1 /******************************************************************************
2 *
3 * Copyright (C) 1999-2012 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18
19 /******************************************************************************
20 *
21 * This file contains functions for the Bluetooth Security Manager
22 *
23 ******************************************************************************/
24
25 #define LOG_TAG "bt_btm_sec"
26
27 #include <stdarg.h>
28 #include <string.h>
29
30 #include "bt_types.h"
31 #include "device/include/controller.h"
32 #include "hcimsgs.h"
33 #include "btu.h"
34 #include "btm_int.h"
35 #include "l2c_int.h"
36 #include "bt_utils.h"
37 #include "osi/include/log.h"
38
39 #if (BT_USE_TRACES == TRUE && BT_TRACE_VERBOSE == FALSE)
40 /* needed for sprintf() */
41 #include <stdio.h>
42 #endif
43
44 #if BLE_INCLUDED == TRUE
45 #include "gatt_int.h"
46 #endif
47
48 #define BTM_SEC_MAX_COLLISION_DELAY (5000)
49
50 #ifdef APPL_AUTH_WRITE_EXCEPTION
51 BOOLEAN (APPL_AUTH_WRITE_EXCEPTION)(BD_ADDR bd_addr);
52 #endif
53
54
55 /********************************************************************************
56 ** L O C A L F U N C T I O N P R O T O T Y P E S *
57 *********************************************************************************/
58 static tBTM_SEC_SERV_REC *btm_sec_find_first_serv (BOOLEAN is_originator, UINT16 psm);
59 static tBTM_SEC_SERV_REC *btm_sec_find_next_serv (tBTM_SEC_SERV_REC *p_cur);
60 static tBTM_SEC_SERV_REC *btm_sec_find_mx_serv (UINT8 is_originator, UINT16 psm,
61 UINT32 mx_proto_id,
62 UINT32 mx_chan_id);
63
64 static tBTM_STATUS btm_sec_execute_procedure (tBTM_SEC_DEV_REC *p_dev_rec);
65 static BOOLEAN btm_sec_start_get_name (tBTM_SEC_DEV_REC *p_dev_rec);
66 static BOOLEAN btm_sec_start_authentication (tBTM_SEC_DEV_REC *p_dev_rec);
67 static BOOLEAN btm_sec_start_encryption (tBTM_SEC_DEV_REC *p_dev_rec);
68 static void btm_sec_collision_timeout (TIMER_LIST_ENT *p_tle);
69 static void btm_restore_mode(void);
70 static void btm_sec_pairing_timeout (TIMER_LIST_ENT *p_tle);
71 static tBTM_STATUS btm_sec_dd_create_conn (tBTM_SEC_DEV_REC *p_dev_rec);
72 static void btm_sec_change_pairing_state (tBTM_PAIRING_STATE new_state);
73
74 #if (BT_USE_TRACES == TRUE)
75 static char *btm_pair_state_descr (tBTM_PAIRING_STATE state);
76 #endif
77
78 static void btm_sec_check_pending_reqs(void);
79 static BOOLEAN btm_sec_queue_mx_request (BD_ADDR bd_addr, UINT16 psm, BOOLEAN is_orig,
80 UINT32 mx_proto_id, UINT32 mx_chan_id,
81 tBTM_SEC_CALLBACK *p_callback, void *p_ref_data);
82 static void btm_sec_bond_cancel_complete (void);
83 static void btm_send_link_key_notif (tBTM_SEC_DEV_REC *p_dev_rec);
84 static BOOLEAN btm_sec_check_prefetch_pin (tBTM_SEC_DEV_REC *p_dev_rec);
85
86 static UINT8 btm_sec_start_authorization (tBTM_SEC_DEV_REC *p_dev_rec);
87 BOOLEAN btm_sec_are_all_trusted(UINT32 p_mask[]);
88
89 static tBTM_STATUS btm_sec_send_hci_disconnect (tBTM_SEC_DEV_REC *p_dev_rec, UINT8 reason, UINT16 conn_handle);
90 UINT8 btm_sec_start_role_switch (tBTM_SEC_DEV_REC *p_dev_rec);
91 tBTM_SEC_DEV_REC *btm_sec_find_dev_by_sec_state (UINT8 state);
92
93 static BOOLEAN btm_sec_set_security_level ( CONNECTION_TYPE conn_type, char *p_name, UINT8 service_id,
94 UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id,
95 UINT32 mx_chan_id);
96
97 static BOOLEAN btm_dev_authenticated(tBTM_SEC_DEV_REC *p_dev_rec);
98 static BOOLEAN btm_dev_encrypted(tBTM_SEC_DEV_REC *p_dev_rec);
99 static BOOLEAN btm_dev_authorized(tBTM_SEC_DEV_REC *p_dev_rec);
100 static BOOLEAN btm_serv_trusted(tBTM_SEC_DEV_REC *p_dev_rec, tBTM_SEC_SERV_REC *p_serv_rec);
101 static BOOLEAN btm_sec_is_serv_level0 (UINT16 psm);
102 static UINT16 btm_sec_set_serv_level4_flags (UINT16 cur_security, BOOLEAN is_originator);
103
104 static BOOLEAN btm_sec_queue_encrypt_request (BD_ADDR bd_addr, tBT_TRANSPORT transport,
105 tBTM_SEC_CALLBACK *p_callback, void *p_ref_data);
106 static void btm_sec_clean_pending_req_queue (BD_ADDR remote_bda, tBT_TRANSPORT transport) ;
107 static void btm_sec_check_pending_enc_req (tBTM_SEC_DEV_REC *p_dev_rec, tBT_TRANSPORT transport,
108 UINT8 encr_enable);
109 static BOOLEAN btm_sec_acceptor_rejects_bonding (tBTM_SEC_DEV_REC *p_dev_rec);
110
111 static BOOLEAN btm_sec_use_smp_br_chnl(tBTM_SEC_DEV_REC *p_dev_rec);
112 static BOOLEAN btm_sec_is_master(tBTM_SEC_DEV_REC *p_dev_rec);
113
114 /* TRUE - authenticated link key is possible */
115 static const BOOLEAN btm_sec_io_map [BTM_IO_CAP_MAX][BTM_IO_CAP_MAX] =
116 {
117 /* OUT, IO, IN, NONE */
118 /* OUT */ {FALSE, FALSE, TRUE, FALSE},
119 /* IO */ {FALSE, TRUE, TRUE, FALSE},
120 /* IN */ {TRUE, TRUE, TRUE, FALSE},
121 /* NONE */ {FALSE, FALSE, FALSE, FALSE}
122 };
123 /* BTM_IO_CAP_OUT 0 DisplayOnly */
124 /* BTM_IO_CAP_IO 1 DisplayYesNo */
125 /* BTM_IO_CAP_IN 2 KeyboardOnly */
126 /* BTM_IO_CAP_NONE 3 NoInputNoOutput */
127
128 /*******************************************************************************
129 **
130 ** Function btm_dev_authenticated
131 **
132 ** Description check device is authenticated
133 **
134 ** Returns BOOLEAN TRUE or FALSE
135 **
136 *******************************************************************************/
btm_dev_authenticated(tBTM_SEC_DEV_REC * p_dev_rec)137 static BOOLEAN btm_dev_authenticated (tBTM_SEC_DEV_REC *p_dev_rec)
138 {
139 if(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)
140 {
141 return(TRUE);
142 }
143 return(FALSE);
144 }
145
146 /*******************************************************************************
147 **
148 ** Function btm_dev_encrypted
149 **
150 ** Description check device is encrypted
151 **
152 ** Returns BOOLEAN TRUE or FALSE
153 **
154 *******************************************************************************/
btm_dev_encrypted(tBTM_SEC_DEV_REC * p_dev_rec)155 static BOOLEAN btm_dev_encrypted (tBTM_SEC_DEV_REC *p_dev_rec)
156 {
157 if(p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)
158 {
159 return(TRUE);
160 }
161 return(FALSE);
162 }
163
164 /*******************************************************************************
165 **
166 ** Function btm_dev_authorized
167 **
168 ** Description check device is authorized
169 **
170 ** Returns BOOLEAN TRUE or FALSE
171 **
172 *******************************************************************************/
btm_dev_authorized(tBTM_SEC_DEV_REC * p_dev_rec)173 static BOOLEAN btm_dev_authorized (tBTM_SEC_DEV_REC *p_dev_rec)
174 {
175 if(p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED)
176 {
177 return(TRUE);
178 }
179 return(FALSE);
180 }
181
182 /*******************************************************************************
183 **
184 ** Function btm_dev_16_digit_authenticated
185 **
186 ** Description check device is authenticated by using 16 digit pin or MITM
187 **
188 ** Returns BOOLEAN TRUE or FALSE
189 **
190 *******************************************************************************/
btm_dev_16_digit_authenticated(tBTM_SEC_DEV_REC * p_dev_rec)191 static BOOLEAN btm_dev_16_digit_authenticated(tBTM_SEC_DEV_REC *p_dev_rec)
192 {
193 // BTM_SEC_16_DIGIT_PIN_AUTHED is set if MITM or 16 digit pin is used
194 if(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED)
195 {
196 return(TRUE);
197 }
198 return(FALSE);
199 }
200
201 /*******************************************************************************
202 **
203 ** Function btm_serv_trusted
204 **
205 ** Description check service is trusted
206 **
207 ** Returns BOOLEAN TRUE or FALSE
208 **
209 *******************************************************************************/
btm_serv_trusted(tBTM_SEC_DEV_REC * p_dev_rec,tBTM_SEC_SERV_REC * p_serv_rec)210 static BOOLEAN btm_serv_trusted(tBTM_SEC_DEV_REC *p_dev_rec, tBTM_SEC_SERV_REC *p_serv_rec)
211 {
212 if(BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask, p_serv_rec->service_id))
213 {
214 return(TRUE);
215 }
216 return(FALSE);
217 }
218
219 /*******************************************************************************
220 **
221 ** Function BTM_SecRegister
222 **
223 ** Description Application manager calls this function to register for
224 ** security services. There can be one and only one application
225 ** saving link keys. BTM allows only first registration.
226 **
227 ** Returns TRUE if registered OK, else FALSE
228 **
229 *******************************************************************************/
BTM_SecRegister(tBTM_APPL_INFO * p_cb_info)230 BOOLEAN BTM_SecRegister(tBTM_APPL_INFO *p_cb_info)
231 {
232 #if BLE_INCLUDED == TRUE
233 BT_OCTET16 temp_value = {0};
234 #endif
235
236 BTM_TRACE_EVENT("%s application registered", __func__);
237
238 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
239 LOG_INFO("%s p_cb_info->p_le_callback == 0x%p", __func__, p_cb_info->p_le_callback);
240 if (p_cb_info->p_le_callback)
241 {
242 #if SMP_INCLUDED == TRUE
243 BTM_TRACE_EVENT("%s SMP_Register( btm_proc_smp_cback )", __func__);
244 SMP_Register(btm_proc_smp_cback);
245 #endif
246 /* if no IR is loaded, need to regenerate all the keys */
247 if (memcmp(btm_cb.devcb.id_keys.ir, &temp_value, sizeof(BT_OCTET16)) == 0)
248 {
249 btm_ble_reset_id();
250 }
251 }
252 else
253 {
254 LOG_WARN("%s p_cb_info->p_le_callback == NULL", __func__);
255 }
256 #endif
257
258 btm_cb.api = *p_cb_info;
259 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
260 LOG_INFO("%s btm_cb.api.p_le_callback = 0x%p ", __func__, btm_cb.api.p_le_callback);
261 #endif
262 BTM_TRACE_EVENT("%s application registered", __func__);
263 return(TRUE);
264 }
265
266 /*******************************************************************************
267 **
268 ** Function BTM_SecRegisterLinkKeyNotificationCallback
269 **
270 ** Description Application manager calls this function to register for
271 ** link key notification. When there is nobody registered
272 ** we should avoid changing link key
273 **
274 ** Returns TRUE if registered OK, else FALSE
275 **
276 *******************************************************************************/
BTM_SecRegisterLinkKeyNotificationCallback(tBTM_LINK_KEY_CALLBACK * p_callback)277 BOOLEAN BTM_SecRegisterLinkKeyNotificationCallback (tBTM_LINK_KEY_CALLBACK *p_callback)
278 {
279 btm_cb.api.p_link_key_callback = p_callback;
280 return TRUE;
281 }
282
283 /*******************************************************************************
284 **
285 ** Function BTM_SecAddRmtNameNotifyCallback
286 **
287 ** Description Any profile can register to be notified when name of the
288 ** remote device is resolved.
289 **
290 ** Returns TRUE if registered OK, else FALSE
291 **
292 *******************************************************************************/
BTM_SecAddRmtNameNotifyCallback(tBTM_RMT_NAME_CALLBACK * p_callback)293 BOOLEAN BTM_SecAddRmtNameNotifyCallback (tBTM_RMT_NAME_CALLBACK *p_callback)
294 {
295 int i;
296
297 for (i = 0; i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
298 {
299 if (btm_cb.p_rmt_name_callback[i] == NULL)
300 {
301 btm_cb.p_rmt_name_callback[i] = p_callback;
302 return(TRUE);
303 }
304 }
305
306 return(FALSE);
307 }
308
309
310 /*******************************************************************************
311 **
312 ** Function BTM_SecDeleteRmtNameNotifyCallback
313 **
314 ** Description Any profile can deregister notification when a new Link Key
315 ** is generated per connection.
316 **
317 ** Returns TRUE if OK, else FALSE
318 **
319 *******************************************************************************/
BTM_SecDeleteRmtNameNotifyCallback(tBTM_RMT_NAME_CALLBACK * p_callback)320 BOOLEAN BTM_SecDeleteRmtNameNotifyCallback (tBTM_RMT_NAME_CALLBACK *p_callback)
321 {
322 int i;
323
324 for (i = 0; i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
325 {
326 if (btm_cb.p_rmt_name_callback[i] == p_callback)
327 {
328 btm_cb.p_rmt_name_callback[i] = NULL;
329 return(TRUE);
330 }
331 }
332
333 return(FALSE);
334 }
335
336 /*******************************************************************************
337 **
338 ** Function BTM_GetSecurityFlags
339 **
340 ** Description Get security flags for the device
341 **
342 ** Returns BOOLEAN TRUE or FALSE is device found
343 **
344 *******************************************************************************/
BTM_GetSecurityFlags(BD_ADDR bd_addr,UINT8 * p_sec_flags)345 BOOLEAN BTM_GetSecurityFlags (BD_ADDR bd_addr, UINT8 * p_sec_flags)
346 {
347 tBTM_SEC_DEV_REC *p_dev_rec;
348
349 if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
350 {
351 *p_sec_flags = (UINT8) p_dev_rec->sec_flags;
352 return(TRUE);
353 }
354 BTM_TRACE_ERROR ("BTM_GetSecurityFlags false");
355 return(FALSE);
356 }
357
358 /*******************************************************************************
359 **
360 ** Function BTM_GetSecurityFlagsByTransport
361 **
362 ** Description Get security flags for the device on a particular transport
363 **
364 ** Returns BOOLEAN TRUE or FALSE is device found
365 **
366 *******************************************************************************/
BTM_GetSecurityFlagsByTransport(BD_ADDR bd_addr,UINT8 * p_sec_flags,tBT_TRANSPORT transport)367 BOOLEAN BTM_GetSecurityFlagsByTransport (BD_ADDR bd_addr, UINT8 * p_sec_flags,
368 tBT_TRANSPORT transport)
369 {
370 tBTM_SEC_DEV_REC *p_dev_rec;
371
372 if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
373 {
374 if (transport == BT_TRANSPORT_BR_EDR)
375 *p_sec_flags = (UINT8) p_dev_rec->sec_flags;
376 else
377 *p_sec_flags = (UINT8) (p_dev_rec->sec_flags >> 8);
378
379 return(TRUE);
380 }
381 BTM_TRACE_ERROR ("BTM_GetSecurityFlags false");
382 return(FALSE);
383 }
384
385 /*******************************************************************************
386 **
387 ** Function BTM_SetPinType
388 **
389 ** Description Set PIN type for the device.
390 **
391 ** Returns void
392 **
393 *******************************************************************************/
BTM_SetPinType(UINT8 pin_type,PIN_CODE pin_code,UINT8 pin_code_len)394 void BTM_SetPinType (UINT8 pin_type, PIN_CODE pin_code, UINT8 pin_code_len)
395 {
396 BTM_TRACE_API ("BTM_SetPinType: pin type %d [variable-0, fixed-1], code %s, length %d",
397 pin_type, (char *) pin_code, pin_code_len);
398
399 /* If device is not up security mode will be set as a part of startup */
400 if ( (btm_cb.cfg.pin_type != pin_type)
401 && controller_get_interface()->get_is_ready() )
402 {
403 btsnd_hcic_write_pin_type (pin_type);
404 }
405
406 btm_cb.cfg.pin_type = pin_type;
407 btm_cb.cfg.pin_code_len = pin_code_len;
408 memcpy (btm_cb.cfg.pin_code, pin_code, pin_code_len);
409 }
410
411 /*******************************************************************************
412 **
413 ** Function BTM_SetPairableMode
414 **
415 ** Description Enable or disable pairing
416 **
417 ** Parameters allow_pairing - (TRUE or FALSE) whether or not the device
418 ** allows pairing.
419 ** connect_only_paired - (TRUE or FALSE) whether or not to
420 ** only allow paired devices to connect.
421 **
422 ** Returns void
423 **
424 *******************************************************************************/
BTM_SetPairableMode(BOOLEAN allow_pairing,BOOLEAN connect_only_paired)425 void BTM_SetPairableMode (BOOLEAN allow_pairing, BOOLEAN connect_only_paired)
426 {
427 BTM_TRACE_API ("BTM_SetPairableMode() allow_pairing: %u connect_only_paired: %u", allow_pairing, connect_only_paired);
428
429 btm_cb.pairing_disabled = !allow_pairing;
430 btm_cb.connect_only_paired = connect_only_paired;
431 }
432
433 /*******************************************************************************
434 **
435 ** Function BTM_SetSecureConnectionsOnly
436 **
437 ** Description Enable or disable default treatment for Mode 4 Level 0 services
438 **
439 ** Parameter secure_connections_only_mode - (TRUE or FALSE) whether or not the device
440 ** TRUE means that the device should treat Mode 4 Level 0 services as
441 ** services of other levels. (Secure_connections_only_mode)
442 ** FALSE means that the device should provide default treatment for
443 ** Mode 4 Level 0 services.
444 **
445 ** Returns void
446 **
447 *******************************************************************************/
BTM_SetSecureConnectionsOnly(BOOLEAN secure_connections_only_mode)448 void BTM_SetSecureConnectionsOnly (BOOLEAN secure_connections_only_mode)
449 {
450 BTM_TRACE_API("%s: Mode : %u", __FUNCTION__,
451 secure_connections_only_mode);
452
453 btm_cb.devcb.secure_connections_only = secure_connections_only_mode;
454 btm_cb.security_mode = BTM_SEC_MODE_SC;
455 }
456 #define BTM_NO_AVAIL_SEC_SERVICES ((UINT16) 0xffff)
457
458 /*******************************************************************************
459 **
460 ** Function BTM_SetSecurityLevel
461 **
462 ** Description Register service security level with Security Manager
463 **
464 ** Parameters: is_originator - TRUE if originating the connection, FALSE if not
465 ** p_name - Name of the service relevant only if
466 ** authorization will show this name to user. ignored
467 ** if BTM_SEC_SERVICE_NAME_LEN is 0.
468 ** service_id - service ID for the service passed to authorization callback
469 ** sec_level - bit mask of the security features
470 ** psm - L2CAP PSM
471 ** mx_proto_id - protocol ID of multiplexing proto below
472 ** mx_chan_id - channel ID of multiplexing proto below
473 **
474 ** Returns TRUE if registered OK, else FALSE
475 **
476 *******************************************************************************/
BTM_SetSecurityLevel(BOOLEAN is_originator,char * p_name,UINT8 service_id,UINT16 sec_level,UINT16 psm,UINT32 mx_proto_id,UINT32 mx_chan_id)477 BOOLEAN BTM_SetSecurityLevel (BOOLEAN is_originator, char *p_name, UINT8 service_id,
478 UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id,
479 UINT32 mx_chan_id)
480 {
481 #if (L2CAP_UCD_INCLUDED == TRUE)
482 CONNECTION_TYPE conn_type;
483
484 if (is_originator)
485 conn_type = CONN_ORIENT_ORIG;
486 else
487 conn_type = CONN_ORIENT_TERM;
488
489 return(btm_sec_set_security_level (conn_type, p_name, service_id,
490 sec_level, psm, mx_proto_id, mx_chan_id));
491 #else
492 return(btm_sec_set_security_level (is_originator, p_name, service_id,
493 sec_level, psm, mx_proto_id, mx_chan_id));
494 #endif
495 }
496
497 /*******************************************************************************
498 **
499 ** Function btm_sec_set_security_level
500 **
501 ** Description Register service security level with Security Manager
502 **
503 ** Parameters: conn_type - TRUE if originating the connection, FALSE if not
504 ** p_name - Name of the service relevant only if
505 ** authorization will show this name to user. ignored
506 ** if BTM_SEC_SERVICE_NAME_LEN is 0.
507 ** service_id - service ID for the service passed to authorization callback
508 ** sec_level - bit mask of the security features
509 ** psm - L2CAP PSM
510 ** mx_proto_id - protocol ID of multiplexing proto below
511 ** mx_chan_id - channel ID of multiplexing proto below
512 **
513 ** Returns TRUE if registered OK, else FALSE
514 **
515 *******************************************************************************/
btm_sec_set_security_level(CONNECTION_TYPE conn_type,char * p_name,UINT8 service_id,UINT16 sec_level,UINT16 psm,UINT32 mx_proto_id,UINT32 mx_chan_id)516 static BOOLEAN btm_sec_set_security_level (CONNECTION_TYPE conn_type, char *p_name, UINT8 service_id,
517 UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id,
518 UINT32 mx_chan_id)
519 {
520 tBTM_SEC_SERV_REC *p_srec;
521 UINT16 index;
522 UINT16 first_unused_record = BTM_NO_AVAIL_SEC_SERVICES;
523 BOOLEAN record_allocated = FALSE;
524 BOOLEAN is_originator;
525 #if (L2CAP_UCD_INCLUDED == TRUE)
526 BOOLEAN is_ucd;
527
528 if (conn_type & CONNECTION_TYPE_ORIG_MASK)
529 is_originator = TRUE;
530 else
531 is_originator = FALSE;
532
533 if (conn_type & CONNECTION_TYPE_CONNLESS_MASK )
534 {
535 is_ucd = TRUE;
536 }
537 else
538 {
539 is_ucd = FALSE;
540 }
541 #else
542 is_originator = conn_type;
543 #endif
544
545 BTM_TRACE_API("%s : sec: 0x%x", __func__, sec_level);
546
547 /* See if the record can be reused (same service name, psm, mx_proto_id,
548 service_id, and mx_chan_id), or obtain the next unused record */
549
550 p_srec = &btm_cb.sec_serv_rec[0];
551
552
553 for (index = 0; index < BTM_SEC_MAX_SERVICE_RECORDS; index++, p_srec++)
554 {
555 /* Check if there is already a record for this service */
556 if (p_srec->security_flags & BTM_SEC_IN_USE)
557 {
558 #if BTM_SEC_SERVICE_NAME_LEN > 0
559 if (p_srec->psm == psm &&
560 p_srec->mx_proto_id == mx_proto_id &&
561 service_id == p_srec->service_id &&
562 (!strncmp (p_name, (char *) p_srec->orig_service_name,
563 BTM_SEC_SERVICE_NAME_LEN) ||
564 !strncmp (p_name, (char *) p_srec->term_service_name,
565 BTM_SEC_SERVICE_NAME_LEN)))
566 #else
567 if (p_srec->psm == psm &&
568 p_srec->mx_proto_id == mx_proto_id &&
569 service_id == p_srec->service_id)
570 #endif
571 {
572 record_allocated = TRUE;
573 break;
574 }
575 }
576 /* Mark the first available service record */
577 else if (!record_allocated)
578 {
579 memset (p_srec, 0, sizeof(tBTM_SEC_SERV_REC));
580 record_allocated = TRUE;
581 first_unused_record = index;
582 }
583 }
584
585 if (!record_allocated)
586 {
587 BTM_TRACE_WARNING("BTM_SEC_REG: Out of Service Records (%d)", BTM_SEC_MAX_SERVICE_RECORDS);
588 return(record_allocated);
589 }
590
591 /* Process the request if service record is valid */
592 /* If a duplicate service wasn't found, use the first available */
593 if (index >= BTM_SEC_MAX_SERVICE_RECORDS)
594 {
595 index = first_unused_record;
596 p_srec = &btm_cb.sec_serv_rec[index];
597 }
598
599 p_srec->psm = psm;
600 p_srec->service_id = service_id;
601 p_srec->mx_proto_id = mx_proto_id;
602
603 if (is_originator)
604 {
605 p_srec->orig_mx_chan_id = mx_chan_id;
606 #if BTM_SEC_SERVICE_NAME_LEN > 0
607 BCM_STRNCPY_S ((char *)p_srec->orig_service_name, sizeof(p_srec->orig_service_name), p_name, BTM_SEC_SERVICE_NAME_LEN);
608 #endif
609 /* clear out the old setting, just in case it exists */
610 #if (L2CAP_UCD_INCLUDED == TRUE)
611 if ( is_ucd )
612 {
613 p_srec->ucd_security_flags &=
614 ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM |
615 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
616 }
617 else
618 #endif
619 {
620 p_srec->security_flags &=
621 ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM |
622 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
623 }
624
625 /* Parameter validation. Originator should not set requirements for incoming connections */
626 sec_level &= ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHENTICATE
627 | BTM_SEC_IN_MITM | BTM_SEC_IN_MIN_16_DIGIT_PIN );
628
629 if (btm_cb.security_mode == BTM_SEC_MODE_SP ||
630 btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
631 btm_cb.security_mode == BTM_SEC_MODE_SC)
632 {
633 if (sec_level & BTM_SEC_OUT_AUTHENTICATE)
634 sec_level |= BTM_SEC_OUT_MITM;
635 }
636
637 /* Make sure the authenticate bit is set, when encrypt bit is set */
638 if (sec_level & BTM_SEC_OUT_ENCRYPT)
639 sec_level |= BTM_SEC_OUT_AUTHENTICATE;
640
641 /* outgoing connections usually set the security level right before
642 * the connection is initiated.
643 * set it to be the outgoing service */
644 #if (L2CAP_UCD_INCLUDED == TRUE)
645 if ( is_ucd == FALSE )
646 #endif
647 {
648 btm_cb.p_out_serv = p_srec;
649 }
650 }
651 else
652 {
653 p_srec->term_mx_chan_id = mx_chan_id;
654 #if BTM_SEC_SERVICE_NAME_LEN > 0
655 BCM_STRNCPY_S ((char *)p_srec->term_service_name, sizeof(p_srec->term_service_name), p_name, BTM_SEC_SERVICE_NAME_LEN);
656 #endif
657 /* clear out the old setting, just in case it exists */
658 #if (L2CAP_UCD_INCLUDED == TRUE)
659 if ( is_ucd )
660 {
661 p_srec->ucd_security_flags &=
662 ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_MITM |
663 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE
664 | BTM_SEC_IN_MIN_16_DIGIT_PIN);
665 }
666 else
667 #endif
668 {
669 p_srec->security_flags &=
670 ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_MITM |
671 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE
672 | BTM_SEC_IN_MIN_16_DIGIT_PIN);
673 }
674
675 /* Parameter validation. Acceptor should not set requirements for outgoing connections */
676 sec_level &= ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM);
677
678 if (btm_cb.security_mode == BTM_SEC_MODE_SP ||
679 btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
680 btm_cb.security_mode == BTM_SEC_MODE_SC)
681 {
682 if (sec_level & BTM_SEC_IN_AUTHENTICATE)
683 sec_level |= BTM_SEC_IN_MITM;
684 }
685
686 /* Make sure the authenticate bit is set, when encrypt bit is set */
687 if (sec_level & BTM_SEC_IN_ENCRYPT)
688 sec_level |= BTM_SEC_IN_AUTHENTICATE;
689 }
690
691 #if (L2CAP_UCD_INCLUDED == TRUE)
692 if ( is_ucd )
693 {
694 p_srec->security_flags |= (UINT16)(BTM_SEC_IN_USE);
695 p_srec->ucd_security_flags |= (UINT16)(sec_level | BTM_SEC_IN_USE);
696 }
697 else
698 {
699 p_srec->security_flags |= (UINT16)(sec_level | BTM_SEC_IN_USE);
700 }
701
702 BTM_TRACE_API("BTM_SEC_REG[%d]: id %d, conn_type 0x%x, psm 0x%04x, proto_id %d, chan_id %d",
703 index, service_id, conn_type, psm, mx_proto_id, mx_chan_id);
704
705 BTM_TRACE_API(" : security_flags: 0x%04x, ucd_security_flags: 0x%04x",
706 p_srec->security_flags, p_srec->ucd_security_flags);
707
708 #if BTM_SEC_SERVICE_NAME_LEN > 0
709 BTM_TRACE_API(" : service name [%s] (up to %d chars saved)",
710 p_name, BTM_SEC_SERVICE_NAME_LEN);
711 #endif
712 #else
713 p_srec->security_flags |= (UINT16)(sec_level | BTM_SEC_IN_USE);
714
715 BTM_TRACE_API("BTM_SEC_REG[%d]: id %d, is_orig %d, psm 0x%04x, proto_id %d, chan_id %d",
716 index, service_id, is_originator, psm, mx_proto_id, mx_chan_id);
717
718 #if BTM_SEC_SERVICE_NAME_LEN > 0
719 BTM_TRACE_API(" : sec: 0x%x, service name [%s] (up to %d chars saved)",
720 p_srec->security_flags, p_name, BTM_SEC_SERVICE_NAME_LEN);
721 #endif
722 #endif
723
724
725 return(record_allocated);
726 }
727
728 /*******************************************************************************
729 **
730 ** Function BTM_SecClrService
731 **
732 ** Description Removes specified service record(s) from the security database.
733 ** All service records with the specified name are removed.
734 ** Typically used only by devices with limited RAM so that it can
735 ** reuse an old security service record.
736 **
737 ** Note: Unpredictable results may occur if a service is cleared
738 ** that is still in use by an application/profile.
739 **
740 ** Parameters Service ID - Id of the service to remove. ('0' removes all service
741 ** records (except SDP).
742 **
743 ** Returns Number of records that were freed.
744 **
745 *******************************************************************************/
BTM_SecClrService(UINT8 service_id)746 UINT8 BTM_SecClrService (UINT8 service_id)
747 {
748 tBTM_SEC_SERV_REC *p_srec = &btm_cb.sec_serv_rec[0];
749 UINT8 num_freed = 0;
750 int i;
751
752 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_srec++)
753 {
754 /* Delete services with specified name (if in use and not SDP) */
755 if ((p_srec->security_flags & BTM_SEC_IN_USE) && (p_srec->psm != BT_PSM_SDP) &&
756 (!service_id || (service_id == p_srec->service_id)))
757 {
758 BTM_TRACE_API("BTM_SEC_CLR[%d]: id %d", i, service_id);
759 p_srec->security_flags = 0;
760 #if (L2CAP_UCD_INCLUDED == TRUE)
761 p_srec->ucd_security_flags = 0;
762 #endif
763 num_freed++;
764 }
765 }
766
767 return(num_freed);
768 }
769
770 /*******************************************************************************
771 **
772 ** Function btm_sec_clr_service_by_psm
773 **
774 ** Description Removes specified service record from the security database.
775 ** All service records with the specified psm are removed.
776 ** Typically used by L2CAP to free up the service record used
777 ** by dynamic PSM clients when the channel is closed.
778 ** The given psm must be a virtual psm.
779 **
780 ** Parameters Service ID - Id of the service to remove. ('0' removes all service
781 ** records (except SDP).
782 **
783 ** Returns Number of records that were freed.
784 **
785 *******************************************************************************/
btm_sec_clr_service_by_psm(UINT16 psm)786 UINT8 btm_sec_clr_service_by_psm (UINT16 psm)
787 {
788 tBTM_SEC_SERV_REC *p_srec = &btm_cb.sec_serv_rec[0];
789 UINT8 num_freed = 0;
790 int i;
791
792 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_srec++)
793 {
794 /* Delete services with specified name (if in use and not SDP) */
795 if ((p_srec->security_flags & BTM_SEC_IN_USE) && (p_srec->psm == psm) )
796 {
797 BTM_TRACE_API("BTM_SEC_CLR[%d]: id %d ", i, p_srec->service_id);
798 p_srec->security_flags = 0;
799 num_freed++;
800 }
801 }
802 BTM_TRACE_API("btm_sec_clr_service_by_psm psm:0x%x num_freed:%d", psm, num_freed);
803
804 return(num_freed);
805 }
806
807 /*******************************************************************************
808 **
809 ** Function btm_sec_clr_temp_auth_service
810 **
811 ** Description Removes specified device record's temporary authorization
812 ** flag from the security database.
813 **
814 ** Parameters Device address to be cleared
815 **
816 ** Returns void.
817 **
818 *******************************************************************************/
btm_sec_clr_temp_auth_service(BD_ADDR bda)819 void btm_sec_clr_temp_auth_service (BD_ADDR bda)
820 {
821 tBTM_SEC_DEV_REC *p_dev_rec;
822
823 if ((p_dev_rec = btm_find_dev (bda)) == NULL)
824 {
825 BTM_TRACE_WARNING ("btm_sec_clr_temp_auth_service() - no dev CB");
826 return;
827 }
828
829 /* Reset the temporary authorized flag so that next time (untrusted) service is accessed autorization will take place */
830 if (p_dev_rec->last_author_service_id != BTM_SEC_NO_LAST_SERVICE_ID && p_dev_rec->p_cur_service)
831 {
832 BTM_TRACE_DEBUG ("btm_sec_clr_auth_service_by_psm [clearing device: %02x:%02x:%02x:%02x:%02x:%02x]",
833 bda[0], bda[1], bda[2], bda[3], bda[4], bda[5]);
834
835 p_dev_rec->last_author_service_id = BTM_SEC_NO_LAST_SERVICE_ID;
836 }
837 }
838
839 /*******************************************************************************
840 **
841 ** Function BTM_PINCodeReply
842 **
843 ** Description This function is called after Security Manager submitted
844 ** PIN code request to the UI.
