1/****************************************************************************** 2 * 3 * Copyright (C) 1999-2012 Broadcom Corporation 4 * 5 * Licensed under the Apache License, Version 2.0 (the "License"); 6 * you may not use this file except in compliance with the License. 7 * You may obtain a copy of the License at: 8 * 9 * http://www.apache.org/licenses/LICENSE-2.0 10 * 11 * Unless required by applicable law or agreed to in writing, software 12 * distributed under the License is distributed on an "AS IS" BASIS, 13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 * See the License for the specific language governing permissions and 15 * limitations under the License. 16 * 17 ******************************************************************************/ 18 19/****************************************************************************** 20 * 21 * This file contains functions for the Bluetooth Security Manager 22 * 23 ******************************************************************************/ 24 25#define LOG_TAG "bt_btm_sec" 26 27#include <stdarg.h> 28#include <string.h> 29 30#include "device/include/controller.h" 31#include "osi/include/log.h" 32#include "osi/include/time.h" 33 34#include "bt_types.h" 35#include "bt_utils.h" 36#include "btm_int.h" 37#include "btu.h" 38#include "hcimsgs.h" 39#include "l2c_int.h" 40 41#if (BT_USE_TRACES == TRUE && BT_TRACE_VERBOSE == FALSE) 42/* needed for sprintf() */ 43#include <stdio.h> 44#endif 45 46#if BLE_INCLUDED == TRUE 47 #include "gatt_int.h" 48#endif 49 50#define BTM_SEC_MAX_COLLISION_DELAY (5000) 51 52extern fixed_queue_t *btu_general_alarm_queue; 53 54#ifdef APPL_AUTH_WRITE_EXCEPTION 55BOOLEAN (APPL_AUTH_WRITE_EXCEPTION)(BD_ADDR bd_addr); 56#endif 57 58/******************************************************************************** 59** L O C A L F U N C T I O N P R O T O T Y P E S * 60*********************************************************************************/ 61tBTM_SEC_SERV_REC *btm_sec_find_first_serv (BOOLEAN is_originator, UINT16 psm); 62static tBTM_SEC_SERV_REC *btm_sec_find_next_serv (tBTM_SEC_SERV_REC *p_cur); 63static tBTM_SEC_SERV_REC *btm_sec_find_mx_serv (UINT8 is_originator, UINT16 psm, 64 UINT32 mx_proto_id, 65 UINT32 mx_chan_id); 66 67static tBTM_STATUS btm_sec_execute_procedure (tBTM_SEC_DEV_REC *p_dev_rec); 68static BOOLEAN btm_sec_start_get_name (tBTM_SEC_DEV_REC *p_dev_rec); 69static BOOLEAN btm_sec_start_authentication (tBTM_SEC_DEV_REC *p_dev_rec); 70static BOOLEAN btm_sec_start_encryption (tBTM_SEC_DEV_REC *p_dev_rec); 71static void btm_sec_collision_timeout(void *data); 72static void btm_restore_mode(void); 73static void btm_sec_pairing_timeout(void *data); 74static tBTM_STATUS btm_sec_dd_create_conn (tBTM_SEC_DEV_REC *p_dev_rec); 75static void btm_sec_change_pairing_state (tBTM_PAIRING_STATE new_state); 76 77#if (BT_USE_TRACES == TRUE) 78static char *btm_pair_state_descr (tBTM_PAIRING_STATE state); 79#endif 80 81static void btm_sec_check_pending_reqs(void); 82static BOOLEAN btm_sec_queue_mx_request (BD_ADDR bd_addr, UINT16 psm, BOOLEAN is_orig, 83 UINT32 mx_proto_id, UINT32 mx_chan_id, 84 tBTM_SEC_CALLBACK *p_callback, void *p_ref_data); 85static void btm_sec_bond_cancel_complete (void); 86static void btm_send_link_key_notif (tBTM_SEC_DEV_REC *p_dev_rec); 87static BOOLEAN btm_sec_check_prefetch_pin (tBTM_SEC_DEV_REC *p_dev_rec); 88 89static UINT8 btm_sec_start_authorization (tBTM_SEC_DEV_REC *p_dev_rec); 90BOOLEAN btm_sec_are_all_trusted(UINT32 p_mask[]); 91 92static tBTM_STATUS btm_sec_send_hci_disconnect (tBTM_SEC_DEV_REC *p_dev_rec, UINT8 reason, UINT16 conn_handle); 93UINT8 btm_sec_start_role_switch (tBTM_SEC_DEV_REC *p_dev_rec); 94tBTM_SEC_DEV_REC *btm_sec_find_dev_by_sec_state (UINT8 state); 95 96static BOOLEAN btm_sec_set_security_level ( CONNECTION_TYPE conn_type, char *p_name, UINT8 service_id, 97 UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id, 98 UINT32 mx_chan_id); 99 100static BOOLEAN btm_dev_authenticated(tBTM_SEC_DEV_REC *p_dev_rec); 101static BOOLEAN btm_dev_encrypted(tBTM_SEC_DEV_REC *p_dev_rec); 102static BOOLEAN btm_dev_authorized(tBTM_SEC_DEV_REC *p_dev_rec); 103static BOOLEAN btm_serv_trusted(tBTM_SEC_DEV_REC *p_dev_rec, tBTM_SEC_SERV_REC *p_serv_rec); 104static BOOLEAN btm_sec_is_serv_level0 (UINT16 psm); 105static UINT16 btm_sec_set_serv_level4_flags (UINT16 cur_security, BOOLEAN is_originator); 106 107static BOOLEAN btm_sec_queue_encrypt_request (BD_ADDR bd_addr, tBT_TRANSPORT transport, 108 tBTM_SEC_CALLBACK *p_callback, void *p_ref_data, 109 tBTM_BLE_SEC_ACT sec_act); 110static void btm_sec_check_pending_enc_req (tBTM_SEC_DEV_REC *p_dev_rec, tBT_TRANSPORT transport, 111 UINT8 encr_enable); 112 113static BOOLEAN btm_sec_use_smp_br_chnl(tBTM_SEC_DEV_REC *p_dev_rec); 114static BOOLEAN btm_sec_is_master(tBTM_SEC_DEV_REC *p_dev_rec); 115 116/* TRUE - authenticated link key is possible */ 117static const BOOLEAN btm_sec_io_map [BTM_IO_CAP_MAX][BTM_IO_CAP_MAX] = 118{ 119 /* OUT, IO, IN, NONE */ 120/* OUT */ {FALSE, FALSE, TRUE, FALSE}, 121/* IO */ {FALSE, TRUE, TRUE, FALSE}, 122/* IN */ {TRUE, TRUE, TRUE, FALSE}, 123/* NONE */ {FALSE, FALSE, FALSE, FALSE} 124}; 125/* BTM_IO_CAP_OUT 0 DisplayOnly */ 126/* BTM_IO_CAP_IO 1 DisplayYesNo */ 127/* BTM_IO_CAP_IN 2 KeyboardOnly */ 128/* BTM_IO_CAP_NONE 3 NoInputNoOutput */ 129 130/******************************************************************************* 131** 132** Function btm_dev_authenticated 133** 134** Description check device is authenticated 135** 136** Returns BOOLEAN TRUE or FALSE 137** 138*******************************************************************************/ 139static BOOLEAN btm_dev_authenticated (tBTM_SEC_DEV_REC *p_dev_rec) 140{ 141 if(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED) 142 { 143 return(TRUE); 144 } 145 return(FALSE); 146} 147 148/******************************************************************************* 149** 150** Function btm_dev_encrypted 151** 152** Description check device is encrypted 153** 154** Returns BOOLEAN TRUE or FALSE 155** 156*******************************************************************************/ 157static BOOLEAN btm_dev_encrypted (tBTM_SEC_DEV_REC *p_dev_rec) 158{ 159 if(p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED) 160 { 161 return(TRUE); 162 } 163 return(FALSE); 164} 165 166/******************************************************************************* 167** 168** Function btm_dev_authorized 169** 170** Description check device is authorized 171** 172** Returns BOOLEAN TRUE or FALSE 173** 174*******************************************************************************/ 175static BOOLEAN btm_dev_authorized (tBTM_SEC_DEV_REC *p_dev_rec) 176{ 177 if(p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED) 178 { 179 return(TRUE); 180 } 181 return(FALSE); 182} 183 184/******************************************************************************* 185** 186** Function btm_dev_16_digit_authenticated 187** 188** Description check device is authenticated by using 16 digit pin or MITM 189** 190** Returns BOOLEAN TRUE or FALSE 191** 192*******************************************************************************/ 193static BOOLEAN btm_dev_16_digit_authenticated(tBTM_SEC_DEV_REC *p_dev_rec) 194{ 195 // BTM_SEC_16_DIGIT_PIN_AUTHED is set if MITM or 16 digit pin is used 196 if(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED) 197 { 198 return(TRUE); 199 } 200 return(FALSE); 201} 202 203/******************************************************************************* 204** 205** Function btm_serv_trusted 206** 207** Description check service is trusted 208** 209** Returns BOOLEAN TRUE or FALSE 210** 211*******************************************************************************/ 212static BOOLEAN btm_serv_trusted(tBTM_SEC_DEV_REC *p_dev_rec, tBTM_SEC_SERV_REC *p_serv_rec) 213{ 214 if(BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask, p_serv_rec->service_id)) 215 { 216 return(TRUE); 217 } 218 return(FALSE); 219} 220 221/******************************************************************************* 222** 223** Function BTM_SecRegister 224** 225** Description Application manager calls this function to register for 226** security services. There can be one and only one application 227** saving link keys. BTM allows only first registration. 228** 229** Returns TRUE if registered OK, else FALSE 230** 231*******************************************************************************/ 232BOOLEAN BTM_SecRegister(tBTM_APPL_INFO *p_cb_info) 233{ 234#if BLE_INCLUDED == TRUE 235 BT_OCTET16 temp_value = {0}; 236#endif 237 238 BTM_TRACE_EVENT("%s application registered", __func__); 239 240#if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE 241 LOG_INFO(LOG_TAG, "%s p_cb_info->p_le_callback == 0x%p", __func__, p_cb_info->p_le_callback); 242 if (p_cb_info->p_le_callback) 243 { 244#if SMP_INCLUDED == TRUE 245 BTM_TRACE_EVENT("%s SMP_Register( btm_proc_smp_cback )", __func__); 246 SMP_Register(btm_proc_smp_cback); 247#endif 248 /* if no IR is loaded, need to regenerate all the keys */ 249 if (memcmp(btm_cb.devcb.id_keys.ir, &temp_value, sizeof(BT_OCTET16)) == 0) 250 { 251 btm_ble_reset_id(); 252 } 253 } 254 else 255 { 256 LOG_WARN(LOG_TAG, "%s p_cb_info->p_le_callback == NULL", __func__); 257 } 258#endif 259 260 btm_cb.api = *p_cb_info; 261#if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE 262 LOG_INFO(LOG_TAG, "%s btm_cb.api.p_le_callback = 0x%p ", __func__, btm_cb.api.p_le_callback); 263#endif 264 BTM_TRACE_EVENT("%s application registered", __func__); 265 return(TRUE); 266} 267 268/******************************************************************************* 269** 270** Function BTM_SecRegisterLinkKeyNotificationCallback 271** 272** Description Application manager calls this function to register for 273** link key notification. When there is nobody registered 274** we should avoid changing link key 275** 276** Returns TRUE if registered OK, else FALSE 277** 278*******************************************************************************/ 279BOOLEAN BTM_SecRegisterLinkKeyNotificationCallback (tBTM_LINK_KEY_CALLBACK *p_callback) 280{ 281 btm_cb.api.p_link_key_callback = p_callback; 282 return TRUE; 283} 284 285/******************************************************************************* 286** 287** Function BTM_SecAddRmtNameNotifyCallback 288** 289** Description Any profile can register to be notified when name of the 290** remote device is resolved. 291** 292** Returns TRUE if registered OK, else FALSE 293** 294*******************************************************************************/ 295BOOLEAN BTM_SecAddRmtNameNotifyCallback (tBTM_RMT_NAME_CALLBACK *p_callback) 296{ 297 int i; 298 299 for (i = 0; i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++) 300 { 301 if (btm_cb.p_rmt_name_callback[i] == NULL) 302 { 303 btm_cb.p_rmt_name_callback[i] = p_callback; 304 return(TRUE); 305 } 306 } 307 308 return(FALSE); 309} 310 311/******************************************************************************* 312** 313** Function BTM_SecDeleteRmtNameNotifyCallback 314** 315** Description Any profile can deregister notification when a new Link Key 316** is generated per connection. 317** 318** Returns TRUE if OK, else FALSE 319** 320*******************************************************************************/ 321BOOLEAN BTM_SecDeleteRmtNameNotifyCallback (tBTM_RMT_NAME_CALLBACK *p_callback) 322{ 323 int i; 324 325 for (i = 0; i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++) 326 { 327 if (btm_cb.p_rmt_name_callback[i] == p_callback) 328 { 329 btm_cb.p_rmt_name_callback[i] = NULL; 330 return(TRUE); 331 } 332 } 333 334 return(FALSE); 335} 336 337/******************************************************************************* 338** 339** Function BTM_GetSecurityFlags 340** 341** Description Get security flags for the device 342** 343** Returns BOOLEAN TRUE or FALSE is device found 344** 345*******************************************************************************/ 346BOOLEAN BTM_GetSecurityFlags (BD_ADDR bd_addr, UINT8 * p_sec_flags) 347{ 348 tBTM_SEC_DEV_REC *p_dev_rec; 349 350 if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL) 351 { 352 *p_sec_flags = (UINT8) p_dev_rec->sec_flags; 353 return(TRUE); 354 } 355 BTM_TRACE_ERROR ("BTM_GetSecurityFlags false"); 356 return(FALSE); 357} 358 359/******************************************************************************* 360** 361** Function BTM_GetSecurityFlagsByTransport 362** 363** Description Get security flags for the device on a particular transport 364** 365** Returns BOOLEAN TRUE or FALSE is device found 366** 367*******************************************************************************/ 368BOOLEAN BTM_GetSecurityFlagsByTransport (BD_ADDR bd_addr, UINT8 * p_sec_flags, 369 tBT_TRANSPORT transport) 370{ 371 tBTM_SEC_DEV_REC *p_dev_rec; 372 373 if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL) 374 { 375 if (transport == BT_TRANSPORT_BR_EDR) 376 *p_sec_flags = (UINT8) p_dev_rec->sec_flags; 377 else 378 *p_sec_flags = (UINT8) (p_dev_rec->sec_flags >> 8); 379 380 return(TRUE); 381 } 382 BTM_TRACE_ERROR ("BTM_GetSecurityFlags false"); 383 return(FALSE); 384} 385 386/******************************************************************************* 387** 388** Function BTM_SetPinType 389** 390** Description Set PIN type for the device. 391** 392** Returns void 393** 394*******************************************************************************/ 395void BTM_SetPinType (UINT8 pin_type, PIN_CODE pin_code, UINT8 pin_code_len) 396{ 397 BTM_TRACE_API ("BTM_SetPinType: pin type %d [variable-0, fixed-1], code %s, length %d", 398 pin_type, (char *) pin_code, pin_code_len); 399 400 /* If device is not up security mode will be set as a part of startup */ 401 if ( (btm_cb.cfg.pin_type != pin_type) 402 && controller_get_interface()->get_is_ready() ) 403 { 404 btsnd_hcic_write_pin_type (pin_type); 405 } 406 407 btm_cb.cfg.pin_type = pin_type; 408 btm_cb.cfg.pin_code_len = pin_code_len; 409 memcpy (btm_cb.cfg.pin_code, pin_code, pin_code_len); 410} 411 412/******************************************************************************* 413** 414** Function BTM_SetPairableMode 415** 416** Description Enable or disable pairing 417** 418** Parameters allow_pairing - (TRUE or FALSE) whether or not the device 419** allows pairing. 420** connect_only_paired - (TRUE or FALSE) whether or not to 421** only allow paired devices to connect. 422** 423** Returns void 424** 425*******************************************************************************/ 426void BTM_SetPairableMode (BOOLEAN allow_pairing, BOOLEAN connect_only_paired) 427{ 428 BTM_TRACE_API ("BTM_SetPairableMode() allow_pairing: %u connect_only_paired: %u", allow_pairing, connect_only_paired); 429 430 btm_cb.pairing_disabled = !allow_pairing; 431 btm_cb.connect_only_paired = connect_only_paired; 432} 433 434/******************************************************************************* 435** 436** Function BTM_SetSecureConnectionsOnly 437** 438** Description Enable or disable default treatment for Mode 4 Level 0 services 439** 440** Parameter secure_connections_only_mode - (TRUE or FALSE) whether or not the device 441** TRUE means that the device should treat Mode 4 Level 0 services as 442** services of other levels. (Secure_connections_only_mode) 443** FALSE means that the device should provide default treatment for 444** Mode 4 Level 0 services. 445** 446** Returns void 447** 448*******************************************************************************/ 449void BTM_SetSecureConnectionsOnly (BOOLEAN secure_connections_only_mode) 450{ 451 BTM_TRACE_API("%s: Mode : %u", __FUNCTION__, 452 secure_connections_only_mode); 453 454 btm_cb.devcb.secure_connections_only = secure_connections_only_mode; 455 btm_cb.security_mode = BTM_SEC_MODE_SC; 456} 457#define BTM_NO_AVAIL_SEC_SERVICES ((UINT16) 0xffff) 458 459/******************************************************************************* 460** 461** Function BTM_SetSecurityLevel 462** 463** Description Register service security level with Security Manager 464** 465** Parameters: is_originator - TRUE if originating the connection, FALSE if not 466** p_name - Name of the service relevant only if 467** authorization will show this name to user. ignored 468** if BTM_SEC_SERVICE_NAME_LEN is 0. 469** service_id - service ID for the service passed to authorization callback 470** sec_level - bit mask of the security features 471** psm - L2CAP PSM 472** mx_proto_id - protocol ID of multiplexing proto below 473** mx_chan_id - channel ID of multiplexing proto below 474** 475** Returns TRUE if registered OK, else FALSE 476** 477*******************************************************************************/ 478BOOLEAN BTM_SetSecurityLevel (BOOLEAN is_originator, char *p_name, UINT8 service_id, 479 UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id, 480 UINT32 mx_chan_id) 481{ 482#if (L2CAP_UCD_INCLUDED == TRUE) 483 CONNECTION_TYPE conn_type; 484 485 if (is_originator) 486 conn_type = CONN_ORIENT_ORIG; 487 else 488 conn_type = CONN_ORIENT_TERM; 489 490 return(btm_sec_set_security_level (conn_type, p_name, service_id, 491 sec_level, psm, mx_proto_id, mx_chan_id)); 492#else 493 return(btm_sec_set_security_level (is_originator, p_name, service_id, 494 sec_level, psm, mx_proto_id, mx_chan_id)); 495#endif 496} 497 498/******************************************************************************* 499** 500** Function btm_sec_set_security_level 501** 502** Description Register service security level with Security Manager 503** 504** Parameters: conn_type - TRUE if originating the connection, FALSE if not 505** p_name - Name of the service relevant only if 506** authorization will show this name to user. ignored 507** if BTM_SEC_SERVICE_NAME_LEN is 0. 