1 /****************************************************************************** 2 * 3 * Copyright (C) 1999-2012 Broadcom Corporation 4 * 5 * Licensed under the Apache License, Version 2.0 (the "License"); 6 * you may not use this file except in compliance with the License. 7 * You may obtain a copy of the License at: 8 * 9 * http://www.apache.org/licenses/LICENSE-2.0 10 * 11 * Unless required by applicable law or agreed to in writing, software 12 * distributed under the License is distributed on an "AS IS" BASIS, 13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 * See the License for the specific language governing permissions and 15 * limitations under the License. 16 * 17 ******************************************************************************/ 18 19 /****************************************************************************** 20 * 21 * This file contains functions for BLE device control utilities, and LE 22 * security functions. 23 * 24 ******************************************************************************/ 25 26 #include <string.h> 27 28 #include "bt_types.h" 29 #include "hcimsgs.h" 30 #include "btu.h" 31 #include "btm_int.h" 32 #include "btm_ble_api.h" 33 #include "smp_api.h" 34 #include "l2c_int.h" 35 #include "gap_api.h" 36 37 #if SMP_INCLUDED == TRUE 38 extern BOOLEAN AES_CMAC ( BT_OCTET16 key, UINT8 *input, UINT16 length, UINT16 tlen, UINT8 *p_signature); 39 extern void smp_link_encrypted(BD_ADDR bda, UINT8 encr_enable); 40 extern BOOLEAN smp_proc_ltk_request(BD_ADDR bda); 41 #endif 42 extern void gatt_notify_enc_cmpl(BD_ADDR bd_addr); 43 44 /*******************************************************************************/ 45 /* External Function to be called by other modules */ 46 /*******************************************************************************/ 47 /******************************************************** 48 ** 49 ** Function BTM_SecAddBleDevice 50 ** 51 ** Description Add/modify device. This function will be normally called 52 ** during host startup to restore all required information 53 ** for a LE device stored in the NVRAM. 54 ** 55 ** Parameters: bd_addr - BD address of the peer 56 ** bd_name - Name of the peer device. NULL if unknown. 57 ** dev_type - Remote device's device type. 58 ** addr_type - LE device address type. 59 ** 60 ** Returns TRUE if added OK, else FALSE 61 ** 62 *******************************************************************************/ 63 BOOLEAN BTM_SecAddBleDevice (BD_ADDR bd_addr, BD_NAME bd_name, tBT_DEVICE_TYPE dev_type, 64 tBLE_ADDR_TYPE addr_type) 65 { 66 #if BLE_INCLUDED == TRUE 67 tBTM_SEC_DEV_REC *p_dev_rec; 68 UINT8 i = 0; 69 tBTM_INQ_INFO *p_info=NULL; 70 71 BTM_TRACE_DEBUG1 ("BTM_SecAddBleDevice dev_type=0x%x", dev_type); 72 p_dev_rec = btm_find_dev (bd_addr); 73 74 if (!p_dev_rec) 75 { 76 BTM_TRACE_DEBUG0("Add a new device"); 77 78 /* There is no device record, allocate one. 79 * If we can not find an empty spot for this one, let it fail. */ 80 for (i = 0; i < BTM_SEC_MAX_DEVICE_RECORDS; i++) 81 { 82 if (!(btm_cb.sec_dev_rec[i].sec_flags & BTM_SEC_IN_USE)) 83 { 84 BTM_TRACE_DEBUG1 ("allocate a new dev rec idx=0x%x ", i ); 85 p_dev_rec = &btm_cb.sec_dev_rec[i]; 86 87 /* Mark this record as in use and initialize */ 88 memset (p_dev_rec, 0, sizeof (tBTM_SEC_DEV_REC)); 89 p_dev_rec->sec_flags = BTM_SEC_IN_USE; 90 memcpy (p_dev_rec->bd_addr, bd_addr, BD_ADDR_LEN); 91 p_dev_rec->hci_handle = BTM_GetHCIConnHandle (bd_addr); 92 93 /* update conn params, use default value for background connection params */ 94 p_dev_rec->conn_params.min_conn_int = 95 p_dev_rec->conn_params.max_conn_int = 96 p_dev_rec->conn_params.supervision_tout = 97 p_dev_rec->conn_params.slave_latency = BTM_BLE_CONN_PARAM_UNDEF; 98 99 BTM_TRACE_DEBUG1 ("hci_handl=0x%x ", p_dev_rec->hci_handle ); 100 break; 101 } 102 } 103 104 if (!p_dev_rec) 105 return(FALSE); 106 } 107 else 108 { 109 BTM_TRACE_DEBUG0("Device already exist"); 110 } 111 112 memset(p_dev_rec->sec_bd_name, 0, sizeof(tBTM_BD_NAME)); 113 114 if (bd_name && bd_name[0]) 115 { 116 p_dev_rec->sec_flags |= BTM_SEC_NAME_KNOWN; 117 BCM_STRNCPY_S ((char *)p_dev_rec->sec_bd_name, sizeof (p_dev_rec->sec_bd_name), 118 (char *)bd_name, BTM_MAX_REM_BD_NAME_LEN); 119 } 120 p_dev_rec->device_type = dev_type; 121 p_dev_rec->ble.ble_addr_type = addr_type; 122 BTM_TRACE_DEBUG3 ("p_dev_rec->device_type =0x%x addr_type=0x%x sec_flags=0x%x", 123 dev_type, addr_type, p_dev_rec->sec_flags); 124 125 /* sync up with the Inq Data base*/ 126 p_info = BTM_InqDbRead(bd_addr); 127 if (p_info) 128 { 129 p_info->results.ble_addr_type = p_dev_rec->ble.ble_addr_type ; 130 p_info->results.device_type = p_dev_rec->device_type; 131 BTM_TRACE_DEBUG2 ("InqDb device_type =0x%x addr_type=0x%x", 132 p_info->results.device_type, p_info->results.ble_addr_type); 133 } 134 135 #endif 136 return(TRUE); 137 } 138 139 /******************************************************************************* 140 ** 141 ** Function BTM_SecAddBleKey 142 ** 143 ** Description Add/modify LE device information. This function will be 144 ** normally called during host startup to restore all required 145 ** information stored in the NVRAM. 146 ** 147 ** Parameters: bd_addr - BD address of the peer 148 ** p_le_key - LE key values. 149 ** key_type - LE SMP key type. 150 * 151 ** Returns TRUE if added OK, else FALSE 152 ** 153 *******************************************************************************/ 154 BOOLEAN BTM_SecAddBleKey (BD_ADDR bd_addr, tBTM_LE_KEY_VALUE *p_le_key, tBTM_LE_KEY_TYPE key_type) 155 { 156 #if (BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE) 157 tBTM_SEC_DEV_REC *p_dev_rec; 158 BTM_TRACE_DEBUG0 ("BTM_SecAddBleKey"); 159 p_dev_rec = btm_find_dev (bd_addr); 160 if (!p_dev_rec || !p_le_key || 161 (key_type != BTM_LE_KEY_PENC && key_type != BTM_LE_KEY_PID && 162 key_type != BTM_LE_KEY_PCSRK && key_type != BTM_LE_KEY_LENC && 163 key_type != BTM_LE_KEY_LCSRK)) 164 { 165 BTM_TRACE_WARNING3 ("BTM_SecAddBleKey() Wrong Type, or No Device record \ 166 for bdaddr: %08x%04x, Type: %d", 167 (bd_addr[0]<<24)+(bd_addr[1]<<16)+(bd_addr[2]<<8)+bd_addr[3], 168 (bd_addr[4]<<8)+bd_addr[5], key_type); 169 return(FALSE); 170 } 171 172 BTM_TRACE_DEBUG3 ("BTM_SecAddLeKey() BDA: %08x%04x, Type: 0x%02x", 173 (bd_addr[0]<<24)+(bd_addr[1]<<16)+(bd_addr[2]<<8)+bd_addr[3], 174 (bd_addr[4]<<8)+bd_addr[5], key_type); 175 176 if (key_type == BTM_LE_KEY_PENC || key_type == BTM_LE_KEY_PID || 177 key_type == BTM_LE_KEY_PCSRK || key_type == BTM_LE_KEY_LENC || 178 key_type == BTM_LE_KEY_LCSRK) 179 { 180 btm_sec_save_le_key (bd_addr, key_type, p_le_key, FALSE); 181 } 182 183 #endif 184 185 return(TRUE); 186 } 187 188 /******************************************************************************* 189 ** 190 ** Function BTM_BleLoadLocalKeys 191 ** 192 ** Description Local local identity key, encryption root or sign counter. 193 ** 194 ** Parameters: key_type: type of key, can be BTM_BLE_KEY_TYPE_ID, BTM_BLE_KEY_TYPE_ER 195 ** or BTM_BLE_KEY_TYPE_COUNTER. 196 ** p_key: pointer to the key. 197 * 198 ** Returns non2. 199 ** 200 *******************************************************************************/ 201 void BTM_BleLoadLocalKeys(UINT8 key_type, tBTM_BLE_LOCAL_KEYS *p_key) 202 { 203 #if BLE_INCLUDED == TRUE 204 tBTM_DEVCB *p_devcb = &btm_cb.devcb; 205 BTM_TRACE_DEBUG0 ("BTM_BleLoadLocalKeys"); 206 if (p_key != NULL) 207 { 208 switch (key_type) 209 { 210 case BTM_BLE_KEY_TYPE_ID: 211 memcpy(&p_devcb->id_keys, &p_key->id_keys, sizeof(tBTM_BLE_LOCAL_ID_KEYS)); 212 break; 213 214 case BTM_BLE_KEY_TYPE_ER: 215 memcpy(p_devcb->er, p_key->er, sizeof(BT_OCTET16)); 216 break; 217 218 default: 219 BTM_TRACE_ERROR1("unknow local key type: %d", key_type); 220 break; 221 } 222 } 223 #endif 224 } 225 226 /******************************************************************************* 227 ** 228 ** Function BTM_GetDeviceEncRoot 229 ** 230 ** Description This function is called to read the local device encryption 231 ** root. 232 ** 233 ** Returns void 234 ** the local device ER is copied into er 235 ** 236 *******************************************************************************/ 237 void BTM_GetDeviceEncRoot (BT_OCTET16 er) 238 { 239 BTM_TRACE_DEBUG0 ("BTM_GetDeviceEncRoot"); 240 241 #if BLE_INCLUDED == TRUE 242 memcpy (er, btm_cb.devcb.er, BT_OCTET16_LEN); 243 #endif 244 } 245 246 /******************************************************************************* 247 ** 248 ** Function BTM_GetDeviceIDRoot 249 ** 250 ** Description This function is called to read the local device identity 251 ** root. 252 ** 253 ** Returns void 254 ** the local device IR is copied into irk 255 ** 256 *******************************************************************************/ 257 void BTM_GetDeviceIDRoot (BT_OCTET16 irk) 258 { 259 BTM_TRACE_DEBUG0 ("BTM_GetDeviceIDRoot "); 260 261 #if BLE_INCLUDED == TRUE 262 memcpy (irk, btm_cb.devcb.id_keys.irk, BT_OCTET16_LEN); 263 #endif 264 } 265 266 /******************************************************************************* 267 ** 268 ** Function BTM_GetDeviceDHK 269 ** 270 ** Description This function is called to read the local device DHK. 271 ** 272 ** Returns void 273 ** the local device DHK is copied into dhk 274 ** 275 *******************************************************************************/ 276 void BTM_GetDeviceDHK (BT_OCTET16 dhk) 277 { 278 #if BLE_INCLUDED == TRUE 279 BTM_TRACE_DEBUG0 ("BTM_GetDeviceDHK"); 280 memcpy (dhk, btm_cb.devcb.id_keys.dhk, BT_OCTET16_LEN); 281 #endif 282 } 283 284 /******************************************************************************* 285 ** 286 ** Function BTM_ReadConnectionAddr 287 ** 288 ** Description This function is called to get the local device address information 289 ** . 