1 /******************************************************************************
2 *
3 * Copyright 1999-2012 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18
19 /******************************************************************************
20 *
21 * This file contains functions for BLE device control utilities, and LE
22 * security functions.
23 *
24 ******************************************************************************/
25
26 #define LOG_TAG "bt_btm_ble"
27
28 #include "bt_target.h"
29
30 #include <base/bind.h>
31 #include <string.h>
32
33 #include "bt_types.h"
34 #include "bt_utils.h"
35 #include "btm_ble_api.h"
36 #include "btm_int.h"
37 #include "btu.h"
38 #include "device/include/controller.h"
39 #include "gap_api.h"
40 #include "gatt_api.h"
41 #include "hcimsgs.h"
42 #include "l2c_int.h"
43 #include "osi/include/log.h"
44 #include "osi/include/osi.h"
45 #include "smp_api.h"
46
47 extern bool aes_cipher_msg_auth_code(BT_OCTET16 key, uint8_t* input,
48 uint16_t length, uint16_t tlen,
49 uint8_t* p_signature);
50 extern void gatt_notify_phy_updated(uint8_t status, uint16_t handle,
51 uint8_t tx_phy, uint8_t rx_phy);
52 extern void btm_ble_advertiser_notify_terminated_legacy(
53 uint8_t status, uint16_t connection_handle);
54
55 /******************************************************************************/
56 /* External Function to be called by other modules */
57 /******************************************************************************/
58 /********************************************************
59 *
60 * Function BTM_SecAddBleDevice
61 *
62 * Description Add/modify device. This function will be normally called
63 * during host startup to restore all required information
64 * for a LE device stored in the NVRAM.
65 *
66 * Parameters: bd_addr - BD address of the peer
67 * bd_name - Name of the peer device. NULL if unknown.
68 * dev_type - Remote device's device type.
69 * addr_type - LE device address type.
70 *
71 * Returns true if added OK, else false
72 *
73 ******************************************************************************/
BTM_SecAddBleDevice(const RawAddress & bd_addr,BD_NAME bd_name,tBT_DEVICE_TYPE dev_type,tBLE_ADDR_TYPE addr_type)74 bool BTM_SecAddBleDevice(const RawAddress& bd_addr, BD_NAME bd_name,
75 tBT_DEVICE_TYPE dev_type, tBLE_ADDR_TYPE addr_type) {
76 BTM_TRACE_DEBUG("%s: dev_type=0x%x", __func__, dev_type);
77
78 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
79 if (!p_dev_rec) {
80 p_dev_rec = btm_sec_allocate_dev_rec();
81
82 p_dev_rec->bd_addr = bd_addr;
83 p_dev_rec->hci_handle = BTM_GetHCIConnHandle(bd_addr, BT_TRANSPORT_BR_EDR);
84 p_dev_rec->ble_hci_handle = BTM_GetHCIConnHandle(bd_addr, BT_TRANSPORT_LE);
85
86 /* update conn params, use default value for background connection params */
87 p_dev_rec->conn_params.min_conn_int = BTM_BLE_CONN_PARAM_UNDEF;
88 p_dev_rec->conn_params.max_conn_int = BTM_BLE_CONN_PARAM_UNDEF;
89 p_dev_rec->conn_params.supervision_tout = BTM_BLE_CONN_PARAM_UNDEF;
90 p_dev_rec->conn_params.slave_latency = BTM_BLE_CONN_PARAM_UNDEF;
91
92 BTM_TRACE_DEBUG("%s: Device added, handle=0x%x, p_dev_rec=%p, bd_addr=%s",
93 __func__, p_dev_rec->ble_hci_handle, p_dev_rec,
94 bd_addr.ToString().c_str());
95 }
96
97 memset(p_dev_rec->sec_bd_name, 0, sizeof(tBTM_BD_NAME));
98
99 if (bd_name && bd_name[0]) {
100 p_dev_rec->sec_flags |= BTM_SEC_NAME_KNOWN;
101 strlcpy((char*)p_dev_rec->sec_bd_name, (char*)bd_name,
102 BTM_MAX_REM_BD_NAME_LEN);
103 }
104 p_dev_rec->device_type |= dev_type;
105 p_dev_rec->ble.ble_addr_type = addr_type;
106
107 p_dev_rec->ble.pseudo_addr = bd_addr;
108 /* sync up with the Inq Data base*/
109 tBTM_INQ_INFO* p_info = BTM_InqDbRead(bd_addr);
110 if (p_info) {
111 p_info->results.ble_addr_type = p_dev_rec->ble.ble_addr_type;
112 p_info->results.device_type = p_dev_rec->device_type;
113 BTM_TRACE_DEBUG("InqDb device_type =0x%x addr_type=0x%x",
114 p_info->results.device_type, p_info->results.ble_addr_type);
115 }
116
117 return true;
118 }
119
120 /*******************************************************************************
121 *
122 * Function BTM_SecAddBleKey
123 *
124 * Description Add/modify LE device information. This function will be
125 * normally called during host startup to restore all required
126 * information stored in the NVRAM.
127 *
128 * Parameters: bd_addr - BD address of the peer
129 * p_le_key - LE key values.
130 * key_type - LE SMP key type.
131 *
132 * Returns true if added OK, else false
133 *
134 ******************************************************************************/
BTM_SecAddBleKey(const RawAddress & bd_addr,tBTM_LE_KEY_VALUE * p_le_key,tBTM_LE_KEY_TYPE key_type)135 bool BTM_SecAddBleKey(const RawAddress& bd_addr, tBTM_LE_KEY_VALUE* p_le_key,
136 tBTM_LE_KEY_TYPE key_type) {
137 tBTM_SEC_DEV_REC* p_dev_rec;
138 BTM_TRACE_DEBUG("BTM_SecAddBleKey");
139 p_dev_rec = btm_find_dev(bd_addr);
140 if (!p_dev_rec || !p_le_key ||
141 (key_type != BTM_LE_KEY_PENC && key_type != BTM_LE_KEY_PID &&
142 key_type != BTM_LE_KEY_PCSRK && key_type != BTM_LE_KEY_LENC &&
143 key_type != BTM_LE_KEY_LCSRK && key_type != BTM_LE_KEY_LID)) {
144 LOG(WARNING) << __func__
145 << " Wrong Type, or No Device record for bdaddr: " << bd_addr
146 << ", Type: " << key_type;
147 return (false);
148 }
149
150 VLOG(1) << __func__ << " BDA: " << bd_addr << ", Type: " << key_type;
151
152 btm_sec_save_le_key(bd_addr, key_type, p_le_key, false);
153
154 #if (BLE_PRIVACY_SPT == TRUE)
155 if (key_type == BTM_LE_KEY_PID || key_type == BTM_LE_KEY_LID)
156 btm_ble_resolving_list_load_dev(p_dev_rec);
157 #endif
158
159 return (true);
160 }
161
162 /*******************************************************************************
163 *
164 * Function BTM_BleLoadLocalKeys
165 *
166 * Description Local local identity key, encryption root or sign counter.
167 *
168 * Parameters: key_type: type of key, can be BTM_BLE_KEY_TYPE_ID,
169 * BTM_BLE_KEY_TYPE_ER
170 * or BTM_BLE_KEY_TYPE_COUNTER.
171 * p_key: pointer to the key.
172 *
173 * Returns non2.
174 *
175 ******************************************************************************/
BTM_BleLoadLocalKeys(uint8_t key_type,tBTM_BLE_LOCAL_KEYS * p_key)176 void BTM_BleLoadLocalKeys(uint8_t key_type, tBTM_BLE_LOCAL_KEYS* p_key) {
177 tBTM_DEVCB* p_devcb = &btm_cb.devcb;
178 BTM_TRACE_DEBUG("%s", __func__);
179 if (p_key != NULL) {
180 switch (key_type) {
181 case BTM_BLE_KEY_TYPE_ID:
182 memcpy(&p_devcb->id_keys, &p_key->id_keys,
183 sizeof(tBTM_BLE_LOCAL_ID_KEYS));
184 break;
185
186 case BTM_BLE_KEY_TYPE_ER:
187 memcpy(p_devcb->ble_encryption_key_value, p_key->er,
188 sizeof(BT_OCTET16));
189 break;
190
191 default:
192 BTM_TRACE_ERROR("unknow local key type: %d", key_type);
193 break;
194 }
195 }
196 }
197
198 /*******************************************************************************
199 *
200 * Function BTM_GetDeviceEncRoot
201 *
202 * Description This function is called to read the local device encryption
203 * root.
204 *
205 * Returns void
206 * the local device ER is copied into ble_encr_key_value
207 *
208 ******************************************************************************/
BTM_GetDeviceEncRoot(BT_OCTET16 ble_encr_key_value)209 void BTM_GetDeviceEncRoot(BT_OCTET16 ble_encr_key_value) {
210 BTM_TRACE_DEBUG("%s", __func__);
211 memcpy(ble_encr_key_value, btm_cb.devcb.ble_encryption_key_value,
212 BT_OCTET16_LEN);
213 }
214
215 /*******************************************************************************
216 *
217 * Function BTM_GetDeviceIDRoot
218 *
219 * Description This function is called to read the local device identity
220 * root.
221 *
222 * Returns void
223 * the local device IR is copied into irk
224 *
225 ******************************************************************************/
BTM_GetDeviceIDRoot(BT_OCTET16 irk)226 void BTM_GetDeviceIDRoot(BT_OCTET16 irk) {
227 BTM_TRACE_DEBUG("BTM_GetDeviceIDRoot ");
228
229 memcpy(irk, btm_cb.devcb.id_keys.irk, BT_OCTET16_LEN);
230 }
231
232 /*******************************************************************************
233 *
234 * Function BTM_GetDeviceDHK
235 *
236 * Description This function is called to read the local device DHK.
237 *
238 * Returns void
239 * the local device DHK is copied into dhk
240 *
241 ******************************************************************************/
BTM_GetDeviceDHK(BT_OCTET16 dhk)242 void BTM_GetDeviceDHK(BT_OCTET16 dhk) {
243 BTM_TRACE_DEBUG("BTM_GetDeviceDHK");
244 memcpy(dhk, btm_cb.devcb.id_keys.dhk, BT_OCTET16_LEN);
245 }
246
247 /*******************************************************************************
248 *
249 * Function BTM_ReadConnectionAddr
250 *
251 * Description This function is called to get the local device address
252 * information.
253 *
254 * Returns void
255 *
256 ******************************************************************************/
BTM_ReadConnectionAddr(const RawAddress & remote_bda,RawAddress & local_conn_addr,tBLE_ADDR_TYPE * p_addr_type)257 void BTM_ReadConnectionAddr(const RawAddress& remote_bda,
258 RawAddress& local_conn_addr,
259 tBLE_ADDR_TYPE* p_addr_type) {
260 tACL_CONN* p_acl = btm_bda_to_acl(remote_bda, BT_TRANSPORT_LE);
261
262 if (p_acl == NULL) {
263 BTM_TRACE_ERROR("No connection exist!");
264 return;
265 }
266 local_conn_addr = p_acl->conn_addr;
267 *p_addr_type = p_acl->conn_addr_type;
268
269 BTM_TRACE_DEBUG("BTM_ReadConnectionAddr address type: %d addr: 0x%02x",
270 p_acl->conn_addr_type, p_acl->conn_addr.address[0]);
271 }
272
273 /*******************************************************************************
274 *
275 * Function BTM_IsBleConnection
276 *
277 * Description This function is called to check if the connection handle
278 * for an LE link
279 *
280 * Returns true if connection is LE link, otherwise false.
281 *
282 ******************************************************************************/
BTM_IsBleConnection(uint16_t conn_handle)283 bool BTM_IsBleConnection(uint16_t conn_handle) {
284 uint8_t xx;
285 tACL_CONN* p;
286
287 BTM_TRACE_API("BTM_IsBleConnection: conn_handle: %d", conn_handle);
288
289 xx = btm_handle_to_acl_index(conn_handle);
290 if (xx >= MAX_L2CAP_LINKS) return false;
291
292 p = &btm_cb.acl_db[xx];
293
294 return (p->transport == BT_TRANSPORT_LE);
295 }
296
297 /*******************************************************************************
298 *
299 * Function BTM_ReadRemoteConnectionAddr
300 *
301 * Description This function is read the remote device address currently used
302 *
303 * Parameters pseudo_addr: pseudo random address available
304 * conn_addr:connection address used
305 * p_addr_type : BD Address type, Public or Random of the address
306 * used
307 *
308 * Returns bool, true if connection to remote device exists, else false
309 *
310 ******************************************************************************/
BTM_ReadRemoteConnectionAddr(const RawAddress & pseudo_addr,RawAddress & conn_addr,tBLE_ADDR_TYPE * p_addr_type)311 bool BTM_ReadRemoteConnectionAddr(const RawAddress& pseudo_addr,
312 RawAddress& conn_addr,
313 tBLE_ADDR_TYPE* p_addr_type) {
314 bool st = true;
315 #if (BLE_PRIVACY_SPT == TRUE)
316 tACL_CONN* p = btm_bda_to_acl(pseudo_addr, BT_TRANSPORT_LE);
317
318 if (p == NULL) {
319 BTM_TRACE_ERROR(
320 "BTM_ReadRemoteConnectionAddr can not find connection"
321 " with matching address");
322 return false;
323 }
324
325 conn_addr = p->active_remote_addr;
326 *p_addr_type = p->active_remote_addr_type;
327 #else
328 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(pseudo_addr);
329
330 conn_addr = pseudo_addr;
331 if (p_dev_rec != NULL) {
332 *p_addr_type = p_dev_rec->ble.ble_addr_type;
333 }
334 #endif
335 return st;
336 }
337 /*******************************************************************************
338 *
339 * Function BTM_SecurityGrant
340 *
341 * Description This function is called to grant security process.
342 *
343 * Parameters bd_addr - peer device bd address.
344 * res - result of the operation BTM_SUCCESS if success.
345 * Otherwise, BTM_REPEATED_ATTEMPTS if too many
346 * attempts.
347 *
348 * Returns None
349 *
350 ******************************************************************************/
BTM_SecurityGrant(const RawAddress & bd_addr,uint8_t res)351 void BTM_SecurityGrant(const RawAddress& bd_addr, uint8_t res) {
352 tSMP_STATUS res_smp =
353 (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_REPEATED_ATTEMPTS;
354 BTM_TRACE_DEBUG("BTM_SecurityGrant");
355 SMP_SecurityGrant(bd_addr, res_smp);
356 }
357
358 /*******************************************************************************
359 *
360 * Function BTM_BlePasskeyReply
361 *
362 * Description This function is called after Security Manager submitted
363 * passkey request to the application.
