1 /******************************************************************************
2  *
3  *  Copyright (C) 1999-2012 Broadcom Corporation
4  *
5  *  Licensed under the Apache License, Version 2.0 (the "License");
6  *  you may not use this file except in compliance with the License.
7  *  You may obtain a copy of the License at:
8  *
9  *  http://www.apache.org/licenses/LICENSE-2.0
10  *
11  *  Unless required by applicable law or agreed to in writing, software
12  *  distributed under the License is distributed on an "AS IS" BASIS,
13  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  *  See the License for the specific language governing permissions and
15  *  limitations under the License.
16  *
17  ******************************************************************************/
18 
19 /******************************************************************************
20  *
21  *  This file contains functions for the Bluetooth Security Manager
22  *
23  ******************************************************************************/
24 
25 #define LOG_TAG "bt_btm_sec"
26 
27 #include <stdarg.h>
28 #include <string.h>
29 
30 #include "device/include/controller.h"
31 #include "osi/include/log.h"
32 #include "osi/include/time.h"
33 
34 #include "bt_types.h"
35 #include "bt_utils.h"
36 #include "btm_int.h"
37 #include "btu.h"
38 #include "hcimsgs.h"
39 #include "l2c_int.h"
40 
41 #if (BT_USE_TRACES == TRUE && BT_TRACE_VERBOSE == FALSE)
42 /* needed for sprintf() */
43 #include <stdio.h>
44 #endif
45 
46 #if BLE_INCLUDED == TRUE
47     #include "gatt_int.h"
48 #endif
49 
50 #define BTM_SEC_MAX_COLLISION_DELAY     (5000)
51 
52 extern fixed_queue_t *btu_general_alarm_queue;
53 
54 #ifdef APPL_AUTH_WRITE_EXCEPTION
55 BOOLEAN (APPL_AUTH_WRITE_EXCEPTION)(BD_ADDR bd_addr);
56 #endif
57 
58 /********************************************************************************
59 **              L O C A L    F U N C T I O N     P R O T O T Y P E S            *
60 *********************************************************************************/
61 tBTM_SEC_SERV_REC *btm_sec_find_first_serv (BOOLEAN is_originator, UINT16 psm);
62 static tBTM_SEC_SERV_REC *btm_sec_find_next_serv (tBTM_SEC_SERV_REC *p_cur);
63 static tBTM_SEC_SERV_REC *btm_sec_find_mx_serv (UINT8 is_originator, UINT16 psm,
64                                                 UINT32 mx_proto_id,
65                                                 UINT32 mx_chan_id);
66 
67 static tBTM_STATUS btm_sec_execute_procedure (tBTM_SEC_DEV_REC *p_dev_rec);
68 static BOOLEAN  btm_sec_start_get_name (tBTM_SEC_DEV_REC *p_dev_rec);
69 static BOOLEAN  btm_sec_start_authentication (tBTM_SEC_DEV_REC *p_dev_rec);
70 static BOOLEAN  btm_sec_start_encryption (tBTM_SEC_DEV_REC *p_dev_rec);
71 static void     btm_sec_collision_timeout(void *data);
72 static void     btm_restore_mode(void);
73 static void     btm_sec_pairing_timeout(void *data);
74 static tBTM_STATUS btm_sec_dd_create_conn (tBTM_SEC_DEV_REC *p_dev_rec);
75 static void     btm_sec_change_pairing_state (tBTM_PAIRING_STATE new_state);
76 
77 #if (BT_USE_TRACES == TRUE)
78 static char     *btm_pair_state_descr (tBTM_PAIRING_STATE state);
79 #endif
80 
81 static void     btm_sec_check_pending_reqs(void);
82 static BOOLEAN  btm_sec_queue_mx_request (BD_ADDR bd_addr,  UINT16 psm,  BOOLEAN is_orig,
83                                           UINT32 mx_proto_id, UINT32 mx_chan_id,
84                                           tBTM_SEC_CALLBACK *p_callback, void *p_ref_data);
85 static void     btm_sec_bond_cancel_complete (void);
86 static void     btm_send_link_key_notif (tBTM_SEC_DEV_REC *p_dev_rec);
87 static BOOLEAN  btm_sec_check_prefetch_pin (tBTM_SEC_DEV_REC  *p_dev_rec);
88 
89 static UINT8    btm_sec_start_authorization (tBTM_SEC_DEV_REC *p_dev_rec);
90 BOOLEAN         btm_sec_are_all_trusted(UINT32 p_mask[]);
91 
92 static tBTM_STATUS btm_sec_send_hci_disconnect (tBTM_SEC_DEV_REC *p_dev_rec, UINT8 reason, UINT16 conn_handle);
93 UINT8           btm_sec_start_role_switch (tBTM_SEC_DEV_REC *p_dev_rec);
94 tBTM_SEC_DEV_REC *btm_sec_find_dev_by_sec_state (UINT8 state);
95 
96 static BOOLEAN  btm_sec_set_security_level ( CONNECTION_TYPE conn_type, char *p_name, UINT8 service_id,
97                                             UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id,
98                                             UINT32 mx_chan_id);
99 
100 static BOOLEAN btm_dev_authenticated(tBTM_SEC_DEV_REC *p_dev_rec);
101 static BOOLEAN btm_dev_encrypted(tBTM_SEC_DEV_REC *p_dev_rec);
102 static BOOLEAN btm_dev_authorized(tBTM_SEC_DEV_REC *p_dev_rec);
103 static BOOLEAN btm_serv_trusted(tBTM_SEC_DEV_REC *p_dev_rec, tBTM_SEC_SERV_REC *p_serv_rec);
104 static BOOLEAN btm_sec_is_serv_level0 (UINT16 psm);
105 static UINT16  btm_sec_set_serv_level4_flags (UINT16 cur_security, BOOLEAN is_originator);
106 
107 static BOOLEAN btm_sec_queue_encrypt_request  (BD_ADDR bd_addr, tBT_TRANSPORT transport,
108                                          tBTM_SEC_CALLBACK *p_callback, void *p_ref_data,
109                                          tBTM_BLE_SEC_ACT sec_act);
110 static void btm_sec_check_pending_enc_req (tBTM_SEC_DEV_REC  *p_dev_rec, tBT_TRANSPORT transport,
111                                             UINT8 encr_enable);
112 
113 static BOOLEAN btm_sec_use_smp_br_chnl(tBTM_SEC_DEV_REC *p_dev_rec);
114 static BOOLEAN btm_sec_is_master(tBTM_SEC_DEV_REC *p_dev_rec);
115 
116 /* TRUE - authenticated link key is possible */
117 static const BOOLEAN btm_sec_io_map [BTM_IO_CAP_MAX][BTM_IO_CAP_MAX] =
118 {
119     /*   OUT,    IO,     IN,     NONE */
120 /* OUT  */ {FALSE,  FALSE,  TRUE,   FALSE},
121 /* IO   */ {FALSE,  TRUE,   TRUE,   FALSE},
122 /* IN   */ {TRUE,   TRUE,   TRUE,   FALSE},
123 /* NONE */ {FALSE,  FALSE,  FALSE,  FALSE}
124 };
125 /*  BTM_IO_CAP_OUT      0   DisplayOnly */
126 /*  BTM_IO_CAP_IO       1   DisplayYesNo */
127 /*  BTM_IO_CAP_IN       2   KeyboardOnly */
128 /*  BTM_IO_CAP_NONE     3   NoInputNoOutput */
129 
130 /*******************************************************************************
131 **
132 ** Function         btm_dev_authenticated
133 **
134 ** Description      check device is authenticated
135 **
136 ** Returns          BOOLEAN TRUE or FALSE
137 **
138 *******************************************************************************/
btm_dev_authenticated(tBTM_SEC_DEV_REC * p_dev_rec)139 static BOOLEAN btm_dev_authenticated (tBTM_SEC_DEV_REC *p_dev_rec)
140 {
141     if(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)
142     {
143         return(TRUE);
144     }
145     return(FALSE);
146 }
147 
148 /*******************************************************************************
149 **
150 ** Function         btm_dev_encrypted
151 **
152 ** Description      check device is encrypted
153 **
154 ** Returns          BOOLEAN TRUE or FALSE
155 **
156 *******************************************************************************/
btm_dev_encrypted(tBTM_SEC_DEV_REC * p_dev_rec)157 static BOOLEAN btm_dev_encrypted (tBTM_SEC_DEV_REC *p_dev_rec)
158 {
159     if(p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)
160     {
161         return(TRUE);
162     }
163     return(FALSE);
164 }
165 
166 /*******************************************************************************
167 **
168 ** Function         btm_dev_authorized
169 **
170 ** Description      check device is authorized
171 **
172 ** Returns          BOOLEAN TRUE or FALSE
173 **
174 *******************************************************************************/
btm_dev_authorized(tBTM_SEC_DEV_REC * p_dev_rec)175 static BOOLEAN btm_dev_authorized (tBTM_SEC_DEV_REC *p_dev_rec)
176 {
177     if(p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED)
178     {
179         return(TRUE);
180     }
181     return(FALSE);
182 }
183 
184 /*******************************************************************************
185 **
186 ** Function         btm_dev_16_digit_authenticated
187 **
188 ** Description      check device is authenticated by using 16 digit pin or MITM
189 **
190 ** Returns          BOOLEAN TRUE or FALSE
191 **
192 *******************************************************************************/
btm_dev_16_digit_authenticated(tBTM_SEC_DEV_REC * p_dev_rec)193 static BOOLEAN btm_dev_16_digit_authenticated(tBTM_SEC_DEV_REC *p_dev_rec)
194 {
195     // BTM_SEC_16_DIGIT_PIN_AUTHED is set if MITM or 16 digit pin is used
196     if(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED)
197     {
198         return(TRUE);
199     }
200     return(FALSE);
201 }
202 
203 /*******************************************************************************
204 **
205 ** Function         btm_serv_trusted
206 **
207 ** Description      check service is trusted
208 **
209 ** Returns          BOOLEAN TRUE or FALSE
210 **
211 *******************************************************************************/
btm_serv_trusted(tBTM_SEC_DEV_REC * p_dev_rec,tBTM_SEC_SERV_REC * p_serv_rec)212 static BOOLEAN btm_serv_trusted(tBTM_SEC_DEV_REC *p_dev_rec, tBTM_SEC_SERV_REC *p_serv_rec)
213 {
214     if(BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask, p_serv_rec->service_id))
215     {
216         return(TRUE);
217     }
218     return(FALSE);
219 }
220 
221 /*******************************************************************************
222 **
223 ** Function         BTM_SecRegister
224 **
225 ** Description      Application manager calls this function to register for
226 **                  security services.  There can be one and only one application
227 **                  saving link keys.  BTM allows only first registration.
228 **
229 ** Returns          TRUE if registered OK, else FALSE
230 **
231 *******************************************************************************/
BTM_SecRegister(tBTM_APPL_INFO * p_cb_info)232 BOOLEAN BTM_SecRegister(tBTM_APPL_INFO *p_cb_info)
233 {
234 #if BLE_INCLUDED == TRUE
235     BT_OCTET16      temp_value = {0};
236 #endif
237 
238     BTM_TRACE_EVENT("%s application registered", __func__);
239 
240 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
241     LOG_INFO(LOG_TAG, "%s p_cb_info->p_le_callback == 0x%p", __func__, p_cb_info->p_le_callback);
242     if (p_cb_info->p_le_callback)
243     {
244 #if SMP_INCLUDED == TRUE
245       BTM_TRACE_EVENT("%s SMP_Register( btm_proc_smp_cback )", __func__);
246       SMP_Register(btm_proc_smp_cback);
247 #endif
248       /* if no IR is loaded, need to regenerate all the keys */
249       if (memcmp(btm_cb.devcb.id_keys.ir, &temp_value, sizeof(BT_OCTET16)) == 0)
250       {
251         btm_ble_reset_id();
252       }
253     }
254     else
255     {
256       LOG_WARN(LOG_TAG, "%s p_cb_info->p_le_callback == NULL", __func__);
257     }
258 #endif
259 
260     btm_cb.api = *p_cb_info;
261 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
262      LOG_INFO(LOG_TAG, "%s btm_cb.api.p_le_callback = 0x%p ", __func__, btm_cb.api.p_le_callback);
263 #endif
264     BTM_TRACE_EVENT("%s application registered", __func__);
265     return(TRUE);
266 }
267 
268 /*******************************************************************************
269 **
270 ** Function         BTM_SecRegisterLinkKeyNotificationCallback
271 **
272 ** Description      Application manager calls this function to register for
273 **                  link key notification.  When there is nobody registered
274 **                  we should avoid changing link key
275 **
276 ** Returns          TRUE if registered OK, else FALSE
277 **
278 *******************************************************************************/
BTM_SecRegisterLinkKeyNotificationCallback(tBTM_LINK_KEY_CALLBACK * p_callback)279 BOOLEAN BTM_SecRegisterLinkKeyNotificationCallback (tBTM_LINK_KEY_CALLBACK *p_callback)
280 {
281     btm_cb.api.p_link_key_callback = p_callback;
282     return TRUE;
283 }
284 
285 /*******************************************************************************
286 **
287 ** Function         BTM_SecAddRmtNameNotifyCallback
288 **
289 ** Description      Any profile can register to be notified when name of the
290 **                  remote device is resolved.
291 **
292 ** Returns          TRUE if registered OK, else FALSE
293 **
294 *******************************************************************************/
BTM_SecAddRmtNameNotifyCallback(tBTM_RMT_NAME_CALLBACK * p_callback)295 BOOLEAN  BTM_SecAddRmtNameNotifyCallback (tBTM_RMT_NAME_CALLBACK *p_callback)
296 {
297     int i;
298 
299     for (i = 0; i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
300     {
301         if (btm_cb.p_rmt_name_callback[i] == NULL)
302         {
303             btm_cb.p_rmt_name_callback[i] = p_callback;
304             return(TRUE);
305         }
306     }
307 
308     return(FALSE);
309 }
310 
311 /*******************************************************************************
312 **
313 ** Function         BTM_SecDeleteRmtNameNotifyCallback
314 **
315 ** Description      Any profile can deregister notification when a new Link Key
316 **                  is generated per connection.
317 **
318 ** Returns          TRUE if OK, else FALSE
319 **
320 *******************************************************************************/
BTM_SecDeleteRmtNameNotifyCallback(tBTM_RMT_NAME_CALLBACK * p_callback)321 BOOLEAN  BTM_SecDeleteRmtNameNotifyCallback (tBTM_RMT_NAME_CALLBACK *p_callback)
322 {
323     int i;
324 
325     for (i = 0; i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
326     {
327         if (btm_cb.p_rmt_name_callback[i] == p_callback)
328         {
329             btm_cb.p_rmt_name_callback[i] = NULL;
330             return(TRUE);
331         }
332     }
333 
334     return(FALSE);
335 }
336 
337 /*******************************************************************************
338 **
339 ** Function         BTM_GetSecurityFlags
340 **
341 ** Description      Get security flags for the device
342 **
343 ** Returns          BOOLEAN TRUE or FALSE is device found
344 **
345 *******************************************************************************/
BTM_GetSecurityFlags(BD_ADDR bd_addr,UINT8 * p_sec_flags)346 BOOLEAN BTM_GetSecurityFlags (BD_ADDR bd_addr, UINT8 * p_sec_flags)
347 {
348     tBTM_SEC_DEV_REC *p_dev_rec;
349 
350     if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
351     {
352         *p_sec_flags = (UINT8) p_dev_rec->sec_flags;
353         return(TRUE);
354     }
355     BTM_TRACE_ERROR ("BTM_GetSecurityFlags false");
356     return(FALSE);
357 }
358 
359 /*******************************************************************************
360 **
361 ** Function         BTM_GetSecurityFlagsByTransport
362 **
363 ** Description      Get security flags for the device on a particular transport
364 **
365 ** Returns          BOOLEAN TRUE or FALSE is device found
366 **
367 *******************************************************************************/
BTM_GetSecurityFlagsByTransport(BD_ADDR bd_addr,UINT8 * p_sec_flags,tBT_TRANSPORT transport)368 BOOLEAN BTM_GetSecurityFlagsByTransport (BD_ADDR bd_addr, UINT8 * p_sec_flags,
369                                                 tBT_TRANSPORT transport)
370 {
371     tBTM_SEC_DEV_REC *p_dev_rec;
372 
373     if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
374     {
375         if (transport == BT_TRANSPORT_BR_EDR)
376             *p_sec_flags = (UINT8) p_dev_rec->sec_flags;
377         else
378             *p_sec_flags = (UINT8) (p_dev_rec->sec_flags >> 8);
379 
380         return(TRUE);
381     }
382     BTM_TRACE_ERROR ("BTM_GetSecurityFlags false");
383     return(FALSE);
384 }
385 
386 /*******************************************************************************
387 **
388 ** Function         BTM_SetPinType
389 **
390 ** Description      Set PIN type for the device.
391 **
392 ** Returns          void
393 **
394 *******************************************************************************/
BTM_SetPinType(UINT8 pin_type,PIN_CODE pin_code,UINT8 pin_code_len)395 void BTM_SetPinType (UINT8 pin_type, PIN_CODE pin_code, UINT8 pin_code_len)
396 {
397     BTM_TRACE_API ("BTM_SetPinType: pin type %d [variable-0, fixed-1], code %s, length %d",
398                     pin_type, (char *) pin_code, pin_code_len);
399 
400     /* If device is not up security mode will be set as a part of startup */
401     if ( (btm_cb.cfg.pin_type != pin_type)
402          && controller_get_interface()->get_is_ready() )
403     {
404         btsnd_hcic_write_pin_type (pin_type);
405     }
406 
407     btm_cb.cfg.pin_type     = pin_type;
408     btm_cb.cfg.pin_code_len = pin_code_len;
409     memcpy (btm_cb.cfg.pin_code, pin_code, pin_code_len);
410 }
411 
412 /*******************************************************************************
413 **
414 ** Function         BTM_SetPairableMode
415 **
416 ** Description      Enable or disable pairing
417 **
418 ** Parameters       allow_pairing - (TRUE or FALSE) whether or not the device
419 **                      allows pairing.
420 **                  connect_only_paired - (TRUE or FALSE) whether or not to
421 **                      only allow paired devices to connect.
422 **
423 ** Returns          void
424 **
425 *******************************************************************************/
BTM_SetPairableMode(BOOLEAN allow_pairing,BOOLEAN connect_only_paired)426 void BTM_SetPairableMode (BOOLEAN allow_pairing, BOOLEAN connect_only_paired)
427 {
428     BTM_TRACE_API ("BTM_SetPairableMode()  allow_pairing: %u   connect_only_paired: %u", allow_pairing, connect_only_paired);
429 
430     btm_cb.pairing_disabled    = !allow_pairing;
431     btm_cb.connect_only_paired = connect_only_paired;
432 }
433 
434 /*******************************************************************************
435 **
436 ** Function         BTM_SetSecureConnectionsOnly
437 **
438 ** Description      Enable or disable default treatment for Mode 4 Level 0 services
439 **
440 ** Parameter        secure_connections_only_mode - (TRUE or FALSE) whether or not the device
441 **                  TRUE means that the device should treat Mode 4 Level 0 services as
442 **                  services of other levels. (Secure_connections_only_mode)
443 **                  FALSE means that the device should provide default treatment for
444 **                  Mode 4 Level 0 services.
445 **
446 ** Returns          void
447 **
448 *******************************************************************************/
BTM_SetSecureConnectionsOnly(BOOLEAN secure_connections_only_mode)449 void BTM_SetSecureConnectionsOnly (BOOLEAN secure_connections_only_mode)
450 {
451     BTM_TRACE_API("%s: Mode : %u", __FUNCTION__,
452                    secure_connections_only_mode);
453 
454     btm_cb.devcb.secure_connections_only = secure_connections_only_mode;
455     btm_cb.security_mode = BTM_SEC_MODE_SC;
456 }
457 #define BTM_NO_AVAIL_SEC_SERVICES   ((UINT16) 0xffff)
458 
459 /*******************************************************************************
460 **
461 ** Function         BTM_SetSecurityLevel
462 **
463 ** Description      Register service security level with Security Manager
464 **
465 ** Parameters:      is_originator - TRUE if originating the connection, FALSE if not
466 **                  p_name      - Name of the service relevant only if
467 **                                authorization will show this name to user. ignored
468 **                                if BTM_SEC_SERVICE_NAME_LEN is 0.
469 **                  service_id  - service ID for the service passed to authorization callback
470 **                  sec_level   - bit mask of the security features
471 **                  psm         - L2CAP PSM
472 **                  mx_proto_id - protocol ID of multiplexing proto below
473 **                  mx_chan_id  - channel ID of multiplexing proto below
474 **
475 ** Returns          TRUE if registered OK, else FALSE
476 **
477 *******************************************************************************/
BTM_SetSecurityLevel(BOOLEAN is_originator,char * p_name,UINT8 service_id,UINT16 sec_level,UINT16 psm,UINT32 mx_proto_id,UINT32 mx_chan_id)478 BOOLEAN BTM_SetSecurityLevel (BOOLEAN is_originator, char *p_name, UINT8 service_id,
479                               UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id,
480                               UINT32 mx_chan_id)
481 {
482 #if (L2CAP_UCD_INCLUDED == TRUE)
483     CONNECTION_TYPE conn_type;
484 
485     if (is_originator)
486         conn_type = CONN_ORIENT_ORIG;
487     else
488         conn_type = CONN_ORIENT_TERM;
489 
490     return(btm_sec_set_security_level (conn_type, p_name, service_id,
491                                        sec_level, psm, mx_proto_id, mx_chan_id));
492 #else
493     return(btm_sec_set_security_level (is_originator, p_name, service_id,
494                                        sec_level, psm, mx_proto_id, mx_chan_id));
495 #endif
496 }
497 
498 /*******************************************************************************
499 **
500 ** Function         btm_sec_set_security_level
501 **
502 ** Description      Register service security level with Security Manager
503 **
504 ** Parameters:      conn_type   - TRUE if originating the connection, FALSE if not
505 **                  p_name      - Name of the service relevant only if
506 **                                authorization will show this name to user. ignored
507 **                                if BTM_SEC_SERVICE_NAME_LEN is 0.
508 **                  service_id  - service ID for the service passed to authorization callback
509 **                  sec_level   - bit mask of the security features
510 **                  psm         - L2CAP PSM
511 **                  mx_proto_id - protocol ID of multiplexing proto below
512 **                  mx_chan_id  - channel ID of multiplexing proto below
513 **
514 ** Returns          TRUE if registered OK, else FALSE
515 **
516 *******************************************************************************/
btm_sec_set_security_level(CONNECTION_TYPE conn_type,char * p_name,UINT8 service_id,UINT16 sec_level,UINT16 psm,UINT32 mx_proto_id,UINT32 mx_chan_id)517 static BOOLEAN btm_sec_set_security_level (CONNECTION_TYPE conn_type, char *p_name, UINT8 service_id,
518                                            UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id,
519                                            UINT32 mx_chan_id)
520 {
521     tBTM_SEC_SERV_REC   *p_srec;
522     UINT16               index;
523     UINT16               first_unused_record = BTM_NO_AVAIL_SEC_SERVICES;
524     BOOLEAN              record_allocated = FALSE;
525     BOOLEAN              is_originator;
526 #if (L2CAP_UCD_INCLUDED == TRUE)
527     BOOLEAN              is_ucd;
528 
529     if (conn_type & CONNECTION_TYPE_ORIG_MASK)
530         is_originator = TRUE;
531     else
532         is_originator = FALSE;
533 
534     if (conn_type & CONNECTION_TYPE_CONNLESS_MASK )
535     {
536         is_ucd = TRUE;
537     }
538     else
539     {
540         is_ucd = FALSE;
541     }
542 #else
543     is_originator = conn_type;
544 #endif
545 
546     BTM_TRACE_API("%s : sec: 0x%x", __func__, sec_level);
547 
548     /* See if the record can be reused (same service name, psm, mx_proto_id,
549        service_id, and mx_chan_id), or obtain the next unused record */
550 
551     p_srec = &btm_cb.sec_serv_rec[0];
552 
553     for (index = 0; index < BTM_SEC_MAX_SERVICE_RECORDS; index++, p_srec++)
554     {
555         /* Check if there is already a record for this service */
556         if (p_srec->security_flags & BTM_SEC_IN_USE)
557         {
558 #if BTM_SEC_SERVICE_NAME_LEN > 0
559             if (p_srec->psm == psm                  &&
560                 p_srec->mx_proto_id == mx_proto_id  &&
561                 service_id == p_srec->service_id    &&
562                 p_name                              &&
563                 (!strncmp (p_name, (char *) p_srec->orig_service_name,
564                            BTM_SEC_SERVICE_NAME_LEN) ||
565                  !strncmp (p_name, (char *) p_srec->term_service_name,
566                            BTM_SEC_SERVICE_NAME_LEN)))
567 #else
568             if (p_srec->psm == psm                  &&
569                 p_srec->mx_proto_id == mx_proto_id  &&
570                 service_id == p_srec->service_id)
571 #endif
572             {
573                 record_allocated = TRUE;
574                 break;
575             }
576         }
577         /* Mark the first available service record */
578         else if (!record_allocated)
579         {
580             memset (p_srec, 0, sizeof(tBTM_SEC_SERV_REC));
581             record_allocated = TRUE;
582             first_unused_record = index;
583         }
584     }
585 
586     if (!record_allocated)
587     {
588         BTM_TRACE_WARNING("BTM_SEC_REG: Out of Service Records (%d)",  BTM_SEC_MAX_SERVICE_RECORDS);
589         return(record_allocated);
590     }
591 
592     /* Process the request if service record is valid */
593     /* If a duplicate service wasn't found, use the first available */
594     if (index >= BTM_SEC_MAX_SERVICE_RECORDS)
595     {
596         index = first_unused_record;
597         p_srec = &btm_cb.sec_serv_rec[index];
598     }
599 
600     p_srec->psm         = psm;
601     p_srec->service_id  = service_id;
602     p_srec->mx_proto_id = mx_proto_id;
603 
604     if (is_originator)
605     {
606         p_srec->orig_mx_chan_id = mx_chan_id;
607 #if BTM_SEC_SERVICE_NAME_LEN > 0
608         strlcpy ((char *)p_srec->orig_service_name, p_name, BTM_SEC_SERVICE_NAME_LEN);
609 #endif
610         /* clear out the old setting, just in case it exists */
611 #if (L2CAP_UCD_INCLUDED == TRUE)
612         if ( is_ucd )
613         {
614             p_srec->ucd_security_flags &=
615             ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT    | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM |
616               BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
617         }
618         else
619 #endif
620         {
621             p_srec->security_flags &=
622             ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT    | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM |
623               BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
624         }
625 
626         /* Parameter validation.  Originator should not set requirements for incoming connections */
627         sec_level &= ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHENTICATE
628                 | BTM_SEC_IN_MITM | BTM_SEC_IN_MIN_16_DIGIT_PIN );
629 
630         if (btm_cb.security_mode == BTM_SEC_MODE_SP ||
631             btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
632             btm_cb.security_mode == BTM_SEC_MODE_SC)
633         {
634             if (sec_level & BTM_SEC_OUT_AUTHENTICATE)
635                 sec_level |= BTM_SEC_OUT_MITM;
636         }
637 
638         /* Make sure the authenticate bit is set, when encrypt bit is set */
639         if (sec_level & BTM_SEC_OUT_ENCRYPT)
640             sec_level |= BTM_SEC_OUT_AUTHENTICATE;
641 
642         /* outgoing connections usually set the security level right before
643          * the connection is initiated.
644          * set it to be the outgoing service */
645 #if (L2CAP_UCD_INCLUDED == TRUE)
646         if ( is_ucd == FALSE )
647 #endif
648         {
649             btm_cb.p_out_serv = p_srec;
650         }
651     }
652     else
653     {
654         p_srec->term_mx_chan_id = mx_chan_id;
655 #if BTM_SEC_SERVICE_NAME_LEN > 0
656         strlcpy ((char *)p_srec->term_service_name, p_name, BTM_SEC_SERVICE_NAME_LEN);
657 #endif
658         /* clear out the old setting, just in case it exists */
659 #if (L2CAP_UCD_INCLUDED == TRUE)
660         if ( is_ucd )
661         {
662             p_srec->ucd_security_flags &=
663             ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT     | BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_MITM |
664               BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE
665               | BTM_SEC_IN_MIN_16_DIGIT_PIN);
666         }
667         else
668 #endif
669         {
670             p_srec->security_flags &=
671             ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT     | BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_MITM |
672               BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE
673               | BTM_SEC_IN_MIN_16_DIGIT_PIN);
674         }
675 
676         /* Parameter validation.  Acceptor should not set requirements for outgoing connections */
677         sec_level &= ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM);
678 
679         if (btm_cb.security_mode == BTM_SEC_MODE_SP ||
680             btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
681             btm_cb.security_mode == BTM_SEC_MODE_SC)
682         {
683             if (sec_level & BTM_SEC_IN_AUTHENTICATE)
684                 sec_level |= BTM_SEC_IN_MITM;
685         }
686 
687         /* Make sure the authenticate bit is set, when encrypt bit is set */
688         if (sec_level & BTM_SEC_IN_ENCRYPT)
689             sec_level |= BTM_SEC_IN_AUTHENTICATE;
690     }
691 
692 #if (L2CAP_UCD_INCLUDED == TRUE)
693     if ( is_ucd )
694     {
695         p_srec->security_flags     |= (UINT16)(BTM_SEC_IN_USE);
696         p_srec->ucd_security_flags |= (UINT16)(sec_level | BTM_SEC_IN_USE);
697     }
698     else
699     {
700         p_srec->security_flags |= (UINT16)(sec_level | BTM_SEC_IN_USE);
701     }
702 
703     BTM_TRACE_API("BTM_SEC_REG[%d]: id %d, conn_type 0x%x, psm 0x%04x, proto_id %d, chan_id %d",
704                    index, service_id, conn_type, psm, mx_proto_id, mx_chan_id);
705 
706     BTM_TRACE_API("               : security_flags: 0x%04x, ucd_security_flags: 0x%04x",
707                    p_srec->security_flags, p_srec->ucd_security_flags);
708 
709 #if BTM_SEC_SERVICE_NAME_LEN > 0
710     BTM_TRACE_API("               : service name [%s] (up to %d chars saved)",
711                    p_name, BTM_SEC_SERVICE_NAME_LEN);
712 #endif
713 #else
714     p_srec->security_flags |= (UINT16)(sec_level | BTM_SEC_IN_USE);
715 
716     BTM_TRACE_API("BTM_SEC_REG[%d]: id %d, is_orig %d, psm 0x%04x, proto_id %d, chan_id %d",
717                    index, service_id, is_originator, psm, mx_proto_id, mx_chan_id);
718 
719 #if BTM_SEC_SERVICE_NAME_LEN > 0
720     BTM_TRACE_API("               : sec: 0x%x, service name [%s] (up to %d chars saved)",
721                    p_srec->security_flags, p_name, BTM_SEC_SERVICE_NAME_LEN);
722 #endif
723 #endif
724 
725     return(record_allocated);
726 }
727 
728 /*******************************************************************************
729 **
730 ** Function         BTM_SecClrService
731 **
732 ** Description      Removes specified service record(s) from the security database.
733 **                  All service records with the specified name are removed.
734 **                  Typically used only by devices with limited RAM so that it can
735 **                  reuse an old security service record.
736 **
737 **                  Note: Unpredictable results may occur if a service is cleared
738 **                      that is still in use by an application/profile.
739 **
740 ** Parameters       Service ID - Id of the service to remove. ('0' removes all service
741 **                          records (except SDP).
742 **
743 ** Returns          Number of records that were freed.
744 **
745 *******************************************************************************/
BTM_SecClrService(UINT8 service_id)746 UINT8 BTM_SecClrService (UINT8 service_id)
747 {
748     tBTM_SEC_SERV_REC   *p_srec = &btm_cb.sec_serv_rec[0];
749     UINT8   num_freed = 0;
750     int     i;
751 
752     for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_srec++)
753     {
754         /* Delete services with specified name (if in use and not SDP) */
755         if ((p_srec->security_flags & BTM_SEC_IN_USE) && (p_srec->psm != BT_PSM_SDP) &&
756             (!service_id || (service_id == p_srec->service_id)))
757         {
758             BTM_TRACE_API("BTM_SEC_CLR[%d]: id %d", i, service_id);
759             p_srec->security_flags = 0;
760 #if (L2CAP_UCD_INCLUDED == TRUE)
761             p_srec->ucd_security_flags = 0;
762 #endif
763             num_freed++;
764         }
765     }
766 
767     return(num_freed);
768 }
769 
770 /*******************************************************************************
771 **
772 ** Function         btm_sec_clr_service_by_psm
773 **
774 ** Description      Removes specified service record from the security database.
775 **                  All service records with the specified psm are removed.
776 **                  Typically used by L2CAP to free up the service record used
777 **                  by dynamic PSM clients when the channel is closed.
778 **                  The given psm must be a virtual psm.
779 **
780 ** Parameters       Service ID - Id of the service to remove. ('0' removes all service
781 **                          records (except SDP).
782 **
783 ** Returns          Number of records that were freed.
784 **
785 *******************************************************************************/
btm_sec_clr_service_by_psm(UINT16 psm)786 UINT8 btm_sec_clr_service_by_psm (UINT16 psm)
787 {
788     tBTM_SEC_SERV_REC   *p_srec = &btm_cb.sec_serv_rec[0];
789     UINT8   num_freed = 0;
790     int     i;
791 
792     for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_srec++)
793     {
794         /* Delete services with specified name (if in use and not SDP) */
795         if ((p_srec->security_flags & BTM_SEC_IN_USE) && (p_srec->psm == psm) )
796         {
797             BTM_TRACE_API("BTM_SEC_CLR[%d]: id %d ", i, p_srec->service_id);
798             p_srec->security_flags = 0;
799             num_freed++;
800         }
801     }
802     BTM_TRACE_API("btm_sec_clr_service_by_psm psm:0x%x num_freed:%d", psm, num_freed);
803 
804     return(num_freed);
805 }
806 
807 /*******************************************************************************
808 **
809 ** Function         btm_sec_clr_temp_auth_service
810 **
811 ** Description      Removes specified device record's temporary authorization
812 **                  flag from the security database.
813 **
814 ** Parameters       Device address to be cleared
815 **
816 ** Returns          void.
817 **
818 *******************************************************************************/
btm_sec_clr_temp_auth_service(BD_ADDR bda)819 void btm_sec_clr_temp_auth_service (BD_ADDR bda)
820 {
821     tBTM_SEC_DEV_REC   *p_dev_rec;
822 
823     if ((p_dev_rec = btm_find_dev (bda)) == NULL)
824     {
825         BTM_TRACE_WARNING ("btm_sec_clr_temp_auth_service() - no dev CB");
826         return;
827     }
828 
829     /* Reset the temporary authorized flag so that next time (untrusted) service is accessed autorization will take place */
830     if (p_dev_rec->last_author_service_id != BTM_SEC_NO_LAST_SERVICE_ID && p_dev_rec->p_cur_service)
831     {
832         BTM_TRACE_DEBUG ("btm_sec_clr_auth_service_by_psm [clearing device: %02x:%02x:%02x:%02x:%02x:%02x]",
833                     bda[0], bda[1], bda[2], bda[3], bda[4], bda[5]);
834 
835         p_dev_rec->last_author_service_id = BTM_SEC_NO_LAST_SERVICE_ID;
836     }
837 }
838 
839 /*******************************************************************************
840 **
841 ** Function         BTM_PINCodeReply
842 **
843 ** Description      This function is called after Security Manager submitted
844 **                  PIN code request to the UI.
