1 /****************************************************************************** 2 * 3 * Copyright 1999-2012 Broadcom Corporation 4 * 5 * Licensed under the Apache License, Version 2.0 (the "License"); 6 * you may not use this file except in compliance with the License. 7 * You may obtain a copy of the License at: 8 * 9 * http://www.apache.org/licenses/LICENSE-2.0 10 * 11 * Unless required by applicable law or agreed to in writing, software 12 * distributed under the License is distributed on an "AS IS" BASIS, 13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 * See the License for the specific language governing permissions and 15 * limitations under the License. 16 * 17 ******************************************************************************/ 18 19 /****************************************************************************** 20 * 21 * This file contains functions for BLE device control utilities, and LE 22 * security functions. 23 * 24 ******************************************************************************/ 25 26 #define LOG_TAG "bt_btm_ble" 27 28 #include "bt_target.h" 29 30 #include <base/bind.h> 31 #include <string.h> 32 33 #include "bt_types.h" 34 #include "bt_utils.h" 35 #include "btm_ble_api.h" 36 #include "btm_int.h" 37 #include "btu.h" 38 #include "device/include/controller.h" 39 #include "gap_api.h" 40 #include "gatt_api.h" 41 #include "hcimsgs.h" 42 #include "l2c_int.h" 43 #include "osi/include/log.h" 44 #include "osi/include/osi.h" 45 #include "smp_api.h" 46 47 extern bool aes_cipher_msg_auth_code(BT_OCTET16 key, uint8_t* input, 48 uint16_t length, uint16_t tlen, 49 uint8_t* p_signature); 50 extern void gatt_notify_phy_updated(uint8_t status, uint16_t handle, 51 uint8_t tx_phy, uint8_t rx_phy); 52 extern void btm_ble_advertiser_notify_terminated_legacy( 53 uint8_t status, uint16_t connection_handle); 54 55 /******************************************************************************/ 56 /* External Function to be called by other modules */ 57 /******************************************************************************/ 58 /******************************************************** 59 * 60 * Function BTM_SecAddBleDevice 61 * 62 * Description Add/modify device. This function will be normally called 63 * during host startup to restore all required information 64 * for a LE device stored in the NVRAM. 65 * 66 * Parameters: bd_addr - BD address of the peer 67 * bd_name - Name of the peer device. NULL if unknown. 68 * dev_type - Remote device's device type. 69 * addr_type - LE device address type. 70 * 71 * Returns true if added OK, else false 72 * 73 ******************************************************************************/ 74 bool BTM_SecAddBleDevice(const RawAddress& bd_addr, BD_NAME bd_name, 75 tBT_DEVICE_TYPE dev_type, tBLE_ADDR_TYPE addr_type) { 76 BTM_TRACE_DEBUG("%s: dev_type=0x%x", __func__, dev_type); 77 78 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr); 79 if (!p_dev_rec) { 80 p_dev_rec = btm_sec_allocate_dev_rec(); 81 82 p_dev_rec->bd_addr = bd_addr; 83 p_dev_rec->hci_handle = BTM_GetHCIConnHandle(bd_addr, BT_TRANSPORT_BR_EDR); 84 p_dev_rec->ble_hci_handle = BTM_GetHCIConnHandle(bd_addr, BT_TRANSPORT_LE); 85 86 /* update conn params, use default value for background connection params */ 87 p_dev_rec->conn_params.min_conn_int = BTM_BLE_CONN_PARAM_UNDEF; 88 p_dev_rec->conn_params.max_conn_int = BTM_BLE_CONN_PARAM_UNDEF; 89 p_dev_rec->conn_params.supervision_tout = BTM_BLE_CONN_PARAM_UNDEF; 90 p_dev_rec->conn_params.slave_latency = BTM_BLE_CONN_PARAM_UNDEF; 91 92 BTM_TRACE_DEBUG("%s: Device added, handle=0x%x, p_dev_rec=%p, bd_addr=%s", 93 __func__, p_dev_rec->ble_hci_handle, p_dev_rec, 94 bd_addr.ToString().c_str()); 95 } 96 97 memset(p_dev_rec->sec_bd_name, 0, sizeof(tBTM_BD_NAME)); 98 99 if (bd_name && bd_name[0]) { 100 p_dev_rec->sec_flags |= BTM_SEC_NAME_KNOWN; 101 strlcpy((char*)p_dev_rec->sec_bd_name, (char*)bd_name, 102 BTM_MAX_REM_BD_NAME_LEN); 103 } 104 p_dev_rec->device_type |= dev_type; 105 p_dev_rec->ble.ble_addr_type = addr_type; 106 107 p_dev_rec->ble.pseudo_addr = bd_addr; 108 /* sync up with the Inq Data base*/ 109 tBTM_INQ_INFO* p_info = BTM_InqDbRead(bd_addr); 110 if (p_info) { 111 p_info->results.ble_addr_type = p_dev_rec->ble.ble_addr_type; 112 p_info->results.device_type = p_dev_rec->device_type; 113 BTM_TRACE_DEBUG("InqDb device_type =0x%x addr_type=0x%x", 114 p_info->results.device_type, p_info->results.ble_addr_type); 115 } 116 117 return true; 118 } 119 120 /******************************************************************************* 121 * 122 * Function BTM_SecAddBleKey 123 * 124 * Description Add/modify LE device information. This function will be 125 * normally called during host startup to restore all required 126 * information stored in the NVRAM. 127 * 128 * Parameters: bd_addr - BD address of the peer 129 * p_le_key - LE key values. 130 * key_type - LE SMP key type. 131 * 132 * Returns true if added OK, else false 133 * 134 ******************************************************************************/ 135 bool BTM_SecAddBleKey(const RawAddress& bd_addr, tBTM_LE_KEY_VALUE* p_le_key, 136 tBTM_LE_KEY_TYPE key_type) { 137 tBTM_SEC_DEV_REC* p_dev_rec; 138 BTM_TRACE_DEBUG("BTM_SecAddBleKey"); 139 p_dev_rec = btm_find_dev(bd_addr); 140 if (!p_dev_rec || !p_le_key || 141 (key_type != BTM_LE_KEY_PENC && key_type != BTM_LE_KEY_PID && 142 key_type != BTM_LE_KEY_PCSRK && key_type != BTM_LE_KEY_LENC && 143 key_type != BTM_LE_KEY_LCSRK && key_type != BTM_LE_KEY_LID)) { 144 LOG(WARNING) << __func__ 145 << " Wrong Type, or No Device record for bdaddr: " << bd_addr 146 << ", Type: " << key_type; 147 return (false); 148 } 149 150 VLOG(1) << __func__ << " BDA: " << bd_addr << ", Type: " << key_type; 151 152 btm_sec_save_le_key(bd_addr, key_type, p_le_key, false); 153 154 #if (BLE_PRIVACY_SPT == TRUE) 155 if (key_type == BTM_LE_KEY_PID || key_type == BTM_LE_KEY_LID) 156 btm_ble_resolving_list_load_dev(p_dev_rec); 157 #endif 158 159 return (true); 160 } 161 162 /******************************************************************************* 163 * 164 * Function BTM_BleLoadLocalKeys 165 * 166 * Description Local local identity key, encryption root or sign counter. 167 * 168 * Parameters: key_type: type of key, can be BTM_BLE_KEY_TYPE_ID, 169 * BTM_BLE_KEY_TYPE_ER 170 * or BTM_BLE_KEY_TYPE_COUNTER. 171 * p_key: pointer to the key. 172 * 173 * Returns non2. 174 * 175 ******************************************************************************/ 176 void BTM_BleLoadLocalKeys(uint8_t key_type, tBTM_BLE_LOCAL_KEYS* p_key) { 177 tBTM_DEVCB* p_devcb = &btm_cb.devcb; 178 BTM_TRACE_DEBUG("%s", __func__); 179 if (p_key != NULL) { 180 switch (key_type) { 181 case BTM_BLE_KEY_TYPE_ID: 182 memcpy(&p_devcb->id_keys, &p_key->id_keys, 183 sizeof(tBTM_BLE_LOCAL_ID_KEYS)); 184 break; 185 186 case BTM_BLE_KEY_TYPE_ER: 187 memcpy(p_devcb->ble_encryption_key_value, p_key->er, 188 sizeof(BT_OCTET16)); 189 break; 190 191 default: 192 BTM_TRACE_ERROR("unknow local key type: %d", key_type); 193 break; 194 } 195 } 196 } 197 198 /******************************************************************************* 199 * 200 * Function BTM_GetDeviceEncRoot 201 * 202 * Description This function is called to read the local device encryption 203 * root. 204 * 205 * Returns void 206 * the local device ER is copied into ble_encr_key_value 207 * 208 ******************************************************************************/ 209 void BTM_GetDeviceEncRoot(BT_OCTET16 ble_encr_key_value) { 210 BTM_TRACE_DEBUG("%s", __func__); 211 memcpy(ble_encr_key_value, btm_cb.devcb.ble_encryption_key_value, 212 BT_OCTET16_LEN); 213 } 214 215 /******************************************************************************* 216 * 217 * Function BTM_GetDeviceIDRoot 218 * 219 * Description This function is called to read the local device identity 220 * root. 221 * 222 * Returns void 223 * the local device IR is copied into irk 224 * 225 ******************************************************************************/ 226 void BTM_GetDeviceIDRoot(BT_OCTET16 irk) { 227 BTM_TRACE_DEBUG("BTM_GetDeviceIDRoot "); 228 229 memcpy(irk, btm_cb.devcb.id_keys.irk, BT_OCTET16_LEN); 230 } 231 232 /******************************************************************************* 233 * 234 * Function BTM_GetDeviceDHK 235 * 236 * Description This function is called to read the local device DHK. 237 * 238 * Returns void 239 * the local device DHK is copied into dhk 240 * 241 ******************************************************************************/ 242 void BTM_GetDeviceDHK(BT_OCTET16 dhk) { 243 BTM_TRACE_DEBUG("BTM_GetDeviceDHK"); 244 memcpy(dhk, btm_cb.devcb.id_keys.dhk, BT_OCTET16_LEN); 245 } 246 247 /******************************************************************************* 248 * 249 * Function BTM_ReadConnectionAddr 250 * 251 * Description This function is called to get the local device address 252 * information. 253 * 254 * Returns void 255 * 256 ******************************************************************************/ 257 void BTM_ReadConnectionAddr(const RawAddress& remote_bda, 258 RawAddress& local_conn_addr, 259 tBLE_ADDR_TYPE* p_addr_type) { 260 tACL_CONN* p_acl = btm_bda_to_acl(remote_bda, BT_TRANSPORT_LE); 261 262 if (p_acl == NULL) { 263 BTM_TRACE_ERROR("No connection exist!"); 264 return; 265 } 266 local_conn_addr = p_acl->conn_addr; 267 *p_addr_type = p_acl->conn_addr_type; 268 269 BTM_TRACE_DEBUG("BTM_ReadConnectionAddr address type: %d addr: 0x%02x", 270 p_acl->conn_addr_type, p_acl->conn_addr.address[0]); 271 } 272 273 /******************************************************************************* 274 * 275 * Function BTM_IsBleConnection 276 * 277 * Description This function is called to check if the connection handle 278 * for an LE link 279 * 280 * Returns true if connection is LE link, otherwise false. 281 * 282 ******************************************************************************/ 283 bool BTM_IsBleConnection(uint16_t conn_handle) { 284 uint8_t xx; 285 tACL_CONN* p; 286 287 BTM_TRACE_API("BTM_IsBleConnection: conn_handle: %d", conn_handle); 288 289 xx = btm_handle_to_acl_index(conn_handle); 290 if (xx >= MAX_L2CAP_LINKS) return false; 291 292 p = &btm_cb.acl_db[xx]; 293 294 return (p->transport == BT_TRANSPORT_LE); 295 } 296 297 /******************************************************************************* 298 * 299 * Function BTM_ReadRemoteConnectionAddr 300 * 301 * Description This function is read the remote device address currently used 302 * 303 * Parameters pseudo_addr: pseudo random address available 304 * conn_addr:connection address used 305 * p_addr_type : BD Address type, Public or Random of the address 306 * used 307 * 308 * Returns bool, true if connection to remote device exists, else false 309 * 310 ******************************************************************************/ 311 bool BTM_ReadRemoteConnectionAddr(const RawAddress& pseudo_addr, 312 RawAddress& conn_addr, 313 tBLE_ADDR_TYPE* p_addr_type) { 314 bool st = true; 315 #if (BLE_PRIVACY_SPT == TRUE) 316 tACL_CONN* p = btm_bda_to_acl(pseudo_addr, BT_TRANSPORT_LE); 317 318 if (p == NULL) { 319 BTM_TRACE_ERROR( 320 "BTM_ReadRemoteConnectionAddr can not find connection" 321 " with matching address"); 322 return false; 323 } 324 325 conn_addr = p->active_remote_addr; 326 *p_addr_type = p->active_remote_addr_type; 327 #else 328 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(pseudo_addr); 329 330 conn_addr = pseudo_addr; 331 if (p_dev_rec != NULL) { 332 *p_addr_type = p_dev_rec->ble.ble_addr_type; 333 } 334 #endif 335 return st; 336 } 337 /******************************************************************************* 338 * 339 * Function BTM_SecurityGrant 340 * 341 * Description This function is called to grant security process. 