364 *
365 * Parameters: bd_addr - Address of the device for which passkey was
366 * requested
367 * res - result of the operation BTM_SUCCESS if success
368 * key_len - length in bytes of the Passkey
369 * p_passkey - pointer to array with the passkey
370 * trusted_mask - bitwise OR of trusted services (array of
371 * uint32_t)
372 *
373 ******************************************************************************/
BTM_BlePasskeyReply(const RawAddress & bd_addr,uint8_t res,uint32_t passkey)374 void BTM_BlePasskeyReply(const RawAddress& bd_addr, uint8_t res,
375 uint32_t passkey) {
376 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
377 tSMP_STATUS res_smp =
378 (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_PASSKEY_ENTRY_FAIL;
379
380 if (p_dev_rec == NULL) {
381 BTM_TRACE_ERROR("Passkey reply to Unknown device");
382 return;
383 }
384
385 p_dev_rec->sec_flags |= BTM_SEC_LE_AUTHENTICATED;
386 BTM_TRACE_DEBUG("BTM_BlePasskeyReply");
387 SMP_PasskeyReply(bd_addr, res_smp, passkey);
388 }
389
390 /*******************************************************************************
391 *
392 * Function BTM_BleConfirmReply
393 *
394 * Description This function is called after Security Manager submitted
395 * numeric comparison request to the application.
396 *
397 * Parameters: bd_addr - Address of the device with which numeric
398 * comparison was requested
399 * res - comparison result BTM_SUCCESS if success
400 *
401 ******************************************************************************/
BTM_BleConfirmReply(const RawAddress & bd_addr,uint8_t res)402 void BTM_BleConfirmReply(const RawAddress& bd_addr, uint8_t res) {
403 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
404 tSMP_STATUS res_smp =
405 (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_PASSKEY_ENTRY_FAIL;
406
407 if (p_dev_rec == NULL) {
408 BTM_TRACE_ERROR("Passkey reply to Unknown device");
409 return;
410 }
411
412 p_dev_rec->sec_flags |= BTM_SEC_LE_AUTHENTICATED;
413 BTM_TRACE_DEBUG("%s", __func__);
414 SMP_ConfirmReply(bd_addr, res_smp);
415 }
416
417 /*******************************************************************************
418 *
419 * Function BTM_BleOobDataReply
420 *
421 * Description This function is called to provide the OOB data for
422 * SMP in response to BTM_LE_OOB_REQ_EVT
423 *
424 * Parameters: bd_addr - Address of the peer device
425 * res - result of the operation SMP_SUCCESS if success
426 * p_data - oob data, depending on transport and
427 * capabilities.
428 * Might be "Simple Pairing Randomizer", or
429 * "Security Manager TK Value".
430 *
431 ******************************************************************************/
BTM_BleOobDataReply(const RawAddress & bd_addr,uint8_t res,uint8_t len,uint8_t * p_data)432 void BTM_BleOobDataReply(const RawAddress& bd_addr, uint8_t res, uint8_t len,
433 uint8_t* p_data) {
434 tSMP_STATUS res_smp = (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_OOB_FAIL;
435 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
436
437 BTM_TRACE_DEBUG("%s:", __func__);
438
439 if (p_dev_rec == NULL) {
440 BTM_TRACE_ERROR("%s: Unknown device", __func__);
441 return;
442 }
443
444 p_dev_rec->sec_flags |= BTM_SEC_LE_AUTHENTICATED;
445 SMP_OobDataReply(bd_addr, res_smp, len, p_data);
446 }
447
448 /*******************************************************************************
449 *
450 * Function BTM_BleSecureConnectionOobDataReply
451 *
452 * Description This function is called to provide the OOB data for
453 * SMP in response to BTM_LE_OOB_REQ_EVT when secure connection
454 * data is available
455 *
456 * Parameters: bd_addr - Address of the peer device
457 * p_c - pointer to Confirmation.
458 * p_r - pointer to Randomizer
459 *
460 ******************************************************************************/
BTM_BleSecureConnectionOobDataReply(const RawAddress & bd_addr,uint8_t * p_c,uint8_t * p_r)461 void BTM_BleSecureConnectionOobDataReply(const RawAddress& bd_addr,
462 uint8_t* p_c, uint8_t* p_r) {
463 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
464
465 BTM_TRACE_DEBUG("%s:", __func__);
466
467 if (p_dev_rec == NULL) {
468 BTM_TRACE_ERROR("%s: Unknown device", __func__);
469 return;
470 }
471
472 p_dev_rec->sec_flags |= BTM_SEC_LE_AUTHENTICATED;
473
474 tSMP_SC_OOB_DATA oob;
475 memset(&oob, 0, sizeof(tSMP_SC_OOB_DATA));
476
477 oob.peer_oob_data.present = true;
478 memcpy(&oob.peer_oob_data.randomizer, p_r, BT_OCTET16_LEN);
479 memcpy(&oob.peer_oob_data.commitment, p_c, BT_OCTET16_LEN);
480 oob.peer_oob_data.addr_rcvd_from.type = p_dev_rec->ble.ble_addr_type;
481 oob.peer_oob_data.addr_rcvd_from.bda = bd_addr;
482
483 SMP_SecureConnectionOobDataReply((uint8_t*)&oob);
484 }
485
486 /******************************************************************************
487 *
488 * Function BTM_BleSetConnScanParams
489 *
490 * Description Set scan parameter used in BLE connection request
491 *
492 * Parameters: scan_interval: scan interval
493 * scan_window: scan window
494 *
495 * Returns void
496 *
497 ******************************************************************************/
BTM_BleSetConnScanParams(uint32_t scan_interval,uint32_t scan_window)498 void BTM_BleSetConnScanParams(uint32_t scan_interval, uint32_t scan_window) {
499 tBTM_BLE_CB* p_ble_cb = &btm_cb.ble_ctr_cb;
500 bool new_param = false;
501
502 if (BTM_BLE_ISVALID_PARAM(scan_interval, BTM_BLE_SCAN_INT_MIN,
503 BTM_BLE_SCAN_INT_MAX) &&
504 BTM_BLE_ISVALID_PARAM(scan_window, BTM_BLE_SCAN_WIN_MIN,
505 BTM_BLE_SCAN_WIN_MAX)) {
506 if (p_ble_cb->scan_int != scan_interval) {
507 p_ble_cb->scan_int = scan_interval;
508 new_param = true;
509 }
510
511 if (p_ble_cb->scan_win != scan_window) {
512 p_ble_cb->scan_win = scan_window;
513 new_param = true;
514 }
515
516 if (new_param && p_ble_cb->conn_state == BLE_BG_CONN) {
517 btm_ble_suspend_bg_conn();
518 }
519 } else {
520 BTM_TRACE_ERROR("Illegal Connection Scan Parameters");
521 }
522 }
523
524 /********************************************************
525 *
526 * Function BTM_BleSetPrefConnParams
527 *
528 * Description Set a peripheral's preferred connection parameters
529 *
530 * Parameters: bd_addr - BD address of the peripheral
531 * scan_interval: scan interval
532 * scan_window: scan window
533 * min_conn_int - minimum preferred connection interval
534 * max_conn_int - maximum preferred connection interval
535 * slave_latency - preferred slave latency
536 * supervision_tout - preferred supervision timeout
537 *
538 * Returns void
539 *
540 ******************************************************************************/
BTM_BleSetPrefConnParams(const RawAddress & bd_addr,uint16_t min_conn_int,uint16_t max_conn_int,uint16_t slave_latency,uint16_t supervision_tout)541 void BTM_BleSetPrefConnParams(const RawAddress& bd_addr, uint16_t min_conn_int,
542 uint16_t max_conn_int, uint16_t slave_latency,
543 uint16_t supervision_tout) {
544 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
545
546 BTM_TRACE_API(
547 "BTM_BleSetPrefConnParams min: %u max: %u latency: %u \
548 tout: %u",
549 min_conn_int, max_conn_int, slave_latency, supervision_tout);
550
551 if (BTM_BLE_ISVALID_PARAM(min_conn_int, BTM_BLE_CONN_INT_MIN,
552 BTM_BLE_CONN_INT_MAX) &&
553 BTM_BLE_ISVALID_PARAM(max_conn_int, BTM_BLE_CONN_INT_MIN,
554 BTM_BLE_CONN_INT_MAX) &&
555 BTM_BLE_ISVALID_PARAM(supervision_tout, BTM_BLE_CONN_SUP_TOUT_MIN,
556 BTM_BLE_CONN_SUP_TOUT_MAX) &&
557 (slave_latency <= BTM_BLE_CONN_LATENCY_MAX ||
558 slave_latency == BTM_BLE_CONN_PARAM_UNDEF)) {
559 if (p_dev_rec) {
560 /* expect conn int and stout and slave latency to be updated all together
561 */
562 if (min_conn_int != BTM_BLE_CONN_PARAM_UNDEF ||
563 max_conn_int != BTM_BLE_CONN_PARAM_UNDEF) {
564 if (min_conn_int != BTM_BLE_CONN_PARAM_UNDEF)
565 p_dev_rec->conn_params.min_conn_int = min_conn_int;
566 else
567 p_dev_rec->conn_params.min_conn_int = max_conn_int;
568
569 if (max_conn_int != BTM_BLE_CONN_PARAM_UNDEF)
570 p_dev_rec->conn_params.max_conn_int = max_conn_int;
571 else
572 p_dev_rec->conn_params.max_conn_int = min_conn_int;
573
574 if (slave_latency != BTM_BLE_CONN_PARAM_UNDEF)
575 p_dev_rec->conn_params.slave_latency = slave_latency;
576 else
577 p_dev_rec->conn_params.slave_latency = BTM_BLE_CONN_SLAVE_LATENCY_DEF;
578
579 if (supervision_tout != BTM_BLE_CONN_PARAM_UNDEF)
580 p_dev_rec->conn_params.supervision_tout = supervision_tout;
581 else
582 p_dev_rec->conn_params.supervision_tout = BTM_BLE_CONN_TIMEOUT_DEF;
583 }
584
585 } else {
586 BTM_TRACE_ERROR("Unknown Device, setting rejected");
587 }
588 } else {
589 BTM_TRACE_ERROR("Illegal Connection Parameters");
590 }
591 }
592
593 /*******************************************************************************
594 *
595 * Function BTM_ReadDevInfo
596 *
597 * Description This function is called to read the device/address type
598 * of BD address.
599 *
600 * Parameter remote_bda: remote device address
601 * p_dev_type: output parameter to read the device type.
602 * p_addr_type: output parameter to read the address type.
603 *
604 ******************************************************************************/
BTM_ReadDevInfo(const RawAddress & remote_bda,tBT_DEVICE_TYPE * p_dev_type,tBLE_ADDR_TYPE * p_addr_type)605 void BTM_ReadDevInfo(const RawAddress& remote_bda, tBT_DEVICE_TYPE* p_dev_type,
606 tBLE_ADDR_TYPE* p_addr_type) {
607 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(remote_bda);
608 tBTM_INQ_INFO* p_inq_info = BTM_InqDbRead(remote_bda);
609
610 *p_addr_type = BLE_ADDR_PUBLIC;
611
612 if (!p_dev_rec) {
613 *p_dev_type = BT_DEVICE_TYPE_BREDR;
614 /* Check with the BT manager if details about remote device are known */
615 if (p_inq_info != NULL) {
616 *p_dev_type = p_inq_info->results.device_type;
617 *p_addr_type = p_inq_info->results.ble_addr_type;
618 } else {
619 /* unknown device, assume BR/EDR */
620 BTM_TRACE_DEBUG("btm_find_dev_type - unknown device, BR/EDR assumed");
621 }
622 } else /* there is a security device record exisitng */
623 {
624 /* new inquiry result, overwrite device type in security device record */
625 if (p_inq_info) {
626 p_dev_rec->device_type = p_inq_info->results.device_type;
627 p_dev_rec->ble.ble_addr_type = p_inq_info->results.ble_addr_type;
628 }
629 if (p_dev_rec->bd_addr == remote_bda &&
630 p_dev_rec->ble.pseudo_addr == remote_bda) {
631 *p_dev_type = p_dev_rec->device_type;
632 *p_addr_type = p_dev_rec->ble.ble_addr_type;
633 } else if (p_dev_rec->ble.pseudo_addr == remote_bda) {
634 *p_dev_type = BT_DEVICE_TYPE_BLE;
635 *p_addr_type = p_dev_rec->ble.ble_addr_type;
636 } else /* matching static adddress only */
637 {
638 *p_dev_type = BT_DEVICE_TYPE_BREDR;
639 *p_addr_type = BLE_ADDR_PUBLIC;
640 }
641 }
642
643 BTM_TRACE_DEBUG("btm_find_dev_type - device_type = %d addr_type = %d",
644 *p_dev_type, *p_addr_type);
645 }
646
647 /*******************************************************************************
648 *
649 * Function BTM_ReadConnectedTransportAddress
650 *
651 * Description This function is called to read the paired device/address
652 * type of other device paired corresponding to the BD_address
653 *
654 * Parameter remote_bda: remote device address, carry out the transport
655 * address
656 * transport: active transport
657 *
658 * Return true if an active link is identified; false otherwise
659 *
660 ******************************************************************************/
BTM_ReadConnectedTransportAddress(RawAddress * remote_bda,tBT_TRANSPORT transport)661 bool BTM_ReadConnectedTransportAddress(RawAddress* remote_bda,
662 tBT_TRANSPORT transport) {
663 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(*remote_bda);
664
665 /* if no device can be located, return */
666 if (p_dev_rec == NULL) return false;
667
668 if (transport == BT_TRANSPORT_BR_EDR) {
669 if (btm_bda_to_acl(p_dev_rec->bd_addr, transport) != NULL) {
670 *remote_bda = p_dev_rec->bd_addr;
671 return true;
672 } else if (p_dev_rec->device_type & BT_DEVICE_TYPE_BREDR) {
673 *remote_bda = p_dev_rec->bd_addr;
674 } else
675 *remote_bda = RawAddress::kEmpty;
676 return false;
677 }
678
679 if (transport == BT_TRANSPORT_LE) {
680 *remote_bda = p_dev_rec->ble.pseudo_addr;
681 if (btm_bda_to_acl(p_dev_rec->ble.pseudo_addr, transport) != NULL)
682 return true;
683 else
684 return false;
685 }
686
687 return false;
688 }
689
690 /*******************************************************************************
691 *
692 * Function BTM_BleReceiverTest
693 *
694 * Description This function is called to start the LE Receiver test
695 *
696 * Parameter rx_freq - Frequency Range
697 * p_cmd_cmpl_cback - Command Complete callback
698 *
699 ******************************************************************************/
BTM_BleReceiverTest(uint8_t rx_freq,tBTM_CMPL_CB * p_cmd_cmpl_cback)700 void BTM_BleReceiverTest(uint8_t rx_freq, tBTM_CMPL_CB* p_cmd_cmpl_cback) {
701 btm_cb.devcb.p_le_test_cmd_cmpl_cb = p_cmd_cmpl_cback;
702
703 btsnd_hcic_ble_receiver_test(rx_freq);
704 }
705
706 /*******************************************************************************
707 *
708 * Function BTM_BleTransmitterTest
709 *
710 * Description This function is called to start the LE Transmitter test
711 *
712 * Parameter tx_freq - Frequency Range
713 * test_data_len - Length in bytes of payload data in each
714 * packet
715 * packet_payload - Pattern to use in the payload
716 * p_cmd_cmpl_cback - Command Complete callback
717 *
718 ******************************************************************************/
BTM_BleTransmitterTest(uint8_t tx_freq,uint8_t test_data_len,uint8_t packet_payload,tBTM_CMPL_CB * p_cmd_cmpl_cback)719 void BTM_BleTransmitterTest(uint8_t tx_freq, uint8_t test_data_len,
720 uint8_t packet_payload,
721 tBTM_CMPL_CB* p_cmd_cmpl_cback) {
722 btm_cb.devcb.p_le_test_cmd_cmpl_cb = p_cmd_cmpl_cback;
723 btsnd_hcic_ble_transmitter_test(tx_freq, test_data_len, packet_payload);
724 }
725
726 /*******************************************************************************
727 *
728 * Function BTM_BleTestEnd
729 *
730 * Description This function is called to stop the in-progress TX or RX
731 * test
732 *
733 * Parameter p_cmd_cmpl_cback - Command complete callback
734 *
735 ******************************************************************************/
BTM_BleTestEnd(tBTM_CMPL_CB * p_cmd_cmpl_cback)736 void BTM_BleTestEnd(tBTM_CMPL_CB* p_cmd_cmpl_cback) {
737 btm_cb.devcb.p_le_test_cmd_cmpl_cb = p_cmd_cmpl_cback;
738
739 btsnd_hcic_ble_test_end();
740 }
741
742 /*******************************************************************************
743 * Internal Functions
744 ******************************************************************************/
btm_ble_test_command_complete(uint8_t * p)745 void btm_ble_test_command_complete(uint8_t* p) {
746 tBTM_CMPL_CB* p_cb = btm_cb.devcb.p_le_test_cmd_cmpl_cb;
747
748 btm_cb.devcb.p_le_test_cmd_cmpl_cb = NULL;
749
750 if (p_cb) {
751 (*p_cb)(p);
752 }
753 }
754
755 /*******************************************************************************
756 *
757 * Function BTM_UseLeLink
758 *
759 * Description This function is to select the underlying physical link to
760 * use.
