1 /****************************************************************************** 2 * 3 * Copyright (C) 1999-2012 Broadcom Corporation 4 * 5 * Licensed under the Apache License, Version 2.0 (the "License"); 6 * you may not use this file except in compliance with the License. 7 * You may obtain a copy of the License at: 8 * 9 * http://www.apache.org/licenses/LICENSE-2.0 10 * 11 * Unless required by applicable law or agreed to in writing, software 12 * distributed under the License is distributed on an "AS IS" BASIS, 13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 * See the License for the specific language governing permissions and 15 * limitations under the License. 16 * 17 ******************************************************************************/ 18 19 /****************************************************************************** 20 * 21 * This file contains functions for BLE device control utilities, and LE 22 * security functions. 23 * 24 ******************************************************************************/ 25 26 #include <string.h> 27 28 #include "bt_types.h" 29 #include "hcimsgs.h" 30 #include "btu.h" 31 #include "btm_int.h" 32 #include "btm_ble_api.h" 33 #include "smp_api.h" 34 #include "l2c_int.h" 35 #include "gap_api.h" 36 37 #if SMP_INCLUDED == TRUE 38 extern BOOLEAN AES_CMAC ( BT_OCTET16 key, UINT8 *input, UINT16 length, UINT16 tlen, UINT8 *p_signature); 39 extern void smp_link_encrypted(BD_ADDR bda, UINT8 encr_enable); 40 extern BOOLEAN smp_proc_ltk_request(BD_ADDR bda); 41 #endif 42 extern void gatt_notify_enc_cmpl(BD_ADDR bd_addr); 43 44 /*******************************************************************************/ 45 /* External Function to be called by other modules */ 46 /*******************************************************************************/ 47 /******************************************************** 48 ** 49 ** Function BTM_SecAddBleDevice 50 ** 51 ** Description Add/modify device. This function will be normally called 52 ** during host startup to restore all required information 53 ** for a LE device stored in the NVRAM. 54 ** 55 ** Parameters: bd_addr - BD address of the peer 56 ** bd_name - Name of the peer device. NULL if unknown. 57 ** dev_type - Remote device's device type. 58 ** addr_type - LE device address type. 59 ** 60 ** Returns TRUE if added OK, else FALSE 61 ** 62 *******************************************************************************/ 63 BOOLEAN BTM_SecAddBleDevice (BD_ADDR bd_addr, BD_NAME bd_name, tBT_DEVICE_TYPE dev_type, 64 tBLE_ADDR_TYPE addr_type) 65 { 66 #if BLE_INCLUDED == TRUE 67 tBTM_SEC_DEV_REC *p_dev_rec; 68 UINT8 i = 0; 69 tBTM_INQ_INFO *p_info=NULL; 70 71 BTM_TRACE_DEBUG1 ("BTM_SecAddBleDevice dev_type=0x%x", dev_type); 72 p_dev_rec = btm_find_dev (bd_addr); 73 74 if (!p_dev_rec) 75 { 76 BTM_TRACE_DEBUG0("Add a new device"); 77 78 /* There is no device record, allocate one. 79 * If we can not find an empty spot for this one, let it fail. */ 80 for (i = 0; i < BTM_SEC_MAX_DEVICE_RECORDS; i++) 81 { 82 if (!(btm_cb.sec_dev_rec[i].sec_flags & BTM_SEC_IN_USE)) 83 { 84 BTM_TRACE_DEBUG1 ("allocate a new dev rec idx=0x%x ", i ); 85 p_dev_rec = &btm_cb.sec_dev_rec[i]; 86 87 /* Mark this record as in use and initialize */ 88 memset (p_dev_rec, 0, sizeof (tBTM_SEC_DEV_REC)); 89 p_dev_rec->sec_flags = BTM_SEC_IN_USE; 90 memcpy (p_dev_rec->bd_addr, bd_addr, BD_ADDR_LEN); 91 p_dev_rec->hci_handle = BTM_GetHCIConnHandle (bd_addr); 92 93 /* update conn params, use default value for background connection params */ 94 p_dev_rec->conn_params.min_conn_int = 95 p_dev_rec->conn_params.max_conn_int = 96 p_dev_rec->conn_params.supervision_tout = 97 p_dev_rec->conn_params.slave_latency = BTM_BLE_CONN_PARAM_UNDEF; 98 99 BTM_TRACE_DEBUG1 ("hci_handl=0x%x ", p_dev_rec->hci_handle ); 100 break; 101 } 102 } 103 104 if (!p_dev_rec) 105 return(FALSE); 106 } 107 else 108 { 109 BTM_TRACE_DEBUG0("Device already exist"); 110 } 111 112 memset(p_dev_rec->sec_bd_name, 0, sizeof(tBTM_BD_NAME)); 113 114 if (bd_name && bd_name[0]) 115 { 116 p_dev_rec->sec_flags |= BTM_SEC_NAME_KNOWN; 117 BCM_STRNCPY_S ((char *)p_dev_rec->sec_bd_name, sizeof (p_dev_rec->sec_bd_name), 118 (char *)bd_name, BTM_MAX_REM_BD_NAME_LEN); 119 } 120 p_dev_rec->device_type = dev_type; 121 p_dev_rec->ble.ble_addr_type = addr_type; 122 BTM_TRACE_DEBUG3 ("p_dev_rec->device_type =0x%x addr_type=0x%x sec_flags=0x%x", 123 dev_type, addr_type, p_dev_rec->sec_flags); 124 125 /* sync up with the Inq Data base*/ 126 p_info = BTM_InqDbRead(bd_addr); 127 if (p_info) 128 { 129 p_info->results.ble_addr_type = p_dev_rec->ble.ble_addr_type ; 130 p_info->results.device_type = p_dev_rec->device_type; 131 BTM_TRACE_DEBUG2 ("InqDb device_type =0x%x addr_type=0x%x", 132 p_info->results.device_type, p_info->results.ble_addr_type); 133 } 134 135 #endif 136 return(TRUE); 137 } 138 139 /******************************************************************************* 140 ** 141 ** Function BTM_SecAddBleKey 142 ** 143 ** Description Add/modify LE device information. This function will be 144 ** normally called during host startup to restore all required 145 ** information stored in the NVRAM. 146 ** 147 ** Parameters: bd_addr - BD address of the peer 148 ** p_le_key - LE key values. 149 ** key_type - LE SMP key type. 150 * 151 ** Returns TRUE if added OK, else FALSE 152 ** 153 *******************************************************************************/ 154 BOOLEAN BTM_SecAddBleKey (BD_ADDR bd_addr, tBTM_LE_KEY_VALUE *p_le_key, tBTM_LE_KEY_TYPE key_type) 155 { 156 #if (BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE) 157 tBTM_SEC_DEV_REC *p_dev_rec; 158 BTM_TRACE_DEBUG0 ("BTM_SecAddBleKey"); 159 p_dev_rec = btm_find_dev (bd_addr); 160 if (!p_dev_rec || !p_le_key || 161 (key_type != BTM_LE_KEY_PENC && key_type != BTM_LE_KEY_PID && 162 key_type != BTM_LE_KEY_PCSRK && key_type != BTM_LE_KEY_LENC && 163 key_type != BTM_LE_KEY_LCSRK)) 164 { 165 BTM_TRACE_WARNING3 ("BTM_SecAddBleKey() Wrong Type, or No Device record \ 166 for bdaddr: %08x%04x, Type: %d", 167 (bd_addr[0]<<24)+(bd_addr[1]<<16)+(bd_addr[2]<<8)+bd_addr[3], 168 (bd_addr[4]<<8)+bd_addr[5], key_type); 169 return(FALSE); 170 } 171 172 BTM_TRACE_DEBUG3 ("BTM_SecAddLeKey() BDA: %08x%04x, Type: 0x%02x", 173 (bd_addr[0]<<24)+(bd_addr[1]<<16)+(bd_addr[2]<<8)+bd_addr[3], 174 (bd_addr[4]<<8)+bd_addr[5], key_type); 175 176 if (key_type == BTM_LE_KEY_PENC || key_type == BTM_LE_KEY_PID || 177 key_type == BTM_LE_KEY_PCSRK || key_type == BTM_LE_KEY_LENC || 178 key_type == BTM_LE_KEY_LCSRK) 179 { 180 btm_sec_save_le_key (bd_addr, key_type, p_le_key, FALSE); 181 } 182 183 #endif 184 185 return(TRUE); 186 } 187 188 /******************************************************************************* 189 ** 190 ** Function BTM_BleLoadLocalKeys 191 ** 192 ** Description Local local identity key, encryption root or sign counter. 193 ** 194 ** Parameters: key_type: type of key, can be BTM_BLE_KEY_TYPE_ID, BTM_BLE_KEY_TYPE_ER 195 ** or BTM_BLE_KEY_TYPE_COUNTER. 196 ** p_key: pointer to the key. 197 * 198 ** Returns non2. 199 ** 200 *******************************************************************************/ 201 void BTM_BleLoadLocalKeys(UINT8 key_type, tBTM_BLE_LOCAL_KEYS *p_key) 202 { 203 #if BLE_INCLUDED == TRUE 204 tBTM_DEVCB *p_devcb = &btm_cb.devcb; 205 BTM_TRACE_DEBUG0 ("BTM_BleLoadLocalKeys"); 206 if (p_key != NULL) 207 { 208 switch (key_type) 209 { 210 case BTM_BLE_KEY_TYPE_ID: 211 memcpy(&p_devcb->id_keys, &p_key->id_keys, sizeof(tBTM_BLE_LOCAL_ID_KEYS)); 212 break; 213 214 case BTM_BLE_KEY_TYPE_ER: 215 memcpy(p_devcb->er, p_key->er, sizeof(BT_OCTET16)); 216 break; 217 218 default: 219 BTM_TRACE_ERROR1("unknow local key type: %d", key_type); 220 break; 221 } 222 } 223 #endif 224 } 225 226 /******************************************************************************* 227 ** 228 ** Function BTM_GetDeviceEncRoot 229 ** 230 ** Description This function is called to read the local device encryption 231 ** root. 232 ** 233 ** Returns void 234 ** the local device ER is copied into er 235 ** 236 *******************************************************************************/ 237 void BTM_GetDeviceEncRoot (BT_OCTET16 er) 238 { 239 BTM_TRACE_DEBUG0 ("BTM_GetDeviceEncRoot"); 240 241 #if BLE_INCLUDED == TRUE 242 memcpy (er, btm_cb.devcb.er, BT_OCTET16_LEN); 243 #endif 244 } 245 246 /******************************************************************************* 247 ** 248 ** Function BTM_GetDeviceIDRoot 249 ** 250 ** Description This function is called to read the local device identity 251 ** root. 252 ** 253 ** Returns void 254 ** the local device IR is copied into irk 255 ** 256 *******************************************************************************/ 257 void BTM_GetDeviceIDRoot (BT_OCTET16 irk) 258 { 259 BTM_TRACE_DEBUG0 ("BTM_GetDeviceIDRoot "); 260 261 #if BLE_INCLUDED == TRUE 262 memcpy (irk, btm_cb.devcb.id_keys.irk, BT_OCTET16_LEN); 263 #endif 264 } 265 266 /******************************************************************************* 267 ** 268 ** Function BTM_GetDeviceDHK 269 ** 270 ** Description This function is called to read the local device DHK. 271 ** 272 ** Returns void 273 ** the local device DHK is copied into dhk 274 ** 275 *******************************************************************************/ 276 void BTM_GetDeviceDHK (BT_OCTET16 dhk) 277 { 278 #if BLE_INCLUDED == TRUE 279 BTM_TRACE_DEBUG0 ("BTM_GetDeviceDHK"); 280 memcpy (dhk, btm_cb.devcb.id_keys.dhk, BT_OCTET16_LEN); 281 #endif 282 } 283 284 /******************************************************************************* 285 ** 286 ** Function BTM_ReadConnectionAddr 287 ** 288 ** Description This function is called to get the local device address information 289 ** . 