Home | History | Annotate | Download | only in btm
      1 /******************************************************************************
      2  *
      3  *  Copyright (C) 1999-2012 Broadcom Corporation
      4  *
      5  *  Licensed under the Apache License, Version 2.0 (the "License");
      6  *  you may not use this file except in compliance with the License.
      7  *  You may obtain a copy of the License at:
      8  *
      9  *  http://www.apache.org/licenses/LICENSE-2.0
     10  *
     11  *  Unless required by applicable law or agreed to in writing, software
     12  *  distributed under the License is distributed on an "AS IS" BASIS,
     13  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     14  *  See the License for the specific language governing permissions and
     15  *  limitations under the License.
     16  *
     17  ******************************************************************************/
     18 
     19 /******************************************************************************
     20  *
     21  *  This file contains functions for BLE device control utilities, and LE
     22  *  security functions.
     23  *
     24  ******************************************************************************/
     25 #include "bt_target.h"
     26 
     27 #if BLE_INCLUDED == TRUE
     28 
     29 #include <string.h>
     30 
     31 #include "bt_types.h"
     32 #include "hcimsgs.h"
     33 #include "btu.h"
     34 #include "btm_int.h"
     35 #include "btm_ble_api.h"
     36 #include "smp_api.h"
     37 #include "l2c_int.h"
     38 #include "gap_api.h"
     39 #include "bt_utils.h"
     40 
     41 #include "vendor_ble.h"
     42 
     43 #if SMP_INCLUDED == TRUE
     44 extern BOOLEAN AES_CMAC ( BT_OCTET16 key, UINT8 *input, UINT16 length, UINT16 tlen, UINT8 *p_signature);
     45 extern void smp_link_encrypted(BD_ADDR bda, UINT8 encr_enable);
     46 extern BOOLEAN smp_proc_ltk_request(BD_ADDR bda);
     47 #endif
     48 extern void gatt_notify_enc_cmpl(BD_ADDR bd_addr);
     49 /*******************************************************************************/
     50 /* External Function to be called by other modules                             */
     51 /*******************************************************************************/
     52 /********************************************************
     53 **
     54 ** Function         BTM_SecAddBleDevice
     55 **
     56 ** Description      Add/modify device.  This function will be normally called
     57 **                  during host startup to restore all required information
     58 **                  for a LE device stored in the NVRAM.
     59 **
     60 ** Parameters:      bd_addr          - BD address of the peer
     61 **                  bd_name          - Name of the peer device.  NULL if unknown.
     62 **                  dev_type         - Remote device's device type.
     63 **                  addr_type        - LE device address type.
     64 **
     65 ** Returns          TRUE if added OK, else FALSE
     66 **
     67 *******************************************************************************/
     68 BOOLEAN BTM_SecAddBleDevice (BD_ADDR bd_addr, BD_NAME bd_name, tBT_DEVICE_TYPE dev_type,
     69                              tBLE_ADDR_TYPE addr_type)
     70 {
     71     tBTM_SEC_DEV_REC  *p_dev_rec;
     72     UINT8               i = 0;
     73     tBTM_INQ_INFO      *p_info=NULL;
     74 
     75     BTM_TRACE_DEBUG ("BTM_SecAddBleDevice dev_type=0x%x", dev_type);
     76     p_dev_rec = btm_find_dev (bd_addr);
     77 
     78     if (!p_dev_rec)
     79     {
     80         BTM_TRACE_DEBUG("Add a new device");
     81 
     82         /* There is no device record, allocate one.
     83          * If we can not find an empty spot for this one, let it fail. */
     84         for (i = 0; i < BTM_SEC_MAX_DEVICE_RECORDS; i++)
     85         {
     86             if (!(btm_cb.sec_dev_rec[i].sec_flags & BTM_SEC_IN_USE))
     87             {
     88                 BTM_TRACE_DEBUG ("allocate a new dev rec idx=0x%x ", i );
     89                 p_dev_rec = &btm_cb.sec_dev_rec[i];
     90 
     91                 /* Mark this record as in use and initialize */
     92                 memset (p_dev_rec, 0, sizeof (tBTM_SEC_DEV_REC));
     93                 p_dev_rec->sec_flags = BTM_SEC_IN_USE;
     94                 memcpy (p_dev_rec->bd_addr, bd_addr, BD_ADDR_LEN);
     95                 p_dev_rec->hci_handle = BTM_GetHCIConnHandle (bd_addr, BT_TRANSPORT_BR_EDR);
     96                 p_dev_rec->ble_hci_handle = BTM_GetHCIConnHandle (bd_addr, BT_TRANSPORT_LE);
     97 
     98                 /* update conn params, use default value for background connection params */
     99                 p_dev_rec->conn_params.min_conn_int     =
    100                 p_dev_rec->conn_params.max_conn_int     =
    101                 p_dev_rec->conn_params.supervision_tout =
    102                 p_dev_rec->conn_params.slave_latency    = BTM_BLE_CONN_PARAM_UNDEF;
    103 
    104                 BTM_TRACE_DEBUG ("hci_handl=0x%x ",  p_dev_rec->ble_hci_handle );
    105                 break;
    106             }
    107         }
    108 
    109         if (!p_dev_rec)
    110             return(FALSE);
    111     }
    112     else
    113     {
    114         BTM_TRACE_DEBUG("Device already exist");
    115     }
    116 
    117     memset(p_dev_rec->sec_bd_name, 0, sizeof(tBTM_BD_NAME));
    118 
    119     if (bd_name && bd_name[0])
    120     {
    121         p_dev_rec->sec_flags |= BTM_SEC_NAME_KNOWN;
    122         BCM_STRNCPY_S ((char *)p_dev_rec->sec_bd_name, sizeof (p_dev_rec->sec_bd_name),
    123                        (char *)bd_name, BTM_MAX_REM_BD_NAME_LEN);
    124     }
    125     p_dev_rec->device_type = dev_type;
    126     p_dev_rec->ble.ble_addr_type = addr_type;
    127     BTM_TRACE_DEBUG ("p_dev_rec->device_type =0x%x  addr_type=0x%x sec_flags=0x%x",
    128                       dev_type,  addr_type, p_dev_rec->sec_flags);
    129 
    130     /* sync up with the Inq Data base*/
    131     p_info = BTM_InqDbRead(bd_addr);
    132     if (p_info)
    133     {
    134         p_info->results.ble_addr_type = p_dev_rec->ble.ble_addr_type ;
    135         p_info->results.device_type = p_dev_rec->device_type;
    136         BTM_TRACE_DEBUG ("InqDb  device_type =0x%x  addr_type=0x%x",
    137                           p_info->results.device_type, p_info->results.ble_addr_type);
    138     }
    139 
    140     return(TRUE);
    141 }
    142 
    143 /*******************************************************************************
    144 **
    145 ** Function         BTM_SecAddBleKey
    146 **
    147 ** Description      Add/modify LE device information.  This function will be
    148 **                  normally called during host startup to restore all required
    149 **                  information stored in the NVRAM.
    150 **
    151 ** Parameters:      bd_addr          - BD address of the peer
    152 **                  p_le_key         - LE key values.
    153 **                  key_type         - LE SMP key type.
    154 *
    155 ** Returns          TRUE if added OK, else FALSE
    156 **
    157 *******************************************************************************/
    158 BOOLEAN BTM_SecAddBleKey (BD_ADDR bd_addr, tBTM_LE_KEY_VALUE *p_le_key, tBTM_LE_KEY_TYPE key_type)
    159 {
    160 #if SMP_INCLUDED == TRUE
    161     tBTM_SEC_DEV_REC  *p_dev_rec;
    162     BTM_TRACE_DEBUG ("BTM_SecAddBleKey");
    163     p_dev_rec = btm_find_dev (bd_addr);
    164     if (!p_dev_rec || !p_le_key ||
    165         (key_type != BTM_LE_KEY_PENC && key_type != BTM_LE_KEY_PID &&
    166          key_type != BTM_LE_KEY_PCSRK && key_type != BTM_LE_KEY_LENC &&
    167          key_type != BTM_LE_KEY_LCSRK))
    168     {
    169         BTM_TRACE_WARNING ("BTM_SecAddBleKey()  Wrong Type, or No Device record \
    170                         for bdaddr: %08x%04x, Type: %d",
    171                             (bd_addr[0]<<24)+(bd_addr[1]<<16)+(bd_addr[2]<<8)+bd_addr[3],
    172                             (bd_addr[4]<<8)+bd_addr[5], key_type);
    173         return(FALSE);
    174     }
    175 
    176     BTM_TRACE_DEBUG ("BTM_SecAddLeKey()  BDA: %08x%04x, Type: 0x%02x",
    177                       (bd_addr[0]<<24)+(bd_addr[1]<<16)+(bd_addr[2]<<8)+bd_addr[3],
    178                       (bd_addr[4]<<8)+bd_addr[5], key_type);
    179 
    180     if (key_type == BTM_LE_KEY_PENC || key_type == BTM_LE_KEY_PID ||
    181         key_type == BTM_LE_KEY_PCSRK || key_type == BTM_LE_KEY_LENC ||
    182         key_type == BTM_LE_KEY_LCSRK)
    183     {
    184         btm_sec_save_le_key (bd_addr, key_type, p_le_key, FALSE);
    185     }
    186 
    187 #endif
    188 
    189     return(TRUE);
    190 }
    191 
    192 /*******************************************************************************
    193 **
    194 ** Function         BTM_BleLoadLocalKeys
    195 **
    196 ** Description      Local local identity key, encryption root or sign counter.
    197 **
    198 ** Parameters:      key_type: type of key, can be BTM_BLE_KEY_TYPE_ID, BTM_BLE_KEY_TYPE_ER
    199 **                            or BTM_BLE_KEY_TYPE_COUNTER.
    200 **                  p_key: pointer to the key.
    201 *
    202 ** Returns          non2.
    203 **
    204 *******************************************************************************/
    205 void BTM_BleLoadLocalKeys(UINT8 key_type, tBTM_BLE_LOCAL_KEYS *p_key)
    206 {
    207     tBTM_DEVCB *p_devcb = &btm_cb.devcb;
    208     BTM_TRACE_DEBUG ("BTM_BleLoadLocalKeys");
    209     if (p_key != NULL)
    210     {
    211         switch (key_type)
    212         {
    213             case BTM_BLE_KEY_TYPE_ID:
    214                 memcpy(&p_devcb->id_keys, &p_key->id_keys, sizeof(tBTM_BLE_LOCAL_ID_KEYS));
    215                 break;
    216 
    217             case BTM_BLE_KEY_TYPE_ER:
    218                 memcpy(p_devcb->er, p_key->er, sizeof(BT_OCTET16));
    219                 break;
    220 
    221             default:
    222                 BTM_TRACE_ERROR("unknow local key type: %d", key_type);
    223                 break;
    224         }
    225     }
    226 }
    227 
    228 /*******************************************************************************
    229 **
    230 ** Function         BTM_GetDeviceEncRoot
    231 **
    232 ** Description      This function is called to read the local device encryption
    233 **                  root.
    234 **
    235 ** Returns          void
    236 **                  the local device ER is copied into er
    237 **
    238 *******************************************************************************/
    239 void BTM_GetDeviceEncRoot (BT_OCTET16 er)
    240 {
    241     BTM_TRACE_DEBUG ("BTM_GetDeviceEncRoot");
    242 
    243     memcpy (er, btm_cb.devcb.er, BT_OCTET16_LEN);
    244 }
    245 
    246 /*******************************************************************************
    247 **
    248 ** Function         BTM_GetDeviceIDRoot
    249 **
    250 ** Description      This function is called to read the local device identity
    251 **                  root.
    252 **
    253 ** Returns          void
    254 **                  the local device IR is copied into irk
    255 **
    256 *******************************************************************************/
    257 void BTM_GetDeviceIDRoot (BT_OCTET16 irk)
    258 {
    259     BTM_TRACE_DEBUG ("BTM_GetDeviceIDRoot ");
    260 
    261     memcpy (irk, btm_cb.devcb.id_keys.irk, BT_OCTET16_LEN);
    262 }
    263 
    264 /*******************************************************************************
    265 **
    266 ** Function         BTM_GetDeviceDHK
    267 **
    268 ** Description      This function is called to read the local device DHK.
    269 **
    270 ** Returns          void
    271 **                  the local device DHK is copied into dhk
    272 **
    273 *******************************************************************************/
    274 void BTM_GetDeviceDHK (BT_OCTET16 dhk)
    275 {
    276     BTM_TRACE_DEBUG ("BTM_GetDeviceDHK");
    277     memcpy (dhk, btm_cb.devcb.id_keys.dhk, BT_OCTET16_LEN);
    278 }
    279 
    280 /*******************************************************************************
    281 **
    282 ** Function         BTM_ReadConnectionAddr
    283 **
    284 ** Description      This function is called to get the local device address information
    285 **                  .