761 *
762 * Returns true to use LE, false use BR/EDR.
763 *
764 ******************************************************************************/
BTM_UseLeLink(const RawAddress & bd_addr)765 bool BTM_UseLeLink(const RawAddress& bd_addr) {
766 tACL_CONN* p;
767 tBT_DEVICE_TYPE dev_type;
768 tBLE_ADDR_TYPE addr_type;
769 bool use_le = false;
770
771 p = btm_bda_to_acl(bd_addr, BT_TRANSPORT_BR_EDR);
772 if (p != NULL) {
773 return use_le;
774 } else {
775 p = btm_bda_to_acl(bd_addr, BT_TRANSPORT_LE);
776 if (p != NULL) {
777 use_le = true;
778 } else {
779 BTM_ReadDevInfo(bd_addr, &dev_type, &addr_type);
780 use_le = (dev_type == BT_DEVICE_TYPE_BLE);
781 }
782 }
783 return use_le;
784 }
785
786 /*******************************************************************************
787 *
788 * Function BTM_SetBleDataLength
789 *
790 * Description This function is to set maximum BLE transmission packet size
791 *
792 * Returns BTM_SUCCESS if success; otherwise failed.
793 *
794 ******************************************************************************/
BTM_SetBleDataLength(const RawAddress & bd_addr,uint16_t tx_pdu_length)795 tBTM_STATUS BTM_SetBleDataLength(const RawAddress& bd_addr,
796 uint16_t tx_pdu_length) {
797 tACL_CONN* p_acl = btm_bda_to_acl(bd_addr, BT_TRANSPORT_LE);
798
799 if (p_acl == NULL) {
800 BTM_TRACE_ERROR("%s: Wrong mode: no LE link exist or LE not supported",
801 __func__);
802 return BTM_WRONG_MODE;
803 }
804
805 BTM_TRACE_DEBUG("%s: tx_pdu_length =%d", __func__, tx_pdu_length);
806
807 if (!controller_get_interface()->supports_ble_packet_extension()) {
808 BTM_TRACE_ERROR("%s failed, request not supported", __func__);
809 return BTM_ILLEGAL_VALUE;
810 }
811
812 if (!HCI_LE_DATA_LEN_EXT_SUPPORTED(p_acl->peer_le_features)) {
813 BTM_TRACE_ERROR("%s failed, peer does not support request", __func__);
814 return BTM_ILLEGAL_VALUE;
815 }
816
817 if (tx_pdu_length > BTM_BLE_DATA_SIZE_MAX)
818 tx_pdu_length = BTM_BLE_DATA_SIZE_MAX;
819 else if (tx_pdu_length < BTM_BLE_DATA_SIZE_MIN)
820 tx_pdu_length = BTM_BLE_DATA_SIZE_MIN;
821
822 /* always set the TxTime to be max, as controller does not care for now */
823 btsnd_hcic_ble_set_data_length(p_acl->hci_handle, tx_pdu_length,
824 BTM_BLE_DATA_TX_TIME_MAX);
825
826 return BTM_SUCCESS;
827 }
828
read_phy_cb(base::Callback<void (uint8_t tx_phy,uint8_t rx_phy,uint8_t status)> cb,uint8_t * data,uint16_t len)829 void read_phy_cb(
830 base::Callback<void(uint8_t tx_phy, uint8_t rx_phy, uint8_t status)> cb,
831 uint8_t* data, uint16_t len) {
832 uint8_t status, tx_phy, rx_phy;
833 uint16_t handle;
834
835 LOG_ASSERT(len == 5) << "Received bad response length: " << len;
836 uint8_t* pp = data;
837 STREAM_TO_UINT8(status, pp);
838 STREAM_TO_UINT16(handle, pp);
839 handle = handle & 0x0FFF;
840 STREAM_TO_UINT8(tx_phy, pp);
841 STREAM_TO_UINT8(rx_phy, pp);
842
843 DVLOG(1) << __func__ << " Received read_phy_cb";
844 cb.Run(tx_phy, rx_phy, status);
845 }
846
847 /*******************************************************************************
848 *
849 * Function BTM_BleReadPhy
850 *
851 * Description To read the current PHYs for specified LE connection
852 *
853 *
854 * Returns BTM_SUCCESS if command successfully sent to controller,
855 * BTM_MODE_UNSUPPORTED if local controller doesn't support LE
856 * 2M or LE Coded PHY,
857 * BTM_WRONG_MODE if Device in wrong mode for request.
858 *
859 ******************************************************************************/
BTM_BleReadPhy(const RawAddress & bd_addr,base::Callback<void (uint8_t tx_phy,uint8_t rx_phy,uint8_t status)> cb)860 void BTM_BleReadPhy(
861 const RawAddress& bd_addr,
862 base::Callback<void(uint8_t tx_phy, uint8_t rx_phy, uint8_t status)> cb) {
863 BTM_TRACE_DEBUG("%s", __func__);
864
865 tACL_CONN* p_acl = btm_bda_to_acl(bd_addr, BT_TRANSPORT_LE);
866
867 if (p_acl == NULL) {
868 BTM_TRACE_ERROR("%s: Wrong mode: no LE link exist or LE not supported",
869 __func__);
870 cb.Run(0, 0, HCI_ERR_NO_CONNECTION);
871 return;
872 }
873
874 // checking if local controller supports it!
875 if (!controller_get_interface()->supports_ble_2m_phy() &&
876 !controller_get_interface()->supports_ble_coded_phy()) {
877 BTM_TRACE_ERROR("%s failed, request not supported in local controller!",
878 __func__);
879 cb.Run(0, 0, GATT_REQ_NOT_SUPPORTED);
880 return;
881 }
882
883 uint16_t handle = p_acl->hci_handle;
884
885 const uint8_t len = HCIC_PARAM_SIZE_BLE_READ_PHY;
886 uint8_t data[len];
887 uint8_t* pp = data;
888 UINT16_TO_STREAM(pp, handle);
889 btu_hcif_send_cmd_with_cb(FROM_HERE, HCI_BLE_READ_PHY, data, len,
890 base::Bind(&read_phy_cb, std::move(cb)));
891 return;
892 }
893
doNothing(uint8_t * data,uint16_t len)894 void doNothing(uint8_t* data, uint16_t len) {}
895
896 /*******************************************************************************
897 *
898 * Function BTM_BleSetDefaultPhy
899 *
900 * Description To set preferred PHY for ensuing LE connections
901 *
902 *
903 * Returns BTM_SUCCESS if command successfully sent to controller,
904 * BTM_MODE_UNSUPPORTED if local controller doesn't support LE
905 * 2M or LE Coded PHY
906 *
907 ******************************************************************************/
BTM_BleSetDefaultPhy(uint8_t all_phys,uint8_t tx_phys,uint8_t rx_phys)908 tBTM_STATUS BTM_BleSetDefaultPhy(uint8_t all_phys, uint8_t tx_phys,
909 uint8_t rx_phys) {
910 BTM_TRACE_DEBUG("%s: all_phys = 0x%02x, tx_phys = 0x%02x, rx_phys = 0x%02x",
911 __func__, all_phys, tx_phys, rx_phys);
912
913 // checking if local controller supports it!
914 if (!controller_get_interface()->supports_ble_2m_phy() &&
915 !controller_get_interface()->supports_ble_coded_phy()) {
916 BTM_TRACE_ERROR("%s failed, request not supported in local controller!",
917 __func__);
918 return BTM_MODE_UNSUPPORTED;
919 }
920
921 const uint8_t len = HCIC_PARAM_SIZE_BLE_SET_DEFAULT_PHY;
922 uint8_t data[len];
923 uint8_t* pp = data;
924 UINT8_TO_STREAM(pp, all_phys);
925 UINT8_TO_STREAM(pp, tx_phys);
926 UINT8_TO_STREAM(pp, rx_phys);
927 btu_hcif_send_cmd_with_cb(FROM_HERE, HCI_BLE_SET_DEFAULT_PHY, data, len,
928 base::Bind(doNothing));
929 return BTM_SUCCESS;
930 }
931
932 /*******************************************************************************
933 *
934 * Function BTM_BleSetPhy
935 *
936 * Description To set PHY preferences for specified LE connection
937 *
938 *
939 * Returns BTM_SUCCESS if command successfully sent to controller,
940 * BTM_MODE_UNSUPPORTED if local controller doesn't support LE
941 * 2M or LE Coded PHY,
942 * BTM_ILLEGAL_VALUE if specified remote doesn't support LE 2M
943 * or LE Coded PHY,
944 * BTM_WRONG_MODE if Device in wrong mode for request.
945 *
946 ******************************************************************************/
BTM_BleSetPhy(const RawAddress & bd_addr,uint8_t tx_phys,uint8_t rx_phys,uint16_t phy_options)947 void BTM_BleSetPhy(const RawAddress& bd_addr, uint8_t tx_phys, uint8_t rx_phys,
948 uint16_t phy_options) {
949 tACL_CONN* p_acl = btm_bda_to_acl(bd_addr, BT_TRANSPORT_LE);
950
951 if (p_acl == NULL) {
952 BTM_TRACE_ERROR("%s: Wrong mode: no LE link exist or LE not supported",
953 __func__);
954 return;
955 }
956
957 uint8_t all_phys = 0;
958 if (tx_phys == 0) all_phys &= 0x01;
959 if (rx_phys == 0) all_phys &= 0x02;
960
961 BTM_TRACE_DEBUG(
962 "%s: all_phys = 0x%02x, tx_phys = 0x%02x, rx_phys = 0x%02x, phy_options "
963 "= 0x%04x",
964 __func__, all_phys, tx_phys, rx_phys, phy_options);
965
966 uint16_t handle = p_acl->hci_handle;
967
968 // checking if local controller supports it!
969 if (!controller_get_interface()->supports_ble_2m_phy() &&
970 !controller_get_interface()->supports_ble_coded_phy()) {
971 BTM_TRACE_ERROR("%s failed, request not supported in local controller!",
972 __func__);
973 gatt_notify_phy_updated(GATT_REQ_NOT_SUPPORTED, handle, tx_phys, rx_phys);
974 return;
975 }
976
977 if (!HCI_LE_2M_PHY_SUPPORTED(p_acl->peer_le_features) &&
978 !HCI_LE_CODED_PHY_SUPPORTED(p_acl->peer_le_features)) {
979 BTM_TRACE_ERROR("%s failed, peer does not support request", __func__);
980 gatt_notify_phy_updated(GATT_REQ_NOT_SUPPORTED, handle, tx_phys, rx_phys);
981 return;
982 }
983
984 const uint8_t len = HCIC_PARAM_SIZE_BLE_SET_PHY;
985 uint8_t data[len];
986 uint8_t* pp = data;
987 UINT16_TO_STREAM(pp, handle);
988 UINT8_TO_STREAM(pp, all_phys);
989 UINT8_TO_STREAM(pp, tx_phys);
990 UINT8_TO_STREAM(pp, rx_phys);
991 UINT16_TO_STREAM(pp, phy_options);
992 btu_hcif_send_cmd_with_cb(FROM_HERE, HCI_BLE_SET_PHY, data, len,
993 base::Bind(doNothing));
994 }
995
996 /*******************************************************************************
997 *
998 * Function btm_ble_determine_security_act
999 *
1000 * Description This function checks the security of current LE link
1001 * and returns the appropriate action that needs to be
1002 * taken to achieve the required security.
1003 *
1004 * Parameter is_originator - True if outgoing connection
1005 * bdaddr: remote device address
1006 * security_required: Security required for the service.
1007 *
1008 * Returns The appropriate security action required.