342 * 343 * Parameters bd_addr - peer device bd address. 344 * res - result of the operation BTM_SUCCESS if success. 345 * Otherwise, BTM_REPEATED_ATTEMPTS if too many 346 * attempts. 347 * 348 * Returns None 349 * 350 ******************************************************************************/ 351 void BTM_SecurityGrant(const RawAddress& bd_addr, uint8_t res) { 352 tSMP_STATUS res_smp = 353 (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_REPEATED_ATTEMPTS; 354 BTM_TRACE_DEBUG("BTM_SecurityGrant"); 355 SMP_SecurityGrant(bd_addr, res_smp); 356 } 357 358 /******************************************************************************* 359 * 360 * Function BTM_BlePasskeyReply 361 * 362 * Description This function is called after Security Manager submitted 363 * passkey request to the application. 364 * 365 * Parameters: bd_addr - Address of the device for which passkey was 366 * requested 367 * res - result of the operation BTM_SUCCESS if success 368 * key_len - length in bytes of the Passkey 369 * p_passkey - pointer to array with the passkey 370 * trusted_mask - bitwise OR of trusted services (array of 371 * uint32_t) 372 * 373 ******************************************************************************/ 374 void BTM_BlePasskeyReply(const RawAddress& bd_addr, uint8_t res, 375 uint32_t passkey) { 376 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr); 377 tSMP_STATUS res_smp = 378 (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_PASSKEY_ENTRY_FAIL; 379 380 if (p_dev_rec == NULL) { 381 BTM_TRACE_ERROR("Passkey reply to Unknown device"); 382 return; 383 } 384 385 p_dev_rec->sec_flags |= BTM_SEC_LE_AUTHENTICATED; 386 BTM_TRACE_DEBUG("BTM_BlePasskeyReply"); 387 SMP_PasskeyReply(bd_addr, res_smp, passkey); 388 } 389 390 /******************************************************************************* 391 * 392 * Function BTM_BleConfirmReply 393 * 394 * Description This function is called after Security Manager submitted 395 * numeric comparison request to the application. 396 * 397 * Parameters: bd_addr - Address of the device with which numeric 398 * comparison was requested 399 * res - comparison result BTM_SUCCESS if success 400 * 401 ******************************************************************************/ 402 void BTM_BleConfirmReply(const RawAddress& bd_addr, uint8_t res) { 403 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr); 404 tSMP_STATUS res_smp = 405 (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_PASSKEY_ENTRY_FAIL; 406 407 if (p_dev_rec == NULL) { 408 BTM_TRACE_ERROR("Passkey reply to Unknown device"); 409 return; 410 } 411 412 p_dev_rec->sec_flags |= BTM_SEC_LE_AUTHENTICATED; 413 BTM_TRACE_DEBUG("%s", __func__); 414 SMP_ConfirmReply(bd_addr, res_smp); 415 } 416 417 /******************************************************************************* 418 * 419 * Function BTM_BleOobDataReply 420 * 421 * Description This function is called to provide the OOB data for 422 * SMP in response to BTM_LE_OOB_REQ_EVT 423 * 424 * Parameters: bd_addr - Address of the peer device 425 * res - result of the operation SMP_SUCCESS if success 426 * p_data - oob data, depending on transport and 427 * capabilities. 428 * Might be "Simple Pairing Randomizer", or 429 * "Security Manager TK Value". 430 * 431 ******************************************************************************/ 432 void BTM_BleOobDataReply(const RawAddress& bd_addr, uint8_t res, uint8_t len, 433 uint8_t* p_data) { 434 tSMP_STATUS res_smp = (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_OOB_FAIL; 435 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr); 436 437 BTM_TRACE_DEBUG("%s:", __func__); 438 439 if (p_dev_rec == NULL) { 440 BTM_TRACE_ERROR("%s: Unknown device", __func__); 441 return; 442 } 443 444 p_dev_rec->sec_flags |= BTM_SEC_LE_AUTHENTICATED; 445 SMP_OobDataReply(bd_addr, res_smp, len, p_data); 446 } 447 448 /******************************************************************************* 449 * 450 * Function BTM_BleSecureConnectionOobDataReply 451 * 452 * Description This function is called to provide the OOB data for 453 * SMP in response to BTM_LE_OOB_REQ_EVT when secure connection 454 * data is available 455 * 456 * Parameters: bd_addr - Address of the peer device 457 * p_c - pointer to Confirmation. 458 * p_r - pointer to Randomizer 459 * 460 ******************************************************************************/ 461 void BTM_BleSecureConnectionOobDataReply(const RawAddress& bd_addr, 462 uint8_t* p_c, uint8_t* p_r) { 463 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr); 464 465 BTM_TRACE_DEBUG("%s:", __func__); 466 467 if (p_dev_rec == NULL) { 468 BTM_TRACE_ERROR("%s: Unknown device", __func__); 469 return; 470 } 471 472 p_dev_rec->sec_flags |= BTM_SEC_LE_AUTHENTICATED; 473 474 tSMP_SC_OOB_DATA oob; 475 memset(&oob, 0, sizeof(tSMP_SC_OOB_DATA)); 476 477 oob.peer_oob_data.present = true; 478 memcpy(&oob.peer_oob_data.randomizer, p_r, BT_OCTET16_LEN); 479 memcpy(&oob.peer_oob_data.commitment, p_c, BT_OCTET16_LEN); 480 oob.peer_oob_data.addr_rcvd_from.type = p_dev_rec->ble.ble_addr_type; 481 oob.peer_oob_data.addr_rcvd_from.bda = bd_addr; 482 483 SMP_SecureConnectionOobDataReply((uint8_t*)&oob); 484 } 485 486 /****************************************************************************** 487 * 488 * Function BTM_BleSetConnScanParams 489 * 490 * Description Set scan parameter used in BLE connection request 491 * 492 * Parameters: scan_interval: scan interval 493 * scan_window: scan window 494 * 495 * Returns void 496 * 497 ******************************************************************************/ 498 void BTM_BleSetConnScanParams(uint32_t scan_interval, uint32_t scan_window) { 499 tBTM_BLE_CB* p_ble_cb = &btm_cb.ble_ctr_cb; 500 bool new_param = false; 501 502 if (BTM_BLE_ISVALID_PARAM(scan_interval, BTM_BLE_SCAN_INT_MIN, 503 BTM_BLE_SCAN_INT_MAX) && 504 BTM_BLE_ISVALID_PARAM(scan_window, BTM_BLE_SCAN_WIN_MIN, 505 BTM_BLE_SCAN_WIN_MAX)) { 506 if (p_ble_cb->scan_int != scan_interval) { 507 p_ble_cb->scan_int = scan_interval; 508 new_param = true; 509 } 510 511 if (p_ble_cb->scan_win != scan_window) { 512 p_ble_cb->scan_win = scan_window; 513 new_param = true; 514 } 515 516 if (new_param && p_ble_cb->conn_state == BLE_BG_CONN) { 517 btm_ble_suspend_bg_conn(); 518 } 519 } else { 520 BTM_TRACE_ERROR("Illegal Connection Scan Parameters"); 521 } 522 } 523 524 /******************************************************** 525 * 526 * Function BTM_BleSetPrefConnParams 527 * 528 * Description Set a peripheral's preferred connection parameters 529 * 530 * Parameters: bd_addr - BD address of the peripheral 531 * scan_interval: scan interval 532 * scan_window: scan window 533 * min_conn_int - minimum preferred connection interval 534 * max_conn_int - maximum preferred connection interval 535 * slave_latency - preferred slave latency 536 * supervision_tout - preferred supervision timeout 537 * 538 * Returns void 539 * 540 ******************************************************************************/ 541 void BTM_BleSetPrefConnParams(const RawAddress& bd_addr, uint16_t min_conn_int, 542 uint16_t max_conn_int, uint16_t slave_latency, 543 uint16_t supervision_tout) { 544 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr); 545 546 BTM_TRACE_API( 547 "BTM_BleSetPrefConnParams min: %u max: %u latency: %u \ 548 tout: %u", 549 min_conn_int, max_conn_int, slave_latency, supervision_tout); 550 551 if (BTM_BLE_ISVALID_PARAM(min_conn_int, BTM_BLE_CONN_INT_MIN, 552 BTM_BLE_CONN_INT_MAX) && 553 BTM_BLE_ISVALID_PARAM(max_conn_int, BTM_BLE_CONN_INT_MIN, 554 BTM_BLE_CONN_INT_MAX) && 555 BTM_BLE_ISVALID_PARAM(supervision_tout, BTM_BLE_CONN_SUP_TOUT_MIN, 556 BTM_BLE_CONN_SUP_TOUT_MAX) && 557 (slave_latency <= BTM_BLE_CONN_LATENCY_MAX || 558 slave_latency == BTM_BLE_CONN_PARAM_UNDEF)) { 559 if (p_dev_rec) { 560 /* expect conn int and stout and slave latency to be updated all together 561 */ 562 if (min_conn_int != BTM_BLE_CONN_PARAM_UNDEF || 563 max_conn_int != BTM_BLE_CONN_PARAM_UNDEF) { 564 if (min_conn_int != BTM_BLE_CONN_PARAM_UNDEF) 565 p_dev_rec->conn_params.min_conn_int = min_conn_int; 566 else 567 p_dev_rec->conn_params.min_conn_int = max_conn_int; 568 569 if (max_conn_int != BTM_BLE_CONN_PARAM_UNDEF) 570 p_dev_rec->conn_params.max_conn_int = max_conn_int; 571 else 572 p_dev_rec->conn_params.max_conn_int = min_conn_int; 573 574 if (slave_latency != BTM_BLE_CONN_PARAM_UNDEF) 575 p_dev_rec->conn_params.slave_latency = slave_latency; 576 else 577 p_dev_rec->conn_params.slave_latency = BTM_BLE_CONN_SLAVE_LATENCY_DEF; 578 579 if (supervision_tout != BTM_BLE_CONN_PARAM_UNDEF) 580 p_dev_rec->conn_params.supervision_tout = supervision_tout; 581 else 582 p_dev_rec->conn_params.supervision_tout = BTM_BLE_CONN_TIMEOUT_DEF; 583 } 584 585 } else { 586 BTM_TRACE_ERROR("Unknown Device, setting rejected"); 587 } 588 } else { 589 BTM_TRACE_ERROR("Illegal Connection Parameters"); 590 } 591 } 592 593 /******************************************************************************* 594 * 595 * Function BTM_ReadDevInfo 596 * 597 * Description This function is called to read the device/address type 598 * of BD address. 599 * 600 * Parameter remote_bda: remote device address 601 * p_dev_type: output parameter to read the device type. 602 * p_addr_type: output parameter to read the address type. 603 * 604 ******************************************************************************/ 605 void BTM_ReadDevInfo(const RawAddress& remote_bda, tBT_DEVICE_TYPE* p_dev_type, 606 tBLE_ADDR_TYPE* p_addr_type) { 607 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(remote_bda); 608 tBTM_INQ_INFO* p_inq_info = BTM_InqDbRead(remote_bda); 609 610 *p_addr_type = BLE_ADDR_PUBLIC; 611 612 if (!p_dev_rec) { 613 *p_dev_type = BT_DEVICE_TYPE_BREDR; 614 /* Check with the BT manager if details about remote device are known */ 615 if (p_inq_info != NULL) { 616 *p_dev_type = p_inq_info->results.device_type; 617 *p_addr_type = p_inq_info->results.ble_addr_type; 618 } else { 619 /* unknown device, assume BR/EDR */ 620 BTM_TRACE_DEBUG("btm_find_dev_type - unknown device, BR/EDR assumed"); 621 } 622 } else /* there is a security device record exisitng */ 623 { 624 /* new inquiry result, overwrite device type in security device record */ 625 if (p_inq_info) { 626 p_dev_rec->device_type = p_inq_info->results.device_type; 627 p_dev_rec->ble.ble_addr_type = p_inq_info->results.ble_addr_type; 628 } 629 if (p_dev_rec->bd_addr == remote_bda && 630 p_dev_rec->ble.pseudo_addr == remote_bda) { 631 *p_dev_type = p_dev_rec->device_type; 632 *p_addr_type = p_dev_rec->ble.ble_addr_type; 633 } else if (p_dev_rec->ble.pseudo_addr == remote_bda) { 634 *p_dev_type = BT_DEVICE_TYPE_BLE; 635 *p_addr_type = p_dev_rec->ble.ble_addr_type; 636 } else /* matching static adddress only */ 637 { 638 *p_dev_type = BT_DEVICE_TYPE_BREDR; 639 *p_addr_type = BLE_ADDR_PUBLIC; 640 } 641 } 642 643 BTM_TRACE_DEBUG("btm_find_dev_type - device_type = %d addr_type = %d", 644 *p_dev_type, *p_addr_type); 645 } 646 647 /******************************************************************************* 648 * 649 * Function BTM_ReadConnectedTransportAddress 650 * 651 * Description This function is called to read the paired device/address 652 * type of other device paired