    286 **
    287 ** Returns          void
    288 **
    289 *******************************************************************************/
    290 void BTM_ReadConnectionAddr (BD_ADDR remote_bda, BD_ADDR local_conn_addr, tBLE_ADDR_TYPE *p_addr_type)
    291 {
    292     tACL_CONN       *p_acl = btm_bda_to_acl(remote_bda, BT_TRANSPORT_LE);
    293 
    294     if (p_acl == NULL)
    295     {
    296         BTM_TRACE_ERROR("No connection exist!");
    297         return;
    298     }
    299     memcpy(local_conn_addr, p_acl->conn_addr, BD_ADDR_LEN);
    300     * p_addr_type = p_acl->conn_addr_type;
    301 
    302     BTM_TRACE_DEBUG ("BTM_ReadConnectionAddr address type: %d addr: 0x%02x",
    303                     p_acl->conn_addr_type, p_acl->conn_addr[0]);
    304 }
    305 
    306 /*******************************************************************************
    307 **
    308 ** Function         BTM_IsBleConnection
    309 **
    310 ** Description      This function is called to check if the connection handle
    311 **                  for an LE link
    312 **
    313 ** Returns          TRUE if connection is LE link, otherwise FALSE.
    314 **
    315 *******************************************************************************/
    316 BOOLEAN BTM_IsBleConnection (UINT16 conn_handle)
    317 {
    318 #if (BLE_INCLUDED == TRUE)
    319     UINT8                xx;
    320     tACL_CONN            *p;
    321 
    322     BTM_TRACE_API ("BTM_IsBleConnection: conn_handle: %d", conn_handle);
    323 
    324     xx = btm_handle_to_acl_index (conn_handle);
    325     if (xx >= MAX_L2CAP_LINKS)
    326         return FALSE;
    327 
    328     p = &btm_cb.acl_db[xx];
    329 
    330     return (p->transport == BT_TRANSPORT_LE);
    331 #else
    332     return FALSE;
    333 #endif
    334 }
    335 
    336 /*******************************************************************************
    337 **
    338 ** Function         BTM_ReadRemoteConnectionAddr
    339 **
    340 ** Description      This function is read the remote device address currently used
    341 **
    342 ** Parameters     pseudo_addr: pseudo random address available
    343 **                conn_addr:connection address used
    344 **                p_addr_type : BD Address type, Public or Random of the address used
    345 **
    346 ** Returns          BOOLEAN , TRUE if connection to remote device exists, else FALSE
    347 **
    348 *******************************************************************************/
    349 BOOLEAN BTM_ReadRemoteConnectionAddr(BD_ADDR pseudo_addr, BD_ADDR conn_addr,
    350                                                tBLE_ADDR_TYPE *p_addr_type)
    351 {
    352  BOOLEAN         st = TRUE;
    353 #if (BLE_PRIVACY_SPT == TRUE)
    354     tACL_CONN       *p = btm_bda_to_acl (pseudo_addr, BT_TRANSPORT_LE);
    355 
    356     if (p == NULL)
    357     {
    358         BTM_TRACE_ERROR("BTM_ReadRemoteConnectionAddr can not find connection"
    359                         " with matching address");
    360         return FALSE;
    361     }
    362 
    363     memcpy(conn_addr, p->active_remote_addr, BD_ADDR_LEN);
    364     *p_addr_type = p->active_remote_addr_type;
    365 #else
    366     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev(pseudo_addr);
    367 
    368     memcpy(conn_addr, pseudo_addr, BD_ADDR_LEN);
    369     if (p_dev_rec != NULL)
    370     {
    371         *p_addr_type = p_dev_rec->ble.ble_addr_type;
    372     }
    373 #endif
    374     return st;
    375 
    376 }
    377 /*******************************************************************************
    378 **
    379 ** Function         BTM_SecurityGrant
    380 **
    381 ** Description      This function is called to grant security process.
    382 **
    383 ** Parameters       bd_addr - peer device bd address.
    384 **                  res     - result of the operation BTM_SUCCESS if success.
    385 **                            Otherwise, BTM_REPEATED_ATTEMPTS is too many attempts.
    386 **
    387 ** Returns          None
    388 **
    389 *******************************************************************************/
    390 void BTM_SecurityGrant(BD_ADDR bd_addr, UINT8 res)
    391 {
    392 #if SMP_INCLUDED == TRUE
    393     tSMP_STATUS res_smp = (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_REPEATED_ATTEMPTS;
    394     BTM_TRACE_DEBUG ("BTM_SecurityGrant");
    395     SMP_SecurityGrant(bd_addr, res_smp);
    396 #endif
    397 }
    398 
    399 /*******************************************************************************
    400 **
    401 ** Function         BTM_BlePasskeyReply
    402 **
    403 ** Description      This function is called after Security Manager submitted
    404 **                  passkey request to the application.
    405 **
    406 ** Parameters:      bd_addr      - Address of the device for which passkey was requested
    407 **                  res          - result of the operation BTM_SUCCESS if success
    408 **                  key_len      - length in bytes of the Passkey
    409 **                  p_passkey        - pointer to array with the passkey
    410 **                  trusted_mask - bitwise OR of trusted services (array of UINT32)
    411 **
    412 *******************************************************************************/
    413 void BTM_BlePasskeyReply (BD_ADDR bd_addr, UINT8 res, UINT32 passkey)
    414 {
    415 #if SMP_INCLUDED == TRUE
    416     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev (bd_addr);
    417     tSMP_STATUS      res_smp = (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_PASSKEY_ENTRY_FAIL;
    418 
    419     if (p_dev_rec == NULL)
    420     {
    421         BTM_TRACE_ERROR("Passkey reply to Unknown device");
    422         return;
    423     }
    424 
    425     p_dev_rec->sec_flags   |= BTM_SEC_LE_LINK_KEY_AUTHED;
    426     BTM_TRACE_DEBUG ("BTM_BlePasskeyReply");
    427     SMP_PasskeyReply(bd_addr, res_smp, passkey);
    428 #endif
    429 }
    430 
    431 /*******************************************************************************
    432 **
    433 ** Function         BTM_BleOobDataReply
    434 **
    435 ** Description      This function is called to provide the OOB data for
    436 **                  SMP in response to BTM_LE_OOB_REQ_EVT
    437 **
    438 ** Parameters:      bd_addr     - Address of the peer device
    439 **                  res         - result of the operation SMP_SUCCESS if success
    440 **                  p_data      - simple pairing Randomizer  C.
    441 **
    442 *******************************************************************************/
    443 void BTM_BleOobDataReply(BD_ADDR bd_addr, UINT8 res, UINT8 len, UINT8 *p_data)
    444 {
    445 #if SMP_INCLUDED == TRUE
    446     tSMP_STATUS res_smp = (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_OOB_FAIL;
    447     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev (bd_addr);
    448 
    449     BTM_TRACE_DEBUG ("BTM_BleOobDataReply");
    450 
    451     if (p_dev_rec == NULL)
    452     {
    453         BTM_TRACE_ERROR("BTM_BleOobDataReply() to Unknown device");
    454         return;
    455     }
    456 
    457     p_dev_rec->sec_flags |= BTM_SEC_LE_LINK_KEY_AUTHED;
    458     SMP_OobDataReply(bd_addr, res_smp, len, p_data);
    459 #endif
    460 }
    461 
    462 /******************************************************************************
    463 **
    464 ** Function         BTM_BleSetConnScanParams
    465 **
    466 ** Description      Set scan parameter used in BLE connection request
    467 **
    468 ** Parameters:      scan_interval: scan interval
    469 **                  scan_window: scan window
    470 **
    471 ** Returns          void
    472 **
    473 *******************************************************************************/
    474 void BTM_BleSetConnScanParams (UINT16 scan_interval, UINT16 scan_window)
    475 {
    476 #if SMP_INCLUDED == TRUE
    477     tBTM_BLE_CB *p_ble_cb = &btm_cb.ble_ctr_cb;
    478     BOOLEAN     new_param = FALSE;
    479 
    480     if (BTM_BLE_VALID_PRAM(scan_interval, BTM_BLE_SCAN_INT_MIN, BTM_BLE_SCAN_INT_MAX) &&
    481         BTM_BLE_VALID_PRAM(scan_window, BTM_BLE_SCAN_WIN_MIN, BTM_BLE_SCAN_WIN_MAX))
    482     {
    483         btu_stop_timer(&p_ble_cb->scan_param_idle_timer);
    484 
    485         if (p_ble_cb->scan_int != scan_interval)
    486         {
    487             p_ble_cb->scan_int = scan_interval;
    488             new_param = TRUE;
    489         }
    490 
    491         if (p_ble_cb->scan_win != scan_window)
    492         {
    493             p_ble_cb->scan_win = scan_window;
    494             new_param = TRUE;
    495         }
    496 
    497         if (new_param && p_ble_cb->conn_state == BLE_BG_CONN)
    498         {
    499             btm_ble_suspend_bg_conn();
    500         }
    501     }
    502     else
    503     {
    504         BTM_TRACE_ERROR("Illegal Connection Scan Parameters");
    505     }
    506 #endif
    507 }
    508 
    509 /********************************************************
    510 **
    511 ** Function         BTM_BleSetPrefConnParams
    512 **
    513 ** Description      Set a peripheral's preferred connection parameters
    514 **
    515 ** Parameters:      bd_addr          - BD address of the peripheral
    516 **                  scan_interval: scan interval
    517 **                  scan_window: scan window
    518 **                  min_conn_int     - minimum preferred connection interval
    519 **                  max_conn_int     - maximum preferred connection interval
    520 **                  slave_latency    - preferred slave latency
    521 **                  supervision_tout - preferred supervision timeout
    522 **
    523 ** Returns          void
    524 **
    525 *******************************************************************************/
    526 void BTM_BleSetPrefConnParams (BD_ADDR bd_addr,
    527                                UINT16 min_conn_int, UINT16 max_conn_int,
    528                                UINT16 slave_latency, UINT16 supervision_tout)
    529 {
    530     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev (bd_addr);
    531 
    532     BTM_TRACE_API ("BTM_BleSetPrefConnParams min: %u  max: %u  latency: %u  \
    533                     tout: %u",
    534                     min_conn_int, max_conn_int, slave_latency, supervision_tout);
    535 
    536     if (BTM_BLE_VALID_PRAM(min_conn_int, BTM_BLE_CONN_INT_MIN, BTM_BLE_CONN_INT_MAX) &&
    537         BTM_BLE_VALID_PRAM(max_conn_int, BTM_BLE_CONN_INT_MIN, BTM_BLE_CONN_INT_MAX) &&
    538         BTM_BLE_VALID_PRAM(supervision_tout, BTM_BLE_CONN_SUP_TOUT_MIN, BTM_BLE_CONN_SUP_TOUT_MAX) &&
    539         (slave_latency <= BTM_BLE_CONN_LATENCY_MAX || slave_latency == BTM_BLE_CONN_PARAM_UNDEF))
    540     {
    541         if (p_dev_rec)
    542         {
    543             /* expect conn int and stout and slave latency to be updated all together */
    544             if (min_conn_int != BTM_BLE_CONN_PARAM_UNDEF || max_conn_int != BTM_BLE_CONN_PARAM_UNDEF)
    545             {
    546                 if (min_conn_int != BTM_BLE_CONN_PARAM_UNDEF)
    547                     p_dev_rec->conn_params.min_conn_int = min_conn_int;
    548                 else
    549                     p_dev_rec->conn_params.min_conn_int = max_conn_int;
    550 
    551                 if (max_conn_int != BTM_BLE_CONN_PARAM_UNDEF)
    552                     p_dev_rec->conn_params.max_conn_int = max_conn_int;
    553                 else
    554                     p_dev_rec->conn_params.max_conn_int = min_conn_int;
    555 
    556                 if (slave_latency != BTM_BLE_CONN_PARAM_UNDEF)
    557                     p_dev_rec->conn_params.slave_latency = slave_latency;
    558                 else
    559                     p_dev_rec->conn_params.slave_latency = BTM_BLE_CONN_SLAVE_LATENCY_DEF;
    560 
    561                 if (supervision_tout != BTM_BLE_CONN_PARAM_UNDEF)
    562                     p_dev_rec->conn_params.supervision_tout = supervision_tout;
    563                 else
    564                     p_dev_rec->conn_params.supervision_tout = BTM_BLE_CONN_TIMEOUT_DEF;
    565 
    566             }
    567 
    568         }
    569         else
    570         {
    571             BTM_TRACE_ERROR("Unknown Device, setting rejected");
    572         }
    573     }
    574     else
    575     {
    576         BTM_TRACE_ERROR("Illegal Connection Parameters");
    577     }
    578 }
    579 
    580 /*******************************************************************************
    581 **
    582 ** Function         BTM_ReadDevInfo
    583 **
    584 ** Description      This function is called to read the device/address type
    585 **                  of BD address.
    586 **
    587 ** Parameter        remote_bda: remote device address
    588 **                  p_dev_type: output parameter to read the device type.
    589 **                  p_addr_type: output parameter to read the address type.
