bonding (btm_cb.pairing_bda, TRUE);
5965 
5966         btm_cb.pairing_tle.param = (TIMER_PARAM_TYPE)btm_sec_pairing_timeout;
5967 
5968         btu_start_timer (&btm_cb.pairing_tle, BTU_TTYPE_USER_FUNC, BTM_SEC_TIMEOUT_VALUE);
5969     }
5970 }
5971 
5972 
5973 /*******************************************************************************
5974 **
5975 ** Function         btm_pair_state_descr
5976 **
5977 ** Description      Return state description for tracing
5978 **
5979 *******************************************************************************/
5980 #if (BT_USE_TRACES == TRUE)
btm_pair_state_descr(tBTM_PAIRING_STATE state)5981 static char *btm_pair_state_descr (tBTM_PAIRING_STATE state)
5982 {
5983 #if (BT_TRACE_VERBOSE == TRUE)
5984     switch (state)
5985     {
5986         case BTM_PAIR_STATE_IDLE:                   return("IDLE");
5987         case BTM_PAIR_STATE_GET_REM_NAME:           return("GET_REM_NAME");
5988         case BTM_PAIR_STATE_WAIT_PIN_REQ:           return("WAIT_PIN_REQ");
5989         case BTM_PAIR_STATE_WAIT_LOCAL_PIN:         return("WAIT_LOCAL_PIN");
5990         case BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM:   return("WAIT_NUM_CONFIRM");
5991         case BTM_PAIR_STATE_KEY_ENTRY:              return("KEY_ENTRY");
5992         case BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP:     return("WAIT_LOCAL_OOB_RSP");
5993         case BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS:      return("WAIT_LOCAL_IOCAPS");
5994         case BTM_PAIR_STATE_INCOMING_SSP:           return("INCOMING_SSP");
5995         case BTM_PAIR_STATE_WAIT_AUTH_COMPLETE:     return("WAIT_AUTH_COMPLETE");
5996         case BTM_PAIR_STATE_WAIT_DISCONNECT:        return("WAIT_DISCONNECT");
5997     }
5998 
5999     return("???");
6000 #else
6001     sprintf(btm_cb.state_temp_buffer,"%hhu",state);
6002 
6003     return(btm_cb.state_temp_buffer);
6004 #endif
6005 }
6006 #endif
6007 
6008 /*******************************************************************************
6009 **
6010 ** Function         btm_sec_dev_rec_cback_event
6011 **
6012 ** Description      This function calls the callback function with the given
6013 **                  result and clear the callback function.
6014 **
6015 ** Parameters:      void
6016 **
6017 *******************************************************************************/
btm_sec_dev_rec_cback_event(tBTM_SEC_DEV_REC * p_dev_rec,UINT8 res,BOOLEAN is_le_transport)6018 void btm_sec_dev_rec_cback_event (tBTM_SEC_DEV_REC *p_dev_rec, UINT8 res, BOOLEAN is_le_transport)
6019 {
6020     tBTM_SEC_CALLBACK   *p_callback = p_dev_rec->p_callback;
6021 
6022     if (p_dev_rec->p_callback)
6023     {
6024         p_dev_rec->p_callback = NULL;
6025 
6026 #if BLE_INCLUDED == TRUE
6027         if (is_le_transport)
6028            (*p_callback) (p_dev_rec->ble.pseudo_addr, BT_TRANSPORT_LE, p_dev_rec->p_ref_data, res);
6029         else
6030 #endif
6031            (*p_callback) (p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR, p_dev_rec->p_ref_data, res);
6032     }
6033 
6034     btm_sec_check_pending_reqs();
6035 }
6036 
6037 /*******************************************************************************
6038 **
6039 ** Function         btm_sec_queue_mx_request
6040 **
6041 ** Description      Return state description for tracing
6042 **
6043 *******************************************************************************/
btm_sec_queue_mx_request(BD_ADDR bd_addr,UINT16 psm,BOOLEAN is_orig,UINT32 mx_proto_id,UINT32 mx_chan_id,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data)6044 static BOOLEAN btm_sec_queue_mx_request (BD_ADDR bd_addr,  UINT16 psm,  BOOLEAN is_orig,
6045                                          UINT32 mx_proto_id, UINT32 mx_chan_id,