845 **
846 ** Parameters:      bd_addr      - Address of the device for which PIN was requested
847 **                  res          - result of the operation BTM_SUCCESS if success
848 **                  pin_len      - length in bytes of the PIN Code
849 **                  p_pin        - pointer to array with the PIN Code
850 **                  trusted_mask - bitwise OR of trusted services (array of UINT32)
851 **
852 *******************************************************************************/
BTM_PINCodeReply(BD_ADDR bd_addr,UINT8 res,UINT8 pin_len,UINT8 * p_pin,UINT32 trusted_mask[])853 void BTM_PINCodeReply (BD_ADDR bd_addr, UINT8 res, UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[])
854 {
855     tBTM_SEC_DEV_REC *p_dev_rec;
856 
857     BTM_TRACE_API ("BTM_PINCodeReply(): PairState: %s   PairFlags: 0x%02x  PinLen:%d  Result:%d",
858                     btm_pair_state_descr(btm_cb.pairing_state), btm_cb.pairing_flags, pin_len, res);
859 
860     /* If timeout already expired or has been canceled, ignore the reply */
861     if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_PIN)
862     {
863         BTM_TRACE_WARNING ("BTM_PINCodeReply() - Wrong State: %d", btm_cb.pairing_state);
864         return;
865     }
866 
867     if (memcmp (bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN) != 0)
868     {
869         BTM_TRACE_ERROR ("BTM_PINCodeReply() - Wrong BD Addr");
870         return;
871     }
872 
873     if ((p_dev_rec = btm_find_dev (bd_addr)) == NULL)
874     {
875         BTM_TRACE_ERROR ("BTM_PINCodeReply() - no dev CB");
876         return;
877     }
878 
879     if ( (pin_len > PIN_CODE_LEN) || (pin_len == 0) || (p_pin == NULL) )
880         res = BTM_ILLEGAL_VALUE;
881 
882     if (res != BTM_SUCCESS)
883     {
884         /* if peer started dd OR we started dd and pre-fetch pin was not used send negative reply */
885         if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PEER_STARTED_DD) ||
886             ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) &&
887             (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)) )
888         {
889             /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed event */
890             btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
891             btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
892 
893             btsnd_hcic_pin_code_neg_reply (bd_addr);
894         }
895         else
896         {
897             p_dev_rec->security_required = BTM_SEC_NONE;
898             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
899         }
900         return;
901     }
902     if (trusted_mask)
903         BTM_SEC_COPY_TRUSTED_DEVICE(trusted_mask, p_dev_rec->trusted_mask);
904     p_dev_rec->sec_flags   |= BTM_SEC_LINK_KEY_AUTHED;
905     if (pin_len >= 16) {
906         p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED;
907     }
908 
909     if ( (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
910          &&  (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE)
911          &&  (btm_cb.security_mode_changed == FALSE) )
912     {
913         /* This is start of the dedicated bonding if local device is 2.0 */
914         btm_cb.pin_code_len = pin_len;
915         p_dev_rec->pin_code_length = pin_len;
916         memcpy (btm_cb.pin_code, p_pin, pin_len);
917 
918         btm_cb.security_mode_changed = TRUE;
919 #ifdef APPL_AUTH_WRITE_EXCEPTION
920         if(!(APPL_AUTH_WRITE_EXCEPTION)(p_dev_rec->bd_addr))
921 #endif
922         btsnd_hcic_write_auth_enable (TRUE);
923 
924         btm_cb.acl_disc_reason = 0xff ;
925 
926         /* if we rejected incoming connection request, we have to wait HCI_Connection_Complete event */
927         /*  before originating  */
928         if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT)
929         {
930             BTM_TRACE_WARNING ("BTM_PINCodeReply(): waiting HCI_Connection_Complete after rejected incoming connection");
931             /* we change state little bit early so btm_sec_connected() will originate connection */
932             /*   when existing ACL link is down completely */
933             btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
934         }
935         /* if we already accepted incoming connection from pairing device */
936         else if (p_dev_rec->sm4 & BTM_SM4_CONN_PEND)
937         {
938             BTM_TRACE_WARNING ("BTM_PINCodeReply(): link is connecting so wait pin code request from peer");
939             btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
940         }
941         else if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED)
942         {
943             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
944             p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_AUTHED;
945 
946             if (btm_cb.api.p_auth_complete_callback)
947                 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,  p_dev_rec->dev_class,
948                                                     p_dev_rec->sec_bd_name, HCI_ERR_AUTH_FAILURE);
949         }
950         return;
951     }
952 
953     btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
954     btm_cb.acl_disc_reason = HCI_SUCCESS;
955 
956     btsnd_hcic_pin_code_req_reply (bd_addr, pin_len, p_pin);
957 }
958 
959 /*******************************************************************************
960 **
961 ** Function         btm_sec_bond_by_transport
962 **
963 ** Description      this is the bond function that will start either SSP or SMP.
964 **
965 ** Parameters:      bd_addr      - Address of the device to bond
966 **                  pin_len      - length in bytes of the PIN Code
967 **                  p_pin        - pointer to array with the PIN Code
968 **                  trusted_mask - bitwise OR of trusted services (array of UINT32)
969 **
970 **  Note: After 2.1 parameters are not used and preserved here not to change API
971 *******************************************************************************/
btm_sec_bond_by_transport(BD_ADDR bd_addr,tBT_TRANSPORT transport,UINT8 pin_len,UINT8 * p_pin,UINT32 trusted_mask[])972 tBTM_STATUS btm_sec_bond_by_transport (BD_ADDR bd_addr, tBT_TRANSPORT transport,
973                                        UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[])
974 {
975     tBTM_SEC_DEV_REC *p_dev_rec;
976     tBTM_STATUS      status;
977     UINT8            *p_features;
978     UINT8            ii;
979     tACL_CONN        *p= btm_bda_to_acl(bd_addr, transport);
980     BTM_TRACE_API ("btm_sec_bond_by_transport BDA: %02x:%02x:%02x:%02x:%02x:%02x",
981                     bd_addr[0], bd_addr[1], bd_addr[2], bd_addr[3], bd_addr[4], bd_addr[5]);
982 
983     BTM_TRACE_DEBUG("btm_sec_bond_by_transport: Transport used %d" , transport);
984 
985     /* Other security process is in progress */
986     if (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
987     {
988         BTM_TRACE_ERROR ("BTM_SecBond: already busy in state: %s", btm_pair_state_descr(btm_cb.pairing_state));
989         return(BTM_WRONG_MODE);
990     }
991 
992     if ((p_dev_rec = btm_find_or_alloc_dev (bd_addr)) == NULL)
993     {
994         return(BTM_NO_RESOURCES);
995     }
996 
997     BTM_TRACE_DEBUG ("before update sec_flags=0x%x", p_dev_rec->sec_flags);
998 
999     /* Finished if connection is active and already paired */
1000     if ( ((p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE) && transport == BT_TRANSPORT_BR_EDR
1001          &&  (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))
1002 #if (BLE_INCLUDED == TRUE)
1003         ||((p_dev_rec->ble_hci_handle != BTM_SEC_INVALID_HANDLE) && transport == BT_TRANSPORT_LE
1004          &&  (p_dev_rec->sec_flags & BTM_SEC_LE_AUTHENTICATED))
1005 #endif
1006 
1007          )
1008     {
1009         BTM_TRACE_WARNING("BTM_SecBond -> Already Paired");
1010         return(BTM_SUCCESS);
1011     }
1012 
1013     /* Tell controller to get rid of the link key if it has one stored */
1014     if ((BTM_DeleteStoredLinkKey (bd_addr, NULL)) != BTM_SUCCESS)
1015         return(BTM_NO_RESOURCES);
1016 
1017     /* Save the PIN code if we got a valid one */
1018     if (p_pin && (pin_len <= PIN_CODE_LEN) && (pin_len != 0))
1019     {
1020         btm_cb.pin_code_len = pin_len;
1021         p_dev_rec->pin_code_length = pin_len;
1022         memcpy (btm_cb.pin_code, p_pin, PIN_CODE_LEN);
1023     }
1024 
1025     memcpy (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN);
1026 
1027     btm_cb.pairing_flags = BTM_PAIR_FLAGS_WE_STARTED_DD;
1028 
1029     p_dev_rec->security_required = BTM_SEC_OUT_AUTHENTICATE;
1030     p_dev_rec->is_originator     = TRUE;
1031     if (trusted_mask)
1032         BTM_SEC_COPY_TRUSTED_DEVICE(trusted_mask, p_dev_rec->trusted_mask);
1033 
1034 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
1035     if (transport == BT_TRANSPORT_LE)
1036     {
1037         btm_ble_init_pseudo_addr (p_dev_rec, bd_addr);
1038         p_dev_rec->sec_flags &= ~ BTM_SEC_LE_MASK;
1039 
1040         if (SMP_Pair(bd_addr) == SMP_STARTED)
1041         {
1042             btm_cb.pairing_flags |= BTM_PAIR_FLAGS_LE_ACTIVE;
1043             p_dev_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING;
1044             btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1045             return BTM_CMD_STARTED;
1046         }
1047 
1048         btm_cb.pairing_flags = 0;
1049         return(BTM_NO_RESOURCES);
1050     }
1051 #endif
1052 
1053     p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED
1054                                   | BTM_SEC_ROLE_SWITCHED  | BTM_SEC_LINK_KEY_AUTHED);
1055 
1056     BTM_TRACE_DEBUG ("after update sec_flags=0x%x", p_dev_rec->sec_flags);
1057     if (!controller_get_interface()->supports_simple_pairing())
1058     {
1059         /* The special case when we authenticate keyboard.  Set pin type to fixed */
1060         /* It would be probably better to do it from the application, but it is */
1061         /* complicated */
1062         if (((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) == BTM_COD_MAJOR_PERIPHERAL)
1063             && (p_dev_rec->dev_class[2] & BTM_COD_MINOR_KEYBOARD)
1064             && (btm_cb.cfg.pin_type != HCI_PIN_TYPE_FIXED))
1065         {
1066             btm_cb.pin_type_changed = TRUE;
1067             btsnd_hcic_write_pin_type (HCI_PIN_TYPE_FIXED);
1068         }
1069     }
1070 
1071     for (ii = 0; ii <= HCI_EXT_FEATURES_PAGE_MAX; ii++)
1072     {
1073         p_features = p_dev_rec->features[ii];
1074         BTM_TRACE_EVENT("  remote_features page[%1d] = %02x-%02x-%02x-%02x",
1075                          ii, p_features[0], p_features[1], p_features[2], p_features[3]);
1076         BTM_TRACE_EVENT("                              %02x-%02x-%02x-%02x",
1077                              p_features[4], p_features[5], p_features[6], p_features[7]);
1078     }
1079 
1080     BTM_TRACE_EVENT ("BTM_SecBond: Remote sm4: 0x%x  HCI Handle: 0x%04x", p_dev_rec->sm4, p_dev_rec->hci_handle);
1081 
1082 #if BTM_SEC_FORCE_RNR_FOR_DBOND == TRUE
1083     p_dev_rec->sec_flags &= ~BTM_SEC_NAME_KNOWN;
1084 #endif
1085 
1086     /* If connection already exists... */
1087     if (p && p->hci_handle != BTM_SEC_INVALID_HANDLE)
1088     {
1089         if (!btm_sec_start_authentication (p_dev_rec))
1090             return(BTM_NO_RESOURCES);
1091 
1092         btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
1093 
1094         /* Mark lcb as bonding */
1095         l2cu_update_lcb_4_bonding (bd_addr, TRUE);
1096         return(BTM_CMD_STARTED);
1097     }
1098 
1099     BTM_TRACE_DEBUG ("sec mode: %d sm4:x%x", btm_cb.security_mode, p_dev_rec->sm4);
1100     if (!controller_get_interface()->supports_simple_pairing()
1101         || (p_dev_rec->sm4 == BTM_SM4_KNOWN))
1102     {
1103         if ( btm_sec_check_prefetch_pin (p_dev_rec) )
1104             return (BTM_CMD_STARTED);
1105     }
1106     if ((btm_cb.security_mode == BTM_SEC_MODE_SP ||
1107          btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
1108          btm_cb.security_mode == BTM_SEC_MODE_SC) &&
1109          BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4))
1110     {
1111         /* local is 2.1 and peer is unknown */
1112         if ((p_dev_rec->sm4 & BTM_SM4_CONN_PEND) == 0)
1113         {
1114             /* we are not accepting connection request from peer
1115              * -> RNR (to learn if peer is 2.1)
1116              * RNR when no ACL causes HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT */
1117             btm_sec_change_pairing_state (BTM_PAIR_STATE_GET_REM_NAME);
1118             BTM_ReadRemoteDeviceName(bd_addr, NULL, BT_TRANSPORT_BR_EDR);
1119         }
1120         else
1121         {
1122             /* We are accepting connection request from peer */
1123             btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
1124         }
1125         BTM_TRACE_DEBUG ("State:%s sm4: 0x%x sec_state:%d",
1126             btm_pair_state_descr (btm_cb.pairing_state), p_dev_rec->sm4, p_dev_rec->sec_state);
1127         return BTM_CMD_STARTED;
1128     }
1129 
1130     /* both local and peer are 2.1  */
1131     status = btm_sec_dd_create_conn(p_dev_rec);
1132 
1133     if (status != BTM_CMD_STARTED)
1134     {
1135         btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
1136     }
1137 
1138     return status;
1139 }
1140 
1141 /*******************************************************************************
1142 **
1143 ** Function         BTM_SecBondByTransport
1144 **
1145 ** Description      This function is called to perform bonding with peer device.
1146 **                  If the connection is already up, but not secure, pairing
1147 **                  is attempted.  If already paired BTM_SUCCESS is returned.
1148 **
1149 ** Parameters:      bd_addr      - Address of the device to bond
1150 **                  transport    - doing SSP over BR/EDR or SMP over LE
1151 **                  pin_len      - length in bytes of the PIN Code
1152 **                  p_pin        - pointer to array with the PIN Code
1153 **                  trusted_mask - bitwise OR of trusted services (array of UINT32)
1154 **
1155 **  Note: After 2.1 parameters are not used and preserved here not to change API
1156 *******************************************************************************/
BTM_SecBondByTransport(BD_ADDR bd_addr,tBT_TRANSPORT transport,UINT8 pin_len,UINT8 * p_pin,UINT32 trusted_mask[])1157 tBTM_STATUS BTM_SecBondByTransport (BD_ADDR bd_addr, tBT_TRANSPORT transport,
1158                                     UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[])
1159 {
1160 #if SMP_INCLUDED == TRUE
1161     tBT_DEVICE_TYPE     dev_type;
1162     tBLE_ADDR_TYPE      addr_type;
1163 
1164     BTM_ReadDevInfo(bd_addr, &dev_type, &addr_type);
1165     /* LE device, do SMP pairing */
1166     if ((transport == BT_TRANSPORT_LE && (dev_type & BT_DEVICE_TYPE_BLE) == 0) ||
1167         (transport == BT_TRANSPORT_BR_EDR && (dev_type & BT_DEVICE_TYPE_BREDR) == 0))
1168     {
1169         return BTM_ILLEGAL_ACTION;
1170     }
1171 #endif
1172     return btm_sec_bond_by_transport(bd_addr, transport, pin_len, p_pin, trusted_mask);
1173 }
1174 
1175 /*******************************************************************************
1176 **
1177 ** Function         BTM_SecBond
1178 **
1179 ** Description      This function is called to perform bonding with peer device.
1180 **                  If the connection is already up, but not secure, pairing
1181 **                  is attempted.  If already paired BTM_SUCCESS is returned.
1182 **
1183 ** Parameters:      bd_addr      - Address of the device to bond
1184 **                  pin_len      - length in bytes of the PIN Code
1185 **                  p_pin        - pointer to array with the PIN Code
1186 **                  trusted_mask - bitwise OR of trusted services (array of UINT32)
1187 **
1188 **  Note: After 2.1 parameters are not used and preserved here not to change API
1189 *******************************************************************************/
BTM_SecBond(BD_ADDR bd_addr,UINT8 pin_len,UINT8 * p_pin,UINT32 trusted_mask[])1190 tBTM_STATUS BTM_SecBond (BD_ADDR bd_addr, UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[])
1191 {
1192     tBT_TRANSPORT   transport = BT_TRANSPORT_BR_EDR;
1193 #if BLE_INCLUDED == TRUE
1194     if (BTM_UseLeLink(bd_addr))
1195         transport = BT_TRANSPORT_LE;
1196 #endif
1197     return btm_sec_bond_by_transport(bd_addr, transport, pin_len, p_pin, trusted_mask);
1198 }
1199 /*******************************************************************************
1200 **
1201 ** Function         BTM_SecBondCancel
1202 **
1203 ** Description      This function is called to cancel ongoing bonding process
1204 **                  with peer device.
1205 **
1206 ** Parameters:      bd_addr      - Address of the peer device
1207 **                         transport    - FALSE for BR/EDR link; TRUE for LE link
1208 **
1209 *******************************************************************************/
BTM_SecBondCancel(BD_ADDR bd_addr)1210 tBTM_STATUS BTM_SecBondCancel (BD_ADDR bd_addr)
1211 {
1212     tBTM_SEC_DEV_REC *p_dev_rec;
1213 
1214     BTM_TRACE_API ("BTM_SecBondCancel()  State: %s flags:0x%x",
1215                     btm_pair_state_descr (btm_cb.pairing_state), btm_cb.pairing_flags);
1216 
1217     if (((p_dev_rec = btm_find_dev (bd_addr)) == NULL)
1218         ||  (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) )
1219         return BTM_UNKNOWN_ADDR;
1220 
1221 #if SMP_INCLUDED == TRUE
1222     if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_LE_ACTIVE)
1223     {
1224         if (p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING)
1225         {
1226             BTM_TRACE_DEBUG ("Cancel LE pairing");
1227             if (SMP_PairCancel(bd_addr))
1228             {
1229                 return BTM_CMD_STARTED;
1230             }
1231         }
1232         return BTM_WRONG_MODE;
1233     }
1234 
1235 #endif
1236     BTM_TRACE_DEBUG ("hci_handle:0x%x sec_state:%d", p_dev_rec->hci_handle, p_dev_rec->sec_state );
1237     if (BTM_PAIR_STATE_WAIT_LOCAL_PIN == btm_cb.pairing_state &&
1238         BTM_PAIR_FLAGS_WE_STARTED_DD & btm_cb.pairing_flags)
1239     {
1240         /* pre-fetching pin for dedicated bonding */
1241         btm_sec_bond_cancel_complete();
1242         return BTM_SUCCESS;
1243     }
1244 
1245     /* If this BDA is in a bonding procedure */
1246     if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
1247          &&  (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD))
1248     {
1249         /* If the HCI link is up */
1250         if (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)
1251         {
1252             /* If some other thread disconnecting, we do not send second command */
1253             if ((p_dev_rec->sec_state == BTM_SEC_STATE_DISCONNECTING) ||
1254                 (p_dev_rec->sec_state == BTM_SEC_STATE_DISCONNECTING_BOTH))
1255                 return(BTM_CMD_STARTED);
1256 
1257             /* If the HCI link was set up by Bonding process */
1258             if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)
1259                 return btm_sec_send_hci_disconnect(p_dev_rec, HCI_ERR_PEER_USER, p_dev_rec->hci_handle);
1260             else
1261                 l2cu_update_lcb_4_bonding(bd_addr, FALSE);
1262 
1263             return BTM_NOT_AUTHORIZED;
1264         }
1265         else /*HCI link is not up */
1266         {
1267             /* If the HCI link creation was started by Bonding process */
1268             if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)
1269             {
1270                 if (btsnd_hcic_create_conn_cancel(bd_addr))
1271                     return BTM_CMD_STARTED;
1272 
1273                 return BTM_NO_RESOURCES;
1274             }
1275             if (btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME)
1276             {
1277                 BTM_CancelRemoteDeviceName();
1278                 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_WE_CANCEL_DD;
1279                 return BTM_CMD_STARTED;
1280             }
1281             return BTM_NOT_AUTHORIZED;
1282         }
1283     }
1284 
1285     return BTM_WRONG_MODE;
1286 }
1287 
1288 /*******************************************************************************
1289 **
1290 ** Function         BTM_SecGetDeviceLinkKey
1291 **
1292 ** Description      This function is called to obtain link key for the device
1293 **                  it returns BTM_SUCCESS if link key is available, or
1294 **                  BTM_UNKNOWN_ADDR if Security Manager does not know about
1295 **                  the device or device record does not contain link key info
1296 **
1297 ** Parameters:      bd_addr      - Address of the device
1298 **                  link_key     - Link Key is copied into this array
1299 **
1300 *******************************************************************************/
BTM_SecGetDeviceLinkKey(BD_ADDR bd_addr,LINK_KEY link_key)1301 tBTM_STATUS BTM_SecGetDeviceLinkKey (BD_ADDR bd_addr, LINK_KEY link_key)
1302 {
1303     tBTM_SEC_DEV_REC *p_dev_rec;
1304 
1305     if (((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
1306         && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN))
1307     {
1308         memcpy (link_key, p_dev_rec->link_key, LINK_KEY_LEN);
1309         return(BTM_SUCCESS);
1310     }
1311     return(BTM_UNKNOWN_ADDR);
1312 }
1313 
1314 /*******************************************************************************
1315 **
1316 ** Function         BTM_SecGetDeviceLinkKeyType
1317 **
1318 ** Description      This function is called to obtain link key type for the
1319 **                  device.
1320 **                  it returns BTM_SUCCESS if link key is available, or
1321 **                  BTM_UNKNOWN_ADDR if Security Manager does not know about
1322 **                  the device or device record does not contain link key info
1323 **
1324 ** Returns          BTM_LKEY_TYPE_IGNORE if link key is unknown, link type
1325 **                  otherwise.
1326 **
1327 *******************************************************************************/
BTM_SecGetDeviceLinkKeyType(BD_ADDR bd_addr)1328 tBTM_LINK_KEY_TYPE BTM_SecGetDeviceLinkKeyType (BD_ADDR bd_addr)
1329 {
1330     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr);
1331 
1332     if ((p_dev_rec != NULL) && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN))
1333     {
1334         return p_dev_rec->link_key_type;
1335     }
1336     return BTM_LKEY_TYPE_IGNORE;
1337 }
1338 
1339 /*******************************************************************************
1340 **
1341 ** Function         BTM_SetEncryption
1342 **
1343 ** Description      This function is called to ensure that connection is
1344 **                  encrypted.  Should be called only on an open connection.
1345 **                  Typically only needed for connections that first want to
1346 **                  bring up unencrypted links, then later encrypt them.
1347 **
1348 ** Parameters:      bd_addr       - Address of the peer device
1349 **                  transport     - Link transport
1350 **                  p_callback    - Pointer to callback function called if
1351 **                                  this function returns PENDING after required
1352 **                                  procedures are completed.  Can be set to NULL
1353 **                                  if status is not desired.
1354 **                  p_ref_data    - pointer to any data the caller wishes to receive
1355 **                                  in the callback function upon completion.
1356 **                                  can be set to NULL if not used.
1357 **                  sec_act       - LE security action, unused for BR/EDR
1358 **
1359 ** Returns          BTM_SUCCESS   - already encrypted
1360 **                  BTM_PENDING   - command will be returned in the callback
1361 **                  BTM_WRONG_MODE- connection not up.
1362 **                  BTM_BUSY      - security procedures are currently active
1363 **                  BTM_MODE_UNSUPPORTED - if security manager not linked in.
1364 **
1365 *******************************************************************************/
BTM_SetEncryption(BD_ADDR bd_addr,tBT_TRANSPORT transport,tBTM_SEC_CBACK * p_callback,void * p_ref_data,tBTM_BLE_SEC_ACT sec_act)1366 tBTM_STATUS BTM_SetEncryption (BD_ADDR bd_addr, tBT_TRANSPORT transport, tBTM_SEC_CBACK *p_callback,
1367                                void *p_ref_data, tBTM_BLE_SEC_ACT sec_act)
1368 {
1369     tBTM_STATUS rc = 0;
1370 
1371     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev (bd_addr);
1372     if (!p_dev_rec ||
1373         (transport == BT_TRANSPORT_BR_EDR && p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE)
1374 #if BLE_INCLUDED == TRUE
1375         || (transport == BT_TRANSPORT_LE && p_dev_rec->ble_hci_handle == BTM_SEC_INVALID_HANDLE)
1376 #endif
1377         )
1378     {
1379         /* Connection should be up and runnning */
1380         BTM_TRACE_WARNING ("Security Manager: BTM_SetEncryption not connected");
1381 
1382         if (p_callback)
1383             (*p_callback) (bd_addr, transport, p_ref_data, BTM_WRONG_MODE);
1384 
1385         return(BTM_WRONG_MODE);
1386     }
1387 
1388     if (transport == BT_TRANSPORT_BR_EDR &&
1389          (p_dev_rec->sec_flags &  BTM_SEC_ENCRYPTED))
1390     {
1391         BTM_TRACE_EVENT ("Security Manager: BTM_SetEncryption already encrypted");
1392 
1393         if (p_callback)
1394             (*p_callback) (bd_addr, transport, p_ref_data, BTM_SUCCESS);
1395 
1396         return(BTM_SUCCESS);
1397     }
1398 
1399     /* enqueue security request if security is active */
1400     if (p_dev_rec->p_callback || (p_dev_rec->sec_state != BTM_SEC_STATE_IDLE))
1401     {
1402         BTM_TRACE_WARNING ("Security Manager: BTM_SetEncryption busy, enqueue request");
1403 
1404         if (btm_sec_queue_encrypt_request(bd_addr, transport, p_callback, p_ref_data, sec_act))
1405         {
1406             return BTM_CMD_STARTED;
1407         }
1408         else
1409         {
1410             if (p_callback)
1411                 (*p_callback) (bd_addr, transport, p_ref_data, BTM_NO_RESOURCES);
1412             return BTM_NO_RESOURCES;
1413         }
1414     }
1415 
1416     p_dev_rec->p_callback        = p_callback;
1417     p_dev_rec->p_ref_data        = p_ref_data;
1418     p_dev_rec->security_required |= (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT);
1419     p_dev_rec->is_originator     = FALSE;
1420 
1421     BTM_TRACE_API ("Security Manager: BTM_SetEncryption Handle:%d State:%d Flags:0x%x Required:0x%x",
1422                     p_dev_rec->hci_handle, p_dev_rec->sec_state, p_dev_rec->sec_flags,
1423                     p_dev_rec->security_required);
1424 
1425 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
1426     if (transport == BT_TRANSPORT_LE)
1427     {
1428         tACL_CONN *p = btm_bda_to_acl(bd_addr, transport);
1429         if (p)
1430         {
1431            rc = btm_ble_set_encryption(bd_addr, sec_act, p->link_role);
1432         }
1433         else
1434         {
1435             rc = BTM_WRONG_MODE;
1436             BTM_TRACE_WARNING("%s: cannot call btm_ble_set_encryption, p is NULL", __FUNCTION__);
1437         }
1438     }
1439     else
1440 #endif
1441         rc = btm_sec_execute_procedure (p_dev_rec);
1442 
1443     if (rc != BTM_CMD_STARTED && rc != BTM_BUSY)
1444     {
1445         if (p_callback)
1446         {
1447             p_dev_rec->p_callback = NULL;
1448             (*p_callback) (bd_addr, transport, p_dev_rec->p_ref_data, rc);
1449         }
1450     }
1451 
1452     return(rc);
1453 }
1454 
1455 /*******************************************************************************
1456  * disconnect the ACL link, if it's not done yet.
1457 *******************************************************************************/
btm_sec_send_hci_disconnect(tBTM_SEC_DEV_REC * p_dev_rec,UINT8 reason,UINT16 conn_handle)1458 static tBTM_STATUS btm_sec_send_hci_disconnect (tBTM_SEC_DEV_REC *p_dev_rec, UINT8 reason, UINT16 conn_handle)
1459 {
1460     UINT8       old_state = p_dev_rec->sec_state;
1461     tBTM_STATUS status = BTM_CMD_STARTED;
1462 
1463     BTM_TRACE_EVENT ("btm_sec_send_hci_disconnect:  handle:0x%x, reason=0x%x",
1464                       conn_handle, reason);
1465 
1466     /* send HCI_Disconnect on a transport only once */
1467     switch (old_state)
1468     {
1469         case BTM_SEC_STATE_DISCONNECTING:
1470             if (conn_handle == p_dev_rec->hci_handle)
1471                 return status;
1472 
1473             p_dev_rec->sec_state = BTM_SEC_STATE_DISCONNECTING_BOTH;
1474             break;
1475 
1476 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
1477         case BTM_SEC_STATE_DISCONNECTING_BLE:
1478             if (conn_handle == p_dev_rec->ble_hci_handle)
1479                 return status;
1480 
1481             p_dev_rec->sec_state = BTM_SEC_STATE_DISCONNECTING_BOTH;
1482             break;
1483 
1484         case BTM_SEC_STATE_DISCONNECTING_BOTH:
1485             return status;
1486 #endif
1487 
1488         default:
1489             p_dev_rec->sec_state = (conn_handle == p_dev_rec->hci_handle) ?
1490                     BTM_SEC_STATE_DISCONNECTING : BTM_SEC_STATE_DISCONNECTING_BLE;
1491 
1492             break;
1493     }
1494 
1495     /* If a role switch is in progress, delay the HCI Disconnect to avoid controller problem */
1496     if (p_dev_rec->rs_disc_pending == BTM_SEC_RS_PENDING && p_dev_rec->hci_handle == conn_handle)
1497     {
1498         BTM_TRACE_DEBUG("RS in progress - Set DISC Pending flag in btm_sec_send_hci_disconnect to delay disconnect");
1499               p_dev_rec->rs_disc_pending = BTM_SEC_DISC_PENDING;
1500         status = BTM_SUCCESS;
1501     }
1502     /* Tear down the HCI link */
1503     else if (!btsnd_hcic_disconnect (conn_handle, reason))
1504     {
1505          /* could not send disconnect. restore old state */
1506          p_dev_rec->sec_state = old_state;
1507          status = BTM_NO_RESOURCES;
1508     }
1509 
1510     return status;
1511 }
1512 
1513 /*******************************************************************************
1514 **
1515 ** Function         BTM_ConfirmReqReply
1516 **
1517 ** Description      This function is called to confirm the numeric value for
1518 **                  Simple Pairing in response to BTM_SP_CFM_REQ_EVT
1519 **
1520 ** Parameters:      res           - result of the operation BTM_SUCCESS if success
1521 **                  bd_addr       - Address of the peer device
1522 **
1523 *******************************************************************************/
BTM_ConfirmReqReply(tBTM_STATUS res,BD_ADDR bd_addr)1524 void BTM_ConfirmReqReply(tBTM_STATUS res, BD_ADDR bd_addr)
1525 {
1526     tBTM_SEC_DEV_REC *p_dev_rec;
1527 
1528     BTM_TRACE_EVENT ("BTM_ConfirmReqReply() State: %s  Res: %u",
1529                       btm_pair_state_descr(btm_cb.pairing_state), res);
1530 
1531     /* If timeout already expired or has been canceled, ignore the reply */
1532     if ( (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM)
1533          ||  (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) )
1534         return;
1535 
1536     btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1537 
1538     if ( (res == BTM_SUCCESS) || (res == BTM_SUCCESS_NO_SECURITY) )
1539     {
1540         btm_cb.acl_disc_reason = HCI_SUCCESS;
1541 
1542         if (res == BTM_SUCCESS)
1543         {
1544             if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
1545                 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED;
1546                 p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED;
1547         }
1548 
1549         btsnd_hcic_user_conf_reply (bd_addr, TRUE);
1550     }
1551     else
1552     {
1553         /* Report authentication failed event from state BTM_PAIR_STATE_WAIT_AUTH_COMPLETE */
1554         btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1555         btsnd_hcic_user_conf_reply (bd_addr, FALSE);
1556     }
1557 }
1558 
1559 /*******************************************************************************
1560 **
1561 ** Function         BTM_PasskeyReqReply
1562 **
1563 ** Description      This function is called to provide the passkey for
1564 **                  Simple Pairing in response to BTM_SP_KEY_REQ_EVT
1565 **
1566 ** Parameters:      res     - result of the operation BTM_SUCCESS if success
1567 **                  bd_addr - Address of the peer device
1568 **                  passkey - numeric value in the range of
1569 **                  BTM_MIN_PASSKEY_VAL(0) - BTM_MAX_PASSKEY_VAL(999999(0xF423F)).
1570 **
1571 *******************************************************************************/
1572 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
BTM_PasskeyReqReply(tBTM_STATUS res,BD_ADDR bd_addr,UINT32 passkey)1573 void BTM_PasskeyReqReply(tBTM_STATUS res, BD_ADDR bd_addr, UINT32 passkey)
1574 {
1575     BTM_TRACE_API ("BTM_PasskeyReqReply: State: %s  res:%d",
1576                     btm_pair_state_descr(btm_cb.pairing_state), res);
1577 
1578     if ( (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
1579          ||  (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) )
1580     {
1581         return;
1582     }
1583 
1584     /* If timeout already expired or has been canceled, ignore the reply */
1585     if ( (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_AUTH_COMPLETE) && (res != BTM_SUCCESS) )
1586     {
1587         tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr);
1588         if (p_dev_rec != NULL)
1589         {
1590             btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1591 
1592             if (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)
1593                 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE, p_dev_rec->hci_handle);
1594             else
1595                 BTM_SecBondCancel(bd_addr);
1596 
1597             p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_AUTHED | BTM_SEC_LINK_KEY_KNOWN);
1598 
1599             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
1600             return;
1601         }
1602     }
1603     else if (btm_cb.pairing_state != BTM_PAIR_STATE_KEY_ENTRY)
1604         return;
1605 
1606     if (passkey > BTM_MAX_PASSKEY_VAL)
1607         res = BTM_ILLEGAL_VALUE;
1608 
1609     btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1610 
1611     if (res != BTM_SUCCESS)
1612     {
1613         /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed event */
1614         btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1615         btsnd_hcic_user_passkey_neg_reply (bd_addr);
1616     } else {
1617         btm_cb.acl_disc_reason = HCI_SUCCESS;
1618         btsnd_hcic_user_passkey_reply (bd_addr, passkey);
1619     }
1620 }
1621 #endif
1622 
1623 /*******************************************************************************
1624 **
1625 ** Function         BTM_SendKeypressNotif
1626 **
1627 ** Description      This function is used during the passkey entry model
1628 **                  by a device with KeyboardOnly IO capabilities
1629 **                  (very likely to be a HID Device).
