btm_ble.c revision 87776cf5e201b18646cbc16f11a7110d5ffe510c
1/****************************************************************************** 2 * 3 * Copyright (C) 1999-2012 Broadcom Corporation 4 * 5 * Licensed under the Apache License, Version 2.0 (the "License"); 6 * you may not use this file except in compliance with the License. 7 * You may obtain a copy of the License at: 8 * 9 * http://www.apache.org/licenses/LICENSE-2.0 10 * 11 * Unless required by applicable law or agreed to in writing, software 12 * distributed under the License is distributed on an "AS IS" BASIS, 13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 * See the License for the specific language governing permissions and 15 * limitations under the License. 16 * 17 ******************************************************************************/ 18 19/****************************************************************************** 20 * 21 * This file contains functions for BLE device control utilities, and LE 22 * security functions. 23 * 24 ******************************************************************************/ 25#include "bt_target.h" 26 27#if BLE_INCLUDED == TRUE 28 29#include <string.h> 30 31#include "bt_types.h" 32#include "hcimsgs.h" 33#include "btu.h" 34#include "btm_int.h" 35#include "btm_ble_api.h" 36#include "smp_api.h" 37#include "l2c_int.h" 38#include "gap_api.h" 39#include "bt_utils.h" 40 41#if SMP_INCLUDED == TRUE 42extern BOOLEAN AES_CMAC ( BT_OCTET16 key, UINT8 *input, UINT16 length, UINT16 tlen, UINT8 *p_signature); 43extern void smp_link_encrypted(BD_ADDR bda, UINT8 encr_enable); 44extern BOOLEAN smp_proc_ltk_request(BD_ADDR bda); 45#endif 46extern void gatt_notify_enc_cmpl(BD_ADDR bd_addr); 47 48/*******************************************************************************/ 49/* External Function to be called by other modules */ 50/*******************************************************************************/ 51/******************************************************** 52** 53** Function BTM_SecAddBleDevice 54** 55** Description Add/modify device. This function will be normally called 56** during host startup to restore all required information 57** for a LE device stored in the NVRAM. 58** 59** Parameters: bd_addr - BD address of the peer 60** bd_name - Name of the peer device. NULL if unknown. 61** dev_type - Remote device's device type. 62** addr_type - LE device address type. 63** 64** Returns TRUE if added OK, else FALSE 65** 66*******************************************************************************/ 67BOOLEAN BTM_SecAddBleDevice (BD_ADDR bd_addr, BD_NAME bd_name, tBT_DEVICE_TYPE dev_type, 68 tBLE_ADDR_TYPE addr_type) 69{ 70 tBTM_SEC_DEV_REC *p_dev_rec; 71 UINT8 i = 0; 72 tBTM_INQ_INFO *p_info=NULL; 73 74 BTM_TRACE_DEBUG1 ("BTM_SecAddBleDevice dev_type=0x%x", dev_type); 75 p_dev_rec = btm_find_dev (bd_addr); 76 77 if (!p_dev_rec) 78 { 79 BTM_TRACE_DEBUG0("Add a new device"); 80 81 /* There is no device record, allocate one. 82 * If we can not find an empty spot for this one, let it fail. */ 83 for (i = 0; i < BTM_SEC_MAX_DEVICE_RECORDS; i++) 84 { 85 if (!(btm_cb.sec_dev_rec[i].sec_flags & BTM_SEC_IN_USE)) 86 { 87 BTM_TRACE_DEBUG1 ("allocate a new dev rec idx=0x%x ", i ); 88 p_dev_rec = &btm_cb.sec_dev_rec[i]; 89 90 /* Mark this record as in use and initialize */ 91 memset (p_dev_rec, 0, sizeof (tBTM_SEC_DEV_REC)); 92 p_dev_rec->sec_flags = BTM_SEC_IN_USE; 93 memcpy (p_dev_rec->bd_addr, bd_addr, BD_ADDR_LEN); 94 p_dev_rec->hci_handle = BTM_GetHCIConnHandle (bd_addr, BT_TRANSPORT_BR_EDR); 95 p_dev_rec->ble_hci_handle = BTM_GetHCIConnHandle (bd_addr, BT_TRANSPORT_LE); 96 97 /* update conn params, use default value for background connection params */ 98 p_dev_rec->conn_params.min_conn_int = 99 p_dev_rec->conn_params.max_conn_int = 100 p_dev_rec->conn_params.supervision_tout = 101 p_dev_rec->conn_params.slave_latency = BTM_BLE_CONN_PARAM_UNDEF; 102 103 BTM_TRACE_DEBUG1 ("hci_handl=0x%x ", p_dev_rec->ble_hci_handle ); 104 break; 105 } 106 } 107 108 if (!p_dev_rec) 109 return(FALSE); 110 } 111 else 112 { 113 BTM_TRACE_DEBUG0("Device already exist"); 114 } 115 116 memset(p_dev_rec->sec_bd_name, 0, sizeof(tBTM_BD_NAME)); 117 118 if (bd_name && bd_name[0]) 119 { 120 p_dev_rec->sec_flags |= BTM_SEC_NAME_KNOWN; 121 BCM_STRNCPY_S ((char *)p_dev_rec->sec_bd_name, sizeof (p_dev_rec->sec_bd_name), 122 (char *)bd_name, BTM_MAX_REM_BD_NAME_LEN); 123 } 124 p_dev_rec->device_type = dev_type; 125 p_dev_rec->ble.ble_addr_type = addr_type; 126 BTM_TRACE_DEBUG3 ("p_dev_rec->device_type =0x%x addr_type=0x%x sec_flags=0x%x", 127 dev_type, addr_type, p_dev_rec->sec_flags); 128 129 /* sync up with the Inq Data base*/ 130 p_info = BTM_InqDbRead(bd_addr); 131 if (p_info) 132 { 133 p_info->results.ble_addr_type = p_dev_rec->ble.ble_addr_type ; 134 p_info->results.device_type = p_dev_rec->device_type; 135 BTM_TRACE_DEBUG2 ("InqDb device_type =0x%x addr_type=0x%x", 136 p_info->results.device_type, p_info->results.ble_addr_type); 137 } 138 139 return(TRUE); 140} 141 142/******************************************************************************* 143** 144** Function BTM_SecAddBleKey 145** 146** Description Add/modify LE device information. This function will be 147** normally called during host startup to restore all required 148** information stored in the NVRAM. 149** 150** Parameters: bd_addr - BD address of the peer 151** p_le_key - LE key values. 152** key_type - LE SMP key type. 153* 154** Returns TRUE if added OK, else FALSE 155** 156*******************************************************************************/ 157BOOLEAN BTM_SecAddBleKey (BD_ADDR bd_addr, tBTM_LE_KEY_VALUE *p_le_key, tBTM_LE_KEY_TYPE key_type) 158{ 159#if SMP_INCLUDED == TRUE 160 tBTM_SEC_DEV_REC *p_dev_rec; 161 BTM_TRACE_DEBUG0 ("BTM_SecAddBleKey"); 162 p_dev_rec = btm_find_dev (bd_addr); 163 if (!p_dev_rec || !p_le_key || 164 (key_type != BTM_LE_KEY_PENC && key_type != BTM_LE_KEY_PID && 165 key_type != BTM_LE_KEY_PCSRK && key_type != BTM_LE_KEY_LENC && 166 key_type != BTM_LE_KEY_LCSRK)) 167 { 168 BTM_TRACE_WARNING3 ("BTM_SecAddBleKey() Wrong Type, or No Device record \ 169 for bdaddr: %08x%04x, Type: %d", 170 (bd_addr[0]<<24)+(bd_addr[1]<<16)+(bd_addr[2]<<8)+bd_addr[3], 171 (bd_addr[4]<<8)+bd_addr[5], key_type); 172 return(FALSE); 173 } 174 175 BTM_TRACE_DEBUG3 ("BTM_SecAddLeKey() BDA: %08x%04x, Type: 0x%02x", 176 (bd_addr[0]<<24)+(bd_addr[1]<<16)+(bd_addr[2]<<8)+bd_addr[3], 177 (bd_addr[4]<<8)+bd_addr[5], key_type); 178 179 if (key_type == BTM_LE_KEY_PENC || key_type == BTM_LE_KEY_PID || 180 key_type == BTM_LE_KEY_PCSRK || key_type == BTM_LE_KEY_LENC || 181 key_type == BTM_LE_KEY_LCSRK) 182 { 183 btm_sec_save_le_key (bd_addr, key_type, p_le_key, FALSE); 184 } 185 186#endif 187 188 return(TRUE); 189} 190 191/******************************************************************************* 192** 193** Function BTM_BleLoadLocalKeys 194** 195** Description Local local identity key, encryption root or sign counter. 196** 197** Parameters: key_type: type of key, can be BTM_BLE_KEY_TYPE_ID, BTM_BLE_KEY_TYPE_ER 198** or BTM_BLE_KEY_TYPE_COUNTER. 199** p_key: pointer to the key. 200* 201** Returns non2. 202** 203*******************************************************************************/ 204void BTM_BleLoadLocalKeys(UINT8 key_type, tBTM_BLE_LOCAL_KEYS *p_key) 205{ 206 tBTM_DEVCB *p_devcb = &btm_cb.devcb; 207 BTM_TRACE_DEBUG0 ("BTM_BleLoadLocalKeys"); 208 if (p_key != NULL) 209 { 210 switch (key_type) 211 { 212 case BTM_BLE_KEY_TYPE_ID: 213 memcpy(&p_devcb->id_keys, &p_key->id_keys, sizeof(tBTM_BLE_LOCAL_ID_KEYS)); 214 break; 215 216 case BTM_BLE_KEY_TYPE_ER: 217 memcpy(p_devcb->er, p_key->er, sizeof(BT_OCTET16)); 218 break; 219 220 default: 221 BTM_TRACE_ERROR1("unknow local key type: %d", key_type); 222 break; 223 } 224 } 225} 226 227/******************************************************************************* 228** 229** Function BTM_GetDeviceEncRoot 230** 231** Description This function is called to read the local device encryption 232** root. 233** 234** Returns void 235** the local device ER is copied into er 236** 237*******************************************************************************/ 238void BTM_GetDeviceEncRoot (BT_OCTET16 er) 239{ 240 BTM_TRACE_DEBUG0 ("BTM_GetDeviceEncRoot"); 241 242 memcpy (er, btm_cb.devcb.er, BT_OCTET16_LEN); 243} 244 245/******************************************************************************* 246** 247** Function BTM_GetDeviceIDRoot 248** 249** Description This function is called to read the local device identity 250** root. 251** 252** Returns void 253** the local device IR is copied into irk 254** 255*******************************************************************************/ 256void BTM_GetDeviceIDRoot (BT_OCTET16 irk) 257{ 258 BTM_TRACE_DEBUG0 ("BTM_GetDeviceIDRoot "); 259 260 memcpy (irk, btm_cb.devcb.id_keys.irk, BT_OCTET16_LEN); 261} 262 263/******************************************************************************* 264** 265** Function BTM_GetDeviceDHK 266** 267** Description This function is called to read the local device DHK. 268** 269** Returns void 270** the local device DHK is copied into dhk 271** 272*******************************************************************************/ 273void BTM_GetDeviceDHK (BT_OCTET16 dhk) 274{ 275 BTM_TRACE_DEBUG0 ("BTM_GetDeviceDHK"); 276 memcpy (dhk, btm_cb.devcb.id_keys.dhk, BT_OCTET16_LEN); 277} 278 279/******************************************************************************* 280** 281** Function BTM_ReadConnectionAddr 282** 283** Description This function is called to get the local device address information 284** . 