1 /****************************************************************************** 2 * 3 * Copyright (C) 1999-2012 Broadcom Corporation 4 * 5 * Licensed under the Apache License, Version 2.0 (the "License"); 6 * you may not use this file except in compliance with the License. 7 * You may obtain a copy of the License at: 8 * 9 * http://www.apache.org/licenses/LICENSE-2.0 10 * 11 * Unless required by applicable law or agreed to in writing, software 12 * distributed under the License is distributed on an "AS IS" BASIS, 13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 * See the License for the specific language governing permissions and 15 * limitations under the License. 16 * 17 ******************************************************************************/ 18 19 /****************************************************************************** 20 * 21 * This file contains functions for the Bluetooth Security Manager 22 * 23 ******************************************************************************/ 24 25 #include <string.h> 26 #include "bt_types.h" 27 #include "hcimsgs.h" 28 #include "btu.h" 29 #include "btm_int.h" 30 #include "l2c_int.h" 31 32 #if (BT_USE_TRACES == TRUE && BT_TRACE_VERBOSE == FALSE) 33 /* needed for sprintf() */ 34 #include <stdio.h> 35 #endif 36 37 #if BLE_INCLUDED == TRUE 38 #include "gatt_int.h" 39 #endif 40 41 #define BTM_SEC_MAX_COLLISION_DELAY (GKI_SECS_TO_TICKS(5)) 42 43 #ifdef APPL_AUTH_WRITE_EXCEPTION 44 BOOLEAN (APPL_AUTH_WRITE_EXCEPTION)(BD_ADDR bd_addr); 45 #endif 46 47 48 /******************************************************************************** 49 ** L O C A L F U N C T I O N P R O T O T Y P E S * 50 *********************************************************************************/ 51 static tBTM_SEC_SERV_REC *btm_sec_find_first_serv (BOOLEAN is_originator, UINT16 psm); 52 static tBTM_SEC_SERV_REC *btm_sec_find_next_serv (tBTM_SEC_SERV_REC *p_cur); 53 static tBTM_SEC_SERV_REC *btm_sec_find_mx_serv (UINT8 is_originator, UINT16 psm, 54 UINT32 mx_proto_id, 55 UINT32 mx_chan_id); 56 57 static tBTM_STATUS btm_sec_execute_procedure (tBTM_SEC_DEV_REC *p_dev_rec); 58 static BOOLEAN btm_sec_start_get_name (tBTM_SEC_DEV_REC *p_dev_rec); 59 static BOOLEAN btm_sec_start_authentication (tBTM_SEC_DEV_REC *p_dev_rec); 60 static BOOLEAN btm_sec_start_encryption (tBTM_SEC_DEV_REC *p_dev_rec); 61 static void btm_sec_collision_timeout (TIMER_LIST_ENT *p_tle); 62 static void btm_restore_mode(void); 63 static void btm_sec_pairing_timeout (TIMER_LIST_ENT *p_tle); 64 static tBTM_STATUS btm_sec_dd_create_conn (tBTM_SEC_DEV_REC *p_dev_rec); 65 static void btm_sec_change_pairing_state (tBTM_PAIRING_STATE new_state); 66 67 #if (BT_USE_TRACES == TRUE) 68 static char *btm_pair_state_descr (tBTM_PAIRING_STATE state); 69 #endif 70 71 static void btm_sec_check_pending_reqs(void); 72 static BOOLEAN btm_sec_queue_mx_request (BD_ADDR bd_addr, UINT16 psm, BOOLEAN is_orig, 73 UINT32 mx_proto_id, UINT32 mx_chan_id, 74 tBTM_SEC_CALLBACK *p_callback, void *p_ref_data); 75 static void btm_sec_bond_cancel_complete (void); 76 static void btm_send_link_key_notif (tBTM_SEC_DEV_REC *p_dev_rec); 77 static BOOLEAN btm_sec_check_prefetch_pin (tBTM_SEC_DEV_REC *p_dev_rec); 78 79 static UINT8 btm_sec_start_authorization (tBTM_SEC_DEV_REC *p_dev_rec); 80 BOOLEAN btm_sec_are_all_trusted(UINT32 p_mask[]); 81 82 static tBTM_STATUS btm_sec_send_hci_disconnect (tBTM_SEC_DEV_REC *p_dev_rec, UINT8 reason); 83 tBTM_SEC_DEV_REC *btm_sec_find_dev_by_sec_state (UINT8 state); 84 85 static BOOLEAN btm_sec_set_security_level ( CONNECTION_TYPE conn_type, char *p_name, UINT8 service_id, 86 UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id, 87 UINT32 mx_chan_id); 88 89 /* TRUE - authenticated link key is possible */ 90 static const BOOLEAN btm_sec_io_map [BTM_IO_CAP_MAX][BTM_IO_CAP_MAX] = 91 { 92 /* OUT, IO, IN, NONE */ 93 /* OUT */ {FALSE, FALSE, TRUE, FALSE}, 94 /* IO */ {FALSE, TRUE, TRUE, FALSE}, 95 /* IN */ {TRUE, TRUE, TRUE, FALSE}, 96 /* NONE */ {FALSE, FALSE, FALSE, FALSE} 97 }; 98 /* BTM_IO_CAP_OUT 0 DisplayOnly */ 99 /* BTM_IO_CAP_IO 1 DisplayYesNo */ 100 /* BTM_IO_CAP_IN 2 KeyboardOnly */ 101 /* BTM_IO_CAP_NONE 3 NoInputNoOutput */ 102 103 /******************************************************************************* 104 ** 105 ** Function BTM_SecRegister 106 ** 107 ** Description Application manager calls this function to register for 108 ** security services. There can be one and only one application 109 ** saving link keys. BTM allows only first registration. 110 ** 111 ** Returns TRUE if registered OK, else FALSE 112 ** 113 *******************************************************************************/ 114 BOOLEAN BTM_SecRegister (tBTM_APPL_INFO *p_cb_info) 115 { 116 #if BLE_INCLUDED == TRUE 117 BT_OCTET16 temp_value = {0}; 118 #endif 119 120 BTM_TRACE_EVENT0 ("BTM_Sec: application registered"); 121 122 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE 123 BTM_TRACE_ERROR1 ("BTM_SecRegister:p_cb_info->p_le_callback == 0x%x ", p_cb_info->p_le_callback); 124 125 if (p_cb_info->p_le_callback) 126 { 127 #if SMP_INCLUDED == TRUE 128 BTM_TRACE_EVENT0 ("BTM_Sec: SMP_Register( btm_proc_smp_cback )"); 129 SMP_Register(btm_proc_smp_cback); 130 #endif 131 /* if no IR is loaded, need to regenerate all the keys */ 132 if (memcmp(btm_cb.devcb.id_keys.ir, &temp_value, sizeof(BT_OCTET16)) == 0) 133 { 134 btm_ble_reset_id(); 135 } 136 } 137 else 138 { 139 BTM_TRACE_ERROR0 ("BTM_SecRegister:p_cb_info->p_le_callback == NULL "); 140 } 141 #endif 142 143 144 145 btm_cb.api = *p_cb_info; 146 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE 147 BTM_TRACE_ERROR1 ("BTM_SecRegister: btm_cb.api.p_le_callback = 0x%x ", btm_cb.api.p_le_callback); 148 #endif 149 BTM_TRACE_EVENT0 ("BTM_Sec: application registered"); 150 return(TRUE); 151 } 152 153 154 /******************************************************************************* 155 ** 156 ** Function BTM_SecRegisterLinkKeyNotificationCallback 157 ** 158 ** Description Application manager calls this function to register for 159 ** link key notification. When there is nobody registered 160 ** we should avoid changing link key 161 ** 162 ** Returns TRUE if registered OK, else FALSE 163 ** 164 *******************************************************************************/ 165 BOOLEAN BTM_SecRegisterLinkKeyNotificationCallback (tBTM_LINK_KEY_CALLBACK *p_callback) 166 { 167 btm_cb.api.p_link_key_callback = p_callback; 168 return(TRUE); 169 } 170 171 172 /******************************************************************************* 173 ** 174 ** Function BTM_SecAddRmtNameNotifyCallback 175 ** 176 ** Description Any profile can register to be notified when name of the 177 ** remote device is resolved. 178 ** 179 ** Returns TRUE if registered OK, else FALSE 180 ** 181 *******************************************************************************/ 182 BOOLEAN BTM_SecAddRmtNameNotifyCallback (tBTM_RMT_NAME_CALLBACK *p_callback) 183 { 184 int i; 185 186 for (i = 0; i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++) 187 { 188 if (btm_cb.p_rmt_name_callback[i] == NULL) 189 { 190 btm_cb.p_rmt_name_callback[i] = p_callback; 191 return(TRUE); 192 } 193 } 194 195 return(FALSE); 196 } 197 198 199 /******************************************************************************* 200 ** 201 ** Function BTM_SecDeleteRmtNameNotifyCallback 202 ** 203 ** Description Any profile can deregister notification when a new Link Key 204 ** is generated per connection. 205 ** 206 ** Returns TRUE if OK, else FALSE 207 ** 208 *******************************************************************************/ 209 BOOLEAN BTM_SecDeleteRmtNameNotifyCallback (tBTM_RMT_NAME_CALLBACK *p_callback) 210 { 211 int i; 212 213 for (i = 0; i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++) 214 { 215 if (btm_cb.p_rmt_name_callback[i] == p_callback) 216 { 217 btm_cb.p_rmt_name_callback[i] = NULL; 218 return(TRUE); 219 } 220 } 221 222 return(FALSE); 223 } 224 225 226 /******************************************************************************* 227 ** 228 ** Function BTM_SecSetConnectFilterCallback 229 ** 230 ** Description Host can register to be asked whenever a HCI connection 231 ** request is received. In the registered function host 232 ** suppose to check connectibility filters. Yes/No result 233 ** should be returned syncronously 234 ** 235 ** Returns void 236 ** 237 *******************************************************************************/ 238 void BTM_SecSetConnectFilterCallback (tBTM_FILTER_CB *p_callback) 239 { 240 btm_cb.p_conn_filter_cb = p_callback; 241 } 242 243 /******************************************************************************* 244 ** 245 ** Function BTM_GetSecurityMode 246 ** 247 ** Description Get security mode for the device 248 ** 249 ** Returns void 250 ** 251 *******************************************************************************/ 252 UINT8 BTM_GetSecurityMode (void) 253 { 254 return(btm_cb.security_mode); 255 } 256 257 /******************************************************************************* 258 ** 259 ** Function BTM_GetSecurityFlags 260 ** 261 ** Description Get security flags for the device 262 ** 263 ** Returns BOOLEAN TRUE or FALSE is device found 264 ** 265 *******************************************************************************/ 266 BOOLEAN BTM_GetSecurityFlags (BD_ADDR bd_addr, UINT8 * p_sec_flags) 267 { 268 tBTM_SEC_DEV_REC *p_dev_rec; 269 270 if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL) 271 { 272 *p_sec_flags = p_dev_rec->sec_flags; 273 return(TRUE); 274 } 275 BTM_TRACE_ERROR0 ("BTM_GetSecurityFlags false"); 276 return(FALSE); 277 } 278 279 /******************************************************************************* 280 ** 281 ** Function BTM_SetSecurityMode 282 ** 283 ** Description Set security mode for the device 284 ** 285 ** Returns void 286 ** 287 *******************************************************************************/ 288 void BTM_SetSecurityMode (UINT8 security_mode) 289 { 290 UINT8 old_mode = btm_cb.security_mode; 291 292 UINT8 sp_mode = HCI_SP_MODE_ENABLED; 293 UINT8 sp_debug_mode = HCI_SPD_MODE_DISABLED; 294 295 switch (security_mode) 296 { 297 #if (BTM_PRE_LISBON_INCLUDED == TRUE) 298 case BTM_SEC_MODE_NONE: 299 case BTM_SEC_MODE_SERVICE: 300 case BTM_SEC_MODE_LINK: 301 break; 302 #endif 303 304 case BTM_SEC_MODE_SP_DEBUG: 305 sp_debug_mode = HCI_SPD_MODE_ENABLED; 306 break; 307 case BTM_SEC_MODE_SP: 308 /* the default is enabled */ 309 break; 310 default: 311 BTM_TRACE_ERROR1 ("BTM_SetSecurityMode: unknown mode:%d", security_mode); 312 return; 313 } 314 btm_cb.security_mode = security_mode; 315 316 if (HCI_SIMPLE_PAIRING_SUPPORTED(btm_cb.devcb.local_lmp_features[HCI_EXT_FEATURES_PAGE_0])) 317 { 318 /* Lisbon devices and only use BTM_SEC_MODE_SP */ 319 btm_cb.security_mode = BTM_SEC_MODE_SP; 320 BTM_TRACE_DEBUG2("BTM_SetSecurityMode: SP:%d, debug:%d", sp_mode, sp_debug_mode); 321 btsnd_hcic_write_simple_pairing_mode(sp_mode); 322 btsnd_hcic_write_simp_pair_debug_mode(sp_debug_mode); 323 return; 324 } 325 326 /* must be a pre-Lisbon device */ 327 #if (BTM_PRE_LISBON_INCLUDED == TRUE) 328 /* If previously security mode was Link Level and now lesser notify */ 329 /* controller not to perform authentication, encryption on startup */ 330 if ((old_mode == BTM_SEC_MODE_LINK) 331 && ( security_mode != BTM_SEC_MODE_LINK)) 332 { 333 BTM_TRACE_DEBUG0("BTM_SetSecurityMode: Authen Enable -> FALSE"); 334 btsnd_hcic_write_auth_enable (FALSE); 335 btsnd_hcic_write_encr_mode (HCI_ENCRYPT_MODE_DISABLED); 336 } 337 338 /* If previously security is increased to Link Level notify */ 339 /* controller to perform authentication, encryption on startup */ 340 if ((old_mode != BTM_SEC_MODE_LINK) 341 && ( security_mode == BTM_SEC_MODE_LINK)) 342 { 343 BTM_TRACE_DEBUG0("BTM_SetSecurityMode: Authen Enable -> TRUE"); 344 btsnd_hcic_write_auth_enable (TRUE); 345 btsnd_hcic_write_encr_mode (HCI_ENCRYPT_MODE_POINT_TO_POINT); 346 } 347 #endif /* BTM_PRE_LISBON_INCLUDED == TRUE */ 348 } 349 350 /******************************************************************************* 351 ** 352 ** Function BTM_SetPinType 353 ** 354 ** Description Set PIN type for the device. 355 ** 356 ** Returns void 357 ** 358 *******************************************************************************/ 359 void BTM_SetPinType (UINT8 pin_type, PIN_CODE pin_code, UINT8 pin_code_len) 360 { 361 BTM_TRACE_API3 ("BTM_SetPinType: pin type %d [variable-0, fixed-1], code %s, length %d", 362 pin_type, (char *) pin_code, pin_code_len); 363 364 /* If device is not up security mode will be set as a part of startup */ 365 if ( (btm_cb.cfg.pin_type != pin_type) 366 && (btm_cb.devcb.state > BTM_DEV_STATE_WAIT_AFTER_RESET) ) 367 { 368 btsnd_hcic_write_pin_type (pin_type); 369 } 370 371 btm_cb.cfg.pin_type = pin_type; 372 btm_cb.cfg.pin_code_len = pin_code_len; 373 memcpy (btm_cb.cfg.pin_code, pin_code, pin_code_len); 374 } 375 376 /******************************************************************************* 377 ** 378 ** Function BTM_SetPairableMode 379 ** 380 ** Description Enable or disable pairing 381 ** 382 ** Parameters allow_pairing - (TRUE or FALSE) whether or not the device 383 ** allows pairing. 384 ** connect_only_paired - (TRUE or FALSE) whether or not to 385 ** only allow paired devices to connect. 386 ** 387 ** Returns void 388 ** 389 *******************************************************************************/ 390 void BTM_SetPairableMode (BOOLEAN allow_pairing, BOOLEAN connect_only_paired) 391 { 392 BTM_TRACE_API2 ("BTM_SetPairableMode() allow_pairing: %u connect_only_paired: %u", allow_pairing, connect_only_paired); 393 394 btm_cb.pairing_disabled = !allow_pairing; 395 btm_cb.connect_only_paired = connect_only_paired; 396 } 397 398 399 #define BTM_NO_AVAIL_SEC_SERVICES ((UINT16) 0xffff) 400 401 /******************************************************************************* 402 ** 403 ** Function BTM_SetUCDSecurityLevel 404 ** 405 ** Description Register UCD service security level with Security Manager 406 ** 407 ** Parameters: is_originator - TRUE if originating the connection, FALSE if not 408 ** p_name - Name of the service relevant only if 409 ** authorization will show this name to user. ignored 410 ** if BTM_SEC_SERVICE_NAME_LEN is 0. 411 ** service_id - service ID for the service passed to authorization callback 412 ** sec_level - bit mask of the security features 413 ** psm - L2CAP PSM 414 ** mx_proto_id - protocol ID of multiplexing proto below 415 ** mx_chan_id - channel ID of multiplexing proto below 416 ** 417 ** Returns TRUE if registered OK, else FALSE 418 ** 419 *******************************************************************************/ 420 BOOLEAN BTM_SetUCDSecurityLevel (BOOLEAN is_originator, char *p_name, UINT8 service_id, 421 UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id, 422 UINT32 mx_chan_id) 423 { 424 #if (L2CAP_UCD_INCLUDED == TRUE) 425 CONNECTION_TYPE conn_type; 426 427 if (is_originator) 428 conn_type = CONNLESS_ORIG; 429 else 430 conn_type = CONNLESS_TERM; 431 432 return(btm_sec_set_security_level (conn_type, p_name, service_id, 433 sec_level, psm, mx_proto_id, mx_chan_id)); 434 #else 435 return FALSE; 436 #endif 437 } 438 439 /******************************************************************************* 440 ** 441 ** Function BTM_SetSecurityLevel 442 ** 443 ** Description Register service security level with Security Manager 444 ** 445 ** Parameters: is_originator - TRUE if originating the connection, FALSE if not 446 ** p_name - Name of the service relevant only if 447 ** authorization will show this name to user. ignored 448 ** if BTM_SEC_SERVICE_NAME_LEN is 0. 449 ** service_id - service ID for the service passed to authorization callback 450 ** sec_level - bit mask of the security features 451 ** psm - L2CAP PSM 452 ** mx_proto_id - protocol ID of multiplexing proto below 453 ** mx_chan_id - channel ID of multiplexing proto below 454 ** 455 ** Returns TRUE if registered OK, else FALSE 456 ** 457 *******************************************************************************/ 458 BOOLEAN BTM_SetSecurityLevel (BOOLEAN is_originator, char *p_name, UINT8 service_id, 459 UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id, 460 UINT32 mx_chan_id) 461 { 462 #if (L2CAP_UCD_INCLUDED == TRUE) 463 CONNECTION_TYPE conn_type; 464 465 if (is_originator) 466 conn_type = CONN_ORIENT_ORIG; 467 else 468 conn_type = CONN_ORIENT_TERM; 469 470 return(btm_sec_set_security_level (conn_type, p_name, service_id, 471 sec_level, psm, mx_proto_id, mx_chan_id)); 472 #else 473 return(btm_sec_set_security_level (is_originator, p_name, service_id, 474 sec_level, psm, mx_proto_id, mx_chan_id)); 475 #endif 476 } 477 478 /******************************************************************************* 479 ** 480 ** Function btm_sec_set_security_level 481 ** 482 ** Description Register service security level with Security Manager 483 ** 484 ** Parameters: conn_type - TRUE if originating the connection, FALSE if not 485 ** p_name - Name of the service relevant only if 486 ** authorization will show this name to user. ignored 487 ** if BTM_SEC_SERVICE_NAME_LEN is 0. 488 ** service_id - service ID for the service passed to authorization callback 489 ** sec_level - bit mask of the security features 490 ** psm - L2CAP PSM 491 ** mx_proto_id - protocol ID of multiplexing proto below 492 ** mx_chan_id - channel ID of multiplexing proto below 493 ** 494 ** Returns TRUE if registered OK, else FALSE 495 ** 496 *******************************************************************************/ 497 static BOOLEAN btm_sec_set_security_level (CONNECTION_TYPE conn_type, char *p_name, UINT8 service_id, 498 UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id, 499 UINT32 mx_chan_id) 500 { 501 tBTM_SEC_SERV_REC *p_srec; 502 UINT16 index; 503 UINT16 first_unused_record = BTM_NO_AVAIL_SEC_SERVICES; 504 BOOLEAN record_allocated = FALSE; 505 BOOLEAN is_originator; 506 #if (L2CAP_UCD_INCLUDED == TRUE) 507 BOOLEAN is_ucd; 508 509 if (conn_type & CONNECTION_TYPE_ORIG_MASK) 510 is_originator = TRUE; 511 else 512 is_originator = FALSE; 513 514 if (conn_type & CONNECTION_TYPE_CONNLESS_MASK ) 515 { 516 is_ucd = TRUE; 517 } 518 else 519 { 520 is_ucd = FALSE; 521 } 522 #else 523 is_originator = conn_type; 524 #endif 525 526 /* See if the record can be reused (same service name, psm, mx_proto_id, 527 service_id, and mx_chan_id), or obtain the next unused record */ 528 529 p_srec = &btm_cb.sec_serv_rec[0]; 530 531 532 for (index = 0; index < BTM_SEC_MAX_SERVICE_RECORDS; index++, p_srec++) 533 { 534 /* Check if there is already a record for this service */ 535 if (p_srec->security_flags & BTM_SEC_IN_USE) 536 { 537 #if BTM_SEC_SERVICE_NAME_LEN > 0 538 if (p_srec->psm == psm && 539 p_srec->mx_proto_id == mx_proto_id && 540 service_id == p_srec->service_id && 541 (!strncmp (p_name, (char *) p_srec->orig_service_name, 542 BTM_SEC_SERVICE_NAME_LEN) || 543 !strncmp (p_name, (char *) p_srec->term_service_name, 544 BTM_SEC_SERVICE_NAME_LEN))) 545 #else 546 if (p_srec->psm == psm && 547 p_srec->mx_proto_id == mx_proto_id && 548 service_id == p_srec->service_id) 549 #endif 550 { 551 record_allocated = TRUE; 552 break; 553 } 554 } 555 /* Mark the first available service record */ 556 else if (!record_allocated) 557 { 558 memset (p_srec, 0, sizeof(tBTM_SEC_SERV_REC)); 559 record_allocated = TRUE; 560 first_unused_record = index; 561 } 562 } 563 564 if (!record_allocated) 565 { 566 BTM_TRACE_WARNING1("BTM_SEC_REG: Out of Service Records (%d)", BTM_SEC_MAX_SERVICE_RECORDS); 567 return(record_allocated); 568 } 569 570 /* Process the request if service record is valid */ 571 /* If a duplicate service wasn't found, use the first available */ 572 if (index >= BTM_SEC_MAX_SERVICE_RECORDS) 573 { 574 index = first_unused_record; 575 p_srec = &btm_cb.sec_serv_rec[index]; 576 } 577 578 p_srec->psm = psm; 579 p_srec->service_id = service_id; 580 p_srec->mx_proto_id = mx_proto_id; 581 582 if (is_originator) 583 { 584 p_srec->orig_mx_chan_id = mx_chan_id; 585 #if BTM_SEC_SERVICE_NAME_LEN > 0 586 BCM_STRNCPY_S ((char *)p_srec->orig_service_name, sizeof(p_srec->orig_service_name), p_name, BTM_SEC_SERVICE_NAME_LEN); 587 #endif 588 /* clear out the old setting, just in case it exists */ 589 #if (L2CAP_UCD_INCLUDED == TRUE) 590 if ( is_ucd ) 591 { 592 p_srec->ucd_security_flags &= 593 ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM | 594 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE); 595 } 596 else 597 #endif 598 { 599 p_srec->security_flags &= 600 ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM | 601 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE); 602 } 603 604 /* Parameter validation. Originator should not set requirements for incoming connections */ 605 sec_level &= ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_MITM); 606 607 if (btm_cb.security_mode == BTM_SEC_MODE_SP) 608 { 609 if (sec_level & BTM_SEC_OUT_AUTHENTICATE) 610 sec_level |= BTM_SEC_OUT_MITM; 611 } 612 613 /* Make sure the authenticate bit is set, when encrypt bit is set */ 614 if (sec_level & BTM_SEC_OUT_ENCRYPT) 615 sec_level |= BTM_SEC_OUT_AUTHENTICATE; 616 617 /* outgoing connections usually set the security level right before 618 * the connection is initiated. 619 * set it to be the outgoing service */ 620 #if (L2CAP_UCD_INCLUDED == TRUE) 621 if ( is_ucd == FALSE ) 622 #endif 623 { 624 btm_cb.p_out_serv = p_srec; 625 } 626 } 627 else 628 { 629 p_srec->term_mx_chan_id = mx_chan_id; 630 #if BTM_SEC_SERVICE_NAME_LEN > 0 631 BCM_STRNCPY_S ((char *)p_srec->term_service_name, sizeof(p_srec->term_service_name), p_name, BTM_SEC_SERVICE_NAME_LEN); 632 #endif 633 /* clear out the old setting, just in case it exists */ 634 #if (L2CAP_UCD_INCLUDED == TRUE) 635 if ( is_ucd ) 636 { 637 p_srec->ucd_security_flags &= 638 ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_MITM | 639 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE); 640 } 641 else 642 #endif 643 { 644 p_srec->security_flags &= 645 ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_MITM | 646 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE); 647 } 648 649 /* Parameter validation. Acceptor should not set requirements for outgoing connections */ 650 sec_level &= ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM); 651 652 if (btm_cb.security_mode == BTM_SEC_MODE_SP) 653 { 654 if (sec_level & BTM_SEC_IN_AUTHENTICATE) 655 sec_level |= BTM_SEC_IN_MITM; 656 } 657 658 /* Make sure the authenticate bit is set, when encrypt bit is set */ 659 if (sec_level & BTM_SEC_IN_ENCRYPT) 660 sec_level |= BTM_SEC_IN_AUTHENTICATE; 661 } 662 663 #if (L2CAP_UCD_INCLUDED == TRUE) 664 if ( is_ucd ) 665 { 666 p_srec->security_flags |= (UINT16)(BTM_SEC_IN_USE); 667 p_srec->ucd_security_flags |= (UINT16)(sec_level | BTM_SEC_IN_USE); 668 } 669 else 670 { 671 p_srec->security_flags |= (UINT16)(sec_level | BTM_SEC_IN_USE); 672 } 673 674 BTM_TRACE_API6("BTM_SEC_REG[%d]: id %d, conn_type 0x%x, psm 0x%04x, proto_id %d, chan_id %d", 675 index, service_id, conn_type, psm, mx_proto_id, mx_chan_id); 676 677 BTM_TRACE_API2(" : security_flags: 0x%04x, ucd_security_flags: 0x%04x", 678 p_srec->security_flags, p_srec->ucd_security_flags); 679 680 #if BTM_SEC_SERVICE_NAME_LEN > 0 681 BTM_TRACE_API2(" : service name [%s] (up to %d chars saved)", 682 p_name, BTM_SEC_SERVICE_NAME_LEN); 683 #endif 684 #else 685 p_srec->security_flags |= (UINT16)(sec_level | BTM_SEC_IN_USE); 686 687 BTM_TRACE_API6("BTM_SEC_REG[%d]: id %d, is_orig %d, psm 0x%04x, proto_id %d, chan_id %d", 688 index, service_id, is_originator, psm, mx_proto_id, mx_chan_id); 689 690 #if BTM_SEC_SERVICE_NAME_LEN > 0 691 BTM_TRACE_API3(" : sec: 0x%x, service name [%s] (up to %d chars saved)", 692 p_srec->security_flags, p_name, BTM_SEC_SERVICE_NAME_LEN); 693 #endif 694 #endif 695 696 697 return(record_allocated); 698 } 699 700 /******************************************************************************* 701 ** 702 ** Function BTM_SecClrService 703 ** 704 ** Description Removes specified service record(s) from the security database. 705 ** All service records with the specified name are removed. 706 ** Typically used only by devices with limited RAM so that it can 707 ** reuse an old security service record. 708 ** 709 ** Note: Unpredictable results may occur if a service is cleared 710 ** that is still in use by an application/profile. 711 ** 712 ** Parameters Service ID - Id of the service to remove. ('0' removes all service 713 ** records (except SDP). 714 ** 715 ** Returns Number of records that were freed. 716 ** 717 *******************************************************************************/ 718 UINT8 BTM_SecClrService (UINT8 service_id) 719 { 720 tBTM_SEC_SERV_REC *p_srec = &btm_cb.sec_serv_rec[0]; 721 UINT8 num_freed = 0; 722 int i; 723 724 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_srec++) 725 { 726 /* Delete services with specified name (if in use and not SDP) */ 727 if ((p_srec->security_flags & BTM_SEC_IN_USE) && (p_srec->psm != BT_PSM_SDP) && 728 (!service_id || (service_id == p_srec->service_id))) 729 { 730 BTM_TRACE_API2("BTM_SEC_CLR[%d]: id %d", i, service_id); 731 p_srec->security_flags = 0; 732 #if (L2CAP_UCD_INCLUDED == TRUE) 733 p_srec->ucd_security_flags = 0; 734 #endif 735 num_freed++; 736 } 737 } 738 739 return(num_freed); 740 } 741 742 /******************************************************************************* 743 ** 744 ** Function btm_sec_clr_service_by_psm 745 ** 746 ** Description Removes specified service record from the security database. 747 ** All service records with the specified psm are removed. 748 ** Typically used by L2CAP to free up the service record used 749 ** by dynamic PSM clients when the channel is closed. 750 ** The given psm must be a virtual psm. 751 ** 752 ** Parameters Service ID - Id of the service to remove. ('0' removes all service 753 ** records (except SDP). 754 ** 755 ** Returns Number of records that were freed. 