845 **
846 ** Parameters: bd_addr - Address of the device for which PIN was requested
847 ** res - result of the operation BTM_SUCCESS if success
848 ** pin_len - length in bytes of the PIN Code
849 ** p_pin - pointer to array with the PIN Code
850 ** trusted_mask - bitwise OR of trusted services (array of UINT32)
851 **
852 *******************************************************************************/
BTM_PINCodeReply(BD_ADDR bd_addr,UINT8 res,UINT8 pin_len,UINT8 * p_pin,UINT32 trusted_mask[])853 void BTM_PINCodeReply (BD_ADDR bd_addr, UINT8 res, UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[])
854 {
855 tBTM_SEC_DEV_REC *p_dev_rec;
856
857 BTM_TRACE_API ("BTM_PINCodeReply(): PairState: %s PairFlags: 0x%02x PinLen:%d Result:%d",
858 btm_pair_state_descr(btm_cb.pairing_state), btm_cb.pairing_flags, pin_len, res);
859
860 /* If timeout already expired or has been canceled, ignore the reply */
861 if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_PIN)
862 {
863 BTM_TRACE_WARNING ("BTM_PINCodeReply() - Wrong State: %d", btm_cb.pairing_state);
864 return;
865 }
866
867 if (memcmp (bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN) != 0)
868 {
869 BTM_TRACE_ERROR ("BTM_PINCodeReply() - Wrong BD Addr");
870 return;
871 }
872
873 if ((p_dev_rec = btm_find_dev (bd_addr)) == NULL)
874 {
875 BTM_TRACE_ERROR ("BTM_PINCodeReply() - no dev CB");
876 return;
877 }
878
879 if ( (pin_len > PIN_CODE_LEN) || (pin_len == 0) || (p_pin == NULL) )
880 res = BTM_ILLEGAL_VALUE;
881
882 if (res != BTM_SUCCESS)
883 {
884 /* if peer started dd OR we started dd and pre-fetch pin was not used send negative reply */
885 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PEER_STARTED_DD) ||
886 ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) &&
887 (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)) )
888 {
889 /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed event */
890 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
891 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
892
893 btsnd_hcic_pin_code_neg_reply (bd_addr);
894 }
895 else
896 {
897 p_dev_rec->security_required = BTM_SEC_NONE;
898 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
899 }
900 return;
901 }
902 if (trusted_mask)
903 BTM_SEC_COPY_TRUSTED_DEVICE(trusted_mask, p_dev_rec->trusted_mask);
904 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED;
905 if (pin_len >= 16) {
906 p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED;
907 }
908
909 if ( (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
910 && (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE)
911 && (btm_cb.security_mode_changed == FALSE) )
912 {
913 /* This is start of the dedicated bonding if local device is 2.0 */
914 btm_cb.pin_code_len = pin_len;
915 p_dev_rec->pin_code_length = pin_len;
916 memcpy (btm_cb.pin_code, p_pin, pin_len);
917
918 btm_cb.security_mode_changed = TRUE;
919 #ifdef APPL_AUTH_WRITE_EXCEPTION
920 if(!(APPL_AUTH_WRITE_EXCEPTION)(p_dev_rec->bd_addr))
921 #endif
922 btsnd_hcic_write_auth_enable (TRUE);
923
924 btm_cb.acl_disc_reason = 0xff ;
925
926 /* if we rejected incoming connection request, we have to wait HCI_Connection_Complete event */
927 /* before originating */
928 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT)
929 {
930 BTM_TRACE_WARNING ("BTM_PINCodeReply(): waiting HCI_Connection_Complete after rejected incoming connection");
931 /* we change state little bit early so btm_sec_connected() will originate connection */
932 /* when existing ACL link is down completely */
933 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
934 }
935 /* if we already accepted incoming connection from pairing device */
936 else if (p_dev_rec->sm4 & BTM_SM4_CONN_PEND)
937 {
938 BTM_TRACE_WARNING ("BTM_PINCodeReply(): link is connecting so wait pin code request from peer");
939 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
940 }
941 else if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED)
942 {
943 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
944 p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_AUTHED;
945
946 if (btm_cb.api.p_auth_complete_callback)
947 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
948 p_dev_rec->sec_bd_name, HCI_ERR_AUTH_FAILURE);
949 }
950 return;
951 }
952
953 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
954 btm_cb.acl_disc_reason = HCI_SUCCESS;
955
956 #ifdef PORCHE_PAIRING_CONFLICT
957 BTM_TRACE_EVENT("BTM_PINCodeReply(): Saving pin_len: %d btm_cb.pin_code_len: %d", pin_len, btm_cb.pin_code_len);
958 /* if this was not pre-fetched, save the PIN */
959 if (btm_cb.pin_code_len == 0)
960 memcpy (btm_cb.pin_code, p_pin, pin_len);
961 btm_cb.pin_code_len_saved = pin_len;
962 #endif
963 btsnd_hcic_pin_code_req_reply (bd_addr, pin_len, p_pin);
964 }
965
966 /*******************************************************************************
967 **
968 ** Function btm_sec_bond_by_transport
969 **
970 ** Description this is the bond function that will start either SSP or SMP.
971 **
972 ** Parameters: bd_addr - Address of the device to bond
973 ** pin_len - length in bytes of the PIN Code
974 ** p_pin - pointer to array with the PIN Code
975 ** trusted_mask - bitwise OR of trusted services (array of UINT32)
976 **
977 ** Note: After 2.1 parameters are not used and preserved here not to change API
978 *******************************************************************************/
btm_sec_bond_by_transport(BD_ADDR bd_addr,tBT_TRANSPORT transport,UINT8 pin_len,UINT8 * p_pin,UINT32 trusted_mask[])979 tBTM_STATUS btm_sec_bond_by_transport (BD_ADDR bd_addr, tBT_TRANSPORT transport,
980 UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[])
981 {
982 tBTM_SEC_DEV_REC *p_dev_rec;
983 tBTM_STATUS status;
984 UINT8 *p_features;
985 UINT8 ii;
986 tACL_CONN *p= btm_bda_to_acl(bd_addr, transport);
987 BTM_TRACE_API ("btm_sec_bond_by_transport BDA: %02x:%02x:%02x:%02x:%02x:%02x",
988 bd_addr[0], bd_addr[1], bd_addr[2], bd_addr[3], bd_addr[4], bd_addr[5]);
989
990 BTM_TRACE_DEBUG("btm_sec_bond_by_transport: Transport used %d" , transport);
991
992
993 /* Other security process is in progress */
994 if (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
995 {
996 BTM_TRACE_ERROR ("BTM_SecBond: already busy in state: %s", btm_pair_state_descr(btm_cb.pairing_state));
997 return(BTM_WRONG_MODE);
998 }
999
1000 if ((p_dev_rec = btm_find_or_alloc_dev (bd_addr)) == NULL)
1001 {
1002 return(BTM_NO_RESOURCES);
1003 }
1004
1005 BTM_TRACE_DEBUG ("before update sec_flags=0x%x", p_dev_rec->sec_flags);
1006
1007 /* Finished if connection is active and already paired */
1008 if ( ((p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE) && transport == BT_TRANSPORT_BR_EDR
1009 && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))
1010 #if (BLE_INCLUDED == TRUE)
1011 ||((p_dev_rec->ble_hci_handle != BTM_SEC_INVALID_HANDLE) && transport == BT_TRANSPORT_LE
1012 && (p_dev_rec->sec_flags & BTM_SEC_LE_AUTHENTICATED))
1013 #endif
1014
1015 )
1016 {
1017 BTM_TRACE_WARNING("BTM_SecBond -> Already Paired");
1018 return(BTM_SUCCESS);
1019 }
1020
1021 /* Tell controller to get rid of the link key if it has one stored */
1022 if ((BTM_DeleteStoredLinkKey (bd_addr, NULL)) != BTM_SUCCESS)
1023 return(BTM_NO_RESOURCES);
1024
1025 /* Save the PIN code if we got a valid one */
1026 if (p_pin && (pin_len <= PIN_CODE_LEN) && (pin_len != 0))
1027 {
1028 btm_cb.pin_code_len = pin_len;
1029 p_dev_rec->pin_code_length = pin_len;
1030 memcpy (btm_cb.pin_code, p_pin, PIN_CODE_LEN);
1031 }
1032
1033 memcpy (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN);
1034
1035 btm_cb.pairing_flags = BTM_PAIR_FLAGS_WE_STARTED_DD;
1036
1037 p_dev_rec->security_required = BTM_SEC_OUT_AUTHENTICATE;
1038 p_dev_rec->is_originator = TRUE;
1039 if (trusted_mask)
1040 BTM_SEC_COPY_TRUSTED_DEVICE(trusted_mask, p_dev_rec->trusted_mask);
1041
1042 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
1043 if (transport == BT_TRANSPORT_LE)
1044 {
1045 btm_ble_init_pseudo_addr (p_dev_rec, bd_addr);
1046 p_dev_rec->sec_flags &= ~ BTM_SEC_LE_MASK;
1047
1048 if (SMP_Pair(bd_addr) == SMP_STARTED)
1049 {
1050 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_LE_ACTIVE;
1051 p_dev_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING;
1052 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1053 return BTM_CMD_STARTED;
1054 }
1055
1056 btm_cb.pairing_flags = 0;
1057 return(BTM_NO_RESOURCES);
1058 }
1059 #endif
1060
1061 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED
1062 | BTM_SEC_ROLE_SWITCHED | BTM_SEC_LINK_KEY_AUTHED);
1063
1064
1065 BTM_TRACE_DEBUG ("after update sec_flags=0x%x", p_dev_rec->sec_flags);
1066 if (!controller_get_interface()->supports_simple_pairing())
1067 {
1068 /* The special case when we authenticate keyboard. Set pin type to fixed */
1069 /* It would be probably better to do it from the application, but it is */
1070 /* complicated */
1071 if (((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) == BTM_COD_MAJOR_PERIPHERAL)
1072 && (p_dev_rec->dev_class[2] & BTM_COD_MINOR_KEYBOARD)
1073 && (btm_cb.cfg.pin_type != HCI_PIN_TYPE_FIXED))
1074 {
1075 btm_cb.pin_type_changed = TRUE;
1076 btsnd_hcic_write_pin_type (HCI_PIN_TYPE_FIXED);
1077 }
1078 }
1079
1080 for (ii = 0; ii <= HCI_EXT_FEATURES_PAGE_MAX; ii++)
1081 {
1082 p_features = p_dev_rec->features[ii];
1083 BTM_TRACE_EVENT(" remote_features page[%1d] = %02x-%02x-%02x-%02x",
1084 ii, p_features[0], p_features[1], p_features[2], p_features[3]);
1085 BTM_TRACE_EVENT(" %02x-%02x-%02x-%02x",
1086 p_features[4], p_features[5], p_features[6], p_features[7]);
1087 }
1088
1089 BTM_TRACE_EVENT ("BTM_SecBond: Remote sm4: 0x%x HCI Handle: 0x%04x", p_dev_rec->sm4, p_dev_rec->hci_handle);
1090
1091 #if BTM_SEC_FORCE_RNR_FOR_DBOND == TRUE
1092 p_dev_rec->sec_flags &= ~BTM_SEC_NAME_KNOWN;
1093 #endif
1094
1095 /* If connection already exists... */
1096 if (p && p->hci_handle != BTM_SEC_INVALID_HANDLE)
1097 {
1098 if (!btm_sec_start_authentication (p_dev_rec))
1099 return(BTM_NO_RESOURCES);
1100
1101 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
1102
1103 /* Mark lcb as bonding */
1104 l2cu_update_lcb_4_bonding (bd_addr, TRUE);
1105 return(BTM_CMD_STARTED);
1106 }
1107
1108 BTM_TRACE_DEBUG ("sec mode: %d sm4:x%x", btm_cb.security_mode, p_dev_rec->sm4);
1109 if (!controller_get_interface()->supports_simple_pairing()
1110 || (p_dev_rec->sm4 == BTM_SM4_KNOWN))
1111 {
1112 if ( btm_sec_check_prefetch_pin (p_dev_rec) )
1113 return (BTM_CMD_STARTED);
1114 }
1115 if ((btm_cb.security_mode == BTM_SEC_MODE_SP ||
1116 btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
1117 btm_cb.security_mode == BTM_SEC_MODE_SC) &&
1118 BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4))
1119 {
1120 /* local is 2.1 and peer is unknown */
1121 if ((p_dev_rec->sm4 & BTM_SM4_CONN_PEND) == 0)
1122 {
1123 /* we are not accepting connection request from peer
1124 * -> RNR (to learn if peer is 2.1)
1125 * RNR when no ACL causes HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT */
1126 btm_sec_change_pairing_state (BTM_PAIR_STATE_GET_REM_NAME);
1127 BTM_ReadRemoteDeviceName(bd_addr, NULL, BT_TRANSPORT_BR_EDR);
1128 }
1129 else
1130 {
1131 /* We are accepting connection request from peer */
1132 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
1133 }
1134 BTM_TRACE_DEBUG ("State:%s sm4: 0x%x sec_state:%d",
1135 btm_pair_state_descr (btm_cb.pairing_state), p_dev_rec->sm4, p_dev_rec->sec_state);
1136 return BTM_CMD_STARTED;
1137 }
1138
1139 /* both local and peer are 2.1 */
1140 status = btm_sec_dd_create_conn(p_dev_rec);
1141
1142 if (status != BTM_CMD_STARTED)
1143 {
1144 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
1145 }
1146
1147 return status;
1148 }
1149
1150 /*******************************************************************************
1151 **
1152 ** Function BTM_SecBondByTransport
1153 **
1154 ** Description This function is called to perform bonding with peer device.
1155 ** If the connection is already up, but not secure, pairing
1156 ** is attempted. If already paired BTM_SUCCESS is returned.
1157 **
1158 ** Parameters: bd_addr - Address of the device to bond
1159 ** transport - doing SSP over BR/EDR or SMP over LE
1160 ** pin_len - length in bytes of the PIN Code
1161 ** p_pin - pointer to array with the PIN Code
1162 ** trusted_mask - bitwise OR of trusted services (array of UINT32)
1163 **
1164 ** Note: After 2.1 parameters are not used and preserved here not to change API
1165 *******************************************************************************/
BTM_SecBondByTransport(BD_ADDR bd_addr,tBT_TRANSPORT transport,UINT8 pin_len,UINT8 * p_pin,UINT32 trusted_mask[])1166 tBTM_STATUS BTM_SecBondByTransport (BD_ADDR bd_addr, tBT_TRANSPORT transport,
1167 UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[])
1168 {
1169 #if SMP_INCLUDED == TRUE
1170 tBT_DEVICE_TYPE dev_type;
1171 tBLE_ADDR_TYPE addr_type;
1172
1173 BTM_ReadDevInfo(bd_addr, &dev_type, &addr_type);
1174 /* LE device, do SMP pairing */
1175 if ((transport == BT_TRANSPORT_LE && (dev_type & BT_DEVICE_TYPE_BLE) == 0) ||
1176 (transport == BT_TRANSPORT_BR_EDR && (dev_type & BT_DEVICE_TYPE_BREDR) == 0))
1177 {
1178 return BTM_ILLEGAL_ACTION;
1179 }
1180 #endif
1181 return btm_sec_bond_by_transport(bd_addr, transport, pin_len, p_pin, trusted_mask);
1182 }
1183
1184 /*******************************************************************************
1185 **
1186 ** Function BTM_SecBond
1187 **
1188 ** Description This function is called to perform bonding with peer device.
1189 ** If the connection is already up, but not secure, pairing
1190 ** is attempted. If already paired BTM_SUCCESS is returned.
1191 **
1192 ** Parameters: bd_addr - Address of the device to bond
1193 ** pin_len - length in bytes of the PIN Code
1194 ** p_pin - pointer to array with the PIN Code
1195 ** trusted_mask - bitwise OR of trusted services (array of UINT32)
1196 **
1197 ** Note: After 2.1 parameters are not used and preserved here not to change API
1198 *******************************************************************************/
BTM_SecBond(BD_ADDR bd_addr,UINT8 pin_len,UINT8 * p_pin,UINT32 trusted_mask[])1199 tBTM_STATUS BTM_SecBond (BD_ADDR bd_addr, UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[])
1200 {
1201 tBT_TRANSPORT transport = BT_TRANSPORT_BR_EDR;
1202 #if BLE_INCLUDED == TRUE
1203 if (BTM_UseLeLink(bd_addr))
1204 transport = BT_TRANSPORT_LE;
1205 #endif
1206 return btm_sec_bond_by_transport(bd_addr, transport, pin_len, p_pin, trusted_mask);
1207 }
1208 /*******************************************************************************
1209 **
1210 ** Function BTM_SecBondCancel
1211 **
1212 ** Description This function is called to cancel ongoing bonding process
1213 ** with peer device.
1214 **
1215 ** Parameters: bd_addr - Address of the peer device
1216 ** transport - FALSE for BR/EDR link; TRUE for LE link
1217 **
1218 *******************************************************************************/
BTM_SecBondCancel(BD_ADDR bd_addr)1219 tBTM_STATUS BTM_SecBondCancel (BD_ADDR bd_addr)
1220 {
1221 tBTM_SEC_DEV_REC *p_dev_rec;
1222
1223 BTM_TRACE_API ("BTM_SecBondCancel() State: %s flags:0x%x",
1224 btm_pair_state_descr (btm_cb.pairing_state), btm_cb.pairing_flags);
1225
1226 if (((p_dev_rec = btm_find_dev (bd_addr)) == NULL)
1227 || (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) )
1228 return BTM_UNKNOWN_ADDR;
1229
1230 #if SMP_INCLUDED == TRUE
1231 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_LE_ACTIVE)
1232 {
1233 if (p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING)
1234 {
1235 BTM_TRACE_DEBUG ("Cancel LE pairing");
1236 if (SMP_PairCancel(bd_addr))
1237 {
1238 return BTM_CMD_STARTED;
1239 }
1240 }
1241 return BTM_WRONG_MODE;
1242 }
1243
1244 #endif
1245 BTM_TRACE_DEBUG ("hci_handle:0x%x sec_state:%d", p_dev_rec->hci_handle, p_dev_rec->sec_state );
1246 if (BTM_PAIR_STATE_WAIT_LOCAL_PIN == btm_cb.pairing_state &&
1247 BTM_PAIR_FLAGS_WE_STARTED_DD & btm_cb.pairing_flags)
1248 {
1249 /* pre-fetching pin for dedicated bonding */
1250 btm_sec_bond_cancel_complete();
1251 return BTM_SUCCESS;
1252 }
1253
1254 /* If this BDA is in a bonding procedure */
1255 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
1256 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD))
1257 {
1258 /* If the HCI link is up */
1259 if (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)
1260 {
1261 /* If some other thread disconnecting, we do not send second command */
1262 if ((p_dev_rec->sec_state == BTM_SEC_STATE_DISCONNECTING) ||
1263 (p_dev_rec->sec_state == BTM_SEC_STATE_DISCONNECTING_BOTH))
1264 return(BTM_CMD_STARTED);
1265
1266 /* If the HCI link was set up by Bonding process */
1267 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)
1268 return btm_sec_send_hci_disconnect(p_dev_rec, HCI_ERR_PEER_USER, p_dev_rec->hci_handle);
1269 else
1270 l2cu_update_lcb_4_bonding(bd_addr, FALSE);
1271
1272 return BTM_NOT_AUTHORIZED;
1273 }
1274 else /*HCI link is not up */
1275 {
1276 /* If the HCI link creation was started by Bonding process */
1277 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)
1278 {
1279 if (btsnd_hcic_create_conn_cancel(bd_addr))
1280 return BTM_CMD_STARTED;
1281
1282 return BTM_NO_RESOURCES;
1283 }
1284 if (btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME)
1285 {
1286 BTM_CancelRemoteDeviceName();
1287 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_WE_CANCEL_DD;
1288 return BTM_CMD_STARTED;
1289 }
1290 return BTM_NOT_AUTHORIZED;
1291 }
1292 }
1293
1294 return BTM_WRONG_MODE;
1295 }
1296
1297 /*******************************************************************************
1298 **
1299 ** Function BTM_SecGetDeviceLinkKey
1300 **
1301 ** Description This function is called to obtain link key for the device
1302 ** it returns BTM_SUCCESS if link key is available, or
1303 ** BTM_UNKNOWN_ADDR if Security Manager does not know about
1304 ** the device or device record does not contain link key info
1305 **
1306 ** Parameters: bd_addr - Address of the device
1307 ** link_key - Link Key is copied into this array
1308 **
1309 *******************************************************************************/
BTM_SecGetDeviceLinkKey(BD_ADDR bd_addr,LINK_KEY link_key)1310 tBTM_STATUS BTM_SecGetDeviceLinkKey (BD_ADDR bd_addr, LINK_KEY link_key)
1311 {
1312 tBTM_SEC_DEV_REC *p_dev_rec;
1313
1314 if (((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
1315 && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN))
1316 {
1317 memcpy (link_key, p_dev_rec->link_key, LINK_KEY_LEN);
1318 return(BTM_SUCCESS);
1319 }
1320 return(BTM_UNKNOWN_ADDR);
1321 }
1322
1323 /*******************************************************************************
1324 **
1325 ** Function BTM_SecGetDeviceLinkKeyType
1326 **
1327 ** Description This function is called to obtain link key type for the
1328 ** device.
1329 ** it returns BTM_SUCCESS if link key is available, or
1330 ** BTM_UNKNOWN_ADDR if Security Manager does not know about
1331 ** the device or device record does not contain link key info
1332 **
1333 ** Returns BTM_LKEY_TYPE_IGNORE if link key is unknown, link type
1334 ** otherwise.
1335 **
1336 *******************************************************************************/
BTM_SecGetDeviceLinkKeyType(BD_ADDR bd_addr)1337 tBTM_LINK_KEY_TYPE BTM_SecGetDeviceLinkKeyType (BD_ADDR bd_addr)
1338 {
1339 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr);
1340
1341 if ((p_dev_rec != NULL) && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN))
1342 {
1343 return p_dev_rec->link_key_type;
1344 }
1345 return BTM_LKEY_TYPE_IGNORE;
1346 }
1347
1348 /*******************************************************************************
1349 **
1350 ** Function BTM_SetEncryption
1351 **
1352 ** Description This function is called to ensure that connection is
1353 ** encrypted. Should be called only on an open connection.
1354 ** Typically only needed for connections that first want to
1355 ** bring up unencrypted links, then later encrypt them.
1356 **
1357 ** Parameters: bd_addr - Address of the peer device
1358 ** p_callback - Pointer to callback function called if
1359 ** this function returns PENDING after required
1360 ** procedures are completed. Can be set to NULL
1361 ** if status is not desired.
1362 ** p_ref_data - pointer to any data the caller wishes to receive
1363 ** in the callback function upon completion.
1364 * can be set to NULL if not used.
1365 ** transport - TRUE to encryption the link over LE transport
1366 ** or FALSE for BR/EDR transport
1367 **
1368 ** Returns BTM_SUCCESS - already encrypted
1369 ** BTM_PENDING - command will be returned in the callback
1370 ** BTM_WRONG_MODE- connection not up.
1371 ** BTM_BUSY - security procedures are currently active
1372 ** BTM_MODE_UNSUPPORTED - if security manager not linked in.
1373 **
1374 *******************************************************************************/
BTM_SetEncryption(BD_ADDR bd_addr,tBT_TRANSPORT transport,tBTM_SEC_CBACK * p_callback,void * p_ref_data)1375 tBTM_STATUS BTM_SetEncryption (BD_ADDR bd_addr, tBT_TRANSPORT transport, tBTM_SEC_CBACK *p_callback,
1376 void *p_ref_data)
1377 {
1378 tBTM_STATUS rc = 0;
1379
1380 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr);
1381 if (!p_dev_rec ||
1382 (transport == BT_TRANSPORT_BR_EDR && p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE)
1383 #if BLE_INCLUDED == TRUE
1384 || (transport == BT_TRANSPORT_LE && p_dev_rec->ble_hci_handle == BTM_SEC_INVALID_HANDLE)
1385 #endif
1386 )
1387 {
1388 /* Connection should be up and runnning */
1389 BTM_TRACE_WARNING ("Security Manager: BTM_SetEncryption not connected");
1390
1391 if (p_callback)
1392 (*p_callback) (bd_addr, transport, p_ref_data, BTM_WRONG_MODE);
1393
1394 return(BTM_WRONG_MODE);
1395 }
1396
1397 if ((transport == BT_TRANSPORT_BR_EDR &&
1398 (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))
1399 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
1400 || (transport == BT_TRANSPORT_LE &&
1401 (p_dev_rec->sec_flags & BTM_SEC_LE_ENCRYPTED))
1402 #endif
1403 )
1404 {
1405 BTM_TRACE_EVENT ("Security Manager: BTM_SetEncryption already encrypted");
1406
1407 if (p_callback)
1408 (*p_callback) (bd_addr, transport, p_ref_data, BTM_SUCCESS);
1409
1410 return(BTM_SUCCESS);
1411 }
1412
1413 /* enqueue security request if security is active */
1414 if (p_dev_rec->p_callback || (p_dev_rec->sec_state != BTM_SEC_STATE_IDLE))
1415 {
1416 BTM_TRACE_WARNING ("Security Manager: BTM_SetEncryption busy, enqueue request");
1417
1418 if (btm_sec_queue_encrypt_request(bd_addr, transport, p_callback, p_ref_data))
1419 {
1420 return BTM_CMD_STARTED;
1421 }
1422 else
1423 {
1424 if (p_callback)
1425 (*p_callback) (bd_addr, transport, p_ref_data, BTM_NO_RESOURCES);
1426 return BTM_NO_RESOURCES;
1427 }
1428 }
1429
1430 p_dev_rec->p_callback = p_callback;
1431 p_dev_rec->p_ref_data = p_ref_data;
1432 p_dev_rec->security_required |= (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT);
1433 p_dev_rec->is_originator = FALSE;
1434
1435 BTM_TRACE_API ("Security Manager: BTM_SetEncryption Handle:%d State:%d Flags:0x%x Required:0x%x",
1436 p_dev_rec->hci_handle, p_dev_rec->sec_state, p_dev_rec->sec_flags,
1437 p_dev_rec->security_required);
1438
1439 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
1440 if (transport == BT_TRANSPORT_LE)
1441 {
1442 tACL_CONN *p = btm_bda_to_acl(bd_addr, transport);
1443 if (p)
1444 {
1445 rc = btm_ble_set_encryption(bd_addr, p_ref_data, p->link_role);
1446 }
1447 else
1448 {
1449 rc = BTM_WRONG_MODE;
1450 BTM_TRACE_WARNING("%s: cannot call btm_ble_set_encryption, p is NULL", __FUNCTION__);
1451 }
1452 }
1453 else
1454 #endif
1455 rc = btm_sec_execute_procedure (p_dev_rec);
1456
1457 if (rc != BTM_CMD_STARTED && rc != BTM_BUSY)
1458 {
1459 if (p_callback)
1460 {
1461 p_dev_rec->p_callback = NULL;
1462 (*p_callback) (bd_addr, transport, p_dev_rec->p_ref_data, rc);
1463 }
1464 }
1465
1466 return(rc);
1467 }
1468
1469 /*******************************************************************************
1470 * disconnect the ACL link, if it's not done yet.
1471 *******************************************************************************/
btm_sec_send_hci_disconnect(tBTM_SEC_DEV_REC * p_dev_rec,UINT8 reason,UINT16 conn_handle)1472 static tBTM_STATUS btm_sec_send_hci_disconnect (tBTM_SEC_DEV_REC *p_dev_rec, UINT8 reason, UINT16 conn_handle)
1473 {
1474 UINT8 old_state = p_dev_rec->sec_state;
1475 tBTM_STATUS status = BTM_CMD_STARTED;
1476
1477 BTM_TRACE_EVENT ("btm_sec_send_hci_disconnect: handle:0x%x, reason=0x%x",
1478 conn_handle, reason);
1479
1480 /* send HCI_Disconnect on a transport only once */
1481 switch (old_state)
1482 {
1483 case BTM_SEC_STATE_DISCONNECTING:
1484 if (conn_handle == p_dev_rec->hci_handle)
1485 return status;
1486
1487 p_dev_rec->sec_state = BTM_SEC_STATE_DISCONNECTING_BOTH;
1488 break;
1489
1490 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
1491 case BTM_SEC_STATE_DISCONNECTING_BLE:
1492 if (conn_handle == p_dev_rec->ble_hci_handle)
1493 return status;
1494
1495 p_dev_rec->sec_state = BTM_SEC_STATE_DISCONNECTING_BOTH;
1496 break;
1497
1498 case BTM_SEC_STATE_DISCONNECTING_BOTH:
1499 return status;
1500 #endif
1501
1502 default:
1503 p_dev_rec->sec_state = (conn_handle == p_dev_rec->hci_handle) ?
1504 BTM_SEC_STATE_DISCONNECTING : BTM_SEC_STATE_DISCONNECTING_BLE;
1505
1506 break;
1507 }
1508
1509 /* If a role switch is in progress, delay the HCI Disconnect to avoid controller problem */
1510 if (p_dev_rec->rs_disc_pending == BTM_SEC_RS_PENDING && p_dev_rec->hci_handle == conn_handle)
1511 {
1512 BTM_TRACE_DEBUG("RS in progress - Set DISC Pending flag in btm_sec_send_hci_disconnect to delay disconnect");
1513 p_dev_rec->rs_disc_pending = BTM_SEC_DISC_PENDING;
1514 status = BTM_SUCCESS;
1515 }
1516 /* Tear down the HCI link */
1517 else if (!btsnd_hcic_disconnect (conn_handle, reason))
1518 {
1519 /* could not send disconnect. restore old state */
1520 p_dev_rec->sec_state = old_state;
1521 status = BTM_NO_RESOURCES;
1522 }
1523
1524 return status;
1525 }
1526
1527 /*******************************************************************************
1528 **
1529 ** Function BTM_ConfirmReqReply
1530 **
1531 ** Description This function is called to confirm the numeric value for
1532 ** Simple Pairing in response to BTM_SP_CFM_REQ_EVT
1533 **
1534 ** Parameters: res - result of the operation BTM_SUCCESS if success
1535 ** bd_addr - Address of the peer device
1536 **
1537 *******************************************************************************/
BTM_ConfirmReqReply(tBTM_STATUS res,BD_ADDR bd_addr)1538 void BTM_ConfirmReqReply(tBTM_STATUS res, BD_ADDR bd_addr)
1539 {
1540 tBTM_SEC_DEV_REC *p_dev_rec;
1541
1542 BTM_TRACE_EVENT ("BTM_ConfirmReqReply() State: %s Res: %u",
1543 btm_pair_state_descr(btm_cb.pairing_state), res);
1544
1545 /* If timeout already expired or has been canceled, ignore the reply */
1546 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM)
1547 || (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) )
1548 return;
1549
1550 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1551
1552 if ( (res == BTM_SUCCESS) || (res == BTM_SUCCESS_NO_SECURITY) )
1553 {
1554 btm_cb.acl_disc_reason = HCI_SUCCESS;
1555
1556 if (res == BTM_SUCCESS)
1557 {
1558 if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
1559 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED;
1560 p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED;
1561 }
1562
1563 btsnd_hcic_user_conf_reply (bd_addr, TRUE);
1564 }
1565 else
1566 {
1567 /* Report authentication failed event from state BTM_PAIR_STATE_WAIT_AUTH_COMPLETE */
1568 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1569 btsnd_hcic_user_conf_reply (bd_addr, FALSE);
1570 }
1571 }
1572
1573 /*******************************************************************************
1574 **
1575 ** Function BTM_PasskeyReqReply
1576 **
1577 ** Description This function is called to provide the passkey for
1578 ** Simple Pairing in response to BTM_SP_KEY_REQ_EVT
1579 **
1580 ** Parameters: res - result of the operation BTM_SUCCESS if success
1581 ** bd_addr - Address of the peer device
1582 ** passkey - numeric value in the range of
1583 ** BTM_MIN_PASSKEY_VAL(0) - BTM_MAX_PASSKEY_VAL(999999(0xF423F)).
1584 **
1585 *******************************************************************************/
1586 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
BTM_PasskeyReqReply(tBTM_STATUS res,BD_ADDR bd_addr,UINT32 passkey)1587 void BTM_PasskeyReqReply(tBTM_STATUS res, BD_ADDR bd_addr, UINT32 passkey)
1588 {
1589 BTM_TRACE_API ("BTM_PasskeyReqReply: State: %s res:%d",
1590 btm_pair_state_descr(btm_cb.pairing_state), res);
1591
1592 if ( (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
1593 || (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) )
1594 {
1595 return;
1596 }
1597
1598 /* If timeout already expired or has been canceled, ignore the reply */
1599 if ( (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_AUTH_COMPLETE) && (res != BTM_SUCCESS) )
1600 {
1601 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr);
1602 if (p_dev_rec != NULL)
1603 {
1604 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1605
1606 if (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)
1607 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE, p_dev_rec->hci_handle);
1608 else
1609 BTM_SecBondCancel(bd_addr);
1610
1611 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_AUTHED | BTM_SEC_LINK_KEY_KNOWN);
1612
1613 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
1614 return;
1615 }
1616 }
1617 else if (btm_cb.pairing_state != BTM_PAIR_STATE_KEY_ENTRY)
1618 return;
1619
1620 if (passkey > BTM_MAX_PASSKEY_VAL)
1621 res = BTM_ILLEGAL_VALUE;
1622
1623 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1624
1625 if (res != BTM_SUCCESS)
1626 {
1627 /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed event */
1628 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1629 btsnd_hcic_user_passkey_neg_reply (bd_addr);
1630 } else {
1631 btm_cb.acl_disc_reason = HCI_SUCCESS;
1632 btsnd_hcic_user_passkey_reply (bd_addr, passkey);
1633 }
1634 }
1635 #endif
1636
1637 /*******************************************************************************
1638 **
1639 ** Function BTM_SendKeypressNotif
1640 **
1641 ** Description This function is used during the passkey entry model
1642 ** by a device with KeyboardOnly IO capabilities
1643 ** (very likely to be a HID Device).
1644 ** It is called by a HID Device to inform the remote device when
1645 ** a key has been entered or erased.
1646 **
1647 ** Parameters: bd_addr - Address of the peer device
1648 ** type - notification type
1649 **
1650 *******************************************************************************/
1651 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
BTM_SendKeypressNotif(BD_ADDR bd_addr,tBTM_SP_KEY_TYPE type)1652 void BTM_SendKeypressNotif(BD_ADDR bd_addr, tBTM_SP_KEY_TYPE type)
1653 {
1654 /* This API only make sense between PASSKEY_REQ and SP complete */
1655 if (btm_cb.pairing_state == BTM_PAIR_STATE_KEY_ENTRY)
1656 btsnd_hcic_send_keypress_notif (bd_addr, type);
1657 }
1658 #endif
1659
1660 #if BTM_OOB_INCLUDED == TRUE
1661 /*******************************************************************************
1662 **
1663 ** Function BTM_IoCapRsp
1664 **
1665 ** Description This function is called in response to BTM_SP_IO_REQ_EVT
1666 ** When the event data io_req.oob_data is set to BTM_OOB_UNKNOWN
1667 ** by the tBTM_SP_CALLBACK implementation, this function is
1668 ** called to provide the actual response
1669 **
1670 ** Parameters: bd_addr - Address of the peer device
1671 ** io_cap - The IO capability of local device.
1672 ** oob - BTM_OOB_NONE or BTM_OOB_PRESENT.
