1 /******************************************************************************
2 *
3 * Copyright (C) 1999-2012 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18
19 /******************************************************************************
20 *
21 * This file contains functions for the Bluetooth Security Manager
22 *
23 ******************************************************************************/
24
25 #define LOG_TAG "bt_btm_sec"
26
27 #include <stdarg.h>
28 #include <string.h>
29
30 #include "device/include/controller.h"
31 #include "osi/include/log.h"
32 #include "osi/include/time.h"
33
34 #include "bt_types.h"
35 #include "bt_utils.h"
36 #include "btm_int.h"
37 #include "btu.h"
38 #include "hcimsgs.h"
39 #include "l2c_int.h"
40
41 #if (BT_USE_TRACES == TRUE && BT_TRACE_VERBOSE == FALSE)
42 /* needed for sprintf() */
43 #include <stdio.h>
44 #endif
45
46 #if BLE_INCLUDED == TRUE
47 #include "gatt_int.h"
48 #endif
49
50 #define BTM_SEC_MAX_COLLISION_DELAY (5000)
51
52 extern fixed_queue_t *btu_general_alarm_queue;
53
54 #ifdef APPL_AUTH_WRITE_EXCEPTION
55 BOOLEAN (APPL_AUTH_WRITE_EXCEPTION)(BD_ADDR bd_addr);
56 #endif
57
58 /********************************************************************************
59 ** L O C A L F U N C T I O N P R O T O T Y P E S *
60 *********************************************************************************/
61 tBTM_SEC_SERV_REC *btm_sec_find_first_serv (BOOLEAN is_originator, UINT16 psm);
62 static tBTM_SEC_SERV_REC *btm_sec_find_next_serv (tBTM_SEC_SERV_REC *p_cur);
63 static tBTM_SEC_SERV_REC *btm_sec_find_mx_serv (UINT8 is_originator, UINT16 psm,
64 UINT32 mx_proto_id,
65 UINT32 mx_chan_id);
66
67 static tBTM_STATUS btm_sec_execute_procedure (tBTM_SEC_DEV_REC *p_dev_rec);
68 static BOOLEAN btm_sec_start_get_name (tBTM_SEC_DEV_REC *p_dev_rec);
69 static BOOLEAN btm_sec_start_authentication (tBTM_SEC_DEV_REC *p_dev_rec);
70 static BOOLEAN btm_sec_start_encryption (tBTM_SEC_DEV_REC *p_dev_rec);
71 static void btm_sec_collision_timeout(void *data);
72 static void btm_restore_mode(void);
73 static void btm_sec_pairing_timeout(void *data);
74 static tBTM_STATUS btm_sec_dd_create_conn (tBTM_SEC_DEV_REC *p_dev_rec);
75 static void btm_sec_change_pairing_state (tBTM_PAIRING_STATE new_state);
76
77 #if (BT_USE_TRACES == TRUE)
78 static char *btm_pair_state_descr (tBTM_PAIRING_STATE state);
79 #endif
80
81 static void btm_sec_check_pending_reqs(void);
82 static BOOLEAN btm_sec_queue_mx_request (BD_ADDR bd_addr, UINT16 psm, BOOLEAN is_orig,
83 UINT32 mx_proto_id, UINT32 mx_chan_id,
84 tBTM_SEC_CALLBACK *p_callback, void *p_ref_data);
85 static void btm_sec_bond_cancel_complete (void);
86 static void btm_send_link_key_notif (tBTM_SEC_DEV_REC *p_dev_rec);
87 static BOOLEAN btm_sec_check_prefetch_pin (tBTM_SEC_DEV_REC *p_dev_rec);
88
89 static UINT8 btm_sec_start_authorization (tBTM_SEC_DEV_REC *p_dev_rec);
90 BOOLEAN btm_sec_are_all_trusted(UINT32 p_mask[]);
91
92 static tBTM_STATUS btm_sec_send_hci_disconnect (tBTM_SEC_DEV_REC *p_dev_rec, UINT8 reason, UINT16 conn_handle);
93 UINT8 btm_sec_start_role_switch (tBTM_SEC_DEV_REC *p_dev_rec);
94 tBTM_SEC_DEV_REC *btm_sec_find_dev_by_sec_state (UINT8 state);
95
96 static BOOLEAN btm_sec_set_security_level ( CONNECTION_TYPE conn_type, char *p_name, UINT8 service_id,
97 UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id,
98 UINT32 mx_chan_id);
99
100 static BOOLEAN btm_dev_authenticated(tBTM_SEC_DEV_REC *p_dev_rec);
101 static BOOLEAN btm_dev_encrypted(tBTM_SEC_DEV_REC *p_dev_rec);
102 static BOOLEAN btm_dev_authorized(tBTM_SEC_DEV_REC *p_dev_rec);
103 static BOOLEAN btm_serv_trusted(tBTM_SEC_DEV_REC *p_dev_rec, tBTM_SEC_SERV_REC *p_serv_rec);
104 static BOOLEAN btm_sec_is_serv_level0 (UINT16 psm);
105 static UINT16 btm_sec_set_serv_level4_flags (UINT16 cur_security, BOOLEAN is_originator);
106
107 static BOOLEAN btm_sec_queue_encrypt_request (BD_ADDR bd_addr, tBT_TRANSPORT transport,
108 tBTM_SEC_CALLBACK *p_callback, void *p_ref_data,
109 tBTM_BLE_SEC_ACT sec_act);
110 static void btm_sec_check_pending_enc_req (tBTM_SEC_DEV_REC *p_dev_rec, tBT_TRANSPORT transport,
111 UINT8 encr_enable);
112
113 static BOOLEAN btm_sec_use_smp_br_chnl(tBTM_SEC_DEV_REC *p_dev_rec);
114 static BOOLEAN btm_sec_is_master(tBTM_SEC_DEV_REC *p_dev_rec);
115
116 /* TRUE - authenticated link key is possible */
117 static const BOOLEAN btm_sec_io_map [BTM_IO_CAP_MAX][BTM_IO_CAP_MAX] =
118 {
119 /* OUT, IO, IN, NONE */
120 /* OUT */ {FALSE, FALSE, TRUE, FALSE},
121 /* IO */ {FALSE, TRUE, TRUE, FALSE},
122 /* IN */ {TRUE, TRUE, TRUE, FALSE},
123 /* NONE */ {FALSE, FALSE, FALSE, FALSE}
124 };
125 /* BTM_IO_CAP_OUT 0 DisplayOnly */
126 /* BTM_IO_CAP_IO 1 DisplayYesNo */
127 /* BTM_IO_CAP_IN 2 KeyboardOnly */
128 /* BTM_IO_CAP_NONE 3 NoInputNoOutput */
129
130 /*******************************************************************************
131 **
132 ** Function btm_dev_authenticated
133 **
134 ** Description check device is authenticated
135 **
136 ** Returns BOOLEAN TRUE or FALSE
137 **
138 *******************************************************************************/
btm_dev_authenticated(tBTM_SEC_DEV_REC * p_dev_rec)139 static BOOLEAN btm_dev_authenticated (tBTM_SEC_DEV_REC *p_dev_rec)
140 {
141 if(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)
142 {
143 return(TRUE);
144 }
145 return(FALSE);
146 }
147
148 /*******************************************************************************
149 **
150 ** Function btm_dev_encrypted
151 **
152 ** Description check device is encrypted
153 **
154 ** Returns BOOLEAN TRUE or FALSE
155 **
156 *******************************************************************************/
btm_dev_encrypted(tBTM_SEC_DEV_REC * p_dev_rec)157 static BOOLEAN btm_dev_encrypted (tBTM_SEC_DEV_REC *p_dev_rec)
158 {
159 if(p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)
160 {
161 return(TRUE);
162 }
163 return(FALSE);
164 }
165
166 /*******************************************************************************
167 **
168 ** Function btm_dev_authorized
169 **
170 ** Description check device is authorized
171 **
172 ** Returns BOOLEAN TRUE or FALSE
173 **
174 *******************************************************************************/
btm_dev_authorized(tBTM_SEC_DEV_REC * p_dev_rec)175 static BOOLEAN btm_dev_authorized (tBTM_SEC_DEV_REC *p_dev_rec)
176 {
177 if(p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED)
178 {
179 return(TRUE);
180 }
181 return(FALSE);
182 }
183
184 /*******************************************************************************
185 **
186 ** Function btm_dev_16_digit_authenticated
187 **
188 ** Description check device is authenticated by using 16 digit pin or MITM
189 **
190 ** Returns BOOLEAN TRUE or FALSE
191 **
192 *******************************************************************************/
btm_dev_16_digit_authenticated(tBTM_SEC_DEV_REC * p_dev_rec)193 static BOOLEAN btm_dev_16_digit_authenticated(tBTM_SEC_DEV_REC *p_dev_rec)
194 {
195 // BTM_SEC_16_DIGIT_PIN_AUTHED is set if MITM or 16 digit pin is used
196 if(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED)
197 {
198 return(TRUE);
199 }
200 return(FALSE);
201 }
202
203 /*******************************************************************************
204 **
205 ** Function btm_serv_trusted
206 **
207 ** Description check service is trusted
208 **
209 ** Returns BOOLEAN TRUE or FALSE
210 **
211 *******************************************************************************/
btm_serv_trusted(tBTM_SEC_DEV_REC * p_dev_rec,tBTM_SEC_SERV_REC * p_serv_rec)212 static BOOLEAN btm_serv_trusted(tBTM_SEC_DEV_REC *p_dev_rec, tBTM_SEC_SERV_REC *p_serv_rec)
213 {
214 if(BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask, p_serv_rec->service_id))
215 {
216 return(TRUE);
217 }
218 return(FALSE);
219 }
220
221 /*******************************************************************************
222 **
223 ** Function BTM_SecRegister
224 **
225 ** Description Application manager calls this function to register for
226 ** security services. There can be one and only one application
227 ** saving link keys. BTM allows only first registration.
228 **
229 ** Returns TRUE if registered OK, else FALSE
230 **
231 *******************************************************************************/
BTM_SecRegister(tBTM_APPL_INFO * p_cb_info)232 BOOLEAN BTM_SecRegister(tBTM_APPL_INFO *p_cb_info)
233 {
234 #if BLE_INCLUDED == TRUE
235 BT_OCTET16 temp_value = {0};
236 #endif
237
238 BTM_TRACE_EVENT("%s application registered", __func__);
239
240 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
241 LOG_INFO(LOG_TAG, "%s p_cb_info->p_le_callback == 0x%p", __func__, p_cb_info->p_le_callback);
242 if (p_cb_info->p_le_callback)
243 {
244 #if SMP_INCLUDED == TRUE
245 BTM_TRACE_EVENT("%s SMP_Register( btm_proc_smp_cback )", __func__);
246 SMP_Register(btm_proc_smp_cback);
247 #endif
248 /* if no IR is loaded, need to regenerate all the keys */
249 if (memcmp(btm_cb.devcb.id_keys.ir, &temp_value, sizeof(BT_OCTET16)) == 0)
250 {
251 btm_ble_reset_id();
252 }
253 }
254 else
255 {
256 LOG_WARN(LOG_TAG, "%s p_cb_info->p_le_callback == NULL", __func__);
257 }
258 #endif
259
260 btm_cb.api = *p_cb_info;
261 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
262 LOG_INFO(LOG_TAG, "%s btm_cb.api.p_le_callback = 0x%p ", __func__, btm_cb.api.p_le_callback);
263 #endif
264 BTM_TRACE_EVENT("%s application registered", __func__);
265 return(TRUE);
266 }
267
268 /*******************************************************************************
269 **
270 ** Function BTM_SecRegisterLinkKeyNotificationCallback
271 **
272 ** Description Application manager calls this function to register for
273 ** link key notification. When there is nobody registered
274 ** we should avoid changing link key
275 **
276 ** Returns TRUE if registered OK, else FALSE
277 **
278 *******************************************************************************/
BTM_SecRegisterLinkKeyNotificationCallback(tBTM_LINK_KEY_CALLBACK * p_callback)279 BOOLEAN BTM_SecRegisterLinkKeyNotificationCallback (tBTM_LINK_KEY_CALLBACK *p_callback)
280 {
281 btm_cb.api.p_link_key_callback = p_callback;
282 return TRUE;
283 }
284
285 /*******************************************************************************
286 **
287 ** Function BTM_SecAddRmtNameNotifyCallback
288 **
289 ** Description Any profile can register to be notified when name of the
290 ** remote device is resolved.
291 **
292 ** Returns TRUE if registered OK, else FALSE
293 **
294 *******************************************************************************/
BTM_SecAddRmtNameNotifyCallback(tBTM_RMT_NAME_CALLBACK * p_callback)295 BOOLEAN BTM_SecAddRmtNameNotifyCallback (tBTM_RMT_NAME_CALLBACK *p_callback)
296 {
297 int i;
298
299 for (i = 0; i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
300 {
301 if (btm_cb.p_rmt_name_callback[i] == NULL)
302 {
303 btm_cb.p_rmt_name_callback[i] = p_callback;
304 return(TRUE);
305 }
306 }
307
308 return(FALSE);
309 }
310
311 /*******************************************************************************
312 **
313 ** Function BTM_SecDeleteRmtNameNotifyCallback
314 **
315 ** Description Any profile can deregister notification when a new Link Key
316 ** is generated per connection.
317 **
318 ** Returns TRUE if OK, else FALSE
319 **
320 *******************************************************************************/
BTM_SecDeleteRmtNameNotifyCallback(tBTM_RMT_NAME_CALLBACK * p_callback)321 BOOLEAN BTM_SecDeleteRmtNameNotifyCallback (tBTM_RMT_NAME_CALLBACK *p_callback)
322 {
323 int i;
324
325 for (i = 0; i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
326 {
327 if (btm_cb.p_rmt_name_callback[i] == p_callback)
328 {
329 btm_cb.p_rmt_name_callback[i] = NULL;
330 return(TRUE);
331 }
332 }
333
334 return(FALSE);
335 }
336
337 /*******************************************************************************
338 **
339 ** Function BTM_GetSecurityFlags
340 **
341 ** Description Get security flags for the device
342 **
343 ** Returns BOOLEAN TRUE or FALSE is device found
344 **
345 *******************************************************************************/
BTM_GetSecurityFlags(BD_ADDR bd_addr,UINT8 * p_sec_flags)346 BOOLEAN BTM_GetSecurityFlags (BD_ADDR bd_addr, UINT8 * p_sec_flags)
347 {
348 tBTM_SEC_DEV_REC *p_dev_rec;
349
350 if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
351 {
352 *p_sec_flags = (UINT8) p_dev_rec->sec_flags;
353 return(TRUE);
354 }
355 BTM_TRACE_ERROR ("BTM_GetSecurityFlags false");
356 return(FALSE);
357 }
358
359 /*******************************************************************************
360 **
361 ** Function BTM_GetSecurityFlagsByTransport
362 **
363 ** Description Get security flags for the device on a particular transport
364 **
365 ** Returns BOOLEAN TRUE or FALSE is device found
366 **
367 *******************************************************************************/
BTM_GetSecurityFlagsByTransport(BD_ADDR bd_addr,UINT8 * p_sec_flags,tBT_TRANSPORT transport)368 BOOLEAN BTM_GetSecurityFlagsByTransport (BD_ADDR bd_addr, UINT8 * p_sec_flags,
369 tBT_TRANSPORT transport)
370 {
371 tBTM_SEC_DEV_REC *p_dev_rec;
372
373 if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
374 {
375 if (transport == BT_TRANSPORT_BR_EDR)
376 *p_sec_flags = (UINT8) p_dev_rec->sec_flags;
377 else
378 *p_sec_flags = (UINT8) (p_dev_rec->sec_flags >> 8);
379
380 return(TRUE);
381 }
382 BTM_TRACE_ERROR ("BTM_GetSecurityFlags false");
383 return(FALSE);
384 }
385
386 /*******************************************************************************
387 **
388 ** Function BTM_SetPinType
389 **
390 ** Description Set PIN type for the device.
391 **
392 ** Returns void
393 **
394 *******************************************************************************/
BTM_SetPinType(UINT8 pin_type,PIN_CODE pin_code,UINT8 pin_code_len)395 void BTM_SetPinType (UINT8 pin_type, PIN_CODE pin_code, UINT8 pin_code_len)
396 {
397 BTM_TRACE_API ("BTM_SetPinType: pin type %d [variable-0, fixed-1], code %s, length %d",
398 pin_type, (char *) pin_code, pin_code_len);
399
400 /* If device is not up security mode will be set as a part of startup */
401 if ( (btm_cb.cfg.pin_type != pin_type)
402 && controller_get_interface()->get_is_ready() )
403 {
404 btsnd_hcic_write_pin_type (pin_type);
405 }
406
407 btm_cb.cfg.pin_type = pin_type;
408 btm_cb.cfg.pin_code_len = pin_code_len;
409 memcpy (btm_cb.cfg.pin_code, pin_code, pin_code_len);
410 }
411
412 /*******************************************************************************
413 **
414 ** Function BTM_SetPairableMode
415 **
416 ** Description Enable or disable pairing
417 **
418 ** Parameters allow_pairing - (TRUE or FALSE) whether or not the device
419 ** allows pairing.
420 ** connect_only_paired - (TRUE or FALSE) whether or not to
421 ** only allow paired devices to connect.
422 **
423 ** Returns void
424 **
425 *******************************************************************************/
BTM_SetPairableMode(BOOLEAN allow_pairing,BOOLEAN connect_only_paired)426 void BTM_SetPairableMode (BOOLEAN allow_pairing, BOOLEAN connect_only_paired)
427 {
428 BTM_TRACE_API ("BTM_SetPairableMode() allow_pairing: %u connect_only_paired: %u", allow_pairing, connect_only_paired);
429
430 btm_cb.pairing_disabled = !allow_pairing;
431 btm_cb.connect_only_paired = connect_only_paired;
432 }
433
434 /*******************************************************************************
435 **
436 ** Function BTM_SetSecureConnectionsOnly
437 **
438 ** Description Enable or disable default treatment for Mode 4 Level 0 services
439 **
440 ** Parameter secure_connections_only_mode - (TRUE or FALSE) whether or not the device
441 ** TRUE means that the device should treat Mode 4 Level 0 services as
442 ** services of other levels. (Secure_connections_only_mode)
443 ** FALSE means that the device should provide default treatment for
444 ** Mode 4 Level 0 services.
445 **
446 ** Returns void
447 **
448 *******************************************************************************/
BTM_SetSecureConnectionsOnly(BOOLEAN secure_connections_only_mode)449 void BTM_SetSecureConnectionsOnly (BOOLEAN secure_connections_only_mode)
450 {
451 BTM_TRACE_API("%s: Mode : %u", __FUNCTION__,
452 secure_connections_only_mode);
453
454 btm_cb.devcb.secure_connections_only = secure_connections_only_mode;
455 btm_cb.security_mode = BTM_SEC_MODE_SC;
456 }
457 #define BTM_NO_AVAIL_SEC_SERVICES ((UINT16) 0xffff)
458
459 /*******************************************************************************
460 **
461 ** Function BTM_SetSecurityLevel
462 **
463 ** Description Register service security level with Security Manager
464 **
465 ** Parameters: is_originator - TRUE if originating the connection, FALSE if not
466 ** p_name - Name of the service relevant only if
467 ** authorization will show this name to user. ignored
468 ** if BTM_SEC_SERVICE_NAME_LEN is 0.
469 ** service_id - service ID for the service passed to authorization callback
470 ** sec_level - bit mask of the security features
471 ** psm - L2CAP PSM
472 ** mx_proto_id - protocol ID of multiplexing proto below
473 ** mx_chan_id - channel ID of multiplexing proto below
474 **
475 ** Returns TRUE if registered OK, else FALSE
476 **
477 *******************************************************************************/
BTM_SetSecurityLevel(BOOLEAN is_originator,char * p_name,UINT8 service_id,UINT16 sec_level,UINT16 psm,UINT32 mx_proto_id,UINT32 mx_chan_id)478 BOOLEAN BTM_SetSecurityLevel (BOOLEAN is_originator, char *p_name, UINT8 service_id,
479 UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id,
480 UINT32 mx_chan_id)
481 {
482 #if (L2CAP_UCD_INCLUDED == TRUE)
483 CONNECTION_TYPE conn_type;
484
485 if (is_originator)
486 conn_type = CONN_ORIENT_ORIG;
487 else
488 conn_type = CONN_ORIENT_TERM;
489
490 return(btm_sec_set_security_level (conn_type, p_name, service_id,
491 sec_level, psm, mx_proto_id, mx_chan_id));
492 #else
493 return(btm_sec_set_security_level (is_originator, p_name, service_id,
494 sec_level, psm, mx_proto_id, mx_chan_id));
495 #endif
496 }
497
498 /*******************************************************************************
499 **
500 ** Function btm_sec_set_security_level
501 **
502 ** Description Register service security level with Security Manager
503 **
504 ** Parameters: conn_type - TRUE if originating the connection, FALSE if not
505 ** p_name - Name of the service relevant only if
506 ** authorization will show this name to user. ignored
507 ** if BTM_SEC_SERVICE_NAME_LEN is 0.
508 ** service_id - service ID for the service passed to authorization callback
509 ** sec_level - bit mask of the security features
510 ** psm - L2CAP PSM
511 ** mx_proto_id - protocol ID of multiplexing proto below
512 ** mx_chan_id - channel ID of multiplexing proto below
513 **
514 ** Returns TRUE if registered OK, else FALSE
515 **
516 *******************************************************************************/
btm_sec_set_security_level(CONNECTION_TYPE conn_type,char * p_name,UINT8 service_id,UINT16 sec_level,UINT16 psm,UINT32 mx_proto_id,UINT32 mx_chan_id)517 static BOOLEAN btm_sec_set_security_level (CONNECTION_TYPE conn_type, char *p_name, UINT8 service_id,
518 UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id,
519 UINT32 mx_chan_id)
520 {
521 tBTM_SEC_SERV_REC *p_srec;
522 UINT16 index;
523 UINT16 first_unused_record = BTM_NO_AVAIL_SEC_SERVICES;
524 BOOLEAN record_allocated = FALSE;
525 BOOLEAN is_originator;
526 #if (L2CAP_UCD_INCLUDED == TRUE)
527 BOOLEAN is_ucd;
528
529 if (conn_type & CONNECTION_TYPE_ORIG_MASK)
530 is_originator = TRUE;
531 else
532 is_originator = FALSE;
533
534 if (conn_type & CONNECTION_TYPE_CONNLESS_MASK )
535 {
536 is_ucd = TRUE;
537 }
538 else
539 {
540 is_ucd = FALSE;
541 }
542 #else
543 is_originator = conn_type;
544 #endif
545
546 BTM_TRACE_API("%s : sec: 0x%x", __func__, sec_level);
547
548 /* See if the record can be reused (same service name, psm, mx_proto_id,
549 service_id, and mx_chan_id), or obtain the next unused record */
550
551 p_srec = &btm_cb.sec_serv_rec[0];
552
553 for (index = 0; index < BTM_SEC_MAX_SERVICE_RECORDS; index++, p_srec++)
554 {
555 /* Check if there is already a record for this service */
556 if (p_srec->security_flags & BTM_SEC_IN_USE)
557 {
558 #if BTM_SEC_SERVICE_NAME_LEN > 0
559 if (p_srec->psm == psm &&
560 p_srec->mx_proto_id == mx_proto_id &&
561 service_id == p_srec->service_id &&
562 p_name &&
563 (!strncmp (p_name, (char *) p_srec->orig_service_name,
564 BTM_SEC_SERVICE_NAME_LEN) ||
565 !strncmp (p_name, (char *) p_srec->term_service_name,
566 BTM_SEC_SERVICE_NAME_LEN)))
567 #else
568 if (p_srec->psm == psm &&
569 p_srec->mx_proto_id == mx_proto_id &&
570 service_id == p_srec->service_id)
571 #endif
572 {
573 record_allocated = TRUE;
574 break;
575 }
576 }
577 /* Mark the first available service record */
578 else if (!record_allocated)
579 {
580 memset (p_srec, 0, sizeof(tBTM_SEC_SERV_REC));
581 record_allocated = TRUE;
582 first_unused_record = index;
583 }
584 }
585
586 if (!record_allocated)
587 {
588 BTM_TRACE_WARNING("BTM_SEC_REG: Out of Service Records (%d)", BTM_SEC_MAX_SERVICE_RECORDS);
589 return(record_allocated);
590 }
591
592 /* Process the request if service record is valid */
593 /* If a duplicate service wasn't found, use the first available */
594 if (index >= BTM_SEC_MAX_SERVICE_RECORDS)
595 {
596 index = first_unused_record;
597 p_srec = &btm_cb.sec_serv_rec[index];
598 }
599
600 p_srec->psm = psm;
601 p_srec->service_id = service_id;
602 p_srec->mx_proto_id = mx_proto_id;
603
604 if (is_originator)
605 {
606 p_srec->orig_mx_chan_id = mx_chan_id;
607 #if BTM_SEC_SERVICE_NAME_LEN > 0
608 strlcpy ((char *)p_srec->orig_service_name, p_name, BTM_SEC_SERVICE_NAME_LEN);
609 #endif
610 /* clear out the old setting, just in case it exists */
611 #if (L2CAP_UCD_INCLUDED == TRUE)
612 if ( is_ucd )
613 {
614 p_srec->ucd_security_flags &=
615 ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM |
616 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
617 }
618 else
619 #endif
620 {
621 p_srec->security_flags &=
622 ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM |
623 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
624 }
625
626 /* Parameter validation. Originator should not set requirements for incoming connections */
627 sec_level &= ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHENTICATE
628 | BTM_SEC_IN_MITM | BTM_SEC_IN_MIN_16_DIGIT_PIN );
629
630 if (btm_cb.security_mode == BTM_SEC_MODE_SP ||
631 btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
632 btm_cb.security_mode == BTM_SEC_MODE_SC)
633 {
634 if (sec_level & BTM_SEC_OUT_AUTHENTICATE)
635 sec_level |= BTM_SEC_OUT_MITM;
636 }
637
638 /* Make sure the authenticate bit is set, when encrypt bit is set */
639 if (sec_level & BTM_SEC_OUT_ENCRYPT)
640 sec_level |= BTM_SEC_OUT_AUTHENTICATE;
641
642 /* outgoing connections usually set the security level right before
643 * the connection is initiated.
644 * set it to be the outgoing service */
645 #if (L2CAP_UCD_INCLUDED == TRUE)
646 if ( is_ucd == FALSE )
647 #endif
648 {
649 btm_cb.p_out_serv = p_srec;
650 }
651 }
652 else
653 {
654 p_srec->term_mx_chan_id = mx_chan_id;
655 #if BTM_SEC_SERVICE_NAME_LEN > 0
656 strlcpy ((char *)p_srec->term_service_name, p_name, BTM_SEC_SERVICE_NAME_LEN);
657 #endif
658 /* clear out the old setting, just in case it exists */
659 #if (L2CAP_UCD_INCLUDED == TRUE)
660 if ( is_ucd )
661 {
662 p_srec->ucd_security_flags &=
663 ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_MITM |
664 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE
665 | BTM_SEC_IN_MIN_16_DIGIT_PIN);
666 }
667 else
668 #endif
669 {
670 p_srec->security_flags &=
671 ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_MITM |
672 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE
673 | BTM_SEC_IN_MIN_16_DIGIT_PIN);
674 }
675
676 /* Parameter validation. Acceptor should not set requirements for outgoing connections */
677 sec_level &= ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM);
678
679 if (btm_cb.security_mode == BTM_SEC_MODE_SP ||
680 btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
681 btm_cb.security_mode == BTM_SEC_MODE_SC)
682 {
683 if (sec_level & BTM_SEC_IN_AUTHENTICATE)
684 sec_level |= BTM_SEC_IN_MITM;
685 }
686
687 /* Make sure the authenticate bit is set, when encrypt bit is set */
688 if (sec_level & BTM_SEC_IN_ENCRYPT)
689 sec_level |= BTM_SEC_IN_AUTHENTICATE;
690 }
691
692 #if (L2CAP_UCD_INCLUDED == TRUE)
693 if ( is_ucd )
694 {
695 p_srec->security_flags |= (UINT16)(BTM_SEC_IN_USE);
696 p_srec->ucd_security_flags |= (UINT16)(sec_level | BTM_SEC_IN_USE);
697 }
698 else
699 {
700 p_srec->security_flags |= (UINT16)(sec_level | BTM_SEC_IN_USE);
701 }
702
703 BTM_TRACE_API("BTM_SEC_REG[%d]: id %d, conn_type 0x%x, psm 0x%04x, proto_id %d, chan_id %d",
704 index, service_id, conn_type, psm, mx_proto_id, mx_chan_id);
705
706 BTM_TRACE_API(" : security_flags: 0x%04x, ucd_security_flags: 0x%04x",
707 p_srec->security_flags, p_srec->ucd_security_flags);
708
709 #if BTM_SEC_SERVICE_NAME_LEN > 0
710 BTM_TRACE_API(" : service name [%s] (up to %d chars saved)",
711 p_name, BTM_SEC_SERVICE_NAME_LEN);
712 #endif
713 #else
714 p_srec->security_flags |= (UINT16)(sec_level | BTM_SEC_IN_USE);
715
716 BTM_TRACE_API("BTM_SEC_REG[%d]: id %d, is_orig %d, psm 0x%04x, proto_id %d, chan_id %d",
717 index, service_id, is_originator, psm, mx_proto_id, mx_chan_id);
718
719 #if BTM_SEC_SERVICE_NAME_LEN > 0
720 BTM_TRACE_API(" : sec: 0x%x, service name [%s] (up to %d chars saved)",
721 p_srec->security_flags, p_name, BTM_SEC_SERVICE_NAME_LEN);
722 #endif
723 #endif
724
725 return(record_allocated);
726 }
727
728 /*******************************************************************************
729 **
730 ** Function BTM_SecClrService
731 **
732 ** Description Removes specified service record(s) from the security database.
733 ** All service records with the specified name are removed.
734 ** Typically used only by devices with limited RAM so that it can
735 ** reuse an old security service record.
736 **
737 ** Note: Unpredictable results may occur if a service is cleared
738 ** that is still in use by an application/profile.
739 **
740 ** Parameters Service ID - Id of the service to remove. ('0' removes all service
741 ** records (except SDP).
742 **
743 ** Returns Number of records that were freed.
744 **
745 *******************************************************************************/
BTM_SecClrService(UINT8 service_id)746 UINT8 BTM_SecClrService (UINT8 service_id)
747 {
748 tBTM_SEC_SERV_REC *p_srec = &btm_cb.sec_serv_rec[0];
749 UINT8 num_freed = 0;
750 int i;
751
752 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_srec++)
753 {
754 /* Delete services with specified name (if in use and not SDP) */
755 if ((p_srec->security_flags & BTM_SEC_IN_USE) && (p_srec->psm != BT_PSM_SDP) &&
756 (!service_id || (service_id == p_srec->service_id)))
757 {
758 BTM_TRACE_API("BTM_SEC_CLR[%d]: id %d", i, service_id);
759 p_srec->security_flags = 0;
760 #if (L2CAP_UCD_INCLUDED == TRUE)
761 p_srec->ucd_security_flags = 0;
762 #endif
763 num_freed++;
764 }
765 }
766
767 return(num_freed);
768 }
769
770 /*******************************************************************************
771 **
772 ** Function btm_sec_clr_service_by_psm
773 **
774 ** Description Removes specified service record from the security database.
775 ** All service records with the specified psm are removed.
776 ** Typically used by L2CAP to free up the service record used
777 ** by dynamic PSM clients when the channel is closed.
778 ** The given psm must be a virtual psm.
779 **
780 ** Parameters Service ID - Id of the service to remove. ('0' removes all service
781 ** records (except SDP).
782 **
783 ** Returns Number of records that were freed.
784 **
785 *******************************************************************************/
btm_sec_clr_service_by_psm(UINT16 psm)786 UINT8 btm_sec_clr_service_by_psm (UINT16 psm)
787 {
788 tBTM_SEC_SERV_REC *p_srec = &btm_cb.sec_serv_rec[0];
789 UINT8 num_freed = 0;
790 int i;
791
792 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_srec++)
793 {
794 /* Delete services with specified name (if in use and not SDP) */
795 if ((p_srec->security_flags & BTM_SEC_IN_USE) && (p_srec->psm == psm) )
796 {
797 BTM_TRACE_API("BTM_SEC_CLR[%d]: id %d ", i, p_srec->service_id);
798 p_srec->security_flags = 0;
799 num_freed++;
800 }
801 }
802 BTM_TRACE_API("btm_sec_clr_service_by_psm psm:0x%x num_freed:%d", psm, num_freed);
803
804 return(num_freed);
805 }
806
807 /*******************************************************************************
808 **
809 ** Function btm_sec_clr_temp_auth_service
810 **
811 ** Description Removes specified device record's temporary authorization
812 ** flag from the security database.
813 **
814 ** Parameters Device address to be cleared
815 **
816 ** Returns void.
817 **
818 *******************************************************************************/
btm_sec_clr_temp_auth_service(BD_ADDR bda)819 void btm_sec_clr_temp_auth_service (BD_ADDR bda)
820 {
821 tBTM_SEC_DEV_REC *p_dev_rec;
822
823 if ((p_dev_rec = btm_find_dev (bda)) == NULL)
824 {
825 BTM_TRACE_WARNING ("btm_sec_clr_temp_auth_service() - no dev CB");
826 return;
827 }
828
829 /* Reset the temporary authorized flag so that next time (untrusted) service is accessed autorization will take place */
830 if (p_dev_rec->last_author_service_id != BTM_SEC_NO_LAST_SERVICE_ID && p_dev_rec->p_cur_service)
831 {
832 BTM_TRACE_DEBUG ("btm_sec_clr_auth_service_by_psm [clearing device: %02x:%02x:%02x:%02x:%02x:%02x]",
833 bda[0], bda[1], bda[2], bda[3], bda[4], bda[5]);
834
835 p_dev_rec->last_author_service_id = BTM_SEC_NO_LAST_SERVICE_ID;
836 }
837 }
838
839 /*******************************************************************************
840 **
841 ** Function BTM_PINCodeReply
842 **
843 ** Description This function is called after Security Manager submitted
844 ** PIN code request to the UI.