508** service_id - service ID for the service passed to authorization callback 509** sec_level - bit mask of the security features 510** psm - L2CAP PSM 511** mx_proto_id - protocol ID of multiplexing proto below 512** mx_chan_id - channel ID of multiplexing proto below 513** 514** Returns TRUE if registered OK, else FALSE 515** 516*******************************************************************************/ 517static BOOLEAN btm_sec_set_security_level (CONNECTION_TYPE conn_type, char *p_name, UINT8 service_id, 518 UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id, 519 UINT32 mx_chan_id) 520{ 521 tBTM_SEC_SERV_REC *p_srec; 522 UINT16 index; 523 UINT16 first_unused_record = BTM_NO_AVAIL_SEC_SERVICES; 524 BOOLEAN record_allocated = FALSE; 525 BOOLEAN is_originator; 526#if (L2CAP_UCD_INCLUDED == TRUE) 527 BOOLEAN is_ucd; 528 529 if (conn_type & CONNECTION_TYPE_ORIG_MASK) 530 is_originator = TRUE; 531 else 532 is_originator = FALSE; 533 534 if (conn_type & CONNECTION_TYPE_CONNLESS_MASK ) 535 { 536 is_ucd = TRUE; 537 } 538 else 539 { 540 is_ucd = FALSE; 541 } 542#else 543 is_originator = conn_type; 544#endif 545 546 BTM_TRACE_API("%s : sec: 0x%x", __func__, sec_level); 547 548 /* See if the record can be reused (same service name, psm, mx_proto_id, 549 service_id, and mx_chan_id), or obtain the next unused record */ 550 551 p_srec = &btm_cb.sec_serv_rec[0]; 552 553 for (index = 0; index < BTM_SEC_MAX_SERVICE_RECORDS; index++, p_srec++) 554 { 555 /* Check if there is already a record for this service */ 556 if (p_srec->security_flags & BTM_SEC_IN_USE) 557 { 558#if BTM_SEC_SERVICE_NAME_LEN > 0 559 if (p_srec->psm == psm && 560 p_srec->mx_proto_id == mx_proto_id && 561 service_id == p_srec->service_id && 562 p_name && 563 (!strncmp (p_name, (char *) p_srec->orig_service_name, 564 BTM_SEC_SERVICE_NAME_LEN) || 565 !strncmp (p_name, (char *) p_srec->term_service_name, 566 BTM_SEC_SERVICE_NAME_LEN))) 567#else 568 if (p_srec->psm == psm && 569 p_srec->mx_proto_id == mx_proto_id && 570 service_id == p_srec->service_id) 571#endif 572 { 573 record_allocated = TRUE; 574 break; 575 } 576 } 577 /* Mark the first available service record */ 578 else if (!record_allocated) 579 { 580 memset (p_srec, 0, sizeof(tBTM_SEC_SERV_REC)); 581 record_allocated = TRUE; 582 first_unused_record = index; 583 } 584 } 585 586 if (!record_allocated) 587 { 588 BTM_TRACE_WARNING("BTM_SEC_REG: Out of Service Records (%d)", BTM_SEC_MAX_SERVICE_RECORDS); 589 return(record_allocated); 590 } 591 592 /* Process the request if service record is valid */ 593 /* If a duplicate service wasn't found, use the first available */ 594 if (index >= BTM_SEC_MAX_SERVICE_RECORDS) 595 { 596 index = first_unused_record; 597 p_srec = &btm_cb.sec_serv_rec[index]; 598 } 599 600 p_srec->psm = psm; 601 p_srec->service_id = service_id; 602 p_srec->mx_proto_id = mx_proto_id; 603 604 if (is_originator) 605 { 606 p_srec->orig_mx_chan_id = mx_chan_id; 607#if BTM_SEC_SERVICE_NAME_LEN > 0 608 strlcpy ((char *)p_srec->orig_service_name, p_name, BTM_SEC_SERVICE_NAME_LEN); 609#endif 610 /* clear out the old setting, just in case it exists */ 611#if (L2CAP_UCD_INCLUDED == TRUE) 612 if ( is_ucd ) 613 { 614 p_srec->ucd_security_flags &= 615 ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM | 616 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE); 617 } 618 else 619#endif 620 { 621 p_srec->security_flags &= 622 ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM | 623 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE); 624 } 625 626 /* Parameter validation. Originator should not set requirements for incoming connections */ 627 sec_level &= ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHENTICATE 628 | BTM_SEC_IN_MITM | BTM_SEC_IN_MIN_16_DIGIT_PIN ); 629 630 if (btm_cb.security_mode == BTM_SEC_MODE_SP || 631 btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG || 632 btm_cb.security_mode == BTM_SEC_MODE_SC) 633 { 634 if (sec_level & BTM_SEC_OUT_AUTHENTICATE) 635 sec_level |= BTM_SEC_OUT_MITM; 636 } 637 638 /* Make sure the authenticate bit is set, when encrypt bit is set */ 639 if (sec_level & BTM_SEC_OUT_ENCRYPT) 640 sec_level |= BTM_SEC_OUT_AUTHENTICATE; 641 642 /* outgoing connections usually set the security level right before 643 * the connection is initiated. 644 * set it to be the outgoing service */ 645#if (L2CAP_UCD_INCLUDED == TRUE) 646 if ( is_ucd == FALSE ) 647#endif 648 { 649 btm_cb.p_out_serv = p_srec; 650 } 651 } 652 else 653 { 654 p_srec->term_mx_chan_id = mx_chan_id; 655#if BTM_SEC_SERVICE_NAME_LEN > 0 656 strlcpy ((char *)p_srec->term_service_name, p_name, BTM_SEC_SERVICE_NAME_LEN); 657#endif 658 /* clear out the old setting, just in case it exists */ 659#if (L2CAP_UCD_INCLUDED == TRUE) 660 if ( is_ucd ) 661 { 662 p_srec->ucd_security_flags &= 663 ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_MITM | 664 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE 665 | BTM_SEC_IN_MIN_16_DIGIT_PIN); 666 } 667 else 668#endif 669 { 670 p_srec->security_flags &= 671 ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_MITM | 672 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE 673 | BTM_SEC_IN_MIN_16_DIGIT_PIN); 674 } 675 676 /* Parameter validation. Acceptor should not set requirements for outgoing connections */ 677 sec_level &= ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM); 678 679 if (btm_cb.security_mode == BTM_SEC_MODE_SP || 680 btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG || 681 btm_cb.security_mode == BTM_SEC_MODE_SC) 682 { 683 if (sec_level & BTM_SEC_IN_AUTHENTICATE) 684 sec_level |= BTM_SEC_IN_MITM; 685 } 686 687 /* Make sure the authenticate bit is set, when encrypt bit is set */ 688 if (sec_level & BTM_SEC_IN_ENCRYPT) 689 sec_level |= BTM_SEC_IN_AUTHENTICATE; 690 } 691 692#if (L2CAP_UCD_INCLUDED == TRUE) 693 if ( is_ucd ) 694 { 695 p_srec->security_flags |= (UINT16)(BTM_SEC_IN_USE); 696 p_srec->ucd_security_flags |= (UINT16)(sec_level | BTM_SEC_IN_USE); 697 } 698 else 699 { 700 p_srec->security_flags |= (UINT16)(sec_level | BTM_SEC_IN_USE); 701 } 702 703 BTM_TRACE_API("BTM_SEC_REG[%d]: id %d, conn_type 0x%x, psm 0x%04x, proto_id %d, chan_id %d", 704 index, service_id, conn_type, psm, mx_proto_id, mx_chan_id); 705 706 BTM_TRACE_API(" : security_flags: 0x%04x, ucd_security_flags: 0x%04x", 707 p_srec->security_flags, p_srec->ucd_security_flags); 708 709#if BTM_SEC_SERVICE_NAME_LEN > 0 710 BTM_TRACE_API(" : service name [%s] (up to %d chars saved)", 711 p_name, BTM_SEC_SERVICE_NAME_LEN); 712#endif 713#else 714 p_srec->security_flags |= (UINT16)(sec_level | BTM_SEC_IN_USE); 715 716 BTM_TRACE_API("BTM_SEC_REG[%d]: id %d, is_orig %d, psm 0x%04x, proto_id %d, chan_id %d", 717 index, service_id, is_originator, psm, mx_proto_id, mx_chan_id); 718 719#if BTM_SEC_SERVICE_NAME_LEN > 0 720 BTM_TRACE_API(" : sec: 0x%x, service name [%s] (up to %d chars saved)", 721 p_srec->security_flags, p_name, BTM_SEC_SERVICE_NAME_LEN); 722#endif 723#endif 724 725 return(record_allocated); 726} 727 728/******************************************************************************* 729** 730** Function BTM_SecClrService 731** 732** Description Removes specified service record(s) from the security database. 733** All service records with the specified name are removed. 734** Typically used only by devices with limited RAM so that it can 735** reuse an old security service record. 736** 737** Note: Unpredictable results may occur if a service is cleared 738** that is still in use by an application/profile. 739** 740** Parameters Service ID - Id of the service to remove. ('0' removes all service 741** records (except SDP). 742** 743** Returns Number of records that were freed. 744** 745*******************************************************************************/ 746UINT8 BTM_SecClrService (UINT8 service_id) 747{ 748 tBTM_SEC_SERV_REC *p_srec = &btm_cb.sec_serv_rec[0]; 749 UINT8 num_freed = 0; 750 int i; 751 752 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_srec++) 753 { 754 /* Delete services with specified name (if in use and not SDP) */ 755 if ((p_srec->security_flags & BTM_SEC_IN_USE) && (p_srec->psm != BT_PSM_SDP) && 756 (!service_id || (service_id == p_srec->service_id))) 757 { 758 BTM_TRACE_API("BTM_SEC_CLR[%d]: id %d", i, service_id); 759 p_srec->security_flags = 0; 760#if (L2CAP_UCD_INCLUDED == TRUE) 761 p_srec->ucd_security_flags = 0; 762#endif 763 num_freed++; 764 } 765 } 766 767 return(num_freed); 768} 769 770/******************************************************************************* 771** 772** Function btm_sec_clr_service_by_psm 773** 774** Description Removes specified service record from the security database. 775** All service records with the specified psm are removed. 776** Typically used by L2CAP to free up the service record used 777** by dynamic PSM clients when the channel is closed. 778** The given psm must be a virtual psm. 779** 780** Parameters Service ID - Id of the service to remove. ('0' removes all service 781** records (except SDP). 782** 783** Returns Number of records that were freed. 784** 785*******************************************************************************/ 786UINT8 btm_sec_clr_service_by_psm (UINT16 psm) 787{ 788 tBTM_SEC_SERV_REC *p_srec = &btm_cb.sec_serv_rec[0]; 789 UINT8 num_freed = 0; 790 int i; 791 792 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_srec++) 793 { 794 /* Delete services with specified name (if in use and not SDP) */ 795 if ((p_srec->security_flags & BTM_SEC_IN_USE) && (p_srec->psm == psm) ) 796 { 797 BTM_TRACE_API("BTM_SEC_CLR[%d]: id %d ", i, p_srec->service_id); 798 p_srec->security_flags = 0; 799 num_freed++; 800 } 801 } 802 BTM_TRACE_API("btm_sec_clr_service_by_psm psm:0x%x num_freed:%d", psm, num_freed); 803 804 return(num_freed); 805} 806 807/******************************************************************************* 808** 809** Function btm_sec_clr_temp_auth_service 810** 811** Description Removes specified device record's temporary authorization 812** flag from the security database. 813** 814** Parameters Device address to be cleared 815** 816** Returns void. 817** 818*******************************************************************************/ 819void btm_sec_clr_temp_auth_service (BD_ADDR bda) 820{ 821 tBTM_SEC_DEV_REC *p_dev_rec; 822 823 if ((p_dev_rec = btm_find_dev (bda)) == NULL) 824 { 825 BTM_TRACE_WARNING ("btm_sec_clr_temp_auth_service() - no dev CB"); 826 return; 827 } 828 829 /* Reset the temporary authorized flag so that next time (untrusted) service is accessed autorization will take place */ 830 if (p_dev_rec->last_author_service_id != BTM_SEC_NO_LAST_SERVICE_ID && p_dev_rec->p_cur_service) 831 { 832 BTM_TRACE_DEBUG ("btm_sec_clr_auth_service_by_psm [clearing device: %02x:%02x:%02x:%02x:%02x:%02x]", 833 bda[0], bda[1], bda[2], bda[3], bda[4], bda[5]); 834 835 p_dev_rec->last_author_service_id = BTM_SEC_NO_LAST_SERVICE_ID; 836 } 837} 838 839/******************************************************************************* 840** 841** Function BTM_PINCodeReply 842** 843** Description This function is called after Security Manager submitted 844** PIN code request to the UI. 845** 846** Parameters: bd_addr - Address of the device for which PIN was requested 847** res - result of the operation BTM_SUCCESS if success 848** pin_len - length in bytes of the PIN Code 849** p_pin - pointer to array with the PIN Code 850** trusted_mask - bitwise OR of trusted services (array of UINT32) 851** 852*******************************************************************************/ 853void BTM_PINCodeReply (BD_ADDR bd_addr, UINT8 res, UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[]) 854{ 855 tBTM_SEC_DEV_REC *p_dev_rec; 856 857 BTM_TRACE_API ("BTM_PINCodeReply(): PairState: %s PairFlags: 0x%02x PinLen:%d Result:%d", 858 btm_pair_state_descr(btm_cb.pairing_state), btm_cb.pairing_flags, pin_len, res); 859 860 /* If timeout already expired or has been canceled, ignore the reply */ 861 if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_PIN) 862 { 863 BTM_TRACE_WARNING ("BTM_PINCodeReply() - Wrong State: %d", btm_cb.pairing_state); 864 return; 865 } 866 867 if (memcmp (bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN) != 0) 868 { 869 BTM_TRACE_ERROR ("BTM_PINCodeReply() - Wrong BD Addr"); 870 return; 871 } 872 873 if ((p_dev_rec = btm_find_dev (bd_addr)) == NULL) 874 { 875 BTM_TRACE_ERROR ("BTM_PINCodeReply() - no dev CB"); 876 return; 877 } 878 879 if ( (pin_len > PIN_CODE_LEN) || (pin_len == 0) || (p_pin == NULL) ) 880 res = BTM_ILLEGAL_VALUE; 881 882 if (res != BTM_SUCCESS) 883 { 884 /* if peer started dd OR we started dd and pre-fetch pin was not used send negative reply */ 885 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PEER_STARTED_DD) || 886 ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) && 887 (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)) ) 888 { 889 /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed event */ 890 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE); 891 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY; 892 893 btsnd_hcic_pin_code_neg_reply (bd_addr); 894 } 895 else 896 { 897 p_dev_rec->security_required = BTM_SEC_NONE; 898 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 899 } 900 return; 901 } 902 if (trusted_mask) 903 BTM_SEC_COPY_TRUSTED_DEVICE(trusted_mask, p_dev_rec->trusted_mask); 904 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED; 905 if (pin_len >= 16) { 906 p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED; 907 } 908 909 if ( (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) 910 && (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE) 911 && (btm_cb.security_mode_changed == FALSE) ) 912 { 913 /* This is start of the dedicated bonding if local device is 2.0 */ 914 btm_cb.pin_code_len = pin_len; 915 p_dev_rec->pin_code_length = pin_len; 916 memcpy (btm_cb.pin_code, p_pin, pin_len); 917 918 btm_cb.security_mode_changed = TRUE; 919#ifdef APPL_AUTH_WRITE_EXCEPTION 920 if(!(APPL_AUTH_WRITE_EXCEPTION)(p_dev_rec->bd_addr)) 921#endif 922 btsnd_hcic_write_auth_enable (TRUE); 923 924 btm_cb.acl_disc_reason = 0xff ; 925 926 /* if we rejected incoming connection request, we have to wait HCI_Connection_Complete event */ 927 /* before originating */ 928 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT) 929 { 930 BTM_TRACE_WARNING ("BTM_PINCodeReply(): waiting HCI_Connection_Complete after rejected incoming connection"); 931 /* we change state little bit early so btm_sec_connected() will originate connection */ 932 /* when existing ACL link is down completely */ 933 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ); 934 } 935 /* if we already accepted incoming connection from pairing device */ 936 else if (p_dev_rec->sm4 & BTM_SM4_CONN_PEND) 937 { 938 BTM_TRACE_WARNING ("BTM_PINCodeReply(): link is connecting so wait pin code request from peer"); 939 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ); 940 } 941 else if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED) 942 { 943 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 944 p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_AUTHED; 945 946 if (btm_cb.api.p_auth_complete_callback) 947 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class, 948 p_dev_rec->sec_bd_name, HCI_ERR_AUTH_FAILURE); 949 } 950 return; 951 } 952 953 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE); 954 btm_cb.acl_disc_reason = HCI_SUCCESS; 955 956 btsnd_hcic_pin_code_req_reply (bd_addr, pin_len, p_pin); 957} 958 959/******************************************************************************* 960** 961** Function btm_sec_bond_by_transport 962** 963** Description this is the bond function that will start either SSP or SMP. 964** 965** Parameters: bd_addr - Address of the device to bond 966** pin_len - length in bytes of the PIN Code 967** p_pin - pointer to array with the PIN Code 968** trusted_mask - bitwise OR of trusted services (array of UINT32) 969** 970** Note: After 2.1 parameters are not used and preserved here not to change API 971*******************************************************************************/ 972tBTM_STATUS btm_sec_bond_by_transport (BD_ADDR bd_addr, tBT_TRANSPORT transport, 973 UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[]) 974{ 975 tBTM_SEC_DEV_REC *p_dev_rec; 976 tBTM_STATUS status; 977 UINT8 *p_features; 978 UINT8 ii; 979 tACL_CONN *p= btm_bda_to_acl(bd_addr, transport); 980 BTM_TRACE_API ("btm_sec_bond_by_transport BDA: %02x:%02x:%02x:%02x:%02x:%02x", 981 bd_addr[0], bd_addr[1], bd_addr[2], bd_addr[3], bd_addr[4], bd_addr[5]); 982 983 BTM_TRACE_DEBUG("btm_sec_bond_by_transport: Transport used %d" , transport); 984 985 /* Other security process is in progress */ 986 if (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) 987 { 988 BTM_TRACE_ERROR ("BTM_SecBond: already busy in state: %s", btm_pair_state_descr(btm_cb.pairing_state)); 989 return(BTM_WRONG_MODE); 990 } 991 992 if ((p_dev_rec = btm_find_or_alloc_dev (bd_addr)) == NULL) 993 { 994 return(BTM_NO_RESOURCES); 995 } 996 997 BTM_TRACE_DEBUG ("before update sec_flags=0x%x", p_dev_rec->sec_flags); 998 999 /* Finished if connection is active and already paired */ 1000 if ( ((p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE) && transport == BT_TRANSPORT_BR_EDR 1001 && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)) 1002#if (BLE_INCLUDED == TRUE) 1003 ||((p_dev_rec->ble_hci_handle != BTM_SEC_INVALID_HANDLE) && transport == BT_TRANSPORT_LE 1004 && (p_dev_rec->sec_flags & BTM_SEC_LE_AUTHENTICATED)) 1005#endif 1006 1007 ) 1008 { 1009 BTM_TRACE_WARNING("BTM_SecBond -> Already Paired"); 1010 return(BTM_SUCCESS); 1011 } 1012 1013 /* Tell controller to get rid of the link key if it has one stored */ 1014 if ((BTM_DeleteStoredLinkKey (bd_addr, NULL)) != BTM_SUCCESS) 1015 return(BTM_NO_RESOURCES); 1016 1017 /* Save the PIN code if we got a valid one */ 1018 if (p_pin && (pin_len <= PIN_CODE_LEN) && (pin_len != 0)) 1019 { 1020 btm_cb.pin_code_len = pin_len; 1021 p_dev_rec->pin_code_length = pin_len; 1022 memcpy (btm_cb.pin_code, p_pin, PIN_CODE_LEN); 1023 } 1024 1025 memcpy (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN); 1026 1027 btm_cb.pairing_flags = BTM_PAIR_FLAGS_WE_STARTED_DD; 1028 1029 p_dev_rec->security_required = BTM_SEC_OUT_AUTHENTICATE; 1030 p_dev_rec->is_originator = TRUE; 1031 if (trusted_mask) 1032 BTM_SEC_COPY_TRUSTED_DEVICE(trusted_mask, p_dev_rec->trusted_mask); 1033 1034#if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE 1035 if (transport == BT_TRANSPORT_LE) 1036 { 1037 btm_ble_init_pseudo_addr (p_dev_rec, bd_addr); 1038 p_dev_rec->sec_flags &= ~ BTM_SEC_LE_MASK; 1039 1040 if (SMP_Pair(bd_addr) == SMP_STARTED) 1041 { 1042 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_LE_ACTIVE; 1043 p_dev_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING; 1044 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE); 1045 return BTM_CMD_STARTED; 1046 } 1047 1048 btm_cb.pairing_flags = 0; 1049 return(BTM_NO_RESOURCES); 1050 } 1051#endif 1052 1053 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED 1054 | BTM_SEC_ROLE_SWITCHED | BTM_SEC_LINK_KEY_AUTHED); 1055 1056 BTM_TRACE_DEBUG ("after update sec_flags=0x%x", p_dev_rec->sec_flags); 1057 if (!controller_get_interface()->supports_simple_pairing()) 1058 { 1059 /* The special case when we authenticate keyboard. Set pin type to fixed */ 1060 /* It would be probably better to do it from the application, but it is */ 1061 /* complicated */ 1062 if (((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) == BTM_COD_MAJOR_PERIPHERAL) 1063 && (p_dev_rec->dev_class[2] & BTM_COD_MINOR_KEYBOARD) 1064 && (btm_cb.cfg.pin_type != HCI_PIN_TYPE_FIXED)) 1065 { 1066 btm_cb.pin_type_changed = TRUE; 1067 btsnd_hcic_write_pin_type (HCI_PIN_TYPE_FIXED); 1068 } 1069 } 1070 1071 for (ii = 0; ii <= HCI_EXT_FEATURES_PAGE_MAX; ii++) 1072 { 1073 p_features = p_dev_rec->features[ii]; 1074 BTM_TRACE_EVENT(" remote_features page[%1d] = %02x-%02x-%02x-%02x", 1075 ii, p_features[0], p_features[1], p_features[2], p_features[3]); 1076 BTM_TRACE_EVENT(" %02x-%02x-%02x-%02x", 1077 p_features[4], p_features[5], p_features[6], p_features[7]); 1078 } 1079 1080 BTM_TRACE_EVENT ("BTM_SecBond: Remote sm4: 0x%x HCI Handle: 0x%04x", p_dev_rec->sm4, p_dev_rec->hci_handle); 1081 1082#if BTM_SEC_FORCE_RNR_FOR_DBOND == TRUE 1083 p_dev_rec->sec_flags &= ~BTM_SEC_NAME_KNOWN; 1084#endif 1085 1086 /* If connection already exists... */ 1087 if (p && p->hci_handle != BTM_SEC_INVALID_HANDLE) 1088 { 1089 if (!btm_sec_start_authentication (p_dev_rec)) 1090 return(BTM_NO_RESOURCES); 1091 1092 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ); 1093 1094 /* Mark lcb as bonding */ 1095 l2cu_update_lcb_4_bonding (bd_addr, TRUE); 1096 return(BTM_CMD_STARTED); 1097 } 1098 1099 BTM_TRACE_DEBUG ("sec mode: %d sm4:x%x", btm_cb.security_mode, p_dev_rec->sm4); 1100 if (!controller_get_interface()->supports_simple_pairing() 1101 || (p_dev_rec->sm4 == BTM_SM4_KNOWN)) 1102 { 1103 if ( btm_sec_check_prefetch_pin (p_dev_rec) ) 1104 return (BTM_CMD_STARTED); 1105 } 1106 if ((btm_cb.security_mode == BTM_SEC_MODE_SP || 1107 btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG || 1108 btm_cb.security_mode == BTM_SEC_MODE_SC) && 1109 BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4)) 1110 { 1111 /* local is 2.1 and peer is unknown */ 1112 if ((p_dev_rec->sm4 & BTM_SM4_CONN_PEND) == 0) 1113 { 1114 /* we are not accepting connection request from peer 1115 * -> RNR (to learn if peer is 2.1) 1116 * RNR when no ACL causes HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT */ 1117 btm_sec_change_pairing_state (BTM_PAIR_STATE_GET_REM_NAME); 1118 BTM_ReadRemoteDeviceName(bd_addr, NULL, BT_TRANSPORT_BR_EDR); 1119 } 1120 else 1121 { 1122 /* We are accepting connection request from peer */ 1123 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ); 1124 } 1125 BTM_TRACE_DEBUG ("State:%s sm4: 0x%x sec_state:%d", 1126 btm_pair_state_descr (btm_cb.pairing_state), p_dev_rec->sm4, p_dev_rec->sec_state); 1127 return BTM_CMD_STARTED; 1128 } 1129 1130 /* both local and peer are 2.1 */ 1131 status = btm_sec_dd_create_conn(p_dev_rec); 1132 1133 if (status != BTM_CMD_STARTED) 1134 { 1135 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 1136 } 1137 1138 return status; 1139} 1140 1141/******************************************************************************* 1142** 1143** Function BTM_SecBondByTransport 1144** 1145** Description This function is called to perform bonding with peer device. 