1009 *
1010 ******************************************************************************/
btm_ble_determine_security_act(bool is_originator,const RawAddress & bdaddr,uint16_t security_required)1011 tBTM_SEC_ACTION btm_ble_determine_security_act(bool is_originator,
1012 const RawAddress& bdaddr,
1013 uint16_t security_required) {
1014 tBTM_LE_AUTH_REQ auth_req = 0x00;
1015
1016 if (is_originator) {
1017 if ((security_required & BTM_SEC_OUT_FLAGS) == 0 &&
1018 (security_required & BTM_SEC_OUT_MITM) == 0) {
1019 BTM_TRACE_DEBUG("%s No security required for outgoing connection",
1020 __func__);
1021 return BTM_SEC_OK;
1022 }
1023
1024 if (security_required & BTM_SEC_OUT_MITM) auth_req |= BTM_LE_AUTH_REQ_MITM;
1025 } else {
1026 if ((security_required & BTM_SEC_IN_FLAGS) == 0 &&
1027 (security_required & BTM_SEC_IN_MITM) == 0) {
1028 BTM_TRACE_DEBUG("%s No security required for incoming connection",
1029 __func__);
1030 return BTM_SEC_OK;
1031 }
1032
1033 if (security_required & BTM_SEC_IN_MITM) auth_req |= BTM_LE_AUTH_REQ_MITM;
1034 }
1035
1036 tBTM_BLE_SEC_REQ_ACT ble_sec_act;
1037 btm_ble_link_sec_check(bdaddr, auth_req, &ble_sec_act);
1038
1039 BTM_TRACE_DEBUG("%s ble_sec_act %d", __func__, ble_sec_act);
1040
1041 if (ble_sec_act == BTM_BLE_SEC_REQ_ACT_DISCARD) return BTM_SEC_ENC_PENDING;
1042
1043 if (ble_sec_act == BTM_BLE_SEC_REQ_ACT_NONE) return BTM_SEC_OK;
1044
1045 uint8_t sec_flag = 0;
1046 BTM_GetSecurityFlagsByTransport(bdaddr, &sec_flag, BT_TRANSPORT_LE);
1047
1048 bool is_link_encrypted = false;
1049 bool is_key_mitm = false;
1050 if (sec_flag & (BTM_SEC_FLAG_ENCRYPTED | BTM_SEC_FLAG_LKEY_KNOWN)) {
1051 if (sec_flag & BTM_SEC_FLAG_ENCRYPTED) is_link_encrypted = true;
1052
1053 if (sec_flag & BTM_SEC_FLAG_LKEY_AUTHED) is_key_mitm = true;
1054 }
1055
1056 if (auth_req & BTM_LE_AUTH_REQ_MITM) {
1057 if (!is_key_mitm) {
1058 return BTM_SEC_ENCRYPT_MITM;
1059 } else {
1060 if (is_link_encrypted)
1061 return BTM_SEC_OK;
1062 else
1063 return BTM_SEC_ENCRYPT;
1064 }
1065 } else {
1066 if (is_link_encrypted)
1067 return BTM_SEC_OK;
1068 else
1069 return BTM_SEC_ENCRYPT_NO_MITM;
1070 }
1071
1072 return BTM_SEC_OK;
1073 }
1074
1075 /*******************************************************************************
1076 *
1077 * Function btm_ble_start_sec_check
1078 *
1079 * Description This function is to check and set the security required for
1080 * LE link for LE COC.
1081 *
1082 * Parameter bdaddr: remote device address.
1083 * psm : PSM of the LE COC sevice.
1084 * is_originator: true if outgoing connection.
1085 * p_callback : Pointer to the callback function.
1086 * p_ref_data : Pointer to be returned along with the callback.
1087 *
1088 * Returns true if link already meets the required security; otherwise
1089 * false.
1090 *
1091 ******************************************************************************/
btm_ble_start_sec_check(const RawAddress & bd_addr,uint16_t psm,bool is_originator,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data)1092 bool btm_ble_start_sec_check(const RawAddress& bd_addr, uint16_t psm,
1093 bool is_originator, tBTM_SEC_CALLBACK* p_callback,
1094 void* p_ref_data) {
1095 /* Find the service record for the PSM */
1096 tBTM_SEC_SERV_REC* p_serv_rec = btm_sec_find_first_serv(is_originator, psm);
1097
1098 /* If there is no application registered with this PSM do not allow connection
1099 */
1100 if (!p_serv_rec) {
1101 BTM_TRACE_WARNING("%s PSM: %d no application registerd", __func__, psm);
1102 (*p_callback)(&bd_addr, BT_TRANSPORT_LE, p_ref_data, BTM_MODE_UNSUPPORTED);
1103 return false;
1104 }
1105
1106 tBTM_SEC_ACTION sec_act = btm_ble_determine_security_act(
1107 is_originator, bd_addr, p_serv_rec->security_flags);
1108
1109 tBTM_BLE_SEC_ACT ble_sec_act = BTM_BLE_SEC_NONE;
1110 bool status = false;
1111
1112 switch (sec_act) {
1113 case BTM_SEC_OK:
1114 BTM_TRACE_DEBUG("%s Security met", __func__);
1115 p_callback(&bd_addr, BT_TRANSPORT_LE, p_ref_data, BTM_SUCCESS);
1116 status = true;
1117 break;
1118
1119 case BTM_SEC_ENCRYPT:
1120 BTM_TRACE_DEBUG("%s Encryption needs to be done", __func__);
1121 ble_sec_act = BTM_BLE_SEC_ENCRYPT;
1122 break;
1123
1124 case BTM_SEC_ENCRYPT_MITM:
1125 BTM_TRACE_DEBUG("%s Pairing with MITM needs to be done", __func__);
1126 ble_sec_act = BTM_BLE_SEC_ENCRYPT_MITM;
1127 break;
1128
1129 case BTM_SEC_ENCRYPT_NO_MITM:
1130 BTM_TRACE_DEBUG("%s Pairing with No MITM needs to be done", __func__);
1131 ble_sec_act = BTM_BLE_SEC_ENCRYPT_NO_MITM;
1132 break;
1133
1134 case BTM_SEC_ENC_PENDING:
1135 BTM_TRACE_DEBUG("%s Ecryption pending", __func__);
1136 break;
1137 }
1138
1139 if (ble_sec_act == BTM_BLE_SEC_NONE) return status;
1140
1141 tL2C_LCB* p_lcb = l2cu_find_lcb_by_bd_addr(bd_addr, BT_TRANSPORT_LE);
1142 p_lcb->sec_act = sec_act;
1143 BTM_SetEncryption(bd_addr, BT_TRANSPORT_LE, p_callback, p_ref_data,
1144 ble_sec_act);
1145
1146 return false;
1147 }
1148
1149 /*******************************************************************************
1150 *
1151 * Function btm_ble_rand_enc_complete
1152 *
1153 * Description This function is the callback functions for HCI_Rand command
1154 * and HCI_Encrypt command is completed.
1155 * This message is received from the HCI.
1156 *
1157 * Returns void
1158 *
1159 ******************************************************************************/
btm_ble_rand_enc_complete(uint8_t * p,uint16_t op_code,tBTM_RAND_ENC_CB * p_enc_cplt_cback)1160 void btm_ble_rand_enc_complete(uint8_t* p, uint16_t op_code,
1161 tBTM_RAND_ENC_CB* p_enc_cplt_cback) {
1162 tBTM_RAND_ENC params;
1163 uint8_t* p_dest = params.param_buf;
1164
1165 BTM_TRACE_DEBUG("btm_ble_rand_enc_complete");
1166
1167 memset(¶ms, 0, sizeof(tBTM_RAND_ENC));
1168
1169 /* If there was a callback address for vcs complete, call it */
1170 if (p_enc_cplt_cback && p) {
1171 /* Pass paramters to the callback function */
1172 STREAM_TO_UINT8(params.status, p); /* command status */
1173
1174 if (params.status == HCI_SUCCESS) {
1175 params.opcode = op_code;
1176
1177 if (op_code == HCI_BLE_RAND)
1178 params.param_len = BT_OCTET8_LEN;
1179 else
1180 params.param_len = BT_OCTET16_LEN;
1181
1182 /* Fetch return info from HCI event message */
1183 memcpy(p_dest, p, params.param_len);
1184 }
1185 if (p_enc_cplt_cback) /* Call the Encryption complete callback function */
1186 (*p_enc_cplt_cback)(¶ms);
1187 }
1188 }
1189
1190 /*******************************************************************************
1191 *
1192 * Function btm_ble_get_enc_key_type
1193 *
1194 * Description This function is to increment local sign counter
1195 * Returns None
1196 *
1197 ******************************************************************************/
btm_ble_increment_sign_ctr(const RawAddress & bd_addr,bool is_local)1198 void btm_ble_increment_sign_ctr(const RawAddress& bd_addr, bool is_local) {
1199 tBTM_SEC_DEV_REC* p_dev_rec;
1200
1201 BTM_TRACE_DEBUG("btm_ble_increment_sign_ctr is_local=%d", is_local);
1202
1203 p_dev_rec = btm_find_dev(bd_addr);
1204 if (p_dev_rec != NULL) {
1205 if (is_local)
1206 p_dev_rec->ble.keys.local_counter++;
1207 else
1208 p_dev_rec->ble.keys.counter++;
1209 BTM_TRACE_DEBUG("is_local=%d local sign counter=%d peer sign counter=%d",
1210 is_local, p_dev_rec->ble.keys.local_counter,
1211 p_dev_rec->ble.keys.counter);
1212 }
1213 }
1214
1215 /*******************************************************************************
1216 *
1217 * Function btm_ble_get_enc_key_type
1218 *
1219 * Description This function is to get the BLE key type that has been
1220 * exchanged betweem the local device and the peer device.
1221 *
1222 * Returns p_key_type: output parameter to carry the key type value.
1223 *
1224 ******************************************************************************/
btm_ble_get_enc_key_type(const RawAddress & bd_addr,uint8_t * p_key_types)1225 bool btm_ble_get_enc_key_type(const RawAddress& bd_addr, uint8_t* p_key_types) {
1226 tBTM_SEC_DEV_REC* p_dev_rec;
1227
1228 BTM_TRACE_DEBUG("btm_ble_get_enc_key_type");
1229
1230 p_dev_rec = btm_find_dev(bd_addr);
1231 if (p_dev_rec != NULL) {
1232 *p_key_types = p_dev_rec->ble.key_type;
1233 return true;
1234 }
1235 return false;
1236 }
1237
1238 /*******************************************************************************
1239 *
1240 * Function btm_get_local_div
1241 *
1242 * Description This function is called to read the local DIV
1243 *
1244 * Returns TURE - if a valid DIV is availavle
1245 ******************************************************************************/
btm_get_local_div(const RawAddress & bd_addr,uint16_t * p_div)1246 bool btm_get_local_div(const RawAddress& bd_addr, uint16_t* p_div) {
1247 tBTM_SEC_DEV_REC* p_dev_rec;
1248 bool status = false;
1249 VLOG(1) << __func__ << " bd_addr: " << bd_addr;
1250
1251 *p_div = 0;
1252 p_dev_rec = btm_find_dev(bd_addr);
1253
1254 if (p_dev_rec && p_dev_rec->ble.keys.div) {
1255 status = true;
1256 *p_div = p_dev_rec->ble.keys.div;
1257 }
1258 BTM_TRACE_DEBUG("btm_get_local_div status=%d (1-OK) DIV=0x%x", status,
1259 *p_div);
1260 return status;
1261 }
1262
1263 /*******************************************************************************
1264 *
1265 * Function btm_sec_save_le_key
1266 *
1267 * Description This function is called by the SMP to update
1268 * an BLE key. SMP is internal, whereas all the keys shall
1269 * be sent to the application. The function is also called
1270 * when application passes ble key stored in NVRAM to the
1271 * btm_sec.
1272 * pass_to_application parameter is false in this case.
1273 *
1274 * Returns void
1275 *
1276 ******************************************************************************/
btm_sec_save_le_key(const RawAddress & bd_addr,tBTM_LE_KEY_TYPE key_type,tBTM_LE_KEY_VALUE * p_keys,bool pass_to_application)1277 void btm_sec_save_le_key(const RawAddress& bd_addr, tBTM_LE_KEY_TYPE key_type,
1278 tBTM_LE_KEY_VALUE* p_keys, bool pass_to_application) {
1279 tBTM_SEC_DEV_REC* p_rec;
1280 tBTM_LE_EVT_DATA cb_data;
1281 uint8_t i;
1282
1283 BTM_TRACE_DEBUG("btm_sec_save_le_key key_type=0x%x pass_to_application=%d",
1284 key_type, pass_to_application);
1285 /* Store the updated key in the device database */
1286
1287 VLOG(1) << "bd_addr:" << bd_addr;
1288
1289 if ((p_rec = btm_find_dev(bd_addr)) != NULL &&
1290 (p_keys || key_type == BTM_LE_KEY_LID)) {
1291 btm_ble_init_pseudo_addr(p_rec, bd_addr);
1292
1293 switch (key_type) {
1294 case BTM_LE_KEY_PENC:
1295 memcpy(p_rec->ble.keys.pltk, p_keys->penc_key.ltk, BT_OCTET16_LEN);
1296 memcpy(p_rec->ble.keys.rand, p_keys->penc_key.rand, BT_OCTET8_LEN);
1297 p_rec->ble.keys.sec_level = p_keys->penc_key.sec_level;
1298 p_rec->ble.keys.ediv = p_keys->penc_key.ediv;
1299 p_rec->ble.keys.key_size = p_keys->penc_key.key_size;
1300 p_rec->ble.key_type |= BTM_LE_KEY_PENC;
1301 p_rec->sec_flags |= BTM_SEC_LE_LINK_KEY_KNOWN;
1302 if (p_keys->penc_key.sec_level == SMP_SEC_AUTHENTICATED)
1303 p_rec->sec_flags |= BTM_SEC_LE_LINK_KEY_AUTHED;
1304 else
1305 p_rec->sec_flags &= ~BTM_SEC_LE_LINK_KEY_AUTHED;
1306 BTM_TRACE_DEBUG(
1307 "BTM_LE_KEY_PENC key_type=0x%x sec_flags=0x%x sec_leve=0x%x",
1308 p_rec->ble.key_type, p_rec->sec_flags, p_rec->ble.keys.sec_level);
1309 break;
1310
1311 case BTM_LE_KEY_PID:
1312 for (i = 0; i < BT_OCTET16_LEN; i++) {
1313 p_rec->ble.keys.irk[i] = p_keys->pid_key.irk[i];
1314 }
1315
1316 // memcpy( p_rec->ble.keys.irk, p_keys->pid_key, BT_OCTET16_LEN); todo
1317 // will crash the system
1318 p_rec->ble.static_addr = p_keys->pid_key.static_addr;
1319 p_rec->ble.static_addr_type = p_keys->pid_key.addr_type;
1320 p_rec->ble.key_type |= BTM_LE_KEY_PID;
1321 BTM_TRACE_DEBUG(
1322 "%s: BTM_LE_KEY_PID key_type=0x%x save peer IRK, change bd_addr=%s "
1323 "to static_addr=%s",
1324 __func__, p_rec->ble.key_type, p_rec->bd_addr.ToString().c_str(),
1325 p_keys->pid_key.static_addr.ToString().c_str());
1326 /* update device record address as static address */
1327 p_rec->bd_addr = p_keys->pid_key.static_addr;
1328 /* combine DUMO device security record if needed */
1329 btm_consolidate_dev(p_rec);
1330 break;
1331
1332 case BTM_LE_KEY_PCSRK:
