1 /****************************************************************************** 2 * 3 * Copyright 1999-2012 Broadcom Corporation 4 * 5 * Licensed under the Apache License, Version 2.0 (the "License"); 6 * you may not use this file except in compliance with the License. 7 * You may obtain a copy of the License at: 8 * 9 * http://www.apache.org/licenses/LICENSE-2.0 10 * 11 * Unless required by applicable law or agreed to in writing, software 12 * distributed under the License is distributed on an "AS IS" BASIS, 13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 * See the License for the specific language governing permissions and 15 * limitations under the License. 16 * 17 ******************************************************************************/ 18 19 /****************************************************************************** 20 * 21 * This file contains functions for the Bluetooth Security Manager 22 * 23 ******************************************************************************/ 24 25 #define LOG_TAG "bt_btm_sec" 26 27 #include <stdarg.h> 28 #include <stdio.h> 29 #include <string.h> 30 31 #include "device/include/controller.h" 32 #include "osi/include/log.h" 33 #include "osi/include/osi.h" 34 #include "osi/include/time.h" 35 36 #include "bt_types.h" 37 #include "bt_utils.h" 38 #include "btm_int.h" 39 #include "btu.h" 40 #include "hcimsgs.h" 41 #include "l2c_int.h" 42 43 #include "gatt_int.h" 44 45 #define BTM_SEC_MAX_COLLISION_DELAY (5000) 46 47 #ifdef APPL_AUTH_WRITE_EXCEPTION 48 bool(APPL_AUTH_WRITE_EXCEPTION)(const RawAddress& bd_addr); 49 #endif 50 51 /******************************************************************************* 52 * L O C A L F U N C T I O N P R O T O T Y P E S * 53 ******************************************************************************/ 54 tBTM_SEC_SERV_REC* btm_sec_find_first_serv(bool is_originator, uint16_t psm); 55 static tBTM_SEC_SERV_REC* btm_sec_find_next_serv(tBTM_SEC_SERV_REC* p_cur); 56 static tBTM_SEC_SERV_REC* btm_sec_find_mx_serv(uint8_t is_originator, 57 uint16_t psm, 58 uint32_t mx_proto_id, 59 uint32_t mx_chan_id); 60 61 static bool btm_sec_start_get_name(tBTM_SEC_DEV_REC* p_dev_rec); 62 static void btm_sec_start_authentication(tBTM_SEC_DEV_REC* p_dev_rec); 63 static void btm_sec_start_encryption(tBTM_SEC_DEV_REC* p_dev_rec); 64 static void btm_sec_collision_timeout(void* data); 65 static void btm_restore_mode(void); 66 static void btm_sec_pairing_timeout(void* data); 67 static tBTM_STATUS btm_sec_dd_create_conn(tBTM_SEC_DEV_REC* p_dev_rec); 68 static void btm_sec_change_pairing_state(tBTM_PAIRING_STATE new_state); 69 70 static const char* btm_pair_state_descr(tBTM_PAIRING_STATE state); 71 72 static void btm_sec_check_pending_reqs(void); 73 static bool btm_sec_queue_mx_request(const RawAddress& bd_addr, uint16_t psm, 74 bool is_orig, uint32_t mx_proto_id, 75 uint32_t mx_chan_id, 76 tBTM_SEC_CALLBACK* p_callback, 77 void* p_ref_data); 78 static void btm_sec_bond_cancel_complete(void); 79 static void btm_send_link_key_notif(tBTM_SEC_DEV_REC* p_dev_rec); 80 static bool btm_sec_check_prefetch_pin(tBTM_SEC_DEV_REC* p_dev_rec); 81 82 static uint8_t btm_sec_start_authorization(tBTM_SEC_DEV_REC* p_dev_rec); 83 bool btm_sec_are_all_trusted(uint32_t p_mask[]); 84 85 static tBTM_STATUS btm_sec_send_hci_disconnect(tBTM_SEC_DEV_REC* p_dev_rec, 86 uint8_t reason, 87 uint16_t conn_handle); 88 uint8_t btm_sec_start_role_switch(tBTM_SEC_DEV_REC* p_dev_rec); 89 tBTM_SEC_DEV_REC* btm_sec_find_dev_by_sec_state(uint8_t state); 90 91 static bool btm_sec_set_security_level(CONNECTION_TYPE conn_type, 92 const char* p_name, uint8_t service_id, 93 uint16_t sec_level, uint16_t psm, 94 uint32_t mx_proto_id, 95 uint32_t mx_chan_id); 96 97 static bool btm_dev_authenticated(tBTM_SEC_DEV_REC* p_dev_rec); 98 static bool btm_dev_encrypted(tBTM_SEC_DEV_REC* p_dev_rec); 99 static bool btm_dev_authorized(tBTM_SEC_DEV_REC* p_dev_rec); 100 static bool btm_serv_trusted(tBTM_SEC_DEV_REC* p_dev_rec, 101 tBTM_SEC_SERV_REC* p_serv_rec); 102 static bool btm_sec_is_serv_level0(uint16_t psm); 103 static uint16_t btm_sec_set_serv_level4_flags(uint16_t cur_security, 104 bool is_originator); 105 106 static bool btm_sec_queue_encrypt_request(const RawAddress& bd_addr, 107 tBT_TRANSPORT transport, 108 tBTM_SEC_CALLBACK* p_callback, 109 void* p_ref_data, 110 tBTM_BLE_SEC_ACT sec_act); 111 static void btm_sec_check_pending_enc_req(tBTM_SEC_DEV_REC* p_dev_rec, 112 tBT_TRANSPORT transport, 113 uint8_t encr_enable); 114 115 static bool btm_sec_use_smp_br_chnl(tBTM_SEC_DEV_REC* p_dev_rec); 116 static bool btm_sec_is_master(tBTM_SEC_DEV_REC* p_dev_rec); 117 118 /* true - authenticated link key is possible */ 119 static const bool btm_sec_io_map[BTM_IO_CAP_MAX][BTM_IO_CAP_MAX] = { 120 /* OUT, IO, IN, NONE */ 121 /* OUT */ {false, false, true, false}, 122 /* IO */ {false, true, true, false}, 123 /* IN */ {true, true, true, false}, 124 /* NONE */ {false, false, false, false}}; 125 /* BTM_IO_CAP_OUT 0 DisplayOnly */ 126 /* BTM_IO_CAP_IO 1 DisplayYesNo */ 127 /* BTM_IO_CAP_IN 2 KeyboardOnly */ 128 /* BTM_IO_CAP_NONE 3 NoInputNoOutput */ 129 130 /******************************************************************************* 131 * 132 * Function btm_dev_authenticated 133 * 134 * Description check device is authenticated 135 * 136 * Returns bool true or false 137 * 138 ******************************************************************************/ 139 static bool btm_dev_authenticated(tBTM_SEC_DEV_REC* p_dev_rec) { 140 if (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED) { 141 return (true); 142 } 143 return (false); 144 } 145 146 /******************************************************************************* 147 * 148 * Function btm_dev_encrypted 149 * 150 * Description check device is encrypted 151 * 152 * Returns bool true or false 153 * 154 ******************************************************************************/ 155 static bool btm_dev_encrypted(tBTM_SEC_DEV_REC* p_dev_rec) { 156 if (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED) { 157 return (true); 158 } 159 return (false); 160 } 161 162 /******************************************************************************* 163 * 164 * Function btm_dev_authorized 165 * 166 * Description check device is authorized 167 * 168 * Returns bool true or false 169 * 170 ******************************************************************************/ 171 static bool btm_dev_authorized(tBTM_SEC_DEV_REC* p_dev_rec) { 172 if (p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED) { 173 return (true); 174 } 175 return (false); 176 } 177 178 /******************************************************************************* 179 * 180 * Function btm_dev_16_digit_authenticated 181 * 182 * Description check device is authenticated by using 16 digit pin or MITM 183 * 184 * Returns bool true or false 185 * 186 ******************************************************************************/ 187 static bool btm_dev_16_digit_authenticated(tBTM_SEC_DEV_REC* p_dev_rec) { 188 // BTM_SEC_16_DIGIT_PIN_AUTHED is set if MITM or 16 digit pin is used 189 if (p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED) { 190 return (true); 191 } 192 return (false); 193 } 194 195 /******************************************************************************* 196 * 197 * Function btm_serv_trusted 198 * 199 * Description check service is trusted 200 * 201 * Returns bool true or false 202 * 203 ******************************************************************************/ 204 static bool btm_serv_trusted(tBTM_SEC_DEV_REC* p_dev_rec, 205 tBTM_SEC_SERV_REC* p_serv_rec) { 206 if (BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask, 207 p_serv_rec->service_id)) { 208 return (true); 209 } 210 return (false); 211 } 212 213 /******************************************************************************* 214 * 215 * Function BTM_SecRegister 216 * 217 * Description Application manager calls this function to register for 218 * security services. There can be one and only one 219 * application saving link keys. BTM allows only first 220 * registration. 221 * 222 * Returns true if registered OK, else false 223 * 224 ******************************************************************************/ 225 bool BTM_SecRegister(const tBTM_APPL_INFO* p_cb_info) { 226 BT_OCTET16 temp_value = {0}; 227 228 BTM_TRACE_EVENT("%s application registered", __func__); 229 230 LOG_INFO(LOG_TAG, "%s p_cb_info->p_le_callback == 0x%p", __func__, 231 p_cb_info->p_le_callback); 232 if (p_cb_info->p_le_callback) { 233 BTM_TRACE_EVENT("%s SMP_Register( btm_proc_smp_cback )", __func__); 234 SMP_Register(btm_proc_smp_cback); 235 /* if no IR is loaded, need to regenerate all the keys */ 236 if (memcmp(btm_cb.devcb.id_keys.ir, &temp_value, sizeof(BT_OCTET16)) == 0) { 237 btm_ble_reset_id(); 238 } 239 } else { 240 LOG_WARN(LOG_TAG, "%s p_cb_info->p_le_callback == NULL", __func__); 241 } 242 243 btm_cb.api = *p_cb_info; 244 LOG_INFO(LOG_TAG, "%s btm_cb.api.p_le_callback = 0x%p ", __func__, 245 btm_cb.api.p_le_callback); 246 BTM_TRACE_EVENT("%s application registered", __func__); 247 return (true); 248 } 249 250 /******************************************************************************* 251 * 252 * Function BTM_SecRegisterLinkKeyNotificationCallback 253 * 254 * Description Application manager calls this function to register for 255 * link key notification. When there is nobody registered 256 * we should avoid changing link key 257 * 258 * Returns true if registered OK, else false 259 * 260 ******************************************************************************/ 261 bool BTM_SecRegisterLinkKeyNotificationCallback( 262 tBTM_LINK_KEY_CALLBACK* p_callback) { 263 btm_cb.api.p_link_key_callback = p_callback; 264 return true; 265 } 266 267 /******************************************************************************* 268 * 269 * Function BTM_SecAddRmtNameNotifyCallback 270 * 271 * Description Any profile can register to be notified when name of the 272 * remote device is resolved. 273 * 274 * Returns true if registered OK, else false 275 * 276 ******************************************************************************/ 277 bool BTM_SecAddRmtNameNotifyCallback(tBTM_RMT_NAME_CALLBACK* p_callback) { 278 int i; 279 280 for (i = 0; i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++) { 281 if (btm_cb.p_rmt_name_callback[i] == NULL) { 282 btm_cb.p_rmt_name_callback[i] = p_callback; 283 return (true); 284 } 285 } 286 287 return (false); 288 } 289 290 /******************************************************************************* 291 * 292 * Function BTM_SecDeleteRmtNameNotifyCallback 293 * 294 * Description Any profile can deregister notification when a new Link Key 295 * is generated per connection. 296 * 297 * Returns true if OK, else false 298 * 299 ******************************************************************************/ 300 bool BTM_SecDeleteRmtNameNotifyCallback(tBTM_RMT_NAME_CALLBACK* p_callback) { 301 int i; 302 303 for (i = 0; i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++) { 304 if (btm_cb.p_rmt_name_callback[i] == p_callback) { 305 btm_cb.p_rmt_name_callback[i] = NULL; 306 return (true); 307 } 308 } 309 310 return (false); 311 } 312 313 /******************************************************************************* 314 * 315 * Function BTM_GetSecurityFlags 316 * 317 * Description Get security flags for the device 318 * 319 * Returns bool true or false is device found 320 * 321 ******************************************************************************/ 322 bool BTM_GetSecurityFlags(const RawAddress& bd_addr, uint8_t* p_sec_flags) { 323 tBTM_SEC_DEV_REC* p_dev_rec; 324 325 p_dev_rec = btm_find_dev(bd_addr); 326 if (p_dev_rec != NULL) { 327 *p_sec_flags = (uint8_t)p_dev_rec->sec_flags; 328 return (true); 329 } 330 BTM_TRACE_ERROR("BTM_GetSecurityFlags false"); 331 return (false); 332 } 333 334 /******************************************************************************* 335 * 336 * Function BTM_GetSecurityFlagsByTransport 337 * 338 * Description Get security flags for the device on a particular transport 339 * 340 * Returns bool true or false is device found 341 * 342 ******************************************************************************/ 343 bool BTM_GetSecurityFlagsByTransport(const RawAddress& bd_addr, 344 uint8_t* p_sec_flags, 345 tBT_TRANSPORT transport) { 346 tBTM_SEC_DEV_REC* p_dev_rec; 347 348 p_dev_rec = btm_find_dev(bd_addr); 349 if (p_dev_rec != NULL) { 350 if (transport == BT_TRANSPORT_BR_EDR) 351 *p_sec_flags = (uint8_t)p_dev_rec->sec_flags; 352 else 353 *p_sec_flags = (uint8_t)(p_dev_rec->sec_flags >> 8); 354 355 return (true); 356 } 357 BTM_TRACE_ERROR("BTM_GetSecurityFlags false"); 358 return (false); 359 } 360 361 /******************************************************************************* 362 * 363 * Function BTM_SetPinType 364 * 365 * Description Set PIN type for the device. 366 * 367 * Returns void 368 * 369 ******************************************************************************/ 370 void BTM_SetPinType(uint8_t pin_type, PIN_CODE pin_code, uint8_t pin_code_len) { 371 BTM_TRACE_API( 372 "BTM_SetPinType: pin type %d [variable-0, fixed-1], code %s, length %d", 373 pin_type, (char*)pin_code, pin_code_len); 374 375 /* If device is not up security mode will be set as a part of startup */ 376 if ((btm_cb.cfg.pin_type != pin_type) && 377 controller_get_interface()->get_is_ready()) { 378 btsnd_hcic_write_pin_type(pin_type); 379 } 380 381 btm_cb.cfg.pin_type = pin_type; 382 btm_cb.cfg.pin_code_len = pin_code_len; 383 memcpy(btm_cb.cfg.pin_code, pin_code, pin_code_len); 384 } 385 386 /******************************************************************************* 387 * 388 * Function BTM_SetPairableMode 389 * 390 * Description Enable or disable pairing 391 * 392 * Parameters allow_pairing - (true or false) whether or not the device 393 * allows pairing. 394 * connect_only_paired - (true or false) whether or not to 395 * only allow paired devices to connect. 396 * 397 * Returns void 398 * 399 ******************************************************************************/ 400 void BTM_SetPairableMode(bool allow_pairing, bool connect_only_paired) { 401 BTM_TRACE_API( 402 "BTM_SetPairableMode() allow_pairing: %u connect_only_paired: %u", 403 allow_pairing, connect_only_paired); 404 405 btm_cb.pairing_disabled = !allow_pairing; 406 btm_cb.connect_only_paired = connect_only_paired; 407 } 408 409 /******************************************************************************* 410 * 411 * Function BTM_SetSecureConnectionsOnly 412 * 413 * Description Enable or disable default treatment for Mode 4 Level 0 414 * services 415 * 416 * Parameter secure_connections_only_mode - 417 * true means that the device should treat Mode 4 Level 0 418 * services as services of other levels. 419 * false means that the device should provide default 420 * treatment for Mode 4 Level 0 services. 421 * 422 * Returns void 423 * 424 ******************************************************************************/ 425 void BTM_SetSecureConnectionsOnly(bool secure_connections_only_mode) { 426 BTM_TRACE_API("%s: Mode : %u", __func__, secure_connections_only_mode); 427 428 btm_cb.devcb.secure_connections_only = secure_connections_only_mode; 429 btm_cb.security_mode = BTM_SEC_MODE_SC; 430 } 431 #define BTM_NO_AVAIL_SEC_SERVICES ((uint16_t)0xffff) 432 433 /******************************************************************************* 434 * 435 * Function BTM_SetSecurityLevel 436 * 437 * Description Register service security level with Security Manager 438 * 439 * Parameters: is_originator - true if originating the connection 440 * p_name - Name of the service relevant only if 441 * authorization will show this name to user. 442 * Ignored if BTM_SEC_SERVICE_NAME_LEN is 0. 443 * service_id - service ID for the service passed to 444 * authorization callback 445 * sec_level - bit mask of the security features 446 * psm - L2CAP PSM 447 * mx_proto_id - protocol ID of multiplexing proto below 448 * mx_chan_id - channel ID of multiplexing proto below 449 * 450 * Returns true if registered OK, else false 451 * 452 ******************************************************************************/ 453 bool BTM_SetSecurityLevel(bool is_originator, const char* p_name, 454 uint8_t service_id, uint16_t sec_level, uint16_t psm, 455 uint32_t mx_proto_id, uint32_t mx_chan_id) { 456 return (btm_sec_set_security_level(is_originator, p_name, service_id, 457 sec_level, psm, mx_proto_id, mx_chan_id)); 458 } 459 460 /******************************************************************************* 461 * 462 * Function btm_sec_set_security_level 463 * 464 * Description Register service security level with Security Manager 465 * 466 * Parameters: conn_type - true if originating the connection 467 * p_name - Name of the service relevant only if 468 * authorization will show this name to user. 469 * Ignored if BTM_SEC_SERVICE_NAME_LEN is 0. 470 * service_id - service ID for the service passed to 471 * authorization callback 472 * sec_level - bit mask of the security features 473 * psm - L2CAP PSM 474 * mx_proto_id - protocol ID of multiplexing proto below 475 * mx_chan_id - channel ID of multiplexing proto below 476 * 477 * Returns true if registered OK, else false 478 * 479 ******************************************************************************/ 480 static bool btm_sec_set_security_level(CONNECTION_TYPE conn_type, 481 const char* p_name, uint8_t service_id, 482 uint16_t sec_level, uint16_t psm, 483 uint32_t mx_proto_id, 484 uint32_t mx_chan_id) { 485 tBTM_SEC_SERV_REC* p_srec; 486 uint16_t index; 487 uint16_t first_unused_record = BTM_NO_AVAIL_SEC_SERVICES; 488 bool record_allocated = false; 489 bool is_originator; 490 is_originator = conn_type; 491 492 BTM_TRACE_API("%s : sec: 0x%x", __func__, sec_level); 493 494 /* See if the record can be reused (same service name, psm, mx_proto_id, 495 service_id, and mx_chan_id), or obtain the next unused record */ 496 497 p_srec = &btm_cb.sec_serv_rec[0]; 498 499 for (index = 0; index < BTM_SEC_MAX_SERVICE_RECORDS; index++, p_srec++) { 500 /* Check if there is already a record for this service */ 501 if (p_srec->security_flags & BTM_SEC_IN_USE) { 502 #if BTM_SEC_SERVICE_NAME_LEN > 0 503 if (p_srec->psm == psm && p_srec->mx_proto_id == mx_proto_id && 504 service_id == p_srec->service_id && p_name && 505 (!strncmp(p_name, (char*)p_srec->orig_service_name, 506 /* strlcpy replaces end char with termination char*/ 507 BTM_SEC_SERVICE_NAME_LEN - 1) || 508 !strncmp(p_name, (char*)p_srec->term_service_name, 509 /* strlcpy replaces end char with termination char*/ 510 BTM_SEC_SERVICE_NAME_LEN - 1))) 511 #else 512 if (p_srec->psm == psm && p_srec->mx_proto_id == mx_proto_id && 513 service_id == p_srec->service_id) 514 #endif 515 { 516 record_allocated = true; 517 break; 518 } 519 } 520 /* Mark the first available service record */ 521 else if (!record_allocated) { 522 memset(p_srec, 0, sizeof(tBTM_SEC_SERV_REC)); 523 record_allocated = true; 524 first_unused_record = index; 525 } 526 } 527 528 if (!record_allocated) { 529 BTM_TRACE_WARNING("BTM_SEC_REG: Out of Service Records (%d)", 530 BTM_SEC_MAX_SERVICE_RECORDS); 531 return (record_allocated); 532 } 533 534 /* Process the request if service record is valid */ 535 /* If a duplicate service wasn't found, use the first available */ 536 if (index >= BTM_SEC_MAX_SERVICE_RECORDS) { 537 index = first_unused_record; 538 p_srec = &btm_cb.sec_serv_rec[index]; 539 } 540 541 p_srec->psm = psm; 542 p_srec->service_id = service_id; 543 p_srec->mx_proto_id = mx_proto_id; 544 545 if (is_originator) { 546 p_srec->orig_mx_chan_id = mx_chan_id; 547 #if BTM_SEC_SERVICE_NAME_LEN > 0 548 strlcpy((char*)p_srec->orig_service_name, p_name, 549 BTM_SEC_SERVICE_NAME_LEN + 1); 550 #endif 551 /* clear out the old setting, just in case it exists */ 552 { 553 p_srec->security_flags &= ~( 554 BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT | 555 BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM | BTM_SEC_FORCE_MASTER | 556 BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE); 557 } 558 559 /* Parameter validation. Originator should not set requirements for 560 * incoming connections */ 561 sec_level &= 562 ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHENTICATE | 563 BTM_SEC_IN_MITM | BTM_SEC_IN_MIN_16_DIGIT_PIN); 564 565 if (btm_cb.security_mode == BTM_SEC_MODE_SP || 566 btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG || 567 btm_cb.security_mode == BTM_SEC_MODE_SC) { 568 if (sec_level & BTM_SEC_OUT_AUTHENTICATE) sec_level |= BTM_SEC_OUT_MITM; 569 } 570 571 /* Make sure the authenticate bit is set, when encrypt bit is set */ 572 if (sec_level & BTM_SEC_OUT_ENCRYPT) sec_level |= BTM_SEC_OUT_AUTHENTICATE; 573 574 /* outgoing connections usually set the security level right before 575 * the connection is initiated. 576 * set it to be the outgoing service */ 577 btm_cb.p_out_serv = p_srec; 578 } else { 579 p_srec->term_mx_chan_id = mx_chan_id; 580 #if BTM_SEC_SERVICE_NAME_LEN > 0 581 strlcpy((char*)p_srec->term_service_name, p_name, 582 BTM_SEC_SERVICE_NAME_LEN + 1); 583 #endif 584 /* clear out the old setting, just in case it exists */ 585 { 586 p_srec->security_flags &= 587 ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT | 588 BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_MITM | BTM_SEC_FORCE_MASTER | 589 BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | 590 BTM_SEC_ATTEMPT_SLAVE | BTM_SEC_IN_MIN_16_DIGIT_PIN); 591 } 592 593 /* Parameter validation. Acceptor should not set requirements for outgoing 594 * connections */ 595 sec_level &= ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT | 596 BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM); 597 598 if (btm_cb.security_mode == BTM_SEC_MODE_SP || 599 btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG || 600 btm_cb.security_mode == BTM_SEC_MODE_SC) { 601 if (sec_level & BTM_SEC_IN_AUTHENTICATE) sec_level |= BTM_SEC_IN_MITM; 602 } 603 604 /* Make sure the authenticate bit is set, when encrypt bit is set */ 605 if (sec_level & BTM_SEC_IN_ENCRYPT) sec_level |= BTM_SEC_IN_AUTHENTICATE; 606 } 607 608 p_srec->security_flags |= (uint16_t)(sec_level | BTM_SEC_IN_USE); 609 610 BTM_TRACE_API( 611 "BTM_SEC_REG[%d]: id %d, is_orig %d, psm 0x%04x, proto_id %d, chan_id %d", 612 index, service_id, is_originator, psm, mx_proto_id, mx_chan_id); 613 614 #if BTM_SEC_SERVICE_NAME_LEN > 0 615 BTM_TRACE_API( 616 " : sec: 0x%x, service name [%s] (up to %d chars saved)", 617 p_srec->security_flags, p_name, BTM_SEC_SERVICE_NAME_LEN); 618 #endif 619 620 return (record_allocated); 621 } 622 623 /******************************************************************************* 624 * 625 * Function BTM_SecClrService 626 * 627 * Description Removes specified service record(s) from the security 628 * database. All service records with the specified name are 629 * removed. Typically used only by devices with limited RAM so 630 * that it can reuse an old security service record. 631 * 632 * Note: Unpredictable results may occur if a service is 633 * cleared that is still in use by an application/profile. 634 * 635 * Parameters Service ID - Id of the service to remove. '0' removes all 636 * service records (except SDP). 637 * 638 * Returns Number of records that were freed. 639 * 640 ******************************************************************************/ 641 uint8_t BTM_SecClrService(uint8_t service_id) { 642 tBTM_SEC_SERV_REC* p_srec = &btm_cb.sec_serv_rec[0]; 643 uint8_t num_freed = 0; 644 int i; 645 646 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_srec++) { 647 /* Delete services with specified name (if in use and not SDP) */ 648 if ((p_srec->security_flags & BTM_SEC_IN_USE) && 649 (p_srec->psm != BT_PSM_SDP) && 650 (!service_id || (service_id == p_srec->service_id))) { 651 BTM_TRACE_API("BTM_SEC_CLR[%d]: id %d", i, service_id); 652 p_srec->security_flags = 0; 653 num_freed++; 654 } 655 } 656 657 return (num_freed); 658 } 659 660 /******************************************************************************* 661 * 662 * Function btm_sec_clr_service_by_psm 663 * 664 * Description Removes specified service record from the security database. 665 * All service records with the specified psm are removed. 666 * Typically used by L2CAP to free up the service record used 667 * by dynamic PSM clients when the channel is closed. 668 * The given psm must be a virtual psm. 669 * 670 * Parameters Service ID - Id of the service to remove. '0' removes all 671 * service records (except SDP). 672 * 673 * Returns Number of records that were freed. 674 * 675 ******************************************************************************/ 676 uint8_t btm_sec_clr_service_by_psm(uint16_t psm) { 677 tBTM_SEC_SERV_REC* p_srec = &btm_cb.sec_serv_rec[0]; 678 uint8_t num_freed = 0; 679 int i; 680 681 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_srec++) { 682 /* Delete services with specified name (if in use and not SDP) */ 683 if ((p_srec->security_flags & BTM_SEC_IN_USE) && (p_srec->psm == psm)) { 684 BTM_TRACE_API("BTM_SEC_CLR[%d]: id %d ", i, p_srec->service_id); 685 p_srec->security_flags = 0; 686 num_freed++; 687 } 688 } 689 BTM_TRACE_API("btm_sec_clr_service_by_psm psm:0x%x num_freed:%d", psm, 690 num_freed); 691 692 return (num_freed); 693 } 694 695 /******************************************************************************* 696 * 697 * Function btm_sec_clr_temp_auth_service 698 * 699 * Description Removes specified device record's temporary authorization 700 * flag from the security database. 701 * 702 * Parameters Device address to be cleared 703 * 704 * Returns void. 705 * 706 ******************************************************************************/ 707 void btm_sec_clr_temp_auth_service(const RawAddress& bda) { 708 tBTM_SEC_DEV_REC* p_dev_rec; 709 710 p_dev_rec = btm_find_dev(bda); 711 if (p_dev_rec == NULL) { 712 BTM_TRACE_WARNING("btm_sec_clr_temp_auth_service() - no dev CB"); 713 return; 714 } 715 716 /* Reset the temporary authorized flag so that next time (untrusted) service 717 * is accessed autorization will take place */ 718 if (p_dev_rec->last_author_service_id != BTM_SEC_NO_LAST_SERVICE_ID && 719 p_dev_rec->p_cur_service) { 720 VLOG(1) << __func__ << " clearing device: " << bda; 721 722 p_dev_rec->last_author_service_id = BTM_SEC_NO_LAST_SERVICE_ID; 723 } 724 } 725 726 /******************************************************************************* 727 * 728 * Function BTM_PINCodeReply 729 * 730 * Description This function is called after Security Manager submitted 731 * PIN code request to the UI. 732 * 733 * Parameters: bd_addr - Address of the device for which PIN was 734 * requested 735 * res - result of the operation BTM_SUCCESS 736 * if success 737 * pin_len - length in bytes of the PIN Code 738 * p_pin - pointer to array with the PIN Code 739 * trusted_mask - bitwise OR of trusted services 740 * (array of uint32_t) 741 * 742 ******************************************************************************/ 743 void BTM_PINCodeReply(const RawAddress& bd_addr, uint8_t res, uint8_t pin_len, 744 uint8_t* p_pin, uint32_t trusted_mask[]) { 745 tBTM_SEC_DEV_REC* p_dev_rec; 746 747 BTM_TRACE_API( 748 "BTM_PINCodeReply(): PairState: %s PairFlags: 0x%02x PinLen:%d " 749 "Result:%d", 750 btm_pair_state_descr(btm_cb.pairing_state), btm_cb.pairing_flags, pin_len, 751 res); 752 753 /* If timeout already expired or has been canceled, ignore the reply */ 754 if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_PIN) { 755 BTM_TRACE_WARNING("BTM_PINCodeReply() - Wrong State: %d", 756 btm_cb.pairing_state); 757 return; 758 } 759 760 if (bd_addr != btm_cb.pairing_bda) { 761 BTM_TRACE_ERROR("BTM_PINCodeReply() - Wrong BD Addr"); 762 return; 763 } 764 765 p_dev_rec = btm_find_dev(bd_addr); 766 if (p_dev_rec == NULL) { 767 BTM_TRACE_ERROR("BTM_PINCodeReply() - no dev CB"); 768 return; 769 } 770 771 if ((pin_len > PIN_CODE_LEN) || (pin_len == 0) || (p_pin == NULL)) 772 res = BTM_ILLEGAL_VALUE; 773 774 if (res != BTM_SUCCESS) { 775 /* if peer started dd OR we started dd and pre-fetch pin was not used send 776 * negative reply */ 777 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PEER_STARTED_DD) || 778 ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) && 779 (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE))) { 780 /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed 781 * event */ 782 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_AUTH_COMPLETE); 783 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY; 784 785 btsnd_hcic_pin_code_neg_reply(bd_addr); 786 } else { 787 p_dev_rec->security_required = BTM_SEC_NONE; 788 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE); 789 } 790 return; 791 } 792 if (trusted_mask) 793 BTM_SEC_COPY_TRUSTED_DEVICE(trusted_mask, p_dev_rec->trusted_mask); 794 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED; 795 p_dev_rec->pin_code_length = pin_len; 796 if (pin_len >= 16) { 797 p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED; 798 } 799 800 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) && 801 (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE) && 802 (!btm_cb.security_mode_changed)) { 803 /* This is start of the dedicated bonding if local device is 2.0 */ 804 btm_cb.pin_code_len = pin_len; 805 memcpy(btm_cb.pin_code, p_pin, pin_len); 806 807 btm_cb.security_mode_changed = true; 808 #ifdef APPL_AUTH_WRITE_EXCEPTION 809 if (!