1 /******************************************************************************
2  *
3  *  Copyright (C) 1999-2012 Broadcom Corporation
4  *
5  *  Licensed under the Apache License, Version 2.0 (the "License");
6  *  you may not use this file except in compliance with the License.
7  *  You may obtain a copy of the License at:
8  *
9  *  http://www.apache.org/licenses/LICENSE-2.0
10  *
11  *  Unless required by applicable law or agreed to in writing, software
12  *  distributed under the License is distributed on an "AS IS" BASIS,
13  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  *  See the License for the specific language governing permissions and
15  *  limitations under the License.
16  *
17  ******************************************************************************/
18 
19 /******************************************************************************
20  *
21  *  This file contains functions for BLE device control utilities, and LE
22  *  security functions.
23  *
24  ******************************************************************************/
25 
26 #define LOG_TAG "bt_btm_ble"
27 
28 #include "bt_target.h"
29 
30 #if BLE_INCLUDED == TRUE
31 
32 #include <string.h>
33 
34 #include "bt_types.h"
35 #include "bt_utils.h"
36 #include "btm_ble_api.h"
37 #include "btm_int.h"
38 #include "btu.h"
39 #include "device/include/controller.h"
40 #include "gap_api.h"
41 #include "hcimsgs.h"
42 #include "l2c_int.h"
43 #include "osi/include/log.h"
44 #include "smp_api.h"
45 
46 #if SMP_INCLUDED == TRUE
47 extern BOOLEAN aes_cipher_msg_auth_code(BT_OCTET16 key, UINT8 *input, UINT16 length,
48                                                  UINT16 tlen, UINT8 *p_signature);
49 extern void smp_link_encrypted(BD_ADDR bda, UINT8 encr_enable);
50 extern BOOLEAN smp_proc_ltk_request(BD_ADDR bda);
51 #endif
52 extern void gatt_notify_enc_cmpl(BD_ADDR bd_addr);
53 /*******************************************************************************/
54 /* External Function to be called by other modules                             */
55 /*******************************************************************************/
56 /********************************************************
57 **
58 ** Function         BTM_SecAddBleDevice
59 **
60 ** Description      Add/modify device.  This function will be normally called
61 **                  during host startup to restore all required information
62 **                  for a LE device stored in the NVRAM.
63 **
64 ** Parameters:      bd_addr          - BD address of the peer
65 **                  bd_name          - Name of the peer device.  NULL if unknown.
66 **                  dev_type         - Remote device's device type.
67 **                  addr_type        - LE device address type.
68 **
69 ** Returns          TRUE if added OK, else FALSE
70 **
71 *******************************************************************************/
BTM_SecAddBleDevice(BD_ADDR bd_addr,BD_NAME bd_name,tBT_DEVICE_TYPE dev_type,tBLE_ADDR_TYPE addr_type)72 BOOLEAN BTM_SecAddBleDevice (BD_ADDR bd_addr, BD_NAME bd_name, tBT_DEVICE_TYPE dev_type,
73                              tBLE_ADDR_TYPE addr_type)
74 {
75     BTM_TRACE_DEBUG ("%s: dev_type=0x%x", __func__, dev_type);
76     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev(bd_addr);
77 
78     if (!p_dev_rec) {
79         if (list_length(btm_cb.sec_dev_rec) > BTM_SEC_MAX_DEVICE_RECORDS) {
80             BTM_TRACE_ERROR("%s: %d max devices reached!", __func__, BTM_SEC_MAX_DEVICE_RECORDS);
81             return FALSE;
82         }
83 
84         p_dev_rec = osi_calloc(sizeof(tBTM_SEC_DEV_REC));
85         list_append(btm_cb.sec_dev_rec, p_dev_rec);
86 
87         memcpy(p_dev_rec->bd_addr, bd_addr, BD_ADDR_LEN);
88         p_dev_rec->hci_handle = BTM_GetHCIConnHandle(bd_addr, BT_TRANSPORT_BR_EDR);
89         p_dev_rec->ble_hci_handle = BTM_GetHCIConnHandle(bd_addr, BT_TRANSPORT_LE);
90 
91         /* update conn params, use default value for background connection params */
92         p_dev_rec->conn_params.min_conn_int     = BTM_BLE_CONN_PARAM_UNDEF;
93         p_dev_rec->conn_params.max_conn_int     = BTM_BLE_CONN_PARAM_UNDEF;
94         p_dev_rec->conn_params.supervision_tout = BTM_BLE_CONN_PARAM_UNDEF;
95         p_dev_rec->conn_params.slave_latency    = BTM_BLE_CONN_PARAM_UNDEF;
96 
97         BTM_TRACE_DEBUG("%s: Device added, handle=0x%x ", __func__, p_dev_rec->ble_hci_handle);
98     }
99 
100     memset(p_dev_rec->sec_bd_name, 0, sizeof(tBTM_BD_NAME));
101 
102     if (bd_name && bd_name[0])
103     {
104         p_dev_rec->sec_flags |= BTM_SEC_NAME_KNOWN;
105         strlcpy((char *)p_dev_rec->sec_bd_name,
106                 (char *)bd_name, BTM_MAX_REM_BD_NAME_LEN);
107     }
108     p_dev_rec->device_type |= dev_type;
109     p_dev_rec->ble.ble_addr_type = addr_type;
110 
111     memcpy(p_dev_rec->ble.pseudo_addr, bd_addr, BD_ADDR_LEN);
112     /* sync up with the Inq Data base*/
113     tBTM_INQ_INFO      *p_info = BTM_InqDbRead(bd_addr);
114     if (p_info)
115     {
116         p_info->results.ble_addr_type = p_dev_rec->ble.ble_addr_type ;
117         p_info->results.device_type = p_dev_rec->device_type;
118         BTM_TRACE_DEBUG("InqDb  device_type =0x%x  addr_type=0x%x",
119                          p_info->results.device_type, p_info->results.ble_addr_type);
120     }
121 
122     return TRUE;
123 }
124 
125 /*******************************************************************************
126 **
127 ** Function         BTM_SecAddBleKey
128 **
129 ** Description      Add/modify LE device information.  This function will be
130 **                  normally called during host startup to restore all required
131 **                  information stored in the NVRAM.
132 **
133 ** Parameters:      bd_addr          - BD address of the peer
134 **                  p_le_key         - LE key values.
135 **                  key_type         - LE SMP key type.
136 *
137 ** Returns          TRUE if added OK, else FALSE
138 **
139 *******************************************************************************/
BTM_SecAddBleKey(BD_ADDR bd_addr,tBTM_LE_KEY_VALUE * p_le_key,tBTM_LE_KEY_TYPE key_type)140 BOOLEAN BTM_SecAddBleKey (BD_ADDR bd_addr, tBTM_LE_KEY_VALUE *p_le_key, tBTM_LE_KEY_TYPE key_type)
141 {
142 #if SMP_INCLUDED == TRUE
143     tBTM_SEC_DEV_REC  *p_dev_rec;
144     BTM_TRACE_DEBUG ("BTM_SecAddBleKey");
145     p_dev_rec = btm_find_dev (bd_addr);
146     if (!p_dev_rec || !p_le_key ||
147         (key_type != BTM_LE_KEY_PENC && key_type != BTM_LE_KEY_PID &&
148          key_type != BTM_LE_KEY_PCSRK && key_type != BTM_LE_KEY_LENC &&
149          key_type != BTM_LE_KEY_LCSRK && key_type != BTM_LE_KEY_LID))
150     {
151         BTM_TRACE_WARNING ("BTM_SecAddBleKey()  Wrong Type, or No Device record \
152                         for bdaddr: %08x%04x, Type: %d",
153                             (bd_addr[0]<<24)+(bd_addr[1]<<16)+(bd_addr[2]<<8)+bd_addr[3],
154                             (bd_addr[4]<<8)+bd_addr[5], key_type);
155         return(FALSE);
156     }
157 
158     BTM_TRACE_DEBUG ("BTM_SecAddLeKey()  BDA: %08x%04x, Type: 0x%02x",
159                       (bd_addr[0]<<24)+(bd_addr[1]<<16)+(bd_addr[2]<<8)+bd_addr[3],
160                       (bd_addr[4]<<8)+bd_addr[5], key_type);
161 
162     btm_sec_save_le_key (bd_addr, key_type, p_le_key, FALSE);
163 
164 #if (BLE_PRIVACY_SPT == TRUE)
165     if (key_type == BTM_LE_KEY_PID || key_type == BTM_LE_KEY_LID)
166         btm_ble_resolving_list_load_dev (p_dev_rec);
167 #endif
168 
169 #endif
170 
171     return(TRUE);
172 }
173 
174 /*******************************************************************************
175 **
176 ** Function         BTM_BleLoadLocalKeys
177 **
178 ** Description      Local local identity key, encryption root or sign counter.
179 **
180 ** Parameters:      key_type: type of key, can be BTM_BLE_KEY_TYPE_ID, BTM_BLE_KEY_TYPE_ER
181 **                            or BTM_BLE_KEY_TYPE_COUNTER.
182 **                  p_key: pointer to the key.
183 *
184 ** Returns          non2.
185 **
186 *******************************************************************************/
BTM_BleLoadLocalKeys(UINT8 key_type,tBTM_BLE_LOCAL_KEYS * p_key)187 void BTM_BleLoadLocalKeys(UINT8 key_type, tBTM_BLE_LOCAL_KEYS *p_key)
188 {
189     tBTM_DEVCB *p_devcb = &btm_cb.devcb;
190     BTM_TRACE_DEBUG ("%s", __func__);
191     if (p_key != NULL)
192     {
193         switch (key_type)
194         {
195             case BTM_BLE_KEY_TYPE_ID:
196                 memcpy(&p_devcb->id_keys, &p_key->id_keys, sizeof(tBTM_BLE_LOCAL_ID_KEYS));
197                 break;
198 
199             case BTM_BLE_KEY_TYPE_ER:
200                 memcpy(p_devcb->ble_encryption_key_value, p_key->er, sizeof(BT_OCTET16));
201                 break;
202 
203             default:
204                 BTM_TRACE_ERROR("unknow local key type: %d", key_type);
205                 break;
206         }
207     }
208 }
209 
210 /*******************************************************************************
211 **
212 ** Function         BTM_GetDeviceEncRoot
213 **
214 ** Description      This function is called to read the local device encryption
215 **                  root.
216 **
217 ** Returns          void
218 **                  the local device ER is copied into ble_encr_key_value
219 **
220 *******************************************************************************/
BTM_GetDeviceEncRoot(BT_OCTET16 ble_encr_key_value)221 void BTM_GetDeviceEncRoot (BT_OCTET16 ble_encr_key_value)
222 {
223     BTM_TRACE_DEBUG ("%s", __func__);
224     memcpy (ble_encr_key_value, btm_cb.devcb.ble_encryption_key_value, BT_OCTET16_LEN);
225 }
226 
227 /*******************************************************************************
228 **
229 ** Function         BTM_GetDeviceIDRoot
230 **
231 ** Description      This function is called to read the local device identity
232 **                  root.
233 **
234 ** Returns          void
235 **                  the local device IR is copied into irk
236 **
237 *******************************************************************************/
BTM_GetDeviceIDRoot(BT_OCTET16 irk)238 void BTM_GetDeviceIDRoot (BT_OCTET16 irk)
239 {
240     BTM_TRACE_DEBUG ("BTM_GetDeviceIDRoot ");
241 
242     memcpy (irk, btm_cb.devcb.id_keys.irk, BT_OCTET16_LEN);
243 }
244 
245 /*******************************************************************************
246 **
247 ** Function         BTM_GetDeviceDHK
248 **
249 ** Description      This function is called to read the local device DHK.
250 **
251 ** Returns          void
252 **                  the local device DHK is copied into dhk
253 **
254 *******************************************************************************/
BTM_GetDeviceDHK(BT_OCTET16 dhk)255 void BTM_GetDeviceDHK (BT_OCTET16 dhk)
256 {
257     BTM_TRACE_DEBUG ("BTM_GetDeviceDHK");
258     memcpy (dhk, btm_cb.devcb.id_keys.dhk, BT_OCTET16_LEN);
259 }
260 
261 /*******************************************************************************
262 **
263 ** Function         BTM_ReadConnectionAddr
264 **
265 ** Description      This function is called to get the local device address information
266 **                  .
267 **
268 ** Returns          void
269 **
270 *******************************************************************************/
BTM_ReadConnectionAddr(BD_ADDR remote_bda,BD_ADDR local_conn_addr,tBLE_ADDR_TYPE * p_addr_type)271 void BTM_ReadConnectionAddr (BD_ADDR remote_bda, BD_ADDR local_conn_addr, tBLE_ADDR_TYPE *p_addr_type)
272 {
273     tACL_CONN       *p_acl = btm_bda_to_acl(remote_bda, BT_TRANSPORT_LE);
274 
275     if (p_acl == NULL)
276     {
277         BTM_TRACE_ERROR("No connection exist!");
278         return;
279     }
280     memcpy(local_conn_addr, p_acl->conn_addr, BD_ADDR_LEN);
281     * p_addr_type = p_acl->conn_addr_type;
282 
283     BTM_TRACE_DEBUG ("BTM_ReadConnectionAddr address type: %d addr: 0x%02x",
284                     p_acl->conn_addr_type, p_acl->conn_addr[0]);
285 }
286 
287 /*******************************************************************************
288 **
289 ** Function         BTM_IsBleConnection
290 **
291 ** Description      This function is called to check if the connection handle
292 **                  for an LE link
293 **
294 ** Returns          TRUE if connection is LE link, otherwise FALSE.
295 **
296 *******************************************************************************/
BTM_IsBleConnection(UINT16 conn_handle)297 BOOLEAN BTM_IsBleConnection (UINT16 conn_handle)
298 {
299 #if (BLE_INCLUDED == TRUE)
300     UINT8                xx;
301     tACL_CONN            *p;
302 
303     BTM_TRACE_API ("BTM_IsBleConnection: conn_handle: %d", conn_handle);
304 
305     xx = btm_handle_to_acl_index (conn_handle);
306     if (xx >= MAX_L2CAP_LINKS)
307         return FALSE;
308 
309     p = &btm_cb.acl_db[xx];
310 
311     return (p->transport == BT_TRANSPORT_LE);
312 #else
313     return FALSE;
314 #endif
315 }
316 
317 /*******************************************************************************
318 **
319 ** Function         BTM_ReadRemoteConnectionAddr
320 **
321 ** Description      This function is read the remote device address currently used
322 **
323 ** Parameters     pseudo_addr: pseudo random address available
324 **                conn_addr:connection address used
325 **                p_addr_type : BD Address type, Public or Random of the address used
326 **
327 ** Returns          BOOLEAN , TRUE if connection to remote device exists, else FALSE
328 **
329 *******************************************************************************/
BTM_ReadRemoteConnectionAddr(BD_ADDR pseudo_addr,BD_ADDR conn_addr,tBLE_ADDR_TYPE * p_addr_type)330 BOOLEAN BTM_ReadRemoteConnectionAddr(BD_ADDR pseudo_addr, BD_ADDR conn_addr,
331                                                tBLE_ADDR_TYPE *p_addr_type)
332 {
333  BOOLEAN         st = TRUE;
334 #if (BLE_PRIVACY_SPT == TRUE)
335     tACL_CONN       *p = btm_bda_to_acl (pseudo_addr, BT_TRANSPORT_LE);
336 
337     if (p == NULL)
338     {
339         BTM_TRACE_ERROR("BTM_ReadRemoteConnectionAddr can not find connection"
340                         " with matching address");
341         return FALSE;
342     }
343 
344     memcpy(conn_addr, p->active_remote_addr, BD_ADDR_LEN);
345     *p_addr_type = p->active_remote_addr_type;
346 #else
347     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev(pseudo_addr);
348 
349     memcpy(conn_addr, pseudo_addr, BD_ADDR_LEN);
350     if (p_dev_rec != NULL)
351     {
352         *p_addr_type = p_dev_rec->ble.ble_addr_type;
353     }
354 #endif
355     return st;
356 
357 }
358 /*******************************************************************************
359 **
360 ** Function         BTM_SecurityGrant
361 **
362 ** Description      This function is called to grant security process.
