1 /****************************************************************************** 2 * 3 * Copyright (C) 1999-2012 Broadcom Corporation 4 * 5 * Licensed under the Apache License, Version 2.0 (the "License"); 6 * you may not use this file except in compliance with the License. 7 * You may obtain a copy of the License at: 8 * 9 * http://www.apache.org/licenses/LICENSE-2.0 10 * 11 * Unless required by applicable law or agreed to in writing, software 12 * distributed under the License is distributed on an "AS IS" BASIS, 13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 * See the License for the specific language governing permissions and 15 * limitations under the License. 16 * 17 ******************************************************************************/ 18 19 /****************************************************************************** 20 * 21 * This file contains functions for BLE device control utilities, and LE 22 * security functions. 23 * 24 ******************************************************************************/ 25 26 #define LOG_TAG "bt_btm_ble" 27 28 #include "bt_target.h" 29 30 #if BLE_INCLUDED == TRUE 31 32 #include <string.h> 33 34 #include "bt_types.h" 35 #include "bt_utils.h" 36 #include "btm_ble_api.h" 37 #include "btm_int.h" 38 #include "btu.h" 39 #include "device/include/controller.h" 40 #include "gap_api.h" 41 #include "hcimsgs.h" 42 #include "l2c_int.h" 43 #include "osi/include/log.h" 44 #include "smp_api.h" 45 46 #if SMP_INCLUDED == TRUE 47 extern BOOLEAN aes_cipher_msg_auth_code(BT_OCTET16 key, UINT8 *input, UINT16 length, 48 UINT16 tlen, UINT8 *p_signature); 49 extern void smp_link_encrypted(BD_ADDR bda, UINT8 encr_enable); 50 extern BOOLEAN smp_proc_ltk_request(BD_ADDR bda); 51 #endif 52 extern void gatt_notify_enc_cmpl(BD_ADDR bd_addr); 53 54 /*******************************************************************************/ 55 /* External Function to be called by other modules */ 56 /*******************************************************************************/ 57 /******************************************************** 58 ** 59 ** Function BTM_SecAddBleDevice 60 ** 61 ** Description Add/modify device. This function will be normally called 62 ** during host startup to restore all required information 63 ** for a LE device stored in the NVRAM. 64 ** 65 ** Parameters: bd_addr - BD address of the peer 66 ** bd_name - Name of the peer device. NULL if unknown. 67 ** dev_type - Remote device's device type. 68 ** addr_type - LE device address type. 69 ** 70 ** Returns TRUE if added OK, else FALSE 71 ** 72 *******************************************************************************/ 73 BOOLEAN BTM_SecAddBleDevice (BD_ADDR bd_addr, BD_NAME bd_name, tBT_DEVICE_TYPE dev_type, 74 tBLE_ADDR_TYPE addr_type) 75 { 76 BTM_TRACE_DEBUG ("%s: dev_type=0x%x", __func__, dev_type); 77 78 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev(bd_addr); 79 if (!p_dev_rec) 80 { 81 p_dev_rec = btm_sec_allocate_dev_rec(); 82 83 memcpy(p_dev_rec->bd_addr, bd_addr, BD_ADDR_LEN); 84 p_dev_rec->hci_handle = BTM_GetHCIConnHandle(bd_addr, BT_TRANSPORT_BR_EDR); 85 p_dev_rec->ble_hci_handle = BTM_GetHCIConnHandle(bd_addr, BT_TRANSPORT_LE); 86 87 /* update conn params, use default value for background connection params */ 88 p_dev_rec->conn_params.min_conn_int = BTM_BLE_CONN_PARAM_UNDEF; 89 p_dev_rec->conn_params.max_conn_int = BTM_BLE_CONN_PARAM_UNDEF; 90 p_dev_rec->conn_params.supervision_tout = BTM_BLE_CONN_PARAM_UNDEF; 91 p_dev_rec->conn_params.slave_latency = BTM_BLE_CONN_PARAM_UNDEF; 92 93 BTM_TRACE_DEBUG("%s: Device added, handle=0x%x ", __func__, p_dev_rec->ble_hci_handle); 94 } 95 96 memset(p_dev_rec->sec_bd_name, 0, sizeof(tBTM_BD_NAME)); 97 98 if (bd_name && bd_name[0]) 99 { 100 p_dev_rec->sec_flags |= BTM_SEC_NAME_KNOWN; 101 strlcpy((char *)p_dev_rec->sec_bd_name, 102 (char *)bd_name, BTM_MAX_REM_BD_NAME_LEN); 103 } 104 p_dev_rec->device_type |= dev_type; 105 p_dev_rec->ble.ble_addr_type = addr_type; 106 107 memcpy(p_dev_rec->ble.pseudo_addr, bd_addr, BD_ADDR_LEN); 108 /* sync up with the Inq Data base*/ 109 tBTM_INQ_INFO *p_info = BTM_InqDbRead(bd_addr); 110 if (p_info) 111 { 112 p_info->results.ble_addr_type = p_dev_rec->ble.ble_addr_type ; 113 p_info->results.device_type = p_dev_rec->device_type; 114 BTM_TRACE_DEBUG("InqDb device_type =0x%x addr_type=0x%x", 115 p_info->results.device_type, p_info->results.ble_addr_type); 116 } 117 118 return TRUE; 119 } 120 121 /******************************************************************************* 122 ** 123 ** Function BTM_SecAddBleKey 124 ** 125 ** Description Add/modify LE device information. This function will be 126 ** normally called during host startup to restore all required 127 ** information stored in the NVRAM. 128 ** 129 ** Parameters: bd_addr - BD address of the peer 130 ** p_le_key - LE key values. 131 ** key_type - LE SMP key type. 132 * 133 ** Returns TRUE if added OK, else FALSE 134 ** 135 *******************************************************************************/ 136 BOOLEAN BTM_SecAddBleKey (BD_ADDR bd_addr, tBTM_LE_KEY_VALUE *p_le_key, tBTM_LE_KEY_TYPE key_type) 137 { 138 #if SMP_INCLUDED == TRUE 139 tBTM_SEC_DEV_REC *p_dev_rec; 140 BTM_TRACE_DEBUG ("BTM_SecAddBleKey"); 141 p_dev_rec = btm_find_dev (bd_addr); 142 if (!p_dev_rec || !p_le_key || 143 (key_type != BTM_LE_KEY_PENC && key_type != BTM_LE_KEY_PID && 144 key_type != BTM_LE_KEY_PCSRK && key_type != BTM_LE_KEY_LENC && 145 key_type != BTM_LE_KEY_LCSRK && key_type != BTM_LE_KEY_LID)) 146 { 147 BTM_TRACE_WARNING ("BTM_SecAddBleKey() Wrong Type, or No Device record \ 148 for bdaddr: %08x%04x, Type: %d", 149 (bd_addr[0]<<24)+(bd_addr[1]<<16)+(bd_addr[2]<<8)+bd_addr[3], 150 (bd_addr[4]<<8)+bd_addr[5], key_type); 151 return(FALSE); 152 } 153 154 BTM_TRACE_DEBUG ("BTM_SecAddLeKey() BDA: %08x%04x, Type: 0x%02x", 155 (bd_addr[0]<<24)+(bd_addr[1]<<16)+(bd_addr[2]<<8)+bd_addr[3], 156 (bd_addr[4]<<8)+bd_addr[5], key_type); 157 158 btm_sec_save_le_key (bd_addr, key_type, p_le_key, FALSE); 159 160 #if (BLE_PRIVACY_SPT == TRUE) 161 if (key_type == BTM_LE_KEY_PID || key_type == BTM_LE_KEY_LID) 162 btm_ble_resolving_list_load_dev (p_dev_rec); 163 #endif 164 165 #endif 166 167 return(TRUE); 168 } 169 170 /******************************************************************************* 171 ** 172 ** Function BTM_BleLoadLocalKeys 173 ** 174 ** Description Local local identity key, encryption root or sign counter. 175 ** 176 ** Parameters: key_type: type of key, can be BTM_BLE_KEY_TYPE_ID, BTM_BLE_KEY_TYPE_ER 177 ** or BTM_BLE_KEY_TYPE_COUNTER. 178 ** p_key: pointer to the key. 179 * 180 ** Returns non2. 181 ** 182 *******************************************************************************/ 183 void BTM_BleLoadLocalKeys(UINT8 key_type, tBTM_BLE_LOCAL_KEYS *p_key) 184 { 185 tBTM_DEVCB *p_devcb = &btm_cb.devcb; 186 BTM_TRACE_DEBUG ("%s", __func__); 187 if (p_key != NULL) 188 { 189 switch (key_type) 190 { 191 case BTM_BLE_KEY_TYPE_ID: 192 memcpy(&p_devcb->id_keys, &p_key->id_keys, sizeof(tBTM_BLE_LOCAL_ID_KEYS)); 193 break; 194 195 case BTM_BLE_KEY_TYPE_ER: 196 memcpy(p_devcb->ble_encryption_key_value, p_key->er, sizeof(BT_OCTET16)); 197 break; 198 199 default: 200 BTM_TRACE_ERROR("unknow local key type: %d", key_type); 201 break; 202 } 203 } 204 } 205 206 /******************************************************************************* 207 ** 208 ** Function BTM_GetDeviceEncRoot 209 ** 210 ** Description This function is called to read the local device encryption 211 ** root. 212 ** 213 ** Returns void 214 ** the local device ER is copied into ble_encr_key_value 215 ** 216 *******************************************************************************/ 217 void BTM_GetDeviceEncRoot (BT_OCTET16 ble_encr_key_value) 218 { 219 BTM_TRACE_DEBUG ("%s", __func__); 220 memcpy (ble_encr_key_value, btm_cb.devcb.ble_encryption_key_value, BT_OCTET16_LEN); 221 } 222 223 /******************************************************************************* 224 ** 225 ** Function BTM_GetDeviceIDRoot 226 ** 227 ** Description This function is called to read the local device identity 228 ** root. 229 ** 230 ** Returns void 231 ** the local device IR is copied into irk 232 ** 233 *******************************************************************************/ 234 void BTM_GetDeviceIDRoot (BT_OCTET16 irk) 235 { 236 BTM_TRACE_DEBUG ("BTM_GetDeviceIDRoot "); 237 238 memcpy (irk, btm_cb.devcb.id_keys.irk, BT_OCTET16_LEN); 239 } 240 241 /******************************************************************************* 242 ** 243 ** Function BTM_GetDeviceDHK 244 ** 245 ** Description This function is called to read the local device DHK. 246 ** 247 ** Returns void 248 ** the local device DHK is copied into dhk 249 ** 250 *******************************************************************************/ 251 void BTM_GetDeviceDHK (BT_OCTET16 dhk) 252 { 253 BTM_TRACE_DEBUG ("BTM_GetDeviceDHK"); 254 memcpy (dhk, btm_cb.devcb.id_keys.dhk, BT_OCTET16_LEN); 255 } 256 257 /******************************************************************************* 258 ** 259 ** Function BTM_ReadConnectionAddr 260 ** 261 ** Description This function is called to get the local device address information 262 ** . 263 ** 264 ** Returns void 265 ** 266 *******************************************************************************/ 267 void BTM_ReadConnectionAddr (BD_ADDR remote_bda, BD_ADDR local_conn_addr, tBLE_ADDR_TYPE *p_addr_type) 268 { 269 tACL_CONN *p_acl = btm_bda_to_acl(remote_bda, BT_TRANSPORT_LE); 270 271 if (p_acl == NULL) 272 { 273 BTM_TRACE_ERROR("No connection exist!"); 274 return; 275 } 276 memcpy(local_conn_addr, p_acl->conn_addr, BD_ADDR_LEN); 277 * p_addr_type = p_acl->conn_addr_type; 278 279 BTM_TRACE_DEBUG ("BTM_ReadConnectionAddr address type: %d addr: 0x%02x", 280 p_acl->conn_addr_type, p_acl->conn_addr[0]); 281 } 282 283 /******************************************************************************* 284 ** 285 ** Function BTM_IsBleConnection 286 ** 287 ** Description This function is called to check if the connection handle 288 ** for an LE link 289 ** 290 ** Returns TRUE if connection is LE link, otherwise FALSE. 291 ** 292 *******************************************************************************/ 293 BOOLEAN BTM_IsBleConnection (UINT16 conn_handle) 294 { 295 #if (BLE_INCLUDED == TRUE) 296 UINT8 xx; 297 tACL_CONN *p; 298 299 BTM_TRACE_API ("BTM_IsBleConnection: conn_handle: %d", conn_handle); 300 301 xx = btm_handle_to_acl_index (conn_handle); 302 if (xx >= MAX_L2CAP_LINKS) 303 return FALSE; 304 305 p = &btm_cb.acl_db[xx]; 306 307 return (p->transport == BT_TRANSPORT_LE); 308 #else 309 return FALSE; 310 #endif 311 } 312 313 /******************************************************************************* 314 ** 315 ** Function BTM_ReadRemoteConnectionAddr 316 ** 317 ** Description This function is read the remote device address currently used 318 ** 319 ** Parameters pseudo_addr: pseudo random address available 320 ** conn_addr:connection address used 321 ** p_addr_type : BD Address type, Public or Random of the address used 322 ** 323 ** Returns BOOLEAN , TRUE if connection to remote device exists, else FALSE 324 ** 325 *******************************************************************************/ 326 BOOLEAN BTM_ReadRemoteConnectionAddr(BD_ADDR pseudo_addr, BD_ADDR conn_addr, 327 tBLE_ADDR_TYPE *p_addr_type) 328 { 329 BOOLEAN st = TRUE; 330 #if (BLE_PRIVACY_SPT == TRUE) 331 tACL_CONN *p = btm_bda_to_acl (pseudo_addr, BT_TRANSPORT_LE); 332 333 if (p == NULL) 334 { 335 BTM_TRACE_ERROR("BTM_ReadRemoteConnectionAddr can not find connection" 336 " with matching address"); 337 return FALSE; 338 } 339 340 memcpy(conn_addr, p->active_remote_addr, BD_ADDR_LEN); 341 *p_addr_type = p->active_remote_addr_type; 342 #else 343 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev(pseudo_addr); 344 345 memcpy(conn_addr, pseudo_addr, BD_ADDR_LEN); 346 if (p_dev_rec != NULL) 347 { 348 *p_addr_type = p_dev_rec->ble.ble_addr_type; 349 } 350 #endif 351 return st; 352 353 } 354 /******************************************************************************* 355 ** 356 ** Function BTM_SecurityGrant 357 ** 358 ** Description This function is called to grant security process. 