756 ** 757 *******************************************************************************/ 758 UINT8 btm_sec_clr_service_by_psm (UINT16 psm) 759 { 760 tBTM_SEC_SERV_REC *p_srec = &btm_cb.sec_serv_rec[0]; 761 UINT8 num_freed = 0; 762 int i; 763 764 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_srec++) 765 { 766 /* Delete services with specified name (if in use and not SDP) */ 767 if ((p_srec->security_flags & BTM_SEC_IN_USE) && (p_srec->psm == psm) ) 768 { 769 BTM_TRACE_API2("BTM_SEC_CLR[%d]: id %d ", i, p_srec->service_id); 770 p_srec->security_flags = 0; 771 num_freed++; 772 } 773 } 774 BTM_TRACE_API2("btm_sec_clr_service_by_psm psm:0x%x num_freed:%d", psm, num_freed); 775 776 return(num_freed); 777 } 778 779 /******************************************************************************* 780 ** 781 ** Function btm_sec_clr_temp_auth_service 782 ** 783 ** Description Removes specified device record's temporary authorization 784 ** flag from the security database. 785 ** 786 ** Parameters Device address to be cleared 787 ** 788 ** Returns void. 789 ** 790 *******************************************************************************/ 791 void btm_sec_clr_temp_auth_service (BD_ADDR bda) 792 { 793 tBTM_SEC_DEV_REC *p_dev_rec; 794 795 if ((p_dev_rec = btm_find_dev (bda)) == NULL) 796 { 797 BTM_TRACE_WARNING0 ("btm_sec_clr_temp_auth_service() - no dev CB"); 798 return; 799 } 800 801 /* Reset the temporary authorized flag so that next time (untrusted) service is accessed autorization will take place */ 802 if (p_dev_rec->last_author_service_id != BTM_SEC_NO_LAST_SERVICE_ID && p_dev_rec->p_cur_service) 803 { 804 BTM_TRACE_DEBUG6 ("btm_sec_clr_auth_service_by_psm [clearing device: %02x:%02x:%02x:%02x:%02x:%02x]", 805 bda[0], bda[1], bda[2], bda[3], bda[4], bda[5]); 806 807 p_dev_rec->last_author_service_id = BTM_SEC_NO_LAST_SERVICE_ID; 808 } 809 } 810 811 /******************************************************************************* 812 ** 813 ** 814 ** Function BTM_SecClrUCDService 815 ** 816 ** Description 817 ** 818 ** Parameters Service ID - Id of the service to remove. 819 ** ('0' removes all service records ) 820 ** 821 ** Returns Number of records that were cleared. 822 ** 823 *******************************************************************************/ 824 UINT8 BTM_SecClrUCDService (UINT8 service_id) 825 { 826 #if (L2CAP_UCD_INCLUDED == TRUE) 827 tBTM_SEC_SERV_REC *p_srec = &btm_cb.sec_serv_rec[0]; 828 UINT8 num_cleared = 0; 829 int i; 830 831 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_srec++) 832 { 833 /* Delete services with specified name (if in use and not SDP) */ 834 if ((p_srec->security_flags & BTM_SEC_IN_USE) && 835 (!service_id || (service_id == (UINT32)p_srec->service_id))) 836 { 837 BTM_TRACE_API2("BTM_UCD_SEC_CLR[%d]: id %d", i, service_id); 838 p_srec->ucd_security_flags = 0; 839 num_cleared++; 840 } 841 } 842 843 return(num_cleared); 844 #else 845 return(0); 846 #endif 847 } 848 849 /******************************************************************************* 850 ** 851 ** Function BTM_PINCodeReply 852 ** 853 ** Description This function is called after Security Manager submitted 854 ** PIN code request to the UI. 855 ** 856 ** Parameters: bd_addr - Address of the device for which PIN was requested 857 ** res - result of the operation BTM_SUCCESS if success 858 ** pin_len - length in bytes of the PIN Code 859 ** p_pin - pointer to array with the PIN Code 860 ** trusted_mask - bitwise OR of trusted services (array of UINT32) 861 ** 862 *******************************************************************************/ 863 void BTM_PINCodeReply (BD_ADDR bd_addr, UINT8 res, UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[]) 864 { 865 tBTM_SEC_DEV_REC *p_dev_rec; 866 867 BTM_TRACE_API4 ("BTM_PINCodeReply(): PairState: %s PairFlags: 0x%02x PinLen:%d Result:%d", 868 btm_pair_state_descr(btm_cb.pairing_state), btm_cb.pairing_flags, pin_len, res); 869 870 /* If timeout already expired or has been canceled, ignore the reply */ 871 if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_PIN) 872 { 873 BTM_TRACE_WARNING1 ("BTM_PINCodeReply() - Wrong State: %d", btm_cb.pairing_state); 874 return; 875 } 876 877 if (memcmp (bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN) != 0) 878 { 879 BTM_TRACE_ERROR0 ("BTM_PINCodeReply() - Wrong BD Addr"); 880 return; 881 } 882 883 if ((p_dev_rec = btm_find_dev (bd_addr)) == NULL) 884 { 885 BTM_TRACE_ERROR0 ("BTM_PINCodeReply() - no dev CB"); 886 return; 887 } 888 889 if ( (pin_len > PIN_CODE_LEN) || (pin_len == 0) || (p_pin == NULL) ) 890 res = BTM_ILLEGAL_VALUE; 891 892 if (res != BTM_SUCCESS) 893 { 894 /* if peer started dd OR we started dd and pre-fetch pin was not used send negative reply */ 895 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PEER_STARTED_DD) || 896 ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) && 897 (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)) ) 898 { 899 /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed event */ 900 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE); 901 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY; 902 903 btsnd_hcic_pin_code_neg_reply (bd_addr); 904 } 905 else 906 { 907 p_dev_rec->security_required = BTM_SEC_NONE; 908 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 909 } 910 return; 911 } 912 if (trusted_mask) 913 BTM_SEC_COPY_TRUSTED_DEVICE(trusted_mask, p_dev_rec->trusted_mask); 914 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED; 915 916 if ( (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) 917 && (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE) 918 && (btm_cb.security_mode_changed == FALSE) ) 919 { 920 /* This is start of the dedicated bonding if local device is 2.0 */ 921 btm_cb.pin_code_len = pin_len; 922 memcpy (btm_cb.pin_code, p_pin, pin_len); 923 924 btm_cb.security_mode_changed = TRUE; 925 #ifdef APPL_AUTH_WRITE_EXCEPTION 926 if(!(APPL_AUTH_WRITE_EXCEPTION)(p_dev_rec->bd_addr)) 927 #endif 928 btsnd_hcic_write_auth_enable (TRUE); 929 930 btm_cb.acl_disc_reason = 0xff ; 931 932 /* if we rejected incoming connection request, we have to wait HCI_Connection_Complete event */ 933 /* before originating */ 934 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT) 935 { 936 BTM_TRACE_WARNING0 ("BTM_PINCodeReply(): waiting HCI_Connection_Complete after rejected incoming connection"); 937 /* we change state little bit early so btm_sec_connected() will originate connection */ 938 /* when existing ACL link is down completely */ 939 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ); 940 } 941 /* if we already accepted incoming connection from pairing device */ 942 else if (p_dev_rec->sm4 & BTM_SM4_CONN_PEND) 943 { 944 BTM_TRACE_WARNING0 ("BTM_PINCodeReply(): link is connecting so wait pin code request from peer"); 945 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ); 946 } 947 else if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED) 948 { 949 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 950 p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_AUTHED; 951 952 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class, 953 p_dev_rec->sec_bd_name, HCI_ERR_AUTH_FAILURE); 954 } 955 return; 956 } 957 958 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE); 959 btm_cb.acl_disc_reason = HCI_SUCCESS; 960 961 #ifdef PORCHE_PAIRING_CONFLICT 962 BTM_TRACE_EVENT2("BTM_PINCodeReply(): Saving pin_len: %d btm_cb.pin_code_len: %d", pin_len, btm_cb.pin_code_len); 963 /* if this was not pre-fetched, save the PIN */ 964 if (btm_cb.pin_code_len == 0) 965 memcpy (btm_cb.pin_code, p_pin, pin_len); 966 btm_cb.pin_code_len_saved = pin_len; 967 #endif 968 btsnd_hcic_pin_code_req_reply (bd_addr, pin_len, p_pin); 969 } 970 971 972 /******************************************************************************* 973 ** 974 ** Function BTM_DeviceAuthorized 975 ** 976 ** Description This function is called after Security Manager submitted 977 ** authorization request to the UI. 978 ** 979 ** Parameters: bd_addr - Address of the device for which PIN was requested 980 ** res - result of the operation BTM_SUCCESS if success 981 ** 982 *******************************************************************************/ 983 void BTM_DeviceAuthorized (BD_ADDR bd_addr, UINT8 res, UINT32 trusted_mask[]) 984 { 985 tBTM_SEC_DEV_REC *p_dev_rec; 986 987 if ((p_dev_rec = btm_find_dev (bd_addr)) == NULL) 988 { 989 BTM_TRACE_WARNING6 ("Security Manager: Attempting Authorization of Unknown Device Address [%02x%02x%02x%02x%02x%02x]", 990 bd_addr[0], bd_addr[1], bd_addr[2], bd_addr[3], bd_addr[4], bd_addr[5]); 991 return; 992 } 993 994 BTM_TRACE_EVENT4 ("Security Manager: authorized status:%d State:%d Trusted:%08x %08x", 995 res, (p_dev_rec) ? p_dev_rec->sec_state : 0, trusted_mask[0], trusted_mask[1]); 996 997 if (res == BTM_SUCCESS) 998 { 999 p_dev_rec->sec_flags |= BTM_SEC_AUTHORIZED; 1000 if (trusted_mask) 1001 { 1002 BTM_SEC_COPY_TRUSTED_DEVICE(trusted_mask, p_dev_rec->trusted_mask); 1003 } 1004 1005 /* Save the currently authorized service in case we are asked again 1006 by another multiplexer layer */ 1007 if (!p_dev_rec->is_originator) 1008 { 1009 BTM_TRACE_DEBUG1("BTM_DeviceAuthorized: Setting last_author_service_id to %d", 1010 p_dev_rec->p_cur_service->service_id); 1011 p_dev_rec->last_author_service_id = p_dev_rec->p_cur_service->service_id; 1012 } 1013 } 1014 1015 if (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHORIZING) 1016 return; 1017 1018 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE; 1019 1020 if (res != BTM_SUCCESS) 1021 { 1022 btm_sec_dev_rec_cback_event (p_dev_rec, res); 1023 return; 1024 } 1025 1026 if ((res = (UINT8)btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED) 1027 { 1028 btm_sec_dev_rec_cback_event (p_dev_rec, res); 1029 } 1030 } 1031 1032 1033 1034 /******************************************************************************* 1035 ** 1036 ** Function BTM_SecBond 1037 ** 1038 ** Description This function is called to perform bonding with peer device. 1039 ** If the connection is already up, but not secure, pairing 1040 ** is attempted. If already paired BTM_SUCCESS is returned. 1041 ** 1042 ** Parameters: bd_addr - Address of the device to bond 1043 ** pin_len - length in bytes of the PIN Code 1044 ** p_pin - pointer to array with the PIN Code 1045 ** trusted_mask - bitwise OR of trusted services (array of UINT32) 1046 ** 1047 ** Note: After 2.1 parameters are not used and preserved here not to change API 1048 *******************************************************************************/ 1049 tBTM_STATUS BTM_SecBond (BD_ADDR bd_addr, UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[]) 1050 { 1051 tBTM_SEC_DEV_REC *p_dev_rec; 1052 tBTM_STATUS status; 1053 UINT8 *p_features; 1054 UINT8 ii; 1055 1056 BTM_TRACE_API6 ("BTM_SecBond BDA: %02x:%02x:%02x:%02x:%02x:%02x", 1057 bd_addr[0], bd_addr[1], bd_addr[2], bd_addr[3], bd_addr[4], bd_addr[5]); 1058 1059 /* Other security process is in progress */ 1060 if (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) 1061 { 1062 BTM_TRACE_ERROR1 ("BTM_SecBond: already busy in state: %s", btm_pair_state_descr(btm_cb.pairing_state)); 1063 return(BTM_WRONG_MODE); 1064 } 1065 1066 if ((p_dev_rec = btm_find_or_alloc_dev (bd_addr)) == NULL) 1067 { 1068 return(BTM_NO_RESOURCES); 1069 } 1070 1071 BTM_TRACE_DEBUG1 ("before update sec_flags=0x%x", p_dev_rec->sec_flags); 1072 1073 /* Finished if connection is active and already paired */ 1074 if ( (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE) 1075 && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED) ) 1076 { 1077 BTM_TRACE_WARNING0("BTM_SecBond -> Already Paired"); 1078 return(BTM_SUCCESS); 1079 } 1080 1081 /* Tell controller to get rid of the link key if it has one stored */ 1082 if ((BTM_DeleteStoredLinkKey (bd_addr, NULL)) != BTM_SUCCESS) 1083 return(BTM_NO_RESOURCES); 1084 1085 /* Save the PIN code if we got a valid one */ 1086 if (p_pin && (pin_len <= PIN_CODE_LEN) && (pin_len != 0)) 1087 { 1088 btm_cb.pin_code_len = pin_len; 1089 memcpy (btm_cb.pin_code, p_pin, PIN_CODE_LEN); 1090 } 1091 1092 memcpy (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN); 1093 1094 btm_cb.pairing_flags = BTM_PAIR_FLAGS_WE_STARTED_DD; 1095 1096 p_dev_rec->security_required = BTM_SEC_OUT_AUTHENTICATE; 1097 p_dev_rec->is_originator = TRUE; 1098 if (trusted_mask) 1099 BTM_SEC_COPY_TRUSTED_DEVICE(trusted_mask, p_dev_rec->trusted_mask); 1100 1101 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED 1102 | BTM_SEC_ROLE_SWITCHED | BTM_SEC_LINK_KEY_AUTHED); 1103 1104 1105 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE 1106 /* LE device, do SMP pairing */ 1107 if (BTM_UseLeLink(bd_addr)) 1108 { 1109 if (SMP_Pair(bd_addr) == SMP_STARTED) 1110 { 1111 btm_cb.pairing_state = BTM_PAIR_STATE_WAIT_AUTH_COMPLETE; 1112 p_dev_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING; 1113 return BTM_CMD_STARTED; 1114 } 1115 else 1116 return(BTM_NO_RESOURCES); 1117 } 1118 #endif 1119 1120 BTM_TRACE_DEBUG1 ("after update sec_flags=0x%x", p_dev_rec->sec_flags); 1121 if (!HCI_SIMPLE_PAIRING_SUPPORTED(btm_cb.devcb.local_lmp_features[HCI_EXT_FEATURES_PAGE_0])) 1122 { 1123 /* The special case when we authenticate keyboard. Set pin type to fixed */ 1124 /* It would be probably better to do it from the application, but it is */ 1125 /* complicated */ 1126 if (((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) == BTM_COD_MAJOR_PERIPHERAL) 1127 && (p_dev_rec->dev_class[2] & BTM_COD_MINOR_KEYBOARD) 1128 && (btm_cb.cfg.pin_type != HCI_PIN_TYPE_FIXED)) 1129 { 1130 btm_cb.pin_type_changed = TRUE; 1131 btsnd_hcic_write_pin_type (HCI_PIN_TYPE_FIXED); 1132 } 1133 } 1134 1135 for (ii = 0; ii <= HCI_EXT_FEATURES_PAGE_MAX; ii++) 1136 { 1137 p_features = p_dev_rec->features[ii]; 1138 BTM_TRACE_EVENT5(" remote_features page[%1d] = %02x-%02x-%02x-%02x", 1139 ii, p_features[0], p_features[1], p_features[2], p_features[3]); 1140 BTM_TRACE_EVENT4(" %02x-%02x-%02x-%02x", 1141 p_features[4], p_features[5], p_features[6], p_features[7]); 1142 } 1143 1144 BTM_TRACE_EVENT2 ("BTM_SecBond: Remote sm4: 0x%x HCI Handle: 0x%04x", p_dev_rec->sm4, p_dev_rec->hci_handle); 1145 1146 #if BTM_SEC_FORCE_RNR_FOR_DBOND == TRUE 1147 p_dev_rec->sec_flags &= ~BTM_SEC_NAME_KNOWN; 1148 #endif 1149 1150 /* If connection already exists... */ 1151 if (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE) 1152 { 1153 if (!btm_sec_start_authentication (p_dev_rec)) 1154 return(BTM_NO_RESOURCES); 1155 1156 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ); 1157 1158 /* Mark lcb as bonding */ 1159 l2cu_update_lcb_4_bonding (bd_addr, TRUE); 1160 return(BTM_CMD_STARTED); 1161 } 1162 1163 BTM_TRACE_DEBUG2 ("sec mode: %d sm4:x%x", btm_cb.security_mode, p_dev_rec->sm4); 1164 if (!HCI_SIMPLE_PAIRING_SUPPORTED(btm_cb.devcb.local_lmp_features[HCI_EXT_FEATURES_PAGE_0]) 1165 || (p_dev_rec->sm4 == BTM_SM4_KNOWN)) 1166 { 1167 if ( btm_sec_check_prefetch_pin (p_dev_rec) ) 1168 return(BTM_CMD_STARTED); 1169 } 1170 if (BTM_SEC_MODE_SP == btm_cb.security_mode && BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4)) 1171 { 1172 /* local is 2.1 and peer is unknown */ 1173 if ((p_dev_rec->sm4 & BTM_SM4_CONN_PEND) == 0) 1174 { 1175 /* we are not accepting connection request from peer 1176 * -> RNR (to learn if peer is 2.1) 1177 * RNR when no ACL causes HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT */ 1178 btm_sec_change_pairing_state (BTM_PAIR_STATE_GET_REM_NAME); 1179 BTM_ReadRemoteDeviceName(bd_addr, NULL); 1180 } 1181 else 1182 { 1183 /* We are accepting connection request from peer */ 1184 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ); 1185 } 1186 BTM_TRACE_DEBUG3 ("State:%s sm4: 0x%x sec_state:%d", btm_pair_state_descr (btm_cb.pairing_state), p_dev_rec->sm4, p_dev_rec->sec_state); 1187 return BTM_CMD_STARTED; 1188 } 1189 1190 /* both local and peer are 2.1 */ 1191 status = btm_sec_dd_create_conn(p_dev_rec); 1192 1193 if (status != BTM_CMD_STARTED) 1194 { 1195 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 1196 } 1197 1198 return status; 1199 } 1200 1201 1202 /******************************************************************************* 1203 ** 1204 ** Function BTM_SecBondCancel 1205 ** 1206 ** Description This function is called to cancel ongoing bonding process 1207 ** with peer device. 1208 ** 1209 ** Parameters: bd_addr - Address of the peer device 1210 ** 1211 *******************************************************************************/ 1212 tBTM_STATUS BTM_SecBondCancel (BD_ADDR bd_addr) 1213 { 1214 tBTM_SEC_DEV_REC *p_dev_rec; 1215 #if SMP_INCLUDED == TRUE 1216 tACL_CONN *p=NULL; 1217 #endif 1218 1219 BTM_TRACE_API2 ("BTM_SecBondCancel() State: %s flags:0x%x", 1220 btm_pair_state_descr (btm_cb.pairing_state), btm_cb.pairing_flags); 1221 1222 if (((p_dev_rec = btm_find_dev (bd_addr)) == NULL) 1223 || (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) ) 1224 return BTM_UNKNOWN_ADDR; 1225 1226 #if SMP_INCLUDED == TRUE 1227 p = btm_bda_to_acl(bd_addr); 1228 if (p && p->is_le_link && 1229 (p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING)) 1230 { 1231 BTM_TRACE_DEBUG0 ("Cancel LE pairing"); 1232 if (SMP_PairCancel(bd_addr)) 1233 { 1234 return BTM_CMD_STARTED; 1235 } 1236 else 1237 { 1238 return BTM_WRONG_MODE; 1239 } 1240 } 1241 1242 #endif 1243 BTM_TRACE_DEBUG2 ("hci_handle:0x%x sec_state:%d", p_dev_rec->hci_handle, p_dev_rec->sec_state ); 1244 if (BTM_PAIR_STATE_WAIT_LOCAL_PIN == btm_cb.pairing_state && 1245 BTM_PAIR_FLAGS_WE_STARTED_DD & btm_cb.pairing_flags) 1246 { 1247 /* pre-fetching pin for dedicated bonding */ 1248 btm_sec_bond_cancel_complete(); 1249 return BTM_SUCCESS; 1250 } 1251 1252 /* If this BDA is in a bonding procedure */ 1253 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) 1254 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)) 1255 { 1256 /* If the HCI link is up */ 1257 if (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE) 1258 { 1259 /* If some other thread disconnecting, we do not send second command */ 1260 if (p_dev_rec->sec_state == BTM_SEC_STATE_DISCONNECTING) 1261 return(BTM_CMD_STARTED); 1262 1263 /* If the HCI link was set up by Bonding process */ 1264 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE) 1265 return btm_sec_send_hci_disconnect(p_dev_rec, HCI_ERR_PEER_USER); 1266 else 1267 l2cu_update_lcb_4_bonding(bd_addr, FALSE); 1268 1269 return BTM_NOT_AUTHORIZED; 1270 } 1271 else /*HCI link is not up */ 1272 { 1273 /* If the HCI link creation was started by Bonding process */ 1274 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE) 1275 { 1276 if (btsnd_hcic_create_conn_cancel(bd_addr)) 1277 return BTM_CMD_STARTED; 1278 1279 return BTM_NO_RESOURCES; 1280 } 1281 if (btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME) 1282 { 1283 BTM_CancelRemoteDeviceName(); 1284 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_WE_CANCEL_DD; 1285 return BTM_CMD_STARTED; 1286 } 1287 return BTM_NOT_AUTHORIZED; 1288 } 1289 } 1290 1291 return BTM_WRONG_MODE; 1292 } 1293 1294 /******************************************************************************* 1295 ** 1296 ** Function BTM_SecUseMasterLinkKey 1297 ** 1298 ** Description This function is called to tell master of the piconet to 1299 ** switch to master link key 1300 ** 1301 ** Parameters: use_master_key - If true Master Link Key shoul be used 1302 ** 1303 *******************************************************************************/ 1304 tBTM_STATUS BTM_SecUseMasterLinkKey (BOOLEAN use_master_key) 1305 { 1306 return(btsnd_hcic_master_link_key (use_master_key) ? BTM_SUCCESS : 1307 BTM_NO_RESOURCES); 1308 } 1309 1310 /******************************************************************************* 1311 ** 1312 ** Function BTM_SetMasterKeyCompCback 1313 ** 1314 ** Description This function is called to register for the master key complete 1315 ** status event. 1316 ** 1317 ** Parameters: mkey_cback - callback registered with the security manager 1318 ** 1319 *******************************************************************************/ 1320 void BTM_SetMasterKeyCompCback( tBTM_MKEY_CALLBACK *mkey_cback ) 1321 { 1322 btm_cb.mkey_cback = mkey_cback; 1323 } 1324 1325 /******************************************************************************* 1326 ** 1327 ** Function BTM_SecGetDeviceLinkKey 1328 ** 1329 ** Description This function is called to obtain link key for the device 1330 ** it returns BTM_SUCCESS if link key is available, or 1331 ** BTM_UNKNOWN_ADDR if Security Manager does not know about 1332 ** the device or device record does not contain link key info 1333 ** 1334 ** Parameters: bd_addr - Address of the device 1335 ** link_key - Link Key is copied into this array 1336 ** 1337 *******************************************************************************/ 1338 tBTM_STATUS BTM_SecGetDeviceLinkKey (BD_ADDR bd_addr, LINK_KEY link_key) 1339 { 1340 tBTM_SEC_DEV_REC *p_dev_rec; 1341 1342 if (((p_dev_rec = btm_find_dev (bd_addr)) != NULL) 1343 && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)) 1344 { 1345 memcpy (link_key, p_dev_rec->link_key, LINK_KEY_LEN); 1346 return(BTM_SUCCESS); 1347 } 1348 return(BTM_UNKNOWN_ADDR); 1349 } 1350 1351 1352 /******************************************************************************* 1353 ** 1354 ** Function BTM_SetEncryption 1355 ** 1356 ** Description This function is called to ensure that connection is 1357 ** encrypted. Should be called only on an open connection. 1358 ** Typically only needed for connections that first want to 1359 ** bring up unencrypted links, then later encrypt them. 1360 ** 1361 ** Parameters: bd_addr - Address of the peer device 1362 ** p_callback - Pointer to callback function called if 1363 ** this function returns PENDING after required 1364 ** procedures are completed. Can be set to NULL 1365 ** if status is not desired. 1366 ** p_ref_data - pointer to any data the caller wishes to receive 1367 ** in the callback function upon completion. 1368 * can be set to NULL if not used. 1369 ** 1370 ** Returns BTM_SUCCESS - already encrypted 1371 ** BTM_PENDING - command will be returned in the callback 1372 ** BTM_WRONG_MODE- connection not up. 1373 ** BTM_BUSY - security procedures are currently active 1374 ** BTM_MODE_UNSUPPORTED - if security manager not linked in. 1375 ** 1376 *******************************************************************************/ 1377 tBTM_STATUS BTM_SetEncryption (BD_ADDR bd_addr, tBTM_SEC_CBACK *p_callback, 1378 void *p_ref_data) 1379 { 1380 tBTM_SEC_DEV_REC *p_dev_rec; 1381 tBTM_STATUS rc; 1382 1383 #if BLE_INCLUDED == TRUE 1384 tACL_CONN *p; 1385 p = btm_bda_to_acl(bd_addr); 1386 #endif 1387 1388 p_dev_rec = btm_find_dev (bd_addr); 1389 if (!p_dev_rec || (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE)) 1390 { 1391 /* Connection should be up and runnning */ 1392 BTM_TRACE_WARNING0 ("Security Manager: BTM_SetEncryption not connected"); 1393 1394 if (p_callback) 1395 (*p_callback) (bd_addr, p_ref_data, BTM_WRONG_MODE); 1396 1397 return(BTM_WRONG_MODE); 1398 } 1399 1400 1401 if ( 1402 #if BLE_INCLUDED == TRUE 1403 !p->is_le_link && 1404 #endif 1405 (p_dev_rec->sec_flags & (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED)) 1406 == (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED)) 1407 { 1408 BTM_TRACE_EVENT0 ("Security Manager: BTM_SetEncryption already encrypted"); 1409 1410 if (p_callback) 1411 (*p_callback) (bd_addr, p_ref_data, BTM_SUCCESS); 1412 1413 return(BTM_SUCCESS); 1414 } 1415 1416 if (p_dev_rec->p_callback) 1417 { 1418 /* Connection should be up and runnning */ 1419 BTM_TRACE_WARNING0 ("Security Manager: BTM_SetEncryption busy"); 1420 1421 if (p_callback) 1422 (*p_callback) (bd_addr, p_ref_data, BTM_BUSY); 1423 1424 return(BTM_BUSY); 1425 } 1426 1427 p_dev_rec->p_callback = p_callback; 1428 p_dev_rec->p_ref_data = p_ref_data; 1429 p_dev_rec->security_required |= (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT); 1430 p_dev_rec->is_originator = FALSE; 1431 1432 BTM_TRACE_API4 ("Security Manager: BTM_SetEncryption Handle:%d State:%d Flags:0x%x Required:0x%x", 1433 p_dev_rec->hci_handle, p_dev_rec->sec_state, p_dev_rec->sec_flags, 1434 p_dev_rec->security_required); 1435 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE 1436 if (p->is_le_link) 1437 { 1438 rc = btm_ble_set_encryption(bd_addr, p_ref_data, p->link_role); 1439 } 1440 else 1441 #endif 1442 1443 rc = btm_sec_execute_procedure (p_dev_rec); 1444 1445 if ( rc != BTM_CMD_STARTED) 1446 { 1447 if (p_callback) 1448 { 1449 p_dev_rec->p_callback = NULL; 1450 (*p_callback) (bd_addr, p_dev_rec->p_ref_data, rc); 1451 } 1452 } 1453 return(rc); 1454 } 1455 1456 /******************************************************************************* 1457 * disconnect the ACL link, if it's not done yet. 1458 *******************************************************************************/ 1459 static tBTM_STATUS btm_sec_send_hci_disconnect (tBTM_SEC_DEV_REC *p_dev_rec, UINT8 reason) 1460 { 1461 UINT8 old_state = p_dev_rec->sec_state; 1462 tBTM_STATUS status = BTM_CMD_STARTED; 1463 1464 BTM_TRACE_EVENT2 ("btm_sec_send_hci_disconnect: handle:0x%x, reason=0x%x", 1465 p_dev_rec->hci_handle, reason); 1466 1467 /* if some other thread disconnecting, we do not send second command */ 1468 if (BTM_SEC_STATE_DISCONNECTING != old_state) 1469 { 1470 p_dev_rec->sec_state = BTM_SEC_STATE_DISCONNECTING; 1471 1472 #if BTM_DISC_DURING_RS == TRUE 1473 /* If a Role Switch is in progress, delay the HCI Disconnect to avoid controller problem (4329B1) */ 1474 if (p_dev_rec->rs_disc_pending == BTM_SEC_RS_PENDING) 1475 { 1476 BTM_TRACE_ERROR0("RS in progress - Set DISC Pending flag in btm_sec_send_hci_disconnect to delay disconnect"); 1477 p_dev_rec->rs_disc_pending = BTM_SEC_DISC_PENDING; 1478 status = BTM_SUCCESS; 1479 } 1480 else 1481 #endif 1482 /* Tear down the HCI link */ 1483 if (!btsnd_hcic_disconnect (p_dev_rec->hci_handle, reason)) 1484 { 1485 /* could not send disconnect. restore old state */ 1486 p_dev_rec->sec_state = old_state; 1487 status = BTM_NO_RESOURCES; 1488 } 1489 } 1490 return (status); 1491 } 1492 1493 /******************************************************************************* 1494 ** 1495 ** Function BTM_ConfirmReqReply 1496 ** 1497 ** Description This function is called to confirm the numeric value for 1498 ** Simple Pairing in response to BTM_SP_CFM_REQ_EVT 1499 ** 1500 ** Parameters: res - result of the operation BTM_SUCCESS if success 1501 ** bd_addr - Address of the peer device 1502 ** 1503 *******************************************************************************/ 1504 void BTM_ConfirmReqReply(tBTM_STATUS res, BD_ADDR bd_addr) 1505 { 1506 tBTM_SEC_DEV_REC *p_dev_rec; 1507 1508 BTM_TRACE_EVENT2 ("BTM_ConfirmReqReply() State: %s Res: %u", 1509 btm_pair_state_descr(btm_cb.pairing_state), res); 1510 1511 /* If timeout already expired or has been canceled, ignore the reply */ 1512 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM) 1513 || (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) ) 1514 return; 1515 1516 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE); 1517 1518 if ( (res == BTM_SUCCESS) || (res == BTM_SUCCESS_NO_SECURITY) ) 1519 { 1520 btm_cb.acl_disc_reason = HCI_SUCCESS; 1521 1522 if (res == BTM_SUCCESS) 1523 { 1524 if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL) 1525 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED; 1526 } 1527 1528 btsnd_hcic_user_conf_reply (bd_addr, TRUE); 1529 } 1530 else 1531 { 1532 /* Report authentication failed event from state BTM_PAIR_STATE_WAIT_AUTH_COMPLETE */ 1533 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY; 1534 btsnd_hcic_user_conf_reply (bd_addr, FALSE); 1535 } 1536 } 1537 1538 /******************************************************************************* 1539 ** 1540 ** Function BTM_PasskeyReqReply 1541 ** 1542 ** Description This function is called to provide the passkey for 1543 ** Simple Pairing in response to BTM_SP_KEY_REQ_EVT 1544 ** 1545 ** Parameters: res - result of the operation BTM_SUCCESS if success 1546 ** bd_addr - Address of the peer device 1547 ** passkey - numeric value in the range of 1548 ** BTM_MIN_PASSKEY_VAL(0) - BTM_MAX_PASSKEY_VAL(999999(0xF423F)). 