(APPL_AUTH_WRITE_EXCEPTION)(p_dev_rec->bd_addr)) 810 #endif 811 btsnd_hcic_write_auth_enable(true); 812 813 btm_cb.acl_disc_reason = 0xff; 814 815 /* if we rejected incoming connection request, we have to wait 816 * HCI_Connection_Complete event */ 817 /* before originating */ 818 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT) { 819 BTM_TRACE_WARNING( 820 "BTM_PINCodeReply(): waiting HCI_Connection_Complete after rejected " 821 "incoming connection"); 822 /* we change state little bit early so btm_sec_connected() will originate 823 * connection */ 824 /* when existing ACL link is down completely */ 825 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_PIN_REQ); 826 } 827 /* if we already accepted incoming connection from pairing device */ 828 else if (p_dev_rec->sm4 & BTM_SM4_CONN_PEND) { 829 BTM_TRACE_WARNING( 830 "BTM_PINCodeReply(): link is connecting so wait pin code request " 831 "from peer"); 832 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_PIN_REQ); 833 } else if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED) { 834 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE); 835 p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_AUTHED; 836 837 if (btm_cb.api.p_auth_complete_callback) 838 (*btm_cb.api.p_auth_complete_callback)( 839 p_dev_rec->bd_addr, p_dev_rec->dev_class, p_dev_rec->sec_bd_name, 840 HCI_ERR_AUTH_FAILURE); 841 } 842 return; 843 } 844 845 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_AUTH_COMPLETE); 846 btm_cb.acl_disc_reason = HCI_SUCCESS; 847 848 btsnd_hcic_pin_code_req_reply(bd_addr, pin_len, p_pin); 849 } 850 851 /******************************************************************************* 852 * 853 * Function btm_sec_bond_by_transport 854 * 855 * Description this is the bond function that will start either SSP or SMP. 856 * 857 * Parameters: bd_addr - Address of the device to bond 858 * pin_len - length in bytes of the PIN Code 859 * p_pin - pointer to array with the PIN Code 860 * trusted_mask - bitwise OR of trusted services 861 * (array of uint32_t) 862 * 863 * Note: After 2.1 parameters are not used and preserved here not to change API 864 ******************************************************************************/ 865 tBTM_STATUS btm_sec_bond_by_transport(const RawAddress& bd_addr, 866 tBT_TRANSPORT transport, uint8_t pin_len, 867 uint8_t* p_pin, uint32_t trusted_mask[]) { 868 tBTM_SEC_DEV_REC* p_dev_rec; 869 tBTM_STATUS status; 870 uint8_t* p_features; 871 uint8_t ii; 872 tACL_CONN* p = btm_bda_to_acl(bd_addr, transport); 873 VLOG(1) << __func__ << " BDA: " << bd_addr; 874 875 BTM_TRACE_DEBUG("%s: Transport used %d, bd_addr=%s", __func__, transport, 876 bd_addr.ToString().c_str()); 877 878 /* Other security process is in progress */ 879 if (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) { 880 BTM_TRACE_ERROR("BTM_SecBond: already busy in state: %s", 881 btm_pair_state_descr(btm_cb.pairing_state)); 882 return (BTM_WRONG_MODE); 883 } 884 885 p_dev_rec = btm_find_or_alloc_dev(bd_addr); 886 if (p_dev_rec == NULL) { 887 return (BTM_NO_RESOURCES); 888 } 889 890 if (!controller_get_interface()->get_is_ready()) { 891 BTM_TRACE_ERROR("%s controller module is not ready", __func__); 892 return (BTM_NO_RESOURCES); 893 } 894 895 BTM_TRACE_DEBUG("before update sec_flags=0x%x", p_dev_rec->sec_flags); 896 897 /* Finished if connection is active and already paired */ 898 if (((p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE) && 899 transport == BT_TRANSPORT_BR_EDR && 900 (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)) || 901 ((p_dev_rec->ble_hci_handle != BTM_SEC_INVALID_HANDLE) && 902 transport == BT_TRANSPORT_LE && 903 (p_dev_rec->sec_flags & BTM_SEC_LE_AUTHENTICATED))) { 904 BTM_TRACE_WARNING("BTM_SecBond -> Already Paired"); 905 return (BTM_SUCCESS); 906 } 907 908 /* Tell controller to get rid of the link key if it has one stored */ 909 if ((BTM_DeleteStoredLinkKey(&bd_addr, NULL)) != BTM_SUCCESS) 910 return (BTM_NO_RESOURCES); 911 912 /* Save the PIN code if we got a valid one */ 913 if (p_pin && (pin_len <= PIN_CODE_LEN) && (pin_len != 0)) { 914 btm_cb.pin_code_len = pin_len; 915 p_dev_rec->pin_code_length = pin_len; 916 memcpy(btm_cb.pin_code, p_pin, PIN_CODE_LEN); 917 } 918 919 btm_cb.pairing_bda = bd_addr; 920 921 btm_cb.pairing_flags = BTM_PAIR_FLAGS_WE_STARTED_DD; 922 923 p_dev_rec->security_required = BTM_SEC_OUT_AUTHENTICATE; 924 p_dev_rec->is_originator = true; 925 if (trusted_mask) 926 BTM_SEC_COPY_TRUSTED_DEVICE(trusted_mask, p_dev_rec->trusted_mask); 927 928 if (transport == BT_TRANSPORT_LE) { 929 btm_ble_init_pseudo_addr(p_dev_rec, bd_addr); 930 p_dev_rec->sec_flags &= ~BTM_SEC_LE_MASK; 931 932 if (SMP_Pair(bd_addr) == SMP_STARTED) { 933 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_LE_ACTIVE; 934 p_dev_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING; 935 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_AUTH_COMPLETE); 936 return BTM_CMD_STARTED; 937 } 938 939 btm_cb.pairing_flags = 0; 940 return (BTM_NO_RESOURCES); 941 } 942 943 p_dev_rec->sec_flags &= 944 ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED | 945 BTM_SEC_ROLE_SWITCHED | BTM_SEC_LINK_KEY_AUTHED); 946 947 BTM_TRACE_DEBUG("after update sec_flags=0x%x", p_dev_rec->sec_flags); 948 if (!controller_get_interface()->supports_simple_pairing()) { 949 /* The special case when we authenticate keyboard. Set pin type to fixed */ 950 /* It would be probably better to do it from the application, but it is */ 951 /* complicated */ 952 if (((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) == 953 BTM_COD_MAJOR_PERIPHERAL) && 954 (p_dev_rec->dev_class[2] & BTM_COD_MINOR_KEYBOARD) && 955 (btm_cb.cfg.pin_type != HCI_PIN_TYPE_FIXED)) { 956 btm_cb.pin_type_changed = true; 957 btsnd_hcic_write_pin_type(HCI_PIN_TYPE_FIXED); 958 } 959 } 960 961 for (ii = 0; ii <= HCI_EXT_FEATURES_PAGE_MAX; ii++) { 962 p_features = p_dev_rec->feature_pages[ii]; 963 BTM_TRACE_EVENT(" remote_features page[%1d] = %02x-%02x-%02x-%02x", ii, 964 p_features[0], p_features[1], p_features[2], p_features[3]); 965 BTM_TRACE_EVENT(" %02x-%02x-%02x-%02x", 966 p_features[4], p_features[5], p_features[6], p_features[7]); 967 } 968 969 BTM_TRACE_EVENT("BTM_SecBond: Remote sm4: 0x%x HCI Handle: 0x%04x", 970 p_dev_rec->sm4, p_dev_rec->hci_handle); 971 972 #if (BTM_SEC_FORCE_RNR_FOR_DBOND == TRUE) 973 p_dev_rec->sec_flags &= ~BTM_SEC_NAME_KNOWN; 974 #endif 975 976 /* If connection already exists... */ 977 if (p && p->hci_handle != BTM_SEC_INVALID_HANDLE) { 978 btm_sec_start_authentication(p_dev_rec); 979 980 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_PIN_REQ); 981 982 /* Mark lcb as bonding */ 983 l2cu_update_lcb_4_bonding(bd_addr, true); 984 return (BTM_CMD_STARTED); 985 } 986 987 BTM_TRACE_DEBUG("sec mode: %d sm4:x%x", btm_cb.security_mode, p_dev_rec->sm4); 988 if (!controller_get_interface()->supports_simple_pairing() || 989 (p_dev_rec->sm4 == BTM_SM4_KNOWN)) { 990 if (btm_sec_check_prefetch_pin(p_dev_rec)) return (BTM_CMD_STARTED); 991 } 992 if ((btm_cb.security_mode == BTM_SEC_MODE_SP || 993 btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG || 994 btm_cb.security_mode == BTM_SEC_MODE_SC) && 995 BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4)) { 996 /* local is 2.1 and peer is unknown */ 997 if ((p_dev_rec->sm4 & BTM_SM4_CONN_PEND) == 0) { 998 /* we are not accepting connection request from peer 999 * -> RNR (to learn if peer is 2.1) 1000 * RNR when no ACL causes HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT */ 1001 btm_sec_change_pairing_state(BTM_PAIR_STATE_GET_REM_NAME); 1002 status = BTM_ReadRemoteDeviceName(bd_addr, NULL, BT_TRANSPORT_BR_EDR); 1003 } else { 1004 /* We are accepting connection request from peer */ 1005 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_PIN_REQ); 1006 status = BTM_CMD_STARTED; 1007 } 1008 BTM_TRACE_DEBUG("State:%s sm4: 0x%x sec_state:%d", 1009 btm_pair_state_descr(btm_cb.pairing_state), p_dev_rec->sm4, 1010 p_dev_rec->sec_state); 1011 } else { 1012 /* both local and peer are 2.1 */ 1013 status = btm_sec_dd_create_conn(p_dev_rec); 1014 } 1015 1016 if (status != BTM_CMD_STARTED) { 1017 BTM_TRACE_ERROR( 1018 "%s BTM_ReadRemoteDeviceName or btm_sec_dd_create_conn error: 0x%x", 1019 __func__, (int)status); 1020 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE); 1021 } 1022 1023 return status; 1024 } 1025 1026 /******************************************************************************* 1027 * 1028 * Function BTM_SecBondByTransport 1029 * 1030 * Description This function is called to perform bonding with peer device. 1031 * If the connection is already up, but not secure, pairing 1032 * is attempted. If already paired BTM_SUCCESS is returned. 1033 * 1034 * Parameters: bd_addr - Address of the device to bond 1035 * transport - doing SSP over BR/EDR or SMP over LE 1036 * pin_len - length in bytes of the PIN Code 1037 * p_pin - pointer to array with the PIN Code 1038 * trusted_mask - bitwise OR of trusted services 1039 * (array of uint32_t) 1040 * 1041 * Note: After 2.1 parameters are not used and preserved here not to change API 1042 ******************************************************************************/ 1043 tBTM_STATUS BTM_SecBondByTransport(const RawAddress& bd_addr, 1044 tBT_TRANSPORT transport, uint8_t pin_len, 1045 uint8_t* p_pin, uint32_t trusted_mask[]) { 1046 tBT_DEVICE_TYPE dev_type; 1047 tBLE_ADDR_TYPE addr_type; 1048 1049 BTM_ReadDevInfo(bd_addr, &dev_type, &addr_type); 1050 /* LE device, do SMP pairing */ 1051 if ((transport == BT_TRANSPORT_LE && (dev_type & BT_DEVICE_TYPE_BLE) == 0) || 1052 (transport == BT_TRANSPORT_BR_EDR && 1053 (dev_type & BT_DEVICE_TYPE_BREDR) == 0)) { 1054 return BTM_ILLEGAL_ACTION; 1055 } 1056 return btm_sec_bond_by_transport(bd_addr, transport, pin_len, p_pin, 1057 trusted_mask); 1058 } 1059 1060 /******************************************************************************* 1061 * 1062 * Function BTM_SecBond 1063 * 1064 * Description This function is called to perform bonding with peer device. 1065 * If the connection is already up, but not secure, pairing 1066 * is attempted. If already paired BTM_SUCCESS is returned. 1067 * 1068 * Parameters: bd_addr - Address of the device to bond 1069 * pin_len - length in bytes of the PIN Code 1070 * p_pin - pointer to array with the PIN Code 1071 * trusted_mask - bitwise OR of trusted services 1072 * (array of uint32_t) 1073 * 1074 * Note: After 2.1 parameters are not used and preserved here not to change API 1075 ******************************************************************************/ 1076 tBTM_STATUS BTM_SecBond(const RawAddress& bd_addr, uint8_t pin_len, 1077 uint8_t* p_pin, uint32_t trusted_mask[]) { 1078 tBT_TRANSPORT transport = BT_TRANSPORT_BR_EDR; 1079 if (BTM_UseLeLink(bd_addr)) transport = BT_TRANSPORT_LE; 1080 return btm_sec_bond_by_transport(bd_addr, transport, pin_len, p_pin, 1081 trusted_mask); 1082 } 1083 /******************************************************************************* 1084 * 1085 * Function BTM_SecBondCancel 1086 * 1087 * Description This function is called to cancel ongoing bonding process 1088 * with peer device. 1089 * 1090 * Parameters: bd_addr - Address of the peer device 1091 * transport - false for BR/EDR link; true for LE link 1092 * 1093 ******************************************************************************/ 1094 tBTM_STATUS BTM_SecBondCancel(const RawAddress& bd_addr) { 1095 tBTM_SEC_DEV_REC* p_dev_rec; 1096 1097 BTM_TRACE_API("BTM_SecBondCancel() State: %s flags:0x%x", 1098 btm_pair_state_descr(btm_cb.pairing_state), 1099 btm_cb.pairing_flags); 1100 p_dev_rec = btm_find_dev(bd_addr); 1101 if (!p_dev_rec || btm_cb.pairing_bda != bd_addr) { 1102 return BTM_UNKNOWN_ADDR; 1103 } 1104 1105 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_LE_ACTIVE) { 1106 if (p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING) { 1107 BTM_TRACE_DEBUG("Cancel LE pairing"); 1108 if (SMP_PairCancel(bd_addr)) { 1109 return BTM_CMD_STARTED; 1110 } 1111 } 1112 return BTM_WRONG_MODE; 1113 } 1114 1115 BTM_TRACE_DEBUG("hci_handle:0x%x sec_state:%d", p_dev_rec->hci_handle, 1116 p_dev_rec->sec_state); 1117 if (BTM_PAIR_STATE_WAIT_LOCAL_PIN == btm_cb.pairing_state && 1118 BTM_PAIR_FLAGS_WE_STARTED_DD & btm_cb.pairing_flags) { 1119 /* pre-fetching pin for dedicated bonding */ 1120 btm_sec_bond_cancel_complete(); 1121 return BTM_SUCCESS; 1122 } 1123 1124 /* If this BDA is in a bonding procedure */ 1125 if ((btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) && 1126 (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)) { 1127 /* If the HCI link is up */ 1128 if (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE) { 1129 /* If some other thread disconnecting, we do not send second command */ 1130 if ((p_dev_rec->sec_state == BTM_SEC_STATE_DISCONNECTING) || 1131 (p_dev_rec->sec_state == BTM_SEC_STATE_DISCONNECTING_BOTH)) 1132 return (BTM_CMD_STARTED); 1133 1134 /* If the HCI link was set up by Bonding process */ 1135 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE) 1136 return btm_sec_send_hci_disconnect(p_dev_rec, HCI_ERR_PEER_USER, 1137 p_dev_rec->hci_handle); 1138 else 1139 l2cu_update_lcb_4_bonding(bd_addr, false); 1140 1141 return BTM_NOT_AUTHORIZED; 1142 } else /*HCI link is not up */ 1143 { 1144 /* If the HCI link creation was started by Bonding process */ 1145 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE) { 1146 btsnd_hcic_create_conn_cancel(bd_addr); 1147 return BTM_CMD_STARTED; 1148 } 1149 if (btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME) { 1150 BTM_CancelRemoteDeviceName(); 1151 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_WE_CANCEL_DD; 1152 return BTM_CMD_STARTED; 1153 } 1154 return BTM_NOT_AUTHORIZED; 1155 } 1156 } 1157 1158 return BTM_WRONG_MODE; 1159 } 1160 1161 /******************************************************************************* 1162 * 1163 * Function BTM_SecGetDeviceLinkKey 1164 * 1165 * Description This function is called to obtain link key for the device 1166 * it returns BTM_SUCCESS if link key is available, or 1167 * BTM_UNKNOWN_ADDR if Security Manager does not know about 1168 * the device or device record does not contain link key info 1169 * 1170 * Parameters: bd_addr - Address of the device 1171 * link_key - Link Key is copied into this array 1172 * 1173 ******************************************************************************/ 1174 tBTM_STATUS BTM_SecGetDeviceLinkKey(const RawAddress& bd_addr, 1175 LINK_KEY link_key) { 1176 tBTM_SEC_DEV_REC* p_dev_rec; 1177 p_dev_rec = btm_find_dev(bd_addr); 1178 if ((p_dev_rec != NULL) && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)) { 1179 memcpy(link_key, p_dev_rec->link_key, LINK_KEY_LEN); 1180 return (BTM_SUCCESS); 1181 } 1182 return (BTM_UNKNOWN_ADDR); 1183 } 1184 1185 /******************************************************************************* 1186 * 1187 * Function BTM_SecGetDeviceLinkKeyType 1188 * 1189 * Description This function is called to obtain link key type for the 1190 * device. 1191 * it returns BTM_SUCCESS if link key is available, or 1192 * BTM_UNKNOWN_ADDR if Security Manager does not know about 1193 * the device or device record does not contain link key info 1194 * 1195 * Returns BTM_LKEY_TYPE_IGNORE if link key is unknown, link type 1196 * otherwise. 1197 * 1198 ******************************************************************************/ 1199 tBTM_LINK_KEY_TYPE BTM_SecGetDeviceLinkKeyType(const RawAddress& bd_addr) { 1200 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr); 1201 1202 if ((p_dev_rec != NULL) && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)) { 1203 return p_dev_rec->link_key_type; 1204 } 1205 return BTM_LKEY_TYPE_IGNORE; 1206 } 1207 1208 /******************************************************************************* 1209 * 1210 * Function BTM_SetEncryption 1211 * 1212 * Description This function is called to ensure that connection is 1213 * encrypted. Should be called only on an open connection. 1214 * Typically only needed for connections that first want to 1215 * bring up unencrypted links, then later encrypt them. 1216 * 1217 * Parameters: bd_addr - Address of the peer device 1218 * transport - Link transport 1219 * p_callback - Pointer to callback function called if 1220 * this function returns PENDING after required 1221 * procedures are completed. Can be set to 1222 * NULL if status is not desired. 1223 * p_ref_data - pointer to any data the caller wishes to 1224 * receive in the callback function upon 1225 * completion. can be set to NULL if not used. 1226 * sec_act - LE security action, unused for BR/EDR 1227 * 1228 * Returns BTM_SUCCESS - already encrypted 1229 * BTM_PENDING - command will be returned in the callback 1230 * BTM_WRONG_MODE- connection not up. 1231 * BTM_BUSY - security procedures are currently active 1232 * BTM_MODE_UNSUPPORTED - if security manager not linked in. 1233 * 1234 ******************************************************************************/ 1235 tBTM_STATUS BTM_SetEncryption(const RawAddress& bd_addr, 1236 tBT_TRANSPORT transport, 1237 tBTM_SEC_CBACK* p_callback, void* p_ref_data, 1238 tBTM_BLE_SEC_ACT sec_act) { 1239 tBTM_STATUS rc = 0; 1240 1241 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr); 1242 if (!p_dev_rec || 1243 (transport == BT_TRANSPORT_BR_EDR && 1244 p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE) || 1245 (transport == BT_TRANSPORT_LE && 1246 p_dev_rec->ble_hci_handle == BTM_SEC_INVALID_HANDLE)) { 1247 /* Connection should be up and runnning */ 1248 BTM_TRACE_WARNING("Security Manager: BTM_SetEncryption not connected"); 1249 1250 if (p_callback) 1251 (*p_callback)(&bd_addr, transport, p_ref_data, BTM_WRONG_MODE); 1252 1253 return (BTM_WRONG_MODE); 1254 } 1255 1256 if (transport == BT_TRANSPORT_BR_EDR && 1257 (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)) { 1258 BTM_TRACE_EVENT("Security Manager: BTM_SetEncryption already encrypted"); 1259 1260 if (*p_callback) 1261 (*p_callback)(&bd_addr, transport, p_ref_data, BTM_SUCCESS); 1262 1263 return (BTM_SUCCESS); 1264 } 1265 1266 /* enqueue security request if security is active */ 1267 if (p_dev_rec->p_callback || (p_dev_rec->sec_state != BTM_SEC_STATE_IDLE)) { 1268 BTM_TRACE_WARNING( 1269 "Security Manager: BTM_SetEncryption busy, enqueue request"); 1270 1271 if (btm_sec_queue_encrypt_request(bd_addr, transport, p_callback, 1272 p_ref_data, sec_act)) { 1273 return BTM_CMD_STARTED; 1274 } else { 1275 if (p_callback) 1276 (*p_callback)(&bd_addr, transport, p_ref_data, BTM_NO_RESOURCES); 1277 return BTM_NO_RESOURCES; 1278 } 1279 } 1280 1281 p_dev_rec->p_callback = p_callback; 1282 p_dev_rec->p_ref_data = p_ref_data; 1283 p_dev_rec->security_required |= 1284 (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT); 1285 p_dev_rec->is_originator = false; 1286 1287 BTM_TRACE_API( 1288 "Security Manager: BTM_SetEncryption Handle:%d State:%d Flags:0x%x " 1289 "Required:0x%x, p_dev_rec=%p, p_callback=%p", 1290 p_dev_rec->hci_handle, p_dev_rec->sec_state, p_dev_rec->sec_flags, 1291 p_dev_rec->security_required, p_dev_rec, p_callback); 1292 1293 if (transport == BT_TRANSPORT_LE) { 1294 tACL_CONN* p = btm_bda_to_acl(bd_addr, transport); 1295 if (p) { 1296 rc = btm_ble_set_encryption(bd_addr, sec_act, p->link_role); 1297 } else { 1298 rc = BTM_WRONG_MODE; 1299 BTM_TRACE_WARNING("%s: cannot call btm_ble_set_encryption, p is NULL", 1300 __func__); 1301 } 1302 } else { 1303 rc = btm_sec_execute_procedure(p_dev_rec); 1304 } 1305 1306 if (rc != BTM_CMD_STARTED && rc != BTM_BUSY) { 1307 if (p_callback) { 1308 BTM_TRACE_DEBUG( 1309 "%s: clearing p_callback=%p, p_dev_rec=%p, transport=%d, " 1310 "bd_addr=%s", 1311 __func__, p_callback, p_dev_rec, transport, 1312 bd_addr.ToString().c_str()); 1313 p_dev_rec->p_callback = NULL; 1314 (*p_callback)(&bd_addr, transport, p_dev_rec->p_ref_data, rc); 1315 } 1316 } 1317 1318 return (rc); 1319 } 1320 1321 /******************************************************************************* 1322 * disconnect the ACL link, if it's not done yet. 1323 ******************************************************************************/ 1324 static tBTM_STATUS btm_sec_send_hci_disconnect(tBTM_SEC_DEV_REC* p_dev_rec, 1325 uint8_t reason, 1326 uint16_t conn_handle) { 1327 uint8_t old_state = p_dev_rec->sec_state; 1328 tBTM_STATUS status = BTM_CMD_STARTED; 1329 1330 BTM_TRACE_EVENT("btm_sec_send_hci_disconnect: handle:0x%x, reason=0x%x", 1331 conn_handle, reason); 1332 1333 /* send HCI_Disconnect on a transport only once */ 1334 switch (old_state) { 1335 case BTM_SEC_STATE_DISCONNECTING: 1336 if (conn_handle == p_dev_rec->hci_handle) return status; 1337 1338 p_dev_rec->sec_state = BTM_SEC_STATE_DISCONNECTING_BOTH; 1339 break; 1340 1341 case BTM_SEC_STATE_DISCONNECTING_BLE: 1342 if (conn_handle == p_dev_rec->ble_hci_handle) return status; 1343 1344 p_dev_rec->sec_state = BTM_SEC_STATE_DISCONNECTING_BOTH; 1345 break; 1346 1347 case BTM_SEC_STATE_DISCONNECTING_BOTH: 1348 return status; 1349 1350 default: 1351 p_dev_rec->sec_state = (conn_handle == p_dev_rec->hci_handle) 1352 ? BTM_SEC_STATE_DISCONNECTING 1353 : BTM_SEC_STATE_DISCONNECTING_BLE; 1354 1355 break; 1356 } 1357 1358 /* If a role switch is in progress, delay the HCI Disconnect to avoid 1359 * controller problem */ 1360 if (p_dev_rec->rs_disc_pending == BTM_SEC_RS_PENDING && 1361 p_dev_rec->hci_handle == conn_handle) { 1362 BTM_TRACE_DEBUG( 1363 "RS in progress - Set DISC Pending flag in btm_sec_send_hci_disconnect " 1364 "to delay disconnect"); 1365 p_dev_rec->rs_disc_pending = BTM_SEC_DISC_PENDING; 1366 status = BTM_SUCCESS; 1367 } 1368 /* Tear down the HCI link */ 1369 else { 1370 btsnd_hcic_disconnect(conn_handle, reason); 1371 } 1372 1373 return status; 1374 } 1375 1376 /******************************************************************************* 1377 * 1378 * Function BTM_ConfirmReqReply 1379 * 1380 * Description This function is called to confirm the numeric value for 1381 * Simple Pairing in response to BTM_SP_CFM_REQ_EVT 1382 * 1383 * Parameters: res - result of the operation BTM_SUCCESS if 1384 * success 1385 * bd_addr - Address of the peer device 1386 * 1387 ******************************************************************************/ 1388 void BTM_ConfirmReqReply(tBTM_STATUS res, const RawAddress& bd_addr) { 1389 tBTM_SEC_DEV_REC* p_dev_rec; 1390 1391 BTM_TRACE_EVENT("BTM_ConfirmReqReply() State: %s Res: %u", 1392 btm_pair_state_descr(btm_cb.pairing_state), res); 1393 1394 /* If timeout already expired or has been canceled, ignore the reply */ 1395 if ((btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM) || 1396 (btm_cb.pairing_bda != bd_addr)) 1397 return; 1398 1399 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_AUTH_COMPLETE); 1400 1401 if ((res == BTM_SUCCESS) || (res == BTM_SUCCESS_NO_SECURITY)) { 1402 btm_cb.acl_disc_reason = HCI_SUCCESS; 1403 1404 if (res == BTM_SUCCESS) { 1405 p_dev_rec = btm_find_dev(bd_addr); 1406 if (p_dev_rec != NULL) { 1407 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED; 1408 p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED; 1409 } 1410 } 1411 1412 btsnd_hcic_user_conf_reply(bd_addr, true); 1413 } else { 1414 /* Report authentication failed event from state 1415 * BTM_PAIR_STATE_WAIT_AUTH_COMPLETE */ 1416 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY; 1417 btsnd_hcic_user_conf_reply(bd_addr, false); 1418 } 1419 } 1420 1421 /******************************************************************************* 1422 * 1423 * Function BTM_PasskeyReqReply 1424 * 1425 * Description This function is called to provide the passkey for 1426 * Simple Pairing in response to BTM_SP_KEY_REQ_EVT 1427 * 1428 * Parameters: res - result of the operation BTM_SUCCESS if success 1429 * bd_addr - Address of the peer device 1430 * passkey - numeric value in the range of 1431 * BTM_MIN_PASSKEY_VAL(0) - 1432 * BTM_MAX_PASSKEY_VAL(999999(0xF423F)). 1433 * 1434 ******************************************************************************/ 1435 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE) 1436 void BTM_PasskeyReqReply(tBTM_STATUS res, const RawAddress& bd_addr, 1437 uint32_t passkey) { 1438 BTM_TRACE_API("BTM_PasskeyReqReply: State: %s res:%d", 1439 btm_pair_state_descr(btm_cb.pairing_state), res); 1440 1441 if ((btm_cb.pairing_state == BTM_PAIR_STATE_IDLE) || 1442 (btm_cb.pairing_bda != bd_addr)) { 1443 return; 1444 } 1445 1446 /* If timeout already expired or has been canceled, ignore the reply */ 1447 if ((btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_AUTH_COMPLETE) && 1448 (res != BTM_SUCCESS)) { 1449 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr); 1450 if (p_dev_rec != NULL) { 1451 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY; 1452 1453 if (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE) 1454 btm_sec_send_hci_disconnect(p_dev_rec, HCI_ERR_AUTH_FAILURE, 1455 p_dev_rec->hci_handle); 1456 else 1457 BTM_SecBondCancel(bd_addr); 1458 1459 p_dev_rec->sec_flags &= 1460 ~(BTM_SEC_LINK_KEY_AUTHED | BTM_SEC_LINK_KEY_KNOWN); 1461 1462 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE); 1463 return; 1464 } 1465 } else if (btm_cb.pairing_state != BTM_PAIR_STATE_KEY_ENTRY) 1466 return; 1467 1468 if (passkey > BTM_MAX_PASSKEY_VAL) res = BTM_ILLEGAL_VALUE; 1469 1470 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_AUTH_COMPLETE); 1471 1472 if (res != BTM_SUCCESS) { 1473 /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed 1474 * event */ 1475 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY; 1476 btsnd_hcic_user_passkey_neg_reply(bd_addr); 1477 } else { 1478 btm_cb.acl_disc_reason = HCI_SUCCESS; 1479 btsnd_hcic_user_passkey_reply(bd_addr, passkey); 1480 } 1481 } 1482 #endif 1483 1484 /******************************************************************************* 1485 * 1486 * Function BTM_SendKeypressNotif 1487 * 1488 * Description This function is used during the passkey entry model 1489 * by a device with KeyboardOnly IO capabilities 1490 * (very likely to be a HID Device). 1491 * It is called by a HID Device to inform the remote device 1492 * when a key has been entered or erased. 