285** 286** Returns void 287** 288*******************************************************************************/ 289void BTM_ReadConnectionAddr (BD_ADDR remote_bda, BD_ADDR local_conn_addr, tBLE_ADDR_TYPE *p_addr_type) 290{ 291 tACL_CONN *p_acl = btm_bda_to_acl(remote_bda, BT_TRANSPORT_LE); 292 293 if (p_acl == NULL) 294 { 295 BTM_TRACE_ERROR0("No connection exist!"); 296 return; 297 } 298 memcpy(local_conn_addr, p_acl->conn_addr, BD_ADDR_LEN); 299 * p_addr_type = p_acl->conn_addr_type; 300 301 BTM_TRACE_DEBUG2 ("BTM_ReadConnectionAddr address type: %d addr: 0x%02x", 302 p_acl->conn_addr_type, p_acl->conn_addr[0]); 303} 304 305/******************************************************************************* 306** 307** Function BTM_IsBleConnection 308** 309** Description This function is called to check if the connection handle 310** for an LE link 311** 312** Returns TRUE if connection is LE link, otherwise FALSE. 313** 314*******************************************************************************/ 315BOOLEAN BTM_IsBleConnection (UINT16 conn_handle) 316{ 317#if (BLE_INCLUDED == TRUE) 318 UINT8 xx; 319 tACL_CONN *p; 320 321 BTM_TRACE_API1 ("BTM_IsBleConnection: conn_handle: %d", conn_handle); 322 323 xx = btm_handle_to_acl_index (conn_handle); 324 if (xx >= MAX_L2CAP_LINKS) 325 return FALSE; 326 327 p = &btm_cb.acl_db[xx]; 328 329 return (p->transport == BT_TRANSPORT_LE); 330#else 331 return FALSE; 332#endif 333} 334 335/******************************************************************************* 336** 337** Function BTM_ReadRemoteConnectionAddr 338** 339** Description This function is read the remote device address currently used 340** 341** Parameters pseudo_addr: pseudo random address available 342** conn_addr:connection address used 343** p_addr_type : BD Address type, Public or Random of the address used 344** 345** Returns BOOLEAN , TRUE if connection to remote device exists, else FALSE 346** 347*******************************************************************************/ 348BOOLEAN BTM_ReadRemoteConnectionAddr(BD_ADDR pseudo_addr, BD_ADDR conn_addr, 349 tBLE_ADDR_TYPE *p_addr_type) 350{ 351 BOOLEAN st = TRUE; 352#if (BLE_PRIVACY_SPT == TRUE) 353 tACL_CONN *p = btm_bda_to_acl (pseudo_addr, BT_TRANSPORT_LE); 354 355 if (p == NULL) 356 { 357 BTM_TRACE_ERROR0("BTM_ReadRemoteConnectionAddr can not find connection" 358 " with matching address"); 359 return FALSE; 360 } 361 362 memcpy(conn_addr, p->active_remote_addr, BD_ADDR_LEN); 363 *p_addr_type = p->active_remote_addr_type; 364#else 365 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev(pseudo_addr); 366 367 memcpy(conn_addr, pseudo_addr, BD_ADDR_LEN); 368 if (p_dev_rec != NULL) 369 { 370 *p_addr_type = p_dev_rec->ble.ble_addr_type; 371 } 372#endif 373 return st; 374 375} 376/******************************************************************************* 377** 378** Function BTM_SecurityGrant 379** 380** Description This function is called to grant security process. 381** 382** Parameters bd_addr - peer device bd address. 383** res - result of the operation BTM_SUCCESS if success. 384** Otherwise, BTM_REPEATED_ATTEMPTS is too many attempts. 385** 386** Returns None 387** 388*******************************************************************************/ 389void BTM_SecurityGrant(BD_ADDR bd_addr, UINT8 res) 390{ 391#if SMP_INCLUDED == TRUE 392 tSMP_STATUS res_smp = (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_REPEATED_ATTEMPTS; 393 BTM_TRACE_DEBUG0 ("BTM_SecurityGrant"); 394 SMP_SecurityGrant(bd_addr, res_smp); 395#endif 396} 397 398/******************************************************************************* 399** 400** Function BTM_BlePasskeyReply 401** 402** Description This function is called after Security Manager submitted 403** passkey request to the application. 404** 405** Parameters: bd_addr - Address of the device for which passkey was requested 406** res - result of the operation BTM_SUCCESS if success 407** key_len - length in bytes of the Passkey 408** p_passkey - pointer to array with the passkey 409** trusted_mask - bitwise OR of trusted services (array of UINT32) 410** 411*******************************************************************************/ 412void BTM_BlePasskeyReply (BD_ADDR bd_addr, UINT8 res, UINT32 passkey) 413{ 414#if SMP_INCLUDED == TRUE 415 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr); 416 tSMP_STATUS res_smp = (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_PASSKEY_ENTRY_FAIL; 417 418 if (p_dev_rec == NULL) 419 { 420 BTM_TRACE_ERROR0("Passkey reply to Unknown device"); 421 return; 422 } 423 424 p_dev_rec->sec_flags |= BTM_SEC_LE_LINK_KEY_AUTHED; 425 BTM_TRACE_DEBUG0 ("BTM_BlePasskeyReply"); 426 SMP_PasskeyReply(bd_addr, res_smp, passkey); 427#endif 428} 429 430/******************************************************************************* 431** 432** Function BTM_BleOobDataReply 433** 434** Description This function is called to provide the OOB data for 435** SMP in response to BTM_LE_OOB_REQ_EVT 436** 437** Parameters: bd_addr - Address of the peer device 438** res - result of the operation SMP_SUCCESS if success 439** p_data - simple pairing Randomizer C. 440** 441*******************************************************************************/ 442void BTM_BleOobDataReply(BD_ADDR bd_addr, UINT8 res, UINT8 len, UINT8 *p_data) 443{ 444#if SMP_INCLUDED == TRUE 445 tSMP_STATUS res_smp = (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_OOB_FAIL; 446 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr); 447 448 BTM_TRACE_DEBUG0 ("BTM_BleOobDataReply"); 449 450 if (p_dev_rec == NULL) 451 { 452 BTM_TRACE_ERROR0("BTM_BleOobDataReply() to Unknown device"); 453 return; 454 } 455 456 p_dev_rec->sec_flags |= BTM_SEC_LE_LINK_KEY_AUTHED; 457 SMP_OobDataReply(bd_addr, res_smp, len, p_data); 458#endif 459} 460 461/****************************************************************************** 462** 463** Function BTM_BleSetConnScanParams 464** 465** Description Set scan parameter used in BLE connection request 466** 467** Parameters: scan_interval: scan interval 468** scan_window: scan window 469** 470** Returns void 471** 472*******************************************************************************/ 473void BTM_BleSetConnScanParams (UINT16 scan_interval, UINT16 scan_window) 474{ 475#if SMP_INCLUDED == TRUE 476 tBTM_BLE_CB *p_ble_cb = &btm_cb.ble_ctr_cb; 477 BOOLEAN new_param = FALSE; 478 479 if (BTM_BLE_VALID_PRAM(scan_interval, BTM_BLE_SCAN_INT_MIN, BTM_BLE_SCAN_INT_MAX) && 480 BTM_BLE_VALID_PRAM(scan_window, BTM_BLE_SCAN_WIN_MIN, BTM_BLE_SCAN_WIN_MAX)) 481 { 482 btu_stop_timer(&p_ble_cb->scan_param_idle_timer); 483 484 if (p_ble_cb->scan_int != scan_interval) 485 { 486 p_ble_cb->scan_int = scan_interval; 487 new_param = TRUE; 488 } 489 490 if (p_ble_cb->scan_win != scan_window) 491 { 492 p_ble_cb->scan_win = scan_window; 493 new_param = TRUE; 494 } 495 496 if (new_param && p_ble_cb->conn_state == BLE_BG_CONN) 497 { 498 btm_ble_suspend_bg_conn(); 499 } 500 } 501 else 502 { 503 BTM_TRACE_ERROR0("Illegal Connection Scan Parameters"); 504 } 505#endif 506} 507 508/******************************************************** 509** 510** Function BTM_BleSetPrefConnParams 511** 512** Description Set a peripheral's preferred connection parameters 513** 514** Parameters: bd_addr - BD address of the peripheral 515** scan_interval: scan interval 516** scan_window: scan window 517** min_conn_int - minimum preferred connection interval 518** max_conn_int - maximum preferred connection interval 519** slave_latency - preferred slave latency 520** supervision_tout - preferred supervision timeout 521** 522** Returns void 523** 524*******************************************************************************/ 525void BTM_BleSetPrefConnParams (BD_ADDR bd_addr, 526 UINT16 min_conn_int, UINT16 max_conn_int, 527 UINT16 slave_latency, UINT16 supervision_tout) 528{ 529 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr); 530 531 BTM_TRACE_API4 ("BTM_BleSetPrefConnParams min: %u max: %u latency: %u \ 532 tout: %u", 533 min_conn_int, max_conn_int, slave_latency, supervision_tout); 534 535 if (BTM_BLE_VALID_PRAM(min_conn_int, BTM_BLE_CONN_INT_MIN, BTM_BLE_CONN_INT_MAX) && 536 BTM_BLE_VALID_PRAM(max_conn_int, BTM_BLE_CONN_INT_MIN, BTM_BLE_CONN_INT_MAX) && 537 BTM_BLE_VALID_PRAM(supervision_tout, BTM_BLE_CONN_SUP_TOUT_MIN, BTM_BLE_CONN_SUP_TOUT_MAX) && 538 (slave_latency <= BTM_BLE_CONN_LATENCY_MAX || slave_latency == BTM_BLE_CONN_PARAM_UNDEF)) 539 { 540 if (p_dev_rec) 541 { 542 /* expect conn int and stout and slave latency to be updated all together */ 543 if (min_conn_int != BTM_BLE_CONN_PARAM_UNDEF || max_conn_int != BTM_BLE_CONN_PARAM_UNDEF) 544 { 545 if (min_conn_int != BTM_BLE_CONN_PARAM_UNDEF) 546 p_dev_rec->conn_params.min_conn_int = min_conn_int; 547 else 548 p_dev_rec->conn_params.min_conn_int = max_conn_int; 549 550 if (max_conn_int != BTM_BLE_CONN_PARAM_UNDEF) 551 p_dev_rec->conn_params.max_conn_int = max_conn_int; 552 else 553 p_dev_rec->conn_params.max_conn_int = min_conn_int; 554 555 if (slave_latency != BTM_BLE_CONN_PARAM_UNDEF) 556 p_dev_rec->conn_params.slave_latency = slave_latency; 557 else 558 p_dev_rec->conn_params.slave_latency = BTM_BLE_CONN_SLAVE_LATENCY_DEF; 559 560 if (supervision_tout != BTM_BLE_CONN_PARAM_UNDEF) 561 p_dev_rec->conn_params.supervision_tout = supervision_tout; 562 else 563 p_dev_rec->conn_params.slave_latency = BTM_BLE_CONN_TIMEOUT_DEF; 564 565 } 566 567 } 568 else 569 { 570 BTM_TRACE_ERROR0("Unknown Device, setting rejected"); 571 } 572 } 573 else 574 { 575 BTM_TRACE_ERROR0("Illegal Connection Parameters"); 576 } 577} 578 579/******************************************************************************* 580** 581** Function BTM_ReadDevInfo 582** 583** Description This function is called to read the device/address type 584** of BD address. 