1 /******************************************************************************
2 *
3 * Copyright (C) 1999-2012 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18
19 /******************************************************************************
20 *
21 * This file contains functions for the Bluetooth Device Manager
22 *
23 ******************************************************************************/
24
25 #include <stddef.h>
26 #include <stdio.h>
27 #include <stdlib.h>
28 #include <string.h>
29
30 #include "bt_common.h"
31 #include "bt_types.h"
32 #include "btm_api.h"
33 #include "btm_int.h"
34 #include "btu.h"
35 #include "device/include/controller.h"
36 #include "hcidefs.h"
37 #include "hcimsgs.h"
38 #include "l2c_api.h"
39
40 /*******************************************************************************
41 *
42 * Function BTM_SecAddDevice
43 *
44 * Description Add/modify device. This function will be normally called
45 * during host startup to restore all required information
46 * stored in the NVRAM.
47 *
48 * Parameters: bd_addr - BD address of the peer
49 * dev_class - Device Class
50 * bd_name - Name of the peer device. NULL if unknown.
51 * features - Remote device's features (up to 3 pages).
52 * NULL if not known
53 * trusted_mask - Bitwise OR of services that do not
54 * require authorization.
55 * (array of uint32_t)
56 * link_key - Connection link key. NULL if unknown.
57 *
58 * Returns true if added OK, else false
59 *
60 ******************************************************************************/
BTM_SecAddDevice(BD_ADDR bd_addr,DEV_CLASS dev_class,BD_NAME bd_name,uint8_t * features,uint32_t trusted_mask[],LINK_KEY link_key,uint8_t key_type,tBTM_IO_CAP io_cap,uint8_t pin_length)61 bool BTM_SecAddDevice(BD_ADDR bd_addr, DEV_CLASS dev_class, BD_NAME bd_name,
62 uint8_t* features, uint32_t trusted_mask[],
63 LINK_KEY link_key, uint8_t key_type, tBTM_IO_CAP io_cap,
64 uint8_t pin_length) {
65 BTM_TRACE_API("%s: link key type:%x", __func__, key_type);
66
67 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
68 if (!p_dev_rec) {
69 p_dev_rec = btm_sec_allocate_dev_rec();
70
71 memcpy(p_dev_rec->bd_addr, bd_addr, BD_ADDR_LEN);
72 p_dev_rec->hci_handle = BTM_GetHCIConnHandle(bd_addr, BT_TRANSPORT_BR_EDR);
73
74 /* use default value for background connection params */
75 /* update conn params, use default value for background connection params */
76 memset(&p_dev_rec->conn_params, 0xff, sizeof(tBTM_LE_CONN_PRAMS));
77 } else {
78 /* "Bump" timestamp for existing record */
79 p_dev_rec->timestamp = btm_cb.dev_rec_count++;
80
81 /* TODO(eisenbach):
82 * Small refactor, but leaving original logic for now.
83 * On the surface, this does not make any sense at all. Why change the
84 * bond state for an existing device here? This logic should be verified
85 * as part of a larger refactor.