1630 **                  It is called by a HID Device to inform the remote device when
1631 **                  a key has been entered or erased.
1632 **
1633 ** Parameters:      bd_addr - Address of the peer device
1634 **                  type - notification type
1635 **
1636 *******************************************************************************/
1637 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
BTM_SendKeypressNotif(BD_ADDR bd_addr,tBTM_SP_KEY_TYPE type)1638 void BTM_SendKeypressNotif(BD_ADDR bd_addr, tBTM_SP_KEY_TYPE type)
1639 {
1640     /* This API only make sense between PASSKEY_REQ and SP complete */
1641     if (btm_cb.pairing_state == BTM_PAIR_STATE_KEY_ENTRY)
1642         btsnd_hcic_send_keypress_notif (bd_addr, type);
1643 }
1644 #endif
1645 
1646 /*******************************************************************************
1647 **
1648 ** Function         BTM_IoCapRsp
1649 **
1650 ** Description      This function is called in response to BTM_SP_IO_REQ_EVT
1651 **                  When the event data io_req.oob_data is set to BTM_OOB_UNKNOWN
1652 **                  by the tBTM_SP_CALLBACK implementation, this function is
1653 **                  called to provide the actual response
1654 **
1655 ** Parameters:      bd_addr - Address of the peer device
1656 **                  io_cap  - The IO capability of local device.
1657 **                  oob     - BTM_OOB_NONE or BTM_OOB_PRESENT.
1658 **                  auth_req- MITM protection required or not.
1659 **
1660 *******************************************************************************/
BTM_IoCapRsp(BD_ADDR bd_addr,tBTM_IO_CAP io_cap,tBTM_OOB_DATA oob,tBTM_AUTH_REQ auth_req)1661 void BTM_IoCapRsp(BD_ADDR bd_addr, tBTM_IO_CAP io_cap, tBTM_OOB_DATA oob, tBTM_AUTH_REQ auth_req)
1662 {
1663     BTM_TRACE_EVENT ("BTM_IoCapRsp: state: %s  oob: %d io_cap: %d",
1664                       btm_pair_state_descr(btm_cb.pairing_state), oob, io_cap);
1665 
1666     if ( (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS)
1667          ||  (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) )
1668         return;
1669 
1670     if (oob < BTM_OOB_UNKNOWN && io_cap < BTM_IO_CAP_MAX)
1671     {
1672         btm_cb.devcb.loc_auth_req   = auth_req;
1673         btm_cb.devcb.loc_io_caps    = io_cap;
1674 
1675         if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
1676             auth_req = (BTM_AUTH_DD_BOND | (auth_req&BTM_AUTH_YN_BIT));
1677 
1678         btsnd_hcic_io_cap_req_reply (bd_addr, io_cap, oob, auth_req);
1679     }
1680 }
1681 
1682 /*******************************************************************************
1683 **
1684 ** Function         BTM_ReadLocalOobData
1685 **
1686 ** Description      This function is called to read the local OOB data from
1687 **                  LM
1688 **
1689 *******************************************************************************/
BTM_ReadLocalOobData(void)1690 tBTM_STATUS BTM_ReadLocalOobData(void)
1691 {
1692     tBTM_STATUS status = BTM_SUCCESS;
1693 
1694     if (btsnd_hcic_read_local_oob_data() == FALSE)
1695         status = BTM_NO_RESOURCES;
1696 
1697     return status;
1698 }
1699 
1700 /*******************************************************************************
1701 **
1702 ** Function         BTM_RemoteOobDataReply
1703 **
1704 ** Description      This function is called to provide the remote OOB data for
1705 **                  Simple Pairing in response to BTM_SP_RMT_OOB_EVT
1706 **
1707 ** Parameters:      bd_addr     - Address of the peer device
1708 **                  c           - simple pairing Hash C.
1709 **                  r           - simple pairing Randomizer  C.
1710 **
1711 *******************************************************************************/
BTM_RemoteOobDataReply(tBTM_STATUS res,BD_ADDR bd_addr,BT_OCTET16 c,BT_OCTET16 r)1712 void BTM_RemoteOobDataReply(tBTM_STATUS res, BD_ADDR bd_addr, BT_OCTET16 c, BT_OCTET16 r)
1713 {
1714     BTM_TRACE_EVENT ("%s() - State: %s res: %d", __func__,
1715                       btm_pair_state_descr(btm_cb.pairing_state), res);
1716 
1717     /* If timeout already expired or has been canceled, ignore the reply */
1718     if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP)
1719         return;
1720 
1721     btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1722 
1723     if (res != BTM_SUCCESS)
1724     {
1725         /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed event */
1726         btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1727         btsnd_hcic_rem_oob_neg_reply (bd_addr);
1728     } else {
1729         btm_cb.acl_disc_reason = HCI_SUCCESS;
1730         btsnd_hcic_rem_oob_reply (bd_addr, c, r);
1731     }
1732 }
1733 
1734 /*******************************************************************************
1735 **
1736 ** Function         BTM_BuildOobData
1737 **
1738 ** Description      This function is called to build the OOB data payload to
1739 **                  be sent over OOB (non-Bluetooth) link
1740 **
1741 ** Parameters:      p_data  - the location for OOB data
1742 **                  max_len - p_data size.
1743 **                  c       - simple pairing Hash C.
1744 **                  r       - simple pairing Randomizer  C.
1745 **                  name_len- 0, local device name would not be included.
1746 **                            otherwise, the local device name is included for
1747 **                            up to this specified length
1748 **
1749 ** Returns          Number of bytes in p_data.
1750 **
1751 *******************************************************************************/
BTM_BuildOobData(UINT8 * p_data,UINT16 max_len,BT_OCTET16 c,BT_OCTET16 r,UINT8 name_len)1752 UINT16 BTM_BuildOobData(UINT8 *p_data, UINT16 max_len, BT_OCTET16 c,
1753                         BT_OCTET16 r, UINT8 name_len)
1754 {
1755     UINT8   *p = p_data;
1756     UINT16  len = 0;
1757 #if BTM_MAX_LOC_BD_NAME_LEN > 0
1758     UINT16  name_size;
1759     UINT8   name_type = BTM_EIR_SHORTENED_LOCAL_NAME_TYPE;
1760 #endif
1761 
1762     if (p_data && max_len >= BTM_OOB_MANDATORY_SIZE)
1763     {
1764         /* add mandatory part */
1765         UINT16_TO_STREAM(p, len);
1766         BDADDR_TO_STREAM(p, controller_get_interface()->get_address()->address);
1767 
1768         len = BTM_OOB_MANDATORY_SIZE;
1769         max_len -= len;
1770 
1771         /* now optional part */
1772 
1773         /* add Hash C */
1774         UINT16 delta = BTM_OOB_HASH_C_SIZE + 2;
1775         if (max_len >= delta)
1776         {
1777             *p++ = BTM_OOB_HASH_C_SIZE + 1;
1778             *p++ = BTM_EIR_OOB_SSP_HASH_C_TYPE;
1779             ARRAY_TO_STREAM(p, c, BTM_OOB_HASH_C_SIZE);
1780             len     += delta;
1781             max_len -= delta;
1782         }
1783 
1784         /* add Rand R */
1785         delta = BTM_OOB_RAND_R_SIZE + 2;
1786         if (max_len >= delta)
1787         {
1788             *p++ = BTM_OOB_RAND_R_SIZE + 1;
1789             *p++ = BTM_EIR_OOB_SSP_RAND_R_TYPE;
1790             ARRAY_TO_STREAM(p, r, BTM_OOB_RAND_R_SIZE);
1791             len     += delta;
1792             max_len -= delta;
1793         }
1794 
1795         /* add class of device */
1796         delta = BTM_OOB_COD_SIZE + 2;
1797         if (max_len >= delta)
1798         {
1799             *p++ = BTM_OOB_COD_SIZE + 1;
1800             *p++ = BTM_EIR_OOB_COD_TYPE;
1801             DEVCLASS_TO_STREAM(p, btm_cb.devcb.dev_class);
1802             len     += delta;
1803             max_len -= delta;
1804         }
1805 #if BTM_MAX_LOC_BD_NAME_LEN > 0
1806         name_size = name_len;
1807         if (name_size > strlen(btm_cb.cfg.bd_name))
1808         {
1809             name_type = BTM_EIR_COMPLETE_LOCAL_NAME_TYPE;
1810             name_size = (UINT16)strlen(btm_cb.cfg.bd_name);
1811         }
1812         delta = name_size + 2;
1813         if (max_len >= delta)
1814         {
1815             *p++ = name_size + 1;
1816             *p++ = name_type;
1817             ARRAY_TO_STREAM (p, btm_cb.cfg.bd_name, name_size);
1818             len     += delta;
1819             max_len -= delta;
1820         }
1821 #endif
1822         /* update len */
1823         p = p_data;
1824         UINT16_TO_STREAM(p, len);
1825     }
1826     return len;
1827 }
1828 
1829 /*******************************************************************************
1830 **
1831 ** Function         BTM_BothEndsSupportSecureConnections
1832 **
1833 ** Description      This function is called to check if both the local device and the peer device
1834 **                  specified by bd_addr support BR/EDR Secure Connections.
1835 **
1836 ** Parameters:      bd_addr - address of the peer
1837 **
1838 ** Returns          TRUE if BR/EDR Secure Connections are supported by both local
1839 **                  and the remote device.
1840 **                  else FALSE.
1841 **
1842 *******************************************************************************/
BTM_BothEndsSupportSecureConnections(BD_ADDR bd_addr)1843 BOOLEAN BTM_BothEndsSupportSecureConnections(BD_ADDR bd_addr)
1844 {
1845     return ((controller_get_interface()->supports_secure_connections()) &&
1846             (BTM_PeerSupportsSecureConnections(bd_addr)));
1847 }
1848 
1849 /*******************************************************************************
1850 **
1851 ** Function         BTM_PeerSupportsSecureConnections
1852 **
1853 ** Description      This function is called to check if the peer supports
1854 **                  BR/EDR Secure Connections.
1855 **
1856 ** Parameters:      bd_addr - address of the peer
1857 **
1858 ** Returns          TRUE if BR/EDR Secure Connections are supported by the peer,
1859 **                  else FALSE.
1860 **
1861 *******************************************************************************/
BTM_PeerSupportsSecureConnections(BD_ADDR bd_addr)1862 BOOLEAN BTM_PeerSupportsSecureConnections(BD_ADDR bd_addr)
1863 {
1864     tBTM_SEC_DEV_REC    *p_dev_rec;
1865 
1866     if ((p_dev_rec = btm_find_dev(bd_addr)) == NULL)
1867     {
1868         BTM_TRACE_WARNING("%s: unknown BDA: %08x%04x", __FUNCTION__,
1869             (bd_addr[0]<<24) + (bd_addr[1]<<16) + (bd_addr[2]<<8) + bd_addr[3],
1870             (bd_addr[4]<< 8) + bd_addr[5]);
1871         return FALSE;
1872     }
1873 
1874     return (p_dev_rec->remote_supports_secure_connections);
1875 }
1876 
1877 /*******************************************************************************
1878 **
1879 ** Function         BTM_ReadOobData
1880 **
1881 ** Description      This function is called to parse the OOB data payload
1882 **                  received over OOB (non-Bluetooth) link
1883 **
1884 ** Parameters:      p_data  - the location for OOB data
1885 **                  eir_tag - The associated EIR tag to read the data.
1886 **                  *p_len(output) - the length of the data with the given tag.
1887 **
1888 ** Returns          the beginning of the data with the given tag.
1889 **                  NULL, if the tag is not found.
1890 **
1891 *******************************************************************************/
BTM_ReadOobData(UINT8 * p_data,UINT8 eir_tag,UINT8 * p_len)1892 UINT8 * BTM_ReadOobData(UINT8 *p_data, UINT8 eir_tag, UINT8 *p_len)
1893 {
1894     UINT8   *p = p_data;
1895     UINT16  max_len;
1896     UINT8   len, type;
1897     UINT8   *p_ret = NULL;
1898     UINT8   ret_len = 0;
1899 
1900     if (p_data)
1901     {
1902         STREAM_TO_UINT16(max_len, p);
1903         if (max_len >= BTM_OOB_MANDATORY_SIZE)
1904         {
1905             if (BTM_EIR_OOB_BD_ADDR_TYPE == eir_tag)
1906             {
1907                 p_ret = p; /* the location for bd_addr */
1908                 ret_len = BTM_OOB_BD_ADDR_SIZE;
1909             }
1910             else
1911             {
1912                 p += BD_ADDR_LEN;
1913                 max_len -= BTM_OOB_MANDATORY_SIZE;
1914                 /* now the optional data in EIR format */
1915                 while (max_len > 0)
1916                 {
1917                     len     = *p++; /* tag data len + 1 */
1918                     type    = *p++;
1919                     if (eir_tag == type)
1920                     {
1921                         p_ret = p;
1922                         ret_len = len - 1;
1923                         break;
1924                     }
1925                     /* the data size of this tag is len + 1 (tag data len + 2) */
1926                     if (max_len > len)
1927                     {
1928                         max_len -= len;
1929                         max_len--;
1930                         len--;
1931                         p += len;
1932                     }
1933                     else
1934                         max_len = 0;
1935                 }
1936             }
1937         }
1938     }
1939 
1940     if (p_len)
1941         *p_len = ret_len;
1942 
1943     return p_ret;
1944 }
1945 
1946 /*******************************************************************************
1947 **
1948 ** Function         BTM_SetOutService
1949 **
1950 ** Description      This function is called to set the service for
1951 **                  outgoing connections.
1952 **
1953 **                  If the profile/application calls BTM_SetSecurityLevel
1954 **                  before initiating a connection, this function does not
1955 **                  need to be called.
1956 **
1957 ** Returns          void
1958 **
1959 *******************************************************************************/
BTM_SetOutService(BD_ADDR bd_addr,UINT8 service_id,UINT32 mx_chan_id)1960 void BTM_SetOutService(BD_ADDR bd_addr, UINT8 service_id, UINT32 mx_chan_id)
1961 {
1962     tBTM_SEC_DEV_REC *p_dev_rec;
1963     tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0];
1964 
1965     btm_cb.p_out_serv = p_serv_rec;
1966     p_dev_rec = btm_find_dev (bd_addr);
1967 
1968     for (int i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++)
1969     {
1970         if ((p_serv_rec->security_flags & BTM_SEC_IN_USE)
1971             && (p_serv_rec->service_id == service_id)
1972             && (p_serv_rec->orig_mx_chan_id == mx_chan_id))
1973         {
1974             BTM_TRACE_API("BTM_SetOutService p_out_serv id %d, psm 0x%04x, proto_id %d, chan_id %d",
1975                            p_serv_rec->service_id, p_serv_rec->psm, p_serv_rec->mx_proto_id, p_serv_rec->orig_mx_chan_id);
1976             btm_cb.p_out_serv = p_serv_rec;
1977             if (p_dev_rec)
1978                 p_dev_rec->p_cur_service = p_serv_rec;
1979             break;
1980         }
1981     }
1982 }
1983 
1984 /************************************************************************
1985 **              I N T E R N A L     F U N C T I O N S
1986 *************************************************************************/
1987 /*******************************************************************************
1988 **
1989 ** Function         btm_sec_is_upgrade_possible
1990 **
1991 ** Description      This function returns TRUE if the existing link key
1992 **                  can be upgraded or if the link key does not exist.
1993 **
1994 ** Returns          BOOLEAN
1995 **
1996 *******************************************************************************/
btm_sec_is_upgrade_possible(tBTM_SEC_DEV_REC * p_dev_rec,BOOLEAN is_originator)1997 static BOOLEAN btm_sec_is_upgrade_possible(tBTM_SEC_DEV_REC  *p_dev_rec, BOOLEAN is_originator)
1998 {
1999     UINT16              mtm_check = is_originator ? BTM_SEC_OUT_MITM : BTM_SEC_IN_MITM;
2000     BOOLEAN             is_possible = TRUE;
2001 
2002     if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)
2003     {
2004         is_possible = FALSE;
2005         if(p_dev_rec->p_cur_service)
2006         {
2007             BTM_TRACE_DEBUG ("%s() id: %d, link_key_typet: %d, rmt_io_caps: %d, chk flags: 0x%x, flags: 0x%x",
2008                           __func__, p_dev_rec->p_cur_service->service_id, p_dev_rec->link_key_type,
2009                           p_dev_rec->rmt_io_caps, mtm_check, p_dev_rec->p_cur_service->security_flags);
2010         }
2011         else
2012         {
2013             BTM_TRACE_DEBUG ("%s() link_key_typet: %d, rmt_io_caps: %d, chk flags: 0x%x",
2014                           __func__, p_dev_rec->link_key_type, p_dev_rec->rmt_io_caps, mtm_check);
2015         }
2016         /* Already have a link key to the connected peer. Is the link key secure enough?
2017         ** Is a link key upgrade even possible?
2018         */
2019         if ((p_dev_rec->security_required & mtm_check)    /* needs MITM */
2020             && ((p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB) ||
2021                 (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256))
2022                                                           /* has unauthenticated
2023                                                           link key */
2024             && (p_dev_rec->rmt_io_caps < BTM_IO_CAP_MAX)  /* a valid peer IO cap */
2025             && (btm_sec_io_map[p_dev_rec->rmt_io_caps][btm_cb.devcb.loc_io_caps]))
2026                                                           /* authenticated
2027                                                           link key is possible */
2028         {
2029             /* upgrade is possible: check if the application wants the upgrade.
2030              * If the application is configured to use a global MITM flag,
2031              * it probably would not want to upgrade the link key based on the security level database */
2032             is_possible = TRUE;
2033         }
2034     }
2035     BTM_TRACE_DEBUG ("%s() is_possible: %d sec_flags: 0x%x", __func__, is_possible, p_dev_rec->sec_flags);
2036     return is_possible;
2037 }
2038 
2039 /*******************************************************************************
2040 **
2041 ** Function         btm_sec_check_upgrade
2042 **
2043 ** Description      This function is called to check if the existing link key
2044 **                  needs to be upgraded.
2045 **
2046 ** Returns          void
2047 **
2048 *******************************************************************************/
btm_sec_check_upgrade(tBTM_SEC_DEV_REC * p_dev_rec,BOOLEAN is_originator)2049 static void btm_sec_check_upgrade(tBTM_SEC_DEV_REC  *p_dev_rec, BOOLEAN is_originator)
2050 {
2051 
2052     BTM_TRACE_DEBUG ("%s()", __func__);
2053 
2054     /* Only check if link key already exists */
2055     if (!(p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN))
2056         return;
2057 
2058     if (btm_sec_is_upgrade_possible (p_dev_rec, is_originator) == TRUE)
2059     {
2060         BTM_TRACE_DEBUG ("need upgrade!! sec_flags:0x%x", p_dev_rec->sec_flags);
2061         /* upgrade is possible: check if the application wants the upgrade.
2062          * If the application is configured to use a global MITM flag,
2063          * it probably would not want to upgrade the link key based on the security level database */
2064         tBTM_SP_UPGRADE evt_data;
2065         memcpy (evt_data.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
2066         evt_data.upgrade = TRUE;
2067         if (btm_cb.api.p_sp_callback)
2068             (*btm_cb.api.p_sp_callback) (BTM_SP_UPGRADE_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
2069 
2070         BTM_TRACE_DEBUG ("evt_data.upgrade:0x%x", evt_data.upgrade);
2071         if (evt_data.upgrade)
2072         {
2073             /* if the application confirms the upgrade, set the upgrade bit */
2074             p_dev_rec->sm4 |= BTM_SM4_UPGRADE;
2075 
2076             /* Clear the link key known to go through authentication/pairing again */
2077             p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED);
2078             p_dev_rec->sec_flags &= ~BTM_SEC_AUTHENTICATED;
2079             BTM_TRACE_DEBUG ("sec_flags:0x%x", p_dev_rec->sec_flags);
2080         }
2081     }
2082 }
2083 
2084 /*******************************************************************************
2085 **
2086 ** Function         btm_sec_l2cap_access_req
2087 **
2088 ** Description      This function is called by the L2CAP to grant permission to
2089 **                  establish L2CAP connection to or from the peer device.
2090 **
2091 ** Parameters:      bd_addr       - Address of the peer device
2092 **                  psm           - L2CAP PSM
2093 **                  is_originator - TRUE if protocol above L2CAP originates
2094 **                                  connection
2095 **                  p_callback    - Pointer to callback function called if
2096 **                                  this function returns PENDING after required
2097 **                                  procedures are complete. MUST NOT BE NULL.
2098 **
2099 ** Returns          tBTM_STATUS
2100 **
2101 *******************************************************************************/
btm_sec_l2cap_access_req(BD_ADDR bd_addr,UINT16 psm,UINT16 handle,CONNECTION_TYPE conn_type,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data)2102 tBTM_STATUS btm_sec_l2cap_access_req (BD_ADDR bd_addr, UINT16 psm, UINT16 handle,
2103                                       CONNECTION_TYPE conn_type,
2104                                       tBTM_SEC_CALLBACK *p_callback,
2105                                       void *p_ref_data)
2106 {
2107     tBTM_SEC_DEV_REC  *p_dev_rec;
2108     tBTM_SEC_SERV_REC *p_serv_rec;
2109     UINT16         security_required;
2110     UINT16         old_security_required;
2111     BOOLEAN       old_is_originator;
2112     tBTM_STATUS   rc = BTM_SUCCESS;
2113     BOOLEAN       chk_acp_auth_done = FALSE;
2114     BOOLEAN is_originator;
2115     tBT_TRANSPORT transport = BT_TRANSPORT_BR_EDR; /* should check PSM range in LE connection oriented L2CAP connection */
2116 
2117 #if (L2CAP_UCD_INCLUDED == TRUE)
2118     if (conn_type & CONNECTION_TYPE_ORIG_MASK)
2119         is_originator = TRUE;
2120     else
2121         is_originator = FALSE;
2122 
2123     BTM_TRACE_DEBUG ("%s() conn_type: 0x%x, 0x%x", __func__, conn_type, p_ref_data);
2124 #else
2125     is_originator = conn_type;
2126 
2127     BTM_TRACE_DEBUG ("%s() is_originator:%d, 0x%x", __func__, is_originator, p_ref_data);
2128 #endif
2129 
2130     /* Find or get oldest record */
2131     p_dev_rec = btm_find_or_alloc_dev (bd_addr);
2132 
2133     p_dev_rec->hci_handle = handle;
2134 
2135     /* Find the service record for the PSM */
2136     p_serv_rec = btm_sec_find_first_serv (conn_type, psm);
2137 
2138     /* If there is no application registered with this PSM do not allow connection */
2139     if (!p_serv_rec)
2140     {
2141         BTM_TRACE_WARNING ("%s() PSM: %d no application registerd", __func__, psm);
2142         (*p_callback) (bd_addr, transport, p_ref_data, BTM_MODE_UNSUPPORTED);
2143         return(BTM_MODE_UNSUPPORTED);
2144     }
2145 
2146     /* Services level0 by default have no security */
2147     if ((btm_sec_is_serv_level0(psm)) && (!btm_cb.devcb.secure_connections_only))
2148     {
2149         (*p_callback) (bd_addr,transport, p_ref_data, BTM_SUCCESS_NO_SECURITY);
2150         return(BTM_SUCCESS);
2151     }
2152 #if (L2CAP_UCD_INCLUDED == TRUE)
2153     if ( conn_type & CONNECTION_TYPE_CONNLESS_MASK )
2154     {
2155         if (btm_cb.security_mode == BTM_SEC_MODE_SC)
2156         {
2157             security_required = btm_sec_set_serv_level4_flags (p_serv_rec->ucd_security_flags,
2158                                                                is_originator);
2159         }
2160         else
2161         {
2162             security_required = p_serv_rec->ucd_security_flags;
2163         }
2164 
2165         rc = BTM_CMD_STARTED;
2166         if (is_originator)
2167         {
2168             if (((security_required & BTM_SEC_OUT_FLAGS) == 0) ||
2169                 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_AUTHENTICATE) && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))) ||
2170                 ((((security_required & BTM_SEC_OUT_FLAGS) == (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) && (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))) ||
2171                 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_FLAGS) && (p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED))) )
2172             {
2173                 rc = BTM_SUCCESS;
2174             }
2175         }
2176         else
2177         {
2178             if (((security_required & BTM_SEC_IN_FLAGS) == 0) ||
2179                 ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHENTICATE) && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))) ||
2180                 ((((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) && (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))) ||
2181                 ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_FLAGS) && (p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED))) )
2182             {
2183                 // Check for 16 digits (or MITM)
2184                 if (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == 0) ||
2185                     (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == BTM_SEC_IN_MIN_16_DIGIT_PIN) &&
2186                      btm_dev_16_digit_authenticated(p_dev_rec))) {
2187                     rc = BTM_SUCCESS;
2188                 }
2189             }
2190         }
2191 
2192         if ((rc == BTM_SUCCESS) && (security_required & BTM_SEC_MODE4_LEVEL4) &&
2193             (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256))
2194         {
2195             rc = BTM_CMD_STARTED;
2196         }
2197 
2198         if (rc == BTM_SUCCESS)
2199         {
2200             if (p_callback)
2201                 (*p_callback) (bd_addr, transport, (void *)p_ref_data, BTM_SUCCESS);
2202 
2203             return(BTM_SUCCESS);
2204         }
2205     }
2206     else
2207 #endif
2208     {
2209         if (btm_cb.security_mode == BTM_SEC_MODE_SC)
2210         {
2211             security_required = btm_sec_set_serv_level4_flags (p_serv_rec->security_flags,
2212                                                                 is_originator);
2213         }
2214         else
2215         {
2216             security_required = p_serv_rec->security_flags;
2217         }
2218     }
2219 
2220     BTM_TRACE_DEBUG("%s: security_required 0x%04x, is_originator 0x%02x, psm  0x%04x",
2221                     __FUNCTION__, security_required, is_originator, psm);
2222 
2223     if ((!is_originator) && (security_required & BTM_SEC_MODE4_LEVEL4))
2224     {
2225         BOOLEAN local_supports_sc = controller_get_interface()->supports_secure_connections();
2226         /* acceptor receives L2CAP Channel Connect Request for Secure Connections Only service */
2227         if (!(local_supports_sc) || !(p_dev_rec->remote_supports_secure_connections))
2228         {
2229             BTM_TRACE_DEBUG("%s: SC only service, local_support_for_sc %d",
2230                             "rmt_support_for_sc : %d -> fail pairing", __FUNCTION__,
2231                             local_supports_sc,
2232                             p_dev_rec->remote_supports_secure_connections);
2233             if (p_callback)
2234                 (*p_callback) (bd_addr, transport, (void *)p_ref_data,
2235                                                     BTM_MODE4_LEVEL4_NOT_SUPPORTED);
2236 
2237             return (BTM_MODE4_LEVEL4_NOT_SUPPORTED);
2238         }
2239     }
2240 
2241     /* there are some devices (moto KRZR) which connects to several services at the same time */
2242     /* we will process one after another */
2243     if ( (p_dev_rec->p_callback) || (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) )
2244     {
2245         BTM_TRACE_EVENT ("%s() - busy - PSM:%d delayed  state: %s mode:%d, sm4:0x%x", __func__,
2246                           psm, btm_pair_state_descr(btm_cb.pairing_state), btm_cb.security_mode, p_dev_rec->sm4);
2247         BTM_TRACE_EVENT ("security_flags:x%x, sec_flags:x%x", security_required, p_dev_rec->sec_flags);
2248         rc = BTM_CMD_STARTED;
2249         if ((btm_cb.security_mode == BTM_SEC_MODE_UNDEFINED ||
2250              btm_cb.security_mode == BTM_SEC_MODE_NONE ||
2251              btm_cb.security_mode == BTM_SEC_MODE_SERVICE ||
2252              btm_cb.security_mode == BTM_SEC_MODE_LINK) ||
2253             (BTM_SM4_KNOWN == p_dev_rec->sm4) || (BTM_SEC_IS_SM4(p_dev_rec->sm4) &&
2254             (btm_sec_is_upgrade_possible(p_dev_rec, is_originator) == FALSE)))
2255         {
2256             /* legacy mode - local is legacy or local is lisbon/peer is legacy
2257              * or SM4 with no possibility of link key upgrade */
2258             if (is_originator)
2259             {
2260                 if (((security_required & BTM_SEC_OUT_FLAGS) == 0) ||
2261                     ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_AUTHENTICATE) && btm_dev_authenticated(p_dev_rec))) ||
2262                     ((((security_required & BTM_SEC_OUT_FLAGS) == (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) && btm_dev_encrypted(p_dev_rec))) ||
2263                     ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_FLAGS) && btm_dev_authorized(p_dev_rec)  && btm_dev_encrypted(p_dev_rec))) )
2264                 {
2265                     rc = BTM_SUCCESS;
2266                 }
2267             }
2268             else
2269             {
2270                 if (((security_required & BTM_SEC_IN_FLAGS) == 0) ||
2271                 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHENTICATE) && btm_dev_authenticated(p_dev_rec)) ||
2272                 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) && btm_dev_encrypted(p_dev_rec)) ||
2273                 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHORIZE) && (btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec))) ||
2274                 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_AUTHORIZE)) && ((btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec)) && btm_dev_authenticated(p_dev_rec))) ||
2275                 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHORIZE)) && ((btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec)) && btm_dev_encrypted(p_dev_rec))) ||
2276                 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_FLAGS)  && btm_dev_encrypted(p_dev_rec) && (btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec))))
2277                 {
2278                     // Check for 16 digits (or MITM)
2279                     if (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == 0) ||
2280                        (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == BTM_SEC_IN_MIN_16_DIGIT_PIN) && btm_dev_16_digit_authenticated(p_dev_rec))) {
2281                         rc = BTM_SUCCESS;
2282                     }
2283                 }
2284             }
2285 
2286             if ((rc == BTM_SUCCESS) && (security_required & BTM_SEC_MODE4_LEVEL4) &&
2287                 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256))
2288             {
2289                 rc = BTM_CMD_STARTED;
2290             }
2291 
2292             if (rc == BTM_SUCCESS)
2293             {
2294                 if (p_callback)
2295                     (*p_callback) (bd_addr, transport, (void *)p_ref_data, BTM_SUCCESS);
2296                 return(BTM_SUCCESS);
2297             }
2298         }
2299 
2300         btm_cb.sec_req_pending = TRUE;
2301         return(BTM_CMD_STARTED);
2302     }
2303 
2304     /* Save pointer to service record */
2305     p_dev_rec->p_cur_service = p_serv_rec;
2306 
2307     /* Modify security_required in btm_sec_l2cap_access_req for Lisbon */
2308     if (btm_cb.security_mode == BTM_SEC_MODE_SP ||
2309         btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
2310         btm_cb.security_mode == BTM_SEC_MODE_SC)
2311     {
2312         if (BTM_SEC_IS_SM4(p_dev_rec->sm4))
2313         {
2314             if (is_originator)
2315             {
2316                 /* SM4 to SM4 -> always authenticate & encrypt */
2317                 security_required |= (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT);
2318             }
2319             else /* acceptor */
2320             {
2321                 /* SM4 to SM4: the acceptor needs to make sure the authentication is already done */
2322                 chk_acp_auth_done = TRUE;
2323                 /* SM4 to SM4 -> always authenticate & encrypt */
2324                 security_required |= (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT);
2325            }
2326         }
2327         else if (!(BTM_SM4_KNOWN & p_dev_rec->sm4))
2328         {
2329             /* the remote features are not known yet */
2330             BTM_TRACE_DEBUG("%s: (%s) remote features unknown!!sec_flags:0x%02x", __FUNCTION__,
2331                             (is_originator) ? "initiator" : "acceptor", p_dev_rec->sec_flags);
2332 
2333             p_dev_rec->sm4 |= BTM_SM4_REQ_PEND;
2334             return (BTM_CMD_STARTED);
2335         }
2336     }
2337 
2338     BTM_TRACE_DEBUG ("%s()  sm4:0x%x, sec_flags:0x%x, security_required:0x%x chk:%d", __func__,
2339                       p_dev_rec->sm4, p_dev_rec->sec_flags, security_required, chk_acp_auth_done);
2340 
2341     old_security_required        = p_dev_rec->security_required;
2342     old_is_originator            = p_dev_rec->is_originator;
2343     p_dev_rec->security_required = security_required;
2344     p_dev_rec->p_ref_data        = p_ref_data;
2345     p_dev_rec->is_originator     = is_originator;
2346 
2347 #if (L2CAP_UCD_INCLUDED == TRUE)
2348     if ( conn_type & CONNECTION_TYPE_CONNLESS_MASK )
2349         p_dev_rec->is_ucd = TRUE;
2350     else
2351         p_dev_rec->is_ucd = FALSE;
2352 #endif
2353 
2354     /* If there are multiple service records used through the same PSM */
2355     /* leave security decision for the multiplexor on the top */
2356 #if (L2CAP_UCD_INCLUDED == TRUE)
2357     if (((btm_sec_find_next_serv (p_serv_rec)) != NULL)
2358         &&(!( conn_type & CONNECTION_TYPE_CONNLESS_MASK ))) /* if not UCD */
2359 #else
2360     if ((btm_sec_find_next_serv (p_serv_rec)) != NULL)
2361 #endif
2362     {
2363         BTM_TRACE_DEBUG ("no next_serv sm4:0x%x, chk:%d", p_dev_rec->sm4, chk_acp_auth_done);
2364         if (!BTM_SEC_IS_SM4(p_dev_rec->sm4))
2365         {
2366             BTM_TRACE_EVENT ("Security Manager: l2cap_access_req PSM:%d postponed for multiplexer", psm);
2367             /* pre-Lisbon: restore the old settings */
2368             p_dev_rec->security_required = old_security_required;
2369             p_dev_rec->is_originator     = old_is_originator;
2370 
2371             (*p_callback) (bd_addr, transport, p_ref_data, BTM_SUCCESS);
2372 
2373             return(BTM_SUCCESS);
2374         }
2375     }
2376 
2377     /* if the originator is using dynamic PSM in legacy mode, do not start any security process now
2378      * The layer above L2CAP needs to carry out the security requirement after L2CAP connect
2379      * response is received */
2380     if (is_originator &&
2381         ((btm_cb.security_mode == BTM_SEC_MODE_UNDEFINED ||
2382           btm_cb.security_mode == BTM_SEC_MODE_NONE ||
2383           btm_cb.security_mode == BTM_SEC_MODE_SERVICE ||
2384           btm_cb.security_mode == BTM_SEC_MODE_LINK) ||
2385          !BTM_SEC_IS_SM4(p_dev_rec->sm4)) && (psm >= 0x1001))
2386     {
2387         BTM_TRACE_EVENT ("dynamic PSM:0x%x in legacy mode - postponed for upper layer", psm);
2388         /* restore the old settings */
2389         p_dev_rec->security_required = old_security_required;
2390         p_dev_rec->is_originator     = old_is_originator;
2391 
2392         (*p_callback) (bd_addr, transport, p_ref_data, BTM_SUCCESS);
2393 
2394         return(BTM_SUCCESS);
2395     }
2396 
2397     if (chk_acp_auth_done)
2398     {
2399         BTM_TRACE_DEBUG ("(SM4 to SM4) btm_sec_l2cap_access_req rspd. authenticated: x%x, enc: x%x",
2400                           (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED), (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED));
2401         /* SM4, but we do not know for sure which level of security we need.