1673 ** auth_req- MITM protection required or not.
1674 **
1675 *******************************************************************************/
BTM_IoCapRsp(BD_ADDR bd_addr,tBTM_IO_CAP io_cap,tBTM_OOB_DATA oob,tBTM_AUTH_REQ auth_req)1676 void BTM_IoCapRsp(BD_ADDR bd_addr, tBTM_IO_CAP io_cap, tBTM_OOB_DATA oob, tBTM_AUTH_REQ auth_req)
1677 {
1678 BTM_TRACE_EVENT ("BTM_IoCapRsp: state: %s oob: %d io_cap: %d",
1679 btm_pair_state_descr(btm_cb.pairing_state), oob, io_cap);
1680
1681 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS)
1682 || (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) )
1683 return;
1684
1685 if (oob < BTM_OOB_UNKNOWN && io_cap < BTM_IO_CAP_MAX)
1686 {
1687 btm_cb.devcb.loc_auth_req = auth_req;
1688 btm_cb.devcb.loc_io_caps = io_cap;
1689
1690 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
1691 auth_req = (BTM_AUTH_DD_BOND | (auth_req&BTM_AUTH_YN_BIT));
1692
1693 btsnd_hcic_io_cap_req_reply (bd_addr, io_cap, oob, auth_req);
1694 }
1695 }
1696
1697 /*******************************************************************************
1698 **
1699 ** Function BTM_ReadLocalOobData
1700 **
1701 ** Description This function is called to read the local OOB data from
1702 ** LM
1703 **
1704 *******************************************************************************/
BTM_ReadLocalOobData(void)1705 tBTM_STATUS BTM_ReadLocalOobData(void)
1706 {
1707 tBTM_STATUS status = BTM_SUCCESS;
1708
1709 if (btsnd_hcic_read_local_oob_data() == FALSE)
1710 status = BTM_NO_RESOURCES;
1711
1712 return status;
1713 }
1714
1715 /*******************************************************************************
1716 **
1717 ** Function BTM_RemoteOobDataReply
1718 **
1719 ** Description This function is called to provide the remote OOB data for
1720 ** Simple Pairing in response to BTM_SP_RMT_OOB_EVT
1721 **
1722 ** Parameters: bd_addr - Address of the peer device
1723 ** c - simple pairing Hash C.
1724 ** r - simple pairing Randomizer C.
1725 **
1726 *******************************************************************************/
BTM_RemoteOobDataReply(tBTM_STATUS res,BD_ADDR bd_addr,BT_OCTET16 c,BT_OCTET16 r)1727 void BTM_RemoteOobDataReply(tBTM_STATUS res, BD_ADDR bd_addr, BT_OCTET16 c, BT_OCTET16 r)
1728 {
1729 BTM_TRACE_EVENT ("%s() - State: %s res: %d", __func__,
1730 btm_pair_state_descr(btm_cb.pairing_state), res);
1731
1732 /* If timeout already expired or has been canceled, ignore the reply */
1733 if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP)
1734 return;
1735
1736 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1737
1738 if (res != BTM_SUCCESS)
1739 {
1740 /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed event */
1741 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1742 btsnd_hcic_rem_oob_neg_reply (bd_addr);
1743 } else {
1744 btm_cb.acl_disc_reason = HCI_SUCCESS;
1745 btsnd_hcic_rem_oob_reply (bd_addr, c, r);
1746 }
1747 }
1748
1749 /*******************************************************************************
1750 **
1751 ** Function BTM_BuildOobData
1752 **
1753 ** Description This function is called to build the OOB data payload to
1754 ** be sent over OOB (non-Bluetooth) link
1755 **
1756 ** Parameters: p_data - the location for OOB data
1757 ** max_len - p_data size.
1758 ** c - simple pairing Hash C.
1759 ** r - simple pairing Randomizer C.
1760 ** name_len- 0, local device name would not be included.
1761 ** otherwise, the local device name is included for
1762 ** up to this specified length
1763 **
1764 ** Returns Number of bytes in p_data.
1765 **
1766 *******************************************************************************/
BTM_BuildOobData(UINT8 * p_data,UINT16 max_len,BT_OCTET16 c,BT_OCTET16 r,UINT8 name_len)1767 UINT16 BTM_BuildOobData(UINT8 *p_data, UINT16 max_len, BT_OCTET16 c,
1768 BT_OCTET16 r, UINT8 name_len)
1769 {
1770 UINT8 *p = p_data;
1771 UINT16 len = 0;
1772 #if BTM_MAX_LOC_BD_NAME_LEN > 0
1773 UINT16 name_size;
1774 UINT8 name_type = BTM_EIR_SHORTENED_LOCAL_NAME_TYPE;
1775 #endif
1776
1777 if (p_data && max_len >= BTM_OOB_MANDATORY_SIZE)
1778 {
1779 /* add mandatory part */
1780 UINT16_TO_STREAM(p, len);
1781 BDADDR_TO_STREAM(p, controller_get_interface()->get_address()->address);
1782
1783 len = BTM_OOB_MANDATORY_SIZE;
1784 max_len -= len;
1785
1786 /* now optional part */
1787
1788 /* add Hash C */
1789 UINT16 delta = BTM_OOB_HASH_C_SIZE + 2;
1790 if (max_len >= delta)
1791 {
1792 *p++ = BTM_OOB_HASH_C_SIZE + 1;
1793 *p++ = BTM_EIR_OOB_SSP_HASH_C_TYPE;
1794 ARRAY_TO_STREAM(p, c, BTM_OOB_HASH_C_SIZE);
1795 len += delta;
1796 max_len -= delta;
1797 }
1798
1799 /* add Rand R */
1800 delta = BTM_OOB_RAND_R_SIZE + 2;
1801 if (max_len >= delta)
1802 {
1803 *p++ = BTM_OOB_RAND_R_SIZE + 1;
1804 *p++ = BTM_EIR_OOB_SSP_RAND_R_TYPE;
1805 ARRAY_TO_STREAM(p, r, BTM_OOB_RAND_R_SIZE);
1806 len += delta;
1807 max_len -= delta;
1808 }
1809
1810 /* add class of device */
1811 delta = BTM_OOB_COD_SIZE + 2;
1812 if (max_len >= delta)
1813 {
1814 *p++ = BTM_OOB_COD_SIZE + 1;
1815 *p++ = BTM_EIR_OOB_COD_TYPE;
1816 DEVCLASS_TO_STREAM(p, btm_cb.devcb.dev_class);
1817 len += delta;
1818 max_len -= delta;
1819 }
1820 #if BTM_MAX_LOC_BD_NAME_LEN > 0
1821 name_size = name_len;
1822 if (name_size > strlen(btm_cb.cfg.bd_name))
1823 {
1824 name_type = BTM_EIR_COMPLETE_LOCAL_NAME_TYPE;
1825 name_size = (UINT16)strlen(btm_cb.cfg.bd_name);
1826 }
1827 delta = name_size + 2;
1828 if (max_len >= delta)
1829 {
1830 *p++ = name_size + 1;
1831 *p++ = name_type;
1832 ARRAY_TO_STREAM (p, btm_cb.cfg.bd_name, name_size);
1833 len += delta;
1834 max_len -= delta;
1835 }
1836 #endif
1837 /* update len */
1838 p = p_data;
1839 UINT16_TO_STREAM(p, len);
1840 }
1841 return len;
1842 }
1843
1844 /*******************************************************************************
1845 **
1846 ** Function BTM_BothEndsSupportSecureConnections
1847 **
1848 ** Description This function is called to check if both the local device and the peer device
1849 ** specified by bd_addr support BR/EDR Secure Connections.
1850 **
1851 ** Parameters: bd_addr - address of the peer
1852 **
1853 ** Returns TRUE if BR/EDR Secure Connections are supported by both local
1854 ** and the remote device.
1855 ** else FALSE.
1856 **
1857 *******************************************************************************/
BTM_BothEndsSupportSecureConnections(BD_ADDR bd_addr)1858 BOOLEAN BTM_BothEndsSupportSecureConnections(BD_ADDR bd_addr)
1859 {
1860 return ((controller_get_interface()->supports_secure_connections()) &&
1861 (BTM_PeerSupportsSecureConnections(bd_addr)));
1862 }
1863
1864 /*******************************************************************************
1865 **
1866 ** Function BTM_PeerSupportsSecureConnections
1867 **
1868 ** Description This function is called to check if the peer supports
1869 ** BR/EDR Secure Connections.
1870 **
1871 ** Parameters: bd_addr - address of the peer
1872 **
1873 ** Returns TRUE if BR/EDR Secure Connections are supported by the peer,
1874 ** else FALSE.
1875 **
1876 *******************************************************************************/
BTM_PeerSupportsSecureConnections(BD_ADDR bd_addr)1877 BOOLEAN BTM_PeerSupportsSecureConnections(BD_ADDR bd_addr)
1878 {
1879 tBTM_SEC_DEV_REC *p_dev_rec;
1880
1881 if ((p_dev_rec = btm_find_dev(bd_addr)) == NULL)
1882 {
1883 BTM_TRACE_WARNING("%s: unknown BDA: %08x%04x", __FUNCTION__,
1884 (bd_addr[0]<<24) + (bd_addr[1]<<16) + (bd_addr[2]<<8) + bd_addr[3],
1885 (bd_addr[4]<< 8) + bd_addr[5]);
1886 return FALSE;
1887 }
1888
1889 return (p_dev_rec->remote_supports_secure_connections);
1890 }
1891
1892 /*******************************************************************************
1893 **
1894 ** Function BTM_ReadOobData
1895 **
1896 ** Description This function is called to parse the OOB data payload
1897 ** received over OOB (non-Bluetooth) link
1898 **
1899 ** Parameters: p_data - the location for OOB data
1900 ** eir_tag - The associated EIR tag to read the data.
1901 ** *p_len(output) - the length of the data with the given tag.
1902 **
1903 ** Returns the beginning of the data with the given tag.
1904 ** NULL, if the tag is not found.
1905 **
1906 *******************************************************************************/
BTM_ReadOobData(UINT8 * p_data,UINT8 eir_tag,UINT8 * p_len)1907 UINT8 * BTM_ReadOobData(UINT8 *p_data, UINT8 eir_tag, UINT8 *p_len)
1908 {
1909 UINT8 *p = p_data;
1910 UINT16 max_len;
1911 UINT8 len, type;
1912 UINT8 *p_ret = NULL;
1913 UINT8 ret_len = 0;
1914
1915 if (p_data)
1916 {
1917 STREAM_TO_UINT16(max_len, p);
1918 if (max_len >= BTM_OOB_MANDATORY_SIZE)
1919 {
1920 if (BTM_EIR_OOB_BD_ADDR_TYPE == eir_tag)
1921 {
1922 p_ret = p; /* the location for bd_addr */
1923 ret_len = BTM_OOB_BD_ADDR_SIZE;
1924 }
1925 else
1926 {
1927 p += BD_ADDR_LEN;
1928 max_len -= BTM_OOB_MANDATORY_SIZE;
1929 /* now the optional data in EIR format */
1930 while (max_len > 0)
1931 {
1932 len = *p++; /* tag data len + 1 */
1933 type = *p++;
1934 if (eir_tag == type)
1935 {
1936 p_ret = p;
1937 ret_len = len - 1;
1938 break;
1939 }
1940 /* the data size of this tag is len + 1 (tag data len + 2) */
1941 if (max_len > len)
1942 {
1943 max_len -= len;
1944 max_len--;
1945 len--;
1946 p += len;
1947 }
1948 else
1949 max_len = 0;
1950 }
1951 }
1952 }
1953 }
1954
1955 if (p_len)
1956 *p_len = ret_len;
1957
1958 return p_ret;
1959 }
1960 #endif
1961
1962 /*******************************************************************************
1963 **
1964 ** Function BTM_SetOutService
1965 **
1966 ** Description This function is called to set the service for
1967 ** outgoing connections.
1968 **
1969 ** If the profile/application calls BTM_SetSecurityLevel
1970 ** before initiating a connection, this function does not
1971 ** need to be called.
1972 **
1973 ** Returns void
1974 **
1975 *******************************************************************************/
BTM_SetOutService(BD_ADDR bd_addr,UINT8 service_id,UINT32 mx_chan_id)1976 void BTM_SetOutService(BD_ADDR bd_addr, UINT8 service_id, UINT32 mx_chan_id)
1977 {
1978 tBTM_SEC_DEV_REC *p_dev_rec;
1979 tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0];
1980
1981 btm_cb.p_out_serv = p_serv_rec;
1982 p_dev_rec = btm_find_dev (bd_addr);
1983
1984 for (int i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++)
1985 {
1986 if ((p_serv_rec->security_flags & BTM_SEC_IN_USE)
1987 && (p_serv_rec->service_id == service_id)
1988 && (p_serv_rec->orig_mx_chan_id == mx_chan_id))
1989 {
1990 BTM_TRACE_API("BTM_SetOutService p_out_serv id %d, psm 0x%04x, proto_id %d, chan_id %d",
1991 p_serv_rec->service_id, p_serv_rec->psm, p_serv_rec->mx_proto_id, p_serv_rec->orig_mx_chan_id);
1992 btm_cb.p_out_serv = p_serv_rec;
1993 if (p_dev_rec)
1994 p_dev_rec->p_cur_service = p_serv_rec;
1995 break;
1996 }
1997 }
1998 }
1999
2000 /************************************************************************
2001 ** I N T E R N A L F U N C T I O N S
2002 *************************************************************************/
2003 /*******************************************************************************
2004 **
2005 ** Function btm_sec_is_upgrade_possible
2006 **
2007 ** Description This function returns TRUE if the existing link key
2008 ** can be upgraded or if the link key does not exist.
2009 **
2010 ** Returns BOOLEAN
2011 **
2012 *******************************************************************************/
btm_sec_is_upgrade_possible(tBTM_SEC_DEV_REC * p_dev_rec,BOOLEAN is_originator)2013 static BOOLEAN btm_sec_is_upgrade_possible(tBTM_SEC_DEV_REC *p_dev_rec, BOOLEAN is_originator)
2014 {
2015 UINT16 mtm_check = is_originator ? BTM_SEC_OUT_MITM : BTM_SEC_IN_MITM;
2016 BOOLEAN is_possible = TRUE;
2017
2018 if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)
2019 {
2020 is_possible = FALSE;
2021 if(p_dev_rec->p_cur_service)
2022 {
2023 BTM_TRACE_DEBUG ("%s() id: %d, link_key_typet: %d, rmt_io_caps: %d, chk flags: 0x%x, flags: 0x%x",
2024 __func__, p_dev_rec->p_cur_service->service_id, p_dev_rec->link_key_type,
2025 p_dev_rec->rmt_io_caps, mtm_check, p_dev_rec->p_cur_service->security_flags);
2026 }
2027 else
2028 {
2029 BTM_TRACE_DEBUG ("%s() link_key_typet: %d, rmt_io_caps: %d, chk flags: 0x%x",
2030 __func__, p_dev_rec->link_key_type, p_dev_rec->rmt_io_caps, mtm_check);
2031 }
2032 /* Already have a link key to the connected peer. Is the link key secure enough?
2033 ** Is a link key upgrade even possible?
2034 */
2035 if ((p_dev_rec->security_required & mtm_check) /* needs MITM */
2036 && ((p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB) ||
2037 (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256))
2038 /* has unauthenticated
2039 link key */
2040 && (p_dev_rec->rmt_io_caps < BTM_IO_CAP_MAX) /* a valid peer IO cap */
2041 && (btm_sec_io_map[p_dev_rec->rmt_io_caps][btm_cb.devcb.loc_io_caps]))
2042 /* authenticated
2043 link key is possible */
2044 {
2045 /* upgrade is possible: check if the application wants the upgrade.
2046 * If the application is configured to use a global MITM flag,
2047 * it probably would not want to upgrade the link key based on the security level database */
2048 is_possible = TRUE;
2049 }
2050 }
2051 BTM_TRACE_DEBUG ("%s() is_possible: %d sec_flags: 0x%x", __func__, is_possible, p_dev_rec->sec_flags);
2052 return is_possible;
2053 }
2054
2055 /*******************************************************************************
2056 **
2057 ** Function btm_sec_check_upgrade
2058 **
2059 ** Description This function is called to check if the existing link key
2060 ** needs to be upgraded.
2061 **
2062 ** Returns void
2063 **
2064 *******************************************************************************/
btm_sec_check_upgrade(tBTM_SEC_DEV_REC * p_dev_rec,BOOLEAN is_originator)2065 static void btm_sec_check_upgrade(tBTM_SEC_DEV_REC *p_dev_rec, BOOLEAN is_originator)
2066 {
2067
2068 BTM_TRACE_DEBUG ("%s()", __func__);
2069
2070 /* Only check if link key already exists */
2071 if (!(p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN))
2072 return;
2073
2074 if (btm_sec_is_upgrade_possible (p_dev_rec, is_originator) == TRUE)
2075 {
2076 BTM_TRACE_DEBUG ("need upgrade!! sec_flags:0x%x", p_dev_rec->sec_flags);
2077 /* upgrade is possible: check if the application wants the upgrade.
2078 * If the application is configured to use a global MITM flag,
2079 * it probably would not want to upgrade the link key based on the security level database */
2080 tBTM_SP_UPGRADE evt_data;
2081 memcpy (evt_data.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
2082 evt_data.upgrade = TRUE;
2083 if (btm_cb.api.p_sp_callback)
2084 (*btm_cb.api.p_sp_callback) (BTM_SP_UPGRADE_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
2085
2086 BTM_TRACE_DEBUG ("evt_data.upgrade:0x%x", evt_data.upgrade);
2087 if (evt_data.upgrade)
2088 {
2089 /* if the application confirms the upgrade, set the upgrade bit */
2090 p_dev_rec->sm4 |= BTM_SM4_UPGRADE;
2091
2092 /* Clear the link key known to go through authentication/pairing again */
2093 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED);
2094 p_dev_rec->sec_flags &= ~BTM_SEC_AUTHENTICATED;
2095 BTM_TRACE_DEBUG ("sec_flags:0x%x", p_dev_rec->sec_flags);
2096 }
2097 }
2098 }
2099
2100 /*******************************************************************************
2101 **
2102 ** Function btm_sec_l2cap_access_req
2103 **
2104 ** Description This function is called by the L2CAP to grant permission to
2105 ** establish L2CAP connection to or from the peer device.
2106 **
2107 ** Parameters: bd_addr - Address of the peer device
2108 ** psm - L2CAP PSM
2109 ** is_originator - TRUE if protocol above L2CAP originates
2110 ** connection
2111 ** p_callback - Pointer to callback function called if
2112 ** this function returns PENDING after required
2113 ** procedures are complete. MUST NOT BE NULL.
2114 **
2115 ** Returns tBTM_STATUS
2116 **
2117 *******************************************************************************/
2118 #define BTM_SEC_OUT_FLAGS (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT | BTM_SEC_OUT_AUTHORIZE)
2119 #define BTM_SEC_IN_FLAGS (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHORIZE)
2120
2121 #define BTM_SEC_OUT_LEVEL4_FLAGS (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT | \
2122 BTM_SEC_OUT_MITM | BTM_SEC_MODE4_LEVEL4)
2123
2124 #define BTM_SEC_IN_LEVEL4_FLAGS (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT | \
2125 BTM_SEC_IN_MITM | BTM_SEC_MODE4_LEVEL4)
2126
btm_sec_l2cap_access_req(BD_ADDR bd_addr,UINT16 psm,UINT16 handle,CONNECTION_TYPE conn_type,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data)2127 tBTM_STATUS btm_sec_l2cap_access_req (BD_ADDR bd_addr, UINT16 psm, UINT16 handle,
2128 CONNECTION_TYPE conn_type,
2129 tBTM_SEC_CALLBACK *p_callback,
2130 void *p_ref_data)
2131 {
2132 tBTM_SEC_DEV_REC *p_dev_rec;
2133 tBTM_SEC_SERV_REC *p_serv_rec;
2134 UINT16 security_required;
2135 UINT16 old_security_required;
2136 BOOLEAN old_is_originator;
2137 tBTM_STATUS rc = BTM_SUCCESS;
2138 BOOLEAN chk_acp_auth_done = FALSE;
2139 BOOLEAN is_originator;
2140 BOOLEAN transport = FALSE; /* should check PSM range in LE connection oriented L2CAP connection */
2141
2142 #if (L2CAP_UCD_INCLUDED == TRUE)
2143 if (conn_type & CONNECTION_TYPE_ORIG_MASK)
2144 is_originator = TRUE;
2145 else
2146 is_originator = FALSE;
2147
2148 BTM_TRACE_DEBUG ("%s() conn_type: 0x%x, 0x%x", __func__, conn_type, p_ref_data);
2149 #else
2150 is_originator = conn_type;
2151
2152 BTM_TRACE_DEBUG ("%s() is_originator:%d, 0x%x", __func__, is_originator, p_ref_data);
2153 #endif
2154
2155 /* Find or get oldest record */
2156 p_dev_rec = btm_find_or_alloc_dev (bd_addr);
2157
2158 p_dev_rec->hci_handle = handle;
2159
2160 /* Find the service record for the PSM */
2161 p_serv_rec = btm_sec_find_first_serv (conn_type, psm);
2162
2163 /* If there is no application registered with this PSM do not allow connection */
2164 if (!p_serv_rec)
2165 {
2166 BTM_TRACE_WARNING ("%s() PSM: %d no application registerd", __func__, psm);
2167 (*p_callback) (bd_addr, transport, p_ref_data, BTM_MODE_UNSUPPORTED);
2168 return(BTM_MODE_UNSUPPORTED);
2169 }
2170
2171 /* Services level0 by default have no security */
2172 if ((btm_sec_is_serv_level0(psm)) && (!btm_cb.devcb.secure_connections_only))
2173 {
2174 (*p_callback) (bd_addr,transport, p_ref_data, BTM_SUCCESS_NO_SECURITY);
2175 return(BTM_SUCCESS);
2176 }
2177 #if (L2CAP_UCD_INCLUDED == TRUE)
2178 if ( conn_type & CONNECTION_TYPE_CONNLESS_MASK )
2179 {
2180 if (btm_cb.security_mode == BTM_SEC_MODE_SC)
2181 {
2182 security_required = btm_sec_set_serv_level4_flags (p_serv_rec->ucd_security_flags,
2183 is_originator);
2184 }
2185 else
2186 {
2187 security_required = p_serv_rec->ucd_security_flags;
2188 }
2189
2190 rc = BTM_CMD_STARTED;
2191 if (is_originator)
2192 {
2193 if (((security_required & BTM_SEC_OUT_FLAGS) == 0) ||
2194 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_AUTHENTICATE) && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))) ||
2195 ((((security_required & BTM_SEC_OUT_FLAGS) == (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) && (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))) ||
2196 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_FLAGS) && (p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED))) )
2197 {
2198 rc = BTM_SUCCESS;
2199 }
2200 }
2201 else
2202 {
2203 if (((security_required & BTM_SEC_IN_FLAGS) == 0) ||
2204 ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHENTICATE) && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))) ||
2205 ((((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) && (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))) ||
2206 ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_FLAGS) && (p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED))) )
2207 {
2208 // Check for 16 digits (or MITM)
2209 if (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == 0) ||
2210 (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == BTM_SEC_IN_MIN_16_DIGIT_PIN) &&
2211 btm_dev_16_digit_authenticated(p_dev_rec))) {
2212 rc = BTM_SUCCESS;
2213 }
2214 }
2215 }
2216
2217 if ((rc == BTM_SUCCESS) && (security_required & BTM_SEC_MODE4_LEVEL4) &&
2218 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256))
2219 {
2220 rc = BTM_CMD_STARTED;
2221 }
2222
2223 if (rc == BTM_SUCCESS)
2224 {
2225 if (p_callback)
2226 (*p_callback) (bd_addr, transport, (void *)p_ref_data, BTM_SUCCESS);
2227
2228 return(BTM_SUCCESS);
2229 }
2230 }
2231 else
2232 #endif
2233 {
2234 if (btm_cb.security_mode == BTM_SEC_MODE_SC)
2235 {
2236 security_required = btm_sec_set_serv_level4_flags (p_serv_rec->security_flags,
2237 is_originator);
2238 }
2239 else
2240 {
2241 security_required = p_serv_rec->security_flags;
2242 }
2243 }
2244
2245 BTM_TRACE_DEBUG("%s: security_required 0x%04x, is_originator 0x%02x, psm 0x%04x",
2246 __FUNCTION__, security_required, is_originator, psm);
2247
2248 if ((!is_originator) && (security_required & BTM_SEC_MODE4_LEVEL4))
2249 {
2250 BOOLEAN local_supports_sc = controller_get_interface()->supports_secure_connections();
2251 /* acceptor receives L2CAP Channel Connect Request for Secure Connections Only service */
2252 if (!(local_supports_sc) || !(p_dev_rec->remote_supports_secure_connections))
2253 {
2254 BTM_TRACE_DEBUG("%s: SC only service, local_support_for_sc %d",
2255 "rmt_support_for_sc : %d -> fail pairing", __FUNCTION__,
2256 local_supports_sc,
2257 p_dev_rec->remote_supports_secure_connections);
2258 if (p_callback)
2259 (*p_callback) (bd_addr, transport, (void *)p_ref_data,
2260 BTM_MODE4_LEVEL4_NOT_SUPPORTED);
2261
2262 return (BTM_MODE4_LEVEL4_NOT_SUPPORTED);
2263 }
2264 }
2265
2266 /* there are some devices (moto KRZR) which connects to several services at the same time */
2267 /* we will process one after another */
2268 if ( (p_dev_rec->p_callback) || (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) )
2269 {
2270 BTM_TRACE_EVENT ("%s() - busy - PSM:%d delayed state: %s mode:%d, sm4:0x%x", __func__,
2271 psm, btm_pair_state_descr(btm_cb.pairing_state), btm_cb.security_mode, p_dev_rec->sm4);
2272 BTM_TRACE_EVENT ("security_flags:x%x, sec_flags:x%x", security_required, p_dev_rec->sec_flags);
2273 rc = BTM_CMD_STARTED;
2274 if ((btm_cb.security_mode == BTM_SEC_MODE_UNDEFINED ||
2275 btm_cb.security_mode == BTM_SEC_MODE_NONE ||
2276 btm_cb.security_mode == BTM_SEC_MODE_SERVICE ||
2277 btm_cb.security_mode == BTM_SEC_MODE_LINK) ||
2278 (BTM_SM4_KNOWN == p_dev_rec->sm4) || (BTM_SEC_IS_SM4(p_dev_rec->sm4) &&
2279 (btm_sec_is_upgrade_possible(p_dev_rec, is_originator) == FALSE)))
2280 {
2281 /* legacy mode - local is legacy or local is lisbon/peer is legacy
2282 * or SM4 with no possibility of link key upgrade */
2283 if (is_originator)
2284 {
2285 if (((security_required & BTM_SEC_OUT_FLAGS) == 0) ||
2286 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_AUTHENTICATE) && btm_dev_authenticated(p_dev_rec))) ||
2287 ((((security_required & BTM_SEC_OUT_FLAGS) == (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) && btm_dev_encrypted(p_dev_rec))) ||
2288 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_FLAGS) && btm_dev_authorized(p_dev_rec) && btm_dev_encrypted(p_dev_rec))) )
2289 {
2290 rc = BTM_SUCCESS;
2291 }
2292 }
2293 else
2294 {
2295 if (((security_required & BTM_SEC_IN_FLAGS) == 0) ||
2296 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHENTICATE) && btm_dev_authenticated(p_dev_rec)) ||
2297 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) && btm_dev_encrypted(p_dev_rec)) ||
2298 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHORIZE) && (btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec))) ||
2299 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_AUTHORIZE)) && ((btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec)) && btm_dev_authenticated(p_dev_rec))) ||
2300 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHORIZE)) && ((btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec)) && btm_dev_encrypted(p_dev_rec))) ||
2301 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_FLAGS) && btm_dev_encrypted(p_dev_rec) && (btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec))))
2302 {
2303 // Check for 16 digits (or MITM)
2304 if (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == 0) ||
2305 (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == BTM_SEC_IN_MIN_16_DIGIT_PIN) && btm_dev_16_digit_authenticated(p_dev_rec))) {
2306 rc = BTM_SUCCESS;
2307 }
2308 }
2309 }
2310
2311 if ((rc == BTM_SUCCESS) && (security_required & BTM_SEC_MODE4_LEVEL4) &&
2312 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256))
2313 {
2314 rc = BTM_CMD_STARTED;
2315 }
2316
2317 if (rc == BTM_SUCCESS)
2318 {
2319 if (p_callback)
2320 (*p_callback) (bd_addr, transport, (void *)p_ref_data, BTM_SUCCESS);
2321 return(BTM_SUCCESS);
2322 }
2323 }
2324
2325 btm_cb.sec_req_pending = TRUE;
2326 return(BTM_CMD_STARTED);
2327 }
2328
2329 /* Save pointer to service record */
2330 p_dev_rec->p_cur_service = p_serv_rec;
2331
2332 /* Modify security_required in btm_sec_l2cap_access_req for Lisbon */
2333 if (btm_cb.security_mode == BTM_SEC_MODE_SP ||
2334 btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
2335 btm_cb.security_mode == BTM_SEC_MODE_SC)
2336 {
2337 if (BTM_SEC_IS_SM4(p_dev_rec->sm4))
2338 {
2339 if (is_originator)
2340 {
2341 /* SM4 to SM4 -> always authenticate & encrypt */
2342 security_required |= (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT);
2343 }
2344 else /* acceptor */
2345 {
2346 /* SM4 to SM4: the acceptor needs to make sure the authentication is already done */
2347 chk_acp_auth_done = TRUE;
2348 /* SM4 to SM4 -> always authenticate & encrypt */
2349 security_required |= (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT);
2350 }
2351 }
2352 else if (!(BTM_SM4_KNOWN & p_dev_rec->sm4))
2353 {
2354 /* the remote features are not known yet */
2355 BTM_TRACE_DEBUG("%s: (%s) remote features unknown!!sec_flags:0x%02x", __FUNCTION__,
2356 (is_originator) ? "initiator" : "acceptor", p_dev_rec->sec_flags);
2357
2358 p_dev_rec->sm4 |= BTM_SM4_REQ_PEND;
2359 return (BTM_CMD_STARTED);
2360 }
2361 }
2362
2363 BTM_TRACE_DEBUG ("%s() sm4:0x%x, sec_flags:0x%x, security_required:0x%x chk:%d", __func__,
2364 p_dev_rec->sm4, p_dev_rec->sec_flags, security_required, chk_acp_auth_done);
2365
2366 old_security_required = p_dev_rec->security_required;
2367 old_is_originator = p_dev_rec->is_originator;
2368 p_dev_rec->security_required = security_required;
2369 p_dev_rec->p_ref_data = p_ref_data;
2370 p_dev_rec->is_originator = is_originator;
2371
2372 #if (L2CAP_UCD_INCLUDED == TRUE)
2373 if ( conn_type & CONNECTION_TYPE_CONNLESS_MASK )
2374 p_dev_rec->is_ucd = TRUE;
2375 else
2376 p_dev_rec->is_ucd = FALSE;
2377 #endif
2378
2379 /* If there are multiple service records used through the same PSM */
2380 /* leave security decision for the multiplexor on the top */
2381 #if (L2CAP_UCD_INCLUDED == TRUE)
2382 if (((btm_sec_find_next_serv (p_serv_rec)) != NULL)
2383 &&(!( conn_type & CONNECTION_TYPE_CONNLESS_MASK ))) /* if not UCD */
2384 #else
2385 if ((btm_sec_find_next_serv (p_serv_rec)) != NULL)
2386 #endif
2387 {
2388 BTM_TRACE_DEBUG ("no next_serv sm4:0x%x, chk:%d", p_dev_rec->sm4, chk_acp_auth_done);
2389 if (!BTM_SEC_IS_SM4(p_dev_rec->sm4))
2390 {
2391 BTM_TRACE_EVENT ("Security Manager: l2cap_access_req PSM:%d postponed for multiplexer", psm);
2392 /* pre-Lisbon: restore the old settings */
2393 p_dev_rec->security_required = old_security_required;
2394 p_dev_rec->is_originator = old_is_originator;
2395
2396 (*p_callback) (bd_addr, transport, p_ref_data, BTM_SUCCESS);
2397
2398 return(BTM_SUCCESS);
2399 }
2400 }
2401
2402 /* if the originator is using dynamic PSM in legacy mode, do not start any security process now
2403 * The layer above L2CAP needs to carry out the security requirement after L2CAP connect
2404 * response is received */
2405 if (is_originator &&
2406 ((btm_cb.security_mode == BTM_SEC_MODE_UNDEFINED ||
2407 btm_cb.security_mode == BTM_SEC_MODE_NONE ||
2408 btm_cb.security_mode == BTM_SEC_MODE_SERVICE ||
2409 btm_cb.security_mode == BTM_SEC_MODE_LINK) ||
2410 !BTM_SEC_IS_SM4(p_dev_rec->sm4)) && (psm >= 0x1001))
2411 {
2412 BTM_TRACE_EVENT ("dynamic PSM:0x%x in legacy mode - postponed for upper layer", psm);
2413 /* restore the old settings */
2414 p_dev_rec->security_required = old_security_required;
2415 p_dev_rec->is_originator = old_is_originator;
2416
2417 (*p_callback) (bd_addr, transport, p_ref_data, BTM_SUCCESS);
2418
2419 return(BTM_SUCCESS);
2420 }
2421
2422 if (chk_acp_auth_done)
2423 {
2424 BTM_TRACE_DEBUG ("(SM4 to SM4) btm_sec_l2cap_access_req rspd. authenticated: x%x, enc: x%x",
2425 (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED), (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED));
2426 /* SM4, but we do not know for sure which level of security we need.
2427 * as long as we have a link key, it's OK */
2428 if ((0 == (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))
2429 ||(0 == (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)))
2430 {
2431 rc = BTM_DELAY_CHECK;
2432 /*
2433 2046 may report HCI_Encryption_Change and L2C Connection Request out of sequence
2434 because of data path issues. Delay this disconnect a little bit
2435 */
2436 LOG_INFO("%s peer should have initiated security process by now (SM4 to SM4)", __func__);
2437 p_dev_rec->p_callback = p_callback;
2438 p_dev_rec->sec_state = BTM_SEC_STATE_DELAY_FOR_ENC;
2439 (*p_callback) (bd_addr, transport, p_ref_data, rc);
2440
2441 return BTM_SUCCESS;
2442 }
2443 }
2444
2445 p_dev_rec->p_callback = p_callback;
2446
2447 if (p_dev_rec->last_author_service_id == BTM_SEC_NO_LAST_SERVICE_ID
2448 || p_dev_rec->last_author_service_id != p_dev_rec->p_cur_service->service_id)
2449 {
2450 /* Although authentication and encryption are per connection
2451 ** authorization is per access request. For example when serial connection
2452 ** is up and authorized and client requests to read file (access to other
2453 ** scn), we need to request user's permission again.