290 ** 291 ** Returns void 292 ** 293 *******************************************************************************/ 294 void BTM_ReadConnectionAddr (BD_ADDR remote_bda, BD_ADDR local_conn_addr, tBLE_ADDR_TYPE *p_addr_type) 295 { 296 #if BLE_INCLUDED == TRUE 297 tACL_CONN *p_acl = btm_bda_to_acl(remote_bda); 298 299 if (p_acl == NULL) 300 { 301 BTM_TRACE_ERROR0("No connection exist!"); 302 return; 303 } 304 memcpy(local_conn_addr, p_acl->conn_addr, BD_ADDR_LEN); 305 * p_addr_type = p_acl->conn_addr_type; 306 307 BTM_TRACE_DEBUG2 ("BTM_ReadConnectionAddr address type: %d addr: 0x%02x", 308 p_acl->conn_addr_type, p_acl->conn_addr[0]); 309 310 #endif 311 } 312 /******************************************************************************* 313 ** 314 ** Function BTM_IsBleConnection 315 ** 316 ** Description This function is called to check if the connection handle 317 ** for an LE link 318 ** 319 ** Returns TRUE if connection is LE link, otherwise FALSE. 320 ** 321 *******************************************************************************/ 322 BOOLEAN BTM_IsBleConnection (UINT16 conn_handle) 323 { 324 #if (BLE_INCLUDED == TRUE) 325 UINT8 xx; 326 tACL_CONN *p; 327 328 BTM_TRACE_API1 ("BTM_IsBleConnection: conn_handle: %d", conn_handle); 329 330 xx = btm_handle_to_acl_index (conn_handle); 331 if (xx >= MAX_L2CAP_LINKS) 332 return FALSE; 333 334 p = &btm_cb.acl_db[xx]; 335 336 return(p->is_le_link); 337 #else 338 return FALSE; 339 #endif 340 } 341 342 /******************************************************************************* 343 ** 344 ** Function BTM_ReadRemoteConnectionAddr 345 ** 346 ** Description This function is read the remote device address currently used 347 ** . 348 ** 349 ** Returns void 350 ** 351 *******************************************************************************/ 352 BOOLEAN BTM_ReadRemoteConnectionAddr(BD_ADDR pseudo_addr, BD_ADDR conn_addr, tBLE_ADDR_TYPE *p_addr_type) 353 { 354 BOOLEAN st = TRUE; 355 #if BLE_INCLUDED == TRUE 356 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev(pseudo_addr); 357 358 memcpy(conn_addr, pseudo_addr, BD_ADDR_LEN); 359 if (p_dev_rec != NULL) 360 { 361 *p_addr_type = p_dev_rec->ble.ble_addr_type; 362 } 363 #endif 364 return st; 365 } 366 /******************************************************************************* 367 ** 368 ** Function BTM_SecurityGrant 369 ** 370 ** Description This function is called to grant security process. 371 ** 372 ** Parameters bd_addr - peer device bd address. 373 ** res - result of the operation BTM_SUCCESS if success. 374 ** Otherwise, BTM_REPEATED_ATTEMPTS is too many attempts. 375 ** 376 ** Returns None 377 ** 378 *******************************************************************************/ 379 void BTM_SecurityGrant(BD_ADDR bd_addr, UINT8 res) 380 { 381 #if (BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE) 382 tSMP_STATUS res_smp = (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_REPEATED_ATTEMPTS; 383 BTM_TRACE_DEBUG0 ("BTM_SecurityGrant"); 384 SMP_SecurityGrant(bd_addr, res_smp); 385 #endif 386 } 387 388 /******************************************************************************* 389 ** 390 ** Function BTM_BlePasskeyReply 391 ** 392 ** Description This function is called after Security Manager submitted 393 ** passkey request to the application. 394 ** 395 ** Parameters: bd_addr - Address of the device for which passkey was requested 396 ** res - result of the operation BTM_SUCCESS if success 397 ** key_len - length in bytes of the Passkey 398 ** p_passkey - pointer to array with the passkey 399 ** trusted_mask - bitwise OR of trusted services (array of UINT32) 400 ** 401 *******************************************************************************/ 402 void BTM_BlePasskeyReply (BD_ADDR bd_addr, UINT8 res, UINT32 passkey) 403 { 404 #if (BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE) 405 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr); 406 tSMP_STATUS res_smp = (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_PASSKEY_ENTRY_FAIL; 407 408 if (p_dev_rec == NULL) 409 { 410 BTM_TRACE_ERROR0("Passkey reply to Unknown device"); 411 return; 412 } 413 414 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED; 415 BTM_TRACE_DEBUG0 ("BTM_BlePasskeyReply"); 416 SMP_PasskeyReply(bd_addr, res_smp, passkey); 417 #endif 418 } 419 420 /******************************************************************************* 421 ** 422 ** Function BTM_BleOobDataReply 423 ** 424 ** Description This function is called to provide the OOB data for 425 ** SMP in response to BTM_LE_OOB_REQ_EVT 426 ** 427 ** Parameters: bd_addr - Address of the peer device 428 ** res - result of the operation SMP_SUCCESS if success 429 ** p_data - simple pairing Randomizer C. 430 ** 431 *******************************************************************************/ 432 void BTM_BleOobDataReply(BD_ADDR bd_addr, UINT8 res, UINT8 len, UINT8 *p_data) 433 { 434 #if (BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE) 435 tSMP_STATUS res_smp = (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_OOB_FAIL; 436 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr); 437 438 BTM_TRACE_DEBUG0 ("BTM_BleOobDataReply"); 439 440 if (p_dev_rec == NULL) 441 { 442 BTM_TRACE_ERROR0("BTM_BleOobDataReply() to Unknown device"); 443 return; 444 } 445 446 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED; 447 SMP_OobDataReply(bd_addr, res_smp, len, p_data); 448 #endif 449 } 450 451 /****************************************************************************** 452 ** 453 ** Function BTM_BleSetConnScanParams 454 ** 455 ** Description Set scan parameter used in BLE connection request 456 ** 457 ** Parameters: scan_interval: scan interval 458 ** scan_window: scan window 459 ** 460 ** Returns void 461 ** 462 *******************************************************************************/ 463 void BTM_BleSetConnScanParams (UINT16 scan_interval, UINT16 scan_window) 464 { 465 #if (BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE) 466 tBTM_BLE_CB *p_ble_cb = &btm_cb.ble_ctr_cb; 467 BOOLEAN new_param = FALSE; 468 469 if (BTM_BLE_VALID_PRAM(scan_interval, BTM_BLE_SCAN_INT_MIN, BTM_BLE_SCAN_INT_MAX) && 470 BTM_BLE_VALID_PRAM(scan_window, BTM_BLE_SCAN_WIN_MIN, BTM_BLE_SCAN_WIN_MAX)) 471 { 472 btu_stop_timer(&p_ble_cb->scan_param_idle_timer); 473 474 if (p_ble_cb->scan_int != scan_interval) 475 { 476 p_ble_cb->scan_int = scan_interval; 477 new_param = TRUE; 478 } 479 480 if (p_ble_cb->scan_win != scan_window) 481 { 482 p_ble_cb->scan_win = scan_window; 483 new_param = TRUE; 484 } 485 486 if (new_param && p_ble_cb->conn_state == BLE_BG_CONN) 487 { 488 btm_ble_suspend_bg_conn(); 489 } 490 } 491 else 492 { 493 BTM_TRACE_ERROR0("Illegal Connection Scan Parameters"); 494 } 495 #endif 496 } 497 498 /******************************************************** 499 ** 500 ** Function BTM_BleSetPrefConnParams 501 ** 502 ** Description Set a peripheral's preferred connection parameters 503 ** 504 ** Parameters: bd_addr - BD address of the peripheral 505 ** scan_interval: scan interval 506 ** scan_window: scan window 507 ** min_conn_int - minimum preferred connection interval 508 ** max_conn_int - maximum preferred connection interval 509 ** slave_latency - preferred slave latency 510 ** supervision_tout - preferred supervision timeout 511 ** 512 ** Returns void 513 ** 514 *******************************************************************************/ 515 void BTM_BleSetPrefConnParams (BD_ADDR bd_addr, 516 UINT16 min_conn_int, UINT16 max_conn_int, 517 UINT16 slave_latency, UINT16 supervision_tout) 518 { 519 #if BLE_INCLUDED == TRUE 520 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr); 521 522 BTM_TRACE_API4 ("BTM_BleSetPrefConnParams min: %u max: %u latency: %u \ 523 tout: %u", 524 min_conn_int, max_conn_int, slave_latency, supervision_tout); 525 526 if (BTM_BLE_VALID_PRAM(min_conn_int, BTM_BLE_CONN_INT_MIN, BTM_BLE_CONN_INT_MAX) && 527 BTM_BLE_VALID_PRAM(max_conn_int, BTM_BLE_CONN_INT_MIN, BTM_BLE_CONN_INT_MAX) && 528 BTM_BLE_VALID_PRAM(supervision_tout, BTM_BLE_CONN_SUP_TOUT_MIN, BTM_BLE_CONN_SUP_TOUT_MAX) && 529 (slave_latency <= BTM_BLE_CONN_LATENCY_MAX || slave_latency == BTM_BLE_CONN_PARAM_UNDEF)) 530 { 531 if (p_dev_rec) 532 { 533 /* expect conn int and stout and slave latency to be updated all together */ 534 if (min_conn_int != BTM_BLE_CONN_PARAM_UNDEF || max_conn_int != BTM_BLE_CONN_PARAM_UNDEF) 535 { 536 if (min_conn_int != BTM_BLE_CONN_PARAM_UNDEF) 537 p_dev_rec->conn_params.min_conn_int = min_conn_int; 538 else 539 p_dev_rec->conn_params.min_conn_int = max_conn_int; 540 541 if (max_conn_int != BTM_BLE_CONN_PARAM_UNDEF) 542 p_dev_rec->conn_params.max_conn_int = max_conn_int; 543 else 544 p_dev_rec->conn_params.max_conn_int = min_conn_int; 545 546 if (slave_latency != BTM_BLE_CONN_PARAM_UNDEF) 547 p_dev_rec->conn_params.slave_latency = slave_latency; 548 else 549 p_dev_rec->conn_params.slave_latency = BTM_BLE_CONN_SLAVE_LATENCY_DEF; 550 551 if (supervision_tout != BTM_BLE_CONN_PARAM_UNDEF) 552 p_dev_rec->conn_params.supervision_tout = supervision_tout; 553 else 554 p_dev_rec->conn_params.slave_latency = BTM_BLE_CONN_TIMEOUT_DEF; 555 556 } 557 558 } 559 else 560 { 561 BTM_TRACE_ERROR0("Unknown Device, setting rejected"); 562 } 563 } 564 else 565 { 566 BTM_TRACE_ERROR0("Illegal Connection Parameters"); 567 } 568 #endif /* BLE_INCLUDED */ 569 } 570 571 /******************************************************************************* 572 ** 573 ** Function BTM_ReadDevInfo 574 ** 575 ** Description This function is called to read the device/address type 576 ** of BD address. 