290 ** 291 ** Returns void 292 ** 293 *******************************************************************************/ 294 void BTM_ReadConnectionAddr (BD_ADDR remote_bda, BD_ADDR local_conn_addr, tBLE_ADDR_TYPE *p_addr_type) 295 { 296 #if BLE_INCLUDED == TRUE 297 tACL_CONN *p_acl = btm_bda_to_acl(remote_bda); 298 299 if (p_acl == NULL) 300 { 301 BTM_TRACE_ERROR0("No connection exist!"); 302 return; 303 } 304 memcpy(local_conn_addr, p_acl->conn_addr, BD_ADDR_LEN); 305 * p_addr_type = p_acl->conn_addr_type; 306 307 BTM_TRACE_DEBUG2 ("BTM_ReadConnectionAddr address type: %d addr: 0x%02x", 308 p_acl->conn_addr_type, p_acl->conn_addr[0]); 309 310 #endif 311 } 312 313 /******************************************************************************* 314 ** 315 ** Function BTM_ReadRemoteConnectionAddr 316 ** 317 ** Description This function is read the remote device address currently used 318 ** . 319 ** 320 ** Returns void 321 ** 322 *******************************************************************************/ 323 BOOLEAN BTM_ReadRemoteConnectionAddr(BD_ADDR pseudo_addr, BD_ADDR conn_addr, tBLE_ADDR_TYPE *p_addr_type) 324 { 325 BOOLEAN st = TRUE; 326 #if BLE_INCLUDED == TRUE 327 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev(pseudo_addr); 328 329 memcpy(conn_addr, pseudo_addr, BD_ADDR_LEN); 330 *p_addr_type = p_dev_rec->ble.ble_addr_type; 331 #endif 332 return st; 333 } 334 /******************************************************************************* 335 ** 336 ** Function BTM_SecurityGrant 337 ** 338 ** Description This function is called to grant security process. 339 ** 340 ** Parameters bd_addr - peer device bd address. 341 ** res - result of the operation BTM_SUCCESS if success. 342 ** Otherwise, BTM_REPEATED_ATTEMPTS is too many attempts. 343 ** 344 ** Returns None 345 ** 346 *******************************************************************************/ 347 void BTM_SecurityGrant(BD_ADDR bd_addr, UINT8 res) 348 { 349 #if (BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE) 350 tSMP_STATUS res_smp = (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_REPEATED_ATTEMPTS; 351 BTM_TRACE_DEBUG0 ("BTM_SecurityGrant"); 352 SMP_SecurityGrant(bd_addr, res_smp); 353 #endif 354 } 355 356 /******************************************************************************* 357 ** 358 ** Function BTM_BlePasskeyReply 359 ** 360 ** Description This function is called after Security Manager submitted 361 ** passkey request to the application. 362 ** 363 ** Parameters: bd_addr - Address of the device for which passkey was requested 364 ** res - result of the operation BTM_SUCCESS if success 365 ** key_len - length in bytes of the Passkey 366 ** p_passkey - pointer to array with the passkey 367 ** trusted_mask - bitwise OR of trusted services (array of UINT32) 368 ** 369 *******************************************************************************/ 370 void BTM_BlePasskeyReply (BD_ADDR bd_addr, UINT8 res, UINT32 passkey) 371 { 372 #if (BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE) 373 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr); 374 tSMP_STATUS res_smp = (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_PASSKEY_ENTRY_FAIL; 375 376 if (p_dev_rec == NULL) 377 { 378 BTM_TRACE_ERROR0("Passkey reply to Unknown device"); 379 return; 380 } 381 382 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED; 383 BTM_TRACE_DEBUG0 ("BTM_BlePasskeyReply"); 384 SMP_PasskeyReply(bd_addr, res_smp, passkey); 385 #endif 386 } 387 388 /******************************************************************************* 389 ** 390 ** Function BTM_BleOobDataReply 391 ** 392 ** Description This function is called to provide the OOB data for 393 ** SMP in response to BTM_LE_OOB_REQ_EVT 394 ** 395 ** Parameters: bd_addr - Address of the peer device 396 ** res - result of the operation SMP_SUCCESS if success 397 ** p_data - simple pairing Randomizer C. 398 ** 399 *******************************************************************************/ 400 void BTM_BleOobDataReply(BD_ADDR bd_addr, UINT8 res, UINT8 len, UINT8 *p_data) 401 { 402 #if (BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE) 403 tSMP_STATUS res_smp = (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_OOB_FAIL; 404 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr); 405 406 BTM_TRACE_DEBUG0 ("BTM_BleOobDataReply"); 407 408 if (p_dev_rec == NULL) 409 { 410 BTM_TRACE_ERROR0("BTM_BleOobDataReply() to Unknown device"); 411 return; 412 } 413 414 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED; 415 SMP_OobDataReply(bd_addr, res_smp, len, p_data); 416 #endif 417 } 418 419 /****************************************************************************** 420 ** 421 ** Function BTM_BleSetConnScanParams 422 ** 423 ** Description Set scan parameter used in BLE connection request 424 ** 425 ** Parameters: scan_interval: scan interval 426 ** scan_window: scan window 427 ** 428 ** Returns void 429 ** 430 *******************************************************************************/ 431 void BTM_BleSetConnScanParams (UINT16 scan_interval, UINT16 scan_window) 432 { 433 #if (BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE) 434 tBTM_BLE_CB *p_ble_cb = &btm_cb.ble_ctr_cb; 435 BOOLEAN new_param = FALSE; 436 437 if (BTM_BLE_VALID_PRAM(scan_interval, BTM_BLE_SCAN_INT_MIN, BTM_BLE_SCAN_INT_MAX) && 438 BTM_BLE_VALID_PRAM(scan_window, BTM_BLE_SCAN_WIN_MIN, BTM_BLE_SCAN_WIN_MAX)) 439 { 440 btu_stop_timer(&p_ble_cb->scan_param_idle_timer); 441 442 if (p_ble_cb->scan_int != scan_interval) 443 { 444 p_ble_cb->scan_int = scan_interval; 445 new_param = TRUE; 446 } 447 448 if (p_ble_cb->scan_win != scan_window) 449 { 450 p_ble_cb->scan_win = scan_window; 451 new_param = TRUE; 452 } 453 454 if (new_param && p_ble_cb->conn_state == BLE_BG_CONN) 455 { 456 btm_ble_suspend_bg_conn(); 457 } 458 } 459 else 460 { 461 BTM_TRACE_ERROR0("Illegal Connection Scan Parameters"); 462 } 463 #endif 464 } 465 466 /******************************************************** 467 ** 468 ** Function BTM_BleSetPrefConnParams 469 ** 470 ** Description Set a peripheral's preferred connection parameters 471 ** 472 ** Parameters: bd_addr - BD address of the peripheral 473 ** scan_interval: scan interval 474 ** scan_window: scan window 475 ** min_conn_int - minimum preferred connection interval 476 ** max_conn_int - maximum preferred connection interval 477 ** slave_latency - preferred slave latency 478 ** supervision_tout - preferred supervision timeout 479 ** 480 ** Returns void 481 ** 482 *******************************************************************************/ 483 void BTM_BleSetPrefConnParams (BD_ADDR bd_addr, 484 UINT16 min_conn_int, UINT16 max_conn_int, 485 UINT16 slave_latency, UINT16 supervision_tout) 486 { 487 #if BLE_INCLUDED == TRUE 488 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr); 489 490 BTM_TRACE_API4 ("BTM_BleSetPrefConnParams min: %u max: %u latency: %u \ 491 tout: %u", 492 min_conn_int, max_conn_int, slave_latency, supervision_tout); 493 494 if (BTM_BLE_VALID_PRAM(min_conn_int, BTM_BLE_CONN_INT_MIN, BTM_BLE_CONN_INT_MAX) && 495 BTM_BLE_VALID_PRAM(max_conn_int, BTM_BLE_CONN_INT_MIN, BTM_BLE_CONN_INT_MAX) && 496 BTM_BLE_VALID_PRAM(supervision_tout, BTM_BLE_CONN_SUP_TOUT_MIN, BTM_BLE_CONN_SUP_TOUT_MAX) && 497 (slave_latency <= BTM_BLE_CONN_LATENCY_MAX || slave_latency == BTM_BLE_CONN_PARAM_UNDEF)) 498 { 499 if (p_dev_rec) 500 { 501 /* expect conn int and stout and slave latency to be updated all together */ 502 if (min_conn_int != BTM_BLE_CONN_PARAM_UNDEF || max_conn_int != BTM_BLE_CONN_PARAM_UNDEF) 503 { 504 if (min_conn_int != BTM_BLE_CONN_PARAM_UNDEF) 505 p_dev_rec->conn_params.min_conn_int = min_conn_int; 506 else 507 p_dev_rec->conn_params.min_conn_int = max_conn_int; 508 509 if (max_conn_int != BTM_BLE_CONN_PARAM_UNDEF) 510 p_dev_rec->conn_params.max_conn_int = max_conn_int; 511 else 512 p_dev_rec->conn_params.max_conn_int = min_conn_int; 513 514 if (slave_latency != BTM_BLE_CONN_PARAM_UNDEF) 515 p_dev_rec->conn_params.slave_latency = slave_latency; 516 else 517 p_dev_rec->conn_params.slave_latency = BTM_BLE_CONN_SLAVE_LATENCY_DEF; 518 519 if (supervision_tout != BTM_BLE_CONN_PARAM_UNDEF) 520 p_dev_rec->conn_params.supervision_tout = supervision_tout; 521 else 522 p_dev_rec->conn_params.slave_latency = BTM_BLE_CONN_TIMEOUT_DEF; 523 524 } 525 526 } 527 else 528 { 529 BTM_TRACE_ERROR0("Unknown Device, setting rejected"); 530 } 531 } 532 else 533 { 534 BTM_TRACE_ERROR0("Illegal Connection Parameters"); 535 } 536 #endif /* BLE_INCLUDED */ 537 } 538 539 /******************************************************************************* 540 ** 541 ** Function BTM_ReadDevInfo 542 ** 543 ** Description This function is called to read the device/address type 544 ** of BD address. 