    590 **
    591 *******************************************************************************/
    592 void BTM_ReadDevInfo (BD_ADDR remote_bda, tBT_DEVICE_TYPE *p_dev_type, tBLE_ADDR_TYPE *p_addr_type)
    593 {
    594     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev (remote_bda);
    595     tBTM_INQ_INFO     *p_inq_info = BTM_InqDbRead(remote_bda);
    596 
    597     *p_dev_type = BT_DEVICE_TYPE_BREDR;
    598     *p_addr_type = BLE_ADDR_PUBLIC;
    599 
    600     if (!p_dev_rec)
    601     {
    602         /* Check with the BT manager if details about remote device are known */
    603         if (p_inq_info != NULL)
    604         {
    605             *p_dev_type = p_inq_info->results.device_type ;
    606             *p_addr_type = p_inq_info->results.ble_addr_type;
    607         } else {
    608             /* unknown device, assume BR/EDR */
    609             BTM_TRACE_DEBUG ("btm_find_dev_type - unknown device, BR/EDR assumed");
    610         }
    611     }
    612     else /* there is a security device record exisitng */
    613     {
    614         /* new inquiry result, overwrite device type in security device record */
    615         if (p_inq_info)
    616         {
    617             p_dev_rec->device_type          = p_inq_info->results.device_type;
    618             p_dev_rec->ble.ble_addr_type    = p_inq_info->results.ble_addr_type;
    619         }
    620         *p_dev_type = p_dev_rec->device_type;
    621         *p_addr_type = p_dev_rec->ble.ble_addr_type;
    622 
    623     }
    624 
    625     BTM_TRACE_DEBUG ("btm_find_dev_type - device_type = %d addr_type = %d", *p_dev_type , *p_addr_type);
    626 }
    627 
    628 /*******************************************************************************
    629 **
    630 ** Function         BTM_BleReceiverTest
    631 **
    632 ** Description      This function is called to start the LE Receiver test
    633 **
    634 ** Parameter       rx_freq - Frequency Range
    635 **               p_cmd_cmpl_cback - Command Complete callback
    636 **
    637 *******************************************************************************/
    638 void BTM_BleReceiverTest(UINT8 rx_freq, tBTM_CMPL_CB *p_cmd_cmpl_cback)
    639 {
    640      btm_cb.devcb.p_le_test_cmd_cmpl_cb = p_cmd_cmpl_cback;
    641 
    642      if (btsnd_hcic_ble_receiver_test(rx_freq) == FALSE)
    643      {
    644           BTM_TRACE_ERROR("%s: Unable to Trigger LE receiver test", __FUNCTION__);
    645      }
    646 }
    647 
    648 /*******************************************************************************
    649 **
    650 ** Function         BTM_BleTransmitterTest
    651 **
    652 ** Description      This function is called to start the LE Transmitter test
    653 **
    654 ** Parameter       tx_freq - Frequency Range
    655 **                       test_data_len - Length in bytes of payload data in each packet
    656 **                       packet_payload - Pattern to use in the payload
    657 **                       p_cmd_cmpl_cback - Command Complete callback
    658 **
    659 *******************************************************************************/
    660 void BTM_BleTransmitterTest(UINT8 tx_freq, UINT8 test_data_len,
    661                                  UINT8 packet_payload, tBTM_CMPL_CB *p_cmd_cmpl_cback)
    662 {
    663      btm_cb.devcb.p_le_test_cmd_cmpl_cb = p_cmd_cmpl_cback;
    664      if (btsnd_hcic_ble_transmitter_test(tx_freq, test_data_len, packet_payload) == FALSE)
    665      {
    666           BTM_TRACE_ERROR("%s: Unable to Trigger LE transmitter test", __FUNCTION__);
    667      }
    668 }
    669 
    670 /*******************************************************************************
    671 **
    672 ** Function         BTM_BleTestEnd
    673 **
    674 ** Description      This function is called to stop the in-progress TX or RX test
    675 **
    676 ** Parameter       p_cmd_cmpl_cback - Command complete callback
    677 **
    678 *******************************************************************************/
    679 void BTM_BleTestEnd(tBTM_CMPL_CB *p_cmd_cmpl_cback)
    680 {
    681      btm_cb.devcb.p_le_test_cmd_cmpl_cb = p_cmd_cmpl_cback;
    682 
    683      if (btsnd_hcic_ble_test_end() == FALSE)
    684      {
    685           BTM_TRACE_ERROR("%s: Unable to End the LE TX/RX test", __FUNCTION__);
    686      }
    687 }
    688 
    689 /*******************************************************************************
    690 ** Internal Functions
    691 *******************************************************************************/
    692 void btm_ble_test_command_complete(UINT8 *p)
    693 {
    694     tBTM_CMPL_CB   *p_cb = btm_cb.devcb.p_le_test_cmd_cmpl_cb;
    695     UINT8           status;
    696 
    697     btm_cb.devcb.p_le_test_cmd_cmpl_cb = NULL;
    698 
    699     if (p_cb)
    700     {
    701         (*p_cb)(p);
    702     }
    703 }
    704 
    705 /*******************************************************************************
    706 **
    707 ** Function         BTM_UseLeLink
    708 **
    709 ** Description      This function is to select the underneath physical link to use.
    710 **
    711 ** Returns          TRUE to use LE, FALSE use BR/EDR.
    712 **
    713 *******************************************************************************/
    714 BOOLEAN BTM_UseLeLink (BD_ADDR bd_addr)
    715 {
    716     tACL_CONN         *p;
    717     tBT_DEVICE_TYPE     dev_type;
    718     tBLE_ADDR_TYPE      addr_type;
    719     BOOLEAN             use_le = FALSE;
    720 
    721     if ((p = btm_bda_to_acl(bd_addr, BT_TRANSPORT_BR_EDR)) != NULL)
    722     {
    723         return use_le;
    724     }
    725     else if ((p = btm_bda_to_acl(bd_addr, BT_TRANSPORT_LE)) != NULL)
    726     {
    727         use_le = TRUE;
    728     }
    729     else
    730     {
    731         BTM_ReadDevInfo(bd_addr, &dev_type, &addr_type);
    732         use_le = (dev_type == BT_DEVICE_TYPE_BLE);
    733     }
    734     return use_le;
    735 }
    736 /*******************************************************************************
    737 **
    738 ** Function         btm_ble_rand_enc_complete
    739 **
    740 ** Description      This function is the callback functions for HCI_Rand command
    741 **                  and HCI_Encrypt command is completed.
    742 **                  This message is received from the HCI.
    743 **
    744 ** Returns          void
    745 **
    746 *******************************************************************************/
    747 void btm_ble_rand_enc_complete (UINT8 *p, UINT16 op_code, tBTM_RAND_ENC_CB *p_enc_cplt_cback)
    748 {
    749     tBTM_RAND_ENC   params;
    750     UINT8           *p_dest = params.param_buf;
    751 
    752     BTM_TRACE_DEBUG ("btm_ble_rand_enc_complete");
    753 
    754     memset(&params, 0, sizeof(tBTM_RAND_ENC));
    755 
    756     /* If there was a callback address for vcs complete, call it */
    757     if (p_enc_cplt_cback && p)
    758     {
    759         /* Pass paramters to the callback function */
    760         STREAM_TO_UINT8(params.status, p); /* command status */
    761 
    762         if (params.status == HCI_SUCCESS)
    763         {
    764             params.opcode = op_code;
    765 
    766             if (op_code == HCI_BLE_RAND)
    767                 params.param_len = BT_OCTET8_LEN;
    768             else
    769                 params.param_len = BT_OCTET16_LEN;
    770 
    771             memcpy(p_dest, p, params.param_len);  /* Fetch return info from HCI event message */
    772         }
    773         if (p_enc_cplt_cback)
    774             (*p_enc_cplt_cback)(&params);  /* Call the Encryption complete callback function */
    775     }
    776 }
    777 
    778 
    779     #if (SMP_INCLUDED == TRUE)
    780 
    781 /*******************************************************************************
    782 **
    783 ** Function         btm_ble_get_enc_key_type
    784 **
    785 ** Description      This function is to increment local sign counter
    786 ** Returns         None
    787 **
    788 *******************************************************************************/
    789 void btm_ble_increment_sign_ctr(BD_ADDR bd_addr, BOOLEAN is_local )
    790 {
    791     tBTM_SEC_DEV_REC *p_dev_rec;
    792 
    793     BTM_TRACE_DEBUG ("btm_ble_increment_sign_ctr is_local=%d", is_local);
    794 
    795     if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
    796     {
    797         if (is_local)
    798             p_dev_rec->ble.keys.local_counter++;
    799         else
    800             p_dev_rec->ble.keys.counter++;
    801         BTM_TRACE_DEBUG ("is_local=%d local sign counter=%d peer sign counter=%d",
    802                           is_local,
    803                           p_dev_rec->ble.keys.local_counter,
    804                           p_dev_rec->ble.keys.counter);
    805     }
    806 }
    807 
    808 /*******************************************************************************
    809 **
    810 ** Function         btm_ble_get_enc_key_type
    811 **
    812 ** Description      This function is to get the BLE key type that has been exchanged
    813 **                  in betweem local device and peer device.
    814 **
    815 ** Returns          p_key_type: output parameter to carry the key type value.
    816 **
    817 *******************************************************************************/
    818 BOOLEAN btm_ble_get_enc_key_type(BD_ADDR bd_addr, UINT8 *p_key_types)
    819 {
    820     tBTM_SEC_DEV_REC *p_dev_rec;
    821 
    822     BTM_TRACE_DEBUG ("btm_ble_get_enc_key_type");
    823 
    824     if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
    825     {
    826         *p_key_types = p_dev_rec->ble.key_type;
    827         return TRUE;
    828     }
    829     return FALSE;
    830 }
    831 
    832 /*******************************************************************************
    833 **
    834 ** Function         btm_get_local_div
    835 **
    836 ** Description      This function is called to read the local DIV
    837 **
    838 ** Returns          TURE - if a valid DIV is availavle
    839 *******************************************************************************/
    840 BOOLEAN btm_get_local_div (BD_ADDR bd_addr, UINT16 *p_div)
    841 {
    842     tBTM_SEC_DEV_REC   *p_dev_rec;
    843     BOOLEAN            status = FALSE;
    844     BTM_TRACE_DEBUG ("btm_get_local_div");
    845 
    846     BTM_TRACE_DEBUG("bd_addr:%02x-%02x-%02x-%02x-%02x-%02x",
    847                      bd_addr[0],bd_addr[1],
    848                      bd_addr[2],bd_addr[3],
    849                      bd_addr[4],bd_addr[5]);
    850 
    851     *p_div = 0;
    852     p_dev_rec = btm_find_dev (bd_addr);
    853 
    854     if (p_dev_rec && p_dev_rec->ble.keys.div)
    855     {
    856         status = TRUE;
    857         *p_div = p_dev_rec->ble.keys.div;
    858     }
    859     BTM_TRACE_DEBUG ("btm_get_local_div status=%d (1-OK) DIV=0x%x", status, *p_div);
    860     return status;
    861 }
    862 
    863 /*******************************************************************************
    864 **
    865 ** Function         btm_sec_save_le_key
    866 **
    867 ** Description      This function is called by the SMP to update
    868 **                  an  BLE key.  SMP is internal, whereas all the keys shall
    869 **                  be sent to the application.  The function is also called
    870 **                  when application passes ble key stored in NVRAM to the btm_sec.
    871 **                  pass_to_application parameter is false in this case.
