1 /****************************************************************************** 2 * 3 * Copyright (C) 1999-2012 Broadcom Corporation 4 * 5 * Licensed under the Apache License, Version 2.0 (the "License"); 6 * you may not use this file except in compliance with the License. 7 * You may obtain a copy of the License at: 8 * 9 * http://www.apache.org/licenses/LICENSE-2.0 10 * 11 * Unless required by applicable law or agreed to in writing, software 12 * distributed under the License is distributed on an "AS IS" BASIS, 13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 * See the License for the specific language governing permissions and 15 * limitations under the License. 16 * 17 ******************************************************************************/ 18 19 /****************************************************************************** 20 * 21 * This file contains functions for the Bluetooth Security Manager 22 * 23 ******************************************************************************/ 24 25 #define LOG_TAG "bt_btm_sec" 26 27 #include <stdarg.h> 28 #include <string.h> 29 30 #include "bt_types.h" 31 #include "device/include/controller.h" 32 #include "hcimsgs.h" 33 #include "btu.h" 34 #include "btm_int.h" 35 #include "l2c_int.h" 36 #include "bt_utils.h" 37 #include "osi/include/log.h" 38 39 #if (BT_USE_TRACES == TRUE && BT_TRACE_VERBOSE == FALSE) 40 /* needed for sprintf() */ 41 #include <stdio.h> 42 #endif 43 44 #if BLE_INCLUDED == TRUE 45 #include "gatt_int.h" 46 #endif 47 48 #define BTM_SEC_MAX_COLLISION_DELAY (5000) 49 50 #ifdef APPL_AUTH_WRITE_EXCEPTION 51 BOOLEAN (APPL_AUTH_WRITE_EXCEPTION)(BD_ADDR bd_addr); 52 #endif 53 54 55 /******************************************************************************** 56 ** L O C A L F U N C T I O N P R O T O T Y P E S * 57 *********************************************************************************/ 58 static tBTM_SEC_SERV_REC *btm_sec_find_first_serv (BOOLEAN is_originator, UINT16 psm); 59 static tBTM_SEC_SERV_REC *btm_sec_find_next_serv (tBTM_SEC_SERV_REC *p_cur); 60 static tBTM_SEC_SERV_REC *btm_sec_find_mx_serv (UINT8 is_originator, UINT16 psm, 61 UINT32 mx_proto_id, 62 UINT32 mx_chan_id); 63 64 static tBTM_STATUS btm_sec_execute_procedure (tBTM_SEC_DEV_REC *p_dev_rec); 65 static BOOLEAN btm_sec_start_get_name (tBTM_SEC_DEV_REC *p_dev_rec); 66 static BOOLEAN btm_sec_start_authentication (tBTM_SEC_DEV_REC *p_dev_rec); 67 static BOOLEAN btm_sec_start_encryption (tBTM_SEC_DEV_REC *p_dev_rec); 68 static void btm_sec_collision_timeout (TIMER_LIST_ENT *p_tle); 69 static void btm_restore_mode(void); 70 static void btm_sec_pairing_timeout (TIMER_LIST_ENT *p_tle); 71 static tBTM_STATUS btm_sec_dd_create_conn (tBTM_SEC_DEV_REC *p_dev_rec); 72 static void btm_sec_change_pairing_state (tBTM_PAIRING_STATE new_state); 73 74 #if (BT_USE_TRACES == TRUE) 75 static char *btm_pair_state_descr (tBTM_PAIRING_STATE state); 76 #endif 77 78 static void btm_sec_check_pending_reqs(void); 79 static BOOLEAN btm_sec_queue_mx_request (BD_ADDR bd_addr, UINT16 psm, BOOLEAN is_orig, 80 UINT32 mx_proto_id, UINT32 mx_chan_id, 81 tBTM_SEC_CALLBACK *p_callback, void *p_ref_data); 82 static void btm_sec_bond_cancel_complete (void); 83 static void btm_send_link_key_notif (tBTM_SEC_DEV_REC *p_dev_rec); 84 static BOOLEAN btm_sec_check_prefetch_pin (tBTM_SEC_DEV_REC *p_dev_rec); 85 86 static UINT8 btm_sec_start_authorization (tBTM_SEC_DEV_REC *p_dev_rec); 87 BOOLEAN btm_sec_are_all_trusted(UINT32 p_mask[]); 88 89 static tBTM_STATUS btm_sec_send_hci_disconnect (tBTM_SEC_DEV_REC *p_dev_rec, UINT8 reason, UINT16 conn_handle); 90 UINT8 btm_sec_start_role_switch (tBTM_SEC_DEV_REC *p_dev_rec); 91 tBTM_SEC_DEV_REC *btm_sec_find_dev_by_sec_state (UINT8 state); 92 93 static BOOLEAN btm_sec_set_security_level ( CONNECTION_TYPE conn_type, char *p_name, UINT8 service_id, 94 UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id, 95 UINT32 mx_chan_id); 96 97 static BOOLEAN btm_dev_authenticated(tBTM_SEC_DEV_REC *p_dev_rec); 98 static BOOLEAN btm_dev_encrypted(tBTM_SEC_DEV_REC *p_dev_rec); 99 static BOOLEAN btm_dev_authorized(tBTM_SEC_DEV_REC *p_dev_rec); 100 static BOOLEAN btm_serv_trusted(tBTM_SEC_DEV_REC *p_dev_rec, tBTM_SEC_SERV_REC *p_serv_rec); 101 static BOOLEAN btm_sec_is_serv_level0 (UINT16 psm); 102 static UINT16 btm_sec_set_serv_level4_flags (UINT16 cur_security, BOOLEAN is_originator); 103 104 static BOOLEAN btm_sec_queue_encrypt_request (BD_ADDR bd_addr, tBT_TRANSPORT transport, 105 tBTM_SEC_CALLBACK *p_callback, void *p_ref_data); 106 static void btm_sec_clean_pending_req_queue (BD_ADDR remote_bda, tBT_TRANSPORT transport) ; 107 static void btm_sec_check_pending_enc_req (tBTM_SEC_DEV_REC *p_dev_rec, tBT_TRANSPORT transport, 108 UINT8 encr_enable); 109 static BOOLEAN btm_sec_acceptor_rejects_bonding (tBTM_SEC_DEV_REC *p_dev_rec); 110 111 static BOOLEAN btm_sec_use_smp_br_chnl(tBTM_SEC_DEV_REC *p_dev_rec); 112 static BOOLEAN btm_sec_is_master(tBTM_SEC_DEV_REC *p_dev_rec); 113 114 /* TRUE - authenticated link key is possible */ 115 static const BOOLEAN btm_sec_io_map [BTM_IO_CAP_MAX][BTM_IO_CAP_MAX] = 116 { 117 /* OUT, IO, IN, NONE */ 118 /* OUT */ {FALSE, FALSE, TRUE, FALSE}, 119 /* IO */ {FALSE, TRUE, TRUE, FALSE}, 120 /* IN */ {TRUE, TRUE, TRUE, FALSE}, 121 /* NONE */ {FALSE, FALSE, FALSE, FALSE} 122 }; 123 /* BTM_IO_CAP_OUT 0 DisplayOnly */ 124 /* BTM_IO_CAP_IO 1 DisplayYesNo */ 125 /* BTM_IO_CAP_IN 2 KeyboardOnly */ 126 /* BTM_IO_CAP_NONE 3 NoInputNoOutput */ 127 128 /******************************************************************************* 129 ** 130 ** Function btm_dev_authenticated 131 ** 132 ** Description check device is authenticated 133 ** 134 ** Returns BOOLEAN TRUE or FALSE 135 ** 136 *******************************************************************************/ 137 static BOOLEAN btm_dev_authenticated (tBTM_SEC_DEV_REC *p_dev_rec) 138 { 139 if(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED) 140 { 141 return(TRUE); 142 } 143 return(FALSE); 144 } 145 146 /******************************************************************************* 147 ** 148 ** Function btm_dev_encrypted 149 ** 150 ** Description check device is encrypted 151 ** 152 ** Returns BOOLEAN TRUE or FALSE 153 ** 154 *******************************************************************************/ 155 static BOOLEAN btm_dev_encrypted (tBTM_SEC_DEV_REC *p_dev_rec) 156 { 157 if(p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED) 158 { 159 return(TRUE); 160 } 161 return(FALSE); 162 } 163 164 /******************************************************************************* 165 ** 166 ** Function btm_dev_authorized 167 ** 168 ** Description check device is authorized 169 ** 170 ** Returns BOOLEAN TRUE or FALSE 171 ** 172 *******************************************************************************/ 173 static BOOLEAN btm_dev_authorized (tBTM_SEC_DEV_REC *p_dev_rec) 174 { 175 if(p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED) 176 { 177 return(TRUE); 178 } 179 return(FALSE); 180 } 181 182 /******************************************************************************* 183 ** 184 ** Function btm_dev_16_digit_authenticated 185 ** 186 ** Description check device is authenticated by using 16 digit pin or MITM 187 ** 188 ** Returns BOOLEAN TRUE or FALSE 189 ** 190 *******************************************************************************/ 191 static BOOLEAN btm_dev_16_digit_authenticated(tBTM_SEC_DEV_REC *p_dev_rec) 192 { 193 // BTM_SEC_16_DIGIT_PIN_AUTHED is set if MITM or 16 digit pin is used 194 if(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED) 195 { 196 return(TRUE); 197 } 198 return(FALSE); 199 } 200 201 /******************************************************************************* 202 ** 203 ** Function btm_serv_trusted 204 ** 205 ** Description check service is trusted 206 ** 207 ** Returns BOOLEAN TRUE or FALSE 208 ** 209 *******************************************************************************/ 210 static BOOLEAN btm_serv_trusted(tBTM_SEC_DEV_REC *p_dev_rec, tBTM_SEC_SERV_REC *p_serv_rec) 211 { 212 if(BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask, p_serv_rec->service_id)) 213 { 214 return(TRUE); 215 } 216 return(FALSE); 217 } 218 219 /******************************************************************************* 220 ** 221 ** Function BTM_SecRegister 222 ** 223 ** Description Application manager calls this function to register for 224 ** security services. There can be one and only one application 225 ** saving link keys. BTM allows only first registration. 226 ** 227 ** Returns TRUE if registered OK, else FALSE 228 ** 229 *******************************************************************************/ 230 BOOLEAN BTM_SecRegister(tBTM_APPL_INFO *p_cb_info) 231 { 232 #if BLE_INCLUDED == TRUE 233 BT_OCTET16 temp_value = {0}; 234 #endif 235 236 BTM_TRACE_EVENT("%s application registered", __func__); 237 238 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE 239 LOG_INFO("%s p_cb_info->p_le_callback == 0x%p", __func__, p_cb_info->p_le_callback); 240 if (p_cb_info->p_le_callback) 241 { 242 #if SMP_INCLUDED == TRUE 243 BTM_TRACE_EVENT("%s SMP_Register( btm_proc_smp_cback )", __func__); 244 SMP_Register(btm_proc_smp_cback); 245 #endif 246 /* if no IR is loaded, need to regenerate all the keys */ 247 if (memcmp(btm_cb.devcb.id_keys.ir, &temp_value, sizeof(BT_OCTET16)) == 0) 248 { 249 btm_ble_reset_id(); 250 } 251 } 252 else 253 { 254 LOG_WARN("%s p_cb_info->p_le_callback == NULL", __func__); 255 } 256 #endif 257 258 btm_cb.api = *p_cb_info; 259 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE 260 LOG_INFO("%s btm_cb.api.p_le_callback = 0x%p ", __func__, btm_cb.api.p_le_callback); 261 #endif 262 BTM_TRACE_EVENT("%s application registered", __func__); 263 return(TRUE); 264 } 265 266 /******************************************************************************* 267 ** 268 ** Function BTM_SecRegisterLinkKeyNotificationCallback 269 ** 270 ** Description Application manager calls this function to register for 271 ** link key notification. When there is nobody registered 272 ** we should avoid changing link key 273 ** 274 ** Returns TRUE if registered OK, else FALSE 275 ** 276 *******************************************************************************/ 277 BOOLEAN BTM_SecRegisterLinkKeyNotificationCallback (tBTM_LINK_KEY_CALLBACK *p_callback) 278 { 279 btm_cb.api.p_link_key_callback = p_callback; 280 return TRUE; 281 } 282 283 /******************************************************************************* 284 ** 285 ** Function BTM_SecAddRmtNameNotifyCallback 286 ** 287 ** Description Any profile can register to be notified when name of the 288 ** remote device is resolved. 289 ** 290 ** Returns TRUE if registered OK, else FALSE 291 ** 292 *******************************************************************************/ 293 BOOLEAN BTM_SecAddRmtNameNotifyCallback (tBTM_RMT_NAME_CALLBACK *p_callback) 294 { 295 int i; 296 297 for (i = 0; i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++) 298 { 299 if (btm_cb.p_rmt_name_callback[i] == NULL) 300 { 301 btm_cb.p_rmt_name_callback[i] = p_callback; 302 return(TRUE); 303 } 304 } 305 306 return(FALSE); 307 } 308 309 310 /******************************************************************************* 311 ** 312 ** Function BTM_SecDeleteRmtNameNotifyCallback 313 ** 314 ** Description Any profile can deregister notification when a new Link Key 315 ** is generated per connection. 316 ** 317 ** Returns TRUE if OK, else FALSE 318 ** 319 *******************************************************************************/ 320 BOOLEAN BTM_SecDeleteRmtNameNotifyCallback (tBTM_RMT_NAME_CALLBACK *p_callback) 321 { 322 int i; 323 324 for (i = 0; i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++) 325 { 326 if (btm_cb.p_rmt_name_callback[i] == p_callback) 327 { 328 btm_cb.p_rmt_name_callback[i] = NULL; 329 return(TRUE); 330 } 331 } 332 333 return(FALSE); 334 } 335 336 /******************************************************************************* 337 ** 338 ** Function BTM_GetSecurityFlags 339 ** 340 ** Description Get security flags for the device 341 ** 342 ** Returns BOOLEAN TRUE or FALSE is device found 343 ** 344 *******************************************************************************/ 345 BOOLEAN BTM_GetSecurityFlags (BD_ADDR bd_addr, UINT8 * p_sec_flags) 346 { 347 tBTM_SEC_DEV_REC *p_dev_rec; 348 349 if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL) 350 { 351 *p_sec_flags = (UINT8) p_dev_rec->sec_flags; 352 return(TRUE); 353 } 354 BTM_TRACE_ERROR ("BTM_GetSecurityFlags false"); 355 return(FALSE); 356 } 357 358 /******************************************************************************* 359 ** 360 ** Function BTM_GetSecurityFlagsByTransport 361 ** 362 ** Description Get security flags for the device on a particular transport 363 ** 364 ** Returns BOOLEAN TRUE or FALSE is device found 365 ** 366 *******************************************************************************/ 367 BOOLEAN BTM_GetSecurityFlagsByTransport (BD_ADDR bd_addr, UINT8 * p_sec_flags, 368 tBT_TRANSPORT transport) 369 { 370 tBTM_SEC_DEV_REC *p_dev_rec; 371 372 if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL) 373 { 374 if (transport == BT_TRANSPORT_BR_EDR) 375 *p_sec_flags = (UINT8) p_dev_rec->sec_flags; 376 else 377 *p_sec_flags = (UINT8) (p_dev_rec->sec_flags >> 8); 378 379 return(TRUE); 380 } 381 BTM_TRACE_ERROR ("BTM_GetSecurityFlags false"); 382 return(FALSE); 383 } 384 385 /******************************************************************************* 386 ** 387 ** Function BTM_SetPinType 388 ** 389 ** Description Set PIN type for the device. 390 ** 391 ** Returns void 392 ** 393 *******************************************************************************/ 394 void BTM_SetPinType (UINT8 pin_type, PIN_CODE pin_code, UINT8 pin_code_len) 395 { 396 BTM_TRACE_API ("BTM_SetPinType: pin type %d [variable-0, fixed-1], code %s, length %d", 397 pin_type, (char *) pin_code, pin_code_len); 398 399 /* If device is not up security mode will be set as a part of startup */ 400 if ( (btm_cb.cfg.pin_type != pin_type) 401 && controller_get_interface()->get_is_ready() ) 402 { 403 btsnd_hcic_write_pin_type (pin_type); 404 } 405 406 btm_cb.cfg.pin_type = pin_type; 407 btm_cb.cfg.pin_code_len = pin_code_len; 408 memcpy (btm_cb.cfg.pin_code, pin_code, pin_code_len); 409 } 410 411 /******************************************************************************* 412 ** 413 ** Function BTM_SetPairableMode 414 ** 415 ** Description Enable or disable pairing 416 ** 417 ** Parameters allow_pairing - (TRUE or FALSE) whether or not the device 418 ** allows pairing. 419 ** connect_only_paired - (TRUE or FALSE) whether or not to 420 ** only allow paired devices to connect. 421 ** 422 ** Returns void 423 ** 424 *******************************************************************************/ 425 void BTM_SetPairableMode (BOOLEAN allow_pairing, BOOLEAN connect_only_paired) 426 { 427 BTM_TRACE_API ("BTM_SetPairableMode() allow_pairing: %u connect_only_paired: %u", allow_pairing, connect_only_paired); 428 429 btm_cb.pairing_disabled = !allow_pairing; 430 btm_cb.connect_only_paired = connect_only_paired; 431 } 432 433 /******************************************************************************* 434 ** 435 ** Function BTM_SetSecureConnectionsOnly 436 ** 437 ** Description Enable or disable default treatment for Mode 4 Level 0 services 438 ** 439 ** Parameter secure_connections_only_mode - (TRUE or FALSE) whether or not the device 440 ** TRUE means that the device should treat Mode 4 Level 0 services as 441 ** services of other levels. (Secure_connections_only_mode) 442 ** FALSE means that the device should provide default treatment for 443 ** Mode 4 Level 0 services. 444 ** 445 ** Returns void 446 ** 447 *******************************************************************************/ 448 void BTM_SetSecureConnectionsOnly (BOOLEAN secure_connections_only_mode) 449 { 450 BTM_TRACE_API("%s: Mode : %u", __FUNCTION__, 451 secure_connections_only_mode); 452 453 btm_cb.devcb.secure_connections_only = secure_connections_only_mode; 454 btm_cb.security_mode = BTM_SEC_MODE_SC; 455 } 456 #define BTM_NO_AVAIL_SEC_SERVICES ((UINT16) 0xffff) 457 458 /******************************************************************************* 459 ** 460 ** Function BTM_SetSecurityLevel 461 ** 462 ** Description Register service security level with Security Manager 463 ** 464 ** Parameters: is_originator - TRUE if originating the connection, FALSE if not 465 ** p_name - Name of the service relevant only if 466 ** authorization will show this name to user. ignored 467 ** if BTM_SEC_SERVICE_NAME_LEN is 0. 468 ** service_id - service ID for the service passed to authorization callback 469 ** sec_level - bit mask of the security features 470 ** psm - L2CAP PSM 471 ** mx_proto_id - protocol ID of multiplexing proto below 472 ** mx_chan_id - channel ID of multiplexing proto below 473 ** 474 ** Returns TRUE if registered OK, else FALSE 475 ** 476 *******************************************************************************/ 477 BOOLEAN BTM_SetSecurityLevel (BOOLEAN is_originator, char *p_name, UINT8 service_id, 478 UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id, 479 UINT32 mx_chan_id) 480 { 481 #if (L2CAP_UCD_INCLUDED == TRUE) 482 CONNECTION_TYPE conn_type; 483 484 if (is_originator) 485 conn_type = CONN_ORIENT_ORIG; 486 else 487 conn_type = CONN_ORIENT_TERM; 488 489 return(btm_sec_set_security_level (conn_type, p_name, service_id, 490 sec_level, psm, mx_proto_id, mx_chan_id)); 491 #else 492 return(btm_sec_set_security_level (is_originator, p_name, service_id, 493 sec_level, psm, mx_proto_id, mx_chan_id)); 494 #endif 495 } 496 497 /******************************************************************************* 498 ** 499 ** Function btm_sec_set_security_level 500 ** 501 ** Description Register service security level with Security Manager 502 ** 503 ** Parameters: conn_type - TRUE if originating the connection, FALSE if not 504 ** p_name - Name of the service relevant only if 505 ** authorization will show this name to user. ignored 506 ** if BTM_SEC_SERVICE_NAME_LEN is 0. 507 ** service_id - service ID for the service passed to authorization callback 508 ** sec_level - bit mask of the security features 509 ** psm - L2CAP PSM 510 ** mx_proto_id - protocol ID of multiplexing proto below 511 ** mx_chan_id - channel ID of multiplexing proto below 512 ** 513 ** Returns TRUE if registered OK, else FALSE 514 ** 515 *******************************************************************************/ 516 static BOOLEAN btm_sec_set_security_level (CONNECTION_TYPE conn_type, char *p_name, UINT8 service_id, 517 UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id, 518 UINT32 mx_chan_id) 519 { 520 tBTM_SEC_SERV_REC *p_srec; 521 UINT16 index; 522 UINT16 first_unused_record = BTM_NO_AVAIL_SEC_SERVICES; 523 BOOLEAN record_allocated = FALSE; 524 BOOLEAN is_originator; 525 #if (L2CAP_UCD_INCLUDED == TRUE) 526 BOOLEAN is_ucd; 527 528 if (conn_type & CONNECTION_TYPE_ORIG_MASK) 529 is_originator = TRUE; 530 else 531 is_originator = FALSE; 532 533 if (conn_type & CONNECTION_TYPE_CONNLESS_MASK ) 534 { 535 is_ucd = TRUE; 536 } 537 else 538 { 539 is_ucd = FALSE; 540 } 541 #else 542 is_originator = conn_type; 543 #endif 544 545 BTM_TRACE_API("%s : sec: 0x%x", __func__, sec_level); 546 547 /* See if the record can be reused (same service name, psm, mx_proto_id, 548 service_id, and mx_chan_id), or obtain the next unused record */ 549 550 p_srec = &btm_cb.sec_serv_rec[0]; 551 552 553 for (index = 0; index < BTM_SEC_MAX_SERVICE_RECORDS; index++, p_srec++) 554 { 555 /* Check if there is already a record for this service */ 556 if (p_srec->security_flags & BTM_SEC_IN_USE) 557 { 558 #if BTM_SEC_SERVICE_NAME_LEN > 0 559 if (p_srec->psm == psm && 560 p_srec->mx_proto_id == mx_proto_id && 561 service_id == p_srec->service_id && 562 (!strncmp (p_name, (char *) p_srec->orig_service_name, 563 BTM_SEC_SERVICE_NAME_LEN) || 564 !strncmp (p_name, (char *) p_srec->term_service_name, 565 BTM_SEC_SERVICE_NAME_LEN))) 566 #else 567 if (p_srec->psm == psm && 568 p_srec->mx_proto_id == mx_proto_id && 569 service_id == p_srec->service_id) 570 #endif 571 { 572 record_allocated = TRUE; 573 break; 574 } 575 } 576 /* Mark the first available service record */ 577 else if (!record_allocated) 578 { 579 memset (p_srec, 0, sizeof(tBTM_SEC_SERV_REC)); 580 record_allocated = TRUE; 581 first_unused_record = index; 582 } 583 } 584 585 if (!record_allocated) 586 { 587 BTM_TRACE_WARNING("BTM_SEC_REG: Out of Service Records (%d)", BTM_SEC_MAX_SERVICE_RECORDS); 588 return(record_allocated); 589 } 590 591 /* Process the request if service record is valid */ 592 /* If a duplicate service wasn't found, use the first available */ 593 if (index >= BTM_SEC_MAX_SERVICE_RECORDS) 594 { 595 index = first_unused_record; 596 p_srec = &btm_cb.sec_serv_rec[index]; 597 } 598 599 p_srec->psm = psm; 600 p_srec->service_id = service_id; 601 p_srec->mx_proto_id = mx_proto_id; 602 603 if (is_originator) 604 { 605 p_srec->orig_mx_chan_id = mx_chan_id; 606 #if BTM_SEC_SERVICE_NAME_LEN > 0 607 BCM_STRNCPY_S ((char *)p_srec->orig_service_name, sizeof(p_srec->orig_service_name), p_name, BTM_SEC_SERVICE_NAME_LEN); 608 #endif 609 /* clear out the old setting, just in case it exists */ 610 #if (L2CAP_UCD_INCLUDED == TRUE) 611 if ( is_ucd ) 612 { 613 p_srec->ucd_security_flags &= 614 ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM | 615 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE); 616 } 617 else 618 #endif 619 { 620 p_srec->security_flags &= 621 ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM | 622 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE); 623 } 624 625 /* Parameter validation. Originator should not set requirements for incoming connections */ 626 sec_level &= ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHENTICATE 627 | BTM_SEC_IN_MITM | BTM_SEC_IN_MIN_16_DIGIT_PIN ); 628 629 if (btm_cb.security_mode == BTM_SEC_MODE_SP || 630 btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG || 631 btm_cb.security_mode == BTM_SEC_MODE_SC) 632 { 633 if (sec_level & BTM_SEC_OUT_AUTHENTICATE) 634 sec_level |= BTM_SEC_OUT_MITM; 635 } 636 637 /* Make sure the authenticate bit is set, when encrypt bit is set */ 638 if (sec_level & BTM_SEC_OUT_ENCRYPT) 639 sec_level |= BTM_SEC_OUT_AUTHENTICATE; 640 641 /* outgoing connections usually set the security level right before 642 * the connection is initiated. 643 * set it to be the outgoing service */ 644 #if (L2CAP_UCD_INCLUDED == TRUE) 645 if ( is_ucd == FALSE ) 646 #endif 647 { 648 btm_cb.p_out_serv = p_srec; 649 } 650 } 651 else 652 { 653 p_srec->term_mx_chan_id = mx_chan_id; 654 #if BTM_SEC_SERVICE_NAME_LEN > 0 655 BCM_STRNCPY_S ((char *)p_srec->term_service_name, sizeof(p_srec->term_service_name), p_name, BTM_SEC_SERVICE_NAME_LEN); 656 #endif 657 /* clear out the old setting, just in case it exists */ 658 #if (L2CAP_UCD_INCLUDED == TRUE) 659 if ( is_ucd ) 660 { 661 p_srec->ucd_security_flags &= 662 ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_MITM | 663 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE 664 | BTM_SEC_IN_MIN_16_DIGIT_PIN); 665 } 666 else 667 #endif 668 { 669 p_srec->security_flags &= 670 ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_MITM | 671 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE 672 | BTM_SEC_IN_MIN_16_DIGIT_PIN); 673 } 674 675 /* Parameter validation. Acceptor should not set requirements for outgoing connections */ 676 sec_level &= ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM); 677 678 if (btm_cb.security_mode == BTM_SEC_MODE_SP || 679 btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG || 680 btm_cb.security_mode == BTM_SEC_MODE_SC) 681 { 682 if (sec_level & BTM_SEC_IN_AUTHENTICATE) 683 sec_level |= BTM_SEC_IN_MITM; 684 } 685 686 /* Make sure the authenticate bit is set, when encrypt bit is set */ 687 if (sec_level & BTM_SEC_IN_ENCRYPT) 688 sec_level |= BTM_SEC_IN_AUTHENTICATE; 689 } 690 691 #if (L2CAP_UCD_INCLUDED == TRUE) 692 if ( is_ucd ) 693 { 694 p_srec->security_flags |= (UINT16)(BTM_SEC_IN_USE); 695 p_srec->ucd_security_flags |= (UINT16)(sec_level | BTM_SEC_IN_USE); 696 } 697 else 698 { 699 p_srec->security_flags |= (UINT16)(sec_level | BTM_SEC_IN_USE); 700 } 701 702 BTM_TRACE_API("BTM_SEC_REG[%d]: id %d, conn_type 0x%x, psm 0x%04x, proto_id %d, chan_id %d", 703 index, service_id, conn_type, psm, mx_proto_id, mx_chan_id); 704 705 BTM_TRACE_API(" : security_flags: 0x%04x, ucd_security_flags: 0x%04x", 706 p_srec->security_flags, p_srec->ucd_security_flags); 707 708 #if BTM_SEC_SERVICE_NAME_LEN > 0 709 BTM_TRACE_API(" : service name [%s] (up to %d chars saved)", 710 p_name, BTM_SEC_SERVICE_NAME_LEN); 711 #endif 712 #else 713 p_srec->security_flags |= (UINT16)(sec_level | BTM_SEC_IN_USE); 714 715 BTM_TRACE_API("BTM_SEC_REG[%d]: id %d, is_orig %d, psm 0x%04x, proto_id %d, chan_id %d", 716 index, service_id, is_originator, psm, mx_proto_id, mx_chan_id); 717 718 #if BTM_SEC_SERVICE_NAME_LEN > 0 719 BTM_TRACE_API(" : sec: 0x%x, service name [%s] (up to %d chars saved)", 720 p_srec->security_flags, p_name, BTM_SEC_SERVICE_NAME_LEN); 721 #endif 722 #endif 723 724 725 return(record_allocated); 726 } 727 728 /******************************************************************************* 729 ** 730 ** Function BTM_SecClrService 731 ** 732 ** Description Removes specified service record(s) from the security database. 733 ** All service records with the specified name are removed. 734 ** Typically used only by devices with limited RAM so that it can 735 ** reuse an old security service record. 736 ** 737 ** Note: Unpredictable results may occur if a service is cleared 738 ** that is still in use by an application/profile. 739 ** 740 ** Parameters Service ID - Id of the service to remove. ('0' removes all service 741 ** records (except SDP). 742 ** 743 ** Returns Number of records that were freed. 744 ** 745 *******************************************************************************/ 746 UINT8 BTM_SecClrService (UINT8 service_id) 747 { 748 tBTM_SEC_SERV_REC *p_srec = &btm_cb.sec_serv_rec[0]; 749 UINT8 num_freed = 0; 750 int i; 751 752 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_srec++) 753 { 754 /* Delete services with specified name (if in use and not SDP) */ 755 if ((p_srec->security_flags & BTM_SEC_IN_USE) && (p_srec->psm != BT_PSM_SDP) && 756 (!service_id || (service_id == p_srec->service_id))) 757 { 758 BTM_TRACE_API("BTM_SEC_CLR[%d]: id %d", i, service_id); 759 p_srec->security_flags = 0; 760 #if (L2CAP_UCD_INCLUDED == TRUE) 761 p_srec->ucd_security_flags = 0; 762 #endif 763 num_freed++; 764 } 765 } 766 767 return(num_freed); 768 } 769 770 /******************************************************************************* 771 ** 772 ** Function btm_sec_clr_service_by_psm 773 ** 774 ** Description Removes specified service record from the security database. 775 ** All service records with the specified psm are removed. 776 ** Typically used by L2CAP to free up the service record used 777 ** by dynamic PSM clients when the channel is closed. 778 ** The given psm must be a virtual psm. 779 ** 780 ** Parameters Service ID - Id of the service to remove. ('0' removes all service 781 ** records (except SDP). 782 ** 783 ** Returns Number of records that were freed. 784 ** 785 *******************************************************************************/ 786 UINT8 btm_sec_clr_service_by_psm (UINT16 psm) 787 { 788 tBTM_SEC_SERV_REC *p_srec = &btm_cb.sec_serv_rec[0]; 789 UINT8 num_freed = 0; 790 int i; 791 792 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_srec++) 793 { 794 /* Delete services with specified name (if in use and not SDP) */ 795 if ((p_srec->security_flags & BTM_SEC_IN_USE) && (p_srec->psm == psm) ) 796 { 797 BTM_TRACE_API("BTM_SEC_CLR[%d]: id %d ", i, p_srec->service_id); 798 p_srec->security_flags = 0; 799 num_freed++; 800 } 801 } 802 BTM_TRACE_API("btm_sec_clr_service_by_psm psm:0x%x num_freed:%d", psm, num_freed); 803 804 return(num_freed); 805 } 806 807 /******************************************************************************* 808 ** 809 ** Function btm_sec_clr_temp_auth_service 810 ** 811 ** Description Removes specified device record's temporary authorization 812 ** flag from the security database. 