359 ** 360 ** Parameters bd_addr - peer device bd address. 361 ** res - result of the operation BTM_SUCCESS if success. 362 ** Otherwise, BTM_REPEATED_ATTEMPTS is too many attempts. 363 ** 364 ** Returns None 365 ** 366 *******************************************************************************/ 367 void BTM_SecurityGrant(BD_ADDR bd_addr, UINT8 res) 368 { 369 #if SMP_INCLUDED == TRUE 370 tSMP_STATUS res_smp = (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_REPEATED_ATTEMPTS; 371 BTM_TRACE_DEBUG ("BTM_SecurityGrant"); 372 SMP_SecurityGrant(bd_addr, res_smp); 373 #endif 374 } 375 376 /******************************************************************************* 377 ** 378 ** Function BTM_BlePasskeyReply 379 ** 380 ** Description This function is called after Security Manager submitted 381 ** passkey request to the application. 382 ** 383 ** Parameters: bd_addr - Address of the device for which passkey was requested 384 ** res - result of the operation BTM_SUCCESS if success 385 ** key_len - length in bytes of the Passkey 386 ** p_passkey - pointer to array with the passkey 387 ** trusted_mask - bitwise OR of trusted services (array of UINT32) 388 ** 389 *******************************************************************************/ 390 void BTM_BlePasskeyReply (BD_ADDR bd_addr, UINT8 res, UINT32 passkey) 391 { 392 #if SMP_INCLUDED == TRUE 393 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr); 394 tSMP_STATUS res_smp = (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_PASSKEY_ENTRY_FAIL; 395 396 if (p_dev_rec == NULL) 397 { 398 BTM_TRACE_ERROR("Passkey reply to Unknown device"); 399 return; 400 } 401 402 p_dev_rec->sec_flags |= BTM_SEC_LE_AUTHENTICATED; 403 BTM_TRACE_DEBUG ("BTM_BlePasskeyReply"); 404 SMP_PasskeyReply(bd_addr, res_smp, passkey); 405 #endif 406 } 407 408 /******************************************************************************* 409 ** 410 ** Function BTM_BleConfirmReply 411 ** 412 ** Description This function is called after Security Manager submitted 413 ** numeric comparison request to the application. 414 ** 415 ** Parameters: bd_addr - Address of the device with which numeric 416 ** comparison was requested 417 ** res - comparison result BTM_SUCCESS if success 418 ** 419 *******************************************************************************/ 420 void BTM_BleConfirmReply (BD_ADDR bd_addr, UINT8 res) 421 { 422 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr); 423 tSMP_STATUS res_smp = (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_PASSKEY_ENTRY_FAIL; 424 425 if (p_dev_rec == NULL) 426 { 427 BTM_TRACE_ERROR("Passkey reply to Unknown device"); 428 return; 429 } 430 431 p_dev_rec->sec_flags |= BTM_SEC_LE_AUTHENTICATED; 432 BTM_TRACE_DEBUG ("%s", __func__); 433 SMP_ConfirmReply(bd_addr, res_smp); 434 } 435 436 /******************************************************************************* 437 ** 438 ** Function BTM_BleOobDataReply 439 ** 440 ** Description This function is called to provide the OOB data for 441 ** SMP in response to BTM_LE_OOB_REQ_EVT 442 ** 443 ** Parameters: bd_addr - Address of the peer device 444 ** res - result of the operation SMP_SUCCESS if success 445 ** p_data - oob data, depending on transport and capabilities. 446 ** Might be "Simple Pairing Randomizer", or 447 ** "Security Manager TK Value". 448 ** 449 *******************************************************************************/ 450 void BTM_BleOobDataReply(BD_ADDR bd_addr, UINT8 res, UINT8 len, UINT8 *p_data) 451 { 452 #if SMP_INCLUDED == TRUE 453 tSMP_STATUS res_smp = (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_OOB_FAIL; 454 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr); 455 456 BTM_TRACE_DEBUG ("BTM_BleOobDataReply"); 457 458 if (p_dev_rec == NULL) 459 { 460 BTM_TRACE_ERROR("BTM_BleOobDataReply() to Unknown device"); 461 return; 462 } 463 464 p_dev_rec->sec_flags |= BTM_SEC_LE_AUTHENTICATED; 465 SMP_OobDataReply(bd_addr, res_smp, len, p_data); 466 #endif 467 } 468 469 /****************************************************************************** 470 ** 471 ** Function BTM_BleSetConnScanParams 472 ** 473 ** Description Set scan parameter used in BLE connection request 474 ** 475 ** Parameters: scan_interval: scan interval 476 ** scan_window: scan window 477 ** 478 ** Returns void 479 ** 480 *******************************************************************************/ 481 void BTM_BleSetConnScanParams (UINT32 scan_interval, UINT32 scan_window) 482 { 483 #if SMP_INCLUDED == TRUE 484 tBTM_BLE_CB *p_ble_cb = &btm_cb.ble_ctr_cb; 485 BOOLEAN new_param = FALSE; 486 487 if (BTM_BLE_ISVALID_PARAM(scan_interval, BTM_BLE_SCAN_INT_MIN, BTM_BLE_SCAN_INT_MAX) && 488 BTM_BLE_ISVALID_PARAM(scan_window, BTM_BLE_SCAN_WIN_MIN, BTM_BLE_SCAN_WIN_MAX)) 489 { 490 if (p_ble_cb->scan_int != scan_interval) 491 { 492 p_ble_cb->scan_int = scan_interval; 493 new_param = TRUE; 494 } 495 496 if (p_ble_cb->scan_win != scan_window) 497 { 498 p_ble_cb->scan_win = scan_window; 499 new_param = TRUE; 500 } 501 502 if (new_param && p_ble_cb->conn_state == BLE_BG_CONN) 503 { 504 btm_ble_suspend_bg_conn(); 505 } 506 } 507 else 508 { 509 BTM_TRACE_ERROR("Illegal Connection Scan Parameters"); 510 } 511 #endif 512 } 513 514 /******************************************************** 515 ** 516 ** Function BTM_BleSetPrefConnParams 517 ** 518 ** Description Set a peripheral's preferred connection parameters 519 ** 520 ** Parameters: bd_addr - BD address of the peripheral 521 ** scan_interval: scan interval 522 ** scan_window: scan window 523 ** min_conn_int - minimum preferred connection interval 524 ** max_conn_int - maximum preferred connection interval 525 ** slave_latency - preferred slave latency 526 ** supervision_tout - preferred supervision timeout 527 ** 528 ** Returns void 529 ** 530 *******************************************************************************/ 531 void BTM_BleSetPrefConnParams (BD_ADDR bd_addr, 532 UINT16 min_conn_int, UINT16 max_conn_int, 533 UINT16 slave_latency, UINT16 supervision_tout) 534 { 535 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr); 536 537 BTM_TRACE_API ("BTM_BleSetPrefConnParams min: %u max: %u latency: %u \ 538 tout: %u", 539 min_conn_int, max_conn_int, slave_latency, supervision_tout); 540 541 if (BTM_BLE_ISVALID_PARAM(min_conn_int, BTM_BLE_CONN_INT_MIN, BTM_BLE_CONN_INT_MAX) && 542 BTM_BLE_ISVALID_PARAM(max_conn_int, BTM_BLE_CONN_INT_MIN, BTM_BLE_CONN_INT_MAX) && 543 BTM_BLE_ISVALID_PARAM(supervision_tout, BTM_BLE_CONN_SUP_TOUT_MIN, BTM_BLE_CONN_SUP_TOUT_MAX) && 544 (slave_latency <= BTM_BLE_CONN_LATENCY_MAX || slave_latency == BTM_BLE_CONN_PARAM_UNDEF)) 545 { 546 if (p_dev_rec) 547 { 548 /* expect conn int and stout and slave latency to be updated all together */ 549 if (min_conn_int != BTM_BLE_CONN_PARAM_UNDEF || max_conn_int != BTM_BLE_CONN_PARAM_UNDEF) 550 { 551 if (min_conn_int != BTM_BLE_CONN_PARAM_UNDEF) 552 p_dev_rec->conn_params.min_conn_int = min_conn_int; 553 else 554 p_dev_rec->conn_params.min_conn_int = max_conn_int; 555 556 if (max_conn_int != BTM_BLE_CONN_PARAM_UNDEF) 557 p_dev_rec->conn_params.max_conn_int = max_conn_int; 558 else 559 p_dev_rec->conn_params.max_conn_int = min_conn_int; 560 561 if (slave_latency != BTM_BLE_CONN_PARAM_UNDEF) 562 p_dev_rec->conn_params.slave_latency = slave_latency; 563 else 564 p_dev_rec->conn_params.slave_latency = BTM_BLE_CONN_SLAVE_LATENCY_DEF; 565 566 if (supervision_tout != BTM_BLE_CONN_PARAM_UNDEF) 567 p_dev_rec->conn_params.supervision_tout = supervision_tout; 568 else 569 p_dev_rec->conn_params.supervision_tout = BTM_BLE_CONN_TIMEOUT_DEF; 570 571 } 572 573 } 574 else 575 { 576 BTM_TRACE_ERROR("Unknown Device, setting rejected"); 577 } 578 } 579 else 580 { 581 BTM_TRACE_ERROR("Illegal Connection Parameters"); 582 } 583 } 584 585 /******************************************************************************* 586 ** 587 ** Function BTM_ReadDevInfo 588 ** 589 ** Description This function is called to read the device/address type 590 ** of BD address. 591 ** 592 ** Parameter remote_bda: remote device address 593 ** p_dev_type: output parameter to read the device type. 594 ** p_addr_type: output parameter to read the address type. 595 ** 596 *******************************************************************************/ 597 void BTM_ReadDevInfo (BD_ADDR remote_bda, tBT_DEVICE_TYPE *p_dev_type, tBLE_ADDR_TYPE *p_addr_type) 598 { 599 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (remote_bda); 600 tBTM_INQ_INFO *p_inq_info = BTM_InqDbRead(remote_bda); 601 602 *p_addr_type = BLE_ADDR_PUBLIC; 603 604 if (!p_dev_rec) 605 { 606 *p_dev_type = BT_DEVICE_TYPE_BREDR; 607 /* Check with the BT manager if details about remote device are known */ 608 if (p_inq_info != NULL) 609 { 610 *p_dev_type = p_inq_info->results.device_type ; 611 *p_addr_type = p_inq_info->results.ble_addr_type; 612 } else { 613 /* unknown device, assume BR/EDR */ 614 BTM_TRACE_DEBUG ("btm_find_dev_type - unknown device, BR/EDR assumed"); 615 } 616 } 617 else /* there is a security device record exisitng */ 618 { 619 /* new inquiry result, overwrite device type in security device record */ 620 if (p_inq_info) 621 { 622 p_dev_rec->device_type = p_inq_info->results.device_type; 623 p_dev_rec->ble.ble_addr_type = p_inq_info->results.ble_addr_type; 624 } 625 if (memcmp(p_dev_rec->bd_addr, remote_bda, BD_ADDR_LEN) == 0 && 626 memcmp(p_dev_rec->ble.pseudo_addr, remote_bda, BD_ADDR_LEN) == 0) 627 { 628 *p_dev_type = p_dev_rec->device_type; 629 *p_addr_type = p_dev_rec->ble.ble_addr_type; 630 } 631 else if (memcmp(p_dev_rec->ble.pseudo_addr, remote_bda, BD_ADDR_LEN) == 0) 632 { 633 *p_dev_type = BT_DEVICE_TYPE_BLE; 634 *p_addr_type = p_dev_rec->ble.ble_addr_type; 635 } 636 else /* matching static adddress only */ 637 { 638 *p_dev_type = BT_DEVICE_TYPE_BREDR; 639 *p_addr_type = BLE_ADDR_PUBLIC; 640 } 641 642 } 643 644 BTM_TRACE_DEBUG ("btm_find_dev_type - device_type = %d addr_type = %d", *p_dev_type , *p_addr_type); 645 } 646 647 /******************************************************************************* 648 ** 649 ** Function BTM_ReadConnectedTransportAddress 650 ** 651 ** Description This function is called to read the paired device/address type of other device paired 652 ** corresponding to the BD_address 653 ** 654 ** Parameter remote_bda: remote device address, carry out the transport address 655 ** transport: active transport 656 ** 657 ** Return TRUE if an active link is identified; FALSE otherwise 658 ** 659 *******************************************************************************/ 660 BOOLEAN BTM_ReadConnectedTransportAddress(BD_ADDR remote_bda, tBT_TRANSPORT transport) 661 { 662 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev(remote_bda); 