363 **
364 ** Parameters       bd_addr - peer device bd address.
365 **                  res     - result of the operation BTM_SUCCESS if success.
366 **                            Otherwise, BTM_REPEATED_ATTEMPTS is too many attempts.
367 **
368 ** Returns          None
369 **
370 *******************************************************************************/
BTM_SecurityGrant(BD_ADDR bd_addr,UINT8 res)371 void BTM_SecurityGrant(BD_ADDR bd_addr, UINT8 res)
372 {
373 #if SMP_INCLUDED == TRUE
374     tSMP_STATUS res_smp = (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_REPEATED_ATTEMPTS;
375     BTM_TRACE_DEBUG ("BTM_SecurityGrant");
376     SMP_SecurityGrant(bd_addr, res_smp);
377 #endif
378 }
379 
380 /*******************************************************************************
381 **
382 ** Function         BTM_BlePasskeyReply
383 **
384 ** Description      This function is called after Security Manager submitted
385 **                  passkey request to the application.
386 **
387 ** Parameters:      bd_addr      - Address of the device for which passkey was requested
388 **                  res          - result of the operation BTM_SUCCESS if success
389 **                  key_len      - length in bytes of the Passkey
390 **                  p_passkey        - pointer to array with the passkey
391 **                  trusted_mask - bitwise OR of trusted services (array of UINT32)
392 **
393 *******************************************************************************/
BTM_BlePasskeyReply(BD_ADDR bd_addr,UINT8 res,UINT32 passkey)394 void BTM_BlePasskeyReply (BD_ADDR bd_addr, UINT8 res, UINT32 passkey)
395 {
396 #if SMP_INCLUDED == TRUE
397     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev (bd_addr);
398     tSMP_STATUS      res_smp = (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_PASSKEY_ENTRY_FAIL;
399 
400     if (p_dev_rec == NULL)
401     {
402         BTM_TRACE_ERROR("Passkey reply to Unknown device");
403         return;
404     }
405 
406     p_dev_rec->sec_flags   |= BTM_SEC_LE_AUTHENTICATED;
407     BTM_TRACE_DEBUG ("BTM_BlePasskeyReply");
408     SMP_PasskeyReply(bd_addr, res_smp, passkey);
409 #endif
410 }
411 
412 /*******************************************************************************
413 **
414 ** Function         BTM_BleConfirmReply
415 **
416 ** Description      This function is called after Security Manager submitted
417 **                  numeric comparison request to the application.
418 **
419 ** Parameters:      bd_addr      - Address of the device with which numeric
420 **                                 comparison was requested
421 **                  res          - comparison result BTM_SUCCESS if success
422 **
423 *******************************************************************************/
BTM_BleConfirmReply(BD_ADDR bd_addr,UINT8 res)424 void BTM_BleConfirmReply (BD_ADDR bd_addr, UINT8 res)
425 {
426     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev (bd_addr);
427     tSMP_STATUS      res_smp = (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_PASSKEY_ENTRY_FAIL;
428 
429     if (p_dev_rec == NULL)
430     {
431         BTM_TRACE_ERROR("Passkey reply to Unknown device");
432         return;
433     }
434 
435     p_dev_rec->sec_flags   |= BTM_SEC_LE_AUTHENTICATED;
436     BTM_TRACE_DEBUG ("%s", __func__);
437     SMP_ConfirmReply(bd_addr, res_smp);
438 }
439 
440 /*******************************************************************************
441 **
442 ** Function         BTM_BleOobDataReply
443 **
444 ** Description      This function is called to provide the OOB data for
445 **                  SMP in response to BTM_LE_OOB_REQ_EVT
446 **
447 ** Parameters:      bd_addr     - Address of the peer device
448 **                  res         - result of the operation SMP_SUCCESS if success
449 **                  p_data      - oob data, depending on transport and capabilities.
450 **                                Might be "Simple Pairing Randomizer", or
451 **                                "Security Manager TK Value".
452 **
453 *******************************************************************************/
BTM_BleOobDataReply(BD_ADDR bd_addr,UINT8 res,UINT8 len,UINT8 * p_data)454 void BTM_BleOobDataReply(BD_ADDR bd_addr, UINT8 res, UINT8 len, UINT8 *p_data)
455 {
456 #if SMP_INCLUDED == TRUE
457     tSMP_STATUS res_smp = (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_OOB_FAIL;
458     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev (bd_addr);
459 
460     BTM_TRACE_DEBUG ("BTM_BleOobDataReply");
461 
462     if (p_dev_rec == NULL)
463     {
464         BTM_TRACE_ERROR("BTM_BleOobDataReply() to Unknown device");
465         return;
466     }
467 
468     p_dev_rec->sec_flags |= BTM_SEC_LE_AUTHENTICATED;
469     SMP_OobDataReply(bd_addr, res_smp, len, p_data);
470 #endif
471 }
472 
473 /******************************************************************************
474 **
475 ** Function         BTM_BleSetConnScanParams
476 **
477 ** Description      Set scan parameter used in BLE connection request
478 **
479 ** Parameters:      scan_interval: scan interval
480 **                  scan_window: scan window
481 **
482 ** Returns          void
483 **
484 *******************************************************************************/
BTM_BleSetConnScanParams(UINT32 scan_interval,UINT32 scan_window)485 void BTM_BleSetConnScanParams (UINT32 scan_interval, UINT32 scan_window)
486 {
487 #if SMP_INCLUDED == TRUE
488     tBTM_BLE_CB *p_ble_cb = &btm_cb.ble_ctr_cb;
489     BOOLEAN     new_param = FALSE;
490 
491     if (BTM_BLE_ISVALID_PARAM(scan_interval, BTM_BLE_SCAN_INT_MIN, BTM_BLE_SCAN_INT_MAX) &&
492         BTM_BLE_ISVALID_PARAM(scan_window, BTM_BLE_SCAN_WIN_MIN, BTM_BLE_SCAN_WIN_MAX))
493     {
494         if (p_ble_cb->scan_int != scan_interval)
495         {
496             p_ble_cb->scan_int = scan_interval;
497             new_param = TRUE;
498         }
499 
500         if (p_ble_cb->scan_win != scan_window)
501         {
502             p_ble_cb->scan_win = scan_window;
503             new_param = TRUE;
504         }
505 
506         if (new_param && p_ble_cb->conn_state == BLE_BG_CONN)
507         {
508             btm_ble_suspend_bg_conn();
509         }
510     }
511     else
512     {
513         BTM_TRACE_ERROR("Illegal Connection Scan Parameters");
514     }
515 #endif
516 }
517 
518 /********************************************************
519 **
520 ** Function         BTM_BleSetPrefConnParams
521 **
522 ** Description      Set a peripheral's preferred connection parameters
523 **
524 ** Parameters:      bd_addr          - BD address of the peripheral
525 **                  scan_interval: scan interval
526 **                  scan_window: scan window
527 **                  min_conn_int     - minimum preferred connection interval
528 **                  max_conn_int     - maximum preferred connection interval
529 **                  slave_latency    - preferred slave latency
530 **                  supervision_tout - preferred supervision timeout
531 **
532 ** Returns          void
533 **
534 *******************************************************************************/
BTM_BleSetPrefConnParams(BD_ADDR bd_addr,UINT16 min_conn_int,UINT16 max_conn_int,UINT16 slave_latency,UINT16 supervision_tout)535 void BTM_BleSetPrefConnParams (BD_ADDR bd_addr,
536                                UINT16 min_conn_int, UINT16 max_conn_int,
537                                UINT16 slave_latency, UINT16 supervision_tout)
538 {
539     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev (bd_addr);
540 
541     BTM_TRACE_API ("BTM_BleSetPrefConnParams min: %u  max: %u  latency: %u  \
542                     tout: %u",
543                     min_conn_int, max_conn_int, slave_latency, supervision_tout);
544 
545     if (BTM_BLE_ISVALID_PARAM(min_conn_int, BTM_BLE_CONN_INT_MIN, BTM_BLE_CONN_INT_MAX) &&
546         BTM_BLE_ISVALID_PARAM(max_conn_int, BTM_BLE_CONN_INT_MIN, BTM_BLE_CONN_INT_MAX) &&
547         BTM_BLE_ISVALID_PARAM(supervision_tout, BTM_BLE_CONN_SUP_TOUT_MIN, BTM_BLE_CONN_SUP_TOUT_MAX) &&
548         (slave_latency <= BTM_BLE_CONN_LATENCY_MAX || slave_latency == BTM_BLE_CONN_PARAM_UNDEF))
549     {
550         if (p_dev_rec)
551         {
552             /* expect conn int and stout and slave latency to be updated all together */
553             if (min_conn_int != BTM_BLE_CONN_PARAM_UNDEF || max_conn_int != BTM_BLE_CONN_PARAM_UNDEF)
554             {
555                 if (min_conn_int != BTM_BLE_CONN_PARAM_UNDEF)
556                     p_dev_rec->conn_params.min_conn_int = min_conn_int;
557                 else
558                     p_dev_rec->conn_params.min_conn_int = max_conn_int;
559 
560                 if (max_conn_int != BTM_BLE_CONN_PARAM_UNDEF)
561                     p_dev_rec->conn_params.max_conn_int = max_conn_int;
562                 else
563                     p_dev_rec->conn_params.max_conn_int = min_conn_int;
564 
565                 if (slave_latency != BTM_BLE_CONN_PARAM_UNDEF)
566                     p_dev_rec->conn_params.slave_latency = slave_latency;
567                 else
568                     p_dev_rec->conn_params.slave_latency = BTM_BLE_CONN_SLAVE_LATENCY_DEF;
569 
570                 if (supervision_tout != BTM_BLE_CONN_PARAM_UNDEF)
571                     p_dev_rec->conn_params.supervision_tout = supervision_tout;
572                 else
573                     p_dev_rec->conn_params.supervision_tout = BTM_BLE_CONN_TIMEOUT_DEF;
574 
575             }
576 
577         }
578         else
579         {
580             BTM_TRACE_ERROR("Unknown Device, setting rejected");
581         }
582     }
583     else
584     {
585         BTM_TRACE_ERROR("Illegal Connection Parameters");
586     }
587 }
588 
589 /*******************************************************************************
590 **
591 ** Function         BTM_ReadDevInfo
592 **
593 ** Description      This function is called to read the device/address type
594 **                  of BD address.
595 **
596 ** Parameter        remote_bda: remote device address
597 **                  p_dev_type: output parameter to read the device type.
598 **                  p_addr_type: output parameter to read the address type.
599 **
600 *******************************************************************************/
BTM_ReadDevInfo(BD_ADDR remote_bda,tBT_DEVICE_TYPE * p_dev_type,tBLE_ADDR_TYPE * p_addr_type)601 void BTM_ReadDevInfo (BD_ADDR remote_bda, tBT_DEVICE_TYPE *p_dev_type, tBLE_ADDR_TYPE *p_addr_type)
602 {
603     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev (remote_bda);
604     tBTM_INQ_INFO     *p_inq_info = BTM_InqDbRead(remote_bda);
605 
606     *p_addr_type = BLE_ADDR_PUBLIC;
607 
608     if (!p_dev_rec)
609     {
610         *p_dev_type = BT_DEVICE_TYPE_BREDR;
611         /* Check with the BT manager if details about remote device are known */
612         if (p_inq_info != NULL)
613         {
614             *p_dev_type = p_inq_info->results.device_type ;
615             *p_addr_type = p_inq_info->results.ble_addr_type;
616         } else {
617             /* unknown device, assume BR/EDR */
618             BTM_TRACE_DEBUG ("btm_find_dev_type - unknown device, BR/EDR assumed");
619         }
620     }
621     else /* there is a security device record exisitng */
622     {
623         /* new inquiry result, overwrite device type in security device record */
624         if (p_inq_info)
625         {
626             p_dev_rec->device_type          = p_inq_info->results.device_type;
627             p_dev_rec->ble.ble_addr_type    = p_inq_info->results.ble_addr_type;
628         }
629         if (memcmp(p_dev_rec->bd_addr, remote_bda, BD_ADDR_LEN) == 0 &&
630             memcmp(p_dev_rec->ble.pseudo_addr, remote_bda, BD_ADDR_LEN) == 0)
631         {
632             *p_dev_type = p_dev_rec->device_type;
633             *p_addr_type = p_dev_rec->ble.ble_addr_type;
634         }
635         else if (memcmp(p_dev_rec->ble.pseudo_addr, remote_bda, BD_ADDR_LEN) == 0)
636         {
637             *p_dev_type = BT_DEVICE_TYPE_BLE;
638             *p_addr_type = p_dev_rec->ble.ble_addr_type;
639         }
640         else  /* matching static adddress only */
641         {
642             *p_dev_type = BT_DEVICE_TYPE_BREDR;
643             *p_addr_type = BLE_ADDR_PUBLIC;
644         }
645 
646     }
647 
648     BTM_TRACE_DEBUG ("btm_find_dev_type - device_type = %d addr_type = %d", *p_dev_type , *p_addr_type);
649 }
650 
651 /*******************************************************************************
652 **
653 ** Function         BTM_ReadConnectedTransportAddress
654 **
655 ** Description      This function is called to read the paired device/address type of other device paired
656 **                  corresponding to the BD_address
657 **
658 ** Parameter        remote_bda: remote device address, carry out the transport address
659 **                  transport: active transport
660 **
661 ** Return           TRUE if an active link is identified; FALSE otherwise
662 **
663 *******************************************************************************/
BTM_ReadConnectedTransportAddress(BD_ADDR remote_bda,tBT_TRANSPORT transport)664 BOOLEAN BTM_ReadConnectedTransportAddress(BD_ADDR remote_bda, tBT_TRANSPORT transport)
665 {
666     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev(remote_bda);
667 
668     /* if no device can be located, return */
669     if (p_dev_rec == NULL)
670         return FALSE;
671 
672     if (transport == BT_TRANSPORT_BR_EDR)
673     {
674         if (btm_bda_to_acl(p_dev_rec->bd_addr, transport) != NULL)
675         {
676             memcpy(remote_bda, p_dev_rec->bd_addr, BD_ADDR_LEN);
677             return TRUE;
678         }
679         else if (p_dev_rec->device_type & BT_DEVICE_TYPE_BREDR)
680         {
681             memcpy(remote_bda, p_dev_rec->bd_addr, BD_ADDR_LEN);
682         }
683         else
684             memset(remote_bda, 0, BD_ADDR_LEN);
685         return FALSE;
686     }
687 
688     if (transport == BT_TRANSPORT_LE)
689     {
690         memcpy(remote_bda, p_dev_rec->ble.pseudo_addr, BD_ADDR_LEN);
691         if (btm_bda_to_acl(p_dev_rec->ble.pseudo_addr, transport) != NULL)
692             return TRUE;
693         else
694             return FALSE;
695     }
696 
697     return FALSE;
698 }
699 
700 /*******************************************************************************
701 **
702 ** Function         BTM_BleReceiverTest
703 **
704 ** Description      This function is called to start the LE Receiver test
705 **
706 ** Parameter       rx_freq - Frequency Range
707 **               p_cmd_cmpl_cback - Command Complete callback
708 **
709 *******************************************************************************/
BTM_BleReceiverTest(UINT8 rx_freq,tBTM_CMPL_CB * p_cmd_cmpl_cback)710 void BTM_BleReceiverTest(UINT8 rx_freq, tBTM_CMPL_CB *p_cmd_cmpl_cback)
711 {
712      btm_cb.devcb.p_le_test_cmd_cmpl_cb = p_cmd_cmpl_cback;
713 
714      if (btsnd_hcic_ble_receiver_test(rx_freq) == FALSE)
715      {
716           BTM_TRACE_ERROR("%s: Unable to Trigger LE receiver test", __FUNCTION__);
717      }
718 }
719 
720 /*******************************************************************************
721 **
722 ** Function         BTM_BleTransmitterTest
723 **
724 ** Description      This function is called to start the LE Transmitter test
725 **
726 ** Parameter       tx_freq - Frequency Range
727 **                       test_data_len - Length in bytes of payload data in each packet
728 **                       packet_payload - Pattern to use in the payload
729 **                       p_cmd_cmpl_cback - Command Complete callback
730 **
731 *******************************************************************************/
BTM_BleTransmitterTest(UINT8 tx_freq,UINT8 test_data_len,UINT8 packet_payload,tBTM_CMPL_CB * p_cmd_cmpl_cback)732 void BTM_BleTransmitterTest(UINT8 tx_freq, UINT8 test_data_len,
733                                  UINT8 packet_payload, tBTM_CMPL_CB *p_cmd_cmpl_cback)
734 {
735      btm_cb.devcb.p_le_test_cmd_cmpl_cb = p_cmd_cmpl_cback;
736      if (btsnd_hcic_ble_transmitter_test(tx_freq, test_data_len, packet_payload) == FALSE)
737      {
738           BTM_TRACE_ERROR("%s: Unable to Trigger LE transmitter test", __FUNCTION__);
739      }
740 }
741 
742 /*******************************************************************************
743 **
744 ** Function         BTM_BleTestEnd
745 **
746 ** Description      This function is called to stop the in-progress TX or RX test
747 **
748 ** Parameter       p_cmd_cmpl_cback - Command complete callback
749 **
750 *******************************************************************************/
BTM_BleTestEnd(tBTM_CMPL_CB * p_cmd_cmpl_cback)751 void BTM_BleTestEnd(tBTM_CMPL_CB *p_cmd_cmpl_cback)
752 {
753      btm_cb.devcb.p_le_test_cmd_cmpl_cb = p_cmd_cmpl_cback;
754 
755      if (btsnd_hcic_ble_test_end() == FALSE)
756      {
757           BTM_TRACE_ERROR("%s: Unable to End the LE TX/RX test", __FUNCTION__);
758      }
759 }
760 
761 /*******************************************************************************
762 ** Internal Functions
763 *******************************************************************************/
btm_ble_test_command_complete(UINT8 * p)764 void btm_ble_test_command_complete(UINT8 *p)
765 {
766     tBTM_CMPL_CB   *p_cb = btm_cb.devcb.p_le_test_cmd_cmpl_cb;
767 
768     btm_cb.devcb.p_le_test_cmd_cmpl_cb = NULL;
769 
770     if (p_cb)
771     {
772         (*p_cb)(p);
773     }
774 }
775 
776 /*******************************************************************************
777 **
778 ** Function         BTM_UseLeLink
779 **
780 ** Description      This function is to select the underneath physical link to use.
