Home | History | Annotate | Download | only in btm
      1 /******************************************************************************
      2  *
      3  *  Copyright (C) 1999-2012 Broadcom Corporation
      4  *
      5  *  Licensed under the Apache License, Version 2.0 (the "License");
      6  *  you may not use this file except in compliance with the License.
      7  *  You may obtain a copy of the License at:
      8  *
      9  *  http://www.apache.org/licenses/LICENSE-2.0
     10  *
     11  *  Unless required by applicable law or agreed to in writing, software
     12  *  distributed under the License is distributed on an "AS IS" BASIS,
     13  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     14  *  See the License for the specific language governing permissions and
     15  *  limitations under the License.
     16  *
     17  ******************************************************************************/
     18 
     19 /******************************************************************************
     20  *
     21  *  This file contains functions for BLE device control utilities, and LE
     22  *  security functions.
     23  *
     24  ******************************************************************************/
     25 
     26 #include <string.h>
     27 
     28 #include "bt_types.h"
     29 #include "hcimsgs.h"
     30 #include "btu.h"
     31 #include "btm_int.h"
     32 #include "btm_ble_api.h"
     33 #include "smp_api.h"
     34 #include "l2c_int.h"
     35 #include "gap_api.h"
     36 
     37 #if SMP_INCLUDED == TRUE
     38 extern BOOLEAN AES_CMAC ( BT_OCTET16 key, UINT8 *input, UINT16 length, UINT16 tlen, UINT8 *p_signature);
     39 extern void smp_link_encrypted(BD_ADDR bda, UINT8 encr_enable);
     40 extern BOOLEAN smp_proc_ltk_request(BD_ADDR bda);
     41 #endif
     42 extern void gatt_notify_enc_cmpl(BD_ADDR bd_addr);
     43 
     44 /*******************************************************************************/
     45 /* External Function to be called by other modules                             */
     46 /*******************************************************************************/
     47 /********************************************************
     48 **
     49 ** Function         BTM_SecAddBleDevice
     50 **
     51 ** Description      Add/modify device.  This function will be normally called
     52 **                  during host startup to restore all required information
     53 **                  for a LE device stored in the NVRAM.
     54 **
     55 ** Parameters:      bd_addr          - BD address of the peer
     56 **                  bd_name          - Name of the peer device.  NULL if unknown.
     57 **                  dev_type         - Remote device's device type.
     58 **                  addr_type        - LE device address type.
     59 **
     60 ** Returns          TRUE if added OK, else FALSE
     61 **
     62 *******************************************************************************/
     63 BOOLEAN BTM_SecAddBleDevice (BD_ADDR bd_addr, BD_NAME bd_name, tBT_DEVICE_TYPE dev_type,
     64                              tBLE_ADDR_TYPE addr_type)
     65 {
     66 #if BLE_INCLUDED == TRUE
     67     tBTM_SEC_DEV_REC  *p_dev_rec;
     68     UINT8               i = 0;
     69     tBTM_INQ_INFO      *p_info=NULL;
     70 
     71     BTM_TRACE_DEBUG1 ("BTM_SecAddBleDevice dev_type=0x%x", dev_type);
     72     p_dev_rec = btm_find_dev (bd_addr);
     73 
     74     if (!p_dev_rec)
     75     {
     76         BTM_TRACE_DEBUG0("Add a new device");
     77 
     78         /* There is no device record, allocate one.
     79          * If we can not find an empty spot for this one, let it fail. */
     80         for (i = 0; i < BTM_SEC_MAX_DEVICE_RECORDS; i++)
     81         {
     82             if (!(btm_cb.sec_dev_rec[i].sec_flags & BTM_SEC_IN_USE))
     83             {
     84                 BTM_TRACE_DEBUG1 ("allocate a new dev rec idx=0x%x ", i );
     85                 p_dev_rec = &btm_cb.sec_dev_rec[i];
     86 
     87                 /* Mark this record as in use and initialize */
     88                 memset (p_dev_rec, 0, sizeof (tBTM_SEC_DEV_REC));
     89                 p_dev_rec->sec_flags = BTM_SEC_IN_USE;
     90                 memcpy (p_dev_rec->bd_addr, bd_addr, BD_ADDR_LEN);
     91                 p_dev_rec->hci_handle = BTM_GetHCIConnHandle (bd_addr);
     92 
     93                 /* update conn params, use default value for background connection params */
     94                 p_dev_rec->conn_params.min_conn_int     =
     95                 p_dev_rec->conn_params.max_conn_int     =
     96                 p_dev_rec->conn_params.supervision_tout =
     97                 p_dev_rec->conn_params.slave_latency    = BTM_BLE_CONN_PARAM_UNDEF;
     98 
     99                 BTM_TRACE_DEBUG1 ("hci_handl=0x%x ",  p_dev_rec->hci_handle );
    100                 break;
    101             }
    102         }
    103 
    104         if (!p_dev_rec)
    105             return(FALSE);
    106     }
    107     else
    108     {
    109         BTM_TRACE_DEBUG0("Device already exist");
    110     }
    111 
    112     memset(p_dev_rec->sec_bd_name, 0, sizeof(tBTM_BD_NAME));
    113 
    114     if (bd_name && bd_name[0])
    115     {
    116         p_dev_rec->sec_flags |= BTM_SEC_NAME_KNOWN;
    117         BCM_STRNCPY_S ((char *)p_dev_rec->sec_bd_name, sizeof (p_dev_rec->sec_bd_name),
    118                        (char *)bd_name, BTM_MAX_REM_BD_NAME_LEN);
    119     }
    120     p_dev_rec->device_type = dev_type;
    121     p_dev_rec->ble.ble_addr_type = addr_type;
    122     BTM_TRACE_DEBUG3 ("p_dev_rec->device_type =0x%x  addr_type=0x%x sec_flags=0x%x",
    123                       dev_type,  addr_type, p_dev_rec->sec_flags);
    124 
    125     /* sync up with the Inq Data base*/
    126     p_info = BTM_InqDbRead(bd_addr);
    127     if (p_info)
    128     {
    129         p_info->results.ble_addr_type = p_dev_rec->ble.ble_addr_type ;
    130         p_info->results.device_type = p_dev_rec->device_type;
    131         BTM_TRACE_DEBUG2 ("InqDb  device_type =0x%x  addr_type=0x%x",
    132                           p_info->results.device_type, p_info->results.ble_addr_type);
    133     }
    134 
    135 #endif
    136     return(TRUE);
    137 }
    138 
    139 /*******************************************************************************
    140 **
    141 ** Function         BTM_SecAddBleKey
    142 **
    143 ** Description      Add/modify LE device information.  This function will be
    144 **                  normally called during host startup to restore all required
    145 **                  information stored in the NVRAM.
    146 **
    147 ** Parameters:      bd_addr          - BD address of the peer
    148 **                  p_le_key         - LE key values.
    149 **                  key_type         - LE SMP key type.
    150 *
    151 ** Returns          TRUE if added OK, else FALSE
    152 **
    153 *******************************************************************************/
    154 BOOLEAN BTM_SecAddBleKey (BD_ADDR bd_addr, tBTM_LE_KEY_VALUE *p_le_key, tBTM_LE_KEY_TYPE key_type)
    155 {
    156 #if (BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE)
    157     tBTM_SEC_DEV_REC  *p_dev_rec;
    158     BTM_TRACE_DEBUG0 ("BTM_SecAddBleKey");
    159     p_dev_rec = btm_find_dev (bd_addr);
    160     if (!p_dev_rec || !p_le_key ||
    161         (key_type != BTM_LE_KEY_PENC && key_type != BTM_LE_KEY_PID &&
    162          key_type != BTM_LE_KEY_PCSRK && key_type != BTM_LE_KEY_LENC &&
    163          key_type != BTM_LE_KEY_LCSRK))
    164     {
    165         BTM_TRACE_WARNING3 ("BTM_SecAddBleKey()  Wrong Type, or No Device record \
    166                         for bdaddr: %08x%04x, Type: %d",
    167                             (bd_addr[0]<<24)+(bd_addr[1]<<16)+(bd_addr[2]<<8)+bd_addr[3],
    168                             (bd_addr[4]<<8)+bd_addr[5], key_type);
    169         return(FALSE);
    170     }
    171 
    172     BTM_TRACE_DEBUG3 ("BTM_SecAddLeKey()  BDA: %08x%04x, Type: 0x%02x",
    173                       (bd_addr[0]<<24)+(bd_addr[1]<<16)+(bd_addr[2]<<8)+bd_addr[3],
    174                       (bd_addr[4]<<8)+bd_addr[5], key_type);
    175 
    176     if (key_type == BTM_LE_KEY_PENC || key_type == BTM_LE_KEY_PID ||
    177         key_type == BTM_LE_KEY_PCSRK || key_type == BTM_LE_KEY_LENC ||
    178         key_type == BTM_LE_KEY_LCSRK)
    179     {
    180         btm_sec_save_le_key (bd_addr, key_type, p_le_key, FALSE);
    181     }
    182 
    183 #endif
    184 
    185     return(TRUE);
    186 }
    187 
    188 /*******************************************************************************
    189 **
    190 ** Function         BTM_BleLoadLocalKeys
    191 **
    192 ** Description      Local local identity key, encryption root or sign counter.
    193 **
    194 ** Parameters:      key_type: type of key, can be BTM_BLE_KEY_TYPE_ID, BTM_BLE_KEY_TYPE_ER
    195 **                            or BTM_BLE_KEY_TYPE_COUNTER.
    196 **                  p_key: pointer to the key.
    197 *
    198 ** Returns          non2.
    199 **
    200 *******************************************************************************/
    201 void BTM_BleLoadLocalKeys(UINT8 key_type, tBTM_BLE_LOCAL_KEYS *p_key)
    202 {
    203 #if BLE_INCLUDED == TRUE
    204     tBTM_DEVCB *p_devcb = &btm_cb.devcb;
    205     BTM_TRACE_DEBUG0 ("BTM_BleLoadLocalKeys");
    206     if (p_key != NULL)
    207     {
    208         switch (key_type)
    209         {
    210             case BTM_BLE_KEY_TYPE_ID:
    211                 memcpy(&p_devcb->id_keys, &p_key->id_keys, sizeof(tBTM_BLE_LOCAL_ID_KEYS));
    212                 break;
    213 
    214             case BTM_BLE_KEY_TYPE_ER:
    215                 memcpy(p_devcb->er, p_key->er, sizeof(BT_OCTET16));
    216                 break;
    217 
    218             default:
    219                 BTM_TRACE_ERROR1("unknow local key type: %d", key_type);
    220                 break;
    221         }
    222     }
    223 #endif
    224 }
    225 
    226 /*******************************************************************************
    227 **
    228 ** Function         BTM_GetDeviceEncRoot
    229 **
    230 ** Description      This function is called to read the local device encryption
    231 **                  root.
    232 **
    233 ** Returns          void
    234 **                  the local device ER is copied into er
    235 **
    236 *******************************************************************************/
    237 void BTM_GetDeviceEncRoot (BT_OCTET16 er)
    238 {
    239     BTM_TRACE_DEBUG0 ("BTM_GetDeviceEncRoot");
    240 
    241 #if BLE_INCLUDED == TRUE
    242     memcpy (er, btm_cb.devcb.er, BT_OCTET16_LEN);
    243 #endif
    244 }
    245 
    246 /*******************************************************************************
    247 **
    248 ** Function         BTM_GetDeviceIDRoot
    249 **
    250 ** Description      This function is called to read the local device identity
    251 **                  root.
    252 **
    253 ** Returns          void
    254 **                  the local device IR is copied into irk
    255 **
    256 *******************************************************************************/
    257 void BTM_GetDeviceIDRoot (BT_OCTET16 irk)
    258 {
    259     BTM_TRACE_DEBUG0 ("BTM_GetDeviceIDRoot ");
    260 
    261 #if BLE_INCLUDED == TRUE
    262     memcpy (irk, btm_cb.devcb.id_keys.irk, BT_OCTET16_LEN);
    263 #endif
    264 }
    265 
    266 /*******************************************************************************
    267 **
    268 ** Function         BTM_GetDeviceDHK
    269 **
    270 ** Description      This function is called to read the local device DHK.