corresponding to the BD_address 653 * 654 * Parameter remote_bda: remote device address, carry out the transport 655 * address 656 * transport: active transport 657 * 658 * Return true if an active link is identified; false otherwise 659 * 660 ******************************************************************************/ 661 bool BTM_ReadConnectedTransportAddress(RawAddress* remote_bda, 662 tBT_TRANSPORT transport) { 663 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(*remote_bda); 664 665 /* if no device can be located, return */ 666 if (p_dev_rec == NULL) return false; 667 668 if (transport == BT_TRANSPORT_BR_EDR) { 669 if (btm_bda_to_acl(p_dev_rec->bd_addr, transport) != NULL) { 670 *remote_bda = p_dev_rec->bd_addr; 671 return true; 672 } else if (p_dev_rec->device_type & BT_DEVICE_TYPE_BREDR) { 673 *remote_bda = p_dev_rec->bd_addr; 674 } else 675 *remote_bda = RawAddress::kEmpty; 676 return false; 677 } 678 679 if (transport == BT_TRANSPORT_LE) { 680 *remote_bda = p_dev_rec->ble.pseudo_addr; 681 if (btm_bda_to_acl(p_dev_rec->ble.pseudo_addr, transport) != NULL) 682 return true; 683 else 684 return false; 685 } 686 687 return false; 688 } 689 690 /******************************************************************************* 691 * 692 * Function BTM_BleReceiverTest 693 * 694 * Description This function is called to start the LE Receiver test 695 * 696 * Parameter rx_freq - Frequency Range 697 * p_cmd_cmpl_cback - Command Complete callback 698 * 699 ******************************************************************************/ 700 void BTM_BleReceiverTest(uint8_t rx_freq, tBTM_CMPL_CB* p_cmd_cmpl_cback) { 701 btm_cb.devcb.p_le_test_cmd_cmpl_cb = p_cmd_cmpl_cback; 702 703 btsnd_hcic_ble_receiver_test(rx_freq); 704 } 705 706 /******************************************************************************* 707 * 708 * Function BTM_BleTransmitterTest 709 * 710 * Description This function is called to start the LE Transmitter test 711 * 712 * Parameter tx_freq - Frequency Range 713 * test_data_len - Length in bytes of payload data in each 714 * packet 715 * packet_payload - Pattern to use in the payload 716 * p_cmd_cmpl_cback - Command Complete callback 717 * 718 ******************************************************************************/ 719 void BTM_BleTransmitterTest(uint8_t tx_freq, uint8_t test_data_len, 720 uint8_t packet_payload, 721 tBTM_CMPL_CB* p_cmd_cmpl_cback) { 722 btm_cb.devcb.p_le_test_cmd_cmpl_cb = p_cmd_cmpl_cback; 723 btsnd_hcic_ble_transmitter_test(tx_freq, test_data_len, packet_payload); 724 } 725 726 /******************************************************************************* 727 * 728 * Function BTM_BleTestEnd 729 * 730 * Description This function is called to stop the in-progress TX or RX 731 * test 732 * 733 * Parameter p_cmd_cmpl_cback - Command complete callback 734 * 735 ******************************************************************************/ 736 void BTM_BleTestEnd(tBTM_CMPL_CB* p_cmd_cmpl_cback) { 737 btm_cb.devcb.p_le_test_cmd_cmpl_cb = p_cmd_cmpl_cback; 738 739 btsnd_hcic_ble_test_end(); 740 } 741 742 /******************************************************************************* 743 * Internal Functions 744 ******************************************************************************/ 745 void btm_ble_test_command_complete(uint8_t* p) { 746 tBTM_CMPL_CB* p_cb = btm_cb.devcb.p_le_test_cmd_cmpl_cb; 747 748 btm_cb.devcb.p_le_test_cmd_cmpl_cb = NULL; 749 750 if (p_cb) { 751 (*p_cb)(p); 752 } 753 } 754 755 /******************************************************************************* 756 * 757 * Function BTM_UseLeLink 758 * 759 * Description This function is to select the underlying physical link to 760 * use. 761 * 762 * Returns true to use LE, false use BR/EDR. 763 * 764 ******************************************************************************/ 765 bool BTM_UseLeLink(const RawAddress& bd_addr) { 766 tACL_CONN* p; 767 tBT_DEVICE_TYPE dev_type; 768 tBLE_ADDR_TYPE addr_type; 769 bool use_le = false; 770 771 p = btm_bda_to_acl(bd_addr, BT_TRANSPORT_BR_EDR); 772 if (p != NULL) { 773 return use_le; 774 } else { 775 p = btm_bda_to_acl(bd_addr, BT_TRANSPORT_LE); 776 if (p != NULL) { 777 use_le = true; 778 } else { 779 BTM_ReadDevInfo(bd_addr, &dev_type, &addr_type); 780 use_le = (dev_type == BT_DEVICE_TYPE_BLE); 781 } 782 } 783 return use_le; 784 } 785 786 /******************************************************************************* 787 * 788 * Function BTM_SetBleDataLength 789 * 790 * Description This function is to set maximum BLE transmission packet size 791 * 792 * Returns BTM_SUCCESS if success; otherwise failed. 793 * 794 ******************************************************************************/ 795 tBTM_STATUS BTM_SetBleDataLength(const RawAddress& bd_addr, 796 uint16_t tx_pdu_length) { 797 tACL_CONN* p_acl = btm_bda_to_acl(bd_addr, BT_TRANSPORT_LE); 798 799 if (p_acl == NULL) { 800 BTM_TRACE_ERROR("%s: Wrong mode: no LE link exist or LE not supported", 801 __func__); 802 return BTM_WRONG_MODE; 803 } 804 805 BTM_TRACE_DEBUG("%s: tx_pdu_length =%d", __func__, tx_pdu_length); 806 807 if (!controller_get_interface()->supports_ble_packet_extension()) { 808 BTM_TRACE_ERROR("%s failed, request not supported", __func__); 809 return BTM_ILLEGAL_VALUE; 810 } 811 812 if (!HCI_LE_DATA_LEN_EXT_SUPPORTED(p_acl->peer_le_features)) { 813 BTM_TRACE_ERROR("%s failed, peer does not support request", __func__); 814 return BTM_ILLEGAL_VALUE; 815 } 816 817 if (tx_pdu_length > BTM_BLE_DATA_SIZE_MAX) 818 tx_pdu_length = BTM_BLE_DATA_SIZE_MAX; 819 else if (tx_pdu_length < BTM_BLE_DATA_SIZE_MIN) 820 tx_pdu_length = BTM_BLE_DATA_SIZE_MIN; 821 822 /* always set the TxTime to be max, as controller does not care for now */ 823 btsnd_hcic_ble_set_data_length(p_acl->hci_handle, tx_pdu_length, 824 BTM_BLE_DATA_TX_TIME_MAX); 825 826 return BTM_SUCCESS; 827 } 828 829 void read_phy_cb( 830 base::Callback<void(uint8_t tx_phy, uint8_t rx_phy, uint8_t status)> cb, 831 uint8_t* data, uint16_t len) { 832 uint8_t status, tx_phy, rx_phy; 833 uint16_t handle; 834 835 LOG_ASSERT(len == 5) << "Received bad response length: " << len; 836 uint8_t* pp = data; 837 STREAM_TO_UINT8(status, pp); 838 STREAM_TO_UINT16(handle, pp); 839 handle = handle & 0x0FFF; 840 STREAM_TO_UINT8(tx_phy, pp); 841 STREAM_TO_UINT8(rx_phy, pp); 842 843 DVLOG(1) << __func__ << " Received read_phy_cb"; 844 cb.Run(tx_phy, rx_phy, status); 845 } 846 847 /******************************************************************************* 848 * 849 * Function BTM_BleReadPhy 850 * 851 * Description To read the current PHYs for specified LE connection 852 * 853 * 854 * Returns BTM_SUCCESS if command successfully sent to controller, 855 * BTM_MODE_UNSUPPORTED if local controller doesn't support LE 856 * 2M or LE Coded PHY, 857 * BTM_WRONG_MODE if Device in wrong mode for request. 858 * 859 ******************************************************************************/ 860 void BTM_BleReadPhy( 861 const RawAddress& bd_addr, 862 base::Callback<void(uint8_t tx_phy, uint8_t rx_phy, uint8_t status)> cb) { 863 BTM_TRACE_DEBUG("%s", __func__); 864 865 tACL_CONN* p_acl = btm_bda_to_acl(bd_addr, BT_TRANSPORT_LE); 866 867 if (p_acl == NULL) { 868 BTM_TRACE_ERROR("%s: Wrong mode: no LE link exist or LE not supported", 869 __func__); 870 cb.Run(0, 0, HCI_ERR_NO_CONNECTION); 871 return; 872 } 873 874 // checking if local controller supports it! 875 if (!controller_get_interface()->supports_ble_2m_phy() && 876 !controller_get_interface()->supports_ble_coded_phy()) { 877 BTM_TRACE_ERROR("%s failed, request not supported in local controller!", 878 __func__); 879 cb.Run(0, 0, GATT_REQ_NOT_SUPPORTED); 880 return; 881 } 882 883 uint16_t handle = p_acl->hci_handle; 884 885 const uint8_t len = HCIC_PARAM_SIZE_BLE_READ_PHY; 886 uint8_t data[len]; 887 uint8_t* pp = data; 888 UINT16_TO_STREAM(pp, handle); 889 btu_hcif_send_cmd_with_cb(FROM_HERE, HCI_BLE_READ_PHY, data, len, 890 base::Bind(&read_phy_cb, std::move(cb))); 891 return; 892 } 893 894 void doNothing(uint8_t* data, uint16_t len) {} 895 896 /******************************************************************************* 897 * 898 * Function BTM_BleSetDefaultPhy 899 * 900 * Description To set preferred PHY for ensuing LE connections 901 * 902 * 903 * Returns BTM_SUCCESS if command successfully sent to controller, 904 * BTM_MODE_UNSUPPORTED if local controller doesn't support LE 905 * 2M or LE Coded PHY 906 * 907 ******************************************************************************/ 908 tBTM_STATUS BTM_BleSetDefaultPhy(uint8_t all_phys, uint8_t tx_phys, 909 uint8_t rx_phys) { 910 BTM_TRACE_DEBUG("%s: all_phys = 0x%02x, tx_phys = 0x%02x, rx_phys = 0x%02x", 911 __func__, all_phys, tx_phys, rx_phys); 912 913 // checking if local controller supports it! 914 if (!controller_get_interface()->supports_ble_2m_phy() && 915 !controller_get_interface()->supports_ble_coded_phy()) { 916 BTM_TRACE_ERROR("%s failed, request not supported in local controller!", 917 __func__); 918 return BTM_MODE_UNSUPPORTED; 919 } 920 921 const uint8_t len = HCIC_PARAM_SIZE_BLE_SET_DEFAULT_PHY; 922 uint8_t data[len]; 923 uint8_t* pp = data; 924 UINT8_TO_STREAM(pp, all_phys); 925 UINT8_TO_STREAM(pp, tx_phys); 926 UINT8_TO_STREAM(pp, rx_phys); 927 btu_hcif_send_cmd_with_cb(FROM_HERE, HCI_BLE_SET_DEFAULT_PHY, data, len, 928 base::Bind(doNothing)); 929 return BTM_SUCCESS; 930 } 931 932 /******************************************************************************* 933 * 934 * Function BTM_BleSetPhy 935 * 936 * Description To set PHY preferences for specified LE connection 937 * 938 * 939 * Returns BTM_SUCCESS if command successfully sent to controller, 940 * BTM_MODE_UNSUPPORTED if local controller doesn't support LE 941 * 2M or LE Coded PHY, 942 * BTM_ILLEGAL_VALUE if specified remote doesn't support LE 2M 943 * or LE Coded PHY, 944 * BTM_WRONG_MODE if Device in wrong mode for request. 945 * 946 ******************************************************************************/ 947 void BTM_BleSetPhy(const RawAddress& bd_addr, uint8_t tx_phys, uint8_t rx_phys, 948 uint16_t phy_options) { 949 tACL_CONN* p_acl = btm_bda_to_acl(bd_addr, BT_TRANSPORT_LE); 950 951 if (p_acl == NULL) { 952 BTM_TRACE_ERROR("%s: Wrong mode: no LE link exist or LE not supported", 953 __func__); 954 return; 955 } 956 957 uint8_t all_phys = 0; 958 if (tx_phys == 0) all_phys &= 0x01; 959 if (rx_phys == 0) all_phys &= 0x02; 960 961 BTM_TRACE_DEBUG( 962 "%s: all_phys = 0x%02x, tx_phys = 0x%02x, rx_phys = 0x%02x, phy_options " 963 "= 0x%04x", 964 __func__, all_phys, tx_phys, rx_phys, phy_options); 965 966 uint16_t handle = p_acl->hci_handle; 967 968 // checking if local controller supports it! 969 if (!controller_get_interface()->supports_ble_2m_phy() && 970 !controller_get_interface()->supports_ble_coded_phy()) { 971 BTM_TRACE_ERROR("%s failed, request not supported in local controller!", 972 __func__); 973 gatt_notify_phy_updated(GATT_REQ_NOT_SUPPORTED, handle, tx_phys, rx_phys); 974 return; 975 } 976 977 if (!HCI_LE_2M_PHY_SUPPORTED(p_acl->peer_le_features) && 978 !HCI_LE_CODED_PHY_SUPPORTED(p_acl->peer_le_features)) { 979 BTM_TRACE_ERROR("%s failed, peer does not support request", __func__); 980 gatt_notify_phy_updated(GATT_REQ_NOT_SUPPORTED, handle, tx_phys, rx_phys); 981 return; 982 } 983 984 const uint8_t len = HCIC_PARAM_SIZE_BLE_SET_PHY; 985 uint8_t data[len]; 986 uint8_t* pp = data; 987 UINT16_TO_STREAM(pp, handle); 988 UINT8_TO_STREAM(pp, all_phys); 989 UINT8_TO_STREAM(pp, tx_phys); 990 UINT8_TO_STREAM(pp, rx_phys); 991 UINT16_TO_STREAM(pp, phy_options); 992 btu_hcif_send_cmd_with_cb(FROM_HERE, HCI_BLE_SET_PHY, data, len, 993 base::Bind(doNothing)); 994 } 995 996 /******************************************************************************* 997 * 998 * Function btm_ble_determine_security_act 999 * 1000 * Description This function checks the security of current LE link 1001 * and returns the appropriate action that needs to be 1002 * taken to achieve the required security. 