813 ** 814 ** Parameters Device address to be cleared 815 ** 816 ** Returns void. 817 ** 818 *******************************************************************************/ 819 void btm_sec_clr_temp_auth_service (BD_ADDR bda) 820 { 821 tBTM_SEC_DEV_REC *p_dev_rec; 822 823 if ((p_dev_rec = btm_find_dev (bda)) == NULL) 824 { 825 BTM_TRACE_WARNING ("btm_sec_clr_temp_auth_service() - no dev CB"); 826 return; 827 } 828 829 /* Reset the temporary authorized flag so that next time (untrusted) service is accessed autorization will take place */ 830 if (p_dev_rec->last_author_service_id != BTM_SEC_NO_LAST_SERVICE_ID && p_dev_rec->p_cur_service) 831 { 832 BTM_TRACE_DEBUG ("btm_sec_clr_auth_service_by_psm [clearing device: %02x:%02x:%02x:%02x:%02x:%02x]", 833 bda[0], bda[1], bda[2], bda[3], bda[4], bda[5]); 834 835 p_dev_rec->last_author_service_id = BTM_SEC_NO_LAST_SERVICE_ID; 836 } 837 } 838 839 /******************************************************************************* 840 ** 841 ** Function BTM_PINCodeReply 842 ** 843 ** Description This function is called after Security Manager submitted 844 ** PIN code request to the UI. 845 ** 846 ** Parameters: bd_addr - Address of the device for which PIN was requested 847 ** res - result of the operation BTM_SUCCESS if success 848 ** pin_len - length in bytes of the PIN Code 849 ** p_pin - pointer to array with the PIN Code 850 ** trusted_mask - bitwise OR of trusted services (array of UINT32) 851 ** 852 *******************************************************************************/ 853 void BTM_PINCodeReply (BD_ADDR bd_addr, UINT8 res, UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[]) 854 { 855 tBTM_SEC_DEV_REC *p_dev_rec; 856 857 BTM_TRACE_API ("BTM_PINCodeReply(): PairState: %s PairFlags: 0x%02x PinLen:%d Result:%d", 858 btm_pair_state_descr(btm_cb.pairing_state), btm_cb.pairing_flags, pin_len, res); 859 860 /* If timeout already expired or has been canceled, ignore the reply */ 861 if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_PIN) 862 { 863 BTM_TRACE_WARNING ("BTM_PINCodeReply() - Wrong State: %d", btm_cb.pairing_state); 864 return; 865 } 866 867 if (memcmp (bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN) != 0) 868 { 869 BTM_TRACE_ERROR ("BTM_PINCodeReply() - Wrong BD Addr"); 870 return; 871 } 872 873 if ((p_dev_rec = btm_find_dev (bd_addr)) == NULL) 874 { 875 BTM_TRACE_ERROR ("BTM_PINCodeReply() - no dev CB"); 876 return; 877 } 878 879 if ( (pin_len > PIN_CODE_LEN) || (pin_len == 0) || (p_pin == NULL) ) 880 res = BTM_ILLEGAL_VALUE; 881 882 if (res != BTM_SUCCESS) 883 { 884 /* if peer started dd OR we started dd and pre-fetch pin was not used send negative reply */ 885 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PEER_STARTED_DD) || 886 ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) && 887 (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)) ) 888 { 889 /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed event */ 890 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE); 891 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY; 892 893 btsnd_hcic_pin_code_neg_reply (bd_addr); 894 } 895 else 896 { 897 p_dev_rec->security_required = BTM_SEC_NONE; 898 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 899 } 900 return; 901 } 902 if (trusted_mask) 903 BTM_SEC_COPY_TRUSTED_DEVICE(trusted_mask, p_dev_rec->trusted_mask); 904 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED; 905 if (pin_len >= 16) { 906 p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED; 907 } 908 909 if ( (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) 910 && (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE) 911 && (btm_cb.security_mode_changed == FALSE) ) 912 { 913 /* This is start of the dedicated bonding if local device is 2.0 */ 914 btm_cb.pin_code_len = pin_len; 915 p_dev_rec->pin_code_length = pin_len; 916 memcpy (btm_cb.pin_code, p_pin, pin_len); 917 918 btm_cb.security_mode_changed = TRUE; 919 #ifdef APPL_AUTH_WRITE_EXCEPTION 920 if(!(APPL_AUTH_WRITE_EXCEPTION)(p_dev_rec->bd_addr)) 921 #endif 922 btsnd_hcic_write_auth_enable (TRUE); 923 924 btm_cb.acl_disc_reason = 0xff ; 925 926 /* if we rejected incoming connection request, we have to wait HCI_Connection_Complete event */ 927 /* before originating */ 928 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT) 929 { 930 BTM_TRACE_WARNING ("BTM_PINCodeReply(): waiting HCI_Connection_Complete after rejected incoming connection"); 931 /* we change state little bit early so btm_sec_connected() will originate connection */ 932 /* when existing ACL link is down completely */ 933 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ); 934 } 935 /* if we already accepted incoming connection from pairing device */ 936 else if (p_dev_rec->sm4 & BTM_SM4_CONN_PEND) 937 { 938 BTM_TRACE_WARNING ("BTM_PINCodeReply(): link is connecting so wait pin code request from peer"); 939 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ); 940 } 941 else if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED) 942 { 943 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 944 p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_AUTHED; 945 946 if (btm_cb.api.p_auth_complete_callback) 947 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class, 948 p_dev_rec->sec_bd_name, HCI_ERR_AUTH_FAILURE); 949 } 950 return; 951 } 952 953 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE); 954 btm_cb.acl_disc_reason = HCI_SUCCESS; 955 956 #ifdef PORCHE_PAIRING_CONFLICT 957 BTM_TRACE_EVENT("BTM_PINCodeReply(): Saving pin_len: %d btm_cb.pin_code_len: %d", pin_len, btm_cb.pin_code_len); 958 /* if this was not pre-fetched, save the PIN */ 959 if (btm_cb.pin_code_len == 0) 960 memcpy (btm_cb.pin_code, p_pin, pin_len); 961 btm_cb.pin_code_len_saved = pin_len; 962 #endif 963 btsnd_hcic_pin_code_req_reply (bd_addr, pin_len, p_pin); 964 } 965 966 /******************************************************************************* 967 ** 968 ** Function btm_sec_bond_by_transport 969 ** 970 ** Description this is the bond function that will start either SSP or SMP. 971 ** 972 ** Parameters: bd_addr - Address of the device to bond 973 ** pin_len - length in bytes of the PIN Code 974 ** p_pin - pointer to array with the PIN Code 975 ** trusted_mask - bitwise OR of trusted services (array of UINT32) 976 ** 977 ** Note: After 2.1 parameters are not used and preserved here not to change API 978 *******************************************************************************/ 979 tBTM_STATUS btm_sec_bond_by_transport (BD_ADDR bd_addr, tBT_TRANSPORT transport, 980 UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[]) 981 { 982 tBTM_SEC_DEV_REC *p_dev_rec; 983 tBTM_STATUS status; 984 UINT8 *p_features; 985 UINT8 ii; 986 tACL_CONN *p= btm_bda_to_acl(bd_addr, transport); 987 BTM_TRACE_API ("btm_sec_bond_by_transport BDA: %02x:%02x:%02x:%02x:%02x:%02x", 988 bd_addr[0], bd_addr[1], bd_addr[2], bd_addr[3], bd_addr[4], bd_addr[5]); 989 990 BTM_TRACE_DEBUG("btm_sec_bond_by_transport: Transport used %d" , transport); 991 992 993 /* Other security process is in progress */ 994 if (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) 995 { 996 BTM_TRACE_ERROR ("BTM_SecBond: already busy in state: %s", btm_pair_state_descr(btm_cb.pairing_state)); 997 return(BTM_WRONG_MODE); 998 } 999 1000 if ((p_dev_rec = btm_find_or_alloc_dev (bd_addr)) == NULL) 1001 { 1002 return(BTM_NO_RESOURCES); 1003 } 1004 1005 BTM_TRACE_DEBUG ("before update sec_flags=0x%x", p_dev_rec->sec_flags); 1006 1007 /* Finished if connection is active and already paired */ 1008 if ( ((p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE) && transport == BT_TRANSPORT_BR_EDR 1009 && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)) 1010 #if (BLE_INCLUDED == TRUE) 1011 ||((p_dev_rec->ble_hci_handle != BTM_SEC_INVALID_HANDLE) && transport == BT_TRANSPORT_LE 1012 && (p_dev_rec->sec_flags & BTM_SEC_LE_AUTHENTICATED)) 1013 #endif 1014 1015 ) 1016 { 1017 BTM_TRACE_WARNING("BTM_SecBond -> Already Paired"); 1018 return(BTM_SUCCESS); 1019 } 1020 1021 /* Tell controller to get rid of the link key if it has one stored */ 1022 if ((BTM_DeleteStoredLinkKey (bd_addr, NULL)) != BTM_SUCCESS) 1023 return(BTM_NO_RESOURCES); 1024 1025 /* Save the PIN code if we got a valid one */ 1026 if (p_pin && (pin_len <= PIN_CODE_LEN) && (pin_len != 0)) 1027 { 1028 btm_cb.pin_code_len = pin_len; 1029 p_dev_rec->pin_code_length = pin_len; 1030 memcpy (btm_cb.pin_code, p_pin, PIN_CODE_LEN); 1031 } 1032 1033 memcpy (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN); 1034 1035 btm_cb.pairing_flags = BTM_PAIR_FLAGS_WE_STARTED_DD; 1036 1037 p_dev_rec->security_required = BTM_SEC_OUT_AUTHENTICATE; 1038 p_dev_rec->is_originator = TRUE; 1039 if (trusted_mask) 1040 BTM_SEC_COPY_TRUSTED_DEVICE(trusted_mask, p_dev_rec->trusted_mask); 1041 1042 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE 1043 if (transport == BT_TRANSPORT_LE) 1044 { 1045 btm_ble_init_pseudo_addr (p_dev_rec, bd_addr); 1046 p_dev_rec->sec_flags &= ~ BTM_SEC_LE_MASK; 1047 1048 if (SMP_Pair(bd_addr) == SMP_STARTED) 1049 { 1050 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_LE_ACTIVE; 1051 p_dev_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING; 1052 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE); 1053 return BTM_CMD_STARTED; 1054 } 1055 1056 btm_cb.pairing_flags = 0; 1057 return(BTM_NO_RESOURCES); 1058 } 1059 #endif 1060 1061 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED 1062 | BTM_SEC_ROLE_SWITCHED | BTM_SEC_LINK_KEY_AUTHED); 1063 1064 1065 BTM_TRACE_DEBUG ("after update sec_flags=0x%x", p_dev_rec->sec_flags); 1066 if (!controller_get_interface()->supports_simple_pairing()) 1067 { 1068 /* The special case when we authenticate keyboard. Set pin type to fixed */ 1069 /* It would be probably better to do it from the application, but it is */ 1070 /* complicated */ 1071 if (((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) == BTM_COD_MAJOR_PERIPHERAL) 1072 && (p_dev_rec->dev_class[2] & BTM_COD_MINOR_KEYBOARD) 1073 && (btm_cb.cfg.pin_type != HCI_PIN_TYPE_FIXED)) 1074 { 1075 btm_cb.pin_type_changed = TRUE; 1076 btsnd_hcic_write_pin_type (HCI_PIN_TYPE_FIXED); 1077 } 1078 } 1079 1080 for (ii = 0; ii <= HCI_EXT_FEATURES_PAGE_MAX; ii++) 1081 { 1082 p_features = p_dev_rec->features[ii]; 1083 BTM_TRACE_EVENT(" remote_features page[%1d] = %02x-%02x-%02x-%02x", 1084 ii, p_features[0], p_features[1], p_features[2], p_features[3]); 1085 BTM_TRACE_EVENT(" %02x-%02x-%02x-%02x", 1086 p_features[4], p_features[5], p_features[6], p_features[7]); 1087 } 1088 1089 BTM_TRACE_EVENT ("BTM_SecBond: Remote sm4: 0x%x HCI Handle: 0x%04x", p_dev_rec->sm4, p_dev_rec->hci_handle); 1090 1091 #if BTM_SEC_FORCE_RNR_FOR_DBOND == TRUE 1092 p_dev_rec->sec_flags &= ~BTM_SEC_NAME_KNOWN; 1093 #endif 1094 1095 /* If connection already exists... */ 1096 if (p && p->hci_handle != BTM_SEC_INVALID_HANDLE) 1097 { 1098 if (!btm_sec_start_authentication (p_dev_rec)) 1099 return(BTM_NO_RESOURCES); 1100 1101 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ); 1102 1103 /* Mark lcb as bonding */ 1104 l2cu_update_lcb_4_bonding (bd_addr, TRUE); 1105 return(BTM_CMD_STARTED); 1106 } 1107 1108 BTM_TRACE_DEBUG ("sec mode: %d sm4:x%x", btm_cb.security_mode, p_dev_rec->sm4); 1109 if (!controller_get_interface()->supports_simple_pairing() 1110 || (p_dev_rec->sm4 == BTM_SM4_KNOWN)) 1111 { 1112 if ( btm_sec_check_prefetch_pin (p_dev_rec) ) 1113 return (BTM_CMD_STARTED); 1114 } 1115 if ((btm_cb.security_mode == BTM_SEC_MODE_SP || 1116 btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG || 1117 btm_cb.security_mode == BTM_SEC_MODE_SC) && 1118 BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4)) 1119 { 1120 /* local is 2.1 and peer is unknown */ 1121 if ((p_dev_rec->sm4 & BTM_SM4_CONN_PEND) == 0) 1122 { 1123 /* we are not accepting connection request from peer 1124 * -> RNR (to learn if peer is 2.1) 1125 * RNR when no ACL causes HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT */ 1126 btm_sec_change_pairing_state (BTM_PAIR_STATE_GET_REM_NAME); 1127 BTM_ReadRemoteDeviceName(bd_addr, NULL, BT_TRANSPORT_BR_EDR); 1128 } 1129 else 1130 { 1131 /* We are accepting connection request from peer */ 1132 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ); 1133 } 1134 BTM_TRACE_DEBUG ("State:%s sm4: 0x%x sec_state:%d", 1135 btm_pair_state_descr (btm_cb.pairing_state), p_dev_rec->sm4, p_dev_rec->sec_state); 1136 return BTM_CMD_STARTED; 1137 } 1138 1139 /* both local and peer are 2.1 */ 1140 status = btm_sec_dd_create_conn(p_dev_rec); 1141 1142 if (status != BTM_CMD_STARTED) 1143 { 1144 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 1145 } 1146 1147 return status; 1148 } 1149 1150 /******************************************************************************* 1151 ** 1152 ** Function BTM_SecBondByTransport 1153 ** 1154 ** Description This function is called to perform bonding with peer device. 1155 ** If the connection is already up, but not secure, pairing 1156 ** is attempted. If already paired BTM_SUCCESS is returned. 1157 ** 1158 ** Parameters: bd_addr - Address of the device to bond 1159 ** transport - doing SSP over BR/EDR or SMP over LE 1160 ** pin_len - length in bytes of the PIN Code 1161 ** p_pin - pointer to array with the PIN Code 1162 ** trusted_mask - bitwise OR of trusted services (array of UINT32) 1163 ** 1164 ** Note: After 2.1 parameters are not used and preserved here not to change API 1165 *******************************************************************************/ 1166 tBTM_STATUS BTM_SecBondByTransport (BD_ADDR bd_addr, tBT_TRANSPORT transport, 1167 UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[]) 1168 { 1169 #if SMP_INCLUDED == TRUE 1170 tBT_DEVICE_TYPE dev_type; 1171 tBLE_ADDR_TYPE addr_type; 1172 1173 BTM_ReadDevInfo(bd_addr, &dev_type, &addr_type); 1174 /* LE device, do SMP pairing */ 1175 if ((transport == BT_TRANSPORT_LE && (dev_type & BT_DEVICE_TYPE_BLE) == 0) || 1176 (transport == BT_TRANSPORT_BR_EDR && (dev_type & BT_DEVICE_TYPE_BREDR) == 0)) 1177 { 1178 return BTM_ILLEGAL_ACTION; 1179 } 1180 #endif 1181 return btm_sec_bond_by_transport(bd_addr, transport, pin_len, p_pin, trusted_mask); 1182 } 1183 1184 /******************************************************************************* 1185 ** 1186 ** Function BTM_SecBond 1187 ** 1188 ** Description This function is called to perform bonding with peer device. 1189 ** If the connection is already up, but not secure, pairing 1190 ** is attempted. If already paired BTM_SUCCESS is returned. 1191 ** 1192 ** Parameters: bd_addr - Address of the device to bond 1193 ** pin_len - length in bytes of the PIN Code 1194 ** p_pin - pointer to array with the PIN Code 1195 ** trusted_mask - bitwise OR of trusted services (array of UINT32) 1196 ** 1197 ** Note: After 2.1 parameters are not used and preserved here not to change API 1198 *******************************************************************************/ 1199 tBTM_STATUS BTM_SecBond (BD_ADDR bd_addr, UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[]) 1200 { 1201 tBT_TRANSPORT transport = BT_TRANSPORT_BR_EDR; 1202 #if BLE_INCLUDED == TRUE 1203 if (BTM_UseLeLink(bd_addr)) 1204 transport = BT_TRANSPORT_LE; 1205 #endif 1206 return btm_sec_bond_by_transport(bd_addr, transport, pin_len, p_pin, trusted_mask); 1207 } 1208 /******************************************************************************* 1209 ** 1210 ** Function BTM_SecBondCancel 1211 ** 1212 ** Description This function is called to cancel ongoing bonding process 1213 ** with peer device. 1214 ** 1215 ** Parameters: bd_addr - Address of the peer device 1216 ** transport - FALSE for BR/EDR link; TRUE for LE link 1217 ** 1218 *******************************************************************************/ 1219 tBTM_STATUS BTM_SecBondCancel (BD_ADDR bd_addr) 1220 { 1221 tBTM_SEC_DEV_REC *p_dev_rec; 1222 1223 BTM_TRACE_API ("BTM_SecBondCancel() State: %s flags:0x%x", 1224 btm_pair_state_descr (btm_cb.pairing_state), btm_cb.pairing_flags); 1225 1226 if (((p_dev_rec = btm_find_dev (bd_addr)) == NULL) 1227 || (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) ) 1228 return BTM_UNKNOWN_ADDR; 1229 1230 #if SMP_INCLUDED == TRUE 1231 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_LE_ACTIVE) 1232 { 1233 if (p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING) 1234 { 1235 BTM_TRACE_DEBUG ("Cancel LE pairing"); 1236 if (SMP_PairCancel(bd_addr)) 1237 { 1238 return BTM_CMD_STARTED; 1239 } 1240 } 1241 return BTM_WRONG_MODE; 1242 } 1243 1244 #endif 1245 BTM_TRACE_DEBUG ("hci_handle:0x%x sec_state:%d", p_dev_rec->hci_handle, p_dev_rec->sec_state ); 1246 if (BTM_PAIR_STATE_WAIT_LOCAL_PIN == btm_cb.pairing_state && 1247 BTM_PAIR_FLAGS_WE_STARTED_DD & btm_cb.pairing_flags) 1248 { 1249 /* pre-fetching pin for dedicated bonding */ 1250 btm_sec_bond_cancel_complete(); 1251 return BTM_SUCCESS; 1252 } 1253 1254 /* If this BDA is in a bonding procedure */ 1255 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) 1256 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)) 1257 { 1258 /* If the HCI link is up */ 1259 if (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE) 1260 { 1261 /* If some other thread disconnecting, we do not send second command */ 1262 if ((p_dev_rec->sec_state == BTM_SEC_STATE_DISCONNECTING) || 1263 (p_dev_rec->sec_state == BTM_SEC_STATE_DISCONNECTING_BOTH)) 1264 return(BTM_CMD_STARTED); 1265 1266 /* If the HCI link was set up by Bonding process */ 1267 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE) 1268 return btm_sec_send_hci_disconnect(p_dev_rec, HCI_ERR_PEER_USER, p_dev_rec->hci_handle); 1269 else 1270 l2cu_update_lcb_4_bonding(bd_addr, FALSE); 1271 1272 return BTM_NOT_AUTHORIZED; 1273 } 1274 else /*HCI link is not up */ 1275 { 1276 /* If the HCI link creation was started by Bonding process */ 1277 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE) 1278 { 1279 if (btsnd_hcic_create_conn_cancel(bd_addr)) 1280 return BTM_CMD_STARTED; 1281 1282 return BTM_NO_RESOURCES; 1283 } 1284 if (btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME) 1285 { 1286 BTM_CancelRemoteDeviceName(); 1287 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_WE_CANCEL_DD; 1288 return BTM_CMD_STARTED; 1289 } 1290 return BTM_NOT_AUTHORIZED; 1291 } 1292 } 1293 1294 return BTM_WRONG_MODE; 1295 } 1296 1297 /******************************************************************************* 1298 ** 1299 ** Function BTM_SecGetDeviceLinkKey 1300 ** 1301 ** Description This function is called to obtain link key for the device 1302 ** it returns BTM_SUCCESS if link key is available, or 1303 ** BTM_UNKNOWN_ADDR if Security Manager does not know about 1304 ** the device or device record does not contain link key info 1305 ** 1306 ** Parameters: bd_addr - Address of the device 1307 ** link_key - Link Key is copied into this array 1308 ** 1309 *******************************************************************************/ 1310 tBTM_STATUS BTM_SecGetDeviceLinkKey (BD_ADDR bd_addr, LINK_KEY link_key) 1311 { 1312 tBTM_SEC_DEV_REC *p_dev_rec; 1313 1314 if (((p_dev_rec = btm_find_dev (bd_addr)) != NULL) 1315 && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)) 1316 { 1317 memcpy (link_key, p_dev_rec->link_key, LINK_KEY_LEN); 1318 return(BTM_SUCCESS); 1319 } 1320 return(BTM_UNKNOWN_ADDR); 1321 } 1322 1323 /******************************************************************************* 1324 ** 1325 ** Function BTM_SecGetDeviceLinkKeyType 1326 ** 1327 ** Description This function is called to obtain link key type for the 1328 ** device. 1329 ** it returns BTM_SUCCESS if link key is available, or 1330 ** BTM_UNKNOWN_ADDR if Security Manager does not know about 1331 ** the device or device record does not contain link key info 1332 ** 1333 ** Returns BTM_LKEY_TYPE_IGNORE if link key is unknown, link type 1334 ** otherwise. 1335 ** 1336 *******************************************************************************/ 1337 tBTM_LINK_KEY_TYPE BTM_SecGetDeviceLinkKeyType (BD_ADDR bd_addr) 1338 { 1339 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr); 1340 1341 if ((p_dev_rec != NULL) && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)) 1342 { 1343 return p_dev_rec->link_key_type; 1344 } 1345 return BTM_LKEY_TYPE_IGNORE; 1346 } 1347 1348 /******************************************************************************* 1349 ** 1350 ** Function BTM_SetEncryption 1351 ** 1352 ** Description This function is called to ensure that connection is 1353 ** encrypted. Should be called only on an open connection. 1354 ** Typically only needed for connections that first want to 1355 ** bring up unencrypted links, then later encrypt them. 1356 ** 1357 ** Parameters: bd_addr - Address of the peer device 1358 ** p_callback - Pointer to callback function called if 1359 ** this function returns PENDING after required 1360 ** procedures are completed. Can be set to NULL 1361 ** if status is not desired. 1362 ** p_ref_data - pointer to any data the caller wishes to receive 1363 ** in the callback function upon completion. 1364 * can be set to NULL if not used. 1365 ** transport - TRUE to encryption the link over LE transport 1366 ** or FALSE for BR/EDR transport 1367 ** 1368 ** Returns BTM_SUCCESS - already encrypted 1369 ** BTM_PENDING - command will be returned in the callback 1370 ** BTM_WRONG_MODE- connection not up. 1371 ** BTM_BUSY - security procedures are currently active 1372 ** BTM_MODE_UNSUPPORTED - if security manager not linked in. 1373 ** 1374 *******************************************************************************/ 1375 tBTM_STATUS BTM_SetEncryption (BD_ADDR bd_addr, tBT_TRANSPORT transport, tBTM_SEC_CBACK *p_callback, 1376 void *p_ref_data) 1377 { 1378 tBTM_STATUS rc = 0; 1379 1380 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr); 1381 if (!p_dev_rec || 1382 (transport == BT_TRANSPORT_BR_EDR && p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE) 1383 #if BLE_INCLUDED == TRUE 1384 || (transport == BT_TRANSPORT_LE && p_dev_rec->ble_hci_handle == BTM_SEC_INVALID_HANDLE) 1385 #endif 1386 ) 1387 { 1388 /* Connection should be up and runnning */ 1389 BTM_TRACE_WARNING ("Security Manager: BTM_SetEncryption not connected"); 1390 1391 if (p_callback) 1392 (*p_callback) (bd_addr, transport, p_ref_data, BTM_WRONG_MODE); 1393 1394 return(BTM_WRONG_MODE); 1395 } 1396 1397 if ((transport == BT_TRANSPORT_BR_EDR && 1398 (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)) 1399 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE 1400 || (transport == BT_TRANSPORT_LE && 1401 (p_dev_rec->sec_flags & BTM_SEC_LE_ENCRYPTED)) 1402 #endif 1403 ) 1404 { 1405 BTM_TRACE_EVENT ("Security Manager: BTM_SetEncryption already encrypted"); 1406 1407 if (p_callback) 1408 (*p_callback) (bd_addr, transport, p_ref_data, BTM_SUCCESS); 1409 1410 return(BTM_SUCCESS); 1411 } 1412 1413 /* enqueue security request if security is active */ 1414 if (p_dev_rec->p_callback || (p_dev_rec->sec_state != BTM_SEC_STATE_IDLE)) 1415 { 1416 BTM_TRACE_WARNING ("Security Manager: BTM_SetEncryption busy, enqueue request"); 1417 1418 if (btm_sec_queue_encrypt_request(bd_addr, transport, p_callback, p_ref_data)) 1419 { 1420 return BTM_CMD_STARTED; 1421 } 1422 else 1423 { 1424 if (p_callback) 1425 (*p_callback) (bd_addr, transport, p_ref_data, BTM_NO_RESOURCES); 1426 return BTM_NO_RESOURCES; 1427 } 1428 } 1429 1430 p_dev_rec->p_callback = p_callback; 1431 p_dev_rec->p_ref_data = p_ref_data; 1432 p_dev_rec->security_required |= (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT); 1433 p_dev_rec->is_originator = FALSE; 1434 1435 BTM_TRACE_API ("Security Manager: BTM_SetEncryption Handle:%d State:%d Flags:0x%x Required:0x%x", 1436 p_dev_rec->hci_handle, p_dev_rec->sec_state, p_dev_rec->sec_flags, 1437 p_dev_rec->security_required); 1438 1439 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE 1440 if (transport == BT_TRANSPORT_LE) 1441 { 1442 tACL_CONN *p = btm_bda_to_acl(bd_addr, transport); 1443 if (p) 1444 { 1445 rc = btm_ble_set_encryption(bd_addr, p_ref_data, p->link_role); 1446 } 1447 else 1448 { 1449 rc = BTM_WRONG_MODE; 1450 BTM_TRACE_WARNING("%s: cannot call btm_ble_set_encryption, p is NULL", __FUNCTION__); 1451 } 1452 } 1453 else 1454 #endif 1455 rc = btm_sec_execute_procedure (p_dev_rec); 1456 1457 if (rc != BTM_CMD_STARTED && rc != BTM_BUSY) 1458 { 1459 if (p_callback) 1460 { 1461 p_dev_rec->p_callback = NULL; 1462 (*p_callback) (bd_addr, transport, p_dev_rec->p_ref_data, rc); 1463 } 1464 } 1465 1466 return(rc); 1467 } 1468 1469 /******************************************************************************* 1470 * disconnect the ACL link, if it's not done yet. 1471 *******************************************************************************/ 1472 static tBTM_STATUS btm_sec_send_hci_disconnect (tBTM_SEC_DEV_REC *p_dev_rec, UINT8 reason, UINT16 conn_handle) 1473 { 1474 UINT8 old_state = p_dev_rec->sec_state; 1475 tBTM_STATUS status = BTM_CMD_STARTED; 1476 1477 BTM_TRACE_EVENT ("btm_sec_send_hci_disconnect: handle:0x%x, reason=0x%x", 1478 conn_handle, reason); 1479 1480 /* send HCI_Disconnect on a transport only once */ 1481 switch (old_state) 1482 { 1483 case BTM_SEC_STATE_DISCONNECTING: 1484 if (conn_handle == p_dev_rec->hci_handle) 1485 return status; 1486 1487 p_dev_rec->sec_state = BTM_SEC_STATE_DISCONNECTING_BOTH; 1488 break; 1489 1490 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE 1491 case BTM_SEC_STATE_DISCONNECTING_BLE: 1492 if (conn_handle == p_dev_rec->ble_hci_handle) 1493 return status; 1494 1495 p_dev_rec->sec_state = BTM_SEC_STATE_DISCONNECTING_BOTH; 1496 break; 1497 1498 case BTM_SEC_STATE_DISCONNECTING_BOTH: 1499 return status; 1500 #endif 1501 1502 default: 1503 p_dev_rec->sec_state = (conn_handle == p_dev_rec->hci_handle) ? 1504 BTM_SEC_STATE_DISCONNECTING : BTM_SEC_STATE_DISCONNECTING_BLE; 1505 1506 break; 1507 } 1508 1509 /* If a role switch is in progress, delay the HCI Disconnect to avoid controller problem */ 1510 if (p_dev_rec->rs_disc_pending == BTM_SEC_RS_PENDING && p_dev_rec->hci_handle == conn_handle) 1511 { 1512 BTM_TRACE_DEBUG("RS in progress - Set DISC Pending flag in btm_sec_send_hci_disconnect to delay disconnect"); 1513 p_dev_rec->rs_disc_pending = BTM_SEC_DISC_PENDING; 1514 status = BTM_SUCCESS; 1515 } 1516 /* Tear down the HCI link */ 1517 else if (!btsnd_hcic_disconnect (conn_handle, reason)) 1518 { 1519 /* could not send disconnect. restore old state */ 1520 p_dev_rec->sec_state = old_state; 1521 status = BTM_NO_RESOURCES; 1522 } 1523 1524 return status; 1525 } 1526 1527 /******************************************************************************* 1528 ** 1529 ** Function BTM_ConfirmReqReply 1530 ** 1531 ** Description This function is called to confirm the numeric value for 1532 ** Simple Pairing in response to BTM_SP_CFM_REQ_EVT 1533 ** 1534 ** Parameters: res - result of the operation BTM_SUCCESS if success 1535 ** bd_addr - Address of the peer device 1536 ** 1537 *******************************************************************************/ 1538 void BTM_ConfirmReqReply(tBTM_STATUS res, BD_ADDR bd_addr) 1539 { 1540 tBTM_SEC_DEV_REC *p_dev_rec; 1541 1542 BTM_TRACE_EVENT ("BTM_ConfirmReqReply() State: %s Res: %u", 1543 btm_pair_state_descr(btm_cb.pairing_state), res); 1544 1545 /* If timeout already expired or has been canceled, ignore the reply */ 1546 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM) 1547 || (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) ) 1548 return; 1549 1550 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE); 1551 1552 if ( (res == BTM_SUCCESS) || (res == BTM_SUCCESS_NO_SECURITY) ) 1553 { 1554 btm_cb.acl_disc_reason = HCI_SUCCESS; 1555 1556 if (res == BTM_SUCCESS) 1557 { 1558 if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL) 1559 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED; 1560 p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED; 1561 } 1562 1563 btsnd_hcic_user_conf_reply (bd_addr, TRUE); 1564 } 1565 else 1566 { 1567 /* Report authentication failed event from state BTM_PAIR_STATE_WAIT_AUTH_COMPLETE */ 1568 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY; 1569 btsnd_hcic_user_conf_reply (bd_addr, FALSE); 1570 } 1571 } 1572 1573 /******************************************************************************* 1574 ** 1575 ** Function BTM_PasskeyReqReply 1576 ** 1577 ** Description This function is called to provide the passkey for 1578 ** Simple Pairing in response to BTM_SP_KEY_REQ_EVT 1579 ** 1580 ** Parameters: res - result of the operation BTM_SUCCESS if success 1581 ** bd_addr - Address of the peer device 1582 ** passkey - numeric value in the range of 1583 ** BTM_MIN_PASSKEY_VAL(0) - BTM_MAX_PASSKEY_VAL(999999(0xF423F)). 1584 ** 1585 *******************************************************************************/ 1586 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE) 1587 void BTM_PasskeyReqReply(tBTM_STATUS res, BD_ADDR bd_addr, UINT32 passkey) 1588 { 1589 BTM_TRACE_API ("BTM_PasskeyReqReply: State: %s res:%d", 1590 btm_pair_state_descr(btm_cb.pairing_state), res); 1591 1592 if ( (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE) 1593 || (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) ) 1594 { 1595 return; 1596 } 1597 1598 /* If timeout already expired or has been canceled, ignore the reply */ 1599 if ( (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_AUTH_COMPLETE) && (res != BTM_SUCCESS) ) 1600 { 1601 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr); 1602 if (p_dev_rec != NULL) 1603 { 1604 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY; 1605 1606 if (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE) 1607 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE, p_dev_rec->hci_handle); 1608 else 1609 BTM_SecBondCancel(bd_addr); 1610 1611 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_AUTHED | BTM_SEC_LINK_KEY_KNOWN); 1612 1613 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 1614 return; 1615 } 1616 } 1617 else if (btm_cb.pairing_state != BTM_PAIR_STATE_KEY_ENTRY) 1618 return; 1619 1620 if (passkey > BTM_MAX_PASSKEY_VAL) 1621 res = BTM_ILLEGAL_VALUE; 1622 1623 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE); 1624 1625 if (res != BTM_SUCCESS) 1626 { 1627 /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed event */ 1628 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY; 1629 btsnd_hcic_user_passkey_neg_reply (bd_addr); 1630 } else { 1631 btm_cb.acl_disc_reason = HCI_SUCCESS; 1632 btsnd_hcic_user_passkey_reply (bd_addr, passkey); 1633 } 1634 } 1635 #endif 1636 1637 /******************************************************************************* 1638 ** 1639 ** Function BTM_SendKeypressNotif 1640 ** 1641 ** Description This function is used during the passkey entry model 1642 ** by a device with KeyboardOnly IO capabilities 1643 ** (very likely to be a HID Device). 1644 ** It is called by a HID Device to inform the remote device when 1645 ** a key has been entered or erased. 