6046                                          tBTM_SEC_CALLBACK *p_callback, void *p_ref_data)
6047 {
6048     tBTM_SEC_QUEUE_ENTRY *p_e = (tBTM_SEC_QUEUE_ENTRY *)GKI_getbuf (sizeof(tBTM_SEC_QUEUE_ENTRY));
6049 
6050     if (p_e)
6051     {
6052         p_e->psm            = psm;
6053         p_e->is_orig        = is_orig;
6054         p_e->p_callback     = p_callback;
6055         p_e->p_ref_data     = p_ref_data;
6056         p_e->mx_proto_id    = mx_proto_id;
6057         p_e->mx_chan_id     = mx_chan_id;
6058         p_e->transport      = BT_TRANSPORT_BR_EDR;
6059 
6060         memcpy (p_e->bd_addr, bd_addr, BD_ADDR_LEN);
6061 
6062         BTM_TRACE_EVENT ("%s() PSM: 0x%04x  Is_Orig: %u  mx_proto_id: %u  mx_chan_id: %u",
6063                           __func__, psm, is_orig, mx_proto_id, mx_chan_id);
6064 
6065         GKI_enqueue (&btm_cb.sec_pending_q, p_e);
6066 
6067         return(TRUE);
6068     }
6069 
6070     return(FALSE);
6071 }
6072 
btm_sec_check_prefetch_pin(tBTM_SEC_DEV_REC * p_dev_rec)6073 static BOOLEAN btm_sec_check_prefetch_pin (tBTM_SEC_DEV_REC  *p_dev_rec)
6074 {
6075     UINT8 major = (UINT8)(p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK);
6076     UINT8 minor = (UINT8)(p_dev_rec->dev_class[2] & BTM_COD_MINOR_CLASS_MASK);
6077     BOOLEAN rv = FALSE;
6078 
6079     if ((major == BTM_COD_MAJOR_AUDIO)
6080         &&  ((minor == BTM_COD_MINOR_CONFM_HANDSFREE) || (minor == BTM_COD_MINOR_CAR_AUDIO)) )
6081     {
6082         BTM_TRACE_EVENT ("%s() Skipping pre-fetch PIN for carkit COD Major: 0x%02x Minor: 0x%02x",
6083             __func__, major, minor);
6084 
6085         if (btm_cb.security_mode_changed == FALSE)
6086         {
6087             btm_cb.security_mode_changed = TRUE;
6088 #ifdef APPL_AUTH_WRITE_EXCEPTION
6089             if(!(APPL_AUTH_WRITE_EXCEPTION)(p_dev_rec->bd_addr))
6090 #endif
6091                 btsnd_hcic_write_auth_enable (TRUE);
6092         }
6093     }
6094     else
6095     {
6096         btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_PIN);
6097 
6098         /* If we got a PIN, use that, else try to get one */
6099         if (btm_cb.pin_code_len)
6100         {
6101             BTM_PINCodeReply (p_dev_rec->bd_addr, BTM_SUCCESS, btm_cb.pin_code_len, btm_cb.pin_code, p_dev_rec->trusted_mask);
6102         }
6103         else
6104         {
6105             /* pin was not supplied - pre-fetch pin code now */
6106             if (btm_cb.api.p_pin_callback && ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PIN_REQD) == 0))
6107             {
6108                 BTM_TRACE_DEBUG("%s() PIN code callback called", __func__);
6109                 if (btm_bda_to_acl(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR) == NULL)
6110                 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
6111                 (btm_cb.api.p_pin_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
6112                         p_dev_rec->sec_bd_name, (p_dev_rec->p_cur_service == NULL) ? FALSE
6113                                 : (p_dev_rec->p_cur_service->security_flags
6114                                    & BTM_SEC_IN_MIN_16_DIGIT_PIN));
6115             }
6116         }
6117 
6118         rv = TRUE;
6119     }
6120 
6121     return rv;
6122 }
6123 
6124 /*******************************************************************************
6125 **
6126 ** Function         btm_sec_auth_payload_tout
6127 **
6128 ** Description      Processes the HCI Autheniticated Payload Timeout Event
6129 **                  indicating that a packet containing a valid MIC on the
6130 **                  connection handle was not received within the programmed
6131 **                  timeout value. (Spec Default is 30 secs, but can be
6132 **                  changed via the BTM_SecSetAuthPayloadTimeout() function.