1146** If the connection is already up, but not secure, pairing 1147** is attempted. If already paired BTM_SUCCESS is returned. 1148** 1149** Parameters: bd_addr - Address of the device to bond 1150** transport - doing SSP over BR/EDR or SMP over LE 1151** pin_len - length in bytes of the PIN Code 1152** p_pin - pointer to array with the PIN Code 1153** trusted_mask - bitwise OR of trusted services (array of UINT32) 1154** 1155** Note: After 2.1 parameters are not used and preserved here not to change API 1156*******************************************************************************/ 1157tBTM_STATUS BTM_SecBondByTransport (BD_ADDR bd_addr, tBT_TRANSPORT transport, 1158 UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[]) 1159{ 1160#if SMP_INCLUDED == TRUE 1161 tBT_DEVICE_TYPE dev_type; 1162 tBLE_ADDR_TYPE addr_type; 1163 1164 BTM_ReadDevInfo(bd_addr, &dev_type, &addr_type); 1165 /* LE device, do SMP pairing */ 1166 if ((transport == BT_TRANSPORT_LE && (dev_type & BT_DEVICE_TYPE_BLE) == 0) || 1167 (transport == BT_TRANSPORT_BR_EDR && (dev_type & BT_DEVICE_TYPE_BREDR) == 0)) 1168 { 1169 return BTM_ILLEGAL_ACTION; 1170 } 1171#endif 1172 return btm_sec_bond_by_transport(bd_addr, transport, pin_len, p_pin, trusted_mask); 1173} 1174 1175/******************************************************************************* 1176** 1177** Function BTM_SecBond 1178** 1179** Description This function is called to perform bonding with peer device. 1180** If the connection is already up, but not secure, pairing 1181** is attempted. If already paired BTM_SUCCESS is returned. 1182** 1183** Parameters: bd_addr - Address of the device to bond 1184** pin_len - length in bytes of the PIN Code 1185** p_pin - pointer to array with the PIN Code 1186** trusted_mask - bitwise OR of trusted services (array of UINT32) 1187** 1188** Note: After 2.1 parameters are not used and preserved here not to change API 1189*******************************************************************************/ 1190tBTM_STATUS BTM_SecBond (BD_ADDR bd_addr, UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[]) 1191{ 1192 tBT_TRANSPORT transport = BT_TRANSPORT_BR_EDR; 1193#if BLE_INCLUDED == TRUE 1194 if (BTM_UseLeLink(bd_addr)) 1195 transport = BT_TRANSPORT_LE; 1196#endif 1197 return btm_sec_bond_by_transport(bd_addr, transport, pin_len, p_pin, trusted_mask); 1198} 1199/******************************************************************************* 1200** 1201** Function BTM_SecBondCancel 1202** 1203** Description This function is called to cancel ongoing bonding process 1204** with peer device. 1205** 1206** Parameters: bd_addr - Address of the peer device 1207** transport - FALSE for BR/EDR link; TRUE for LE link 1208** 1209*******************************************************************************/ 1210tBTM_STATUS BTM_SecBondCancel (BD_ADDR bd_addr) 1211{ 1212 tBTM_SEC_DEV_REC *p_dev_rec; 1213 1214 BTM_TRACE_API ("BTM_SecBondCancel() State: %s flags:0x%x", 1215 btm_pair_state_descr (btm_cb.pairing_state), btm_cb.pairing_flags); 1216 1217 if (((p_dev_rec = btm_find_dev (bd_addr)) == NULL) 1218 || (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) ) 1219 return BTM_UNKNOWN_ADDR; 1220 1221#if SMP_INCLUDED == TRUE 1222 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_LE_ACTIVE) 1223 { 1224 if (p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING) 1225 { 1226 BTM_TRACE_DEBUG ("Cancel LE pairing"); 1227 if (SMP_PairCancel(bd_addr)) 1228 { 1229 return BTM_CMD_STARTED; 1230 } 1231 } 1232 return BTM_WRONG_MODE; 1233 } 1234 1235#endif 1236 BTM_TRACE_DEBUG ("hci_handle:0x%x sec_state:%d", p_dev_rec->hci_handle, p_dev_rec->sec_state ); 1237 if (BTM_PAIR_STATE_WAIT_LOCAL_PIN == btm_cb.pairing_state && 1238 BTM_PAIR_FLAGS_WE_STARTED_DD & btm_cb.pairing_flags) 1239 { 1240 /* pre-fetching pin for dedicated bonding */ 1241 btm_sec_bond_cancel_complete(); 1242 return BTM_SUCCESS; 1243 } 1244 1245 /* If this BDA is in a bonding procedure */ 1246 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) 1247 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)) 1248 { 1249 /* If the HCI link is up */ 1250 if (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE) 1251 { 1252 /* If some other thread disconnecting, we do not send second command */ 1253 if ((p_dev_rec->sec_state == BTM_SEC_STATE_DISCONNECTING) || 1254 (p_dev_rec->sec_state == BTM_SEC_STATE_DISCONNECTING_BOTH)) 1255 return(BTM_CMD_STARTED); 1256 1257 /* If the HCI link was set up by Bonding process */ 1258 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE) 1259 return btm_sec_send_hci_disconnect(p_dev_rec, HCI_ERR_PEER_USER, p_dev_rec->hci_handle); 1260 else 1261 l2cu_update_lcb_4_bonding(bd_addr, FALSE); 1262 1263 return BTM_NOT_AUTHORIZED; 1264 } 1265 else /*HCI link is not up */ 1266 { 1267 /* If the HCI link creation was started by Bonding process */ 1268 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE) 1269 { 1270 if (btsnd_hcic_create_conn_cancel(bd_addr)) 1271 return BTM_CMD_STARTED; 1272 1273 return BTM_NO_RESOURCES; 1274 } 1275 if (btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME) 1276 { 1277 BTM_CancelRemoteDeviceName(); 1278 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_WE_CANCEL_DD; 1279 return BTM_CMD_STARTED; 1280 } 1281 return BTM_NOT_AUTHORIZED; 1282 } 1283 } 1284 1285 return BTM_WRONG_MODE; 1286} 1287 1288/******************************************************************************* 1289** 1290** Function BTM_SecGetDeviceLinkKey 1291** 1292** Description This function is called to obtain link key for the device 1293** it returns BTM_SUCCESS if link key is available, or 1294** BTM_UNKNOWN_ADDR if Security Manager does not know about 1295** the device or device record does not contain link key info 1296** 1297** Parameters: bd_addr - Address of the device 1298** link_key - Link Key is copied into this array 1299** 1300*******************************************************************************/ 1301tBTM_STATUS BTM_SecGetDeviceLinkKey (BD_ADDR bd_addr, LINK_KEY link_key) 1302{ 1303 tBTM_SEC_DEV_REC *p_dev_rec; 1304 1305 if (((p_dev_rec = btm_find_dev (bd_addr)) != NULL) 1306 && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)) 1307 { 1308 memcpy (link_key, p_dev_rec->link_key, LINK_KEY_LEN); 1309 return(BTM_SUCCESS); 1310 } 1311 return(BTM_UNKNOWN_ADDR); 1312} 1313 1314/******************************************************************************* 1315** 1316** Function BTM_SecGetDeviceLinkKeyType 1317** 1318** Description This function is called to obtain link key type for the 1319** device. 1320** it returns BTM_SUCCESS if link key is available, or 1321** BTM_UNKNOWN_ADDR if Security Manager does not know about 1322** the device or device record does not contain link key info 1323** 1324** Returns BTM_LKEY_TYPE_IGNORE if link key is unknown, link type 1325** otherwise. 1326** 1327*******************************************************************************/ 1328tBTM_LINK_KEY_TYPE BTM_SecGetDeviceLinkKeyType (BD_ADDR bd_addr) 1329{ 1330 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr); 1331 1332 if ((p_dev_rec != NULL) && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)) 1333 { 1334 return p_dev_rec->link_key_type; 1335 } 1336 return BTM_LKEY_TYPE_IGNORE; 1337} 1338 1339/******************************************************************************* 1340** 1341** Function BTM_SetEncryption 1342** 1343** Description This function is called to ensure that connection is 1344** encrypted. Should be called only on an open connection. 1345** Typically only needed for connections that first want to 1346** bring up unencrypted links, then later encrypt them. 1347** 1348** Parameters: bd_addr - Address of the peer device 1349** transport - Link transport 1350** p_callback - Pointer to callback function called if 1351** this function returns PENDING after required 1352** procedures are completed. Can be set to NULL 1353** if status is not desired. 1354** p_ref_data - pointer to any data the caller wishes to receive 1355** in the callback function upon completion. 1356** can be set to NULL if not used. 1357** sec_act - LE security action, unused for BR/EDR 1358** 1359** Returns BTM_SUCCESS - already encrypted 1360** BTM_PENDING - command will be returned in the callback 1361** BTM_WRONG_MODE- connection not up. 1362** BTM_BUSY - security procedures are currently active 1363** BTM_MODE_UNSUPPORTED - if security manager not linked in. 1364** 1365*******************************************************************************/ 1366tBTM_STATUS BTM_SetEncryption (BD_ADDR bd_addr, tBT_TRANSPORT transport, tBTM_SEC_CBACK *p_callback, 1367 void *p_ref_data, tBTM_BLE_SEC_ACT sec_act) 1368{ 1369 tBTM_STATUS rc = 0; 1370 1371 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr); 1372 if (!p_dev_rec || 1373 (transport == BT_TRANSPORT_BR_EDR && p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE) 1374#if BLE_INCLUDED == TRUE 1375 || (transport == BT_TRANSPORT_LE && p_dev_rec->ble_hci_handle == BTM_SEC_INVALID_HANDLE) 1376#endif 1377 ) 1378 { 1379 /* Connection should be up and runnning */ 1380 BTM_TRACE_WARNING ("Security Manager: BTM_SetEncryption not connected"); 1381 1382 if (p_callback) 1383 (*p_callback) (bd_addr, transport, p_ref_data, BTM_WRONG_MODE); 1384 1385 return(BTM_WRONG_MODE); 1386 } 1387 1388 if (transport == BT_TRANSPORT_BR_EDR && 1389 (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)) 1390 { 1391 BTM_TRACE_EVENT ("Security Manager: BTM_SetEncryption already encrypted"); 1392 1393 if (p_callback) 1394 (*p_callback) (bd_addr, transport, p_ref_data, BTM_SUCCESS); 1395 1396 return(BTM_SUCCESS); 1397 } 1398 1399 /* enqueue security request if security is active */ 1400 if (p_dev_rec->p_callback || (p_dev_rec->sec_state != BTM_SEC_STATE_IDLE)) 1401 { 1402 BTM_TRACE_WARNING ("Security Manager: BTM_SetEncryption busy, enqueue request"); 1403 1404 if (btm_sec_queue_encrypt_request(bd_addr, transport, p_callback, p_ref_data, sec_act)) 1405 { 1406 return BTM_CMD_STARTED; 1407 } 1408 else 1409 { 1410 if (p_callback) 1411 (*p_callback) (bd_addr, transport, p_ref_data, BTM_NO_RESOURCES); 1412 return BTM_NO_RESOURCES; 1413 } 1414 } 1415 1416 p_dev_rec->p_callback = p_callback; 1417 p_dev_rec->p_ref_data = p_ref_data; 1418 p_dev_rec->security_required |= (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT); 1419 p_dev_rec->is_originator = FALSE; 1420 1421 BTM_TRACE_API ("Security Manager: BTM_SetEncryption Handle:%d State:%d Flags:0x%x Required:0x%x", 1422 p_dev_rec->hci_handle, p_dev_rec->sec_state, p_dev_rec->sec_flags, 1423 p_dev_rec->security_required); 1424 1425#if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE 1426 if (transport == BT_TRANSPORT_LE) 1427 { 1428 tACL_CONN *p = btm_bda_to_acl(bd_addr, transport); 1429 if (p) 1430 { 1431 rc = btm_ble_set_encryption(bd_addr, sec_act, p->link_role); 1432 } 1433 else 1434 { 1435 rc = BTM_WRONG_MODE; 1436 BTM_TRACE_WARNING("%s: cannot call btm_ble_set_encryption, p is NULL", __FUNCTION__); 1437 } 1438 } 1439 else 1440#endif 1441 rc = btm_sec_execute_procedure (p_dev_rec); 1442 1443 if (rc != BTM_CMD_STARTED && rc != BTM_BUSY) 1444 { 1445 if (p_callback) 1446 { 1447 p_dev_rec->p_callback = NULL; 1448 (*p_callback) (bd_addr, transport, p_dev_rec->p_ref_data, rc); 1449 } 1450 } 1451 1452 return(rc); 1453} 1454 1455/******************************************************************************* 1456 * disconnect the ACL link, if it's not done yet. 1457*******************************************************************************/ 1458static tBTM_STATUS btm_sec_send_hci_disconnect (tBTM_SEC_DEV_REC *p_dev_rec, UINT8 reason, UINT16 conn_handle) 1459{ 1460 UINT8 old_state = p_dev_rec->sec_state; 1461 tBTM_STATUS status = BTM_CMD_STARTED; 1462 1463 BTM_TRACE_EVENT ("btm_sec_send_hci_disconnect: handle:0x%x, reason=0x%x", 1464 conn_handle, reason); 1465 1466 /* send HCI_Disconnect on a transport only once */ 1467 switch (old_state) 1468 { 1469 case BTM_SEC_STATE_DISCONNECTING: 1470 if (conn_handle == p_dev_rec->hci_handle) 1471 return status; 1472 1473 p_dev_rec->sec_state = BTM_SEC_STATE_DISCONNECTING_BOTH; 1474 break; 1475 1476#if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE 1477 case BTM_SEC_STATE_DISCONNECTING_BLE: 1478 if (conn_handle == p_dev_rec->ble_hci_handle) 1479 return status; 1480 1481 p_dev_rec->sec_state = BTM_SEC_STATE_DISCONNECTING_BOTH; 1482 break; 1483 1484 case BTM_SEC_STATE_DISCONNECTING_BOTH: 1485 return status; 1486#endif 1487 1488 default: 1489 p_dev_rec->sec_state = (conn_handle == p_dev_rec->hci_handle) ? 1490 BTM_SEC_STATE_DISCONNECTING : BTM_SEC_STATE_DISCONNECTING_BLE; 1491 1492 break; 1493 } 1494 1495 /* If a role switch is in progress, delay the HCI Disconnect to avoid controller problem */ 1496 if (p_dev_rec->rs_disc_pending == BTM_SEC_RS_PENDING && p_dev_rec->hci_handle == conn_handle) 1497 { 1498 BTM_TRACE_DEBUG("RS in progress - Set DISC Pending flag in btm_sec_send_hci_disconnect to delay disconnect"); 1499 p_dev_rec->rs_disc_pending = BTM_SEC_DISC_PENDING; 1500 status = BTM_SUCCESS; 1501 } 1502 /* Tear down the HCI link */ 1503 else if (!btsnd_hcic_disconnect (conn_handle, reason)) 1504 { 1505 /* could not send disconnect. restore old state */ 1506 p_dev_rec->sec_state = old_state; 1507 status = BTM_NO_RESOURCES; 1508 } 1509 1510 return status; 1511} 1512 1513/******************************************************************************* 1514** 1515** Function BTM_ConfirmReqReply 1516** 1517** Description This function is called to confirm the numeric value for 1518** Simple Pairing in response to BTM_SP_CFM_REQ_EVT 1519** 1520** Parameters: res - result of the operation BTM_SUCCESS if success 1521** bd_addr - Address of the peer device 1522** 1523*******************************************************************************/ 1524void BTM_ConfirmReqReply(tBTM_STATUS res, BD_ADDR bd_addr) 1525{ 1526 tBTM_SEC_DEV_REC *p_dev_rec; 1527 1528 BTM_TRACE_EVENT ("BTM_ConfirmReqReply() State: %s Res: %u", 1529 btm_pair_state_descr(btm_cb.pairing_state), res); 1530 1531 /* If timeout already expired or has been canceled, ignore the reply */ 1532 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM) 1533 || (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) ) 1534 return; 1535 1536 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE); 1537 1538 if ( (res == BTM_SUCCESS) || (res == BTM_SUCCESS_NO_SECURITY) ) 1539 { 1540 btm_cb.acl_disc_reason = HCI_SUCCESS; 1541 1542 if (res == BTM_SUCCESS) 1543 { 1544 if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL) 1545 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED; 1546 p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED; 1547 } 1548 1549 btsnd_hcic_user_conf_reply (bd_addr, TRUE); 1550 } 1551 else 1552 { 1553 /* Report authentication failed event from state BTM_PAIR_STATE_WAIT_AUTH_COMPLETE */ 1554 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY; 1555 btsnd_hcic_user_conf_reply (bd_addr, FALSE); 1556 } 1557} 1558 1559/******************************************************************************* 1560** 1561** Function BTM_PasskeyReqReply 1562** 1563** Description This function is called to provide the passkey for 1564** Simple Pairing in response to BTM_SP_KEY_REQ_EVT 1565** 1566** Parameters: res - result of the operation BTM_SUCCESS if success 1567** bd_addr - Address of the peer device 1568** passkey - numeric value in the range of 1569** BTM_MIN_PASSKEY_VAL(0) - BTM_MAX_PASSKEY_VAL(999999(0xF423F)). 1570** 1571*******************************************************************************/ 1572#if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE) 1573void BTM_PasskeyReqReply(tBTM_STATUS res, BD_ADDR bd_addr, UINT32 passkey) 1574{ 1575 BTM_TRACE_API ("BTM_PasskeyReqReply: State: %s res:%d", 1576 btm_pair_state_descr(btm_cb.pairing_state), res); 1577 1578 if ( (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE) 1579 || (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) ) 1580 { 1581 return; 1582 } 1583 1584 /* If timeout already expired or has been canceled, ignore the reply */ 1585 if ( (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_AUTH_COMPLETE) && (res != BTM_SUCCESS) ) 1586 { 1587 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr); 1588 if (p_dev_rec != NULL) 1589 { 1590 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY; 1591 1592 if (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE) 1593 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE, p_dev_rec->hci_handle); 1594 else 1595 BTM_SecBondCancel(bd_addr); 1596 1597 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_AUTHED | BTM_SEC_LINK_KEY_KNOWN); 1598 1599 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 1600 return; 1601 } 1602 } 1603 else if (btm_cb.pairing_state != BTM_PAIR_STATE_KEY_ENTRY) 1604 return; 1605 1606 if (passkey > BTM_MAX_PASSKEY_VAL) 1607 res = BTM_ILLEGAL_VALUE; 1608 1609 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE); 1610 1611 if (res != BTM_SUCCESS) 1612 { 1613 /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed event */ 1614 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY; 1615 btsnd_hcic_user_passkey_neg_reply (bd_addr); 1616 } else { 1617 btm_cb.acl_disc_reason = HCI_SUCCESS; 1618 btsnd_hcic_user_passkey_reply (bd_addr, passkey); 1619 } 1620} 1621#endif 1622 1623/******************************************************************************* 1624** 1625** Function BTM_SendKeypressNotif 1626** 1627** Description This function is used during the passkey entry model 1628** by a device with KeyboardOnly IO capabilities 1629** (very likely to be a HID Device). 