2402          * as long as we have a link key, it's OK */
2403         if ((0 == (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))
2404             ||(0 == (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)))
2405         {
2406             rc = BTM_DELAY_CHECK;
2407             /*
2408             2046 may report HCI_Encryption_Change and L2C Connection Request out of sequence
2409             because of data path issues. Delay this disconnect a little bit
2410             */
2411             LOG_INFO(LOG_TAG, "%s peer should have initiated security process by now (SM4 to SM4)", __func__);
2412             p_dev_rec->p_callback        = p_callback;
2413             p_dev_rec->sec_state         = BTM_SEC_STATE_DELAY_FOR_ENC;
2414             (*p_callback) (bd_addr, transport, p_ref_data, rc);
2415 
2416             return BTM_SUCCESS;
2417         }
2418     }
2419 
2420     p_dev_rec->p_callback        = p_callback;
2421 
2422     if (p_dev_rec->last_author_service_id == BTM_SEC_NO_LAST_SERVICE_ID
2423         || p_dev_rec->last_author_service_id != p_dev_rec->p_cur_service->service_id)
2424     {
2425         /* Although authentication and encryption are per connection
2426         ** authorization is per access request.  For example when serial connection
2427         ** is up and authorized and client requests to read file (access to other
2428         ** scn), we need to request user's permission again.
2429         */
2430         p_dev_rec->sec_flags &= ~BTM_SEC_AUTHORIZED;
2431     }
2432 
2433     if (BTM_SEC_IS_SM4(p_dev_rec->sm4))
2434     {
2435         if ((p_dev_rec->security_required & BTM_SEC_MODE4_LEVEL4) &&
2436             (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256))
2437         {
2438             /* BTM_LKEY_TYPE_AUTH_COMB_P_256 is the only acceptable key in this case */
2439             if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) != 0)
2440             {
2441                 p_dev_rec->sm4 |= BTM_SM4_UPGRADE;
2442             }
2443             p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED |
2444                                       BTM_SEC_AUTHENTICATED);
2445             BTM_TRACE_DEBUG ("%s: sec_flags:0x%x", __FUNCTION__, p_dev_rec->sec_flags);
2446         }
2447         else
2448         {
2449             /* If we already have a link key to the connected peer, is it secure enough? */
2450             btm_sec_check_upgrade(p_dev_rec, is_originator);
2451         }
2452     }
2453 
2454     BTM_TRACE_EVENT ("%s() PSM:%d Handle:%d State:%d Flags: 0x%x Required: 0x%x Service ID:%d",
2455            __func__, psm, handle, p_dev_rec->sec_state, p_dev_rec->sec_flags,
2456            p_dev_rec->security_required, p_dev_rec->p_cur_service->service_id);
2457 
2458     if ((rc = btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED)
2459     {
2460         p_dev_rec->p_callback = NULL;
2461         (*p_callback) (bd_addr, transport, p_dev_rec->p_ref_data, (UINT8)rc);
2462     }
2463 
2464     return(rc);
2465 }
2466 
2467 /*******************************************************************************
2468 **
2469 ** Function         btm_sec_mx_access_request
2470 **
2471 ** Description      This function is called by all Multiplexing Protocols during
2472 **                  establishing connection to or from peer device to grant
2473 **                  permission to establish application connection.
2474 **
2475 ** Parameters:      bd_addr       - Address of the peer device
2476 **                  psm           - L2CAP PSM
2477 **                  is_originator - TRUE if protocol above L2CAP originates
2478 **                                  connection
2479 **                  mx_proto_id   - protocol ID of the multiplexer
2480 **                  mx_chan_id    - multiplexer channel to reach application
2481 **                  p_callback    - Pointer to callback function called if
2482 **                                  this function returns PENDING after required
2483 **                                  procedures are completed
2484 **                  p_ref_data    - Pointer to any reference data needed by the
2485 **                                  the callback function.
2486 **
2487 ** Returns          BTM_CMD_STARTED
2488 **
2489 *******************************************************************************/
btm_sec_mx_access_request(BD_ADDR bd_addr,UINT16 psm,BOOLEAN is_originator,UINT32 mx_proto_id,UINT32 mx_chan_id,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data)2490 tBTM_STATUS btm_sec_mx_access_request (BD_ADDR bd_addr, UINT16 psm, BOOLEAN is_originator,
2491                                        UINT32 mx_proto_id, UINT32 mx_chan_id,
2492                                        tBTM_SEC_CALLBACK *p_callback, void *p_ref_data)
2493 {
2494     tBTM_SEC_DEV_REC  *p_dev_rec;
2495     tBTM_SEC_SERV_REC *p_serv_rec;
2496     tBTM_STATUS        rc;
2497     UINT16             security_required;
2498     BOOLEAN transport   = FALSE;/* should check PSM range in LE connection oriented L2CAP connection */
2499 
2500     BTM_TRACE_DEBUG ("%s() is_originator: %d", __func__, is_originator);
2501     /* Find or get oldest record */
2502     p_dev_rec = btm_find_or_alloc_dev (bd_addr);
2503 
2504     /* Find the service record for the PSM */
2505     p_serv_rec = btm_sec_find_mx_serv (is_originator, psm, mx_proto_id, mx_chan_id);
2506 
2507     /* If there is no application registered with this PSM do not allow connection */
2508     if (!p_serv_rec)
2509     {
2510         if (p_callback)
2511             (*p_callback) (bd_addr, transport, p_ref_data, BTM_MODE_UNSUPPORTED);
2512 
2513         BTM_TRACE_ERROR ("Security Manager: MX service not found PSM:%d Proto:%d SCN:%d",
2514                           psm, mx_proto_id, mx_chan_id);
2515         return BTM_NO_RESOURCES;
2516     }
2517 
2518     if ((btm_cb.security_mode == BTM_SEC_MODE_SC) && (!btm_sec_is_serv_level0(psm)))
2519     {
2520         security_required = btm_sec_set_serv_level4_flags (p_serv_rec->security_flags,
2521                                                            is_originator);
2522     }
2523     else
2524     {
2525         security_required = p_serv_rec->security_flags;
2526     }
2527 
2528     /* there are some devices (moto phone) which connects to several services at the same time */
2529     /* we will process one after another */
2530     if ( (p_dev_rec->p_callback) || (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) )
2531     {
2532         BTM_TRACE_EVENT ("%s() service PSM:%d Proto:%d SCN:%d delayed  state: %s", __func__,
2533                           psm, mx_proto_id, mx_chan_id, btm_pair_state_descr(btm_cb.pairing_state));
2534 
2535         rc = BTM_CMD_STARTED;
2536 
2537         if ((btm_cb.security_mode == BTM_SEC_MODE_UNDEFINED ||
2538              btm_cb.security_mode == BTM_SEC_MODE_NONE ||
2539              btm_cb.security_mode == BTM_SEC_MODE_SERVICE ||
2540              btm_cb.security_mode == BTM_SEC_MODE_LINK) ||
2541             (BTM_SM4_KNOWN == p_dev_rec->sm4) || (BTM_SEC_IS_SM4(p_dev_rec->sm4) &&
2542             (btm_sec_is_upgrade_possible(p_dev_rec, is_originator) == FALSE)))
2543         {
2544             /* legacy mode - local is legacy or local is lisbon/peer is legacy
2545              * or SM4 with no possibility of link key upgrade */
2546             if (is_originator)
2547             {
2548                 if (((security_required & BTM_SEC_OUT_FLAGS) == 0) ||
2549                     ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_AUTHENTICATE) && btm_dev_authenticated(p_dev_rec))) ||
2550                     ((((security_required & BTM_SEC_OUT_FLAGS) == (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) && btm_dev_encrypted(p_dev_rec)))
2551                     )
2552                 {
2553                     rc = BTM_SUCCESS;
2554                 }
2555             }
2556             else
2557             {
2558                 if (((security_required & BTM_SEC_IN_FLAGS) == 0) ||
2559                     ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHENTICATE) && btm_dev_authenticated(p_dev_rec))) ||
2560                     (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHORIZE) && (btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec))) ||
2561                     (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_AUTHENTICATE)) && ((btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec)) && btm_dev_authenticated(p_dev_rec))) ||
2562                     (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT)) && ((btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec))&& btm_dev_encrypted(p_dev_rec))) ||
2563                     ((((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) && btm_dev_encrypted(p_dev_rec)))
2564                     )
2565                 {
2566                     // Check for 16 digits (or MITM)
2567                     if (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == 0) ||
2568                        (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == BTM_SEC_IN_MIN_16_DIGIT_PIN) && btm_dev_16_digit_authenticated(p_dev_rec))) {
2569                         rc = BTM_SUCCESS;
2570                     }
2571                 }
2572             }
2573             if ((rc == BTM_SUCCESS) && (security_required & BTM_SEC_MODE4_LEVEL4) &&
2574                 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256))
2575             {
2576                 rc = BTM_CMD_STARTED;
2577             }
2578         }
2579 
2580         if (rc == BTM_SUCCESS)
2581         {
2582             BTM_TRACE_EVENT("%s: allow to bypass, checking authorization", __FUNCTION__);
2583             /* the security in BTM_SEC_IN_FLAGS is fullfilled so far, check the requirements in */
2584             /* btm_sec_execute_procedure */
2585             if ((is_originator && (p_serv_rec->security_flags & BTM_SEC_OUT_AUTHORIZE)) ||
2586                 (!is_originator && (p_serv_rec->security_flags & BTM_SEC_IN_AUTHORIZE)))
2587             {
2588                 BTM_TRACE_EVENT("%s: still need authorization", __FUNCTION__);
2589                 rc = BTM_CMD_STARTED;
2590             }
2591         }
2592 
2593         /* Check whether there is a pending security procedure, if so we should always queue */
2594         /* the new security request */
2595         if (p_dev_rec->sec_state != BTM_SEC_STATE_IDLE)
2596         {
2597             BTM_TRACE_EVENT("%s: There is a pending security procedure", __FUNCTION__);
2598             rc = BTM_CMD_STARTED;
2599         }
2600         if (rc == BTM_CMD_STARTED)
2601         {
2602             BTM_TRACE_EVENT("%s: call btm_sec_queue_mx_request", __FUNCTION__);
2603             btm_sec_queue_mx_request (bd_addr, psm,  is_originator, mx_proto_id,
2604                                       mx_chan_id, p_callback, p_ref_data);
2605         }
2606         else /* rc == BTM_SUCCESS */
2607         {
2608             /* access granted */
2609              if (p_callback)
2610             {
2611                 (*p_callback) (bd_addr, transport, p_ref_data, (UINT8)rc);
2612             }
2613         }
2614 
2615         BTM_TRACE_EVENT("%s: return with rc = 0x%02x in delayed state %s", __FUNCTION__, rc,
2616                           btm_pair_state_descr(btm_cb.pairing_state));
2617         return rc;
2618     }
2619 
2620     if ((!is_originator) && ((security_required & BTM_SEC_MODE4_LEVEL4) ||
2621         (btm_cb.security_mode == BTM_SEC_MODE_SC)))
2622     {
2623         BOOLEAN local_supports_sc = controller_get_interface()->supports_secure_connections();
2624         /* acceptor receives service connection establishment Request for */
2625         /* Secure Connections Only service */
2626         if (!(local_supports_sc) || !(p_dev_rec->remote_supports_secure_connections))
2627         {
2628             BTM_TRACE_DEBUG("%s: SC only service,local_support_for_sc %d,",
2629                             "remote_support_for_sc %d: fail pairing",__FUNCTION__,
2630                             local_supports_sc, p_dev_rec->remote_supports_secure_connections);
2631 
2632             if (p_callback)
2633                 (*p_callback) (bd_addr, transport, (void *)p_ref_data,
2634                                BTM_MODE4_LEVEL4_NOT_SUPPORTED);
2635 
2636             return (BTM_MODE4_LEVEL4_NOT_SUPPORTED);
2637         }
2638     }
2639 
2640     p_dev_rec->p_cur_service     = p_serv_rec;
2641     p_dev_rec->security_required = security_required;
2642 
2643     if (btm_cb.security_mode == BTM_SEC_MODE_SP ||
2644         btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
2645         btm_cb.security_mode == BTM_SEC_MODE_SC)
2646     {
2647         if (BTM_SEC_IS_SM4(p_dev_rec->sm4))
2648         {
2649             if ((p_dev_rec->security_required & BTM_SEC_MODE4_LEVEL4) &&
2650                 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256))
2651             {
2652                 /* BTM_LKEY_TYPE_AUTH_COMB_P_256 is the only acceptable key in this case */
2653                 if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) != 0)
2654                 {
2655                     p_dev_rec->sm4 |= BTM_SM4_UPGRADE;
2656                 }
2657 
2658                 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED |
2659                                           BTM_SEC_AUTHENTICATED);
2660                 BTM_TRACE_DEBUG("%s: sec_flags:0x%x", __FUNCTION__, p_dev_rec->sec_flags);
2661             }
2662             else
2663             {
2664                 /* If we already have a link key, check if that link key is good enough */
2665                 btm_sec_check_upgrade(p_dev_rec, is_originator);
2666             }
2667         }
2668     }
2669 
2670     p_dev_rec->is_originator     = is_originator;
2671     p_dev_rec->p_callback        = p_callback;
2672     p_dev_rec->p_ref_data        = p_ref_data;
2673 
2674     /* Although authentication and encryption are per connection */
2675     /* authorization is per access request.  For example when serial connection */
2676     /* is up and authorized and client requests to read file (access to other */
2677     /* scn, we need to request user's permission again. */
2678     p_dev_rec->sec_flags &= ~(BTM_SEC_AUTHORIZED);
2679 
2680     BTM_TRACE_EVENT ("%s() proto_id:%d chan_id:%d State:%d Flags:0x%x Required:0x%x Service ID:%d",
2681                       __func__, mx_proto_id, mx_chan_id, p_dev_rec->sec_state, p_dev_rec->sec_flags,
2682                       p_dev_rec->security_required, p_dev_rec->p_cur_service->service_id);
2683 
2684     if ((rc = btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED)
2685     {
2686         if (p_callback)
2687         {
2688             p_dev_rec->p_callback = NULL;
2689             (*p_callback) (bd_addr,transport, p_ref_data, (UINT8)rc);
2690         }
2691     }
2692 
2693     return rc;
2694 }
2695 
2696 /*******************************************************************************
2697 **
2698 ** Function         btm_sec_conn_req
2699 **
2700 ** Description      This function is when the peer device is requesting
2701 **                  connection
2702 **
2703 ** Returns          void
2704 **
2705 *******************************************************************************/
btm_sec_conn_req(UINT8 * bda,UINT8 * dc)2706 void btm_sec_conn_req (UINT8 *bda, UINT8 *dc)
2707 {
2708     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev (bda);
2709 
2710     /* Some device may request a connection before we are done with the HCI_Reset sequence */
2711     if (!controller_get_interface()->get_is_ready())
2712     {
2713         BTM_TRACE_EVENT ("Security Manager: connect request when device not ready");
2714         btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2715         return;
2716     }
2717 
2718     /* Security guys wants us not to allow connection from not paired devices */
2719 
2720     /* Check if connection is allowed for only paired devices */
2721     if (btm_cb.connect_only_paired)
2722     {
2723         if (!p_dev_rec || !(p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED))
2724         {
2725             BTM_TRACE_EVENT ("Security Manager: connect request from non-paired device");
2726             btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2727             return;
2728         }
2729     }
2730 
2731 #if BTM_ALLOW_CONN_IF_NONDISCOVER == FALSE
2732     /* If non-discoverable, only allow known devices to connect */
2733     if (btm_cb.btm_inq_vars.discoverable_mode == BTM_NON_DISCOVERABLE)
2734     {
2735         if (!p_dev_rec)
2736         {
2737             BTM_TRACE_EVENT ("Security Manager: connect request from not paired device");
2738             btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2739             return;
2740         }
2741     }
2742 #endif
2743 
2744     if ((btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
2745         &&(btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
2746         &&(!memcmp (btm_cb.pairing_bda, bda, BD_ADDR_LEN)))
2747     {
2748         BTM_TRACE_EVENT ("Security Manager: reject connect request from bonding device");
2749 
2750         /* incoming connection from bonding device is rejected */
2751         btm_cb.pairing_flags |= BTM_PAIR_FLAGS_REJECTED_CONNECT;
2752         btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2753         return;
2754     }
2755 
2756     /* Host is not interested or approved connection.  Save BDA and DC and */
2757     /* pass request to L2CAP */
2758     memcpy (btm_cb.connecting_bda, bda, BD_ADDR_LEN);
2759     memcpy (btm_cb.connecting_dc,  dc,  DEV_CLASS_LEN);
2760 
2761     if (l2c_link_hci_conn_req (bda))
2762     {
2763         if (!p_dev_rec)
2764         {
2765             /* accept the connection -> allocate a device record */
2766             p_dev_rec = btm_sec_alloc_dev (bda);
2767         }
2768         if (p_dev_rec)
2769         {
2770             p_dev_rec->sm4 |= BTM_SM4_CONN_PEND;
2771         }
2772     }
2773 }
2774 
2775 /*******************************************************************************
2776 **
2777 ** Function         btm_sec_bond_cancel_complete
2778 **
2779 ** Description      This function is called to report bond cancel complete
2780 **                  event.
2781 **
2782 ** Returns          void
2783 **
2784 *******************************************************************************/
btm_sec_bond_cancel_complete(void)2785 static void btm_sec_bond_cancel_complete (void)
2786 {
2787     tBTM_SEC_DEV_REC *p_dev_rec;
2788 
2789     if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE) ||
2790         (BTM_PAIR_STATE_WAIT_LOCAL_PIN == btm_cb.pairing_state &&
2791          BTM_PAIR_FLAGS_WE_STARTED_DD & btm_cb.pairing_flags) ||
2792          (btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME &&
2793           BTM_PAIR_FLAGS_WE_CANCEL_DD & btm_cb.pairing_flags))
2794     {
2795         /* for dedicated bonding in legacy mode, authentication happens at "link level"
2796          * btm_sec_connected is called with failed status.
2797          * In theory, the code that handles is_pairing_device/TRUE should clean out security related code.
2798          * However, this function may clean out the security related flags and btm_sec_connected would not know
2799          * this function also needs to do proper clean up.
2800          */
2801         if ((p_dev_rec = btm_find_dev (btm_cb.pairing_bda)) != NULL)
2802             p_dev_rec->security_required = BTM_SEC_NONE;
2803         btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
2804 
2805         /* Notify application that the cancel succeeded */
2806         if (btm_cb.api.p_bond_cancel_cmpl_callback)
2807             btm_cb.api.p_bond_cancel_cmpl_callback(BTM_SUCCESS);
2808     }
2809 }
2810 
2811 /*******************************************************************************
2812 **
2813 ** Function         btm_create_conn_cancel_complete
2814 **
2815 ** Description      This function is called when the command complete message
2816 **                  is received from the HCI for the create connection cancel
2817 **                  command.
2818 **
2819 ** Returns          void
2820 **
2821 *******************************************************************************/
btm_create_conn_cancel_complete(UINT8 * p)2822 void btm_create_conn_cancel_complete (UINT8 *p)
2823 {
2824     UINT8       status;
2825 
2826     STREAM_TO_UINT8 (status, p);
2827     BTM_TRACE_EVENT ("btm_create_conn_cancel_complete(): in State: %s  status:%d",
2828                       btm_pair_state_descr(btm_cb.pairing_state), status);
2829 
2830     /* if the create conn cancel cmd was issued by the bond cancel,
2831     ** the application needs to be notified that bond cancel succeeded
2832     */
2833     switch (status)
2834     {
2835         case HCI_SUCCESS:
2836             btm_sec_bond_cancel_complete();
2837             break;
2838         case HCI_ERR_CONNECTION_EXISTS:
2839         case HCI_ERR_NO_CONNECTION:
2840         default:
2841             /* Notify application of the error */
2842             if (btm_cb.api.p_bond_cancel_cmpl_callback)
2843                 btm_cb.api.p_bond_cancel_cmpl_callback(BTM_ERR_PROCESSING);
2844             break;
2845     }
2846 }
2847 
2848 /*******************************************************************************
2849 **
2850 ** Function         btm_sec_check_pending_reqs
2851 **
2852 ** Description      This function is called at the end of the security procedure
2853 **                  to let L2CAP and RFCOMM know to re-submit any pending requests
2854 **
2855 ** Returns          void
2856 **
2857 *******************************************************************************/
btm_sec_check_pending_reqs(void)2858 void btm_sec_check_pending_reqs (void)
2859 {
2860     if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
2861     {
2862         /* First, resubmit L2CAP requests */
2863         if (btm_cb.sec_req_pending)
2864         {
2865             btm_cb.sec_req_pending = FALSE;
2866             l2cu_resubmit_pending_sec_req (NULL);
2867         }
2868 
2869         /* Now, re-submit anything in the mux queue */
2870         fixed_queue_t *bq = btm_cb.sec_pending_q;
2871 
2872         btm_cb.sec_pending_q = fixed_queue_new(SIZE_MAX);
2873 
2874         tBTM_SEC_QUEUE_ENTRY *p_e;
2875         while ((p_e = (tBTM_SEC_QUEUE_ENTRY *)fixed_queue_try_dequeue(bq)) != NULL)
2876         {
2877             /* Check that the ACL is still up before starting security procedures */
2878             if (btm_bda_to_acl(p_e->bd_addr, p_e->transport) != NULL)
2879             {
2880                 if (p_e->psm != 0)
2881                 {
2882                     BTM_TRACE_EVENT("%s PSM:0x%04x Is_Orig:%u mx_proto_id:%u mx_chan_id:%u",
2883                                     __FUNCTION__, p_e->psm, p_e->is_orig,
2884                                     p_e->mx_proto_id, p_e->mx_chan_id);
2885 
2886                     btm_sec_mx_access_request (p_e->bd_addr, p_e->psm, p_e->is_orig,
2887                                            p_e->mx_proto_id, p_e->mx_chan_id,
2888                                            p_e->p_callback, p_e->p_ref_data);
2889                 }
2890                 else
2891                 {
2892                     BTM_SetEncryption(p_e->bd_addr, p_e->transport, p_e->p_callback,
2893                                       p_e->p_ref_data, p_e->sec_act);
2894                 }
2895             }
2896 
2897             osi_free(p_e);
2898         }
2899         fixed_queue_free(bq, NULL);
2900     }
2901 }
2902 
2903 /*******************************************************************************
2904 **
2905 ** Function         btm_sec_init
2906 **
2907 ** Description      This function is on the SEC startup
2908 **
2909 ** Returns          void
2910 **
2911 *******************************************************************************/
btm_sec_init(UINT8 sec_mode)2912 void btm_sec_init (UINT8 sec_mode)
2913 {
2914     btm_cb.security_mode = sec_mode;
2915     memset (btm_cb.pairing_bda, 0xff, BD_ADDR_LEN);
2916     btm_cb.max_collision_delay = BTM_SEC_MAX_COLLISION_DELAY;
2917 }
2918 
2919 /*******************************************************************************
2920 **
2921 ** Function         btm_sec_device_down
2922 **
2923 ** Description      This function should be called when device is disabled or
2924 **                  turned off
2925 **
2926 ** Returns          void
2927 **
2928 *******************************************************************************/
btm_sec_device_down(void)2929 void btm_sec_device_down (void)
2930 {
2931     BTM_TRACE_EVENT ("%s() State: %s", __func__, btm_pair_state_descr(btm_cb.pairing_state));
2932     btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
2933 }
2934 
2935 /*******************************************************************************
2936 **
2937 ** Function         btm_sec_dev_reset
2938 **
2939 ** Description      This function should be called after device reset
2940 **
2941 ** Returns          void
2942 **
2943 *******************************************************************************/
btm_sec_dev_reset(void)2944 void btm_sec_dev_reset (void)
2945 {
2946     if (controller_get_interface()->supports_simple_pairing())
2947     {
2948         /* set the default IO capabilities */
2949         btm_cb.devcb.loc_io_caps = BTM_LOCAL_IO_CAPS;
2950         /* add mx service to use no security */
2951         BTM_SetSecurityLevel(FALSE, "RFC_MUX", BTM_SEC_SERVICE_RFC_MUX,
2952                              BTM_SEC_NONE, BT_PSM_RFCOMM, BTM_SEC_PROTO_RFCOMM, 0);
2953     }
2954     else
2955     {
2956         btm_cb.security_mode = BTM_SEC_MODE_SERVICE;
2957     }
2958 
2959     BTM_TRACE_DEBUG ("btm_sec_dev_reset sec mode: %d", btm_cb.security_mode);
2960 }
2961 
2962 /*******************************************************************************
2963 **
2964 ** Function         btm_sec_abort_access_req
2965 **
2966 ** Description      This function is called by the L2CAP or RFCOMM to abort
2967 **                  the pending operation.
2968 **
2969 ** Parameters:      bd_addr       - Address of the peer device
2970 **
2971 ** Returns          void
2972 **
2973 *******************************************************************************/
btm_sec_abort_access_req(BD_ADDR bd_addr)2974 void btm_sec_abort_access_req (BD_ADDR bd_addr)
2975 {
2976     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev (bd_addr);
2977 
2978     if (!p_dev_rec)
2979         return;
2980 
2981     if ((p_dev_rec->sec_state != BTM_SEC_STATE_AUTHORIZING)
2982         && (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING))
2983         return;
2984 
2985     p_dev_rec->sec_state  = BTM_SEC_STATE_IDLE;
2986     p_dev_rec->p_callback = NULL;
2987 }
2988 
2989 /*******************************************************************************
2990 **
2991 ** Function         btm_sec_dd_create_conn
2992 **
2993 ** Description      This function is called to create the ACL connection for
2994 **                  the dedicated boding process
2995 **
2996 ** Returns          void
2997 **
2998 *******************************************************************************/
btm_sec_dd_create_conn(tBTM_SEC_DEV_REC * p_dev_rec)2999 static tBTM_STATUS btm_sec_dd_create_conn (tBTM_SEC_DEV_REC *p_dev_rec)
3000 {
3001     tL2C_LCB *p_lcb = l2cu_find_lcb_by_bd_addr(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR);
3002     if (p_lcb && (p_lcb->link_state == LST_CONNECTED || p_lcb->link_state == LST_CONNECTING))
3003     {
3004        BTM_TRACE_WARNING("%s Connection already exists", __func__);
3005        return BTM_CMD_STARTED;
3006     }
3007 
3008     /* Make sure an L2cap link control block is available */
3009     if (!p_lcb && (p_lcb = l2cu_allocate_lcb (p_dev_rec->bd_addr, TRUE, BT_TRANSPORT_BR_EDR)) == NULL)
3010     {
3011         BTM_TRACE_WARNING ("Security Manager: failed allocate LCB [%02x%02x%02x%02x%02x%02x]",
3012                             p_dev_rec->bd_addr[0], p_dev_rec->bd_addr[1], p_dev_rec->bd_addr[2],
3013                             p_dev_rec->bd_addr[3], p_dev_rec->bd_addr[4], p_dev_rec->bd_addr[5]);
3014 
3015         return(BTM_NO_RESOURCES);
3016     }
3017 
3018     /* set up the control block to indicated dedicated bonding */
3019     btm_cb.pairing_flags |= BTM_PAIR_FLAGS_DISC_WHEN_DONE;
3020 
3021     if (l2cu_create_conn(p_lcb, BT_TRANSPORT_BR_EDR) == FALSE)
3022     {
3023         BTM_TRACE_WARNING ("Security Manager: failed create  [%02x%02x%02x%02x%02x%02x]",
3024                             p_dev_rec->bd_addr[0], p_dev_rec->bd_addr[1], p_dev_rec->bd_addr[2],
3025                             p_dev_rec->bd_addr[3], p_dev_rec->bd_addr[4], p_dev_rec->bd_addr[5]);
3026 
3027         l2cu_release_lcb(p_lcb);
3028         return(BTM_NO_RESOURCES);
3029     }
3030 
3031     btm_acl_update_busy_level (BTM_BLI_PAGE_EVT);
3032 
3033     BTM_TRACE_DEBUG ("Security Manager: btm_sec_dd_create_conn [%02x%02x%02x%02x%02x%02x]",
3034                       p_dev_rec->bd_addr[0], p_dev_rec->bd_addr[1], p_dev_rec->bd_addr[2],
3035                       p_dev_rec->bd_addr[3], p_dev_rec->bd_addr[4], p_dev_rec->bd_addr[5]);
3036 
3037     btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
3038 
3039     return(BTM_CMD_STARTED);
3040 }
3041 
3042 
is_state_getting_name(void * data,void * context)3043 bool is_state_getting_name(void *data, void *context)
3044 {
3045     tBTM_SEC_DEV_REC *p_dev_rec = data;
3046 
3047     if (p_dev_rec->sec_state == BTM_SEC_STATE_GETTING_NAME) {
3048         return false;
3049     }
3050     return true;
3051 }
3052 
3053 /*******************************************************************************
3054 **
3055 ** Function         btm_sec_rmt_name_request_complete
3056 *
3057 ** Description      This function is called when remote name was obtained from
3058 **                  the peer device
3059 **
3060 ** Returns          void
3061 **
3062 *******************************************************************************/
btm_sec_rmt_name_request_complete(UINT8 * p_bd_addr,UINT8 * p_bd_name,UINT8 status)3063 void btm_sec_rmt_name_request_complete (UINT8 *p_bd_addr, UINT8 *p_bd_name, UINT8 status)
3064 {
3065     tBTM_SEC_DEV_REC *p_dev_rec;
3066     int              i;
3067     DEV_CLASS        dev_class;
3068     UINT8            old_sec_state;
3069 
3070     BTM_TRACE_EVENT ("btm_sec_rmt_name_request_complete");
3071     if (((p_bd_addr == NULL) && !BTM_ACL_IS_CONNECTED(btm_cb.connecting_bda))
3072         || ((p_bd_addr != NULL) && !BTM_ACL_IS_CONNECTED(p_bd_addr)))
3073     {
3074         btm_acl_resubmit_page();
3075     }
3076 
3077     /* If remote name request failed, p_bd_addr is null and we need to search */
3078     /* based on state assuming that we are doing 1 at a time */
3079     if (p_bd_addr)
3080         p_dev_rec = btm_find_dev (p_bd_addr);
3081     else
3082     {
3083         list_node_t *node = list_foreach(btm_cb.sec_dev_rec, is_state_getting_name, NULL);
3084         if (node != NULL) {
3085             p_dev_rec = list_node(node);
3086             p_bd_addr = p_dev_rec->bd_addr;
3087         } else {
3088             p_dev_rec = NULL;
3089         }
3090     }
3091 
3092     /* Commenting out trace due to obf/compilation problems.
3093     */
3094 #if (BT_USE_TRACES == TRUE)
3095     if (!p_bd_name)
3096         p_bd_name = (UINT8 *)"";
3097 
3098     if (p_dev_rec)
3099     {
3100         BTM_TRACE_EVENT ("%s PairState: %s  RemName: %s  status: %d State:%d  p_dev_rec: 0x%08x ", __func__,
3101                           btm_pair_state_descr (btm_cb.pairing_state), p_bd_name,
3102                           status, p_dev_rec->sec_state, p_dev_rec);
3103     } else {
3104         BTM_TRACE_EVENT ("%s PairState: %s  RemName: %s  status: %d", __func__,
3105                           btm_pair_state_descr (btm_cb.pairing_state), p_bd_name,
3106                           status);
3107     }
3108 #endif
3109 
3110     if (p_dev_rec)
3111     {
3112         old_sec_state = p_dev_rec->sec_state;
3113         if (status == HCI_SUCCESS)
3114         {
3115             strlcpy((char *)p_dev_rec->sec_bd_name, (char *)p_bd_name, BTM_MAX_REM_BD_NAME_LEN);
3116             p_dev_rec->sec_flags |= BTM_SEC_NAME_KNOWN;
3117             BTM_TRACE_EVENT ("setting BTM_SEC_NAME_KNOWN sec_flags:0x%x", p_dev_rec->sec_flags);
3118         }
3119         else
3120         {
3121             /* Notify all clients waiting for name to be resolved even if it failed so clients can continue */
3122             p_dev_rec->sec_bd_name[0] = 0;
3123         }
3124 
3125         if (p_dev_rec->sec_state == BTM_SEC_STATE_GETTING_NAME)
3126             p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
3127 
3128         /* Notify all clients waiting for name to be resolved */
3129         for (i = 0;i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
3130         {
3131             if (btm_cb.p_rmt_name_callback[i] && p_bd_addr)
3132                 (*btm_cb.p_rmt_name_callback[i])(p_bd_addr, p_dev_rec->dev_class,
3133                                                  p_dev_rec->sec_bd_name);
3134         }
3135     } else {
3136         dev_class[0] = 0;
3137         dev_class[1] = 0;
3138         dev_class[2] = 0;
3139 
3140         /* Notify all clients waiting for name to be resolved even if not found so clients can continue */
3141         for (i = 0;i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
3142         {
3143             if (btm_cb.p_rmt_name_callback[i] && p_bd_addr)
3144                 (*btm_cb.p_rmt_name_callback[i])(p_bd_addr, dev_class, (UINT8 *)"");
3145         }
3146 
3147         return;
3148     }
3149 
3150     /* If we were delaying asking UI for a PIN because name was not resolved, ask now */
3151     if ( (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_LOCAL_PIN) && p_bd_addr
3152          &&  (memcmp (btm_cb.pairing_bda, p_bd_addr, BD_ADDR_LEN) == 0) )
3153     {
3154         BTM_TRACE_EVENT ("%s() delayed pin now being requested flags:0x%x, (p_pin_callback=0x%p)",
3155             __func__, btm_cb.pairing_flags, btm_cb.api.p_pin_callback);
3156 
3157         if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PIN_REQD) == 0 && btm_cb.api.p_pin_callback)
3158         {
3159             BTM_TRACE_EVENT ("%s() calling pin_callback", __func__);
3160             btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
3161             (*btm_cb.api.p_pin_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class, p_bd_name,
3162                     (p_dev_rec->p_cur_service==NULL) ? FALSE
3163                      : (p_dev_rec->p_cur_service->security_flags & BTM_SEC_IN_MIN_16_DIGIT_PIN));
3164         }
3165 
3166         /* Set the same state again to force the timer to be restarted */
3167         btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_PIN);
3168         return;
3169     }
3170 
3171     /* Check if we were delaying bonding because name was not resolved */
3172     if ( btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME)
3173     {
3174         if (p_bd_addr && memcmp (btm_cb.pairing_bda, p_bd_addr, BD_ADDR_LEN) == 0)
3175         {
3176             BTM_TRACE_EVENT ("%s() continue bonding sm4: 0x%04x, status:0x%x", __func__, p_dev_rec->sm4, status);
3177             if(btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_CANCEL_DD)
3178             {
3179                 btm_sec_bond_cancel_complete();
3180                 return;
3181             }
3182 
3183             if (status != HCI_SUCCESS)
3184             {
3185                 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
3186 
3187                 if (btm_cb.api.p_auth_complete_callback)
3188                     (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,  p_dev_rec->dev_class,
3189                                                             p_dev_rec->sec_bd_name, status);
3190                 return;
3191             }
3192 
3193             /* if peer is very old legacy devices, HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT is not reported */
3194             if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4))
3195             {
3196                 /* set the KNOWN flag only if BTM_PAIR_FLAGS_REJECTED_CONNECT is not set.*/
3197                 /* If it is set, there may be a race condition */
3198                 BTM_TRACE_DEBUG ("%s IS_SM4_UNKNOWN Flags:0x%04x", __func__,
3199                                    btm_cb.pairing_flags);
3200                 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT) == 0)
3201                     p_dev_rec->sm4 |= BTM_SM4_KNOWN;
3202             }
3203 
3204             BTM_TRACE_DEBUG("%s, SM4 Value: %x, Legacy:%d,IS SM4:%d, Unknown:%d",__FUNCTION__,
3205                 p_dev_rec->sm4, BTM_SEC_IS_SM4_LEGACY(p_dev_rec->sm4),
3206                 BTM_SEC_IS_SM4(p_dev_rec->sm4),BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4));
3207 
3208             /* BT 2.1 or carkit, bring up the connection to force the peer to request PIN.