1646 ** 1647 ** Parameters: bd_addr - Address of the peer device 1648 ** type - notification type 1649 ** 1650 *******************************************************************************/ 1651 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE) 1652 void BTM_SendKeypressNotif(BD_ADDR bd_addr, tBTM_SP_KEY_TYPE type) 1653 { 1654 /* This API only make sense between PASSKEY_REQ and SP complete */ 1655 if (btm_cb.pairing_state == BTM_PAIR_STATE_KEY_ENTRY) 1656 btsnd_hcic_send_keypress_notif (bd_addr, type); 1657 } 1658 #endif 1659 1660 #if BTM_OOB_INCLUDED == TRUE 1661 /******************************************************************************* 1662 ** 1663 ** Function BTM_IoCapRsp 1664 ** 1665 ** Description This function is called in response to BTM_SP_IO_REQ_EVT 1666 ** When the event data io_req.oob_data is set to BTM_OOB_UNKNOWN 1667 ** by the tBTM_SP_CALLBACK implementation, this function is 1668 ** called to provide the actual response 1669 ** 1670 ** Parameters: bd_addr - Address of the peer device 1671 ** io_cap - The IO capability of local device. 1672 ** oob - BTM_OOB_NONE or BTM_OOB_PRESENT. 1673 ** auth_req- MITM protection required or not. 1674 ** 1675 *******************************************************************************/ 1676 void BTM_IoCapRsp(BD_ADDR bd_addr, tBTM_IO_CAP io_cap, tBTM_OOB_DATA oob, tBTM_AUTH_REQ auth_req) 1677 { 1678 BTM_TRACE_EVENT ("BTM_IoCapRsp: state: %s oob: %d io_cap: %d", 1679 btm_pair_state_descr(btm_cb.pairing_state), oob, io_cap); 1680 1681 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS) 1682 || (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) ) 1683 return; 1684 1685 if (oob < BTM_OOB_UNKNOWN && io_cap < BTM_IO_CAP_MAX) 1686 { 1687 btm_cb.devcb.loc_auth_req = auth_req; 1688 btm_cb.devcb.loc_io_caps = io_cap; 1689 1690 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) 1691 auth_req = (BTM_AUTH_DD_BOND | (auth_req&BTM_AUTH_YN_BIT)); 1692 1693 btsnd_hcic_io_cap_req_reply (bd_addr, io_cap, oob, auth_req); 1694 } 1695 } 1696 1697 /******************************************************************************* 1698 ** 1699 ** Function BTM_ReadLocalOobData 1700 ** 1701 ** Description This function is called to read the local OOB data from 1702 ** LM 1703 ** 1704 *******************************************************************************/ 1705 tBTM_STATUS BTM_ReadLocalOobData(void) 1706 { 1707 tBTM_STATUS status = BTM_SUCCESS; 1708 1709 if (btsnd_hcic_read_local_oob_data() == FALSE) 1710 status = BTM_NO_RESOURCES; 1711 1712 return status; 1713 } 1714 1715 /******************************************************************************* 1716 ** 1717 ** Function BTM_RemoteOobDataReply 1718 ** 1719 ** Description This function is called to provide the remote OOB data for 1720 ** Simple Pairing in response to BTM_SP_RMT_OOB_EVT 1721 ** 1722 ** Parameters: bd_addr - Address of the peer device 1723 ** c - simple pairing Hash C. 1724 ** r - simple pairing Randomizer C. 1725 ** 1726 *******************************************************************************/ 1727 void BTM_RemoteOobDataReply(tBTM_STATUS res, BD_ADDR bd_addr, BT_OCTET16 c, BT_OCTET16 r) 1728 { 1729 BTM_TRACE_EVENT ("%s() - State: %s res: %d", __func__, 1730 btm_pair_state_descr(btm_cb.pairing_state), res); 1731 1732 /* If timeout already expired or has been canceled, ignore the reply */ 1733 if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP) 1734 return; 1735 1736 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE); 1737 1738 if (res != BTM_SUCCESS) 1739 { 1740 /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed event */ 1741 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY; 1742 btsnd_hcic_rem_oob_neg_reply (bd_addr); 1743 } else { 1744 btm_cb.acl_disc_reason = HCI_SUCCESS; 1745 btsnd_hcic_rem_oob_reply (bd_addr, c, r); 1746 } 1747 } 1748 1749 /******************************************************************************* 1750 ** 1751 ** Function BTM_BuildOobData 1752 ** 1753 ** Description This function is called to build the OOB data payload to 1754 ** be sent over OOB (non-Bluetooth) link 1755 ** 1756 ** Parameters: p_data - the location for OOB data 1757 ** max_len - p_data size. 1758 ** c - simple pairing Hash C. 1759 ** r - simple pairing Randomizer C. 1760 ** name_len- 0, local device name would not be included. 1761 ** otherwise, the local device name is included for 1762 ** up to this specified length 1763 ** 1764 ** Returns Number of bytes in p_data. 1765 ** 1766 *******************************************************************************/ 1767 UINT16 BTM_BuildOobData(UINT8 *p_data, UINT16 max_len, BT_OCTET16 c, 1768 BT_OCTET16 r, UINT8 name_len) 1769 { 1770 UINT8 *p = p_data; 1771 UINT16 len = 0; 1772 #if BTM_MAX_LOC_BD_NAME_LEN > 0 1773 UINT16 name_size; 1774 UINT8 name_type = BTM_EIR_SHORTENED_LOCAL_NAME_TYPE; 1775 #endif 1776 1777 if (p_data && max_len >= BTM_OOB_MANDATORY_SIZE) 1778 { 1779 /* add mandatory part */ 1780 UINT16_TO_STREAM(p, len); 1781 BDADDR_TO_STREAM(p, controller_get_interface()->get_address()->address); 1782 1783 len = BTM_OOB_MANDATORY_SIZE; 1784 max_len -= len; 1785 1786 /* now optional part */ 1787 1788 /* add Hash C */ 1789 UINT16 delta = BTM_OOB_HASH_C_SIZE + 2; 1790 if (max_len >= delta) 1791 { 1792 *p++ = BTM_OOB_HASH_C_SIZE + 1; 1793 *p++ = BTM_EIR_OOB_SSP_HASH_C_TYPE; 1794 ARRAY_TO_STREAM(p, c, BTM_OOB_HASH_C_SIZE); 1795 len += delta; 1796 max_len -= delta; 1797 } 1798 1799 /* add Rand R */ 1800 delta = BTM_OOB_RAND_R_SIZE + 2; 1801 if (max_len >= delta) 1802 { 1803 *p++ = BTM_OOB_RAND_R_SIZE + 1; 1804 *p++ = BTM_EIR_OOB_SSP_RAND_R_TYPE; 1805 ARRAY_TO_STREAM(p, r, BTM_OOB_RAND_R_SIZE); 1806 len += delta; 1807 max_len -= delta; 1808 } 1809 1810 /* add class of device */ 1811 delta = BTM_OOB_COD_SIZE + 2; 1812 if (max_len >= delta) 1813 { 1814 *p++ = BTM_OOB_COD_SIZE + 1; 1815 *p++ = BTM_EIR_OOB_COD_TYPE; 1816 DEVCLASS_TO_STREAM(p, btm_cb.devcb.dev_class); 1817 len += delta; 1818 max_len -= delta; 1819 } 1820 #if BTM_MAX_LOC_BD_NAME_LEN > 0 1821 name_size = name_len; 1822 if (name_size > strlen(btm_cb.cfg.bd_name)) 1823 { 1824 name_type = BTM_EIR_COMPLETE_LOCAL_NAME_TYPE; 1825 name_size = (UINT16)strlen(btm_cb.cfg.bd_name); 1826 } 1827 delta = name_size + 2; 1828 if (max_len >= delta) 1829 { 1830 *p++ = name_size + 1; 1831 *p++ = name_type; 1832 ARRAY_TO_STREAM (p, btm_cb.cfg.bd_name, name_size); 1833 len += delta; 1834 max_len -= delta; 1835 } 1836 #endif 1837 /* update len */ 1838 p = p_data; 1839 UINT16_TO_STREAM(p, len); 1840 } 1841 return len; 1842 } 1843 1844 /******************************************************************************* 1845 ** 1846 ** Function BTM_BothEndsSupportSecureConnections 1847 ** 1848 ** Description This function is called to check if both the local device and the peer device 1849 ** specified by bd_addr support BR/EDR Secure Connections. 1850 ** 1851 ** Parameters: bd_addr - address of the peer 1852 ** 1853 ** Returns TRUE if BR/EDR Secure Connections are supported by both local 1854 ** and the remote device. 1855 ** else FALSE. 1856 ** 1857 *******************************************************************************/ 1858 BOOLEAN BTM_BothEndsSupportSecureConnections(BD_ADDR bd_addr) 1859 { 1860 return ((controller_get_interface()->supports_secure_connections()) && 1861 (BTM_PeerSupportsSecureConnections(bd_addr))); 1862 } 1863 1864 /******************************************************************************* 1865 ** 1866 ** Function BTM_PeerSupportsSecureConnections 1867 ** 1868 ** Description This function is called to check if the peer supports 1869 ** BR/EDR Secure Connections. 1870 ** 1871 ** Parameters: bd_addr - address of the peer 1872 ** 1873 ** Returns TRUE if BR/EDR Secure Connections are supported by the peer, 1874 ** else FALSE. 1875 ** 1876 *******************************************************************************/ 1877 BOOLEAN BTM_PeerSupportsSecureConnections(BD_ADDR bd_addr) 1878 { 1879 tBTM_SEC_DEV_REC *p_dev_rec; 1880 1881 if ((p_dev_rec = btm_find_dev(bd_addr)) == NULL) 1882 { 1883 BTM_TRACE_WARNING("%s: unknown BDA: %08x%04x", __FUNCTION__, 1884 (bd_addr[0]<<24) + (bd_addr[1]<<16) + (bd_addr[2]<<8) + bd_addr[3], 1885 (bd_addr[4]<< 8) + bd_addr[5]); 1886 return FALSE; 1887 } 1888 1889 return (p_dev_rec->remote_supports_secure_connections); 1890 } 1891 1892 /******************************************************************************* 1893 ** 1894 ** Function BTM_ReadOobData 1895 ** 1896 ** Description This function is called to parse the OOB data payload 1897 ** received over OOB (non-Bluetooth) link 1898 ** 1899 ** Parameters: p_data - the location for OOB data 1900 ** eir_tag - The associated EIR tag to read the data. 1901 ** *p_len(output) - the length of the data with the given tag. 1902 ** 1903 ** Returns the beginning of the data with the given tag. 1904 ** NULL, if the tag is not found. 1905 ** 1906 *******************************************************************************/ 1907 UINT8 * BTM_ReadOobData(UINT8 *p_data, UINT8 eir_tag, UINT8 *p_len) 1908 { 1909 UINT8 *p = p_data; 1910 UINT16 max_len; 1911 UINT8 len, type; 1912 UINT8 *p_ret = NULL; 1913 UINT8 ret_len = 0; 1914 1915 if (p_data) 1916 { 1917 STREAM_TO_UINT16(max_len, p); 1918 if (max_len >= BTM_OOB_MANDATORY_SIZE) 1919 { 1920 if (BTM_EIR_OOB_BD_ADDR_TYPE == eir_tag) 1921 { 1922 p_ret = p; /* the location for bd_addr */ 1923 ret_len = BTM_OOB_BD_ADDR_SIZE; 1924 } 1925 else 1926 { 1927 p += BD_ADDR_LEN; 1928 max_len -= BTM_OOB_MANDATORY_SIZE; 1929 /* now the optional data in EIR format */ 1930 while (max_len > 0) 1931 { 1932 len = *p++; /* tag data len + 1 */ 1933 type = *p++; 1934 if (eir_tag == type) 1935 { 1936 p_ret = p; 1937 ret_len = len - 1; 1938 break; 1939 } 1940 /* the data size of this tag is len + 1 (tag data len + 2) */ 1941 if (max_len > len) 1942 { 1943 max_len -= len; 1944 max_len--; 1945 len--; 1946 p += len; 1947 } 1948 else 1949 max_len = 0; 1950 } 1951 } 1952 } 1953 } 1954 1955 if (p_len) 1956 *p_len = ret_len; 1957 1958 return p_ret; 1959 } 1960 #endif 1961 1962 /******************************************************************************* 1963 ** 1964 ** Function BTM_SetOutService 1965 ** 1966 ** Description This function is called to set the service for 1967 ** outgoing connections. 1968 ** 1969 ** If the profile/application calls BTM_SetSecurityLevel 1970 ** before initiating a connection, this function does not 1971 ** need to be called. 1972 ** 1973 ** Returns void 1974 ** 1975 *******************************************************************************/ 1976 void BTM_SetOutService(BD_ADDR bd_addr, UINT8 service_id, UINT32 mx_chan_id) 1977 { 1978 tBTM_SEC_DEV_REC *p_dev_rec; 1979 tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0]; 1980 1981 btm_cb.p_out_serv = p_serv_rec; 1982 p_dev_rec = btm_find_dev (bd_addr); 1983 1984 for (int i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++) 1985 { 1986 if ((p_serv_rec->security_flags & BTM_SEC_IN_USE) 1987 && (p_serv_rec->service_id == service_id) 1988 && (p_serv_rec->orig_mx_chan_id == mx_chan_id)) 1989 { 1990 BTM_TRACE_API("BTM_SetOutService p_out_serv id %d, psm 0x%04x, proto_id %d, chan_id %d", 1991 p_serv_rec->service_id, p_serv_rec->psm, p_serv_rec->mx_proto_id, p_serv_rec->orig_mx_chan_id); 1992 btm_cb.p_out_serv = p_serv_rec; 1993 if (p_dev_rec) 1994 p_dev_rec->p_cur_service = p_serv_rec; 1995 break; 1996 } 1997 } 1998 } 1999 2000 /************************************************************************ 2001 ** I N T E R N A L F U N C T I O N S 2002 *************************************************************************/ 2003 /******************************************************************************* 2004 ** 2005 ** Function btm_sec_is_upgrade_possible 2006 ** 2007 ** Description This function returns TRUE if the existing link key 2008 ** can be upgraded or if the link key does not exist. 2009 ** 2010 ** Returns BOOLEAN 2011 ** 2012 *******************************************************************************/ 2013 static BOOLEAN btm_sec_is_upgrade_possible(tBTM_SEC_DEV_REC *p_dev_rec, BOOLEAN is_originator) 2014 { 2015 UINT16 mtm_check = is_originator ? BTM_SEC_OUT_MITM : BTM_SEC_IN_MITM; 2016 BOOLEAN is_possible = TRUE; 2017 2018 if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) 2019 { 2020 is_possible = FALSE; 2021 if(p_dev_rec->p_cur_service) 2022 { 2023 BTM_TRACE_DEBUG ("%s() id: %d, link_key_typet: %d, rmt_io_caps: %d, chk flags: 0x%x, flags: 0x%x", 2024 __func__, p_dev_rec->p_cur_service->service_id, p_dev_rec->link_key_type, 2025 p_dev_rec->rmt_io_caps, mtm_check, p_dev_rec->p_cur_service->security_flags); 2026 } 2027 else 2028 { 2029 BTM_TRACE_DEBUG ("%s() link_key_typet: %d, rmt_io_caps: %d, chk flags: 0x%x", 2030 __func__, p_dev_rec->link_key_type, p_dev_rec->rmt_io_caps, mtm_check); 2031 } 2032 /* Already have a link key to the connected peer. Is the link key secure enough? 2033 ** Is a link key upgrade even possible? 2034 */ 2035 if ((p_dev_rec->security_required & mtm_check) /* needs MITM */ 2036 && ((p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB) || 2037 (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256)) 2038 /* has unauthenticated 2039 link key */ 2040 && (p_dev_rec->rmt_io_caps < BTM_IO_CAP_MAX) /* a valid peer IO cap */ 2041 && (btm_sec_io_map[p_dev_rec->rmt_io_caps][btm_cb.devcb.loc_io_caps])) 2042 /* authenticated 2043 link key is possible */ 2044 { 2045 /* upgrade is possible: check if the application wants the upgrade. 2046 * If the application is configured to use a global MITM flag, 2047 * it probably would not want to upgrade the link key based on the security level database */ 2048 is_possible = TRUE; 2049 } 2050 } 2051 BTM_TRACE_DEBUG ("%s() is_possible: %d sec_flags: 0x%x", __func__, is_possible, p_dev_rec->sec_flags); 2052 return is_possible; 2053 } 2054 2055 /******************************************************************************* 2056 ** 2057 ** Function btm_sec_check_upgrade 2058 ** 2059 ** Description This function is called to check if the existing link key 2060 ** needs to be upgraded. 2061 ** 2062 ** Returns void 2063 ** 2064 *******************************************************************************/ 2065 static void btm_sec_check_upgrade(tBTM_SEC_DEV_REC *p_dev_rec, BOOLEAN is_originator) 2066 { 2067 2068 BTM_TRACE_DEBUG ("%s()", __func__); 2069 2070 /* Only check if link key already exists */ 2071 if (!(p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)) 2072 return; 2073 2074 if (btm_sec_is_upgrade_possible (p_dev_rec, is_originator) == TRUE) 2075 { 2076 BTM_TRACE_DEBUG ("need upgrade!! sec_flags:0x%x", p_dev_rec->sec_flags); 2077 /* upgrade is possible: check if the application wants the upgrade. 2078 * If the application is configured to use a global MITM flag, 2079 * it probably would not want to upgrade the link key based on the security level database */ 2080 tBTM_SP_UPGRADE evt_data; 2081 memcpy (evt_data.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN); 2082 evt_data.upgrade = TRUE; 2083 if (btm_cb.api.p_sp_callback) 2084 (*btm_cb.api.p_sp_callback) (BTM_SP_UPGRADE_EVT, (tBTM_SP_EVT_DATA *)&evt_data); 2085 2086 BTM_TRACE_DEBUG ("evt_data.upgrade:0x%x", evt_data.upgrade); 2087 if (evt_data.upgrade) 2088 { 2089 /* if the application confirms the upgrade, set the upgrade bit */ 2090 p_dev_rec->sm4 |= BTM_SM4_UPGRADE; 2091 2092 /* Clear the link key known to go through authentication/pairing again */ 2093 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED); 2094 p_dev_rec->sec_flags &= ~BTM_SEC_AUTHENTICATED; 2095 BTM_TRACE_DEBUG ("sec_flags:0x%x", p_dev_rec->sec_flags); 2096 } 2097 } 2098 } 2099 2100 /******************************************************************************* 2101 ** 2102 ** Function btm_sec_l2cap_access_req 2103 ** 2104 ** Description This function is called by the L2CAP to grant permission to 2105 ** establish L2CAP connection to or from the peer device. 2106 ** 2107 ** Parameters: bd_addr - Address of the peer device 2108 ** psm - L2CAP PSM 2109 ** is_originator - TRUE if protocol above L2CAP originates 2110 ** connection 2111 ** p_callback - Pointer to callback function called if 2112 ** this function returns PENDING after required 2113 ** procedures are complete. MUST NOT BE NULL. 2114 ** 2115 ** Returns tBTM_STATUS 2116 ** 2117 *******************************************************************************/ 2118 #define BTM_SEC_OUT_FLAGS (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT | BTM_SEC_OUT_AUTHORIZE) 2119 #define BTM_SEC_IN_FLAGS (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHORIZE) 2120 2121 #define BTM_SEC_OUT_LEVEL4_FLAGS (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT | \ 2122 BTM_SEC_OUT_MITM | BTM_SEC_MODE4_LEVEL4) 2123 2124 #define BTM_SEC_IN_LEVEL4_FLAGS (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT | \ 2125 BTM_SEC_IN_MITM | BTM_SEC_MODE4_LEVEL4) 2126 2127 tBTM_STATUS btm_sec_l2cap_access_req (BD_ADDR bd_addr, UINT16 psm, UINT16 handle, 2128 CONNECTION_TYPE conn_type, 2129 tBTM_SEC_CALLBACK *p_callback, 2130 void *p_ref_data) 2131 { 2132 tBTM_SEC_DEV_REC *p_dev_rec; 2133 tBTM_SEC_SERV_REC *p_serv_rec; 2134 UINT16 security_required; 2135 UINT16 old_security_required; 2136 BOOLEAN old_is_originator; 2137 tBTM_STATUS rc = BTM_SUCCESS; 2138 BOOLEAN chk_acp_auth_done = FALSE; 2139 BOOLEAN is_originator; 2140 BOOLEAN transport = FALSE; /* should check PSM range in LE connection oriented L2CAP connection */ 2141 2142 #if (L2CAP_UCD_INCLUDED == TRUE) 2143 if (conn_type & CONNECTION_TYPE_ORIG_MASK) 2144 is_originator = TRUE; 2145 else 2146 is_originator = FALSE; 2147 2148 BTM_TRACE_DEBUG ("%s() conn_type: 0x%x, 0x%x", __func__, conn_type, p_ref_data); 2149 #else 2150 is_originator = conn_type; 2151 2152 BTM_TRACE_DEBUG ("%s() is_originator:%d, 0x%x", __func__, is_originator, p_ref_data); 2153 #endif 2154 2155 /* Find or get oldest record */ 2156 p_dev_rec = btm_find_or_alloc_dev (bd_addr); 2157 2158 p_dev_rec->hci_handle = handle; 2159 2160 /* Find the service record for the PSM */ 2161 p_serv_rec = btm_sec_find_first_serv (conn_type, psm); 2162 2163 /* If there is no application registered with this PSM do not allow connection */ 2164 if (!p_serv_rec) 2165 { 2166 BTM_TRACE_WARNING ("%s() PSM: %d no application registerd", __func__, psm); 2167 (*p_callback) (bd_addr, transport, p_ref_data, BTM_MODE_UNSUPPORTED); 2168 return(BTM_MODE_UNSUPPORTED); 2169 } 2170 2171 /* Services level0 by default have no security */ 2172 if ((btm_sec_is_serv_level0(psm)) && (!btm_cb.devcb.secure_connections_only)) 2173 { 2174 (*p_callback) (bd_addr,transport, p_ref_data, BTM_SUCCESS_NO_SECURITY); 2175 return(BTM_SUCCESS); 2176 } 2177 #if (L2CAP_UCD_INCLUDED == TRUE) 2178 if ( conn_type & CONNECTION_TYPE_CONNLESS_MASK ) 2179 { 2180 if (btm_cb.security_mode == BTM_SEC_MODE_SC) 2181 { 2182 security_required = btm_sec_set_serv_level4_flags (p_serv_rec->ucd_security_flags, 2183 is_originator); 2184 } 2185 else 2186 { 2187 security_required = p_serv_rec->ucd_security_flags; 2188 } 2189 2190 rc = BTM_CMD_STARTED; 2191 if (is_originator) 2192 { 2193 if (((security_required & BTM_SEC_OUT_FLAGS) == 0) || 2194 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_AUTHENTICATE) && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))) || 2195 ((((security_required & BTM_SEC_OUT_FLAGS) == (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) && (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))) || 2196 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_FLAGS) && (p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED))) ) 2197 { 2198 rc = BTM_SUCCESS; 2199 } 2200 } 2201 else 2202 { 2203 if (((security_required & BTM_SEC_IN_FLAGS) == 0) || 2204 ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHENTICATE) && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))) || 2205 ((((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) && (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))) || 2206 ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_FLAGS) && (p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED))) ) 2207 { 2208 // Check for 16 digits (or MITM) 2209 if (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == 0) || 2210 (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == BTM_SEC_IN_MIN_16_DIGIT_PIN) && 2211 btm_dev_16_digit_authenticated(p_dev_rec))) { 2212 rc = BTM_SUCCESS; 2213 } 2214 } 2215 } 2216 2217 if ((rc == BTM_SUCCESS) && (security_required & BTM_SEC_MODE4_LEVEL4) && 2218 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256)) 2219 { 2220 rc = BTM_CMD_STARTED; 2221 } 2222 2223 if (rc == BTM_SUCCESS) 2224 { 2225 if (p_callback) 2226 (*p_callback) (bd_addr, transport, (void *)p_ref_data, BTM_SUCCESS); 2227 2228 return(BTM_SUCCESS); 2229 } 2230 } 2231 else 2232 #endif 2233 { 2234 if (btm_cb.security_mode == BTM_SEC_MODE_SC) 2235 { 2236 security_required = btm_sec_set_serv_level4_flags (p_serv_rec->security_flags, 2237 is_originator); 2238 } 2239 else 2240 { 2241 security_required = p_serv_rec->security_flags; 2242 } 2243 } 2244 2245 BTM_TRACE_DEBUG("%s: security_required 0x%04x, is_originator 0x%02x, psm 0x%04x", 2246 __FUNCTION__, security_required, is_originator, psm); 2247 2248 if ((!is_originator) && (security_required & BTM_SEC_MODE4_LEVEL4)) 2249 { 2250 BOOLEAN local_supports_sc = controller_get_interface()->supports_secure_connections(); 2251 /* acceptor receives L2CAP Channel Connect Request for Secure Connections Only service */ 2252 if (!(local_supports_sc) || !(p_dev_rec->remote_supports_secure_connections)) 2253 { 2254 BTM_TRACE_DEBUG("%s: SC only service, local_support_for_sc %d", 2255 "rmt_support_for_sc : %d -> fail pairing", __FUNCTION__, 2256 local_supports_sc, 2257 p_dev_rec->remote_supports_secure_connections); 2258 if (p_callback) 2259 (*p_callback) (bd_addr, transport, (void *)p_ref_data, 2260 BTM_MODE4_LEVEL4_NOT_SUPPORTED); 2261 2262 return (BTM_MODE4_LEVEL4_NOT_SUPPORTED); 2263 } 2264 } 2265 2266 /* there are some devices (moto KRZR) which connects to several services at the same time */ 2267 /* we will process one after another */ 2268 if ( (p_dev_rec->p_callback) || (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) ) 2269 { 2270 BTM_TRACE_EVENT ("%s() - busy - PSM:%d delayed state: %s mode:%d, sm4:0x%x", __func__, 2271 psm, btm_pair_state_descr(btm_cb.pairing_state), btm_cb.security_mode, p_dev_rec->sm4); 2272 BTM_TRACE_EVENT ("security_flags:x%x, sec_flags:x%x", security_required, p_dev_rec->sec_flags); 2273 rc = BTM_CMD_STARTED; 2274 if ((btm_cb.security_mode == BTM_SEC_MODE_UNDEFINED || 2275 btm_cb.security_mode == BTM_SEC_MODE_NONE || 2276 btm_cb.security_mode == BTM_SEC_MODE_SERVICE || 2277 btm_cb.security_mode == BTM_SEC_MODE_LINK) || 2278 (BTM_SM4_KNOWN == p_dev_rec->sm4) || (BTM_SEC_IS_SM4(p_dev_rec->sm4) && 2279 (btm_sec_is_upgrade_possible(p_dev_rec, is_originator) == FALSE))) 2280 { 2281 /* legacy mode - local is legacy or local is lisbon/peer is legacy 2282 * or SM4 with no possibility of link key upgrade */ 2283 if (is_originator) 2284 { 2285 if (((security_required & BTM_SEC_OUT_FLAGS) == 0) || 2286 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_AUTHENTICATE) && btm_dev_authenticated(p_dev_rec))) || 2287 ((((security_required & BTM_SEC_OUT_FLAGS) == (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) && btm_dev_encrypted(p_dev_rec))) || 2288 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_FLAGS) && btm_dev_authorized(p_dev_rec) && btm_dev_encrypted(p_dev_rec))) ) 2289 { 2290 rc = BTM_SUCCESS; 2291 } 2292 } 2293 else 2294 { 2295 if (((security_required & BTM_SEC_IN_FLAGS) == 0) || 2296 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHENTICATE) && btm_dev_authenticated(p_dev_rec)) || 2297 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) && btm_dev_encrypted(p_dev_rec)) || 2298 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHORIZE) && (btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec))) || 2299 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_AUTHORIZE)) && ((btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec)) && btm_dev_authenticated(p_dev_rec))) || 2300 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHORIZE)) && ((btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec)) && btm_dev_encrypted(p_dev_rec))) || 2301 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_FLAGS) && btm_dev_encrypted(p_dev_rec) && (btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec)))) 2302 { 2303 // Check for 16 digits (or MITM) 2304 if (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == 0) || 2305 (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == BTM_SEC_IN_MIN_16_DIGIT_PIN) && btm_dev_16_digit_authenticated(p_dev_rec))) { 2306 rc = BTM_SUCCESS; 2307 } 2308 } 2309 } 2310 2311 if ((rc == BTM_SUCCESS) && (security_required & BTM_SEC_MODE4_LEVEL4) && 2312 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256)) 2313 { 2314 rc = BTM_CMD_STARTED; 2315 } 2316 2317 if (rc == BTM_SUCCESS) 2318 { 2319 if (p_callback) 2320 (*p_callback) (bd_addr, transport, (void *)p_ref_data, BTM_SUCCESS); 2321 return(BTM_SUCCESS); 2322 } 2323 } 2324 2325 btm_cb.sec_req_pending = TRUE; 2326 return(BTM_CMD_STARTED); 2327 } 2328 2329 /* Save pointer to service record */ 2330 p_dev_rec->p_cur_service = p_serv_rec; 2331 2332 /* Modify security_required in btm_sec_l2cap_access_req for Lisbon */ 2333 if (btm_cb.security_mode == BTM_SEC_MODE_SP || 2334 btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG || 2335 btm_cb.security_mode == BTM_SEC_MODE_SC) 2336 { 2337 if (BTM_SEC_IS_SM4(p_dev_rec->sm4)) 2338 { 2339 if (is_originator) 2340 { 2341 /* SM4 to SM4 -> always authenticate & encrypt */ 2342 security_required |= (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT); 2343 } 2344 else /* acceptor */ 2345 { 2346 /* SM4 to SM4: the acceptor needs to make sure the authentication is already done */ 2347 chk_acp_auth_done = TRUE; 2348 /* SM4 to SM4 -> always authenticate & encrypt */ 2349 security_required |= (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT); 2350 } 2351 } 2352 else if (!(BTM_SM4_KNOWN & p_dev_rec->sm4)) 2353 { 2354 /* the remote features are not known yet */ 2355 BTM_TRACE_DEBUG("%s: (%s) remote features unknown!!sec_flags:0x%02x", __FUNCTION__, 2356 (is_originator) ? "initiator" : "acceptor", p_dev_rec->sec_flags); 2357 2358 p_dev_rec->sm4 |= BTM_SM4_REQ_PEND; 2359 return (BTM_CMD_STARTED); 2360 } 2361 } 2362 2363 BTM_TRACE_DEBUG ("%s() sm4:0x%x, sec_flags:0x%x, security_required:0x%x chk:%d", __func__, 2364 p_dev_rec->sm4, p_dev_rec->sec_flags, security_required, chk_acp_auth_done); 2365 2366 old_security_required = p_dev_rec->security_required; 2367 old_is_originator = p_dev_rec->is_originator; 2368 p_dev_rec->security_required = security_required; 2369 p_dev_rec->p_ref_data = p_ref_data; 2370 p_dev_rec->is_originator = is_originator; 2371 2372 #if (L2CAP_UCD_INCLUDED == TRUE) 2373 if ( conn_type & CONNECTION_TYPE_CONNLESS_MASK ) 2374 p_dev_rec->is_ucd = TRUE; 2375 else 2376 p_dev_rec->is_ucd = FALSE; 2377 #endif 2378 2379 /* If there are multiple service records used through the same PSM */ 2380 /* leave security decision for the multiplexor on the top */ 2381 #if (L2CAP_UCD_INCLUDED == TRUE) 2382 if (((btm_sec_find_next_serv (p_serv_rec)) != NULL) 2383 &&(!( conn_type & CONNECTION_TYPE_CONNLESS_MASK ))) /* if not UCD */ 2384 #else 2385 if ((btm_sec_find_next_serv (p_serv_rec)) != NULL) 2386 #endif 2387 { 2388 BTM_TRACE_DEBUG ("no next_serv sm4:0x%x, chk:%d", p_dev_rec->sm4, chk_acp_auth_done); 2389 if (!BTM_SEC_IS_SM4(p_dev_rec->sm4)) 2390 { 2391 BTM_TRACE_EVENT ("Security Manager: l2cap_access_req PSM:%d postponed for multiplexer", psm); 2392 /* pre-Lisbon: restore the old settings */ 2393 p_dev_rec->security_required = old_security_required; 2394 p_dev_rec->is_originator = old_is_originator; 2395 2396 (*p_callback) (bd_addr, transport, p_ref_data, BTM_SUCCESS); 2397 2398 return(BTM_SUCCESS); 2399 } 2400 } 2401 2402 /* if the originator is using dynamic PSM in legacy mode, do not start any security process now 2403 * The layer above L2CAP needs to carry out the security requirement after L2CAP connect 2404 * response is received */ 2405 if (is_originator && 2406 ((btm_cb.security_mode == BTM_SEC_MODE_UNDEFINED || 2407 btm_cb.security_mode == BTM_SEC_MODE_NONE || 2408 btm_cb.security_mode == BTM_SEC_MODE_SERVICE || 2409 btm_cb.security_mode == BTM_SEC_MODE_LINK) || 2410 !BTM_SEC_IS_SM4(p_dev_rec->sm4)) && (psm >= 0x1001)) 2411 { 2412 BTM_TRACE_EVENT ("dynamic PSM:0x%x in legacy mode - postponed for upper layer", psm); 2413 /* restore the old settings */ 2414 p_dev_rec->security_required = old_security_required; 2415 p_dev_rec->is_originator = old_is_originator; 2416 2417 (*p_callback) (bd_addr, transport, p_ref_data, BTM_SUCCESS); 2418 2419 return(BTM_SUCCESS); 2420 } 2421 2422 if (chk_acp_auth_done) 2423 { 2424 BTM_TRACE_DEBUG ("(SM4 to SM4) btm_sec_l2cap_access_req rspd. authenticated: x%x, enc: x%x", 2425 (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED), (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)); 2426 /* SM4, but we do not know for sure which level of security we need. 2427 * as long as we have a link key, it's OK */ 2428 if ((0 == (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)) 2429 ||(0 == (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))) 2430 { 2431 rc = BTM_DELAY_CHECK; 2432 /* 2433 2046 may report HCI_Encryption_Change and L2C Connection Request out of sequence 2434 because of data path issues. Delay this disconnect a little bit 2435 */ 2436 LOG_INFO("%s peer should have initiated security process by now (SM4 to SM4)", __func__); 2437 p_dev_rec->p_callback = p_callback; 2438 p_dev_rec->sec_state = BTM_SEC_STATE_DELAY_FOR_ENC; 2439 (*p_callback) (bd_addr, transport, p_ref_data, rc); 2440 2441 return BTM_SUCCESS; 2442 } 2443 } 2444 2445 p_dev_rec->p_callback = p_callback; 2446 2447 if (p_dev_rec->last_author_service_id == BTM_SEC_NO_LAST_SERVICE_ID 2448 || p_dev_rec->last_author_service_id != p_dev_rec->p_cur_service->service_id) 2449 { 2450 /* Although authentication and encryption are per connection 2451 ** authorization is per access request. For example when serial connection 2452 ** is up and authorized and client requests to read file (access to other 2453 ** scn), we need to request user's permission again. 