    872 **
    873 ** Returns          void
    874 **
    875 *******************************************************************************/
    876 void btm_sec_save_le_key(BD_ADDR bd_addr, tBTM_LE_KEY_TYPE key_type, tBTM_LE_KEY_VALUE *p_keys,
    877                          BOOLEAN pass_to_application)
    878 {
    879     tBTM_SEC_DEV_REC *p_rec;
    880     tBTM_LE_EVT_DATA    cb_data;
    881     UINT8 i;
    882 
    883     BTM_TRACE_DEBUG ("btm_sec_save_le_key key_type=0x%x pass_to_application=%d",key_type, pass_to_application);
    884     /* Store the updated key in the device database */
    885 
    886     BTM_TRACE_DEBUG("bd_addr:%02x-%02x-%02x-%02x-%02x-%02x",
    887                      bd_addr[0],bd_addr[1],
    888                      bd_addr[2],bd_addr[3],
    889                      bd_addr[4],bd_addr[5]);
    890 
    891     if ((p_rec = btm_find_dev (bd_addr)) != NULL && p_keys)
    892     {
    893         switch (key_type)
    894         {
    895             case BTM_LE_KEY_PENC:
    896                 memcpy(p_rec->ble.keys.ltk, p_keys->penc_key.ltk, BT_OCTET16_LEN);
    897                 memcpy(p_rec->ble.keys.rand, p_keys->penc_key.rand, BT_OCTET8_LEN);
    898                 p_rec->ble.keys.sec_level = p_keys->penc_key.sec_level;
    899                 p_rec->ble.keys.ediv = p_keys->penc_key.ediv;
    900                 p_rec->ble.keys.key_size = p_keys->penc_key.key_size;
    901                 p_rec->ble.key_type |= BTM_LE_KEY_PENC;
    902                 p_rec->sec_flags |= BTM_SEC_LE_LINK_KEY_KNOWN;
    903                 if (p_keys->penc_key.sec_level == SMP_SEC_AUTHENTICATED)
    904                     p_rec->sec_flags |= BTM_SEC_LE_LINK_KEY_AUTHED;
    905                 else
    906                     p_rec->sec_flags &= ~BTM_SEC_LE_LINK_KEY_AUTHED;
    907                 BTM_TRACE_DEBUG("BTM_LE_KEY_PENC key_type=0x%x sec_flags=0x%x sec_leve=0x%x",
    908                                  p_rec->ble.key_type,
    909                                  p_rec->sec_flags,
    910                                  p_rec->ble.keys.sec_level);
    911                 break;
    912 
    913             case BTM_LE_KEY_PID:
    914                 for (i=0; i<BT_OCTET16_LEN; i++)
    915                 {
    916                     p_rec->ble.keys.irk[i] = p_keys->pid_key.irk[i];
    917                 }
    918 
    919                  //memcpy( p_rec->ble.keys.irk, p_keys->pid_key, BT_OCTET16_LEN); todo will crash the system
    920                 memcpy(p_rec->ble.static_addr, p_keys->pid_key.static_addr, BD_ADDR_LEN);
    921                 p_rec->ble.static_addr_type = p_keys->pid_key.addr_type;
    922                 p_rec->ble.key_type |= BTM_LE_KEY_PID;
    923                 BTM_TRACE_DEBUG("BTM_LE_KEY_PID key_type=0x%x save peer IRK",  p_rec->ble.key_type);
    924                 break;
    925 
    926             case BTM_LE_KEY_PCSRK:
    927                 memcpy(p_rec->ble.keys.csrk, p_keys->pcsrk_key.csrk, BT_OCTET16_LEN);
    928                 p_rec->ble.keys.srk_sec_level = p_keys->pcsrk_key.sec_level;
    929                 p_rec->ble.keys.counter  = p_keys->pcsrk_key.counter;
    930                 p_rec->ble.key_type |= BTM_LE_KEY_PCSRK;
    931                 p_rec->sec_flags |=  BTM_SEC_LE_LINK_KEY_KNOWN;
    932                 if ( p_keys->pcsrk_key.sec_level== SMP_SEC_AUTHENTICATED)
    933                     p_rec->sec_flags |= BTM_SEC_LE_LINK_KEY_AUTHED;
    934                 else
    935                     p_rec->sec_flags &= ~BTM_SEC_LE_LINK_KEY_AUTHED;
    936 
    937                 BTM_TRACE_DEBUG("BTM_LE_KEY_PCSRK key_type=0x%x sec_flags=0x%x sec_level=0x%x peer_counter=%d",
    938                                  p_rec->ble.key_type,
    939                                  p_rec->sec_flags,
    940                                  p_rec->ble.keys.srk_sec_level,
    941                                  p_rec->ble.keys.counter );
    942                 break;
    943 
    944             case BTM_LE_KEY_LENC:
    945                 p_rec->ble.keys.div = p_keys->lenc_key.div; /* update DIV */
    946                 p_rec->ble.keys.sec_level = p_keys->lenc_key.sec_level;
    947                 p_rec->ble.keys.key_size = p_keys->lenc_key.key_size;
    948                 p_rec->ble.key_type |= BTM_LE_KEY_LENC;
    949 
    950                 BTM_TRACE_DEBUG("BTM_LE_KEY_LENC key_type=0x%x DIV=0x%x key_size=0x%x sec_level=0x%x",
    951                                  p_rec->ble.key_type,
    952                                  p_rec->ble.keys.div,
    953                                  p_rec->ble.keys.key_size,
    954                                  p_rec->ble.keys.sec_level );
    955                 break;
    956 
    957             case BTM_LE_KEY_LCSRK:/* local CSRK has been delivered */
    958                 p_rec->ble.keys.div = p_keys->lcsrk_key.div; /* update DIV */
    959                 p_rec->ble.keys.local_csrk_sec_level = p_keys->lcsrk_key.sec_level;
    960                 p_rec->ble.keys.local_counter  = p_keys->lcsrk_key.counter;
    961                 p_rec->ble.key_type |= BTM_LE_KEY_LCSRK;
    962                 BTM_TRACE_DEBUG("BTM_LE_KEY_LCSRK key_type=0x%x DIV=0x%x scrk_sec_level=0x%x local_counter=%d",
    963                                  p_rec->ble.key_type,
    964                                  p_rec->ble.keys.div,
    965                                  p_rec->ble.keys.local_csrk_sec_level,
    966                                  p_rec->ble.keys.local_counter );
    967                 break;
    968 
    969             default:
    970                 BTM_TRACE_WARNING("btm_sec_save_le_key (Bad key_type 0x%02x)", key_type);
    971                 return;
    972         }
    973 
    974         BTM_TRACE_DEBUG ("BLE key type 0x%02x updated for BDA: %08x%04x (btm_sec_save_le_key)", key_type,
    975                           (bd_addr[0]<<24)+(bd_addr[1]<<16)+(bd_addr[2]<<8)+bd_addr[3],
    976                           (bd_addr[4]<<8)+bd_addr[5]);
    977 
    978         /* Notify the application that one of the BLE keys has been updated
    979            If link key is in progress, it will get sent later.*/
    980         if (pass_to_application && btm_cb.api.p_le_callback)
    981         {
    982             cb_data.key.p_key_value = p_keys;
    983             cb_data.key.key_type = key_type;
    984             (*btm_cb.api.p_le_callback) (BTM_LE_KEY_EVT, bd_addr, &cb_data);
    985         }
    986         return;
    987     }
    988 
    989     BTM_TRACE_WARNING ("BLE key type 0x%02x called for Unknown BDA or type: %08x%04x !! (btm_sec_save_le_key)", key_type,
    990                         (bd_addr[0]<<24)+(bd_addr[1]<<16)+(bd_addr[2]<<8)+bd_addr[3],
    991                         (bd_addr[4]<<8)+bd_addr[5]);
    992 
    993     if (p_rec)
    994     {
    995         BTM_TRACE_DEBUG ("sec_flags=0x%x", p_rec->sec_flags);
    996     }
    997 }
    998 
    999 /*******************************************************************************
   1000 **
   1001 ** Function         btm_ble_update_sec_key_size
   1002 **
   1003 ** Description      update the current lin kencryption key size
   1004 **
   1005 ** Returns          void
   1006 **
   1007 *******************************************************************************/
   1008 void btm_ble_update_sec_key_size(BD_ADDR bd_addr, UINT8 enc_key_size)
   1009 {
   1010     tBTM_SEC_DEV_REC *p_rec;
   1011 
   1012     BTM_TRACE_DEBUG("btm_ble_update_sec_key_size enc_key_size = %d", enc_key_size);
   1013 
   1014     if ((p_rec = btm_find_dev (bd_addr)) != NULL )
   1015     {
   1016         p_rec->enc_key_size = enc_key_size;
   1017     }
   1018 }
   1019 
   1020 /*******************************************************************************
   1021 **
   1022 ** Function         btm_ble_read_sec_key_size
   1023 **
   1024 ** Description      update the current lin kencryption key size
   1025 **
   1026 ** Returns          void
   1027 **
   1028 *******************************************************************************/
   1029 UINT8 btm_ble_read_sec_key_size(BD_ADDR bd_addr)
   1030 {
   1031     tBTM_SEC_DEV_REC *p_rec;
   1032 
   1033     if ((p_rec = btm_find_dev (bd_addr)) != NULL )
   1034     {
   1035         return p_rec->enc_key_size;
   1036     }
   1037     else
   1038         return 0;
   1039 }
   1040 
   1041 /*******************************************************************************
   1042 **
   1043 ** Function         btm_ble_link_sec_check
   1044 **
   1045 ** Description      Check BLE link security level match.
   1046 **
   1047 ** Returns          TRUE: check is OK and the *p_sec_req_act contain the action
   1048 **
   1049 *******************************************************************************/
   1050 void btm_ble_link_sec_check(BD_ADDR bd_addr, tBTM_LE_AUTH_REQ auth_req, tBTM_BLE_SEC_REQ_ACT *p_sec_req_act)
   1051 {
   1052     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr);
   1053     UINT8 req_sec_level = BTM_LE_SEC_NONE, cur_sec_level = BTM_LE_SEC_NONE;
   1054 
   1055     BTM_TRACE_DEBUG ("btm_ble_link_sec_check auth_req =0x%x", auth_req);
   1056 
   1057     if (p_dev_rec == NULL)
   1058     {
   1059         BTM_TRACE_ERROR ("btm_ble_link_sec_check received for unknown device");
   1060         return;
   1061     }
   1062 
   1063     if (p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING ||
   1064         p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING)
   1065     {
   1066         /* race condition: discard the security request while master is encrypting the link */
   1067         *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_DISCARD;
   1068     }
   1069     else
   1070     {
   1071         req_sec_level = BTM_LE_SEC_UNAUTHENTICATE;
   1072         if ((auth_req == (BTM_LE_AUTH_REQ_BOND|BTM_LE_AUTH_REQ_MITM)) ||
   1073             (auth_req == (BTM_LE_AUTH_REQ_MITM)) )
   1074         {
   1075             req_sec_level = BTM_LE_SEC_AUTHENTICATED;
   1076         }
   1077 
   1078         BTM_TRACE_DEBUG ("dev_rec sec_flags=0x%x", p_dev_rec->sec_flags);
   1079 
   1080         /* currently encrpted  */
   1081         if (p_dev_rec->sec_flags & BTM_SEC_LE_ENCRYPTED)
   1082         {
   1083             if (p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_AUTHED)
   1084                 cur_sec_level = BTM_LE_SEC_AUTHENTICATED;
   1085             else
   1086                 cur_sec_level = BTM_LE_SEC_UNAUTHENTICATE;
   1087         }
   1088         else /* unencrypted link */
   1089         {
   1090             /* if bonded, get the key security level */
   1091             if (p_dev_rec->ble.key_type & BTM_LE_KEY_PENC)
   1092                 cur_sec_level = p_dev_rec->ble.keys.sec_level;
   1093             else
   1094                 cur_sec_level = BTM_LE_SEC_NONE;
   1095         }
   1096 
   1097         if (cur_sec_level >= req_sec_level)
   1098         {
   1099             if (cur_sec_level == BTM_LE_SEC_NONE)
   1100             {
   1101                 *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_NONE;
   1102             }
   1103             else
   1104             {
   1105                 /* To avoid re-encryption on an encrypted link for an equal condition encryption */
   1106                 /* if link has been encrypted, do nothing, go straight to furhter action
   1107                 if (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)
   1108                     *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_DISCARD;
   1109                 else
   1110                 */
   1111                 *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_ENCRYPT;
   1112             }
   1113         }
   1114         else
   1115         {
   1116             *p_sec_req_act =  BTM_BLE_SEC_REQ_ACT_PAIR; /* start the pariring process to upgrade the keys*/
   1117         }
   1118     }
   1119 
   1120     BTM_TRACE_DEBUG("cur_sec_level=%d req_sec_level=%d sec_req_act=%d",
   1121                      cur_sec_level,
   1122                      req_sec_level,
   1123                      *p_sec_req_act);
   1124 
   1125 }
   1126 
   1127 /*******************************************************************************
   1128 **
   1129 ** Function         btm_ble_set_encryption
   1130 **
   1131 ** Description      This function is called to ensure that LE connection is
   1132 **                  encrypted.  Should be called only on an open connection.
   1133 **                  Typically only needed for connections that first want to
   1134 **                  bring up unencrypted links, then later encrypt them.
   1135 **
   1136 ** Returns          void
   1137 **                  the local device ER is copied into er
   1138 **
   1139 *******************************************************************************/
   1140 tBTM_STATUS btm_ble_set_encryption (BD_ADDR bd_addr, void *p_ref_data, UINT8 link_role)
   1141 {
   1142     tBTM_STATUS         cmd = BTM_NO_RESOURCES;
   1143     tBTM_BLE_SEC_ACT    sec_act = *(tBTM_BLE_SEC_ACT *)p_ref_data ;
   1144     tBTM_SEC_DEV_REC    *p_rec = btm_find_dev (bd_addr);
   1145 
   1146     if (p_rec == NULL)
   1147     {
   1148         BTM_TRACE_WARNING ("btm_ble_set_encryption (NULL device record!! sec_act=0x%x", sec_act);
   1149         return(BTM_WRONG_MODE);
   1150     }
   1151 
   1152     BTM_TRACE_DEBUG ("btm_ble_set_encryption sec_act=0x%x role_master=%d", sec_act, p_rec->role_master);
   1153 
   1154     if (sec_act == BTM_BLE_SEC_ENCRYPT_MITM)
   1155     {
   1156         p_rec->security_required |= BTM_SEC_IN_MITM;
   1157     }
   1158 
   1159     switch (sec_act)
   1160     {
   1161         case BTM_BLE_SEC_ENCRYPT:
   1162             if (link_role == BTM_ROLE_MASTER)
   1163             {
   1164                 if(p_rec->sec_state == BTM_SEC_STATE_ENCRYPTING) {
   1165                     BTM_TRACE_DEBUG ("State is already encrypting::");
   1166                     cmd = BTM_CMD_STARTED;
   1167                 }
   1168                 else {
   1169                     /* start link layer encryption using the security info stored */
   1170                     if (btm_ble_start_encrypt(bd_addr, FALSE, NULL))
   1171                     {
   1172                         p_rec->sec_state = BTM_SEC_STATE_ENCRYPTING;
   1173                         cmd = BTM_CMD_STARTED;
   1174                     }
   1175                 }
   1176                 break;
   1177             }
   1178             /* if salve role then fall through to call SMP_Pair below which will send a
   1179                sec_request to request the master to encrypt the link */
   1180         case BTM_BLE_SEC_ENCRYPT_NO_MITM:
   1181         case BTM_BLE_SEC_ENCRYPT_MITM:
   1182 
   1183             if (SMP_Pair(bd_addr) == SMP_STARTED)
   1184             {
   1185                 cmd = BTM_CMD_STARTED;
   1186                 p_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING;
   1187             }
   1188             break;
   1189 
   1190         default:
   1191             cmd = BTM_WRONG_MODE;
   1192             break;
   1193     }
   1194     return cmd;
   1195 }
   1196 
   1197 /*******************************************************************************
   1198 **
   1199 ** Function         btm_ble_ltk_request
   1200 **
   1201 ** Description      This function is called when encryption request is received
   1202 **                  on a slave device.