86 */
87 p_dev_rec->bond_type = BOND_TYPE_UNKNOWN;
88 }
89
90 if (dev_class) memcpy(p_dev_rec->dev_class, dev_class, DEV_CLASS_LEN);
91
92 memset(p_dev_rec->sec_bd_name, 0, sizeof(tBTM_BD_NAME));
93
94 if (bd_name && bd_name[0]) {
95 p_dev_rec->sec_flags |= BTM_SEC_NAME_KNOWN;
96 strlcpy((char*)p_dev_rec->sec_bd_name, (char*)bd_name,
97 BTM_MAX_REM_BD_NAME_LEN);
98 }
99
100 p_dev_rec->num_read_pages = 0;
101 if (features) {
102 bool found = false;
103 memcpy(p_dev_rec->feature_pages, features,
104 sizeof(p_dev_rec->feature_pages));
105 for (int i = HCI_EXT_FEATURES_PAGE_MAX; !found && i >= 0; i--) {
106 for (int j = 0; j < HCI_FEATURE_BYTES_PER_PAGE; j++) {
107 if (p_dev_rec->feature_pages[i][j] != 0) {
108 found = true;
109 p_dev_rec->num_read_pages = i + 1;
110 break;
111 }
112 }
113 }
114 } else {
115 memset(p_dev_rec->feature_pages, 0, sizeof(p_dev_rec->feature_pages));
116 }
117
118 BTM_SEC_COPY_TRUSTED_DEVICE(trusted_mask, p_dev_rec->trusted_mask);
119
120 if (link_key) {
121 BTM_TRACE_EVENT("%s: BDA: %02x:%02x:%02x:%02x:%02x:%02x", __func__,
122 bd_addr[0], bd_addr[1], bd_addr[2], bd_addr[3], bd_addr[4],
123 bd_addr[5]);
124 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_KNOWN;
125 memcpy(p_dev_rec->link_key, link_key, LINK_KEY_LEN);
126 p_dev_rec->link_key_type = key_type;
127 p_dev_rec->pin_code_length = pin_length;
128
129 if (pin_length >= 16 || key_type == BTM_LKEY_TYPE_AUTH_COMB ||
130 key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) {
131 // Set the flag if the link key was made by using either a 16 digit
132 // pin or MITM.
133 p_dev_rec->sec_flags |=
134 BTM_SEC_16_DIGIT_PIN_AUTHED | BTM_SEC_LINK_KEY_AUTHED;
135 }
136 }
137
138 #if (BTIF_MIXED_MODE_INCLUDED == TRUE)
139 if (key_type < BTM_MAX_PRE_SM4_LKEY_TYPE)
140 p_dev_rec->sm4 = BTM_SM4_KNOWN;
141 else
142 p_dev_rec->sm4 = BTM_SM4_TRUE;
143 #endif
144
145 p_dev_rec->rmt_io_caps = io_cap;
146 p_dev_rec->device_type |= BT_DEVICE_TYPE_BREDR;
147
148 return true;
149 }
150
151 /*******************************************************************************
152 *
153 * Function BTM_SecDeleteDevice
154 *
155 * Description Free resources associated with the device.
156 *
157 * Parameters: bd_addr - BD address of the peer
158 *
159 * Returns true if removed OK, false if not found or ACL link is active
160 *
161 ******************************************************************************/
BTM_SecDeleteDevice(BD_ADDR bd_addr)162 bool BTM_SecDeleteDevice(BD_ADDR bd_addr) {
163 if (BTM_IsAclConnectionUp(bd_addr, BT_TRANSPORT_LE) ||
164 BTM_IsAclConnectionUp(bd_addr, BT_TRANSPORT_BR_EDR)) {
165 BTM_TRACE_WARNING("%s FAILED: Cannot Delete when connection is active",
166 __func__);
167 return false;
168 }
169
170 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
171 if (p_dev_rec != NULL) {
172 btm_sec_free_dev(p_dev_rec);
173 /* Tell controller to get rid of the link key, if it has one stored */
174 BTM_DeleteStoredLinkKey(p_dev_rec->bd_addr, NULL);
175 }
176
177 return true;
178 }
179
180 /*******************************************************************************
181 *
182 * Function BTM_SecClearSecurityFlags
183 *
184 * Description Reset the security flags (mark as not-paired) for a given
185 * remove device.
186 *
187 ******************************************************************************/
BTM_SecClearSecurityFlags(BD_ADDR bd_addr)188 extern void BTM_SecClearSecurityFlags(BD_ADDR bd_addr) {
189 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
190 if (p_dev_rec == NULL) return;
191
192 p_dev_rec->sec_flags = 0;
193 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
194 p_dev_rec->sm4 = BTM_SM4_UNKNOWN;
195 }
196
197 /*******************************************************************************
198 *
199 * Function BTM_SecReadDevName
200 *
201 * Description Looks for the device name in the security database for the
202 * specified BD address.