1493 * 1494 * Parameters: bd_addr - Address of the peer device 1495 * type - notification type 1496 * 1497 ******************************************************************************/ 1498 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE) 1499 void BTM_SendKeypressNotif(const RawAddress& bd_addr, tBTM_SP_KEY_TYPE type) { 1500 /* This API only make sense between PASSKEY_REQ and SP complete */ 1501 if (btm_cb.pairing_state == BTM_PAIR_STATE_KEY_ENTRY) 1502 btsnd_hcic_send_keypress_notif(bd_addr, type); 1503 } 1504 #endif 1505 1506 /******************************************************************************* 1507 * 1508 * Function BTM_IoCapRsp 1509 * 1510 * Description This function is called in response to BTM_SP_IO_REQ_EVT 1511 * When the event data io_req.oob_data is set to 1512 * BTM_OOB_UNKNOWN by the tBTM_SP_CALLBACK implementation, 1513 * this function is called to provide the actual response 1514 * 1515 * Parameters: bd_addr - Address of the peer device 1516 * io_cap - The IO capability of local device. 1517 * oob - BTM_OOB_NONE or BTM_OOB_PRESENT. 1518 * auth_req- MITM protection required or not. 1519 * 1520 ******************************************************************************/ 1521 void BTM_IoCapRsp(const RawAddress& bd_addr, tBTM_IO_CAP io_cap, 1522 tBTM_OOB_DATA oob, tBTM_AUTH_REQ auth_req) { 1523 BTM_TRACE_EVENT("BTM_IoCapRsp: state: %s oob: %d io_cap: %d", 1524 btm_pair_state_descr(btm_cb.pairing_state), oob, io_cap); 1525 1526 if ((btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS) || 1527 (btm_cb.pairing_bda != bd_addr)) 1528 return; 1529 1530 if (oob < BTM_OOB_UNKNOWN && io_cap < BTM_IO_CAP_MAX) { 1531 btm_cb.devcb.loc_auth_req = auth_req; 1532 btm_cb.devcb.loc_io_caps = io_cap; 1533 1534 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) 1535 auth_req = (BTM_AUTH_DD_BOND | (auth_req & BTM_AUTH_YN_BIT)); 1536 1537 btsnd_hcic_io_cap_req_reply(bd_addr, io_cap, oob, auth_req); 1538 } 1539 } 1540 1541 /******************************************************************************* 1542 * 1543 * Function BTM_ReadLocalOobData 1544 * 1545 * Description This function is called to read the local OOB data from 1546 * LM 1547 * 1548 ******************************************************************************/ 1549 void BTM_ReadLocalOobData(void) { btsnd_hcic_read_local_oob_data(); } 1550 1551 /******************************************************************************* 1552 * 1553 * Function BTM_RemoteOobDataReply 1554 * 1555 * Description This function is called to provide the remote OOB data for 1556 * Simple Pairing in response to BTM_SP_RMT_OOB_EVT 1557 * 1558 * Parameters: bd_addr - Address of the peer device 1559 * c - simple pairing Hash C. 1560 * r - simple pairing Randomizer C. 1561 * 1562 ******************************************************************************/ 1563 void BTM_RemoteOobDataReply(tBTM_STATUS res, const RawAddress& bd_addr, 1564 BT_OCTET16 c, BT_OCTET16 r) { 1565 BTM_TRACE_EVENT("%s() - State: %s res: %d", __func__, 1566 btm_pair_state_descr(btm_cb.pairing_state), res); 1567 1568 /* If timeout already expired or has been canceled, ignore the reply */ 1569 if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP) return; 1570 1571 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_AUTH_COMPLETE); 1572 1573 if (res != BTM_SUCCESS) { 1574 /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed 1575 * event */ 1576 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY; 1577 btsnd_hcic_rem_oob_neg_reply(bd_addr); 1578 } else { 1579 btm_cb.acl_disc_reason = HCI_SUCCESS; 1580 btsnd_hcic_rem_oob_reply(bd_addr, c, r); 1581 } 1582 } 1583 1584 /******************************************************************************* 1585 * 1586 * Function BTM_BuildOobData 1587 * 1588 * Description This function is called to build the OOB data payload to 1589 * be sent over OOB (non-Bluetooth) link 1590 * 1591 * Parameters: p_data - the location for OOB data 1592 * max_len - p_data size. 1593 * c - simple pairing Hash C. 1594 * r - simple pairing Randomizer C. 1595 * name_len- 0, local device name would not be included. 1596 * otherwise, the local device name is included for 1597 * up to this specified length 1598 * 1599 * Returns Number of bytes in p_data. 1600 * 1601 ******************************************************************************/ 1602 uint16_t BTM_BuildOobData(uint8_t* p_data, uint16_t max_len, BT_OCTET16 c, 1603 BT_OCTET16 r, uint8_t name_len) { 1604 uint8_t* p = p_data; 1605 uint16_t len = 0; 1606 uint16_t name_size; 1607 uint8_t name_type = BTM_EIR_SHORTENED_LOCAL_NAME_TYPE; 1608 1609 if (p_data && max_len >= BTM_OOB_MANDATORY_SIZE) { 1610 /* add mandatory part */ 1611 UINT16_TO_STREAM(p, len); 1612 BDADDR_TO_STREAM(p, *controller_get_interface()->get_address()); 1613 1614 len = BTM_OOB_MANDATORY_SIZE; 1615 max_len -= len; 1616 1617 /* now optional part */ 1618 1619 /* add Hash C */ 1620 uint16_t delta = BTM_OOB_HASH_C_SIZE + 2; 1621 if (max_len >= delta) { 1622 *p++ = BTM_OOB_HASH_C_SIZE + 1; 1623 *p++ = BTM_EIR_OOB_SSP_HASH_C_TYPE; 1624 ARRAY_TO_STREAM(p, c, BTM_OOB_HASH_C_SIZE); 1625 len += delta; 1626 max_len -= delta; 1627 } 1628 1629 /* add Rand R */ 1630 delta = BTM_OOB_RAND_R_SIZE + 2; 1631 if (max_len >= delta) { 1632 *p++ = BTM_OOB_RAND_R_SIZE + 1; 1633 *p++ = BTM_EIR_OOB_SSP_RAND_R_TYPE; 1634 ARRAY_TO_STREAM(p, r, BTM_OOB_RAND_R_SIZE); 1635 len += delta; 1636 max_len -= delta; 1637 } 1638 1639 /* add class of device */ 1640 delta = BTM_OOB_COD_SIZE + 2; 1641 if (max_len >= delta) { 1642 *p++ = BTM_OOB_COD_SIZE + 1; 1643 *p++ = BTM_EIR_OOB_COD_TYPE; 1644 DEVCLASS_TO_STREAM(p, btm_cb.devcb.dev_class); 1645 len += delta; 1646 max_len -= delta; 1647 } 1648 name_size = name_len; 1649 if (name_size > strlen(btm_cb.cfg.bd_name)) { 1650 name_type = BTM_EIR_COMPLETE_LOCAL_NAME_TYPE; 1651 name_size = (uint16_t)strlen(btm_cb.cfg.bd_name); 1652 } 1653 delta = name_size + 2; 1654 if (max_len >= delta) { 1655 *p++ = name_size + 1; 1656 *p++ = name_type; 1657 ARRAY_TO_STREAM(p, btm_cb.cfg.bd_name, name_size); 1658 len += delta; 1659 max_len -= delta; 1660 } 1661 /* update len */ 1662 p = p_data; 1663 UINT16_TO_STREAM(p, len); 1664 } 1665 return len; 1666 } 1667 1668 /******************************************************************************* 1669 * 1670 * Function BTM_BothEndsSupportSecureConnections 1671 * 1672 * Description This function is called to check if both the local device 1673 * and the peer device specified by bd_addr support BR/EDR 1674 * Secure Connections. 1675 * 1676 * Parameters: bd_addr - address of the peer 1677 * 1678 * Returns true if BR/EDR Secure Connections are supported by both 1679 * local and the remote device, else false. 1680 * 1681 ******************************************************************************/ 1682 bool BTM_BothEndsSupportSecureConnections(const RawAddress& bd_addr) { 1683 return ((controller_get_interface()->supports_secure_connections()) && 1684 (BTM_PeerSupportsSecureConnections(bd_addr))); 1685 } 1686 1687 /******************************************************************************* 1688 * 1689 * Function BTM_PeerSupportsSecureConnections 1690 * 1691 * Description This function is called to check if the peer supports 1692 * BR/EDR Secure Connections. 1693 * 1694 * Parameters: bd_addr - address of the peer 1695 * 1696 * Returns true if BR/EDR Secure Connections are supported by the peer, 1697 * else false. 1698 * 1699 ******************************************************************************/ 1700 bool BTM_PeerSupportsSecureConnections(const RawAddress& bd_addr) { 1701 tBTM_SEC_DEV_REC* p_dev_rec; 1702 1703 p_dev_rec = btm_find_dev(bd_addr); 1704 if (p_dev_rec == NULL) { 1705 LOG(WARNING) << __func__ << ": unknown BDA: " << bd_addr; 1706 return false; 1707 } 1708 1709 return (p_dev_rec->remote_supports_secure_connections); 1710 } 1711 1712 /******************************************************************************* 1713 * 1714 * Function BTM_ReadOobData 1715 * 1716 * Description This function is called to parse the OOB data payload 1717 * received over OOB (non-Bluetooth) link 1718 * 1719 * Parameters: p_data - the location for OOB data 1720 * eir_tag - The associated EIR tag to read the data. 1721 * *p_len(output) - the length of the data with the given tag. 1722 * 1723 * Returns the beginning of the data with the given tag. 1724 * NULL, if the tag is not found. 1725 * 1726 ******************************************************************************/ 1727 uint8_t* BTM_ReadOobData(uint8_t* p_data, uint8_t eir_tag, uint8_t* p_len) { 1728 uint8_t* p = p_data; 1729 uint16_t max_len; 1730 uint8_t len, type; 1731 uint8_t* p_ret = NULL; 1732 uint8_t ret_len = 0; 1733 1734 if (p_data) { 1735 STREAM_TO_UINT16(max_len, p); 1736 if (max_len >= BTM_OOB_MANDATORY_SIZE) { 1737 if (BTM_EIR_OOB_BD_ADDR_TYPE == eir_tag) { 1738 p_ret = p; /* the location for bd_addr */ 1739 ret_len = BTM_OOB_BD_ADDR_SIZE; 1740 } else { 1741 p += BD_ADDR_LEN; 1742 max_len -= BTM_OOB_MANDATORY_SIZE; 1743 /* now the optional data in EIR format */ 1744 while (max_len > 0) { 1745 len = *p++; /* tag data len + 1 */ 1746 type = *p++; 1747 if (eir_tag == type) { 1748 p_ret = p; 1749 ret_len = len - 1; 1750 break; 1751 } 1752 /* the data size of this tag is len + 1 (tag data len + 2) */ 1753 if (max_len > len) { 1754 max_len -= len; 1755 max_len--; 1756 len--; 1757 p += len; 1758 } else 1759 max_len = 0; 1760 } 1761 } 1762 } 1763 } 1764 1765 if (p_len) *p_len = ret_len; 1766 1767 return p_ret; 1768 } 1769 1770 /******************************************************************************* 1771 * 1772 * Function BTM_SetOutService 1773 * 1774 * Description This function is called to set the service for 1775 * outgoing connections. 1776 * 1777 * If the profile/application calls BTM_SetSecurityLevel 1778 * before initiating a connection, this function does not 1779 * need to be called. 1780 * 1781 * Returns void 1782 * 1783 ******************************************************************************/ 1784 void BTM_SetOutService(const RawAddress& bd_addr, uint8_t service_id, 1785 uint32_t mx_chan_id) { 1786 tBTM_SEC_DEV_REC* p_dev_rec; 1787 tBTM_SEC_SERV_REC* p_serv_rec = &btm_cb.sec_serv_rec[0]; 1788 1789 btm_cb.p_out_serv = p_serv_rec; 1790 p_dev_rec = btm_find_dev(bd_addr); 1791 1792 for (int i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++) { 1793 if ((p_serv_rec->security_flags & BTM_SEC_IN_USE) && 1794 (p_serv_rec->service_id == service_id) && 1795 (p_serv_rec->orig_mx_chan_id == mx_chan_id)) { 1796 BTM_TRACE_API( 1797 "BTM_SetOutService p_out_serv id %d, psm 0x%04x, proto_id %d, " 1798 "chan_id %d", 1799 p_serv_rec->service_id, p_serv_rec->psm, p_serv_rec->mx_proto_id, 1800 p_serv_rec->orig_mx_chan_id); 1801 btm_cb.p_out_serv = p_serv_rec; 1802 if (p_dev_rec) p_dev_rec->p_cur_service = p_serv_rec; 1803 break; 1804 } 1805 } 1806 } 1807 1808 /************************************************************************ 1809 * I N T E R N A L F U N C T I O N S 1810 ************************************************************************/ 1811 /******************************************************************************* 1812 * 1813 * Function btm_sec_is_upgrade_possible 1814 * 1815 * Description This function returns true if the existing link key 1816 * can be upgraded or if the link key does not exist. 1817 * 1818 * Returns bool 1819 * 1820 ******************************************************************************/ 1821 static bool btm_sec_is_upgrade_possible(tBTM_SEC_DEV_REC* p_dev_rec, 1822 bool is_originator) { 1823 uint16_t mtm_check = is_originator ? BTM_SEC_OUT_MITM : BTM_SEC_IN_MITM; 1824 bool is_possible = true; 1825 1826 if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) { 1827 is_possible = false; 1828 if (p_dev_rec->p_cur_service) { 1829 BTM_TRACE_DEBUG( 1830 "%s() id: %d, link_key_typet: %d, rmt_io_caps: %d, chk flags: 0x%x, " 1831 "flags: 0x%x", 1832 __func__, p_dev_rec->p_cur_service->service_id, 1833 p_dev_rec->link_key_type, p_dev_rec->rmt_io_caps, mtm_check, 1834 p_dev_rec->p_cur_service->security_flags); 1835 } else { 1836 BTM_TRACE_DEBUG( 1837 "%s() link_key_typet: %d, rmt_io_caps: %d, chk flags: 0x%x", __func__, 1838 p_dev_rec->link_key_type, p_dev_rec->rmt_io_caps, mtm_check); 1839 } 1840 /* Already have a link key to the connected peer. Is the link key secure 1841 *enough? 1842 ** Is a link key upgrade even possible? 1843 */ 1844 if ((p_dev_rec->security_required & mtm_check) /* needs MITM */ 1845 && ((p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB) || 1846 (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256)) 1847 /* has unauthenticated 1848 link key */ 1849 && (p_dev_rec->rmt_io_caps < BTM_IO_CAP_MAX) /* a valid peer IO cap */ 1850 && (btm_sec_io_map[p_dev_rec->rmt_io_caps][btm_cb.devcb.loc_io_caps])) 1851 /* authenticated 1852 link key is possible */ 1853 { 1854 /* upgrade is possible: check if the application wants the upgrade. 1855 * If the application is configured to use a global MITM flag, 1856 * it probably would not want to upgrade the link key based on the 1857 * security level database */ 1858 is_possible = true; 1859 } 1860 } 1861 BTM_TRACE_DEBUG("%s() is_possible: %d sec_flags: 0x%x", __func__, is_possible, 1862 p_dev_rec->sec_flags); 1863 return is_possible; 1864 } 1865 1866 /******************************************************************************* 1867 * 1868 * Function btm_sec_check_upgrade 1869 * 1870 * Description This function is called to check if the existing link key 1871 * needs to be upgraded. 1872 * 1873 * Returns void 1874 * 1875 ******************************************************************************/ 1876 static void btm_sec_check_upgrade(tBTM_SEC_DEV_REC* p_dev_rec, 1877 bool is_originator) { 1878 BTM_TRACE_DEBUG("%s()", __func__); 1879 1880 /* Only check if link key already exists */ 1881 if (!(p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)) return; 1882 1883 if (btm_sec_is_upgrade_possible(p_dev_rec, is_originator)) { 1884 BTM_TRACE_DEBUG("need upgrade!! sec_flags:0x%x", p_dev_rec->sec_flags); 1885 /* upgrade is possible: check if the application wants the upgrade. 1886 * If the application is configured to use a global MITM flag, 1887 * it probably would not want to upgrade the link key based on the security 1888 * level database */ 1889 tBTM_SP_UPGRADE evt_data; 1890 evt_data.bd_addr = p_dev_rec->bd_addr; 1891 evt_data.upgrade = true; 1892 if (btm_cb.api.p_sp_callback) 1893 (*btm_cb.api.p_sp_callback)(BTM_SP_UPGRADE_EVT, 1894 (tBTM_SP_EVT_DATA*)&evt_data); 1895 1896 BTM_TRACE_DEBUG("evt_data.upgrade:0x%x", evt_data.upgrade); 1897 if (evt_data.upgrade) { 1898 /* if the application confirms the upgrade, set the upgrade bit */ 1899 p_dev_rec->sm4 |= BTM_SM4_UPGRADE; 1900 1901 /* Clear the link key known to go through authentication/pairing again */ 1902 p_dev_rec->sec_flags &= 1903 ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED); 1904 p_dev_rec->sec_flags &= ~BTM_SEC_AUTHENTICATED; 1905 BTM_TRACE_DEBUG("sec_flags:0x%x", p_dev_rec->sec_flags); 1906 } 1907 } 1908 } 1909 1910 /******************************************************************************* 1911 * 1912 * Function btm_sec_l2cap_access_req 1913 * 1914 * Description This function is called by the L2CAP to grant permission to 1915 * establish L2CAP connection to or from the peer device. 1916 * 1917 * Parameters: bd_addr - Address of the peer device 1918 * psm - L2CAP PSM 1919 * is_originator - true if protocol above L2CAP originates 1920 * connection 1921 * p_callback - Pointer to callback function called if 1922 * this function returns PENDING after required 1923 * procedures are complete. MUST NOT BE NULL. 1924 * 1925 * Returns tBTM_STATUS 1926 * 1927 ******************************************************************************/ 1928 tBTM_STATUS btm_sec_l2cap_access_req(const RawAddress& bd_addr, uint16_t psm, 1929 uint16_t handle, CONNECTION_TYPE conn_type, 1930 tBTM_SEC_CALLBACK* p_callback, 1931 void* p_ref_data) { 1932 tBTM_SEC_DEV_REC* p_dev_rec; 1933 tBTM_SEC_SERV_REC* p_serv_rec; 1934 uint16_t security_required; 1935 uint16_t old_security_required; 1936 bool old_is_originator; 1937 tBTM_STATUS rc = BTM_SUCCESS; 1938 bool chk_acp_auth_done = false; 1939 bool is_originator; 1940 tBT_TRANSPORT transport = 1941 BT_TRANSPORT_BR_EDR; /* should check PSM range in LE connection oriented 1942 L2CAP connection */ 1943 1944 is_originator = conn_type; 1945 1946 BTM_TRACE_DEBUG("%s() is_originator:%d, 0x%x, psm=0x%04x", __func__, 1947 is_originator, p_ref_data, psm); 1948 1949 /* Find or get oldest record */ 1950 p_dev_rec = btm_find_or_alloc_dev(bd_addr); 1951 1952 p_dev_rec->hci_handle = handle; 1953 1954 /* Find the service record for the PSM */ 1955 p_serv_rec = btm_sec_find_first_serv(conn_type, psm); 1956 1957 /* If there is no application registered with this PSM do not allow connection 1958 */ 1959 if (!p_serv_rec) { 1960 BTM_TRACE_WARNING("%s() PSM: %d no application registerd", __func__, psm); 1961 (*p_callback)(&bd_addr, transport, p_ref_data, BTM_MODE_UNSUPPORTED); 1962 return (BTM_MODE_UNSUPPORTED); 1963 } 1964 1965 /* Services level0 by default have no security */ 1966 if ((btm_sec_is_serv_level0(psm)) && 1967 (!btm_cb.devcb.secure_connections_only)) { 1968 (*p_callback)(&bd_addr, transport, p_ref_data, BTM_SUCCESS_NO_SECURITY); 1969 return (BTM_SUCCESS); 1970 } 1971 if (btm_cb.security_mode == BTM_SEC_MODE_SC) { 1972 security_required = btm_sec_set_serv_level4_flags( 1973 p_serv_rec->security_flags, is_originator); 1974 } else { 1975 security_required = p_serv_rec->security_flags; 1976 } 1977 1978 BTM_TRACE_DEBUG( 1979 "%s: security_required 0x%04x, is_originator 0x%02x, psm 0x%04x", 1980 __func__, security_required, is_originator, psm); 1981 1982 if ((!is_originator) && (security_required & BTM_SEC_MODE4_LEVEL4)) { 1983 bool local_supports_sc = 1984 controller_get_interface()->supports_secure_connections(); 1985 /* acceptor receives L2CAP Channel Connect Request for Secure Connections 1986 * Only service */ 1987 if (!(local_supports_sc) || 1988 !(p_dev_rec->remote_supports_secure_connections)) { 1989 BTM_TRACE_DEBUG("%s: SC only service, local_support_for_sc %d", 1990 "rmt_support_for_sc : %d -> fail pairing", __func__, 1991 local_supports_sc, 1992 p_dev_rec->remote_supports_secure_connections); 1993 if (p_callback) 1994 (*p_callback)(&bd_addr, transport, (void*)p_ref_data, 1995 BTM_MODE4_LEVEL4_NOT_SUPPORTED); 1996 1997 return (BTM_MODE4_LEVEL4_NOT_SUPPORTED); 1998 } 1999 } 2000 2001 /* there are some devices (moto KRZR) which connects to several services at 2002 * the same time */ 2003 /* we will process one after another */ 2004 if ((p_dev_rec->p_callback) || 2005 (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)) { 2006 BTM_TRACE_EVENT("%s() - busy - PSM:%d delayed state: %s mode:%d, sm4:0x%x", 2007 __func__, psm, btm_pair_state_descr(btm_cb.pairing_state), 2008 btm_cb.security_mode, p_dev_rec->sm4); 2009 BTM_TRACE_EVENT("security_flags:x%x, sec_flags:x%x", security_required, 2010 p_dev_rec->sec_flags); 2011 rc = BTM_CMD_STARTED; 2012 if ((btm_cb.security_mode == BTM_SEC_MODE_UNDEFINED || 2013 btm_cb.security_mode == BTM_SEC_MODE_NONE || 2014 btm_cb.security_mode == BTM_SEC_MODE_SERVICE || 2015 btm_cb.security_mode == BTM_SEC_MODE_LINK) || 2016 (BTM_SM4_KNOWN == p_dev_rec->sm4) || 2017 (BTM_SEC_IS_SM4(p_dev_rec->sm4) && 2018 (!btm_sec_is_upgrade_possible(p_dev_rec, is_originator)))) { 2019 /* legacy mode - local is legacy or local is lisbon/peer is legacy 2020 * or SM4 with no possibility of link key upgrade */ 2021 if (is_originator) { 2022 if (((security_required & BTM_SEC_OUT_FLAGS) == 0) || 2023 ((((security_required & BTM_SEC_OUT_FLAGS) == 2024 BTM_SEC_OUT_AUTHENTICATE) && 2025 btm_dev_authenticated(p_dev_rec))) || 2026 ((((security_required & BTM_SEC_OUT_FLAGS) == 2027 (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) && 2028 btm_dev_encrypted(p_dev_rec))) || 2029 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_FLAGS) && 2030 btm_dev_authorized(p_dev_rec) && btm_dev_encrypted(p_dev_rec)))) { 2031 rc = BTM_SUCCESS; 2032 } 2033 } else { 2034 if (((security_required & BTM_SEC_IN_FLAGS) == 0) || 2035 (((security_required & BTM_SEC_IN_FLAGS) == 2036 BTM_SEC_IN_AUTHENTICATE) && 2037 btm_dev_authenticated(p_dev_rec)) || 2038 (((security_required & BTM_SEC_IN_FLAGS) == 2039 (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) && 2040 btm_dev_encrypted(p_dev_rec)) || 2041 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHORIZE) && 2042 (btm_dev_authorized(p_dev_rec) || 2043 btm_serv_trusted(p_dev_rec, p_serv_rec))) || 2044 (((security_required & BTM_SEC_IN_FLAGS) == 2045 (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_AUTHORIZE)) && 2046 ((btm_dev_authorized(p_dev_rec) || 2047 btm_serv_trusted(p_dev_rec, p_serv_rec)) && 2048 btm_dev_authenticated(p_dev_rec))) || 2049 (((security_required & BTM_SEC_IN_FLAGS) == 2050 (BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHORIZE)) && 2051 ((btm_dev_authorized(p_dev_rec) || 2052 btm_serv_trusted(p_dev_rec, p_serv_rec)) && 2053 btm_dev_encrypted(p_dev_rec))) || 2054 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_FLAGS) && 2055 btm_dev_encrypted(p_dev_rec) && 2056 (btm_dev_authorized(p_dev_rec) || 2057 btm_serv_trusted(p_dev_rec, p_serv_rec)))) { 2058 // Check for 16 digits (or MITM) 2059 if (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == 0) || 2060 (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == 2061 BTM_SEC_IN_MIN_16_DIGIT_PIN) && 2062 btm_dev_16_digit_authenticated(p_dev_rec))) { 2063 rc = BTM_SUCCESS; 2064 } 2065 } 2066 } 2067 2068 if ((rc == BTM_SUCCESS) && (security_required & BTM_SEC_MODE4_LEVEL4) && 2069 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256)) { 2070 rc = BTM_CMD_STARTED; 2071 } 2072 2073 if (rc == BTM_SUCCESS) { 2074 if (p_callback) 2075 (*p_callback)(&bd_addr, transport, (void*)p_ref_data, BTM_SUCCESS); 2076 return (BTM_SUCCESS); 2077 } 2078 } 2079 2080 btm_cb.sec_req_pending = true; 2081 return (BTM_CMD_STARTED); 2082 } 2083 2084 /* Save pointer to service record */ 2085 p_dev_rec->p_cur_service = p_serv_rec; 2086 2087 /* Modify security_required in btm_sec_l2cap_access_req for Lisbon */ 2088 if (btm_cb.security_mode == BTM_SEC_MODE_SP || 2089 btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG || 2090 btm_cb.security_mode == BTM_SEC_MODE_SC) { 2091 if (BTM_SEC_IS_SM4(p_dev_rec->sm4)) { 2092 if (is_originator) { 2093 /* SM4 to SM4 -> always authenticate & encrypt */ 2094 security_required |= (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT); 2095 } else /* acceptor */ 2096 { 2097 /* SM4 to SM4: the acceptor needs to make sure the authentication is 2098 * already done */ 2099 chk_acp_auth_done = true; 2100 /* SM4 to SM4 -> always authenticate & encrypt */ 2101 security_required |= (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT); 2102 } 2103 } else if (!(BTM_SM4_KNOWN & p_dev_rec->sm4)) { 2104 /* the remote features are not known yet */ 2105 BTM_TRACE_DEBUG("%s: (%s) remote features unknown!!sec_flags:0x%02x", 2106 __func__, (is_originator) ? "initiator" : "acceptor", 2107 p_dev_rec->sec_flags); 2108 2109 p_dev_rec->sm4 |= BTM_SM4_REQ_PEND; 2110 return (BTM_CMD_STARTED); 2111 } 2112 } 2113 2114 BTM_TRACE_DEBUG( 2115 "%s() sm4:0x%x, sec_flags:0x%x, security_required:0x%x chk:%d", __func__, 2116 p_dev_rec->sm4, p_dev_rec->sec_flags, security_required, 2117 chk_acp_auth_done); 2118 2119 old_security_required = p_dev_rec->security_required; 2120 old_is_originator = p_dev_rec->is_originator; 2121 p_dev_rec->security_required = security_required; 2122 p_dev_rec->p_ref_data = p_ref_data; 2123 p_dev_rec->is_originator = is_originator; 2124 2125 /* If there are multiple service records used through the same PSM */ 2126 /* leave security decision for the multiplexor on the top */ 2127 if ((btm_sec_find_next_serv(p_serv_rec)) != NULL) { 2128 BTM_TRACE_DEBUG("no next_serv sm4:0x%x, chk:%d", p_dev_rec->sm4, 2129 chk_acp_auth_done); 2130 if (!BTM_SEC_IS_SM4(p_dev_rec->sm4)) { 2131 BTM_TRACE_EVENT( 2132 "Security Manager: l2cap_access_req PSM:%d postponed for multiplexer", 2133 psm); 2134 /* pre-Lisbon: restore the old settings */ 2135 p_dev_rec->security_required = old_security_required; 2136 p_dev_rec->is_originator = old_is_originator; 2137 2138 (*p_callback)(&bd_addr, transport, p_ref_data, BTM_SUCCESS); 2139 2140 return (BTM_SUCCESS); 2141 } 2142 } 2143 2144 /* if the originator is using dynamic PSM in legacy mode, do not start any 2145 * security process now 2146 * The layer above L2CAP needs to carry out the security requirement after 2147 * L2CAP connect 2148 * response is received */ 2149 if (is_originator && 2150 ((btm_cb.security_mode == BTM_SEC_MODE_UNDEFINED || 2151 btm_cb.security_mode == BTM_SEC_MODE_NONE || 2152 btm_cb.security_mode == BTM_SEC_MODE_SERVICE || 2153 btm_cb.security_mode == BTM_SEC_MODE_LINK) || 2154 !BTM_SEC_IS_SM4(p_dev_rec->sm4)) && 2155 (psm >= 0x1001)) { 2156 BTM_TRACE_EVENT( 2157 "dynamic PSM:0x%x in legacy mode - postponed for upper layer", psm); 2158 /* restore the old settings */ 2159 p_dev_rec->security_required = old_security_required; 2160 p_dev_rec->is_originator = old_is_originator; 2161 2162 (*p_callback)(&bd_addr, transport, p_ref_data, BTM_SUCCESS); 2163 2164 return (BTM_SUCCESS); 2165 } 2166 2167 if (chk_acp_auth_done) { 2168 BTM_TRACE_DEBUG( 2169 "(SM4 to SM4) btm_sec_l2cap_access_req rspd. authenticated: x%x, enc: " 2170 "x%x", 2171 (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED), 2172 (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)); 2173 /* SM4, but we do not know for sure which level of security we need. 2174 * as long as we have a link key, it's OK */ 2175 if ((0 == (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)) || 2176 (0 == (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))) { 2177 rc = BTM_DELAY_CHECK; 2178 /* 2179 2046 may report HCI_Encryption_Change and L2C Connection Request out of 2180 sequence 2181 because of data path issues. Delay this disconnect a little bit 2182 */ 2183 LOG_INFO( 2184 LOG_TAG, 2185 "%s peer should have initiated security process by now (SM4 to SM4)", 2186 __func__); 2187 p_dev_rec->p_callback = p_callback; 2188 p_dev_rec->sec_state = BTM_SEC_STATE_DELAY_FOR_ENC; 2189 (*p_callback)(&bd_addr, transport, p_ref_data, rc); 2190 2191 return BTM_SUCCESS; 2192 } 2193 } 2194 2195 p_dev_rec->p_callback = p_callback; 2196 2197 if (p_dev_rec->last_author_service_id == BTM_SEC_NO_LAST_SERVICE_ID || 2198 p_dev_rec->last_author_service_id != 2199 p_dev_rec->p_cur_service->service_id) { 2200 /* Although authentication and encryption are per connection 2201 ** authorization is per access request. For example when serial connection 2202 ** is up and authorized and client requests to read file (access to other 2203 ** scn), we need to request user's permission again. 2204 */ 2205 p_dev_rec->sec_flags &= ~BTM_SEC_AUTHORIZED; 2206 } 2207 2208 if (BTM_SEC_IS_SM4(p_dev_rec->sm4)) { 2209 if ((p_dev_rec->security_required & BTM_SEC_MODE4_LEVEL4) && 2210 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256)) { 2211 /* BTM_LKEY_TYPE_AUTH_COMB_P_256 is the only acceptable key in this case 2212 */ 2213 if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) != 0) { 2214 p_dev_rec->sm4 |= BTM_SM4_UPGRADE; 2215 } 2216 p_dev_rec->sec_flags &= 2217 ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED | 2218 BTM_SEC_AUTHENTICATED); 2219 BTM_TRACE_DEBUG("%s: sec_flags:0x%x", __func__, p_dev_rec->sec_flags); 2220 } else { 2221 /* If we already have a link key to the connected peer, is it secure 2222 * enough? */ 2223 btm_sec_check_upgrade(p_dev_rec, is_originator); 2224 } 2225 } 2226 2227 BTM_TRACE_EVENT( 2228 "%s() PSM:%d Handle:%d State:%d Flags: 0x%x Required: 0x%x Service ID:%d", 2229 __func__, psm, handle, p_dev_rec->sec_state, p_dev_rec->sec_flags, 2230 p_dev_rec->security_required, p_dev_rec->p_cur_service->service_id); 2231 2232 rc = btm_sec_execute_procedure(p_dev_rec); 2233 if (rc != BTM_CMD_STARTED) { 2234 BTM_TRACE_DEBUG("%s: p_dev_rec=%p, clearing callback. old p_callback=%p", 2235 __func__, p_dev_rec, p_dev_rec->p_callback); 2236 p_dev_rec->p_callback = NULL; 2237 (*p_callback)(&bd_addr, transport, p_dev_rec->p_ref_data, (uint8_t)rc); 2238 } 2239 2240 return (rc); 2241 } 2242 2243 /******************************************************************************* 2244 * 2245 * Function btm_sec_mx_access_request 2246 * 2247 * Description This function is called by all Multiplexing Protocols during 2248 * establishing connection to or from peer device to grant 2249 * permission to establish application connection. 