6133 **
6134 *******************************************************************************/
btm_sec_auth_payload_tout(UINT8 * p,UINT16 hci_evt_len)6135 void btm_sec_auth_payload_tout (UINT8 *p, UINT16 hci_evt_len)
6136 {
6137     UINT16 handle;
6138 
6139     STREAM_TO_UINT16 (handle, p);
6140     handle = HCID_GET_HANDLE (handle);
6141 
6142     /* Will be exposed to upper layers in the future if/when determined necessary */
6143     BTM_TRACE_ERROR ("%s on handle 0x%02x", __func__, handle);
6144 }
6145 
6146 /*******************************************************************************
6147 **
6148 ** Function         btm_sec_queue_encrypt_request
6149 **
6150 ** Description      encqueue encryption request when device has active security
6151 **                  process pending.
6152 **
6153 *******************************************************************************/
btm_sec_queue_encrypt_request(BD_ADDR bd_addr,tBT_TRANSPORT transport,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data)6154 static BOOLEAN btm_sec_queue_encrypt_request (BD_ADDR bd_addr, tBT_TRANSPORT transport,
6155                                          tBTM_SEC_CALLBACK *p_callback, void *p_ref_data)
6156 {
6157     tBTM_SEC_QUEUE_ENTRY  *p_e;
6158     p_e = (tBTM_SEC_QUEUE_ENTRY *)GKI_getbuf(sizeof(tBTM_SEC_QUEUE_ENTRY) + 1);
6159 
6160     if (p_e)
6161     {
6162         p_e->psm  = 0;  /* if PSM 0, encryption request */
6163         p_e->p_callback  = p_callback;
6164         p_e->p_ref_data = (void *)(p_e + 1);
6165         *(UINT8 *)p_e->p_ref_data = *(UINT8 *)(p_ref_data);
6166         p_e->transport  = transport;
6167         memcpy(p_e->bd_addr, bd_addr, BD_ADDR_LEN);
6168         GKI_enqueue(&btm_cb.sec_pending_q, p_e);
6169         return TRUE;
6170     }
6171 
6172     return FALSE;
6173 }
6174 
6175 /*******************************************************************************
6176 **
6177 ** Function         btm_sec_set_peer_sec_caps
6178 **
6179 ** Description      This function is called to set sm4 and rmt_sec_caps fields
6180 **                  based on the available peer device features.
6181 **
6182 ** Returns          void
6183 **
6184 *******************************************************************************/
btm_sec_set_peer_sec_caps(tACL_CONN * p_acl_cb,tBTM_SEC_DEV_REC * p_dev_rec)6185 void btm_sec_set_peer_sec_caps(tACL_CONN *p_acl_cb, tBTM_SEC_DEV_REC *p_dev_rec)
6186 {
6187     BD_ADDR     rem_bd_addr;
6188     UINT8       *p_rem_bd_addr;
6189 
6190     if ((btm_cb.security_mode == BTM_SEC_MODE_SP ||
6191          btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
6192          btm_cb.security_mode == BTM_SEC_MODE_SC) &&
6193         HCI_SSP_HOST_SUPPORTED(p_acl_cb->peer_lmp_features[HCI_EXT_FEATURES_PAGE_1]))
6194     {
6195         p_dev_rec->sm4 = BTM_SM4_TRUE;
6196         p_dev_rec->remote_supports_secure_connections =
6197             (HCI_SC_HOST_SUPPORTED(p_acl_cb->peer_lmp_features[HCI_EXT_FEATURES_PAGE_1]));
6198     }
6199     else
6200     {
6201         p_dev_rec->sm4 = BTM_SM4_KNOWN;
6202         p_dev_rec->remote_supports_secure_connections = FALSE;
6203     }
6204 
6205     BTM_TRACE_API("%s: sm4: 0x%02x, rmt_support_for_secure_connections %d", __FUNCTION__,
6206                   p_dev_rec->sm4, p_dev_rec->remote_supports_secure_connections);
6207 
6208 
6209     if (p_dev_rec->remote_features_needed)
6210     {
6211         BTM_TRACE_EVENT("%s: Now device in SC Only mode, waiting for peer remote features!",
6212                         __FUNCTION__);
6213         p_rem_bd_addr = (UINT8*) rem_bd_addr;
6214         BDADDR_TO_STREAM(p_rem_bd_addr, p_dev_rec->bd_addr);
6215         p_rem_bd_addr = (UINT8*) rem_bd_addr;
6216         btm_io_capabilities_req(p_rem_bd_addr);
6217         p_dev_rec->remote_features_needed = FALSE;
6218     }
6219 }
6220 
6221 /*******************************************************************************
6222 **
6223 ** Function         btm_sec_clean_pending_req_queue
6224 **
6225 ** Description      This function cleans up the pending security request when the
6226 **                  link to the target device dropped.