1630** It is called by a HID Device to inform the remote device when 1631** a key has been entered or erased. 1632** 1633** Parameters: bd_addr - Address of the peer device 1634** type - notification type 1635** 1636*******************************************************************************/ 1637#if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE) 1638void BTM_SendKeypressNotif(BD_ADDR bd_addr, tBTM_SP_KEY_TYPE type) 1639{ 1640 /* This API only make sense between PASSKEY_REQ and SP complete */ 1641 if (btm_cb.pairing_state == BTM_PAIR_STATE_KEY_ENTRY) 1642 btsnd_hcic_send_keypress_notif (bd_addr, type); 1643} 1644#endif 1645 1646/******************************************************************************* 1647** 1648** Function BTM_IoCapRsp 1649** 1650** Description This function is called in response to BTM_SP_IO_REQ_EVT 1651** When the event data io_req.oob_data is set to BTM_OOB_UNKNOWN 1652** by the tBTM_SP_CALLBACK implementation, this function is 1653** called to provide the actual response 1654** 1655** Parameters: bd_addr - Address of the peer device 1656** io_cap - The IO capability of local device. 1657** oob - BTM_OOB_NONE or BTM_OOB_PRESENT. 1658** auth_req- MITM protection required or not. 1659** 1660*******************************************************************************/ 1661void BTM_IoCapRsp(BD_ADDR bd_addr, tBTM_IO_CAP io_cap, tBTM_OOB_DATA oob, tBTM_AUTH_REQ auth_req) 1662{ 1663 BTM_TRACE_EVENT ("BTM_IoCapRsp: state: %s oob: %d io_cap: %d", 1664 btm_pair_state_descr(btm_cb.pairing_state), oob, io_cap); 1665 1666 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS) 1667 || (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) ) 1668 return; 1669 1670 if (oob < BTM_OOB_UNKNOWN && io_cap < BTM_IO_CAP_MAX) 1671 { 1672 btm_cb.devcb.loc_auth_req = auth_req; 1673 btm_cb.devcb.loc_io_caps = io_cap; 1674 1675 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) 1676 auth_req = (BTM_AUTH_DD_BOND | (auth_req&BTM_AUTH_YN_BIT)); 1677 1678 btsnd_hcic_io_cap_req_reply (bd_addr, io_cap, oob, auth_req); 1679 } 1680} 1681 1682/******************************************************************************* 1683** 1684** Function BTM_ReadLocalOobData 1685** 1686** Description This function is called to read the local OOB data from 1687** LM 1688** 1689*******************************************************************************/ 1690tBTM_STATUS BTM_ReadLocalOobData(void) 1691{ 1692 tBTM_STATUS status = BTM_SUCCESS; 1693 1694 if (btsnd_hcic_read_local_oob_data() == FALSE) 1695 status = BTM_NO_RESOURCES; 1696 1697 return status; 1698} 1699 1700/******************************************************************************* 1701** 1702** Function BTM_RemoteOobDataReply 1703** 1704** Description This function is called to provide the remote OOB data for 1705** Simple Pairing in response to BTM_SP_RMT_OOB_EVT 1706** 1707** Parameters: bd_addr - Address of the peer device 1708** c - simple pairing Hash C. 1709** r - simple pairing Randomizer C. 1710** 1711*******************************************************************************/ 1712void BTM_RemoteOobDataReply(tBTM_STATUS res, BD_ADDR bd_addr, BT_OCTET16 c, BT_OCTET16 r) 1713{ 1714 BTM_TRACE_EVENT ("%s() - State: %s res: %d", __func__, 1715 btm_pair_state_descr(btm_cb.pairing_state), res); 1716 1717 /* If timeout already expired or has been canceled, ignore the reply */ 1718 if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP) 1719 return; 1720 1721 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE); 1722 1723 if (res != BTM_SUCCESS) 1724 { 1725 /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed event */ 1726 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY; 1727 btsnd_hcic_rem_oob_neg_reply (bd_addr); 1728 } else { 1729 btm_cb.acl_disc_reason = HCI_SUCCESS; 1730 btsnd_hcic_rem_oob_reply (bd_addr, c, r); 1731 } 1732} 1733 1734/******************************************************************************* 1735** 1736** Function BTM_BuildOobData 1737** 1738** Description This function is called to build the OOB data payload to 1739** be sent over OOB (non-Bluetooth) link 1740** 1741** Parameters: p_data - the location for OOB data 1742** max_len - p_data size. 1743** c - simple pairing Hash C. 1744** r - simple pairing Randomizer C. 1745** name_len- 0, local device name would not be included. 1746** otherwise, the local device name is included for 1747** up to this specified length 1748** 1749** Returns Number of bytes in p_data. 1750** 1751*******************************************************************************/ 1752UINT16 BTM_BuildOobData(UINT8 *p_data, UINT16 max_len, BT_OCTET16 c, 1753 BT_OCTET16 r, UINT8 name_len) 1754{ 1755 UINT8 *p = p_data; 1756 UINT16 len = 0; 1757#if BTM_MAX_LOC_BD_NAME_LEN > 0 1758 UINT16 name_size; 1759 UINT8 name_type = BTM_EIR_SHORTENED_LOCAL_NAME_TYPE; 1760#endif 1761 1762 if (p_data && max_len >= BTM_OOB_MANDATORY_SIZE) 1763 { 1764 /* add mandatory part */ 1765 UINT16_TO_STREAM(p, len); 1766 BDADDR_TO_STREAM(p, controller_get_interface()->get_address()->address); 1767 1768 len = BTM_OOB_MANDATORY_SIZE; 1769 max_len -= len; 1770 1771 /* now optional part */ 1772 1773 /* add Hash C */ 1774 UINT16 delta = BTM_OOB_HASH_C_SIZE + 2; 1775 if (max_len >= delta) 1776 { 1777 *p++ = BTM_OOB_HASH_C_SIZE + 1; 1778 *p++ = BTM_EIR_OOB_SSP_HASH_C_TYPE; 1779 ARRAY_TO_STREAM(p, c, BTM_OOB_HASH_C_SIZE); 1780 len += delta; 1781 max_len -= delta; 1782 } 1783 1784 /* add Rand R */ 1785 delta = BTM_OOB_RAND_R_SIZE + 2; 1786 if (max_len >= delta) 1787 { 1788 *p++ = BTM_OOB_RAND_R_SIZE + 1; 1789 *p++ = BTM_EIR_OOB_SSP_RAND_R_TYPE; 1790 ARRAY_TO_STREAM(p, r, BTM_OOB_RAND_R_SIZE); 1791 len += delta; 1792 max_len -= delta; 1793 } 1794 1795 /* add class of device */ 1796 delta = BTM_OOB_COD_SIZE + 2; 1797 if (max_len >= delta) 1798 { 1799 *p++ = BTM_OOB_COD_SIZE + 1; 1800 *p++ = BTM_EIR_OOB_COD_TYPE; 1801 DEVCLASS_TO_STREAM(p, btm_cb.devcb.dev_class); 1802 len += delta; 1803 max_len -= delta; 1804 } 1805#if BTM_MAX_LOC_BD_NAME_LEN > 0 1806 name_size = name_len; 1807 if (name_size > strlen(btm_cb.cfg.bd_name)) 1808 { 1809 name_type = BTM_EIR_COMPLETE_LOCAL_NAME_TYPE; 1810 name_size = (UINT16)strlen(btm_cb.cfg.bd_name); 1811 } 1812 delta = name_size + 2; 1813 if (max_len >= delta) 1814 { 1815 *p++ = name_size + 1; 1816 *p++ = name_type; 1817 ARRAY_TO_STREAM (p, btm_cb.cfg.bd_name, name_size); 1818 len += delta; 1819 max_len -= delta; 1820 } 1821#endif 1822 /* update len */ 1823 p = p_data; 1824 UINT16_TO_STREAM(p, len); 1825 } 1826 return len; 1827} 1828 1829/******************************************************************************* 1830** 1831** Function BTM_BothEndsSupportSecureConnections 1832** 1833** Description This function is called to check if both the local device and the peer device 1834** specified by bd_addr support BR/EDR Secure Connections. 1835** 1836** Parameters: bd_addr - address of the peer 1837** 1838** Returns TRUE if BR/EDR Secure Connections are supported by both local 1839** and the remote device. 1840** else FALSE. 1841** 1842*******************************************************************************/ 1843BOOLEAN BTM_BothEndsSupportSecureConnections(BD_ADDR bd_addr) 1844{ 1845 return ((controller_get_interface()->supports_secure_connections()) && 1846 (BTM_PeerSupportsSecureConnections(bd_addr))); 1847} 1848 1849/******************************************************************************* 1850** 1851** Function BTM_PeerSupportsSecureConnections 1852** 1853** Description This function is called to check if the peer supports 1854** BR/EDR Secure Connections. 1855** 1856** Parameters: bd_addr - address of the peer 1857** 1858** Returns TRUE if BR/EDR Secure Connections are supported by the peer, 1859** else FALSE. 1860** 1861*******************************************************************************/ 1862BOOLEAN BTM_PeerSupportsSecureConnections(BD_ADDR bd_addr) 1863{ 1864 tBTM_SEC_DEV_REC *p_dev_rec; 1865 1866 if ((p_dev_rec = btm_find_dev(bd_addr)) == NULL) 1867 { 1868 BTM_TRACE_WARNING("%s: unknown BDA: %08x%04x", __FUNCTION__, 1869 (bd_addr[0]<<24) + (bd_addr[1]<<16) + (bd_addr[2]<<8) + bd_addr[3], 1870 (bd_addr[4]<< 8) + bd_addr[5]); 1871 return FALSE; 1872 } 1873 1874 return (p_dev_rec->remote_supports_secure_connections); 1875} 1876 1877/******************************************************************************* 1878** 1879** Function BTM_ReadOobData 1880** 1881** Description This function is called to parse the OOB data payload 1882** received over OOB (non-Bluetooth) link 1883** 1884** Parameters: p_data - the location for OOB data 1885** eir_tag - The associated EIR tag to read the data. 1886** *p_len(output) - the length of the data with the given tag. 1887** 1888** Returns the beginning of the data with the given tag. 1889** NULL, if the tag is not found. 1890** 1891*******************************************************************************/ 1892UINT8 * BTM_ReadOobData(UINT8 *p_data, UINT8 eir_tag, UINT8 *p_len) 1893{ 1894 UINT8 *p = p_data; 1895 UINT16 max_len; 1896 UINT8 len, type; 1897 UINT8 *p_ret = NULL; 1898 UINT8 ret_len = 0; 1899 1900 if (p_data) 1901 { 1902 STREAM_TO_UINT16(max_len, p); 1903 if (max_len >= BTM_OOB_MANDATORY_SIZE) 1904 { 1905 if (BTM_EIR_OOB_BD_ADDR_TYPE == eir_tag) 1906 { 1907 p_ret = p; /* the location for bd_addr */ 1908 ret_len = BTM_OOB_BD_ADDR_SIZE; 1909 } 1910 else 1911 { 1912 p += BD_ADDR_LEN; 1913 max_len -= BTM_OOB_MANDATORY_SIZE; 1914 /* now the optional data in EIR format */ 1915 while (max_len > 0) 1916 { 1917 len = *p++; /* tag data len + 1 */ 1918 type = *p++; 1919 if (eir_tag == type) 1920 { 1921 p_ret = p; 1922 ret_len = len - 1; 1923 break; 1924 } 1925 /* the data size of this tag is len + 1 (tag data len + 2) */ 1926 if (max_len > len) 1927 { 1928 max_len -= len; 1929 max_len--; 1930 len--; 1931 p += len; 1932 } 1933 else 1934 max_len = 0; 1935 } 1936 } 1937 } 1938 } 1939 1940 if (p_len) 1941 *p_len = ret_len; 1942 1943 return p_ret; 1944} 1945 1946/******************************************************************************* 1947** 1948** Function BTM_SetOutService 1949** 1950** Description This function is called to set the service for 1951** outgoing connections. 1952** 1953** If the profile/application calls BTM_SetSecurityLevel 1954** before initiating a connection, this function does not 1955** need to be called. 1956** 1957** Returns void 1958** 1959*******************************************************************************/ 1960void BTM_SetOutService(BD_ADDR bd_addr, UINT8 service_id, UINT32 mx_chan_id) 1961{ 1962 tBTM_SEC_DEV_REC *p_dev_rec; 1963 tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0]; 1964 1965 btm_cb.p_out_serv = p_serv_rec; 1966 p_dev_rec = btm_find_dev (bd_addr); 1967 1968 for (int i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++) 1969 { 1970 if ((p_serv_rec->security_flags & BTM_SEC_IN_USE) 1971 && (p_serv_rec->service_id == service_id) 1972 && (p_serv_rec->orig_mx_chan_id == mx_chan_id)) 1973 { 1974 BTM_TRACE_API("BTM_SetOutService p_out_serv id %d, psm 0x%04x, proto_id %d, chan_id %d", 1975 p_serv_rec->service_id, p_serv_rec->psm, p_serv_rec->mx_proto_id, p_serv_rec->orig_mx_chan_id); 1976 btm_cb.p_out_serv = p_serv_rec; 1977 if (p_dev_rec) 1978 p_dev_rec->p_cur_service = p_serv_rec; 1979 break; 1980 } 1981 } 1982} 1983 1984/************************************************************************ 1985** I N T E R N A L F U N C T I O N S 1986*************************************************************************/ 1987/******************************************************************************* 1988** 1989** Function btm_sec_is_upgrade_possible 1990** 1991** Description This function returns TRUE if the existing link key 1992** can be upgraded or if the link key does not exist. 1993** 1994** Returns BOOLEAN 1995** 1996*******************************************************************************/ 1997static BOOLEAN btm_sec_is_upgrade_possible(tBTM_SEC_DEV_REC *p_dev_rec, BOOLEAN is_originator) 1998{ 1999 UINT16 mtm_check = is_originator ? BTM_SEC_OUT_MITM : BTM_SEC_IN_MITM; 2000 BOOLEAN is_possible = TRUE; 2001 2002 if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) 2003 { 2004 is_possible = FALSE; 2005 if(p_dev_rec->p_cur_service) 2006 { 2007 BTM_TRACE_DEBUG ("%s() id: %d, link_key_typet: %d, rmt_io_caps: %d, chk flags: 0x%x, flags: 0x%x", 2008 __func__, p_dev_rec->p_cur_service->service_id, p_dev_rec->link_key_type, 2009 p_dev_rec->rmt_io_caps, mtm_check, p_dev_rec->p_cur_service->security_flags); 2010 } 2011 else 2012 { 2013 BTM_TRACE_DEBUG ("%s() link_key_typet: %d, rmt_io_caps: %d, chk flags: 0x%x", 2014 __func__, p_dev_rec->link_key_type, p_dev_rec->rmt_io_caps, mtm_check); 2015 } 2016 /* Already have a link key to the connected peer. Is the link key secure enough? 2017 ** Is a link key upgrade even possible? 2018 */ 2019 if ((p_dev_rec->security_required & mtm_check) /* needs MITM */ 2020 && ((p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB) || 2021 (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256)) 2022 /* has unauthenticated 2023 link key */ 2024 && (p_dev_rec->rmt_io_caps < BTM_IO_CAP_MAX) /* a valid peer IO cap */ 2025 && (btm_sec_io_map[p_dev_rec->rmt_io_caps][btm_cb.devcb.loc_io_caps])) 2026 /* authenticated 2027 link key is possible */ 2028 { 2029 /* upgrade is possible: check if the application wants the upgrade. 2030 * If the application is configured to use a global MITM flag, 2031 * it probably would not want to upgrade the link key based on the security level database */ 2032 is_possible = TRUE; 2033 } 2034 } 2035 BTM_TRACE_DEBUG ("%s() is_possible: %d sec_flags: 0x%x", __func__, is_possible, p_dev_rec->sec_flags); 2036 return is_possible; 2037} 2038 2039/******************************************************************************* 2040** 2041** Function btm_sec_check_upgrade 2042** 2043** Description This function is called to check if the existing link key 2044** needs to be upgraded. 2045** 2046** Returns void 2047** 2048*******************************************************************************/ 2049static void btm_sec_check_upgrade(tBTM_SEC_DEV_REC *p_dev_rec, BOOLEAN is_originator) 2050{ 2051 2052 BTM_TRACE_DEBUG ("%s()", __func__); 2053 2054 /* Only check if link key already exists */ 2055 if (!(p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)) 2056 return; 2057 2058 if (btm_sec_is_upgrade_possible (p_dev_rec, is_originator) == TRUE) 2059 { 2060 BTM_TRACE_DEBUG ("need upgrade!! sec_flags:0x%x", p_dev_rec->sec_flags); 2061 /* upgrade is possible: check if the application wants the upgrade. 2062 * If the application is configured to use a global MITM flag, 2063 * it probably would not want to upgrade the link key based on the security level database */ 2064 tBTM_SP_UPGRADE evt_data; 2065 memcpy (evt_data.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN); 2066 evt_data.upgrade = TRUE; 2067 if (btm_cb.api.p_sp_callback) 2068 (*btm_cb.api.p_sp_callback) (BTM_SP_UPGRADE_EVT, (tBTM_SP_EVT_DATA *)&evt_data); 2069 2070 BTM_TRACE_DEBUG ("evt_data.upgrade:0x%x", evt_data.upgrade); 2071 if (evt_data.upgrade) 2072 { 2073 /* if the application confirms the upgrade, set the upgrade bit */ 2074 p_dev_rec->sm4 |= BTM_SM4_UPGRADE; 2075 2076 /* Clear the link key known to go through authentication/pairing again */ 2077 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED); 2078 p_dev_rec->sec_flags &= ~BTM_SEC_AUTHENTICATED; 2079 BTM_TRACE_DEBUG ("sec_flags:0x%x", p_dev_rec->sec_flags); 2080 } 2081 } 2082} 2083 2084/******************************************************************************* 2085** 2086** Function btm_sec_l2cap_access_req 2087** 2088** Description This function is called by the L2CAP to grant permission to 2089** establish L2CAP connection to or from the peer device. 