845 **
846 ** Parameters: bd_addr - Address of the device for which PIN was requested
847 ** res - result of the operation BTM_SUCCESS if success
848 ** pin_len - length in bytes of the PIN Code
849 ** p_pin - pointer to array with the PIN Code
850 ** trusted_mask - bitwise OR of trusted services (array of UINT32)
851 **
852 *******************************************************************************/
BTM_PINCodeReply(BD_ADDR bd_addr,UINT8 res,UINT8 pin_len,UINT8 * p_pin,UINT32 trusted_mask[])853 void BTM_PINCodeReply (BD_ADDR bd_addr, UINT8 res, UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[])
854 {
855 tBTM_SEC_DEV_REC *p_dev_rec;
856
857 BTM_TRACE_API ("BTM_PINCodeReply(): PairState: %s PairFlags: 0x%02x PinLen:%d Result:%d",
858 btm_pair_state_descr(btm_cb.pairing_state), btm_cb.pairing_flags, pin_len, res);
859
860 /* If timeout already expired or has been canceled, ignore the reply */
861 if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_PIN)
862 {
863 BTM_TRACE_WARNING ("BTM_PINCodeReply() - Wrong State: %d", btm_cb.pairing_state);
864 return;
865 }
866
867 if (memcmp (bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN) != 0)
868 {
869 BTM_TRACE_ERROR ("BTM_PINCodeReply() - Wrong BD Addr");
870 return;
871 }
872
873 if ((p_dev_rec = btm_find_dev (bd_addr)) == NULL)
874 {
875 BTM_TRACE_ERROR ("BTM_PINCodeReply() - no dev CB");
876 return;
877 }
878
879 if ( (pin_len > PIN_CODE_LEN) || (pin_len == 0) || (p_pin == NULL) )
880 res = BTM_ILLEGAL_VALUE;
881
882 if (res != BTM_SUCCESS)
883 {
884 /* if peer started dd OR we started dd and pre-fetch pin was not used send negative reply */
885 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PEER_STARTED_DD) ||
886 ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) &&
887 (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)) )
888 {
889 /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed event */
890 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
891 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
892
893 btsnd_hcic_pin_code_neg_reply (bd_addr);
894 }
895 else
896 {
897 p_dev_rec->security_required = BTM_SEC_NONE;
898 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
899 }
900 return;
901 }
902 if (trusted_mask)
903 BTM_SEC_COPY_TRUSTED_DEVICE(trusted_mask, p_dev_rec->trusted_mask);
904 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED;
905 if (pin_len >= 16) {
906 p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED;
907 }
908
909 if ( (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
910 && (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE)
911 && (btm_cb.security_mode_changed == FALSE) )
912 {
913 /* This is start of the dedicated bonding if local device is 2.0 */
914 btm_cb.pin_code_len = pin_len;
915 p_dev_rec->pin_code_length = pin_len;
916 memcpy (btm_cb.pin_code, p_pin, pin_len);
917
918 btm_cb.security_mode_changed = TRUE;
919 #ifdef APPL_AUTH_WRITE_EXCEPTION
920 if(!(APPL_AUTH_WRITE_EXCEPTION)(p_dev_rec->bd_addr))
921 #endif
922 btsnd_hcic_write_auth_enable (TRUE);
923
924 btm_cb.acl_disc_reason = 0xff ;
925
926 /* if we rejected incoming connection request, we have to wait HCI_Connection_Complete event */
927 /* before originating */
928 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT)
929 {
930 BTM_TRACE_WARNING ("BTM_PINCodeReply(): waiting HCI_Connection_Complete after rejected incoming connection");
931 /* we change state little bit early so btm_sec_connected() will originate connection */
932 /* when existing ACL link is down completely */
933 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
934 }
935 /* if we already accepted incoming connection from pairing device */
936 else if (p_dev_rec->sm4 & BTM_SM4_CONN_PEND)
937 {
938 BTM_TRACE_WARNING ("BTM_PINCodeReply(): link is connecting so wait pin code request from peer");
939 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
940 }
941 else if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED)
942 {
943 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
944 p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_AUTHED;
945
946 if (btm_cb.api.p_auth_complete_callback)
947 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
948 p_dev_rec->sec_bd_name, HCI_ERR_AUTH_FAILURE);
949 }
950 return;
951 }
952
953 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
954 btm_cb.acl_disc_reason = HCI_SUCCESS;
955
956 btsnd_hcic_pin_code_req_reply (bd_addr, pin_len, p_pin);
957 }
958
959 /*******************************************************************************
960 **
961 ** Function btm_sec_bond_by_transport
962 **
963 ** Description this is the bond function that will start either SSP or SMP.
964 **
965 ** Parameters: bd_addr - Address of the device to bond
966 ** pin_len - length in bytes of the PIN Code
967 ** p_pin - pointer to array with the PIN Code
968 ** trusted_mask - bitwise OR of trusted services (array of UINT32)
969 **
970 ** Note: After 2.1 parameters are not used and preserved here not to change API
971 *******************************************************************************/
btm_sec_bond_by_transport(BD_ADDR bd_addr,tBT_TRANSPORT transport,UINT8 pin_len,UINT8 * p_pin,UINT32 trusted_mask[])972 tBTM_STATUS btm_sec_bond_by_transport (BD_ADDR bd_addr, tBT_TRANSPORT transport,
973 UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[])
974 {
975 tBTM_SEC_DEV_REC *p_dev_rec;
976 tBTM_STATUS status;
977 UINT8 *p_features;
978 UINT8 ii;
979 tACL_CONN *p= btm_bda_to_acl(bd_addr, transport);
980 BTM_TRACE_API ("btm_sec_bond_by_transport BDA: %02x:%02x:%02x:%02x:%02x:%02x",
981 bd_addr[0], bd_addr[1], bd_addr[2], bd_addr[3], bd_addr[4], bd_addr[5]);
982
983 BTM_TRACE_DEBUG("btm_sec_bond_by_transport: Transport used %d" , transport);
984
985 /* Other security process is in progress */
986 if (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
987 {
988 BTM_TRACE_ERROR ("BTM_SecBond: already busy in state: %s", btm_pair_state_descr(btm_cb.pairing_state));
989 return(BTM_WRONG_MODE);
990 }
991
992 if ((p_dev_rec = btm_find_or_alloc_dev (bd_addr)) == NULL)
993 {
994 return(BTM_NO_RESOURCES);
995 }
996
997 BTM_TRACE_DEBUG ("before update sec_flags=0x%x", p_dev_rec->sec_flags);
998
999 /* Finished if connection is active and already paired */
1000 if ( ((p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE) && transport == BT_TRANSPORT_BR_EDR
1001 && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))
1002 #if (BLE_INCLUDED == TRUE)
1003 ||((p_dev_rec->ble_hci_handle != BTM_SEC_INVALID_HANDLE) && transport == BT_TRANSPORT_LE
1004 && (p_dev_rec->sec_flags & BTM_SEC_LE_AUTHENTICATED))
1005 #endif
1006
1007 )
1008 {
1009 BTM_TRACE_WARNING("BTM_SecBond -> Already Paired");
1010 return(BTM_SUCCESS);
1011 }
1012
1013 /* Tell controller to get rid of the link key if it has one stored */
1014 if ((BTM_DeleteStoredLinkKey (bd_addr, NULL)) != BTM_SUCCESS)
1015 return(BTM_NO_RESOURCES);
1016
1017 /* Save the PIN code if we got a valid one */
1018 if (p_pin && (pin_len <= PIN_CODE_LEN) && (pin_len != 0))
1019 {
1020 btm_cb.pin_code_len = pin_len;
1021 p_dev_rec->pin_code_length = pin_len;
1022 memcpy (btm_cb.pin_code, p_pin, PIN_CODE_LEN);
1023 }
1024
1025 memcpy (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN);
1026
1027 btm_cb.pairing_flags = BTM_PAIR_FLAGS_WE_STARTED_DD;
1028
1029 p_dev_rec->security_required = BTM_SEC_OUT_AUTHENTICATE;
1030 p_dev_rec->is_originator = TRUE;
1031 if (trusted_mask)
1032 BTM_SEC_COPY_TRUSTED_DEVICE(trusted_mask, p_dev_rec->trusted_mask);
1033
1034 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
1035 if (transport == BT_TRANSPORT_LE)
1036 {
1037 btm_ble_init_pseudo_addr (p_dev_rec, bd_addr);
1038 p_dev_rec->sec_flags &= ~ BTM_SEC_LE_MASK;
1039
1040 if (SMP_Pair(bd_addr) == SMP_STARTED)
1041 {
1042 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_LE_ACTIVE;
1043 p_dev_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING;
1044 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1045 return BTM_CMD_STARTED;
1046 }
1047
1048 btm_cb.pairing_flags = 0;
1049 return(BTM_NO_RESOURCES);
1050 }
1051 #endif
1052
1053 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED
1054 | BTM_SEC_ROLE_SWITCHED | BTM_SEC_LINK_KEY_AUTHED);
1055
1056 BTM_TRACE_DEBUG ("after update sec_flags=0x%x", p_dev_rec->sec_flags);
1057 if (!controller_get_interface()->supports_simple_pairing())
1058 {
1059 /* The special case when we authenticate keyboard. Set pin type to fixed */
1060 /* It would be probably better to do it from the application, but it is */
1061 /* complicated */
1062 if (((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) == BTM_COD_MAJOR_PERIPHERAL)
1063 && (p_dev_rec->dev_class[2] & BTM_COD_MINOR_KEYBOARD)
1064 && (btm_cb.cfg.pin_type != HCI_PIN_TYPE_FIXED))
1065 {
1066 btm_cb.pin_type_changed = TRUE;
1067 btsnd_hcic_write_pin_type (HCI_PIN_TYPE_FIXED);
1068 }
1069 }
1070
1071 for (ii = 0; ii <= HCI_EXT_FEATURES_PAGE_MAX; ii++)
1072 {
1073 p_features = p_dev_rec->features[ii];
1074 BTM_TRACE_EVENT(" remote_features page[%1d] = %02x-%02x-%02x-%02x",
1075 ii, p_features[0], p_features[1], p_features[2], p_features[3]);
1076 BTM_TRACE_EVENT(" %02x-%02x-%02x-%02x",
1077 p_features[4], p_features[5], p_features[6], p_features[7]);
1078 }
1079
1080 BTM_TRACE_EVENT ("BTM_SecBond: Remote sm4: 0x%x HCI Handle: 0x%04x", p_dev_rec->sm4, p_dev_rec->hci_handle);
1081
1082 #if BTM_SEC_FORCE_RNR_FOR_DBOND == TRUE
1083 p_dev_rec->sec_flags &= ~BTM_SEC_NAME_KNOWN;
1084 #endif
1085
1086 /* If connection already exists... */
1087 if (p && p->hci_handle != BTM_SEC_INVALID_HANDLE)
1088 {
1089 if (!btm_sec_start_authentication (p_dev_rec))
1090 return(BTM_NO_RESOURCES);
1091
1092 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
1093
1094 /* Mark lcb as bonding */
1095 l2cu_update_lcb_4_bonding (bd_addr, TRUE);
1096 return(BTM_CMD_STARTED);
1097 }
1098
1099 BTM_TRACE_DEBUG ("sec mode: %d sm4:x%x", btm_cb.security_mode, p_dev_rec->sm4);
1100 if (!controller_get_interface()->supports_simple_pairing()
1101 || (p_dev_rec->sm4 == BTM_SM4_KNOWN))
1102 {
1103 if ( btm_sec_check_prefetch_pin (p_dev_rec) )
1104 return (BTM_CMD_STARTED);
1105 }
1106 if ((btm_cb.security_mode == BTM_SEC_MODE_SP ||
1107 btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
1108 btm_cb.security_mode == BTM_SEC_MODE_SC) &&
1109 BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4))
1110 {
1111 /* local is 2.1 and peer is unknown */
1112 if ((p_dev_rec->sm4 & BTM_SM4_CONN_PEND) == 0)
1113 {
1114 /* we are not accepting connection request from peer
1115 * -> RNR (to learn if peer is 2.1)
1116 * RNR when no ACL causes HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT */
1117 btm_sec_change_pairing_state (BTM_PAIR_STATE_GET_REM_NAME);
1118 BTM_ReadRemoteDeviceName(bd_addr, NULL, BT_TRANSPORT_BR_EDR);
1119 }
1120 else
1121 {
1122 /* We are accepting connection request from peer */
1123 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
1124 }
1125 BTM_TRACE_DEBUG ("State:%s sm4: 0x%x sec_state:%d",
1126 btm_pair_state_descr (btm_cb.pairing_state), p_dev_rec->sm4, p_dev_rec->sec_state);
1127 return BTM_CMD_STARTED;
1128 }
1129
1130 /* both local and peer are 2.1 */
1131 status = btm_sec_dd_create_conn(p_dev_rec);
1132
1133 if (status != BTM_CMD_STARTED)
1134 {
1135 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
1136 }
1137
1138 return status;
1139 }
1140
1141 /*******************************************************************************
1142 **
1143 ** Function BTM_SecBondByTransport
1144 **
1145 ** Description This function is called to perform bonding with peer device.
1146 ** If the connection is already up, but not secure, pairing
1147 ** is attempted. If already paired BTM_SUCCESS is returned.
1148 **
1149 ** Parameters: bd_addr - Address of the device to bond
1150 ** transport - doing SSP over BR/EDR or SMP over LE
1151 ** pin_len - length in bytes of the PIN Code
1152 ** p_pin - pointer to array with the PIN Code
1153 ** trusted_mask - bitwise OR of trusted services (array of UINT32)
1154 **
1155 ** Note: After 2.1 parameters are not used and preserved here not to change API
1156 *******************************************************************************/
BTM_SecBondByTransport(BD_ADDR bd_addr,tBT_TRANSPORT transport,UINT8 pin_len,UINT8 * p_pin,UINT32 trusted_mask[])1157 tBTM_STATUS BTM_SecBondByTransport (BD_ADDR bd_addr, tBT_TRANSPORT transport,
1158 UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[])
1159 {
1160 #if SMP_INCLUDED == TRUE
1161 tBT_DEVICE_TYPE dev_type;
1162 tBLE_ADDR_TYPE addr_type;
1163
1164 BTM_ReadDevInfo(bd_addr, &dev_type, &addr_type);
1165 /* LE device, do SMP pairing */
1166 if ((transport == BT_TRANSPORT_LE && (dev_type & BT_DEVICE_TYPE_BLE) == 0) ||
1167 (transport == BT_TRANSPORT_BR_EDR && (dev_type & BT_DEVICE_TYPE_BREDR) == 0))
1168 {
1169 return BTM_ILLEGAL_ACTION;
1170 }
1171 #endif
1172 return btm_sec_bond_by_transport(bd_addr, transport, pin_len, p_pin, trusted_mask);
1173 }
1174
1175 /*******************************************************************************
1176 **
1177 ** Function BTM_SecBond
1178 **
1179 ** Description This function is called to perform bonding with peer device.
1180 ** If the connection is already up, but not secure, pairing
1181 ** is attempted. If already paired BTM_SUCCESS is returned.
1182 **
1183 ** Parameters: bd_addr - Address of the device to bond
1184 ** pin_len - length in bytes of the PIN Code
1185 ** p_pin - pointer to array with the PIN Code
1186 ** trusted_mask - bitwise OR of trusted services (array of UINT32)
1187 **
1188 ** Note: After 2.1 parameters are not used and preserved here not to change API
1189 *******************************************************************************/
BTM_SecBond(BD_ADDR bd_addr,UINT8 pin_len,UINT8 * p_pin,UINT32 trusted_mask[])1190 tBTM_STATUS BTM_SecBond (BD_ADDR bd_addr, UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[])
1191 {
1192 tBT_TRANSPORT transport = BT_TRANSPORT_BR_EDR;
1193 #if BLE_INCLUDED == TRUE
1194 if (BTM_UseLeLink(bd_addr))
1195 transport = BT_TRANSPORT_LE;
1196 #endif
1197 return btm_sec_bond_by_transport(bd_addr, transport, pin_len, p_pin, trusted_mask);
1198 }
1199 /*******************************************************************************
1200 **
1201 ** Function BTM_SecBondCancel
1202 **
1203 ** Description This function is called to cancel ongoing bonding process
1204 ** with peer device.
1205 **
1206 ** Parameters: bd_addr - Address of the peer device
1207 ** transport - FALSE for BR/EDR link; TRUE for LE link
1208 **
1209 *******************************************************************************/
BTM_SecBondCancel(BD_ADDR bd_addr)1210 tBTM_STATUS BTM_SecBondCancel (BD_ADDR bd_addr)
1211 {
1212 tBTM_SEC_DEV_REC *p_dev_rec;
1213
1214 BTM_TRACE_API ("BTM_SecBondCancel() State: %s flags:0x%x",
1215 btm_pair_state_descr (btm_cb.pairing_state), btm_cb.pairing_flags);
1216
1217 if (((p_dev_rec = btm_find_dev (bd_addr)) == NULL)
1218 || (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) )
1219 return BTM_UNKNOWN_ADDR;
1220
1221 #if SMP_INCLUDED == TRUE
1222 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_LE_ACTIVE)
1223 {
1224 if (p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING)
1225 {
1226 BTM_TRACE_DEBUG ("Cancel LE pairing");
1227 if (SMP_PairCancel(bd_addr))
1228 {
1229 return BTM_CMD_STARTED;
1230 }
1231 }
1232 return BTM_WRONG_MODE;
1233 }
1234
1235 #endif
1236 BTM_TRACE_DEBUG ("hci_handle:0x%x sec_state:%d", p_dev_rec->hci_handle, p_dev_rec->sec_state );
1237 if (BTM_PAIR_STATE_WAIT_LOCAL_PIN == btm_cb.pairing_state &&
1238 BTM_PAIR_FLAGS_WE_STARTED_DD & btm_cb.pairing_flags)
1239 {
1240 /* pre-fetching pin for dedicated bonding */
1241 btm_sec_bond_cancel_complete();
1242 return BTM_SUCCESS;
1243 }
1244
1245 /* If this BDA is in a bonding procedure */
1246 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
1247 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD))
1248 {
1249 /* If the HCI link is up */
1250 if (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)
1251 {
1252 /* If some other thread disconnecting, we do not send second command */
1253 if ((p_dev_rec->sec_state == BTM_SEC_STATE_DISCONNECTING) ||
1254 (p_dev_rec->sec_state == BTM_SEC_STATE_DISCONNECTING_BOTH))
1255 return(BTM_CMD_STARTED);
1256
1257 /* If the HCI link was set up by Bonding process */
1258 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)
1259 return btm_sec_send_hci_disconnect(p_dev_rec, HCI_ERR_PEER_USER, p_dev_rec->hci_handle);
1260 else
1261 l2cu_update_lcb_4_bonding(bd_addr, FALSE);
1262
1263 return BTM_NOT_AUTHORIZED;
1264 }
1265 else /*HCI link is not up */
1266 {
1267 /* If the HCI link creation was started by Bonding process */
1268 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)
1269 {
1270 if (btsnd_hcic_create_conn_cancel(bd_addr))
1271 return BTM_CMD_STARTED;
1272
1273 return BTM_NO_RESOURCES;
1274 }
1275 if (btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME)
1276 {
1277 BTM_CancelRemoteDeviceName();
1278 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_WE_CANCEL_DD;
1279 return BTM_CMD_STARTED;
1280 }
1281 return BTM_NOT_AUTHORIZED;
1282 }
1283 }
1284
1285 return BTM_WRONG_MODE;
1286 }
1287
1288 /*******************************************************************************
1289 **
1290 ** Function BTM_SecGetDeviceLinkKey
1291 **
1292 ** Description This function is called to obtain link key for the device
1293 ** it returns BTM_SUCCESS if link key is available, or
1294 ** BTM_UNKNOWN_ADDR if Security Manager does not know about
1295 ** the device or device record does not contain link key info
1296 **
1297 ** Parameters: bd_addr - Address of the device
1298 ** link_key - Link Key is copied into this array
1299 **
1300 *******************************************************************************/
BTM_SecGetDeviceLinkKey(BD_ADDR bd_addr,LINK_KEY link_key)1301 tBTM_STATUS BTM_SecGetDeviceLinkKey (BD_ADDR bd_addr, LINK_KEY link_key)
1302 {
1303 tBTM_SEC_DEV_REC *p_dev_rec;
1304
1305 if (((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
1306 && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN))
1307 {
1308 memcpy (link_key, p_dev_rec->link_key, LINK_KEY_LEN);
1309 return(BTM_SUCCESS);
1310 }
1311 return(BTM_UNKNOWN_ADDR);
1312 }
1313
1314 /*******************************************************************************
1315 **
1316 ** Function BTM_SecGetDeviceLinkKeyType
1317 **
1318 ** Description This function is called to obtain link key type for the
1319 ** device.
1320 ** it returns BTM_SUCCESS if link key is available, or
1321 ** BTM_UNKNOWN_ADDR if Security Manager does not know about
1322 ** the device or device record does not contain link key info
1323 **
1324 ** Returns BTM_LKEY_TYPE_IGNORE if link key is unknown, link type
1325 ** otherwise.
1326 **
1327 *******************************************************************************/
BTM_SecGetDeviceLinkKeyType(BD_ADDR bd_addr)1328 tBTM_LINK_KEY_TYPE BTM_SecGetDeviceLinkKeyType (BD_ADDR bd_addr)
1329 {
1330 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr);
1331
1332 if ((p_dev_rec != NULL) && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN))
1333 {
1334 return p_dev_rec->link_key_type;
1335 }
1336 return BTM_LKEY_TYPE_IGNORE;
1337 }
1338
1339 /*******************************************************************************
1340 **
1341 ** Function BTM_SetEncryption
1342 **
1343 ** Description This function is called to ensure that connection is
1344 ** encrypted. Should be called only on an open connection.
1345 ** Typically only needed for connections that first want to
1346 ** bring up unencrypted links, then later encrypt them.
1347 **
1348 ** Parameters: bd_addr - Address of the peer device
1349 ** transport - Link transport
1350 ** p_callback - Pointer to callback function called if
1351 ** this function returns PENDING after required
1352 ** procedures are completed. Can be set to NULL
1353 ** if status is not desired.
1354 ** p_ref_data - pointer to any data the caller wishes to receive
1355 ** in the callback function upon completion.
1356 ** can be set to NULL if not used.
1357 ** sec_act - LE security action, unused for BR/EDR
1358 **
1359 ** Returns BTM_SUCCESS - already encrypted
1360 ** BTM_PENDING - command will be returned in the callback
1361 ** BTM_WRONG_MODE- connection not up.
1362 ** BTM_BUSY - security procedures are currently active
1363 ** BTM_MODE_UNSUPPORTED - if security manager not linked in.
1364 **
1365 *******************************************************************************/
BTM_SetEncryption(BD_ADDR bd_addr,tBT_TRANSPORT transport,tBTM_SEC_CBACK * p_callback,void * p_ref_data,tBTM_BLE_SEC_ACT sec_act)1366 tBTM_STATUS BTM_SetEncryption (BD_ADDR bd_addr, tBT_TRANSPORT transport, tBTM_SEC_CBACK *p_callback,
1367 void *p_ref_data, tBTM_BLE_SEC_ACT sec_act)
1368 {
1369 tBTM_STATUS rc = 0;
1370
1371 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr);
1372 if (!p_dev_rec ||
1373 (transport == BT_TRANSPORT_BR_EDR && p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE)
1374 #if BLE_INCLUDED == TRUE
1375 || (transport == BT_TRANSPORT_LE && p_dev_rec->ble_hci_handle == BTM_SEC_INVALID_HANDLE)
1376 #endif
1377 )
1378 {
1379 /* Connection should be up and runnning */
1380 BTM_TRACE_WARNING ("Security Manager: BTM_SetEncryption not connected");
1381
1382 if (p_callback)
1383 (*p_callback) (bd_addr, transport, p_ref_data, BTM_WRONG_MODE);
1384
1385 return(BTM_WRONG_MODE);
1386 }
1387
1388 if (transport == BT_TRANSPORT_BR_EDR &&
1389 (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))
1390 {
1391 BTM_TRACE_EVENT ("Security Manager: BTM_SetEncryption already encrypted");
1392
1393 if (p_callback)
1394 (*p_callback) (bd_addr, transport, p_ref_data, BTM_SUCCESS);
1395
1396 return(BTM_SUCCESS);
1397 }
1398
1399 /* enqueue security request if security is active */
1400 if (p_dev_rec->p_callback || (p_dev_rec->sec_state != BTM_SEC_STATE_IDLE))
1401 {
1402 BTM_TRACE_WARNING ("Security Manager: BTM_SetEncryption busy, enqueue request");
1403
1404 if (btm_sec_queue_encrypt_request(bd_addr, transport, p_callback, p_ref_data, sec_act))
1405 {
1406 return BTM_CMD_STARTED;
1407 }
1408 else
1409 {
1410 if (p_callback)
1411 (*p_callback) (bd_addr, transport, p_ref_data, BTM_NO_RESOURCES);
1412 return BTM_NO_RESOURCES;
1413 }
1414 }
1415
1416 p_dev_rec->p_callback = p_callback;
1417 p_dev_rec->p_ref_data = p_ref_data;
1418 p_dev_rec->security_required |= (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT);
1419 p_dev_rec->is_originator = FALSE;
1420
1421 BTM_TRACE_API ("Security Manager: BTM_SetEncryption Handle:%d State:%d Flags:0x%x Required:0x%x",
1422 p_dev_rec->hci_handle, p_dev_rec->sec_state, p_dev_rec->sec_flags,
1423 p_dev_rec->security_required);
1424
1425 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
1426 if (transport == BT_TRANSPORT_LE)
1427 {
1428 tACL_CONN *p = btm_bda_to_acl(bd_addr, transport);
1429 if (p)
1430 {
1431 rc = btm_ble_set_encryption(bd_addr, sec_act, p->link_role);
1432 }
1433 else
1434 {
1435 rc = BTM_WRONG_MODE;
1436 BTM_TRACE_WARNING("%s: cannot call btm_ble_set_encryption, p is NULL", __FUNCTION__);
1437 }
1438 }
1439 else
1440 #endif
1441 rc = btm_sec_execute_procedure (p_dev_rec);
1442
1443 if (rc != BTM_CMD_STARTED && rc != BTM_BUSY)
1444 {
1445 if (p_callback)
1446 {
1447 p_dev_rec->p_callback = NULL;
1448 (*p_callback) (bd_addr, transport, p_dev_rec->p_ref_data, rc);
1449 }
1450 }
1451
1452 return(rc);
1453 }
1454
1455 /*******************************************************************************
1456 * disconnect the ACL link, if it's not done yet.
1457 *******************************************************************************/
btm_sec_send_hci_disconnect(tBTM_SEC_DEV_REC * p_dev_rec,UINT8 reason,UINT16 conn_handle)1458 static tBTM_STATUS btm_sec_send_hci_disconnect (tBTM_SEC_DEV_REC *p_dev_rec, UINT8 reason, UINT16 conn_handle)
1459 {
1460 UINT8 old_state = p_dev_rec->sec_state;
1461 tBTM_STATUS status = BTM_CMD_STARTED;
1462
1463 BTM_TRACE_EVENT ("btm_sec_send_hci_disconnect: handle:0x%x, reason=0x%x",
1464 conn_handle, reason);
1465
1466 /* send HCI_Disconnect on a transport only once */
1467 switch (old_state)
1468 {
1469 case BTM_SEC_STATE_DISCONNECTING:
1470 if (conn_handle == p_dev_rec->hci_handle)
1471 return status;
1472
1473 p_dev_rec->sec_state = BTM_SEC_STATE_DISCONNECTING_BOTH;
1474 break;
1475
1476 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
1477 case BTM_SEC_STATE_DISCONNECTING_BLE:
1478 if (conn_handle == p_dev_rec->ble_hci_handle)
1479 return status;
1480
1481 p_dev_rec->sec_state = BTM_SEC_STATE_DISCONNECTING_BOTH;
1482 break;
1483
1484 case BTM_SEC_STATE_DISCONNECTING_BOTH:
1485 return status;
1486 #endif
1487
1488 default:
1489 p_dev_rec->sec_state = (conn_handle == p_dev_rec->hci_handle) ?
1490 BTM_SEC_STATE_DISCONNECTING : BTM_SEC_STATE_DISCONNECTING_BLE;
1491
1492 break;
1493 }
1494
1495 /* If a role switch is in progress, delay the HCI Disconnect to avoid controller problem */
1496 if (p_dev_rec->rs_disc_pending == BTM_SEC_RS_PENDING && p_dev_rec->hci_handle == conn_handle)
1497 {
1498 BTM_TRACE_DEBUG("RS in progress - Set DISC Pending flag in btm_sec_send_hci_disconnect to delay disconnect");
1499 p_dev_rec->rs_disc_pending = BTM_SEC_DISC_PENDING;
1500 status = BTM_SUCCESS;
1501 }
1502 /* Tear down the HCI link */
1503 else if (!btsnd_hcic_disconnect (conn_handle, reason))
1504 {
1505 /* could not send disconnect. restore old state */
1506 p_dev_rec->sec_state = old_state;
1507 status = BTM_NO_RESOURCES;
1508 }
1509
1510 return status;
1511 }
1512
1513 /*******************************************************************************
1514 **
1515 ** Function BTM_ConfirmReqReply
1516 **
1517 ** Description This function is called to confirm the numeric value for
1518 ** Simple Pairing in response to BTM_SP_CFM_REQ_EVT
1519 **
1520 ** Parameters: res - result of the operation BTM_SUCCESS if success
1521 ** bd_addr - Address of the peer device
1522 **
1523 *******************************************************************************/
BTM_ConfirmReqReply(tBTM_STATUS res,BD_ADDR bd_addr)1524 void BTM_ConfirmReqReply(tBTM_STATUS res, BD_ADDR bd_addr)
1525 {
1526 tBTM_SEC_DEV_REC *p_dev_rec;
1527
1528 BTM_TRACE_EVENT ("BTM_ConfirmReqReply() State: %s Res: %u",
1529 btm_pair_state_descr(btm_cb.pairing_state), res);
1530
1531 /* If timeout already expired or has been canceled, ignore the reply */
1532 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM)
1533 || (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) )
1534 return;
1535
1536 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1537
1538 if ( (res == BTM_SUCCESS) || (res == BTM_SUCCESS_NO_SECURITY) )
1539 {
1540 btm_cb.acl_disc_reason = HCI_SUCCESS;
1541
1542 if (res == BTM_SUCCESS)
1543 {
1544 if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
1545 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED;
1546 p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED;
1547 }
1548
1549 btsnd_hcic_user_conf_reply (bd_addr, TRUE);
1550 }
1551 else
1552 {
1553 /* Report authentication failed event from state BTM_PAIR_STATE_WAIT_AUTH_COMPLETE */
1554 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1555 btsnd_hcic_user_conf_reply (bd_addr, FALSE);
1556 }
1557 }
1558
1559 /*******************************************************************************
1560 **
1561 ** Function BTM_PasskeyReqReply
1562 **
1563 ** Description This function is called to provide the passkey for
1564 ** Simple Pairing in response to BTM_SP_KEY_REQ_EVT
1565 **
1566 ** Parameters: res - result of the operation BTM_SUCCESS if success
1567 ** bd_addr - Address of the peer device
1568 ** passkey - numeric value in the range of
1569 ** BTM_MIN_PASSKEY_VAL(0) - BTM_MAX_PASSKEY_VAL(999999(0xF423F)).
1570 **
1571 *******************************************************************************/
1572 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
BTM_PasskeyReqReply(tBTM_STATUS res,BD_ADDR bd_addr,UINT32 passkey)1573 void BTM_PasskeyReqReply(tBTM_STATUS res, BD_ADDR bd_addr, UINT32 passkey)
1574 {
1575 BTM_TRACE_API ("BTM_PasskeyReqReply: State: %s res:%d",
1576 btm_pair_state_descr(btm_cb.pairing_state), res);
1577
1578 if ( (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
1579 || (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) )
1580 {
1581 return;
1582 }
1583
1584 /* If timeout already expired or has been canceled, ignore the reply */
1585 if ( (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_AUTH_COMPLETE) && (res != BTM_SUCCESS) )
1586 {
1587 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr);
1588 if (p_dev_rec != NULL)
1589 {
1590 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1591
1592 if (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)
1593 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE, p_dev_rec->hci_handle);
1594 else
1595 BTM_SecBondCancel(bd_addr);
1596
1597 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_AUTHED | BTM_SEC_LINK_KEY_KNOWN);
1598
1599 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
1600 return;
1601 }
1602 }
1603 else if (btm_cb.pairing_state != BTM_PAIR_STATE_KEY_ENTRY)
1604 return;
1605
1606 if (passkey > BTM_MAX_PASSKEY_VAL)
1607 res = BTM_ILLEGAL_VALUE;
1608
1609 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1610
1611 if (res != BTM_SUCCESS)
1612 {
1613 /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed event */
1614 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1615 btsnd_hcic_user_passkey_neg_reply (bd_addr);
1616 } else {
1617 btm_cb.acl_disc_reason = HCI_SUCCESS;
1618 btsnd_hcic_user_passkey_reply (bd_addr, passkey);
1619 }
1620 }
1621 #endif
1622
1623 /*******************************************************************************
1624 **
1625 ** Function BTM_SendKeypressNotif
1626 **
1627 ** Description This function is used during the passkey entry model
1628 ** by a device with KeyboardOnly IO capabilities
1629 ** (very likely to be a HID Device).
1630 ** It is called by a HID Device to inform the remote device when
1631 ** a key has been entered or erased.