6227 **
6228 ** Returns          void
6229 **
6230 *******************************************************************************/
btm_sec_clean_pending_req_queue(BD_ADDR remote_bda,tBT_TRANSPORT transport)6231 static void btm_sec_clean_pending_req_queue (BD_ADDR remote_bda, tBT_TRANSPORT transport)
6232 {
6233     tBTM_SEC_QUEUE_ENTRY    *p_e;
6234     BUFFER_Q                *bq = &btm_cb.sec_pending_q;
6235 
6236     p_e = (tBTM_SEC_QUEUE_ENTRY *)GKI_getfirst(bq);
6237 
6238     if (p_e != NULL)
6239     {
6240         if (memcmp(p_e->bd_addr, remote_bda, BD_ADDR_LEN) == 0
6241 #if BLE_INCLUDED == TRUE
6242             && p_e->transport == transport
6243 #endif
6244             )
6245         {
6246             (*p_e->p_callback) (remote_bda, transport, p_e->p_ref_data, BTM_ERR_PROCESSING);
6247             GKI_remove_from_queue(bq, (void *)p_e);
6248         }
6249         p_e = (tBTM_SEC_QUEUE_ENTRY *) GKI_getnext ((void *)p_e);
6250     }
6251 }
6252 
6253 /*******************************************************************************
6254 **
6255 ** Function         btm_sec_is_serv_level0
6256 **
6257 ** Description      This function is called to check if the service corresponding
6258 **                  to PSM is security mode 4 level 0 service.
6259 **
6260 ** Returns          TRUE if the service is security mode 4 level 0 service
6261 **
6262 *******************************************************************************/
btm_sec_is_serv_level0(UINT16 psm)6263 static BOOLEAN btm_sec_is_serv_level0(UINT16 psm)
6264 {
6265     if (psm == BT_PSM_SDP)
6266     {
6267         BTM_TRACE_DEBUG("%s: PSM: 0x%04x -> mode 4 level 0 service", __FUNCTION__, psm);
6268         return TRUE;
6269     }
6270     return FALSE;
6271 }
6272 
6273 /*******************************************************************************
6274 **
6275 ** Function         btm_sec_check_pending_enc_req
6276 **
6277 ** Description      This function is called to send pending encryption callback if
6278 **                  waiting
6279 **
6280 ** Returns          void
6281 **
6282 *******************************************************************************/
btm_sec_check_pending_enc_req(tBTM_SEC_DEV_REC * p_dev_rec,tBT_TRANSPORT transport,UINT8 encr_enable)6283 static void btm_sec_check_pending_enc_req (tBTM_SEC_DEV_REC  *p_dev_rec, tBT_TRANSPORT transport,
6284                                             UINT8 encr_enable)
6285 {
6286     tBTM_SEC_QUEUE_ENTRY    *p_e;
6287     BUFFER_Q                *bq = &btm_cb.sec_pending_q;
6288     UINT8                   res = encr_enable ? BTM_SUCCESS : BTM_ERR_PROCESSING;
6289 
6290     p_e = (tBTM_SEC_QUEUE_ENTRY *)GKI_getfirst(bq);
6291 
6292     while (p_e != NULL)
6293     {
6294         if (memcmp(p_e->bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0 && p_e->psm == 0
6295 #if BLE_INCLUDED == TRUE
6296             && p_e->transport == transport
6297 #endif
6298             )
6299         {
6300 #if BLE_INCLUDED == TRUE
6301             UINT8 sec_act = *(UINT8 *)(p_e->p_ref_data);
6302 #endif
6303 
6304             if (encr_enable == 0 || transport == BT_TRANSPORT_BR_EDR
6305 #if BLE_INCLUDED == TRUE
6306                 || (sec_act == BTM_BLE_SEC_ENCRYPT || sec_act == BTM_BLE_SEC_ENCRYPT_NO_MITM)
6307                 || (sec_act == BTM_BLE_SEC_ENCRYPT_MITM && p_dev_rec->sec_flags
6308                     & BTM_SEC_LE_AUTHENTICATED)
6309 #endif
6310                )
6311             {
6312                 (*p_e->p_callback) (p_dev_rec->bd_addr, transport, p_e->p_ref_data, res);
6313                 GKI_remove_from_queue(bq, (void *)p_e);
6314             }
6315         }
6316         p_e = (tBTM_SEC_QUEUE_ENTRY *) GKI_getnext ((void *)p_e);
6317     }
6318 }
6319 
6320 /*******************************************************************************
6321 **
6322 ** Function         btm_sec_set_serv_level4_flags
6323 **
6324 ** Description      This function is called to set security mode 4 level 4 flags.