203 *
204 * Returns Pointer to the name or NULL
205 *
206 ******************************************************************************/
BTM_SecReadDevName(BD_ADDR bd_addr)207 char* BTM_SecReadDevName(BD_ADDR bd_addr) {
208 char* p_name = NULL;
209 tBTM_SEC_DEV_REC* p_srec;
210
211 p_srec = btm_find_dev(bd_addr);
212 if (p_srec != NULL) p_name = (char*)p_srec->sec_bd_name;
213
214 return (p_name);
215 }
216
is_bd_addr_equal(void * data,void * context)217 bool is_bd_addr_equal(void* data, void* context) {
218 tBTM_SEC_DEV_REC* p_dev_rec = static_cast<tBTM_SEC_DEV_REC*>(data);
219 BD_ADDR* bd_addr = static_cast<BD_ADDR*>(context);
220
221 if (!memcmp(p_dev_rec->bd_addr, bd_addr, BD_ADDR_LEN)) return false;
222
223 return true;
224 }
225
226 /*******************************************************************************
227 *
228 * Function btm_sec_alloc_dev
229 *
230 * Description Look for the record in the device database for the record
231 * with specified address
232 *
233 * Returns Pointer to the record or NULL
234 *
235 ******************************************************************************/
btm_sec_alloc_dev(BD_ADDR bd_addr)236 tBTM_SEC_DEV_REC* btm_sec_alloc_dev(BD_ADDR bd_addr) {
237 tBTM_INQ_INFO* p_inq_info;
238 BTM_TRACE_EVENT("btm_sec_alloc_dev");
239
240 tBTM_SEC_DEV_REC* p_dev_rec = btm_sec_allocate_dev_rec();
241
242 /* Check with the BT manager if details about remote device are known */
243 /* outgoing connection */
244 p_inq_info = BTM_InqDbRead(bd_addr);
245 if (p_inq_info != NULL) {
246 memcpy(p_dev_rec->dev_class, p_inq_info->results.dev_class, DEV_CLASS_LEN);
247
248 p_dev_rec->device_type = p_inq_info->results.device_type;
249 p_dev_rec->ble.ble_addr_type = p_inq_info->results.ble_addr_type;
250 } else if (!memcmp(bd_addr, btm_cb.connecting_bda, BD_ADDR_LEN))
251 memcpy(p_dev_rec->dev_class, btm_cb.connecting_dc, DEV_CLASS_LEN);
252
253 /* update conn params, use default value for background connection params */
254 memset(&p_dev_rec->conn_params, 0xff, sizeof(tBTM_LE_CONN_PRAMS));
255
256 memcpy(p_dev_rec->bd_addr, bd_addr, BD_ADDR_LEN);
257
258 p_dev_rec->ble_hci_handle = BTM_GetHCIConnHandle(bd_addr, BT_TRANSPORT_LE);
259 p_dev_rec->hci_handle = BTM_GetHCIConnHandle(bd_addr, BT_TRANSPORT_BR_EDR);
260
261 return (p_dev_rec);
262 }
263
264 /*******************************************************************************
265 *
266 * Function btm_sec_free_dev
267 *
268 * Description Mark device record as not used
269 *
270 ******************************************************************************/
btm_sec_free_dev(tBTM_SEC_DEV_REC * p_dev_rec)271 void btm_sec_free_dev(tBTM_SEC_DEV_REC* p_dev_rec) {
272 /* Clear out any saved BLE keys */
273 btm_sec_clear_ble_keys(p_dev_rec);
274 list_remove(btm_cb.sec_dev_rec, p_dev_rec);
275 }
276
277 /*******************************************************************************
278 *
279 * Function btm_dev_support_switch
280 *
281 * Description This function is called by the L2CAP to check if remote
282 * device supports role switch
283 *
284 * Parameters: bd_addr - Address of the peer device
285 *
286 * Returns true if device is known and role switch is supported
287 *
288 ******************************************************************************/