   1203 **
   1204 **
   1205 ** Returns          void
   1206 **
   1207 *******************************************************************************/
   1208 void btm_ble_ltk_request(UINT16 handle, UINT8 rand[8], UINT16 ediv)
   1209 {
   1210     tBTM_CB *p_cb = &btm_cb;
   1211     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle);
   1212     BT_OCTET8 dummy_stk = {0};
   1213 
   1214     BTM_TRACE_DEBUG ("btm_ble_ltk_request");
   1215 
   1216     p_cb->ediv = ediv;
   1217 
   1218     memcpy(p_cb->enc_rand, rand, BT_OCTET8_LEN);
   1219 
   1220     if (p_dev_rec != NULL)
   1221     {
   1222         if (!smp_proc_ltk_request(p_dev_rec->bd_addr))
   1223             btm_ble_ltk_request_reply(p_dev_rec->bd_addr, FALSE, dummy_stk);
   1224     }
   1225 
   1226 }
   1227 
   1228 /*******************************************************************************
   1229 **
   1230 ** Function         btm_ble_start_encrypt
   1231 **
   1232 ** Description      This function is called to start LE encryption.
   1233 **
   1234 **
   1235 ** Returns          BTM_SUCCESS if encryption was started successfully
   1236 **
   1237 *******************************************************************************/
   1238 tBTM_STATUS btm_ble_start_encrypt(BD_ADDR bda, BOOLEAN use_stk, BT_OCTET16 stk)
   1239 {
   1240     tBTM_CB *p_cb = &btm_cb;
   1241     tBTM_SEC_DEV_REC    *p_rec = btm_find_dev (bda);
   1242     BT_OCTET8    dummy_rand = {0};
   1243     tBTM_STATUS  rt = BTM_NO_RESOURCES;
   1244 
   1245     BTM_TRACE_DEBUG ("btm_ble_start_encrypt");
   1246 
   1247     if (!p_rec )
   1248     {
   1249         BTM_TRACE_ERROR("Link is not active, can not encrypt!");
   1250         return BTM_WRONG_MODE;
   1251     }
   1252 
   1253     if (p_rec->sec_state == BTM_SEC_STATE_ENCRYPTING)
   1254     {
   1255         BTM_TRACE_WARNING("Link Encryption is active, Busy!");
   1256         return BTM_BUSY;
   1257     }
   1258 
   1259     p_cb->enc_handle = p_rec->ble_hci_handle;
   1260 
   1261     if (use_stk)
   1262     {
   1263         if (btsnd_hcic_ble_start_enc(p_rec->ble_hci_handle, dummy_rand, 0, stk))
   1264             rt = BTM_CMD_STARTED;
   1265     }
   1266     else if (p_rec->ble.key_type & BTM_LE_KEY_PENC)
   1267     {
   1268         if (btsnd_hcic_ble_start_enc(p_rec->ble_hci_handle, p_rec->ble.keys.rand,
   1269                                       p_rec->ble.keys.ediv, p_rec->ble.keys.ltk))
   1270             rt = BTM_CMD_STARTED;
   1271     }
   1272     else
   1273     {
   1274         BTM_TRACE_ERROR("No key available to encrypt the link");
   1275     }
   1276     if (rt == BTM_CMD_STARTED)
   1277     {
   1278         if (p_rec->sec_state == BTM_SEC_STATE_IDLE)
   1279             p_rec->sec_state = BTM_SEC_STATE_ENCRYPTING;
   1280     }
   1281 
   1282     return rt;
   1283 }
   1284 
   1285 /*******************************************************************************
   1286 **
   1287 ** Function         btm_ble_link_encrypted
   1288 **
   1289 ** Description      This function is called when LE link encrption status is changed.
   1290 **
   1291 ** Returns          void
   1292 **
   1293 *******************************************************************************/
   1294 void btm_ble_link_encrypted(BD_ADDR bd_addr, UINT8 encr_enable)
   1295 {
   1296     tBTM_SEC_DEV_REC    *p_dev_rec = btm_find_dev (bd_addr);
   1297     BOOLEAN             enc_cback;
   1298 
   1299     if (!p_dev_rec)
   1300     {
   1301         BTM_TRACE_WARNING ("btm_ble_link_encrypted (No Device Found!) encr_enable=%d", encr_enable);
   1302         return;
   1303     }
   1304 
   1305     BTM_TRACE_DEBUG ("btm_ble_link_encrypted encr_enable=%d", encr_enable);
   1306 
   1307     enc_cback = (p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING);
   1308 
   1309     smp_link_encrypted(bd_addr, encr_enable);
   1310 
   1311     BTM_TRACE_DEBUG(" p_dev_rec->sec_flags=0x%x", p_dev_rec->sec_flags);
   1312 
   1313     if (encr_enable && p_dev_rec->enc_key_size == 0)
   1314         p_dev_rec->enc_key_size = p_dev_rec->ble.keys.key_size;
   1315 
   1316     p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
   1317     if (p_dev_rec->p_callback && enc_cback)
   1318     {
   1319         if (encr_enable)
   1320             btm_sec_dev_rec_cback_event(p_dev_rec, BTM_SUCCESS, TRUE);
   1321         else if (p_dev_rec->role_master)
   1322             btm_sec_dev_rec_cback_event(p_dev_rec, BTM_ERR_PROCESSING, TRUE);
   1323 
   1324     }
   1325     /* to notify GATT to send data if any request is pending */
   1326     gatt_notify_enc_cmpl(p_dev_rec->bd_addr);
   1327 }
   1328 
   1329 /*******************************************************************************
   1330 ** Function         btm_enc_proc_ltk
   1331 ** Description      send LTK reply when it's ready.
   1332 *******************************************************************************/
   1333 static void btm_enc_proc_ltk(tSMP_ENC *p)
   1334 {
   1335     UINT8   i;
   1336     BTM_TRACE_DEBUG ("btm_enc_proc_ltk");
   1337     if (p && p->param_len == BT_OCTET16_LEN)
   1338     {
   1339         for (i = 0; i < (BT_OCTET16_LEN - btm_cb.key_size); i ++)
   1340             p->param_buf[BT_OCTET16_LEN - i - 1] = 0;
   1341         btsnd_hcic_ble_ltk_req_reply(btm_cb.enc_handle, p->param_buf);
   1342     }
   1343 }
   1344 
   1345 /*******************************************************************************
   1346 ** Function         btm_enc_proc_slave_y
   1347 ** Description      calculate LTK when Y is ready
   1348 *******************************************************************************/
   1349 static void btm_enc_proc_slave_y(tSMP_ENC *p)
   1350 {
   1351     UINT16  div, y;
   1352     UINT8   *pp = p->param_buf;
   1353     tBTM_CB *p_cb = &btm_cb;
   1354     tSMP_ENC output;
   1355     tBTM_SEC_DEV_REC *p_dev_rec;
   1356 
   1357     BTM_TRACE_DEBUG ("btm_enc_proc_slave_y");
   1358     if (p != NULL)
   1359     {
   1360         STREAM_TO_UINT16(y, pp);
   1361 
   1362         div = p_cb->ediv ^ y;
   1363         p_dev_rec = btm_find_dev_by_handle (p_cb->enc_handle);
   1364 
   1365         if ( p_dev_rec &&
   1366              p_dev_rec->ble.keys.div == div )
   1367         {
   1368             BTM_TRACE_DEBUG ("LTK request OK");
   1369             /* calculating LTK , LTK = E er(div) */
   1370             SMP_Encrypt(p_cb->devcb.er, BT_OCTET16_LEN, (UINT8 *)&div, 2, &output);
   1371             btm_enc_proc_ltk(&output);
   1372         }
   1373         else
   1374         {
   1375             BTM_TRACE_DEBUG ("LTK request failed - send negative reply");
   1376             btsnd_hcic_ble_ltk_req_neg_reply(p_cb->enc_handle);
   1377             if (p_dev_rec)
   1378                 btm_ble_link_encrypted(p_dev_rec->bd_addr, 0);
   1379 
   1380         }
   1381     }
   1382 }
   1383 
   1384 /*******************************************************************************
   1385 **
   1386 ** Function         btm_ble_ltk_request_reply
   1387 **
   1388 ** Description      This function is called to send a LTK request reply on a slave
   1389 **                  device.
   1390 **
   1391 ** Returns          void
   1392 **
   1393 *******************************************************************************/
   1394 void btm_ble_ltk_request_reply(BD_ADDR bda,  BOOLEAN use_stk, BT_OCTET16 stk)
   1395 {
   1396     tBTM_SEC_DEV_REC    *p_rec = btm_find_dev (bda);
   1397     tBTM_CB *p_cb = &btm_cb;
   1398     tSMP_ENC output;
   1399 
   1400     if (p_rec == NULL)
   1401     {
   1402         BTM_TRACE_ERROR("btm_ble_ltk_request_reply received for unknown device");
   1403         return;
   1404     }
   1405 
   1406     BTM_TRACE_DEBUG ("btm_ble_ltk_request_reply");
   1407     p_cb->enc_handle = p_rec->ble_hci_handle;
   1408     p_cb->key_size = p_rec->ble.keys.key_size;
   1409 
   1410     BTM_TRACE_ERROR("key size = %d", p_rec->ble.keys.key_size);
   1411     if (use_stk)
   1412     {
   1413         btsnd_hcic_ble_ltk_req_reply(btm_cb.enc_handle, stk);
   1414     }
   1415     else /* calculate LTK using peer device  */
   1416     {
   1417         /* generate Y= Encrypt(DHK, Rand) received from encrypt request  */
   1418         SMP_Encrypt(p_cb->devcb.id_keys.dhk, BT_OCTET16_LEN, p_cb->enc_rand,
   1419                     BT_OCTET8_LEN, &output);
   1420         btm_enc_proc_slave_y(&output);
   1421     }
   1422 }
   1423 
   1424 /*******************************************************************************
   1425 **
   1426 ** Function         btm_ble_io_capabilities_req
   1427 **
   1428 ** Description      This function is called to handle SMP get IO capability request.
   1429 **
   1430 ** Returns          void
   1431 **
   1432 *******************************************************************************/
   1433 UINT8 btm_ble_io_capabilities_req(tBTM_SEC_DEV_REC *p_dev_rec, tBTM_LE_IO_REQ *p_data)
   1434 {
   1435     UINT8           callback_rc = BTM_SUCCESS;
   1436     BTM_TRACE_DEBUG ("btm_ble_io_capabilities_req");
   1437     if (btm_cb.api.p_le_callback)
   1438     {
   1439         /* the callback function implementation may change the IO capability... */
   1440         callback_rc = (*btm_cb.api.p_le_callback) (BTM_LE_IO_REQ_EVT, p_dev_rec->bd_addr, (tBTM_LE_EVT_DATA *)p_data);
   1441     }
   1442 #if BTM_OOB_INCLUDED == TRUE
   1443     if ((callback_rc == BTM_SUCCESS) || (BTM_OOB_UNKNOWN != p_data->oob_data))
   1444 #else
   1445     if (callback_rc == BTM_SUCCESS)
   1446 #endif
   1447     {
   1448 #if BTM_BLE_CONFORMANCE_TESTING == TRUE
   1449         if (btm_cb.devcb.keep_rfu_in_auth_req)
   1450         {
   1451             BTM_TRACE_DEBUG ("btm_ble_io_capabilities_req keep_rfu_in_auth_req = %u",
   1452                 btm_cb.devcb.keep_rfu_in_auth_req);
   1453             p_data->auth_req &= BTM_LE_AUTH_REQ_MASK_KEEP_RFU;
   1454             btm_cb.devcb.keep_rfu_in_auth_req = FALSE;
   1455         }
   1456         else
   1457         {   /* default */
   1458             p_data->auth_req &= BTM_LE_AUTH_REQ_MASK;
   1459         }
   1460 #else
   1461         p_data->auth_req &= BTM_LE_AUTH_REQ_MASK;
   1462 #endif
   1463 
   1464         BTM_TRACE_DEBUG ("btm_ble_io_capabilities_req 1: p_dev_rec->security_required = %d auth_req:%d",
   1465                           p_dev_rec->security_required, p_data->auth_req);
   1466         BTM_TRACE_DEBUG ("btm_ble_io_capabilities_req 2: i_keys=0x%x r_keys=0x%x (bit 0-LTK 1-IRK 2-CSRK)",
   1467                           p_data->init_keys,
   1468                           p_data->resp_keys);
   1469 
   1470         /* if authentication requires MITM protection, put on the mask */
   1471         if (p_dev_rec->security_required & BTM_SEC_IN_MITM)
   1472             p_data->auth_req |= BTM_LE_AUTH_REQ_MITM;
   1473 
   1474         if (!(p_data->auth_req & SMP_AUTH_BOND))
   1475         {
   1476             BTM_TRACE_DEBUG("Non bonding: No keys should be exchanged");
   1477             p_data->init_keys = 0;
   1478             p_data->resp_keys = 0;
   1479         }
   1480 
   1481         BTM_TRACE_DEBUG ("btm_ble_io_capabilities_req 3: auth_req:%d", p_data->auth_req);
   1482         BTM_TRACE_DEBUG ("btm_ble_io_capabilities_req 4: i_keys=0x%x r_keys=0x%x",
   1483                           p_data->init_keys,
   1484                           p_data->resp_keys);
   1485 
   1486         BTM_TRACE_DEBUG ("btm_ble_io_capabilities_req 5: p_data->io_cap = %d auth_req:%d",
   1487                           p_data->io_cap, p_data->auth_req);
   1488 
   1489         /* remove MITM protection requirement if IO cap does not allow it */
   1490         if ((p_data->io_cap == BTM_IO_CAP_NONE) && p_data->oob_data == SMP_OOB_NONE)
   1491             p_data->auth_req &= ~BTM_LE_AUTH_REQ_MITM;
   1492 
   1493         BTM_TRACE_DEBUG ("btm_ble_io_capabilities_req 6: IO_CAP:%d oob_data:%d auth_req:%d",
   1494                           p_data->io_cap, p_data->oob_data, p_data->auth_req);
   1495     }
   1496     return callback_rc;
   1497 }
   1498 
   1499 #if (BLE_PRIVACY_SPT == TRUE )
   1500 /*******************************************************************************
   1501 **
   1502 ** Function         btm_ble_resolve_random_addr_on_conn_cmpl
   1503 **
   1504 ** Description      resolve random address complete on connection complete event.