2454 */ 2455 p_dev_rec->sec_flags &= ~BTM_SEC_AUTHORIZED; 2456 } 2457 2458 if (BTM_SEC_IS_SM4(p_dev_rec->sm4)) 2459 { 2460 if ((p_dev_rec->security_required & BTM_SEC_MODE4_LEVEL4) && 2461 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256)) 2462 { 2463 /* BTM_LKEY_TYPE_AUTH_COMB_P_256 is the only acceptable key in this case */ 2464 if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) != 0) 2465 { 2466 p_dev_rec->sm4 |= BTM_SM4_UPGRADE; 2467 } 2468 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED | 2469 BTM_SEC_AUTHENTICATED); 2470 BTM_TRACE_DEBUG ("%s: sec_flags:0x%x", __FUNCTION__, p_dev_rec->sec_flags); 2471 } 2472 else 2473 { 2474 /* If we already have a link key to the connected peer, is it secure enough? */ 2475 btm_sec_check_upgrade(p_dev_rec, is_originator); 2476 } 2477 } 2478 2479 BTM_TRACE_EVENT ("%s() PSM:%d Handle:%d State:%d Flags: 0x%x Required: 0x%x Service ID:%d", 2480 __func__, psm, handle, p_dev_rec->sec_state, p_dev_rec->sec_flags, 2481 p_dev_rec->security_required, p_dev_rec->p_cur_service->service_id); 2482 2483 if ((rc = btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED) 2484 { 2485 p_dev_rec->p_callback = NULL; 2486 (*p_callback) (bd_addr, transport, p_dev_rec->p_ref_data, (UINT8)rc); 2487 } 2488 2489 return(rc); 2490 } 2491 2492 /******************************************************************************* 2493 ** 2494 ** Function btm_sec_mx_access_request 2495 ** 2496 ** Description This function is called by all Multiplexing Protocols during 2497 ** establishing connection to or from peer device to grant 2498 ** permission to establish application connection. 2499 ** 2500 ** Parameters: bd_addr - Address of the peer device 2501 ** psm - L2CAP PSM 2502 ** is_originator - TRUE if protocol above L2CAP originates 2503 ** connection 2504 ** mx_proto_id - protocol ID of the multiplexer 2505 ** mx_chan_id - multiplexer channel to reach application 2506 ** p_callback - Pointer to callback function called if 2507 ** this function returns PENDING after required 2508 ** procedures are completed 2509 ** p_ref_data - Pointer to any reference data needed by the 2510 ** the callback function. 2511 ** 2512 ** Returns BTM_CMD_STARTED 2513 ** 2514 *******************************************************************************/ 2515 tBTM_STATUS btm_sec_mx_access_request (BD_ADDR bd_addr, UINT16 psm, BOOLEAN is_originator, 2516 UINT32 mx_proto_id, UINT32 mx_chan_id, 2517 tBTM_SEC_CALLBACK *p_callback, void *p_ref_data) 2518 { 2519 tBTM_SEC_DEV_REC *p_dev_rec; 2520 tBTM_SEC_SERV_REC *p_serv_rec; 2521 tBTM_STATUS rc; 2522 UINT16 security_required; 2523 BOOLEAN transport = FALSE;/* should check PSM range in LE connection oriented L2CAP connection */ 2524 2525 BTM_TRACE_DEBUG ("%s() is_originator: %d", __func__, is_originator); 2526 /* Find or get oldest record */ 2527 p_dev_rec = btm_find_or_alloc_dev (bd_addr); 2528 2529 /* Find the service record for the PSM */ 2530 p_serv_rec = btm_sec_find_mx_serv (is_originator, psm, mx_proto_id, mx_chan_id); 2531 2532 /* If there is no application registered with this PSM do not allow connection */ 2533 if (!p_serv_rec) 2534 { 2535 if (p_callback) 2536 (*p_callback) (bd_addr, transport, p_ref_data, BTM_MODE_UNSUPPORTED); 2537 2538 BTM_TRACE_ERROR ("Security Manager: MX service not found PSM:%d Proto:%d SCN:%d", 2539 psm, mx_proto_id, mx_chan_id); 2540 return BTM_NO_RESOURCES; 2541 } 2542 2543 if ((btm_cb.security_mode == BTM_SEC_MODE_SC) && (!btm_sec_is_serv_level0(psm))) 2544 { 2545 security_required = btm_sec_set_serv_level4_flags (p_serv_rec->security_flags, 2546 is_originator); 2547 } 2548 else 2549 { 2550 security_required = p_serv_rec->security_flags; 2551 } 2552 2553 /* there are some devices (moto phone) which connects to several services at the same time */ 2554 /* we will process one after another */ 2555 if ( (p_dev_rec->p_callback) || (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) ) 2556 { 2557 BTM_TRACE_EVENT ("%s() service PSM:%d Proto:%d SCN:%d delayed state: %s", __func__, 2558 psm, mx_proto_id, mx_chan_id, btm_pair_state_descr(btm_cb.pairing_state)); 2559 2560 rc = BTM_CMD_STARTED; 2561 2562 if ((btm_cb.security_mode == BTM_SEC_MODE_UNDEFINED || 2563 btm_cb.security_mode == BTM_SEC_MODE_NONE || 2564 btm_cb.security_mode == BTM_SEC_MODE_SERVICE || 2565 btm_cb.security_mode == BTM_SEC_MODE_LINK) || 2566 (BTM_SM4_KNOWN == p_dev_rec->sm4) || (BTM_SEC_IS_SM4(p_dev_rec->sm4) && 2567 (btm_sec_is_upgrade_possible(p_dev_rec, is_originator) == FALSE))) 2568 { 2569 /* legacy mode - local is legacy or local is lisbon/peer is legacy 2570 * or SM4 with no possibility of link key upgrade */ 2571 if (is_originator) 2572 { 2573 if (((security_required & BTM_SEC_OUT_FLAGS) == 0) || 2574 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_AUTHENTICATE) && btm_dev_authenticated(p_dev_rec))) || 2575 ((((security_required & BTM_SEC_OUT_FLAGS) == (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) && btm_dev_encrypted(p_dev_rec))) 2576 ) 2577 { 2578 rc = BTM_SUCCESS; 2579 } 2580 } 2581 else 2582 { 2583 if (((security_required & BTM_SEC_IN_FLAGS) == 0) || 2584 ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHENTICATE) && btm_dev_authenticated(p_dev_rec))) || 2585 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHORIZE) && (btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec))) || 2586 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_AUTHENTICATE)) && ((btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec)) && btm_dev_authenticated(p_dev_rec))) || 2587 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT)) && ((btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec))&& btm_dev_encrypted(p_dev_rec))) || 2588 ((((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) && btm_dev_encrypted(p_dev_rec))) 2589 ) 2590 { 2591 // Check for 16 digits (or MITM) 2592 if (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == 0) || 2593 (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == BTM_SEC_IN_MIN_16_DIGIT_PIN) && btm_dev_16_digit_authenticated(p_dev_rec))) { 2594 rc = BTM_SUCCESS; 2595 } 2596 } 2597 } 2598 if ((rc == BTM_SUCCESS) && (security_required & BTM_SEC_MODE4_LEVEL4) && 2599 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256)) 2600 { 2601 rc = BTM_CMD_STARTED; 2602 } 2603 } 2604 2605 if (rc == BTM_SUCCESS) 2606 { 2607 BTM_TRACE_EVENT("%s: allow to bypass, checking authorization", __FUNCTION__); 2608 /* the security in BTM_SEC_IN_FLAGS is fullfilled so far, check the requirements in */ 2609 /* btm_sec_execute_procedure */ 2610 if ((is_originator && (p_serv_rec->security_flags & BTM_SEC_OUT_AUTHORIZE)) || 2611 (!is_originator && (p_serv_rec->security_flags & BTM_SEC_IN_AUTHORIZE))) 2612 { 2613 BTM_TRACE_EVENT("%s: still need authorization", __FUNCTION__); 2614 rc = BTM_CMD_STARTED; 2615 } 2616 } 2617 2618 /* Check whether there is a pending security procedure, if so we should always queue */ 2619 /* the new security request */ 2620 if (p_dev_rec->sec_state != BTM_SEC_STATE_IDLE) 2621 { 2622 BTM_TRACE_EVENT("%s: There is a pending security procedure", __FUNCTION__); 2623 rc = BTM_CMD_STARTED; 2624 } 2625 if (rc == BTM_CMD_STARTED) 2626 { 2627 BTM_TRACE_EVENT("%s: call btm_sec_queue_mx_request", __FUNCTION__); 2628 btm_sec_queue_mx_request (bd_addr, psm, is_originator, mx_proto_id, 2629 mx_chan_id, p_callback, p_ref_data); 2630 } 2631 else /* rc == BTM_SUCCESS */ 2632 { 2633 /* access granted */ 2634 if (p_callback) 2635 { 2636 (*p_callback) (bd_addr, transport, p_ref_data, (UINT8)rc); 2637 } 2638 } 2639 2640 BTM_TRACE_EVENT("%s: return with rc = 0x%02x in delayed state %s", __FUNCTION__, rc, 2641 btm_pair_state_descr(btm_cb.pairing_state)); 2642 return rc; 2643 } 2644 2645 if ((!is_originator) && ((security_required & BTM_SEC_MODE4_LEVEL4) || 2646 (btm_cb.security_mode == BTM_SEC_MODE_SC))) 2647 { 2648 BOOLEAN local_supports_sc = controller_get_interface()->supports_secure_connections(); 2649 /* acceptor receives service connection establishment Request for */ 2650 /* Secure Connections Only service */ 2651 if (!(local_supports_sc) || !(p_dev_rec->remote_supports_secure_connections)) 2652 { 2653 BTM_TRACE_DEBUG("%s: SC only service,local_support_for_sc %d,", 2654 "remote_support_for_sc %d: fail pairing",__FUNCTION__, 2655 local_supports_sc, p_dev_rec->remote_supports_secure_connections); 2656 2657 if (p_callback) 2658 (*p_callback) (bd_addr, transport, (void *)p_ref_data, 2659 BTM_MODE4_LEVEL4_NOT_SUPPORTED); 2660 2661 return (BTM_MODE4_LEVEL4_NOT_SUPPORTED); 2662 } 2663 } 2664 2665 p_dev_rec->p_cur_service = p_serv_rec; 2666 p_dev_rec->security_required = security_required; 2667 2668 if (btm_cb.security_mode == BTM_SEC_MODE_SP || 2669 btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG || 2670 btm_cb.security_mode == BTM_SEC_MODE_SC) 2671 { 2672 if (BTM_SEC_IS_SM4(p_dev_rec->sm4)) 2673 { 2674 if ((p_dev_rec->security_required & BTM_SEC_MODE4_LEVEL4) && 2675 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256)) 2676 { 2677 /* BTM_LKEY_TYPE_AUTH_COMB_P_256 is the only acceptable key in this case */ 2678 if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) != 0) 2679 { 2680 p_dev_rec->sm4 |= BTM_SM4_UPGRADE; 2681 } 2682 2683 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED | 2684 BTM_SEC_AUTHENTICATED); 2685 BTM_TRACE_DEBUG("%s: sec_flags:0x%x", __FUNCTION__, p_dev_rec->sec_flags); 2686 } 2687 else 2688 { 2689 /* If we already have a link key, check if that link key is good enough */ 2690 btm_sec_check_upgrade(p_dev_rec, is_originator); 2691 } 2692 } 2693 } 2694 2695 p_dev_rec->is_originator = is_originator; 2696 p_dev_rec->p_callback = p_callback; 2697 p_dev_rec->p_ref_data = p_ref_data; 2698 2699 /* Although authentication and encryption are per connection */ 2700 /* authorization is per access request. For example when serial connection */ 2701 /* is up and authorized and client requests to read file (access to other */ 2702 /* scn, we need to request user's permission again. */ 2703 p_dev_rec->sec_flags &= ~(BTM_SEC_AUTHORIZED); 2704 2705 BTM_TRACE_EVENT ("%s() proto_id:%d chan_id:%d State:%d Flags:0x%x Required:0x%x Service ID:%d", 2706 __func__, mx_proto_id, mx_chan_id, p_dev_rec->sec_state, p_dev_rec->sec_flags, 2707 p_dev_rec->security_required, p_dev_rec->p_cur_service->service_id); 2708 2709 if ((rc = btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED) 2710 { 2711 if (p_callback) 2712 { 2713 p_dev_rec->p_callback = NULL; 2714 (*p_callback) (bd_addr,transport, p_ref_data, (UINT8)rc); 2715 } 2716 } 2717 2718 return rc; 2719 } 2720 2721 /******************************************************************************* 2722 ** 2723 ** Function btm_sec_conn_req 2724 ** 2725 ** Description This function is when the peer device is requesting 2726 ** connection 2727 ** 2728 ** Returns void 2729 ** 2730 *******************************************************************************/ 2731 void btm_sec_conn_req (UINT8 *bda, UINT8 *dc) 2732 { 2733 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bda); 2734 2735 /* Some device may request a connection before we are done with the HCI_Reset sequence */ 2736 if (!controller_get_interface()->get_is_ready()) 2737 { 2738 BTM_TRACE_EVENT ("Security Manager: connect request when device not ready"); 2739 btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE); 2740 return; 2741 } 2742 2743 /* Security guys wants us not to allow connection from not paired devices */ 2744 2745 /* Check if connection is allowed for only paired devices */ 2746 if (btm_cb.connect_only_paired) 2747 { 2748 if (!p_dev_rec || !(p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED)) 2749 { 2750 BTM_TRACE_EVENT ("Security Manager: connect request from non-paired device"); 2751 btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE); 2752 return; 2753 } 2754 } 2755 2756 #if BTM_ALLOW_CONN_IF_NONDISCOVER == FALSE 2757 /* If non-discoverable, only allow known devices to connect */ 2758 if (btm_cb.btm_inq_vars.discoverable_mode == BTM_NON_DISCOVERABLE) 2759 { 2760 if (!p_dev_rec) 2761 { 2762 BTM_TRACE_EVENT ("Security Manager: connect request from not paired device"); 2763 btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE); 2764 return; 2765 } 2766 } 2767 #endif 2768 2769 if ((btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) 2770 &&(btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) 2771 &&(!memcmp (btm_cb.pairing_bda, bda, BD_ADDR_LEN))) 2772 { 2773 BTM_TRACE_EVENT ("Security Manager: reject connect request from bonding device"); 2774 2775 /* incoming connection from bonding device is rejected */ 2776 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_REJECTED_CONNECT; 2777 btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE); 2778 return; 2779 } 2780 2781 /* Host is not interested or approved connection. Save BDA and DC and */ 2782 /* pass request to L2CAP */ 2783 memcpy (btm_cb.connecting_bda, bda, BD_ADDR_LEN); 2784 memcpy (btm_cb.connecting_dc, dc, DEV_CLASS_LEN); 2785 2786 if (l2c_link_hci_conn_req (bda)) 2787 { 2788 if (!p_dev_rec) 2789 { 2790 /* accept the connection -> allocate a device record */ 2791 p_dev_rec = btm_sec_alloc_dev (bda); 2792 } 2793 if (p_dev_rec) 2794 { 2795 p_dev_rec->sm4 |= BTM_SM4_CONN_PEND; 2796 } 2797 } 2798 } 2799 2800 /******************************************************************************* 2801 ** 2802 ** Function btm_sec_bond_cancel_complete 2803 ** 2804 ** Description This function is called to report bond cancel complete 2805 ** event. 2806 ** 2807 ** Returns void 2808 ** 2809 *******************************************************************************/ 2810 static void btm_sec_bond_cancel_complete (void) 2811 { 2812 tBTM_SEC_DEV_REC *p_dev_rec; 2813 2814 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE) || 2815 (BTM_PAIR_STATE_WAIT_LOCAL_PIN == btm_cb.pairing_state && 2816 BTM_PAIR_FLAGS_WE_STARTED_DD & btm_cb.pairing_flags) || 2817 (btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME && 2818 BTM_PAIR_FLAGS_WE_CANCEL_DD & btm_cb.pairing_flags)) 2819 { 2820 /* for dedicated bonding in legacy mode, authentication happens at "link level" 2821 * btm_sec_connected is called with failed status. 2822 * In theory, the code that handles is_pairing_device/TRUE should clean out security related code. 2823 * However, this function may clean out the security related flags and btm_sec_connected would not know 2824 * this function also needs to do proper clean up. 2825 */ 2826 if ((p_dev_rec = btm_find_dev (btm_cb.pairing_bda)) != NULL) 2827 p_dev_rec->security_required = BTM_SEC_NONE; 2828 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 2829 2830 /* Notify application that the cancel succeeded */ 2831 if (btm_cb.api.p_bond_cancel_cmpl_callback) 2832 btm_cb.api.p_bond_cancel_cmpl_callback(BTM_SUCCESS); 2833 } 2834 } 2835 2836 /******************************************************************************* 2837 ** 2838 ** Function btm_create_conn_cancel_complete 2839 ** 2840 ** Description This function is called when the command complete message 2841 ** is received from the HCI for the create connection cancel 2842 ** command. 2843 ** 2844 ** Returns void 2845 ** 2846 *******************************************************************************/ 2847 void btm_create_conn_cancel_complete (UINT8 *p) 2848 { 2849 UINT8 status; 2850 2851 STREAM_TO_UINT8 (status, p); 2852 BTM_TRACE_EVENT ("btm_create_conn_cancel_complete(): in State: %s status:%d", 2853 btm_pair_state_descr(btm_cb.pairing_state), status); 2854 2855 /* if the create conn cancel cmd was issued by the bond cancel, 2856 ** the application needs to be notified that bond cancel succeeded 2857 */ 2858 switch (status) 2859 { 2860 case HCI_SUCCESS: 2861 btm_sec_bond_cancel_complete(); 2862 break; 2863 case HCI_ERR_CONNECTION_EXISTS: 2864 case HCI_ERR_NO_CONNECTION: 2865 default: 2866 /* Notify application of the error */ 2867 if (btm_cb.api.p_bond_cancel_cmpl_callback) 2868 btm_cb.api.p_bond_cancel_cmpl_callback(BTM_ERR_PROCESSING); 2869 break; 2870 } 2871 } 2872 2873 /******************************************************************************* 2874 ** 2875 ** Function btm_sec_check_pending_reqs 2876 ** 2877 ** Description This function is called at the end of the security procedure 2878 ** to let L2CAP and RFCOMM know to re-submit any pending requests 2879 ** 2880 ** Returns void 2881 ** 2882 *******************************************************************************/ 2883 void btm_sec_check_pending_reqs (void) 2884 { 2885 tBTM_SEC_QUEUE_ENTRY *p_e; 2886 BUFFER_Q bq; 2887 2888 if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE) 2889 { 2890 /* First, resubmit L2CAP requests */ 2891 if (btm_cb.sec_req_pending) 2892 { 2893 btm_cb.sec_req_pending = FALSE; 2894 l2cu_resubmit_pending_sec_req (NULL); 2895 } 2896 2897 /* Now, re-submit anything in the mux queue */ 2898 bq = btm_cb.sec_pending_q; 2899 2900 GKI_init_q (&btm_cb.sec_pending_q); 2901 2902 while ((p_e = (tBTM_SEC_QUEUE_ENTRY *)GKI_dequeue (&bq)) != NULL) 2903 { 2904 /* Check that the ACL is still up before starting security procedures */ 2905 if (btm_bda_to_acl(p_e->bd_addr, p_e->transport) != NULL) 2906 { 2907 if (p_e->psm != 0) 2908 { 2909 BTM_TRACE_EVENT("%s PSM:0x%04x Is_Orig:%u mx_proto_id:%u mx_chan_id:%u", 2910 __FUNCTION__, p_e->psm, p_e->is_orig, 2911 p_e->mx_proto_id, p_e->mx_chan_id); 2912 2913 btm_sec_mx_access_request (p_e->bd_addr, p_e->psm, p_e->is_orig, 2914 p_e->mx_proto_id, p_e->mx_chan_id, 2915 p_e->p_callback, p_e->p_ref_data); 2916 } 2917 else 2918 { 2919 BTM_SetEncryption(p_e->bd_addr, p_e->transport, p_e->p_callback, 2920 p_e->p_ref_data); 2921 } 2922 } 2923 2924 GKI_freebuf (p_e); 2925 } 2926 } 2927 } 2928 2929 /******************************************************************************* 2930 ** 2931 ** Function btm_sec_init 2932 ** 2933 ** Description This function is on the SEC startup 2934 ** 2935 ** Returns void 2936 ** 2937 *******************************************************************************/ 2938 void btm_sec_init (UINT8 sec_mode) 2939 { 2940 btm_cb.security_mode = sec_mode; 2941 memset (btm_cb.pairing_bda, 0xff, BD_ADDR_LEN); 2942 btm_cb.max_collision_delay = BTM_SEC_MAX_COLLISION_DELAY; 2943 } 2944 2945 /******************************************************************************* 2946 ** 2947 ** Function btm_sec_device_down 2948 ** 2949 ** Description This function should be called when device is disabled or 2950 ** turned off 2951 ** 2952 ** Returns void 2953 ** 2954 *******************************************************************************/ 2955 void btm_sec_device_down (void) 2956 { 2957 BTM_TRACE_EVENT ("%s() State: %s", __func__, btm_pair_state_descr(btm_cb.pairing_state)); 2958 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 2959 } 2960 2961 /******************************************************************************* 2962 ** 2963 ** Function btm_sec_dev_reset 2964 ** 2965 ** Description This function should be called after device reset 2966 ** 2967 ** Returns void 2968 ** 2969 *******************************************************************************/ 2970 void btm_sec_dev_reset (void) 2971 { 2972 if (controller_get_interface()->supports_simple_pairing()) 2973 { 2974 /* set the default IO capabilities */ 2975 btm_cb.devcb.loc_io_caps = BTM_LOCAL_IO_CAPS; 2976 /* add mx service to use no security */ 2977 BTM_SetSecurityLevel(FALSE, "RFC_MUX", BTM_SEC_SERVICE_RFC_MUX, 2978 BTM_SEC_NONE, BT_PSM_RFCOMM, BTM_SEC_PROTO_RFCOMM, 0); 2979 } 2980 else 2981 { 2982 btm_cb.security_mode = BTM_SEC_MODE_SERVICE; 2983 } 2984 2985 BTM_TRACE_DEBUG ("btm_sec_dev_reset sec mode: %d", btm_cb.security_mode); 2986 } 2987 2988 /******************************************************************************* 2989 ** 2990 ** Function btm_sec_abort_access_req 2991 ** 2992 ** Description This function is called by the L2CAP or RFCOMM to abort 2993 ** the pending operation. 2994 ** 2995 ** Parameters: bd_addr - Address of the peer device 2996 ** 2997 ** Returns void 2998 ** 2999 *******************************************************************************/ 3000 void btm_sec_abort_access_req (BD_ADDR bd_addr) 3001 { 3002 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr); 3003 3004 if (!p_dev_rec) 3005 return; 3006 3007 if ((p_dev_rec->sec_state != BTM_SEC_STATE_AUTHORIZING) 3008 && (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING)) 3009 return; 3010 3011 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE; 3012 p_dev_rec->p_callback = NULL; 3013 } 3014 3015 /******************************************************************************* 3016 ** 3017 ** Function btm_sec_dd_create_conn 3018 ** 3019 ** Description This function is called to create the ACL connection for 3020 ** the dedicated boding process 3021 ** 3022 ** Returns void 3023 ** 3024 *******************************************************************************/ 3025 static tBTM_STATUS btm_sec_dd_create_conn (tBTM_SEC_DEV_REC *p_dev_rec) 3026 { 3027 tL2C_LCB *p_lcb = l2cu_find_lcb_by_bd_addr(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR); 3028 if (p_lcb && (p_lcb->link_state == LST_CONNECTED || p_lcb->link_state == LST_CONNECTING)) 3029 { 3030 BTM_TRACE_WARNING("%s Connection already exists", __func__); 3031 return BTM_CMD_STARTED; 3032 } 3033 3034 /* Make sure an L2cap link control block is available */ 3035 if (!p_lcb && (p_lcb = l2cu_allocate_lcb (p_dev_rec->bd_addr, TRUE, BT_TRANSPORT_BR_EDR)) == NULL) 3036 { 3037 BTM_TRACE_WARNING ("Security Manager: failed allocate LCB [%02x%02x%02x%02x%02x%02x]", 3038 p_dev_rec->bd_addr[0], p_dev_rec->bd_addr[1], p_dev_rec->bd_addr[2], 3039 p_dev_rec->bd_addr[3], p_dev_rec->bd_addr[4], p_dev_rec->bd_addr[5]); 3040 3041 return(BTM_NO_RESOURCES); 3042 } 3043 3044 /* set up the control block to indicated dedicated bonding */ 3045 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_DISC_WHEN_DONE; 3046 3047 if (l2cu_create_conn(p_lcb, BT_TRANSPORT_BR_EDR) == FALSE) 3048 { 3049 BTM_TRACE_WARNING ("Security Manager: failed create [%02x%02x%02x%02x%02x%02x]", 3050 p_dev_rec->bd_addr[0], p_dev_rec->bd_addr[1], p_dev_rec->bd_addr[2], 3051 p_dev_rec->bd_addr[3], p_dev_rec->bd_addr[4], p_dev_rec->bd_addr[5]); 3052 3053 l2cu_release_lcb(p_lcb); 3054 return(BTM_NO_RESOURCES); 3055 } 3056 3057 btm_acl_update_busy_level (BTM_BLI_PAGE_EVT); 3058 3059 BTM_TRACE_DEBUG ("Security Manager: btm_sec_dd_create_conn [%02x%02x%02x%02x%02x%02x]", 3060 p_dev_rec->bd_addr[0], p_dev_rec->bd_addr[1], p_dev_rec->bd_addr[2], 3061 p_dev_rec->bd_addr[3], p_dev_rec->bd_addr[4], p_dev_rec->bd_addr[5]); 3062 3063 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ); 3064 3065 return(BTM_CMD_STARTED); 3066 } 3067 3068 /******************************************************************************* 3069 ** 3070 ** Function btm_sec_rmt_name_request_complete 3071 ** 3072 ** Description This function is called when remote name was obtained from 3073 ** the peer device 3074 ** 3075 ** Returns void 3076 ** 3077 *******************************************************************************/ 3078 void btm_sec_rmt_name_request_complete (UINT8 *p_bd_addr, UINT8 *p_bd_name, UINT8 status) 3079 { 3080 tBTM_SEC_DEV_REC *p_dev_rec; 3081 int i; 3082 DEV_CLASS dev_class; 3083 UINT8 old_sec_state; 3084 3085 BTM_TRACE_EVENT ("btm_sec_rmt_name_request_complete"); 3086 if (((p_bd_addr == NULL) && !BTM_ACL_IS_CONNECTED(btm_cb.connecting_bda)) 3087 || ((p_bd_addr != NULL) && !BTM_ACL_IS_CONNECTED(p_bd_addr))) 3088 { 3089 btm_acl_resubmit_page(); 3090 } 3091 3092 /* If remote name request failed, p_bd_addr is null and we need to search */ 3093 /* based on state assuming that we are doing 1 at a time */ 3094 if (p_bd_addr) 3095 p_dev_rec = btm_find_dev (p_bd_addr); 3096 else 3097 { 3098 p_dev_rec = &btm_cb.sec_dev_rec[0]; 3099 3100 for (i = 0; i < BTM_SEC_MAX_DEVICE_RECORDS; i++, p_dev_rec++) 3101 { 3102 if ((p_dev_rec->sec_flags & BTM_SEC_IN_USE) 3103 && (p_dev_rec->sec_state == BTM_SEC_STATE_GETTING_NAME)) 3104 { 3105 p_bd_addr = p_dev_rec->bd_addr; 3106 break; 3107 } 3108 } 3109 3110 if (i == BTM_SEC_MAX_DEVICE_RECORDS) 3111 p_dev_rec = NULL; 3112 } 3113 3114 3115 /* Commenting out trace due to obf/compilation problems. 3116 */ 3117 #if (BT_USE_TRACES == TRUE) 3118 if (!p_bd_name) 3119 p_bd_name = (UINT8 *)""; 3120 3121 if (p_dev_rec) 3122 { 3123 BTM_TRACE_EVENT ("Security Manager: rmt_name_complete PairState: %s RemName: %s status: %d State:%d p_dev_rec: 0x%08x ", 3124 btm_pair_state_descr (btm_cb.pairing_state), p_bd_name, 3125 status, p_dev_rec->sec_state, p_dev_rec); 3126 } 3127 else 3128 { 3129 BTM_TRACE_EVENT ("Security Manager: rmt_name_complete PairState: %s RemName: %s status: %d", 3130 btm_pair_state_descr (btm_cb.pairing_state), p_bd_name, 3131 status); 3132 } 3133 #endif 3134 3135 if (p_dev_rec) 3136 { 3137 old_sec_state = p_dev_rec->sec_state; 3138 if (status == HCI_SUCCESS) 3139 { 3140 BCM_STRNCPY_S ((char *)p_dev_rec->sec_bd_name, sizeof (p_dev_rec->sec_bd_name), (char *)p_bd_name, BTM_MAX_REM_BD_NAME_LEN); 3141 p_dev_rec->sec_flags |= BTM_SEC_NAME_KNOWN; 3142 BTM_TRACE_EVENT ("setting BTM_SEC_NAME_KNOWN sec_flags:0x%x", p_dev_rec->sec_flags); 3143 } 3144 else 3145 { 3146 /* Notify all clients waiting for name to be resolved even if it failed so clients can continue */ 3147 p_dev_rec->sec_bd_name[0] = 0; 3148 } 3149 3150 if (p_dev_rec->sec_state == BTM_SEC_STATE_GETTING_NAME) 3151 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE; 3152 3153 /* Notify all clients waiting for name to be resolved */ 3154 for (i = 0;i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++) 3155 { 3156 if (btm_cb.p_rmt_name_callback[i] && p_bd_addr) 3157 (*btm_cb.p_rmt_name_callback[i])(p_bd_addr, p_dev_rec->dev_class, 3158 p_dev_rec->sec_bd_name); 3159 } 3160 } 3161 else 3162 { 3163 dev_class[0] = 0; 3164 dev_class[1] = 0; 3165 dev_class[2] = 0; 3166 3167 /* Notify all clients waiting for name to be resolved even if not found so clients can continue */ 3168 for (i = 0;i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++) 3169 { 3170 if (btm_cb.p_rmt_name_callback[i] && p_bd_addr) 3171 (*btm_cb.p_rmt_name_callback[i])(p_bd_addr, dev_class, (UINT8 *)""); 3172 } 3173 3174 return; 3175 } 3176 3177 /* If we were delaying asking UI for a PIN because name was not resolved, ask now */ 3178 if ( (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_LOCAL_PIN) && p_bd_addr 3179 && (memcmp (btm_cb.pairing_bda, p_bd_addr, BD_ADDR_LEN) == 0) ) 3180 { 3181 BTM_TRACE_EVENT ("btm_sec_rmt_name_request_complete() delayed pin now being requested flags:0x%x, (p_pin_callback=0x%p)", btm_cb.pairing_flags, btm_cb.api.p_pin_callback); 3182 3183 if (((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) == 0) && 3184 ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PIN_REQD) == 0) && 3185 btm_cb.api.p_pin_callback) 3186 { 3187 BTM_TRACE_EVENT ("btm_sec_rmt_name_request_complete() calling pin_callback"); 3188 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD; 3189 (*btm_cb.api.p_pin_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class, p_bd_name, 3190 (p_dev_rec->p_cur_service==NULL) ? FALSE 3191 : (p_dev_rec->p_cur_service->security_flags & BTM_SEC_IN_MIN_16_DIGIT_PIN)); 3192 } 3193 3194 /* Set the same state again to force the timer to be restarted */ 3195 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_PIN); 3196 return; 3197 } 3198 3199 /* Check if we were delaying bonding because name was not resolved */ 3200 if ( btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME) 3201 { 3202 if (p_bd_addr && memcmp (btm_cb.pairing_bda, p_bd_addr, BD_ADDR_LEN) == 0) 3203 { 3204 BTM_TRACE_EVENT ("btm_sec_rmt_name_request_complete() continue bonding sm4: 0x%04x, status:0x%x", p_dev_rec->sm4, status); 3205 if(btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_CANCEL_DD) 3206 { 3207 btm_sec_bond_cancel_complete(); 3208 return; 3209 } 3210 3211 if (status != HCI_SUCCESS) 3212 { 3213 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 3214 3215 if (btm_cb.api.p_auth_complete_callback) 3216 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class, 3217 p_dev_rec->sec_bd_name, status); 3218 return; 3219 } 3220 3221 /* if peer is very old legacy devices, HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT is not reported */ 3222 if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4)) 3223 { 3224 /* set the KNOWN flag only if BTM_PAIR_FLAGS_REJECTED_CONNECT is not set.