1333 memcpy(p_rec->ble.keys.pcsrk, p_keys->pcsrk_key.csrk, BT_OCTET16_LEN);
1334 p_rec->ble.keys.srk_sec_level = p_keys->pcsrk_key.sec_level;
1335 p_rec->ble.keys.counter = p_keys->pcsrk_key.counter;
1336 p_rec->ble.key_type |= BTM_LE_KEY_PCSRK;
1337 p_rec->sec_flags |= BTM_SEC_LE_LINK_KEY_KNOWN;
1338 if (p_keys->pcsrk_key.sec_level == SMP_SEC_AUTHENTICATED)
1339 p_rec->sec_flags |= BTM_SEC_LE_LINK_KEY_AUTHED;
1340 else
1341 p_rec->sec_flags &= ~BTM_SEC_LE_LINK_KEY_AUTHED;
1342
1343 BTM_TRACE_DEBUG(
1344 "BTM_LE_KEY_PCSRK key_type=0x%x sec_flags=0x%x sec_level=0x%x "
1345 "peer_counter=%d",
1346 p_rec->ble.key_type, p_rec->sec_flags,
1347 p_rec->ble.keys.srk_sec_level, p_rec->ble.keys.counter);
1348 break;
1349
1350 case BTM_LE_KEY_LENC:
1351 memcpy(p_rec->ble.keys.lltk, p_keys->lenc_key.ltk, BT_OCTET16_LEN);
1352 p_rec->ble.keys.div = p_keys->lenc_key.div; /* update DIV */
1353 p_rec->ble.keys.sec_level = p_keys->lenc_key.sec_level;
1354 p_rec->ble.keys.key_size = p_keys->lenc_key.key_size;
1355 p_rec->ble.key_type |= BTM_LE_KEY_LENC;
1356
1357 BTM_TRACE_DEBUG(
1358 "BTM_LE_KEY_LENC key_type=0x%x DIV=0x%x key_size=0x%x "
1359 "sec_level=0x%x",
1360 p_rec->ble.key_type, p_rec->ble.keys.div, p_rec->ble.keys.key_size,
1361 p_rec->ble.keys.sec_level);
1362 break;
1363
1364 case BTM_LE_KEY_LCSRK: /* local CSRK has been delivered */
1365 memcpy(p_rec->ble.keys.lcsrk, p_keys->lcsrk_key.csrk, BT_OCTET16_LEN);
1366 p_rec->ble.keys.div = p_keys->lcsrk_key.div; /* update DIV */
1367 p_rec->ble.keys.local_csrk_sec_level = p_keys->lcsrk_key.sec_level;
1368 p_rec->ble.keys.local_counter = p_keys->lcsrk_key.counter;
1369 p_rec->ble.key_type |= BTM_LE_KEY_LCSRK;
1370 BTM_TRACE_DEBUG(
1371 "BTM_LE_KEY_LCSRK key_type=0x%x DIV=0x%x scrk_sec_level=0x%x "
1372 "local_counter=%d",
1373 p_rec->ble.key_type, p_rec->ble.keys.div,
1374 p_rec->ble.keys.local_csrk_sec_level,
1375 p_rec->ble.keys.local_counter);
1376 break;
1377
1378 case BTM_LE_KEY_LID:
1379 p_rec->ble.key_type |= BTM_LE_KEY_LID;
1380 break;
1381 default:
1382 BTM_TRACE_WARNING("btm_sec_save_le_key (Bad key_type 0x%02x)",
1383 key_type);
1384 return;
1385 }
1386
1387 VLOG(1) << "BLE key type 0x" << loghex(key_type)
1388 << " updated for BDA: " << bd_addr << " (btm_sec_save_le_key)";
1389
1390 /* Notify the application that one of the BLE keys has been updated
1391 If link key is in progress, it will get sent later.*/
1392 if (pass_to_application && btm_cb.api.p_le_callback) {
1393 cb_data.key.p_key_value = p_keys;
1394 cb_data.key.key_type = key_type;
1395
1396 (*btm_cb.api.p_le_callback)(BTM_LE_KEY_EVT, bd_addr, &cb_data);
1397 }
1398 return;
1399 }
1400
1401 LOG(WARNING) << "BLE key type 0x" << loghex(key_type)
1402 << " called for Unknown BDA or type: " << bd_addr
1403 << "(btm_sec_save_le_key)";
1404
1405 if (p_rec) {
1406 BTM_TRACE_DEBUG("sec_flags=0x%x", p_rec->sec_flags);
1407 }
1408 }
1409
1410 /*******************************************************************************
1411 *
1412 * Function btm_ble_update_sec_key_size
1413 *
1414 * Description update the current lin kencryption key size
1415 *
1416 * Returns void
1417 *
1418 ******************************************************************************/
btm_ble_update_sec_key_size(const RawAddress & bd_addr,uint8_t enc_key_size)1419 void btm_ble_update_sec_key_size(const RawAddress& bd_addr,
1420 uint8_t enc_key_size) {
1421 tBTM_SEC_DEV_REC* p_rec;
1422
1423 BTM_TRACE_DEBUG("btm_ble_update_sec_key_size enc_key_size = %d",
1424 enc_key_size);
1425
1426 p_rec = btm_find_dev(bd_addr);
1427 if (p_rec != NULL) {
1428 p_rec->enc_key_size = enc_key_size;
1429 }
1430 }
1431
1432 /*******************************************************************************
1433 *
1434 * Function btm_ble_read_sec_key_size
1435 *
1436 * Description update the current lin kencryption key size
1437 *
1438 * Returns void
1439 *
1440 ******************************************************************************/
btm_ble_read_sec_key_size(const RawAddress & bd_addr)1441 uint8_t btm_ble_read_sec_key_size(const RawAddress& bd_addr) {
1442 tBTM_SEC_DEV_REC* p_rec;
1443
1444 p_rec = btm_find_dev(bd_addr);
1445 if (p_rec != NULL) {
1446 return p_rec->enc_key_size;
1447 } else
1448 return 0;
1449 }
1450
1451 /*******************************************************************************
1452 *
1453 * Function btm_ble_link_sec_check
1454 *
1455 * Description Check BLE link security level match.
1456 *
1457 * Returns true: check is OK and the *p_sec_req_act contain the action
1458 *
1459 ******************************************************************************/
btm_ble_link_sec_check(const RawAddress & bd_addr,tBTM_LE_AUTH_REQ auth_req,tBTM_BLE_SEC_REQ_ACT * p_sec_req_act)1460 void btm_ble_link_sec_check(const RawAddress& bd_addr,
1461 tBTM_LE_AUTH_REQ auth_req,
1462 tBTM_BLE_SEC_REQ_ACT* p_sec_req_act) {
1463 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
1464 uint8_t req_sec_level = BTM_LE_SEC_NONE, cur_sec_level = BTM_LE_SEC_NONE;
1465
1466 BTM_TRACE_DEBUG("btm_ble_link_sec_check auth_req =0x%x", auth_req);
1467
1468 if (p_dev_rec == NULL) {
1469 BTM_TRACE_ERROR("btm_ble_link_sec_check received for unknown device");
1470 return;
1471 }
1472
1473 if (p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING ||
1474 p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING) {
1475 /* race condition: discard the security request while master is encrypting
1476 * the link */
1477 *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_DISCARD;
1478 } else {
1479 req_sec_level = BTM_LE_SEC_UNAUTHENTICATE;
1480 if (auth_req & BTM_LE_AUTH_REQ_MITM) {
1481 req_sec_level = BTM_LE_SEC_AUTHENTICATED;
1482 }
1483
1484 BTM_TRACE_DEBUG("dev_rec sec_flags=0x%x", p_dev_rec->sec_flags);
1485
1486 /* currently encrpted */
1487 if (p_dev_rec->sec_flags & BTM_SEC_LE_ENCRYPTED) {
1488 if (p_dev_rec->sec_flags & BTM_SEC_LE_AUTHENTICATED)
1489 cur_sec_level = BTM_LE_SEC_AUTHENTICATED;
1490 else
1491 cur_sec_level = BTM_LE_SEC_UNAUTHENTICATE;
1492 } else /* unencrypted link */
1493 {
1494 /* if bonded, get the key security level */
1495 if (p_dev_rec->ble.key_type & BTM_LE_KEY_PENC)
1496 cur_sec_level = p_dev_rec->ble.keys.sec_level;
1497 else
1498 cur_sec_level = BTM_LE_SEC_NONE;
1499 }
1500
1501 if (cur_sec_level >= req_sec_level) {
1502 /* To avoid re-encryption on an encrypted link for an equal condition
1503 * encryption */
1504 *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_ENCRYPT;
1505 } else {
1506 /* start the pariring process to upgrade the keys*/
1507 *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_PAIR;
1508 }
1509 }
1510
1511 BTM_TRACE_DEBUG("cur_sec_level=%d req_sec_level=%d sec_req_act=%d",
1512 cur_sec_level, req_sec_level, *p_sec_req_act);
1513 }
1514
1515 /*******************************************************************************
1516 *
1517 * Function btm_ble_set_encryption
1518 *
1519 * Description This function is called to ensure that LE connection is
1520 * encrypted. Should be called only on an open connection.
1521 * Typically only needed for connections that first want to
1522 * bring up unencrypted links, then later encrypt them.
1523 *
1524 * Returns void
1525 * the local device ER is copied into er
1526 *
1527 ******************************************************************************/
btm_ble_set_encryption(const RawAddress & bd_addr,tBTM_BLE_SEC_ACT sec_act,uint8_t link_role)1528 tBTM_STATUS btm_ble_set_encryption(const RawAddress& bd_addr,
1529 tBTM_BLE_SEC_ACT sec_act,
1530 uint8_t link_role) {
1531 tBTM_STATUS cmd = BTM_NO_RESOURCES;
1532 tBTM_SEC_DEV_REC* p_rec = btm_find_dev(bd_addr);
1533 tBTM_BLE_SEC_REQ_ACT sec_req_act;
1534 tBTM_LE_AUTH_REQ auth_req;
1535
1536 if (p_rec == NULL) {
1537 BTM_TRACE_WARNING(
1538 "btm_ble_set_encryption (NULL device record!! sec_act=0x%x", sec_act);
1539 return (BTM_WRONG_MODE);
1540 }
1541
1542 BTM_TRACE_DEBUG("btm_ble_set_encryption sec_act=0x%x role_master=%d", sec_act,
1543 p_rec->role_master);
1544
1545 if (sec_act == BTM_BLE_SEC_ENCRYPT_MITM) {
1546 p_rec->security_required |= BTM_SEC_IN_MITM;
1547 }
1548
1549 switch (sec_act) {
1550 case BTM_BLE_SEC_ENCRYPT:
1551 if (link_role == BTM_ROLE_MASTER) {
1552 /* start link layer encryption using the security info stored */
1553 cmd = btm_ble_start_encrypt(bd_addr, false, NULL);
1554 break;
1555 }
1556 /* if salve role then fall through to call SMP_Pair below which will send a
1557 sec_request to request the master to encrypt the link */
1558 case BTM_BLE_SEC_ENCRYPT_NO_MITM:
1559 case BTM_BLE_SEC_ENCRYPT_MITM:
1560 auth_req = (sec_act == BTM_BLE_SEC_ENCRYPT_NO_MITM)
1561 ? SMP_AUTH_BOND
1562 : (SMP_AUTH_BOND | SMP_AUTH_YN_BIT);
1563 btm_ble_link_sec_check(bd_addr, auth_req, &sec_req_act);
1564 if (sec_req_act == BTM_BLE_SEC_REQ_ACT_NONE ||
1565 sec_req_act == BTM_BLE_SEC_REQ_ACT_DISCARD) {
1566 BTM_TRACE_DEBUG("%s, no action needed. Ignore", __func__);
1567 cmd = BTM_SUCCESS;
1568 break;
1569 }
1570 if (link_role == BTM_ROLE_MASTER) {
1571 if (sec_req_act == BTM_BLE_SEC_REQ_ACT_ENCRYPT) {
1572 cmd = btm_ble_start_encrypt(bd_addr, false, NULL);
1573 break;
1574 }
1575 }
1576
1577 if (SMP_Pair(bd_addr) == SMP_STARTED) {
1578 cmd = BTM_CMD_STARTED;
1579 p_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING;
1580 }
1581 break;
1582
1583 default:
1584 cmd = BTM_WRONG_MODE;
1585 break;
1586 }
1587 return cmd;
1588 }
1589
1590 /*******************************************************************************
1591 *
1592 * Function btm_ble_ltk_request
1593 *
1594 * Description This function is called when encryption request is received
1595 * on a slave device.
1596 *
1597 *
1598 * Returns void
1599 *
1600 ******************************************************************************/
btm_ble_ltk_request(uint16_t handle,uint8_t rand[8],uint16_t ediv)1601 void btm_ble_ltk_request(uint16_t handle, uint8_t rand[8], uint16_t ediv) {
1602 tBTM_CB* p_cb = &btm_cb;
1603 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(handle);
1604 BT_OCTET8 dummy_stk = {0};
1605
1606 BTM_TRACE_DEBUG("btm_ble_ltk_request");
1607
1608 p_cb->ediv = ediv;
1609
1610 memcpy(p_cb->enc_rand, rand, BT_OCTET8_LEN);
1611
1612 if (p_dev_rec != NULL) {
1613 if (!smp_proc_ltk_request(p_dev_rec->bd_addr))
1614 btm_ble_ltk_request_reply(p_dev_rec->bd_addr, false, dummy_stk);
1615 }
1616 }
1617
1618 /*******************************************************************************
1619 *
1620 * Function btm_ble_start_encrypt
1621 *
1622 * Description This function is called to start LE encryption.
1623 *
1624 *
1625 * Returns BTM_SUCCESS if encryption was started successfully
1626 *
1627 ******************************************************************************/
btm_ble_start_encrypt(const RawAddress & bda,bool use_stk,BT_OCTET16 stk)1628 tBTM_STATUS btm_ble_start_encrypt(const RawAddress& bda, bool use_stk,
1629 BT_OCTET16 stk) {
1630 tBTM_CB* p_cb = &btm_cb;
1631 tBTM_SEC_DEV_REC* p_rec = btm_find_dev(bda);
1632 BT_OCTET8 dummy_rand = {0};
1633
1634 BTM_TRACE_DEBUG("btm_ble_start_encrypt");
1635
1636 if (!p_rec) {
1637 BTM_TRACE_ERROR("Link is not active, can not encrypt!");
1638 return BTM_WRONG_MODE;
1639 }
1640
1641 if (p_rec->sec_state == BTM_SEC_STATE_ENCRYPTING) {
1642 BTM_TRACE_WARNING("Link Encryption is active, Busy!");
1643 return BTM_BUSY;
1644 }
1645
1646 p_cb->enc_handle = p_rec->ble_hci_handle;
1647
1648 if (use_stk) {
1649 btsnd_hcic_ble_start_enc(p_rec->ble_hci_handle, dummy_rand, 0, stk);
1650 } else if (p_rec->ble.key_type & BTM_LE_KEY_PENC) {
1651 btsnd_hcic_ble_start_enc(p_rec->ble_hci_handle, p_rec->ble.keys.rand,
1652 p_rec->ble.keys.ediv, p_rec->ble.keys.pltk);
1653 } else {
1654 BTM_TRACE_ERROR("No key available to encrypt the link");
1655 return BTM_NO_RESOURCES;
1656 }
1657
1658 if (p_rec->sec_state == BTM_SEC_STATE_IDLE)
1659 p_rec->sec_state = BTM_SEC_STATE_ENCRYPTING;
1660
1661 return BTM_CMD_STARTED;
1662 }
1663
1664 /*******************************************************************************
1665 *
1666 * Function btm_ble_link_encrypted
1667 *
1668 * Description This function is called when LE link encrption status is
1669 * changed.