1632 **
1633 ** Parameters: bd_addr - Address of the peer device
1634 ** type - notification type
1635 **
1636 *******************************************************************************/
1637 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
BTM_SendKeypressNotif(BD_ADDR bd_addr,tBTM_SP_KEY_TYPE type)1638 void BTM_SendKeypressNotif(BD_ADDR bd_addr, tBTM_SP_KEY_TYPE type)
1639 {
1640 /* This API only make sense between PASSKEY_REQ and SP complete */
1641 if (btm_cb.pairing_state == BTM_PAIR_STATE_KEY_ENTRY)
1642 btsnd_hcic_send_keypress_notif (bd_addr, type);
1643 }
1644 #endif
1645
1646 /*******************************************************************************
1647 **
1648 ** Function BTM_IoCapRsp
1649 **
1650 ** Description This function is called in response to BTM_SP_IO_REQ_EVT
1651 ** When the event data io_req.oob_data is set to BTM_OOB_UNKNOWN
1652 ** by the tBTM_SP_CALLBACK implementation, this function is
1653 ** called to provide the actual response
1654 **
1655 ** Parameters: bd_addr - Address of the peer device
1656 ** io_cap - The IO capability of local device.
1657 ** oob - BTM_OOB_NONE or BTM_OOB_PRESENT.
1658 ** auth_req- MITM protection required or not.
1659 **
1660 *******************************************************************************/
BTM_IoCapRsp(BD_ADDR bd_addr,tBTM_IO_CAP io_cap,tBTM_OOB_DATA oob,tBTM_AUTH_REQ auth_req)1661 void BTM_IoCapRsp(BD_ADDR bd_addr, tBTM_IO_CAP io_cap, tBTM_OOB_DATA oob, tBTM_AUTH_REQ auth_req)
1662 {
1663 BTM_TRACE_EVENT ("BTM_IoCapRsp: state: %s oob: %d io_cap: %d",
1664 btm_pair_state_descr(btm_cb.pairing_state), oob, io_cap);
1665
1666 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS)
1667 || (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) )
1668 return;
1669
1670 if (oob < BTM_OOB_UNKNOWN && io_cap < BTM_IO_CAP_MAX)
1671 {
1672 btm_cb.devcb.loc_auth_req = auth_req;
1673 btm_cb.devcb.loc_io_caps = io_cap;
1674
1675 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
1676 auth_req = (BTM_AUTH_DD_BOND | (auth_req&BTM_AUTH_YN_BIT));
1677
1678 btsnd_hcic_io_cap_req_reply (bd_addr, io_cap, oob, auth_req);
1679 }
1680 }
1681
1682 /*******************************************************************************
1683 **
1684 ** Function BTM_ReadLocalOobData
1685 **
1686 ** Description This function is called to read the local OOB data from
1687 ** LM
1688 **
1689 *******************************************************************************/
BTM_ReadLocalOobData(void)1690 tBTM_STATUS BTM_ReadLocalOobData(void)
1691 {
1692 tBTM_STATUS status = BTM_SUCCESS;
1693
1694 if (btsnd_hcic_read_local_oob_data() == FALSE)
1695 status = BTM_NO_RESOURCES;
1696
1697 return status;
1698 }
1699
1700 /*******************************************************************************
1701 **
1702 ** Function BTM_RemoteOobDataReply
1703 **
1704 ** Description This function is called to provide the remote OOB data for
1705 ** Simple Pairing in response to BTM_SP_RMT_OOB_EVT
1706 **
1707 ** Parameters: bd_addr - Address of the peer device
1708 ** c - simple pairing Hash C.
1709 ** r - simple pairing Randomizer C.
1710 **
1711 *******************************************************************************/
BTM_RemoteOobDataReply(tBTM_STATUS res,BD_ADDR bd_addr,BT_OCTET16 c,BT_OCTET16 r)1712 void BTM_RemoteOobDataReply(tBTM_STATUS res, BD_ADDR bd_addr, BT_OCTET16 c, BT_OCTET16 r)
1713 {
1714 BTM_TRACE_EVENT ("%s() - State: %s res: %d", __func__,
1715 btm_pair_state_descr(btm_cb.pairing_state), res);
1716
1717 /* If timeout already expired or has been canceled, ignore the reply */
1718 if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP)
1719 return;
1720
1721 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1722
1723 if (res != BTM_SUCCESS)
1724 {
1725 /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed event */
1726 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1727 btsnd_hcic_rem_oob_neg_reply (bd_addr);
1728 } else {
1729 btm_cb.acl_disc_reason = HCI_SUCCESS;
1730 btsnd_hcic_rem_oob_reply (bd_addr, c, r);
1731 }
1732 }
1733
1734 /*******************************************************************************
1735 **
1736 ** Function BTM_BuildOobData
1737 **
1738 ** Description This function is called to build the OOB data payload to
1739 ** be sent over OOB (non-Bluetooth) link
1740 **
1741 ** Parameters: p_data - the location for OOB data
1742 ** max_len - p_data size.
1743 ** c - simple pairing Hash C.
1744 ** r - simple pairing Randomizer C.
1745 ** name_len- 0, local device name would not be included.
1746 ** otherwise, the local device name is included for
1747 ** up to this specified length
1748 **
1749 ** Returns Number of bytes in p_data.
1750 **
1751 *******************************************************************************/
BTM_BuildOobData(UINT8 * p_data,UINT16 max_len,BT_OCTET16 c,BT_OCTET16 r,UINT8 name_len)1752 UINT16 BTM_BuildOobData(UINT8 *p_data, UINT16 max_len, BT_OCTET16 c,
1753 BT_OCTET16 r, UINT8 name_len)
1754 {
1755 UINT8 *p = p_data;
1756 UINT16 len = 0;
1757 #if BTM_MAX_LOC_BD_NAME_LEN > 0
1758 UINT16 name_size;
1759 UINT8 name_type = BTM_EIR_SHORTENED_LOCAL_NAME_TYPE;
1760 #endif
1761
1762 if (p_data && max_len >= BTM_OOB_MANDATORY_SIZE)
1763 {
1764 /* add mandatory part */
1765 UINT16_TO_STREAM(p, len);
1766 BDADDR_TO_STREAM(p, controller_get_interface()->get_address()->address);
1767
1768 len = BTM_OOB_MANDATORY_SIZE;
1769 max_len -= len;
1770
1771 /* now optional part */
1772
1773 /* add Hash C */
1774 UINT16 delta = BTM_OOB_HASH_C_SIZE + 2;
1775 if (max_len >= delta)
1776 {
1777 *p++ = BTM_OOB_HASH_C_SIZE + 1;
1778 *p++ = BTM_EIR_OOB_SSP_HASH_C_TYPE;
1779 ARRAY_TO_STREAM(p, c, BTM_OOB_HASH_C_SIZE);
1780 len += delta;
1781 max_len -= delta;
1782 }
1783
1784 /* add Rand R */
1785 delta = BTM_OOB_RAND_R_SIZE + 2;
1786 if (max_len >= delta)
1787 {
1788 *p++ = BTM_OOB_RAND_R_SIZE + 1;
1789 *p++ = BTM_EIR_OOB_SSP_RAND_R_TYPE;
1790 ARRAY_TO_STREAM(p, r, BTM_OOB_RAND_R_SIZE);
1791 len += delta;
1792 max_len -= delta;
1793 }
1794
1795 /* add class of device */
1796 delta = BTM_OOB_COD_SIZE + 2;
1797 if (max_len >= delta)
1798 {
1799 *p++ = BTM_OOB_COD_SIZE + 1;
1800 *p++ = BTM_EIR_OOB_COD_TYPE;
1801 DEVCLASS_TO_STREAM(p, btm_cb.devcb.dev_class);
1802 len += delta;
1803 max_len -= delta;
1804 }
1805 #if BTM_MAX_LOC_BD_NAME_LEN > 0
1806 name_size = name_len;
1807 if (name_size > strlen(btm_cb.cfg.bd_name))
1808 {
1809 name_type = BTM_EIR_COMPLETE_LOCAL_NAME_TYPE;
1810 name_size = (UINT16)strlen(btm_cb.cfg.bd_name);
1811 }
1812 delta = name_size + 2;
1813 if (max_len >= delta)
1814 {
1815 *p++ = name_size + 1;
1816 *p++ = name_type;
1817 ARRAY_TO_STREAM (p, btm_cb.cfg.bd_name, name_size);
1818 len += delta;
1819 max_len -= delta;
1820 }
1821 #endif
1822 /* update len */
1823 p = p_data;
1824 UINT16_TO_STREAM(p, len);
1825 }
1826 return len;
1827 }
1828
1829 /*******************************************************************************
1830 **
1831 ** Function BTM_BothEndsSupportSecureConnections
1832 **
1833 ** Description This function is called to check if both the local device and the peer device
1834 ** specified by bd_addr support BR/EDR Secure Connections.
1835 **
1836 ** Parameters: bd_addr - address of the peer
1837 **
1838 ** Returns TRUE if BR/EDR Secure Connections are supported by both local
1839 ** and the remote device.
1840 ** else FALSE.
1841 **
1842 *******************************************************************************/
BTM_BothEndsSupportSecureConnections(BD_ADDR bd_addr)1843 BOOLEAN BTM_BothEndsSupportSecureConnections(BD_ADDR bd_addr)
1844 {
1845 return ((controller_get_interface()->supports_secure_connections()) &&
1846 (BTM_PeerSupportsSecureConnections(bd_addr)));
1847 }
1848
1849 /*******************************************************************************
1850 **
1851 ** Function BTM_PeerSupportsSecureConnections
1852 **
1853 ** Description This function is called to check if the peer supports
1854 ** BR/EDR Secure Connections.
1855 **
1856 ** Parameters: bd_addr - address of the peer
1857 **
1858 ** Returns TRUE if BR/EDR Secure Connections are supported by the peer,
1859 ** else FALSE.
1860 **
1861 *******************************************************************************/
BTM_PeerSupportsSecureConnections(BD_ADDR bd_addr)1862 BOOLEAN BTM_PeerSupportsSecureConnections(BD_ADDR bd_addr)
1863 {
1864 tBTM_SEC_DEV_REC *p_dev_rec;
1865
1866 if ((p_dev_rec = btm_find_dev(bd_addr)) == NULL)
1867 {
1868 BTM_TRACE_WARNING("%s: unknown BDA: %08x%04x", __FUNCTION__,
1869 (bd_addr[0]<<24) + (bd_addr[1]<<16) + (bd_addr[2]<<8) + bd_addr[3],
1870 (bd_addr[4]<< 8) + bd_addr[5]);
1871 return FALSE;
1872 }
1873
1874 return (p_dev_rec->remote_supports_secure_connections);
1875 }
1876
1877 /*******************************************************************************
1878 **
1879 ** Function BTM_ReadOobData
1880 **
1881 ** Description This function is called to parse the OOB data payload
1882 ** received over OOB (non-Bluetooth) link
1883 **
1884 ** Parameters: p_data - the location for OOB data
1885 ** eir_tag - The associated EIR tag to read the data.
1886 ** *p_len(output) - the length of the data with the given tag.
1887 **
1888 ** Returns the beginning of the data with the given tag.
1889 ** NULL, if the tag is not found.
1890 **
1891 *******************************************************************************/
BTM_ReadOobData(UINT8 * p_data,UINT8 eir_tag,UINT8 * p_len)1892 UINT8 * BTM_ReadOobData(UINT8 *p_data, UINT8 eir_tag, UINT8 *p_len)
1893 {
1894 UINT8 *p = p_data;
1895 UINT16 max_len;
1896 UINT8 len, type;
1897 UINT8 *p_ret = NULL;
1898 UINT8 ret_len = 0;
1899
1900 if (p_data)
1901 {
1902 STREAM_TO_UINT16(max_len, p);
1903 if (max_len >= BTM_OOB_MANDATORY_SIZE)
1904 {
1905 if (BTM_EIR_OOB_BD_ADDR_TYPE == eir_tag)
1906 {
1907 p_ret = p; /* the location for bd_addr */
1908 ret_len = BTM_OOB_BD_ADDR_SIZE;
1909 }
1910 else
1911 {
1912 p += BD_ADDR_LEN;
1913 max_len -= BTM_OOB_MANDATORY_SIZE;
1914 /* now the optional data in EIR format */
1915 while (max_len > 0)
1916 {
1917 len = *p++; /* tag data len + 1 */
1918 type = *p++;
1919 if (eir_tag == type)
1920 {
1921 p_ret = p;
1922 ret_len = len - 1;
1923 break;
1924 }
1925 /* the data size of this tag is len + 1 (tag data len + 2) */
1926 if (max_len > len)
1927 {
1928 max_len -= len;
1929 max_len--;
1930 len--;
1931 p += len;
1932 }
1933 else
1934 max_len = 0;
1935 }
1936 }
1937 }
1938 }
1939
1940 if (p_len)
1941 *p_len = ret_len;
1942
1943 return p_ret;
1944 }
1945
1946 /*******************************************************************************
1947 **
1948 ** Function BTM_SetOutService
1949 **
1950 ** Description This function is called to set the service for
1951 ** outgoing connections.
1952 **
1953 ** If the profile/application calls BTM_SetSecurityLevel
1954 ** before initiating a connection, this function does not
1955 ** need to be called.
1956 **
1957 ** Returns void
1958 **
1959 *******************************************************************************/
BTM_SetOutService(BD_ADDR bd_addr,UINT8 service_id,UINT32 mx_chan_id)1960 void BTM_SetOutService(BD_ADDR bd_addr, UINT8 service_id, UINT32 mx_chan_id)
1961 {
1962 tBTM_SEC_DEV_REC *p_dev_rec;
1963 tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0];
1964
1965 btm_cb.p_out_serv = p_serv_rec;
1966 p_dev_rec = btm_find_dev (bd_addr);
1967
1968 for (int i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++)
1969 {
1970 if ((p_serv_rec->security_flags & BTM_SEC_IN_USE)
1971 && (p_serv_rec->service_id == service_id)
1972 && (p_serv_rec->orig_mx_chan_id == mx_chan_id))
1973 {
1974 BTM_TRACE_API("BTM_SetOutService p_out_serv id %d, psm 0x%04x, proto_id %d, chan_id %d",
1975 p_serv_rec->service_id, p_serv_rec->psm, p_serv_rec->mx_proto_id, p_serv_rec->orig_mx_chan_id);
1976 btm_cb.p_out_serv = p_serv_rec;
1977 if (p_dev_rec)
1978 p_dev_rec->p_cur_service = p_serv_rec;
1979 break;
1980 }
1981 }
1982 }
1983
1984 /************************************************************************
1985 ** I N T E R N A L F U N C T I O N S
1986 *************************************************************************/
1987 /*******************************************************************************
1988 **
1989 ** Function btm_sec_is_upgrade_possible
1990 **
1991 ** Description This function returns TRUE if the existing link key
1992 ** can be upgraded or if the link key does not exist.
1993 **
1994 ** Returns BOOLEAN
1995 **
1996 *******************************************************************************/
btm_sec_is_upgrade_possible(tBTM_SEC_DEV_REC * p_dev_rec,BOOLEAN is_originator)1997 static BOOLEAN btm_sec_is_upgrade_possible(tBTM_SEC_DEV_REC *p_dev_rec, BOOLEAN is_originator)
1998 {
1999 UINT16 mtm_check = is_originator ? BTM_SEC_OUT_MITM : BTM_SEC_IN_MITM;
2000 BOOLEAN is_possible = TRUE;
2001
2002 if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)
2003 {
2004 is_possible = FALSE;
2005 if(p_dev_rec->p_cur_service)
2006 {
2007 BTM_TRACE_DEBUG ("%s() id: %d, link_key_typet: %d, rmt_io_caps: %d, chk flags: 0x%x, flags: 0x%x",
2008 __func__, p_dev_rec->p_cur_service->service_id, p_dev_rec->link_key_type,
2009 p_dev_rec->rmt_io_caps, mtm_check, p_dev_rec->p_cur_service->security_flags);
2010 }
2011 else
2012 {
2013 BTM_TRACE_DEBUG ("%s() link_key_typet: %d, rmt_io_caps: %d, chk flags: 0x%x",
2014 __func__, p_dev_rec->link_key_type, p_dev_rec->rmt_io_caps, mtm_check);
2015 }
2016 /* Already have a link key to the connected peer. Is the link key secure enough?
2017 ** Is a link key upgrade even possible?
2018 */
2019 if ((p_dev_rec->security_required & mtm_check) /* needs MITM */
2020 && ((p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB) ||
2021 (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256))
2022 /* has unauthenticated
2023 link key */
2024 && (p_dev_rec->rmt_io_caps < BTM_IO_CAP_MAX) /* a valid peer IO cap */
2025 && (btm_sec_io_map[p_dev_rec->rmt_io_caps][btm_cb.devcb.loc_io_caps]))
2026 /* authenticated
2027 link key is possible */
2028 {
2029 /* upgrade is possible: check if the application wants the upgrade.
2030 * If the application is configured to use a global MITM flag,
2031 * it probably would not want to upgrade the link key based on the security level database */
2032 is_possible = TRUE;
2033 }
2034 }
2035 BTM_TRACE_DEBUG ("%s() is_possible: %d sec_flags: 0x%x", __func__, is_possible, p_dev_rec->sec_flags);
2036 return is_possible;
2037 }
2038
2039 /*******************************************************************************
2040 **
2041 ** Function btm_sec_check_upgrade
2042 **
2043 ** Description This function is called to check if the existing link key
2044 ** needs to be upgraded.
2045 **
2046 ** Returns void
2047 **
2048 *******************************************************************************/
btm_sec_check_upgrade(tBTM_SEC_DEV_REC * p_dev_rec,BOOLEAN is_originator)2049 static void btm_sec_check_upgrade(tBTM_SEC_DEV_REC *p_dev_rec, BOOLEAN is_originator)
2050 {
2051
2052 BTM_TRACE_DEBUG ("%s()", __func__);
2053
2054 /* Only check if link key already exists */
2055 if (!(p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN))
2056 return;
2057
2058 if (btm_sec_is_upgrade_possible (p_dev_rec, is_originator) == TRUE)
2059 {
2060 BTM_TRACE_DEBUG ("need upgrade!! sec_flags:0x%x", p_dev_rec->sec_flags);
2061 /* upgrade is possible: check if the application wants the upgrade.
2062 * If the application is configured to use a global MITM flag,
2063 * it probably would not want to upgrade the link key based on the security level database */
2064 tBTM_SP_UPGRADE evt_data;
2065 memcpy (evt_data.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
2066 evt_data.upgrade = TRUE;
2067 if (btm_cb.api.p_sp_callback)
2068 (*btm_cb.api.p_sp_callback) (BTM_SP_UPGRADE_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
2069
2070 BTM_TRACE_DEBUG ("evt_data.upgrade:0x%x", evt_data.upgrade);
2071 if (evt_data.upgrade)
2072 {
2073 /* if the application confirms the upgrade, set the upgrade bit */
2074 p_dev_rec->sm4 |= BTM_SM4_UPGRADE;
2075
2076 /* Clear the link key known to go through authentication/pairing again */
2077 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED);
2078 p_dev_rec->sec_flags &= ~BTM_SEC_AUTHENTICATED;
2079 BTM_TRACE_DEBUG ("sec_flags:0x%x", p_dev_rec->sec_flags);
2080 }
2081 }
2082 }
2083
2084 /*******************************************************************************
2085 **
2086 ** Function btm_sec_l2cap_access_req
2087 **
2088 ** Description This function is called by the L2CAP to grant permission to
2089 ** establish L2CAP connection to or from the peer device.
2090 **
2091 ** Parameters: bd_addr - Address of the peer device
2092 ** psm - L2CAP PSM
2093 ** is_originator - TRUE if protocol above L2CAP originates
2094 ** connection
2095 ** p_callback - Pointer to callback function called if
2096 ** this function returns PENDING after required
2097 ** procedures are complete. MUST NOT BE NULL.
2098 **
2099 ** Returns tBTM_STATUS
2100 **
2101 *******************************************************************************/
btm_sec_l2cap_access_req(BD_ADDR bd_addr,UINT16 psm,UINT16 handle,CONNECTION_TYPE conn_type,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data)2102 tBTM_STATUS btm_sec_l2cap_access_req (BD_ADDR bd_addr, UINT16 psm, UINT16 handle,
2103 CONNECTION_TYPE conn_type,
2104 tBTM_SEC_CALLBACK *p_callback,
2105 void *p_ref_data)
2106 {
2107 tBTM_SEC_DEV_REC *p_dev_rec;
2108 tBTM_SEC_SERV_REC *p_serv_rec;
2109 UINT16 security_required;
2110 UINT16 old_security_required;
2111 BOOLEAN old_is_originator;
2112 tBTM_STATUS rc = BTM_SUCCESS;
2113 BOOLEAN chk_acp_auth_done = FALSE;
2114 BOOLEAN is_originator;
2115 tBT_TRANSPORT transport = BT_TRANSPORT_BR_EDR; /* should check PSM range in LE connection oriented L2CAP connection */
2116
2117 #if (L2CAP_UCD_INCLUDED == TRUE)
2118 if (conn_type & CONNECTION_TYPE_ORIG_MASK)
2119 is_originator = TRUE;
2120 else
2121 is_originator = FALSE;
2122
2123 BTM_TRACE_DEBUG ("%s() conn_type: 0x%x, 0x%x", __func__, conn_type, p_ref_data);
2124 #else
2125 is_originator = conn_type;
2126
2127 BTM_TRACE_DEBUG ("%s() is_originator:%d, 0x%x", __func__, is_originator, p_ref_data);
2128 #endif
2129
2130 /* Find or get oldest record */
2131 p_dev_rec = btm_find_or_alloc_dev (bd_addr);
2132
2133 p_dev_rec->hci_handle = handle;
2134
2135 /* Find the service record for the PSM */
2136 p_serv_rec = btm_sec_find_first_serv (conn_type, psm);
2137
2138 /* If there is no application registered with this PSM do not allow connection */
2139 if (!p_serv_rec)
2140 {
2141 BTM_TRACE_WARNING ("%s() PSM: %d no application registerd", __func__, psm);
2142 (*p_callback) (bd_addr, transport, p_ref_data, BTM_MODE_UNSUPPORTED);
2143 return(BTM_MODE_UNSUPPORTED);
2144 }
2145
2146 /* Services level0 by default have no security */
2147 if ((btm_sec_is_serv_level0(psm)) && (!btm_cb.devcb.secure_connections_only))
2148 {
2149 (*p_callback) (bd_addr,transport, p_ref_data, BTM_SUCCESS_NO_SECURITY);
2150 return(BTM_SUCCESS);
2151 }
2152 #if (L2CAP_UCD_INCLUDED == TRUE)
2153 if ( conn_type & CONNECTION_TYPE_CONNLESS_MASK )
2154 {
2155 if (btm_cb.security_mode == BTM_SEC_MODE_SC)
2156 {
2157 security_required = btm_sec_set_serv_level4_flags (p_serv_rec->ucd_security_flags,
2158 is_originator);
2159 }
2160 else
2161 {
2162 security_required = p_serv_rec->ucd_security_flags;
2163 }
2164
2165 rc = BTM_CMD_STARTED;
2166 if (is_originator)
2167 {
2168 if (((security_required & BTM_SEC_OUT_FLAGS) == 0) ||
2169 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_AUTHENTICATE) && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))) ||
2170 ((((security_required & BTM_SEC_OUT_FLAGS) == (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) && (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))) ||
2171 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_FLAGS) && (p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED))) )
2172 {
2173 rc = BTM_SUCCESS;
2174 }
2175 }
2176 else
2177 {
2178 if (((security_required & BTM_SEC_IN_FLAGS) == 0) ||
2179 ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHENTICATE) && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))) ||
2180 ((((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) && (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))) ||
2181 ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_FLAGS) && (p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED))) )
2182 {
2183 // Check for 16 digits (or MITM)
2184 if (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == 0) ||
2185 (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == BTM_SEC_IN_MIN_16_DIGIT_PIN) &&
2186 btm_dev_16_digit_authenticated(p_dev_rec))) {
2187 rc = BTM_SUCCESS;
2188 }
2189 }
2190 }
2191
2192 if ((rc == BTM_SUCCESS) && (security_required & BTM_SEC_MODE4_LEVEL4) &&
2193 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256))
2194 {
2195 rc = BTM_CMD_STARTED;
2196 }
2197
2198 if (rc == BTM_SUCCESS)
2199 {
2200 if (p_callback)
2201 (*p_callback) (bd_addr, transport, (void *)p_ref_data, BTM_SUCCESS);
2202
2203 return(BTM_SUCCESS);
2204 }
2205 }
2206 else
2207 #endif
2208 {
2209 if (btm_cb.security_mode == BTM_SEC_MODE_SC)
2210 {
2211 security_required = btm_sec_set_serv_level4_flags (p_serv_rec->security_flags,
2212 is_originator);
2213 }
2214 else
2215 {
2216 security_required = p_serv_rec->security_flags;
2217 }
2218 }
2219
2220 BTM_TRACE_DEBUG("%s: security_required 0x%04x, is_originator 0x%02x, psm 0x%04x",
2221 __FUNCTION__, security_required, is_originator, psm);
2222
2223 if ((!is_originator) && (security_required & BTM_SEC_MODE4_LEVEL4))
2224 {
2225 BOOLEAN local_supports_sc = controller_get_interface()->supports_secure_connections();
2226 /* acceptor receives L2CAP Channel Connect Request for Secure Connections Only service */
2227 if (!(local_supports_sc) || !(p_dev_rec->remote_supports_secure_connections))
2228 {
2229 BTM_TRACE_DEBUG("%s: SC only service, local_support_for_sc %d",
2230 "rmt_support_for_sc : %d -> fail pairing", __FUNCTION__,
2231 local_supports_sc,
2232 p_dev_rec->remote_supports_secure_connections);
2233 if (p_callback)
2234 (*p_callback) (bd_addr, transport, (void *)p_ref_data,
2235 BTM_MODE4_LEVEL4_NOT_SUPPORTED);
2236
2237 return (BTM_MODE4_LEVEL4_NOT_SUPPORTED);
2238 }
2239 }
2240
2241 /* there are some devices (moto KRZR) which connects to several services at the same time */
2242 /* we will process one after another */
2243 if ( (p_dev_rec->p_callback) || (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) )
2244 {
2245 BTM_TRACE_EVENT ("%s() - busy - PSM:%d delayed state: %s mode:%d, sm4:0x%x", __func__,
2246 psm, btm_pair_state_descr(btm_cb.pairing_state), btm_cb.security_mode, p_dev_rec->sm4);
2247 BTM_TRACE_EVENT ("security_flags:x%x, sec_flags:x%x", security_required, p_dev_rec->sec_flags);
2248 rc = BTM_CMD_STARTED;
2249 if ((btm_cb.security_mode == BTM_SEC_MODE_UNDEFINED ||
2250 btm_cb.security_mode == BTM_SEC_MODE_NONE ||
2251 btm_cb.security_mode == BTM_SEC_MODE_SERVICE ||
2252 btm_cb.security_mode == BTM_SEC_MODE_LINK) ||
2253 (BTM_SM4_KNOWN == p_dev_rec->sm4) || (BTM_SEC_IS_SM4(p_dev_rec->sm4) &&
2254 (btm_sec_is_upgrade_possible(p_dev_rec, is_originator) == FALSE)))
2255 {
2256 /* legacy mode - local is legacy or local is lisbon/peer is legacy
2257 * or SM4 with no possibility of link key upgrade */
2258 if (is_originator)
2259 {
2260 if (((security_required & BTM_SEC_OUT_FLAGS) == 0) ||
2261 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_AUTHENTICATE) && btm_dev_authenticated(p_dev_rec))) ||
2262 ((((security_required & BTM_SEC_OUT_FLAGS) == (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) && btm_dev_encrypted(p_dev_rec))) ||
2263 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_FLAGS) && btm_dev_authorized(p_dev_rec) && btm_dev_encrypted(p_dev_rec))) )
2264 {
2265 rc = BTM_SUCCESS;
2266 }
2267 }
2268 else
2269 {
2270 if (((security_required & BTM_SEC_IN_FLAGS) == 0) ||
2271 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHENTICATE) && btm_dev_authenticated(p_dev_rec)) ||
2272 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) && btm_dev_encrypted(p_dev_rec)) ||
2273 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHORIZE) && (btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec))) ||
2274 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_AUTHORIZE)) && ((btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec)) && btm_dev_authenticated(p_dev_rec))) ||
2275 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHORIZE)) && ((btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec)) && btm_dev_encrypted(p_dev_rec))) ||
2276 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_FLAGS) && btm_dev_encrypted(p_dev_rec) && (btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec))))
2277 {
2278 // Check for 16 digits (or MITM)
2279 if (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == 0) ||
2280 (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == BTM_SEC_IN_MIN_16_DIGIT_PIN) && btm_dev_16_digit_authenticated(p_dev_rec))) {
2281 rc = BTM_SUCCESS;
2282 }
2283 }
2284 }
2285
2286 if ((rc == BTM_SUCCESS) && (security_required & BTM_SEC_MODE4_LEVEL4) &&
2287 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256))
2288 {
2289 rc = BTM_CMD_STARTED;
2290 }
2291
2292 if (rc == BTM_SUCCESS)
2293 {
2294 if (p_callback)
2295 (*p_callback) (bd_addr, transport, (void *)p_ref_data, BTM_SUCCESS);
2296 return(BTM_SUCCESS);
2297 }
2298 }
2299
2300 btm_cb.sec_req_pending = TRUE;
2301 return(BTM_CMD_STARTED);
2302 }
2303
2304 /* Save pointer to service record */
2305 p_dev_rec->p_cur_service = p_serv_rec;
2306
2307 /* Modify security_required in btm_sec_l2cap_access_req for Lisbon */
2308 if (btm_cb.security_mode == BTM_SEC_MODE_SP ||
2309 btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
2310 btm_cb.security_mode == BTM_SEC_MODE_SC)
2311 {
2312 if (BTM_SEC_IS_SM4(p_dev_rec->sm4))
2313 {
2314 if (is_originator)
2315 {
2316 /* SM4 to SM4 -> always authenticate & encrypt */
2317 security_required |= (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT);
2318 }
2319 else /* acceptor */
2320 {
2321 /* SM4 to SM4: the acceptor needs to make sure the authentication is already done */
2322 chk_acp_auth_done = TRUE;
2323 /* SM4 to SM4 -> always authenticate & encrypt */
2324 security_required |= (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT);
2325 }
2326 }
2327 else if (!(BTM_SM4_KNOWN & p_dev_rec->sm4))
2328 {
2329 /* the remote features are not known yet */
2330 BTM_TRACE_DEBUG("%s: (%s) remote features unknown!!sec_flags:0x%02x", __FUNCTION__,
2331 (is_originator) ? "initiator" : "acceptor", p_dev_rec->sec_flags);
2332
2333 p_dev_rec->sm4 |= BTM_SM4_REQ_PEND;
2334 return (BTM_CMD_STARTED);
2335 }
2336 }
2337
2338 BTM_TRACE_DEBUG ("%s() sm4:0x%x, sec_flags:0x%x, security_required:0x%x chk:%d", __func__,
2339 p_dev_rec->sm4, p_dev_rec->sec_flags, security_required, chk_acp_auth_done);
2340
2341 old_security_required = p_dev_rec->security_required;
2342 old_is_originator = p_dev_rec->is_originator;
2343 p_dev_rec->security_required = security_required;
2344 p_dev_rec->p_ref_data = p_ref_data;
2345 p_dev_rec->is_originator = is_originator;
2346
2347 #if (L2CAP_UCD_INCLUDED == TRUE)
2348 if ( conn_type & CONNECTION_TYPE_CONNLESS_MASK )
2349 p_dev_rec->is_ucd = TRUE;
2350 else
2351 p_dev_rec->is_ucd = FALSE;
2352 #endif
2353
2354 /* If there are multiple service records used through the same PSM */
2355 /* leave security decision for the multiplexor on the top */
2356 #if (L2CAP_UCD_INCLUDED == TRUE)
2357 if (((btm_sec_find_next_serv (p_serv_rec)) != NULL)
2358 &&(!( conn_type & CONNECTION_TYPE_CONNLESS_MASK ))) /* if not UCD */
2359 #else
2360 if ((btm_sec_find_next_serv (p_serv_rec)) != NULL)
2361 #endif
2362 {
2363 BTM_TRACE_DEBUG ("no next_serv sm4:0x%x, chk:%d", p_dev_rec->sm4, chk_acp_auth_done);
2364 if (!BTM_SEC_IS_SM4(p_dev_rec->sm4))
2365 {
2366 BTM_TRACE_EVENT ("Security Manager: l2cap_access_req PSM:%d postponed for multiplexer", psm);
2367 /* pre-Lisbon: restore the old settings */
2368 p_dev_rec->security_required = old_security_required;
2369 p_dev_rec->is_originator = old_is_originator;
2370
2371 (*p_callback) (bd_addr, transport, p_ref_data, BTM_SUCCESS);
2372
2373 return(BTM_SUCCESS);
2374 }
2375 }
2376
2377 /* if the originator is using dynamic PSM in legacy mode, do not start any security process now
2378 * The layer above L2CAP needs to carry out the security requirement after L2CAP connect
2379 * response is received */
2380 if (is_originator &&
2381 ((btm_cb.security_mode == BTM_SEC_MODE_UNDEFINED ||
2382 btm_cb.security_mode == BTM_SEC_MODE_NONE ||
2383 btm_cb.security_mode == BTM_SEC_MODE_SERVICE ||
2384 btm_cb.security_mode == BTM_SEC_MODE_LINK) ||
2385 !BTM_SEC_IS_SM4(p_dev_rec->sm4)) && (psm >= 0x1001))
2386 {
2387 BTM_TRACE_EVENT ("dynamic PSM:0x%x in legacy mode - postponed for upper layer", psm);
2388 /* restore the old settings */
2389 p_dev_rec->security_required = old_security_required;
2390 p_dev_rec->is_originator = old_is_originator;
2391
2392 (*p_callback) (bd_addr, transport, p_ref_data, BTM_SUCCESS);
2393
2394 return(BTM_SUCCESS);
2395 }
2396
2397 if (chk_acp_auth_done)
2398 {
2399 BTM_TRACE_DEBUG ("(SM4 to SM4) btm_sec_l2cap_access_req rspd. authenticated: x%x, enc: x%x",
2400 (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED), (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED));
2401 /* SM4, but we do not know for sure which level of security we need.