1003 * 1004 * Parameter is_originator - True if outgoing connection 1005 * bdaddr: remote device address 1006 * security_required: Security required for the service. 1007 * 1008 * Returns The appropriate security action required. 1009 * 1010 ******************************************************************************/ 1011 tBTM_SEC_ACTION btm_ble_determine_security_act(bool is_originator, 1012 const RawAddress& bdaddr, 1013 uint16_t security_required) { 1014 tBTM_LE_AUTH_REQ auth_req = 0x00; 1015 1016 if (is_originator) { 1017 if ((security_required & BTM_SEC_OUT_FLAGS) == 0 && 1018 (security_required & BTM_SEC_OUT_MITM) == 0) { 1019 BTM_TRACE_DEBUG("%s No security required for outgoing connection", 1020 __func__); 1021 return BTM_SEC_OK; 1022 } 1023 1024 if (security_required & BTM_SEC_OUT_MITM) auth_req |= BTM_LE_AUTH_REQ_MITM; 1025 } else { 1026 if ((security_required & BTM_SEC_IN_FLAGS) == 0 && 1027 (security_required & BTM_SEC_IN_MITM) == 0) { 1028 BTM_TRACE_DEBUG("%s No security required for incoming connection", 1029 __func__); 1030 return BTM_SEC_OK; 1031 } 1032 1033 if (security_required & BTM_SEC_IN_MITM) auth_req |= BTM_LE_AUTH_REQ_MITM; 1034 } 1035 1036 tBTM_BLE_SEC_REQ_ACT ble_sec_act; 1037 btm_ble_link_sec_check(bdaddr, auth_req, &ble_sec_act); 1038 1039 BTM_TRACE_DEBUG("%s ble_sec_act %d", __func__, ble_sec_act); 1040 1041 if (ble_sec_act == BTM_BLE_SEC_REQ_ACT_DISCARD) return BTM_SEC_ENC_PENDING; 1042 1043 if (ble_sec_act == BTM_BLE_SEC_REQ_ACT_NONE) return BTM_SEC_OK; 1044 1045 uint8_t sec_flag = 0; 1046 BTM_GetSecurityFlagsByTransport(bdaddr, &sec_flag, BT_TRANSPORT_LE); 1047 1048 bool is_link_encrypted = false; 1049 bool is_key_mitm = false; 1050 if (sec_flag & (BTM_SEC_FLAG_ENCRYPTED | BTM_SEC_FLAG_LKEY_KNOWN)) { 1051 if (sec_flag & BTM_SEC_FLAG_ENCRYPTED) is_link_encrypted = true; 1052 1053 if (sec_flag & BTM_SEC_FLAG_LKEY_AUTHED) is_key_mitm = true; 1054 } 1055 1056 if (auth_req & BTM_LE_AUTH_REQ_MITM) { 1057 if (!is_key_mitm) { 1058 return BTM_SEC_ENCRYPT_MITM; 1059 } else { 1060 if (is_link_encrypted) 1061 return BTM_SEC_OK; 1062 else 1063 return BTM_SEC_ENCRYPT; 1064 } 1065 } else { 1066 if (is_link_encrypted) 1067 return BTM_SEC_OK; 1068 else 1069 return BTM_SEC_ENCRYPT_NO_MITM; 1070 } 1071 1072 return BTM_SEC_OK; 1073 } 1074 1075 /******************************************************************************* 1076 * 1077 * Function btm_ble_start_sec_check 1078 * 1079 * Description This function is to check and set the security required for 1080 * LE link for LE COC. 1081 * 1082 * Parameter bdaddr: remote device address. 1083 * psm : PSM of the LE COC sevice. 1084 * is_originator: true if outgoing connection. 1085 * p_callback : Pointer to the callback function. 1086 * p_ref_data : Pointer to be returned along with the callback. 1087 * 1088 * Returns true if link already meets the required security; otherwise 1089 * false. 1090 * 1091 ******************************************************************************/ 1092 bool btm_ble_start_sec_check(const RawAddress& bd_addr, uint16_t psm, 1093 bool is_originator, tBTM_SEC_CALLBACK* p_callback, 1094 void* p_ref_data) { 1095 /* Find the service record for the PSM */ 1096 tBTM_SEC_SERV_REC* p_serv_rec = btm_sec_find_first_serv(is_originator, psm); 1097 1098 /* If there is no application registered with this PSM do not allow connection 1099 */ 1100 if (!p_serv_rec) { 1101 BTM_TRACE_WARNING("%s PSM: %d no application registerd", __func__, psm); 1102 (*p_callback)(&bd_addr, BT_TRANSPORT_LE, p_ref_data, BTM_MODE_UNSUPPORTED); 1103 return false; 1104 } 1105 1106 tBTM_SEC_ACTION sec_act = btm_ble_determine_security_act( 1107 is_originator, bd_addr, p_serv_rec->security_flags); 1108 1109 tBTM_BLE_SEC_ACT ble_sec_act = BTM_BLE_SEC_NONE; 1110 bool status = false; 1111 1112 switch (sec_act) { 1113 case BTM_SEC_OK: 1114 BTM_TRACE_DEBUG("%s Security met", __func__); 1115 p_callback(&bd_addr, BT_TRANSPORT_LE, p_ref_data, BTM_SUCCESS); 1116 status = true; 1117 break; 1118 1119 case BTM_SEC_ENCRYPT: 1120 BTM_TRACE_DEBUG("%s Encryption needs to be done", __func__); 1121 ble_sec_act = BTM_BLE_SEC_ENCRYPT; 1122 break; 1123 1124 case BTM_SEC_ENCRYPT_MITM: 1125 BTM_TRACE_DEBUG("%s Pairing with MITM needs to be done", __func__); 1126 ble_sec_act = BTM_BLE_SEC_ENCRYPT_MITM; 1127 break; 1128 1129 case BTM_SEC_ENCRYPT_NO_MITM: 1130 BTM_TRACE_DEBUG("%s Pairing with No MITM needs to be done", __func__); 1131 ble_sec_act = BTM_BLE_SEC_ENCRYPT_NO_MITM; 1132 break; 1133 1134 case BTM_SEC_ENC_PENDING: 1135 BTM_TRACE_DEBUG("%s Ecryption pending", __func__); 1136 break; 1137 } 1138 1139 if (ble_sec_act == BTM_BLE_SEC_NONE) return status; 1140 1141 tL2C_LCB* p_lcb = l2cu_find_lcb_by_bd_addr(bd_addr, BT_TRANSPORT_LE); 1142 p_lcb->sec_act = sec_act; 1143 BTM_SetEncryption(bd_addr, BT_TRANSPORT_LE, p_callback, p_ref_data, 1144 ble_sec_act); 1145 1146 return false; 1147 } 1148 1149 /******************************************************************************* 1150 * 1151 * Function btm_ble_rand_enc_complete 1152 * 1153 * Description This function is the callback functions for HCI_Rand command 1154 * and HCI_Encrypt command is completed. 1155 * This message is received from the HCI. 1156 * 1157 * Returns void 1158 * 1159 ******************************************************************************/ 1160 void btm_ble_rand_enc_complete(uint8_t* p, uint16_t op_code, 1161 tBTM_RAND_ENC_CB* p_enc_cplt_cback) { 1162 tBTM_RAND_ENC params; 1163 uint8_t* p_dest = params.param_buf; 1164 1165 BTM_TRACE_DEBUG("btm_ble_rand_enc_complete"); 1166 1167 memset(¶ms, 0, sizeof(tBTM_RAND_ENC)); 1168 1169 /* If there was a callback address for vcs complete, call it */ 1170 if (p_enc_cplt_cback && p) { 1171 /* Pass paramters to the callback function */ 1172 STREAM_TO_UINT8(params.status, p); /* command status */ 1173 1174 if (params.status == HCI_SUCCESS) { 1175 params.opcode = op_code; 1176 1177 if (op_code == HCI_BLE_RAND) 1178 params.param_len = BT_OCTET8_LEN; 1179 else 1180 params.param_len = BT_OCTET16_LEN; 1181 1182 /* Fetch return info from HCI event message */ 1183 memcpy(p_dest, p, params.param_len); 1184 } 1185 if (p_enc_cplt_cback) /* Call the Encryption complete callback function */ 1186 (*p_enc_cplt_cback)(¶ms); 1187 } 1188 } 1189 1190 /******************************************************************************* 1191 * 1192 * Function btm_ble_get_enc_key_type 1193 * 1194 * Description This function is to increment local sign counter 1195 * Returns None 1196 * 1197 ******************************************************************************/ 1198 void btm_ble_increment_sign_ctr(const RawAddress& bd_addr, bool is_local) { 1199 tBTM_SEC_DEV_REC* p_dev_rec; 1200 1201 BTM_TRACE_DEBUG("btm_ble_increment_sign_ctr is_local=%d", is_local); 1202 1203 p_dev_rec = btm_find_dev(bd_addr); 1204 if (p_dev_rec != NULL) { 1205 if (is_local) 1206 p_dev_rec->ble.keys.local_counter++; 1207 else 1208 p_dev_rec->ble.keys.counter++; 1209 BTM_TRACE_DEBUG("is_local=%d local sign counter=%d peer sign counter=%d", 1210 is_local, p_dev_rec->ble.keys.local_counter, 1211 p_dev_rec->ble.keys.counter); 1212 } 1213 } 1214 1215 /******************************************************************************* 1216 * 1217 * Function btm_ble_get_enc_key_type 1218 * 1219 * Description This function is to get the BLE key type that has been 1220 * exchanged betweem the local device and the peer device. 1221 * 1222 * Returns p_key_type: output parameter to carry the key type value. 1223 * 1224 ******************************************************************************/ 1225 bool btm_ble_get_enc_key_type(const RawAddress& bd_addr, uint8_t* p_key_types) { 1226 tBTM_SEC_DEV_REC* p_dev_rec; 1227 1228 BTM_TRACE_DEBUG("btm_ble_get_enc_key_type"); 1229 1230 p_dev_rec = btm_find_dev(bd_addr); 1231 if (p_dev_rec != NULL) { 1232 *p_key_types = p_dev_rec->ble.key_type; 1233 return true; 1234 } 1235 return false; 1236 } 1237 1238 /******************************************************************************* 1239 * 1240 * Function btm_get_local_div 1241 * 1242 * Description This function is called to read the local DIV 1243 * 1244 * Returns TURE - if a valid DIV is availavle 1245 ******************************************************************************/ 1246 bool btm_get_local_div(const RawAddress& bd_addr, uint16_t* p_div) { 1247 tBTM_SEC_DEV_REC* p_dev_rec; 1248 bool status = false; 1249 VLOG(1) << __func__ << " bd_addr: " << bd_addr; 1250 1251 *p_div = 0; 1252 p_dev_rec = btm_find_dev(bd_addr); 1253 1254 if (p_dev_rec && p_dev_rec->ble.keys.div) { 1255 status = true; 1256 *p_div = p_dev_rec->ble.keys.div; 1257 } 1258 BTM_TRACE_DEBUG("btm_get_local_div status=%d (1-OK) DIV=0x%x", status, 1259 *p_div); 1260 return status; 1261 } 1262 1263 /******************************************************************************* 1264 * 1265 * Function btm_sec_save_le_key 1266 * 1267 * Description This function is called by the SMP to update 1268 * an BLE key. SMP is internal, whereas all the keys shall 1269 * be sent to the application. The function is also called 1270 * when application passes ble key stored in NVRAM to the 1271 * btm_sec. 1272 * pass_to_application parameter is false in this case. 1273 * 1274 * Returns void 1275 * 1276 ******************************************************************************/ 1277 void btm_sec_save_le_key(const RawAddress& bd_addr, tBTM_LE_KEY_TYPE key_type, 1278 tBTM_LE_KEY_VALUE* p_keys, bool pass_to_application) { 1279 tBTM_SEC_DEV_REC* p_rec; 1280 tBTM_LE_EVT_DATA cb_data; 1281 uint8_t i; 1282 1283 BTM_TRACE_DEBUG("btm_sec_save_le_key key_type=0x%x pass_to_application=%d", 1284 key_type, pass_to_application); 1285 /* Store the updated key in the device database */ 1286 1287 VLOG(1) << "bd_addr:" << bd_addr; 1288 1289 if ((p_rec = btm_find_dev(bd_addr)) != NULL && 1290 (p_keys || key_type == BTM_LE_KEY_LID)) { 1291 btm_ble_init_pseudo_addr(p_rec, bd_addr); 1292 1293 switch (key_type) { 1294 case BTM_LE_KEY_PENC: 1295 memcpy(p_rec->ble.keys.pltk, p_keys->penc_key.ltk, BT_OCTET16_LEN); 1296 memcpy(p_rec->ble.keys.rand, p_keys->penc_key.rand, BT_OCTET8_LEN); 1297 p_rec->ble.keys.sec_level = p_keys->penc_key.sec_level; 1298 p_rec->ble.keys.ediv = p_keys->penc_key.ediv; 1299 p_rec->ble.keys.key_size = p_keys->penc_key.key_size; 1300 p_rec->ble.key_type |= BTM_LE_KEY_PENC; 1301 p_rec->sec_flags |= BTM_SEC_LE_LINK_KEY_KNOWN; 1302 if (p_keys->penc_key.sec_level == SMP_SEC_AUTHENTICATED) 1303 p_rec->sec_flags |= BTM_SEC_LE_LINK_KEY_AUTHED; 1304 else 1305 p_rec->sec_flags &= ~BTM_SEC_LE_LINK_KEY_AUTHED; 1306 BTM_TRACE_DEBUG( 1307 "BTM_LE_KEY_PENC key_type=0x%x sec_flags=0x%x sec_leve=0x%x", 1308 p_rec->ble.key_type, p_rec->sec_flags, p_rec->ble.keys.sec_level); 1309 break; 1310 1311 case BTM_LE_KEY_PID: 1312 for (i = 0; i < BT_OCTET16_LEN; i++) { 1313 p_rec->ble.keys.irk[i] = p_keys->pid_key.irk[i]; 1314 } 1315 1316 // memcpy( p_rec->ble.keys.irk, p_keys->pid_key, BT_OCTET16_LEN); todo 1317 // will crash the system 1318 p_rec->ble.static_addr = p_keys->pid_key.static_addr; 1319 