3209             ** Else prefetch (btm_sec_check_prefetch_pin will do the prefetching if needed)
3210             */
3211             if ((p_dev_rec->sm4 != BTM_SM4_KNOWN) || !btm_sec_check_prefetch_pin(p_dev_rec))
3212             {
3213                 /* if we rejected incoming connection request, we have to wait HCI_Connection_Complete event */
3214                 /*  before originating  */
3215                 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT)
3216                 {
3217                     BTM_TRACE_WARNING ("%s: waiting HCI_Connection_Complete after rejecting connection", __func__);
3218                 }
3219                 /* Both we and the peer are 2.1 - continue to create connection */
3220                 else if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED)
3221                 {
3222                     BTM_TRACE_WARNING ("%s: failed to start connection", __func__);
3223 
3224                     btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
3225 
3226                     if (btm_cb.api.p_auth_complete_callback)
3227                     (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,  p_dev_rec->dev_class,
3228                                                             p_dev_rec->sec_bd_name, HCI_ERR_MEMORY_FULL);
3229                 }
3230             }
3231             return;
3232         } else {
3233             BTM_TRACE_WARNING ("%s: wrong BDA, retry with pairing BDA", __func__);
3234             BTM_ReadRemoteDeviceName (btm_cb.pairing_bda, NULL, BT_TRANSPORT_BR_EDR);
3235             return;
3236         }
3237     }
3238 
3239     /* check if we were delaying link_key_callback because name was not resolved */
3240     if (p_dev_rec->link_key_not_sent)
3241     {
3242         /* If HCI connection complete has not arrived, wait for it */
3243         if (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE)
3244             return;
3245 
3246         p_dev_rec->link_key_not_sent = FALSE;
3247         btm_send_link_key_notif(p_dev_rec);
3248 
3249         /* If its not us who perform authentication, we should tell stackserver */
3250         /* that some authentication has been completed                          */
3251         /* This is required when different entities receive link notification and auth complete */
3252         if (!(p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE))
3253         {
3254             if (btm_cb.api.p_auth_complete_callback)
3255                 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
3256                                                         p_dev_rec->dev_class,
3257                                                         p_dev_rec->sec_bd_name, HCI_SUCCESS);
3258 
3259         }
3260     }
3261 
3262     /* If this is a bonding procedure can disconnect the link now */
3263     if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
3264         && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))
3265     {
3266         BTM_TRACE_WARNING ("btm_sec_rmt_name_request_complete (none/ce)");
3267         p_dev_rec->security_required &= ~(BTM_SEC_OUT_AUTHENTICATE);
3268         l2cu_start_post_bond_timer(p_dev_rec->hci_handle);
3269         return;
3270     }
3271 
3272     if (old_sec_state != BTM_SEC_STATE_GETTING_NAME)
3273         return;
3274 
3275     /* If get name failed, notify the waiting layer */
3276     if (status != HCI_SUCCESS)
3277     {
3278         btm_sec_dev_rec_cback_event  (p_dev_rec, BTM_ERR_PROCESSING, FALSE);
3279         return;
3280     }
3281 
3282     if (p_dev_rec->sm4 & BTM_SM4_REQ_PEND)
3283     {
3284         BTM_TRACE_EVENT ("waiting for remote features!!");
3285         return;
3286     }
3287 
3288     /* Remote Name succeeded, execute the next security procedure, if any */
3289     status = (UINT8)btm_sec_execute_procedure (p_dev_rec);
3290 
3291     /* If result is pending reply from the user or from the device is pending */
3292     if (status == BTM_CMD_STARTED)
3293         return;
3294 
3295     /* There is no next procedure or start of procedure failed, notify the waiting layer */
3296     btm_sec_dev_rec_cback_event  (p_dev_rec, status, FALSE);
3297 }
3298 
3299 /*******************************************************************************
3300 **
3301 ** Function         btm_sec_rmt_host_support_feat_evt
3302 **
3303 ** Description      This function is called when the
3304 **                  HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT is received
3305 **
3306 ** Returns          void
3307 **
3308 *******************************************************************************/
btm_sec_rmt_host_support_feat_evt(UINT8 * p)3309 void btm_sec_rmt_host_support_feat_evt (UINT8 *p)
3310 {
3311     tBTM_SEC_DEV_REC *p_dev_rec;
3312     BD_ADDR         bd_addr;        /* peer address */
3313     BD_FEATURES     features;
3314 
3315     STREAM_TO_BDADDR (bd_addr, p);
3316     p_dev_rec = btm_find_or_alloc_dev (bd_addr);
3317 
3318     BTM_TRACE_EVENT ("btm_sec_rmt_host_support_feat_evt  sm4: 0x%x  p[0]: 0x%x", p_dev_rec->sm4, p[0]);
3319 
3320     if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4))
3321     {
3322         p_dev_rec->sm4 = BTM_SM4_KNOWN;
3323         STREAM_TO_ARRAY(features, p, HCI_FEATURE_BYTES_PER_PAGE);
3324         if (HCI_SSP_HOST_SUPPORTED(features))
3325         {
3326             p_dev_rec->sm4 = BTM_SM4_TRUE;
3327         }
3328         BTM_TRACE_EVENT ("btm_sec_rmt_host_support_feat_evt sm4: 0x%x features[0]: 0x%x", p_dev_rec->sm4, features[0]);
3329     }
3330 }
3331 
3332 /*******************************************************************************
3333 **
3334 ** Function         btm_io_capabilities_req
3335 **
3336 ** Description      This function is called when LM request for the IO
3337 **                  capability of the local device and
3338 **                  if the OOB data is present for the device in the event
3339 **
3340 ** Returns          void
3341 **
3342 *******************************************************************************/
btm_io_capabilities_req(UINT8 * p)3343 void btm_io_capabilities_req (UINT8 *p)
3344 {
3345     tBTM_SP_IO_REQ  evt_data;
3346     UINT8           err_code = 0;
3347     tBTM_SEC_DEV_REC *p_dev_rec;
3348     BOOLEAN         is_orig = TRUE;
3349     UINT8           callback_rc = BTM_SUCCESS;
3350 
3351     STREAM_TO_BDADDR (evt_data.bd_addr, p);
3352 
3353     /* setup the default response according to compile options */
3354     /* assume that the local IO capability does not change
3355      * loc_io_caps is initialized with the default value */
3356     evt_data.io_cap = btm_cb.devcb.loc_io_caps;
3357     evt_data.oob_data = BTM_OOB_NONE;
3358     evt_data.auth_req = BTM_DEFAULT_AUTH_REQ;
3359 
3360     BTM_TRACE_EVENT("%s: State: %s", __FUNCTION__, btm_pair_state_descr(btm_cb.pairing_state));
3361 
3362     p_dev_rec = btm_find_or_alloc_dev (evt_data.bd_addr);
3363 
3364     BTM_TRACE_DEBUG("%s:Security mode: %d, Num Read Remote Feat pages: %d", __FUNCTION__,
3365                       btm_cb.security_mode, p_dev_rec->num_read_pages);
3366 
3367     if ((btm_cb.security_mode == BTM_SEC_MODE_SC) && (p_dev_rec->num_read_pages == 0))
3368     {
3369         BTM_TRACE_EVENT("%s: Device security mode is SC only.",
3370                          "To continue need to know remote features.", __FUNCTION__);
3371 
3372         p_dev_rec->remote_features_needed = TRUE;
3373         return;
3374     }
3375 
3376     p_dev_rec->sm4 |= BTM_SM4_TRUE;
3377 
3378     BTM_TRACE_EVENT("%s: State: %s  Flags: 0x%04x  p_cur_service: 0x%08x",
3379                      __FUNCTION__, btm_pair_state_descr(btm_cb.pairing_state),
3380                      btm_cb.pairing_flags, p_dev_rec->p_cur_service);
3381 
3382     if (p_dev_rec->p_cur_service)
3383     {
3384         BTM_TRACE_EVENT("%s: cur_service psm: 0x%04x, security_flags: 0x%04x",
3385                          __FUNCTION__, p_dev_rec->p_cur_service->psm,
3386                          p_dev_rec->p_cur_service->security_flags);
3387     }
3388 
3389     switch (btm_cb.pairing_state)
3390     {
3391         /* initiator connecting */
3392         case BTM_PAIR_STATE_IDLE:
3393             //TODO: Handle Idle pairing state
3394             //security_required = p_dev_rec->security_required;
3395             break;
3396 
3397         /* received IO capability response already->acceptor */
3398         case BTM_PAIR_STATE_INCOMING_SSP:
3399             is_orig = FALSE;
3400 
3401             if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_PEER_STARTED_DD)
3402             {
3403                 /* acceptor in dedicated bonding */
3404                 evt_data.auth_req = BTM_DEFAULT_DD_AUTH_REQ;
3405             }
3406             break;
3407 
3408         /* initiator, at this point it is expected to be dedicated bonding
3409         initiated by local device */
3410         case BTM_PAIR_STATE_WAIT_PIN_REQ:
3411             if (!memcmp (evt_data.bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN))
3412             {
3413                 evt_data.auth_req = BTM_DEFAULT_DD_AUTH_REQ;
3414             }
3415             else
3416             {
3417                 err_code = HCI_ERR_HOST_BUSY_PAIRING;
3418             }
3419             break;
3420 
3421         /* any other state is unexpected */
3422         default:
3423             err_code = HCI_ERR_HOST_BUSY_PAIRING;
3424             BTM_TRACE_ERROR("%s: Unexpected Pairing state received %d", __FUNCTION__,
3425                              btm_cb.pairing_state);
3426             break;
3427     }
3428 
3429     if (btm_cb.pairing_disabled)
3430     {
3431         /* pairing is not allowed */
3432         BTM_TRACE_DEBUG("%s: Pairing is not allowed -> fail pairing.", __FUNCTION__);
3433         err_code = HCI_ERR_PAIRING_NOT_ALLOWED;
3434     }
3435     else if (btm_cb.security_mode == BTM_SEC_MODE_SC)
3436     {
3437         BOOLEAN local_supports_sc = controller_get_interface()->supports_secure_connections();
3438         /* device in Secure Connections Only mode */
3439         if (!(local_supports_sc) || !(p_dev_rec->remote_supports_secure_connections))
3440         {
3441             BTM_TRACE_DEBUG("%s: SC only service, local_support_for_sc %d,",
3442                             " remote_support_for_sc 0x%02x -> fail pairing", __FUNCTION__,
3443                             local_supports_sc, p_dev_rec->remote_supports_secure_connections);
3444 
3445             err_code = HCI_ERR_PAIRING_NOT_ALLOWED;
3446         }
3447     }
3448 
3449     if (err_code != 0)
3450     {
3451 /* coverity[uninit_use_in_call]
3452 Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp"
3453 False-positive: evt_data.bd_addr is set at the beginning with:     STREAM_TO_BDADDR (evt_data.bd_addr, p);
3454 */
3455         btsnd_hcic_io_cap_req_neg_reply(evt_data.bd_addr, err_code);
3456         return;
3457     }
3458 
3459     evt_data.is_orig = is_orig;
3460 
3461     if (is_orig)
3462     {
3463         /* local device initiated the pairing non-bonding -> use p_cur_service */
3464         if (!(btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) &&
3465             p_dev_rec->p_cur_service &&
3466             (p_dev_rec->p_cur_service->security_flags & BTM_SEC_OUT_AUTHENTICATE))
3467         {
3468             if (btm_cb.security_mode == BTM_SEC_MODE_SC)
3469             {
3470                 /* SC only mode device requires MITM protection */
3471                 evt_data.auth_req = BTM_AUTH_SP_YES;
3472             }
3473             else
3474             {
3475                 evt_data.auth_req = (p_dev_rec->p_cur_service->security_flags &
3476                                      BTM_SEC_OUT_MITM)? BTM_AUTH_SP_YES : BTM_AUTH_SP_NO;
3477             }
3478         }
3479     }
3480 
3481     /* Notify L2CAP to increase timeout */
3482     l2c_pin_code_request (evt_data.bd_addr);
3483 
3484     memcpy (btm_cb.pairing_bda, evt_data.bd_addr, BD_ADDR_LEN);
3485 
3486 /* coverity[uninit_use_in_call]
3487 Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp"
3488 False-positive: False-positive: evt_data.bd_addr is set at the beginning with:     STREAM_TO_BDADDR (evt_data.bd_addr, p);
3489 */
3490     if (!memcmp (evt_data.bd_addr, btm_cb.connecting_bda, BD_ADDR_LEN))
3491         memcpy (p_dev_rec->dev_class, btm_cb.connecting_dc, DEV_CLASS_LEN);
3492 
3493     btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS);
3494 
3495     callback_rc = BTM_SUCCESS;
3496     if (p_dev_rec->sm4 & BTM_SM4_UPGRADE)
3497     {
3498         p_dev_rec->sm4 &= ~BTM_SM4_UPGRADE;
3499 
3500         /* link key upgrade: always use SPGB_YES - assuming we want to save the link key */
3501         evt_data.auth_req = BTM_AUTH_SPGB_YES;
3502     }
3503     else if (btm_cb.api.p_sp_callback)
3504     {
3505         /* the callback function implementation may change the IO capability... */
3506         callback_rc = (*btm_cb.api.p_sp_callback) (BTM_SP_IO_REQ_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3507     }
3508 
3509     if ((callback_rc == BTM_SUCCESS) || (BTM_OOB_UNKNOWN != evt_data.oob_data))
3510     {
3511         if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD))
3512         {
3513             evt_data.auth_req = (BTM_AUTH_DD_BOND | (evt_data.auth_req & BTM_AUTH_YN_BIT));
3514         }
3515 
3516         if (btm_cb.security_mode == BTM_SEC_MODE_SC)
3517         {
3518             /* At this moment we know that both sides are SC capable, device in */
3519             /* SC only mode requires MITM for any service so let's set MITM bit */
3520             evt_data.auth_req |= BTM_AUTH_YN_BIT;
3521             BTM_TRACE_DEBUG("%s: for device in \"SC only\" mode set auth_req to 0x%02x",
3522                              __FUNCTION__, evt_data.auth_req);
3523         }
3524 
3525         /* if the user does not indicate "reply later" by setting the oob_data to unknown */
3526         /* send the response right now. Save the current IO capability in the control block */
3527         btm_cb.devcb.loc_auth_req   = evt_data.auth_req;
3528         btm_cb.devcb.loc_io_caps    = evt_data.io_cap;
3529 
3530         BTM_TRACE_EVENT("%s: State: %s  IO_CAP:%d oob_data:%d auth_req:%d",
3531                          __FUNCTION__, btm_pair_state_descr(btm_cb.pairing_state), evt_data.io_cap,
3532                          evt_data.oob_data, evt_data.auth_req);
3533 
3534         btsnd_hcic_io_cap_req_reply(evt_data.bd_addr, evt_data.io_cap,
3535                                     evt_data.oob_data, evt_data.auth_req);
3536     }
3537 }
3538 
3539 /*******************************************************************************
3540 **
3541 ** Function         btm_io_capabilities_rsp
3542 **
3543 ** Description      This function is called when the IO capability of the
3544 **                  specified device is received
3545 **
3546 ** Returns          void
3547 **
3548 *******************************************************************************/
btm_io_capabilities_rsp(UINT8 * p)3549 void btm_io_capabilities_rsp (UINT8 *p)
3550 {
3551     tBTM_SEC_DEV_REC *p_dev_rec;
3552     tBTM_SP_IO_RSP evt_data;
3553 
3554     STREAM_TO_BDADDR (evt_data.bd_addr, p);
3555     STREAM_TO_UINT8 (evt_data.io_cap, p);
3556     STREAM_TO_UINT8 (evt_data.oob_data, p);
3557     STREAM_TO_UINT8 (evt_data.auth_req, p);
3558 
3559     /* Allocate a new device record or reuse the oldest one */
3560     p_dev_rec = btm_find_or_alloc_dev (evt_data.bd_addr);
3561 
3562     /* If no security is in progress, this indicates incoming security */
3563     if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
3564     {
3565         memcpy (btm_cb.pairing_bda, evt_data.bd_addr, BD_ADDR_LEN);
3566 
3567         btm_sec_change_pairing_state (BTM_PAIR_STATE_INCOMING_SSP);
3568 
3569         /* Make sure we reset the trusted mask to help against attacks */
3570         BTM_SEC_CLR_TRUSTED_DEVICE(p_dev_rec->trusted_mask);
3571 
3572         /* work around for FW bug */
3573         btm_inq_stop_on_ssp();
3574     }
3575 
3576     /* Notify L2CAP to increase timeout */
3577     l2c_pin_code_request (evt_data.bd_addr);
3578 
3579     /* We must have a device record here.
3580      * Use the connecting device's CoD for the connection */
3581 /* coverity[uninit_use_in_call]
3582 Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp"
3583 FALSE-POSITIVE error from Coverity test-tool. evt_data.bd_addr is set at the beginning with:     STREAM_TO_BDADDR (evt_data.bd_addr, p);
3584 */
3585     if (!memcmp (evt_data.bd_addr, btm_cb.connecting_bda, BD_ADDR_LEN))
3586         memcpy (p_dev_rec->dev_class, btm_cb.connecting_dc, DEV_CLASS_LEN);
3587 
3588     /* peer sets dedicated bonding bit and we did not initiate dedicated bonding */
3589     if (btm_cb.pairing_state == BTM_PAIR_STATE_INCOMING_SSP /* peer initiated bonding */
3590         && (evt_data.auth_req & BTM_AUTH_DD_BOND) )            /* and dedicated bonding bit is set */
3591     {
3592         btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PEER_STARTED_DD;
3593     }
3594 
3595     /* save the IO capability in the device record */
3596     p_dev_rec->rmt_io_caps  = evt_data.io_cap;
3597     p_dev_rec->rmt_auth_req = evt_data.auth_req;
3598 
3599     if (btm_cb.api.p_sp_callback)
3600         (*btm_cb.api.p_sp_callback) (BTM_SP_IO_RSP_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3601 }
3602 
3603 /*******************************************************************************
3604 **
3605 ** Function         btm_proc_sp_req_evt
3606 **
3607 ** Description      This function is called to process/report
3608 **                  HCI_USER_CONFIRMATION_REQUEST_EVT
3609 **                  or HCI_USER_PASSKEY_REQUEST_EVT
3610 **                  or HCI_USER_PASSKEY_NOTIFY_EVT
3611 **
3612 ** Returns          void
3613 **
3614 *******************************************************************************/
btm_proc_sp_req_evt(tBTM_SP_EVT event,UINT8 * p)3615 void btm_proc_sp_req_evt (tBTM_SP_EVT event, UINT8 *p)
3616 {
3617     tBTM_STATUS status = BTM_ERR_PROCESSING;
3618     tBTM_SP_EVT_DATA evt_data;
3619     UINT8               *p_bda = evt_data.cfm_req.bd_addr;
3620     tBTM_SEC_DEV_REC *p_dev_rec;
3621 
3622     /* All events start with bd_addr */
3623     STREAM_TO_BDADDR (p_bda, p);
3624 
3625     BTM_TRACE_EVENT ("btm_proc_sp_req_evt() BDA: %08x%04x event: 0x%x, State: %s",
3626                       (p_bda[0]<<24) + (p_bda[1]<<16) + (p_bda[2]<<8) + p_bda[3], (p_bda[4] << 8) + p_bda[5],
3627                       event, btm_pair_state_descr(btm_cb.pairing_state));
3628 
3629     if ( ((p_dev_rec = btm_find_dev (p_bda)) != NULL)
3630          &&  (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
3631          &&  (memcmp (btm_cb.pairing_bda, p_bda, BD_ADDR_LEN) == 0) )
3632     {
3633         memcpy (evt_data.cfm_req.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
3634         memcpy (evt_data.cfm_req.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN);
3635 
3636         strlcpy((char *)evt_data.cfm_req.bd_name, (char *)p_dev_rec->sec_bd_name, BTM_MAX_REM_BD_NAME_LEN);
3637 
3638         switch (event)
3639         {
3640             case BTM_SP_CFM_REQ_EVT:
3641                 /* Numeric confirmation. Need user to conf the passkey */
3642                 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM);
3643 
3644                 /* The device record must be allocated in the "IO cap exchange" step */
3645                 STREAM_TO_UINT32 (evt_data.cfm_req.num_val, p);
3646 
3647                 evt_data.cfm_req.just_works = TRUE;
3648 
3649                 /* process user confirm req in association with the auth_req param */
3650 #if (BTM_LOCAL_IO_CAPS == BTM_IO_CAP_IO)
3651                 if ( (p_dev_rec->rmt_io_caps == BTM_IO_CAP_IO)
3652                      &&  (btm_cb.devcb.loc_io_caps == BTM_IO_CAP_IO)
3653                      &&  ((p_dev_rec->rmt_auth_req & BTM_AUTH_SP_YES) || (btm_cb.devcb.loc_auth_req & BTM_AUTH_SP_YES)) )
3654                 {
3655                     /* Both devices are DisplayYesNo and one or both devices want to authenticate
3656                        -> use authenticated link key */
3657                     evt_data.cfm_req.just_works = FALSE;
3658                 }
3659 #endif
3660                 BTM_TRACE_DEBUG ("btm_proc_sp_req_evt()  just_works:%d, io loc:%d, rmt:%d, auth loc:%d, rmt:%d",
3661                                   evt_data.cfm_req.just_works, btm_cb.devcb.loc_io_caps, p_dev_rec->rmt_io_caps,
3662                                   btm_cb.devcb.loc_auth_req, p_dev_rec->rmt_auth_req);
3663 
3664                 evt_data.cfm_req.loc_auth_req   = btm_cb.devcb.loc_auth_req;
3665                 evt_data.cfm_req.rmt_auth_req   = p_dev_rec->rmt_auth_req;
3666                 evt_data.cfm_req.loc_io_caps    = btm_cb.devcb.loc_io_caps;
3667                 evt_data.cfm_req.rmt_io_caps    = p_dev_rec->rmt_io_caps;
3668                 break;
3669 
3670             case BTM_SP_KEY_NOTIF_EVT:
3671                 /* Passkey notification (other side is a keyboard) */
3672                 STREAM_TO_UINT32 (evt_data.key_notif.passkey, p);
3673 
3674                 BTM_TRACE_DEBUG ("BTM_SP_KEY_NOTIF_EVT:  passkey: %u", evt_data.key_notif.passkey);
3675 
3676                 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
3677                 break;
3678 
3679 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
3680             case BTM_SP_KEY_REQ_EVT:
3681                 /* HCI_USER_PASSKEY_REQUEST_EVT */
3682                 btm_sec_change_pairing_state (BTM_PAIR_STATE_KEY_ENTRY);
3683                 break;
3684 #endif
3685         }
3686 
3687         if (btm_cb.api.p_sp_callback)
3688         {
3689             status = (*btm_cb.api.p_sp_callback) (event, (tBTM_SP_EVT_DATA *)&evt_data);
3690             if (status != BTM_NOT_AUTHORIZED)
3691             {
3692                 return;
3693             }
3694             /* else BTM_NOT_AUTHORIZED means when the app wants to reject the req right now */
3695         }
3696         else if ( (event == BTM_SP_CFM_REQ_EVT) && (evt_data.cfm_req.just_works == TRUE) )
3697         {
3698             /* automatically reply with just works if no sp_cback */
3699             status = BTM_SUCCESS;
3700         }
3701 
3702         if (event == BTM_SP_CFM_REQ_EVT)
3703         {
3704             BTM_TRACE_DEBUG ("calling BTM_ConfirmReqReply with status: %d", status);
3705             BTM_ConfirmReqReply (status, p_bda);
3706         }
3707 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
3708         else if (event == BTM_SP_KEY_REQ_EVT)
3709         {
3710             BTM_PasskeyReqReply(status, p_bda, 0);
3711         }
3712 #endif
3713         return;
3714     }
3715 
3716     /* Something bad. we can only fail this connection */
3717     btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
3718 
3719     if (BTM_SP_CFM_REQ_EVT == event)
3720     {
3721         btsnd_hcic_user_conf_reply (p_bda, FALSE);
3722     }
3723     else if (BTM_SP_KEY_NOTIF_EVT == event)
3724     {
3725         /* do nothing -> it very unlikely to happen.
3726         This event is most likely to be received by a HID host when it first connects to a HID device.
3727         Usually the Host initiated the connection in this case.
3728         On Mobile platforms, if there's a security process happening,
3729         the host probably can not initiate another connection.
3730         BTW (PC) is another story.  */
3731         if (NULL != (p_dev_rec = btm_find_dev (p_bda)) )
3732         {
3733             btm_sec_disconnect (p_dev_rec->hci_handle, HCI_ERR_AUTH_FAILURE);
3734         }
3735     }
3736 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
3737     else
3738     {
3739         btsnd_hcic_user_passkey_neg_reply(p_bda);
3740     }
3741 #endif
3742 }
3743 
3744 /*******************************************************************************
3745 **
3746 ** Function         btm_keypress_notif_evt
3747 **
3748 ** Description      This function is called when a key press notification is
3749 **                  received
3750 **
3751 ** Returns          void
3752 **
3753 *******************************************************************************/
btm_keypress_notif_evt(UINT8 * p)3754 void  btm_keypress_notif_evt (UINT8 *p)
3755 {
3756     tBTM_SP_KEYPRESS    evt_data;
3757     UINT8 *p_bda;
3758 
3759     /* parse & report BTM_SP_KEYPRESS_EVT */
3760     if (btm_cb.api.p_sp_callback)
3761     {
3762         p_bda = evt_data.bd_addr;
3763 
3764         STREAM_TO_BDADDR (p_bda, p);
3765         evt_data.notif_type = *p;
3766 
3767         (*btm_cb.api.p_sp_callback) (BTM_SP_KEYPRESS_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3768     }
3769 }
3770 
3771 /*******************************************************************************
3772 **
3773 ** Function         btm_simple_pair_complete
3774 **
3775 ** Description      This function is called when simple pairing process is
3776 **                  complete
3777 **
3778 ** Returns          void
3779 **
3780 *******************************************************************************/
btm_simple_pair_complete(UINT8 * p)3781 void btm_simple_pair_complete (UINT8 *p)
3782 {
3783     tBTM_SP_COMPLT  evt_data;
3784     tBTM_SEC_DEV_REC *p_dev_rec;
3785     UINT8           status;
3786     BOOLEAN         disc = FALSE;
3787 
3788     status = *p++;
3789     STREAM_TO_BDADDR (evt_data.bd_addr, p);
3790 
3791     if ((p_dev_rec = btm_find_dev (evt_data.bd_addr)) == NULL)
3792     {
3793         BTM_TRACE_ERROR ("btm_simple_pair_complete() with unknown BDA: %08x%04x",
3794                           (evt_data.bd_addr[0]<<24) + (evt_data.bd_addr[1]<<16) + (evt_data.bd_addr[2]<<8) + evt_data.bd_addr[3],
3795                           (evt_data.bd_addr[4] << 8) + evt_data.bd_addr[5]);
3796         return;
3797     }
3798 
3799     BTM_TRACE_EVENT ("btm_simple_pair_complete()  Pair State: %s  Status:%d  sec_state: %u",
3800                       btm_pair_state_descr(btm_cb.pairing_state),  status, p_dev_rec->sec_state);
3801 
3802     evt_data.status = BTM_ERR_PROCESSING;
3803     if (status == HCI_SUCCESS)
3804     {
3805         evt_data.status = BTM_SUCCESS;
3806         p_dev_rec->sec_flags |= BTM_SEC_AUTHENTICATED;
3807     }
3808     else
3809     {
3810         if (status == HCI_ERR_PAIRING_NOT_ALLOWED)
3811         {
3812             /* The test spec wants the peer device to get this failure code. */
3813             btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_DISCONNECT);
3814 
3815             /* Change the timer to 1 second */
3816             alarm_set_on_queue(btm_cb.pairing_timer, BT_1SEC_TIMEOUT_MS,
3817                                btm_sec_pairing_timeout, NULL,
3818                                btu_general_alarm_queue);
3819         }
3820         else if (memcmp (btm_cb.pairing_bda, evt_data.bd_addr, BD_ADDR_LEN) == 0)
3821         {
3822             /* stop the timer */
3823             alarm_cancel(btm_cb.pairing_timer);
3824 
3825             if (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING)
3826             {
3827                 /* the initiating side: will receive auth complete event. disconnect ACL at that time */
3828                 disc = TRUE;
3829             }
3830         }
3831         else
3832             disc = TRUE;
3833     }
3834 
3835     /* Let the pairing state stay active, p_auth_complete_callback will report the failure */
3836     memcpy (evt_data.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
3837     memcpy (evt_data.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN);
3838 
3839     if (btm_cb.api.p_sp_callback)
3840         (*btm_cb.api.p_sp_callback) (BTM_SP_COMPLT_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3841 
3842     if (disc)
3843     {
3844         /* simple pairing failed */
3845         /* Avoid sending disconnect on HCI_ERR_PEER_USER */
3846         if ((status != HCI_ERR_PEER_USER) && (status != HCI_ERR_CONN_CAUSE_LOCAL_HOST))
3847         {
3848             btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE, p_dev_rec->hci_handle);
3849         }
3850     }
3851 }
3852 
3853 /*******************************************************************************
3854 **
3855 ** Function         btm_rem_oob_req
3856 **
3857 ** Description      This function is called to process/report
3858 **                  HCI_REMOTE_OOB_DATA_REQUEST_EVT
3859 **
3860 ** Returns          void
3861 **
3862 *******************************************************************************/
btm_rem_oob_req(UINT8 * p)3863 void btm_rem_oob_req (UINT8 *p)
3864 {
3865     UINT8 *p_bda;
3866     tBTM_SP_RMT_OOB  evt_data;
3867     tBTM_SEC_DEV_REC *p_dev_rec;
3868     BT_OCTET16      c;
3869     BT_OCTET16      r;
3870 
3871     p_bda = evt_data.bd_addr;
3872 
3873     STREAM_TO_BDADDR (p_bda, p);
3874 
3875     BTM_TRACE_EVENT ("btm_rem_oob_req() BDA: %02x:%02x:%02x:%02x:%02x:%02x",
3876                       p_bda[0], p_bda[1], p_bda[2], p_bda[3], p_bda[4], p_bda[5]);
3877 
3878     if ( (NULL != (p_dev_rec = btm_find_dev (p_bda))) &&
3879          btm_cb.api.p_sp_callback)
3880     {
3881         memcpy (evt_data.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
3882         memcpy (evt_data.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN);
3883         strlcpy((char *)evt_data.bd_name, (char *)p_dev_rec->sec_bd_name, BTM_MAX_REM_BD_NAME_LEN);
3884 
3885         btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP);
3886         if ((*btm_cb.api.p_sp_callback) (BTM_SP_RMT_OOB_EVT, (tBTM_SP_EVT_DATA *)&evt_data) == BTM_NOT_AUTHORIZED)
3887         {
3888             BTM_RemoteOobDataReply(TRUE, p_bda, c, r);
3889         }
3890         return;
3891     }
3892 
3893     /* something bad. we can only fail this connection */
3894     btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
3895     btsnd_hcic_rem_oob_neg_reply (p_bda);
3896 }
3897 
3898 /*******************************************************************************
3899 **
3900 ** Function         btm_read_local_oob_complete
3901 **
3902 ** Description      This function is called when read local oob data is
3903 **                  completed by the LM
3904 **
3905 ** Returns          void
3906 **
3907 *******************************************************************************/
btm_read_local_oob_complete(UINT8 * p)3908 void btm_read_local_oob_complete (UINT8 *p)
3909 {
3910     tBTM_SP_LOC_OOB evt_data;
3911     UINT8           status = *p++;
3912 
3913     BTM_TRACE_EVENT ("btm_read_local_oob_complete:%d", status);
3914     if (status == HCI_SUCCESS)
3915     {
3916         evt_data.status = BTM_SUCCESS;
3917         STREAM_TO_ARRAY16(evt_data.c, p);
3918         STREAM_TO_ARRAY16(evt_data.r, p);
3919     }
3920     else
3921         evt_data.status = BTM_ERR_PROCESSING;
3922 
3923     if (btm_cb.api.p_sp_callback)
3924         (*btm_cb.api.p_sp_callback) (BTM_SP_LOC_OOB_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3925 }
3926 
3927 /*******************************************************************************
3928 **
3929 ** Function         btm_sec_auth_collision
3930 **
3931 ** Description      This function is called when authentication or encryption
3932 **                  needs to be retried at a later time.
3933 **
3934 ** Returns          void
3935 **
3936 *******************************************************************************/
btm_sec_auth_collision(UINT16 handle)3937 static void btm_sec_auth_collision (UINT16 handle)
3938 {
3939     tBTM_SEC_DEV_REC *p_dev_rec;
3940 
3941     if (!btm_cb.collision_start_time)
3942         btm_cb.collision_start_time = time_get_os_boottime_ms();
3943 
3944     if ((time_get_os_boottime_ms() - btm_cb.collision_start_time) < btm_cb.max_collision_delay)
3945     {
3946         if (handle == BTM_SEC_INVALID_HANDLE)
3947         {
3948             if ((p_dev_rec = btm_sec_find_dev_by_sec_state (BTM_SEC_STATE_AUTHENTICATING)) == NULL)
3949                 p_dev_rec = btm_sec_find_dev_by_sec_state (BTM_SEC_STATE_ENCRYPTING);
3950         }
3951         else
3952             p_dev_rec = btm_find_dev_by_handle (handle);
3953 
3954         if (p_dev_rec != NULL)
3955         {
3956             BTM_TRACE_DEBUG ("btm_sec_auth_collision: state %d (retrying in a moment...)", p_dev_rec->sec_state);
3957             /* We will restart authentication after timeout */
3958             if (p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING || p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING)
3959                 p_dev_rec->sec_state = 0;
3960 
3961             btm_cb.p_collided_dev_rec = p_dev_rec;
3962             alarm_set_on_queue(btm_cb.sec_collision_timer, BT_1SEC_TIMEOUT_MS,
3963                                btm_sec_collision_timeout, NULL,
3964                                btu_general_alarm_queue);
3965         }
3966     }
3967 }
3968 
3969 /*******************************************************************************
3970 **
3971 ** Function         btm_sec_auth_complete
3972 **
3973 ** Description      This function is when authentication of the connection is
3974 **                  completed by the LM
3975 **
3976 ** Returns          void
3977 **
3978 *******************************************************************************/
btm_sec_auth_complete(UINT16 handle,UINT8 status)3979 void btm_sec_auth_complete (UINT16 handle, UINT8 status)
3980 {
3981     UINT8            old_sm4;
3982     tBTM_PAIRING_STATE  old_state   = btm_cb.pairing_state;
3983     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle);
3984     BOOLEAN             are_bonding = FALSE;
3985 
3986     /* Commenting out trace due to obf/compilation problems.