1549 ** 1550 *******************************************************************************/ 1551 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE) 1552 void BTM_PasskeyReqReply(tBTM_STATUS res, BD_ADDR bd_addr, UINT32 passkey) 1553 { 1554 tBTM_SEC_DEV_REC *p_dev_rec; 1555 1556 BTM_TRACE_API2 ("BTM_PasskeyReqReply: State: %s res:%d", 1557 btm_pair_state_descr(btm_cb.pairing_state), res); 1558 1559 if ( (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE) 1560 || (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) ) 1561 { 1562 return; 1563 } 1564 1565 /* If timeout already expired or has been canceled, ignore the reply */ 1566 if ( (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_AUTH_COMPLETE) && (res != BTM_SUCCESS) ) 1567 { 1568 if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL) 1569 { 1570 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY; 1571 1572 if (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE) 1573 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE); 1574 else 1575 BTM_SecBondCancel(bd_addr); 1576 1577 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_AUTHED | BTM_SEC_LINK_KEY_KNOWN); 1578 1579 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 1580 return; 1581 } 1582 } 1583 else if (btm_cb.pairing_state != BTM_PAIR_STATE_KEY_ENTRY) 1584 return; 1585 1586 if (passkey > BTM_MAX_PASSKEY_VAL) 1587 res = BTM_ILLEGAL_VALUE; 1588 1589 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE); 1590 1591 if (res != BTM_SUCCESS) 1592 { 1593 /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed event */ 1594 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY; 1595 btsnd_hcic_user_passkey_neg_reply (bd_addr); 1596 } 1597 else 1598 { 1599 btm_cb.acl_disc_reason = HCI_SUCCESS; 1600 btsnd_hcic_user_passkey_reply (bd_addr, passkey); 1601 } 1602 } 1603 #endif 1604 1605 /******************************************************************************* 1606 ** 1607 ** Function BTM_SendKeypressNotif 1608 ** 1609 ** Description This function is used during the passkey entry model 1610 ** by a device with KeyboardOnly IO capabilities 1611 ** (very likely to be a HID Device). 1612 ** It is called by a HID Device to inform the remote device when 1613 ** a key has been entered or erased. 1614 ** 1615 ** Parameters: bd_addr - Address of the peer device 1616 ** type - notification type 1617 ** 1618 *******************************************************************************/ 1619 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE) 1620 void BTM_SendKeypressNotif(BD_ADDR bd_addr, tBTM_SP_KEY_TYPE type) 1621 { 1622 /* This API only make sense between PASSKEY_REQ and SP complete */ 1623 if (btm_cb.pairing_state == BTM_PAIR_STATE_KEY_ENTRY) 1624 btsnd_hcic_send_keypress_notif (bd_addr, type); 1625 } 1626 #endif 1627 1628 #if BTM_OOB_INCLUDED == TRUE 1629 /******************************************************************************* 1630 ** 1631 ** Function BTM_IoCapRsp 1632 ** 1633 ** Description This function is called in response to BTM_SP_IO_REQ_EVT 1634 ** When the event data io_req.oob_data is set to BTM_OOB_UNKNOWN 1635 ** by the tBTM_SP_CALLBACK implementation, this function is 1636 ** called to provide the actual response 1637 ** 1638 ** Parameters: bd_addr - Address of the peer device 1639 ** io_cap - The IO capability of local device. 1640 ** oob - BTM_OOB_NONE or BTM_OOB_PRESENT. 1641 ** auth_req- MITM protection required or not. 1642 ** 1643 *******************************************************************************/ 1644 void BTM_IoCapRsp(BD_ADDR bd_addr, tBTM_IO_CAP io_cap, tBTM_OOB_DATA oob, tBTM_AUTH_REQ auth_req) 1645 { 1646 BTM_TRACE_EVENT3 ("BTM_IoCapRsp: state: %s oob: %d io_cap: %d", 1647 btm_pair_state_descr(btm_cb.pairing_state), oob, io_cap); 1648 1649 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS) 1650 || (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) ) 1651 return; 1652 1653 if (oob < BTM_OOB_UNKNOWN && io_cap < BTM_IO_CAP_MAX) 1654 { 1655 btm_cb.devcb.loc_auth_req = auth_req; 1656 btm_cb.devcb.loc_io_caps = io_cap; 1657 1658 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) 1659 auth_req = (BTM_AUTH_DD_BOND | (auth_req&BTM_AUTH_YN_BIT)); 1660 1661 btsnd_hcic_io_cap_req_reply (bd_addr, io_cap, oob, auth_req); 1662 } 1663 } 1664 1665 /******************************************************************************* 1666 ** 1667 ** Function BTM_ReadLocalOobData 1668 ** 1669 ** Description This function is called to read the local OOB data from 1670 ** LM 1671 ** 1672 *******************************************************************************/ 1673 tBTM_STATUS BTM_ReadLocalOobData(void) 1674 { 1675 tBTM_STATUS status = BTM_SUCCESS; 1676 1677 if (btsnd_hcic_read_local_oob_data() == FALSE) 1678 status = BTM_NO_RESOURCES; 1679 1680 return status; 1681 } 1682 1683 /******************************************************************************* 1684 ** 1685 ** Function BTM_RemoteOobDataReply 1686 ** 1687 ** Description This function is called to provide the remote OOB data for 1688 ** Simple Pairing in response to BTM_SP_RMT_OOB_EVT 1689 ** 1690 ** Parameters: bd_addr - Address of the peer device 1691 ** c - simple pairing Hash C. 1692 ** r - simple pairing Randomizer C. 1693 ** 1694 *******************************************************************************/ 1695 void BTM_RemoteOobDataReply(tBTM_STATUS res, BD_ADDR bd_addr, BT_OCTET16 c, BT_OCTET16 r) 1696 { 1697 BTM_TRACE_EVENT2 ("BTM_RemoteOobDataReply(): State: %s res:%d", 1698 btm_pair_state_descr(btm_cb.pairing_state), res); 1699 1700 /* If timeout already expired or has been canceled, ignore the reply */ 1701 if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP) 1702 return; 1703 1704 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE); 1705 1706 if (res != BTM_SUCCESS) 1707 { 1708 /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed event */ 1709 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY; 1710 btsnd_hcic_rem_oob_neg_reply (bd_addr); 1711 } 1712 else 1713 { 1714 btm_cb.acl_disc_reason = HCI_SUCCESS; 1715 btsnd_hcic_rem_oob_reply (bd_addr, c, r); 1716 } 1717 } 1718 1719 /******************************************************************************* 1720 ** 1721 ** Function BTM_BuildOobData 1722 ** 1723 ** Description This function is called to build the OOB data payload to 1724 ** be sent over OOB (non-Bluetooth) link 1725 ** 1726 ** Parameters: p_data - the location for OOB data 1727 ** max_len - p_data size. 1728 ** c - simple pairing Hash C. 1729 ** r - simple pairing Randomizer C. 1730 ** name_len- 0, local device name would not be included. 1731 ** otherwise, the local device name is included for 1732 ** up to this specified length 1733 ** 1734 ** Returns Number of bytes in p_data. 1735 ** 1736 *******************************************************************************/ 1737 UINT16 BTM_BuildOobData(UINT8 *p_data, UINT16 max_len, BT_OCTET16 c, 1738 BT_OCTET16 r, UINT8 name_len) 1739 { 1740 UINT8 *p = p_data; 1741 UINT16 len = 0; 1742 UINT16 delta; 1743 #if BTM_MAX_LOC_BD_NAME_LEN > 0 1744 UINT16 name_size; 1745 UINT8 name_type = BTM_EIR_SHORTENED_LOCAL_NAME_TYPE; 1746 #endif 1747 1748 if (p_data && max_len >= BTM_OOB_MANDATORY_SIZE) 1749 { 1750 /* add mandatory part */ 1751 UINT16_TO_STREAM(p, len); 1752 BDADDR_TO_STREAM(p, btm_cb.devcb.local_addr); 1753 1754 len = BTM_OOB_MANDATORY_SIZE; 1755 max_len -= len; 1756 1757 /* now optional part */ 1758 1759 /* add Hash C */ 1760 delta = BTM_OOB_HASH_C_SIZE + 2; 1761 if (max_len >= delta) 1762 { 1763 *p++ = BTM_OOB_HASH_C_SIZE + 1; 1764 *p++ = BTM_EIR_OOB_SSP_HASH_C_TYPE; 1765 ARRAY_TO_STREAM(p, c, BTM_OOB_HASH_C_SIZE); 1766 len += delta; 1767 max_len -= delta; 1768 } 1769 1770 /* add Rand R */ 1771 delta = BTM_OOB_RAND_R_SIZE + 2; 1772 if (max_len >= delta) 1773 { 1774 *p++ = BTM_OOB_RAND_R_SIZE + 1; 1775 *p++ = BTM_EIR_OOB_SSP_RAND_R_TYPE; 1776 ARRAY_TO_STREAM(p, r, BTM_OOB_RAND_R_SIZE); 1777 len += delta; 1778 max_len -= delta; 1779 } 1780 1781 /* add class of device */ 1782 delta = BTM_OOB_COD_SIZE + 2; 1783 if (max_len >= delta) 1784 { 1785 *p++ = BTM_OOB_COD_SIZE + 1; 1786 *p++ = BTM_EIR_OOB_COD_TYPE; 1787 DEVCLASS_TO_STREAM(p, btm_cb.devcb.dev_class); 1788 len += delta; 1789 max_len -= delta; 1790 } 1791 #if BTM_MAX_LOC_BD_NAME_LEN > 0 1792 name_size = name_len; 1793 if (name_size > strlen(btm_cb.cfg.bd_name)) 1794 { 1795 name_type = BTM_EIR_COMPLETE_LOCAL_NAME_TYPE; 1796 name_size = (UINT16)strlen(btm_cb.cfg.bd_name); 1797 } 1798 delta = name_size + 2; 1799 if (max_len >= delta) 1800 { 1801 *p++ = name_size + 1; 1802 *p++ = name_type; 1803 ARRAY_TO_STREAM (p, btm_cb.cfg.bd_name, name_size); 1804 len += delta; 1805 max_len -= delta; 1806 } 1807 #endif 1808 /* update len */ 1809 p = p_data; 1810 UINT16_TO_STREAM(p, len); 1811 } 1812 return len; 1813 } 1814 1815 /******************************************************************************* 1816 ** 1817 ** Function BTM_ReadOobData 1818 ** 1819 ** Description This function is called to parse the OOB data payload 1820 ** received over OOB (non-Bluetooth) link 1821 ** 1822 ** Parameters: p_data - the location for OOB data 1823 ** eir_tag - The associated EIR tag to read the data. 1824 ** *p_len(output) - the length of the data with the given tag. 1825 ** 1826 ** Returns the beginning of the data with the given tag. 1827 ** NULL, if the tag is not found. 1828 ** 1829 *******************************************************************************/ 1830 UINT8 * BTM_ReadOobData(UINT8 *p_data, UINT8 eir_tag, UINT8 *p_len) 1831 { 1832 UINT8 *p = p_data; 1833 UINT16 max_len; 1834 UINT8 len, type; 1835 UINT8 *p_ret = NULL; 1836 UINT8 ret_len = 0; 1837 1838 if (p_data) 1839 { 1840 STREAM_TO_UINT16(max_len, p); 1841 if (max_len >= BTM_OOB_MANDATORY_SIZE) 1842 { 1843 if (BTM_EIR_OOB_BD_ADDR_TYPE == eir_tag) 1844 { 1845 p_ret = p; /* the location for bd_addr */ 1846 ret_len = BTM_OOB_BD_ADDR_SIZE; 1847 } 1848 else 1849 { 1850 p += BD_ADDR_LEN; 1851 max_len -= BTM_OOB_MANDATORY_SIZE; 1852 /* now the optional data in EIR format */ 1853 while (max_len > 0) 1854 { 1855 len = *p++; /* tag data len + 1 */ 1856 type = *p++; 1857 if (eir_tag == type) 1858 { 1859 p_ret = p; 1860 ret_len = len - 1; 1861 break; 1862 } 1863 /* the data size of this tag is len + 1 (tag data len + 2) */ 1864 if (max_len > len) 1865 { 1866 max_len -= len; 1867 max_len--; 1868 len--; 1869 p += len; 1870 } 1871 else 1872 max_len = 0; 1873 } 1874 } 1875 } 1876 } 1877 1878 if (p_len) 1879 *p_len = ret_len; 1880 1881 return p_ret; 1882 } 1883 #endif 1884 1885 /******************************************************************************* 1886 ** 1887 ** Function BTM_SetOutService 1888 ** 1889 ** Description This function is called to set the service for 1890 ** outgoing connections. 1891 ** 1892 ** If the profile/application calls BTM_SetSecurityLevel 1893 ** before initiating a connection, this function does not 1894 ** need to be called. 1895 ** 1896 ** Returns void 1897 ** 1898 *******************************************************************************/ 1899 void BTM_SetOutService(BD_ADDR bd_addr, UINT8 service_id, UINT32 mx_chan_id) 1900 { 1901 tBTM_SEC_DEV_REC *p_dev_rec; 1902 tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0]; 1903 int i; 1904 1905 btm_cb.p_out_serv = p_serv_rec; 1906 p_dev_rec = btm_find_dev (bd_addr); 1907 1908 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++) 1909 { 1910 if ((p_serv_rec->security_flags & BTM_SEC_IN_USE) 1911 && (p_serv_rec->service_id == service_id) 1912 && (p_serv_rec->orig_mx_chan_id == mx_chan_id)) 1913 { 1914 BTM_TRACE_API4("BTM_SetOutService p_out_serv id %d, psm 0x%04x, proto_id %d, chan_id %d", 1915 p_serv_rec->service_id, p_serv_rec->psm, p_serv_rec->mx_proto_id, p_serv_rec->orig_mx_chan_id); 1916 btm_cb.p_out_serv = p_serv_rec; 1917 if (p_dev_rec) 1918 p_dev_rec->p_cur_service = p_serv_rec; 1919 break; 1920 } 1921 } 1922 } 1923 1924 /************************************************************************ 1925 ** I N T E R N A L F U N C T I O N S 1926 *************************************************************************/ 1927 /******************************************************************************* 1928 ** 1929 ** Function btm_sec_is_upgrade_possible 1930 ** 1931 ** Description This function returns TRUE if the existing link key 1932 ** can be upgraded or if the link key does not exist. 1933 ** 1934 ** Returns BOOLEAN 1935 ** 1936 *******************************************************************************/ 1937 static BOOLEAN btm_sec_is_upgrade_possible(tBTM_SEC_DEV_REC *p_dev_rec, BOOLEAN is_originator) 1938 { 1939 UINT16 mtm_check = is_originator ? BTM_SEC_OUT_MITM : BTM_SEC_IN_MITM; 1940 BOOLEAN is_possible = TRUE; 1941 1942 if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) 1943 { 1944 is_possible = FALSE; 1945 BTM_TRACE_DEBUG5 ("btm_sec_is_upgrade_possible id:%d, link_key_typet:%d, rmt_io_caps:%d, chk flags:x%x, flags:x%x", 1946 p_dev_rec->p_cur_service->service_id, p_dev_rec->link_key_type, p_dev_rec->rmt_io_caps, 1947 mtm_check, p_dev_rec->p_cur_service->security_flags); 1948 /* Already have a link key to the connected peer. Is the link key secure enough? 1949 ** Is a link key upgrade even possible? 1950 */ 1951 if ((p_dev_rec->security_required & mtm_check) /* needs MITM */ 1952 && (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB) /* has unauthenticated link key */ 1953 && (p_dev_rec->rmt_io_caps < BTM_IO_CAP_MAX) /* a valid peer IO cap */ 1954 && (btm_sec_io_map[p_dev_rec->rmt_io_caps][btm_cb.devcb.loc_io_caps])) /* authenticated link key is possible */ 1955 { 1956 /* upgrade is possible: check if the application wants the upgrade. 1957 * If the application is configured to use a global MITM flag, 1958 * it probably would not want to upgrade the link key based on the security level database */ 1959 is_possible = TRUE; 1960 } 1961 } 1962 BTM_TRACE_DEBUG2 ("btm_sec_is_upgrade_possible is_possible:%d sec_flags:0x%x", is_possible, p_dev_rec->sec_flags); 1963 return is_possible; 1964 } 1965 1966 /******************************************************************************* 1967 ** 1968 ** Function btm_sec_check_upgrade 1969 ** 1970 ** Description This function is called to check if the existing link key 1971 ** needs to be upgraded. 1972 ** 1973 ** Returns void 1974 ** 1975 *******************************************************************************/ 1976 static void btm_sec_check_upgrade(tBTM_SEC_DEV_REC *p_dev_rec, BOOLEAN is_originator) 1977 { 1978 tBTM_SP_UPGRADE evt_data; 1979 1980 BTM_TRACE_DEBUG0 ("btm_sec_check_upgrade..."); 1981 1982 /* Only check if link key already exists */ 1983 if (!(p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)) 1984 return; 1985 if (btm_sec_is_upgrade_possible (p_dev_rec, is_originator) == TRUE) 1986 { 1987 BTM_TRACE_DEBUG1 ("need upgrade!! sec_flags:0x%x", p_dev_rec->sec_flags); 1988 /* upgrade is possible: check if the application wants the upgrade. 1989 * If the application is configured to use a global MITM flag, 1990 * it probably would not want to upgrade the link key based on the security level database */ 1991 memcpy (evt_data.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN); 1992 evt_data.upgrade = TRUE; 1993 if (btm_cb.api.p_sp_callback) 1994 (*btm_cb.api.p_sp_callback) (BTM_SP_UPGRADE_EVT, (tBTM_SP_EVT_DATA *)&evt_data); 1995 1996 BTM_TRACE_DEBUG1 ("evt_data.upgrade:0x%x", evt_data.upgrade); 1997 if (evt_data.upgrade) 1998 { 1999 /* if the application confirms the upgrade, set the upgrade bit */ 2000 p_dev_rec->sm4 |= BTM_SM4_UPGRADE; 2001 2002 /* Clear the link key known to go through authentication/pairing again */ 2003 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED); 2004 p_dev_rec->sec_flags &= ~BTM_SEC_AUTHENTICATED; 2005 BTM_TRACE_DEBUG1 ("sec_flags:0x%x", p_dev_rec->sec_flags); 2006 } 2007 } 2008 } 2009 2010 /******************************************************************************* 2011 ** 2012 ** Function btm_sec_l2cap_access_req 2013 ** 2014 ** Description This function is called by the L2CAP to grant permission to 2015 ** establish L2CAP connection to or from the peer device. 2016 ** 2017 ** Parameters: bd_addr - Address of the peer device 2018 ** psm - L2CAP PSM 2019 ** is_originator - TRUE if protocol above L2CAP originates 2020 ** connection 2021 ** p_callback - Pointer to callback function called if 2022 ** this function returns PENDING after required 2023 ** procedures are complete. MUST NOT BE NULL. 2024 ** 2025 ** Returns tBTM_STATUS 2026 ** 2027 *******************************************************************************/ 2028 #define BTM_SEC_OUT_FLAGS (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT | BTM_SEC_OUT_AUTHORIZE) 2029 #define BTM_SEC_IN_FLAGS (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHORIZE) 2030 2031 tBTM_STATUS btm_sec_l2cap_access_req (BD_ADDR bd_addr, UINT16 psm, UINT16 handle, 2032 CONNECTION_TYPE conn_type, 2033 tBTM_SEC_CALLBACK *p_callback, 2034 void *p_ref_data) 2035 { 2036 tBTM_SEC_DEV_REC *p_dev_rec; 2037 tBTM_SEC_SERV_REC *p_serv_rec; 2038 UINT16 security_required; 2039 UINT16 old_security_required; 2040 BOOLEAN old_is_originator; 2041 tBTM_STATUS rc = BTM_SUCCESS; 2042 BOOLEAN chk_acp_auth_done = FALSE; 2043 BOOLEAN is_originator; 2044 2045 #if (L2CAP_UCD_INCLUDED == TRUE) 2046 if (conn_type & CONNECTION_TYPE_ORIG_MASK) 2047 is_originator = TRUE; 2048 else 2049 is_originator = FALSE; 2050 2051 BTM_TRACE_DEBUG2 ("btm_sec_l2cap_access_req conn_type:0x%x, 0x%x", conn_type, p_ref_data); 2052 #else 2053 is_originator = conn_type; 2054 2055 BTM_TRACE_DEBUG2 ("btm_sec_l2cap_access_req is_originator:%d, 0x%x", is_originator, p_ref_data); 2056 #endif 2057 2058 /* Find or get oldest record */ 2059 p_dev_rec = btm_find_or_alloc_dev (bd_addr); 2060 2061 p_dev_rec->hci_handle = handle; 2062 2063 /* Find the service record for the PSM */ 2064 p_serv_rec = btm_sec_find_first_serv (conn_type, psm); 2065 2066 /* If there is no application registered with this PSM do not allow connection */ 2067 if (!p_serv_rec) 2068 { 2069 BTM_TRACE_WARNING1 ("btm_sec_l2cap_access_req() PSM:%d no application registerd", psm); 2070 2071 (*p_callback) (bd_addr, p_ref_data, BTM_MODE_UNSUPPORTED); 2072 2073 return(BTM_MODE_UNSUPPORTED); 2074 } 2075 2076 /* SDP connection we will always let through */ 2077 if (BT_PSM_SDP == psm) 2078 { 2079 (*p_callback) (bd_addr, p_ref_data, BTM_SUCCESS_NO_SECURITY); 2080 2081 return(BTM_SUCCESS); 2082 } 2083 #if (L2CAP_UCD_INCLUDED == TRUE) 2084 if ( conn_type & CONNECTION_TYPE_CONNLESS_MASK ) 2085 { 2086 security_required = p_serv_rec->ucd_security_flags; 2087 2088 rc = BTM_CMD_STARTED; 2089 if (is_originator) 2090 { 2091 if (((security_required & BTM_SEC_OUT_FLAGS) == 0) || 2092 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_AUTHENTICATE) && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))) || 2093 ((((security_required & BTM_SEC_OUT_FLAGS) == (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) && (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))) || 2094 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_FLAGS) && (p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED))) ) 2095 { 2096 rc = BTM_SUCCESS; 2097 } 2098 } 2099 else 2100 { 2101 if (((security_required & BTM_SEC_IN_FLAGS) == 0) || 2102 ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHENTICATE) && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))) || 2103 ((((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) && (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))) || 2104 ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_FLAGS) && (p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED))) ) 2105 { 2106 rc = BTM_SUCCESS; 2107 } 2108 } 2109 2110 if (rc == BTM_SUCCESS) 2111 { 2112 if (p_callback) 2113 (*p_callback) (bd_addr, (void *)p_ref_data, BTM_SUCCESS); 2114 2115 return(BTM_SUCCESS); 2116 } 2117 } 2118 else 2119 #endif 2120 { 2121 security_required = p_serv_rec->security_flags; 2122 } 2123 2124 /* there are some devices (moto KRZR) which connects to several services at the same time */ 2125 /* we will process one after another */ 2126 if ( (p_dev_rec->p_callback) || (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) ) 2127 { 2128 BTM_TRACE_EVENT4 ("btm_sec_l2cap_access_req() - busy - PSM:%d delayed state: %s mode:%d, sm4:0x%x", 2129 psm, btm_pair_state_descr(btm_cb.pairing_state), btm_cb.security_mode, p_dev_rec->sm4); 2130 BTM_TRACE_EVENT2 ("security_flags:x%x, sec_flags:x%x", security_required, p_dev_rec->sec_flags); 2131 rc = BTM_CMD_STARTED; 2132 if ((BTM_SEC_MODE_SP != btm_cb.security_mode) 2133 || ((BTM_SEC_MODE_SP == btm_cb.security_mode) && (BTM_SM4_KNOWN == p_dev_rec->sm4)) 2134 || (BTM_SEC_IS_SM4(p_dev_rec->sm4) && (btm_sec_is_upgrade_possible(p_dev_rec, is_originator) == FALSE)) 2135 ) 2136 { 2137 /* legacy mode - local is legacy or local is lisbon/peer is legacy 2138 * or SM4 with no possibility of link key upgrade */ 2139 if (is_originator) 2140 { 2141 if (((security_required & BTM_SEC_OUT_FLAGS) == 0) || 2142 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_AUTHENTICATE) && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))) || 2143 ((((security_required & BTM_SEC_OUT_FLAGS) == (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) && (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))) || 2144 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_FLAGS) && (p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED))) ) 2145 { 2146 rc = BTM_SUCCESS; 2147 } 2148 } 2149 else 2150 { 2151 if (((security_required & BTM_SEC_IN_FLAGS) == 0) || 2152 ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHENTICATE) && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))) || 2153 ((((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) && (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))) || 2154 ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_FLAGS) && (p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED))) ) 2155 { 2156 rc = BTM_SUCCESS; 2157 } 2158 } 2159 2160 if (rc == BTM_SUCCESS) 2161 { 2162 if (p_callback) 2163 (*p_callback) (bd_addr, (void *)p_ref_data, BTM_SUCCESS); 2164 2165 return(BTM_SUCCESS); 2166 } 2167 } 2168 2169 btm_cb.sec_req_pending = TRUE; 2170 return(BTM_CMD_STARTED); 2171 } 2172 2173 /* Save pointer to service record */ 2174 p_dev_rec->p_cur_service = p_serv_rec; 2175 2176 2177 /* mess /w security_required in btm_sec_l2cap_access_req for Lisbon */ 2178 if (btm_cb.security_mode == BTM_SEC_MODE_SP) 2179 { 2180 if (is_originator) 2181 { 2182 if (BTM_SEC_IS_SM4(p_dev_rec->sm4)) 2183 { 2184 /* SM4 to SM4 -> always authenticate & encrypt */ 2185 security_required |= (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT); 2186 } 2187 else 2188 { 2189 if ( !(BTM_SM4_KNOWN & p_dev_rec->sm4)) 2190 { 2191 BTM_TRACE_DEBUG1 ("remote features unknown!!sec_flags:0x%x", p_dev_rec->sec_flags); 2192 /* the remote features are not known yet */ 2193 p_dev_rec->sm4 |= BTM_SM4_REQ_PEND; 2194 2195 return(BTM_CMD_STARTED); 2196 } 2197 } 2198 } 2199 else 2200 { 2201 /* responder */ 2202 if (BTM_SEC_IS_SM4(p_dev_rec->sm4)) 2203 { 2204 /* SM4 to SM4: the acceptor needs to make sure the authentication is already done */ 2205 chk_acp_auth_done = TRUE; 2206 /* SM4 to SM4 -> always authenticate & encrypt */ 2207 security_required |= (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT); 2208 } 2209 else 2210 { 2211 if ( !