    271 **
    272 ** Returns          void
    273 **                  the local device DHK is copied into dhk
    274 **
    275 *******************************************************************************/
    276 void BTM_GetDeviceDHK (BT_OCTET16 dhk)
    277 {
    278 #if BLE_INCLUDED == TRUE
    279     BTM_TRACE_DEBUG0 ("BTM_GetDeviceDHK");
    280     memcpy (dhk, btm_cb.devcb.id_keys.dhk, BT_OCTET16_LEN);
    281 #endif
    282 }
    283 
    284 /*******************************************************************************
    285 **
    286 ** Function         BTM_ReadConnectionAddr
    287 **
    288 ** Description      This function is called to get the local device address information
    289 **                  .
    290 **
    291 ** Returns          void
    292 **
    293 *******************************************************************************/
    294 void BTM_ReadConnectionAddr (BD_ADDR remote_bda, BD_ADDR local_conn_addr, tBLE_ADDR_TYPE *p_addr_type)
    295 {
    296 #if BLE_INCLUDED == TRUE
    297     tACL_CONN       *p_acl = btm_bda_to_acl(remote_bda);
    298 
    299     if (p_acl == NULL)
    300     {
    301         BTM_TRACE_ERROR0("No connection exist!");
    302         return;
    303     }
    304     memcpy(local_conn_addr, p_acl->conn_addr, BD_ADDR_LEN);
    305     * p_addr_type = p_acl->conn_addr_type;
    306 
    307     BTM_TRACE_DEBUG2 ("BTM_ReadConnectionAddr address type: %d addr: 0x%02x",
    308                     p_acl->conn_addr_type, p_acl->conn_addr[0]);
    309 
    310 #endif
    311 }
    312 
    313 /*******************************************************************************
    314 **
    315 ** Function         BTM_ReadRemoteConnectionAddr
    316 **
    317 ** Description      This function is read the remote device address currently used
    318 **                  .
    319 **
    320 ** Returns          void
    321 **
    322 *******************************************************************************/
    323 BOOLEAN BTM_ReadRemoteConnectionAddr(BD_ADDR pseudo_addr, BD_ADDR conn_addr, tBLE_ADDR_TYPE *p_addr_type)
    324 {
    325     BOOLEAN         st = TRUE;
    326 #if BLE_INCLUDED == TRUE
    327     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev(pseudo_addr);
    328 
    329     memcpy(conn_addr, pseudo_addr, BD_ADDR_LEN);
    330     *p_addr_type = p_dev_rec->ble.ble_addr_type;
    331 #endif
    332     return st;
    333 }
    334 /*******************************************************************************
    335 **
    336 ** Function         BTM_SecurityGrant
    337 **
    338 ** Description      This function is called to grant security process.
    339 **
    340 ** Parameters       bd_addr - peer device bd address.
    341 **                  res     - result of the operation BTM_SUCCESS if success.
    342 **                            Otherwise, BTM_REPEATED_ATTEMPTS is too many attempts.
    343 **
    344 ** Returns          None
    345 **
    346 *******************************************************************************/
    347 void BTM_SecurityGrant(BD_ADDR bd_addr, UINT8 res)
    348 {
    349 #if (BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE)
    350     tSMP_STATUS res_smp = (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_REPEATED_ATTEMPTS;
    351     BTM_TRACE_DEBUG0 ("BTM_SecurityGrant");
    352     SMP_SecurityGrant(bd_addr, res_smp);
    353 #endif
    354 }
    355 
    356 /*******************************************************************************
    357 **
    358 ** Function         BTM_BlePasskeyReply
    359 **
    360 ** Description      This function is called after Security Manager submitted
    361 **                  passkey request to the application.
    362 **
    363 ** Parameters:      bd_addr      - Address of the device for which passkey was requested
    364 **                  res          - result of the operation BTM_SUCCESS if success
    365 **                  key_len      - length in bytes of the Passkey
    366 **                  p_passkey        - pointer to array with the passkey
    367 **                  trusted_mask - bitwise OR of trusted services (array of UINT32)
    368 **
    369 *******************************************************************************/
    370 void BTM_BlePasskeyReply (BD_ADDR bd_addr, UINT8 res, UINT32 passkey)
    371 {
    372 #if (BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE)
    373     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev (bd_addr);
    374     tSMP_STATUS      res_smp = (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_PASSKEY_ENTRY_FAIL;
    375 
    376     if (p_dev_rec == NULL)
    377     {
    378         BTM_TRACE_ERROR0("Passkey reply to Unknown device");
    379         return;
    380     }
    381 
    382     p_dev_rec->sec_flags   |= BTM_SEC_LINK_KEY_AUTHED;
    383     BTM_TRACE_DEBUG0 ("BTM_BlePasskeyReply");
    384     SMP_PasskeyReply(bd_addr, res_smp, passkey);
    385 #endif
    386 }
    387 
    388 /*******************************************************************************
    389 **
    390 ** Function         BTM_BleOobDataReply
    391 **
    392 ** Description      This function is called to provide the OOB data for
    393 **                  SMP in response to BTM_LE_OOB_REQ_EVT
    394 **
    395 ** Parameters:      bd_addr     - Address of the peer device
    396 **                  res         - result of the operation SMP_SUCCESS if success
    397 **                  p_data      - simple pairing Randomizer  C.
    398 **
    399 *******************************************************************************/
    400 void BTM_BleOobDataReply(BD_ADDR bd_addr, UINT8 res, UINT8 len, UINT8 *p_data)
    401 {
    402 #if (BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE)
    403     tSMP_STATUS res_smp = (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_OOB_FAIL;
    404     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev (bd_addr);
    405 
    406     BTM_TRACE_DEBUG0 ("BTM_BleOobDataReply");
    407 
    408     if (p_dev_rec == NULL)
    409     {
    410         BTM_TRACE_ERROR0("BTM_BleOobDataReply() to Unknown device");
    411         return;
    412     }
    413 
    414     p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED;
    415     SMP_OobDataReply(bd_addr, res_smp, len, p_data);
    416 #endif
    417 }
    418 
    419 /******************************************************************************
    420 **
    421 ** Function         BTM_BleSetConnScanParams
    422 **
    423 ** Description      Set scan parameter used in BLE connection request
    424 **
    425 ** Parameters:      scan_interval: scan interval
    426 **                  scan_window: scan window
    427 **
    428 ** Returns          void
    429 **
    430 *******************************************************************************/
    431 void BTM_BleSetConnScanParams (UINT16 scan_interval, UINT16 scan_window)
    432 {
    433 #if (BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE)
    434     tBTM_BLE_CB *p_ble_cb = &btm_cb.ble_ctr_cb;
    435     BOOLEAN     new_param = FALSE;
    436 
    437     if (BTM_BLE_VALID_PRAM(scan_interval, BTM_BLE_SCAN_INT_MIN, BTM_BLE_SCAN_INT_MAX) &&
    438         BTM_BLE_VALID_PRAM(scan_window, BTM_BLE_SCAN_WIN_MIN, BTM_BLE_SCAN_WIN_MAX))
    439     {
    440         btu_stop_timer(&p_ble_cb->scan_param_idle_timer);
    441 
    442         if (p_ble_cb->scan_int != scan_interval)
    443         {
    444             p_ble_cb->scan_int = scan_interval;
    445             new_param = TRUE;
    446         }
    447 
    448         if (p_ble_cb->scan_win != scan_window)
    449         {
    450             p_ble_cb->scan_win = scan_window;
    451             new_param = TRUE;
    452         }
    453 
    454         if (new_param && p_ble_cb->conn_state == BLE_BG_CONN)
    455         {
    456             btm_ble_suspend_bg_conn();
    457         }
    458     }
    459     else
    460     {
    461         BTM_TRACE_ERROR0("Illegal Connection Scan Parameters");
    462     }
    463 #endif
    464 }
    465 
    466 /********************************************************
    467 **
    468 ** Function         BTM_BleSetPrefConnParams
    469 **
    470 ** Description      Set a peripheral's preferred connection parameters
    471 **
    472 ** Parameters:      bd_addr          - BD address of the peripheral
    473 **                  scan_interval: scan interval
    474 **                  scan_window: scan window
    475 **                  min_conn_int     - minimum preferred connection interval
    476 **                  max_conn_int     - maximum preferred connection interval
    477 **                  slave_latency    - preferred slave latency
    478 **                  supervision_tout - preferred supervision timeout
    479 **
    480 ** Returns          void
    481 **
    482 *******************************************************************************/
    483 void BTM_BleSetPrefConnParams (BD_ADDR bd_addr,
    484                                UINT16 min_conn_int, UINT16 max_conn_int,
    485                                UINT16 slave_latency, UINT16 supervision_tout)
    486 {
    487 #if BLE_INCLUDED == TRUE
    488     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev (bd_addr);
    489 
    490     BTM_TRACE_API4 ("BTM_BleSetPrefConnParams min: %u  max: %u  latency: %u  \
    491                     tout: %u",
    492                     min_conn_int, max_conn_int, slave_latency, supervision_tout);
    493 
    494     if (BTM_BLE_VALID_PRAM(min_conn_int, BTM_BLE_CONN_INT_MIN, BTM_BLE_CONN_INT_MAX) &&
    495         BTM_BLE_VALID_PRAM(max_conn_int, BTM_BLE_CONN_INT_MIN, BTM_BLE_CONN_INT_MAX) &&
    496         BTM_BLE_VALID_PRAM(supervision_tout, BTM_BLE_CONN_SUP_TOUT_MIN, BTM_BLE_CONN_SUP_TOUT_MAX) &&
    497         (slave_latency <= BTM_BLE_CONN_LATENCY_MAX || slave_latency == BTM_BLE_CONN_PARAM_UNDEF))
    498     {
    499         if (p_dev_rec)
    500         {
    501             /* expect conn int and stout and slave latency to be updated all together */
    502             if (min_conn_int != BTM_BLE_CONN_PARAM_UNDEF || max_conn_int != BTM_BLE_CONN_PARAM_UNDEF)
    503             {
    504                 if (min_conn_int != BTM_BLE_CONN_PARAM_UNDEF)
    505                     p_dev_rec->conn_params.min_conn_int = min_conn_int;
    506                 else
    507                     p_dev_rec->conn_params.min_conn_int = max_conn_int;
    508 
    509                 if (max_conn_int != BTM_BLE_CONN_PARAM_UNDEF)
    510                     p_dev_rec->conn_params.max_conn_int = max_conn_int;
    511                 else
    512                     p_dev_rec->conn_params.max_conn_int = min_conn_int;
    513 
    514                 if (slave_latency != BTM_BLE_CONN_PARAM_UNDEF)
    515                     p_dev_rec->conn_params.slave_latency = slave_latency;
    516                 else
    517                     p_dev_rec->conn_params.slave_latency = BTM_BLE_CONN_SLAVE_LATENCY_DEF;
    518 
    519                 if (supervision_tout != BTM_BLE_CONN_PARAM_UNDEF)
    520                     p_dev_rec->conn_params.supervision_tout = supervision_tout;
    521                 else
    522                     p_dev_rec->conn_params.slave_latency = BTM_BLE_CONN_TIMEOUT_DEF;
    523 
    524             }
    525 
    526         }
    527         else
    528         {
    529             BTM_TRACE_ERROR0("Unknown Device, setting rejected");
    530         }
    531     }
    532     else
    533     {
    534         BTM_TRACE_ERROR0("Illegal Connection Parameters");
    535     }
    536 #endif  /* BLE_INCLUDED */
    537 }
    538 
    539 /*******************************************************************************
    540 **
    541 ** Function         BTM_ReadDevInfo
    542 **
    543 ** Description      This function is called to read the device/address type
    544 **                  of BD address.
    545 **
    546 ** Parameter        remote_bda: remote device address
    547 **                  p_dev_type: output parameter to read the device type.