1670 *
1671 * Returns void
1672 *
1673 ******************************************************************************/
btm_ble_link_encrypted(const RawAddress & bd_addr,uint8_t encr_enable)1674 void btm_ble_link_encrypted(const RawAddress& bd_addr, uint8_t encr_enable) {
1675 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
1676 bool enc_cback;
1677
1678 if (!p_dev_rec) {
1679 BTM_TRACE_WARNING(
1680 "btm_ble_link_encrypted (No Device Found!) encr_enable=%d",
1681 encr_enable);
1682 return;
1683 }
1684
1685 BTM_TRACE_DEBUG("btm_ble_link_encrypted encr_enable=%d", encr_enable);
1686
1687 enc_cback = (p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING);
1688
1689 smp_link_encrypted(bd_addr, encr_enable);
1690
1691 BTM_TRACE_DEBUG(" p_dev_rec->sec_flags=0x%x", p_dev_rec->sec_flags);
1692
1693 if (encr_enable && p_dev_rec->enc_key_size == 0)
1694 p_dev_rec->enc_key_size = p_dev_rec->ble.keys.key_size;
1695
1696 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
1697 if (p_dev_rec->p_callback && enc_cback) {
1698 if (encr_enable)
1699 btm_sec_dev_rec_cback_event(p_dev_rec, BTM_SUCCESS, true);
1700 else if (p_dev_rec->role_master)
1701 btm_sec_dev_rec_cback_event(p_dev_rec, BTM_ERR_PROCESSING, true);
1702 }
1703 /* to notify GATT to send data if any request is pending */
1704 gatt_notify_enc_cmpl(p_dev_rec->ble.pseudo_addr);
1705 }
1706
1707 /*******************************************************************************
1708 *
1709 * Function btm_ble_ltk_request_reply
1710 *
1711 * Description This function is called to send a LTK request reply on a
1712 * slave
1713 * device.
1714 *
1715 * Returns void
1716 *
1717 ******************************************************************************/
btm_ble_ltk_request_reply(const RawAddress & bda,bool use_stk,BT_OCTET16 stk)1718 void btm_ble_ltk_request_reply(const RawAddress& bda, bool use_stk,
1719 BT_OCTET16 stk) {
1720 tBTM_SEC_DEV_REC* p_rec = btm_find_dev(bda);
1721 tBTM_CB* p_cb = &btm_cb;
1722
1723 if (p_rec == NULL) {
1724 BTM_TRACE_ERROR("btm_ble_ltk_request_reply received for unknown device");
1725 return;
1726 }
1727
1728 BTM_TRACE_DEBUG("btm_ble_ltk_request_reply");
1729 p_cb->enc_handle = p_rec->ble_hci_handle;
1730 p_cb->key_size = p_rec->ble.keys.key_size;
1731
1732 BTM_TRACE_ERROR("key size = %d", p_rec->ble.keys.key_size);
1733 if (use_stk) {
1734 btsnd_hcic_ble_ltk_req_reply(btm_cb.enc_handle, stk);
1735 } else /* calculate LTK using peer device */
1736 {
1737 if (p_rec->ble.key_type & BTM_LE_KEY_LENC)
1738 btsnd_hcic_ble_ltk_req_reply(btm_cb.enc_handle, p_rec->ble.keys.lltk);
1739 else
1740 btsnd_hcic_ble_ltk_req_neg_reply(btm_cb.enc_handle);
1741 }
1742 }
1743
1744 /*******************************************************************************
1745 *
1746 * Function btm_ble_io_capabilities_req
1747 *
1748 * Description This function is called to handle SMP get IO capability
1749 * request.
1750 *
1751 * Returns void
1752 *
1753 ******************************************************************************/
btm_ble_io_capabilities_req(tBTM_SEC_DEV_REC * p_dev_rec,tBTM_LE_IO_REQ * p_data)1754 uint8_t btm_ble_io_capabilities_req(tBTM_SEC_DEV_REC* p_dev_rec,
1755 tBTM_LE_IO_REQ* p_data) {
1756 uint8_t callback_rc = BTM_SUCCESS;
1757 BTM_TRACE_DEBUG("btm_ble_io_capabilities_req");
1758 if (btm_cb.api.p_le_callback) {
1759 /* the callback function implementation may change the IO capability... */
1760 callback_rc = (*btm_cb.api.p_le_callback)(
1761 BTM_LE_IO_REQ_EVT, p_dev_rec->bd_addr, (tBTM_LE_EVT_DATA*)p_data);
1762 }
1763 if ((callback_rc == BTM_SUCCESS) || (BTM_OOB_UNKNOWN != p_data->oob_data)) {
1764 #if (BTM_BLE_CONFORMANCE_TESTING == TRUE)
1765 if (btm_cb.devcb.keep_rfu_in_auth_req) {
1766 BTM_TRACE_DEBUG("btm_ble_io_capabilities_req keep_rfu_in_auth_req = %u",
1767 btm_cb.devcb.keep_rfu_in_auth_req);
1768 p_data->auth_req &= BTM_LE_AUTH_REQ_MASK_KEEP_RFU;
1769 btm_cb.devcb.keep_rfu_in_auth_req = false;
1770 } else { /* default */
1771 p_data->auth_req &= BTM_LE_AUTH_REQ_MASK;
1772 }
1773 #else
1774 p_data->auth_req &= BTM_LE_AUTH_REQ_MASK;
1775 #endif
1776
1777 BTM_TRACE_DEBUG(
1778 "btm_ble_io_capabilities_req 1: p_dev_rec->security_required = %d "
1779 "auth_req:%d",
1780 p_dev_rec->security_required, p_data->auth_req);
1781 BTM_TRACE_DEBUG(
1782 "btm_ble_io_capabilities_req 2: i_keys=0x%x r_keys=0x%x (bit 0-LTK "
1783 "1-IRK 2-CSRK)",
1784 p_data->init_keys, p_data->resp_keys);
1785
1786 /* if authentication requires MITM protection, put on the mask */
1787 if (p_dev_rec->security_required & BTM_SEC_IN_MITM)
1788 p_data->auth_req |= BTM_LE_AUTH_REQ_MITM;
1789
1790 if (!(p_data->auth_req & SMP_AUTH_BOND)) {
1791 BTM_TRACE_DEBUG("Non bonding: No keys should be exchanged");
1792 p_data->init_keys = 0;
1793 p_data->resp_keys = 0;
1794 }
1795
1796 BTM_TRACE_DEBUG("btm_ble_io_capabilities_req 3: auth_req:%d",
1797 p_data->auth_req);
1798 BTM_TRACE_DEBUG("btm_ble_io_capabilities_req 4: i_keys=0x%x r_keys=0x%x",
1799 p_data->init_keys, p_data->resp_keys);
1800
1801 BTM_TRACE_DEBUG(
1802 "btm_ble_io_capabilities_req 5: p_data->io_cap = %d auth_req:%d",
1803 p_data->io_cap, p_data->auth_req);
1804
1805 /* remove MITM protection requirement if IO cap does not allow it */
1806 if ((p_data->io_cap == BTM_IO_CAP_NONE) && p_data->oob_data == SMP_OOB_NONE)
1807 p_data->auth_req &= ~BTM_LE_AUTH_REQ_MITM;
1808
1809 if (!(p_data->auth_req & SMP_SC_SUPPORT_BIT)) {
1810 /* if Secure Connections are not supported then remove LK derivation,
1811 ** and keypress notifications.
1812 */
1813 BTM_TRACE_DEBUG(
1814 "%s-SC not supported -> No LK derivation, no keypress notifications",
1815 __func__);
1816 p_data->auth_req &= ~SMP_KP_SUPPORT_BIT;
1817 p_data->init_keys &= ~SMP_SEC_KEY_TYPE_LK;
1818 p_data->resp_keys &= ~SMP_SEC_KEY_TYPE_LK;
1819 }
1820
1821 BTM_TRACE_DEBUG(
1822 "btm_ble_io_capabilities_req 6: IO_CAP:%d oob_data:%d auth_req:0x%02x",
1823 p_data->io_cap, p_data->oob_data, p_data->auth_req);
1824 }
1825 return callback_rc;
1826 }
1827
1828 /*******************************************************************************
1829 *
1830 * Function btm_ble_br_keys_req
1831 *
1832 * Description This function is called to handle SMP request for keys sent
1833 * over BR/EDR.
1834 *
1835 * Returns void
1836 *
1837 ******************************************************************************/
btm_ble_br_keys_req(tBTM_SEC_DEV_REC * p_dev_rec,tBTM_LE_IO_REQ * p_data)1838 uint8_t btm_ble_br_keys_req(tBTM_SEC_DEV_REC* p_dev_rec,
1839 tBTM_LE_IO_REQ* p_data) {
1840 uint8_t callback_rc = BTM_SUCCESS;
1841 BTM_TRACE_DEBUG("%s", __func__);
1842 if (btm_cb.api.p_le_callback) {
1843 /* the callback function implementation may change the IO capability... */
1844 callback_rc = (*btm_cb.api.p_le_callback)(
1845 BTM_LE_IO_REQ_EVT, p_dev_rec->bd_addr, (tBTM_LE_EVT_DATA*)p_data);
1846 }
1847
1848 return callback_rc;
1849 }
1850
1851 /*******************************************************************************
1852 *
1853 * Function btm_ble_connected
1854 *
1855 * Description This function is when a LE connection to the peer device is
1856 * establsihed
1857 *
1858 * Returns void
1859 *
1860 ******************************************************************************/
btm_ble_connected(const RawAddress & bda,uint16_t handle,uint8_t enc_mode,uint8_t role,tBLE_ADDR_TYPE addr_type,UNUSED_ATTR bool addr_matched)1861 void btm_ble_connected(const RawAddress& bda, uint16_t handle, uint8_t enc_mode,
1862 uint8_t role, tBLE_ADDR_TYPE addr_type,
1863 UNUSED_ATTR bool addr_matched) {
1864 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bda);
1865 tBTM_BLE_CB* p_cb = &btm_cb.ble_ctr_cb;
1866
1867 BTM_TRACE_EVENT("btm_ble_connected");
1868
1869 /* Commenting out trace due to obf/compilation problems.
1870 */
1871 if (p_dev_rec) {
1872 VLOG(1) << __func__ << " Security Manager: handle:" << handle
1873 << " enc_mode:" << loghex(enc_mode) << " bda: " << bda
1874 << " RName: " << p_dev_rec->sec_bd_name
1875 << " p_dev_rec:" << p_dev_rec;
1876
1877 BTM_TRACE_DEBUG("btm_ble_connected sec_flags=0x%x", p_dev_rec->sec_flags);
1878 } else {
1879 VLOG(1) << __func__ << " Security Manager: handle:" << handle
1880 << " enc_mode:" << loghex(enc_mode) << " bda: " << bda
1881 << " p_dev_rec:" << p_dev_rec;
1882 }
1883
1884 if (!p_dev_rec) {
1885 /* There is no device record for new connection. Allocate one */
1886 p_dev_rec = btm_sec_alloc_dev(bda);
1887 if (p_dev_rec == NULL) return;
1888 } else /* Update the timestamp for this device */
1889 {
1890 p_dev_rec->timestamp = btm_cb.dev_rec_count++;
1891 }
1892
1893 /* update device information */
1894 p_dev_rec->device_type |= BT_DEVICE_TYPE_BLE;
1895 p_dev_rec->ble_hci_handle = handle;
1896 p_dev_rec->ble.ble_addr_type = addr_type;
1897 /* update pseudo address */
1898 p_dev_rec->ble.pseudo_addr = bda;
1899
1900 p_dev_rec->role_master = false;
1901 if (role == HCI_ROLE_MASTER) p_dev_rec->role_master = true;
1902
1903 #if (BLE_PRIVACY_SPT == TRUE)
1904 if (!addr_matched) p_dev_rec->ble.active_addr_type = BTM_BLE_ADDR_PSEUDO;
1905
1906 if (p_dev_rec->ble.ble_addr_type == BLE_ADDR_RANDOM && !addr_matched)
1907 p_dev_rec->ble.cur_rand_addr = bda;
1908 #endif
1909
1910 p_cb->inq_var.directed_conn = BTM_BLE_CONNECT_EVT;
1911
1912 return;
1913 }
1914
1915 /*****************************************************************************
1916 * Function btm_ble_conn_complete
1917 *
1918 * Description LE connection complete.
1919 *
1920 *****************************************************************************/
btm_ble_conn_complete(uint8_t * p,UNUSED_ATTR uint16_t evt_len,bool enhanced)1921 void btm_ble_conn_complete(uint8_t* p, UNUSED_ATTR uint16_t evt_len,
1922 bool enhanced) {
1923 #if (BLE_PRIVACY_SPT == TRUE)
1924 uint8_t peer_addr_type;
1925 #endif
1926 RawAddress local_rpa, peer_rpa;
1927 uint8_t role, status, bda_type;
1928 uint16_t handle;
1929 RawAddress bda;
1930 uint16_t conn_interval, conn_latency, conn_timeout;
1931 bool match = false;
1932
1933 STREAM_TO_UINT8(status, p);
1934 STREAM_TO_UINT16(handle, p);
1935 STREAM_TO_UINT8(role, p);
1936 STREAM_TO_UINT8(bda_type, p);
1937 STREAM_TO_BDADDR(bda, p);
1938
1939 if (status == 0) {
1940 if (enhanced) {
1941 STREAM_TO_BDADDR(local_rpa, p);
1942 STREAM_TO_BDADDR(peer_rpa, p);
1943 }
1944
1945 STREAM_TO_UINT16(conn_interval, p);
1946 STREAM_TO_UINT16(conn_latency, p);
1947 STREAM_TO_UINT16(conn_timeout, p);
1948 handle = HCID_GET_HANDLE(handle);
1949
1950 #if (BLE_PRIVACY_SPT == TRUE)
1951 peer_addr_type = bda_type;
1952 match = btm_identity_addr_to_random_pseudo(&bda, &bda_type, true);
1953
1954 /* possiblly receive connection complete with resolvable random while
1955 the device has been paired */
1956 if (!match && BTM_BLE_IS_RESOLVE_BDA(bda)) {
1957 tBTM_SEC_DEV_REC* match_rec = btm_ble_resolve_random_addr(bda);
1958 if (match_rec) {
1959 LOG_INFO(LOG_TAG, "%s matched and resolved random address", __func__);
1960 match = true;
1961 match_rec->ble.active_addr_type = BTM_BLE_ADDR_RRA;
1962 match_rec->ble.cur_rand_addr = bda;
1963 if (!btm_ble_init_pseudo_addr(match_rec, bda)) {
1964 /* assign the original address to be the current report address */
1965 bda = match_rec->ble.pseudo_addr;
1966 } else {
1967 bda = match_rec->bd_addr;
1968 }
1969 } else {
1970 LOG_INFO(LOG_TAG, "%s unable to match and resolve random address",
1971 __func__);
1972 }
1973 }
1974 #endif
1975
1976 btm_ble_connected(bda, handle, HCI_ENCRYPT_MODE_DISABLED, role, bda_type,
1977 match);
1978
1979 l2cble_conn_comp(handle, role, bda, bda_type, conn_interval, conn_latency,
1980 conn_timeout);
1981
1982 #if (BLE_PRIVACY_SPT == TRUE)
1983 if (enhanced) {
1984 btm_ble_refresh_local_resolvable_private_addr(bda, local_rpa);
1985
1986 if (peer_addr_type & BLE_ADDR_TYPE_ID_BIT)
1987 btm_ble_refresh_peer_resolvable_private_addr(bda, peer_rpa,
1988 BLE_ADDR_RANDOM);
1989 }
1990 #endif
1991 } else {
1992 role = HCI_ROLE_UNKNOWN;
1993 if (status != HCI_ERR_ADVERTISING_TIMEOUT) {
1994 btm_ble_set_conn_st(BLE_CONN_IDLE);
1995 #if (BLE_PRIVACY_SPT == TRUE)
1996 btm_ble_disable_resolving_list(BTM_BLE_RL_INIT, true);
1997 #endif
1998 } else {
1999 #if (BLE_PRIVACY_SPT == TRUE)
2000 btm_cb.ble_ctr_cb.inq_var.adv_mode = BTM_BLE_ADV_DISABLE;
2001 btm_ble_disable_resolving_list(BTM_BLE_RL_ADV, true);
2002 #endif
2003 }
2004 }
2005
2006 btm_ble_update_mode_operation(role, &bda, status);
2007
2008 if (role == HCI_ROLE_SLAVE)
2009 btm_ble_advertiser_notify_terminated_legacy(status, handle);
2010 }
2011
2012 /*****************************************************************************
2013 * Function btm_ble_create_ll_conn_complete
2014 *
2015 * Description LE connection complete.