2250 * 2251 * Parameters: bd_addr - Address of the peer device 2252 * psm - L2CAP PSM 2253 * is_originator - true if protocol above L2CAP originates 2254 * connection 2255 * mx_proto_id - protocol ID of the multiplexer 2256 * mx_chan_id - multiplexer channel to reach application 2257 * p_callback - Pointer to callback function called if 2258 * this function returns PENDING after required 2259 * procedures are completed 2260 * p_ref_data - Pointer to any reference data needed by the 2261 * the callback function. 2262 * 2263 * Returns BTM_CMD_STARTED 2264 * 2265 ******************************************************************************/ 2266 tBTM_STATUS btm_sec_mx_access_request(const RawAddress& bd_addr, uint16_t psm, 2267 bool is_originator, uint32_t mx_proto_id, 2268 uint32_t mx_chan_id, 2269 tBTM_SEC_CALLBACK* p_callback, 2270 void* p_ref_data) { 2271 tBTM_SEC_DEV_REC* p_dev_rec; 2272 tBTM_SEC_SERV_REC* p_serv_rec; 2273 tBTM_STATUS rc; 2274 uint16_t security_required; 2275 bool transport = false; /* should check PSM range in LE connection oriented 2276 L2CAP connection */ 2277 2278 BTM_TRACE_DEBUG("%s() is_originator: %d", __func__, is_originator); 2279 /* Find or get oldest record */ 2280 p_dev_rec = btm_find_or_alloc_dev(bd_addr); 2281 2282 /* Find the service record for the PSM */ 2283 p_serv_rec = 2284 btm_sec_find_mx_serv(is_originator, psm, mx_proto_id, mx_chan_id); 2285 2286 /* If there is no application registered with this PSM do not allow connection 2287 */ 2288 if (!p_serv_rec) { 2289 if (p_callback) 2290 (*p_callback)(&bd_addr, transport, p_ref_data, BTM_MODE_UNSUPPORTED); 2291 2292 BTM_TRACE_ERROR( 2293 "Security Manager: MX service not found PSM:%d Proto:%d SCN:%d", psm, 2294 mx_proto_id, mx_chan_id); 2295 return BTM_NO_RESOURCES; 2296 } 2297 2298 if ((btm_cb.security_mode == BTM_SEC_MODE_SC) && 2299 (!btm_sec_is_serv_level0(psm))) { 2300 security_required = btm_sec_set_serv_level4_flags( 2301 p_serv_rec->security_flags, is_originator); 2302 } else { 2303 security_required = p_serv_rec->security_flags; 2304 } 2305 2306 /* there are some devices (moto phone) which connects to several services at 2307 * the same time */ 2308 /* we will process one after another */ 2309 if ((p_dev_rec->p_callback) || 2310 (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)) { 2311 BTM_TRACE_EVENT("%s() service PSM:%d Proto:%d SCN:%d delayed state: %s", 2312 __func__, psm, mx_proto_id, mx_chan_id, 2313 btm_pair_state_descr(btm_cb.pairing_state)); 2314 2315 rc = BTM_CMD_STARTED; 2316 2317 if ((btm_cb.security_mode == BTM_SEC_MODE_UNDEFINED || 2318 btm_cb.security_mode == BTM_SEC_MODE_NONE || 2319 btm_cb.security_mode == BTM_SEC_MODE_SERVICE || 2320 btm_cb.security_mode == BTM_SEC_MODE_LINK) || 2321 (BTM_SM4_KNOWN == p_dev_rec->sm4) || 2322 (BTM_SEC_IS_SM4(p_dev_rec->sm4) && 2323 (!btm_sec_is_upgrade_possible(p_dev_rec, is_originator)))) { 2324 /* legacy mode - local is legacy or local is lisbon/peer is legacy 2325 * or SM4 with no possibility of link key upgrade */ 2326 if (is_originator) { 2327 if (((security_required & BTM_SEC_OUT_FLAGS) == 0) || 2328 ((((security_required & BTM_SEC_OUT_FLAGS) == 2329 BTM_SEC_OUT_AUTHENTICATE) && 2330 btm_dev_authenticated(p_dev_rec))) || 2331 ((((security_required & BTM_SEC_OUT_FLAGS) == 2332 (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) && 2333 btm_dev_encrypted(p_dev_rec)))) { 2334 rc = BTM_SUCCESS; 2335 } 2336 } else { 2337 if (((security_required & BTM_SEC_IN_FLAGS) == 0) || 2338 ((((security_required & BTM_SEC_IN_FLAGS) == 2339 BTM_SEC_IN_AUTHENTICATE) && 2340 btm_dev_authenticated(p_dev_rec))) || 2341 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHORIZE) && 2342 (btm_dev_authorized(p_dev_rec) || 2343 btm_serv_trusted(p_dev_rec, p_serv_rec))) || 2344 (((security_required & BTM_SEC_IN_FLAGS) == 2345 (BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_AUTHENTICATE)) && 2346 ((btm_dev_authorized(p_dev_rec) || 2347 btm_serv_trusted(p_dev_rec, p_serv_rec)) && 2348 btm_dev_authenticated(p_dev_rec))) || 2349 (((security_required & BTM_SEC_IN_FLAGS) == 2350 (BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT)) && 2351 ((btm_dev_authorized(p_dev_rec) || 2352 btm_serv_trusted(p_dev_rec, p_serv_rec)) && 2353 btm_dev_encrypted(p_dev_rec))) || 2354 ((((security_required & BTM_SEC_IN_FLAGS) == 2355 (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) && 2356 btm_dev_encrypted(p_dev_rec)))) { 2357 // Check for 16 digits (or MITM) 2358 if (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == 0) || 2359 (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == 2360 BTM_SEC_IN_MIN_16_DIGIT_PIN) && 2361 btm_dev_16_digit_authenticated(p_dev_rec))) { 2362 rc = BTM_SUCCESS; 2363 } 2364 } 2365 } 2366 if ((rc == BTM_SUCCESS) && (security_required & BTM_SEC_MODE4_LEVEL4) && 2367 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256)) { 2368 rc = BTM_CMD_STARTED; 2369 } 2370 } 2371 2372 if (rc == BTM_SUCCESS) { 2373 BTM_TRACE_EVENT("%s: allow to bypass, checking authorization", __func__); 2374 /* the security in BTM_SEC_IN_FLAGS is fullfilled so far, check the 2375 * requirements in */ 2376 /* btm_sec_execute_procedure */ 2377 if ((is_originator && 2378 (p_serv_rec->security_flags & BTM_SEC_OUT_AUTHORIZE)) || 2379 (!is_originator && 2380 (p_serv_rec->security_flags & BTM_SEC_IN_AUTHORIZE))) { 2381 BTM_TRACE_EVENT("%s: still need authorization", __func__); 2382 rc = BTM_CMD_STARTED; 2383 } 2384 } 2385 2386 /* Check whether there is a pending security procedure, if so we should 2387 * always queue */ 2388 /* the new security request */ 2389 if (p_dev_rec->sec_state != BTM_SEC_STATE_IDLE) { 2390 BTM_TRACE_EVENT("%s: There is a pending security procedure", __func__); 2391 rc = BTM_CMD_STARTED; 2392 } 2393 if (rc == BTM_CMD_STARTED) { 2394 BTM_TRACE_EVENT("%s: call btm_sec_queue_mx_request", __func__); 2395 btm_sec_queue_mx_request(bd_addr, psm, is_originator, mx_proto_id, 2396 mx_chan_id, p_callback, p_ref_data); 2397 } else /* rc == BTM_SUCCESS */ 2398 { 2399 /* access granted */ 2400 if (p_callback) { 2401 (*p_callback)(&bd_addr, transport, p_ref_data, (uint8_t)rc); 2402 } 2403 } 2404 2405 BTM_TRACE_EVENT("%s: return with rc = 0x%02x in delayed state %s", __func__, 2406 rc, btm_pair_state_descr(btm_cb.pairing_state)); 2407 return rc; 2408 } 2409 2410 if ((!is_originator) && ((security_required & BTM_SEC_MODE4_LEVEL4) || 2411 (btm_cb.security_mode == BTM_SEC_MODE_SC))) { 2412 bool local_supports_sc = 2413 controller_get_interface()->supports_secure_connections(); 2414 /* acceptor receives service connection establishment Request for */ 2415 /* Secure Connections Only service */ 2416 if (!(local_supports_sc) || 2417 !(p_dev_rec->remote_supports_secure_connections)) { 2418 BTM_TRACE_DEBUG("%s: SC only service,local_support_for_sc %d,", 2419 "remote_support_for_sc %d: fail pairing", __func__, 2420 local_supports_sc, 2421 p_dev_rec->remote_supports_secure_connections); 2422 2423 if (p_callback) 2424 (*p_callback)(&bd_addr, transport, (void*)p_ref_data, 2425 BTM_MODE4_LEVEL4_NOT_SUPPORTED); 2426 2427 return (BTM_MODE4_LEVEL4_NOT_SUPPORTED); 2428 } 2429 } 2430 2431 p_dev_rec->p_cur_service = p_serv_rec; 2432 p_dev_rec->security_required = security_required; 2433 2434 if (btm_cb.security_mode == BTM_SEC_MODE_SP || 2435 btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG || 2436 btm_cb.security_mode == BTM_SEC_MODE_SC) { 2437 if (BTM_SEC_IS_SM4(p_dev_rec->sm4)) { 2438 if ((p_dev_rec->security_required & BTM_SEC_MODE4_LEVEL4) && 2439 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256)) { 2440 /* BTM_LKEY_TYPE_AUTH_COMB_P_256 is the only acceptable key in this case 2441 */ 2442 if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) != 0) { 2443 p_dev_rec->sm4 |= BTM_SM4_UPGRADE; 2444 } 2445 2446 p_dev_rec->sec_flags &= 2447 ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED | 2448 BTM_SEC_AUTHENTICATED); 2449 BTM_TRACE_DEBUG("%s: sec_flags:0x%x", __func__, p_dev_rec->sec_flags); 2450 } else { 2451 /* If we already have a link key, check if that link key is good enough 2452 */ 2453 btm_sec_check_upgrade(p_dev_rec, is_originator); 2454 } 2455 } 2456 } 2457 2458 p_dev_rec->is_originator = is_originator; 2459 p_dev_rec->p_callback = p_callback; 2460 p_dev_rec->p_ref_data = p_ref_data; 2461 2462 /* Although authentication and encryption are per connection */ 2463 /* authorization is per access request. For example when serial connection */ 2464 /* is up and authorized and client requests to read file (access to other */ 2465 /* scn, we need to request user's permission again. */ 2466 p_dev_rec->sec_flags &= ~(BTM_SEC_AUTHORIZED); 2467 2468 BTM_TRACE_EVENT( 2469 "%s() proto_id:%d chan_id:%d State:%d Flags:0x%x Required:0x%x Service " 2470 "ID:%d", 2471 __func__, mx_proto_id, mx_chan_id, p_dev_rec->sec_state, 2472 p_dev_rec->sec_flags, p_dev_rec->security_required, 2473 p_dev_rec->p_cur_service->service_id); 2474 2475 rc = btm_sec_execute_procedure(p_dev_rec); 2476 if (rc != BTM_CMD_STARTED) { 2477 if (p_callback) { 2478 p_dev_rec->p_callback = NULL; 2479 (*p_callback)(&bd_addr, transport, p_ref_data, (uint8_t)rc); 2480 } 2481 } 2482 2483 return rc; 2484 } 2485 2486 /******************************************************************************* 2487 * 2488 * Function btm_sec_conn_req 2489 * 2490 * Description This function is when the peer device is requesting 2491 * connection 2492 * 2493 * Returns void 2494 * 2495 ******************************************************************************/ 2496 void btm_sec_conn_req(const RawAddress& bda, uint8_t* dc) { 2497 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bda); 2498 2499 /* Some device may request a connection before we are done with the HCI_Reset 2500 * sequence */ 2501 if (!controller_get_interface()->get_is_ready()) { 2502 BTM_TRACE_EVENT("Security Manager: connect request when device not ready"); 2503 btsnd_hcic_reject_conn(bda, HCI_ERR_HOST_REJECT_DEVICE); 2504 return; 2505 } 2506 2507 /* Security guys wants us not to allow connection from not paired devices */ 2508 2509 /* Check if connection is allowed for only paired devices */ 2510 if (btm_cb.connect_only_paired) { 2511 if (!p_dev_rec || !(p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED)) { 2512 BTM_TRACE_EVENT( 2513 "Security Manager: connect request from non-paired device"); 2514 btsnd_hcic_reject_conn(bda, HCI_ERR_HOST_REJECT_DEVICE); 2515 return; 2516 } 2517 } 2518 2519 #if (BTM_ALLOW_CONN_IF_NONDISCOVER == FALSE) 2520 /* If non-discoverable, only allow known devices to connect */ 2521 if (btm_cb.btm_inq_vars.discoverable_mode == BTM_NON_DISCOVERABLE) { 2522 if (!p_dev_rec) { 2523 BTM_TRACE_EVENT( 2524 "Security Manager: connect request from not paired device"); 2525 btsnd_hcic_reject_conn(bda, HCI_ERR_HOST_REJECT_DEVICE); 2526 return; 2527 } 2528 } 2529 #endif 2530 2531 if ((btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) && 2532 (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) && 2533 (btm_cb.pairing_bda == bda)) { 2534 BTM_TRACE_EVENT( 2535 "Security Manager: reject connect request from bonding device"); 2536 2537 /* incoming connection from bonding device is rejected */ 2538 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_REJECTED_CONNECT; 2539 btsnd_hcic_reject_conn(bda, HCI_ERR_HOST_REJECT_DEVICE); 2540 return; 2541 } 2542 2543 /* Host is not interested or approved connection. Save BDA and DC and */ 2544 /* pass request to L2CAP */ 2545 btm_cb.connecting_bda = bda; 2546 memcpy(btm_cb.connecting_dc, dc, DEV_CLASS_LEN); 2547 2548 if (l2c_link_hci_conn_req(bda)) { 2549 if (!p_dev_rec) { 2550 /* accept the connection -> allocate a device record */ 2551 p_dev_rec = btm_sec_alloc_dev(bda); 2552 } 2553 if (p_dev_rec) { 2554 p_dev_rec->sm4 |= BTM_SM4_CONN_PEND; 2555 } 2556 } 2557 } 2558 2559 /******************************************************************************* 2560 * 2561 * Function btm_sec_bond_cancel_complete 2562 * 2563 * Description This function is called to report bond cancel complete 2564 * event. 2565 * 2566 * Returns void 2567 * 2568 ******************************************************************************/ 2569 static void btm_sec_bond_cancel_complete(void) { 2570 tBTM_SEC_DEV_REC* p_dev_rec; 2571 2572 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE) || 2573 (BTM_PAIR_STATE_WAIT_LOCAL_PIN == btm_cb.pairing_state && 2574 BTM_PAIR_FLAGS_WE_STARTED_DD & btm_cb.pairing_flags) || 2575 (btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME && 2576 BTM_PAIR_FLAGS_WE_CANCEL_DD & btm_cb.pairing_flags)) { 2577 /* for dedicated bonding in legacy mode, authentication happens at "link 2578 * level" 2579 * btm_sec_connected is called with failed status. 2580 * In theory, the code that handles is_pairing_device/true should clean out 2581 * security related code. 2582 * However, this function may clean out the security related flags and 2583 * btm_sec_connected would not know 2584 * this function also needs to do proper clean up. 2585 */ 2586 p_dev_rec = btm_find_dev(btm_cb.pairing_bda); 2587 if (p_dev_rec != NULL) p_dev_rec->security_required = BTM_SEC_NONE; 2588 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE); 2589 2590 /* Notify application that the cancel succeeded */ 2591 if (btm_cb.api.p_bond_cancel_cmpl_callback) 2592 btm_cb.api.p_bond_cancel_cmpl_callback(BTM_SUCCESS); 2593 } 2594 } 2595 2596 /******************************************************************************* 2597 * 2598 * Function btm_create_conn_cancel_complete 2599 * 2600 * Description This function is called when the command complete message 2601 * is received from the HCI for the create connection cancel 2602 * command. 2603 * 2604 * Returns void 2605 * 2606 ******************************************************************************/ 2607 void btm_create_conn_cancel_complete(uint8_t* p) { 2608 uint8_t status; 2609 2610 STREAM_TO_UINT8(status, p); 2611 BTM_TRACE_EVENT("btm_create_conn_cancel_complete(): in State: %s status:%d", 2612 btm_pair_state_descr(btm_cb.pairing_state), status); 2613 2614 /* if the create conn cancel cmd was issued by the bond cancel, 2615 ** the application needs to be notified that bond cancel succeeded 2616 */ 2617 switch (status) { 2618 case HCI_SUCCESS: 2619 btm_sec_bond_cancel_complete(); 2620 break; 2621 case HCI_ERR_CONNECTION_EXISTS: 2622 case HCI_ERR_NO_CONNECTION: 2623 default: 2624 /* Notify application of the error */ 2625 if (btm_cb.api.p_bond_cancel_cmpl_callback) 2626 btm_cb.api.p_bond_cancel_cmpl_callback(BTM_ERR_PROCESSING); 2627 break; 2628 } 2629 } 2630 2631 /******************************************************************************* 2632 * 2633 * Function btm_sec_check_pending_reqs 2634 * 2635 * Description This function is called at the end of the security procedure 2636 * to let L2CAP and RFCOMM know to re-submit any pending 2637 * requests 2638 * 2639 * Returns void 2640 * 2641 ******************************************************************************/ 2642 void btm_sec_check_pending_reqs(void) { 2643 if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE) { 2644 /* First, resubmit L2CAP requests */ 2645 if (btm_cb.sec_req_pending) { 2646 btm_cb.sec_req_pending = false; 2647 l2cu_resubmit_pending_sec_req(nullptr); 2648 } 2649 2650 /* Now, re-submit anything in the mux queue */ 2651 fixed_queue_t* bq = btm_cb.sec_pending_q; 2652 2653 btm_cb.sec_pending_q = fixed_queue_new(SIZE_MAX); 2654 2655 tBTM_SEC_QUEUE_ENTRY* p_e; 2656 while ((p_e = (tBTM_SEC_QUEUE_ENTRY*)fixed_queue_try_dequeue(bq)) != NULL) { 2657 /* Check that the ACL is still up before starting security procedures */ 2658 if (btm_bda_to_acl(p_e->bd_addr, p_e->transport) != NULL) { 2659 if (p_e->psm != 0) { 2660 BTM_TRACE_EVENT( 2661 "%s PSM:0x%04x Is_Orig:%u mx_proto_id:%u mx_chan_id:%u", __func__, 2662 p_e->psm, p_e->is_orig, p_e->mx_proto_id, p_e->mx_chan_id); 2663 2664 btm_sec_mx_access_request(p_e->bd_addr, p_e->psm, p_e->is_orig, 2665 p_e->mx_proto_id, p_e->mx_chan_id, 2666 p_e->p_callback, p_e->p_ref_data); 2667 } else { 2668 BTM_SetEncryption(p_e->bd_addr, p_e->transport, p_e->p_callback, 2669 p_e->p_ref_data, p_e->sec_act); 2670 } 2671 } 2672 2673 osi_free(p_e); 2674 } 2675 fixed_queue_free(bq, NULL); 2676 } 2677 } 2678 2679 /******************************************************************************* 2680 * 2681 * Function btm_sec_init 2682 * 2683 * Description This function is on the SEC startup 2684 * 2685 * Returns void 2686 * 2687 ******************************************************************************/ 2688 void btm_sec_init(uint8_t sec_mode) { 2689 btm_cb.security_mode = sec_mode; 2690 btm_cb.pairing_bda = RawAddress::kAny; 2691 btm_cb.max_collision_delay = BTM_SEC_MAX_COLLISION_DELAY; 2692 } 2693 2694 /******************************************************************************* 2695 * 2696 * Function btm_sec_device_down 2697 * 2698 * Description This function should be called when device is disabled or 2699 * turned off 2700 * 2701 * Returns void 2702 * 2703 ******************************************************************************/ 2704 void btm_sec_device_down(void) { 2705 BTM_TRACE_EVENT("%s() State: %s", __func__, 2706 btm_pair_state_descr(btm_cb.pairing_state)); 2707 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE); 2708 } 2709 2710 /******************************************************************************* 2711 * 2712 * Function btm_sec_dev_reset 2713 * 2714 * Description This function should be called after device reset 2715 * 2716 * Returns void 2717 * 2718 ******************************************************************************/ 2719 void btm_sec_dev_reset(void) { 2720 if (controller_get_interface()->supports_simple_pairing()) { 2721 /* set the default IO capabilities */ 2722 btm_cb.devcb.loc_io_caps = BTM_LOCAL_IO_CAPS; 2723 /* add mx service to use no security */ 2724 BTM_SetSecurityLevel(false, "RFC_MUX", BTM_SEC_SERVICE_RFC_MUX, 2725 BTM_SEC_NONE, BT_PSM_RFCOMM, BTM_SEC_PROTO_RFCOMM, 0); 2726 } else { 2727 btm_cb.security_mode = BTM_SEC_MODE_SERVICE; 2728 } 2729 2730 BTM_TRACE_DEBUG("btm_sec_dev_reset sec mode: %d", btm_cb.security_mode); 2731 } 2732 2733 /******************************************************************************* 2734 * 2735 * Function btm_sec_abort_access_req 2736 * 2737 * Description This function is called by the L2CAP or RFCOMM to abort 2738 * the pending operation. 2739 * 2740 * Parameters: bd_addr - Address of the peer device 2741 * 2742 * Returns void 2743 * 2744 ******************************************************************************/ 2745 void btm_sec_abort_access_req(const RawAddress& bd_addr) { 2746 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr); 2747 2748 if (!p_dev_rec) return; 2749 2750 if ((p_dev_rec->sec_state != BTM_SEC_STATE_AUTHORIZING) && 2751 (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING)) 2752 return; 2753 2754 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE; 2755 2756 BTM_TRACE_DEBUG("%s: clearing callback. p_dev_rec=%p, p_callback=%p", 2757 __func__, p_dev_rec, p_dev_rec->p_callback); 2758 p_dev_rec->p_callback = NULL; 2759 } 2760 2761 /******************************************************************************* 2762 * 2763 * Function btm_sec_dd_create_conn 2764 * 2765 * Description This function is called to create the ACL connection for 2766 * the dedicated boding process 2767 * 2768 * Returns void 2769 * 2770 ******************************************************************************/ 2771 static tBTM_STATUS btm_sec_dd_create_conn(tBTM_SEC_DEV_REC* p_dev_rec) { 2772 tL2C_LCB* p_lcb = 2773 l2cu_find_lcb_by_bd_addr(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR); 2774 if (p_lcb && (p_lcb->link_state == LST_CONNECTED || 2775 p_lcb->link_state == LST_CONNECTING)) { 2776 BTM_TRACE_WARNING("%s Connection already exists", __func__); 2777 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_PIN_REQ); 2778 return BTM_CMD_STARTED; 2779 } 2780 2781 /* Make sure an L2cap link control block is available */ 2782 if (!p_lcb && (p_lcb = l2cu_allocate_lcb(p_dev_rec->bd_addr, true, 2783 BT_TRANSPORT_BR_EDR)) == NULL) { 2784 LOG(WARNING) << "Security Manager: failed allocate LCB " 2785 << p_dev_rec->bd_addr; 2786 2787 return (BTM_NO_RESOURCES); 2788 } 2789 2790 /* set up the control block to indicated dedicated bonding */ 2791 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_DISC_WHEN_DONE; 2792 2793 if (!l2cu_create_conn(p_lcb, BT_TRANSPORT_BR_EDR)) { 2794 LOG(WARNING) << "Security Manager: failed create allocate LCB " 2795 << p_dev_rec->bd_addr; 2796 2797 l2cu_release_lcb(p_lcb); 2798 return (BTM_NO_RESOURCES); 2799 } 2800 2801 btm_acl_update_busy_level(BTM_BLI_PAGE_EVT); 2802 2803 VLOG(1) << "Security Manager: " << p_dev_rec->bd_addr; 2804 2805 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_PIN_REQ); 2806 2807 return (BTM_CMD_STARTED); 2808 } 2809 2810 bool is_state_getting_name(void* data, void* context) { 2811 tBTM_SEC_DEV_REC* p_dev_rec = static_cast<tBTM_SEC_DEV_REC*>(data); 2812 2813 if (p_dev_rec->sec_state == BTM_SEC_STATE_GETTING_NAME) { 2814 return false; 2815 } 2816 return true; 2817 } 2818 2819 /******************************************************************************* 2820 * 2821 * Function btm_sec_rmt_name_request_complete 2822 * 2823 * Description This function is called when remote name was obtained from 2824 * the peer device 2825 * 2826 * Returns void 2827 * 2828 ******************************************************************************/ 2829 void btm_sec_rmt_name_request_complete(const RawAddress* p_bd_addr, 2830 uint8_t* p_bd_name, uint8_t status) { 2831 tBTM_SEC_DEV_REC* p_dev_rec; 2832 int i; 2833 DEV_CLASS dev_class; 2834 uint8_t old_sec_state; 2835 2836 BTM_TRACE_EVENT("btm_sec_rmt_name_request_complete"); 2837 if ((!p_bd_addr && !BTM_ACL_IS_CONNECTED(btm_cb.connecting_bda)) || 2838 (p_bd_addr && !BTM_ACL_IS_CONNECTED(*p_bd_addr))) { 2839 btm_acl_resubmit_page(); 2840 } 2841 2842 /* If remote name request failed, p_bd_addr is null and we need to search */ 2843 /* based on state assuming that we are doing 1 at a time */ 2844 if (p_bd_addr) 2845 p_dev_rec = btm_find_dev(*p_bd_addr); 2846 else { 2847 list_node_t* node = 2848 list_foreach(btm_cb.sec_dev_rec, is_state_getting_name, NULL); 2849 if (node != NULL) { 2850 p_dev_rec = static_cast<tBTM_SEC_DEV_REC*>(list_node(node)); 2851 p_bd_addr = &p_dev_rec->bd_addr; 2852 } else { 2853 p_dev_rec = NULL; 2854 } 2855 } 2856 2857 /* Commenting out trace due to obf/compilation problems. 2858 */ 2859 if (!p_bd_name) p_bd_name = (uint8_t*)""; 2860 2861 if (p_dev_rec) { 2862 BTM_TRACE_EVENT( 2863 "%s PairState: %s RemName: %s status: %d State:%d p_dev_rec: " 2864 "0x%08x ", 2865 __func__, btm_pair_state_descr(btm_cb.pairing_state), p_bd_name, status, 2866 p_dev_rec->sec_state, p_dev_rec); 2867 } else { 2868 BTM_TRACE_EVENT("%s PairState: %s RemName: %s status: %d", __func__, 2869 btm_pair_state_descr(btm_cb.pairing_state), p_bd_name, 2870 status); 2871 } 2872 2873 if (p_dev_rec) { 2874 old_sec_state = p_dev_rec->sec_state; 2875 if (status == HCI_SUCCESS) { 2876 strlcpy((char*)p_dev_rec->sec_bd_name, (char*)p_bd_name, 2877 BTM_MAX_REM_BD_NAME_LEN); 2878 p_dev_rec->sec_flags |= BTM_SEC_NAME_KNOWN; 2879 BTM_TRACE_EVENT("setting BTM_SEC_NAME_KNOWN sec_flags:0x%x", 2880 p_dev_rec->sec_flags); 2881 } else { 2882 /* Notify all clients waiting for name to be resolved even if it failed so 2883 * clients can continue */ 2884 p_dev_rec->sec_bd_name[0] = 0; 2885 } 2886 2887 if (p_dev_rec->sec_state == BTM_SEC_STATE_GETTING_NAME) 2888 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE; 2889 2890 /* Notify all clients waiting for name to be resolved */ 2891 for (i = 0; i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++) { 2892 if (btm_cb.p_rmt_name_callback[i] && p_bd_addr) 2893 (*btm_cb.p_rmt_name_callback[i])(*p_bd_addr, p_dev_rec->dev_class, 2894 p_dev_rec->sec_bd_name); 2895 } 2896 } else { 2897 dev_class[0] = 0; 2898 dev_class[1] = 0; 2899 dev_class[2] = 0; 2900 2901 /* Notify all clients waiting for name to be resolved even if not found so 2902 * clients can continue */ 2903 for (i = 0; i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++) { 2904 if (btm_cb.p_rmt_name_callback[i] && p_bd_addr) 2905 (*btm_cb.p_rmt_name_callback[i])(*p_bd_addr, dev_class, (uint8_t*)""); 2906 } 2907 2908 return; 2909 } 2910 2911 /* If we were delaying asking UI for a PIN because name was not resolved, ask 2912 * now */ 2913 if ((btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_LOCAL_PIN) && p_bd_addr && 2914 (btm_cb.pairing_bda == *p_bd_addr)) { 2915 BTM_TRACE_EVENT( 2916 "%s() delayed pin now being requested flags:0x%x, " 2917 "(p_pin_callback=0x%p)", 2918 __func__, btm_cb.pairing_flags, btm_cb.api.p_pin_callback); 2919 2920 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PIN_REQD) == 0 && 2921 btm_cb.api.p_pin_callback) { 2922 BTM_TRACE_EVENT("%s() calling pin_callback", __func__); 2923 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD; 2924 (*btm_cb.api.p_pin_callback)( 2925 p_dev_rec->bd_addr, p_dev_rec->dev_class, p_bd_name, 2926 (p_dev_rec->p_cur_service == NULL) 2927 ? false 2928 : (p_dev_rec->p_cur_service->security_flags & 2929 BTM_SEC_IN_MIN_16_DIGIT_PIN)); 2930 } 2931 2932 /* Set the same state again to force the timer to be restarted */ 2933 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_LOCAL_PIN); 2934 return; 2935 } 2936 2937 /* Check if we were delaying bonding because name was not resolved */ 2938 if (btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME) { 2939 if (p_bd_addr && btm_cb.pairing_bda == *p_bd_addr) { 2940 BTM_TRACE_EVENT("%s() continue bonding sm4: 0x%04x, status:0x%x", 2941 __func__, p_dev_rec->sm4, status); 2942 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_CANCEL_DD) { 2943 btm_sec_bond_cancel_complete(); 2944 return; 2945 } 2946 2947 if (status != HCI_SUCCESS) { 2948 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE); 2949 2950 if (btm_cb.api.p_auth_complete_callback) 2951 (*btm_cb.api.p_auth_complete_callback)( 2952 p_dev_rec->bd_addr, p_dev_rec->dev_class, p_dev_rec->sec_bd_name, 2953 status); 2954 return; 2955 } 2956 2957 /* if peer is very old legacy devices, HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT is 2958 * not reported */ 2959 if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4)) { 2960 /* set the KNOWN flag only if BTM_PAIR_FLAGS_REJECTED_CONNECT is not 2961 * set.