585** 586** Parameter remote_bda: remote device address 587** p_dev_type: output parameter to read the device type. 588** p_addr_type: output parameter to read the address type. 589** 590*******************************************************************************/ 591void BTM_ReadDevInfo (BD_ADDR remote_bda, tBT_DEVICE_TYPE *p_dev_type, tBLE_ADDR_TYPE *p_addr_type) 592{ 593 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (remote_bda); 594 tBTM_INQ_INFO *p_inq_info = BTM_InqDbRead(remote_bda); 595 596 *p_dev_type = BT_DEVICE_TYPE_BREDR; 597 *p_addr_type = BLE_ADDR_PUBLIC; 598 599 if (!p_dev_rec) 600 { 601 /* Check with the BT manager if details about remote device are known */ 602 if (p_inq_info != NULL) 603 { 604 *p_dev_type = p_inq_info->results.device_type ; 605 *p_addr_type = p_inq_info->results.ble_addr_type; 606 } else { 607 /* unknown device, assume BR/EDR */ 608 BTM_TRACE_DEBUG0 ("btm_find_dev_type - unknown device, BR/EDR assumed"); 609 } 610 } 611 else /* there is a security device record exisitng */ 612 { 613 /* new inquiry result, overwrite device type in security device record */ 614 if (p_inq_info) 615 { 616 p_dev_rec->device_type = p_inq_info->results.device_type; 617 p_dev_rec->ble.ble_addr_type = p_inq_info->results.ble_addr_type; 618 } 619 *p_dev_type = p_dev_rec->device_type; 620 *p_addr_type = p_dev_rec->ble.ble_addr_type; 621 622 } 623 624 BTM_TRACE_DEBUG2 ("btm_find_dev_type - device_type = %d addr_type = %d", *p_dev_type , *p_addr_type); 625} 626 627/******************************************************************************* 628** 629** Function BTM_BleReceiverTest 630** 631** Description This function is called to start the LE Receiver test 632** 633** Parameter rx_freq - Frequency Range 634** p_cmd_cmpl_cback - Command Complete callback 635** 636*******************************************************************************/ 637void BTM_BleReceiverTest(UINT8 rx_freq, tBTM_CMPL_CB *p_cmd_cmpl_cback) 638{ 639 btm_cb.devcb.p_le_test_cmd_cmpl_cb = p_cmd_cmpl_cback; 640 641 if (btsnd_hcic_ble_receiver_test(rx_freq) == FALSE) 642 { 643 BTM_TRACE_ERROR1("%s: Unable to Trigger LE receiver test", __FUNCTION__); 644 } 645} 646 647/******************************************************************************* 648** 649** Function BTM_BleTransmitterTest 650** 651** Description This function is called to start the LE Transmitter test 652** 653** Parameter tx_freq - Frequency Range 654** test_data_len - Length in bytes of payload data in each packet 655** packet_payload - Pattern to use in the payload 656** p_cmd_cmpl_cback - Command Complete callback 657** 658*******************************************************************************/ 659void BTM_BleTransmitterTest(UINT8 tx_freq, UINT8 test_data_len, 660 UINT8 packet_payload, tBTM_CMPL_CB *p_cmd_cmpl_cback) 661{ 662 btm_cb.devcb.p_le_test_cmd_cmpl_cb = p_cmd_cmpl_cback; 663 if (btsnd_hcic_ble_transmitter_test(tx_freq, test_data_len, packet_payload) == FALSE) 664 { 665 BTM_TRACE_ERROR1("%s: Unable to Trigger LE transmitter test", __FUNCTION__); 666 } 667} 668 669/******************************************************************************* 670** 671** Function BTM_BleTestEnd 672** 673** Description This function is called to stop the in-progress TX or RX test 674** 675** Parameter p_cmd_cmpl_cback - Command complete callback 676** 677*******************************************************************************/ 678void BTM_BleTestEnd(tBTM_CMPL_CB *p_cmd_cmpl_cback) 679{ 680 btm_cb.devcb.p_le_test_cmd_cmpl_cb = p_cmd_cmpl_cback; 681 682 if (btsnd_hcic_ble_test_end() == FALSE) 683 { 684 BTM_TRACE_ERROR1("%s: Unable to End the LE TX/RX test", __FUNCTION__); 685 } 686} 687 688/******************************************************************************* 689** Internal Functions 690*******************************************************************************/ 691void btm_ble_test_command_complete(UINT8 *p) 692{ 693 tBTM_CMPL_CB *p_cb = btm_cb.devcb.p_le_test_cmd_cmpl_cb; 694 UINT8 status; 695 696 btm_cb.devcb.p_le_test_cmd_cmpl_cb = NULL; 697 698 if (p_cb) 699 { 700 (*p_cb)(p); 701 } 702} 703 704/******************************************************************************* 705** 706** Function BTM_UseLeLink 707** 708** Description This function is to select the underneath physical link to use. 709** 710** Returns TRUE to use LE, FALSE use BR/EDR. 711** 712*******************************************************************************/ 713BOOLEAN BTM_UseLeLink (BD_ADDR bd_addr) 714{ 715 tACL_CONN *p; 716 tBT_DEVICE_TYPE dev_type; 717 tBLE_ADDR_TYPE addr_type; 718 BOOLEAN use_le = FALSE; 719 720 if ((p = btm_bda_to_acl(bd_addr, BT_TRANSPORT_BR_EDR)) != NULL) 721 { 722 return use_le; 723 } 724 else if ((p = btm_bda_to_acl(bd_addr, BT_TRANSPORT_LE)) != NULL) 725 { 726 use_le = TRUE; 727 } 728 else 729 { 730 BTM_ReadDevInfo(bd_addr, &dev_type, &addr_type); 731 use_le = (dev_type == BT_DEVICE_TYPE_BLE); 732 } 733 return use_le; 734} 735/******************************************************************************* 736** 737** Function btm_ble_rand_enc_complete 738** 739** Description This function is the callback functions for HCI_Rand command 740** and HCI_Encrypt command is completed. 741** This message is received from the HCI. 742** 743** Returns void 744** 745*******************************************************************************/ 746void btm_ble_rand_enc_complete (UINT8 *p, UINT16 op_code, tBTM_RAND_ENC_CB *p_enc_cplt_cback) 747{ 748 tBTM_RAND_ENC params; 749 UINT8 *p_dest = params.param_buf; 750 751 BTM_TRACE_DEBUG0 ("btm_ble_rand_enc_complete"); 752 753 memset(¶ms, 0, sizeof(tBTM_RAND_ENC)); 754 755 /* If there was a callback address for vcs complete, call it */ 756 if (p_enc_cplt_cback && p) 757 { 758 /* Pass paramters to the callback function */ 759 STREAM_TO_UINT8(params.status, p); /* command status */ 760 761 if (params.status == HCI_SUCCESS) 762 { 763 params.opcode = op_code; 764 765 if (op_code == HCI_BLE_RAND) 766 params.param_len = BT_OCTET8_LEN; 767 else 768 params.param_len = BT_OCTET16_LEN; 769 770 memcpy(p_dest, p, params.param_len); /* Fetch return info from HCI event message */ 771 } 772 if (p_enc_cplt_cback) 773 (*p_enc_cplt_cback)(¶ms); /* Call the Encryption complete callback function */ 774 } 775} 776 777 778 #if (SMP_INCLUDED == TRUE) 779 780/******************************************************************************* 781** 782** Function btm_ble_get_enc_key_type 783** 784** Description This function is to increment local sign counter 785** Returns None 786** 787*******************************************************************************/ 788void btm_ble_increment_sign_ctr(BD_ADDR bd_addr, BOOLEAN is_local ) 789{ 790 tBTM_SEC_DEV_REC *p_dev_rec; 791 792 BTM_TRACE_DEBUG1 ("btm_ble_increment_sign_ctr is_local=%d", is_local); 793 794 if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL) 795 { 796 if (is_local) 797 p_dev_rec->ble.keys.local_counter++; 798 else 799 p_dev_rec->ble.keys.counter++; 800 BTM_TRACE_DEBUG3 ("is_local=%d local sign counter=%d peer sign counter=%d", 801 is_local, 802 p_dev_rec->ble.keys.local_counter, 803 p_dev_rec->ble.keys.counter); 804 } 805} 806 807/******************************************************************************* 808** 809** Function btm_ble_get_enc_key_type 810** 811** Description This function is to get the BLE key type that has been exchanged 812** in betweem local device and peer device. 813** 814** Returns p_key_type: output parameter to carry the key type value. 815** 816*******************************************************************************/ 817BOOLEAN btm_ble_get_enc_key_type(BD_ADDR bd_addr, UINT8 *p_key_types) 818{ 819 tBTM_SEC_DEV_REC *p_dev_rec; 820 821 BTM_TRACE_DEBUG0 ("btm_ble_get_enc_key_type"); 822 823 if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL) 824 { 825 *p_key_types = p_dev_rec->ble.key_type; 826 return TRUE; 827 } 828 return FALSE; 829} 830 831/******************************************************************************* 832** 833** Function btm_get_local_div 834** 835** Description This function is called to read the local DIV 836** 837** Returns TURE - if a valid DIV is availavle 838*******************************************************************************/ 839BOOLEAN btm_get_local_div (BD_ADDR bd_addr, UINT16 *p_div) 840{ 841 tBTM_SEC_DEV_REC *p_dev_rec; 842 BOOLEAN status = FALSE; 843 BTM_TRACE_DEBUG0 ("btm_get_local_div"); 844 845 BTM_TRACE_DEBUG6("bd_addr:%02x-%02x-%02x-%02x-%02x-%02x", 846 bd_addr[0],bd_addr[1], 847 bd_addr[2],bd_addr[3], 848 bd_addr[4],bd_addr[5]); 849 850 *p_div = 0; 851 p_dev_rec = btm_find_dev (bd_addr); 852 853 if (p_dev_rec && p_dev_rec->ble.keys.div) 854 { 855 status = TRUE; 856 *p_div = p_dev_rec->ble.keys.div; 857 } 858 BTM_TRACE_DEBUG2 ("btm_get_local_div status=%d (1-OK) DIV=0x%x", status, *p_div); 859 return status; 860} 861 862/******************************************************************************* 863** 864** Function btm_sec_save_le_key 865** 866** Description This function is called by the SMP to update 867** an BLE key. SMP is internal, whereas all the keys shall 868** be sent to the application. The function is also called 869** when application passes ble key stored in NVRAM to the btm_sec. 