2454 */
2455 p_dev_rec->sec_flags &= ~BTM_SEC_AUTHORIZED;
2456 }
2457
2458 if (BTM_SEC_IS_SM4(p_dev_rec->sm4))
2459 {
2460 if ((p_dev_rec->security_required & BTM_SEC_MODE4_LEVEL4) &&
2461 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256))
2462 {
2463 /* BTM_LKEY_TYPE_AUTH_COMB_P_256 is the only acceptable key in this case */
2464 if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) != 0)
2465 {
2466 p_dev_rec->sm4 |= BTM_SM4_UPGRADE;
2467 }
2468 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED |
2469 BTM_SEC_AUTHENTICATED);
2470 BTM_TRACE_DEBUG ("%s: sec_flags:0x%x", __FUNCTION__, p_dev_rec->sec_flags);
2471 }
2472 else
2473 {
2474 /* If we already have a link key to the connected peer, is it secure enough? */
2475 btm_sec_check_upgrade(p_dev_rec, is_originator);
2476 }
2477 }
2478
2479 BTM_TRACE_EVENT ("%s() PSM:%d Handle:%d State:%d Flags: 0x%x Required: 0x%x Service ID:%d",
2480 __func__, psm, handle, p_dev_rec->sec_state, p_dev_rec->sec_flags,
2481 p_dev_rec->security_required, p_dev_rec->p_cur_service->service_id);
2482
2483 if ((rc = btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED)
2484 {
2485 p_dev_rec->p_callback = NULL;
2486 (*p_callback) (bd_addr, transport, p_dev_rec->p_ref_data, (UINT8)rc);
2487 }
2488
2489 return(rc);
2490 }
2491
2492 /*******************************************************************************
2493 **
2494 ** Function btm_sec_mx_access_request
2495 **
2496 ** Description This function is called by all Multiplexing Protocols during
2497 ** establishing connection to or from peer device to grant
2498 ** permission to establish application connection.
2499 **
2500 ** Parameters: bd_addr - Address of the peer device
2501 ** psm - L2CAP PSM
2502 ** is_originator - TRUE if protocol above L2CAP originates
2503 ** connection
2504 ** mx_proto_id - protocol ID of the multiplexer
2505 ** mx_chan_id - multiplexer channel to reach application
2506 ** p_callback - Pointer to callback function called if
2507 ** this function returns PENDING after required
2508 ** procedures are completed
2509 ** p_ref_data - Pointer to any reference data needed by the
2510 ** the callback function.
2511 **
2512 ** Returns BTM_CMD_STARTED
2513 **
2514 *******************************************************************************/
btm_sec_mx_access_request(BD_ADDR bd_addr,UINT16 psm,BOOLEAN is_originator,UINT32 mx_proto_id,UINT32 mx_chan_id,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data)2515 tBTM_STATUS btm_sec_mx_access_request (BD_ADDR bd_addr, UINT16 psm, BOOLEAN is_originator,
2516 UINT32 mx_proto_id, UINT32 mx_chan_id,
2517 tBTM_SEC_CALLBACK *p_callback, void *p_ref_data)
2518 {
2519 tBTM_SEC_DEV_REC *p_dev_rec;
2520 tBTM_SEC_SERV_REC *p_serv_rec;
2521 tBTM_STATUS rc;
2522 UINT16 security_required;
2523 BOOLEAN transport = FALSE;/* should check PSM range in LE connection oriented L2CAP connection */
2524
2525 BTM_TRACE_DEBUG ("%s() is_originator: %d", __func__, is_originator);
2526 /* Find or get oldest record */
2527 p_dev_rec = btm_find_or_alloc_dev (bd_addr);
2528
2529 /* Find the service record for the PSM */
2530 p_serv_rec = btm_sec_find_mx_serv (is_originator, psm, mx_proto_id, mx_chan_id);
2531
2532 /* If there is no application registered with this PSM do not allow connection */
2533 if (!p_serv_rec)
2534 {
2535 if (p_callback)
2536 (*p_callback) (bd_addr, transport, p_ref_data, BTM_MODE_UNSUPPORTED);
2537
2538 BTM_TRACE_ERROR ("Security Manager: MX service not found PSM:%d Proto:%d SCN:%d",
2539 psm, mx_proto_id, mx_chan_id);
2540 return BTM_NO_RESOURCES;
2541 }
2542
2543 if ((btm_cb.security_mode == BTM_SEC_MODE_SC) && (!btm_sec_is_serv_level0(psm)))
2544 {
2545 security_required = btm_sec_set_serv_level4_flags (p_serv_rec->security_flags,
2546 is_originator);
2547 }
2548 else
2549 {
2550 security_required = p_serv_rec->security_flags;
2551 }
2552
2553 /* there are some devices (moto phone) which connects to several services at the same time */
2554 /* we will process one after another */
2555 if ( (p_dev_rec->p_callback) || (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) )
2556 {
2557 BTM_TRACE_EVENT ("%s() service PSM:%d Proto:%d SCN:%d delayed state: %s", __func__,
2558 psm, mx_proto_id, mx_chan_id, btm_pair_state_descr(btm_cb.pairing_state));
2559
2560 rc = BTM_CMD_STARTED;
2561
2562 if ((btm_cb.security_mode == BTM_SEC_MODE_UNDEFINED ||
2563 btm_cb.security_mode == BTM_SEC_MODE_NONE ||
2564 btm_cb.security_mode == BTM_SEC_MODE_SERVICE ||
2565 btm_cb.security_mode == BTM_SEC_MODE_LINK) ||
2566 (BTM_SM4_KNOWN == p_dev_rec->sm4) || (BTM_SEC_IS_SM4(p_dev_rec->sm4) &&
2567 (btm_sec_is_upgrade_possible(p_dev_rec, is_originator) == FALSE)))
2568 {
2569 /* legacy mode - local is legacy or local is lisbon/peer is legacy
2570 * or SM4 with no possibility of link key upgrade */
2571 if (is_originator)
2572 {
2573 if (((security_required & BTM_SEC_OUT_FLAGS) == 0) ||
2574 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_AUTHENTICATE) && btm_dev_authenticated(p_dev_rec))) ||
2575 ((((security_required & BTM_SEC_OUT_FLAGS) == (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) && btm_dev_encrypted(p_dev_rec)))
2576 )
2577 {
2578 rc = BTM_SUCCESS;
2579 }
2580 }
2581 else
2582 {
2583 if (((security_required & BTM_SEC_IN_FLAGS) == 0) ||
2584 ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHENTICATE) && btm_dev_authenticated(p_dev_rec))) ||
2585 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHORIZE) && (btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec))) ||
2586 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_AUTHENTICATE)) && ((btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec)) && btm_dev_authenticated(p_dev_rec))) ||
2587 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT)) && ((btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec))&& btm_dev_encrypted(p_dev_rec))) ||
2588 ((((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) && btm_dev_encrypted(p_dev_rec)))
2589 )
2590 {
2591 // Check for 16 digits (or MITM)
2592 if (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == 0) ||
2593 (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == BTM_SEC_IN_MIN_16_DIGIT_PIN) && btm_dev_16_digit_authenticated(p_dev_rec))) {
2594 rc = BTM_SUCCESS;
2595 }
2596 }
2597 }
2598 if ((rc == BTM_SUCCESS) && (security_required & BTM_SEC_MODE4_LEVEL4) &&
2599 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256))
2600 {
2601 rc = BTM_CMD_STARTED;
2602 }
2603 }
2604
2605 if (rc == BTM_SUCCESS)
2606 {
2607 BTM_TRACE_EVENT("%s: allow to bypass, checking authorization", __FUNCTION__);
2608 /* the security in BTM_SEC_IN_FLAGS is fullfilled so far, check the requirements in */
2609 /* btm_sec_execute_procedure */
2610 if ((is_originator && (p_serv_rec->security_flags & BTM_SEC_OUT_AUTHORIZE)) ||
2611 (!is_originator && (p_serv_rec->security_flags & BTM_SEC_IN_AUTHORIZE)))
2612 {
2613 BTM_TRACE_EVENT("%s: still need authorization", __FUNCTION__);
2614 rc = BTM_CMD_STARTED;
2615 }
2616 }
2617
2618 /* Check whether there is a pending security procedure, if so we should always queue */
2619 /* the new security request */
2620 if (p_dev_rec->sec_state != BTM_SEC_STATE_IDLE)
2621 {
2622 BTM_TRACE_EVENT("%s: There is a pending security procedure", __FUNCTION__);
2623 rc = BTM_CMD_STARTED;
2624 }
2625 if (rc == BTM_CMD_STARTED)
2626 {
2627 BTM_TRACE_EVENT("%s: call btm_sec_queue_mx_request", __FUNCTION__);
2628 btm_sec_queue_mx_request (bd_addr, psm, is_originator, mx_proto_id,
2629 mx_chan_id, p_callback, p_ref_data);
2630 }
2631 else /* rc == BTM_SUCCESS */
2632 {
2633 /* access granted */
2634 if (p_callback)
2635 {
2636 (*p_callback) (bd_addr, transport, p_ref_data, (UINT8)rc);
2637 }
2638 }
2639
2640 BTM_TRACE_EVENT("%s: return with rc = 0x%02x in delayed state %s", __FUNCTION__, rc,
2641 btm_pair_state_descr(btm_cb.pairing_state));
2642 return rc;
2643 }
2644
2645 if ((!is_originator) && ((security_required & BTM_SEC_MODE4_LEVEL4) ||
2646 (btm_cb.security_mode == BTM_SEC_MODE_SC)))
2647 {
2648 BOOLEAN local_supports_sc = controller_get_interface()->supports_secure_connections();
2649 /* acceptor receives service connection establishment Request for */
2650 /* Secure Connections Only service */
2651 if (!(local_supports_sc) || !(p_dev_rec->remote_supports_secure_connections))
2652 {
2653 BTM_TRACE_DEBUG("%s: SC only service,local_support_for_sc %d,",
2654 "remote_support_for_sc %d: fail pairing",__FUNCTION__,
2655 local_supports_sc, p_dev_rec->remote_supports_secure_connections);
2656
2657 if (p_callback)
2658 (*p_callback) (bd_addr, transport, (void *)p_ref_data,
2659 BTM_MODE4_LEVEL4_NOT_SUPPORTED);
2660
2661 return (BTM_MODE4_LEVEL4_NOT_SUPPORTED);
2662 }
2663 }
2664
2665 p_dev_rec->p_cur_service = p_serv_rec;
2666 p_dev_rec->security_required = security_required;
2667
2668 if (btm_cb.security_mode == BTM_SEC_MODE_SP ||
2669 btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
2670 btm_cb.security_mode == BTM_SEC_MODE_SC)
2671 {
2672 if (BTM_SEC_IS_SM4(p_dev_rec->sm4))
2673 {
2674 if ((p_dev_rec->security_required & BTM_SEC_MODE4_LEVEL4) &&
2675 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256))
2676 {
2677 /* BTM_LKEY_TYPE_AUTH_COMB_P_256 is the only acceptable key in this case */
2678 if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) != 0)
2679 {
2680 p_dev_rec->sm4 |= BTM_SM4_UPGRADE;
2681 }
2682
2683 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED |
2684 BTM_SEC_AUTHENTICATED);
2685 BTM_TRACE_DEBUG("%s: sec_flags:0x%x", __FUNCTION__, p_dev_rec->sec_flags);
2686 }
2687 else
2688 {
2689 /* If we already have a link key, check if that link key is good enough */
2690 btm_sec_check_upgrade(p_dev_rec, is_originator);
2691 }
2692 }
2693 }
2694
2695 p_dev_rec->is_originator = is_originator;
2696 p_dev_rec->p_callback = p_callback;
2697 p_dev_rec->p_ref_data = p_ref_data;
2698
2699 /* Although authentication and encryption are per connection */
2700 /* authorization is per access request. For example when serial connection */
2701 /* is up and authorized and client requests to read file (access to other */
2702 /* scn, we need to request user's permission again. */
2703 p_dev_rec->sec_flags &= ~(BTM_SEC_AUTHORIZED);
2704
2705 BTM_TRACE_EVENT ("%s() proto_id:%d chan_id:%d State:%d Flags:0x%x Required:0x%x Service ID:%d",
2706 __func__, mx_proto_id, mx_chan_id, p_dev_rec->sec_state, p_dev_rec->sec_flags,
2707 p_dev_rec->security_required, p_dev_rec->p_cur_service->service_id);
2708
2709 if ((rc = btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED)
2710 {
2711 if (p_callback)
2712 {
2713 p_dev_rec->p_callback = NULL;
2714 (*p_callback) (bd_addr,transport, p_ref_data, (UINT8)rc);
2715 }
2716 }
2717
2718 return rc;
2719 }
2720
2721 /*******************************************************************************
2722 **
2723 ** Function btm_sec_conn_req
2724 **
2725 ** Description This function is when the peer device is requesting
2726 ** connection
2727 **
2728 ** Returns void
2729 **
2730 *******************************************************************************/
btm_sec_conn_req(UINT8 * bda,UINT8 * dc)2731 void btm_sec_conn_req (UINT8 *bda, UINT8 *dc)
2732 {
2733 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bda);
2734
2735 /* Some device may request a connection before we are done with the HCI_Reset sequence */
2736 if (!controller_get_interface()->get_is_ready())
2737 {
2738 BTM_TRACE_EVENT ("Security Manager: connect request when device not ready");
2739 btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2740 return;
2741 }
2742
2743 /* Security guys wants us not to allow connection from not paired devices */
2744
2745 /* Check if connection is allowed for only paired devices */
2746 if (btm_cb.connect_only_paired)
2747 {
2748 if (!p_dev_rec || !(p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED))
2749 {
2750 BTM_TRACE_EVENT ("Security Manager: connect request from non-paired device");
2751 btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2752 return;
2753 }
2754 }
2755
2756 #if BTM_ALLOW_CONN_IF_NONDISCOVER == FALSE
2757 /* If non-discoverable, only allow known devices to connect */
2758 if (btm_cb.btm_inq_vars.discoverable_mode == BTM_NON_DISCOVERABLE)
2759 {
2760 if (!p_dev_rec)
2761 {
2762 BTM_TRACE_EVENT ("Security Manager: connect request from not paired device");
2763 btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2764 return;
2765 }
2766 }
2767 #endif
2768
2769 if ((btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
2770 &&(btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
2771 &&(!memcmp (btm_cb.pairing_bda, bda, BD_ADDR_LEN)))
2772 {
2773 BTM_TRACE_EVENT ("Security Manager: reject connect request from bonding device");
2774
2775 /* incoming connection from bonding device is rejected */
2776 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_REJECTED_CONNECT;
2777 btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2778 return;
2779 }
2780
2781 /* Host is not interested or approved connection. Save BDA and DC and */
2782 /* pass request to L2CAP */
2783 memcpy (btm_cb.connecting_bda, bda, BD_ADDR_LEN);
2784 memcpy (btm_cb.connecting_dc, dc, DEV_CLASS_LEN);
2785
2786 if (l2c_link_hci_conn_req (bda))
2787 {
2788 if (!p_dev_rec)
2789 {
2790 /* accept the connection -> allocate a device record */
2791 p_dev_rec = btm_sec_alloc_dev (bda);
2792 }
2793 if (p_dev_rec)
2794 {
2795 p_dev_rec->sm4 |= BTM_SM4_CONN_PEND;
2796 }
2797 }
2798 }
2799
2800 /*******************************************************************************
2801 **
2802 ** Function btm_sec_bond_cancel_complete
2803 **
2804 ** Description This function is called to report bond cancel complete
2805 ** event.
2806 **
2807 ** Returns void
2808 **
2809 *******************************************************************************/
btm_sec_bond_cancel_complete(void)2810 static void btm_sec_bond_cancel_complete (void)
2811 {
2812 tBTM_SEC_DEV_REC *p_dev_rec;
2813
2814 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE) ||
2815 (BTM_PAIR_STATE_WAIT_LOCAL_PIN == btm_cb.pairing_state &&
2816 BTM_PAIR_FLAGS_WE_STARTED_DD & btm_cb.pairing_flags) ||
2817 (btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME &&
2818 BTM_PAIR_FLAGS_WE_CANCEL_DD & btm_cb.pairing_flags))
2819 {
2820 /* for dedicated bonding in legacy mode, authentication happens at "link level"
2821 * btm_sec_connected is called with failed status.
2822 * In theory, the code that handles is_pairing_device/TRUE should clean out security related code.
2823 * However, this function may clean out the security related flags and btm_sec_connected would not know
2824 * this function also needs to do proper clean up.
2825 */
2826 if ((p_dev_rec = btm_find_dev (btm_cb.pairing_bda)) != NULL)
2827 p_dev_rec->security_required = BTM_SEC_NONE;
2828 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
2829
2830 /* Notify application that the cancel succeeded */
2831 if (btm_cb.api.p_bond_cancel_cmpl_callback)
2832 btm_cb.api.p_bond_cancel_cmpl_callback(BTM_SUCCESS);
2833 }
2834 }
2835
2836 /*******************************************************************************
2837 **
2838 ** Function btm_create_conn_cancel_complete
2839 **
2840 ** Description This function is called when the command complete message
2841 ** is received from the HCI for the create connection cancel
2842 ** command.
2843 **
2844 ** Returns void
2845 **
2846 *******************************************************************************/
btm_create_conn_cancel_complete(UINT8 * p)2847 void btm_create_conn_cancel_complete (UINT8 *p)
2848 {
2849 UINT8 status;
2850
2851 STREAM_TO_UINT8 (status, p);
2852 BTM_TRACE_EVENT ("btm_create_conn_cancel_complete(): in State: %s status:%d",
2853 btm_pair_state_descr(btm_cb.pairing_state), status);
2854
2855 /* if the create conn cancel cmd was issued by the bond cancel,
2856 ** the application needs to be notified that bond cancel succeeded
2857 */
2858 switch (status)
2859 {
2860 case HCI_SUCCESS:
2861 btm_sec_bond_cancel_complete();
2862 break;
2863 case HCI_ERR_CONNECTION_EXISTS:
2864 case HCI_ERR_NO_CONNECTION:
2865 default:
2866 /* Notify application of the error */
2867 if (btm_cb.api.p_bond_cancel_cmpl_callback)
2868 btm_cb.api.p_bond_cancel_cmpl_callback(BTM_ERR_PROCESSING);
2869 break;
2870 }
2871 }
2872
2873 /*******************************************************************************
2874 **
2875 ** Function btm_sec_check_pending_reqs
2876 **
2877 ** Description This function is called at the end of the security procedure
2878 ** to let L2CAP and RFCOMM know to re-submit any pending requests
2879 **
2880 ** Returns void
2881 **
2882 *******************************************************************************/
btm_sec_check_pending_reqs(void)2883 void btm_sec_check_pending_reqs (void)
2884 {
2885 tBTM_SEC_QUEUE_ENTRY *p_e;
2886 BUFFER_Q bq;
2887
2888 if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
2889 {
2890 /* First, resubmit L2CAP requests */
2891 if (btm_cb.sec_req_pending)
2892 {
2893 btm_cb.sec_req_pending = FALSE;
2894 l2cu_resubmit_pending_sec_req (NULL);
2895 }
2896
2897 /* Now, re-submit anything in the mux queue */
2898 bq = btm_cb.sec_pending_q;
2899
2900 GKI_init_q (&btm_cb.sec_pending_q);
2901
2902 while ((p_e = (tBTM_SEC_QUEUE_ENTRY *)GKI_dequeue (&bq)) != NULL)
2903 {
2904 /* Check that the ACL is still up before starting security procedures */
2905 if (btm_bda_to_acl(p_e->bd_addr, p_e->transport) != NULL)
2906 {
2907 if (p_e->psm != 0)
2908 {
2909 BTM_TRACE_EVENT("%s PSM:0x%04x Is_Orig:%u mx_proto_id:%u mx_chan_id:%u",
2910 __FUNCTION__, p_e->psm, p_e->is_orig,
2911 p_e->mx_proto_id, p_e->mx_chan_id);
2912
2913 btm_sec_mx_access_request (p_e->bd_addr, p_e->psm, p_e->is_orig,
2914 p_e->mx_proto_id, p_e->mx_chan_id,
2915 p_e->p_callback, p_e->p_ref_data);
2916 }
2917 else
2918 {
2919 BTM_SetEncryption(p_e->bd_addr, p_e->transport, p_e->p_callback,
2920 p_e->p_ref_data);
2921 }
2922 }
2923
2924 GKI_freebuf (p_e);
2925 }
2926 }
2927 }
2928
2929 /*******************************************************************************
2930 **
2931 ** Function btm_sec_init
2932 **
2933 ** Description This function is on the SEC startup
2934 **
2935 ** Returns void
2936 **
2937 *******************************************************************************/
btm_sec_init(UINT8 sec_mode)2938 void btm_sec_init (UINT8 sec_mode)
2939 {
2940 btm_cb.security_mode = sec_mode;
2941 memset (btm_cb.pairing_bda, 0xff, BD_ADDR_LEN);
2942 btm_cb.max_collision_delay = BTM_SEC_MAX_COLLISION_DELAY;
2943 }
2944
2945 /*******************************************************************************
2946 **
2947 ** Function btm_sec_device_down
2948 **
2949 ** Description This function should be called when device is disabled or
2950 ** turned off
2951 **
2952 ** Returns void
2953 **
2954 *******************************************************************************/
btm_sec_device_down(void)2955 void btm_sec_device_down (void)
2956 {
2957 BTM_TRACE_EVENT ("%s() State: %s", __func__, btm_pair_state_descr(btm_cb.pairing_state));
2958 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
2959 }
2960
2961 /*******************************************************************************
2962 **
2963 ** Function btm_sec_dev_reset
2964 **
2965 ** Description This function should be called after device reset
2966 **
2967 ** Returns void
2968 **
2969 *******************************************************************************/
btm_sec_dev_reset(void)2970 void btm_sec_dev_reset (void)
2971 {
2972 if (controller_get_interface()->supports_simple_pairing())
2973 {
2974 /* set the default IO capabilities */
2975 btm_cb.devcb.loc_io_caps = BTM_LOCAL_IO_CAPS;
2976 /* add mx service to use no security */
2977 BTM_SetSecurityLevel(FALSE, "RFC_MUX", BTM_SEC_SERVICE_RFC_MUX,
2978 BTM_SEC_NONE, BT_PSM_RFCOMM, BTM_SEC_PROTO_RFCOMM, 0);
2979 }
2980 else
2981 {
2982 btm_cb.security_mode = BTM_SEC_MODE_SERVICE;
2983 }
2984
2985 BTM_TRACE_DEBUG ("btm_sec_dev_reset sec mode: %d", btm_cb.security_mode);
2986 }
2987
2988 /*******************************************************************************
2989 **
2990 ** Function btm_sec_abort_access_req
2991 **
2992 ** Description This function is called by the L2CAP or RFCOMM to abort
2993 ** the pending operation.
2994 **
2995 ** Parameters: bd_addr - Address of the peer device
2996 **
2997 ** Returns void
2998 **
2999 *******************************************************************************/
btm_sec_abort_access_req(BD_ADDR bd_addr)3000 void btm_sec_abort_access_req (BD_ADDR bd_addr)
3001 {
3002 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr);
3003
3004 if (!p_dev_rec)
3005 return;
3006
3007 if ((p_dev_rec->sec_state != BTM_SEC_STATE_AUTHORIZING)
3008 && (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING))
3009 return;
3010
3011 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
3012 p_dev_rec->p_callback = NULL;
3013 }
3014
3015 /*******************************************************************************
3016 **
3017 ** Function btm_sec_dd_create_conn
3018 **
3019 ** Description This function is called to create the ACL connection for
3020 ** the dedicated boding process
3021 **
3022 ** Returns void
3023 **
3024 *******************************************************************************/
btm_sec_dd_create_conn(tBTM_SEC_DEV_REC * p_dev_rec)3025 static tBTM_STATUS btm_sec_dd_create_conn (tBTM_SEC_DEV_REC *p_dev_rec)
3026 {
3027 tL2C_LCB *p_lcb = l2cu_find_lcb_by_bd_addr(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR);
3028 if (p_lcb && (p_lcb->link_state == LST_CONNECTED || p_lcb->link_state == LST_CONNECTING))
3029 {
3030 BTM_TRACE_WARNING("%s Connection already exists", __func__);
3031 return BTM_CMD_STARTED;
3032 }
3033
3034 /* Make sure an L2cap link control block is available */
3035 if (!p_lcb && (p_lcb = l2cu_allocate_lcb (p_dev_rec->bd_addr, TRUE, BT_TRANSPORT_BR_EDR)) == NULL)
3036 {
3037 BTM_TRACE_WARNING ("Security Manager: failed allocate LCB [%02x%02x%02x%02x%02x%02x]",
3038 p_dev_rec->bd_addr[0], p_dev_rec->bd_addr[1], p_dev_rec->bd_addr[2],
3039 p_dev_rec->bd_addr[3], p_dev_rec->bd_addr[4], p_dev_rec->bd_addr[5]);
3040
3041 return(BTM_NO_RESOURCES);
3042 }
3043
3044 /* set up the control block to indicated dedicated bonding */
3045 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_DISC_WHEN_DONE;
3046
3047 if (l2cu_create_conn(p_lcb, BT_TRANSPORT_BR_EDR) == FALSE)
3048 {
3049 BTM_TRACE_WARNING ("Security Manager: failed create [%02x%02x%02x%02x%02x%02x]",
3050 p_dev_rec->bd_addr[0], p_dev_rec->bd_addr[1], p_dev_rec->bd_addr[2],
3051 p_dev_rec->bd_addr[3], p_dev_rec->bd_addr[4], p_dev_rec->bd_addr[5]);
3052
3053 l2cu_release_lcb(p_lcb);
3054 return(BTM_NO_RESOURCES);
3055 }
3056
3057 btm_acl_update_busy_level (BTM_BLI_PAGE_EVT);
3058
3059 BTM_TRACE_DEBUG ("Security Manager: btm_sec_dd_create_conn [%02x%02x%02x%02x%02x%02x]",
3060 p_dev_rec->bd_addr[0], p_dev_rec->bd_addr[1], p_dev_rec->bd_addr[2],
3061 p_dev_rec->bd_addr[3], p_dev_rec->bd_addr[4], p_dev_rec->bd_addr[5]);
3062
3063 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
3064
3065 return(BTM_CMD_STARTED);
3066 }
3067
3068 /*******************************************************************************
3069 **
3070 ** Function btm_sec_rmt_name_request_complete
3071 **
3072 ** Description This function is called when remote name was obtained from
3073 ** the peer device
3074 **
3075 ** Returns void
3076 **
3077 *******************************************************************************/
btm_sec_rmt_name_request_complete(UINT8 * p_bd_addr,UINT8 * p_bd_name,UINT8 status)3078 void btm_sec_rmt_name_request_complete (UINT8 *p_bd_addr, UINT8 *p_bd_name, UINT8 status)
3079 {
3080 tBTM_SEC_DEV_REC *p_dev_rec;
3081 int i;
3082 DEV_CLASS dev_class;
3083 UINT8 old_sec_state;
3084
3085 BTM_TRACE_EVENT ("btm_sec_rmt_name_request_complete");
3086 if (((p_bd_addr == NULL) && !BTM_ACL_IS_CONNECTED(btm_cb.connecting_bda))
3087 || ((p_bd_addr != NULL) && !BTM_ACL_IS_CONNECTED(p_bd_addr)))
3088 {
3089 btm_acl_resubmit_page();
3090 }
3091
3092 /* If remote name request failed, p_bd_addr is null and we need to search */
3093 /* based on state assuming that we are doing 1 at a time */
3094 if (p_bd_addr)
3095 p_dev_rec = btm_find_dev (p_bd_addr);
3096 else
3097 {
3098 p_dev_rec = &btm_cb.sec_dev_rec[0];
3099
3100 for (i = 0; i < BTM_SEC_MAX_DEVICE_RECORDS; i++, p_dev_rec++)
3101 {
3102 if ((p_dev_rec->sec_flags & BTM_SEC_IN_USE)
3103 && (p_dev_rec->sec_state == BTM_SEC_STATE_GETTING_NAME))
3104 {
3105 p_bd_addr = p_dev_rec->bd_addr;
3106 break;
3107 }
3108 }
3109
3110 if (i == BTM_SEC_MAX_DEVICE_RECORDS)
3111 p_dev_rec = NULL;
3112 }
3113
3114
3115 /* Commenting out trace due to obf/compilation problems.
3116 */
3117 #if (BT_USE_TRACES == TRUE)
3118 if (!p_bd_name)
3119 p_bd_name = (UINT8 *)"";
3120
3121 if (p_dev_rec)
3122 {
3123 BTM_TRACE_EVENT ("Security Manager: rmt_name_complete PairState: %s RemName: %s status: %d State:%d p_dev_rec: 0x%08x ",
3124 btm_pair_state_descr (btm_cb.pairing_state), p_bd_name,
3125 status, p_dev_rec->sec_state, p_dev_rec);
3126 }
3127 else
3128 {
3129 BTM_TRACE_EVENT ("Security Manager: rmt_name_complete PairState: %s RemName: %s status: %d",
3130 btm_pair_state_descr (btm_cb.pairing_state), p_bd_name,
3131 status);
3132 }
3133 #endif
3134
3135 if (p_dev_rec)
3136 {
3137 old_sec_state = p_dev_rec->sec_state;
3138 if (status == HCI_SUCCESS)
3139 {
3140 BCM_STRNCPY_S ((char *)p_dev_rec->sec_bd_name, sizeof (p_dev_rec->sec_bd_name), (char *)p_bd_name, BTM_MAX_REM_BD_NAME_LEN);
3141 p_dev_rec->sec_flags |= BTM_SEC_NAME_KNOWN;
3142 BTM_TRACE_EVENT ("setting BTM_SEC_NAME_KNOWN sec_flags:0x%x", p_dev_rec->sec_flags);
3143 }
3144 else
3145 {
3146 /* Notify all clients waiting for name to be resolved even if it failed so clients can continue */
3147 p_dev_rec->sec_bd_name[0] = 0;
3148 }
3149
3150 if (p_dev_rec->sec_state == BTM_SEC_STATE_GETTING_NAME)
3151 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
3152
3153 /* Notify all clients waiting for name to be resolved */
3154 for (i = 0;i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
3155 {
3156 if (btm_cb.p_rmt_name_callback[i] && p_bd_addr)
3157 (*btm_cb.p_rmt_name_callback[i])(p_bd_addr, p_dev_rec->dev_class,
3158 p_dev_rec->sec_bd_name);
3159 }
3160 }
3161 else
3162 {
3163 dev_class[0] = 0;
3164 dev_class[1] = 0;
3165 dev_class[2] = 0;
3166
3167 /* Notify all clients waiting for name to be resolved even if not found so clients can continue */
3168 for (i = 0;i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
3169 {
3170 if (btm_cb.p_rmt_name_callback[i] && p_bd_addr)
3171 (*btm_cb.p_rmt_name_callback[i])(p_bd_addr, dev_class, (UINT8 *)"");
3172 }
3173
3174 return;
3175 }
3176
3177 /* If we were delaying asking UI for a PIN because name was not resolved, ask now */
3178 if ( (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_LOCAL_PIN) && p_bd_addr
3179 && (memcmp (btm_cb.pairing_bda, p_bd_addr, BD_ADDR_LEN) == 0) )
3180 {
3181 BTM_TRACE_EVENT ("btm_sec_rmt_name_request_complete() delayed pin now being requested flags:0x%x, (p_pin_callback=0x%p)", btm_cb.pairing_flags, btm_cb.api.p_pin_callback);
3182
3183 if (((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) == 0) &&
3184 ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PIN_REQD) == 0) &&
3185 btm_cb.api.p_pin_callback)
3186 {
3187 BTM_TRACE_EVENT ("btm_sec_rmt_name_request_complete() calling pin_callback");
3188 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
3189 (*btm_cb.api.p_pin_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class, p_bd_name,
3190 (p_dev_rec->p_cur_service==NULL) ? FALSE
3191 : (p_dev_rec->p_cur_service->security_flags & BTM_SEC_IN_MIN_16_DIGIT_PIN));
3192 }
3193
3194 /* Set the same state again to force the timer to be restarted */
3195 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_PIN);
3196 return;
3197 }
3198
3199 /* Check if we were delaying bonding because name was not resolved */
3200 if ( btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME)
3201 {
3202 if (p_bd_addr && memcmp (btm_cb.pairing_bda, p_bd_addr, BD_ADDR_LEN) == 0)
3203 {
3204 BTM_TRACE_EVENT ("btm_sec_rmt_name_request_complete() continue bonding sm4: 0x%04x, status:0x%x", p_dev_rec->sm4, status);
3205 if(btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_CANCEL_DD)
3206 {
3207 btm_sec_bond_cancel_complete();
3208 return;
3209 }
3210
3211 if (status != HCI_SUCCESS)
3212 {
3213 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
3214
3215 if (btm_cb.api.p_auth_complete_callback)
3216 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
3217 p_dev_rec->sec_bd_name, status);
3218 return;
3219 }
3220
3221 /* if peer is very old legacy devices, HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT is not reported */
3222 if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4))
3223 {
3224 /* set the KNOWN flag only if BTM_PAIR_FLAGS_REJECTED_CONNECT is not set.*/
3225 /* If it is set, there may be a race condition */
3226 BTM_TRACE_DEBUG ("btm_sec_rmt_name_request_complete IS_SM4_UNKNOWN Flags:0x%04x",
3227 btm_cb.pairing_flags);
3228 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT) == 0)
3229 {
3230 p_dev_rec->sm4 |= BTM_SM4_KNOWN;
3231 }
3232 }
3233
3234 BTM_TRACE_DEBUG("%s, SM4 Value: %x, Legacy:%d,IS SM4:%d, Unknown:%d",__FUNCTION__,
3235 p_dev_rec->sm4, BTM_SEC_IS_SM4_LEGACY(p_dev_rec->sm4),
3236 BTM_SEC_IS_SM4(p_dev_rec->sm4),BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4));
3237
3238 /* BT 2.1 or carkit, bring up the connection to force the peer to request PIN.