   1505 **
   1506 ** Returns          void
   1507 **
   1508 *******************************************************************************/
   1509 static void btm_ble_resolve_random_addr_on_conn_cmpl(void * p_rec, void *p_data)
   1510 {
   1511     UINT8   *p = (UINT8 *)p_data;
   1512     tBTM_SEC_DEV_REC    *match_rec = (tBTM_SEC_DEV_REC *) p_rec;
   1513     UINT8       role, status, bda_type;
   1514     UINT16      handle;
   1515     BD_ADDR     bda;
   1516     UINT16      conn_interval, conn_latency, conn_timeout;
   1517     BOOLEAN     match = FALSE;
   1518 
   1519     STREAM_TO_UINT8   (status, p);
   1520     STREAM_TO_UINT16   (handle, p);
   1521     STREAM_TO_UINT8    (role, p);
   1522     STREAM_TO_UINT8    (bda_type, p);
   1523     STREAM_TO_BDADDR   (bda, p);
   1524     STREAM_TO_UINT16   (conn_interval, p);
   1525     STREAM_TO_UINT16   (conn_latency, p);
   1526     STREAM_TO_UINT16   (conn_timeout, p);
   1527 
   1528     handle = HCID_GET_HANDLE (handle);
   1529 
   1530     BTM_TRACE_EVENT ("btm_ble_resolve_random_addr_master_cmpl");
   1531 
   1532     if (match_rec)
   1533     {
   1534         BTM_TRACE_ERROR("Random match");
   1535         match = TRUE;
   1536         match_rec->ble.active_addr_type = BTM_BLE_ADDR_RRA;
   1537         memcpy(match_rec->ble.cur_rand_addr, bda, BD_ADDR_LEN);
   1538         memcpy(bda, match_rec->bd_addr, BD_ADDR_LEN);
   1539     }
   1540     else
   1541     {
   1542         BTM_TRACE_ERROR("Random unmatch");
   1543     }
   1544 
   1545     btm_ble_connected(bda, handle, HCI_ENCRYPT_MODE_DISABLED, role, bda_type, match);
   1546 
   1547     l2cble_conn_comp (handle, role, bda, bda_type, conn_interval,
   1548                       conn_latency, conn_timeout);
   1549 
   1550     return;
   1551 }
   1552 #endif
   1553 
   1554 /*******************************************************************************
   1555 **
   1556 ** Function         btm_ble_connected
   1557 **
   1558 ** Description      This function is when a LE connection to the peer device is
   1559 **                  establsihed
   1560 **
   1561 ** Returns          void
   1562 **
   1563 *******************************************************************************/
   1564 void btm_ble_connected (UINT8 *bda, UINT16 handle, UINT8 enc_mode, UINT8 role,
   1565                         tBLE_ADDR_TYPE addr_type, BOOLEAN addr_matched)
   1566 {
   1567     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bda);
   1568     tBTM_BLE_CB *p_cb = &btm_cb.ble_ctr_cb;
   1569     UNUSED(addr_matched);
   1570 
   1571     BTM_TRACE_EVENT ("btm_ble_connected");
   1572 
   1573     /* Commenting out trace due to obf/compilation problems.
   1574     */
   1575 #if (BT_USE_TRACES == TRUE)
   1576     if (p_dev_rec)
   1577     {
   1578         BTM_TRACE_EVENT ("Security Manager: btm_ble_connected :  handle:%d  enc_mode:%d  bda:%x RName:%s",
   1579                           handle,  enc_mode,
   1580                           (bda[2]<<24)+(bda[3]<<16)+(bda[4]<<8)+bda[5],
   1581                           p_dev_rec->sec_bd_name);
   1582 
   1583         BTM_TRACE_DEBUG ("btm_ble_connected sec_flags=0x%x",p_dev_rec->sec_flags);
   1584     }
   1585     else
   1586     {
   1587         BTM_TRACE_EVENT ("Security Manager: btm_ble_connected:   handle:%d  enc_mode:%d  bda:%x ",
   1588                           handle,  enc_mode,
   1589                           (bda[2]<<24)+(bda[3]<<16)+(bda[4]<<8)+bda[5]);
   1590     }
   1591 #endif
   1592 
   1593     if (!p_dev_rec)
   1594     {
   1595         /* There is no device record for new connection.  Allocate one */
   1596         p_dev_rec = btm_sec_alloc_dev (bda);
   1597     }
   1598     else    /* Update the timestamp for this device */
   1599     {
   1600         p_dev_rec->timestamp = btm_cb.dev_rec_count++;
   1601     }
   1602 
   1603     /* update device information */
   1604     p_dev_rec->device_type |= BT_DEVICE_TYPE_BLE;
   1605     p_dev_rec->ble_hci_handle = handle;
   1606     p_dev_rec->ble.ble_addr_type = addr_type;
   1607 
   1608     p_dev_rec->role_master = FALSE;
   1609     if (role == HCI_ROLE_MASTER)
   1610         p_dev_rec->role_master = TRUE;
   1611 
   1612 #if (defined BLE_PRIVACY_SPT && BLE_PRIVACY_SPT == TRUE)
   1613     if (!addr_matched)
   1614         p_dev_rec->ble.active_addr_type = BTM_BLE_ADDR_PSEUDO;
   1615 
   1616     if (p_dev_rec->ble.ble_addr_type == BLE_ADDR_RANDOM && !addr_matched)
   1617         memcpy(p_dev_rec->ble.cur_rand_addr, bda, BD_ADDR_LEN);
   1618 #endif
   1619 
   1620     if (role == HCI_ROLE_SLAVE)
   1621         p_cb->inq_var.adv_mode  = BTM_BLE_ADV_DISABLE;
   1622     p_cb->inq_var.directed_conn = FALSE;
   1623 
   1624     return;
   1625 }
   1626 
   1627 /*****************************************************************************
   1628 **  Function        btm_ble_conn_complete
   1629 **
   1630 **  Description     LE connection complete.
   1631 **
   1632 ******************************************************************************/
   1633 void btm_ble_conn_complete(UINT8 *p, UINT16 evt_len)
   1634 {
   1635 #if (BLE_PRIVACY_SPT == TRUE )
   1636     UINT8       *p_data = p;
   1637 #endif
   1638     UINT8       role, status, bda_type;
   1639     UINT16      handle;
   1640     BD_ADDR     bda = {0};
   1641     UINT16      conn_interval, conn_latency, conn_timeout;
   1642     BOOLEAN     match = FALSE;
   1643     UNUSED(evt_len);
   1644 
   1645     STREAM_TO_UINT8   (status, p);
   1646     STREAM_TO_UINT16   (handle, p);
   1647     STREAM_TO_UINT8    (role, p);
   1648     STREAM_TO_UINT8    (bda_type, p);
   1649     STREAM_TO_BDADDR   (bda, p);
   1650 
   1651     if (status == 0)
   1652     {
   1653 #if (BLE_PRIVACY_SPT == TRUE )
   1654 
   1655         if (btm_cb.cmn_ble_vsc_cb.rpa_offloading == TRUE)
   1656             match = btm_public_addr_to_random_pseudo (bda, &bda_type);
   1657 
   1658         /* possiblly receive connection complete with resolvable random on
   1659            slave role while the device has been paired */
   1660         if (!match && /*role == HCI_ROLE_SLAVE && */BTM_BLE_IS_RESOLVE_BDA(bda))
   1661         {
   1662             btm_ble_resolve_random_addr(bda, btm_ble_resolve_random_addr_on_conn_cmpl, p_data);
   1663         }
   1664         else
   1665 #endif
   1666         {
   1667             STREAM_TO_UINT16   (conn_interval, p);
   1668             STREAM_TO_UINT16   (conn_latency, p);
   1669             STREAM_TO_UINT16   (conn_timeout, p);
   1670             handle = HCID_GET_HANDLE (handle);
   1671 
   1672             btm_ble_connected(bda, handle, HCI_ENCRYPT_MODE_DISABLED, role, bda_type, match);
   1673             l2cble_conn_comp (handle, role, bda, bda_type, conn_interval,
   1674                               conn_latency, conn_timeout);
   1675         }
   1676     }
   1677     else
   1678     {
   1679         role = HCI_ROLE_UNKNOWN;
   1680 
   1681         if (status != HCI_ERR_DIRECTED_ADVERTISING_TIMEOUT)
   1682         {
   1683             btm_ble_set_conn_st(BLE_CONN_IDLE);
   1684         }
   1685         /* this is to work around broadcom firmware problem to handle
   1686          * unsolicited command complete event for HCI_LE_Create_Connection_Cancel
   1687          * and LE connection complete event with status error code (0x2)
   1688          * unknown connection identifier from bluetooth controller
   1689          * the workaround is to release the HCI connection to avoid out of sync
   1690          * with bluetooth controller, which cause BT can't be turned off.
   1691         */
   1692         else if ((status == HCI_ERR_NO_CONNECTION) &&
   1693                  (btm_ble_get_conn_st() != BLE_CONN_CANCEL))
   1694         {
   1695             tL2C_LCB    *p_lcb;
   1696             handle = HCID_GET_HANDLE (handle);
   1697             p_lcb = l2cu_find_lcb_by_handle (handle);
   1698             if (p_lcb != NULL)
   1699             {
   1700                 l2c_link_hci_disc_comp (handle, HCI_ERR_PEER_USER);
   1701                 btm_sec_disconnected (handle, HCI_ERR_PEER_USER);
   1702             }
   1703         }
   1704     }
   1705     btm_ble_set_conn_st(BLE_CONN_IDLE);
   1706     btm_ble_update_mode_operation(role, bda, status);
   1707 }
   1708 
   1709 /*****************************************************************************
   1710 ** Function btm_ble_create_ll_conn_complete
   1711 **
   1712 ** Description LE connection complete.
   1713 **
   1714 ******************************************************************************/
   1715 void btm_ble_create_ll_conn_complete (UINT8 status)
   1716 {
   1717     if (status != 0)
   1718     {
   1719         btm_ble_set_conn_st(BLE_CONN_IDLE);
   1720         btm_ble_update_mode_operation(HCI_ROLE_UNKNOWN, NULL, status);
   1721     }
   1722 }
   1723 /*****************************************************************************
   1724 **  Function        btm_proc_smp_cback
   1725 **
   1726 **  Description     This function is the SMP callback handler.