2402 * as long as we have a link key, it's OK */
2403 if ((0 == (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))
2404 ||(0 == (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)))
2405 {
2406 rc = BTM_DELAY_CHECK;
2407 /*
2408 2046 may report HCI_Encryption_Change and L2C Connection Request out of sequence
2409 because of data path issues. Delay this disconnect a little bit
2410 */
2411 LOG_INFO(LOG_TAG, "%s peer should have initiated security process by now (SM4 to SM4)", __func__);
2412 p_dev_rec->p_callback = p_callback;
2413 p_dev_rec->sec_state = BTM_SEC_STATE_DELAY_FOR_ENC;
2414 (*p_callback) (bd_addr, transport, p_ref_data, rc);
2415
2416 return BTM_SUCCESS;
2417 }
2418 }
2419
2420 p_dev_rec->p_callback = p_callback;
2421
2422 if (p_dev_rec->last_author_service_id == BTM_SEC_NO_LAST_SERVICE_ID
2423 || p_dev_rec->last_author_service_id != p_dev_rec->p_cur_service->service_id)
2424 {
2425 /* Although authentication and encryption are per connection
2426 ** authorization is per access request. For example when serial connection
2427 ** is up and authorized and client requests to read file (access to other
2428 ** scn), we need to request user's permission again.
2429 */
2430 p_dev_rec->sec_flags &= ~BTM_SEC_AUTHORIZED;
2431 }
2432
2433 if (BTM_SEC_IS_SM4(p_dev_rec->sm4))
2434 {
2435 if ((p_dev_rec->security_required & BTM_SEC_MODE4_LEVEL4) &&
2436 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256))
2437 {
2438 /* BTM_LKEY_TYPE_AUTH_COMB_P_256 is the only acceptable key in this case */
2439 if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) != 0)
2440 {
2441 p_dev_rec->sm4 |= BTM_SM4_UPGRADE;
2442 }
2443 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED |
2444 BTM_SEC_AUTHENTICATED);
2445 BTM_TRACE_DEBUG ("%s: sec_flags:0x%x", __FUNCTION__, p_dev_rec->sec_flags);
2446 }
2447 else
2448 {
2449 /* If we already have a link key to the connected peer, is it secure enough? */
2450 btm_sec_check_upgrade(p_dev_rec, is_originator);
2451 }
2452 }
2453
2454 BTM_TRACE_EVENT ("%s() PSM:%d Handle:%d State:%d Flags: 0x%x Required: 0x%x Service ID:%d",
2455 __func__, psm, handle, p_dev_rec->sec_state, p_dev_rec->sec_flags,
2456 p_dev_rec->security_required, p_dev_rec->p_cur_service->service_id);
2457
2458 if ((rc = btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED)
2459 {
2460 p_dev_rec->p_callback = NULL;
2461 (*p_callback) (bd_addr, transport, p_dev_rec->p_ref_data, (UINT8)rc);
2462 }
2463
2464 return(rc);
2465 }
2466
2467 /*******************************************************************************
2468 **
2469 ** Function btm_sec_mx_access_request
2470 **
2471 ** Description This function is called by all Multiplexing Protocols during
2472 ** establishing connection to or from peer device to grant
2473 ** permission to establish application connection.
2474 **
2475 ** Parameters: bd_addr - Address of the peer device
2476 ** psm - L2CAP PSM
2477 ** is_originator - TRUE if protocol above L2CAP originates
2478 ** connection
2479 ** mx_proto_id - protocol ID of the multiplexer
2480 ** mx_chan_id - multiplexer channel to reach application
2481 ** p_callback - Pointer to callback function called if
2482 ** this function returns PENDING after required
2483 ** procedures are completed
2484 ** p_ref_data - Pointer to any reference data needed by the
2485 ** the callback function.
2486 **
2487 ** Returns BTM_CMD_STARTED
2488 **
2489 *******************************************************************************/
btm_sec_mx_access_request(BD_ADDR bd_addr,UINT16 psm,BOOLEAN is_originator,UINT32 mx_proto_id,UINT32 mx_chan_id,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data)2490 tBTM_STATUS btm_sec_mx_access_request (BD_ADDR bd_addr, UINT16 psm, BOOLEAN is_originator,
2491 UINT32 mx_proto_id, UINT32 mx_chan_id,
2492 tBTM_SEC_CALLBACK *p_callback, void *p_ref_data)
2493 {
2494 tBTM_SEC_DEV_REC *p_dev_rec;
2495 tBTM_SEC_SERV_REC *p_serv_rec;
2496 tBTM_STATUS rc;
2497 UINT16 security_required;
2498 BOOLEAN transport = FALSE;/* should check PSM range in LE connection oriented L2CAP connection */
2499
2500 BTM_TRACE_DEBUG ("%s() is_originator: %d", __func__, is_originator);
2501 /* Find or get oldest record */
2502 p_dev_rec = btm_find_or_alloc_dev (bd_addr);
2503
2504 /* Find the service record for the PSM */
2505 p_serv_rec = btm_sec_find_mx_serv (is_originator, psm, mx_proto_id, mx_chan_id);
2506
2507 /* If there is no application registered with this PSM do not allow connection */
2508 if (!p_serv_rec)
2509 {
2510 if (p_callback)
2511 (*p_callback) (bd_addr, transport, p_ref_data, BTM_MODE_UNSUPPORTED);
2512
2513 BTM_TRACE_ERROR ("Security Manager: MX service not found PSM:%d Proto:%d SCN:%d",
2514 psm, mx_proto_id, mx_chan_id);
2515 return BTM_NO_RESOURCES;
2516 }
2517
2518 if ((btm_cb.security_mode == BTM_SEC_MODE_SC) && (!btm_sec_is_serv_level0(psm)))
2519 {
2520 security_required = btm_sec_set_serv_level4_flags (p_serv_rec->security_flags,
2521 is_originator);
2522 }
2523 else
2524 {
2525 security_required = p_serv_rec->security_flags;
2526 }
2527
2528 /* there are some devices (moto phone) which connects to several services at the same time */
2529 /* we will process one after another */
2530 if ( (p_dev_rec->p_callback) || (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) )
2531 {
2532 BTM_TRACE_EVENT ("%s() service PSM:%d Proto:%d SCN:%d delayed state: %s", __func__,
2533 psm, mx_proto_id, mx_chan_id, btm_pair_state_descr(btm_cb.pairing_state));
2534
2535 rc = BTM_CMD_STARTED;
2536
2537 if ((btm_cb.security_mode == BTM_SEC_MODE_UNDEFINED ||
2538 btm_cb.security_mode == BTM_SEC_MODE_NONE ||
2539 btm_cb.security_mode == BTM_SEC_MODE_SERVICE ||
2540 btm_cb.security_mode == BTM_SEC_MODE_LINK) ||
2541 (BTM_SM4_KNOWN == p_dev_rec->sm4) || (BTM_SEC_IS_SM4(p_dev_rec->sm4) &&
2542 (btm_sec_is_upgrade_possible(p_dev_rec, is_originator) == FALSE)))
2543 {
2544 /* legacy mode - local is legacy or local is lisbon/peer is legacy
2545 * or SM4 with no possibility of link key upgrade */
2546 if (is_originator)
2547 {
2548 if (((security_required & BTM_SEC_OUT_FLAGS) == 0) ||
2549 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_AUTHENTICATE) && btm_dev_authenticated(p_dev_rec))) ||
2550 ((((security_required & BTM_SEC_OUT_FLAGS) == (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) && btm_dev_encrypted(p_dev_rec)))
2551 )
2552 {
2553 rc = BTM_SUCCESS;
2554 }
2555 }
2556 else
2557 {
2558 if (((security_required & BTM_SEC_IN_FLAGS) == 0) ||
2559 ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHENTICATE) && btm_dev_authenticated(p_dev_rec))) ||
2560 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHORIZE) && (btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec))) ||
2561 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_AUTHENTICATE)) && ((btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec)) && btm_dev_authenticated(p_dev_rec))) ||
2562 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT)) && ((btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec))&& btm_dev_encrypted(p_dev_rec))) ||
2563 ((((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) && btm_dev_encrypted(p_dev_rec)))
2564 )
2565 {
2566 // Check for 16 digits (or MITM)
2567 if (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == 0) ||
2568 (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == BTM_SEC_IN_MIN_16_DIGIT_PIN) && btm_dev_16_digit_authenticated(p_dev_rec))) {
2569 rc = BTM_SUCCESS;
2570 }
2571 }
2572 }
2573 if ((rc == BTM_SUCCESS) && (security_required & BTM_SEC_MODE4_LEVEL4) &&
2574 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256))
2575 {
2576 rc = BTM_CMD_STARTED;
2577 }
2578 }
2579
2580 if (rc == BTM_SUCCESS)
2581 {
2582 BTM_TRACE_EVENT("%s: allow to bypass, checking authorization", __FUNCTION__);
2583 /* the security in BTM_SEC_IN_FLAGS is fullfilled so far, check the requirements in */
2584 /* btm_sec_execute_procedure */
2585 if ((is_originator && (p_serv_rec->security_flags & BTM_SEC_OUT_AUTHORIZE)) ||
2586 (!is_originator && (p_serv_rec->security_flags & BTM_SEC_IN_AUTHORIZE)))
2587 {
2588 BTM_TRACE_EVENT("%s: still need authorization", __FUNCTION__);
2589 rc = BTM_CMD_STARTED;
2590 }
2591 }
2592
2593 /* Check whether there is a pending security procedure, if so we should always queue */
2594 /* the new security request */
2595 if (p_dev_rec->sec_state != BTM_SEC_STATE_IDLE)
2596 {
2597 BTM_TRACE_EVENT("%s: There is a pending security procedure", __FUNCTION__);
2598 rc = BTM_CMD_STARTED;
2599 }
2600 if (rc == BTM_CMD_STARTED)
2601 {
2602 BTM_TRACE_EVENT("%s: call btm_sec_queue_mx_request", __FUNCTION__);
2603 btm_sec_queue_mx_request (bd_addr, psm, is_originator, mx_proto_id,
2604 mx_chan_id, p_callback, p_ref_data);
2605 }
2606 else /* rc == BTM_SUCCESS */
2607 {
2608 /* access granted */
2609 if (p_callback)
2610 {
2611 (*p_callback) (bd_addr, transport, p_ref_data, (UINT8)rc);
2612 }
2613 }
2614
2615 BTM_TRACE_EVENT("%s: return with rc = 0x%02x in delayed state %s", __FUNCTION__, rc,
2616 btm_pair_state_descr(btm_cb.pairing_state));
2617 return rc;
2618 }
2619
2620 if ((!is_originator) && ((security_required & BTM_SEC_MODE4_LEVEL4) ||
2621 (btm_cb.security_mode == BTM_SEC_MODE_SC)))
2622 {
2623 BOOLEAN local_supports_sc = controller_get_interface()->supports_secure_connections();
2624 /* acceptor receives service connection establishment Request for */
2625 /* Secure Connections Only service */
2626 if (!(local_supports_sc) || !(p_dev_rec->remote_supports_secure_connections))
2627 {
2628 BTM_TRACE_DEBUG("%s: SC only service,local_support_for_sc %d,",
2629 "remote_support_for_sc %d: fail pairing",__FUNCTION__,
2630 local_supports_sc, p_dev_rec->remote_supports_secure_connections);
2631
2632 if (p_callback)
2633 (*p_callback) (bd_addr, transport, (void *)p_ref_data,
2634 BTM_MODE4_LEVEL4_NOT_SUPPORTED);
2635
2636 return (BTM_MODE4_LEVEL4_NOT_SUPPORTED);
2637 }
2638 }
2639
2640 p_dev_rec->p_cur_service = p_serv_rec;
2641 p_dev_rec->security_required = security_required;
2642
2643 if (btm_cb.security_mode == BTM_SEC_MODE_SP ||
2644 btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
2645 btm_cb.security_mode == BTM_SEC_MODE_SC)
2646 {
2647 if (BTM_SEC_IS_SM4(p_dev_rec->sm4))
2648 {
2649 if ((p_dev_rec->security_required & BTM_SEC_MODE4_LEVEL4) &&
2650 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256))
2651 {
2652 /* BTM_LKEY_TYPE_AUTH_COMB_P_256 is the only acceptable key in this case */
2653 if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) != 0)
2654 {
2655 p_dev_rec->sm4 |= BTM_SM4_UPGRADE;
2656 }
2657
2658 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED |
2659 BTM_SEC_AUTHENTICATED);
2660 BTM_TRACE_DEBUG("%s: sec_flags:0x%x", __FUNCTION__, p_dev_rec->sec_flags);
2661 }
2662 else
2663 {
2664 /* If we already have a link key, check if that link key is good enough */
2665 btm_sec_check_upgrade(p_dev_rec, is_originator);
2666 }
2667 }
2668 }
2669
2670 p_dev_rec->is_originator = is_originator;
2671 p_dev_rec->p_callback = p_callback;
2672 p_dev_rec->p_ref_data = p_ref_data;
2673
2674 /* Although authentication and encryption are per connection */
2675 /* authorization is per access request. For example when serial connection */
2676 /* is up and authorized and client requests to read file (access to other */
2677 /* scn, we need to request user's permission again. */
2678 p_dev_rec->sec_flags &= ~(BTM_SEC_AUTHORIZED);
2679
2680 BTM_TRACE_EVENT ("%s() proto_id:%d chan_id:%d State:%d Flags:0x%x Required:0x%x Service ID:%d",
2681 __func__, mx_proto_id, mx_chan_id, p_dev_rec->sec_state, p_dev_rec->sec_flags,
2682 p_dev_rec->security_required, p_dev_rec->p_cur_service->service_id);
2683
2684 if ((rc = btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED)
2685 {
2686 if (p_callback)
2687 {
2688 p_dev_rec->p_callback = NULL;
2689 (*p_callback) (bd_addr,transport, p_ref_data, (UINT8)rc);
2690 }
2691 }
2692
2693 return rc;
2694 }
2695
2696 /*******************************************************************************
2697 **
2698 ** Function btm_sec_conn_req
2699 **
2700 ** Description This function is when the peer device is requesting
2701 ** connection
2702 **
2703 ** Returns void
2704 **
2705 *******************************************************************************/
btm_sec_conn_req(UINT8 * bda,UINT8 * dc)2706 void btm_sec_conn_req (UINT8 *bda, UINT8 *dc)
2707 {
2708 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bda);
2709
2710 /* Some device may request a connection before we are done with the HCI_Reset sequence */
2711 if (!controller_get_interface()->get_is_ready())
2712 {
2713 BTM_TRACE_EVENT ("Security Manager: connect request when device not ready");
2714 btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2715 return;
2716 }
2717
2718 /* Security guys wants us not to allow connection from not paired devices */
2719
2720 /* Check if connection is allowed for only paired devices */
2721 if (btm_cb.connect_only_paired)
2722 {
2723 if (!p_dev_rec || !(p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED))
2724 {
2725 BTM_TRACE_EVENT ("Security Manager: connect request from non-paired device");
2726 btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2727 return;
2728 }
2729 }
2730
2731 #if BTM_ALLOW_CONN_IF_NONDISCOVER == FALSE
2732 /* If non-discoverable, only allow known devices to connect */
2733 if (btm_cb.btm_inq_vars.discoverable_mode == BTM_NON_DISCOVERABLE)
2734 {
2735 if (!p_dev_rec)
2736 {
2737 BTM_TRACE_EVENT ("Security Manager: connect request from not paired device");
2738 btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2739 return;
2740 }
2741 }
2742 #endif
2743
2744 if ((btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
2745 &&(btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
2746 &&(!memcmp (btm_cb.pairing_bda, bda, BD_ADDR_LEN)))
2747 {
2748 BTM_TRACE_EVENT ("Security Manager: reject connect request from bonding device");
2749
2750 /* incoming connection from bonding device is rejected */
2751 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_REJECTED_CONNECT;
2752 btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2753 return;
2754 }
2755
2756 /* Host is not interested or approved connection. Save BDA and DC and */
2757 /* pass request to L2CAP */
2758 memcpy (btm_cb.connecting_bda, bda, BD_ADDR_LEN);
2759 memcpy (btm_cb.connecting_dc, dc, DEV_CLASS_LEN);
2760
2761 if (l2c_link_hci_conn_req (bda))
2762 {
2763 if (!p_dev_rec)
2764 {
2765 /* accept the connection -> allocate a device record */
2766 p_dev_rec = btm_sec_alloc_dev (bda);
2767 }
2768 if (p_dev_rec)
2769 {
2770 p_dev_rec->sm4 |= BTM_SM4_CONN_PEND;
2771 }
2772 }
2773 }
2774
2775 /*******************************************************************************
2776 **
2777 ** Function btm_sec_bond_cancel_complete
2778 **
2779 ** Description This function is called to report bond cancel complete
2780 ** event.
2781 **
2782 ** Returns void
2783 **
2784 *******************************************************************************/
btm_sec_bond_cancel_complete(void)2785 static void btm_sec_bond_cancel_complete (void)
2786 {
2787 tBTM_SEC_DEV_REC *p_dev_rec;
2788
2789 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE) ||
2790 (BTM_PAIR_STATE_WAIT_LOCAL_PIN == btm_cb.pairing_state &&
2791 BTM_PAIR_FLAGS_WE_STARTED_DD & btm_cb.pairing_flags) ||
2792 (btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME &&
2793 BTM_PAIR_FLAGS_WE_CANCEL_DD & btm_cb.pairing_flags))
2794 {
2795 /* for dedicated bonding in legacy mode, authentication happens at "link level"
2796 * btm_sec_connected is called with failed status.
2797 * In theory, the code that handles is_pairing_device/TRUE should clean out security related code.
2798 * However, this function may clean out the security related flags and btm_sec_connected would not know
2799 * this function also needs to do proper clean up.
2800 */
2801 if ((p_dev_rec = btm_find_dev (btm_cb.pairing_bda)) != NULL)
2802 p_dev_rec->security_required = BTM_SEC_NONE;
2803 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
2804
2805 /* Notify application that the cancel succeeded */
2806 if (btm_cb.api.p_bond_cancel_cmpl_callback)
2807 btm_cb.api.p_bond_cancel_cmpl_callback(BTM_SUCCESS);
2808 }
2809 }
2810
2811 /*******************************************************************************
2812 **
2813 ** Function btm_create_conn_cancel_complete
2814 **
2815 ** Description This function is called when the command complete message
2816 ** is received from the HCI for the create connection cancel
2817 ** command.
2818 **
2819 ** Returns void
2820 **
2821 *******************************************************************************/
btm_create_conn_cancel_complete(UINT8 * p)2822 void btm_create_conn_cancel_complete (UINT8 *p)
2823 {
2824 UINT8 status;
2825
2826 STREAM_TO_UINT8 (status, p);
2827 BTM_TRACE_EVENT ("btm_create_conn_cancel_complete(): in State: %s status:%d",
2828 btm_pair_state_descr(btm_cb.pairing_state), status);
2829
2830 /* if the create conn cancel cmd was issued by the bond cancel,
2831 ** the application needs to be notified that bond cancel succeeded
2832 */
2833 switch (status)
2834 {
2835 case HCI_SUCCESS:
2836 btm_sec_bond_cancel_complete();
2837 break;
2838 case HCI_ERR_CONNECTION_EXISTS:
2839 case HCI_ERR_NO_CONNECTION:
2840 default:
2841 /* Notify application of the error */
2842 if (btm_cb.api.p_bond_cancel_cmpl_callback)
2843 btm_cb.api.p_bond_cancel_cmpl_callback(BTM_ERR_PROCESSING);
2844 break;
2845 }
2846 }
2847
2848 /*******************************************************************************
2849 **
2850 ** Function btm_sec_check_pending_reqs
2851 **
2852 ** Description This function is called at the end of the security procedure
2853 ** to let L2CAP and RFCOMM know to re-submit any pending requests
2854 **
2855 ** Returns void
2856 **
2857 *******************************************************************************/
btm_sec_check_pending_reqs(void)2858 void btm_sec_check_pending_reqs (void)
2859 {
2860 if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
2861 {
2862 /* First, resubmit L2CAP requests */
2863 if (btm_cb.sec_req_pending)
2864 {
2865 btm_cb.sec_req_pending = FALSE;
2866 l2cu_resubmit_pending_sec_req (NULL);
2867 }
2868
2869 /* Now, re-submit anything in the mux queue */
2870 fixed_queue_t *bq = btm_cb.sec_pending_q;
2871
2872 btm_cb.sec_pending_q = fixed_queue_new(SIZE_MAX);
2873
2874 tBTM_SEC_QUEUE_ENTRY *p_e;
2875 while ((p_e = (tBTM_SEC_QUEUE_ENTRY *)fixed_queue_try_dequeue(bq)) != NULL)
2876 {
2877 /* Check that the ACL is still up before starting security procedures */
2878 if (btm_bda_to_acl(p_e->bd_addr, p_e->transport) != NULL)
2879 {
2880 if (p_e->psm != 0)
2881 {
2882 BTM_TRACE_EVENT("%s PSM:0x%04x Is_Orig:%u mx_proto_id:%u mx_chan_id:%u",
2883 __FUNCTION__, p_e->psm, p_e->is_orig,
2884 p_e->mx_proto_id, p_e->mx_chan_id);
2885
2886 btm_sec_mx_access_request (p_e->bd_addr, p_e->psm, p_e->is_orig,
2887 p_e->mx_proto_id, p_e->mx_chan_id,
2888 p_e->p_callback, p_e->p_ref_data);
2889 }
2890 else
2891 {
2892 BTM_SetEncryption(p_e->bd_addr, p_e->transport, p_e->p_callback,
2893 p_e->p_ref_data, p_e->sec_act);
2894 }
2895 }
2896
2897 osi_free(p_e);
2898 }
2899 fixed_queue_free(bq, NULL);
2900 }
2901 }
2902
2903 /*******************************************************************************
2904 **
2905 ** Function btm_sec_init
2906 **
2907 ** Description This function is on the SEC startup
2908 **
2909 ** Returns void
2910 **
2911 *******************************************************************************/
btm_sec_init(UINT8 sec_mode)2912 void btm_sec_init (UINT8 sec_mode)
2913 {
2914 btm_cb.security_mode = sec_mode;
2915 memset (btm_cb.pairing_bda, 0xff, BD_ADDR_LEN);
2916 btm_cb.max_collision_delay = BTM_SEC_MAX_COLLISION_DELAY;
2917 }
2918
2919 /*******************************************************************************
2920 **
2921 ** Function btm_sec_device_down
2922 **
2923 ** Description This function should be called when device is disabled or
2924 ** turned off
2925 **
2926 ** Returns void
2927 **
2928 *******************************************************************************/
btm_sec_device_down(void)2929 void btm_sec_device_down (void)
2930 {
2931 BTM_TRACE_EVENT ("%s() State: %s", __func__, btm_pair_state_descr(btm_cb.pairing_state));
2932 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
2933 }
2934
2935 /*******************************************************************************
2936 **
2937 ** Function btm_sec_dev_reset
2938 **
2939 ** Description This function should be called after device reset
2940 **
2941 ** Returns void
2942 **
2943 *******************************************************************************/
btm_sec_dev_reset(void)2944 void btm_sec_dev_reset (void)
2945 {
2946 if (controller_get_interface()->supports_simple_pairing())
2947 {
2948 /* set the default IO capabilities */
2949 btm_cb.devcb.loc_io_caps = BTM_LOCAL_IO_CAPS;
2950 /* add mx service to use no security */
2951 BTM_SetSecurityLevel(FALSE, "RFC_MUX", BTM_SEC_SERVICE_RFC_MUX,
2952 BTM_SEC_NONE, BT_PSM_RFCOMM, BTM_SEC_PROTO_RFCOMM, 0);
2953 }
2954 else
2955 {
2956 btm_cb.security_mode = BTM_SEC_MODE_SERVICE;
2957 }
2958
2959 BTM_TRACE_DEBUG ("btm_sec_dev_reset sec mode: %d", btm_cb.security_mode);
2960 }
2961
2962 /*******************************************************************************
2963 **
2964 ** Function btm_sec_abort_access_req
2965 **
2966 ** Description This function is called by the L2CAP or RFCOMM to abort
2967 ** the pending operation.
2968 **
2969 ** Parameters: bd_addr - Address of the peer device
2970 **
2971 ** Returns void
2972 **
2973 *******************************************************************************/
btm_sec_abort_access_req(BD_ADDR bd_addr)2974 void btm_sec_abort_access_req (BD_ADDR bd_addr)
2975 {
2976 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr);
2977
2978 if (!p_dev_rec)
2979 return;
2980
2981 if ((p_dev_rec->sec_state != BTM_SEC_STATE_AUTHORIZING)
2982 && (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING))
2983 return;
2984
2985 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
2986 p_dev_rec->p_callback = NULL;
2987 }
2988
2989 /*******************************************************************************
2990 **
2991 ** Function btm_sec_dd_create_conn
2992 **
2993 ** Description This function is called to create the ACL connection for
2994 ** the dedicated boding process
2995 **
2996 ** Returns void
2997 **
2998 *******************************************************************************/
btm_sec_dd_create_conn(tBTM_SEC_DEV_REC * p_dev_rec)2999 static tBTM_STATUS btm_sec_dd_create_conn (tBTM_SEC_DEV_REC *p_dev_rec)
3000 {
3001 tL2C_LCB *p_lcb = l2cu_find_lcb_by_bd_addr(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR);
3002 if (p_lcb && (p_lcb->link_state == LST_CONNECTED || p_lcb->link_state == LST_CONNECTING))
3003 {
3004 BTM_TRACE_WARNING("%s Connection already exists", __func__);
3005 return BTM_CMD_STARTED;
3006 }
3007
3008 /* Make sure an L2cap link control block is available */
3009 if (!p_lcb && (p_lcb = l2cu_allocate_lcb (p_dev_rec->bd_addr, TRUE, BT_TRANSPORT_BR_EDR)) == NULL)
3010 {
3011 BTM_TRACE_WARNING ("Security Manager: failed allocate LCB [%02x%02x%02x%02x%02x%02x]",
3012 p_dev_rec->bd_addr[0], p_dev_rec->bd_addr[1], p_dev_rec->bd_addr[2],
3013 p_dev_rec->bd_addr[3], p_dev_rec->bd_addr[4], p_dev_rec->bd_addr[5]);
3014
3015 return(BTM_NO_RESOURCES);
3016 }
3017
3018 /* set up the control block to indicated dedicated bonding */
3019 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_DISC_WHEN_DONE;
3020
3021 if (l2cu_create_conn(p_lcb, BT_TRANSPORT_BR_EDR) == FALSE)
3022 {
3023 BTM_TRACE_WARNING ("Security Manager: failed create [%02x%02x%02x%02x%02x%02x]",
3024 p_dev_rec->bd_addr[0], p_dev_rec->bd_addr[1], p_dev_rec->bd_addr[2],
3025 p_dev_rec->bd_addr[3], p_dev_rec->bd_addr[4], p_dev_rec->bd_addr[5]);
3026
3027 l2cu_release_lcb(p_lcb);
3028 return(BTM_NO_RESOURCES);
3029 }
3030
3031 btm_acl_update_busy_level (BTM_BLI_PAGE_EVT);
3032
3033 BTM_TRACE_DEBUG ("Security Manager: btm_sec_dd_create_conn [%02x%02x%02x%02x%02x%02x]",
3034 p_dev_rec->bd_addr[0], p_dev_rec->bd_addr[1], p_dev_rec->bd_addr[2],
3035 p_dev_rec->bd_addr[3], p_dev_rec->bd_addr[4], p_dev_rec->bd_addr[5]);
3036
3037 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
3038
3039 return(BTM_CMD_STARTED);
3040 }
3041
3042
is_state_getting_name(void * data,void * context)3043 bool is_state_getting_name(void *data, void *context)
3044 {
3045 tBTM_SEC_DEV_REC *p_dev_rec = data;
3046
3047 if (p_dev_rec->sec_state == BTM_SEC_STATE_GETTING_NAME) {
3048 return false;
3049 }
3050 return true;
3051 }
3052
3053 /*******************************************************************************
3054 **
3055 ** Function btm_sec_rmt_name_request_complete
3056 *
3057 ** Description This function is called when remote name was obtained from
3058 ** the peer device
3059 **
3060 ** Returns void
3061 **
3062 *******************************************************************************/
btm_sec_rmt_name_request_complete(UINT8 * p_bd_addr,UINT8 * p_bd_name,UINT8 status)3063 void btm_sec_rmt_name_request_complete (UINT8 *p_bd_addr, UINT8 *p_bd_name, UINT8 status)
3064 {
3065 tBTM_SEC_DEV_REC *p_dev_rec;
3066 int i;
3067 DEV_CLASS dev_class;
3068 UINT8 old_sec_state;
3069
3070 BTM_TRACE_EVENT ("btm_sec_rmt_name_request_complete");
3071 if (((p_bd_addr == NULL) && !BTM_ACL_IS_CONNECTED(btm_cb.connecting_bda))
3072 || ((p_bd_addr != NULL) && !BTM_ACL_IS_CONNECTED(p_bd_addr)))
3073 {
3074 btm_acl_resubmit_page();
3075 }
3076
3077 /* If remote name request failed, p_bd_addr is null and we need to search */
3078 /* based on state assuming that we are doing 1 at a time */
3079 if (p_bd_addr)
3080 p_dev_rec = btm_find_dev (p_bd_addr);
3081 else
3082 {
3083 list_node_t *node = list_foreach(btm_cb.sec_dev_rec, is_state_getting_name, NULL);
3084 if (node != NULL) {
3085 p_dev_rec = list_node(node);
3086 p_bd_addr = p_dev_rec->bd_addr;
3087 } else {
3088 p_dev_rec = NULL;
3089 }
3090 }
3091
3092 /* Commenting out trace due to obf/compilation problems.
3093 */
3094 #if (BT_USE_TRACES == TRUE)
3095 if (!p_bd_name)
3096 p_bd_name = (UINT8 *)"";
3097
3098 if (p_dev_rec)
3099 {
3100 BTM_TRACE_EVENT ("%s PairState: %s RemName: %s status: %d State:%d p_dev_rec: 0x%08x ", __func__,
3101 btm_pair_state_descr (btm_cb.pairing_state), p_bd_name,
3102 status, p_dev_rec->sec_state, p_dev_rec);
3103 } else {
3104 BTM_TRACE_EVENT ("%s PairState: %s RemName: %s status: %d", __func__,
3105 btm_pair_state_descr (btm_cb.pairing_state), p_bd_name,
3106 status);
3107 }
3108 #endif
3109
3110 if (p_dev_rec)
3111 {
3112 old_sec_state = p_dev_rec->sec_state;
3113 if (status == HCI_SUCCESS)
3114 {
3115 strlcpy((char *)p_dev_rec->sec_bd_name, (char *)p_bd_name, BTM_MAX_REM_BD_NAME_LEN);
3116 p_dev_rec->sec_flags |= BTM_SEC_NAME_KNOWN;
3117 BTM_TRACE_EVENT ("setting BTM_SEC_NAME_KNOWN sec_flags:0x%x", p_dev_rec->sec_flags);
3118 }
3119 else
3120 {
3121 /* Notify all clients waiting for name to be resolved even if it failed so clients can continue */
3122 p_dev_rec->sec_bd_name[0] = 0;
3123 }
3124
3125 if (p_dev_rec->sec_state == BTM_SEC_STATE_GETTING_NAME)
3126 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
3127
3128 /* Notify all clients waiting for name to be resolved */
3129 for (i = 0;i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
3130 {
3131 if (btm_cb.p_rmt_name_callback[i] && p_bd_addr)
3132 (*btm_cb.p_rmt_name_callback[i])(p_bd_addr, p_dev_rec->dev_class,
3133 p_dev_rec->sec_bd_name);
3134 }
3135 } else {
3136 dev_class[0] = 0;
3137 dev_class[1] = 0;
3138 dev_class[2] = 0;
3139
3140 /* Notify all clients waiting for name to be resolved even if not found so clients can continue */
3141 for (i = 0;i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
3142 {
3143 if (btm_cb.p_rmt_name_callback[i] && p_bd_addr)
3144 (*btm_cb.p_rmt_name_callback[i])(p_bd_addr, dev_class, (UINT8 *)"");
3145 }
3146
3147 return;
3148 }
3149
3150 /* If we were delaying asking UI for a PIN because name was not resolved, ask now */
3151 if ( (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_LOCAL_PIN) && p_bd_addr
3152 && (memcmp (btm_cb.pairing_bda, p_bd_addr, BD_ADDR_LEN) == 0) )
3153 {
3154 BTM_TRACE_EVENT ("%s() delayed pin now being requested flags:0x%x, (p_pin_callback=0x%p)",
3155 __func__, btm_cb.pairing_flags, btm_cb.api.p_pin_callback);
3156
3157 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PIN_REQD) == 0 && btm_cb.api.p_pin_callback)
3158 {
3159 BTM_TRACE_EVENT ("%s() calling pin_callback", __func__);
3160 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
3161 (*btm_cb.api.p_pin_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class, p_bd_name,
3162 (p_dev_rec->p_cur_service==NULL) ? FALSE
3163 : (p_dev_rec->p_cur_service->security_flags & BTM_SEC_IN_MIN_16_DIGIT_PIN));
3164 }
3165
3166 /* Set the same state again to force the timer to be restarted */
3167 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_PIN);
3168 return;
3169 }
3170
3171 /* Check if we were delaying bonding because name was not resolved */
3172 if ( btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME)
3173 {
3174 if (p_bd_addr && memcmp (btm_cb.pairing_bda, p_bd_addr, BD_ADDR_LEN) == 0)
3175 {
3176 BTM_TRACE_EVENT ("%s() continue bonding sm4: 0x%04x, status:0x%x", __func__, p_dev_rec->sm4, status);
3177 if(btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_CANCEL_DD)
3178 {
3179 btm_sec_bond_cancel_complete();
3180 return;
3181 }
3182
3183 if (status != HCI_SUCCESS)
3184 {
3185 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
3186
3187 if (btm_cb.api.p_auth_complete_callback)
3188 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
3189 p_dev_rec->sec_bd_name, status);
3190 return;
3191 }
3192
3193 /* if peer is very old legacy devices, HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT is not reported */
3194 if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4))
3195 {
3196 /* set the KNOWN flag only if BTM_PAIR_FLAGS_REJECTED_CONNECT is not set.*/
3197 /* If it is set, there may be a race condition */
3198 BTM_TRACE_DEBUG ("%s IS_SM4_UNKNOWN Flags:0x%04x", __func__,
3199 btm_cb.pairing_flags);
3200 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT) == 0)
3201 p_dev_rec->sm4 |= BTM_SM4_KNOWN;
3202 }
3203
3204 BTM_TRACE_DEBUG("%s, SM4 Value: %x, Legacy:%d,IS SM4:%d, Unknown:%d",__FUNCTION__,
3205 p_dev_rec->sm4, BTM_SEC_IS_SM4_LEGACY(p_dev_rec->sm4),
3206 BTM_SEC_IS_SM4(p_dev_rec->sm4),BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4));
3207
3208 /* BT 2.1 or carkit, bring up the connection to force the peer to request PIN.