2090** 2091** Parameters: bd_addr - Address of the peer device 2092** psm - L2CAP PSM 2093** is_originator - TRUE if protocol above L2CAP originates 2094** connection 2095** p_callback - Pointer to callback function called if 2096** this function returns PENDING after required 2097** procedures are complete. MUST NOT BE NULL. 2098** 2099** Returns tBTM_STATUS 2100** 2101*******************************************************************************/ 2102tBTM_STATUS btm_sec_l2cap_access_req (BD_ADDR bd_addr, UINT16 psm, UINT16 handle, 2103 CONNECTION_TYPE conn_type, 2104 tBTM_SEC_CALLBACK *p_callback, 2105 void *p_ref_data) 2106{ 2107 tBTM_SEC_DEV_REC *p_dev_rec; 2108 tBTM_SEC_SERV_REC *p_serv_rec; 2109 UINT16 security_required; 2110 UINT16 old_security_required; 2111 BOOLEAN old_is_originator; 2112 tBTM_STATUS rc = BTM_SUCCESS; 2113 BOOLEAN chk_acp_auth_done = FALSE; 2114 BOOLEAN is_originator; 2115 tBT_TRANSPORT transport = BT_TRANSPORT_BR_EDR; /* should check PSM range in LE connection oriented L2CAP connection */ 2116 2117#if (L2CAP_UCD_INCLUDED == TRUE) 2118 if (conn_type & CONNECTION_TYPE_ORIG_MASK) 2119 is_originator = TRUE; 2120 else 2121 is_originator = FALSE; 2122 2123 BTM_TRACE_DEBUG ("%s() conn_type: 0x%x, 0x%x", __func__, conn_type, p_ref_data); 2124#else 2125 is_originator = conn_type; 2126 2127 BTM_TRACE_DEBUG ("%s() is_originator:%d, 0x%x", __func__, is_originator, p_ref_data); 2128#endif 2129 2130 /* Find or get oldest record */ 2131 p_dev_rec = btm_find_or_alloc_dev (bd_addr); 2132 2133 p_dev_rec->hci_handle = handle; 2134 2135 /* Find the service record for the PSM */ 2136 p_serv_rec = btm_sec_find_first_serv (conn_type, psm); 2137 2138 /* If there is no application registered with this PSM do not allow connection */ 2139 if (!p_serv_rec) 2140 { 2141 BTM_TRACE_WARNING ("%s() PSM: %d no application registerd", __func__, psm); 2142 (*p_callback) (bd_addr, transport, p_ref_data, BTM_MODE_UNSUPPORTED); 2143 return(BTM_MODE_UNSUPPORTED); 2144 } 2145 2146 /* Services level0 by default have no security */ 2147 if ((btm_sec_is_serv_level0(psm)) && (!btm_cb.devcb.secure_connections_only)) 2148 { 2149 (*p_callback) (bd_addr,transport, p_ref_data, BTM_SUCCESS_NO_SECURITY); 2150 return(BTM_SUCCESS); 2151 } 2152#if (L2CAP_UCD_INCLUDED == TRUE) 2153 if ( conn_type & CONNECTION_TYPE_CONNLESS_MASK ) 2154 { 2155 if (btm_cb.security_mode == BTM_SEC_MODE_SC) 2156 { 2157 security_required = btm_sec_set_serv_level4_flags (p_serv_rec->ucd_security_flags, 2158 is_originator); 2159 } 2160 else 2161 { 2162 security_required = p_serv_rec->ucd_security_flags; 2163 } 2164 2165 rc = BTM_CMD_STARTED; 2166 if (is_originator) 2167 { 2168 if (((security_required & BTM_SEC_OUT_FLAGS) == 0) || 2169 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_AUTHENTICATE) && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))) || 2170 ((((security_required & BTM_SEC_OUT_FLAGS) == (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) && (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))) || 2171 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_FLAGS) && (p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED))) ) 2172 { 2173 rc = BTM_SUCCESS; 2174 } 2175 } 2176 else 2177 { 2178 if (((security_required & BTM_SEC_IN_FLAGS) == 0) || 2179 ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHENTICATE) && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))) || 2180 ((((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) && (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))) || 2181 ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_FLAGS) && (p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED))) ) 2182 { 2183 // Check for 16 digits (or MITM) 2184 if (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == 0) || 2185 (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == BTM_SEC_IN_MIN_16_DIGIT_PIN) && 2186 btm_dev_16_digit_authenticated(p_dev_rec))) { 2187 rc = BTM_SUCCESS; 2188 } 2189 } 2190 } 2191 2192 if ((rc == BTM_SUCCESS) && (security_required & BTM_SEC_MODE4_LEVEL4) && 2193 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256)) 2194 { 2195 rc = BTM_CMD_STARTED; 2196 } 2197 2198 if (rc == BTM_SUCCESS) 2199 { 2200 if (p_callback) 2201 (*p_callback) (bd_addr, transport, (void *)p_ref_data, BTM_SUCCESS); 2202 2203 return(BTM_SUCCESS); 2204 } 2205 } 2206 else 2207#endif 2208 { 2209 if (btm_cb.security_mode == BTM_SEC_MODE_SC) 2210 { 2211 security_required = btm_sec_set_serv_level4_flags (p_serv_rec->security_flags, 2212 is_originator); 2213 } 2214 else 2215 { 2216 security_required = p_serv_rec->security_flags; 2217 } 2218 } 2219 2220 BTM_TRACE_DEBUG("%s: security_required 0x%04x, is_originator 0x%02x, psm 0x%04x", 2221 __FUNCTION__, security_required, is_originator, psm); 2222 2223 if ((!is_originator) && (security_required & BTM_SEC_MODE4_LEVEL4)) 2224 { 2225 BOOLEAN local_supports_sc = controller_get_interface()->supports_secure_connections(); 2226 /* acceptor receives L2CAP Channel Connect Request for Secure Connections Only service */ 2227 if (!(local_supports_sc) || !(p_dev_rec->remote_supports_secure_connections)) 2228 { 2229 BTM_TRACE_DEBUG("%s: SC only service, local_support_for_sc %d", 2230 "rmt_support_for_sc : %d -> fail pairing", __FUNCTION__, 2231 local_supports_sc, 2232 p_dev_rec->remote_supports_secure_connections); 2233 if (p_callback) 2234 (*p_callback) (bd_addr, transport, (void *)p_ref_data, 2235 BTM_MODE4_LEVEL4_NOT_SUPPORTED); 2236 2237 return (BTM_MODE4_LEVEL4_NOT_SUPPORTED); 2238 } 2239 } 2240 2241 /* there are some devices (moto KRZR) which connects to several services at the same time */ 2242 /* we will process one after another */ 2243 if ( (p_dev_rec->p_callback) || (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) ) 2244 { 2245 BTM_TRACE_EVENT ("%s() - busy - PSM:%d delayed state: %s mode:%d, sm4:0x%x", __func__, 2246 psm, btm_pair_state_descr(btm_cb.pairing_state), btm_cb.security_mode, p_dev_rec->sm4); 2247 BTM_TRACE_EVENT ("security_flags:x%x, sec_flags:x%x", security_required, p_dev_rec->sec_flags); 2248 rc = BTM_CMD_STARTED; 2249 if ((btm_cb.security_mode == BTM_SEC_MODE_UNDEFINED || 2250 btm_cb.security_mode == BTM_SEC_MODE_NONE || 2251 btm_cb.security_mode == BTM_SEC_MODE_SERVICE || 2252 btm_cb.security_mode == BTM_SEC_MODE_LINK) || 2253 (BTM_SM4_KNOWN == p_dev_rec->sm4) || (BTM_SEC_IS_SM4(p_dev_rec->sm4) && 2254 (btm_sec_is_upgrade_possible(p_dev_rec, is_originator) == FALSE))) 2255 { 2256 /* legacy mode - local is legacy or local is lisbon/peer is legacy 2257 * or SM4 with no possibility of link key upgrade */ 2258 if (is_originator) 2259 { 2260 if (((security_required & BTM_SEC_OUT_FLAGS) == 0) || 2261 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_AUTHENTICATE) && btm_dev_authenticated(p_dev_rec))) || 2262 ((((security_required & BTM_SEC_OUT_FLAGS) == (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) && btm_dev_encrypted(p_dev_rec))) || 2263 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_FLAGS) && btm_dev_authorized(p_dev_rec) && btm_dev_encrypted(p_dev_rec))) ) 2264 { 2265 rc = BTM_SUCCESS; 2266 } 2267 } 2268 else 2269 { 2270 if (((security_required & BTM_SEC_IN_FLAGS) == 0) || 2271 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHENTICATE) && btm_dev_authenticated(p_dev_rec)) || 2272 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) && btm_dev_encrypted(p_dev_rec)) || 2273 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHORIZE) && (btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec))) || 2274 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_AUTHORIZE)) && ((btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec)) && btm_dev_authenticated(p_dev_rec))) || 2275 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHORIZE)) && ((btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec)) && btm_dev_encrypted(p_dev_rec))) || 2276 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_FLAGS) && btm_dev_encrypted(p_dev_rec) && (btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec)))) 2277 { 2278 // Check for 16 digits (or MITM) 2279 if (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == 0) || 2280 (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == BTM_SEC_IN_MIN_16_DIGIT_PIN) && btm_dev_16_digit_authenticated(p_dev_rec))) { 2281 rc = BTM_SUCCESS; 2282 } 2283 } 2284 } 2285 2286 if ((rc == BTM_SUCCESS) && (security_required & BTM_SEC_MODE4_LEVEL4) && 2287 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256)) 2288 { 2289 rc = BTM_CMD_STARTED; 2290 } 2291 2292 if (rc == BTM_SUCCESS) 2293 { 2294 if (p_callback) 2295 (*p_callback) (bd_addr, transport, (void *)p_ref_data, BTM_SUCCESS); 2296 return(BTM_SUCCESS); 2297 } 2298 } 2299 2300 btm_cb.sec_req_pending = TRUE; 2301 return(BTM_CMD_STARTED); 2302 } 2303 2304 /* Save pointer to service record */ 2305 p_dev_rec->p_cur_service = p_serv_rec; 2306 2307 /* Modify security_required in btm_sec_l2cap_access_req for Lisbon */ 2308 if (btm_cb.security_mode == BTM_SEC_MODE_SP || 2309 btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG || 2310 btm_cb.security_mode == BTM_SEC_MODE_SC) 2311 { 2312 if (BTM_SEC_IS_SM4(p_dev_rec->sm4)) 2313 { 2314 if (is_originator) 2315 { 2316 /* SM4 to SM4 -> always authenticate & encrypt */ 2317 security_required |= (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT); 2318 } 2319 else /* acceptor */ 2320 { 2321 /* SM4 to SM4: the acceptor needs to make sure the authentication is already done */ 2322 chk_acp_auth_done = TRUE; 2323 /* SM4 to SM4 -> always authenticate & encrypt */ 2324 security_required |= (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT); 2325 } 2326 } 2327 else if (!(BTM_SM4_KNOWN & p_dev_rec->sm4)) 2328 { 2329 /* the remote features are not known yet */ 2330 BTM_TRACE_DEBUG("%s: (%s) remote features unknown!!sec_flags:0x%02x", __FUNCTION__, 2331 (is_originator) ? "initiator" : "acceptor", p_dev_rec->sec_flags); 2332 2333 p_dev_rec->sm4 |= BTM_SM4_REQ_PEND; 2334 return (BTM_CMD_STARTED); 2335 } 2336 } 2337 2338 BTM_TRACE_DEBUG ("%s() sm4:0x%x, sec_flags:0x%x, security_required:0x%x chk:%d", __func__, 2339 p_dev_rec->sm4, p_dev_rec->sec_flags, security_required, chk_acp_auth_done); 2340 2341 old_security_required = p_dev_rec->security_required; 2342 old_is_originator = p_dev_rec->is_originator; 2343 p_dev_rec->security_required = security_required; 2344 p_dev_rec->p_ref_data = p_ref_data; 2345 p_dev_rec->is_originator = is_originator; 2346 2347#if (L2CAP_UCD_INCLUDED == TRUE) 2348 if ( conn_type & CONNECTION_TYPE_CONNLESS_MASK ) 2349 p_dev_rec->is_ucd = TRUE; 2350 else 2351 p_dev_rec->is_ucd = FALSE; 2352#endif 2353 2354 /* If there are multiple service records used through the same PSM */ 2355 /* leave security decision for the multiplexor on the top */ 2356#if (L2CAP_UCD_INCLUDED == TRUE) 2357 if (((btm_sec_find_next_serv (p_serv_rec)) != NULL) 2358 &&(!( conn_type & CONNECTION_TYPE_CONNLESS_MASK ))) /* if not UCD */ 2359#else 2360 if ((btm_sec_find_next_serv (p_serv_rec)) != NULL) 2361#endif 2362 { 2363 BTM_TRACE_DEBUG ("no next_serv sm4:0x%x, chk:%d", p_dev_rec->sm4, chk_acp_auth_done); 2364 if (!BTM_SEC_IS_SM4(p_dev_rec->sm4)) 2365 { 2366 BTM_TRACE_EVENT ("Security Manager: l2cap_access_req PSM:%d postponed for multiplexer", psm); 2367 /* pre-Lisbon: restore the old settings */ 2368 p_dev_rec->security_required = old_security_required; 2369 p_dev_rec->is_originator = old_is_originator; 2370 2371 (*p_callback) (bd_addr, transport, p_ref_data, BTM_SUCCESS); 2372 2373 return(BTM_SUCCESS); 2374 } 2375 } 2376 2377 /* if the originator is using dynamic PSM in legacy mode, do not start any security process now 2378 * The layer above L2CAP needs to carry out the security requirement after L2CAP connect 2379 * response is received */ 2380 if (is_originator && 2381 ((btm_cb.security_mode == BTM_SEC_MODE_UNDEFINED || 2382 btm_cb.security_mode == BTM_SEC_MODE_NONE || 2383 btm_cb.security_mode == BTM_SEC_MODE_SERVICE || 2384 btm_cb.security_mode == BTM_SEC_MODE_LINK) || 2385 !BTM_SEC_IS_SM4(p_dev_rec->sm4)) && (psm >= 0x1001)) 2386 { 2387 BTM_TRACE_EVENT ("dynamic PSM:0x%x in legacy mode - postponed for upper layer", psm); 2388 /* restore the old settings */ 2389 p_dev_rec->security_required = old_security_required; 2390 p_dev_rec->is_originator = old_is_originator; 2391 2392 (*p_callback) (bd_addr, transport, p_ref_data, BTM_SUCCESS); 2393 2394 return(BTM_SUCCESS); 2395 } 2396 2397 if (chk_acp_auth_done) 2398 { 2399 BTM_TRACE_DEBUG ("(SM4 to SM4) btm_sec_l2cap_access_req rspd. authenticated: x%x, enc: x%x", 2400 (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED), (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)); 2401 /* SM4, but we do not know for sure which level of security we need. 2402 * as long as we have a link key, it's OK */ 2403 if ((0 == (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)) 2404 ||(0 == (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))) 2405 { 2406 rc = BTM_DELAY_CHECK; 2407 /* 2408 2046 may report HCI_Encryption_Change and L2C Connection Request out of sequence 2409 because of data path issues. Delay this disconnect a little bit 2410 */ 2411 LOG_INFO(LOG_TAG, "%s peer should have initiated security process by now (SM4 to SM4)", __func__); 2412 p_dev_rec->p_callback = p_callback; 2413 p_dev_rec->sec_state = BTM_SEC_STATE_DELAY_FOR_ENC; 2414 (*p_callback) (bd_addr, transport, p_ref_data, rc); 2415 2416 return BTM_SUCCESS; 2417 } 2418 } 2419 2420 p_dev_rec->p_callback = p_callback; 2421 2422 if (p_dev_rec->last_author_service_id == BTM_SEC_NO_LAST_SERVICE_ID 2423 || p_dev_rec->last_author_service_id != p_dev_rec->p_cur_service->service_id) 2424 { 2425 /* Although authentication and encryption are per connection 2426 ** authorization is per access request. For example when serial connection 2427 ** is up and authorized and client requests to read file (access to other 2428 ** scn), we need to request user's permission again. 2429 */ 2430 p_dev_rec->sec_flags &= ~BTM_SEC_AUTHORIZED; 2431 } 2432 2433 if (BTM_SEC_IS_SM4(p_dev_rec->sm4)) 2434 { 2435 if ((p_dev_rec->security_required & BTM_SEC_MODE4_LEVEL4) && 2436 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256)) 2437 { 2438 /* BTM_LKEY_TYPE_AUTH_COMB_P_256 is the only acceptable key in this case */ 2439 if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) != 0) 2440 { 2441 p_dev_rec->sm4 |= BTM_SM4_UPGRADE; 2442 } 2443 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED | 2444 BTM_SEC_AUTHENTICATED); 2445 BTM_TRACE_DEBUG ("%s: sec_flags:0x%x", __FUNCTION__, p_dev_rec->sec_flags); 2446 } 2447 else 2448 { 2449 /* If we already have a link key to the connected peer, is it secure enough? */ 2450 btm_sec_check_upgrade(p_dev_rec, is_originator); 2451 } 2452 } 2453 2454 BTM_TRACE_EVENT ("%s() PSM:%d Handle:%d State:%d Flags: 0x%x Required: 0x%x Service ID:%d", 2455 __func__, psm, handle, p_dev_rec->sec_state, p_dev_rec->sec_flags, 2456 p_dev_rec->security_required, p_dev_rec->p_cur_service->service_id); 2457 2458 if ((rc = btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED) 2459 { 2460 p_dev_rec->p_callback = NULL; 2461 (*p_callback) (bd_addr, transport, p_dev_rec->p_ref_data, (UINT8)rc); 2462 } 2463 2464 return(rc); 2465} 2466 2467/******************************************************************************* 2468** 2469** Function btm_sec_mx_access_request 2470** 2471** Description This function is called by all Multiplexing Protocols during 2472** establishing connection to or from peer device to grant 2473** permission to establish application connection. 2474** 2475** Parameters: bd_addr - Address of the peer device 2476** psm - L2CAP PSM 2477** is_originator - TRUE if protocol above L2CAP originates 2478** connection 2479** mx_proto_id - protocol ID of the multiplexer 2480** mx_chan_id - multiplexer channel to reach application 2481** p_callback - Pointer to callback function called if 2482** this function returns PENDING after required 2483** procedures are completed 2484** p_ref_data - Pointer to any reference data needed by the 2485** the callback function. 2486** 2487** Returns BTM_CMD_STARTED 2488** 2489*******************************************************************************/ 2490tBTM_STATUS btm_sec_mx_access_request (BD_ADDR bd_addr, UINT16 psm, BOOLEAN is_originator, 2491 UINT32 mx_proto_id, UINT32 mx_chan_id, 2492 tBTM_SEC_CALLBACK *p_callback, void *p_ref_data) 2493{ 2494 tBTM_SEC_DEV_REC *p_dev_rec; 2495 tBTM_SEC_SERV_REC *p_serv_rec; 2496 tBTM_STATUS rc; 2497 UINT16 security_required; 2498 BOOLEAN transport = FALSE;/* should check PSM range in LE connection oriented L2CAP connection */ 2499 2500 BTM_TRACE_DEBUG ("%s() is_originator: %d", __func__, is_originator); 2501 /* Find or get oldest record */ 2502 p_dev_rec = btm_find_or_alloc_dev (bd_addr); 2503 2504 /* Find the service record for the PSM */ 2505 p_serv_rec = btm_sec_find_mx_serv (is_originator, psm, mx_proto_id, mx_chan_id); 2506 2507 /* If there is no application registered with this PSM do not allow connection */ 2508 if (!p_serv_rec) 2509 { 2510 if (p_callback) 2511 (*p_callback) (bd_addr, transport, p_ref_data, BTM_MODE_UNSUPPORTED); 2512 2513 BTM_TRACE_ERROR ("Security Manager: MX service not found PSM:%d Proto:%d SCN:%d", 2514 psm, mx_proto_id, mx_chan_id); 2515 return BTM_NO_RESOURCES; 2516 } 2517 2518 if ((btm_cb.security_mode == BTM_SEC_MODE_SC) && (!btm_sec_is_serv_level0(psm))) 2519 { 2520 security_required = btm_sec_set_serv_level4_flags (p_serv_rec->security_flags, 2521 is_originator); 2522 } 2523 else 2524 { 2525 security_required = p_serv_rec->security_flags; 2526 } 2527 2528 /* there are some devices (moto phone) which connects to several services at the same time */ 2529 /* we will process one after another */ 2530 if ( (p_dev_rec->p_callback) || (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) ) 2531 { 2532 BTM_TRACE_EVENT ("%s() service PSM:%d Proto:%d SCN:%d delayed state: %s", __func__, 2533 psm, mx_proto_id, mx_chan_id, btm_pair_state_descr(btm_cb.pairing_state)); 2534 2535 rc = BTM_CMD_STARTED; 2536 2537 if ((btm_cb.security_mode == BTM_SEC_MODE_UNDEFINED || 2538 btm_cb.security_mode == BTM_SEC_MODE_NONE || 2539 btm_cb.security_mode == BTM_SEC_MODE_SERVICE || 2540 btm_cb.security_mode == BTM_SEC_MODE_LINK) || 2541 (BTM_SM4_KNOWN == p_dev_rec->sm4) || (BTM_SEC_IS_SM4(p_dev_rec->sm4) && 2542 (btm_sec_is_upgrade_possible(p_dev_rec, is_originator) == FALSE))) 2543 { 2544 /* legacy mode - local is legacy or local is lisbon/peer is legacy 2545 * or SM4 with no possibility of link key upgrade */ 2546 if (is_originator) 2547 { 2548 if (((security_required & BTM_SEC_OUT_FLAGS) == 0) || 2549 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_AUTHENTICATE) && btm_dev_authenticated(p_dev_rec))) || 2550 ((((security_required & BTM_SEC_OUT_FLAGS) == (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) && btm_dev_encrypted(p_dev_rec))) 2551 ) 2552 { 2553 rc = BTM_SUCCESS; 2554 } 2555 } 2556 else 2557 { 2558 if (((security_required & BTM_SEC_IN_FLAGS) == 0) || 2559 ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHENTICATE) && btm_dev_authenticated(p_dev_rec))) || 2560 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHORIZE) && (btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec))) || 2561 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_AUTHENTICATE)) && ((btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec)) && btm_dev_authenticated(p_dev_rec))) || 2562 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT)) && ((btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec))&& btm_dev_encrypted(p_dev_rec))) || 2563 ((((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) && btm_dev_encrypted(p_dev_rec))) 2564 ) 2565 { 2566 // Check for 16 digits (or MITM) 2567 if (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == 0) || 2568 (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == BTM_SEC_IN_MIN_16_DIGIT_PIN) && btm_dev_16_digit_authenticated(p_dev_rec))) { 2569 rc = BTM_SUCCESS; 2570 } 2571 } 2572 } 2573 if ((rc == BTM_SUCCESS) && (security_required & BTM_SEC_MODE4_LEVEL4) && 2574 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256)) 2575 { 2576 rc = BTM_CMD_STARTED; 2577 } 2578 } 2579 2580 if (rc == BTM_SUCCESS) 2581 { 2582 BTM_TRACE_EVENT("%s: allow to bypass, checking authorization", __FUNCTION__); 2583 /* the security in BTM_SEC_IN_FLAGS is fullfilled so far, check the requirements in */ 2584 /* btm_sec_execute_procedure */ 2585 if ((is_originator && (p_serv_rec->security_flags & BTM_SEC_OUT_AUTHORIZE)) || 2586 (!is_originator && (p_serv_rec->security_flags & BTM_SEC_IN_AUTHORIZE))) 2587 { 2588 BTM_TRACE_EVENT("%s: still need authorization", __FUNCTION__); 2589 rc = BTM_CMD_STARTED; 2590 } 2591 } 2592 2593 /* Check whether there is a pending security procedure, if so we should always queue */ 2594 /* the new security request */ 2595 if (p_dev_rec->sec_state != BTM_SEC_STATE_IDLE) 2596 { 2597 BTM_TRACE_EVENT("%s: There is a pending security procedure", __FUNCTION__); 2598 rc = BTM_CMD_STARTED; 2599 } 2600 if (rc == BTM_CMD_STARTED) 2601 { 2602 BTM_TRACE_EVENT("%s: call btm_sec_queue_mx_request", __FUNCTION__); 2603 btm_sec_queue_mx_request (bd_addr, psm, is_originator, mx_proto_id, 2604 mx_chan_id, p_callback, p_ref_data); 2605 } 2606 else /* rc == BTM_SUCCESS */ 2607 { 2608 /* access granted */ 2609 if (p_callback) 2610 { 2611 (*p_callback) (bd_addr, transport, p_ref_data, (UINT8)rc); 2612 } 2613 } 2614 2615 BTM_TRACE_EVENT("%s: return with rc = 0x%02x in delayed state %s", __FUNCTION__, rc, 2616 btm_pair_state_descr(btm_cb.pairing_state)); 2617 return rc; 2618 } 2619 2620 if ((!is_originator) && ((security_required & BTM_SEC_MODE4_LEVEL4) || 2621 (btm_cb.security_mode == BTM_SEC_MODE_SC))) 2622 { 2623 BOOLEAN local_supports_sc = controller_get_interface()->supports_secure_connections(); 2624 /* acceptor receives service connection establishment Request for */ 2625 /* Secure Connections Only service */ 2626 if (!