3987     */
3988 #if (BT_USE_TRACES == TRUE)
3989     if (p_dev_rec)
3990     {
3991         BTM_TRACE_EVENT ("Security Manager: auth_complete PairState: %s  handle:%u  status:%d  dev->sec_state: %u  Bda:%08x, RName:%s",
3992                           btm_pair_state_descr (btm_cb.pairing_state),
3993                           handle, status,
3994                           p_dev_rec->sec_state,
3995                           (p_dev_rec->bd_addr[2]<<24)+(p_dev_rec->bd_addr[3]<<16)+(p_dev_rec->bd_addr[4]<<8)+p_dev_rec->bd_addr[5],
3996                           p_dev_rec->sec_bd_name);
3997     }
3998     else
3999     {
4000         BTM_TRACE_EVENT ("Security Manager: auth_complete PairState: %s  handle:%u  status:%d",
4001                           btm_pair_state_descr (btm_cb.pairing_state),
4002                           handle, status);
4003     }
4004 #endif
4005 
4006     /* For transaction collision we need to wait and repeat.  There is no need */
4007     /* for random timeout because only slave should receive the result */
4008     if ((status == HCI_ERR_LMP_ERR_TRANS_COLLISION) || (status == HCI_ERR_DIFF_TRANSACTION_COLLISION))
4009     {
4010         btm_sec_auth_collision(handle);
4011         return;
4012     }
4013     btm_cb.collision_start_time = 0;
4014 
4015     btm_restore_mode();
4016 
4017     /* Check if connection was made just to do bonding.  If we authenticate
4018        the connection that is up, this is the last event received.
4019     */
4020     if (p_dev_rec
4021         && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4022         && !(btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE))
4023     {
4024         p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4025 
4026         l2cu_start_post_bond_timer (p_dev_rec->hci_handle);
4027     }
4028 
4029     if (!p_dev_rec)
4030         return;
4031 
4032     /* keep the old sm4 flag and clear the retry bit in control block */
4033     old_sm4 = p_dev_rec->sm4;
4034     p_dev_rec->sm4 &= ~BTM_SM4_RETRY;
4035 
4036     if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4037          &&  (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4038          &&  (memcmp (p_dev_rec->bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN) == 0) )
4039         are_bonding = TRUE;
4040 
4041     if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4042           &&  (memcmp (p_dev_rec->bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN) == 0) )
4043         btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4044 
4045     if (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING)
4046     {
4047         if ( (btm_cb.api.p_auth_complete_callback && status != HCI_SUCCESS)
4048              &&  (old_state != BTM_PAIR_STATE_IDLE) )
4049         {
4050             (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4051                                                     p_dev_rec->dev_class,
4052                                                     p_dev_rec->sec_bd_name, status);
4053         }
4054         return;
4055     }
4056 
4057     /* There can be a race condition, when we are starting authentication and
4058     ** the peer device is doing encryption.
4059     ** If first we receive encryption change up, then initiated authentication
4060     ** can not be performed.  According to the spec we can not do authentication
4061     ** on the encrypted link, so device is correct.
4062     */
4063     if ((status == HCI_ERR_COMMAND_DISALLOWED)
4064         && ((p_dev_rec->sec_flags & (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED)) ==
4065             (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED)))
4066     {
4067         status = HCI_SUCCESS;
4068     }
4069     /* Currently we do not notify user if it is a keyboard which connects */
4070     /* User probably Disabled the keyboard while it was asleap.  Let her try */
4071     if (btm_cb.api.p_auth_complete_callback)
4072     {
4073         /* report the suthentication status */
4074         if (old_state != BTM_PAIR_STATE_IDLE)
4075             (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4076                                                     p_dev_rec->dev_class,
4077                                                     p_dev_rec->sec_bd_name, status);
4078     }
4079 
4080     p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
4081 
4082     /* If this is a bonding procedure can disconnect the link now */
4083     if (are_bonding)
4084     {
4085         p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4086 
4087         if (status != HCI_SUCCESS)
4088         {
4089             if(((status != HCI_ERR_PEER_USER) && (status != HCI_ERR_CONN_CAUSE_LOCAL_HOST)))
4090                 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_PEER_USER, p_dev_rec->hci_handle);
4091         }
4092         else
4093         {
4094             BTM_TRACE_DEBUG ("TRYING TO DECIDE IF CAN USE SMP_BR_CHNL");
4095             if (p_dev_rec->new_encryption_key_is_p256 && (btm_sec_use_smp_br_chnl(p_dev_rec))
4096                 /* no LE keys are available, do deriving */
4097                  && (!(p_dev_rec->sec_flags &BTM_SEC_LE_LINK_KEY_KNOWN) ||
4098                 /* or BR key is higher security than existing LE keys */
4099                  (!(p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_AUTHED) &&
4100                  (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED))))
4101             {
4102                 BTM_TRACE_DEBUG ("link encrypted afer dedic bonding can use SMP_BR_CHNL");
4103 
4104                 if (btm_sec_is_master(p_dev_rec))
4105                 {
4106                     // Encryption is required to start SM over BR/EDR
4107                     // indicate that this is encryption after authentication
4108                     BTM_SetEncryption(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR, NULL, NULL, 0);
4109                 }
4110             }
4111             l2cu_start_post_bond_timer (p_dev_rec->hci_handle);
4112         }
4113 
4114         return;
4115     }
4116 
4117     /* If authentication failed, notify the waiting layer */
4118     if (status != HCI_SUCCESS)
4119     {
4120         if ((old_sm4 & BTM_SM4_RETRY) == 0)
4121         {
4122             /* allow retry only once */
4123             if (status == HCI_ERR_LMP_ERR_TRANS_COLLISION)
4124             {
4125                 /* not retried yet. set the retry bit */
4126                 p_dev_rec->sm4 |= BTM_SM4_RETRY;
4127                 BTM_TRACE_DEBUG ("Collision retry sm4:x%x sec_flags:0x%x", p_dev_rec->sm4, p_dev_rec->sec_flags);
4128             }
4129             /* this retry for missing key is for Lisbon or later only.
4130              * Legacy device do not need this. the controller will drive the retry automatically */
4131             else if (HCI_ERR_KEY_MISSING == status && BTM_SEC_IS_SM4(p_dev_rec->sm4))
4132             {
4133                 /* not retried yet. set the retry bit */
4134                 p_dev_rec->sm4 |= BTM_SM4_RETRY;
4135                 p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_KNOWN;
4136                 BTM_TRACE_DEBUG ("Retry for missing key sm4:x%x sec_flags:0x%x", p_dev_rec->sm4, p_dev_rec->sec_flags);
4137 
4138                 /* With BRCM controller, we do not need to delete the stored link key in controller.
4139                 If the stack may sit on top of other controller, we may need this
4140                 BTM_DeleteStoredLinkKey (bd_addr, NULL); */
4141             }
4142 
4143             if (p_dev_rec->sm4 & BTM_SM4_RETRY)
4144             {
4145                 btm_sec_execute_procedure (p_dev_rec);
4146                 return;
4147             }
4148         }
4149 
4150         btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING, FALSE);
4151 
4152         if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)
4153         {
4154             btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE, p_dev_rec->hci_handle);
4155         }
4156         return;
4157     }
4158 
4159     p_dev_rec->sec_flags |= BTM_SEC_AUTHENTICATED;
4160 
4161     if (p_dev_rec->pin_code_length >= 16 ||
4162         p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB ||
4163         p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) {
4164         // If we have MITM protection we have a higher level of security than
4165         // provided by 16 digits PIN
4166         p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED;
4167     }
4168 
4169     /* Authentication succeeded, execute the next security procedure, if any */
4170     status = btm_sec_execute_procedure (p_dev_rec);
4171 
4172     /* If there is no next procedure, or procedure failed to start, notify the caller */
4173     if (status != BTM_CMD_STARTED)
4174         btm_sec_dev_rec_cback_event (p_dev_rec, status, FALSE);
4175 }
4176 
4177 /*******************************************************************************
4178 **
4179 ** Function         btm_sec_encrypt_change
4180 **
4181 ** Description      This function is when encryption of the connection is
4182 **                  completed by the LM
4183 **
4184 ** Returns          void
4185 **
4186 *******************************************************************************/
btm_sec_encrypt_change(UINT16 handle,UINT8 status,UINT8 encr_enable)4187 void btm_sec_encrypt_change (UINT16 handle, UINT8 status, UINT8 encr_enable)
4188 {
4189     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev_by_handle (handle);
4190 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
4191     tACL_CONN       *p_acl = NULL;
4192     UINT8           acl_idx = btm_handle_to_acl_index(handle);
4193 #endif
4194     BTM_TRACE_EVENT ("Security Manager: encrypt_change status:%d State:%d, encr_enable = %d",
4195                       status, (p_dev_rec) ? p_dev_rec->sec_state : 0, encr_enable);
4196     BTM_TRACE_DEBUG ("before update p_dev_rec->sec_flags=0x%x", (p_dev_rec) ? p_dev_rec->sec_flags : 0 );
4197 
4198     /* For transaction collision we need to wait and repeat.  There is no need */
4199     /* for random timeout because only slave should receive the result */
4200     if ((status == HCI_ERR_LMP_ERR_TRANS_COLLISION) ||
4201         (status == HCI_ERR_DIFF_TRANSACTION_COLLISION))
4202     {
4203         btm_sec_auth_collision(handle);
4204         return;
4205     }
4206     btm_cb.collision_start_time = 0;
4207 
4208     if (!p_dev_rec)
4209         return;
4210 
4211     if ((status == HCI_SUCCESS) && encr_enable)
4212     {
4213         if (p_dev_rec->hci_handle == handle) {
4214             p_dev_rec->sec_flags |= (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED);
4215             if (p_dev_rec->pin_code_length >= 16 ||
4216                 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB ||
4217                 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) {
4218                 p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED;
4219             }
4220         }
4221         else
4222         {
4223             p_dev_rec->sec_flags |= (BTM_SEC_LE_AUTHENTICATED | BTM_SEC_LE_ENCRYPTED);
4224         }
4225     }
4226 
4227     /* It is possible that we decrypted the link to perform role switch */
4228     /* mark link not to be encrypted, so that when we execute security next time it will kick in again */
4229     if ((status == HCI_SUCCESS) && !encr_enable)
4230     {
4231         if (p_dev_rec->hci_handle == handle)
4232             p_dev_rec->sec_flags &= ~BTM_SEC_ENCRYPTED;
4233         else
4234             p_dev_rec->sec_flags &= ~BTM_SEC_LE_ENCRYPTED;
4235     }
4236 
4237     BTM_TRACE_DEBUG ("after update p_dev_rec->sec_flags=0x%x", p_dev_rec->sec_flags );
4238 
4239 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
4240     if (acl_idx != MAX_L2CAP_LINKS)
4241         p_acl = &btm_cb.acl_db[acl_idx];
4242 
4243     if (p_acl != NULL)
4244         btm_sec_check_pending_enc_req(p_dev_rec, p_acl->transport, encr_enable);
4245 
4246     if (p_acl && p_acl->transport == BT_TRANSPORT_LE)
4247     {
4248         if (status == HCI_ERR_KEY_MISSING || status == HCI_ERR_AUTH_FAILURE ||
4249             status == HCI_ERR_ENCRY_MODE_NOT_ACCEPTABLE)
4250         {
4251             p_dev_rec->sec_flags &= ~ (BTM_SEC_LE_LINK_KEY_KNOWN);
4252             p_dev_rec->ble.key_type = BTM_LE_KEY_NONE;
4253         }
4254         btm_ble_link_encrypted(p_dev_rec->ble.pseudo_addr, encr_enable);
4255         return;
4256     }
4257     else
4258     {
4259         /* BR/EDR connection, update the encryption key size to be 16 as always */
4260         p_dev_rec->enc_key_size = 16;
4261     }
4262 
4263      BTM_TRACE_DEBUG ("in %s new_encr_key_256 is %d",
4264                        __func__, p_dev_rec->new_encryption_key_is_p256);
4265 
4266     if ((status == HCI_SUCCESS) && encr_enable && (p_dev_rec->hci_handle == handle))
4267     {
4268         if (p_dev_rec->new_encryption_key_is_p256)
4269         {
4270             if (btm_sec_use_smp_br_chnl(p_dev_rec) &&
4271                 btm_sec_is_master(p_dev_rec) &&
4272                 /* if LE key is not known, do deriving */
4273                 (!(p_dev_rec->sec_flags &BTM_SEC_LE_LINK_KEY_KNOWN) ||
4274                 /* or BR key is higher security than existing LE keys */
4275                  (!(p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_AUTHED)
4276                  && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED))))
4277             {
4278                 /* BR/EDR is encrypted with LK that can be used to derive LE LTK */
4279                 p_dev_rec->new_encryption_key_is_p256 = FALSE;
4280 
4281                 if (p_dev_rec->no_smp_on_br)
4282                 {
4283                     BTM_TRACE_DEBUG ("%s NO SM over BR/EDR", __func__);
4284                 }
4285                 else
4286                 {
4287                     BTM_TRACE_DEBUG ("%s start SM over BR/EDR", __func__);
4288                     SMP_BR_PairWith(p_dev_rec->bd_addr);
4289                 }
4290             }
4291         }
4292         else
4293         {
4294             // BR/EDR is successfully encrypted. Correct LK type if needed
4295             // (BR/EDR LK derived from LE LTK was used for encryption)
4296             if ((encr_enable == 1)  && /* encryption is ON for SSP */
4297                 /* LK type is for BR/EDR SC */
4298                 (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256 ||
4299                  p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256))
4300             {
4301                 if (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256)
4302                     p_dev_rec->link_key_type = BTM_LKEY_TYPE_UNAUTH_COMB;
4303                 else /* BTM_LKEY_TYPE_AUTH_COMB_P_256 */
4304                     p_dev_rec->link_key_type = BTM_LKEY_TYPE_AUTH_COMB;
4305 
4306                 BTM_TRACE_DEBUG("updated link key type to %d", p_dev_rec->link_key_type);
4307                 btm_send_link_key_notif(p_dev_rec);
4308             }
4309         }
4310     }
4311 #else
4312     btm_sec_check_pending_enc_req (p_dev_rec, BT_TRANSPORT_BR_EDR, encr_enable);
4313 #endif /* BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE */
4314 
4315     /* If this encryption was started by peer do not need to do anything */
4316     if (p_dev_rec->sec_state != BTM_SEC_STATE_ENCRYPTING)
4317     {
4318         if (BTM_SEC_STATE_DELAY_FOR_ENC == p_dev_rec->sec_state)
4319         {
4320             p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
4321             p_dev_rec->p_callback = NULL;
4322             l2cu_resubmit_pending_sec_req (p_dev_rec->bd_addr);
4323         }
4324         return;
4325     }
4326 
4327     p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
4328     /* If encryption setup failed, notify the waiting layer */
4329     if (status != HCI_SUCCESS)
4330     {
4331         btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING, FALSE);
4332         return;
4333     }
4334 
4335     /* Encryption setup succeeded, execute the next security procedure, if any */
4336     status = (UINT8)btm_sec_execute_procedure (p_dev_rec);
4337     /* If there is no next procedure, or procedure failed to start, notify the caller */
4338     if (status != BTM_CMD_STARTED)
4339         btm_sec_dev_rec_cback_event (p_dev_rec, status, FALSE);
4340 }
4341 
4342 /*******************************************************************************
4343 **
4344 ** Function         btm_sec_connect_after_reject_timeout
4345 **
4346 ** Description      Connection for bonding could not start because of the collision
4347 **                  Initiate outgoing connection
4348 **
4349 ** Returns          Pointer to the TLE struct
4350 **
4351 *******************************************************************************/
btm_sec_connect_after_reject_timeout(UNUSED_ATTR void * data)4352 static void btm_sec_connect_after_reject_timeout(UNUSED_ATTR void *data)
4353 {
4354     tBTM_SEC_DEV_REC *p_dev_rec = btm_cb.p_collided_dev_rec;
4355 
4356     BTM_TRACE_EVENT("%s", __func__);
4357     btm_cb.p_collided_dev_rec = 0;
4358 
4359     if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED)
4360     {
4361         BTM_TRACE_WARNING("Security Manager: %s: failed to start connection",
4362                           __func__);
4363 
4364         btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4365 
4366         if (btm_cb.api.p_auth_complete_callback)
4367         (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,  p_dev_rec->dev_class,
4368                                                 p_dev_rec->sec_bd_name, HCI_ERR_MEMORY_FULL);
4369     }
4370 }
4371 
4372 /*******************************************************************************
4373 **
4374 ** Function         btm_sec_connected
4375 **
4376 ** Description      This function is when a connection to the peer device is
4377 **                  establsihed
4378 **
4379 ** Returns          void
4380 **
4381 *******************************************************************************/
btm_sec_connected(UINT8 * bda,UINT16 handle,UINT8 status,UINT8 enc_mode)4382 void btm_sec_connected (UINT8 *bda, UINT16 handle, UINT8 status, UINT8 enc_mode)
4383 {
4384     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bda);
4385     UINT8            res;
4386     BOOLEAN          is_pairing_device = FALSE;
4387     tACL_CONN        *p_acl_cb;
4388     UINT8            bit_shift = 0;
4389 
4390     btm_acl_resubmit_page();
4391 
4392     /* Commenting out trace due to obf/compilation problems.
4393     */
4394 #if (BT_USE_TRACES == TRUE)
4395     if (p_dev_rec)
4396     {
4397         BTM_TRACE_EVENT ("Security Manager: btm_sec_connected in state: %s  handle:%d status:%d enc_mode:%d  bda:%x RName:%s",
4398                           btm_pair_state_descr(btm_cb.pairing_state), handle, status, enc_mode,
4399                           (bda[2]<<24)+(bda[3]<<16)+(bda[4]<<8)+bda[5],
4400                           p_dev_rec->sec_bd_name);
4401     }
4402     else
4403     {
4404         BTM_TRACE_EVENT ("Security Manager: btm_sec_connected in state: %s  handle:%d status:%d enc_mode:%d  bda:%x ",
4405                           btm_pair_state_descr(btm_cb.pairing_state), handle, status, enc_mode,
4406                           (bda[2]<<24)+(bda[3]<<16)+(bda[4]<<8)+bda[5]);
4407     }
4408 #endif
4409 
4410     if (!p_dev_rec)
4411     {
4412         /* There is no device record for new connection.  Allocate one */
4413         if (status == HCI_SUCCESS)
4414         {
4415             p_dev_rec = btm_sec_alloc_dev (bda);
4416         }
4417         else
4418         {
4419             /* If the device matches with stored paring address
4420              * reset the paring state to idle */
4421             if ((btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) &&
4422                 (memcmp (btm_cb.pairing_bda, bda, BD_ADDR_LEN) == 0))
4423             {
4424                 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE);
4425             }
4426 
4427             /* can not find the device record and the status is error,
4428              * just ignore it */
4429             return;
4430         }
4431     }
4432     else    /* Update the timestamp for this device */
4433     {
4434 
4435 #if BLE_INCLUDED == TRUE
4436         bit_shift = (handle == p_dev_rec->ble_hci_handle) ? 8 :0;
4437 #endif
4438         p_dev_rec->timestamp = btm_cb.dev_rec_count++;
4439         if (p_dev_rec->sm4 & BTM_SM4_CONN_PEND)
4440         {
4441             /* tell L2CAP it's a bonding connection. */
4442             if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4443                  &&  (memcmp (btm_cb.pairing_bda, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0)
4444                  &&  (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) )
4445             {
4446                 /* if incoming connection failed while pairing, then try to connect and continue */
4447                 /* Motorola S9 disconnects without asking pin code */
4448                 if ((status != HCI_SUCCESS)&&(btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_PIN_REQ))
4449                 {
4450                     BTM_TRACE_WARNING ("Security Manager: btm_sec_connected: incoming connection failed without asking PIN");
4451 
4452                     p_dev_rec->sm4 &= ~BTM_SM4_CONN_PEND;
4453                     if (p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
4454                     {
4455                         /* Start timer with 0 to initiate connection with new LCB */
4456                         /* because L2CAP will delete current LCB with this event  */
4457                         btm_cb.p_collided_dev_rec = p_dev_rec;
4458                         alarm_set_on_queue(btm_cb.sec_collision_timer, 0,
4459                                            btm_sec_connect_after_reject_timeout,
4460                                            NULL, btu_general_alarm_queue);
4461                     }
4462                     else
4463                     {
4464                         btm_sec_change_pairing_state (BTM_PAIR_STATE_GET_REM_NAME);
4465                         BTM_ReadRemoteDeviceName(p_dev_rec->bd_addr, NULL, BT_TRANSPORT_BR_EDR);
4466                     }
4467 #if BTM_DISC_DURING_RS == TRUE
4468                     p_dev_rec->rs_disc_pending   = BTM_SEC_RS_NOT_PENDING;     /* reset flag */
4469 #endif
4470                     return;
4471                 }
4472                 else
4473                 {
4474                     l2cu_update_lcb_4_bonding(p_dev_rec->bd_addr, TRUE);
4475                 }
4476             }
4477             /* always clear the pending flag */
4478             p_dev_rec->sm4 &= ~BTM_SM4_CONN_PEND;
4479         }
4480     }
4481 
4482 #if BLE_INCLUDED == TRUE
4483     p_dev_rec->device_type |= BT_DEVICE_TYPE_BREDR;
4484 #endif
4485 
4486 #if BTM_DISC_DURING_RS == TRUE
4487     p_dev_rec->rs_disc_pending   = BTM_SEC_RS_NOT_PENDING;     /* reset flag */
4488 #endif
4489 
4490     p_dev_rec->rs_disc_pending   = BTM_SEC_RS_NOT_PENDING;     /* reset flag */
4491 
4492     if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4493          && (memcmp (btm_cb.pairing_bda, bda, BD_ADDR_LEN) == 0) )
4494     {
4495         /* if we rejected incoming connection from bonding device */
4496         if ((status == HCI_ERR_HOST_REJECT_DEVICE)
4497             &&(btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT))
4498         {
4499             BTM_TRACE_WARNING ("Security Manager: btm_sec_connected: HCI_Conn_Comp Flags:0x%04x, sm4: 0x%x",
4500                 btm_cb.pairing_flags, p_dev_rec->sm4);
4501 
4502             btm_cb.pairing_flags &= ~BTM_PAIR_FLAGS_REJECTED_CONNECT;
4503             if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4))
4504             {
4505                 /* Try again: RNR when no ACL causes HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT */
4506                 btm_sec_change_pairing_state (BTM_PAIR_STATE_GET_REM_NAME);
4507                 BTM_ReadRemoteDeviceName(bda, NULL, BT_TRANSPORT_BR_EDR);
4508                 return;
4509             }
4510 
4511             /* if we already have pin code */
4512             if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_PIN)
4513             {
4514                 /* Start timer with 0 to initiate connection with new LCB */
4515                 /* because L2CAP will delete current LCB with this event  */
4516                 btm_cb.p_collided_dev_rec = p_dev_rec;
4517                 alarm_set_on_queue(btm_cb.sec_collision_timer, 0,
4518                                    btm_sec_connect_after_reject_timeout,
4519                                    NULL, btu_general_alarm_queue);
4520             }
4521 
4522             return;
4523         }
4524         /* wait for incoming connection without resetting pairing state */
4525         else if (status == HCI_ERR_CONNECTION_EXISTS)
4526         {
4527             BTM_TRACE_WARNING ("Security Manager: btm_sec_connected: Wait for incoming connection");
4528             return;
4529         }
4530 
4531         is_pairing_device = TRUE;
4532     }
4533 
4534     /* If connection was made to do bonding restore link security if changed */
4535     btm_restore_mode();
4536 
4537     /* if connection fails during pin request, notify application */
4538     if (status != HCI_SUCCESS)
4539     {
4540         /* If connection failed because of during pairing, need to tell user */
4541         if (is_pairing_device)
4542         {
4543             p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4544             p_dev_rec->sec_flags &= ~((BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED) << bit_shift);
4545             BTM_TRACE_DEBUG ("security_required:%x ", p_dev_rec->security_required );
4546 
4547             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4548 
4549             /* We need to notify host that the key is not known any more */
4550             if (btm_cb.api.p_auth_complete_callback)
4551             {
4552                 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4553                                                         p_dev_rec->dev_class,
4554                                                         p_dev_rec->sec_bd_name, status);
4555             }
4556         }
4557  /*
4558      Do not send authentication failure, if following conditions hold good
4559       1.  BTM Sec Pairing state is idle
4560       2.  Link key for the remote device is present.
4561       3.  Remote is SSP capable.
4562   */
4563         else if  ((p_dev_rec->link_key_type  <= BTM_LKEY_TYPE_REMOTE_UNIT) &&
4564                  (((status == HCI_ERR_AUTH_FAILURE)                      ||
4565                  (status == HCI_ERR_KEY_MISSING)                         ||
4566                  (status == HCI_ERR_HOST_REJECT_SECURITY)                ||
4567                  (status == HCI_ERR_PAIRING_NOT_ALLOWED)                 ||
4568                  (status == HCI_ERR_UNIT_KEY_USED)                       ||
4569                  (status == HCI_ERR_PAIRING_WITH_UNIT_KEY_NOT_SUPPORTED) ||
4570                  (status == HCI_ERR_ENCRY_MODE_NOT_ACCEPTABLE)           ||
4571                  (status == HCI_ERR_REPEATED_ATTEMPTS))))
4572         {
4573             p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4574             p_dev_rec->sec_flags &= ~ (BTM_SEC_LE_LINK_KEY_KNOWN << bit_shift);
4575 
4576 #ifdef BRCM_NOT_4_BTE
4577             /* If we rejected pairing, pass this special result code */
4578             if (btm_cb.acl_disc_reason == HCI_ERR_HOST_REJECT_SECURITY)
4579             {
4580                 status = HCI_ERR_HOST_REJECT_SECURITY;
4581             }
4582 #endif
4583 
4584             /* We need to notify host that the key is not known any more */
4585             if (btm_cb.api.p_auth_complete_callback)
4586             {
4587                 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4588                                                         p_dev_rec->dev_class,
4589                                                         p_dev_rec->sec_bd_name, status);
4590             }
4591         }
4592 
4593         if (status == HCI_ERR_CONNECTION_TOUT || status == HCI_ERR_LMP_RESPONSE_TIMEOUT  ||
4594             status == HCI_ERR_UNSPECIFIED     || status == HCI_ERR_PAGE_TIMEOUT)
4595             btm_sec_dev_rec_cback_event (p_dev_rec, BTM_DEVICE_TIMEOUT, FALSE);
4596         else
4597             btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING, FALSE);
4598 
4599         return;
4600     }
4601 
4602     /* If initiated dedicated bonding, return the link key now, and initiate disconnect */
4603     /* If dedicated bonding, and we now have a link key, we are all done */
4604     if ( is_pairing_device
4605          && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) )
4606     {
4607         if (p_dev_rec->link_key_not_sent)
4608         {
4609             p_dev_rec->link_key_not_sent = FALSE;
4610             btm_send_link_key_notif(p_dev_rec);
4611         }
4612 
4613         p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4614 
4615         /* remember flag before it is initialized */
4616         if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4617             res = TRUE;
4618         else
4619             res = FALSE;
4620 
4621         if (btm_cb.api.p_auth_complete_callback)
4622             (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4623                                                     p_dev_rec->dev_class,
4624                                                     p_dev_rec->sec_bd_name, HCI_SUCCESS);
4625 
4626         btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4627 
4628         if ( res )
4629         {
4630             /* Let l2cap start bond timer */
4631             l2cu_update_lcb_4_bonding (p_dev_rec->bd_addr, TRUE);
4632         }
4633 
4634         return;
4635     }
4636 
4637     p_dev_rec->hci_handle = handle;
4638 
4639     /* role may not be correct here, it will be updated by l2cap, but we need to */
4640     /* notify btm_acl that link is up, so starting of rmt name request will not */
4641     /* set paging flag up */
4642     p_acl_cb = btm_bda_to_acl(bda, BT_TRANSPORT_BR_EDR);
4643     if (p_acl_cb)
4644     {
4645         /* whatever is in btm_establish_continue() without reporting the BTM_BL_CONN_EVT event */
4646 #if (!defined(BTM_BYPASS_EXTRA_ACL_SETUP) || BTM_BYPASS_EXTRA_ACL_SETUP == FALSE)
4647         /* For now there are a some devices that do not like sending */
4648         /* commands events and data at the same time. */
4649         /* Set the packet types to the default allowed by the device */
4650         btm_set_packet_types (p_acl_cb, btm_cb.btm_acl_pkt_types_supported);
4651 
4652         if (btm_cb.btm_def_link_policy)
4653             BTM_SetLinkPolicy (p_acl_cb->remote_addr, &btm_cb.btm_def_link_policy);
4654 #endif
4655     }
4656     btm_acl_created (bda, p_dev_rec->dev_class, p_dev_rec->sec_bd_name, handle, HCI_ROLE_SLAVE, BT_TRANSPORT_BR_EDR);
4657 
4658     /* Initialize security flags.  We need to do that because some            */
4659     /* authorization complete could have come after the connection is dropped */
4660     /* and that would set wrong flag that link has been authorized already    */
4661     p_dev_rec->sec_flags &= ~((BTM_SEC_AUTHORIZED | BTM_SEC_AUTHENTICATED |
4662                               BTM_SEC_ENCRYPTED | BTM_SEC_ROLE_SWITCHED) << bit_shift);
4663 
4664     if (enc_mode != HCI_ENCRYPT_MODE_DISABLED)
4665         p_dev_rec->sec_flags |= ((BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED) << bit_shift);
4666 
4667     if (btm_cb.security_mode == BTM_SEC_MODE_LINK)
4668         p_dev_rec->sec_flags |= (BTM_SEC_AUTHENTICATED << bit_shift);
4669 
4670     if (p_dev_rec->pin_code_length >= 16 ||
4671         p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB ||
4672         p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) {
4673         p_dev_rec->sec_flags |= (BTM_SEC_16_DIGIT_PIN_AUTHED << bit_shift);
4674     }
4675 
4676     p_dev_rec->link_key_changed = FALSE;
4677 
4678     /* After connection is established we perform security if we do not know */
4679     /* the name, or if we are originator because some procedure can have */
4680     /* been scheduled while connection was down */
4681     BTM_TRACE_DEBUG ("is_originator:%d ", p_dev_rec->is_originator);
4682     if (!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN) || p_dev_rec->is_originator)
4683     {
4684         if ((res = btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED)
4685             btm_sec_dev_rec_cback_event (p_dev_rec, res, FALSE);
4686     }
4687     return;
4688 }
4689 
4690 /*******************************************************************************
4691 **
4692 ** Function         btm_sec_disconnect
4693 **
4694 ** Description      This function is called to disconnect HCI link
4695 **
4696 ** Returns          btm status
4697 **
4698 *******************************************************************************/
btm_sec_disconnect(UINT16 handle,UINT8 reason)4699 tBTM_STATUS btm_sec_disconnect (UINT16 handle, UINT8 reason)
4700 {
4701     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev_by_handle (handle);
4702 
4703     /* In some weird race condition we may not have a record */
4704     if (!p_dev_rec)
4705     {
4706         btsnd_hcic_disconnect (handle, reason);
4707         return(BTM_SUCCESS);
4708     }
4709 
4710     /* If we are in the process of bonding we need to tell client that auth failed */
4711     if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4712          &&  (memcmp (btm_cb.pairing_bda, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0)
4713          &&  (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) )
4714     {
4715         /* we are currently doing bonding.  Link will be disconnected when done */
4716         btm_cb.pairing_flags |= BTM_PAIR_FLAGS_DISC_WHEN_DONE;
4717         return(BTM_BUSY);
4718     }
4719 
4720     return(btm_sec_send_hci_disconnect(p_dev_rec, reason, handle));
4721 }
4722 
4723 /*******************************************************************************
4724 **
4725 ** Function         btm_sec_disconnected
4726 **
4727 ** Description      This function is when a connection to the peer device is
4728 **                  dropped
4729 **
4730 ** Returns          void
4731 **
4732 *******************************************************************************/
btm_sec_disconnected(UINT16 handle,UINT8 reason)4733 void btm_sec_disconnected (UINT16 handle, UINT8 reason)
4734 {
4735     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev_by_handle (handle);
4736     UINT8             old_pairing_flags = btm_cb.pairing_flags;
4737     int               result = HCI_ERR_AUTH_FAILURE;
4738     tBTM_SEC_CALLBACK   *p_callback = NULL;
4739     tBT_TRANSPORT      transport = BT_TRANSPORT_BR_EDR;
4740 
4741     /* If page was delayed for disc complete, can do it now */
4742     btm_cb.discing = FALSE;
4743 
4744     btm_acl_resubmit_page();
4745 
4746     if (!p_dev_rec)
4747         return;
4748 
4749     transport  = (handle == p_dev_rec->hci_handle) ? BT_TRANSPORT_BR_EDR: BT_TRANSPORT_LE;
4750 
4751     p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING;     /* reset flag */
4752 
4753 #if BTM_DISC_DURING_RS == TRUE
4754     LOG_INFO(LOG_TAG, "%s clearing pending flag handle:%d reason:%d", __func__, handle, reason);
4755     p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING;     /* reset flag */
4756 #endif
4757 
4758     /* clear unused flags */
4759     p_dev_rec->sm4 &= BTM_SM4_TRUE;
4760 
4761     uint8_t *bd_addr = (uint8_t *)p_dev_rec->bd_addr;
4762     BTM_TRACE_EVENT("%s sec_req:x%x state:%s reason:%d bd_addr:%02x:%02x:%02x:%02x:%02x:%02x"
4763             "  remote_name:%s", __func__, p_dev_rec->security_required, btm_pair_state_descr(btm_cb.pairing_state),
4764             reason, bd_addr[0], bd_addr[1], bd_addr[2], bd_addr[3], bd_addr[4], bd_addr[5], p_dev_rec->sec_bd_name);
4765 
4766     BTM_TRACE_EVENT("%s before update sec_flags=0x%x", __func__, p_dev_rec->sec_flags);
4767 
4768     /* If we are in the process of bonding we need to tell client that auth failed */
4769     if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4770          && (memcmp (btm_cb.pairing_bda, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0))
4771     {
4772         btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4773         p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_KNOWN;
4774         if (btm_cb.api.p_auth_complete_callback)
4775         {
4776             /* If the disconnection reason is REPEATED_ATTEMPTS,
4777                send this error message to complete callback function
4778                to display the error message of Repeated attempts.