*/ 2962 /* If it is set, there may be a race condition */ 2963 BTM_TRACE_DEBUG("%s IS_SM4_UNKNOWN Flags:0x%04x", __func__, 2964 btm_cb.pairing_flags); 2965 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT) == 0) 2966 p_dev_rec->sm4 |= BTM_SM4_KNOWN; 2967 } 2968 2969 BTM_TRACE_DEBUG("%s, SM4 Value: %x, Legacy:%d,IS SM4:%d, Unknown:%d", 2970 __func__, p_dev_rec->sm4, 2971 BTM_SEC_IS_SM4_LEGACY(p_dev_rec->sm4), 2972 BTM_SEC_IS_SM4(p_dev_rec->sm4), 2973 BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4)); 2974 2975 /* BT 2.1 or carkit, bring up the connection to force the peer to request 2976 *PIN. 2977 ** Else prefetch (btm_sec_check_prefetch_pin will do the prefetching if 2978 *needed) 2979 */ 2980 if ((p_dev_rec->sm4 != BTM_SM4_KNOWN) || 2981 !btm_sec_check_prefetch_pin(p_dev_rec)) { 2982 /* if we rejected incoming connection request, we have to wait 2983 * HCI_Connection_Complete event */ 2984 /* before originating */ 2985 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT) { 2986 BTM_TRACE_WARNING( 2987 "%s: waiting HCI_Connection_Complete after rejecting connection", 2988 __func__); 2989 } 2990 /* Both we and the peer are 2.1 - continue to create connection */ 2991 else if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED) { 2992 BTM_TRACE_WARNING("%s: failed to start connection", __func__); 2993 2994 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE); 2995 2996 if (btm_cb.api.p_auth_complete_callback) { 2997 (*btm_cb.api.p_auth_complete_callback)( 2998 p_dev_rec->bd_addr, p_dev_rec->dev_class, 2999 p_dev_rec->sec_bd_name, HCI_ERR_MEMORY_FULL); 3000 } 3001 } 3002 } 3003 return; 3004 } else { 3005 BTM_TRACE_WARNING("%s: wrong BDA, retry with pairing BDA", __func__); 3006 if (BTM_ReadRemoteDeviceName(btm_cb.pairing_bda, NULL, 3007 BT_TRANSPORT_BR_EDR) != BTM_CMD_STARTED) { 3008 BTM_TRACE_ERROR("%s: failed to start remote name request", __func__); 3009 if (btm_cb.api.p_auth_complete_callback) { 3010 (*btm_cb.api.p_auth_complete_callback)( 3011 p_dev_rec->bd_addr, p_dev_rec->dev_class, p_dev_rec->sec_bd_name, 3012 HCI_ERR_MEMORY_FULL); 3013 } 3014 }; 3015 return; 3016 } 3017 } 3018 3019 /* check if we were delaying link_key_callback because name was not resolved 3020 */ 3021 if (p_dev_rec->link_key_not_sent) { 3022 /* If HCI connection complete has not arrived, wait for it */ 3023 if (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE) return; 3024 3025 p_dev_rec->link_key_not_sent = false; 3026 btm_send_link_key_notif(p_dev_rec); 3027 3028 /* If its not us who perform authentication, we should tell stackserver */ 3029 /* that some authentication has been completed */ 3030 /* This is required when different entities receive link notification and 3031 * auth complete */ 3032 if (!(p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE)) { 3033 if (btm_cb.api.p_auth_complete_callback) 3034 (*btm_cb.api.p_auth_complete_callback)( 3035 p_dev_rec->bd_addr, p_dev_rec->dev_class, p_dev_rec->sec_bd_name, 3036 HCI_SUCCESS); 3037 } 3038 } 3039 3040 /* If this is a bonding procedure can disconnect the link now */ 3041 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) && 3042 (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)) { 3043 BTM_TRACE_WARNING("btm_sec_rmt_name_request_complete (none/ce)"); 3044 p_dev_rec->security_required &= ~(BTM_SEC_OUT_AUTHENTICATE); 3045 l2cu_start_post_bond_timer(p_dev_rec->hci_handle); 3046 return; 3047 } 3048 3049 if (old_sec_state != BTM_SEC_STATE_GETTING_NAME) return; 3050 3051 /* If get name failed, notify the waiting layer */ 3052 if (status != HCI_SUCCESS) { 3053 btm_sec_dev_rec_cback_event(p_dev_rec, BTM_ERR_PROCESSING, false); 3054 return; 3055 } 3056 3057 if (p_dev_rec->sm4 & BTM_SM4_REQ_PEND) { 3058 BTM_TRACE_EVENT("waiting for remote features!!"); 3059 return; 3060 } 3061 3062 /* Remote Name succeeded, execute the next security procedure, if any */ 3063 status = (uint8_t)btm_sec_execute_procedure(p_dev_rec); 3064 3065 /* If result is pending reply from the user or from the device is pending */ 3066 if (status == BTM_CMD_STARTED) return; 3067 3068 /* There is no next procedure or start of procedure failed, notify the waiting 3069 * layer */ 3070 btm_sec_dev_rec_cback_event(p_dev_rec, status, false); 3071 } 3072 3073 /******************************************************************************* 3074 * 3075 * Function btm_sec_rmt_host_support_feat_evt 3076 * 3077 * Description This function is called when the 3078 * HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT is received 3079 * 3080 * Returns void 3081 * 3082 ******************************************************************************/ 3083 void btm_sec_rmt_host_support_feat_evt(uint8_t* p) { 3084 tBTM_SEC_DEV_REC* p_dev_rec; 3085 RawAddress bd_addr; /* peer address */ 3086 BD_FEATURES features; 3087 3088 STREAM_TO_BDADDR(bd_addr, p); 3089 p_dev_rec = btm_find_or_alloc_dev(bd_addr); 3090 3091 BTM_TRACE_EVENT("btm_sec_rmt_host_support_feat_evt sm4: 0x%x p[0]: 0x%x", 3092 p_dev_rec->sm4, p[0]); 3093 3094 if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4)) { 3095 p_dev_rec->sm4 = BTM_SM4_KNOWN; 3096 STREAM_TO_ARRAY(features, p, HCI_FEATURE_BYTES_PER_PAGE); 3097 if (HCI_SSP_HOST_SUPPORTED(features)) { 3098 p_dev_rec->sm4 = BTM_SM4_TRUE; 3099 } 3100 BTM_TRACE_EVENT( 3101 "btm_sec_rmt_host_support_feat_evt sm4: 0x%x features[0]: 0x%x", 3102 p_dev_rec->sm4, features[0]); 3103 } 3104 } 3105 3106 /******************************************************************************* 3107 * 3108 * Function btm_io_capabilities_req 3109 * 3110 * Description This function is called when LM request for the IO 3111 * capability of the local device and 3112 * if the OOB data is present for the device in the event 3113 * 3114 * Returns void 3115 * 3116 ******************************************************************************/ 3117 void btm_io_capabilities_req(const RawAddress& p) { 3118 tBTM_SP_IO_REQ evt_data; 3119 uint8_t err_code = 0; 3120 tBTM_SEC_DEV_REC* p_dev_rec; 3121 bool is_orig = true; 3122 uint8_t callback_rc = BTM_SUCCESS; 3123 3124 evt_data.bd_addr = p; 3125 3126 /* setup the default response according to compile options */ 3127 /* assume that the local IO capability does not change 3128 * loc_io_caps is initialized with the default value */ 3129 evt_data.io_cap = btm_cb.devcb.loc_io_caps; 3130 evt_data.oob_data = BTM_OOB_NONE; 3131 evt_data.auth_req = BTM_DEFAULT_AUTH_REQ; 3132 3133 BTM_TRACE_EVENT("%s: State: %s", __func__, 3134 btm_pair_state_descr(btm_cb.pairing_state)); 3135 3136 p_dev_rec = btm_find_or_alloc_dev(evt_data.bd_addr); 3137 3138 BTM_TRACE_DEBUG("%s:Security mode: %d, Num Read Remote Feat pages: %d", 3139 __func__, btm_cb.security_mode, p_dev_rec->num_read_pages); 3140 3141 if ((btm_cb.security_mode == BTM_SEC_MODE_SC) && 3142 (p_dev_rec->num_read_pages == 0)) { 3143 BTM_TRACE_EVENT("%s: Device security mode is SC only.", 3144 "To continue need to know remote features.", __func__); 3145 3146 p_dev_rec->remote_features_needed = true; 3147 return; 3148 } 3149 3150 p_dev_rec->sm4 |= BTM_SM4_TRUE; 3151 3152 BTM_TRACE_EVENT("%s: State: %s Flags: 0x%04x p_cur_service: 0x%08x", 3153 __func__, btm_pair_state_descr(btm_cb.pairing_state), 3154 btm_cb.pairing_flags, p_dev_rec->p_cur_service); 3155 3156 if (p_dev_rec->p_cur_service) { 3157 BTM_TRACE_EVENT("%s: cur_service psm: 0x%04x, security_flags: 0x%04x", 3158 __func__, p_dev_rec->p_cur_service->psm, 3159 p_dev_rec->p_cur_service->security_flags); 3160 } 3161 3162 switch (btm_cb.pairing_state) { 3163 /* initiator connecting */ 3164 case BTM_PAIR_STATE_IDLE: 3165 // TODO: Handle Idle pairing state 3166 // security_required = p_dev_rec->security_required; 3167 break; 3168 3169 /* received IO capability response already->acceptor */ 3170 case BTM_PAIR_STATE_INCOMING_SSP: 3171 is_orig = false; 3172 3173 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_PEER_STARTED_DD) { 3174 /* acceptor in dedicated bonding */ 3175 evt_data.auth_req = BTM_DEFAULT_DD_AUTH_REQ; 3176 } 3177 break; 3178 3179 /* initiator, at this point it is expected to be dedicated bonding 3180 initiated by local device */ 3181 case BTM_PAIR_STATE_WAIT_PIN_REQ: 3182 if (evt_data.bd_addr == btm_cb.pairing_bda) { 3183 evt_data.auth_req = BTM_DEFAULT_DD_AUTH_REQ; 3184 } else { 3185 err_code = HCI_ERR_HOST_BUSY_PAIRING; 3186 } 3187 break; 3188 3189 /* any other state is unexpected */ 3190 default: 3191 err_code = HCI_ERR_HOST_BUSY_PAIRING; 3192 BTM_TRACE_ERROR("%s: Unexpected Pairing state received %d", __func__, 3193 btm_cb.pairing_state); 3194 break; 3195 } 3196 3197 if (btm_cb.pairing_disabled) { 3198 /* pairing is not allowed */ 3199 BTM_TRACE_DEBUG("%s: Pairing is not allowed -> fail pairing.", __func__); 3200 err_code = HCI_ERR_PAIRING_NOT_ALLOWED; 3201 } else if (btm_cb.security_mode == BTM_SEC_MODE_SC) { 3202 bool local_supports_sc = 3203 controller_get_interface()->supports_secure_connections(); 3204 /* device in Secure Connections Only mode */ 3205 if (!(local_supports_sc) || 3206 !(p_dev_rec->remote_supports_secure_connections)) { 3207 BTM_TRACE_DEBUG("%s: SC only service, local_support_for_sc %d,", 3208 " remote_support_for_sc 0x%02x -> fail pairing", __func__, 3209 local_supports_sc, 3210 p_dev_rec->remote_supports_secure_connections); 3211 3212 err_code = HCI_ERR_PAIRING_NOT_ALLOWED; 3213 } 3214 } 3215 3216 if (err_code != 0) { 3217 btsnd_hcic_io_cap_req_neg_reply(evt_data.bd_addr, err_code); 3218 return; 3219 } 3220 3221 evt_data.is_orig = is_orig; 3222 3223 if (is_orig) { 3224 /* local device initiated the pairing non-bonding -> use p_cur_service */ 3225 if (!(btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) && 3226 p_dev_rec->p_cur_service && 3227 (p_dev_rec->p_cur_service->security_flags & BTM_SEC_OUT_AUTHENTICATE)) { 3228 if (btm_cb.security_mode == BTM_SEC_MODE_SC) { 3229 /* SC only mode device requires MITM protection */ 3230 evt_data.auth_req = BTM_AUTH_SP_YES; 3231 } else { 3232 evt_data.auth_req = 3233 (p_dev_rec->p_cur_service->security_flags & BTM_SEC_OUT_MITM) 3234 ? BTM_AUTH_SP_YES 3235 : BTM_AUTH_SP_NO; 3236 } 3237 } 3238 } 3239 3240 /* Notify L2CAP to increase timeout */ 3241 l2c_pin_code_request(evt_data.bd_addr); 3242 3243 btm_cb.pairing_bda = evt_data.bd_addr; 3244 3245 if (evt_data.bd_addr == btm_cb.connecting_bda) 3246 memcpy(p_dev_rec->dev_class, btm_cb.connecting_dc, DEV_CLASS_LEN); 3247 3248 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS); 3249 3250 callback_rc = BTM_SUCCESS; 3251 if (p_dev_rec->sm4 & BTM_SM4_UPGRADE) { 3252 p_dev_rec->sm4 &= ~BTM_SM4_UPGRADE; 3253 3254 /* link key upgrade: always use SPGB_YES - assuming we want to save the link 3255 * key */ 3256 evt_data.auth_req = BTM_AUTH_SPGB_YES; 3257 } else if (btm_cb.api.p_sp_callback) { 3258 /* the callback function implementation may change the IO capability... */ 3259 callback_rc = (*btm_cb.api.p_sp_callback)(BTM_SP_IO_REQ_EVT, 3260 (tBTM_SP_EVT_DATA*)&evt_data); 3261 } 3262 3263 if ((callback_rc == BTM_SUCCESS) || (BTM_OOB_UNKNOWN != evt_data.oob_data)) { 3264 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)) { 3265 evt_data.auth_req = 3266 (BTM_AUTH_DD_BOND | (evt_data.auth_req & BTM_AUTH_YN_BIT)); 3267 } 3268 3269 if (btm_cb.security_mode == BTM_SEC_MODE_SC) { 3270 /* At this moment we know that both sides are SC capable, device in */ 3271 /* SC only mode requires MITM for any service so let's set MITM bit */ 3272 evt_data.auth_req |= BTM_AUTH_YN_BIT; 3273 BTM_TRACE_DEBUG( 3274 "%s: for device in \"SC only\" mode set auth_req to 0x%02x", __func__, 3275 evt_data.auth_req); 3276 } 3277 3278 /* if the user does not indicate "reply later" by setting the oob_data to 3279 * unknown */ 3280 /* send the response right now. Save the current IO capability in the 3281 * control block */ 3282 btm_cb.devcb.loc_auth_req = evt_data.auth_req; 3283 btm_cb.devcb.loc_io_caps = evt_data.io_cap; 3284 3285 BTM_TRACE_EVENT("%s: State: %s IO_CAP:%d oob_data:%d auth_req:%d", 3286 __func__, btm_pair_state_descr(btm_cb.pairing_state), 3287 evt_data.io_cap, evt_data.oob_data, evt_data.auth_req); 3288 3289 btsnd_hcic_io_cap_req_reply(evt_data.bd_addr, evt_data.io_cap, 3290 evt_data.oob_data, evt_data.auth_req); 3291 } 3292 } 3293 3294 /******************************************************************************* 3295 * 3296 * Function btm_io_capabilities_rsp 3297 * 3298 * Description This function is called when the IO capability of the 3299 * specified device is received 3300 * 3301 * Returns void 3302 * 3303 ******************************************************************************/ 3304 void btm_io_capabilities_rsp(uint8_t* p) { 3305 tBTM_SEC_DEV_REC* p_dev_rec; 3306 tBTM_SP_IO_RSP evt_data; 3307 3308 STREAM_TO_BDADDR(evt_data.bd_addr, p); 3309 STREAM_TO_UINT8(evt_data.io_cap, p); 3310 STREAM_TO_UINT8(evt_data.oob_data, p); 3311 STREAM_TO_UINT8(evt_data.auth_req, p); 3312 3313 /* Allocate a new device record or reuse the oldest one */ 3314 p_dev_rec = btm_find_or_alloc_dev(evt_data.bd_addr); 3315 3316 /* If no security is in progress, this indicates incoming security */ 3317 if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE) { 3318 btm_cb.pairing_bda = evt_data.bd_addr; 3319 3320 btm_sec_change_pairing_state(BTM_PAIR_STATE_INCOMING_SSP); 3321 3322 /* Make sure we reset the trusted mask to help against attacks */ 3323 BTM_SEC_CLR_TRUSTED_DEVICE(p_dev_rec->trusted_mask); 3324 3325 /* work around for FW bug */ 3326 btm_inq_stop_on_ssp(); 3327 } 3328 3329 /* Notify L2CAP to increase timeout */ 3330 l2c_pin_code_request(evt_data.bd_addr); 3331 3332 /* We must have a device record here. 3333 * Use the connecting device's CoD for the connection */ 3334 if (evt_data.bd_addr == btm_cb.connecting_bda) 3335 memcpy(p_dev_rec->dev_class, btm_cb.connecting_dc, DEV_CLASS_LEN); 3336 3337 /* peer sets dedicated bonding bit and we did not initiate dedicated bonding 3338 */ 3339 if (btm_cb.pairing_state == 3340 BTM_PAIR_STATE_INCOMING_SSP /* peer initiated bonding */ 3341 && (evt_data.auth_req & 3342 BTM_AUTH_DD_BOND)) /* and dedicated bonding bit is set */ 3343 { 3344 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PEER_STARTED_DD; 3345 } 3346 3347 /* save the IO capability in the device record */ 3348 p_dev_rec->rmt_io_caps = evt_data.io_cap; 3349 p_dev_rec->rmt_auth_req = evt_data.auth_req; 3350 3351 if (btm_cb.api.p_sp_callback) 3352 (*btm_cb.api.p_sp_callback)(BTM_SP_IO_RSP_EVT, 3353 (tBTM_SP_EVT_DATA*)&evt_data); 3354 } 3355 3356 /******************************************************************************* 3357 * 3358 * Function btm_proc_sp_req_evt 3359 * 3360 * Description This function is called to process/report 3361 * HCI_USER_CONFIRMATION_REQUEST_EVT 3362 * or HCI_USER_PASSKEY_REQUEST_EVT 3363 * or HCI_USER_PASSKEY_NOTIFY_EVT 3364 * 3365 * Returns void 3366 * 3367 ******************************************************************************/ 3368 void btm_proc_sp_req_evt(tBTM_SP_EVT event, uint8_t* p) { 3369 tBTM_STATUS status = BTM_ERR_PROCESSING; 3370 tBTM_SP_EVT_DATA evt_data; 3371 RawAddress& p_bda = evt_data.cfm_req.bd_addr; 3372 tBTM_SEC_DEV_REC* p_dev_rec; 3373 3374 /* All events start with bd_addr */ 3375 STREAM_TO_BDADDR(p_bda, p); 3376 3377 VLOG(2) << " BDA: " << p_bda << " event: 0x" << std::hex << +event 3378 << " State: " << btm_pair_state_descr(btm_cb.pairing_state); 3379 3380 p_dev_rec = btm_find_dev(p_bda); 3381 if ((p_dev_rec != NULL) && (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) && 3382 (btm_cb.pairing_bda == p_bda)) { 3383 evt_data.cfm_req.bd_addr = p_dev_rec->bd_addr; 3384 memcpy(evt_data.cfm_req.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN); 3385 3386 strlcpy((char*)evt_data.cfm_req.bd_name, (char*)p_dev_rec->sec_bd_name, 3387 BTM_MAX_REM_BD_NAME_LEN); 3388 3389 switch (event) { 3390 case BTM_SP_CFM_REQ_EVT: 3391 /* Numeric confirmation. Need user to conf the passkey */ 3392 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM); 3393 3394 /* The device record must be allocated in the "IO cap exchange" step */ 3395 STREAM_TO_UINT32(evt_data.cfm_req.num_val, p); 3396 BTM_TRACE_DEBUG("BTM_SP_CFM_REQ_EVT: num_val: %u", 3397 evt_data.cfm_req.num_val); 3398 3399 evt_data.cfm_req.just_works = true; 3400 3401 /* process user confirm req in association with the auth_req param */ 3402 #if (BTM_LOCAL_IO_CAPS == BTM_IO_CAP_IO) 3403 if (p_dev_rec->rmt_io_caps == BTM_IO_CAP_UNKNOWN) { 3404 BTM_TRACE_ERROR( 3405 "%s did not receive IO cap response prior" 3406 " to BTM_SP_CFM_REQ_EVT, failing pairing request", 3407 __func__); 3408 status = BTM_WRONG_MODE; 3409 BTM_ConfirmReqReply(status, p_bda); 3410 return; 3411 } 3412 if ((p_dev_rec->rmt_io_caps == BTM_IO_CAP_IO) && 3413 (btm_cb.devcb.loc_io_caps == BTM_IO_CAP_IO) && 3414 ((p_dev_rec->rmt_auth_req & BTM_AUTH_SP_YES) || 3415 (btm_cb.devcb.loc_auth_req & BTM_AUTH_SP_YES))) { 3416 /* Both devices are DisplayYesNo and one or both devices want to 3417 authenticate -> use authenticated link key */ 3418 evt_data.cfm_req.just_works = false; 3419 } 3420 #endif 3421 BTM_TRACE_DEBUG( 3422 "btm_proc_sp_req_evt() just_works:%d, io loc:%d, rmt:%d, auth " 3423 "loc:%d, rmt:%d", 3424 evt_data.cfm_req.just_works, btm_cb.devcb.loc_io_caps, 3425 p_dev_rec->rmt_io_caps, btm_cb.devcb.loc_auth_req, 3426 p_dev_rec->rmt_auth_req); 3427 3428 evt_data.cfm_req.loc_auth_req = btm_cb.devcb.loc_auth_req; 3429 evt_data.cfm_req.rmt_auth_req = p_dev_rec->rmt_auth_req; 3430 evt_data.cfm_req.loc_io_caps = btm_cb.devcb.loc_io_caps; 3431 evt_data.cfm_req.rmt_io_caps = p_dev_rec->rmt_io_caps; 3432 break; 3433 3434 case BTM_SP_KEY_NOTIF_EVT: 3435 /* Passkey notification (other side is a keyboard) */ 3436 STREAM_TO_UINT32(evt_data.key_notif.passkey, p); 3437 BTM_TRACE_DEBUG("BTM_SP_KEY_NOTIF_EVT: passkey: %u", 3438 evt_data.key_notif.passkey); 3439 3440 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_AUTH_COMPLETE); 3441 break; 3442 3443 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE) 3444 case BTM_SP_KEY_REQ_EVT: 3445 /* HCI_USER_PASSKEY_REQUEST_EVT */ 3446 btm_sec_change_pairing_state(BTM_PAIR_STATE_KEY_ENTRY); 3447 break; 3448 #endif 3449 } 3450 3451 if (btm_cb.api.p_sp_callback) { 3452 status = (*btm_cb.api.p_sp_callback)(event, &evt_data); 3453 if (status != BTM_NOT_AUTHORIZED) { 3454 return; 3455 } 3456 /* else BTM_NOT_AUTHORIZED means when the app wants to reject the req 3457 * right now */ 3458 } else if ((event == BTM_SP_CFM_REQ_EVT) && (evt_data.cfm_req.just_works)) { 3459 /* automatically reply with just works if no sp_cback */ 3460 status = BTM_SUCCESS; 3461 } 3462 3463 if (event == BTM_SP_CFM_REQ_EVT) { 3464 BTM_TRACE_DEBUG("calling BTM_ConfirmReqReply with status: %d", status); 3465 BTM_ConfirmReqReply(status, p_bda); 3466 } 3467 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE) 3468 else if (event == BTM_SP_KEY_REQ_EVT) { 3469 BTM_PasskeyReqReply(status, p_bda, 0); 3470 } 3471 #endif 3472 return; 3473 } 3474 3475 /* Something bad. we can only fail this connection */ 3476 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY; 3477 3478 if (BTM_SP_CFM_REQ_EVT == event) { 3479 btsnd_hcic_user_conf_reply(p_bda, false); 3480 } else if (BTM_SP_KEY_NOTIF_EVT == event) { 3481 /* do nothing -> it very unlikely to happen. 3482 This event is most likely to be received by a HID host when it first 3483 connects to a HID device. 3484 Usually the Host initiated the connection in this case. 3485 On Mobile platforms, if there's a security process happening, 3486 the host probably can not initiate another connection. 3487 BTW (PC) is another story. */ 3488 p_dev_rec = btm_find_dev(p_bda); 3489 if (p_dev_rec != NULL) { 3490 btm_sec_disconnect(p_dev_rec->hci_handle, HCI_ERR_AUTH_FAILURE); 3491 } 3492 } 3493 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE) 3494 else { 3495 btsnd_hcic_user_passkey_neg_reply(p_bda); 3496 } 3497 #endif 3498 } 3499 3500 /******************************************************************************* 3501 * 3502 * Function btm_keypress_notif_evt 3503 * 3504 * Description This function is called when a key press notification is 3505 * received 3506 * 3507 * Returns void 3508 * 3509 ******************************************************************************/ 3510 void btm_keypress_notif_evt(uint8_t* p) { 3511 tBTM_SP_KEYPRESS evt_data; 3512 3513 /* parse & report BTM_SP_KEYPRESS_EVT */ 3514 if (btm_cb.api.p_sp_callback) { 3515 RawAddress& p_bda = evt_data.bd_addr; 3516 3517 STREAM_TO_BDADDR(p_bda, p); 3518 evt_data.notif_type = *p; 3519 3520 (*btm_cb.api.p_sp_callback)(BTM_SP_KEYPRESS_EVT, 3521 (tBTM_SP_EVT_DATA*)&evt_data); 3522 } 3523 } 3524 3525 /******************************************************************************* 3526 * 3527 * Function btm_simple_pair_complete 3528 * 3529 * Description This function is called when simple pairing process is 3530 * complete 3531 * 3532 * Returns void 3533 * 3534 ******************************************************************************/ 3535 void btm_simple_pair_complete(uint8_t* p) { 3536 tBTM_SP_COMPLT evt_data; 3537 tBTM_SEC_DEV_REC* p_dev_rec; 3538 uint8_t status; 3539 bool disc = false; 3540 3541 status = *p++; 3542 STREAM_TO_BDADDR(evt_data.bd_addr, p); 3543 3544 p_dev_rec = btm_find_dev(evt_data.bd_addr); 3545 if (p_dev_rec == NULL) { 3546 LOG(ERROR) << __func__ << " with unknown BDA: " << evt_data.bd_addr; 3547 return; 3548 } 3549 3550 BTM_TRACE_EVENT( 3551 "btm_simple_pair_complete() Pair State: %s Status:%d sec_state: %u", 3552 btm_pair_state_descr(btm_cb.pairing_state), status, p_dev_rec->sec_state); 3553 3554 evt_data.status = BTM_ERR_PROCESSING; 3555 if (status == HCI_SUCCESS) { 3556 evt_data.status = BTM_SUCCESS; 3557 p_dev_rec->sec_flags |= BTM_SEC_AUTHENTICATED; 3558 } else { 3559 if (status == HCI_ERR_PAIRING_NOT_ALLOWED) { 3560 /* The test spec wants the peer device to get this failure code. */ 3561 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_DISCONNECT); 3562 3563 /* Change the timer to 1 second */ 3564 alarm_set_on_mloop(btm_cb.pairing_timer, BT_1SEC_TIMEOUT_MS, 3565 btm_sec_pairing_timeout, NULL); 3566 } else if (btm_cb.pairing_bda == evt_data.bd_addr) { 3567 /* stop the timer */ 3568 alarm_cancel(btm_cb.pairing_timer); 3569 3570 if (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING) { 3571 /* the initiating side: will receive auth complete event. disconnect ACL 3572 * at that time */ 3573 disc = true; 3574 } 3575 } else 3576 disc = true; 3577 } 3578 3579 /* Let the pairing state stay active, p_auth_complete_callback will report the 3580 * failure */ 3581 evt_data.bd_addr = p_dev_rec->bd_addr; 3582 memcpy(evt_data.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN); 3583 3584 if (btm_cb.api.p_sp_callback) 3585 (*btm_cb.api.p_sp_callback)(BTM_SP_COMPLT_EVT, 3586 (tBTM_SP_EVT_DATA*)&evt_data); 3587 3588 if (disc) { 3589 /* simple pairing failed */ 3590 /* Avoid sending disconnect on HCI_ERR_PEER_USER */ 3591 if ((status != HCI_ERR_PEER_USER) && 3592 (status != HCI_ERR_CONN_CAUSE_LOCAL_HOST)) { 3593 btm_sec_send_hci_disconnect(p_dev_rec, HCI_ERR_AUTH_FAILURE, 3594 p_dev_rec->hci_handle); 3595 } 3596 } 3597 } 3598 3599 /******************************************************************************* 3600 * 3601 * Function btm_rem_oob_req 3602 * 3603 * Description This function is called to process/report 3604 * HCI_REMOTE_OOB_DATA_REQUEST_EVT 3605 * 3606 * Returns void 3607 * 3608 ******************************************************************************/ 3609 void btm_rem_oob_req(uint8_t* p) { 3610 tBTM_SP_RMT_OOB evt_data; 3611 tBTM_SEC_DEV_REC* p_dev_rec; 3612 BT_OCTET16 c; 3613 BT_OCTET16 r; 3614 3615 RawAddress& p_bda = evt_data.bd_addr; 3616 3617 STREAM_TO_BDADDR(p_bda, p); 3618 3619 VLOG(2) << __func__ << " BDA: " << p_bda; 3620 p_dev_rec = btm_find_dev(p_bda); 3621 if ((p_dev_rec != NULL) && btm_cb.api.p_sp_callback) { 3622 evt_data.bd_addr = p_dev_rec->bd_addr; 3623 memcpy(evt_data.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN); 3624 strlcpy((char*)evt_data.bd_name, (char*)p_dev_rec->sec_bd_name, 3625 BTM_MAX_REM_BD_NAME_LEN); 3626 3627 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP); 3628 if ((*btm_cb.api.p_sp_callback)(BTM_SP_RMT_OOB_EVT, 3629 (tBTM_SP_EVT_DATA*)&evt_data) == 3630 BTM_NOT_AUTHORIZED) { 3631 BTM_RemoteOobDataReply(true, p_bda, c, r); 3632 } 3633 return; 3634 } 3635 3636 /* something bad. we can only fail this connection */ 3637 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY; 3638 btsnd_hcic_rem_oob_neg_reply(p_bda); 3639 } 3640 3641 /******************************************************************************* 3642 * 3643 * Function btm_read_local_oob_complete 3644 * 3645 * Description This function is called when read local oob data is 3646 * completed by the LM 3647 * 3648 * Returns void 3649 * 3650 ******************************************************************************/ 3651 void btm_read_local_oob_complete(uint8_t* p) { 3652 tBTM_SP_LOC_OOB evt_data; 3653 uint8_t status = *p++; 3654 3655 BTM_TRACE_EVENT("btm_read_local_oob_complete:%d", status); 3656 if (status == HCI_SUCCESS) { 3657 evt_data.status = BTM_SUCCESS; 3658 STREAM_TO_ARRAY16(evt_data.c, p); 3659 STREAM_TO_ARRAY16(evt_data.r, p); 3660 } else 3661 evt_data.status = BTM_ERR_PROCESSING; 3662 3663 if (btm_cb.api.p_sp_callback) { 3664 tBTM_SP_EVT_DATA btm_sp_evt_data; 3665 btm_sp_evt_data.loc_oob = evt_data; 3666 (*btm_cb.api.p_sp_callback)(BTM_SP_LOC_OOB_EVT, &btm_sp_evt_data); 3667 } 3668 } 3669 3670 /******************************************************************************* 3671 * 3672 * Function btm_sec_auth_collision 3673 * 3674 * Description This function is called when authentication or encryption 3675 * needs to be retried at a later time. 3676 * 3677 * Returns void 3678 * 3679 ******************************************************************************/ 3680 static void btm_sec_auth_collision(uint16_t handle) { 3681 tBTM_SEC_DEV_REC* p_dev_rec; 3682 3683 if (!btm_cb.collision_start_time) 3684 btm_cb.collision_start_time = time_get_os_boottime_ms(); 3685 3686 if ((time_get_os_boottime_ms() - btm_cb.collision_start_time) < 3687 btm_cb.max_collision_delay) { 3688 if (handle == BTM_SEC_INVALID_HANDLE) { 3689 p_dev_rec = btm_sec_find_dev_by_sec_state(BTM_SEC_STATE_AUTHENTICATING); 3690 if (p_dev_rec == NULL) 3691 p_dev_rec = btm_sec_find_dev_by_sec_state(BTM_SEC_STATE_ENCRYPTING); 3692 } else 3693 p_dev_rec = btm_find_dev_by_handle(handle); 3694 3695 if (p_dev_rec != NULL) { 3696 BTM_TRACE_DEBUG( 3697 "btm_sec_auth_collision: state %d (retrying in a moment...)", 3698 p_dev_rec->sec_state); 3699 /* We will restart authentication after timeout */ 3700 if (p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING || 3701 p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING) 3702 p_dev_rec->sec_state = 0; 3703 3704 btm_cb.p_collided_dev_rec = p_dev_rec; 3705 alarm_set_on_mloop(btm_cb.sec_collision_timer, BT_1SEC_TIMEOUT_MS, 3706 btm_sec_collision_timeout, NULL); 3707 } 3708 } 3709 } 3710 3711 /****************************************************************************** 3712 * 3713 * Function btm_sec_auth_retry 3714 * 3715 * Description This function is called when authentication or encryption 3716 * needs to be retried at a later time. 3717 * 3718 * Returns TRUE if a security retry required 3719 * 3720 *****************************************************************************/ 3721 static bool btm_sec_auth_retry(uint16_t handle, uint8_t status) { 3722 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(handle); 3723 if (!p_dev_rec) return false; 3724 3725 /* keep the old sm4 flag and clear the retry bit in control block */ 3726 uint8_t old_sm4 = p_dev_rec->sm4; 3727 p_dev_rec->sm4 &= ~BTM_SM4_RETRY; 3728 3729 if ((btm_cb.pairing_state == BTM_PAIR_STATE_IDLE) && 3730 ((old_sm4 & BTM_SM4_RETRY) == 0) && (HCI_ERR_KEY_MISSING == status) && 3731 BTM_SEC_IS_SM4(p_dev_rec->sm4)) { 3732 /* This retry for missing key is for Lisbon or later only. 3733 Legacy device do not need this. the controller will drive the retry 3734 automatically 3735 set the retry bit */ 3736 btm_cb.collision_start_time = 0; 3737 btm_restore_mode(); 3738 p_dev_rec->sm4 |= BTM_SM4_RETRY; 3739 p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_KNOWN; 3740 BTM_TRACE_DEBUG("%s Retry for missing key sm4:x%x sec_flags:0x%x", __func__, 3741 p_dev_rec->sm4, p_dev_rec->sec_flags); 3742 3743 /* With BRCM controller, we do not need to delete the stored link key in 3744 controller. 