663 664 /* if no device can be located, return */ 665 if (p_dev_rec == NULL) 666 return FALSE; 667 668 if (transport == BT_TRANSPORT_BR_EDR) 669 { 670 if (btm_bda_to_acl(p_dev_rec->bd_addr, transport) != NULL) 671 { 672 memcpy(remote_bda, p_dev_rec->bd_addr, BD_ADDR_LEN); 673 return TRUE; 674 } 675 else if (p_dev_rec->device_type & BT_DEVICE_TYPE_BREDR) 676 { 677 memcpy(remote_bda, p_dev_rec->bd_addr, BD_ADDR_LEN); 678 } 679 else 680 memset(remote_bda, 0, BD_ADDR_LEN); 681 return FALSE; 682 } 683 684 if (transport == BT_TRANSPORT_LE) 685 { 686 memcpy(remote_bda, p_dev_rec->ble.pseudo_addr, BD_ADDR_LEN); 687 if (btm_bda_to_acl(p_dev_rec->ble.pseudo_addr, transport) != NULL) 688 return TRUE; 689 else 690 return FALSE; 691 } 692 693 return FALSE; 694 } 695 696 /******************************************************************************* 697 ** 698 ** Function BTM_BleReceiverTest 699 ** 700 ** Description This function is called to start the LE Receiver test 701 ** 702 ** Parameter rx_freq - Frequency Range 703 ** p_cmd_cmpl_cback - Command Complete callback 704 ** 705 *******************************************************************************/ 706 void BTM_BleReceiverTest(UINT8 rx_freq, tBTM_CMPL_CB *p_cmd_cmpl_cback) 707 { 708 btm_cb.devcb.p_le_test_cmd_cmpl_cb = p_cmd_cmpl_cback; 709 710 if (btsnd_hcic_ble_receiver_test(rx_freq) == FALSE) 711 { 712 BTM_TRACE_ERROR("%s: Unable to Trigger LE receiver test", __FUNCTION__); 713 } 714 } 715 716 /******************************************************************************* 717 ** 718 ** Function BTM_BleTransmitterTest 719 ** 720 ** Description This function is called to start the LE Transmitter test 721 ** 722 ** Parameter tx_freq - Frequency Range 723 ** test_data_len - Length in bytes of payload data in each packet 724 ** packet_payload - Pattern to use in the payload 725 ** p_cmd_cmpl_cback - Command Complete callback 726 ** 727 *******************************************************************************/ 728 void BTM_BleTransmitterTest(UINT8 tx_freq, UINT8 test_data_len, 729 UINT8 packet_payload, tBTM_CMPL_CB *p_cmd_cmpl_cback) 730 { 731 btm_cb.devcb.p_le_test_cmd_cmpl_cb = p_cmd_cmpl_cback; 732 if (btsnd_hcic_ble_transmitter_test(tx_freq, test_data_len, packet_payload) == FALSE) 733 { 734 BTM_TRACE_ERROR("%s: Unable to Trigger LE transmitter test", __FUNCTION__); 735 } 736 } 737 738 /******************************************************************************* 739 ** 740 ** Function BTM_BleTestEnd 741 ** 742 ** Description This function is called to stop the in-progress TX or RX test 743 ** 744 ** Parameter p_cmd_cmpl_cback - Command complete callback 745 ** 746 *******************************************************************************/ 747 void BTM_BleTestEnd(tBTM_CMPL_CB *p_cmd_cmpl_cback) 748 { 749 btm_cb.devcb.p_le_test_cmd_cmpl_cb = p_cmd_cmpl_cback; 750 751 if (btsnd_hcic_ble_test_end() == FALSE) 752 { 753 BTM_TRACE_ERROR("%s: Unable to End the LE TX/RX test", __FUNCTION__); 754 } 755 } 756 757 /******************************************************************************* 758 ** Internal Functions 759 *******************************************************************************/ 760 void btm_ble_test_command_complete(UINT8 *p) 761 { 762 tBTM_CMPL_CB *p_cb = btm_cb.devcb.p_le_test_cmd_cmpl_cb; 763 764 btm_cb.devcb.p_le_test_cmd_cmpl_cb = NULL; 765 766 if (p_cb) 767 { 768 (*p_cb)(p); 769 } 770 } 771 772 /******************************************************************************* 773 ** 774 ** Function BTM_UseLeLink 775 ** 776 ** Description This function is to select the underneath physical link to use. 777 ** 778 ** Returns TRUE to use LE, FALSE use BR/EDR. 779 ** 780 *******************************************************************************/ 781 BOOLEAN BTM_UseLeLink (BD_ADDR bd_addr) 782 { 783 tACL_CONN *p; 784 tBT_DEVICE_TYPE dev_type; 785 tBLE_ADDR_TYPE addr_type; 786 BOOLEAN use_le = FALSE; 787 788 if ((p = btm_bda_to_acl(bd_addr, BT_TRANSPORT_BR_EDR)) != NULL) 789 { 790 return use_le; 791 } 792 else if ((p = btm_bda_to_acl(bd_addr, BT_TRANSPORT_LE)) != NULL) 793 { 794 use_le = TRUE; 795 } 796 else 797 { 798 BTM_ReadDevInfo(bd_addr, &dev_type, &addr_type); 799 use_le = (dev_type == BT_DEVICE_TYPE_BLE); 800 } 801 return use_le; 802 } 803 804 /******************************************************************************* 805 ** 806 ** Function BTM_SetBleDataLength 807 ** 808 ** Description This function is to set maximum BLE transmission packet size 809 ** 810 ** Returns BTM_SUCCESS if success; otherwise failed. 811 ** 812 *******************************************************************************/ 813 tBTM_STATUS BTM_SetBleDataLength(BD_ADDR bd_addr, UINT16 tx_pdu_length) 814 { 815 tACL_CONN *p_acl = btm_bda_to_acl(bd_addr, BT_TRANSPORT_LE); 816 BTM_TRACE_DEBUG("%s: tx_pdu_length =%d", __FUNCTION__, tx_pdu_length); 817 818 if (!controller_get_interface()->supports_ble_packet_extension()) 819 { 820 BTM_TRACE_ERROR("%s failed, request not supported", __FUNCTION__); 821 return BTM_ILLEGAL_VALUE; 822 } 823 824 if (!HCI_LE_DATA_LEN_EXT_SUPPORTED(p_acl->peer_le_features)) 825 { 826 BTM_TRACE_ERROR("%s failed, peer does not support request", __FUNCTION__); 827 return BTM_ILLEGAL_VALUE; 828 } 829 830 if (p_acl != NULL) 831 { 832 if (tx_pdu_length > BTM_BLE_DATA_SIZE_MAX) 833 tx_pdu_length = BTM_BLE_DATA_SIZE_MAX; 834 else if (tx_pdu_length < BTM_BLE_DATA_SIZE_MIN) 835 tx_pdu_length = BTM_BLE_DATA_SIZE_MIN; 836 837 /* always set the TxTime to be max, as controller does not care for now */ 838 btsnd_hcic_ble_set_data_length(p_acl->hci_handle, tx_pdu_length, 839 BTM_BLE_DATA_TX_TIME_MAX); 840 841 return BTM_SUCCESS; 842 } 843 else 844 { 845 BTM_TRACE_ERROR("%s: Wrong mode: no LE link exist or LE not supported",__FUNCTION__); 846 return BTM_WRONG_MODE; 847 } 848 } 849 850 /******************************************************************************* 851 ** 852 ** Function btm_ble_determine_security_act 853 ** 854 ** Description This function checks the security of current LE link 855 ** and returns the appropriate action that needs to be 856 ** taken to achieve the required security. 857 ** 858 ** Parameter is_originator - True if outgoing connection 859 ** bdaddr: remote device address 860 ** security_required: Security required for the service. 861 ** 862 ** Returns The appropriate security action required. 863 ** 864 *******************************************************************************/ 865 tBTM_SEC_ACTION btm_ble_determine_security_act(BOOLEAN is_originator, BD_ADDR bdaddr, UINT16 security_required) 866 { 867 tBTM_LE_AUTH_REQ auth_req = 0x00; 868 869 if (is_originator) 870 { 871 if ((security_required & BTM_SEC_OUT_FLAGS) == 0 && 872 (security_required & BTM_SEC_OUT_MITM) == 0) 873 { 874 BTM_TRACE_DEBUG ("%s No security required for outgoing connection", __func__); 875 return BTM_SEC_OK; 876 } 877 878 if (security_required & BTM_SEC_OUT_MITM) 879 auth_req |= BTM_LE_AUTH_REQ_MITM; 880 } 881 else 882 { 883 if ((security_required & BTM_SEC_IN_FLAGS) == 0&& (security_required & BTM_SEC_IN_MITM) == 0) 884 { 885 BTM_TRACE_DEBUG ("%s No security required for incoming connection", __func__); 886 return BTM_SEC_OK; 887 } 888 889 if (security_required & BTM_SEC_IN_MITM) 890 auth_req |= BTM_LE_AUTH_REQ_MITM; 891 } 892 893 tBTM_BLE_SEC_REQ_ACT ble_sec_act; 894 btm_ble_link_sec_check(bdaddr, auth_req, &ble_sec_act); 895 896 BTM_TRACE_DEBUG ("%s ble_sec_act %d", __func__ , ble_sec_act); 897 898 if (ble_sec_act == BTM_BLE_SEC_REQ_ACT_DISCARD) 899 return BTM_SEC_ENC_PENDING; 900 901 if (ble_sec_act == BTM_BLE_SEC_REQ_ACT_NONE) 902 return BTM_SEC_OK; 903 904 UINT8 sec_flag = 0; 905 BTM_GetSecurityFlagsByTransport(bdaddr, &sec_flag, BT_TRANSPORT_LE); 906 907 BOOLEAN is_link_encrypted = FALSE; 908 BOOLEAN is_key_mitm = FALSE; 909 if (sec_flag & (BTM_SEC_FLAG_ENCRYPTED| BTM_SEC_FLAG_LKEY_KNOWN)) 910 { 911 if (sec_flag & BTM_SEC_FLAG_ENCRYPTED) 912 is_link_encrypted = TRUE; 913 914 if (sec_flag & BTM_SEC_FLAG_LKEY_AUTHED) 915 is_key_mitm = TRUE; 916 } 917 918 if (auth_req & BTM_LE_AUTH_REQ_MITM) 919 { 920 if (!is_key_mitm) 921 { 922 return BTM_SEC_ENCRYPT_MITM; 923 } else { 924 if (is_link_encrypted) 925 return BTM_SEC_OK; 926 else 927 return BTM_SEC_ENCRYPT; 928 } 929 } else { 930 if (is_link_encrypted) 931 return BTM_SEC_OK; 932 else 933 return BTM_SEC_ENCRYPT_NO_MITM; 934 } 935 936 return BTM_SEC_OK; 937 } 938 939 /******************************************************************************* 940 ** 941 ** Function btm_ble_start_sec_check 942 ** 943 ** Description This function is to check and set the security required for 944 ** LE link for LE COC. 945 ** 946 ** Parameter bdaddr: remote device address. 947 ** psm : PSM of the LE COC sevice. 948 ** is_originator: TRUE if outgoing connection. 949 ** p_callback : Pointer to the callback function. 950 ** p_ref_data : Pointer to be returned along with the callback. 951 ** 952 ** Returns TRUE if link already meets the required security; otherwise FALSE. 953 ** 954 *******************************************************************************/ 955 BOOLEAN btm_ble_start_sec_check(BD_ADDR bd_addr, UINT16 psm, BOOLEAN is_originator, 956 tBTM_SEC_CALLBACK *p_callback, void *p_ref_data) 957 { 958 /* Find the service record for the PSM */ 959 tBTM_SEC_SERV_REC *p_serv_rec = btm_sec_find_first_serv (is_originator, psm); 960 961 /* If there is no application registered with this PSM do not allow connection */ 962 if (!p_serv_rec) 963 { 964 BTM_TRACE_WARNING ("%s PSM: %d no application registerd", __func__, psm); 965 (*p_callback) (bd_addr, BT_TRANSPORT_LE, p_ref_data, BTM_MODE_UNSUPPORTED); 966 return FALSE; 967 } 968 969 tBTM_SEC_ACTION sec_act = btm_ble_determine_security_act(is_originator, 970 bd_addr, p_serv_rec->security_flags); 971 972 tBTM_BLE_SEC_ACT ble_sec_act = BTM_BLE_SEC_NONE; 973 BOOLEAN status = FALSE; 974 975 switch (sec_act) 976 { 977 case BTM_SEC_OK: 978 BTM_TRACE_DEBUG ("%s Security met", __func__); 979 p_callback(bd_addr, BT_TRANSPORT_LE, p_ref_data, BTM_SUCCESS); 980 status = TRUE; 981 break; 982 983 case BTM_SEC_ENCRYPT: 984 BTM_TRACE_DEBUG ("%s Encryption needs to be done", __func__); 985 ble_sec_act = BTM_BLE_SEC_ENCRYPT; 986 break; 987 988 case BTM_SEC_ENCRYPT_MITM: 989 BTM_TRACE_DEBUG ("%s Pairing with MITM needs to be done", __func__); 990 ble_sec_act = BTM_BLE_SEC_ENCRYPT_MITM; 991 break; 992 993 case BTM_SEC_ENCRYPT_NO_MITM: 994 BTM_TRACE_DEBUG ("%s Pairing with No MITM needs to be done", __func__); 995 ble_sec_act = BTM_BLE_SEC_ENCRYPT_NO_MITM; 996 break; 997 998 case BTM_SEC_ENC_PENDING: 999 BTM_TRACE_DEBUG ("%s Ecryption pending", __func__); 1000 break; 1001 } 1002 1003 if (ble_sec_act == BTM_BLE_SEC_NONE) 1004 return status; 1005 1006 tL2C_LCB *p_lcb = l2cu_find_lcb_by_bd_addr(bd_addr, BT_TRANSPORT_LE); 1007 p_lcb->sec_act = sec_act; 1008 BTM_SetEncryption(bd_addr, BT_TRANSPORT_LE, p_callback, p_ref_data, ble_sec_act); 1009 1010 return FALSE; 1011 } 1012 1013 /******************************************************************************* 1014 ** 1015 ** Function btm_ble_rand_enc_complete 1016 ** 1017 ** Description This function is the callback functions for HCI_Rand command 1018 ** and HCI_Encrypt command is completed. 