    548 **                  p_addr_type: output parameter to read the address type.
    549 **
    550 *******************************************************************************/
    551 void BTM_ReadDevInfo (BD_ADDR remote_bda, tBT_DEVICE_TYPE *p_dev_type, tBLE_ADDR_TYPE *p_addr_type)
    552 {
    553 #if BLE_INCLUDED == TRUE
    554     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev (remote_bda);
    555     tBTM_INQ_INFO     *p_inq_info = BTM_InqDbRead(remote_bda);
    556 
    557     *p_dev_type = BT_DEVICE_TYPE_BREDR;
    558     *p_addr_type = BLE_ADDR_PUBLIC;
    559 
    560     if (!p_dev_rec)
    561     {
    562         /* Check with the BT manager if details about remote device are known */
    563         if (p_inq_info != NULL)
    564         {
    565             *p_dev_type = p_inq_info->results.device_type ;
    566             *p_addr_type = p_inq_info->results.ble_addr_type;
    567         }
    568         /* unknown device, assume BR/EDR */
    569     }
    570     else /* there is a security device record exisitng */
    571     {
    572         /* new inquiry result, overwrite device type in security device record */
    573         if (p_inq_info)
    574         {
    575             p_dev_rec->device_type          = p_inq_info->results.device_type;
    576             p_dev_rec->ble.ble_addr_type    = p_inq_info->results.ble_addr_type;
    577         }
    578         *p_dev_type = p_dev_rec->device_type;
    579         *p_addr_type = p_dev_rec->ble.ble_addr_type;
    580 
    581     }
    582 
    583     BTM_TRACE_DEBUG2 ("btm_find_dev_type - device_type = %d addr_type = %d", *p_dev_type , *p_addr_type);
    584 #endif
    585 
    586     return;
    587 }
    588 
    589 #if BLE_INCLUDED == TRUE
    590 
    591 /*******************************************************************************
    592 **
    593 ** Function         BTM_BleReceiverTest
    594 **
    595 ** Description      This function is called to start the LE Receiver test
    596 **
    597 ** Parameter       rx_freq - Frequency Range
    598 **               p_cmd_cmpl_cback - Command Complete callback
    599 **
    600 *******************************************************************************/
    601 void BTM_BleReceiverTest(UINT8 rx_freq, tBTM_CMPL_CB *p_cmd_cmpl_cback)
    602 {
    603      btm_cb.devcb.p_le_test_cmd_cmpl_cb = p_cmd_cmpl_cback;
    604 
    605      if (btsnd_hcic_ble_receiver_test(rx_freq) == FALSE)
    606      {
    607           BTM_TRACE_ERROR1("%s: Unable to Trigger LE receiver test", __FUNCTION__);
    608      }
    609 }
    610 
    611 /*******************************************************************************
    612 **
    613 ** Function         BTM_BleTransmitterTest
    614 **
    615 ** Description      This function is called to start the LE Transmitter test
    616 **
    617 ** Parameter       tx_freq - Frequency Range
    618 **                       test_data_len - Length in bytes of payload data in each packet
    619 **                       packet_payload - Pattern to use in the payload
    620 **                       p_cmd_cmpl_cback - Command Complete callback
    621 **
    622 *******************************************************************************/
    623 void BTM_BleTransmitterTest(UINT8 tx_freq, UINT8 test_data_len,
    624                                  UINT8 packet_payload, tBTM_CMPL_CB *p_cmd_cmpl_cback)
    625 {
    626      btm_cb.devcb.p_le_test_cmd_cmpl_cb = p_cmd_cmpl_cback;
    627      if (btsnd_hcic_ble_transmitter_test(tx_freq, test_data_len, packet_payload) == FALSE)
    628      {
    629           BTM_TRACE_ERROR1("%s: Unable to Trigger LE transmitter test", __FUNCTION__);
    630      }
    631 }
    632 
    633 /*******************************************************************************
    634 **
    635 ** Function         BTM_BleTestEnd
    636 **
    637 ** Description      This function is called to stop the in-progress TX or RX test
    638 **
    639 ** Parameter       p_cmd_cmpl_cback - Command complete callback
    640 **
    641 *******************************************************************************/
    642 void BTM_BleTestEnd(tBTM_CMPL_CB *p_cmd_cmpl_cback)
    643 {
    644      btm_cb.devcb.p_le_test_cmd_cmpl_cb = p_cmd_cmpl_cback;
    645 
    646      if (btsnd_hcic_ble_test_end() == FALSE)
    647      {
    648           BTM_TRACE_ERROR1("%s: Unable to End the LE TX/RX test", __FUNCTION__);
    649      }
    650 }
    651 
    652 #endif
    653 
    654 /*******************************************************************************
    655 ** Internal Functions
    656 *******************************************************************************/
    657 #if BLE_INCLUDED == TRUE
    658 
    659 void btm_ble_test_command_complete(UINT8 *p)
    660 {
    661     tBTM_CMPL_CB   *p_cb = btm_cb.devcb.p_le_test_cmd_cmpl_cb;
    662     UINT8           status;
    663 
    664     btm_cb.devcb.p_le_test_cmd_cmpl_cb = NULL;
    665 
    666     if (p_cb)
    667     {
    668         (*p_cb)(p);
    669     }
    670 }
    671 
    672 /*******************************************************************************
    673 **
    674 ** Function         btm_ble_check_link_type
    675 **
    676 ** Description      This function is to check the link type is BLE or BR/EDR.
    677 **
    678 ** Returns          TRUE if BLE link; FALSE if BR/EDR.
    679 **
    680 *******************************************************************************/
    681 BOOLEAN btm_ble_check_link_type (BD_ADDR bd_addr)
    682 {
    683     tACL_CONN         *p;
    684     BTM_TRACE_DEBUG0 ("btm_ble_check_link_type");
    685     if ((p = btm_bda_to_acl(bd_addr)) != NULL)
    686         return p->is_le_link;
    687     else
    688         return FALSE;
    689 }
    690 
    691 /*******************************************************************************
    692 **
    693 ** Function         btm_ble_rand_enc_complete
    694 **
    695 ** Description      This function is the callback functions for HCI_Rand command
    696 **                  and HCI_Encrypt command is completed.
    697 **                  This message is received from the HCI.
    698 **
    699 ** Returns          void
    700 **
    701 *******************************************************************************/
    702 void btm_ble_rand_enc_complete (UINT8 *p, UINT16 op_code, tBTM_RAND_ENC_CB *p_enc_cplt_cback)
    703 {
    704     tBTM_RAND_ENC   params;
    705     UINT8           *p_dest = params.param_buf;
    706 
    707     BTM_TRACE_DEBUG0 ("btm_ble_rand_enc_complete");
    708 
    709     memset(&params, 0, sizeof(tBTM_RAND_ENC));
    710 
    711     /* If there was a callback address for vcs complete, call it */
    712     if (p_enc_cplt_cback && p)
    713     {
    714         /* Pass paramters to the callback function */
    715         STREAM_TO_UINT8(params.status, p); /* command status */
    716 
    717         if (params.status == HCI_SUCCESS)
    718         {
    719             params.opcode = op_code;
    720 
    721             if (op_code == HCI_BLE_RAND)
    722                 params.param_len = BT_OCTET8_LEN;
    723             else
    724                 params.param_len = BT_OCTET16_LEN;
    725 
    726             memcpy(p_dest, p, params.param_len);  /* Fetch return info from HCI event message */
    727         }
    728         if (p_enc_cplt_cback)
    729             (*p_enc_cplt_cback)(&params);  /* Call the Encryption complete callback function */
    730     }
    731 }
    732 
    733 
    734     #if (SMP_INCLUDED == TRUE)
    735 
    736 /*******************************************************************************
    737 **
    738 ** Function         btm_ble_get_enc_key_type
    739 **
    740 ** Description      This function is to increment local sign counter
    741 ** Returns         None
    742 **
    743 *******************************************************************************/
    744 void btm_ble_increment_sign_ctr(BD_ADDR bd_addr, BOOLEAN is_local )
    745 {
    746     tBTM_SEC_DEV_REC *p_dev_rec;
    747 
    748     BTM_TRACE_DEBUG1 ("btm_ble_increment_sign_ctr is_local=%d", is_local);
    749 
    750     if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
    751     {
    752         if (is_local)
    753             p_dev_rec->ble.keys.local_counter++;
    754         else
    755             p_dev_rec->ble.keys.counter++;
    756         BTM_TRACE_DEBUG3 ("is_local=%d local sign counter=%d peer sign counter=%d",
    757                           is_local,
    758                           p_dev_rec->ble.keys.local_counter,
    759                           p_dev_rec->ble.keys.counter);
    760     }
    761 }
    762 
    763 /*******************************************************************************
    764 **
    765 ** Function         btm_ble_get_enc_key_type
    766 **
    767 ** Description      This function is to get the BLE key type that has been exchanged
    768 **                  in betweem local device and peer device.
    769 **
    770 ** Returns          p_key_type: output parameter to carry the key type value.
    771 **
    772 *******************************************************************************/
    773 BOOLEAN btm_ble_get_enc_key_type(BD_ADDR bd_addr, UINT8 *p_key_types)
    774 {
    775     tBTM_SEC_DEV_REC *p_dev_rec;
    776 
    777     BTM_TRACE_DEBUG0 ("btm_ble_get_enc_key_type");
    778 
    779     if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
    780     {
    781         *p_key_types = p_dev_rec->ble.key_type;
    782         return TRUE;
    783     }
    784     return FALSE;
    785 }
    786 
    787 /*******************************************************************************
    788 **
    789 ** Function         btm_get_local_div
    790 **
    791 ** Description      This function is called to read the local DIV
    792 **
    793 ** Returns          TURE - if a valid DIV is availavle
    794 *******************************************************************************/
    795 BOOLEAN btm_get_local_div (BD_ADDR bd_addr, UINT16 *p_div)
    796 {
    797     tBTM_SEC_DEV_REC   *p_dev_rec;
    798     BOOLEAN            status = FALSE;
    799     BTM_TRACE_DEBUG0 ("btm_get_local_div");
    800 
    801     BTM_TRACE_DEBUG6("bd_addr:%02x-%02x-%02x-%02x-%02x-%02x",
    802                      bd_addr[0],bd_addr[1],
    803                      bd_addr[2],bd_addr[3],
    804                      bd_addr[4],bd_addr[5]);
    805 
    806     p_dev_rec = btm_find_dev (bd_addr);
    807 
    808     if (p_dev_rec && p_dev_rec->ble.keys.div)
    809     {
    810         status = TRUE;
    811         *p_div = p_dev_rec->ble.keys.div;
    812     }
    813     BTM_TRACE_DEBUG2 ("btm_get_local_div status=%d (1-OK) DIV=0x%x", status, *p_div);
    814     return status;
    815 }
    816 
    817 /*******************************************************************************
    818 **
    819 ** Function         btm_sec_save_le_key
    820 **
    821 ** Description      This function is called by the SMP to update
    822 **                  an  BLE key.  SMP is internal, whereas all the keys shall
    823 **                  be sent to the application.  The function is also called
    824 **                  when application passes ble key stored in NVRAM to the btm_sec.
    825 **                  pass_to_application parameter is false in this case.