577 ** 578 ** Parameter remote_bda: remote device address 579 ** p_dev_type: output parameter to read the device type. 580 ** p_addr_type: output parameter to read the address type. 581 ** 582 *******************************************************************************/ 583 void BTM_ReadDevInfo (BD_ADDR remote_bda, tBT_DEVICE_TYPE *p_dev_type, tBLE_ADDR_TYPE *p_addr_type) 584 { 585 #if BLE_INCLUDED == TRUE 586 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (remote_bda); 587 tBTM_INQ_INFO *p_inq_info = BTM_InqDbRead(remote_bda); 588 589 *p_dev_type = BT_DEVICE_TYPE_BREDR; 590 *p_addr_type = BLE_ADDR_PUBLIC; 591 592 if (!p_dev_rec) 593 { 594 /* Check with the BT manager if details about remote device are known */ 595 if (p_inq_info != NULL) 596 { 597 *p_dev_type = p_inq_info->results.device_type ; 598 *p_addr_type = p_inq_info->results.ble_addr_type; 599 } else { 600 /* unknown device, assume BR/EDR */ 601 BTM_TRACE_DEBUG0 ("btm_find_dev_type - unknown device, BR/EDR assumed"); 602 } 603 } 604 else /* there is a security device record exisitng */ 605 { 606 /* new inquiry result, overwrite device type in security device record */ 607 if (p_inq_info) 608 { 609 p_dev_rec->device_type = p_inq_info->results.device_type; 610 p_dev_rec->ble.ble_addr_type = p_inq_info->results.ble_addr_type; 611 } 612 *p_dev_type = p_dev_rec->device_type; 613 *p_addr_type = p_dev_rec->ble.ble_addr_type; 614 615 } 616 617 BTM_TRACE_DEBUG2 ("btm_find_dev_type - device_type = %d addr_type = %d", *p_dev_type , *p_addr_type); 618 #endif 619 620 return; 621 } 622 623 #if BLE_INCLUDED == TRUE 624 625 /******************************************************************************* 626 ** 627 ** Function BTM_BleReceiverTest 628 ** 629 ** Description This function is called to start the LE Receiver test 630 ** 631 ** Parameter rx_freq - Frequency Range 632 ** p_cmd_cmpl_cback - Command Complete callback 633 ** 634 *******************************************************************************/ 635 void BTM_BleReceiverTest(UINT8 rx_freq, tBTM_CMPL_CB *p_cmd_cmpl_cback) 636 { 637 btm_cb.devcb.p_le_test_cmd_cmpl_cb = p_cmd_cmpl_cback; 638 639 if (btsnd_hcic_ble_receiver_test(rx_freq) == FALSE) 640 { 641 BTM_TRACE_ERROR1("%s: Unable to Trigger LE receiver test", __FUNCTION__); 642 } 643 } 644 645 /******************************************************************************* 646 ** 647 ** Function BTM_BleTransmitterTest 648 ** 649 ** Description This function is called to start the LE Transmitter test 650 ** 651 ** Parameter tx_freq - Frequency Range 652 ** test_data_len - Length in bytes of payload data in each packet 653 ** packet_payload - Pattern to use in the payload 654 ** p_cmd_cmpl_cback - Command Complete callback 655 ** 656 *******************************************************************************/ 657 void BTM_BleTransmitterTest(UINT8 tx_freq, UINT8 test_data_len, 658 UINT8 packet_payload, tBTM_CMPL_CB *p_cmd_cmpl_cback) 659 { 660 btm_cb.devcb.p_le_test_cmd_cmpl_cb = p_cmd_cmpl_cback; 661 if (btsnd_hcic_ble_transmitter_test(tx_freq, test_data_len, packet_payload) == FALSE) 662 { 663 BTM_TRACE_ERROR1("%s: Unable to Trigger LE transmitter test", __FUNCTION__); 664 } 665 } 666 667 /******************************************************************************* 668 ** 669 ** Function BTM_BleTestEnd 670 ** 671 ** Description This function is called to stop the in-progress TX or RX test 672 ** 673 ** Parameter p_cmd_cmpl_cback - Command complete callback 674 ** 675 *******************************************************************************/ 676 void BTM_BleTestEnd(tBTM_CMPL_CB *p_cmd_cmpl_cback) 677 { 678 btm_cb.devcb.p_le_test_cmd_cmpl_cb = p_cmd_cmpl_cback; 679 680 if (btsnd_hcic_ble_test_end() == FALSE) 681 { 682 BTM_TRACE_ERROR1("%s: Unable to End the LE TX/RX test", __FUNCTION__); 683 } 684 } 685 686 #endif 687 688 /******************************************************************************* 689 ** Internal Functions 690 *******************************************************************************/ 691 #if BLE_INCLUDED == TRUE 692 693 void btm_ble_test_command_complete(UINT8 *p) 694 { 695 tBTM_CMPL_CB *p_cb = btm_cb.devcb.p_le_test_cmd_cmpl_cb; 696 UINT8 status; 697 698 btm_cb.devcb.p_le_test_cmd_cmpl_cb = NULL; 699 700 if (p_cb) 701 { 702 (*p_cb)(p); 703 } 704 } 705 706 /******************************************************************************* 707 ** 708 ** Function BTM_IsBleLink 709 ** 710 ** Description This function is to check the link type is BLE or BR/EDR. 711 ** 712 ** Returns TRUE if BLE link; FALSE if BR/EDR. 713 ** 714 *******************************************************************************/ 715 BOOLEAN BTM_IsBleLink (BD_ADDR bd_addr) 716 { 717 #if (BLE_INCLUDED == TRUE) 718 tACL_CONN *p; 719 BTM_TRACE_DEBUG0 ("BTM_IsBleLink"); 720 if ((p = btm_bda_to_acl(bd_addr)) != NULL) 721 return p->is_le_link; 722 else 723 #endif 724 return FALSE; 725 } 726 /******************************************************************************* 727 ** 728 ** Function BTM_UseLeLink 729 ** 730 ** Description This function is to select the underneath physical link to use. 731 ** 732 ** Returns TRUE to use LE, FALSE use BR/EDR. 733 ** 734 *******************************************************************************/ 735 BOOLEAN BTM_UseLeLink (BD_ADDR bd_addr) 736 { 737 tACL_CONN *p; 738 tBT_DEVICE_TYPE dev_type; 739 tBLE_ADDR_TYPE addr_type; 740 BOOLEAN use_le = FALSE; 741 742 if ((p = btm_bda_to_acl(bd_addr)) != NULL) 743 { 744 #if (BLE_INCLUDED == TRUE) 745 use_le = (p->is_le_link); 746 #endif 747 } 748 else 749 { 750 BTM_ReadDevInfo(bd_addr, &dev_type, &addr_type); 751 use_le = (dev_type == BT_DEVICE_TYPE_BLE); 752 } 753 return use_le; 754 } 755 /******************************************************************************* 756 ** 757 ** Function btm_ble_rand_enc_complete 758 ** 759 ** Description This function is the callback functions for HCI_Rand command 760 ** and HCI_Encrypt command is completed. 761 ** This message is received from the HCI. 762 ** 763 ** Returns void 764 ** 765 *******************************************************************************/ 766 void btm_ble_rand_enc_complete (UINT8 *p, UINT16 op_code, tBTM_RAND_ENC_CB *p_enc_cplt_cback) 767 { 768 tBTM_RAND_ENC params; 769 UINT8 *p_dest = params.param_buf; 770 771 BTM_TRACE_DEBUG0 ("btm_ble_rand_enc_complete"); 772 773 memset(¶ms, 0, sizeof(tBTM_RAND_ENC)); 774 775 /* If there was a callback address for vcs complete, call it */ 776 if (p_enc_cplt_cback && p) 777 { 778 /* Pass paramters to the callback function */ 779 STREAM_TO_UINT8(params.status, p); /* command status */ 780 781 if (params.status == HCI_SUCCESS) 782 { 783 params.opcode = op_code; 784 785 if (op_code == HCI_BLE_RAND) 786 params.param_len = BT_OCTET8_LEN; 787 else 788 params.param_len = BT_OCTET16_LEN; 789 790 memcpy(p_dest, p, params.param_len); /* Fetch return info from HCI event message */ 791 } 792 if (p_enc_cplt_cback) 793 (*p_enc_cplt_cback)(¶ms); /* Call the Encryption complete callback function */ 794 } 795 } 796 797 798 #if (SMP_INCLUDED == TRUE) 799 800 /******************************************************************************* 801 ** 802 ** Function btm_ble_get_enc_key_type 803 ** 804 ** Description This function is to increment local sign counter 805 ** Returns None 806 ** 807 *******************************************************************************/ 808 void btm_ble_increment_sign_ctr(BD_ADDR bd_addr, BOOLEAN is_local ) 809 { 810 tBTM_SEC_DEV_REC *p_dev_rec; 811 812 BTM_TRACE_DEBUG1 ("btm_ble_increment_sign_ctr is_local=%d", is_local); 813 814 if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL) 815 { 816 if (is_local) 817 p_dev_rec->ble.keys.local_counter++; 818 else 819 p_dev_rec->ble.keys.counter++; 820 BTM_TRACE_DEBUG3 ("is_local=%d local sign counter=%d peer sign counter=%d", 821 is_local, 822 p_dev_rec->ble.keys.local_counter, 823 p_dev_rec->ble.keys.counter); 824 } 825 } 826 827 /******************************************************************************* 828 ** 829 ** Function btm_ble_get_enc_key_type 830 ** 831 ** Description This function is to get the BLE key type that has been exchanged 832 ** in betweem local device and peer device. 