1019 ** This message is received from the HCI. 1020 ** 1021 ** Returns void 1022 ** 1023 *******************************************************************************/ 1024 void btm_ble_rand_enc_complete (UINT8 *p, UINT16 op_code, tBTM_RAND_ENC_CB *p_enc_cplt_cback) 1025 { 1026 tBTM_RAND_ENC params; 1027 UINT8 *p_dest = params.param_buf; 1028 1029 BTM_TRACE_DEBUG ("btm_ble_rand_enc_complete"); 1030 1031 memset(¶ms, 0, sizeof(tBTM_RAND_ENC)); 1032 1033 /* If there was a callback address for vcs complete, call it */ 1034 if (p_enc_cplt_cback && p) 1035 { 1036 /* Pass paramters to the callback function */ 1037 STREAM_TO_UINT8(params.status, p); /* command status */ 1038 1039 if (params.status == HCI_SUCCESS) 1040 { 1041 params.opcode = op_code; 1042 1043 if (op_code == HCI_BLE_RAND) 1044 params.param_len = BT_OCTET8_LEN; 1045 else 1046 params.param_len = BT_OCTET16_LEN; 1047 1048 memcpy(p_dest, p, params.param_len); /* Fetch return info from HCI event message */ 1049 } 1050 if (p_enc_cplt_cback) 1051 (*p_enc_cplt_cback)(¶ms); /* Call the Encryption complete callback function */ 1052 } 1053 } 1054 1055 #if (SMP_INCLUDED == TRUE) 1056 1057 /******************************************************************************* 1058 ** 1059 ** Function btm_ble_get_enc_key_type 1060 ** 1061 ** Description This function is to increment local sign counter 1062 ** Returns None 1063 ** 1064 *******************************************************************************/ 1065 void btm_ble_increment_sign_ctr(BD_ADDR bd_addr, BOOLEAN is_local ) 1066 { 1067 tBTM_SEC_DEV_REC *p_dev_rec; 1068 1069 BTM_TRACE_DEBUG ("btm_ble_increment_sign_ctr is_local=%d", is_local); 1070 1071 if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL) 1072 { 1073 if (is_local) 1074 p_dev_rec->ble.keys.local_counter++; 1075 else 1076 p_dev_rec->ble.keys.counter++; 1077 BTM_TRACE_DEBUG ("is_local=%d local sign counter=%d peer sign counter=%d", 1078 is_local, 1079 p_dev_rec->ble.keys.local_counter, 1080 p_dev_rec->ble.keys.counter); 1081 } 1082 } 1083 1084 /******************************************************************************* 1085 ** 1086 ** Function btm_ble_get_enc_key_type 1087 ** 1088 ** Description This function is to get the BLE key type that has been exchanged 1089 ** in betweem local device and peer device. 1090 ** 1091 ** Returns p_key_type: output parameter to carry the key type value. 1092 ** 1093 *******************************************************************************/ 1094 BOOLEAN btm_ble_get_enc_key_type(BD_ADDR bd_addr, UINT8 *p_key_types) 1095 { 1096 tBTM_SEC_DEV_REC *p_dev_rec; 1097 1098 BTM_TRACE_DEBUG ("btm_ble_get_enc_key_type"); 1099 1100 if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL) 1101 { 1102 *p_key_types = p_dev_rec->ble.key_type; 1103 return TRUE; 1104 } 1105 return FALSE; 1106 } 1107 1108 /******************************************************************************* 1109 ** 1110 ** Function btm_get_local_div 1111 ** 1112 ** Description This function is called to read the local DIV 1113 ** 1114 ** Returns TURE - if a valid DIV is availavle 1115 *******************************************************************************/ 1116 BOOLEAN btm_get_local_div (BD_ADDR bd_addr, UINT16 *p_div) 1117 { 1118 tBTM_SEC_DEV_REC *p_dev_rec; 1119 BOOLEAN status = FALSE; 1120 BTM_TRACE_DEBUG ("btm_get_local_div"); 1121 1122 BTM_TRACE_DEBUG("bd_addr:%02x-%02x-%02x-%02x-%02x-%02x", 1123 bd_addr[0],bd_addr[1], 1124 bd_addr[2],bd_addr[3], 1125 bd_addr[4],bd_addr[5]); 1126 1127 *p_div = 0; 1128 p_dev_rec = btm_find_dev (bd_addr); 1129 1130 if (p_dev_rec && p_dev_rec->ble.keys.div) 1131 { 1132 status = TRUE; 1133 *p_div = p_dev_rec->ble.keys.div; 1134 } 1135 BTM_TRACE_DEBUG ("btm_get_local_div status=%d (1-OK) DIV=0x%x", status, *p_div); 1136 return status; 1137 } 1138 1139 /******************************************************************************* 1140 ** 1141 ** Function btm_sec_save_le_key 1142 ** 1143 ** Description This function is called by the SMP to update 1144 ** an BLE key. SMP is internal, whereas all the keys shall 1145 ** be sent to the application. The function is also called 1146 ** when application passes ble key stored in NVRAM to the btm_sec. 1147 ** pass_to_application parameter is false in this case. 1148 ** 1149 ** Returns void 1150 ** 1151 *******************************************************************************/ 1152 void btm_sec_save_le_key(BD_ADDR bd_addr, tBTM_LE_KEY_TYPE key_type, tBTM_LE_KEY_VALUE *p_keys, 1153 BOOLEAN pass_to_application) 1154 { 1155 tBTM_SEC_DEV_REC *p_rec; 1156 tBTM_LE_EVT_DATA cb_data; 1157 UINT8 i; 1158 1159 BTM_TRACE_DEBUG ("btm_sec_save_le_key key_type=0x%x pass_to_application=%d",key_type, pass_to_application); 1160 /* Store the updated key in the device database */ 1161 1162 BTM_TRACE_DEBUG("bd_addr:%02x-%02x-%02x-%02x-%02x-%02x", 1163 bd_addr[0],bd_addr[1], 1164 bd_addr[2],bd_addr[3], 1165 bd_addr[4],bd_addr[5]); 1166 1167 if ((p_rec = btm_find_dev (bd_addr)) != NULL && (p_keys || key_type== BTM_LE_KEY_LID)) 1168 { 1169 btm_ble_init_pseudo_addr (p_rec, bd_addr); 1170 1171 switch (key_type) 1172 { 1173 case BTM_LE_KEY_PENC: 1174 memcpy(p_rec->ble.keys.pltk, p_keys->penc_key.ltk, BT_OCTET16_LEN); 1175 memcpy(p_rec->ble.keys.rand, p_keys->penc_key.rand, BT_OCTET8_LEN); 1176 p_rec->ble.keys.sec_level = p_keys->penc_key.sec_level; 1177 p_rec->ble.keys.ediv = p_keys->penc_key.ediv; 1178 p_rec->ble.keys.key_size = p_keys->penc_key.key_size; 1179 p_rec->ble.key_type |= BTM_LE_KEY_PENC; 1180 p_rec->sec_flags |= BTM_SEC_LE_LINK_KEY_KNOWN; 1181 if (p_keys->penc_key.sec_level == SMP_SEC_AUTHENTICATED) 1182 p_rec->sec_flags |= BTM_SEC_LE_LINK_KEY_AUTHED; 1183 else 1184 p_rec->sec_flags &= ~BTM_SEC_LE_LINK_KEY_AUTHED; 1185 BTM_TRACE_DEBUG("BTM_LE_KEY_PENC key_type=0x%x sec_flags=0x%x sec_leve=0x%x", 1186 p_rec->ble.key_type, 1187 p_rec->sec_flags, 1188 p_rec->ble.keys.sec_level); 1189 break; 1190 1191 case BTM_LE_KEY_PID: 1192 for (i=0; i<BT_OCTET16_LEN; i++) 1193 { 1194 p_rec->ble.keys.irk[i] = p_keys->pid_key.irk[i]; 1195 } 1196 1197 //memcpy( p_rec->ble.keys.irk, p_keys->pid_key, BT_OCTET16_LEN); todo will crash the system 1198 memcpy(p_rec->ble.static_addr, p_keys->pid_key.static_addr, BD_ADDR_LEN); 1199 p_rec->ble.static_addr_type = p_keys->pid_key.addr_type; 1200 p_rec->ble.key_type |= BTM_LE_KEY_PID; 1201 BTM_TRACE_DEBUG("BTM_LE_KEY_PID key_type=0x%x save peer IRK", p_rec->ble.key_type); 1202 /* update device record address as static address */ 1203 memcpy(p_rec->bd_addr, p_keys->pid_key.static_addr, BD_ADDR_LEN); 1204 /* combine DUMO device security record if needed */ 1205 btm_consolidate_dev(p_rec); 1206 break; 1207 1208 case BTM_LE_KEY_PCSRK: 1209 memcpy(p_rec->ble.keys.pcsrk, p_keys->pcsrk_key.csrk, BT_OCTET16_LEN); 1210 p_rec->ble.keys.srk_sec_level = p_keys->pcsrk_key.sec_level; 1211 p_rec->ble.keys.counter = p_keys->pcsrk_key.counter; 1212 p_rec->ble.key_type |= BTM_LE_KEY_PCSRK; 1213 p_rec->sec_flags |= BTM_SEC_LE_LINK_KEY_KNOWN; 1214 if ( p_keys->pcsrk_key.sec_level== SMP_SEC_AUTHENTICATED) 1215 p_rec->sec_flags |= BTM_SEC_LE_LINK_KEY_AUTHED; 1216 else 1217 p_rec->sec_flags &= ~BTM_SEC_LE_LINK_KEY_AUTHED; 1218 1219 BTM_TRACE_DEBUG("BTM_LE_KEY_PCSRK key_type=0x%x sec_flags=0x%x sec_level=0x%x peer_counter=%d", 1220 p_rec->ble.key_type, 1221 p_rec->sec_flags, 1222 p_rec->ble.keys.srk_sec_level, 1223 p_rec->ble.keys.counter ); 1224 break; 1225 1226 case BTM_LE_KEY_LENC: 1227 memcpy(p_rec->ble.keys.lltk, p_keys->lenc_key.ltk, BT_OCTET16_LEN); 1228 p_rec->ble.keys.div = p_keys->lenc_key.div; /* update DIV */ 1229 p_rec->ble.keys.sec_level = p_keys->lenc_key.sec_level; 1230 p_rec->ble.keys.key_size = p_keys->lenc_key.key_size; 1231 p_rec->ble.key_type |= BTM_LE_KEY_LENC; 1232 1233 BTM_TRACE_DEBUG("BTM_LE_KEY_LENC key_type=0x%x DIV=0x%x key_size=0x%x sec_level=0x%x", 1234 p_rec->ble.key_type, 1235 p_rec->ble.keys.div, 1236 p_rec->ble.keys.key_size, 1237 p_rec->ble.keys.sec_level ); 1238 break; 1239 1240 case BTM_LE_KEY_LCSRK:/* local CSRK has been delivered */ 1241 memcpy (p_rec->ble.keys.lcsrk, p_keys->lcsrk_key.csrk, BT_OCTET16_LEN); 1242 p_rec->ble.keys.div = p_keys->lcsrk_key.div; /* update DIV */ 1243 p_rec->ble.keys.local_csrk_sec_level = p_keys->lcsrk_key.sec_level; 1244 p_rec->ble.keys.local_counter = p_keys->lcsrk_key.counter; 1245 p_rec->ble.key_type |= BTM_LE_KEY_LCSRK; 1246 BTM_TRACE_DEBUG("BTM_LE_KEY_LCSRK key_type=0x%x DIV=0x%x scrk_sec_level=0x%x local_counter=%d", 1247 p_rec->ble.key_type, 1248 p_rec->ble.keys.div, 1249 p_rec->ble.keys.local_csrk_sec_level, 1250 p_rec->ble.keys.local_counter ); 1251 break; 1252 1253 case BTM_LE_KEY_LID: 1254 p_rec->ble.key_type |= BTM_LE_KEY_LID; 1255 break; 1256 default: 1257 BTM_TRACE_WARNING("btm_sec_save_le_key (Bad key_type 0x%02x)", key_type); 1258 return; 1259 } 1260 1261 BTM_TRACE_DEBUG ("BLE key type 0x%02x updated for BDA: %08x%04x (btm_sec_save_le_key)", key_type, 1262 (bd_addr[0]<<24)+(bd_addr[1]<<16)+(bd_addr[2]<<8)+bd_addr[3], 1263 (bd_addr[4]<<8)+bd_addr[5]); 1264 1265 /* Notify the application that one of the BLE keys has been updated 1266 If link key is in progress, it will get sent later.*/ 1267 if (pass_to_application && btm_cb.api.p_le_callback) 1268 { 1269 cb_data.key.p_key_value = p_keys; 1270 cb_data.key.key_type = key_type; 1271 1272 (*btm_cb.api.p_le_callback) (BTM_LE_KEY_EVT, bd_addr, &cb_data); 1273 } 1274 return; 1275 } 1276 1277 BTM_TRACE_WARNING ("BLE key type 0x%02x called for Unknown BDA or type: %08x%04x !! (btm_sec_save_le_key)", key_type, 1278 (bd_addr[0]<<24)+(bd_addr[1]<<16)+(bd_addr[2]<<8)+bd_addr[3], 1279 (bd_addr[4]<<8)+bd_addr[5]); 1280 1281 if (p_rec) 1282 { 1283 BTM_TRACE_DEBUG ("sec_flags=0x%x", p_rec->sec_flags); 1284 } 1285 } 1286 1287 /******************************************************************************* 1288 ** 1289 ** Function btm_ble_update_sec_key_size 1290 ** 1291 ** Description update the current lin kencryption key size 1292 ** 1293 ** Returns void 1294 ** 1295 *******************************************************************************/ 1296 void btm_ble_update_sec_key_size(BD_ADDR bd_addr, UINT8 enc_key_size) 1297 { 1298 tBTM_SEC_DEV_REC *p_rec; 1299 1300 BTM_TRACE_DEBUG("btm_ble_update_sec_key_size enc_key_size = %d", enc_key_size); 1301 1302 if ((p_rec = btm_find_dev (bd_addr)) != NULL ) 1303 { 1304 p_rec->enc_key_size = enc_key_size; 1305 } 1306 } 1307 1308 /******************************************************************************* 1309 ** 1310 ** Function btm_ble_read_sec_key_size 1311 ** 1312 ** Description update the current lin kencryption key size 1313 ** 1314 ** Returns void 1315 ** 1316 *******************************************************************************/ 1317 UINT8 btm_ble_read_sec_key_size(BD_ADDR bd_addr) 1318 { 1319 tBTM_SEC_DEV_REC *p_rec; 1320 1321 if ((p_rec = btm_find_dev (bd_addr)) != NULL ) 1322 { 1323 return p_rec->enc_key_size; 1324 } 1325 else 1326 return 0; 1327 } 1328 1329 /******************************************************************************* 1330 ** 1331 ** Function btm_ble_link_sec_check 1332 ** 1333 ** Description Check BLE link security level match. 