545 ** 546 ** Parameter remote_bda: remote device address 547 ** p_dev_type: output parameter to read the device type. 548 ** p_addr_type: output parameter to read the address type. 549 ** 550 *******************************************************************************/ 551 void BTM_ReadDevInfo (BD_ADDR remote_bda, tBT_DEVICE_TYPE *p_dev_type, tBLE_ADDR_TYPE *p_addr_type) 552 { 553 #if BLE_INCLUDED == TRUE 554 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (remote_bda); 555 tBTM_INQ_INFO *p_inq_info = BTM_InqDbRead(remote_bda); 556 557 *p_dev_type = BT_DEVICE_TYPE_BREDR; 558 *p_addr_type = BLE_ADDR_PUBLIC; 559 560 if (!p_dev_rec) 561 { 562 /* Check with the BT manager if details about remote device are known */ 563 if (p_inq_info != NULL) 564 { 565 *p_dev_type = p_inq_info->results.device_type ; 566 *p_addr_type = p_inq_info->results.ble_addr_type; 567 } 568 /* unknown device, assume BR/EDR */ 569 } 570 else /* there is a security device record exisitng */ 571 { 572 /* new inquiry result, overwrite device type in security device record */ 573 if (p_inq_info) 574 { 575 p_dev_rec->device_type = p_inq_info->results.device_type; 576 p_dev_rec->ble.ble_addr_type = p_inq_info->results.ble_addr_type; 577 } 578 *p_dev_type = p_dev_rec->device_type; 579 *p_addr_type = p_dev_rec->ble.ble_addr_type; 580 581 } 582 583 BTM_TRACE_DEBUG2 ("btm_find_dev_type - device_type = %d addr_type = %d", *p_dev_type , *p_addr_type); 584 #endif 585 586 return; 587 } 588 589 #if BLE_INCLUDED == TRUE 590 591 /******************************************************************************* 592 ** 593 ** Function BTM_BleReceiverTest 594 ** 595 ** Description This function is called to start the LE Receiver test 596 ** 597 ** Parameter rx_freq - Frequency Range 598 ** p_cmd_cmpl_cback - Command Complete callback 599 ** 600 *******************************************************************************/ 601 void BTM_BleReceiverTest(UINT8 rx_freq, tBTM_CMPL_CB *p_cmd_cmpl_cback) 602 { 603 btm_cb.devcb.p_le_test_cmd_cmpl_cb = p_cmd_cmpl_cback; 604 605 if (btsnd_hcic_ble_receiver_test(rx_freq) == FALSE) 606 { 607 BTM_TRACE_ERROR1("%s: Unable to Trigger LE receiver test", __FUNCTION__); 608 } 609 } 610 611 /******************************************************************************* 612 ** 613 ** Function BTM_BleTransmitterTest 614 ** 615 ** Description This function is called to start the LE Transmitter test 616 ** 617 ** Parameter tx_freq - Frequency Range 618 ** test_data_len - Length in bytes of payload data in each packet 619 ** packet_payload - Pattern to use in the payload 620 ** p_cmd_cmpl_cback - Command Complete callback 621 ** 622 *******************************************************************************/ 623 void BTM_BleTransmitterTest(UINT8 tx_freq, UINT8 test_data_len, 624 UINT8 packet_payload, tBTM_CMPL_CB *p_cmd_cmpl_cback) 625 { 626 btm_cb.devcb.p_le_test_cmd_cmpl_cb = p_cmd_cmpl_cback; 627 if (btsnd_hcic_ble_transmitter_test(tx_freq, test_data_len, packet_payload) == FALSE) 628 { 629 BTM_TRACE_ERROR1("%s: Unable to Trigger LE transmitter test", __FUNCTION__); 630 } 631 } 632 633 /******************************************************************************* 634 ** 635 ** Function BTM_BleTestEnd 636 ** 637 ** Description This function is called to stop the in-progress TX or RX test 638 ** 639 ** Parameter p_cmd_cmpl_cback - Command complete callback 640 ** 641 *******************************************************************************/ 642 void BTM_BleTestEnd(tBTM_CMPL_CB *p_cmd_cmpl_cback) 643 { 644 btm_cb.devcb.p_le_test_cmd_cmpl_cb = p_cmd_cmpl_cback; 645 646 if (btsnd_hcic_ble_test_end() == FALSE) 647 { 648 BTM_TRACE_ERROR1("%s: Unable to End the LE TX/RX test", __FUNCTION__); 649 } 650 } 651 652 #endif 653 654 /******************************************************************************* 655 ** Internal Functions 656 *******************************************************************************/ 657 #if BLE_INCLUDED == TRUE 658 659 void btm_ble_test_command_complete(UINT8 *p) 660 { 661 tBTM_CMPL_CB *p_cb = btm_cb.devcb.p_le_test_cmd_cmpl_cb; 662 UINT8 status; 663 664 btm_cb.devcb.p_le_test_cmd_cmpl_cb = NULL; 665 666 if (p_cb) 667 { 668 (*p_cb)(p); 669 } 670 } 671 672 /******************************************************************************* 673 ** 674 ** Function btm_ble_check_link_type 675 ** 676 ** Description This function is to check the link type is BLE or BR/EDR. 677 ** 678 ** Returns TRUE if BLE link; FALSE if BR/EDR. 679 ** 680 *******************************************************************************/ 681 BOOLEAN btm_ble_check_link_type (BD_ADDR bd_addr) 682 { 683 tACL_CONN *p; 684 BTM_TRACE_DEBUG0 ("btm_ble_check_link_type"); 685 if ((p = btm_bda_to_acl(bd_addr)) != NULL) 686 return p->is_le_link; 687 else 688 return FALSE; 689 } 690 691 /******************************************************************************* 692 ** 693 ** Function btm_ble_rand_enc_complete 694 ** 695 ** Description This function is the callback functions for HCI_Rand command 696 ** and HCI_Encrypt command is completed. 697 ** This message is received from the HCI. 698 ** 699 ** Returns void 700 ** 701 *******************************************************************************/ 702 void btm_ble_rand_enc_complete (UINT8 *p, UINT16 op_code, tBTM_RAND_ENC_CB *p_enc_cplt_cback) 703 { 704 tBTM_RAND_ENC params; 705 UINT8 *p_dest = params.param_buf; 706 707 BTM_TRACE_DEBUG0 ("btm_ble_rand_enc_complete"); 708 709 memset(¶ms, 0, sizeof(tBTM_RAND_ENC)); 710 711 /* If there was a callback address for vcs complete, call it */ 712 if (p_enc_cplt_cback && p) 713 { 714 /* Pass paramters to the callback function */ 715 STREAM_TO_UINT8(params.status, p); /* command status */ 716 717 if (params.status == HCI_SUCCESS) 718 { 719 params.opcode = op_code; 720 721 if (op_code == HCI_BLE_RAND) 722 params.param_len = BT_OCTET8_LEN; 723 else 724 params.param_len = BT_OCTET16_LEN; 725 726 memcpy(p_dest, p, params.param_len); /* Fetch return info from HCI event message */ 727 } 728 if (p_enc_cplt_cback) 729 (*p_enc_cplt_cback)(¶ms); /* Call the Encryption complete callback function */ 730 } 731 } 732 733 734 #if (SMP_INCLUDED == TRUE) 735 736 /******************************************************************************* 737 ** 738 ** Function btm_ble_get_enc_key_type 739 ** 740 ** Description This function is to increment local sign counter 741 ** Returns None 742 ** 743 *******************************************************************************/ 744 void btm_ble_increment_sign_ctr(BD_ADDR bd_addr, BOOLEAN is_local ) 745 { 746 tBTM_SEC_DEV_REC *p_dev_rec; 747 748 BTM_TRACE_DEBUG1 ("btm_ble_increment_sign_ctr is_local=%d", is_local); 749 750 if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL) 751 { 752 if (is_local) 753 p_dev_rec->ble.keys.local_counter++; 754 else 755 p_dev_rec->ble.keys.counter++; 756 BTM_TRACE_DEBUG3 ("is_local=%d local sign counter=%d peer sign counter=%d", 757 is_local, 758 p_dev_rec->ble.keys.local_counter, 759 p_dev_rec->ble.keys.counter); 760 } 761 } 762 763 /******************************************************************************* 764 ** 765 ** Function btm_ble_get_enc_key_type 766 ** 767 ** Description This function is to get the BLE key type that has been exchanged 768 ** in betweem local device and peer device. 769 ** 770 ** Returns p_key_type: output parameter to carry the key type value. 