(BTM_SM4_KNOWN & p_dev_rec->sm4)) 2212 { 2213 BTM_TRACE_DEBUG1 ("(rsp) remote features unknown!!sec_flags:0x%x", p_dev_rec->sec_flags); 2214 /* the remote features are not known yet */ 2215 p_dev_rec->sm4 |= BTM_SM4_REQ_PEND; 2216 2217 return(BTM_CMD_STARTED); 2218 } 2219 } 2220 } 2221 } 2222 2223 BTM_TRACE_DEBUG4 ("btm_sec_l2cap_access_req() sm4:0x%x, sec_flags:0x%x, security_required:0x%x chk:%d", 2224 p_dev_rec->sm4, p_dev_rec->sec_flags, security_required, chk_acp_auth_done); 2225 2226 old_security_required = p_dev_rec->security_required; 2227 old_is_originator = p_dev_rec->is_originator; 2228 p_dev_rec->security_required = security_required; 2229 p_dev_rec->p_ref_data = p_ref_data; 2230 p_dev_rec->is_originator = is_originator; 2231 2232 #if (L2CAP_UCD_INCLUDED == TRUE) 2233 if ( conn_type & CONNECTION_TYPE_CONNLESS_MASK ) 2234 p_dev_rec->is_ucd = TRUE; 2235 else 2236 p_dev_rec->is_ucd = FALSE; 2237 #endif 2238 2239 /* If there are multiple service records used through the same PSM */ 2240 /* leave security decision for the multiplexor on the top */ 2241 #if (L2CAP_UCD_INCLUDED == TRUE) 2242 if (((btm_sec_find_next_serv (p_serv_rec)) != NULL) 2243 &&(!( conn_type & CONNECTION_TYPE_CONNLESS_MASK ))) /* if not UCD */ 2244 #else 2245 if ((btm_sec_find_next_serv (p_serv_rec)) != NULL) 2246 #endif 2247 { 2248 BTM_TRACE_DEBUG2 ("no next_serv sm4:0x%x, chk:%d", p_dev_rec->sm4, chk_acp_auth_done); 2249 if (!BTM_SEC_IS_SM4(p_dev_rec->sm4)) 2250 { 2251 BTM_TRACE_EVENT1 ("Security Manager: l2cap_access_req PSM:%d postponed for multiplexer", psm); 2252 /* pre-Lisbon: restore the old settings */ 2253 p_dev_rec->security_required = old_security_required; 2254 p_dev_rec->is_originator = old_is_originator; 2255 2256 (*p_callback) (bd_addr, p_ref_data, BTM_SUCCESS); 2257 2258 return(BTM_SUCCESS); 2259 } 2260 } 2261 2262 /* if the originator is using dynamic PSM in legacy mode, do not start any security process now. 2263 * The layer above L2CAP needs to carry out the security requirement after L2CAP connect response is received*/ 2264 if (is_originator && (btm_cb.security_mode != BTM_SEC_MODE_SP || !BTM_SEC_IS_SM4(p_dev_rec->sm4)) && (psm >= 0x1001)) 2265 { 2266 BTM_TRACE_EVENT1 ("dynamic PSM:0x%x in legacy mode - postponed for upper layer", psm); 2267 /* restore the old settings */ 2268 p_dev_rec->security_required = old_security_required; 2269 p_dev_rec->is_originator = old_is_originator; 2270 2271 (*p_callback) (bd_addr, p_ref_data, BTM_SUCCESS); 2272 2273 return(BTM_SUCCESS); 2274 } 2275 2276 if (chk_acp_auth_done) 2277 { 2278 BTM_TRACE_DEBUG2 ("(SM4 to SM4) btm_sec_l2cap_access_req rspd. authenticated: x%x, enc: x%x", 2279 (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED), (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)); 2280 /* SM4, but we do not know for sure which level of security we need. 2281 * as long as we have a link key, it's OK */ 2282 if ((0 == (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)) 2283 ||(0 == (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))) 2284 { 2285 rc = BTM_DELAY_CHECK; 2286 /* 2287 2046 may report HCI_Encryption_Change and L2C Connection Request out of sequence 2288 because of data path issues. Delay this disconnect a little bit 2289 */ 2290 BTM_TRACE_ERROR0 ("peer should have initiated security process by now (SM4 to SM4)"); 2291 p_dev_rec->p_callback = p_callback; 2292 p_dev_rec->sec_state = BTM_SEC_STATE_DELAY_FOR_ENC; 2293 (*p_callback) (bd_addr, p_ref_data, rc); 2294 2295 return(BTM_SUCCESS); 2296 } 2297 } 2298 2299 p_dev_rec->p_callback = p_callback; 2300 2301 if (p_dev_rec->last_author_service_id == BTM_SEC_NO_LAST_SERVICE_ID 2302 || p_dev_rec->last_author_service_id != p_dev_rec->p_cur_service->service_id) 2303 { 2304 /* Although authentication and encryption are per connection 2305 ** authorization is per access request. For example when serial connection 2306 ** is up and authorized and client requests to read file (access to other 2307 ** scn), we need to request user's permission again. 2308 */ 2309 p_dev_rec->sec_flags &= ~BTM_SEC_AUTHORIZED; 2310 } 2311 2312 if (BTM_SEC_IS_SM4(p_dev_rec->sm4)) 2313 { 2314 /* If we already have a link key to the connected peer, is the link key secure enough ? */ 2315 btm_sec_check_upgrade(p_dev_rec, is_originator); 2316 } 2317 2318 BTM_TRACE_EVENT6 ("Security Manager: l2cap_access_req PSM:%d Handle:%d State:%d Flags:0x%x Required:0x%x Service ID:%d", 2319 psm, handle, p_dev_rec->sec_state, p_dev_rec->sec_flags, p_dev_rec->security_required, p_dev_rec->p_cur_service->service_id); 2320 2321 if ((rc = btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED) 2322 { 2323 p_dev_rec->p_callback = NULL; 2324 (*p_callback) (bd_addr, p_dev_rec->p_ref_data, (UINT8)rc); 2325 } 2326 2327 return(rc); 2328 } 2329 2330 /******************************************************************************* 2331 ** 2332 ** Function btm_sec_mx_access_request 2333 ** 2334 ** Description This function is called by all Multiplexing Protocols during 2335 ** establishing connection to or from peer device to grant 2336 ** permission to establish application connection. 2337 ** 2338 ** Parameters: bd_addr - Address of the peer device 2339 ** psm - L2CAP PSM 2340 ** is_originator - TRUE if protocol above L2CAP originates 2341 ** connection 2342 ** mx_proto_id - protocol ID of the multiplexer 2343 ** mx_chan_id - multiplexer channel to reach application 2344 ** p_callback - Pointer to callback function called if 2345 ** this function returns PENDING after required 2346 ** procedures are completed 2347 ** p_ref_data - Pointer to any reference data needed by the 2348 ** the callback function. 2349 ** 2350 ** Returns BTM_CMD_STARTED 2351 ** 2352 *******************************************************************************/ 2353 tBTM_STATUS btm_sec_mx_access_request (BD_ADDR bd_addr, UINT16 psm, BOOLEAN is_originator, 2354 UINT32 mx_proto_id, UINT32 mx_chan_id, 2355 tBTM_SEC_CALLBACK *p_callback, void *p_ref_data) 2356 2357 { 2358 tBTM_SEC_DEV_REC *p_dev_rec; 2359 tBTM_SEC_SERV_REC *p_serv_rec; 2360 tBTM_STATUS rc; 2361 UINT16 security_required; 2362 2363 BTM_TRACE_DEBUG1 ("btm_sec_mx_access_request is_originator:%d", is_originator); 2364 /* Find or get oldest record */ 2365 p_dev_rec = btm_find_or_alloc_dev (bd_addr); 2366 2367 /* Find the service record for the PSM */ 2368 p_serv_rec = btm_sec_find_mx_serv (is_originator, psm, mx_proto_id, mx_chan_id); 2369 2370 /* If there is no application registered with this PSM do not allow connection */ 2371 if (!p_serv_rec) 2372 { 2373 if (p_callback) 2374 (*p_callback) (bd_addr, p_ref_data, BTM_MODE_UNSUPPORTED); 2375 2376 BTM_TRACE_ERROR3 ("Security Manager: MX service not found PSM:%d Proto:%d SCN:%d", 2377 psm, mx_proto_id, mx_chan_id); 2378 return BTM_NO_RESOURCES; 2379 } 2380 2381 /* there are some devices (moto phone) which connects to several services at the same time */ 2382 /* we will process one after another */ 2383 if ( (p_dev_rec->p_callback) || (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) ) 2384 { 2385 BTM_TRACE_EVENT4 ("btm_sec_mx_access_request service PSM:%d Proto:%d SCN:%d delayed state: %s", 2386 psm, mx_proto_id, mx_chan_id, btm_pair_state_descr(btm_cb.pairing_state)); 2387 2388 rc = BTM_CMD_STARTED; 2389 security_required = p_serv_rec->security_flags; 2390 if ((BTM_SEC_MODE_SP != btm_cb.security_mode) 2391 || ((BTM_SEC_MODE_SP == btm_cb.security_mode) && (BTM_SM4_KNOWN == p_dev_rec->sm4)) 2392 || (BTM_SEC_IS_SM4(p_dev_rec->sm4) && (btm_sec_is_upgrade_possible(p_dev_rec, is_originator) == FALSE)) 2393 ) 2394 { 2395 /* legacy mode - local is legacy or local is lisbon/peer is legacy 2396 * or SM4 with no possibility of link key upgrade */ 2397 if (is_originator) 2398 { 2399 if (((security_required & BTM_SEC_OUT_FLAGS) == 0) || 2400 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_AUTHENTICATE) && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))) || 2401 ((((security_required & BTM_SEC_OUT_FLAGS) == (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) && (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))) 2402 ) 2403 { 2404 rc = BTM_SUCCESS; 2405 } 2406 } 2407 else 2408 { 2409 if (((security_required & BTM_SEC_IN_FLAGS) == 0) || 2410 ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHENTICATE) && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))) || 2411 ((((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) && (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))) 2412 ) 2413 { 2414 rc = BTM_SUCCESS; 2415 } 2416 } 2417 } 2418 if (rc == BTM_CMD_STARTED) 2419 { 2420 btm_sec_queue_mx_request (bd_addr, psm, is_originator, mx_proto_id, mx_chan_id, p_callback, p_ref_data); 2421 return rc; 2422 } 2423 } 2424 2425 p_dev_rec->p_cur_service = p_serv_rec; 2426 p_dev_rec->security_required = p_serv_rec->security_flags; 2427 2428 if (BTM_SEC_MODE_SP == btm_cb.security_mode) 2429 { 2430 if (BTM_SEC_IS_SM4(p_dev_rec->sm4)) 2431 { 2432 /* If we already have a link key, check if that link key is good enough */ 2433 btm_sec_check_upgrade(p_dev_rec, is_originator); 2434 } 2435 } 2436 2437 p_dev_rec->is_originator = is_originator; 2438 p_dev_rec->p_callback = p_callback; 2439 p_dev_rec->p_ref_data = p_ref_data; 2440 2441 /* Although authentication and encryption are per connection */ 2442 /* authorization is per access request. For example when serial connection */ 2443 /* is up and authorized and client requests to read file (access to other */ 2444 /* scn, we need to request user's permission again. */ 2445 p_dev_rec->sec_flags &= ~(BTM_SEC_AUTHORIZED); 2446 2447 BTM_TRACE_EVENT6 ("Security Manager: mx_access_req proto_id:%d chan_id:%d State:%d Flags:0x%x Required:0x%x Service ID:%d", 2448 mx_proto_id, mx_chan_id, p_dev_rec->sec_state, p_dev_rec->sec_flags, p_dev_rec->security_required, p_dev_rec->p_cur_service->service_id); 2449 2450 if ((rc = btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED) 2451 { 2452 if (p_callback) 2453 { 2454 p_dev_rec->p_callback = NULL; 2455 2456 (*p_callback) (bd_addr, p_ref_data, (UINT8)rc); 2457 } 2458 } 2459 2460 return rc; 2461 } 2462 2463 /******************************************************************************* 2464 ** 2465 ** Function btm_sec_conn_req 2466 ** 2467 ** Description This function is when the peer device is requesting 2468 ** connection 2469 ** 2470 ** Returns void 2471 ** 2472 *******************************************************************************/ 2473 void btm_sec_conn_req (UINT8 *bda, UINT8 *dc) 2474 { 2475 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bda); 2476 2477 /* Some device may request a connection before we are done with the HCI_Reset sequence */ 2478 if (btm_cb.devcb.state != BTM_DEV_STATE_READY) 2479 { 2480 BTM_TRACE_EVENT0 ("Security Manager: connect request when device not ready"); 2481 btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE); 2482 return; 2483 } 2484 2485 /* Security guys wants us not to allow connection from not paired devices */ 2486 2487 /* Check if connection is allowed for only paired devices */ 2488 if (btm_cb.connect_only_paired) 2489 { 2490 if (!p_dev_rec || !(p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED)) 2491 { 2492 BTM_TRACE_EVENT0 ("Security Manager: connect request from non-paired device"); 2493 btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE); 2494 return; 2495 } 2496 } 2497 2498 #if BTM_ALLOW_CONN_IF_NONDISCOVER == FALSE 2499 /* If non-discoverable, only allow known devices to connect */ 2500 if (btm_cb.btm_inq_vars.discoverable_mode == BTM_NON_DISCOVERABLE) 2501 { 2502 if (!p_dev_rec) 2503 { 2504 BTM_TRACE_EVENT0 ("Security Manager: connect request from not paired device"); 2505 btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE); 2506 return; 2507 } 2508 } 2509 #endif 2510 2511 /* Host can be registered to verify comming BDA or DC */ 2512 if (btm_cb.p_conn_filter_cb) 2513 { 2514 if (!(* btm_cb.p_conn_filter_cb) (bda, dc)) 2515 { 2516 BTM_TRACE_EVENT0 ("Security Manager: connect request did not pass filter"); 2517 2518 /* incomming call did not pass connection filters. Reject */ 2519 btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE); 2520 return; 2521 } 2522 } 2523 2524 if ((btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) 2525 &&(btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) 2526 &&(!memcmp (btm_cb.pairing_bda, bda, BD_ADDR_LEN))) 2527 { 2528 BTM_TRACE_EVENT0 ("Security Manager: reject connect request from bonding device"); 2529 2530 /* incoming connection from bonding device is rejected */ 2531 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_REJECTED_CONNECT; 2532 btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE); 2533 return; 2534 } 2535 2536 /* Host is not interested or approved connection. Save BDA and DC and */ 2537 /* pass request to L2CAP */ 2538 memcpy (btm_cb.connecting_bda, bda, BD_ADDR_LEN); 2539 memcpy (btm_cb.connecting_dc, dc, DEV_CLASS_LEN); 2540 2541 if (l2c_link_hci_conn_req (bda)) 2542 { 2543 if (!p_dev_rec) 2544 { 2545 /* accept the connection -> allocate a device record */ 2546 p_dev_rec = btm_sec_alloc_dev (bda); 2547 } 2548 if (p_dev_rec) 2549 { 2550 p_dev_rec->sm4 |= BTM_SM4_CONN_PEND; 2551 } 2552 } 2553 } 2554 2555 /******************************************************************************* 2556 ** 2557 ** Function btm_sec_bond_cancel_complete 2558 ** 2559 ** Description This function is called to report bond cancel complete 2560 ** event. 2561 ** 2562 ** Returns void 2563 ** 2564 *******************************************************************************/ 2565 static void btm_sec_bond_cancel_complete (void) 2566 { 2567 tBTM_SEC_DEV_REC *p_dev_rec; 2568 2569 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE) || 2570 (BTM_PAIR_STATE_WAIT_LOCAL_PIN == btm_cb.pairing_state && 2571 BTM_PAIR_FLAGS_WE_STARTED_DD & btm_cb.pairing_flags) || 2572 (btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME && 2573 BTM_PAIR_FLAGS_WE_CANCEL_DD & btm_cb.pairing_flags)) 2574 { 2575 /* for dedicated bonding in legacy mode, authentication happens at "link level" 2576 * btm_sec_connected is called with failed status. 2577 * In theory, the code that handles is_pairing_device/TRUE should clean out security related code. 2578 * However, this function may clean out the security related flags and btm_sec_connected would not know 2579 * this function also needs to do proper clean up. 2580 */ 2581 if ((p_dev_rec = btm_find_dev (btm_cb.pairing_bda)) != NULL) 2582 p_dev_rec->security_required = BTM_SEC_NONE; 2583 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 2584 2585 /* Notify application that the cancel succeeded */ 2586 if (btm_cb.api.p_bond_cancel_cmpl_callback) 2587 btm_cb.api.p_bond_cancel_cmpl_callback(BTM_SUCCESS); 2588 } 2589 } 2590 2591 /******************************************************************************* 2592 ** 2593 ** Function btm_create_conn_cancel_complete 2594 ** 2595 ** Description This function is called when the command complete message 2596 ** is received from the HCI for the create connection cancel 2597 ** command. 2598 ** 2599 ** Returns void 2600 ** 2601 *******************************************************************************/ 2602 void btm_create_conn_cancel_complete (UINT8 *p) 2603 { 2604 UINT8 status; 2605 2606 STREAM_TO_UINT8 (status, p); 2607 BTM_TRACE_EVENT2 ("btm_create_conn_cancel_complete(): in State: %s status:%d", 2608 btm_pair_state_descr(btm_cb.pairing_state), status); 2609 2610 /* if the create conn cancel cmd was issued by the bond cancel, 2611 ** the application needs to be notified that bond cancel succeeded 2612 */ 2613 switch (status) 2614 { 2615 case HCI_SUCCESS: 2616 btm_sec_bond_cancel_complete(); 2617 break; 2618 case HCI_ERR_CONNECTION_EXISTS: 2619 case HCI_ERR_NO_CONNECTION: 2620 default: 2621 /* Notify application of the error */ 2622 if (btm_cb.api.p_bond_cancel_cmpl_callback) 2623 btm_cb.api.p_bond_cancel_cmpl_callback(BTM_ERR_PROCESSING); 2624 break; 2625 } 2626 } 2627 2628 /******************************************************************************* 2629 ** 2630 ** Function btm_sec_check_pending_reqs 2631 ** 2632 ** Description This function is called at the end of the security procedure 2633 ** to let L2CAP and RFCOMM know to re-submit any pending requests 2634 ** 2635 ** Returns void 2636 ** 2637 *******************************************************************************/ 2638 void btm_sec_check_pending_reqs (void) 2639 { 2640 tBTM_SEC_QUEUE_ENTRY *p_e; 2641 BUFFER_Q bq; 2642 2643 if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE) 2644 { 2645 /* First, resubmit L2CAP requests */ 2646 if (btm_cb.sec_req_pending) 2647 { 2648 btm_cb.sec_req_pending = FALSE; 2649 l2cu_resubmit_pending_sec_req (NULL); 2650 } 2651 2652 /* Now, re-submit anything in the mux queue */ 2653 bq = btm_cb.sec_pending_q; 2654 2655 GKI_init_q (&btm_cb.sec_pending_q); 2656 2657 while ((p_e = (tBTM_SEC_QUEUE_ENTRY *)GKI_dequeue (&bq)) != NULL) 2658 { 2659 /* Check that the ACL is still up before starting security procedures */ 2660 if (btm_bda_to_acl(p_e->bd_addr) != NULL) 2661 { 2662 BTM_TRACE_EVENT4 ("btm_sec_check_pending_reqs() submitting PSM: 0x%04x Is_Orig: %u mx_proto_id: %u mx_chan_id: %u", 2663 p_e->psm, p_e->is_orig, p_e->mx_proto_id, p_e->mx_chan_id); 2664 2665 btm_sec_mx_access_request (p_e->bd_addr, p_e->psm, p_e->is_orig, 2666 p_e->mx_proto_id, p_e->mx_chan_id, 2667 p_e->p_callback, p_e->p_ref_data); 2668 } 2669 2670 GKI_freebuf (p_e); 2671 } 2672 } 2673 } 2674 2675 /******************************************************************************* 2676 ** 2677 ** Function btm_sec_init 2678 ** 2679 ** Description This function is on the SEC startup 2680 ** 2681 ** Returns void 2682 ** 2683 *******************************************************************************/ 2684 void btm_sec_init (UINT8 sec_mode) 2685 { 2686 #if 0 /* cleared in btm_init; put back in if calling from anywhere else! */ 2687 int i; 2688 2689 memset (btm_cb.sec_serv_rec, 0, sizeof (btm_cb.sec_serv_rec)); 2690 memset (btm_cb.sec_dev_rec, 0, sizeof (btm_cb.sec_dev_rec)); 2691 memset (&btm_cb.pairing_tle, 0, sizeof(TIMER_LIST_ENT)); 2692 2693 #endif 2694 btm_cb.security_mode = sec_mode; 2695 memset (btm_cb.pairing_bda, 0xff, BD_ADDR_LEN); 2696 btm_cb.max_collision_delay = BTM_SEC_MAX_COLLISION_DELAY; 2697 } 2698 2699 /******************************************************************************* 2700 ** 2701 ** Function btm_sec_device_down 2702 ** 2703 ** Description This function should be called when device is disabled or 2704 ** turned off 2705 ** 2706 ** Returns void 2707 ** 2708 *******************************************************************************/ 2709 void btm_sec_device_down (void) 2710 { 2711 BTM_TRACE_EVENT1 ("btm_sec_device_down() State: %s", btm_pair_state_descr(btm_cb.pairing_state)); 2712 2713 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 2714 } 2715 2716 /******************************************************************************* 2717 ** 2718 ** Function btm_sec_dev_reset 2719 ** 2720 ** Description This function should be called after device reset 2721 ** 2722 ** Returns void 2723 ** 2724 *******************************************************************************/ 2725 void btm_sec_dev_reset (void) 2726 { 2727 #if (BTM_PRE_LISBON_INCLUDED == TRUE) 2728 if (btm_cb.security_mode == BTM_SEC_MODE_LINK) 2729 { 2730 btsnd_hcic_write_auth_enable (TRUE); 2731 btsnd_hcic_write_encr_mode (HCI_ENCRYPT_MODE_POINT_TO_POINT); 2732 } 2733 #endif 2734 #if (BTM_PRE_LISBON_INCLUDED == TRUE) 2735 else 2736 #endif 2737 /* btm_sec_dev_reset() is only called from btm_decode_ext_features_page(...) 2738 * right now. */ 2739 if (HCI_SIMPLE_PAIRING_SUPPORTED(btm_cb.devcb.local_lmp_features[HCI_EXT_FEATURES_PAGE_0])) 2740 { 2741 #if BLE_INCLUDED == TRUE 2742 btsnd_hcic_set_event_mask(LOCAL_BR_EDR_CONTROLLER_ID, 2743 (UINT8 *)HCI_DUMO_EVENT_MASK_EXT); 2744 #else 2745 btsnd_hcic_set_event_mask(LOCAL_BR_EDR_CONTROLLER_ID, 2746 (UINT8 *)HCI_LISBON_EVENT_MASK_EXT); 2747 #endif 2748 /* set the default IO capabilities */ 2749 btm_cb.devcb.loc_io_caps = BTM_LOCAL_IO_CAPS; 2750 /* add mx service to use no security */ 2751 #if (RFCOMM_INCLUDED == TRUE) 2752 BTM_SetSecurityLevel(FALSE, "RFC_MUX", BTM_SEC_SERVICE_RFC_MUX, 2753 BTM_SEC_NONE, BT_PSM_RFCOMM, BTM_SEC_PROTO_RFCOMM, 0); 2754 #endif 2755 } 2756 else 2757 { 2758 btm_cb.security_mode = BTM_SEC_MODE_SERVICE; 2759 } 2760 2761 BTM_TRACE_DEBUG1 ("btm_sec_dev_reset sec mode: %d", btm_cb.security_mode); 2762 } 2763 2764 /******************************************************************************* 2765 ** 2766 ** Function btm_sec_abort_access_req 2767 ** 2768 ** Description This function is called by the L2CAP or RFCOMM to abort 2769 ** the pending operation. 2770 ** 2771 ** Parameters: bd_addr - Address of the peer device 2772 ** 2773 ** Returns void 2774 ** 2775 *******************************************************************************/ 2776 void btm_sec_abort_access_req (BD_ADDR bd_addr) 2777 { 2778 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr); 2779 2780 if (!p_dev_rec) 2781 return; 2782 2783 if (btm_cb.api.p_abort_callback) 2784 (*btm_cb.api.p_abort_callback)(bd_addr, p_dev_rec->dev_class, p_dev_rec->sec_bd_name); 2785 2786 if ((p_dev_rec->sec_state != BTM_SEC_STATE_AUTHORIZING) 2787 && (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING)) 2788 return; 2789 2790 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE; 2791 p_dev_rec->p_callback = NULL; 2792 } 2793 2794 /******************************************************************************* 2795 ** 2796 ** Function btm_sec_dd_create_conn 2797 ** 2798 ** Description This function is called to create the ACL connection for 2799 ** the dedicated boding process 2800 ** 2801 ** Returns void 2802 ** 2803 *******************************************************************************/ 2804 static tBTM_STATUS btm_sec_dd_create_conn (tBTM_SEC_DEV_REC *p_dev_rec) 2805 { 2806 tL2C_LCB *p_lcb; 2807 2808 /* Make sure an L2cap link control block is available */ 2809 if ((p_lcb = l2cu_allocate_lcb (p_dev_rec->bd_addr, TRUE)) == NULL) 2810 { 2811 BTM_TRACE_WARNING6 ("Security Manager: failed allocate LCB [%02x%02x%02x%02x%02x%02x]", 2812 p_dev_rec->bd_addr[0], p_dev_rec->bd_addr[1], p_dev_rec->bd_addr[2], 2813 p_dev_rec->bd_addr[3], p_dev_rec->bd_addr[4], p_dev_rec->bd_addr[5]); 2814 2815 return(BTM_NO_RESOURCES); 2816 } 2817 2818 /* set up the control block to indicated dedicated bonding */ 2819 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_DISC_WHEN_DONE; 2820 2821 if (l2cu_create_conn(p_lcb) == FALSE) 2822 { 2823 BTM_TRACE_WARNING6 ("Security Manager: failed create [%02x%02x%02x%02x%02x%02x]", 2824 p_dev_rec->bd_addr[0], p_dev_rec->bd_addr[1], p_dev_rec->bd_addr[2], 2825 p_dev_rec->bd_addr[3], p_dev_rec->bd_addr[4], p_dev_rec->bd_addr[5]); 2826 2827 l2cu_release_lcb(p_lcb); 2828 return(BTM_NO_RESOURCES); 2829 } 2830 2831 #if (defined(BTM_BUSY_LEVEL_CHANGE_INCLUDED) && BTM_BUSY_LEVEL_CHANGE_INCLUDED == TRUE) 2832 btm_acl_update_busy_level (BTM_BLI_PAGE_EVT); 2833 #endif 2834 2835 BTM_TRACE_DEBUG6 ("Security Manager: btm_sec_dd_create_conn [%02x%02x%02x%02x%02x%02x]", 2836 p_dev_rec->bd_addr[0], p_dev_rec->bd_addr[1], p_dev_rec->bd_addr[2], 2837 p_dev_rec->bd_addr[3], p_dev_rec->bd_addr[4], p_dev_rec->bd_addr[5]); 2838 2839 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ); 2840 2841 return(BTM_CMD_STARTED); 2842 } 2843 2844 /******************************************************************************* 2845 ** 2846 ** Function btm_sec_rmt_name_request_complete 2847 ** 2848 ** Description This function is called when remote name was obtained from 2849 ** the peer device 2850 ** 2851 ** Returns void 2852 ** 2853 *******************************************************************************/ 2854 void btm_sec_rmt_name_request_complete (UINT8 *p_bd_addr, UINT8 *p_bd_name, UINT8 status) 2855 { 2856 tBTM_SEC_DEV_REC *p_dev_rec; 2857 int i; 2858 DEV_CLASS dev_class; 2859 UINT8 old_sec_state; 2860 2861 BTM_TRACE_EVENT0 ("btm_sec_rmt_name_request_complete"); 2862 if (((p_bd_addr == NULL) && !BTM_ACL_IS_CONNECTED(btm_cb.connecting_bda)) 2863 || ((p_bd_addr != NULL) && !BTM_ACL_IS_CONNECTED(p_bd_addr))) 2864 { 2865 btm_acl_resubmit_page(); 2866 } 2867 2868 /* If remote name request failed, p_bd_addr is null and we need to search */ 2869 /* based on state assuming that we are doing 1 at a time */ 2870 if (p_bd_addr) 2871 p_dev_rec = btm_find_dev (p_bd_addr); 2872 else 2873 { 2874 p_dev_rec = &btm_cb.sec_dev_rec[0]; 2875 2876 for (i = 0; i < BTM_SEC_MAX_DEVICE_RECORDS; i++, p_dev_rec++) 2877 { 2878 if ((p_dev_rec->sec_flags & BTM_SEC_IN_USE) 2879 && (p_dev_rec->sec_state == BTM_SEC_STATE_GETTING_NAME)) 2880 { 2881 p_bd_addr = p_dev_rec->bd_addr; 2882 break; 2883 } 2884 } 2885 2886 if (i == BTM_SEC_MAX_DEVICE_RECORDS) 2887 p_dev_rec = NULL; 2888 } 2889 2890 2891 /* Commenting out trace due to obf/compilation problems. 