1334 ** 1335 ** Returns TRUE: check is OK and the *p_sec_req_act contain the action 1336 ** 1337 *******************************************************************************/ 1338 void btm_ble_link_sec_check(BD_ADDR bd_addr, tBTM_LE_AUTH_REQ auth_req, tBTM_BLE_SEC_REQ_ACT *p_sec_req_act) 1339 { 1340 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr); 1341 UINT8 req_sec_level = BTM_LE_SEC_NONE, cur_sec_level = BTM_LE_SEC_NONE; 1342 1343 BTM_TRACE_DEBUG ("btm_ble_link_sec_check auth_req =0x%x", auth_req); 1344 1345 if (p_dev_rec == NULL) 1346 { 1347 BTM_TRACE_ERROR ("btm_ble_link_sec_check received for unknown device"); 1348 return; 1349 } 1350 1351 if (p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING || 1352 p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING) 1353 { 1354 /* race condition: discard the security request while master is encrypting the link */ 1355 *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_DISCARD; 1356 } 1357 else 1358 { 1359 req_sec_level = BTM_LE_SEC_UNAUTHENTICATE; 1360 if (auth_req & BTM_LE_AUTH_REQ_MITM) 1361 { 1362 req_sec_level = BTM_LE_SEC_AUTHENTICATED; 1363 } 1364 1365 BTM_TRACE_DEBUG ("dev_rec sec_flags=0x%x", p_dev_rec->sec_flags); 1366 1367 /* currently encrpted */ 1368 if (p_dev_rec->sec_flags & BTM_SEC_LE_ENCRYPTED) 1369 { 1370 if (p_dev_rec->sec_flags & BTM_SEC_LE_AUTHENTICATED) 1371 cur_sec_level = BTM_LE_SEC_AUTHENTICATED; 1372 else 1373 cur_sec_level = BTM_LE_SEC_UNAUTHENTICATE; 1374 } 1375 else /* unencrypted link */ 1376 { 1377 /* if bonded, get the key security level */ 1378 if (p_dev_rec->ble.key_type & BTM_LE_KEY_PENC) 1379 cur_sec_level = p_dev_rec->ble.keys.sec_level; 1380 else 1381 cur_sec_level = BTM_LE_SEC_NONE; 1382 } 1383 1384 if (cur_sec_level >= req_sec_level) 1385 { 1386 /* To avoid re-encryption on an encrypted link for an equal condition encryption */ 1387 *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_ENCRYPT; 1388 } 1389 else 1390 { 1391 *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_PAIR; /* start the pariring process to upgrade the keys*/ 1392 } 1393 } 1394 1395 BTM_TRACE_DEBUG("cur_sec_level=%d req_sec_level=%d sec_req_act=%d", 1396 cur_sec_level, 1397 req_sec_level, 1398 *p_sec_req_act); 1399 1400 } 1401 1402 /******************************************************************************* 1403 ** 1404 ** Function btm_ble_set_encryption 1405 ** 1406 ** Description This function is called to ensure that LE connection is 1407 ** encrypted. Should be called only on an open connection. 1408 ** Typically only needed for connections that first want to 1409 ** bring up unencrypted links, then later encrypt them. 1410 ** 1411 ** Returns void 1412 ** the local device ER is copied into er 1413 ** 1414 *******************************************************************************/ 1415 tBTM_STATUS btm_ble_set_encryption (BD_ADDR bd_addr, tBTM_BLE_SEC_ACT sec_act, UINT8 link_role) 1416 { 1417 tBTM_STATUS cmd = BTM_NO_RESOURCES; 1418 tBTM_SEC_DEV_REC *p_rec = btm_find_dev (bd_addr); 1419 tBTM_BLE_SEC_REQ_ACT sec_req_act; 1420 tBTM_LE_AUTH_REQ auth_req; 1421 1422 if (p_rec == NULL) 1423 { 1424 BTM_TRACE_WARNING ("btm_ble_set_encryption (NULL device record!! sec_act=0x%x", sec_act); 1425 return(BTM_WRONG_MODE); 1426 } 1427 1428 BTM_TRACE_DEBUG ("btm_ble_set_encryption sec_act=0x%x role_master=%d", sec_act, p_rec->role_master); 1429 1430 if (sec_act == BTM_BLE_SEC_ENCRYPT_MITM) 1431 { 1432 p_rec->security_required |= BTM_SEC_IN_MITM; 1433 } 1434 1435 switch (sec_act) 1436 { 1437 case BTM_BLE_SEC_ENCRYPT: 1438 if (link_role == BTM_ROLE_MASTER) 1439 { 1440 /* start link layer encryption using the security info stored */ 1441 cmd = btm_ble_start_encrypt(bd_addr, FALSE, NULL); 1442 break; 1443 } 1444 /* if salve role then fall through to call SMP_Pair below which will send a 1445 sec_request to request the master to encrypt the link */ 1446 case BTM_BLE_SEC_ENCRYPT_NO_MITM: 1447 case BTM_BLE_SEC_ENCRYPT_MITM: 1448 auth_req = (sec_act == BTM_BLE_SEC_ENCRYPT_NO_MITM) 1449 ? SMP_AUTH_GEN_BOND : (SMP_AUTH_GEN_BOND | SMP_AUTH_YN_BIT); 1450 btm_ble_link_sec_check (bd_addr, auth_req, &sec_req_act); 1451 if(sec_req_act == BTM_BLE_SEC_REQ_ACT_NONE || sec_req_act == BTM_BLE_SEC_REQ_ACT_DISCARD) 1452 { 1453 BTM_TRACE_DEBUG("%s, no action needed. Ignore", __func__); 1454 cmd = BTM_SUCCESS; 1455 break; 1456 } 1457 if (link_role == BTM_ROLE_MASTER) 1458 { 1459 1460 if (sec_req_act == BTM_BLE_SEC_REQ_ACT_ENCRYPT) 1461 { 1462 cmd = btm_ble_start_encrypt(bd_addr, FALSE, NULL); 1463 break; 1464 } 1465 } 1466 1467 if (SMP_Pair(bd_addr) == SMP_STARTED) 1468 { 1469 cmd = BTM_CMD_STARTED; 1470 p_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING; 1471 } 1472 break; 1473 1474 default: 1475 cmd = BTM_WRONG_MODE; 1476 break; 1477 } 1478 return cmd; 1479 } 1480 1481 /******************************************************************************* 1482 ** 1483 ** Function btm_ble_ltk_request 1484 ** 1485 ** Description This function is called when encryption request is received 1486 ** on a slave device. 1487 ** 1488 ** 1489 ** Returns void 1490 ** 1491 *******************************************************************************/ 1492 void btm_ble_ltk_request(UINT16 handle, UINT8 rand[8], UINT16 ediv) 1493 { 1494 tBTM_CB *p_cb = &btm_cb; 1495 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle); 1496 BT_OCTET8 dummy_stk = {0}; 1497 1498 BTM_TRACE_DEBUG ("btm_ble_ltk_request"); 1499 1500 p_cb->ediv = ediv; 1501 1502 memcpy(p_cb->enc_rand, rand, BT_OCTET8_LEN); 1503 1504 if (p_dev_rec != NULL) 1505 { 1506 if (!smp_proc_ltk_request(p_dev_rec->bd_addr)) 1507 btm_ble_ltk_request_reply(p_dev_rec->bd_addr, FALSE, dummy_stk); 1508 } 1509 1510 } 1511 1512 /******************************************************************************* 1513 ** 1514 ** Function btm_ble_start_encrypt 1515 ** 1516 ** Description This function is called to start LE encryption. 1517 ** 1518 ** 1519 ** Returns BTM_SUCCESS if encryption was started successfully 1520 ** 1521 *******************************************************************************/ 1522 tBTM_STATUS btm_ble_start_encrypt(BD_ADDR bda, BOOLEAN use_stk, BT_OCTET16 stk) 1523 { 1524 tBTM_CB *p_cb = &btm_cb; 1525 tBTM_SEC_DEV_REC *p_rec = btm_find_dev (bda); 1526 BT_OCTET8 dummy_rand = {0}; 1527 tBTM_STATUS rt = BTM_NO_RESOURCES; 1528 1529 BTM_TRACE_DEBUG ("btm_ble_start_encrypt"); 1530 1531 if (!p_rec ) 1532 { 1533 BTM_TRACE_ERROR("Link is not active, can not encrypt!"); 1534 return BTM_WRONG_MODE; 1535 } 1536 1537 if (p_rec->sec_state == BTM_SEC_STATE_ENCRYPTING) 1538 { 1539 BTM_TRACE_WARNING("Link Encryption is active, Busy!"); 1540 return BTM_BUSY; 1541 } 1542 1543 p_cb->enc_handle = p_rec->ble_hci_handle; 1544 1545 if (use_stk) 1546 { 1547 if (btsnd_hcic_ble_start_enc(p_rec->ble_hci_handle, dummy_rand, 0, stk)) 1548 rt = BTM_CMD_STARTED; 1549 } 1550 else if (p_rec->ble.key_type & BTM_LE_KEY_PENC) 1551 { 1552 if (btsnd_hcic_ble_start_enc(p_rec->ble_hci_handle, p_rec->ble.keys.rand, 1553 p_rec->ble.keys.ediv, p_rec->ble.keys.pltk)) 1554 rt = BTM_CMD_STARTED; 1555 } 1556 else 1557 { 1558 BTM_TRACE_ERROR("No key available to encrypt the link"); 1559 } 1560 if (rt == BTM_CMD_STARTED) 1561 { 1562 if (p_rec->sec_state == BTM_SEC_STATE_IDLE) 1563 p_rec->sec_state = BTM_SEC_STATE_ENCRYPTING; 1564 } 1565 1566 return rt; 1567 } 1568 1569 /******************************************************************************* 1570 ** 1571 ** Function btm_ble_link_encrypted 1572 ** 1573 ** Description This function is called when LE link encrption status is changed. 1574 ** 1575 ** Returns void 1576 ** 1577 *******************************************************************************/ 1578 void btm_ble_link_encrypted(BD_ADDR bd_addr, UINT8 encr_enable) 1579 { 1580 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr); 1581 BOOLEAN enc_cback; 1582 1583 if (!p_dev_rec) 1584 { 1585 BTM_TRACE_WARNING ("btm_ble_link_encrypted (No Device Found!) encr_enable=%d", encr_enable); 1586 return; 1587 } 1588 1589 BTM_TRACE_DEBUG ("btm_ble_link_encrypted encr_enable=%d", encr_enable); 1590 1591 enc_cback = (p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING); 1592 1593 smp_link_encrypted(bd_addr, encr_enable); 1594 1595 BTM_TRACE_DEBUG(" p_dev_rec->sec_flags=0x%x", p_dev_rec->sec_flags); 1596 1597 if (encr_enable && p_dev_rec->enc_key_size == 0) 1598 p_dev_rec->enc_key_size = p_dev_rec->ble.keys.key_size; 1599 1600 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE; 1601 if (p_dev_rec->p_callback && enc_cback) 1602 { 1603 if (encr_enable) 1604 btm_sec_dev_rec_cback_event(p_dev_rec, BTM_SUCCESS, TRUE); 1605 else if (p_dev_rec->role_master) 1606 btm_sec_dev_rec_cback_event(p_dev_rec, BTM_ERR_PROCESSING, TRUE); 1607 1608 } 1609 /* to notify GATT to send data if any request is pending */ 1610 gatt_notify_enc_cmpl(p_dev_rec->ble.pseudo_addr); 1611 } 1612 1613 /******************************************************************************* 1614 ** 1615 ** Function btm_ble_ltk_request_reply 1616 ** 1617 ** Description This function is called to send a LTK request reply on a slave 1618 ** device. 1619 ** 1620 ** Returns void 1621 ** 1622 *******************************************************************************/ 1623 void btm_ble_ltk_request_reply(BD_ADDR bda, BOOLEAN use_stk, BT_OCTET16 stk) 1624 { 1625 tBTM_SEC_DEV_REC *p_rec = btm_find_dev (bda); 1626 tBTM_CB *p_cb = &btm_cb; 1627 1628 if (p_rec == NULL) 1629 { 1630 BTM_TRACE_ERROR("btm_ble_ltk_request_reply received for unknown device"); 1631 return; 1632 } 1633 1634 BTM_TRACE_DEBUG ("btm_ble_ltk_request_reply"); 1635 p_cb->enc_handle = p_rec->ble_hci_handle; 1636 p_cb->key_size = p_rec->ble.keys.key_size; 1637 1638 BTM_TRACE_ERROR("key size = %d", p_rec->ble.keys.key_size); 1639 if (use_stk) 1640 { 1641 btsnd_hcic_ble_ltk_req_reply(btm_cb.enc_handle, stk); 1642 } 1643 else /* calculate LTK using peer device */ 1644 { 1645 if (p_rec->ble.key_type & BTM_LE_KEY_LENC) 1646 btsnd_hcic_ble_ltk_req_reply(btm_cb.enc_handle, p_rec->ble.keys.lltk); 1647 else 1648 btsnd_hcic_ble_ltk_req_neg_reply(btm_cb.enc_handle); 1649 } 1650 } 1651 1652 /******************************************************************************* 1653 ** 1654 ** Function btm_ble_io_capabilities_req 1655 ** 1656 ** Description This function is called to handle SMP get IO capability request. 1657 ** 1658 ** Returns void 1659 ** 1660 *******************************************************************************/ 1661 UINT8 btm_ble_io_capabilities_req(tBTM_SEC_DEV_REC *p_dev_rec, tBTM_LE_IO_REQ *p_data) 1662 { 1663 UINT8 callback_rc = BTM_SUCCESS; 1664 BTM_TRACE_DEBUG ("btm_ble_io_capabilities_req"); 1665 if (btm_cb.api.p_le_callback) 1666 { 1667 /* the callback function implementation may change the IO capability... */ 1668 callback_rc = (*btm_cb.api.p_le_callback) (BTM_LE_IO_REQ_EVT, p_dev_rec->bd_addr, (tBTM_LE_EVT_DATA *)p_data); 1669 } 1670 if ((callback_rc == BTM_SUCCESS) || (BTM_OOB_UNKNOWN != p_data->oob_data)) 1671 { 1672 #if BTM_BLE_CONFORMANCE_TESTING == TRUE 1673 if (btm_cb.devcb.keep_rfu_in_auth_req) 1674 { 1675 BTM_TRACE_DEBUG ("btm_ble_io_capabilities_req keep_rfu_in_auth_req = %u", 1676 btm_cb.devcb.keep_rfu_in_auth_req); 1677 p_data->auth_req &= BTM_LE_AUTH_REQ_MASK_KEEP_RFU; 1678 btm_cb.devcb.keep_rfu_in_auth_req = FALSE; 1679 } 1680 else 1681 { /* default */ 1682 p_data->auth_req &= BTM_LE_AUTH_REQ_MASK; 1683 } 1684 #else 1685 p_data->auth_req &= BTM_LE_AUTH_REQ_MASK; 1686 #endif 1687 1688 BTM_TRACE_DEBUG ("btm_ble_io_capabilities_req 1: p_dev_rec->security_required = %d auth_req:%d", 1689 p_dev_rec->security_required, p_data->auth_req); 1690 BTM_TRACE_DEBUG ("btm_ble_io_capabilities_req 2: i_keys=0x%x r_keys=0x%x (bit 0-LTK 1-IRK 2-CSRK)", 1691 p_data->init_keys, 1692 p_data->resp_keys); 1693 1694 /* if authentication requires MITM protection, put on the mask */ 1695 if (p_dev_rec->security_required & BTM_SEC_IN_MITM) 1696 p_data->auth_req |= BTM_LE_AUTH_REQ_MITM; 1697 1698 if (!