3209 ** Else prefetch (btm_sec_check_prefetch_pin will do the prefetching if needed)
3210 */
3211 if ((p_dev_rec->sm4 != BTM_SM4_KNOWN) || !btm_sec_check_prefetch_pin(p_dev_rec))
3212 {
3213 /* if we rejected incoming connection request, we have to wait HCI_Connection_Complete event */
3214 /* before originating */
3215 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT)
3216 {
3217 BTM_TRACE_WARNING ("%s: waiting HCI_Connection_Complete after rejecting connection", __func__);
3218 }
3219 /* Both we and the peer are 2.1 - continue to create connection */
3220 else if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED)
3221 {
3222 BTM_TRACE_WARNING ("%s: failed to start connection", __func__);
3223
3224 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
3225
3226 if (btm_cb.api.p_auth_complete_callback)
3227 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
3228 p_dev_rec->sec_bd_name, HCI_ERR_MEMORY_FULL);
3229 }
3230 }
3231 return;
3232 } else {
3233 BTM_TRACE_WARNING ("%s: wrong BDA, retry with pairing BDA", __func__);
3234 BTM_ReadRemoteDeviceName (btm_cb.pairing_bda, NULL, BT_TRANSPORT_BR_EDR);
3235 return;
3236 }
3237 }
3238
3239 /* check if we were delaying link_key_callback because name was not resolved */
3240 if (p_dev_rec->link_key_not_sent)
3241 {
3242 /* If HCI connection complete has not arrived, wait for it */
3243 if (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE)
3244 return;
3245
3246 p_dev_rec->link_key_not_sent = FALSE;
3247 btm_send_link_key_notif(p_dev_rec);
3248
3249 /* If its not us who perform authentication, we should tell stackserver */
3250 /* that some authentication has been completed */
3251 /* This is required when different entities receive link notification and auth complete */
3252 if (!(p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE))
3253 {
3254 if (btm_cb.api.p_auth_complete_callback)
3255 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
3256 p_dev_rec->dev_class,
3257 p_dev_rec->sec_bd_name, HCI_SUCCESS);
3258
3259 }
3260 }
3261
3262 /* If this is a bonding procedure can disconnect the link now */
3263 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
3264 && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))
3265 {
3266 BTM_TRACE_WARNING ("btm_sec_rmt_name_request_complete (none/ce)");
3267 p_dev_rec->security_required &= ~(BTM_SEC_OUT_AUTHENTICATE);
3268 l2cu_start_post_bond_timer(p_dev_rec->hci_handle);
3269 return;
3270 }
3271
3272 if (old_sec_state != BTM_SEC_STATE_GETTING_NAME)
3273 return;
3274
3275 /* If get name failed, notify the waiting layer */
3276 if (status != HCI_SUCCESS)
3277 {
3278 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING, FALSE);
3279 return;
3280 }
3281
3282 if (p_dev_rec->sm4 & BTM_SM4_REQ_PEND)
3283 {
3284 BTM_TRACE_EVENT ("waiting for remote features!!");
3285 return;
3286 }
3287
3288 /* Remote Name succeeded, execute the next security procedure, if any */
3289 status = (UINT8)btm_sec_execute_procedure (p_dev_rec);
3290
3291 /* If result is pending reply from the user or from the device is pending */
3292 if (status == BTM_CMD_STARTED)
3293 return;
3294
3295 /* There is no next procedure or start of procedure failed, notify the waiting layer */
3296 btm_sec_dev_rec_cback_event (p_dev_rec, status, FALSE);
3297 }
3298
3299 /*******************************************************************************
3300 **
3301 ** Function btm_sec_rmt_host_support_feat_evt
3302 **
3303 ** Description This function is called when the
3304 ** HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT is received
3305 **
3306 ** Returns void
3307 **
3308 *******************************************************************************/
btm_sec_rmt_host_support_feat_evt(UINT8 * p)3309 void btm_sec_rmt_host_support_feat_evt (UINT8 *p)
3310 {
3311 tBTM_SEC_DEV_REC *p_dev_rec;
3312 BD_ADDR bd_addr; /* peer address */
3313 BD_FEATURES features;
3314
3315 STREAM_TO_BDADDR (bd_addr, p);
3316 p_dev_rec = btm_find_or_alloc_dev (bd_addr);
3317
3318 BTM_TRACE_EVENT ("btm_sec_rmt_host_support_feat_evt sm4: 0x%x p[0]: 0x%x", p_dev_rec->sm4, p[0]);
3319
3320 if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4))
3321 {
3322 p_dev_rec->sm4 = BTM_SM4_KNOWN;
3323 STREAM_TO_ARRAY(features, p, HCI_FEATURE_BYTES_PER_PAGE);
3324 if (HCI_SSP_HOST_SUPPORTED(features))
3325 {
3326 p_dev_rec->sm4 = BTM_SM4_TRUE;
3327 }
3328 BTM_TRACE_EVENT ("btm_sec_rmt_host_support_feat_evt sm4: 0x%x features[0]: 0x%x", p_dev_rec->sm4, features[0]);
3329 }
3330 }
3331
3332 /*******************************************************************************
3333 **
3334 ** Function btm_io_capabilities_req
3335 **
3336 ** Description This function is called when LM request for the IO
3337 ** capability of the local device and
3338 ** if the OOB data is present for the device in the event
3339 **
3340 ** Returns void
3341 **
3342 *******************************************************************************/
btm_io_capabilities_req(UINT8 * p)3343 void btm_io_capabilities_req (UINT8 *p)
3344 {
3345 tBTM_SP_IO_REQ evt_data;
3346 UINT8 err_code = 0;
3347 tBTM_SEC_DEV_REC *p_dev_rec;
3348 BOOLEAN is_orig = TRUE;
3349 UINT8 callback_rc = BTM_SUCCESS;
3350
3351 STREAM_TO_BDADDR (evt_data.bd_addr, p);
3352
3353 /* setup the default response according to compile options */
3354 /* assume that the local IO capability does not change
3355 * loc_io_caps is initialized with the default value */
3356 evt_data.io_cap = btm_cb.devcb.loc_io_caps;
3357 evt_data.oob_data = BTM_OOB_NONE;
3358 evt_data.auth_req = BTM_DEFAULT_AUTH_REQ;
3359
3360 BTM_TRACE_EVENT("%s: State: %s", __FUNCTION__, btm_pair_state_descr(btm_cb.pairing_state));
3361
3362 p_dev_rec = btm_find_or_alloc_dev (evt_data.bd_addr);
3363
3364 BTM_TRACE_DEBUG("%s:Security mode: %d, Num Read Remote Feat pages: %d", __FUNCTION__,
3365 btm_cb.security_mode, p_dev_rec->num_read_pages);
3366
3367 if ((btm_cb.security_mode == BTM_SEC_MODE_SC) && (p_dev_rec->num_read_pages == 0))
3368 {
3369 BTM_TRACE_EVENT("%s: Device security mode is SC only.",
3370 "To continue need to know remote features.", __FUNCTION__);
3371
3372 p_dev_rec->remote_features_needed = TRUE;
3373 return;
3374 }
3375
3376 p_dev_rec->sm4 |= BTM_SM4_TRUE;
3377
3378 BTM_TRACE_EVENT("%s: State: %s Flags: 0x%04x p_cur_service: 0x%08x",
3379 __FUNCTION__, btm_pair_state_descr(btm_cb.pairing_state),
3380 btm_cb.pairing_flags, p_dev_rec->p_cur_service);
3381
3382 if (p_dev_rec->p_cur_service)
3383 {
3384 BTM_TRACE_EVENT("%s: cur_service psm: 0x%04x, security_flags: 0x%04x",
3385 __FUNCTION__, p_dev_rec->p_cur_service->psm,
3386 p_dev_rec->p_cur_service->security_flags);
3387 }
3388
3389 switch (btm_cb.pairing_state)
3390 {
3391 /* initiator connecting */
3392 case BTM_PAIR_STATE_IDLE:
3393 //TODO: Handle Idle pairing state
3394 //security_required = p_dev_rec->security_required;
3395 break;
3396
3397 /* received IO capability response already->acceptor */
3398 case BTM_PAIR_STATE_INCOMING_SSP:
3399 is_orig = FALSE;
3400
3401 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_PEER_STARTED_DD)
3402 {
3403 /* acceptor in dedicated bonding */
3404 evt_data.auth_req = BTM_DEFAULT_DD_AUTH_REQ;
3405 }
3406 break;
3407
3408 /* initiator, at this point it is expected to be dedicated bonding
3409 initiated by local device */
3410 case BTM_PAIR_STATE_WAIT_PIN_REQ:
3411 if (!memcmp (evt_data.bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN))
3412 {
3413 evt_data.auth_req = BTM_DEFAULT_DD_AUTH_REQ;
3414 }
3415 else
3416 {
3417 err_code = HCI_ERR_HOST_BUSY_PAIRING;
3418 }
3419 break;
3420
3421 /* any other state is unexpected */
3422 default:
3423 err_code = HCI_ERR_HOST_BUSY_PAIRING;
3424 BTM_TRACE_ERROR("%s: Unexpected Pairing state received %d", __FUNCTION__,
3425 btm_cb.pairing_state);
3426 break;
3427 }
3428
3429 if (btm_cb.pairing_disabled)
3430 {
3431 /* pairing is not allowed */
3432 BTM_TRACE_DEBUG("%s: Pairing is not allowed -> fail pairing.", __FUNCTION__);
3433 err_code = HCI_ERR_PAIRING_NOT_ALLOWED;
3434 }
3435 else if (btm_cb.security_mode == BTM_SEC_MODE_SC)
3436 {
3437 BOOLEAN local_supports_sc = controller_get_interface()->supports_secure_connections();
3438 /* device in Secure Connections Only mode */
3439 if (!(local_supports_sc) || !(p_dev_rec->remote_supports_secure_connections))
3440 {
3441 BTM_TRACE_DEBUG("%s: SC only service, local_support_for_sc %d,",
3442 " remote_support_for_sc 0x%02x -> fail pairing", __FUNCTION__,
3443 local_supports_sc, p_dev_rec->remote_supports_secure_connections);
3444
3445 err_code = HCI_ERR_PAIRING_NOT_ALLOWED;
3446 }
3447 }
3448
3449 if (err_code != 0)
3450 {
3451 /* coverity[uninit_use_in_call]
3452 Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp"
3453 False-positive: evt_data.bd_addr is set at the beginning with: STREAM_TO_BDADDR (evt_data.bd_addr, p);
3454 */
3455 btsnd_hcic_io_cap_req_neg_reply(evt_data.bd_addr, err_code);
3456 return;
3457 }
3458
3459 evt_data.is_orig = is_orig;
3460
3461 if (is_orig)
3462 {
3463 /* local device initiated the pairing non-bonding -> use p_cur_service */
3464 if (!(btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) &&
3465 p_dev_rec->p_cur_service &&
3466 (p_dev_rec->p_cur_service->security_flags & BTM_SEC_OUT_AUTHENTICATE))
3467 {
3468 if (btm_cb.security_mode == BTM_SEC_MODE_SC)
3469 {
3470 /* SC only mode device requires MITM protection */
3471 evt_data.auth_req = BTM_AUTH_SP_YES;
3472 }
3473 else
3474 {
3475 evt_data.auth_req = (p_dev_rec->p_cur_service->security_flags &
3476 BTM_SEC_OUT_MITM)? BTM_AUTH_SP_YES : BTM_AUTH_SP_NO;
3477 }
3478 }
3479 }
3480
3481 /* Notify L2CAP to increase timeout */
3482 l2c_pin_code_request (evt_data.bd_addr);
3483
3484 memcpy (btm_cb.pairing_bda, evt_data.bd_addr, BD_ADDR_LEN);
3485
3486 /* coverity[uninit_use_in_call]
3487 Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp"
3488 False-positive: False-positive: evt_data.bd_addr is set at the beginning with: STREAM_TO_BDADDR (evt_data.bd_addr, p);
3489 */
3490 if (!memcmp (evt_data.bd_addr, btm_cb.connecting_bda, BD_ADDR_LEN))
3491 memcpy (p_dev_rec->dev_class, btm_cb.connecting_dc, DEV_CLASS_LEN);
3492
3493 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS);
3494
3495 callback_rc = BTM_SUCCESS;
3496 if (p_dev_rec->sm4 & BTM_SM4_UPGRADE)
3497 {
3498 p_dev_rec->sm4 &= ~BTM_SM4_UPGRADE;
3499
3500 /* link key upgrade: always use SPGB_YES - assuming we want to save the link key */
3501 evt_data.auth_req = BTM_AUTH_SPGB_YES;
3502 }
3503 else if (btm_cb.api.p_sp_callback)
3504 {
3505 /* the callback function implementation may change the IO capability... */
3506 callback_rc = (*btm_cb.api.p_sp_callback) (BTM_SP_IO_REQ_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3507 }
3508
3509 if ((callback_rc == BTM_SUCCESS) || (BTM_OOB_UNKNOWN != evt_data.oob_data))
3510 {
3511 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD))
3512 {
3513 evt_data.auth_req = (BTM_AUTH_DD_BOND | (evt_data.auth_req & BTM_AUTH_YN_BIT));
3514 }
3515
3516 if (btm_cb.security_mode == BTM_SEC_MODE_SC)
3517 {
3518 /* At this moment we know that both sides are SC capable, device in */
3519 /* SC only mode requires MITM for any service so let's set MITM bit */
3520 evt_data.auth_req |= BTM_AUTH_YN_BIT;
3521 BTM_TRACE_DEBUG("%s: for device in \"SC only\" mode set auth_req to 0x%02x",
3522 __FUNCTION__, evt_data.auth_req);
3523 }
3524
3525 /* if the user does not indicate "reply later" by setting the oob_data to unknown */
3526 /* send the response right now. Save the current IO capability in the control block */
3527 btm_cb.devcb.loc_auth_req = evt_data.auth_req;
3528 btm_cb.devcb.loc_io_caps = evt_data.io_cap;
3529
3530 BTM_TRACE_EVENT("%s: State: %s IO_CAP:%d oob_data:%d auth_req:%d",
3531 __FUNCTION__, btm_pair_state_descr(btm_cb.pairing_state), evt_data.io_cap,
3532 evt_data.oob_data, evt_data.auth_req);
3533
3534 btsnd_hcic_io_cap_req_reply(evt_data.bd_addr, evt_data.io_cap,
3535 evt_data.oob_data, evt_data.auth_req);
3536 }
3537 }
3538
3539 /*******************************************************************************
3540 **
3541 ** Function btm_io_capabilities_rsp
3542 **
3543 ** Description This function is called when the IO capability of the
3544 ** specified device is received
3545 **
3546 ** Returns void
3547 **
3548 *******************************************************************************/
btm_io_capabilities_rsp(UINT8 * p)3549 void btm_io_capabilities_rsp (UINT8 *p)
3550 {
3551 tBTM_SEC_DEV_REC *p_dev_rec;
3552 tBTM_SP_IO_RSP evt_data;
3553
3554 STREAM_TO_BDADDR (evt_data.bd_addr, p);
3555 STREAM_TO_UINT8 (evt_data.io_cap, p);
3556 STREAM_TO_UINT8 (evt_data.oob_data, p);
3557 STREAM_TO_UINT8 (evt_data.auth_req, p);
3558
3559 /* Allocate a new device record or reuse the oldest one */
3560 p_dev_rec = btm_find_or_alloc_dev (evt_data.bd_addr);
3561
3562 /* If no security is in progress, this indicates incoming security */
3563 if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
3564 {
3565 memcpy (btm_cb.pairing_bda, evt_data.bd_addr, BD_ADDR_LEN);
3566
3567 btm_sec_change_pairing_state (BTM_PAIR_STATE_INCOMING_SSP);
3568
3569 /* Make sure we reset the trusted mask to help against attacks */
3570 BTM_SEC_CLR_TRUSTED_DEVICE(p_dev_rec->trusted_mask);
3571
3572 /* work around for FW bug */
3573 btm_inq_stop_on_ssp();
3574 }
3575
3576 /* Notify L2CAP to increase timeout */
3577 l2c_pin_code_request (evt_data.bd_addr);
3578
3579 /* We must have a device record here.
3580 * Use the connecting device's CoD for the connection */
3581 /* coverity[uninit_use_in_call]
3582 Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp"
3583 FALSE-POSITIVE error from Coverity test-tool. evt_data.bd_addr is set at the beginning with: STREAM_TO_BDADDR (evt_data.bd_addr, p);
3584 */
3585 if (!memcmp (evt_data.bd_addr, btm_cb.connecting_bda, BD_ADDR_LEN))
3586 memcpy (p_dev_rec->dev_class, btm_cb.connecting_dc, DEV_CLASS_LEN);
3587
3588 /* peer sets dedicated bonding bit and we did not initiate dedicated bonding */
3589 if (btm_cb.pairing_state == BTM_PAIR_STATE_INCOMING_SSP /* peer initiated bonding */
3590 && (evt_data.auth_req & BTM_AUTH_DD_BOND) ) /* and dedicated bonding bit is set */
3591 {
3592 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PEER_STARTED_DD;
3593 }
3594
3595 /* save the IO capability in the device record */
3596 p_dev_rec->rmt_io_caps = evt_data.io_cap;
3597 p_dev_rec->rmt_auth_req = evt_data.auth_req;
3598
3599 if (btm_cb.api.p_sp_callback)
3600 (*btm_cb.api.p_sp_callback) (BTM_SP_IO_RSP_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3601 }
3602
3603 /*******************************************************************************
3604 **
3605 ** Function btm_proc_sp_req_evt
3606 **
3607 ** Description This function is called to process/report
3608 ** HCI_USER_CONFIRMATION_REQUEST_EVT
3609 ** or HCI_USER_PASSKEY_REQUEST_EVT
3610 ** or HCI_USER_PASSKEY_NOTIFY_EVT
3611 **
3612 ** Returns void
3613 **
3614 *******************************************************************************/
btm_proc_sp_req_evt(tBTM_SP_EVT event,UINT8 * p)3615 void btm_proc_sp_req_evt (tBTM_SP_EVT event, UINT8 *p)
3616 {
3617 tBTM_STATUS status = BTM_ERR_PROCESSING;
3618 tBTM_SP_EVT_DATA evt_data;
3619 UINT8 *p_bda = evt_data.cfm_req.bd_addr;
3620 tBTM_SEC_DEV_REC *p_dev_rec;
3621
3622 /* All events start with bd_addr */
3623 STREAM_TO_BDADDR (p_bda, p);
3624
3625 BTM_TRACE_EVENT ("btm_proc_sp_req_evt() BDA: %08x%04x event: 0x%x, State: %s",
3626 (p_bda[0]<<24) + (p_bda[1]<<16) + (p_bda[2]<<8) + p_bda[3], (p_bda[4] << 8) + p_bda[5],
3627 event, btm_pair_state_descr(btm_cb.pairing_state));
3628
3629 if ( ((p_dev_rec = btm_find_dev (p_bda)) != NULL)
3630 && (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
3631 && (memcmp (btm_cb.pairing_bda, p_bda, BD_ADDR_LEN) == 0) )
3632 {
3633 memcpy (evt_data.cfm_req.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
3634 memcpy (evt_data.cfm_req.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN);
3635
3636 strlcpy((char *)evt_data.cfm_req.bd_name, (char *)p_dev_rec->sec_bd_name, BTM_MAX_REM_BD_NAME_LEN);
3637
3638 switch (event)
3639 {
3640 case BTM_SP_CFM_REQ_EVT:
3641 /* Numeric confirmation. Need user to conf the passkey */
3642 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM);
3643
3644 /* The device record must be allocated in the "IO cap exchange" step */
3645 STREAM_TO_UINT32 (evt_data.cfm_req.num_val, p);
3646
3647 evt_data.cfm_req.just_works = TRUE;
3648
3649 /* process user confirm req in association with the auth_req param */
3650 #if (BTM_LOCAL_IO_CAPS == BTM_IO_CAP_IO)
3651 if ( (p_dev_rec->rmt_io_caps == BTM_IO_CAP_IO)
3652 && (btm_cb.devcb.loc_io_caps == BTM_IO_CAP_IO)
3653 && ((p_dev_rec->rmt_auth_req & BTM_AUTH_SP_YES) || (btm_cb.devcb.loc_auth_req & BTM_AUTH_SP_YES)) )
3654 {
3655 /* Both devices are DisplayYesNo and one or both devices want to authenticate
3656 -> use authenticated link key */
3657 evt_data.cfm_req.just_works = FALSE;
3658 }
3659 #endif
3660 BTM_TRACE_DEBUG ("btm_proc_sp_req_evt() just_works:%d, io loc:%d, rmt:%d, auth loc:%d, rmt:%d",
3661 evt_data.cfm_req.just_works, btm_cb.devcb.loc_io_caps, p_dev_rec->rmt_io_caps,
3662 btm_cb.devcb.loc_auth_req, p_dev_rec->rmt_auth_req);
3663
3664 evt_data.cfm_req.loc_auth_req = btm_cb.devcb.loc_auth_req;
3665 evt_data.cfm_req.rmt_auth_req = p_dev_rec->rmt_auth_req;
3666 evt_data.cfm_req.loc_io_caps = btm_cb.devcb.loc_io_caps;
3667 evt_data.cfm_req.rmt_io_caps = p_dev_rec->rmt_io_caps;
3668 break;
3669
3670 case BTM_SP_KEY_NOTIF_EVT:
3671 /* Passkey notification (other side is a keyboard) */
3672 STREAM_TO_UINT32 (evt_data.key_notif.passkey, p);
3673
3674 BTM_TRACE_DEBUG ("BTM_SP_KEY_NOTIF_EVT: passkey: %u", evt_data.key_notif.passkey);
3675
3676 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
3677 break;
3678
3679 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
3680 case BTM_SP_KEY_REQ_EVT:
3681 /* HCI_USER_PASSKEY_REQUEST_EVT */
3682 btm_sec_change_pairing_state (BTM_PAIR_STATE_KEY_ENTRY);
3683 break;
3684 #endif
3685 }
3686
3687 if (btm_cb.api.p_sp_callback)
3688 {
3689 status = (*btm_cb.api.p_sp_callback) (event, (tBTM_SP_EVT_DATA *)&evt_data);
3690 if (status != BTM_NOT_AUTHORIZED)
3691 {
3692 return;
3693 }
3694 /* else BTM_NOT_AUTHORIZED means when the app wants to reject the req right now */
3695 }
3696 else if ( (event == BTM_SP_CFM_REQ_EVT) && (evt_data.cfm_req.just_works == TRUE) )
3697 {
3698 /* automatically reply with just works if no sp_cback */
3699 status = BTM_SUCCESS;
3700 }
3701
3702 if (event == BTM_SP_CFM_REQ_EVT)
3703 {
3704 BTM_TRACE_DEBUG ("calling BTM_ConfirmReqReply with status: %d", status);
3705 BTM_ConfirmReqReply (status, p_bda);
3706 }
3707 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
3708 else if (event == BTM_SP_KEY_REQ_EVT)
3709 {
3710 BTM_PasskeyReqReply(status, p_bda, 0);
3711 }
3712 #endif
3713 return;
3714 }
3715
3716 /* Something bad. we can only fail this connection */
3717 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
3718
3719 if (BTM_SP_CFM_REQ_EVT == event)
3720 {
3721 btsnd_hcic_user_conf_reply (p_bda, FALSE);
3722 }
3723 else if (BTM_SP_KEY_NOTIF_EVT == event)
3724 {
3725 /* do nothing -> it very unlikely to happen.
3726 This event is most likely to be received by a HID host when it first connects to a HID device.
3727 Usually the Host initiated the connection in this case.
3728 On Mobile platforms, if there's a security process happening,
3729 the host probably can not initiate another connection.
3730 BTW (PC) is another story. */
3731 if (NULL != (p_dev_rec = btm_find_dev (p_bda)) )
3732 {
3733 btm_sec_disconnect (p_dev_rec->hci_handle, HCI_ERR_AUTH_FAILURE);
3734 }
3735 }
3736 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
3737 else
3738 {
3739 btsnd_hcic_user_passkey_neg_reply(p_bda);
3740 }
3741 #endif
3742 }
3743
3744 /*******************************************************************************
3745 **
3746 ** Function btm_keypress_notif_evt
3747 **
3748 ** Description This function is called when a key press notification is
3749 ** received
3750 **
3751 ** Returns void
3752 **
3753 *******************************************************************************/
btm_keypress_notif_evt(UINT8 * p)3754 void btm_keypress_notif_evt (UINT8 *p)
3755 {
3756 tBTM_SP_KEYPRESS evt_data;
3757 UINT8 *p_bda;
3758
3759 /* parse & report BTM_SP_KEYPRESS_EVT */
3760 if (btm_cb.api.p_sp_callback)
3761 {
3762 p_bda = evt_data.bd_addr;
3763
3764 STREAM_TO_BDADDR (p_bda, p);
3765 evt_data.notif_type = *p;
3766
3767 (*btm_cb.api.p_sp_callback) (BTM_SP_KEYPRESS_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3768 }
3769 }
3770
3771 /*******************************************************************************
3772 **
3773 ** Function btm_simple_pair_complete
3774 **
3775 ** Description This function is called when simple pairing process is
3776 ** complete
3777 **
3778 ** Returns void
3779 **
3780 *******************************************************************************/
btm_simple_pair_complete(UINT8 * p)3781 void btm_simple_pair_complete (UINT8 *p)
3782 {
3783 tBTM_SP_COMPLT evt_data;
3784 tBTM_SEC_DEV_REC *p_dev_rec;
3785 UINT8 status;
3786 BOOLEAN disc = FALSE;
3787
3788 status = *p++;
3789 STREAM_TO_BDADDR (evt_data.bd_addr, p);
3790
3791 if ((p_dev_rec = btm_find_dev (evt_data.bd_addr)) == NULL)
3792 {
3793 BTM_TRACE_ERROR ("btm_simple_pair_complete() with unknown BDA: %08x%04x",
3794 (evt_data.bd_addr[0]<<24) + (evt_data.bd_addr[1]<<16) + (evt_data.bd_addr[2]<<8) + evt_data.bd_addr[3],
3795 (evt_data.bd_addr[4] << 8) + evt_data.bd_addr[5]);
3796 return;
3797 }
3798
3799 BTM_TRACE_EVENT ("btm_simple_pair_complete() Pair State: %s Status:%d sec_state: %u",
3800 btm_pair_state_descr(btm_cb.pairing_state), status, p_dev_rec->sec_state);
3801
3802 evt_data.status = BTM_ERR_PROCESSING;
3803 if (status == HCI_SUCCESS)
3804 {
3805 evt_data.status = BTM_SUCCESS;
3806 p_dev_rec->sec_flags |= BTM_SEC_AUTHENTICATED;
3807 }
3808 else
3809 {
3810 if (status == HCI_ERR_PAIRING_NOT_ALLOWED)
3811 {
3812 /* The test spec wants the peer device to get this failure code. */
3813 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_DISCONNECT);
3814
3815 /* Change the timer to 1 second */
3816 alarm_set_on_queue(btm_cb.pairing_timer, BT_1SEC_TIMEOUT_MS,
3817 btm_sec_pairing_timeout, NULL,
3818 btu_general_alarm_queue);
3819 }
3820 else if (memcmp (btm_cb.pairing_bda, evt_data.bd_addr, BD_ADDR_LEN) == 0)
3821 {
3822 /* stop the timer */
3823 alarm_cancel(btm_cb.pairing_timer);
3824
3825 if (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING)
3826 {
3827 /* the initiating side: will receive auth complete event. disconnect ACL at that time */
3828 disc = TRUE;
3829 }
3830 }
3831 else
3832 disc = TRUE;
3833 }
3834
3835 /* Let the pairing state stay active, p_auth_complete_callback will report the failure */
3836 memcpy (evt_data.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
3837 memcpy (evt_data.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN);
3838
3839 if (btm_cb.api.p_sp_callback)
3840 (*btm_cb.api.p_sp_callback) (BTM_SP_COMPLT_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3841
3842 if (disc)
3843 {
3844 /* simple pairing failed */
3845 /* Avoid sending disconnect on HCI_ERR_PEER_USER */
3846 if ((status != HCI_ERR_PEER_USER) && (status != HCI_ERR_CONN_CAUSE_LOCAL_HOST))
3847 {
3848 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE, p_dev_rec->hci_handle);
3849 }
3850 }
3851 }
3852
3853 /*******************************************************************************
3854 **
3855 ** Function btm_rem_oob_req
3856 **
3857 ** Description This function is called to process/report
3858 ** HCI_REMOTE_OOB_DATA_REQUEST_EVT
3859 **
3860 ** Returns void
3861 **
3862 *******************************************************************************/
btm_rem_oob_req(UINT8 * p)3863 void btm_rem_oob_req (UINT8 *p)
3864 {
3865 UINT8 *p_bda;
3866 tBTM_SP_RMT_OOB evt_data;
3867 tBTM_SEC_DEV_REC *p_dev_rec;
3868 BT_OCTET16 c;
3869 BT_OCTET16 r;
3870
3871 p_bda = evt_data.bd_addr;
3872
3873 STREAM_TO_BDADDR (p_bda, p);
3874
3875 BTM_TRACE_EVENT ("btm_rem_oob_req() BDA: %02x:%02x:%02x:%02x:%02x:%02x",
3876 p_bda[0], p_bda[1], p_bda[2], p_bda[3], p_bda[4], p_bda[5]);
3877
3878 if ( (NULL != (p_dev_rec = btm_find_dev (p_bda))) &&
3879 btm_cb.api.p_sp_callback)
3880 {
3881 memcpy (evt_data.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
3882 memcpy (evt_data.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN);
3883 strlcpy((char *)evt_data.bd_name, (char *)p_dev_rec->sec_bd_name, BTM_MAX_REM_BD_NAME_LEN);
3884
3885 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP);
3886 if ((*btm_cb.api.p_sp_callback) (BTM_SP_RMT_OOB_EVT, (tBTM_SP_EVT_DATA *)&evt_data) == BTM_NOT_AUTHORIZED)
3887 {
3888 BTM_RemoteOobDataReply(TRUE, p_bda, c, r);
3889 }
3890 return;
3891 }
3892
3893 /* something bad. we can only fail this connection */
3894 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
3895 btsnd_hcic_rem_oob_neg_reply (p_bda);
3896 }
3897
3898 /*******************************************************************************
3899 **
3900 ** Function btm_read_local_oob_complete
3901 **
3902 ** Description This function is called when read local oob data is
3903 ** completed by the LM
3904 **
3905 ** Returns void
3906 **
3907 *******************************************************************************/
btm_read_local_oob_complete(UINT8 * p)3908 void btm_read_local_oob_complete (UINT8 *p)
3909 {
3910 tBTM_SP_LOC_OOB evt_data;
3911 UINT8 status = *p++;
3912
3913 BTM_TRACE_EVENT ("btm_read_local_oob_complete:%d", status);
3914 if (status == HCI_SUCCESS)
3915 {
3916 evt_data.status = BTM_SUCCESS;
3917 STREAM_TO_ARRAY16(evt_data.c, p);
3918 STREAM_TO_ARRAY16(evt_data.r, p);
3919 }
3920 else
3921 evt_data.status = BTM_ERR_PROCESSING;
3922
3923 if (btm_cb.api.p_sp_callback)
3924 (*btm_cb.api.p_sp_callback) (BTM_SP_LOC_OOB_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3925 }
3926
3927 /*******************************************************************************
3928 **
3929 ** Function btm_sec_auth_collision
3930 **
3931 ** Description This function is called when authentication or encryption
3932 ** needs to be retried at a later time.
3933 **
3934 ** Returns void
3935 **
3936 *******************************************************************************/
btm_sec_auth_collision(UINT16 handle)3937 static void btm_sec_auth_collision (UINT16 handle)
3938 {
3939 tBTM_SEC_DEV_REC *p_dev_rec;
3940
3941 if (!btm_cb.collision_start_time)
3942 btm_cb.collision_start_time = time_get_os_boottime_ms();
3943
3944 if ((time_get_os_boottime_ms() - btm_cb.collision_start_time) < btm_cb.max_collision_delay)
3945 {
3946 if (handle == BTM_SEC_INVALID_HANDLE)
3947 {
3948 if ((p_dev_rec = btm_sec_find_dev_by_sec_state (BTM_SEC_STATE_AUTHENTICATING)) == NULL)
3949 p_dev_rec = btm_sec_find_dev_by_sec_state (BTM_SEC_STATE_ENCRYPTING);
3950 }
3951 else
3952 p_dev_rec = btm_find_dev_by_handle (handle);
3953
3954 if (p_dev_rec != NULL)
3955 {
3956 BTM_TRACE_DEBUG ("btm_sec_auth_collision: state %d (retrying in a moment...)", p_dev_rec->sec_state);
3957 /* We will restart authentication after timeout */
3958 if (p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING || p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING)
3959 p_dev_rec->sec_state = 0;
3960
3961 btm_cb.p_collided_dev_rec = p_dev_rec;
3962 alarm_set_on_queue(btm_cb.sec_collision_timer, BT_1SEC_TIMEOUT_MS,
3963 btm_sec_collision_timeout, NULL,
3964 btu_general_alarm_queue);
3965 }
3966 }
3967 }
3968
3969 /*******************************************************************************
3970 **
3971 ** Function btm_sec_auth_complete
3972 **
3973 ** Description This function is when authentication of the connection is
3974 ** completed by the LM
3975 **
3976 ** Returns void
3977 **
3978 *******************************************************************************/
btm_sec_auth_complete(UINT16 handle,UINT8 status)3979 void btm_sec_auth_complete (UINT16 handle, UINT8 status)
3980 {
3981 UINT8 old_sm4;
3982 tBTM_PAIRING_STATE old_state = btm_cb.pairing_state;
3983 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle);
3984 BOOLEAN are_bonding = FALSE;
3985
3986 /* Commenting out trace due to obf/compilation problems.