833 ** 834 ** Returns p_key_type: output parameter to carry the key type value. 835 ** 836 *******************************************************************************/ 837 BOOLEAN btm_ble_get_enc_key_type(BD_ADDR bd_addr, UINT8 *p_key_types) 838 { 839 tBTM_SEC_DEV_REC *p_dev_rec; 840 841 BTM_TRACE_DEBUG0 ("btm_ble_get_enc_key_type"); 842 843 if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL) 844 { 845 *p_key_types = p_dev_rec->ble.key_type; 846 return TRUE; 847 } 848 return FALSE; 849 } 850 851 /******************************************************************************* 852 ** 853 ** Function btm_get_local_div 854 ** 855 ** Description This function is called to read the local DIV 856 ** 857 ** Returns TURE - if a valid DIV is availavle 858 *******************************************************************************/ 859 BOOLEAN btm_get_local_div (BD_ADDR bd_addr, UINT16 *p_div) 860 { 861 tBTM_SEC_DEV_REC *p_dev_rec; 862 BOOLEAN status = FALSE; 863 BTM_TRACE_DEBUG0 ("btm_get_local_div"); 864 865 BTM_TRACE_DEBUG6("bd_addr:%02x-%02x-%02x-%02x-%02x-%02x", 866 bd_addr[0],bd_addr[1], 867 bd_addr[2],bd_addr[3], 868 bd_addr[4],bd_addr[5]); 869 870 p_dev_rec = btm_find_dev (bd_addr); 871 872 if (p_dev_rec && p_dev_rec->ble.keys.div) 873 { 874 status = TRUE; 875 *p_div = p_dev_rec->ble.keys.div; 876 } 877 BTM_TRACE_DEBUG2 ("btm_get_local_div status=%d (1-OK) DIV=0x%x", status, *p_div); 878 return status; 879 } 880 881 /******************************************************************************* 882 ** 883 ** Function btm_sec_save_le_key 884 ** 885 ** Description This function is called by the SMP to update 886 ** an BLE key. SMP is internal, whereas all the keys shall 887 ** be sent to the application. The function is also called 888 ** when application passes ble key stored in NVRAM to the btm_sec. 889 ** pass_to_application parameter is false in this case. 890 ** 891 ** Returns void 892 ** 893 *******************************************************************************/ 894 void btm_sec_save_le_key(BD_ADDR bd_addr, tBTM_LE_KEY_TYPE key_type, tBTM_LE_KEY_VALUE *p_keys, 895 BOOLEAN pass_to_application) 896 { 897 tBTM_SEC_DEV_REC *p_rec; 898 tBTM_LE_EVT_DATA cb_data; 899 UINT8 i; 900 901 BTM_TRACE_DEBUG2 ("btm_sec_save_le_key key_type=0x%x pass_to_application=%d",key_type, pass_to_application); 902 /* Store the updated key in the device database */ 903 904 BTM_TRACE_DEBUG6("bd_addr:%02x-%02x-%02x-%02x-%02x-%02x", 905 bd_addr[0],bd_addr[1], 906 bd_addr[2],bd_addr[3], 907 bd_addr[4],bd_addr[5]); 908 909 if ((p_rec = btm_find_dev (bd_addr)) != NULL && p_keys) 910 { 911 switch (key_type) 912 { 913 case BTM_LE_KEY_PENC: 914 memcpy(p_rec->ble.keys.ltk, p_keys->penc_key.ltk, BT_OCTET16_LEN); 915 memcpy(p_rec->ble.keys.rand, p_keys->penc_key.rand, BT_OCTET8_LEN); 916 p_rec->ble.keys.sec_level = p_keys->penc_key.sec_level; 917 p_rec->ble.keys.ediv = p_keys->penc_key.ediv; 918 p_rec->ble.keys.key_size = p_keys->penc_key.key_size; 919 p_rec->ble.key_type |= BTM_LE_KEY_PENC; 920 p_rec->sec_flags |= BTM_SEC_LINK_KEY_KNOWN; 921 if (p_keys->penc_key.sec_level == SMP_SEC_AUTHENTICATED) 922 p_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED; 923 else 924 p_rec->sec_flags &= ~BTM_SEC_LINK_KEY_AUTHED; 925 BTM_TRACE_DEBUG3("BTM_LE_KEY_PENC key_type=0x%x sec_flags=0x%x sec_leve=0x%x", 926 p_rec->ble.key_type, 927 p_rec->sec_flags, 928 p_rec->ble.keys.sec_level); 929 break; 930 931 case BTM_LE_KEY_PID: 932 for (i=0; i<BT_OCTET16_LEN; i++) 933 { 934 p_rec->ble.keys.irk[i] = p_keys->pid_key.irk[i]; 935 } 936 937 //memcpy( p_rec->ble.keys.irk, p_keys->pid_key, BT_OCTET16_LEN); todo will crash the system 938 memcpy(p_rec->ble.static_addr, p_keys->pid_key.static_addr, BD_ADDR_LEN); 939 p_rec->ble.static_addr_type = p_keys->pid_key.addr_type; 940 p_rec->ble.key_type |= BTM_LE_KEY_PID; 941 BTM_TRACE_DEBUG1("BTM_LE_KEY_PID key_type=0x%x save peer IRK", p_rec->ble.key_type); 942 break; 943 944 case BTM_LE_KEY_PCSRK: 945 memcpy(p_rec->ble.keys.csrk, p_keys->pcsrk_key.csrk, BT_OCTET16_LEN); 946 p_rec->ble.keys.srk_sec_level = p_keys->pcsrk_key.sec_level; 947 p_rec->ble.keys.counter = p_keys->pcsrk_key.counter; 948 p_rec->ble.key_type |= BTM_LE_KEY_PCSRK; 949 p_rec->sec_flags |= BTM_SEC_LINK_KEY_KNOWN; 950 if ( p_keys->pcsrk_key.sec_level== SMP_SEC_AUTHENTICATED) 951 p_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED; 952 else 953 p_rec->sec_flags &= ~BTM_SEC_LINK_KEY_AUTHED; 954 955 BTM_TRACE_DEBUG4("BTM_LE_KEY_PCSRK key_type=0x%x sec_flags=0x%x sec_level=0x%x peer_counter=%d", 956 p_rec->ble.key_type, 957 p_rec->sec_flags, 958 p_rec->ble.keys.srk_sec_level, 959 p_rec->ble.keys.counter ); 960 break; 961 962 case BTM_LE_KEY_LENC: 963 p_rec->ble.keys.div = p_keys->lenc_key.div; /* update DIV */ 964 p_rec->ble.keys.sec_level = p_keys->lenc_key.sec_level; 965 p_rec->ble.keys.key_size = p_keys->lenc_key.key_size; 966 p_rec->ble.key_type |= BTM_LE_KEY_LENC; 967 968 BTM_TRACE_DEBUG4("BTM_LE_KEY_LENC key_type=0x%x DIV=0x%x key_size=0x%x sec_level=0x%x", 969 p_rec->ble.key_type, 970 p_rec->ble.keys.div, 971 p_rec->ble.keys.key_size, 972 p_rec->ble.keys.sec_level ); 973 break; 974 975 case BTM_LE_KEY_LCSRK:/* local CSRK has been delivered */ 976 p_rec->ble.keys.div = p_keys->lcsrk_key.div; /* update DIV */ 977 p_rec->ble.keys.local_csrk_sec_level = p_keys->lcsrk_key.sec_level; 978 p_rec->ble.keys.local_counter = p_keys->lcsrk_key.counter; 979 p_rec->ble.key_type |= BTM_LE_KEY_LCSRK; 980 BTM_TRACE_DEBUG4("BTM_LE_KEY_LCSRK key_type=0x%x DIV=0x%x scrk_sec_level=0x%x local_counter=%d", 981 p_rec->ble.key_type, 982 p_rec->ble.keys.div, 983 p_rec->ble.keys.local_csrk_sec_level, 984 p_rec->ble.keys.local_counter ); 985 break; 986 987 default: 988 BTM_TRACE_WARNING1("btm_sec_save_le_key (Bad key_type 0x%02x)", key_type); 989 return; 990 } 991 992 BTM_TRACE_DEBUG3 ("BLE key type 0x%02x updated for BDA: %08x%04x (btm_sec_save_le_key)", key_type, 993 (bd_addr[0]<<24)+(bd_addr[1]<<16)+(bd_addr[2]<<8)+bd_addr[3], 994 (bd_addr[4]<<8)+bd_addr[5]); 995 996 /* Notify the application that one of the BLE keys has been updated 997 If link key is in progress, it will get sent later.*/ 998 if (pass_to_application && btm_cb.api.p_le_callback) 999 { 1000 cb_data.key.p_key_value = p_keys; 1001 cb_data.key.key_type = key_type; 1002 (*btm_cb.api.p_le_callback) (BTM_LE_KEY_EVT, bd_addr, &cb_data); 1003 } 1004 return; 1005 } 1006 1007 BTM_TRACE_WARNING3 ("BLE key type 0x%02x called for Unknown BDA or type: %08x%04x !! (btm_sec_save_le_key)", key_type, 1008 (bd_addr[0]<<24)+(bd_addr[1]<<16)+(bd_addr[2]<<8)+bd_addr[3], 1009 (bd_addr[4]<<8)+bd_addr[5]); 1010 1011 if (p_rec) 1012 { 1013 BTM_TRACE_DEBUG1 ("sec_flags=0x%x", p_rec->sec_flags); 1014 } 1015 } 1016 1017 /******************************************************************************* 1018 ** 1019 ** Function btm_ble_update_sec_key_size 1020 ** 1021 ** Description update the current lin kencryption key size 1022 ** 1023 ** Returns void 1024 ** 1025 *******************************************************************************/ 1026 void btm_ble_update_sec_key_size(BD_ADDR bd_addr, UINT8 enc_key_size) 1027 { 1028 tBTM_SEC_DEV_REC *p_rec; 1029 1030 BTM_TRACE_DEBUG1("btm_ble_update_sec_key_size enc_key_size = %d", enc_key_size); 1031 1032 if ((p_rec = btm_find_dev (bd_addr)) != NULL ) 1033 { 1034 p_rec->enc_key_size = enc_key_size; 1035 } 1036 } 1037 1038 /******************************************************************************* 1039 ** 1040 ** Function btm_ble_read_sec_key_size 1041 ** 1042 ** Description update the current lin kencryption key size 1043 ** 1044 ** Returns void 1045 ** 1046 *******************************************************************************/ 1047 UINT8 btm_ble_read_sec_key_size(BD_ADDR bd_addr) 1048 { 1049 tBTM_SEC_DEV_REC *p_rec; 1050 1051 if ((p_rec = btm_find_dev (bd_addr)) != NULL ) 1052 { 1053 return p_rec->enc_key_size; 1054 } 1055 else 1056 return 0; 1057 } 1058 1059 /******************************************************************************* 1060 ** 1061 ** Function btm_ble_link_sec_check 1062 ** 1063 ** Description Check BLE link security level match. 