870** pass_to_application parameter is false in this case. 871** 872** Returns void 873** 874*******************************************************************************/ 875void btm_sec_save_le_key(BD_ADDR bd_addr, tBTM_LE_KEY_TYPE key_type, tBTM_LE_KEY_VALUE *p_keys, 876 BOOLEAN pass_to_application) 877{ 878 tBTM_SEC_DEV_REC *p_rec; 879 tBTM_LE_EVT_DATA cb_data; 880 UINT8 i; 881 882 BTM_TRACE_DEBUG2 ("btm_sec_save_le_key key_type=0x%x pass_to_application=%d",key_type, pass_to_application); 883 /* Store the updated key in the device database */ 884 885 BTM_TRACE_DEBUG6("bd_addr:%02x-%02x-%02x-%02x-%02x-%02x", 886 bd_addr[0],bd_addr[1], 887 bd_addr[2],bd_addr[3], 888 bd_addr[4],bd_addr[5]); 889 890 if ((p_rec = btm_find_dev (bd_addr)) != NULL && p_keys) 891 { 892 switch (key_type) 893 { 894 case BTM_LE_KEY_PENC: 895 memcpy(p_rec->ble.keys.ltk, p_keys->penc_key.ltk, BT_OCTET16_LEN); 896 memcpy(p_rec->ble.keys.rand, p_keys->penc_key.rand, BT_OCTET8_LEN); 897 p_rec->ble.keys.sec_level = p_keys->penc_key.sec_level; 898 p_rec->ble.keys.ediv = p_keys->penc_key.ediv; 899 p_rec->ble.keys.key_size = p_keys->penc_key.key_size; 900 p_rec->ble.key_type |= BTM_LE_KEY_PENC; 901 p_rec->sec_flags |= BTM_SEC_LE_LINK_KEY_KNOWN; 902 if (p_keys->penc_key.sec_level == SMP_SEC_AUTHENTICATED) 903 p_rec->sec_flags |= BTM_SEC_LE_LINK_KEY_AUTHED; 904 else 905 p_rec->sec_flags &= ~BTM_SEC_LE_LINK_KEY_AUTHED; 906 BTM_TRACE_DEBUG3("BTM_LE_KEY_PENC key_type=0x%x sec_flags=0x%x sec_leve=0x%x", 907 p_rec->ble.key_type, 908 p_rec->sec_flags, 909 p_rec->ble.keys.sec_level); 910 break; 911 912 case BTM_LE_KEY_PID: 913 for (i=0; i<BT_OCTET16_LEN; i++) 914 { 915 p_rec->ble.keys.irk[i] = p_keys->pid_key.irk[i]; 916 } 917 918 //memcpy( p_rec->ble.keys.irk, p_keys->pid_key, BT_OCTET16_LEN); todo will crash the system 919 memcpy(p_rec->ble.static_addr, p_keys->pid_key.static_addr, BD_ADDR_LEN); 920 p_rec->ble.static_addr_type = p_keys->pid_key.addr_type; 921 p_rec->ble.key_type |= BTM_LE_KEY_PID; 922 BTM_TRACE_DEBUG1("BTM_LE_KEY_PID key_type=0x%x save peer IRK", p_rec->ble.key_type); 923 break; 924 925 case BTM_LE_KEY_PCSRK: 926 memcpy(p_rec->ble.keys.csrk, p_keys->pcsrk_key.csrk, BT_OCTET16_LEN); 927 p_rec->ble.keys.srk_sec_level = p_keys->pcsrk_key.sec_level; 928 p_rec->ble.keys.counter = p_keys->pcsrk_key.counter; 929 p_rec->ble.key_type |= BTM_LE_KEY_PCSRK; 930 p_rec->sec_flags |= BTM_SEC_LE_LINK_KEY_KNOWN; 931 if ( p_keys->pcsrk_key.sec_level== SMP_SEC_AUTHENTICATED) 932 p_rec->sec_flags |= BTM_SEC_LE_LINK_KEY_AUTHED; 933 else 934 p_rec->sec_flags &= ~BTM_SEC_LE_LINK_KEY_AUTHED; 935 936 BTM_TRACE_DEBUG4("BTM_LE_KEY_PCSRK key_type=0x%x sec_flags=0x%x sec_level=0x%x peer_counter=%d", 937 p_rec->ble.key_type, 938 p_rec->sec_flags, 939 p_rec->ble.keys.srk_sec_level, 940 p_rec->ble.keys.counter ); 941 break; 942 943 case BTM_LE_KEY_LENC: 944 p_rec->ble.keys.div = p_keys->lenc_key.div; /* update DIV */ 945 p_rec->ble.keys.sec_level = p_keys->lenc_key.sec_level; 946 p_rec->ble.keys.key_size = p_keys->lenc_key.key_size; 947 p_rec->ble.key_type |= BTM_LE_KEY_LENC; 948 949 BTM_TRACE_DEBUG4("BTM_LE_KEY_LENC key_type=0x%x DIV=0x%x key_size=0x%x sec_level=0x%x", 950 p_rec->ble.key_type, 951 p_rec->ble.keys.div, 952 p_rec->ble.keys.key_size, 953 p_rec->ble.keys.sec_level ); 954 break; 955 956 case BTM_LE_KEY_LCSRK:/* local CSRK has been delivered */ 957 p_rec->ble.keys.div = p_keys->lcsrk_key.div; /* update DIV */ 958 p_rec->ble.keys.local_csrk_sec_level = p_keys->lcsrk_key.sec_level; 959 p_rec->ble.keys.local_counter = p_keys->lcsrk_key.counter; 960 p_rec->ble.key_type |= BTM_LE_KEY_LCSRK; 961 BTM_TRACE_DEBUG4("BTM_LE_KEY_LCSRK key_type=0x%x DIV=0x%x scrk_sec_level=0x%x local_counter=%d", 962 p_rec->ble.key_type, 963 p_rec->ble.keys.div, 964 p_rec->ble.keys.local_csrk_sec_level, 965 p_rec->ble.keys.local_counter ); 966 break; 967 968 default: 969 BTM_TRACE_WARNING1("btm_sec_save_le_key (Bad key_type 0x%02x)", key_type); 970 return; 971 } 972 973 BTM_TRACE_DEBUG3 ("BLE key type 0x%02x updated for BDA: %08x%04x (btm_sec_save_le_key)", key_type, 974 (bd_addr[0]<<24)+(bd_addr[1]<<16)+(bd_addr[2]<<8)+bd_addr[3], 975 (bd_addr[4]<<8)+bd_addr[5]); 976 977 /* Notify the application that one of the BLE keys has been updated 978 If link key is in progress, it will get sent later.*/ 979 if (pass_to_application && btm_cb.api.p_le_callback) 980 { 981 cb_data.key.p_key_value = p_keys; 982 cb_data.key.key_type = key_type; 983 (*btm_cb.api.p_le_callback) (BTM_LE_KEY_EVT, bd_addr, &cb_data); 984 } 985 return; 986 } 987 988 BTM_TRACE_WARNING3 ("BLE key type 0x%02x called for Unknown BDA or type: %08x%04x !! (btm_sec_save_le_key)", key_type, 989 (bd_addr[0]<<24)+(bd_addr[1]<<16)+(bd_addr[2]<<8)+bd_addr[3], 990 (bd_addr[4]<<8)+bd_addr[5]); 991 992 if (p_rec) 993 { 994 BTM_TRACE_DEBUG1 ("sec_flags=0x%x", p_rec->sec_flags); 995 } 996} 997 998/******************************************************************************* 999** 1000** Function btm_ble_update_sec_key_size 1001** 1002** Description update the current lin kencryption key size 1003** 1004** Returns void 1005** 1006*******************************************************************************/ 1007void btm_ble_update_sec_key_size(BD_ADDR bd_addr, UINT8 enc_key_size) 1008{ 1009 tBTM_SEC_DEV_REC *p_rec; 1010 1011 BTM_TRACE_DEBUG1("btm_ble_update_sec_key_size enc_key_size = %d", enc_key_size); 1012 1013 if ((p_rec = btm_find_dev (bd_addr)) != NULL ) 1014 { 1015 p_rec->enc_key_size = enc_key_size; 1016 } 1017} 1018 1019/******************************************************************************* 1020** 1021** Function btm_ble_read_sec_key_size 1022** 1023** Description update the current lin kencryption key size 1024** 1025** Returns void 1026** 1027*******************************************************************************/ 1028UINT8 btm_ble_read_sec_key_size(BD_ADDR bd_addr) 1029{ 1030 tBTM_SEC_DEV_REC *p_rec; 1031 1032 if ((p_rec = btm_find_dev (bd_addr)) != NULL ) 1033 { 1034 return p_rec->enc_key_size; 1035 } 1036 else 1037 return 0; 1038} 1039 1040/******************************************************************************* 1041** 1042** Function btm_ble_link_sec_check 1043** 1044** Description Check BLE link security level match. 1045** 1046** Returns TRUE: check is OK and the *p_sec_req_act contain the action 1047** 1048*******************************************************************************/ 1049void btm_ble_link_sec_check(BD_ADDR bd_addr, tBTM_LE_AUTH_REQ auth_req, tBTM_BLE_SEC_REQ_ACT *p_sec_req_act) 1050{ 1051 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr); 1052 UINT8 req_sec_level = BTM_LE_SEC_NONE, cur_sec_level = BTM_LE_SEC_NONE; 1053 1054 BTM_TRACE_DEBUG1 ("btm_ble_link_sec_check auth_req =0x%x", auth_req); 1055 1056 if (p_dev_rec == NULL) 1057 { 1058 BTM_TRACE_ERROR0 ("btm_ble_link_sec_check received for unknown device"); 1059 return; 1060 } 1061 1062 if (p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING || 1063 p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING) 1064 { 1065 /* race condition: discard the security request while master is encrypting the link */ 1066 *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_DISCARD; 1067 } 1068 else 1069 { 1070 req_sec_level = BTM_LE_SEC_UNAUTHENTICATE; 1071 if ((auth_req == (BTM_LE_AUTH_REQ_BOND|BTM_LE_AUTH_REQ_MITM)) || 1072 (auth_req == (BTM_LE_AUTH_REQ_MITM)) ) 1073 { 1074 req_sec_level = BTM_LE_SEC_AUTHENTICATED; 1075 } 1076 1077 BTM_TRACE_DEBUG1 ("dev_rec sec_flags=0x%x", p_dev_rec->sec_flags); 1078 1079 /* currently encrpted */ 1080 if (p_dev_rec->sec_flags & BTM_SEC_LE_ENCRYPTED) 1081 { 1082 if (p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_AUTHED) 1083 cur_sec_level = BTM_LE_SEC_AUTHENTICATED; 1084 else 1085 cur_sec_level = BTM_LE_SEC_UNAUTHENTICATE; 1086 } 1087 else /* unencrypted link */ 1088 { 1089 /* if bonded, get the key security level */ 1090 if (p_dev_rec->ble.key_type & BTM_LE_KEY_PENC) 1091 cur_sec_level = p_dev_rec->ble.keys.sec_level; 1092 else 1093 cur_sec_level = BTM_LE_SEC_NONE; 1094 } 1095 1096 if (cur_sec_level >= req_sec_level) 1097 { 1098 if (cur_sec_level == BTM_LE_SEC_NONE) 1099 { 1100 *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_NONE; 1101 } 1102 else 1103 { 1104 /* To avoid re-encryption on an encrypted link for an equal condition encryption */ 1105 /* if link has been encrypted, do nothing, go straight to furhter action 1106 if (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED) 1107 *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_DISCARD; 1108 else 1109 */ 1110 *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_ENCRYPT; 1111 } 1112 } 1113 else 1114 { 1115 *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_PAIR; /* start the pariring process to upgrade the keys*/ 1116 } 1117 } 1118 1119 BTM_TRACE_DEBUG3("cur_sec_level=%d req_sec_level=%d sec_req_act=%d", 1120 cur_sec_level, 1121 req_sec_level, 1122 *p_sec_req_act); 1123 1124} 1125 1126/******************************************************************************* 1127** 1128** Function btm_ble_set_encryption 1129** 1130** Description This function is called to ensure that LE connection is 1131** encrypted. Should be called only on an open connection. 