771 ** 772 *******************************************************************************/ 773 BOOLEAN btm_ble_get_enc_key_type(BD_ADDR bd_addr, UINT8 *p_key_types) 774 { 775 tBTM_SEC_DEV_REC *p_dev_rec; 776 777 BTM_TRACE_DEBUG0 ("btm_ble_get_enc_key_type"); 778 779 if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL) 780 { 781 *p_key_types = p_dev_rec->ble.key_type; 782 return TRUE; 783 } 784 return FALSE; 785 } 786 787 /******************************************************************************* 788 ** 789 ** Function btm_get_local_div 790 ** 791 ** Description This function is called to read the local DIV 792 ** 793 ** Returns TURE - if a valid DIV is availavle 794 *******************************************************************************/ 795 BOOLEAN btm_get_local_div (BD_ADDR bd_addr, UINT16 *p_div) 796 { 797 tBTM_SEC_DEV_REC *p_dev_rec; 798 BOOLEAN status = FALSE; 799 BTM_TRACE_DEBUG0 ("btm_get_local_div"); 800 801 BTM_TRACE_DEBUG6("bd_addr:%02x-%02x-%02x-%02x-%02x-%02x", 802 bd_addr[0],bd_addr[1], 803 bd_addr[2],bd_addr[3], 804 bd_addr[4],bd_addr[5]); 805 806 p_dev_rec = btm_find_dev (bd_addr); 807 808 if (p_dev_rec && p_dev_rec->ble.keys.div) 809 { 810 status = TRUE; 811 *p_div = p_dev_rec->ble.keys.div; 812 } 813 BTM_TRACE_DEBUG2 ("btm_get_local_div status=%d (1-OK) DIV=0x%x", status, *p_div); 814 return status; 815 } 816 817 /******************************************************************************* 818 ** 819 ** Function btm_sec_save_le_key 820 ** 821 ** Description This function is called by the SMP to update 822 ** an BLE key. SMP is internal, whereas all the keys shall 823 ** be sent to the application. The function is also called 824 ** when application passes ble key stored in NVRAM to the btm_sec. 825 ** pass_to_application parameter is false in this case. 826 ** 827 ** Returns void 828 ** 829 *******************************************************************************/ 830 void btm_sec_save_le_key(BD_ADDR bd_addr, tBTM_LE_KEY_TYPE key_type, tBTM_LE_KEY_VALUE *p_keys, 831 BOOLEAN pass_to_application) 832 { 833 tBTM_SEC_DEV_REC *p_rec; 834 tBTM_LE_EVT_DATA cb_data; 835 UINT8 i; 836 837 BTM_TRACE_DEBUG2 ("btm_sec_save_le_key key_type=0x%x pass_to_application=%d",key_type, pass_to_application); 838 /* Store the updated key in the device database */ 839 840 BTM_TRACE_DEBUG6("bd_addr:%02x-%02x-%02x-%02x-%02x-%02x", 841 bd_addr[0],bd_addr[1], 842 bd_addr[2],bd_addr[3], 843 bd_addr[4],bd_addr[5]); 844 845 if ((p_rec = btm_find_dev (bd_addr)) != NULL && p_keys) 846 { 847 switch (key_type) 848 { 849 case BTM_LE_KEY_PENC: 850 memcpy(p_rec->ble.keys.ltk, p_keys->penc_key.ltk, BT_OCTET16_LEN); 851 memcpy(p_rec->ble.keys.rand, p_keys->penc_key.rand, BT_OCTET8_LEN); 852 p_rec->ble.keys.sec_level = p_keys->penc_key.sec_level; 853 p_rec->ble.keys.ediv = p_keys->penc_key.ediv; 854 p_rec->ble.keys.key_size = p_keys->penc_key.key_size; 855 p_rec->ble.key_type |= BTM_LE_KEY_PENC; 856 p_rec->sec_flags |= BTM_SEC_LINK_KEY_KNOWN; 857 if (p_keys->penc_key.sec_level == SMP_SEC_AUTHENTICATED) 858 p_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED; 859 else 860 p_rec->sec_flags &= ~BTM_SEC_LINK_KEY_AUTHED; 861 BTM_TRACE_DEBUG3("BTM_LE_KEY_PENC key_type=0x%x sec_flags=0x%x sec_leve=0x%x", 862 p_rec->ble.key_type, 863 p_rec->sec_flags, 864 p_rec->ble.keys.sec_level); 865 break; 866 867 case BTM_LE_KEY_PID: 868 for (i=0; i<BT_OCTET16_LEN; i++) 869 { 870 p_rec->ble.keys.irk[i] = p_keys->pid_key.irk[i]; 871 } 872 873 //memcpy( p_rec->ble.keys.irk, p_keys->pid_key, BT_OCTET16_LEN); todo will crash the system 874 memcpy(p_rec->ble.static_addr, p_keys->pid_key.static_addr, BD_ADDR_LEN); 875 p_rec->ble.static_addr_type = p_keys->pid_key.addr_type; 876 p_rec->ble.key_type |= BTM_LE_KEY_PID; 877 BTM_TRACE_DEBUG1("BTM_LE_KEY_PID key_type=0x%x save peer IRK", p_rec->ble.key_type); 878 break; 879 880 case BTM_LE_KEY_PCSRK: 881 memcpy(p_rec->ble.keys.csrk, p_keys->pcsrk_key.csrk, BT_OCTET16_LEN); 882 p_rec->ble.keys.srk_sec_level = p_keys->pcsrk_key.sec_level; 883 p_rec->ble.keys.counter = p_keys->pcsrk_key.counter; 884 p_rec->ble.key_type |= BTM_LE_KEY_PCSRK; 885 p_rec->sec_flags |= BTM_SEC_LINK_KEY_KNOWN; 886 if ( p_keys->pcsrk_key.sec_level== SMP_SEC_AUTHENTICATED) 887 p_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED; 888 else 889 p_rec->sec_flags &= ~BTM_SEC_LINK_KEY_AUTHED; 890 891 BTM_TRACE_DEBUG4("BTM_LE_KEY_PCSRK key_type=0x%x sec_flags=0x%x sec_level=0x%x peer_counter=%d", 892 p_rec->ble.key_type, 893 p_rec->sec_flags, 894 p_rec->ble.keys.srk_sec_level, 895 p_rec->ble.keys.counter ); 896 break; 897 898 case BTM_LE_KEY_LENC: 899 p_rec->ble.keys.div = p_keys->lenc_key.div; /* update DIV */ 900 p_rec->ble.keys.sec_level = p_keys->lenc_key.sec_level; 901 p_rec->ble.keys.key_size = p_keys->lenc_key.key_size; 902 p_rec->ble.key_type |= BTM_LE_KEY_LENC; 903 904 BTM_TRACE_DEBUG4("BTM_LE_KEY_LENC key_type=0x%x DIV=0x%x key_size=0x%x sec_level=0x%x", 905 p_rec->ble.key_type, 906 p_rec->ble.keys.div, 907 p_rec->ble.keys.key_size, 908 p_rec->ble.keys.sec_level ); 909 break; 910 911 case BTM_LE_KEY_LCSRK:/* local CSRK has been delivered */ 912 p_rec->ble.keys.div = p_keys->lcsrk_key.div; /* update DIV */ 913 p_rec->ble.keys.local_csrk_sec_level = p_keys->lcsrk_key.sec_level; 914 p_rec->ble.keys.local_counter = p_keys->lcsrk_key.counter; 915 p_rec->ble.key_type |= BTM_LE_KEY_LCSRK; 916 BTM_TRACE_DEBUG4("BTM_LE_KEY_LCSRK key_type=0x%x DIV=0x%x scrk_sec_level=0x%x local_counter=%d", 917 p_rec->ble.key_type, 918 p_rec->ble.keys.div, 919 p_rec->ble.keys.local_csrk_sec_level, 920 p_rec->ble.keys.local_counter ); 921 break; 922 923 default: 924 BTM_TRACE_WARNING1("btm_sec_save_le_key (Bad key_type 0x%02x)", key_type); 925 return; 926 } 927 928 BTM_TRACE_DEBUG3 ("BLE key type 0x%02x updated for BDA: %08x%04x (btm_sec_save_le_key)", key_type, 929 (bd_addr[0]<<24)+(bd_addr[1]<<16)+(bd_addr[2]<<8)+bd_addr[3], 930 (bd_addr[4]<<8)+bd_addr[5]); 931 932 /* Notify the application that one of the BLE keys has been updated 933 If link key is in progress, it will get sent later.*/ 934 if (pass_to_application && btm_cb.api.p_le_callback) 935 { 936 cb_data.key.p_key_value = p_keys; 937 cb_data.key.key_type = key_type; 938 (*btm_cb.api.p_le_callback) (BTM_LE_KEY_EVT, bd_addr, &cb_data); 939 } 940 return; 941 } 942 943 BTM_TRACE_WARNING3 ("BLE key type 0x%02x called for Unknown BDA or type: %08x%04x !! (btm_sec_save_le_key)", key_type, 944 (bd_addr[0]<<24)+(bd_addr[1]<<16)+(bd_addr[2]<<8)+bd_addr[3], 945 (bd_addr[4]<<8)+bd_addr[5]); 946 947 if (p_rec) 948 { 949 BTM_TRACE_DEBUG1 ("sec_flags=0x%x", p_rec->sec_flags); 950 } 951 } 952 953 /******************************************************************************* 954 ** 955 ** Function btm_ble_update_sec_key_size 956 ** 957 ** Description update the current lin kencryption key size 958 ** 959 ** Returns void 960 ** 961 *******************************************************************************/ 962 void btm_ble_update_sec_key_size(BD_ADDR bd_addr, UINT8 enc_key_size) 963 { 964 tBTM_SEC_DEV_REC *p_rec; 965 966 BTM_TRACE_DEBUG1("btm_ble_update_sec_key_size enc_key_size = %d", enc_key_size); 967 968 if ((p_rec = btm_find_dev (bd_addr)) != NULL ) 969 { 970 p_rec->enc_key_size = enc_key_size; 971 } 972 } 973 974 /******************************************************************************* 975 ** 976 ** Function btm_ble_read_sec_key_size 977 ** 978 ** Description update the current lin kencryption key size 979 ** 980 ** Returns void 981 ** 982 *******************************************************************************/ 983 UINT8 btm_ble_read_sec_key_size(BD_ADDR bd_addr) 984 { 985 tBTM_SEC_DEV_REC *p_rec; 986 987 if ((p_rec = btm_find_dev (bd_addr)) != NULL ) 988 { 989 return p_rec->enc_key_size; 990 } 991 else 992 return 0; 993 } 994 995 /******************************************************************************* 996 ** 997 ** Function btm_ble_link_sec_check 998 ** 999 ** Description Check BLE link security level match. 1000 ** 1001 ** Returns TRUE: check is OK and the *p_sec_req_act contain the action 1002 ** 1003 *******************************************************************************/ 1004 void btm_ble_link_sec_check(BD_ADDR bd_addr, tBTM_LE_AUTH_REQ auth_req, tBTM_BLE_SEC_REQ_ACT *p_sec_req_act) 1005 { 1006 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr); 1007 UINT8 req_sec_level, cur_sec_level; 1008 1009 BTM_TRACE_DEBUG1 ("btm_ble_link_sec_check auth_req =0x%x", auth_req); 1010 1011 if (p_dev_rec == NULL) 1012 { 1013 BTM_TRACE_ERROR0 ("btm_ble_link_sec_check received for unknown device"); 1014 return; 1015 } 1016 1017 if (p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING || 1018 p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING) 1019 { 1020 /* race condition: discard the security request while master is encrypting the link */ 1021 *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_DISCARD; 1022 } 1023 else 1024 { 1025 req_sec_level = BTM_LE_SEC_UNAUTHENTICATE; 1026 if ((auth_req == (BTM_LE_AUTH_REQ_BOND|BTM_LE_AUTH_REQ_MITM)) || 1027 (auth_req == (BTM_LE_AUTH_REQ_MITM)) ) 1028 { 1029 req_sec_level = BTM_LE_SEC_AUTHENTICATED; 1030 } 1031 1032 BTM_TRACE_DEBUG1 ("dev_rec sec_flags=0x%x", p_dev_rec->sec_flags); 1033 1034 /* currently encrpted */ 1035 if (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED) 1036 { 1037 if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED) 