2016 *
2017 *****************************************************************************/
btm_ble_create_ll_conn_complete(uint8_t status)2018 void btm_ble_create_ll_conn_complete(uint8_t status) {
2019 if (status == HCI_SUCCESS) return;
2020
2021 btm_ble_set_conn_st(BLE_CONN_IDLE);
2022 btm_ble_update_mode_operation(HCI_ROLE_UNKNOWN, NULL, status);
2023
2024 LOG(WARNING) << "LE Create Connection attempt failed, status="
2025 << loghex(status);
2026
2027 if (status == HCI_ERR_COMMAND_DISALLOWED) {
2028 /* There is already either direct connect, or whitelist connection
2029 * pending, but we don't know which one, or to which state should we
2030 * transition now. This can be triggered only in case of rare race
2031 * condition. Crash to recover. */
2032 LOG(FATAL) << "LE Create Connection - command disallowed";
2033 }
2034 }
2035 /*****************************************************************************
2036 * Function btm_proc_smp_cback
2037 *
2038 * Description This function is the SMP callback handler.
2039 *
2040 *****************************************************************************/
btm_proc_smp_cback(tSMP_EVT event,const RawAddress & bd_addr,tSMP_EVT_DATA * p_data)2041 uint8_t btm_proc_smp_cback(tSMP_EVT event, const RawAddress& bd_addr,
2042 tSMP_EVT_DATA* p_data) {
2043 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
2044 uint8_t res = 0;
2045
2046 BTM_TRACE_DEBUG("btm_proc_smp_cback event = %d", event);
2047
2048 if (p_dev_rec != NULL) {
2049 switch (event) {
2050 case SMP_IO_CAP_REQ_EVT:
2051 btm_ble_io_capabilities_req(p_dev_rec,
2052 (tBTM_LE_IO_REQ*)&p_data->io_req);
2053 break;
2054
2055 case SMP_BR_KEYS_REQ_EVT:
2056 btm_ble_br_keys_req(p_dev_rec, (tBTM_LE_IO_REQ*)&p_data->io_req);
2057 break;
2058
2059 case SMP_PASSKEY_REQ_EVT:
2060 case SMP_PASSKEY_NOTIF_EVT:
2061 case SMP_OOB_REQ_EVT:
2062 case SMP_NC_REQ_EVT:
2063 case SMP_SC_OOB_REQ_EVT:
2064 /* fall through */
2065 p_dev_rec->sec_flags |= BTM_SEC_LE_AUTHENTICATED;
2066
2067 case SMP_SEC_REQUEST_EVT:
2068 if (event == SMP_SEC_REQUEST_EVT &&
2069 btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) {
2070 BTM_TRACE_DEBUG("%s: Ignoring SMP Security request", __func__);
2071 break;
2072 }
2073 btm_cb.pairing_bda = bd_addr;
2074 p_dev_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING;
2075 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_LE_ACTIVE;
2076 /* fall through */
2077
2078 case SMP_COMPLT_EVT:
2079 if (btm_cb.api.p_le_callback) {
2080 /* the callback function implementation may change the IO
2081 * capability... */
2082 BTM_TRACE_DEBUG("btm_cb.api.p_le_callback=0x%x",
2083 btm_cb.api.p_le_callback);
2084 (*btm_cb.api.p_le_callback)(event, bd_addr,
2085 (tBTM_LE_EVT_DATA*)p_data);
2086 }
2087
2088 if (event == SMP_COMPLT_EVT) {
2089 BTM_TRACE_DEBUG(
2090 "evt=SMP_COMPLT_EVT before update sec_level=0x%x sec_flags=0x%x",
2091 p_data->cmplt.sec_level, p_dev_rec->sec_flags);
2092
2093 res = (p_data->cmplt.reason == SMP_SUCCESS) ? BTM_SUCCESS
2094 : BTM_ERR_PROCESSING;
2095
2096 BTM_TRACE_DEBUG(
2097 "after update result=%d sec_level=0x%x sec_flags=0x%x", res,
2098 p_data->cmplt.sec_level, p_dev_rec->sec_flags);
2099
2100 if (p_data->cmplt.is_pair_cancel &&
2101 btm_cb.api.p_bond_cancel_cmpl_callback) {
2102 BTM_TRACE_DEBUG("Pairing Cancel completed");
2103 (*btm_cb.api.p_bond_cancel_cmpl_callback)(BTM_SUCCESS);
2104 }
2105 #if (BTM_BLE_CONFORMANCE_TESTING == TRUE)
2106 if (res != BTM_SUCCESS) {
2107 if (!btm_cb.devcb.no_disc_if_pair_fail &&
2108 p_data->cmplt.reason != SMP_CONN_TOUT) {
2109 BTM_TRACE_DEBUG("Pairing failed - prepare to remove ACL");
2110 l2cu_start_post_bond_timer(p_dev_rec->ble_hci_handle);
2111 } else {
2112 BTM_TRACE_DEBUG("Pairing failed - Not Removing ACL");
2113 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
2114 }
2115 }
2116 #else
2117 if (res != BTM_SUCCESS && p_data->cmplt.reason != SMP_CONN_TOUT) {
2118 BTM_TRACE_DEBUG("Pairing failed - prepare to remove ACL");
2119 l2cu_start_post_bond_timer(p_dev_rec->ble_hci_handle);
2120 }
2121 #endif
2122
2123 BTM_TRACE_DEBUG(
2124 "btm_cb pairing_state=%x pairing_flags=%x pin_code_len=%x",
2125 btm_cb.pairing_state, btm_cb.pairing_flags, btm_cb.pin_code_len);
2126 VLOG(1) << "btm_cb.pairing_bda: " << btm_cb.pairing_bda;
2127
2128 /* Reset btm state only if the callback address matches pairing
2129 * address*/
2130 if (bd_addr == btm_cb.pairing_bda) {
2131 btm_cb.pairing_bda = RawAddress::kAny;
2132 btm_cb.pairing_state = BTM_PAIR_STATE_IDLE;
2133 btm_cb.pairing_flags = 0;
2134 }
2135
2136 if (res == BTM_SUCCESS) {
2137 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
2138 #if (BLE_PRIVACY_SPT == TRUE)
2139 /* add all bonded device into resolving list if IRK is available*/
2140 btm_ble_resolving_list_load_dev(p_dev_rec);
2141 #endif
2142 }
2143
2144 btm_sec_dev_rec_cback_event(p_dev_rec, res, true);
2145 }
2146 break;
2147
2148 default:
2149 BTM_TRACE_DEBUG("unknown event = %d", event);
2150 break;
2151 }
2152 } else {
2153 BTM_TRACE_ERROR("btm_proc_smp_cback received for unknown device");
2154 }
2155
2156 return 0;
2157 }
2158
2159 /*******************************************************************************
2160 *
2161 * Function BTM_BleDataSignature
2162 *
2163 * Description This function is called to sign the data using AES128 CMAC
2164 * algorith.
2165 *
2166 * Parameter bd_addr: target device the data to be signed for.
2167 * p_text: singing data
2168 * len: length of the data to be signed.
2169 * signature: output parameter where data signature is going to
2170 * be stored.
2171 *
2172 * Returns true if signing sucessul, otherwise false.
2173 *
2174 ******************************************************************************/
BTM_BleDataSignature(const RawAddress & bd_addr,uint8_t * p_text,uint16_t len,BLE_SIGNATURE signature)2175 bool BTM_BleDataSignature(const RawAddress& bd_addr, uint8_t* p_text,
2176 uint16_t len, BLE_SIGNATURE signature) {
2177 tBTM_SEC_DEV_REC* p_rec = btm_find_dev(bd_addr);
2178
2179 BTM_TRACE_DEBUG("%s", __func__);
2180 bool ret = false;
2181 if (p_rec == NULL) {
2182 BTM_TRACE_ERROR("%s-data signing can not be done from unknown device",
2183 __func__);
2184 } else {
2185 uint8_t* p_mac = (uint8_t*)signature;
2186 uint8_t* pp;
2187 uint8_t* p_buf = (uint8_t*)osi_malloc(len + 4);
2188
2189 BTM_TRACE_DEBUG("%s-Start to generate Local CSRK", __func__);
2190 pp = p_buf;
2191 /* prepare plain text */
2192 if (p_text) {
2193 memcpy(p_buf, p_text, len);
2194 pp = (p_buf + len);
2195 }
2196
2197 UINT32_TO_STREAM(pp, p_rec->ble.keys.local_counter);
2198 UINT32_TO_STREAM(p_mac, p_rec->ble.keys.local_counter);
2199
2200 ret = aes_cipher_msg_auth_code(p_rec->ble.keys.lcsrk, p_buf,
2201 (uint16_t)(len + 4), BTM_CMAC_TLEN_SIZE,
2202 p_mac);
2203 if (ret) {
2204 btm_ble_increment_sign_ctr(bd_addr, true);
2205 }
2206
2207 BTM_TRACE_DEBUG("%s p_mac = %d", __func__, p_mac);
2208 BTM_TRACE_DEBUG(
2209 "p_mac[0] = 0x%02x p_mac[1] = 0x%02x p_mac[2] = 0x%02x p_mac[3] = "
2210 "0x%02x",
2211 *p_mac, *(p_mac + 1), *(p_mac + 2), *(p_mac + 3));
2212 BTM_TRACE_DEBUG(
2213 "p_mac[4] = 0x%02x p_mac[5] = 0x%02x p_mac[6] = 0x%02x p_mac[7] = "
2214 "0x%02x",
2215 *(p_mac + 4), *(p_mac + 5), *(p_mac + 6), *(p_mac + 7));
2216 osi_free(p_buf);
2217 }
2218 return ret;
2219 }
2220
2221 /*******************************************************************************
2222 *
2223 * Function BTM_BleVerifySignature
2224 *
2225 * Description This function is called to verify the data signature
2226 *
2227 * Parameter bd_addr: target device the data to be signed for.
2228 * p_orig: original data before signature.
2229 * len: length of the signing data
2230 * counter: counter used when doing data signing
2231 * p_comp: signature to be compared against.
2232
2233 * Returns true if signature verified correctly; otherwise false.
2234 *
2235 ******************************************************************************/
BTM_BleVerifySignature(const RawAddress & bd_addr,uint8_t * p_orig,uint16_t len,uint32_t counter,uint8_t * p_comp)2236 bool BTM_BleVerifySignature(const RawAddress& bd_addr, uint8_t* p_orig,
2237 uint16_t len, uint32_t counter, uint8_t* p_comp) {
2238 bool verified = false;
2239 tBTM_SEC_DEV_REC* p_rec = btm_find_dev(bd_addr);
2240 uint8_t p_mac[BTM_CMAC_TLEN_SIZE];
2241
2242 if (p_rec == NULL || (p_rec && !(p_rec->ble.key_type & BTM_LE_KEY_PCSRK))) {
2243 BTM_TRACE_ERROR("can not verify signature for unknown device");
2244 } else if (counter < p_rec->ble.keys.counter) {
2245 BTM_TRACE_ERROR("signature received with out dated sign counter");
2246 } else if (p_orig == NULL) {
2247 BTM_TRACE_ERROR("No signature to verify");
2248 } else {
2249 BTM_TRACE_DEBUG("%s rcv_cnt=%d >= expected_cnt=%d", __func__, counter,
2250 p_rec->ble.keys.counter);
2251
2252 if (aes_cipher_msg_auth_code(p_rec->ble.keys.pcsrk, p_orig, len,
2253 BTM_CMAC_TLEN_SIZE, p_mac)) {
2254 if (memcmp(p_mac, p_comp, BTM_CMAC_TLEN_SIZE) == 0) {
2255 btm_ble_increment_sign_ctr(bd_addr, false);
2256 verified = true;
2257 }
2258 }
2259 }
2260 return verified;
2261 }
2262
2263 /*******************************************************************************
2264 *
2265 * Function BTM_GetLeSecurityState
2266 *
2267 * Description This function is called to get security mode 1 flags and
2268 * encryption key size for LE peer.
2269 *
2270 * Returns bool true if LE device is found, false otherwise.
2271 *
2272 ******************************************************************************/
BTM_GetLeSecurityState(const RawAddress & bd_addr,uint8_t * p_le_dev_sec_flags,uint8_t * p_le_key_size)2273 bool BTM_GetLeSecurityState(const RawAddress& bd_addr,
2274 uint8_t* p_le_dev_sec_flags,
2275 uint8_t* p_le_key_size) {
2276 tBTM_SEC_DEV_REC* p_dev_rec;
2277 uint16_t dev_rec_sec_flags;
2278
2279 *p_le_dev_sec_flags = 0;
2280 *p_le_key_size = 0;
2281
2282 p_dev_rec = btm_find_dev(bd_addr);
2283 if (p_dev_rec == NULL) {
2284 BTM_TRACE_ERROR("%s fails", __func__);
2285 return (false);
2286 }
2287
2288 if (p_dev_rec->ble_hci_handle == BTM_SEC_INVALID_HANDLE) {
2289 BTM_TRACE_ERROR("%s-this is not LE device", __func__);
2290 return (false);
2291 }
2292
2293 dev_rec_sec_flags = p_dev_rec->sec_flags;
2294
2295 if (dev_rec_sec_flags & BTM_SEC_LE_ENCRYPTED) {
2296 /* link is encrypted with LTK or STK */
2297 *p_le_key_size = p_dev_rec->enc_key_size;
2298 *p_le_dev_sec_flags |= BTM_SEC_LE_LINK_ENCRYPTED;
2299
2300 *p_le_dev_sec_flags |=
2301 (dev_rec_sec_flags & BTM_SEC_LE_AUTHENTICATED)
2302 ? BTM_SEC_LE_LINK_PAIRED_WITH_MITM /* set auth LTK flag */
2303 : BTM_SEC_LE_LINK_PAIRED_WITHOUT_MITM; /* set unauth LTK flag */
2304 } else if (p_dev_rec->ble.key_type & BTM_LE_KEY_PENC) {
2305 /* link is unencrypted, still LTK is available */
2306 *p_le_key_size = p_dev_rec->ble.keys.key_size;
2307
2308 *p_le_dev_sec_flags |=
2309 (dev_rec_sec_flags & BTM_SEC_LE_LINK_KEY_AUTHED)
2310 ? BTM_SEC_LE_LINK_PAIRED_WITH_MITM /* set auth LTK flag */
2311 : BTM_SEC_LE_LINK_PAIRED_WITHOUT_MITM; /* set unauth LTK flag */
2312 }
2313
2314 BTM_TRACE_DEBUG("%s - le_dev_sec_flags: 0x%02x, le_key_size: %d", __func__,
2315 *p_le_dev_sec_flags, *p_le_key_size);
2316
2317 return true;
2318 }
2319
2320 /*******************************************************************************
2321 *
2322 * Function BTM_BleSecurityProcedureIsRunning
2323 *
2324 * Description This function indicates if LE security procedure is
2325 * currently running with the peer.