781 **
782 ** Returns          TRUE to use LE, FALSE use BR/EDR.
783 **
784 *******************************************************************************/
BTM_UseLeLink(BD_ADDR bd_addr)785 BOOLEAN BTM_UseLeLink (BD_ADDR bd_addr)
786 {
787     tACL_CONN         *p;
788     tBT_DEVICE_TYPE     dev_type;
789     tBLE_ADDR_TYPE      addr_type;
790     BOOLEAN             use_le = FALSE;
791 
792     if ((p = btm_bda_to_acl(bd_addr, BT_TRANSPORT_BR_EDR)) != NULL)
793     {
794         return use_le;
795     }
796     else if ((p = btm_bda_to_acl(bd_addr, BT_TRANSPORT_LE)) != NULL)
797     {
798         use_le = TRUE;
799     }
800     else
801     {
802         BTM_ReadDevInfo(bd_addr, &dev_type, &addr_type);
803         use_le = (dev_type == BT_DEVICE_TYPE_BLE);
804     }
805     return use_le;
806 }
807 
808 /*******************************************************************************
809 **
810 ** Function         BTM_SetBleDataLength
811 **
812 ** Description      This function is to set maximum BLE transmission packet size
813 **
814 ** Returns          BTM_SUCCESS if success; otherwise failed.
815 **
816 *******************************************************************************/
BTM_SetBleDataLength(BD_ADDR bd_addr,UINT16 tx_pdu_length)817 tBTM_STATUS BTM_SetBleDataLength(BD_ADDR bd_addr, UINT16 tx_pdu_length)
818 {
819     tACL_CONN *p_acl = btm_bda_to_acl(bd_addr, BT_TRANSPORT_LE);
820     BTM_TRACE_DEBUG("%s: tx_pdu_length =%d", __FUNCTION__, tx_pdu_length);
821 
822     if (!controller_get_interface()->supports_ble_packet_extension())
823     {
824         BTM_TRACE_ERROR("%s failed, request not supported", __FUNCTION__);
825         return BTM_ILLEGAL_VALUE;
826     }
827 
828     if (!HCI_LE_DATA_LEN_EXT_SUPPORTED(p_acl->peer_le_features))
829     {
830         BTM_TRACE_ERROR("%s failed, peer does not support request", __FUNCTION__);
831         return BTM_ILLEGAL_VALUE;
832     }
833 
834     if (p_acl != NULL)
835     {
836         if (tx_pdu_length > BTM_BLE_DATA_SIZE_MAX)
837             tx_pdu_length =  BTM_BLE_DATA_SIZE_MAX;
838         else if (tx_pdu_length < BTM_BLE_DATA_SIZE_MIN)
839             tx_pdu_length =  BTM_BLE_DATA_SIZE_MIN;
840 
841         /* always set the TxTime to be max, as controller does not care for now */
842         btsnd_hcic_ble_set_data_length(p_acl->hci_handle, tx_pdu_length,
843                                             BTM_BLE_DATA_TX_TIME_MAX);
844 
845         return BTM_SUCCESS;
846     }
847     else
848     {
849         BTM_TRACE_ERROR("%s: Wrong mode: no LE link exist or LE not supported",__FUNCTION__);
850         return BTM_WRONG_MODE;
851     }
852 }
853 
854 /*******************************************************************************
855 **
856 ** Function         btm_ble_determine_security_act
857 **
858 ** Description      This function checks the security of current LE link
859 **                  and returns the appropriate action that needs to be
860 **                  taken to achieve the required security.
861 **
862 ** Parameter        is_originator - True if outgoing connection
863 **                  bdaddr: remote device address
864 **                  security_required: Security required for the service.
865 **
866 ** Returns          The appropriate security action required.
867 **
868 *******************************************************************************/
btm_ble_determine_security_act(BOOLEAN is_originator,BD_ADDR bdaddr,UINT16 security_required)869 tBTM_SEC_ACTION btm_ble_determine_security_act(BOOLEAN is_originator, BD_ADDR bdaddr, UINT16 security_required)
870 {
871     tBTM_LE_AUTH_REQ auth_req = 0x00;
872 
873     if (is_originator)
874     {
875         if ((security_required & BTM_SEC_OUT_FLAGS) == 0 &&
876                 (security_required & BTM_SEC_OUT_MITM) == 0)
877         {
878             BTM_TRACE_DEBUG ("%s No security required for outgoing connection", __func__);
879             return BTM_SEC_OK;
880         }
881 
882         if (security_required & BTM_SEC_OUT_MITM)
883             auth_req |= BTM_LE_AUTH_REQ_MITM;
884     }
885     else
886     {
887         if ((security_required & BTM_SEC_IN_FLAGS) == 0&& (security_required & BTM_SEC_IN_MITM) == 0)
888         {
889             BTM_TRACE_DEBUG ("%s No security required for incoming connection", __func__);
890             return BTM_SEC_OK;
891         }
892 
893         if (security_required & BTM_SEC_IN_MITM)
894             auth_req |= BTM_LE_AUTH_REQ_MITM;
895     }
896 
897     tBTM_BLE_SEC_REQ_ACT ble_sec_act;
898     btm_ble_link_sec_check(bdaddr, auth_req, &ble_sec_act);
899 
900     BTM_TRACE_DEBUG ("%s ble_sec_act %d", __func__ , ble_sec_act);
901 
902     if (ble_sec_act == BTM_BLE_SEC_REQ_ACT_DISCARD)
903         return BTM_SEC_ENC_PENDING;
904 
905     if (ble_sec_act == BTM_BLE_SEC_REQ_ACT_NONE)
906         return BTM_SEC_OK;
907 
908     UINT8 sec_flag = 0;
909     BTM_GetSecurityFlagsByTransport(bdaddr, &sec_flag, BT_TRANSPORT_LE);
910 
911     BOOLEAN is_link_encrypted = FALSE;
912     BOOLEAN is_key_mitm = FALSE;
913     if (sec_flag & (BTM_SEC_FLAG_ENCRYPTED| BTM_SEC_FLAG_LKEY_KNOWN))
914     {
915         if (sec_flag & BTM_SEC_FLAG_ENCRYPTED)
916             is_link_encrypted = TRUE;
917 
918         if (sec_flag & BTM_SEC_FLAG_LKEY_AUTHED)
919             is_key_mitm = TRUE;
920     }
921 
922     if (auth_req & BTM_LE_AUTH_REQ_MITM)
923     {
924         if (!is_key_mitm)
925         {
926             return BTM_SEC_ENCRYPT_MITM;
927         } else {
928             if (is_link_encrypted)
929                 return BTM_SEC_OK;
930             else
931                 return BTM_SEC_ENCRYPT;
932         }
933     } else {
934         if (is_link_encrypted)
935             return BTM_SEC_OK;
936         else
937             return BTM_SEC_ENCRYPT_NO_MITM;
938     }
939 
940     return BTM_SEC_OK;
941 }
942 
943 /*******************************************************************************
944 **
945 ** Function         btm_ble_start_sec_check
946 **
947 ** Description      This function is to check and set the security required for
948 **                  LE link for LE COC.
949 **
950 ** Parameter        bdaddr: remote device address.
951 **                  psm : PSM of the LE COC sevice.
952 **                  is_originator: TRUE if outgoing connection.
953 **                  p_callback : Pointer to the callback function.
954 **                  p_ref_data : Pointer to be returned along with the callback.
955 **
956 ** Returns          TRUE if link already meets the required security; otherwise FALSE.
957 **
958 *******************************************************************************/
btm_ble_start_sec_check(BD_ADDR bd_addr,UINT16 psm,BOOLEAN is_originator,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data)959 BOOLEAN btm_ble_start_sec_check(BD_ADDR bd_addr, UINT16 psm, BOOLEAN is_originator,
960                             tBTM_SEC_CALLBACK *p_callback, void *p_ref_data)
961 {
962     /* Find the service record for the PSM */
963     tBTM_SEC_SERV_REC *p_serv_rec = btm_sec_find_first_serv (is_originator, psm);
964 
965     /* If there is no application registered with this PSM do not allow connection */
966     if (!p_serv_rec)
967     {
968         BTM_TRACE_WARNING ("%s PSM: %d no application registerd", __func__, psm);
969         (*p_callback) (bd_addr, BT_TRANSPORT_LE, p_ref_data, BTM_MODE_UNSUPPORTED);
970         return FALSE;
971     }
972 
973     tBTM_SEC_ACTION sec_act = btm_ble_determine_security_act(is_originator,
974                                   bd_addr, p_serv_rec->security_flags);
975 
976     tBTM_BLE_SEC_ACT ble_sec_act = BTM_BLE_SEC_NONE;
977     BOOLEAN status = FALSE;
978 
979     switch (sec_act)
980     {
981         case BTM_SEC_OK:
982             BTM_TRACE_DEBUG ("%s Security met", __func__);
983             p_callback(bd_addr, BT_TRANSPORT_LE, p_ref_data, BTM_SUCCESS);
984             status = TRUE;
985             break;
986 
987         case BTM_SEC_ENCRYPT:
988             BTM_TRACE_DEBUG ("%s Encryption needs to be done", __func__);
989             ble_sec_act = BTM_BLE_SEC_ENCRYPT;
990             break;
991 
992         case BTM_SEC_ENCRYPT_MITM:
993             BTM_TRACE_DEBUG ("%s Pairing with MITM needs to be done", __func__);
994             ble_sec_act = BTM_BLE_SEC_ENCRYPT_MITM;
995             break;
996 
997         case BTM_SEC_ENCRYPT_NO_MITM:
998             BTM_TRACE_DEBUG ("%s Pairing with No MITM needs to be done", __func__);
999             ble_sec_act = BTM_BLE_SEC_ENCRYPT_NO_MITM;
1000             break;
1001 
1002         case BTM_SEC_ENC_PENDING:
1003             BTM_TRACE_DEBUG ("%s Ecryption pending", __func__);
1004             break;
1005     }
1006 
1007     if (ble_sec_act == BTM_BLE_SEC_NONE)
1008         return status;
1009 
1010     tL2C_LCB *p_lcb = l2cu_find_lcb_by_bd_addr(bd_addr, BT_TRANSPORT_LE);
1011     p_lcb->sec_act = sec_act;
1012     BTM_SetEncryption(bd_addr, BT_TRANSPORT_LE, p_callback, p_ref_data, ble_sec_act);
1013 
1014     return FALSE;
1015 }
1016 
1017 /*******************************************************************************
1018 **
1019 ** Function         btm_ble_rand_enc_complete
1020 **
1021 ** Description      This function is the callback functions for HCI_Rand command
1022 **                  and HCI_Encrypt command is completed.
1023 **                  This message is received from the HCI.
1024 **
1025 ** Returns          void
1026 **
1027 *******************************************************************************/
btm_ble_rand_enc_complete(UINT8 * p,UINT16 op_code,tBTM_RAND_ENC_CB * p_enc_cplt_cback)1028 void btm_ble_rand_enc_complete (UINT8 *p, UINT16 op_code, tBTM_RAND_ENC_CB *p_enc_cplt_cback)
1029 {
1030     tBTM_RAND_ENC   params;
1031     UINT8           *p_dest = params.param_buf;
1032 
1033     BTM_TRACE_DEBUG ("btm_ble_rand_enc_complete");
1034 
1035     memset(&params, 0, sizeof(tBTM_RAND_ENC));
1036 
1037     /* If there was a callback address for vcs complete, call it */
1038     if (p_enc_cplt_cback && p)
1039     {
1040         /* Pass paramters to the callback function */
1041         STREAM_TO_UINT8(params.status, p); /* command status */
1042 
1043         if (params.status == HCI_SUCCESS)
1044         {
1045             params.opcode = op_code;
1046 
1047             if (op_code == HCI_BLE_RAND)
1048                 params.param_len = BT_OCTET8_LEN;
1049             else
1050                 params.param_len = BT_OCTET16_LEN;
1051 
1052             memcpy(p_dest, p, params.param_len);  /* Fetch return info from HCI event message */
1053         }
1054         if (p_enc_cplt_cback)
1055             (*p_enc_cplt_cback)(&params);  /* Call the Encryption complete callback function */
1056     }
1057 }
1058 
1059     #if (SMP_INCLUDED == TRUE)
1060 
1061 /*******************************************************************************
1062 **
1063 ** Function         btm_ble_get_enc_key_type
1064 **
1065 ** Description      This function is to increment local sign counter
1066 ** Returns         None
1067 **
1068 *******************************************************************************/
btm_ble_increment_sign_ctr(BD_ADDR bd_addr,BOOLEAN is_local)1069 void btm_ble_increment_sign_ctr(BD_ADDR bd_addr, BOOLEAN is_local )
1070 {
1071     tBTM_SEC_DEV_REC *p_dev_rec;
1072 
1073     BTM_TRACE_DEBUG ("btm_ble_increment_sign_ctr is_local=%d", is_local);
1074 
1075     if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
1076     {
1077         if (is_local)
1078             p_dev_rec->ble.keys.local_counter++;
1079         else
1080             p_dev_rec->ble.keys.counter++;
1081         BTM_TRACE_DEBUG ("is_local=%d local sign counter=%d peer sign counter=%d",
1082                           is_local,
1083                           p_dev_rec->ble.keys.local_counter,
1084                           p_dev_rec->ble.keys.counter);
1085     }
1086 }
1087 
1088 /*******************************************************************************
1089 **
1090 ** Function         btm_ble_get_enc_key_type
1091 **
1092 ** Description      This function is to get the BLE key type that has been exchanged
1093 **                  in betweem local device and peer device.
