1 /******************************************************************************
2 *
3 * Copyright 1999-2012 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18
19 /******************************************************************************
20 *
21 * This file contains functions for the Bluetooth Security Manager
22 *
23 ******************************************************************************/
24
25 #define LOG_TAG "bt_btm_sec"
26
27 #include <stdarg.h>
28 #include <stdio.h>
29 #include <string.h>
30
31 #include "device/include/controller.h"
32 #include "osi/include/log.h"
33 #include "osi/include/osi.h"
34 #include "osi/include/time.h"
35
36 #include "bt_types.h"
37 #include "bt_utils.h"
38 #include "btm_int.h"
39 #include "btu.h"
40 #include "hcimsgs.h"
41 #include "l2c_int.h"
42
43 #include "gatt_int.h"
44
45 #define BTM_SEC_MAX_COLLISION_DELAY (5000)
46
47 #ifdef APPL_AUTH_WRITE_EXCEPTION
48 bool(APPL_AUTH_WRITE_EXCEPTION)(const RawAddress& bd_addr);
49 #endif
50
51 /*******************************************************************************
52 * L O C A L F U N C T I O N P R O T O T Y P E S *
53 ******************************************************************************/
54 tBTM_SEC_SERV_REC* btm_sec_find_first_serv(bool is_originator, uint16_t psm);
55 static tBTM_SEC_SERV_REC* btm_sec_find_next_serv(tBTM_SEC_SERV_REC* p_cur);
56 static tBTM_SEC_SERV_REC* btm_sec_find_mx_serv(uint8_t is_originator,
57 uint16_t psm,
58 uint32_t mx_proto_id,
59 uint32_t mx_chan_id);
60
61 static bool btm_sec_start_get_name(tBTM_SEC_DEV_REC* p_dev_rec);
62 static void btm_sec_start_authentication(tBTM_SEC_DEV_REC* p_dev_rec);
63 static void btm_sec_start_encryption(tBTM_SEC_DEV_REC* p_dev_rec);
64 static void btm_sec_collision_timeout(void* data);
65 static void btm_restore_mode(void);
66 static void btm_sec_pairing_timeout(void* data);
67 static tBTM_STATUS btm_sec_dd_create_conn(tBTM_SEC_DEV_REC* p_dev_rec);
68 static void btm_sec_change_pairing_state(tBTM_PAIRING_STATE new_state);
69
70 static const char* btm_pair_state_descr(tBTM_PAIRING_STATE state);
71
72 static void btm_sec_check_pending_reqs(void);
73 static bool btm_sec_queue_mx_request(const RawAddress& bd_addr, uint16_t psm,
74 bool is_orig, uint32_t mx_proto_id,
75 uint32_t mx_chan_id,
76 tBTM_SEC_CALLBACK* p_callback,
77 void* p_ref_data);
78 static void btm_sec_bond_cancel_complete(void);
79 static void btm_send_link_key_notif(tBTM_SEC_DEV_REC* p_dev_rec);
80 static bool btm_sec_check_prefetch_pin(tBTM_SEC_DEV_REC* p_dev_rec);
81
82 static uint8_t btm_sec_start_authorization(tBTM_SEC_DEV_REC* p_dev_rec);
83 bool btm_sec_are_all_trusted(uint32_t p_mask[]);
84
85 static tBTM_STATUS btm_sec_send_hci_disconnect(tBTM_SEC_DEV_REC* p_dev_rec,
86 uint8_t reason,
87 uint16_t conn_handle);
88 uint8_t btm_sec_start_role_switch(tBTM_SEC_DEV_REC* p_dev_rec);
89 tBTM_SEC_DEV_REC* btm_sec_find_dev_by_sec_state(uint8_t state);
90
91 static bool btm_sec_set_security_level(CONNECTION_TYPE conn_type,
92 const char* p_name, uint8_t service_id,
93 uint16_t sec_level, uint16_t psm,
94 uint32_t mx_proto_id,
95 uint32_t mx_chan_id);
96
97 static bool btm_dev_authenticated(tBTM_SEC_DEV_REC* p_dev_rec);
98 static bool btm_dev_encrypted(tBTM_SEC_DEV_REC* p_dev_rec);
99 static bool btm_dev_authorized(tBTM_SEC_DEV_REC* p_dev_rec);
100 static bool btm_serv_trusted(tBTM_SEC_DEV_REC* p_dev_rec,
101 tBTM_SEC_SERV_REC* p_serv_rec);
102 static bool btm_sec_is_serv_level0(uint16_t psm);
103 static uint16_t btm_sec_set_serv_level4_flags(uint16_t cur_security,
104 bool is_originator);
105
106 static bool btm_sec_queue_encrypt_request(const RawAddress& bd_addr,
107 tBT_TRANSPORT transport,
108 tBTM_SEC_CALLBACK* p_callback,
109 void* p_ref_data,
110 tBTM_BLE_SEC_ACT sec_act);
111 static void btm_sec_check_pending_enc_req(tBTM_SEC_DEV_REC* p_dev_rec,
112 tBT_TRANSPORT transport,
113 uint8_t encr_enable);
114
115 static bool btm_sec_use_smp_br_chnl(tBTM_SEC_DEV_REC* p_dev_rec);
116 static bool btm_sec_is_master(tBTM_SEC_DEV_REC* p_dev_rec);
117
118 /* true - authenticated link key is possible */
119 static const bool btm_sec_io_map[BTM_IO_CAP_MAX][BTM_IO_CAP_MAX] = {
120 /* OUT, IO, IN, NONE */
121 /* OUT */ {false, false, true, false},
122 /* IO */ {false, true, true, false},
123 /* IN */ {true, true, true, false},
124 /* NONE */ {false, false, false, false}};
125 /* BTM_IO_CAP_OUT 0 DisplayOnly */
126 /* BTM_IO_CAP_IO 1 DisplayYesNo */
127 /* BTM_IO_CAP_IN 2 KeyboardOnly */
128 /* BTM_IO_CAP_NONE 3 NoInputNoOutput */
129
130 /*******************************************************************************
131 *
132 * Function btm_dev_authenticated
133 *
134 * Description check device is authenticated
135 *
136 * Returns bool true or false
137 *
138 ******************************************************************************/
btm_dev_authenticated(tBTM_SEC_DEV_REC * p_dev_rec)139 static bool btm_dev_authenticated(tBTM_SEC_DEV_REC* p_dev_rec) {
140 if (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED) {
141 return (true);
142 }
143 return (false);
144 }
145
146 /*******************************************************************************
147 *
148 * Function btm_dev_encrypted
149 *
150 * Description check device is encrypted
151 *
152 * Returns bool true or false
153 *
154 ******************************************************************************/
btm_dev_encrypted(tBTM_SEC_DEV_REC * p_dev_rec)155 static bool btm_dev_encrypted(tBTM_SEC_DEV_REC* p_dev_rec) {
156 if (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED) {
157 return (true);
158 }
159 return (false);
160 }
161
162 /*******************************************************************************
163 *
164 * Function btm_dev_authorized
165 *
166 * Description check device is authorized
167 *
168 * Returns bool true or false
169 *
170 ******************************************************************************/
btm_dev_authorized(tBTM_SEC_DEV_REC * p_dev_rec)171 static bool btm_dev_authorized(tBTM_SEC_DEV_REC* p_dev_rec) {
172 if (p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED) {
173 return (true);
174 }
175 return (false);
176 }
177
178 /*******************************************************************************
179 *
180 * Function btm_dev_16_digit_authenticated
181 *
182 * Description check device is authenticated by using 16 digit pin or MITM
183 *
184 * Returns bool true or false
185 *
186 ******************************************************************************/
btm_dev_16_digit_authenticated(tBTM_SEC_DEV_REC * p_dev_rec)187 static bool btm_dev_16_digit_authenticated(tBTM_SEC_DEV_REC* p_dev_rec) {
188 // BTM_SEC_16_DIGIT_PIN_AUTHED is set if MITM or 16 digit pin is used
189 if (p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED) {
190 return (true);
191 }
192 return (false);
193 }
194
195 /*******************************************************************************
196 *
197 * Function btm_serv_trusted
198 *
199 * Description check service is trusted
200 *
201 * Returns bool true or false
202 *
203 ******************************************************************************/
btm_serv_trusted(tBTM_SEC_DEV_REC * p_dev_rec,tBTM_SEC_SERV_REC * p_serv_rec)204 static bool btm_serv_trusted(tBTM_SEC_DEV_REC* p_dev_rec,
205 tBTM_SEC_SERV_REC* p_serv_rec) {
206 if (BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask,
207 p_serv_rec->service_id)) {
208 return (true);
209 }
210 return (false);
211 }
212
213 /*******************************************************************************
214 *
215 * Function BTM_SecRegister
216 *
217 * Description Application manager calls this function to register for
218 * security services. There can be one and only one
219 * application saving link keys. BTM allows only first
220 * registration.
221 *
222 * Returns true if registered OK, else false
223 *
224 ******************************************************************************/
BTM_SecRegister(const tBTM_APPL_INFO * p_cb_info)225 bool BTM_SecRegister(const tBTM_APPL_INFO* p_cb_info) {
226 BT_OCTET16 temp_value = {0};
227
228 BTM_TRACE_EVENT("%s application registered", __func__);
229
230 LOG_INFO(LOG_TAG, "%s p_cb_info->p_le_callback == 0x%p", __func__,
231 p_cb_info->p_le_callback);
232 if (p_cb_info->p_le_callback) {
233 BTM_TRACE_EVENT("%s SMP_Register( btm_proc_smp_cback )", __func__);
234 SMP_Register(btm_proc_smp_cback);
235 /* if no IR is loaded, need to regenerate all the keys */
236 if (memcmp(btm_cb.devcb.id_keys.ir, &temp_value, sizeof(BT_OCTET16)) == 0) {
237 btm_ble_reset_id();
238 }
239 } else {
240 LOG_WARN(LOG_TAG, "%s p_cb_info->p_le_callback == NULL", __func__);
241 }
242
243 btm_cb.api = *p_cb_info;
244 LOG_INFO(LOG_TAG, "%s btm_cb.api.p_le_callback = 0x%p ", __func__,
245 btm_cb.api.p_le_callback);
246 BTM_TRACE_EVENT("%s application registered", __func__);
247 return (true);
248 }
249
250 /*******************************************************************************
251 *
252 * Function BTM_SecRegisterLinkKeyNotificationCallback
253 *
254 * Description Application manager calls this function to register for
255 * link key notification. When there is nobody registered
256 * we should avoid changing link key
257 *
258 * Returns true if registered OK, else false
259 *
260 ******************************************************************************/
BTM_SecRegisterLinkKeyNotificationCallback(tBTM_LINK_KEY_CALLBACK * p_callback)261 bool BTM_SecRegisterLinkKeyNotificationCallback(
262 tBTM_LINK_KEY_CALLBACK* p_callback) {
263 btm_cb.api.p_link_key_callback = p_callback;
264 return true;
265 }
266
267 /*******************************************************************************
268 *
269 * Function BTM_SecAddRmtNameNotifyCallback
270 *
271 * Description Any profile can register to be notified when name of the
272 * remote device is resolved.
273 *
274 * Returns true if registered OK, else false
275 *
276 ******************************************************************************/
BTM_SecAddRmtNameNotifyCallback(tBTM_RMT_NAME_CALLBACK * p_callback)277 bool BTM_SecAddRmtNameNotifyCallback(tBTM_RMT_NAME_CALLBACK* p_callback) {
278 int i;
279
280 for (i = 0; i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++) {
281 if (btm_cb.p_rmt_name_callback[i] == NULL) {
282 btm_cb.p_rmt_name_callback[i] = p_callback;
283 return (true);
284 }
285 }
286
287 return (false);
288 }
289
290 /*******************************************************************************
291 *
292 * Function BTM_SecDeleteRmtNameNotifyCallback
293 *
294 * Description Any profile can deregister notification when a new Link Key
295 * is generated per connection.
296 *
297 * Returns true if OK, else false
298 *
299 ******************************************************************************/
BTM_SecDeleteRmtNameNotifyCallback(tBTM_RMT_NAME_CALLBACK * p_callback)300 bool BTM_SecDeleteRmtNameNotifyCallback(tBTM_RMT_NAME_CALLBACK* p_callback) {
301 int i;
302
303 for (i = 0; i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++) {
304 if (btm_cb.p_rmt_name_callback[i] == p_callback) {
305 btm_cb.p_rmt_name_callback[i] = NULL;
306 return (true);
307 }
308 }
309
310 return (false);
311 }
312
313 /*******************************************************************************
314 *
315 * Function BTM_GetSecurityFlags
316 *
317 * Description Get security flags for the device
318 *
319 * Returns bool true or false is device found
320 *
321 ******************************************************************************/
BTM_GetSecurityFlags(const RawAddress & bd_addr,uint8_t * p_sec_flags)322 bool BTM_GetSecurityFlags(const RawAddress& bd_addr, uint8_t* p_sec_flags) {
323 tBTM_SEC_DEV_REC* p_dev_rec;
324
325 p_dev_rec = btm_find_dev(bd_addr);
326 if (p_dev_rec != NULL) {
327 *p_sec_flags = (uint8_t)p_dev_rec->sec_flags;
328 return (true);
329 }
330 BTM_TRACE_ERROR("BTM_GetSecurityFlags false");
331 return (false);
332 }
333
334 /*******************************************************************************
335 *
336 * Function BTM_GetSecurityFlagsByTransport
337 *
338 * Description Get security flags for the device on a particular transport
339 *
340 * Returns bool true or false is device found
341 *
342 ******************************************************************************/
BTM_GetSecurityFlagsByTransport(const RawAddress & bd_addr,uint8_t * p_sec_flags,tBT_TRANSPORT transport)343 bool BTM_GetSecurityFlagsByTransport(const RawAddress& bd_addr,
344 uint8_t* p_sec_flags,
345 tBT_TRANSPORT transport) {
346 tBTM_SEC_DEV_REC* p_dev_rec;
347
348 p_dev_rec = btm_find_dev(bd_addr);
349 if (p_dev_rec != NULL) {
350 if (transport == BT_TRANSPORT_BR_EDR)
351 *p_sec_flags = (uint8_t)p_dev_rec->sec_flags;
352 else
353 *p_sec_flags = (uint8_t)(p_dev_rec->sec_flags >> 8);
354
355 return (true);
356 }
357 BTM_TRACE_ERROR("BTM_GetSecurityFlags false");
358 return (false);
359 }
360
361 /*******************************************************************************
362 *
363 * Function BTM_SetPinType
364 *
365 * Description Set PIN type for the device.
366 *
367 * Returns void
368 *
369 ******************************************************************************/
BTM_SetPinType(uint8_t pin_type,PIN_CODE pin_code,uint8_t pin_code_len)370 void BTM_SetPinType(uint8_t pin_type, PIN_CODE pin_code, uint8_t pin_code_len) {
371 BTM_TRACE_API(
372 "BTM_SetPinType: pin type %d [variable-0, fixed-1], code %s, length %d",
373 pin_type, (char*)pin_code, pin_code_len);
374
375 /* If device is not up security mode will be set as a part of startup */
376 if ((btm_cb.cfg.pin_type != pin_type) &&
377 controller_get_interface()->get_is_ready()) {
378 btsnd_hcic_write_pin_type(pin_type);
379 }
380
381 btm_cb.cfg.pin_type = pin_type;
382 btm_cb.cfg.pin_code_len = pin_code_len;
383 memcpy(btm_cb.cfg.pin_code, pin_code, pin_code_len);
384 }
385
386 /*******************************************************************************
387 *
388 * Function BTM_SetPairableMode
389 *
390 * Description Enable or disable pairing
391 *
392 * Parameters allow_pairing - (true or false) whether or not the device
393 * allows pairing.
394 * connect_only_paired - (true or false) whether or not to
395 * only allow paired devices to connect.
396 *
397 * Returns void
398 *
399 ******************************************************************************/
BTM_SetPairableMode(bool allow_pairing,bool connect_only_paired)400 void BTM_SetPairableMode(bool allow_pairing, bool connect_only_paired) {
401 BTM_TRACE_API(
402 "BTM_SetPairableMode() allow_pairing: %u connect_only_paired: %u",
403 allow_pairing, connect_only_paired);
404
405 btm_cb.pairing_disabled = !allow_pairing;
406 btm_cb.connect_only_paired = connect_only_paired;
407 }
408
409 /*******************************************************************************
410 *
411 * Function BTM_SetSecureConnectionsOnly
412 *
413 * Description Enable or disable default treatment for Mode 4 Level 0
414 * services
415 *
416 * Parameter secure_connections_only_mode -
417 * true means that the device should treat Mode 4 Level 0
418 * services as services of other levels.
419 * false means that the device should provide default
420 * treatment for Mode 4 Level 0 services.
421 *
422 * Returns void
423 *
424 ******************************************************************************/
BTM_SetSecureConnectionsOnly(bool secure_connections_only_mode)425 void BTM_SetSecureConnectionsOnly(bool secure_connections_only_mode) {
426 BTM_TRACE_API("%s: Mode : %u", __func__, secure_connections_only_mode);
427
428 btm_cb.devcb.secure_connections_only = secure_connections_only_mode;
429 btm_cb.security_mode = BTM_SEC_MODE_SC;
430 }
431 #define BTM_NO_AVAIL_SEC_SERVICES ((uint16_t)0xffff)
432
433 /*******************************************************************************
434 *
435 * Function BTM_SetSecurityLevel
436 *
437 * Description Register service security level with Security Manager
438 *
439 * Parameters: is_originator - true if originating the connection
440 * p_name - Name of the service relevant only if
441 * authorization will show this name to user.
442 * Ignored if BTM_SEC_SERVICE_NAME_LEN is 0.
443 * service_id - service ID for the service passed to
444 * authorization callback
445 * sec_level - bit mask of the security features
446 * psm - L2CAP PSM
447 * mx_proto_id - protocol ID of multiplexing proto below
448 * mx_chan_id - channel ID of multiplexing proto below
449 *
450 * Returns true if registered OK, else false
451 *
452 ******************************************************************************/
BTM_SetSecurityLevel(bool is_originator,const char * p_name,uint8_t service_id,uint16_t sec_level,uint16_t psm,uint32_t mx_proto_id,uint32_t mx_chan_id)453 bool BTM_SetSecurityLevel(bool is_originator, const char* p_name,
454 uint8_t service_id, uint16_t sec_level, uint16_t psm,
455 uint32_t mx_proto_id, uint32_t mx_chan_id) {
456 return (btm_sec_set_security_level(is_originator, p_name, service_id,
457 sec_level, psm, mx_proto_id, mx_chan_id));
458 }
459
460 /*******************************************************************************
461 *
462 * Function btm_sec_set_security_level
463 *
464 * Description Register service security level with Security Manager
465 *
466 * Parameters: conn_type - true if originating the connection
467 * p_name - Name of the service relevant only if
468 * authorization will show this name to user.
469 * Ignored if BTM_SEC_SERVICE_NAME_LEN is 0.
470 * service_id - service ID for the service passed to
471 * authorization callback
472 * sec_level - bit mask of the security features
473 * psm - L2CAP PSM
474 * mx_proto_id - protocol ID of multiplexing proto below
475 * mx_chan_id - channel ID of multiplexing proto below
476 *
477 * Returns true if registered OK, else false
478 *
479 ******************************************************************************/
btm_sec_set_security_level(CONNECTION_TYPE conn_type,const char * p_name,uint8_t service_id,uint16_t sec_level,uint16_t psm,uint32_t mx_proto_id,uint32_t mx_chan_id)480 static bool btm_sec_set_security_level(CONNECTION_TYPE conn_type,
481 const char* p_name, uint8_t service_id,
482 uint16_t sec_level, uint16_t psm,
483 uint32_t mx_proto_id,
484 uint32_t mx_chan_id) {
485 tBTM_SEC_SERV_REC* p_srec;
486 uint16_t index;
487 uint16_t first_unused_record = BTM_NO_AVAIL_SEC_SERVICES;
488 bool record_allocated = false;
489 bool is_originator;
490 is_originator = conn_type;
491
492 BTM_TRACE_API("%s : sec: 0x%x", __func__, sec_level);
493
494 /* See if the record can be reused (same service name, psm, mx_proto_id,
495 service_id, and mx_chan_id), or obtain the next unused record */
496
497 p_srec = &btm_cb.sec_serv_rec[0];
498
499 for (index = 0; index < BTM_SEC_MAX_SERVICE_RECORDS; index++, p_srec++) {
500 /* Check if there is already a record for this service */
501 if (p_srec->security_flags & BTM_SEC_IN_USE) {
502 #if BTM_SEC_SERVICE_NAME_LEN > 0
503 if (p_srec->psm == psm && p_srec->mx_proto_id == mx_proto_id &&
504 service_id == p_srec->service_id && p_name &&
505 (!strncmp(p_name, (char*)p_srec->orig_service_name,
506 /* strlcpy replaces end char with termination char*/
507 BTM_SEC_SERVICE_NAME_LEN - 1) ||
508 !strncmp(p_name, (char*)p_srec->term_service_name,
509 /* strlcpy replaces end char with termination char*/
510 BTM_SEC_SERVICE_NAME_LEN - 1)))
511 #else
512 if (p_srec->psm == psm && p_srec->mx_proto_id == mx_proto_id &&
513 service_id == p_srec->service_id)
514 #endif
515 {
516 record_allocated = true;
517 break;
518 }
519 }
520 /* Mark the first available service record */
521 else if (!record_allocated) {
522 memset(p_srec, 0, sizeof(tBTM_SEC_SERV_REC));
523 record_allocated = true;
524 first_unused_record = index;
525 }
526 }
527
528 if (!record_allocated) {
529 BTM_TRACE_WARNING("BTM_SEC_REG: Out of Service Records (%d)",
530 BTM_SEC_MAX_SERVICE_RECORDS);
531 return (record_allocated);
532 }
533
534 /* Process the request if service record is valid */
535 /* If a duplicate service wasn't found, use the first available */
536 if (index >= BTM_SEC_MAX_SERVICE_RECORDS) {
537 index = first_unused_record;
538 p_srec = &btm_cb.sec_serv_rec[index];
539 }
540
541 p_srec->psm = psm;
542 p_srec->service_id = service_id;
543 p_srec->mx_proto_id = mx_proto_id;
544
545 if (is_originator) {
546 p_srec->orig_mx_chan_id = mx_chan_id;
547 #if BTM_SEC_SERVICE_NAME_LEN > 0
548 strlcpy((char*)p_srec->orig_service_name, p_name,
549 BTM_SEC_SERVICE_NAME_LEN + 1);
550 #endif
551 /* clear out the old setting, just in case it exists */
552 {
553 p_srec->security_flags &= ~(
554 BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT |
555 BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM | BTM_SEC_FORCE_MASTER |
556 BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
557 }
558
559 /* Parameter validation. Originator should not set requirements for
560 * incoming connections */
561 sec_level &=
562 ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHENTICATE |
563 BTM_SEC_IN_MITM | BTM_SEC_IN_MIN_16_DIGIT_PIN);
564
565 if (btm_cb.security_mode == BTM_SEC_MODE_SP ||
566 btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
567 btm_cb.security_mode == BTM_SEC_MODE_SC) {
568 if (sec_level & BTM_SEC_OUT_AUTHENTICATE) sec_level |= BTM_SEC_OUT_MITM;
569 }
570
571 /* Make sure the authenticate bit is set, when encrypt bit is set */
572 if (sec_level & BTM_SEC_OUT_ENCRYPT) sec_level |= BTM_SEC_OUT_AUTHENTICATE;
573
574 /* outgoing connections usually set the security level right before
575 * the connection is initiated.
576 * set it to be the outgoing service */
577 btm_cb.p_out_serv = p_srec;
578 } else {
579 p_srec->term_mx_chan_id = mx_chan_id;
580 #if BTM_SEC_SERVICE_NAME_LEN > 0
581 strlcpy((char*)p_srec->term_service_name, p_name,
582 BTM_SEC_SERVICE_NAME_LEN + 1);
583 #endif
584 /* clear out the old setting, just in case it exists */
585 {
586 p_srec->security_flags &=
587 ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT |
588 BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_MITM | BTM_SEC_FORCE_MASTER |
589 BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE |
590 BTM_SEC_ATTEMPT_SLAVE | BTM_SEC_IN_MIN_16_DIGIT_PIN);
591 }
592
593 /* Parameter validation. Acceptor should not set requirements for outgoing
594 * connections */
595 sec_level &= ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT |
596 BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM);
597
598 if (btm_cb.security_mode == BTM_SEC_MODE_SP ||
599 btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
600 btm_cb.security_mode == BTM_SEC_MODE_SC) {
601 if (sec_level & BTM_SEC_IN_AUTHENTICATE) sec_level |= BTM_SEC_IN_MITM;
602 }
603
604 /* Make sure the authenticate bit is set, when encrypt bit is set */
605 if (sec_level & BTM_SEC_IN_ENCRYPT) sec_level |= BTM_SEC_IN_AUTHENTICATE;
606 }
607
608 p_srec->security_flags |= (uint16_t)(sec_level | BTM_SEC_IN_USE);
609
610 BTM_TRACE_API(
611 "BTM_SEC_REG[%d]: id %d, is_orig %d, psm 0x%04x, proto_id %d, chan_id %d",
612 index, service_id, is_originator, psm, mx_proto_id, mx_chan_id);
613
614 #if BTM_SEC_SERVICE_NAME_LEN > 0
615 BTM_TRACE_API(
616 " : sec: 0x%x, service name [%s] (up to %d chars saved)",
617 p_srec->security_flags, p_name, BTM_SEC_SERVICE_NAME_LEN);
618 #endif
619
620 return (record_allocated);
621 }
622
623 /*******************************************************************************
624 *
625 * Function BTM_SecClrService
626 *
627 * Description Removes specified service record(s) from the security
628 * database. All service records with the specified name are
629 * removed. Typically used only by devices with limited RAM so
630 * that it can reuse an old security service record.
631 *
632 * Note: Unpredictable results may occur if a service is
633 * cleared that is still in use by an application/profile.
634 *
635 * Parameters Service ID - Id of the service to remove. '0' removes all
636 * service records (except SDP).
637 *
638 * Returns Number of records that were freed.
639 *
640 ******************************************************************************/
BTM_SecClrService(uint8_t service_id)641 uint8_t BTM_SecClrService(uint8_t service_id) {
642 tBTM_SEC_SERV_REC* p_srec = &btm_cb.sec_serv_rec[0];
643 uint8_t num_freed = 0;
644 int i;
645
646 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_srec++) {
647 /* Delete services with specified name (if in use and not SDP) */
648 if ((p_srec->security_flags & BTM_SEC_IN_USE) &&
649 (p_srec->psm != BT_PSM_SDP) &&
650 (!service_id || (service_id == p_srec->service_id))) {
651 BTM_TRACE_API("BTM_SEC_CLR[%d]: id %d", i, service_id);
652 p_srec->security_flags = 0;
653 num_freed++;
654 }
655 }
656
657 return (num_freed);
658 }
659
660 /*******************************************************************************
661 *
662 * Function btm_sec_clr_service_by_psm
663 *
664 * Description Removes specified service record from the security database.
665 * All service records with the specified psm are removed.
666 * Typically used by L2CAP to free up the service record used
667 * by dynamic PSM clients when the channel is closed.
668 * The given psm must be a virtual psm.
669 *
670 * Parameters Service ID - Id of the service to remove. '0' removes all
671 * service records (except SDP).
672 *
673 * Returns Number of records that were freed.
674 *
675 ******************************************************************************/
btm_sec_clr_service_by_psm(uint16_t psm)676 uint8_t btm_sec_clr_service_by_psm(uint16_t psm) {
677 tBTM_SEC_SERV_REC* p_srec = &btm_cb.sec_serv_rec[0];
678 uint8_t num_freed = 0;
679 int i;
680
681 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_srec++) {
682 /* Delete services with specified name (if in use and not SDP) */
683 if ((p_srec->security_flags & BTM_SEC_IN_USE) && (p_srec->psm == psm)) {
684 BTM_TRACE_API("BTM_SEC_CLR[%d]: id %d ", i, p_srec->service_id);
685 p_srec->security_flags = 0;
686 num_freed++;
687 }
688 }
689 BTM_TRACE_API("btm_sec_clr_service_by_psm psm:0x%x num_freed:%d", psm,
690 num_freed);
691
692 return (num_freed);
693 }
694
695 /*******************************************************************************
696 *
697 * Function btm_sec_clr_temp_auth_service
698 *
699 * Description Removes specified device record's temporary authorization
700 * flag from the security database.
701 *
702 * Parameters Device address to be cleared
703 *
704 * Returns void.
705 *
706 ******************************************************************************/
btm_sec_clr_temp_auth_service(const RawAddress & bda)707 void btm_sec_clr_temp_auth_service(const RawAddress& bda) {
708 tBTM_SEC_DEV_REC* p_dev_rec;
709
710 p_dev_rec = btm_find_dev(bda);
711 if (p_dev_rec == NULL) {
712 BTM_TRACE_WARNING("btm_sec_clr_temp_auth_service() - no dev CB");
713 return;
714 }
715
716 /* Reset the temporary authorized flag so that next time (untrusted) service
717 * is accessed autorization will take place */
718 if (p_dev_rec->last_author_service_id != BTM_SEC_NO_LAST_SERVICE_ID &&
719 p_dev_rec->p_cur_service) {
720 VLOG(1) << __func__ << " clearing device: " << bda;
721
722 p_dev_rec->last_author_service_id = BTM_SEC_NO_LAST_SERVICE_ID;
723 }
724 }
725
726 /*******************************************************************************
727 *
728 * Function BTM_PINCodeReply
729 *
730 * Description This function is called after Security Manager submitted
731 * PIN code request to the UI.
732 *
733 * Parameters: bd_addr - Address of the device for which PIN was
734 * requested
735 * res - result of the operation BTM_SUCCESS
736 * if success
737 * pin_len - length in bytes of the PIN Code
738 * p_pin - pointer to array with the PIN Code
739 * trusted_mask - bitwise OR of trusted services
740 * (array of uint32_t)
741 *
742 ******************************************************************************/
BTM_PINCodeReply(const RawAddress & bd_addr,uint8_t res,uint8_t pin_len,uint8_t * p_pin,uint32_t trusted_mask[])743 void BTM_PINCodeReply(const RawAddress& bd_addr, uint8_t res, uint8_t pin_len,
744 uint8_t* p_pin, uint32_t trusted_mask[]) {
745 tBTM_SEC_DEV_REC* p_dev_rec;
746
747 BTM_TRACE_API(
748 "BTM_PINCodeReply(): PairState: %s PairFlags: 0x%02x PinLen:%d "
749 "Result:%d",
750 btm_pair_state_descr(btm_cb.pairing_state), btm_cb.pairing_flags, pin_len,
751 res);
752
753 /* If timeout already expired or has been canceled, ignore the reply */
754 if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_PIN) {
755 BTM_TRACE_WARNING("BTM_PINCodeReply() - Wrong State: %d",
756 btm_cb.pairing_state);
757 return;
758 }
759
760 if (bd_addr != btm_cb.pairing_bda) {
761 BTM_TRACE_ERROR("BTM_PINCodeReply() - Wrong BD Addr");
762 return;
763 }
764
765 p_dev_rec = btm_find_dev(bd_addr);
766 if (p_dev_rec == NULL) {
767 BTM_TRACE_ERROR("BTM_PINCodeReply() - no dev CB");
768 return;
769 }
770
771 if ((pin_len > PIN_CODE_LEN) || (pin_len == 0) || (p_pin == NULL))
772 res = BTM_ILLEGAL_VALUE;
773
774 if (res != BTM_SUCCESS) {
775 /* if peer started dd OR we started dd and pre-fetch pin was not used send
776 * negative reply */
777 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PEER_STARTED_DD) ||
778 ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) &&
779 (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE))) {
780 /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed
781 * event */
782 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
783 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
784
785 btsnd_hcic_pin_code_neg_reply(bd_addr);
786 } else {
787 p_dev_rec->security_required = BTM_SEC_NONE;
788 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE);
789 }
790 return;
791 }
792 if (trusted_mask)
793 BTM_SEC_COPY_TRUSTED_DEVICE(trusted_mask, p_dev_rec->trusted_mask);
794 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED;
795 p_dev_rec->pin_code_length = pin_len;
796 if (pin_len >= 16) {
797 p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED;
798 }
799
800 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) &&
801 (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE) &&
802 (!btm_cb.security_mode_changed)) {
803 /* This is start of the dedicated bonding if local device is 2.0 */
804 btm_cb.pin_code_len = pin_len;
805 memcpy(btm_cb.pin_code, p_pin, pin_len);
806
807 btm_cb.security_mode_changed = true;
808 #ifdef APPL_AUTH_WRITE_EXCEPTION
809 if (!(APPL_AUTH_WRITE_EXCEPTION)(p_dev_rec->bd_addr))
810 #endif
811 btsnd_hcic_write_auth_enable(true);
812
813 btm_cb.acl_disc_reason = 0xff;
814
815 /* if we rejected incoming connection request, we have to wait
816 * HCI_Connection_Complete event */
817 /* before originating */
818 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT) {
819 BTM_TRACE_WARNING(
820 "BTM_PINCodeReply(): waiting HCI_Connection_Complete after rejected "
821 "incoming connection");
822 /* we change state little bit early so btm_sec_connected() will originate
823 * connection */
824 /* when existing ACL link is down completely */
825 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_PIN_REQ);
826 }
827 /* if we already accepted incoming connection from pairing device */
828 else if (p_dev_rec->sm4 & BTM_SM4_CONN_PEND) {
829 BTM_TRACE_WARNING(
830 "BTM_PINCodeReply(): link is connecting so wait pin code request "
831 "from peer");
832 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_PIN_REQ);
833 } else if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED) {
834 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE);
835 p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_AUTHED;
836
837 if (btm_cb.api.p_auth_complete_callback)
838 (*btm_cb.api.p_auth_complete_callback)(
839 p_dev_rec->bd_addr, p_dev_rec->dev_class, p_dev_rec->sec_bd_name,
840 HCI_ERR_AUTH_FAILURE);
841 }
842 return;
843 }
844
845 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
846 btm_cb.acl_disc_reason = HCI_SUCCESS;
847
848 btsnd_hcic_pin_code_req_reply(bd_addr, pin_len, p_pin);
849 }
850
851 /*******************************************************************************
852 *
853 * Function btm_sec_bond_by_transport
854 *
855 * Description this is the bond function that will start either SSP or SMP.