btm_dev_support_switch(BD_ADDR bd_addr)289 bool btm_dev_support_switch(BD_ADDR bd_addr) {
290 tBTM_SEC_DEV_REC* p_dev_rec;
291 uint8_t xx;
292 bool feature_empty = true;
293
294 #if (BTM_SCO_INCLUDED == TRUE)
295 /* Role switch is not allowed if a SCO is up */
296 if (btm_is_sco_active_by_bdaddr(bd_addr)) return (false);
297 #endif
298 p_dev_rec = btm_find_dev(bd_addr);
299 if (p_dev_rec &&
300 controller_get_interface()->supports_master_slave_role_switch()) {
301 if (HCI_SWITCH_SUPPORTED(p_dev_rec->feature_pages[0])) {
302 BTM_TRACE_DEBUG("btm_dev_support_switch return true (feature found)");
303 return (true);
304 }
305
306 /* If the feature field is all zero, we never received them */
307 for (xx = 0; xx < BD_FEATURES_LEN; xx++) {
308 if (p_dev_rec->feature_pages[0][xx] != 0x00) {
309 feature_empty = false; /* at least one is != 0 */
310 break;
311 }
312 }
313
314 /* If we don't know peer's capabilities, assume it supports Role-switch */
315 if (feature_empty) {
316 BTM_TRACE_DEBUG("btm_dev_support_switch return true (feature empty)");
317 return (true);
318 }
319 }
320
321 BTM_TRACE_DEBUG("btm_dev_support_switch return false");
322 return (false);
323 }
324
is_handle_equal(void * data,void * context)325 bool is_handle_equal(void* data, void* context) {
326 tBTM_SEC_DEV_REC* p_dev_rec = static_cast<tBTM_SEC_DEV_REC*>(data);
327 uint16_t* handle = static_cast<uint16_t*>(context);
328
329 if (p_dev_rec->hci_handle == *handle || p_dev_rec->ble_hci_handle == *handle)
330 return false;
331
332 return true;
333 }
334
335 /*******************************************************************************
336 *
337 * Function btm_find_dev_by_handle
338 *
339 * Description Look for the record in the device database for the record
340 * with specified handle
341 *
342 * Returns Pointer to the record or NULL
343 *
344 ******************************************************************************/
btm_find_dev_by_handle(uint16_t handle)345 tBTM_SEC_DEV_REC* btm_find_dev_by_handle(uint16_t handle) {
346 list_node_t* n = list_foreach(btm_cb.sec_dev_rec, is_handle_equal, &handle);
347 if (n) return static_cast<tBTM_SEC_DEV_REC*>(list_node(n));
348
349 return NULL;
350 }
351
is_address_equal(void * data,void * context)352 bool is_address_equal(void* data, void* context) {
353 tBTM_SEC_DEV_REC* p_dev_rec = static_cast<tBTM_SEC_DEV_REC*>(data);
354 BD_ADDR* bd_addr = static_cast<BD_ADDR*>(context);
355
356 if (!memcmp(p_dev_rec->bd_addr, *bd_addr, BD_ADDR_LEN)) return false;
357 // If a LE random address is looking for device record
358 if (!memcmp(p_dev_rec->ble.pseudo_addr, *bd_addr, BD_ADDR_LEN)) return false;
359
360 if (btm_ble_addr_resolvable(*bd_addr, p_dev_rec)) return false;
361 return true;
362 }
363
364 /*******************************************************************************
365 *
366 * Function btm_find_dev
367 *
368 * Description Look for the record in the device database for the record
369 * with specified BD address
370 *
371 * Returns Pointer to the record or NULL
372 *
373 ******************************************************************************/
btm_find_dev(const BD_ADDR bd_addr)374 tBTM_SEC_DEV_REC* btm_find_dev(const BD_ADDR bd_addr) {
375 if (!bd_addr) return NULL;
376
377 list_node_t* n =