1094 **
1095 ** Returns          p_key_type: output parameter to carry the key type value.
1096 **
1097 *******************************************************************************/
btm_ble_get_enc_key_type(BD_ADDR bd_addr,UINT8 * p_key_types)1098 BOOLEAN btm_ble_get_enc_key_type(BD_ADDR bd_addr, UINT8 *p_key_types)
1099 {
1100     tBTM_SEC_DEV_REC *p_dev_rec;
1101 
1102     BTM_TRACE_DEBUG ("btm_ble_get_enc_key_type");
1103 
1104     if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
1105     {
1106         *p_key_types = p_dev_rec->ble.key_type;
1107         return TRUE;
1108     }
1109     return FALSE;
1110 }
1111 
1112 /*******************************************************************************
1113 **
1114 ** Function         btm_get_local_div
1115 **
1116 ** Description      This function is called to read the local DIV
1117 **
1118 ** Returns          TURE - if a valid DIV is availavle
1119 *******************************************************************************/
btm_get_local_div(BD_ADDR bd_addr,UINT16 * p_div)1120 BOOLEAN btm_get_local_div (BD_ADDR bd_addr, UINT16 *p_div)
1121 {
1122     tBTM_SEC_DEV_REC   *p_dev_rec;
1123     BOOLEAN            status = FALSE;
1124     BTM_TRACE_DEBUG ("btm_get_local_div");
1125 
1126     BTM_TRACE_DEBUG("bd_addr:%02x-%02x-%02x-%02x-%02x-%02x",
1127                      bd_addr[0],bd_addr[1],
1128                      bd_addr[2],bd_addr[3],
1129                      bd_addr[4],bd_addr[5]);
1130 
1131     *p_div = 0;
1132     p_dev_rec = btm_find_dev (bd_addr);
1133 
1134     if (p_dev_rec && p_dev_rec->ble.keys.div)
1135     {
1136         status = TRUE;
1137         *p_div = p_dev_rec->ble.keys.div;
1138     }
1139     BTM_TRACE_DEBUG ("btm_get_local_div status=%d (1-OK) DIV=0x%x", status, *p_div);
1140     return status;
1141 }
1142 
1143 /*******************************************************************************
1144 **
1145 ** Function         btm_sec_save_le_key
1146 **
1147 ** Description      This function is called by the SMP to update
1148 **                  an  BLE key.  SMP is internal, whereas all the keys shall
1149 **                  be sent to the application.  The function is also called
1150 **                  when application passes ble key stored in NVRAM to the btm_sec.
1151 **                  pass_to_application parameter is false in this case.
1152 **
1153 ** Returns          void
1154 **
1155 *******************************************************************************/
btm_sec_save_le_key(BD_ADDR bd_addr,tBTM_LE_KEY_TYPE key_type,tBTM_LE_KEY_VALUE * p_keys,BOOLEAN pass_to_application)1156 void btm_sec_save_le_key(BD_ADDR bd_addr, tBTM_LE_KEY_TYPE key_type, tBTM_LE_KEY_VALUE *p_keys,
1157                          BOOLEAN pass_to_application)
1158 {
1159     tBTM_SEC_DEV_REC *p_rec;
1160     tBTM_LE_EVT_DATA    cb_data;
1161     UINT8 i;
1162 
1163     BTM_TRACE_DEBUG ("btm_sec_save_le_key key_type=0x%x pass_to_application=%d",key_type, pass_to_application);
1164     /* Store the updated key in the device database */
1165 
1166     BTM_TRACE_DEBUG("bd_addr:%02x-%02x-%02x-%02x-%02x-%02x",
1167                      bd_addr[0],bd_addr[1],
1168                      bd_addr[2],bd_addr[3],
1169                      bd_addr[4],bd_addr[5]);
1170 
1171     if ((p_rec = btm_find_dev (bd_addr)) != NULL && (p_keys || key_type== BTM_LE_KEY_LID))
1172     {
1173         btm_ble_init_pseudo_addr (p_rec, bd_addr);
1174 
1175         switch (key_type)
1176         {
1177             case BTM_LE_KEY_PENC:
1178                 memcpy(p_rec->ble.keys.pltk, p_keys->penc_key.ltk, BT_OCTET16_LEN);
1179                 memcpy(p_rec->ble.keys.rand, p_keys->penc_key.rand, BT_OCTET8_LEN);
1180                 p_rec->ble.keys.sec_level = p_keys->penc_key.sec_level;
1181                 p_rec->ble.keys.ediv = p_keys->penc_key.ediv;
1182                 p_rec->ble.keys.key_size = p_keys->penc_key.key_size;
1183                 p_rec->ble.key_type |= BTM_LE_KEY_PENC;
1184                 p_rec->sec_flags |= BTM_SEC_LE_LINK_KEY_KNOWN;
1185                 if (p_keys->penc_key.sec_level == SMP_SEC_AUTHENTICATED)
1186                     p_rec->sec_flags |= BTM_SEC_LE_LINK_KEY_AUTHED;
1187                 else
1188                     p_rec->sec_flags &= ~BTM_SEC_LE_LINK_KEY_AUTHED;
1189                 BTM_TRACE_DEBUG("BTM_LE_KEY_PENC key_type=0x%x sec_flags=0x%x sec_leve=0x%x",
1190                                  p_rec->ble.key_type,
1191                                  p_rec->sec_flags,
1192                                  p_rec->ble.keys.sec_level);
1193                 break;
1194 
1195             case BTM_LE_KEY_PID:
1196                 for (i=0; i<BT_OCTET16_LEN; i++)
1197                 {
1198                     p_rec->ble.keys.irk[i] = p_keys->pid_key.irk[i];
1199                 }
1200 
1201                  //memcpy( p_rec->ble.keys.irk, p_keys->pid_key, BT_OCTET16_LEN); todo will crash the system
1202                 memcpy(p_rec->ble.static_addr, p_keys->pid_key.static_addr, BD_ADDR_LEN);
1203                 p_rec->ble.static_addr_type = p_keys->pid_key.addr_type;
1204                 p_rec->ble.key_type |= BTM_LE_KEY_PID;
1205                 BTM_TRACE_DEBUG("BTM_LE_KEY_PID key_type=0x%x save peer IRK",  p_rec->ble.key_type);
1206                  /* update device record address as static address */
1207                 memcpy(p_rec->bd_addr, p_keys->pid_key.static_addr, BD_ADDR_LEN);
1208                 /* combine DUMO device security record if needed */
1209                 btm_consolidate_dev(p_rec);
1210                 break;
1211 
1212             case BTM_LE_KEY_PCSRK:
1213                 memcpy(p_rec->ble.keys.pcsrk, p_keys->pcsrk_key.csrk, BT_OCTET16_LEN);
1214                 p_rec->ble.keys.srk_sec_level = p_keys->pcsrk_key.sec_level;
1215                 p_rec->ble.keys.counter  = p_keys->pcsrk_key.counter;
1216                 p_rec->ble.key_type |= BTM_LE_KEY_PCSRK;
1217                 p_rec->sec_flags |=  BTM_SEC_LE_LINK_KEY_KNOWN;
1218                 if ( p_keys->pcsrk_key.sec_level== SMP_SEC_AUTHENTICATED)
1219                     p_rec->sec_flags |= BTM_SEC_LE_LINK_KEY_AUTHED;
1220                 else
1221                     p_rec->sec_flags &= ~BTM_SEC_LE_LINK_KEY_AUTHED;
1222 
1223                 BTM_TRACE_DEBUG("BTM_LE_KEY_PCSRK key_type=0x%x sec_flags=0x%x sec_level=0x%x peer_counter=%d",
1224                                  p_rec->ble.key_type,
1225                                  p_rec->sec_flags,
1226                                  p_rec->ble.keys.srk_sec_level,
1227                                  p_rec->ble.keys.counter );
1228                 break;
1229 
1230             case BTM_LE_KEY_LENC:
1231                 memcpy(p_rec->ble.keys.lltk, p_keys->lenc_key.ltk, BT_OCTET16_LEN);
1232                 p_rec->ble.keys.div = p_keys->lenc_key.div; /* update DIV */
1233                 p_rec->ble.keys.sec_level = p_keys->lenc_key.sec_level;
1234                 p_rec->ble.keys.key_size = p_keys->lenc_key.key_size;
1235                 p_rec->ble.key_type |= BTM_LE_KEY_LENC;
1236 
1237                 BTM_TRACE_DEBUG("BTM_LE_KEY_LENC key_type=0x%x DIV=0x%x key_size=0x%x sec_level=0x%x",
1238                                  p_rec->ble.key_type,
1239                                  p_rec->ble.keys.div,
1240                                  p_rec->ble.keys.key_size,
1241                                  p_rec->ble.keys.sec_level );
1242                 break;
1243 
1244             case BTM_LE_KEY_LCSRK:/* local CSRK has been delivered */
1245                 memcpy (p_rec->ble.keys.lcsrk, p_keys->lcsrk_key.csrk, BT_OCTET16_LEN);
1246                 p_rec->ble.keys.div = p_keys->lcsrk_key.div; /* update DIV */
1247                 p_rec->ble.keys.local_csrk_sec_level = p_keys->lcsrk_key.sec_level;
1248                 p_rec->ble.keys.local_counter  = p_keys->lcsrk_key.counter;
1249                 p_rec->ble.key_type |= BTM_LE_KEY_LCSRK;
1250                 BTM_TRACE_DEBUG("BTM_LE_KEY_LCSRK key_type=0x%x DIV=0x%x scrk_sec_level=0x%x local_counter=%d",
1251                                  p_rec->ble.key_type,
1252                                  p_rec->ble.keys.div,
1253                                  p_rec->ble.keys.local_csrk_sec_level,
1254                                  p_rec->ble.keys.local_counter );
1255                 break;
1256 
1257             case BTM_LE_KEY_LID:
1258                p_rec->ble.key_type |= BTM_LE_KEY_LID;
1259                break;
1260             default:
1261                 BTM_TRACE_WARNING("btm_sec_save_le_key (Bad key_type 0x%02x)", key_type);
1262                 return;
1263         }
1264 
1265         BTM_TRACE_DEBUG ("BLE key type 0x%02x updated for BDA: %08x%04x (btm_sec_save_le_key)", key_type,
1266                           (bd_addr[0]<<24)+(bd_addr[1]<<16)+(bd_addr[2]<<8)+bd_addr[3],
1267                           (bd_addr[4]<<8)+bd_addr[5]);
1268 
1269         /* Notify the application that one of the BLE keys has been updated
1270            If link key is in progress, it will get sent later.*/
1271         if (pass_to_application && btm_cb.api.p_le_callback)
1272         {
1273             cb_data.key.p_key_value = p_keys;
1274             cb_data.key.key_type = key_type;
1275 
1276             (*btm_cb.api.p_le_callback) (BTM_LE_KEY_EVT, bd_addr, &cb_data);
1277         }
1278         return;
1279     }
1280 
1281     BTM_TRACE_WARNING ("BLE key type 0x%02x called for Unknown BDA or type: %08x%04x !! (btm_sec_save_le_key)", key_type,
1282                         (bd_addr[0]<<24)+(bd_addr[1]<<16)+(bd_addr[2]<<8)+bd_addr[3],
1283                         (bd_addr[4]<<8)+bd_addr[5]);
1284 
1285     if (p_rec)
1286     {
1287         BTM_TRACE_DEBUG ("sec_flags=0x%x", p_rec->sec_flags);
1288     }
1289 }
1290 
1291 /*******************************************************************************
1292 **
1293 ** Function         btm_ble_update_sec_key_size
1294 **
1295 ** Description      update the current lin kencryption key size
1296 **
1297 ** Returns          void
1298 **
1299 *******************************************************************************/
btm_ble_update_sec_key_size(BD_ADDR bd_addr,UINT8 enc_key_size)1300 void btm_ble_update_sec_key_size(BD_ADDR bd_addr, UINT8 enc_key_size)
1301 {
1302     tBTM_SEC_DEV_REC *p_rec;
1303 
1304     BTM_TRACE_DEBUG("btm_ble_update_sec_key_size enc_key_size = %d", enc_key_size);
1305 
1306     if ((p_rec = btm_find_dev (bd_addr)) != NULL )
1307     {
1308         p_rec->enc_key_size = enc_key_size;
1309     }
1310 }
1311 
1312 /*******************************************************************************
1313 **
1314 ** Function         btm_ble_read_sec_key_size
1315 **
1316 ** Description      update the current lin kencryption key size
1317 **
1318 ** Returns          void
1319 **
1320 *******************************************************************************/
btm_ble_read_sec_key_size(BD_ADDR bd_addr)1321 UINT8 btm_ble_read_sec_key_size(BD_ADDR bd_addr)
1322 {
1323     tBTM_SEC_DEV_REC *p_rec;
1324 
1325     if ((p_rec = btm_find_dev (bd_addr)) != NULL )
1326     {
1327         return p_rec->enc_key_size;
1328     }
1329     else
1330         return 0;
1331 }
1332 
1333 /*******************************************************************************
1334 **
1335 ** Function         btm_ble_link_sec_check
1336 **
1337 ** Description      Check BLE link security level match.