856 *
857 * Parameters: bd_addr - Address of the device to bond
858 * pin_len - length in bytes of the PIN Code
859 * p_pin - pointer to array with the PIN Code
860 * trusted_mask - bitwise OR of trusted services
861 * (array of uint32_t)
862 *
863 * Note: After 2.1 parameters are not used and preserved here not to change API
864 ******************************************************************************/
btm_sec_bond_by_transport(const RawAddress & bd_addr,tBT_TRANSPORT transport,uint8_t pin_len,uint8_t * p_pin,uint32_t trusted_mask[])865 tBTM_STATUS btm_sec_bond_by_transport(const RawAddress& bd_addr,
866 tBT_TRANSPORT transport, uint8_t pin_len,
867 uint8_t* p_pin, uint32_t trusted_mask[]) {
868 tBTM_SEC_DEV_REC* p_dev_rec;
869 tBTM_STATUS status;
870 uint8_t* p_features;
871 uint8_t ii;
872 tACL_CONN* p = btm_bda_to_acl(bd_addr, transport);
873 VLOG(1) << __func__ << " BDA: " << bd_addr;
874
875 BTM_TRACE_DEBUG("%s: Transport used %d, bd_addr=%s", __func__, transport,
876 bd_addr.ToString().c_str());
877
878 /* Other security process is in progress */
879 if (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) {
880 BTM_TRACE_ERROR("BTM_SecBond: already busy in state: %s",
881 btm_pair_state_descr(btm_cb.pairing_state));
882 return (BTM_WRONG_MODE);
883 }
884
885 p_dev_rec = btm_find_or_alloc_dev(bd_addr);
886 if (p_dev_rec == NULL) {
887 return (BTM_NO_RESOURCES);
888 }
889
890 if (!controller_get_interface()->get_is_ready()) {
891 BTM_TRACE_ERROR("%s controller module is not ready", __func__);
892 return (BTM_NO_RESOURCES);
893 }
894
895 BTM_TRACE_DEBUG("before update sec_flags=0x%x", p_dev_rec->sec_flags);
896
897 /* Finished if connection is active and already paired */
898 if (((p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE) &&
899 transport == BT_TRANSPORT_BR_EDR &&
900 (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)) ||
901 ((p_dev_rec->ble_hci_handle != BTM_SEC_INVALID_HANDLE) &&
902 transport == BT_TRANSPORT_LE &&
903 (p_dev_rec->sec_flags & BTM_SEC_LE_AUTHENTICATED))) {
904 BTM_TRACE_WARNING("BTM_SecBond -> Already Paired");
905 return (BTM_SUCCESS);
906 }
907
908 /* Tell controller to get rid of the link key if it has one stored */
909 if ((BTM_DeleteStoredLinkKey(&bd_addr, NULL)) != BTM_SUCCESS)
910 return (BTM_NO_RESOURCES);
911
912 /* Save the PIN code if we got a valid one */
913 if (p_pin && (pin_len <= PIN_CODE_LEN) && (pin_len != 0)) {
914 btm_cb.pin_code_len = pin_len;
915 p_dev_rec->pin_code_length = pin_len;
916 memcpy(btm_cb.pin_code, p_pin, PIN_CODE_LEN);
917 }
918
919 btm_cb.pairing_bda = bd_addr;
920
921 btm_cb.pairing_flags = BTM_PAIR_FLAGS_WE_STARTED_DD;
922
923 p_dev_rec->security_required = BTM_SEC_OUT_AUTHENTICATE;
924 p_dev_rec->is_originator = true;
925 if (trusted_mask)
926 BTM_SEC_COPY_TRUSTED_DEVICE(trusted_mask, p_dev_rec->trusted_mask);
927
928 if (transport == BT_TRANSPORT_LE) {
929 btm_ble_init_pseudo_addr(p_dev_rec, bd_addr);
930 p_dev_rec->sec_flags &= ~BTM_SEC_LE_MASK;
931
932 if (SMP_Pair(bd_addr) == SMP_STARTED) {
933 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_LE_ACTIVE;
934 p_dev_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING;
935 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
936 return BTM_CMD_STARTED;
937 }
938
939 btm_cb.pairing_flags = 0;
940 return (BTM_NO_RESOURCES);
941 }
942
943 p_dev_rec->sec_flags &=
944 ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED |
945 BTM_SEC_ROLE_SWITCHED | BTM_SEC_LINK_KEY_AUTHED);
946
947 BTM_TRACE_DEBUG("after update sec_flags=0x%x", p_dev_rec->sec_flags);
948 if (!controller_get_interface()->supports_simple_pairing()) {
949 /* The special case when we authenticate keyboard. Set pin type to fixed */
950 /* It would be probably better to do it from the application, but it is */
951 /* complicated */
952 if (((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) ==
953 BTM_COD_MAJOR_PERIPHERAL) &&
954 (p_dev_rec->dev_class[2] & BTM_COD_MINOR_KEYBOARD) &&
955 (btm_cb.cfg.pin_type != HCI_PIN_TYPE_FIXED)) {
956 btm_cb.pin_type_changed = true;
957 btsnd_hcic_write_pin_type(HCI_PIN_TYPE_FIXED);
958 }
959 }
960
961 for (ii = 0; ii <= HCI_EXT_FEATURES_PAGE_MAX; ii++) {
962 p_features = p_dev_rec->feature_pages[ii];
963 BTM_TRACE_EVENT(" remote_features page[%1d] = %02x-%02x-%02x-%02x", ii,
964 p_features[0], p_features[1], p_features[2], p_features[3]);
965 BTM_TRACE_EVENT(" %02x-%02x-%02x-%02x",
966 p_features[4], p_features[5], p_features[6], p_features[7]);
967 }
968
969 BTM_TRACE_EVENT("BTM_SecBond: Remote sm4: 0x%x HCI Handle: 0x%04x",
970 p_dev_rec->sm4, p_dev_rec->hci_handle);
971
972 #if (BTM_SEC_FORCE_RNR_FOR_DBOND == TRUE)
973 p_dev_rec->sec_flags &= ~BTM_SEC_NAME_KNOWN;
974 #endif
975
976 /* If connection already exists... */
977 if (p && p->hci_handle != BTM_SEC_INVALID_HANDLE) {
978 btm_sec_start_authentication(p_dev_rec);
979
980 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_PIN_REQ);
981
982 /* Mark lcb as bonding */
983 l2cu_update_lcb_4_bonding(bd_addr, true);
984 return (BTM_CMD_STARTED);
985 }
986
987 BTM_TRACE_DEBUG("sec mode: %d sm4:x%x", btm_cb.security_mode, p_dev_rec->sm4);
988 if (!controller_get_interface()->supports_simple_pairing() ||
989 (p_dev_rec->sm4 == BTM_SM4_KNOWN)) {
990 if (btm_sec_check_prefetch_pin(p_dev_rec)) return (BTM_CMD_STARTED);
991 }
992 if ((btm_cb.security_mode == BTM_SEC_MODE_SP ||
993 btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
994 btm_cb.security_mode == BTM_SEC_MODE_SC) &&
995 BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4)) {
996 /* local is 2.1 and peer is unknown */
997 if ((p_dev_rec->sm4 & BTM_SM4_CONN_PEND) == 0) {
998 /* we are not accepting connection request from peer
999 * -> RNR (to learn if peer is 2.1)
1000 * RNR when no ACL causes HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT */
1001 btm_sec_change_pairing_state(BTM_PAIR_STATE_GET_REM_NAME);
1002 status = BTM_ReadRemoteDeviceName(bd_addr, NULL, BT_TRANSPORT_BR_EDR);
1003 } else {
1004 /* We are accepting connection request from peer */
1005 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_PIN_REQ);
1006 status = BTM_CMD_STARTED;
1007 }
1008 BTM_TRACE_DEBUG("State:%s sm4: 0x%x sec_state:%d",
1009 btm_pair_state_descr(btm_cb.pairing_state), p_dev_rec->sm4,
1010 p_dev_rec->sec_state);
1011 } else {
1012 /* both local and peer are 2.1 */
1013 status = btm_sec_dd_create_conn(p_dev_rec);
1014 }
1015
1016 if (status != BTM_CMD_STARTED) {
1017 BTM_TRACE_ERROR(
1018 "%s BTM_ReadRemoteDeviceName or btm_sec_dd_create_conn error: 0x%x",
1019 __func__, (int)status);
1020 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE);
1021 }
1022
1023 return status;
1024 }
1025
1026 /*******************************************************************************
1027 *
1028 * Function BTM_SecBondByTransport
1029 *
1030 * Description This function is called to perform bonding with peer device.
1031 * If the connection is already up, but not secure, pairing
1032 * is attempted. If already paired BTM_SUCCESS is returned.
1033 *
1034 * Parameters: bd_addr - Address of the device to bond
1035 * transport - doing SSP over BR/EDR or SMP over LE
1036 * pin_len - length in bytes of the PIN Code
1037 * p_pin - pointer to array with the PIN Code
1038 * trusted_mask - bitwise OR of trusted services
1039 * (array of uint32_t)
1040 *
1041 * Note: After 2.1 parameters are not used and preserved here not to change API
1042 ******************************************************************************/
BTM_SecBondByTransport(const RawAddress & bd_addr,tBT_TRANSPORT transport,uint8_t pin_len,uint8_t * p_pin,uint32_t trusted_mask[])1043 tBTM_STATUS BTM_SecBondByTransport(const RawAddress& bd_addr,
1044 tBT_TRANSPORT transport, uint8_t pin_len,
1045 uint8_t* p_pin, uint32_t trusted_mask[]) {
1046 tBT_DEVICE_TYPE dev_type;
1047 tBLE_ADDR_TYPE addr_type;
1048
1049 BTM_ReadDevInfo(bd_addr, &dev_type, &addr_type);
1050 /* LE device, do SMP pairing */
1051 if ((transport == BT_TRANSPORT_LE && (dev_type & BT_DEVICE_TYPE_BLE) == 0) ||
1052 (transport == BT_TRANSPORT_BR_EDR &&
1053 (dev_type & BT_DEVICE_TYPE_BREDR) == 0)) {
1054 return BTM_ILLEGAL_ACTION;
1055 }
1056 return btm_sec_bond_by_transport(bd_addr, transport, pin_len, p_pin,
1057 trusted_mask);
1058 }
1059
1060 /*******************************************************************************
1061 *
1062 * Function BTM_SecBond
1063 *
1064 * Description This function is called to perform bonding with peer device.
1065 * If the connection is already up, but not secure, pairing
1066 * is attempted. If already paired BTM_SUCCESS is returned.
1067 *
1068 * Parameters: bd_addr - Address of the device to bond
1069 * pin_len - length in bytes of the PIN Code
1070 * p_pin - pointer to array with the PIN Code
1071 * trusted_mask - bitwise OR of trusted services
1072 * (array of uint32_t)
1073 *
1074 * Note: After 2.1 parameters are not used and preserved here not to change API
1075 ******************************************************************************/
BTM_SecBond(const RawAddress & bd_addr,uint8_t pin_len,uint8_t * p_pin,uint32_t trusted_mask[])1076 tBTM_STATUS BTM_SecBond(const RawAddress& bd_addr, uint8_t pin_len,
1077 uint8_t* p_pin, uint32_t trusted_mask[]) {
1078 tBT_TRANSPORT transport = BT_TRANSPORT_BR_EDR;
1079 if (BTM_UseLeLink(bd_addr)) transport = BT_TRANSPORT_LE;
1080 return btm_sec_bond_by_transport(bd_addr, transport, pin_len, p_pin,
1081 trusted_mask);
1082 }
1083 /*******************************************************************************
1084 *
1085 * Function BTM_SecBondCancel
1086 *
1087 * Description This function is called to cancel ongoing bonding process
1088 * with peer device.
1089 *
1090 * Parameters: bd_addr - Address of the peer device
1091 * transport - false for BR/EDR link; true for LE link
1092 *
1093 ******************************************************************************/
BTM_SecBondCancel(const RawAddress & bd_addr)1094 tBTM_STATUS BTM_SecBondCancel(const RawAddress& bd_addr) {
1095 tBTM_SEC_DEV_REC* p_dev_rec;
1096
1097 BTM_TRACE_API("BTM_SecBondCancel() State: %s flags:0x%x",
1098 btm_pair_state_descr(btm_cb.pairing_state),
1099 btm_cb.pairing_flags);
1100 p_dev_rec = btm_find_dev(bd_addr);
1101 if (!p_dev_rec || btm_cb.pairing_bda != bd_addr) {
1102 return BTM_UNKNOWN_ADDR;
1103 }
1104
1105 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_LE_ACTIVE) {
1106 if (p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING) {
1107 BTM_TRACE_DEBUG("Cancel LE pairing");
1108 if (SMP_PairCancel(bd_addr)) {
1109 return BTM_CMD_STARTED;
1110 }
1111 }
1112 return BTM_WRONG_MODE;
1113 }
1114
1115 BTM_TRACE_DEBUG("hci_handle:0x%x sec_state:%d", p_dev_rec->hci_handle,
1116 p_dev_rec->sec_state);
1117 if (BTM_PAIR_STATE_WAIT_LOCAL_PIN == btm_cb.pairing_state &&
1118 BTM_PAIR_FLAGS_WE_STARTED_DD & btm_cb.pairing_flags) {
1119 /* pre-fetching pin for dedicated bonding */
1120 btm_sec_bond_cancel_complete();
1121 return BTM_SUCCESS;
1122 }
1123
1124 /* If this BDA is in a bonding procedure */
1125 if ((btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) &&
1126 (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)) {
1127 /* If the HCI link is up */
1128 if (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE) {
1129 /* If some other thread disconnecting, we do not send second command */
1130 if ((p_dev_rec->sec_state == BTM_SEC_STATE_DISCONNECTING) ||
1131 (p_dev_rec->sec_state == BTM_SEC_STATE_DISCONNECTING_BOTH))
1132 return (BTM_CMD_STARTED);
1133
1134 /* If the HCI link was set up by Bonding process */
1135 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)
1136 return btm_sec_send_hci_disconnect(p_dev_rec, HCI_ERR_PEER_USER,
1137 p_dev_rec->hci_handle);
1138 else
1139 l2cu_update_lcb_4_bonding(bd_addr, false);
1140
1141 return BTM_NOT_AUTHORIZED;
1142 } else /*HCI link is not up */
1143 {
1144 /* If the HCI link creation was started by Bonding process */
1145 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE) {
1146 btsnd_hcic_create_conn_cancel(bd_addr);
1147 return BTM_CMD_STARTED;
1148 }
1149 if (btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME) {
1150 BTM_CancelRemoteDeviceName();
1151 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_WE_CANCEL_DD;
1152 return BTM_CMD_STARTED;
1153 }
1154 return BTM_NOT_AUTHORIZED;
1155 }
1156 }
1157
1158 return BTM_WRONG_MODE;
1159 }
1160
1161 /*******************************************************************************
1162 *
1163 * Function BTM_SecGetDeviceLinkKey
1164 *
1165 * Description This function is called to obtain link key for the device
1166 * it returns BTM_SUCCESS if link key is available, or
1167 * BTM_UNKNOWN_ADDR if Security Manager does not know about
1168 * the device or device record does not contain link key info
1169 *
1170 * Parameters: bd_addr - Address of the device
1171 * link_key - Link Key is copied into this array
1172 *
1173 ******************************************************************************/
BTM_SecGetDeviceLinkKey(const RawAddress & bd_addr,LINK_KEY link_key)1174 tBTM_STATUS BTM_SecGetDeviceLinkKey(const RawAddress& bd_addr,
1175 LINK_KEY link_key) {
1176 tBTM_SEC_DEV_REC* p_dev_rec;
1177 p_dev_rec = btm_find_dev(bd_addr);
1178 if ((p_dev_rec != NULL) && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)) {
1179 memcpy(link_key, p_dev_rec->link_key, LINK_KEY_LEN);
1180 return (BTM_SUCCESS);
1181 }
1182 return (BTM_UNKNOWN_ADDR);
1183 }
1184
1185 /*******************************************************************************
1186 *
1187 * Function BTM_SecGetDeviceLinkKeyType
1188 *
1189 * Description This function is called to obtain link key type for the
1190 * device.
1191 * it returns BTM_SUCCESS if link key is available, or
1192 * BTM_UNKNOWN_ADDR if Security Manager does not know about
1193 * the device or device record does not contain link key info
1194 *
1195 * Returns BTM_LKEY_TYPE_IGNORE if link key is unknown, link type
1196 * otherwise.
1197 *
1198 ******************************************************************************/
BTM_SecGetDeviceLinkKeyType(const RawAddress & bd_addr)1199 tBTM_LINK_KEY_TYPE BTM_SecGetDeviceLinkKeyType(const RawAddress& bd_addr) {
1200 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
1201
1202 if ((p_dev_rec != NULL) && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)) {
1203 return p_dev_rec->link_key_type;
1204 }
1205 return BTM_LKEY_TYPE_IGNORE;
1206 }
1207
1208 /*******************************************************************************
1209 *
1210 * Function BTM_SetEncryption
1211 *
1212 * Description This function is called to ensure that connection is
1213 * encrypted. Should be called only on an open connection.
1214 * Typically only needed for connections that first want to
1215 * bring up unencrypted links, then later encrypt them.
1216 *
1217 * Parameters: bd_addr - Address of the peer device
1218 * transport - Link transport
1219 * p_callback - Pointer to callback function called if
1220 * this function returns PENDING after required
1221 * procedures are completed. Can be set to
1222 * NULL if status is not desired.
1223 * p_ref_data - pointer to any data the caller wishes to
1224 * receive in the callback function upon
1225 * completion. can be set to NULL if not used.
1226 * sec_act - LE security action, unused for BR/EDR
1227 *
1228 * Returns BTM_SUCCESS - already encrypted
1229 * BTM_PENDING - command will be returned in the callback
1230 * BTM_WRONG_MODE- connection not up.
1231 * BTM_BUSY - security procedures are currently active
1232 * BTM_MODE_UNSUPPORTED - if security manager not linked in.
1233 *
1234 ******************************************************************************/
BTM_SetEncryption(const RawAddress & bd_addr,tBT_TRANSPORT transport,tBTM_SEC_CBACK * p_callback,void * p_ref_data,tBTM_BLE_SEC_ACT sec_act)1235 tBTM_STATUS BTM_SetEncryption(const RawAddress& bd_addr,
1236 tBT_TRANSPORT transport,
1237 tBTM_SEC_CBACK* p_callback, void* p_ref_data,
1238 tBTM_BLE_SEC_ACT sec_act) {
1239 tBTM_STATUS rc = 0;
1240
1241 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
1242 if (!p_dev_rec ||
1243 (transport == BT_TRANSPORT_BR_EDR &&
1244 p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE) ||
1245 (transport == BT_TRANSPORT_LE &&
1246 p_dev_rec->ble_hci_handle == BTM_SEC_INVALID_HANDLE)) {
1247 /* Connection should be up and runnning */
1248 BTM_TRACE_WARNING("Security Manager: BTM_SetEncryption not connected");
1249
1250 if (p_callback)
1251 (*p_callback)(&bd_addr, transport, p_ref_data, BTM_WRONG_MODE);
1252
1253 return (BTM_WRONG_MODE);
1254 }
1255
1256 if (transport == BT_TRANSPORT_BR_EDR &&
1257 (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)) {
1258 BTM_TRACE_EVENT("Security Manager: BTM_SetEncryption already encrypted");
1259
1260 if (*p_callback)
1261 (*p_callback)(&bd_addr, transport, p_ref_data, BTM_SUCCESS);
1262
1263 return (BTM_SUCCESS);
1264 }
1265
1266 /* enqueue security request if security is active */
1267 if (p_dev_rec->p_callback || (p_dev_rec->sec_state != BTM_SEC_STATE_IDLE)) {
1268 BTM_TRACE_WARNING(
1269 "Security Manager: BTM_SetEncryption busy, enqueue request");
1270
1271 if (btm_sec_queue_encrypt_request(bd_addr, transport, p_callback,
1272 p_ref_data, sec_act)) {
1273 return BTM_CMD_STARTED;
1274 } else {
1275 if (p_callback)
1276 (*p_callback)(&bd_addr, transport, p_ref_data, BTM_NO_RESOURCES);
1277 return BTM_NO_RESOURCES;
1278 }
1279 }
1280
1281 p_dev_rec->p_callback = p_callback;
1282 p_dev_rec->p_ref_data = p_ref_data;
1283 p_dev_rec->security_required |=
1284 (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT);
1285 p_dev_rec->is_originator = false;
1286
1287 BTM_TRACE_API(
1288 "Security Manager: BTM_SetEncryption Handle:%d State:%d Flags:0x%x "
1289 "Required:0x%x, p_dev_rec=%p, p_callback=%p",
1290 p_dev_rec->hci_handle, p_dev_rec->sec_state, p_dev_rec->sec_flags,
1291 p_dev_rec->security_required, p_dev_rec, p_callback);
1292
1293 if (transport == BT_TRANSPORT_LE) {
1294 tACL_CONN* p = btm_bda_to_acl(bd_addr, transport);
1295 if (p) {
1296 rc = btm_ble_set_encryption(bd_addr, sec_act, p->link_role);
1297 } else {
1298 rc = BTM_WRONG_MODE;
1299 BTM_TRACE_WARNING("%s: cannot call btm_ble_set_encryption, p is NULL",
1300 __func__);
1301 }
1302 } else {
1303 rc = btm_sec_execute_procedure(p_dev_rec);
1304 }
1305
1306 if (rc != BTM_CMD_STARTED && rc != BTM_BUSY) {
1307 if (p_callback) {
1308 BTM_TRACE_DEBUG(
1309 "%s: clearing p_callback=%p, p_dev_rec=%p, transport=%d, "
1310 "bd_addr=%s",
1311 __func__, p_callback, p_dev_rec, transport,
1312 bd_addr.ToString().c_str());
1313 p_dev_rec->p_callback = NULL;
1314 (*p_callback)(&bd_addr, transport, p_dev_rec->p_ref_data, rc);
1315 }
1316 }
1317
1318 return (rc);
1319 }
1320
1321 /*******************************************************************************
1322 * disconnect the ACL link, if it's not done yet.
1323 ******************************************************************************/
btm_sec_send_hci_disconnect(tBTM_SEC_DEV_REC * p_dev_rec,uint8_t reason,uint16_t conn_handle)1324 static tBTM_STATUS btm_sec_send_hci_disconnect(tBTM_SEC_DEV_REC* p_dev_rec,
1325 uint8_t reason,
1326 uint16_t conn_handle) {
1327 uint8_t old_state = p_dev_rec->sec_state;
1328 tBTM_STATUS status = BTM_CMD_STARTED;
1329
1330 BTM_TRACE_EVENT("btm_sec_send_hci_disconnect: handle:0x%x, reason=0x%x",
1331 conn_handle, reason);
1332
1333 /* send HCI_Disconnect on a transport only once */
1334 switch (old_state) {
1335 case BTM_SEC_STATE_DISCONNECTING:
1336 if (conn_handle == p_dev_rec->hci_handle) return status;
1337
1338 p_dev_rec->sec_state = BTM_SEC_STATE_DISCONNECTING_BOTH;
1339 break;
1340
1341 case BTM_SEC_STATE_DISCONNECTING_BLE:
1342 if (conn_handle == p_dev_rec->ble_hci_handle) return status;
1343
1344 p_dev_rec->sec_state = BTM_SEC_STATE_DISCONNECTING_BOTH;
1345 break;
1346
1347 case BTM_SEC_STATE_DISCONNECTING_BOTH:
1348 return status;
1349
1350 default:
1351 p_dev_rec->sec_state = (conn_handle == p_dev_rec->hci_handle)
1352 ? BTM_SEC_STATE_DISCONNECTING
1353 : BTM_SEC_STATE_DISCONNECTING_BLE;
1354
1355 break;
1356 }
1357
1358 /* If a role switch is in progress, delay the HCI Disconnect to avoid
1359 * controller problem */
1360 if (p_dev_rec->rs_disc_pending == BTM_SEC_RS_PENDING &&
1361 p_dev_rec->hci_handle == conn_handle) {
1362 BTM_TRACE_DEBUG(
1363 "RS in progress - Set DISC Pending flag in btm_sec_send_hci_disconnect "
1364 "to delay disconnect");
1365 p_dev_rec->rs_disc_pending = BTM_SEC_DISC_PENDING;
1366 status = BTM_SUCCESS;
1367 }
1368 /* Tear down the HCI link */
1369 else {
1370 btsnd_hcic_disconnect(conn_handle, reason);
1371 }
1372
1373 return status;
1374 }
1375
1376 /*******************************************************************************
1377 *
1378 * Function BTM_ConfirmReqReply
1379 *
1380 * Description This function is called to confirm the numeric value for
1381 * Simple Pairing in response to BTM_SP_CFM_REQ_EVT
1382 *
1383 * Parameters: res - result of the operation BTM_SUCCESS if
1384 * success
1385 * bd_addr - Address of the peer device
1386 *
1387 ******************************************************************************/
BTM_ConfirmReqReply(tBTM_STATUS res,const RawAddress & bd_addr)1388 void BTM_ConfirmReqReply(tBTM_STATUS res, const RawAddress& bd_addr) {
1389 tBTM_SEC_DEV_REC* p_dev_rec;
1390
1391 BTM_TRACE_EVENT("BTM_ConfirmReqReply() State: %s Res: %u",
1392 btm_pair_state_descr(btm_cb.pairing_state), res);
1393
1394 /* If timeout already expired or has been canceled, ignore the reply */
1395 if ((btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM) ||
1396 (btm_cb.pairing_bda != bd_addr))
1397 return;
1398
1399 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1400
1401 if ((res == BTM_SUCCESS) || (res == BTM_SUCCESS_NO_SECURITY)) {
1402 btm_cb.acl_disc_reason = HCI_SUCCESS;
1403
1404 if (res == BTM_SUCCESS) {
1405 p_dev_rec = btm_find_dev(bd_addr);
1406 if (p_dev_rec != NULL) {
1407 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED;
1408 p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED;
1409 }
1410 }
1411
1412 btsnd_hcic_user_conf_reply(bd_addr, true);
1413 } else {
1414 /* Report authentication failed event from state
1415 * BTM_PAIR_STATE_WAIT_AUTH_COMPLETE */
1416 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1417 btsnd_hcic_user_conf_reply(bd_addr, false);
1418 }
1419 }
1420
1421 /*******************************************************************************
1422 *
1423 * Function BTM_PasskeyReqReply
1424 *
1425 * Description This function is called to provide the passkey for
1426 * Simple Pairing in response to BTM_SP_KEY_REQ_EVT
1427 *
1428 * Parameters: res - result of the operation BTM_SUCCESS if success
1429 * bd_addr - Address of the peer device
1430 * passkey - numeric value in the range of
1431 * BTM_MIN_PASSKEY_VAL(0) -
1432 * BTM_MAX_PASSKEY_VAL(999999(0xF423F)).
1433 *
1434 ******************************************************************************/
1435 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
BTM_PasskeyReqReply(tBTM_STATUS res,const RawAddress & bd_addr,uint32_t passkey)1436 void BTM_PasskeyReqReply(tBTM_STATUS res, const RawAddress& bd_addr,
1437 uint32_t passkey) {
1438 BTM_TRACE_API("BTM_PasskeyReqReply: State: %s res:%d",
1439 btm_pair_state_descr(btm_cb.pairing_state), res);
1440
1441 if ((btm_cb.pairing_state == BTM_PAIR_STATE_IDLE) ||
1442 (btm_cb.pairing_bda != bd_addr)) {
1443 return;
1444 }
1445
1446 /* If timeout already expired or has been canceled, ignore the reply */
1447 if ((btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_AUTH_COMPLETE) &&
1448 (res != BTM_SUCCESS)) {
1449 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
1450 if (p_dev_rec != NULL) {
1451 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1452
1453 if (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)
1454 btm_sec_send_hci_disconnect(p_dev_rec, HCI_ERR_AUTH_FAILURE,
1455 p_dev_rec->hci_handle);
1456 else
1457 BTM_SecBondCancel(bd_addr);
1458
1459 p_dev_rec->sec_flags &=
1460 ~(BTM_SEC_LINK_KEY_AUTHED | BTM_SEC_LINK_KEY_KNOWN);
1461
1462 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE);
1463 return;
1464 }
1465 } else if (btm_cb.pairing_state != BTM_PAIR_STATE_KEY_ENTRY)
1466 return;
1467
1468 if (passkey > BTM_MAX_PASSKEY_VAL) res = BTM_ILLEGAL_VALUE;
1469
1470 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1471
1472 if (res != BTM_SUCCESS) {
1473 /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed
1474 * event */
1475 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1476 btsnd_hcic_user_passkey_neg_reply(bd_addr);
1477 } else {
1478 btm_cb.acl_disc_reason = HCI_SUCCESS;
1479 btsnd_hcic_user_passkey_reply(bd_addr, passkey);
1480 }
1481 }
1482 #endif
1483
1484 /*******************************************************************************
1485 *
1486 * Function BTM_SendKeypressNotif
1487 *
1488 * Description This function is used during the passkey entry model
1489 * by a device with KeyboardOnly IO capabilities
1490 * (very likely to be a HID Device).
1491 * It is called by a HID Device to inform the remote device
1492 * when a key has been entered or erased.
1493 *
1494 * Parameters: bd_addr - Address of the peer device
1495 * type - notification type
1496 *
1497 ******************************************************************************/
1498 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
BTM_SendKeypressNotif(const RawAddress & bd_addr,tBTM_SP_KEY_TYPE type)1499 void BTM_SendKeypressNotif(const RawAddress& bd_addr, tBTM_SP_KEY_TYPE type) {
1500 /* This API only make sense between PASSKEY_REQ and SP complete */
1501 if (btm_cb.pairing_state == BTM_PAIR_STATE_KEY_ENTRY)
1502 btsnd_hcic_send_keypress_notif(bd_addr, type);
1503 }
1504 #endif
1505
1506 /*******************************************************************************
1507 *
1508 * Function BTM_IoCapRsp
1509 *
1510 * Description This function is called in response to BTM_SP_IO_REQ_EVT
1511 * When the event data io_req.oob_data is set to
1512 * BTM_OOB_UNKNOWN by the tBTM_SP_CALLBACK implementation,
1513 * this function is called to provide the actual response
1514 *
1515 * Parameters: bd_addr - Address of the peer device
1516 * io_cap - The IO capability of local device.
1517 * oob - BTM_OOB_NONE or BTM_OOB_PRESENT.
1518 * auth_req- MITM protection required or not.