3987 */
3988 #if (BT_USE_TRACES == TRUE)
3989 if (p_dev_rec)
3990 {
3991 BTM_TRACE_EVENT ("Security Manager: auth_complete PairState: %s handle:%u status:%d dev->sec_state: %u Bda:%08x, RName:%s",
3992 btm_pair_state_descr (btm_cb.pairing_state),
3993 handle, status,
3994 p_dev_rec->sec_state,
3995 (p_dev_rec->bd_addr[2]<<24)+(p_dev_rec->bd_addr[3]<<16)+(p_dev_rec->bd_addr[4]<<8)+p_dev_rec->bd_addr[5],
3996 p_dev_rec->sec_bd_name);
3997 }
3998 else
3999 {
4000 BTM_TRACE_EVENT ("Security Manager: auth_complete PairState: %s handle:%u status:%d",
4001 btm_pair_state_descr (btm_cb.pairing_state),
4002 handle, status);
4003 }
4004 #endif
4005
4006 /* For transaction collision we need to wait and repeat. There is no need */
4007 /* for random timeout because only slave should receive the result */
4008 if ((status == HCI_ERR_LMP_ERR_TRANS_COLLISION) || (status == HCI_ERR_DIFF_TRANSACTION_COLLISION))
4009 {
4010 btm_sec_auth_collision(handle);
4011 return;
4012 }
4013 btm_cb.collision_start_time = 0;
4014
4015 btm_restore_mode();
4016
4017 /* Check if connection was made just to do bonding. If we authenticate
4018 the connection that is up, this is the last event received.
4019 */
4020 if (p_dev_rec
4021 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4022 && !(btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE))
4023 {
4024 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4025
4026 l2cu_start_post_bond_timer (p_dev_rec->hci_handle);
4027 }
4028
4029 if (!p_dev_rec)
4030 return;
4031
4032 /* keep the old sm4 flag and clear the retry bit in control block */
4033 old_sm4 = p_dev_rec->sm4;
4034 p_dev_rec->sm4 &= ~BTM_SM4_RETRY;
4035
4036 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4037 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4038 && (memcmp (p_dev_rec->bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN) == 0) )
4039 are_bonding = TRUE;
4040
4041 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4042 && (memcmp (p_dev_rec->bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN) == 0) )
4043 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4044
4045 if (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING)
4046 {
4047 if ( (btm_cb.api.p_auth_complete_callback && status != HCI_SUCCESS)
4048 && (old_state != BTM_PAIR_STATE_IDLE) )
4049 {
4050 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4051 p_dev_rec->dev_class,
4052 p_dev_rec->sec_bd_name, status);
4053 }
4054 return;
4055 }
4056
4057 /* There can be a race condition, when we are starting authentication and
4058 ** the peer device is doing encryption.
4059 ** If first we receive encryption change up, then initiated authentication
4060 ** can not be performed. According to the spec we can not do authentication
4061 ** on the encrypted link, so device is correct.
4062 */
4063 if ((status == HCI_ERR_COMMAND_DISALLOWED)
4064 && ((p_dev_rec->sec_flags & (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED)) ==
4065 (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED)))
4066 {
4067 status = HCI_SUCCESS;
4068 }
4069 /* Currently we do not notify user if it is a keyboard which connects */
4070 /* User probably Disabled the keyboard while it was asleap. Let her try */
4071 if (btm_cb.api.p_auth_complete_callback)
4072 {
4073 /* report the suthentication status */
4074 if (old_state != BTM_PAIR_STATE_IDLE)
4075 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4076 p_dev_rec->dev_class,
4077 p_dev_rec->sec_bd_name, status);
4078 }
4079
4080 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
4081
4082 /* If this is a bonding procedure can disconnect the link now */
4083 if (are_bonding)
4084 {
4085 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4086
4087 if (status != HCI_SUCCESS)
4088 {
4089 if(((status != HCI_ERR_PEER_USER) && (status != HCI_ERR_CONN_CAUSE_LOCAL_HOST)))
4090 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_PEER_USER, p_dev_rec->hci_handle);
4091 }
4092 else
4093 {
4094 BTM_TRACE_DEBUG ("TRYING TO DECIDE IF CAN USE SMP_BR_CHNL");
4095 if (p_dev_rec->new_encryption_key_is_p256 && (btm_sec_use_smp_br_chnl(p_dev_rec))
4096 /* no LE keys are available, do deriving */
4097 && (!(p_dev_rec->sec_flags &BTM_SEC_LE_LINK_KEY_KNOWN) ||
4098 /* or BR key is higher security than existing LE keys */
4099 (!(p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_AUTHED) &&
4100 (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED))))
4101 {
4102 BTM_TRACE_DEBUG ("link encrypted afer dedic bonding can use SMP_BR_CHNL");
4103
4104 if (btm_sec_is_master(p_dev_rec))
4105 {
4106 // Encryption is required to start SM over BR/EDR
4107 // indicate that this is encryption after authentication
4108 BTM_SetEncryption(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR, NULL, NULL, 0);
4109 }
4110 }
4111 l2cu_start_post_bond_timer (p_dev_rec->hci_handle);
4112 }
4113
4114 return;
4115 }
4116
4117 /* If authentication failed, notify the waiting layer */
4118 if (status != HCI_SUCCESS)
4119 {
4120 if ((old_sm4 & BTM_SM4_RETRY) == 0)
4121 {
4122 /* allow retry only once */
4123 if (status == HCI_ERR_LMP_ERR_TRANS_COLLISION)
4124 {
4125 /* not retried yet. set the retry bit */
4126 p_dev_rec->sm4 |= BTM_SM4_RETRY;
4127 BTM_TRACE_DEBUG ("Collision retry sm4:x%x sec_flags:0x%x", p_dev_rec->sm4, p_dev_rec->sec_flags);
4128 }
4129 /* this retry for missing key is for Lisbon or later only.
4130 * Legacy device do not need this. the controller will drive the retry automatically */
4131 else if (HCI_ERR_KEY_MISSING == status && BTM_SEC_IS_SM4(p_dev_rec->sm4))
4132 {
4133 /* not retried yet. set the retry bit */
4134 p_dev_rec->sm4 |= BTM_SM4_RETRY;
4135 p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_KNOWN;
4136 BTM_TRACE_DEBUG ("Retry for missing key sm4:x%x sec_flags:0x%x", p_dev_rec->sm4, p_dev_rec->sec_flags);
4137
4138 /* With BRCM controller, we do not need to delete the stored link key in controller.
4139 If the stack may sit on top of other controller, we may need this
4140 BTM_DeleteStoredLinkKey (bd_addr, NULL); */
4141 }
4142
4143 if (p_dev_rec->sm4 & BTM_SM4_RETRY)
4144 {
4145 btm_sec_execute_procedure (p_dev_rec);
4146 return;
4147 }
4148 }
4149
4150 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING, FALSE);
4151
4152 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)
4153 {
4154 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE, p_dev_rec->hci_handle);
4155 }
4156 return;
4157 }
4158
4159 p_dev_rec->sec_flags |= BTM_SEC_AUTHENTICATED;
4160
4161 if (p_dev_rec->pin_code_length >= 16 ||
4162 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB ||
4163 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) {
4164 // If we have MITM protection we have a higher level of security than
4165 // provided by 16 digits PIN
4166 p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED;
4167 }
4168
4169 /* Authentication succeeded, execute the next security procedure, if any */
4170 status = btm_sec_execute_procedure (p_dev_rec);
4171
4172 /* If there is no next procedure, or procedure failed to start, notify the caller */
4173 if (status != BTM_CMD_STARTED)
4174 btm_sec_dev_rec_cback_event (p_dev_rec, status, FALSE);
4175 }
4176
4177 /*******************************************************************************
4178 **
4179 ** Function btm_sec_encrypt_change
4180 **
4181 ** Description This function is when encryption of the connection is
4182 ** completed by the LM
4183 **
4184 ** Returns void
4185 **
4186 *******************************************************************************/
btm_sec_encrypt_change(UINT16 handle,UINT8 status,UINT8 encr_enable)4187 void btm_sec_encrypt_change (UINT16 handle, UINT8 status, UINT8 encr_enable)
4188 {
4189 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle);
4190 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
4191 tACL_CONN *p_acl = NULL;
4192 UINT8 acl_idx = btm_handle_to_acl_index(handle);
4193 #endif
4194 BTM_TRACE_EVENT ("Security Manager: encrypt_change status:%d State:%d, encr_enable = %d",
4195 status, (p_dev_rec) ? p_dev_rec->sec_state : 0, encr_enable);
4196 BTM_TRACE_DEBUG ("before update p_dev_rec->sec_flags=0x%x", (p_dev_rec) ? p_dev_rec->sec_flags : 0 );
4197
4198 /* For transaction collision we need to wait and repeat. There is no need */
4199 /* for random timeout because only slave should receive the result */
4200 if ((status == HCI_ERR_LMP_ERR_TRANS_COLLISION) ||
4201 (status == HCI_ERR_DIFF_TRANSACTION_COLLISION))
4202 {
4203 btm_sec_auth_collision(handle);
4204 return;
4205 }
4206 btm_cb.collision_start_time = 0;
4207
4208 if (!p_dev_rec)
4209 return;
4210
4211 if ((status == HCI_SUCCESS) && encr_enable)
4212 {
4213 if (p_dev_rec->hci_handle == handle) {
4214 p_dev_rec->sec_flags |= (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED);
4215 if (p_dev_rec->pin_code_length >= 16 ||
4216 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB ||
4217 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) {
4218 p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED;
4219 }
4220 }
4221 else
4222 {
4223 p_dev_rec->sec_flags |= (BTM_SEC_LE_AUTHENTICATED | BTM_SEC_LE_ENCRYPTED);
4224 }
4225 }
4226
4227 /* It is possible that we decrypted the link to perform role switch */
4228 /* mark link not to be encrypted, so that when we execute security next time it will kick in again */
4229 if ((status == HCI_SUCCESS) && !encr_enable)
4230 {
4231 if (p_dev_rec->hci_handle == handle)
4232 p_dev_rec->sec_flags &= ~BTM_SEC_ENCRYPTED;
4233 else
4234 p_dev_rec->sec_flags &= ~BTM_SEC_LE_ENCRYPTED;
4235 }
4236
4237 BTM_TRACE_DEBUG ("after update p_dev_rec->sec_flags=0x%x", p_dev_rec->sec_flags );
4238
4239 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
4240 if (acl_idx != MAX_L2CAP_LINKS)
4241 p_acl = &btm_cb.acl_db[acl_idx];
4242
4243 if (p_acl != NULL)
4244 btm_sec_check_pending_enc_req(p_dev_rec, p_acl->transport, encr_enable);
4245
4246 if (p_acl && p_acl->transport == BT_TRANSPORT_LE)
4247 {
4248 if (status == HCI_ERR_KEY_MISSING || status == HCI_ERR_AUTH_FAILURE ||
4249 status == HCI_ERR_ENCRY_MODE_NOT_ACCEPTABLE)
4250 {
4251 p_dev_rec->sec_flags &= ~ (BTM_SEC_LE_LINK_KEY_KNOWN);
4252 p_dev_rec->ble.key_type = BTM_LE_KEY_NONE;
4253 }
4254 btm_ble_link_encrypted(p_dev_rec->ble.pseudo_addr, encr_enable);
4255 return;
4256 }
4257 else
4258 {
4259 /* BR/EDR connection, update the encryption key size to be 16 as always */
4260 p_dev_rec->enc_key_size = 16;
4261 }
4262
4263 BTM_TRACE_DEBUG ("in %s new_encr_key_256 is %d",
4264 __func__, p_dev_rec->new_encryption_key_is_p256);
4265
4266 if ((status == HCI_SUCCESS) && encr_enable && (p_dev_rec->hci_handle == handle))
4267 {
4268 if (p_dev_rec->new_encryption_key_is_p256)
4269 {
4270 if (btm_sec_use_smp_br_chnl(p_dev_rec) &&
4271 btm_sec_is_master(p_dev_rec) &&
4272 /* if LE key is not known, do deriving */
4273 (!(p_dev_rec->sec_flags &BTM_SEC_LE_LINK_KEY_KNOWN) ||
4274 /* or BR key is higher security than existing LE keys */
4275 (!(p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_AUTHED)
4276 && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED))))
4277 {
4278 /* BR/EDR is encrypted with LK that can be used to derive LE LTK */
4279 p_dev_rec->new_encryption_key_is_p256 = FALSE;
4280
4281 if (p_dev_rec->no_smp_on_br)
4282 {
4283 BTM_TRACE_DEBUG ("%s NO SM over BR/EDR", __func__);
4284 }
4285 else
4286 {
4287 BTM_TRACE_DEBUG ("%s start SM over BR/EDR", __func__);
4288 SMP_BR_PairWith(p_dev_rec->bd_addr);
4289 }
4290 }
4291 }
4292 else
4293 {
4294 // BR/EDR is successfully encrypted. Correct LK type if needed
4295 // (BR/EDR LK derived from LE LTK was used for encryption)
4296 if ((encr_enable == 1) && /* encryption is ON for SSP */
4297 /* LK type is for BR/EDR SC */
4298 (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256 ||
4299 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256))
4300 {
4301 if (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256)
4302 p_dev_rec->link_key_type = BTM_LKEY_TYPE_UNAUTH_COMB;
4303 else /* BTM_LKEY_TYPE_AUTH_COMB_P_256 */
4304 p_dev_rec->link_key_type = BTM_LKEY_TYPE_AUTH_COMB;
4305
4306 BTM_TRACE_DEBUG("updated link key type to %d", p_dev_rec->link_key_type);
4307 btm_send_link_key_notif(p_dev_rec);
4308 }
4309 }
4310 }
4311 #else
4312 btm_sec_check_pending_enc_req (p_dev_rec, BT_TRANSPORT_BR_EDR, encr_enable);
4313 #endif /* BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE */
4314
4315 /* If this encryption was started by peer do not need to do anything */
4316 if (p_dev_rec->sec_state != BTM_SEC_STATE_ENCRYPTING)
4317 {
4318 if (BTM_SEC_STATE_DELAY_FOR_ENC == p_dev_rec->sec_state)
4319 {
4320 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
4321 p_dev_rec->p_callback = NULL;
4322 l2cu_resubmit_pending_sec_req (p_dev_rec->bd_addr);
4323 }
4324 return;
4325 }
4326
4327 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
4328 /* If encryption setup failed, notify the waiting layer */
4329 if (status != HCI_SUCCESS)
4330 {
4331 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING, FALSE);
4332 return;
4333 }
4334
4335 /* Encryption setup succeeded, execute the next security procedure, if any */
4336 status = (UINT8)btm_sec_execute_procedure (p_dev_rec);
4337 /* If there is no next procedure, or procedure failed to start, notify the caller */
4338 if (status != BTM_CMD_STARTED)
4339 btm_sec_dev_rec_cback_event (p_dev_rec, status, FALSE);
4340 }
4341
4342 /*******************************************************************************
4343 **
4344 ** Function btm_sec_connect_after_reject_timeout
4345 **
4346 ** Description Connection for bonding could not start because of the collision
4347 ** Initiate outgoing connection
4348 **
4349 ** Returns Pointer to the TLE struct
4350 **
4351 *******************************************************************************/
btm_sec_connect_after_reject_timeout(UNUSED_ATTR void * data)4352 static void btm_sec_connect_after_reject_timeout(UNUSED_ATTR void *data)
4353 {
4354 tBTM_SEC_DEV_REC *p_dev_rec = btm_cb.p_collided_dev_rec;
4355
4356 BTM_TRACE_EVENT("%s", __func__);
4357 btm_cb.p_collided_dev_rec = 0;
4358
4359 if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED)
4360 {
4361 BTM_TRACE_WARNING("Security Manager: %s: failed to start connection",
4362 __func__);
4363
4364 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4365
4366 if (btm_cb.api.p_auth_complete_callback)
4367 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
4368 p_dev_rec->sec_bd_name, HCI_ERR_MEMORY_FULL);
4369 }
4370 }
4371
4372 /*******************************************************************************
4373 **
4374 ** Function btm_sec_connected
4375 **
4376 ** Description This function is when a connection to the peer device is
4377 ** establsihed
4378 **
4379 ** Returns void
4380 **
4381 *******************************************************************************/
btm_sec_connected(UINT8 * bda,UINT16 handle,UINT8 status,UINT8 enc_mode)4382 void btm_sec_connected (UINT8 *bda, UINT16 handle, UINT8 status, UINT8 enc_mode)
4383 {
4384 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bda);
4385 UINT8 res;
4386 BOOLEAN is_pairing_device = FALSE;
4387 tACL_CONN *p_acl_cb;
4388 UINT8 bit_shift = 0;
4389
4390 btm_acl_resubmit_page();
4391
4392 /* Commenting out trace due to obf/compilation problems.
4393 */
4394 #if (BT_USE_TRACES == TRUE)
4395 if (p_dev_rec)
4396 {
4397 BTM_TRACE_EVENT ("Security Manager: btm_sec_connected in state: %s handle:%d status:%d enc_mode:%d bda:%x RName:%s",
4398 btm_pair_state_descr(btm_cb.pairing_state), handle, status, enc_mode,
4399 (bda[2]<<24)+(bda[3]<<16)+(bda[4]<<8)+bda[5],
4400 p_dev_rec->sec_bd_name);
4401 }
4402 else
4403 {
4404 BTM_TRACE_EVENT ("Security Manager: btm_sec_connected in state: %s handle:%d status:%d enc_mode:%d bda:%x ",
4405 btm_pair_state_descr(btm_cb.pairing_state), handle, status, enc_mode,
4406 (bda[2]<<24)+(bda[3]<<16)+(bda[4]<<8)+bda[5]);
4407 }
4408 #endif
4409
4410 if (!p_dev_rec)
4411 {
4412 /* There is no device record for new connection. Allocate one */
4413 if (status == HCI_SUCCESS)
4414 {
4415 p_dev_rec = btm_sec_alloc_dev (bda);
4416 }
4417 else
4418 {
4419 /* If the device matches with stored paring address
4420 * reset the paring state to idle */
4421 if ((btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) &&
4422 (memcmp (btm_cb.pairing_bda, bda, BD_ADDR_LEN) == 0))
4423 {
4424 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE);
4425 }
4426
4427 /* can not find the device record and the status is error,
4428 * just ignore it */
4429 return;
4430 }
4431 }
4432 else /* Update the timestamp for this device */
4433 {
4434
4435 #if BLE_INCLUDED == TRUE
4436 bit_shift = (handle == p_dev_rec->ble_hci_handle) ? 8 :0;
4437 #endif
4438 p_dev_rec->timestamp = btm_cb.dev_rec_count++;
4439 if (p_dev_rec->sm4 & BTM_SM4_CONN_PEND)
4440 {
4441 /* tell L2CAP it's a bonding connection. */
4442 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4443 && (memcmp (btm_cb.pairing_bda, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0)
4444 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) )
4445 {
4446 /* if incoming connection failed while pairing, then try to connect and continue */
4447 /* Motorola S9 disconnects without asking pin code */
4448 if ((status != HCI_SUCCESS)&&(btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_PIN_REQ))
4449 {
4450 BTM_TRACE_WARNING ("Security Manager: btm_sec_connected: incoming connection failed without asking PIN");
4451
4452 p_dev_rec->sm4 &= ~BTM_SM4_CONN_PEND;
4453 if (p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
4454 {
4455 /* Start timer with 0 to initiate connection with new LCB */
4456 /* because L2CAP will delete current LCB with this event */
4457 btm_cb.p_collided_dev_rec = p_dev_rec;
4458 alarm_set_on_queue(btm_cb.sec_collision_timer, 0,
4459 btm_sec_connect_after_reject_timeout,
4460 NULL, btu_general_alarm_queue);
4461 }
4462 else
4463 {
4464 btm_sec_change_pairing_state (BTM_PAIR_STATE_GET_REM_NAME);
4465 BTM_ReadRemoteDeviceName(p_dev_rec->bd_addr, NULL, BT_TRANSPORT_BR_EDR);
4466 }
4467 #if BTM_DISC_DURING_RS == TRUE
4468 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */
4469 #endif
4470 return;
4471 }
4472 else
4473 {
4474 l2cu_update_lcb_4_bonding(p_dev_rec->bd_addr, TRUE);
4475 }
4476 }
4477 /* always clear the pending flag */
4478 p_dev_rec->sm4 &= ~BTM_SM4_CONN_PEND;
4479 }
4480 }
4481
4482 #if BLE_INCLUDED == TRUE
4483 p_dev_rec->device_type |= BT_DEVICE_TYPE_BREDR;
4484 #endif
4485
4486 #if BTM_DISC_DURING_RS == TRUE
4487 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */
4488 #endif
4489
4490 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */
4491
4492 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4493 && (memcmp (btm_cb.pairing_bda, bda, BD_ADDR_LEN) == 0) )
4494 {
4495 /* if we rejected incoming connection from bonding device */
4496 if ((status == HCI_ERR_HOST_REJECT_DEVICE)
4497 &&(btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT))
4498 {
4499 BTM_TRACE_WARNING ("Security Manager: btm_sec_connected: HCI_Conn_Comp Flags:0x%04x, sm4: 0x%x",
4500 btm_cb.pairing_flags, p_dev_rec->sm4);
4501
4502 btm_cb.pairing_flags &= ~BTM_PAIR_FLAGS_REJECTED_CONNECT;
4503 if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4))
4504 {
4505 /* Try again: RNR when no ACL causes HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT */
4506 btm_sec_change_pairing_state (BTM_PAIR_STATE_GET_REM_NAME);
4507 BTM_ReadRemoteDeviceName(bda, NULL, BT_TRANSPORT_BR_EDR);
4508 return;
4509 }
4510
4511 /* if we already have pin code */
4512 if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_PIN)
4513 {
4514 /* Start timer with 0 to initiate connection with new LCB */
4515 /* because L2CAP will delete current LCB with this event */
4516 btm_cb.p_collided_dev_rec = p_dev_rec;
4517 alarm_set_on_queue(btm_cb.sec_collision_timer, 0,
4518 btm_sec_connect_after_reject_timeout,
4519 NULL, btu_general_alarm_queue);
4520 }
4521
4522 return;
4523 }
4524 /* wait for incoming connection without resetting pairing state */
4525 else if (status == HCI_ERR_CONNECTION_EXISTS)
4526 {
4527 BTM_TRACE_WARNING ("Security Manager: btm_sec_connected: Wait for incoming connection");
4528 return;
4529 }
4530
4531 is_pairing_device = TRUE;
4532 }
4533
4534 /* If connection was made to do bonding restore link security if changed */
4535 btm_restore_mode();
4536
4537 /* if connection fails during pin request, notify application */
4538 if (status != HCI_SUCCESS)
4539 {
4540 /* If connection failed because of during pairing, need to tell user */
4541 if (is_pairing_device)
4542 {
4543 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4544 p_dev_rec->sec_flags &= ~((BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED) << bit_shift);
4545 BTM_TRACE_DEBUG ("security_required:%x ", p_dev_rec->security_required );
4546
4547 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4548
4549 /* We need to notify host that the key is not known any more */
4550 if (btm_cb.api.p_auth_complete_callback)
4551 {
4552 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4553 p_dev_rec->dev_class,
4554 p_dev_rec->sec_bd_name, status);
4555 }
4556 }
4557 /*
4558 Do not send authentication failure, if following conditions hold good
4559 1. BTM Sec Pairing state is idle
4560 2. Link key for the remote device is present.
4561 3. Remote is SSP capable.
4562 */
4563 else if ((p_dev_rec->link_key_type <= BTM_LKEY_TYPE_REMOTE_UNIT) &&
4564 (((status == HCI_ERR_AUTH_FAILURE) ||
4565 (status == HCI_ERR_KEY_MISSING) ||
4566 (status == HCI_ERR_HOST_REJECT_SECURITY) ||
4567 (status == HCI_ERR_PAIRING_NOT_ALLOWED) ||
4568 (status == HCI_ERR_UNIT_KEY_USED) ||
4569 (status == HCI_ERR_PAIRING_WITH_UNIT_KEY_NOT_SUPPORTED) ||
4570 (status == HCI_ERR_ENCRY_MODE_NOT_ACCEPTABLE) ||
4571 (status == HCI_ERR_REPEATED_ATTEMPTS))))
4572 {
4573 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4574 p_dev_rec->sec_flags &= ~ (BTM_SEC_LE_LINK_KEY_KNOWN << bit_shift);
4575
4576 #ifdef BRCM_NOT_4_BTE
4577 /* If we rejected pairing, pass this special result code */
4578 if (btm_cb.acl_disc_reason == HCI_ERR_HOST_REJECT_SECURITY)
4579 {
4580 status = HCI_ERR_HOST_REJECT_SECURITY;
4581 }
4582 #endif
4583
4584 /* We need to notify host that the key is not known any more */
4585 if (btm_cb.api.p_auth_complete_callback)
4586 {
4587 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4588 p_dev_rec->dev_class,
4589 p_dev_rec->sec_bd_name, status);
4590 }
4591 }
4592
4593 if (status == HCI_ERR_CONNECTION_TOUT || status == HCI_ERR_LMP_RESPONSE_TIMEOUT ||
4594 status == HCI_ERR_UNSPECIFIED || status == HCI_ERR_PAGE_TIMEOUT)
4595 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_DEVICE_TIMEOUT, FALSE);
4596 else
4597 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING, FALSE);
4598
4599 return;
4600 }
4601
4602 /* If initiated dedicated bonding, return the link key now, and initiate disconnect */
4603 /* If dedicated bonding, and we now have a link key, we are all done */
4604 if ( is_pairing_device
4605 && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) )
4606 {
4607 if (p_dev_rec->link_key_not_sent)
4608 {
4609 p_dev_rec->link_key_not_sent = FALSE;
4610 btm_send_link_key_notif(p_dev_rec);
4611 }
4612
4613 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4614
4615 /* remember flag before it is initialized */
4616 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4617 res = TRUE;
4618 else
4619 res = FALSE;
4620
4621 if (btm_cb.api.p_auth_complete_callback)
4622 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4623 p_dev_rec->dev_class,
4624 p_dev_rec->sec_bd_name, HCI_SUCCESS);
4625
4626 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4627
4628 if ( res )
4629 {
4630 /* Let l2cap start bond timer */
4631 l2cu_update_lcb_4_bonding (p_dev_rec->bd_addr, TRUE);
4632 }
4633
4634 return;
4635 }
4636
4637 p_dev_rec->hci_handle = handle;
4638
4639 /* role may not be correct here, it will be updated by l2cap, but we need to */
4640 /* notify btm_acl that link is up, so starting of rmt name request will not */
4641 /* set paging flag up */
4642 p_acl_cb = btm_bda_to_acl(bda, BT_TRANSPORT_BR_EDR);
4643 if (p_acl_cb)
4644 {
4645 /* whatever is in btm_establish_continue() without reporting the BTM_BL_CONN_EVT event */
4646 #if (!defined(BTM_BYPASS_EXTRA_ACL_SETUP) || BTM_BYPASS_EXTRA_ACL_SETUP == FALSE)
4647 /* For now there are a some devices that do not like sending */
4648 /* commands events and data at the same time. */
4649 /* Set the packet types to the default allowed by the device */
4650 btm_set_packet_types (p_acl_cb, btm_cb.btm_acl_pkt_types_supported);
4651
4652 if (btm_cb.btm_def_link_policy)
4653 BTM_SetLinkPolicy (p_acl_cb->remote_addr, &btm_cb.btm_def_link_policy);
4654 #endif
4655 }
4656 btm_acl_created (bda, p_dev_rec->dev_class, p_dev_rec->sec_bd_name, handle, HCI_ROLE_SLAVE, BT_TRANSPORT_BR_EDR);
4657
4658 /* Initialize security flags. We need to do that because some */
4659 /* authorization complete could have come after the connection is dropped */
4660 /* and that would set wrong flag that link has been authorized already */
4661 p_dev_rec->sec_flags &= ~((BTM_SEC_AUTHORIZED | BTM_SEC_AUTHENTICATED |
4662 BTM_SEC_ENCRYPTED | BTM_SEC_ROLE_SWITCHED) << bit_shift);
4663
4664 if (enc_mode != HCI_ENCRYPT_MODE_DISABLED)
4665 p_dev_rec->sec_flags |= ((BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED) << bit_shift);
4666
4667 if (btm_cb.security_mode == BTM_SEC_MODE_LINK)
4668 p_dev_rec->sec_flags |= (BTM_SEC_AUTHENTICATED << bit_shift);
4669
4670 if (p_dev_rec->pin_code_length >= 16 ||
4671 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB ||
4672 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) {
4673 p_dev_rec->sec_flags |= (BTM_SEC_16_DIGIT_PIN_AUTHED << bit_shift);
4674 }
4675
4676 p_dev_rec->link_key_changed = FALSE;
4677
4678 /* After connection is established we perform security if we do not know */
4679 /* the name, or if we are originator because some procedure can have */
4680 /* been scheduled while connection was down */
4681 BTM_TRACE_DEBUG ("is_originator:%d ", p_dev_rec->is_originator);
4682 if (!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN) || p_dev_rec->is_originator)
4683 {
4684 if ((res = btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED)
4685 btm_sec_dev_rec_cback_event (p_dev_rec, res, FALSE);
4686 }
4687 return;
4688 }
4689
4690 /*******************************************************************************
4691 **
4692 ** Function btm_sec_disconnect
4693 **
4694 ** Description This function is called to disconnect HCI link
4695 **
4696 ** Returns btm status
4697 **
4698 *******************************************************************************/
btm_sec_disconnect(UINT16 handle,UINT8 reason)4699 tBTM_STATUS btm_sec_disconnect (UINT16 handle, UINT8 reason)
4700 {
4701 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle);
4702
4703 /* In some weird race condition we may not have a record */
4704 if (!p_dev_rec)
4705 {
4706 btsnd_hcic_disconnect (handle, reason);
4707 return(BTM_SUCCESS);
4708 }
4709
4710 /* If we are in the process of bonding we need to tell client that auth failed */
4711 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4712 && (memcmp (btm_cb.pairing_bda, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0)
4713 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) )
4714 {
4715 /* we are currently doing bonding. Link will be disconnected when done */
4716 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_DISC_WHEN_DONE;
4717 return(BTM_BUSY);
4718 }
4719
4720 return(btm_sec_send_hci_disconnect(p_dev_rec, reason, handle));
4721 }
4722
4723 /*******************************************************************************
4724 **
4725 ** Function btm_sec_disconnected
4726 **
4727 ** Description This function is when a connection to the peer device is
4728 ** dropped
4729 **
4730 ** Returns void
4731 **
4732 *******************************************************************************/
btm_sec_disconnected(UINT16 handle,UINT8 reason)4733 void btm_sec_disconnected (UINT16 handle, UINT8 reason)
4734 {
4735 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle);
4736 UINT8 old_pairing_flags = btm_cb.pairing_flags;
4737 int result = HCI_ERR_AUTH_FAILURE;
4738 tBTM_SEC_CALLBACK *p_callback = NULL;
4739 tBT_TRANSPORT transport = BT_TRANSPORT_BR_EDR;
4740
4741 /* If page was delayed for disc complete, can do it now */
4742 btm_cb.discing = FALSE;
4743
4744 btm_acl_resubmit_page();
4745
4746 if (!p_dev_rec)
4747 return;
4748
4749 transport = (handle == p_dev_rec->hci_handle) ? BT_TRANSPORT_BR_EDR: BT_TRANSPORT_LE;
4750
4751 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */
4752
4753 #if BTM_DISC_DURING_RS == TRUE
4754 LOG_INFO(LOG_TAG, "%s clearing pending flag handle:%d reason:%d", __func__, handle, reason);
4755 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */
4756 #endif
4757
4758 /* clear unused flags */
4759 p_dev_rec->sm4 &= BTM_SM4_TRUE;
4760
4761 uint8_t *bd_addr = (uint8_t *)p_dev_rec->bd_addr;
4762 BTM_TRACE_EVENT("%s sec_req:x%x state:%s reason:%d bd_addr:%02x:%02x:%02x:%02x:%02x:%02x"
4763 " remote_name:%s", __func__, p_dev_rec->security_required, btm_pair_state_descr(btm_cb.pairing_state),
4764 reason, bd_addr[0], bd_addr[1], bd_addr[2], bd_addr[3], bd_addr[4], bd_addr[5], p_dev_rec->sec_bd_name);
4765
4766 BTM_TRACE_EVENT("%s before update sec_flags=0x%x", __func__, p_dev_rec->sec_flags);
4767
4768 /* If we are in the process of bonding we need to tell client that auth failed */
4769 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4770 && (memcmp (btm_cb.pairing_bda, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0))
4771 {
4772 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4773 p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_KNOWN;
4774 if (btm_cb.api.p_auth_complete_callback)
4775 {
4776 /* If the disconnection reason is REPEATED_ATTEMPTS,
4777 send this error message to complete callback function
4778 to display the error message of Repeated attempts.