1338 **
1339 ** Returns          TRUE: check is OK and the *p_sec_req_act contain the action
1340 **
1341 *******************************************************************************/
btm_ble_link_sec_check(BD_ADDR bd_addr,tBTM_LE_AUTH_REQ auth_req,tBTM_BLE_SEC_REQ_ACT * p_sec_req_act)1342 void btm_ble_link_sec_check(BD_ADDR bd_addr, tBTM_LE_AUTH_REQ auth_req, tBTM_BLE_SEC_REQ_ACT *p_sec_req_act)
1343 {
1344     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr);
1345     UINT8 req_sec_level = BTM_LE_SEC_NONE, cur_sec_level = BTM_LE_SEC_NONE;
1346 
1347     BTM_TRACE_DEBUG ("btm_ble_link_sec_check auth_req =0x%x", auth_req);
1348 
1349     if (p_dev_rec == NULL)
1350     {
1351         BTM_TRACE_ERROR ("btm_ble_link_sec_check received for unknown device");
1352         return;
1353     }
1354 
1355     if (p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING ||
1356         p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING)
1357     {
1358         /* race condition: discard the security request while master is encrypting the link */
1359         *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_DISCARD;
1360     }
1361     else
1362     {
1363         req_sec_level = BTM_LE_SEC_UNAUTHENTICATE;
1364         if (auth_req & BTM_LE_AUTH_REQ_MITM)
1365         {
1366             req_sec_level = BTM_LE_SEC_AUTHENTICATED;
1367         }
1368 
1369         BTM_TRACE_DEBUG ("dev_rec sec_flags=0x%x", p_dev_rec->sec_flags);
1370 
1371         /* currently encrpted  */
1372         if (p_dev_rec->sec_flags & BTM_SEC_LE_ENCRYPTED)
1373         {
1374             if (p_dev_rec->sec_flags & BTM_SEC_LE_AUTHENTICATED)
1375                 cur_sec_level = BTM_LE_SEC_AUTHENTICATED;
1376             else
1377                 cur_sec_level = BTM_LE_SEC_UNAUTHENTICATE;
1378         }
1379         else /* unencrypted link */
1380         {
1381             /* if bonded, get the key security level */
1382             if (p_dev_rec->ble.key_type & BTM_LE_KEY_PENC)
1383                 cur_sec_level = p_dev_rec->ble.keys.sec_level;
1384             else
1385                 cur_sec_level = BTM_LE_SEC_NONE;
1386         }
1387 
1388         if (cur_sec_level >= req_sec_level)
1389         {
1390             /* To avoid re-encryption on an encrypted link for an equal condition encryption */
1391             *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_ENCRYPT;
1392         }
1393         else
1394         {
1395             *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_PAIR; /* start the pariring process to upgrade the keys*/
1396         }
1397     }
1398 
1399     BTM_TRACE_DEBUG("cur_sec_level=%d req_sec_level=%d sec_req_act=%d",
1400                      cur_sec_level,
1401                      req_sec_level,
1402                      *p_sec_req_act);
1403 
1404 }
1405 
1406 /*******************************************************************************
1407 **
1408 ** Function         btm_ble_set_encryption
1409 **
1410 ** Description      This function is called to ensure that LE connection is
1411 **                  encrypted.  Should be called only on an open connection.
1412 **                  Typically only needed for connections that first want to
1413 **                  bring up unencrypted links, then later encrypt them.
1414 **
1415 ** Returns          void
1416 **                  the local device ER is copied into er
1417 **
1418 *******************************************************************************/
btm_ble_set_encryption(BD_ADDR bd_addr,tBTM_BLE_SEC_ACT sec_act,UINT8 link_role)1419 tBTM_STATUS btm_ble_set_encryption (BD_ADDR bd_addr, tBTM_BLE_SEC_ACT sec_act, UINT8 link_role)
1420 {
1421     tBTM_STATUS         cmd = BTM_NO_RESOURCES;
1422     tBTM_SEC_DEV_REC    *p_rec = btm_find_dev (bd_addr);
1423     tBTM_BLE_SEC_REQ_ACT sec_req_act;
1424     tBTM_LE_AUTH_REQ    auth_req;
1425 
1426     if (p_rec == NULL)
1427     {
1428         BTM_TRACE_WARNING ("btm_ble_set_encryption (NULL device record!! sec_act=0x%x", sec_act);
1429         return(BTM_WRONG_MODE);
1430     }
1431 
1432     BTM_TRACE_DEBUG ("btm_ble_set_encryption sec_act=0x%x role_master=%d", sec_act, p_rec->role_master);
1433 
1434     if (sec_act == BTM_BLE_SEC_ENCRYPT_MITM)
1435     {
1436         p_rec->security_required |= BTM_SEC_IN_MITM;
1437     }
1438 
1439     switch (sec_act)
1440     {
1441         case BTM_BLE_SEC_ENCRYPT:
1442             if (link_role == BTM_ROLE_MASTER)
1443             {
1444                     /* start link layer encryption using the security info stored */
1445                 cmd = btm_ble_start_encrypt(bd_addr, FALSE, NULL);
1446                 break;
1447             }
1448             /* if salve role then fall through to call SMP_Pair below which will send a
1449                sec_request to request the master to encrypt the link */
1450         case BTM_BLE_SEC_ENCRYPT_NO_MITM:
1451         case BTM_BLE_SEC_ENCRYPT_MITM:
1452             auth_req = (sec_act == BTM_BLE_SEC_ENCRYPT_NO_MITM)
1453                        ? SMP_AUTH_GEN_BOND : (SMP_AUTH_GEN_BOND | SMP_AUTH_YN_BIT);
1454             btm_ble_link_sec_check (bd_addr, auth_req, &sec_req_act);
1455             if(sec_req_act == BTM_BLE_SEC_REQ_ACT_NONE || sec_req_act == BTM_BLE_SEC_REQ_ACT_DISCARD)
1456             {
1457                 BTM_TRACE_DEBUG("%s, no action needed. Ignore", __func__);
1458                 cmd = BTM_SUCCESS;
1459                 break;
1460             }
1461             if (link_role == BTM_ROLE_MASTER)
1462             {
1463 
1464                 if (sec_req_act == BTM_BLE_SEC_REQ_ACT_ENCRYPT)
1465                 {
1466                    cmd = btm_ble_start_encrypt(bd_addr, FALSE, NULL);
1467                    break;
1468                 }
1469             }
1470 
1471             if (SMP_Pair(bd_addr) == SMP_STARTED)
1472             {
1473                 cmd = BTM_CMD_STARTED;
1474                 p_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING;
1475             }
1476             break;
1477 
1478         default:
1479             cmd = BTM_WRONG_MODE;
1480             break;
1481     }
1482     return cmd;
1483 }
1484 
1485 /*******************************************************************************
1486 **
1487 ** Function         btm_ble_ltk_request
1488 **
1489 ** Description      This function is called when encryption request is received
1490 **                  on a slave device.
1491 **
1492 **
1493 ** Returns          void
1494 **
1495 *******************************************************************************/
btm_ble_ltk_request(UINT16 handle,UINT8 rand[8],UINT16 ediv)1496 void btm_ble_ltk_request(UINT16 handle, UINT8 rand[8], UINT16 ediv)
1497 {
1498     tBTM_CB *p_cb = &btm_cb;
1499     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle);
1500     BT_OCTET8 dummy_stk = {0};
1501 
1502     BTM_TRACE_DEBUG ("btm_ble_ltk_request");
1503 
1504     p_cb->ediv = ediv;
1505 
1506     memcpy(p_cb->enc_rand, rand, BT_OCTET8_LEN);
1507 
1508     if (p_dev_rec != NULL)
1509     {
1510         if (!smp_proc_ltk_request(p_dev_rec->bd_addr))
1511             btm_ble_ltk_request_reply(p_dev_rec->bd_addr, FALSE, dummy_stk);
1512     }
1513 
1514 }
1515 
1516 /*******************************************************************************
1517 **
1518 ** Function         btm_ble_start_encrypt
1519 **
1520 ** Description      This function is called to start LE encryption.
1521 **
1522 **
1523 ** Returns          BTM_SUCCESS if encryption was started successfully
1524 **
1525 *******************************************************************************/
btm_ble_start_encrypt(BD_ADDR bda,BOOLEAN use_stk,BT_OCTET16 stk)1526 tBTM_STATUS btm_ble_start_encrypt(BD_ADDR bda, BOOLEAN use_stk, BT_OCTET16 stk)
1527 {
1528     tBTM_CB *p_cb = &btm_cb;
1529     tBTM_SEC_DEV_REC    *p_rec = btm_find_dev (bda);
1530     BT_OCTET8    dummy_rand = {0};
1531     tBTM_STATUS  rt = BTM_NO_RESOURCES;
1532 
1533     BTM_TRACE_DEBUG ("btm_ble_start_encrypt");
1534 
1535     if (!p_rec )
1536     {
1537         BTM_TRACE_ERROR("Link is not active, can not encrypt!");
1538         return BTM_WRONG_MODE;
1539     }
1540 
1541     if (p_rec->sec_state == BTM_SEC_STATE_ENCRYPTING)
1542     {
1543         BTM_TRACE_WARNING("Link Encryption is active, Busy!");
1544         return BTM_BUSY;
1545     }
1546 
1547     p_cb->enc_handle = p_rec->ble_hci_handle;
1548 
1549     if (use_stk)
1550     {
1551         if (btsnd_hcic_ble_start_enc(p_rec->ble_hci_handle, dummy_rand, 0, stk))
1552             rt = BTM_CMD_STARTED;
1553     }
1554     else if (p_rec->ble.key_type & BTM_LE_KEY_PENC)
1555     {
1556         if (btsnd_hcic_ble_start_enc(p_rec->ble_hci_handle, p_rec->ble.keys.rand,
1557                                      p_rec->ble.keys.ediv, p_rec->ble.keys.pltk))
1558             rt = BTM_CMD_STARTED;
1559     }
1560     else
1561     {
1562         BTM_TRACE_ERROR("No key available to encrypt the link");
1563     }
1564     if (rt == BTM_CMD_STARTED)
1565     {
1566         if (p_rec->sec_state == BTM_SEC_STATE_IDLE)
1567             p_rec->sec_state = BTM_SEC_STATE_ENCRYPTING;
1568     }
1569 
1570     return rt;
1571 }
1572 
1573 /*******************************************************************************
1574 **
1575 ** Function         btm_ble_link_encrypted
1576 **
1577 ** Description      This function is called when LE link encrption status is changed.
1578 **
1579 ** Returns          void
1580 **
1581 *******************************************************************************/
btm_ble_link_encrypted(BD_ADDR bd_addr,UINT8 encr_enable)1582 void btm_ble_link_encrypted(BD_ADDR bd_addr, UINT8 encr_enable)
1583 {
1584     tBTM_SEC_DEV_REC    *p_dev_rec = btm_find_dev (bd_addr);
1585     BOOLEAN             enc_cback;
1586 
1587     if (!p_dev_rec)
1588     {
1589         BTM_TRACE_WARNING ("btm_ble_link_encrypted (No Device Found!) encr_enable=%d", encr_enable);
1590         return;
1591     }
1592 
1593     BTM_TRACE_DEBUG ("btm_ble_link_encrypted encr_enable=%d", encr_enable);
1594 
1595     enc_cback = (p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING);
1596 
1597     smp_link_encrypted(bd_addr, encr_enable);
1598 
1599     BTM_TRACE_DEBUG(" p_dev_rec->sec_flags=0x%x", p_dev_rec->sec_flags);
1600 
1601     if (encr_enable && p_dev_rec->enc_key_size == 0)
1602         p_dev_rec->enc_key_size = p_dev_rec->ble.keys.key_size;
1603 
1604     p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
1605     if (p_dev_rec->p_callback && enc_cback)
1606     {
1607         if (encr_enable)
1608             btm_sec_dev_rec_cback_event(p_dev_rec, BTM_SUCCESS, TRUE);
1609         else if (p_dev_rec->role_master)
1610             btm_sec_dev_rec_cback_event(p_dev_rec, BTM_ERR_PROCESSING, TRUE);
1611 
1612     }
1613     /* to notify GATT to send data if any request is pending */
1614     gatt_notify_enc_cmpl(p_dev_rec->ble.pseudo_addr);
1615 }
1616 
1617 /*******************************************************************************
1618 **
1619 ** Function         btm_ble_ltk_request_reply
1620 **
1621 ** Description      This function is called to send a LTK request reply on a slave
1622 **                  device.
1623 **
1624 ** Returns          void
1625 **
1626 *******************************************************************************/
btm_ble_ltk_request_reply(BD_ADDR bda,BOOLEAN use_stk,BT_OCTET16 stk)1627 void btm_ble_ltk_request_reply(BD_ADDR bda,  BOOLEAN use_stk, BT_OCTET16 stk)
1628 {
1629     tBTM_SEC_DEV_REC    *p_rec = btm_find_dev (bda);
1630     tBTM_CB *p_cb = &btm_cb;
1631 
1632     if (p_rec == NULL)
1633     {
1634         BTM_TRACE_ERROR("btm_ble_ltk_request_reply received for unknown device");
1635         return;
1636     }
1637 
1638     BTM_TRACE_DEBUG ("btm_ble_ltk_request_reply");
1639     p_cb->enc_handle = p_rec->ble_hci_handle;
1640     p_cb->key_size = p_rec->ble.keys.key_size;
1641 
1642     BTM_TRACE_ERROR("key size = %d", p_rec->ble.keys.key_size);
1643     if (use_stk)
1644     {
1645         btsnd_hcic_ble_ltk_req_reply(btm_cb.enc_handle, stk);
1646     }
1647     else /* calculate LTK using peer device  */
1648     {
1649         if (p_rec->ble.key_type & BTM_LE_KEY_LENC)
1650             btsnd_hcic_ble_ltk_req_reply(btm_cb.enc_handle, p_rec->ble.keys.lltk);
1651         else
1652             btsnd_hcic_ble_ltk_req_neg_reply(btm_cb.enc_handle);
1653     }
1654 }
1655 
1656 /*******************************************************************************
1657 **
1658 ** Function         btm_ble_io_capabilities_req
1659 **
1660 ** Description      This function is called to handle SMP get IO capability request.
1661 **
1662 ** Returns          void
1663 **
1664 *******************************************************************************/
btm_ble_io_capabilities_req(tBTM_SEC_DEV_REC * p_dev_rec,tBTM_LE_IO_REQ * p_data)1665 UINT8 btm_ble_io_capabilities_req(tBTM_SEC_DEV_REC *p_dev_rec, tBTM_LE_IO_REQ *p_data)
1666 {
1667     UINT8           callback_rc = BTM_SUCCESS;
1668     BTM_TRACE_DEBUG ("btm_ble_io_capabilities_req");
1669     if (btm_cb.api.p_le_callback)
1670     {
1671         /* the callback function implementation may change the IO capability... */
1672         callback_rc = (*btm_cb.api.p_le_callback) (BTM_LE_IO_REQ_EVT, p_dev_rec->bd_addr, (tBTM_LE_EVT_DATA *)p_data);
1673     }
1674     if ((callback_rc == BTM_SUCCESS) || (BTM_OOB_UNKNOWN != p_data->oob_data))
1675     {
1676 #if BTM_BLE_CONFORMANCE_TESTING == TRUE
1677         if (btm_cb.devcb.keep_rfu_in_auth_req)
1678         {
1679             BTM_TRACE_DEBUG ("btm_ble_io_capabilities_req keep_rfu_in_auth_req = %u",
1680                 btm_cb.devcb.keep_rfu_in_auth_req);
1681             p_data->auth_req &= BTM_LE_AUTH_REQ_MASK_KEEP_RFU;
1682             btm_cb.devcb.keep_rfu_in_auth_req = FALSE;
1683         }
1684         else
1685         {   /* default */
1686             p_data->auth_req &= BTM_LE_AUTH_REQ_MASK;
1687         }
1688 #else
1689         p_data->auth_req &= BTM_LE_AUTH_REQ_MASK;
1690 #endif
1691 
1692         BTM_TRACE_DEBUG ("btm_ble_io_capabilities_req 1: p_dev_rec->security_required = %d auth_req:%d",
1693                           p_dev_rec->security_required, p_data->auth_req);
1694         BTM_TRACE_DEBUG ("btm_ble_io_capabilities_req 2: i_keys=0x%x r_keys=0x%x (bit 0-LTK 1-IRK 2-CSRK)",
1695                           p_data->init_keys,
1696                           p_data->resp_keys);
1697 
1698         /* if authentication requires MITM protection, put on the mask */
1699         if (p_dev_rec->security_required & BTM_SEC_IN_MITM)
1700             p_data->auth_req |= BTM_LE_AUTH_REQ_MITM;
1701 
1702         if (!(p_data->auth_req & SMP_AUTH_BOND))
1703         {
1704             BTM_TRACE_DEBUG("Non bonding: No keys should be exchanged");
1705             p_data->init_keys = 0;
1706             p_data->resp_keys = 0;
1707         }
1708 
1709         BTM_TRACE_DEBUG ("btm_ble_io_capabilities_req 3: auth_req:%d", p_data->auth_req);
1710         BTM_TRACE_DEBUG ("btm_ble_io_capabilities_req 4: i_keys=0x%x r_keys=0x%x",
1711                           p_data->init_keys,
1712                           p_data->resp_keys);
1713 
1714         BTM_TRACE_DEBUG ("btm_ble_io_capabilities_req 5: p_data->io_cap = %d auth_req:%d",
1715                           p_data->io_cap, p_data->auth_req);
1716 
1717         /* remove MITM protection requirement if IO cap does not allow it */
1718         if ((p_data->io_cap == BTM_IO_CAP_NONE) && p_data->oob_data == SMP_OOB_NONE)
1719             p_data->auth_req &= ~BTM_LE_AUTH_REQ_MITM;
1720 
1721         if (!(p_data->auth_req & SMP_SC_SUPPORT_BIT))
1722         {
1723             /* if Secure Connections are not supported then remove LK derivation,
1724             ** and keypress notifications.