(local_supports_sc) || !(p_dev_rec->remote_supports_secure_connections)) 2627 { 2628 BTM_TRACE_DEBUG("%s: SC only service,local_support_for_sc %d,", 2629 "remote_support_for_sc %d: fail pairing",__FUNCTION__, 2630 local_supports_sc, p_dev_rec->remote_supports_secure_connections); 2631 2632 if (p_callback) 2633 (*p_callback) (bd_addr, transport, (void *)p_ref_data, 2634 BTM_MODE4_LEVEL4_NOT_SUPPORTED); 2635 2636 return (BTM_MODE4_LEVEL4_NOT_SUPPORTED); 2637 } 2638 } 2639 2640 p_dev_rec->p_cur_service = p_serv_rec; 2641 p_dev_rec->security_required = security_required; 2642 2643 if (btm_cb.security_mode == BTM_SEC_MODE_SP || 2644 btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG || 2645 btm_cb.security_mode == BTM_SEC_MODE_SC) 2646 { 2647 if (BTM_SEC_IS_SM4(p_dev_rec->sm4)) 2648 { 2649 if ((p_dev_rec->security_required & BTM_SEC_MODE4_LEVEL4) && 2650 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256)) 2651 { 2652 /* BTM_LKEY_TYPE_AUTH_COMB_P_256 is the only acceptable key in this case */ 2653 if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) != 0) 2654 { 2655 p_dev_rec->sm4 |= BTM_SM4_UPGRADE; 2656 } 2657 2658 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED | 2659 BTM_SEC_AUTHENTICATED); 2660 BTM_TRACE_DEBUG("%s: sec_flags:0x%x", __FUNCTION__, p_dev_rec->sec_flags); 2661 } 2662 else 2663 { 2664 /* If we already have a link key, check if that link key is good enough */ 2665 btm_sec_check_upgrade(p_dev_rec, is_originator); 2666 } 2667 } 2668 } 2669 2670 p_dev_rec->is_originator = is_originator; 2671 p_dev_rec->p_callback = p_callback; 2672 p_dev_rec->p_ref_data = p_ref_data; 2673 2674 /* Although authentication and encryption are per connection */ 2675 /* authorization is per access request. For example when serial connection */ 2676 /* is up and authorized and client requests to read file (access to other */ 2677 /* scn, we need to request user's permission again. */ 2678 p_dev_rec->sec_flags &= ~(BTM_SEC_AUTHORIZED); 2679 2680 BTM_TRACE_EVENT ("%s() proto_id:%d chan_id:%d State:%d Flags:0x%x Required:0x%x Service ID:%d", 2681 __func__, mx_proto_id, mx_chan_id, p_dev_rec->sec_state, p_dev_rec->sec_flags, 2682 p_dev_rec->security_required, p_dev_rec->p_cur_service->service_id); 2683 2684 if ((rc = btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED) 2685 { 2686 if (p_callback) 2687 { 2688 p_dev_rec->p_callback = NULL; 2689 (*p_callback) (bd_addr,transport, p_ref_data, (UINT8)rc); 2690 } 2691 } 2692 2693 return rc; 2694} 2695 2696/******************************************************************************* 2697** 2698** Function btm_sec_conn_req 2699** 2700** Description This function is when the peer device is requesting 2701** connection 2702** 2703** Returns void 2704** 2705*******************************************************************************/ 2706void btm_sec_conn_req (UINT8 *bda, UINT8 *dc) 2707{ 2708 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bda); 2709 2710 /* Some device may request a connection before we are done with the HCI_Reset sequence */ 2711 if (!controller_get_interface()->get_is_ready()) 2712 { 2713 BTM_TRACE_EVENT ("Security Manager: connect request when device not ready"); 2714 btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE); 2715 return; 2716 } 2717 2718 /* Security guys wants us not to allow connection from not paired devices */ 2719 2720 /* Check if connection is allowed for only paired devices */ 2721 if (btm_cb.connect_only_paired) 2722 { 2723 if (!p_dev_rec || !(p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED)) 2724 { 2725 BTM_TRACE_EVENT ("Security Manager: connect request from non-paired device"); 2726 btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE); 2727 return; 2728 } 2729 } 2730 2731#if BTM_ALLOW_CONN_IF_NONDISCOVER == FALSE 2732 /* If non-discoverable, only allow known devices to connect */ 2733 if (btm_cb.btm_inq_vars.discoverable_mode == BTM_NON_DISCOVERABLE) 2734 { 2735 if (!p_dev_rec) 2736 { 2737 BTM_TRACE_EVENT ("Security Manager: connect request from not paired device"); 2738 btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE); 2739 return; 2740 } 2741 } 2742#endif 2743 2744 if ((btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) 2745 &&(btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) 2746 &&(!memcmp (btm_cb.pairing_bda, bda, BD_ADDR_LEN))) 2747 { 2748 BTM_TRACE_EVENT ("Security Manager: reject connect request from bonding device"); 2749 2750 /* incoming connection from bonding device is rejected */ 2751 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_REJECTED_CONNECT; 2752 btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE); 2753 return; 2754 } 2755 2756 /* Host is not interested or approved connection. Save BDA and DC and */ 2757 /* pass request to L2CAP */ 2758 memcpy (btm_cb.connecting_bda, bda, BD_ADDR_LEN); 2759 memcpy (btm_cb.connecting_dc, dc, DEV_CLASS_LEN); 2760 2761 if (l2c_link_hci_conn_req (bda)) 2762 { 2763 if (!p_dev_rec) 2764 { 2765 /* accept the connection -> allocate a device record */ 2766 p_dev_rec = btm_sec_alloc_dev (bda); 2767 } 2768 if (p_dev_rec) 2769 { 2770 p_dev_rec->sm4 |= BTM_SM4_CONN_PEND; 2771 } 2772 } 2773} 2774 2775/******************************************************************************* 2776** 2777** Function btm_sec_bond_cancel_complete 2778** 2779** Description This function is called to report bond cancel complete 2780** event. 2781** 2782** Returns void 2783** 2784*******************************************************************************/ 2785static void btm_sec_bond_cancel_complete (void) 2786{ 2787 tBTM_SEC_DEV_REC *p_dev_rec; 2788 2789 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE) || 2790 (BTM_PAIR_STATE_WAIT_LOCAL_PIN == btm_cb.pairing_state && 2791 BTM_PAIR_FLAGS_WE_STARTED_DD & btm_cb.pairing_flags) || 2792 (btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME && 2793 BTM_PAIR_FLAGS_WE_CANCEL_DD & btm_cb.pairing_flags)) 2794 { 2795 /* for dedicated bonding in legacy mode, authentication happens at "link level" 2796 * btm_sec_connected is called with failed status. 2797 * In theory, the code that handles is_pairing_device/TRUE should clean out security related code. 2798 * However, this function may clean out the security related flags and btm_sec_connected would not know 2799 * this function also needs to do proper clean up. 2800 */ 2801 if ((p_dev_rec = btm_find_dev (btm_cb.pairing_bda)) != NULL) 2802 p_dev_rec->security_required = BTM_SEC_NONE; 2803 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 2804 2805 /* Notify application that the cancel succeeded */ 2806 if (btm_cb.api.p_bond_cancel_cmpl_callback) 2807 btm_cb.api.p_bond_cancel_cmpl_callback(BTM_SUCCESS); 2808 } 2809} 2810 2811/******************************************************************************* 2812** 2813** Function btm_create_conn_cancel_complete 2814** 2815** Description This function is called when the command complete message 2816** is received from the HCI for the create connection cancel 2817** command. 2818** 2819** Returns void 2820** 2821*******************************************************************************/ 2822void btm_create_conn_cancel_complete (UINT8 *p) 2823{ 2824 UINT8 status; 2825 2826 STREAM_TO_UINT8 (status, p); 2827 BTM_TRACE_EVENT ("btm_create_conn_cancel_complete(): in State: %s status:%d", 2828 btm_pair_state_descr(btm_cb.pairing_state), status); 2829 2830 /* if the create conn cancel cmd was issued by the bond cancel, 2831 ** the application needs to be notified that bond cancel succeeded 2832 */ 2833 switch (status) 2834 { 2835 case HCI_SUCCESS: 2836 btm_sec_bond_cancel_complete(); 2837 break; 2838 case HCI_ERR_CONNECTION_EXISTS: 2839 case HCI_ERR_NO_CONNECTION: 2840 default: 2841 /* Notify application of the error */ 2842 if (btm_cb.api.p_bond_cancel_cmpl_callback) 2843 btm_cb.api.p_bond_cancel_cmpl_callback(BTM_ERR_PROCESSING); 2844 break; 2845 } 2846} 2847 2848/******************************************************************************* 2849** 2850** Function btm_sec_check_pending_reqs 2851** 2852** Description This function is called at the end of the security procedure 2853** to let L2CAP and RFCOMM know to re-submit any pending requests 2854** 2855** Returns void 2856** 2857*******************************************************************************/ 2858void btm_sec_check_pending_reqs (void) 2859{ 2860 if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE) 2861 { 2862 /* First, resubmit L2CAP requests */ 2863 if (btm_cb.sec_req_pending) 2864 { 2865 btm_cb.sec_req_pending = FALSE; 2866 l2cu_resubmit_pending_sec_req (NULL); 2867 } 2868 2869 /* Now, re-submit anything in the mux queue */ 2870 fixed_queue_t *bq = btm_cb.sec_pending_q; 2871 2872 btm_cb.sec_pending_q = fixed_queue_new(SIZE_MAX); 2873 2874 tBTM_SEC_QUEUE_ENTRY *p_e; 2875 while ((p_e = (tBTM_SEC_QUEUE_ENTRY *)fixed_queue_try_dequeue(bq)) != NULL) 2876 { 2877 /* Check that the ACL is still up before starting security procedures */ 2878 if (btm_bda_to_acl(p_e->bd_addr, p_e->transport) != NULL) 2879 { 2880 if (p_e->psm != 0) 2881 { 2882 BTM_TRACE_EVENT("%s PSM:0x%04x Is_Orig:%u mx_proto_id:%u mx_chan_id:%u", 2883 __FUNCTION__, p_e->psm, p_e->is_orig, 2884 p_e->mx_proto_id, p_e->mx_chan_id); 2885 2886 btm_sec_mx_access_request (p_e->bd_addr, p_e->psm, p_e->is_orig, 2887 p_e->mx_proto_id, p_e->mx_chan_id, 2888 p_e->p_callback, p_e->p_ref_data); 2889 } 2890 else 2891 { 2892 BTM_SetEncryption(p_e->bd_addr, p_e->transport, p_e->p_callback, 2893 p_e->p_ref_data, p_e->sec_act); 2894 } 2895 } 2896 2897 osi_free(p_e); 2898 } 2899 fixed_queue_free(bq, NULL); 2900 } 2901} 2902 2903/******************************************************************************* 2904** 2905** Function btm_sec_init 2906** 2907** Description This function is on the SEC startup 2908** 2909** Returns void 2910** 2911*******************************************************************************/ 2912void btm_sec_init (UINT8 sec_mode) 2913{ 2914 btm_cb.security_mode = sec_mode; 2915 memset (btm_cb.pairing_bda, 0xff, BD_ADDR_LEN); 2916 btm_cb.max_collision_delay = BTM_SEC_MAX_COLLISION_DELAY; 2917} 2918 2919/******************************************************************************* 2920** 2921** Function btm_sec_device_down 2922** 2923** Description This function should be called when device is disabled or 2924** turned off 2925** 2926** Returns void 2927** 2928*******************************************************************************/ 2929void btm_sec_device_down (void) 2930{ 2931 BTM_TRACE_EVENT ("%s() State: %s", __func__, btm_pair_state_descr(btm_cb.pairing_state)); 2932 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 2933} 2934 2935/******************************************************************************* 2936** 2937** Function btm_sec_dev_reset 2938** 2939** Description This function should be called after device reset 2940** 2941** Returns void 2942** 2943*******************************************************************************/ 2944void btm_sec_dev_reset (void) 2945{ 2946 if (controller_get_interface()->supports_simple_pairing()) 2947 { 2948 /* set the default IO capabilities */ 2949 btm_cb.devcb.loc_io_caps = BTM_LOCAL_IO_CAPS; 2950 /* add mx service to use no security */ 2951 BTM_SetSecurityLevel(FALSE, "RFC_MUX", BTM_SEC_SERVICE_RFC_MUX, 2952 BTM_SEC_NONE, BT_PSM_RFCOMM, BTM_SEC_PROTO_RFCOMM, 0); 2953 } 2954 else 2955 { 2956 btm_cb.security_mode = BTM_SEC_MODE_SERVICE; 2957 } 2958 2959 BTM_TRACE_DEBUG ("btm_sec_dev_reset sec mode: %d", btm_cb.security_mode); 2960} 2961 2962/******************************************************************************* 2963** 2964** Function btm_sec_abort_access_req 2965** 2966** Description This function is called by the L2CAP or RFCOMM to abort 2967** the pending operation. 2968** 2969** Parameters: bd_addr - Address of the peer device 2970** 2971** Returns void 2972** 2973*******************************************************************************/ 2974void btm_sec_abort_access_req (BD_ADDR bd_addr) 2975{ 2976 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr); 2977 2978 if (!p_dev_rec) 2979 return; 2980 2981 if ((p_dev_rec->sec_state != BTM_SEC_STATE_AUTHORIZING) 2982 && (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING)) 2983 return; 2984 2985 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE; 2986 p_dev_rec->p_callback = NULL; 2987} 2988 2989/******************************************************************************* 2990** 2991** Function btm_sec_dd_create_conn 2992** 2993** Description This function is called to create the ACL connection for 2994** the dedicated boding process 2995** 2996** Returns void 2997** 2998*******************************************************************************/ 2999static tBTM_STATUS btm_sec_dd_create_conn (tBTM_SEC_DEV_REC *p_dev_rec) 3000{ 3001 tL2C_LCB *p_lcb = l2cu_find_lcb_by_bd_addr(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR); 3002 if (p_lcb && (p_lcb->link_state == LST_CONNECTED || p_lcb->link_state == LST_CONNECTING)) 3003 { 3004 BTM_TRACE_WARNING("%s Connection already exists", __func__); 3005 return BTM_CMD_STARTED; 3006 } 3007 3008 /* Make sure an L2cap link control block is available */ 3009 if (!p_lcb && (p_lcb = l2cu_allocate_lcb (p_dev_rec->bd_addr, TRUE, BT_TRANSPORT_BR_EDR)) == NULL) 3010 { 3011 BTM_TRACE_WARNING ("Security Manager: failed allocate LCB [%02x%02x%02x%02x%02x%02x]", 3012 p_dev_rec->bd_addr[0], p_dev_rec->bd_addr[1], p_dev_rec->bd_addr[2], 3013 p_dev_rec->bd_addr[3], p_dev_rec->bd_addr[4], p_dev_rec->bd_addr[5]); 3014 3015 return(BTM_NO_RESOURCES); 3016 } 3017 3018 /* set up the control block to indicated dedicated bonding */ 3019 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_DISC_WHEN_DONE; 3020 3021 if (l2cu_create_conn(p_lcb, BT_TRANSPORT_BR_EDR) == FALSE) 3022 { 3023 BTM_TRACE_WARNING ("Security Manager: failed create [%02x%02x%02x%02x%02x%02x]", 3024 p_dev_rec->bd_addr[0], p_dev_rec->bd_addr[1], p_dev_rec->bd_addr[2], 3025 p_dev_rec->bd_addr[3], p_dev_rec->bd_addr[4], p_dev_rec->bd_addr[5]); 3026 3027 l2cu_release_lcb(p_lcb); 3028 return(BTM_NO_RESOURCES); 3029 } 3030 3031 btm_acl_update_busy_level (BTM_BLI_PAGE_EVT); 3032 3033 BTM_TRACE_DEBUG ("Security Manager: btm_sec_dd_create_conn [%02x%02x%02x%02x%02x%02x]", 3034 p_dev_rec->bd_addr[0], p_dev_rec->bd_addr[1], p_dev_rec->bd_addr[2], 3035 p_dev_rec->bd_addr[3], p_dev_rec->bd_addr[4], p_dev_rec->bd_addr[5]); 3036 3037 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ); 3038 3039 return(BTM_CMD_STARTED); 3040} 3041 3042 3043bool is_state_getting_name(void *data, void *context) 3044{ 3045 tBTM_SEC_DEV_REC *p_dev_rec = data; 3046 3047 if (p_dev_rec->sec_state == BTM_SEC_STATE_GETTING_NAME) { 3048 return false; 3049 } 3050 return true; 3051} 3052 3053/******************************************************************************* 3054** 3055** Function btm_sec_rmt_name_request_complete 3056* 3057** Description This function is called when remote name was obtained from 3058** the peer device 3059** 3060** Returns void 3061** 3062*******************************************************************************/ 3063void btm_sec_rmt_name_request_complete (UINT8 *p_bd_addr, UINT8 *p_bd_name, UINT8 status) 3064{ 3065 tBTM_SEC_DEV_REC *p_dev_rec; 3066 int i; 3067 DEV_CLASS dev_class; 3068 UINT8 old_sec_state; 3069 3070 BTM_TRACE_EVENT ("btm_sec_rmt_name_request_complete"); 3071 if (((p_bd_addr == NULL) && !BTM_ACL_IS_CONNECTED(btm_cb.connecting_bda)) 3072 || ((p_bd_addr != NULL) && !BTM_ACL_IS_CONNECTED(p_bd_addr))) 3073 { 3074 btm_acl_resubmit_page(); 3075 } 3076 3077 /* If remote name request failed, p_bd_addr is null and we need to search */ 3078 /* based on state assuming that we are doing 1 at a time */ 3079 if (p_bd_addr) 3080 p_dev_rec = btm_find_dev (p_bd_addr); 3081 else 3082 { 3083 list_node_t *node = list_foreach(btm_cb.sec_dev_rec, is_state_getting_name, NULL); 3084 if (node != NULL) { 3085 p_dev_rec = list_node(node); 3086 p_bd_addr = p_dev_rec->bd_addr; 3087 } else { 3088 p_dev_rec = NULL; 3089 } 3090 } 3091 3092 /* Commenting out trace due to obf/compilation problems. 3093 */ 3094#if (BT_USE_TRACES == TRUE) 3095 if (!p_bd_name) 3096 p_bd_name = (UINT8 *)""; 3097 3098 if (p_dev_rec) 3099 { 3100 BTM_TRACE_EVENT ("%s PairState: %s RemName: %s status: %d State:%d p_dev_rec: 0x%08x ", __func__, 3101 btm_pair_state_descr (btm_cb.pairing_state), p_bd_name, 3102 status, p_dev_rec->sec_state, p_dev_rec); 3103 } else { 3104 BTM_TRACE_EVENT ("%s PairState: %s RemName: %s status: %d", __func__, 3105 btm_pair_state_descr (btm_cb.pairing_state), p_bd_name, 3106 status); 3107 } 3108#endif 3109 3110 if (p_dev_rec) 3111 { 3112 old_sec_state = p_dev_rec->sec_state; 3113 if (status == HCI_SUCCESS) 3114 { 3115 strlcpy((char *)p_dev_rec->sec_bd_name, (char *)p_bd_name, BTM_MAX_REM_BD_NAME_LEN); 3116 p_dev_rec->sec_flags |= BTM_SEC_NAME_KNOWN; 3117 BTM_TRACE_EVENT ("setting BTM_SEC_NAME_KNOWN sec_flags:0x%x", p_dev_rec->sec_flags); 3118 } 3119 else 3120 { 3121 /* Notify all clients waiting for name to be resolved even if it failed so clients can continue */ 3122 p_dev_rec->sec_bd_name[0] = 0; 3123 } 3124 3125 if (p_dev_rec->sec_state == BTM_SEC_STATE_GETTING_NAME) 3126 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE; 3127 3128 /* Notify all clients waiting for name to be resolved */ 3129 for (i = 0;i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++) 3130 { 3131 if (btm_cb.p_rmt_name_callback[i] && p_bd_addr) 3132 (*btm_cb.p_rmt_name_callback[i])(p_bd_addr, p_dev_rec->dev_class, 3133 p_dev_rec->sec_bd_name); 3134 } 3135 } else { 3136 dev_class[0] = 0; 3137 dev_class[1] = 0; 3138 dev_class[2] = 0; 3139 3140 /* Notify all clients waiting for name to be resolved even if not found so clients can continue */ 3141 for (i = 0;i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++) 3142 { 3143 if (btm_cb.p_rmt_name_callback[i] && p_bd_addr) 3144 (*btm_cb.p_rmt_name_callback[i])(p_bd_addr, dev_class, (UINT8 *)""); 3145 } 3146 3147 return; 3148 } 3149 3150 /* If we were delaying asking UI for a PIN because name was not resolved, ask now */ 3151 if ( (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_LOCAL_PIN) && p_bd_addr 3152 && (memcmp (btm_cb.pairing_bda, p_bd_addr, BD_ADDR_LEN) == 0) ) 3153 { 3154 BTM_TRACE_EVENT ("%s() delayed pin now being requested flags:0x%x, (p_pin_callback=0x%p)", 3155 __func__, btm_cb.pairing_flags, btm_cb.api.p_pin_callback); 3156 3157 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PIN_REQD) == 0 && btm_cb.api.p_pin_callback) 3158 { 3159 BTM_TRACE_EVENT ("%s() calling pin_callback", __func__); 3160 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD; 3161 (*btm_cb.api.p_pin_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class, p_bd_name, 3162 (p_dev_rec->p_cur_service==NULL) ? FALSE 3163 : (p_dev_rec->p_cur_service->security_flags & BTM_SEC_IN_MIN_16_DIGIT_PIN)); 3164 } 3165 3166 /* Set the same state again to force the timer to be restarted */ 3167 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_PIN); 3168 return; 3169 } 3170 3171 /* Check if we were delaying bonding because name was not resolved */ 3172 if ( btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME) 3173 { 3174 if (p_bd_addr && memcmp (btm_cb.pairing_bda, p_bd_addr, BD_ADDR_LEN) == 0) 3175 { 3176 BTM_TRACE_EVENT ("%s() continue bonding sm4: 0x%04x, status:0x%x", __func__, p_dev_rec->sm4, status); 3177 if(btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_CANCEL_DD) 3178 { 3179 btm_sec_bond_cancel_complete(); 3180 return; 3181 } 3182 3183 if (status != HCI_SUCCESS) 3184 { 3185 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 3186 3187 if (btm_cb.api.p_auth_complete_callback) 3188 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class, 3189 p_dev_rec->sec_bd_name, status); 3190 return; 3191 } 3192 3193 /* if peer is very old legacy devices, HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT is not reported */ 3194 if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4)) 3195 { 3196 /* set the KNOWN flag only if BTM_PAIR_FLAGS_REJECTED_CONNECT is not set.