4779 All others, send HCI_ERR_AUTH_FAILURE. */
4780 if (reason == HCI_ERR_REPEATED_ATTEMPTS)
4781 {
4782 result = HCI_ERR_REPEATED_ATTEMPTS;
4783 }
4784 else if (old_pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4785 {
4786 result = HCI_ERR_HOST_REJECT_SECURITY;
4787 }
4788 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
4789 p_dev_rec->sec_bd_name, result);
4790 }
4791 }
4792
4793 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
4794 btm_ble_update_mode_operation(HCI_ROLE_UNKNOWN, p_dev_rec->bd_addr, HCI_SUCCESS);
4795 /* see sec_flags processing in btm_acl_removed */
4796
4797 if (transport == BT_TRANSPORT_LE)
4798 {
4799 p_dev_rec->ble_hci_handle = BTM_SEC_INVALID_HANDLE;
4800 p_dev_rec->sec_flags &= ~(BTM_SEC_LE_AUTHENTICATED|BTM_SEC_LE_ENCRYPTED);
4801 p_dev_rec->enc_key_size = 0;
4802 }
4803 else
4804 #endif
4805 {
4806 p_dev_rec->hci_handle = BTM_SEC_INVALID_HANDLE;
4807 p_dev_rec->sec_flags &= ~(BTM_SEC_AUTHORIZED | BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED
4808 | BTM_SEC_ROLE_SWITCHED | BTM_SEC_16_DIGIT_PIN_AUTHED);
4809 }
4810
4811 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
4812 if (p_dev_rec->sec_state == BTM_SEC_STATE_DISCONNECTING_BOTH)
4813 {
4814 p_dev_rec->sec_state = (transport == BT_TRANSPORT_LE) ?
4815 BTM_SEC_STATE_DISCONNECTING : BTM_SEC_STATE_DISCONNECTING_BLE;
4816 return;
4817 }
4818 #endif
4819 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
4820 p_dev_rec->security_required = BTM_SEC_NONE;
4821
4822 p_callback = p_dev_rec->p_callback;
4823
4824 /* if security is pending, send callback to clean up the security state */
4825 if(p_callback)
4826 {
4827 p_dev_rec->p_callback = NULL; /* when the peer device time out the authentication before
4828 we do, this call back must be reset here */
4829 (*p_callback) (p_dev_rec->bd_addr, transport, p_dev_rec->p_ref_data, BTM_ERR_PROCESSING);
4830 }
4831
4832 BTM_TRACE_EVENT("%s after update sec_flags=0x%x", __func__, p_dev_rec->sec_flags);
4833 }
4834
4835 /*******************************************************************************
4836 **
4837 ** Function btm_sec_link_key_notification
4838 **
4839 ** Description This function is called when a new connection link key is
4840 ** generated
4841 **
4842 ** Returns Pointer to the record or NULL
4843 **
4844 *******************************************************************************/
btm_sec_link_key_notification(UINT8 * p_bda,UINT8 * p_link_key,UINT8 key_type)4845 void btm_sec_link_key_notification (UINT8 *p_bda, UINT8 *p_link_key, UINT8 key_type)
4846 {
4847 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_or_alloc_dev (p_bda);
4848 BOOLEAN we_are_bonding = FALSE;
4849 BOOLEAN ltk_derived_lk = FALSE;
4850
4851 BTM_TRACE_EVENT ("btm_sec_link_key_notification() BDA:%04x%08x, TYPE: %d",
4852 (p_bda[0]<<8)+p_bda[1], (p_bda[2]<<24)+(p_bda[3]<<16)+(p_bda[4]<<8)+p_bda[5],
4853 key_type);
4854
4855 if ((key_type >= BTM_LTK_DERIVED_LKEY_OFFSET + BTM_LKEY_TYPE_COMBINATION) &&
4856 (key_type <= BTM_LTK_DERIVED_LKEY_OFFSET + BTM_LKEY_TYPE_AUTH_COMB_P_256))
4857 {
4858 ltk_derived_lk = TRUE;
4859 key_type -= BTM_LTK_DERIVED_LKEY_OFFSET;
4860 }
4861 /* If connection was made to do bonding restore link security if changed */
4862 btm_restore_mode();
4863
4864 if (key_type != BTM_LKEY_TYPE_CHANGED_COMB)
4865 p_dev_rec->link_key_type = key_type;
4866
4867 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_KNOWN;
4868
4869 /*
4870 * Until this point in time, we do not know if MITM was enabled, hence we
4871 * add the extended security flag here.
4872 */
4873 if (p_dev_rec->pin_code_length >= 16 ||
4874 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB ||
4875 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) {
4876 p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED;
4877 }
4878
4879 #if (BLE_INCLUDED == TRUE)
4880 /* BR/EDR connection, update the encryption key size to be 16 as always */
4881 p_dev_rec->enc_key_size = 16;
4882 #endif
4883 memcpy (p_dev_rec->link_key, p_link_key, LINK_KEY_LEN);
4884
4885 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4886 && (memcmp (btm_cb.pairing_bda, p_bda, BD_ADDR_LEN) == 0) )
4887 {
4888 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4889 we_are_bonding = TRUE;
4890 else
4891 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4892 }
4893
4894 /* save LTK derived LK no matter what */
4895 if (ltk_derived_lk)
4896 {
4897 if (btm_cb.api.p_link_key_callback)
4898 {
4899 BTM_TRACE_DEBUG ("%s() Save LTK derived LK (key_type = %d)",
4900 __FUNCTION__, p_dev_rec->link_key_type);
4901 (*btm_cb.api.p_link_key_callback) (p_bda, p_dev_rec->dev_class,
4902 p_dev_rec->sec_bd_name,
4903 p_link_key, p_dev_rec->link_key_type);
4904 }
4905 }
4906 else
4907 {
4908 if ((p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256) ||
4909 (p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256))
4910 {
4911 p_dev_rec->new_encryption_key_is_p256 = TRUE;
4912 BTM_TRACE_DEBUG ("%s set new_encr_key_256 to %d",
4913 __func__, p_dev_rec->new_encryption_key_is_p256);
4914 }
4915 }
4916
4917 /* If name is not known at this point delay calling callback until the name is */
4918 /* resolved. Unless it is a HID Device and we really need to send all link keys. */
4919 if ((!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
4920 && ((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) != BTM_COD_MAJOR_PERIPHERAL))
4921 && !ltk_derived_lk)
4922 {
4923 BTM_TRACE_EVENT ("btm_sec_link_key_notification() Delayed BDA: %08x%04x Type:%d",
4924 (p_bda[0]<<24) + (p_bda[1]<<16) + (p_bda[2]<<8) + p_bda[3],
4925 (p_bda[4] << 8) + p_bda[5], key_type);
4926
4927 p_dev_rec->link_key_not_sent = TRUE;
4928
4929 /* If it is for bonding nothing else will follow, so we need to start name resolution */
4930 if (we_are_bonding)
4931 {
4932 if (!(btsnd_hcic_rmt_name_req (p_bda, HCI_PAGE_SCAN_REP_MODE_R1, HCI_MANDATARY_PAGE_SCAN_MODE, 0)))
4933 btm_inq_rmt_name_failed();
4934 }
4935
4936 BTM_TRACE_EVENT ("rmt_io_caps:%d, sec_flags:x%x, dev_class[1]:x%02x", p_dev_rec->rmt_io_caps, p_dev_rec->sec_flags, p_dev_rec->dev_class[1])
4937 return;
4938 }
4939
4940 /* If its not us who perform authentication, we should tell stackserver */
4941 /* that some authentication has been completed */
4942 /* This is required when different entities receive link notification and auth complete */
4943 if (!(p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE)
4944 /* for derived key, always send authentication callback for BR channel */
4945 || ltk_derived_lk)
4946 {
4947 if (btm_cb.api.p_auth_complete_callback)
4948 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
4949 p_dev_rec->sec_bd_name, HCI_SUCCESS);
4950 }
4951
4952 /* We will save link key only if the user authorized it - BTE report link key in all cases */
4953 #ifdef BRCM_NONE_BTE
4954 if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED)
4955 #endif
4956 {
4957 if (btm_cb.api.p_link_key_callback)
4958 {
4959 if (ltk_derived_lk)
4960 {
4961 BTM_TRACE_DEBUG ("btm_sec_link_key_notification() LTK derived LK is saved already"
4962 " (key_type = %d)", p_dev_rec->link_key_type);
4963 }
4964 else
4965 {
4966 (*btm_cb.api.p_link_key_callback) (p_bda, p_dev_rec->dev_class,
4967 p_dev_rec->sec_bd_name,
4968 p_link_key, p_dev_rec->link_key_type);
4969 }
4970 }
4971 }
4972 }
4973
4974 /*******************************************************************************
4975 **
4976 ** Function btm_sec_link_key_request
4977 **
4978 ** Description This function is called when controller requests link key
4979 **
4980 ** Returns Pointer to the record or NULL
4981 **
4982 *******************************************************************************/
btm_sec_link_key_request(UINT8 * p_bda)4983 void btm_sec_link_key_request (UINT8 *p_bda)
4984 {
4985 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_or_alloc_dev (p_bda);
4986
4987 BTM_TRACE_EVENT ("btm_sec_link_key_request() BDA: %02x:%02x:%02x:%02x:%02x:%02x",
4988 p_bda[0], p_bda[1], p_bda[2], p_bda[3], p_bda[4], p_bda[5]);
4989
4990 if( (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_PIN_REQ) &&
4991 (btm_cb.collision_start_time != 0) &&
4992 (memcmp (btm_cb.p_collided_dev_rec->bd_addr, p_bda, BD_ADDR_LEN) == 0) )
4993 {
4994 BTM_TRACE_EVENT ("btm_sec_link_key_request() rejecting link key req "
4995 "State: %d START_TIMEOUT : %d",
4996 btm_cb.pairing_state, btm_cb.collision_start_time);
4997 btsnd_hcic_link_key_neg_reply (p_bda);
4998 return;
4999 }
5000 if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)
5001 {
5002 btsnd_hcic_link_key_req_reply (p_bda, p_dev_rec->link_key);
5003 return;
5004 }
5005
5006 /* Notify L2CAP to increase timeout */
5007 l2c_pin_code_request (p_bda);
5008
5009 /* The link key is not in the database and it is not known to the manager */
5010 btsnd_hcic_link_key_neg_reply (p_bda);
5011 }
5012
5013 /*******************************************************************************
5014 **
5015 ** Function btm_sec_pairing_timeout
5016 **
5017 ** Description This function is called when host does not provide PIN
5018 ** within requested time
5019 **
5020 ** Returns Pointer to the TLE struct
5021 **
5022 *******************************************************************************/
btm_sec_pairing_timeout(UNUSED_ATTR void * data)5023 static void btm_sec_pairing_timeout(UNUSED_ATTR void *data)
5024 {
5025 tBTM_CB *p_cb = &btm_cb;
5026 tBTM_SEC_DEV_REC *p_dev_rec;
5027 #if (BTM_LOCAL_IO_CAPS == BTM_IO_CAP_NONE)
5028 tBTM_AUTH_REQ auth_req = BTM_AUTH_AP_NO;
5029 #else
5030 tBTM_AUTH_REQ auth_req = BTM_AUTH_AP_YES;
5031 #endif
5032 UINT8 name[2];
5033
5034 /* Coverity: FALSE-POSITIVE error from Coverity tool. Please do NOT remove following comment. */
5035 /* coverity[UNUSED_VALUE] pointer p_dev_rec is actually used several times... This is a Coverity false-positive, i.e. a fake issue.
5036 */
5037 p_dev_rec = btm_find_dev (p_cb->pairing_bda);
5038
5039 BTM_TRACE_EVENT ("%s State: %s Flags: %u", __func__,
5040 btm_pair_state_descr(p_cb->pairing_state), p_cb->pairing_flags);
5041
5042 switch (p_cb->pairing_state)
5043 {
5044 case BTM_PAIR_STATE_WAIT_PIN_REQ:
5045 btm_sec_bond_cancel_complete();
5046 break;
5047
5048 case BTM_PAIR_STATE_WAIT_LOCAL_PIN:
5049 if ( (btm_cb.pairing_flags & BTM_PAIR_FLAGS_PRE_FETCH_PIN) == 0)
5050 btsnd_hcic_pin_code_neg_reply (p_cb->pairing_bda);
5051 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
5052 /* We need to notify the UI that no longer need the PIN */
5053 if (btm_cb.api.p_auth_complete_callback)
5054 {
5055 if (p_dev_rec == NULL)
5056 {
5057 name[0] = 0;
5058 (*btm_cb.api.p_auth_complete_callback) (p_cb->pairing_bda,
5059 NULL,
5060 name, HCI_ERR_CONNECTION_TOUT);
5061 }
5062 else
5063 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
5064 p_dev_rec->dev_class,
5065 p_dev_rec->sec_bd_name, HCI_ERR_CONNECTION_TOUT);
5066 }
5067 break;
5068
5069 case BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM:
5070 btsnd_hcic_user_conf_reply (p_cb->pairing_bda, FALSE);
5071 /* btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); */
5072 break;
5073
5074 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
5075 case BTM_PAIR_STATE_KEY_ENTRY:
5076 btsnd_hcic_user_passkey_neg_reply(p_cb->pairing_bda);
5077 /* btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); */
5078 break;
5079 #endif /* !BTM_IO_CAP_NONE */
5080
5081 case BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS:
5082 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
5083 auth_req |= BTM_AUTH_DD_BOND;
5084
5085 btsnd_hcic_io_cap_req_reply (p_cb->pairing_bda, btm_cb.devcb.loc_io_caps,
5086 BTM_OOB_NONE, auth_req);
5087 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
5088 break;
5089
5090 case BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP:
5091 btsnd_hcic_rem_oob_neg_reply (p_cb->pairing_bda);
5092 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
5093 break;
5094
5095 case BTM_PAIR_STATE_WAIT_DISCONNECT:
5096 /* simple pairing failed. Started a 1-sec timer at simple pairing complete.
5097 * now it's time to tear down the ACL link*/
5098 if (p_dev_rec == NULL)
5099 {
5100 BTM_TRACE_ERROR("%s BTM_PAIR_STATE_WAIT_DISCONNECT unknown BDA: %08x%04x",
5101 __func__,
5102 (p_cb->pairing_bda[0]<<24) + (p_cb->pairing_bda[1]<<16) + (p_cb->pairing_bda[2]<<8) + p_cb->pairing_bda[3],
5103 (p_cb->pairing_bda[4] << 8) + p_cb->pairing_bda[5]);
5104 break;
5105 }
5106 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE, p_dev_rec->hci_handle);
5107 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
5108 break;
5109
5110 case BTM_PAIR_STATE_WAIT_AUTH_COMPLETE:
5111 case BTM_PAIR_STATE_GET_REM_NAME:
5112 /* We need to notify the UI that timeout has happened while waiting for authentication*/
5113 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
5114 if (btm_cb.api.p_auth_complete_callback)
5115 {
5116 if (p_dev_rec == NULL)
5117 {
5118 name[0] = 0;
5119 (*btm_cb.api.p_auth_complete_callback) (p_cb->pairing_bda,
5120 NULL,
5121 name, HCI_ERR_CONNECTION_TOUT);
5122 }
5123 else
5124 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
5125 p_dev_rec->dev_class,
5126 p_dev_rec->sec_bd_name, HCI_ERR_CONNECTION_TOUT);
5127 }
5128 break;
5129
5130 default:
5131 BTM_TRACE_WARNING("%s not processed state: %s", __func__,
5132 btm_pair_state_descr(btm_cb.pairing_state));
5133 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
5134 break;
5135 }
5136 }
5137
5138 /*******************************************************************************
5139 **
5140 ** Function btm_sec_pin_code_request
5141 **
5142 ** Description This function is called when controller requests PIN code
5143 **
5144 ** Returns Pointer to the record or NULL
5145 **
5146 *******************************************************************************/
btm_sec_pin_code_request(UINT8 * p_bda)5147 void btm_sec_pin_code_request (UINT8 *p_bda)
5148 {
5149 tBTM_SEC_DEV_REC *p_dev_rec;
5150 tBTM_CB *p_cb = &btm_cb;
5151
5152 BTM_TRACE_EVENT ("btm_sec_pin_code_request() State: %s, BDA:%04x%08x",
5153 btm_pair_state_descr(btm_cb.pairing_state),
5154 (p_bda[0]<<8)+p_bda[1], (p_bda[2]<<24)+(p_bda[3]<<16)+(p_bda[4]<<8)+p_bda[5] );
5155
5156 if (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
5157 {
5158 if ( (memcmp (p_bda, btm_cb.pairing_bda, BD_ADDR_LEN) == 0) &&
5159 (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_AUTH_COMPLETE) )
5160 {
5161 btsnd_hcic_pin_code_neg_reply (p_bda);
5162 return;
5163 }
5164 else if ((btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_PIN_REQ)
5165 || memcmp (p_bda, btm_cb.pairing_bda, BD_ADDR_LEN) != 0)
5166 {
5167 BTM_TRACE_WARNING ("btm_sec_pin_code_request() rejected - state: %s",
5168 btm_pair_state_descr(btm_cb.pairing_state));
5169 btsnd_hcic_pin_code_neg_reply (p_bda);
5170 return;
5171 }
5172 }
5173
5174 p_dev_rec = btm_find_or_alloc_dev (p_bda);
5175 /* received PIN code request. must be non-sm4 */
5176 p_dev_rec->sm4 = BTM_SM4_KNOWN;
5177
5178 if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
5179 {
5180 memcpy (btm_cb.pairing_bda, p_bda, BD_ADDR_LEN);
5181
5182 btm_cb.pairing_flags = BTM_PAIR_FLAGS_PEER_STARTED_DD;
5183 /* Make sure we reset the trusted mask to help against attacks */
5184 BTM_SEC_CLR_TRUSTED_DEVICE(p_dev_rec->trusted_mask);
5185 }
5186
5187 if (!p_cb->pairing_disabled && (p_cb->cfg.pin_type == HCI_PIN_TYPE_FIXED))
5188 {
5189 BTM_TRACE_EVENT ("btm_sec_pin_code_request fixed pin replying");
5190 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
5191 btsnd_hcic_pin_code_req_reply (p_bda, p_cb->cfg.pin_code_len, p_cb->cfg.pin_code);
5192 return;
5193 }
5194
5195 /* Use the connecting device's CoD for the connection */
5196 if ( (!memcmp (p_bda, p_cb->connecting_bda, BD_ADDR_LEN))
5197 && (p_cb->connecting_dc[0] || p_cb->connecting_dc[1] || p_cb->connecting_dc[2]) )
5198 memcpy (p_dev_rec->dev_class, p_cb->connecting_dc, DEV_CLASS_LEN);
5199
5200 /* We could have started connection after asking user for the PIN code */
5201 if (btm_cb.pin_code_len != 0)
5202 {
5203 BTM_TRACE_EVENT ("btm_sec_pin_code_request bonding sending reply");
5204 btsnd_hcic_pin_code_req_reply (p_bda, btm_cb.pin_code_len, p_cb->pin_code);
5205
5206 /* Mark that we forwarded received from the user PIN code */
5207 btm_cb.pin_code_len = 0;
5208
5209 /* We can change mode back right away, that other connection being established */
5210 /* is not forced to be secure - found a FW issue, so we can not do this
5211 btm_restore_mode(); */
5212
5213 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
5214 }
5215
5216 /* If pairing disabled OR (no PIN callback and not bonding) */
5217 /* OR we could not allocate entry in the database reject pairing request */
5218 else if (p_cb->pairing_disabled
5219 || (p_cb->api.p_pin_callback == NULL)
5220
5221 /* OR Microsoft keyboard can for some reason try to establish connection */
5222 /* the only thing we can do here is to shut it up. Normally we will be originator */
5223 /* for keyboard bonding */
5224 || (!p_dev_rec->is_originator
5225 && ((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) == BTM_COD_MAJOR_PERIPHERAL)
5226 && (p_dev_rec->dev_class[2] & BTM_COD_MINOR_KEYBOARD)) )
5227 {
5228 BTM_TRACE_WARNING("btm_sec_pin_code_request(): Pairing disabled:%d; PIN callback:%x, Dev Rec:%x!",
5229 p_cb->pairing_disabled, p_cb->api.p_pin_callback, p_dev_rec);
5230
5231 btsnd_hcic_pin_code_neg_reply (p_bda);
5232 }
5233 /* Notify upper layer of PIN request and start expiration timer */
5234 else
5235 {
5236 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_PIN);
5237 /* Pin code request can not come at the same time as connection request */
5238 memcpy (p_cb->connecting_bda, p_bda, BD_ADDR_LEN);
5239 memcpy (p_cb->connecting_dc, p_dev_rec->dev_class, DEV_CLASS_LEN);
5240
5241 /* Check if the name is known */
5242 /* Even if name is not known we might not be able to get one */
5243 /* this is the case when we are already getting something from the */
5244 /* device, so HCI level is flow controlled */
5245 /* Also cannot send remote name request while paging, i.e. connection is not completed */
5246 if (p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
5247 {
5248 BTM_TRACE_EVENT ("btm_sec_pin_code_request going for callback");
5249
5250 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
5251 if (p_cb->api.p_pin_callback) {
5252 (*p_cb->api.p_pin_callback) (p_bda, p_dev_rec->dev_class, p_dev_rec->sec_bd_name,
5253 (p_dev_rec->p_cur_service == NULL) ? FALSE
5254 : (p_dev_rec->p_cur_service->security_flags
5255 & BTM_SEC_IN_MIN_16_DIGIT_PIN));
5256 }
5257 }
5258 else
5259 {
5260 BTM_TRACE_EVENT ("btm_sec_pin_code_request going for remote name");
5261
5262 /* We received PIN code request for the device with unknown name */
5263 /* it is not user friendly just to ask for the PIN without name */
5264 /* try to get name at first */
5265 if (!btsnd_hcic_rmt_name_req (p_dev_rec->bd_addr,
5266 HCI_PAGE_SCAN_REP_MODE_R1,
5267 HCI_MANDATARY_PAGE_SCAN_MODE, 0))
5268 {
5269 p_dev_rec->sec_flags |= BTM_SEC_NAME_KNOWN;
5270 p_dev_rec->sec_bd_name[0] = 'f';
5271 p_dev_rec->sec_bd_name[1] = '0';
5272 BTM_TRACE_ERROR ("can not send rmt_name_req?? fake a name and call callback");
5273
5274 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
5275 if (p_cb->api.p_pin_callback)
5276 (*p_cb->api.p_pin_callback) (p_bda, p_dev_rec->dev_class,
5277 p_dev_rec->sec_bd_name, (p_dev_rec->p_cur_service == NULL) ? FALSE
5278 : (p_dev_rec->p_cur_service->security_flags
5279 & BTM_SEC_IN_MIN_16_DIGIT_PIN));
5280 }
5281 }
5282 }
5283
5284 return;
5285 }
5286
5287 /*******************************************************************************
5288 **
5289 ** Function btm_sec_update_clock_offset
5290 **
5291 ** Description This function is called to update clock offset
5292 **
5293 ** Returns void
5294 **
5295 *******************************************************************************/
btm_sec_update_clock_offset(UINT16 handle,UINT16 clock_offset)5296 void btm_sec_update_clock_offset (UINT16 handle, UINT16 clock_offset)
5297 {
5298 tBTM_SEC_DEV_REC *p_dev_rec;
5299 tBTM_INQ_INFO *p_inq_info;
5300
5301 if ((p_dev_rec = btm_find_dev_by_handle (handle)) == NULL)
5302 return;
5303
5304 p_dev_rec->clock_offset = clock_offset | BTM_CLOCK_OFFSET_VALID;
5305
5306 if ((p_inq_info = BTM_InqDbRead(p_dev_rec->bd_addr)) == NULL)
5307 return;
5308
5309 p_inq_info->results.clock_offset = clock_offset | BTM_CLOCK_OFFSET_VALID;
5310 }
5311
5312 /******************************************************************
5313 ** S T A T I C F U N C T I O N S
5314 *******************************************************************/
5315
5316 /*******************************************************************************
5317 **
5318 ** Function btm_sec_execute_procedure
5319 **
5320 ** Description This function is called to start required security
5321 ** procedure. There is a case when multiplexing protocol
5322 ** calls this function on the originating side, connection to
5323 ** the peer will not be established. This function in this
5324 ** case performs only authorization.
5325 **
5326 ** Returns BTM_SUCCESS - permission is granted
5327 ** BTM_CMD_STARTED - in process
5328 ** BTM_NO_RESOURCES - permission declined
5329 **
5330 *******************************************************************************/
btm_sec_execute_procedure(tBTM_SEC_DEV_REC * p_dev_rec)5331 static tBTM_STATUS btm_sec_execute_procedure (tBTM_SEC_DEV_REC *p_dev_rec)
5332 {
5333 BTM_TRACE_EVENT ("btm_sec_execute_procedure: Required:0x%x Flags:0x%x State:%d",
5334 p_dev_rec->security_required, p_dev_rec->sec_flags, p_dev_rec->sec_state);
5335
5336 /* There is a chance that we are getting name. Wait until done. */
5337 if (p_dev_rec->sec_state != 0)
5338 return(BTM_CMD_STARTED);
5339
5340 /* If any security is required, get the name first */
5341 if (!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
5342 && (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE))
5343 {
5344 BTM_TRACE_EVENT ("Security Manager: Start get name");
5345 if (!btm_sec_start_get_name (p_dev_rec))
5346 {
5347 return(BTM_NO_RESOURCES);
5348 }
5349 return(BTM_CMD_STARTED);
5350 }
5351
5352 /* If connection is not authenticated and authentication is required */
5353 /* start authentication and return PENDING to the caller */
5354 if ((((!(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))
5355 && (( p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE))
5356 || (!p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_IN_AUTHENTICATE))))
5357 || (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED)
5358 && (!p_dev_rec->is_originator
5359 && (p_dev_rec->security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN))))
5360 && (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE))
5361 {
5362 /*
5363 * We rely on BTM_SEC_16_DIGIT_PIN_AUTHED being set if MITM is in use,
5364 * as 16 DIGIT is only needed if MITM is not used. Unfortunately, the
5365 * BTM_SEC_AUTHENTICATED is used for both MITM and non-MITM
5366 * authenticated connections, hence we cannot distinguish here.
5367 */
5368
5369 #if (L2CAP_UCD_INCLUDED == TRUE)
5370 /* if incoming UCD packet, discard it */
5371 if ( !p_dev_rec->is_originator && (p_dev_rec->is_ucd == TRUE ))
5372 return(BTM_FAILED_ON_SECURITY);
5373 #endif
5374
5375 BTM_TRACE_EVENT ("Security Manager: Start authentication");
5376
5377 /*
5378 * If we do have a link-key, but we end up here because we need an
5379 * upgrade, then clear the link-key known and authenticated flag before
5380 * restarting authentication.
5381 * WARNING: If the controller has link-key, it is optional and
5382 * recommended for the controller to send a Link_Key_Request.
5383 * In case we need an upgrade, the only alternative would be to delete
5384 * the existing link-key. That could lead to very bad user experience
5385 * or even IOP issues, if a reconnect causes a new connection that
5386 * requires an upgrade.