2892 */ 2893 #if (BT_USE_TRACES == TRUE) 2894 if (!p_bd_name) 2895 p_bd_name = (UINT8 *)""; 2896 2897 if (p_dev_rec) 2898 { 2899 BTM_TRACE_EVENT5 ("Security Manager: rmt_name_complete PairState: %s RemName: %s status: %d State:%d p_dev_rec: 0x%08x ", 2900 btm_pair_state_descr (btm_cb.pairing_state), p_bd_name, 2901 status, p_dev_rec->sec_state, p_dev_rec); 2902 } 2903 else 2904 { 2905 BTM_TRACE_EVENT3 ("Security Manager: rmt_name_complete PairState: %s RemName: %s status: %d", 2906 btm_pair_state_descr (btm_cb.pairing_state), p_bd_name, 2907 status); 2908 } 2909 #endif 2910 2911 if (p_dev_rec) 2912 { 2913 old_sec_state = p_dev_rec->sec_state; 2914 if (status == HCI_SUCCESS) 2915 { 2916 BCM_STRNCPY_S ((char *)p_dev_rec->sec_bd_name, sizeof (p_dev_rec->sec_bd_name), (char *)p_bd_name, BTM_MAX_REM_BD_NAME_LEN); 2917 p_dev_rec->sec_flags |= BTM_SEC_NAME_KNOWN; 2918 BTM_TRACE_EVENT1 ("setting BTM_SEC_NAME_KNOWN sec_flags:0x%x", p_dev_rec->sec_flags); 2919 } 2920 else 2921 { 2922 /* Notify all clients waiting for name to be resolved even if it failed so clients can continue */ 2923 p_dev_rec->sec_bd_name[0] = 0; 2924 } 2925 2926 if (p_dev_rec->sec_state == BTM_SEC_STATE_GETTING_NAME) 2927 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE; 2928 2929 /* Notify all clients waiting for name to be resolved */ 2930 for (i = 0;i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++) 2931 { 2932 if (btm_cb.p_rmt_name_callback[i]) 2933 (*btm_cb.p_rmt_name_callback[i])(p_bd_addr, p_dev_rec->dev_class, 2934 p_dev_rec->sec_bd_name); 2935 } 2936 } 2937 else 2938 { 2939 dev_class[0] = 0; 2940 dev_class[1] = 0; 2941 dev_class[2] = 0; 2942 2943 /* Notify all clients waiting for name to be resolved even if not found so clients can continue */ 2944 for (i = 0;i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++) 2945 { 2946 if (btm_cb.p_rmt_name_callback[i]) 2947 (*btm_cb.p_rmt_name_callback[i])(p_bd_addr, dev_class, (UINT8 *)""); 2948 } 2949 2950 return; 2951 } 2952 2953 /* If we were delaying asking UI for a PIN because name was not resolved, ask now */ 2954 if ( (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_LOCAL_PIN) && p_bd_addr 2955 && (memcmp (btm_cb.pairing_bda, p_bd_addr, BD_ADDR_LEN) == 0) ) 2956 { 2957 BTM_TRACE_EVENT2 ("btm_sec_rmt_name_request_complete() delayed pin now being requested flags:0x%x, (p_pin_callback=0x%p)", btm_cb.pairing_flags, btm_cb.api.p_pin_callback); 2958 2959 if (((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) == 0) && 2960 ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PIN_REQD) == 0) && 2961 btm_cb.api.p_pin_callback) 2962 { 2963 BTM_TRACE_EVENT0 ("btm_sec_rmt_name_request_complete() calling pin_callback"); 2964 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD; 2965 (*btm_cb.api.p_pin_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class, p_bd_name); 2966 } 2967 2968 /* Set the same state again to force the timer to be restarted */ 2969 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_PIN); 2970 return; 2971 } 2972 2973 /* Check if we were delaying bonding because name was not resolved */ 2974 if ( btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME) 2975 { 2976 if (p_bd_addr && memcmp (btm_cb.pairing_bda, p_bd_addr, BD_ADDR_LEN) == 0) 2977 { 2978 BTM_TRACE_EVENT2 ("btm_sec_rmt_name_request_complete() continue bonding sm4: 0x%04x, status:0x%x", p_dev_rec->sm4, status); 2979 if(btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_CANCEL_DD) 2980 { 2981 btm_sec_bond_cancel_complete(); 2982 return; 2983 } 2984 2985 if (status != HCI_SUCCESS) 2986 { 2987 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 2988 2989 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class, 2990 p_dev_rec->sec_bd_name, status); 2991 return; 2992 } 2993 2994 /* if peer is very old legacy devices, HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT is not reported */ 2995 if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4)) 2996 { 2997 /* set the KNOWN flag only if BTM_PAIR_FLAGS_REJECTED_CONNECT is not set. 2998 * If it is set, there may be a race condition */ 2999 BTM_TRACE_EVENT1 ("btm_sec_rmt_name_request_complete IS_SM4_UNKNOWN Flags:0x%04x", btm_cb.pairing_flags); 3000 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT) == 0) 3001 { 3002 p_dev_rec->sm4 |= BTM_SM4_KNOWN; 3003 } 3004 } 3005 3006 /* BT 2.1 or carkit, bring up the connection to force the peer to request PIN. 3007 ** Else prefetch (btm_sec_check_prefetch_pin will do the prefetching if needed) 3008 */ 3009 if ((p_dev_rec->sm4 != BTM_SM4_KNOWN) || !btm_sec_check_prefetch_pin(p_dev_rec)) 3010 { 3011 /* if we rejected incoming connection request, we have to wait HCI_Connection_Complete event */ 3012 /* before originating */ 3013 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT) 3014 { 3015 BTM_TRACE_WARNING0 ("btm_sec_rmt_name_request_complete: waiting HCI_Connection_Complete after rejecting connection"); 3016 } 3017 /* Both we and the peer are 2.1 - continue to create connection */ 3018 else if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED) 3019 { 3020 BTM_TRACE_WARNING0 ("btm_sec_rmt_name_request_complete: failed to start connection"); 3021 3022 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 3023 3024 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class, 3025 p_dev_rec->sec_bd_name, HCI_ERR_MEMORY_FULL); 3026 } 3027 } 3028 return; 3029 } 3030 else 3031 { 3032 BTM_TRACE_WARNING0 ("btm_sec_rmt_name_request_complete: wrong BDA, retry with pairing BDA"); 3033 3034 BTM_ReadRemoteDeviceName (btm_cb.pairing_bda, NULL); 3035 return; 3036 } 3037 } 3038 3039 /* check if we were delaying link_key_callback because name was not resolved */ 3040 if (p_dev_rec->link_key_not_sent) 3041 { 3042 /* If HCI connection complete has not arrived, wait for it */ 3043 if (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE) 3044 return; 3045 3046 p_dev_rec->link_key_not_sent = FALSE; 3047 btm_send_link_key_notif(p_dev_rec); 3048 3049 /* If its not us who perform authentication, we should tell stackserver */ 3050 /* that some authentication has been completed */ 3051 /* This is required when different entities receive link notification and auth complete */ 3052 if (!(p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE)) 3053 { 3054 if (btm_cb.api.p_auth_complete_callback) 3055 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, 3056 p_dev_rec->dev_class, 3057 p_dev_rec->sec_bd_name, HCI_SUCCESS); 3058 3059 } 3060 } 3061 3062 /* If this is a bonding procedure can disconnect the link now */ 3063 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) 3064 && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)) 3065 { 3066 BTM_TRACE_WARNING0 ("btm_sec_rmt_name_request_complete (none/ce)"); 3067 p_dev_rec->security_required &= ~(BTM_SEC_OUT_AUTHENTICATE); 3068 l2cu_start_post_bond_timer(p_dev_rec->hci_handle); 3069 return; 3070 } 3071 3072 if (old_sec_state != BTM_SEC_STATE_GETTING_NAME) 3073 return; 3074 3075 /* If get name failed, notify the waiting layer */ 3076 if (status != HCI_SUCCESS) 3077 { 3078 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING); 3079 return; 3080 } 3081 3082 if (p_dev_rec->sm4 & BTM_SM4_REQ_PEND) 3083 { 3084 BTM_TRACE_EVENT0 ("waiting for remote features!!"); 3085 return; 3086 } 3087 3088 /* Remote Name succeeded, execute the next security procedure, if any */ 3089 status = (UINT8)btm_sec_execute_procedure (p_dev_rec); 3090 3091 /* If result is pending reply from the user or from the device is pending */ 3092 if (status == BTM_CMD_STARTED) 3093 return; 3094 3095 /* There is no next procedure or start of procedure failed, notify the waiting layer */ 3096 btm_sec_dev_rec_cback_event (p_dev_rec, status); 3097 } 3098 3099 /******************************************************************************* 3100 ** 3101 ** Function btm_sec_rmt_host_support_feat_evt 3102 ** 3103 ** Description This function is called when the 3104 ** HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT is received 3105 ** 3106 ** Returns void 3107 ** 3108 *******************************************************************************/ 3109 void btm_sec_rmt_host_support_feat_evt (UINT8 *p) 3110 { 3111 tBTM_SEC_DEV_REC *p_dev_rec; 3112 BD_ADDR bd_addr; /* peer address */ 3113 BD_FEATURES features; 3114 3115 STREAM_TO_BDADDR (bd_addr, p); 3116 p_dev_rec = btm_find_or_alloc_dev (bd_addr); 3117 3118 BTM_TRACE_EVENT2 ("btm_sec_rmt_host_support_feat_evt sm4: 0x%x p[0]: 0x%x", p_dev_rec->sm4, p[0]); 3119 3120 if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4)) 3121 { 3122 p_dev_rec->sm4 = BTM_SM4_KNOWN; 3123 STREAM_TO_ARRAY(features, p, HCI_FEATURE_BYTES_PER_PAGE); 3124 if (HCI_SSP_HOST_SUPPORTED(features)) 3125 { 3126 p_dev_rec->sm4 = BTM_SM4_TRUE; 3127 } 3128 BTM_TRACE_EVENT2 ("btm_sec_rmt_host_support_feat_evt sm4: 0x%x features[0]: 0x%x", p_dev_rec->sm4, features[0]); 3129 } 3130 } 3131 3132 /******************************************************************************* 3133 ** 3134 ** Function btm_io_capabilities_req 3135 ** 3136 ** Description This function is called when LM request for the IO 3137 ** capability of the local device and 3138 ** if the OOB data is present for the device in the event 3139 ** 3140 ** Returns void 3141 ** 3142 *******************************************************************************/ 3143 void btm_io_capabilities_req (UINT8 *p) 3144 { 3145 tBTM_SP_IO_REQ evt_data; 3146 UINT8 err_code = 0; 3147 tBTM_SEC_DEV_REC *p_dev_rec; 3148 BOOLEAN is_orig = TRUE; 3149 UINT8 callback_rc = BTM_SUCCESS; 3150 3151 STREAM_TO_BDADDR (evt_data.bd_addr, p); 3152 3153 /* setup the default response according to compile options */ 3154 /* assume that the local IO capability does not change 3155 * loc_io_caps is initialized with the default value */ 3156 evt_data.io_cap = btm_cb.devcb.loc_io_caps; 3157 evt_data.oob_data = BTM_OOB_NONE; 3158 evt_data.auth_req = BTM_DEFAULT_AUTH_REQ; 3159 3160 BTM_TRACE_EVENT1 ("btm_io_capabilities_req() State: %s", btm_pair_state_descr(btm_cb.pairing_state)); 3161 3162 p_dev_rec = btm_find_or_alloc_dev (evt_data.bd_addr); 3163 p_dev_rec->sm4 |= BTM_SM4_TRUE; 3164 3165 BTM_TRACE_EVENT3 ("btm_io_capabilities_req() State: %s Flags: 0x%04x p_cur_service: 0x%08x", 3166 btm_pair_state_descr(btm_cb.pairing_state), btm_cb.pairing_flags, p_dev_rec->p_cur_service); 3167 3168 if (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) 3169 { 3170 if (btm_cb.pairing_state == BTM_PAIR_STATE_INCOMING_SSP) 3171 { 3172 /* received IO capability response already-> not the originator of SSP */ 3173 is_orig = FALSE; 3174 3175 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_PEER_STARTED_DD) 3176 evt_data.auth_req = BTM_DEFAULT_DD_AUTH_REQ; 3177 } 3178 /* security is already in progress */ 3179 else if (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_PIN_REQ) 3180 { 3181 /* coverity[uninit_use_in_call] 3182 Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp" 3183 False-positive: evt_data.bd_addr is set at the beginning with: STREAM_TO_BDADDR (evt_data.bd_addr, p); 3184 */ 3185 if (memcmp (evt_data.bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN)) 3186 { 3187 /* and it's not the device in bonding -> reject it */ 3188 err_code = HCI_ERR_HOST_BUSY_PAIRING; 3189 } 3190 else 3191 { 3192 /* local device initiated dedicated bonding */ 3193 evt_data.auth_req = BTM_DEFAULT_DD_AUTH_REQ; 3194 } 3195 } 3196 else 3197 { 3198 err_code = HCI_ERR_HOST_BUSY_PAIRING; 3199 } 3200 } 3201 3202 /* paring is not allowed */ 3203 if (btm_cb.pairing_disabled) 3204 err_code = HCI_ERR_PAIRING_NOT_ALLOWED; 3205 3206 if (err_code != 0) 3207 { 3208 /* coverity[uninit_use_in_call] 3209 Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp" 3210 False-positive: evt_data.bd_addr is set at the beginning with: STREAM_TO_BDADDR (evt_data.bd_addr, p); 3211 */ 3212 btsnd_hcic_io_cap_req_neg_reply(evt_data.bd_addr, err_code); 3213 return; 3214 } 3215 3216 evt_data.is_orig = is_orig; 3217 3218 if (is_orig) 3219 { 3220 /* local device initiated the pairing non-bonding -> use p_cur_service */ 3221 if (!(btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) && 3222 p_dev_rec->p_cur_service && 3223 (p_dev_rec->p_cur_service->security_flags & BTM_SEC_OUT_AUTHENTICATE)) 3224 { 3225 evt_data.auth_req = (p_dev_rec->p_cur_service->security_flags & BTM_SEC_OUT_MITM) ? BTM_AUTH_SP_YES : BTM_AUTH_SP_NO; 3226 } 3227 } 3228 3229 /* Notify L2CAP to increase timeout */ 3230 l2c_pin_code_request (evt_data.bd_addr); 3231 3232 memcpy (btm_cb.pairing_bda, evt_data.bd_addr, BD_ADDR_LEN); 3233 3234 /* coverity[uninit_use_in_call] 3235 Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp" 3236 False-positive: False-positive: evt_data.bd_addr is set at the beginning with: STREAM_TO_BDADDR (evt_data.bd_addr, p); 3237 */ 3238 if (!memcmp (evt_data.bd_addr, btm_cb.connecting_bda, BD_ADDR_LEN)) 3239 memcpy (p_dev_rec->dev_class, btm_cb.connecting_dc, DEV_CLASS_LEN); 3240 3241 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS); 3242 3243 callback_rc = BTM_SUCCESS; 3244 if (p_dev_rec->sm4 & BTM_SM4_UPGRADE) 3245 { 3246 p_dev_rec->sm4 &= ~BTM_SM4_UPGRADE; 3247 3248 /* link key upgrade: always use SPGB_YES - assuming we want to save the link key */ 3249 evt_data.auth_req = BTM_AUTH_SPGB_YES; 3250 } 3251 else if (btm_cb.api.p_sp_callback) 3252 { 3253 /* the callback function implementation may change the IO capability... */ 3254 callback_rc = (*btm_cb.api.p_sp_callback) (BTM_SP_IO_REQ_EVT, (tBTM_SP_EVT_DATA *)&evt_data); 3255 } 3256 3257 #if BTM_OOB_INCLUDED == TRUE 3258 if ((callback_rc == BTM_SUCCESS) || (BTM_OOB_UNKNOWN != evt_data.oob_data)) 3259 #else 3260 if (callback_rc == BTM_SUCCESS) 3261 #endif 3262 { 3263 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)) 3264 { 3265 evt_data.auth_req = (BTM_AUTH_DD_BOND | (evt_data.auth_req & BTM_AUTH_YN_BIT)); 3266 } 3267 3268 /* if the user does not indicate "reply later" by setting the oob_data to unknown 3269 * send the response right now. Save the current IO capability in the control block */ 3270 btm_cb.devcb.loc_auth_req = evt_data.auth_req; 3271 btm_cb.devcb.loc_io_caps = evt_data.io_cap; 3272 3273 BTM_TRACE_EVENT4 ("btm_io_capabilities_req: State: %s IO_CAP:%d oob_data:%d auth_req:%d", 3274 btm_pair_state_descr(btm_cb.pairing_state), evt_data.io_cap, 3275 evt_data.oob_data, evt_data.auth_req); 3276 3277 btsnd_hcic_io_cap_req_reply(evt_data.bd_addr, evt_data.io_cap, 3278 evt_data.oob_data, evt_data.auth_req); 3279 } 3280 } 3281 3282 /******************************************************************************* 3283 ** 3284 ** Function btm_io_capabilities_rsp 3285 ** 3286 ** Description This function is called when the IO capability of the 3287 ** specified device is received 3288 ** 3289 ** Returns void 3290 ** 3291 *******************************************************************************/ 3292 void btm_io_capabilities_rsp (UINT8 *p) 3293 { 3294 tBTM_SEC_DEV_REC *p_dev_rec; 3295 tBTM_SP_IO_RSP evt_data; 3296 3297 STREAM_TO_BDADDR (evt_data.bd_addr, p); 3298 STREAM_TO_UINT8 (evt_data.io_cap, p); 3299 STREAM_TO_UINT8 (evt_data.oob_data, p); 3300 STREAM_TO_UINT8 (evt_data.auth_req, p); 3301 3302 /* Allocate a new device record or reuse the oldest one */ 3303 p_dev_rec = btm_find_or_alloc_dev (evt_data.bd_addr); 3304 3305 /* If no security is in progress, this indicates incoming security */ 3306 if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE) 3307 { 3308 memcpy (btm_cb.pairing_bda, evt_data.bd_addr, BD_ADDR_LEN); 3309 3310 btm_sec_change_pairing_state (BTM_PAIR_STATE_INCOMING_SSP); 3311 3312 /* Make sure we reset the trusted mask to help against attacks */ 3313 BTM_SEC_CLR_TRUSTED_DEVICE(p_dev_rec->trusted_mask); 3314 3315 /* work around for FW bug */ 3316 btm_inq_stop_on_ssp(); 3317 } 3318 3319 /* Notify L2CAP to increase timeout */ 3320 l2c_pin_code_request (evt_data.bd_addr); 3321 3322 /* We must have a device record here. 3323 * Use the connecting device's CoD for the connection */ 3324 /* coverity[uninit_use_in_call] 3325 Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp" 3326 FALSE-POSITIVE error from Coverity test-tool. evt_data.bd_addr is set at the beginning with: STREAM_TO_BDADDR (evt_data.bd_addr, p); 3327 */ 3328 if (!memcmp (evt_data.bd_addr, btm_cb.connecting_bda, BD_ADDR_LEN)) 3329 memcpy (p_dev_rec->dev_class, btm_cb.connecting_dc, DEV_CLASS_LEN); 3330 3331 /* peer sets dedicated bonding bit and we did not initiate dedicated bonding */ 3332 if (btm_cb.pairing_state == BTM_PAIR_STATE_INCOMING_SSP /* peer initiated bonding */ 3333 && (evt_data.auth_req & BTM_AUTH_DD_BOND) ) /* and dedicated bonding bit is set */ 3334 { 3335 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PEER_STARTED_DD; 3336 } 3337 3338 /* save the IO capability in the device record */ 3339 p_dev_rec->rmt_io_caps = evt_data.io_cap; 3340 p_dev_rec->rmt_auth_req = evt_data.auth_req; 3341 3342 if (btm_cb.api.p_sp_callback) 3343 (*btm_cb.api.p_sp_callback) (BTM_SP_IO_RSP_EVT, (tBTM_SP_EVT_DATA *)&evt_data); 3344 } 3345 3346 /******************************************************************************* 3347 ** 3348 ** Function btm_proc_sp_req_evt 3349 ** 3350 ** Description This function is called to process/report 3351 ** HCI_USER_CONFIRMATION_REQUEST_EVT 3352 ** or HCI_USER_PASSKEY_REQUEST_EVT 3353 ** or HCI_USER_PASSKEY_NOTIFY_EVT 3354 ** 3355 ** Returns void 3356 ** 3357 *******************************************************************************/ 3358 void btm_proc_sp_req_evt (tBTM_SP_EVT event, UINT8 *p) 3359 { 3360 tBTM_STATUS status = BTM_ERR_PROCESSING; 3361 tBTM_SP_EVT_DATA evt_data; 3362 UINT8 *p_bda = evt_data.cfm_req.bd_addr; 3363 tBTM_SEC_DEV_REC *p_dev_rec; 3364 3365 /* All events start with bd_addr */ 3366 STREAM_TO_BDADDR (p_bda, p); 3367 3368 BTM_TRACE_EVENT4 ("btm_proc_sp_req_evt() BDA: %08x%04x event: 0x%x, State: %s", 3369 (p_bda[0]<<24) + (p_bda[1]<<16) + (p_bda[2]<<8) + p_bda[3], (p_bda[4] << 8) + p_bda[5], 3370 event, btm_pair_state_descr(btm_cb.pairing_state)); 3371 3372 if ( ((p_dev_rec = btm_find_dev (p_bda)) != NULL) 3373 && (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) 3374 && (memcmp (btm_cb.pairing_bda, p_bda, BD_ADDR_LEN) == 0) ) 3375 { 3376 memcpy (evt_data.cfm_req.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN); 3377 memcpy (evt_data.cfm_req.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN); 3378 3379 BCM_STRNCPY_S ((char *)evt_data.cfm_req.bd_name, sizeof(evt_data.cfm_req.bd_name), (char *)p_dev_rec->sec_bd_name, BTM_MAX_REM_BD_NAME_LEN); 3380 3381 switch (event) 3382 { 3383 case BTM_SP_CFM_REQ_EVT: 3384 /* Numeric confirmation. Need user to conf the passkey */ 3385 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM); 3386 3387 /* The device record must be allocated in the "IO cap exchange" step */ 3388 STREAM_TO_UINT32 (evt_data.cfm_req.num_val, p); 3389 3390 evt_data.cfm_req.just_works = TRUE; 3391 3392 /* process user confirm req in association with the auth_req param */ 3393 #if (BTM_LOCAL_IO_CAPS == BTM_IO_CAP_IO) 3394 if ( (p_dev_rec->rmt_io_caps == BTM_IO_CAP_IO) 3395 && (btm_cb.devcb.loc_io_caps == BTM_IO_CAP_IO) 3396 && ((p_dev_rec->rmt_auth_req & BTM_AUTH_SP_YES) || (btm_cb.devcb.loc_auth_req & BTM_AUTH_SP_YES)) ) 3397 { 3398 /* Both devices are DisplayYesNo and one or both devices want to authenticate 3399 -> use authenticated link key */ 3400 evt_data.cfm_req.just_works = FALSE; 3401 } 3402 #endif 3403 BTM_TRACE_DEBUG5 ("btm_proc_sp_req_evt() just_works:%d, io loc:%d, rmt:%d, auth loc:%d, rmt:%d", 3404 evt_data.cfm_req.just_works, btm_cb.devcb.loc_io_caps, p_dev_rec->rmt_io_caps, 3405 btm_cb.devcb.loc_auth_req, p_dev_rec->rmt_auth_req); 3406 3407 evt_data.cfm_req.loc_auth_req = btm_cb.devcb.loc_auth_req; 3408 evt_data.cfm_req.rmt_auth_req = p_dev_rec->rmt_auth_req; 3409 evt_data.cfm_req.loc_io_caps = btm_cb.devcb.loc_io_caps; 3410 evt_data.cfm_req.rmt_io_caps = p_dev_rec->rmt_io_caps; 3411 break; 3412 3413 case BTM_SP_KEY_NOTIF_EVT: 3414 /* Passkey notification (other side is a keyboard) */ 3415 STREAM_TO_UINT32 (evt_data.key_notif.passkey, p); 3416 3417 BTM_TRACE_DEBUG1 ("BTM_SP_KEY_NOTIF_EVT: passkey: %u", evt_data.key_notif.passkey); 3418 3419 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE); 3420 break; 3421 3422 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE) 3423 case BTM_SP_KEY_REQ_EVT: 3424 /* HCI_USER_PASSKEY_REQUEST_EVT */ 3425 btm_sec_change_pairing_state (BTM_PAIR_STATE_KEY_ENTRY); 3426 break; 3427 #endif 3428 } 3429 3430 if (btm_cb.api.p_sp_callback) 3431 { 3432 status = (*btm_cb.api.p_sp_callback) (event, (tBTM_SP_EVT_DATA *)&evt_data); 3433 if (status != BTM_NOT_AUTHORIZED) 3434 { 3435 return; 3436 } 3437 /* else BTM_NOT_AUTHORIZED means when the app wants to reject the req right now */ 3438 } 3439 else if ( (event == BTM_SP_CFM_REQ_EVT) && (evt_data.cfm_req.just_works == TRUE) ) 3440 { 3441 /* automatically reply with just works if no sp_cback */ 3442 status = BTM_SUCCESS; 3443 } 3444 3445 if (event == BTM_SP_CFM_REQ_EVT) 3446 { 3447 BTM_TRACE_DEBUG1 ("calling BTM_ConfirmReqReply with status: %d", status); 3448 BTM_ConfirmReqReply (status, p_bda); 3449 } 3450 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE) 3451 else if (event == BTM_SP_KEY_REQ_EVT) 3452 { 3453 BTM_PasskeyReqReply(status, p_bda, 0); 3454 } 3455 #endif 3456 return; 3457 } 3458 3459 /* Something bad. we can only fail this connection */ 3460 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY; 3461 3462 if (BTM_SP_CFM_REQ_EVT == event) 3463 { 3464 btsnd_hcic_user_conf_reply (p_bda, FALSE); 3465 } 3466 else if (BTM_SP_KEY_NOTIF_EVT == event) 3467 { 3468 /* do nothing -> it very unlikely to happen. 3469 This event is most likely to be received by a HID host when it first connects to a HID device. 3470 Usually the Host initiated the connection in this case. 3471 On Mobile platforms, if there's a security process happening, 3472 the host probably can not initiate another connection. 3473 BTW (PC) is another story. */ 3474 if (NULL != (p_dev_rec = btm_find_dev (p_bda)) ) 3475 { 3476 btm_sec_disconnect (p_dev_rec->hci_handle, HCI_ERR_AUTH_FAILURE); 3477 } 3478 } 3479 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE) 3480 else 3481 { 3482 btsnd_hcic_user_passkey_neg_reply(p_bda); 3483 } 3484 #endif 3485 } 3486 3487 /******************************************************************************* 3488 ** 3489 ** Function btm_keypress_notif_evt 3490 ** 3491 ** Description This function is called when a key press notification is 3492 ** received 3493 ** 3494 ** Returns void 3495 ** 3496 *******************************************************************************/ 3497 void btm_keypress_notif_evt (UINT8 *p) 3498 { 3499 tBTM_SP_KEYPRESS evt_data; 3500 UINT8 *p_bda; 3501 3502 /* parse & report BTM_SP_KEYPRESS_EVT */ 3503 if (btm_cb.api.p_sp_callback) 3504 { 3505 p_bda = evt_data.bd_addr; 3506 3507 STREAM_TO_BDADDR (p_bda, p); 3508 evt_data.notif_type = *p; 3509 3510 (*btm_cb.api.p_sp_callback) (BTM_SP_KEYPRESS_EVT, (tBTM_SP_EVT_DATA *)&evt_data); 3511 } 3512 } 3513 3514 /******************************************************************************* 3515 ** 3516 ** Function btm_simple_pair_complete 3517 ** 3518 ** Description This function is called when simple pairing process is 3519 ** complete 3520 ** 3521 ** Returns void 3522 ** 3523 *******************************************************************************/ 3524 void btm_simple_pair_complete (UINT8 *p) 3525 { 3526 tBTM_SP_COMPLT evt_data; 3527 tBTM_SEC_DEV_REC *p_dev_rec; 3528 UINT8 status; 3529 BOOLEAN disc = FALSE; 3530 3531 status = *p++; 3532 STREAM_TO_BDADDR (evt_data.bd_addr, p); 3533 3534 if ((p_dev_rec = btm_find_dev (evt_data.bd_addr)) == NULL) 3535 { 3536 BTM_TRACE_ERROR2 ("btm_simple_pair_complete() with unknown BDA: %08x%04x", 3537 (evt_data.bd_addr[0]<<24) + (evt_data.bd_addr[1]<<16) + (evt_data.bd_addr[2]<<8) + evt_data.bd_addr[3], 3538 (evt_data.bd_addr[4] << 8) + evt_data.bd_addr[5]); 3539 return; 3540 } 3541 3542 BTM_TRACE_EVENT3 ("btm_simple_pair_complete() Pair State: %s Status:%d sec_state: %u", 3543 btm_pair_state_descr(btm_cb.pairing_state), status, p_dev_rec->sec_state); 3544 3545 evt_data.status = BTM_ERR_PROCESSING; 3546 if (status == HCI_SUCCESS) 3547 { 3548 evt_data.status = BTM_SUCCESS; 3549 p_dev_rec->sec_flags |= BTM_SEC_AUTHENTICATED; 3550 } 3551 else 3552 { 3553 if (status == HCI_ERR_PAIRING_NOT_ALLOWED) 3554 { 3555 /* The test spec wants the peer device to get this failure code. */ 3556 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_DISCONNECT); 3557 3558 /* Change the timer to 1 second */ 3559 btu_start_timer (&btm_cb.pairing_tle, BTU_TTYPE_USER_FUNC, BT_1SEC_TIMEOUT); 3560 } 3561 else if (memcmp (btm_cb.pairing_bda, evt_data.bd_addr, BD_ADDR_LEN) == 0) 3562 { 3563 /* stop the timer */ 3564 btu_stop_timer (&btm_cb.pairing_tle); 3565 3566 if (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING) 3567 { 3568 /* the initiating side: will receive auth complete event. disconnect ACL at that time */ 3569 disc = TRUE; 3570 } 3571 } 3572 else 3573 disc = TRUE; 3574 } 3575 3576 /* Let the pairing state stay active, p_auth_complete_callback will report the failure */ 3577 memcpy (evt_data.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN); 3578 memcpy (evt_data.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN); 3579 3580 if (btm_cb.api.p_sp_callback) 3581 (*btm_cb.api.p_sp_callback) (BTM_SP_COMPLT_EVT, (tBTM_SP_EVT_DATA *)&evt_data); 3582 3583 if (disc) 3584 { 3585 /* simple pairing failed */ 3586 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE); 3587 } 3588 } 3589 3590 #if BTM_OOB_INCLUDED == TRUE 3591 /******************************************************************************* 3592 ** 3593 ** Function btm_rem_oob_req 3594 ** 3595 ** Description This function is called to process/report 3596 ** HCI_REMOTE_OOB_DATA_REQUEST_EVT 3597 ** 3598 ** Returns void 3599 ** 3600 *******************************************************************************/ 3601 void btm_rem_oob_req (UINT8 *p) 3602 { 3603 UINT8 *p_bda; 3604 tBTM_SP_RMT_OOB evt_data; 3605 tBTM_SEC_DEV_REC *p_dev_rec; 3606 BT_OCTET16 c; 3607 BT_OCTET16 r; 3608 3609 p_bda = evt_data.bd_addr; 3610 3611 STREAM_TO_BDADDR (p_bda, p); 3612 3613 BTM_TRACE_EVENT6 ("btm_rem_oob_req() BDA: %02x:%02x:%02x:%02x:%02x:%02x", 3614 p_bda[0], p_bda[1], p_bda[2], p_bda[3], p_bda[4], p_bda[5]); 3615 3616 if ( (NULL != (p_dev_rec = btm_find_dev (p_bda))) && 3617 btm_cb.api.p_sp_callback) 3618 { 3619 memcpy (evt_data.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN); 3620 memcpy (evt_data.