3239 ** Else prefetch (btm_sec_check_prefetch_pin will do the prefetching if needed)
3240 */
3241 if ((p_dev_rec->sm4 != BTM_SM4_KNOWN) || !btm_sec_check_prefetch_pin(p_dev_rec))
3242 {
3243 /* if we rejected incoming connection request, we have to wait HCI_Connection_Complete event */
3244 /* before originating */
3245 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT)
3246 {
3247 BTM_TRACE_WARNING ("btm_sec_rmt_name_request_complete: waiting HCI_Connection_Complete after rejecting connection");
3248 }
3249 /* Both we and the peer are 2.1 - continue to create connection */
3250 else if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED)
3251 {
3252 BTM_TRACE_WARNING ("btm_sec_rmt_name_request_complete: failed to start connection");
3253
3254 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
3255
3256 if (btm_cb.api.p_auth_complete_callback)
3257 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
3258 p_dev_rec->sec_bd_name, HCI_ERR_MEMORY_FULL);
3259 }
3260 }
3261 return;
3262 }
3263 else
3264 {
3265 BTM_TRACE_WARNING ("btm_sec_rmt_name_request_complete: wrong BDA, retry with pairing BDA");
3266
3267 BTM_ReadRemoteDeviceName (btm_cb.pairing_bda, NULL, BT_TRANSPORT_BR_EDR);
3268 return;
3269 }
3270 }
3271
3272 /* check if we were delaying link_key_callback because name was not resolved */
3273 if (p_dev_rec->link_key_not_sent)
3274 {
3275 /* If HCI connection complete has not arrived, wait for it */
3276 if (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE)
3277 return;
3278
3279 p_dev_rec->link_key_not_sent = FALSE;
3280 btm_send_link_key_notif(p_dev_rec);
3281
3282 /* If its not us who perform authentication, we should tell stackserver */
3283 /* that some authentication has been completed */
3284 /* This is required when different entities receive link notification and auth complete */
3285 if (!(p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE))
3286 {
3287 if (btm_cb.api.p_auth_complete_callback)
3288 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
3289 p_dev_rec->dev_class,
3290 p_dev_rec->sec_bd_name, HCI_SUCCESS);
3291
3292 }
3293 }
3294
3295 /* If this is a bonding procedure can disconnect the link now */
3296 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
3297 && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))
3298 {
3299 BTM_TRACE_WARNING ("btm_sec_rmt_name_request_complete (none/ce)");
3300 p_dev_rec->security_required &= ~(BTM_SEC_OUT_AUTHENTICATE);
3301 l2cu_start_post_bond_timer(p_dev_rec->hci_handle);
3302 return;
3303 }
3304
3305 if (old_sec_state != BTM_SEC_STATE_GETTING_NAME)
3306 return;
3307
3308 /* If get name failed, notify the waiting layer */
3309 if (status != HCI_SUCCESS)
3310 {
3311 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING, FALSE);
3312 return;
3313 }
3314
3315 if (p_dev_rec->sm4 & BTM_SM4_REQ_PEND)
3316 {
3317 BTM_TRACE_EVENT ("waiting for remote features!!");
3318 return;
3319 }
3320
3321 /* Remote Name succeeded, execute the next security procedure, if any */
3322 status = (UINT8)btm_sec_execute_procedure (p_dev_rec);
3323
3324 /* If result is pending reply from the user or from the device is pending */
3325 if (status == BTM_CMD_STARTED)
3326 return;
3327
3328 /* There is no next procedure or start of procedure failed, notify the waiting layer */
3329 btm_sec_dev_rec_cback_event (p_dev_rec, status, FALSE);
3330 }
3331
3332 /*******************************************************************************
3333 **
3334 ** Function btm_sec_rmt_host_support_feat_evt
3335 **
3336 ** Description This function is called when the
3337 ** HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT is received
3338 **
3339 ** Returns void
3340 **
3341 *******************************************************************************/
btm_sec_rmt_host_support_feat_evt(UINT8 * p)3342 void btm_sec_rmt_host_support_feat_evt (UINT8 *p)
3343 {
3344 tBTM_SEC_DEV_REC *p_dev_rec;
3345 BD_ADDR bd_addr; /* peer address */
3346 BD_FEATURES features;
3347
3348 STREAM_TO_BDADDR (bd_addr, p);
3349 p_dev_rec = btm_find_or_alloc_dev (bd_addr);
3350
3351 BTM_TRACE_EVENT ("btm_sec_rmt_host_support_feat_evt sm4: 0x%x p[0]: 0x%x", p_dev_rec->sm4, p[0]);
3352
3353 if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4))
3354 {
3355 p_dev_rec->sm4 = BTM_SM4_KNOWN;
3356 STREAM_TO_ARRAY(features, p, HCI_FEATURE_BYTES_PER_PAGE);
3357 if (HCI_SSP_HOST_SUPPORTED(features))
3358 {
3359 p_dev_rec->sm4 = BTM_SM4_TRUE;
3360 }
3361 BTM_TRACE_EVENT ("btm_sec_rmt_host_support_feat_evt sm4: 0x%x features[0]: 0x%x", p_dev_rec->sm4, features[0]);
3362 }
3363 }
3364
3365 /*******************************************************************************
3366 **
3367 ** Function btm_io_capabilities_req
3368 **
3369 ** Description This function is called when LM request for the IO
3370 ** capability of the local device and
3371 ** if the OOB data is present for the device in the event
3372 **
3373 ** Returns void
3374 **
3375 *******************************************************************************/
btm_io_capabilities_req(UINT8 * p)3376 void btm_io_capabilities_req (UINT8 *p)
3377 {
3378 tBTM_SP_IO_REQ evt_data;
3379 UINT8 err_code = 0;
3380 tBTM_SEC_DEV_REC *p_dev_rec;
3381 BOOLEAN is_orig = TRUE;
3382 UINT8 callback_rc = BTM_SUCCESS;
3383
3384 STREAM_TO_BDADDR (evt_data.bd_addr, p);
3385
3386 /* setup the default response according to compile options */
3387 /* assume that the local IO capability does not change
3388 * loc_io_caps is initialized with the default value */
3389 evt_data.io_cap = btm_cb.devcb.loc_io_caps;
3390 evt_data.oob_data = BTM_OOB_NONE;
3391 evt_data.auth_req = BTM_DEFAULT_AUTH_REQ;
3392
3393 BTM_TRACE_EVENT("%s: State: %s", __FUNCTION__, btm_pair_state_descr(btm_cb.pairing_state));
3394
3395 p_dev_rec = btm_find_or_alloc_dev (evt_data.bd_addr);
3396
3397 BTM_TRACE_DEBUG("%s:Security mode: %d, Num Read Remote Feat pages: %d", __FUNCTION__,
3398 btm_cb.security_mode, p_dev_rec->num_read_pages);
3399
3400 if ((btm_cb.security_mode == BTM_SEC_MODE_SC) && (p_dev_rec->num_read_pages == 0))
3401 {
3402 BTM_TRACE_EVENT("%s: Device security mode is SC only.",
3403 "To continue need to know remote features.", __FUNCTION__);
3404
3405 p_dev_rec->remote_features_needed = TRUE;
3406 return;
3407 }
3408
3409 p_dev_rec->sm4 |= BTM_SM4_TRUE;
3410
3411 BTM_TRACE_EVENT("%s: State: %s Flags: 0x%04x p_cur_service: 0x%08x",
3412 __FUNCTION__, btm_pair_state_descr(btm_cb.pairing_state),
3413 btm_cb.pairing_flags, p_dev_rec->p_cur_service);
3414
3415 if (p_dev_rec->p_cur_service)
3416 {
3417 BTM_TRACE_EVENT("%s: cur_service psm: 0x%04x, security_flags: 0x%04x",
3418 __FUNCTION__, p_dev_rec->p_cur_service->psm,
3419 p_dev_rec->p_cur_service->security_flags);
3420 }
3421
3422 switch (btm_cb.pairing_state)
3423 {
3424 /* initiator connecting */
3425 case BTM_PAIR_STATE_IDLE:
3426 //TODO: Handle Idle pairing state
3427 //security_required = p_dev_rec->security_required;
3428 break;
3429
3430 /* received IO capability response already->acceptor */
3431 case BTM_PAIR_STATE_INCOMING_SSP:
3432 is_orig = FALSE;
3433
3434 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_PEER_STARTED_DD)
3435 {
3436 /* acceptor in dedicated bonding */
3437 evt_data.auth_req = BTM_DEFAULT_DD_AUTH_REQ;
3438 }
3439 break;
3440
3441 /* initiator, at this point it is expected to be dedicated bonding
3442 initiated by local device */
3443 case BTM_PAIR_STATE_WAIT_PIN_REQ:
3444 if (!memcmp (evt_data.bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN))
3445 {
3446 evt_data.auth_req = BTM_DEFAULT_DD_AUTH_REQ;
3447 }
3448 else
3449 {
3450 err_code = HCI_ERR_HOST_BUSY_PAIRING;
3451 }
3452 break;
3453
3454 /* any other state is unexpected */
3455 default:
3456 err_code = HCI_ERR_HOST_BUSY_PAIRING;
3457 BTM_TRACE_ERROR("%s: Unexpected Pairing state received %d", __FUNCTION__,
3458 btm_cb.pairing_state);
3459 break;
3460 }
3461
3462 if (btm_cb.pairing_disabled)
3463 {
3464 /* pairing is not allowed */
3465 BTM_TRACE_DEBUG("%s: Pairing is not allowed -> fail pairing.", __FUNCTION__);
3466 err_code = HCI_ERR_PAIRING_NOT_ALLOWED;
3467 }
3468 else if (btm_cb.security_mode == BTM_SEC_MODE_SC)
3469 {
3470 BOOLEAN local_supports_sc = controller_get_interface()->supports_secure_connections();
3471 /* device in Secure Connections Only mode */
3472 if (!(local_supports_sc) || !(p_dev_rec->remote_supports_secure_connections))
3473 {
3474 BTM_TRACE_DEBUG("%s: SC only service, local_support_for_sc %d,",
3475 " remote_support_for_sc 0x%02x -> fail pairing", __FUNCTION__,
3476 local_supports_sc, p_dev_rec->remote_supports_secure_connections);
3477
3478 err_code = HCI_ERR_PAIRING_NOT_ALLOWED;
3479 }
3480 }
3481
3482 if (err_code != 0)
3483 {
3484 /* coverity[uninit_use_in_call]
3485 Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp"
3486 False-positive: evt_data.bd_addr is set at the beginning with: STREAM_TO_BDADDR (evt_data.bd_addr, p);
3487 */
3488 btsnd_hcic_io_cap_req_neg_reply(evt_data.bd_addr, err_code);
3489 return;
3490 }
3491
3492 evt_data.is_orig = is_orig;
3493
3494 if (is_orig)
3495 {
3496 /* local device initiated the pairing non-bonding -> use p_cur_service */
3497 if (!(btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) &&
3498 p_dev_rec->p_cur_service &&
3499 (p_dev_rec->p_cur_service->security_flags & BTM_SEC_OUT_AUTHENTICATE))
3500 {
3501 if (btm_cb.security_mode == BTM_SEC_MODE_SC)
3502 {
3503 /* SC only mode device requires MITM protection */
3504 evt_data.auth_req = BTM_AUTH_SP_YES;
3505 }
3506 else
3507 {
3508 evt_data.auth_req = (p_dev_rec->p_cur_service->security_flags &
3509 BTM_SEC_OUT_MITM)? BTM_AUTH_SP_YES : BTM_AUTH_SP_NO;
3510 }
3511 }
3512 }
3513
3514 /* Notify L2CAP to increase timeout */
3515 l2c_pin_code_request (evt_data.bd_addr);
3516
3517 memcpy (btm_cb.pairing_bda, evt_data.bd_addr, BD_ADDR_LEN);
3518
3519 /* coverity[uninit_use_in_call]
3520 Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp"
3521 False-positive: False-positive: evt_data.bd_addr is set at the beginning with: STREAM_TO_BDADDR (evt_data.bd_addr, p);
3522 */
3523 if (!memcmp (evt_data.bd_addr, btm_cb.connecting_bda, BD_ADDR_LEN))
3524 memcpy (p_dev_rec->dev_class, btm_cb.connecting_dc, DEV_CLASS_LEN);
3525
3526 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS);
3527
3528 callback_rc = BTM_SUCCESS;
3529 if (p_dev_rec->sm4 & BTM_SM4_UPGRADE)
3530 {
3531 p_dev_rec->sm4 &= ~BTM_SM4_UPGRADE;
3532
3533 /* link key upgrade: always use SPGB_YES - assuming we want to save the link key */
3534 evt_data.auth_req = BTM_AUTH_SPGB_YES;
3535 }
3536 else if (btm_cb.api.p_sp_callback)
3537 {
3538 /* the callback function implementation may change the IO capability... */
3539 callback_rc = (*btm_cb.api.p_sp_callback) (BTM_SP_IO_REQ_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3540 }
3541
3542 #if BTM_OOB_INCLUDED == TRUE
3543 if ((callback_rc == BTM_SUCCESS) || (BTM_OOB_UNKNOWN != evt_data.oob_data))
3544 #else
3545 if (callback_rc == BTM_SUCCESS)
3546 #endif
3547 {
3548 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD))
3549 {
3550 evt_data.auth_req = (BTM_AUTH_DD_BOND | (evt_data.auth_req & BTM_AUTH_YN_BIT));
3551 }
3552
3553 if (btm_cb.security_mode == BTM_SEC_MODE_SC)
3554 {
3555 /* At this moment we know that both sides are SC capable, device in */
3556 /* SC only mode requires MITM for any service so let's set MITM bit */
3557 evt_data.auth_req |= BTM_AUTH_YN_BIT;
3558 BTM_TRACE_DEBUG("%s: for device in \"SC only\" mode set auth_req to 0x%02x",
3559 __FUNCTION__, evt_data.auth_req);
3560 }
3561
3562 /* if the user does not indicate "reply later" by setting the oob_data to unknown */
3563 /* send the response right now. Save the current IO capability in the control block */
3564 btm_cb.devcb.loc_auth_req = evt_data.auth_req;
3565 btm_cb.devcb.loc_io_caps = evt_data.io_cap;
3566
3567 BTM_TRACE_EVENT("%s: State: %s IO_CAP:%d oob_data:%d auth_req:%d",
3568 __FUNCTION__, btm_pair_state_descr(btm_cb.pairing_state), evt_data.io_cap,
3569 evt_data.oob_data, evt_data.auth_req);
3570
3571 btsnd_hcic_io_cap_req_reply(evt_data.bd_addr, evt_data.io_cap,
3572 evt_data.oob_data, evt_data.auth_req);
3573 }
3574 }
3575
3576 /*******************************************************************************
3577 **
3578 ** Function btm_io_capabilities_rsp
3579 **
3580 ** Description This function is called when the IO capability of the
3581 ** specified device is received
3582 **
3583 ** Returns void
3584 **
3585 *******************************************************************************/
btm_io_capabilities_rsp(UINT8 * p)3586 void btm_io_capabilities_rsp (UINT8 *p)
3587 {
3588 tBTM_SEC_DEV_REC *p_dev_rec;
3589 tBTM_SP_IO_RSP evt_data;
3590
3591 STREAM_TO_BDADDR (evt_data.bd_addr, p);
3592 STREAM_TO_UINT8 (evt_data.io_cap, p);
3593 STREAM_TO_UINT8 (evt_data.oob_data, p);
3594 STREAM_TO_UINT8 (evt_data.auth_req, p);
3595
3596 /* Allocate a new device record or reuse the oldest one */
3597 p_dev_rec = btm_find_or_alloc_dev (evt_data.bd_addr);
3598
3599 /* If no security is in progress, this indicates incoming security */
3600 if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
3601 {
3602 memcpy (btm_cb.pairing_bda, evt_data.bd_addr, BD_ADDR_LEN);
3603
3604 btm_sec_change_pairing_state (BTM_PAIR_STATE_INCOMING_SSP);
3605
3606 /* Make sure we reset the trusted mask to help against attacks */
3607 BTM_SEC_CLR_TRUSTED_DEVICE(p_dev_rec->trusted_mask);
3608
3609 /* work around for FW bug */
3610 btm_inq_stop_on_ssp();
3611 }
3612
3613 /* Notify L2CAP to increase timeout */
3614 l2c_pin_code_request (evt_data.bd_addr);
3615
3616 /* We must have a device record here.
3617 * Use the connecting device's CoD for the connection */
3618 /* coverity[uninit_use_in_call]
3619 Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp"
3620 FALSE-POSITIVE error from Coverity test-tool. evt_data.bd_addr is set at the beginning with: STREAM_TO_BDADDR (evt_data.bd_addr, p);
3621 */
3622 if (!memcmp (evt_data.bd_addr, btm_cb.connecting_bda, BD_ADDR_LEN))
3623 memcpy (p_dev_rec->dev_class, btm_cb.connecting_dc, DEV_CLASS_LEN);
3624
3625 /* peer sets dedicated bonding bit and we did not initiate dedicated bonding */
3626 if (btm_cb.pairing_state == BTM_PAIR_STATE_INCOMING_SSP /* peer initiated bonding */
3627 && (evt_data.auth_req & BTM_AUTH_DD_BOND) ) /* and dedicated bonding bit is set */
3628 {
3629 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PEER_STARTED_DD;
3630 }
3631
3632 /* save the IO capability in the device record */
3633 p_dev_rec->rmt_io_caps = evt_data.io_cap;
3634 p_dev_rec->rmt_auth_req = evt_data.auth_req;
3635
3636 if (btm_cb.api.p_sp_callback)
3637 (*btm_cb.api.p_sp_callback) (BTM_SP_IO_RSP_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3638 }
3639
3640 /*******************************************************************************
3641 **
3642 ** Function btm_proc_sp_req_evt
3643 **
3644 ** Description This function is called to process/report
3645 ** HCI_USER_CONFIRMATION_REQUEST_EVT
3646 ** or HCI_USER_PASSKEY_REQUEST_EVT
3647 ** or HCI_USER_PASSKEY_NOTIFY_EVT
3648 **
3649 ** Returns void
3650 **
3651 *******************************************************************************/
btm_proc_sp_req_evt(tBTM_SP_EVT event,UINT8 * p)3652 void btm_proc_sp_req_evt (tBTM_SP_EVT event, UINT8 *p)
3653 {
3654 tBTM_STATUS status = BTM_ERR_PROCESSING;
3655 tBTM_SP_EVT_DATA evt_data;
3656 UINT8 *p_bda = evt_data.cfm_req.bd_addr;
3657 tBTM_SEC_DEV_REC *p_dev_rec;
3658
3659 /* All events start with bd_addr */
3660 STREAM_TO_BDADDR (p_bda, p);
3661
3662 BTM_TRACE_EVENT ("btm_proc_sp_req_evt() BDA: %08x%04x event: 0x%x, State: %s",
3663 (p_bda[0]<<24) + (p_bda[1]<<16) + (p_bda[2]<<8) + p_bda[3], (p_bda[4] << 8) + p_bda[5],
3664 event, btm_pair_state_descr(btm_cb.pairing_state));
3665
3666 if ( ((p_dev_rec = btm_find_dev (p_bda)) != NULL)
3667 && (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
3668 && (memcmp (btm_cb.pairing_bda, p_bda, BD_ADDR_LEN) == 0) )
3669 {
3670 memcpy (evt_data.cfm_req.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
3671 memcpy (evt_data.cfm_req.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN);
3672
3673 BCM_STRNCPY_S ((char *)evt_data.cfm_req.bd_name, sizeof(evt_data.cfm_req.bd_name), (char *)p_dev_rec->sec_bd_name, BTM_MAX_REM_BD_NAME_LEN);
3674
3675 switch (event)
3676 {
3677 case BTM_SP_CFM_REQ_EVT:
3678 /* Numeric confirmation. Need user to conf the passkey */
3679 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM);
3680
3681 /* The device record must be allocated in the "IO cap exchange" step */
3682 STREAM_TO_UINT32 (evt_data.cfm_req.num_val, p);
3683
3684 evt_data.cfm_req.just_works = TRUE;
3685
3686 /* process user confirm req in association with the auth_req param */
3687 #if (BTM_LOCAL_IO_CAPS == BTM_IO_CAP_IO)
3688 if ( (p_dev_rec->rmt_io_caps == BTM_IO_CAP_IO)
3689 && (btm_cb.devcb.loc_io_caps == BTM_IO_CAP_IO)
3690 && ((p_dev_rec->rmt_auth_req & BTM_AUTH_SP_YES) || (btm_cb.devcb.loc_auth_req & BTM_AUTH_SP_YES)) )
3691 {
3692 /* Both devices are DisplayYesNo and one or both devices want to authenticate
3693 -> use authenticated link key */
3694 evt_data.cfm_req.just_works = FALSE;
3695 }
3696 #endif
3697 BTM_TRACE_DEBUG ("btm_proc_sp_req_evt() just_works:%d, io loc:%d, rmt:%d, auth loc:%d, rmt:%d",
3698 evt_data.cfm_req.just_works, btm_cb.devcb.loc_io_caps, p_dev_rec->rmt_io_caps,
3699 btm_cb.devcb.loc_auth_req, p_dev_rec->rmt_auth_req);
3700
3701 evt_data.cfm_req.loc_auth_req = btm_cb.devcb.loc_auth_req;
3702 evt_data.cfm_req.rmt_auth_req = p_dev_rec->rmt_auth_req;
3703 evt_data.cfm_req.loc_io_caps = btm_cb.devcb.loc_io_caps;
3704 evt_data.cfm_req.rmt_io_caps = p_dev_rec->rmt_io_caps;
3705 break;
3706
3707 case BTM_SP_KEY_NOTIF_EVT:
3708 /* Passkey notification (other side is a keyboard) */
3709 STREAM_TO_UINT32 (evt_data.key_notif.passkey, p);
3710
3711 BTM_TRACE_DEBUG ("BTM_SP_KEY_NOTIF_EVT: passkey: %u", evt_data.key_notif.passkey);
3712
3713 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
3714 break;
3715
3716 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
3717 case BTM_SP_KEY_REQ_EVT:
3718 /* HCI_USER_PASSKEY_REQUEST_EVT */
3719 btm_sec_change_pairing_state (BTM_PAIR_STATE_KEY_ENTRY);
3720 break;
3721 #endif
3722 }
3723
3724 if (btm_cb.api.p_sp_callback)
3725 {
3726 status = (*btm_cb.api.p_sp_callback) (event, (tBTM_SP_EVT_DATA *)&evt_data);
3727 if (status != BTM_NOT_AUTHORIZED)
3728 {
3729 return;
3730 }
3731 /* else BTM_NOT_AUTHORIZED means when the app wants to reject the req right now */
3732 }
3733 else if ( (event == BTM_SP_CFM_REQ_EVT) && (evt_data.cfm_req.just_works == TRUE) )
3734 {
3735 /* automatically reply with just works if no sp_cback */
3736 status = BTM_SUCCESS;
3737 }
3738
3739 if (event == BTM_SP_CFM_REQ_EVT)
3740 {
3741 BTM_TRACE_DEBUG ("calling BTM_ConfirmReqReply with status: %d", status);
3742 BTM_ConfirmReqReply (status, p_bda);
3743 }
3744 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
3745 else if (event == BTM_SP_KEY_REQ_EVT)
3746 {
3747 BTM_PasskeyReqReply(status, p_bda, 0);
3748 }
3749 #endif
3750 return;
3751 }
3752
3753 /* Something bad. we can only fail this connection */
3754 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
3755
3756 if (BTM_SP_CFM_REQ_EVT == event)
3757 {
3758 btsnd_hcic_user_conf_reply (p_bda, FALSE);
3759 }
3760 else if (BTM_SP_KEY_NOTIF_EVT == event)
3761 {
3762 /* do nothing -> it very unlikely to happen.
3763 This event is most likely to be received by a HID host when it first connects to a HID device.
3764 Usually the Host initiated the connection in this case.
3765 On Mobile platforms, if there's a security process happening,
3766 the host probably can not initiate another connection.
3767 BTW (PC) is another story. */
3768 if (NULL != (p_dev_rec = btm_find_dev (p_bda)) )
3769 {
3770 btm_sec_disconnect (p_dev_rec->hci_handle, HCI_ERR_AUTH_FAILURE);
3771 }
3772 }
3773 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
3774 else
3775 {
3776 btsnd_hcic_user_passkey_neg_reply(p_bda);
3777 }
3778 #endif
3779 }
3780
3781 /*******************************************************************************
3782 **
3783 ** Function btm_keypress_notif_evt
3784 **
3785 ** Description This function is called when a key press notification is
3786 ** received
3787 **
3788 ** Returns void
3789 **
3790 *******************************************************************************/
btm_keypress_notif_evt(UINT8 * p)3791 void btm_keypress_notif_evt (UINT8 *p)
3792 {
3793 tBTM_SP_KEYPRESS evt_data;
3794 UINT8 *p_bda;
3795
3796 /* parse & report BTM_SP_KEYPRESS_EVT */
3797 if (btm_cb.api.p_sp_callback)
3798 {
3799 p_bda = evt_data.bd_addr;
3800
3801 STREAM_TO_BDADDR (p_bda, p);
3802 evt_data.notif_type = *p;
3803
3804 (*btm_cb.api.p_sp_callback) (BTM_SP_KEYPRESS_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3805 }
3806 }
3807
3808 /*******************************************************************************
3809 **
3810 ** Function btm_simple_pair_complete
3811 **
3812 ** Description This function is called when simple pairing process is
3813 ** complete
3814 **
3815 ** Returns void
3816 **
3817 *******************************************************************************/
btm_simple_pair_complete(UINT8 * p)3818 void btm_simple_pair_complete (UINT8 *p)
3819 {
3820 tBTM_SP_COMPLT evt_data;
3821 tBTM_SEC_DEV_REC *p_dev_rec;
3822 UINT8 status;
3823 BOOLEAN disc = FALSE;
3824
3825 status = *p++;
3826 STREAM_TO_BDADDR (evt_data.bd_addr, p);
3827
3828 if ((p_dev_rec = btm_find_dev (evt_data.bd_addr)) == NULL)
3829 {
3830 BTM_TRACE_ERROR ("btm_simple_pair_complete() with unknown BDA: %08x%04x",
3831 (evt_data.bd_addr[0]<<24) + (evt_data.bd_addr[1]<<16) + (evt_data.bd_addr[2]<<8) + evt_data.bd_addr[3],
3832 (evt_data.bd_addr[4] << 8) + evt_data.bd_addr[5]);
3833 return;
3834 }
3835
3836 BTM_TRACE_EVENT ("btm_simple_pair_complete() Pair State: %s Status:%d sec_state: %u",
3837 btm_pair_state_descr(btm_cb.pairing_state), status, p_dev_rec->sec_state);
3838
3839 evt_data.status = BTM_ERR_PROCESSING;
3840 if (status == HCI_SUCCESS)
3841 {
3842 evt_data.status = BTM_SUCCESS;
3843 p_dev_rec->sec_flags |= BTM_SEC_AUTHENTICATED;
3844 }
3845 else
3846 {
3847 if (status == HCI_ERR_PAIRING_NOT_ALLOWED)
3848 {
3849 /* The test spec wants the peer device to get this failure code. */
3850 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_DISCONNECT);
3851
3852 /* Change the timer to 1 second */
3853 btu_start_timer (&btm_cb.pairing_tle, BTU_TTYPE_USER_FUNC, BT_1SEC_TIMEOUT);
3854 }
3855 else if (memcmp (btm_cb.pairing_bda, evt_data.bd_addr, BD_ADDR_LEN) == 0)
3856 {
3857 /* stop the timer */
3858 btu_stop_timer (&btm_cb.pairing_tle);
3859
3860 if (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING)
3861 {
3862 /* the initiating side: will receive auth complete event. disconnect ACL at that time */
3863 disc = TRUE;
3864 }
3865 }
3866 else
3867 disc = TRUE;
3868 }
3869
3870 /* Let the pairing state stay active, p_auth_complete_callback will report the failure */
3871 memcpy (evt_data.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
3872 memcpy (evt_data.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN);
3873
3874 if (btm_cb.api.p_sp_callback)
3875 (*btm_cb.api.p_sp_callback) (BTM_SP_COMPLT_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3876
3877 if (disc)
3878 {
3879 /* simple pairing failed */
3880 /* Avoid sending disconnect on HCI_ERR_PEER_USER */
3881 if ((status != HCI_ERR_PEER_USER) && (status != HCI_ERR_CONN_CAUSE_LOCAL_HOST))
3882 {
3883 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE, p_dev_rec->hci_handle);
3884 }
3885 }
3886 }
3887
3888 #if BTM_OOB_INCLUDED == TRUE
3889 /*******************************************************************************
3890 **
3891 ** Function btm_rem_oob_req
3892 **
3893 ** Description This function is called to process/report
3894 ** HCI_REMOTE_OOB_DATA_REQUEST_EVT
3895 **
3896 ** Returns void
3897 **
3898 *******************************************************************************/
btm_rem_oob_req(UINT8 * p)3899 void btm_rem_oob_req (UINT8 *p)
3900 {
3901 UINT8 *p_bda;
3902 tBTM_SP_RMT_OOB evt_data;
3903 tBTM_SEC_DEV_REC *p_dev_rec;
3904 BT_OCTET16 c;
3905 BT_OCTET16 r;
3906
3907 p_bda = evt_data.bd_addr;
3908
3909 STREAM_TO_BDADDR (p_bda, p);
3910
3911 BTM_TRACE_EVENT ("btm_rem_oob_req() BDA: %02x:%02x:%02x:%02x:%02x:%02x",
3912 p_bda[0], p_bda[1], p_bda[2], p_bda[3], p_bda[4], p_bda[5]);
3913
3914 if ( (NULL != (p_dev_rec = btm_find_dev (p_bda))) &&
3915 btm_cb.api.p_sp_callback)
3916 {
3917 memcpy (evt_data.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
3918 memcpy (evt_data.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN);
3919 BCM_STRNCPY_S((char *)evt_data.bd_name, sizeof(evt_data.bd_name), (char *)p_dev_rec->sec_bd_name, BTM_MAX_REM_BD_NAME_LEN+1);
3920 evt_data.bd_name[BTM_MAX_REM_BD_NAME_LEN] = 0;
3921
3922 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP);
3923 if ((*btm_cb.api.p_sp_callback) (BTM_SP_RMT_OOB_EVT, (tBTM_SP_EVT_DATA *)&evt_data) == BTM_NOT_AUTHORIZED)
3924 {
3925 BTM_RemoteOobDataReply(TRUE, p_bda, c, r);
3926 }
3927 return;
3928 }
3929
3930 /* something bad. we can only fail this connection */
3931 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
3932 btsnd_hcic_rem_oob_neg_reply (p_bda);
3933 }
3934
3935 /*******************************************************************************
3936 **
3937 ** Function btm_read_local_oob_complete
3938 **
3939 ** Description This function is called when read local oob data is
3940 ** completed by the LM
3941 **
3942 ** Returns void
3943 **
3944 *******************************************************************************/
btm_read_local_oob_complete(UINT8 * p)3945 void btm_read_local_oob_complete (UINT8 *p)
3946 {
3947 tBTM_SP_LOC_OOB evt_data;
3948 UINT8 status = *p++;
3949
3950 BTM_TRACE_EVENT ("btm_read_local_oob_complete:%d", status);
3951 if (status == HCI_SUCCESS)
3952 {
3953 evt_data.status = BTM_SUCCESS;
3954 STREAM_TO_ARRAY16(evt_data.c, p);
3955 STREAM_TO_ARRAY16(evt_data.r, p);
3956 }
3957 else
3958 evt_data.status = BTM_ERR_PROCESSING;
3959
3960 if (btm_cb.api.p_sp_callback)
3961 (*btm_cb.api.p_sp_callback) (BTM_SP_LOC_OOB_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3962 }
3963 #endif /* BTM_OOB_INCLUDED */
3964
3965 /*******************************************************************************
3966 **
3967 ** Function btm_sec_auth_collision
3968 **
3969 ** Description This function is called when authentication or encryption
3970 ** needs to be retried at a later time.
3971 **
3972 ** Returns void
3973 **
3974 *******************************************************************************/
btm_sec_auth_collision(UINT16 handle)3975 static void btm_sec_auth_collision (UINT16 handle)
3976 {
3977 tBTM_SEC_DEV_REC *p_dev_rec;
3978
3979 if (!btm_cb.collision_start_time)
3980 btm_cb.collision_start_time = GKI_get_os_tick_count();
3981
3982 if ((GKI_get_os_tick_count() - btm_cb.collision_start_time) < btm_cb.max_collision_delay)
3983 {
3984 if (handle == BTM_SEC_INVALID_HANDLE)
3985 {
3986 if ((p_dev_rec = btm_sec_find_dev_by_sec_state (BTM_SEC_STATE_AUTHENTICATING)) == NULL)
3987 p_dev_rec = btm_sec_find_dev_by_sec_state (BTM_SEC_STATE_ENCRYPTING);
3988 }
3989 else
3990 p_dev_rec = btm_find_dev_by_handle (handle);
3991
3992 if (p_dev_rec != NULL)
3993 {
3994 BTM_TRACE_DEBUG ("btm_sec_auth_collision: state %d (retrying in a moment...)", p_dev_rec->sec_state);
3995 /* We will restart authentication after timeout */
3996 if (p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING || p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING)
3997 p_dev_rec->sec_state = 0;
3998
3999 btm_cb.p_collided_dev_rec = p_dev_rec;
4000 btm_cb.sec_collision_tle.param = (UINT32) btm_sec_collision_timeout;
4001 btu_start_timer (&btm_cb.sec_collision_tle, BTU_TTYPE_USER_FUNC, BT_1SEC_TIMEOUT);
4002 }
4003 }
4004 }
4005
4006 /*******************************************************************************
4007 **
4008 ** Function btm_sec_auth_complete
4009 **
4010 ** Description This function is when authentication of the connection is
4011 ** completed by the LM
4012 **
4013 ** Returns void
4014 **
4015 *******************************************************************************/
btm_sec_auth_complete(UINT16 handle,UINT8 status)4016 void btm_sec_auth_complete (UINT16 handle, UINT8 status)
4017 {
4018 UINT8 old_sm4;
4019 tBTM_PAIRING_STATE old_state = btm_cb.pairing_state;
4020 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle);
4021 BOOLEAN are_bonding = FALSE;
4022
4023 /* Commenting out trace due to obf/compilation problems.
4024 */
4025 #if (BT_USE_TRACES == TRUE)
4026 if (p_dev_rec)
4027 {
4028 BTM_TRACE_EVENT ("Security Manager: auth_complete PairState: %s handle:%u status:%d dev->sec_state: %u Bda:%08x, RName:%s",
4029 btm_pair_state_descr (btm_cb.pairing_state),
4030 handle, status,
4031 p_dev_rec->sec_state,
4032 (p_dev_rec->bd_addr[2]<<24)+(p_dev_rec->bd_addr[3]<<16)+(p_dev_rec->bd_addr[4]<<8)+p_dev_rec->bd_addr[5],
4033 p_dev_rec->sec_bd_name);
4034 }
4035 else
4036 {
4037 BTM_TRACE_EVENT ("Security Manager: auth_complete PairState: %s handle:%u status:%d",
4038 btm_pair_state_descr (btm_cb.pairing_state),
4039 handle, status);
4040 }
4041 #endif
4042
4043 /* For transaction collision we need to wait and repeat. There is no need */
4044 /* for random timeout because only slave should receive the result */
4045 if ((status == HCI_ERR_LMP_ERR_TRANS_COLLISION) || (status == HCI_ERR_DIFF_TRANSACTION_COLLISION))
4046 {
4047 btm_sec_auth_collision(handle);
4048 return;
4049 }
4050 btm_cb.collision_start_time = 0;
4051
4052 btm_restore_mode();
4053
4054 /* Check if connection was made just to do bonding. If we authenticate
4055 the connection that is up, this is the last event received.