1038 cur_sec_level = BTM_LE_SEC_AUTHENTICATED; 1039 else 1040 cur_sec_level = BTM_LE_SEC_UNAUTHENTICATE; 1041 } 1042 else /* unencrypted link */ 1043 { 1044 /* if bonded, get the key security level */ 1045 if (p_dev_rec->ble.key_type & BTM_LE_KEY_PENC) 1046 cur_sec_level = p_dev_rec->ble.keys.sec_level; 1047 else 1048 cur_sec_level = BTM_LE_SEC_NONE; 1049 } 1050 1051 if (cur_sec_level >= req_sec_level) 1052 { 1053 if (cur_sec_level == BTM_LE_SEC_NONE) 1054 { 1055 *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_NONE; 1056 } 1057 else 1058 { 1059 /* To avoid re-encryption on an encrypted link for an equal condition encryption */ 1060 /* if link has been encrypted, do nothing, go straight to furhter action 1061 if (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED) 1062 *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_DISCARD; 1063 else 1064 */ 1065 *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_ENCRYPT; 1066 } 1067 } 1068 else 1069 { 1070 *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_PAIR; /* start the pariring process to upgrade the keys*/ 1071 } 1072 } 1073 1074 BTM_TRACE_DEBUG3("cur_sec_level=%d req_sec_level=%d sec_req_act=%d", 1075 cur_sec_level, 1076 req_sec_level, 1077 *p_sec_req_act); 1078 1079 } 1080 1081 /******************************************************************************* 1082 ** 1083 ** Function btm_ble_set_encryption 1084 ** 1085 ** Description This function is called to ensure that LE connection is 1086 ** encrypted. Should be called only on an open connection. 1087 ** Typically only needed for connections that first want to 1088 ** bring up unencrypted links, then later encrypt them. 1089 ** 1090 ** Returns void 1091 ** the local device ER is copied into er 1092 ** 1093 *******************************************************************************/ 1094 tBTM_STATUS btm_ble_set_encryption (BD_ADDR bd_addr, void *p_ref_data, UINT8 link_role) 1095 { 1096 tBTM_STATUS cmd = BTM_NO_RESOURCES; 1097 tBTM_BLE_SEC_ACT sec_act = *(tBTM_BLE_SEC_ACT *)p_ref_data ; 1098 tBTM_SEC_DEV_REC *p_rec = btm_find_dev (bd_addr); 1099 1100 if (p_rec == NULL) 1101 { 1102 BTM_TRACE_WARNING1 ("btm_ble_set_encryption (NULL device record!! sec_act=0x%x", sec_act); 1103 return(BTM_WRONG_MODE); 1104 } 1105 1106 BTM_TRACE_DEBUG2 ("btm_ble_set_encryption sec_act=0x%x role_master=%d", sec_act, p_rec->role_master); 1107 1108 if (sec_act == BTM_BLE_SEC_ENCRYPT_MITM) 1109 { 1110 p_rec->security_required |= BTM_SEC_IN_MITM; 1111 } 1112 1113 switch (sec_act) 1114 { 1115 case BTM_BLE_SEC_ENCRYPT: 1116 if (link_role == BTM_ROLE_MASTER) 1117 { 1118 /* start link layer encryption using the security info stored */ 1119 if (btm_ble_start_encrypt(bd_addr, FALSE, NULL)) 1120 { 1121 p_rec->sec_state = BTM_SEC_STATE_ENCRYPTING; 1122 cmd = BTM_CMD_STARTED; 1123 } 1124 break; 1125 } 1126 /* if salve role then fall through to call SMP_Pair below which will send a 1127 sec_request to request the master to encrypt the link */ 1128 case BTM_BLE_SEC_ENCRYPT_NO_MITM: 1129 case BTM_BLE_SEC_ENCRYPT_MITM: 1130 1131 if (SMP_Pair(bd_addr) == SMP_STARTED) 1132 { 1133 cmd = BTM_CMD_STARTED; 1134 p_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING; 1135 } 1136 break; 1137 1138 default: 1139 cmd = BTM_SUCCESS; 1140 break; 1141 } 1142 return cmd; 1143 } 1144 1145 /******************************************************************************* 1146 ** 1147 ** Function btm_ble_ltk_request 1148 ** 1149 ** Description This function is called when encryption request is received 1150 ** on a slave device. 1151 ** 1152 ** 1153 ** Returns void 1154 ** 1155 *******************************************************************************/ 1156 void btm_ble_ltk_request(UINT16 handle, UINT8 rand[8], UINT16 ediv) 1157 { 1158 tBTM_CB *p_cb = &btm_cb; 1159 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle); 1160 BT_OCTET8 dummy_stk = {0}; 1161 1162 BTM_TRACE_DEBUG0 ("btm_ble_ltk_request"); 1163 1164 p_cb->ediv = ediv; 1165 1166 memcpy(p_cb->enc_rand, rand, BT_OCTET8_LEN); 1167 1168 if (!smp_proc_ltk_request(p_dev_rec->bd_addr)) 1169 btm_ble_ltk_request_reply(p_dev_rec->bd_addr, FALSE, dummy_stk); 1170 1171 1172 } 1173 1174 /******************************************************************************* 1175 ** 1176 ** Function btm_ble_start_encrypt 1177 ** 1178 ** Description This function is called to start LE encryption. 1179 ** 1180 ** 1181 ** Returns void 1182 ** 1183 *******************************************************************************/ 1184 BOOLEAN btm_ble_start_encrypt(BD_ADDR bda, BOOLEAN use_stk, BT_OCTET16 stk) 1185 { 1186 tBTM_CB *p_cb = &btm_cb; 1187 tBTM_SEC_DEV_REC *p_rec = btm_find_dev (bda); 1188 BT_OCTET8 dummy_rand = {0}; 1189 1190 BTM_TRACE_DEBUG0 ("btm_ble_start_encrypt"); 1191 1192 if (!p_rec || 1193 (p_rec && p_rec->sec_state == BTM_SEC_STATE_ENCRYPTING)) 1194 return FALSE; 1195 1196 if (p_rec->sec_state == BTM_SEC_STATE_IDLE) 1197 p_rec->sec_state = BTM_SEC_STATE_ENCRYPTING; 1198 p_cb->enc_handle = p_rec->hci_handle; 1199 1200 if (use_stk) 1201 { 1202 if (!btsnd_hcic_ble_start_enc(p_rec->hci_handle, dummy_rand, 0, stk)) 1203 return FALSE; 1204 } 1205 else if (p_rec->ble.key_type & BTM_LE_KEY_PENC) 1206 { 1207 if (!btsnd_hcic_ble_start_enc(p_rec->hci_handle, p_rec->ble.keys.rand, 1208 p_rec->ble.keys.ediv, p_rec->ble.keys.ltk)) 1209 return FALSE; 1210 } 1211 else 1212 { 1213 return FALSE; 1214 } 1215 1216 return TRUE; 1217 } 1218 1219 /******************************************************************************* 1220 ** 1221 ** Function btm_ble_link_encrypted 1222 ** 1223 ** Description This function is called when LE link encrption status is changed. 1224 ** 1225 ** Returns void 1226 ** 1227 *******************************************************************************/ 1228 void btm_ble_link_encrypted(BD_ADDR bd_addr, UINT8 encr_enable) 1229 { 1230 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr); 1231 BOOLEAN enc_cback; 1232 1233 if (!p_dev_rec) 1234 { 1235 BTM_TRACE_WARNING1 ("btm_ble_link_encrypted (No Device Found!) encr_enable=%d", encr_enable); 1236 return; 1237 } 1238 1239 BTM_TRACE_DEBUG1 ("btm_ble_link_encrypted encr_enable=%d", encr_enable); 1240 1241 enc_cback = (p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING); 1242 1243 smp_link_encrypted(bd_addr, encr_enable); 1244 1245 BTM_TRACE_DEBUG1(" p_dev_rec->sec_flags=0x%x", p_dev_rec->sec_flags); 1246 1247 if (encr_enable && p_dev_rec->enc_key_size == 0) 1248 p_dev_rec->enc_key_size = p_dev_rec->ble.keys.key_size; 1249 1250 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE; 1251 if (p_dev_rec->p_callback && enc_cback) 1252 { 1253 if (encr_enable) 1254 btm_sec_dev_rec_cback_event(p_dev_rec, BTM_SUCCESS); 1255 else if (p_dev_rec->role_master) 1256 btm_sec_dev_rec_cback_event(p_dev_rec, BTM_ERR_PROCESSING); 1257 1258 } 1259 /* to notify GATT to send data if any request is pending */ 1260 gatt_notify_enc_cmpl(p_dev_rec->bd_addr); 1261 } 1262 1263 /******************************************************************************* 1264 ** Function btm_enc_proc_ltk 1265 ** Description send LTK reply when it's ready. 1266 *******************************************************************************/ 1267 static void btm_enc_proc_ltk(tSMP_ENC *p) 1268 { 1269 UINT8 i; 1270 BTM_TRACE_DEBUG0 ("btm_enc_proc_ltk"); 1271 if (p && p->param_len == BT_OCTET16_LEN) 1272 { 1273 for (i = 0; i < (BT_OCTET16_LEN - btm_cb.key_size); i ++) 1274 p->param_buf[BT_OCTET16_LEN - i - 1] = 0; 1275 btsnd_hcic_ble_ltk_req_reply(btm_cb.enc_handle, p->param_buf); 1276 } 1277 } 1278 1279 /******************************************************************************* 1280 ** Function btm_enc_proc_slave_y 1281 ** Description calculate LTK when Y is ready 1282 *******************************************************************************/ 1283 static void btm_enc_proc_slave_y(tSMP_ENC *p) 1284 { 1285 UINT16 div, y; 1286 UINT8 *pp = p->param_buf; 1287 tBTM_CB *p_cb = &btm_cb; 1288 tSMP_ENC output; 1289 tBTM_SEC_DEV_REC *p_dev_rec; 1290 1291 BTM_TRACE_DEBUG0 ("btm_enc_proc_slave_y"); 1292 if (p != NULL) 1293 { 1294 STREAM_TO_UINT16(y, pp); 1295 1296 div = p_cb->ediv ^ y; 1297 p_dev_rec = btm_find_dev_by_handle (p_cb->enc_handle); 1298 1299 if ( p_dev_rec && 1300 p_dev_rec->ble.keys.div == div ) 1301 { 1302 BTM_TRACE_DEBUG0 ("LTK request OK"); 1303 /* calculating LTK , LTK = E er(div) */ 1304 SMP_Encrypt(p_cb->devcb.er, BT_OCTET16_LEN, (UINT8 *)&div, 2, &output); 1305 btm_enc_proc_ltk(&output); 1306 } 1307 else 1308 { 1309 BTM_TRACE_DEBUG0 ("LTK request failed - send negative reply"); 1310 btsnd_hcic_ble_ltk_req_neg_reply(p_cb->enc_handle); 1311 if (p_dev_rec) 1312 btm_ble_link_encrypted(p_dev_rec->bd_addr, 0); 1313 1314 } 1315 } 1316 } 1317 1318 /******************************************************************************* 1319 ** 1320 ** Function btm_ble_ltk_request_reply 1321 ** 1322 ** Description This function is called to send a LTK request reply on a slave 1323 ** device. 