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN); 3621 BCM_STRNCPY_S((char *)evt_data.bd_name, sizeof(evt_data.bd_name), (char *)p_dev_rec->sec_bd_name, BTM_MAX_REM_BD_NAME_LEN+1); 3622 evt_data.bd_name[BTM_MAX_REM_BD_NAME_LEN] = 0; 3623 3624 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP); 3625 if ((*btm_cb.api.p_sp_callback) (BTM_SP_RMT_OOB_EVT, (tBTM_SP_EVT_DATA *)&evt_data) == BTM_NOT_AUTHORIZED) 3626 { 3627 BTM_RemoteOobDataReply(TRUE, p_bda, c, r); 3628 } 3629 return; 3630 } 3631 3632 /* something bad. we can only fail this connection */ 3633 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY; 3634 btsnd_hcic_rem_oob_neg_reply (p_bda); 3635 } 3636 3637 /******************************************************************************* 3638 ** 3639 ** Function btm_read_local_oob_complete 3640 ** 3641 ** Description This function is called when read local oob data is 3642 ** completed by the LM 3643 ** 3644 ** Returns void 3645 ** 3646 *******************************************************************************/ 3647 void btm_read_local_oob_complete (UINT8 *p) 3648 { 3649 tBTM_SP_LOC_OOB evt_data; 3650 UINT8 status = *p++; 3651 3652 BTM_TRACE_EVENT1 ("btm_read_local_oob_complete:%d", status); 3653 if (status == HCI_SUCCESS) 3654 { 3655 evt_data.status = BTM_SUCCESS; 3656 STREAM_TO_ARRAY16(evt_data.c, p); 3657 STREAM_TO_ARRAY16(evt_data.r, p); 3658 } 3659 else 3660 evt_data.status = BTM_ERR_PROCESSING; 3661 3662 if (btm_cb.api.p_sp_callback) 3663 (*btm_cb.api.p_sp_callback) (BTM_SP_LOC_OOB_EVT, (tBTM_SP_EVT_DATA *)&evt_data); 3664 } 3665 #endif /* BTM_OOB_INCLUDED */ 3666 3667 /******************************************************************************* 3668 ** 3669 ** Function btm_sec_auth_collision 3670 ** 3671 ** Description This function is called when authentication or encryption 3672 ** needs to be retried at a later time. 3673 ** 3674 ** Returns void 3675 ** 3676 *******************************************************************************/ 3677 static void btm_sec_auth_collision (UINT16 handle) 3678 { 3679 tBTM_SEC_DEV_REC *p_dev_rec; 3680 3681 if (!btm_cb.collision_start_time) 3682 btm_cb.collision_start_time = GKI_get_tick_count (); 3683 3684 if ((GKI_get_tick_count () - btm_cb.collision_start_time) < btm_cb.max_collision_delay) 3685 { 3686 if (handle == BTM_SEC_INVALID_HANDLE) 3687 { 3688 if ((p_dev_rec = btm_sec_find_dev_by_sec_state (BTM_SEC_STATE_AUTHENTICATING)) == NULL) 3689 p_dev_rec = btm_sec_find_dev_by_sec_state (BTM_SEC_STATE_ENCRYPTING); 3690 } 3691 else 3692 p_dev_rec = btm_find_dev_by_handle (handle); 3693 3694 if (p_dev_rec != NULL) 3695 { 3696 BTM_TRACE_DEBUG1 ("btm_sec_auth_collision: state %d (retrying in a moment...)", p_dev_rec->sec_state); 3697 /* We will restart authentication after timeout */ 3698 if (p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING || p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING) 3699 p_dev_rec->sec_state = 0; 3700 3701 btm_cb.p_collided_dev_rec = p_dev_rec; 3702 btm_cb.sec_collision_tle.param = (UINT32) btm_sec_collision_timeout; 3703 btu_start_timer (&btm_cb.sec_collision_tle, BTU_TTYPE_USER_FUNC, BT_1SEC_TIMEOUT); 3704 } 3705 } 3706 } 3707 3708 /******************************************************************************* 3709 ** 3710 ** Function btm_sec_auth_complete 3711 ** 3712 ** Description This function is when authentication of the connection is 3713 ** completed by the LM 3714 ** 3715 ** Returns void 3716 ** 3717 *******************************************************************************/ 3718 void btm_sec_auth_complete (UINT16 handle, UINT8 status) 3719 { 3720 UINT8 old_sm4; 3721 tBTM_PAIRING_STATE old_state = btm_cb.pairing_state; 3722 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle); 3723 BOOLEAN are_bonding = FALSE; 3724 3725 /* Commenting out trace due to obf/compilation problems. 3726 */ 3727 #if (BT_USE_TRACES == TRUE) 3728 if (p_dev_rec) 3729 { 3730 BTM_TRACE_EVENT6 ("Security Manager: auth_complete PairState: %s handle:%u status:%d dev->sec_state: %u Bda:%08x, RName:%s", 3731 btm_pair_state_descr (btm_cb.pairing_state), 3732 handle, status, 3733 p_dev_rec->sec_state, 3734 (p_dev_rec->bd_addr[2]<<24)+(p_dev_rec->bd_addr[3]<<16)+(p_dev_rec->bd_addr[4]<<8)+p_dev_rec->bd_addr[5], 3735 p_dev_rec->sec_bd_name); 3736 } 3737 else 3738 { 3739 BTM_TRACE_EVENT3 ("Security Manager: auth_complete PairState: %s handle:%u status:%d", 3740 btm_pair_state_descr (btm_cb.pairing_state), 3741 handle, status); 3742 } 3743 #endif 3744 3745 /* For transaction collision we need to wait and repeat. There is no need */ 3746 /* for random timeout because only slave should receive the result */ 3747 if ((status == HCI_ERR_LMP_ERR_TRANS_COLLISION) || (status == HCI_ERR_DIFF_TRANSACTION_COLLISION)) 3748 { 3749 btm_sec_auth_collision(handle); 3750 return; 3751 } 3752 btm_cb.collision_start_time = 0; 3753 3754 btm_restore_mode(); 3755 3756 /* Check if connection was made just to do bonding. If we authenticate 3757 the connection that is up, this is the last event received. 3758 */ 3759 if (p_dev_rec 3760 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) 3761 && !(btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)) 3762 { 3763 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE; 3764 3765 l2cu_start_post_bond_timer (p_dev_rec->hci_handle); 3766 } 3767 3768 if (!p_dev_rec) 3769 return; 3770 3771 /* keep the old sm4 flag and clear the retry bit in control block */ 3772 old_sm4 = p_dev_rec->sm4; 3773 p_dev_rec->sm4 &= ~BTM_SM4_RETRY; 3774 3775 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) 3776 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) 3777 && (memcmp (p_dev_rec->bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN) == 0) ) 3778 are_bonding = TRUE; 3779 3780 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 3781 3782 if (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING) 3783 { 3784 if ( (btm_cb.api.p_auth_complete_callback && status != HCI_SUCCESS) 3785 && (old_state != BTM_PAIR_STATE_IDLE) ) 3786 { 3787 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, 3788 p_dev_rec->dev_class, 3789 p_dev_rec->sec_bd_name, status); 3790 } 3791 return; 3792 } 3793 3794 /* There can be a race condition, when we are starting authentication and 3795 ** the peer device is doing encryption. 3796 ** If first we receive encryption change up, then initiated authentication 3797 ** can not be performed. According to the spec we can not do authentication 3798 ** on the encrypted link, so device is correct. 3799 */ 3800 if ((status == HCI_ERR_COMMAND_DISALLOWED) 3801 && ((p_dev_rec->sec_flags & (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED)) == 3802 (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED))) 3803 { 3804 status = HCI_SUCCESS; 3805 } 3806 /* Currently we do not notify user if it is a keyboard which connects */ 3807 /* User probably Disabled the keyboard while it was asleap. Let her try */ 3808 if (btm_cb.api.p_auth_complete_callback) 3809 { 3810 /* report the suthentication status */ 3811 if (old_state != BTM_PAIR_STATE_IDLE) 3812 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, 3813 p_dev_rec->dev_class, 3814 p_dev_rec->sec_bd_name, status); 3815 } 3816 3817 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE; 3818 3819 /* If this is a bonding procedure can disconnect the link now */ 3820 if (are_bonding) 3821 { 3822 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE; 3823 3824 if (status != HCI_SUCCESS) 3825 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_PEER_USER); 3826 else 3827 l2cu_start_post_bond_timer (p_dev_rec->hci_handle); 3828 3829 return; 3830 } 3831 3832 /* If authentication failed, notify the waiting layer */ 3833 if (status != HCI_SUCCESS) 3834 { 3835 if ((old_sm4 & BTM_SM4_RETRY) == 0) 3836 { 3837 /* allow retry only once */ 3838 if (status == HCI_ERR_LMP_ERR_TRANS_COLLISION) 3839 { 3840 /* not retried yet. set the retry bit */ 3841 p_dev_rec->sm4 |= BTM_SM4_RETRY; 3842 BTM_TRACE_DEBUG2 ("Collision retry sm4:x%x sec_flags:0x%x", p_dev_rec->sm4, p_dev_rec->sec_flags); 3843 } 3844 /* this retry for missing key is for Lisbon or later only. 3845 * Legacy device do not need this. the controller will drive the retry automatically */ 3846 else if (HCI_ERR_KEY_MISSING == status && BTM_SEC_IS_SM4(p_dev_rec->sm4)) 3847 { 3848 /* not retried yet. set the retry bit */ 3849 p_dev_rec->sm4 |= BTM_SM4_RETRY; 3850 p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_KNOWN; 3851 BTM_TRACE_DEBUG2 ("Retry for missing key sm4:x%x sec_flags:0x%x", p_dev_rec->sm4, p_dev_rec->sec_flags); 3852 3853 /* With BRCM controller, we do not need to delete the stored link key in controller. 3854 If the stack may sit on top of other controller, we may need this 3855 BTM_DeleteStoredLinkKey (bd_addr, NULL); */ 3856 } 3857 3858 if (p_dev_rec->sm4 & BTM_SM4_RETRY) 3859 { 3860 btm_sec_execute_procedure (p_dev_rec); 3861 return; 3862 } 3863 } 3864 3865 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING); 3866 3867 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE) 3868 { 3869 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE); 3870 } 3871 return; 3872 } 3873 3874 p_dev_rec->sec_flags |= BTM_SEC_AUTHENTICATED; 3875 3876 /* Authentication succeeded, execute the next security procedure, if any */ 3877 status = btm_sec_execute_procedure (p_dev_rec); 3878 3879 /* If there is no next procedure, or procedure failed to start, notify the caller */ 3880 if (status != BTM_CMD_STARTED) 3881 btm_sec_dev_rec_cback_event (p_dev_rec, status); 3882 } 3883 3884 /******************************************************************************* 3885 ** 3886 ** Function btm_sec_mkey_comp_event 3887 ** 3888 ** Description This function is when encryption of the connection is 3889 ** completed by the LM 3890 ** 3891 ** Returns void 3892 ** 3893 *******************************************************************************/ 3894 void btm_sec_mkey_comp_event (UINT16 handle, UINT8 status, UINT8 key_flg) 3895 { 3896 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle); 3897 UINT8 bd_addr[BD_ADDR_LEN] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff} ; 3898 3899 BTM_TRACE_EVENT2 ("Security Manager: mkey comp status:%d State:%d", 3900 status, (p_dev_rec) ? p_dev_rec->sec_state : 0); 3901 3902 /* If encryption setup failed, notify the waiting layer */ 3903 /* There is no next procedure or start of procedure failed, notify the waiting layer */ 3904 if (btm_cb.mkey_cback) 3905 { 3906 if (!p_dev_rec) 3907 (btm_cb.mkey_cback)(bd_addr, status, key_flg ); 3908 else 3909 (btm_cb.mkey_cback)(p_dev_rec->bd_addr, status, key_flg ); 3910 } 3911 } 3912 3913 /******************************************************************************* 3914 ** 3915 ** Function btm_sec_encrypt_change 3916 ** 3917 ** Description This function is when encryption of the connection is 3918 ** completed by the LM 3919 ** 3920 ** Returns void 3921 ** 3922 *******************************************************************************/ 3923 void btm_sec_encrypt_change (UINT16 handle, UINT8 status, UINT8 encr_enable) 3924 { 3925 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle); 3926 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE 3927 tACL_CONN *p_acl; 3928 #endif 3929 BTM_TRACE_EVENT3 ("Security Manager: encrypt_change status:%d State:%d, encr_enable = %d", 3930 status, (p_dev_rec) ? p_dev_rec->sec_state : 0, encr_enable); 3931 BTM_TRACE_DEBUG1 ("before update p_dev_rec->sec_flags=0x%x", (p_dev_rec) ? p_dev_rec->sec_flags : 0 ); 3932 3933 /* For transaction collision we need to wait and repeat. There is no need */ 3934 /* for random timeout because only slave should receive the result */ 3935 if ((status == HCI_ERR_LMP_ERR_TRANS_COLLISION) || (status == HCI_ERR_DIFF_TRANSACTION_COLLISION)) 3936 { 3937 btm_sec_auth_collision(handle); 3938 return; 3939 } 3940 btm_cb.collision_start_time = 0; 3941 3942 if (!p_dev_rec) 3943 return; 3944 3945 if ((status == HCI_SUCCESS) && encr_enable) 3946 p_dev_rec->sec_flags |= (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED); 3947 3948 /* It is possible that we decrypted the link to perform role switch */ 3949 /* mark link not to be encrypted, so that when we execute security next time it will kick in again */ 3950 if ((status == HCI_SUCCESS) && !encr_enable) 3951 p_dev_rec->sec_flags &= ~BTM_SEC_ENCRYPTED; 3952 3953 BTM_TRACE_DEBUG1 ("after update p_dev_rec->sec_flags=0x%x", p_dev_rec->sec_flags ); 3954 3955 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE 3956 p_acl = btm_bda_to_acl(p_dev_rec->bd_addr); 3957 3958 if (p_acl && p_acl->is_le_link) 3959 { 3960 btm_ble_link_encrypted(p_dev_rec->bd_addr, encr_enable); 3961 return; 3962 } 3963 else 3964 /* BR/EDR connection, update the encryption key size to be 16 as always */ 3965 p_dev_rec->enc_key_size = 16; 3966 #endif 3967 3968 /* If this encryption was started by peer do not need to do anything */ 3969 if (p_dev_rec->sec_state != BTM_SEC_STATE_ENCRYPTING) 3970 { 3971 if (BTM_SEC_STATE_DELAY_FOR_ENC == p_dev_rec->sec_state) 3972 { 3973 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE; 3974 p_dev_rec->p_callback = NULL; 3975 l2cu_resubmit_pending_sec_req (p_dev_rec->bd_addr); 3976 } 3977 return; 3978 } 3979 3980 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE; 3981 3982 /* If encryption setup failed, notify the waiting layer */ 3983 if (status != HCI_SUCCESS) 3984 { 3985 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING); 3986 return; 3987 } 3988 3989 /* Encryption setup succeeded, execute the next security procedure, if any */ 3990 status = (UINT8)btm_sec_execute_procedure (p_dev_rec); 3991 3992 /* If there is no next procedure, or procedure failed to start, notify the caller */ 3993 if (status != BTM_CMD_STARTED) 3994 btm_sec_dev_rec_cback_event (p_dev_rec, status); 3995 } 3996 3997 /******************************************************************************* 3998 ** 3999 ** Function btm_sec_create_conn 4000 ** 4001 ** Description This function records current role and forwards request to 4002 ** HCI 4003 ** 4004 ** Returns void 4005 ** 4006 *******************************************************************************/ 4007 BOOLEAN btm_sec_create_conn (BD_ADDR bda, UINT16 packet_types, 4008 UINT8 page_scan_rep_mode, UINT8 page_scan_mode, 4009 UINT16 clock_offset, UINT8 allow_switch) 4010 { 4011 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_or_alloc_dev (bda); 4012 4013 memcpy (btm_cb.connecting_bda, p_dev_rec->bd_addr, BD_ADDR_LEN); 4014 memcpy (btm_cb.connecting_dc, p_dev_rec->dev_class, DEV_CLASS_LEN); 4015 4016 btm_cb.acl_disc_reason = 0xff ; 4017 4018 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE; 4019 p_dev_rec->role_master = TRUE; 4020 4021 /* If any SCO link up, do not allow a switch */ 4022 if (BTM_GetNumScoLinks() != 0) 4023 allow_switch = HCI_CR_CONN_NOT_ALLOW_SWITCH; 4024 4025 return(btsnd_hcic_create_conn (bda, packet_types, page_scan_rep_mode, 4026 page_scan_mode, clock_offset, allow_switch)); 4027 } 4028 4029 /******************************************************************************* 4030 ** 4031 ** Function btm_sec_connect_after_reject_timeout 4032 ** 4033 ** Description Connection for bonding could not start because of the collision 4034 ** Initiate outgoing connection 4035 ** 4036 ** Returns Pointer to the TLE struct 4037 ** 4038 *******************************************************************************/ 4039 static void btm_sec_connect_after_reject_timeout (TIMER_LIST_ENT *p_tle) 4040 { 4041 tBTM_SEC_DEV_REC *p_dev_rec = btm_cb.p_collided_dev_rec; 4042 4043 BTM_TRACE_EVENT0 ("btm_sec_connect_after_reject_timeout()"); 4044 btm_cb.sec_collision_tle.param = 0; 4045 btm_cb.p_collided_dev_rec = 0; 4046 4047 if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED) 4048 { 4049 BTM_TRACE_WARNING0 ("Security Manager: btm_sec_connect_after_reject_timeout: failed to start connection"); 4050 4051 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 4052 4053 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class, 4054 p_dev_rec->sec_bd_name, HCI_ERR_MEMORY_FULL); 4055 } 4056 } 4057 4058 /******************************************************************************* 4059 ** 4060 ** Function btm_sec_connected 4061 ** 4062 ** Description This function is when a connection to the peer device is 4063 ** establsihed 4064 ** 4065 ** Returns void 4066 ** 4067 *******************************************************************************/ 4068 void btm_sec_connected (UINT8 *bda, UINT16 handle, UINT8 status, UINT8 enc_mode) 4069 { 4070 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bda); 4071 UINT8 res; 4072 BOOLEAN is_pairing_device = FALSE; 4073 tACL_CONN *p_acl_cb; 4074 4075 btm_acl_resubmit_page(); 4076 4077 /* Commenting out trace due to obf/compilation problems. 4078 */ 4079 #if (BT_USE_TRACES == TRUE) 4080 if (p_dev_rec) 4081 { 4082 BTM_TRACE_EVENT6 ("Security Manager: btm_sec_connected in state: %s handle:%d status:%d enc_mode:%d bda:%x RName:%s", 4083 btm_pair_state_descr(btm_cb.pairing_state), handle, status, enc_mode, 4084 (bda[2]<<24)+(bda[3]<<16)+(bda[4]<<8)+bda[5], 4085 p_dev_rec->sec_bd_name); 4086 } 4087 else 4088 { 4089 BTM_TRACE_EVENT5 ("Security Manager: btm_sec_connected in state: %s handle:%d status:%d enc_mode:%d bda:%x ", 4090 btm_pair_state_descr(btm_cb.pairing_state), handle, status, enc_mode, 4091 (bda[2]<<24)+(bda[3]<<16)+(bda[4]<<8)+bda[5]); 4092 } 4093 #endif 4094 4095 if (!p_dev_rec) 4096 { 4097 /* There is no device record for new connection. Allocate one */ 4098 if (status == HCI_SUCCESS) 4099 { 4100 p_dev_rec = btm_sec_alloc_dev (bda); 4101 #if BLE_INCLUDED == TRUE 4102 p_dev_rec->device_type |= BT_DEVICE_TYPE_BREDR; 4103 #endif 4104 } 4105 else 4106 { 4107 /* can not find the device record and the status is error, 4108 * just ignore it */ 4109 return; 4110 } 4111 } 4112 else /* Update the timestamp for this device */ 4113 { 4114 p_dev_rec->timestamp = btm_cb.dev_rec_count++; 4115 if (p_dev_rec->sm4 & BTM_SM4_CONN_PEND) 4116 { 4117 /* tell L2CAP it's a bonding connection. */ 4118 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) 4119 && (memcmp (btm_cb.pairing_bda, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0) 4120 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) ) 4121 { 4122 /* if incoming connection failed while pairing, then try to connect and continue */ 4123 /* Motorola S9 disconnects without asking pin code */ 4124 if ((status != HCI_SUCCESS)&&(btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_PIN_REQ)) 4125 { 4126 BTM_TRACE_WARNING0 ("Security Manager: btm_sec_connected: incoming connection failed without asking PIN"); 4127 4128 p_dev_rec->sm4 &= ~BTM_SM4_CONN_PEND; 4129 if (p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN) 4130 { 4131 /* Start timer with 0 to initiate connection with new LCB */ 4132 /* because L2CAP will delete current LCB with this event */ 4133 btm_cb.p_collided_dev_rec = p_dev_rec; 4134 btm_cb.sec_collision_tle.param = (UINT32) btm_sec_connect_after_reject_timeout; 4135 btu_start_timer (&btm_cb.sec_collision_tle, BTU_TTYPE_USER_FUNC, 0); 4136 } 4137 else 4138 { 4139 btm_sec_change_pairing_state (BTM_PAIR_STATE_GET_REM_NAME); 4140 BTM_ReadRemoteDeviceName(p_dev_rec->bd_addr, NULL); 4141 } 4142 #if BTM_DISC_DURING_RS == TRUE 4143 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */ 4144 #endif 4145 return; 4146 } 4147 else 4148 { 4149 l2cu_update_lcb_4_bonding(p_dev_rec->bd_addr, TRUE); 4150 } 4151 } 4152 /* always clear the pending flag */ 4153 p_dev_rec->sm4 &= ~BTM_SM4_CONN_PEND; 4154 } 4155 } 4156 4157 #if BTM_DISC_DURING_RS == TRUE 4158 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */ 4159 #endif 4160 4161 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */ 4162 4163 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) 4164 && (memcmp (btm_cb.pairing_bda, bda, BD_ADDR_LEN) == 0) ) 4165 { 4166 /* if we rejected incoming connection from bonding device */ 4167 if ((status == HCI_ERR_HOST_REJECT_DEVICE) 4168 &&(btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT)) 4169 { 4170 BTM_TRACE_WARNING2 ("Security Manager: btm_sec_connected: HCI_Conn_Comp Flags:0x%04x, sm4: 0x%x", 4171 btm_cb.pairing_flags, p_dev_rec->sm4); 4172 4173 btm_cb.pairing_flags &= ~BTM_PAIR_FLAGS_REJECTED_CONNECT; 4174 if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4)) 4175 { 4176 /* Try again: RNR when no ACL causes HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT */ 4177 btm_sec_change_pairing_state (BTM_PAIR_STATE_GET_REM_NAME); 4178 BTM_ReadRemoteDeviceName(bda, NULL); 4179 return; 4180 } 4181 4182 /* if we already have pin code */ 4183 if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_PIN) 4184 { 4185 /* Start timer with 0 to initiate connection with new LCB */ 4186 /* because L2CAP will delete current LCB with this event */ 4187 btm_cb.p_collided_dev_rec = p_dev_rec; 4188 btm_cb.sec_collision_tle.param = (UINT32) btm_sec_connect_after_reject_timeout; 4189 btu_start_timer (&btm_cb.sec_collision_tle, BTU_TTYPE_USER_FUNC, 0); 4190 } 4191 4192 return; 4193 } 4194 /* wait for incoming connection without resetting pairing state */ 4195 else if (status == HCI_ERR_CONNECTION_EXISTS) 4196 { 4197 BTM_TRACE_WARNING0 ("Security Manager: btm_sec_connected: Wait for incoming connection"); 4198 return; 4199 } 4200 4201 is_pairing_device = TRUE; 4202 } 4203 4204 /* If connection was made to do bonding restore link security if changed */ 4205 btm_restore_mode(); 4206 4207 /* if connection fails during pin request, notify application */ 4208 if (status != HCI_SUCCESS) 4209 { 4210 /* If connection failed because of during pairing, need to tell user */ 4211 if (is_pairing_device) 4212 { 4213 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE; 4214 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED); 4215 BTM_TRACE_DEBUG1 ("security_required:%x ", p_dev_rec->security_required ); 4216 4217 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 4218 4219 /* We need to notify host that the key is not known any more */ 4220 if (btm_cb.api.p_auth_complete_callback) 4221 { 4222 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, 4223 p_dev_rec->dev_class, 4224 p_dev_rec->sec_bd_name, status); 4225 } 4226 } 4227 else if ((status == HCI_ERR_AUTH_FAILURE) || 4228 (status == HCI_ERR_KEY_MISSING) || 4229 (status == HCI_ERR_HOST_REJECT_SECURITY) || 4230 (status == HCI_ERR_PAIRING_NOT_ALLOWED) || 4231 (status == HCI_ERR_UNIT_KEY_USED) || 4232 (status == HCI_ERR_PAIRING_WITH_UNIT_KEY_NOT_SUPPORTED) || 4233 (status == HCI_ERR_ENCRY_MODE_NOT_ACCEPTABLE) || 4234 (status == HCI_ERR_REPEATED_ATTEMPTS)) 4235 { 4236 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE; 4237 p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_KNOWN; 4238 4239 /* We need to notify host that the key is not known any more */ 4240 if (btm_cb.api.p_auth_complete_callback) 4241 { 4242 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, 4243 p_dev_rec->dev_class, 4244 p_dev_rec->sec_bd_name, status); 4245 } 4246 } 4247 4248 if (status == HCI_ERR_CONNECTION_TOUT || status == HCI_ERR_LMP_RESPONSE_TIMEOUT || 4249 status == HCI_ERR_UNSPECIFIED || status == HCI_ERR_PAGE_TIMEOUT) 4250 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_DEVICE_TIMEOUT); 4251 else 4252 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING); 4253 4254 return; 4255 } 4256 4257 /* If initiated dedicated bonding, return the link key now, and initiate disconnect */ 4258 /* If dedicated bonding, and we now have a link key, we are all done */ 4259 if ( is_pairing_device 4260 && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) ) 4261 { 4262 if (p_dev_rec->link_key_not_sent) 4263 { 4264 p_dev_rec->link_key_not_sent = FALSE; 4265 btm_send_link_key_notif(p_dev_rec); 4266 } 4267 4268 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE; 4269 4270 /* remember flag before it is initialized */ 4271 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) 4272 res = TRUE; 4273 else 4274 res = FALSE; 4275 4276 if (btm_cb.api.p_auth_complete_callback) 4277 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, 4278 p_dev_rec->dev_class, 4279 p_dev_rec->sec_bd_name, HCI_SUCCESS); 4280 4281 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 4282 4283 if ( res ) 4284 { 4285 /* Let l2cap start bond timer */ 4286 l2cu_update_lcb_4_bonding (p_dev_rec->bd_addr, TRUE); 4287 } 4288 4289 return; 4290 } 4291 4292 p_dev_rec->hci_handle = handle; 4293 4294 /* role may not be correct here, it will be updated by l2cap, but we need to */ 4295 /* notify btm_acl that link is up, so starting of rmt name request will not */ 4296 /* set paging flag up */ 4297 p_acl_cb = btm_bda_to_acl(bda); 4298 if (p_acl_cb) 4299 { 4300 /* whatever is in btm_establish_continue() without reporting the BTM_BL_CONN_EVT event */ 4301 #if (!defined(BTM_BYPASS_EXTRA_ACL_SETUP) || BTM_BYPASS_EXTRA_ACL_SETUP == FALSE) 4302 /* For now there are a some devices that do not like sending */ 4303 /* commands events and data at the same time. */ 4304 /* Set the packet types to the default allowed by the device */ 4305 btm_set_packet_types (p_acl_cb, btm_cb.btm_acl_pkt_types_supported); 4306 4307 if (btm_cb.btm_def_link_policy) 4308 BTM_SetLinkPolicy (p_acl_cb->remote_addr, &btm_cb.btm_def_link_policy); 4309 #endif 4310 } 4311 btm_acl_created (bda, p_dev_rec->dev_class, p_dev_rec->sec_bd_name, handle, HCI_ROLE_SLAVE, FALSE); 4312 4313 /* Initialize security flags. We need to do that because some */ 4314 /* authorization complete could have come after the connection is dropped */ 4315 /* and that would set wrong flag that link has been authorized already */ 4316 p_dev_rec->sec_flags &= ~(BTM_SEC_AUTHORIZED | BTM_SEC_AUTHENTICATED | 4317 BTM_SEC_ENCRYPTED | BTM_SEC_ROLE_SWITCHED); 4318 4319 if (enc_mode != HCI_ENCRYPT_MODE_DISABLED) 4320 p_dev_rec->sec_flags |= (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED); 4321 4322 if (btm_cb.security_mode == BTM_SEC_MODE_LINK) 4323 p_dev_rec->sec_flags |= BTM_SEC_AUTHENTICATED; 4324 4325 p_dev_rec->link_key_changed = FALSE; 4326 4327 /* After connection is established we perform security if we do not know */ 4328 /* the name, or if we are originator because some procedure can have */ 4329 /* been scheduled while connection was down */ 4330 BTM_TRACE_DEBUG1 ("is_originator:%d ", p_dev_rec->is_originator); 4331 if (!