p_rec->ble.static_addr_type = p_keys->pid_key.addr_type; 1320 p_rec->ble.key_type |= BTM_LE_KEY_PID; 1321 BTM_TRACE_DEBUG( 1322 "%s: BTM_LE_KEY_PID key_type=0x%x save peer IRK, change bd_addr=%s " 1323 "to static_addr=%s", 1324 __func__, p_rec->ble.key_type, p_rec->bd_addr.ToString().c_str(), 1325 p_keys->pid_key.static_addr.ToString().c_str()); 1326 /* update device record address as static address */ 1327 p_rec->bd_addr = p_keys->pid_key.static_addr; 1328 /* combine DUMO device security record if needed */ 1329 btm_consolidate_dev(p_rec); 1330 break; 1331 1332 case BTM_LE_KEY_PCSRK: 1333 memcpy(p_rec->ble.keys.pcsrk, p_keys->pcsrk_key.csrk, BT_OCTET16_LEN); 1334 p_rec->ble.keys.srk_sec_level = p_keys->pcsrk_key.sec_level; 1335 p_rec->ble.keys.counter = p_keys->pcsrk_key.counter; 1336 p_rec->ble.key_type |= BTM_LE_KEY_PCSRK; 1337 p_rec->sec_flags |= BTM_SEC_LE_LINK_KEY_KNOWN; 1338 if (p_keys->pcsrk_key.sec_level == SMP_SEC_AUTHENTICATED) 1339 p_rec->sec_flags |= BTM_SEC_LE_LINK_KEY_AUTHED; 1340 else 1341 p_rec->sec_flags &= ~BTM_SEC_LE_LINK_KEY_AUTHED; 1342 1343 BTM_TRACE_DEBUG( 1344 "BTM_LE_KEY_PCSRK key_type=0x%x sec_flags=0x%x sec_level=0x%x " 1345 "peer_counter=%d", 1346 p_rec->ble.key_type, p_rec->sec_flags, 1347 p_rec->ble.keys.srk_sec_level, p_rec->ble.keys.counter); 1348 break; 1349 1350 case BTM_LE_KEY_LENC: 1351 memcpy(p_rec->ble.keys.lltk, p_keys->lenc_key.ltk, BT_OCTET16_LEN); 1352 p_rec->ble.keys.div = p_keys->lenc_key.div; /* update DIV */ 1353 p_rec->ble.keys.sec_level = p_keys->lenc_key.sec_level; 1354 p_rec->ble.keys.key_size = p_keys->lenc_key.key_size; 1355 p_rec->ble.key_type |= BTM_LE_KEY_LENC; 1356 1357 BTM_TRACE_DEBUG( 1358 "BTM_LE_KEY_LENC key_type=0x%x DIV=0x%x key_size=0x%x " 1359 "sec_level=0x%x", 1360 p_rec->ble.key_type, p_rec->ble.keys.div, p_rec->ble.keys.key_size, 1361 p_rec->ble.keys.sec_level); 1362 break; 1363 1364 case BTM_LE_KEY_LCSRK: /* local CSRK has been delivered */ 1365 memcpy(p_rec->ble.keys.lcsrk, p_keys->lcsrk_key.csrk, BT_OCTET16_LEN); 1366 p_rec->ble.keys.div = p_keys->lcsrk_key.div; /* update DIV */ 1367 p_rec->ble.keys.local_csrk_sec_level = p_keys->lcsrk_key.sec_level; 1368 p_rec->ble.keys.local_counter = p_keys->lcsrk_key.counter; 1369 p_rec->ble.key_type |= BTM_LE_KEY_LCSRK; 1370 BTM_TRACE_DEBUG( 1371 "BTM_LE_KEY_LCSRK key_type=0x%x DIV=0x%x scrk_sec_level=0x%x " 1372 "local_counter=%d", 1373 p_rec->ble.key_type, p_rec->ble.keys.div, 1374 p_rec->ble.keys.local_csrk_sec_level, 1375 p_rec->ble.keys.local_counter); 1376 break; 1377 1378 case BTM_LE_KEY_LID: 1379 p_rec->ble.key_type |= BTM_LE_KEY_LID; 1380 break; 1381 default: 1382 BTM_TRACE_WARNING("btm_sec_save_le_key (Bad key_type 0x%02x)", 1383 key_type); 1384 return; 1385 } 1386 1387 VLOG(1) << "BLE key type 0x" << loghex(key_type) 1388 << " updated for BDA: " << bd_addr << " (btm_sec_save_le_key)"; 1389 1390 /* Notify the application that one of the BLE keys has been updated 1391 If link key is in progress, it will get sent later.*/ 1392 if (pass_to_application && btm_cb.api.p_le_callback) { 1393 cb_data.key.p_key_value = p_keys; 1394 cb_data.key.key_type = key_type; 1395 1396 (*btm_cb.api.p_le_callback)(BTM_LE_KEY_EVT, bd_addr, &cb_data); 1397 } 1398 return; 1399 } 1400 1401 LOG(WARNING) << "BLE key type 0x" << loghex(key_type) 1402 << " called for Unknown BDA or type: " << bd_addr 1403 << "(btm_sec_save_le_key)"; 1404 1405 if (p_rec) { 1406 BTM_TRACE_DEBUG("sec_flags=0x%x", p_rec->sec_flags); 1407 } 1408 } 1409 1410 /******************************************************************************* 1411 * 1412 * Function btm_ble_update_sec_key_size 1413 * 1414 * Description update the current lin kencryption key size 1415 * 1416 * Returns void 1417 * 1418 ******************************************************************************/ 1419 void btm_ble_update_sec_key_size(const RawAddress& bd_addr, 1420 uint8_t enc_key_size) { 1421 tBTM_SEC_DEV_REC* p_rec; 1422 1423 BTM_TRACE_DEBUG("btm_ble_update_sec_key_size enc_key_size = %d", 1424 enc_key_size); 1425 1426 p_rec = btm_find_dev(bd_addr); 1427 if (p_rec != NULL) { 1428 p_rec->enc_key_size = enc_key_size; 1429 } 1430 } 1431 1432 /******************************************************************************* 1433 * 1434 * Function btm_ble_read_sec_key_size 1435 * 1436 * Description update the current lin kencryption key size 1437 * 1438 * Returns void 1439 * 1440 ******************************************************************************/ 1441 uint8_t btm_ble_read_sec_key_size(const RawAddress& bd_addr) { 1442 tBTM_SEC_DEV_REC* p_rec; 1443 1444 p_rec = btm_find_dev(bd_addr); 1445 if (p_rec != NULL) { 1446 return p_rec->enc_key_size; 1447 } else 1448 return 0; 1449 } 1450 1451 /******************************************************************************* 1452 * 1453 * Function btm_ble_link_sec_check 1454 * 1455 * Description Check BLE link security level match. 1456 * 1457 * Returns true: check is OK and the *p_sec_req_act contain the action 1458 * 1459 ******************************************************************************/ 1460 void btm_ble_link_sec_check(const RawAddress& bd_addr, 1461 tBTM_LE_AUTH_REQ auth_req, 1462 tBTM_BLE_SEC_REQ_ACT* p_sec_req_act) { 1463 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr); 1464 uint8_t req_sec_level = BTM_LE_SEC_NONE, cur_sec_level = BTM_LE_SEC_NONE; 1465 1466 BTM_TRACE_DEBUG("btm_ble_link_sec_check auth_req =0x%x", auth_req); 1467 1468 if (p_dev_rec == NULL) { 1469 BTM_TRACE_ERROR("btm_ble_link_sec_check received for unknown device"); 1470 return; 1471 } 1472 1473 if (p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING || 1474 p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING) { 1475 /* race condition: discard the security request while master is encrypting 1476 * the link */ 1477 *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_DISCARD; 1478 } else { 1479 req_sec_level = BTM_LE_SEC_UNAUTHENTICATE; 1480 if (auth_req & BTM_LE_AUTH_REQ_MITM) { 1481 req_sec_level = BTM_LE_SEC_AUTHENTICATED; 1482 } 1483 1484 BTM_TRACE_DEBUG("dev_rec sec_flags=0x%x", p_dev_rec->sec_flags); 1485 1486 /* currently encrpted */ 1487 if (p_dev_rec->sec_flags & BTM_SEC_LE_ENCRYPTED) { 1488 if (p_dev_rec->sec_flags & BTM_SEC_LE_AUTHENTICATED) 1489 cur_sec_level = BTM_LE_SEC_AUTHENTICATED; 1490 else 1491 cur_sec_level = BTM_LE_SEC_UNAUTHENTICATE; 1492 } else /* unencrypted link */ 1493 { 1494 /* if bonded, get the key security level */ 1495 if (p_dev_rec->ble.key_type & BTM_LE_KEY_PENC) 1496 cur_sec_level = p_dev_rec->ble.keys.sec_level; 1497 else 1498 cur_sec_level = BTM_LE_SEC_NONE; 1499 } 1500 1501 if (cur_sec_level >= req_sec_level) { 1502 /* To avoid re-encryption on an encrypted link for an equal condition 1503 * encryption */ 1504 *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_ENCRYPT; 1505 } else { 1506 /* start the pariring process to upgrade the keys*/ 1507 *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_PAIR; 1508 } 1509 } 1510 1511 BTM_TRACE_DEBUG("cur_sec_level=%d req_sec_level=%d sec_req_act=%d", 1512 cur_sec_level, req_sec_level, *p_sec_req_act); 1513 } 1514 1515 /******************************************************************************* 1516 * 1517 * Function btm_ble_set_encryption 1518 * 1519 * Description This function is called to ensure that LE connection is 1520 * encrypted. Should be called only on an open connection. 1521 * Typically only needed for connections that first want to 1522 * bring up unencrypted links, then later encrypt them. 1523 * 1524 * Returns void 1525 * the local device ER is copied into er 1526 * 1527 ******************************************************************************/ 1528 tBTM_STATUS btm_ble_set_encryption(const RawAddress& bd_addr, 1529 tBTM_BLE_SEC_ACT sec_act, 1530 uint8_t link_role) { 1531 tBTM_STATUS cmd = BTM_NO_RESOURCES; 1532 tBTM_SEC_DEV_REC* p_rec = btm_find_dev(bd_addr); 1533 tBTM_BLE_SEC_REQ_ACT sec_req_act; 1534 tBTM_LE_AUTH_REQ auth_req; 1535 1536 if (p_rec == NULL) { 1537 BTM_TRACE_WARNING( 1538 "btm_ble_set_encryption (NULL device record!! sec_act=0x%x", sec_act); 1539 return (BTM_WRONG_MODE); 1540 } 1541 1542 BTM_TRACE_DEBUG("btm_ble_set_encryption sec_act=0x%x role_master=%d", sec_act, 1543 p_rec->role_master); 1544 1545 if (sec_act == BTM_BLE_SEC_ENCRYPT_MITM) { 1546 p_rec->security_required |= BTM_SEC_IN_MITM; 1547 } 1548 1549 switch (sec_act) { 1550 case BTM_BLE_SEC_ENCRYPT: 1551 if (link_role == BTM_ROLE_MASTER) { 1552 /* start link layer encryption using the security info stored */ 1553 cmd = btm_ble_start_encrypt(bd_addr, false, NULL); 1554 break; 1555 } 1556 /* if salve role then fall through to call SMP_Pair below which will send a 1557 sec_request to request the master to encrypt the link */ 1558 case BTM_BLE_SEC_ENCRYPT_NO_MITM: 1559 case BTM_BLE_SEC_ENCRYPT_MITM: 1560 auth_req = (sec_act == BTM_BLE_SEC_ENCRYPT_NO_MITM) 1561 ? SMP_AUTH_BOND 1562 : (SMP_AUTH_BOND | SMP_AUTH_YN_BIT); 1563 btm_ble_link_sec_check(bd_addr, auth_req, &sec_req_act); 1564 if (sec_req_act == BTM_BLE_SEC_REQ_ACT_NONE || 1565 sec_req_act == BTM_BLE_SEC_REQ_ACT_DISCARD) { 1566 BTM_TRACE_DEBUG("%s, no action needed. Ignore", __func__); 1567 cmd = BTM_SUCCESS; 1568 break; 1569 } 1570 if (link_role == BTM_ROLE_MASTER) { 1571 if (sec_req_act == BTM_BLE_SEC_REQ_ACT_ENCRYPT) { 1572 cmd = btm_ble_start_encrypt(bd_addr, false, NULL); 1573 break; 1574 } 1575 } 1576 1577 if (SMP_Pair(bd_addr) == SMP_STARTED) { 1578 cmd = BTM_CMD_STARTED; 1579 p_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING; 1580 } 1581 break; 1582 1583 default: 1584 cmd = BTM_WRONG_MODE; 1585 break; 1586 } 1587 return cmd; 1588 } 1589 1590 /******************************************************************************* 1591 * 1592 * Function btm_ble_ltk_request 1593 * 1594 * Description This function is called when encryption request is received 1595 * on a slave device. 1596 * 1597 * 1598 * Returns void 1599 * 1600 ******************************************************************************/ 1601 void btm_ble_ltk_request(uint16_t handle, uint8_t rand[8], uint16_t ediv) { 1602 tBTM_CB* p_cb = &btm_cb; 1603 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(handle); 1604 BT_OCTET8 dummy_stk = {0}; 1605 1606 BTM_TRACE_DEBUG("btm_ble_ltk_request"); 1607 1608 p_cb->ediv = ediv; 1609 1610 memcpy(p_cb->enc_rand, rand, BT_OCTET8_LEN); 1611 1612 if (p_dev_rec != NULL) { 1613 if (!smp_proc_ltk_request(p_dev_rec->bd_addr)) 1614 btm_ble_ltk_request_reply(p_dev_rec->bd_addr, false, dummy_stk); 1615 } 1616 } 1617 1618 /******************************************************************************* 1619 * 1620 * Function btm_ble_start_encrypt 1621 * 1622 * Description This function is called to start LE encryption. 1623 * 1624 * 1625 * Returns BTM_SUCCESS if encryption was started successfully 1626 * 1627 ******************************************************************************/ 1628 tBTM_STATUS btm_ble_start_encrypt(const RawAddress& bda, bool use_stk, 1629 BT_OCTET16 stk) { 1630 tBTM_CB* p_cb = &btm_cb; 1631 tBTM_SEC_DEV_REC* p_rec = btm_find_dev(bda); 1632 BT_OCTET8 dummy_rand = {0}; 1633 1634 BTM_TRACE_DEBUG("btm_ble_start_encrypt"); 1635 1636 if (!p_rec) { 1637 BTM_TRACE_ERROR("Link is not active, can not encrypt!"); 1638 return BTM_WRONG_MODE; 1639 } 1640 1641 if (p_rec->sec_state == BTM_SEC_STATE_ENCRYPTING) { 1642 BTM_TRACE_WARNING("Link Encryption is active, Busy!"); 1643 return BTM_BUSY; 1644 } 1645 1646 p_cb->enc_handle = p_rec->ble_hci_handle; 1647 1648 if (use_stk) { 1649 btsnd_hcic_ble_start_enc(p_rec->ble_hci_handle, dummy_rand, 0, stk); 1650 } else if (p_rec->ble.key_type & BTM_LE_KEY_PENC) { 1651 btsnd_hcic_ble_start_enc(p_rec->ble_hci_handle, p_rec->ble.keys.rand, 1652 p_rec->ble.keys.ediv, p_rec->ble.keys.pltk); 1653 } else { 1654 BTM_TRACE_ERROR("No key available to encrypt the link"); 1655 return BTM_NO_RESOURCES; 1656 } 1657 1658 if (p_rec->sec_state == BTM_SEC_STATE_IDLE) 1659 p_rec->sec_state = BTM_SEC_STATE_ENCRYPTING; 1660 1661 return BTM_CMD_STARTED; 1662 } 1663 1664 /******************************************************************************* 1665 * 1666 * Function btm_ble_link_encrypted 1667 * 1668 * Description This function is called when LE link encrption status is 1669 * changed. 