1519 *
1520 ******************************************************************************/
BTM_IoCapRsp(const RawAddress & bd_addr,tBTM_IO_CAP io_cap,tBTM_OOB_DATA oob,tBTM_AUTH_REQ auth_req)1521 void BTM_IoCapRsp(const RawAddress& bd_addr, tBTM_IO_CAP io_cap,
1522 tBTM_OOB_DATA oob, tBTM_AUTH_REQ auth_req) {
1523 BTM_TRACE_EVENT("BTM_IoCapRsp: state: %s oob: %d io_cap: %d",
1524 btm_pair_state_descr(btm_cb.pairing_state), oob, io_cap);
1525
1526 if ((btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS) ||
1527 (btm_cb.pairing_bda != bd_addr))
1528 return;
1529
1530 if (oob < BTM_OOB_UNKNOWN && io_cap < BTM_IO_CAP_MAX) {
1531 btm_cb.devcb.loc_auth_req = auth_req;
1532 btm_cb.devcb.loc_io_caps = io_cap;
1533
1534 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
1535 auth_req = (BTM_AUTH_DD_BOND | (auth_req & BTM_AUTH_YN_BIT));
1536
1537 btsnd_hcic_io_cap_req_reply(bd_addr, io_cap, oob, auth_req);
1538 }
1539 }
1540
1541 /*******************************************************************************
1542 *
1543 * Function BTM_ReadLocalOobData
1544 *
1545 * Description This function is called to read the local OOB data from
1546 * LM
1547 *
1548 ******************************************************************************/
BTM_ReadLocalOobData(void)1549 void BTM_ReadLocalOobData(void) { btsnd_hcic_read_local_oob_data(); }
1550
1551 /*******************************************************************************
1552 *
1553 * Function BTM_RemoteOobDataReply
1554 *
1555 * Description This function is called to provide the remote OOB data for
1556 * Simple Pairing in response to BTM_SP_RMT_OOB_EVT
1557 *
1558 * Parameters: bd_addr - Address of the peer device
1559 * c - simple pairing Hash C.
1560 * r - simple pairing Randomizer C.
1561 *
1562 ******************************************************************************/
BTM_RemoteOobDataReply(tBTM_STATUS res,const RawAddress & bd_addr,BT_OCTET16 c,BT_OCTET16 r)1563 void BTM_RemoteOobDataReply(tBTM_STATUS res, const RawAddress& bd_addr,
1564 BT_OCTET16 c, BT_OCTET16 r) {
1565 BTM_TRACE_EVENT("%s() - State: %s res: %d", __func__,
1566 btm_pair_state_descr(btm_cb.pairing_state), res);
1567
1568 /* If timeout already expired or has been canceled, ignore the reply */
1569 if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP) return;
1570
1571 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1572
1573 if (res != BTM_SUCCESS) {
1574 /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed
1575 * event */
1576 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1577 btsnd_hcic_rem_oob_neg_reply(bd_addr);
1578 } else {
1579 btm_cb.acl_disc_reason = HCI_SUCCESS;
1580 btsnd_hcic_rem_oob_reply(bd_addr, c, r);
1581 }
1582 }
1583
1584 /*******************************************************************************
1585 *
1586 * Function BTM_BuildOobData
1587 *
1588 * Description This function is called to build the OOB data payload to
1589 * be sent over OOB (non-Bluetooth) link
1590 *
1591 * Parameters: p_data - the location for OOB data
1592 * max_len - p_data size.
1593 * c - simple pairing Hash C.
1594 * r - simple pairing Randomizer C.
1595 * name_len- 0, local device name would not be included.
1596 * otherwise, the local device name is included for
1597 * up to this specified length
1598 *
1599 * Returns Number of bytes in p_data.
1600 *
1601 ******************************************************************************/
BTM_BuildOobData(uint8_t * p_data,uint16_t max_len,BT_OCTET16 c,BT_OCTET16 r,uint8_t name_len)1602 uint16_t BTM_BuildOobData(uint8_t* p_data, uint16_t max_len, BT_OCTET16 c,
1603 BT_OCTET16 r, uint8_t name_len) {
1604 uint8_t* p = p_data;
1605 uint16_t len = 0;
1606 uint16_t name_size;
1607 uint8_t name_type = BTM_EIR_SHORTENED_LOCAL_NAME_TYPE;
1608
1609 if (p_data && max_len >= BTM_OOB_MANDATORY_SIZE) {
1610 /* add mandatory part */
1611 UINT16_TO_STREAM(p, len);
1612 BDADDR_TO_STREAM(p, *controller_get_interface()->get_address());
1613
1614 len = BTM_OOB_MANDATORY_SIZE;
1615 max_len -= len;
1616
1617 /* now optional part */
1618
1619 /* add Hash C */
1620 uint16_t delta = BTM_OOB_HASH_C_SIZE + 2;
1621 if (max_len >= delta) {
1622 *p++ = BTM_OOB_HASH_C_SIZE + 1;
1623 *p++ = BTM_EIR_OOB_SSP_HASH_C_TYPE;
1624 ARRAY_TO_STREAM(p, c, BTM_OOB_HASH_C_SIZE);
1625 len += delta;
1626 max_len -= delta;
1627 }
1628
1629 /* add Rand R */
1630 delta = BTM_OOB_RAND_R_SIZE + 2;
1631 if (max_len >= delta) {
1632 *p++ = BTM_OOB_RAND_R_SIZE + 1;
1633 *p++ = BTM_EIR_OOB_SSP_RAND_R_TYPE;
1634 ARRAY_TO_STREAM(p, r, BTM_OOB_RAND_R_SIZE);
1635 len += delta;
1636 max_len -= delta;
1637 }
1638
1639 /* add class of device */
1640 delta = BTM_OOB_COD_SIZE + 2;
1641 if (max_len >= delta) {
1642 *p++ = BTM_OOB_COD_SIZE + 1;
1643 *p++ = BTM_EIR_OOB_COD_TYPE;
1644 DEVCLASS_TO_STREAM(p, btm_cb.devcb.dev_class);
1645 len += delta;
1646 max_len -= delta;
1647 }
1648 name_size = name_len;
1649 if (name_size > strlen(btm_cb.cfg.bd_name)) {
1650 name_type = BTM_EIR_COMPLETE_LOCAL_NAME_TYPE;
1651 name_size = (uint16_t)strlen(btm_cb.cfg.bd_name);
1652 }
1653 delta = name_size + 2;
1654 if (max_len >= delta) {
1655 *p++ = name_size + 1;
1656 *p++ = name_type;
1657 ARRAY_TO_STREAM(p, btm_cb.cfg.bd_name, name_size);
1658 len += delta;
1659 max_len -= delta;
1660 }
1661 /* update len */
1662 p = p_data;
1663 UINT16_TO_STREAM(p, len);
1664 }
1665 return len;
1666 }
1667
1668 /*******************************************************************************
1669 *
1670 * Function BTM_BothEndsSupportSecureConnections
1671 *
1672 * Description This function is called to check if both the local device
1673 * and the peer device specified by bd_addr support BR/EDR
1674 * Secure Connections.
1675 *
1676 * Parameters: bd_addr - address of the peer
1677 *
1678 * Returns true if BR/EDR Secure Connections are supported by both
1679 * local and the remote device, else false.
1680 *
1681 ******************************************************************************/
BTM_BothEndsSupportSecureConnections(const RawAddress & bd_addr)1682 bool BTM_BothEndsSupportSecureConnections(const RawAddress& bd_addr) {
1683 return ((controller_get_interface()->supports_secure_connections()) &&
1684 (BTM_PeerSupportsSecureConnections(bd_addr)));
1685 }
1686
1687 /*******************************************************************************
1688 *
1689 * Function BTM_PeerSupportsSecureConnections
1690 *
1691 * Description This function is called to check if the peer supports
1692 * BR/EDR Secure Connections.
1693 *
1694 * Parameters: bd_addr - address of the peer
1695 *
1696 * Returns true if BR/EDR Secure Connections are supported by the peer,
1697 * else false.
1698 *
1699 ******************************************************************************/
BTM_PeerSupportsSecureConnections(const RawAddress & bd_addr)1700 bool BTM_PeerSupportsSecureConnections(const RawAddress& bd_addr) {
1701 tBTM_SEC_DEV_REC* p_dev_rec;
1702
1703 p_dev_rec = btm_find_dev(bd_addr);
1704 if (p_dev_rec == NULL) {
1705 LOG(WARNING) << __func__ << ": unknown BDA: " << bd_addr;
1706 return false;
1707 }
1708
1709 return (p_dev_rec->remote_supports_secure_connections);
1710 }
1711
1712 /*******************************************************************************
1713 *
1714 * Function BTM_ReadOobData
1715 *
1716 * Description This function is called to parse the OOB data payload
1717 * received over OOB (non-Bluetooth) link
1718 *
1719 * Parameters: p_data - the location for OOB data
1720 * eir_tag - The associated EIR tag to read the data.
1721 * *p_len(output) - the length of the data with the given tag.
1722 *
1723 * Returns the beginning of the data with the given tag.
1724 * NULL, if the tag is not found.
1725 *
1726 ******************************************************************************/
BTM_ReadOobData(uint8_t * p_data,uint8_t eir_tag,uint8_t * p_len)1727 uint8_t* BTM_ReadOobData(uint8_t* p_data, uint8_t eir_tag, uint8_t* p_len) {
1728 uint8_t* p = p_data;
1729 uint16_t max_len;
1730 uint8_t len, type;
1731 uint8_t* p_ret = NULL;
1732 uint8_t ret_len = 0;
1733
1734 if (p_data) {
1735 STREAM_TO_UINT16(max_len, p);
1736 if (max_len >= BTM_OOB_MANDATORY_SIZE) {
1737 if (BTM_EIR_OOB_BD_ADDR_TYPE == eir_tag) {
1738 p_ret = p; /* the location for bd_addr */
1739 ret_len = BTM_OOB_BD_ADDR_SIZE;
1740 } else {
1741 p += BD_ADDR_LEN;
1742 max_len -= BTM_OOB_MANDATORY_SIZE;
1743 /* now the optional data in EIR format */
1744 while (max_len > 0) {
1745 len = *p++; /* tag data len + 1 */
1746 type = *p++;
1747 if (eir_tag == type) {
1748 p_ret = p;
1749 ret_len = len - 1;
1750 break;
1751 }
1752 /* the data size of this tag is len + 1 (tag data len + 2) */
1753 if (max_len > len) {
1754 max_len -= len;
1755 max_len--;
1756 len--;
1757 p += len;
1758 } else
1759 max_len = 0;
1760 }
1761 }
1762 }
1763 }
1764
1765 if (p_len) *p_len = ret_len;
1766
1767 return p_ret;
1768 }
1769
1770 /*******************************************************************************
1771 *
1772 * Function BTM_SetOutService
1773 *
1774 * Description This function is called to set the service for
1775 * outgoing connections.
1776 *
1777 * If the profile/application calls BTM_SetSecurityLevel
1778 * before initiating a connection, this function does not
1779 * need to be called.
1780 *
1781 * Returns void
1782 *
1783 ******************************************************************************/
BTM_SetOutService(const RawAddress & bd_addr,uint8_t service_id,uint32_t mx_chan_id)1784 void BTM_SetOutService(const RawAddress& bd_addr, uint8_t service_id,
1785 uint32_t mx_chan_id) {
1786 tBTM_SEC_DEV_REC* p_dev_rec;
1787 tBTM_SEC_SERV_REC* p_serv_rec = &btm_cb.sec_serv_rec[0];
1788
1789 btm_cb.p_out_serv = p_serv_rec;
1790 p_dev_rec = btm_find_dev(bd_addr);
1791
1792 for (int i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++) {
1793 if ((p_serv_rec->security_flags & BTM_SEC_IN_USE) &&
1794 (p_serv_rec->service_id == service_id) &&
1795 (p_serv_rec->orig_mx_chan_id == mx_chan_id)) {
1796 BTM_TRACE_API(
1797 "BTM_SetOutService p_out_serv id %d, psm 0x%04x, proto_id %d, "
1798 "chan_id %d",
1799 p_serv_rec->service_id, p_serv_rec->psm, p_serv_rec->mx_proto_id,
1800 p_serv_rec->orig_mx_chan_id);
1801 btm_cb.p_out_serv = p_serv_rec;
1802 if (p_dev_rec) p_dev_rec->p_cur_service = p_serv_rec;
1803 break;
1804 }
1805 }
1806 }
1807
1808 /************************************************************************
1809 * I N T E R N A L F U N C T I O N S
1810 ************************************************************************/
1811 /*******************************************************************************
1812 *
1813 * Function btm_sec_is_upgrade_possible
1814 *
1815 * Description This function returns true if the existing link key
1816 * can be upgraded or if the link key does not exist.
1817 *
1818 * Returns bool
1819 *
1820 ******************************************************************************/
btm_sec_is_upgrade_possible(tBTM_SEC_DEV_REC * p_dev_rec,bool is_originator)1821 static bool btm_sec_is_upgrade_possible(tBTM_SEC_DEV_REC* p_dev_rec,
1822 bool is_originator) {
1823 uint16_t mtm_check = is_originator ? BTM_SEC_OUT_MITM : BTM_SEC_IN_MITM;
1824 bool is_possible = true;
1825
1826 if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) {
1827 is_possible = false;
1828 if (p_dev_rec->p_cur_service) {
1829 BTM_TRACE_DEBUG(
1830 "%s() id: %d, link_key_typet: %d, rmt_io_caps: %d, chk flags: 0x%x, "
1831 "flags: 0x%x",
1832 __func__, p_dev_rec->p_cur_service->service_id,
1833 p_dev_rec->link_key_type, p_dev_rec->rmt_io_caps, mtm_check,
1834 p_dev_rec->p_cur_service->security_flags);
1835 } else {
1836 BTM_TRACE_DEBUG(
1837 "%s() link_key_typet: %d, rmt_io_caps: %d, chk flags: 0x%x", __func__,
1838 p_dev_rec->link_key_type, p_dev_rec->rmt_io_caps, mtm_check);
1839 }
1840 /* Already have a link key to the connected peer. Is the link key secure
1841 *enough?
1842 ** Is a link key upgrade even possible?
1843 */
1844 if ((p_dev_rec->security_required & mtm_check) /* needs MITM */
1845 && ((p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB) ||
1846 (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256))
1847 /* has unauthenticated
1848 link key */
1849 && (p_dev_rec->rmt_io_caps < BTM_IO_CAP_MAX) /* a valid peer IO cap */
1850 && (btm_sec_io_map[p_dev_rec->rmt_io_caps][btm_cb.devcb.loc_io_caps]))
1851 /* authenticated
1852 link key is possible */
1853 {
1854 /* upgrade is possible: check if the application wants the upgrade.
1855 * If the application is configured to use a global MITM flag,
1856 * it probably would not want to upgrade the link key based on the
1857 * security level database */
1858 is_possible = true;
1859 }
1860 }
1861 BTM_TRACE_DEBUG("%s() is_possible: %d sec_flags: 0x%x", __func__, is_possible,
1862 p_dev_rec->sec_flags);
1863 return is_possible;
1864 }
1865
1866 /*******************************************************************************
1867 *
1868 * Function btm_sec_check_upgrade
1869 *
1870 * Description This function is called to check if the existing link key
1871 * needs to be upgraded.
1872 *
1873 * Returns void
1874 *
1875 ******************************************************************************/
btm_sec_check_upgrade(tBTM_SEC_DEV_REC * p_dev_rec,bool is_originator)1876 static void btm_sec_check_upgrade(tBTM_SEC_DEV_REC* p_dev_rec,
1877 bool is_originator) {
1878 BTM_TRACE_DEBUG("%s()", __func__);
1879
1880 /* Only check if link key already exists */
1881 if (!(p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)) return;
1882
1883 if (btm_sec_is_upgrade_possible(p_dev_rec, is_originator)) {
1884 BTM_TRACE_DEBUG("need upgrade!! sec_flags:0x%x", p_dev_rec->sec_flags);
1885 /* upgrade is possible: check if the application wants the upgrade.
1886 * If the application is configured to use a global MITM flag,
1887 * it probably would not want to upgrade the link key based on the security
1888 * level database */
1889 tBTM_SP_UPGRADE evt_data;
1890 evt_data.bd_addr = p_dev_rec->bd_addr;
1891 evt_data.upgrade = true;
1892 if (btm_cb.api.p_sp_callback)
1893 (*btm_cb.api.p_sp_callback)(BTM_SP_UPGRADE_EVT,
1894 (tBTM_SP_EVT_DATA*)&evt_data);
1895
1896 BTM_TRACE_DEBUG("evt_data.upgrade:0x%x", evt_data.upgrade);
1897 if (evt_data.upgrade) {
1898 /* if the application confirms the upgrade, set the upgrade bit */
1899 p_dev_rec->sm4 |= BTM_SM4_UPGRADE;
1900
1901 /* Clear the link key known to go through authentication/pairing again */
1902 p_dev_rec->sec_flags &=
1903 ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED);
1904 p_dev_rec->sec_flags &= ~BTM_SEC_AUTHENTICATED;
1905 BTM_TRACE_DEBUG("sec_flags:0x%x", p_dev_rec->sec_flags);
1906 }
1907 }
1908 }
1909
1910 /*******************************************************************************
1911 *
1912 * Function btm_sec_l2cap_access_req
1913 *
1914 * Description This function is called by the L2CAP to grant permission to
1915 * establish L2CAP connection to or from the peer device.
1916 *
1917 * Parameters: bd_addr - Address of the peer device
1918 * psm - L2CAP PSM
1919 * is_originator - true if protocol above L2CAP originates
1920 * connection
1921 * p_callback - Pointer to callback function called if
1922 * this function returns PENDING after required
1923 * procedures are complete. MUST NOT BE NULL.
1924 *
1925 * Returns tBTM_STATUS
1926 *
1927 ******************************************************************************/
btm_sec_l2cap_access_req(const RawAddress & bd_addr,uint16_t psm,uint16_t handle,CONNECTION_TYPE conn_type,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data)1928 tBTM_STATUS btm_sec_l2cap_access_req(const RawAddress& bd_addr, uint16_t psm,
1929 uint16_t handle, CONNECTION_TYPE conn_type,
1930 tBTM_SEC_CALLBACK* p_callback,
1931 void* p_ref_data) {
1932 tBTM_SEC_DEV_REC* p_dev_rec;
1933 tBTM_SEC_SERV_REC* p_serv_rec;
1934 uint16_t security_required;
1935 uint16_t old_security_required;
1936 bool old_is_originator;
1937 tBTM_STATUS rc = BTM_SUCCESS;
1938 bool chk_acp_auth_done = false;
1939 bool is_originator;
1940 tBT_TRANSPORT transport =
1941 BT_TRANSPORT_BR_EDR; /* should check PSM range in LE connection oriented
1942 L2CAP connection */
1943
1944 is_originator = conn_type;
1945
1946 BTM_TRACE_DEBUG("%s() is_originator:%d, 0x%x, psm=0x%04x", __func__,
1947 is_originator, p_ref_data, psm);
1948
1949 /* Find or get oldest record */
1950 p_dev_rec = btm_find_or_alloc_dev(bd_addr);
1951
1952 p_dev_rec->hci_handle = handle;
1953
1954 /* Find the service record for the PSM */
1955 p_serv_rec = btm_sec_find_first_serv(conn_type, psm);
1956
1957 /* If there is no application registered with this PSM do not allow connection
1958 */
1959 if (!p_serv_rec) {
1960 BTM_TRACE_WARNING("%s() PSM: %d no application registerd", __func__, psm);
1961 (*p_callback)(&bd_addr, transport, p_ref_data, BTM_MODE_UNSUPPORTED);
1962 return (BTM_MODE_UNSUPPORTED);
1963 }
1964
1965 /* Services level0 by default have no security */
1966 if ((btm_sec_is_serv_level0(psm)) &&
1967 (!btm_cb.devcb.secure_connections_only)) {
1968 (*p_callback)(&bd_addr, transport, p_ref_data, BTM_SUCCESS_NO_SECURITY);
1969 return (BTM_SUCCESS);
1970 }
1971 if (btm_cb.security_mode == BTM_SEC_MODE_SC) {
1972 security_required = btm_sec_set_serv_level4_flags(
1973 p_serv_rec->security_flags, is_originator);
1974 } else {
1975 security_required = p_serv_rec->security_flags;
1976 }
1977
1978 BTM_TRACE_DEBUG(
1979 "%s: security_required 0x%04x, is_originator 0x%02x, psm 0x%04x",
1980 __func__, security_required, is_originator, psm);
1981
1982 if ((!is_originator) && (security_required & BTM_SEC_MODE4_LEVEL4)) {
1983 bool local_supports_sc =
1984 controller_get_interface()->supports_secure_connections();
1985 /* acceptor receives L2CAP Channel Connect Request for Secure Connections
1986 * Only service */
1987 if (!(local_supports_sc) ||
1988 !(p_dev_rec->remote_supports_secure_connections)) {
1989 BTM_TRACE_DEBUG("%s: SC only service, local_support_for_sc %d",
1990 "rmt_support_for_sc : %d -> fail pairing", __func__,
1991 local_supports_sc,
1992 p_dev_rec->remote_supports_secure_connections);
1993 if (p_callback)
1994 (*p_callback)(&bd_addr, transport, (void*)p_ref_data,
1995 BTM_MODE4_LEVEL4_NOT_SUPPORTED);
1996
1997 return (BTM_MODE4_LEVEL4_NOT_SUPPORTED);
1998 }
1999 }
2000
2001 /* there are some devices (moto KRZR) which connects to several services at
2002 * the same time */
2003 /* we will process one after another */
2004 if ((p_dev_rec->p_callback) ||
2005 (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)) {
2006 BTM_TRACE_EVENT("%s() - busy - PSM:%d delayed state: %s mode:%d, sm4:0x%x",
2007 __func__, psm, btm_pair_state_descr(btm_cb.pairing_state),
2008 btm_cb.security_mode, p_dev_rec->sm4);
2009 BTM_TRACE_EVENT("security_flags:x%x, sec_flags:x%x", security_required,
2010 p_dev_rec->sec_flags);
2011 rc = BTM_CMD_STARTED;
2012 if ((btm_cb.security_mode == BTM_SEC_MODE_UNDEFINED ||
2013 btm_cb.security_mode == BTM_SEC_MODE_NONE ||
2014 btm_cb.security_mode == BTM_SEC_MODE_SERVICE ||
2015 btm_cb.security_mode == BTM_SEC_MODE_LINK) ||
2016 (BTM_SM4_KNOWN == p_dev_rec->sm4) ||
2017 (BTM_SEC_IS_SM4(p_dev_rec->sm4) &&
2018 (!btm_sec_is_upgrade_possible(p_dev_rec, is_originator)))) {
2019 /* legacy mode - local is legacy or local is lisbon/peer is legacy
2020 * or SM4 with no possibility of link key upgrade */
2021 if (is_originator) {
2022 if (((security_required & BTM_SEC_OUT_FLAGS) == 0) ||
2023 ((((security_required & BTM_SEC_OUT_FLAGS) ==
2024 BTM_SEC_OUT_AUTHENTICATE) &&
2025 btm_dev_authenticated(p_dev_rec))) ||
2026 ((((security_required & BTM_SEC_OUT_FLAGS) ==
2027 (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) &&
2028 btm_dev_encrypted(p_dev_rec))) ||
2029 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_FLAGS) &&
2030 btm_dev_authorized(p_dev_rec) && btm_dev_encrypted(p_dev_rec)))) {
2031 rc = BTM_SUCCESS;
2032 }
2033 } else {
2034 if (((security_required & BTM_SEC_IN_FLAGS) == 0) ||
2035 (((security_required & BTM_SEC_IN_FLAGS) ==
2036 BTM_SEC_IN_AUTHENTICATE) &&
2037 btm_dev_authenticated(p_dev_rec)) ||
2038 (((security_required & BTM_SEC_IN_FLAGS) ==
2039 (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) &&
2040 btm_dev_encrypted(p_dev_rec)) ||
2041 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHORIZE) &&
2042 (btm_dev_authorized(p_dev_rec) ||
2043 btm_serv_trusted(p_dev_rec, p_serv_rec))) ||
2044 (((security_required & BTM_SEC_IN_FLAGS) ==
2045 (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_AUTHORIZE)) &&
2046 ((btm_dev_authorized(p_dev_rec) ||
2047 btm_serv_trusted(p_dev_rec, p_serv_rec)) &&
2048 btm_dev_authenticated(p_dev_rec))) ||
2049 (((security_required & BTM_SEC_IN_FLAGS) ==
2050 (BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHORIZE)) &&
2051 ((btm_dev_authorized(p_dev_rec) ||
2052 btm_serv_trusted(p_dev_rec, p_serv_rec)) &&
2053 btm_dev_encrypted(p_dev_rec))) ||
2054 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_FLAGS) &&
2055 btm_dev_encrypted(p_dev_rec) &&
2056 (btm_dev_authorized(p_dev_rec) ||
2057 btm_serv_trusted(p_dev_rec, p_serv_rec)))) {
2058 // Check for 16 digits (or MITM)
2059 if (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == 0) ||
2060 (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) ==
2061 BTM_SEC_IN_MIN_16_DIGIT_PIN) &&
2062 btm_dev_16_digit_authenticated(p_dev_rec))) {
2063 rc = BTM_SUCCESS;
2064 }
2065 }
2066 }
2067
2068 if ((rc == BTM_SUCCESS) && (security_required & BTM_SEC_MODE4_LEVEL4) &&
2069 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256)) {
2070 rc = BTM_CMD_STARTED;
2071 }
2072
2073 if (rc == BTM_SUCCESS) {
2074 if (p_callback)
2075 (*p_callback)(&bd_addr, transport, (void*)p_ref_data, BTM_SUCCESS);
2076 return (BTM_SUCCESS);
2077 }
2078 }
2079
2080 btm_cb.sec_req_pending = true;
2081 return (BTM_CMD_STARTED);
2082 }
2083
2084 /* Save pointer to service record */
2085 p_dev_rec->p_cur_service = p_serv_rec;
2086
2087 /* Modify security_required in btm_sec_l2cap_access_req for Lisbon */
2088 if (btm_cb.security_mode == BTM_SEC_MODE_SP ||
2089 btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
2090 btm_cb.security_mode == BTM_SEC_MODE_SC) {
2091 if (BTM_SEC_IS_SM4(p_dev_rec->sm4)) {
2092 if (is_originator) {
2093 /* SM4 to SM4 -> always authenticate & encrypt */
2094 security_required |= (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT);
2095 } else /* acceptor */
2096 {
2097 /* SM4 to SM4: the acceptor needs to make sure the authentication is
2098 * already done */
2099 chk_acp_auth_done = true;
2100 /* SM4 to SM4 -> always authenticate & encrypt */
2101 security_required |= (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT);
2102 }
2103 } else if (!(BTM_SM4_KNOWN & p_dev_rec->sm4)) {
2104 /* the remote features are not known yet */
2105 BTM_TRACE_DEBUG("%s: (%s) remote features unknown!!sec_flags:0x%02x",
2106 __func__, (is_originator) ? "initiator" : "acceptor",
2107 p_dev_rec->sec_flags);
2108
2109 p_dev_rec->sm4 |= BTM_SM4_REQ_PEND;
2110 return (BTM_CMD_STARTED);
2111 }
2112 }
2113
2114 BTM_TRACE_DEBUG(
2115 "%s() sm4:0x%x, sec_flags:0x%x, security_required:0x%x chk:%d", __func__,
2116 p_dev_rec->sm4, p_dev_rec->sec_flags, security_required,
2117 chk_acp_auth_done);
2118
2119 old_security_required = p_dev_rec->security_required;
2120 old_is_originator = p_dev_rec->is_originator;
2121 p_dev_rec->security_required = security_required;
2122 p_dev_rec->p_ref_data = p_ref_data;
2123 p_dev_rec->is_originator = is_originator;
2124
2125 /* If there are multiple service records used through the same PSM */
2126 /* leave security decision for the multiplexor on the top */
2127 if ((btm_sec_find_next_serv(p_serv_rec)) != NULL) {
2128 BTM_TRACE_DEBUG("no next_serv sm4:0x%x, chk:%d", p_dev_rec->sm4,
2129 chk_acp_auth_done);
2130 if (!BTM_SEC_IS_SM4(p_dev_rec->sm4)) {
2131 BTM_TRACE_EVENT(
2132 "Security Manager: l2cap_access_req PSM:%d postponed for multiplexer",
2133 psm);
2134 /* pre-Lisbon: restore the old settings */
2135 p_dev_rec->security_required = old_security_required;
2136 p_dev_rec->is_originator = old_is_originator;
2137
2138 (*p_callback)(&bd_addr, transport, p_ref_data, BTM_SUCCESS);
2139
2140 return (BTM_SUCCESS);
2141 }
2142 }
2143
2144 /* if the originator is using dynamic PSM in legacy mode, do not start any
2145 * security process now
2146 * The layer above L2CAP needs to carry out the security requirement after
2147 * L2CAP connect
2148 * response is received */
2149 if (is_originator &&
2150 ((btm_cb.security_mode == BTM_SEC_MODE_UNDEFINED ||
2151 btm_cb.security_mode == BTM_SEC_MODE_NONE ||
2152 btm_cb.security_mode == BTM_SEC_MODE_SERVICE ||
2153 btm_cb.security_mode == BTM_SEC_MODE_LINK) ||
2154 !BTM_SEC_IS_SM4(p_dev_rec->sm4)) &&
2155 (psm >= 0x1001)) {
2156 BTM_TRACE_EVENT(
2157 "dynamic PSM:0x%x in legacy mode - postponed for upper layer", psm);
2158 /* restore the old settings */
2159 p_dev_rec->security_required = old_security_required;
2160 p_dev_rec->is_originator = old_is_originator;
2161
2162 (*p_callback)(&bd_addr, transport, p_ref_data, BTM_SUCCESS);
2163
2164 return (BTM_SUCCESS);
2165 }
2166
2167 if (chk_acp_auth_done) {
2168 BTM_TRACE_DEBUG(
2169 "(SM4 to SM4) btm_sec_l2cap_access_req rspd. authenticated: x%x, enc: "
2170 "x%x",
2171 (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED),
2172 (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED));
2173 /* SM4, but we do not know for sure which level of security we need.
2174 * as long as we have a link key, it's OK */
2175 if ((0 == (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)) ||
2176 (0 == (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))) {
2177 rc = BTM_DELAY_CHECK;
2178 /*
2179 2046 may report HCI_Encryption_Change and L2C Connection Request out of
2180 sequence
2181 because of data path issues. Delay this disconnect a little bit
2182 */
2183 LOG_INFO(
2184 LOG_TAG,
2185 "%s peer should have initiated security process by now (SM4 to SM4)",
2186 __func__);
2187 p_dev_rec->p_callback = p_callback;
2188 p_dev_rec->sec_state = BTM_SEC_STATE_DELAY_FOR_ENC;
2189 (*p_callback)(&bd_addr, transport, p_ref_data, rc);
2190
2191 return BTM_SUCCESS;
2192 }
2193 }
2194
2195 p_dev_rec->p_callback = p_callback;
2196
2197 if (p_dev_rec->last_author_service_id == BTM_SEC_NO_LAST_SERVICE_ID ||
2198 p_dev_rec->last_author_service_id !=
2199 p_dev_rec->p_cur_service->service_id) {
2200 /* Although authentication and encryption are per connection
2201 ** authorization is per access request. For example when serial connection
2202 ** is up and authorized and client requests to read file (access to other
2203 ** scn), we need to request user's permission again.
2204 */
2205 p_dev_rec->sec_flags &= ~BTM_SEC_AUTHORIZED;
2206 }
2207
2208 if (BTM_SEC_IS_SM4(p_dev_rec->sm4)) {
2209 if ((p_dev_rec->security_required & BTM_SEC_MODE4_LEVEL4) &&
2210 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256)) {
2211 /* BTM_LKEY_TYPE_AUTH_COMB_P_256 is the only acceptable key in this case
2212 */
2213 if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) != 0) {
2214 p_dev_rec->sm4 |= BTM_SM4_UPGRADE;
2215 }
2216 p_dev_rec->sec_flags &=
2217 ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED |
2218 BTM_SEC_AUTHENTICATED);
2219 BTM_TRACE_DEBUG("%s: sec_flags:0x%x", __func__, p_dev_rec->sec_flags);
2220 } else {
2221 /* If we already have a link key to the connected peer, is it secure
2222 * enough? */
2223 btm_sec_check_upgrade(p_dev_rec, is_originator);
2224 }
2225 }
2226
2227 BTM_TRACE_EVENT(
2228 "%s() PSM:%d Handle:%d State:%d Flags: 0x%x Required: 0x%x Service ID:%d",
2229 __func__, psm, handle, p_dev_rec->sec_state, p_dev_rec->sec_flags,
2230 p_dev_rec->security_required, p_dev_rec->p_cur_service->service_id);
2231
2232 rc = btm_sec_execute_procedure(p_dev_rec);
2233 if (rc != BTM_CMD_STARTED) {
2234 BTM_TRACE_DEBUG("%s: p_dev_rec=%p, clearing callback. old p_callback=%p",
2235 __func__, p_dev_rec, p_dev_rec->p_callback);
2236 p_dev_rec->p_callback = NULL;
2237 (*p_callback)(&bd_addr, transport, p_dev_rec->p_ref_data, (uint8_t)rc);
2238 }
2239
2240 return (rc);
2241 }
2242
2243 /*******************************************************************************
2244 *
2245 * Function btm_sec_mx_access_request
2246 *
2247 * Description This function is called by all Multiplexing Protocols during
2248 * establishing connection to or from peer device to grant
2249 * permission to establish application connection.
