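/******************************************************************************
 *
 *  Copyright 1999-2012 Broadcom Corporation
 *
 *  Licensed under the Apache License, Version 2.0 (the "License");
 *  you may not use this file except in compliance with the License.
 *  You may obtain a copy of the License at:
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS,
 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
 ******************************************************************************/

/******************************************************************************
 *
 *  This file contains functions for the Bluetooth Device Manager: the
 *  security device database (btm_cb.sec_dev_rec) that holds per-peer
 *  addresses, names, feature pages, trust masks and link keys.
 *
 *  Ownership note: records live in the btm_cb.sec_dev_rec list and are
 *  freed by list_remove(); a tBTM_SEC_DEV_REC* must not be touched after
 *  the record has been removed from the list.
 *
 ******************************************************************************/

#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include "bt_common.h"
#include "bt_types.h"
#include "btm_api.h"
#include "btm_int.h"
#include "btu.h"
#include "device/include/controller.h"
#include "hcidefs.h"
#include "hcimsgs.h"
#include "l2c_api.h"

/*******************************************************************************
 *
 * Function         BTM_SecAddDevice
 *
 * Description      Add/modify device. This function will be normally called
 *                  during host startup to restore all required information
 *                  stored in the NVRAM.
 *
 * Parameters:      bd_addr      - BD address of the peer
 *                  dev_class    - Device Class. NULL leaves the stored class
 *                                 untouched.
 *                  bd_name      - Name of the peer device. NULL if unknown.
 *                  features     - Remote device's features (up to 3 pages).
 *                                 NULL if not known. When non-NULL it must
 *                                 point to at least
 *                                 sizeof(p_dev_rec->feature_pages) bytes,
 *                                 because the whole array is copied.
 *                  trusted_mask - Bitwise OR of services that do not
 *                                 require authorization.
 *                                 (array of uint32_t)
 *                  link_key     - Connection link key. NULL if unknown.
 *                  key_type     - Link key type (BTM_LKEY_TYPE_*). Together
 *                                 with pin_length it decides whether the key
 *                                 is flagged as authenticated.
 *                  io_cap       - Remote IO capability.
 *                  pin_length   - Length of the PIN used to create link_key;
 *                                 16 or more marks the key as authenticated.
 *
 * Returns          true if added OK, else false (the current implementation
 *                  always returns true)
 *
 ******************************************************************************/
bool BTM_SecAddDevice(const RawAddress& bd_addr, DEV_CLASS dev_class,
                      BD_NAME bd_name, uint8_t* features,
                      uint32_t trusted_mask[], LINK_KEY link_key,
                      uint8_t key_type, tBTM_IO_CAP io_cap,
                      uint8_t pin_length) {
  BTM_TRACE_API("%s: link key type:%x", __func__, key_type);

  tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
  if (!p_dev_rec) {
    p_dev_rec = btm_sec_allocate_dev_rec();
    BTM_TRACE_API("%s: allocated p_dev_rec=%p, bd_addr=%s", __func__, p_dev_rec,
                  bd_addr.ToString().c_str());

    p_dev_rec->bd_addr = bd_addr;
    p_dev_rec->hci_handle = BTM_GetHCIConnHandle(bd_addr, BT_TRANSPORT_BR_EDR);

    /* update conn params, use default value for background connection params */
    memset(&p_dev_rec->conn_params, 0xff, sizeof(tBTM_LE_CONN_PRAMS));
  } else {
    /* "Bump" timestamp for existing record so it is not the first candidate
     * for eviction in btm_find_oldest_dev_rec() */
    p_dev_rec->timestamp = btm_cb.dev_rec_count++;

    /* TODO(eisenbach):
     * Small refactor, but leaving original logic for now.
     * On the surface, this does not make any sense at all. Why change the
     * bond state for an existing device here? This logic should be verified
     * as part of a larger refactor.
     */
    p_dev_rec->bond_type = BOND_TYPE_UNKNOWN;
  }

  if (dev_class) memcpy(p_dev_rec->dev_class, dev_class, DEV_CLASS_LEN);

  /* Clear any previous name; it is only re-populated when a non-empty name
   * is supplied below. */
  memset(p_dev_rec->sec_bd_name, 0, sizeof(tBTM_BD_NAME));

  if (bd_name && bd_name[0]) {
    p_dev_rec->sec_flags |= BTM_SEC_NAME_KNOWN;
    /* NOTE(review): the copy is bounded by BTM_MAX_REM_BD_NAME_LEN while the
     * destination was cleared with sizeof(tBTM_BD_NAME); confirm the two
     * agree. strlcpy NUL-terminates within the given bound. */
    strlcpy((char*)p_dev_rec->sec_bd_name, (char*)bd_name,
            BTM_MAX_REM_BD_NAME_LEN);
  }

  p_dev_rec->num_read_pages = 0;
  if (features) {
    memcpy(p_dev_rec->feature_pages, features,
           sizeof(p_dev_rec->feature_pages));
    /* num_read_pages = (index of the highest non-zero page) + 1. Scan from
     * the top page down so the first non-zero byte found is the answer. */
    bool found = false;
    for (int i = HCI_EXT_FEATURES_PAGE_MAX; !found && i >= 0; i--) {
      for (int j = 0; j < HCI_FEATURE_BYTES_PER_PAGE; j++) {
        if (p_dev_rec->feature_pages[i][j] != 0) {
          found = true;
          p_dev_rec->num_read_pages = i + 1;
          break;
        }
      }
    }
  } else {
    memset(p_dev_rec->feature_pages, 0, sizeof(p_dev_rec->feature_pages));
  }

  BTM_SEC_COPY_TRUSTED_DEVICE(trusted_mask, p_dev_rec->trusted_mask);

  if (link_key) {
    VLOG(2) << __func__ << ": BDA: " << bd_addr;
    p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_KNOWN;
    memcpy(p_dev_rec->link_key, link_key, LINK_KEY_LEN);
    p_dev_rec->link_key_type = key_type;
    p_dev_rec->pin_code_length = pin_length;

    /* The AUTHED flags are derived purely from what the caller reports about
     * the key (key type / PIN length); they are taken on trust from the
     * persisted store that is being restored. */
    if (pin_length >= 16 || key_type == BTM_LKEY_TYPE_AUTH_COMB ||
        key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) {
      // Set the flag if the link key was made by using either a 16 digit
      // pin or MITM.
      p_dev_rec->sec_flags |=
          BTM_SEC_16_DIGIT_PIN_AUTHED | BTM_SEC_LINK_KEY_AUTHED;
    }
  }

#if (BTIF_MIXED_MODE_INCLUDED == TRUE)
  /* Note: evaluated even when link_key is NULL, i.e. key_type is consulted
   * regardless of whether a key was actually stored. */
  if (key_type < BTM_MAX_PRE_SM4_LKEY_TYPE)
    p_dev_rec->sm4 = BTM_SM4_KNOWN;
  else
    p_dev_rec->sm4 = BTM_SM4_TRUE;
#endif

  p_dev_rec->rmt_io_caps = io_cap;
  p_dev_rec->device_type |= BT_DEVICE_TYPE_BREDR;

  return true;
}

/*******************************************************************************
 *
 * Function         BTM_SecDeleteDevice
 *
 * Description      Free resources associated with the device and ask the
 *                  controller to drop any link key it has stored for it.
 *
 * Parameters:      bd_addr - BD address of the peer
 *
 * Returns          true if removed OK (or no record existed), false if an
 *                  ACL link (LE or BR/EDR) to the peer is active
 *
 ******************************************************************************/
bool BTM_SecDeleteDevice(const RawAddress& bd_addr) {
  if (BTM_IsAclConnectionUp(bd_addr, BT_TRANSPORT_LE) ||
      BTM_IsAclConnectionUp(bd_addr, BT_TRANSPORT_BR_EDR)) {
    BTM_TRACE_WARNING("%s FAILED: Cannot Delete when connection is active",
                      __func__);
    return false;
  }

  tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
  if (p_dev_rec != NULL) {
    /* btm_sec_free_dev() removes the record from btm_cb.sec_dev_rec, and
     * list_remove() frees it (see btm_consolidate_dev). Copy the address out
     * first so the controller request below never reads freed memory. */
    RawAddress bda = p_dev_rec->bd_addr;
    btm_sec_free_dev(p_dev_rec);
    p_dev_rec = NULL; /* dangling after the remove; never reuse */

    /* Tell controller to get rid of the link key, if it has one stored */
    BTM_DeleteStoredLinkKey(&bda, NULL);
  }

  return true;
}

/*******************************************************************************
 *
 * Function         BTM_SecClearSecurityFlags
 *
 * Description      Reset the security flags (mark as not-paired) for a given
 *                  remote device. The record itself (address, name, keys)
 *                  is kept; only sec_flags, sec_state and sm4 are reset.
 *
 * Parameters:      bd_addr - BD address of the peer
 *
 * Returns          void (no-op if the device is not in the database)
 *
 ******************************************************************************/
extern void BTM_SecClearSecurityFlags(const RawAddress& bd_addr) {
  tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
  if (p_dev_rec == NULL) return;

  p_dev_rec->sec_flags = 0;
  p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
  p_dev_rec->sm4 = BTM_SM4_UNKNOWN;
}

/*******************************************************************************
 *
 * Function         BTM_SecReadDevName
 *
 * Description      Looks for the device name in the security database for the
 *                  specified BD address.
 *
 * Parameters:      bd_addr - BD address of the peer
 *
 * Returns          Pointer to the name or NULL. The pointer aliases the
 *                  record's sec_bd_name field and is only valid while the
 *                  record stays in the database (records are freed when
 *                  removed or evicted).
 *
 ******************************************************************************/
char* BTM_SecReadDevName(const RawAddress& bd_addr) {
  tBTM_SEC_DEV_REC* p_srec = btm_find_dev(bd_addr);
  if (p_srec == NULL) return NULL;

  return (char*)p_srec->sec_bd_name;
}

/*******************************************************************************
 *
 * Function         btm_sec_alloc_dev
 *
 * Description      Allocate a new record for bd_addr and seed it from the
 *                  inquiry database (or from the in-progress outgoing
 *                  connection) when details about the peer are known.
 *
 * Parameters:      bd_addr - BD address of the peer
 *
 * Returns          Pointer to the new record
 *
 ******************************************************************************/
tBTM_SEC_DEV_REC* btm_sec_alloc_dev(const RawAddress& bd_addr) {
  tBTM_SEC_DEV_REC* p_dev_rec = btm_sec_allocate_dev_rec();

  BTM_TRACE_EVENT("%s: allocated p_dev_rec=%p, bd_addr=%s", __func__, p_dev_rec,
                  bd_addr.ToString().c_str());

  /* Check with the BT manager if details about remote device are known */
  /* outgoing connection */
  tBTM_INQ_INFO* p_inq_info = BTM_InqDbRead(bd_addr);
  if (p_inq_info != NULL) {
    memcpy(p_dev_rec->dev_class, p_inq_info->results.dev_class, DEV_CLASS_LEN);

    p_dev_rec->device_type = p_inq_info->results.device_type;
    p_dev_rec->ble.ble_addr_type = p_inq_info->results.ble_addr_type;
  } else if (bd_addr == btm_cb.connecting_bda) {
    /* No inquiry entry, but this is the peer we are currently connecting to:
     * reuse the class of device captured for that attempt. */
    memcpy(p_dev_rec->dev_class, btm_cb.connecting_dc, DEV_CLASS_LEN);
  }

  /* update conn params, use default value for background connection params */
  memset(&p_dev_rec->conn_params, 0xff, sizeof(tBTM_LE_CONN_PRAMS));

  p_dev_rec->bd_addr = bd_addr;

  p_dev_rec->ble_hci_handle = BTM_GetHCIConnHandle(bd_addr, BT_TRANSPORT_LE);
  p_dev_rec->hci_handle = BTM_GetHCIConnHandle(bd_addr, BT_TRANSPORT_BR_EDR);

  return p_dev_rec;
}

/*******************************************************************************
 *
 * Function         btm_sec_free_dev
 *
 * Description      Clear the record's BLE keys and remove it from the
 *                  device database. list_remove() frees the record, so the
 *                  caller must not dereference p_dev_rec afterwards.
 *
 * Parameters:      p_dev_rec - record to release (must be in the list)
 *
 ******************************************************************************/
void btm_sec_free_dev(tBTM_SEC_DEV_REC* p_dev_rec) {
  /* Clear out any saved BLE keys */
  btm_sec_clear_ble_keys(p_dev_rec);
  /* NOTE(review): whether the BR/EDR link_key bytes are zeroized before the
   * record memory is released inside list_remove() is not visible here;
   * confirm if key material lingering in freed memory is a concern. */
  list_remove(btm_cb.sec_dev_rec, p_dev_rec);
}

/*******************************************************************************
 *
 * Function         btm_dev_support_switch
 *
 * Description      This function is called by the L2CAP to check if remote
 *                  device supports role switch
 *
 * Parameters:      bd_addr - Address of the peer device
 *
 * Returns          true if device is known and role switch is supported, or
 *                  if the device is known but its feature page 0 is all
 *                  zero (never received, so support is assumed). false if
 *                  the device is unknown, the local controller cannot
 *                  switch roles, or (when SCO is compiled in) a SCO link to
 *                  the peer is active.
 *
 ******************************************************************************/
bool btm_dev_support_switch(const RawAddress& bd_addr) {
#if (BTM_SCO_INCLUDED == TRUE)
  /* Role switch is not allowed if a SCO is up */
  if (btm_is_sco_active_by_bdaddr(bd_addr)) return false;
#endif
  tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
  if (p_dev_rec &&
      controller_get_interface()->supports_master_slave_role_switch()) {
    if (HCI_SWITCH_SUPPORTED(p_dev_rec->feature_pages[0])) {
      BTM_TRACE_DEBUG("btm_dev_support_switch return true (feature found)");
      return true;
    }

    /* If the feature field is all zero, we never received them */
    bool feature_empty = true;
    for (uint8_t xx = 0; xx < BD_FEATURES_LEN; xx++) {
      if (p_dev_rec->feature_pages[0][xx] != 0x00) {
        feature_empty = false; /* at least one is != 0 */
        break;
      }
    }

    /* If we don't know peer's capabilities, assume it supports Role-switch */
    if (feature_empty) {
      BTM_TRACE_DEBUG("btm_dev_support_switch return true (feature empty)");
      return true;
    }
  }

  BTM_TRACE_DEBUG("btm_dev_support_switch return false");
  return false;
}

/*******************************************************************************
 *
 * Function         is_handle_equal
 *
 * Description      list_foreach() callback: matches a record whose BR/EDR or
 *                  LE connection handle equals *context.
 *
 * Parameters:      data    - tBTM_SEC_DEV_REC* (list element)
 *                  context - uint16_t* handle to look for
 *
 * Returns          false to stop iteration at a matching record (the node is
 *                  then returned by list_foreach), true to keep scanning
 *
 ******************************************************************************/
bool is_handle_equal(void* data, void* context) {
  tBTM_SEC_DEV_REC* p_dev_rec = static_cast<tBTM_SEC_DEV_REC*>(data);
  uint16_t* handle = static_cast<uint16_t*>(context);

  if (p_dev_rec->hci_handle == *handle || p_dev_rec->ble_hci_handle == *handle)
    return false;

  return true;
}

/*******************************************************************************
 *
 * Function         btm_find_dev_by_handle
 *
 * Description      Look for the record in the device database for the record
 *                  with specified handle (BR/EDR or LE)
 *
 * Parameters:      handle - HCI connection handle
 *
 * Returns          Pointer to the record or NULL
 *
 ******************************************************************************/
tBTM_SEC_DEV_REC* btm_find_dev_by_handle(uint16_t handle) {
  list_node_t* n = list_foreach(btm_cb.sec_dev_rec, is_handle_equal, &handle);
  if (n) return static_cast<tBTM_SEC_DEV_REC*>(list_node(n));

  return NULL;
}

/*******************************************************************************
 *
 * Function         is_address_equal
 *
 * Description      list_foreach() callback: matches a record whose public
 *                  address or LE pseudo address equals *context, or for
 *                  which *context is a resolvable private address that
 *                  resolves to the record's IRK.
 *
 * Parameters:      data    - tBTM_SEC_DEV_REC* (list element)
 *                  context - const RawAddress* to look for
 *
 * Returns          false to stop iteration at a matching record, true to
 *                  keep scanning
 *
 ******************************************************************************/
bool is_address_equal(void* data, void* context) {
  tBTM_SEC_DEV_REC* p_dev_rec = static_cast<tBTM_SEC_DEV_REC*>(data);
  const RawAddress* bd_addr = static_cast<const RawAddress*>(context);

  if (p_dev_rec->bd_addr == *bd_addr) return false;
  // If a LE random address is looking for device record
  if (p_dev_rec->ble.pseudo_addr == *bd_addr) return false;

  if (btm_ble_addr_resolvable(*bd_addr, p_dev_rec)) return false;
  return true;
}

/*******************************************************************************
 *
 * Function         btm_find_dev
 *
 * Description      Look for the record in the device database for the record
 *                  with specified BD address (public, LE pseudo, or RPA that
 *                  resolves to the record; see is_address_equal)
 *
 * Parameters:      bd_addr - BD address of the peer
 *
 * Returns          Pointer to the record or NULL
 *
 ******************************************************************************/
tBTM_SEC_DEV_REC* btm_find_dev(const RawAddress& bd_addr) {
  /* const is dropped only to fit the void* callback context; the callback
   * reads through it as const RawAddress* */
  list_node_t* n =
      list_foreach(btm_cb.sec_dev_rec, is_address_equal, (void*)&bd_addr);
  if (n) return static_cast<tBTM_SEC_DEV_REC*>(list_node(n));

  return NULL;
}

/*******************************************************************************
 *
 * Function         btm_consolidate_dev
 *
 * Description      combine security records if identified as same peer.
 *                  Any other record with the same bd_addr is merged into
 *                  p_target_rec (taking the other record's contents but
 *                  keeping the target's BLE state, handle, key size,
 *                  connection params, bond type and OR-ing flags/type), and
 *                  any RPA entry that resolves to the target is folded in.
 *                  Merged records are removed from the list and freed.
 *
 * Parameters:      p_target_rec - record to keep (must be in the list)
 *
 * Returns          none
 *
 ******************************************************************************/
void btm_consolidate_dev(tBTM_SEC_DEV_REC* p_target_rec) {
  /* snapshot the target before it is overwritten by memcpy below */
  tBTM_SEC_DEV_REC temp_rec = *p_target_rec;

  BTM_TRACE_DEBUG("%s", __func__);

  list_node_t* end = list_end(btm_cb.sec_dev_rec);
  list_node_t* node = list_begin(btm_cb.sec_dev_rec);
  while (node != end) {
    tBTM_SEC_DEV_REC* p_dev_rec =
        static_cast<tBTM_SEC_DEV_REC*>(list_node(node));

    // we do list_remove in some cases, must grab next before removing
    node = list_next(node);

    if (p_target_rec == p_dev_rec) continue;

    if (p_dev_rec->bd_addr == p_target_rec->bd_addr) {
      memcpy(p_target_rec, p_dev_rec, sizeof(tBTM_SEC_DEV_REC));
      p_target_rec->ble = temp_rec.ble;
      p_target_rec->ble_hci_handle = temp_rec.ble_hci_handle;
      p_target_rec->enc_key_size = temp_rec.enc_key_size;
      p_target_rec->conn_params = temp_rec.conn_params;
      p_target_rec->device_type |= temp_rec.device_type;
      p_target_rec->sec_flags |= temp_rec.sec_flags;

      p_target_rec->new_encryption_key_is_p256 =
          temp_rec.new_encryption_key_is_p256;
      p_target_rec->no_smp_on_br = temp_rec.no_smp_on_br;
      p_target_rec->bond_type = temp_rec.bond_type;

      /* remove the combined record */
      list_remove(btm_cb.sec_dev_rec, p_dev_rec);
      // p_dev_rec gets freed in list_remove, we should not access it further
      continue;
    }

    /* an RPA device entry is a duplicate of the target record */
    if (btm_ble_addr_resolvable(p_dev_rec->bd_addr, p_target_rec)) {
      if (p_target_rec->ble.pseudo_addr == p_dev_rec->bd_addr) {
        p_target_rec->ble.ble_addr_type = p_dev_rec->ble.ble_addr_type;
        p_target_rec->device_type |= p_dev_rec->device_type;

        /* remove the combined record */
        list_remove(btm_cb.sec_dev_rec, p_dev_rec);
      }
    }
  }
}

/*******************************************************************************
 *
 * Function         btm_find_or_alloc_dev
 *
 * Description      Look for the record in the device database for the record
 *                  with specified BD address; allocate one if none exists.
 *
 * Parameters:      bd_addr - BD address of the peer
 *
 * Returns          Pointer to the existing or newly allocated record
 *
 ******************************************************************************/
tBTM_SEC_DEV_REC* btm_find_or_alloc_dev(const RawAddress& bd_addr) {
  BTM_TRACE_EVENT("btm_find_or_alloc_dev");
  tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
  if (p_dev_rec == NULL) {
    /* Allocate a new device record or reuse the oldest one */
    p_dev_rec = btm_sec_alloc_dev(bd_addr);
  }
  return p_dev_rec;
}

/*******************************************************************************
 *
 * Function         btm_find_oldest_dev_rec
 *
 * Description      Locates the oldest device in use. It first looks for
 *                  the oldest non-paired device. If all devices are paired it
 *                  returns the oldest paired device. "Paired" means the
 *                  record has a BR/EDR or LE link key known.
 *
 * Returns          Pointer to the record, or NULL if the list is empty
 *
 ******************************************************************************/
static tBTM_SEC_DEV_REC* btm_find_oldest_dev_rec(void) {
  tBTM_SEC_DEV_REC* p_oldest = NULL;
  uint32_t ts_oldest = 0xFFFFFFFF;
  tBTM_SEC_DEV_REC* p_oldest_paired = NULL;
  uint32_t ts_oldest_paired = 0xFFFFFFFF;

  list_node_t* end = list_end(btm_cb.sec_dev_rec);
  for (list_node_t* node = list_begin(btm_cb.sec_dev_rec); node != end;
       node = list_next(node)) {
    tBTM_SEC_DEV_REC* p_dev_rec =
        static_cast<tBTM_SEC_DEV_REC*>(list_node(node));

    if ((p_dev_rec->sec_flags &
         (BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LE_LINK_KEY_KNOWN)) == 0) {
      // Device is not paired
      if (p_dev_rec->timestamp < ts_oldest) {
        p_oldest = p_dev_rec;
        ts_oldest = p_dev_rec->timestamp;
      }
    } else {
      // Paired device
      if (p_dev_rec->timestamp < ts_oldest_paired) {
        p_oldest_paired = p_dev_rec;
        ts_oldest_paired = p_dev_rec->timestamp;
      }
    }
  }

  // If we did not find any non-paired devices, use the oldest paired one...
  if (ts_oldest == 0xFFFFFFFF) p_oldest = p_oldest_paired;

  return p_oldest;
}

/*******************************************************************************
 *
 * Function         btm_sec_allocate_dev_rec
 *
 * Description      Attempts to allocate a new device record. If we have
 *                  exceeded the maximum number of allowable records to
 *                  allocate, the oldest record will be deleted to make room
 *                  for the new record. Note the check is strictly greater
 *                  than BTM_SEC_MAX_DEVICE_RECORDS, so the list can hold one
 *                  more entry than that before eviction kicks in.
 *
 * Returns          Pointer to the newly allocated record
 *
 ******************************************************************************/
tBTM_SEC_DEV_REC* btm_sec_allocate_dev_rec(void) {
  tBTM_SEC_DEV_REC* p_dev_rec = NULL;

  if (list_length(btm_cb.sec_dev_rec) > BTM_SEC_MAX_DEVICE_RECORDS) {
    /* Eviction prefers unpaired records; a bonded peer is only dropped when
     * every record is paired. list_remove frees the evicted record. */
    p_dev_rec = btm_find_oldest_dev_rec();
    list_remove(btm_cb.sec_dev_rec, p_dev_rec);
  }

  /* NOTE(review): the osi_calloc result is used unchecked; this relies on
   * osi_calloc never returning NULL (e.g. aborting on OOM) - confirm. */
  p_dev_rec =
      static_cast<tBTM_SEC_DEV_REC*>(osi_calloc(sizeof(tBTM_SEC_DEV_REC)));
  list_append(btm_cb.sec_dev_rec, p_dev_rec);

  // Initialize defaults
  p_dev_rec->sec_flags = BTM_SEC_IN_USE;
  p_dev_rec->bond_type = BOND_TYPE_UNKNOWN;
  p_dev_rec->timestamp = btm_cb.dev_rec_count++;
  p_dev_rec->rmt_io_caps = BTM_IO_CAP_UNKNOWN;

  return p_dev_rec;
}

/*******************************************************************************
 *
 * Function         btm_get_bond_type_dev
 *
 * Description      Get the bond type for a device in the device database
 *                  with specified BD address
 *
 * Parameters:      bd_addr - BD address of the peer
 *
 * Returns          The device bond type if known, otherwise BOND_TYPE_UNKNOWN
 *
 ******************************************************************************/
tBTM_BOND_TYPE btm_get_bond_type_dev(const RawAddress& bd_addr) {
  tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);

  if (p_dev_rec == NULL) return BOND_TYPE_UNKNOWN;

  return p_dev_rec->bond_type;
}

/*******************************************************************************
 *
 * Function         btm_set_bond_type_dev
 *
 * Description      Set the bond type for a device in the device database
 *                  with specified BD address
 *
 * Parameters:      bd_addr   - BD address of the peer
 *                  bond_type - new bond type to store
 *
 * Returns          true on success, false if the device is not in the database
 *
 ******************************************************************************/
bool btm_set_bond_type_dev(const RawAddress& bd_addr,
                           tBTM_BOND_TYPE bond_type) {
  tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);

  if (p_dev_rec == NULL) return false;

  p_dev_rec->bond_type = bond_type;
  return true;
}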