1670 * 1671 * Returns void 1672 * 1673 ******************************************************************************/ 1674 void btm_ble_link_encrypted(const RawAddress& bd_addr, uint8_t encr_enable) { 1675 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr); 1676 bool enc_cback; 1677 1678 if (!p_dev_rec) { 1679 BTM_TRACE_WARNING( 1680 "btm_ble_link_encrypted (No Device Found!) encr_enable=%d", 1681 encr_enable); 1682 return; 1683 } 1684 1685 BTM_TRACE_DEBUG("btm_ble_link_encrypted encr_enable=%d", encr_enable); 1686 1687 enc_cback = (p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING); 1688 1689 smp_link_encrypted(bd_addr, encr_enable); 1690 1691 BTM_TRACE_DEBUG(" p_dev_rec->sec_flags=0x%x", p_dev_rec->sec_flags); 1692 1693 if (encr_enable && p_dev_rec->enc_key_size == 0) 1694 p_dev_rec->enc_key_size = p_dev_rec->ble.keys.key_size; 1695 1696 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE; 1697 if (p_dev_rec->p_callback && enc_cback) { 1698 if (encr_enable) 1699 btm_sec_dev_rec_cback_event(p_dev_rec, BTM_SUCCESS, true); 1700 else if (p_dev_rec->role_master) 1701 btm_sec_dev_rec_cback_event(p_dev_rec, BTM_ERR_PROCESSING, true); 1702 } 1703 /* to notify GATT to send data if any request is pending */ 1704 gatt_notify_enc_cmpl(p_dev_rec->ble.pseudo_addr); 1705 } 1706 1707 /******************************************************************************* 1708 * 1709 * Function btm_ble_ltk_request_reply 1710 * 1711 * Description This function is called to send a LTK request reply on a 1712 * slave 1713 * device. 1714 * 1715 * Returns void 1716 * 1717 ******************************************************************************/ 1718 void btm_ble_ltk_request_reply(const RawAddress& bda, bool use_stk, 1719 BT_OCTET16 stk) { 1720 tBTM_SEC_DEV_REC* p_rec = btm_find_dev(bda); 1721 tBTM_CB* p_cb = &btm_cb; 1722 1723 if (p_rec == NULL) { 1724 BTM_TRACE_ERROR("btm_ble_ltk_request_reply received for unknown device"); 1725 return; 1726 } 1727 1728 BTM_TRACE_DEBUG("btm_ble_ltk_request_reply"); 1729 p_cb->enc_handle = p_rec->ble_hci_handle; 1730 p_cb->key_size = p_rec->ble.keys.key_size; 1731 1732 BTM_TRACE_ERROR("key size = %d", p_rec->ble.keys.key_size); 1733 if (use_stk) { 1734 btsnd_hcic_ble_ltk_req_reply(btm_cb.enc_handle, stk); 1735 } else /* calculate LTK using peer device */ 1736 { 1737 if (p_rec->ble.key_type & BTM_LE_KEY_LENC) 1738 btsnd_hcic_ble_ltk_req_reply(btm_cb.enc_handle, p_rec->ble.keys.lltk); 1739 else 1740 btsnd_hcic_ble_ltk_req_neg_reply(btm_cb.enc_handle); 1741 } 1742 } 1743 1744 /******************************************************************************* 1745 * 1746 * Function btm_ble_io_capabilities_req 1747 * 1748 * Description This function is called to handle SMP get IO capability 1749 * request. 1750 * 1751 * Returns void 1752 * 1753 ******************************************************************************/ 1754 uint8_t btm_ble_io_capabilities_req(tBTM_SEC_DEV_REC* p_dev_rec, 1755 tBTM_LE_IO_REQ* p_data) { 1756 uint8_t callback_rc = BTM_SUCCESS; 1757 BTM_TRACE_DEBUG("btm_ble_io_capabilities_req"); 1758 if (btm_cb.api.p_le_callback) { 1759 /* the callback function implementation may change the IO capability... */ 1760 callback_rc = (*btm_cb.api.p_le_callback)( 1761 BTM_LE_IO_REQ_EVT, p_dev_rec->bd_addr, (tBTM_LE_EVT_DATA*)p_data); 1762 } 1763 if ((callback_rc == BTM_SUCCESS) || (BTM_OOB_UNKNOWN != p_data->oob_data)) { 1764 #if (BTM_BLE_CONFORMANCE_TESTING == TRUE) 1765 if (btm_cb.devcb.keep_rfu_in_auth_req) { 1766 BTM_TRACE_DEBUG("btm_ble_io_capabilities_req keep_rfu_in_auth_req = %u", 1767 btm_cb.devcb.keep_rfu_in_auth_req); 1768 p_data->auth_req &= BTM_LE_AUTH_REQ_MASK_KEEP_RFU; 1769 btm_cb.devcb.keep_rfu_in_auth_req = false; 1770 } else { /* default */ 1771 p_data->auth_req &= BTM_LE_AUTH_REQ_MASK; 1772 } 1773 #else 1774 p_data->auth_req &= BTM_LE_AUTH_REQ_MASK; 1775 #endif 1776 1777 BTM_TRACE_DEBUG( 1778 "btm_ble_io_capabilities_req 1: p_dev_rec->security_required = %d " 1779 "auth_req:%d", 1780 p_dev_rec->security_required, p_data->auth_req); 1781 BTM_TRACE_DEBUG( 1782 "btm_ble_io_capabilities_req 2: i_keys=0x%x r_keys=0x%x (bit 0-LTK " 1783 "1-IRK 2-CSRK)", 1784 p_data->init_keys, p_data->resp_keys); 1785 1786 /* if authentication requires MITM protection, put on the mask */ 1787 if (p_dev_rec->security_required & BTM_SEC_IN_MITM) 1788 p_data->auth_req |= BTM_LE_AUTH_REQ_MITM; 1789 1790 if (!(p_data->auth_req & SMP_AUTH_BOND)) { 1791 BTM_TRACE_DEBUG("Non bonding: No keys should be exchanged"); 1792 p_data->init_keys = 0; 1793 p_data->resp_keys = 0; 1794 } 1795 1796 BTM_TRACE_DEBUG("btm_ble_io_capabilities_req 3: auth_req:%d", 1797 p_data->auth_req); 1798 BTM_TRACE_DEBUG("btm_ble_io_capabilities_req 4: i_keys=0x%x r_keys=0x%x", 1799 p_data->init_keys, p_data->resp_keys); 1800 1801 BTM_TRACE_DEBUG( 1802 "btm_ble_io_capabilities_req 5: p_data->io_cap = %d auth_req:%d", 1803 p_data->io_cap, p_data->auth_req); 1804 1805 /* remove MITM protection requirement if IO cap does not allow it */ 1806 if ((p_data->io_cap == BTM_IO_CAP_NONE) && p_data->oob_data == SMP_OOB_NONE) 1807 p_data->auth_req &= ~BTM_LE_AUTH_REQ_MITM; 1808 1809 if (!(p_data->auth_req & SMP_SC_SUPPORT_BIT)) { 1810 /* if Secure Connections are not supported then remove LK derivation, 1811 ** and keypress notifications. 1812 */ 1813 BTM_TRACE_DEBUG( 1814 "%s-SC not supported -> No LK derivation, no keypress notifications", 1815 __func__); 1816 p_data->auth_req &= ~SMP_KP_SUPPORT_BIT; 1817 p_data->init_keys &= ~SMP_SEC_KEY_TYPE_LK; 1818 p_data->resp_keys &= ~SMP_SEC_KEY_TYPE_LK; 1819 } 1820 1821 BTM_TRACE_DEBUG( 1822 "btm_ble_io_capabilities_req 6: IO_CAP:%d oob_data:%d auth_req:0x%02x", 1823 p_data->io_cap, p_data->oob_data, p_data->auth_req); 1824 } 1825 return callback_rc; 1826 } 1827 1828 /******************************************************************************* 1829 * 1830 * Function btm_ble_br_keys_req 1831 * 1832 * Description This function is called to handle SMP request for keys sent 1833 * over BR/EDR. 1834 * 1835 * Returns void 1836 * 1837 ******************************************************************************/ 1838 uint8_t btm_ble_br_keys_req(tBTM_SEC_DEV_REC* p_dev_rec, 1839 tBTM_LE_IO_REQ* p_data) { 1840 uint8_t callback_rc = BTM_SUCCESS; 1841 BTM_TRACE_DEBUG("%s", __func__); 1842 if (btm_cb.api.p_le_callback) { 1843 /* the callback function implementation may change the IO capability... */ 1844 callback_rc = (*btm_cb.api.p_le_callback)( 1845 BTM_LE_IO_REQ_EVT, p_dev_rec->bd_addr, (tBTM_LE_EVT_DATA*)p_data); 1846 } 1847 1848 return callback_rc; 1849 } 1850 1851 /******************************************************************************* 1852 * 1853 * Function btm_ble_connected 1854 * 1855 * Description This function is when a LE connection to the peer device is 1856 * establsihed 1857 * 1858 * Returns void 1859 * 1860 ******************************************************************************/ 1861 void btm_ble_connected(const RawAddress& bda, uint16_t handle, uint8_t enc_mode, 1862 uint8_t role, tBLE_ADDR_TYPE addr_type, 1863 UNUSED_ATTR bool addr_matched) { 1864 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bda); 1865 tBTM_BLE_CB* p_cb = &btm_cb.ble_ctr_cb; 1866 1867 BTM_TRACE_EVENT("btm_ble_connected"); 1868 1869 /* Commenting out trace due to obf/compilation problems. 1870 */ 1871 if (p_dev_rec) { 1872 VLOG(1) << __func__ << " Security Manager: handle:" << handle 1873 << " enc_mode:" << loghex(enc_mode) << " bda: " << bda 1874 << " RName: " << p_dev_rec->sec_bd_name 1875 << " p_dev_rec:" << p_dev_rec; 1876 1877 BTM_TRACE_DEBUG("btm_ble_connected sec_flags=0x%x", p_dev_rec->sec_flags); 1878 } else { 1879 VLOG(1) << __func__ << " Security Manager: handle:" << handle 1880 << " enc_mode:" << loghex(enc_mode) << " bda: " << bda 1881 << " p_dev_rec:" << p_dev_rec; 1882 } 1883 1884 if (!p_dev_rec) { 1885 /* There is no device record for new connection. Allocate one */ 1886 p_dev_rec = btm_sec_alloc_dev(bda); 1887 if (p_dev_rec == NULL) return; 1888 } else /* Update the timestamp for this device */ 1889 { 1890 p_dev_rec->timestamp = btm_cb.dev_rec_count++; 1891 } 1892 1893 /* update device information */ 1894 p_dev_rec->device_type |= BT_DEVICE_TYPE_BLE; 1895 p_dev_rec->ble_hci_handle = handle; 1896 p_dev_rec->ble.ble_addr_type = addr_type; 1897 /* update pseudo address */ 1898 p_dev_rec->ble.pseudo_addr = bda; 1899 1900 p_dev_rec->role_master = false; 1901 if (role == HCI_ROLE_MASTER) p_dev_rec->role_master = true; 1902 1903 #if (BLE_PRIVACY_SPT == TRUE) 1904 if (!addr_matched) p_dev_rec->ble.active_addr_type = BTM_BLE_ADDR_PSEUDO; 1905 1906 if (p_dev_rec->ble.ble_addr_type == BLE_ADDR_RANDOM && !addr_matched) 1907 p_dev_rec->ble.cur_rand_addr = bda; 1908 #endif 1909 1910 p_cb->inq_var.directed_conn = BTM_BLE_CONNECT_EVT; 1911 1912 return; 1913 } 1914 1915 /***************************************************************************** 1916 * Function btm_ble_conn_complete 1917 * 1918 * Description LE connection complete. 1919 * 1920 *****************************************************************************/ 1921 void btm_ble_conn_complete(uint8_t* p, UNUSED_ATTR uint16_t evt_len, 1922 bool enhanced) { 1923 #if (BLE_PRIVACY_SPT == TRUE) 1924 uint8_t peer_addr_type; 1925 #endif 1926 RawAddress local_rpa, peer_rpa; 1927 uint8_t role, status, bda_type; 1928 uint16_t handle; 1929 RawAddress bda; 1930 uint16_t conn_interval, conn_latency, conn_timeout; 1931 bool match = false; 1932 1933 STREAM_TO_UINT8(status, p); 1934 STREAM_TO_UINT16(handle, p); 1935 STREAM_TO_UINT8(role, p); 1936 STREAM_TO_UINT8(bda_type, p); 1937 STREAM_TO_BDADDR(bda, p); 1938 1939 if (status == 0) { 1940 if (enhanced) { 1941 STREAM_TO_BDADDR(local_rpa, p); 1942 STREAM_TO_BDADDR(peer_rpa, p); 1943 } 1944 1945 STREAM_TO_UINT16(conn_interval, p); 1946 STREAM_TO_UINT16(conn_latency, p); 1947 STREAM_TO_UINT16(conn_timeout, p); 1948 handle = HCID_GET_HANDLE(handle); 1949 1950 #if (BLE_PRIVACY_SPT == TRUE) 1951 peer_addr_type = bda_type; 1952 match = btm_identity_addr_to_random_pseudo(&bda, &bda_type, true); 1953 1954 /* possiblly receive connection complete with resolvable random while 1955 the device has been paired */ 1956 if (!match && BTM_BLE_IS_RESOLVE_BDA(bda)) { 1957 tBTM_SEC_DEV_REC* match_rec = btm_ble_resolve_random_addr(bda); 1958 if (match_rec) { 1959 LOG_INFO(LOG_TAG, "%s matched and resolved random address", __func__); 1960 match = true; 1961 match_rec->ble.active_addr_type = BTM_BLE_ADDR_RRA; 1962 match_rec->ble.cur_rand_addr = bda; 1963 if (!btm_ble_init_pseudo_addr(match_rec, bda)) { 1964 /* assign the original address to be the current report address */ 1965 bda = match_rec->ble.pseudo_addr; 1966 } else { 1967 bda = match_rec->bd_addr; 1968 } 1969 } else { 1970 LOG_INFO(LOG_TAG, "%s unable to match and resolve random address", 1971 __func__); 1972 } 1973 } 1974 #endif 1975 1976 btm_ble_connected(bda, handle, HCI_ENCRYPT_MODE_DISABLED, role, bda_type, 1977 match); 1978 1979 l2cble_conn_comp(handle, role, bda, bda_type, conn_interval, conn_latency, 1980 conn_timeout); 1981 1982 #if (BLE_PRIVACY_SPT == TRUE) 1983 if (enhanced) { 1984 btm_ble_refresh_local_resolvable_private_addr(bda, local_rpa); 1985 1986 if (peer_addr_type & BLE_ADDR_TYPE_ID_BIT) 1987 btm_ble_refresh_peer_resolvable_private_addr(bda, peer_rpa, 1988 BLE_ADDR_RANDOM); 1989 } 1990 #endif 1991 } else { 1992 role = HCI_ROLE_UNKNOWN; 1993 if (status != HCI_ERR_ADVERTISING_TIMEOUT) { 1994 btm_ble_set_conn_st(BLE_CONN_IDLE); 1995 #if (BLE_PRIVACY_SPT == TRUE) 1996 btm_ble_disable_resolving_list(BTM_BLE_RL_INIT, true); 1997 #endif 1998 } else { 1999 #if (BLE_PRIVACY_SPT == TRUE) 2000 btm_cb.ble_ctr_cb.inq_var.adv_mode = BTM_BLE_ADV_DISABLE; 2001 btm_ble_disable_resolving_list(BTM_BLE_RL_ADV, true); 2002 #endif 2003 } 2004 } 2005 2006 btm_ble_update_mode_operation(role, &bda, status); 2007 2008 if (role == HCI_ROLE_SLAVE) 2009 btm_ble_advertiser_notify_terminated_legacy(status, handle); 2010 } 2011 2012 /***************************************************************************** 2013 * Function btm_ble_create_ll_conn_complete 2014 * 2015 * Description LE connection complete. 