1725             */
1726             BTM_TRACE_DEBUG("%s-SC not supported -> No LK derivation, no keypress notifications",
1727                             __func__);
1728             p_data->auth_req &= ~SMP_KP_SUPPORT_BIT;
1729             p_data->init_keys &= ~SMP_SEC_KEY_TYPE_LK;
1730             p_data->resp_keys &= ~SMP_SEC_KEY_TYPE_LK;
1731         }
1732 
1733         BTM_TRACE_DEBUG ("btm_ble_io_capabilities_req 6: IO_CAP:%d oob_data:%d auth_req:0x%02x",
1734                           p_data->io_cap, p_data->oob_data, p_data->auth_req);
1735     }
1736     return callback_rc;
1737 }
1738 
1739 /*******************************************************************************
1740 **
1741 ** Function         btm_ble_br_keys_req
1742 **
1743 ** Description      This function is called to handle SMP request for keys sent
1744 **                  over BR/EDR.
1745 **
1746 ** Returns          void
1747 **
1748 *******************************************************************************/
btm_ble_br_keys_req(tBTM_SEC_DEV_REC * p_dev_rec,tBTM_LE_IO_REQ * p_data)1749 UINT8 btm_ble_br_keys_req(tBTM_SEC_DEV_REC *p_dev_rec, tBTM_LE_IO_REQ *p_data)
1750 {
1751     UINT8           callback_rc = BTM_SUCCESS;
1752     BTM_TRACE_DEBUG ("%s", __func__);
1753     if (btm_cb.api.p_le_callback)
1754     {
1755         /* the callback function implementation may change the IO capability... */
1756         callback_rc = (*btm_cb.api.p_le_callback) (BTM_LE_IO_REQ_EVT, p_dev_rec->bd_addr,
1757                                                   (tBTM_LE_EVT_DATA *)p_data);
1758     }
1759 
1760     return callback_rc;
1761 }
1762 
1763 #if (BLE_PRIVACY_SPT == TRUE )
1764 /*******************************************************************************
1765 **
1766 ** Function         btm_ble_resolve_random_addr_on_conn_cmpl
1767 **
1768 ** Description      resolve random address complete on connection complete event.
1769 **
1770 ** Returns          void
1771 **
1772 *******************************************************************************/
btm_ble_resolve_random_addr_on_conn_cmpl(void * p_rec,void * p_data)1773 static void btm_ble_resolve_random_addr_on_conn_cmpl(void * p_rec, void *p_data)
1774 {
1775     UINT8   *p = (UINT8 *)p_data;
1776     tBTM_SEC_DEV_REC    *match_rec = (tBTM_SEC_DEV_REC *) p_rec;
1777     UINT8       role, bda_type;
1778     UINT16      handle;
1779     BD_ADDR     bda;
1780     UINT16      conn_interval, conn_latency, conn_timeout;
1781     BOOLEAN     match = FALSE;
1782 
1783     ++p;
1784     STREAM_TO_UINT16   (handle, p);
1785     STREAM_TO_UINT8    (role, p);
1786     STREAM_TO_UINT8    (bda_type, p);
1787     STREAM_TO_BDADDR   (bda, p);
1788     STREAM_TO_UINT16   (conn_interval, p);
1789     STREAM_TO_UINT16   (conn_latency, p);
1790     STREAM_TO_UINT16   (conn_timeout, p);
1791 
1792     handle = HCID_GET_HANDLE (handle);
1793 
1794     BTM_TRACE_EVENT ("%s", __func__);
1795 
1796     if (match_rec)
1797     {
1798         LOG_INFO(LOG_TAG, "%s matched and resolved random address", __func__);
1799         match = TRUE;
1800         match_rec->ble.active_addr_type = BTM_BLE_ADDR_RRA;
1801         memcpy(match_rec->ble.cur_rand_addr, bda, BD_ADDR_LEN);
1802         if (!btm_ble_init_pseudo_addr (match_rec, bda))
1803         {
1804             /* assign the original address to be the current report address */
1805             memcpy(bda, match_rec->ble.pseudo_addr, BD_ADDR_LEN);
1806         }
1807         else
1808         {
1809             memcpy(bda, match_rec->bd_addr, BD_ADDR_LEN);
1810         }
1811     }
1812     else
1813     {
1814         LOG_INFO(LOG_TAG, "%s unable to match and resolve random address", __func__);
1815     }
1816 
1817     btm_ble_connected(bda, handle, HCI_ENCRYPT_MODE_DISABLED, role, bda_type, match);
1818 
1819     l2cble_conn_comp (handle, role, bda, bda_type, conn_interval,
1820                       conn_latency, conn_timeout);
1821 
1822     return;
1823 }
1824 #endif
1825 
1826 /*******************************************************************************
1827 **
1828 ** Function         btm_ble_connected
1829 **
1830 ** Description      This function is when a LE connection to the peer device is
1831 **                  establsihed
1832 **
1833 ** Returns          void
1834 **
1835 *******************************************************************************/
btm_ble_connected(UINT8 * bda,UINT16 handle,UINT8 enc_mode,UINT8 role,tBLE_ADDR_TYPE addr_type,BOOLEAN addr_matched)1836 void btm_ble_connected (UINT8 *bda, UINT16 handle, UINT8 enc_mode, UINT8 role,
1837                         tBLE_ADDR_TYPE addr_type, BOOLEAN addr_matched)
1838 {
1839     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bda);
1840     tBTM_BLE_CB *p_cb = &btm_cb.ble_ctr_cb;
1841     UNUSED(addr_matched);
1842 
1843     BTM_TRACE_EVENT ("btm_ble_connected");
1844 
1845     /* Commenting out trace due to obf/compilation problems.
1846     */
1847 #if (BT_USE_TRACES == TRUE)
1848     if (p_dev_rec)
1849     {
1850         BTM_TRACE_EVENT ("Security Manager: btm_ble_connected :  handle:%d  enc_mode:%d  bda:%x RName:%s",
1851                           handle,  enc_mode,
1852                           (bda[2]<<24)+(bda[3]<<16)+(bda[4]<<8)+bda[5],
1853                           p_dev_rec->sec_bd_name);
1854 
1855         BTM_TRACE_DEBUG ("btm_ble_connected sec_flags=0x%x",p_dev_rec->sec_flags);
1856     }
1857     else
1858     {
1859         BTM_TRACE_EVENT ("Security Manager: btm_ble_connected:   handle:%d  enc_mode:%d  bda:%x ",
1860                           handle,  enc_mode,
1861                           (bda[2]<<24)+(bda[3]<<16)+(bda[4]<<8)+bda[5]);
1862     }
1863 #endif
1864 
1865     if (!p_dev_rec)
1866     {
1867         /* There is no device record for new connection.  Allocate one */
1868         if ((p_dev_rec = btm_sec_alloc_dev (bda)) == NULL)
1869             return;
1870     }
1871     else    /* Update the timestamp for this device */
1872     {
1873         p_dev_rec->timestamp = btm_cb.dev_rec_count++;
1874     }
1875 
1876     /* update device information */
1877     p_dev_rec->device_type |= BT_DEVICE_TYPE_BLE;
1878     p_dev_rec->ble_hci_handle = handle;
1879     p_dev_rec->ble.ble_addr_type = addr_type;
1880     /* update pseudo address */
1881     memcpy(p_dev_rec->ble.pseudo_addr, bda, BD_ADDR_LEN);
1882 
1883     p_dev_rec->role_master = FALSE;
1884     if (role == HCI_ROLE_MASTER)
1885         p_dev_rec->role_master = TRUE;
1886 
1887 #if (defined BLE_PRIVACY_SPT && BLE_PRIVACY_SPT == TRUE)
1888     if (!addr_matched)
1889         p_dev_rec->ble.active_addr_type = BTM_BLE_ADDR_PSEUDO;
1890 
1891     if (p_dev_rec->ble.ble_addr_type == BLE_ADDR_RANDOM && !addr_matched)
1892         memcpy(p_dev_rec->ble.cur_rand_addr, bda, BD_ADDR_LEN);
1893 #endif
1894 
1895     p_cb->inq_var.directed_conn = BTM_BLE_CONNECT_EVT;
1896 
1897     return;
1898 }
1899 
1900 /*****************************************************************************
1901 **  Function        btm_ble_conn_complete
1902 **
1903 **  Description     LE connection complete.
1904 **
1905 ******************************************************************************/
btm_ble_conn_complete(UINT8 * p,UINT16 evt_len,BOOLEAN enhanced)1906 void btm_ble_conn_complete(UINT8 *p, UINT16 evt_len, BOOLEAN enhanced)
1907 {
1908 #if (BLE_PRIVACY_SPT == TRUE )
1909     UINT8       *p_data = p, peer_addr_type;
1910     BD_ADDR     local_rpa, peer_rpa;
1911 #endif
1912     UINT8       role, status, bda_type;
1913     UINT16      handle;
1914     BD_ADDR     bda;
1915     UINT16      conn_interval, conn_latency, conn_timeout;
1916     BOOLEAN     match = FALSE;
1917     UNUSED(evt_len);
1918 
1919     STREAM_TO_UINT8   (status, p);
1920     STREAM_TO_UINT16   (handle, p);
1921     STREAM_TO_UINT8    (role, p);
1922     STREAM_TO_UINT8    (bda_type, p);
1923     STREAM_TO_BDADDR   (bda, p);
1924 
1925     if (status == 0)
1926     {
1927 #if (BLE_PRIVACY_SPT == TRUE )
1928         peer_addr_type = bda_type;
1929         match = btm_identity_addr_to_random_pseudo (bda, &bda_type, TRUE);
1930 
1931         if (enhanced)
1932         {
1933             STREAM_TO_BDADDR   (local_rpa, p);
1934             STREAM_TO_BDADDR   (peer_rpa, p);
1935         }
1936 
1937         /* possiblly receive connection complete with resolvable random while
1938            the device has been paired */
1939         if (!match && BTM_BLE_IS_RESOLVE_BDA(bda))
1940         {
1941             btm_ble_resolve_random_addr(bda, btm_ble_resolve_random_addr_on_conn_cmpl, p_data);
1942         }
1943         else
1944 #endif
1945         {
1946             STREAM_TO_UINT16   (conn_interval, p);
1947             STREAM_TO_UINT16   (conn_latency, p);
1948             STREAM_TO_UINT16   (conn_timeout, p);
1949             handle = HCID_GET_HANDLE (handle);
1950 
1951             btm_ble_connected(bda, handle, HCI_ENCRYPT_MODE_DISABLED, role, bda_type, match);
1952 
1953             l2cble_conn_comp (handle, role, bda, bda_type, conn_interval,
1954                               conn_latency, conn_timeout);
1955 
1956 #if (BLE_PRIVACY_SPT == TRUE)
1957             if (enhanced)
1958             {
1959                 btm_ble_refresh_local_resolvable_private_addr(bda, local_rpa);
1960 
1961                 if (peer_addr_type & BLE_ADDR_TYPE_ID_BIT)
1962                     btm_ble_refresh_peer_resolvable_private_addr(bda, peer_rpa, BLE_ADDR_RANDOM);
1963             }
1964 #endif
1965         }
1966     }
1967     else
1968     {
1969         role = HCI_ROLE_UNKNOWN;
1970         if (status != HCI_ERR_DIRECTED_ADVERTISING_TIMEOUT)
1971         {
1972             btm_ble_set_conn_st(BLE_CONN_IDLE);
1973 #if (defined BLE_PRIVACY_SPT && BLE_PRIVACY_SPT == TRUE)
1974             btm_ble_disable_resolving_list(BTM_BLE_RL_INIT, TRUE);
1975 #endif
1976         }
1977         else
1978         {
1979 #if (defined BLE_PRIVACY_SPT && BLE_PRIVACY_SPT == TRUE)
1980             btm_cb.ble_ctr_cb.inq_var.adv_mode  = BTM_BLE_ADV_DISABLE;
1981             btm_ble_disable_resolving_list(BTM_BLE_RL_ADV, TRUE);
1982 #endif
1983         }
1984     }
1985 
1986     btm_ble_update_mode_operation(role, bda, status);
1987 }
1988 
1989 /*****************************************************************************
1990 ** Function btm_ble_create_ll_conn_complete
1991 **
1992 ** Description LE connection complete.
1993 **
1994 ******************************************************************************/
btm_ble_create_ll_conn_complete(UINT8 status)1995 void btm_ble_create_ll_conn_complete (UINT8 status)
1996 {
1997     if (status != HCI_SUCCESS)
1998     {
1999         btm_ble_set_conn_st(BLE_CONN_IDLE);
2000         btm_ble_update_mode_operation(HCI_ROLE_UNKNOWN, NULL, status);
2001     }
2002 }
2003 /*****************************************************************************
2004 **  Function        btm_proc_smp_cback
2005 **
2006 **  Description     This function is the SMP callback handler.