   1727 **
   1728 ******************************************************************************/
   1729 UINT8 btm_proc_smp_cback(tSMP_EVT event, BD_ADDR bd_addr, tSMP_EVT_DATA *p_data)
   1730 {
   1731     tBTM_SEC_DEV_REC    *p_dev_rec = btm_find_dev (bd_addr);
   1732     UINT8 res = 0;
   1733 
   1734     BTM_TRACE_DEBUG ("btm_proc_smp_cback event = %d", event);
   1735 
   1736     if (p_dev_rec != NULL)
   1737     {
   1738         switch (event)
   1739         {
   1740             case SMP_IO_CAP_REQ_EVT:
   1741                 btm_ble_io_capabilities_req(p_dev_rec, (tBTM_LE_IO_REQ *)&p_data->io_req);
   1742                 break;
   1743 
   1744             case SMP_PASSKEY_REQ_EVT:
   1745             case SMP_PASSKEY_NOTIF_EVT:
   1746             case SMP_OOB_REQ_EVT:
   1747                 p_dev_rec->sec_flags |= BTM_SEC_LE_AUTHENTICATED;
   1748 
   1749             case SMP_SEC_REQUEST_EVT:
   1750                 memcpy (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN);
   1751                 p_dev_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING;
   1752                 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_LE_ACTIVE;
   1753                 /* fall through */
   1754             case SMP_COMPLT_EVT:
   1755                 if (btm_cb.api.p_le_callback)
   1756                 {
   1757                     /* the callback function implementation may change the IO capability... */
   1758                     BTM_TRACE_DEBUG ("btm_cb.api.p_le_callback=0x%x", btm_cb.api.p_le_callback );
   1759                    (*btm_cb.api.p_le_callback) (event, bd_addr, (tBTM_LE_EVT_DATA *)p_data);
   1760                 }
   1761 
   1762                 if (event == SMP_COMPLT_EVT)
   1763                 {
   1764                     BTM_TRACE_DEBUG ("evt=SMP_COMPLT_EVT before update sec_level=0x%x sec_flags=0x%x", p_data->cmplt.sec_level , p_dev_rec->sec_flags );
   1765 
   1766                     res = (p_data->cmplt.reason == SMP_SUCCESS) ? BTM_SUCCESS : BTM_ERR_PROCESSING;
   1767 
   1768                     BTM_TRACE_DEBUG ("after update result=%d sec_level=0x%x sec_flags=0x%x",
   1769                                       res, p_data->cmplt.sec_level , p_dev_rec->sec_flags );
   1770 
   1771                     btm_sec_dev_rec_cback_event(p_dev_rec, res, TRUE);
   1772 
   1773                     if (p_data->cmplt.is_pair_cancel && btm_cb.api.p_bond_cancel_cmpl_callback )
   1774                     {
   1775                         BTM_TRACE_DEBUG ("Pairing Cancel completed");
   1776                         (*btm_cb.api.p_bond_cancel_cmpl_callback)(BTM_SUCCESS);
   1777                     }
   1778 #if BTM_BLE_CONFORMANCE_TESTING == TRUE
   1779                     if (res != BTM_SUCCESS)
   1780                     {
   1781                         if (!btm_cb.devcb.no_disc_if_pair_fail && p_data->cmplt.reason != SMP_CONN_TOUT)
   1782                         {
   1783                             BTM_TRACE_DEBUG ("Pairing failed - Remove ACL");
   1784                             btm_remove_acl(bd_addr, BT_TRANSPORT_LE);
   1785                         }
   1786                         else
   1787                         {
   1788                             BTM_TRACE_DEBUG ("Pairing failed - Not Removing ACL");
   1789                             p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
   1790                         }
   1791                     }
   1792 #else
   1793                     if (res != BTM_SUCCESS && p_data->cmplt.reason != SMP_CONN_TOUT)
   1794                         btm_remove_acl(bd_addr, BT_TRANSPORT_LE);
   1795 #endif
   1796 
   1797                     BTM_TRACE_DEBUG ("btm_cb pairing_state=%x pairing_flags=%x pin_code_len=%x",
   1798                                       btm_cb.pairing_state,
   1799                                       btm_cb.pairing_flags,
   1800                                       btm_cb.pin_code_len  );
   1801                     BTM_TRACE_DEBUG ("btm_cb.pairing_bda %02x:%02x:%02x:%02x:%02x:%02x",
   1802                                       btm_cb.pairing_bda[0], btm_cb.pairing_bda[1], btm_cb.pairing_bda[2],
   1803                                       btm_cb.pairing_bda[3], btm_cb.pairing_bda[4], btm_cb.pairing_bda[5]);
   1804 
   1805                     memset (btm_cb.pairing_bda, 0xff, BD_ADDR_LEN);
   1806                     btm_cb.pairing_state = BTM_PAIR_STATE_IDLE;
   1807                     btm_cb.pairing_flags = 0;
   1808                 }
   1809                 break;
   1810 
   1811             default:
   1812                 BTM_TRACE_DEBUG ("unknown event = %d", event);
   1813                 break;
   1814 
   1815 
   1816         }
   1817     }
   1818     else
   1819     {
   1820         BTM_TRACE_ERROR("btm_proc_smp_cback received for unknown device");
   1821     }
   1822 
   1823     return 0;
   1824 }
   1825 
   1826     #endif  /* SMP_INCLUDED */
   1827 
   1828 /*******************************************************************************
   1829 **
   1830 ** Function         BTM_BleDataSignature
   1831 **
   1832 ** Description      This function is called to sign the data using AES128 CMAC
   1833 **                  algorith.
   1834 **
   1835 ** Parameter        bd_addr: target device the data to be signed for.
   1836 **                  p_text: singing data
   1837 **                  len: length of the data to be signed.
   1838 **                  signature: output parameter where data signature is going to
   1839 **                             be stored.
   1840 **
   1841 ** Returns          TRUE if signing sucessul, otherwise FALSE.
   1842 **
   1843 *******************************************************************************/
   1844 BOOLEAN BTM_BleDataSignature (BD_ADDR bd_addr, UINT8 *p_text, UINT16 len,
   1845                               BLE_SIGNATURE signature)
   1846 {
   1847     BOOLEAN     ret = FALSE;
   1848 #if SMP_INCLUDED == TRUE
   1849     tBTM_SEC_DEV_REC    *p_rec = btm_find_dev (bd_addr);
   1850     UINT8   *p_buf, *pp;
   1851 
   1852     BT_OCTET16  er;
   1853     UINT16      div;
   1854     UINT8       temp[4]; /* for (r || DIV)  r=1*/
   1855     UINT16      r=1;
   1856     UINT8       *p=temp, *p_mac = (UINT8 *)signature;
   1857     tSMP_ENC    output;
   1858     BT_OCTET16  local_csrk;
   1859 
   1860     BTM_TRACE_DEBUG ("BTM_BleDataSignature");
   1861     if (p_rec == NULL)
   1862     {
   1863         BTM_TRACE_ERROR("data signing can not be done from unknow device");
   1864     }
   1865     else
   1866     {
   1867         if ((p_buf = (UINT8 *)GKI_getbuf((UINT16)(len + 4))) != NULL)
   1868         {
   1869             BTM_TRACE_DEBUG("Start to generate Local CSRK");
   1870             pp = p_buf;
   1871             /* prepare plain text */
   1872             if (p_text)
   1873             {
   1874                 memcpy(p_buf, p_text, len);
   1875                 pp = (p_buf + len);
   1876             }
   1877 
   1878 #if BTM_BLE_CONFORMANCE_TESTING == TRUE
   1879             if ( btm_cb.devcb.enable_test_local_sign_cntr)
   1880             {
   1881                 BTM_TRACE_DEBUG ("Use Test local counter value from script counter_val=%d", btm_cb.devcb.test_local_sign_cntr);
   1882                 UINT32_TO_STREAM(pp, btm_cb.devcb.test_local_sign_cntr);
   1883             }
   1884             else
   1885             {
   1886                 UINT32_TO_STREAM(pp, p_rec->ble.keys.local_counter);
   1887             }
   1888 #else
   1889             UINT32_TO_STREAM(pp, p_rec->ble.keys.local_counter);
   1890 #endif
   1891             /* compute local csrk */
   1892             if (btm_get_local_div(bd_addr, &div))
   1893             {
   1894                 BTM_TRACE_DEBUG ("compute_csrk div=%x", div);
   1895                 BTM_GetDeviceEncRoot(er);
   1896 
   1897                 /* CSRK = d1(ER, DIV, 1) */
   1898                 UINT16_TO_STREAM(p, div);
   1899                 UINT16_TO_STREAM(p, r);
   1900 
   1901                 if (!SMP_Encrypt(er, BT_OCTET16_LEN, temp, 4, &output))
   1902                 {
   1903                     BTM_TRACE_ERROR("Local CSRK generation failed ");
   1904                 }
   1905                 else
   1906                 {
   1907                     BTM_TRACE_DEBUG("local CSRK generation success");
   1908                     memcpy((void *)local_csrk, output.param_buf, BT_OCTET16_LEN);
   1909 
   1910 
   1911 #if BTM_BLE_CONFORMANCE_TESTING == TRUE
   1912                     if (btm_cb.devcb.enable_test_local_sign_cntr)
   1913                     {
   1914                         UINT32_TO_STREAM(p_mac, btm_cb.devcb.test_local_sign_cntr);
   1915                     }
   1916                     else
   1917                     {
   1918                         UINT32_TO_STREAM(p_mac, p_rec->ble.keys.local_counter);
   1919                     }
   1920 #else
   1921                     UINT32_TO_STREAM(p_mac, p_rec->ble.keys.local_counter);
   1922 #endif
   1923 
   1924                     if ((ret = AES_CMAC(local_csrk, p_buf, (UINT16)(len + 4), BTM_CMAC_TLEN_SIZE, p_mac)) == TRUE)
   1925                     {
   1926                         btm_ble_increment_sign_ctr(bd_addr, TRUE);
   1927 
   1928 #if BTM_BLE_CONFORMANCE_TESTING == TRUE
   1929                         if ( btm_cb.devcb.enable_test_mac_val)
   1930                         {
   1931                             BTM_TRACE_DEBUG ("Use MAC value from script");
   1932                             memcpy(p_mac, btm_cb.devcb.test_mac, BTM_CMAC_TLEN_SIZE);
   1933                         }
   1934 #endif
   1935                     }
   1936                     BTM_TRACE_DEBUG("BTM_BleDataSignature p_mac = %d", p_mac);
   1937                     BTM_TRACE_DEBUG("p_mac[0] = 0x%02x p_mac[1] = 0x%02x p_mac[2] = 0x%02x p_mac[3] = 0x%02x",
   1938                                      *p_mac, *(p_mac + 1), *(p_mac + 2), *(p_mac + 3));
   1939                     BTM_TRACE_DEBUG("p_mac[4] = 0x%02x p_mac[5] = 0x%02x p_mac[6] = 0x%02x p_mac[7] = 0x%02x",
   1940                                      *(p_mac + 4), *(p_mac + 5), *(p_mac + 6), *(p_mac + 7));
   1941 
   1942                     GKI_freebuf(p_buf);
   1943                 }
   1944             }
   1945         }
   1946     }
   1947 #endif  /* SMP_INCLUDED */
   1948     return ret;
   1949 }
   1950 
   1951 /*******************************************************************************
   1952 **
   1953 ** Function         BTM_BleVerifySignature
   1954 **
   1955 ** Description      This function is called to verify the data signature
   1956 **
   1957 ** Parameter        bd_addr: target device the data to be signed for.
   1958 **                  p_orig:  original data before signature.
   1959 **                  len: length of the signing data
   1960 **                  counter: counter used when doing data signing
   1961 **                  p_comp: signature to be compared against.
   1962 
   1963 ** Returns          TRUE if signature verified correctly; otherwise FALSE.
   1964 **
   1965 *******************************************************************************/
   1966 BOOLEAN BTM_BleVerifySignature (BD_ADDR bd_addr, UINT8 *p_orig, UINT16 len, UINT32 counter,
   1967                                 UINT8 *p_comp)
   1968 {
   1969     BOOLEAN             verified = FALSE;
   1970 #if SMP_INCLUDED == TRUE
   1971     tBTM_SEC_DEV_REC    *p_rec = btm_find_dev (bd_addr);
   1972     UINT8               p_mac[BTM_CMAC_TLEN_SIZE];
   1973 
   1974     if (p_rec == NULL || (p_rec && !(p_rec->ble.key_type & BTM_LE_KEY_PCSRK)))
   1975     {
   1976         BTM_TRACE_ERROR("can not verify signature for unknown device");
   1977     }
   1978     else if (counter < p_rec->ble.keys.counter)
   1979     {
   1980         BTM_TRACE_ERROR("signature received with out dated sign counter");
   1981     }
   1982     else if (p_orig == NULL)
   1983     {
   1984         BTM_TRACE_ERROR("No signature to verify");
   1985     }
   1986     else
   1987     {
   1988         BTM_TRACE_DEBUG ("BTM_BleVerifySignature rcv_cnt=%d >= expected_cnt=%d", counter, p_rec->ble.keys.counter);
   1989 
   1990         if (AES_CMAC(p_rec->ble.keys.csrk, p_orig, len, BTM_CMAC_TLEN_SIZE, p_mac))
   1991         {
   1992             if (memcmp(p_mac, p_comp, BTM_CMAC_TLEN_SIZE) == 0)
   1993             {
   1994                 btm_ble_increment_sign_ctr(bd_addr, FALSE);
   1995                 verified = TRUE;
   1996             }
   1997         }
   1998     }
   1999 #endif  /* SMP_INCLUDED */
   2000     return verified;
   2001 }
   2002 
   2003 /*******************************************************************************
   2004 **  Utility functions for LE device IR/ER generation
   2005 *******************************************************************************/
   2006 /*******************************************************************************
   2007 **
   2008 ** Function         btm_notify_new_key
   2009 **
   2010 ** Description      This function is to notify application new keys have been
   2011 **                  generated.
   2012 **
   2013 ** Returns          void
   2014 **
   2015 *******************************************************************************/
   2016 static void btm_notify_new_key(UINT8 key_type)
   2017 {
   2018     tBTM_BLE_LOCAL_KEYS *p_locak_keys = NULL;
   2019 
   2020     BTM_TRACE_DEBUG ("btm_notify_new_key key_type=%d", key_type);
   2021 
   2022     if (btm_cb.api.p_le_key_callback)
   2023     {
   2024         switch (key_type)
   2025         {
   2026             case BTM_BLE_KEY_TYPE_ID:
   2027                 BTM_TRACE_DEBUG ("BTM_BLE_KEY_TYPE_ID");
   2028                 p_locak_keys = (tBTM_BLE_LOCAL_KEYS *)&btm_cb.devcb.id_keys;
   2029                 break;
   2030 
   2031             case BTM_BLE_KEY_TYPE_ER:
   2032                 BTM_TRACE_DEBUG ("BTM_BLE_KEY_TYPE_ER");
   2033                 p_locak_keys = (tBTM_BLE_LOCAL_KEYS *)&btm_cb.devcb.er;
   2034                 break;
   2035 
   2036             default:
   2037                 BTM_TRACE_ERROR("unknown key type: %d", key_type);
   2038                 break;
   2039         }
   2040         if (p_locak_keys != NULL)
   2041             (*btm_cb.api.p_le_key_callback) (key_type, p_locak_keys);
   2042     }
   2043 }
   2044 
   2045 /*******************************************************************************
   2046 **
   2047 ** Function         btm_ble_process_er2
   2048 **
   2049 ** Description      This function is called when ER is generated, store it in
   2050 **                  local control block.