*/ 3225 /* If it is set, there may be a race condition */ 3226 BTM_TRACE_DEBUG ("btm_sec_rmt_name_request_complete IS_SM4_UNKNOWN Flags:0x%04x", 3227 btm_cb.pairing_flags); 3228 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT) == 0) 3229 { 3230 p_dev_rec->sm4 |= BTM_SM4_KNOWN; 3231 } 3232 } 3233 3234 BTM_TRACE_DEBUG("%s, SM4 Value: %x, Legacy:%d,IS SM4:%d, Unknown:%d",__FUNCTION__, 3235 p_dev_rec->sm4, BTM_SEC_IS_SM4_LEGACY(p_dev_rec->sm4), 3236 BTM_SEC_IS_SM4(p_dev_rec->sm4),BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4)); 3237 3238 /* BT 2.1 or carkit, bring up the connection to force the peer to request PIN. 3239 ** Else prefetch (btm_sec_check_prefetch_pin will do the prefetching if needed) 3240 */ 3241 if ((p_dev_rec->sm4 != BTM_SM4_KNOWN) || !btm_sec_check_prefetch_pin(p_dev_rec)) 3242 { 3243 /* if we rejected incoming connection request, we have to wait HCI_Connection_Complete event */ 3244 /* before originating */ 3245 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT) 3246 { 3247 BTM_TRACE_WARNING ("btm_sec_rmt_name_request_complete: waiting HCI_Connection_Complete after rejecting connection"); 3248 } 3249 /* Both we and the peer are 2.1 - continue to create connection */ 3250 else if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED) 3251 { 3252 BTM_TRACE_WARNING ("btm_sec_rmt_name_request_complete: failed to start connection"); 3253 3254 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 3255 3256 if (btm_cb.api.p_auth_complete_callback) 3257 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class, 3258 p_dev_rec->sec_bd_name, HCI_ERR_MEMORY_FULL); 3259 } 3260 } 3261 return; 3262 } 3263 else 3264 { 3265 BTM_TRACE_WARNING ("btm_sec_rmt_name_request_complete: wrong BDA, retry with pairing BDA"); 3266 3267 BTM_ReadRemoteDeviceName (btm_cb.pairing_bda, NULL, BT_TRANSPORT_BR_EDR); 3268 return; 3269 } 3270 } 3271 3272 /* check if we were delaying link_key_callback because name was not resolved */ 3273 if (p_dev_rec->link_key_not_sent) 3274 { 3275 /* If HCI connection complete has not arrived, wait for it */ 3276 if (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE) 3277 return; 3278 3279 p_dev_rec->link_key_not_sent = FALSE; 3280 btm_send_link_key_notif(p_dev_rec); 3281 3282 /* If its not us who perform authentication, we should tell stackserver */ 3283 /* that some authentication has been completed */ 3284 /* This is required when different entities receive link notification and auth complete */ 3285 if (!(p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE)) 3286 { 3287 if (btm_cb.api.p_auth_complete_callback) 3288 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, 3289 p_dev_rec->dev_class, 3290 p_dev_rec->sec_bd_name, HCI_SUCCESS); 3291 3292 } 3293 } 3294 3295 /* If this is a bonding procedure can disconnect the link now */ 3296 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) 3297 && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)) 3298 { 3299 BTM_TRACE_WARNING ("btm_sec_rmt_name_request_complete (none/ce)"); 3300 p_dev_rec->security_required &= ~(BTM_SEC_OUT_AUTHENTICATE); 3301 l2cu_start_post_bond_timer(p_dev_rec->hci_handle); 3302 return; 3303 } 3304 3305 if (old_sec_state != BTM_SEC_STATE_GETTING_NAME) 3306 return; 3307 3308 /* If get name failed, notify the waiting layer */ 3309 if (status != HCI_SUCCESS) 3310 { 3311 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING, FALSE); 3312 return; 3313 } 3314 3315 if (p_dev_rec->sm4 & BTM_SM4_REQ_PEND) 3316 { 3317 BTM_TRACE_EVENT ("waiting for remote features!!"); 3318 return; 3319 } 3320 3321 /* Remote Name succeeded, execute the next security procedure, if any */ 3322 status = (UINT8)btm_sec_execute_procedure (p_dev_rec); 3323 3324 /* If result is pending reply from the user or from the device is pending */ 3325 if (status == BTM_CMD_STARTED) 3326 return; 3327 3328 /* There is no next procedure or start of procedure failed, notify the waiting layer */ 3329 btm_sec_dev_rec_cback_event (p_dev_rec, status, FALSE); 3330 } 3331 3332 /******************************************************************************* 3333 ** 3334 ** Function btm_sec_rmt_host_support_feat_evt 3335 ** 3336 ** Description This function is called when the 3337 ** HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT is received 3338 ** 3339 ** Returns void 3340 ** 3341 *******************************************************************************/ 3342 void btm_sec_rmt_host_support_feat_evt (UINT8 *p) 3343 { 3344 tBTM_SEC_DEV_REC *p_dev_rec; 3345 BD_ADDR bd_addr; /* peer address */ 3346 BD_FEATURES features; 3347 3348 STREAM_TO_BDADDR (bd_addr, p); 3349 p_dev_rec = btm_find_or_alloc_dev (bd_addr); 3350 3351 BTM_TRACE_EVENT ("btm_sec_rmt_host_support_feat_evt sm4: 0x%x p[0]: 0x%x", p_dev_rec->sm4, p[0]); 3352 3353 if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4)) 3354 { 3355 p_dev_rec->sm4 = BTM_SM4_KNOWN; 3356 STREAM_TO_ARRAY(features, p, HCI_FEATURE_BYTES_PER_PAGE); 3357 if (HCI_SSP_HOST_SUPPORTED(features)) 3358 { 3359 p_dev_rec->sm4 = BTM_SM4_TRUE; 3360 } 3361 BTM_TRACE_EVENT ("btm_sec_rmt_host_support_feat_evt sm4: 0x%x features[0]: 0x%x", p_dev_rec->sm4, features[0]); 3362 } 3363 } 3364 3365 /******************************************************************************* 3366 ** 3367 ** Function btm_io_capabilities_req 3368 ** 3369 ** Description This function is called when LM request for the IO 3370 ** capability of the local device and 3371 ** if the OOB data is present for the device in the event 3372 ** 3373 ** Returns void 3374 ** 3375 *******************************************************************************/ 3376 void btm_io_capabilities_req (UINT8 *p) 3377 { 3378 tBTM_SP_IO_REQ evt_data; 3379 UINT8 err_code = 0; 3380 tBTM_SEC_DEV_REC *p_dev_rec; 3381 BOOLEAN is_orig = TRUE; 3382 UINT8 callback_rc = BTM_SUCCESS; 3383 3384 STREAM_TO_BDADDR (evt_data.bd_addr, p); 3385 3386 /* setup the default response according to compile options */ 3387 /* assume that the local IO capability does not change 3388 * loc_io_caps is initialized with the default value */ 3389 evt_data.io_cap = btm_cb.devcb.loc_io_caps; 3390 evt_data.oob_data = BTM_OOB_NONE; 3391 evt_data.auth_req = BTM_DEFAULT_AUTH_REQ; 3392 3393 BTM_TRACE_EVENT("%s: State: %s", __FUNCTION__, btm_pair_state_descr(btm_cb.pairing_state)); 3394 3395 p_dev_rec = btm_find_or_alloc_dev (evt_data.bd_addr); 3396 3397 BTM_TRACE_DEBUG("%s:Security mode: %d, Num Read Remote Feat pages: %d", __FUNCTION__, 3398 btm_cb.security_mode, p_dev_rec->num_read_pages); 3399 3400 if ((btm_cb.security_mode == BTM_SEC_MODE_SC) && (p_dev_rec->num_read_pages == 0)) 3401 { 3402 BTM_TRACE_EVENT("%s: Device security mode is SC only.", 3403 "To continue need to know remote features.", __FUNCTION__); 3404 3405 p_dev_rec->remote_features_needed = TRUE; 3406 return; 3407 } 3408 3409 p_dev_rec->sm4 |= BTM_SM4_TRUE; 3410 3411 BTM_TRACE_EVENT("%s: State: %s Flags: 0x%04x p_cur_service: 0x%08x", 3412 __FUNCTION__, btm_pair_state_descr(btm_cb.pairing_state), 3413 btm_cb.pairing_flags, p_dev_rec->p_cur_service); 3414 3415 if (p_dev_rec->p_cur_service) 3416 { 3417 BTM_TRACE_EVENT("%s: cur_service psm: 0x%04x, security_flags: 0x%04x", 3418 __FUNCTION__, p_dev_rec->p_cur_service->psm, 3419 p_dev_rec->p_cur_service->security_flags); 3420 } 3421 3422 switch (btm_cb.pairing_state) 3423 { 3424 /* initiator connecting */ 3425 case BTM_PAIR_STATE_IDLE: 3426 //TODO: Handle Idle pairing state 3427 //security_required = p_dev_rec->security_required; 3428 break; 3429 3430 /* received IO capability response already->acceptor */ 3431 case BTM_PAIR_STATE_INCOMING_SSP: 3432 is_orig = FALSE; 3433 3434 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_PEER_STARTED_DD) 3435 { 3436 /* acceptor in dedicated bonding */ 3437 evt_data.auth_req = BTM_DEFAULT_DD_AUTH_REQ; 3438 } 3439 break; 3440 3441 /* initiator, at this point it is expected to be dedicated bonding 3442 initiated by local device */ 3443 case BTM_PAIR_STATE_WAIT_PIN_REQ: 3444 if (!memcmp (evt_data.bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN)) 3445 { 3446 evt_data.auth_req = BTM_DEFAULT_DD_AUTH_REQ; 3447 } 3448 else 3449 { 3450 err_code = HCI_ERR_HOST_BUSY_PAIRING; 3451 } 3452 break; 3453 3454 /* any other state is unexpected */ 3455 default: 3456 err_code = HCI_ERR_HOST_BUSY_PAIRING; 3457 BTM_TRACE_ERROR("%s: Unexpected Pairing state received %d", __FUNCTION__, 3458 btm_cb.pairing_state); 3459 break; 3460 } 3461 3462 if (btm_cb.pairing_disabled) 3463 { 3464 /* pairing is not allowed */ 3465 BTM_TRACE_DEBUG("%s: Pairing is not allowed -> fail pairing.", __FUNCTION__); 3466 err_code = HCI_ERR_PAIRING_NOT_ALLOWED; 3467 } 3468 else if (btm_cb.security_mode == BTM_SEC_MODE_SC) 3469 { 3470 BOOLEAN local_supports_sc = controller_get_interface()->supports_secure_connections(); 3471 /* device in Secure Connections Only mode */ 3472 if (!(local_supports_sc) || !(p_dev_rec->remote_supports_secure_connections)) 3473 { 3474 BTM_TRACE_DEBUG("%s: SC only service, local_support_for_sc %d,", 3475 " remote_support_for_sc 0x%02x -> fail pairing", __FUNCTION__, 3476 local_supports_sc, p_dev_rec->remote_supports_secure_connections); 3477 3478 err_code = HCI_ERR_PAIRING_NOT_ALLOWED; 3479 } 3480 } 3481 3482 if (err_code != 0) 3483 { 3484 /* coverity[uninit_use_in_call] 3485 Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp" 3486 False-positive: evt_data.bd_addr is set at the beginning with: STREAM_TO_BDADDR (evt_data.bd_addr, p); 3487 */ 3488 btsnd_hcic_io_cap_req_neg_reply(evt_data.bd_addr, err_code); 3489 return; 3490 } 3491 3492 evt_data.is_orig = is_orig; 3493 3494 if (is_orig) 3495 { 3496 /* local device initiated the pairing non-bonding -> use p_cur_service */ 3497 if (!(btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) && 3498 p_dev_rec->p_cur_service && 3499 (p_dev_rec->p_cur_service->security_flags & BTM_SEC_OUT_AUTHENTICATE)) 3500 { 3501 if (btm_cb.security_mode == BTM_SEC_MODE_SC) 3502 { 3503 /* SC only mode device requires MITM protection */ 3504 evt_data.auth_req = BTM_AUTH_SP_YES; 3505 } 3506 else 3507 { 3508 evt_data.auth_req = (p_dev_rec->p_cur_service->security_flags & 3509 BTM_SEC_OUT_MITM)? BTM_AUTH_SP_YES : BTM_AUTH_SP_NO; 3510 } 3511 } 3512 } 3513 3514 /* Notify L2CAP to increase timeout */ 3515 l2c_pin_code_request (evt_data.bd_addr); 3516 3517 memcpy (btm_cb.pairing_bda, evt_data.bd_addr, BD_ADDR_LEN); 3518 3519 /* coverity[uninit_use_in_call] 3520 Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp" 3521 False-positive: False-positive: evt_data.bd_addr is set at the beginning with: STREAM_TO_BDADDR (evt_data.bd_addr, p); 3522 */ 3523 if (!memcmp (evt_data.bd_addr, btm_cb.connecting_bda, BD_ADDR_LEN)) 3524 memcpy (p_dev_rec->dev_class, btm_cb.connecting_dc, DEV_CLASS_LEN); 3525 3526 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS); 3527 3528 callback_rc = BTM_SUCCESS; 3529 if (p_dev_rec->sm4 & BTM_SM4_UPGRADE) 3530 { 3531 p_dev_rec->sm4 &= ~BTM_SM4_UPGRADE; 3532 3533 /* link key upgrade: always use SPGB_YES - assuming we want to save the link key */ 3534 evt_data.auth_req = BTM_AUTH_SPGB_YES; 3535 } 3536 else if (btm_cb.api.p_sp_callback) 3537 { 3538 /* the callback function implementation may change the IO capability... */ 3539 callback_rc = (*btm_cb.api.p_sp_callback) (BTM_SP_IO_REQ_EVT, (tBTM_SP_EVT_DATA *)&evt_data); 3540 } 3541 3542 #if BTM_OOB_INCLUDED == TRUE 3543 if ((callback_rc == BTM_SUCCESS) || (BTM_OOB_UNKNOWN != evt_data.oob_data)) 3544 #else 3545 if (callback_rc == BTM_SUCCESS) 3546 #endif 3547 { 3548 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)) 3549 { 3550 evt_data.auth_req = (BTM_AUTH_DD_BOND | (evt_data.auth_req & BTM_AUTH_YN_BIT)); 3551 } 3552 3553 if (btm_cb.security_mode == BTM_SEC_MODE_SC) 3554 { 3555 /* At this moment we know that both sides are SC capable, device in */ 3556 /* SC only mode requires MITM for any service so let's set MITM bit */ 3557 evt_data.auth_req |= BTM_AUTH_YN_BIT; 3558 BTM_TRACE_DEBUG("%s: for device in \"SC only\" mode set auth_req to 0x%02x", 3559 __FUNCTION__, evt_data.auth_req); 3560 } 3561 3562 /* if the user does not indicate "reply later" by setting the oob_data to unknown */ 3563 /* send the response right now. Save the current IO capability in the control block */ 3564 btm_cb.devcb.loc_auth_req = evt_data.auth_req; 3565 btm_cb.devcb.loc_io_caps = evt_data.io_cap; 3566 3567 BTM_TRACE_EVENT("%s: State: %s IO_CAP:%d oob_data:%d auth_req:%d", 3568 __FUNCTION__, btm_pair_state_descr(btm_cb.pairing_state), evt_data.io_cap, 3569 evt_data.oob_data, evt_data.auth_req); 3570 3571 btsnd_hcic_io_cap_req_reply(evt_data.bd_addr, evt_data.io_cap, 3572 evt_data.oob_data, evt_data.auth_req); 3573 } 3574 } 3575 3576 /******************************************************************************* 3577 ** 3578 ** Function btm_io_capabilities_rsp 3579 ** 3580 ** Description This function is called when the IO capability of the 3581 ** specified device is received 3582 ** 3583 ** Returns void 3584 ** 3585 *******************************************************************************/ 3586 void btm_io_capabilities_rsp (UINT8 *p) 3587 { 3588 tBTM_SEC_DEV_REC *p_dev_rec; 3589 tBTM_SP_IO_RSP evt_data; 3590 3591 STREAM_TO_BDADDR (evt_data.bd_addr, p); 3592 STREAM_TO_UINT8 (evt_data.io_cap, p); 3593 STREAM_TO_UINT8 (evt_data.oob_data, p); 3594 STREAM_TO_UINT8 (evt_data.auth_req, p); 3595 3596 /* Allocate a new device record or reuse the oldest one */ 3597 p_dev_rec = btm_find_or_alloc_dev (evt_data.bd_addr); 3598 3599 /* If no security is in progress, this indicates incoming security */ 3600 if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE) 3601 { 3602 memcpy (btm_cb.pairing_bda, evt_data.bd_addr, BD_ADDR_LEN); 3603 3604 btm_sec_change_pairing_state (BTM_PAIR_STATE_INCOMING_SSP); 3605 3606 /* Make sure we reset the trusted mask to help against attacks */ 3607 BTM_SEC_CLR_TRUSTED_DEVICE(p_dev_rec->trusted_mask); 3608 3609 /* work around for FW bug */ 3610 btm_inq_stop_on_ssp(); 3611 } 3612 3613 /* Notify L2CAP to increase timeout */ 3614 l2c_pin_code_request (evt_data.bd_addr); 3615 3616 /* We must have a device record here. 3617 * Use the connecting device's CoD for the connection */ 3618 /* coverity[uninit_use_in_call] 3619 Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp" 3620 FALSE-POSITIVE error from Coverity test-tool. evt_data.bd_addr is set at the beginning with: STREAM_TO_BDADDR (evt_data.bd_addr, p); 3621 */ 3622 if (!memcmp (evt_data.bd_addr, btm_cb.connecting_bda, BD_ADDR_LEN)) 3623 memcpy (p_dev_rec->dev_class, btm_cb.connecting_dc, DEV_CLASS_LEN); 3624 3625 /* peer sets dedicated bonding bit and we did not initiate dedicated bonding */ 3626 if (btm_cb.pairing_state == BTM_PAIR_STATE_INCOMING_SSP /* peer initiated bonding */ 3627 && (evt_data.auth_req & BTM_AUTH_DD_BOND) ) /* and dedicated bonding bit is set */ 3628 { 3629 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PEER_STARTED_DD; 3630 } 3631 3632 /* save the IO capability in the device record */ 3633 p_dev_rec->rmt_io_caps = evt_data.io_cap; 3634 p_dev_rec->rmt_auth_req = evt_data.auth_req; 3635 3636 if (btm_cb.api.p_sp_callback) 3637 (*btm_cb.api.p_sp_callback) (BTM_SP_IO_RSP_EVT, (tBTM_SP_EVT_DATA *)&evt_data); 3638 } 3639 3640 /******************************************************************************* 3641 ** 3642 ** Function btm_proc_sp_req_evt 3643 ** 3644 ** Description This function is called to process/report 3645 ** HCI_USER_CONFIRMATION_REQUEST_EVT 3646 ** or HCI_USER_PASSKEY_REQUEST_EVT 3647 ** or HCI_USER_PASSKEY_NOTIFY_EVT 3648 ** 3649 ** Returns void 3650 ** 3651 *******************************************************************************/ 3652 void btm_proc_sp_req_evt (tBTM_SP_EVT event, UINT8 *p) 3653 { 3654 tBTM_STATUS status = BTM_ERR_PROCESSING; 3655 tBTM_SP_EVT_DATA evt_data; 3656 UINT8 *p_bda = evt_data.cfm_req.bd_addr; 3657 tBTM_SEC_DEV_REC *p_dev_rec; 3658 3659 /* All events start with bd_addr */ 3660 STREAM_TO_BDADDR (p_bda, p); 3661 3662 BTM_TRACE_EVENT ("btm_proc_sp_req_evt() BDA: %08x%04x event: 0x%x, State: %s", 3663 (p_bda[0]<<24) + (p_bda[1]<<16) + (p_bda[2]<<8) + p_bda[3], (p_bda[4] << 8) + p_bda[5], 3664 event, btm_pair_state_descr(btm_cb.pairing_state)); 3665 3666 if ( ((p_dev_rec = btm_find_dev (p_bda)) != NULL) 3667 && (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) 3668 && (memcmp (btm_cb.pairing_bda, p_bda, BD_ADDR_LEN) == 0) ) 3669 { 3670 memcpy (evt_data.cfm_req.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN); 3671 memcpy (evt_data.cfm_req.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN); 3672 3673 BCM_STRNCPY_S ((char *)evt_data.cfm_req.bd_name, sizeof(evt_data.cfm_req.bd_name), (char *)p_dev_rec->sec_bd_name, BTM_MAX_REM_BD_NAME_LEN); 3674 3675 switch (event) 3676 { 3677 case BTM_SP_CFM_REQ_EVT: 3678 /* Numeric confirmation. Need user to conf the passkey */ 3679 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM); 3680 3681 /* The device record must be allocated in the "IO cap exchange" step */ 3682 STREAM_TO_UINT32 (evt_data.cfm_req.num_val, p); 3683 3684 evt_data.cfm_req.just_works = TRUE; 3685 3686 /* process user confirm req in association with the auth_req param */ 3687 #if (BTM_LOCAL_IO_CAPS == BTM_IO_CAP_IO) 3688 if ( (p_dev_rec->rmt_io_caps == BTM_IO_CAP_IO) 3689 && (btm_cb.devcb.loc_io_caps == BTM_IO_CAP_IO) 3690 && ((p_dev_rec->rmt_auth_req & BTM_AUTH_SP_YES) || (btm_cb.devcb.loc_auth_req & BTM_AUTH_SP_YES)) ) 3691 { 3692 /* Both devices are DisplayYesNo and one or both devices want to authenticate 3693 -> use authenticated link key */ 3694 evt_data.cfm_req.just_works = FALSE; 3695 } 3696 #endif 3697 BTM_TRACE_DEBUG ("btm_proc_sp_req_evt() just_works:%d, io loc:%d, rmt:%d, auth loc:%d, rmt:%d", 3698 evt_data.cfm_req.just_works, btm_cb.devcb.loc_io_caps, p_dev_rec->rmt_io_caps, 3699 btm_cb.devcb.loc_auth_req, p_dev_rec->rmt_auth_req); 3700 3701 evt_data.cfm_req.loc_auth_req = btm_cb.devcb.loc_auth_req; 3702 evt_data.cfm_req.rmt_auth_req = p_dev_rec->rmt_auth_req; 3703 evt_data.cfm_req.loc_io_caps = btm_cb.devcb.loc_io_caps; 3704 evt_data.cfm_req.rmt_io_caps = p_dev_rec->rmt_io_caps; 3705 break; 3706 3707 case BTM_SP_KEY_NOTIF_EVT: 3708 /* Passkey notification (other side is a keyboard) */ 3709 STREAM_TO_UINT32 (evt_data.key_notif.passkey, p); 3710 3711 BTM_TRACE_DEBUG ("BTM_SP_KEY_NOTIF_EVT: passkey: %u", evt_data.key_notif.passkey); 3712 3713 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE); 3714 break; 3715 3716 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE) 3717 case BTM_SP_KEY_REQ_EVT: 3718 /* HCI_USER_PASSKEY_REQUEST_EVT */ 3719 btm_sec_change_pairing_state (BTM_PAIR_STATE_KEY_ENTRY); 3720 break; 3721 #endif 3722 } 3723 3724 if (btm_cb.api.p_sp_callback) 3725 { 3726 status = (*btm_cb.api.p_sp_callback) (event, (tBTM_SP_EVT_DATA *)&evt_data); 3727 if (status != BTM_NOT_AUTHORIZED) 3728 { 3729 return; 3730 } 3731 /* else BTM_NOT_AUTHORIZED means when the app wants to reject the req right now */ 3732 } 3733 else if ( (event == BTM_SP_CFM_REQ_EVT) && (evt_data.cfm_req.just_works == TRUE) ) 3734 { 3735 /* automatically reply with just works if no sp_cback */ 3736 status = BTM_SUCCESS; 3737 } 3738 3739 if (event == BTM_SP_CFM_REQ_EVT) 3740 { 3741 BTM_TRACE_DEBUG ("calling BTM_ConfirmReqReply with status: %d", status); 3742 BTM_ConfirmReqReply (status, p_bda); 3743 } 3744 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE) 3745 else if (event == BTM_SP_KEY_REQ_EVT) 3746 { 3747 BTM_PasskeyReqReply(status, p_bda, 0); 3748 } 3749 #endif 3750 return; 3751 } 3752 3753 /* Something bad. we can only fail this connection */ 3754 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY; 3755 3756 if (BTM_SP_CFM_REQ_EVT == event) 3757 { 3758 btsnd_hcic_user_conf_reply (p_bda, FALSE); 3759 } 3760 else if (BTM_SP_KEY_NOTIF_EVT == event) 3761 { 3762 /* do nothing -> it very unlikely to happen. 3763 This event is most likely to be received by a HID host when it first connects to a HID device. 3764 Usually the Host initiated the connection in this case. 3765 On Mobile platforms, if there's a security process happening, 3766 the host probably can not initiate another connection. 3767 BTW (PC) is another story. */ 3768 if (NULL != (p_dev_rec = btm_find_dev (p_bda)) ) 3769 { 3770 btm_sec_disconnect (p_dev_rec->hci_handle, HCI_ERR_AUTH_FAILURE); 3771 } 3772 } 3773 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE) 3774 else 3775 { 3776 btsnd_hcic_user_passkey_neg_reply(p_bda); 3777 } 3778 #endif 3779 } 3780 3781 /******************************************************************************* 3782 ** 3783 ** Function btm_keypress_notif_evt 3784 ** 3785 ** Description This function is called when a key press notification is 3786 ** received 3787 ** 3788 ** Returns void 3789 ** 3790 *******************************************************************************/ 3791 void btm_keypress_notif_evt (UINT8 *p) 3792 { 3793 tBTM_SP_KEYPRESS evt_data; 3794 UINT8 *p_bda; 3795 3796 /* parse & report BTM_SP_KEYPRESS_EVT */ 3797 if (btm_cb.api.p_sp_callback) 3798 { 3799 p_bda = evt_data.bd_addr; 3800 3801 STREAM_TO_BDADDR (p_bda, p); 3802 evt_data.notif_type = *p; 3803 3804 (*btm_cb.api.p_sp_callback) (BTM_SP_KEYPRESS_EVT, (tBTM_SP_EVT_DATA *)&evt_data); 3805 } 3806 } 3807 3808 /******************************************************************************* 3809 ** 3810 ** Function btm_simple_pair_complete 3811 ** 3812 ** Description This function is called when simple pairing process is 3813 ** complete 3814 ** 3815 ** Returns void 3816 ** 3817 *******************************************************************************/ 3818 void btm_simple_pair_complete (UINT8 *p) 3819 { 3820 tBTM_SP_COMPLT evt_data; 3821 tBTM_SEC_DEV_REC *p_dev_rec; 3822 UINT8 status; 3823 BOOLEAN disc = FALSE; 3824 3825 status = *p++; 3826 STREAM_TO_BDADDR (evt_data.bd_addr, p); 3827 3828 if ((p_dev_rec = btm_find_dev (evt_data.bd_addr)) == NULL) 3829 { 3830 BTM_TRACE_ERROR ("btm_simple_pair_complete() with unknown BDA: %08x%04x", 3831 (evt_data.bd_addr[0]<<24) + (evt_data.bd_addr[1]<<16) + (evt_data.bd_addr[2]<<8) + evt_data.bd_addr[3], 3832 (evt_data.bd_addr[4] << 8) + evt_data.bd_addr[5]); 3833 return; 3834 } 3835 3836 BTM_TRACE_EVENT ("btm_simple_pair_complete() Pair State: %s Status:%d sec_state: %u", 3837 btm_pair_state_descr(btm_cb.pairing_state), status, p_dev_rec->sec_state); 3838 3839 evt_data.status = BTM_ERR_PROCESSING; 3840 if (status == HCI_SUCCESS) 3841 { 3842 evt_data.status = BTM_SUCCESS; 3843 p_dev_rec->sec_flags |= BTM_SEC_AUTHENTICATED; 3844 } 3845 else 3846 { 3847 if (status == HCI_ERR_PAIRING_NOT_ALLOWED) 3848 { 3849 /* The test spec wants the peer device to get this failure code. */ 3850 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_DISCONNECT); 3851 3852 /* Change the timer to 1 second */ 3853 btu_start_timer (&btm_cb.pairing_tle, BTU_TTYPE_USER_FUNC, BT_1SEC_TIMEOUT); 3854 } 3855 else if (memcmp (btm_cb.pairing_bda, evt_data.bd_addr, BD_ADDR_LEN) == 0) 3856 { 3857 /* stop the timer */ 3858 btu_stop_timer (&btm_cb.pairing_tle); 3859 3860 if (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING) 3861 { 3862 /* the initiating side: will receive auth complete event. disconnect ACL at that time */ 3863 disc = TRUE; 3864 } 3865 } 3866 else 3867 disc = TRUE; 3868 } 3869 3870 /* Let the pairing state stay active, p_auth_complete_callback will report the failure */ 3871 memcpy (evt_data.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN); 3872 memcpy (evt_data.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN); 3873 3874 if (btm_cb.api.p_sp_callback) 3875 (*btm_cb.api.p_sp_callback) (BTM_SP_COMPLT_EVT, (tBTM_SP_EVT_DATA *)&evt_data); 3876 3877 if (disc) 3878 { 3879 /* simple pairing failed */ 3880 /* Avoid sending disconnect on HCI_ERR_PEER_USER */ 3881 if ((status != HCI_ERR_PEER_USER) && (status != HCI_ERR_CONN_CAUSE_LOCAL_HOST)) 3882 { 3883 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE, p_dev_rec->hci_handle); 3884 } 3885 } 3886 } 3887 3888 #if BTM_OOB_INCLUDED == TRUE 3889 /******************************************************************************* 3890 ** 3891 ** Function btm_rem_oob_req 3892 ** 3893 ** Description This function is called to process/report 3894 ** HCI_REMOTE_OOB_DATA_REQUEST_EVT 3895 ** 3896 ** Returns void 3897 ** 3898 *******************************************************************************/ 3899 void btm_rem_oob_req (UINT8 *p) 3900 { 3901 UINT8 *p_bda; 3902 tBTM_SP_RMT_OOB evt_data; 3903 tBTM_SEC_DEV_REC *p_dev_rec; 3904 BT_OCTET16 c; 3905 BT_OCTET16 r; 3906 3907 p_bda = evt_data.bd_addr; 3908 3909 STREAM_TO_BDADDR (p_bda, p); 3910 3911 BTM_TRACE_EVENT ("btm_rem_oob_req() BDA: %02x:%02x:%02x:%02x:%02x:%02x", 3912 p_bda[0], p_bda[1], p_bda[2], p_bda[3], p_bda[4], p_bda[5]); 3913 3914 if ( (NULL != (p_dev_rec = btm_find_dev (p_bda))) && 3915 btm_cb.api.p_sp_callback) 3916 { 3917 memcpy (evt_data.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN); 3918 memcpy (evt_data.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN); 3919 BCM_STRNCPY_S((char *)evt_data.bd_name, sizeof(evt_data.bd_name), (char *)p_dev_rec->sec_bd_name, BTM_MAX_REM_BD_NAME_LEN+1); 3920 evt_data.bd_name[BTM_MAX_REM_BD_NAME_LEN] = 0; 3921 3922 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP); 3923 if ((*btm_cb.api.p_sp_callback) (BTM_SP_RMT_OOB_EVT, (tBTM_SP_EVT_DATA *)&evt_data) == BTM_NOT_AUTHORIZED) 3924 { 3925 BTM_RemoteOobDataReply(TRUE, p_bda, c, r); 3926 } 3927 return; 3928 } 3929 3930 /* something bad. we can only fail this connection */ 3931 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY; 3932 btsnd_hcic_rem_oob_neg_reply (p_bda); 3933 } 3934 3935 /******************************************************************************* 3936 ** 3937 ** Function btm_read_local_oob_complete 3938 ** 3939 ** Description This function is called when read local oob data is 3940 ** completed by the LM 3941 ** 3942 ** Returns void 3943 ** 3944 *******************************************************************************/ 3945 void btm_read_local_oob_complete (UINT8 *p) 3946 { 3947 tBTM_SP_LOC_OOB evt_data; 3948 UINT8 status = *p++; 3949 3950 BTM_TRACE_EVENT ("btm_read_local_oob_complete:%d", status); 3951 if (status == HCI_SUCCESS) 3952 { 3953 evt_data.status = BTM_SUCCESS; 3954 STREAM_TO_ARRAY16(evt_data.c, p); 3955 STREAM_TO_ARRAY16(evt_data.r, p); 3956 } 3957 else 3958 evt_data.status = BTM_ERR_PROCESSING; 3959 3960 if (btm_cb.api.p_sp_callback) 3961 (*btm_cb.api.p_sp_callback) (BTM_SP_LOC_OOB_EVT, (tBTM_SP_EVT_DATA *)&evt_data); 3962 } 3963 #endif /* BTM_OOB_INCLUDED */ 3964 3965 /******************************************************************************* 3966 ** 3967 ** Function btm_sec_auth_collision 3968 ** 3969 ** Description This function is called when authentication or encryption 3970 ** needs to be retried at a later time. 3971 ** 3972 ** Returns void 3973 ** 3974 *******************************************************************************/ 3975 static void btm_sec_auth_collision (UINT16 handle) 3976 { 3977 tBTM_SEC_DEV_REC *p_dev_rec; 3978 3979 if (!btm_cb.collision_start_time) 3980 btm_cb.collision_start_time = GKI_get_os_tick_count(); 3981 3982 if ((GKI_get_os_tick_count() - btm_cb.collision_start_time) < btm_cb.max_collision_delay) 3983 { 3984 if (handle == BTM_SEC_INVALID_HANDLE) 3985 { 3986 if ((p_dev_rec = btm_sec_find_dev_by_sec_state (BTM_SEC_STATE_AUTHENTICATING)) == NULL) 3987 p_dev_rec = btm_sec_find_dev_by_sec_state (BTM_SEC_STATE_ENCRYPTING); 3988 } 3989 else 3990 p_dev_rec = btm_find_dev_by_handle (handle); 3991 3992 if (p_dev_rec != NULL) 3993 { 3994 BTM_TRACE_DEBUG ("btm_sec_auth_collision: state %d (retrying in a moment...)", p_dev_rec->sec_state); 3995 /* We will restart authentication after timeout */ 3996 if (p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING || p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING) 3997 p_dev_rec->sec_state = 0; 3998 3999 btm_cb.p_collided_dev_rec = p_dev_rec; 4000 btm_cb.sec_collision_tle.param = (UINT32) btm_sec_collision_timeout; 4001 btu_start_timer (&btm_cb.sec_collision_tle, BTU_TTYPE_USER_FUNC, BT_1SEC_TIMEOUT); 4002 } 4003 } 4004 } 4005 4006 /******************************************************************************* 4007 ** 4008 ** Function btm_sec_auth_complete 4009 ** 4010 ** Description This function is when authentication of the connection is 4011 ** completed by the LM 4012 ** 4013 ** Returns void 4014 ** 4015 *******************************************************************************/ 4016 void btm_sec_auth_complete (UINT16 handle, UINT8 status) 4017 { 4018 UINT8 old_sm4; 4019 tBTM_PAIRING_STATE old_state = btm_cb.pairing_state; 4020 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle); 4021 BOOLEAN are_bonding = FALSE; 4022 4023 /* Commenting out trace due to obf/compilation problems. 4024 */ 4025 #if (BT_USE_TRACES == TRUE) 4026 if (p_dev_rec) 4027 { 4028 BTM_TRACE_EVENT ("Security Manager: auth_complete PairState: %s handle:%u status:%d dev->sec_state: %u Bda:%08x, RName:%s", 4029 btm_pair_state_descr (btm_cb.pairing_state), 4030 handle, status, 4031 p_dev_rec->sec_state, 4032 (p_dev_rec->bd_addr[2]<<24)+(p_dev_rec->bd_addr[3]<<16)+(p_dev_rec->bd_addr[4]<<8)+p_dev_rec->bd_addr[5], 4033 p_dev_rec->sec_bd_name); 4034 } 4035 else 4036 { 4037 BTM_TRACE_EVENT ("Security Manager: auth_complete PairState: %s handle:%u status:%d", 4038 btm_pair_state_descr (btm_cb.pairing_state), 4039 handle, status); 4040 } 4041 #endif 4042 4043 /* For transaction collision we need to wait and repeat. There is no need */ 4044 /* for random timeout because only slave should receive the result */ 4045 if ((status == HCI_ERR_LMP_ERR_TRANS_COLLISION) || (status == HCI_ERR_DIFF_TRANSACTION_COLLISION)) 4046 { 4047 btm_sec_auth_collision(handle); 4048 return; 4049 } 4050 btm_cb.collision_start_time = 0; 4051 4052 btm_restore_mode(); 4053 4054 /* Check if connection was made just to do bonding. If we authenticate 4055 the connection that is up, this is the last event received. 4056 */ 4057 if (p_dev_rec 4058 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) 4059 && !(btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)) 4060 { 4061 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE; 4062 4063 l2cu_start_post_bond_timer (p_dev_rec->hci_handle); 4064 } 4065 4066 if (!p_dev_rec) 4067 return; 4068 4069 /* keep the old sm4 flag and clear the retry bit in control block */ 4070 old_sm4 = p_dev_rec->sm4; 4071 p_dev_rec->sm4 &= ~BTM_SM4_RETRY; 4072 4073 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) 4074 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) 4075 && (memcmp (p_dev_rec->bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN) == 0) ) 4076 are_bonding = TRUE; 4077 4078 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) 4079 && (memcmp (p_dev_rec->bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN) == 0) ) 4080 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 4081 4082 if (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING) 4083 { 4084 if ( (btm_cb.api.p_auth_complete_callback && status != HCI_SUCCESS) 4085 && (old_state != BTM_PAIR_STATE_IDLE) ) 4086 { 4087 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, 4088 p_dev_rec->dev_class, 4089 p_dev_rec->sec_bd_name, status); 4090 } 4091 return; 4092 } 4093 4094 /* There can be a race condition, when we are starting authentication and 4095 ** the peer device is doing encryption. 4096 ** If first we receive encryption change up, then initiated authentication 4097 ** can not be performed. According to the spec we can not do authentication 4098 ** on the encrypted link, so device is correct. 4099 */ 4100 if ((status == HCI_ERR_COMMAND_DISALLOWED) 4101 && ((p_dev_rec->sec_flags & (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED)) == 4102 (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED))) 4103 { 4104 status = HCI_SUCCESS; 4105 } 4106 /* Currently we do not notify user if it is a keyboard which connects */ 4107 /* User probably Disabled the keyboard while it was asleap. Let her try */ 4108 if (btm_cb.api.p_auth_complete_callback) 4109 { 4110 /* report the suthentication status */ 4111 if (old_state != BTM_PAIR_STATE_IDLE) 4112 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, 4113 p_dev_rec->dev_class, 4114 p_dev_rec->sec_bd_name, status); 4115 } 4116 4117 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE; 4118 4119 /* If this is a bonding procedure can disconnect the link now */ 4120 if (are_bonding) 4121 { 4122 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE; 4123 4124 if (status != HCI_SUCCESS) 4125 { 4126 if(((status != HCI_ERR_PEER_USER) && (status != HCI_ERR_CONN_CAUSE_LOCAL_HOST))) 4127 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_PEER_USER, p_dev_rec->hci_handle); 4128 } 4129 else 4130 { 4131 BTM_TRACE_DEBUG ("TRYING TO DECIDE IF CAN USE SMP_BR_CHNL"); 4132 if (p_dev_rec->new_encryption_key_is_p256 && (btm_sec_use_smp_br_chnl(p_dev_rec)) 4133 /* no LE keys are available, do deriving */ 4134 && (!(p_dev_rec->sec_flags &BTM_SEC_LE_LINK_KEY_KNOWN) || 4135 /* or BR key is higher security than existing LE keys */ 4136 (!(p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_AUTHED) && 4137 (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED)))) 4138 { 4139 BTM_TRACE_DEBUG ("link encrypted afer dedic bonding can use SMP_BR_CHNL"); 4140 4141 if (btm_sec_is_master(p_dev_rec)) 4142 { 4143 // Encryption is required to start SM over BR/EDR 4144 // indicate that this is encryption after authentication 4145 BTM_SetEncryption(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR, NULL, NULL); 4146 } 4147 } 4148 l2cu_start_post_bond_timer (p_dev_rec->hci_handle); 4149 } 4150 4151 return; 4152 } 4153 4154 /* If authentication failed, notify the waiting layer */ 4155 if (status != HCI_SUCCESS) 4156 { 4157 if ((old_sm4 & BTM_SM4_RETRY) == 0) 4158 { 4159 /* allow retry only once */ 4160 if (status == HCI_ERR_LMP_ERR_TRANS_COLLISION) 4161 { 4162 /* not retried yet. set the retry bit */ 4163 p_dev_rec->sm4 |= BTM_SM4_RETRY; 4164 BTM_TRACE_DEBUG ("Collision retry sm4:x%x sec_flags:0x%x", p_dev_rec->sm4, p_dev_rec->sec_flags); 4165 } 4166 /* this retry for missing key is for Lisbon or later only. 4167 * Legacy device do not need this. the controller will drive the retry automatically */ 4168 else if (HCI_ERR_KEY_MISSING == status && BTM_SEC_IS_SM4(p_dev_rec->sm4)) 4169 { 4170 /* not retried yet. set the retry bit */ 4171 p_dev_rec->sm4 |= BTM_SM4_RETRY; 4172 p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_KNOWN; 4173 BTM_TRACE_DEBUG ("Retry for missing key sm4:x%x sec_flags:0x%x", p_dev_rec->sm4, p_dev_rec->sec_flags); 4174 4175 /* With BRCM controller, we do not need to delete the stored link key in controller. 4176 If the stack may sit on top of other controller, we may need this 4177 BTM_DeleteStoredLinkKey (bd_addr, NULL); */ 4178 } 4179 4180 if (p_dev_rec->sm4 & BTM_SM4_RETRY) 4181 { 4182 btm_sec_execute_procedure (p_dev_rec); 4183 return; 4184 } 4185 } 4186 4187 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING, FALSE); 4188 4189 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE) 4190 { 4191 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE, p_dev_rec->hci_handle); 4192 } 4193 return; 4194 } 4195 4196 p_dev_rec->sec_flags |= BTM_SEC_AUTHENTICATED; 4197 4198 if (p_dev_rec->pin_code_length >= 16 || 4199 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB || 4200 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) { 4201 // If we have MITM protection we have a higher level of security than 4202 // provided by 16 digits PIN 4203 p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED; 4204 } 4205 4206 /* Authentication succeeded, execute the next security procedure, if any */ 4207 status = btm_sec_execute_procedure (p_dev_rec); 4208 4209 /* If there is no next procedure, or procedure failed to start, notify the caller */ 4210 if (status != BTM_CMD_STARTED) 4211 btm_sec_dev_rec_cback_event (p_dev_rec, status, FALSE); 4212 } 4213 4214 /******************************************************************************* 4215 ** 4216 ** Function btm_sec_encrypt_change 4217 ** 4218 ** Description This function is when encryption of the connection is 4219 ** completed by the LM 4220 ** 4221 ** Returns void 4222 ** 4223 *******************************************************************************/ 4224 void btm_sec_encrypt_change (UINT16 handle, UINT8 status, UINT8 encr_enable) 4225 { 4226 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle); 4227 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE 4228 tACL_CONN *p_acl = NULL; 4229 UINT8 acl_idx = btm_handle_to_acl_index(handle); 4230 #endif 4231 BTM_TRACE_EVENT ("Security Manager: encrypt_change status:%d State:%d, encr_enable = %d", 4232 status, (p_dev_rec) ? p_dev_rec->sec_state : 0, encr_enable); 4233 BTM_TRACE_DEBUG ("before update p_dev_rec->sec_flags=0x%x", (p_dev_rec) ? p_dev_rec->sec_flags : 0 ); 4234 4235 /* For transaction collision we need to wait and repeat. There is no need */ 4236 /* for random timeout because only slave should receive the result */ 4237 if ((status == HCI_ERR_LMP_ERR_TRANS_COLLISION) || 4238 (status == HCI_ERR_DIFF_TRANSACTION_COLLISION)) 4239 { 4240 btm_sec_auth_collision(handle); 4241 return; 4242 } 4243 btm_cb.collision_start_time = 0; 4244 4245 if (!p_dev_rec) 4246 return; 4247 4248 if ((status == HCI_SUCCESS) && encr_enable) 4249 { 4250 if (p_dev_rec->hci_handle == handle) { 4251 p_dev_rec->sec_flags |= (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED); 4252 if (p_dev_rec->pin_code_length >= 16 || 4253 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB || 4254 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) { 4255 p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED; 4256 } 4257 } 4258 else 4259 { 4260 p_dev_rec->sec_flags |= (BTM_SEC_LE_AUTHENTICATED | BTM_SEC_LE_ENCRYPTED); 4261 } 4262 } 4263 4264 /* It is possible that we decrypted the link to perform role switch */ 4265 /* mark link not to be encrypted, so that when we execute security next time it will kick in again */ 4266 if ((status == HCI_SUCCESS) && !encr_enable) 4267 { 4268 if (p_dev_rec->hci_handle == handle) 4269 p_dev_rec->sec_flags &= ~BTM_SEC_ENCRYPTED; 4270 else 4271 p_dev_rec->sec_flags &= ~BTM_SEC_LE_ENCRYPTED; 4272 } 4273 4274 BTM_TRACE_DEBUG ("after update p_dev_rec->sec_flags=0x%x", p_dev_rec->sec_flags ); 4275 4276 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE 4277 if (acl_idx != MAX_L2CAP_LINKS) 4278 p_acl = &btm_cb.acl_db[acl_idx]; 4279 4280 if (p_acl != NULL) 4281 btm_sec_check_pending_enc_req(p_dev_rec, p_acl->transport, encr_enable); 4282 4283 if (p_acl && p_acl->transport == BT_TRANSPORT_LE) 4284 { 4285 if (status == HCI_ERR_KEY_MISSING || status == HCI_ERR_AUTH_FAILURE || 4286 status == HCI_ERR_ENCRY_MODE_NOT_ACCEPTABLE) 4287 { 4288 p_dev_rec->sec_flags &= ~ (BTM_SEC_LE_LINK_KEY_KNOWN); 4289 p_dev_rec->ble.key_type = BTM_LE_KEY_NONE; 4290 } 4291 btm_ble_link_encrypted(p_dev_rec->ble.pseudo_addr, encr_enable); 4292 return; 4293 } 4294 else 4295 { 4296 /* BR/EDR connection, update the encryption key size to be 16 as always */ 4297 p_dev_rec->enc_key_size = 16; 4298 } 4299 4300 BTM_TRACE_DEBUG ("in %s new_encr_key_256 is %d", 4301 __func__, p_dev_rec->new_encryption_key_is_p256); 4302 4303 if ((status == HCI_SUCCESS) && encr_enable && (p_dev_rec->hci_handle == handle)) 4304 { 4305 if (p_dev_rec->new_encryption_key_is_p256) 4306 { 4307 if (btm_sec_use_smp_br_chnl(p_dev_rec) && 4308 btm_sec_is_master(p_dev_rec) && 4309 /* if LE key is not known, do deriving */ 4310 (!(p_dev_rec->sec_flags &BTM_SEC_LE_LINK_KEY_KNOWN) || 4311 /* or BR key is higher security than existing LE keys */ 4312 (!(p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_AUTHED) 4313 && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED)))) 4314 { 4315 /* BR/EDR is encrypted with LK that can be used to derive LE LTK */ 4316 p_dev_rec->new_encryption_key_is_p256 = FALSE; 4317 4318 if (p_dev_rec->no_smp_on_br) 4319 { 4320 BTM_TRACE_DEBUG ("%s NO SM over BR/EDR", __func__); 4321 } 4322 else 4323 { 4324 BTM_TRACE_DEBUG ("%s start SM over BR/EDR", __func__); 4325 SMP_BR_PairWith(p_dev_rec->bd_addr); 4326 } 4327 } 4328 } 4329 else 4330 { 4331 // BR/EDR is successfully encrypted. Correct LK type if needed 4332 // (BR/EDR LK derived from LE LTK was used for encryption) 4333 if ((encr_enable == 1) && /* encryption is ON for SSP */ 4334 /* LK type is for BR/EDR SC */ 4335 (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256 || 4336 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256)) 4337 { 4338 if (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256) 4339 p_dev_rec->link_key_type = BTM_LKEY_TYPE_UNAUTH_COMB; 4340 else /* BTM_LKEY_TYPE_AUTH_COMB_P_256 */ 4341 p_dev_rec->link_key_type = BTM_LKEY_TYPE_AUTH_COMB; 4342 4343 BTM_TRACE_DEBUG("updated link key type to %d", p_dev_rec->link_key_type); 4344 btm_send_link_key_notif(p_dev_rec); 4345 } 4346 } 4347 } 4348 #else 4349 btm_sec_check_pending_enc_req (p_dev_rec, BT_TRANSPORT_BR_EDR, encr_enable); 4350 #endif /* BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE */ 4351 4352 /* If this encryption was started by peer do not need to do anything */ 4353 if (p_dev_rec->sec_state != BTM_SEC_STATE_ENCRYPTING) 4354 { 4355 if (BTM_SEC_STATE_DELAY_FOR_ENC == p_dev_rec->sec_state) 4356 { 4357 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE; 4358 p_dev_rec->p_callback = NULL; 4359 l2cu_resubmit_pending_sec_req (p_dev_rec->bd_addr); 4360 } 4361 return; 4362 } 4363 4364 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE; 4365 /* If encryption setup failed, notify the waiting layer */ 4366 if (status != HCI_SUCCESS) 4367 { 4368 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING, FALSE); 4369 return; 4370 } 4371 4372 /* Encryption setup succeeded, execute the next security procedure, if any */ 4373 status = (UINT8)btm_sec_execute_procedure (p_dev_rec); 4374 /* If there is no next procedure, or procedure failed to start, notify the caller */ 4375 if (status != BTM_CMD_STARTED) 4376 btm_sec_dev_rec_cback_event (p_dev_rec, status, FALSE); 4377 } 4378 4379 /******************************************************************************* 4380 ** 4381 ** Function btm_sec_connect_after_reject_timeout 4382 ** 4383 ** Description Connection for bonding could not start because of the collision 4384 ** Initiate outgoing connection 4385 ** 4386 ** Returns Pointer to the TLE struct 4387 ** 4388 *******************************************************************************/ 4389 static void btm_sec_connect_after_reject_timeout (TIMER_LIST_ENT *p_tle) 4390 { 4391 tBTM_SEC_DEV_REC *p_dev_rec = btm_cb.p_collided_dev_rec; 4392 UNUSED(p_tle); 4393 4394 BTM_TRACE_EVENT ("btm_sec_connect_after_reject_timeout()"); 4395 btm_cb.sec_collision_tle.param = 0; 4396 btm_cb.p_collided_dev_rec = 0; 4397 4398 if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED) 4399 { 4400 BTM_TRACE_WARNING ("Security Manager: btm_sec_connect_after_reject_timeout: failed to start connection"); 4401 4402 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 4403 4404 if (btm_cb.api.p_auth_complete_callback) 4405 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class, 4406 p_dev_rec->sec_bd_name, HCI_ERR_MEMORY_FULL); 4407 } 4408 } 4409 4410 /******************************************************************************* 4411 ** 4412 ** Function btm_sec_connected 4413 ** 4414 ** Description This function is when a connection to the peer device is 4415 ** establsihed 4416 ** 4417 ** Returns void 4418 ** 4419 *******************************************************************************/ 4420 void btm_sec_connected (UINT8 *bda, UINT16 handle, UINT8 status, UINT8 enc_mode) 4421 { 4422 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bda); 4423 UINT8 res; 4424 BOOLEAN is_pairing_device = FALSE; 4425 tACL_CONN *p_acl_cb; 4426 UINT8 bit_shift = 0; 4427 4428 btm_acl_resubmit_page(); 4429 4430 /* Commenting out trace due to obf/compilation problems. 4431 */ 4432 #if (BT_USE_TRACES == TRUE) 4433 if (p_dev_rec) 4434 { 4435 BTM_TRACE_EVENT ("Security Manager: btm_sec_connected in state: %s handle:%d status:%d enc_mode:%d bda:%x RName:%s", 4436 btm_pair_state_descr(btm_cb.pairing_state), handle, status, enc_mode, 4437 (bda[2]<<24)+(bda[3]<<16)+(bda[4]<<8)+bda[5], 4438 p_dev_rec->sec_bd_name); 4439 } 4440 else 4441 { 4442 BTM_TRACE_EVENT ("Security Manager: btm_sec_connected in state: %s handle:%d status:%d enc_mode:%d bda:%x ", 4443 btm_pair_state_descr(btm_cb.pairing_state), handle, status, enc_mode, 4444 (bda[2]<<24)+(bda[3]<<16)+(bda[4]<<8)+bda[5]); 4445 } 4446 #endif 4447 4448 if (!p_dev_rec) 4449 { 4450 /* There is no device record for new connection. Allocate one */ 4451 if (status == HCI_SUCCESS) 4452 { 4453 p_dev_rec = btm_sec_alloc_dev (bda); 4454 } 4455 else 4456 { 4457 /* If the device matches with stored paring address 4458 * reset the paring state to idle */ 4459 if ((btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) && 4460 (memcmp (btm_cb.pairing_bda, bda, BD_ADDR_LEN) == 0)) 4461 { 4462 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE); 4463 } 4464 4465 /* can not find the device record and the status is error, 4466 * just ignore it */ 4467 return; 4468 } 4469 } 4470 else /* Update the timestamp for this device */ 4471 { 4472 4473 #if BLE_INCLUDED == TRUE 4474 bit_shift = (handle == p_dev_rec->ble_hci_handle) ? 8 :0; 4475 #endif 4476 p_dev_rec->timestamp = btm_cb.dev_rec_count++; 4477 if (p_dev_rec->sm4 & BTM_SM4_CONN_PEND) 4478 { 4479 /* tell L2CAP it's a bonding connection. */ 4480 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) 4481 && (memcmp (btm_cb.pairing_bda, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0) 4482 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) ) 4483 { 4484 /* if incoming connection failed while pairing, then try to connect and continue */ 4485 /* Motorola S9 disconnects without asking pin code */ 4486 if ((status != HCI_SUCCESS)&&(btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_PIN_REQ)) 4487 { 4488 BTM_TRACE_WARNING ("Security Manager: btm_sec_connected: incoming connection failed without asking PIN"); 4489 4490 p_dev_rec->sm4 &= ~BTM_SM4_CONN_PEND; 4491 if (p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN) 4492 { 4493 /* Start timer with 0 to initiate connection with new LCB */ 4494 /* because L2CAP will delete current LCB with this event */ 4495 btm_cb.p_collided_dev_rec = p_dev_rec; 4496 btm_cb.sec_collision_tle.param = (UINT32) btm_sec_connect_after_reject_timeout; 4497 btu_start_timer (&btm_cb.sec_collision_tle, BTU_TTYPE_USER_FUNC, 0); 4498 } 4499 else 4500 { 4501 btm_sec_change_pairing_state (BTM_PAIR_STATE_GET_REM_NAME); 4502 BTM_ReadRemoteDeviceName(p_dev_rec->bd_addr, NULL, BT_TRANSPORT_BR_EDR); 4503 } 4504 #if BTM_DISC_DURING_RS == TRUE 4505 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */ 4506 #endif 4507 return; 4508 } 4509 else 4510 { 4511 l2cu_update_lcb_4_bonding(p_dev_rec->bd_addr, TRUE); 4512 } 4513 } 4514 /* always clear the pending flag */ 4515 p_dev_rec->sm4 &= ~BTM_SM4_CONN_PEND; 4516 } 4517 } 4518 4519 #if BLE_INCLUDED == TRUE 4520 p_dev_rec->device_type |= BT_DEVICE_TYPE_BREDR; 4521 #endif 4522 4523 #if BTM_DISC_DURING_RS == TRUE 4524 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */ 4525 #endif 4526 4527 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */ 4528 4529 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) 4530 && (memcmp (btm_cb.pairing_bda, bda, BD_ADDR_LEN) == 0) ) 4531 { 4532 /* if we rejected incoming connection from bonding device */ 4533 if ((status == HCI_ERR_HOST_REJECT_DEVICE) 4534 &&(btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT)) 4535 { 4536 BTM_TRACE_WARNING ("Security Manager: btm_sec_connected: HCI_Conn_Comp Flags:0x%04x, sm4: 0x%x", 4537 btm_cb.pairing_flags, p_dev_rec->sm4); 4538 4539 btm_cb.pairing_flags &= ~BTM_PAIR_FLAGS_REJECTED_CONNECT; 4540 if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4)) 4541 { 4542 /* Try again: RNR when no ACL causes HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT */ 4543 btm_sec_change_pairing_state (BTM_PAIR_STATE_GET_REM_NAME); 4544 BTM_ReadRemoteDeviceName(bda, NULL, BT_TRANSPORT_BR_EDR); 4545 return; 4546 } 4547 4548 /* if we already have pin code */ 4549 if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_PIN) 4550 { 4551 /* Start timer with 0 to initiate connection with new LCB */ 4552 /* because L2CAP will delete current LCB with this event */ 4553 btm_cb.p_collided_dev_rec = p_dev_rec; 4554 btm_cb.sec_collision_tle.param = (UINT32) btm_sec_connect_after_reject_timeout; 4555 btu_start_timer (&btm_cb.sec_collision_tle, BTU_TTYPE_USER_FUNC, 0); 4556 } 4557 4558 return; 4559 } 4560 /* wait for incoming connection without resetting pairing state */ 4561 else if (status == HCI_ERR_CONNECTION_EXISTS) 4562 { 4563 BTM_TRACE_WARNING ("Security Manager: btm_sec_connected: Wait for incoming connection"); 4564 return; 4565 } 4566 4567 is_pairing_device = TRUE; 4568 } 4569 4570 /* If connection was made to do bonding restore link security if changed */ 4571 btm_restore_mode(); 4572 4573 /* if connection fails during pin request, notify application */ 4574 if (status != HCI_SUCCESS) 4575 { 4576 /* If connection failed because of during pairing, need to tell user */ 4577 if (is_pairing_device) 4578 { 4579 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE; 4580 p_dev_rec->sec_flags &= ~((BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED) << bit_shift); 4581 BTM_TRACE_DEBUG ("security_required:%x ", p_dev_rec->security_required ); 4582 4583 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 4584 4585 /* We need to notify host that the key is not known any more */ 4586 if (btm_cb.api.p_auth_complete_callback) 4587 { 4588 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, 4589 p_dev_rec->dev_class, 4590 p_dev_rec->sec_bd_name, status); 4591 } 4592 } 4593 /* 4594 Do not send authentication failure, if following conditions hold good 4595 1. BTM Sec Pairing state is idle 4596 2. Link key for the remote device is present. 4597 3. Remote is SSP capable. 4598 */ 4599 else if ((p_dev_rec->link_key_type <= BTM_LKEY_TYPE_REMOTE_UNIT) && 4600 (((status == HCI_ERR_AUTH_FAILURE) || 4601 (status == HCI_ERR_KEY_MISSING) || 4602 (status == HCI_ERR_HOST_REJECT_SECURITY) || 4603 (status == HCI_ERR_PAIRING_NOT_ALLOWED) || 4604 (status == HCI_ERR_UNIT_KEY_USED) || 4605 (status == HCI_ERR_PAIRING_WITH_UNIT_KEY_NOT_SUPPORTED) || 4606 (status == HCI_ERR_ENCRY_MODE_NOT_ACCEPTABLE) || 4607 (status == HCI_ERR_REPEATED_ATTEMPTS)))) 4608 { 4609 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE; 4610 p_dev_rec->sec_flags &= ~ (BTM_SEC_LE_LINK_KEY_KNOWN << bit_shift); 4611 4612 4613 #ifdef BRCM_NOT_4_BTE 4614 /* If we rejected pairing, pass this special result code */ 4615 if (btm_cb.acl_disc_reason == HCI_ERR_HOST_REJECT_SECURITY) 4616 { 4617 status = HCI_ERR_HOST_REJECT_SECURITY; 4618 } 4619 #endif 4620 4621 /* We need to notify host that the key is not known any more */ 4622 if (btm_cb.api.p_auth_complete_callback) 4623 { 4624 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, 4625 p_dev_rec->dev_class, 4626 p_dev_rec->sec_bd_name, status); 4627 } 4628 } 4629 4630 if (status == HCI_ERR_CONNECTION_TOUT || status == HCI_ERR_LMP_RESPONSE_TIMEOUT || 4631 status == HCI_ERR_UNSPECIFIED || status == HCI_ERR_PAGE_TIMEOUT) 4632 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_DEVICE_TIMEOUT, FALSE); 4633 else 4634 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING, FALSE); 4635 4636 return; 4637 } 4638 4639 /* If initiated dedicated bonding, return the link key now, and initiate disconnect */ 4640 /* If dedicated bonding, and we now have a link key, we are all done */ 4641 if ( is_pairing_device 4642 && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) ) 4643 { 4644 if (p_dev_rec->link_key_not_sent) 4645 { 4646 p_dev_rec->link_key_not_sent = FALSE; 4647 btm_send_link_key_notif(p_dev_rec); 4648 } 4649 4650 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE; 4651 4652 /* remember flag before it is initialized */ 4653 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) 4654 res = TRUE; 4655 else 4656 res = FALSE; 4657 4658 if (btm_cb.api.p_auth_complete_callback) 4659 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, 4660 p_dev_rec->dev_class, 4661 p_dev_rec->sec_bd_name, HCI_SUCCESS); 4662 4663 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 4664 4665 if ( res ) 4666 { 4667 /* Let l2cap start bond timer */ 4668 l2cu_update_lcb_4_bonding (p_dev_rec->bd_addr, TRUE); 4669 } 4670 4671 return; 4672 } 4673 4674 p_dev_rec->hci_handle = handle; 4675 4676 /* role may not be correct here, it will be updated by l2cap, but we need to */ 4677 /* notify btm_acl that link is up, so starting of rmt name request will not */ 4678 /* set paging flag up */ 4679 p_acl_cb = btm_bda_to_acl(bda, BT_TRANSPORT_BR_EDR); 4680 if (p_acl_cb) 4681 { 4682 /* whatever is in btm_establish_continue() without reporting the BTM_BL_CONN_EVT event */ 4683 #if (!defined(BTM_BYPASS_EXTRA_ACL_SETUP) || BTM_BYPASS_EXTRA_ACL_SETUP == FALSE) 4684 /* For now there are a some devices that do not like sending */ 4685 /* commands events and data at the same time. */ 4686 /* Set the packet types to the default allowed by the device */ 4687 btm_set_packet_types (p_acl_cb, btm_cb.btm_acl_pkt_types_supported); 4688 4689 if (btm_cb.btm_def_link_policy) 4690 BTM_SetLinkPolicy (p_acl_cb->remote_addr, &btm_cb.btm_def_link_policy); 4691 #endif 4692 } 4693 btm_acl_created (bda, p_dev_rec->dev_class, p_dev_rec->sec_bd_name, handle, HCI_ROLE_SLAVE, BT_TRANSPORT_BR_EDR); 4694 4695 /* Initialize security flags. We need to do that because some */ 4696 /* authorization complete could have come after the connection is dropped */ 4697 /* and that would set wrong flag that link has been authorized already */ 4698 p_dev_rec->sec_flags &= ~((BTM_SEC_AUTHORIZED | BTM_SEC_AUTHENTICATED | 4699 BTM_SEC_ENCRYPTED | BTM_SEC_ROLE_SWITCHED) << bit_shift); 4700 4701 if (enc_mode != HCI_ENCRYPT_MODE_DISABLED) 4702 p_dev_rec->sec_flags |= ((BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED) << bit_shift); 4703 4704 if (btm_cb.security_mode == BTM_SEC_MODE_LINK) 4705 p_dev_rec->sec_flags |= (BTM_SEC_AUTHENTICATED << bit_shift); 4706 4707 if (p_dev_rec->pin_code_length >= 16 || 4708 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB || 4709 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) { 4710 p_dev_rec->sec_flags |= (BTM_SEC_16_DIGIT_PIN_AUTHED << bit_shift); 4711 } 4712 4713 p_dev_rec->link_key_changed = FALSE; 4714 4715 /* After connection is established we perform security if we do not know */ 4716 /* the name, or if we are originator because some procedure can have */ 4717 /* been scheduled while connection was down */ 4718 BTM_TRACE_DEBUG ("is_originator:%d ", p_dev_rec->is_originator); 4719 if (!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN) || p_dev_rec->is_originator) 4720 { 4721 if ((res = btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED) 4722 btm_sec_dev_rec_cback_event (p_dev_rec, res, FALSE); 4723 } 4724 return; 4725 } 4726 4727 /******************************************************************************* 4728 ** 4729 ** Function btm_sec_disconnect 4730 ** 4731 ** Description This function is called to disconnect HCI link 4732 ** 4733 ** Returns btm status 4734 ** 4735 *******************************************************************************/ 4736 tBTM_STATUS btm_sec_disconnect (UINT16 handle, UINT8 reason) 4737 { 4738 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle); 4739 4740 /* In some weird race condition we may not have a record */ 4741 if (!p_dev_rec) 4742 { 4743 btsnd_hcic_disconnect (handle, reason); 4744 return(BTM_SUCCESS); 4745 } 4746 4747 /* If we are in the process of bonding we need to tell client that auth failed */ 4748 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) 4749 && (memcmp (btm_cb.pairing_bda, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0) 4750 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) ) 4751 { 4752 /* we are currently doing bonding. Link will be disconnected when done */ 4753 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_DISC_WHEN_DONE; 4754 return(BTM_BUSY); 4755 } 4756 4757 return(btm_sec_send_hci_disconnect(p_dev_rec, reason, handle)); 4758 } 4759 4760 /******************************************************************************* 4761 ** 4762 ** Function btm_sec_disconnected 4763 ** 4764 ** Description This function is when a connection to the peer device is 4765 ** dropped 4766 ** 4767 ** Returns void 4768 ** 4769 *******************************************************************************/ 4770 void btm_sec_disconnected (UINT16 handle, UINT8 reason) 4771 { 4772 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle); 4773 UINT8 old_pairing_flags = btm_cb.pairing_flags; 4774 int result = HCI_ERR_AUTH_FAILURE; 4775 tBTM_SEC_CALLBACK *p_callback = NULL; 4776 tBT_TRANSPORT transport = BT_TRANSPORT_BR_EDR; 4777 4778 /* If page was delayed for disc complete, can do it now */ 4779 btm_cb.discing = FALSE; 4780 4781 btm_acl_resubmit_page(); 4782 4783 if (!p_dev_rec) 4784 return; 4785 4786 transport = (handle == p_dev_rec->hci_handle) ? BT_TRANSPORT_BR_EDR: BT_TRANSPORT_LE; 4787 4788 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */ 4789 4790 #if BTM_DISC_DURING_RS == TRUE 4791 LOG_INFO("%s clearing pending flag handle:%d reason:%d", __func__, handle, reason); 4792 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */ 4793 #endif 4794 4795 /* clear unused flags */ 4796 p_dev_rec->sm4 &= BTM_SM4_TRUE; 4797 4798 uint8_t *bd_addr = (uint8_t *)p_dev_rec->bd_addr; 4799 BTM_TRACE_EVENT("%s sec_req:x%x state:%s reason:%d bd_addr:%02x:%02x:%02x:%02x:%02x:%02x" 4800 " remote_name:%s", __func__, p_dev_rec->security_required, btm_pair_state_descr(btm_cb.pairing_state), 4801 reason, bd_addr[0], bd_addr[1], bd_addr[2], bd_addr[3], bd_addr[4], bd_addr[5], p_dev_rec->sec_bd_name); 4802 4803 BTM_TRACE_EVENT("%s before update sec_flags=0x%x", __func__, p_dev_rec->sec_flags); 4804 4805 /* If we are in the process of bonding we need to tell client that auth failed */ 4806 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) 4807 && (memcmp (btm_cb.pairing_bda, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0)) 4808 { 4809 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 4810 p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_KNOWN; 4811 if (btm_cb.api.p_auth_complete_callback) 4812 { 4813 /* If the disconnection reason is REPEATED_ATTEMPTS, 4814 send this error message to complete callback function 4815 to display the error message of Repeated attempts. 4816 All others, send HCI_ERR_AUTH_FAILURE. */ 4817 if (reason == HCI_ERR_REPEATED_ATTEMPTS) 4818 { 4819 result = HCI_ERR_REPEATED_ATTEMPTS; 4820 } 4821 else if (old_pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) 4822 { 4823 result = HCI_ERR_HOST_REJECT_SECURITY; 4824 } 4825 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class, 4826 p_dev_rec->sec_bd_name, result); 4827 } 4828 } 4829 4830 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE 4831 btm_ble_update_mode_operation(HCI_ROLE_UNKNOWN, p_dev_rec->bd_addr, HCI_SUCCESS); 4832 /* see sec_flags processing in btm_acl_removed */ 4833 4834 if (transport == BT_TRANSPORT_LE) 4835 { 4836 p_dev_rec->ble_hci_handle = BTM_SEC_INVALID_HANDLE; 4837 p_dev_rec->sec_flags &= ~(BTM_SEC_LE_AUTHENTICATED|BTM_SEC_LE_ENCRYPTED); 4838 p_dev_rec->enc_key_size = 0; 4839 } 4840 else 4841 #endif 4842 { 4843 p_dev_rec->hci_handle = BTM_SEC_INVALID_HANDLE; 4844 p_dev_rec->sec_flags &= ~(BTM_SEC_AUTHORIZED | BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED 4845 | BTM_SEC_ROLE_SWITCHED | BTM_SEC_16_DIGIT_PIN_AUTHED); 4846 } 4847 4848 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE 4849 if (p_dev_rec->sec_state == BTM_SEC_STATE_DISCONNECTING_BOTH) 4850 { 4851 p_dev_rec->sec_state = (transport == BT_TRANSPORT_LE) ? 