2250 *
2251 * Parameters: bd_addr - Address of the peer device
2252 * psm - L2CAP PSM
2253 * is_originator - true if protocol above L2CAP originates
2254 * connection
2255 * mx_proto_id - protocol ID of the multiplexer
2256 * mx_chan_id - multiplexer channel to reach application
2257 * p_callback - Pointer to callback function called if
2258 * this function returns PENDING after required
2259 * procedures are completed
2260 * p_ref_data - Pointer to any reference data needed by the
2261 * the callback function.
2262 *
2263 * Returns BTM_CMD_STARTED
2264 *
2265 ******************************************************************************/
btm_sec_mx_access_request(const RawAddress & bd_addr,uint16_t psm,bool is_originator,uint32_t mx_proto_id,uint32_t mx_chan_id,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data)2266 tBTM_STATUS btm_sec_mx_access_request(const RawAddress& bd_addr, uint16_t psm,
2267 bool is_originator, uint32_t mx_proto_id,
2268 uint32_t mx_chan_id,
2269 tBTM_SEC_CALLBACK* p_callback,
2270 void* p_ref_data) {
2271 tBTM_SEC_DEV_REC* p_dev_rec;
2272 tBTM_SEC_SERV_REC* p_serv_rec;
2273 tBTM_STATUS rc;
2274 uint16_t security_required;
2275 bool transport = false; /* should check PSM range in LE connection oriented
2276 L2CAP connection */
2277
2278 BTM_TRACE_DEBUG("%s() is_originator: %d", __func__, is_originator);
2279 /* Find or get oldest record */
2280 p_dev_rec = btm_find_or_alloc_dev(bd_addr);
2281
2282 /* Find the service record for the PSM */
2283 p_serv_rec =
2284 btm_sec_find_mx_serv(is_originator, psm, mx_proto_id, mx_chan_id);
2285
2286 /* If there is no application registered with this PSM do not allow connection
2287 */
2288 if (!p_serv_rec) {
2289 if (p_callback)
2290 (*p_callback)(&bd_addr, transport, p_ref_data, BTM_MODE_UNSUPPORTED);
2291
2292 BTM_TRACE_ERROR(
2293 "Security Manager: MX service not found PSM:%d Proto:%d SCN:%d", psm,
2294 mx_proto_id, mx_chan_id);
2295 return BTM_NO_RESOURCES;
2296 }
2297
2298 if ((btm_cb.security_mode == BTM_SEC_MODE_SC) &&
2299 (!btm_sec_is_serv_level0(psm))) {
2300 security_required = btm_sec_set_serv_level4_flags(
2301 p_serv_rec->security_flags, is_originator);
2302 } else {
2303 security_required = p_serv_rec->security_flags;
2304 }
2305
2306 /* there are some devices (moto phone) which connects to several services at
2307 * the same time */
2308 /* we will process one after another */
2309 if ((p_dev_rec->p_callback) ||
2310 (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)) {
2311 BTM_TRACE_EVENT("%s() service PSM:%d Proto:%d SCN:%d delayed state: %s",
2312 __func__, psm, mx_proto_id, mx_chan_id,
2313 btm_pair_state_descr(btm_cb.pairing_state));
2314
2315 rc = BTM_CMD_STARTED;
2316
2317 if ((btm_cb.security_mode == BTM_SEC_MODE_UNDEFINED ||
2318 btm_cb.security_mode == BTM_SEC_MODE_NONE ||
2319 btm_cb.security_mode == BTM_SEC_MODE_SERVICE ||
2320 btm_cb.security_mode == BTM_SEC_MODE_LINK) ||
2321 (BTM_SM4_KNOWN == p_dev_rec->sm4) ||
2322 (BTM_SEC_IS_SM4(p_dev_rec->sm4) &&
2323 (!btm_sec_is_upgrade_possible(p_dev_rec, is_originator)))) {
2324 /* legacy mode - local is legacy or local is lisbon/peer is legacy
2325 * or SM4 with no possibility of link key upgrade */
2326 if (is_originator) {
2327 if (((security_required & BTM_SEC_OUT_FLAGS) == 0) ||
2328 ((((security_required & BTM_SEC_OUT_FLAGS) ==
2329 BTM_SEC_OUT_AUTHENTICATE) &&
2330 btm_dev_authenticated(p_dev_rec))) ||
2331 ((((security_required & BTM_SEC_OUT_FLAGS) ==
2332 (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) &&
2333 btm_dev_encrypted(p_dev_rec)))) {
2334 rc = BTM_SUCCESS;
2335 }
2336 } else {
2337 if (((security_required & BTM_SEC_IN_FLAGS) == 0) ||
2338 ((((security_required & BTM_SEC_IN_FLAGS) ==
2339 BTM_SEC_IN_AUTHENTICATE) &&
2340 btm_dev_authenticated(p_dev_rec))) ||
2341 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHORIZE) &&
2342 (btm_dev_authorized(p_dev_rec) ||
2343 btm_serv_trusted(p_dev_rec, p_serv_rec))) ||
2344 (((security_required & BTM_SEC_IN_FLAGS) ==
2345 (BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_AUTHENTICATE)) &&
2346 ((btm_dev_authorized(p_dev_rec) ||
2347 btm_serv_trusted(p_dev_rec, p_serv_rec)) &&
2348 btm_dev_authenticated(p_dev_rec))) ||
2349 (((security_required & BTM_SEC_IN_FLAGS) ==
2350 (BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT)) &&
2351 ((btm_dev_authorized(p_dev_rec) ||
2352 btm_serv_trusted(p_dev_rec, p_serv_rec)) &&
2353 btm_dev_encrypted(p_dev_rec))) ||
2354 ((((security_required & BTM_SEC_IN_FLAGS) ==
2355 (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) &&
2356 btm_dev_encrypted(p_dev_rec)))) {
2357 // Check for 16 digits (or MITM)
2358 if (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == 0) ||
2359 (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) ==
2360 BTM_SEC_IN_MIN_16_DIGIT_PIN) &&
2361 btm_dev_16_digit_authenticated(p_dev_rec))) {
2362 rc = BTM_SUCCESS;
2363 }
2364 }
2365 }
2366 if ((rc == BTM_SUCCESS) && (security_required & BTM_SEC_MODE4_LEVEL4) &&
2367 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256)) {
2368 rc = BTM_CMD_STARTED;
2369 }
2370 }
2371
2372 if (rc == BTM_SUCCESS) {
2373 BTM_TRACE_EVENT("%s: allow to bypass, checking authorization", __func__);
2374 /* the security in BTM_SEC_IN_FLAGS is fullfilled so far, check the
2375 * requirements in */
2376 /* btm_sec_execute_procedure */
2377 if ((is_originator &&
2378 (p_serv_rec->security_flags & BTM_SEC_OUT_AUTHORIZE)) ||
2379 (!is_originator &&
2380 (p_serv_rec->security_flags & BTM_SEC_IN_AUTHORIZE))) {
2381 BTM_TRACE_EVENT("%s: still need authorization", __func__);
2382 rc = BTM_CMD_STARTED;
2383 }
2384 }
2385
2386 /* Check whether there is a pending security procedure, if so we should
2387 * always queue */
2388 /* the new security request */
2389 if (p_dev_rec->sec_state != BTM_SEC_STATE_IDLE) {
2390 BTM_TRACE_EVENT("%s: There is a pending security procedure", __func__);
2391 rc = BTM_CMD_STARTED;
2392 }
2393 if (rc == BTM_CMD_STARTED) {
2394 BTM_TRACE_EVENT("%s: call btm_sec_queue_mx_request", __func__);
2395 btm_sec_queue_mx_request(bd_addr, psm, is_originator, mx_proto_id,
2396 mx_chan_id, p_callback, p_ref_data);
2397 } else /* rc == BTM_SUCCESS */
2398 {
2399 /* access granted */
2400 if (p_callback) {
2401 (*p_callback)(&bd_addr, transport, p_ref_data, (uint8_t)rc);
2402 }
2403 }
2404
2405 BTM_TRACE_EVENT("%s: return with rc = 0x%02x in delayed state %s", __func__,
2406 rc, btm_pair_state_descr(btm_cb.pairing_state));
2407 return rc;
2408 }
2409
2410 if ((!is_originator) && ((security_required & BTM_SEC_MODE4_LEVEL4) ||
2411 (btm_cb.security_mode == BTM_SEC_MODE_SC))) {
2412 bool local_supports_sc =
2413 controller_get_interface()->supports_secure_connections();
2414 /* acceptor receives service connection establishment Request for */
2415 /* Secure Connections Only service */
2416 if (!(local_supports_sc) ||
2417 !(p_dev_rec->remote_supports_secure_connections)) {
2418 BTM_TRACE_DEBUG("%s: SC only service,local_support_for_sc %d,",
2419 "remote_support_for_sc %d: fail pairing", __func__,
2420 local_supports_sc,
2421 p_dev_rec->remote_supports_secure_connections);
2422
2423 if (p_callback)
2424 (*p_callback)(&bd_addr, transport, (void*)p_ref_data,
2425 BTM_MODE4_LEVEL4_NOT_SUPPORTED);
2426
2427 return (BTM_MODE4_LEVEL4_NOT_SUPPORTED);
2428 }
2429 }
2430
2431 p_dev_rec->p_cur_service = p_serv_rec;
2432 p_dev_rec->security_required = security_required;
2433
2434 if (btm_cb.security_mode == BTM_SEC_MODE_SP ||
2435 btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
2436 btm_cb.security_mode == BTM_SEC_MODE_SC) {
2437 if (BTM_SEC_IS_SM4(p_dev_rec->sm4)) {
2438 if ((p_dev_rec->security_required & BTM_SEC_MODE4_LEVEL4) &&
2439 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256)) {
2440 /* BTM_LKEY_TYPE_AUTH_COMB_P_256 is the only acceptable key in this case
2441 */
2442 if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) != 0) {
2443 p_dev_rec->sm4 |= BTM_SM4_UPGRADE;
2444 }
2445
2446 p_dev_rec->sec_flags &=
2447 ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED |
2448 BTM_SEC_AUTHENTICATED);
2449 BTM_TRACE_DEBUG("%s: sec_flags:0x%x", __func__, p_dev_rec->sec_flags);
2450 } else {
2451 /* If we already have a link key, check if that link key is good enough
2452 */
2453 btm_sec_check_upgrade(p_dev_rec, is_originator);
2454 }
2455 }
2456 }
2457
2458 p_dev_rec->is_originator = is_originator;
2459 p_dev_rec->p_callback = p_callback;
2460 p_dev_rec->p_ref_data = p_ref_data;
2461
2462 /* Although authentication and encryption are per connection */
2463 /* authorization is per access request. For example when serial connection */
2464 /* is up and authorized and client requests to read file (access to other */
2465 /* scn, we need to request user's permission again. */
2466 p_dev_rec->sec_flags &= ~(BTM_SEC_AUTHORIZED);
2467
2468 BTM_TRACE_EVENT(
2469 "%s() proto_id:%d chan_id:%d State:%d Flags:0x%x Required:0x%x Service "
2470 "ID:%d",
2471 __func__, mx_proto_id, mx_chan_id, p_dev_rec->sec_state,
2472 p_dev_rec->sec_flags, p_dev_rec->security_required,
2473 p_dev_rec->p_cur_service->service_id);
2474
2475 rc = btm_sec_execute_procedure(p_dev_rec);
2476 if (rc != BTM_CMD_STARTED) {
2477 if (p_callback) {
2478 p_dev_rec->p_callback = NULL;
2479 (*p_callback)(&bd_addr, transport, p_ref_data, (uint8_t)rc);
2480 }
2481 }
2482
2483 return rc;
2484 }
2485
2486 /*******************************************************************************
2487 *
2488 * Function btm_sec_conn_req
2489 *
2490 * Description This function is when the peer device is requesting
2491 * connection
2492 *
2493 * Returns void
2494 *
2495 ******************************************************************************/
btm_sec_conn_req(const RawAddress & bda,uint8_t * dc)2496 void btm_sec_conn_req(const RawAddress& bda, uint8_t* dc) {
2497 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bda);
2498
2499 /* Some device may request a connection before we are done with the HCI_Reset
2500 * sequence */
2501 if (!controller_get_interface()->get_is_ready()) {
2502 BTM_TRACE_EVENT("Security Manager: connect request when device not ready");
2503 btsnd_hcic_reject_conn(bda, HCI_ERR_HOST_REJECT_DEVICE);
2504 return;
2505 }
2506
2507 /* Security guys wants us not to allow connection from not paired devices */
2508
2509 /* Check if connection is allowed for only paired devices */
2510 if (btm_cb.connect_only_paired) {
2511 if (!p_dev_rec || !(p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED)) {
2512 BTM_TRACE_EVENT(
2513 "Security Manager: connect request from non-paired device");
2514 btsnd_hcic_reject_conn(bda, HCI_ERR_HOST_REJECT_DEVICE);
2515 return;
2516 }
2517 }
2518
2519 #if (BTM_ALLOW_CONN_IF_NONDISCOVER == FALSE)
2520 /* If non-discoverable, only allow known devices to connect */
2521 if (btm_cb.btm_inq_vars.discoverable_mode == BTM_NON_DISCOVERABLE) {
2522 if (!p_dev_rec) {
2523 BTM_TRACE_EVENT(
2524 "Security Manager: connect request from not paired device");
2525 btsnd_hcic_reject_conn(bda, HCI_ERR_HOST_REJECT_DEVICE);
2526 return;
2527 }
2528 }
2529 #endif
2530
2531 if ((btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) &&
2532 (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) &&
2533 (btm_cb.pairing_bda == bda)) {
2534 BTM_TRACE_EVENT(
2535 "Security Manager: reject connect request from bonding device");
2536
2537 /* incoming connection from bonding device is rejected */
2538 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_REJECTED_CONNECT;
2539 btsnd_hcic_reject_conn(bda, HCI_ERR_HOST_REJECT_DEVICE);
2540 return;
2541 }
2542
2543 /* Host is not interested or approved connection. Save BDA and DC and */
2544 /* pass request to L2CAP */
2545 btm_cb.connecting_bda = bda;
2546 memcpy(btm_cb.connecting_dc, dc, DEV_CLASS_LEN);
2547
2548 if (l2c_link_hci_conn_req(bda)) {
2549 if (!p_dev_rec) {
2550 /* accept the connection -> allocate a device record */
2551 p_dev_rec = btm_sec_alloc_dev(bda);
2552 }
2553 if (p_dev_rec) {
2554 p_dev_rec->sm4 |= BTM_SM4_CONN_PEND;
2555 }
2556 }
2557 }
2558
2559 /*******************************************************************************
2560 *
2561 * Function btm_sec_bond_cancel_complete
2562 *
2563 * Description This function is called to report bond cancel complete
2564 * event.
2565 *
2566 * Returns void
2567 *
2568 ******************************************************************************/
btm_sec_bond_cancel_complete(void)2569 static void btm_sec_bond_cancel_complete(void) {
2570 tBTM_SEC_DEV_REC* p_dev_rec;
2571
2572 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE) ||
2573 (BTM_PAIR_STATE_WAIT_LOCAL_PIN == btm_cb.pairing_state &&
2574 BTM_PAIR_FLAGS_WE_STARTED_DD & btm_cb.pairing_flags) ||
2575 (btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME &&
2576 BTM_PAIR_FLAGS_WE_CANCEL_DD & btm_cb.pairing_flags)) {
2577 /* for dedicated bonding in legacy mode, authentication happens at "link
2578 * level"
2579 * btm_sec_connected is called with failed status.
2580 * In theory, the code that handles is_pairing_device/true should clean out
2581 * security related code.
2582 * However, this function may clean out the security related flags and
2583 * btm_sec_connected would not know
2584 * this function also needs to do proper clean up.
2585 */
2586 p_dev_rec = btm_find_dev(btm_cb.pairing_bda);
2587 if (p_dev_rec != NULL) p_dev_rec->security_required = BTM_SEC_NONE;
2588 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE);
2589
2590 /* Notify application that the cancel succeeded */
2591 if (btm_cb.api.p_bond_cancel_cmpl_callback)
2592 btm_cb.api.p_bond_cancel_cmpl_callback(BTM_SUCCESS);
2593 }
2594 }
2595
2596 /*******************************************************************************
2597 *
2598 * Function btm_create_conn_cancel_complete
2599 *
2600 * Description This function is called when the command complete message
2601 * is received from the HCI for the create connection cancel
2602 * command.
2603 *
2604 * Returns void
2605 *
2606 ******************************************************************************/
btm_create_conn_cancel_complete(uint8_t * p)2607 void btm_create_conn_cancel_complete(uint8_t* p) {
2608 uint8_t status;
2609
2610 STREAM_TO_UINT8(status, p);
2611 BTM_TRACE_EVENT("btm_create_conn_cancel_complete(): in State: %s status:%d",
2612 btm_pair_state_descr(btm_cb.pairing_state), status);
2613
2614 /* if the create conn cancel cmd was issued by the bond cancel,
2615 ** the application needs to be notified that bond cancel succeeded
2616 */
2617 switch (status) {
2618 case HCI_SUCCESS:
2619 btm_sec_bond_cancel_complete();
2620 break;
2621 case HCI_ERR_CONNECTION_EXISTS:
2622 case HCI_ERR_NO_CONNECTION:
2623 default:
2624 /* Notify application of the error */
2625 if (btm_cb.api.p_bond_cancel_cmpl_callback)
2626 btm_cb.api.p_bond_cancel_cmpl_callback(BTM_ERR_PROCESSING);
2627 break;
2628 }
2629 }
2630
2631 /*******************************************************************************
2632 *
2633 * Function btm_sec_check_pending_reqs
2634 *
2635 * Description This function is called at the end of the security procedure
2636 * to let L2CAP and RFCOMM know to re-submit any pending
2637 * requests
2638 *
2639 * Returns void
2640 *
2641 ******************************************************************************/
btm_sec_check_pending_reqs(void)2642 void btm_sec_check_pending_reqs(void) {
2643 if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE) {
2644 /* First, resubmit L2CAP requests */
2645 if (btm_cb.sec_req_pending) {
2646 btm_cb.sec_req_pending = false;
2647 l2cu_resubmit_pending_sec_req(nullptr);
2648 }
2649
2650 /* Now, re-submit anything in the mux queue */
2651 fixed_queue_t* bq = btm_cb.sec_pending_q;
2652
2653 btm_cb.sec_pending_q = fixed_queue_new(SIZE_MAX);
2654
2655 tBTM_SEC_QUEUE_ENTRY* p_e;
2656 while ((p_e = (tBTM_SEC_QUEUE_ENTRY*)fixed_queue_try_dequeue(bq)) != NULL) {
2657 /* Check that the ACL is still up before starting security procedures */
2658 if (btm_bda_to_acl(p_e->bd_addr, p_e->transport) != NULL) {
2659 if (p_e->psm != 0) {
2660 BTM_TRACE_EVENT(
2661 "%s PSM:0x%04x Is_Orig:%u mx_proto_id:%u mx_chan_id:%u", __func__,
2662 p_e->psm, p_e->is_orig, p_e->mx_proto_id, p_e->mx_chan_id);
2663
2664 btm_sec_mx_access_request(p_e->bd_addr, p_e->psm, p_e->is_orig,
2665 p_e->mx_proto_id, p_e->mx_chan_id,
2666 p_e->p_callback, p_e->p_ref_data);
2667 } else {
2668 BTM_SetEncryption(p_e->bd_addr, p_e->transport, p_e->p_callback,
2669 p_e->p_ref_data, p_e->sec_act);
2670 }
2671 }
2672
2673 osi_free(p_e);
2674 }
2675 fixed_queue_free(bq, NULL);
2676 }
2677 }
2678
2679 /*******************************************************************************
2680 *
2681 * Function btm_sec_init
2682 *
2683 * Description This function is on the SEC startup
2684 *
2685 * Returns void
2686 *
2687 ******************************************************************************/
btm_sec_init(uint8_t sec_mode)2688 void btm_sec_init(uint8_t sec_mode) {
2689 btm_cb.security_mode = sec_mode;
2690 btm_cb.pairing_bda = RawAddress::kAny;
2691 btm_cb.max_collision_delay = BTM_SEC_MAX_COLLISION_DELAY;
2692 }
2693
2694 /*******************************************************************************
2695 *
2696 * Function btm_sec_device_down
2697 *
2698 * Description This function should be called when device is disabled or
2699 * turned off
2700 *
2701 * Returns void
2702 *
2703 ******************************************************************************/
btm_sec_device_down(void)2704 void btm_sec_device_down(void) {
2705 BTM_TRACE_EVENT("%s() State: %s", __func__,
2706 btm_pair_state_descr(btm_cb.pairing_state));
2707 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE);
2708 }
2709
2710 /*******************************************************************************
2711 *
2712 * Function btm_sec_dev_reset
2713 *
2714 * Description This function should be called after device reset
2715 *
2716 * Returns void
2717 *
2718 ******************************************************************************/
btm_sec_dev_reset(void)2719 void btm_sec_dev_reset(void) {
2720 if (controller_get_interface()->supports_simple_pairing()) {
2721 /* set the default IO capabilities */
2722 btm_cb.devcb.loc_io_caps = BTM_LOCAL_IO_CAPS;
2723 /* add mx service to use no security */
2724 BTM_SetSecurityLevel(false, "RFC_MUX", BTM_SEC_SERVICE_RFC_MUX,
2725 BTM_SEC_NONE, BT_PSM_RFCOMM, BTM_SEC_PROTO_RFCOMM, 0);
2726 } else {
2727 btm_cb.security_mode = BTM_SEC_MODE_SERVICE;
2728 }
2729
2730 BTM_TRACE_DEBUG("btm_sec_dev_reset sec mode: %d", btm_cb.security_mode);
2731 }
2732
2733 /*******************************************************************************
2734 *
2735 * Function btm_sec_abort_access_req
2736 *
2737 * Description This function is called by the L2CAP or RFCOMM to abort
2738 * the pending operation.
2739 *
2740 * Parameters: bd_addr - Address of the peer device
2741 *
2742 * Returns void
2743 *
2744 ******************************************************************************/
btm_sec_abort_access_req(const RawAddress & bd_addr)2745 void btm_sec_abort_access_req(const RawAddress& bd_addr) {
2746 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
2747
2748 if (!p_dev_rec) return;
2749
2750 if ((p_dev_rec->sec_state != BTM_SEC_STATE_AUTHORIZING) &&
2751 (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING))
2752 return;
2753
2754 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
2755
2756 BTM_TRACE_DEBUG("%s: clearing callback. p_dev_rec=%p, p_callback=%p",
2757 __func__, p_dev_rec, p_dev_rec->p_callback);
2758 p_dev_rec->p_callback = NULL;
2759 }
2760
2761 /*******************************************************************************
2762 *
2763 * Function btm_sec_dd_create_conn
2764 *
2765 * Description This function is called to create the ACL connection for
2766 * the dedicated boding process
2767 *
2768 * Returns void
2769 *
2770 ******************************************************************************/
btm_sec_dd_create_conn(tBTM_SEC_DEV_REC * p_dev_rec)2771 static tBTM_STATUS btm_sec_dd_create_conn(tBTM_SEC_DEV_REC* p_dev_rec) {
2772 tL2C_LCB* p_lcb =
2773 l2cu_find_lcb_by_bd_addr(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR);
2774 if (p_lcb && (p_lcb->link_state == LST_CONNECTED ||
2775 p_lcb->link_state == LST_CONNECTING)) {
2776 BTM_TRACE_WARNING("%s Connection already exists", __func__);
2777 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_PIN_REQ);
2778 return BTM_CMD_STARTED;
2779 }
2780
2781 /* Make sure an L2cap link control block is available */
2782 if (!p_lcb && (p_lcb = l2cu_allocate_lcb(p_dev_rec->bd_addr, true,
2783 BT_TRANSPORT_BR_EDR)) == NULL) {
2784 LOG(WARNING) << "Security Manager: failed allocate LCB "
2785 << p_dev_rec->bd_addr;
2786
2787 return (BTM_NO_RESOURCES);
2788 }
2789
2790 /* set up the control block to indicated dedicated bonding */
2791 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_DISC_WHEN_DONE;
2792
2793 if (!l2cu_create_conn(p_lcb, BT_TRANSPORT_BR_EDR)) {
2794 LOG(WARNING) << "Security Manager: failed create allocate LCB "
2795 << p_dev_rec->bd_addr;
2796
2797 l2cu_release_lcb(p_lcb);
2798 return (BTM_NO_RESOURCES);
2799 }
2800
2801 btm_acl_update_busy_level(BTM_BLI_PAGE_EVT);
2802
2803 VLOG(1) << "Security Manager: " << p_dev_rec->bd_addr;
2804
2805 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_PIN_REQ);
2806
2807 return (BTM_CMD_STARTED);
2808 }
2809
is_state_getting_name(void * data,void * context)2810 bool is_state_getting_name(void* data, void* context) {
2811 tBTM_SEC_DEV_REC* p_dev_rec = static_cast<tBTM_SEC_DEV_REC*>(data);
2812
2813 if (p_dev_rec->sec_state == BTM_SEC_STATE_GETTING_NAME) {
2814 return false;
2815 }
2816 return true;
2817 }
2818
2819 /*******************************************************************************
2820 *
2821 * Function btm_sec_rmt_name_request_complete
2822 *
2823 * Description This function is called when remote name was obtained from
2824 * the peer device
2825 *
2826 * Returns void
2827 *
2828 ******************************************************************************/
btm_sec_rmt_name_request_complete(const RawAddress * p_bd_addr,uint8_t * p_bd_name,uint8_t status)2829 void btm_sec_rmt_name_request_complete(const RawAddress* p_bd_addr,
2830 uint8_t* p_bd_name, uint8_t status) {
2831 tBTM_SEC_DEV_REC* p_dev_rec;
2832 int i;
2833 DEV_CLASS dev_class;
2834 uint8_t old_sec_state;
2835
2836 BTM_TRACE_EVENT("btm_sec_rmt_name_request_complete");
2837 if ((!p_bd_addr && !BTM_ACL_IS_CONNECTED(btm_cb.connecting_bda)) ||
2838 (p_bd_addr && !BTM_ACL_IS_CONNECTED(*p_bd_addr))) {
2839 btm_acl_resubmit_page();
2840 }
2841
2842 /* If remote name request failed, p_bd_addr is null and we need to search */
2843 /* based on state assuming that we are doing 1 at a time */
2844 if (p_bd_addr)
2845 p_dev_rec = btm_find_dev(*p_bd_addr);
2846 else {
2847 list_node_t* node =
2848 list_foreach(btm_cb.sec_dev_rec, is_state_getting_name, NULL);
2849 if (node != NULL) {
2850 p_dev_rec = static_cast<tBTM_SEC_DEV_REC*>(list_node(node));
2851 p_bd_addr = &p_dev_rec->bd_addr;
2852 } else {
2853 p_dev_rec = NULL;
2854 }
2855 }
2856
2857 /* Commenting out trace due to obf/compilation problems.
2858 */
2859 if (!p_bd_name) p_bd_name = (uint8_t*)"";
2860
2861 if (p_dev_rec) {
2862 BTM_TRACE_EVENT(
2863 "%s PairState: %s RemName: %s status: %d State:%d p_dev_rec: "
2864 "0x%08x ",
2865 __func__, btm_pair_state_descr(btm_cb.pairing_state), p_bd_name, status,
2866 p_dev_rec->sec_state, p_dev_rec);
2867 } else {
2868 BTM_TRACE_EVENT("%s PairState: %s RemName: %s status: %d", __func__,
2869 btm_pair_state_descr(btm_cb.pairing_state), p_bd_name,
2870 status);
2871 }
2872
2873 if (p_dev_rec) {
2874 old_sec_state = p_dev_rec->sec_state;
2875 if (status == HCI_SUCCESS) {
2876 strlcpy((char*)p_dev_rec->sec_bd_name, (char*)p_bd_name,
2877 BTM_MAX_REM_BD_NAME_LEN);
2878 p_dev_rec->sec_flags |= BTM_SEC_NAME_KNOWN;
2879 BTM_TRACE_EVENT("setting BTM_SEC_NAME_KNOWN sec_flags:0x%x",
2880 p_dev_rec->sec_flags);
2881 } else {
2882 /* Notify all clients waiting for name to be resolved even if it failed so
2883 * clients can continue */
2884 p_dev_rec->sec_bd_name[0] = 0;
2885 }
2886
2887 if (p_dev_rec->sec_state == BTM_SEC_STATE_GETTING_NAME)
2888 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
2889
2890 /* Notify all clients waiting for name to be resolved */
2891 for (i = 0; i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++) {
2892 if (btm_cb.p_rmt_name_callback[i] && p_bd_addr)
2893 (*btm_cb.p_rmt_name_callback[i])(*p_bd_addr, p_dev_rec->dev_class,
2894 p_dev_rec->sec_bd_name);
2895 }
2896 } else {
2897 dev_class[0] = 0;
2898 dev_class[1] = 0;
2899 dev_class[2] = 0;
2900
2901 /* Notify all clients waiting for name to be resolved even if not found so
2902 * clients can continue */
2903 for (i = 0; i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++) {
2904 if (btm_cb.p_rmt_name_callback[i] && p_bd_addr)
2905 (*btm_cb.p_rmt_name_callback[i])(*p_bd_addr, dev_class, (uint8_t*)"");
2906 }
2907
2908 return;
2909 }
2910
2911 /* If we were delaying asking UI for a PIN because name was not resolved, ask
2912 * now */
2913 if ((btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_LOCAL_PIN) && p_bd_addr &&
2914 (btm_cb.pairing_bda == *p_bd_addr)) {
2915 BTM_TRACE_EVENT(
2916 "%s() delayed pin now being requested flags:0x%x, "
2917 "(p_pin_callback=0x%p)",
2918 __func__, btm_cb.pairing_flags, btm_cb.api.p_pin_callback);
2919
2920 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PIN_REQD) == 0 &&
2921 btm_cb.api.p_pin_callback) {
2922 BTM_TRACE_EVENT("%s() calling pin_callback", __func__);
2923 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
2924 (*btm_cb.api.p_pin_callback)(
2925 p_dev_rec->bd_addr, p_dev_rec->dev_class, p_bd_name,
2926 (p_dev_rec->p_cur_service == NULL)
2927 ? false
2928 : (p_dev_rec->p_cur_service->security_flags &
2929 BTM_SEC_IN_MIN_16_DIGIT_PIN));
2930 }
2931
2932 /* Set the same state again to force the timer to be restarted */
2933 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_LOCAL_PIN);
2934 return;
2935 }
2936
2937 /* Check if we were delaying bonding because name was not resolved */
2938 if (btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME) {
2939 if (p_bd_addr && btm_cb.pairing_bda == *p_bd_addr) {
2940 BTM_TRACE_EVENT("%s() continue bonding sm4: 0x%04x, status:0x%x",
2941 __func__, p_dev_rec->sm4, status);
2942 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_CANCEL_DD) {
2943 btm_sec_bond_cancel_complete();
2944 return;
2945 }
2946
2947 if (status != HCI_SUCCESS) {
2948 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE);
2949
2950 if (btm_cb.api.p_auth_complete_callback)
2951 (*btm_cb.api.p_auth_complete_callback)(
2952 p_dev_rec->bd_addr, p_dev_rec->dev_class, p_dev_rec->sec_bd_name,
2953 status);
2954 return;
2955 }
2956
2957 /* if peer is very old legacy devices, HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT is
2958 * not reported */
2959 if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4)) {
2960 /* set the KNOWN flag only if BTM_PAIR_FLAGS_REJECTED_CONNECT is not
2961 * set.*/
2962 /* If it is set, there may be a race condition */
2963 BTM_TRACE_DEBUG("%s IS_SM4_UNKNOWN Flags:0x%04x", __func__,
2964 btm_cb.pairing_flags);
2965 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT) == 0)
2966 p_dev_rec->sm4 |= BTM_SM4_KNOWN;
2967 }
2968
2969 BTM_TRACE_DEBUG("%s, SM4 Value: %x, Legacy:%d,IS SM4:%d, Unknown:%d",
2970 __func__, p_dev_rec->sm4,
2971 BTM_SEC_IS_SM4_LEGACY(p_dev_rec->sm4),
2972 BTM_SEC_IS_SM4(p_dev_rec->sm4),
2973 BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4));
2974
2975 /* BT 2.1 or carkit, bring up the connection to force the peer to request
2976 *PIN.