    826 **
    827 ** Returns          void
    828 **
    829 *******************************************************************************/
    830 void btm_sec_save_le_key(BD_ADDR bd_addr, tBTM_LE_KEY_TYPE key_type, tBTM_LE_KEY_VALUE *p_keys,
    831                          BOOLEAN pass_to_application)
    832 {
    833     tBTM_SEC_DEV_REC *p_rec;
    834     tBTM_LE_EVT_DATA    cb_data;
    835     UINT8 i;
    836 
    837     BTM_TRACE_DEBUG2 ("btm_sec_save_le_key key_type=0x%x pass_to_application=%d",key_type, pass_to_application);
    838     /* Store the updated key in the device database */
    839 
    840     BTM_TRACE_DEBUG6("bd_addr:%02x-%02x-%02x-%02x-%02x-%02x",
    841                      bd_addr[0],bd_addr[1],
    842                      bd_addr[2],bd_addr[3],
    843                      bd_addr[4],bd_addr[5]);
    844 
    845     if ((p_rec = btm_find_dev (bd_addr)) != NULL && p_keys)
    846     {
    847         switch (key_type)
    848         {
    849             case BTM_LE_KEY_PENC:
    850                 memcpy(p_rec->ble.keys.ltk, p_keys->penc_key.ltk, BT_OCTET16_LEN);
    851                 memcpy(p_rec->ble.keys.rand, p_keys->penc_key.rand, BT_OCTET8_LEN);
    852                 p_rec->ble.keys.sec_level = p_keys->penc_key.sec_level;
    853                 p_rec->ble.keys.ediv = p_keys->penc_key.ediv;
    854                 p_rec->ble.keys.key_size = p_keys->penc_key.key_size;
    855                 p_rec->ble.key_type |= BTM_LE_KEY_PENC;
    856                 p_rec->sec_flags |= BTM_SEC_LINK_KEY_KNOWN;
    857                 if (p_keys->penc_key.sec_level == SMP_SEC_AUTHENTICATED)
    858                     p_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED;
    859                 else
    860                     p_rec->sec_flags &= ~BTM_SEC_LINK_KEY_AUTHED;
    861                 BTM_TRACE_DEBUG3("BTM_LE_KEY_PENC key_type=0x%x sec_flags=0x%x sec_leve=0x%x",
    862                                  p_rec->ble.key_type,
    863                                  p_rec->sec_flags,
    864                                  p_rec->ble.keys.sec_level);
    865                 break;
    866 
    867             case BTM_LE_KEY_PID:
    868                 for (i=0; i<BT_OCTET16_LEN; i++)
    869                 {
    870                     p_rec->ble.keys.irk[i] = p_keys->pid_key.irk[i];
    871                 }
    872 
    873                  //memcpy( p_rec->ble.keys.irk, p_keys->pid_key, BT_OCTET16_LEN); todo will crash the system
    874                 memcpy(p_rec->ble.static_addr, p_keys->pid_key.static_addr, BD_ADDR_LEN);
    875                 p_rec->ble.static_addr_type = p_keys->pid_key.addr_type;
    876                 p_rec->ble.key_type |= BTM_LE_KEY_PID;
    877                 BTM_TRACE_DEBUG1("BTM_LE_KEY_PID key_type=0x%x save peer IRK",  p_rec->ble.key_type);
    878                 break;
    879 
    880             case BTM_LE_KEY_PCSRK:
    881                 memcpy(p_rec->ble.keys.csrk, p_keys->pcsrk_key.csrk, BT_OCTET16_LEN);
    882                 p_rec->ble.keys.srk_sec_level = p_keys->pcsrk_key.sec_level;
    883                 p_rec->ble.keys.counter  = p_keys->pcsrk_key.counter;
    884                 p_rec->ble.key_type |= BTM_LE_KEY_PCSRK;
    885                 p_rec->sec_flags |=  BTM_SEC_LINK_KEY_KNOWN;
    886                 if ( p_keys->pcsrk_key.sec_level== SMP_SEC_AUTHENTICATED)
    887                     p_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED;
    888                 else
    889                     p_rec->sec_flags &= ~BTM_SEC_LINK_KEY_AUTHED;
    890 
    891                 BTM_TRACE_DEBUG4("BTM_LE_KEY_PCSRK key_type=0x%x sec_flags=0x%x sec_level=0x%x peer_counter=%d",
    892                                  p_rec->ble.key_type,
    893                                  p_rec->sec_flags,
    894                                  p_rec->ble.keys.srk_sec_level,
    895                                  p_rec->ble.keys.counter );
    896                 break;
    897 
    898             case BTM_LE_KEY_LENC:
    899                 p_rec->ble.keys.div = p_keys->lenc_key.div; /* update DIV */
    900                 p_rec->ble.keys.sec_level = p_keys->lenc_key.sec_level;
    901                 p_rec->ble.keys.key_size = p_keys->lenc_key.key_size;
    902                 p_rec->ble.key_type |= BTM_LE_KEY_LENC;
    903 
    904                 BTM_TRACE_DEBUG4("BTM_LE_KEY_LENC key_type=0x%x DIV=0x%x key_size=0x%x sec_level=0x%x",
    905                                  p_rec->ble.key_type,
    906                                  p_rec->ble.keys.div,
    907                                  p_rec->ble.keys.key_size,
    908                                  p_rec->ble.keys.sec_level );
    909                 break;
    910 
    911             case BTM_LE_KEY_LCSRK:/* local CSRK has been delivered */
    912                 p_rec->ble.keys.div = p_keys->lcsrk_key.div; /* update DIV */
    913                 p_rec->ble.keys.local_csrk_sec_level = p_keys->lcsrk_key.sec_level;
    914                 p_rec->ble.keys.local_counter  = p_keys->lcsrk_key.counter;
    915                 p_rec->ble.key_type |= BTM_LE_KEY_LCSRK;
    916                 BTM_TRACE_DEBUG4("BTM_LE_KEY_LCSRK key_type=0x%x DIV=0x%x scrk_sec_level=0x%x local_counter=%d",
    917                                  p_rec->ble.key_type,
    918                                  p_rec->ble.keys.div,
    919                                  p_rec->ble.keys.local_csrk_sec_level,
    920                                  p_rec->ble.keys.local_counter );
    921                 break;
    922 
    923             default:
    924                 BTM_TRACE_WARNING1("btm_sec_save_le_key (Bad key_type 0x%02x)", key_type);
    925                 return;
    926         }
    927 
    928         BTM_TRACE_DEBUG3 ("BLE key type 0x%02x updated for BDA: %08x%04x (btm_sec_save_le_key)", key_type,
    929                           (bd_addr[0]<<24)+(bd_addr[1]<<16)+(bd_addr[2]<<8)+bd_addr[3],
    930                           (bd_addr[4]<<8)+bd_addr[5]);
    931 
    932         /* Notify the application that one of the BLE keys has been updated
    933            If link key is in progress, it will get sent later.*/
    934         if (pass_to_application && btm_cb.api.p_le_callback)
    935         {
    936             cb_data.key.p_key_value = p_keys;
    937             cb_data.key.key_type = key_type;
    938             (*btm_cb.api.p_le_callback) (BTM_LE_KEY_EVT, bd_addr, &cb_data);
    939         }
    940         return;
    941     }
    942 
    943     BTM_TRACE_WARNING3 ("BLE key type 0x%02x called for Unknown BDA or type: %08x%04x !! (btm_sec_save_le_key)", key_type,
    944                         (bd_addr[0]<<24)+(bd_addr[1]<<16)+(bd_addr[2]<<8)+bd_addr[3],
    945                         (bd_addr[4]<<8)+bd_addr[5]);
    946 
    947     if (p_rec)
    948     {
    949         BTM_TRACE_DEBUG1 ("sec_flags=0x%x", p_rec->sec_flags);
    950     }
    951 }
    952 
    953 /*******************************************************************************
    954 **
    955 ** Function         btm_ble_update_sec_key_size
    956 **
    957 ** Description      update the current lin kencryption key size
    958 **
    959 ** Returns          void
    960 **
    961 *******************************************************************************/
    962 void btm_ble_update_sec_key_size(BD_ADDR bd_addr, UINT8 enc_key_size)
    963 {
    964     tBTM_SEC_DEV_REC *p_rec;
    965 
    966     BTM_TRACE_DEBUG1("btm_ble_update_sec_key_size enc_key_size = %d", enc_key_size);
    967 
    968     if ((p_rec = btm_find_dev (bd_addr)) != NULL )
    969     {
    970         p_rec->enc_key_size = enc_key_size;
    971     }
    972 }
    973 
    974 /*******************************************************************************
    975 **
    976 ** Function         btm_ble_read_sec_key_size
    977 **
    978 ** Description      update the current lin kencryption key size
    979 **
    980 ** Returns          void
    981 **
    982 *******************************************************************************/
    983 UINT8 btm_ble_read_sec_key_size(BD_ADDR bd_addr)
    984 {
    985     tBTM_SEC_DEV_REC *p_rec;
    986 
    987     if ((p_rec = btm_find_dev (bd_addr)) != NULL )
    988     {
    989         return p_rec->enc_key_size;
    990     }
    991     else
    992         return 0;
    993 }
    994 
    995 /*******************************************************************************
    996 **
    997 ** Function         btm_ble_link_sec_check
    998 **
    999 ** Description      Check BLE link security level match.
   1000 **
   1001 ** Returns          TRUE: check is OK and the *p_sec_req_act contain the action
   1002 **
   1003 *******************************************************************************/
   1004 void btm_ble_link_sec_check(BD_ADDR bd_addr, tBTM_LE_AUTH_REQ auth_req, tBTM_BLE_SEC_REQ_ACT *p_sec_req_act)
   1005 {
   1006     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr);
   1007     UINT8 req_sec_level, cur_sec_level;
   1008 
   1009     BTM_TRACE_DEBUG1 ("btm_ble_link_sec_check auth_req =0x%x", auth_req);
   1010 
   1011     if (p_dev_rec == NULL)
   1012     {
   1013         BTM_TRACE_ERROR0 ("btm_ble_link_sec_check received for unknown device");
   1014         return;
   1015     }
   1016 
   1017     if (p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING ||
   1018         p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING)
   1019     {
   1020         /* race condition: discard the security request while master is encrypting the link */
   1021         *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_DISCARD;
   1022     }
   1023     else
   1024     {
   1025         req_sec_level = BTM_LE_SEC_UNAUTHENTICATE;
   1026         if ((auth_req == (BTM_LE_AUTH_REQ_BOND|BTM_LE_AUTH_REQ_MITM)) ||
   1027             (auth_req == (BTM_LE_AUTH_REQ_MITM)) )
   1028         {
   1029             req_sec_level = BTM_LE_SEC_AUTHENTICATED;
   1030         }
   1031 
   1032         BTM_TRACE_DEBUG1 ("dev_rec sec_flags=0x%x", p_dev_rec->sec_flags);
   1033 
   1034         /* currently encrpted  */
   1035         if (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)
   1036         {
   1037             if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED)
   1038                 cur_sec_level = BTM_LE_SEC_AUTHENTICATED;
   1039             else
   1040                 cur_sec_level = BTM_LE_SEC_UNAUTHENTICATE;
   1041         }
   1042         else /* unencrypted link */
   1043         {
   1044             /* if bonded, get the key security level */
   1045             if (p_dev_rec->ble.key_type & BTM_LE_KEY_PENC)
   1046                 cur_sec_level = p_dev_rec->ble.keys.sec_level;
   1047             else
   1048                 cur_sec_level = BTM_LE_SEC_NONE;
   1049         }
   1050 
   1051         if (cur_sec_level >= req_sec_level)
   1052         {
   1053             if (cur_sec_level == BTM_LE_SEC_NONE)
   1054             {
   1055                 *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_NONE;
   1056             }
   1057             else
   1058             {
   1059                 /* To avoid re-encryption on an encrypted link for an equal condition encryption */
   1060                 /* if link has been encrypted, do nothing, go straight to furhter action
   1061                 if (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)
   1062                     *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_DISCARD;
   1063                 else
   1064                 */
   1065                 *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_ENCRYPT;
   1066             }
   1067         }
   1068         else
   1069         {
   1070             *p_sec_req_act =  BTM_BLE_SEC_REQ_ACT_PAIR; /* start the pariring process to upgrade the keys*/
   1071         }
   1072     }
   1073 
   1074     BTM_TRACE_DEBUG3("cur_sec_level=%d req_sec_level=%d sec_req_act=%d",
   1075                      cur_sec_level,
   1076                      req_sec_level,
   1077                      *p_sec_req_act);
   1078 
   1079 }
   1080 
   1081 /*******************************************************************************
   1082 **
   1083 ** Function         btm_ble_set_encryption
   1084 **
   1085 ** Description      This function is called to ensure that LE connection is
   1086 **                  encrypted.  Should be called only on an open connection.