1132** Typically only needed for connections that first want to 1133** bring up unencrypted links, then later encrypt them. 1134** 1135** Returns void 1136** the local device ER is copied into er 1137** 1138*******************************************************************************/ 1139tBTM_STATUS btm_ble_set_encryption (BD_ADDR bd_addr, void *p_ref_data, UINT8 link_role) 1140{ 1141 tBTM_STATUS cmd = BTM_NO_RESOURCES; 1142 tBTM_BLE_SEC_ACT sec_act = *(tBTM_BLE_SEC_ACT *)p_ref_data ; 1143 tBTM_SEC_DEV_REC *p_rec = btm_find_dev (bd_addr); 1144 1145 if (p_rec == NULL) 1146 { 1147 BTM_TRACE_WARNING1 ("btm_ble_set_encryption (NULL device record!! sec_act=0x%x", sec_act); 1148 return(BTM_WRONG_MODE); 1149 } 1150 1151 BTM_TRACE_DEBUG2 ("btm_ble_set_encryption sec_act=0x%x role_master=%d", sec_act, p_rec->role_master); 1152 1153 if (sec_act == BTM_BLE_SEC_ENCRYPT_MITM) 1154 { 1155 p_rec->security_required |= BTM_SEC_IN_MITM; 1156 } 1157 1158 switch (sec_act) 1159 { 1160 case BTM_BLE_SEC_ENCRYPT: 1161 if (link_role == BTM_ROLE_MASTER) 1162 { 1163 if(p_rec->sec_state == BTM_SEC_STATE_ENCRYPTING) { 1164 BTM_TRACE_DEBUG0 ("State is already encrypting::"); 1165 cmd = BTM_CMD_STARTED; 1166 } 1167 else { 1168 /* start link layer encryption using the security info stored */ 1169 if (btm_ble_start_encrypt(bd_addr, FALSE, NULL)) 1170 { 1171 p_rec->sec_state = BTM_SEC_STATE_ENCRYPTING; 1172 cmd = BTM_CMD_STARTED; 1173 } 1174 } 1175 break; 1176 } 1177 /* if salve role then fall through to call SMP_Pair below which will send a 1178 sec_request to request the master to encrypt the link */ 1179 case BTM_BLE_SEC_ENCRYPT_NO_MITM: 1180 case BTM_BLE_SEC_ENCRYPT_MITM: 1181 1182 if (SMP_Pair(bd_addr) == SMP_STARTED) 1183 { 1184 cmd = BTM_CMD_STARTED; 1185 p_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING; 1186 } 1187 break; 1188 1189 default: 1190 cmd = BTM_WRONG_MODE; 1191 break; 1192 } 1193 return cmd; 1194} 1195 1196/******************************************************************************* 1197** 1198** Function btm_ble_ltk_request 1199** 1200** Description This function is called when encryption request is received 1201** on a slave device. 1202** 1203** 1204** Returns void 1205** 1206*******************************************************************************/ 1207void btm_ble_ltk_request(UINT16 handle, UINT8 rand[8], UINT16 ediv) 1208{ 1209 tBTM_CB *p_cb = &btm_cb; 1210 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle); 1211 BT_OCTET8 dummy_stk = {0}; 1212 1213 BTM_TRACE_DEBUG0 ("btm_ble_ltk_request"); 1214 1215 p_cb->ediv = ediv; 1216 1217 memcpy(p_cb->enc_rand, rand, BT_OCTET8_LEN); 1218 1219 if (p_dev_rec != NULL) 1220 { 1221 if (!smp_proc_ltk_request(p_dev_rec->bd_addr)) 1222 btm_ble_ltk_request_reply(p_dev_rec->bd_addr, FALSE, dummy_stk); 1223 } 1224 1225} 1226 1227/******************************************************************************* 1228** 1229** Function btm_ble_start_encrypt 1230** 1231** Description This function is called to start LE encryption. 1232** 1233** 1234** Returns BTM_SUCCESS if encryption was started successfully 1235** 1236*******************************************************************************/ 1237tBTM_STATUS btm_ble_start_encrypt(BD_ADDR bda, BOOLEAN use_stk, BT_OCTET16 stk) 1238{ 1239 tBTM_CB *p_cb = &btm_cb; 1240 tBTM_SEC_DEV_REC *p_rec = btm_find_dev (bda); 1241 BT_OCTET8 dummy_rand = {0}; 1242 tBTM_STATUS rt = BTM_NO_RESOURCES; 1243 1244 BTM_TRACE_DEBUG0 ("btm_ble_start_encrypt"); 1245 1246 if (!p_rec ) 1247 { 1248 BTM_TRACE_ERROR0("Link is not active, can not encrypt!"); 1249 return BTM_WRONG_MODE; 1250 } 1251 1252 if (p_rec->sec_state == BTM_SEC_STATE_ENCRYPTING) 1253 { 1254 BTM_TRACE_WARNING0("Link Encryption is active, Busy!"); 1255 return BTM_BUSY; 1256 } 1257 1258 p_cb->enc_handle = p_rec->ble_hci_handle; 1259 1260 if (use_stk) 1261 { 1262 if (btsnd_hcic_ble_start_enc(p_rec->ble_hci_handle, dummy_rand, 0, stk)) 1263 rt = BTM_CMD_STARTED; 1264 } 1265 else if (p_rec->ble.key_type & BTM_LE_KEY_PENC) 1266 { 1267 if (btsnd_hcic_ble_start_enc(p_rec->ble_hci_handle, p_rec->ble.keys.rand, 1268 p_rec->ble.keys.ediv, p_rec->ble.keys.ltk)) 1269 rt = BTM_CMD_STARTED; 1270 } 1271 else 1272 { 1273 BTM_TRACE_ERROR0("No key available to encrypt the link"); 1274 } 1275 if (rt == BTM_CMD_STARTED) 1276 { 1277 if (p_rec->sec_state == BTM_SEC_STATE_IDLE) 1278 p_rec->sec_state = BTM_SEC_STATE_ENCRYPTING; 1279 } 1280 1281 return rt; 1282} 1283 1284/******************************************************************************* 1285** 1286** Function btm_ble_link_encrypted 1287** 1288** Description This function is called when LE link encrption status is changed. 1289** 1290** Returns void 1291** 1292*******************************************************************************/ 1293void btm_ble_link_encrypted(BD_ADDR bd_addr, UINT8 encr_enable) 1294{ 1295 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr); 1296 BOOLEAN enc_cback; 1297 1298 if (!p_dev_rec) 1299 { 1300 BTM_TRACE_WARNING1 ("btm_ble_link_encrypted (No Device Found!) encr_enable=%d", encr_enable); 1301 return; 1302 } 1303 1304 BTM_TRACE_DEBUG1 ("btm_ble_link_encrypted encr_enable=%d", encr_enable); 1305 1306 enc_cback = (p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING); 1307 1308 smp_link_encrypted(bd_addr, encr_enable); 1309 1310 BTM_TRACE_DEBUG1(" p_dev_rec->sec_flags=0x%x", p_dev_rec->sec_flags); 1311 1312 if (encr_enable && p_dev_rec->enc_key_size == 0) 1313 p_dev_rec->enc_key_size = p_dev_rec->ble.keys.key_size; 1314 1315 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE; 1316 if (p_dev_rec->p_callback && enc_cback) 1317 { 1318 if (encr_enable) 1319 btm_sec_dev_rec_cback_event(p_dev_rec, BTM_SUCCESS, TRUE); 1320 else if (p_dev_rec->role_master) 1321 btm_sec_dev_rec_cback_event(p_dev_rec, BTM_ERR_PROCESSING, TRUE); 1322 1323 } 1324 /* to notify GATT to send data if any request is pending */ 1325 gatt_notify_enc_cmpl(p_dev_rec->bd_addr); 1326} 1327 1328/******************************************************************************* 1329** Function btm_enc_proc_ltk 1330** Description send LTK reply when it's ready. 1331*******************************************************************************/ 1332static void btm_enc_proc_ltk(tSMP_ENC *p) 1333{ 1334 UINT8 i; 1335 BTM_TRACE_DEBUG0 ("btm_enc_proc_ltk"); 1336 if (p && p->param_len == BT_OCTET16_LEN) 1337 { 1338 for (i = 0; i < (BT_OCTET16_LEN - btm_cb.key_size); i ++) 1339 p->param_buf[BT_OCTET16_LEN - i - 1] = 0; 1340 btsnd_hcic_ble_ltk_req_reply(btm_cb.enc_handle, p->param_buf); 1341 } 1342} 1343 1344/******************************************************************************* 1345** Function btm_enc_proc_slave_y 1346** Description calculate LTK when Y is ready 1347*******************************************************************************/ 1348static void btm_enc_proc_slave_y(tSMP_ENC *p) 1349{ 1350 UINT16 div, y; 1351 UINT8 *pp = p->param_buf; 1352 tBTM_CB *p_cb = &btm_cb; 1353 tSMP_ENC output; 1354 tBTM_SEC_DEV_REC *p_dev_rec; 1355 1356 BTM_TRACE_DEBUG0 ("btm_enc_proc_slave_y"); 1357 if (p != NULL) 1358 { 1359 STREAM_TO_UINT16(y, pp); 1360 1361 div = p_cb->ediv ^ y; 1362 p_dev_rec = btm_find_dev_by_handle (p_cb->enc_handle); 1363 1364 if ( p_dev_rec && 1365 p_dev_rec->ble.keys.div == div ) 1366 { 1367 BTM_TRACE_DEBUG0 ("LTK request OK"); 1368 /* calculating LTK , LTK = E er(div) */ 1369 SMP_Encrypt(p_cb->devcb.er, BT_OCTET16_LEN, (UINT8 *)&div, 2, &output); 1370 btm_enc_proc_ltk(&output); 1371 } 1372 else 1373 { 1374 BTM_TRACE_DEBUG0 ("LTK request failed - send negative reply"); 1375 btsnd_hcic_ble_ltk_req_neg_reply(p_cb->enc_handle); 1376 if (p_dev_rec) 1377 btm_ble_link_encrypted(p_dev_rec->bd_addr, 0); 1378 1379 } 1380 } 1381} 1382 1383/******************************************************************************* 1384** 1385** Function btm_ble_ltk_request_reply 1386** 1387** Description This function is called to send a LTK request reply on a slave 1388** device. 1389** 1390** Returns void 1391** 1392*******************************************************************************/ 1393void btm_ble_ltk_request_reply(BD_ADDR bda, BOOLEAN use_stk, BT_OCTET16 stk) 1394{ 1395 tBTM_SEC_DEV_REC *p_rec = btm_find_dev (bda); 1396 tBTM_CB *p_cb = &btm_cb; 1397 tSMP_ENC output; 1398 1399 if (p_rec == NULL) 1400 { 1401 BTM_TRACE_ERROR0("btm_ble_ltk_request_reply received for unknown device"); 1402 return; 1403 } 1404 1405 BTM_TRACE_DEBUG0 ("btm_ble_ltk_request_reply"); 1406 p_cb->enc_handle = p_rec->ble_hci_handle; 1407 p_cb->key_size = p_rec->ble.keys.key_size; 1408 1409 BTM_TRACE_ERROR1("key size = %d", p_rec->ble.keys.key_size); 1410 if (use_stk) 1411 { 1412 btsnd_hcic_ble_ltk_req_reply(btm_cb.enc_handle, stk); 1413 } 1414 else /* calculate LTK using peer device */ 1415 { 1416 /* generate Y= Encrypt(DHK, Rand) received from encrypt request */ 1417 SMP_Encrypt(p_cb->devcb.id_keys.dhk, BT_OCTET16_LEN, p_cb->enc_rand, 1418 BT_OCTET8_LEN, &output); 1419 btm_enc_proc_slave_y(&output); 1420 } 1421} 1422 1423/******************************************************************************* 1424** 1425** Function btm_ble_io_capabilities_req 1426** 1427** Description This function is called to handle SMP get IO capability request. 