*/ 3197 /* If it is set, there may be a race condition */ 3198 BTM_TRACE_DEBUG ("%s IS_SM4_UNKNOWN Flags:0x%04x", __func__, 3199 btm_cb.pairing_flags); 3200 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT) == 0) 3201 p_dev_rec->sm4 |= BTM_SM4_KNOWN; 3202 } 3203 3204 BTM_TRACE_DEBUG("%s, SM4 Value: %x, Legacy:%d,IS SM4:%d, Unknown:%d",__FUNCTION__, 3205 p_dev_rec->sm4, BTM_SEC_IS_SM4_LEGACY(p_dev_rec->sm4), 3206 BTM_SEC_IS_SM4(p_dev_rec->sm4),BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4)); 3207 3208 /* BT 2.1 or carkit, bring up the connection to force the peer to request PIN. 3209 ** Else prefetch (btm_sec_check_prefetch_pin will do the prefetching if needed) 3210 */ 3211 if ((p_dev_rec->sm4 != BTM_SM4_KNOWN) || !btm_sec_check_prefetch_pin(p_dev_rec)) 3212 { 3213 /* if we rejected incoming connection request, we have to wait HCI_Connection_Complete event */ 3214 /* before originating */ 3215 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT) 3216 { 3217 BTM_TRACE_WARNING ("%s: waiting HCI_Connection_Complete after rejecting connection", __func__); 3218 } 3219 /* Both we and the peer are 2.1 - continue to create connection */ 3220 else if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED) 3221 { 3222 BTM_TRACE_WARNING ("%s: failed to start connection", __func__); 3223 3224 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 3225 3226 if (btm_cb.api.p_auth_complete_callback) 3227 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class, 3228 p_dev_rec->sec_bd_name, HCI_ERR_MEMORY_FULL); 3229 } 3230 } 3231 return; 3232 } else { 3233 BTM_TRACE_WARNING ("%s: wrong BDA, retry with pairing BDA", __func__); 3234 BTM_ReadRemoteDeviceName (btm_cb.pairing_bda, NULL, BT_TRANSPORT_BR_EDR); 3235 return; 3236 } 3237 } 3238 3239 /* check if we were delaying link_key_callback because name was not resolved */ 3240 if (p_dev_rec->link_key_not_sent) 3241 { 3242 /* If HCI connection complete has not arrived, wait for it */ 3243 if (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE) 3244 return; 3245 3246 p_dev_rec->link_key_not_sent = FALSE; 3247 btm_send_link_key_notif(p_dev_rec); 3248 3249 /* If its not us who perform authentication, we should tell stackserver */ 3250 /* that some authentication has been completed */ 3251 /* This is required when different entities receive link notification and auth complete */ 3252 if (!(p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE)) 3253 { 3254 if (btm_cb.api.p_auth_complete_callback) 3255 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, 3256 p_dev_rec->dev_class, 3257 p_dev_rec->sec_bd_name, HCI_SUCCESS); 3258 3259 } 3260 } 3261 3262 /* If this is a bonding procedure can disconnect the link now */ 3263 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) 3264 && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)) 3265 { 3266 BTM_TRACE_WARNING ("btm_sec_rmt_name_request_complete (none/ce)"); 3267 p_dev_rec->security_required &= ~(BTM_SEC_OUT_AUTHENTICATE); 3268 l2cu_start_post_bond_timer(p_dev_rec->hci_handle); 3269 return; 3270 } 3271 3272 if (old_sec_state != BTM_SEC_STATE_GETTING_NAME) 3273 return; 3274 3275 /* If get name failed, notify the waiting layer */ 3276 if (status != HCI_SUCCESS) 3277 { 3278 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING, FALSE); 3279 return; 3280 } 3281 3282 if (p_dev_rec->sm4 & BTM_SM4_REQ_PEND) 3283 { 3284 BTM_TRACE_EVENT ("waiting for remote features!!"); 3285 return; 3286 } 3287 3288 /* Remote Name succeeded, execute the next security procedure, if any */ 3289 status = (UINT8)btm_sec_execute_procedure (p_dev_rec); 3290 3291 /* If result is pending reply from the user or from the device is pending */ 3292 if (status == BTM_CMD_STARTED) 3293 return; 3294 3295 /* There is no next procedure or start of procedure failed, notify the waiting layer */ 3296 btm_sec_dev_rec_cback_event (p_dev_rec, status, FALSE); 3297} 3298 3299/******************************************************************************* 3300** 3301** Function btm_sec_rmt_host_support_feat_evt 3302** 3303** Description This function is called when the 3304** HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT is received 3305** 3306** Returns void 3307** 3308*******************************************************************************/ 3309void btm_sec_rmt_host_support_feat_evt (UINT8 *p) 3310{ 3311 tBTM_SEC_DEV_REC *p_dev_rec; 3312 BD_ADDR bd_addr; /* peer address */ 3313 BD_FEATURES features; 3314 3315 STREAM_TO_BDADDR (bd_addr, p); 3316 p_dev_rec = btm_find_or_alloc_dev (bd_addr); 3317 3318 BTM_TRACE_EVENT ("btm_sec_rmt_host_support_feat_evt sm4: 0x%x p[0]: 0x%x", p_dev_rec->sm4, p[0]); 3319 3320 if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4)) 3321 { 3322 p_dev_rec->sm4 = BTM_SM4_KNOWN; 3323 STREAM_TO_ARRAY(features, p, HCI_FEATURE_BYTES_PER_PAGE); 3324 if (HCI_SSP_HOST_SUPPORTED(features)) 3325 { 3326 p_dev_rec->sm4 = BTM_SM4_TRUE; 3327 } 3328 BTM_TRACE_EVENT ("btm_sec_rmt_host_support_feat_evt sm4: 0x%x features[0]: 0x%x", p_dev_rec->sm4, features[0]); 3329 } 3330} 3331 3332/******************************************************************************* 3333** 3334** Function btm_io_capabilities_req 3335** 3336** Description This function is called when LM request for the IO 3337** capability of the local device and 3338** if the OOB data is present for the device in the event 3339** 3340** Returns void 3341** 3342*******************************************************************************/ 3343void btm_io_capabilities_req (UINT8 *p) 3344{ 3345 tBTM_SP_IO_REQ evt_data; 3346 UINT8 err_code = 0; 3347 tBTM_SEC_DEV_REC *p_dev_rec; 3348 BOOLEAN is_orig = TRUE; 3349 UINT8 callback_rc = BTM_SUCCESS; 3350 3351 STREAM_TO_BDADDR (evt_data.bd_addr, p); 3352 3353 /* setup the default response according to compile options */ 3354 /* assume that the local IO capability does not change 3355 * loc_io_caps is initialized with the default value */ 3356 evt_data.io_cap = btm_cb.devcb.loc_io_caps; 3357 evt_data.oob_data = BTM_OOB_NONE; 3358 evt_data.auth_req = BTM_DEFAULT_AUTH_REQ; 3359 3360 BTM_TRACE_EVENT("%s: State: %s", __FUNCTION__, btm_pair_state_descr(btm_cb.pairing_state)); 3361 3362 p_dev_rec = btm_find_or_alloc_dev (evt_data.bd_addr); 3363 3364 BTM_TRACE_DEBUG("%s:Security mode: %d, Num Read Remote Feat pages: %d", __FUNCTION__, 3365 btm_cb.security_mode, p_dev_rec->num_read_pages); 3366 3367 if ((btm_cb.security_mode == BTM_SEC_MODE_SC) && (p_dev_rec->num_read_pages == 0)) 3368 { 3369 BTM_TRACE_EVENT("%s: Device security mode is SC only.", 3370 "To continue need to know remote features.", __FUNCTION__); 3371 3372 p_dev_rec->remote_features_needed = TRUE; 3373 return; 3374 } 3375 3376 p_dev_rec->sm4 |= BTM_SM4_TRUE; 3377 3378 BTM_TRACE_EVENT("%s: State: %s Flags: 0x%04x p_cur_service: 0x%08x", 3379 __FUNCTION__, btm_pair_state_descr(btm_cb.pairing_state), 3380 btm_cb.pairing_flags, p_dev_rec->p_cur_service); 3381 3382 if (p_dev_rec->p_cur_service) 3383 { 3384 BTM_TRACE_EVENT("%s: cur_service psm: 0x%04x, security_flags: 0x%04x", 3385 __FUNCTION__, p_dev_rec->p_cur_service->psm, 3386 p_dev_rec->p_cur_service->security_flags); 3387 } 3388 3389 switch (btm_cb.pairing_state) 3390 { 3391 /* initiator connecting */ 3392 case BTM_PAIR_STATE_IDLE: 3393 //TODO: Handle Idle pairing state 3394 //security_required = p_dev_rec->security_required; 3395 break; 3396 3397 /* received IO capability response already->acceptor */ 3398 case BTM_PAIR_STATE_INCOMING_SSP: 3399 is_orig = FALSE; 3400 3401 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_PEER_STARTED_DD) 3402 { 3403 /* acceptor in dedicated bonding */ 3404 evt_data.auth_req = BTM_DEFAULT_DD_AUTH_REQ; 3405 } 3406 break; 3407 3408 /* initiator, at this point it is expected to be dedicated bonding 3409 initiated by local device */ 3410 case BTM_PAIR_STATE_WAIT_PIN_REQ: 3411 if (!memcmp (evt_data.bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN)) 3412 { 3413 evt_data.auth_req = BTM_DEFAULT_DD_AUTH_REQ; 3414 } 3415 else 3416 { 3417 err_code = HCI_ERR_HOST_BUSY_PAIRING; 3418 } 3419 break; 3420 3421 /* any other state is unexpected */ 3422 default: 3423 err_code = HCI_ERR_HOST_BUSY_PAIRING; 3424 BTM_TRACE_ERROR("%s: Unexpected Pairing state received %d", __FUNCTION__, 3425 btm_cb.pairing_state); 3426 break; 3427 } 3428 3429 if (btm_cb.pairing_disabled) 3430 { 3431 /* pairing is not allowed */ 3432 BTM_TRACE_DEBUG("%s: Pairing is not allowed -> fail pairing.", __FUNCTION__); 3433 err_code = HCI_ERR_PAIRING_NOT_ALLOWED; 3434 } 3435 else if (btm_cb.security_mode == BTM_SEC_MODE_SC) 3436 { 3437 BOOLEAN local_supports_sc = controller_get_interface()->supports_secure_connections(); 3438 /* device in Secure Connections Only mode */ 3439 if (!(local_supports_sc) || !(p_dev_rec->remote_supports_secure_connections)) 3440 { 3441 BTM_TRACE_DEBUG("%s: SC only service, local_support_for_sc %d,", 3442 " remote_support_for_sc 0x%02x -> fail pairing", __FUNCTION__, 3443 local_supports_sc, p_dev_rec->remote_supports_secure_connections); 3444 3445 err_code = HCI_ERR_PAIRING_NOT_ALLOWED; 3446 } 3447 } 3448 3449 if (err_code != 0) 3450 { 3451/* coverity[uninit_use_in_call] 3452Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp" 3453False-positive: evt_data.bd_addr is set at the beginning with: STREAM_TO_BDADDR (evt_data.bd_addr, p); 3454*/ 3455 btsnd_hcic_io_cap_req_neg_reply(evt_data.bd_addr, err_code); 3456 return; 3457 } 3458 3459 evt_data.is_orig = is_orig; 3460 3461 if (is_orig) 3462 { 3463 /* local device initiated the pairing non-bonding -> use p_cur_service */ 3464 if (!(btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) && 3465 p_dev_rec->p_cur_service && 3466 (p_dev_rec->p_cur_service->security_flags & BTM_SEC_OUT_AUTHENTICATE)) 3467 { 3468 if (btm_cb.security_mode == BTM_SEC_MODE_SC) 3469 { 3470 /* SC only mode device requires MITM protection */ 3471 evt_data.auth_req = BTM_AUTH_SP_YES; 3472 } 3473 else 3474 { 3475 evt_data.auth_req = (p_dev_rec->p_cur_service->security_flags & 3476 BTM_SEC_OUT_MITM)? BTM_AUTH_SP_YES : BTM_AUTH_SP_NO; 3477 } 3478 } 3479 } 3480 3481 /* Notify L2CAP to increase timeout */ 3482 l2c_pin_code_request (evt_data.bd_addr); 3483 3484 memcpy (btm_cb.pairing_bda, evt_data.bd_addr, BD_ADDR_LEN); 3485 3486/* coverity[uninit_use_in_call] 3487Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp" 3488False-positive: False-positive: evt_data.bd_addr is set at the beginning with: STREAM_TO_BDADDR (evt_data.bd_addr, p); 3489*/ 3490 if (!memcmp (evt_data.bd_addr, btm_cb.connecting_bda, BD_ADDR_LEN)) 3491 memcpy (p_dev_rec->dev_class, btm_cb.connecting_dc, DEV_CLASS_LEN); 3492 3493 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS); 3494 3495 callback_rc = BTM_SUCCESS; 3496 if (p_dev_rec->sm4 & BTM_SM4_UPGRADE) 3497 { 3498 p_dev_rec->sm4 &= ~BTM_SM4_UPGRADE; 3499 3500 /* link key upgrade: always use SPGB_YES - assuming we want to save the link key */ 3501 evt_data.auth_req = BTM_AUTH_SPGB_YES; 3502 } 3503 else if (btm_cb.api.p_sp_callback) 3504 { 3505 /* the callback function implementation may change the IO capability... */ 3506 callback_rc = (*btm_cb.api.p_sp_callback) (BTM_SP_IO_REQ_EVT, (tBTM_SP_EVT_DATA *)&evt_data); 3507 } 3508 3509 if ((callback_rc == BTM_SUCCESS) || (BTM_OOB_UNKNOWN != evt_data.oob_data)) 3510 { 3511 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)) 3512 { 3513 evt_data.auth_req = (BTM_AUTH_DD_BOND | (evt_data.auth_req & BTM_AUTH_YN_BIT)); 3514 } 3515 3516 if (btm_cb.security_mode == BTM_SEC_MODE_SC) 3517 { 3518 /* At this moment we know that both sides are SC capable, device in */ 3519 /* SC only mode requires MITM for any service so let's set MITM bit */ 3520 evt_data.auth_req |= BTM_AUTH_YN_BIT; 3521 BTM_TRACE_DEBUG("%s: for device in \"SC only\" mode set auth_req to 0x%02x", 3522 __FUNCTION__, evt_data.auth_req); 3523 } 3524 3525 /* if the user does not indicate "reply later" by setting the oob_data to unknown */ 3526 /* send the response right now. Save the current IO capability in the control block */ 3527 btm_cb.devcb.loc_auth_req = evt_data.auth_req; 3528 btm_cb.devcb.loc_io_caps = evt_data.io_cap; 3529 3530 BTM_TRACE_EVENT("%s: State: %s IO_CAP:%d oob_data:%d auth_req:%d", 3531 __FUNCTION__, btm_pair_state_descr(btm_cb.pairing_state), evt_data.io_cap, 3532 evt_data.oob_data, evt_data.auth_req); 3533 3534 btsnd_hcic_io_cap_req_reply(evt_data.bd_addr, evt_data.io_cap, 3535 evt_data.oob_data, evt_data.auth_req); 3536 } 3537} 3538 3539/******************************************************************************* 3540** 3541** Function btm_io_capabilities_rsp 3542** 3543** Description This function is called when the IO capability of the 3544** specified device is received 3545** 3546** Returns void 3547** 3548*******************************************************************************/ 3549void btm_io_capabilities_rsp (UINT8 *p) 3550{ 3551 tBTM_SEC_DEV_REC *p_dev_rec; 3552 tBTM_SP_IO_RSP evt_data; 3553 3554 STREAM_TO_BDADDR (evt_data.bd_addr, p); 3555 STREAM_TO_UINT8 (evt_data.io_cap, p); 3556 STREAM_TO_UINT8 (evt_data.oob_data, p); 3557 STREAM_TO_UINT8 (evt_data.auth_req, p); 3558 3559 /* Allocate a new device record or reuse the oldest one */ 3560 p_dev_rec = btm_find_or_alloc_dev (evt_data.bd_addr); 3561 3562 /* If no security is in progress, this indicates incoming security */ 3563 if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE) 3564 { 3565 memcpy (btm_cb.pairing_bda, evt_data.bd_addr, BD_ADDR_LEN); 3566 3567 btm_sec_change_pairing_state (BTM_PAIR_STATE_INCOMING_SSP); 3568 3569 /* Make sure we reset the trusted mask to help against attacks */ 3570 BTM_SEC_CLR_TRUSTED_DEVICE(p_dev_rec->trusted_mask); 3571 3572 /* work around for FW bug */ 3573 btm_inq_stop_on_ssp(); 3574 } 3575 3576 /* Notify L2CAP to increase timeout */ 3577 l2c_pin_code_request (evt_data.bd_addr); 3578 3579 /* We must have a device record here. 3580 * Use the connecting device's CoD for the connection */ 3581/* coverity[uninit_use_in_call] 3582Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp" 3583FALSE-POSITIVE error from Coverity test-tool. evt_data.bd_addr is set at the beginning with: STREAM_TO_BDADDR (evt_data.bd_addr, p); 3584*/ 3585 if (!memcmp (evt_data.bd_addr, btm_cb.connecting_bda, BD_ADDR_LEN)) 3586 memcpy (p_dev_rec->dev_class, btm_cb.connecting_dc, DEV_CLASS_LEN); 3587 3588 /* peer sets dedicated bonding bit and we did not initiate dedicated bonding */ 3589 if (btm_cb.pairing_state == BTM_PAIR_STATE_INCOMING_SSP /* peer initiated bonding */ 3590 && (evt_data.auth_req & BTM_AUTH_DD_BOND) ) /* and dedicated bonding bit is set */ 3591 { 3592 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PEER_STARTED_DD; 3593 } 3594 3595 /* save the IO capability in the device record */ 3596 p_dev_rec->rmt_io_caps = evt_data.io_cap; 3597 p_dev_rec->rmt_auth_req = evt_data.auth_req; 3598 3599 if (btm_cb.api.p_sp_callback) 3600 (*btm_cb.api.p_sp_callback) (BTM_SP_IO_RSP_EVT, (tBTM_SP_EVT_DATA *)&evt_data); 3601} 3602 3603/******************************************************************************* 3604** 3605** Function btm_proc_sp_req_evt 3606** 3607** Description This function is called to process/report 3608** HCI_USER_CONFIRMATION_REQUEST_EVT 3609** or HCI_USER_PASSKEY_REQUEST_EVT 3610** or HCI_USER_PASSKEY_NOTIFY_EVT 3611** 3612** Returns void 3613** 3614*******************************************************************************/ 3615void btm_proc_sp_req_evt (tBTM_SP_EVT event, UINT8 *p) 3616{ 3617 tBTM_STATUS status = BTM_ERR_PROCESSING; 3618 tBTM_SP_EVT_DATA evt_data; 3619 UINT8 *p_bda = evt_data.cfm_req.bd_addr; 3620 tBTM_SEC_DEV_REC *p_dev_rec; 3621 3622 /* All events start with bd_addr */ 3623 STREAM_TO_BDADDR (p_bda, p); 3624 3625 BTM_TRACE_EVENT ("btm_proc_sp_req_evt() BDA: %08x%04x event: 0x%x, State: %s", 3626 (p_bda[0]<<24) + (p_bda[1]<<16) + (p_bda[2]<<8) + p_bda[3], (p_bda[4] << 8) + p_bda[5], 3627 event, btm_pair_state_descr(btm_cb.pairing_state)); 3628 3629 if ( ((p_dev_rec = btm_find_dev (p_bda)) != NULL) 3630 && (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) 3631 && (memcmp (btm_cb.pairing_bda, p_bda, BD_ADDR_LEN) == 0) ) 3632 { 3633 memcpy (evt_data.cfm_req.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN); 3634 memcpy (evt_data.cfm_req.