   1087 **                  Typically only needed for connections that first want to
   1088 **                  bring up unencrypted links, then later encrypt them.
   1089 **
   1090 ** Returns          void
   1091 **                  the local device ER is copied into er
   1092 **
   1093 *******************************************************************************/
   1094 tBTM_STATUS btm_ble_set_encryption (BD_ADDR bd_addr, void *p_ref_data, UINT8 link_role)
   1095 {
   1096     tBTM_STATUS         cmd = BTM_NO_RESOURCES;
   1097     tBTM_BLE_SEC_ACT    sec_act = *(tBTM_BLE_SEC_ACT *)p_ref_data ;
   1098     tBTM_SEC_DEV_REC    *p_rec = btm_find_dev (bd_addr);
   1099 
   1100     if (p_rec == NULL)
   1101     {
   1102         BTM_TRACE_WARNING1 ("btm_ble_set_encryption (NULL device record!! sec_act=0x%x", sec_act);
   1103         return(BTM_WRONG_MODE);
   1104     }
   1105 
   1106     BTM_TRACE_DEBUG2 ("btm_ble_set_encryption sec_act=0x%x role_master=%d", sec_act, p_rec->role_master);
   1107 
   1108     if (sec_act == BTM_BLE_SEC_ENCRYPT_MITM)
   1109     {
   1110         p_rec->security_required |= BTM_SEC_IN_MITM;
   1111     }
   1112 
   1113     switch (sec_act)
   1114     {
   1115         case BTM_BLE_SEC_ENCRYPT:
   1116             if (link_role == BTM_ROLE_MASTER)
   1117             {
   1118                 /* start link layer encryption using the security info stored */
   1119                 if (btm_ble_start_encrypt(bd_addr, FALSE, NULL))
   1120                 {
   1121                     p_rec->sec_state = BTM_SEC_STATE_ENCRYPTING;
   1122                     cmd = BTM_CMD_STARTED;
   1123                 }
   1124                 break;
   1125             }
   1126             /* if salve role then fall through to call SMP_Pair below which will send a
   1127                sec_request to request the master to encrypt the link */
   1128         case BTM_BLE_SEC_ENCRYPT_NO_MITM:
   1129         case BTM_BLE_SEC_ENCRYPT_MITM:
   1130 
   1131             if (SMP_Pair(bd_addr) == SMP_STARTED)
   1132             {
   1133                 cmd = BTM_CMD_STARTED;
   1134                 p_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING;
   1135             }
   1136             break;
   1137 
   1138         default:
   1139             cmd = BTM_SUCCESS;
   1140             break;
   1141     }
   1142     return cmd;
   1143 }
   1144 
   1145 /*******************************************************************************
   1146 **
   1147 ** Function         btm_ble_ltk_request
   1148 **
   1149 ** Description      This function is called when encryption request is received
   1150 **                  on a slave device.
   1151 **
   1152 **
   1153 ** Returns          void
   1154 **
   1155 *******************************************************************************/
   1156 void btm_ble_ltk_request(UINT16 handle, UINT8 rand[8], UINT16 ediv)
   1157 {
   1158     tBTM_CB *p_cb = &btm_cb;
   1159     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle);
   1160     BT_OCTET8 dummy_stk = {0};
   1161 
   1162     BTM_TRACE_DEBUG0 ("btm_ble_ltk_request");
   1163 
   1164     p_cb->ediv = ediv;
   1165 
   1166     memcpy(p_cb->enc_rand, rand, BT_OCTET8_LEN);
   1167 
   1168     if (!smp_proc_ltk_request(p_dev_rec->bd_addr))
   1169         btm_ble_ltk_request_reply(p_dev_rec->bd_addr, FALSE, dummy_stk);
   1170 
   1171 
   1172 }
   1173 
   1174 /*******************************************************************************
   1175 **
   1176 ** Function         btm_ble_start_encrypt
   1177 **
   1178 ** Description      This function is called to start LE encryption.
   1179 **
   1180 **
   1181 ** Returns          void
   1182 **
   1183 *******************************************************************************/
   1184 BOOLEAN btm_ble_start_encrypt(BD_ADDR bda, BOOLEAN use_stk, BT_OCTET16 stk)
   1185 {
   1186     tBTM_CB *p_cb = &btm_cb;
   1187     tBTM_SEC_DEV_REC    *p_rec = btm_find_dev (bda);
   1188     BT_OCTET8    dummy_rand = {0};
   1189 
   1190     BTM_TRACE_DEBUG0 ("btm_ble_start_encrypt");
   1191 
   1192     if (!p_rec ||
   1193         (p_rec && p_rec->sec_state == BTM_SEC_STATE_ENCRYPTING))
   1194         return FALSE;
   1195 
   1196     if (p_rec->sec_state == BTM_SEC_STATE_IDLE)
   1197         p_rec->sec_state = BTM_SEC_STATE_ENCRYPTING;
   1198     p_cb->enc_handle = p_rec->hci_handle;
   1199 
   1200     if (use_stk)
   1201     {
   1202         if (!btsnd_hcic_ble_start_enc(p_rec->hci_handle, dummy_rand, 0, stk))
   1203             return FALSE;
   1204     }
   1205     else if (p_rec->ble.key_type & BTM_LE_KEY_PENC)
   1206     {
   1207         if (!btsnd_hcic_ble_start_enc(p_rec->hci_handle, p_rec->ble.keys.rand,
   1208                                       p_rec->ble.keys.ediv, p_rec->ble.keys.ltk))
   1209             return FALSE;
   1210     }
   1211     else
   1212     {
   1213         return FALSE;
   1214     }
   1215 
   1216     return TRUE;
   1217 }
   1218 
   1219 /*******************************************************************************
   1220 **
   1221 ** Function         btm_ble_link_encrypted
   1222 **
   1223 ** Description      This function is called when LE link encrption status is changed.
   1224 **
   1225 ** Returns          void
   1226 **
   1227 *******************************************************************************/
   1228 void btm_ble_link_encrypted(BD_ADDR bd_addr, UINT8 encr_enable)
   1229 {
   1230     tBTM_SEC_DEV_REC    *p_dev_rec = btm_find_dev (bd_addr);
   1231     BOOLEAN             enc_cback;
   1232 
   1233     if (!p_dev_rec)
   1234     {
   1235         BTM_TRACE_WARNING1 ("btm_ble_link_encrypted (No Device Found!) encr_enable=%d", encr_enable);
   1236         return;
   1237     }
   1238 
   1239     BTM_TRACE_DEBUG1 ("btm_ble_link_encrypted encr_enable=%d", encr_enable);
   1240 
   1241     enc_cback = (p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING);
   1242 
   1243     smp_link_encrypted(bd_addr, encr_enable);
   1244 
   1245     BTM_TRACE_DEBUG1(" p_dev_rec->sec_flags=0x%x", p_dev_rec->sec_flags);
   1246 
   1247     if (encr_enable && p_dev_rec->enc_key_size == 0)
   1248         p_dev_rec->enc_key_size = p_dev_rec->ble.keys.key_size;
   1249 
   1250     p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
   1251     if (p_dev_rec->p_callback && enc_cback)
   1252     {
   1253         if (encr_enable)
   1254             btm_sec_dev_rec_cback_event(p_dev_rec, BTM_SUCCESS);
   1255         else if (p_dev_rec->role_master)
   1256             btm_sec_dev_rec_cback_event(p_dev_rec, BTM_ERR_PROCESSING);
   1257 
   1258     }
   1259     /* to notify GATT to send data if any request is pending */
   1260     gatt_notify_enc_cmpl(p_dev_rec->bd_addr);
   1261 }
   1262 
   1263 /*******************************************************************************
   1264 ** Function         btm_enc_proc_ltk
   1265 ** Description      send LTK reply when it's ready.
   1266 *******************************************************************************/
   1267 static void btm_enc_proc_ltk(tSMP_ENC *p)
   1268 {
   1269     UINT8   i;
   1270     BTM_TRACE_DEBUG0 ("btm_enc_proc_ltk");
   1271     if (p && p->param_len == BT_OCTET16_LEN)
   1272     {
   1273         for (i = 0; i < (BT_OCTET16_LEN - btm_cb.key_size); i ++)
   1274             p->param_buf[BT_OCTET16_LEN - i - 1] = 0;
   1275         btsnd_hcic_ble_ltk_req_reply(btm_cb.enc_handle, p->param_buf);
   1276     }
   1277 }
   1278 
   1279 /*******************************************************************************
   1280 ** Function         btm_enc_proc_slave_y
   1281 ** Description      calculate LTK when Y is ready
   1282 *******************************************************************************/
   1283 static void btm_enc_proc_slave_y(tSMP_ENC *p)
   1284 {
   1285     UINT16  div, y;
   1286     UINT8   *pp = p->param_buf;
   1287     tBTM_CB *p_cb = &btm_cb;
   1288     tSMP_ENC output;
   1289     tBTM_SEC_DEV_REC *p_dev_rec;
   1290 
   1291     BTM_TRACE_DEBUG0 ("btm_enc_proc_slave_y");
   1292     if (p != NULL)
   1293     {
   1294         STREAM_TO_UINT16(y, pp);
   1295 
   1296         div = p_cb->ediv ^ y;
   1297         p_dev_rec = btm_find_dev_by_handle (p_cb->enc_handle);
   1298 
   1299         if ( p_dev_rec &&
   1300              p_dev_rec->ble.keys.div == div )
   1301         {
   1302             BTM_TRACE_DEBUG0 ("LTK request OK");
   1303             /* calculating LTK , LTK = E er(div) */
   1304             SMP_Encrypt(p_cb->devcb.er, BT_OCTET16_LEN, (UINT8 *)&div, 2, &output);
   1305             btm_enc_proc_ltk(&output);
   1306         }
   1307         else
   1308         {
   1309             BTM_TRACE_DEBUG0 ("LTK request failed - send negative reply");
   1310             btsnd_hcic_ble_ltk_req_neg_reply(p_cb->enc_handle);
   1311             if (p_dev_rec)
   1312                 btm_ble_link_encrypted(p_dev_rec->bd_addr, 0);
   1313 
   1314         }
   1315     }
   1316 }
   1317 
   1318 /*******************************************************************************
   1319 **
   1320 ** Function         btm_ble_ltk_request_reply
   1321 **
   1322 ** Description      This function is called to send a LTK request reply on a slave
   1323 **                  device.
   1324 **
   1325 ** Returns          void
   1326 **
   1327 *******************************************************************************/
   1328 void btm_ble_ltk_request_reply(BD_ADDR bda,  BOOLEAN use_stk, BT_OCTET16 stk)
   1329 {
   1330     tBTM_SEC_DEV_REC    *p_rec = btm_find_dev (bda);
   1331     tBTM_CB *p_cb = &btm_cb;
   1332     tSMP_ENC output;
   1333 
   1334     if (p_rec == NULL)
   1335     {
   1336         BTM_TRACE_ERROR0("btm_ble_ltk_request_reply received for unknown device");
   1337         return;
   1338     }
   1339 
   1340     BTM_TRACE_DEBUG0 ("btm_ble_ltk_request_reply");
   1341     p_cb->enc_handle = p_rec->hci_handle;
   1342     p_cb->key_size = p_rec->ble.keys.key_size;
   1343 
   1344     BTM_TRACE_ERROR1("key size = %d", p_rec->ble.keys.key_size);
   1345     if (use_stk)
   1346     {
   1347         btsnd_hcic_ble_ltk_req_reply(btm_cb.enc_handle, stk);
   1348     }
   1349     else /* calculate LTK using peer device  */
   1350     {
   1351         /* generate Y= Encrypt(DHK, Rand) received from encrypt request  */
   1352         SMP_Encrypt(p_cb->devcb.id_keys.dhk, BT_OCTET16_LEN, p_cb->enc_rand,
   1353                     BT_OCTET8_LEN, &output);
   1354         btm_enc_proc_slave_y(&output);
   1355     }
   1356 }
   1357 
   1358 /*******************************************************************************
   1359 **
   1360 ** Function         btm_ble_io_capabilities_req
   1361 **
   1362 ** Description      This function is called to handle SMP get IO capability request.