2977 ** Else prefetch (btm_sec_check_prefetch_pin will do the prefetching if
2978 *needed)
2979 */
2980 if ((p_dev_rec->sm4 != BTM_SM4_KNOWN) ||
2981 !btm_sec_check_prefetch_pin(p_dev_rec)) {
2982 /* if we rejected incoming connection request, we have to wait
2983 * HCI_Connection_Complete event */
2984 /* before originating */
2985 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT) {
2986 BTM_TRACE_WARNING(
2987 "%s: waiting HCI_Connection_Complete after rejecting connection",
2988 __func__);
2989 }
2990 /* Both we and the peer are 2.1 - continue to create connection */
2991 else if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED) {
2992 BTM_TRACE_WARNING("%s: failed to start connection", __func__);
2993
2994 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE);
2995
2996 if (btm_cb.api.p_auth_complete_callback) {
2997 (*btm_cb.api.p_auth_complete_callback)(
2998 p_dev_rec->bd_addr, p_dev_rec->dev_class,
2999 p_dev_rec->sec_bd_name, HCI_ERR_MEMORY_FULL);
3000 }
3001 }
3002 }
3003 return;
3004 } else {
3005 BTM_TRACE_WARNING("%s: wrong BDA, retry with pairing BDA", __func__);
3006 if (BTM_ReadRemoteDeviceName(btm_cb.pairing_bda, NULL,
3007 BT_TRANSPORT_BR_EDR) != BTM_CMD_STARTED) {
3008 BTM_TRACE_ERROR("%s: failed to start remote name request", __func__);
3009 if (btm_cb.api.p_auth_complete_callback) {
3010 (*btm_cb.api.p_auth_complete_callback)(
3011 p_dev_rec->bd_addr, p_dev_rec->dev_class, p_dev_rec->sec_bd_name,
3012 HCI_ERR_MEMORY_FULL);
3013 }
3014 };
3015 return;
3016 }
3017 }
3018
3019 /* check if we were delaying link_key_callback because name was not resolved
3020 */
3021 if (p_dev_rec->link_key_not_sent) {
3022 /* If HCI connection complete has not arrived, wait for it */
3023 if (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE) return;
3024
3025 p_dev_rec->link_key_not_sent = false;
3026 btm_send_link_key_notif(p_dev_rec);
3027
3028 /* If its not us who perform authentication, we should tell stackserver */
3029 /* that some authentication has been completed */
3030 /* This is required when different entities receive link notification and
3031 * auth complete */
3032 if (!(p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE)) {
3033 if (btm_cb.api.p_auth_complete_callback)
3034 (*btm_cb.api.p_auth_complete_callback)(
3035 p_dev_rec->bd_addr, p_dev_rec->dev_class, p_dev_rec->sec_bd_name,
3036 HCI_SUCCESS);
3037 }
3038 }
3039
3040 /* If this is a bonding procedure can disconnect the link now */
3041 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) &&
3042 (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)) {
3043 BTM_TRACE_WARNING("btm_sec_rmt_name_request_complete (none/ce)");
3044 p_dev_rec->security_required &= ~(BTM_SEC_OUT_AUTHENTICATE);
3045 l2cu_start_post_bond_timer(p_dev_rec->hci_handle);
3046 return;
3047 }
3048
3049 if (old_sec_state != BTM_SEC_STATE_GETTING_NAME) return;
3050
3051 /* If get name failed, notify the waiting layer */
3052 if (status != HCI_SUCCESS) {
3053 btm_sec_dev_rec_cback_event(p_dev_rec, BTM_ERR_PROCESSING, false);
3054 return;
3055 }
3056
3057 if (p_dev_rec->sm4 & BTM_SM4_REQ_PEND) {
3058 BTM_TRACE_EVENT("waiting for remote features!!");
3059 return;
3060 }
3061
3062 /* Remote Name succeeded, execute the next security procedure, if any */
3063 status = (uint8_t)btm_sec_execute_procedure(p_dev_rec);
3064
3065 /* If result is pending reply from the user or from the device is pending */
3066 if (status == BTM_CMD_STARTED) return;
3067
3068 /* There is no next procedure or start of procedure failed, notify the waiting
3069 * layer */
3070 btm_sec_dev_rec_cback_event(p_dev_rec, status, false);
3071 }
3072
3073 /*******************************************************************************
3074 *
3075 * Function btm_sec_rmt_host_support_feat_evt
3076 *
3077 * Description This function is called when the
3078 * HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT is received
3079 *
3080 * Returns void
3081 *
3082 ******************************************************************************/
btm_sec_rmt_host_support_feat_evt(uint8_t * p)3083 void btm_sec_rmt_host_support_feat_evt(uint8_t* p) {
3084 tBTM_SEC_DEV_REC* p_dev_rec;
3085 RawAddress bd_addr; /* peer address */
3086 BD_FEATURES features;
3087
3088 STREAM_TO_BDADDR(bd_addr, p);
3089 p_dev_rec = btm_find_or_alloc_dev(bd_addr);
3090
3091 BTM_TRACE_EVENT("btm_sec_rmt_host_support_feat_evt sm4: 0x%x p[0]: 0x%x",
3092 p_dev_rec->sm4, p[0]);
3093
3094 if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4)) {
3095 p_dev_rec->sm4 = BTM_SM4_KNOWN;
3096 STREAM_TO_ARRAY(features, p, HCI_FEATURE_BYTES_PER_PAGE);
3097 if (HCI_SSP_HOST_SUPPORTED(features)) {
3098 p_dev_rec->sm4 = BTM_SM4_TRUE;
3099 }
3100 BTM_TRACE_EVENT(
3101 "btm_sec_rmt_host_support_feat_evt sm4: 0x%x features[0]: 0x%x",
3102 p_dev_rec->sm4, features[0]);
3103 }
3104 }
3105
3106 /*******************************************************************************
3107 *
3108 * Function btm_io_capabilities_req
3109 *
3110 * Description This function is called when LM request for the IO
3111 * capability of the local device and
3112 * if the OOB data is present for the device in the event
3113 *
3114 * Returns void
3115 *
3116 ******************************************************************************/
btm_io_capabilities_req(const RawAddress & p)3117 void btm_io_capabilities_req(const RawAddress& p) {
3118 tBTM_SP_IO_REQ evt_data;
3119 uint8_t err_code = 0;
3120 tBTM_SEC_DEV_REC* p_dev_rec;
3121 bool is_orig = true;
3122 uint8_t callback_rc = BTM_SUCCESS;
3123
3124 evt_data.bd_addr = p;
3125
3126 /* setup the default response according to compile options */
3127 /* assume that the local IO capability does not change
3128 * loc_io_caps is initialized with the default value */
3129 evt_data.io_cap = btm_cb.devcb.loc_io_caps;
3130 evt_data.oob_data = BTM_OOB_NONE;
3131 evt_data.auth_req = BTM_DEFAULT_AUTH_REQ;
3132
3133 BTM_TRACE_EVENT("%s: State: %s", __func__,
3134 btm_pair_state_descr(btm_cb.pairing_state));
3135
3136 p_dev_rec = btm_find_or_alloc_dev(evt_data.bd_addr);
3137
3138 BTM_TRACE_DEBUG("%s:Security mode: %d, Num Read Remote Feat pages: %d",
3139 __func__, btm_cb.security_mode, p_dev_rec->num_read_pages);
3140
3141 if ((btm_cb.security_mode == BTM_SEC_MODE_SC) &&
3142 (p_dev_rec->num_read_pages == 0)) {
3143 BTM_TRACE_EVENT("%s: Device security mode is SC only.",
3144 "To continue need to know remote features.", __func__);
3145
3146 p_dev_rec->remote_features_needed = true;
3147 return;
3148 }
3149
3150 p_dev_rec->sm4 |= BTM_SM4_TRUE;
3151
3152 BTM_TRACE_EVENT("%s: State: %s Flags: 0x%04x p_cur_service: 0x%08x",
3153 __func__, btm_pair_state_descr(btm_cb.pairing_state),
3154 btm_cb.pairing_flags, p_dev_rec->p_cur_service);
3155
3156 if (p_dev_rec->p_cur_service) {
3157 BTM_TRACE_EVENT("%s: cur_service psm: 0x%04x, security_flags: 0x%04x",
3158 __func__, p_dev_rec->p_cur_service->psm,
3159 p_dev_rec->p_cur_service->security_flags);
3160 }
3161
3162 switch (btm_cb.pairing_state) {
3163 /* initiator connecting */
3164 case BTM_PAIR_STATE_IDLE:
3165 // TODO: Handle Idle pairing state
3166 // security_required = p_dev_rec->security_required;
3167 break;
3168
3169 /* received IO capability response already->acceptor */
3170 case BTM_PAIR_STATE_INCOMING_SSP:
3171 is_orig = false;
3172
3173 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_PEER_STARTED_DD) {
3174 /* acceptor in dedicated bonding */
3175 evt_data.auth_req = BTM_DEFAULT_DD_AUTH_REQ;
3176 }
3177 break;
3178
3179 /* initiator, at this point it is expected to be dedicated bonding
3180 initiated by local device */
3181 case BTM_PAIR_STATE_WAIT_PIN_REQ:
3182 if (evt_data.bd_addr == btm_cb.pairing_bda) {
3183 evt_data.auth_req = BTM_DEFAULT_DD_AUTH_REQ;
3184 } else {
3185 err_code = HCI_ERR_HOST_BUSY_PAIRING;
3186 }
3187 break;
3188
3189 /* any other state is unexpected */
3190 default:
3191 err_code = HCI_ERR_HOST_BUSY_PAIRING;
3192 BTM_TRACE_ERROR("%s: Unexpected Pairing state received %d", __func__,
3193 btm_cb.pairing_state);
3194 break;
3195 }
3196
3197 if (btm_cb.pairing_disabled) {
3198 /* pairing is not allowed */
3199 BTM_TRACE_DEBUG("%s: Pairing is not allowed -> fail pairing.", __func__);
3200 err_code = HCI_ERR_PAIRING_NOT_ALLOWED;
3201 } else if (btm_cb.security_mode == BTM_SEC_MODE_SC) {
3202 bool local_supports_sc =
3203 controller_get_interface()->supports_secure_connections();
3204 /* device in Secure Connections Only mode */
3205 if (!(local_supports_sc) ||
3206 !(p_dev_rec->remote_supports_secure_connections)) {
3207 BTM_TRACE_DEBUG("%s: SC only service, local_support_for_sc %d,",
3208 " remote_support_for_sc 0x%02x -> fail pairing", __func__,
3209 local_supports_sc,
3210 p_dev_rec->remote_supports_secure_connections);
3211
3212 err_code = HCI_ERR_PAIRING_NOT_ALLOWED;
3213 }
3214 }
3215
3216 if (err_code != 0) {
3217 btsnd_hcic_io_cap_req_neg_reply(evt_data.bd_addr, err_code);
3218 return;
3219 }
3220
3221 evt_data.is_orig = is_orig;
3222
3223 if (is_orig) {
3224 /* local device initiated the pairing non-bonding -> use p_cur_service */
3225 if (!(btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) &&
3226 p_dev_rec->p_cur_service &&
3227 (p_dev_rec->p_cur_service->security_flags & BTM_SEC_OUT_AUTHENTICATE)) {
3228 if (btm_cb.security_mode == BTM_SEC_MODE_SC) {
3229 /* SC only mode device requires MITM protection */
3230 evt_data.auth_req = BTM_AUTH_SP_YES;
3231 } else {
3232 evt_data.auth_req =
3233 (p_dev_rec->p_cur_service->security_flags & BTM_SEC_OUT_MITM)
3234 ? BTM_AUTH_SP_YES
3235 : BTM_AUTH_SP_NO;
3236 }
3237 }
3238 }
3239
3240 /* Notify L2CAP to increase timeout */
3241 l2c_pin_code_request(evt_data.bd_addr);
3242
3243 btm_cb.pairing_bda = evt_data.bd_addr;
3244
3245 if (evt_data.bd_addr == btm_cb.connecting_bda)
3246 memcpy(p_dev_rec->dev_class, btm_cb.connecting_dc, DEV_CLASS_LEN);
3247
3248 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS);
3249
3250 callback_rc = BTM_SUCCESS;
3251 if (p_dev_rec->sm4 & BTM_SM4_UPGRADE) {
3252 p_dev_rec->sm4 &= ~BTM_SM4_UPGRADE;
3253
3254 /* link key upgrade: always use SPGB_YES - assuming we want to save the link
3255 * key */
3256 evt_data.auth_req = BTM_AUTH_SPGB_YES;
3257 } else if (btm_cb.api.p_sp_callback) {
3258 /* the callback function implementation may change the IO capability... */
3259 callback_rc = (*btm_cb.api.p_sp_callback)(BTM_SP_IO_REQ_EVT,
3260 (tBTM_SP_EVT_DATA*)&evt_data);
3261 }
3262
3263 if ((callback_rc == BTM_SUCCESS) || (BTM_OOB_UNKNOWN != evt_data.oob_data)) {
3264 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)) {
3265 evt_data.auth_req =
3266 (BTM_AUTH_DD_BOND | (evt_data.auth_req & BTM_AUTH_YN_BIT));
3267 }
3268
3269 if (btm_cb.security_mode == BTM_SEC_MODE_SC) {
3270 /* At this moment we know that both sides are SC capable, device in */
3271 /* SC only mode requires MITM for any service so let's set MITM bit */
3272 evt_data.auth_req |= BTM_AUTH_YN_BIT;
3273 BTM_TRACE_DEBUG(
3274 "%s: for device in \"SC only\" mode set auth_req to 0x%02x", __func__,
3275 evt_data.auth_req);
3276 }
3277
3278 /* if the user does not indicate "reply later" by setting the oob_data to
3279 * unknown */
3280 /* send the response right now. Save the current IO capability in the
3281 * control block */
3282 btm_cb.devcb.loc_auth_req = evt_data.auth_req;
3283 btm_cb.devcb.loc_io_caps = evt_data.io_cap;
3284
3285 BTM_TRACE_EVENT("%s: State: %s IO_CAP:%d oob_data:%d auth_req:%d",
3286 __func__, btm_pair_state_descr(btm_cb.pairing_state),
3287 evt_data.io_cap, evt_data.oob_data, evt_data.auth_req);
3288
3289 btsnd_hcic_io_cap_req_reply(evt_data.bd_addr, evt_data.io_cap,
3290 evt_data.oob_data, evt_data.auth_req);
3291 }
3292 }
3293
3294 /*******************************************************************************
3295 *
3296 * Function btm_io_capabilities_rsp
3297 *
3298 * Description This function is called when the IO capability of the
3299 * specified device is received
3300 *
3301 * Returns void
3302 *
3303 ******************************************************************************/
btm_io_capabilities_rsp(uint8_t * p)3304 void btm_io_capabilities_rsp(uint8_t* p) {
3305 tBTM_SEC_DEV_REC* p_dev_rec;
3306 tBTM_SP_IO_RSP evt_data;
3307
3308 STREAM_TO_BDADDR(evt_data.bd_addr, p);
3309 STREAM_TO_UINT8(evt_data.io_cap, p);
3310 STREAM_TO_UINT8(evt_data.oob_data, p);
3311 STREAM_TO_UINT8(evt_data.auth_req, p);
3312
3313 /* Allocate a new device record or reuse the oldest one */
3314 p_dev_rec = btm_find_or_alloc_dev(evt_data.bd_addr);
3315
3316 /* If no security is in progress, this indicates incoming security */
3317 if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE) {
3318 btm_cb.pairing_bda = evt_data.bd_addr;
3319
3320 btm_sec_change_pairing_state(BTM_PAIR_STATE_INCOMING_SSP);
3321
3322 /* Make sure we reset the trusted mask to help against attacks */
3323 BTM_SEC_CLR_TRUSTED_DEVICE(p_dev_rec->trusted_mask);
3324
3325 /* work around for FW bug */
3326 btm_inq_stop_on_ssp();
3327 }
3328
3329 /* Notify L2CAP to increase timeout */
3330 l2c_pin_code_request(evt_data.bd_addr);
3331
3332 /* We must have a device record here.
3333 * Use the connecting device's CoD for the connection */
3334 if (evt_data.bd_addr == btm_cb.connecting_bda)
3335 memcpy(p_dev_rec->dev_class, btm_cb.connecting_dc, DEV_CLASS_LEN);
3336
3337 /* peer sets dedicated bonding bit and we did not initiate dedicated bonding
3338 */
3339 if (btm_cb.pairing_state ==
3340 BTM_PAIR_STATE_INCOMING_SSP /* peer initiated bonding */
3341 && (evt_data.auth_req &
3342 BTM_AUTH_DD_BOND)) /* and dedicated bonding bit is set */
3343 {
3344 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PEER_STARTED_DD;
3345 }
3346
3347 /* save the IO capability in the device record */
3348 p_dev_rec->rmt_io_caps = evt_data.io_cap;
3349 p_dev_rec->rmt_auth_req = evt_data.auth_req;
3350
3351 if (btm_cb.api.p_sp_callback)
3352 (*btm_cb.api.p_sp_callback)(BTM_SP_IO_RSP_EVT,
3353 (tBTM_SP_EVT_DATA*)&evt_data);
3354 }
3355
3356 /*******************************************************************************
3357 *
3358 * Function btm_proc_sp_req_evt
3359 *
3360 * Description This function is called to process/report
3361 * HCI_USER_CONFIRMATION_REQUEST_EVT
3362 * or HCI_USER_PASSKEY_REQUEST_EVT
3363 * or HCI_USER_PASSKEY_NOTIFY_EVT
3364 *
3365 * Returns void
3366 *
3367 ******************************************************************************/
btm_proc_sp_req_evt(tBTM_SP_EVT event,uint8_t * p)3368 void btm_proc_sp_req_evt(tBTM_SP_EVT event, uint8_t* p) {
3369 tBTM_STATUS status = BTM_ERR_PROCESSING;
3370 tBTM_SP_EVT_DATA evt_data;
3371 RawAddress& p_bda = evt_data.cfm_req.bd_addr;
3372 tBTM_SEC_DEV_REC* p_dev_rec;
3373
3374 /* All events start with bd_addr */
3375 STREAM_TO_BDADDR(p_bda, p);
3376
3377 VLOG(2) << " BDA: " << p_bda << " event: 0x" << std::hex << +event
3378 << " State: " << btm_pair_state_descr(btm_cb.pairing_state);
3379
3380 p_dev_rec = btm_find_dev(p_bda);
3381 if ((p_dev_rec != NULL) && (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) &&
3382 (btm_cb.pairing_bda == p_bda)) {
3383 evt_data.cfm_req.bd_addr = p_dev_rec->bd_addr;
3384 memcpy(evt_data.cfm_req.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN);
3385
3386 strlcpy((char*)evt_data.cfm_req.bd_name, (char*)p_dev_rec->sec_bd_name,
3387 BTM_MAX_REM_BD_NAME_LEN);
3388
3389 switch (event) {
3390 case BTM_SP_CFM_REQ_EVT:
3391 /* Numeric confirmation. Need user to conf the passkey */
3392 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM);
3393
3394 /* The device record must be allocated in the "IO cap exchange" step */
3395 STREAM_TO_UINT32(evt_data.cfm_req.num_val, p);
3396 BTM_TRACE_DEBUG("BTM_SP_CFM_REQ_EVT: num_val: %u",
3397 evt_data.cfm_req.num_val);
3398
3399 evt_data.cfm_req.just_works = true;
3400
3401 /* process user confirm req in association with the auth_req param */
3402 #if (BTM_LOCAL_IO_CAPS == BTM_IO_CAP_IO)
3403 if (p_dev_rec->rmt_io_caps == BTM_IO_CAP_UNKNOWN) {
3404 BTM_TRACE_ERROR(
3405 "%s did not receive IO cap response prior"
3406 " to BTM_SP_CFM_REQ_EVT, failing pairing request",
3407 __func__);
3408 status = BTM_WRONG_MODE;
3409 BTM_ConfirmReqReply(status, p_bda);
3410 return;
3411 }
3412 if ((p_dev_rec->rmt_io_caps == BTM_IO_CAP_IO) &&
3413 (btm_cb.devcb.loc_io_caps == BTM_IO_CAP_IO) &&
3414 ((p_dev_rec->rmt_auth_req & BTM_AUTH_SP_YES) ||
3415 (btm_cb.devcb.loc_auth_req & BTM_AUTH_SP_YES))) {
3416 /* Both devices are DisplayYesNo and one or both devices want to
3417 authenticate -> use authenticated link key */
3418 evt_data.cfm_req.just_works = false;
3419 }
3420 #endif
3421 BTM_TRACE_DEBUG(
3422 "btm_proc_sp_req_evt() just_works:%d, io loc:%d, rmt:%d, auth "
3423 "loc:%d, rmt:%d",
3424 evt_data.cfm_req.just_works, btm_cb.devcb.loc_io_caps,
3425 p_dev_rec->rmt_io_caps, btm_cb.devcb.loc_auth_req,
3426 p_dev_rec->rmt_auth_req);
3427
3428 evt_data.cfm_req.loc_auth_req = btm_cb.devcb.loc_auth_req;
3429 evt_data.cfm_req.rmt_auth_req = p_dev_rec->rmt_auth_req;
3430 evt_data.cfm_req.loc_io_caps = btm_cb.devcb.loc_io_caps;
3431 evt_data.cfm_req.rmt_io_caps = p_dev_rec->rmt_io_caps;
3432 break;
3433
3434 case BTM_SP_KEY_NOTIF_EVT:
3435 /* Passkey notification (other side is a keyboard) */
3436 STREAM_TO_UINT32(evt_data.key_notif.passkey, p);
3437 BTM_TRACE_DEBUG("BTM_SP_KEY_NOTIF_EVT: passkey: %u",
3438 evt_data.key_notif.passkey);
3439
3440 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
3441 break;
3442
3443 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
3444 case BTM_SP_KEY_REQ_EVT:
3445 /* HCI_USER_PASSKEY_REQUEST_EVT */
3446 btm_sec_change_pairing_state(BTM_PAIR_STATE_KEY_ENTRY);
3447 break;
3448 #endif
3449 }
3450
3451 if (btm_cb.api.p_sp_callback) {
3452 status = (*btm_cb.api.p_sp_callback)(event, &evt_data);
3453 if (status != BTM_NOT_AUTHORIZED) {
3454 return;
3455 }
3456 /* else BTM_NOT_AUTHORIZED means when the app wants to reject the req
3457 * right now */
3458 } else if ((event == BTM_SP_CFM_REQ_EVT) && (evt_data.cfm_req.just_works)) {
3459 /* automatically reply with just works if no sp_cback */
3460 status = BTM_SUCCESS;
3461 }
3462
3463 if (event == BTM_SP_CFM_REQ_EVT) {
3464 BTM_TRACE_DEBUG("calling BTM_ConfirmReqReply with status: %d", status);
3465 BTM_ConfirmReqReply(status, p_bda);
3466 }
3467 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
3468 else if (event == BTM_SP_KEY_REQ_EVT) {
3469 BTM_PasskeyReqReply(status, p_bda, 0);
3470 }
3471 #endif
3472 return;
3473 }
3474
3475 /* Something bad. we can only fail this connection */
3476 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
3477
3478 if (BTM_SP_CFM_REQ_EVT == event) {
3479 btsnd_hcic_user_conf_reply(p_bda, false);
3480 } else if (BTM_SP_KEY_NOTIF_EVT == event) {
3481 /* do nothing -> it very unlikely to happen.
3482 This event is most likely to be received by a HID host when it first
3483 connects to a HID device.
3484 Usually the Host initiated the connection in this case.
3485 On Mobile platforms, if there's a security process happening,
3486 the host probably can not initiate another connection.
3487 BTW (PC) is another story. */
3488 p_dev_rec = btm_find_dev(p_bda);
3489 if (p_dev_rec != NULL) {
3490 btm_sec_disconnect(p_dev_rec->hci_handle, HCI_ERR_AUTH_FAILURE);
3491 }
3492 }
3493 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
3494 else {
3495 btsnd_hcic_user_passkey_neg_reply(p_bda);
3496 }
3497 #endif
3498 }
3499
3500 /*******************************************************************************
3501 *
3502 * Function btm_keypress_notif_evt
3503 *
3504 * Description This function is called when a key press notification is
3505 * received
3506 *
3507 * Returns void
3508 *
3509 ******************************************************************************/
btm_keypress_notif_evt(uint8_t * p)3510 void btm_keypress_notif_evt(uint8_t* p) {
3511 tBTM_SP_KEYPRESS evt_data;
3512
3513 /* parse & report BTM_SP_KEYPRESS_EVT */
3514 if (btm_cb.api.p_sp_callback) {
3515 RawAddress& p_bda = evt_data.bd_addr;
3516
3517 STREAM_TO_BDADDR(p_bda, p);
3518 evt_data.notif_type = *p;
3519
3520 (*btm_cb.api.p_sp_callback)(BTM_SP_KEYPRESS_EVT,
3521 (tBTM_SP_EVT_DATA*)&evt_data);
3522 }
3523 }
3524
3525 /*******************************************************************************
3526 *
3527 * Function btm_simple_pair_complete
3528 *
3529 * Description This function is called when simple pairing process is
3530 * complete
3531 *
3532 * Returns void
3533 *
3534 ******************************************************************************/
btm_simple_pair_complete(uint8_t * p)3535 void btm_simple_pair_complete(uint8_t* p) {
3536 tBTM_SP_COMPLT evt_data;
3537 tBTM_SEC_DEV_REC* p_dev_rec;
3538 uint8_t status;
3539 bool disc = false;
3540
3541 status = *p++;
3542 STREAM_TO_BDADDR(evt_data.bd_addr, p);
3543
3544 p_dev_rec = btm_find_dev(evt_data.bd_addr);
3545 if (p_dev_rec == NULL) {
3546 LOG(ERROR) << __func__ << " with unknown BDA: " << evt_data.bd_addr;
3547 return;
3548 }
3549
3550 BTM_TRACE_EVENT(
3551 "btm_simple_pair_complete() Pair State: %s Status:%d sec_state: %u",
3552 btm_pair_state_descr(btm_cb.pairing_state), status, p_dev_rec->sec_state);
3553
3554 evt_data.status = BTM_ERR_PROCESSING;
3555 if (status == HCI_SUCCESS) {
3556 evt_data.status = BTM_SUCCESS;
3557 p_dev_rec->sec_flags |= BTM_SEC_AUTHENTICATED;
3558 } else {
3559 if (status == HCI_ERR_PAIRING_NOT_ALLOWED) {
3560 /* The test spec wants the peer device to get this failure code. */
3561 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_DISCONNECT);
3562
3563 /* Change the timer to 1 second */
3564 alarm_set_on_mloop(btm_cb.pairing_timer, BT_1SEC_TIMEOUT_MS,
3565 btm_sec_pairing_timeout, NULL);
3566 } else if (btm_cb.pairing_bda == evt_data.bd_addr) {
3567 /* stop the timer */
3568 alarm_cancel(btm_cb.pairing_timer);
3569
3570 if (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING) {
3571 /* the initiating side: will receive auth complete event. disconnect ACL
3572 * at that time */
3573 disc = true;
3574 }
3575 } else
3576 disc = true;
3577 }
3578
3579 /* Let the pairing state stay active, p_auth_complete_callback will report the
3580 * failure */
3581 evt_data.bd_addr = p_dev_rec->bd_addr;
3582 memcpy(evt_data.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN);
3583
3584 if (btm_cb.api.p_sp_callback)
3585 (*btm_cb.api.p_sp_callback)(BTM_SP_COMPLT_EVT,
3586 (tBTM_SP_EVT_DATA*)&evt_data);
3587
3588 if (disc) {
3589 /* simple pairing failed */
3590 /* Avoid sending disconnect on HCI_ERR_PEER_USER */
3591 if ((status != HCI_ERR_PEER_USER) &&
3592 (status != HCI_ERR_CONN_CAUSE_LOCAL_HOST)) {
3593 btm_sec_send_hci_disconnect(p_dev_rec, HCI_ERR_AUTH_FAILURE,
3594 p_dev_rec->hci_handle);
3595 }
3596 }
3597 }
3598
3599 /*******************************************************************************
3600 *
3601 * Function btm_rem_oob_req
3602 *
3603 * Description This function is called to process/report
3604 * HCI_REMOTE_OOB_DATA_REQUEST_EVT
3605 *
3606 * Returns void
3607 *
3608 ******************************************************************************/
btm_rem_oob_req(uint8_t * p)3609 void btm_rem_oob_req(uint8_t* p) {
3610 tBTM_SP_RMT_OOB evt_data;
3611 tBTM_SEC_DEV_REC* p_dev_rec;
3612 BT_OCTET16 c;
3613 BT_OCTET16 r;
3614
3615 RawAddress& p_bda = evt_data.bd_addr;
3616
3617 STREAM_TO_BDADDR(p_bda, p);
3618
3619 VLOG(2) << __func__ << " BDA: " << p_bda;
3620 p_dev_rec = btm_find_dev(p_bda);
3621 if ((p_dev_rec != NULL) && btm_cb.api.p_sp_callback) {
3622 evt_data.bd_addr = p_dev_rec->bd_addr;
3623 memcpy(evt_data.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN);
3624 strlcpy((char*)evt_data.bd_name, (char*)p_dev_rec->sec_bd_name,
3625 BTM_MAX_REM_BD_NAME_LEN);
3626
3627 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP);
3628 if ((*btm_cb.api.p_sp_callback)(BTM_SP_RMT_OOB_EVT,
3629 (tBTM_SP_EVT_DATA*)&evt_data) ==
3630 BTM_NOT_AUTHORIZED) {
3631 BTM_RemoteOobDataReply(true, p_bda, c, r);
3632 }
3633 return;
3634 }
3635
3636 /* something bad. we can only fail this connection */
3637 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
3638 btsnd_hcic_rem_oob_neg_reply(p_bda);
3639 }
3640
3641 /*******************************************************************************
3642 *
3643 * Function btm_read_local_oob_complete
3644 *
3645 * Description This function is called when read local oob data is
3646 * completed by the LM
3647 *
3648 * Returns void
3649 *
3650 ******************************************************************************/
btm_read_local_oob_complete(uint8_t * p)3651 void btm_read_local_oob_complete(uint8_t* p) {
3652 tBTM_SP_LOC_OOB evt_data;
3653 uint8_t status = *p++;
3654
3655 BTM_TRACE_EVENT("btm_read_local_oob_complete:%d", status);
3656 if (status == HCI_SUCCESS) {
3657 evt_data.status = BTM_SUCCESS;
3658 STREAM_TO_ARRAY16(evt_data.c, p);
3659 STREAM_TO_ARRAY16(evt_data.r, p);
3660 } else
3661 evt_data.status = BTM_ERR_PROCESSING;
3662
3663 if (btm_cb.api.p_sp_callback) {
3664 tBTM_SP_EVT_DATA btm_sp_evt_data;
3665 btm_sp_evt_data.loc_oob = evt_data;
3666 (*btm_cb.api.p_sp_callback)(BTM_SP_LOC_OOB_EVT, &btm_sp_evt_data);
3667 }
3668 }
3669
3670 /*******************************************************************************
3671 *
3672 * Function btm_sec_auth_collision
3673 *
3674 * Description This function is called when authentication or encryption
3675 * needs to be retried at a later time.
3676 *
3677 * Returns void
3678 *
3679 ******************************************************************************/
btm_sec_auth_collision(uint16_t handle)3680 static void btm_sec_auth_collision(uint16_t handle) {
3681 tBTM_SEC_DEV_REC* p_dev_rec;
3682
3683 if (!btm_cb.collision_start_time)
3684 btm_cb.collision_start_time = time_get_os_boottime_ms();
3685
3686 if ((time_get_os_boottime_ms() - btm_cb.collision_start_time) <
3687 btm_cb.max_collision_delay) {
3688 if (handle == BTM_SEC_INVALID_HANDLE) {
3689 p_dev_rec = btm_sec_find_dev_by_sec_state(BTM_SEC_STATE_AUTHENTICATING);
3690 if (p_dev_rec == NULL)
3691 p_dev_rec = btm_sec_find_dev_by_sec_state(BTM_SEC_STATE_ENCRYPTING);
3692 } else
3693 p_dev_rec = btm_find_dev_by_handle(handle);
3694
3695 if (p_dev_rec != NULL) {
3696 BTM_TRACE_DEBUG(
3697 "btm_sec_auth_collision: state %d (retrying in a moment...)",
3698 p_dev_rec->sec_state);
3699 /* We will restart authentication after timeout */
3700 if (p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING ||
3701 p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING)
3702 p_dev_rec->sec_state = 0;
3703
3704 btm_cb.p_collided_dev_rec = p_dev_rec;
3705 alarm_set_on_mloop(btm_cb.sec_collision_timer, BT_1SEC_TIMEOUT_MS,
3706 btm_sec_collision_timeout, NULL);
3707 }
3708 }
3709 }
3710
3711 /******************************************************************************
3712 *
3713 * Function btm_sec_auth_retry
3714 *
3715 * Description This function is called when authentication or encryption
3716 * needs to be retried at a later time.