4779                All others, send HCI_ERR_AUTH_FAILURE. */
4780             if (reason == HCI_ERR_REPEATED_ATTEMPTS)
4781             {
4782                 result = HCI_ERR_REPEATED_ATTEMPTS;
4783             }
4784             else if (old_pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4785             {
4786                 result = HCI_ERR_HOST_REJECT_SECURITY;
4787             }
4788             (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,     p_dev_rec->dev_class,
4789                                                     p_dev_rec->sec_bd_name, result);
4790         }
4791     }
4792 
4793 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
4794     btm_ble_update_mode_operation(HCI_ROLE_UNKNOWN, p_dev_rec->bd_addr, HCI_SUCCESS);
4795     /* see sec_flags processing in btm_acl_removed */
4796 
4797     if (transport == BT_TRANSPORT_LE)
4798     {
4799         p_dev_rec->ble_hci_handle = BTM_SEC_INVALID_HANDLE;
4800         p_dev_rec->sec_flags &= ~(BTM_SEC_LE_AUTHENTICATED|BTM_SEC_LE_ENCRYPTED);
4801         p_dev_rec->enc_key_size = 0;
4802     }
4803     else
4804 #endif
4805     {
4806         p_dev_rec->hci_handle = BTM_SEC_INVALID_HANDLE;
4807         p_dev_rec->sec_flags &= ~(BTM_SEC_AUTHORIZED | BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED
4808                 | BTM_SEC_ROLE_SWITCHED | BTM_SEC_16_DIGIT_PIN_AUTHED);
4809     }
4810 
4811 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
4812     if (p_dev_rec->sec_state == BTM_SEC_STATE_DISCONNECTING_BOTH)
4813     {
4814         p_dev_rec->sec_state = (transport == BT_TRANSPORT_LE) ?
4815                                 BTM_SEC_STATE_DISCONNECTING : BTM_SEC_STATE_DISCONNECTING_BLE;
4816         return;
4817     }
4818 #endif
4819     p_dev_rec->sec_state  = BTM_SEC_STATE_IDLE;
4820     p_dev_rec->security_required = BTM_SEC_NONE;
4821 
4822     p_callback = p_dev_rec->p_callback;
4823 
4824     /* if security is pending, send callback to clean up the security state */
4825     if(p_callback)
4826     {
4827         p_dev_rec->p_callback = NULL; /* when the peer device time out the authentication before
4828                                          we do, this call back must be reset here */
4829         (*p_callback) (p_dev_rec->bd_addr, transport, p_dev_rec->p_ref_data, BTM_ERR_PROCESSING);
4830     }
4831 
4832     BTM_TRACE_EVENT("%s after update sec_flags=0x%x", __func__, p_dev_rec->sec_flags);
4833 }
4834 
4835 /*******************************************************************************
4836 **
4837 ** Function         btm_sec_link_key_notification
4838 **
4839 ** Description      This function is called when a new connection link key is
4840 **                  generated
4841 **
4842 ** Returns          Pointer to the record or NULL
4843 **
4844 *******************************************************************************/
btm_sec_link_key_notification(UINT8 * p_bda,UINT8 * p_link_key,UINT8 key_type)4845 void btm_sec_link_key_notification (UINT8 *p_bda, UINT8 *p_link_key, UINT8 key_type)
4846 {
4847     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_or_alloc_dev (p_bda);
4848     BOOLEAN         we_are_bonding = FALSE;
4849     BOOLEAN         ltk_derived_lk  = FALSE;
4850 
4851     BTM_TRACE_EVENT ("btm_sec_link_key_notification()  BDA:%04x%08x, TYPE: %d",
4852                       (p_bda[0]<<8)+p_bda[1], (p_bda[2]<<24)+(p_bda[3]<<16)+(p_bda[4]<<8)+p_bda[5],
4853                       key_type);
4854 
4855     if ((key_type >= BTM_LTK_DERIVED_LKEY_OFFSET + BTM_LKEY_TYPE_COMBINATION) &&
4856         (key_type <= BTM_LTK_DERIVED_LKEY_OFFSET + BTM_LKEY_TYPE_AUTH_COMB_P_256))
4857     {
4858         ltk_derived_lk = TRUE;
4859         key_type -= BTM_LTK_DERIVED_LKEY_OFFSET;
4860     }
4861     /* If connection was made to do bonding restore link security if changed */
4862     btm_restore_mode();
4863 
4864     if (key_type != BTM_LKEY_TYPE_CHANGED_COMB)
4865         p_dev_rec->link_key_type = key_type;
4866 
4867     p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_KNOWN;
4868 
4869     /*
4870      * Until this point in time, we do not know if MITM was enabled, hence we
4871      * add the extended security flag here.
4872      */
4873     if (p_dev_rec->pin_code_length >= 16 ||
4874         p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB ||
4875         p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) {
4876         p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED;
4877     }
4878 
4879 #if (BLE_INCLUDED == TRUE)
4880     /* BR/EDR connection, update the encryption key size to be 16 as always */
4881     p_dev_rec->enc_key_size = 16;
4882 #endif
4883     memcpy (p_dev_rec->link_key, p_link_key, LINK_KEY_LEN);
4884 
4885     if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4886          && (memcmp (btm_cb.pairing_bda, p_bda, BD_ADDR_LEN) == 0) )
4887     {
4888         if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4889             we_are_bonding = TRUE;
4890         else
4891             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4892     }
4893 
4894     /* save LTK derived LK no matter what */
4895     if (ltk_derived_lk)
4896     {
4897         if (btm_cb.api.p_link_key_callback)
4898         {
4899                 BTM_TRACE_DEBUG ("%s() Save LTK derived LK (key_type = %d)",
4900                                   __FUNCTION__, p_dev_rec->link_key_type);
4901                 (*btm_cb.api.p_link_key_callback) (p_bda, p_dev_rec->dev_class,
4902                                                    p_dev_rec->sec_bd_name,
4903                                                    p_link_key, p_dev_rec->link_key_type);
4904         }
4905     }
4906     else
4907     {
4908         if ((p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256) ||
4909             (p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256))
4910         {
4911              p_dev_rec->new_encryption_key_is_p256 = TRUE;
4912              BTM_TRACE_DEBUG ("%s set new_encr_key_256 to %d",
4913                                __func__, p_dev_rec->new_encryption_key_is_p256);
4914         }
4915     }
4916 
4917     /* If name is not known at this point delay calling callback until the name is   */
4918     /* resolved. Unless it is a HID Device and we really need to send all link keys. */
4919     if ((!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
4920         &&  ((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) != BTM_COD_MAJOR_PERIPHERAL))
4921         && !ltk_derived_lk)
4922     {
4923         BTM_TRACE_EVENT ("btm_sec_link_key_notification()  Delayed BDA: %08x%04x Type:%d",
4924                           (p_bda[0]<<24) + (p_bda[1]<<16) + (p_bda[2]<<8) + p_bda[3],
4925                           (p_bda[4] << 8) + p_bda[5], key_type);
4926 
4927         p_dev_rec->link_key_not_sent = TRUE;
4928 
4929         /* If it is for bonding nothing else will follow, so we need to start name resolution */
4930         if (we_are_bonding)
4931         {
4932             if (!(btsnd_hcic_rmt_name_req (p_bda, HCI_PAGE_SCAN_REP_MODE_R1, HCI_MANDATARY_PAGE_SCAN_MODE, 0)))
4933                 btm_inq_rmt_name_failed();
4934         }
4935 
4936         BTM_TRACE_EVENT ("rmt_io_caps:%d, sec_flags:x%x, dev_class[1]:x%02x", p_dev_rec->rmt_io_caps, p_dev_rec->sec_flags, p_dev_rec->dev_class[1])
4937         return;
4938     }
4939 
4940     /* If its not us who perform authentication, we should tell stackserver */
4941     /* that some authentication has been completed                          */
4942     /* This is required when different entities receive link notification and auth complete */
4943     if (!(p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE)
4944         /* for derived key, always send authentication callback for BR channel */
4945          || ltk_derived_lk)
4946     {
4947         if (btm_cb.api.p_auth_complete_callback)
4948             (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
4949                                                     p_dev_rec->sec_bd_name, HCI_SUCCESS);
4950     }
4951 
4952     /* We will save link key only if the user authorized it - BTE report link key in all cases */
4953 #ifdef BRCM_NONE_BTE
4954     if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED)
4955 #endif
4956     {
4957         if (btm_cb.api.p_link_key_callback)
4958         {
4959             if (ltk_derived_lk)
4960             {
4961                 BTM_TRACE_DEBUG ("btm_sec_link_key_notification()  LTK derived LK is saved already"
4962                                     " (key_type = %d)", p_dev_rec->link_key_type);
4963             }
4964             else
4965             {
4966                 (*btm_cb.api.p_link_key_callback) (p_bda, p_dev_rec->dev_class,
4967                                                    p_dev_rec->sec_bd_name,
4968                                                    p_link_key, p_dev_rec->link_key_type);
4969             }
4970         }
4971     }
4972 }
4973 
4974 /*******************************************************************************
4975 **
4976 ** Function         btm_sec_link_key_request
4977 **
4978 ** Description      This function is called when controller requests link key
4979 **
4980 ** Returns          Pointer to the record or NULL
4981 **
4982 *******************************************************************************/
btm_sec_link_key_request(UINT8 * p_bda)4983 void btm_sec_link_key_request (UINT8 *p_bda)
4984 {
4985     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_or_alloc_dev (p_bda);
4986 
4987     BTM_TRACE_EVENT ("btm_sec_link_key_request()  BDA: %02x:%02x:%02x:%02x:%02x:%02x",
4988                       p_bda[0], p_bda[1], p_bda[2], p_bda[3], p_bda[4], p_bda[5]);
4989 
4990     if( (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_PIN_REQ) &&
4991         (btm_cb.collision_start_time != 0) &&
4992         (memcmp (btm_cb.p_collided_dev_rec->bd_addr, p_bda, BD_ADDR_LEN) == 0) )
4993     {
4994         BTM_TRACE_EVENT ("btm_sec_link_key_request() rejecting link key req "
4995             "State: %d START_TIMEOUT : %d",
4996              btm_cb.pairing_state, btm_cb.collision_start_time);
4997         btsnd_hcic_link_key_neg_reply (p_bda);
4998         return;
4999     }
5000     if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)
5001     {
5002         btsnd_hcic_link_key_req_reply (p_bda, p_dev_rec->link_key);
5003         return;
5004     }
5005 
5006     /* Notify L2CAP to increase timeout */
5007     l2c_pin_code_request (p_bda);
5008 
5009     /* The link key is not in the database and it is not known to the manager */
5010     btsnd_hcic_link_key_neg_reply (p_bda);
5011 }
5012 
5013 /*******************************************************************************
5014 **
5015 ** Function         btm_sec_pairing_timeout
5016 **
5017 ** Description      This function is called when host does not provide PIN
5018 **                  within requested time
5019 **
5020 ** Returns          Pointer to the TLE struct
5021 **
5022 *******************************************************************************/
btm_sec_pairing_timeout(UNUSED_ATTR void * data)5023 static void btm_sec_pairing_timeout(UNUSED_ATTR void *data)
5024 {
5025     tBTM_CB *p_cb = &btm_cb;
5026     tBTM_SEC_DEV_REC *p_dev_rec;
5027 #if (BTM_LOCAL_IO_CAPS == BTM_IO_CAP_NONE)
5028     tBTM_AUTH_REQ   auth_req = BTM_AUTH_AP_NO;
5029 #else
5030     tBTM_AUTH_REQ   auth_req = BTM_AUTH_AP_YES;
5031 #endif
5032     UINT8   name[2];
5033 
5034 /* Coverity: FALSE-POSITIVE error from Coverity tool. Please do NOT remove following comment. */
5035 /* coverity[UNUSED_VALUE] pointer p_dev_rec is actually used several times... This is a Coverity false-positive, i.e. a fake issue.
5036 */
5037     p_dev_rec = btm_find_dev (p_cb->pairing_bda);
5038 
5039     BTM_TRACE_EVENT ("%s  State: %s   Flags: %u", __func__,
5040                       btm_pair_state_descr(p_cb->pairing_state), p_cb->pairing_flags);
5041 
5042     switch (p_cb->pairing_state)
5043     {
5044         case BTM_PAIR_STATE_WAIT_PIN_REQ:
5045             btm_sec_bond_cancel_complete();
5046             break;
5047 
5048         case BTM_PAIR_STATE_WAIT_LOCAL_PIN:
5049             if ( (btm_cb.pairing_flags & BTM_PAIR_FLAGS_PRE_FETCH_PIN) == 0)
5050                 btsnd_hcic_pin_code_neg_reply (p_cb->pairing_bda);
5051             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
5052             /* We need to notify the UI that no longer need the PIN */
5053             if (btm_cb.api.p_auth_complete_callback)
5054             {
5055                 if (p_dev_rec == NULL)
5056                 {
5057                     name[0] = 0;
5058                     (*btm_cb.api.p_auth_complete_callback) (p_cb->pairing_bda,
5059                                                             NULL,
5060                                                             name, HCI_ERR_CONNECTION_TOUT);
5061                 }
5062                 else
5063                     (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
5064                                                             p_dev_rec->dev_class,
5065                                                             p_dev_rec->sec_bd_name, HCI_ERR_CONNECTION_TOUT);
5066             }
5067             break;
5068 
5069         case BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM:
5070             btsnd_hcic_user_conf_reply (p_cb->pairing_bda, FALSE);
5071             /* btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); */
5072             break;
5073 
5074 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
5075         case BTM_PAIR_STATE_KEY_ENTRY:
5076             btsnd_hcic_user_passkey_neg_reply(p_cb->pairing_bda);
5077             /* btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); */
5078             break;
5079 #endif /* !BTM_IO_CAP_NONE */
5080 
5081         case BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS:
5082             if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
5083                 auth_req |= BTM_AUTH_DD_BOND;
5084 
5085             btsnd_hcic_io_cap_req_reply (p_cb->pairing_bda, btm_cb.devcb.loc_io_caps,
5086                                          BTM_OOB_NONE, auth_req);
5087             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
5088             break;
5089 
5090         case BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP:
5091             btsnd_hcic_rem_oob_neg_reply (p_cb->pairing_bda);
5092             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
5093             break;
5094 
5095         case BTM_PAIR_STATE_WAIT_DISCONNECT:
5096             /* simple pairing failed. Started a 1-sec timer at simple pairing complete.
5097              * now it's time to tear down the ACL link*/
5098             if (p_dev_rec == NULL)
5099             {
5100                 BTM_TRACE_ERROR("%s BTM_PAIR_STATE_WAIT_DISCONNECT unknown BDA: %08x%04x",
5101                                 __func__,
5102                                 (p_cb->pairing_bda[0]<<24) + (p_cb->pairing_bda[1]<<16) + (p_cb->pairing_bda[2]<<8) + p_cb->pairing_bda[3],
5103                                 (p_cb->pairing_bda[4] << 8) + p_cb->pairing_bda[5]);
5104                 break;
5105             }
5106             btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE, p_dev_rec->hci_handle);
5107             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
5108             break;
5109 
5110         case BTM_PAIR_STATE_WAIT_AUTH_COMPLETE:
5111         case BTM_PAIR_STATE_GET_REM_NAME:
5112             /* We need to notify the UI that timeout has happened while waiting for authentication*/
5113             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
5114             if (btm_cb.api.p_auth_complete_callback)
5115             {
5116                 if (p_dev_rec == NULL)
5117                 {
5118                     name[0] = 0;
5119                     (*btm_cb.api.p_auth_complete_callback) (p_cb->pairing_bda,
5120                                                             NULL,
5121                                                             name, HCI_ERR_CONNECTION_TOUT);
5122                 }
5123                 else
5124                     (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
5125                                                             p_dev_rec->dev_class,
5126                                                             p_dev_rec->sec_bd_name, HCI_ERR_CONNECTION_TOUT);
5127             }
5128             break;
5129 
5130         default:
5131             BTM_TRACE_WARNING("%s not processed state: %s", __func__,
5132                               btm_pair_state_descr(btm_cb.pairing_state));
5133             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
5134             break;
5135     }
5136 }
5137 
5138 /*******************************************************************************
5139 **
5140 ** Function         btm_sec_pin_code_request
5141 **
5142 ** Description      This function is called when controller requests PIN code
5143 **
5144 ** Returns          Pointer to the record or NULL
5145 **
5146 *******************************************************************************/
btm_sec_pin_code_request(UINT8 * p_bda)5147 void btm_sec_pin_code_request (UINT8 *p_bda)
5148 {
5149     tBTM_SEC_DEV_REC *p_dev_rec;
5150     tBTM_CB          *p_cb = &btm_cb;
5151 
5152     BTM_TRACE_EVENT ("btm_sec_pin_code_request()  State: %s, BDA:%04x%08x",
5153                       btm_pair_state_descr(btm_cb.pairing_state),
5154                       (p_bda[0]<<8)+p_bda[1], (p_bda[2]<<24)+(p_bda[3]<<16)+(p_bda[4]<<8)+p_bda[5] );
5155 
5156     if (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
5157     {
5158         if ( (memcmp (p_bda, btm_cb.pairing_bda, BD_ADDR_LEN) == 0)  &&
5159              (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_AUTH_COMPLETE) )
5160         {
5161              btsnd_hcic_pin_code_neg_reply (p_bda);
5162              return;
5163         }
5164         else if ((btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_PIN_REQ)
5165                  || memcmp (p_bda, btm_cb.pairing_bda, BD_ADDR_LEN) != 0)
5166         {
5167             BTM_TRACE_WARNING ("btm_sec_pin_code_request() rejected - state: %s",
5168                                 btm_pair_state_descr(btm_cb.pairing_state));
5169             btsnd_hcic_pin_code_neg_reply (p_bda);
5170             return;
5171         }
5172     }
5173 
5174     p_dev_rec = btm_find_or_alloc_dev (p_bda);
5175     /* received PIN code request. must be non-sm4 */
5176     p_dev_rec->sm4 = BTM_SM4_KNOWN;
5177 
5178     if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
5179     {
5180         memcpy (btm_cb.pairing_bda, p_bda, BD_ADDR_LEN);
5181 
5182         btm_cb.pairing_flags = BTM_PAIR_FLAGS_PEER_STARTED_DD;
5183         /* Make sure we reset the trusted mask to help against attacks */
5184         BTM_SEC_CLR_TRUSTED_DEVICE(p_dev_rec->trusted_mask);
5185     }
5186 
5187     if (!p_cb->pairing_disabled && (p_cb->cfg.pin_type == HCI_PIN_TYPE_FIXED))
5188     {
5189         BTM_TRACE_EVENT ("btm_sec_pin_code_request fixed pin replying");
5190         btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
5191         btsnd_hcic_pin_code_req_reply (p_bda, p_cb->cfg.pin_code_len, p_cb->cfg.pin_code);
5192         return;
5193     }
5194 
5195     /* Use the connecting device's CoD for the connection */
5196     if ( (!memcmp (p_bda, p_cb->connecting_bda, BD_ADDR_LEN))
5197          &&  (p_cb->connecting_dc[0] || p_cb->connecting_dc[1] || p_cb->connecting_dc[2]) )
5198         memcpy (p_dev_rec->dev_class, p_cb->connecting_dc, DEV_CLASS_LEN);
5199 
5200     /* We could have started connection after asking user for the PIN code */
5201     if (btm_cb.pin_code_len != 0)
5202     {
5203         BTM_TRACE_EVENT ("btm_sec_pin_code_request bonding sending reply");
5204         btsnd_hcic_pin_code_req_reply (p_bda, btm_cb.pin_code_len, p_cb->pin_code);
5205 
5206         /* Mark that we forwarded received from the user PIN code */
5207         btm_cb.pin_code_len = 0;
5208 
5209         /* We can change mode back right away, that other connection being established */
5210         /* is not forced to be secure - found a FW issue, so we can not do this
5211         btm_restore_mode(); */
5212 
5213         btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
5214     }
5215 
5216     /* If pairing disabled OR (no PIN callback and not bonding) */
5217     /* OR we could not allocate entry in the database reject pairing request */
5218     else if (p_cb->pairing_disabled
5219              || (p_cb->api.p_pin_callback == NULL)
5220 
5221              /* OR Microsoft keyboard can for some reason try to establish connection */
5222              /*  the only thing we can do here is to shut it up.  Normally we will be originator */
5223              /*  for keyboard bonding */
5224              || (!p_dev_rec->is_originator
5225                  && ((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) == BTM_COD_MAJOR_PERIPHERAL)
5226                  &&  (p_dev_rec->dev_class[2] & BTM_COD_MINOR_KEYBOARD)) )
5227     {
5228         BTM_TRACE_WARNING("btm_sec_pin_code_request(): Pairing disabled:%d; PIN callback:%x, Dev Rec:%x!",
5229                            p_cb->pairing_disabled, p_cb->api.p_pin_callback, p_dev_rec);
5230 
5231         btsnd_hcic_pin_code_neg_reply (p_bda);
5232     }
5233     /* Notify upper layer of PIN request and start expiration timer */
5234     else
5235     {
5236         btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_PIN);
5237         /* Pin code request can not come at the same time as connection request */
5238         memcpy (p_cb->connecting_bda, p_bda, BD_ADDR_LEN);
5239         memcpy (p_cb->connecting_dc,  p_dev_rec->dev_class, DEV_CLASS_LEN);
5240 
5241         /* Check if the name is known */
5242         /* Even if name is not known we might not be able to get one */
5243         /* this is the case when we are already getting something from the */
5244         /* device, so HCI level is flow controlled */
5245         /* Also cannot send remote name request while paging, i.e. connection is not completed */
5246         if (p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
5247         {
5248             BTM_TRACE_EVENT ("btm_sec_pin_code_request going for callback");
5249 
5250             btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
5251             if (p_cb->api.p_pin_callback) {
5252                 (*p_cb->api.p_pin_callback) (p_bda, p_dev_rec->dev_class, p_dev_rec->sec_bd_name,
5253                         (p_dev_rec->p_cur_service == NULL) ? FALSE
5254                                 : (p_dev_rec->p_cur_service->security_flags
5255                                    & BTM_SEC_IN_MIN_16_DIGIT_PIN));
5256             }
5257         }
5258         else
5259         {
5260             BTM_TRACE_EVENT ("btm_sec_pin_code_request going for remote name");
5261 
5262             /* We received PIN code request for the device with unknown name */
5263             /* it is not user friendly just to ask for the PIN without name */
5264             /* try to get name at first */
5265             if (!btsnd_hcic_rmt_name_req (p_dev_rec->bd_addr,
5266                                           HCI_PAGE_SCAN_REP_MODE_R1,
5267                                           HCI_MANDATARY_PAGE_SCAN_MODE, 0))
5268             {
5269                 p_dev_rec->sec_flags |= BTM_SEC_NAME_KNOWN;
5270                 p_dev_rec->sec_bd_name[0] = 'f';
5271                 p_dev_rec->sec_bd_name[1] = '0';
5272                 BTM_TRACE_ERROR ("can not send rmt_name_req?? fake a name and call callback");
5273 
5274                 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
5275                 if (p_cb->api.p_pin_callback)
5276                     (*p_cb->api.p_pin_callback) (p_bda, p_dev_rec->dev_class,
5277                             p_dev_rec->sec_bd_name, (p_dev_rec->p_cur_service == NULL) ? FALSE
5278                                     : (p_dev_rec->p_cur_service->security_flags
5279                                        & BTM_SEC_IN_MIN_16_DIGIT_PIN));
5280             }
5281         }
5282     }
5283 
5284     return;
5285 }
5286 
5287 /*******************************************************************************
5288 **
5289 ** Function         btm_sec_update_clock_offset
5290 **
5291 ** Description      This function is called to update clock offset
5292 **
5293 ** Returns          void
5294 **
5295 *******************************************************************************/
btm_sec_update_clock_offset(UINT16 handle,UINT16 clock_offset)5296 void btm_sec_update_clock_offset (UINT16 handle, UINT16 clock_offset)
5297 {
5298     tBTM_SEC_DEV_REC  *p_dev_rec;
5299     tBTM_INQ_INFO     *p_inq_info;
5300 
5301     if ((p_dev_rec = btm_find_dev_by_handle (handle)) == NULL)
5302         return;
5303 
5304     p_dev_rec->clock_offset = clock_offset | BTM_CLOCK_OFFSET_VALID;
5305 
5306     if ((p_inq_info = BTM_InqDbRead(p_dev_rec->bd_addr)) == NULL)
5307         return;
5308 
5309     p_inq_info->results.clock_offset = clock_offset | BTM_CLOCK_OFFSET_VALID;
5310 }
5311 
5312 /******************************************************************
5313 ** S T A T I C     F U N C T I O N S
5314 *******************************************************************/
5315 
5316 /*******************************************************************************
5317 **
5318 ** Function         btm_sec_execute_procedure
5319 **
5320 ** Description      This function is called to start required security
5321 **                  procedure.  There is a case when multiplexing protocol
5322 **                  calls this function on the originating side, connection to
5323 **                  the peer will not be established.  This function in this
5324 **                  case performs only authorization.
5325 **
5326 ** Returns          BTM_SUCCESS     - permission is granted
5327 **                  BTM_CMD_STARTED - in process
5328 **                  BTM_NO_RESOURCES  - permission declined
5329 **
5330 *******************************************************************************/
btm_sec_execute_procedure(tBTM_SEC_DEV_REC * p_dev_rec)5331 static tBTM_STATUS btm_sec_execute_procedure (tBTM_SEC_DEV_REC *p_dev_rec)
5332 {
5333     BTM_TRACE_EVENT ("btm_sec_execute_procedure: Required:0x%x Flags:0x%x State:%d",
5334                       p_dev_rec->security_required, p_dev_rec->sec_flags, p_dev_rec->sec_state);
5335 
5336     /* There is a chance that we are getting name.  Wait until done. */
5337     if (p_dev_rec->sec_state != 0)
5338         return(BTM_CMD_STARTED);
5339 
5340     /* If any security is required, get the name first */
5341     if (!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
5342         && (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE))
5343     {
5344         BTM_TRACE_EVENT ("Security Manager: Start get name");
5345         if (!btm_sec_start_get_name (p_dev_rec))
5346         {
5347             return(BTM_NO_RESOURCES);
5348         }
5349         return(BTM_CMD_STARTED);
5350     }
5351 
5352     /* If connection is not authenticated and authentication is required */
5353     /* start authentication and return PENDING to the caller */
5354     if ((((!(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))
5355         && (( p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE))
5356             || (!p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_IN_AUTHENTICATE))))
5357         || (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED)
5358             && (!p_dev_rec->is_originator
5359                     && (p_dev_rec->security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN))))
5360         && (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE))
5361     {
5362         /*
5363          * We rely on BTM_SEC_16_DIGIT_PIN_AUTHED being set if MITM is in use,
5364          * as 16 DIGIT is only needed if MITM is not used. Unfortunately, the
5365          * BTM_SEC_AUTHENTICATED is used for both MITM and non-MITM
5366          * authenticated connections, hence we cannot distinguish here.
5367          */
5368 
5369 #if (L2CAP_UCD_INCLUDED == TRUE)
5370         /* if incoming UCD packet, discard it */
5371         if ( !p_dev_rec->is_originator && (p_dev_rec->is_ucd == TRUE ))
5372             return(BTM_FAILED_ON_SECURITY);
5373 #endif
5374 
5375         BTM_TRACE_EVENT ("Security Manager: Start authentication");
5376 
5377         /*
5378          * If we do have a link-key, but we end up here because we need an
5379          * upgrade, then clear the link-key known and authenticated flag before
5380          * restarting authentication.
5381          * WARNING: If the controller has link-key, it is optional and
5382          * recommended for the controller to send a Link_Key_Request.
5383          * In case we need an upgrade, the only alternative would be to delete
5384          * the existing link-key. That could lead to very bad user experience
5385          * or even IOP issues, if a reconnect causes a new connection that
5386          * requires an upgrade.