   1363 **
   1364 ** Returns          void
   1365 **
   1366 *******************************************************************************/
   1367 UINT8 btm_ble_io_capabilities_req(tBTM_SEC_DEV_REC *p_dev_rec, tBTM_LE_IO_REQ *p_data)
   1368 {
   1369     UINT8           callback_rc = BTM_SUCCESS;
   1370     BTM_TRACE_DEBUG0 ("btm_ble_io_capabilities_req");
   1371     if (btm_cb.api.p_le_callback)
   1372     {
   1373         /* the callback function implementation may change the IO capability... */
   1374         callback_rc = (*btm_cb.api.p_le_callback) (BTM_LE_IO_REQ_EVT, p_dev_rec->bd_addr, (tBTM_LE_EVT_DATA *)p_data);
   1375     }
   1376 #if BTM_OOB_INCLUDED == TRUE
   1377     if ((callback_rc == BTM_SUCCESS) || (BTM_OOB_UNKNOWN != p_data->oob_data))
   1378 #else
   1379     if (callback_rc == BTM_SUCCESS)
   1380 #endif
   1381     {
   1382         p_data->auth_req &= BTM_LE_AUTH_REQ_MASK;
   1383 
   1384         BTM_TRACE_DEBUG2 ("btm_ble_io_capabilities_req 1: p_dev_rec->security_required = %d auth_req:%d",
   1385                           p_dev_rec->security_required, p_data->auth_req);
   1386         BTM_TRACE_DEBUG2 ("btm_ble_io_capabilities_req 2: i_keys=0x%x r_keys=0x%x (bit 0-LTK 1-IRK 2-CSRK)",
   1387                           p_data->init_keys,
   1388                           p_data->resp_keys);
   1389 
   1390         /* if authentication requires MITM protection, put on the mask */
   1391         if (p_dev_rec->security_required & BTM_SEC_IN_MITM)
   1392             p_data->auth_req |= BTM_LE_AUTH_REQ_MITM;
   1393 
   1394         if (!(p_data->auth_req & SMP_AUTH_BOND))
   1395         {
   1396             BTM_TRACE_DEBUG0("Non bonding: No keys should be exchanged");
   1397             p_data->init_keys = 0;
   1398             p_data->resp_keys = 0;
   1399         }
   1400 
   1401         BTM_TRACE_DEBUG1 ("btm_ble_io_capabilities_req 3: auth_req:%d", p_data->auth_req);
   1402         BTM_TRACE_DEBUG2 ("btm_ble_io_capabilities_req 4: i_keys=0x%x r_keys=0x%x",
   1403                           p_data->init_keys,
   1404                           p_data->resp_keys);
   1405 
   1406         BTM_TRACE_DEBUG2 ("btm_ble_io_capabilities_req 5: p_data->io_cap = %d auth_req:%d",
   1407                           p_data->io_cap, p_data->auth_req);
   1408 
   1409         /* remove MITM protection requirement if IO cap does not allow it */
   1410         if ((p_data->io_cap == BTM_IO_CAP_NONE) && p_data->oob_data == SMP_OOB_NONE)
   1411             p_data->auth_req &= ~BTM_LE_AUTH_REQ_MITM;
   1412 
   1413         BTM_TRACE_DEBUG3 ("btm_ble_io_capabilities_req 6: IO_CAP:%d oob_data:%d auth_req:%d",
   1414                           p_data->io_cap, p_data->oob_data, p_data->auth_req);
   1415     }
   1416     return callback_rc;
   1417 }
   1418 
   1419 /*******************************************************************************
   1420 **
   1421 ** Function         btm_ble_connected
   1422 **
   1423 ** Description      This function is when a LE connection to the peer device is
   1424 **                  establsihed
   1425 **
   1426 ** Returns          void
   1427 **
   1428 *******************************************************************************/
   1429 void btm_ble_connected (UINT8 *bda, UINT16 handle, UINT8 enc_mode, UINT8 role,
   1430                         tBLE_ADDR_TYPE addr_type, BOOLEAN addr_matched)
   1431 {
   1432     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bda);
   1433     tBTM_BLE_CB *p_cb = &btm_cb.ble_ctr_cb;
   1434 
   1435     BTM_TRACE_EVENT0 ("btm_ble_connected");
   1436 
   1437     /* Commenting out trace due to obf/compilation problems.
   1438     */
   1439 #if (BT_USE_TRACES == TRUE)
   1440     if (p_dev_rec)
   1441     {
   1442         BTM_TRACE_EVENT4 ("Security Manager: btm_sec_connected :  handle:%d  enc_mode:%d  bda:%x RName:%s",
   1443                           handle,  enc_mode,
   1444                           (bda[2]<<24)+(bda[3]<<16)+(bda[4]<<8)+bda[5],
   1445                           p_dev_rec->sec_bd_name);
   1446 
   1447         BTM_TRACE_DEBUG1 ("btm_ble_connected sec_flags=0x%x",p_dev_rec->sec_flags);
   1448     }
   1449     else
   1450     {
   1451         BTM_TRACE_EVENT3 ("Security Manager: btm_sec_connected:   handle:%d  enc_mode:%d  bda:%x ",
   1452                           handle,  enc_mode,
   1453                           (bda[2]<<24)+(bda[3]<<16)+(bda[4]<<8)+bda[5]);
   1454     }
   1455 #endif
   1456 
   1457     if (!p_dev_rec)
   1458     {
   1459         /* There is no device record for new connection.  Allocate one */
   1460         p_dev_rec = btm_sec_alloc_dev (bda);
   1461     }
   1462     else    /* Update the timestamp for this device */
   1463     {
   1464         p_dev_rec->timestamp = btm_cb.dev_rec_count++;
   1465     }
   1466 
   1467     /* update device information */
   1468     p_dev_rec->device_type |= BT_DEVICE_TYPE_BLE;
   1469     p_dev_rec->hci_handle = handle;
   1470     p_dev_rec->ble.ble_addr_type = addr_type;
   1471 
   1472     if (role == HCI_ROLE_MASTER)
   1473         p_dev_rec->role_master = TRUE;
   1474 
   1475     if (role == HCI_ROLE_SLAVE)
   1476         p_cb->inq_var.adv_mode  = BTM_BLE_ADV_DISABLE;
   1477     p_cb->inq_var.directed_conn = FALSE;
   1478 
   1479     return;
   1480 }
   1481 
   1482 /*****************************************************************************
   1483 **  Function        btm_ble_conn_complete
   1484 **
   1485 **  Description     LE connection complete.
   1486 **
   1487 ******************************************************************************/
   1488 void btm_ble_conn_complete(UINT8 *p, UINT16 evt_len)
   1489 {
   1490     UINT8       role, status, bda_type;
   1491     UINT16      handle;
   1492     BD_ADDR     bda;
   1493     UINT16      conn_interval, conn_latency, conn_timeout;
   1494     BOOLEAN     match = FALSE;
   1495 
   1496     STREAM_TO_UINT8   (status, p);
   1497     STREAM_TO_UINT16   (handle, p);
   1498     STREAM_TO_UINT8    (role, p);
   1499     STREAM_TO_UINT8    (bda_type, p);
   1500     STREAM_TO_BDADDR   (bda, p);
   1501 
   1502     if (status == 0)
   1503     {
   1504         STREAM_TO_UINT16   (conn_interval, p);
   1505         STREAM_TO_UINT16   (conn_latency, p);
   1506         STREAM_TO_UINT16   (conn_timeout, p);
   1507         handle = HCID_GET_HANDLE (handle);
   1508 
   1509         btm_ble_connected(bda, handle, HCI_ENCRYPT_MODE_DISABLED, role, bda_type, match);
   1510         l2cble_conn_comp (handle, role, bda, bda_type, conn_interval,
   1511                               conn_latency, conn_timeout);
   1512     }
   1513     else
   1514     {
   1515         role = HCI_ROLE_UNKNOWN;
   1516 
   1517         if (status == HCI_ERR_DIRECTED_ADVERTISING_TIMEOUT)
   1518             btm_ble_dir_adv_tout();
   1519     }
   1520     btm_ble_update_mode_operation(role, bda, TRUE);
   1521 }
   1522 
   1523 /*****************************************************************************
   1524 **  Function        btm_proc_smp_cback
   1525 **
   1526 **  Description     This function is the SMP callback handler.
   1527 **
   1528 ******************************************************************************/
   1529 UINT8 btm_proc_smp_cback(tSMP_EVT event, BD_ADDR bd_addr, tSMP_EVT_DATA *p_data)
   1530 {
   1531     tBTM_SEC_DEV_REC    *p_dev_rec = btm_find_dev (bd_addr);
   1532     UINT8 res = 0;
   1533 
   1534     BTM_TRACE_DEBUG1 ("btm_proc_smp_cback event = %d", event);
   1535 
   1536     if (p_dev_rec != NULL)
   1537     {
   1538         switch (event)
   1539         {
   1540             case SMP_IO_CAP_REQ_EVT:
   1541                 btm_ble_io_capabilities_req(p_dev_rec, (tBTM_LE_IO_REQ *)&p_data->io_req);
   1542                 break;
   1543 
   1544             case SMP_PASSKEY_REQ_EVT:
   1545             case SMP_PASSKEY_NOTIF_EVT:
   1546             case SMP_OOB_REQ_EVT:
   1547                 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED;
   1548             case SMP_SEC_REQUEST_EVT:
   1549             case SMP_COMPLT_EVT:
   1550                 if (btm_cb.api.p_le_callback)
   1551                 {
   1552                     /* the callback function implementation may change the IO capability... */
   1553                     BTM_TRACE_DEBUG1 ("btm_cb.api.p_le_callback=0x%x", btm_cb.api.p_le_callback );
   1554                    (*btm_cb.api.p_le_callback) (event, bd_addr, (tBTM_LE_EVT_DATA *)p_data);
   1555                 }
   1556 
   1557                 if (event == SMP_COMPLT_EVT)
   1558                 {
   1559                     BTM_TRACE_DEBUG2 ("evt=SMP_COMPLT_EVT before update sec_level=0x%x sec_flags=0x%x", p_data->cmplt.sec_level , p_dev_rec->sec_flags );
   1560 
   1561                     res = (p_data->cmplt.reason == SMP_SUCCESS) ? BTM_SUCCESS : BTM_ERR_PROCESSING;
   1562 
   1563                     BTM_TRACE_DEBUG3 ("after update result=%d sec_level=0x%x sec_flags=0x%x",
   1564                                       res, p_data->cmplt.sec_level , p_dev_rec->sec_flags );
   1565 
   1566                     btm_sec_dev_rec_cback_event(p_dev_rec, res);
   1567 
   1568                     if (p_data->cmplt.is_pair_cancel && btm_cb.api.p_bond_cancel_cmpl_callback )
   1569                     {
   1570                         BTM_TRACE_DEBUG0 ("Pairing Cancel completed");
   1571                         (*btm_cb.api.p_bond_cancel_cmpl_callback)(BTM_SUCCESS);
   1572                     }
   1573 #if BTM_BLE_CONFORMANCE_TESTING == TRUE
   1574                     if (res != BTM_SUCCESS)
   1575                     {
   1576                         if (!btm_cb.devcb.no_disc_if_pair_fail)
   1577                         {
   1578                             BTM_TRACE_DEBUG0 ("Pairing failed - Remove ACL");
   1579                             btm_remove_acl(bd_addr);
   1580                         }
   1581                         else
   1582                         {
   1583                             BTM_TRACE_DEBUG0 ("Pairing failed - Not Removing ACL");
   1584                             p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
   1585                         }
   1586                     }
   1587 #else
   1588                     if (res != BTM_SUCCESS)
   1589                         btm_remove_acl(bd_addr);
   1590 #endif
   1591 
   1592                     BTM_TRACE_DEBUG3 ("btm_cb pairing_state=%x pairing_flags=%x pin_code_len=%x",
   1593                                       btm_cb.pairing_state,
   1594                                       btm_cb.pairing_flags,
   1595                                       btm_cb.pin_code_len  );
   1596                     BTM_TRACE_DEBUG6 ("btm_cb.pairing_bda %02x:%02x:%02x:%02x:%02x:%02x",
   1597                                       btm_cb.pairing_bda[0], btm_cb.pairing_bda[1], btm_cb.pairing_bda[2],
   1598                                       btm_cb.pairing_bda[3], btm_cb.pairing_bda[4], btm_cb.pairing_bda[5]);
   1599 
   1600                     memset (btm_cb.pairing_bda, 0xff, BD_ADDR_LEN);
   1601                     btm_cb.pairing_flags = 0;
   1602                 }
   1603                 break;
   1604 
   1605             default:
   1606                 BTM_TRACE_DEBUG1 ("unknown event = %d", event);
   1607                 break;
   1608 
   1609 
   1610         }
   1611     }
   1612     else
   1613     {
   1614         BTM_TRACE_ERROR0("btm_proc_smp_cback received for unknown device");
   1615     }
   1616 
   1617     return 0;
   1618 }
   1619 
   1620     #endif  /* SMP_INCLUDED */
   1621 #endif  /* BLE_INCLUDED */
   1622 
   1623 
   1624 /*******************************************************************************
   1625 **
   1626 ** Function         BTM_BleDataSignature
   1627 **
   1628 ** Description      This function is called to sign the data using AES128 CMAC
   1629 **                  algorith.