4852 BTM_SEC_STATE_DISCONNECTING : BTM_SEC_STATE_DISCONNECTING_BLE; 4853 return; 4854 } 4855 #endif 4856 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE; 4857 p_dev_rec->security_required = BTM_SEC_NONE; 4858 4859 p_callback = p_dev_rec->p_callback; 4860 4861 /* if security is pending, send callback to clean up the security state */ 4862 if(p_callback) 4863 { 4864 p_dev_rec->p_callback = NULL; /* when the peer device time out the authentication before 4865 we do, this call back must be reset here */ 4866 (*p_callback) (p_dev_rec->bd_addr, transport, p_dev_rec->p_ref_data, BTM_ERR_PROCESSING); 4867 } 4868 4869 BTM_TRACE_EVENT("%s after update sec_flags=0x%x", __func__, p_dev_rec->sec_flags); 4870 } 4871 4872 /******************************************************************************* 4873 ** 4874 ** Function btm_sec_link_key_notification 4875 ** 4876 ** Description This function is called when a new connection link key is 4877 ** generated 4878 ** 4879 ** Returns Pointer to the record or NULL 4880 ** 4881 *******************************************************************************/ 4882 void btm_sec_link_key_notification (UINT8 *p_bda, UINT8 *p_link_key, UINT8 key_type) 4883 { 4884 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_or_alloc_dev (p_bda); 4885 BOOLEAN we_are_bonding = FALSE; 4886 BOOLEAN ltk_derived_lk = FALSE; 4887 4888 BTM_TRACE_EVENT ("btm_sec_link_key_notification() BDA:%04x%08x, TYPE: %d", 4889 (p_bda[0]<<8)+p_bda[1], (p_bda[2]<<24)+(p_bda[3]<<16)+(p_bda[4]<<8)+p_bda[5], 4890 key_type); 4891 4892 if ((key_type >= BTM_LTK_DERIVED_LKEY_OFFSET + BTM_LKEY_TYPE_COMBINATION) && 4893 (key_type <= BTM_LTK_DERIVED_LKEY_OFFSET + BTM_LKEY_TYPE_AUTH_COMB_P_256)) 4894 { 4895 ltk_derived_lk = TRUE; 4896 key_type -= BTM_LTK_DERIVED_LKEY_OFFSET; 4897 } 4898 /* If connection was made to do bonding restore link security if changed */ 4899 btm_restore_mode(); 4900 4901 if (key_type != BTM_LKEY_TYPE_CHANGED_COMB) 4902 p_dev_rec->link_key_type = key_type; 4903 4904 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_KNOWN; 4905 4906 /* 4907 * Until this point in time, we do not know if MITM was enabled, hence we 4908 * add the extended security flag here. 4909 */ 4910 if (p_dev_rec->pin_code_length >= 16 || 4911 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB || 4912 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) { 4913 p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED; 4914 } 4915 4916 #if (BLE_INCLUDED == TRUE) 4917 /* BR/EDR connection, update the encryption key size to be 16 as always */ 4918 p_dev_rec->enc_key_size = 16; 4919 #endif 4920 memcpy (p_dev_rec->link_key, p_link_key, LINK_KEY_LEN); 4921 4922 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) 4923 && (memcmp (btm_cb.pairing_bda, p_bda, BD_ADDR_LEN) == 0) ) 4924 { 4925 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) 4926 we_are_bonding = TRUE; 4927 else 4928 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 4929 } 4930 4931 /* save LTK derived LK no matter what */ 4932 if (ltk_derived_lk) 4933 { 4934 if (btm_cb.api.p_link_key_callback) 4935 { 4936 BTM_TRACE_DEBUG ("%s() Save LTK derived LK (key_type = %d)", 4937 __FUNCTION__, p_dev_rec->link_key_type); 4938 (*btm_cb.api.p_link_key_callback) (p_bda, p_dev_rec->dev_class, 4939 p_dev_rec->sec_bd_name, 4940 p_link_key, p_dev_rec->link_key_type); 4941 } 4942 } 4943 else 4944 { 4945 if ((p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256) || 4946 (p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256)) 4947 { 4948 p_dev_rec->new_encryption_key_is_p256 = TRUE; 4949 BTM_TRACE_DEBUG ("%s set new_encr_key_256 to %d", 4950 __func__, p_dev_rec->new_encryption_key_is_p256); 4951 } 4952 } 4953 4954 /* If name is not known at this point delay calling callback until the name is */ 4955 /* resolved. Unless it is a HID Device and we really need to send all link keys. */ 4956 if ((!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN) 4957 && ((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) != BTM_COD_MAJOR_PERIPHERAL)) 4958 && !ltk_derived_lk) 4959 { 4960 BTM_TRACE_EVENT ("btm_sec_link_key_notification() Delayed BDA: %08x%04x Type:%d", 4961 (p_bda[0]<<24) + (p_bda[1]<<16) + (p_bda[2]<<8) + p_bda[3], 4962 (p_bda[4] << 8) + p_bda[5], key_type); 4963 4964 p_dev_rec->link_key_not_sent = TRUE; 4965 4966 /* If it is for bonding nothing else will follow, so we need to start name resolution */ 4967 if (we_are_bonding) 4968 { 4969 if (!(btsnd_hcic_rmt_name_req (p_bda, HCI_PAGE_SCAN_REP_MODE_R1, HCI_MANDATARY_PAGE_SCAN_MODE, 0))) 4970 btm_inq_rmt_name_failed(); 4971 } 4972 4973 BTM_TRACE_EVENT ("rmt_io_caps:%d, sec_flags:x%x, dev_class[1]:x%02x", p_dev_rec->rmt_io_caps, p_dev_rec->sec_flags, p_dev_rec->dev_class[1]) 4974 return; 4975 } 4976 4977 /* If its not us who perform authentication, we should tell stackserver */ 4978 /* that some authentication has been completed */ 4979 /* This is required when different entities receive link notification and auth complete */ 4980 if (!(p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE) 4981 /* for derived key, always send authentication callback for BR channel */ 4982 || ltk_derived_lk) 4983 { 4984 if (btm_cb.api.p_auth_complete_callback) 4985 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class, 4986 p_dev_rec->sec_bd_name, HCI_SUCCESS); 4987 } 4988 4989 /* We will save link key only if the user authorized it - BTE report link key in all cases */ 4990 #ifdef BRCM_NONE_BTE 4991 if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED) 4992 #endif 4993 { 4994 if (btm_cb.api.p_link_key_callback) 4995 { 4996 if (ltk_derived_lk) 4997 { 4998 BTM_TRACE_DEBUG ("btm_sec_link_key_notification() LTK derived LK is saved already" 4999 " (key_type = %d)", p_dev_rec->link_key_type); 5000 } 5001 else 5002 { 5003 (*btm_cb.api.p_link_key_callback) (p_bda, p_dev_rec->dev_class, 5004 p_dev_rec->sec_bd_name, 5005 p_link_key, p_dev_rec->link_key_type); 5006 } 5007 } 5008 } 5009 } 5010 5011 /******************************************************************************* 5012 ** 5013 ** Function btm_sec_link_key_request 5014 ** 5015 ** Description This function is called when controller requests link key 5016 ** 5017 ** Returns Pointer to the record or NULL 5018 ** 5019 *******************************************************************************/ 5020 void btm_sec_link_key_request (UINT8 *p_bda) 5021 { 5022 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_or_alloc_dev (p_bda); 5023 5024 BTM_TRACE_EVENT ("btm_sec_link_key_request() BDA: %02x:%02x:%02x:%02x:%02x:%02x", 5025 p_bda[0], p_bda[1], p_bda[2], p_bda[3], p_bda[4], p_bda[5]); 5026 5027 if( (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_PIN_REQ) && 5028 (btm_cb.collision_start_time != 0) && 5029 (memcmp (btm_cb.p_collided_dev_rec->bd_addr, p_bda, BD_ADDR_LEN) == 0) ) 5030 { 5031 BTM_TRACE_EVENT ("btm_sec_link_key_request() rejecting link key req " 5032 "State: %d START_TIMEOUT : %d", 5033 btm_cb.pairing_state, btm_cb.collision_start_time); 5034 btsnd_hcic_link_key_neg_reply (p_bda); 5035 return; 5036 } 5037 if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) 5038 { 5039 btsnd_hcic_link_key_req_reply (p_bda, p_dev_rec->link_key); 5040 return; 5041 } 5042 5043 /* Notify L2CAP to increase timeout */ 5044 l2c_pin_code_request (p_bda); 5045 5046 /* The link key is not in the database and it is not known to the manager */ 5047 btsnd_hcic_link_key_neg_reply (p_bda); 5048 } 5049 5050 /******************************************************************************* 5051 ** 5052 ** Function btm_sec_pairing_timeout 5053 ** 5054 ** Description This function is called when host does not provide PIN 5055 ** within requested time 5056 ** 5057 ** Returns Pointer to the TLE struct 5058 ** 5059 *******************************************************************************/ 5060 static void btm_sec_pairing_timeout (TIMER_LIST_ENT *p_tle) 5061 { 5062 tBTM_CB *p_cb = &btm_cb; 5063 tBTM_SEC_DEV_REC *p_dev_rec; 5064 #if BTM_OOB_INCLUDED == TRUE 5065 #if (BTM_LOCAL_IO_CAPS == BTM_IO_CAP_NONE) 5066 tBTM_AUTH_REQ auth_req = BTM_AUTH_AP_NO; 5067 #else 5068 tBTM_AUTH_REQ auth_req = BTM_AUTH_AP_YES; 5069 #endif 5070 #endif 5071 UINT8 name[2]; 5072 UNUSED(p_tle); 5073 5074 p_cb->pairing_tle.param = 0; 5075 /* Coverity: FALSE-POSITIVE error from Coverity tool. Please do NOT remove following comment. */ 5076 /* coverity[UNUSED_VALUE] pointer p_dev_rec is actually used several times... This is a Coverity false-positive, i.e. a fake issue. 5077 */ 5078 p_dev_rec = btm_find_dev (p_cb->pairing_bda); 5079 5080 BTM_TRACE_EVENT ("btm_sec_pairing_timeout() State: %s Flags: %u", 5081 btm_pair_state_descr(p_cb->pairing_state), p_cb->pairing_flags); 5082 5083 switch (p_cb->pairing_state) 5084 { 5085 case BTM_PAIR_STATE_WAIT_PIN_REQ: 5086 btm_sec_bond_cancel_complete(); 5087 break; 5088 5089 case BTM_PAIR_STATE_WAIT_LOCAL_PIN: 5090 if ( (btm_cb.pairing_flags & BTM_PAIR_FLAGS_PRE_FETCH_PIN) == 0) 5091 btsnd_hcic_pin_code_neg_reply (p_cb->pairing_bda); 5092 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 5093 /* We need to notify the UI that no longer need the PIN */ 5094 if (btm_cb.api.p_auth_complete_callback) 5095 { 5096 if (p_dev_rec == NULL) 5097 { 5098 name[0] = 0; 5099 (*btm_cb.api.p_auth_complete_callback) (p_cb->pairing_bda, 5100 NULL, 5101 name, HCI_ERR_CONNECTION_TOUT); 5102 } 5103 else 5104 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, 5105 p_dev_rec->dev_class, 5106 p_dev_rec->sec_bd_name, HCI_ERR_CONNECTION_TOUT); 5107 } 5108 break; 5109 5110 case BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM: 5111 btsnd_hcic_user_conf_reply (p_cb->pairing_bda, FALSE); 5112 /* btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); */ 5113 break; 5114 5115 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE) 5116 case BTM_PAIR_STATE_KEY_ENTRY: 5117 btsnd_hcic_user_passkey_neg_reply(p_cb->pairing_bda); 5118 /* btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); */ 5119 break; 5120 #endif /* !BTM_IO_CAP_NONE */ 5121 5122 #if BTM_OOB_INCLUDED == TRUE 5123 case BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS: 5124 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) 5125 auth_req |= BTM_AUTH_DD_BOND; 5126 5127 btsnd_hcic_io_cap_req_reply (p_cb->pairing_bda, btm_cb.devcb.loc_io_caps, 5128 BTM_OOB_NONE, auth_req); 5129 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 5130 break; 5131 5132 case BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP: 5133 btsnd_hcic_rem_oob_neg_reply (p_cb->pairing_bda); 5134 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 5135 break; 5136 #endif /* BTM_OOB_INCLUDED */ 5137 5138 case BTM_PAIR_STATE_WAIT_DISCONNECT: 5139 /* simple pairing failed. Started a 1-sec timer at simple pairing complete. 5140 * now it's time to tear down the ACL link*/ 5141 if (p_dev_rec == NULL) 5142 { 5143 BTM_TRACE_ERROR ("btm_sec_pairing_timeout() BTM_PAIR_STATE_WAIT_DISCONNECT unknown BDA: %08x%04x", 5144 (p_cb->pairing_bda[0]<<24) + (p_cb->pairing_bda[1]<<16) + (p_cb->pairing_bda[2]<<8) + p_cb->pairing_bda[3], 5145 (p_cb->pairing_bda[4] << 8) + p_cb->pairing_bda[5]); 5146 break; 5147 } 5148 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE, p_dev_rec->hci_handle); 5149 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 5150 break; 5151 5152 case BTM_PAIR_STATE_WAIT_AUTH_COMPLETE: 5153 case BTM_PAIR_STATE_GET_REM_NAME: 5154 /* We need to notify the UI that timeout has happened while waiting for authentication*/ 5155 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 5156 if (btm_cb.api.p_auth_complete_callback) 5157 { 5158 if (p_dev_rec == NULL) 5159 { 5160 name[0] = 0; 5161 (*btm_cb.api.p_auth_complete_callback) (p_cb->pairing_bda, 5162 NULL, 5163 name, HCI_ERR_CONNECTION_TOUT); 5164 } 5165 else 5166 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, 5167 p_dev_rec->dev_class, 5168 p_dev_rec->sec_bd_name, HCI_ERR_CONNECTION_TOUT); 5169 } 5170 break; 5171 5172 default: 5173 BTM_TRACE_WARNING ("btm_sec_pairing_timeout() not processed state: %s", btm_pair_state_descr(btm_cb.pairing_state)); 5174 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 5175 break; 5176 } 5177 } 5178 5179 /******************************************************************************* 5180 ** 5181 ** Function btm_sec_pin_code_request 5182 ** 5183 ** Description This function is called when controller requests PIN code 5184 ** 5185 ** Returns Pointer to the record or NULL 5186 ** 5187 *******************************************************************************/ 5188 void btm_sec_pin_code_request (UINT8 *p_bda) 5189 { 5190 tBTM_SEC_DEV_REC *p_dev_rec; 5191 tBTM_CB *p_cb = &btm_cb; 5192 5193 #ifdef PORCHE_PAIRING_CONFLICT 5194 UINT8 default_pin_code_len = 4; 5195 PIN_CODE default_pin_code = {0x30, 0x30, 0x30, 0x30}; 5196 #endif 5197 BTM_TRACE_EVENT ("btm_sec_pin_code_request() State: %s, BDA:%04x%08x", 5198 btm_pair_state_descr(btm_cb.pairing_state), 5199 (p_bda[0]<<8)+p_bda[1], (p_bda[2]<<24)+(p_bda[3]<<16)+(p_bda[4]<<8)+p_bda[5] ); 5200 5201 if (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) 5202 { 5203 if ( (memcmp (p_bda, btm_cb.pairing_bda, BD_ADDR_LEN) == 0) && 5204 (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_AUTH_COMPLETE) ) 5205 { 5206 /* fake this out - porshe carkit issue - */ 5207 // btm_cb.pairing_state = BTM_PAIR_STATE_IDLE; 5208 if(! btm_cb.pin_code_len_saved) 5209 { 5210 btsnd_hcic_pin_code_neg_reply (p_bda); 5211 return; 5212 } 5213 else 5214 { 5215 btsnd_hcic_pin_code_req_reply (p_bda, btm_cb.pin_code_len_saved, p_cb->pin_code); 5216 return; 5217 } 5218 } 5219 else if ((btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_PIN_REQ) 5220 || memcmp (p_bda, btm_cb.pairing_bda, BD_ADDR_LEN) != 0) 5221 { 5222 BTM_TRACE_WARNING ("btm_sec_pin_code_request() rejected - state: %s", 5223 btm_pair_state_descr(btm_cb.pairing_state)); 5224 5225 #ifdef PORCHE_PAIRING_CONFLICT 5226 /* reply pin code again due to counter in_rand when local initiates pairing */ 5227 BTM_TRACE_EVENT ("btm_sec_pin_code_request from remote dev. for local initiated pairing"); 5228 if(! btm_cb.pin_code_len_saved) 5229 { 5230 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE); 5231 btsnd_hcic_pin_code_req_reply (p_bda, default_pin_code_len, default_pin_code); 5232 } 5233 else 5234 { 5235 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE); 5236 btsnd_hcic_pin_code_req_reply (p_bda, btm_cb.pin_code_len_saved, p_cb->pin_code); 5237 } 5238 #else 5239 btsnd_hcic_pin_code_neg_reply (p_bda); 5240 #endif 5241 return; 5242 } 5243 } 5244 5245 p_dev_rec = btm_find_or_alloc_dev (p_bda); 5246 /* received PIN code request. must be non-sm4 */ 5247 p_dev_rec->sm4 = BTM_SM4_KNOWN; 5248 5249 if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE) 5250 { 5251 memcpy (btm_cb.pairing_bda, p_bda, BD_ADDR_LEN); 5252 5253 btm_cb.pairing_flags = BTM_PAIR_FLAGS_PEER_STARTED_DD; 5254 /* Make sure we reset the trusted mask to help against attacks */ 5255 BTM_SEC_CLR_TRUSTED_DEVICE(p_dev_rec->trusted_mask); 5256 } 5257 5258 if (!p_cb->pairing_disabled && (p_cb->cfg.pin_type == HCI_PIN_TYPE_FIXED)) 5259 { 5260 BTM_TRACE_EVENT ("btm_sec_pin_code_request fixed pin replying"); 5261 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE); 5262 btsnd_hcic_pin_code_req_reply (p_bda, p_cb->cfg.pin_code_len, p_cb->cfg.pin_code); 5263 return; 5264 } 5265 5266 /* Use the connecting device's CoD for the connection */ 5267 if ( (!memcmp (p_bda, p_cb->connecting_bda, BD_ADDR_LEN)) 5268 && (p_cb->connecting_dc[0] || p_cb->connecting_dc[1] || p_cb->connecting_dc[2]) ) 5269 memcpy (p_dev_rec->dev_class, p_cb->connecting_dc, DEV_CLASS_LEN); 5270 5271 /* We could have started connection after asking user for the PIN code */ 5272 if (btm_cb.pin_code_len != 0) 5273 { 5274 BTM_TRACE_EVENT ("btm_sec_pin_code_request bonding sending reply"); 5275 btsnd_hcic_pin_code_req_reply (p_bda, btm_cb.pin_code_len, p_cb->pin_code); 5276 5277 #ifdef PORCHE_PAIRING_CONFLICT 5278 btm_cb.pin_code_len_saved = btm_cb.pin_code_len; 5279 #endif 5280 5281 /* Mark that we forwarded received from the user PIN code */ 5282 btm_cb.pin_code_len = 0; 5283 5284 /* We can change mode back right away, that other connection being established */ 5285 /* is not forced to be secure - found a FW issue, so we can not do this 5286 btm_restore_mode(); */ 5287 5288 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE); 5289 } 5290 5291 /* If pairing disabled OR (no PIN callback and not bonding) */ 5292 /* OR we could not allocate entry in the database reject pairing request */ 5293 else if (p_cb->pairing_disabled 5294 || (p_cb->api.p_pin_callback == NULL) 5295 5296 /* OR Microsoft keyboard can for some reason try to establish connection */ 5297 /* the only thing we can do here is to shut it up. Normally we will be originator */ 5298 /* for keyboard bonding */ 5299 || (!p_dev_rec->is_originator 5300 && ((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) == BTM_COD_MAJOR_PERIPHERAL) 5301 && (p_dev_rec->dev_class[2] & BTM_COD_MINOR_KEYBOARD)) ) 5302 { 5303 BTM_TRACE_WARNING("btm_sec_pin_code_request(): Pairing disabled:%d; PIN callback:%x, Dev Rec:%x!", 5304 p_cb->pairing_disabled, p_cb->api.p_pin_callback, p_dev_rec); 5305 5306 btsnd_hcic_pin_code_neg_reply (p_bda); 5307 } 5308 /* Notify upper layer of PIN request and start expiration timer */ 5309 else 5310 { 5311 btm_cb.pin_code_len_saved = 0; 5312 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_PIN); 5313 /* Pin code request can not come at the same time as connection request */ 5314 memcpy (p_cb->connecting_bda, p_bda, BD_ADDR_LEN); 5315 memcpy (p_cb->connecting_dc, p_dev_rec->dev_class, DEV_CLASS_LEN); 5316 5317 /* Check if the name is known */ 5318 /* Even if name is not known we might not be able to get one */ 5319 /* this is the case when we are already getting something from the */ 5320 /* device, so HCI level is flow controlled */ 5321 /* Also cannot send remote name request while paging, i.e. connection is not completed */ 5322 if (p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN) 5323 { 5324 BTM_TRACE_EVENT ("btm_sec_pin_code_request going for callback"); 5325 5326 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD; 5327 if (p_cb->api.p_pin_callback) { 5328 (*p_cb->api.p_pin_callback) (p_bda, p_dev_rec->dev_class, p_dev_rec->sec_bd_name, 5329 (p_dev_rec->p_cur_service == NULL) ? FALSE 5330 : (p_dev_rec->p_cur_service->security_flags 5331 & BTM_SEC_IN_MIN_16_DIGIT_PIN)); 5332 } 5333 } 5334 else 5335 { 5336 BTM_TRACE_EVENT ("btm_sec_pin_code_request going for remote name"); 5337 5338 /* We received PIN code request for the device with unknown name */ 5339 /* it is not user friendly just to ask for the PIN without name */ 5340 /* try to get name at first */ 5341 if (!btsnd_hcic_rmt_name_req (p_dev_rec->bd_addr, 5342 HCI_PAGE_SCAN_REP_MODE_R1, 5343 HCI_MANDATARY_PAGE_SCAN_MODE, 0)) 5344 { 5345 p_dev_rec->sec_flags |= BTM_SEC_NAME_KNOWN; 5346 p_dev_rec->sec_bd_name[0] = 'f'; 5347 p_dev_rec->sec_bd_name[1] = '0'; 5348 BTM_TRACE_ERROR ("can not send rmt_name_req?? fake a name and call callback"); 5349 5350 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD; 5351 if (p_cb->api.p_pin_callback) 5352 (*p_cb->api.p_pin_callback) (p_bda, p_dev_rec->dev_class, 5353 p_dev_rec->sec_bd_name, (p_dev_rec->p_cur_service == NULL) ? FALSE 5354 : (p_dev_rec->p_cur_service->security_flags 5355 & BTM_SEC_IN_MIN_16_DIGIT_PIN)); 5356 } 5357 } 5358 } 5359 5360 return; 5361 } 5362 5363 /******************************************************************************* 5364 ** 5365 ** Function btm_sec_update_clock_offset 5366 ** 5367 ** Description This function is called to update clock offset 5368 ** 5369 ** Returns void 5370 ** 5371 *******************************************************************************/ 5372 void btm_sec_update_clock_offset (UINT16 handle, UINT16 clock_offset) 5373 { 5374 tBTM_SEC_DEV_REC *p_dev_rec; 5375 tBTM_INQ_INFO *p_inq_info; 5376 5377 if ((p_dev_rec = btm_find_dev_by_handle (handle)) == NULL) 5378 return; 5379 5380 p_dev_rec->clock_offset = clock_offset | BTM_CLOCK_OFFSET_VALID; 5381 5382 if ((p_inq_info = BTM_InqDbRead(p_dev_rec->bd_addr)) == NULL) 5383 return; 5384 5385 p_inq_info->results.clock_offset = clock_offset | BTM_CLOCK_OFFSET_VALID; 5386 } 5387 5388 5389 /****************************************************************** 5390 ** S T A T I C F U N C T I O N S 5391 *******************************************************************/ 5392 5393 /******************************************************************************* 5394 ** 5395 ** Function btm_sec_execute_procedure 5396 ** 5397 ** Description This function is called to start required security 5398 ** procedure. There is a case when multiplexing protocol 5399 ** calls this function on the originating side, connection to 5400 ** the peer will not be established. This function in this 5401 ** case performs only authorization. 5402 ** 5403 ** Returns BTM_SUCCESS - permission is granted 5404 ** BTM_CMD_STARTED - in process 5405 ** BTM_NO_RESOURCES - permission declined 5406 ** 5407 *******************************************************************************/ 5408 static tBTM_STATUS btm_sec_execute_procedure (tBTM_SEC_DEV_REC *p_dev_rec) 5409 { 5410 BTM_TRACE_EVENT ("btm_sec_execute_procedure: Required:0x%x Flags:0x%x State:%d", 5411 p_dev_rec->security_required, p_dev_rec->sec_flags, p_dev_rec->sec_state); 5412 5413 /* There is a chance that we are getting name. Wait until done. */ 5414 if (p_dev_rec->sec_state != 0) 5415 return(BTM_CMD_STARTED); 5416 5417 /* If any security is required, get the name first */ 5418 if (!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN) 5419 && (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)) 5420 { 5421 BTM_TRACE_EVENT ("Security Manager: Start get name"); 5422 if (!btm_sec_start_get_name (p_dev_rec)) 5423 { 5424 return(BTM_NO_RESOURCES); 5425 } 5426 return(BTM_CMD_STARTED); 5427 } 5428 5429 /* If connection is not authenticated and authentication is required */ 5430 /* start authentication and return PENDING to the caller */ 5431 if ((((!(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)) 5432 && (( p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE)) 5433 || (!p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_IN_AUTHENTICATE)))) 5434 || (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED) 5435 && (!p_dev_rec->is_originator 5436 && (p_dev_rec->security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN)))) 5437 && (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)) 5438 { 5439 /* 5440 * We rely on BTM_SEC_16_DIGIT_PIN_AUTHED being set if MITM is in use, 5441 * as 16 DIGIT is only needed if MITM is not used. Unfortunately, the 5442 * BTM_SEC_AUTHENTICATED is used for both MITM and non-MITM 5443 * authenticated connections, hence we cannot distinguish here. 5444 */ 5445 5446 #if (L2CAP_UCD_INCLUDED == TRUE) 5447 /* if incoming UCD packet, discard it */ 5448 if ( !p_dev_rec->is_originator && (p_dev_rec->is_ucd == TRUE )) 5449 return(BTM_FAILED_ON_SECURITY); 5450 #endif 5451 5452 BTM_TRACE_EVENT ("Security Manager: Start authentication"); 5453 5454 /* 5455 * If we do have a link-key, but we end up here because we need an 5456 * upgrade, then clear the link-key known and authenticated flag before 5457 * restarting authentication. 5458 * WARNING: If the controller has link-key, it is optional and 5459 * recommended for the controller to send a Link_Key_Request. 5460 * In case we need an upgrade, the only alternative would be to delete 5461 * the existing link-key. That could lead to very bad user experience 5462 * or even IOP issues, if a reconnect causes a new connection that 5463 * requires an upgrade. 5464 */ 5465 if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) 5466 && (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED) 5467 && (!p_dev_rec->is_originator && (p_dev_rec->security_required 5468 & BTM_SEC_IN_MIN_16_DIGIT_PIN)))) { 5469 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED 5470 | BTM_SEC_AUTHENTICATED); 5471 } 5472 5473 if (!btm_sec_start_authentication (p_dev_rec)) 5474 { 5475 return(BTM_NO_RESOURCES); 5476 } 5477 return(BTM_CMD_STARTED); 5478 } 5479 5480 /* If connection is not encrypted and encryption is required */ 5481 /* start encryption and return PENDING to the caller */ 5482 if (!(p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED) 5483 && (( p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_OUT_ENCRYPT)) 5484 || (!p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_IN_ENCRYPT))) 5485 && (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)) 5486 { 5487 #if (L2CAP_UCD_INCLUDED == TRUE) 5488 /* if incoming UCD packet, discard it */ 5489 if ( !p_dev_rec->is_originator && (p_dev_rec->is_ucd == TRUE )) 5490 return(BTM_FAILED_ON_SECURITY); 5491 #endif 5492 5493 BTM_TRACE_EVENT ("Security Manager: Start encryption"); 5494 5495 if (!btm_sec_start_encryption (p_dev_rec)) 5496 { 5497 return(BTM_NO_RESOURCES); 5498 } 5499 return(BTM_CMD_STARTED); 5500 } 5501 5502 if ((p_dev_rec->security_required & BTM_SEC_MODE4_LEVEL4) && 5503 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256)) 5504 { 5505 BTM_TRACE_EVENT("%s: Security Manager: SC only service, but link key type is 0x%02x -", 5506 "security failure", __FUNCTION__, p_dev_rec->link_key_type); 5507 return (BTM_FAILED_ON_SECURITY); 5508 } 5509 5510 /* If connection is not authorized and authorization is required */ 5511 /* start authorization and return PENDING to the caller */ 5512 if (!(p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED) 5513 && (( p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_OUT_AUTHORIZE)) 5514 || (!p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_IN_AUTHORIZE)))) 5515 { 5516 BTM_TRACE_EVENT ("service id:%d, is trusted:%d", 5517 p_dev_rec->p_cur_service->service_id, 5518 (BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask, 5519 p_dev_rec->p_cur_service->service_id))); 5520 if ((btm_sec_are_all_trusted(p_dev_rec->trusted_mask) == FALSE) && 5521 (p_dev_rec->p_cur_service->service_id < BTM_SEC_MAX_SERVICES) && 5522 (BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask, 5523 p_dev_rec->p_cur_service->service_id) == FALSE)) 5524 { 5525 BTM_TRACE_EVENT ("Security Manager: Start authorization"); 5526 return(btm_sec_start_authorization (p_dev_rec)); 5527 } 5528 } 5529 5530 /* All required security procedures already established */ 5531 p_dev_rec->security_required &= ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_IN_AUTHORIZE | 5532 BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_IN_AUTHENTICATE | 5533 BTM_SEC_OUT_ENCRYPT | BTM_SEC_IN_ENCRYPT | 5534 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | 5535 BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE); 5536 5537 BTM_TRACE_EVENT ("Security Manager: trusted:0x%04x%04x", p_dev_rec->trusted_mask[1], p_dev_rec->trusted_mask[0]); 5538 BTM_TRACE_EVENT ("Security Manager: access granted"); 5539 5540 return(BTM_SUCCESS); 5541 } 5542 5543 5544 /******************************************************************************* 5545 ** 5546 ** Function btm_sec_start_get_name 5547 ** 5548 ** Description This function is called to start get name procedure 5549 ** 5550 ** Returns TRUE if started 5551 ** 5552 *******************************************************************************/ 5553 static BOOLEAN btm_sec_start_get_name (tBTM_SEC_DEV_REC *p_dev_rec) 5554 { 5555 UINT8 tempstate = p_dev_rec->sec_state; 5556 5557 p_dev_rec->sec_state = BTM_SEC_STATE_GETTING_NAME; 5558 5559 /* Device should be connected, no need to provide correct page params */ 5560 /* 0 and NULL are as timeout and callback params because they are not used in security get name case */ 5561 if ((btm_initiate_rem_name (p_dev_rec->bd_addr, NULL, BTM_RMT_NAME_SEC, 5562 0, NULL)) != BTM_CMD_STARTED) 5563 { 5564 p_dev_rec->sec_state = tempstate; 5565 return(FALSE); 5566 } 5567 5568 return(TRUE); 5569 } 5570 5571 /******************************************************************************* 5572 ** 5573 ** Function btm_sec_start_authentication 5574 ** 5575 ** Description This function is called to start authentication 5576 ** 5577 ** Returns TRUE if started 5578 ** 5579 *******************************************************************************/ 5580 static BOOLEAN btm_sec_start_authentication (tBTM_SEC_DEV_REC *p_dev_rec) 5581 { 5582 p_dev_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING; 5583 5584 return(btsnd_hcic_auth_request (p_dev_rec->hci_handle)); 5585 } 5586 5587 /******************************************************************************* 5588 ** 5589 ** Function btm_sec_start_encryption 5590 ** 5591 ** Description This function is called to start encryption 5592 ** 5593 ** Returns TRUE if started 5594 ** 5595 *******************************************************************************/ 5596 static BOOLEAN btm_sec_start_encryption (tBTM_SEC_DEV_REC *p_dev_rec) 5597 { 5598 if (!btsnd_hcic_set_conn_encrypt (p_dev_rec->hci_handle, TRUE)) 5599 return(FALSE); 5600 5601 p_dev_rec->sec_state = BTM_SEC_STATE_ENCRYPTING; 5602 return(TRUE); 5603 } 5604 5605 5606 /******************************************************************************* 5607 ** 5608 ** Function btm_sec_start_authorization 5609 ** 5610 ** Description This function is called to start authorization 5611 ** 5612 ** Returns TRUE if started 5613 ** 5614 *******************************************************************************/ 5615 static UINT8 btm_sec_start_authorization (tBTM_SEC_DEV_REC *p_dev_rec) 5616 { 5617 UINT8 result; 5618 UINT8 *p_service_name = NULL; 5619 UINT8 service_id; 5620 5621 if ((p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN) 5622 || (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE)) 5623 { 5624 if (!btm_cb.api.p_authorize_callback) 5625 return(BTM_MODE_UNSUPPORTED); 5626 5627 if (p_dev_rec->p_cur_service) 5628 { 5629 #if BTM_SEC_SERVICE_NAME_LEN > 0 5630 if (p_dev_rec->is_originator) 