1064 ** 1065 ** Returns TRUE: check is OK and the *p_sec_req_act contain the action 1066 ** 1067 *******************************************************************************/ 1068 void btm_ble_link_sec_check(BD_ADDR bd_addr, tBTM_LE_AUTH_REQ auth_req, tBTM_BLE_SEC_REQ_ACT *p_sec_req_act) 1069 { 1070 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr); 1071 UINT8 req_sec_level = BTM_LE_SEC_NONE, cur_sec_level = BTM_LE_SEC_NONE; 1072 1073 BTM_TRACE_DEBUG1 ("btm_ble_link_sec_check auth_req =0x%x", auth_req); 1074 1075 if (p_dev_rec == NULL) 1076 { 1077 BTM_TRACE_ERROR0 ("btm_ble_link_sec_check received for unknown device"); 1078 return; 1079 } 1080 1081 if (p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING || 1082 p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING) 1083 { 1084 /* race condition: discard the security request while master is encrypting the link */ 1085 *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_DISCARD; 1086 } 1087 else 1088 { 1089 req_sec_level = BTM_LE_SEC_UNAUTHENTICATE; 1090 if ((auth_req == (BTM_LE_AUTH_REQ_BOND|BTM_LE_AUTH_REQ_MITM)) || 1091 (auth_req == (BTM_LE_AUTH_REQ_MITM)) ) 1092 { 1093 req_sec_level = BTM_LE_SEC_AUTHENTICATED; 1094 } 1095 1096 BTM_TRACE_DEBUG1 ("dev_rec sec_flags=0x%x", p_dev_rec->sec_flags); 1097 1098 /* currently encrpted */ 1099 if (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED) 1100 { 1101 if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED) 1102 cur_sec_level = BTM_LE_SEC_AUTHENTICATED; 1103 else 1104 cur_sec_level = BTM_LE_SEC_UNAUTHENTICATE; 1105 } 1106 else /* unencrypted link */ 1107 { 1108 /* if bonded, get the key security level */ 1109 if (p_dev_rec->ble.key_type & BTM_LE_KEY_PENC) 1110 cur_sec_level = p_dev_rec->ble.keys.sec_level; 1111 else 1112 cur_sec_level = BTM_LE_SEC_NONE; 1113 } 1114 1115 if (cur_sec_level >= req_sec_level) 1116 { 1117 if (cur_sec_level == BTM_LE_SEC_NONE) 1118 { 1119 *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_NONE; 1120 } 1121 else 1122 { 1123 /* To avoid re-encryption on an encrypted link for an equal condition encryption */ 1124 /* if link has been encrypted, do nothing, go straight to furhter action 1125 if (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED) 1126 *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_DISCARD; 1127 else 1128 */ 1129 *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_ENCRYPT; 1130 } 1131 } 1132 else 1133 { 1134 *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_PAIR; /* start the pariring process to upgrade the keys*/ 1135 } 1136 } 1137 1138 BTM_TRACE_DEBUG3("cur_sec_level=%d req_sec_level=%d sec_req_act=%d", 1139 cur_sec_level, 1140 req_sec_level, 1141 *p_sec_req_act); 1142 1143 } 1144 1145 /******************************************************************************* 1146 ** 1147 ** Function btm_ble_set_encryption 1148 ** 1149 ** Description This function is called to ensure that LE connection is 1150 ** encrypted. Should be called only on an open connection. 1151 ** Typically only needed for connections that first want to 1152 ** bring up unencrypted links, then later encrypt them. 1153 ** 1154 ** Returns void 1155 ** the local device ER is copied into er 1156 ** 1157 *******************************************************************************/ 1158 tBTM_STATUS btm_ble_set_encryption (BD_ADDR bd_addr, void *p_ref_data, UINT8 link_role) 1159 { 1160 tBTM_STATUS cmd = BTM_NO_RESOURCES; 1161 tBTM_BLE_SEC_ACT sec_act = *(tBTM_BLE_SEC_ACT *)p_ref_data ; 1162 tBTM_SEC_DEV_REC *p_rec = btm_find_dev (bd_addr); 1163 1164 if (p_rec == NULL) 1165 { 1166 BTM_TRACE_WARNING1 ("btm_ble_set_encryption (NULL device record!! sec_act=0x%x", sec_act); 1167 return(BTM_WRONG_MODE); 1168 } 1169 1170 BTM_TRACE_DEBUG2 ("btm_ble_set_encryption sec_act=0x%x role_master=%d", sec_act, p_rec->role_master); 1171 1172 if (sec_act == BTM_BLE_SEC_ENCRYPT_MITM) 1173 { 1174 p_rec->security_required |= BTM_SEC_IN_MITM; 1175 } 1176 1177 switch (sec_act) 1178 { 1179 case BTM_BLE_SEC_ENCRYPT: 1180 if (link_role == BTM_ROLE_MASTER) 1181 { 1182 if(p_rec->sec_state == BTM_SEC_STATE_ENCRYPTING) { 1183 BTM_TRACE_DEBUG0 ("State is already encrypting::"); 1184 cmd = BTM_CMD_STARTED; 1185 } 1186 else { 1187 /* start link layer encryption using the security info stored */ 1188 if (btm_ble_start_encrypt(bd_addr, FALSE, NULL)) 1189 { 1190 p_rec->sec_state = BTM_SEC_STATE_ENCRYPTING; 1191 cmd = BTM_CMD_STARTED; 1192 } 1193 } 1194 break; 1195 } 1196 /* if salve role then fall through to call SMP_Pair below which will send a 1197 sec_request to request the master to encrypt the link */ 1198 case BTM_BLE_SEC_ENCRYPT_NO_MITM: 1199 case BTM_BLE_SEC_ENCRYPT_MITM: 1200 1201 if (SMP_Pair(bd_addr) == SMP_STARTED) 1202 { 1203 cmd = BTM_CMD_STARTED; 1204 p_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING; 1205 } 1206 break; 1207 1208 default: 1209 cmd = BTM_SUCCESS; 1210 break; 1211 } 1212 return cmd; 1213 } 1214 1215 /******************************************************************************* 1216 ** 1217 ** Function btm_ble_ltk_request 1218 ** 1219 ** Description This function is called when encryption request is received 1220 ** on a slave device. 1221 ** 1222 ** 1223 ** Returns void 1224 ** 1225 *******************************************************************************/ 1226 void btm_ble_ltk_request(UINT16 handle, UINT8 rand[8], UINT16 ediv) 1227 { 1228 tBTM_CB *p_cb = &btm_cb; 1229 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle); 1230 BT_OCTET8 dummy_stk = {0}; 1231 1232 BTM_TRACE_DEBUG0 ("btm_ble_ltk_request"); 1233 1234 p_cb->ediv = ediv; 1235 1236 memcpy(p_cb->enc_rand, rand, BT_OCTET8_LEN); 1237 1238 if (p_dev_rec != NULL) 1239 { 1240 if (!smp_proc_ltk_request(p_dev_rec->bd_addr)) 1241 btm_ble_ltk_request_reply(p_dev_rec->bd_addr, FALSE, dummy_stk); 1242 } 1243 1244 } 1245 1246 /******************************************************************************* 1247 ** 1248 ** Function btm_ble_start_encrypt 1249 ** 1250 ** Description This function is called to start LE encryption. 1251 ** 1252 ** 1253 ** Returns void 1254 ** 1255 *******************************************************************************/ 1256 BOOLEAN btm_ble_start_encrypt(BD_ADDR bda, BOOLEAN use_stk, BT_OCTET16 stk) 1257 { 1258 tBTM_CB *p_cb = &btm_cb; 1259 tBTM_SEC_DEV_REC *p_rec = btm_find_dev (bda); 1260 BT_OCTET8 dummy_rand = {0}; 1261 BOOLEAN rt = FALSE; 1262 1263 BTM_TRACE_DEBUG0 ("btm_ble_start_encrypt"); 1264 1265 if (!p_rec || 1266 (p_rec && p_rec->sec_state == BTM_SEC_STATE_ENCRYPTING)) 1267 return FALSE; 1268 1269 p_cb->enc_handle = p_rec->hci_handle; 1270 1271 if (use_stk) 1272 { 1273 if (btsnd_hcic_ble_start_enc(p_rec->hci_handle, dummy_rand, 0, stk)) 1274 rt = TRUE; 1275 } 1276 else if (p_rec->ble.key_type & BTM_LE_KEY_PENC) 1277 { 1278 if (btsnd_hcic_ble_start_enc(p_rec->hci_handle, p_rec->ble.keys.rand, 1279 p_rec->ble.keys.ediv, p_rec->ble.keys.ltk)) 1280 rt = TRUE; 1281 } 1282 else 1283 { 1284 BTM_TRACE_ERROR0("No key available to encrypt the link"); 1285 } 1286 if (rt) 1287 { 1288 if (p_rec->sec_state == BTM_SEC_STATE_IDLE) 1289 p_rec->sec_state = BTM_SEC_STATE_ENCRYPTING; 1290 } 1291 1292 return rt; 1293 } 1294 1295 /******************************************************************************* 1296 ** 1297 ** Function btm_ble_link_encrypted 1298 ** 1299 ** Description This function is called when LE link encrption status is changed. 1300 ** 1301 ** Returns void 1302 ** 1303 *******************************************************************************/ 1304 void btm_ble_link_encrypted(BD_ADDR bd_addr, UINT8 encr_enable) 1305 { 1306 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr); 1307 BOOLEAN enc_cback; 1308 1309 if (!p_dev_rec) 1310 { 1311 BTM_TRACE_WARNING1 ("btm_ble_link_encrypted (No Device Found!) encr_enable=%d", encr_enable); 1312 return; 1313 } 1314 1315 BTM_TRACE_DEBUG1 ("btm_ble_link_encrypted encr_enable=%d", encr_enable); 1316 1317 enc_cback = (p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING); 1318 1319 smp_link_encrypted(bd_addr, encr_enable); 1320 1321 BTM_TRACE_DEBUG1(" p_dev_rec->sec_flags=0x%x", p_dev_rec->sec_flags); 1322 1323 if (encr_enable && p_dev_rec->enc_key_size == 0) 1324 p_dev_rec->enc_key_size = p_dev_rec->ble.keys.key_size; 1325 1326 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE; 1327 if (p_dev_rec->p_callback && enc_cback) 1328 { 1329 if (encr_enable) 1330 btm_sec_dev_rec_cback_event(p_dev_rec, BTM_SUCCESS); 1331 else if (p_dev_rec->role_master) 1332 btm_sec_dev_rec_cback_event(p_dev_rec, BTM_ERR_PROCESSING); 1333 1334 } 1335 /* to notify GATT to send data if any request is pending */ 1336 gatt_notify_enc_cmpl(p_dev_rec->bd_addr); 1337 } 1338 1339 /******************************************************************************* 1340 ** Function btm_enc_proc_ltk 1341 ** Description send LTK reply when it's ready. 1342 *******************************************************************************/ 1343 static void btm_enc_proc_ltk(tSMP_ENC *p) 1344 { 1345 UINT8 i; 1346 BTM_TRACE_DEBUG0 ("btm_enc_proc_ltk"); 1347 if (p && p->param_len == BT_OCTET16_LEN) 1348 { 1349 for (i = 0; i < (BT_OCTET16_LEN - btm_cb.key_size); i ++) 1350 p->param_buf[BT_OCTET16_LEN - i - 1] = 0; 1351 btsnd_hcic_ble_ltk_req_reply(btm_cb.enc_handle, p->param_buf); 1352 } 1353 } 1354 1355 /******************************************************************************* 1356 ** Function btm_enc_proc_slave_y 1357 ** Description calculate LTK when Y is ready 1358 *******************************************************************************/ 1359 static void btm_enc_proc_slave_y(tSMP_ENC *p) 1360 { 1361 UINT16 div, y; 1362 UINT8 *pp = p->param_buf; 1363 tBTM_CB *p_cb = &btm_cb; 1364 tSMP_ENC output; 1365 tBTM_SEC_DEV_REC *p_dev_rec; 1366 1367 BTM_TRACE_DEBUG0 ("btm_enc_proc_slave_y"); 1368 if (p != NULL) 1369 { 1370 STREAM_TO_UINT16(y, pp); 1371 1372 div = p_cb->ediv ^ y; 1373 p_dev_rec = btm_find_dev_by_handle (p_cb->enc_handle); 1374 1375 if ( p_dev_rec && 1376 p_dev_rec->ble.keys.div == div ) 1377 { 1378 BTM_TRACE_DEBUG0 ("LTK request OK"); 1379 /* calculating LTK , LTK = E er(div) */ 1380 SMP_Encrypt(p_cb->devcb.er, BT_OCTET16_LEN, (UINT8 *)&div, 2, &output); 1381 btm_enc_proc_ltk(&output); 1382 } 1383 else 1384 { 1385 BTM_TRACE_DEBUG0 ("LTK request failed - send negative reply"); 1386 btsnd_hcic_ble_ltk_req_neg_reply(p_cb->enc_handle); 1387 if (p_dev_rec) 1388 btm_ble_link_encrypted(p_dev_rec->bd_addr, 0); 1389 1390 } 1391 } 1392 } 1393 1394 /******************************************************************************* 1395 ** 1396 ** Function btm_ble_ltk_request_reply 1397 ** 1398 ** Description This function is called to send a LTK request reply on a slave 1399 ** device. 