3745 If the stack may sit on top of other controller, we may need this 3746 BTM_DeleteStoredLinkKey (bd_addr, NULL); */ 3747 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE; 3748 btm_sec_execute_procedure(p_dev_rec); 3749 return true; 3750 } 3751 3752 return false; 3753 } 3754 3755 /******************************************************************************* 3756 * 3757 * Function btm_sec_auth_complete 3758 * 3759 * Description This function is when authentication of the connection is 3760 * completed by the LM 3761 * 3762 * Returns void 3763 * 3764 ******************************************************************************/ 3765 void btm_sec_auth_complete(uint16_t handle, uint8_t status) { 3766 tBTM_PAIRING_STATE old_state = btm_cb.pairing_state; 3767 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(handle); 3768 bool are_bonding = false; 3769 3770 if (p_dev_rec) { 3771 VLOG(2) << __func__ << ": Security Manager: in state: " 3772 << btm_pair_state_descr(btm_cb.pairing_state) 3773 << " handle:" << handle << " status:" << status 3774 << "dev->sec_state:" << p_dev_rec->sec_state 3775 << " bda:" << p_dev_rec->bd_addr 3776 << "RName:" << p_dev_rec->sec_bd_name; 3777 } else { 3778 VLOG(2) << __func__ << ": Security Manager: in state: " 3779 << btm_pair_state_descr(btm_cb.pairing_state) 3780 << " handle:" << handle << " status:" << status; 3781 } 3782 3783 /* For transaction collision we need to wait and repeat. There is no need */ 3784 /* for random timeout because only slave should receive the result */ 3785 if ((status == HCI_ERR_LMP_ERR_TRANS_COLLISION) || 3786 (status == HCI_ERR_DIFF_TRANSACTION_COLLISION)) { 3787 btm_sec_auth_collision(handle); 3788 return; 3789 } else if (btm_sec_auth_retry(handle, status)) { 3790 return; 3791 } 3792 3793 btm_cb.collision_start_time = 0; 3794 3795 btm_restore_mode(); 3796 3797 /* Check if connection was made just to do bonding. If we authenticate 3798 the connection that is up, this is the last event received. 3799 */ 3800 if (p_dev_rec && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) && 3801 !(btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)) { 3802 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE; 3803 3804 l2cu_start_post_bond_timer(p_dev_rec->hci_handle); 3805 } 3806 3807 if (!p_dev_rec) return; 3808 3809 if ((btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) && 3810 (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) && 3811 (p_dev_rec->bd_addr == btm_cb.pairing_bda)) 3812 are_bonding = true; 3813 3814 if ((btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) && 3815 (p_dev_rec->bd_addr == btm_cb.pairing_bda)) 3816 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE); 3817 3818 if (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING) { 3819 if ((btm_cb.api.p_auth_complete_callback && status != HCI_SUCCESS) && 3820 (old_state != BTM_PAIR_STATE_IDLE)) { 3821 (*btm_cb.api.p_auth_complete_callback)(p_dev_rec->bd_addr, 3822 p_dev_rec->dev_class, 3823 p_dev_rec->sec_bd_name, status); 3824 } 3825 return; 3826 } 3827 3828 /* There can be a race condition, when we are starting authentication and 3829 ** the peer device is doing encryption. 3830 ** If first we receive encryption change up, then initiated authentication 3831 ** can not be performed. According to the spec we can not do authentication 3832 ** on the encrypted link, so device is correct. 3833 */ 3834 if ((status == HCI_ERR_COMMAND_DISALLOWED) && 3835 ((p_dev_rec->sec_flags & (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED)) == 3836 (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED))) { 3837 status = HCI_SUCCESS; 3838 } 3839 /* Currently we do not notify user if it is a keyboard which connects */ 3840 /* User probably Disabled the keyboard while it was asleap. Let her try */ 3841 if (btm_cb.api.p_auth_complete_callback) { 3842 /* report the suthentication status */ 3843 if ((old_state != BTM_PAIR_STATE_IDLE) || (status != HCI_SUCCESS)) 3844 (*btm_cb.api.p_auth_complete_callback)(p_dev_rec->bd_addr, 3845 p_dev_rec->dev_class, 3846 p_dev_rec->sec_bd_name, status); 3847 } 3848 3849 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE; 3850 3851 /* If this is a bonding procedure can disconnect the link now */ 3852 if (are_bonding) { 3853 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE; 3854 3855 if (status != HCI_SUCCESS) { 3856 if (((status != HCI_ERR_PEER_USER) && 3857 (status != HCI_ERR_CONN_CAUSE_LOCAL_HOST))) 3858 btm_sec_send_hci_disconnect(p_dev_rec, HCI_ERR_PEER_USER, 3859 p_dev_rec->hci_handle); 3860 } else { 3861 BTM_TRACE_DEBUG("TRYING TO DECIDE IF CAN USE SMP_BR_CHNL"); 3862 if (p_dev_rec->new_encryption_key_is_p256 && 3863 (btm_sec_use_smp_br_chnl(p_dev_rec)) 3864 /* no LE keys are available, do deriving */ 3865 && (!(p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_KNOWN) || 3866 /* or BR key is higher security than existing LE keys */ 3867 (!(p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_AUTHED) && 3868 (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED)))) { 3869 BTM_TRACE_DEBUG( 3870 "link encrypted afer dedic bonding can use SMP_BR_CHNL"); 3871 3872 if (btm_sec_is_master(p_dev_rec)) { 3873 // Encryption is required to start SM over BR/EDR 3874 // indicate that this is encryption after authentication 3875 BTM_SetEncryption(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR, NULL, NULL, 3876 0); 3877 } 3878 } 3879 l2cu_start_post_bond_timer(p_dev_rec->hci_handle); 3880 } 3881 3882 return; 3883 } 3884 3885 /* If authentication failed, notify the waiting layer */ 3886 if (status != HCI_SUCCESS) { 3887 btm_sec_dev_rec_cback_event(p_dev_rec, BTM_ERR_PROCESSING, false); 3888 3889 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE) { 3890 btm_sec_send_hci_disconnect(p_dev_rec, HCI_ERR_AUTH_FAILURE, 3891 p_dev_rec->hci_handle); 3892 } 3893 return; 3894 } 3895 3896 p_dev_rec->sec_flags |= BTM_SEC_AUTHENTICATED; 3897 3898 if (p_dev_rec->pin_code_length >= 16 || 3899 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB || 3900 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) { 3901 // If we have MITM protection we have a higher level of security than 3902 // provided by 16 digits PIN 3903 p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED; 3904 } 3905 3906 /* Authentication succeeded, execute the next security procedure, if any */ 3907 status = btm_sec_execute_procedure(p_dev_rec); 3908 3909 /* If there is no next procedure, or procedure failed to start, notify the 3910 * caller */ 3911 if (status != BTM_CMD_STARTED) 3912 btm_sec_dev_rec_cback_event(p_dev_rec, status, false); 3913 } 3914 3915 /******************************************************************************* 3916 * 3917 * Function btm_sec_encrypt_change 3918 * 3919 * Description This function is when encryption of the connection is 3920 * completed by the LM 3921 * 3922 * Returns void 3923 * 3924 ******************************************************************************/ 3925 void btm_sec_encrypt_change(uint16_t handle, uint8_t status, 3926 uint8_t encr_enable) { 3927 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(handle); 3928 tACL_CONN* p_acl = NULL; 3929 uint8_t acl_idx = btm_handle_to_acl_index(handle); 3930 BTM_TRACE_EVENT( 3931 "Security Manager: encrypt_change status:%d State:%d, encr_enable = %d", 3932 status, (p_dev_rec) ? p_dev_rec->sec_state : 0, encr_enable); 3933 BTM_TRACE_DEBUG("before update p_dev_rec->sec_flags=0x%x", 3934 (p_dev_rec) ? p_dev_rec->sec_flags : 0); 3935 3936 /* For transaction collision we need to wait and repeat. There is no need */ 3937 /* for random timeout because only slave should receive the result */ 3938 if ((status == HCI_ERR_LMP_ERR_TRANS_COLLISION) || 3939 (status == HCI_ERR_DIFF_TRANSACTION_COLLISION)) { 3940 btm_sec_auth_collision(handle); 3941 return; 3942 } 3943 btm_cb.collision_start_time = 0; 3944 3945 if (!p_dev_rec) return; 3946 3947 if ((status == HCI_SUCCESS) && encr_enable) { 3948 if (p_dev_rec->hci_handle == handle) { 3949 p_dev_rec->sec_flags |= (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED); 3950 if (p_dev_rec->pin_code_length >= 16 || 3951 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB || 3952 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) { 3953 p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED; 3954 } 3955 } else { 3956 p_dev_rec->sec_flags |= (BTM_SEC_LE_AUTHENTICATED | BTM_SEC_LE_ENCRYPTED); 3957 } 3958 } 3959 3960 /* It is possible that we decrypted the link to perform role switch */ 3961 /* mark link not to be encrypted, so that when we execute security next time 3962 * it will kick in again */ 3963 if ((status == HCI_SUCCESS) && !encr_enable) { 3964 if (p_dev_rec->hci_handle == handle) 3965 p_dev_rec->sec_flags &= ~BTM_SEC_ENCRYPTED; 3966 else 3967 p_dev_rec->sec_flags &= ~BTM_SEC_LE_ENCRYPTED; 3968 } 3969 3970 BTM_TRACE_DEBUG("after update p_dev_rec->sec_flags=0x%x", 3971 p_dev_rec->sec_flags); 3972 3973 if (acl_idx != MAX_L2CAP_LINKS) p_acl = &btm_cb.acl_db[acl_idx]; 3974 3975 if (p_acl != NULL) 3976 btm_sec_check_pending_enc_req(p_dev_rec, p_acl->transport, encr_enable); 3977 3978 if (p_acl && p_acl->transport == BT_TRANSPORT_LE) { 3979 if (status == HCI_ERR_KEY_MISSING || status == HCI_ERR_AUTH_FAILURE || 3980 status == HCI_ERR_ENCRY_MODE_NOT_ACCEPTABLE) { 3981 p_dev_rec->sec_flags &= ~(BTM_SEC_LE_LINK_KEY_KNOWN); 3982 p_dev_rec->ble.key_type = BTM_LE_KEY_NONE; 3983 } 3984 btm_ble_link_encrypted(p_dev_rec->ble.pseudo_addr, encr_enable); 3985 return; 3986 } else { 3987 /* BR/EDR connection, update the encryption key size to be 16 as always */ 3988 p_dev_rec->enc_key_size = 16; 3989 } 3990 3991 BTM_TRACE_DEBUG("in %s new_encr_key_256 is %d", __func__, 3992 p_dev_rec->new_encryption_key_is_p256); 3993 3994 if ((status == HCI_SUCCESS) && encr_enable && 3995 (p_dev_rec->hci_handle == handle)) { 3996 /* if BR key is temporary no need for LE LTK derivation */ 3997 bool derive_ltk = true; 3998 if (p_dev_rec->rmt_auth_req == BTM_AUTH_SP_NO && 3999 btm_cb.devcb.loc_auth_req == BTM_AUTH_SP_NO) { 4000 derive_ltk = false; 4001 BTM_TRACE_DEBUG("%s: BR key is temporary, skip derivation of LE LTK", 4002 __func__); 4003 } 4004 if (p_dev_rec->new_encryption_key_is_p256) { 4005 if (btm_sec_use_smp_br_chnl(p_dev_rec) && btm_sec_is_master(p_dev_rec) && 4006 /* if LE key is not known, do deriving */ 4007 (!(p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_KNOWN) || 4008 /* or BR key is higher security than existing LE keys */ 4009 (!(p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_AUTHED) && 4010 (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED))) && 4011 derive_ltk) { 4012 /* BR/EDR is encrypted with LK that can be used to derive LE LTK */ 4013 p_dev_rec->new_encryption_key_is_p256 = false; 4014 4015 if (p_dev_rec->no_smp_on_br) { 4016 BTM_TRACE_DEBUG("%s NO SM over BR/EDR", __func__); 4017 } else { 4018 BTM_TRACE_DEBUG("%s start SM over BR/EDR", __func__); 4019 SMP_BR_PairWith(p_dev_rec->bd_addr); 4020 } 4021 } 4022 } else { 4023 // BR/EDR is successfully encrypted. Correct LK type if needed 4024 // (BR/EDR LK derived from LE LTK was used for encryption) 4025 if ((encr_enable == 1) && /* encryption is ON for SSP */ 4026 /* LK type is for BR/EDR SC */ 4027 (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256 || 4028 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256)) { 4029 if (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256) 4030 p_dev_rec->link_key_type = BTM_LKEY_TYPE_UNAUTH_COMB; 4031 else /* BTM_LKEY_TYPE_AUTH_COMB_P_256 */ 4032 p_dev_rec->link_key_type = BTM_LKEY_TYPE_AUTH_COMB; 4033 4034 BTM_TRACE_DEBUG("updated link key type to %d", 4035 p_dev_rec->link_key_type); 4036 btm_send_link_key_notif(p_dev_rec); 4037 } 4038 } 4039 } 4040 4041 /* If this encryption was started by peer do not need to do anything */ 4042 if (p_dev_rec->sec_state != BTM_SEC_STATE_ENCRYPTING) { 4043 if (BTM_SEC_STATE_DELAY_FOR_ENC == p_dev_rec->sec_state) { 4044 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE; 4045 BTM_TRACE_DEBUG("%s: clearing callback. p_dev_rec=%p, p_callback=%p", 4046 __func__, p_dev_rec, p_dev_rec->p_callback); 4047 p_dev_rec->p_callback = NULL; 4048 l2cu_resubmit_pending_sec_req(&p_dev_rec->bd_addr); 4049 } 4050 return; 4051 } 4052 4053 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE; 4054 /* If encryption setup failed, notify the waiting layer */ 4055 if (status != HCI_SUCCESS) { 4056 btm_sec_dev_rec_cback_event(p_dev_rec, BTM_ERR_PROCESSING, false); 4057 return; 4058 } 4059 4060 /* Encryption setup succeeded, execute the next security procedure, if any */ 4061 status = (uint8_t)btm_sec_execute_procedure(p_dev_rec); 4062 /* If there is no next procedure, or procedure failed to start, notify the 4063 * caller */ 4064 if (status != BTM_CMD_STARTED) 4065 btm_sec_dev_rec_cback_event(p_dev_rec, status, false); 4066 } 4067 4068 /******************************************************************************* 4069 * 4070 * Function btm_sec_connect_after_reject_timeout 4071 * 4072 * Description Connection for bonding could not start because of the 4073 * collision. Initiate outgoing connection 4074 * 4075 * Returns Pointer to the TLE struct 4076 * 4077 ******************************************************************************/ 4078 static void btm_sec_connect_after_reject_timeout(UNUSED_ATTR void* data) { 4079 tBTM_SEC_DEV_REC* p_dev_rec = btm_cb.p_collided_dev_rec; 4080 4081 BTM_TRACE_EVENT("%s", __func__); 4082 btm_cb.p_collided_dev_rec = 0; 4083 4084 if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED) { 4085 BTM_TRACE_WARNING("Security Manager: %s: failed to start connection", 4086 __func__); 4087 4088 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE); 4089 4090 if (btm_cb.api.p_auth_complete_callback) 4091 (*btm_cb.api.p_auth_complete_callback)( 4092 p_dev_rec->bd_addr, p_dev_rec->dev_class, p_dev_rec->sec_bd_name, 4093 HCI_ERR_MEMORY_FULL); 4094 } 4095 } 4096 4097 /******************************************************************************* 4098 * 4099 * Function btm_sec_connected 4100 * 4101 * Description This function is when a connection to the peer device is 4102 * established 4103 * 4104 * Returns void 4105 * 4106 ******************************************************************************/ 4107 void btm_sec_connected(const RawAddress& bda, uint16_t handle, uint8_t status, 4108 uint8_t enc_mode) { 4109 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bda); 4110 uint8_t res; 4111 bool is_pairing_device = false; 4112 tACL_CONN* p_acl_cb; 4113 uint8_t bit_shift = 0; 4114 4115 btm_acl_resubmit_page(); 4116 4117 if (p_dev_rec) { 4118 VLOG(2) << __func__ << ": Security Manager: in state: " 4119 << btm_pair_state_descr(btm_cb.pairing_state) 4120 << " handle:" << handle << " status:" << loghex(status) 4121 << " enc_mode:" << loghex(enc_mode) << " bda:" << bda 4122 << " RName:" << p_dev_rec->sec_bd_name; 4123 } else { 4124 VLOG(2) << __func__ << ": Security Manager: in state: " 4125 << btm_pair_state_descr(btm_cb.pairing_state) 4126 << " handle:" << handle << " status:" << loghex(status) 4127 << " enc_mode:" << loghex(enc_mode) << " bda:" << bda; 4128 } 4129 4130 if (!p_dev_rec) { 4131 /* There is no device record for new connection. Allocate one */ 4132 if (status == HCI_SUCCESS) { 4133 p_dev_rec = btm_sec_alloc_dev(bda); 4134 } else { 4135 /* If the device matches with stored paring address 4136 * reset the paring state to idle */ 4137 if ((btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) && 4138 btm_cb.pairing_bda == bda) { 4139 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE); 4140 } 4141 4142 /* can not find the device record and the status is error, 4143 * just ignore it */ 4144 return; 4145 } 4146 } else /* Update the timestamp for this device */ 4147 { 4148 bit_shift = (handle == p_dev_rec->ble_hci_handle) ? 8 : 0; 4149 p_dev_rec->timestamp = btm_cb.dev_rec_count++; 4150 if (p_dev_rec->sm4 & BTM_SM4_CONN_PEND) { 4151 /* tell L2CAP it's a bonding connection. */ 4152 if ((btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) && 4153 (btm_cb.pairing_bda == p_dev_rec->bd_addr) && 4154 (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)) { 4155 /* if incoming connection failed while pairing, then try to connect and 4156 * continue */ 4157 /* Motorola S9 disconnects without asking pin code */ 4158 if ((status != HCI_SUCCESS) && 4159 (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_PIN_REQ)) { 4160 BTM_TRACE_WARNING( 4161 "Security Manager: btm_sec_connected: incoming connection failed " 4162 "without asking PIN"); 4163 4164 p_dev_rec->sm4 &= ~BTM_SM4_CONN_PEND; 4165 if (p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN) { 4166 /* Start timer with 0 to initiate connection with new LCB */ 4167 /* because L2CAP will delete current LCB with this event */ 4168 btm_cb.p_collided_dev_rec = p_dev_rec; 4169 alarm_set_on_mloop(btm_cb.sec_collision_timer, 0, 4170 btm_sec_connect_after_reject_timeout, NULL); 4171 } else { 4172 btm_sec_change_pairing_state(BTM_PAIR_STATE_GET_REM_NAME); 4173 if (BTM_ReadRemoteDeviceName(p_dev_rec->bd_addr, NULL, 4174 BT_TRANSPORT_BR_EDR) != 4175 BTM_CMD_STARTED) { 4176 BTM_TRACE_ERROR("%s cannot read remote name", __func__); 4177 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE); 4178 } 4179 } 4180 #if (BTM_DISC_DURING_RS == TRUE) 4181 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */ 4182 #endif 4183 return; 4184 } else { 4185 l2cu_update_lcb_4_bonding(p_dev_rec->bd_addr, true); 4186 } 4187 } 4188 /* always clear the pending flag */ 4189 p_dev_rec->sm4 &= ~BTM_SM4_CONN_PEND; 4190 } 4191 } 4192 4193 p_dev_rec->device_type |= BT_DEVICE_TYPE_BREDR; 4194 4195 #if (BTM_DISC_DURING_RS == TRUE) 4196 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */ 4197 #endif 4198 4199 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */ 4200 4201 if ((btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) && 4202 (btm_cb.pairing_bda == bda)) { 4203 /* if we rejected incoming connection from bonding device */ 4204 if ((status == HCI_ERR_HOST_REJECT_DEVICE) && 4205 (btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT)) { 4206 BTM_TRACE_WARNING( 4207 "Security Manager: btm_sec_connected: HCI_Conn_Comp Flags:0x%04x, " 4208 "sm4: 0x%x", 4209 btm_cb.pairing_flags, p_dev_rec->sm4); 4210 4211 btm_cb.pairing_flags &= ~BTM_PAIR_FLAGS_REJECTED_CONNECT; 4212 if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4)) { 4213 /* Try again: RNR when no ACL causes HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT */ 4214 btm_sec_change_pairing_state(BTM_PAIR_STATE_GET_REM_NAME); 4215 if (BTM_ReadRemoteDeviceName(bda, NULL, BT_TRANSPORT_BR_EDR) != 4216 BTM_CMD_STARTED) { 4217 BTM_TRACE_ERROR("%s cannot read remote name", __func__); 4218 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE); 4219 } 4220 return; 4221 } 4222 4223 /* if we already have pin code */ 4224 if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_PIN) { 4225 /* Start timer with 0 to initiate connection with new LCB */ 4226 /* because L2CAP will delete current LCB with this event */ 4227 btm_cb.p_collided_dev_rec = p_dev_rec; 4228 alarm_set_on_mloop(btm_cb.sec_collision_timer, 0, 4229 btm_sec_connect_after_reject_timeout, NULL); 4230 } 4231 4232 return; 4233 } 4234 /* wait for incoming connection without resetting pairing state */ 4235 else if (status == HCI_ERR_CONNECTION_EXISTS) { 4236 BTM_TRACE_WARNING( 4237 "Security Manager: btm_sec_connected: Wait for incoming connection"); 4238 return; 4239 } 4240 4241 is_pairing_device = true; 4242 } 4243 4244 /* If connection was made to do bonding restore link security if changed */ 4245 btm_restore_mode(); 4246 4247 /* if connection fails during pin request, notify application */ 4248 if (status != HCI_SUCCESS) { 4249 /* If connection failed because of during pairing, need to tell user */ 4250 if (is_pairing_device) { 4251 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE; 4252 p_dev_rec->sec_flags &= 4253 ~((BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED) << bit_shift); 4254 BTM_TRACE_DEBUG("security_required:%x ", p_dev_rec->security_required); 4255 4256 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE); 4257 4258 /* We need to notify host that the key is not known any more */ 4259 if (btm_cb.api.p_auth_complete_callback) { 4260 (*btm_cb.api.p_auth_complete_callback)(p_dev_rec->bd_addr, 4261 p_dev_rec->dev_class, 4262 p_dev_rec->sec_bd_name, status); 4263 } 4264 } 4265 /* 4266 Do not send authentication failure, if following conditions hold good 4267 1. BTM Sec Pairing state is idle 4268 2. Link key for the remote device is present. 4269 3. Remote is SSP capable. 4270 */ 4271 else if ((p_dev_rec->link_key_type <= BTM_LKEY_TYPE_REMOTE_UNIT) && 4272 (((status == HCI_ERR_AUTH_FAILURE) || 4273 (status == HCI_ERR_KEY_MISSING) || 4274 (status == HCI_ERR_HOST_REJECT_SECURITY) || 4275 (status == HCI_ERR_PAIRING_NOT_ALLOWED) || 4276 (status == HCI_ERR_UNIT_KEY_USED) || 4277 (status == HCI_ERR_PAIRING_WITH_UNIT_KEY_NOT_SUPPORTED) || 4278 (status == HCI_ERR_ENCRY_MODE_NOT_ACCEPTABLE) || 4279 (status == HCI_ERR_REPEATED_ATTEMPTS)))) { 4280 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE; 4281 p_dev_rec->sec_flags &= ~(BTM_SEC_LE_LINK_KEY_KNOWN << bit_shift); 4282 4283 #ifdef BRCM_NOT_4_BTE 4284 /* If we rejected pairing, pass this special result code */ 4285 if (btm_cb.acl_disc_reason == HCI_ERR_HOST_REJECT_SECURITY) { 4286 status = HCI_ERR_HOST_REJECT_SECURITY; 4287 } 4288 #endif 4289 4290 /* We need to notify host that the key is not known any more */ 4291 if (btm_cb.api.p_auth_complete_callback) { 4292 (*btm_cb.api.p_auth_complete_callback)(p_dev_rec->bd_addr, 4293 p_dev_rec->dev_class, 4294 p_dev_rec->sec_bd_name, status); 4295 } 4296 } 4297 4298 if (btm_cb.pairing_bda != bda) { 4299 /* Don't callback unless this Connection-Complete-failure event has the 4300 * same mac address as the bonding device */ 4301 VLOG(1) << __func__ 4302 << ": Different mac addresses: pairing_bda=" << btm_cb.pairing_bda 4303 << ", bda=" << bda << ", do not callback"; 4304 return; 4305 } 4306 4307 if (status == HCI_ERR_CONNECTION_TOUT || 4308 status == HCI_ERR_LMP_RESPONSE_TIMEOUT || 4309 status == HCI_ERR_UNSPECIFIED || status == HCI_ERR_PAGE_TIMEOUT) 4310 btm_sec_dev_rec_cback_event(p_dev_rec, BTM_DEVICE_TIMEOUT, false); 4311 else 4312 btm_sec_dev_rec_cback_event(p_dev_rec, BTM_ERR_PROCESSING, false); 4313 4314 return; 4315 } 4316 4317 /* If initiated dedicated bonding, return the link key now, and initiate 4318 * disconnect */ 4319 /* If dedicated bonding, and we now have a link key, we are all done */ 4320 if (is_pairing_device && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)) { 4321 if (p_dev_rec->link_key_not_sent) { 4322 p_dev_rec->link_key_not_sent = false; 4323 btm_send_link_key_notif(p_dev_rec); 4324 } 4325 4326 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE; 4327 4328 /* remember flag before it is initialized */ 4329 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) 4330 res = true; 4331 else 4332 res = false; 4333 4334 if (btm_cb.api.p_auth_complete_callback) 4335 (*btm_cb.api.p_auth_complete_callback)( 4336 p_dev_rec->bd_addr, p_dev_rec->dev_class, p_dev_rec->sec_bd_name, 4337 HCI_SUCCESS); 4338 4339 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE); 4340 4341 if (res) { 4342 /* Let l2cap start bond timer */ 4343 l2cu_update_lcb_4_bonding(p_dev_rec->bd_addr, true); 4344 } 4345 4346 return; 4347 } 4348 4349 p_dev_rec->hci_handle = handle; 4350 4351 /* role may not be correct here, it will be updated by l2cap, but we need to 4352 */ 4353 /* notify btm_acl that link is up, so starting of rmt name request will not */ 4354 /* set paging flag up */ 4355 p_acl_cb = btm_bda_to_acl(bda, BT_TRANSPORT_BR_EDR); 4356 if (p_acl_cb) { 4357 /* whatever is in btm_establish_continue() without reporting the BTM_BL_CONN_EVT 4358 * event */ 4359 #if (BTM_BYPASS_EXTRA_ACL_SETUP == FALSE) 4360 /* For now there are a some devices that do not like sending */ 4361 /* commands events and data at the same time. */ 4362 /* Set the packet types to the default allowed by the device */ 4363 btm_set_packet_types(p_acl_cb, btm_cb.btm_acl_pkt_types_supported); 4364 4365 if (btm_cb.btm_def_link_policy) 4366 BTM_SetLinkPolicy(p_acl_cb->remote_addr, &btm_cb.btm_def_link_policy); 4367 #endif 4368 } 4369 btm_acl_created(bda, p_dev_rec->dev_class, p_dev_rec->sec_bd_name, handle, 4370 HCI_ROLE_SLAVE, BT_TRANSPORT_BR_EDR); 4371 4372 /* Initialize security flags. We need to do that because some */ 4373 /* authorization complete could have come after the connection is dropped */ 4374 /* and that would set wrong flag that link has been authorized already */ 4375 p_dev_rec->sec_flags &= ~((BTM_SEC_AUTHORIZED | BTM_SEC_AUTHENTICATED | 4376 BTM_SEC_ENCRYPTED | BTM_SEC_ROLE_SWITCHED) 4377 << bit_shift); 4378 4379 if (enc_mode != HCI_ENCRYPT_MODE_DISABLED) 4380 p_dev_rec->sec_flags |= 4381 ((BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED) << bit_shift); 4382 4383 if (btm_cb.security_mode == BTM_SEC_MODE_LINK) 4384 p_dev_rec->sec_flags |= (BTM_SEC_AUTHENTICATED << bit_shift); 4385 4386 if (p_dev_rec->pin_code_length >= 16 || 4387 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB || 4388 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) { 4389 p_dev_rec->sec_flags |= (BTM_SEC_16_DIGIT_PIN_AUTHED << bit_shift); 4390 } 4391 4392 p_dev_rec->link_key_changed = false; 4393 4394 /* After connection is established we perform security if we do not know */ 4395 /* the name, or if we are originator because some procedure can have */ 4396 /* been scheduled while connection was down */ 4397 BTM_TRACE_DEBUG("is_originator:%d ", p_dev_rec->is_originator); 4398 if (!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN) || 4399 p_dev_rec->is_originator) { 4400 res = btm_sec_execute_procedure(p_dev_rec); 4401 if (res != BTM_CMD_STARTED) 4402 btm_sec_dev_rec_cback_event(p_dev_rec, res, false); 4403 } 4404 return; 4405 } 4406 4407 /******************************************************************************* 4408 * 4409 * Function btm_sec_disconnect 4410 * 4411 * Description This function is called to disconnect HCI link 4412 * 4413 * Returns btm status 4414 * 4415 ******************************************************************************/ 4416 tBTM_STATUS btm_sec_disconnect(uint16_t handle, uint8_t reason) { 4417 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(handle); 4418 4419 /* In some weird race condition we may not have a record */ 4420 if (!p_dev_rec) { 4421 btsnd_hcic_disconnect(handle, reason); 4422 return (BTM_SUCCESS); 4423 } 4424 4425 /* If we are in the process of bonding we need to tell client that auth failed 4426 */ 4427 if ((btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) && 4428 (btm_cb.pairing_bda == p_dev_rec->bd_addr) && 4429 (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)) { 4430 /* we are currently doing bonding. Link will be disconnected when done */ 4431 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_DISC_WHEN_DONE; 4432 return (BTM_BUSY); 4433 } 4434 4435 return (btm_sec_send_hci_disconnect(p_dev_rec, reason, handle)); 4436 } 4437 4438 /******************************************************************************* 4439 * 4440 * Function btm_sec_disconnected 4441 * 4442 * Description This function is when a connection to the peer device is 4443 * dropped 4444 * 4445 * Returns void 4446 * 4447 ******************************************************************************/ 4448 void btm_sec_disconnected(uint16_t handle, uint8_t reason) { 4449 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(handle); 4450 uint8_t old_pairing_flags = btm_cb.pairing_flags; 4451 int result = HCI_ERR_AUTH_FAILURE; 4452 tBTM_SEC_CALLBACK* p_callback = NULL; 4453 tBT_TRANSPORT transport = BT_TRANSPORT_BR_EDR; 4454 4455 /* If page was delayed for disc complete, can do it now */ 4456 btm_cb.discing = false; 4457 4458 btm_acl_resubmit_page(); 4459 4460 if (!p_dev_rec) return; 4461 4462 transport = 4463 (handle == p_dev_rec->hci_handle) ? BT_TRANSPORT_BR_EDR : BT_TRANSPORT_LE; 4464 4465 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */ 4466 4467 #if (BTM_DISC_DURING_RS == TRUE) 4468 LOG_INFO(LOG_TAG, "%s clearing pending flag handle:%d reason:%d", __func__, 4469 handle, reason); 4470 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */ 4471 #endif 4472 4473 /* clear unused flags */ 4474 p_dev_rec->sm4 &= BTM_SM4_TRUE; 4475 4476 VLOG(2) << __func__ << " bd_addr: " << p_dev_rec->bd_addr 4477 << " name: " << p_dev_rec->sec_bd_name 4478 << " state: " << btm_pair_state_descr(btm_cb.pairing_state) 4479 << " reason: " << reason << " sec_req: " << std::hex 4480 << p_dev_rec->security_required; 4481 4482 BTM_TRACE_EVENT("%s before update sec_flags=0x%x", __func__, 4483 p_dev_rec->sec_flags); 4484 4485 /* If we are in the process of bonding we need to tell client that auth failed 4486 */ 4487 if ((btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) && 4488 (btm_cb.pairing_bda == p_dev_rec->bd_addr)) { 4489 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE); 4490 p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_KNOWN; 4491 if (btm_cb.api.p_auth_complete_callback) { 4492 /* If the disconnection reason is REPEATED_ATTEMPTS, 4493 send this error message to complete callback function 4494 to display the error message of Repeated attempts. 