1428** 1429** Returns void 1430** 1431*******************************************************************************/ 1432UINT8 btm_ble_io_capabilities_req(tBTM_SEC_DEV_REC *p_dev_rec, tBTM_LE_IO_REQ *p_data) 1433{ 1434 UINT8 callback_rc = BTM_SUCCESS; 1435 BTM_TRACE_DEBUG0 ("btm_ble_io_capabilities_req"); 1436 if (btm_cb.api.p_le_callback) 1437 { 1438 /* the callback function implementation may change the IO capability... */ 1439 callback_rc = (*btm_cb.api.p_le_callback) (BTM_LE_IO_REQ_EVT, p_dev_rec->bd_addr, (tBTM_LE_EVT_DATA *)p_data); 1440 } 1441#if BTM_OOB_INCLUDED == TRUE 1442 if ((callback_rc == BTM_SUCCESS) || (BTM_OOB_UNKNOWN != p_data->oob_data)) 1443#else 1444 if (callback_rc == BTM_SUCCESS) 1445#endif 1446 { 1447#if BTM_BLE_CONFORMANCE_TESTING == TRUE 1448 if (btm_cb.devcb.keep_rfu_in_auth_req) 1449 { 1450 BTM_TRACE_DEBUG1 ("btm_ble_io_capabilities_req keep_rfu_in_auth_req = %u", 1451 btm_cb.devcb.keep_rfu_in_auth_req); 1452 p_data->auth_req &= BTM_LE_AUTH_REQ_MASK_KEEP_RFU; 1453 btm_cb.devcb.keep_rfu_in_auth_req = FALSE; 1454 } 1455 else 1456 { /* default */ 1457 p_data->auth_req &= BTM_LE_AUTH_REQ_MASK; 1458 } 1459#else 1460 p_data->auth_req &= BTM_LE_AUTH_REQ_MASK; 1461#endif 1462 1463 BTM_TRACE_DEBUG2 ("btm_ble_io_capabilities_req 1: p_dev_rec->security_required = %d auth_req:%d", 1464 p_dev_rec->security_required, p_data->auth_req); 1465 BTM_TRACE_DEBUG2 ("btm_ble_io_capabilities_req 2: i_keys=0x%x r_keys=0x%x (bit 0-LTK 1-IRK 2-CSRK)", 1466 p_data->init_keys, 1467 p_data->resp_keys); 1468 1469 /* if authentication requires MITM protection, put on the mask */ 1470 if (p_dev_rec->security_required & BTM_SEC_IN_MITM) 1471 p_data->auth_req |= BTM_LE_AUTH_REQ_MITM; 1472 1473 if (!(p_data->auth_req & SMP_AUTH_BOND)) 1474 { 1475 BTM_TRACE_DEBUG0("Non bonding: No keys should be exchanged"); 1476 p_data->init_keys = 0; 1477 p_data->resp_keys = 0; 1478 } 1479 1480 BTM_TRACE_DEBUG1 ("btm_ble_io_capabilities_req 3: auth_req:%d", p_data->auth_req); 1481 BTM_TRACE_DEBUG2 ("btm_ble_io_capabilities_req 4: i_keys=0x%x r_keys=0x%x", 1482 p_data->init_keys, 1483 p_data->resp_keys); 1484 1485 BTM_TRACE_DEBUG2 ("btm_ble_io_capabilities_req 5: p_data->io_cap = %d auth_req:%d", 1486 p_data->io_cap, p_data->auth_req); 1487 1488 /* remove MITM protection requirement if IO cap does not allow it */ 1489 if ((p_data->io_cap == BTM_IO_CAP_NONE) && p_data->oob_data == SMP_OOB_NONE) 1490 p_data->auth_req &= ~BTM_LE_AUTH_REQ_MITM; 1491 1492 BTM_TRACE_DEBUG3 ("btm_ble_io_capabilities_req 6: IO_CAP:%d oob_data:%d auth_req:%d", 1493 p_data->io_cap, p_data->oob_data, p_data->auth_req); 1494 } 1495 return callback_rc; 1496} 1497 1498#if (BLE_PRIVACY_SPT == TRUE ) 1499/******************************************************************************* 1500** 1501** Function btm_ble_resolve_random_addr_on_conn_cmpl 1502** 1503** Description resolve random address complete on connection complete event. 1504** 1505** Returns void 1506** 1507*******************************************************************************/ 1508static void btm_ble_resolve_random_addr_on_conn_cmpl(void * p_rec, void *p_data) 1509{ 1510 UINT8 *p = (UINT8 *)p_data; 1511 tBTM_SEC_DEV_REC *match_rec = (tBTM_SEC_DEV_REC *) p_rec; 1512 UINT8 role, status, bda_type; 1513 UINT16 handle; 1514 BD_ADDR bda; 1515 UINT16 conn_interval, conn_latency, conn_timeout; 1516 BOOLEAN match = FALSE; 1517 1518 STREAM_TO_UINT8 (status, p); 1519 STREAM_TO_UINT16 (handle, p); 1520 STREAM_TO_UINT8 (role, p); 1521 STREAM_TO_UINT8 (bda_type, p); 1522 STREAM_TO_BDADDR (bda, p); 1523 STREAM_TO_UINT16 (conn_interval, p); 1524 STREAM_TO_UINT16 (conn_latency, p); 1525 STREAM_TO_UINT16 (conn_timeout, p); 1526 1527 handle = HCID_GET_HANDLE (handle); 1528 1529 BTM_TRACE_EVENT0 ("btm_ble_resolve_random_addr_master_cmpl"); 1530 1531 if (match_rec) 1532 { 1533 BTM_TRACE_ERROR0("Random match"); 1534 match = TRUE; 1535 match_rec->ble.active_addr_type = BTM_BLE_ADDR_RRA; 1536 memcpy(match_rec->ble.cur_rand_addr, bda, BD_ADDR_LEN); 1537 memcpy(bda, match_rec->bd_addr, BD_ADDR_LEN); 1538 } 1539 else 1540 { 1541 BTM_TRACE_ERROR0("Random unmatch"); 1542 } 1543 1544 btm_ble_connected(bda, handle, HCI_ENCRYPT_MODE_DISABLED, role, bda_type, match); 1545 1546 l2cble_conn_comp (handle, role, bda, bda_type, conn_interval, 1547 conn_latency, conn_timeout); 1548 1549 return; 1550} 1551#endif 1552 1553/******************************************************************************* 1554** 1555** Function btm_ble_connected 1556** 1557** Description This function is when a LE connection to the peer device is 1558** establsihed 1559** 1560** Returns void 1561** 1562*******************************************************************************/ 1563void btm_ble_connected (UINT8 *bda, UINT16 handle, UINT8 enc_mode, UINT8 role, 1564 tBLE_ADDR_TYPE addr_type, BOOLEAN addr_matched) 1565{ 1566 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bda); 1567 tBTM_BLE_CB *p_cb = &btm_cb.ble_ctr_cb; 1568 UNUSED(addr_matched); 1569 1570 BTM_TRACE_EVENT0 ("btm_ble_connected"); 1571 1572 /* Commenting out trace due to obf/compilation problems. 1573 */ 1574#if (BT_USE_TRACES == TRUE) 1575 if (p_dev_rec) 1576 { 1577 BTM_TRACE_EVENT4 ("Security Manager: btm_ble_connected : handle:%d enc_mode:%d bda:%x RName:%s", 1578 handle, enc_mode, 1579 (bda[2]<<24)+(bda[3]<<16)+(bda[4]<<8)+bda[5], 1580 p_dev_rec->sec_bd_name); 1581 1582 BTM_TRACE_DEBUG1 ("btm_ble_connected sec_flags=0x%x",p_dev_rec->sec_flags); 1583 } 1584 else 1585 { 1586 BTM_TRACE_EVENT3 ("Security Manager: btm_ble_connected: handle:%d enc_mode:%d bda:%x ", 1587 handle, enc_mode, 1588 (bda[2]<<24)+(bda[3]<<16)+(bda[4]<<8)+bda[5]); 1589 } 1590#endif 1591 1592 if (!p_dev_rec) 1593 { 1594 /* There is no device record for new connection. Allocate one */ 1595 p_dev_rec = btm_sec_alloc_dev (bda); 1596 } 1597 else /* Update the timestamp for this device */ 1598 { 1599 p_dev_rec->timestamp = btm_cb.dev_rec_count++; 1600 } 1601 1602 /* update device information */ 1603 p_dev_rec->device_type |= BT_DEVICE_TYPE_BLE; 1604 p_dev_rec->ble_hci_handle = handle; 1605 p_dev_rec->ble.ble_addr_type = addr_type; 1606 1607 p_dev_rec->role_master = FALSE; 1608 if (role == HCI_ROLE_MASTER) 1609 p_dev_rec->role_master = TRUE; 1610 1611#if (defined BLE_PRIVACY_SPT && BLE_PRIVACY_SPT == TRUE) 1612 if (!addr_matched) 1613 p_dev_rec->ble.active_addr_type = BTM_BLE_ADDR_PSEUDO; 1614 1615 if (p_dev_rec->ble.ble_addr_type == BLE_ADDR_RANDOM && !addr_matched) 1616 memcpy(p_dev_rec->ble.cur_rand_addr, bda, BD_ADDR_LEN); 1617#endif 1618 1619 if (role == HCI_ROLE_SLAVE) 1620 p_cb->inq_var.adv_mode = BTM_BLE_ADV_DISABLE; 1621 p_cb->inq_var.directed_conn = FALSE; 1622 1623 return; 1624} 1625 1626/***************************************************************************** 1627** Function btm_ble_conn_complete 1628** 1629** Description LE connection complete. 1630** 1631******************************************************************************/ 1632void btm_ble_conn_complete(UINT8 *p, UINT16 evt_len) 1633{ 1634#if (BLE_PRIVACY_SPT == TRUE ) 1635 UINT8 *p_data = p; 1636#endif 1637 UINT8 role, status, bda_type; 1638 UINT16 handle; 1639 BD_ADDR bda; 1640 UINT16 conn_interval, conn_latency, conn_timeout; 1641 BOOLEAN match = FALSE; 1642 UNUSED(evt_len); 1643 1644 STREAM_TO_UINT8 (status, p); 1645 STREAM_TO_UINT16 (handle, p); 1646 STREAM_TO_UINT8 (role, p); 1647 STREAM_TO_UINT8 (bda_type, p); 1648 STREAM_TO_BDADDR (bda, p); 1649 1650 if (status == 0) 1651 { 1652#if (BLE_PRIVACY_SPT == TRUE ) 1653 /* possiblly receive connection complete with resolvable random on 1654 slave role while the device has been paired */ 1655 if (!match && role == HCI_ROLE_SLAVE && BTM_BLE_IS_RESOLVE_BDA(bda)) 1656 { 1657 btm_ble_resolve_random_addr(bda, btm_ble_resolve_random_addr_on_conn_cmpl, p_data); 1658 } 1659 else 1660#endif 1661 { 1662 STREAM_TO_UINT16 (conn_interval, p); 1663 STREAM_TO_UINT16 (conn_latency, p); 1664 STREAM_TO_UINT16 (conn_timeout, p); 1665 handle = HCID_GET_HANDLE (handle); 1666 1667 btm_ble_connected(bda, handle, HCI_ENCRYPT_MODE_DISABLED, role, bda_type, match); 1668 l2cble_conn_comp (handle, role, bda, bda_type, conn_interval, 1669 conn_latency, conn_timeout); 1670 } 1671 } 1672 else 1673 { 1674 role = HCI_ROLE_UNKNOWN; 1675 1676 if (status != HCI_ERR_DIRECTED_ADVERTISING_TIMEOUT) 1677 { 1678 btm_ble_set_conn_st(BLE_CONN_IDLE); 1679 } 1680 /* this is to work around broadcom firmware problem to handle 1681 * unsolicited command complete event for HCI_LE_Create_Connection_Cancel 1682 * and LE connection complete event with status error code (0x2) 1683 * unknown connection identifier from bluetooth controller 1684 * the workaround is to release the HCI connection to avoid out of sync 1685 * with bluetooth controller, which cause BT can't be turned off. 1686 */ 1687 else if ((status == HCI_ERR_NO_CONNECTION) && 1688 (btm_ble_get_conn_st() != BLE_CONN_CANCEL)) 1689 { 1690 tL2C_LCB *p_lcb; 1691 handle = HCID_GET_HANDLE (handle); 1692 p_lcb = l2cu_find_lcb_by_handle (handle); 1693 if (p_lcb != NULL) 1694 { 1695 l2c_link_hci_disc_comp (handle, HCI_ERR_PEER_USER); 1696 btm_sec_disconnected (handle, HCI_ERR_PEER_USER); 1697 } 1698 } 1699 } 1700 btm_ble_set_conn_st(BLE_CONN_IDLE); 1701 btm_ble_update_mode_operation(role, bda, TRUE); 1702} 1703 1704/***************************************************************************** 1705** Function btm_proc_smp_cback 1706** 1707** Description This function is the SMP callback handler. 