6325 **
6326 ** Returns          service security requirements updated to include secure
6327 **                  connections only mode.
6328 **
6329 *******************************************************************************/
btm_sec_set_serv_level4_flags(UINT16 cur_security,BOOLEAN is_originator)6330 static UINT16 btm_sec_set_serv_level4_flags(UINT16 cur_security, BOOLEAN is_originator)
6331 {
6332     UINT16  sec_level4_flags = is_originator ? BTM_SEC_OUT_LEVEL4_FLAGS : BTM_SEC_IN_LEVEL4_FLAGS;
6333 
6334     return cur_security | sec_level4_flags;
6335 }
6336 
6337 /*******************************************************************************
6338 **
6339 ** Function         btm_sec_clear_ble_keys
6340 **
6341 ** Description      This function is called to clear out the BLE keys.
6342 **                  Typically when devices are removed in BTM_SecDeleteDevice,
6343 **                  or when a new BT Link key is generated.
6344 **
6345 ** Returns          void
6346 **
6347 *******************************************************************************/
btm_sec_clear_ble_keys(tBTM_SEC_DEV_REC * p_dev_rec)6348 void btm_sec_clear_ble_keys (tBTM_SEC_DEV_REC  *p_dev_rec)
6349 {
6350 
6351     BTM_TRACE_DEBUG ("%s() Clearing BLE Keys", __func__);
6352 #if (SMP_INCLUDED== TRUE)
6353     p_dev_rec->ble.key_type = BTM_LE_KEY_NONE;
6354     memset (&p_dev_rec->ble.keys, 0, sizeof(tBTM_SEC_BLE_KEYS));
6355 
6356 #if (BLE_PRIVACY_SPT == TRUE)
6357     btm_ble_resolving_list_remove_dev(p_dev_rec);
6358 #endif
6359 #endif
6360 }
6361 
6362 /*******************************************************************************
6363 **
6364 ** Function         btm_sec_is_a_bonded_dev
6365 **
6366 ** Description       Is the specified device is a bonded device
6367 **
6368 ** Returns          TRUE - dev is bonded
6369 **
6370 *******************************************************************************/
btm_sec_is_a_bonded_dev(BD_ADDR bda)6371 BOOLEAN btm_sec_is_a_bonded_dev (BD_ADDR bda)
6372 {
6373 
6374     tBTM_SEC_DEV_REC *p_dev_rec= btm_find_dev (bda);
6375     BOOLEAN is_bonded= FALSE;
6376 
6377     if (p_dev_rec &&
6378 #if (SMP_INCLUDED == TRUE)
6379         ((p_dev_rec->ble.key_type && (p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_KNOWN))||
6380 #else
6381         (
6382 #endif
6383          (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)))
6384     {
6385         is_bonded = TRUE;
6386     }
6387     BTM_TRACE_DEBUG ("%s() is_bonded=%d", __func__, is_bonded);
6388     return(is_bonded);
6389 }
6390 
6391 /*******************************************************************************
6392 **
6393 ** Function         btm_sec_is_le_capable_dev
6394 **
6395 ** Description       Is the specified device is dual mode or LE only device
6396 **
6397 ** Returns          TRUE - dev is a dual mode
6398 **
6399 *******************************************************************************/
btm_sec_is_le_capable_dev(BD_ADDR bda)6400 BOOLEAN btm_sec_is_le_capable_dev (BD_ADDR bda)
6401 {
6402     tBTM_SEC_DEV_REC *p_dev_rec= btm_find_dev (bda);
6403     BOOLEAN le_capable = FALSE;
6404 
6405 #if (BLE_INCLUDED== TRUE)
6406     if (p_dev_rec && (p_dev_rec->device_type & BT_DEVICE_TYPE_BLE) == BT_DEVICE_TYPE_BLE)
6407         le_capable  = TRUE;
6408 #endif
6409     return le_capable;
6410 }
6411 
6412 /*******************************************************************************
6413 **