4495 All others, send HCI_ERR_AUTH_FAILURE. */ 4496 if (reason == HCI_ERR_REPEATED_ATTEMPTS) { 4497 result = HCI_ERR_REPEATED_ATTEMPTS; 4498 } else if (old_pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) { 4499 result = HCI_ERR_HOST_REJECT_SECURITY; 4500 } 4501 (*btm_cb.api.p_auth_complete_callback)(p_dev_rec->bd_addr, 4502 p_dev_rec->dev_class, 4503 p_dev_rec->sec_bd_name, result); 4504 4505 // |btm_cb.api.p_auth_complete_callback| may cause |p_dev_rec| to be 4506 // deallocated. 4507 p_dev_rec = btm_find_dev_by_handle(handle); 4508 if (!p_dev_rec) { 4509 return; 4510 } 4511 } 4512 } 4513 4514 btm_ble_update_mode_operation(HCI_ROLE_UNKNOWN, &p_dev_rec->bd_addr, 4515 HCI_SUCCESS); 4516 /* see sec_flags processing in btm_acl_removed */ 4517 4518 if (transport == BT_TRANSPORT_LE) { 4519 p_dev_rec->ble_hci_handle = BTM_SEC_INVALID_HANDLE; 4520 p_dev_rec->sec_flags &= ~(BTM_SEC_LE_AUTHENTICATED | BTM_SEC_LE_ENCRYPTED); 4521 p_dev_rec->enc_key_size = 0; 4522 } else { 4523 p_dev_rec->hci_handle = BTM_SEC_INVALID_HANDLE; 4524 p_dev_rec->sec_flags &= 4525 ~(BTM_SEC_AUTHORIZED | BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED | 4526 BTM_SEC_ROLE_SWITCHED | BTM_SEC_16_DIGIT_PIN_AUTHED); 4527 4528 // Remove temporary key. 4529 if (p_dev_rec->bond_type == BOND_TYPE_TEMPORARY) 4530 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN); 4531 } 4532 4533 BTM_TRACE_EVENT("%s after update sec_flags=0x%x", __func__, 4534 p_dev_rec->sec_flags); 4535 4536 if (p_dev_rec->sec_state == BTM_SEC_STATE_DISCONNECTING_BOTH) { 4537 p_dev_rec->sec_state = (transport == BT_TRANSPORT_LE) 4538 ? BTM_SEC_STATE_DISCONNECTING 4539 : BTM_SEC_STATE_DISCONNECTING_BLE; 4540 return; 4541 } 4542 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE; 4543 p_dev_rec->security_required = BTM_SEC_NONE; 4544 4545 p_callback = p_dev_rec->p_callback; 4546 4547 /* if security is pending, send callback to clean up the security state */ 4548 if (p_callback) { 4549 BTM_TRACE_DEBUG("%s: clearing callback. p_dev_rec=%p, p_callback=%p", 4550 __func__, p_dev_rec, p_dev_rec->p_callback); 4551 p_dev_rec->p_callback = 4552 NULL; /* when the peer device time out the authentication before 4553 we do, this call back must be reset here */ 4554 (*p_callback)(&p_dev_rec->bd_addr, transport, p_dev_rec->p_ref_data, 4555 BTM_ERR_PROCESSING); 4556 } 4557 } 4558 4559 /******************************************************************************* 4560 * 4561 * Function btm_sec_link_key_notification 4562 * 4563 * Description This function is called when a new connection link key is 4564 * generated 4565 * 4566 * Returns Pointer to the record or NULL 4567 * 4568 ******************************************************************************/ 4569 void btm_sec_link_key_notification(const RawAddress& p_bda, uint8_t* p_link_key, 4570 uint8_t key_type) { 4571 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_or_alloc_dev(p_bda); 4572 bool we_are_bonding = false; 4573 bool ltk_derived_lk = false; 4574 4575 VLOG(2) << __func__ << " BDA: " << p_bda << ", TYPE: " << +key_type; 4576 4577 if ((key_type >= BTM_LTK_DERIVED_LKEY_OFFSET + BTM_LKEY_TYPE_COMBINATION) && 4578 (key_type <= 4579 BTM_LTK_DERIVED_LKEY_OFFSET + BTM_LKEY_TYPE_AUTH_COMB_P_256)) { 4580 ltk_derived_lk = true; 4581 key_type -= BTM_LTK_DERIVED_LKEY_OFFSET; 4582 } 4583 /* If connection was made to do bonding restore link security if changed */ 4584 btm_restore_mode(); 4585 4586 if (key_type != BTM_LKEY_TYPE_CHANGED_COMB) 4587 p_dev_rec->link_key_type = key_type; 4588 4589 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_KNOWN; 4590 4591 /* 4592 * Until this point in time, we do not know if MITM was enabled, hence we 4593 * add the extended security flag here. 4594 */ 4595 if (p_dev_rec->pin_code_length >= 16 || 4596 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB || 4597 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) { 4598 p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED; 4599 } 4600 4601 /* BR/EDR connection, update the encryption key size to be 16 as always */ 4602 p_dev_rec->enc_key_size = 16; 4603 memcpy(p_dev_rec->link_key, p_link_key, LINK_KEY_LEN); 4604 4605 if ((btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) && 4606 (btm_cb.pairing_bda == p_bda)) { 4607 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) 4608 we_are_bonding = true; 4609 else 4610 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE); 4611 } 4612 4613 /* save LTK derived LK no matter what */ 4614 if (ltk_derived_lk) { 4615 if (btm_cb.api.p_link_key_callback) { 4616 BTM_TRACE_DEBUG("%s() Save LTK derived LK (key_type = %d)", __func__, 4617 p_dev_rec->link_key_type); 4618 (*btm_cb.api.p_link_key_callback)(p_bda, p_dev_rec->dev_class, 4619 p_dev_rec->sec_bd_name, p_link_key, 4620 p_dev_rec->link_key_type); 4621 } 4622 } else { 4623 if ((p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256) || 4624 (p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256)) { 4625 p_dev_rec->new_encryption_key_is_p256 = true; 4626 BTM_TRACE_DEBUG("%s set new_encr_key_256 to %d", __func__, 4627 p_dev_rec->new_encryption_key_is_p256); 4628 } 4629 } 4630 4631 /* If name is not known at this point delay calling callback until the name is 4632 */ 4633 /* resolved. Unless it is a HID Device and we really need to send all link 4634 * keys. */ 4635 if ((!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN) && 4636 ((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) != 4637 BTM_COD_MAJOR_PERIPHERAL)) && 4638 !ltk_derived_lk) { 4639 VLOG(2) << __func__ << " Delayed BDA: " << p_bda << " Type:" << +key_type; 4640 4641 p_dev_rec->link_key_not_sent = true; 4642 4643 /* If it is for bonding nothing else will follow, so we need to start name 4644 * resolution */ 4645 if (we_are_bonding) { 4646 btsnd_hcic_rmt_name_req(p_bda, HCI_PAGE_SCAN_REP_MODE_R1, 4647 HCI_MANDATARY_PAGE_SCAN_MODE, 0); 4648 } 4649 4650 BTM_TRACE_EVENT("rmt_io_caps:%d, sec_flags:x%x, dev_class[1]:x%02x", 4651 p_dev_rec->rmt_io_caps, p_dev_rec->sec_flags, 4652 p_dev_rec->dev_class[1]) 4653 return; 4654 } 4655 4656 /* If its not us who perform authentication, we should tell stackserver */ 4657 /* that some authentication has been completed */ 4658 /* This is required when different entities receive link notification and auth 4659 * complete */ 4660 if (!(p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE) 4661 /* for derived key, always send authentication callback for BR channel */ 4662 || ltk_derived_lk) { 4663 if (btm_cb.api.p_auth_complete_callback) 4664 (*btm_cb.api.p_auth_complete_callback)( 4665 p_dev_rec->bd_addr, p_dev_rec->dev_class, p_dev_rec->sec_bd_name, 4666 HCI_SUCCESS); 4667 } 4668 4669 /* We will save link key only if the user authorized it - BTE report link key in 4670 * all cases */ 4671 #ifdef BRCM_NONE_BTE 4672 if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED) 4673 #endif 4674 { 4675 if (btm_cb.api.p_link_key_callback) { 4676 if (ltk_derived_lk) { 4677 BTM_TRACE_DEBUG( 4678 "btm_sec_link_key_notification() LTK derived LK is saved already" 4679 " (key_type = %d)", 4680 p_dev_rec->link_key_type); 4681 } else { 4682 (*btm_cb.api.p_link_key_callback)(p_bda, p_dev_rec->dev_class, 4683 p_dev_rec->sec_bd_name, p_link_key, 4684 p_dev_rec->link_key_type); 4685 } 4686 } 4687 } 4688 } 4689 4690 /******************************************************************************* 4691 * 4692 * Function btm_sec_link_key_request 4693 * 4694 * Description This function is called when controller requests link key 4695 * 4696 * Returns Pointer to the record or NULL 4697 * 4698 ******************************************************************************/ 4699 void btm_sec_link_key_request(const RawAddress& bda) { 4700 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_or_alloc_dev(bda); 4701 4702 VLOG(2) << __func__ << " bda: " << bda; 4703 4704 if ((btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_PIN_REQ) && 4705 (btm_cb.collision_start_time != 0) && 4706 (btm_cb.p_collided_dev_rec->bd_addr == bda)) { 4707 BTM_TRACE_EVENT( 4708 "btm_sec_link_key_request() rejecting link key req " 4709 "State: %d START_TIMEOUT : %d", 4710 btm_cb.pairing_state, btm_cb.collision_start_time); 4711 btsnd_hcic_link_key_neg_reply(bda); 4712 return; 4713 } 4714 if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) { 4715 btsnd_hcic_link_key_req_reply(bda, p_dev_rec->link_key); 4716 return; 4717 } 4718 4719 /* Notify L2CAP to increase timeout */ 4720 l2c_pin_code_request(bda); 4721 4722 /* The link key is not in the database and it is not known to the manager */ 4723 btsnd_hcic_link_key_neg_reply(bda); 4724 } 4725 4726 /******************************************************************************* 4727 * 4728 * Function btm_sec_pairing_timeout 4729 * 4730 * Description This function is called when host does not provide PIN 4731 * within requested time 4732 * 4733 * Returns Pointer to the TLE struct 4734 * 4735 ******************************************************************************/ 4736 static void btm_sec_pairing_timeout(UNUSED_ATTR void* data) { 4737 tBTM_CB* p_cb = &btm_cb; 4738 tBTM_SEC_DEV_REC* p_dev_rec; 4739 #if (BTM_LOCAL_IO_CAPS == BTM_IO_CAP_NONE) 4740 tBTM_AUTH_REQ auth_req = BTM_AUTH_AP_NO; 4741 #else 4742 tBTM_AUTH_REQ auth_req = BTM_AUTH_AP_YES; 4743 #endif 4744 uint8_t name[2]; 4745 4746 p_dev_rec = btm_find_dev(p_cb->pairing_bda); 4747 4748 BTM_TRACE_EVENT("%s State: %s Flags: %u", __func__, 4749 btm_pair_state_descr(p_cb->pairing_state), 4750 p_cb->pairing_flags); 4751 4752 switch (p_cb->pairing_state) { 4753 case BTM_PAIR_STATE_WAIT_PIN_REQ: 4754 btm_sec_bond_cancel_complete(); 4755 break; 4756 4757 case BTM_PAIR_STATE_WAIT_LOCAL_PIN: 4758 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PRE_FETCH_PIN) == 0) 4759 btsnd_hcic_pin_code_neg_reply(p_cb->pairing_bda); 4760 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE); 4761 /* We need to notify the UI that no longer need the PIN */ 4762 if (btm_cb.api.p_auth_complete_callback) { 4763 if (p_dev_rec == NULL) { 4764 name[0] = 0; 4765 (*btm_cb.api.p_auth_complete_callback)(p_cb->pairing_bda, NULL, name, 4766 HCI_ERR_CONNECTION_TOUT); 4767 } else 4768 (*btm_cb.api.p_auth_complete_callback)( 4769 p_dev_rec->bd_addr, p_dev_rec->dev_class, p_dev_rec->sec_bd_name, 4770 HCI_ERR_CONNECTION_TOUT); 4771 } 4772 break; 4773 4774 case BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM: 4775 btsnd_hcic_user_conf_reply(p_cb->pairing_bda, false); 4776 /* btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); */ 4777 break; 4778 4779 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE) 4780 case BTM_PAIR_STATE_KEY_ENTRY: 4781 btsnd_hcic_user_passkey_neg_reply(p_cb->pairing_bda); 4782 /* btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); */ 4783 break; 4784 #endif /* !BTM_IO_CAP_NONE */ 4785 4786 case BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS: 4787 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) 4788 auth_req |= BTM_AUTH_DD_BOND; 4789 4790 btsnd_hcic_io_cap_req_reply(p_cb->pairing_bda, btm_cb.devcb.loc_io_caps, 4791 BTM_OOB_NONE, auth_req); 4792 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE); 4793 break; 4794 4795 case BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP: 4796 btsnd_hcic_rem_oob_neg_reply(p_cb->pairing_bda); 4797 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE); 4798 break; 4799 4800 case BTM_PAIR_STATE_WAIT_DISCONNECT: 4801 /* simple pairing failed. Started a 1-sec timer at simple pairing 4802 * complete. 4803 * now it's time to tear down the ACL link*/ 4804 if (p_dev_rec == NULL) { 4805 LOG(ERROR) << __func__ 4806 << " BTM_PAIR_STATE_WAIT_DISCONNECT unknown BDA: " 4807 << p_cb->pairing_bda; 4808 break; 4809 } 4810 btm_sec_send_hci_disconnect(p_dev_rec, HCI_ERR_AUTH_FAILURE, 4811 p_dev_rec->hci_handle); 4812 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE); 4813 break; 4814 4815 case BTM_PAIR_STATE_WAIT_AUTH_COMPLETE: 4816 case BTM_PAIR_STATE_GET_REM_NAME: 4817 /* We need to notify the UI that timeout has happened while waiting for 4818 * authentication*/ 4819 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE); 4820 if (btm_cb.api.p_auth_complete_callback) { 4821 if (p_dev_rec == NULL) { 4822 name[0] = 0; 4823 (*btm_cb.api.p_auth_complete_callback)(p_cb->pairing_bda, NULL, name, 4824 HCI_ERR_CONNECTION_TOUT); 4825 } else 4826 (*btm_cb.api.p_auth_complete_callback)( 4827 p_dev_rec->bd_addr, p_dev_rec->dev_class, p_dev_rec->sec_bd_name, 4828 HCI_ERR_CONNECTION_TOUT); 4829 } 4830 break; 4831 4832 default: 4833 BTM_TRACE_WARNING("%s not processed state: %s", __func__, 4834 btm_pair_state_descr(btm_cb.pairing_state)); 4835 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE); 4836 break; 4837 } 4838 } 4839 4840 /******************************************************************************* 4841 * 4842 * Function btm_sec_pin_code_request 4843 * 4844 * Description This function is called when controller requests PIN code 4845 * 4846 * Returns Pointer to the record or NULL 4847 * 4848 ******************************************************************************/ 4849 void btm_sec_pin_code_request(const RawAddress& p_bda) { 4850 tBTM_SEC_DEV_REC* p_dev_rec; 4851 tBTM_CB* p_cb = &btm_cb; 4852 4853 VLOG(2) << __func__ << " BDA: " << p_bda 4854 << " state: " << btm_pair_state_descr(btm_cb.pairing_state); 4855 4856 if (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) { 4857 if ((p_bda == btm_cb.pairing_bda) && 4858 (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_AUTH_COMPLETE)) { 4859 btsnd_hcic_pin_code_neg_reply(p_bda); 4860 return; 4861 } else if ((btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_PIN_REQ) || 4862 p_bda != btm_cb.pairing_bda) { 4863 BTM_TRACE_WARNING("btm_sec_pin_code_request() rejected - state: %s", 4864 btm_pair_state_descr(btm_cb.pairing_state)); 4865 btsnd_hcic_pin_code_neg_reply(p_bda); 4866 return; 4867 } 4868 } 4869 4870 p_dev_rec = btm_find_or_alloc_dev(p_bda); 4871 /* received PIN code request. must be non-sm4 */ 4872 p_dev_rec->sm4 = BTM_SM4_KNOWN; 4873 4874 if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE) { 4875 btm_cb.pairing_bda = p_bda; 4876 4877 btm_cb.pairing_flags = BTM_PAIR_FLAGS_PEER_STARTED_DD; 4878 /* Make sure we reset the trusted mask to help against attacks */ 4879 BTM_SEC_CLR_TRUSTED_DEVICE(p_dev_rec->trusted_mask); 4880 } 4881 4882 if (!p_cb->pairing_disabled && (p_cb->cfg.pin_type == HCI_PIN_TYPE_FIXED)) { 4883 BTM_TRACE_EVENT("btm_sec_pin_code_request fixed pin replying"); 4884 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_AUTH_COMPLETE); 4885 btsnd_hcic_pin_code_req_reply(p_bda, p_cb->cfg.pin_code_len, 4886 p_cb->cfg.pin_code); 4887 return; 4888 } 4889 4890 /* Use the connecting device's CoD for the connection */ 4891 if ((p_bda == p_cb->connecting_bda) && 4892 (p_cb->connecting_dc[0] || p_cb->connecting_dc[1] || 4893 p_cb->connecting_dc[2])) 4894 memcpy(p_dev_rec->dev_class, p_cb->connecting_dc, DEV_CLASS_LEN); 4895 4896 /* We could have started connection after asking user for the PIN code */ 4897 if (btm_cb.pin_code_len != 0) { 4898 BTM_TRACE_EVENT("btm_sec_pin_code_request bonding sending reply"); 4899 btsnd_hcic_pin_code_req_reply(p_bda, btm_cb.pin_code_len, p_cb->pin_code); 4900 4901 /* Mark that we forwarded received from the user PIN code */ 4902 btm_cb.pin_code_len = 0; 4903 4904 /* We can change mode back right away, that other connection being 4905 * established */ 4906 /* is not forced to be secure - found a FW issue, so we can not do this 4907 btm_restore_mode(); */ 4908 4909 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_AUTH_COMPLETE); 4910 } 4911 4912 /* If pairing disabled OR (no PIN callback and not bonding) */ 4913 /* OR we could not allocate entry in the database reject pairing request */ 4914 else if ( 4915 p_cb->pairing_disabled || 4916 (p_cb->api.p_pin_callback == NULL) 4917 4918 /* OR Microsoft keyboard can for some reason try to establish connection 4919 */ 4920 /* the only thing we can do here is to shut it up. Normally we will be 4921 originator */ 4922 /* for keyboard bonding */ 4923 || (!p_dev_rec->is_originator && 4924 ((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) == 4925 BTM_COD_MAJOR_PERIPHERAL) && 4926 (p_dev_rec->dev_class[2] & BTM_COD_MINOR_KEYBOARD))) { 4927 BTM_TRACE_WARNING( 4928 "btm_sec_pin_code_request(): Pairing disabled:%d; PIN callback:%x, Dev " 4929 "Rec:%x!", 4930 p_cb->pairing_disabled, p_cb->api.p_pin_callback, p_dev_rec); 4931 4932 btsnd_hcic_pin_code_neg_reply(p_bda); 4933 } 4934 /* Notify upper layer of PIN request and start expiration timer */ 4935 else { 4936 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_LOCAL_PIN); 4937 /* Pin code request can not come at the same time as connection request */ 4938 p_cb->connecting_bda = p_bda; 4939 memcpy(p_cb->connecting_dc, p_dev_rec->dev_class, DEV_CLASS_LEN); 4940 4941 /* Check if the name is known */ 4942 /* Even if name is not known we might not be able to get one */ 4943 /* this is the case when we are already getting something from the */ 4944 /* device, so HCI level is flow controlled */ 4945 /* Also cannot send remote name request while paging, i.e. connection is not 4946 * completed */ 4947 if (p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN) { 4948 BTM_TRACE_EVENT("btm_sec_pin_code_request going for callback"); 4949 4950 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD; 4951 if (p_cb->api.p_pin_callback) { 4952 (*p_cb->api.p_pin_callback)( 4953 p_bda, p_dev_rec->dev_class, p_dev_rec->sec_bd_name, 4954 (p_dev_rec->p_cur_service == NULL) 4955 ? false 4956 : (p_dev_rec->p_cur_service->security_flags & 4957 BTM_SEC_IN_MIN_16_DIGIT_PIN)); 4958 } 4959 } else { 4960 BTM_TRACE_EVENT("btm_sec_pin_code_request going for remote name"); 4961 4962 /* We received PIN code request for the device with unknown name */ 4963 /* it is not user friendly just to ask for the PIN without name */ 4964 /* try to get name at first */ 4965 btsnd_hcic_rmt_name_req(p_dev_rec->bd_addr, HCI_PAGE_SCAN_REP_MODE_R1, 4966 HCI_MANDATARY_PAGE_SCAN_MODE, 0); 4967 } 4968 } 4969 4970 return; 4971 } 4972 4973 /******************************************************************************* 4974 * 4975 * Function btm_sec_update_clock_offset 4976 * 4977 * Description This function is called to update clock offset 4978 * 4979 * Returns void 4980 * 4981 ******************************************************************************/ 4982 void btm_sec_update_clock_offset(uint16_t handle, uint16_t clock_offset) { 4983 tBTM_SEC_DEV_REC* p_dev_rec; 4984 tBTM_INQ_INFO* p_inq_info; 4985 4986 p_dev_rec = btm_find_dev_by_handle(handle); 4987 if (p_dev_rec == NULL) return; 4988 4989 p_dev_rec->clock_offset = clock_offset | BTM_CLOCK_OFFSET_VALID; 4990 4991 p_inq_info = BTM_InqDbRead(p_dev_rec->bd_addr); 4992 if (p_inq_info == NULL) return; 4993 4994 p_inq_info->results.clock_offset = clock_offset | BTM_CLOCK_OFFSET_VALID; 4995 } 4996 4997 /****************************************************************** 4998 * S T A T I C F U N C T I O N S 4999 ******************************************************************/ 5000 5001 /******************************************************************************* 5002 * 5003 * Function btm_sec_execute_procedure 5004 * 5005 * Description This function is called to start required security 5006 * procedure. There is a case when multiplexing protocol 5007 * calls this function on the originating side, connection to 5008 * the peer will not be established. This function in this 5009 * case performs only authorization. 5010 * 5011 * Returns BTM_SUCCESS - permission is granted 5012 * BTM_CMD_STARTED - in process 5013 * BTM_NO_RESOURCES - permission declined 5014 * 5015 ******************************************************************************/ 5016 tBTM_STATUS btm_sec_execute_procedure(tBTM_SEC_DEV_REC* p_dev_rec) { 5017 BTM_TRACE_EVENT( 5018 "btm_sec_execute_procedure: Required:0x%x Flags:0x%x State:%d", 5019 p_dev_rec->security_required, p_dev_rec->sec_flags, p_dev_rec->sec_state); 5020 5021 /* There is a chance that we are getting name. Wait until done. */ 5022 if (p_dev_rec->sec_state != 0) return (BTM_CMD_STARTED); 5023 5024 /* If any security is required, get the name first */ 5025 if (!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN) && 5026 (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)) { 5027 BTM_TRACE_EVENT("Security Manager: Start get name"); 5028 if (!btm_sec_start_get_name(p_dev_rec)) { 5029 return (BTM_NO_RESOURCES); 5030 } 5031 return (BTM_CMD_STARTED); 5032 } 5033 5034 /* If connection is not authenticated and authentication is required */ 5035 /* start authentication and return PENDING to the caller */ 5036 if ((((!(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)) && 5037 ((p_dev_rec->is_originator && 5038 (p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE)) || 5039 (!p_dev_rec->is_originator && 5040 (p_dev_rec->security_required & BTM_SEC_IN_AUTHENTICATE)))) || 5041 (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED) && 5042 (!p_dev_rec->is_originator && 5043 (p_dev_rec->security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN)))) && 5044 (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)) { 5045 /* 5046 * We rely on BTM_SEC_16_DIGIT_PIN_AUTHED being set if MITM is in use, 5047 * as 16 DIGIT is only needed if MITM is not used. Unfortunately, the 5048 * BTM_SEC_AUTHENTICATED is used for both MITM and non-MITM 5049 * authenticated connections, hence we cannot distinguish here. 5050 */ 5051 5052 BTM_TRACE_EVENT("Security Manager: Start authentication"); 5053 5054 /* 5055 * If we do have a link-key, but we end up here because we need an 5056 * upgrade, then clear the link-key known and authenticated flag before 5057 * restarting authentication. 5058 * WARNING: If the controller has link-key, it is optional and 5059 * recommended for the controller to send a Link_Key_Request. 5060 * In case we need an upgrade, the only alternative would be to delete 5061 * the existing link-key. That could lead to very bad user experience 5062 * or even IOP issues, if a reconnect causes a new connection that 5063 * requires an upgrade. 5064 */ 5065 if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) && 5066 (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED) && 5067 (!p_dev_rec->is_originator && 5068 (p_dev_rec->security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN)))) { 5069 p_dev_rec->sec_flags &= 5070 ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED | 5071 BTM_SEC_AUTHENTICATED); 5072 } 5073 5074 btm_sec_start_authentication(p_dev_rec); 5075 return (BTM_CMD_STARTED); 5076 } 5077 5078 /* If connection is not encrypted and encryption is required */ 5079 /* start encryption and return PENDING to the caller */ 5080 if (!(p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED) && 5081 ((p_dev_rec->is_originator && 5082 (p_dev_rec->security_required & BTM_SEC_OUT_ENCRYPT)) || 5083 (!p_dev_rec->is_originator && 5084 (p_dev_rec->security_required & BTM_SEC_IN_ENCRYPT))) && 5085 (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)) { 5086 5087 BTM_TRACE_EVENT("Security Manager: Start encryption"); 5088 5089 btm_sec_start_encryption(p_dev_rec); 5090 return (BTM_CMD_STARTED); 5091 } 5092 5093 if ((p_dev_rec->security_required & BTM_SEC_MODE4_LEVEL4) && 5094 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256)) { 5095 BTM_TRACE_EVENT( 5096 "%s: Security Manager: SC only service, but link key type is 0x%02x -", 5097 "security failure", __func__, p_dev_rec->link_key_type); 5098 return (BTM_FAILED_ON_SECURITY); 5099 } 5100 5101 /* If connection is not authorized and authorization is required */ 5102 /* start authorization and return PENDING to the caller */ 5103 if (!