1400 ** 1401 ** Returns void 1402 ** 1403 *******************************************************************************/ 1404 void btm_ble_ltk_request_reply(BD_ADDR bda, BOOLEAN use_stk, BT_OCTET16 stk) 1405 { 1406 tBTM_SEC_DEV_REC *p_rec = btm_find_dev (bda); 1407 tBTM_CB *p_cb = &btm_cb; 1408 tSMP_ENC output; 1409 1410 if (p_rec == NULL) 1411 { 1412 BTM_TRACE_ERROR0("btm_ble_ltk_request_reply received for unknown device"); 1413 return; 1414 } 1415 1416 BTM_TRACE_DEBUG0 ("btm_ble_ltk_request_reply"); 1417 p_cb->enc_handle = p_rec->hci_handle; 1418 p_cb->key_size = p_rec->ble.keys.key_size; 1419 1420 BTM_TRACE_ERROR1("key size = %d", p_rec->ble.keys.key_size); 1421 if (use_stk) 1422 { 1423 btsnd_hcic_ble_ltk_req_reply(btm_cb.enc_handle, stk); 1424 } 1425 else /* calculate LTK using peer device */ 1426 { 1427 /* generate Y= Encrypt(DHK, Rand) received from encrypt request */ 1428 SMP_Encrypt(p_cb->devcb.id_keys.dhk, BT_OCTET16_LEN, p_cb->enc_rand, 1429 BT_OCTET8_LEN, &output); 1430 btm_enc_proc_slave_y(&output); 1431 } 1432 } 1433 1434 /******************************************************************************* 1435 ** 1436 ** Function btm_ble_io_capabilities_req 1437 ** 1438 ** Description This function is called to handle SMP get IO capability request. 1439 ** 1440 ** Returns void 1441 ** 1442 *******************************************************************************/ 1443 UINT8 btm_ble_io_capabilities_req(tBTM_SEC_DEV_REC *p_dev_rec, tBTM_LE_IO_REQ *p_data) 1444 { 1445 UINT8 callback_rc = BTM_SUCCESS; 1446 BTM_TRACE_DEBUG0 ("btm_ble_io_capabilities_req"); 1447 if (btm_cb.api.p_le_callback) 1448 { 1449 /* the callback function implementation may change the IO capability... */ 1450 callback_rc = (*btm_cb.api.p_le_callback) (BTM_LE_IO_REQ_EVT, p_dev_rec->bd_addr, (tBTM_LE_EVT_DATA *)p_data); 1451 } 1452 #if BTM_OOB_INCLUDED == TRUE 1453 if ((callback_rc == BTM_SUCCESS) || (BTM_OOB_UNKNOWN != p_data->oob_data)) 1454 #else 1455 if (callback_rc == BTM_SUCCESS) 1456 #endif 1457 { 1458 p_data->auth_req &= BTM_LE_AUTH_REQ_MASK; 1459 1460 BTM_TRACE_DEBUG2 ("btm_ble_io_capabilities_req 1: p_dev_rec->security_required = %d auth_req:%d", 1461 p_dev_rec->security_required, p_data->auth_req); 1462 BTM_TRACE_DEBUG2 ("btm_ble_io_capabilities_req 2: i_keys=0x%x r_keys=0x%x (bit 0-LTK 1-IRK 2-CSRK)", 1463 p_data->init_keys, 1464 p_data->resp_keys); 1465 1466 /* if authentication requires MITM protection, put on the mask */ 1467 if (p_dev_rec->security_required & BTM_SEC_IN_MITM) 1468 p_data->auth_req |= BTM_LE_AUTH_REQ_MITM; 1469 1470 if (!(p_data->auth_req & SMP_AUTH_BOND)) 1471 { 1472 BTM_TRACE_DEBUG0("Non bonding: No keys should be exchanged"); 1473 p_data->init_keys = 0; 1474 p_data->resp_keys = 0; 1475 } 1476 1477 BTM_TRACE_DEBUG1 ("btm_ble_io_capabilities_req 3: auth_req:%d", p_data->auth_req); 1478 BTM_TRACE_DEBUG2 ("btm_ble_io_capabilities_req 4: i_keys=0x%x r_keys=0x%x", 1479 p_data->init_keys, 1480 p_data->resp_keys); 1481 1482 BTM_TRACE_DEBUG2 ("btm_ble_io_capabilities_req 5: p_data->io_cap = %d auth_req:%d", 1483 p_data->io_cap, p_data->auth_req); 1484 1485 /* remove MITM protection requirement if IO cap does not allow it */ 1486 if ((p_data->io_cap == BTM_IO_CAP_NONE) && p_data->oob_data == SMP_OOB_NONE) 1487 p_data->auth_req &= ~BTM_LE_AUTH_REQ_MITM; 1488 1489 BTM_TRACE_DEBUG3 ("btm_ble_io_capabilities_req 6: IO_CAP:%d oob_data:%d auth_req:%d", 1490 p_data->io_cap, p_data->oob_data, p_data->auth_req); 1491 } 1492 return callback_rc; 1493 } 1494 1495 /******************************************************************************* 1496 ** 1497 ** Function btm_ble_connected 1498 ** 1499 ** Description This function is when a LE connection to the peer device is 1500 ** establsihed 1501 ** 1502 ** Returns void 1503 ** 1504 *******************************************************************************/ 1505 void btm_ble_connected (UINT8 *bda, UINT16 handle, UINT8 enc_mode, UINT8 role, 1506 tBLE_ADDR_TYPE addr_type, BOOLEAN addr_matched) 1507 { 1508 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bda); 1509 tBTM_BLE_CB *p_cb = &btm_cb.ble_ctr_cb; 1510 1511 BTM_TRACE_EVENT0 ("btm_ble_connected"); 1512 1513 /* Commenting out trace due to obf/compilation problems. 1514 */ 1515 #if (BT_USE_TRACES == TRUE) 1516 if (p_dev_rec) 1517 { 1518 BTM_TRACE_EVENT4 ("Security Manager: btm_sec_connected : handle:%d enc_mode:%d bda:%x RName:%s", 1519 handle, enc_mode, 1520 (bda[2]<<24)+(bda[3]<<16)+(bda[4]<<8)+bda[5], 1521 p_dev_rec->sec_bd_name); 1522 1523 BTM_TRACE_DEBUG1 ("btm_ble_connected sec_flags=0x%x",p_dev_rec->sec_flags); 1524 } 1525 else 1526 { 1527 BTM_TRACE_EVENT3 ("Security Manager: btm_sec_connected: handle:%d enc_mode:%d bda:%x ", 1528 handle, enc_mode, 1529 (bda[2]<<24)+(bda[3]<<16)+(bda[4]<<8)+bda[5]); 1530 } 1531 #endif 1532 1533 if (!p_dev_rec) 1534 { 1535 /* There is no device record for new connection. Allocate one */ 1536 p_dev_rec = btm_sec_alloc_dev (bda); 1537 } 1538 else /* Update the timestamp for this device */ 1539 { 1540 p_dev_rec->timestamp = btm_cb.dev_rec_count++; 1541 } 1542 1543 /* update device information */ 1544 p_dev_rec->device_type |= BT_DEVICE_TYPE_BLE; 1545 p_dev_rec->hci_handle = handle; 1546 p_dev_rec->ble.ble_addr_type = addr_type; 1547 1548 if (role == HCI_ROLE_MASTER) 1549 p_dev_rec->role_master = TRUE; 1550 1551 if (role == HCI_ROLE_SLAVE) 1552 p_cb->inq_var.adv_mode = BTM_BLE_ADV_DISABLE; 1553 p_cb->inq_var.directed_conn = FALSE; 1554 1555 return; 1556 } 1557 1558 /***************************************************************************** 1559 ** Function btm_ble_conn_complete 1560 ** 1561 ** Description LE connection complete. 1562 ** 1563 ******************************************************************************/ 1564 void btm_ble_conn_complete(UINT8 *p, UINT16 evt_len) 1565 { 1566 UINT8 role, status, bda_type; 1567 UINT16 handle; 1568 BD_ADDR bda; 1569 UINT16 conn_interval, conn_latency, conn_timeout; 1570 BOOLEAN match = FALSE; 1571 1572 STREAM_TO_UINT8 (status, p); 1573 STREAM_TO_UINT16 (handle, p); 1574 STREAM_TO_UINT8 (role, p); 1575 STREAM_TO_UINT8 (bda_type, p); 1576 STREAM_TO_BDADDR (bda, p); 1577 1578 if (status == 0) 1579 { 1580 STREAM_TO_UINT16 (conn_interval, p); 1581 STREAM_TO_UINT16 (conn_latency, p); 1582 STREAM_TO_UINT16 (conn_timeout, p); 1583 handle = HCID_GET_HANDLE (handle); 1584 1585 btm_ble_connected(bda, handle, HCI_ENCRYPT_MODE_DISABLED, role, bda_type, match); 1586 l2cble_conn_comp (handle, role, bda, bda_type, conn_interval, 1587 conn_latency, conn_timeout); 1588 } 1589 else 1590 { 1591 role = HCI_ROLE_UNKNOWN; 1592 1593 if (status == HCI_ERR_DIRECTED_ADVERTISING_TIMEOUT) 1594 btm_ble_dir_adv_tout(); 1595 } 1596 1597 btm_ble_set_conn_st(BLE_CONN_IDLE); 1598 1599 btm_ble_update_mode_operation(role, bda, TRUE); 1600 } 1601 1602 /***************************************************************************** 1603 ** Function btm_proc_smp_cback 1604 ** 1605 ** Description This function is the SMP callback handler. 1606 ** 1607 ******************************************************************************/ 1608 UINT8 btm_proc_smp_cback(tSMP_EVT event, BD_ADDR bd_addr, tSMP_EVT_DATA *p_data) 1609 { 1610 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr); 1611 UINT8 res = 0; 1612 1613 BTM_TRACE_DEBUG1 ("btm_proc_smp_cback event = %d", event); 1614 1615 if (p_dev_rec != NULL) 1616 { 1617 switch (event) 1618 { 1619 case SMP_IO_CAP_REQ_EVT: 1620 btm_ble_io_capabilities_req(p_dev_rec, (tBTM_LE_IO_REQ *)&p_data->io_req); 1621 break; 1622 1623 case SMP_PASSKEY_REQ_EVT: 1624 case SMP_PASSKEY_NOTIF_EVT: 1625 case SMP_OOB_REQ_EVT: 1626 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED; 1627 case SMP_SEC_REQUEST_EVT: 1628 memcpy (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN); 1629 p_dev_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING; 1630 /* fall through */ 1631 case SMP_COMPLT_EVT: 1632 if (btm_cb.api.p_le_callback) 1633 { 1634 /* the callback function implementation may change the IO capability... */ 1635 BTM_TRACE_DEBUG1 ("btm_cb.api.p_le_callback=0x%x", btm_cb.api.p_le_callback ); 1636 (*btm_cb.api.p_le_callback) (event, bd_addr, (tBTM_LE_EVT_DATA *)p_data); 1637 } 1638 1639 if (event == SMP_COMPLT_EVT) 1640 { 1641 BTM_TRACE_DEBUG2 ("evt=SMP_COMPLT_EVT before update sec_level=0x%x sec_flags=0x%x", p_data->cmplt.sec_level , p_dev_rec->sec_flags ); 1642 1643 res = (p_data->cmplt.reason == SMP_SUCCESS) ? BTM_SUCCESS : BTM_ERR_PROCESSING; 1644 1645 BTM_TRACE_DEBUG3 ("after update result=%d sec_level=0x%x sec_flags=0x%x", 1646 res, p_data->cmplt.sec_level , p_dev_rec->sec_flags ); 1647 1648 btm_sec_dev_rec_cback_event(p_dev_rec, res); 1649 1650 if (p_data->cmplt.is_pair_cancel && btm_cb.api.p_bond_cancel_cmpl_callback ) 1651 { 1652 BTM_TRACE_DEBUG0 ("Pairing Cancel completed"); 1653 (*btm_cb.api.p_bond_cancel_cmpl_callback)(BTM_SUCCESS); 1654 } 1655 #if BTM_BLE_CONFORMANCE_TESTING == TRUE 1656 if (res != BTM_SUCCESS) 1657 { 1658 if (!btm_cb.devcb.no_disc_if_pair_fail && p_data->cmplt.reason != SMP_CONN_TOUT) 1659 { 1660 BTM_TRACE_DEBUG0 ("Pairing failed - Remove ACL"); 1661 btm_remove_acl(bd_addr); 1662 } 1663 else 1664 { 1665 BTM_TRACE_DEBUG0 ("Pairing failed - Not Removing ACL"); 1666 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE; 1667 } 1668 } 1669 #else 1670 if (res != BTM_SUCCESS && p_data->cmplt.reason != SMP_CONN_TOUT) 1671 btm_remove_acl(bd_addr); 1672 #endif 1673 1674 BTM_TRACE_DEBUG3 ("btm_cb pairing_state=%x pairing_flags=%x pin_code_len=%x", 1675 btm_cb.pairing_state, 1676 btm_cb.pairing_flags, 1677 btm_cb.pin_code_len ); 1678 BTM_TRACE_DEBUG6 ("btm_cb.pairing_bda %02x:%02x:%02x:%02x:%02x:%02x", 1679 btm_cb.pairing_bda[0], btm_cb.pairing_bda[1], btm_cb.pairing_bda[2], 1680 btm_cb.pairing_bda[3], btm_cb.pairing_bda[4], btm_cb.pairing_bda[5]); 1681 1682 memset (btm_cb.pairing_bda, 0xff, BD_ADDR_LEN); 1683 btm_cb.pairing_state = BTM_PAIR_STATE_IDLE; 1684 btm_cb.pairing_flags = 0; 1685 } 1686 break; 1687 1688 default: 1689 BTM_TRACE_DEBUG1 ("unknown event = %d", event); 1690 break; 1691 1692 1693 } 1694 } 1695 else 1696 { 1697 BTM_TRACE_ERROR0("btm_proc_smp_cback received for unknown device"); 1698 } 1699 1700 return 0; 1701 } 1702 1703 #endif /* SMP_INCLUDED */ 1704 #endif /* BLE_INCLUDED */ 1705 1706 1707 /******************************************************************************* 1708 ** 1709 ** Function BTM_BleDataSignature 1710 ** 1711 ** Description This function is called to sign the data using AES128 CMAC 1712 ** algorith. 1713 ** 1714 ** Parameter bd_addr: target device the data to be signed for. 1715 ** p_text: singing data 1716 ** len: length of the data to be signed. 1717 ** signature: output parameter where data signature is going to 1718 ** be stored. 1719 ** 1720 ** Returns TRUE if signing sucessul, otherwise FALSE. 1721 ** 1722 *******************************************************************************/ 1723 BOOLEAN BTM_BleDataSignature (BD_ADDR bd_addr, UINT8 *p_text, UINT16 len, 1724 BLE_SIGNATURE signature) 1725 { 1726 BOOLEAN ret = FALSE; 1727 #if (BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE) 1728 tBTM_SEC_DEV_REC *p_rec = btm_find_dev (bd_addr); 1729 UINT8 *p_buf, *pp; 1730 1731 BT_OCTET16 er; 1732 UINT16 div; 1733 UINT8 temp[4]; /* for (r || DIV) r=1*/ 1734 UINT16 r=1; 1735 UINT8 *p=temp, *p_mac = (UINT8 *)signature; 1736 tSMP_ENC output; 1737 BT_OCTET16 local_csrk; 1738 1739 BTM_TRACE_DEBUG0 ("BTM_BleDataSignature"); 1740 if (p_rec == NULL) 1741 { 1742 BTM_TRACE_ERROR0("data signing can not be done from unknow device"); 1743 } 1744 else 1745 { 1746 if ((p_buf = (UINT8 *)GKI_getbuf((UINT16)(len + 4))) != NULL) 1747 { 1748 BTM_TRACE_DEBUG0("Start to generate Local CSRK"); 1749 pp = p_buf; 1750 /* prepare plain text */ 1751 if (p_text) 1752 { 1753 memcpy(p_buf, p_text, len); 1754 pp = (p_buf + len); 1755 } 1756 1757 #if BTM_BLE_CONFORMANCE_TESTING == TRUE 1758 if ( btm_cb.devcb.enable_test_local_sign_cntr) 1759 { 1760 BTM_TRACE_DEBUG1 ("Use Test local counter value from script counter_val=%d", btm_cb.devcb.test_local_sign_cntr); 1761 UINT32_TO_STREAM(pp, btm_cb.devcb.test_local_sign_cntr); 1762 } 1763 else 1764 { 1765 UINT32_TO_STREAM(pp, p_rec->ble.keys.local_counter); 1766 } 1767 #else 1768 UINT32_TO_STREAM(pp, p_rec->ble.keys.local_counter); 1769 #endif 1770 /* compute local csrk */ 1771 if (btm_get_local_div(bd_addr, &div)) 1772 { 1773 BTM_TRACE_DEBUG1 ("compute_csrk div=%x", div); 1774 BTM_GetDeviceEncRoot(er); 1775 1776 /* CSRK = d1(ER, DIV, 1) */ 1777 UINT16_TO_STREAM(p, div); 1778 UINT16_TO_STREAM(p, r); 1779 1780 if (!SMP_Encrypt(er, BT_OCTET16_LEN, temp, 4, &output)) 1781 { 1782 BTM_TRACE_ERROR0("Local CSRK generation failed "); 1783 } 1784 else 1785 { 1786 BTM_TRACE_DEBUG0("local CSRK generation success"); 1787 memcpy((void *)local_csrk, output.param_buf, BT_OCTET16_LEN); 1788 1789 1790 #if BTM_BLE_CONFORMANCE_TESTING == TRUE 1791 if (btm_cb.devcb.enable_test_local_sign_cntr) 1792 { 1793 UINT32_TO_STREAM(p_mac, btm_cb.devcb.test_local_sign_cntr); 1794 } 1795 else 1796 { 1797 UINT32_TO_STREAM(p_mac, p_rec->ble.keys.local_counter); 1798 } 1799 #else 1800 UINT32_TO_STREAM(p_mac, p_rec->ble.keys.local_counter); 1801 #endif 1802 1803 if ((ret = AES_CMAC(local_csrk, p_buf, (UINT16)(len + 4), BTM_CMAC_TLEN_SIZE, p_mac)) == TRUE) 1804 { 1805 btm_ble_increment_sign_ctr(bd_addr, TRUE); 1806 1807 #if BTM_BLE_CONFORMANCE_TESTING == TRUE 1808 if ( btm_cb.devcb.enable_test_mac_val) 1809 { 1810 BTM_TRACE_DEBUG0 ("Use MAC value from script"); 1811 memcpy(p_mac, btm_cb.devcb.test_mac, BTM_CMAC_TLEN_SIZE); 1812 } 1813 #endif 1814 } 1815 BTM_TRACE_DEBUG1("BTM_BleDataSignature p_mac = %d", p_mac); 1816 BTM_TRACE_DEBUG4("p_mac[0] = 0x%02x p_mac[1] = 0x%02x p_mac[2] = 0x%02x p_mac[3] = 0x%02x", 1817 *p_mac, *(p_mac + 1), *(p_mac + 2), *(p_mac + 3)); 1818 BTM_TRACE_DEBUG4("p_mac[4] = 0x%02x p_mac[5] = 0x%02x p_mac[6] = 0x%02x p_mac[7] = 0x%02x", 1819 *(p_mac + 4), *(p_mac + 5), *(p_mac + 6), *(p_mac + 7)); 1820 1821 GKI_freebuf(p_buf); 1822 } 1823 } 1824 } 1825 } 1826 #endif /* BLE_INCLUDED */ 1827 return ret; 1828 } 1829 1830 /******************************************************************************* 1831 ** 1832 ** Function BTM_BleVerifySignature 1833 ** 1834 ** Description This function is called to verify the data signature 1835 ** 1836 ** Parameter bd_addr: target device the data to be signed for. 1837 ** p_orig: original data before signature. 1838 ** len: length of the signing data 1839 ** counter: counter used when doing data signing 1840 ** p_comp: signature to be compared against. 1841 1842 ** Returns TRUE if signature verified correctly; otherwise FALSE. 1843 ** 1844 *******************************************************************************/ 1845 BOOLEAN BTM_BleVerifySignature (BD_ADDR bd_addr, UINT8 *p_orig, UINT16 len, UINT32 counter, 1846 UINT8 *p_comp) 1847 { 1848 BOOLEAN verified = FALSE; 1849 #if (BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE) 1850 tBTM_SEC_DEV_REC *p_rec = btm_find_dev (bd_addr); 1851 UINT8 p_mac[BTM_CMAC_TLEN_SIZE]; 1852 1853 if (p_rec == NULL || (p_rec && !(p_rec->ble.key_type & BTM_LE_KEY_PCSRK))) 1854 { 1855 BTM_TRACE_ERROR0("can not verify signature for unknown device"); 1856 } 1857 else if (counter < p_rec->ble.keys.counter) 1858 { 1859 BTM_TRACE_ERROR0("signature received with out dated sign counter"); 1860 } 1861 else if (p_orig == NULL) 1862 { 1863 BTM_TRACE_ERROR0("No signature to verify"); 1864 } 1865 else 1866 { 1867 BTM_TRACE_DEBUG2 ("BTM_BleVerifySignature rcv_cnt=%d >= expected_cnt=%d", counter, p_rec->ble.keys.counter); 1868 1869 if (AES_CMAC(p_rec->ble.keys.csrk, p_orig, len, BTM_CMAC_TLEN_SIZE, p_mac)) 1870 { 1871 if (memcmp(p_mac, p_comp, BTM_CMAC_TLEN_SIZE) == 0) 1872 { 1873 btm_ble_increment_sign_ctr(bd_addr, FALSE); 1874 verified = TRUE; 1875 } 1876 } 1877 } 1878 #endif /* BLE_INCLUDED */ 1879 return verified; 1880 } 1881 1882 #if BLE_INCLUDED == TRUE 1883 /******************************************************************************* 1884 ** Utility functions for LE device IR/ER generation 1885 *******************************************************************************/ 1886 /******************************************************************************* 1887 ** 1888 ** Function btm_notify_new_key 1889 ** 1890 ** Description This function is to notify application new keys have been 1891 ** generated. 1892 ** 1893 ** Returns void 1894 ** 1895 *******************************************************************************/ 1896 static void btm_notify_new_key(UINT8 key_type) 1897 { 1898 tBTM_BLE_LOCAL_KEYS *p_locak_keys = NULL; 1899 1900 BTM_TRACE_DEBUG1 ("btm_notify_new_key key_type=%d", key_type); 1901 1902 if (btm_cb.api.p_le_key_callback) 1903 { 1904 switch (key_type) 1905 { 1906 case BTM_BLE_KEY_TYPE_ID: 1907 BTM_TRACE_DEBUG0 ("BTM_BLE_KEY_TYPE_ID"); 1908 p_locak_keys = (tBTM_BLE_LOCAL_KEYS *)&btm_cb.devcb.id_keys; 1909 break; 1910 1911 case BTM_BLE_KEY_TYPE_ER: 1912 BTM_TRACE_DEBUG0 ("BTM_BLE_KEY_TYPE_ER"); 1913 p_locak_keys = (tBTM_BLE_LOCAL_KEYS *)&btm_cb.devcb.er; 1914 break; 1915 1916 default: 1917 BTM_TRACE_ERROR1("unknown key type: %d", key_type); 1918 break; 1919 } 1920 if (p_locak_keys != NULL) 1921 (*btm_cb.api.p_le_key_callback) (key_type, p_locak_keys); 1922 } 1923 } 1924 1925 /******************************************************************************* 1926 ** 1927 ** Function btm_ble_process_er2 1928 ** 1929 ** Description This function is called when ER is generated, store it in 1930 ** local control block. 