2007 **
2008 ******************************************************************************/
btm_proc_smp_cback(tSMP_EVT event,BD_ADDR bd_addr,tSMP_EVT_DATA * p_data)2009 UINT8 btm_proc_smp_cback(tSMP_EVT event, BD_ADDR bd_addr, tSMP_EVT_DATA *p_data)
2010 {
2011     tBTM_SEC_DEV_REC    *p_dev_rec = btm_find_dev (bd_addr);
2012     UINT8 res = 0;
2013 
2014     BTM_TRACE_DEBUG ("btm_proc_smp_cback event = %d", event);
2015 
2016     if (p_dev_rec != NULL)
2017     {
2018         switch (event)
2019         {
2020             case SMP_IO_CAP_REQ_EVT:
2021                 btm_ble_io_capabilities_req(p_dev_rec, (tBTM_LE_IO_REQ *)&p_data->io_req);
2022                 break;
2023 
2024             case SMP_BR_KEYS_REQ_EVT:
2025                 btm_ble_br_keys_req(p_dev_rec, (tBTM_LE_IO_REQ *)&p_data->io_req);
2026                 break;
2027 
2028             case SMP_PASSKEY_REQ_EVT:
2029             case SMP_PASSKEY_NOTIF_EVT:
2030             case SMP_OOB_REQ_EVT:
2031             case SMP_NC_REQ_EVT:
2032             case SMP_SC_OOB_REQ_EVT:
2033                 /* fall through */
2034                 p_dev_rec->sec_flags |= BTM_SEC_LE_AUTHENTICATED;
2035 
2036             case SMP_SEC_REQUEST_EVT:
2037                 if (event == SMP_SEC_REQUEST_EVT && btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
2038                 {
2039                     BTM_TRACE_DEBUG("%s: Ignoring SMP Security request", __func__);
2040                     break;
2041                 }
2042                 memcpy (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN);
2043                 p_dev_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING;
2044                 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_LE_ACTIVE;
2045                 /* fall through */
2046 
2047             case SMP_COMPLT_EVT:
2048                 if (btm_cb.api.p_le_callback)
2049                 {
2050                     /* the callback function implementation may change the IO capability... */
2051                     BTM_TRACE_DEBUG ("btm_cb.api.p_le_callback=0x%x", btm_cb.api.p_le_callback );
2052                    (*btm_cb.api.p_le_callback) (event, bd_addr, (tBTM_LE_EVT_DATA *)p_data);
2053                 }
2054 
2055                 if (event == SMP_COMPLT_EVT)
2056                 {
2057                     BTM_TRACE_DEBUG ("evt=SMP_COMPLT_EVT before update sec_level=0x%x sec_flags=0x%x", p_data->cmplt.sec_level , p_dev_rec->sec_flags );
2058 
2059                     res = (p_data->cmplt.reason == SMP_SUCCESS) ? BTM_SUCCESS : BTM_ERR_PROCESSING;
2060 
2061                     BTM_TRACE_DEBUG ("after update result=%d sec_level=0x%x sec_flags=0x%x",
2062                                       res, p_data->cmplt.sec_level , p_dev_rec->sec_flags );
2063 
2064                     if (p_data->cmplt.is_pair_cancel && btm_cb.api.p_bond_cancel_cmpl_callback )
2065                     {
2066                         BTM_TRACE_DEBUG ("Pairing Cancel completed");
2067                         (*btm_cb.api.p_bond_cancel_cmpl_callback)(BTM_SUCCESS);
2068                     }
2069 #if BTM_BLE_CONFORMANCE_TESTING == TRUE
2070                     if (res != BTM_SUCCESS)
2071                     {
2072                         if (!btm_cb.devcb.no_disc_if_pair_fail && p_data->cmplt.reason != SMP_CONN_TOUT)
2073                         {
2074                             BTM_TRACE_DEBUG ("Pairing failed - prepare to remove ACL");
2075                             l2cu_start_post_bond_timer(p_dev_rec->ble_hci_handle);
2076                         }
2077                         else
2078                         {
2079                             BTM_TRACE_DEBUG ("Pairing failed - Not Removing ACL");
2080                             p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
2081                         }
2082                     }
2083 #else
2084                     if (res != BTM_SUCCESS && p_data->cmplt.reason != SMP_CONN_TOUT)
2085                     {
2086                         BTM_TRACE_DEBUG ("Pairing failed - prepare to remove ACL");
2087                         l2cu_start_post_bond_timer(p_dev_rec->ble_hci_handle);
2088                     }
2089 #endif
2090 
2091                     BTM_TRACE_DEBUG ("btm_cb pairing_state=%x pairing_flags=%x pin_code_len=%x",
2092                                       btm_cb.pairing_state,
2093                                       btm_cb.pairing_flags,
2094                                       btm_cb.pin_code_len  );
2095                     BTM_TRACE_DEBUG ("btm_cb.pairing_bda %02x:%02x:%02x:%02x:%02x:%02x",
2096                                       btm_cb.pairing_bda[0], btm_cb.pairing_bda[1], btm_cb.pairing_bda[2],
2097                                       btm_cb.pairing_bda[3], btm_cb.pairing_bda[4], btm_cb.pairing_bda[5]);
2098 
2099                     /* Reset btm state only if the callback address matches pairing address*/
2100                     if(memcmp(bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN) == 0)
2101                     {
2102                         memset (btm_cb.pairing_bda, 0xff, BD_ADDR_LEN);
2103                         btm_cb.pairing_state = BTM_PAIR_STATE_IDLE;
2104                         btm_cb.pairing_flags = 0;
2105                     }
2106 
2107                     if (res == BTM_SUCCESS)
2108                     {
2109                         p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
2110 #if (defined BLE_PRIVACY_SPT && BLE_PRIVACY_SPT == TRUE)
2111                         /* add all bonded device into resolving list if IRK is available*/
2112                         btm_ble_resolving_list_load_dev(p_dev_rec);
2113 #endif
2114                     }
2115 
2116                     btm_sec_dev_rec_cback_event(p_dev_rec, res, TRUE);
2117                 }
2118                 break;
2119 
2120             default:
2121                 BTM_TRACE_DEBUG ("unknown event = %d", event);
2122                 break;
2123 
2124         }
2125     }
2126     else
2127     {
2128         BTM_TRACE_ERROR("btm_proc_smp_cback received for unknown device");
2129     }
2130 
2131     return 0;
2132 }
2133 
2134     #endif  /* SMP_INCLUDED */
2135 
2136 /*******************************************************************************
2137 **
2138 ** Function         BTM_BleDataSignature
2139 **
2140 ** Description      This function is called to sign the data using AES128 CMAC
2141 **                  algorith.
2142 **
2143 ** Parameter        bd_addr: target device the data to be signed for.
2144 **                  p_text: singing data
2145 **                  len: length of the data to be signed.
2146 **                  signature: output parameter where data signature is going to
2147 **                             be stored.
2148 **
2149 ** Returns          TRUE if signing sucessul, otherwise FALSE.
2150 **
2151 *******************************************************************************/
BTM_BleDataSignature(BD_ADDR bd_addr,UINT8 * p_text,UINT16 len,BLE_SIGNATURE signature)2152 BOOLEAN BTM_BleDataSignature (BD_ADDR bd_addr, UINT8 *p_text, UINT16 len,
2153                               BLE_SIGNATURE signature)
2154 {
2155     tBTM_SEC_DEV_REC *p_rec = btm_find_dev (bd_addr);
2156 
2157     BTM_TRACE_DEBUG ("%s", __func__);
2158     BOOLEAN ret = FALSE;
2159     if (p_rec == NULL)
2160     {
2161         BTM_TRACE_ERROR("%s-data signing can not be done from unknown device", __func__);
2162     }
2163     else
2164     {
2165         UINT8 *p_mac = (UINT8 *)signature;
2166         UINT8 *pp;
2167         UINT8 *p_buf = (UINT8 *)osi_malloc(len + 4);
2168 
2169         BTM_TRACE_DEBUG("%s-Start to generate Local CSRK", __func__);
2170         pp = p_buf;
2171         /* prepare plain text */
2172         if (p_text) {
2173             memcpy(p_buf, p_text, len);
2174             pp = (p_buf + len);
2175         }
2176 
2177         UINT32_TO_STREAM(pp, p_rec->ble.keys.local_counter);
2178         UINT32_TO_STREAM(p_mac, p_rec->ble.keys.local_counter);
2179 
2180         if ((ret = aes_cipher_msg_auth_code(p_rec->ble.keys.lcsrk, p_buf, (UINT16)(len + 4),
2181                                             BTM_CMAC_TLEN_SIZE, p_mac)) == TRUE) {
2182             btm_ble_increment_sign_ctr(bd_addr, TRUE);
2183         }
2184 
2185         BTM_TRACE_DEBUG("%s p_mac = %d", __func__, p_mac);
2186         BTM_TRACE_DEBUG("p_mac[0] = 0x%02x p_mac[1] = 0x%02x p_mac[2] = 0x%02x p_mac[3] = 0x%02x",
2187                         *p_mac, *(p_mac + 1), *(p_mac + 2), *(p_mac + 3));
2188         BTM_TRACE_DEBUG("p_mac[4] = 0x%02x p_mac[5] = 0x%02x p_mac[6] = 0x%02x p_mac[7] = 0x%02x",
2189                         *(p_mac + 4), *(p_mac + 5), *(p_mac + 6), *(p_mac + 7));
2190         osi_free(p_buf);
2191     }
2192     return ret;
2193 }
2194 
2195 /*******************************************************************************
2196 **
2197 ** Function         BTM_BleVerifySignature
2198 **
2199 ** Description      This function is called to verify the data signature
2200 **
2201 ** Parameter        bd_addr: target device the data to be signed for.
2202 **                  p_orig:  original data before signature.
2203 **                  len: length of the signing data
2204 **                  counter: counter used when doing data signing
2205 **                  p_comp: signature to be compared against.
2206 
2207 ** Returns          TRUE if signature verified correctly; otherwise FALSE.
2208 **
2209 *******************************************************************************/
BTM_BleVerifySignature(BD_ADDR bd_addr,UINT8 * p_orig,UINT16 len,UINT32 counter,UINT8 * p_comp)2210 BOOLEAN BTM_BleVerifySignature (BD_ADDR bd_addr, UINT8 *p_orig, UINT16 len, UINT32 counter,
2211                                 UINT8 *p_comp)
2212 {
2213     BOOLEAN verified = FALSE;
2214 #if SMP_INCLUDED == TRUE
2215     tBTM_SEC_DEV_REC *p_rec = btm_find_dev (bd_addr);
2216     UINT8 p_mac[BTM_CMAC_TLEN_SIZE];
2217 
2218     if (p_rec == NULL || (p_rec && !(p_rec->ble.key_type & BTM_LE_KEY_PCSRK)))
2219     {
2220         BTM_TRACE_ERROR("can not verify signature for unknown device");
2221     }
2222     else if (counter < p_rec->ble.keys.counter)
2223     {
2224         BTM_TRACE_ERROR("signature received with out dated sign counter");
2225     }
2226     else if (p_orig == NULL)
2227     {
2228         BTM_TRACE_ERROR("No signature to verify");
2229     }
2230     else
2231     {
2232         BTM_TRACE_DEBUG ("%s rcv_cnt=%d >= expected_cnt=%d", __func__, counter,
2233                           p_rec->ble.keys.counter);
2234 
2235         if (aes_cipher_msg_auth_code(p_rec->ble.keys.pcsrk, p_orig, len, BTM_CMAC_TLEN_SIZE, p_mac))
2236         {
2237             if (memcmp(p_mac, p_comp, BTM_CMAC_TLEN_SIZE) == 0)
2238             {
2239                 btm_ble_increment_sign_ctr(bd_addr, FALSE);
2240                 verified = TRUE;
2241             }
2242         }
2243     }
2244 #endif  /* SMP_INCLUDED */
2245     return verified;
2246 }
2247 
2248 /*******************************************************************************
2249 **
2250 ** Function         BTM_GetLeSecurityState
2251 **
2252 ** Description      This function is called to get security mode 1 flags and
2253 **                  encryption key size for LE peer.
2254 **
2255 ** Returns          BOOLEAN TRUE if LE device is found, FALSE otherwise.
2256 **
2257 *******************************************************************************/
BTM_GetLeSecurityState(BD_ADDR bd_addr,UINT8 * p_le_dev_sec_flags,UINT8 * p_le_key_size)2258 BOOLEAN BTM_GetLeSecurityState (BD_ADDR bd_addr, UINT8 *p_le_dev_sec_flags, UINT8 *p_le_key_size)
2259 {
2260 #if (BLE_INCLUDED == TRUE)
2261     tBTM_SEC_DEV_REC *p_dev_rec;
2262     UINT16 dev_rec_sec_flags;
2263 #endif
2264 
2265     *p_le_dev_sec_flags = 0;
2266     *p_le_key_size = 0;
2267 
2268 #if (BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE)
2269     if ((p_dev_rec = btm_find_dev (bd_addr)) == NULL)
2270     {
2271         BTM_TRACE_ERROR ("%s fails", __func__);
2272         return (FALSE);
2273     }
2274 
2275     if (p_dev_rec->ble_hci_handle == BTM_SEC_INVALID_HANDLE) {
2276         BTM_TRACE_ERROR ("%s-this is not LE device", __func__);
2277         return (FALSE);
2278     }
2279 
2280     dev_rec_sec_flags = p_dev_rec->sec_flags;
2281 
2282     if (dev_rec_sec_flags & BTM_SEC_LE_ENCRYPTED)
2283     {
2284         /* link is encrypted with LTK or STK */
2285         *p_le_key_size = p_dev_rec->enc_key_size;
2286         *p_le_dev_sec_flags |= BTM_SEC_LE_LINK_ENCRYPTED;
2287 
2288         *p_le_dev_sec_flags |= (dev_rec_sec_flags & BTM_SEC_LE_AUTHENTICATED)
2289             ? BTM_SEC_LE_LINK_PAIRED_WITH_MITM      /* set auth LTK flag */
2290             : BTM_SEC_LE_LINK_PAIRED_WITHOUT_MITM;  /* set unauth LTK flag */
2291     }
2292     else if (p_dev_rec->ble.key_type & BTM_LE_KEY_PENC)
2293     {
2294         /* link is unencrypted, still LTK is available */
2295         *p_le_key_size = p_dev_rec->ble.keys.key_size;
2296 
2297         *p_le_dev_sec_flags |= (dev_rec_sec_flags & BTM_SEC_LE_LINK_KEY_AUTHED)
2298             ? BTM_SEC_LE_LINK_PAIRED_WITH_MITM      /* set auth LTK flag */
2299             : BTM_SEC_LE_LINK_PAIRED_WITHOUT_MITM;  /* set unauth LTK flag */
2300     }
2301 
2302     BTM_TRACE_DEBUG ("%s - le_dev_sec_flags: 0x%02x, le_key_size: %d",
2303         __func__, *p_le_dev_sec_flags, *p_le_key_size);
2304 
2305     return TRUE;
2306 #else
2307     return FALSE;
2308 #endif
2309 }
2310 
2311 /*******************************************************************************
2312 **
2313 ** Function         BTM_BleSecurityProcedureIsRunning
2314 **
2315 ** Description      This function indicates if LE security procedure is
2316 **                  currently running with the peer.
2317 **
2318 ** Returns          BOOLEAN TRUE if security procedure is running, FALSE otherwise.
2319 **
2320 *******************************************************************************/
BTM_BleSecurityProcedureIsRunning(BD_ADDR bd_addr)2321 BOOLEAN BTM_BleSecurityProcedureIsRunning(BD_ADDR bd_addr)
2322 {
2323 #if (BLE_INCLUDED == TRUE)
2324     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr);
2325 
2326     if (p_dev_rec == NULL)
2327     {
2328         BTM_TRACE_ERROR ("%s device with BDA: %08x%04x is not found",
2329                           __func__, (bd_addr[0]<<24)+(bd_addr[1]<<16)+(bd_addr[2]<<8)+bd_addr[3],
2330                           (bd_addr[4]<<8)+bd_addr[5]);
2331         return FALSE;
2332     }
2333 
2334     return (p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING ||
2335             p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING);
2336 #else
2337     return FALSE;
2338 #endif
2339 }
2340 
2341 /*******************************************************************************
2342 **
2343 ** Function         BTM_BleGetSupportedKeySize
2344 **
2345 ** Description      This function gets the maximum encryption key size in bytes
2346 **                  the local device can suport.
2347 **                  record.
2348 **
2349 ** Returns          the key size or 0 if the size can't be retrieved.
2350 **
2351 *******************************************************************************/
BTM_BleGetSupportedKeySize(BD_ADDR bd_addr)2352 extern UINT8 BTM_BleGetSupportedKeySize (BD_ADDR bd_addr)
2353 {
2354 #if ((BLE_INCLUDED == TRUE) && (L2CAP_LE_COC_INCLUDED == TRUE))
2355     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr);
2356     tBTM_LE_IO_REQ dev_io_cfg;
2357     UINT8 callback_rc;
2358 
2359     if (!p_dev_rec)
2360     {
2361         BTM_TRACE_ERROR ("%s device with BDA: %08x%04x is not found",
2362                          __func__,(bd_addr[0]<<24)+(bd_addr[1]<<16)+(bd_addr[2]<<8)+bd_addr[3],
2363                           (bd_addr[4]<<8)+bd_addr[5]);
2364         return 0;
2365     }
2366 
2367     if (btm_cb.api.p_le_callback == NULL)
2368     {
2369         BTM_TRACE_ERROR ("%s can't access supported key size",__func__);
2370         return 0;
2371     }
2372 
2373     callback_rc = (*btm_cb.api.p_le_callback) (BTM_LE_IO_REQ_EVT, p_dev_rec->bd_addr,
2374                                                (tBTM_LE_EVT_DATA *) &dev_io_cfg);
2375 
2376     if (callback_rc != BTM_SUCCESS)
2377     {
2378         BTM_TRACE_ERROR ("%s can't access supported key size",__func__);
2379         return 0;
2380     }
2381 
2382     BTM_TRACE_DEBUG ("%s device supports key size = %d", __func__, dev_io_cfg.max_key_size);
2383     return (dev_io_cfg.max_key_size);
2384 #else
2385     return 0;
2386 #endif
2387 }
2388 
2389 /*******************************************************************************
2390 **  Utility functions for LE device IR/ER generation
2391 *******************************************************************************/
2392 /*******************************************************************************
2393 **
2394 ** Function         btm_notify_new_key
2395 **
2396 ** Description      This function is to notify application new keys have been
2397 **                  generated.