(p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED) && 5104 ((p_dev_rec->is_originator && 5105 (p_dev_rec->security_required & BTM_SEC_OUT_AUTHORIZE)) || 5106 (!p_dev_rec->is_originator && 5107 (p_dev_rec->security_required & BTM_SEC_IN_AUTHORIZE)))) { 5108 BTM_TRACE_EVENT( 5109 "service id:%d, is trusted:%d", p_dev_rec->p_cur_service->service_id, 5110 (BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask, 5111 p_dev_rec->p_cur_service->service_id))); 5112 if ((!btm_sec_are_all_trusted(p_dev_rec->trusted_mask)) && 5113 (p_dev_rec->p_cur_service->service_id < BTM_SEC_MAX_SERVICES) && 5114 (!BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask, 5115 p_dev_rec->p_cur_service->service_id))) { 5116 BTM_TRACE_EVENT("Security Manager: Start authorization"); 5117 return (btm_sec_start_authorization(p_dev_rec)); 5118 } 5119 } 5120 5121 /* All required security procedures already established */ 5122 p_dev_rec->security_required &= 5123 ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_IN_AUTHORIZE | 5124 BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_IN_AUTHENTICATE | 5125 BTM_SEC_OUT_ENCRYPT | BTM_SEC_IN_ENCRYPT | BTM_SEC_FORCE_MASTER | 5126 BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE); 5127 5128 BTM_TRACE_EVENT("Security Manager: trusted:0x%04x%04x", 5129 p_dev_rec->trusted_mask[1], p_dev_rec->trusted_mask[0]); 5130 BTM_TRACE_EVENT("Security Manager: access granted"); 5131 5132 return (BTM_SUCCESS); 5133 } 5134 5135 /******************************************************************************* 5136 * 5137 * Function btm_sec_start_get_name 5138 * 5139 * Description This function is called to start get name procedure 5140 * 5141 * Returns true if started 5142 * 5143 ******************************************************************************/ 5144 static bool btm_sec_start_get_name(tBTM_SEC_DEV_REC* p_dev_rec) { 5145 uint8_t tempstate = p_dev_rec->sec_state; 5146 5147 p_dev_rec->sec_state = BTM_SEC_STATE_GETTING_NAME; 5148 5149 /* 0 and NULL are as timeout and callback params because they are not used in 5150 * security get name case */ 5151 if ((btm_initiate_rem_name(p_dev_rec->bd_addr, BTM_RMT_NAME_SEC, 0, NULL)) != 5152 BTM_CMD_STARTED) { 5153 p_dev_rec->sec_state = tempstate; 5154 return (false); 5155 } 5156 5157 return (true); 5158 } 5159 5160 /******************************************************************************* 5161 * 5162 * Function btm_sec_start_authentication 5163 * 5164 * Description This function is called to start authentication 5165 * 5166 ******************************************************************************/ 5167 static void btm_sec_start_authentication(tBTM_SEC_DEV_REC* p_dev_rec) { 5168 p_dev_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING; 5169 btsnd_hcic_auth_request(p_dev_rec->hci_handle); 5170 } 5171 5172 /******************************************************************************* 5173 * 5174 * Function btm_sec_start_encryption 5175 * 5176 * Description This function is called to start encryption 5177 * 5178 ******************************************************************************/ 5179 static void btm_sec_start_encryption(tBTM_SEC_DEV_REC* p_dev_rec) { 5180 btsnd_hcic_set_conn_encrypt(p_dev_rec->hci_handle, true); 5181 p_dev_rec->sec_state = BTM_SEC_STATE_ENCRYPTING; 5182 } 5183 5184 /******************************************************************************* 5185 * 5186 * Function btm_sec_start_authorization 5187 * 5188 * Description This function is called to start authorization 5189 * 5190 * Returns true if started 5191 * 5192 ******************************************************************************/ 5193 static uint8_t btm_sec_start_authorization(tBTM_SEC_DEV_REC* p_dev_rec) { 5194 uint8_t result; 5195 uint8_t* p_service_name = NULL; 5196 uint8_t service_id; 5197 5198 if ((p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN) || 5199 (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE)) { 5200 if (!btm_cb.api.p_authorize_callback) return (BTM_MODE_UNSUPPORTED); 5201 5202 if (p_dev_rec->p_cur_service) { 5203 #if BTM_SEC_SERVICE_NAME_LEN > 0 5204 if (p_dev_rec->is_originator) 5205 p_service_name = p_dev_rec->p_cur_service->orig_service_name; 5206 else 5207 p_service_name = p_dev_rec->p_cur_service->term_service_name; 5208 #endif 5209 service_id = p_dev_rec->p_cur_service->service_id; 5210 } else 5211 service_id = 0; 5212 5213 /* Send authorization request if not already sent during this service 5214 * connection */ 5215 if (p_dev_rec->last_author_service_id == BTM_SEC_NO_LAST_SERVICE_ID || 5216 p_dev_rec->last_author_service_id != service_id) { 5217 p_dev_rec->sec_state = BTM_SEC_STATE_AUTHORIZING; 5218 result = (*btm_cb.api.p_authorize_callback)( 5219 p_dev_rec->bd_addr, p_dev_rec->dev_class, p_dev_rec->sec_bd_name, 5220 p_service_name, service_id, p_dev_rec->is_originator); 5221 } 5222 5223 else /* Already authorized once for this L2CAP bringup */ 5224 { 5225 BTM_TRACE_DEBUG( 5226 "btm_sec_start_authorization: (Ignoring extra Authorization prompt " 5227 "for service %d)", 5228 service_id); 5229 return (BTM_SUCCESS); 5230 } 5231 5232 if (result == BTM_SUCCESS) { 5233 p_dev_rec->sec_flags |= BTM_SEC_AUTHORIZED; 5234 5235 /* Save the currently authorized service in case we are asked again by 5236 * another multiplexer layer */ 5237 if (!p_dev_rec->is_originator) 5238 p_dev_rec->last_author_service_id = service_id; 5239 5240 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE; 5241 } 5242 return (result); 5243 } 5244 btm_sec_start_get_name(p_dev_rec); 5245 return (BTM_CMD_STARTED); 5246 } 5247 5248 /******************************************************************************* 5249 * 5250 * Function btm_sec_are_all_trusted 5251 * 5252 * Description This function is called check if all services are trusted 5253 * 5254 * Returns true if all are trusted, otherwise false 5255 * 5256 ******************************************************************************/ 5257 bool btm_sec_are_all_trusted(uint32_t p_mask[]) { 5258 uint32_t trusted_inx; 5259 for (trusted_inx = 0; trusted_inx < BTM_SEC_SERVICE_ARRAY_SIZE; 5260 trusted_inx++) { 5261 if (p_mask[trusted_inx] != BTM_SEC_TRUST_ALL) return (false); 5262 } 5263 5264 return (true); 5265 } 5266 5267 /******************************************************************************* 5268 * 5269 * Function btm_sec_find_first_serv 5270 * 5271 * Description Look for the first record in the service database 5272 * with specified PSM 5273 * 5274 * Returns Pointer to the record or NULL 5275 * 5276 ******************************************************************************/ 5277 tBTM_SEC_SERV_REC* btm_sec_find_first_serv(CONNECTION_TYPE conn_type, 5278 uint16_t psm) { 5279 tBTM_SEC_SERV_REC* p_serv_rec = &btm_cb.sec_serv_rec[0]; 5280 int i; 5281 bool is_originator = conn_type; 5282 5283 if (is_originator && btm_cb.p_out_serv && btm_cb.p_out_serv->psm == psm) { 5284 /* If this is outgoing connection and the PSM matches p_out_serv, 5285 * use it as the current service */ 5286 return btm_cb.p_out_serv; 5287 } 5288 5289 /* otherwise, just find the first record with the specified PSM */ 5290 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++) { 5291 if ((p_serv_rec->security_flags & BTM_SEC_IN_USE) && 5292 (p_serv_rec->psm == psm)) 5293 return (p_serv_rec); 5294 } 5295 return (NULL); 5296 } 5297 5298 /******************************************************************************* 5299 * 5300 * Function btm_sec_find_next_serv 5301 * 5302 * Description Look for the next record in the service database 5303 * with specified PSM 5304 * 5305 * Returns Pointer to the record or NULL 5306 * 5307 ******************************************************************************/ 5308 static tBTM_SEC_SERV_REC* btm_sec_find_next_serv(tBTM_SEC_SERV_REC* p_cur) { 5309 tBTM_SEC_SERV_REC* p_serv_rec = &btm_cb.sec_serv_rec[0]; 5310 int i; 5311 5312 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++) { 5313 if ((p_serv_rec->security_flags & BTM_SEC_IN_USE) && 5314 (p_serv_rec->psm == p_cur->psm)) { 5315 if (p_cur != p_serv_rec) { 5316 return (p_serv_rec); 5317 } 5318 } 5319 } 5320 return (NULL); 5321 } 5322 5323 /******************************************************************************* 5324 * 5325 * Function btm_sec_find_mx_serv 5326 * 5327 * Description Look for the record in the service database with specified 5328 * PSM and multiplexor channel information 5329 * 5330 * Returns Pointer to the record or NULL 5331 * 5332 ******************************************************************************/ 5333 static tBTM_SEC_SERV_REC* btm_sec_find_mx_serv(uint8_t is_originator, 5334 uint16_t psm, 5335 uint32_t mx_proto_id, 5336 uint32_t mx_chan_id) { 5337 tBTM_SEC_SERV_REC* p_out_serv = btm_cb.p_out_serv; 5338 tBTM_SEC_SERV_REC* p_serv_rec = &btm_cb.sec_serv_rec[0]; 5339 int i; 5340 5341 BTM_TRACE_DEBUG("%s()", __func__); 5342 if (is_originator && p_out_serv && p_out_serv->psm == psm && 5343 p_out_serv->mx_proto_id == mx_proto_id && 5344 p_out_serv->orig_mx_chan_id == mx_chan_id) { 5345 /* If this is outgoing connection and the parameters match p_out_serv, 5346 * use it as the current service */ 5347 return btm_cb.p_out_serv; 5348 } 5349 5350 /* otherwise, the old way */ 5351 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++) { 5352 if ((p_serv_rec->security_flags & BTM_SEC_IN_USE) && 5353 (p_serv_rec->psm == psm) && (p_serv_rec->mx_proto_id == mx_proto_id) && 5354 ((is_originator && (p_serv_rec->orig_mx_chan_id == mx_chan_id)) || 5355 (!is_originator && (p_serv_rec->term_mx_chan_id == mx_chan_id)))) { 5356 return (p_serv_rec); 5357 } 5358 } 5359 return (NULL); 5360 } 5361 5362 /******************************************************************************* 5363 * 5364 * Function btm_sec_collision_timeout 5365 * 5366 * Description Encryption could not start because of the collision 5367 * try to do it again 5368 * 5369 * Returns Pointer to the TLE struct 5370 * 5371 ******************************************************************************/ 5372 static void btm_sec_collision_timeout(UNUSED_ATTR void* data) { 5373 BTM_TRACE_EVENT("%s()", __func__); 5374 5375 tBTM_STATUS status = btm_sec_execute_procedure(btm_cb.p_collided_dev_rec); 5376 5377 /* If result is pending reply from the user or from the device is pending */ 5378 if (status != BTM_CMD_STARTED) { 5379 /* There is no next procedure or start of procedure failed, notify the 5380 * waiting layer */ 5381 btm_sec_dev_rec_cback_event(btm_cb.p_collided_dev_rec, status, false); 5382 } 5383 } 5384 5385 /******************************************************************************* 5386 * 5387 * Function btm_send_link_key_notif 5388 * 5389 * Description Call the link key callback. 5390 * 5391 * Returns void 5392 * 5393 ******************************************************************************/ 5394 static void btm_send_link_key_notif(tBTM_SEC_DEV_REC* p_dev_rec) { 5395 if (btm_cb.api.p_link_key_callback) 5396 (*btm_cb.api.p_link_key_callback)( 5397 p_dev_rec->bd_addr, p_dev_rec->dev_class, p_dev_rec->sec_bd_name, 5398 p_dev_rec->link_key, p_dev_rec->link_key_type); 5399 } 5400 5401 /******************************************************************************* 5402 * 5403 * Function BTM_ReadTrustedMask 5404 * 5405 * Description Get trusted mask for the peer device 5406 * 5407 * Parameters: bd_addr - Address of the device 5408 * 5409 * Returns NULL, if the device record is not found. 5410 * otherwise, the trusted mask 5411 * 5412 ******************************************************************************/ 5413 uint32_t* BTM_ReadTrustedMask(const RawAddress& bd_addr) { 5414 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr); 5415 if (p_dev_rec != NULL) return (p_dev_rec->trusted_mask); 5416 return NULL; 5417 } 5418 5419 /******************************************************************************* 5420 * 5421 * Function btm_restore_mode 5422 * 5423 * Description This function returns the security mode to previous setting 5424 * if it was changed during bonding. 5425 * 5426 * 5427 * Parameters: void 5428 * 5429 ******************************************************************************/ 5430 static void btm_restore_mode(void) { 5431 if (btm_cb.security_mode_changed) { 5432 btm_cb.security_mode_changed = false; 5433 BTM_TRACE_DEBUG("%s() Auth enable -> %d", __func__, 5434 (btm_cb.security_mode == BTM_SEC_MODE_LINK)); 5435 btsnd_hcic_write_auth_enable( 5436 (uint8_t)(btm_cb.security_mode == BTM_SEC_MODE_LINK)); 5437 } 5438 5439 if (btm_cb.pin_type_changed) { 5440 btm_cb.pin_type_changed = false; 5441 btsnd_hcic_write_pin_type(btm_cb.cfg.pin_type); 5442 } 5443 } 5444 5445 bool is_sec_state_equal(void* data, void* context) { 5446 tBTM_SEC_DEV_REC* p_dev_rec = static_cast<tBTM_SEC_DEV_REC*>(data); 5447 uint8_t* state = static_cast<uint8_t*>(context); 5448 5449 if (p_dev_rec->sec_state == *state) return false; 5450 5451 return true; 5452 } 5453 5454 /******************************************************************************* 5455 * 5456 * Function btm_sec_find_dev_by_sec_state 5457 * 5458 * Description Look for the record in the device database for the device 5459 * which is being authenticated or encrypted 5460 * 5461 * Returns Pointer to the record or NULL 5462 * 5463 ******************************************************************************/ 5464 tBTM_SEC_DEV_REC* btm_sec_find_dev_by_sec_state(uint8_t state) { 5465 list_node_t* n = list_foreach(btm_cb.sec_dev_rec, is_sec_state_equal, &state); 5466 if (n) return static_cast<tBTM_SEC_DEV_REC*>(list_node(n)); 5467 5468 return NULL; 5469 } 5470 5471 /******************************************************************************* 5472 * 5473 * Function btm_sec_change_pairing_state 5474 * 5475 * Description This function is called to change pairing state 5476 * 5477 ******************************************************************************/ 5478 static void btm_sec_change_pairing_state(tBTM_PAIRING_STATE new_state) { 5479 tBTM_PAIRING_STATE old_state = btm_cb.pairing_state; 5480 5481 BTM_TRACE_EVENT("%s() Old: %s", __func__, 5482 btm_pair_state_descr(btm_cb.pairing_state)); 5483 BTM_TRACE_EVENT("%s() New: %s pairing_flags:0x%x", __func__, 5484 btm_pair_state_descr(new_state), btm_cb.pairing_flags); 5485 5486 btm_cb.pairing_state = new_state; 5487 5488 if (new_state == BTM_PAIR_STATE_IDLE) { 5489 alarm_cancel(btm_cb.pairing_timer); 5490 5491 btm_cb.pairing_flags = 0; 5492 btm_cb.pin_code_len = 0; 5493 5494 /* Make sure the the lcb shows we are not bonding */ 5495 l2cu_update_lcb_4_bonding(btm_cb.pairing_bda, false); 5496 5497 btm_restore_mode(); 5498 btm_sec_check_pending_reqs(); 5499 btm_inq_clear_ssp(); 5500 5501 btm_cb.pairing_bda = RawAddress::kAny; 5502 } else { 5503 /* If transitioning out of idle, mark the lcb as bonding */ 5504 if (old_state == BTM_PAIR_STATE_IDLE) 5505 l2cu_update_lcb_4_bonding(btm_cb.pairing_bda, true); 5506 5507 alarm_set_on_mloop(btm_cb.pairing_timer, BTM_SEC_TIMEOUT_VALUE * 1000, 5508 btm_sec_pairing_timeout, NULL); 5509 } 5510 } 5511 5512 /******************************************************************************* 5513 * 5514 * Function btm_pair_state_descr 5515 * 5516 * Description Return state description for tracing 5517 * 5518 ******************************************************************************/ 5519 static const char* btm_pair_state_descr(tBTM_PAIRING_STATE state) { 5520 switch (state) { 5521 case BTM_PAIR_STATE_IDLE: 5522 return ("IDLE"); 5523 case BTM_PAIR_STATE_GET_REM_NAME: 5524 return ("GET_REM_NAME"); 5525 case BTM_PAIR_STATE_WAIT_PIN_REQ: 5526 return ("WAIT_PIN_REQ"); 5527 case BTM_PAIR_STATE_WAIT_LOCAL_PIN: 5528 return ("WAIT_LOCAL_PIN"); 5529 case BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM: 5530 return ("WAIT_NUM_CONFIRM"); 5531 case BTM_PAIR_STATE_KEY_ENTRY: 5532 return ("KEY_ENTRY"); 5533 case BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP: 5534 return ("WAIT_LOCAL_OOB_RSP"); 5535 case BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS: 5536 return ("WAIT_LOCAL_IOCAPS"); 5537 case BTM_PAIR_STATE_INCOMING_SSP: 5538 return ("INCOMING_SSP"); 5539 case BTM_PAIR_STATE_WAIT_AUTH_COMPLETE: 5540 return ("WAIT_AUTH_COMPLETE"); 5541 case BTM_PAIR_STATE_WAIT_DISCONNECT: 5542 return ("WAIT_DISCONNECT"); 5543 } 5544 5545 return ("???"); 5546 } 5547 5548 /******************************************************************************* 5549 * 5550 * Function btm_sec_dev_rec_cback_event 5551 * 5552 * Description This function calls the callback function with the given 5553 * result and clear the callback function. 5554 * 5555 * Parameters: void 5556 * 5557 ******************************************************************************/ 5558 void btm_sec_dev_rec_cback_event(tBTM_SEC_DEV_REC* p_dev_rec, uint8_t res, 5559 bool is_le_transport) { 5560 tBTM_SEC_CALLBACK* p_callback = p_dev_rec->p_callback; 5561 5562 BTM_TRACE_DEBUG("%s: p_callback=%p, is_le_transport=%d, res=%d, p_dev_rec=%p", 5563 __func__, p_dev_rec->p_callback, is_le_transport, res, 5564 p_dev_rec); 5565 5566 if (p_dev_rec->p_callback) { 5567 p_dev_rec->p_callback = NULL; 5568 5569 if (is_le_transport) 5570 (*p_callback)(&p_dev_rec->ble.pseudo_addr, BT_TRANSPORT_LE, 5571 p_dev_rec->p_ref_data, res); 5572 else 5573 (*p_callback)(&p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR, 5574 p_dev_rec->p_ref_data, res); 5575 } 5576 5577 btm_sec_check_pending_reqs(); 5578 } 5579 5580 /******************************************************************************* 5581 * 5582 * Function btm_sec_queue_mx_request 5583 * 5584 * Description Return state description for tracing 5585 * 5586 ******************************************************************************/ 5587 static bool btm_sec_queue_mx_request(const RawAddress& bd_addr, uint16_t psm, 5588 bool is_orig, uint32_t mx_proto_id, 5589 uint32_t mx_chan_id, 5590 tBTM_SEC_CALLBACK* p_callback, 5591 void* p_ref_data) { 5592 tBTM_SEC_QUEUE_ENTRY* p_e = 5593 (tBTM_SEC_QUEUE_ENTRY*)osi_malloc(sizeof(tBTM_SEC_QUEUE_ENTRY)); 5594 5595 p_e->psm = psm; 5596 p_e->is_orig = is_orig; 5597 p_e->p_callback = p_callback; 5598 p_e->p_ref_data = p_ref_data; 5599 p_e->mx_proto_id = mx_proto_id; 5600 p_e->mx_chan_id = mx_chan_id; 5601 p_e->transport = BT_TRANSPORT_BR_EDR; 5602 p_e->sec_act = 0; 5603 p_e->bd_addr = bd_addr; 5604 5605 BTM_TRACE_EVENT( 5606 "%s() PSM: 0x%04x Is_Orig: %u mx_proto_id: %u mx_chan_id: %u", 5607 __func__, psm, is_orig, mx_proto_id, mx_chan_id); 5608 5609 fixed_queue_enqueue(btm_cb.sec_pending_q, p_e); 5610 5611 return true; 5612 } 5613 5614 static bool btm_sec_check_prefetch_pin(tBTM_SEC_DEV_REC* p_dev_rec) { 5615 uint8_t major = (uint8_t)(p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK); 5616 uint8_t minor = (uint8_t)(p_dev_rec->dev_class[2] & BTM_COD_MINOR_CLASS_MASK); 5617 bool rv = false; 5618 5619 if ((major == BTM_COD_MAJOR_AUDIO) && 5620 ((minor == BTM_COD_MINOR_CONFM_HANDSFREE) || 5621 (minor == BTM_COD_MINOR_CAR_AUDIO))) { 5622 BTM_TRACE_EVENT( 5623 "%s() Skipping pre-fetch PIN for carkit COD Major: 0x%02x Minor: " 5624 "0x%02x", 5625 __func__, major, minor); 5626 5627 if (!btm_cb.security_mode_changed) { 5628 btm_cb.security_mode_changed = true; 5629 #ifdef APPL_AUTH_WRITE_EXCEPTION 5630 if (!(APPL_AUTH_WRITE_EXCEPTION)(p_dev_rec->bd_addr)) 5631 #endif 5632 btsnd_hcic_write_auth_enable(true); 5633 } 5634 } else { 5635 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_LOCAL_PIN); 5636 5637 /* If we got a PIN, use that, else try to get one */ 5638 if (btm_cb.pin_code_len) { 5639 BTM_PINCodeReply(p_dev_rec->bd_addr, BTM_SUCCESS, btm_cb.pin_code_len, 5640 btm_cb.pin_code, p_dev_rec->trusted_mask); 5641 } else { 5642 /* pin was not supplied - pre-fetch pin code now */ 5643 if (btm_cb.api.p_pin_callback && 5644 ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PIN_REQD) == 0)) { 5645 BTM_TRACE_DEBUG("%s() PIN code callback called", __func__); 5646 if (btm_bda_to_acl(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR) == NULL) 5647 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD; 5648 (btm_cb.api.p_pin_callback)( 5649 p_dev_rec->bd_addr, p_dev_rec->dev_class, p_dev_rec->sec_bd_name, 5650 (p_dev_rec->p_cur_service == NULL) 5651 ? false 5652 : (p_dev_rec->p_cur_service->security_flags & 5653 BTM_SEC_IN_MIN_16_DIGIT_PIN)); 5654 } 5655 } 5656 5657 rv = true; 5658 } 5659 5660 return rv; 5661 } 5662 5663 /******************************************************************************* 5664 * 5665 * Function btm_sec_auth_payload_tout 5666 * 5667 * Description Processes the HCI Autheniticated Payload Timeout Event 5668 * indicating that a packet containing a valid MIC on the 5669 * connection handle was not received within the programmed 5670 * timeout value. (Spec Default is 30 secs, but can be 5671 * changed via the BTM_SecSetAuthPayloadTimeout() function. 5672 * 5673 ******************************************************************************/ 5674 void btm_sec_auth_payload_tout(uint8_t* p, uint16_t hci_evt_len) { 5675 uint16_t handle; 5676 5677 STREAM_TO_UINT16(handle, p); 5678 handle = HCID_GET_HANDLE(handle); 5679 5680 /* Will be exposed to upper layers in the future if/when determined necessary 5681 */ 5682 BTM_TRACE_ERROR("%s on handle 0x%02x", __func__, handle); 5683 } 5684 5685 /******************************************************************************* 5686 * 5687 * Function btm_sec_queue_encrypt_request 5688 * 5689 * Description encqueue encryption request when device has active security 5690 * process pending. 5691 * 5692 ******************************************************************************/ 5693 static bool btm_sec_queue_encrypt_request(const RawAddress& bd_addr, 5694 tBT_TRANSPORT transport, 5695 tBTM_SEC_CALLBACK* p_callback, 5696 void* p_ref_data, 5697 tBTM_BLE_SEC_ACT sec_act) { 5698 tBTM_SEC_QUEUE_ENTRY* p_e = 5699 (tBTM_SEC_QUEUE_ENTRY*)osi_malloc(sizeof(tBTM_SEC_QUEUE_ENTRY) + 1); 5700 5701 p_e->psm = 0; /* if PSM 0, encryption request */ 5702 p_e->p_callback = p_callback; 5703 p_e->p_ref_data = p_ref_data; 5704 p_e->transport = transport; 5705 p_e->sec_act = sec_act; 5706 p_e->bd_addr = bd_addr; 5707 fixed_queue_enqueue(btm_cb.sec_pending_q, p_e); 5708 5709 return true; 5710 } 5711 5712 /******************************************************************************* 5713 * 5714 * Function btm_sec_set_peer_sec_caps 5715 * 5716 * Description This function is called to set sm4 and rmt_sec_caps fields 5717 * based on the available peer device features. 5718 * 5719 * Returns void 5720 * 5721 ******************************************************************************/ 5722 void btm_sec_set_peer_sec_caps(tACL_CONN* p_acl_cb, 5723 tBTM_SEC_DEV_REC* p_dev_rec) { 5724 if ((btm_cb.security_mode == BTM_SEC_MODE_SP || 5725 btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG || 5726 btm_cb.security_mode == BTM_SEC_MODE_SC) && 5727 HCI_SSP_HOST_SUPPORTED(p_acl_cb->peer_lmp_feature_pages[1])) { 5728 p_dev_rec->sm4 = BTM_SM4_TRUE; 5729 p_dev_rec->remote_supports_secure_connections = 5730 (HCI_SC_HOST_SUPPORTED(p_acl_cb->peer_lmp_feature_pages[1])); 5731 } else { 5732 p_dev_rec->sm4 = BTM_SM4_KNOWN; 5733 p_dev_rec->remote_supports_secure_connections = false; 5734 } 5735 5736 BTM_TRACE_API("%s: sm4: 0x%02x, rmt_support_for_secure_connections %d", 5737 __func__, p_dev_rec->sm4, 5738 p_dev_rec->remote_supports_secure_connections); 5739 5740 if (p_dev_rec->remote_features_needed) { 5741 BTM_TRACE_EVENT( 5742 "%s: Now device in SC Only mode, waiting for peer remote features!", 5743 __func__); 5744 btm_io_capabilities_req(p_dev_rec->bd_addr); 5745 p_dev_rec->remote_features_needed = false; 5746 } 5747 } 5748 5749 /******************************************************************************* 5750 * 5751 * Function btm_sec_is_serv_level0 5752 * 5753 * Description This function is called to check if the service 5754 * corresponding to PSM is security mode 4 level 0 service. 5755 * 5756 * Returns true if the service is security mode 4 level 0 service 5757 * 5758 ******************************************************************************/ 5759 static bool btm_sec_is_serv_level0(uint16_t psm) { 5760 if (psm == BT_PSM_SDP) { 5761 BTM_TRACE_DEBUG("%s: PSM: 0x%04x -> mode 4 level 0 service", __func__, psm); 5762 return true; 5763 } 5764 return false; 5765 } 5766 5767 /******************************************************************************* 5768 * 5769 * Function btm_sec_check_pending_enc_req 5770 * 5771 * Description This function is called to send pending encryption callback 5772 * if waiting 5773 * 5774 * Returns void 5775 * 5776 ******************************************************************************/ 5777 static void btm_sec_check_pending_enc_req(tBTM_SEC_DEV_REC* p_dev_rec, 5778 tBT_TRANSPORT transport, 5779 uint8_t encr_enable) { 5780 if (fixed_queue_is_empty(btm_cb.sec_pending_q)) return; 5781 5782 uint8_t res = encr_enable ? BTM_SUCCESS : BTM_ERR_PROCESSING; 5783 list_t* list = fixed_queue_get_list(btm_cb.sec_pending_q); 5784 for (const list_node_t* node = list_begin(list); node != list_end(list);) { 5785 tBTM_SEC_QUEUE_ENTRY* p_e = (tBTM_SEC_QUEUE_ENTRY*)list_node(node); 5786 node = list_next(node); 5787 5788 if (p_e->bd_addr == p_dev_rec->bd_addr && p_e->psm == 0 && 5789 p_e->transport == transport) { 5790 if (encr_enable == 0 || transport == BT_TRANSPORT_BR_EDR || 5791 p_e->sec_act == BTM_BLE_SEC_ENCRYPT || 5792 p_e->sec_act == BTM_BLE_SEC_ENCRYPT_NO_MITM || 5793 (p_e->sec_act == BTM_BLE_SEC_ENCRYPT_MITM && 5794 p_dev_rec->sec_flags & BTM_SEC_LE_AUTHENTICATED)) { 5795 if (p_e->p_callback) 5796 (*p_e->p_callback)(&p_dev_rec->bd_addr, transport, p_e->p_ref_data, 5797 res); 5798 fixed_queue_try_remove_from_queue(btm_cb.sec_pending_q, (void*)p_e); 5799 } 5800 } 5801 } 5802 } 5803 5804 /******************************************************************************* 5805 * 5806 * Function btm_sec_set_serv_level4_flags 5807 * 5808 * Description This function is called to set security mode 4 level 4 5809 * flags. 5810 * 5811 * Returns service security requirements updated to include secure 5812 * connections only mode. 5813 * 5814 ******************************************************************************/ 5815 static uint16_t btm_sec_set_serv_level4_flags(uint16_t cur_security, 5816 bool is_originator) { 5817 uint16_t sec_level4_flags = 5818 is_originator ? BTM_SEC_OUT_LEVEL4_FLAGS : BTM_SEC_IN_LEVEL4_FLAGS; 5819 5820 return cur_security | sec_level4_flags; 5821 } 5822 5823 /******************************************************************************* 5824 * 5825 * Function btm_sec_clear_ble_keys 5826 * 5827 * Description This function is called to clear out the BLE keys. 5828 * Typically when devices are removed in BTM_SecDeleteDevice, 5829 * or when a new BT Link key is generated. 5830 * 5831 * Returns void 5832 * 5833 ******************************************************************************/ 5834 void btm_sec_clear_ble_keys(tBTM_SEC_DEV_REC* p_dev_rec) { 5835 BTM_TRACE_DEBUG("%s() Clearing BLE Keys", __func__); 5836 p_dev_rec->ble.key_type = BTM_LE_KEY_NONE; 5837 memset(&p_dev_rec->ble.keys, 0, sizeof(tBTM_SEC_BLE_KEYS)); 5838 5839 #if (BLE_PRIVACY_SPT == TRUE) 5840 btm_ble_resolving_list_remove_dev(p_dev_rec); 5841 #endif 5842 } 5843 5844 /******************************************************************************* 5845 * 5846 * Function btm_sec_is_a_bonded_dev 5847 * 5848 * Description Is the specified device is a bonded device 5849 * 5850 * Returns true - dev is bonded 5851 * 5852 ******************************************************************************/ 5853 bool btm_sec_is_a_bonded_dev(const RawAddress& bda) { 5854 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bda); 5855 bool is_bonded = false; 5856 5857 if (p_dev_rec && ((p_dev_rec->ble.key_type && 5858 (p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_KNOWN)) || 5859 (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN))) { 5860 is_bonded = true; 5861 } 5862 BTM_TRACE_DEBUG("%s() is_bonded=%d", __func__, is_bonded); 5863 return (is_bonded); 5864 } 5865 5866 /******************************************************************************* 5867 * 5868 * Function btm_sec_is_le_capable_dev 5869 * 5870 * Description Is the specified device is dual mode or LE only device 5871 * 5872 * Returns true - dev is a dual mode 5873 * 5874 ******************************************************************************/ 5875 bool btm_sec_is_le_capable_dev(const RawAddress& bda) { 5876 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bda); 5877 bool le_capable = false; 5878 5879 if (p_dev_rec && 5880 (p_dev_rec->device_type & BT_DEVICE_TYPE_BLE) == BT_DEVICE_TYPE_BLE) 5881 le_capable = true; 5882 return le_capable; 5883 } 5884 5885 /******************************************************************************* 5886 * 5887 * Function btm_sec_use_smp_br_chnl 5888 * 5889 * Description The function checks if SMP BR connection can be used with 5890 * the peer. 5891 * Is called when authentication for dedicated bonding is 5892 * successfully completed. 5893 * 5894 * Returns true - if SMP BR connection can be used (the link key is 5895 * generated from P-256 and the peer supports Security 5896 * Manager over BR). 5897 * 5898 ******************************************************************************/ 5899 static bool btm_sec_use_smp_br_chnl(tBTM_SEC_DEV_REC* p_dev_rec) { 5900 uint32_t ext_feat; 5901 uint8_t chnl_mask[L2CAP_FIXED_CHNL_ARRAY_SIZE]; 5902 5903 BTM_TRACE_DEBUG("%s() link_key_type = 0x%x", __func__, 5904 p_dev_rec->link_key_type); 5905 5906 if ((p_dev_rec->link_key_type != BTM_LKEY_TYPE_UNAUTH_COMB_P_256) && 5907 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256)) 5908 return false; 5909 5910 if (!L2CA_GetPeerFeatures(p_dev_rec->bd_addr, &ext_feat, chnl_mask)) 5911 return false; 5912 5913 if (!(chnl_mask[0] & L2CAP_FIXED_CHNL_SMP_BR_BIT)) return false; 5914 5915 return true; 5916 } 5917 5918 /******************************************************************************* 5919 * 5920 * Function btm_sec_is_master 5921 * 5922 * Description The function checks if the device is BR/EDR master after 5923 * pairing is completed. 5924 * 5925 * Returns true - if the device is master. 5926 * 5927 ******************************************************************************/ 5928 static bool btm_sec_is_master(tBTM_SEC_DEV_REC* p_dev_rec) { 5929 tACL_CONN* p = btm_bda_to_acl(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR); 5930 return (p && (p->link_role == BTM_ROLE_MASTER)); 5931 } 5932