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN) || p_dev_rec->is_originator) 4332 { 4333 if ((res = btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED) 4334 btm_sec_dev_rec_cback_event (p_dev_rec, res); 4335 } 4336 return; 4337 } 4338 4339 /******************************************************************************* 4340 ** 4341 ** Function btm_sec_role_changed 4342 ** 4343 ** Description This function is colled when controller reports role 4344 ** changed, or failed command status for Role Change request 4345 ** 4346 ** Returns void 4347 ** 4348 *******************************************************************************/ 4349 void btm_sec_role_changed (void *p_ref_data) 4350 { 4351 tBTM_SEC_DEV_REC *p_dev_rec = (tBTM_SEC_DEV_REC *)p_ref_data; 4352 UINT8 res; 4353 4354 BTM_TRACE_EVENT0 ("Security Manager: role changed"); 4355 4356 /* If this role switch was started by peer do not need to do anything */ 4357 if (p_dev_rec->sec_state != BTM_SEC_STATE_SWITCHING_ROLE) 4358 return; 4359 4360 /* If serurity required was to FORCE switch and it failed, notify the waiting layer */ 4361 if (((p_dev_rec->security_required & BTM_SEC_FORCE_MASTER) && !p_dev_rec->role_master) 4362 || ((p_dev_rec->security_required & BTM_SEC_FORCE_SLAVE) && p_dev_rec->role_master)) 4363 { 4364 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING); 4365 return; 4366 } 4367 4368 p_dev_rec->sec_flags |= BTM_SEC_ROLE_SWITCHED; 4369 4370 p_dev_rec->security_required &= ~(BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | 4371 BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE); 4372 4373 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE; 4374 4375 if ((res = (UINT8)btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED) 4376 { 4377 btm_sec_dev_rec_cback_event (p_dev_rec, res); 4378 } 4379 } 4380 4381 /******************************************************************************* 4382 ** 4383 ** Function btm_sec_disconnect 4384 ** 4385 ** Description This function is called to disconnect HCI link 4386 ** 4387 ** Returns btm status 4388 ** 4389 *******************************************************************************/ 4390 tBTM_STATUS btm_sec_disconnect (UINT16 handle, UINT8 reason) 4391 { 4392 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle); 4393 4394 /* In some weird race condition we may not have a record */ 4395 if (!p_dev_rec) 4396 { 4397 btsnd_hcic_disconnect (handle, reason); 4398 return(BTM_SUCCESS); 4399 } 4400 4401 /* If we are in the process of bonding we need to tell client that auth failed */ 4402 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) 4403 && (memcmp (btm_cb.pairing_bda, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0) 4404 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) ) 4405 { 4406 /* we are currently doing bonding. Link will be disconnected when done */ 4407 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_DISC_WHEN_DONE; 4408 return(BTM_BUSY); 4409 } 4410 4411 return(btm_sec_send_hci_disconnect(p_dev_rec, reason)); 4412 } 4413 4414 /******************************************************************************* 4415 ** 4416 ** Function btm_sec_disconnected 4417 ** 4418 ** Description This function is when a connection to the peer device is 4419 ** dropped 4420 ** 4421 ** Returns void 4422 ** 4423 *******************************************************************************/ 4424 void btm_sec_disconnected (UINT16 handle, UINT8 reason) 4425 { 4426 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle); 4427 UINT8 old_pairing_flags = btm_cb.pairing_flags; 4428 int result = HCI_ERR_AUTH_FAILURE; 4429 tBTM_SEC_CALLBACK *p_callback = NULL; 4430 4431 /* If page was delayed for disc complete, can do it now */ 4432 btm_cb.discing = FALSE; 4433 4434 btm_acl_resubmit_page(); 4435 4436 if (!p_dev_rec) 4437 return; 4438 4439 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */ 4440 4441 #if BTM_DISC_DURING_RS == TRUE 4442 BTM_TRACE_ERROR0("btm_sec_disconnected - Clearing Pending flag"); 4443 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */ 4444 #endif 4445 4446 /* clear unused flags */ 4447 p_dev_rec->sm4 &= BTM_SM4_TRUE; 4448 4449 BTM_TRACE_EVENT6("btm_sec_disconnected() sec_req:x%x State: %s reason:%d bda:%04x%08x RName:%s", 4450 p_dev_rec->security_required, btm_pair_state_descr(btm_cb.pairing_state), reason, (p_dev_rec->bd_addr[0]<<8)+p_dev_rec->bd_addr[1], 4451 (p_dev_rec->bd_addr[2]<<24)+(p_dev_rec->bd_addr[3]<<16)+(p_dev_rec->bd_addr[4]<<8)+p_dev_rec->bd_addr[5], p_dev_rec->sec_bd_name); 4452 4453 BTM_TRACE_EVENT1("before Update sec_flags=0x%x", p_dev_rec->sec_flags); 4454 4455 /* If we are in the process of bonding we need to tell client that auth failed */ 4456 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) 4457 && (memcmp (btm_cb.pairing_bda, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0)) 4458 { 4459 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 4460 p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_KNOWN; 4461 if (btm_cb.api.p_auth_complete_callback) 4462 { 4463 /* If the disconnection reason is REPEATED_ATTEMPTS, 4464 send this error message to complete callback function 4465 to display the error message of Repeated attempts. 4466 All others, send HCI_ERR_AUTH_FAILURE. */ 4467 if (reason == HCI_ERR_REPEATED_ATTEMPTS) 4468 { 4469 result = HCI_ERR_REPEATED_ATTEMPTS; 4470 } 4471 else if (old_pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) 4472 { 4473 result = HCI_ERR_HOST_REJECT_SECURITY; 4474 } 4475 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class, 4476 p_dev_rec->sec_bd_name, result); 4477 } 4478 } 4479 4480 p_dev_rec->hci_handle = BTM_SEC_INVALID_HANDLE; 4481 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE; 4482 4483 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE 4484 p_dev_rec->enc_key_size = 0; 4485 btm_ble_update_mode_operation(HCI_ROLE_UNKNOWN, p_dev_rec->bd_addr, FALSE); 4486 /* see sec_flags processing in btm_acl_removed */ 4487 #endif 4488 p_dev_rec->sec_flags &= ~(BTM_SEC_AUTHORIZED | BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED | BTM_SEC_ROLE_SWITCHED); 4489 4490 p_dev_rec->security_required = BTM_SEC_NONE; 4491 4492 p_callback = p_dev_rec->p_callback; 4493 4494 /* if security is pending, send callback to clean up the security state */ 4495 if(p_callback) 4496 { 4497 p_dev_rec->p_callback = NULL; /* when the peer device time out the authentication before 4498 we do, this call back must be reset here */ 4499 (*p_callback) (p_dev_rec->bd_addr, p_dev_rec->p_ref_data, BTM_ERR_PROCESSING); 4500 } 4501 4502 BTM_TRACE_EVENT1("after Update sec_flags=0x%x", p_dev_rec->sec_flags); 4503 } 4504 4505 /******************************************************************************* 4506 ** 4507 ** Function btm_sec_link_key_notification 4508 ** 4509 ** Description This function is called when a new connection link key is 4510 ** generated 4511 ** 4512 ** Returns Pointer to the record or NULL 4513 ** 4514 *******************************************************************************/ 4515 void btm_sec_link_key_notification (UINT8 *p_bda, UINT8 *p_link_key, UINT8 key_type) 4516 { 4517 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_or_alloc_dev (p_bda); 4518 BOOLEAN we_are_bonding = FALSE; 4519 4520 BTM_TRACE_EVENT3 ("btm_sec_link_key_notification() BDA:%04x%08x, TYPE: %d", 4521 (p_bda[0]<<8)+p_bda[1], (p_bda[2]<<24)+(p_bda[3]<<16)+(p_bda[4]<<8)+p_bda[5], 4522 key_type); 4523 4524 /* If connection was made to do bonding restore link security if changed */ 4525 btm_restore_mode(); 4526 4527 /* Override the key type if version is pre-1.1 */ 4528 if (btm_cb.devcb.local_version.hci_version < HCI_VERSION_1_1) 4529 p_dev_rec->link_key_type = BTM_LKEY_TYPE_IGNORE; 4530 if (key_type != BTM_LKEY_TYPE_CHANGED_COMB) 4531 p_dev_rec->link_key_type = key_type; 4532 4533 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_KNOWN; 4534 #if (BLE_INCLUDED == TRUE) 4535 /* BR/EDR connection, update the encryption key size to be 16 as always */ 4536 p_dev_rec->enc_key_size = 16; 4537 #endif 4538 memcpy (p_dev_rec->link_key, p_link_key, LINK_KEY_LEN); 4539 4540 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) 4541 && (memcmp (btm_cb.pairing_bda, p_bda, BD_ADDR_LEN) == 0) ) 4542 { 4543 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) 4544 we_are_bonding = TRUE; 4545 else 4546 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 4547 } 4548 4549 /* If name is not known at this point delay calling callback until the name is */ 4550 /* resolved. Unless it is a HID Device and we really need to send all link keys. */ 4551 if ((!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN) 4552 && ((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) != BTM_COD_MAJOR_PERIPHERAL)) ) 4553 { 4554 BTM_TRACE_EVENT3 ("btm_sec_link_key_notification() Delayed BDA: %08x%04x Type:%d", 4555 (p_bda[0]<<24) + (p_bda[1]<<16) + (p_bda[2]<<8) + p_bda[3], (p_bda[4] << 8) + p_bda[5], key_type); 4556 4557 p_dev_rec->link_key_not_sent = TRUE; 4558 4559 /* If it is for bonding nothing else will follow, so we need to start name resolution */ 4560 if (we_are_bonding) 4561 { 4562 if (!(btsnd_hcic_rmt_name_req (p_bda, HCI_PAGE_SCAN_REP_MODE_R1, HCI_MANDATARY_PAGE_SCAN_MODE, 0))) 4563 btm_inq_rmt_name_failed(); 4564 } 4565 4566 BTM_TRACE_EVENT3 ("rmt_io_caps:%d, sec_flags:x%x, dev_class[1]:x%02x", p_dev_rec->rmt_io_caps, p_dev_rec->sec_flags, p_dev_rec->dev_class[1]) 4567 return; 4568 } 4569 4570 /* If its not us who perform authentication, we should tell stackserver */ 4571 /* that some authentication has been completed */ 4572 /* This is required when different entities receive link notification and auth complete */ 4573 if (!(p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE)) 4574 { 4575 if (btm_cb.api.p_auth_complete_callback) 4576 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class, 4577 p_dev_rec->sec_bd_name, HCI_SUCCESS); 4578 } 4579 4580 /* We will save link key only if the user authorized it - BTE report link key in all cases */ 4581 #ifdef BRCM_NONE_BTE 4582 if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED) 4583 #endif 4584 { 4585 if (btm_cb.api.p_link_key_callback) 4586 { 4587 (*btm_cb.api.p_link_key_callback) (p_bda, p_dev_rec->dev_class, p_dev_rec->sec_bd_name, 4588 p_link_key, p_dev_rec->link_key_type); 4589 } 4590 } 4591 } 4592 4593 /******************************************************************************* 4594 ** 4595 ** Function btm_sec_link_key_request 4596 ** 4597 ** Description This function is called when controller requests link key 4598 ** 4599 ** Returns Pointer to the record or NULL 4600 ** 4601 *******************************************************************************/ 4602 void btm_sec_link_key_request (UINT8 *p_bda) 4603 { 4604 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_or_alloc_dev (p_bda); 4605 4606 BTM_TRACE_EVENT6 ("btm_sec_link_key_request() BDA: %02x:%02x:%02x:%02x:%02x:%02x", 4607 p_bda[0], p_bda[1], p_bda[2], p_bda[3], p_bda[4], p_bda[5]); 4608 4609 if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) 4610 { 4611 btsnd_hcic_link_key_req_reply (p_bda, p_dev_rec->link_key); 4612 return; 4613 } 4614 4615 /* Notify L2CAP to increase timeout */ 4616 l2c_pin_code_request (p_bda); 4617 4618 /* Only ask the host for a key if this guy is not already bonding */ 4619 if ( (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE) 4620 || (memcmp (p_bda, btm_cb.pairing_bda, BD_ADDR_LEN) != 0) ) 4621 { 4622 if (btm_cb.api.p_link_key_req_callback) 4623 { 4624 if ((*btm_cb.api.p_link_key_req_callback)(p_bda, p_dev_rec->link_key) == BTM_SUCCESS) 4625 { 4626 btsnd_hcic_link_key_req_reply (p_bda, p_dev_rec->link_key); 4627 return; 4628 } 4629 } 4630 } 4631 4632 /* The link key is not in the database and it is not known to the manager */ 4633 btsnd_hcic_link_key_neg_reply (p_bda); 4634 } 4635 4636 /******************************************************************************* 4637 ** 4638 ** Function btm_sec_pairing_timeout 4639 ** 4640 ** Description This function is called when host does not provide PIN 4641 ** within requested time 4642 ** 4643 ** Returns Pointer to the TLE struct 4644 ** 4645 *******************************************************************************/ 4646 static void btm_sec_pairing_timeout (TIMER_LIST_ENT *p_tle) 4647 { 4648 tBTM_CB *p_cb = &btm_cb; 4649 tBTM_SEC_DEV_REC *p_dev_rec; 4650 #if BTM_OOB_INCLUDED == TRUE 4651 #if (BTM_LOCAL_IO_CAPS == BTM_IO_CAP_NONE) 4652 tBTM_AUTH_REQ auth_req = BTM_AUTH_AP_NO; 4653 #else 4654 tBTM_AUTH_REQ auth_req = BTM_AUTH_AP_YES; 4655 #endif 4656 #endif 4657 UINT8 name[2]; 4658 4659 p_cb->pairing_tle.param = 0; 4660 /* Coverity: FALSE-POSITIVE error from Coverity tool. Please do NOT remove following comment. */ 4661 /* coverity[UNUSED_VALUE] pointer p_dev_rec is actually used several times... This is a Coverity false-positive, i.e. a fake issue. 4662 */ 4663 p_dev_rec = btm_find_dev (p_cb->pairing_bda); 4664 4665 BTM_TRACE_EVENT2 ("btm_sec_pairing_timeout() State: %s Flags: %u", 4666 btm_pair_state_descr(p_cb->pairing_state), p_cb->pairing_flags); 4667 4668 switch (p_cb->pairing_state) 4669 { 4670 case BTM_PAIR_STATE_WAIT_PIN_REQ: 4671 btm_sec_bond_cancel_complete(); 4672 break; 4673 4674 case BTM_PAIR_STATE_WAIT_LOCAL_PIN: 4675 if ( (btm_cb.pairing_flags & BTM_PAIR_FLAGS_PRE_FETCH_PIN) == 0) 4676 btsnd_hcic_pin_code_neg_reply (p_cb->pairing_bda); 4677 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 4678 /* We need to notify the UI that no longer need the PIN */ 4679 if (btm_cb.api.p_auth_complete_callback) 4680 { 4681 if (p_dev_rec == NULL) 4682 { 4683 name[0] = 0; 4684 (*btm_cb.api.p_auth_complete_callback) (p_cb->pairing_bda, 4685 NULL, 4686 name, HCI_ERR_CONNECTION_TOUT); 4687 } 4688 else 4689 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, 4690 p_dev_rec->dev_class, 4691 p_dev_rec->sec_bd_name, HCI_ERR_CONNECTION_TOUT); 4692 } 4693 break; 4694 4695 case BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM: 4696 btsnd_hcic_user_conf_reply (p_cb->pairing_bda, FALSE); 4697 /* btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); */ 4698 break; 4699 4700 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE) 4701 case BTM_PAIR_STATE_KEY_ENTRY: 4702 btsnd_hcic_user_passkey_neg_reply(p_cb->pairing_bda); 4703 /* btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); */ 4704 break; 4705 #endif /* !BTM_IO_CAP_NONE */ 4706 4707 #if BTM_OOB_INCLUDED == TRUE 4708 case BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS: 4709 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) 4710 auth_req |= BTM_AUTH_DD_BOND; 4711 4712 btsnd_hcic_io_cap_req_reply (p_cb->pairing_bda, btm_cb.devcb.loc_io_caps, 4713 BTM_OOB_NONE, auth_req); 4714 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 4715 break; 4716 4717 case BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP: 4718 btsnd_hcic_rem_oob_neg_reply (p_cb->pairing_bda); 4719 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 4720 break; 4721 #endif /* BTM_OOB_INCLUDED */ 4722 4723 case BTM_PAIR_STATE_WAIT_DISCONNECT: 4724 /* simple pairing failed. Started a 1-sec timer at simple pairing complete. 4725 * now it's time to tear down the ACL link*/ 4726 if (p_dev_rec == NULL) 4727 { 4728 BTM_TRACE_ERROR2 ("btm_sec_pairing_timeout() BTM_PAIR_STATE_WAIT_DISCONNECT unknown BDA: %08x%04x", 4729 (p_cb->pairing_bda[0]<<24) + (p_cb->pairing_bda[1]<<16) + (p_cb->pairing_bda[2]<<8) + p_cb->pairing_bda[3], 4730 (p_cb->pairing_bda[4] << 8) + p_cb->pairing_bda[5]); 4731 break; 4732 } 4733 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE); 4734 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 4735 break; 4736 4737 case BTM_PAIR_STATE_WAIT_AUTH_COMPLETE: 4738 /* We need to notify the UI that timeout has happened while waiting for authentication*/ 4739 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 4740 if (btm_cb.api.p_auth_complete_callback) 4741 { 4742 if (p_dev_rec == NULL) 4743 { 4744 name[0] = 0; 4745 (*btm_cb.api.p_auth_complete_callback) (p_cb->pairing_bda, 4746 NULL, 4747 name, HCI_ERR_CONNECTION_TOUT); 4748 } 4749 else 4750 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, 4751 p_dev_rec->dev_class, 4752 p_dev_rec->sec_bd_name, HCI_ERR_CONNECTION_TOUT); 4753 } 4754 break; 4755 4756 default: 4757 BTM_TRACE_WARNING1 ("btm_sec_pairing_timeout() not processed state: %s", btm_pair_state_descr(btm_cb.pairing_state)); 4758 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 4759 break; 4760 } 4761 } 4762 4763 /******************************************************************************* 4764 ** 4765 ** Function btm_sec_pin_code_request 4766 ** 4767 ** Description This function is called when controller requests PIN code 4768 ** 4769 ** Returns Pointer to the record or NULL 4770 ** 4771 *******************************************************************************/ 4772 void btm_sec_pin_code_request (UINT8 *p_bda) 4773 { 4774 tBTM_SEC_DEV_REC *p_dev_rec; 4775 tBTM_CB *p_cb = &btm_cb; 4776 4777 BTM_TRACE_EVENT3 ("btm_sec_pin_code_request() State: %s, BDA:%04x%08x", 4778 btm_pair_state_descr(btm_cb.pairing_state), 4779 (p_bda[0]<<8)+p_bda[1], (p_bda[2]<<24)+(p_bda[3]<<16)+(p_bda[4]<<8)+p_bda[5] ); 4780 4781 if (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) 4782 { 4783 if ( (memcmp (p_bda, btm_cb.pairing_bda, BD_ADDR_LEN) == 0) && 4784 (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_AUTH_COMPLETE) ) 4785 { 4786 /* fake this out - porshe carkit issue - */ 4787 // btm_cb.pairing_state = BTM_PAIR_STATE_IDLE; 4788 if(! btm_cb.pin_code_len_saved) 4789 { 4790 btsnd_hcic_pin_code_neg_reply (p_bda); 4791 return; 4792 } 4793 else 4794 { 4795 btsnd_hcic_pin_code_req_reply (p_bda, btm_cb.pin_code_len_saved, p_cb->pin_code); 4796 return; 4797 } 4798 } 4799 else if ((btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_PIN_REQ) 4800 || memcmp (p_bda, btm_cb.pairing_bda, BD_ADDR_LEN) != 0) 4801 { 4802 BTM_TRACE_WARNING1 ("btm_sec_pin_code_request() rejected - state: %s", 4803 btm_pair_state_descr(btm_cb.pairing_state)); 4804 4805 #ifdef PORCHE_PAIRING_CONFLICT 4806 /* reply pin code again due to counter in_rand when local initiates pairing */ 4807 BTM_TRACE_EVENT0 ("btm_sec_pin_code_request from remote dev. for local initiated pairing"); 4808 if(! btm_cb.pin_code_len_saved) 4809 { 4810 btsnd_hcic_pin_code_neg_reply (p_bda); 4811 } 4812 else 4813 { 4814 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE); 4815 btsnd_hcic_pin_code_req_reply (p_bda, btm_cb.pin_code_len_saved, p_cb->pin_code); 4816 } 4817 #else 4818 btsnd_hcic_pin_code_neg_reply (p_bda); 4819 #endif 4820 return; 4821 } 4822 } 4823 4824 p_dev_rec = btm_find_or_alloc_dev (p_bda); 4825 /* received PIN code request. must be non-sm4 */ 4826 p_dev_rec->sm4 = BTM_SM4_KNOWN; 4827 4828 if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE) 4829 { 4830 memcpy (btm_cb.pairing_bda, p_bda, BD_ADDR_LEN); 4831 4832 btm_cb.pairing_flags = BTM_PAIR_FLAGS_PEER_STARTED_DD; 4833 /* Make sure we reset the trusted mask to help against attacks */ 4834 BTM_SEC_CLR_TRUSTED_DEVICE(p_dev_rec->trusted_mask); 4835 } 4836 4837 if (!p_cb->pairing_disabled && (p_cb->cfg.pin_type == HCI_PIN_TYPE_FIXED)) 4838 { 4839 BTM_TRACE_EVENT0 ("btm_sec_pin_code_request fixed pin replying"); 4840 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE); 4841 btsnd_hcic_pin_code_req_reply (p_bda, p_cb->cfg.pin_code_len, p_cb->cfg.pin_code); 4842 return; 4843 } 4844 4845 /* Use the connecting device's CoD for the connection */ 4846 if ( (!memcmp (p_bda, p_cb->connecting_bda, BD_ADDR_LEN)) 4847 && (p_cb->connecting_dc[0] || p_cb->connecting_dc[1] || p_cb->connecting_dc[2]) ) 4848 memcpy (p_dev_rec->dev_class, p_cb->connecting_dc, DEV_CLASS_LEN); 4849 4850 /* We could have started connection after asking user for the PIN code */ 4851 if (btm_cb.pin_code_len != 0) 4852 { 4853 BTM_TRACE_EVENT0 ("btm_sec_pin_code_request bonding sending reply"); 4854 btsnd_hcic_pin_code_req_reply (p_bda, btm_cb.pin_code_len, p_cb->pin_code); 4855 4856 #ifdef PORCHE_PAIRING_CONFLICT 4857 btm_cb.pin_code_len_saved = btm_cb.pin_code_len; 4858 #endif 4859 4860 /* Mark that we forwarded received from the user PIN code */ 4861 btm_cb.pin_code_len = 0; 4862 4863 /* We can change mode back right away, that other connection being established */ 4864 /* is not forced to be secure - found a FW issue, so we can not do this 4865 btm_restore_mode(); */ 4866 4867 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE); 4868 } 4869 4870 /* If pairing disabled OR (no PIN callback and not bonding) */ 4871 /* OR we could not allocate entry in the database reject pairing request */ 4872 else if (p_cb->pairing_disabled 4873 || (p_cb->api.p_pin_callback == NULL) 4874 4875 /* OR Microsoft keyboard can for some reason try to establish connection */ 4876 /* the only thing we can do here is to shut it up. Normally we will be originator */ 4877 /* for keyboard bonding */ 4878 || (!p_dev_rec->is_originator 4879 && ((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) == BTM_COD_MAJOR_PERIPHERAL) 4880 && (p_dev_rec->dev_class[2] & BTM_COD_MINOR_KEYBOARD)) ) 4881 { 4882 BTM_TRACE_WARNING3("btm_sec_pin_code_request(): Pairing disabled:%d; PIN callback:%x, Dev Rec:%x!", 4883 p_cb->pairing_disabled, p_cb->api.p_pin_callback, p_dev_rec); 4884 4885 btsnd_hcic_pin_code_neg_reply (p_bda); 4886 } 4887 /* Notify upper layer of PIN request and start expiration timer */ 4888 else 4889 { 4890 btm_cb.pin_code_len_saved = 0; 4891 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_PIN); 4892 /* Pin code request can not come at the same time as connection request */ 4893 memcpy (p_cb->connecting_bda, p_bda, BD_ADDR_LEN); 4894 memcpy (p_cb->connecting_dc, p_dev_rec->dev_class, DEV_CLASS_LEN); 4895 4896 /* Check if the name is known */ 4897 /* Even if name is not known we might not be able to get one */ 4898 /* this is the case when we are already getting something from the */ 4899 /* device, so HCI level is flow controlled */ 4900 /* Also cannot send remote name request while paging, i.e. connection is not completed */ 4901 if (p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN) 4902 { 4903 BTM_TRACE_EVENT0 ("btm_sec_pin_code_request going for callback"); 4904 4905 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD; 4906 if (p_cb->api.p_pin_callback) 4907 (*p_cb->api.p_pin_callback) (p_bda, p_dev_rec->dev_class, p_dev_rec->sec_bd_name); 4908 } 4909 else 4910 { 4911 BTM_TRACE_EVENT0 ("btm_sec_pin_code_request going for remote name"); 4912 4913 /* We received PIN code request for the device with unknown name */ 4914 /* it is not user friendly just to ask for the PIN without name */ 4915 /* try to get name at first */ 4916 if (!btsnd_hcic_rmt_name_req (p_dev_rec->bd_addr, 4917 HCI_PAGE_SCAN_REP_MODE_R1, 4918 HCI_MANDATARY_PAGE_SCAN_MODE, 0)) 4919 { 4920 p_dev_rec->sec_flags |= BTM_SEC_NAME_KNOWN; 4921 p_dev_rec->sec_bd_name[0] = 'f'; 4922 p_dev_rec->sec_bd_name[1] = '0'; 4923 BTM_TRACE_ERROR0 ("can not send rmt_name_req?? fake a name and call callback"); 4924 4925 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD; 4926 if (p_cb->api.p_pin_callback) 4927 (*p_cb->api.p_pin_callback) (p_bda, p_dev_rec->dev_class, p_dev_rec->sec_bd_name); 4928 } 4929 } 4930 } 4931 4932 return; 4933 } 4934 4935 /******************************************************************************* 4936 ** 4937 ** Function btm_sec_update_clock_offset 4938 ** 4939 ** Description This function is called to update clock offset 4940 ** 4941 ** Returns void 4942 ** 4943 *******************************************************************************/ 4944 void btm_sec_update_clock_offset (UINT16 handle, UINT16 clock_offset) 4945 { 4946 tBTM_SEC_DEV_REC *p_dev_rec; 4947 tBTM_INQ_INFO *p_inq_info; 4948 4949 if ((p_dev_rec = btm_find_dev_by_handle (handle)) == NULL) 4950 return; 4951 4952 p_dev_rec->clock_offset = clock_offset | BTM_CLOCK_OFFSET_VALID; 4953 4954 if ((p_inq_info = BTM_InqDbRead(p_dev_rec->bd_addr)) == NULL) 4955 return; 4956 4957 p_inq_info->results.clock_offset = clock_offset | BTM_CLOCK_OFFSET_VALID; 4958 } 4959 4960 4961 /****************************************************************** 4962 ** S T A T I C F U N C T I O N S 4963 *******************************************************************/ 4964 4965 /******************************************************************************* 4966 ** 4967 ** Function btm_sec_execute_procedure 4968 ** 4969 ** Description This function is called to start required security 4970 ** procedure. There is a case when multiplexing protocol 4971 ** calls this function on the originating side, connection to 4972 ** the peer will not be established. This function in this 4973 ** case performs only authorization. 4974 ** 4975 ** Returns BTM_SUCCESS - permission is granted 4976 ** BTM_CMD_STARTED - in process 4977 ** BTM_NO_RESOURCES - permission declined 4978 ** 4979 *******************************************************************************/ 4980 static tBTM_STATUS btm_sec_execute_procedure (tBTM_SEC_DEV_REC *p_dev_rec) 4981 { 4982 BTM_TRACE_EVENT3 ("btm_sec_execute_procedure: Required:0x%x Flags:0x%x State:%d", 4983 p_dev_rec->security_required, p_dev_rec->sec_flags, p_dev_rec->sec_state); 4984 4985 /* There is a chance that we are getting name. Wait until done. */ 4986 if (p_dev_rec->sec_state != 0) 4987 return(BTM_CMD_STARTED); 4988 4989 /* If any security is required, get the name first */ 4990 if (!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN) 4991 && (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)) 4992 { 4993 BTM_TRACE_EVENT0 ("Security Manager: Start get name"); 4994 if (!btm_sec_start_get_name (p_dev_rec)) 4995 { 4996 return(BTM_NO_RESOURCES); 4997 } 4998 return(BTM_CMD_STARTED); 4999 } 5000 5001 /* If connection is not authenticated and authentication is required */ 5002 /* start authentication and return PENDING to the caller */ 5003 if ((!(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)) 5004 && (( p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE)) 5005 || (!p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_IN_AUTHENTICATE))) 5006 && (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)) 5007 { 5008 #if (L2CAP_UCD_INCLUDED == TRUE) 5009 /* if incoming UCD packet, discard it */ 5010 if ( !p_dev_rec->is_originator && (p_dev_rec->is_ucd == TRUE )) 5011 return(BTM_FAILED_ON_SECURITY); 5012 #endif 5013 5014 BTM_TRACE_EVENT0 ("Security Manager: Start authentication"); 5015 5016 if (!btm_sec_start_authentication (p_dev_rec)) 5017 { 5018 return(BTM_NO_RESOURCES); 5019 } 5020 return(BTM_CMD_STARTED); 5021 } 5022 5023 /* If connection is not encrypted and encryption is required */ 5024 /* start encryption and return PENDING to the caller */ 5025 if (!