(p_data->auth_req & SMP_AUTH_BOND)) 1699 { 1700 BTM_TRACE_DEBUG("Non bonding: No keys should be exchanged"); 1701 p_data->init_keys = 0; 1702 p_data->resp_keys = 0; 1703 } 1704 1705 BTM_TRACE_DEBUG ("btm_ble_io_capabilities_req 3: auth_req:%d", p_data->auth_req); 1706 BTM_TRACE_DEBUG ("btm_ble_io_capabilities_req 4: i_keys=0x%x r_keys=0x%x", 1707 p_data->init_keys, 1708 p_data->resp_keys); 1709 1710 BTM_TRACE_DEBUG ("btm_ble_io_capabilities_req 5: p_data->io_cap = %d auth_req:%d", 1711 p_data->io_cap, p_data->auth_req); 1712 1713 /* remove MITM protection requirement if IO cap does not allow it */ 1714 if ((p_data->io_cap == BTM_IO_CAP_NONE) && p_data->oob_data == SMP_OOB_NONE) 1715 p_data->auth_req &= ~BTM_LE_AUTH_REQ_MITM; 1716 1717 if (!(p_data->auth_req & SMP_SC_SUPPORT_BIT)) 1718 { 1719 /* if Secure Connections are not supported then remove LK derivation, 1720 ** and keypress notifications. 1721 */ 1722 BTM_TRACE_DEBUG("%s-SC not supported -> No LK derivation, no keypress notifications", 1723 __func__); 1724 p_data->auth_req &= ~SMP_KP_SUPPORT_BIT; 1725 p_data->init_keys &= ~SMP_SEC_KEY_TYPE_LK; 1726 p_data->resp_keys &= ~SMP_SEC_KEY_TYPE_LK; 1727 } 1728 1729 BTM_TRACE_DEBUG ("btm_ble_io_capabilities_req 6: IO_CAP:%d oob_data:%d auth_req:0x%02x", 1730 p_data->io_cap, p_data->oob_data, p_data->auth_req); 1731 } 1732 return callback_rc; 1733 } 1734 1735 /******************************************************************************* 1736 ** 1737 ** Function btm_ble_br_keys_req 1738 ** 1739 ** Description This function is called to handle SMP request for keys sent 1740 ** over BR/EDR. 1741 ** 1742 ** Returns void 1743 ** 1744 *******************************************************************************/ 1745 UINT8 btm_ble_br_keys_req(tBTM_SEC_DEV_REC *p_dev_rec, tBTM_LE_IO_REQ *p_data) 1746 { 1747 UINT8 callback_rc = BTM_SUCCESS; 1748 BTM_TRACE_DEBUG ("%s", __func__); 1749 if (btm_cb.api.p_le_callback) 1750 { 1751 /* the callback function implementation may change the IO capability... */ 1752 callback_rc = (*btm_cb.api.p_le_callback) (BTM_LE_IO_REQ_EVT, p_dev_rec->bd_addr, 1753 (tBTM_LE_EVT_DATA *)p_data); 1754 } 1755 1756 return callback_rc; 1757 } 1758 1759 #if (BLE_PRIVACY_SPT == TRUE ) 1760 /******************************************************************************* 1761 ** 1762 ** Function btm_ble_resolve_random_addr_on_conn_cmpl 1763 ** 1764 ** Description resolve random address complete on connection complete event. 1765 ** 1766 ** Returns void 1767 ** 1768 *******************************************************************************/ 1769 static void btm_ble_resolve_random_addr_on_conn_cmpl(void * p_rec, void *p_data) 1770 { 1771 UINT8 *p = (UINT8 *)p_data; 1772 tBTM_SEC_DEV_REC *match_rec = (tBTM_SEC_DEV_REC *) p_rec; 1773 UINT8 role, bda_type; 1774 UINT16 handle; 1775 BD_ADDR bda; 1776 UINT16 conn_interval, conn_latency, conn_timeout; 1777 BOOLEAN match = FALSE; 1778 1779 ++p; 1780 STREAM_TO_UINT16 (handle, p); 1781 STREAM_TO_UINT8 (role, p); 1782 STREAM_TO_UINT8 (bda_type, p); 1783 STREAM_TO_BDADDR (bda, p); 1784 STREAM_TO_UINT16 (conn_interval, p); 1785 STREAM_TO_UINT16 (conn_latency, p); 1786 STREAM_TO_UINT16 (conn_timeout, p); 1787 1788 handle = HCID_GET_HANDLE (handle); 1789 1790 BTM_TRACE_EVENT ("%s", __func__); 1791 1792 if (match_rec) 1793 { 1794 LOG_INFO(LOG_TAG, "%s matched and resolved random address", __func__); 1795 match = TRUE; 1796 match_rec->ble.active_addr_type = BTM_BLE_ADDR_RRA; 1797 memcpy(match_rec->ble.cur_rand_addr, bda, BD_ADDR_LEN); 1798 if (!btm_ble_init_pseudo_addr (match_rec, bda)) 1799 { 1800 /* assign the original address to be the current report address */ 1801 memcpy(bda, match_rec->ble.pseudo_addr, BD_ADDR_LEN); 1802 } 1803 else 1804 { 1805 memcpy(bda, match_rec->bd_addr, BD_ADDR_LEN); 1806 } 1807 } 1808 else 1809 { 1810 LOG_INFO(LOG_TAG, "%s unable to match and resolve random address", __func__); 1811 } 1812 1813 btm_ble_connected(bda, handle, HCI_ENCRYPT_MODE_DISABLED, role, bda_type, match); 1814 1815 l2cble_conn_comp (handle, role, bda, bda_type, conn_interval, 1816 conn_latency, conn_timeout); 1817 1818 return; 1819 } 1820 #endif 1821 1822 /******************************************************************************* 1823 ** 1824 ** Function btm_ble_connected 1825 ** 1826 ** Description This function is when a LE connection to the peer device is 1827 ** establsihed 1828 ** 1829 ** Returns void 1830 ** 1831 *******************************************************************************/ 1832 void btm_ble_connected (UINT8 *bda, UINT16 handle, UINT8 enc_mode, UINT8 role, 1833 tBLE_ADDR_TYPE addr_type, BOOLEAN addr_matched) 1834 { 1835 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bda); 1836 tBTM_BLE_CB *p_cb = &btm_cb.ble_ctr_cb; 1837 UNUSED(addr_matched); 1838 1839 BTM_TRACE_EVENT ("btm_ble_connected"); 1840 1841 /* Commenting out trace due to obf/compilation problems. 1842 */ 1843 #if (BT_USE_TRACES == TRUE) 1844 if (p_dev_rec) 1845 { 1846 BTM_TRACE_EVENT ("Security Manager: btm_ble_connected : handle:%d enc_mode:%d bda:%x RName:%s", 1847 handle, enc_mode, 1848 (bda[2]<<24)+(bda[3]<<16)+(bda[4]<<8)+bda[5], 1849 p_dev_rec->sec_bd_name); 1850 1851 BTM_TRACE_DEBUG ("btm_ble_connected sec_flags=0x%x",p_dev_rec->sec_flags); 1852 } 1853 else 1854 { 1855 BTM_TRACE_EVENT ("Security Manager: btm_ble_connected: handle:%d enc_mode:%d bda:%x ", 1856 handle, enc_mode, 1857 (bda[2]<<24)+(bda[3]<<16)+(bda[4]<<8)+bda[5]); 1858 } 1859 #endif 1860 1861 if (!p_dev_rec) 1862 { 1863 /* There is no device record for new connection. Allocate one */ 1864 if ((p_dev_rec = btm_sec_alloc_dev (bda)) == NULL) 1865 return; 1866 } 1867 else /* Update the timestamp for this device */ 1868 { 1869 p_dev_rec->timestamp = btm_cb.dev_rec_count++; 1870 } 1871 1872 /* update device information */ 1873 p_dev_rec->device_type |= BT_DEVICE_TYPE_BLE; 1874 p_dev_rec->ble_hci_handle = handle; 1875 p_dev_rec->ble.ble_addr_type = addr_type; 1876 /* update pseudo address */ 1877 memcpy(p_dev_rec->ble.pseudo_addr, bda, BD_ADDR_LEN); 1878 1879 p_dev_rec->role_master = FALSE; 1880 if (role == HCI_ROLE_MASTER) 1881 p_dev_rec->role_master = TRUE; 1882 1883 #if (defined BLE_PRIVACY_SPT && BLE_PRIVACY_SPT == TRUE) 1884 if (!addr_matched) 1885 p_dev_rec->ble.active_addr_type = BTM_BLE_ADDR_PSEUDO; 1886 1887 if (p_dev_rec->ble.ble_addr_type == BLE_ADDR_RANDOM && !addr_matched) 1888 memcpy(p_dev_rec->ble.cur_rand_addr, bda, BD_ADDR_LEN); 1889 #endif 1890 1891 p_cb->inq_var.directed_conn = BTM_BLE_CONNECT_EVT; 1892 1893 return; 1894 } 1895 1896 /***************************************************************************** 1897 ** Function btm_ble_conn_complete 1898 ** 1899 ** Description LE connection complete. 1900 ** 1901 ******************************************************************************/ 1902 void btm_ble_conn_complete(UINT8 *p, UINT16 evt_len, BOOLEAN enhanced) 1903 { 1904 #if (BLE_PRIVACY_SPT == TRUE ) 1905 UINT8 *p_data = p, peer_addr_type; 1906 BD_ADDR local_rpa, peer_rpa; 1907 #endif 1908 UINT8 role, status, bda_type; 1909 UINT16 handle; 1910 BD_ADDR bda; 1911 UINT16 conn_interval, conn_latency, conn_timeout; 1912 BOOLEAN match = FALSE; 1913 UNUSED(evt_len); 1914 1915 STREAM_TO_UINT8 (status, p); 1916 STREAM_TO_UINT16 (handle, p); 1917 STREAM_TO_UINT8 (role, p); 1918 STREAM_TO_UINT8 (bda_type, p); 1919 STREAM_TO_BDADDR (bda, p); 1920 1921 if (status == 0) 1922 { 1923 #if (BLE_PRIVACY_SPT == TRUE ) 1924 peer_addr_type = bda_type; 1925 match = btm_identity_addr_to_random_pseudo (bda, &bda_type, TRUE); 1926 1927 if (enhanced) 1928 { 1929 STREAM_TO_BDADDR (local_rpa, p); 1930 STREAM_TO_BDADDR (peer_rpa, p); 1931 } 1932 1933 /* possiblly receive connection complete with resolvable random while 1934 the device has been paired */ 1935 if (!match && BTM_BLE_IS_RESOLVE_BDA(bda)) 1936 { 1937 btm_ble_resolve_random_addr(bda, btm_ble_resolve_random_addr_on_conn_cmpl, p_data); 1938 } 1939 else 1940 #endif 1941 { 1942 STREAM_TO_UINT16 (conn_interval, p); 1943 STREAM_TO_UINT16 (conn_latency, p); 1944 STREAM_TO_UINT16 (conn_timeout, p); 1945 handle = HCID_GET_HANDLE (handle); 1946 1947 btm_ble_connected(bda, handle, HCI_ENCRYPT_MODE_DISABLED, role, bda_type, match); 1948 1949 l2cble_conn_comp (handle, role, bda, bda_type, conn_interval, 1950 conn_latency, conn_timeout); 1951 1952 #if (BLE_PRIVACY_SPT == TRUE) 1953 if (enhanced) 1954 { 1955 btm_ble_refresh_local_resolvable_private_addr(bda, local_rpa); 1956 1957 if (peer_addr_type & BLE_ADDR_TYPE_ID_BIT) 1958 btm_ble_refresh_peer_resolvable_private_addr(bda, peer_rpa, BLE_ADDR_RANDOM); 1959 } 1960 #endif 1961 } 1962 } 1963 else 1964 { 1965 role = HCI_ROLE_UNKNOWN; 1966 if (status != HCI_ERR_DIRECTED_ADVERTISING_TIMEOUT) 1967 { 1968 btm_ble_set_conn_st(BLE_CONN_IDLE); 1969 #if (defined BLE_PRIVACY_SPT && BLE_PRIVACY_SPT == TRUE) 1970 btm_ble_disable_resolving_list(BTM_BLE_RL_INIT, TRUE); 1971 #endif 1972 } 1973 else 1974 { 1975 #if (defined BLE_PRIVACY_SPT && BLE_PRIVACY_SPT == TRUE) 1976 btm_cb.ble_ctr_cb.inq_var.adv_mode = BTM_BLE_ADV_DISABLE; 1977 btm_ble_disable_resolving_list(BTM_BLE_RL_ADV, TRUE); 1978 #endif 1979 } 1980 } 1981 1982 btm_ble_update_mode_operation(role, bda, status); 1983 } 1984 1985 /***************************************************************************** 1986 ** Function btm_ble_create_ll_conn_complete 1987 ** 1988 ** Description LE connection complete. 1989 ** 1990 ******************************************************************************/ 1991 void btm_ble_create_ll_conn_complete (UINT8 status) 1992 { 1993 if (status != HCI_SUCCESS) 1994 { 1995 btm_ble_set_conn_st(BLE_CONN_IDLE); 1996 btm_ble_update_mode_operation(HCI_ROLE_UNKNOWN, NULL, status); 1997 } 1998 } 1999 /***************************************************************************** 2000 ** Function btm_proc_smp_cback 2001 ** 2002 ** Description This function is the SMP callback handler. 