1324 ** 1325 ** Returns void 1326 ** 1327 *******************************************************************************/ 1328 void btm_ble_ltk_request_reply(BD_ADDR bda, BOOLEAN use_stk, BT_OCTET16 stk) 1329 { 1330 tBTM_SEC_DEV_REC *p_rec = btm_find_dev (bda); 1331 tBTM_CB *p_cb = &btm_cb; 1332 tSMP_ENC output; 1333 1334 if (p_rec == NULL) 1335 { 1336 BTM_TRACE_ERROR0("btm_ble_ltk_request_reply received for unknown device"); 1337 return; 1338 } 1339 1340 BTM_TRACE_DEBUG0 ("btm_ble_ltk_request_reply"); 1341 p_cb->enc_handle = p_rec->hci_handle; 1342 p_cb->key_size = p_rec->ble.keys.key_size; 1343 1344 BTM_TRACE_ERROR1("key size = %d", p_rec->ble.keys.key_size); 1345 if (use_stk) 1346 { 1347 btsnd_hcic_ble_ltk_req_reply(btm_cb.enc_handle, stk); 1348 } 1349 else /* calculate LTK using peer device */ 1350 { 1351 /* generate Y= Encrypt(DHK, Rand) received from encrypt request */ 1352 SMP_Encrypt(p_cb->devcb.id_keys.dhk, BT_OCTET16_LEN, p_cb->enc_rand, 1353 BT_OCTET8_LEN, &output); 1354 btm_enc_proc_slave_y(&output); 1355 } 1356 } 1357 1358 /******************************************************************************* 1359 ** 1360 ** Function btm_ble_io_capabilities_req 1361 ** 1362 ** Description This function is called to handle SMP get IO capability request. 1363 ** 1364 ** Returns void 1365 ** 1366 *******************************************************************************/ 1367 UINT8 btm_ble_io_capabilities_req(tBTM_SEC_DEV_REC *p_dev_rec, tBTM_LE_IO_REQ *p_data) 1368 { 1369 UINT8 callback_rc = BTM_SUCCESS; 1370 BTM_TRACE_DEBUG0 ("btm_ble_io_capabilities_req"); 1371 if (btm_cb.api.p_le_callback) 1372 { 1373 /* the callback function implementation may change the IO capability... */ 1374 callback_rc = (*btm_cb.api.p_le_callback) (BTM_LE_IO_REQ_EVT, p_dev_rec->bd_addr, (tBTM_LE_EVT_DATA *)p_data); 1375 } 1376 #if BTM_OOB_INCLUDED == TRUE 1377 if ((callback_rc == BTM_SUCCESS) || (BTM_OOB_UNKNOWN != p_data->oob_data)) 1378 #else 1379 if (callback_rc == BTM_SUCCESS) 1380 #endif 1381 { 1382 p_data->auth_req &= BTM_LE_AUTH_REQ_MASK; 1383 1384 BTM_TRACE_DEBUG2 ("btm_ble_io_capabilities_req 1: p_dev_rec->security_required = %d auth_req:%d", 1385 p_dev_rec->security_required, p_data->auth_req); 1386 BTM_TRACE_DEBUG2 ("btm_ble_io_capabilities_req 2: i_keys=0x%x r_keys=0x%x (bit 0-LTK 1-IRK 2-CSRK)", 1387 p_data->init_keys, 1388 p_data->resp_keys); 1389 1390 /* if authentication requires MITM protection, put on the mask */ 1391 if (p_dev_rec->security_required & BTM_SEC_IN_MITM) 1392 p_data->auth_req |= BTM_LE_AUTH_REQ_MITM; 1393 1394 if (!(p_data->auth_req & SMP_AUTH_BOND)) 1395 { 1396 BTM_TRACE_DEBUG0("Non bonding: No keys should be exchanged"); 1397 p_data->init_keys = 0; 1398 p_data->resp_keys = 0; 1399 } 1400 1401 BTM_TRACE_DEBUG1 ("btm_ble_io_capabilities_req 3: auth_req:%d", p_data->auth_req); 1402 BTM_TRACE_DEBUG2 ("btm_ble_io_capabilities_req 4: i_keys=0x%x r_keys=0x%x", 1403 p_data->init_keys, 1404 p_data->resp_keys); 1405 1406 BTM_TRACE_DEBUG2 ("btm_ble_io_capabilities_req 5: p_data->io_cap = %d auth_req:%d", 1407 p_data->io_cap, p_data->auth_req); 1408 1409 /* remove MITM protection requirement if IO cap does not allow it */ 1410 if ((p_data->io_cap == BTM_IO_CAP_NONE) && p_data->oob_data == SMP_OOB_NONE) 1411 p_data->auth_req &= ~BTM_LE_AUTH_REQ_MITM; 1412 1413 BTM_TRACE_DEBUG3 ("btm_ble_io_capabilities_req 6: IO_CAP:%d oob_data:%d auth_req:%d", 1414 p_data->io_cap, p_data->oob_data, p_data->auth_req); 1415 } 1416 return callback_rc; 1417 } 1418 1419 /******************************************************************************* 1420 ** 1421 ** Function btm_ble_connected 1422 ** 1423 ** Description This function is when a LE connection to the peer device is 1424 ** establsihed 1425 ** 1426 ** Returns void 1427 ** 1428 *******************************************************************************/ 1429 void btm_ble_connected (UINT8 *bda, UINT16 handle, UINT8 enc_mode, UINT8 role, 1430 tBLE_ADDR_TYPE addr_type, BOOLEAN addr_matched) 1431 { 1432 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bda); 1433 tBTM_BLE_CB *p_cb = &btm_cb.ble_ctr_cb; 1434 1435 BTM_TRACE_EVENT0 ("btm_ble_connected"); 1436 1437 /* Commenting out trace due to obf/compilation problems. 1438 */ 1439 #if (BT_USE_TRACES == TRUE) 1440 if (p_dev_rec) 1441 { 1442 BTM_TRACE_EVENT4 ("Security Manager: btm_sec_connected : handle:%d enc_mode:%d bda:%x RName:%s", 1443 handle, enc_mode, 1444 (bda[2]<<24)+(bda[3]<<16)+(bda[4]<<8)+bda[5], 1445 p_dev_rec->sec_bd_name); 1446 1447 BTM_TRACE_DEBUG1 ("btm_ble_connected sec_flags=0x%x",p_dev_rec->sec_flags); 1448 } 1449 else 1450 { 1451 BTM_TRACE_EVENT3 ("Security Manager: btm_sec_connected: handle:%d enc_mode:%d bda:%x ", 1452 handle, enc_mode, 1453 (bda[2]<<24)+(bda[3]<<16)+(bda[4]<<8)+bda[5]); 1454 } 1455 #endif 1456 1457 if (!p_dev_rec) 1458 { 1459 /* There is no device record for new connection. Allocate one */ 1460 p_dev_rec = btm_sec_alloc_dev (bda); 1461 } 1462 else /* Update the timestamp for this device */ 1463 { 1464 p_dev_rec->timestamp = btm_cb.dev_rec_count++; 1465 } 1466 1467 /* update device information */ 1468 p_dev_rec->device_type |= BT_DEVICE_TYPE_BLE; 1469 p_dev_rec->hci_handle = handle; 1470 p_dev_rec->ble.ble_addr_type = addr_type; 1471 1472 if (role == HCI_ROLE_MASTER) 1473 p_dev_rec->role_master = TRUE; 1474 1475 if (role == HCI_ROLE_SLAVE) 1476 p_cb->inq_var.adv_mode = BTM_BLE_ADV_DISABLE; 1477 p_cb->inq_var.directed_conn = FALSE; 1478 1479 return; 1480 } 1481 1482 /***************************************************************************** 1483 ** Function btm_ble_conn_complete 1484 ** 1485 ** Description LE connection complete. 1486 ** 1487 ******************************************************************************/ 1488 void btm_ble_conn_complete(UINT8 *p, UINT16 evt_len) 1489 { 1490 UINT8 role, status, bda_type; 1491 UINT16 handle; 1492 BD_ADDR bda; 1493 UINT16 conn_interval, conn_latency, conn_timeout; 1494 BOOLEAN match = FALSE; 1495 1496 STREAM_TO_UINT8 (status, p); 1497 STREAM_TO_UINT16 (handle, p); 1498 STREAM_TO_UINT8 (role, p); 1499 STREAM_TO_UINT8 (bda_type, p); 1500 STREAM_TO_BDADDR (bda, p); 1501 1502 if (status == 0) 1503 { 1504 STREAM_TO_UINT16 (conn_interval, p); 1505 STREAM_TO_UINT16 (conn_latency, p); 1506 STREAM_TO_UINT16 (conn_timeout, p); 1507 handle = HCID_GET_HANDLE (handle); 1508 1509 btm_ble_connected(bda, handle, HCI_ENCRYPT_MODE_DISABLED, role, bda_type, match); 1510 l2cble_conn_comp (handle, role, bda, bda_type, conn_interval, 1511 conn_latency, conn_timeout); 1512 } 1513 else 1514 { 1515 role = HCI_ROLE_UNKNOWN; 1516 1517 if (status == HCI_ERR_DIRECTED_ADVERTISING_TIMEOUT) 1518 btm_ble_dir_adv_tout(); 1519 } 1520 btm_ble_update_mode_operation(role, bda, TRUE); 1521 } 1522 1523 /***************************************************************************** 1524 ** Function btm_proc_smp_cback 1525 ** 1526 ** Description This function is the SMP callback handler. 1527 ** 1528 ******************************************************************************/ 1529 UINT8 btm_proc_smp_cback(tSMP_EVT event, BD_ADDR bd_addr, tSMP_EVT_DATA *p_data) 1530 { 1531 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr); 1532 UINT8 res = 0; 1533 1534 BTM_TRACE_DEBUG1 ("btm_proc_smp_cback event = %d", event); 1535 1536 if (p_dev_rec != NULL) 1537 { 1538 switch (event) 1539 { 1540 case SMP_IO_CAP_REQ_EVT: 1541 btm_ble_io_capabilities_req(p_dev_rec, (tBTM_LE_IO_REQ *)&p_data->io_req); 1542 break; 1543 1544 case SMP_PASSKEY_REQ_EVT: 1545 case SMP_PASSKEY_NOTIF_EVT: 1546 case SMP_OOB_REQ_EVT: 1547 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED; 1548 case SMP_SEC_REQUEST_EVT: 1549 case SMP_COMPLT_EVT: 1550 if (btm_cb.api.p_le_callback) 1551 { 1552 /* the callback function implementation may change the IO capability... */ 1553 BTM_TRACE_DEBUG1 ("btm_cb.api.p_le_callback=0x%x", btm_cb.api.p_le_callback ); 1554 (*btm_cb.api.p_le_callback) (event, bd_addr, (tBTM_LE_EVT_DATA *)p_data); 1555 } 1556 1557 if (event == SMP_COMPLT_EVT) 1558 { 1559 BTM_TRACE_DEBUG2 ("evt=SMP_COMPLT_EVT before update sec_level=0x%x sec_flags=0x%x", p_data->cmplt.sec_level , p_dev_rec->sec_flags ); 1560 1561 res = (p_data->cmplt.reason == SMP_SUCCESS) ? BTM_SUCCESS : BTM_ERR_PROCESSING; 1562 1563 BTM_TRACE_DEBUG3 ("after update result=%d sec_level=0x%x sec_flags=0x%x", 1564 res, p_data->cmplt.sec_level , p_dev_rec->sec_flags ); 1565 1566 btm_sec_dev_rec_cback_event(p_dev_rec, res); 1567 1568 if (p_data->cmplt.is_pair_cancel && btm_cb.api.p_bond_cancel_cmpl_callback ) 1569 { 1570 BTM_TRACE_DEBUG0 ("Pairing Cancel completed"); 1571 (*btm_cb.api.p_bond_cancel_cmpl_callback)(BTM_SUCCESS); 1572 } 1573 #if