1708** 1709******************************************************************************/ 1710UINT8 btm_proc_smp_cback(tSMP_EVT event, BD_ADDR bd_addr, tSMP_EVT_DATA *p_data) 1711{ 1712 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr); 1713 UINT8 res = 0; 1714 1715 BTM_TRACE_DEBUG1 ("btm_proc_smp_cback event = %d", event); 1716 1717 if (p_dev_rec != NULL) 1718 { 1719 switch (event) 1720 { 1721 case SMP_IO_CAP_REQ_EVT: 1722 btm_ble_io_capabilities_req(p_dev_rec, (tBTM_LE_IO_REQ *)&p_data->io_req); 1723 break; 1724 1725 case SMP_PASSKEY_REQ_EVT: 1726 case SMP_PASSKEY_NOTIF_EVT: 1727 case SMP_OOB_REQ_EVT: 1728 p_dev_rec->sec_flags |= BTM_SEC_LE_AUTHENTICATED; 1729 1730 case SMP_SEC_REQUEST_EVT: 1731 memcpy (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN); 1732 p_dev_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING; 1733 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_LE_ACTIVE; 1734 /* fall through */ 1735 case SMP_COMPLT_EVT: 1736 if (btm_cb.api.p_le_callback) 1737 { 1738 /* the callback function implementation may change the IO capability... */ 1739 BTM_TRACE_DEBUG1 ("btm_cb.api.p_le_callback=0x%x", btm_cb.api.p_le_callback ); 1740 (*btm_cb.api.p_le_callback) (event, bd_addr, (tBTM_LE_EVT_DATA *)p_data); 1741 } 1742 1743 if (event == SMP_COMPLT_EVT) 1744 { 1745 BTM_TRACE_DEBUG2 ("evt=SMP_COMPLT_EVT before update sec_level=0x%x sec_flags=0x%x", p_data->cmplt.sec_level , p_dev_rec->sec_flags ); 1746 1747 res = (p_data->cmplt.reason == SMP_SUCCESS) ? BTM_SUCCESS : BTM_ERR_PROCESSING; 1748 1749 BTM_TRACE_DEBUG3 ("after update result=%d sec_level=0x%x sec_flags=0x%x", 1750 res, p_data->cmplt.sec_level , p_dev_rec->sec_flags ); 1751 1752 btm_sec_dev_rec_cback_event(p_dev_rec, res, TRUE); 1753 1754 if (p_data->cmplt.is_pair_cancel && btm_cb.api.p_bond_cancel_cmpl_callback ) 1755 { 1756 BTM_TRACE_DEBUG0 ("Pairing Cancel completed"); 1757 (*btm_cb.api.p_bond_cancel_cmpl_callback)(BTM_SUCCESS); 1758 } 1759#if BTM_BLE_CONFORMANCE_TESTING == TRUE 1760 if (res != BTM_SUCCESS) 1761 { 1762 if (!btm_cb.devcb.no_disc_if_pair_fail && p_data->cmplt.reason != SMP_CONN_TOUT) 1763 { 1764 BTM_TRACE_DEBUG0 ("Pairing failed - Remove ACL"); 1765 btm_remove_acl(bd_addr, BT_TRANSPORT_LE); 1766 } 1767 else 1768 { 1769 BTM_TRACE_DEBUG0 ("Pairing failed - Not Removing ACL"); 1770 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE; 1771 } 1772 } 1773#else 1774 if (res != BTM_SUCCESS && p_data->cmplt.reason != SMP_CONN_TOUT) 1775 btm_remove_acl(bd_addr, BT_TRANSPORT_LE); 1776#endif 1777 1778 BTM_TRACE_DEBUG3 ("btm_cb pairing_state=%x pairing_flags=%x pin_code_len=%x", 1779 btm_cb.pairing_state, 1780 btm_cb.pairing_flags, 1781 btm_cb.pin_code_len ); 1782 BTM_TRACE_DEBUG6 ("btm_cb.pairing_bda %02x:%02x:%02x:%02x:%02x:%02x", 1783 btm_cb.pairing_bda[0], btm_cb.pairing_bda[1], btm_cb.pairing_bda[2], 1784 btm_cb.pairing_bda[3], btm_cb.pairing_bda[4], btm_cb.pairing_bda[5]); 1785 1786 memset (btm_cb.pairing_bda, 0xff, BD_ADDR_LEN); 1787 btm_cb.pairing_state = BTM_PAIR_STATE_IDLE; 1788 btm_cb.pairing_flags = 0; 1789 } 1790 break; 1791 1792 default: 1793 BTM_TRACE_DEBUG1 ("unknown event = %d", event); 1794 break; 1795 1796 1797 } 1798 } 1799 else 1800 { 1801 BTM_TRACE_ERROR0("btm_proc_smp_cback received for unknown device"); 1802 } 1803 1804 return 0; 1805} 1806 1807 #endif /* SMP_INCLUDED */ 1808 1809/******************************************************************************* 1810** 1811** Function BTM_BleDataSignature 1812** 1813** Description This function is called to sign the data using AES128 CMAC 1814** algorith. 1815** 1816** Parameter bd_addr: target device the data to be signed for. 1817** p_text: singing data 1818** len: length of the data to be signed. 1819** signature: output parameter where data signature is going to 1820** be stored. 1821** 1822** Returns TRUE if signing sucessul, otherwise FALSE. 1823** 1824*******************************************************************************/ 1825BOOLEAN BTM_BleDataSignature (BD_ADDR bd_addr, UINT8 *p_text, UINT16 len, 1826 BLE_SIGNATURE signature) 1827{ 1828 BOOLEAN ret = FALSE; 1829#if SMP_INCLUDED == TRUE 1830 tBTM_SEC_DEV_REC *p_rec = btm_find_dev (bd_addr); 1831 UINT8 *p_buf, *pp; 1832 1833 BT_OCTET16 er; 1834 UINT16 div; 1835 UINT8 temp[4]; /* for (r || DIV) r=1*/ 1836 UINT16 r=1; 1837 UINT8 *p=temp, *p_mac = (UINT8 *)signature; 1838 tSMP_ENC output; 1839 BT_OCTET16 local_csrk; 1840 1841 BTM_TRACE_DEBUG0 ("BTM_BleDataSignature"); 1842 if (p_rec == NULL) 1843 { 1844 BTM_TRACE_ERROR0("data signing can not be done from unknow device"); 1845 } 1846 else 1847 { 1848 if ((p_buf = (UINT8 *)GKI_getbuf((UINT16)(len + 4))) != NULL) 1849 { 1850 BTM_TRACE_DEBUG0("Start to generate Local CSRK"); 1851 pp = p_buf; 1852 /* prepare plain text */ 1853 if (p_text) 1854 { 1855 memcpy(p_buf, p_text, len); 1856 pp = (p_buf + len); 1857 } 1858 1859#if BTM_BLE_CONFORMANCE_TESTING == TRUE 1860 if ( btm_cb.devcb.enable_test_local_sign_cntr) 1861 { 1862 BTM_TRACE_DEBUG1 ("Use Test local counter value from script counter_val=%d", btm_cb.devcb.test_local_sign_cntr); 1863 UINT32_TO_STREAM(pp, btm_cb.devcb.test_local_sign_cntr); 1864 } 1865 else 1866 { 1867 UINT32_TO_STREAM(pp, p_rec->ble.keys.local_counter); 1868 } 1869#else 1870 UINT32_TO_STREAM(pp, p_rec->ble.keys.local_counter); 1871#endif 1872 /* compute local csrk */ 1873 if (btm_get_local_div(bd_addr, &div)) 1874 { 1875 BTM_TRACE_DEBUG1 ("compute_csrk div=%x", div); 1876 BTM_GetDeviceEncRoot(er); 1877 1878 /* CSRK = d1(ER, DIV, 1) */ 1879 UINT16_TO_STREAM(p, div); 1880 UINT16_TO_STREAM(p, r); 1881 1882 if (!SMP_Encrypt(er, BT_OCTET16_LEN, temp, 4, &output)) 1883 { 1884 BTM_TRACE_ERROR0("Local CSRK generation failed "); 1885 } 1886 else 1887 { 1888 BTM_TRACE_DEBUG0("local CSRK generation success"); 1889 memcpy((void *)local_csrk, output.param_buf, BT_OCTET16_LEN); 1890 1891 1892#if BTM_BLE_CONFORMANCE_TESTING == TRUE 1893 if (btm_cb.devcb.enable_test_local_sign_cntr) 1894 { 1895 UINT32_TO_STREAM(p_mac, btm_cb.devcb.test_local_sign_cntr); 1896 } 1897 else 1898 { 1899 UINT32_TO_STREAM(p_mac, p_rec->ble.keys.local_counter); 1900 } 1901#else 1902 UINT32_TO_STREAM(p_mac, p_rec->ble.keys.local_counter); 1903#endif 1904 1905 if ((ret = AES_CMAC(local_csrk, p_buf, (UINT16)(len + 4), BTM_CMAC_TLEN_SIZE, p_mac)) == TRUE) 1906 { 1907 btm_ble_increment_sign_ctr(bd_addr, TRUE); 1908 1909#if BTM_BLE_CONFORMANCE_TESTING == TRUE 1910 if ( btm_cb.devcb.enable_test_mac_val) 1911 { 1912 BTM_TRACE_DEBUG0 ("Use MAC value from script"); 1913 memcpy(p_mac, btm_cb.devcb.test_mac, BTM_CMAC_TLEN_SIZE); 1914 } 1915#endif 1916 } 1917 BTM_TRACE_DEBUG1("BTM_BleDataSignature p_mac = %d", p_mac); 1918 BTM_TRACE_DEBUG4("p_mac[0] = 0x%02x p_mac[1] = 0x%02x p_mac[2] = 0x%02x p_mac[3] = 0x%02x", 1919 *p_mac, *(p_mac + 1), *(p_mac + 2), *(p_mac + 3)); 1920 BTM_TRACE_DEBUG4("p_mac[4] = 0x%02x p_mac[5] = 0x%02x p_mac[6] = 0x%02x p_mac[7] = 0x%02x", 1921 *(p_mac + 4), *(p_mac + 5), *(p_mac + 6), *(p_mac + 7)); 1922 1923 GKI_freebuf(p_buf); 1924 } 1925 } 1926 } 1927 } 1928#endif /* SMP_INCLUDED */ 1929 return ret; 1930} 1931 1932/******************************************************************************* 1933** 1934** Function BTM_BleVerifySignature 1935** 1936** Description This function is called to verify the data signature 1937** 1938** Parameter bd_addr: target device the data to be signed for. 1939** p_orig: original data before signature. 1940** len: length of the signing data 1941** counter: counter used when doing data signing 1942** p_comp: signature to be compared against. 1943 1944** Returns TRUE if signature verified correctly; otherwise FALSE. 1945** 1946*******************************************************************************/ 1947BOOLEAN BTM_BleVerifySignature (BD_ADDR bd_addr, UINT8 *p_orig, UINT16 len, UINT32 counter, 1948 UINT8 *p_comp) 1949{ 1950 BOOLEAN verified = FALSE; 1951#if SMP_INCLUDED == TRUE 1952 tBTM_SEC_DEV_REC *p_rec = btm_find_dev (bd_addr); 1953 UINT8 p_mac[BTM_CMAC_TLEN_SIZE]; 1954 1955 if (p_rec == NULL || (p_rec && !(p_rec->ble.key_type & BTM_LE_KEY_PCSRK))) 1956 { 1957 BTM_TRACE_ERROR0("can not verify signature for unknown device"); 1958 } 1959 else if (counter < p_rec->ble.keys.counter) 1960 { 1961 BTM_TRACE_ERROR0("signature received with out dated sign counter"); 1962 } 1963 else if (p_orig == NULL) 1964 { 1965 BTM_TRACE_ERROR0("No signature to verify"); 1966 } 1967 else 1968 { 1969 BTM_TRACE_DEBUG2 ("BTM_BleVerifySignature rcv_cnt=%d >= expected_cnt=%d", counter, p_rec->ble.keys.counter); 1970 1971 if (AES_CMAC(p_rec->ble.keys.csrk, p_orig, len, BTM_CMAC_TLEN_SIZE, p_mac)) 1972 { 1973 if (memcmp(p_mac, p_comp, BTM_CMAC_TLEN_SIZE) == 0) 1974 { 1975 btm_ble_increment_sign_ctr(bd_addr, FALSE); 1976 verified = TRUE; 1977 } 1978 } 1979 } 1980#endif /* SMP_INCLUDED */ 1981 return verified; 1982} 1983 1984/******************************************************************************* 1985** Utility functions for LE device IR/ER generation 1986*******************************************************************************/ 1987/******************************************************************************* 1988** 1989** Function btm_notify_new_key 1990** 1991** Description This function is to notify application new keys have been 1992** generated. 1993** 1994** Returns void 1995** 1996*******************************************************************************/ 1997static void btm_notify_new_key(UINT8 key_type) 1998{ 1999 tBTM_BLE_LOCAL_KEYS *p_locak_keys = NULL; 2000 2001 BTM_TRACE_DEBUG1 ("btm_notify_new_key key_type=%d", key_type); 2002 2003 if (btm_cb.api.p_le_key_callback) 2004 { 2005 switch (key_type) 2006 { 2007 case BTM_BLE_KEY_TYPE_ID: 2008 BTM_TRACE_DEBUG0 ("BTM_BLE_KEY_TYPE_ID"); 2009 p_locak_keys = (tBTM_BLE_LOCAL_KEYS *)&btm_cb.devcb.id_keys; 2010 break; 2011 2012 case BTM_BLE_KEY_TYPE_ER: 2013 BTM_TRACE_DEBUG0 ("BTM_BLE_KEY_TYPE_ER"); 2014 p_locak_keys = (tBTM_BLE_LOCAL_KEYS *)&btm_cb.devcb.er; 2015 break; 2016 2017 default: 2018 BTM_TRACE_ERROR1("unknown key type: %d", key_type); 2019 break; 2020 } 2021 if (p_locak_keys != NULL) 2022 (*btm_cb.api.p_le_key_callback) (key_type, p_locak_keys); 2023 } 2024} 2025 2026/******************************************************************************* 2027** 2028** Function btm_ble_process_er2 2029** 2030** Description This function is called when ER is generated, store it in 2031** local control block. 