2016 * 2017 *****************************************************************************/ 2018 void btm_ble_create_ll_conn_complete(uint8_t status) { 2019 if (status == HCI_SUCCESS) return; 2020 2021 btm_ble_set_conn_st(BLE_CONN_IDLE); 2022 btm_ble_update_mode_operation(HCI_ROLE_UNKNOWN, NULL, status); 2023 2024 LOG(WARNING) << "LE Create Connection attempt failed, status=" 2025 << loghex(status); 2026 2027 if (status == HCI_ERR_COMMAND_DISALLOWED) { 2028 /* There is already either direct connect, or whitelist connection 2029 * pending, but we don't know which one, or to which state should we 2030 * transition now. This can be triggered only in case of rare race 2031 * condition. Crash to recover. */ 2032 LOG(FATAL) << "LE Create Connection - command disallowed"; 2033 } 2034 } 2035 /***************************************************************************** 2036 * Function btm_proc_smp_cback 2037 * 2038 * Description This function is the SMP callback handler. 2039 * 2040 *****************************************************************************/ 2041 uint8_t btm_proc_smp_cback(tSMP_EVT event, const RawAddress& bd_addr, 2042 tSMP_EVT_DATA* p_data) { 2043 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr); 2044 uint8_t res = 0; 2045 2046 BTM_TRACE_DEBUG("btm_proc_smp_cback event = %d", event); 2047 2048 if (p_dev_rec != NULL) { 2049 switch (event) { 2050 case SMP_IO_CAP_REQ_EVT: 2051 btm_ble_io_capabilities_req(p_dev_rec, 2052 (tBTM_LE_IO_REQ*)&p_data->io_req); 2053 break; 2054 2055 case SMP_BR_KEYS_REQ_EVT: 2056 btm_ble_br_keys_req(p_dev_rec, (tBTM_LE_IO_REQ*)&p_data->io_req); 2057 break; 2058 2059 case SMP_PASSKEY_REQ_EVT: 2060 case SMP_PASSKEY_NOTIF_EVT: 2061 case SMP_OOB_REQ_EVT: 2062 case SMP_NC_REQ_EVT: 2063 case SMP_SC_OOB_REQ_EVT: 2064 /* fall through */ 2065 p_dev_rec->sec_flags |= BTM_SEC_LE_AUTHENTICATED; 2066 2067 case SMP_SEC_REQUEST_EVT: 2068 if (event == SMP_SEC_REQUEST_EVT && 2069 btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) { 2070 BTM_TRACE_DEBUG("%s: Ignoring SMP Security request", __func__); 2071 break; 2072 } 2073 btm_cb.pairing_bda = bd_addr; 2074 p_dev_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING; 2075 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_LE_ACTIVE; 2076 /* fall through */ 2077 2078 case SMP_COMPLT_EVT: 2079 if (btm_cb.api.p_le_callback) { 2080 /* the callback function implementation may change the IO 2081 * capability... */ 2082 BTM_TRACE_DEBUG("btm_cb.api.p_le_callback=0x%x", 2083 btm_cb.api.p_le_callback); 2084 (*btm_cb.api.p_le_callback)(event, bd_addr, 2085 (tBTM_LE_EVT_DATA*)p_data); 2086 } 2087 2088 if (event == SMP_COMPLT_EVT) { 2089 BTM_TRACE_DEBUG( 2090 "evt=SMP_COMPLT_EVT before update sec_level=0x%x sec_flags=0x%x", 2091 p_data->cmplt.sec_level, p_dev_rec->sec_flags); 2092 2093 res = (p_data->cmplt.reason == SMP_SUCCESS) ? BTM_SUCCESS 2094 : BTM_ERR_PROCESSING; 2095 2096 BTM_TRACE_DEBUG( 2097 "after update result=%d sec_level=0x%x sec_flags=0x%x", res, 2098 p_data->cmplt.sec_level, p_dev_rec->sec_flags); 2099 2100 if (p_data->cmplt.is_pair_cancel && 2101 btm_cb.api.p_bond_cancel_cmpl_callback) { 2102 BTM_TRACE_DEBUG("Pairing Cancel completed"); 2103 (*btm_cb.api.p_bond_cancel_cmpl_callback)(BTM_SUCCESS); 2104 } 2105 #if (BTM_BLE_CONFORMANCE_TESTING == TRUE) 2106 if (res != BTM_SUCCESS) { 2107 if (!btm_cb.devcb.no_disc_if_pair_fail && 2108 p_data->cmplt.reason != SMP_CONN_TOUT) { 2109 BTM_TRACE_DEBUG("Pairing failed - prepare to remove ACL"); 2110 l2cu_start_post_bond_timer(p_dev_rec->ble_hci_handle); 2111 } else { 2112 BTM_TRACE_DEBUG("Pairing failed - Not Removing ACL"); 2113 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE; 2114 } 2115 } 2116 #else 2117 if (res != BTM_SUCCESS && p_data->cmplt.reason != SMP_CONN_TOUT) { 2118 BTM_TRACE_DEBUG("Pairing failed - prepare to remove ACL"); 2119 l2cu_start_post_bond_timer(p_dev_rec->ble_hci_handle); 2120 } 2121 #endif 2122 2123 BTM_TRACE_DEBUG( 2124 "btm_cb pairing_state=%x pairing_flags=%x pin_code_len=%x", 2125 btm_cb.pairing_state, btm_cb.pairing_flags, btm_cb.pin_code_len); 2126 VLOG(1) << "btm_cb.pairing_bda: " << btm_cb.pairing_bda; 2127 2128 /* Reset btm state only if the callback address matches pairing 2129 * address*/ 2130 if (bd_addr == btm_cb.pairing_bda) { 2131 btm_cb.pairing_bda = RawAddress::kAny; 2132 btm_cb.pairing_state = BTM_PAIR_STATE_IDLE; 2133 btm_cb.pairing_flags = 0; 2134 } 2135 2136 if (res == BTM_SUCCESS) { 2137 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE; 2138 #if (BLE_PRIVACY_SPT == TRUE) 2139 /* add all bonded device into resolving list if IRK is available*/ 2140 btm_ble_resolving_list_load_dev(p_dev_rec); 2141 #endif 2142 } 2143 2144 btm_sec_dev_rec_cback_event(p_dev_rec, res, true); 2145 } 2146 break; 2147 2148 default: 2149 BTM_TRACE_DEBUG("unknown event = %d", event); 2150 break; 2151 } 2152 } else { 2153 BTM_TRACE_ERROR("btm_proc_smp_cback received for unknown device"); 2154 } 2155 2156 return 0; 2157 } 2158 2159 /******************************************************************************* 2160 * 2161 * Function BTM_BleDataSignature 2162 * 2163 * Description This function is called to sign the data using AES128 CMAC 2164 * algorith. 2165 * 2166 * Parameter bd_addr: target device the data to be signed for. 2167 * p_text: singing data 2168 * len: length of the data to be signed. 2169 * signature: output parameter where data signature is going to 2170 * be stored. 2171 * 2172 * Returns true if signing sucessul, otherwise false. 2173 * 2174 ******************************************************************************/ 2175 bool BTM_BleDataSignature(const RawAddress& bd_addr, uint8_t* p_text, 2176 uint16_t len, BLE_SIGNATURE signature) { 2177 tBTM_SEC_DEV_REC* p_rec = btm_find_dev(bd_addr); 2178 2179 BTM_TRACE_DEBUG("%s", __func__); 2180 bool ret = false; 2181 if (p_rec == NULL) { 2182 BTM_TRACE_ERROR("%s-data signing can not be done from unknown device", 2183 __func__); 2184 } else { 2185 uint8_t* p_mac = (uint8_t*)signature; 2186 uint8_t* pp; 2187 uint8_t* p_buf = (uint8_t*)osi_malloc(len + 4); 2188 2189 BTM_TRACE_DEBUG("%s-Start to generate Local CSRK", __func__); 2190 pp = p_buf; 2191 /* prepare plain text */ 2192 if (p_text) { 2193 memcpy(p_buf, p_text, len); 2194 pp = (p_buf + len); 2195 } 2196 2197 UINT32_TO_STREAM(pp, p_rec->ble.keys.local_counter); 2198 UINT32_TO_STREAM(p_mac, p_rec->ble.keys.local_counter); 2199 2200 ret = aes_cipher_msg_auth_code(p_rec->ble.keys.lcsrk, p_buf, 2201 (uint16_t)(len + 4), BTM_CMAC_TLEN_SIZE, 2202 p_mac); 2203 if (ret) { 2204 btm_ble_increment_sign_ctr(bd_addr, true); 2205 } 2206 2207 BTM_TRACE_DEBUG("%s p_mac = %d", __func__, p_mac); 2208 BTM_TRACE_DEBUG( 2209 "p_mac[0] = 0x%02x p_mac[1] = 0x%02x p_mac[2] = 0x%02x p_mac[3] = " 2210 "0x%02x", 2211 *p_mac, *(p_mac + 1), *(p_mac + 2), *(p_mac + 3)); 2212 BTM_TRACE_DEBUG( 2213 "p_mac[4] = 0x%02x p_mac[5] = 0x%02x p_mac[6] = 0x%02x p_mac[7] = " 2214 "0x%02x", 2215 *(p_mac + 4), *(p_mac + 5), *(p_mac + 6), *(p_mac + 7)); 2216 osi_free(p_buf); 2217 } 2218 return ret; 2219 } 2220 2221 /******************************************************************************* 2222 * 2223 * Function BTM_BleVerifySignature 2224 * 2225 * Description This function is called to verify the data signature 2226 * 2227 * Parameter bd_addr: target device the data to be signed for. 2228 * p_orig: original data before signature. 2229 * len: length of the signing data 2230 * counter: counter used when doing data signing 2231 * p_comp: signature to be compared against. 2232 2233 * Returns true if signature verified correctly; otherwise false. 2234 * 2235 ******************************************************************************/ 2236 bool BTM_BleVerifySignature(const RawAddress& bd_addr, uint8_t* p_orig, 2237 uint16_t len, uint32_t counter, uint8_t* p_comp) { 2238 bool verified = false; 2239 tBTM_SEC_DEV_REC* p_rec = btm_find_dev(bd_addr); 2240 uint8_t p_mac[BTM_CMAC_TLEN_SIZE]; 2241 2242 if (p_rec == NULL || (p_rec && !(p_rec->ble.key_type & BTM_LE_KEY_PCSRK))) { 2243 BTM_TRACE_ERROR("can not verify signature for unknown device"); 2244 } else if (counter < p_rec->ble.keys.counter) { 2245 BTM_TRACE_ERROR("signature received with out dated sign counter"); 2246 } else if (p_orig == NULL) { 2247 BTM_TRACE_ERROR("No signature to verify"); 2248 } else { 2249 BTM_TRACE_DEBUG("%s rcv_cnt=%d >= expected_cnt=%d", __func__, counter, 2250 p_rec->ble.keys.counter); 2251 2252 if (aes_cipher_msg_auth_code(p_rec->ble.keys.pcsrk, p_orig, len, 2253 BTM_CMAC_TLEN_SIZE, p_mac)) { 2254 if (memcmp(p_mac, p_comp, BTM_CMAC_TLEN_SIZE) == 0) { 2255 btm_ble_increment_sign_ctr(bd_addr, false); 2256 verified = true; 2257 } 2258 } 2259 } 2260 return verified; 2261 } 2262 2263 /******************************************************************************* 2264 * 2265 * Function BTM_GetLeSecurityState 2266 * 2267 * Description This function is called to get security mode 1 flags and 2268 * encryption key size for LE peer. 2269 * 2270 * Returns bool true if LE device is found, false otherwise. 2271 * 2272 ******************************************************************************/ 2273 bool BTM_GetLeSecurityState(const RawAddress& bd_addr, 2274 uint8_t* p_le_dev_sec_flags, 2275 uint8_t* p_le_key_size) { 2276 tBTM_SEC_DEV_REC* p_dev_rec; 2277 uint16_t dev_rec_sec_flags; 2278 2279 *p_le_dev_sec_flags = 0; 2280 *p_le_key_size = 0; 2281 2282 p_dev_rec = btm_find_dev(bd_addr); 2283 if (p_dev_rec == NULL) { 2284 BTM_TRACE_ERROR("%s fails", __func__); 2285 return (false); 2286 } 2287 2288 if (p_dev_rec->ble_hci_handle == BTM_SEC_INVALID_HANDLE) { 2289 BTM_TRACE_ERROR("%s-this is not LE device", __func__); 2290 return (false); 2291 } 2292 2293 dev_rec_sec_flags = p_dev_rec->sec_flags; 2294 2295 if (dev_rec_sec_flags & BTM_SEC_LE_ENCRYPTED) { 2296 /* link is encrypted with LTK or STK */ 2297 *p_le_key_size = p_dev_rec->enc_key_size; 2298 *p_le_dev_sec_flags |= BTM_SEC_LE_LINK_ENCRYPTED; 2299 2300 *p_le_dev_sec_flags |= 2301 (dev_rec_sec_flags & BTM_SEC_LE_AUTHENTICATED) 2302 ? BTM_SEC_LE_LINK_PAIRED_WITH_MITM /* set auth LTK flag */ 2303 : BTM_SEC_LE_LINK_PAIRED_WITHOUT_MITM; /* set unauth LTK flag */ 2304 } else if (p_dev_rec->ble.key_type & BTM_LE_KEY_PENC) { 2305 /* link is unencrypted, still LTK is available */ 2306 *p_le_key_size = p_dev_rec->ble.keys.key_size; 2307 2308 *p_le_dev_sec_flags |= 2309 (dev_rec_sec_flags & BTM_SEC_LE_LINK_KEY_AUTHED) 2310 ? BTM_SEC_LE_LINK_PAIRED_WITH_MITM /* set auth LTK flag */ 2311 : BTM_SEC_LE_LINK_PAIRED_WITHOUT_MITM; /* set unauth LTK flag */ 2312 } 2313 2314 BTM_TRACE_DEBUG("%s - le_dev_sec_flags: 0x%02x, le_key_size: %d", __func__, 2315 *p_le_dev_sec_flags, *p_le_key_size); 2316 2317 return true; 2318 } 2319 2320 /******************************************************************************* 2321 * 2322 * Function BTM_BleSecurityProcedureIsRunning 2323 * 2324 * Description This function indicates if LE security procedure is 2325 * currently running with the peer. 2326 * 2327 * Returns bool true if security procedure is running, false 2328 * otherwise. 