BTM_BLE_CONFORMANCE_TESTING == TRUE 1574 if (res != BTM_SUCCESS) 1575 { 1576 if (!btm_cb.devcb.no_disc_if_pair_fail) 1577 { 1578 BTM_TRACE_DEBUG0 ("Pairing failed - Remove ACL"); 1579 btm_remove_acl(bd_addr); 1580 } 1581 else 1582 { 1583 BTM_TRACE_DEBUG0 ("Pairing failed - Not Removing ACL"); 1584 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE; 1585 } 1586 } 1587 #else 1588 if (res != BTM_SUCCESS) 1589 btm_remove_acl(bd_addr); 1590 #endif 1591 1592 BTM_TRACE_DEBUG3 ("btm_cb pairing_state=%x pairing_flags=%x pin_code_len=%x", 1593 btm_cb.pairing_state, 1594 btm_cb.pairing_flags, 1595 btm_cb.pin_code_len ); 1596 BTM_TRACE_DEBUG6 ("btm_cb.pairing_bda %02x:%02x:%02x:%02x:%02x:%02x", 1597 btm_cb.pairing_bda[0], btm_cb.pairing_bda[1], btm_cb.pairing_bda[2], 1598 btm_cb.pairing_bda[3], btm_cb.pairing_bda[4], btm_cb.pairing_bda[5]); 1599 1600 memset (btm_cb.pairing_bda, 0xff, BD_ADDR_LEN); 1601 btm_cb.pairing_flags = 0; 1602 } 1603 break; 1604 1605 default: 1606 BTM_TRACE_DEBUG1 ("unknown event = %d", event); 1607 break; 1608 1609 1610 } 1611 } 1612 else 1613 { 1614 BTM_TRACE_ERROR0("btm_proc_smp_cback received for unknown device"); 1615 } 1616 1617 return 0; 1618 } 1619 1620 #endif /* SMP_INCLUDED */ 1621 #endif /* BLE_INCLUDED */ 1622 1623 1624 /******************************************************************************* 1625 ** 1626 ** Function BTM_BleDataSignature 1627 ** 1628 ** Description This function is called to sign the data using AES128 CMAC 1629 ** algorith. 1630 ** 1631 ** Parameter bd_addr: target device the data to be signed for. 1632 ** p_text: singing data 1633 ** len: length of the data to be signed. 1634 ** signature: output parameter where data signature is going to 1635 ** be stored. 1636 ** 1637 ** Returns TRUE if signing sucessul, otherwise FALSE. 1638 ** 1639 *******************************************************************************/ 1640 BOOLEAN BTM_BleDataSignature (BD_ADDR bd_addr, UINT8 *p_text, UINT16 len, 1641 BLE_SIGNATURE signature) 1642 { 1643 BOOLEAN ret = FALSE; 1644 #if (BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE) 1645 tBTM_SEC_DEV_REC *p_rec = btm_find_dev (bd_addr); 1646 UINT8 *p_buf, *pp; 1647 1648 BT_OCTET16 er; 1649 UINT16 div; 1650 UINT8 temp[4]; /* for (r || DIV) r=1*/ 1651 UINT16 r=1; 1652 UINT8 *p=temp, *p_mac = (UINT8 *)signature; 1653 tSMP_ENC output; 1654 BT_OCTET16 local_csrk; 1655 1656 BTM_TRACE_DEBUG0 ("BTM_BleDataSignature"); 1657 if (p_rec == NULL) 1658 { 1659 BTM_TRACE_ERROR0("data signing can not be done from unknow device"); 1660 } 1661 else 1662 { 1663 if ((p_buf = (UINT8 *)GKI_getbuf((UINT16)(len + 4))) != NULL) 1664 { 1665 BTM_TRACE_DEBUG0("Start to generate Local CSRK"); 1666 /* prepare plain text */ 1667 if (p_text) 1668 { 1669 memcpy(p_buf, p_text, len); 1670 pp = (p_buf + len); 1671 } 1672 1673 #if BTM_BLE_CONFORMANCE_TESTING == TRUE 1674 if ( btm_cb.devcb.enable_test_local_sign_cntr) 1675 { 1676 BTM_TRACE_DEBUG1 ("Use Test local counter value from script counter_val=%d", btm_cb.devcb.test_local_sign_cntr); 1677 UINT32_TO_STREAM(pp, btm_cb.devcb.test_local_sign_cntr); 1678 } 1679 else 1680 { 1681 UINT32_TO_STREAM(pp, p_rec->ble.keys.local_counter); 1682 } 1683 #else 1684 UINT32_TO_STREAM(pp, p_rec->ble.keys.local_counter); 1685 #endif 1686 /* compute local csrk */ 1687 if (btm_get_local_div(bd_addr, &div)) 1688 { 1689 BTM_TRACE_DEBUG1 ("compute_csrk div=%x", div); 1690 BTM_GetDeviceEncRoot(er); 1691 1692 /* CSRK = d1(ER, DIV, 1) */ 1693 UINT16_TO_STREAM(p, div); 1694 UINT16_TO_STREAM(p, r); 1695 1696 if (!SMP_Encrypt(er, BT_OCTET16_LEN, temp, 4, &output)) 1697 { 1698 BTM_TRACE_ERROR0("Local CSRK generation failed "); 1699 } 1700 else 1701 { 1702 BTM_TRACE_DEBUG0("local CSRK generation success"); 1703 memcpy((void *)local_csrk, output.param_buf, BT_OCTET16_LEN); 1704 1705 1706 #if BTM_BLE_CONFORMANCE_TESTING == TRUE 1707 if (btm_cb.devcb.enable_test_local_sign_cntr) 1708 { 1709 UINT32_TO_STREAM(p_mac, btm_cb.devcb.test_local_sign_cntr); 1710 } 1711 else 1712 { 1713 UINT32_TO_STREAM(p_mac, p_rec->ble.keys.local_counter); 1714 } 1715 #else 1716 UINT32_TO_STREAM(p_mac, p_rec->ble.keys.local_counter); 1717 #endif 1718 1719 if ((ret = AES_CMAC(local_csrk, p_buf, (UINT16)(len + 4), BTM_CMAC_TLEN_SIZE, p_mac)) == TRUE) 1720 { 1721 btm_ble_increment_sign_ctr(bd_addr, TRUE); 1722 1723 #if BTM_BLE_CONFORMANCE_TESTING == TRUE 1724 if ( btm_cb.devcb.enable_test_mac_val) 1725 { 1726 BTM_TRACE_DEBUG0 ("Use MAC value from script"); 1727 memcpy(p_mac, btm_cb.devcb.test_mac, BTM_CMAC_TLEN_SIZE); 1728 } 1729 #endif 1730 } 1731 BTM_TRACE_DEBUG1("BTM_BleDataSignature p_mac = %d", p_mac); 1732 BTM_TRACE_DEBUG4("p_mac[0] = 0x%02x p_mac[1] = 0x%02x p_mac[2] = 0x%02x p_mac[3] = 0x%02x", 1733 *p_mac, *(p_mac + 1), *(p_mac + 2), *(p_mac + 3)); 1734 BTM_TRACE_DEBUG4("p_mac[4] = 0x%02x p_mac[5] = 0x%02x p_mac[6] = 0x%02x p_mac[7] = 0x%02x", 1735 *(p_mac + 4), *(p_mac + 5), *(p_mac + 6), *(p_mac + 7)); 1736 1737 GKI_freebuf(p_buf); 1738 } 1739 } 1740 } 1741 } 1742 #endif /* BLE_INCLUDED */ 1743 return ret; 1744 } 1745 1746 /******************************************************************************* 1747 ** 1748 ** Function BTM_BleVerifySignature 1749 ** 1750 ** Description This function is called to verify the data signature 1751 ** 1752 ** Parameter bd_addr: target device the data to be signed for. 1753 ** p_orig: original data before signature. 1754 ** len: length of the signing data 1755 ** counter: counter used when doing data signing 1756 ** p_comp: signature to be compared against. 1757 1758 ** Returns TRUE if signature verified correctly; otherwise FALSE. 1759 ** 1760 *******************************************************************************/ 1761 BOOLEAN BTM_BleVerifySignature (BD_ADDR bd_addr, UINT8 *p_orig, UINT16 len, UINT32 counter, 1762 UINT8 *p_comp) 1763 { 1764 BOOLEAN verified = FALSE; 1765 #if (BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE) 1766 tBTM_SEC_DEV_REC *p_rec = btm_find_dev (bd_addr); 1767 UINT8 p_mac[BTM_CMAC_TLEN_SIZE]; 1768 1769 if (p_rec == NULL || (p_rec && !(p_rec->ble.key_type & BTM_LE_KEY_PCSRK))) 1770 { 1771 BTM_TRACE_ERROR0("can not verify signature for unknown device"); 1772 } 1773 else if (counter < p_rec->ble.keys.counter) 1774 { 1775 BTM_TRACE_ERROR0("signature received with out dated sign counter"); 1776 } 1777 else if (p_orig == NULL) 1778 { 1779 BTM_TRACE_ERROR0("No signature to verify"); 1780 } 1781 else 1782 { 1783 BTM_TRACE_DEBUG2 ("BTM_BleVerifySignature rcv_cnt=%d >= expected_cnt=%d", counter, p_rec->ble.keys.counter); 1784 1785 if (AES_CMAC(p_rec->ble.keys.csrk, p_orig, len, BTM_CMAC_TLEN_SIZE, p_mac)) 1786 { 1787 if (memcmp(p_mac, p_comp, BTM_CMAC_TLEN_SIZE) == 0) 1788 { 1789 btm_ble_increment_sign_ctr(bd_addr, FALSE); 1790 verified = TRUE; 1791 } 1792 } 1793 } 1794 #endif /* BLE_INCLUDED */ 1795 return verified; 1796 } 1797 1798 #if BLE_INCLUDED == TRUE 1799 /******************************************************************************* 1800 ** Utility functions for LE device IR/ER generation 1801 *******************************************************************************/ 1802 /******************************************************************************* 1803 ** 1804 ** Function btm_notify_new_key 1805 ** 1806 ** Description This function is to notify application new keys have been 1807 ** generated. 1808 ** 1809 ** Returns void 1810 ** 1811 *******************************************************************************/ 1812 static void btm_notify_new_key(UINT8 key_type) 1813 { 1814 tBTM_BLE_LOCAL_KEYS *p_locak_keys = NULL; 1815 1816 BTM_TRACE_DEBUG1 ("btm_notify_new_key key_type=%d", key_type); 1817 1818 if (btm_cb.api.p_le_key_callback) 1819 { 1820 switch (key_type) 1821 { 1822 case BTM_BLE_KEY_TYPE_ID: 1823 BTM_TRACE_DEBUG0 ("BTM_BLE_KEY_TYPE_ID"); 1824 p_locak_keys = (tBTM_BLE_LOCAL_KEYS *)&btm_cb.devcb.id_keys; 1825 break; 1826 1827 case BTM_BLE_KEY_TYPE_ER: 1828 BTM_TRACE_DEBUG0 ("BTM_BLE_KEY_TYPE_ER"); 1829 p_locak_keys = (tBTM_BLE_LOCAL_KEYS *)&btm_cb.devcb.er; 1830 break; 1831 1832 default: 1833 BTM_TRACE_ERROR1("unknown key type: %d", key_type); 1834 break; 1835 } 1836 if (p_locak_keys != NULL) 1837 (*btm_cb.api.p_le_key_callback) (key_type, p_locak_keys); 1838 } 1839 } 1840 1841 /******************************************************************************* 1842 ** 1843 ** Function btm_ble_process_er2 1844 ** 1845 ** Description This function is called when ER is generated, store it in 1846 ** local control block. 