   1630 **
   1631 ** Parameter        bd_addr: target device the data to be signed for.
   1632 **                  p_text: singing data
   1633 **                  len: length of the data to be signed.
   1634 **                  signature: output parameter where data signature is going to
   1635 **                             be stored.
   1636 **
   1637 ** Returns          TRUE if signing sucessul, otherwise FALSE.
   1638 **
   1639 *******************************************************************************/
   1640 BOOLEAN BTM_BleDataSignature (BD_ADDR bd_addr, UINT8 *p_text, UINT16 len,
   1641                               BLE_SIGNATURE signature)
   1642 {
   1643     BOOLEAN     ret = FALSE;
   1644 #if (BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE)
   1645     tBTM_SEC_DEV_REC    *p_rec = btm_find_dev (bd_addr);
   1646     UINT8   *p_buf, *pp;
   1647 
   1648     BT_OCTET16  er;
   1649     UINT16      div;
   1650     UINT8       temp[4]; /* for (r || DIV)  r=1*/
   1651     UINT16      r=1;
   1652     UINT8       *p=temp, *p_mac = (UINT8 *)signature;
   1653     tSMP_ENC    output;
   1654     BT_OCTET16  local_csrk;
   1655 
   1656     BTM_TRACE_DEBUG0 ("BTM_BleDataSignature");
   1657     if (p_rec == NULL)
   1658     {
   1659         BTM_TRACE_ERROR0("data signing can not be done from unknow device");
   1660     }
   1661     else
   1662     {
   1663         if ((p_buf = (UINT8 *)GKI_getbuf((UINT16)(len + 4))) != NULL)
   1664         {
   1665             BTM_TRACE_DEBUG0("Start to generate Local CSRK");
   1666             /* prepare plain text */
   1667             if (p_text)
   1668             {
   1669                 memcpy(p_buf, p_text, len);
   1670                 pp = (p_buf + len);
   1671             }
   1672 
   1673 #if BTM_BLE_CONFORMANCE_TESTING == TRUE
   1674             if ( btm_cb.devcb.enable_test_local_sign_cntr)
   1675             {
   1676                 BTM_TRACE_DEBUG1 ("Use Test local counter value from script counter_val=%d", btm_cb.devcb.test_local_sign_cntr);
   1677                 UINT32_TO_STREAM(pp, btm_cb.devcb.test_local_sign_cntr);
   1678             }
   1679             else
   1680             {
   1681                 UINT32_TO_STREAM(pp, p_rec->ble.keys.local_counter);
   1682             }
   1683 #else
   1684             UINT32_TO_STREAM(pp, p_rec->ble.keys.local_counter);
   1685 #endif
   1686             /* compute local csrk */
   1687             if (btm_get_local_div(bd_addr, &div))
   1688             {
   1689                 BTM_TRACE_DEBUG1 ("compute_csrk div=%x", div);
   1690                 BTM_GetDeviceEncRoot(er);
   1691 
   1692                 /* CSRK = d1(ER, DIV, 1) */
   1693                 UINT16_TO_STREAM(p, div);
   1694                 UINT16_TO_STREAM(p, r);
   1695 
   1696                 if (!SMP_Encrypt(er, BT_OCTET16_LEN, temp, 4, &output))
   1697                 {
   1698                     BTM_TRACE_ERROR0("Local CSRK generation failed ");
   1699                 }
   1700                 else
   1701                 {
   1702                     BTM_TRACE_DEBUG0("local CSRK generation success");
   1703                     memcpy((void *)local_csrk, output.param_buf, BT_OCTET16_LEN);
   1704 
   1705 
   1706 #if BTM_BLE_CONFORMANCE_TESTING == TRUE
   1707                     if (btm_cb.devcb.enable_test_local_sign_cntr)
   1708                     {
   1709                         UINT32_TO_STREAM(p_mac, btm_cb.devcb.test_local_sign_cntr);
   1710                     }
   1711                     else
   1712                     {
   1713                         UINT32_TO_STREAM(p_mac, p_rec->ble.keys.local_counter);
   1714                     }
   1715 #else
   1716                     UINT32_TO_STREAM(p_mac, p_rec->ble.keys.local_counter);
   1717 #endif
   1718 
   1719                     if ((ret = AES_CMAC(local_csrk, p_buf, (UINT16)(len + 4), BTM_CMAC_TLEN_SIZE, p_mac)) == TRUE)
   1720                     {
   1721                         btm_ble_increment_sign_ctr(bd_addr, TRUE);
   1722 
   1723 #if BTM_BLE_CONFORMANCE_TESTING == TRUE
   1724                         if ( btm_cb.devcb.enable_test_mac_val)
   1725                         {
   1726                             BTM_TRACE_DEBUG0 ("Use MAC value from script");
   1727                             memcpy(p_mac, btm_cb.devcb.test_mac, BTM_CMAC_TLEN_SIZE);
   1728                         }
   1729 #endif
   1730                     }
   1731                     BTM_TRACE_DEBUG1("BTM_BleDataSignature p_mac = %d", p_mac);
   1732                     BTM_TRACE_DEBUG4("p_mac[0] = 0x%02x p_mac[1] = 0x%02x p_mac[2] = 0x%02x p_mac[3] = 0x%02x",
   1733                                      *p_mac, *(p_mac + 1), *(p_mac + 2), *(p_mac + 3));
   1734                     BTM_TRACE_DEBUG4("p_mac[4] = 0x%02x p_mac[5] = 0x%02x p_mac[6] = 0x%02x p_mac[7] = 0x%02x",
   1735                                      *(p_mac + 4), *(p_mac + 5), *(p_mac + 6), *(p_mac + 7));
   1736 
   1737                     GKI_freebuf(p_buf);
   1738                 }
   1739             }
   1740         }
   1741     }
   1742 #endif  /* BLE_INCLUDED */
   1743     return ret;
   1744 }
   1745 
   1746 /*******************************************************************************
   1747 **
   1748 ** Function         BTM_BleVerifySignature
   1749 **
   1750 ** Description      This function is called to verify the data signature
   1751 **
   1752 ** Parameter        bd_addr: target device the data to be signed for.
   1753 **                  p_orig:  original data before signature.
   1754 **                  len: length of the signing data
   1755 **                  counter: counter used when doing data signing
   1756 **                  p_comp: signature to be compared against.
   1757 
   1758 ** Returns          TRUE if signature verified correctly; otherwise FALSE.
   1759 **
   1760 *******************************************************************************/
   1761 BOOLEAN BTM_BleVerifySignature (BD_ADDR bd_addr, UINT8 *p_orig, UINT16 len, UINT32 counter,
   1762                                 UINT8 *p_comp)
   1763 {
   1764     BOOLEAN             verified = FALSE;
   1765 #if (BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE)
   1766     tBTM_SEC_DEV_REC    *p_rec = btm_find_dev (bd_addr);
   1767     UINT8               p_mac[BTM_CMAC_TLEN_SIZE];
   1768 
   1769     if (p_rec == NULL || (p_rec && !(p_rec->ble.key_type & BTM_LE_KEY_PCSRK)))
   1770     {
   1771         BTM_TRACE_ERROR0("can not verify signature for unknown device");
   1772     }
   1773     else if (counter < p_rec->ble.keys.counter)
   1774     {
   1775         BTM_TRACE_ERROR0("signature received with out dated sign counter");
   1776     }
   1777     else if (p_orig == NULL)
   1778     {
   1779         BTM_TRACE_ERROR0("No signature to verify");
   1780     }
   1781     else
   1782     {
   1783         BTM_TRACE_DEBUG2 ("BTM_BleVerifySignature rcv_cnt=%d >= expected_cnt=%d", counter, p_rec->ble.keys.counter);
   1784 
   1785         if (AES_CMAC(p_rec->ble.keys.csrk, p_orig, len, BTM_CMAC_TLEN_SIZE, p_mac))
   1786         {
   1787             if (memcmp(p_mac, p_comp, BTM_CMAC_TLEN_SIZE) == 0)
   1788             {
   1789                 btm_ble_increment_sign_ctr(bd_addr, FALSE);
   1790                 verified = TRUE;
   1791             }
   1792         }
   1793     }
   1794 #endif  /* BLE_INCLUDED */
   1795     return verified;
   1796 }
   1797 
   1798 #if BLE_INCLUDED == TRUE
   1799 /*******************************************************************************
   1800 **  Utility functions for LE device IR/ER generation
   1801 *******************************************************************************/
   1802 /*******************************************************************************
   1803 **
   1804 ** Function         btm_notify_new_key
   1805 **
   1806 ** Description      This function is to notify application new keys have been
   1807 **                  generated.
   1808 **
   1809 ** Returns          void
   1810 **
   1811 *******************************************************************************/
   1812 static void btm_notify_new_key(UINT8 key_type)
   1813 {
   1814     tBTM_BLE_LOCAL_KEYS *p_locak_keys = NULL;
   1815 
   1816     BTM_TRACE_DEBUG1 ("btm_notify_new_key key_type=%d", key_type);
   1817 
   1818     if (btm_cb.api.p_le_key_callback)
   1819     {
   1820         switch (key_type)
   1821         {
   1822             case BTM_BLE_KEY_TYPE_ID:
   1823                 BTM_TRACE_DEBUG0 ("BTM_BLE_KEY_TYPE_ID");
   1824                 p_locak_keys = (tBTM_BLE_LOCAL_KEYS *)&btm_cb.devcb.id_keys;
   1825                 break;
   1826 
   1827             case BTM_BLE_KEY_TYPE_ER:
   1828                 BTM_TRACE_DEBUG0 ("BTM_BLE_KEY_TYPE_ER");
   1829                 p_locak_keys = (tBTM_BLE_LOCAL_KEYS *)&btm_cb.devcb.er;
   1830                 break;
   1831 
   1832             default:
   1833                 BTM_TRACE_ERROR1("unknown key type: %d", key_type);
   1834                 break;
   1835         }
   1836         if (p_locak_keys != NULL)
   1837             (*btm_cb.api.p_le_key_callback) (key_type, p_locak_keys);
   1838     }
   1839 }
   1840 
   1841 /*******************************************************************************
   1842 **
   1843 ** Function         btm_ble_process_er2
   1844 **
   1845 ** Description      This function is called when ER is generated, store it in
   1846 **                  local control block.