5387          */
5388         if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)
5389                 && (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED)
5390                     && (!p_dev_rec->is_originator && (p_dev_rec->security_required
5391                             & BTM_SEC_IN_MIN_16_DIGIT_PIN)))) {
5392             p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED
5393                     | BTM_SEC_AUTHENTICATED);
5394         }
5395 
5396         if (!btm_sec_start_authentication (p_dev_rec))
5397         {
5398             return(BTM_NO_RESOURCES);
5399         }
5400         return(BTM_CMD_STARTED);
5401     }
5402 
5403     /* If connection is not encrypted and encryption is required */
5404     /* start encryption and return PENDING to the caller */
5405     if (!(p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)
5406         && (( p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_OUT_ENCRYPT))
5407             || (!p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_IN_ENCRYPT)))
5408         && (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE))
5409     {
5410 #if (L2CAP_UCD_INCLUDED == TRUE)
5411         /* if incoming UCD packet, discard it */
5412         if ( !p_dev_rec->is_originator && (p_dev_rec->is_ucd == TRUE ))
5413             return(BTM_FAILED_ON_SECURITY);
5414 #endif
5415 
5416         BTM_TRACE_EVENT ("Security Manager: Start encryption");
5417 
5418         if (!btm_sec_start_encryption (p_dev_rec))
5419         {
5420             return(BTM_NO_RESOURCES);
5421         }
5422         return(BTM_CMD_STARTED);
5423     }
5424 
5425     if ((p_dev_rec->security_required & BTM_SEC_MODE4_LEVEL4) &&
5426         (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256))
5427     {
5428         BTM_TRACE_EVENT("%s: Security Manager: SC only service, but link key type is 0x%02x -",
5429                         "security failure", __FUNCTION__, p_dev_rec->link_key_type);
5430         return (BTM_FAILED_ON_SECURITY);
5431     }
5432 
5433     /* If connection is not authorized and authorization is required */
5434     /* start authorization and return PENDING to the caller */
5435     if (!(p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED)
5436         && (( p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_OUT_AUTHORIZE))
5437             || (!p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_IN_AUTHORIZE))))
5438     {
5439         BTM_TRACE_EVENT ("service id:%d, is trusted:%d",
5440                           p_dev_rec->p_cur_service->service_id,
5441                           (BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask,
5442                                                       p_dev_rec->p_cur_service->service_id)));
5443         if ((btm_sec_are_all_trusted(p_dev_rec->trusted_mask) == FALSE) &&
5444             (p_dev_rec->p_cur_service->service_id < BTM_SEC_MAX_SERVICES) &&
5445             (BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask,
5446                                         p_dev_rec->p_cur_service->service_id) == FALSE))
5447         {
5448             BTM_TRACE_EVENT ("Security Manager: Start authorization");
5449             return(btm_sec_start_authorization (p_dev_rec));
5450         }
5451     }
5452 
5453     /* All required  security procedures already established */
5454     p_dev_rec->security_required &= ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_IN_AUTHORIZE |
5455                                       BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_IN_AUTHENTICATE |
5456                                       BTM_SEC_OUT_ENCRYPT | BTM_SEC_IN_ENCRYPT |
5457                                       BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER |
5458                                       BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
5459 
5460     BTM_TRACE_EVENT ("Security Manager: trusted:0x%04x%04x", p_dev_rec->trusted_mask[1], p_dev_rec->trusted_mask[0]);
5461     BTM_TRACE_EVENT ("Security Manager: access granted");
5462 
5463     return(BTM_SUCCESS);
5464 }
5465 
5466 /*******************************************************************************
5467 **
5468 ** Function         btm_sec_start_get_name
5469 **
5470 ** Description      This function is called to start get name procedure
5471 **
5472 ** Returns          TRUE if started
5473 **
5474 *******************************************************************************/
btm_sec_start_get_name(tBTM_SEC_DEV_REC * p_dev_rec)5475 static BOOLEAN btm_sec_start_get_name (tBTM_SEC_DEV_REC *p_dev_rec)
5476 {
5477     UINT8 tempstate = p_dev_rec->sec_state;
5478 
5479     p_dev_rec->sec_state = BTM_SEC_STATE_GETTING_NAME;
5480 
5481     /* Device should be connected, no need to provide correct page params */
5482     /* 0 and NULL are as timeout and callback params because they are not used in security get name case */
5483     if ((btm_initiate_rem_name (p_dev_rec->bd_addr, NULL, BTM_RMT_NAME_SEC,
5484                                 0, NULL)) != BTM_CMD_STARTED)
5485     {
5486         p_dev_rec->sec_state = tempstate;
5487         return(FALSE);
5488     }
5489 
5490     return(TRUE);
5491 }
5492 
5493 /*******************************************************************************
5494 **
5495 ** Function         btm_sec_start_authentication
5496 **
5497 ** Description      This function is called to start authentication
5498 **
5499 ** Returns          TRUE if started
5500 **
5501 *******************************************************************************/
btm_sec_start_authentication(tBTM_SEC_DEV_REC * p_dev_rec)5502 static BOOLEAN btm_sec_start_authentication (tBTM_SEC_DEV_REC *p_dev_rec)
5503 {
5504     p_dev_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING;
5505 
5506     return(btsnd_hcic_auth_request (p_dev_rec->hci_handle));
5507 }
5508 
5509 /*******************************************************************************
5510 **
5511 ** Function         btm_sec_start_encryption
5512 **
5513 ** Description      This function is called to start encryption
5514 **
5515 ** Returns          TRUE if started
5516 **
5517 *******************************************************************************/
btm_sec_start_encryption(tBTM_SEC_DEV_REC * p_dev_rec)5518 static BOOLEAN btm_sec_start_encryption (tBTM_SEC_DEV_REC *p_dev_rec)
5519 {
5520     if (!btsnd_hcic_set_conn_encrypt (p_dev_rec->hci_handle, TRUE))
5521         return(FALSE);
5522 
5523     p_dev_rec->sec_state = BTM_SEC_STATE_ENCRYPTING;
5524     return(TRUE);
5525 }
5526 
5527 /*******************************************************************************
5528 **
5529 ** Function         btm_sec_start_authorization
5530 **
5531 ** Description      This function is called to start authorization
5532 **
5533 ** Returns          TRUE if started
5534 **
5535 *******************************************************************************/
btm_sec_start_authorization(tBTM_SEC_DEV_REC * p_dev_rec)5536 static UINT8 btm_sec_start_authorization (tBTM_SEC_DEV_REC *p_dev_rec)
5537 {
5538     UINT8    result;
5539     UINT8   *p_service_name = NULL;
5540     UINT8    service_id;
5541 
5542     if ((p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
5543         || (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE))
5544     {
5545         if (!btm_cb.api.p_authorize_callback)
5546             return(BTM_MODE_UNSUPPORTED);
5547 
5548         if (p_dev_rec->p_cur_service)
5549         {
5550 #if BTM_SEC_SERVICE_NAME_LEN > 0
5551             if (p_dev_rec->is_originator)
5552                 p_service_name = p_dev_rec->p_cur_service->orig_service_name;
5553             else
5554                 p_service_name = p_dev_rec->p_cur_service->term_service_name;
5555 #endif
5556             service_id = p_dev_rec->p_cur_service->service_id;
5557         }
5558         else
5559             service_id = 0;
5560 
5561         /* Send authorization request if not already sent during this service connection */
5562         if (p_dev_rec->last_author_service_id == BTM_SEC_NO_LAST_SERVICE_ID
5563             || p_dev_rec->last_author_service_id != service_id)
5564         {
5565             p_dev_rec->sec_state = BTM_SEC_STATE_AUTHORIZING;
5566             result = (*btm_cb.api.p_authorize_callback) (p_dev_rec->bd_addr,
5567                                                      p_dev_rec->dev_class,
5568                                                      p_dev_rec->sec_bd_name,
5569                                                      p_service_name,
5570                                                      service_id,
5571                                                      p_dev_rec->is_originator);
5572         }
5573 
5574         else    /* Already authorized once for this L2CAP bringup */
5575         {
5576             BTM_TRACE_DEBUG ("btm_sec_start_authorization: (Ignoring extra Authorization prompt for service %d)", service_id);
5577             return (BTM_SUCCESS);
5578         }
5579 
5580         if (result == BTM_SUCCESS)
5581         {
5582             p_dev_rec->sec_flags |= BTM_SEC_AUTHORIZED;
5583 
5584             /* Save the currently authorized service in case we are asked again by another multiplexer layer */
5585             if (!p_dev_rec->is_originator)
5586                 p_dev_rec->last_author_service_id = service_id;
5587 
5588             p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
5589         }
5590         return(result);
5591     }
5592     btm_sec_start_get_name (p_dev_rec);
5593     return(BTM_CMD_STARTED);
5594 }
5595 
5596 /*******************************************************************************
5597 **
5598 ** Function         btm_sec_are_all_trusted
5599 **
5600 ** Description      This function is called check if all services are trusted
5601 **
5602 ** Returns          TRUE if all are trusted, otherwise FALSE
5603 **
5604 *******************************************************************************/
btm_sec_are_all_trusted(UINT32 p_mask[])5605 BOOLEAN btm_sec_are_all_trusted(UINT32 p_mask[])
5606 {
5607     UINT32 trusted_inx;
5608     for (trusted_inx = 0; trusted_inx < BTM_SEC_SERVICE_ARRAY_SIZE; trusted_inx++)
5609     {
5610         if (p_mask[trusted_inx] != BTM_SEC_TRUST_ALL)
5611             return(FALSE);
5612     }
5613 
5614     return(TRUE);
5615 }
5616 
5617 /*******************************************************************************
5618 **
5619 ** Function         btm_sec_find_first_serv
5620 **
5621 ** Description      Look for the first record in the service database
5622 **                  with specified PSM
5623 **
5624 ** Returns          Pointer to the record or NULL
5625 **
5626 *******************************************************************************/
btm_sec_find_first_serv(CONNECTION_TYPE conn_type,UINT16 psm)5627 tBTM_SEC_SERV_REC *btm_sec_find_first_serv (CONNECTION_TYPE conn_type, UINT16 psm)
5628 {
5629     tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0];
5630     int i;
5631     BOOLEAN is_originator;
5632 
5633 #if (L2CAP_UCD_INCLUDED == TRUE)
5634 
5635     if ( conn_type & CONNECTION_TYPE_ORIG_MASK )
5636         is_originator = TRUE;
5637     else
5638         is_originator = FALSE;
5639 #else
5640     is_originator = conn_type;
5641 #endif
5642 
5643     if (is_originator && btm_cb.p_out_serv && btm_cb.p_out_serv->psm == psm)
5644     {
5645         /* If this is outgoing connection and the PSM matches p_out_serv,
5646          * use it as the current service */
5647         return btm_cb.p_out_serv;
5648     }
5649 
5650     /* otherwise, just find the first record with the specified PSM */
5651     for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++)
5652     {
5653         if ( (p_serv_rec->security_flags & BTM_SEC_IN_USE) && (p_serv_rec->psm == psm) )
5654             return(p_serv_rec);
5655     }
5656     return(NULL);
5657 }
5658 
5659 /*******************************************************************************
5660 **
5661 ** Function         btm_sec_find_next_serv
5662 **
5663 ** Description      Look for the next record in the service database
5664 **                  with specified PSM
5665 **
5666 ** Returns          Pointer to the record or NULL
5667 **
5668 *******************************************************************************/
btm_sec_find_next_serv(tBTM_SEC_SERV_REC * p_cur)5669 static tBTM_SEC_SERV_REC *btm_sec_find_next_serv (tBTM_SEC_SERV_REC *p_cur)
5670 {
5671     tBTM_SEC_SERV_REC *p_serv_rec   = &btm_cb.sec_serv_rec[0];
5672     int               i;
5673 
5674     for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++)
5675     {
5676         if ((p_serv_rec->security_flags & BTM_SEC_IN_USE)
5677             && (p_serv_rec->psm == p_cur->psm) )
5678         {
5679             if (p_cur != p_serv_rec)
5680             {
5681                 return(p_serv_rec);
5682             }
5683         }
5684     }
5685     return(NULL);
5686 }
5687 
5688 /*******************************************************************************
5689 **
5690 ** Function         btm_sec_find_mx_serv
5691 **
5692 ** Description      Look for the record in the service database with specified
5693 **                  PSM and multiplexor channel information
5694 **
5695 ** Returns          Pointer to the record or NULL
5696 **
5697 *******************************************************************************/
btm_sec_find_mx_serv(UINT8 is_originator,UINT16 psm,UINT32 mx_proto_id,UINT32 mx_chan_id)5698 static tBTM_SEC_SERV_REC *btm_sec_find_mx_serv (UINT8 is_originator, UINT16 psm,
5699                                                 UINT32 mx_proto_id, UINT32 mx_chan_id)
5700 {
5701     tBTM_SEC_SERV_REC *p_out_serv = btm_cb.p_out_serv;
5702     tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0];
5703     int i;
5704 
5705     BTM_TRACE_DEBUG ("%s()", __func__);
5706     if (is_originator && p_out_serv && p_out_serv->psm == psm
5707         && p_out_serv->mx_proto_id == mx_proto_id
5708         && p_out_serv->orig_mx_chan_id == mx_chan_id)
5709     {
5710         /* If this is outgoing connection and the parameters match p_out_serv,
5711          * use it as the current service */
5712         return btm_cb.p_out_serv;
5713     }
5714 
5715     /* otherwise, the old way */
5716     for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++)
5717     {
5718         if ((p_serv_rec->security_flags & BTM_SEC_IN_USE)
5719             && (p_serv_rec->psm == psm)
5720             && (p_serv_rec->mx_proto_id == mx_proto_id)
5721             && (( is_originator && (p_serv_rec->orig_mx_chan_id  == mx_chan_id))
5722                 || (!is_originator && (p_serv_rec->term_mx_chan_id  == mx_chan_id))))
5723         {
5724             return(p_serv_rec);
5725         }
5726     }
5727     return(NULL);
5728 }
5729 
5730 /*******************************************************************************
5731 **
5732 ** Function         btm_sec_collision_timeout
5733 **
5734 ** Description      Encryption could not start because of the collision
5735 **                  try to do it again
5736 **
5737 ** Returns          Pointer to the TLE struct
5738 **
5739 *******************************************************************************/
btm_sec_collision_timeout(UNUSED_ATTR void * data)5740 static void btm_sec_collision_timeout(UNUSED_ATTR void *data)
5741 {
5742     BTM_TRACE_EVENT ("%s()", __func__);
5743 
5744     tBTM_STATUS status = btm_sec_execute_procedure (btm_cb.p_collided_dev_rec);
5745 
5746     /* If result is pending reply from the user or from the device is pending */
5747     if (status != BTM_CMD_STARTED)
5748     {
5749         /* There is no next procedure or start of procedure failed, notify the waiting layer */
5750         btm_sec_dev_rec_cback_event (btm_cb.p_collided_dev_rec, status, FALSE);
5751     }
5752 }
5753 
5754 /*******************************************************************************
5755 **
5756 ** Function         btm_sec_link_key_request
5757 **
5758 ** Description      This function is called when controller requests link key
5759 **
5760 ** Returns          Pointer to the record or NULL
5761 **
5762 *******************************************************************************/
btm_send_link_key_notif(tBTM_SEC_DEV_REC * p_dev_rec)5763 static void btm_send_link_key_notif (tBTM_SEC_DEV_REC *p_dev_rec)
5764 {
5765     if (btm_cb.api.p_link_key_callback)
5766         (*btm_cb.api.p_link_key_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
5767                                            p_dev_rec->sec_bd_name, p_dev_rec->link_key,
5768                                            p_dev_rec->link_key_type);
5769 }
5770 
5771 /*******************************************************************************
5772 **
5773 ** Function         BTM_ReadTrustedMask
5774 **
5775 ** Description      Get trusted mask for the peer device
5776 **
5777 ** Parameters:      bd_addr   - Address of the device
5778 **
5779 ** Returns          NULL, if the device record is not found.
5780 **                  otherwise, the trusted mask
5781 **
5782 *******************************************************************************/
BTM_ReadTrustedMask(BD_ADDR bd_addr)5783 UINT32 * BTM_ReadTrustedMask (BD_ADDR bd_addr)
5784 {
5785     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr);
5786     if (p_dev_rec != NULL)
5787         return(p_dev_rec->trusted_mask);
5788     return NULL;
5789 }
5790 
5791 /*******************************************************************************
5792 **
5793 ** Function         btm_restore_mode
5794 **
5795 ** Description      This function returns the security mode to previous setting
5796 **                  if it was changed during bonding.
5797 **
5798 **
5799 ** Parameters:      void
5800 **
5801 *******************************************************************************/
btm_restore_mode(void)5802 static void btm_restore_mode(void)
5803 {
5804     if (btm_cb.security_mode_changed)
5805     {
5806         btm_cb.security_mode_changed = FALSE;
5807         BTM_TRACE_DEBUG("%s() Auth enable -> %d", __func__, (btm_cb.security_mode == BTM_SEC_MODE_LINK));
5808         btsnd_hcic_write_auth_enable ((UINT8)(btm_cb.security_mode == BTM_SEC_MODE_LINK));
5809     }
5810 
5811     if (btm_cb.pin_type_changed)
5812     {
5813         btm_cb.pin_type_changed = FALSE;
5814         btsnd_hcic_write_pin_type (btm_cb.cfg.pin_type);
5815     }
5816 }
5817 
5818 
is_sec_state_equal(void * data,void * context)5819 bool is_sec_state_equal(void *data, void *context)
5820 {
5821     tBTM_SEC_DEV_REC *p_dev_rec = data;
5822     UINT8 *state = context;
5823 
5824     if (p_dev_rec->sec_state == *state)
5825         return false;
5826 
5827     return true;
5828 }
5829 
5830 /*******************************************************************************
5831 **
5832 ** Function         btm_sec_find_dev_by_sec_state
5833 **
5834 ** Description      Look for the record in the device database for the device
5835 **                  which is being authenticated or encrypted
5836 **
5837 ** Returns          Pointer to the record or NULL
5838 **
5839 *******************************************************************************/
btm_sec_find_dev_by_sec_state(UINT8 state)5840 tBTM_SEC_DEV_REC *btm_sec_find_dev_by_sec_state (UINT8 state)
5841 {
5842     list_node_t *n = list_foreach(btm_cb.sec_dev_rec, is_sec_state_equal, &state);
5843     if (n)
5844         return list_node(n);
5845 
5846     return NULL;
5847 }
5848 
5849 /*******************************************************************************
5850 **
5851 ** Function         btm_sec_change_pairing_state
5852 **
5853 ** Description      This function is called to change pairing state
5854 **
5855 *******************************************************************************/
btm_sec_change_pairing_state(tBTM_PAIRING_STATE new_state)5856 static void btm_sec_change_pairing_state (tBTM_PAIRING_STATE new_state)
5857 {
5858     tBTM_PAIRING_STATE  old_state = btm_cb.pairing_state;
5859 
5860     BTM_TRACE_EVENT ("%s()  Old: %s", __func__, btm_pair_state_descr(btm_cb.pairing_state));
5861     BTM_TRACE_EVENT ("%s()  New: %s pairing_flags:0x%x", __func__,
5862             btm_pair_state_descr(new_state), btm_cb.pairing_flags);
5863 
5864     btm_cb.pairing_state = new_state;
5865 
5866     if (new_state == BTM_PAIR_STATE_IDLE)
5867     {
5868         alarm_cancel(btm_cb.pairing_timer);
5869 
5870         btm_cb.pairing_flags = 0;
5871         btm_cb.pin_code_len  = 0;
5872 
5873         /* Make sure the the lcb shows we are not bonding */
5874         l2cu_update_lcb_4_bonding (btm_cb.pairing_bda, FALSE);
5875 
5876         btm_restore_mode();
5877         btm_sec_check_pending_reqs();
5878         btm_inq_clear_ssp();
5879 
5880         memset (btm_cb.pairing_bda, 0xFF, BD_ADDR_LEN);
5881     }
5882     else
5883     {
5884         /* If transitioning out of idle, mark the lcb as bonding */
5885         if (old_state == BTM_PAIR_STATE_IDLE)
5886             l2cu_update_lcb_4_bonding (btm_cb.pairing_bda, TRUE);
5887 
5888         alarm_set_on_queue(btm_cb.pairing_timer,
5889                            BTM_SEC_TIMEOUT_VALUE * 1000,
5890                            btm_sec_pairing_timeout, NULL,
5891                            btu_general_alarm_queue);
5892     }
5893 }
5894 
5895 /*******************************************************************************
5896 **
5897 ** Function         btm_pair_state_descr
5898 **
5899 ** Description      Return state description for tracing
5900 **
5901 *******************************************************************************/
5902 #if (BT_USE_TRACES == TRUE)
btm_pair_state_descr(tBTM_PAIRING_STATE state)5903 static char *btm_pair_state_descr (tBTM_PAIRING_STATE state)
5904 {
5905 #if (BT_TRACE_VERBOSE == TRUE)
5906     switch (state)
5907     {
5908         case BTM_PAIR_STATE_IDLE:                   return("IDLE");
5909         case BTM_PAIR_STATE_GET_REM_NAME:           return("GET_REM_NAME");
5910         case BTM_PAIR_STATE_WAIT_PIN_REQ:           return("WAIT_PIN_REQ");
5911         case BTM_PAIR_STATE_WAIT_LOCAL_PIN:         return("WAIT_LOCAL_PIN");
5912         case BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM:   return("WAIT_NUM_CONFIRM");
5913         case BTM_PAIR_STATE_KEY_ENTRY:              return("KEY_ENTRY");
5914         case BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP:     return("WAIT_LOCAL_OOB_RSP");
5915         case BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS:      return("WAIT_LOCAL_IOCAPS");
5916         case BTM_PAIR_STATE_INCOMING_SSP:           return("INCOMING_SSP");
5917         case BTM_PAIR_STATE_WAIT_AUTH_COMPLETE:     return("WAIT_AUTH_COMPLETE");
5918         case BTM_PAIR_STATE_WAIT_DISCONNECT:        return("WAIT_DISCONNECT");
5919     }
5920 
5921     return("???");
5922 #else
5923     sprintf(btm_cb.state_temp_buffer,"%hhu",state);
5924 
5925     return(btm_cb.state_temp_buffer);
5926 #endif
5927 }
5928 #endif
5929 
5930 /*******************************************************************************
5931 **
5932 ** Function         btm_sec_dev_rec_cback_event
5933 **
5934 ** Description      This function calls the callback function with the given
5935 **                  result and clear the callback function.
5936 **
5937 ** Parameters:      void
5938 **
5939 *******************************************************************************/
btm_sec_dev_rec_cback_event(tBTM_SEC_DEV_REC * p_dev_rec,UINT8 res,BOOLEAN is_le_transport)5940 void btm_sec_dev_rec_cback_event (tBTM_SEC_DEV_REC *p_dev_rec, UINT8 res, BOOLEAN is_le_transport)
5941 {
5942     tBTM_SEC_CALLBACK   *p_callback = p_dev_rec->p_callback;
5943 
5944     if (p_dev_rec->p_callback)
5945     {
5946         p_dev_rec->p_callback = NULL;
5947 
5948 #if BLE_INCLUDED == TRUE
5949         if (is_le_transport)
5950            (*p_callback) (p_dev_rec->ble.pseudo_addr, BT_TRANSPORT_LE, p_dev_rec->p_ref_data, res);
5951         else
5952 #endif
5953            (*p_callback) (p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR, p_dev_rec->p_ref_data, res);
5954     }
5955 
5956     btm_sec_check_pending_reqs();
5957 }
5958 
5959 /*******************************************************************************
5960 **
5961 ** Function         btm_sec_queue_mx_request
5962 **
5963 ** Description      Return state description for tracing
5964 **
5965 *******************************************************************************/
btm_sec_queue_mx_request(BD_ADDR bd_addr,UINT16 psm,BOOLEAN is_orig,UINT32 mx_proto_id,UINT32 mx_chan_id,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data)5966 static BOOLEAN btm_sec_queue_mx_request (BD_ADDR bd_addr,  UINT16 psm,  BOOLEAN is_orig,
5967                                          UINT32 mx_proto_id, UINT32 mx_chan_id,
5968                                          tBTM_SEC_CALLBACK *p_callback, void *p_ref_data)
5969 {
5970     tBTM_SEC_QUEUE_ENTRY *p_e = (tBTM_SEC_QUEUE_ENTRY *)osi_malloc(sizeof(tBTM_SEC_QUEUE_ENTRY));
5971 
5972     p_e->psm            = psm;
5973     p_e->is_orig        = is_orig;
5974     p_e->p_callback     = p_callback;
5975     p_e->p_ref_data     = p_ref_data;
5976     p_e->mx_proto_id    = mx_proto_id;
5977     p_e->mx_chan_id     = mx_chan_id;
5978     p_e->transport      = BT_TRANSPORT_BR_EDR;
5979     p_e->sec_act        = 0;
5980 
5981     memcpy(p_e->bd_addr, bd_addr, BD_ADDR_LEN);
5982 
5983     BTM_TRACE_EVENT("%s() PSM: 0x%04x  Is_Orig: %u  mx_proto_id: %u  mx_chan_id: %u",
5984                      __func__, psm, is_orig, mx_proto_id, mx_chan_id);
5985 
5986     fixed_queue_enqueue(btm_cb.sec_pending_q, p_e);
5987 
5988     return TRUE;
5989 }
5990 
btm_sec_check_prefetch_pin(tBTM_SEC_DEV_REC * p_dev_rec)5991 static BOOLEAN btm_sec_check_prefetch_pin (tBTM_SEC_DEV_REC  *p_dev_rec)
5992 {
5993     UINT8 major = (UINT8)(p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK);
5994     UINT8 minor = (UINT8)(p_dev_rec->dev_class[2] & BTM_COD_MINOR_CLASS_MASK);
5995     BOOLEAN rv = FALSE;
5996 
5997     if ((major == BTM_COD_MAJOR_AUDIO)
5998         &&  ((minor == BTM_COD_MINOR_CONFM_HANDSFREE) || (minor == BTM_COD_MINOR_CAR_AUDIO)) )
5999     {
6000         BTM_TRACE_EVENT ("%s() Skipping pre-fetch PIN for carkit COD Major: 0x%02x Minor: 0x%02x",
6001             __func__, major, minor);
6002 
6003         if (btm_cb.security_mode_changed == FALSE)
6004         {
6005             btm_cb.security_mode_changed = TRUE;
6006 #ifdef APPL_AUTH_WRITE_EXCEPTION
6007             if(!(APPL_AUTH_WRITE_EXCEPTION)(p_dev_rec->bd_addr))
6008 #endif
6009                 btsnd_hcic_write_auth_enable (TRUE);
6010         }
6011     }
6012     else
6013     {
6014         btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_PIN);
6015 
6016         /* If we got a PIN, use that, else try to get one */
6017         if (btm_cb.pin_code_len)
6018         {
6019             BTM_PINCodeReply (p_dev_rec->bd_addr, BTM_SUCCESS, btm_cb.pin_code_len, btm_cb.pin_code, p_dev_rec->trusted_mask);
6020         }
6021         else
6022         {
6023             /* pin was not supplied - pre-fetch pin code now */
6024             if (btm_cb.api.p_pin_callback && ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PIN_REQD) == 0))
6025             {
6026                 BTM_TRACE_DEBUG("%s() PIN code callback called", __func__);
6027                 if (btm_bda_to_acl(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR) == NULL)
6028                 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
6029                 (btm_cb.api.p_pin_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
6030                         p_dev_rec->sec_bd_name, (p_dev_rec->p_cur_service == NULL) ? FALSE
6031                                 : (p_dev_rec->p_cur_service->security_flags
6032                                    & BTM_SEC_IN_MIN_16_DIGIT_PIN));
6033             }
6034         }
6035 
6036         rv = TRUE;
6037     }
6038 
6039     return rv;
6040 }
6041 
6042 /*******************************************************************************
6043 **
6044 ** Function         btm_sec_auth_payload_tout
6045 **
6046 ** Description      Processes the HCI Autheniticated Payload Timeout Event
6047 **                  indicating that a packet containing a valid MIC on the
6048 **                  connection handle was not received within the programmed
6049 **                  timeout value. (Spec Default is 30 secs, but can be
6050 **                  changed via the BTM_SecSetAuthPayloadTimeout() function.
6051 **
6052 *******************************************************************************/
btm_sec_auth_payload_tout(UINT8 * p,UINT16 hci_evt_len)6053 void btm_sec_auth_payload_tout (UINT8 *p, UINT16 hci_evt_len)
6054 {
6055     UINT16 handle;
6056 
6057     STREAM_TO_UINT16 (handle, p);
6058     handle = HCID_GET_HANDLE (handle);
6059 
6060     /* Will be exposed to upper layers in the future if/when determined necessary */
6061     BTM_TRACE_ERROR ("%s on handle 0x%02x", __func__, handle);
6062 }
6063 
6064 /*******************************************************************************
6065 **
6066 ** Function         btm_sec_queue_encrypt_request
6067 **
6068 ** Description      encqueue encryption request when device has active security
6069 **                  process pending.
6070 **
6071 *******************************************************************************/
btm_sec_queue_encrypt_request(BD_ADDR bd_addr,tBT_TRANSPORT transport,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data,tBTM_BLE_SEC_ACT sec_act)6072 static BOOLEAN btm_sec_queue_encrypt_request (BD_ADDR bd_addr, tBT_TRANSPORT transport,
6073                                          tBTM_SEC_CALLBACK *p_callback, void *p_ref_data,
6074                                          tBTM_BLE_SEC_ACT sec_act)
6075 {
6076     tBTM_SEC_QUEUE_ENTRY *p_e =
6077         (tBTM_SEC_QUEUE_ENTRY *)osi_malloc(sizeof(tBTM_SEC_QUEUE_ENTRY) + 1);
6078 
6079     p_e->psm        = 0;  /* if PSM 0, encryption request */
6080     p_e->p_callback = p_callback;
6081     p_e->p_ref_data = p_ref_data;
6082     p_e->transport  = transport;
6083     p_e->sec_act    = sec_act;
6084     memcpy(p_e->bd_addr, bd_addr, BD_ADDR_LEN);
6085     fixed_queue_enqueue(btm_cb.sec_pending_q, p_e);
6086 
6087     return TRUE;
6088 }
6089 
6090 /*******************************************************************************
6091 **
6092 ** Function         btm_sec_set_peer_sec_caps
6093 **
6094 ** Description      This function is called to set sm4 and rmt_sec_caps fields
6095 **                  based on the available peer device features.
6096 **
6097 ** Returns          void
6098 **
6099 *******************************************************************************/
btm_sec_set_peer_sec_caps(tACL_CONN * p_acl_cb,tBTM_SEC_DEV_REC * p_dev_rec)6100 void btm_sec_set_peer_sec_caps(tACL_CONN *p_acl_cb, tBTM_SEC_DEV_REC *p_dev_rec)
6101 {
6102     BD_ADDR     rem_bd_addr;
6103     UINT8       *p_rem_bd_addr;
6104 
6105     if ((btm_cb.security_mode == BTM_SEC_MODE_SP ||
6106          btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
6107          btm_cb.security_mode == BTM_SEC_MODE_SC) &&
6108         HCI_SSP_HOST_SUPPORTED(p_acl_cb->peer_lmp_features[HCI_EXT_FEATURES_PAGE_1]))
6109     {
6110         p_dev_rec->sm4 = BTM_SM4_TRUE;
6111         p_dev_rec->remote_supports_secure_connections =
6112             (HCI_SC_HOST_SUPPORTED(p_acl_cb->peer_lmp_features[HCI_EXT_FEATURES_PAGE_1]));
6113     }
6114     else
6115     {
6116         p_dev_rec->sm4 = BTM_SM4_KNOWN;
6117         p_dev_rec->remote_supports_secure_connections = FALSE;
6118     }
6119 
6120     BTM_TRACE_API("%s: sm4: 0x%02x, rmt_support_for_secure_connections %d", __FUNCTION__,
6121                   p_dev_rec->sm4, p_dev_rec->remote_supports_secure_connections);
6122 
6123     if (p_dev_rec->remote_features_needed)
6124     {
6125         BTM_TRACE_EVENT("%s: Now device in SC Only mode, waiting for peer remote features!",
6126                         __FUNCTION__);
6127         p_rem_bd_addr = (UINT8*) rem_bd_addr;
6128         BDADDR_TO_STREAM(p_rem_bd_addr, p_dev_rec->bd_addr);
6129         p_rem_bd_addr = (UINT8*) rem_bd_addr;
6130         btm_io_capabilities_req(p_rem_bd_addr);
6131         p_dev_rec->remote_features_needed = FALSE;
6132     }
6133 }
6134 
6135 /*******************************************************************************
6136 **
6137 ** Function         btm_sec_is_serv_level0
6138 **
6139 ** Description      This function is called to check if the service corresponding
6140 **                  to PSM is security mode 4 level 0 service.
6141 **
6142 ** Returns          TRUE if the service is security mode 4 level 0 service
6143 **
6144 *******************************************************************************/
btm_sec_is_serv_level0(UINT16 psm)6145 static BOOLEAN btm_sec_is_serv_level0(UINT16 psm)
6146 {
6147     if (psm == BT_PSM_SDP)
6148     {
6149         BTM_TRACE_DEBUG("%s: PSM: 0x%04x -> mode 4 level 0 service", __FUNCTION__, psm);
6150         return TRUE;
6151     }
6152     return FALSE;
6153 }
6154 
6155 /*******************************************************************************
6156 **
6157 ** Function         btm_sec_check_pending_enc_req
6158 **
6159 ** Description      This function is called to send pending encryption callback if
6160 **                  waiting
6161 **
6162 ** Returns          void
6163 **
6164 *******************************************************************************/
btm_sec_check_pending_enc_req(tBTM_SEC_DEV_REC * p_dev_rec,tBT_TRANSPORT transport,UINT8 encr_enable)6165 static void btm_sec_check_pending_enc_req (tBTM_SEC_DEV_REC  *p_dev_rec, tBT_TRANSPORT transport,
6166                                             UINT8 encr_enable)
6167 {
6168     if (fixed_queue_is_empty(btm_cb.sec_pending_q))
6169         return;
6170 
6171     UINT8 res = encr_enable ? BTM_SUCCESS : BTM_ERR_PROCESSING;
6172     list_t *list = fixed_queue_get_list(btm_cb.sec_pending_q);
6173     for (const list_node_t *node = list_begin(list); node != list_end(list); ) {
6174         tBTM_SEC_QUEUE_ENTRY *p_e = (tBTM_SEC_QUEUE_ENTRY *)list_node(node);
6175         node = list_next(node);
6176 
6177         if (memcmp(p_e->bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0 && p_e->psm == 0
6178 #if BLE_INCLUDED == TRUE
6179             && p_e->transport == transport
6180 #endif
6181             )
6182         {
6183             if (encr_enable == 0 || transport == BT_TRANSPORT_BR_EDR
6184 #if BLE_INCLUDED == TRUE
6185                 || p_e->sec_act == BTM_BLE_SEC_ENCRYPT
6186                 || p_e->sec_act == BTM_BLE_SEC_ENCRYPT_NO_MITM
6187                 || (p_e->sec_act == BTM_BLE_SEC_ENCRYPT_MITM && p_dev_rec->sec_flags
6188                     & BTM_SEC_LE_AUTHENTICATED)
6189 #endif
6190                )
6191             {
6192                 if (p_e->p_callback)
6193                     (*p_e->p_callback) (p_dev_rec->bd_addr, transport, p_e->p_ref_data, res);
6194                 fixed_queue_try_remove_from_queue(btm_cb.sec_pending_q, (void *)p_e);
6195             }
6196         }
6197     }
6198 }
6199 
6200 /*******************************************************************************
6201 **
6202 ** Function         btm_sec_set_serv_level4_flags
6203 **
6204 ** Description      This function is called to set security mode 4 level 4 flags.
6205 **
6206 ** Returns          service security requirements updated to include secure
6207 **                  connections only mode.
6208 **
6209 *******************************************************************************/
btm_sec_set_serv_level4_flags(UINT16 cur_security,BOOLEAN is_originator)6210 static UINT16 btm_sec_set_serv_level4_flags(UINT16 cur_security, BOOLEAN is_originator)
6211 {
6212     UINT16  sec_level4_flags = is_originator ? BTM_SEC_OUT_LEVEL4_FLAGS : BTM_SEC_IN_LEVEL4_FLAGS;
6213 
6214     return cur_security | sec_level4_flags;
6215 }
6216 
6217 /*******************************************************************************
6218 **
6219 ** Function         btm_sec_clear_ble_keys
6220 **
6221 ** Description      This function is called to clear out the BLE keys.
6222 **                  Typically when devices are removed in BTM_SecDeleteDevice,
6223 **                  or when a new BT Link key is generated.
6224 **
6225 ** Returns          void
6226 **
6227 *******************************************************************************/
btm_sec_clear_ble_keys(tBTM_SEC_DEV_REC * p_dev_rec)6228 void btm_sec_clear_ble_keys (tBTM_SEC_DEV_REC  *p_dev_rec)
6229 {
6230 
6231     BTM_TRACE_DEBUG ("%s() Clearing BLE Keys", __func__);
6232 #if (SMP_INCLUDED== TRUE)
6233     p_dev_rec->ble.key_type = BTM_LE_KEY_NONE;
6234     memset (&p_dev_rec->ble.keys, 0, sizeof(tBTM_SEC_BLE_KEYS));
6235 
6236 #if (BLE_PRIVACY_SPT == TRUE)
6237     btm_ble_resolving_list_remove_dev(p_dev_rec);
6238 #endif
6239 #endif
6240 }
6241 
6242 /*******************************************************************************
6243 **
6244 ** Function         btm_sec_is_a_bonded_dev
6245 **
6246 ** Description       Is the specified device is a bonded device
6247 **
6248 ** Returns          TRUE - dev is bonded
6249 **
6250 *******************************************************************************/
btm_sec_is_a_bonded_dev(BD_ADDR bda)6251 BOOLEAN btm_sec_is_a_bonded_dev (BD_ADDR bda)
6252 {
6253 
6254     tBTM_SEC_DEV_REC *p_dev_rec= btm_find_dev (bda);
6255     BOOLEAN is_bonded= FALSE;
6256 
6257     if (p_dev_rec &&
6258 #if (SMP_INCLUDED == TRUE)
6259         ((p_dev_rec->ble.key_type && (p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_KNOWN))||
6260 #else
6261         (
6262 #endif
6263          (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)))
6264     {
6265         is_bonded = TRUE;
6266     }
6267     BTM_TRACE_DEBUG ("%s() is_bonded=%d", __func__, is_bonded);
6268     return(is_bonded);
6269 }
6270 
6271 /*******************************************************************************
6272 **
6273 ** Function         btm_sec_is_le_capable_dev
6274 **
6275 ** Description       Is the specified device is dual mode or LE only device
6276 **
6277 ** Returns          TRUE - dev is a dual mode
6278 **
6279 *******************************************************************************/
btm_sec_is_le_capable_dev(BD_ADDR bda)6280 BOOLEAN btm_sec_is_le_capable_dev (BD_ADDR bda)
6281 {
6282     tBTM_SEC_DEV_REC *p_dev_rec= btm_find_dev (bda);
6283     BOOLEAN le_capable = FALSE;
6284 
6285 #if (BLE_INCLUDED== TRUE)
6286     if (p_dev_rec && (p_dev_rec->device_type & BT_DEVICE_TYPE_BLE) == BT_DEVICE_TYPE_BLE)
6287         le_capable  = TRUE;
6288 #endif
6289     return le_capable;
6290 }
6291 
6292 /*******************************************************************************
6293 **
6294 ** Function         btm_sec_use_smp_br_chnl
6295 **
6296 ** Description      The function checks if SMP BR connection can be used with
6297 **                  the peer.
6298 **                  Is called when authentication for dedicated bonding is
6299 **                  successfully completed.
6300 **
6301 ** Returns          TRUE - if SMP BR connection can be used (the link key is
6302 **                         generated from P-256 and the peer supports Security
6303 **                         Manager over BR).
6304 **
6305 *******************************************************************************/
btm_sec_use_smp_br_chnl(tBTM_SEC_DEV_REC * p_dev_rec)6306 static BOOLEAN btm_sec_use_smp_br_chnl(tBTM_SEC_DEV_REC *p_dev_rec)
6307 {
6308     UINT32  ext_feat;
6309     UINT8   chnl_mask[L2CAP_FIXED_CHNL_ARRAY_SIZE];
6310 
6311     BTM_TRACE_DEBUG ("%s() link_key_type = 0x%x", __func__,
6312                       p_dev_rec->link_key_type);
6313 
6314     if ((p_dev_rec->link_key_type != BTM_LKEY_TYPE_UNAUTH_COMB_P_256) &&
6315         (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256))
6316          return FALSE;
6317 
6318     if (!L2CA_GetPeerFeatures (p_dev_rec->bd_addr, &ext_feat, chnl_mask))
6319         return FALSE;
6320 
6321     if (!(chnl_mask[0] & L2CAP_FIXED_CHNL_SMP_BR_BIT))
6322         return FALSE;
6323 
6324     return TRUE;
6325 }
6326 
6327 /*******************************************************************************
6328 **
6329 ** Function         btm_sec_is_master
6330 **
6331 ** Description      The function checks if the device is BR/EDR master after
6332 **                  pairing is completed.
6333 **
6334 ** Returns          TRUE - if the device is master.
6335 **
6336 *******************************************************************************/
btm_sec_is_master(tBTM_SEC_DEV_REC * p_dev_rec)6337 static BOOLEAN btm_sec_is_master(tBTM_SEC_DEV_REC *p_dev_rec)
6338 {
6339     tACL_CONN *p= btm_bda_to_acl(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR);
6340     return (p && (p->link_role == BTM_ROLE_MASTER));
6341 }
6342 
6343