(p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED) 5026 && (( p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_OUT_ENCRYPT)) 5027 || (!p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_IN_ENCRYPT))) 5028 && (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)) 5029 { 5030 #if (L2CAP_UCD_INCLUDED == TRUE) 5031 /* if incoming UCD packet, discard it */ 5032 if ( !p_dev_rec->is_originator && (p_dev_rec->is_ucd == TRUE )) 5033 return(BTM_FAILED_ON_SECURITY); 5034 #endif 5035 5036 BTM_TRACE_EVENT0 ("Security Manager: Start encryption"); 5037 5038 if (!btm_sec_start_encryption (p_dev_rec)) 5039 { 5040 return(BTM_NO_RESOURCES); 5041 } 5042 return(BTM_CMD_STARTED); 5043 } 5044 5045 /* If connection is not authorized and authorization is required */ 5046 /* start authorization and return PENDING to the caller */ 5047 if (!(p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED) 5048 && (( p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_OUT_AUTHORIZE)) 5049 || (!p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_IN_AUTHORIZE)))) 5050 { 5051 BTM_TRACE_EVENT2 ("service id:%d, is trusted:%d", 5052 p_dev_rec->p_cur_service->service_id, 5053 (BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask, 5054 p_dev_rec->p_cur_service->service_id))); 5055 if ((btm_sec_are_all_trusted(p_dev_rec->trusted_mask) == FALSE) && 5056 (p_dev_rec->p_cur_service->service_id < BTM_SEC_MAX_SERVICES) && 5057 (BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask, 5058 p_dev_rec->p_cur_service->service_id) == FALSE)) 5059 { 5060 BTM_TRACE_EVENT0 ("Security Manager: Start authorization"); 5061 return(btm_sec_start_authorization (p_dev_rec)); 5062 } 5063 } 5064 5065 /* All required security procedures already established */ 5066 p_dev_rec->security_required &= ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_IN_AUTHORIZE | 5067 BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_IN_AUTHENTICATE | 5068 BTM_SEC_OUT_ENCRYPT | BTM_SEC_IN_ENCRYPT | 5069 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | 5070 BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE); 5071 5072 BTM_TRACE_EVENT2 ("Security Manager: trusted:0x%04x%04x", p_dev_rec->trusted_mask[1], p_dev_rec->trusted_mask[0]); 5073 BTM_TRACE_EVENT0 ("Security Manager: access granted"); 5074 5075 return(BTM_SUCCESS); 5076 } 5077 5078 5079 /******************************************************************************* 5080 ** 5081 ** Function btm_sec_start_get_name 5082 ** 5083 ** Description This function is called to start get name procedure 5084 ** 5085 ** Returns TRUE if started 5086 ** 5087 *******************************************************************************/ 5088 static BOOLEAN btm_sec_start_get_name (tBTM_SEC_DEV_REC *p_dev_rec) 5089 { 5090 UINT8 tempstate = p_dev_rec->sec_state; 5091 5092 p_dev_rec->sec_state = BTM_SEC_STATE_GETTING_NAME; 5093 5094 /* Device should be connected, no need to provide correct page params */ 5095 /* 0 and NULL are as timeout and callback params because they are not used in security get name case */ 5096 if ((btm_initiate_rem_name (p_dev_rec->bd_addr, NULL, BTM_RMT_NAME_SEC, 5097 0, NULL)) != BTM_CMD_STARTED) 5098 { 5099 p_dev_rec->sec_state = tempstate; 5100 return(FALSE); 5101 } 5102 5103 return(TRUE); 5104 } 5105 5106 /******************************************************************************* 5107 ** 5108 ** Function btm_sec_start_authentication 5109 ** 5110 ** Description This function is called to start authentication 5111 ** 5112 ** Returns TRUE if started 5113 ** 5114 *******************************************************************************/ 5115 static BOOLEAN btm_sec_start_authentication (tBTM_SEC_DEV_REC *p_dev_rec) 5116 { 5117 p_dev_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING; 5118 5119 return(btsnd_hcic_auth_request (p_dev_rec->hci_handle)); 5120 } 5121 5122 /******************************************************************************* 5123 ** 5124 ** Function btm_sec_start_encryption 5125 ** 5126 ** Description This function is called to start encryption 5127 ** 5128 ** Returns TRUE if started 5129 ** 5130 *******************************************************************************/ 5131 static BOOLEAN btm_sec_start_encryption (tBTM_SEC_DEV_REC *p_dev_rec) 5132 { 5133 if (!btsnd_hcic_set_conn_encrypt (p_dev_rec->hci_handle, TRUE)) 5134 return(FALSE); 5135 5136 p_dev_rec->sec_state = BTM_SEC_STATE_ENCRYPTING; 5137 return(TRUE); 5138 } 5139 5140 5141 /******************************************************************************* 5142 ** 5143 ** Function btm_sec_start_authorization 5144 ** 5145 ** Description This function is called to start authorization 5146 ** 5147 ** Returns TRUE if started 5148 ** 5149 *******************************************************************************/ 5150 static UINT8 btm_sec_start_authorization (tBTM_SEC_DEV_REC *p_dev_rec) 5151 { 5152 UINT8 result; 5153 UINT8 *p_service_name = NULL; 5154 UINT8 service_id; 5155 5156 if ((p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN) 5157 || (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE)) 5158 { 5159 if (!btm_cb.api.p_authorize_callback) 5160 return(BTM_MODE_UNSUPPORTED); 5161 5162 if (p_dev_rec->p_cur_service) 5163 { 5164 #if BTM_SEC_SERVICE_NAME_LEN > 0 5165 if (p_dev_rec->is_originator) 5166 p_service_name = p_dev_rec->p_cur_service->orig_service_name; 5167 else 5168 p_service_name = p_dev_rec->p_cur_service->term_service_name; 5169 #endif 5170 service_id = p_dev_rec->p_cur_service->service_id; 5171 } 5172 else 5173 service_id = 0; 5174 5175 /* Send authorization request if not already sent during this service connection */ 5176 if (p_dev_rec->last_author_service_id == BTM_SEC_NO_LAST_SERVICE_ID 5177 || p_dev_rec->last_author_service_id != service_id) 5178 { 5179 p_dev_rec->sec_state = BTM_SEC_STATE_AUTHORIZING; 5180 result = (*btm_cb.api.p_authorize_callback) (p_dev_rec->bd_addr, 5181 p_dev_rec->dev_class, 5182 p_dev_rec->sec_bd_name, 5183 p_service_name, 5184 service_id, 5185 p_dev_rec->is_originator); 5186 } 5187 5188 else /* Already authorized once for this L2CAP bringup */ 5189 { 5190 BTM_TRACE_DEBUG1 ("btm_sec_start_authorization: (Ignoring extra Authorization prompt for service %d)", service_id); 5191 return (BTM_SUCCESS); 5192 } 5193 5194 if (result == BTM_SUCCESS) 5195 { 5196 p_dev_rec->sec_flags |= BTM_SEC_AUTHORIZED; 5197 5198 /* Save the currently authorized service in case we are asked again by another multiplexer layer */ 5199 if (!p_dev_rec->is_originator) 5200 p_dev_rec->last_author_service_id = service_id; 5201 5202 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE; 5203 } 5204 return(result); 5205 } 5206 btm_sec_start_get_name (p_dev_rec); 5207 return(BTM_CMD_STARTED); 5208 } 5209 5210 /******************************************************************************* 5211 ** 5212 ** Function btm_sec_are_all_trusted 5213 ** 5214 ** Description This function is called check if all services are trusted 5215 ** 5216 ** Returns TRUE if all are trusted, otherwise FALSE 5217 ** 5218 *******************************************************************************/ 5219 BOOLEAN btm_sec_are_all_trusted(UINT32 p_mask[]) 5220 { 5221 UINT32 trusted_inx; 5222 for (trusted_inx = 0; trusted_inx < BTM_SEC_SERVICE_ARRAY_SIZE; trusted_inx++) 5223 { 5224 if (p_mask[trusted_inx] != BTM_SEC_TRUST_ALL) 5225 return(FALSE); 5226 } 5227 5228 return(TRUE); 5229 } 5230 5231 /******************************************************************************* 5232 ** 5233 ** Function btm_sec_find_first_serv 5234 ** 5235 ** Description Look for the first record in the service database 5236 ** with specified PSM 5237 ** 5238 ** Returns Pointer to the record or NULL 5239 ** 5240 *******************************************************************************/ 5241 static tBTM_SEC_SERV_REC *btm_sec_find_first_serv (CONNECTION_TYPE conn_type, UINT16 psm) 5242 { 5243 tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0]; 5244 int i; 5245 BOOLEAN is_originator; 5246 5247 #if (L2CAP_UCD_INCLUDED == TRUE) 5248 5249 if ( conn_type & CONNECTION_TYPE_ORIG_MASK ) 5250 is_originator = TRUE; 5251 else 5252 is_originator = FALSE; 5253 #else 5254 is_originator = conn_type; 5255 #endif 5256 5257 if (is_originator && btm_cb.p_out_serv && btm_cb.p_out_serv->psm == psm) 5258 { 5259 /* If this is outgoing connection and the PSM matches p_out_serv, 5260 * use it as the current service */ 5261 return btm_cb.p_out_serv; 5262 } 5263 5264 /* otherwise, just find the first record with the specified PSM */ 5265 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++) 5266 { 5267 if ( (p_serv_rec->security_flags & BTM_SEC_IN_USE) && (p_serv_rec->psm == psm) ) 5268 return(p_serv_rec); 5269 } 5270 return(NULL); 5271 } 5272 5273 5274 /******************************************************************************* 5275 ** 5276 ** Function btm_sec_find_next_serv 5277 ** 5278 ** Description Look for the next record in the service database 5279 ** with specified PSM 5280 ** 5281 ** Returns Pointer to the record or NULL 5282 ** 5283 *******************************************************************************/ 5284 static tBTM_SEC_SERV_REC *btm_sec_find_next_serv (tBTM_SEC_SERV_REC *p_cur) 5285 { 5286 tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0]; 5287 int i; 5288 5289 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++) 5290 { 5291 if ((p_serv_rec->security_flags & BTM_SEC_IN_USE) 5292 && (p_serv_rec->psm == p_cur->psm) ) 5293 { 5294 if (p_cur != p_serv_rec) 5295 { 5296 return(p_serv_rec); 5297 } 5298 } 5299 } 5300 return(NULL); 5301 } 5302 5303 5304 /******************************************************************************* 5305 ** 5306 ** Function btm_sec_find_mx_serv 5307 ** 5308 ** Description Look for the record in the service database with specified 5309 ** PSM and multiplexor channel information 5310 ** 5311 ** Returns Pointer to the record or NULL 5312 ** 5313 *******************************************************************************/ 5314 static tBTM_SEC_SERV_REC *btm_sec_find_mx_serv (UINT8 is_originator, UINT16 psm, 5315 UINT32 mx_proto_id, UINT32 mx_chan_id) 5316 { 5317 tBTM_SEC_SERV_REC *p_out_serv = btm_cb.p_out_serv; 5318 tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0]; 5319 int i; 5320 5321 BTM_TRACE_DEBUG0 ("btm_sec_find_mx_serv"); 5322 if (is_originator && p_out_serv && p_out_serv->psm == psm 5323 && p_out_serv->mx_proto_id == mx_proto_id 5324 && p_out_serv->orig_mx_chan_id == mx_chan_id) 5325 { 5326 /* If this is outgoing connection and the parameters match p_out_serv, 5327 * use it as the current service */ 5328 return btm_cb.p_out_serv; 5329 } 5330 5331 /* otherwise, the old way */ 5332 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++) 5333 { 5334 if ((p_serv_rec->security_flags & BTM_SEC_IN_USE) 5335 && (p_serv_rec->psm == psm) 5336 && (p_serv_rec->mx_proto_id == mx_proto_id) 5337 && (( is_originator && (p_serv_rec->orig_mx_chan_id == mx_chan_id)) 5338 || (!is_originator && (p_serv_rec->term_mx_chan_id == mx_chan_id)))) 5339 { 5340 return(p_serv_rec); 5341 } 5342 } 5343 return(NULL); 5344 } 5345 5346 5347 /******************************************************************************* 5348 ** 5349 ** Function btm_sec_collision_timeout 5350 ** 5351 ** Description Encryption could not start because of the collision 5352 ** try to do it again 5353 ** 5354 ** Returns Pointer to the TLE struct 5355 ** 5356 *******************************************************************************/ 5357 static void btm_sec_collision_timeout (TIMER_LIST_ENT *p_tle) 5358 { 5359 tBTM_STATUS status; 5360 5361 BTM_TRACE_EVENT0 ("btm_sec_collision_timeout()"); 5362 btm_cb.sec_collision_tle.param = 0; 5363 5364 status = btm_sec_execute_procedure (btm_cb.p_collided_dev_rec); 5365 5366 /* If result is pending reply from the user or from the device is pending */ 5367 if (status != BTM_CMD_STARTED) 5368 { 5369 /* There is no next procedure or start of procedure failed, notify the waiting layer */ 5370 btm_sec_dev_rec_cback_event (btm_cb.p_collided_dev_rec, status); 5371 } 5372 } 5373 5374 /******************************************************************************* 5375 ** 5376 ** Function btm_sec_link_key_request 5377 ** 5378 ** Description This function is called when controller requests link key 5379 ** 5380 ** Returns Pointer to the record or NULL 5381 ** 5382 *******************************************************************************/ 5383 static void btm_send_link_key_notif (tBTM_SEC_DEV_REC *p_dev_rec) 5384 { 5385 if (btm_cb.api.p_link_key_callback) 5386 (*btm_cb.api.p_link_key_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class, 5387 p_dev_rec->sec_bd_name, p_dev_rec->link_key, 5388 p_dev_rec->link_key_type); 5389 } 5390 5391 /******************************************************************************* 5392 ** 5393 ** Function BTM_ReadTrustedMask 5394 ** 5395 ** Description Get trusted mask for the peer device 5396 ** 5397 ** Parameters: bd_addr - Address of the device 5398 ** 5399 ** Returns NULL, if the device record is not found. 5400 ** otherwise, the trusted mask 5401 ** 5402 *******************************************************************************/ 5403 UINT32 * BTM_ReadTrustedMask (BD_ADDR bd_addr) 5404 { 5405 tBTM_SEC_DEV_REC *p_dev_rec; 5406 5407 if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL) 5408 { 5409 return(p_dev_rec->trusted_mask); 5410 } 5411 else 5412 { 5413 return NULL; 5414 } 5415 } 5416 5417 /******************************************************************************* 5418 ** 5419 ** Function btm_restore_mode 5420 ** 5421 ** Description This function returns the security mode to previous setting 5422 ** if it was changed during bonding. 5423 ** 5424 ** 5425 ** Parameters: void 5426 ** 5427 *******************************************************************************/ 5428 static void btm_restore_mode(void) 5429 { 5430 if (btm_cb.security_mode_changed) 5431 { 5432 btm_cb.security_mode_changed = FALSE; 5433 BTM_TRACE_DEBUG1("btm_restore_mode: Authen Enable -> %d", (btm_cb.security_mode == BTM_SEC_MODE_LINK)); 5434 btsnd_hcic_write_auth_enable ((UINT8)(btm_cb.security_mode == BTM_SEC_MODE_LINK)); 5435 } 5436 5437 if (btm_cb.pin_type_changed) 5438 { 5439 btm_cb.pin_type_changed = FALSE; 5440 btsnd_hcic_write_pin_type (btm_cb.cfg.pin_type); 5441 } 5442 } 5443 5444 5445 /******************************************************************************* 5446 ** 5447 ** Function btm_sec_find_dev_by_sec_state 5448 ** 5449 ** Description Look for the record in the device database for the device 5450 ** which is being authenticated or encrypted 5451 ** 5452 ** Returns Pointer to the record or NULL 5453 ** 5454 *******************************************************************************/ 5455 tBTM_SEC_DEV_REC *btm_sec_find_dev_by_sec_state (UINT8 state) 5456 { 5457 tBTM_SEC_DEV_REC *p_dev_rec = &btm_cb.sec_dev_rec[0]; 5458 int i; 5459 5460 for (i = 0; i < BTM_SEC_MAX_DEVICE_RECORDS; i++, p_dev_rec++) 5461 { 5462 if ((p_dev_rec->sec_flags & BTM_SEC_IN_USE) 5463 && (p_dev_rec->sec_state == state)) 5464 return(p_dev_rec); 5465 } 5466 return(NULL); 5467 } 5468 5469 /******************************************************************************* 5470 ** 5471 ** Function BTM_snd_conn_encrypt 5472 ** 5473 ** Description This function is called to start/stop encryption 5474 ** Used by JSR-82 5475 ** 5476 ** Returns TRUE if request started 5477 ** 5478 *******************************************************************************/ 5479 BOOLEAN BTM_snd_conn_encrypt (UINT16 handle, BOOLEAN enable) 5480 { 5481 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle); 5482 5483 BTM_TRACE_EVENT2 ("BTM_snd_conn_encrypt Security Manager: encrypt_change p_dev_rec : 0x%x, enable = %s", p_dev_rec, (enable == TRUE) ? "TRUE" : "FALSE"); 5484 5485 if (!p_dev_rec) 5486 { 5487 BTM_TRACE_EVENT1 ("BTM_snd_conn_encrypt Error no p_dev_rec : 0x%x\n", p_dev_rec); 5488 return(FALSE); 5489 } 5490 5491 if ( p_dev_rec->sec_state == BTM_SEC_STATE_IDLE) 5492 { 5493 if (!btsnd_hcic_set_conn_encrypt (handle, enable)) 5494 return(FALSE); 5495 5496 p_dev_rec->sec_state = BTM_SEC_STATE_ENCRYPTING; 5497 5498 return(TRUE); 5499 } 5500 else 5501 return(FALSE); 5502 } 5503 5504 /******************************************************************************* 5505 ** 5506 ** Function btm_sec_change_pairing_state 5507 ** 5508 ** Description This function is called to change pairing state 5509 ** 5510 *******************************************************************************/ 5511 static void btm_sec_change_pairing_state (tBTM_PAIRING_STATE new_state) 5512 { 5513 tBTM_PAIRING_STATE old_state = btm_cb.pairing_state; 5514 5515 BTM_TRACE_EVENT1 ("btm_sec_change_pairing_state Old: %s", btm_pair_state_descr(btm_cb.pairing_state)); 5516 BTM_TRACE_EVENT2 ("btm_sec_change_pairing_state New: %s pairing_flags:0x%x",btm_pair_state_descr(new_state), btm_cb.pairing_flags); 5517 5518 btm_cb.pairing_state = new_state; 5519 5520 if (new_state == BTM_PAIR_STATE_IDLE) 5521 { 5522 btu_stop_timer (&btm_cb.pairing_tle); 5523 5524 btm_cb.pairing_flags = 0; 5525 btm_cb.pin_code_len = 0; 5526 5527 /* Make sure the the lcb shows we are not bonding */ 5528 l2cu_update_lcb_4_bonding (btm_cb.pairing_bda, FALSE); 5529 5530 btm_restore_mode(); 5531 btm_sec_check_pending_reqs(); 5532 btm_inq_clear_ssp(); 5533 5534 memset (btm_cb.pairing_bda, 0xFF, BD_ADDR_LEN); 5535 } 5536 else 5537 { 5538 /* If transitionng out of idle, mark the lcb as bonding */ 5539 if (old_state == BTM_PAIR_STATE_IDLE) 5540 l2cu_update_lcb_4_bonding (btm_cb.pairing_bda, TRUE); 5541 5542 btm_cb.pairing_tle.param = (TIMER_PARAM_TYPE)btm_sec_pairing_timeout; 5543 5544 btu_start_timer (&btm_cb.pairing_tle, BTU_TTYPE_USER_FUNC, BTM_SEC_TIMEOUT_VALUE); 5545 } 5546 } 5547 5548 5549 /******************************************************************************* 5550 ** 5551 ** Function btm_pair_state_descr 5552 ** 5553 ** Description Return state description for tracing 5554 ** 5555 *******************************************************************************/ 5556 #if (BT_USE_TRACES == TRUE) 5557 static char *btm_pair_state_descr (tBTM_PAIRING_STATE state) 5558 { 5559 #if (BT_TRACE_VERBOSE == TRUE) 5560 switch (state) 5561 { 5562 case BTM_PAIR_STATE_IDLE: return("IDLE"); 5563 case BTM_PAIR_STATE_GET_REM_NAME: return("GET_REM_NAME"); 5564 case BTM_PAIR_STATE_WAIT_PIN_REQ: return("WAIT_PIN_REQ"); 5565 case BTM_PAIR_STATE_WAIT_LOCAL_PIN: return("WAIT_LOCAL_PIN"); 5566 case BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM: return("WAIT_NUM_CONFIRM"); 5567 case BTM_PAIR_STATE_KEY_ENTRY: return("KEY_ENTRY"); 5568 case BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP: return("WAIT_LOCAL_OOB_RSP"); 5569 case BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS: return("WAIT_LOCAL_IOCAPS"); 5570 case BTM_PAIR_STATE_INCOMING_SSP: return("INCOMING_SSP"); 5571 case BTM_PAIR_STATE_WAIT_AUTH_COMPLETE: return("WAIT_AUTH_COMPLETE"); 5572 case BTM_PAIR_STATE_WAIT_DISCONNECT: return("WAIT_DISCONNECT"); 5573 } 5574 5575 return("???"); 5576 #else 5577 sprintf(btm_cb.state_temp_buffer,"%hu",state); 5578 5579 return(btm_cb.state_temp_buffer); 5580 #endif 5581 } 5582 #endif 5583 5584 5585 /******************************************************************************* 5586 ** 5587 ** Function btm_sec_dev_rec_cback_event 5588 ** 5589 ** Description This function calls the callback function with the given 5590 ** result and clear the callback function. 5591 ** 5592 ** Parameters: void 5593 ** 5594 *******************************************************************************/ 5595 void btm_sec_dev_rec_cback_event (tBTM_SEC_DEV_REC *p_dev_rec, UINT8 res) 5596 { 5597 tBTM_SEC_CALLBACK *p_callback = p_dev_rec->p_callback; 5598 5599 if (p_dev_rec->p_callback) 5600 { 5601 p_dev_rec->p_callback = NULL; 5602 5603 (*p_callback) (p_dev_rec->bd_addr, p_dev_rec->p_ref_data, res); 5604 5605 } 5606 btm_sec_check_pending_reqs(); 5607 } 5608 5609 /******************************************************************************* 5610 ** 5611 ** Function btm_sec_queue_mx_request 5612 ** 5613 ** Description Return state description for tracing 5614 ** 5615 *******************************************************************************/ 5616 static BOOLEAN btm_sec_queue_mx_request (BD_ADDR bd_addr, UINT16 psm, BOOLEAN is_orig, 5617 UINT32 mx_proto_id, UINT32 mx_chan_id, 5618 tBTM_SEC_CALLBACK *p_callback, void *p_ref_data) 5619 { 5620 tBTM_SEC_QUEUE_ENTRY *p_e; 5621 5622 p_e = (tBTM_SEC_QUEUE_ENTRY *)GKI_getbuf (sizeof(tBTM_SEC_QUEUE_ENTRY)); 5623 5624 if (p_e) 5625 { 5626 p_e->psm = psm; 5627 p_e->is_orig = is_orig; 5628 p_e->p_callback = p_callback; 5629 p_e->p_ref_data = p_ref_data; 5630 p_e->mx_proto_id = mx_proto_id; 5631 p_e->mx_chan_id = mx_chan_id; 5632 5633 memcpy (p_e->bd_addr, bd_addr, BD_ADDR_LEN); 5634 5635 BTM_TRACE_EVENT4 ("btm_sec_queue_mx_request() PSM: 0x%04x Is_Orig: %u mx_proto_id: %u mx_chan_id: %u", 5636 psm, is_orig, mx_proto_id, mx_chan_id); 5637 5638 GKI_enqueue (&btm_cb.sec_pending_q, p_e); 5639 5640 return(TRUE); 5641 } 5642 5643 return(FALSE); 5644 } 5645 5646 static BOOLEAN btm_sec_check_prefetch_pin (tBTM_SEC_DEV_REC *p_dev_rec) 5647 { 5648 UINT8 major = (UINT8)(p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK); 5649 UINT8 minor = (UINT8)(p_dev_rec->dev_class[2] & BTM_COD_MINOR_CLASS_MASK); 5650 BOOLEAN rv = FALSE; 5651 5652 if ((major == BTM_COD_MAJOR_AUDIO) 5653 && ((minor == BTM_COD_MINOR_CONFM_HANDSFREE) || (minor == BTM_COD_MINOR_CAR_AUDIO)) ) 5654 { 5655 BTM_TRACE_EVENT2 ("btm_sec_check_prefetch_pin: Skipping pre-fetch PIN for carkit COD Major: 0x%02x Minor: 0x%02x", major, minor); 5656 5657 if (btm_cb.security_mode_changed == FALSE) 5658 { 5659 btm_cb.security_mode_changed = TRUE; 5660 #ifdef APPL_AUTH_WRITE_EXCEPTION 5661 if(!(APPL_AUTH_WRITE_EXCEPTION)(p_dev_rec->bd_addr)) 5662 #endif 5663 btsnd_hcic_write_auth_enable (TRUE); 5664 } 5665 } 5666 else 5667 { 5668 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_PIN); 5669 5670 /* If we got a PIN, use that, else try to get one */ 5671 if (btm_cb.pin_code_len) 5672 { 5673 BTM_PINCodeReply (p_dev_rec->bd_addr, BTM_SUCCESS, btm_cb.pin_code_len, btm_cb.pin_code, p_dev_rec->trusted_mask); 5674 } 5675 else 5676 { 5677 /* pin was not supplied - pre-fetch pin code now */ 5678 if (btm_cb.api.p_pin_callback && ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PIN_REQD) == 0)) 5679 { 5680 BTM_TRACE_DEBUG0("btm_sec_check_prefetch_pin: PIN code callback called"); 5681 if (btm_bda_to_acl(p_dev_rec->bd_addr) == NULL) 5682 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD; 5683 (btm_cb.api.p_pin_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class, p_dev_rec->sec_bd_name); 5684 } 5685 } 5686 5687 rv = TRUE; 5688 } 5689 5690 return rv; 5691 } 5692 5693 #if (BLE_INCLUDED == TRUE) 5694 /******************************************************************************* 5695 ** 5696 ** Function btm_sec_clear_ble_keys 5697 ** 5698 ** Description This function is called to clear out the BLE keys. 5699 ** Typically when devices are removed in BTM_SecDeleteDevice, 5700 ** or when a new BT Link key is generated. 5701 ** 5702 ** Returns void 5703 ** 5704 *******************************************************************************/ 5705 void btm_sec_clear_ble_keys (tBTM_SEC_DEV_REC *p_dev_rec) 5706 { 5707 5708 BTM_TRACE_DEBUG0 ("btm_sec_clear_ble_keys: Clearing BLE Keys"); 5709 #if (SMP_INCLUDED== TRUE) 5710 p_dev_rec->ble.key_type = 0; 5711 memset (&p_dev_rec->ble.keys, 0, sizeof(tBTM_SEC_BLE_KEYS)); 5712 #endif 5713 gatt_delete_dev_from_srv_chg_clt_list(p_dev_rec->bd_addr); 5714 } 5715 5716 5717 /******************************************************************************* 5718 ** 5719 ** Function btm_sec_is_a_bonded_dev 5720 ** 5721 ** Description Is the specified device is a bonded device 5722 ** 5723 ** Returns TRUE - dev is bonded 5724 ** 5725 *******************************************************************************/ 5726 BOOLEAN btm_sec_is_a_bonded_dev (BD_ADDR bda) 5727 { 5728 5729 tBTM_SEC_DEV_REC *p_dev_rec= btm_find_dev (bda); 5730 BOOLEAN is_bonded= FALSE; 5731 5732 #if (SMP_INCLUDED== TRUE) 5733 if (p_dev_rec && (p_dev_rec->ble.key_type || (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN))) 5734 { 5735 is_bonded = TRUE; 5736 } 5737 #endif 5738 BTM_TRACE_DEBUG1 ("btm_sec_is_a_bonded_dev is_bonded=%d", is_bonded); 5739 return(is_bonded); 5740 } 5741 5742 /******************************************************************************* 5743 ** 5744 ** Function btm_sec_is_le_capable_dev 5745 ** 5746 ** Description Is the specified device is dual mode or LE only device 5747 ** 5748 ** Returns TRUE - dev is a dual mode 5749 ** 5750 *******************************************************************************/ 5751 BOOLEAN btm_sec_is_le_capable_dev (BD_ADDR bda) 5752 { 5753 tBTM_SEC_DEV_REC *p_dev_rec= btm_find_dev (bda); 5754 BOOLEAN le_capable = FALSE; 5755 5756 #if (BLE_INCLUDED== TRUE) 5757 if (p_dev_rec && ((p_dev_rec->device_type == BT_DEVICE_TYPE_DUMO) || 5758 (p_dev_rec->device_type == BT_DEVICE_TYPE_BLE) ) ) 5759 { 5760 le_capable = TRUE; 5761 } 5762 #endif 5763 return le_capable; 5764 } 5765 5766 /******************************************************************************* 5767 ** 5768 ** Function btm_sec_find_bonded_dev 5769 ** 5770 ** Description Find a bonded device starting from the specified index 5771 ** 5772 ** Returns TRUE - found a bonded device 5773 ** 5774 *******************************************************************************/ 5775 BOOLEAN btm_sec_find_bonded_dev (UINT8 start_idx, UINT8 *p_found_idx, tBTM_SEC_DEV_REC *p_rec) 5776 { 5777 BOOLEAN found= FALSE; 5778 5779 #if (SMP_INCLUDED== TRUE) 5780 tBTM_SEC_DEV_REC *p_dev_rec; 5781 int i; 5782 if (start_idx >= BTM_SEC_MAX_DEVICE_RECORDS) 5783 { 5784 BTM_TRACE_DEBUG0 ("LE bonded device not found"); 5785 return found; 5786 } 5787 5788 p_dev_rec = &btm_cb.sec_dev_rec[start_idx]; 5789 for (i = start_idx; i < BTM_SEC_MAX_DEVICE_RECORDS; i++, p_dev_rec++) 5790 { 5791 if (p_dev_rec->ble.key_type || (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)) 5792 { 5793 *p_found_idx = i; 5794 p_rec = p_dev_rec; 5795 break; 5796 } 5797 } 5798 BTM_TRACE_DEBUG1 ("btm_sec_find_bonded_dev=%d", found); 5799 #endif 5800 return(found); 5801 } 5802 #endif /* BLE_INCLUDED */ 5803 5804