1847 ** 1848 ** Returns void 1849 ** 1850 *******************************************************************************/ 1851 static void btm_ble_process_er2(tBTM_RAND_ENC *p) 1852 { 1853 BTM_TRACE_DEBUG0 ("btm_ble_process_er2"); 1854 1855 if (p &&p->opcode == HCI_BLE_RAND) 1856 { 1857 memcpy(&btm_cb.devcb.er[8], p->param_buf, BT_OCTET8_LEN); 1858 btm_notify_new_key(BTM_BLE_KEY_TYPE_ER); 1859 } 1860 else 1861 { 1862 BTM_TRACE_ERROR0("Generating ER2 exception."); 1863 memset(&btm_cb.devcb.er, 0, sizeof(BT_OCTET16)); 1864 } 1865 } 1866 1867 /******************************************************************************* 1868 ** 1869 ** Function btm_ble_process_er 1870 ** 1871 ** Description This function is called when ER is generated, store it in 1872 ** local control block. 1873 ** 1874 ** Returns void 1875 ** 1876 *******************************************************************************/ 1877 static void btm_ble_process_er(tBTM_RAND_ENC *p) 1878 { 1879 BTM_TRACE_DEBUG0 ("btm_ble_process_er"); 1880 1881 if (p &&p->opcode == HCI_BLE_RAND) 1882 { 1883 memcpy(&btm_cb.devcb.er[0], p->param_buf, BT_OCTET8_LEN); 1884 1885 if (!btsnd_hcic_ble_rand((void *)btm_ble_process_er2)) 1886 { 1887 memset(&btm_cb.devcb.er, 0, sizeof(BT_OCTET16)); 1888 BTM_TRACE_ERROR0("Generating ER2 failed."); 1889 } 1890 } 1891 else 1892 { 1893 BTM_TRACE_ERROR0("Generating ER1 exception."); 1894 } 1895 } 1896 1897 /******************************************************************************* 1898 ** 1899 ** Function btm_ble_process_irk 1900 ** 1901 ** Description This function is called when IRK is generated, store it in 1902 ** local control block. 1903 ** 1904 ** Returns void 1905 ** 1906 *******************************************************************************/ 1907 static void btm_ble_process_irk(tSMP_ENC *p) 1908 { 1909 BTM_TRACE_DEBUG0 ("btm_ble_process_irk"); 1910 if (p &&p->opcode == HCI_BLE_ENCRYPT) 1911 { 1912 memcpy(btm_cb.devcb.id_keys.irk, p->param_buf, BT_OCTET16_LEN); 1913 btm_notify_new_key(BTM_BLE_KEY_TYPE_ID); 1914 } 1915 else 1916 { 1917 BTM_TRACE_ERROR0("Generating IRK exception."); 1918 } 1919 1920 /* proceed generate ER */ 1921 if (!btsnd_hcic_ble_rand((void *)btm_ble_process_er)) 1922 { 1923 BTM_TRACE_ERROR0("Generating ER failed."); 1924 } 1925 } 1926 1927 /******************************************************************************* 1928 ** 1929 ** Function btm_ble_process_dhk 1930 ** 1931 ** Description This function is called when DHK is calculated, store it in 1932 ** local control block, and proceed to generate ER, a 128-bits 1933 ** random number. 1934 ** 1935 ** Returns void 1936 ** 1937 *******************************************************************************/ 1938 static void btm_ble_process_dhk(tSMP_ENC *p) 1939 { 1940 #if SMP_INCLUDED == TRUE 1941 UINT8 btm_ble_irk_pt = 0x01; 1942 tSMP_ENC output; 1943 1944 BTM_TRACE_DEBUG0 ("btm_ble_process_dhk"); 1945 1946 if (p && p->opcode == HCI_BLE_ENCRYPT) 1947 { 1948 memcpy(btm_cb.devcb.id_keys.dhk, p->param_buf, BT_OCTET16_LEN); 1949 BTM_TRACE_DEBUG0("BLE DHK generated."); 1950 1951 /* IRK = D1(IR, 1) */ 1952 if (!SMP_Encrypt(btm_cb.devcb.id_keys.ir, BT_OCTET16_LEN, &btm_ble_irk_pt, 1953 1, &output)) 1954 { 1955 /* reset all identity root related key */ 1956 memset(&btm_cb.devcb.id_keys, 0, sizeof(tBTM_BLE_LOCAL_ID_KEYS)); 1957 } 1958 else 1959 { 1960 btm_ble_process_irk(&output); 1961 } 1962 } 1963 else 1964 { 1965 /* reset all identity root related key */ 1966 memset(&btm_cb.devcb.id_keys, 0, sizeof(tBTM_BLE_LOCAL_ID_KEYS)); 1967 } 1968 #endif 1969 } 1970 1971 /******************************************************************************* 1972 ** 1973 ** Function btm_ble_process_ir2 1974 ** 1975 ** Description This function is called when IR is generated, proceed to calculate 1976 ** DHK = Eir({0x03, 0, 0 ...}) 1977 ** 1978 ** 1979 ** Returns void 1980 ** 1981 *******************************************************************************/ 1982 static void btm_ble_process_ir2(tBTM_RAND_ENC *p) 1983 { 1984 #if SMP_INCLUDED == TRUE 1985 UINT8 btm_ble_dhk_pt = 0x03; 1986 tSMP_ENC output; 1987 1988 BTM_TRACE_DEBUG0 ("btm_ble_process_ir2"); 1989 1990 if (p && p->opcode == HCI_BLE_RAND) 1991 { 1992 /* remembering in control block */ 1993 memcpy(&btm_cb.devcb.id_keys.ir[8], p->param_buf, BT_OCTET8_LEN); 1994 /* generate DHK= Eir({0x03, 0x00, 0x00 ...}) */ 1995 1996 1997 SMP_Encrypt(btm_cb.devcb.id_keys.ir, BT_OCTET16_LEN, &btm_ble_dhk_pt, 1998 1, &output); 1999 btm_ble_process_dhk(&output); 2000 2001 BTM_TRACE_DEBUG0("BLE IR generated."); 2002 } 2003 else 2004 { 2005 memset(&btm_cb.devcb.id_keys, 0, sizeof(tBTM_BLE_LOCAL_ID_KEYS)); 2006 } 2007 #endif 2008 } 2009 2010 /******************************************************************************* 2011 ** 2012 ** Function btm_ble_process_ir 2013 ** 2014 ** Description This function is called when IR is generated, proceed to calculate 2015 ** DHK = Eir({0x02, 0, 0 ...}) 2016 ** 2017 ** 2018 ** Returns void 2019 ** 2020 *******************************************************************************/ 2021 static void btm_ble_process_ir(tBTM_RAND_ENC *p) 2022 { 2023 BTM_TRACE_DEBUG0 ("btm_ble_process_ir"); 2024 2025 if (p && p->opcode == HCI_BLE_RAND) 2026 { 2027 /* remembering in control block */ 2028 memcpy(btm_cb.devcb.id_keys.ir, p->param_buf, BT_OCTET8_LEN); 2029 2030 if (!btsnd_hcic_ble_rand((void *)btm_ble_process_ir2)) 2031 { 2032 BTM_TRACE_ERROR0("Generating IR2 failed."); 2033 memset(&btm_cb.devcb.id_keys, 0, sizeof(tBTM_BLE_LOCAL_ID_KEYS)); 2034 } 2035 } 2036 } 2037 2038 /******************************************************************************* 2039 ** 2040 ** Function btm_ble_reset_id 2041 ** 2042 ** Description This function is called to reset LE device identity. 2043 ** 2044 ** Returns void 2045 ** 2046 *******************************************************************************/ 2047 void btm_ble_reset_id( void ) 2048 { 2049 BTM_TRACE_DEBUG0 ("btm_ble_reset_id"); 2050 2051 /* regenrate Identity Root*/ 2052 if (!btsnd_hcic_ble_rand((void *)btm_ble_process_ir)) 2053 { 2054 BTM_TRACE_DEBUG0("Generating IR failed."); 2055 } 2056 } 2057 2058 #if BTM_BLE_CONFORMANCE_TESTING == TRUE 2059 /******************************************************************************* 2060 ** 2061 ** Function btm_ble_set_no_disc_if_pair_fail 2062 ** 2063 ** Description This function indicates that whether no disconnect of the ACL 2064 ** should be used if pairing failed 2065 ** 2066 ** Returns void 2067 ** 2068 *******************************************************************************/ 2069 void btm_ble_set_no_disc_if_pair_fail(BOOLEAN disable_disc ) 2070 { 2071 BTM_TRACE_DEBUG1 ("btm_ble_set_disc_enable_if_pair_fail disable_disc=%d", disable_disc); 2072 btm_cb.devcb.no_disc_if_pair_fail = disable_disc; 2073 } 2074 2075 /******************************************************************************* 2076 ** 2077 ** Function btm_ble_set_test_mac_value 2078 ** 2079 ** Description This function set test MAC value 2080 ** 2081 ** Returns void 2082 ** 2083 *******************************************************************************/ 2084 void btm_ble_set_test_mac_value(BOOLEAN enable, UINT8 *p_test_mac_val ) 2085 { 2086 BTM_TRACE_DEBUG1 ("btm_ble_set_test_mac_value enable=%d", enable); 2087 btm_cb.devcb.enable_test_mac_val = enable; 2088 memcpy(btm_cb.devcb.test_mac, p_test_mac_val, BT_OCTET8_LEN); 2089 } 2090 2091 /******************************************************************************* 2092 ** 2093 ** Function btm_ble_set_test_local_sign_cntr_value 2094 ** 2095 ** Description This function set test local sign counter value 2096 ** 2097 ** Returns void 2098 ** 2099 *******************************************************************************/ 2100 void btm_ble_set_test_local_sign_cntr_value(BOOLEAN enable, UINT32 test_local_sign_cntr ) 2101 { 2102 BTM_TRACE_DEBUG2 ("btm_ble_set_test_local_sign_cntr_value enable=%d local_sign_cntr=%d", 2103 enable, test_local_sign_cntr); 2104 btm_cb.devcb.enable_test_local_sign_cntr = enable; 2105 btm_cb.devcb.test_local_sign_cntr = test_local_sign_cntr; 2106 } 2107 2108 /******************************************************************************* 2109 ** 2110 ** Function btm_set_random_address 2111 ** 2112 ** Description This function set a random address to local controller. 2113 ** 2114 ** Returns void 2115 ** 2116 *******************************************************************************/ 2117 void btm_set_random_address(BD_ADDR random_bda) 2118 { 2119 tBTM_LE_RANDOM_CB *p_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb; 2120 BOOLEAN adv_mode = btm_cb.ble_ctr_cb.inq_var.adv_mode ; 2121 2122 BTM_TRACE_DEBUG0 ("btm_set_random_address"); 2123 2124 if (adv_mode == BTM_BLE_ADV_ENABLE) 2125 btsnd_hcic_ble_set_adv_enable (BTM_BLE_ADV_DISABLE); 2126 2127 memcpy(p_cb->private_addr, random_bda, BD_ADDR_LEN); 2128 btsnd_hcic_ble_set_random_addr(p_cb->private_addr); 2129 2130 if (adv_mode == BTM_BLE_ADV_ENABLE) 2131 btsnd_hcic_ble_set_adv_enable (BTM_BLE_ADV_ENABLE); 2132 2133 2134 } 2135 #endif /* BTM_BLE_CONFORMANCE_TESTING */ 2136 2137 2138 #endif /* BLE_INCLUDED */ 2139