5631 p_service_name = p_dev_rec->p_cur_service->orig_service_name; 5632 else 5633 p_service_name = p_dev_rec->p_cur_service->term_service_name; 5634 #endif 5635 service_id = p_dev_rec->p_cur_service->service_id; 5636 } 5637 else 5638 service_id = 0; 5639 5640 /* Send authorization request if not already sent during this service connection */ 5641 if (p_dev_rec->last_author_service_id == BTM_SEC_NO_LAST_SERVICE_ID 5642 || p_dev_rec->last_author_service_id != service_id) 5643 { 5644 p_dev_rec->sec_state = BTM_SEC_STATE_AUTHORIZING; 5645 result = (*btm_cb.api.p_authorize_callback) (p_dev_rec->bd_addr, 5646 p_dev_rec->dev_class, 5647 p_dev_rec->sec_bd_name, 5648 p_service_name, 5649 service_id, 5650 p_dev_rec->is_originator); 5651 } 5652 5653 else /* Already authorized once for this L2CAP bringup */ 5654 { 5655 BTM_TRACE_DEBUG ("btm_sec_start_authorization: (Ignoring extra Authorization prompt for service %d)", service_id); 5656 return (BTM_SUCCESS); 5657 } 5658 5659 if (result == BTM_SUCCESS) 5660 { 5661 p_dev_rec->sec_flags |= BTM_SEC_AUTHORIZED; 5662 5663 /* Save the currently authorized service in case we are asked again by another multiplexer layer */ 5664 if (!p_dev_rec->is_originator) 5665 p_dev_rec->last_author_service_id = service_id; 5666 5667 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE; 5668 } 5669 return(result); 5670 } 5671 btm_sec_start_get_name (p_dev_rec); 5672 return(BTM_CMD_STARTED); 5673 } 5674 5675 /******************************************************************************* 5676 ** 5677 ** Function btm_sec_are_all_trusted 5678 ** 5679 ** Description This function is called check if all services are trusted 5680 ** 5681 ** Returns TRUE if all are trusted, otherwise FALSE 5682 ** 5683 *******************************************************************************/ 5684 BOOLEAN btm_sec_are_all_trusted(UINT32 p_mask[]) 5685 { 5686 UINT32 trusted_inx; 5687 for (trusted_inx = 0; trusted_inx < BTM_SEC_SERVICE_ARRAY_SIZE; trusted_inx++) 5688 { 5689 if (p_mask[trusted_inx] != BTM_SEC_TRUST_ALL) 5690 return(FALSE); 5691 } 5692 5693 return(TRUE); 5694 } 5695 5696 /******************************************************************************* 5697 ** 5698 ** Function btm_sec_find_first_serv 5699 ** 5700 ** Description Look for the first record in the service database 5701 ** with specified PSM 5702 ** 5703 ** Returns Pointer to the record or NULL 5704 ** 5705 *******************************************************************************/ 5706 static tBTM_SEC_SERV_REC *btm_sec_find_first_serv (CONNECTION_TYPE conn_type, UINT16 psm) 5707 { 5708 tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0]; 5709 int i; 5710 BOOLEAN is_originator; 5711 5712 #if (L2CAP_UCD_INCLUDED == TRUE) 5713 5714 if ( conn_type & CONNECTION_TYPE_ORIG_MASK ) 5715 is_originator = TRUE; 5716 else 5717 is_originator = FALSE; 5718 #else 5719 is_originator = conn_type; 5720 #endif 5721 5722 if (is_originator && btm_cb.p_out_serv && btm_cb.p_out_serv->psm == psm) 5723 { 5724 /* If this is outgoing connection and the PSM matches p_out_serv, 5725 * use it as the current service */ 5726 return btm_cb.p_out_serv; 5727 } 5728 5729 /* otherwise, just find the first record with the specified PSM */ 5730 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++) 5731 { 5732 if ( (p_serv_rec->security_flags & BTM_SEC_IN_USE) && (p_serv_rec->psm == psm) ) 5733 return(p_serv_rec); 5734 } 5735 return(NULL); 5736 } 5737 5738 5739 /******************************************************************************* 5740 ** 5741 ** Function btm_sec_find_next_serv 5742 ** 5743 ** Description Look for the next record in the service database 5744 ** with specified PSM 5745 ** 5746 ** Returns Pointer to the record or NULL 5747 ** 5748 *******************************************************************************/ 5749 static tBTM_SEC_SERV_REC *btm_sec_find_next_serv (tBTM_SEC_SERV_REC *p_cur) 5750 { 5751 tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0]; 5752 int i; 5753 5754 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++) 5755 { 5756 if ((p_serv_rec->security_flags & BTM_SEC_IN_USE) 5757 && (p_serv_rec->psm == p_cur->psm) ) 5758 { 5759 if (p_cur != p_serv_rec) 5760 { 5761 return(p_serv_rec); 5762 } 5763 } 5764 } 5765 return(NULL); 5766 } 5767 5768 5769 /******************************************************************************* 5770 ** 5771 ** Function btm_sec_find_mx_serv 5772 ** 5773 ** Description Look for the record in the service database with specified 5774 ** PSM and multiplexor channel information 5775 ** 5776 ** Returns Pointer to the record or NULL 5777 ** 5778 *******************************************************************************/ 5779 static tBTM_SEC_SERV_REC *btm_sec_find_mx_serv (UINT8 is_originator, UINT16 psm, 5780 UINT32 mx_proto_id, UINT32 mx_chan_id) 5781 { 5782 tBTM_SEC_SERV_REC *p_out_serv = btm_cb.p_out_serv; 5783 tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0]; 5784 int i; 5785 5786 BTM_TRACE_DEBUG ("%s()", __func__); 5787 if (is_originator && p_out_serv && p_out_serv->psm == psm 5788 && p_out_serv->mx_proto_id == mx_proto_id 5789 && p_out_serv->orig_mx_chan_id == mx_chan_id) 5790 { 5791 /* If this is outgoing connection and the parameters match p_out_serv, 5792 * use it as the current service */ 5793 return btm_cb.p_out_serv; 5794 } 5795 5796 /* otherwise, the old way */ 5797 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++) 5798 { 5799 if ((p_serv_rec->security_flags & BTM_SEC_IN_USE) 5800 && (p_serv_rec->psm == psm) 5801 && (p_serv_rec->mx_proto_id == mx_proto_id) 5802 && (( is_originator && (p_serv_rec->orig_mx_chan_id == mx_chan_id)) 5803 || (!is_originator && (p_serv_rec->term_mx_chan_id == mx_chan_id)))) 5804 { 5805 return(p_serv_rec); 5806 } 5807 } 5808 return(NULL); 5809 } 5810 5811 5812 /******************************************************************************* 5813 ** 5814 ** Function btm_sec_collision_timeout 5815 ** 5816 ** Description Encryption could not start because of the collision 5817 ** try to do it again 5818 ** 5819 ** Returns Pointer to the TLE struct 5820 ** 5821 *******************************************************************************/ 5822 static void btm_sec_collision_timeout (TIMER_LIST_ENT *p_tle) 5823 { 5824 UNUSED(p_tle); 5825 5826 BTM_TRACE_EVENT ("%s()", __func__); 5827 btm_cb.sec_collision_tle.param = 0; 5828 5829 tBTM_STATUS status = btm_sec_execute_procedure (btm_cb.p_collided_dev_rec); 5830 5831 /* If result is pending reply from the user or from the device is pending */ 5832 if (status != BTM_CMD_STARTED) 5833 { 5834 /* There is no next procedure or start of procedure failed, notify the waiting layer */ 5835 btm_sec_dev_rec_cback_event (btm_cb.p_collided_dev_rec, status, FALSE); 5836 } 5837 } 5838 5839 /******************************************************************************* 5840 ** 5841 ** Function btm_sec_link_key_request 5842 ** 5843 ** Description This function is called when controller requests link key 5844 ** 5845 ** Returns Pointer to the record or NULL 5846 ** 5847 *******************************************************************************/ 5848 static void btm_send_link_key_notif (tBTM_SEC_DEV_REC *p_dev_rec) 5849 { 5850 if (btm_cb.api.p_link_key_callback) 5851 (*btm_cb.api.p_link_key_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class, 5852 p_dev_rec->sec_bd_name, p_dev_rec->link_key, 5853 p_dev_rec->link_key_type); 5854 } 5855 5856 /******************************************************************************* 5857 ** 5858 ** Function BTM_ReadTrustedMask 5859 ** 5860 ** Description Get trusted mask for the peer device 5861 ** 5862 ** Parameters: bd_addr - Address of the device 5863 ** 5864 ** Returns NULL, if the device record is not found. 5865 ** otherwise, the trusted mask 5866 ** 5867 *******************************************************************************/ 5868 UINT32 * BTM_ReadTrustedMask (BD_ADDR bd_addr) 5869 { 5870 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr); 5871 if (p_dev_rec != NULL) 5872 return(p_dev_rec->trusted_mask); 5873 return NULL; 5874 } 5875 5876 /******************************************************************************* 5877 ** 5878 ** Function btm_restore_mode 5879 ** 5880 ** Description This function returns the security mode to previous setting 5881 ** if it was changed during bonding. 5882 ** 5883 ** 5884 ** Parameters: void 5885 ** 5886 *******************************************************************************/ 5887 static void btm_restore_mode(void) 5888 { 5889 if (btm_cb.security_mode_changed) 5890 { 5891 btm_cb.security_mode_changed = FALSE; 5892 BTM_TRACE_DEBUG("%s() Auth enable -> %d", __func__, (btm_cb.security_mode == BTM_SEC_MODE_LINK)); 5893 btsnd_hcic_write_auth_enable ((UINT8)(btm_cb.security_mode == BTM_SEC_MODE_LINK)); 5894 } 5895 5896 if (btm_cb.pin_type_changed) 5897 { 5898 btm_cb.pin_type_changed = FALSE; 5899 btsnd_hcic_write_pin_type (btm_cb.cfg.pin_type); 5900 } 5901 } 5902 5903 5904 /******************************************************************************* 5905 ** 5906 ** Function btm_sec_find_dev_by_sec_state 5907 ** 5908 ** Description Look for the record in the device database for the device 5909 ** which is being authenticated or encrypted 5910 ** 5911 ** Returns Pointer to the record or NULL 5912 ** 5913 *******************************************************************************/ 5914 tBTM_SEC_DEV_REC *btm_sec_find_dev_by_sec_state (UINT8 state) 5915 { 5916 tBTM_SEC_DEV_REC *p_dev_rec = &btm_cb.sec_dev_rec[0]; 5917 5918 for (int i = 0; i < BTM_SEC_MAX_DEVICE_RECORDS; i++, p_dev_rec++) 5919 { 5920 if ((p_dev_rec->sec_flags & BTM_SEC_IN_USE) 5921 && (p_dev_rec->sec_state == state)) 5922 return(p_dev_rec); 5923 } 5924 return(NULL); 5925 } 5926 5927 /******************************************************************************* 5928 ** 5929 ** Function btm_sec_change_pairing_state 5930 ** 5931 ** Description This function is called to change pairing state 5932 ** 5933 *******************************************************************************/ 5934 static void btm_sec_change_pairing_state (tBTM_PAIRING_STATE new_state) 5935 { 5936 tBTM_PAIRING_STATE old_state = btm_cb.pairing_state; 5937 5938 BTM_TRACE_EVENT ("%s() Old: %s", __func__, btm_pair_state_descr(btm_cb.pairing_state)); 5939 BTM_TRACE_EVENT ("%s() New: %s pairing_flags:0x%x", __func__, 5940 btm_pair_state_descr(new_state), btm_cb.pairing_flags); 5941 5942 btm_cb.pairing_state = new_state; 5943 5944 if (new_state == BTM_PAIR_STATE_IDLE) 5945 { 5946 btu_stop_timer (&btm_cb.pairing_tle); 5947 5948 btm_cb.pairing_flags = 0; 5949 btm_cb.pin_code_len = 0; 5950 5951 /* Make sure the the lcb shows we are not bonding */ 5952 l2cu_update_lcb_4_bonding (btm_cb.pairing_bda, FALSE); 5953 5954 btm_restore_mode(); 5955 btm_sec_check_pending_reqs(); 5956 btm_inq_clear_ssp(); 5957 5958 memset (btm_cb.pairing_bda, 0xFF, BD_ADDR_LEN); 5959 } 5960 else 5961 { 5962 /* If transitionng out of idle, mark the lcb as bonding */ 5963 if (old_state == BTM_PAIR_STATE_IDLE) 5964 l2cu_update_lcb_4_bonding (btm_cb.pairing_bda, TRUE); 5965 5966 btm_cb.pairing_tle.param = (TIMER_PARAM_TYPE)btm_sec_pairing_timeout; 5967 5968 btu_start_timer (&btm_cb.pairing_tle, BTU_TTYPE_USER_FUNC, BTM_SEC_TIMEOUT_VALUE); 5969 } 5970 } 5971 5972 5973 /******************************************************************************* 5974 ** 5975 ** Function btm_pair_state_descr 5976 ** 5977 ** Description Return state description for tracing 5978 ** 5979 *******************************************************************************/ 5980 #if (BT_USE_TRACES == TRUE) 5981 static char *btm_pair_state_descr (tBTM_PAIRING_STATE state) 5982 { 5983 #if (BT_TRACE_VERBOSE == TRUE) 5984 switch (state) 5985 { 5986 case BTM_PAIR_STATE_IDLE: return("IDLE"); 5987 case BTM_PAIR_STATE_GET_REM_NAME: return("GET_REM_NAME"); 5988 case BTM_PAIR_STATE_WAIT_PIN_REQ: return("WAIT_PIN_REQ"); 5989 case BTM_PAIR_STATE_WAIT_LOCAL_PIN: return("WAIT_LOCAL_PIN"); 5990 case BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM: return("WAIT_NUM_CONFIRM"); 5991 case BTM_PAIR_STATE_KEY_ENTRY: return("KEY_ENTRY"); 5992 case BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP: return("WAIT_LOCAL_OOB_RSP"); 5993 case BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS: return("WAIT_LOCAL_IOCAPS"); 5994 case BTM_PAIR_STATE_INCOMING_SSP: return("INCOMING_SSP"); 5995 case BTM_PAIR_STATE_WAIT_AUTH_COMPLETE: return("WAIT_AUTH_COMPLETE"); 5996 case BTM_PAIR_STATE_WAIT_DISCONNECT: return("WAIT_DISCONNECT"); 5997 } 5998 5999 return("???"); 6000 #else 6001 sprintf(btm_cb.state_temp_buffer,"%hhu",state); 6002 6003 return(btm_cb.state_temp_buffer); 6004 #endif 6005 } 6006 #endif 6007 6008 /******************************************************************************* 6009 ** 6010 ** Function btm_sec_dev_rec_cback_event 6011 ** 6012 ** Description This function calls the callback function with the given 6013 ** result and clear the callback function. 6014 ** 6015 ** Parameters: void 6016 ** 6017 *******************************************************************************/ 6018 void btm_sec_dev_rec_cback_event (tBTM_SEC_DEV_REC *p_dev_rec, UINT8 res, BOOLEAN is_le_transport) 6019 { 6020 tBTM_SEC_CALLBACK *p_callback = p_dev_rec->p_callback; 6021 6022 if (p_dev_rec->p_callback) 6023 { 6024 p_dev_rec->p_callback = NULL; 6025 6026 #if BLE_INCLUDED == TRUE 6027 if (is_le_transport) 6028 (*p_callback) (p_dev_rec->ble.pseudo_addr, BT_TRANSPORT_LE, p_dev_rec->p_ref_data, res); 6029 else 6030 #endif 6031 (*p_callback) (p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR, p_dev_rec->p_ref_data, res); 6032 } 6033 6034 btm_sec_check_pending_reqs(); 6035 } 6036 6037 /******************************************************************************* 6038 ** 6039 ** Function btm_sec_queue_mx_request 6040 ** 6041 ** Description Return state description for tracing 6042 ** 6043 *******************************************************************************/ 6044 static BOOLEAN btm_sec_queue_mx_request (BD_ADDR bd_addr, UINT16 psm, BOOLEAN is_orig, 6045 UINT32 mx_proto_id, UINT32 mx_chan_id, 6046 tBTM_SEC_CALLBACK *p_callback, void *p_ref_data) 6047 { 6048 tBTM_SEC_QUEUE_ENTRY *p_e = (tBTM_SEC_QUEUE_ENTRY *)GKI_getbuf (sizeof(tBTM_SEC_QUEUE_ENTRY)); 6049 6050 if (p_e) 6051 { 6052 p_e->psm = psm; 6053 p_e->is_orig = is_orig; 6054 p_e->p_callback = p_callback; 6055 p_e->p_ref_data = p_ref_data; 6056 p_e->mx_proto_id = mx_proto_id; 6057 p_e->mx_chan_id = mx_chan_id; 6058 p_e->transport = BT_TRANSPORT_BR_EDR; 6059 6060 memcpy (p_e->bd_addr, bd_addr, BD_ADDR_LEN); 6061 6062 BTM_TRACE_EVENT ("%s() PSM: 0x%04x Is_Orig: %u mx_proto_id: %u mx_chan_id: %u", 6063 __func__, psm, is_orig, mx_proto_id, mx_chan_id); 6064 6065 GKI_enqueue (&btm_cb.sec_pending_q, p_e); 6066 6067 return(TRUE); 6068 } 6069 6070 return(FALSE); 6071 } 6072 6073 static BOOLEAN btm_sec_check_prefetch_pin (tBTM_SEC_DEV_REC *p_dev_rec) 6074 { 6075 UINT8 major = (UINT8)(p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK); 6076 UINT8 minor = (UINT8)(p_dev_rec->dev_class[2] & BTM_COD_MINOR_CLASS_MASK); 6077 BOOLEAN rv = FALSE; 6078 6079 if ((major == BTM_COD_MAJOR_AUDIO) 6080 && ((minor == BTM_COD_MINOR_CONFM_HANDSFREE) || (minor == BTM_COD_MINOR_CAR_AUDIO)) ) 6081 { 6082 BTM_TRACE_EVENT ("%s() Skipping pre-fetch PIN for carkit COD Major: 0x%02x Minor: 0x%02x", 6083 __func__, major, minor); 6084 6085 if (btm_cb.security_mode_changed == FALSE) 6086 { 6087 btm_cb.security_mode_changed = TRUE; 6088 #ifdef APPL_AUTH_WRITE_EXCEPTION 6089 if(!(APPL_AUTH_WRITE_EXCEPTION)(p_dev_rec->bd_addr)) 6090 #endif 6091 btsnd_hcic_write_auth_enable (TRUE); 6092 } 6093 } 6094 else 6095 { 6096 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_PIN); 6097 6098 /* If we got a PIN, use that, else try to get one */ 6099 if (btm_cb.pin_code_len) 6100 { 6101 BTM_PINCodeReply (p_dev_rec->bd_addr, BTM_SUCCESS, btm_cb.pin_code_len, btm_cb.pin_code, p_dev_rec->trusted_mask); 6102 } 6103 else 6104 { 6105 /* pin was not supplied - pre-fetch pin code now */ 6106 if (btm_cb.api.p_pin_callback && ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PIN_REQD) == 0)) 6107 { 6108 BTM_TRACE_DEBUG("%s() PIN code callback called", __func__); 6109 if (btm_bda_to_acl(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR) == NULL) 6110 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD; 6111 (btm_cb.api.p_pin_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class, 6112 p_dev_rec->sec_bd_name, (p_dev_rec->p_cur_service == NULL) ? FALSE 6113 : (p_dev_rec->p_cur_service->security_flags 6114 & BTM_SEC_IN_MIN_16_DIGIT_PIN)); 6115 } 6116 } 6117 6118 rv = TRUE; 6119 } 6120 6121 return rv; 6122 } 6123 6124 /******************************************************************************* 6125 ** 6126 ** Function btm_sec_auth_payload_tout 6127 ** 6128 ** Description Processes the HCI Autheniticated Payload Timeout Event 6129 ** indicating that a packet containing a valid MIC on the 6130 ** connection handle was not received within the programmed 6131 ** timeout value. (Spec Default is 30 secs, but can be 6132 ** changed via the BTM_SecSetAuthPayloadTimeout() function. 6133 ** 6134 *******************************************************************************/ 6135 void btm_sec_auth_payload_tout (UINT8 *p, UINT16 hci_evt_len) 6136 { 6137 UINT16 handle; 6138 6139 STREAM_TO_UINT16 (handle, p); 6140 handle = HCID_GET_HANDLE (handle); 6141 6142 /* Will be exposed to upper layers in the future if/when determined necessary */ 6143 BTM_TRACE_ERROR ("%s on handle 0x%02x", __func__, handle); 6144 } 6145 6146 /******************************************************************************* 6147 ** 6148 ** Function btm_sec_queue_encrypt_request 6149 ** 6150 ** Description encqueue encryption request when device has active security 6151 ** process pending. 6152 ** 6153 *******************************************************************************/ 6154 static BOOLEAN btm_sec_queue_encrypt_request (BD_ADDR bd_addr, tBT_TRANSPORT transport, 6155 tBTM_SEC_CALLBACK *p_callback, void *p_ref_data) 6156 { 6157 tBTM_SEC_QUEUE_ENTRY *p_e; 6158 p_e = (tBTM_SEC_QUEUE_ENTRY *)GKI_getbuf(sizeof(tBTM_SEC_QUEUE_ENTRY) + 1); 6159 6160 if (p_e) 6161 { 6162 p_e->psm = 0; /* if PSM 0, encryption request */ 6163 p_e->p_callback = p_callback; 6164 p_e->p_ref_data = (void *)(p_e + 1); 6165 *(UINT8 *)p_e->p_ref_data = *(UINT8 *)(p_ref_data); 6166 p_e->transport = transport; 6167 memcpy(p_e->bd_addr, bd_addr, BD_ADDR_LEN); 6168 GKI_enqueue(&btm_cb.sec_pending_q, p_e); 6169 return TRUE; 6170 } 6171 6172 return FALSE; 6173 } 6174 6175 /******************************************************************************* 6176 ** 6177 ** Function btm_sec_set_peer_sec_caps 6178 ** 6179 ** Description This function is called to set sm4 and rmt_sec_caps fields 6180 ** based on the available peer device features. 6181 ** 6182 ** Returns void 6183 ** 6184 *******************************************************************************/ 6185 void btm_sec_set_peer_sec_caps(tACL_CONN *p_acl_cb, tBTM_SEC_DEV_REC *p_dev_rec) 6186 { 6187 BD_ADDR rem_bd_addr; 6188 UINT8 *p_rem_bd_addr; 6189 6190 if ((btm_cb.security_mode == BTM_SEC_MODE_SP || 6191 btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG || 6192 btm_cb.security_mode == BTM_SEC_MODE_SC) && 6193 HCI_SSP_HOST_SUPPORTED(p_acl_cb->peer_lmp_features[HCI_EXT_FEATURES_PAGE_1])) 6194 { 6195 p_dev_rec->sm4 = BTM_SM4_TRUE; 6196 p_dev_rec->remote_supports_secure_connections = 6197 (HCI_SC_HOST_SUPPORTED(p_acl_cb->peer_lmp_features[HCI_EXT_FEATURES_PAGE_1])); 6198 } 6199 else 6200 { 6201 p_dev_rec->sm4 = BTM_SM4_KNOWN; 6202 p_dev_rec->remote_supports_secure_connections = FALSE; 6203 } 6204 6205 BTM_TRACE_API("%s: sm4: 0x%02x, rmt_support_for_secure_connections %d", __FUNCTION__, 6206 p_dev_rec->sm4, p_dev_rec->remote_supports_secure_connections); 6207 6208 6209 if (p_dev_rec->remote_features_needed) 6210 { 6211 BTM_TRACE_EVENT("%s: Now device in SC Only mode, waiting for peer remote features!", 6212 __FUNCTION__); 6213 p_rem_bd_addr = (UINT8*) rem_bd_addr; 6214 BDADDR_TO_STREAM(p_rem_bd_addr, p_dev_rec->bd_addr); 6215 p_rem_bd_addr = (UINT8*) rem_bd_addr; 6216 btm_io_capabilities_req(p_rem_bd_addr); 6217 p_dev_rec->remote_features_needed = FALSE; 6218 } 6219 } 6220 6221 /******************************************************************************* 6222 ** 6223 ** Function btm_sec_clean_pending_req_queue 6224 ** 6225 ** Description This function cleans up the pending security request when the 6226 ** link to the target device dropped. 6227 ** 6228 ** Returns void 6229 ** 6230 *******************************************************************************/ 6231 static void btm_sec_clean_pending_req_queue (BD_ADDR remote_bda, tBT_TRANSPORT transport) 6232 { 6233 tBTM_SEC_QUEUE_ENTRY *p_e; 6234 BUFFER_Q *bq = &btm_cb.sec_pending_q; 6235 6236 p_e = (tBTM_SEC_QUEUE_ENTRY *)GKI_getfirst(bq); 6237 6238 if (p_e != NULL) 6239 { 6240 if (memcmp(p_e->bd_addr, remote_bda, BD_ADDR_LEN) == 0 6241 #if BLE_INCLUDED == TRUE 6242 && p_e->transport == transport 6243 #endif 6244 ) 6245 { 6246 (*p_e->p_callback) (remote_bda, transport, p_e->p_ref_data, BTM_ERR_PROCESSING); 6247 GKI_remove_from_queue(bq, (void *)p_e); 6248 } 6249 p_e = (tBTM_SEC_QUEUE_ENTRY *) GKI_getnext ((void *)p_e); 6250 } 6251 } 6252 6253 /******************************************************************************* 6254 ** 6255 ** Function btm_sec_is_serv_level0 6256 ** 6257 ** Description This function is called to check if the service corresponding 6258 ** to PSM is security mode 4 level 0 service. 6259 ** 6260 ** Returns TRUE if the service is security mode 4 level 0 service 6261 ** 6262 *******************************************************************************/ 6263 static BOOLEAN btm_sec_is_serv_level0(UINT16 psm) 6264 { 6265 if (psm == BT_PSM_SDP) 6266 { 6267 BTM_TRACE_DEBUG("%s: PSM: 0x%04x -> mode 4 level 0 service", __FUNCTION__, psm); 6268 return TRUE; 6269 } 6270 return FALSE; 6271 } 6272 6273 /******************************************************************************* 6274 ** 6275 ** Function btm_sec_check_pending_enc_req 6276 ** 6277 ** Description This function is called to send pending encryption callback if 6278 ** waiting 6279 ** 6280 ** Returns void 6281 ** 6282 *******************************************************************************/ 6283 static void btm_sec_check_pending_enc_req (tBTM_SEC_DEV_REC *p_dev_rec, tBT_TRANSPORT transport, 6284 UINT8 encr_enable) 6285 { 6286 tBTM_SEC_QUEUE_ENTRY *p_e; 6287 BUFFER_Q *bq = &btm_cb.sec_pending_q; 6288 UINT8 res = encr_enable ? BTM_SUCCESS : BTM_ERR_PROCESSING; 6289 6290 p_e = (tBTM_SEC_QUEUE_ENTRY *)GKI_getfirst(bq); 6291 6292 while (p_e != NULL) 6293 { 6294 if (memcmp(p_e->bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0 && p_e->psm == 0 6295 #if BLE_INCLUDED == TRUE 6296 && p_e->transport == transport 6297 #endif 6298 ) 6299 { 6300 #if BLE_INCLUDED == TRUE 6301 UINT8 sec_act = *(UINT8 *)(p_e->p_ref_data); 6302 #endif 6303 6304 if (encr_enable == 0 || transport == BT_TRANSPORT_BR_EDR 6305 #if BLE_INCLUDED == TRUE 6306 || (sec_act == BTM_BLE_SEC_ENCRYPT || sec_act == BTM_BLE_SEC_ENCRYPT_NO_MITM) 6307 || (sec_act == BTM_BLE_SEC_ENCRYPT_MITM && p_dev_rec->sec_flags 6308 & BTM_SEC_LE_AUTHENTICATED) 6309 #endif 6310 ) 6311 { 6312 (*p_e->p_callback) (p_dev_rec->bd_addr, transport, p_e->p_ref_data, res); 6313 GKI_remove_from_queue(bq, (void *)p_e); 6314 } 6315 } 6316 p_e = (tBTM_SEC_QUEUE_ENTRY *) GKI_getnext ((void *)p_e); 6317 } 6318 } 6319 6320 /******************************************************************************* 6321 ** 6322 ** Function btm_sec_set_serv_level4_flags 6323 ** 6324 ** Description This function is called to set security mode 4 level 4 flags. 6325 ** 6326 ** Returns service security requirements updated to include secure 6327 ** connections only mode. 6328 ** 6329 *******************************************************************************/ 6330 static UINT16 btm_sec_set_serv_level4_flags(UINT16 cur_security, BOOLEAN is_originator) 6331 { 6332 UINT16 sec_level4_flags = is_originator ? BTM_SEC_OUT_LEVEL4_FLAGS : BTM_SEC_IN_LEVEL4_FLAGS; 6333 6334 return cur_security | sec_level4_flags; 6335 } 6336 6337 /******************************************************************************* 6338 ** 6339 ** Function btm_sec_clear_ble_keys 6340 ** 6341 ** Description This function is called to clear out the BLE keys. 6342 ** Typically when devices are removed in BTM_SecDeleteDevice, 6343 ** or when a new BT Link key is generated. 6344 ** 6345 ** Returns void 6346 ** 6347 *******************************************************************************/ 6348 void btm_sec_clear_ble_keys (tBTM_SEC_DEV_REC *p_dev_rec) 6349 { 6350 6351 BTM_TRACE_DEBUG ("%s() Clearing BLE Keys", __func__); 6352 #if (SMP_INCLUDED== TRUE) 6353 p_dev_rec->ble.key_type = BTM_LE_KEY_NONE; 6354 memset (&p_dev_rec->ble.keys, 0, sizeof(tBTM_SEC_BLE_KEYS)); 6355 6356 #if (BLE_PRIVACY_SPT == TRUE) 6357 btm_ble_resolving_list_remove_dev(p_dev_rec); 6358 #endif 6359 #endif 6360 } 6361 6362 /******************************************************************************* 6363 ** 6364 ** Function btm_sec_is_a_bonded_dev 6365 ** 6366 ** Description Is the specified device is a bonded device 6367 ** 6368 ** Returns TRUE - dev is bonded 6369 ** 6370 *******************************************************************************/ 6371 BOOLEAN btm_sec_is_a_bonded_dev (BD_ADDR bda) 6372 { 6373 6374 tBTM_SEC_DEV_REC *p_dev_rec= btm_find_dev (bda); 6375 BOOLEAN is_bonded= FALSE; 6376 6377 if (p_dev_rec && 6378 #if (SMP_INCLUDED == TRUE) 6379 ((p_dev_rec->ble.key_type && (p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_KNOWN))|| 6380 #else 6381 ( 6382 #endif 6383 (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN))) 6384 { 6385 is_bonded = TRUE; 6386 } 6387 BTM_TRACE_DEBUG ("%s() is_bonded=%d", __func__, is_bonded); 6388 return(is_bonded); 6389 } 6390 6391 /******************************************************************************* 6392 ** 6393 ** Function btm_sec_is_le_capable_dev 6394 ** 6395 ** Description Is the specified device is dual mode or LE only device 6396 ** 6397 ** Returns TRUE - dev is a dual mode 6398 ** 6399 *******************************************************************************/ 6400 BOOLEAN btm_sec_is_le_capable_dev (BD_ADDR bda) 6401 { 6402 tBTM_SEC_DEV_REC *p_dev_rec= btm_find_dev (bda); 6403 BOOLEAN le_capable = FALSE; 6404 6405 #if (BLE_INCLUDED== TRUE) 6406 if (p_dev_rec && (p_dev_rec->device_type & BT_DEVICE_TYPE_BLE) == BT_DEVICE_TYPE_BLE) 6407 le_capable = TRUE; 6408 #endif 6409 return le_capable; 6410 } 6411 6412 /******************************************************************************* 6413 ** 6414 ** Function btm_sec_find_bonded_dev 6415 ** 6416 ** Description Find a bonded device starting from the specified index 6417 ** 6418 ** Returns TRUE - found a bonded device 6419 ** 6420 *******************************************************************************/ 6421 BOOLEAN btm_sec_find_bonded_dev (UINT8 start_idx, UINT8 *p_found_idx, tBTM_SEC_DEV_REC **p_rec) 6422 { 6423 BOOLEAN found= FALSE; 6424 6425 #if (SMP_INCLUDED== TRUE) 6426 tBTM_SEC_DEV_REC *p_dev_rec; 6427 int i; 6428 if (start_idx >= BTM_SEC_MAX_DEVICE_RECORDS) 6429 { 6430 BTM_TRACE_DEBUG ("LE bonded device not found"); 6431 return found; 6432 } 6433 6434 p_dev_rec = &btm_cb.sec_dev_rec[start_idx]; 6435 for (i = start_idx; i < BTM_SEC_MAX_DEVICE_RECORDS; i++, p_dev_rec++) 6436 { 6437 if (p_dev_rec->ble.key_type || (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)) 6438 { 6439 *p_found_idx = i; 6440 *p_rec = p_dev_rec; 6441 break; 6442 } 6443 } 6444 BTM_TRACE_DEBUG ("%s() found=%d", __func__, found); 6445 #endif 6446 return(found); 6447 } 6448 6449 /******************************************************************************* 6450 ** 6451 ** Function btm_sec_use_smp_br_chnl 6452 ** 6453 ** Description The function checks if SMP BR connection can be used with 6454 ** the peer. 6455 ** Is called when authentication for dedicated bonding is 6456 ** successfully completed. 6457 ** 6458 ** Returns TRUE - if SMP BR connection can be used (the link key is 6459 ** generated from P-256 and the peer supports Security 6460 ** Manager over BR). 6461 ** 6462 *******************************************************************************/ 6463 static BOOLEAN btm_sec_use_smp_br_chnl(tBTM_SEC_DEV_REC *p_dev_rec) 6464 { 6465 UINT32 ext_feat; 6466 UINT8 chnl_mask[L2CAP_FIXED_CHNL_ARRAY_SIZE]; 6467 6468 BTM_TRACE_DEBUG ("%s() link_key_type = 0x%x", __func__, 6469 p_dev_rec->link_key_type); 6470 6471 if ((p_dev_rec->link_key_type != BTM_LKEY_TYPE_UNAUTH_COMB_P_256) && 6472 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256)) 6473 return FALSE; 6474 6475 if (!L2CA_GetPeerFeatures (p_dev_rec->bd_addr, &ext_feat, chnl_mask)) 6476 return FALSE; 6477 6478 if (!(chnl_mask[0] & L2CAP_FIXED_CHNL_SMP_BR_BIT)) 6479 return FALSE; 6480 6481 return TRUE; 6482 } 6483 6484 /******************************************************************************* 6485 ** 6486 ** Function btm_sec_is_master 6487 ** 6488 ** Description The function checks if the device is BR/EDR master after 6489 ** pairing is completed. 6490 ** 6491 ** Returns TRUE - if the device is master. 6492 ** 6493 *******************************************************************************/ 6494 static BOOLEAN btm_sec_is_master(tBTM_SEC_DEV_REC *p_dev_rec) 6495 { 6496 tACL_CONN *p= btm_bda_to_acl(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR); 6497 return (p && (p->link_role == BTM_ROLE_MASTER)); 6498 } 6499 6500