   1847 **
   1848 ** Returns          void
   1849 **
   1850 *******************************************************************************/
   1851 static void btm_ble_process_er2(tBTM_RAND_ENC *p)
   1852 {
   1853     BTM_TRACE_DEBUG0 ("btm_ble_process_er2");
   1854 
   1855     if (p &&p->opcode == HCI_BLE_RAND)
   1856     {
   1857         memcpy(&btm_cb.devcb.er[8], p->param_buf, BT_OCTET8_LEN);
   1858         btm_notify_new_key(BTM_BLE_KEY_TYPE_ER);
   1859     }
   1860     else
   1861     {
   1862         BTM_TRACE_ERROR0("Generating ER2 exception.");
   1863         memset(&btm_cb.devcb.er, 0, sizeof(BT_OCTET16));
   1864     }
   1865 }
   1866 
   1867 /*******************************************************************************
   1868 **
   1869 ** Function         btm_ble_process_er
   1870 **
   1871 ** Description      This function is called when ER is generated, store it in
   1872 **                  local control block.
   1873 **
   1874 ** Returns          void
   1875 **
   1876 *******************************************************************************/
   1877 static void btm_ble_process_er(tBTM_RAND_ENC *p)
   1878 {
   1879     BTM_TRACE_DEBUG0 ("btm_ble_process_er");
   1880 
   1881     if (p &&p->opcode == HCI_BLE_RAND)
   1882     {
   1883         memcpy(&btm_cb.devcb.er[0], p->param_buf, BT_OCTET8_LEN);
   1884 
   1885         if (!btsnd_hcic_ble_rand((void *)btm_ble_process_er2))
   1886         {
   1887             memset(&btm_cb.devcb.er, 0, sizeof(BT_OCTET16));
   1888             BTM_TRACE_ERROR0("Generating ER2 failed.");
   1889         }
   1890     }
   1891     else
   1892     {
   1893         BTM_TRACE_ERROR0("Generating ER1 exception.");
   1894     }
   1895 }
   1896 
   1897 /*******************************************************************************
   1898 **
   1899 ** Function         btm_ble_process_irk
   1900 **
   1901 ** Description      This function is called when IRK is generated, store it in
   1902 **                  local control block.
   1903 **
   1904 ** Returns          void
   1905 **
   1906 *******************************************************************************/
   1907 static void btm_ble_process_irk(tSMP_ENC *p)
   1908 {
   1909     BTM_TRACE_DEBUG0 ("btm_ble_process_irk");
   1910     if (p &&p->opcode == HCI_BLE_ENCRYPT)
   1911     {
   1912         memcpy(btm_cb.devcb.id_keys.irk, p->param_buf, BT_OCTET16_LEN);
   1913         btm_notify_new_key(BTM_BLE_KEY_TYPE_ID);
   1914     }
   1915     else
   1916     {
   1917         BTM_TRACE_ERROR0("Generating IRK exception.");
   1918     }
   1919 
   1920     /* proceed generate ER */
   1921     if (!btsnd_hcic_ble_rand((void *)btm_ble_process_er))
   1922     {
   1923         BTM_TRACE_ERROR0("Generating ER failed.");
   1924     }
   1925 }
   1926 
   1927 /*******************************************************************************
   1928 **
   1929 ** Function         btm_ble_process_dhk
   1930 **
   1931 ** Description      This function is called when DHK is calculated, store it in
   1932 **                  local control block, and proceed to generate ER, a 128-bits
   1933 **                  random number.
   1934 **
   1935 ** Returns          void
   1936 **
   1937 *******************************************************************************/
   1938 static void btm_ble_process_dhk(tSMP_ENC *p)
   1939 {
   1940 #if SMP_INCLUDED == TRUE
   1941     UINT8 btm_ble_irk_pt = 0x01;
   1942     tSMP_ENC output;
   1943 
   1944     BTM_TRACE_DEBUG0 ("btm_ble_process_dhk");
   1945 
   1946     if (p && p->opcode == HCI_BLE_ENCRYPT)
   1947     {
   1948         memcpy(btm_cb.devcb.id_keys.dhk, p->param_buf, BT_OCTET16_LEN);
   1949         BTM_TRACE_DEBUG0("BLE DHK generated.");
   1950 
   1951         /* IRK = D1(IR, 1) */
   1952         if (!SMP_Encrypt(btm_cb.devcb.id_keys.ir, BT_OCTET16_LEN, &btm_ble_irk_pt,
   1953                          1,   &output))
   1954         {
   1955             /* reset all identity root related key */
   1956             memset(&btm_cb.devcb.id_keys, 0, sizeof(tBTM_BLE_LOCAL_ID_KEYS));
   1957         }
   1958         else
   1959         {
   1960             btm_ble_process_irk(&output);
   1961         }
   1962     }
   1963     else
   1964     {
   1965         /* reset all identity root related key */
   1966         memset(&btm_cb.devcb.id_keys, 0, sizeof(tBTM_BLE_LOCAL_ID_KEYS));
   1967     }
   1968 #endif
   1969 }
   1970 
   1971 /*******************************************************************************
   1972 **
   1973 ** Function         btm_ble_process_ir2
   1974 **
   1975 ** Description      This function is called when IR is generated, proceed to calculate
   1976 **                  DHK = Eir({0x03, 0, 0 ...})
   1977 **
   1978 **
   1979 ** Returns          void
   1980 **
   1981 *******************************************************************************/
   1982 static void btm_ble_process_ir2(tBTM_RAND_ENC *p)
   1983 {
   1984 #if SMP_INCLUDED == TRUE
   1985     UINT8 btm_ble_dhk_pt = 0x03;
   1986     tSMP_ENC output;
   1987 
   1988     BTM_TRACE_DEBUG0 ("btm_ble_process_ir2");
   1989 
   1990     if (p && p->opcode == HCI_BLE_RAND)
   1991     {
   1992         /* remembering in control block */
   1993         memcpy(&btm_cb.devcb.id_keys.ir[8], p->param_buf, BT_OCTET8_LEN);
   1994         /* generate DHK= Eir({0x03, 0x00, 0x00 ...}) */
   1995 
   1996 
   1997         SMP_Encrypt(btm_cb.devcb.id_keys.ir, BT_OCTET16_LEN, &btm_ble_dhk_pt,
   1998                     1, &output);
   1999         btm_ble_process_dhk(&output);
   2000 
   2001         BTM_TRACE_DEBUG0("BLE IR generated.");
   2002     }
   2003     else
   2004     {
   2005         memset(&btm_cb.devcb.id_keys, 0, sizeof(tBTM_BLE_LOCAL_ID_KEYS));
   2006     }
   2007 #endif
   2008 }
   2009 
   2010 /*******************************************************************************
   2011 **
   2012 ** Function         btm_ble_process_ir
   2013 **
   2014 ** Description      This function is called when IR is generated, proceed to calculate
   2015 **                  DHK = Eir({0x02, 0, 0 ...})
   2016 **
   2017 **
   2018 ** Returns          void
   2019 **
   2020 *******************************************************************************/
   2021 static void btm_ble_process_ir(tBTM_RAND_ENC *p)
   2022 {
   2023     BTM_TRACE_DEBUG0 ("btm_ble_process_ir");
   2024 
   2025     if (p && p->opcode == HCI_BLE_RAND)
   2026     {
   2027         /* remembering in control block */
   2028         memcpy(btm_cb.devcb.id_keys.ir, p->param_buf, BT_OCTET8_LEN);
   2029 
   2030         if (!btsnd_hcic_ble_rand((void *)btm_ble_process_ir2))
   2031         {
   2032             BTM_TRACE_ERROR0("Generating IR2 failed.");
   2033             memset(&btm_cb.devcb.id_keys, 0, sizeof(tBTM_BLE_LOCAL_ID_KEYS));
   2034         }
   2035     }
   2036 }
   2037 
   2038 /*******************************************************************************
   2039 **
   2040 ** Function         btm_ble_reset_id
   2041 **
   2042 ** Description      This function is called to reset LE device identity.
   2043 **
   2044 ** Returns          void
   2045 **
   2046 *******************************************************************************/
   2047 void btm_ble_reset_id( void )
   2048 {
   2049     BTM_TRACE_DEBUG0 ("btm_ble_reset_id");
   2050 
   2051     /* regenrate Identity Root*/
   2052     if (!btsnd_hcic_ble_rand((void *)btm_ble_process_ir))
   2053     {
   2054         BTM_TRACE_DEBUG0("Generating IR failed.");
   2055     }
   2056 }
   2057 
   2058     #if BTM_BLE_CONFORMANCE_TESTING == TRUE
   2059 /*******************************************************************************
   2060 **
   2061 ** Function         btm_ble_set_no_disc_if_pair_fail
   2062 **
   2063 ** Description      This function indicates that whether no disconnect of the ACL
   2064 **                  should be used if pairing failed
   2065 **
   2066 ** Returns          void
   2067 **
   2068 *******************************************************************************/
   2069 void btm_ble_set_no_disc_if_pair_fail(BOOLEAN disable_disc )
   2070 {
   2071     BTM_TRACE_DEBUG1 ("btm_ble_set_disc_enable_if_pair_fail disable_disc=%d", disable_disc);
   2072     btm_cb.devcb.no_disc_if_pair_fail = disable_disc;
   2073 }
   2074 
   2075 /*******************************************************************************
   2076 **
   2077 ** Function         btm_ble_set_test_mac_value
   2078 **
   2079 ** Description      This function set test MAC value
   2080 **
   2081 ** Returns          void
   2082 **
   2083 *******************************************************************************/
   2084 void btm_ble_set_test_mac_value(BOOLEAN enable, UINT8 *p_test_mac_val )
   2085 {
   2086     BTM_TRACE_DEBUG1 ("btm_ble_set_test_mac_value enable=%d", enable);
   2087     btm_cb.devcb.enable_test_mac_val = enable;
   2088     memcpy(btm_cb.devcb.test_mac, p_test_mac_val, BT_OCTET8_LEN);
   2089 }
   2090 
   2091 /*******************************************************************************
   2092 **
   2093 ** Function         btm_ble_set_test_local_sign_cntr_value
   2094 **
   2095 ** Description      This function set test local sign counter value
   2096 **
   2097 ** Returns          void
   2098 **
   2099 *******************************************************************************/
   2100 void btm_ble_set_test_local_sign_cntr_value(BOOLEAN enable, UINT32 test_local_sign_cntr )
   2101 {
   2102     BTM_TRACE_DEBUG2 ("btm_ble_set_test_local_sign_cntr_value enable=%d local_sign_cntr=%d",
   2103                       enable, test_local_sign_cntr);
   2104     btm_cb.devcb.enable_test_local_sign_cntr = enable;
   2105     btm_cb.devcb.test_local_sign_cntr =  test_local_sign_cntr;
   2106 }
   2107 
   2108 /*******************************************************************************
   2109 **
   2110 ** Function         btm_set_random_address
   2111 **
   2112 ** Description      This function set a random address to local controller.
   2113 **
   2114 ** Returns          void
   2115 **
   2116 *******************************************************************************/
   2117 void btm_set_random_address(BD_ADDR random_bda)
   2118 {
   2119     tBTM_LE_RANDOM_CB *p_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb;
   2120     BOOLEAN     adv_mode = btm_cb.ble_ctr_cb.inq_var.adv_mode ;
   2121 
   2122     BTM_TRACE_DEBUG0 ("btm_set_random_address");
   2123 
   2124     if (adv_mode  == BTM_BLE_ADV_ENABLE)
   2125         btsnd_hcic_ble_set_adv_enable (BTM_BLE_ADV_DISABLE);
   2126 
   2127     memcpy(p_cb->private_addr, random_bda, BD_ADDR_LEN);
   2128     btsnd_hcic_ble_set_random_addr(p_cb->private_addr);
   2129 
   2130     if (adv_mode  == BTM_BLE_ADV_ENABLE)
   2131         btsnd_hcic_ble_set_adv_enable (BTM_BLE_ADV_ENABLE);
   2132 
   2133 
   2134 }
   2135 #endif /* BTM_BLE_CONFORMANCE_TESTING */
   2136 
   2137 
   2138 #endif /* BLE_INCLUDED */
   2139