6414 ** Function         btm_sec_find_bonded_dev
6415 **
6416 ** Description      Find a bonded device starting from the specified index
6417 **
6418 ** Returns          TRUE - found a bonded device
6419 **
6420 *******************************************************************************/
btm_sec_find_bonded_dev(UINT8 start_idx,UINT8 * p_found_idx,tBTM_SEC_DEV_REC ** p_rec)6421 BOOLEAN btm_sec_find_bonded_dev (UINT8 start_idx, UINT8 *p_found_idx, tBTM_SEC_DEV_REC **p_rec)
6422 {
6423     BOOLEAN found= FALSE;
6424 
6425 #if (SMP_INCLUDED== TRUE)
6426     tBTM_SEC_DEV_REC *p_dev_rec;
6427     int i;
6428     if (start_idx >= BTM_SEC_MAX_DEVICE_RECORDS)
6429     {
6430         BTM_TRACE_DEBUG ("LE bonded device not found");
6431         return found;
6432     }
6433 
6434     p_dev_rec = &btm_cb.sec_dev_rec[start_idx];
6435     for (i = start_idx; i < BTM_SEC_MAX_DEVICE_RECORDS; i++, p_dev_rec++)
6436     {
6437         if (p_dev_rec->ble.key_type || (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN))
6438         {
6439             *p_found_idx = i;
6440             *p_rec = p_dev_rec;
6441             break;
6442         }
6443     }
6444     BTM_TRACE_DEBUG ("%s() found=%d", __func__, found);
6445 #endif
6446     return(found);
6447 }
6448 
6449 /*******************************************************************************
6450 **
6451 ** Function         btm_sec_use_smp_br_chnl
6452 **
6453 ** Description      The function checks if SMP BR connection can be used with
6454 **                  the peer.
6455 **                  Is called when authentication for dedicated bonding is
6456 **                  successfully completed.
6457 **
6458 ** Returns          TRUE - if SMP BR connection can be used (the link key is
6459 **                         generated from P-256 and the peer supports Security
6460 **                         Manager over BR).
6461 **
6462 *******************************************************************************/
btm_sec_use_smp_br_chnl(tBTM_SEC_DEV_REC * p_dev_rec)6463 static BOOLEAN btm_sec_use_smp_br_chnl(tBTM_SEC_DEV_REC *p_dev_rec)
6464 {
6465     UINT32  ext_feat;
6466     UINT8   chnl_mask[L2CAP_FIXED_CHNL_ARRAY_SIZE];
6467 
6468     BTM_TRACE_DEBUG ("%s() link_key_type = 0x%x", __func__,
6469                       p_dev_rec->link_key_type);
6470 
6471     if ((p_dev_rec->link_key_type != BTM_LKEY_TYPE_UNAUTH_COMB_P_256) &&
6472         (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256))
6473          return FALSE;
6474 
6475     if (!L2CA_GetPeerFeatures (p_dev_rec->bd_addr, &ext_feat, chnl_mask))
6476         return FALSE;
6477 
6478     if (!(chnl_mask[0] & L2CAP_FIXED_CHNL_SMP_BR_BIT))
6479         return FALSE;
6480 
6481     return TRUE;
6482 }
6483 
6484 /*******************************************************************************
6485 **
6486 ** Function         btm_sec_is_master
6487 **
6488 ** Description      The function checks if the device is BR/EDR master after
6489 **                  pairing is completed.
6490 **
6491 ** Returns          TRUE - if the device is master.
6492 **
6493 *******************************************************************************/
btm_sec_is_master(tBTM_SEC_DEV_REC * p_dev_rec)6494 static BOOLEAN btm_sec_is_master(tBTM_SEC_DEV_REC *p_dev_rec)
6495 {
6496     tACL_CONN *p= btm_bda_to_acl(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR);
6497     return (p && (p->link_role == BTM_ROLE_MASTER));
6498 }
6499 
6500