2398 **
2399 ** Returns          void
2400 **
2401 *******************************************************************************/
btm_notify_new_key(UINT8 key_type)2402 static void btm_notify_new_key(UINT8 key_type)
2403 {
2404     tBTM_BLE_LOCAL_KEYS *p_locak_keys = NULL;
2405 
2406     BTM_TRACE_DEBUG ("btm_notify_new_key key_type=%d", key_type);
2407 
2408     if (btm_cb.api.p_le_key_callback)
2409     {
2410         switch (key_type)
2411         {
2412             case BTM_BLE_KEY_TYPE_ID:
2413                 BTM_TRACE_DEBUG ("BTM_BLE_KEY_TYPE_ID");
2414                 p_locak_keys = (tBTM_BLE_LOCAL_KEYS *)&btm_cb.devcb.id_keys;
2415                 break;
2416 
2417             case BTM_BLE_KEY_TYPE_ER:
2418                 BTM_TRACE_DEBUG ("BTM_BLE_KEY_TYPE_ER");
2419                 p_locak_keys = (tBTM_BLE_LOCAL_KEYS *)&btm_cb.devcb.ble_encryption_key_value;
2420                 break;
2421 
2422             default:
2423                 BTM_TRACE_ERROR("unknown key type: %d", key_type);
2424                 break;
2425         }
2426         if (p_locak_keys != NULL)
2427             (*btm_cb.api.p_le_key_callback) (key_type, p_locak_keys);
2428     }
2429 }
2430 
2431 /*******************************************************************************
2432 **
2433 ** Function         btm_ble_process_er2
2434 **
2435 ** Description      This function is called when ER is generated, store it in
2436 **                  local control block.
2437 **
2438 ** Returns          void
2439 **
2440 *******************************************************************************/
btm_ble_process_er2(tBTM_RAND_ENC * p)2441 static void btm_ble_process_er2(tBTM_RAND_ENC *p)
2442 {
2443     BTM_TRACE_DEBUG ("btm_ble_process_er2");
2444 
2445     if (p &&p->opcode == HCI_BLE_RAND)
2446     {
2447         memcpy(&btm_cb.devcb.ble_encryption_key_value[8], p->param_buf, BT_OCTET8_LEN);
2448         btm_notify_new_key(BTM_BLE_KEY_TYPE_ER);
2449     }
2450     else
2451     {
2452         BTM_TRACE_ERROR("Generating ER2 exception.");
2453         memset(&btm_cb.devcb.ble_encryption_key_value, 0, sizeof(BT_OCTET16));
2454     }
2455 }
2456 
2457 /*******************************************************************************
2458 **
2459 ** Function         btm_ble_process_er
2460 **
2461 ** Description      This function is called when ER is generated, store it in
2462 **                  local control block.
2463 **
2464 ** Returns          void
2465 **
2466 *******************************************************************************/
btm_ble_process_er(tBTM_RAND_ENC * p)2467 static void btm_ble_process_er(tBTM_RAND_ENC *p)
2468 {
2469     BTM_TRACE_DEBUG ("btm_ble_process_er");
2470 
2471     if (p &&p->opcode == HCI_BLE_RAND)
2472     {
2473         memcpy(&btm_cb.devcb.ble_encryption_key_value[0], p->param_buf, BT_OCTET8_LEN);
2474 
2475         if (!btsnd_hcic_ble_rand((void *)btm_ble_process_er2))
2476         {
2477             memset(&btm_cb.devcb.ble_encryption_key_value, 0, sizeof(BT_OCTET16));
2478             BTM_TRACE_ERROR("Generating ER2 failed.");
2479         }
2480     }
2481     else
2482     {
2483         BTM_TRACE_ERROR("Generating ER1 exception.");
2484     }
2485 }
2486 
2487 /*******************************************************************************
2488 **
2489 ** Function         btm_ble_process_irk
2490 **
2491 ** Description      This function is called when IRK is generated, store it in
2492 **                  local control block.
2493 **
2494 ** Returns          void
2495 **
2496 *******************************************************************************/
btm_ble_process_irk(tSMP_ENC * p)2497 static void btm_ble_process_irk(tSMP_ENC *p)
2498 {
2499     BTM_TRACE_DEBUG ("btm_ble_process_irk");
2500     if (p &&p->opcode == HCI_BLE_ENCRYPT)
2501     {
2502         memcpy(btm_cb.devcb.id_keys.irk, p->param_buf, BT_OCTET16_LEN);
2503         btm_notify_new_key(BTM_BLE_KEY_TYPE_ID);
2504 
2505 #if BLE_PRIVACY_SPT == TRUE
2506         /* if privacy is enabled, new RPA should be calculated */
2507         if (btm_cb.ble_ctr_cb.privacy_mode != BTM_PRIVACY_NONE)
2508         {
2509             btm_gen_resolvable_private_addr((void *)btm_gen_resolve_paddr_low);
2510         }
2511 #endif
2512     }
2513     else
2514     {
2515         BTM_TRACE_ERROR("Generating IRK exception.");
2516     }
2517 
2518     /* proceed generate ER */
2519     if (!btsnd_hcic_ble_rand((void *)btm_ble_process_er))
2520     {
2521         BTM_TRACE_ERROR("Generating ER failed.");
2522     }
2523 }
2524 
2525 /*******************************************************************************
2526 **
2527 ** Function         btm_ble_process_dhk
2528 **
2529 ** Description      This function is called when DHK is calculated, store it in
2530 **                  local control block, and proceed to generate ER, a 128-bits
2531 **                  random number.
2532 **
2533 ** Returns          void
2534 **
2535 *******************************************************************************/
btm_ble_process_dhk(tSMP_ENC * p)2536 static void btm_ble_process_dhk(tSMP_ENC *p)
2537 {
2538 #if SMP_INCLUDED == TRUE
2539     UINT8 btm_ble_irk_pt = 0x01;
2540     tSMP_ENC output;
2541 
2542     BTM_TRACE_DEBUG ("btm_ble_process_dhk");
2543 
2544     if (p && p->opcode == HCI_BLE_ENCRYPT)
2545     {
2546         memcpy(btm_cb.devcb.id_keys.dhk, p->param_buf, BT_OCTET16_LEN);
2547         BTM_TRACE_DEBUG("BLE DHK generated.");
2548 
2549         /* IRK = D1(IR, 1) */
2550         if (!SMP_Encrypt(btm_cb.devcb.id_keys.ir, BT_OCTET16_LEN, &btm_ble_irk_pt,
2551                          1,   &output))
2552         {
2553             /* reset all identity root related key */
2554             memset(&btm_cb.devcb.id_keys, 0, sizeof(tBTM_BLE_LOCAL_ID_KEYS));
2555         }
2556         else
2557         {
2558             btm_ble_process_irk(&output);
2559         }
2560     }
2561     else
2562     {
2563         /* reset all identity root related key */
2564         memset(&btm_cb.devcb.id_keys, 0, sizeof(tBTM_BLE_LOCAL_ID_KEYS));
2565     }
2566 #endif
2567 }
2568 
2569 /*******************************************************************************
2570 **
2571 ** Function         btm_ble_process_ir2
2572 **
2573 ** Description      This function is called when IR is generated, proceed to calculate
2574 **                  DHK = Eir({0x03, 0, 0 ...})
2575 **
2576 **
2577 ** Returns          void
2578 **
2579 *******************************************************************************/
btm_ble_process_ir2(tBTM_RAND_ENC * p)2580 static void btm_ble_process_ir2(tBTM_RAND_ENC *p)
2581 {
2582 #if SMP_INCLUDED == TRUE
2583     UINT8 btm_ble_dhk_pt = 0x03;
2584     tSMP_ENC output;
2585 
2586     BTM_TRACE_DEBUG ("btm_ble_process_ir2");
2587 
2588     if (p && p->opcode == HCI_BLE_RAND)
2589     {
2590         /* remembering in control block */
2591         memcpy(&btm_cb.devcb.id_keys.ir[8], p->param_buf, BT_OCTET8_LEN);
2592         /* generate DHK= Eir({0x03, 0x00, 0x00 ...}) */
2593 
2594         SMP_Encrypt(btm_cb.devcb.id_keys.ir, BT_OCTET16_LEN, &btm_ble_dhk_pt,
2595                     1, &output);
2596         btm_ble_process_dhk(&output);
2597 
2598         BTM_TRACE_DEBUG("BLE IR generated.");
2599     }
2600     else
2601     {
2602         memset(&btm_cb.devcb.id_keys, 0, sizeof(tBTM_BLE_LOCAL_ID_KEYS));
2603     }
2604 #endif
2605 }
2606 
2607 /*******************************************************************************
2608 **
2609 ** Function         btm_ble_process_ir
2610 **
2611 ** Description      This function is called when IR is generated, proceed to calculate
2612 **                  DHK = Eir({0x02, 0, 0 ...})
2613 **
2614 **
2615 ** Returns          void
2616 **
2617 *******************************************************************************/
btm_ble_process_ir(tBTM_RAND_ENC * p)2618 static void btm_ble_process_ir(tBTM_RAND_ENC *p)
2619 {
2620     BTM_TRACE_DEBUG ("btm_ble_process_ir");
2621 
2622     if (p && p->opcode == HCI_BLE_RAND)
2623     {
2624         /* remembering in control block */
2625         memcpy(btm_cb.devcb.id_keys.ir, p->param_buf, BT_OCTET8_LEN);
2626 
2627         if (!btsnd_hcic_ble_rand((void *)btm_ble_process_ir2))
2628         {
2629             BTM_TRACE_ERROR("Generating IR2 failed.");
2630             memset(&btm_cb.devcb.id_keys, 0, sizeof(tBTM_BLE_LOCAL_ID_KEYS));
2631         }
2632     }
2633 }
2634 
2635 /*******************************************************************************
2636 **
2637 ** Function         btm_ble_reset_id
2638 **
2639 ** Description      This function is called to reset LE device identity.
2640 **
2641 ** Returns          void
2642 **
2643 *******************************************************************************/
btm_ble_reset_id(void)2644 void btm_ble_reset_id( void )
2645 {
2646     BTM_TRACE_DEBUG ("btm_ble_reset_id");
2647 
2648     /* regenrate Identity Root*/
2649     if (!btsnd_hcic_ble_rand((void *)btm_ble_process_ir))
2650     {
2651         BTM_TRACE_DEBUG("Generating IR failed.");
2652     }
2653 }
2654 
2655     #if BTM_BLE_CONFORMANCE_TESTING == TRUE
2656 /*******************************************************************************
2657 **
2658 ** Function         btm_ble_set_no_disc_if_pair_fail
2659 **
2660 ** Description      This function indicates that whether no disconnect of the ACL
2661 **                  should be used if pairing failed
2662 **
2663 ** Returns          void
2664 **
2665 *******************************************************************************/
btm_ble_set_no_disc_if_pair_fail(BOOLEAN disable_disc)2666 void btm_ble_set_no_disc_if_pair_fail(BOOLEAN disable_disc )
2667 {
2668     BTM_TRACE_DEBUG ("btm_ble_set_disc_enable_if_pair_fail disable_disc=%d", disable_disc);
2669     btm_cb.devcb.no_disc_if_pair_fail = disable_disc;
2670 }
2671 
2672 /*******************************************************************************
2673 **
2674 ** Function         btm_ble_set_test_mac_value
2675 **
2676 ** Description      This function set test MAC value
2677 **
2678 ** Returns          void
2679 **
2680 *******************************************************************************/
btm_ble_set_test_mac_value(BOOLEAN enable,UINT8 * p_test_mac_val)2681 void btm_ble_set_test_mac_value(BOOLEAN enable, UINT8 *p_test_mac_val )
2682 {
2683     BTM_TRACE_DEBUG ("btm_ble_set_test_mac_value enable=%d", enable);
2684     btm_cb.devcb.enable_test_mac_val = enable;
2685     memcpy(btm_cb.devcb.test_mac, p_test_mac_val, BT_OCTET8_LEN);
2686 }
2687 
2688 /*******************************************************************************
2689 **
2690 ** Function         btm_ble_set_test_local_sign_cntr_value
2691 **
2692 ** Description      This function set test local sign counter value
2693 **
2694 ** Returns          void
2695 **
2696 *******************************************************************************/
btm_ble_set_test_local_sign_cntr_value(BOOLEAN enable,UINT32 test_local_sign_cntr)2697 void btm_ble_set_test_local_sign_cntr_value(BOOLEAN enable, UINT32 test_local_sign_cntr )
2698 {
2699     BTM_TRACE_DEBUG ("btm_ble_set_test_local_sign_cntr_value enable=%d local_sign_cntr=%d",
2700                       enable, test_local_sign_cntr);
2701     btm_cb.devcb.enable_test_local_sign_cntr = enable;
2702     btm_cb.devcb.test_local_sign_cntr =  test_local_sign_cntr;
2703 }
2704 
2705 /*******************************************************************************
2706 **
2707 ** Function         btm_set_random_address
2708 **
2709 ** Description      This function set a random address to local controller.
2710 **
2711 ** Returns          void
2712 **
2713 *******************************************************************************/
btm_set_random_address(BD_ADDR random_bda)2714 void btm_set_random_address(BD_ADDR random_bda)
2715 {
2716     tBTM_LE_RANDOM_CB *p_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb;
2717     BOOLEAN     adv_mode = btm_cb.ble_ctr_cb.inq_var.adv_mode ;
2718 
2719     BTM_TRACE_DEBUG ("btm_set_random_address");
2720 
2721     if (adv_mode  == BTM_BLE_ADV_ENABLE)
2722         btsnd_hcic_ble_set_adv_enable (BTM_BLE_ADV_DISABLE);
2723 
2724     memcpy(p_cb->private_addr, random_bda, BD_ADDR_LEN);
2725     btsnd_hcic_ble_set_random_addr(p_cb->private_addr);
2726 
2727     if (adv_mode  == BTM_BLE_ADV_ENABLE)
2728         btsnd_hcic_ble_set_adv_enable (BTM_BLE_ADV_ENABLE);
2729 
2730 }
2731 
2732 /*******************************************************************************
2733 **
2734 ** Function         btm_ble_set_keep_rfu_in_auth_req
2735 **
2736 ** Description      This function indicates if RFU bits have to be kept as is
2737 **                  (by default they have to be set to 0 by the sender).
2738 **
2739 ** Returns          void
2740 **
2741 *******************************************************************************/
btm_ble_set_keep_rfu_in_auth_req(BOOLEAN keep_rfu)2742 void btm_ble_set_keep_rfu_in_auth_req(BOOLEAN keep_rfu)
2743 {
2744     BTM_TRACE_DEBUG ("btm_ble_set_keep_rfu_in_auth_req keep_rfus=%d", keep_rfu);
2745     btm_cb.devcb.keep_rfu_in_auth_req = keep_rfu;
2746 }
2747 
2748 #endif /* BTM_BLE_CONFORMANCE_TESTING */
2749 
2750 #endif /* BLE_INCLUDED */
2751