378 list_foreach(btm_cb.sec_dev_rec, is_address_equal, (void*)bd_addr);
379 if (n) return static_cast<tBTM_SEC_DEV_REC*>(list_node(n));
380
381 return NULL;
382 }
383
384 /*******************************************************************************
385 *
386 * Function btm_consolidate_dev
387 5**
388 * Description combine security records if identified as same peer
389 *
390 * Returns none
391 *
392 ******************************************************************************/
btm_consolidate_dev(tBTM_SEC_DEV_REC * p_target_rec)393 void btm_consolidate_dev(tBTM_SEC_DEV_REC* p_target_rec) {
394 tBTM_SEC_DEV_REC temp_rec = *p_target_rec;
395
396 BTM_TRACE_DEBUG("%s", __func__);
397
398 list_node_t* end = list_end(btm_cb.sec_dev_rec);
399 for (list_node_t* node = list_begin(btm_cb.sec_dev_rec); node != end;
400 node = list_next(node)) {
401 tBTM_SEC_DEV_REC* p_dev_rec =
402 static_cast<tBTM_SEC_DEV_REC*>(list_node(node));
403
404 if (p_target_rec == p_dev_rec) continue;
405
406 if (!memcmp(p_dev_rec->bd_addr, p_target_rec->bd_addr, BD_ADDR_LEN)) {
407 memcpy(p_target_rec, p_dev_rec, sizeof(tBTM_SEC_DEV_REC));
408 p_target_rec->ble = temp_rec.ble;
409 p_target_rec->ble_hci_handle = temp_rec.ble_hci_handle;
410 p_target_rec->enc_key_size = temp_rec.enc_key_size;
411 p_target_rec->conn_params = temp_rec.conn_params;
412 p_target_rec->device_type |= temp_rec.device_type;
413 p_target_rec->sec_flags |= temp_rec.sec_flags;
414
415 p_target_rec->new_encryption_key_is_p256 =
416 temp_rec.new_encryption_key_is_p256;
417 p_target_rec->no_smp_on_br = temp_rec.no_smp_on_br;
418 p_target_rec->bond_type = temp_rec.bond_type;
419
420 /* remove the combined record */
421 list_remove(btm_cb.sec_dev_rec, p_dev_rec);
422 break;
423 }
424
425 /* an RPA device entry is a duplicate of the target record */
426 if (btm_ble_addr_resolvable(p_dev_rec->bd_addr, p_target_rec)) {
427 if (memcmp(p_target_rec->ble.pseudo_addr, p_dev_rec->bd_addr,
428 BD_ADDR_LEN) == 0) {
429 p_target_rec->ble.ble_addr_type = p_dev_rec->ble.ble_addr_type;
430 p_target_rec->device_type |= p_dev_rec->device_type;
431
432 /* remove the combined record */
433 list_remove(btm_cb.sec_dev_rec, p_dev_rec);
434 }
435 break;
436 }
437 }
438 }
439
440 /*******************************************************************************
441 *
442 * Function btm_find_or_alloc_dev
443 *
444 * Description Look for the record in the device database for the record
445 * with specified BD address
446 *
447 * Returns Pointer to the record or NULL
448 *
449 ******************************************************************************/
btm_find_or_alloc_dev(BD_ADDR bd_addr)450 tBTM_SEC_DEV_REC* btm_find_or_alloc_dev(BD_ADDR bd_addr) {
451 tBTM_SEC_DEV_REC* p_dev_rec;
452 BTM_TRACE_EVENT("btm_find_or_alloc_dev");
453 p_dev_rec = btm_find_dev(bd_addr);
454 if (p_dev_rec == NULL) {
455 /* Allocate a new device record or reuse the oldest one */
456 p_dev_rec = btm_sec_alloc_dev(bd_addr);
457 }
458 return (p_dev_rec);
459 }
460
461 /*******************************************************************************
462 *
463 * Function btm_find_oldest_dev_rec
464 *
465 * Description Locates the oldest device in use. It first looks for
466 * the oldest non-paired device. If all devices are paired it
467 * returns the oldest paired device.