4056 */
4057 if (p_dev_rec
4058 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4059 && !(btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE))
4060 {
4061 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4062
4063 l2cu_start_post_bond_timer (p_dev_rec->hci_handle);
4064 }
4065
4066 if (!p_dev_rec)
4067 return;
4068
4069 /* keep the old sm4 flag and clear the retry bit in control block */
4070 old_sm4 = p_dev_rec->sm4;
4071 p_dev_rec->sm4 &= ~BTM_SM4_RETRY;
4072
4073 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4074 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4075 && (memcmp (p_dev_rec->bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN) == 0) )
4076 are_bonding = TRUE;
4077
4078 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4079 && (memcmp (p_dev_rec->bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN) == 0) )
4080 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4081
4082 if (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING)
4083 {
4084 if ( (btm_cb.api.p_auth_complete_callback && status != HCI_SUCCESS)
4085 && (old_state != BTM_PAIR_STATE_IDLE) )
4086 {
4087 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4088 p_dev_rec->dev_class,
4089 p_dev_rec->sec_bd_name, status);
4090 }
4091 return;
4092 }
4093
4094 /* There can be a race condition, when we are starting authentication and
4095 ** the peer device is doing encryption.
4096 ** If first we receive encryption change up, then initiated authentication
4097 ** can not be performed. According to the spec we can not do authentication
4098 ** on the encrypted link, so device is correct.
4099 */
4100 if ((status == HCI_ERR_COMMAND_DISALLOWED)
4101 && ((p_dev_rec->sec_flags & (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED)) ==
4102 (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED)))
4103 {
4104 status = HCI_SUCCESS;
4105 }
4106 /* Currently we do not notify user if it is a keyboard which connects */
4107 /* User probably Disabled the keyboard while it was asleap. Let her try */
4108 if (btm_cb.api.p_auth_complete_callback)
4109 {
4110 /* report the suthentication status */
4111 if (old_state != BTM_PAIR_STATE_IDLE)
4112 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4113 p_dev_rec->dev_class,
4114 p_dev_rec->sec_bd_name, status);
4115 }
4116
4117 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
4118
4119 /* If this is a bonding procedure can disconnect the link now */
4120 if (are_bonding)
4121 {
4122 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4123
4124 if (status != HCI_SUCCESS)
4125 {
4126 if(((status != HCI_ERR_PEER_USER) && (status != HCI_ERR_CONN_CAUSE_LOCAL_HOST)))
4127 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_PEER_USER, p_dev_rec->hci_handle);
4128 }
4129 else
4130 {
4131 BTM_TRACE_DEBUG ("TRYING TO DECIDE IF CAN USE SMP_BR_CHNL");
4132 if (p_dev_rec->new_encryption_key_is_p256 && (btm_sec_use_smp_br_chnl(p_dev_rec))
4133 /* no LE keys are available, do deriving */
4134 && (!(p_dev_rec->sec_flags &BTM_SEC_LE_LINK_KEY_KNOWN) ||
4135 /* or BR key is higher security than existing LE keys */
4136 (!(p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_AUTHED) &&
4137 (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED))))
4138 {
4139 BTM_TRACE_DEBUG ("link encrypted afer dedic bonding can use SMP_BR_CHNL");
4140
4141 if (btm_sec_is_master(p_dev_rec))
4142 {
4143 // Encryption is required to start SM over BR/EDR
4144 // indicate that this is encryption after authentication
4145 BTM_SetEncryption(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR, NULL, NULL);
4146 }
4147 }
4148 l2cu_start_post_bond_timer (p_dev_rec->hci_handle);
4149 }
4150
4151 return;
4152 }
4153
4154 /* If authentication failed, notify the waiting layer */
4155 if (status != HCI_SUCCESS)
4156 {
4157 if ((old_sm4 & BTM_SM4_RETRY) == 0)
4158 {
4159 /* allow retry only once */
4160 if (status == HCI_ERR_LMP_ERR_TRANS_COLLISION)
4161 {
4162 /* not retried yet. set the retry bit */
4163 p_dev_rec->sm4 |= BTM_SM4_RETRY;
4164 BTM_TRACE_DEBUG ("Collision retry sm4:x%x sec_flags:0x%x", p_dev_rec->sm4, p_dev_rec->sec_flags);
4165 }
4166 /* this retry for missing key is for Lisbon or later only.
4167 * Legacy device do not need this. the controller will drive the retry automatically */
4168 else if (HCI_ERR_KEY_MISSING == status && BTM_SEC_IS_SM4(p_dev_rec->sm4))
4169 {
4170 /* not retried yet. set the retry bit */
4171 p_dev_rec->sm4 |= BTM_SM4_RETRY;
4172 p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_KNOWN;
4173 BTM_TRACE_DEBUG ("Retry for missing key sm4:x%x sec_flags:0x%x", p_dev_rec->sm4, p_dev_rec->sec_flags);
4174
4175 /* With BRCM controller, we do not need to delete the stored link key in controller.
4176 If the stack may sit on top of other controller, we may need this
4177 BTM_DeleteStoredLinkKey (bd_addr, NULL); */
4178 }
4179
4180 if (p_dev_rec->sm4 & BTM_SM4_RETRY)
4181 {
4182 btm_sec_execute_procedure (p_dev_rec);
4183 return;
4184 }
4185 }
4186
4187 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING, FALSE);
4188
4189 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)
4190 {
4191 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE, p_dev_rec->hci_handle);
4192 }
4193 return;
4194 }
4195
4196 p_dev_rec->sec_flags |= BTM_SEC_AUTHENTICATED;
4197
4198 if (p_dev_rec->pin_code_length >= 16 ||
4199 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB ||
4200 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) {
4201 // If we have MITM protection we have a higher level of security than
4202 // provided by 16 digits PIN
4203 p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED;
4204 }
4205
4206 /* Authentication succeeded, execute the next security procedure, if any */
4207 status = btm_sec_execute_procedure (p_dev_rec);
4208
4209 /* If there is no next procedure, or procedure failed to start, notify the caller */
4210 if (status != BTM_CMD_STARTED)
4211 btm_sec_dev_rec_cback_event (p_dev_rec, status, FALSE);
4212 }
4213
4214 /*******************************************************************************
4215 **
4216 ** Function btm_sec_encrypt_change
4217 **
4218 ** Description This function is when encryption of the connection is
4219 ** completed by the LM
4220 **
4221 ** Returns void
4222 **
4223 *******************************************************************************/
btm_sec_encrypt_change(UINT16 handle,UINT8 status,UINT8 encr_enable)4224 void btm_sec_encrypt_change (UINT16 handle, UINT8 status, UINT8 encr_enable)
4225 {
4226 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle);
4227 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
4228 tACL_CONN *p_acl = NULL;
4229 UINT8 acl_idx = btm_handle_to_acl_index(handle);
4230 #endif
4231 BTM_TRACE_EVENT ("Security Manager: encrypt_change status:%d State:%d, encr_enable = %d",
4232 status, (p_dev_rec) ? p_dev_rec->sec_state : 0, encr_enable);
4233 BTM_TRACE_DEBUG ("before update p_dev_rec->sec_flags=0x%x", (p_dev_rec) ? p_dev_rec->sec_flags : 0 );
4234
4235 /* For transaction collision we need to wait and repeat. There is no need */
4236 /* for random timeout because only slave should receive the result */
4237 if ((status == HCI_ERR_LMP_ERR_TRANS_COLLISION) ||
4238 (status == HCI_ERR_DIFF_TRANSACTION_COLLISION))
4239 {
4240 btm_sec_auth_collision(handle);
4241 return;
4242 }
4243 btm_cb.collision_start_time = 0;
4244
4245 if (!p_dev_rec)
4246 return;
4247
4248 if ((status == HCI_SUCCESS) && encr_enable)
4249 {
4250 if (p_dev_rec->hci_handle == handle) {
4251 p_dev_rec->sec_flags |= (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED);
4252 if (p_dev_rec->pin_code_length >= 16 ||
4253 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB ||
4254 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) {
4255 p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED;
4256 }
4257 }
4258 else
4259 {
4260 p_dev_rec->sec_flags |= (BTM_SEC_LE_AUTHENTICATED | BTM_SEC_LE_ENCRYPTED);
4261 }
4262 }
4263
4264 /* It is possible that we decrypted the link to perform role switch */
4265 /* mark link not to be encrypted, so that when we execute security next time it will kick in again */
4266 if ((status == HCI_SUCCESS) && !encr_enable)
4267 {
4268 if (p_dev_rec->hci_handle == handle)
4269 p_dev_rec->sec_flags &= ~BTM_SEC_ENCRYPTED;
4270 else
4271 p_dev_rec->sec_flags &= ~BTM_SEC_LE_ENCRYPTED;
4272 }
4273
4274 BTM_TRACE_DEBUG ("after update p_dev_rec->sec_flags=0x%x", p_dev_rec->sec_flags );
4275
4276 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
4277 if (acl_idx != MAX_L2CAP_LINKS)
4278 p_acl = &btm_cb.acl_db[acl_idx];
4279
4280 if (p_acl != NULL)
4281 btm_sec_check_pending_enc_req(p_dev_rec, p_acl->transport, encr_enable);
4282
4283 if (p_acl && p_acl->transport == BT_TRANSPORT_LE)
4284 {
4285 if (status == HCI_ERR_KEY_MISSING || status == HCI_ERR_AUTH_FAILURE ||
4286 status == HCI_ERR_ENCRY_MODE_NOT_ACCEPTABLE)
4287 {
4288 p_dev_rec->sec_flags &= ~ (BTM_SEC_LE_LINK_KEY_KNOWN);
4289 p_dev_rec->ble.key_type = BTM_LE_KEY_NONE;
4290 }
4291 btm_ble_link_encrypted(p_dev_rec->ble.pseudo_addr, encr_enable);
4292 return;
4293 }
4294 else
4295 {
4296 /* BR/EDR connection, update the encryption key size to be 16 as always */
4297 p_dev_rec->enc_key_size = 16;
4298 }
4299
4300 BTM_TRACE_DEBUG ("in %s new_encr_key_256 is %d",
4301 __func__, p_dev_rec->new_encryption_key_is_p256);
4302
4303 if ((status == HCI_SUCCESS) && encr_enable && (p_dev_rec->hci_handle == handle))
4304 {
4305 if (p_dev_rec->new_encryption_key_is_p256)
4306 {
4307 if (btm_sec_use_smp_br_chnl(p_dev_rec) &&
4308 btm_sec_is_master(p_dev_rec) &&
4309 /* if LE key is not known, do deriving */
4310 (!(p_dev_rec->sec_flags &BTM_SEC_LE_LINK_KEY_KNOWN) ||
4311 /* or BR key is higher security than existing LE keys */
4312 (!(p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_AUTHED)
4313 && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED))))
4314 {
4315 /* BR/EDR is encrypted with LK that can be used to derive LE LTK */
4316 p_dev_rec->new_encryption_key_is_p256 = FALSE;
4317
4318 if (p_dev_rec->no_smp_on_br)
4319 {
4320 BTM_TRACE_DEBUG ("%s NO SM over BR/EDR", __func__);
4321 }
4322 else
4323 {
4324 BTM_TRACE_DEBUG ("%s start SM over BR/EDR", __func__);
4325 SMP_BR_PairWith(p_dev_rec->bd_addr);
4326 }
4327 }
4328 }
4329 else
4330 {
4331 // BR/EDR is successfully encrypted. Correct LK type if needed
4332 // (BR/EDR LK derived from LE LTK was used for encryption)
4333 if ((encr_enable == 1) && /* encryption is ON for SSP */
4334 /* LK type is for BR/EDR SC */
4335 (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256 ||
4336 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256))
4337 {
4338 if (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256)
4339 p_dev_rec->link_key_type = BTM_LKEY_TYPE_UNAUTH_COMB;
4340 else /* BTM_LKEY_TYPE_AUTH_COMB_P_256 */
4341 p_dev_rec->link_key_type = BTM_LKEY_TYPE_AUTH_COMB;
4342
4343 BTM_TRACE_DEBUG("updated link key type to %d", p_dev_rec->link_key_type);
4344 btm_send_link_key_notif(p_dev_rec);
4345 }
4346 }
4347 }
4348 #else
4349 btm_sec_check_pending_enc_req (p_dev_rec, BT_TRANSPORT_BR_EDR, encr_enable);
4350 #endif /* BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE */
4351
4352 /* If this encryption was started by peer do not need to do anything */
4353 if (p_dev_rec->sec_state != BTM_SEC_STATE_ENCRYPTING)
4354 {
4355 if (BTM_SEC_STATE_DELAY_FOR_ENC == p_dev_rec->sec_state)
4356 {
4357 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
4358 p_dev_rec->p_callback = NULL;
4359 l2cu_resubmit_pending_sec_req (p_dev_rec->bd_addr);
4360 }
4361 return;
4362 }
4363
4364 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
4365 /* If encryption setup failed, notify the waiting layer */
4366 if (status != HCI_SUCCESS)
4367 {
4368 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING, FALSE);
4369 return;
4370 }
4371
4372 /* Encryption setup succeeded, execute the next security procedure, if any */
4373 status = (UINT8)btm_sec_execute_procedure (p_dev_rec);
4374 /* If there is no next procedure, or procedure failed to start, notify the caller */
4375 if (status != BTM_CMD_STARTED)
4376 btm_sec_dev_rec_cback_event (p_dev_rec, status, FALSE);
4377 }
4378
4379 /*******************************************************************************
4380 **
4381 ** Function btm_sec_connect_after_reject_timeout
4382 **
4383 ** Description Connection for bonding could not start because of the collision
4384 ** Initiate outgoing connection
4385 **
4386 ** Returns Pointer to the TLE struct
4387 **
4388 *******************************************************************************/
btm_sec_connect_after_reject_timeout(TIMER_LIST_ENT * p_tle)4389 static void btm_sec_connect_after_reject_timeout (TIMER_LIST_ENT *p_tle)
4390 {
4391 tBTM_SEC_DEV_REC *p_dev_rec = btm_cb.p_collided_dev_rec;
4392 UNUSED(p_tle);
4393
4394 BTM_TRACE_EVENT ("btm_sec_connect_after_reject_timeout()");
4395 btm_cb.sec_collision_tle.param = 0;
4396 btm_cb.p_collided_dev_rec = 0;
4397
4398 if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED)
4399 {
4400 BTM_TRACE_WARNING ("Security Manager: btm_sec_connect_after_reject_timeout: failed to start connection");
4401
4402 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4403
4404 if (btm_cb.api.p_auth_complete_callback)
4405 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
4406 p_dev_rec->sec_bd_name, HCI_ERR_MEMORY_FULL);
4407 }
4408 }
4409
4410 /*******************************************************************************
4411 **
4412 ** Function btm_sec_connected
4413 **
4414 ** Description This function is when a connection to the peer device is
4415 ** establsihed
4416 **
4417 ** Returns void
4418 **
4419 *******************************************************************************/
btm_sec_connected(UINT8 * bda,UINT16 handle,UINT8 status,UINT8 enc_mode)4420 void btm_sec_connected (UINT8 *bda, UINT16 handle, UINT8 status, UINT8 enc_mode)
4421 {
4422 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bda);
4423 UINT8 res;
4424 BOOLEAN is_pairing_device = FALSE;
4425 tACL_CONN *p_acl_cb;
4426 UINT8 bit_shift = 0;
4427
4428 btm_acl_resubmit_page();
4429
4430 /* Commenting out trace due to obf/compilation problems.
4431 */
4432 #if (BT_USE_TRACES == TRUE)
4433 if (p_dev_rec)
4434 {
4435 BTM_TRACE_EVENT ("Security Manager: btm_sec_connected in state: %s handle:%d status:%d enc_mode:%d bda:%x RName:%s",
4436 btm_pair_state_descr(btm_cb.pairing_state), handle, status, enc_mode,
4437 (bda[2]<<24)+(bda[3]<<16)+(bda[4]<<8)+bda[5],
4438 p_dev_rec->sec_bd_name);
4439 }
4440 else
4441 {
4442 BTM_TRACE_EVENT ("Security Manager: btm_sec_connected in state: %s handle:%d status:%d enc_mode:%d bda:%x ",
4443 btm_pair_state_descr(btm_cb.pairing_state), handle, status, enc_mode,
4444 (bda[2]<<24)+(bda[3]<<16)+(bda[4]<<8)+bda[5]);
4445 }
4446 #endif
4447
4448 if (!p_dev_rec)
4449 {
4450 /* There is no device record for new connection. Allocate one */
4451 if (status == HCI_SUCCESS)
4452 {
4453 p_dev_rec = btm_sec_alloc_dev (bda);
4454 }
4455 else
4456 {
4457 /* If the device matches with stored paring address
4458 * reset the paring state to idle */
4459 if ((btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) &&
4460 (memcmp (btm_cb.pairing_bda, bda, BD_ADDR_LEN) == 0))
4461 {
4462 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE);
4463 }
4464
4465 /* can not find the device record and the status is error,
4466 * just ignore it */
4467 return;
4468 }
4469 }
4470 else /* Update the timestamp for this device */
4471 {
4472
4473 #if BLE_INCLUDED == TRUE
4474 bit_shift = (handle == p_dev_rec->ble_hci_handle) ? 8 :0;
4475 #endif
4476 p_dev_rec->timestamp = btm_cb.dev_rec_count++;
4477 if (p_dev_rec->sm4 & BTM_SM4_CONN_PEND)
4478 {
4479 /* tell L2CAP it's a bonding connection. */
4480 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4481 && (memcmp (btm_cb.pairing_bda, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0)
4482 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) )
4483 {
4484 /* if incoming connection failed while pairing, then try to connect and continue */
4485 /* Motorola S9 disconnects without asking pin code */
4486 if ((status != HCI_SUCCESS)&&(btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_PIN_REQ))
4487 {
4488 BTM_TRACE_WARNING ("Security Manager: btm_sec_connected: incoming connection failed without asking PIN");
4489
4490 p_dev_rec->sm4 &= ~BTM_SM4_CONN_PEND;
4491 if (p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
4492 {
4493 /* Start timer with 0 to initiate connection with new LCB */
4494 /* because L2CAP will delete current LCB with this event */
4495 btm_cb.p_collided_dev_rec = p_dev_rec;
4496 btm_cb.sec_collision_tle.param = (UINT32) btm_sec_connect_after_reject_timeout;
4497 btu_start_timer (&btm_cb.sec_collision_tle, BTU_TTYPE_USER_FUNC, 0);
4498 }
4499 else
4500 {
4501 btm_sec_change_pairing_state (BTM_PAIR_STATE_GET_REM_NAME);
4502 BTM_ReadRemoteDeviceName(p_dev_rec->bd_addr, NULL, BT_TRANSPORT_BR_EDR);
4503 }
4504 #if BTM_DISC_DURING_RS == TRUE
4505 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */
4506 #endif
4507 return;
4508 }
4509 else
4510 {
4511 l2cu_update_lcb_4_bonding(p_dev_rec->bd_addr, TRUE);
4512 }
4513 }
4514 /* always clear the pending flag */
4515 p_dev_rec->sm4 &= ~BTM_SM4_CONN_PEND;
4516 }
4517 }
4518
4519 #if BLE_INCLUDED == TRUE
4520 p_dev_rec->device_type |= BT_DEVICE_TYPE_BREDR;
4521 #endif
4522
4523 #if BTM_DISC_DURING_RS == TRUE
4524 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */
4525 #endif
4526
4527 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */
4528
4529 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4530 && (memcmp (btm_cb.pairing_bda, bda, BD_ADDR_LEN) == 0) )
4531 {
4532 /* if we rejected incoming connection from bonding device */
4533 if ((status == HCI_ERR_HOST_REJECT_DEVICE)
4534 &&(btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT))
4535 {
4536 BTM_TRACE_WARNING ("Security Manager: btm_sec_connected: HCI_Conn_Comp Flags:0x%04x, sm4: 0x%x",
4537 btm_cb.pairing_flags, p_dev_rec->sm4);
4538
4539 btm_cb.pairing_flags &= ~BTM_PAIR_FLAGS_REJECTED_CONNECT;
4540 if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4))
4541 {
4542 /* Try again: RNR when no ACL causes HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT */
4543 btm_sec_change_pairing_state (BTM_PAIR_STATE_GET_REM_NAME);
4544 BTM_ReadRemoteDeviceName(bda, NULL, BT_TRANSPORT_BR_EDR);
4545 return;
4546 }
4547
4548 /* if we already have pin code */
4549 if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_PIN)
4550 {
4551 /* Start timer with 0 to initiate connection with new LCB */
4552 /* because L2CAP will delete current LCB with this event */
4553 btm_cb.p_collided_dev_rec = p_dev_rec;
4554 btm_cb.sec_collision_tle.param = (UINT32) btm_sec_connect_after_reject_timeout;
4555 btu_start_timer (&btm_cb.sec_collision_tle, BTU_TTYPE_USER_FUNC, 0);
4556 }
4557
4558 return;
4559 }
4560 /* wait for incoming connection without resetting pairing state */
4561 else if (status == HCI_ERR_CONNECTION_EXISTS)
4562 {
4563 BTM_TRACE_WARNING ("Security Manager: btm_sec_connected: Wait for incoming connection");
4564 return;
4565 }
4566
4567 is_pairing_device = TRUE;
4568 }
4569
4570 /* If connection was made to do bonding restore link security if changed */
4571 btm_restore_mode();
4572
4573 /* if connection fails during pin request, notify application */
4574 if (status != HCI_SUCCESS)
4575 {
4576 /* If connection failed because of during pairing, need to tell user */
4577 if (is_pairing_device)
4578 {
4579 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4580 p_dev_rec->sec_flags &= ~((BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED) << bit_shift);
4581 BTM_TRACE_DEBUG ("security_required:%x ", p_dev_rec->security_required );
4582
4583 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4584
4585 /* We need to notify host that the key is not known any more */
4586 if (btm_cb.api.p_auth_complete_callback)
4587 {
4588 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4589 p_dev_rec->dev_class,
4590 p_dev_rec->sec_bd_name, status);
4591 }
4592 }
4593 /*
4594 Do not send authentication failure, if following conditions hold good
4595 1. BTM Sec Pairing state is idle
4596 2. Link key for the remote device is present.
4597 3. Remote is SSP capable.
4598 */
4599 else if ((p_dev_rec->link_key_type <= BTM_LKEY_TYPE_REMOTE_UNIT) &&
4600 (((status == HCI_ERR_AUTH_FAILURE) ||
4601 (status == HCI_ERR_KEY_MISSING) ||
4602 (status == HCI_ERR_HOST_REJECT_SECURITY) ||
4603 (status == HCI_ERR_PAIRING_NOT_ALLOWED) ||
4604 (status == HCI_ERR_UNIT_KEY_USED) ||
4605 (status == HCI_ERR_PAIRING_WITH_UNIT_KEY_NOT_SUPPORTED) ||
4606 (status == HCI_ERR_ENCRY_MODE_NOT_ACCEPTABLE) ||
4607 (status == HCI_ERR_REPEATED_ATTEMPTS))))
4608 {
4609 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4610 p_dev_rec->sec_flags &= ~ (BTM_SEC_LE_LINK_KEY_KNOWN << bit_shift);
4611
4612
4613 #ifdef BRCM_NOT_4_BTE
4614 /* If we rejected pairing, pass this special result code */
4615 if (btm_cb.acl_disc_reason == HCI_ERR_HOST_REJECT_SECURITY)
4616 {
4617 status = HCI_ERR_HOST_REJECT_SECURITY;
4618 }
4619 #endif
4620
4621 /* We need to notify host that the key is not known any more */
4622 if (btm_cb.api.p_auth_complete_callback)
4623 {
4624 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4625 p_dev_rec->dev_class,
4626 p_dev_rec->sec_bd_name, status);
4627 }
4628 }
4629
4630 if (status == HCI_ERR_CONNECTION_TOUT || status == HCI_ERR_LMP_RESPONSE_TIMEOUT ||
4631 status == HCI_ERR_UNSPECIFIED || status == HCI_ERR_PAGE_TIMEOUT)
4632 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_DEVICE_TIMEOUT, FALSE);
4633 else
4634 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING, FALSE);
4635
4636 return;
4637 }
4638
4639 /* If initiated dedicated bonding, return the link key now, and initiate disconnect */
4640 /* If dedicated bonding, and we now have a link key, we are all done */
4641 if ( is_pairing_device
4642 && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) )
4643 {
4644 if (p_dev_rec->link_key_not_sent)
4645 {
4646 p_dev_rec->link_key_not_sent = FALSE;
4647 btm_send_link_key_notif(p_dev_rec);
4648 }
4649
4650 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4651
4652 /* remember flag before it is initialized */
4653 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4654 res = TRUE;
4655 else
4656 res = FALSE;
4657
4658 if (btm_cb.api.p_auth_complete_callback)
4659 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4660 p_dev_rec->dev_class,
4661 p_dev_rec->sec_bd_name, HCI_SUCCESS);
4662
4663 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4664
4665 if ( res )
4666 {
4667 /* Let l2cap start bond timer */
4668 l2cu_update_lcb_4_bonding (p_dev_rec->bd_addr, TRUE);
4669 }
4670
4671 return;
4672 }
4673
4674 p_dev_rec->hci_handle = handle;
4675
4676 /* role may not be correct here, it will be updated by l2cap, but we need to */
4677 /* notify btm_acl that link is up, so starting of rmt name request will not */
4678 /* set paging flag up */
4679 p_acl_cb = btm_bda_to_acl(bda, BT_TRANSPORT_BR_EDR);
4680 if (p_acl_cb)
4681 {
4682 /* whatever is in btm_establish_continue() without reporting the BTM_BL_CONN_EVT event */
4683 #if (!defined(BTM_BYPASS_EXTRA_ACL_SETUP) || BTM_BYPASS_EXTRA_ACL_SETUP == FALSE)
4684 /* For now there are a some devices that do not like sending */
4685 /* commands events and data at the same time. */
4686 /* Set the packet types to the default allowed by the device */
4687 btm_set_packet_types (p_acl_cb, btm_cb.btm_acl_pkt_types_supported);
4688
4689 if (btm_cb.btm_def_link_policy)
4690 BTM_SetLinkPolicy (p_acl_cb->remote_addr, &btm_cb.btm_def_link_policy);
4691 #endif
4692 }
4693 btm_acl_created (bda, p_dev_rec->dev_class, p_dev_rec->sec_bd_name, handle, HCI_ROLE_SLAVE, BT_TRANSPORT_BR_EDR);
4694
4695 /* Initialize security flags. We need to do that because some */
4696 /* authorization complete could have come after the connection is dropped */
4697 /* and that would set wrong flag that link has been authorized already */
4698 p_dev_rec->sec_flags &= ~((BTM_SEC_AUTHORIZED | BTM_SEC_AUTHENTICATED |
4699 BTM_SEC_ENCRYPTED | BTM_SEC_ROLE_SWITCHED) << bit_shift);
4700
4701 if (enc_mode != HCI_ENCRYPT_MODE_DISABLED)
4702 p_dev_rec->sec_flags |= ((BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED) << bit_shift);
4703
4704 if (btm_cb.security_mode == BTM_SEC_MODE_LINK)
4705 p_dev_rec->sec_flags |= (BTM_SEC_AUTHENTICATED << bit_shift);
4706
4707 if (p_dev_rec->pin_code_length >= 16 ||
4708 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB ||
4709 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) {
4710 p_dev_rec->sec_flags |= (BTM_SEC_16_DIGIT_PIN_AUTHED << bit_shift);
4711 }
4712
4713 p_dev_rec->link_key_changed = FALSE;
4714
4715 /* After connection is established we perform security if we do not know */
4716 /* the name, or if we are originator because some procedure can have */
4717 /* been scheduled while connection was down */
4718 BTM_TRACE_DEBUG ("is_originator:%d ", p_dev_rec->is_originator);
4719 if (!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN) || p_dev_rec->is_originator)
4720 {
4721 if ((res = btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED)
4722 btm_sec_dev_rec_cback_event (p_dev_rec, res, FALSE);
4723 }
4724 return;
4725 }
4726
4727 /*******************************************************************************
4728 **
4729 ** Function btm_sec_disconnect
4730 **
4731 ** Description This function is called to disconnect HCI link
4732 **
4733 ** Returns btm status
4734 **
4735 *******************************************************************************/
btm_sec_disconnect(UINT16 handle,UINT8 reason)4736 tBTM_STATUS btm_sec_disconnect (UINT16 handle, UINT8 reason)
4737 {
4738 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle);
4739
4740 /* In some weird race condition we may not have a record */
4741 if (!p_dev_rec)
4742 {
4743 btsnd_hcic_disconnect (handle, reason);
4744 return(BTM_SUCCESS);
4745 }
4746
4747 /* If we are in the process of bonding we need to tell client that auth failed */
4748 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4749 && (memcmp (btm_cb.pairing_bda, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0)
4750 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) )
4751 {
4752 /* we are currently doing bonding. Link will be disconnected when done */
4753 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_DISC_WHEN_DONE;
4754 return(BTM_BUSY);
4755 }
4756
4757 return(btm_sec_send_hci_disconnect(p_dev_rec, reason, handle));
4758 }
4759
4760 /*******************************************************************************
4761 **
4762 ** Function btm_sec_disconnected
4763 **
4764 ** Description This function is when a connection to the peer device is
4765 ** dropped
4766 **
4767 ** Returns void
4768 **
4769 *******************************************************************************/
btm_sec_disconnected(UINT16 handle,UINT8 reason)4770 void btm_sec_disconnected (UINT16 handle, UINT8 reason)
4771 {
4772 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle);
4773 UINT8 old_pairing_flags = btm_cb.pairing_flags;
4774 int result = HCI_ERR_AUTH_FAILURE;
4775 tBTM_SEC_CALLBACK *p_callback = NULL;
4776 tBT_TRANSPORT transport = BT_TRANSPORT_BR_EDR;
4777
4778 /* If page was delayed for disc complete, can do it now */
4779 btm_cb.discing = FALSE;
4780
4781 btm_acl_resubmit_page();
4782
4783 if (!p_dev_rec)
4784 return;
4785
4786 transport = (handle == p_dev_rec->hci_handle) ? BT_TRANSPORT_BR_EDR: BT_TRANSPORT_LE;
4787
4788 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */
4789
4790 #if BTM_DISC_DURING_RS == TRUE
4791 LOG_INFO("%s clearing pending flag handle:%d reason:%d", __func__, handle, reason);
4792 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */
4793 #endif
4794
4795 /* clear unused flags */
4796 p_dev_rec->sm4 &= BTM_SM4_TRUE;
4797
4798 uint8_t *bd_addr = (uint8_t *)p_dev_rec->bd_addr;
4799 BTM_TRACE_EVENT("%s sec_req:x%x state:%s reason:%d bd_addr:%02x:%02x:%02x:%02x:%02x:%02x"
4800 " remote_name:%s", __func__, p_dev_rec->security_required, btm_pair_state_descr(btm_cb.pairing_state),
4801 reason, bd_addr[0], bd_addr[1], bd_addr[2], bd_addr[3], bd_addr[4], bd_addr[5], p_dev_rec->sec_bd_name);
4802
4803 BTM_TRACE_EVENT("%s before update sec_flags=0x%x", __func__, p_dev_rec->sec_flags);
4804
4805 /* If we are in the process of bonding we need to tell client that auth failed */
4806 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4807 && (memcmp (btm_cb.pairing_bda, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0))
4808 {
4809 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4810 p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_KNOWN;
4811 if (btm_cb.api.p_auth_complete_callback)
4812 {
4813 /* If the disconnection reason is REPEATED_ATTEMPTS,
4814 send this error message to complete callback function
4815 to display the error message of Repeated attempts.
4816 All others, send HCI_ERR_AUTH_FAILURE. */
4817 if (reason == HCI_ERR_REPEATED_ATTEMPTS)
4818 {
4819 result = HCI_ERR_REPEATED_ATTEMPTS;
4820 }
4821 else if (old_pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4822 {
4823 result = HCI_ERR_HOST_REJECT_SECURITY;
4824 }
4825 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
4826 p_dev_rec->sec_bd_name, result);
4827 }
4828 }
4829
4830 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
4831 btm_ble_update_mode_operation(HCI_ROLE_UNKNOWN, p_dev_rec->bd_addr, HCI_SUCCESS);
4832 /* see sec_flags processing in btm_acl_removed */
4833
4834 if (transport == BT_TRANSPORT_LE)
4835 {
4836 p_dev_rec->ble_hci_handle = BTM_SEC_INVALID_HANDLE;
4837 p_dev_rec->sec_flags &= ~(BTM_SEC_LE_AUTHENTICATED|BTM_SEC_LE_ENCRYPTED);
4838 p_dev_rec->enc_key_size = 0;
4839 }
4840 else
4841 #endif
4842 {
4843 p_dev_rec->hci_handle = BTM_SEC_INVALID_HANDLE;
4844 p_dev_rec->sec_flags &= ~(BTM_SEC_AUTHORIZED | BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED
4845 | BTM_SEC_ROLE_SWITCHED | BTM_SEC_16_DIGIT_PIN_AUTHED);
4846 }
4847
4848 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
4849 if (p_dev_rec->sec_state == BTM_SEC_STATE_DISCONNECTING_BOTH)
4850 {
4851 p_dev_rec->sec_state = (transport == BT_TRANSPORT_LE) ?
4852 BTM_SEC_STATE_DISCONNECTING : BTM_SEC_STATE_DISCONNECTING_BLE;
4853 return;
4854 }
4855 #endif
4856 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
4857 p_dev_rec->security_required = BTM_SEC_NONE;
4858
4859 p_callback = p_dev_rec->p_callback;
4860
4861 /* if security is pending, send callback to clean up the security state */
4862 if(p_callback)
4863 {
4864 p_dev_rec->p_callback = NULL; /* when the peer device time out the authentication before
4865 we do, this call back must be reset here */
4866 (*p_callback) (p_dev_rec->bd_addr, transport, p_dev_rec->p_ref_data, BTM_ERR_PROCESSING);
4867 }
4868
4869 BTM_TRACE_EVENT("%s after update sec_flags=0x%x", __func__, p_dev_rec->sec_flags);
4870 }
4871
4872 /*******************************************************************************
4873 **
4874 ** Function btm_sec_link_key_notification
4875 **
4876 ** Description This function is called when a new connection link key is
4877 ** generated
4878 **
4879 ** Returns Pointer to the record or NULL
4880 **
4881 *******************************************************************************/
btm_sec_link_key_notification(UINT8 * p_bda,UINT8 * p_link_key,UINT8 key_type)4882 void btm_sec_link_key_notification (UINT8 *p_bda, UINT8 *p_link_key, UINT8 key_type)
4883 {
4884 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_or_alloc_dev (p_bda);
4885 BOOLEAN we_are_bonding = FALSE;
4886 BOOLEAN ltk_derived_lk = FALSE;
4887
4888 BTM_TRACE_EVENT ("btm_sec_link_key_notification() BDA:%04x%08x, TYPE: %d",
4889 (p_bda[0]<<8)+p_bda[1], (p_bda[2]<<24)+(p_bda[3]<<16)+(p_bda[4]<<8)+p_bda[5],
4890 key_type);
4891
4892 if ((key_type >= BTM_LTK_DERIVED_LKEY_OFFSET + BTM_LKEY_TYPE_COMBINATION) &&
4893 (key_type <= BTM_LTK_DERIVED_LKEY_OFFSET + BTM_LKEY_TYPE_AUTH_COMB_P_256))
4894 {
4895 ltk_derived_lk = TRUE;
4896 key_type -= BTM_LTK_DERIVED_LKEY_OFFSET;
4897 }
4898 /* If connection was made to do bonding restore link security if changed */
4899 btm_restore_mode();
4900
4901 if (key_type != BTM_LKEY_TYPE_CHANGED_COMB)
4902 p_dev_rec->link_key_type = key_type;
4903
4904 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_KNOWN;
4905
4906 /*
4907 * Until this point in time, we do not know if MITM was enabled, hence we
4908 * add the extended security flag here.