3717 *
3718 * Returns TRUE if a security retry required
3719 *
3720 *****************************************************************************/
btm_sec_auth_retry(uint16_t handle,uint8_t status)3721 static bool btm_sec_auth_retry(uint16_t handle, uint8_t status) {
3722 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(handle);
3723 if (!p_dev_rec) return false;
3724
3725 /* keep the old sm4 flag and clear the retry bit in control block */
3726 uint8_t old_sm4 = p_dev_rec->sm4;
3727 p_dev_rec->sm4 &= ~BTM_SM4_RETRY;
3728
3729 if ((btm_cb.pairing_state == BTM_PAIR_STATE_IDLE) &&
3730 ((old_sm4 & BTM_SM4_RETRY) == 0) && (HCI_ERR_KEY_MISSING == status) &&
3731 BTM_SEC_IS_SM4(p_dev_rec->sm4)) {
3732 /* This retry for missing key is for Lisbon or later only.
3733 Legacy device do not need this. the controller will drive the retry
3734 automatically
3735 set the retry bit */
3736 btm_cb.collision_start_time = 0;
3737 btm_restore_mode();
3738 p_dev_rec->sm4 |= BTM_SM4_RETRY;
3739 p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_KNOWN;
3740 BTM_TRACE_DEBUG("%s Retry for missing key sm4:x%x sec_flags:0x%x", __func__,
3741 p_dev_rec->sm4, p_dev_rec->sec_flags);
3742
3743 /* With BRCM controller, we do not need to delete the stored link key in
3744 controller.
3745 If the stack may sit on top of other controller, we may need this
3746 BTM_DeleteStoredLinkKey (bd_addr, NULL); */
3747 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
3748 btm_sec_execute_procedure(p_dev_rec);
3749 return true;
3750 }
3751
3752 return false;
3753 }
3754
3755 /*******************************************************************************
3756 *
3757 * Function btm_sec_auth_complete
3758 *
3759 * Description This function is when authentication of the connection is
3760 * completed by the LM
3761 *
3762 * Returns void
3763 *
3764 ******************************************************************************/
btm_sec_auth_complete(uint16_t handle,uint8_t status)3765 void btm_sec_auth_complete(uint16_t handle, uint8_t status) {
3766 tBTM_PAIRING_STATE old_state = btm_cb.pairing_state;
3767 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(handle);
3768 bool are_bonding = false;
3769
3770 if (p_dev_rec) {
3771 VLOG(2) << __func__ << ": Security Manager: in state: "
3772 << btm_pair_state_descr(btm_cb.pairing_state)
3773 << " handle:" << handle << " status:" << status
3774 << "dev->sec_state:" << p_dev_rec->sec_state
3775 << " bda:" << p_dev_rec->bd_addr
3776 << "RName:" << p_dev_rec->sec_bd_name;
3777 } else {
3778 VLOG(2) << __func__ << ": Security Manager: in state: "
3779 << btm_pair_state_descr(btm_cb.pairing_state)
3780 << " handle:" << handle << " status:" << status;
3781 }
3782
3783 /* For transaction collision we need to wait and repeat. There is no need */
3784 /* for random timeout because only slave should receive the result */
3785 if ((status == HCI_ERR_LMP_ERR_TRANS_COLLISION) ||
3786 (status == HCI_ERR_DIFF_TRANSACTION_COLLISION)) {
3787 btm_sec_auth_collision(handle);
3788 return;
3789 } else if (btm_sec_auth_retry(handle, status)) {
3790 return;
3791 }
3792
3793 btm_cb.collision_start_time = 0;
3794
3795 btm_restore_mode();
3796
3797 /* Check if connection was made just to do bonding. If we authenticate
3798 the connection that is up, this is the last event received.
3799 */
3800 if (p_dev_rec && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) &&
3801 !(btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)) {
3802 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
3803
3804 l2cu_start_post_bond_timer(p_dev_rec->hci_handle);
3805 }
3806
3807 if (!p_dev_rec) return;
3808
3809 if ((btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) &&
3810 (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) &&
3811 (p_dev_rec->bd_addr == btm_cb.pairing_bda))
3812 are_bonding = true;
3813
3814 if ((btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) &&
3815 (p_dev_rec->bd_addr == btm_cb.pairing_bda))
3816 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE);
3817
3818 if (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING) {
3819 if ((btm_cb.api.p_auth_complete_callback && status != HCI_SUCCESS) &&
3820 (old_state != BTM_PAIR_STATE_IDLE)) {
3821 (*btm_cb.api.p_auth_complete_callback)(p_dev_rec->bd_addr,
3822 p_dev_rec->dev_class,
3823 p_dev_rec->sec_bd_name, status);
3824 }
3825 return;
3826 }
3827
3828 /* There can be a race condition, when we are starting authentication and
3829 ** the peer device is doing encryption.
3830 ** If first we receive encryption change up, then initiated authentication
3831 ** can not be performed. According to the spec we can not do authentication
3832 ** on the encrypted link, so device is correct.
3833 */
3834 if ((status == HCI_ERR_COMMAND_DISALLOWED) &&
3835 ((p_dev_rec->sec_flags & (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED)) ==
3836 (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED))) {
3837 status = HCI_SUCCESS;
3838 }
3839 /* Currently we do not notify user if it is a keyboard which connects */
3840 /* User probably Disabled the keyboard while it was asleap. Let her try */
3841 if (btm_cb.api.p_auth_complete_callback) {
3842 /* report the suthentication status */
3843 if ((old_state != BTM_PAIR_STATE_IDLE) || (status != HCI_SUCCESS))
3844 (*btm_cb.api.p_auth_complete_callback)(p_dev_rec->bd_addr,
3845 p_dev_rec->dev_class,
3846 p_dev_rec->sec_bd_name, status);
3847 }
3848
3849 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
3850
3851 /* If this is a bonding procedure can disconnect the link now */
3852 if (are_bonding) {
3853 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
3854
3855 if (status != HCI_SUCCESS) {
3856 if (((status != HCI_ERR_PEER_USER) &&
3857 (status != HCI_ERR_CONN_CAUSE_LOCAL_HOST)))
3858 btm_sec_send_hci_disconnect(p_dev_rec, HCI_ERR_PEER_USER,
3859 p_dev_rec->hci_handle);
3860 } else {
3861 BTM_TRACE_DEBUG("TRYING TO DECIDE IF CAN USE SMP_BR_CHNL");
3862 if (p_dev_rec->new_encryption_key_is_p256 &&
3863 (btm_sec_use_smp_br_chnl(p_dev_rec))
3864 /* no LE keys are available, do deriving */
3865 && (!(p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_KNOWN) ||
3866 /* or BR key is higher security than existing LE keys */
3867 (!(p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_AUTHED) &&
3868 (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED)))) {
3869 BTM_TRACE_DEBUG(
3870 "link encrypted afer dedic bonding can use SMP_BR_CHNL");
3871
3872 if (btm_sec_is_master(p_dev_rec)) {
3873 // Encryption is required to start SM over BR/EDR
3874 // indicate that this is encryption after authentication
3875 BTM_SetEncryption(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR, NULL, NULL,
3876 0);
3877 }
3878 }
3879 l2cu_start_post_bond_timer(p_dev_rec->hci_handle);
3880 }
3881
3882 return;
3883 }
3884
3885 /* If authentication failed, notify the waiting layer */
3886 if (status != HCI_SUCCESS) {
3887 btm_sec_dev_rec_cback_event(p_dev_rec, BTM_ERR_PROCESSING, false);
3888
3889 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE) {
3890 btm_sec_send_hci_disconnect(p_dev_rec, HCI_ERR_AUTH_FAILURE,
3891 p_dev_rec->hci_handle);
3892 }
3893 return;
3894 }
3895
3896 p_dev_rec->sec_flags |= BTM_SEC_AUTHENTICATED;
3897
3898 if (p_dev_rec->pin_code_length >= 16 ||
3899 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB ||
3900 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) {
3901 // If we have MITM protection we have a higher level of security than
3902 // provided by 16 digits PIN
3903 p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED;
3904 }
3905
3906 /* Authentication succeeded, execute the next security procedure, if any */
3907 status = btm_sec_execute_procedure(p_dev_rec);
3908
3909 /* If there is no next procedure, or procedure failed to start, notify the
3910 * caller */
3911 if (status != BTM_CMD_STARTED)
3912 btm_sec_dev_rec_cback_event(p_dev_rec, status, false);
3913 }
3914
3915 /*******************************************************************************
3916 *
3917 * Function btm_sec_encrypt_change
3918 *
3919 * Description This function is when encryption of the connection is
3920 * completed by the LM
3921 *
3922 * Returns void
3923 *
3924 ******************************************************************************/
btm_sec_encrypt_change(uint16_t handle,uint8_t status,uint8_t encr_enable)3925 void btm_sec_encrypt_change(uint16_t handle, uint8_t status,
3926 uint8_t encr_enable) {
3927 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(handle);
3928 tACL_CONN* p_acl = NULL;
3929 uint8_t acl_idx = btm_handle_to_acl_index(handle);
3930 BTM_TRACE_EVENT(
3931 "Security Manager: encrypt_change status:%d State:%d, encr_enable = %d",
3932 status, (p_dev_rec) ? p_dev_rec->sec_state : 0, encr_enable);
3933 BTM_TRACE_DEBUG("before update p_dev_rec->sec_flags=0x%x",
3934 (p_dev_rec) ? p_dev_rec->sec_flags : 0);
3935
3936 /* For transaction collision we need to wait and repeat. There is no need */
3937 /* for random timeout because only slave should receive the result */
3938 if ((status == HCI_ERR_LMP_ERR_TRANS_COLLISION) ||
3939 (status == HCI_ERR_DIFF_TRANSACTION_COLLISION)) {
3940 btm_sec_auth_collision(handle);
3941 return;
3942 }
3943 btm_cb.collision_start_time = 0;
3944
3945 if (!p_dev_rec) return;
3946
3947 if ((status == HCI_SUCCESS) && encr_enable) {
3948 if (p_dev_rec->hci_handle == handle) {
3949 p_dev_rec->sec_flags |= (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED);
3950 if (p_dev_rec->pin_code_length >= 16 ||
3951 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB ||
3952 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) {
3953 p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED;
3954 }
3955 } else {
3956 p_dev_rec->sec_flags |= (BTM_SEC_LE_AUTHENTICATED | BTM_SEC_LE_ENCRYPTED);
3957 }
3958 }
3959
3960 /* It is possible that we decrypted the link to perform role switch */
3961 /* mark link not to be encrypted, so that when we execute security next time
3962 * it will kick in again */
3963 if ((status == HCI_SUCCESS) && !encr_enable) {
3964 if (p_dev_rec->hci_handle == handle)
3965 p_dev_rec->sec_flags &= ~BTM_SEC_ENCRYPTED;
3966 else
3967 p_dev_rec->sec_flags &= ~BTM_SEC_LE_ENCRYPTED;
3968 }
3969
3970 BTM_TRACE_DEBUG("after update p_dev_rec->sec_flags=0x%x",
3971 p_dev_rec->sec_flags);
3972
3973 if (acl_idx != MAX_L2CAP_LINKS) p_acl = &btm_cb.acl_db[acl_idx];
3974
3975 if (p_acl != NULL)
3976 btm_sec_check_pending_enc_req(p_dev_rec, p_acl->transport, encr_enable);
3977
3978 if (p_acl && p_acl->transport == BT_TRANSPORT_LE) {
3979 if (status == HCI_ERR_KEY_MISSING || status == HCI_ERR_AUTH_FAILURE ||
3980 status == HCI_ERR_ENCRY_MODE_NOT_ACCEPTABLE) {
3981 p_dev_rec->sec_flags &= ~(BTM_SEC_LE_LINK_KEY_KNOWN);
3982 p_dev_rec->ble.key_type = BTM_LE_KEY_NONE;
3983 }
3984 btm_ble_link_encrypted(p_dev_rec->ble.pseudo_addr, encr_enable);
3985 return;
3986 } else {
3987 /* BR/EDR connection, update the encryption key size to be 16 as always */
3988 p_dev_rec->enc_key_size = 16;
3989 }
3990
3991 BTM_TRACE_DEBUG("in %s new_encr_key_256 is %d", __func__,
3992 p_dev_rec->new_encryption_key_is_p256);
3993
3994 if ((status == HCI_SUCCESS) && encr_enable &&
3995 (p_dev_rec->hci_handle == handle)) {
3996 /* if BR key is temporary no need for LE LTK derivation */
3997 bool derive_ltk = true;
3998 if (p_dev_rec->rmt_auth_req == BTM_AUTH_SP_NO &&
3999 btm_cb.devcb.loc_auth_req == BTM_AUTH_SP_NO) {
4000 derive_ltk = false;
4001 BTM_TRACE_DEBUG("%s: BR key is temporary, skip derivation of LE LTK",
4002 __func__);
4003 }
4004 if (p_dev_rec->new_encryption_key_is_p256) {
4005 if (btm_sec_use_smp_br_chnl(p_dev_rec) && btm_sec_is_master(p_dev_rec) &&
4006 /* if LE key is not known, do deriving */
4007 (!(p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_KNOWN) ||
4008 /* or BR key is higher security than existing LE keys */
4009 (!(p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_AUTHED) &&
4010 (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED))) &&
4011 derive_ltk) {
4012 /* BR/EDR is encrypted with LK that can be used to derive LE LTK */
4013 p_dev_rec->new_encryption_key_is_p256 = false;
4014
4015 if (p_dev_rec->no_smp_on_br) {
4016 BTM_TRACE_DEBUG("%s NO SM over BR/EDR", __func__);
4017 } else {
4018 BTM_TRACE_DEBUG("%s start SM over BR/EDR", __func__);
4019 SMP_BR_PairWith(p_dev_rec->bd_addr);
4020 }
4021 }
4022 } else {
4023 // BR/EDR is successfully encrypted. Correct LK type if needed
4024 // (BR/EDR LK derived from LE LTK was used for encryption)
4025 if ((encr_enable == 1) && /* encryption is ON for SSP */
4026 /* LK type is for BR/EDR SC */
4027 (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256 ||
4028 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256)) {
4029 if (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256)
4030 p_dev_rec->link_key_type = BTM_LKEY_TYPE_UNAUTH_COMB;
4031 else /* BTM_LKEY_TYPE_AUTH_COMB_P_256 */
4032 p_dev_rec->link_key_type = BTM_LKEY_TYPE_AUTH_COMB;
4033
4034 BTM_TRACE_DEBUG("updated link key type to %d",
4035 p_dev_rec->link_key_type);
4036 btm_send_link_key_notif(p_dev_rec);
4037 }
4038 }
4039 }
4040
4041 /* If this encryption was started by peer do not need to do anything */
4042 if (p_dev_rec->sec_state != BTM_SEC_STATE_ENCRYPTING) {
4043 if (BTM_SEC_STATE_DELAY_FOR_ENC == p_dev_rec->sec_state) {
4044 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
4045 BTM_TRACE_DEBUG("%s: clearing callback. p_dev_rec=%p, p_callback=%p",
4046 __func__, p_dev_rec, p_dev_rec->p_callback);
4047 p_dev_rec->p_callback = NULL;
4048 l2cu_resubmit_pending_sec_req(&p_dev_rec->bd_addr);
4049 }
4050 return;
4051 }
4052
4053 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
4054 /* If encryption setup failed, notify the waiting layer */
4055 if (status != HCI_SUCCESS) {
4056 btm_sec_dev_rec_cback_event(p_dev_rec, BTM_ERR_PROCESSING, false);
4057 return;
4058 }
4059
4060 /* Encryption setup succeeded, execute the next security procedure, if any */
4061 status = (uint8_t)btm_sec_execute_procedure(p_dev_rec);
4062 /* If there is no next procedure, or procedure failed to start, notify the
4063 * caller */
4064 if (status != BTM_CMD_STARTED)
4065 btm_sec_dev_rec_cback_event(p_dev_rec, status, false);
4066 }
4067
4068 /*******************************************************************************
4069 *
4070 * Function btm_sec_connect_after_reject_timeout
4071 *
4072 * Description Connection for bonding could not start because of the
4073 * collision. Initiate outgoing connection
4074 *
4075 * Returns Pointer to the TLE struct
4076 *
4077 ******************************************************************************/
btm_sec_connect_after_reject_timeout(UNUSED_ATTR void * data)4078 static void btm_sec_connect_after_reject_timeout(UNUSED_ATTR void* data) {
4079 tBTM_SEC_DEV_REC* p_dev_rec = btm_cb.p_collided_dev_rec;
4080
4081 BTM_TRACE_EVENT("%s", __func__);
4082 btm_cb.p_collided_dev_rec = 0;
4083
4084 if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED) {
4085 BTM_TRACE_WARNING("Security Manager: %s: failed to start connection",
4086 __func__);
4087
4088 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE);
4089
4090 if (btm_cb.api.p_auth_complete_callback)
4091 (*btm_cb.api.p_auth_complete_callback)(
4092 p_dev_rec->bd_addr, p_dev_rec->dev_class, p_dev_rec->sec_bd_name,
4093 HCI_ERR_MEMORY_FULL);
4094 }
4095 }
4096
4097 /*******************************************************************************
4098 *
4099 * Function btm_sec_connected
4100 *
4101 * Description This function is when a connection to the peer device is
4102 * established
4103 *
4104 * Returns void
4105 *
4106 ******************************************************************************/
btm_sec_connected(const RawAddress & bda,uint16_t handle,uint8_t status,uint8_t enc_mode)4107 void btm_sec_connected(const RawAddress& bda, uint16_t handle, uint8_t status,
4108 uint8_t enc_mode) {
4109 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bda);
4110 uint8_t res;
4111 bool is_pairing_device = false;
4112 tACL_CONN* p_acl_cb;
4113 uint8_t bit_shift = 0;
4114
4115 btm_acl_resubmit_page();
4116
4117 if (p_dev_rec) {
4118 VLOG(2) << __func__ << ": Security Manager: in state: "
4119 << btm_pair_state_descr(btm_cb.pairing_state)
4120 << " handle:" << handle << " status:" << loghex(status)
4121 << " enc_mode:" << loghex(enc_mode) << " bda:" << bda
4122 << " RName:" << p_dev_rec->sec_bd_name;
4123 } else {
4124 VLOG(2) << __func__ << ": Security Manager: in state: "
4125 << btm_pair_state_descr(btm_cb.pairing_state)
4126 << " handle:" << handle << " status:" << loghex(status)
4127 << " enc_mode:" << loghex(enc_mode) << " bda:" << bda;
4128 }
4129
4130 if (!p_dev_rec) {
4131 /* There is no device record for new connection. Allocate one */
4132 if (status == HCI_SUCCESS) {
4133 p_dev_rec = btm_sec_alloc_dev(bda);
4134 } else {
4135 /* If the device matches with stored paring address
4136 * reset the paring state to idle */
4137 if ((btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) &&
4138 btm_cb.pairing_bda == bda) {
4139 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE);
4140 }
4141
4142 /* can not find the device record and the status is error,
4143 * just ignore it */
4144 return;
4145 }
4146 } else /* Update the timestamp for this device */
4147 {
4148 bit_shift = (handle == p_dev_rec->ble_hci_handle) ? 8 : 0;
4149 p_dev_rec->timestamp = btm_cb.dev_rec_count++;
4150 if (p_dev_rec->sm4 & BTM_SM4_CONN_PEND) {
4151 /* tell L2CAP it's a bonding connection. */
4152 if ((btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) &&
4153 (btm_cb.pairing_bda == p_dev_rec->bd_addr) &&
4154 (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)) {
4155 /* if incoming connection failed while pairing, then try to connect and
4156 * continue */
4157 /* Motorola S9 disconnects without asking pin code */
4158 if ((status != HCI_SUCCESS) &&
4159 (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_PIN_REQ)) {
4160 BTM_TRACE_WARNING(
4161 "Security Manager: btm_sec_connected: incoming connection failed "
4162 "without asking PIN");
4163
4164 p_dev_rec->sm4 &= ~BTM_SM4_CONN_PEND;
4165 if (p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN) {
4166 /* Start timer with 0 to initiate connection with new LCB */
4167 /* because L2CAP will delete current LCB with this event */
4168 btm_cb.p_collided_dev_rec = p_dev_rec;
4169 alarm_set_on_mloop(btm_cb.sec_collision_timer, 0,
4170 btm_sec_connect_after_reject_timeout, NULL);
4171 } else {
4172 btm_sec_change_pairing_state(BTM_PAIR_STATE_GET_REM_NAME);
4173 if (BTM_ReadRemoteDeviceName(p_dev_rec->bd_addr, NULL,
4174 BT_TRANSPORT_BR_EDR) !=
4175 BTM_CMD_STARTED) {
4176 BTM_TRACE_ERROR("%s cannot read remote name", __func__);
4177 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE);
4178 }
4179 }
4180 #if (BTM_DISC_DURING_RS == TRUE)
4181 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */
4182 #endif
4183 return;
4184 } else {
4185 l2cu_update_lcb_4_bonding(p_dev_rec->bd_addr, true);
4186 }
4187 }
4188 /* always clear the pending flag */
4189 p_dev_rec->sm4 &= ~BTM_SM4_CONN_PEND;
4190 }
4191 }
4192
4193 p_dev_rec->device_type |= BT_DEVICE_TYPE_BREDR;
4194
4195 #if (BTM_DISC_DURING_RS == TRUE)
4196 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */
4197 #endif
4198
4199 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */
4200
4201 if ((btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) &&
4202 (btm_cb.pairing_bda == bda)) {
4203 /* if we rejected incoming connection from bonding device */
4204 if ((status == HCI_ERR_HOST_REJECT_DEVICE) &&
4205 (btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT)) {
4206 BTM_TRACE_WARNING(
4207 "Security Manager: btm_sec_connected: HCI_Conn_Comp Flags:0x%04x, "
4208 "sm4: 0x%x",
4209 btm_cb.pairing_flags, p_dev_rec->sm4);
4210
4211 btm_cb.pairing_flags &= ~BTM_PAIR_FLAGS_REJECTED_CONNECT;
4212 if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4)) {
4213 /* Try again: RNR when no ACL causes HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT */
4214 btm_sec_change_pairing_state(BTM_PAIR_STATE_GET_REM_NAME);
4215 if (BTM_ReadRemoteDeviceName(bda, NULL, BT_TRANSPORT_BR_EDR) !=
4216 BTM_CMD_STARTED) {
4217 BTM_TRACE_ERROR("%s cannot read remote name", __func__);
4218 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE);
4219 }
4220 return;
4221 }
4222
4223 /* if we already have pin code */
4224 if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_PIN) {
4225 /* Start timer with 0 to initiate connection with new LCB */
4226 /* because L2CAP will delete current LCB with this event */
4227 btm_cb.p_collided_dev_rec = p_dev_rec;
4228 alarm_set_on_mloop(btm_cb.sec_collision_timer, 0,
4229 btm_sec_connect_after_reject_timeout, NULL);
4230 }
4231
4232 return;
4233 }
4234 /* wait for incoming connection without resetting pairing state */
4235 else if (status == HCI_ERR_CONNECTION_EXISTS) {
4236 BTM_TRACE_WARNING(
4237 "Security Manager: btm_sec_connected: Wait for incoming connection");
4238 return;
4239 }
4240
4241 is_pairing_device = true;
4242 }
4243
4244 /* If connection was made to do bonding restore link security if changed */
4245 btm_restore_mode();
4246
4247 /* if connection fails during pin request, notify application */
4248 if (status != HCI_SUCCESS) {
4249 /* If connection failed because of during pairing, need to tell user */
4250 if (is_pairing_device) {
4251 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4252 p_dev_rec->sec_flags &=
4253 ~((BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED) << bit_shift);
4254 BTM_TRACE_DEBUG("security_required:%x ", p_dev_rec->security_required);
4255
4256 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE);
4257
4258 /* We need to notify host that the key is not known any more */
4259 if (btm_cb.api.p_auth_complete_callback) {
4260 (*btm_cb.api.p_auth_complete_callback)(p_dev_rec->bd_addr,
4261 p_dev_rec->dev_class,
4262 p_dev_rec->sec_bd_name, status);
4263 }
4264 }
4265 /*
4266 Do not send authentication failure, if following conditions hold good
4267 1. BTM Sec Pairing state is idle
4268 2. Link key for the remote device is present.
4269 3. Remote is SSP capable.
4270 */
4271 else if ((p_dev_rec->link_key_type <= BTM_LKEY_TYPE_REMOTE_UNIT) &&
4272 (((status == HCI_ERR_AUTH_FAILURE) ||
4273 (status == HCI_ERR_KEY_MISSING) ||
4274 (status == HCI_ERR_HOST_REJECT_SECURITY) ||
4275 (status == HCI_ERR_PAIRING_NOT_ALLOWED) ||
4276 (status == HCI_ERR_UNIT_KEY_USED) ||
4277 (status == HCI_ERR_PAIRING_WITH_UNIT_KEY_NOT_SUPPORTED) ||
4278 (status == HCI_ERR_ENCRY_MODE_NOT_ACCEPTABLE) ||
4279 (status == HCI_ERR_REPEATED_ATTEMPTS)))) {
4280 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4281 p_dev_rec->sec_flags &= ~(BTM_SEC_LE_LINK_KEY_KNOWN << bit_shift);
4282
4283 #ifdef BRCM_NOT_4_BTE
4284 /* If we rejected pairing, pass this special result code */
4285 if (btm_cb.acl_disc_reason == HCI_ERR_HOST_REJECT_SECURITY) {
4286 status = HCI_ERR_HOST_REJECT_SECURITY;
4287 }
4288 #endif
4289
4290 /* We need to notify host that the key is not known any more */
4291 if (btm_cb.api.p_auth_complete_callback) {
4292 (*btm_cb.api.p_auth_complete_callback)(p_dev_rec->bd_addr,
4293 p_dev_rec->dev_class,
4294 p_dev_rec->sec_bd_name, status);
4295 }
4296 }
4297
4298 if (btm_cb.pairing_bda != bda) {
4299 /* Don't callback unless this Connection-Complete-failure event has the
4300 * same mac address as the bonding device */
4301 VLOG(1) << __func__
4302 << ": Different mac addresses: pairing_bda=" << btm_cb.pairing_bda
4303 << ", bda=" << bda << ", do not callback";
4304 return;
4305 }
4306
4307 if (status == HCI_ERR_CONNECTION_TOUT ||
4308 status == HCI_ERR_LMP_RESPONSE_TIMEOUT ||
4309 status == HCI_ERR_UNSPECIFIED || status == HCI_ERR_PAGE_TIMEOUT)
4310 btm_sec_dev_rec_cback_event(p_dev_rec, BTM_DEVICE_TIMEOUT, false);
4311 else
4312 btm_sec_dev_rec_cback_event(p_dev_rec, BTM_ERR_PROCESSING, false);
4313
4314 return;
4315 }
4316
4317 /* If initiated dedicated bonding, return the link key now, and initiate
4318 * disconnect */
4319 /* If dedicated bonding, and we now have a link key, we are all done */
4320 if (is_pairing_device && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)) {
4321 if (p_dev_rec->link_key_not_sent) {
4322 p_dev_rec->link_key_not_sent = false;
4323 btm_send_link_key_notif(p_dev_rec);
4324 }
4325
4326 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4327
4328 /* remember flag before it is initialized */
4329 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4330 res = true;
4331 else
4332 res = false;
4333
4334 if (btm_cb.api.p_auth_complete_callback)
4335 (*btm_cb.api.p_auth_complete_callback)(
4336 p_dev_rec->bd_addr, p_dev_rec->dev_class, p_dev_rec->sec_bd_name,
4337 HCI_SUCCESS);
4338
4339 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE);
4340
4341 if (res) {
4342 /* Let l2cap start bond timer */
4343 l2cu_update_lcb_4_bonding(p_dev_rec->bd_addr, true);
4344 }
4345
4346 return;
4347 }
4348
4349 p_dev_rec->hci_handle = handle;
4350
4351 /* role may not be correct here, it will be updated by l2cap, but we need to
4352 */
4353 /* notify btm_acl that link is up, so starting of rmt name request will not */
4354 /* set paging flag up */
4355 p_acl_cb = btm_bda_to_acl(bda, BT_TRANSPORT_BR_EDR);
4356 if (p_acl_cb) {
4357 /* whatever is in btm_establish_continue() without reporting the BTM_BL_CONN_EVT
4358 * event */
4359 #if (BTM_BYPASS_EXTRA_ACL_SETUP == FALSE)
4360 /* For now there are a some devices that do not like sending */
4361 /* commands events and data at the same time. */
4362 /* Set the packet types to the default allowed by the device */
4363 btm_set_packet_types(p_acl_cb, btm_cb.btm_acl_pkt_types_supported);
4364
4365 if (btm_cb.btm_def_link_policy)
4366 BTM_SetLinkPolicy(p_acl_cb->remote_addr, &btm_cb.btm_def_link_policy);
4367 #endif
4368 }
4369 btm_acl_created(bda, p_dev_rec->dev_class, p_dev_rec->sec_bd_name, handle,
4370 HCI_ROLE_SLAVE, BT_TRANSPORT_BR_EDR);
4371
4372 /* Initialize security flags. We need to do that because some */
4373 /* authorization complete could have come after the connection is dropped */
4374 /* and that would set wrong flag that link has been authorized already */
4375 p_dev_rec->sec_flags &= ~((BTM_SEC_AUTHORIZED | BTM_SEC_AUTHENTICATED |
4376 BTM_SEC_ENCRYPTED | BTM_SEC_ROLE_SWITCHED)
4377 << bit_shift);
4378
4379 if (enc_mode != HCI_ENCRYPT_MODE_DISABLED)
4380 p_dev_rec->sec_flags |=
4381 ((BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED) << bit_shift);
4382
4383 if (btm_cb.security_mode == BTM_SEC_MODE_LINK)
4384 p_dev_rec->sec_flags |= (BTM_SEC_AUTHENTICATED << bit_shift);
4385
4386 if (p_dev_rec->pin_code_length >= 16 ||
4387 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB ||
4388 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) {
4389 p_dev_rec->sec_flags |= (BTM_SEC_16_DIGIT_PIN_AUTHED << bit_shift);
4390 }
4391
4392 p_dev_rec->link_key_changed = false;
4393
4394 /* After connection is established we perform security if we do not know */
4395 /* the name, or if we are originator because some procedure can have */
4396 /* been scheduled while connection was down */
4397 BTM_TRACE_DEBUG("is_originator:%d ", p_dev_rec->is_originator);
4398 if (!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN) ||
4399 p_dev_rec->is_originator) {
4400 res = btm_sec_execute_procedure(p_dev_rec);
4401 if (res != BTM_CMD_STARTED)
4402 btm_sec_dev_rec_cback_event(p_dev_rec, res, false);
4403 }
4404 return;
4405 }
4406
4407 /*******************************************************************************
4408 *
4409 * Function btm_sec_disconnect
4410 *
4411 * Description This function is called to disconnect HCI link
4412 *
4413 * Returns btm status
4414 *
4415 ******************************************************************************/
btm_sec_disconnect(uint16_t handle,uint8_t reason)4416 tBTM_STATUS btm_sec_disconnect(uint16_t handle, uint8_t reason) {
4417 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(handle);
4418
4419 /* In some weird race condition we may not have a record */
4420 if (!p_dev_rec) {
4421 btsnd_hcic_disconnect(handle, reason);
4422 return (BTM_SUCCESS);
4423 }
4424
4425 /* If we are in the process of bonding we need to tell client that auth failed
4426 */
4427 if ((btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) &&
4428 (btm_cb.pairing_bda == p_dev_rec->bd_addr) &&
4429 (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)) {
4430 /* we are currently doing bonding. Link will be disconnected when done */
4431 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_DISC_WHEN_DONE;
4432 return (BTM_BUSY);
4433 }
4434
4435 return (btm_sec_send_hci_disconnect(p_dev_rec, reason, handle));
4436 }
4437
4438 /*******************************************************************************
4439 *
4440 * Function btm_sec_disconnected
4441 *
4442 * Description This function is when a connection to the peer device is
4443 * dropped
4444 *
4445 * Returns void
4446 *
4447 ******************************************************************************/
btm_sec_disconnected(uint16_t handle,uint8_t reason)4448 void btm_sec_disconnected(uint16_t handle, uint8_t reason) {
4449 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(handle);
4450 uint8_t old_pairing_flags = btm_cb.pairing_flags;
4451 int result = HCI_ERR_AUTH_FAILURE;
4452 tBTM_SEC_CALLBACK* p_callback = NULL;
4453 tBT_TRANSPORT transport = BT_TRANSPORT_BR_EDR;
4454
4455 /* If page was delayed for disc complete, can do it now */
4456 btm_cb.discing = false;
4457
4458 btm_acl_resubmit_page();
4459
4460 if (!p_dev_rec) return;
4461
4462 transport =
4463 (handle == p_dev_rec->hci_handle) ? BT_TRANSPORT_BR_EDR : BT_TRANSPORT_LE;
4464
4465 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */
4466
4467 #if (BTM_DISC_DURING_RS == TRUE)
4468 LOG_INFO(LOG_TAG, "%s clearing pending flag handle:%d reason:%d", __func__,
4469 handle, reason);
4470 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */
4471 #endif
4472
4473 /* clear unused flags */
4474 p_dev_rec->sm4 &= BTM_SM4_TRUE;
4475
4476 VLOG(2) << __func__ << " bd_addr: " << p_dev_rec->bd_addr
4477 << " name: " << p_dev_rec->sec_bd_name
4478 << " state: " << btm_pair_state_descr(btm_cb.pairing_state)
4479 << " reason: " << reason << " sec_req: " << std::hex
4480 << p_dev_rec->security_required;
4481
4482 BTM_TRACE_EVENT("%s before update sec_flags=0x%x", __func__,
4483 p_dev_rec->sec_flags);
4484
4485 /* If we are in the process of bonding we need to tell client that auth failed
4486 */
4487 if ((btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) &&
4488 (btm_cb.pairing_bda == p_dev_rec->bd_addr)) {
4489 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE);
4490 p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_KNOWN;
4491 if (btm_cb.api.p_auth_complete_callback) {
4492 /* If the disconnection reason is REPEATED_ATTEMPTS,
4493 send this error message to complete callback function
4494 to display the error message of Repeated attempts.