2003 ** 2004 ******************************************************************************/ 2005 UINT8 btm_proc_smp_cback(tSMP_EVT event, BD_ADDR bd_addr, tSMP_EVT_DATA *p_data) 2006 { 2007 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr); 2008 UINT8 res = 0; 2009 2010 BTM_TRACE_DEBUG ("btm_proc_smp_cback event = %d", event); 2011 2012 if (p_dev_rec != NULL) 2013 { 2014 switch (event) 2015 { 2016 case SMP_IO_CAP_REQ_EVT: 2017 btm_ble_io_capabilities_req(p_dev_rec, (tBTM_LE_IO_REQ *)&p_data->io_req); 2018 break; 2019 2020 case SMP_BR_KEYS_REQ_EVT: 2021 btm_ble_br_keys_req(p_dev_rec, (tBTM_LE_IO_REQ *)&p_data->io_req); 2022 break; 2023 2024 case SMP_PASSKEY_REQ_EVT: 2025 case SMP_PASSKEY_NOTIF_EVT: 2026 case SMP_OOB_REQ_EVT: 2027 case SMP_NC_REQ_EVT: 2028 case SMP_SC_OOB_REQ_EVT: 2029 /* fall through */ 2030 p_dev_rec->sec_flags |= BTM_SEC_LE_AUTHENTICATED; 2031 2032 case SMP_SEC_REQUEST_EVT: 2033 if (event == SMP_SEC_REQUEST_EVT && btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) 2034 { 2035 BTM_TRACE_DEBUG("%s: Ignoring SMP Security request", __func__); 2036 break; 2037 } 2038 memcpy (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN); 2039 p_dev_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING; 2040 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_LE_ACTIVE; 2041 /* fall through */ 2042 2043 case SMP_COMPLT_EVT: 2044 if (btm_cb.api.p_le_callback) 2045 { 2046 /* the callback function implementation may change the IO capability... */ 2047 BTM_TRACE_DEBUG ("btm_cb.api.p_le_callback=0x%x", btm_cb.api.p_le_callback ); 2048 (*btm_cb.api.p_le_callback) (event, bd_addr, (tBTM_LE_EVT_DATA *)p_data); 2049 } 2050 2051 if (event == SMP_COMPLT_EVT) 2052 { 2053 BTM_TRACE_DEBUG ("evt=SMP_COMPLT_EVT before update sec_level=0x%x sec_flags=0x%x", p_data->cmplt.sec_level , p_dev_rec->sec_flags ); 2054 2055 res = (p_data->cmplt.reason == SMP_SUCCESS) ? BTM_SUCCESS : BTM_ERR_PROCESSING; 2056 2057 BTM_TRACE_DEBUG ("after update result=%d sec_level=0x%x sec_flags=0x%x", 2058 res, p_data->cmplt.sec_level , p_dev_rec->sec_flags ); 2059 2060 if (p_data->cmplt.is_pair_cancel && btm_cb.api.p_bond_cancel_cmpl_callback ) 2061 { 2062 BTM_TRACE_DEBUG ("Pairing Cancel completed"); 2063 (*btm_cb.api.p_bond_cancel_cmpl_callback)(BTM_SUCCESS); 2064 } 2065 #if BTM_BLE_CONFORMANCE_TESTING == TRUE 2066 if (res != BTM_SUCCESS) 2067 { 2068 if (!btm_cb.devcb.no_disc_if_pair_fail && p_data->cmplt.reason != SMP_CONN_TOUT) 2069 { 2070 BTM_TRACE_DEBUG ("Pairing failed - prepare to remove ACL"); 2071 l2cu_start_post_bond_timer(p_dev_rec->ble_hci_handle); 2072 } 2073 else 2074 { 2075 BTM_TRACE_DEBUG ("Pairing failed - Not Removing ACL"); 2076 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE; 2077 } 2078 } 2079 #else 2080 if (res != BTM_SUCCESS && p_data->cmplt.reason != SMP_CONN_TOUT) 2081 { 2082 BTM_TRACE_DEBUG ("Pairing failed - prepare to remove ACL"); 2083 l2cu_start_post_bond_timer(p_dev_rec->ble_hci_handle); 2084 } 2085 #endif 2086 2087 BTM_TRACE_DEBUG ("btm_cb pairing_state=%x pairing_flags=%x pin_code_len=%x", 2088 btm_cb.pairing_state, 2089 btm_cb.pairing_flags, 2090 btm_cb.pin_code_len ); 2091 BTM_TRACE_DEBUG ("btm_cb.pairing_bda %02x:%02x:%02x:%02x:%02x:%02x", 2092 btm_cb.pairing_bda[0], btm_cb.pairing_bda[1], btm_cb.pairing_bda[2], 2093 btm_cb.pairing_bda[3], btm_cb.pairing_bda[4], btm_cb.pairing_bda[5]); 2094 2095 /* Reset btm state only if the callback address matches pairing address*/ 2096 if(memcmp(bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN) == 0) 2097 { 2098 memset (btm_cb.pairing_bda, 0xff, BD_ADDR_LEN); 2099 btm_cb.pairing_state = BTM_PAIR_STATE_IDLE; 2100 btm_cb.pairing_flags = 0; 2101 } 2102 2103 if (res == BTM_SUCCESS) 2104 { 2105 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE; 2106 #if (defined BLE_PRIVACY_SPT && BLE_PRIVACY_SPT == TRUE) 2107 /* add all bonded device into resolving list if IRK is available*/ 2108 btm_ble_resolving_list_load_dev(p_dev_rec); 2109 #endif 2110 } 2111 2112 btm_sec_dev_rec_cback_event(p_dev_rec, res, TRUE); 2113 } 2114 break; 2115 2116 default: 2117 BTM_TRACE_DEBUG ("unknown event = %d", event); 2118 break; 2119 2120 } 2121 } 2122 else 2123 { 2124 BTM_TRACE_ERROR("btm_proc_smp_cback received for unknown device"); 2125 } 2126 2127 return 0; 2128 } 2129 2130 #endif /* SMP_INCLUDED */ 2131 2132 /******************************************************************************* 2133 ** 2134 ** Function BTM_BleDataSignature 2135 ** 2136 ** Description This function is called to sign the data using AES128 CMAC 2137 ** algorith. 2138 ** 2139 ** Parameter bd_addr: target device the data to be signed for. 2140 ** p_text: singing data 2141 ** len: length of the data to be signed. 2142 ** signature: output parameter where data signature is going to 2143 ** be stored. 2144 ** 2145 ** Returns TRUE if signing sucessul, otherwise FALSE. 2146 ** 2147 *******************************************************************************/ 2148 BOOLEAN BTM_BleDataSignature (BD_ADDR bd_addr, UINT8 *p_text, UINT16 len, 2149 BLE_SIGNATURE signature) 2150 { 2151 tBTM_SEC_DEV_REC *p_rec = btm_find_dev (bd_addr); 2152 2153 BTM_TRACE_DEBUG ("%s", __func__); 2154 BOOLEAN ret = FALSE; 2155 if (p_rec == NULL) 2156 { 2157 BTM_TRACE_ERROR("%s-data signing can not be done from unknown device", __func__); 2158 } 2159 else 2160 { 2161 UINT8 *p_mac = (UINT8 *)signature; 2162 UINT8 *pp; 2163 UINT8 *p_buf = (UINT8 *)osi_malloc(len + 4); 2164 2165 BTM_TRACE_DEBUG("%s-Start to generate Local CSRK", __func__); 2166 pp = p_buf; 2167 /* prepare plain text */ 2168 if (p_text) { 2169 memcpy(p_buf, p_text, len); 2170 pp = (p_buf + len); 2171 } 2172 2173 UINT32_TO_STREAM(pp, p_rec->ble.keys.local_counter); 2174 UINT32_TO_STREAM(p_mac, p_rec->ble.keys.local_counter); 2175 2176 if ((ret = aes_cipher_msg_auth_code(p_rec->ble.keys.lcsrk, p_buf, (UINT16)(len + 4), 2177 BTM_CMAC_TLEN_SIZE, p_mac)) == TRUE) { 2178 btm_ble_increment_sign_ctr(bd_addr, TRUE); 2179 } 2180 2181 BTM_TRACE_DEBUG("%s p_mac = %d", __func__, p_mac); 2182 BTM_TRACE_DEBUG("p_mac[0] = 0x%02x p_mac[1] = 0x%02x p_mac[2] = 0x%02x p_mac[3] = 0x%02x", 2183 *p_mac, *(p_mac + 1), *(p_mac + 2), *(p_mac + 3)); 2184 BTM_TRACE_DEBUG("p_mac[4] = 0x%02x p_mac[5] = 0x%02x p_mac[6] = 0x%02x p_mac[7] = 0x%02x", 2185 *(p_mac + 4), *(p_mac + 5), *(p_mac + 6), *(p_mac + 7)); 2186 osi_free(p_buf); 2187 } 2188 return ret; 2189 } 2190 2191 /******************************************************************************* 2192 ** 2193 ** Function BTM_BleVerifySignature 2194 ** 2195 ** Description This function is called to verify the data signature 2196 ** 2197 ** Parameter bd_addr: target device the data to be signed for. 2198 ** p_orig: original data before signature. 2199 ** len: length of the signing data 2200 ** counter: counter used when doing data signing 2201 ** p_comp: signature to be compared against. 2202 2203 ** Returns TRUE if signature verified correctly; otherwise FALSE. 2204 ** 2205 *******************************************************************************/ 2206 BOOLEAN BTM_BleVerifySignature (BD_ADDR bd_addr, UINT8 *p_orig, UINT16 len, UINT32 counter, 2207 UINT8 *p_comp) 2208 { 2209 BOOLEAN verified = FALSE; 2210 #if SMP_INCLUDED == TRUE 2211 tBTM_SEC_DEV_REC *p_rec = btm_find_dev (bd_addr); 2212 UINT8 p_mac[BTM_CMAC_TLEN_SIZE]; 2213 2214 if (p_rec == NULL || (p_rec && !(p_rec->ble.key_type & BTM_LE_KEY_PCSRK))) 2215 { 2216 BTM_TRACE_ERROR("can not verify signature for unknown device"); 2217 } 2218 else if (counter < p_rec->ble.keys.counter) 2219 { 2220 BTM_TRACE_ERROR("signature received with out dated sign counter"); 2221 } 2222 else if (p_orig == NULL) 2223 { 2224 BTM_TRACE_ERROR("No signature to verify"); 2225 } 2226 else 2227 { 2228 BTM_TRACE_DEBUG ("%s rcv_cnt=%d >= expected_cnt=%d", __func__, counter, 2229 p_rec->ble.keys.counter); 2230 2231 if (aes_cipher_msg_auth_code(p_rec->ble.keys.pcsrk, p_orig, len, BTM_CMAC_TLEN_SIZE, p_mac)) 2232 { 2233 if (memcmp(p_mac, p_comp, BTM_CMAC_TLEN_SIZE) == 0) 2234 { 2235 btm_ble_increment_sign_ctr(bd_addr, FALSE); 2236 verified = TRUE; 2237 } 2238 } 2239 } 2240 #endif /* SMP_INCLUDED */ 2241 return verified; 2242 } 2243 2244 /******************************************************************************* 2245 ** 2246 ** Function BTM_GetLeSecurityState 2247 ** 2248 ** Description This function is called to get security mode 1 flags and 2249 ** encryption key size for LE peer. 2250 ** 2251 ** Returns BOOLEAN TRUE if LE device is found, FALSE otherwise. 2252 ** 2253 *******************************************************************************/ 2254 BOOLEAN BTM_GetLeSecurityState (BD_ADDR bd_addr, UINT8 *p_le_dev_sec_flags, UINT8 *p_le_key_size) 2255 { 2256 #if (BLE_INCLUDED == TRUE) 2257 tBTM_SEC_DEV_REC *p_dev_rec; 2258 UINT16 dev_rec_sec_flags; 2259 #endif 2260 2261 *p_le_dev_sec_flags = 0; 2262 *p_le_key_size = 0; 2263 2264 #if (BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE) 2265 if ((p_dev_rec = btm_find_dev (bd_addr)) == NULL) 2266 { 2267 BTM_TRACE_ERROR ("%s fails", __func__); 2268 return (FALSE); 2269 } 2270 2271 if (p_dev_rec->ble_hci_handle == BTM_SEC_INVALID_HANDLE) { 2272 BTM_TRACE_ERROR ("%s-this is not LE device", __func__); 2273 return (FALSE); 2274 } 2275 2276 dev_rec_sec_flags = p_dev_rec->sec_flags; 2277 2278 if (dev_rec_sec_flags & BTM_SEC_LE_ENCRYPTED) 2279 { 2280 /* link is encrypted with LTK or STK */ 2281 *p_le_key_size = p_dev_rec->enc_key_size; 2282 *p_le_dev_sec_flags |= BTM_SEC_LE_LINK_ENCRYPTED; 2283 2284 *p_le_dev_sec_flags |= (dev_rec_sec_flags & BTM_SEC_LE_AUTHENTICATED) 2285 ? BTM_SEC_LE_LINK_PAIRED_WITH_MITM /* set auth LTK flag */ 2286 : BTM_SEC_LE_LINK_PAIRED_WITHOUT_MITM; /* set unauth LTK flag */ 2287 } 2288 else if (p_dev_rec->ble.key_type & BTM_LE_KEY_PENC) 2289 { 2290 /* link is unencrypted, still LTK is available */ 2291 *p_le_key_size = p_dev_rec->ble.keys.key_size; 2292 2293 *p_le_dev_sec_flags |= (dev_rec_sec_flags & BTM_SEC_LE_LINK_KEY_AUTHED) 2294 ? BTM_SEC_LE_LINK_PAIRED_WITH_MITM /* set auth LTK flag */ 2295 : BTM_SEC_LE_LINK_PAIRED_WITHOUT_MITM; /* set unauth LTK flag */ 2296 } 2297 2298 BTM_TRACE_DEBUG ("%s - le_dev_sec_flags: 0x%02x, le_key_size: %d", 2299 __func__, *p_le_dev_sec_flags, *p_le_key_size); 2300 2301 return TRUE; 2302 #else 2303 return FALSE; 2304 #endif 2305 } 2306 2307 /******************************************************************************* 2308 ** 2309 ** Function BTM_BleSecurityProcedureIsRunning 2310 ** 2311 ** Description This function indicates if LE security procedure is 2312 ** currently running with the peer. 2313 ** 2314 ** Returns BOOLEAN TRUE if security procedure is running, FALSE otherwise. 2315 ** 2316 *******************************************************************************/ 2317 BOOLEAN BTM_BleSecurityProcedureIsRunning(BD_ADDR bd_addr) 2318 { 2319 #if (BLE_INCLUDED == TRUE) 2320 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr); 2321 2322 if (p_dev_rec == NULL) 2323 { 2324 BTM_TRACE_ERROR ("%s device with BDA: %08x%04x is not found", 2325 __func__, (bd_addr[0]<<24)+(bd_addr[1]<<16)+(bd_addr[2]<<8)+bd_addr[3], 2326 (bd_addr[4]<<8)+bd_addr[5]); 2327 return FALSE; 2328 } 2329 2330 return (p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING || 2331 p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING); 2332 #else 2333 return FALSE; 2334 #endif 2335 } 2336 2337 /******************************************************************************* 2338 ** 2339 ** Function BTM_BleGetSupportedKeySize 2340 ** 2341 ** Description This function gets the maximum encryption key size in bytes 2342 ** the local device can suport. 2343 ** record. 2344 ** 2345 ** Returns the key size or 0 if the size can't be retrieved. 2346 ** 2347 *******************************************************************************/ 2348 extern UINT8 BTM_BleGetSupportedKeySize (BD_ADDR bd_addr) 2349 { 2350 #if ((BLE_INCLUDED == TRUE) && (L2CAP_LE_COC_INCLUDED == TRUE)) 2351 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr); 2352 tBTM_LE_IO_REQ dev_io_cfg; 2353 UINT8 callback_rc; 2354 2355 if (!p_dev_rec) 2356 { 2357 BTM_TRACE_ERROR ("%s device with BDA: %08x%04x is not found", 2358 __func__,(bd_addr[0]<<24)+(bd_addr[1]<<16)+(bd_addr[2]<<8)+bd_addr[3], 2359 (bd_addr[4]<<8)+bd_addr[5]); 2360 return 0; 2361 } 2362 2363 if (btm_cb.api.p_le_callback == NULL) 2364 { 2365 BTM_TRACE_ERROR ("%s can't access supported key size",__func__); 2366 return 0; 2367 } 2368 2369 callback_rc = (*btm_cb.api.p_le_callback) (BTM_LE_IO_REQ_EVT, p_dev_rec->bd_addr, 2370 (tBTM_LE_EVT_DATA *) &dev_io_cfg); 2371 2372 if (callback_rc != BTM_SUCCESS) 2373 { 2374 BTM_TRACE_ERROR ("%s can't access supported key size",__func__); 2375 return 0; 2376 } 2377 2378 BTM_TRACE_DEBUG ("%s device supports key size = %d", __func__, dev_io_cfg.max_key_size); 2379 return (dev_io_cfg.max_key_size); 2380 #else 2381 return 0; 2382 #endif 2383 } 2384 2385 /******************************************************************************* 2386 ** Utility functions for LE device IR/ER generation 2387 *******************************************************************************/ 2388 /******************************************************************************* 2389 ** 2390 ** Function btm_notify_new_key 2391 ** 2392 ** Description This function is to notify application new keys have been 2393 ** generated. 