4909 */
4910 if (p_dev_rec->pin_code_length >= 16 ||
4911 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB ||
4912 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) {
4913 p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED;
4914 }
4915
4916 #if (BLE_INCLUDED == TRUE)
4917 /* BR/EDR connection, update the encryption key size to be 16 as always */
4918 p_dev_rec->enc_key_size = 16;
4919 #endif
4920 memcpy (p_dev_rec->link_key, p_link_key, LINK_KEY_LEN);
4921
4922 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4923 && (memcmp (btm_cb.pairing_bda, p_bda, BD_ADDR_LEN) == 0) )
4924 {
4925 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4926 we_are_bonding = TRUE;
4927 else
4928 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4929 }
4930
4931 /* save LTK derived LK no matter what */
4932 if (ltk_derived_lk)
4933 {
4934 if (btm_cb.api.p_link_key_callback)
4935 {
4936 BTM_TRACE_DEBUG ("%s() Save LTK derived LK (key_type = %d)",
4937 __FUNCTION__, p_dev_rec->link_key_type);
4938 (*btm_cb.api.p_link_key_callback) (p_bda, p_dev_rec->dev_class,
4939 p_dev_rec->sec_bd_name,
4940 p_link_key, p_dev_rec->link_key_type);
4941 }
4942 }
4943 else
4944 {
4945 if ((p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256) ||
4946 (p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256))
4947 {
4948 p_dev_rec->new_encryption_key_is_p256 = TRUE;
4949 BTM_TRACE_DEBUG ("%s set new_encr_key_256 to %d",
4950 __func__, p_dev_rec->new_encryption_key_is_p256);
4951 }
4952 }
4953
4954 /* If name is not known at this point delay calling callback until the name is */
4955 /* resolved. Unless it is a HID Device and we really need to send all link keys. */
4956 if ((!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
4957 && ((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) != BTM_COD_MAJOR_PERIPHERAL))
4958 && !ltk_derived_lk)
4959 {
4960 BTM_TRACE_EVENT ("btm_sec_link_key_notification() Delayed BDA: %08x%04x Type:%d",
4961 (p_bda[0]<<24) + (p_bda[1]<<16) + (p_bda[2]<<8) + p_bda[3],
4962 (p_bda[4] << 8) + p_bda[5], key_type);
4963
4964 p_dev_rec->link_key_not_sent = TRUE;
4965
4966 /* If it is for bonding nothing else will follow, so we need to start name resolution */
4967 if (we_are_bonding)
4968 {
4969 if (!(btsnd_hcic_rmt_name_req (p_bda, HCI_PAGE_SCAN_REP_MODE_R1, HCI_MANDATARY_PAGE_SCAN_MODE, 0)))
4970 btm_inq_rmt_name_failed();
4971 }
4972
4973 BTM_TRACE_EVENT ("rmt_io_caps:%d, sec_flags:x%x, dev_class[1]:x%02x", p_dev_rec->rmt_io_caps, p_dev_rec->sec_flags, p_dev_rec->dev_class[1])
4974 return;
4975 }
4976
4977 /* If its not us who perform authentication, we should tell stackserver */
4978 /* that some authentication has been completed */
4979 /* This is required when different entities receive link notification and auth complete */
4980 if (!(p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE)
4981 /* for derived key, always send authentication callback for BR channel */
4982 || ltk_derived_lk)
4983 {
4984 if (btm_cb.api.p_auth_complete_callback)
4985 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
4986 p_dev_rec->sec_bd_name, HCI_SUCCESS);
4987 }
4988
4989 /* We will save link key only if the user authorized it - BTE report link key in all cases */
4990 #ifdef BRCM_NONE_BTE
4991 if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED)
4992 #endif
4993 {
4994 if (btm_cb.api.p_link_key_callback)
4995 {
4996 if (ltk_derived_lk)
4997 {
4998 BTM_TRACE_DEBUG ("btm_sec_link_key_notification() LTK derived LK is saved already"
4999 " (key_type = %d)", p_dev_rec->link_key_type);
5000 }
5001 else
5002 {
5003 (*btm_cb.api.p_link_key_callback) (p_bda, p_dev_rec->dev_class,
5004 p_dev_rec->sec_bd_name,
5005 p_link_key, p_dev_rec->link_key_type);
5006 }
5007 }
5008 }
5009 }
5010
5011 /*******************************************************************************
5012 **
5013 ** Function btm_sec_link_key_request
5014 **
5015 ** Description This function is called when controller requests link key
5016 **
5017 ** Returns Pointer to the record or NULL
5018 **
5019 *******************************************************************************/
btm_sec_link_key_request(UINT8 * p_bda)5020 void btm_sec_link_key_request (UINT8 *p_bda)
5021 {
5022 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_or_alloc_dev (p_bda);
5023
5024 BTM_TRACE_EVENT ("btm_sec_link_key_request() BDA: %02x:%02x:%02x:%02x:%02x:%02x",
5025 p_bda[0], p_bda[1], p_bda[2], p_bda[3], p_bda[4], p_bda[5]);
5026
5027 if( (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_PIN_REQ) &&
5028 (btm_cb.collision_start_time != 0) &&
5029 (memcmp (btm_cb.p_collided_dev_rec->bd_addr, p_bda, BD_ADDR_LEN) == 0) )
5030 {
5031 BTM_TRACE_EVENT ("btm_sec_link_key_request() rejecting link key req "
5032 "State: %d START_TIMEOUT : %d",
5033 btm_cb.pairing_state, btm_cb.collision_start_time);
5034 btsnd_hcic_link_key_neg_reply (p_bda);
5035 return;
5036 }
5037 if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)
5038 {
5039 btsnd_hcic_link_key_req_reply (p_bda, p_dev_rec->link_key);
5040 return;
5041 }
5042
5043 /* Notify L2CAP to increase timeout */
5044 l2c_pin_code_request (p_bda);
5045
5046 /* The link key is not in the database and it is not known to the manager */
5047 btsnd_hcic_link_key_neg_reply (p_bda);
5048 }
5049
5050 /*******************************************************************************
5051 **
5052 ** Function btm_sec_pairing_timeout
5053 **
5054 ** Description This function is called when host does not provide PIN
5055 ** within requested time
5056 **
5057 ** Returns Pointer to the TLE struct
5058 **
5059 *******************************************************************************/
btm_sec_pairing_timeout(TIMER_LIST_ENT * p_tle)5060 static void btm_sec_pairing_timeout (TIMER_LIST_ENT *p_tle)
5061 {
5062 tBTM_CB *p_cb = &btm_cb;
5063 tBTM_SEC_DEV_REC *p_dev_rec;
5064 #if BTM_OOB_INCLUDED == TRUE
5065 #if (BTM_LOCAL_IO_CAPS == BTM_IO_CAP_NONE)
5066 tBTM_AUTH_REQ auth_req = BTM_AUTH_AP_NO;
5067 #else
5068 tBTM_AUTH_REQ auth_req = BTM_AUTH_AP_YES;
5069 #endif
5070 #endif
5071 UINT8 name[2];
5072 UNUSED(p_tle);
5073
5074 p_cb->pairing_tle.param = 0;
5075 /* Coverity: FALSE-POSITIVE error from Coverity tool. Please do NOT remove following comment. */
5076 /* coverity[UNUSED_VALUE] pointer p_dev_rec is actually used several times... This is a Coverity false-positive, i.e. a fake issue.
5077 */
5078 p_dev_rec = btm_find_dev (p_cb->pairing_bda);
5079
5080 BTM_TRACE_EVENT ("btm_sec_pairing_timeout() State: %s Flags: %u",
5081 btm_pair_state_descr(p_cb->pairing_state), p_cb->pairing_flags);
5082
5083 switch (p_cb->pairing_state)
5084 {
5085 case BTM_PAIR_STATE_WAIT_PIN_REQ:
5086 btm_sec_bond_cancel_complete();
5087 break;
5088
5089 case BTM_PAIR_STATE_WAIT_LOCAL_PIN:
5090 if ( (btm_cb.pairing_flags & BTM_PAIR_FLAGS_PRE_FETCH_PIN) == 0)
5091 btsnd_hcic_pin_code_neg_reply (p_cb->pairing_bda);
5092 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
5093 /* We need to notify the UI that no longer need the PIN */
5094 if (btm_cb.api.p_auth_complete_callback)
5095 {
5096 if (p_dev_rec == NULL)
5097 {
5098 name[0] = 0;
5099 (*btm_cb.api.p_auth_complete_callback) (p_cb->pairing_bda,
5100 NULL,
5101 name, HCI_ERR_CONNECTION_TOUT);
5102 }
5103 else
5104 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
5105 p_dev_rec->dev_class,
5106 p_dev_rec->sec_bd_name, HCI_ERR_CONNECTION_TOUT);
5107 }
5108 break;
5109
5110 case BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM:
5111 btsnd_hcic_user_conf_reply (p_cb->pairing_bda, FALSE);
5112 /* btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); */
5113 break;
5114
5115 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
5116 case BTM_PAIR_STATE_KEY_ENTRY:
5117 btsnd_hcic_user_passkey_neg_reply(p_cb->pairing_bda);
5118 /* btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); */
5119 break;
5120 #endif /* !BTM_IO_CAP_NONE */
5121
5122 #if BTM_OOB_INCLUDED == TRUE
5123 case BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS:
5124 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
5125 auth_req |= BTM_AUTH_DD_BOND;
5126
5127 btsnd_hcic_io_cap_req_reply (p_cb->pairing_bda, btm_cb.devcb.loc_io_caps,
5128 BTM_OOB_NONE, auth_req);
5129 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
5130 break;
5131
5132 case BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP:
5133 btsnd_hcic_rem_oob_neg_reply (p_cb->pairing_bda);
5134 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
5135 break;
5136 #endif /* BTM_OOB_INCLUDED */
5137
5138 case BTM_PAIR_STATE_WAIT_DISCONNECT:
5139 /* simple pairing failed. Started a 1-sec timer at simple pairing complete.
5140 * now it's time to tear down the ACL link*/
5141 if (p_dev_rec == NULL)
5142 {
5143 BTM_TRACE_ERROR ("btm_sec_pairing_timeout() BTM_PAIR_STATE_WAIT_DISCONNECT unknown BDA: %08x%04x",
5144 (p_cb->pairing_bda[0]<<24) + (p_cb->pairing_bda[1]<<16) + (p_cb->pairing_bda[2]<<8) + p_cb->pairing_bda[3],
5145 (p_cb->pairing_bda[4] << 8) + p_cb->pairing_bda[5]);
5146 break;
5147 }
5148 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE, p_dev_rec->hci_handle);
5149 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
5150 break;
5151
5152 case BTM_PAIR_STATE_WAIT_AUTH_COMPLETE:
5153 case BTM_PAIR_STATE_GET_REM_NAME:
5154 /* We need to notify the UI that timeout has happened while waiting for authentication*/
5155 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
5156 if (btm_cb.api.p_auth_complete_callback)
5157 {
5158 if (p_dev_rec == NULL)
5159 {
5160 name[0] = 0;
5161 (*btm_cb.api.p_auth_complete_callback) (p_cb->pairing_bda,
5162 NULL,
5163 name, HCI_ERR_CONNECTION_TOUT);
5164 }
5165 else
5166 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
5167 p_dev_rec->dev_class,
5168 p_dev_rec->sec_bd_name, HCI_ERR_CONNECTION_TOUT);
5169 }
5170 break;
5171
5172 default:
5173 BTM_TRACE_WARNING ("btm_sec_pairing_timeout() not processed state: %s", btm_pair_state_descr(btm_cb.pairing_state));
5174 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
5175 break;
5176 }
5177 }
5178
5179 /*******************************************************************************
5180 **
5181 ** Function btm_sec_pin_code_request
5182 **
5183 ** Description This function is called when controller requests PIN code
5184 **
5185 ** Returns Pointer to the record or NULL
5186 **
5187 *******************************************************************************/
btm_sec_pin_code_request(UINT8 * p_bda)5188 void btm_sec_pin_code_request (UINT8 *p_bda)
5189 {
5190 tBTM_SEC_DEV_REC *p_dev_rec;
5191 tBTM_CB *p_cb = &btm_cb;
5192
5193 #ifdef PORCHE_PAIRING_CONFLICT
5194 UINT8 default_pin_code_len = 4;
5195 PIN_CODE default_pin_code = {0x30, 0x30, 0x30, 0x30};
5196 #endif
5197 BTM_TRACE_EVENT ("btm_sec_pin_code_request() State: %s, BDA:%04x%08x",
5198 btm_pair_state_descr(btm_cb.pairing_state),
5199 (p_bda[0]<<8)+p_bda[1], (p_bda[2]<<24)+(p_bda[3]<<16)+(p_bda[4]<<8)+p_bda[5] );
5200
5201 if (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
5202 {
5203 if ( (memcmp (p_bda, btm_cb.pairing_bda, BD_ADDR_LEN) == 0) &&
5204 (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_AUTH_COMPLETE) )
5205 {
5206 /* fake this out - porshe carkit issue - */
5207 // btm_cb.pairing_state = BTM_PAIR_STATE_IDLE;
5208 if(! btm_cb.pin_code_len_saved)
5209 {
5210 btsnd_hcic_pin_code_neg_reply (p_bda);
5211 return;
5212 }
5213 else
5214 {
5215 btsnd_hcic_pin_code_req_reply (p_bda, btm_cb.pin_code_len_saved, p_cb->pin_code);
5216 return;
5217 }
5218 }
5219 else if ((btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_PIN_REQ)
5220 || memcmp (p_bda, btm_cb.pairing_bda, BD_ADDR_LEN) != 0)
5221 {
5222 BTM_TRACE_WARNING ("btm_sec_pin_code_request() rejected - state: %s",
5223 btm_pair_state_descr(btm_cb.pairing_state));
5224
5225 #ifdef PORCHE_PAIRING_CONFLICT
5226 /* reply pin code again due to counter in_rand when local initiates pairing */
5227 BTM_TRACE_EVENT ("btm_sec_pin_code_request from remote dev. for local initiated pairing");
5228 if(! btm_cb.pin_code_len_saved)
5229 {
5230 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
5231 btsnd_hcic_pin_code_req_reply (p_bda, default_pin_code_len, default_pin_code);
5232 }
5233 else
5234 {
5235 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
5236 btsnd_hcic_pin_code_req_reply (p_bda, btm_cb.pin_code_len_saved, p_cb->pin_code);
5237 }
5238 #else
5239 btsnd_hcic_pin_code_neg_reply (p_bda);
5240 #endif
5241 return;
5242 }
5243 }
5244
5245 p_dev_rec = btm_find_or_alloc_dev (p_bda);
5246 /* received PIN code request. must be non-sm4 */
5247 p_dev_rec->sm4 = BTM_SM4_KNOWN;
5248
5249 if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
5250 {
5251 memcpy (btm_cb.pairing_bda, p_bda, BD_ADDR_LEN);
5252
5253 btm_cb.pairing_flags = BTM_PAIR_FLAGS_PEER_STARTED_DD;
5254 /* Make sure we reset the trusted mask to help against attacks */
5255 BTM_SEC_CLR_TRUSTED_DEVICE(p_dev_rec->trusted_mask);
5256 }
5257
5258 if (!p_cb->pairing_disabled && (p_cb->cfg.pin_type == HCI_PIN_TYPE_FIXED))
5259 {
5260 BTM_TRACE_EVENT ("btm_sec_pin_code_request fixed pin replying");
5261 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
5262 btsnd_hcic_pin_code_req_reply (p_bda, p_cb->cfg.pin_code_len, p_cb->cfg.pin_code);
5263 return;
5264 }
5265
5266 /* Use the connecting device's CoD for the connection */
5267 if ( (!memcmp (p_bda, p_cb->connecting_bda, BD_ADDR_LEN))
5268 && (p_cb->connecting_dc[0] || p_cb->connecting_dc[1] || p_cb->connecting_dc[2]) )
5269 memcpy (p_dev_rec->dev_class, p_cb->connecting_dc, DEV_CLASS_LEN);
5270
5271 /* We could have started connection after asking user for the PIN code */
5272 if (btm_cb.pin_code_len != 0)
5273 {
5274 BTM_TRACE_EVENT ("btm_sec_pin_code_request bonding sending reply");
5275 btsnd_hcic_pin_code_req_reply (p_bda, btm_cb.pin_code_len, p_cb->pin_code);
5276
5277 #ifdef PORCHE_PAIRING_CONFLICT
5278 btm_cb.pin_code_len_saved = btm_cb.pin_code_len;
5279 #endif
5280
5281 /* Mark that we forwarded received from the user PIN code */
5282 btm_cb.pin_code_len = 0;
5283
5284 /* We can change mode back right away, that other connection being established */
5285 /* is not forced to be secure - found a FW issue, so we can not do this
5286 btm_restore_mode(); */
5287
5288 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
5289 }
5290
5291 /* If pairing disabled OR (no PIN callback and not bonding) */
5292 /* OR we could not allocate entry in the database reject pairing request */
5293 else if (p_cb->pairing_disabled
5294 || (p_cb->api.p_pin_callback == NULL)
5295
5296 /* OR Microsoft keyboard can for some reason try to establish connection */
5297 /* the only thing we can do here is to shut it up. Normally we will be originator */
5298 /* for keyboard bonding */
5299 || (!p_dev_rec->is_originator
5300 && ((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) == BTM_COD_MAJOR_PERIPHERAL)
5301 && (p_dev_rec->dev_class[2] & BTM_COD_MINOR_KEYBOARD)) )
5302 {
5303 BTM_TRACE_WARNING("btm_sec_pin_code_request(): Pairing disabled:%d; PIN callback:%x, Dev Rec:%x!",
5304 p_cb->pairing_disabled, p_cb->api.p_pin_callback, p_dev_rec);
5305
5306 btsnd_hcic_pin_code_neg_reply (p_bda);
5307 }
5308 /* Notify upper layer of PIN request and start expiration timer */
5309 else
5310 {
5311 btm_cb.pin_code_len_saved = 0;
5312 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_PIN);
5313 /* Pin code request can not come at the same time as connection request */
5314 memcpy (p_cb->connecting_bda, p_bda, BD_ADDR_LEN);
5315 memcpy (p_cb->connecting_dc, p_dev_rec->dev_class, DEV_CLASS_LEN);
5316
5317 /* Check if the name is known */
5318 /* Even if name is not known we might not be able to get one */
5319 /* this is the case when we are already getting something from the */
5320 /* device, so HCI level is flow controlled */
5321 /* Also cannot send remote name request while paging, i.e. connection is not completed */
5322 if (p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
5323 {
5324 BTM_TRACE_EVENT ("btm_sec_pin_code_request going for callback");
5325
5326 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
5327 if (p_cb->api.p_pin_callback) {
5328 (*p_cb->api.p_pin_callback) (p_bda, p_dev_rec->dev_class, p_dev_rec->sec_bd_name,
5329 (p_dev_rec->p_cur_service == NULL) ? FALSE
5330 : (p_dev_rec->p_cur_service->security_flags
5331 & BTM_SEC_IN_MIN_16_DIGIT_PIN));
5332 }
5333 }
5334 else
5335 {
5336 BTM_TRACE_EVENT ("btm_sec_pin_code_request going for remote name");
5337
5338 /* We received PIN code request for the device with unknown name */
5339 /* it is not user friendly just to ask for the PIN without name */
5340 /* try to get name at first */
5341 if (!btsnd_hcic_rmt_name_req (p_dev_rec->bd_addr,
5342 HCI_PAGE_SCAN_REP_MODE_R1,
5343 HCI_MANDATARY_PAGE_SCAN_MODE, 0))
5344 {
5345 p_dev_rec->sec_flags |= BTM_SEC_NAME_KNOWN;
5346 p_dev_rec->sec_bd_name[0] = 'f';
5347 p_dev_rec->sec_bd_name[1] = '0';
5348 BTM_TRACE_ERROR ("can not send rmt_name_req?? fake a name and call callback");
5349
5350 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
5351 if (p_cb->api.p_pin_callback)
5352 (*p_cb->api.p_pin_callback) (p_bda, p_dev_rec->dev_class,
5353 p_dev_rec->sec_bd_name, (p_dev_rec->p_cur_service == NULL) ? FALSE
5354 : (p_dev_rec->p_cur_service->security_flags
5355 & BTM_SEC_IN_MIN_16_DIGIT_PIN));
5356 }
5357 }
5358 }
5359
5360 return;
5361 }
5362
5363 /*******************************************************************************
5364 **
5365 ** Function btm_sec_update_clock_offset
5366 **
5367 ** Description This function is called to update clock offset
5368 **
5369 ** Returns void
5370 **
5371 *******************************************************************************/
btm_sec_update_clock_offset(UINT16 handle,UINT16 clock_offset)5372 void btm_sec_update_clock_offset (UINT16 handle, UINT16 clock_offset)
5373 {
5374 tBTM_SEC_DEV_REC *p_dev_rec;
5375 tBTM_INQ_INFO *p_inq_info;
5376
5377 if ((p_dev_rec = btm_find_dev_by_handle (handle)) == NULL)
5378 return;
5379
5380 p_dev_rec->clock_offset = clock_offset | BTM_CLOCK_OFFSET_VALID;
5381
5382 if ((p_inq_info = BTM_InqDbRead(p_dev_rec->bd_addr)) == NULL)
5383 return;
5384
5385 p_inq_info->results.clock_offset = clock_offset | BTM_CLOCK_OFFSET_VALID;
5386 }
5387
5388
5389 /******************************************************************
5390 ** S T A T I C F U N C T I O N S
5391 *******************************************************************/
5392
5393 /*******************************************************************************
5394 **
5395 ** Function btm_sec_execute_procedure
5396 **
5397 ** Description This function is called to start required security
5398 ** procedure. There is a case when multiplexing protocol
5399 ** calls this function on the originating side, connection to
5400 ** the peer will not be established. This function in this
5401 ** case performs only authorization.
5402 **
5403 ** Returns BTM_SUCCESS - permission is granted
5404 ** BTM_CMD_STARTED - in process
5405 ** BTM_NO_RESOURCES - permission declined
5406 **
5407 *******************************************************************************/
btm_sec_execute_procedure(tBTM_SEC_DEV_REC * p_dev_rec)5408 static tBTM_STATUS btm_sec_execute_procedure (tBTM_SEC_DEV_REC *p_dev_rec)
5409 {
5410 BTM_TRACE_EVENT ("btm_sec_execute_procedure: Required:0x%x Flags:0x%x State:%d",
5411 p_dev_rec->security_required, p_dev_rec->sec_flags, p_dev_rec->sec_state);
5412
5413 /* There is a chance that we are getting name. Wait until done. */
5414 if (p_dev_rec->sec_state != 0)
5415 return(BTM_CMD_STARTED);
5416
5417 /* If any security is required, get the name first */
5418 if (!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
5419 && (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE))
5420 {
5421 BTM_TRACE_EVENT ("Security Manager: Start get name");
5422 if (!btm_sec_start_get_name (p_dev_rec))
5423 {
5424 return(BTM_NO_RESOURCES);
5425 }
5426 return(BTM_CMD_STARTED);
5427 }
5428
5429 /* If connection is not authenticated and authentication is required */
5430 /* start authentication and return PENDING to the caller */
5431 if ((((!(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))
5432 && (( p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE))
5433 || (!p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_IN_AUTHENTICATE))))
5434 || (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED)
5435 && (!p_dev_rec->is_originator
5436 && (p_dev_rec->security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN))))
5437 && (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE))
5438 {
5439 /*
5440 * We rely on BTM_SEC_16_DIGIT_PIN_AUTHED being set if MITM is in use,
5441 * as 16 DIGIT is only needed if MITM is not used. Unfortunately, the
5442 * BTM_SEC_AUTHENTICATED is used for both MITM and non-MITM
5443 * authenticated connections, hence we cannot distinguish here.
5444 */
5445
5446 #if (L2CAP_UCD_INCLUDED == TRUE)
5447 /* if incoming UCD packet, discard it */
5448 if ( !p_dev_rec->is_originator && (p_dev_rec->is_ucd == TRUE ))
5449 return(BTM_FAILED_ON_SECURITY);
5450 #endif
5451
5452 BTM_TRACE_EVENT ("Security Manager: Start authentication");
5453
5454 /*
5455 * If we do have a link-key, but we end up here because we need an
5456 * upgrade, then clear the link-key known and authenticated flag before
5457 * restarting authentication.
5458 * WARNING: If the controller has link-key, it is optional and
5459 * recommended for the controller to send a Link_Key_Request.
5460 * In case we need an upgrade, the only alternative would be to delete
5461 * the existing link-key. That could lead to very bad user experience
5462 * or even IOP issues, if a reconnect causes a new connection that
5463 * requires an upgrade.
5464 */
5465 if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)
5466 && (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED)
5467 && (!p_dev_rec->is_originator && (p_dev_rec->security_required
5468 & BTM_SEC_IN_MIN_16_DIGIT_PIN)))) {
5469 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED
5470 | BTM_SEC_AUTHENTICATED);
5471 }
5472
5473 if (!btm_sec_start_authentication (p_dev_rec))
5474 {
5475 return(BTM_NO_RESOURCES);
5476 }
5477 return(BTM_CMD_STARTED);
5478 }
5479
5480 /* If connection is not encrypted and encryption is required */
5481 /* start encryption and return PENDING to the caller */
5482 if (!(p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)
5483 && (( p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_OUT_ENCRYPT))
5484 || (!p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_IN_ENCRYPT)))
5485 && (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE))
5486 {
5487 #if (L2CAP_UCD_INCLUDED == TRUE)
5488 /* if incoming UCD packet, discard it */
5489 if ( !p_dev_rec->is_originator && (p_dev_rec->is_ucd == TRUE ))
5490 return(BTM_FAILED_ON_SECURITY);
5491 #endif
5492
5493 BTM_TRACE_EVENT ("Security Manager: Start encryption");
5494
5495 if (!btm_sec_start_encryption (p_dev_rec))
5496 {
5497 return(BTM_NO_RESOURCES);
5498 }
5499 return(BTM_CMD_STARTED);
5500 }
5501
5502 if ((p_dev_rec->security_required & BTM_SEC_MODE4_LEVEL4) &&
5503 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256))
5504 {
5505 BTM_TRACE_EVENT("%s: Security Manager: SC only service, but link key type is 0x%02x -",
5506 "security failure", __FUNCTION__, p_dev_rec->link_key_type);
5507 return (BTM_FAILED_ON_SECURITY);
5508 }
5509
5510 /* If connection is not authorized and authorization is required */
5511 /* start authorization and return PENDING to the caller */
5512 if (!(p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED)
5513 && (( p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_OUT_AUTHORIZE))
5514 || (!p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_IN_AUTHORIZE))))
5515 {
5516 BTM_TRACE_EVENT ("service id:%d, is trusted:%d",
5517 p_dev_rec->p_cur_service->service_id,
5518 (BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask,
5519 p_dev_rec->p_cur_service->service_id)));
5520 if ((btm_sec_are_all_trusted(p_dev_rec->trusted_mask) == FALSE) &&
5521 (p_dev_rec->p_cur_service->service_id < BTM_SEC_MAX_SERVICES) &&
5522 (BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask,
5523 p_dev_rec->p_cur_service->service_id) == FALSE))
5524 {
5525 BTM_TRACE_EVENT ("Security Manager: Start authorization");
5526 return(btm_sec_start_authorization (p_dev_rec));
5527 }
5528 }
5529
5530 /* All required security procedures already established */
5531 p_dev_rec->security_required &= ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_IN_AUTHORIZE |
5532 BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_IN_AUTHENTICATE |
5533 BTM_SEC_OUT_ENCRYPT | BTM_SEC_IN_ENCRYPT |
5534 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER |
5535 BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
5536
5537 BTM_TRACE_EVENT ("Security Manager: trusted:0x%04x%04x", p_dev_rec->trusted_mask[1], p_dev_rec->trusted_mask[0]);
5538 BTM_TRACE_EVENT ("Security Manager: access granted");
5539
5540 return(BTM_SUCCESS);
5541 }
5542
5543
5544 /*******************************************************************************
5545 **
5546 ** Function btm_sec_start_get_name
5547 **
5548 ** Description This function is called to start get name procedure
5549 **
5550 ** Returns TRUE if started
5551 **
5552 *******************************************************************************/
btm_sec_start_get_name(tBTM_SEC_DEV_REC * p_dev_rec)5553 static BOOLEAN btm_sec_start_get_name (tBTM_SEC_DEV_REC *p_dev_rec)
5554 {
5555 UINT8 tempstate = p_dev_rec->sec_state;
5556
5557 p_dev_rec->sec_state = BTM_SEC_STATE_GETTING_NAME;
5558
5559 /* Device should be connected, no need to provide correct page params */
5560 /* 0 and NULL are as timeout and callback params because they are not used in security get name case */
5561 if ((btm_initiate_rem_name (p_dev_rec->bd_addr, NULL, BTM_RMT_NAME_SEC,
5562 0, NULL)) != BTM_CMD_STARTED)
5563 {
5564 p_dev_rec->sec_state = tempstate;
5565 return(FALSE);
5566 }
5567
5568 return(TRUE);
5569 }
5570
5571 /*******************************************************************************
5572 **
5573 ** Function btm_sec_start_authentication
5574 **
5575 ** Description This function is called to start authentication
5576 **
5577 ** Returns TRUE if started
5578 **
5579 *******************************************************************************/
btm_sec_start_authentication(tBTM_SEC_DEV_REC * p_dev_rec)5580 static BOOLEAN btm_sec_start_authentication (tBTM_SEC_DEV_REC *p_dev_rec)
5581 {
5582 p_dev_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING;
5583
5584 return(btsnd_hcic_auth_request (p_dev_rec->hci_handle));
5585 }
5586
5587 /*******************************************************************************
5588 **
5589 ** Function btm_sec_start_encryption
5590 **
5591 ** Description This function is called to start encryption
5592 **
5593 ** Returns TRUE if started
5594 **
5595 *******************************************************************************/
btm_sec_start_encryption(tBTM_SEC_DEV_REC * p_dev_rec)5596 static BOOLEAN btm_sec_start_encryption (tBTM_SEC_DEV_REC *p_dev_rec)
5597 {
5598 if (!btsnd_hcic_set_conn_encrypt (p_dev_rec->hci_handle, TRUE))
5599 return(FALSE);
5600
5601 p_dev_rec->sec_state = BTM_SEC_STATE_ENCRYPTING;
5602 return(TRUE);
5603 }
5604
5605
5606 /*******************************************************************************
5607 **
5608 ** Function btm_sec_start_authorization
5609 **
5610 ** Description This function is called to start authorization
5611 **
5612 ** Returns TRUE if started
5613 **
5614 *******************************************************************************/
btm_sec_start_authorization(tBTM_SEC_DEV_REC * p_dev_rec)5615 static UINT8 btm_sec_start_authorization (tBTM_SEC_DEV_REC *p_dev_rec)
5616 {
5617 UINT8 result;
5618 UINT8 *p_service_name = NULL;
5619 UINT8 service_id;
5620
5621 if ((p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
5622 || (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE))
5623 {
5624 if (!btm_cb.api.p_authorize_callback)
5625 return(BTM_MODE_UNSUPPORTED);
5626
5627 if (p_dev_rec->p_cur_service)
5628 {
5629 #if BTM_SEC_SERVICE_NAME_LEN > 0
5630 if (p_dev_rec->is_originator)
5631 p_service_name = p_dev_rec->p_cur_service->orig_service_name;
5632 else
5633 p_service_name = p_dev_rec->p_cur_service->term_service_name;
5634 #endif
5635 service_id = p_dev_rec->p_cur_service->service_id;
5636 }
5637 else
5638 service_id = 0;
5639
5640 /* Send authorization request if not already sent during this service connection */
5641 if (p_dev_rec->last_author_service_id == BTM_SEC_NO_LAST_SERVICE_ID
5642 || p_dev_rec->last_author_service_id != service_id)
5643 {
5644 p_dev_rec->sec_state = BTM_SEC_STATE_AUTHORIZING;
5645 result = (*btm_cb.api.p_authorize_callback) (p_dev_rec->bd_addr,
5646 p_dev_rec->dev_class,
5647 p_dev_rec->sec_bd_name,
5648 p_service_name,
5649 service_id,
5650 p_dev_rec->is_originator);
5651 }
5652
5653 else /* Already authorized once for this L2CAP bringup */
5654 {
5655 BTM_TRACE_DEBUG ("btm_sec_start_authorization: (Ignoring extra Authorization prompt for service %d)", service_id);
5656 return (BTM_SUCCESS);
5657 }
5658
5659 if (result == BTM_SUCCESS)
5660 {
5661 p_dev_rec->sec_flags |= BTM_SEC_AUTHORIZED;
5662
5663 /* Save the currently authorized service in case we are asked again by another multiplexer layer */
5664 if (!p_dev_rec->is_originator)
5665 p_dev_rec->last_author_service_id = service_id;
5666
5667 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
5668 }
5669 return(result);
5670 }
5671 btm_sec_start_get_name (p_dev_rec);
5672 return(BTM_CMD_STARTED);
5673 }
5674
5675 /*******************************************************************************
5676 **
5677 ** Function btm_sec_are_all_trusted
5678 **
5679 ** Description This function is called check if all services are trusted
5680 **
5681 ** Returns TRUE if all are trusted, otherwise FALSE
5682 **
5683 *******************************************************************************/
btm_sec_are_all_trusted(UINT32 p_mask[])5684 BOOLEAN btm_sec_are_all_trusted(UINT32 p_mask[])
5685 {
5686 UINT32 trusted_inx;
5687 for (trusted_inx = 0; trusted_inx < BTM_SEC_SERVICE_ARRAY_SIZE; trusted_inx++)
5688 {
5689 if (p_mask[trusted_inx] != BTM_SEC_TRUST_ALL)
5690 return(FALSE);
5691 }
5692
5693 return(TRUE);
5694 }
5695
5696 /*******************************************************************************
5697 **
5698 ** Function btm_sec_find_first_serv
5699 **
5700 ** Description Look for the first record in the service database
5701 ** with specified PSM
5702 **
5703 ** Returns Pointer to the record or NULL
5704 **
5705 *******************************************************************************/
btm_sec_find_first_serv(CONNECTION_TYPE conn_type,UINT16 psm)5706 static tBTM_SEC_SERV_REC *btm_sec_find_first_serv (CONNECTION_TYPE conn_type, UINT16 psm)
5707 {
5708 tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0];
5709 int i;
5710 BOOLEAN is_originator;
5711
5712 #if (L2CAP_UCD_INCLUDED == TRUE)
5713
5714 if ( conn_type & CONNECTION_TYPE_ORIG_MASK )
5715 is_originator = TRUE;
5716 else
5717 is_originator = FALSE;
5718 #else
5719 is_originator = conn_type;
5720 #endif
5721
5722 if (is_originator && btm_cb.p_out_serv && btm_cb.p_out_serv->psm == psm)
5723 {
5724 /* If this is outgoing connection and the PSM matches p_out_serv,
5725 * use it as the current service */
5726 return btm_cb.p_out_serv;
5727 }
5728
5729 /* otherwise, just find the first record with the specified PSM */
5730 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++)
5731 {
5732 if ( (p_serv_rec->security_flags & BTM_SEC_IN_USE) && (p_serv_rec->psm == psm) )
5733 return(p_serv_rec);
5734 }
5735 return(NULL);
5736 }
5737
5738
5739 /*******************************************************************************
5740 **
5741 ** Function btm_sec_find_next_serv
5742 **
5743 ** Description Look for the next record in the service database
5744 ** with specified PSM
5745 **
5746 ** Returns Pointer to the record or NULL
5747 **
5748 *******************************************************************************/
btm_sec_find_next_serv(tBTM_SEC_SERV_REC * p_cur)5749 static tBTM_SEC_SERV_REC *btm_sec_find_next_serv (tBTM_SEC_SERV_REC *p_cur)
5750 {
5751 tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0];
5752 int i;
5753
5754 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++)
5755 {
5756 if ((p_serv_rec->security_flags & BTM_SEC_IN_USE)
5757 && (p_serv_rec->psm == p_cur->psm) )
5758 {
5759 if (p_cur != p_serv_rec)
5760 {
5761 return(p_serv_rec);
5762 }
5763 }
5764 }
5765 return(NULL);
5766 }
5767
5768
5769 /*******************************************************************************
5770 **
5771 ** Function btm_sec_find_mx_serv
5772 **
5773 ** Description Look for the record in the service database with specified
5774 ** PSM and multiplexor channel information
5775 **
5776 ** Returns Pointer to the record or NULL
5777 **
5778 *******************************************************************************/
btm_sec_find_mx_serv(UINT8 is_originator,UINT16 psm,UINT32 mx_proto_id,UINT32 mx_chan_id)5779 static tBTM_SEC_SERV_REC *btm_sec_find_mx_serv (UINT8 is_originator, UINT16 psm,
5780 UINT32 mx_proto_id, UINT32 mx_chan_id)
5781 {
5782 tBTM_SEC_SERV_REC *p_out_serv = btm_cb.p_out_serv;
5783 tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0];
5784 int i;
5785
5786 BTM_TRACE_DEBUG ("%s()", __func__);
5787 if (is_originator && p_out_serv && p_out_serv->psm == psm
5788 && p_out_serv->mx_proto_id == mx_proto_id
5789 && p_out_serv->orig_mx_chan_id == mx_chan_id)
5790 {
5791 /* If this is outgoing connection and the parameters match p_out_serv,
5792 * use it as the current service */
5793 return btm_cb.p_out_serv;
5794 }
5795
5796 /* otherwise, the old way */
5797 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++)
5798 {
5799 if ((p_serv_rec->security_flags & BTM_SEC_IN_USE)
5800 && (p_serv_rec->psm == psm)
5801 && (p_serv_rec->mx_proto_id == mx_proto_id)
5802 && (( is_originator && (p_serv_rec->orig_mx_chan_id == mx_chan_id))
5803 || (!is_originator && (p_serv_rec->term_mx_chan_id == mx_chan_id))))
5804 {
5805 return(p_serv_rec);
5806 }
5807 }
5808 return(NULL);
5809 }
5810
5811
5812 /*******************************************************************************
5813 **
5814 ** Function btm_sec_collision_timeout
5815 **
5816 ** Description Encryption could not start because of the collision
5817 ** try to do it again
5818 **
5819 ** Returns Pointer to the TLE struct
5820 **
5821 *******************************************************************************/
btm_sec_collision_timeout(TIMER_LIST_ENT * p_tle)5822 static void btm_sec_collision_timeout (TIMER_LIST_ENT *p_tle)
5823 {
5824 UNUSED(p_tle);
5825
5826 BTM_TRACE_EVENT ("%s()", __func__);
5827 btm_cb.sec_collision_tle.param = 0;
5828
5829 tBTM_STATUS status = btm_sec_execute_procedure (btm_cb.p_collided_dev_rec);
5830
5831 /* If result is pending reply from the user or from the device is pending */
5832 if (status != BTM_CMD_STARTED)
5833 {
5834 /* There is no next procedure or start of procedure failed, notify the waiting layer */
5835 btm_sec_dev_rec_cback_event (btm_cb.p_collided_dev_rec, status, FALSE);
5836 }
5837 }
5838
5839 /*******************************************************************************
5840 **
5841 ** Function btm_sec_link_key_request
5842 **
5843 ** Description This function is called when controller requests link key
5844 **
5845 ** Returns Pointer to the record or NULL
5846 **
5847 *******************************************************************************/
btm_send_link_key_notif(tBTM_SEC_DEV_REC * p_dev_rec)5848 static void btm_send_link_key_notif (tBTM_SEC_DEV_REC *p_dev_rec)
5849 {
5850 if (btm_cb.api.p_link_key_callback)
5851 (*btm_cb.api.p_link_key_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
5852 p_dev_rec->sec_bd_name, p_dev_rec->link_key,
5853 p_dev_rec->link_key_type);
5854 }
5855
5856 /*******************************************************************************
5857 **
5858 ** Function BTM_ReadTrustedMask
5859 **
5860 ** Description Get trusted mask for the peer device
5861 **
5862 ** Parameters: bd_addr - Address of the device
5863 **
5864 ** Returns NULL, if the device record is not found.