4495 All others, send HCI_ERR_AUTH_FAILURE. */
4496 if (reason == HCI_ERR_REPEATED_ATTEMPTS) {
4497 result = HCI_ERR_REPEATED_ATTEMPTS;
4498 } else if (old_pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) {
4499 result = HCI_ERR_HOST_REJECT_SECURITY;
4500 }
4501 (*btm_cb.api.p_auth_complete_callback)(p_dev_rec->bd_addr,
4502 p_dev_rec->dev_class,
4503 p_dev_rec->sec_bd_name, result);
4504
4505 // |btm_cb.api.p_auth_complete_callback| may cause |p_dev_rec| to be
4506 // deallocated.
4507 p_dev_rec = btm_find_dev_by_handle(handle);
4508 if (!p_dev_rec) {
4509 return;
4510 }
4511 }
4512 }
4513
4514 btm_ble_update_mode_operation(HCI_ROLE_UNKNOWN, &p_dev_rec->bd_addr,
4515 HCI_SUCCESS);
4516 /* see sec_flags processing in btm_acl_removed */
4517
4518 if (transport == BT_TRANSPORT_LE) {
4519 p_dev_rec->ble_hci_handle = BTM_SEC_INVALID_HANDLE;
4520 p_dev_rec->sec_flags &= ~(BTM_SEC_LE_AUTHENTICATED | BTM_SEC_LE_ENCRYPTED);
4521 p_dev_rec->enc_key_size = 0;
4522 } else {
4523 p_dev_rec->hci_handle = BTM_SEC_INVALID_HANDLE;
4524 p_dev_rec->sec_flags &=
4525 ~(BTM_SEC_AUTHORIZED | BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED |
4526 BTM_SEC_ROLE_SWITCHED | BTM_SEC_16_DIGIT_PIN_AUTHED);
4527
4528 // Remove temporary key.
4529 if (p_dev_rec->bond_type == BOND_TYPE_TEMPORARY)
4530 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN);
4531 }
4532
4533 BTM_TRACE_EVENT("%s after update sec_flags=0x%x", __func__,
4534 p_dev_rec->sec_flags);
4535
4536 if (p_dev_rec->sec_state == BTM_SEC_STATE_DISCONNECTING_BOTH) {
4537 p_dev_rec->sec_state = (transport == BT_TRANSPORT_LE)
4538 ? BTM_SEC_STATE_DISCONNECTING
4539 : BTM_SEC_STATE_DISCONNECTING_BLE;
4540 return;
4541 }
4542 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
4543 p_dev_rec->security_required = BTM_SEC_NONE;
4544
4545 p_callback = p_dev_rec->p_callback;
4546
4547 /* if security is pending, send callback to clean up the security state */
4548 if (p_callback) {
4549 BTM_TRACE_DEBUG("%s: clearing callback. p_dev_rec=%p, p_callback=%p",
4550 __func__, p_dev_rec, p_dev_rec->p_callback);
4551 p_dev_rec->p_callback =
4552 NULL; /* when the peer device time out the authentication before
4553 we do, this call back must be reset here */
4554 (*p_callback)(&p_dev_rec->bd_addr, transport, p_dev_rec->p_ref_data,
4555 BTM_ERR_PROCESSING);
4556 }
4557 }
4558
4559 /*******************************************************************************
4560 *
4561 * Function btm_sec_link_key_notification
4562 *
4563 * Description This function is called when a new connection link key is
4564 * generated
4565 *
4566 * Returns Pointer to the record or NULL
4567 *
4568 ******************************************************************************/
btm_sec_link_key_notification(const RawAddress & p_bda,uint8_t * p_link_key,uint8_t key_type)4569 void btm_sec_link_key_notification(const RawAddress& p_bda, uint8_t* p_link_key,
4570 uint8_t key_type) {
4571 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_or_alloc_dev(p_bda);
4572 bool we_are_bonding = false;
4573 bool ltk_derived_lk = false;
4574
4575 VLOG(2) << __func__ << " BDA: " << p_bda << ", TYPE: " << +key_type;
4576
4577 if ((key_type >= BTM_LTK_DERIVED_LKEY_OFFSET + BTM_LKEY_TYPE_COMBINATION) &&
4578 (key_type <=
4579 BTM_LTK_DERIVED_LKEY_OFFSET + BTM_LKEY_TYPE_AUTH_COMB_P_256)) {
4580 ltk_derived_lk = true;
4581 key_type -= BTM_LTK_DERIVED_LKEY_OFFSET;
4582 }
4583 /* If connection was made to do bonding restore link security if changed */
4584 btm_restore_mode();
4585
4586 if (key_type != BTM_LKEY_TYPE_CHANGED_COMB)
4587 p_dev_rec->link_key_type = key_type;
4588
4589 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_KNOWN;
4590
4591 /*
4592 * Until this point in time, we do not know if MITM was enabled, hence we
4593 * add the extended security flag here.
4594 */
4595 if (p_dev_rec->pin_code_length >= 16 ||
4596 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB ||
4597 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) {
4598 p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED;
4599 }
4600
4601 /* BR/EDR connection, update the encryption key size to be 16 as always */
4602 p_dev_rec->enc_key_size = 16;
4603 memcpy(p_dev_rec->link_key, p_link_key, LINK_KEY_LEN);
4604
4605 if ((btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) &&
4606 (btm_cb.pairing_bda == p_bda)) {
4607 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4608 we_are_bonding = true;
4609 else
4610 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE);
4611 }
4612
4613 /* save LTK derived LK no matter what */
4614 if (ltk_derived_lk) {
4615 if (btm_cb.api.p_link_key_callback) {
4616 BTM_TRACE_DEBUG("%s() Save LTK derived LK (key_type = %d)", __func__,
4617 p_dev_rec->link_key_type);
4618 (*btm_cb.api.p_link_key_callback)(p_bda, p_dev_rec->dev_class,
4619 p_dev_rec->sec_bd_name, p_link_key,
4620 p_dev_rec->link_key_type);
4621 }
4622 } else {
4623 if ((p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256) ||
4624 (p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256)) {
4625 p_dev_rec->new_encryption_key_is_p256 = true;
4626 BTM_TRACE_DEBUG("%s set new_encr_key_256 to %d", __func__,
4627 p_dev_rec->new_encryption_key_is_p256);
4628 }
4629 }
4630
4631 /* If name is not known at this point delay calling callback until the name is
4632 */
4633 /* resolved. Unless it is a HID Device and we really need to send all link
4634 * keys. */
4635 if ((!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN) &&
4636 ((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) !=
4637 BTM_COD_MAJOR_PERIPHERAL)) &&
4638 !ltk_derived_lk) {
4639 VLOG(2) << __func__ << " Delayed BDA: " << p_bda << " Type:" << +key_type;
4640
4641 p_dev_rec->link_key_not_sent = true;
4642
4643 /* If it is for bonding nothing else will follow, so we need to start name
4644 * resolution */
4645 if (we_are_bonding) {
4646 btsnd_hcic_rmt_name_req(p_bda, HCI_PAGE_SCAN_REP_MODE_R1,
4647 HCI_MANDATARY_PAGE_SCAN_MODE, 0);
4648 }
4649
4650 BTM_TRACE_EVENT("rmt_io_caps:%d, sec_flags:x%x, dev_class[1]:x%02x",
4651 p_dev_rec->rmt_io_caps, p_dev_rec->sec_flags,
4652 p_dev_rec->dev_class[1])
4653 return;
4654 }
4655
4656 /* If its not us who perform authentication, we should tell stackserver */
4657 /* that some authentication has been completed */
4658 /* This is required when different entities receive link notification and auth
4659 * complete */
4660 if (!(p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE)
4661 /* for derived key, always send authentication callback for BR channel */
4662 || ltk_derived_lk) {
4663 if (btm_cb.api.p_auth_complete_callback)
4664 (*btm_cb.api.p_auth_complete_callback)(
4665 p_dev_rec->bd_addr, p_dev_rec->dev_class, p_dev_rec->sec_bd_name,
4666 HCI_SUCCESS);
4667 }
4668
4669 /* We will save link key only if the user authorized it - BTE report link key in
4670 * all cases */
4671 #ifdef BRCM_NONE_BTE
4672 if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED)
4673 #endif
4674 {
4675 if (btm_cb.api.p_link_key_callback) {
4676 if (ltk_derived_lk) {
4677 BTM_TRACE_DEBUG(
4678 "btm_sec_link_key_notification() LTK derived LK is saved already"
4679 " (key_type = %d)",
4680 p_dev_rec->link_key_type);
4681 } else {
4682 (*btm_cb.api.p_link_key_callback)(p_bda, p_dev_rec->dev_class,
4683 p_dev_rec->sec_bd_name, p_link_key,
4684 p_dev_rec->link_key_type);
4685 }
4686 }
4687 }
4688 }
4689
4690 /*******************************************************************************
4691 *
4692 * Function btm_sec_link_key_request
4693 *
4694 * Description This function is called when controller requests link key
4695 *
4696 * Returns Pointer to the record or NULL
4697 *
4698 ******************************************************************************/
btm_sec_link_key_request(const RawAddress & bda)4699 void btm_sec_link_key_request(const RawAddress& bda) {
4700 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_or_alloc_dev(bda);
4701
4702 VLOG(2) << __func__ << " bda: " << bda;
4703
4704 if ((btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_PIN_REQ) &&
4705 (btm_cb.collision_start_time != 0) &&
4706 (btm_cb.p_collided_dev_rec->bd_addr == bda)) {
4707 BTM_TRACE_EVENT(
4708 "btm_sec_link_key_request() rejecting link key req "
4709 "State: %d START_TIMEOUT : %d",
4710 btm_cb.pairing_state, btm_cb.collision_start_time);
4711 btsnd_hcic_link_key_neg_reply(bda);
4712 return;
4713 }
4714 if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) {
4715 btsnd_hcic_link_key_req_reply(bda, p_dev_rec->link_key);
4716 return;
4717 }
4718
4719 /* Notify L2CAP to increase timeout */
4720 l2c_pin_code_request(bda);
4721
4722 /* The link key is not in the database and it is not known to the manager */
4723 btsnd_hcic_link_key_neg_reply(bda);
4724 }
4725
4726 /*******************************************************************************
4727 *
4728 * Function btm_sec_pairing_timeout
4729 *
4730 * Description This function is called when host does not provide PIN
4731 * within requested time
4732 *
4733 * Returns Pointer to the TLE struct
4734 *
4735 ******************************************************************************/
btm_sec_pairing_timeout(UNUSED_ATTR void * data)4736 static void btm_sec_pairing_timeout(UNUSED_ATTR void* data) {
4737 tBTM_CB* p_cb = &btm_cb;
4738 tBTM_SEC_DEV_REC* p_dev_rec;
4739 #if (BTM_LOCAL_IO_CAPS == BTM_IO_CAP_NONE)
4740 tBTM_AUTH_REQ auth_req = BTM_AUTH_AP_NO;
4741 #else
4742 tBTM_AUTH_REQ auth_req = BTM_AUTH_AP_YES;
4743 #endif
4744 uint8_t name[2];
4745
4746 p_dev_rec = btm_find_dev(p_cb->pairing_bda);
4747
4748 BTM_TRACE_EVENT("%s State: %s Flags: %u", __func__,
4749 btm_pair_state_descr(p_cb->pairing_state),
4750 p_cb->pairing_flags);
4751
4752 switch (p_cb->pairing_state) {
4753 case BTM_PAIR_STATE_WAIT_PIN_REQ:
4754 btm_sec_bond_cancel_complete();
4755 break;
4756
4757 case BTM_PAIR_STATE_WAIT_LOCAL_PIN:
4758 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PRE_FETCH_PIN) == 0)
4759 btsnd_hcic_pin_code_neg_reply(p_cb->pairing_bda);
4760 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE);
4761 /* We need to notify the UI that no longer need the PIN */
4762 if (btm_cb.api.p_auth_complete_callback) {
4763 if (p_dev_rec == NULL) {
4764 name[0] = 0;
4765 (*btm_cb.api.p_auth_complete_callback)(p_cb->pairing_bda, NULL, name,
4766 HCI_ERR_CONNECTION_TOUT);
4767 } else
4768 (*btm_cb.api.p_auth_complete_callback)(
4769 p_dev_rec->bd_addr, p_dev_rec->dev_class, p_dev_rec->sec_bd_name,
4770 HCI_ERR_CONNECTION_TOUT);
4771 }
4772 break;
4773
4774 case BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM:
4775 btsnd_hcic_user_conf_reply(p_cb->pairing_bda, false);
4776 /* btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); */
4777 break;
4778
4779 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
4780 case BTM_PAIR_STATE_KEY_ENTRY:
4781 btsnd_hcic_user_passkey_neg_reply(p_cb->pairing_bda);
4782 /* btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); */
4783 break;
4784 #endif /* !BTM_IO_CAP_NONE */
4785
4786 case BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS:
4787 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4788 auth_req |= BTM_AUTH_DD_BOND;
4789
4790 btsnd_hcic_io_cap_req_reply(p_cb->pairing_bda, btm_cb.devcb.loc_io_caps,
4791 BTM_OOB_NONE, auth_req);
4792 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE);
4793 break;
4794
4795 case BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP:
4796 btsnd_hcic_rem_oob_neg_reply(p_cb->pairing_bda);
4797 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE);
4798 break;
4799
4800 case BTM_PAIR_STATE_WAIT_DISCONNECT:
4801 /* simple pairing failed. Started a 1-sec timer at simple pairing
4802 * complete.
4803 * now it's time to tear down the ACL link*/
4804 if (p_dev_rec == NULL) {
4805 LOG(ERROR) << __func__
4806 << " BTM_PAIR_STATE_WAIT_DISCONNECT unknown BDA: "
4807 << p_cb->pairing_bda;
4808 break;
4809 }
4810 btm_sec_send_hci_disconnect(p_dev_rec, HCI_ERR_AUTH_FAILURE,
4811 p_dev_rec->hci_handle);
4812 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE);
4813 break;
4814
4815 case BTM_PAIR_STATE_WAIT_AUTH_COMPLETE:
4816 case BTM_PAIR_STATE_GET_REM_NAME:
4817 /* We need to notify the UI that timeout has happened while waiting for
4818 * authentication*/
4819 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE);
4820 if (btm_cb.api.p_auth_complete_callback) {
4821 if (p_dev_rec == NULL) {
4822 name[0] = 0;
4823 (*btm_cb.api.p_auth_complete_callback)(p_cb->pairing_bda, NULL, name,
4824 HCI_ERR_CONNECTION_TOUT);
4825 } else
4826 (*btm_cb.api.p_auth_complete_callback)(
4827 p_dev_rec->bd_addr, p_dev_rec->dev_class, p_dev_rec->sec_bd_name,
4828 HCI_ERR_CONNECTION_TOUT);
4829 }
4830 break;
4831
4832 default:
4833 BTM_TRACE_WARNING("%s not processed state: %s", __func__,
4834 btm_pair_state_descr(btm_cb.pairing_state));
4835 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE);
4836 break;
4837 }
4838 }
4839
4840 /*******************************************************************************
4841 *
4842 * Function btm_sec_pin_code_request
4843 *
4844 * Description This function is called when controller requests PIN code
4845 *
4846 * Returns Pointer to the record or NULL
4847 *
4848 ******************************************************************************/
btm_sec_pin_code_request(const RawAddress & p_bda)4849 void btm_sec_pin_code_request(const RawAddress& p_bda) {
4850 tBTM_SEC_DEV_REC* p_dev_rec;
4851 tBTM_CB* p_cb = &btm_cb;
4852
4853 VLOG(2) << __func__ << " BDA: " << p_bda
4854 << " state: " << btm_pair_state_descr(btm_cb.pairing_state);
4855
4856 if (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) {
4857 if ((p_bda == btm_cb.pairing_bda) &&
4858 (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_AUTH_COMPLETE)) {
4859 btsnd_hcic_pin_code_neg_reply(p_bda);
4860 return;
4861 } else if ((btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_PIN_REQ) ||
4862 p_bda != btm_cb.pairing_bda) {
4863 BTM_TRACE_WARNING("btm_sec_pin_code_request() rejected - state: %s",
4864 btm_pair_state_descr(btm_cb.pairing_state));
4865 btsnd_hcic_pin_code_neg_reply(p_bda);
4866 return;
4867 }
4868 }
4869
4870 p_dev_rec = btm_find_or_alloc_dev(p_bda);
4871 /* received PIN code request. must be non-sm4 */
4872 p_dev_rec->sm4 = BTM_SM4_KNOWN;
4873
4874 if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE) {
4875 btm_cb.pairing_bda = p_bda;
4876
4877 btm_cb.pairing_flags = BTM_PAIR_FLAGS_PEER_STARTED_DD;
4878 /* Make sure we reset the trusted mask to help against attacks */
4879 BTM_SEC_CLR_TRUSTED_DEVICE(p_dev_rec->trusted_mask);
4880 }
4881
4882 if (!p_cb->pairing_disabled && (p_cb->cfg.pin_type == HCI_PIN_TYPE_FIXED)) {
4883 BTM_TRACE_EVENT("btm_sec_pin_code_request fixed pin replying");
4884 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
4885 btsnd_hcic_pin_code_req_reply(p_bda, p_cb->cfg.pin_code_len,
4886 p_cb->cfg.pin_code);
4887 return;
4888 }
4889
4890 /* Use the connecting device's CoD for the connection */
4891 if ((p_bda == p_cb->connecting_bda) &&
4892 (p_cb->connecting_dc[0] || p_cb->connecting_dc[1] ||
4893 p_cb->connecting_dc[2]))
4894 memcpy(p_dev_rec->dev_class, p_cb->connecting_dc, DEV_CLASS_LEN);
4895
4896 /* We could have started connection after asking user for the PIN code */
4897 if (btm_cb.pin_code_len != 0) {
4898 BTM_TRACE_EVENT("btm_sec_pin_code_request bonding sending reply");
4899 btsnd_hcic_pin_code_req_reply(p_bda, btm_cb.pin_code_len, p_cb->pin_code);
4900
4901 /* Mark that we forwarded received from the user PIN code */
4902 btm_cb.pin_code_len = 0;
4903
4904 /* We can change mode back right away, that other connection being
4905 * established */
4906 /* is not forced to be secure - found a FW issue, so we can not do this
4907 btm_restore_mode(); */
4908
4909 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
4910 }
4911
4912 /* If pairing disabled OR (no PIN callback and not bonding) */
4913 /* OR we could not allocate entry in the database reject pairing request */
4914 else if (
4915 p_cb->pairing_disabled ||
4916 (p_cb->api.p_pin_callback == NULL)
4917
4918 /* OR Microsoft keyboard can for some reason try to establish connection
4919 */
4920 /* the only thing we can do here is to shut it up. Normally we will be
4921 originator */
4922 /* for keyboard bonding */
4923 || (!p_dev_rec->is_originator &&
4924 ((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) ==
4925 BTM_COD_MAJOR_PERIPHERAL) &&
4926 (p_dev_rec->dev_class[2] & BTM_COD_MINOR_KEYBOARD))) {
4927 BTM_TRACE_WARNING(
4928 "btm_sec_pin_code_request(): Pairing disabled:%d; PIN callback:%x, Dev "
4929 "Rec:%x!",
4930 p_cb->pairing_disabled, p_cb->api.p_pin_callback, p_dev_rec);
4931
4932 btsnd_hcic_pin_code_neg_reply(p_bda);
4933 }
4934 /* Notify upper layer of PIN request and start expiration timer */
4935 else {
4936 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_LOCAL_PIN);
4937 /* Pin code request can not come at the same time as connection request */
4938 p_cb->connecting_bda = p_bda;
4939 memcpy(p_cb->connecting_dc, p_dev_rec->dev_class, DEV_CLASS_LEN);
4940
4941 /* Check if the name is known */
4942 /* Even if name is not known we might not be able to get one */
4943 /* this is the case when we are already getting something from the */
4944 /* device, so HCI level is flow controlled */
4945 /* Also cannot send remote name request while paging, i.e. connection is not
4946 * completed */
4947 if (p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN) {
4948 BTM_TRACE_EVENT("btm_sec_pin_code_request going for callback");
4949
4950 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
4951 if (p_cb->api.p_pin_callback) {
4952 (*p_cb->api.p_pin_callback)(
4953 p_bda, p_dev_rec->dev_class, p_dev_rec->sec_bd_name,
4954 (p_dev_rec->p_cur_service == NULL)
4955 ? false
4956 : (p_dev_rec->p_cur_service->security_flags &
4957 BTM_SEC_IN_MIN_16_DIGIT_PIN));
4958 }
4959 } else {
4960 BTM_TRACE_EVENT("btm_sec_pin_code_request going for remote name");
4961
4962 /* We received PIN code request for the device with unknown name */
4963 /* it is not user friendly just to ask for the PIN without name */
4964 /* try to get name at first */
4965 btsnd_hcic_rmt_name_req(p_dev_rec->bd_addr, HCI_PAGE_SCAN_REP_MODE_R1,
4966 HCI_MANDATARY_PAGE_SCAN_MODE, 0);
4967 }
4968 }
4969
4970 return;
4971 }
4972
4973 /*******************************************************************************
4974 *
4975 * Function btm_sec_update_clock_offset
4976 *
4977 * Description This function is called to update clock offset
4978 *
4979 * Returns void
4980 *
4981 ******************************************************************************/
btm_sec_update_clock_offset(uint16_t handle,uint16_t clock_offset)4982 void btm_sec_update_clock_offset(uint16_t handle, uint16_t clock_offset) {
4983 tBTM_SEC_DEV_REC* p_dev_rec;
4984 tBTM_INQ_INFO* p_inq_info;
4985
4986 p_dev_rec = btm_find_dev_by_handle(handle);
4987 if (p_dev_rec == NULL) return;
4988
4989 p_dev_rec->clock_offset = clock_offset | BTM_CLOCK_OFFSET_VALID;
4990
4991 p_inq_info = BTM_InqDbRead(p_dev_rec->bd_addr);
4992 if (p_inq_info == NULL) return;
4993
4994 p_inq_info->results.clock_offset = clock_offset | BTM_CLOCK_OFFSET_VALID;
4995 }
4996
4997 /******************************************************************
4998 * S T A T I C F U N C T I O N S
4999 ******************************************************************/
5000
5001 /*******************************************************************************
5002 *
5003 * Function btm_sec_execute_procedure
5004 *
5005 * Description This function is called to start required security
5006 * procedure. There is a case when multiplexing protocol
5007 * calls this function on the originating side, connection to
5008 * the peer will not be established. This function in this
5009 * case performs only authorization.
5010 *
5011 * Returns BTM_SUCCESS - permission is granted
5012 * BTM_CMD_STARTED - in process
5013 * BTM_NO_RESOURCES - permission declined
5014 *
5015 ******************************************************************************/
btm_sec_execute_procedure(tBTM_SEC_DEV_REC * p_dev_rec)5016 tBTM_STATUS btm_sec_execute_procedure(tBTM_SEC_DEV_REC* p_dev_rec) {
5017 BTM_TRACE_EVENT(
5018 "btm_sec_execute_procedure: Required:0x%x Flags:0x%x State:%d",
5019 p_dev_rec->security_required, p_dev_rec->sec_flags, p_dev_rec->sec_state);
5020
5021 /* There is a chance that we are getting name. Wait until done. */
5022 if (p_dev_rec->sec_state != 0) return (BTM_CMD_STARTED);
5023
5024 /* If any security is required, get the name first */
5025 if (!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN) &&
5026 (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)) {
5027 BTM_TRACE_EVENT("Security Manager: Start get name");
5028 if (!btm_sec_start_get_name(p_dev_rec)) {
5029 return (BTM_NO_RESOURCES);
5030 }
5031 return (BTM_CMD_STARTED);
5032 }
5033
5034 /* If connection is not authenticated and authentication is required */
5035 /* start authentication and return PENDING to the caller */
5036 if ((((!(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)) &&
5037 ((p_dev_rec->is_originator &&
5038 (p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE)) ||
5039 (!p_dev_rec->is_originator &&
5040 (p_dev_rec->security_required & BTM_SEC_IN_AUTHENTICATE)))) ||
5041 (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED) &&
5042 (!p_dev_rec->is_originator &&
5043 (p_dev_rec->security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN)))) &&
5044 (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)) {
5045 /*
5046 * We rely on BTM_SEC_16_DIGIT_PIN_AUTHED being set if MITM is in use,
5047 * as 16 DIGIT is only needed if MITM is not used. Unfortunately, the
5048 * BTM_SEC_AUTHENTICATED is used for both MITM and non-MITM
5049 * authenticated connections, hence we cannot distinguish here.
5050 */
5051
5052 BTM_TRACE_EVENT("Security Manager: Start authentication");
5053
5054 /*
5055 * If we do have a link-key, but we end up here because we need an
5056 * upgrade, then clear the link-key known and authenticated flag before
5057 * restarting authentication.
5058 * WARNING: If the controller has link-key, it is optional and
5059 * recommended for the controller to send a Link_Key_Request.
5060 * In case we need an upgrade, the only alternative would be to delete
5061 * the existing link-key. That could lead to very bad user experience
5062 * or even IOP issues, if a reconnect causes a new connection that
5063 * requires an upgrade.