2329 * 2330 ******************************************************************************/ 2331 bool BTM_BleSecurityProcedureIsRunning(const RawAddress& bd_addr) { 2332 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr); 2333 2334 if (p_dev_rec == NULL) { 2335 LOG(ERROR) << __func__ << " device with BDA: " << bd_addr 2336 << " is not found"; 2337 return false; 2338 } 2339 2340 return (p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING || 2341 p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING); 2342 } 2343 2344 /******************************************************************************* 2345 * 2346 * Function BTM_BleGetSupportedKeySize 2347 * 2348 * Description This function gets the maximum encryption key size in bytes 2349 * the local device can suport. 2350 * record. 2351 * 2352 * Returns the key size or 0 if the size can't be retrieved. 2353 * 2354 ******************************************************************************/ 2355 extern uint8_t BTM_BleGetSupportedKeySize(const RawAddress& bd_addr) { 2356 #if (L2CAP_LE_COC_INCLUDED == TRUE) 2357 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr); 2358 tBTM_LE_EVT_DATA btm_le_evt_data; 2359 uint8_t callback_rc; 2360 2361 if (!p_dev_rec) { 2362 LOG(ERROR) << __func__ << " device with BDA: " << bd_addr 2363 << " is not found"; 2364 return 0; 2365 } 2366 2367 if (btm_cb.api.p_le_callback == NULL) { 2368 BTM_TRACE_ERROR("%s can't access supported key size", __func__); 2369 return 0; 2370 } 2371 2372 callback_rc = (*btm_cb.api.p_le_callback)( 2373 BTM_LE_IO_REQ_EVT, p_dev_rec->bd_addr, &btm_le_evt_data); 2374 2375 if (callback_rc != BTM_SUCCESS) { 2376 BTM_TRACE_ERROR("%s can't access supported key size", __func__); 2377 return 0; 2378 } 2379 2380 BTM_TRACE_DEBUG("%s device supports key size = %d", __func__, 2381 btm_le_evt_data.io_req.max_key_size); 2382 return (btm_le_evt_data.io_req.max_key_size); 2383 #else 2384 return 0; 2385 #endif 2386 } 2387 2388 /******************************************************************************* 2389 * Utility functions for LE device IR/ER generation 2390 ******************************************************************************/ 2391 /******************************************************************************* 2392 * 2393 * Function btm_notify_new_key 2394 * 2395 * Description This function is to notify application new keys have been 2396 * generated. 2397 * 2398 * Returns void 2399 * 2400 ******************************************************************************/ 2401 static void btm_notify_new_key(uint8_t key_type) { 2402 tBTM_BLE_LOCAL_KEYS* p_local_keys = NULL; 2403 2404 BTM_TRACE_DEBUG("btm_notify_new_key key_type=%d", key_type); 2405 2406 if (btm_cb.api.p_le_key_callback) { 2407 switch (key_type) { 2408 case BTM_BLE_KEY_TYPE_ID: 2409 BTM_TRACE_DEBUG("BTM_BLE_KEY_TYPE_ID"); 2410 p_local_keys = (tBTM_BLE_LOCAL_KEYS*)&btm_cb.devcb.id_keys; 2411 break; 2412 2413 case BTM_BLE_KEY_TYPE_ER: 2414 BTM_TRACE_DEBUG("BTM_BLE_KEY_TYPE_ER"); 2415 p_local_keys = 2416 (tBTM_BLE_LOCAL_KEYS*)&btm_cb.devcb.ble_encryption_key_value; 2417 break; 2418 2419 default: 2420 BTM_TRACE_ERROR("unknown key type: %d", key_type); 2421 break; 2422 } 2423 if (p_local_keys != NULL) 2424 (*btm_cb.api.p_le_key_callback)(key_type, p_local_keys); 2425 } 2426 } 2427 2428 /******************************************************************************* 2429 * 2430 * Function btm_ble_process_irk 2431 * 2432 * Description This function is called when IRK is generated, store it in 2433 * local control block. 2434 * 2435 * Returns void 2436 * 2437 ******************************************************************************/ 2438 static void btm_ble_process_irk(tSMP_ENC* p) { 2439 BTM_TRACE_DEBUG("btm_ble_process_irk"); 2440 if (p && p->opcode == HCI_BLE_ENCRYPT) { 2441 memcpy(btm_cb.devcb.id_keys.irk, p->param_buf, BT_OCTET16_LEN); 2442 btm_notify_new_key(BTM_BLE_KEY_TYPE_ID); 2443 2444 #if (BLE_PRIVACY_SPT == TRUE) 2445 /* if privacy is enabled, new RPA should be calculated */ 2446 if (btm_cb.ble_ctr_cb.privacy_mode != BTM_PRIVACY_NONE) { 2447 btm_gen_resolvable_private_addr(base::Bind(&btm_gen_resolve_paddr_low)); 2448 } 2449 #endif 2450 } else { 2451 BTM_TRACE_ERROR("Generating IRK exception."); 2452 } 2453 2454 /* proceed generate ER */ 2455 btsnd_hcic_ble_rand(base::Bind([](BT_OCTET8 rand1) { 2456 memcpy(&btm_cb.devcb.ble_encryption_key_value[0], rand1, BT_OCTET8_LEN); 2457 2458 btsnd_hcic_ble_rand(base::Bind([](BT_OCTET8 rand2) { 2459 memcpy(&btm_cb.devcb.ble_encryption_key_value[8], rand2, BT_OCTET8_LEN); 2460 btm_notify_new_key(BTM_BLE_KEY_TYPE_ER); 2461 })); 2462 2463 })); 2464 } 2465 2466 /******************************************************************************* 2467 * 2468 * Function btm_ble_process_dhk 2469 * 2470 * Description This function is called when DHK is calculated, store it in 2471 * local control block, and proceed to generate ER, a 128-bits 2472 * random number. 2473 * 2474 * Returns void 2475 * 2476 ******************************************************************************/ 2477 static void btm_ble_process_dhk(tSMP_ENC* p) { 2478 uint8_t btm_ble_irk_pt = 0x01; 2479 tSMP_ENC output; 2480 2481 BTM_TRACE_DEBUG("btm_ble_process_dhk"); 2482 2483 if (p && p->opcode == HCI_BLE_ENCRYPT) { 2484 memcpy(btm_cb.devcb.id_keys.dhk, p->param_buf, BT_OCTET16_LEN); 2485 BTM_TRACE_DEBUG("BLE DHK generated."); 2486 2487 /* IRK = D1(IR, 1) */ 2488 if (!SMP_Encrypt(btm_cb.devcb.id_keys.ir, BT_OCTET16_LEN, &btm_ble_irk_pt, 2489 1, &output)) { 2490 /* reset all identity root related key */ 2491 memset(&btm_cb.devcb.id_keys, 0, sizeof(tBTM_BLE_LOCAL_ID_KEYS)); 2492 } else { 2493 btm_ble_process_irk(&output); 2494 } 2495 } else { 2496 /* reset all identity root related key */ 2497 memset(&btm_cb.devcb.id_keys, 0, sizeof(tBTM_BLE_LOCAL_ID_KEYS)); 2498 } 2499 } 2500 2501 /******************************************************************************* 2502 * 2503 * Function btm_ble_reset_id 2504 * 2505 * Description This function is called to reset LE device identity. 2506 * 2507 * Returns void 2508 * 2509 ******************************************************************************/ 2510 void btm_ble_reset_id(void) { 2511 BTM_TRACE_DEBUG("btm_ble_reset_id"); 2512 2513 /* Regenerate Identity Root*/ 2514 btsnd_hcic_ble_rand(base::Bind([](BT_OCTET8 rand) { 2515 BTM_TRACE_DEBUG("btm_ble_process_ir1"); 2516 memcpy(btm_cb.devcb.id_keys.ir, rand, BT_OCTET8_LEN); 2517 2518 btsnd_hcic_ble_rand(base::Bind([](BT_OCTET8 rand) { 2519 uint8_t btm_ble_dhk_pt = 0x03; 2520 tSMP_ENC output; 2521 2522 BTM_TRACE_DEBUG("btm_ble_process_ir2"); 2523 2524 /* remembering in control block */ 2525 memcpy(&btm_cb.devcb.id_keys.ir[8], rand, BT_OCTET8_LEN); 2526 /* generate DHK= Eir({0x03, 0x00, 0x00 ...}) */ 2527 2528 SMP_Encrypt(btm_cb.devcb.id_keys.ir, BT_OCTET16_LEN, &btm_ble_dhk_pt, 1, 2529 &output); 2530 btm_ble_process_dhk(&output); 2531 2532 BTM_TRACE_DEBUG("BLE IR generated."); 2533 })); 2534 })); 2535 } 2536 2537 /* This function set a random address to local controller. It also temporarily 2538 * disable scans and adv before sending the command to the controller. */ 2539 void btm_ble_set_random_address(const RawAddress& random_bda) { 2540 tBTM_LE_RANDOM_CB* p_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb; 2541 tBTM_BLE_CB* p_ble_cb = &btm_cb.ble_ctr_cb; 2542 bool adv_mode = btm_cb.ble_ctr_cb.inq_var.adv_mode; 2543 2544 BTM_TRACE_DEBUG("%s", __func__); 2545 if (btm_ble_get_conn_st() == BLE_DIR_CONN) { 2546 BTM_TRACE_ERROR("%s: Cannot set random address. Direct conn ongoing", 2547 __func__); 2548 return; 2549 } 2550 2551 if (adv_mode == BTM_BLE_ADV_ENABLE) 2552 btsnd_hcic_ble_set_adv_enable(BTM_BLE_ADV_DISABLE); 2553 if (BTM_BLE_IS_SCAN_ACTIVE(p_ble_cb->scan_activity)) btm_ble_stop_scan(); 2554 btm_ble_suspend_bg_conn(); 2555 2556 p_cb->private_addr = random_bda; 2557 btsnd_hcic_ble_set_random_addr(p_cb->private_addr); 2558 2559 if (adv_mode == BTM_BLE_ADV_ENABLE) 2560 btsnd_hcic_ble_set_adv_enable(BTM_BLE_ADV_ENABLE); 2561 if (BTM_BLE_IS_SCAN_ACTIVE(p_ble_cb->scan_activity)) btm_ble_start_scan(); 2562 btm_ble_resume_bg_conn(); 2563 } 2564 2565 #if BTM_BLE_CONFORMANCE_TESTING == TRUE 2566 /******************************************************************************* 2567 * 2568 * Function btm_ble_set_no_disc_if_pair_fail 2569 * 2570 * Description This function indicates whether no disconnect of the ACL 2571 * should be used if pairing failed 2572 * 2573 * Returns void 2574 * 2575 ******************************************************************************/ 2576 void btm_ble_set_no_disc_if_pair_fail(bool disable_disc) { 2577 BTM_TRACE_DEBUG("btm_ble_set_disc_enable_if_pair_fail disable_disc=%d", 2578 disable_disc); 2579 btm_cb.devcb.no_disc_if_pair_fail = disable_disc; 2580 } 2581 2582 /******************************************************************************* 2583 * 2584 * Function btm_ble_set_test_mac_value 2585 * 2586 * Description This function set test MAC value 2587 * 2588 * Returns void 2589 * 2590 ******************************************************************************/ 2591 void btm_ble_set_test_mac_value(bool enable, uint8_t* p_test_mac_val) { 2592 BTM_TRACE_DEBUG("btm_ble_set_test_mac_value enable=%d", enable); 2593 btm_cb.devcb.enable_test_mac_val = enable; 2594 memcpy(btm_cb.devcb.test_mac, p_test_mac_val, BT_OCTET8_LEN); 2595 } 2596 2597 /******************************************************************************* 2598 * 2599 * Function btm_ble_set_test_local_sign_cntr_value 2600 * 2601 * Description This function set test local sign counter value 2602 * 2603 * Returns void 2604 * 2605 ******************************************************************************/ 2606 void btm_ble_set_test_local_sign_cntr_value(bool enable, 2607 uint32_t test_local_sign_cntr) { 2608 BTM_TRACE_DEBUG( 2609 "btm_ble_set_test_local_sign_cntr_value enable=%d local_sign_cntr=%d", 2610 enable, test_local_sign_cntr); 2611 btm_cb.devcb.enable_test_local_sign_cntr = enable; 2612 btm_cb.devcb.test_local_sign_cntr = test_local_sign_cntr; 2613 } 2614 2615 /******************************************************************************* 2616 * 2617 * Function btm_ble_set_keep_rfu_in_auth_req 2618 * 2619 * Description This function indicates if RFU bits have to be kept as is 2620 * (by default they have to be set to 0 by the sender). 2621 * 2622 * Returns void 2623 * 2624 ******************************************************************************/ 2625 void btm_ble_set_keep_rfu_in_auth_req(bool keep_rfu) { 2626 BTM_TRACE_DEBUG("btm_ble_set_keep_rfu_in_auth_req keep_rfus=%d", keep_rfu); 2627 btm_cb.devcb.keep_rfu_in_auth_req = keep_rfu; 2628 } 2629 2630 #endif /* BTM_BLE_CONFORMANCE_TESTING */ 2631