2326 *
2327 * Returns bool true if security procedure is running, false
2328 * otherwise.
2329 *
2330 ******************************************************************************/
BTM_BleSecurityProcedureIsRunning(const RawAddress & bd_addr)2331 bool BTM_BleSecurityProcedureIsRunning(const RawAddress& bd_addr) {
2332 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
2333
2334 if (p_dev_rec == NULL) {
2335 LOG(ERROR) << __func__ << " device with BDA: " << bd_addr
2336 << " is not found";
2337 return false;
2338 }
2339
2340 return (p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING ||
2341 p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING);
2342 }
2343
2344 /*******************************************************************************
2345 *
2346 * Function BTM_BleGetSupportedKeySize
2347 *
2348 * Description This function gets the maximum encryption key size in bytes
2349 * the local device can suport.
2350 * record.
2351 *
2352 * Returns the key size or 0 if the size can't be retrieved.
2353 *
2354 ******************************************************************************/
BTM_BleGetSupportedKeySize(const RawAddress & bd_addr)2355 extern uint8_t BTM_BleGetSupportedKeySize(const RawAddress& bd_addr) {
2356 #if (L2CAP_LE_COC_INCLUDED == TRUE)
2357 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
2358 tBTM_LE_EVT_DATA btm_le_evt_data;
2359 uint8_t callback_rc;
2360
2361 if (!p_dev_rec) {
2362 LOG(ERROR) << __func__ << " device with BDA: " << bd_addr
2363 << " is not found";
2364 return 0;
2365 }
2366
2367 if (btm_cb.api.p_le_callback == NULL) {
2368 BTM_TRACE_ERROR("%s can't access supported key size", __func__);
2369 return 0;
2370 }
2371
2372 callback_rc = (*btm_cb.api.p_le_callback)(
2373 BTM_LE_IO_REQ_EVT, p_dev_rec->bd_addr, &btm_le_evt_data);
2374
2375 if (callback_rc != BTM_SUCCESS) {
2376 BTM_TRACE_ERROR("%s can't access supported key size", __func__);
2377 return 0;
2378 }
2379
2380 BTM_TRACE_DEBUG("%s device supports key size = %d", __func__,
2381 btm_le_evt_data.io_req.max_key_size);
2382 return (btm_le_evt_data.io_req.max_key_size);
2383 #else
2384 return 0;
2385 #endif
2386 }
2387
2388 /*******************************************************************************
2389 * Utility functions for LE device IR/ER generation
2390 ******************************************************************************/
2391 /*******************************************************************************
2392 *
2393 * Function btm_notify_new_key
2394 *
2395 * Description This function is to notify application new keys have been
2396 * generated.
2397 *
2398 * Returns void
2399 *
2400 ******************************************************************************/
btm_notify_new_key(uint8_t key_type)2401 static void btm_notify_new_key(uint8_t key_type) {
2402 tBTM_BLE_LOCAL_KEYS* p_local_keys = NULL;
2403
2404 BTM_TRACE_DEBUG("btm_notify_new_key key_type=%d", key_type);
2405
2406 if (btm_cb.api.p_le_key_callback) {
2407 switch (key_type) {
2408 case BTM_BLE_KEY_TYPE_ID:
2409 BTM_TRACE_DEBUG("BTM_BLE_KEY_TYPE_ID");
2410 p_local_keys = (tBTM_BLE_LOCAL_KEYS*)&btm_cb.devcb.id_keys;
2411 break;
2412
2413 case BTM_BLE_KEY_TYPE_ER:
2414 BTM_TRACE_DEBUG("BTM_BLE_KEY_TYPE_ER");
2415 p_local_keys =
2416 (tBTM_BLE_LOCAL_KEYS*)&btm_cb.devcb.ble_encryption_key_value;
2417 break;
2418
2419 default:
2420 BTM_TRACE_ERROR("unknown key type: %d", key_type);
2421 break;
2422 }
2423 if (p_local_keys != NULL)
2424 (*btm_cb.api.p_le_key_callback)(key_type, p_local_keys);
2425 }
2426 }
2427
2428 /*******************************************************************************
2429 *
2430 * Function btm_ble_process_irk
2431 *
2432 * Description This function is called when IRK is generated, store it in
2433 * local control block.
2434 *
2435 * Returns void
2436 *
2437 ******************************************************************************/
btm_ble_process_irk(tSMP_ENC * p)2438 static void btm_ble_process_irk(tSMP_ENC* p) {
2439 BTM_TRACE_DEBUG("btm_ble_process_irk");
2440 if (p && p->opcode == HCI_BLE_ENCRYPT) {
2441 memcpy(btm_cb.devcb.id_keys.irk, p->param_buf, BT_OCTET16_LEN);
2442 btm_notify_new_key(BTM_BLE_KEY_TYPE_ID);
2443
2444 #if (BLE_PRIVACY_SPT == TRUE)
2445 /* if privacy is enabled, new RPA should be calculated */
2446 if (btm_cb.ble_ctr_cb.privacy_mode != BTM_PRIVACY_NONE) {
2447 btm_gen_resolvable_private_addr(base::Bind(&btm_gen_resolve_paddr_low));
2448 }
2449 #endif
2450 } else {
2451 BTM_TRACE_ERROR("Generating IRK exception.");
2452 }
2453
2454 /* proceed generate ER */
2455 btsnd_hcic_ble_rand(base::Bind([](BT_OCTET8 rand1) {
2456 memcpy(&btm_cb.devcb.ble_encryption_key_value[0], rand1, BT_OCTET8_LEN);
2457
2458 btsnd_hcic_ble_rand(base::Bind([](BT_OCTET8 rand2) {
2459 memcpy(&btm_cb.devcb.ble_encryption_key_value[8], rand2, BT_OCTET8_LEN);
2460 btm_notify_new_key(BTM_BLE_KEY_TYPE_ER);
2461 }));
2462
2463 }));
2464 }
2465
2466 /*******************************************************************************
2467 *
2468 * Function btm_ble_process_dhk
2469 *
2470 * Description This function is called when DHK is calculated, store it in
2471 * local control block, and proceed to generate ER, a 128-bits
2472 * random number.
2473 *
2474 * Returns void
2475 *
2476 ******************************************************************************/
btm_ble_process_dhk(tSMP_ENC * p)2477 static void btm_ble_process_dhk(tSMP_ENC* p) {
2478 uint8_t btm_ble_irk_pt = 0x01;
2479 tSMP_ENC output;
2480
2481 BTM_TRACE_DEBUG("btm_ble_process_dhk");
2482
2483 if (p && p->opcode == HCI_BLE_ENCRYPT) {
2484 memcpy(btm_cb.devcb.id_keys.dhk, p->param_buf, BT_OCTET16_LEN);
2485 BTM_TRACE_DEBUG("BLE DHK generated.");
2486
2487 /* IRK = D1(IR, 1) */
2488 if (!SMP_Encrypt(btm_cb.devcb.id_keys.ir, BT_OCTET16_LEN, &btm_ble_irk_pt,
2489 1, &output)) {
2490 /* reset all identity root related key */
2491 memset(&btm_cb.devcb.id_keys, 0, sizeof(tBTM_BLE_LOCAL_ID_KEYS));
2492 } else {
2493 btm_ble_process_irk(&output);
2494 }
2495 } else {
2496 /* reset all identity root related key */
2497 memset(&btm_cb.devcb.id_keys, 0, sizeof(tBTM_BLE_LOCAL_ID_KEYS));
2498 }
2499 }
2500
2501 /*******************************************************************************
2502 *
2503 * Function btm_ble_reset_id
2504 *
2505 * Description This function is called to reset LE device identity.
2506 *
2507 * Returns void
2508 *
2509 ******************************************************************************/
btm_ble_reset_id(void)2510 void btm_ble_reset_id(void) {
2511 BTM_TRACE_DEBUG("btm_ble_reset_id");
2512
2513 /* Regenerate Identity Root*/
2514 btsnd_hcic_ble_rand(base::Bind([](BT_OCTET8 rand) {
2515 BTM_TRACE_DEBUG("btm_ble_process_ir1");
2516 memcpy(btm_cb.devcb.id_keys.ir, rand, BT_OCTET8_LEN);
2517
2518 btsnd_hcic_ble_rand(base::Bind([](BT_OCTET8 rand) {
2519 uint8_t btm_ble_dhk_pt = 0x03;
2520 tSMP_ENC output;
2521
2522 BTM_TRACE_DEBUG("btm_ble_process_ir2");
2523
2524 /* remembering in control block */
2525 memcpy(&btm_cb.devcb.id_keys.ir[8], rand, BT_OCTET8_LEN);
2526 /* generate DHK= Eir({0x03, 0x00, 0x00 ...}) */
2527
2528 SMP_Encrypt(btm_cb.devcb.id_keys.ir, BT_OCTET16_LEN, &btm_ble_dhk_pt, 1,
2529 &output);
2530 btm_ble_process_dhk(&output);
2531
2532 BTM_TRACE_DEBUG("BLE IR generated.");
2533 }));
2534 }));
2535 }
2536
2537 /* This function set a random address to local controller. It also temporarily
2538 * disable scans and adv before sending the command to the controller. */
btm_ble_set_random_address(const RawAddress & random_bda)2539 void btm_ble_set_random_address(const RawAddress& random_bda) {
2540 tBTM_LE_RANDOM_CB* p_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb;
2541 tBTM_BLE_CB* p_ble_cb = &btm_cb.ble_ctr_cb;
2542 bool adv_mode = btm_cb.ble_ctr_cb.inq_var.adv_mode;
2543
2544 BTM_TRACE_DEBUG("%s", __func__);
2545 if (btm_ble_get_conn_st() == BLE_DIR_CONN) {
2546 BTM_TRACE_ERROR("%s: Cannot set random address. Direct conn ongoing",
2547 __func__);
2548 return;
2549 }
2550
2551 if (adv_mode == BTM_BLE_ADV_ENABLE)
2552 btsnd_hcic_ble_set_adv_enable(BTM_BLE_ADV_DISABLE);
2553 if (BTM_BLE_IS_SCAN_ACTIVE(p_ble_cb->scan_activity)) btm_ble_stop_scan();
2554 btm_ble_suspend_bg_conn();
2555
2556 p_cb->private_addr = random_bda;
2557 btsnd_hcic_ble_set_random_addr(p_cb->private_addr);
2558
2559 if (adv_mode == BTM_BLE_ADV_ENABLE)
2560 btsnd_hcic_ble_set_adv_enable(BTM_BLE_ADV_ENABLE);
2561 if (BTM_BLE_IS_SCAN_ACTIVE(p_ble_cb->scan_activity)) btm_ble_start_scan();
2562 btm_ble_resume_bg_conn();
2563 }
2564
2565 #if BTM_BLE_CONFORMANCE_TESTING == TRUE
2566 /*******************************************************************************
2567 *
2568 * Function btm_ble_set_no_disc_if_pair_fail
2569 *
2570 * Description This function indicates whether no disconnect of the ACL
2571 * should be used if pairing failed
2572 *
2573 * Returns void
2574 *
2575 ******************************************************************************/
btm_ble_set_no_disc_if_pair_fail(bool disable_disc)2576 void btm_ble_set_no_disc_if_pair_fail(bool disable_disc) {
2577 BTM_TRACE_DEBUG("btm_ble_set_disc_enable_if_pair_fail disable_disc=%d",
2578 disable_disc);
2579 btm_cb.devcb.no_disc_if_pair_fail = disable_disc;
2580 }
2581
2582 /*******************************************************************************
2583 *
2584 * Function btm_ble_set_test_mac_value
2585 *
2586 * Description This function set test MAC value
2587 *
2588 * Returns void
2589 *
2590 ******************************************************************************/
btm_ble_set_test_mac_value(bool enable,uint8_t * p_test_mac_val)2591 void btm_ble_set_test_mac_value(bool enable, uint8_t* p_test_mac_val) {
2592 BTM_TRACE_DEBUG("btm_ble_set_test_mac_value enable=%d", enable);
2593 btm_cb.devcb.enable_test_mac_val = enable;
2594 memcpy(btm_cb.devcb.test_mac, p_test_mac_val, BT_OCTET8_LEN);
2595 }
2596
2597 /*******************************************************************************
2598 *
2599 * Function btm_ble_set_test_local_sign_cntr_value
2600 *
2601 * Description This function set test local sign counter value
2602 *
2603 * Returns void
2604 *
2605 ******************************************************************************/
btm_ble_set_test_local_sign_cntr_value(bool enable,uint32_t test_local_sign_cntr)2606 void btm_ble_set_test_local_sign_cntr_value(bool enable,
2607 uint32_t test_local_sign_cntr) {
2608 BTM_TRACE_DEBUG(
2609 "btm_ble_set_test_local_sign_cntr_value enable=%d local_sign_cntr=%d",
2610 enable, test_local_sign_cntr);
2611 btm_cb.devcb.enable_test_local_sign_cntr = enable;
2612 btm_cb.devcb.test_local_sign_cntr = test_local_sign_cntr;
2613 }
2614
2615 /*******************************************************************************
2616 *
2617 * Function btm_ble_set_keep_rfu_in_auth_req
2618 *
2619 * Description This function indicates if RFU bits have to be kept as is
2620 * (by default they have to be set to 0 by the sender).
2621 *
2622 * Returns void
2623 *
2624 ******************************************************************************/
btm_ble_set_keep_rfu_in_auth_req(bool keep_rfu)2625 void btm_ble_set_keep_rfu_in_auth_req(bool keep_rfu) {
2626 BTM_TRACE_DEBUG("btm_ble_set_keep_rfu_in_auth_req keep_rfus=%d", keep_rfu);
2627 btm_cb.devcb.keep_rfu_in_auth_req = keep_rfu;
2628 }
2629
2630 #endif /* BTM_BLE_CONFORMANCE_TESTING */
2631