2394 ** 2395 ** Returns void 2396 ** 2397 *******************************************************************************/ 2398 static void btm_notify_new_key(UINT8 key_type) 2399 { 2400 tBTM_BLE_LOCAL_KEYS *p_locak_keys = NULL; 2401 2402 BTM_TRACE_DEBUG ("btm_notify_new_key key_type=%d", key_type); 2403 2404 if (btm_cb.api.p_le_key_callback) 2405 { 2406 switch (key_type) 2407 { 2408 case BTM_BLE_KEY_TYPE_ID: 2409 BTM_TRACE_DEBUG ("BTM_BLE_KEY_TYPE_ID"); 2410 p_locak_keys = (tBTM_BLE_LOCAL_KEYS *)&btm_cb.devcb.id_keys; 2411 break; 2412 2413 case BTM_BLE_KEY_TYPE_ER: 2414 BTM_TRACE_DEBUG ("BTM_BLE_KEY_TYPE_ER"); 2415 p_locak_keys = (tBTM_BLE_LOCAL_KEYS *)&btm_cb.devcb.ble_encryption_key_value; 2416 break; 2417 2418 default: 2419 BTM_TRACE_ERROR("unknown key type: %d", key_type); 2420 break; 2421 } 2422 if (p_locak_keys != NULL) 2423 (*btm_cb.api.p_le_key_callback) (key_type, p_locak_keys); 2424 } 2425 } 2426 2427 /******************************************************************************* 2428 ** 2429 ** Function btm_ble_process_er2 2430 ** 2431 ** Description This function is called when ER is generated, store it in 2432 ** local control block. 2433 ** 2434 ** Returns void 2435 ** 2436 *******************************************************************************/ 2437 static void btm_ble_process_er2(tBTM_RAND_ENC *p) 2438 { 2439 BTM_TRACE_DEBUG ("btm_ble_process_er2"); 2440 2441 if (p &&p->opcode == HCI_BLE_RAND) 2442 { 2443 memcpy(&btm_cb.devcb.ble_encryption_key_value[8], p->param_buf, BT_OCTET8_LEN); 2444 btm_notify_new_key(BTM_BLE_KEY_TYPE_ER); 2445 } 2446 else 2447 { 2448 BTM_TRACE_ERROR("Generating ER2 exception."); 2449 memset(&btm_cb.devcb.ble_encryption_key_value, 0, sizeof(BT_OCTET16)); 2450 } 2451 } 2452 2453 /******************************************************************************* 2454 ** 2455 ** Function btm_ble_process_er 2456 ** 2457 ** Description This function is called when ER is generated, store it in 2458 ** local control block. 2459 ** 2460 ** Returns void 2461 ** 2462 *******************************************************************************/ 2463 static void btm_ble_process_er(tBTM_RAND_ENC *p) 2464 { 2465 BTM_TRACE_DEBUG ("btm_ble_process_er"); 2466 2467 if (p &&p->opcode == HCI_BLE_RAND) 2468 { 2469 memcpy(&btm_cb.devcb.ble_encryption_key_value[0], p->param_buf, BT_OCTET8_LEN); 2470 2471 if (!btsnd_hcic_ble_rand((void *)btm_ble_process_er2)) 2472 { 2473 memset(&btm_cb.devcb.ble_encryption_key_value, 0, sizeof(BT_OCTET16)); 2474 BTM_TRACE_ERROR("Generating ER2 failed."); 2475 } 2476 } 2477 else 2478 { 2479 BTM_TRACE_ERROR("Generating ER1 exception."); 2480 } 2481 } 2482 2483 /******************************************************************************* 2484 ** 2485 ** Function btm_ble_process_irk 2486 ** 2487 ** Description This function is called when IRK is generated, store it in 2488 ** local control block. 2489 ** 2490 ** Returns void 2491 ** 2492 *******************************************************************************/ 2493 static void btm_ble_process_irk(tSMP_ENC *p) 2494 { 2495 BTM_TRACE_DEBUG ("btm_ble_process_irk"); 2496 if (p &&p->opcode == HCI_BLE_ENCRYPT) 2497 { 2498 memcpy(btm_cb.devcb.id_keys.irk, p->param_buf, BT_OCTET16_LEN); 2499 btm_notify_new_key(BTM_BLE_KEY_TYPE_ID); 2500 2501 #if BLE_PRIVACY_SPT == TRUE 2502 /* if privacy is enabled, new RPA should be calculated */ 2503 if (btm_cb.ble_ctr_cb.privacy_mode != BTM_PRIVACY_NONE) 2504 { 2505 btm_gen_resolvable_private_addr((void *)btm_gen_resolve_paddr_low); 2506 } 2507 #endif 2508 } 2509 else 2510 { 2511 BTM_TRACE_ERROR("Generating IRK exception."); 2512 } 2513 2514 /* proceed generate ER */ 2515 if (!btsnd_hcic_ble_rand((void *)btm_ble_process_er)) 2516 { 2517 BTM_TRACE_ERROR("Generating ER failed."); 2518 } 2519 } 2520 2521 /******************************************************************************* 2522 ** 2523 ** Function btm_ble_process_dhk 2524 ** 2525 ** Description This function is called when DHK is calculated, store it in 2526 ** local control block, and proceed to generate ER, a 128-bits 2527 ** random number. 2528 ** 2529 ** Returns void 2530 ** 2531 *******************************************************************************/ 2532 static void btm_ble_process_dhk(tSMP_ENC *p) 2533 { 2534 #if SMP_INCLUDED == TRUE 2535 UINT8 btm_ble_irk_pt = 0x01; 2536 tSMP_ENC output; 2537 2538 BTM_TRACE_DEBUG ("btm_ble_process_dhk"); 2539 2540 if (p && p->opcode == HCI_BLE_ENCRYPT) 2541 { 2542 memcpy(btm_cb.devcb.id_keys.dhk, p->param_buf, BT_OCTET16_LEN); 2543 BTM_TRACE_DEBUG("BLE DHK generated."); 2544 2545 /* IRK = D1(IR, 1) */ 2546 if (!SMP_Encrypt(btm_cb.devcb.id_keys.ir, BT_OCTET16_LEN, &btm_ble_irk_pt, 2547 1, &output)) 2548 { 2549 /* reset all identity root related key */ 2550 memset(&btm_cb.devcb.id_keys, 0, sizeof(tBTM_BLE_LOCAL_ID_KEYS)); 2551 } 2552 else 2553 { 2554 btm_ble_process_irk(&output); 2555 } 2556 } 2557 else 2558 { 2559 /* reset all identity root related key */ 2560 memset(&btm_cb.devcb.id_keys, 0, sizeof(tBTM_BLE_LOCAL_ID_KEYS)); 2561 } 2562 #endif 2563 } 2564 2565 /******************************************************************************* 2566 ** 2567 ** Function btm_ble_process_ir2 2568 ** 2569 ** Description This function is called when IR is generated, proceed to calculate 2570 ** DHK = Eir({0x03, 0, 0 ...}) 2571 ** 2572 ** 2573 ** Returns void 2574 ** 2575 *******************************************************************************/ 2576 static void btm_ble_process_ir2(tBTM_RAND_ENC *p) 2577 { 2578 #if SMP_INCLUDED == TRUE 2579 UINT8 btm_ble_dhk_pt = 0x03; 2580 tSMP_ENC output; 2581 2582 BTM_TRACE_DEBUG ("btm_ble_process_ir2"); 2583 2584 if (p && p->opcode == HCI_BLE_RAND) 2585 { 2586 /* remembering in control block */ 2587 memcpy(&btm_cb.devcb.id_keys.ir[8], p->param_buf, BT_OCTET8_LEN); 2588 /* generate DHK= Eir({0x03, 0x00, 0x00 ...}) */ 2589 2590 SMP_Encrypt(btm_cb.devcb.id_keys.ir, BT_OCTET16_LEN, &btm_ble_dhk_pt, 2591 1, &output); 2592 btm_ble_process_dhk(&output); 2593 2594 BTM_TRACE_DEBUG("BLE IR generated."); 2595 } 2596 else 2597 { 2598 memset(&btm_cb.devcb.id_keys, 0, sizeof(tBTM_BLE_LOCAL_ID_KEYS)); 2599 } 2600 #endif 2601 } 2602 2603 /******************************************************************************* 2604 ** 2605 ** Function btm_ble_process_ir 2606 ** 2607 ** Description This function is called when IR is generated, proceed to calculate 2608 ** DHK = Eir({0x02, 0, 0 ...}) 2609 ** 2610 ** 2611 ** Returns void 2612 ** 2613 *******************************************************************************/ 2614 static void btm_ble_process_ir(tBTM_RAND_ENC *p) 2615 { 2616 BTM_TRACE_DEBUG ("btm_ble_process_ir"); 2617 2618 if (p && p->opcode == HCI_BLE_RAND) 2619 { 2620 /* remembering in control block */ 2621 memcpy(btm_cb.devcb.id_keys.ir, p->param_buf, BT_OCTET8_LEN); 2622 2623 if (!btsnd_hcic_ble_rand((void *)btm_ble_process_ir2)) 2624 { 2625 BTM_TRACE_ERROR("Generating IR2 failed."); 2626 memset(&btm_cb.devcb.id_keys, 0, sizeof(tBTM_BLE_LOCAL_ID_KEYS)); 2627 } 2628 } 2629 } 2630 2631 /******************************************************************************* 2632 ** 2633 ** Function btm_ble_reset_id 2634 ** 2635 ** Description This function is called to reset LE device identity. 2636 ** 2637 ** Returns void 2638 ** 2639 *******************************************************************************/ 2640 void btm_ble_reset_id( void ) 2641 { 2642 BTM_TRACE_DEBUG ("btm_ble_reset_id"); 2643 2644 /* regenrate Identity Root*/ 2645 if (!btsnd_hcic_ble_rand((void *)btm_ble_process_ir)) 2646 { 2647 BTM_TRACE_DEBUG("Generating IR failed."); 2648 } 2649 } 2650 2651 #if BTM_BLE_CONFORMANCE_TESTING == TRUE 2652 /******************************************************************************* 2653 ** 2654 ** Function btm_ble_set_no_disc_if_pair_fail 2655 ** 2656 ** Description This function indicates that whether no disconnect of the ACL 2657 ** should be used if pairing failed 2658 ** 2659 ** Returns void 2660 ** 2661 *******************************************************************************/ 2662 void btm_ble_set_no_disc_if_pair_fail(BOOLEAN disable_disc ) 2663 { 2664 BTM_TRACE_DEBUG ("btm_ble_set_disc_enable_if_pair_fail disable_disc=%d", disable_disc); 2665 btm_cb.devcb.no_disc_if_pair_fail = disable_disc; 2666 } 2667 2668 /******************************************************************************* 2669 ** 2670 ** Function btm_ble_set_test_mac_value 2671 ** 2672 ** Description This function set test MAC value 2673 ** 2674 ** Returns void 2675 ** 2676 *******************************************************************************/ 2677 void btm_ble_set_test_mac_value(BOOLEAN enable, UINT8 *p_test_mac_val ) 2678 { 2679 BTM_TRACE_DEBUG ("btm_ble_set_test_mac_value enable=%d", enable); 2680 btm_cb.devcb.enable_test_mac_val = enable; 2681 memcpy(btm_cb.devcb.test_mac, p_test_mac_val, BT_OCTET8_LEN); 2682 } 2683 2684 /******************************************************************************* 2685 ** 2686 ** Function btm_ble_set_test_local_sign_cntr_value 2687 ** 2688 ** Description This function set test local sign counter value 2689 ** 2690 ** Returns void 2691 ** 2692 *******************************************************************************/ 2693 void btm_ble_set_test_local_sign_cntr_value(BOOLEAN enable, UINT32 test_local_sign_cntr ) 2694 { 2695 BTM_TRACE_DEBUG ("btm_ble_set_test_local_sign_cntr_value enable=%d local_sign_cntr=%d", 2696 enable, test_local_sign_cntr); 2697 btm_cb.devcb.enable_test_local_sign_cntr = enable; 2698 btm_cb.devcb.test_local_sign_cntr = test_local_sign_cntr; 2699 } 2700 2701 /******************************************************************************* 2702 ** 2703 ** Function btm_set_random_address 2704 ** 2705 ** Description This function set a random address to local controller. 2706 ** 2707 ** Returns void 2708 ** 2709 *******************************************************************************/ 2710 void btm_set_random_address(BD_ADDR random_bda) 2711 { 2712 tBTM_LE_RANDOM_CB *p_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb; 2713 BOOLEAN adv_mode = btm_cb.ble_ctr_cb.inq_var.adv_mode ; 2714 2715 BTM_TRACE_DEBUG ("btm_set_random_address"); 2716 2717 if (adv_mode == BTM_BLE_ADV_ENABLE) 2718 btsnd_hcic_ble_set_adv_enable (BTM_BLE_ADV_DISABLE); 2719 2720 memcpy(p_cb->private_addr, random_bda, BD_ADDR_LEN); 2721 btsnd_hcic_ble_set_random_addr(p_cb->private_addr); 2722 2723 if (adv_mode == BTM_BLE_ADV_ENABLE) 2724 btsnd_hcic_ble_set_adv_enable (BTM_BLE_ADV_ENABLE); 2725 2726 } 2727 2728 /******************************************************************************* 2729 ** 2730 ** Function btm_ble_set_keep_rfu_in_auth_req 2731 ** 2732 ** Description This function indicates if RFU bits have to be kept as is 2733 ** (by default they have to be set to 0 by the sender). 2734 ** 2735 ** Returns void 2736 ** 2737 *******************************************************************************/ 2738 void btm_ble_set_keep_rfu_in_auth_req(BOOLEAN keep_rfu) 2739 { 2740 BTM_TRACE_DEBUG ("btm_ble_set_keep_rfu_in_auth_req keep_rfus=%d", keep_rfu); 2741 btm_cb.devcb.keep_rfu_in_auth_req = keep_rfu; 2742 } 2743 2744 #endif /* BTM_BLE_CONFORMANCE_TESTING */ 2745 2746 #endif /* BLE_INCLUDED */ 2747