   2051 **
   2052 ** Returns          void
   2053 **
   2054 *******************************************************************************/
   2055 static void btm_ble_process_er2(tBTM_RAND_ENC *p)
   2056 {
   2057     BTM_TRACE_DEBUG ("btm_ble_process_er2");
   2058 
   2059     if (p &&p->opcode == HCI_BLE_RAND)
   2060     {
   2061         memcpy(&btm_cb.devcb.er[8], p->param_buf, BT_OCTET8_LEN);
   2062         btm_notify_new_key(BTM_BLE_KEY_TYPE_ER);
   2063     }
   2064     else
   2065     {
   2066         BTM_TRACE_ERROR("Generating ER2 exception.");
   2067         memset(&btm_cb.devcb.er, 0, sizeof(BT_OCTET16));
   2068     }
   2069 }
   2070 
   2071 /*******************************************************************************
   2072 **
   2073 ** Function         btm_ble_process_er
   2074 **
   2075 ** Description      This function is called when ER is generated, store it in
   2076 **                  local control block.
   2077 **
   2078 ** Returns          void
   2079 **
   2080 *******************************************************************************/
   2081 static void btm_ble_process_er(tBTM_RAND_ENC *p)
   2082 {
   2083     BTM_TRACE_DEBUG ("btm_ble_process_er");
   2084 
   2085     if (p &&p->opcode == HCI_BLE_RAND)
   2086     {
   2087         memcpy(&btm_cb.devcb.er[0], p->param_buf, BT_OCTET8_LEN);
   2088 
   2089         if (!btsnd_hcic_ble_rand((void *)btm_ble_process_er2))
   2090         {
   2091             memset(&btm_cb.devcb.er, 0, sizeof(BT_OCTET16));
   2092             BTM_TRACE_ERROR("Generating ER2 failed.");
   2093         }
   2094     }
   2095     else
   2096     {
   2097         BTM_TRACE_ERROR("Generating ER1 exception.");
   2098     }
   2099 }
   2100 
   2101 /*******************************************************************************
   2102 **
   2103 ** Function         btm_ble_process_irk
   2104 **
   2105 ** Description      This function is called when IRK is generated, store it in
   2106 **                  local control block.
   2107 **
   2108 ** Returns          void
   2109 **
   2110 *******************************************************************************/
   2111 static void btm_ble_process_irk(tSMP_ENC *p)
   2112 {
   2113     BTM_TRACE_DEBUG ("btm_ble_process_irk");
   2114     if (p &&p->opcode == HCI_BLE_ENCRYPT)
   2115     {
   2116         memcpy(btm_cb.devcb.id_keys.irk, p->param_buf, BT_OCTET16_LEN);
   2117         btm_notify_new_key(BTM_BLE_KEY_TYPE_ID);
   2118     }
   2119     else
   2120     {
   2121         BTM_TRACE_ERROR("Generating IRK exception.");
   2122     }
   2123 
   2124     /* proceed generate ER */
   2125     if (!btsnd_hcic_ble_rand((void *)btm_ble_process_er))
   2126     {
   2127         BTM_TRACE_ERROR("Generating ER failed.");
   2128     }
   2129 }
   2130 
   2131 /*******************************************************************************
   2132 **
   2133 ** Function         btm_ble_process_dhk
   2134 **
   2135 ** Description      This function is called when DHK is calculated, store it in
   2136 **                  local control block, and proceed to generate ER, a 128-bits
   2137 **                  random number.
   2138 **
   2139 ** Returns          void
   2140 **
   2141 *******************************************************************************/
   2142 static void btm_ble_process_dhk(tSMP_ENC *p)
   2143 {
   2144 #if SMP_INCLUDED == TRUE
   2145     UINT8 btm_ble_irk_pt = 0x01;
   2146     tSMP_ENC output;
   2147 
   2148     BTM_TRACE_DEBUG ("btm_ble_process_dhk");
   2149 
   2150     if (p && p->opcode == HCI_BLE_ENCRYPT)
   2151     {
   2152         memcpy(btm_cb.devcb.id_keys.dhk, p->param_buf, BT_OCTET16_LEN);
   2153         BTM_TRACE_DEBUG("BLE DHK generated.");
   2154 
   2155         /* IRK = D1(IR, 1) */
   2156         if (!SMP_Encrypt(btm_cb.devcb.id_keys.ir, BT_OCTET16_LEN, &btm_ble_irk_pt,
   2157                          1,   &output))
   2158         {
   2159             /* reset all identity root related key */
   2160             memset(&btm_cb.devcb.id_keys, 0, sizeof(tBTM_BLE_LOCAL_ID_KEYS));
   2161         }
   2162         else
   2163         {
   2164             btm_ble_process_irk(&output);
   2165         }
   2166     }
   2167     else
   2168     {
   2169         /* reset all identity root related key */
   2170         memset(&btm_cb.devcb.id_keys, 0, sizeof(tBTM_BLE_LOCAL_ID_KEYS));
   2171     }
   2172 #endif
   2173 }
   2174 
   2175 /*******************************************************************************
   2176 **
   2177 ** Function         btm_ble_process_ir2
   2178 **
   2179 ** Description      This function is called when IR is generated, proceed to calculate
   2180 **                  DHK = Eir({0x03, 0, 0 ...})
   2181 **
   2182 **
   2183 ** Returns          void
   2184 **
   2185 *******************************************************************************/
   2186 static void btm_ble_process_ir2(tBTM_RAND_ENC *p)
   2187 {
   2188 #if SMP_INCLUDED == TRUE
   2189     UINT8 btm_ble_dhk_pt = 0x03;
   2190     tSMP_ENC output;
   2191 
   2192     BTM_TRACE_DEBUG ("btm_ble_process_ir2");
   2193 
   2194     if (p && p->opcode == HCI_BLE_RAND)
   2195     {
   2196         /* remembering in control block */
   2197         memcpy(&btm_cb.devcb.id_keys.ir[8], p->param_buf, BT_OCTET8_LEN);
   2198         /* generate DHK= Eir({0x03, 0x00, 0x00 ...}) */
   2199 
   2200 
   2201         SMP_Encrypt(btm_cb.devcb.id_keys.ir, BT_OCTET16_LEN, &btm_ble_dhk_pt,
   2202                     1, &output);
   2203         btm_ble_process_dhk(&output);
   2204 
   2205         BTM_TRACE_DEBUG("BLE IR generated.");
   2206     }
   2207     else
   2208     {
   2209         memset(&btm_cb.devcb.id_keys, 0, sizeof(tBTM_BLE_LOCAL_ID_KEYS));
   2210     }
   2211 #endif
   2212 }
   2213 
   2214 /*******************************************************************************
   2215 **
   2216 ** Function         btm_ble_process_ir
   2217 **
   2218 ** Description      This function is called when IR is generated, proceed to calculate
   2219 **                  DHK = Eir({0x02, 0, 0 ...})
   2220 **
   2221 **
   2222 ** Returns          void
   2223 **
   2224 *******************************************************************************/
   2225 static void btm_ble_process_ir(tBTM_RAND_ENC *p)
   2226 {
   2227     BTM_TRACE_DEBUG ("btm_ble_process_ir");
   2228 
   2229     if (p && p->opcode == HCI_BLE_RAND)
   2230     {
   2231         /* remembering in control block */
   2232         memcpy(btm_cb.devcb.id_keys.ir, p->param_buf, BT_OCTET8_LEN);
   2233 
   2234         if (!btsnd_hcic_ble_rand((void *)btm_ble_process_ir2))
   2235         {
   2236             BTM_TRACE_ERROR("Generating IR2 failed.");
   2237             memset(&btm_cb.devcb.id_keys, 0, sizeof(tBTM_BLE_LOCAL_ID_KEYS));
   2238         }
   2239     }
   2240 }
   2241 
   2242 /*******************************************************************************
   2243 **
   2244 ** Function         btm_ble_reset_id
   2245 **
   2246 ** Description      This function is called to reset LE device identity.
   2247 **
   2248 ** Returns          void
   2249 **
   2250 *******************************************************************************/
   2251 void btm_ble_reset_id( void )
   2252 {
   2253     BTM_TRACE_DEBUG ("btm_ble_reset_id");
   2254 
   2255     /* regenrate Identity Root*/
   2256     if (!btsnd_hcic_ble_rand((void *)btm_ble_process_ir))
   2257     {
   2258         BTM_TRACE_DEBUG("Generating IR failed.");
   2259     }
   2260 }
   2261 
   2262     #if BTM_BLE_CONFORMANCE_TESTING == TRUE
   2263 /*******************************************************************************
   2264 **
   2265 ** Function         btm_ble_set_no_disc_if_pair_fail
   2266 **
   2267 ** Description      This function indicates that whether no disconnect of the ACL
   2268 **                  should be used if pairing failed
   2269 **
   2270 ** Returns          void
   2271 **
   2272 *******************************************************************************/
   2273 void btm_ble_set_no_disc_if_pair_fail(BOOLEAN disable_disc )
   2274 {
   2275     BTM_TRACE_DEBUG ("btm_ble_set_disc_enable_if_pair_fail disable_disc=%d", disable_disc);
   2276     btm_cb.devcb.no_disc_if_pair_fail = disable_disc;
   2277 }
   2278 
   2279 /*******************************************************************************
   2280 **
   2281 ** Function         btm_ble_set_test_mac_value
   2282 **
   2283 ** Description      This function set test MAC value
   2284 **
   2285 ** Returns          void
   2286 **
   2287 *******************************************************************************/
   2288 void btm_ble_set_test_mac_value(BOOLEAN enable, UINT8 *p_test_mac_val )
   2289 {
   2290     BTM_TRACE_DEBUG ("btm_ble_set_test_mac_value enable=%d", enable);
   2291     btm_cb.devcb.enable_test_mac_val = enable;
   2292     memcpy(btm_cb.devcb.test_mac, p_test_mac_val, BT_OCTET8_LEN);
   2293 }
   2294 
   2295 /*******************************************************************************
   2296 **
   2297 ** Function         btm_ble_set_test_local_sign_cntr_value
   2298 **
   2299 ** Description      This function set test local sign counter value
   2300 **
   2301 ** Returns          void
   2302 **
   2303 *******************************************************************************/
   2304 void btm_ble_set_test_local_sign_cntr_value(BOOLEAN enable, UINT32 test_local_sign_cntr )
   2305 {
   2306     BTM_TRACE_DEBUG ("btm_ble_set_test_local_sign_cntr_value enable=%d local_sign_cntr=%d",
   2307                       enable, test_local_sign_cntr);
   2308     btm_cb.devcb.enable_test_local_sign_cntr = enable;
   2309     btm_cb.devcb.test_local_sign_cntr =  test_local_sign_cntr;
   2310 }
   2311 
   2312 /*******************************************************************************
   2313 **
   2314 ** Function         btm_set_random_address
   2315 **
   2316 ** Description      This function set a random address to local controller.
   2317 **
   2318 ** Returns          void
   2319 **
   2320 *******************************************************************************/
   2321 void btm_set_random_address(BD_ADDR random_bda)
   2322 {
   2323     tBTM_LE_RANDOM_CB *p_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb;
   2324     BOOLEAN     adv_mode = btm_cb.ble_ctr_cb.inq_var.adv_mode ;
   2325 
   2326     BTM_TRACE_DEBUG ("btm_set_random_address");
   2327 
   2328     if (adv_mode  == BTM_BLE_ADV_ENABLE)
   2329         btsnd_hcic_ble_set_adv_enable (BTM_BLE_ADV_DISABLE);
   2330 
   2331     memcpy(p_cb->private_addr, random_bda, BD_ADDR_LEN);
   2332     btsnd_hcic_ble_set_random_addr(p_cb->private_addr);
   2333 
   2334     if (adv_mode  == BTM_BLE_ADV_ENABLE)
   2335         btsnd_hcic_ble_set_adv_enable (BTM_BLE_ADV_ENABLE);
   2336 
   2337 
   2338 }
   2339 
   2340 /*******************************************************************************
   2341 **
   2342 ** Function         btm_ble_set_keep_rfu_in_auth_req
   2343 **
   2344 ** Description      This function indicates if RFU bits have to be kept as is
   2345 **                  (by default they have to be set to 0 by the sender).
   2346 **
   2347 ** Returns          void
   2348 **
   2349 *******************************************************************************/
   2350 void btm_ble_set_keep_rfu_in_auth_req(BOOLEAN keep_rfu)
   2351 {
   2352     BTM_TRACE_DEBUG ("btm_ble_set_keep_rfu_in_auth_req keep_rfus=%d", keep_rfu);
   2353     btm_cb.devcb.keep_rfu_in_auth_req = keep_rfu;
   2354 }
   2355 
   2356 #endif /* BTM_BLE_CONFORMANCE_TESTING */
   2357 
   2358 #endif /* BLE_INCLUDED */
   2359