5865 ** otherwise, the trusted mask
5866 **
5867 *******************************************************************************/
BTM_ReadTrustedMask(BD_ADDR bd_addr)5868 UINT32 * BTM_ReadTrustedMask (BD_ADDR bd_addr)
5869 {
5870 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr);
5871 if (p_dev_rec != NULL)
5872 return(p_dev_rec->trusted_mask);
5873 return NULL;
5874 }
5875
5876 /*******************************************************************************
5877 **
5878 ** Function btm_restore_mode
5879 **
5880 ** Description This function returns the security mode to previous setting
5881 ** if it was changed during bonding.
5882 **
5883 **
5884 ** Parameters: void
5885 **
5886 *******************************************************************************/
btm_restore_mode(void)5887 static void btm_restore_mode(void)
5888 {
5889 if (btm_cb.security_mode_changed)
5890 {
5891 btm_cb.security_mode_changed = FALSE;
5892 BTM_TRACE_DEBUG("%s() Auth enable -> %d", __func__, (btm_cb.security_mode == BTM_SEC_MODE_LINK));
5893 btsnd_hcic_write_auth_enable ((UINT8)(btm_cb.security_mode == BTM_SEC_MODE_LINK));
5894 }
5895
5896 if (btm_cb.pin_type_changed)
5897 {
5898 btm_cb.pin_type_changed = FALSE;
5899 btsnd_hcic_write_pin_type (btm_cb.cfg.pin_type);
5900 }
5901 }
5902
5903
5904 /*******************************************************************************
5905 **
5906 ** Function btm_sec_find_dev_by_sec_state
5907 **
5908 ** Description Look for the record in the device database for the device
5909 ** which is being authenticated or encrypted
5910 **
5911 ** Returns Pointer to the record or NULL
5912 **
5913 *******************************************************************************/
btm_sec_find_dev_by_sec_state(UINT8 state)5914 tBTM_SEC_DEV_REC *btm_sec_find_dev_by_sec_state (UINT8 state)
5915 {
5916 tBTM_SEC_DEV_REC *p_dev_rec = &btm_cb.sec_dev_rec[0];
5917
5918 for (int i = 0; i < BTM_SEC_MAX_DEVICE_RECORDS; i++, p_dev_rec++)
5919 {
5920 if ((p_dev_rec->sec_flags & BTM_SEC_IN_USE)
5921 && (p_dev_rec->sec_state == state))
5922 return(p_dev_rec);
5923 }
5924 return(NULL);
5925 }
5926
5927 /*******************************************************************************
5928 **
5929 ** Function btm_sec_change_pairing_state
5930 **
5931 ** Description This function is called to change pairing state
5932 **
5933 *******************************************************************************/
btm_sec_change_pairing_state(tBTM_PAIRING_STATE new_state)5934 static void btm_sec_change_pairing_state (tBTM_PAIRING_STATE new_state)
5935 {
5936 tBTM_PAIRING_STATE old_state = btm_cb.pairing_state;
5937
5938 BTM_TRACE_EVENT ("%s() Old: %s", __func__, btm_pair_state_descr(btm_cb.pairing_state));
5939 BTM_TRACE_EVENT ("%s() New: %s pairing_flags:0x%x", __func__,
5940 btm_pair_state_descr(new_state), btm_cb.pairing_flags);
5941
5942 btm_cb.pairing_state = new_state;
5943
5944 if (new_state == BTM_PAIR_STATE_IDLE)
5945 {
5946 btu_stop_timer (&btm_cb.pairing_tle);
5947
5948 btm_cb.pairing_flags = 0;
5949 btm_cb.pin_code_len = 0;
5950
5951 /* Make sure the the lcb shows we are not bonding */
5952 l2cu_update_lcb_4_bonding (btm_cb.pairing_bda, FALSE);
5953
5954 btm_restore_mode();
5955 btm_sec_check_pending_reqs();
5956 btm_inq_clear_ssp();
5957
5958 memset (btm_cb.pairing_bda, 0xFF, BD_ADDR_LEN);
5959 }
5960 else
5961 {
5962 /* If transitionng out of idle, mark the lcb as bonding */
5963 if (old_state == BTM_PAIR_STATE_IDLE)
5964 l2cu_update_lcb_4_bonding (btm_cb.pairing_bda, TRUE);
5965
5966 btm_cb.pairing_tle.param = (TIMER_PARAM_TYPE)btm_sec_pairing_timeout;
5967
5968 btu_start_timer (&btm_cb.pairing_tle, BTU_TTYPE_USER_FUNC, BTM_SEC_TIMEOUT_VALUE);
5969 }
5970 }
5971
5972
5973 /*******************************************************************************
5974 **
5975 ** Function btm_pair_state_descr
5976 **
5977 ** Description Return state description for tracing
5978 **
5979 *******************************************************************************/
5980 #if (BT_USE_TRACES == TRUE)
btm_pair_state_descr(tBTM_PAIRING_STATE state)5981 static char *btm_pair_state_descr (tBTM_PAIRING_STATE state)
5982 {
5983 #if (BT_TRACE_VERBOSE == TRUE)
5984 switch (state)
5985 {
5986 case BTM_PAIR_STATE_IDLE: return("IDLE");
5987 case BTM_PAIR_STATE_GET_REM_NAME: return("GET_REM_NAME");
5988 case BTM_PAIR_STATE_WAIT_PIN_REQ: return("WAIT_PIN_REQ");
5989 case BTM_PAIR_STATE_WAIT_LOCAL_PIN: return("WAIT_LOCAL_PIN");
5990 case BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM: return("WAIT_NUM_CONFIRM");
5991 case BTM_PAIR_STATE_KEY_ENTRY: return("KEY_ENTRY");
5992 case BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP: return("WAIT_LOCAL_OOB_RSP");
5993 case BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS: return("WAIT_LOCAL_IOCAPS");
5994 case BTM_PAIR_STATE_INCOMING_SSP: return("INCOMING_SSP");
5995 case BTM_PAIR_STATE_WAIT_AUTH_COMPLETE: return("WAIT_AUTH_COMPLETE");
5996 case BTM_PAIR_STATE_WAIT_DISCONNECT: return("WAIT_DISCONNECT");
5997 }
5998
5999 return("???");
6000 #else
6001 sprintf(btm_cb.state_temp_buffer,"%hhu",state);
6002
6003 return(btm_cb.state_temp_buffer);
6004 #endif
6005 }
6006 #endif
6007
6008 /*******************************************************************************
6009 **
6010 ** Function btm_sec_dev_rec_cback_event
6011 **
6012 ** Description This function calls the callback function with the given
6013 ** result and clear the callback function.
6014 **
6015 ** Parameters: void
6016 **
6017 *******************************************************************************/
btm_sec_dev_rec_cback_event(tBTM_SEC_DEV_REC * p_dev_rec,UINT8 res,BOOLEAN is_le_transport)6018 void btm_sec_dev_rec_cback_event (tBTM_SEC_DEV_REC *p_dev_rec, UINT8 res, BOOLEAN is_le_transport)
6019 {
6020 tBTM_SEC_CALLBACK *p_callback = p_dev_rec->p_callback;
6021
6022 if (p_dev_rec->p_callback)
6023 {
6024 p_dev_rec->p_callback = NULL;
6025
6026 #if BLE_INCLUDED == TRUE
6027 if (is_le_transport)
6028 (*p_callback) (p_dev_rec->ble.pseudo_addr, BT_TRANSPORT_LE, p_dev_rec->p_ref_data, res);
6029 else
6030 #endif
6031 (*p_callback) (p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR, p_dev_rec->p_ref_data, res);
6032 }
6033
6034 btm_sec_check_pending_reqs();
6035 }
6036
6037 /*******************************************************************************
6038 **
6039 ** Function btm_sec_queue_mx_request
6040 **
6041 ** Description Return state description for tracing
6042 **
6043 *******************************************************************************/
btm_sec_queue_mx_request(BD_ADDR bd_addr,UINT16 psm,BOOLEAN is_orig,UINT32 mx_proto_id,UINT32 mx_chan_id,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data)6044 static BOOLEAN btm_sec_queue_mx_request (BD_ADDR bd_addr, UINT16 psm, BOOLEAN is_orig,
6045 UINT32 mx_proto_id, UINT32 mx_chan_id,
6046 tBTM_SEC_CALLBACK *p_callback, void *p_ref_data)
6047 {
6048 tBTM_SEC_QUEUE_ENTRY *p_e = (tBTM_SEC_QUEUE_ENTRY *)GKI_getbuf (sizeof(tBTM_SEC_QUEUE_ENTRY));
6049
6050 if (p_e)
6051 {
6052 p_e->psm = psm;
6053 p_e->is_orig = is_orig;
6054 p_e->p_callback = p_callback;
6055 p_e->p_ref_data = p_ref_data;
6056 p_e->mx_proto_id = mx_proto_id;
6057 p_e->mx_chan_id = mx_chan_id;
6058 p_e->transport = BT_TRANSPORT_BR_EDR;
6059
6060 memcpy (p_e->bd_addr, bd_addr, BD_ADDR_LEN);
6061
6062 BTM_TRACE_EVENT ("%s() PSM: 0x%04x Is_Orig: %u mx_proto_id: %u mx_chan_id: %u",
6063 __func__, psm, is_orig, mx_proto_id, mx_chan_id);
6064
6065 GKI_enqueue (&btm_cb.sec_pending_q, p_e);
6066
6067 return(TRUE);
6068 }
6069
6070 return(FALSE);
6071 }
6072
btm_sec_check_prefetch_pin(tBTM_SEC_DEV_REC * p_dev_rec)6073 static BOOLEAN btm_sec_check_prefetch_pin (tBTM_SEC_DEV_REC *p_dev_rec)
6074 {
6075 UINT8 major = (UINT8)(p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK);
6076 UINT8 minor = (UINT8)(p_dev_rec->dev_class[2] & BTM_COD_MINOR_CLASS_MASK);
6077 BOOLEAN rv = FALSE;
6078
6079 if ((major == BTM_COD_MAJOR_AUDIO)
6080 && ((minor == BTM_COD_MINOR_CONFM_HANDSFREE) || (minor == BTM_COD_MINOR_CAR_AUDIO)) )
6081 {
6082 BTM_TRACE_EVENT ("%s() Skipping pre-fetch PIN for carkit COD Major: 0x%02x Minor: 0x%02x",
6083 __func__, major, minor);
6084
6085 if (btm_cb.security_mode_changed == FALSE)
6086 {
6087 btm_cb.security_mode_changed = TRUE;
6088 #ifdef APPL_AUTH_WRITE_EXCEPTION
6089 if(!(APPL_AUTH_WRITE_EXCEPTION)(p_dev_rec->bd_addr))
6090 #endif
6091 btsnd_hcic_write_auth_enable (TRUE);
6092 }
6093 }
6094 else
6095 {
6096 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_PIN);
6097
6098 /* If we got a PIN, use that, else try to get one */
6099 if (btm_cb.pin_code_len)
6100 {
6101 BTM_PINCodeReply (p_dev_rec->bd_addr, BTM_SUCCESS, btm_cb.pin_code_len, btm_cb.pin_code, p_dev_rec->trusted_mask);
6102 }
6103 else
6104 {
6105 /* pin was not supplied - pre-fetch pin code now */
6106 if (btm_cb.api.p_pin_callback && ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PIN_REQD) == 0))
6107 {
6108 BTM_TRACE_DEBUG("%s() PIN code callback called", __func__);
6109 if (btm_bda_to_acl(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR) == NULL)
6110 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
6111 (btm_cb.api.p_pin_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
6112 p_dev_rec->sec_bd_name, (p_dev_rec->p_cur_service == NULL) ? FALSE
6113 : (p_dev_rec->p_cur_service->security_flags
6114 & BTM_SEC_IN_MIN_16_DIGIT_PIN));
6115 }
6116 }
6117
6118 rv = TRUE;
6119 }
6120
6121 return rv;
6122 }
6123
6124 /*******************************************************************************
6125 **
6126 ** Function btm_sec_auth_payload_tout
6127 **
6128 ** Description Processes the HCI Autheniticated Payload Timeout Event
6129 ** indicating that a packet containing a valid MIC on the
6130 ** connection handle was not received within the programmed
6131 ** timeout value. (Spec Default is 30 secs, but can be
6132 ** changed via the BTM_SecSetAuthPayloadTimeout() function.
6133 **
6134 *******************************************************************************/
btm_sec_auth_payload_tout(UINT8 * p,UINT16 hci_evt_len)6135 void btm_sec_auth_payload_tout (UINT8 *p, UINT16 hci_evt_len)
6136 {
6137 UINT16 handle;
6138
6139 STREAM_TO_UINT16 (handle, p);
6140 handle = HCID_GET_HANDLE (handle);
6141
6142 /* Will be exposed to upper layers in the future if/when determined necessary */
6143 BTM_TRACE_ERROR ("%s on handle 0x%02x", __func__, handle);
6144 }
6145
6146 /*******************************************************************************
6147 **
6148 ** Function btm_sec_queue_encrypt_request
6149 **
6150 ** Description encqueue encryption request when device has active security
6151 ** process pending.
6152 **
6153 *******************************************************************************/
btm_sec_queue_encrypt_request(BD_ADDR bd_addr,tBT_TRANSPORT transport,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data)6154 static BOOLEAN btm_sec_queue_encrypt_request (BD_ADDR bd_addr, tBT_TRANSPORT transport,
6155 tBTM_SEC_CALLBACK *p_callback, void *p_ref_data)
6156 {
6157 tBTM_SEC_QUEUE_ENTRY *p_e;
6158 p_e = (tBTM_SEC_QUEUE_ENTRY *)GKI_getbuf(sizeof(tBTM_SEC_QUEUE_ENTRY) + 1);
6159
6160 if (p_e)
6161 {
6162 p_e->psm = 0; /* if PSM 0, encryption request */
6163 p_e->p_callback = p_callback;
6164 p_e->p_ref_data = (void *)(p_e + 1);
6165 *(UINT8 *)p_e->p_ref_data = *(UINT8 *)(p_ref_data);
6166 p_e->transport = transport;
6167 memcpy(p_e->bd_addr, bd_addr, BD_ADDR_LEN);
6168 GKI_enqueue(&btm_cb.sec_pending_q, p_e);
6169 return TRUE;
6170 }
6171
6172 return FALSE;
6173 }
6174
6175 /*******************************************************************************
6176 **
6177 ** Function btm_sec_set_peer_sec_caps
6178 **
6179 ** Description This function is called to set sm4 and rmt_sec_caps fields
6180 ** based on the available peer device features.
6181 **
6182 ** Returns void
6183 **
6184 *******************************************************************************/
btm_sec_set_peer_sec_caps(tACL_CONN * p_acl_cb,tBTM_SEC_DEV_REC * p_dev_rec)6185 void btm_sec_set_peer_sec_caps(tACL_CONN *p_acl_cb, tBTM_SEC_DEV_REC *p_dev_rec)
6186 {
6187 BD_ADDR rem_bd_addr;
6188 UINT8 *p_rem_bd_addr;
6189
6190 if ((btm_cb.security_mode == BTM_SEC_MODE_SP ||
6191 btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
6192 btm_cb.security_mode == BTM_SEC_MODE_SC) &&
6193 HCI_SSP_HOST_SUPPORTED(p_acl_cb->peer_lmp_features[HCI_EXT_FEATURES_PAGE_1]))
6194 {
6195 p_dev_rec->sm4 = BTM_SM4_TRUE;
6196 p_dev_rec->remote_supports_secure_connections =
6197 (HCI_SC_HOST_SUPPORTED(p_acl_cb->peer_lmp_features[HCI_EXT_FEATURES_PAGE_1]));
6198 }
6199 else
6200 {
6201 p_dev_rec->sm4 = BTM_SM4_KNOWN;
6202 p_dev_rec->remote_supports_secure_connections = FALSE;
6203 }
6204
6205 BTM_TRACE_API("%s: sm4: 0x%02x, rmt_support_for_secure_connections %d", __FUNCTION__,
6206 p_dev_rec->sm4, p_dev_rec->remote_supports_secure_connections);
6207
6208
6209 if (p_dev_rec->remote_features_needed)
6210 {
6211 BTM_TRACE_EVENT("%s: Now device in SC Only mode, waiting for peer remote features!",
6212 __FUNCTION__);
6213 p_rem_bd_addr = (UINT8*) rem_bd_addr;
6214 BDADDR_TO_STREAM(p_rem_bd_addr, p_dev_rec->bd_addr);
6215 p_rem_bd_addr = (UINT8*) rem_bd_addr;
6216 btm_io_capabilities_req(p_rem_bd_addr);
6217 p_dev_rec->remote_features_needed = FALSE;
6218 }
6219 }
6220
6221 /*******************************************************************************
6222 **
6223 ** Function btm_sec_clean_pending_req_queue
6224 **
6225 ** Description This function cleans up the pending security request when the
6226 ** link to the target device dropped.
6227 **
6228 ** Returns void
6229 **
6230 *******************************************************************************/
btm_sec_clean_pending_req_queue(BD_ADDR remote_bda,tBT_TRANSPORT transport)6231 static void btm_sec_clean_pending_req_queue (BD_ADDR remote_bda, tBT_TRANSPORT transport)
6232 {
6233 tBTM_SEC_QUEUE_ENTRY *p_e;
6234 BUFFER_Q *bq = &btm_cb.sec_pending_q;
6235
6236 p_e = (tBTM_SEC_QUEUE_ENTRY *)GKI_getfirst(bq);
6237
6238 if (p_e != NULL)
6239 {
6240 if (memcmp(p_e->bd_addr, remote_bda, BD_ADDR_LEN) == 0
6241 #if BLE_INCLUDED == TRUE
6242 && p_e->transport == transport
6243 #endif
6244 )
6245 {
6246 (*p_e->p_callback) (remote_bda, transport, p_e->p_ref_data, BTM_ERR_PROCESSING);
6247 GKI_remove_from_queue(bq, (void *)p_e);
6248 }
6249 p_e = (tBTM_SEC_QUEUE_ENTRY *) GKI_getnext ((void *)p_e);
6250 }
6251 }
6252
6253 /*******************************************************************************
6254 **
6255 ** Function btm_sec_is_serv_level0
6256 **
6257 ** Description This function is called to check if the service corresponding
6258 ** to PSM is security mode 4 level 0 service.
6259 **
6260 ** Returns TRUE if the service is security mode 4 level 0 service
6261 **
6262 *******************************************************************************/
btm_sec_is_serv_level0(UINT16 psm)6263 static BOOLEAN btm_sec_is_serv_level0(UINT16 psm)
6264 {
6265 if (psm == BT_PSM_SDP)
6266 {
6267 BTM_TRACE_DEBUG("%s: PSM: 0x%04x -> mode 4 level 0 service", __FUNCTION__, psm);
6268 return TRUE;
6269 }
6270 return FALSE;
6271 }
6272
6273 /*******************************************************************************
6274 **
6275 ** Function btm_sec_check_pending_enc_req
6276 **
6277 ** Description This function is called to send pending encryption callback if
6278 ** waiting
6279 **
6280 ** Returns void
6281 **
6282 *******************************************************************************/
btm_sec_check_pending_enc_req(tBTM_SEC_DEV_REC * p_dev_rec,tBT_TRANSPORT transport,UINT8 encr_enable)6283 static void btm_sec_check_pending_enc_req (tBTM_SEC_DEV_REC *p_dev_rec, tBT_TRANSPORT transport,
6284 UINT8 encr_enable)
6285 {
6286 tBTM_SEC_QUEUE_ENTRY *p_e;
6287 BUFFER_Q *bq = &btm_cb.sec_pending_q;
6288 UINT8 res = encr_enable ? BTM_SUCCESS : BTM_ERR_PROCESSING;
6289
6290 p_e = (tBTM_SEC_QUEUE_ENTRY *)GKI_getfirst(bq);
6291
6292 while (p_e != NULL)
6293 {
6294 if (memcmp(p_e->bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0 && p_e->psm == 0
6295 #if BLE_INCLUDED == TRUE
6296 && p_e->transport == transport
6297 #endif
6298 )
6299 {
6300 #if BLE_INCLUDED == TRUE
6301 UINT8 sec_act = *(UINT8 *)(p_e->p_ref_data);
6302 #endif
6303
6304 if (encr_enable == 0 || transport == BT_TRANSPORT_BR_EDR
6305 #if BLE_INCLUDED == TRUE
6306 || (sec_act == BTM_BLE_SEC_ENCRYPT || sec_act == BTM_BLE_SEC_ENCRYPT_NO_MITM)
6307 || (sec_act == BTM_BLE_SEC_ENCRYPT_MITM && p_dev_rec->sec_flags
6308 & BTM_SEC_LE_AUTHENTICATED)
6309 #endif
6310 )
6311 {
6312 (*p_e->p_callback) (p_dev_rec->bd_addr, transport, p_e->p_ref_data, res);
6313 GKI_remove_from_queue(bq, (void *)p_e);
6314 }
6315 }
6316 p_e = (tBTM_SEC_QUEUE_ENTRY *) GKI_getnext ((void *)p_e);
6317 }
6318 }
6319
6320 /*******************************************************************************
6321 **
6322 ** Function btm_sec_set_serv_level4_flags
6323 **
6324 ** Description This function is called to set security mode 4 level 4 flags.
6325 **
6326 ** Returns service security requirements updated to include secure
6327 ** connections only mode.
6328 **
6329 *******************************************************************************/
btm_sec_set_serv_level4_flags(UINT16 cur_security,BOOLEAN is_originator)6330 static UINT16 btm_sec_set_serv_level4_flags(UINT16 cur_security, BOOLEAN is_originator)
6331 {
6332 UINT16 sec_level4_flags = is_originator ? BTM_SEC_OUT_LEVEL4_FLAGS : BTM_SEC_IN_LEVEL4_FLAGS;
6333
6334 return cur_security | sec_level4_flags;
6335 }
6336
6337 /*******************************************************************************
6338 **
6339 ** Function btm_sec_clear_ble_keys
6340 **
6341 ** Description This function is called to clear out the BLE keys.
6342 ** Typically when devices are removed in BTM_SecDeleteDevice,
6343 ** or when a new BT Link key is generated.
6344 **
6345 ** Returns void
6346 **
6347 *******************************************************************************/
btm_sec_clear_ble_keys(tBTM_SEC_DEV_REC * p_dev_rec)6348 void btm_sec_clear_ble_keys (tBTM_SEC_DEV_REC *p_dev_rec)
6349 {
6350
6351 BTM_TRACE_DEBUG ("%s() Clearing BLE Keys", __func__);
6352 #if (SMP_INCLUDED== TRUE)
6353 p_dev_rec->ble.key_type = BTM_LE_KEY_NONE;
6354 memset (&p_dev_rec->ble.keys, 0, sizeof(tBTM_SEC_BLE_KEYS));
6355
6356 #if (BLE_PRIVACY_SPT == TRUE)
6357 btm_ble_resolving_list_remove_dev(p_dev_rec);
6358 #endif
6359 #endif
6360 }
6361
6362 /*******************************************************************************
6363 **
6364 ** Function btm_sec_is_a_bonded_dev
6365 **
6366 ** Description Is the specified device is a bonded device
6367 **
6368 ** Returns TRUE - dev is bonded
6369 **
6370 *******************************************************************************/
btm_sec_is_a_bonded_dev(BD_ADDR bda)6371 BOOLEAN btm_sec_is_a_bonded_dev (BD_ADDR bda)
6372 {
6373
6374 tBTM_SEC_DEV_REC *p_dev_rec= btm_find_dev (bda);
6375 BOOLEAN is_bonded= FALSE;
6376
6377 if (p_dev_rec &&
6378 #if (SMP_INCLUDED == TRUE)
6379 ((p_dev_rec->ble.key_type && (p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_KNOWN))||
6380 #else
6381 (
6382 #endif
6383 (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)))
6384 {
6385 is_bonded = TRUE;
6386 }
6387 BTM_TRACE_DEBUG ("%s() is_bonded=%d", __func__, is_bonded);
6388 return(is_bonded);
6389 }
6390
6391 /*******************************************************************************
6392 **
6393 ** Function btm_sec_is_le_capable_dev
6394 **
6395 ** Description Is the specified device is dual mode or LE only device
6396 **
6397 ** Returns TRUE - dev is a dual mode
6398 **
6399 *******************************************************************************/
btm_sec_is_le_capable_dev(BD_ADDR bda)6400 BOOLEAN btm_sec_is_le_capable_dev (BD_ADDR bda)
6401 {
6402 tBTM_SEC_DEV_REC *p_dev_rec= btm_find_dev (bda);
6403 BOOLEAN le_capable = FALSE;
6404
6405 #if (BLE_INCLUDED== TRUE)
6406 if (p_dev_rec && (p_dev_rec->device_type & BT_DEVICE_TYPE_BLE) == BT_DEVICE_TYPE_BLE)
6407 le_capable = TRUE;
6408 #endif
6409 return le_capable;
6410 }
6411
6412 /*******************************************************************************
6413 **
6414 ** Function btm_sec_find_bonded_dev
6415 **
6416 ** Description Find a bonded device starting from the specified index
6417 **
6418 ** Returns TRUE - found a bonded device
6419 **
6420 *******************************************************************************/
btm_sec_find_bonded_dev(UINT8 start_idx,UINT8 * p_found_idx,tBTM_SEC_DEV_REC ** p_rec)6421 BOOLEAN btm_sec_find_bonded_dev (UINT8 start_idx, UINT8 *p_found_idx, tBTM_SEC_DEV_REC **p_rec)
6422 {
6423 BOOLEAN found= FALSE;
6424
6425 #if (SMP_INCLUDED== TRUE)
6426 tBTM_SEC_DEV_REC *p_dev_rec;
6427 int i;
6428 if (start_idx >= BTM_SEC_MAX_DEVICE_RECORDS)
6429 {
6430 BTM_TRACE_DEBUG ("LE bonded device not found");
6431 return found;
6432 }
6433
6434 p_dev_rec = &btm_cb.sec_dev_rec[start_idx];
6435 for (i = start_idx; i < BTM_SEC_MAX_DEVICE_RECORDS; i++, p_dev_rec++)
6436 {
6437 if (p_dev_rec->ble.key_type || (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN))
6438 {
6439 *p_found_idx = i;
6440 *p_rec = p_dev_rec;
6441 break;
6442 }
6443 }
6444 BTM_TRACE_DEBUG ("%s() found=%d", __func__, found);
6445 #endif
6446 return(found);
6447 }
6448
6449 /*******************************************************************************
6450 **
6451 ** Function btm_sec_use_smp_br_chnl
6452 **
6453 ** Description The function checks if SMP BR connection can be used with
6454 ** the peer.
6455 ** Is called when authentication for dedicated bonding is
6456 ** successfully completed.
6457 **
6458 ** Returns TRUE - if SMP BR connection can be used (the link key is
6459 ** generated from P-256 and the peer supports Security
6460 ** Manager over BR).
6461 **
6462 *******************************************************************************/
btm_sec_use_smp_br_chnl(tBTM_SEC_DEV_REC * p_dev_rec)6463 static BOOLEAN btm_sec_use_smp_br_chnl(tBTM_SEC_DEV_REC *p_dev_rec)
6464 {
6465 UINT32 ext_feat;
6466 UINT8 chnl_mask[L2CAP_FIXED_CHNL_ARRAY_SIZE];
6467
6468 BTM_TRACE_DEBUG ("%s() link_key_type = 0x%x", __func__,
6469 p_dev_rec->link_key_type);
6470
6471 if ((p_dev_rec->link_key_type != BTM_LKEY_TYPE_UNAUTH_COMB_P_256) &&
6472 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256))
6473 return FALSE;
6474
6475 if (!L2CA_GetPeerFeatures (p_dev_rec->bd_addr, &ext_feat, chnl_mask))
6476 return FALSE;
6477
6478 if (!(chnl_mask[0] & L2CAP_FIXED_CHNL_SMP_BR_BIT))
6479 return FALSE;
6480
6481 return TRUE;
6482 }
6483
6484 /*******************************************************************************
6485 **
6486 ** Function btm_sec_is_master
6487 **
6488 ** Description The function checks if the device is BR/EDR master after
6489 ** pairing is completed.
6490 **
6491 ** Returns TRUE - if the device is master.
6492 **
6493 *******************************************************************************/
btm_sec_is_master(tBTM_SEC_DEV_REC * p_dev_rec)6494 static BOOLEAN btm_sec_is_master(tBTM_SEC_DEV_REC *p_dev_rec)
6495 {
6496 tACL_CONN *p= btm_bda_to_acl(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR);
6497 return (p && (p->link_role == BTM_ROLE_MASTER));
6498 }
6499
6500