5064 */
5065 if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) &&
5066 (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED) &&
5067 (!p_dev_rec->is_originator &&
5068 (p_dev_rec->security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN)))) {
5069 p_dev_rec->sec_flags &=
5070 ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED |
5071 BTM_SEC_AUTHENTICATED);
5072 }
5073
5074 btm_sec_start_authentication(p_dev_rec);
5075 return (BTM_CMD_STARTED);
5076 }
5077
5078 /* If connection is not encrypted and encryption is required */
5079 /* start encryption and return PENDING to the caller */
5080 if (!(p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED) &&
5081 ((p_dev_rec->is_originator &&
5082 (p_dev_rec->security_required & BTM_SEC_OUT_ENCRYPT)) ||
5083 (!p_dev_rec->is_originator &&
5084 (p_dev_rec->security_required & BTM_SEC_IN_ENCRYPT))) &&
5085 (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)) {
5086
5087 BTM_TRACE_EVENT("Security Manager: Start encryption");
5088
5089 btm_sec_start_encryption(p_dev_rec);
5090 return (BTM_CMD_STARTED);
5091 }
5092
5093 if ((p_dev_rec->security_required & BTM_SEC_MODE4_LEVEL4) &&
5094 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256)) {
5095 BTM_TRACE_EVENT(
5096 "%s: Security Manager: SC only service, but link key type is 0x%02x -",
5097 "security failure", __func__, p_dev_rec->link_key_type);
5098 return (BTM_FAILED_ON_SECURITY);
5099 }
5100
5101 /* If connection is not authorized and authorization is required */
5102 /* start authorization and return PENDING to the caller */
5103 if (!(p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED) &&
5104 ((p_dev_rec->is_originator &&
5105 (p_dev_rec->security_required & BTM_SEC_OUT_AUTHORIZE)) ||
5106 (!p_dev_rec->is_originator &&
5107 (p_dev_rec->security_required & BTM_SEC_IN_AUTHORIZE)))) {
5108 BTM_TRACE_EVENT(
5109 "service id:%d, is trusted:%d", p_dev_rec->p_cur_service->service_id,
5110 (BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask,
5111 p_dev_rec->p_cur_service->service_id)));
5112 if ((!btm_sec_are_all_trusted(p_dev_rec->trusted_mask)) &&
5113 (p_dev_rec->p_cur_service->service_id < BTM_SEC_MAX_SERVICES) &&
5114 (!BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask,
5115 p_dev_rec->p_cur_service->service_id))) {
5116 BTM_TRACE_EVENT("Security Manager: Start authorization");
5117 return (btm_sec_start_authorization(p_dev_rec));
5118 }
5119 }
5120
5121 /* All required security procedures already established */
5122 p_dev_rec->security_required &=
5123 ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_IN_AUTHORIZE |
5124 BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_IN_AUTHENTICATE |
5125 BTM_SEC_OUT_ENCRYPT | BTM_SEC_IN_ENCRYPT | BTM_SEC_FORCE_MASTER |
5126 BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
5127
5128 BTM_TRACE_EVENT("Security Manager: trusted:0x%04x%04x",
5129 p_dev_rec->trusted_mask[1], p_dev_rec->trusted_mask[0]);
5130 BTM_TRACE_EVENT("Security Manager: access granted");
5131
5132 return (BTM_SUCCESS);
5133 }
5134
5135 /*******************************************************************************
5136 *
5137 * Function btm_sec_start_get_name
5138 *
5139 * Description This function is called to start get name procedure
5140 *
5141 * Returns true if started
5142 *
5143 ******************************************************************************/
btm_sec_start_get_name(tBTM_SEC_DEV_REC * p_dev_rec)5144 static bool btm_sec_start_get_name(tBTM_SEC_DEV_REC* p_dev_rec) {
5145 uint8_t tempstate = p_dev_rec->sec_state;
5146
5147 p_dev_rec->sec_state = BTM_SEC_STATE_GETTING_NAME;
5148
5149 /* 0 and NULL are as timeout and callback params because they are not used in
5150 * security get name case */
5151 if ((btm_initiate_rem_name(p_dev_rec->bd_addr, BTM_RMT_NAME_SEC, 0, NULL)) !=
5152 BTM_CMD_STARTED) {
5153 p_dev_rec->sec_state = tempstate;
5154 return (false);
5155 }
5156
5157 return (true);
5158 }
5159
5160 /*******************************************************************************
5161 *
5162 * Function btm_sec_start_authentication
5163 *
5164 * Description This function is called to start authentication
5165 *
5166 ******************************************************************************/
btm_sec_start_authentication(tBTM_SEC_DEV_REC * p_dev_rec)5167 static void btm_sec_start_authentication(tBTM_SEC_DEV_REC* p_dev_rec) {
5168 p_dev_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING;
5169 btsnd_hcic_auth_request(p_dev_rec->hci_handle);
5170 }
5171
5172 /*******************************************************************************
5173 *
5174 * Function btm_sec_start_encryption
5175 *
5176 * Description This function is called to start encryption
5177 *
5178 ******************************************************************************/
btm_sec_start_encryption(tBTM_SEC_DEV_REC * p_dev_rec)5179 static void btm_sec_start_encryption(tBTM_SEC_DEV_REC* p_dev_rec) {
5180 btsnd_hcic_set_conn_encrypt(p_dev_rec->hci_handle, true);
5181 p_dev_rec->sec_state = BTM_SEC_STATE_ENCRYPTING;
5182 }
5183
5184 /*******************************************************************************
5185 *
5186 * Function btm_sec_start_authorization
5187 *
5188 * Description This function is called to start authorization
5189 *
5190 * Returns true if started
5191 *
5192 ******************************************************************************/
btm_sec_start_authorization(tBTM_SEC_DEV_REC * p_dev_rec)5193 static uint8_t btm_sec_start_authorization(tBTM_SEC_DEV_REC* p_dev_rec) {
5194 uint8_t result;
5195 uint8_t* p_service_name = NULL;
5196 uint8_t service_id;
5197
5198 if ((p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN) ||
5199 (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE)) {
5200 if (!btm_cb.api.p_authorize_callback) return (BTM_MODE_UNSUPPORTED);
5201
5202 if (p_dev_rec->p_cur_service) {
5203 #if BTM_SEC_SERVICE_NAME_LEN > 0
5204 if (p_dev_rec->is_originator)
5205 p_service_name = p_dev_rec->p_cur_service->orig_service_name;
5206 else
5207 p_service_name = p_dev_rec->p_cur_service->term_service_name;
5208 #endif
5209 service_id = p_dev_rec->p_cur_service->service_id;
5210 } else
5211 service_id = 0;
5212
5213 /* Send authorization request if not already sent during this service
5214 * connection */
5215 if (p_dev_rec->last_author_service_id == BTM_SEC_NO_LAST_SERVICE_ID ||
5216 p_dev_rec->last_author_service_id != service_id) {
5217 p_dev_rec->sec_state = BTM_SEC_STATE_AUTHORIZING;
5218 result = (*btm_cb.api.p_authorize_callback)(
5219 p_dev_rec->bd_addr, p_dev_rec->dev_class, p_dev_rec->sec_bd_name,
5220 p_service_name, service_id, p_dev_rec->is_originator);
5221 }
5222
5223 else /* Already authorized once for this L2CAP bringup */
5224 {
5225 BTM_TRACE_DEBUG(
5226 "btm_sec_start_authorization: (Ignoring extra Authorization prompt "
5227 "for service %d)",
5228 service_id);
5229 return (BTM_SUCCESS);
5230 }
5231
5232 if (result == BTM_SUCCESS) {
5233 p_dev_rec->sec_flags |= BTM_SEC_AUTHORIZED;
5234
5235 /* Save the currently authorized service in case we are asked again by
5236 * another multiplexer layer */
5237 if (!p_dev_rec->is_originator)
5238 p_dev_rec->last_author_service_id = service_id;
5239
5240 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
5241 }
5242 return (result);
5243 }
5244 btm_sec_start_get_name(p_dev_rec);
5245 return (BTM_CMD_STARTED);
5246 }
5247
5248 /*******************************************************************************
5249 *
5250 * Function btm_sec_are_all_trusted
5251 *
5252 * Description This function is called check if all services are trusted
5253 *
5254 * Returns true if all are trusted, otherwise false
5255 *
5256 ******************************************************************************/
btm_sec_are_all_trusted(uint32_t p_mask[])5257 bool btm_sec_are_all_trusted(uint32_t p_mask[]) {
5258 uint32_t trusted_inx;
5259 for (trusted_inx = 0; trusted_inx < BTM_SEC_SERVICE_ARRAY_SIZE;
5260 trusted_inx++) {
5261 if (p_mask[trusted_inx] != BTM_SEC_TRUST_ALL) return (false);
5262 }
5263
5264 return (true);
5265 }
5266
5267 /*******************************************************************************
5268 *
5269 * Function btm_sec_find_first_serv
5270 *
5271 * Description Look for the first record in the service database
5272 * with specified PSM
5273 *
5274 * Returns Pointer to the record or NULL
5275 *
5276 ******************************************************************************/
btm_sec_find_first_serv(CONNECTION_TYPE conn_type,uint16_t psm)5277 tBTM_SEC_SERV_REC* btm_sec_find_first_serv(CONNECTION_TYPE conn_type,
5278 uint16_t psm) {
5279 tBTM_SEC_SERV_REC* p_serv_rec = &btm_cb.sec_serv_rec[0];
5280 int i;
5281 bool is_originator = conn_type;
5282
5283 if (is_originator && btm_cb.p_out_serv && btm_cb.p_out_serv->psm == psm) {
5284 /* If this is outgoing connection and the PSM matches p_out_serv,
5285 * use it as the current service */
5286 return btm_cb.p_out_serv;
5287 }
5288
5289 /* otherwise, just find the first record with the specified PSM */
5290 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++) {
5291 if ((p_serv_rec->security_flags & BTM_SEC_IN_USE) &&
5292 (p_serv_rec->psm == psm))
5293 return (p_serv_rec);
5294 }
5295 return (NULL);
5296 }
5297
5298 /*******************************************************************************
5299 *
5300 * Function btm_sec_find_next_serv
5301 *
5302 * Description Look for the next record in the service database
5303 * with specified PSM
5304 *
5305 * Returns Pointer to the record or NULL
5306 *
5307 ******************************************************************************/
btm_sec_find_next_serv(tBTM_SEC_SERV_REC * p_cur)5308 static tBTM_SEC_SERV_REC* btm_sec_find_next_serv(tBTM_SEC_SERV_REC* p_cur) {
5309 tBTM_SEC_SERV_REC* p_serv_rec = &btm_cb.sec_serv_rec[0];
5310 int i;
5311
5312 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++) {
5313 if ((p_serv_rec->security_flags & BTM_SEC_IN_USE) &&
5314 (p_serv_rec->psm == p_cur->psm)) {
5315 if (p_cur != p_serv_rec) {
5316 return (p_serv_rec);
5317 }
5318 }
5319 }
5320 return (NULL);
5321 }
5322
5323 /*******************************************************************************
5324 *
5325 * Function btm_sec_find_mx_serv
5326 *
5327 * Description Look for the record in the service database with specified
5328 * PSM and multiplexor channel information
5329 *
5330 * Returns Pointer to the record or NULL
5331 *
5332 ******************************************************************************/
btm_sec_find_mx_serv(uint8_t is_originator,uint16_t psm,uint32_t mx_proto_id,uint32_t mx_chan_id)5333 static tBTM_SEC_SERV_REC* btm_sec_find_mx_serv(uint8_t is_originator,
5334 uint16_t psm,
5335 uint32_t mx_proto_id,
5336 uint32_t mx_chan_id) {
5337 tBTM_SEC_SERV_REC* p_out_serv = btm_cb.p_out_serv;
5338 tBTM_SEC_SERV_REC* p_serv_rec = &btm_cb.sec_serv_rec[0];
5339 int i;
5340
5341 BTM_TRACE_DEBUG("%s()", __func__);
5342 if (is_originator && p_out_serv && p_out_serv->psm == psm &&
5343 p_out_serv->mx_proto_id == mx_proto_id &&
5344 p_out_serv->orig_mx_chan_id == mx_chan_id) {
5345 /* If this is outgoing connection and the parameters match p_out_serv,
5346 * use it as the current service */
5347 return btm_cb.p_out_serv;
5348 }
5349
5350 /* otherwise, the old way */
5351 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++) {
5352 if ((p_serv_rec->security_flags & BTM_SEC_IN_USE) &&
5353 (p_serv_rec->psm == psm) && (p_serv_rec->mx_proto_id == mx_proto_id) &&
5354 ((is_originator && (p_serv_rec->orig_mx_chan_id == mx_chan_id)) ||
5355 (!is_originator && (p_serv_rec->term_mx_chan_id == mx_chan_id)))) {
5356 return (p_serv_rec);
5357 }
5358 }
5359 return (NULL);
5360 }
5361
5362 /*******************************************************************************
5363 *
5364 * Function btm_sec_collision_timeout
5365 *
5366 * Description Encryption could not start because of the collision
5367 * try to do it again
5368 *
5369 * Returns Pointer to the TLE struct
5370 *
5371 ******************************************************************************/
btm_sec_collision_timeout(UNUSED_ATTR void * data)5372 static void btm_sec_collision_timeout(UNUSED_ATTR void* data) {
5373 BTM_TRACE_EVENT("%s()", __func__);
5374
5375 tBTM_STATUS status = btm_sec_execute_procedure(btm_cb.p_collided_dev_rec);
5376
5377 /* If result is pending reply from the user or from the device is pending */
5378 if (status != BTM_CMD_STARTED) {
5379 /* There is no next procedure or start of procedure failed, notify the
5380 * waiting layer */
5381 btm_sec_dev_rec_cback_event(btm_cb.p_collided_dev_rec, status, false);
5382 }
5383 }
5384
5385 /*******************************************************************************
5386 *
5387 * Function btm_send_link_key_notif
5388 *
5389 * Description Call the link key callback.
5390 *
5391 * Returns void
5392 *
5393 ******************************************************************************/
btm_send_link_key_notif(tBTM_SEC_DEV_REC * p_dev_rec)5394 static void btm_send_link_key_notif(tBTM_SEC_DEV_REC* p_dev_rec) {
5395 if (btm_cb.api.p_link_key_callback)
5396 (*btm_cb.api.p_link_key_callback)(
5397 p_dev_rec->bd_addr, p_dev_rec->dev_class, p_dev_rec->sec_bd_name,
5398 p_dev_rec->link_key, p_dev_rec->link_key_type);
5399 }
5400
5401 /*******************************************************************************
5402 *
5403 * Function BTM_ReadTrustedMask
5404 *
5405 * Description Get trusted mask for the peer device
5406 *
5407 * Parameters: bd_addr - Address of the device
5408 *
5409 * Returns NULL, if the device record is not found.
5410 * otherwise, the trusted mask
5411 *
5412 ******************************************************************************/
BTM_ReadTrustedMask(const RawAddress & bd_addr)5413 uint32_t* BTM_ReadTrustedMask(const RawAddress& bd_addr) {
5414 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
5415 if (p_dev_rec != NULL) return (p_dev_rec->trusted_mask);
5416 return NULL;
5417 }
5418
5419 /*******************************************************************************
5420 *
5421 * Function btm_restore_mode
5422 *
5423 * Description This function returns the security mode to previous setting
5424 * if it was changed during bonding.
5425 *
5426 *
5427 * Parameters: void
5428 *
5429 ******************************************************************************/
btm_restore_mode(void)5430 static void btm_restore_mode(void) {
5431 if (btm_cb.security_mode_changed) {
5432 btm_cb.security_mode_changed = false;
5433 BTM_TRACE_DEBUG("%s() Auth enable -> %d", __func__,
5434 (btm_cb.security_mode == BTM_SEC_MODE_LINK));
5435 btsnd_hcic_write_auth_enable(
5436 (uint8_t)(btm_cb.security_mode == BTM_SEC_MODE_LINK));
5437 }
5438
5439 if (btm_cb.pin_type_changed) {
5440 btm_cb.pin_type_changed = false;
5441 btsnd_hcic_write_pin_type(btm_cb.cfg.pin_type);
5442 }
5443 }
5444
is_sec_state_equal(void * data,void * context)5445 bool is_sec_state_equal(void* data, void* context) {
5446 tBTM_SEC_DEV_REC* p_dev_rec = static_cast<tBTM_SEC_DEV_REC*>(data);
5447 uint8_t* state = static_cast<uint8_t*>(context);
5448
5449 if (p_dev_rec->sec_state == *state) return false;
5450
5451 return true;
5452 }
5453
5454 /*******************************************************************************
5455 *
5456 * Function btm_sec_find_dev_by_sec_state
5457 *
5458 * Description Look for the record in the device database for the device
5459 * which is being authenticated or encrypted
5460 *
5461 * Returns Pointer to the record or NULL
5462 *
5463 ******************************************************************************/
btm_sec_find_dev_by_sec_state(uint8_t state)5464 tBTM_SEC_DEV_REC* btm_sec_find_dev_by_sec_state(uint8_t state) {
5465 list_node_t* n = list_foreach(btm_cb.sec_dev_rec, is_sec_state_equal, &state);
5466 if (n) return static_cast<tBTM_SEC_DEV_REC*>(list_node(n));
5467
5468 return NULL;
5469 }
5470
5471 /*******************************************************************************
5472 *
5473 * Function btm_sec_change_pairing_state
5474 *
5475 * Description This function is called to change pairing state
5476 *
5477 ******************************************************************************/
btm_sec_change_pairing_state(tBTM_PAIRING_STATE new_state)5478 static void btm_sec_change_pairing_state(tBTM_PAIRING_STATE new_state) {
5479 tBTM_PAIRING_STATE old_state = btm_cb.pairing_state;
5480
5481 BTM_TRACE_EVENT("%s() Old: %s", __func__,
5482 btm_pair_state_descr(btm_cb.pairing_state));
5483 BTM_TRACE_EVENT("%s() New: %s pairing_flags:0x%x", __func__,
5484 btm_pair_state_descr(new_state), btm_cb.pairing_flags);
5485
5486 btm_cb.pairing_state = new_state;
5487
5488 if (new_state == BTM_PAIR_STATE_IDLE) {
5489 alarm_cancel(btm_cb.pairing_timer);
5490
5491 btm_cb.pairing_flags = 0;
5492 btm_cb.pin_code_len = 0;
5493
5494 /* Make sure the the lcb shows we are not bonding */
5495 l2cu_update_lcb_4_bonding(btm_cb.pairing_bda, false);
5496
5497 btm_restore_mode();
5498 btm_sec_check_pending_reqs();
5499 btm_inq_clear_ssp();
5500
5501 btm_cb.pairing_bda = RawAddress::kAny;
5502 } else {
5503 /* If transitioning out of idle, mark the lcb as bonding */
5504 if (old_state == BTM_PAIR_STATE_IDLE)
5505 l2cu_update_lcb_4_bonding(btm_cb.pairing_bda, true);
5506
5507 alarm_set_on_mloop(btm_cb.pairing_timer, BTM_SEC_TIMEOUT_VALUE * 1000,
5508 btm_sec_pairing_timeout, NULL);
5509 }
5510 }
5511
5512 /*******************************************************************************
5513 *
5514 * Function btm_pair_state_descr
5515 *
5516 * Description Return state description for tracing
5517 *
5518 ******************************************************************************/
btm_pair_state_descr(tBTM_PAIRING_STATE state)5519 static const char* btm_pair_state_descr(tBTM_PAIRING_STATE state) {
5520 switch (state) {
5521 case BTM_PAIR_STATE_IDLE:
5522 return ("IDLE");
5523 case BTM_PAIR_STATE_GET_REM_NAME:
5524 return ("GET_REM_NAME");
5525 case BTM_PAIR_STATE_WAIT_PIN_REQ:
5526 return ("WAIT_PIN_REQ");
5527 case BTM_PAIR_STATE_WAIT_LOCAL_PIN:
5528 return ("WAIT_LOCAL_PIN");
5529 case BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM:
5530 return ("WAIT_NUM_CONFIRM");
5531 case BTM_PAIR_STATE_KEY_ENTRY:
5532 return ("KEY_ENTRY");
5533 case BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP:
5534 return ("WAIT_LOCAL_OOB_RSP");
5535 case BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS:
5536 return ("WAIT_LOCAL_IOCAPS");
5537 case BTM_PAIR_STATE_INCOMING_SSP:
5538 return ("INCOMING_SSP");
5539 case BTM_PAIR_STATE_WAIT_AUTH_COMPLETE:
5540 return ("WAIT_AUTH_COMPLETE");
5541 case BTM_PAIR_STATE_WAIT_DISCONNECT:
5542 return ("WAIT_DISCONNECT");
5543 }
5544
5545 return ("???");
5546 }
5547
5548 /*******************************************************************************
5549 *
5550 * Function btm_sec_dev_rec_cback_event
5551 *
5552 * Description This function calls the callback function with the given
5553 * result and clear the callback function.
5554 *
5555 * Parameters: void
5556 *
5557 ******************************************************************************/
btm_sec_dev_rec_cback_event(tBTM_SEC_DEV_REC * p_dev_rec,uint8_t res,bool is_le_transport)5558 void btm_sec_dev_rec_cback_event(tBTM_SEC_DEV_REC* p_dev_rec, uint8_t res,
5559 bool is_le_transport) {
5560 tBTM_SEC_CALLBACK* p_callback = p_dev_rec->p_callback;
5561
5562 BTM_TRACE_DEBUG("%s: p_callback=%p, is_le_transport=%d, res=%d, p_dev_rec=%p",
5563 __func__, p_dev_rec->p_callback, is_le_transport, res,
5564 p_dev_rec);
5565
5566 if (p_dev_rec->p_callback) {
5567 p_dev_rec->p_callback = NULL;
5568
5569 if (is_le_transport)
5570 (*p_callback)(&p_dev_rec->ble.pseudo_addr, BT_TRANSPORT_LE,
5571 p_dev_rec->p_ref_data, res);
5572 else
5573 (*p_callback)(&p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR,
5574 p_dev_rec->p_ref_data, res);
5575 }
5576
5577 btm_sec_check_pending_reqs();
5578 }
5579
5580 /*******************************************************************************
5581 *
5582 * Function btm_sec_queue_mx_request
5583 *
5584 * Description Return state description for tracing
5585 *
5586 ******************************************************************************/
btm_sec_queue_mx_request(const RawAddress & bd_addr,uint16_t psm,bool is_orig,uint32_t mx_proto_id,uint32_t mx_chan_id,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data)5587 static bool btm_sec_queue_mx_request(const RawAddress& bd_addr, uint16_t psm,
5588 bool is_orig, uint32_t mx_proto_id,
5589 uint32_t mx_chan_id,
5590 tBTM_SEC_CALLBACK* p_callback,
5591 void* p_ref_data) {
5592 tBTM_SEC_QUEUE_ENTRY* p_e =
5593 (tBTM_SEC_QUEUE_ENTRY*)osi_malloc(sizeof(tBTM_SEC_QUEUE_ENTRY));
5594
5595 p_e->psm = psm;
5596 p_e->is_orig = is_orig;
5597 p_e->p_callback = p_callback;
5598 p_e->p_ref_data = p_ref_data;
5599 p_e->mx_proto_id = mx_proto_id;
5600 p_e->mx_chan_id = mx_chan_id;
5601 p_e->transport = BT_TRANSPORT_BR_EDR;
5602 p_e->sec_act = 0;
5603 p_e->bd_addr = bd_addr;
5604
5605 BTM_TRACE_EVENT(
5606 "%s() PSM: 0x%04x Is_Orig: %u mx_proto_id: %u mx_chan_id: %u",
5607 __func__, psm, is_orig, mx_proto_id, mx_chan_id);
5608
5609 fixed_queue_enqueue(btm_cb.sec_pending_q, p_e);
5610
5611 return true;
5612 }
5613
btm_sec_check_prefetch_pin(tBTM_SEC_DEV_REC * p_dev_rec)5614 static bool btm_sec_check_prefetch_pin(tBTM_SEC_DEV_REC* p_dev_rec) {
5615 uint8_t major = (uint8_t)(p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK);
5616 uint8_t minor = (uint8_t)(p_dev_rec->dev_class[2] & BTM_COD_MINOR_CLASS_MASK);
5617 bool rv = false;
5618
5619 if ((major == BTM_COD_MAJOR_AUDIO) &&
5620 ((minor == BTM_COD_MINOR_CONFM_HANDSFREE) ||
5621 (minor == BTM_COD_MINOR_CAR_AUDIO))) {
5622 BTM_TRACE_EVENT(
5623 "%s() Skipping pre-fetch PIN for carkit COD Major: 0x%02x Minor: "
5624 "0x%02x",
5625 __func__, major, minor);
5626
5627 if (!btm_cb.security_mode_changed) {
5628 btm_cb.security_mode_changed = true;
5629 #ifdef APPL_AUTH_WRITE_EXCEPTION
5630 if (!(APPL_AUTH_WRITE_EXCEPTION)(p_dev_rec->bd_addr))
5631 #endif
5632 btsnd_hcic_write_auth_enable(true);
5633 }
5634 } else {
5635 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_LOCAL_PIN);
5636
5637 /* If we got a PIN, use that, else try to get one */
5638 if (btm_cb.pin_code_len) {
5639 BTM_PINCodeReply(p_dev_rec->bd_addr, BTM_SUCCESS, btm_cb.pin_code_len,
5640 btm_cb.pin_code, p_dev_rec->trusted_mask);
5641 } else {
5642 /* pin was not supplied - pre-fetch pin code now */
5643 if (btm_cb.api.p_pin_callback &&
5644 ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PIN_REQD) == 0)) {
5645 BTM_TRACE_DEBUG("%s() PIN code callback called", __func__);
5646 if (btm_bda_to_acl(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR) == NULL)
5647 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
5648 (btm_cb.api.p_pin_callback)(
5649 p_dev_rec->bd_addr, p_dev_rec->dev_class, p_dev_rec->sec_bd_name,
5650 (p_dev_rec->p_cur_service == NULL)
5651 ? false
5652 : (p_dev_rec->p_cur_service->security_flags &
5653 BTM_SEC_IN_MIN_16_DIGIT_PIN));
5654 }
5655 }
5656
5657 rv = true;
5658 }
5659
5660 return rv;
5661 }
5662
5663 /*******************************************************************************
5664 *
5665 * Function btm_sec_auth_payload_tout
5666 *
5667 * Description Processes the HCI Autheniticated Payload Timeout Event
5668 * indicating that a packet containing a valid MIC on the
5669 * connection handle was not received within the programmed
5670 * timeout value. (Spec Default is 30 secs, but can be
5671 * changed via the BTM_SecSetAuthPayloadTimeout() function.
5672 *
5673 ******************************************************************************/
btm_sec_auth_payload_tout(uint8_t * p,uint16_t hci_evt_len)5674 void btm_sec_auth_payload_tout(uint8_t* p, uint16_t hci_evt_len) {
5675 uint16_t handle;
5676
5677 STREAM_TO_UINT16(handle, p);
5678 handle = HCID_GET_HANDLE(handle);
5679
5680 /* Will be exposed to upper layers in the future if/when determined necessary
5681 */
5682 BTM_TRACE_ERROR("%s on handle 0x%02x", __func__, handle);
5683 }
5684
5685 /*******************************************************************************
5686 *
5687 * Function btm_sec_queue_encrypt_request
5688 *
5689 * Description encqueue encryption request when device has active security
5690 * process pending.
5691 *
5692 ******************************************************************************/
btm_sec_queue_encrypt_request(const RawAddress & bd_addr,tBT_TRANSPORT transport,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data,tBTM_BLE_SEC_ACT sec_act)5693 static bool btm_sec_queue_encrypt_request(const RawAddress& bd_addr,
5694 tBT_TRANSPORT transport,
5695 tBTM_SEC_CALLBACK* p_callback,
5696 void* p_ref_data,
5697 tBTM_BLE_SEC_ACT sec_act) {
5698 tBTM_SEC_QUEUE_ENTRY* p_e =
5699 (tBTM_SEC_QUEUE_ENTRY*)osi_malloc(sizeof(tBTM_SEC_QUEUE_ENTRY) + 1);
5700
5701 p_e->psm = 0; /* if PSM 0, encryption request */
5702 p_e->p_callback = p_callback;
5703 p_e->p_ref_data = p_ref_data;
5704 p_e->transport = transport;
5705 p_e->sec_act = sec_act;
5706 p_e->bd_addr = bd_addr;
5707 fixed_queue_enqueue(btm_cb.sec_pending_q, p_e);
5708
5709 return true;
5710 }
5711
5712 /*******************************************************************************
5713 *
5714 * Function btm_sec_set_peer_sec_caps
5715 *
5716 * Description This function is called to set sm4 and rmt_sec_caps fields
5717 * based on the available peer device features.
5718 *
5719 * Returns void
5720 *
5721 ******************************************************************************/
btm_sec_set_peer_sec_caps(tACL_CONN * p_acl_cb,tBTM_SEC_DEV_REC * p_dev_rec)5722 void btm_sec_set_peer_sec_caps(tACL_CONN* p_acl_cb,
5723 tBTM_SEC_DEV_REC* p_dev_rec) {
5724 if ((btm_cb.security_mode == BTM_SEC_MODE_SP ||
5725 btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
5726 btm_cb.security_mode == BTM_SEC_MODE_SC) &&
5727 HCI_SSP_HOST_SUPPORTED(p_acl_cb->peer_lmp_feature_pages[1])) {
5728 p_dev_rec->sm4 = BTM_SM4_TRUE;
5729 p_dev_rec->remote_supports_secure_connections =
5730 (HCI_SC_HOST_SUPPORTED(p_acl_cb->peer_lmp_feature_pages[1]));
5731 } else {
5732 p_dev_rec->sm4 = BTM_SM4_KNOWN;
5733 p_dev_rec->remote_supports_secure_connections = false;
5734 }
5735
5736 BTM_TRACE_API("%s: sm4: 0x%02x, rmt_support_for_secure_connections %d",
5737 __func__, p_dev_rec->sm4,
5738 p_dev_rec->remote_supports_secure_connections);
5739
5740 if (p_dev_rec->remote_features_needed) {
5741 BTM_TRACE_EVENT(
5742 "%s: Now device in SC Only mode, waiting for peer remote features!",
5743 __func__);
5744 btm_io_capabilities_req(p_dev_rec->bd_addr);
5745 p_dev_rec->remote_features_needed = false;
5746 }
5747 }
5748
5749 /*******************************************************************************
5750 *
5751 * Function btm_sec_is_serv_level0
5752 *
5753 * Description This function is called to check if the service
5754 * corresponding to PSM is security mode 4 level 0 service.
5755 *
5756 * Returns true if the service is security mode 4 level 0 service
5757 *
5758 ******************************************************************************/
btm_sec_is_serv_level0(uint16_t psm)5759 static bool btm_sec_is_serv_level0(uint16_t psm) {
5760 if (psm == BT_PSM_SDP) {
5761 BTM_TRACE_DEBUG("%s: PSM: 0x%04x -> mode 4 level 0 service", __func__, psm);
5762 return true;
5763 }
5764 return false;
5765 }
5766
5767 /*******************************************************************************
5768 *
5769 * Function btm_sec_check_pending_enc_req
5770 *
5771 * Description This function is called to send pending encryption callback
5772 * if waiting
5773 *
5774 * Returns void
5775 *
5776 ******************************************************************************/
btm_sec_check_pending_enc_req(tBTM_SEC_DEV_REC * p_dev_rec,tBT_TRANSPORT transport,uint8_t encr_enable)5777 static void btm_sec_check_pending_enc_req(tBTM_SEC_DEV_REC* p_dev_rec,
5778 tBT_TRANSPORT transport,
5779 uint8_t encr_enable) {
5780 if (fixed_queue_is_empty(btm_cb.sec_pending_q)) return;
5781
5782 uint8_t res = encr_enable ? BTM_SUCCESS : BTM_ERR_PROCESSING;
5783 list_t* list = fixed_queue_get_list(btm_cb.sec_pending_q);
5784 for (const list_node_t* node = list_begin(list); node != list_end(list);) {
5785 tBTM_SEC_QUEUE_ENTRY* p_e = (tBTM_SEC_QUEUE_ENTRY*)list_node(node);
5786 node = list_next(node);
5787
5788 if (p_e->bd_addr == p_dev_rec->bd_addr && p_e->psm == 0 &&
5789 p_e->transport == transport) {
5790 if (encr_enable == 0 || transport == BT_TRANSPORT_BR_EDR ||
5791 p_e->sec_act == BTM_BLE_SEC_ENCRYPT ||
5792 p_e->sec_act == BTM_BLE_SEC_ENCRYPT_NO_MITM ||
5793 (p_e->sec_act == BTM_BLE_SEC_ENCRYPT_MITM &&
5794 p_dev_rec->sec_flags & BTM_SEC_LE_AUTHENTICATED)) {
5795 if (p_e->p_callback)
5796 (*p_e->p_callback)(&p_dev_rec->bd_addr, transport, p_e->p_ref_data,
5797 res);
5798 fixed_queue_try_remove_from_queue(btm_cb.sec_pending_q, (void*)p_e);
5799 }
5800 }
5801 }
5802 }
5803
5804 /*******************************************************************************
5805 *
5806 * Function btm_sec_set_serv_level4_flags
5807 *
5808 * Description This function is called to set security mode 4 level 4
5809 * flags.
5810 *
5811 * Returns service security requirements updated to include secure
5812 * connections only mode.
5813 *
5814 ******************************************************************************/
btm_sec_set_serv_level4_flags(uint16_t cur_security,bool is_originator)5815 static uint16_t btm_sec_set_serv_level4_flags(uint16_t cur_security,
5816 bool is_originator) {
5817 uint16_t sec_level4_flags =
5818 is_originator ? BTM_SEC_OUT_LEVEL4_FLAGS : BTM_SEC_IN_LEVEL4_FLAGS;
5819
5820 return cur_security | sec_level4_flags;
5821 }
5822
5823 /*******************************************************************************
5824 *
5825 * Function btm_sec_clear_ble_keys
5826 *
5827 * Description This function is called to clear out the BLE keys.
5828 * Typically when devices are removed in BTM_SecDeleteDevice,
5829 * or when a new BT Link key is generated.
5830 *
5831 * Returns void
5832 *
5833 ******************************************************************************/
btm_sec_clear_ble_keys(tBTM_SEC_DEV_REC * p_dev_rec)5834 void btm_sec_clear_ble_keys(tBTM_SEC_DEV_REC* p_dev_rec) {
5835 BTM_TRACE_DEBUG("%s() Clearing BLE Keys", __func__);
5836 p_dev_rec->ble.key_type = BTM_LE_KEY_NONE;
5837 memset(&p_dev_rec->ble.keys, 0, sizeof(tBTM_SEC_BLE_KEYS));
5838
5839 #if (BLE_PRIVACY_SPT == TRUE)
5840 btm_ble_resolving_list_remove_dev(p_dev_rec);
5841 #endif
5842 }
5843
5844 /*******************************************************************************
5845 *
5846 * Function btm_sec_is_a_bonded_dev
5847 *
5848 * Description Is the specified device is a bonded device
5849 *
5850 * Returns true - dev is bonded
5851 *
5852 ******************************************************************************/
btm_sec_is_a_bonded_dev(const RawAddress & bda)5853 bool btm_sec_is_a_bonded_dev(const RawAddress& bda) {
5854 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bda);
5855 bool is_bonded = false;
5856
5857 if (p_dev_rec && ((p_dev_rec->ble.key_type &&
5858 (p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_KNOWN)) ||
5859 (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN))) {
5860 is_bonded = true;
5861 }
5862 BTM_TRACE_DEBUG("%s() is_bonded=%d", __func__, is_bonded);
5863 return (is_bonded);
5864 }
5865
5866 /*******************************************************************************
5867 *
5868 * Function btm_sec_is_le_capable_dev
5869 *
5870 * Description Is the specified device is dual mode or LE only device
5871 *
5872 * Returns true - dev is a dual mode
5873 *
5874 ******************************************************************************/
btm_sec_is_le_capable_dev(const RawAddress & bda)5875 bool btm_sec_is_le_capable_dev(const RawAddress& bda) {
5876 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bda);
5877 bool le_capable = false;
5878
5879 if (p_dev_rec &&
5880 (p_dev_rec->device_type & BT_DEVICE_TYPE_BLE) == BT_DEVICE_TYPE_BLE)
5881 le_capable = true;
5882 return le_capable;
5883 }
5884
5885 /*******************************************************************************
5886 *
5887 * Function btm_sec_use_smp_br_chnl
5888 *
5889 * Description The function checks if SMP BR connection can be used with
5890 * the peer.
5891 * Is called when authentication for dedicated bonding is
5892 * successfully completed.
5893 *
5894 * Returns true - if SMP BR connection can be used (the link key is
5895 * generated from P-256 and the peer supports Security
5896 * Manager over BR).
5897 *
5898 ******************************************************************************/
btm_sec_use_smp_br_chnl(tBTM_SEC_DEV_REC * p_dev_rec)5899 static bool btm_sec_use_smp_br_chnl(tBTM_SEC_DEV_REC* p_dev_rec) {
5900 uint32_t ext_feat;
5901 uint8_t chnl_mask[L2CAP_FIXED_CHNL_ARRAY_SIZE];
5902
5903 BTM_TRACE_DEBUG("%s() link_key_type = 0x%x", __func__,
5904 p_dev_rec->link_key_type);
5905
5906 if ((p_dev_rec->link_key_type != BTM_LKEY_TYPE_UNAUTH_COMB_P_256) &&
5907 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256))
5908 return false;
5909
5910 if (!L2CA_GetPeerFeatures(p_dev_rec->bd_addr, &ext_feat, chnl_mask))
5911 return false;
5912
5913 if (!(chnl_mask[0] & L2CAP_FIXED_CHNL_SMP_BR_BIT)) return false;
5914
5915 return true;
5916 }
5917
5918 /*******************************************************************************
5919 *
5920 * Function btm_sec_is_master
5921 *
5922 * Description The function checks if the device is BR/EDR master after
5923 * pairing is completed.
5924 *
5925 * Returns true - if the device is master.
5926 *
5927 ******************************************************************************/
btm_sec_is_master(tBTM_SEC_DEV_REC * p_dev_rec)5928 static bool btm_sec_is_master(tBTM_SEC_DEV_REC* p_dev_rec) {
5929 tACL_CONN* p = btm_bda_to_acl(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR);
5930 return (p && (p->link_role == BTM_ROLE_MASTER));
5931 }
5932