2032** 2033** Returns void 2034** 2035*******************************************************************************/ 2036static void btm_ble_process_er2(tBTM_RAND_ENC *p) 2037{ 2038 BTM_TRACE_DEBUG0 ("btm_ble_process_er2"); 2039 2040 if (p &&p->opcode == HCI_BLE_RAND) 2041 { 2042 memcpy(&btm_cb.devcb.er[8], p->param_buf, BT_OCTET8_LEN); 2043 btm_notify_new_key(BTM_BLE_KEY_TYPE_ER); 2044 } 2045 else 2046 { 2047 BTM_TRACE_ERROR0("Generating ER2 exception."); 2048 memset(&btm_cb.devcb.er, 0, sizeof(BT_OCTET16)); 2049 } 2050} 2051 2052/******************************************************************************* 2053** 2054** Function btm_ble_process_er 2055** 2056** Description This function is called when ER is generated, store it in 2057** local control block. 2058** 2059** Returns void 2060** 2061*******************************************************************************/ 2062static void btm_ble_process_er(tBTM_RAND_ENC *p) 2063{ 2064 BTM_TRACE_DEBUG0 ("btm_ble_process_er"); 2065 2066 if (p &&p->opcode == HCI_BLE_RAND) 2067 { 2068 memcpy(&btm_cb.devcb.er[0], p->param_buf, BT_OCTET8_LEN); 2069 2070 if (!btsnd_hcic_ble_rand((void *)btm_ble_process_er2)) 2071 { 2072 memset(&btm_cb.devcb.er, 0, sizeof(BT_OCTET16)); 2073 BTM_TRACE_ERROR0("Generating ER2 failed."); 2074 } 2075 } 2076 else 2077 { 2078 BTM_TRACE_ERROR0("Generating ER1 exception."); 2079 } 2080} 2081 2082/******************************************************************************* 2083** 2084** Function btm_ble_process_irk 2085** 2086** Description This function is called when IRK is generated, store it in 2087** local control block. 2088** 2089** Returns void 2090** 2091*******************************************************************************/ 2092static void btm_ble_process_irk(tSMP_ENC *p) 2093{ 2094 BTM_TRACE_DEBUG0 ("btm_ble_process_irk"); 2095 if (p &&p->opcode == HCI_BLE_ENCRYPT) 2096 { 2097 memcpy(btm_cb.devcb.id_keys.irk, p->param_buf, BT_OCTET16_LEN); 2098 btm_notify_new_key(BTM_BLE_KEY_TYPE_ID); 2099 } 2100 else 2101 { 2102 BTM_TRACE_ERROR0("Generating IRK exception."); 2103 } 2104 2105 /* proceed generate ER */ 2106 if (!btsnd_hcic_ble_rand((void *)btm_ble_process_er)) 2107 { 2108 BTM_TRACE_ERROR0("Generating ER failed."); 2109 } 2110} 2111 2112/******************************************************************************* 2113** 2114** Function btm_ble_process_dhk 2115** 2116** Description This function is called when DHK is calculated, store it in 2117** local control block, and proceed to generate ER, a 128-bits 2118** random number. 2119** 2120** Returns void 2121** 2122*******************************************************************************/ 2123static void btm_ble_process_dhk(tSMP_ENC *p) 2124{ 2125#if SMP_INCLUDED == TRUE 2126 UINT8 btm_ble_irk_pt = 0x01; 2127 tSMP_ENC output; 2128 2129 BTM_TRACE_DEBUG0 ("btm_ble_process_dhk"); 2130 2131 if (p && p->opcode == HCI_BLE_ENCRYPT) 2132 { 2133 memcpy(btm_cb.devcb.id_keys.dhk, p->param_buf, BT_OCTET16_LEN); 2134 BTM_TRACE_DEBUG0("BLE DHK generated."); 2135 2136 /* IRK = D1(IR, 1) */ 2137 if (!SMP_Encrypt(btm_cb.devcb.id_keys.ir, BT_OCTET16_LEN, &btm_ble_irk_pt, 2138 1, &output)) 2139 { 2140 /* reset all identity root related key */ 2141 memset(&btm_cb.devcb.id_keys, 0, sizeof(tBTM_BLE_LOCAL_ID_KEYS)); 2142 } 2143 else 2144 { 2145 btm_ble_process_irk(&output); 2146 } 2147 } 2148 else 2149 { 2150 /* reset all identity root related key */ 2151 memset(&btm_cb.devcb.id_keys, 0, sizeof(tBTM_BLE_LOCAL_ID_KEYS)); 2152 } 2153#endif 2154} 2155 2156/******************************************************************************* 2157** 2158** Function btm_ble_process_ir2 2159** 2160** Description This function is called when IR is generated, proceed to calculate 2161** DHK = Eir({0x03, 0, 0 ...}) 2162** 2163** 2164** Returns void 2165** 2166*******************************************************************************/ 2167static void btm_ble_process_ir2(tBTM_RAND_ENC *p) 2168{ 2169#if SMP_INCLUDED == TRUE 2170 UINT8 btm_ble_dhk_pt = 0x03; 2171 tSMP_ENC output; 2172 2173 BTM_TRACE_DEBUG0 ("btm_ble_process_ir2"); 2174 2175 if (p && p->opcode == HCI_BLE_RAND) 2176 { 2177 /* remembering in control block */ 2178 memcpy(&btm_cb.devcb.id_keys.ir[8], p->param_buf, BT_OCTET8_LEN); 2179 /* generate DHK= Eir({0x03, 0x00, 0x00 ...}) */ 2180 2181 2182 SMP_Encrypt(btm_cb.devcb.id_keys.ir, BT_OCTET16_LEN, &btm_ble_dhk_pt, 2183 1, &output); 2184 btm_ble_process_dhk(&output); 2185 2186 BTM_TRACE_DEBUG0("BLE IR generated."); 2187 } 2188 else 2189 { 2190 memset(&btm_cb.devcb.id_keys, 0, sizeof(tBTM_BLE_LOCAL_ID_KEYS)); 2191 } 2192#endif 2193} 2194 2195/******************************************************************************* 2196** 2197** Function btm_ble_process_ir 2198** 2199** Description This function is called when IR is generated, proceed to calculate 2200** DHK = Eir({0x02, 0, 0 ...}) 2201** 2202** 2203** Returns void 2204** 2205*******************************************************************************/ 2206static void btm_ble_process_ir(tBTM_RAND_ENC *p) 2207{ 2208 BTM_TRACE_DEBUG0 ("btm_ble_process_ir"); 2209 2210 if (p && p->opcode == HCI_BLE_RAND) 2211 { 2212 /* remembering in control block */ 2213 memcpy(btm_cb.devcb.id_keys.ir, p->param_buf, BT_OCTET8_LEN); 2214 2215 if (!btsnd_hcic_ble_rand((void *)btm_ble_process_ir2)) 2216 { 2217 BTM_TRACE_ERROR0("Generating IR2 failed."); 2218 memset(&btm_cb.devcb.id_keys, 0, sizeof(tBTM_BLE_LOCAL_ID_KEYS)); 2219 } 2220 } 2221} 2222 2223/******************************************************************************* 2224** 2225** Function btm_ble_reset_id 2226** 2227** Description This function is called to reset LE device identity. 2228** 2229** Returns void 2230** 2231*******************************************************************************/ 2232void btm_ble_reset_id( void ) 2233{ 2234 BTM_TRACE_DEBUG0 ("btm_ble_reset_id"); 2235 2236 /* regenrate Identity Root*/ 2237 if (!btsnd_hcic_ble_rand((void *)btm_ble_process_ir)) 2238 { 2239 BTM_TRACE_DEBUG0("Generating IR failed."); 2240 } 2241} 2242 2243 #if BTM_BLE_CONFORMANCE_TESTING == TRUE 2244/******************************************************************************* 2245** 2246** Function btm_ble_set_no_disc_if_pair_fail 2247** 2248** Description This function indicates that whether no disconnect of the ACL 2249** should be used if pairing failed 2250** 2251** Returns void 2252** 2253*******************************************************************************/ 2254void btm_ble_set_no_disc_if_pair_fail(BOOLEAN disable_disc ) 2255{ 2256 BTM_TRACE_DEBUG1 ("btm_ble_set_disc_enable_if_pair_fail disable_disc=%d", disable_disc); 2257 btm_cb.devcb.no_disc_if_pair_fail = disable_disc; 2258} 2259 2260/******************************************************************************* 2261** 2262** Function btm_ble_set_test_mac_value 2263** 2264** Description This function set test MAC value 2265** 2266** Returns void 2267** 2268*******************************************************************************/ 2269void btm_ble_set_test_mac_value(BOOLEAN enable, UINT8 *p_test_mac_val ) 2270{ 2271 BTM_TRACE_DEBUG1 ("btm_ble_set_test_mac_value enable=%d", enable); 2272 btm_cb.devcb.enable_test_mac_val = enable; 2273 memcpy(btm_cb.devcb.test_mac, p_test_mac_val, BT_OCTET8_LEN); 2274} 2275 2276/******************************************************************************* 2277** 2278** Function btm_ble_set_test_local_sign_cntr_value 2279** 2280** Description This function set test local sign counter value 2281** 2282** Returns void 2283** 2284*******************************************************************************/ 2285void btm_ble_set_test_local_sign_cntr_value(BOOLEAN enable, UINT32 test_local_sign_cntr ) 2286{ 2287 BTM_TRACE_DEBUG2 ("btm_ble_set_test_local_sign_cntr_value enable=%d local_sign_cntr=%d", 2288 enable, test_local_sign_cntr); 2289 btm_cb.devcb.enable_test_local_sign_cntr = enable; 2290 btm_cb.devcb.test_local_sign_cntr = test_local_sign_cntr; 2291} 2292 2293/******************************************************************************* 2294** 2295** Function btm_set_random_address 2296** 2297** Description This function set a random address to local controller. 2298** 2299** Returns void 2300** 2301*******************************************************************************/ 2302void btm_set_random_address(BD_ADDR random_bda) 2303{ 2304 tBTM_LE_RANDOM_CB *p_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb; 2305 BOOLEAN adv_mode = btm_cb.ble_ctr_cb.inq_var.adv_mode ; 2306 2307 BTM_TRACE_DEBUG0 ("btm_set_random_address"); 2308 2309 if (adv_mode == BTM_BLE_ADV_ENABLE) 2310 btsnd_hcic_ble_set_adv_enable (BTM_BLE_ADV_DISABLE); 2311 2312 memcpy(p_cb->private_addr, random_bda, BD_ADDR_LEN); 2313 btsnd_hcic_ble_set_random_addr(p_cb->private_addr); 2314 2315 if (adv_mode == BTM_BLE_ADV_ENABLE) 2316 btsnd_hcic_ble_set_adv_enable (BTM_BLE_ADV_ENABLE); 2317 2318 2319} 2320 2321/******************************************************************************* 2322** 2323** Function btm_ble_set_keep_rfu_in_auth_req 2324** 2325** Description This function indicates if RFU bits have to be kept as is 2326** (by default they have to be set to 0 by the sender). 2327** 2328** Returns void 2329** 2330*******************************************************************************/ 2331void btm_ble_set_keep_rfu_in_auth_req(BOOLEAN keep_rfu) 2332{ 2333 BTM_TRACE_DEBUG1 ("btm_ble_set_keep_rfu_in_auth_req keep_rfus=%d", keep_rfu); 2334 btm_cb.devcb.keep_rfu_in_auth_req = keep_rfu; 2335} 2336 2337#endif /* BTM_BLE_CONFORMANCE_TESTING */ 2338 2339#endif /* BLE_INCLUDED */ 2340