468 *
469 * Returns Pointer to the record or NULL
470 *
471 ******************************************************************************/
btm_find_oldest_dev_rec(void)472 static tBTM_SEC_DEV_REC* btm_find_oldest_dev_rec(void) {
473 tBTM_SEC_DEV_REC* p_oldest = NULL;
474 uint32_t ts_oldest = 0xFFFFFFFF;
475 tBTM_SEC_DEV_REC* p_oldest_paired = NULL;
476 uint32_t ts_oldest_paired = 0xFFFFFFFF;
477
478 list_node_t* end = list_end(btm_cb.sec_dev_rec);
479 for (list_node_t* node = list_begin(btm_cb.sec_dev_rec); node != end;
480 node = list_next(node)) {
481 tBTM_SEC_DEV_REC* p_dev_rec =
482 static_cast<tBTM_SEC_DEV_REC*>(list_node(node));
483
484 if ((p_dev_rec->sec_flags &
485 (BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LE_LINK_KEY_KNOWN)) == 0) {
486 // Device is not paired
487 if (p_dev_rec->timestamp < ts_oldest) {
488 p_oldest = p_dev_rec;
489 ts_oldest = p_dev_rec->timestamp;
490 }
491 } else {
492 // Paired device
493 if (p_dev_rec->timestamp < ts_oldest_paired) {
494 p_oldest_paired = p_dev_rec;
495 ts_oldest_paired = p_dev_rec->timestamp;
496 }
497 }
498 }
499
500 // If we did not find any non-paired devices, use the oldest paired one...
501 if (ts_oldest == 0xFFFFFFFF) p_oldest = p_oldest_paired;
502
503 return p_oldest;
504 }
505
506 /*******************************************************************************
507 *
508 * Function btm_sec_allocate_dev_rec
509 *
510 * Description Attempts to allocate a new device record. If we have
511 * exceeded the maximum number of allowable records to
512 * allocate, the oldest record will be deleted to make room
513 * for the new record.
514 *
515 * Returns Pointer to the newly allocated record
516 *
517 ******************************************************************************/
btm_sec_allocate_dev_rec(void)518 tBTM_SEC_DEV_REC* btm_sec_allocate_dev_rec(void) {
519 tBTM_SEC_DEV_REC* p_dev_rec = NULL;
520
521 if (list_length(btm_cb.sec_dev_rec) > BTM_SEC_MAX_DEVICE_RECORDS) {
522 p_dev_rec = btm_find_oldest_dev_rec();
523 list_remove(btm_cb.sec_dev_rec, p_dev_rec);
524 }
525
526 p_dev_rec =
527 static_cast<tBTM_SEC_DEV_REC*>(osi_calloc(sizeof(tBTM_SEC_DEV_REC)));
528 list_append(btm_cb.sec_dev_rec, p_dev_rec);
529
530 // Initialize defaults
531 p_dev_rec->sec_flags = BTM_SEC_IN_USE;
532 p_dev_rec->bond_type = BOND_TYPE_UNKNOWN;
533 p_dev_rec->timestamp = btm_cb.dev_rec_count++;
534 p_dev_rec->rmt_io_caps = BTM_IO_CAP_UNKNOWN;
535
536 return p_dev_rec;
537 }
538
539 /*******************************************************************************
540 *
541 * Function btm_get_bond_type_dev
542 *
543 * Description Get the bond type for a device in the device database
544 * with specified BD address
545 *
546 * Returns The device bond type if known, otherwise BOND_TYPE_UNKNOWN
547 *
548 ******************************************************************************/
btm_get_bond_type_dev(BD_ADDR bd_addr)549 tBTM_BOND_TYPE btm_get_bond_type_dev(BD_ADDR bd_addr) {
550 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
551
552 if (p_dev_rec == NULL) return BOND_TYPE_UNKNOWN;
553
554 return p_dev_rec->bond_type;
555 }
556
557 /*******************************************************************************
558 *
559 * Function btm_set_bond_type_dev
560 *
561 * Description Set the bond type for a device in the device database
562 * with specified BD address
563 *
564 * Returns true on success, otherwise false
565 *
566 ******************************************************************************/
btm_set_bond_type_dev(BD_ADDR bd_addr,tBTM_BOND_TYPE bond_type)567 bool btm_set_bond_type_dev(BD_ADDR bd_addr, tBTM_BOND_TYPE bond_type) {
568 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
569
570 if (p_dev_rec == NULL) return false;
571
572 p_dev_rec->bond_type = bond_type;
573 return true;
574 }
575