5387 */
5388 if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)
5389 && (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED)
5390 && (!p_dev_rec->is_originator && (p_dev_rec->security_required
5391 & BTM_SEC_IN_MIN_16_DIGIT_PIN)))) {
5392 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED
5393 | BTM_SEC_AUTHENTICATED);
5394 }
5395
5396 if (!btm_sec_start_authentication (p_dev_rec))
5397 {
5398 return(BTM_NO_RESOURCES);
5399 }
5400 return(BTM_CMD_STARTED);
5401 }
5402
5403 /* If connection is not encrypted and encryption is required */
5404 /* start encryption and return PENDING to the caller */
5405 if (!(p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)
5406 && (( p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_OUT_ENCRYPT))
5407 || (!p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_IN_ENCRYPT)))
5408 && (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE))
5409 {
5410 #if (L2CAP_UCD_INCLUDED == TRUE)
5411 /* if incoming UCD packet, discard it */
5412 if ( !p_dev_rec->is_originator && (p_dev_rec->is_ucd == TRUE ))
5413 return(BTM_FAILED_ON_SECURITY);
5414 #endif
5415
5416 BTM_TRACE_EVENT ("Security Manager: Start encryption");
5417
5418 if (!btm_sec_start_encryption (p_dev_rec))
5419 {
5420 return(BTM_NO_RESOURCES);
5421 }
5422 return(BTM_CMD_STARTED);
5423 }
5424
5425 if ((p_dev_rec->security_required & BTM_SEC_MODE4_LEVEL4) &&
5426 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256))
5427 {
5428 BTM_TRACE_EVENT("%s: Security Manager: SC only service, but link key type is 0x%02x -",
5429 "security failure", __FUNCTION__, p_dev_rec->link_key_type);
5430 return (BTM_FAILED_ON_SECURITY);
5431 }
5432
5433 /* If connection is not authorized and authorization is required */
5434 /* start authorization and return PENDING to the caller */
5435 if (!(p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED)
5436 && (( p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_OUT_AUTHORIZE))
5437 || (!p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_IN_AUTHORIZE))))
5438 {
5439 BTM_TRACE_EVENT ("service id:%d, is trusted:%d",
5440 p_dev_rec->p_cur_service->service_id,
5441 (BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask,
5442 p_dev_rec->p_cur_service->service_id)));
5443 if ((btm_sec_are_all_trusted(p_dev_rec->trusted_mask) == FALSE) &&
5444 (p_dev_rec->p_cur_service->service_id < BTM_SEC_MAX_SERVICES) &&
5445 (BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask,
5446 p_dev_rec->p_cur_service->service_id) == FALSE))
5447 {
5448 BTM_TRACE_EVENT ("Security Manager: Start authorization");
5449 return(btm_sec_start_authorization (p_dev_rec));
5450 }
5451 }
5452
5453 /* All required security procedures already established */
5454 p_dev_rec->security_required &= ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_IN_AUTHORIZE |
5455 BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_IN_AUTHENTICATE |
5456 BTM_SEC_OUT_ENCRYPT | BTM_SEC_IN_ENCRYPT |
5457 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER |
5458 BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
5459
5460 BTM_TRACE_EVENT ("Security Manager: trusted:0x%04x%04x", p_dev_rec->trusted_mask[1], p_dev_rec->trusted_mask[0]);
5461 BTM_TRACE_EVENT ("Security Manager: access granted");
5462
5463 return(BTM_SUCCESS);
5464 }
5465
5466 /*******************************************************************************
5467 **
5468 ** Function btm_sec_start_get_name
5469 **
5470 ** Description This function is called to start get name procedure
5471 **
5472 ** Returns TRUE if started
5473 **
5474 *******************************************************************************/
btm_sec_start_get_name(tBTM_SEC_DEV_REC * p_dev_rec)5475 static BOOLEAN btm_sec_start_get_name (tBTM_SEC_DEV_REC *p_dev_rec)
5476 {
5477 UINT8 tempstate = p_dev_rec->sec_state;
5478
5479 p_dev_rec->sec_state = BTM_SEC_STATE_GETTING_NAME;
5480
5481 /* Device should be connected, no need to provide correct page params */
5482 /* 0 and NULL are as timeout and callback params because they are not used in security get name case */
5483 if ((btm_initiate_rem_name (p_dev_rec->bd_addr, NULL, BTM_RMT_NAME_SEC,
5484 0, NULL)) != BTM_CMD_STARTED)
5485 {
5486 p_dev_rec->sec_state = tempstate;
5487 return(FALSE);
5488 }
5489
5490 return(TRUE);
5491 }
5492
5493 /*******************************************************************************
5494 **
5495 ** Function btm_sec_start_authentication
5496 **
5497 ** Description This function is called to start authentication
5498 **
5499 ** Returns TRUE if started
5500 **
5501 *******************************************************************************/
btm_sec_start_authentication(tBTM_SEC_DEV_REC * p_dev_rec)5502 static BOOLEAN btm_sec_start_authentication (tBTM_SEC_DEV_REC *p_dev_rec)
5503 {
5504 p_dev_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING;
5505
5506 return(btsnd_hcic_auth_request (p_dev_rec->hci_handle));
5507 }
5508
5509 /*******************************************************************************
5510 **
5511 ** Function btm_sec_start_encryption
5512 **
5513 ** Description This function is called to start encryption
5514 **
5515 ** Returns TRUE if started
5516 **
5517 *******************************************************************************/
btm_sec_start_encryption(tBTM_SEC_DEV_REC * p_dev_rec)5518 static BOOLEAN btm_sec_start_encryption (tBTM_SEC_DEV_REC *p_dev_rec)
5519 {
5520 if (!btsnd_hcic_set_conn_encrypt (p_dev_rec->hci_handle, TRUE))
5521 return(FALSE);
5522
5523 p_dev_rec->sec_state = BTM_SEC_STATE_ENCRYPTING;
5524 return(TRUE);
5525 }
5526
5527 /*******************************************************************************
5528 **
5529 ** Function btm_sec_start_authorization
5530 **
5531 ** Description This function is called to start authorization
5532 **
5533 ** Returns TRUE if started
5534 **
5535 *******************************************************************************/
btm_sec_start_authorization(tBTM_SEC_DEV_REC * p_dev_rec)5536 static UINT8 btm_sec_start_authorization (tBTM_SEC_DEV_REC *p_dev_rec)
5537 {
5538 UINT8 result;
5539 UINT8 *p_service_name = NULL;
5540 UINT8 service_id;
5541
5542 if ((p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
5543 || (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE))
5544 {
5545 if (!btm_cb.api.p_authorize_callback)
5546 return(BTM_MODE_UNSUPPORTED);
5547
5548 if (p_dev_rec->p_cur_service)
5549 {
5550 #if BTM_SEC_SERVICE_NAME_LEN > 0
5551 if (p_dev_rec->is_originator)
5552 p_service_name = p_dev_rec->p_cur_service->orig_service_name;
5553 else
5554 p_service_name = p_dev_rec->p_cur_service->term_service_name;
5555 #endif
5556 service_id = p_dev_rec->p_cur_service->service_id;
5557 }
5558 else
5559 service_id = 0;
5560
5561 /* Send authorization request if not already sent during this service connection */
5562 if (p_dev_rec->last_author_service_id == BTM_SEC_NO_LAST_SERVICE_ID
5563 || p_dev_rec->last_author_service_id != service_id)
5564 {
5565 p_dev_rec->sec_state = BTM_SEC_STATE_AUTHORIZING;
5566 result = (*btm_cb.api.p_authorize_callback) (p_dev_rec->bd_addr,
5567 p_dev_rec->dev_class,
5568 p_dev_rec->sec_bd_name,
5569 p_service_name,
5570 service_id,
5571 p_dev_rec->is_originator);
5572 }
5573
5574 else /* Already authorized once for this L2CAP bringup */
5575 {
5576 BTM_TRACE_DEBUG ("btm_sec_start_authorization: (Ignoring extra Authorization prompt for service %d)", service_id);
5577 return (BTM_SUCCESS);
5578 }
5579
5580 if (result == BTM_SUCCESS)
5581 {
5582 p_dev_rec->sec_flags |= BTM_SEC_AUTHORIZED;
5583
5584 /* Save the currently authorized service in case we are asked again by another multiplexer layer */
5585 if (!p_dev_rec->is_originator)
5586 p_dev_rec->last_author_service_id = service_id;
5587
5588 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
5589 }
5590 return(result);
5591 }
5592 btm_sec_start_get_name (p_dev_rec);
5593 return(BTM_CMD_STARTED);
5594 }
5595
5596 /*******************************************************************************
5597 **
5598 ** Function btm_sec_are_all_trusted
5599 **
5600 ** Description This function is called check if all services are trusted
5601 **
5602 ** Returns TRUE if all are trusted, otherwise FALSE
5603 **
5604 *******************************************************************************/
btm_sec_are_all_trusted(UINT32 p_mask[])5605 BOOLEAN btm_sec_are_all_trusted(UINT32 p_mask[])
5606 {
5607 UINT32 trusted_inx;
5608 for (trusted_inx = 0; trusted_inx < BTM_SEC_SERVICE_ARRAY_SIZE; trusted_inx++)
5609 {
5610 if (p_mask[trusted_inx] != BTM_SEC_TRUST_ALL)
5611 return(FALSE);
5612 }
5613
5614 return(TRUE);
5615 }
5616
5617 /*******************************************************************************
5618 **
5619 ** Function btm_sec_find_first_serv
5620 **
5621 ** Description Look for the first record in the service database
5622 ** with specified PSM
5623 **
5624 ** Returns Pointer to the record or NULL
5625 **
5626 *******************************************************************************/
btm_sec_find_first_serv(CONNECTION_TYPE conn_type,UINT16 psm)5627 tBTM_SEC_SERV_REC *btm_sec_find_first_serv (CONNECTION_TYPE conn_type, UINT16 psm)
5628 {
5629 tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0];
5630 int i;
5631 BOOLEAN is_originator;
5632
5633 #if (L2CAP_UCD_INCLUDED == TRUE)
5634
5635 if ( conn_type & CONNECTION_TYPE_ORIG_MASK )
5636 is_originator = TRUE;
5637 else
5638 is_originator = FALSE;
5639 #else
5640 is_originator = conn_type;
5641 #endif
5642
5643 if (is_originator && btm_cb.p_out_serv && btm_cb.p_out_serv->psm == psm)
5644 {
5645 /* If this is outgoing connection and the PSM matches p_out_serv,
5646 * use it as the current service */
5647 return btm_cb.p_out_serv;
5648 }
5649
5650 /* otherwise, just find the first record with the specified PSM */
5651 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++)
5652 {
5653 if ( (p_serv_rec->security_flags & BTM_SEC_IN_USE) && (p_serv_rec->psm == psm) )
5654 return(p_serv_rec);
5655 }
5656 return(NULL);
5657 }
5658
5659 /*******************************************************************************
5660 **
5661 ** Function btm_sec_find_next_serv
5662 **
5663 ** Description Look for the next record in the service database
5664 ** with specified PSM
5665 **
5666 ** Returns Pointer to the record or NULL
5667 **
5668 *******************************************************************************/
btm_sec_find_next_serv(tBTM_SEC_SERV_REC * p_cur)5669 static tBTM_SEC_SERV_REC *btm_sec_find_next_serv (tBTM_SEC_SERV_REC *p_cur)
5670 {
5671 tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0];
5672 int i;
5673
5674 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++)
5675 {
5676 if ((p_serv_rec->security_flags & BTM_SEC_IN_USE)
5677 && (p_serv_rec->psm == p_cur->psm) )
5678 {
5679 if (p_cur != p_serv_rec)
5680 {
5681 return(p_serv_rec);
5682 }
5683 }
5684 }
5685 return(NULL);
5686 }
5687
5688 /*******************************************************************************
5689 **
5690 ** Function btm_sec_find_mx_serv
5691 **
5692 ** Description Look for the record in the service database with specified
5693 ** PSM and multiplexor channel information
5694 **
5695 ** Returns Pointer to the record or NULL
5696 **
5697 *******************************************************************************/
btm_sec_find_mx_serv(UINT8 is_originator,UINT16 psm,UINT32 mx_proto_id,UINT32 mx_chan_id)5698 static tBTM_SEC_SERV_REC *btm_sec_find_mx_serv (UINT8 is_originator, UINT16 psm,
5699 UINT32 mx_proto_id, UINT32 mx_chan_id)
5700 {
5701 tBTM_SEC_SERV_REC *p_out_serv = btm_cb.p_out_serv;
5702 tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0];
5703 int i;
5704
5705 BTM_TRACE_DEBUG ("%s()", __func__);
5706 if (is_originator && p_out_serv && p_out_serv->psm == psm
5707 && p_out_serv->mx_proto_id == mx_proto_id
5708 && p_out_serv->orig_mx_chan_id == mx_chan_id)
5709 {
5710 /* If this is outgoing connection and the parameters match p_out_serv,
5711 * use it as the current service */
5712 return btm_cb.p_out_serv;
5713 }
5714
5715 /* otherwise, the old way */
5716 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++)
5717 {
5718 if ((p_serv_rec->security_flags & BTM_SEC_IN_USE)
5719 && (p_serv_rec->psm == psm)
5720 && (p_serv_rec->mx_proto_id == mx_proto_id)
5721 && (( is_originator && (p_serv_rec->orig_mx_chan_id == mx_chan_id))
5722 || (!is_originator && (p_serv_rec->term_mx_chan_id == mx_chan_id))))
5723 {
5724 return(p_serv_rec);
5725 }
5726 }
5727 return(NULL);
5728 }
5729
5730 /*******************************************************************************
5731 **
5732 ** Function btm_sec_collision_timeout
5733 **
5734 ** Description Encryption could not start because of the collision
5735 ** try to do it again
5736 **
5737 ** Returns Pointer to the TLE struct
5738 **
5739 *******************************************************************************/
btm_sec_collision_timeout(UNUSED_ATTR void * data)5740 static void btm_sec_collision_timeout(UNUSED_ATTR void *data)
5741 {
5742 BTM_TRACE_EVENT ("%s()", __func__);
5743
5744 tBTM_STATUS status = btm_sec_execute_procedure (btm_cb.p_collided_dev_rec);
5745
5746 /* If result is pending reply from the user or from the device is pending */
5747 if (status != BTM_CMD_STARTED)
5748 {
5749 /* There is no next procedure or start of procedure failed, notify the waiting layer */
5750 btm_sec_dev_rec_cback_event (btm_cb.p_collided_dev_rec, status, FALSE);
5751 }
5752 }
5753
5754 /*******************************************************************************
5755 **
5756 ** Function btm_sec_link_key_request
5757 **
5758 ** Description This function is called when controller requests link key
5759 **
5760 ** Returns Pointer to the record or NULL
5761 **
5762 *******************************************************************************/
btm_send_link_key_notif(tBTM_SEC_DEV_REC * p_dev_rec)5763 static void btm_send_link_key_notif (tBTM_SEC_DEV_REC *p_dev_rec)
5764 {
5765 if (btm_cb.api.p_link_key_callback)
5766 (*btm_cb.api.p_link_key_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
5767 p_dev_rec->sec_bd_name, p_dev_rec->link_key,
5768 p_dev_rec->link_key_type);
5769 }
5770
5771 /*******************************************************************************
5772 **
5773 ** Function BTM_ReadTrustedMask
5774 **
5775 ** Description Get trusted mask for the peer device
5776 **
5777 ** Parameters: bd_addr - Address of the device
5778 **
5779 ** Returns NULL, if the device record is not found.
5780 ** otherwise, the trusted mask
5781 **
5782 *******************************************************************************/
BTM_ReadTrustedMask(BD_ADDR bd_addr)5783 UINT32 * BTM_ReadTrustedMask (BD_ADDR bd_addr)
5784 {
5785 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr);
5786 if (p_dev_rec != NULL)
5787 return(p_dev_rec->trusted_mask);
5788 return NULL;
5789 }
5790
5791 /*******************************************************************************
5792 **
5793 ** Function btm_restore_mode
5794 **
5795 ** Description This function returns the security mode to previous setting
5796 ** if it was changed during bonding.
5797 **
5798 **
5799 ** Parameters: void
5800 **
5801 *******************************************************************************/
btm_restore_mode(void)5802 static void btm_restore_mode(void)
5803 {
5804 if (btm_cb.security_mode_changed)
5805 {
5806 btm_cb.security_mode_changed = FALSE;
5807 BTM_TRACE_DEBUG("%s() Auth enable -> %d", __func__, (btm_cb.security_mode == BTM_SEC_MODE_LINK));
5808 btsnd_hcic_write_auth_enable ((UINT8)(btm_cb.security_mode == BTM_SEC_MODE_LINK));
5809 }
5810
5811 if (btm_cb.pin_type_changed)
5812 {
5813 btm_cb.pin_type_changed = FALSE;
5814 btsnd_hcic_write_pin_type (btm_cb.cfg.pin_type);
5815 }
5816 }
5817
5818
is_sec_state_equal(void * data,void * context)5819 bool is_sec_state_equal(void *data, void *context)
5820 {
5821 tBTM_SEC_DEV_REC *p_dev_rec = data;
5822 UINT8 *state = context;
5823
5824 if (p_dev_rec->sec_state == *state)
5825 return false;
5826
5827 return true;
5828 }
5829
5830 /*******************************************************************************
5831 **
5832 ** Function btm_sec_find_dev_by_sec_state
5833 **
5834 ** Description Look for the record in the device database for the device
5835 ** which is being authenticated or encrypted
5836 **
5837 ** Returns Pointer to the record or NULL
5838 **
5839 *******************************************************************************/
btm_sec_find_dev_by_sec_state(UINT8 state)5840 tBTM_SEC_DEV_REC *btm_sec_find_dev_by_sec_state (UINT8 state)
5841 {
5842 list_node_t *n = list_foreach(btm_cb.sec_dev_rec, is_sec_state_equal, &state);
5843 if (n)
5844 return list_node(n);
5845
5846 return NULL;
5847 }
5848
5849 /*******************************************************************************
5850 **
5851 ** Function btm_sec_change_pairing_state
5852 **
5853 ** Description This function is called to change pairing state
5854 **
5855 *******************************************************************************/
btm_sec_change_pairing_state(tBTM_PAIRING_STATE new_state)5856 static void btm_sec_change_pairing_state (tBTM_PAIRING_STATE new_state)
5857 {
5858 tBTM_PAIRING_STATE old_state = btm_cb.pairing_state;
5859
5860 BTM_TRACE_EVENT ("%s() Old: %s", __func__, btm_pair_state_descr(btm_cb.pairing_state));
5861 BTM_TRACE_EVENT ("%s() New: %s pairing_flags:0x%x", __func__,
5862 btm_pair_state_descr(new_state), btm_cb.pairing_flags);
5863
5864 btm_cb.pairing_state = new_state;
5865
5866 if (new_state == BTM_PAIR_STATE_IDLE)
5867 {
5868 alarm_cancel(btm_cb.pairing_timer);
5869
5870 btm_cb.pairing_flags = 0;
5871 btm_cb.pin_code_len = 0;
5872
5873 /* Make sure the the lcb shows we are not bonding */
5874 l2cu_update_lcb_4_bonding (btm_cb.pairing_bda, FALSE);
5875
5876 btm_restore_mode();
5877 btm_sec_check_pending_reqs();
5878 btm_inq_clear_ssp();
5879
5880 memset (btm_cb.pairing_bda, 0xFF, BD_ADDR_LEN);
5881 }
5882 else
5883 {
5884 /* If transitioning out of idle, mark the lcb as bonding */
5885 if (old_state == BTM_PAIR_STATE_IDLE)
5886 l2cu_update_lcb_4_bonding (btm_cb.pairing_bda, TRUE);
5887
5888 alarm_set_on_queue(btm_cb.pairing_timer,
5889 BTM_SEC_TIMEOUT_VALUE * 1000,
5890 btm_sec_pairing_timeout, NULL,
5891 btu_general_alarm_queue);
5892 }
5893 }
5894
5895 /*******************************************************************************
5896 **
5897 ** Function btm_pair_state_descr
5898 **
5899 ** Description Return state description for tracing
5900 **
5901 *******************************************************************************/
5902 #if (BT_USE_TRACES == TRUE)
btm_pair_state_descr(tBTM_PAIRING_STATE state)5903 static char *btm_pair_state_descr (tBTM_PAIRING_STATE state)
5904 {
5905 #if (BT_TRACE_VERBOSE == TRUE)
5906 switch (state)
5907 {
5908 case BTM_PAIR_STATE_IDLE: return("IDLE");
5909 case BTM_PAIR_STATE_GET_REM_NAME: return("GET_REM_NAME");
5910 case BTM_PAIR_STATE_WAIT_PIN_REQ: return("WAIT_PIN_REQ");
5911 case BTM_PAIR_STATE_WAIT_LOCAL_PIN: return("WAIT_LOCAL_PIN");
5912 case BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM: return("WAIT_NUM_CONFIRM");
5913 case BTM_PAIR_STATE_KEY_ENTRY: return("KEY_ENTRY");
5914 case BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP: return("WAIT_LOCAL_OOB_RSP");
5915 case BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS: return("WAIT_LOCAL_IOCAPS");
5916 case BTM_PAIR_STATE_INCOMING_SSP: return("INCOMING_SSP");
5917 case BTM_PAIR_STATE_WAIT_AUTH_COMPLETE: return("WAIT_AUTH_COMPLETE");
5918 case BTM_PAIR_STATE_WAIT_DISCONNECT: return("WAIT_DISCONNECT");
5919 }
5920
5921 return("???");
5922 #else
5923 sprintf(btm_cb.state_temp_buffer,"%hhu",state);
5924
5925 return(btm_cb.state_temp_buffer);
5926 #endif
5927 }
5928 #endif
5929
5930 /*******************************************************************************
5931 **
5932 ** Function btm_sec_dev_rec_cback_event
5933 **
5934 ** Description This function calls the callback function with the given
5935 ** result and clear the callback function.
5936 **
5937 ** Parameters: void
5938 **
5939 *******************************************************************************/
btm_sec_dev_rec_cback_event(tBTM_SEC_DEV_REC * p_dev_rec,UINT8 res,BOOLEAN is_le_transport)5940 void btm_sec_dev_rec_cback_event (tBTM_SEC_DEV_REC *p_dev_rec, UINT8 res, BOOLEAN is_le_transport)
5941 {
5942 tBTM_SEC_CALLBACK *p_callback = p_dev_rec->p_callback;
5943
5944 if (p_dev_rec->p_callback)
5945 {
5946 p_dev_rec->p_callback = NULL;
5947
5948 #if BLE_INCLUDED == TRUE
5949 if (is_le_transport)
5950 (*p_callback) (p_dev_rec->ble.pseudo_addr, BT_TRANSPORT_LE, p_dev_rec->p_ref_data, res);
5951 else
5952 #endif
5953 (*p_callback) (p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR, p_dev_rec->p_ref_data, res);
5954 }
5955
5956 btm_sec_check_pending_reqs();
5957 }
5958
5959 /*******************************************************************************
5960 **
5961 ** Function btm_sec_queue_mx_request
5962 **
5963 ** Description Return state description for tracing
5964 **
5965 *******************************************************************************/
btm_sec_queue_mx_request(BD_ADDR bd_addr,UINT16 psm,BOOLEAN is_orig,UINT32 mx_proto_id,UINT32 mx_chan_id,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data)5966 static BOOLEAN btm_sec_queue_mx_request (BD_ADDR bd_addr, UINT16 psm, BOOLEAN is_orig,
5967 UINT32 mx_proto_id, UINT32 mx_chan_id,
5968 tBTM_SEC_CALLBACK *p_callback, void *p_ref_data)
5969 {
5970 tBTM_SEC_QUEUE_ENTRY *p_e = (tBTM_SEC_QUEUE_ENTRY *)osi_malloc(sizeof(tBTM_SEC_QUEUE_ENTRY));
5971
5972 p_e->psm = psm;
5973 p_e->is_orig = is_orig;
5974 p_e->p_callback = p_callback;
5975 p_e->p_ref_data = p_ref_data;
5976 p_e->mx_proto_id = mx_proto_id;
5977 p_e->mx_chan_id = mx_chan_id;
5978 p_e->transport = BT_TRANSPORT_BR_EDR;
5979 p_e->sec_act = 0;
5980
5981 memcpy(p_e->bd_addr, bd_addr, BD_ADDR_LEN);
5982
5983 BTM_TRACE_EVENT("%s() PSM: 0x%04x Is_Orig: %u mx_proto_id: %u mx_chan_id: %u",
5984 __func__, psm, is_orig, mx_proto_id, mx_chan_id);
5985
5986 fixed_queue_enqueue(btm_cb.sec_pending_q, p_e);
5987
5988 return TRUE;
5989 }
5990
btm_sec_check_prefetch_pin(tBTM_SEC_DEV_REC * p_dev_rec)5991 static BOOLEAN btm_sec_check_prefetch_pin (tBTM_SEC_DEV_REC *p_dev_rec)
5992 {
5993 UINT8 major = (UINT8)(p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK);
5994 UINT8 minor = (UINT8)(p_dev_rec->dev_class[2] & BTM_COD_MINOR_CLASS_MASK);
5995 BOOLEAN rv = FALSE;
5996
5997 if ((major == BTM_COD_MAJOR_AUDIO)
5998 && ((minor == BTM_COD_MINOR_CONFM_HANDSFREE) || (minor == BTM_COD_MINOR_CAR_AUDIO)) )
5999 {
6000 BTM_TRACE_EVENT ("%s() Skipping pre-fetch PIN for carkit COD Major: 0x%02x Minor: 0x%02x",
6001 __func__, major, minor);
6002
6003 if (btm_cb.security_mode_changed == FALSE)
6004 {
6005 btm_cb.security_mode_changed = TRUE;
6006 #ifdef APPL_AUTH_WRITE_EXCEPTION
6007 if(!(APPL_AUTH_WRITE_EXCEPTION)(p_dev_rec->bd_addr))
6008 #endif
6009 btsnd_hcic_write_auth_enable (TRUE);
6010 }
6011 }
6012 else
6013 {
6014 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_PIN);
6015
6016 /* If we got a PIN, use that, else try to get one */
6017 if (btm_cb.pin_code_len)
6018 {
6019 BTM_PINCodeReply (p_dev_rec->bd_addr, BTM_SUCCESS, btm_cb.pin_code_len, btm_cb.pin_code, p_dev_rec->trusted_mask);
6020 }
6021 else
6022 {
6023 /* pin was not supplied - pre-fetch pin code now */
6024 if (btm_cb.api.p_pin_callback && ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PIN_REQD) == 0))
6025 {
6026 BTM_TRACE_DEBUG("%s() PIN code callback called", __func__);
6027 if (btm_bda_to_acl(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR) == NULL)
6028 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
6029 (btm_cb.api.p_pin_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
6030 p_dev_rec->sec_bd_name, (p_dev_rec->p_cur_service == NULL) ? FALSE
6031 : (p_dev_rec->p_cur_service->security_flags
6032 & BTM_SEC_IN_MIN_16_DIGIT_PIN));
6033 }
6034 }
6035
6036 rv = TRUE;
6037 }
6038
6039 return rv;
6040 }
6041
6042 /*******************************************************************************
6043 **
6044 ** Function btm_sec_auth_payload_tout
6045 **
6046 ** Description Processes the HCI Autheniticated Payload Timeout Event
6047 ** indicating that a packet containing a valid MIC on the
6048 ** connection handle was not received within the programmed
6049 ** timeout value. (Spec Default is 30 secs, but can be
6050 ** changed via the BTM_SecSetAuthPayloadTimeout() function.
6051 **
6052 *******************************************************************************/
btm_sec_auth_payload_tout(UINT8 * p,UINT16 hci_evt_len)6053 void btm_sec_auth_payload_tout (UINT8 *p, UINT16 hci_evt_len)
6054 {
6055 UINT16 handle;
6056
6057 STREAM_TO_UINT16 (handle, p);
6058 handle = HCID_GET_HANDLE (handle);
6059
6060 /* Will be exposed to upper layers in the future if/when determined necessary */
6061 BTM_TRACE_ERROR ("%s on handle 0x%02x", __func__, handle);
6062 }
6063
6064 /*******************************************************************************
6065 **
6066 ** Function btm_sec_queue_encrypt_request
6067 **
6068 ** Description encqueue encryption request when device has active security
6069 ** process pending.
6070 **
6071 *******************************************************************************/
btm_sec_queue_encrypt_request(BD_ADDR bd_addr,tBT_TRANSPORT transport,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data,tBTM_BLE_SEC_ACT sec_act)6072 static BOOLEAN btm_sec_queue_encrypt_request (BD_ADDR bd_addr, tBT_TRANSPORT transport,
6073 tBTM_SEC_CALLBACK *p_callback, void *p_ref_data,
6074 tBTM_BLE_SEC_ACT sec_act)
6075 {
6076 tBTM_SEC_QUEUE_ENTRY *p_e =
6077 (tBTM_SEC_QUEUE_ENTRY *)osi_malloc(sizeof(tBTM_SEC_QUEUE_ENTRY) + 1);
6078
6079 p_e->psm = 0; /* if PSM 0, encryption request */
6080 p_e->p_callback = p_callback;
6081 p_e->p_ref_data = p_ref_data;
6082 p_e->transport = transport;
6083 p_e->sec_act = sec_act;
6084 memcpy(p_e->bd_addr, bd_addr, BD_ADDR_LEN);
6085 fixed_queue_enqueue(btm_cb.sec_pending_q, p_e);
6086
6087 return TRUE;
6088 }
6089
6090 /*******************************************************************************
6091 **
6092 ** Function btm_sec_set_peer_sec_caps
6093 **
6094 ** Description This function is called to set sm4 and rmt_sec_caps fields
6095 ** based on the available peer device features.
6096 **
6097 ** Returns void
6098 **
6099 *******************************************************************************/
btm_sec_set_peer_sec_caps(tACL_CONN * p_acl_cb,tBTM_SEC_DEV_REC * p_dev_rec)6100 void btm_sec_set_peer_sec_caps(tACL_CONN *p_acl_cb, tBTM_SEC_DEV_REC *p_dev_rec)
6101 {
6102 BD_ADDR rem_bd_addr;
6103 UINT8 *p_rem_bd_addr;
6104
6105 if ((btm_cb.security_mode == BTM_SEC_MODE_SP ||
6106 btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
6107 btm_cb.security_mode == BTM_SEC_MODE_SC) &&
6108 HCI_SSP_HOST_SUPPORTED(p_acl_cb->peer_lmp_features[HCI_EXT_FEATURES_PAGE_1]))
6109 {
6110 p_dev_rec->sm4 = BTM_SM4_TRUE;
6111 p_dev_rec->remote_supports_secure_connections =
6112 (HCI_SC_HOST_SUPPORTED(p_acl_cb->peer_lmp_features[HCI_EXT_FEATURES_PAGE_1]));
6113 }
6114 else
6115 {
6116 p_dev_rec->sm4 = BTM_SM4_KNOWN;
6117 p_dev_rec->remote_supports_secure_connections = FALSE;
6118 }
6119
6120 BTM_TRACE_API("%s: sm4: 0x%02x, rmt_support_for_secure_connections %d", __FUNCTION__,
6121 p_dev_rec->sm4, p_dev_rec->remote_supports_secure_connections);
6122
6123 if (p_dev_rec->remote_features_needed)
6124 {
6125 BTM_TRACE_EVENT("%s: Now device in SC Only mode, waiting for peer remote features!",
6126 __FUNCTION__);
6127 p_rem_bd_addr = (UINT8*) rem_bd_addr;
6128 BDADDR_TO_STREAM(p_rem_bd_addr, p_dev_rec->bd_addr);
6129 p_rem_bd_addr = (UINT8*) rem_bd_addr;
6130 btm_io_capabilities_req(p_rem_bd_addr);
6131 p_dev_rec->remote_features_needed = FALSE;
6132 }
6133 }
6134
6135 /*******************************************************************************
6136 **
6137 ** Function btm_sec_is_serv_level0
6138 **
6139 ** Description This function is called to check if the service corresponding
6140 ** to PSM is security mode 4 level 0 service.
6141 **
6142 ** Returns TRUE if the service is security mode 4 level 0 service
6143 **
6144 *******************************************************************************/
btm_sec_is_serv_level0(UINT16 psm)6145 static BOOLEAN btm_sec_is_serv_level0(UINT16 psm)
6146 {
6147 if (psm == BT_PSM_SDP)
6148 {
6149 BTM_TRACE_DEBUG("%s: PSM: 0x%04x -> mode 4 level 0 service", __FUNCTION__, psm);
6150 return TRUE;
6151 }
6152 return FALSE;
6153 }
6154
6155 /*******************************************************************************
6156 **
6157 ** Function btm_sec_check_pending_enc_req
6158 **
6159 ** Description This function is called to send pending encryption callback if
6160 ** waiting
6161 **
6162 ** Returns void
6163 **
6164 *******************************************************************************/
btm_sec_check_pending_enc_req(tBTM_SEC_DEV_REC * p_dev_rec,tBT_TRANSPORT transport,UINT8 encr_enable)6165 static void btm_sec_check_pending_enc_req (tBTM_SEC_DEV_REC *p_dev_rec, tBT_TRANSPORT transport,
6166 UINT8 encr_enable)
6167 {
6168 if (fixed_queue_is_empty(btm_cb.sec_pending_q))
6169 return;
6170
6171 UINT8 res = encr_enable ? BTM_SUCCESS : BTM_ERR_PROCESSING;
6172 list_t *list = fixed_queue_get_list(btm_cb.sec_pending_q);
6173 for (const list_node_t *node = list_begin(list); node != list_end(list); ) {
6174 tBTM_SEC_QUEUE_ENTRY *p_e = (tBTM_SEC_QUEUE_ENTRY *)list_node(node);
6175 node = list_next(node);
6176
6177 if (memcmp(p_e->bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0 && p_e->psm == 0
6178 #if BLE_INCLUDED == TRUE
6179 && p_e->transport == transport
6180 #endif
6181 )
6182 {
6183 if (encr_enable == 0 || transport == BT_TRANSPORT_BR_EDR
6184 #if BLE_INCLUDED == TRUE
6185 || p_e->sec_act == BTM_BLE_SEC_ENCRYPT
6186 || p_e->sec_act == BTM_BLE_SEC_ENCRYPT_NO_MITM
6187 || (p_e->sec_act == BTM_BLE_SEC_ENCRYPT_MITM && p_dev_rec->sec_flags
6188 & BTM_SEC_LE_AUTHENTICATED)
6189 #endif
6190 )
6191 {
6192 if (p_e->p_callback)
6193 (*p_e->p_callback) (p_dev_rec->bd_addr, transport, p_e->p_ref_data, res);
6194 fixed_queue_try_remove_from_queue(btm_cb.sec_pending_q, (void *)p_e);
6195 }
6196 }
6197 }
6198 }
6199
6200 /*******************************************************************************
6201 **
6202 ** Function btm_sec_set_serv_level4_flags
6203 **
6204 ** Description This function is called to set security mode 4 level 4 flags.
6205 **
6206 ** Returns service security requirements updated to include secure
6207 ** connections only mode.
6208 **
6209 *******************************************************************************/
btm_sec_set_serv_level4_flags(UINT16 cur_security,BOOLEAN is_originator)6210 static UINT16 btm_sec_set_serv_level4_flags(UINT16 cur_security, BOOLEAN is_originator)
6211 {
6212 UINT16 sec_level4_flags = is_originator ? BTM_SEC_OUT_LEVEL4_FLAGS : BTM_SEC_IN_LEVEL4_FLAGS;
6213
6214 return cur_security | sec_level4_flags;
6215 }
6216
6217 /*******************************************************************************
6218 **
6219 ** Function btm_sec_clear_ble_keys
6220 **
6221 ** Description This function is called to clear out the BLE keys.
6222 ** Typically when devices are removed in BTM_SecDeleteDevice,
6223 ** or when a new BT Link key is generated.
6224 **
6225 ** Returns void
6226 **
6227 *******************************************************************************/
btm_sec_clear_ble_keys(tBTM_SEC_DEV_REC * p_dev_rec)6228 void btm_sec_clear_ble_keys (tBTM_SEC_DEV_REC *p_dev_rec)
6229 {
6230
6231 BTM_TRACE_DEBUG ("%s() Clearing BLE Keys", __func__);
6232 #if (SMP_INCLUDED== TRUE)
6233 p_dev_rec->ble.key_type = BTM_LE_KEY_NONE;
6234 memset (&p_dev_rec->ble.keys, 0, sizeof(tBTM_SEC_BLE_KEYS));
6235
6236 #if (BLE_PRIVACY_SPT == TRUE)
6237 btm_ble_resolving_list_remove_dev(p_dev_rec);
6238 #endif
6239 #endif
6240 }
6241
6242 /*******************************************************************************
6243 **
6244 ** Function btm_sec_is_a_bonded_dev
6245 **
6246 ** Description Is the specified device is a bonded device
6247 **
6248 ** Returns TRUE - dev is bonded
6249 **
6250 *******************************************************************************/
btm_sec_is_a_bonded_dev(BD_ADDR bda)6251 BOOLEAN btm_sec_is_a_bonded_dev (BD_ADDR bda)
6252 {
6253
6254 tBTM_SEC_DEV_REC *p_dev_rec= btm_find_dev (bda);
6255 BOOLEAN is_bonded= FALSE;
6256
6257 if (p_dev_rec &&
6258 #if (SMP_INCLUDED == TRUE)
6259 ((p_dev_rec->ble.key_type && (p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_KNOWN))||
6260 #else
6261 (
6262 #endif
6263 (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)))
6264 {
6265 is_bonded = TRUE;
6266 }
6267 BTM_TRACE_DEBUG ("%s() is_bonded=%d", __func__, is_bonded);
6268 return(is_bonded);
6269 }
6270
6271 /*******************************************************************************
6272 **
6273 ** Function btm_sec_is_le_capable_dev
6274 **
6275 ** Description Is the specified device is dual mode or LE only device
6276 **
6277 ** Returns TRUE - dev is a dual mode
6278 **
6279 *******************************************************************************/
btm_sec_is_le_capable_dev(BD_ADDR bda)6280 BOOLEAN btm_sec_is_le_capable_dev (BD_ADDR bda)
6281 {
6282 tBTM_SEC_DEV_REC *p_dev_rec= btm_find_dev (bda);
6283 BOOLEAN le_capable = FALSE;
6284
6285 #if (BLE_INCLUDED== TRUE)
6286 if (p_dev_rec && (p_dev_rec->device_type & BT_DEVICE_TYPE_BLE) == BT_DEVICE_TYPE_BLE)
6287 le_capable = TRUE;
6288 #endif
6289 return le_capable;
6290 }
6291
6292 /*******************************************************************************
6293 **
6294 ** Function btm_sec_use_smp_br_chnl
6295 **
6296 ** Description The function checks if SMP BR connection can be used with
6297 ** the peer.
6298 ** Is called when authentication for dedicated bonding is
6299 ** successfully completed.
6300 **
6301 ** Returns TRUE - if SMP BR connection can be used (the link key is
6302 ** generated from P-256 and the peer supports Security
6303 ** Manager over BR).
6304 **
6305 *******************************************************************************/
btm_sec_use_smp_br_chnl(tBTM_SEC_DEV_REC * p_dev_rec)6306 static BOOLEAN btm_sec_use_smp_br_chnl(tBTM_SEC_DEV_REC *p_dev_rec)
6307 {
6308 UINT32 ext_feat;
6309 UINT8 chnl_mask[L2CAP_FIXED_CHNL_ARRAY_SIZE];
6310
6311 BTM_TRACE_DEBUG ("%s() link_key_type = 0x%x", __func__,
6312 p_dev_rec->link_key_type);
6313
6314 if ((p_dev_rec->link_key_type != BTM_LKEY_TYPE_UNAUTH_COMB_P_256) &&
6315 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256))
6316 return FALSE;
6317
6318 if (!L2CA_GetPeerFeatures (p_dev_rec->bd_addr, &ext_feat, chnl_mask))
6319 return FALSE;
6320
6321 if (!(chnl_mask[0] & L2CAP_FIXED_CHNL_SMP_BR_BIT))
6322 return FALSE;
6323
6324 return TRUE;
6325 }
6326
6327 /*******************************************************************************
6328 **
6329 ** Function btm_sec_is_master
6330 **
6331 ** Description The function checks if the device is BR/EDR master after
6332 ** pairing is completed.
6333 **
6334 ** Returns TRUE - if the device is master.
6335 **
6336 *******************************************************************************/
btm_sec_is_master(tBTM_SEC_DEV_REC * p_dev_rec)6337 static BOOLEAN btm_sec_is_master(tBTM_SEC_DEV_REC *p_dev_rec)
6338 {
6339 tACL_CONN *p= btm_bda_to_acl(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR);
6340 return (p && (p->link_role == BTM_ROLE_MASTER));
6341 }
6342
6343