1931 ** 1932 ** Returns void 1933 ** 1934 *******************************************************************************/ 1935 static void btm_ble_process_er2(tBTM_RAND_ENC *p) 1936 { 1937 BTM_TRACE_DEBUG0 ("btm_ble_process_er2"); 1938 1939 if (p &&p->opcode == HCI_BLE_RAND) 1940 { 1941 memcpy(&btm_cb.devcb.er[8], p->param_buf, BT_OCTET8_LEN); 1942 btm_notify_new_key(BTM_BLE_KEY_TYPE_ER); 1943 } 1944 else 1945 { 1946 BTM_TRACE_ERROR0("Generating ER2 exception."); 1947 memset(&btm_cb.devcb.er, 0, sizeof(BT_OCTET16)); 1948 } 1949 } 1950 1951 /******************************************************************************* 1952 ** 1953 ** Function btm_ble_process_er 1954 ** 1955 ** Description This function is called when ER is generated, store it in 1956 ** local control block. 1957 ** 1958 ** Returns void 1959 ** 1960 *******************************************************************************/ 1961 static void btm_ble_process_er(tBTM_RAND_ENC *p) 1962 { 1963 BTM_TRACE_DEBUG0 ("btm_ble_process_er"); 1964 1965 if (p &&p->opcode == HCI_BLE_RAND) 1966 { 1967 memcpy(&btm_cb.devcb.er[0], p->param_buf, BT_OCTET8_LEN); 1968 1969 if (!btsnd_hcic_ble_rand((void *)btm_ble_process_er2)) 1970 { 1971 memset(&btm_cb.devcb.er, 0, sizeof(BT_OCTET16)); 1972 BTM_TRACE_ERROR0("Generating ER2 failed."); 1973 } 1974 } 1975 else 1976 { 1977 BTM_TRACE_ERROR0("Generating ER1 exception."); 1978 } 1979 } 1980 1981 /******************************************************************************* 1982 ** 1983 ** Function btm_ble_process_irk 1984 ** 1985 ** Description This function is called when IRK is generated, store it in 1986 ** local control block. 1987 ** 1988 ** Returns void 1989 ** 1990 *******************************************************************************/ 1991 static void btm_ble_process_irk(tSMP_ENC *p) 1992 { 1993 BTM_TRACE_DEBUG0 ("btm_ble_process_irk"); 1994 if (p &&p->opcode == HCI_BLE_ENCRYPT) 1995 { 1996 memcpy(btm_cb.devcb.id_keys.irk, p->param_buf, BT_OCTET16_LEN); 1997 btm_notify_new_key(BTM_BLE_KEY_TYPE_ID); 1998 } 1999 else 2000 { 2001 BTM_TRACE_ERROR0("Generating IRK exception."); 2002 } 2003 2004 /* proceed generate ER */ 2005 if (!btsnd_hcic_ble_rand((void *)btm_ble_process_er)) 2006 { 2007 BTM_TRACE_ERROR0("Generating ER failed."); 2008 } 2009 } 2010 2011 /******************************************************************************* 2012 ** 2013 ** Function btm_ble_process_dhk 2014 ** 2015 ** Description This function is called when DHK is calculated, store it in 2016 ** local control block, and proceed to generate ER, a 128-bits 2017 ** random number. 2018 ** 2019 ** Returns void 2020 ** 2021 *******************************************************************************/ 2022 static void btm_ble_process_dhk(tSMP_ENC *p) 2023 { 2024 #if SMP_INCLUDED == TRUE 2025 UINT8 btm_ble_irk_pt = 0x01; 2026 tSMP_ENC output; 2027 2028 BTM_TRACE_DEBUG0 ("btm_ble_process_dhk"); 2029 2030 if (p && p->opcode == HCI_BLE_ENCRYPT) 2031 { 2032 memcpy(btm_cb.devcb.id_keys.dhk, p->param_buf, BT_OCTET16_LEN); 2033 BTM_TRACE_DEBUG0("BLE DHK generated."); 2034 2035 /* IRK = D1(IR, 1) */ 2036 if (!SMP_Encrypt(btm_cb.devcb.id_keys.ir, BT_OCTET16_LEN, &btm_ble_irk_pt, 2037 1, &output)) 2038 { 2039 /* reset all identity root related key */ 2040 memset(&btm_cb.devcb.id_keys, 0, sizeof(tBTM_BLE_LOCAL_ID_KEYS)); 2041 } 2042 else 2043 { 2044 btm_ble_process_irk(&output); 2045 } 2046 } 2047 else 2048 { 2049 /* reset all identity root related key */ 2050 memset(&btm_cb.devcb.id_keys, 0, sizeof(tBTM_BLE_LOCAL_ID_KEYS)); 2051 } 2052 #endif 2053 } 2054 2055 /******************************************************************************* 2056 ** 2057 ** Function btm_ble_process_ir2 2058 ** 2059 ** Description This function is called when IR is generated, proceed to calculate 2060 ** DHK = Eir({0x03, 0, 0 ...}) 2061 ** 2062 ** 2063 ** Returns void 2064 ** 2065 *******************************************************************************/ 2066 static void btm_ble_process_ir2(tBTM_RAND_ENC *p) 2067 { 2068 #if SMP_INCLUDED == TRUE 2069 UINT8 btm_ble_dhk_pt = 0x03; 2070 tSMP_ENC output; 2071 2072 BTM_TRACE_DEBUG0 ("btm_ble_process_ir2"); 2073 2074 if (p && p->opcode == HCI_BLE_RAND) 2075 { 2076 /* remembering in control block */ 2077 memcpy(&btm_cb.devcb.id_keys.ir[8], p->param_buf, BT_OCTET8_LEN); 2078 /* generate DHK= Eir({0x03, 0x00, 0x00 ...}) */ 2079 2080 2081 SMP_Encrypt(btm_cb.devcb.id_keys.ir, BT_OCTET16_LEN, &btm_ble_dhk_pt, 2082 1, &output); 2083 btm_ble_process_dhk(&output); 2084 2085 BTM_TRACE_DEBUG0("BLE IR generated."); 2086 } 2087 else 2088 { 2089 memset(&btm_cb.devcb.id_keys, 0, sizeof(tBTM_BLE_LOCAL_ID_KEYS)); 2090 } 2091 #endif 2092 } 2093 2094 /******************************************************************************* 2095 ** 2096 ** Function btm_ble_process_ir 2097 ** 2098 ** Description This function is called when IR is generated, proceed to calculate 2099 ** DHK = Eir({0x02, 0, 0 ...}) 2100 ** 2101 ** 2102 ** Returns void 2103 ** 2104 *******************************************************************************/ 2105 static void btm_ble_process_ir(tBTM_RAND_ENC *p) 2106 { 2107 BTM_TRACE_DEBUG0 ("btm_ble_process_ir"); 2108 2109 if (p && p->opcode == HCI_BLE_RAND) 2110 { 2111 /* remembering in control block */ 2112 memcpy(btm_cb.devcb.id_keys.ir, p->param_buf, BT_OCTET8_LEN); 2113 2114 if (!btsnd_hcic_ble_rand((void *)btm_ble_process_ir2)) 2115 { 2116 BTM_TRACE_ERROR0("Generating IR2 failed."); 2117 memset(&btm_cb.devcb.id_keys, 0, sizeof(tBTM_BLE_LOCAL_ID_KEYS)); 2118 } 2119 } 2120 } 2121 2122 /******************************************************************************* 2123 ** 2124 ** Function btm_ble_reset_id 2125 ** 2126 ** Description This function is called to reset LE device identity. 2127 ** 2128 ** Returns void 2129 ** 2130 *******************************************************************************/ 2131 void btm_ble_reset_id( void ) 2132 { 2133 BTM_TRACE_DEBUG0 ("btm_ble_reset_id"); 2134 2135 /* regenrate Identity Root*/ 2136 if (!btsnd_hcic_ble_rand((void *)btm_ble_process_ir)) 2137 { 2138 BTM_TRACE_DEBUG0("Generating IR failed."); 2139 } 2140 } 2141 2142 #if BTM_BLE_CONFORMANCE_TESTING == TRUE 2143 /******************************************************************************* 2144 ** 2145 ** Function btm_ble_set_no_disc_if_pair_fail 2146 ** 2147 ** Description This function indicates that whether no disconnect of the ACL 2148 ** should be used if pairing failed 2149 ** 2150 ** Returns void 2151 ** 2152 *******************************************************************************/ 2153 void btm_ble_set_no_disc_if_pair_fail(BOOLEAN disable_disc ) 2154 { 2155 BTM_TRACE_DEBUG1 ("btm_ble_set_disc_enable_if_pair_fail disable_disc=%d", disable_disc); 2156 btm_cb.devcb.no_disc_if_pair_fail = disable_disc; 2157 } 2158 2159 /******************************************************************************* 2160 ** 2161 ** Function btm_ble_set_test_mac_value 2162 ** 2163 ** Description This function set test MAC value 2164 ** 2165 ** Returns void 2166 ** 2167 *******************************************************************************/ 2168 void btm_ble_set_test_mac_value(BOOLEAN enable, UINT8 *p_test_mac_val ) 2169 { 2170 BTM_TRACE_DEBUG1 ("btm_ble_set_test_mac_value enable=%d", enable); 2171 btm_cb.devcb.enable_test_mac_val = enable; 2172 memcpy(btm_cb.devcb.test_mac, p_test_mac_val, BT_OCTET8_LEN); 2173 } 2174 2175 /******************************************************************************* 2176 ** 2177 ** Function btm_ble_set_test_local_sign_cntr_value 2178 ** 2179 ** Description This function set test local sign counter value 2180 ** 2181 ** Returns void 2182 ** 2183 *******************************************************************************/ 2184 void btm_ble_set_test_local_sign_cntr_value(BOOLEAN enable, UINT32 test_local_sign_cntr ) 2185 { 2186 BTM_TRACE_DEBUG2 ("btm_ble_set_test_local_sign_cntr_value enable=%d local_sign_cntr=%d", 2187 enable, test_local_sign_cntr); 2188 btm_cb.devcb.enable_test_local_sign_cntr = enable; 2189 btm_cb.devcb.test_local_sign_cntr = test_local_sign_cntr; 2190 } 2191 2192 /******************************************************************************* 2193 ** 2194 ** Function btm_set_random_address 2195 ** 2196 ** Description This function set a random address to local controller. 2197 ** 2198 ** Returns void 2199 ** 2200 *******************************************************************************/ 2201 void btm_set_random_address(BD_ADDR random_bda) 2202 { 2203 tBTM_LE_RANDOM_CB *p_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb; 2204 BOOLEAN adv_mode = btm_cb.ble_ctr_cb.inq_var.adv_mode ; 2205 2206 BTM_TRACE_DEBUG0 ("btm_set_random_address"); 2207 2208 if (adv_mode == BTM_BLE_ADV_ENABLE) 2209 btsnd_hcic_ble_set_adv_enable (BTM_BLE_ADV_DISABLE); 2210 2211 memcpy(p_cb->private_addr, random_bda, BD_ADDR_LEN); 2212 btsnd_hcic_ble_set_random_addr(p_cb->private_addr); 2213 2214 if (adv_mode == BTM_BLE_ADV_ENABLE) 2215 btsnd_hcic_ble_set_adv_enable (BTM_BLE_ADV_ENABLE); 2216 2217 2218 } 2219 #endif /* BTM_BLE_CONFORMANCE_TESTING */ 2220 2221 2222 #endif /* BLE_INCLUDED */ 2223