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN); 3635 3636 strlcpy((char *)evt_data.cfm_req.bd_name, (char *)p_dev_rec->sec_bd_name, BTM_MAX_REM_BD_NAME_LEN); 3637 3638 switch (event) 3639 { 3640 case BTM_SP_CFM_REQ_EVT: 3641 /* Numeric confirmation. Need user to conf the passkey */ 3642 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM); 3643 3644 /* The device record must be allocated in the "IO cap exchange" step */ 3645 STREAM_TO_UINT32 (evt_data.cfm_req.num_val, p); 3646 3647 evt_data.cfm_req.just_works = TRUE; 3648 3649 /* process user confirm req in association with the auth_req param */ 3650#if (BTM_LOCAL_IO_CAPS == BTM_IO_CAP_IO) 3651 if ( (p_dev_rec->rmt_io_caps == BTM_IO_CAP_IO) 3652 && (btm_cb.devcb.loc_io_caps == BTM_IO_CAP_IO) 3653 && ((p_dev_rec->rmt_auth_req & BTM_AUTH_SP_YES) || (btm_cb.devcb.loc_auth_req & BTM_AUTH_SP_YES)) ) 3654 { 3655 /* Both devices are DisplayYesNo and one or both devices want to authenticate 3656 -> use authenticated link key */ 3657 evt_data.cfm_req.just_works = FALSE; 3658 } 3659#endif 3660 BTM_TRACE_DEBUG ("btm_proc_sp_req_evt() just_works:%d, io loc:%d, rmt:%d, auth loc:%d, rmt:%d", 3661 evt_data.cfm_req.just_works, btm_cb.devcb.loc_io_caps, p_dev_rec->rmt_io_caps, 3662 btm_cb.devcb.loc_auth_req, p_dev_rec->rmt_auth_req); 3663 3664 evt_data.cfm_req.loc_auth_req = btm_cb.devcb.loc_auth_req; 3665 evt_data.cfm_req.rmt_auth_req = p_dev_rec->rmt_auth_req; 3666 evt_data.cfm_req.loc_io_caps = btm_cb.devcb.loc_io_caps; 3667 evt_data.cfm_req.rmt_io_caps = p_dev_rec->rmt_io_caps; 3668 break; 3669 3670 case BTM_SP_KEY_NOTIF_EVT: 3671 /* Passkey notification (other side is a keyboard) */ 3672 STREAM_TO_UINT32 (evt_data.key_notif.passkey, p); 3673 3674 BTM_TRACE_DEBUG ("BTM_SP_KEY_NOTIF_EVT: passkey: %u", evt_data.key_notif.passkey); 3675 3676 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE); 3677 break; 3678 3679#if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE) 3680 case BTM_SP_KEY_REQ_EVT: 3681 /* HCI_USER_PASSKEY_REQUEST_EVT */ 3682 btm_sec_change_pairing_state (BTM_PAIR_STATE_KEY_ENTRY); 3683 break; 3684#endif 3685 } 3686 3687 if (btm_cb.api.p_sp_callback) 3688 { 3689 status = (*btm_cb.api.p_sp_callback) (event, (tBTM_SP_EVT_DATA *)&evt_data); 3690 if (status != BTM_NOT_AUTHORIZED) 3691 { 3692 return; 3693 } 3694 /* else BTM_NOT_AUTHORIZED means when the app wants to reject the req right now */ 3695 } 3696 else if ( (event == BTM_SP_CFM_REQ_EVT) && (evt_data.cfm_req.just_works == TRUE) ) 3697 { 3698 /* automatically reply with just works if no sp_cback */ 3699 status = BTM_SUCCESS; 3700 } 3701 3702 if (event == BTM_SP_CFM_REQ_EVT) 3703 { 3704 BTM_TRACE_DEBUG ("calling BTM_ConfirmReqReply with status: %d", status); 3705 BTM_ConfirmReqReply (status, p_bda); 3706 } 3707#if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE) 3708 else if (event == BTM_SP_KEY_REQ_EVT) 3709 { 3710 BTM_PasskeyReqReply(status, p_bda, 0); 3711 } 3712#endif 3713 return; 3714 } 3715 3716 /* Something bad. we can only fail this connection */ 3717 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY; 3718 3719 if (BTM_SP_CFM_REQ_EVT == event) 3720 { 3721 btsnd_hcic_user_conf_reply (p_bda, FALSE); 3722 } 3723 else if (BTM_SP_KEY_NOTIF_EVT == event) 3724 { 3725 /* do nothing -> it very unlikely to happen. 3726 This event is most likely to be received by a HID host when it first connects to a HID device. 3727 Usually the Host initiated the connection in this case. 3728 On Mobile platforms, if there's a security process happening, 3729 the host probably can not initiate another connection. 3730 BTW (PC) is another story. */ 3731 if (NULL != (p_dev_rec = btm_find_dev (p_bda)) ) 3732 { 3733 btm_sec_disconnect (p_dev_rec->hci_handle, HCI_ERR_AUTH_FAILURE); 3734 } 3735 } 3736#if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE) 3737 else 3738 { 3739 btsnd_hcic_user_passkey_neg_reply(p_bda); 3740 } 3741#endif 3742} 3743 3744/******************************************************************************* 3745** 3746** Function btm_keypress_notif_evt 3747** 3748** Description This function is called when a key press notification is 3749** received 3750** 3751** Returns void 3752** 3753*******************************************************************************/ 3754void btm_keypress_notif_evt (UINT8 *p) 3755{ 3756 tBTM_SP_KEYPRESS evt_data; 3757 UINT8 *p_bda; 3758 3759 /* parse & report BTM_SP_KEYPRESS_EVT */ 3760 if (btm_cb.api.p_sp_callback) 3761 { 3762 p_bda = evt_data.bd_addr; 3763 3764 STREAM_TO_BDADDR (p_bda, p); 3765 evt_data.notif_type = *p; 3766 3767 (*btm_cb.api.p_sp_callback) (BTM_SP_KEYPRESS_EVT, (tBTM_SP_EVT_DATA *)&evt_data); 3768 } 3769} 3770 3771/******************************************************************************* 3772** 3773** Function btm_simple_pair_complete 3774** 3775** Description This function is called when simple pairing process is 3776** complete 3777** 3778** Returns void 3779** 3780*******************************************************************************/ 3781void btm_simple_pair_complete (UINT8 *p) 3782{ 3783 tBTM_SP_COMPLT evt_data; 3784 tBTM_SEC_DEV_REC *p_dev_rec; 3785 UINT8 status; 3786 BOOLEAN disc = FALSE; 3787 3788 status = *p++; 3789 STREAM_TO_BDADDR (evt_data.bd_addr, p); 3790 3791 if ((p_dev_rec = btm_find_dev (evt_data.bd_addr)) == NULL) 3792 { 3793 BTM_TRACE_ERROR ("btm_simple_pair_complete() with unknown BDA: %08x%04x", 3794 (evt_data.bd_addr[0]<<24) + (evt_data.bd_addr[1]<<16) + (evt_data.bd_addr[2]<<8) + evt_data.bd_addr[3], 3795 (evt_data.bd_addr[4] << 8) + evt_data.bd_addr[5]); 3796 return; 3797 } 3798 3799 BTM_TRACE_EVENT ("btm_simple_pair_complete() Pair State: %s Status:%d sec_state: %u", 3800 btm_pair_state_descr(btm_cb.pairing_state), status, p_dev_rec->sec_state); 3801 3802 evt_data.status = BTM_ERR_PROCESSING; 3803 if (status == HCI_SUCCESS) 3804 { 3805 evt_data.status = BTM_SUCCESS; 3806 p_dev_rec->sec_flags |= BTM_SEC_AUTHENTICATED; 3807 } 3808 else 3809 { 3810 if (status == HCI_ERR_PAIRING_NOT_ALLOWED) 3811 { 3812 /* The test spec wants the peer device to get this failure code. */ 3813 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_DISCONNECT); 3814 3815 /* Change the timer to 1 second */ 3816 alarm_set_on_queue(btm_cb.pairing_timer, BT_1SEC_TIMEOUT_MS, 3817 btm_sec_pairing_timeout, NULL, 3818 btu_general_alarm_queue); 3819 } 3820 else if (memcmp (btm_cb.pairing_bda, evt_data.bd_addr, BD_ADDR_LEN) == 0) 3821 { 3822 /* stop the timer */ 3823 alarm_cancel(btm_cb.pairing_timer); 3824 3825 if (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING) 3826 { 3827 /* the initiating side: will receive auth complete event. disconnect ACL at that time */ 3828 disc = TRUE; 3829 } 3830 } 3831 else 3832 disc = TRUE; 3833 } 3834 3835 /* Let the pairing state stay active, p_auth_complete_callback will report the failure */ 3836 memcpy (evt_data.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN); 3837 memcpy (evt_data.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN); 3838 3839 if (btm_cb.api.p_sp_callback) 3840 (*btm_cb.api.p_sp_callback) (BTM_SP_COMPLT_EVT, (tBTM_SP_EVT_DATA *)&evt_data); 3841 3842 if (disc) 3843 { 3844 /* simple pairing failed */ 3845 /* Avoid sending disconnect on HCI_ERR_PEER_USER */ 3846 if ((status != HCI_ERR_PEER_USER) && (status != HCI_ERR_CONN_CAUSE_LOCAL_HOST)) 3847 { 3848 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE, p_dev_rec->hci_handle); 3849 } 3850 } 3851} 3852 3853/******************************************************************************* 3854** 3855** Function btm_rem_oob_req 3856** 3857** Description This function is called to process/report 3858** HCI_REMOTE_OOB_DATA_REQUEST_EVT 3859** 3860** Returns void 3861** 3862*******************************************************************************/ 3863void btm_rem_oob_req (UINT8 *p) 3864{ 3865 UINT8 *p_bda; 3866 tBTM_SP_RMT_OOB evt_data; 3867 tBTM_SEC_DEV_REC *p_dev_rec; 3868 BT_OCTET16 c; 3869 BT_OCTET16 r; 3870 3871 p_bda = evt_data.bd_addr; 3872 3873 STREAM_TO_BDADDR (p_bda, p); 3874 3875 BTM_TRACE_EVENT ("btm_rem_oob_req() BDA: %02x:%02x:%02x:%02x:%02x:%02x", 3876 p_bda[0], p_bda[1], p_bda[2], p_bda[3], p_bda[4], p_bda[5]); 3877 3878 if ( (NULL != (p_dev_rec = btm_find_dev (p_bda))) && 3879 btm_cb.api.p_sp_callback) 3880 { 3881 memcpy (evt_data.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN); 3882 memcpy (evt_data.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN); 3883 strlcpy((char *)evt_data.bd_name, (char *)p_dev_rec->sec_bd_name, BTM_MAX_REM_BD_NAME_LEN); 3884 3885 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP); 3886 if ((*btm_cb.api.p_sp_callback) (BTM_SP_RMT_OOB_EVT, (tBTM_SP_EVT_DATA *)&evt_data) == BTM_NOT_AUTHORIZED) 3887 { 3888 BTM_RemoteOobDataReply(TRUE, p_bda, c, r); 3889 } 3890 return; 3891 } 3892 3893 /* something bad. we can only fail this connection */ 3894 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY; 3895 btsnd_hcic_rem_oob_neg_reply (p_bda); 3896} 3897 3898/******************************************************************************* 3899** 3900** Function btm_read_local_oob_complete 3901** 3902** Description This function is called when read local oob data is 3903** completed by the LM 3904** 3905** Returns void 3906** 3907*******************************************************************************/ 3908void btm_read_local_oob_complete (UINT8 *p) 3909{ 3910 tBTM_SP_LOC_OOB evt_data; 3911 UINT8 status = *p++; 3912 3913 BTM_TRACE_EVENT ("btm_read_local_oob_complete:%d", status); 3914 if (status == HCI_SUCCESS) 3915 { 3916 evt_data.status = BTM_SUCCESS; 3917 STREAM_TO_ARRAY16(evt_data.c, p); 3918 STREAM_TO_ARRAY16(evt_data.r, p); 3919 } 3920 else 3921 evt_data.status = BTM_ERR_PROCESSING; 3922 3923 if (btm_cb.api.p_sp_callback) 3924 (*btm_cb.api.p_sp_callback) (BTM_SP_LOC_OOB_EVT, (tBTM_SP_EVT_DATA *)&evt_data); 3925} 3926 3927/******************************************************************************* 3928** 3929** Function btm_sec_auth_collision 3930** 3931** Description This function is called when authentication or encryption 3932** needs to be retried at a later time. 3933** 3934** Returns void 3935** 3936*******************************************************************************/ 3937static void btm_sec_auth_collision (UINT16 handle) 3938{ 3939 tBTM_SEC_DEV_REC *p_dev_rec; 3940 3941 if (!btm_cb.collision_start_time) 3942 btm_cb.collision_start_time = time_get_os_boottime_ms(); 3943 3944 if ((time_get_os_boottime_ms() - btm_cb.collision_start_time) < btm_cb.max_collision_delay) 3945 { 3946 if (handle == BTM_SEC_INVALID_HANDLE) 3947 { 3948 if ((p_dev_rec = btm_sec_find_dev_by_sec_state (BTM_SEC_STATE_AUTHENTICATING)) == NULL) 3949 p_dev_rec = btm_sec_find_dev_by_sec_state (BTM_SEC_STATE_ENCRYPTING); 3950 } 3951 else 3952 p_dev_rec = btm_find_dev_by_handle (handle); 3953 3954 if (p_dev_rec != NULL) 3955 { 3956 BTM_TRACE_DEBUG ("btm_sec_auth_collision: state %d (retrying in a moment...)", p_dev_rec->sec_state); 3957 /* We will restart authentication after timeout */ 3958 if (p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING || p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING) 3959 p_dev_rec->sec_state = 0; 3960 3961 btm_cb.p_collided_dev_rec = p_dev_rec; 3962 alarm_set_on_queue(btm_cb.sec_collision_timer, BT_1SEC_TIMEOUT_MS, 3963 btm_sec_collision_timeout, NULL, 3964 btu_general_alarm_queue); 3965 } 3966 } 3967} 3968 3969/******************************************************************************* 3970** 3971** Function btm_sec_auth_complete 3972** 3973** Description This function is when authentication of the connection is 3974** completed by the LM 3975** 3976** Returns void 3977** 3978*******************************************************************************/ 3979void btm_sec_auth_complete (UINT16 handle, UINT8 status) 3980{ 3981 UINT8 old_sm4; 3982 tBTM_PAIRING_STATE old_state = btm_cb.pairing_state; 3983 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle); 3984 BOOLEAN are_bonding = FALSE; 3985 3986 /* Commenting out trace due to obf/compilation problems. 3987 */ 3988#if (BT_USE_TRACES == TRUE) 3989 if (p_dev_rec) 3990 { 3991 BTM_TRACE_EVENT ("Security Manager: auth_complete PairState: %s handle:%u status:%d dev->sec_state: %u Bda:%08x, RName:%s", 3992 btm_pair_state_descr (btm_cb.pairing_state), 3993 handle, status, 3994 p_dev_rec->sec_state, 3995 (p_dev_rec->bd_addr[2]<<24)+(p_dev_rec->bd_addr[3]<<16)+(p_dev_rec->bd_addr[4]<<8)+p_dev_rec->bd_addr[5], 3996 p_dev_rec->sec_bd_name); 3997 } 3998 else 3999 { 4000 BTM_TRACE_EVENT ("Security Manager: auth_complete PairState: %s handle:%u status:%d", 4001 btm_pair_state_descr (btm_cb.pairing_state), 4002 handle, status); 4003 } 4004#endif 4005 4006 /* For transaction collision we need to wait and repeat. There is no need */ 4007 /* for random timeout because only slave should receive the result */ 4008 if ((status == HCI_ERR_LMP_ERR_TRANS_COLLISION) || (status == HCI_ERR_DIFF_TRANSACTION_COLLISION)) 4009 { 4010 btm_sec_auth_collision(handle); 4011 return; 4012 } 4013 btm_cb.collision_start_time = 0; 4014 4015 btm_restore_mode(); 4016 4017 /* Check if connection was made just to do bonding. If we authenticate 4018 the connection that is up, this is the last event received. 4019 */ 4020 if (p_dev_rec 4021 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) 4022 && !(btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)) 4023 { 4024 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE; 4025 4026 l2cu_start_post_bond_timer (p_dev_rec->hci_handle); 4027 } 4028 4029 if (!p_dev_rec) 4030 return; 4031 4032 /* keep the old sm4 flag and clear the retry bit in control block */ 4033 old_sm4 = p_dev_rec->sm4; 4034 p_dev_rec->sm4 &= ~BTM_SM4_RETRY; 4035 4036 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) 4037 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) 4038 && (memcmp (p_dev_rec->bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN) == 0) ) 4039 are_bonding = TRUE; 4040 4041 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) 4042 && (memcmp (p_dev_rec->bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN) == 0) ) 4043 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 4044 4045 if (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING) 4046 { 4047 if ( (btm_cb.api.p_auth_complete_callback && status != HCI_SUCCESS) 4048 && (old_state != BTM_PAIR_STATE_IDLE) ) 4049 { 4050 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, 4051 p_dev_rec->dev_class, 4052 p_dev_rec->sec_bd_name, status); 4053 } 4054 return; 4055 } 4056 4057 /* There can be a race condition, when we are starting authentication and 4058 ** the peer device is doing encryption. 4059 ** If first we receive encryption change up, then initiated authentication 4060 ** can not be performed. According to the spec we can not do authentication 4061 ** on the encrypted link, so device is correct. 4062 */ 4063 if ((status == HCI_ERR_COMMAND_DISALLOWED) 4064 && ((p_dev_rec->sec_flags & (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED)) == 4065 (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED))) 4066 { 4067 status = HCI_SUCCESS; 4068 } 4069 /* Currently we do not notify user if it is a keyboard which connects */ 4070 /* User probably Disabled the keyboard while it was asleap. Let her try */ 4071 if (btm_cb.api.p_auth_complete_callback) 4072 { 4073 /* report the suthentication status */ 4074 if (old_state != BTM_PAIR_STATE_IDLE) 4075 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, 4076 p_dev_rec->dev_class, 4077 p_dev_rec->sec_bd_name, status); 4078 } 4079 4080 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE; 4081 4082 /* If this is a bonding procedure can disconnect the link now */ 4083 if (are_bonding) 4084 { 4085 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE; 4086 4087 if (status != HCI_SUCCESS) 4088 { 4089 if(((status != HCI_ERR_PEER_USER) && (status != HCI_ERR_CONN_CAUSE_LOCAL_HOST))) 4090 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_PEER_USER, p_dev_rec->hci_handle); 4091 } 4092 else 4093 { 4094 BTM_TRACE_DEBUG ("TRYING TO DECIDE IF CAN USE SMP_BR_CHNL"); 4095 if (p_dev_rec->new_encryption_key_is_p256 && (btm_sec_use_smp_br_chnl(p_dev_rec)) 4096 /* no LE keys are available, do deriving */ 4097 && (!(p_dev_rec->sec_flags &BTM_SEC_LE_LINK_KEY_KNOWN) || 4098 /* or BR key is higher security than existing LE keys */ 4099 (!(p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_AUTHED) && 4100 (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED)))) 4101 { 4102 BTM_TRACE_DEBUG ("link encrypted afer dedic bonding can use SMP_BR_CHNL"); 4103 4104 if (btm_sec_is_master(p_dev_rec)) 4105 { 4106 // Encryption is required to start SM over BR/EDR 4107 // indicate that this is encryption after authentication 4108 BTM_SetEncryption(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR, NULL, NULL, 0); 4109 } 4110 } 4111 l2cu_start_post_bond_timer (p_dev_rec->hci_handle); 4112 } 4113 4114 return; 4115 } 4116 4117 /* If authentication failed, notify the waiting layer */ 4118 if (status != HCI_SUCCESS) 4119 { 4120 if ((old_sm4 & BTM_SM4_RETRY) == 0) 4121 { 4122 /* allow retry only once */ 4123 if (status == HCI_ERR_LMP_ERR_TRANS_COLLISION) 4124 { 4125 /* not retried yet. set the retry bit */ 4126 p_dev_rec->sm4 |= BTM_SM4_RETRY; 4127 BTM_TRACE_DEBUG ("Collision retry sm4:x%x sec_flags:0x%x", p_dev_rec->sm4, p_dev_rec->sec_flags); 4128 } 4129 /* this retry for missing key is for Lisbon or later only. 4130 * Legacy device do not need this. the controller will drive the retry automatically */ 4131 else if (HCI_ERR_KEY_MISSING == status && BTM_SEC_IS_SM4(p_dev_rec->sm4)) 4132 { 4133 /* not retried yet. set the retry bit */ 4134 p_dev_rec->sm4 |= BTM_SM4_RETRY; 4135 p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_KNOWN; 4136 BTM_TRACE_DEBUG ("Retry for missing key sm4:x%x sec_flags:0x%x", p_dev_rec->sm4, p_dev_rec->sec_flags); 4137 4138 /* With BRCM controller, we do not need to delete the stored link key in controller. 4139 If the stack may sit on top of other controller, we may need this 4140 BTM_DeleteStoredLinkKey (bd_addr, NULL); */ 4141 } 4142 4143 if (p_dev_rec->sm4 & BTM_SM4_RETRY) 4144 { 4145 btm_sec_execute_procedure (p_dev_rec); 4146 return; 4147 } 4148 } 4149 4150 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING, FALSE); 4151 4152 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE) 4153 { 4154 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE, p_dev_rec->hci_handle); 4155 } 4156 return; 4157 } 4158 4159 p_dev_rec->sec_flags |= BTM_SEC_AUTHENTICATED; 4160 4161 if (p_dev_rec->pin_code_length >= 16 || 4162 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB || 4163 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) { 4164 // If we have MITM protection we have a higher level of security than 4165 // provided by 16 digits PIN 4166 p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED; 4167 } 4168 4169 /* Authentication succeeded, execute the next security procedure, if any */ 4170 status = btm_sec_execute_procedure (p_dev_rec); 4171 4172 /* If there is no next procedure, or procedure failed to start, notify the caller */ 4173 if (status != BTM_CMD_STARTED) 4174 btm_sec_dev_rec_cback_event (p_dev_rec, status, FALSE); 4175} 4176 4177/******************************************************************************* 4178** 4179** Function btm_sec_encrypt_change 4180** 4181** Description This function is when encryption of the connection is 4182** completed by the LM 4183** 4184** Returns void 4185** 4186*******************************************************************************/ 4187void btm_sec_encrypt_change (UINT16 handle, UINT8 status, UINT8 encr_enable) 4188{ 4189 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle); 4190#if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE 4191 tACL_CONN *p_acl = NULL; 4192 UINT8 acl_idx = btm_handle_to_acl_index(handle); 4193#endif 4194 BTM_TRACE_EVENT ("Security Manager: encrypt_change status:%d State:%d, encr_enable = %d", 4195 status, (p_dev_rec) ? p_dev_rec->sec_state : 0, encr_enable); 4196 BTM_TRACE_DEBUG ("before update p_dev_rec->sec_flags=0x%x", (p_dev_rec) ? p_dev_rec->sec_flags : 0 ); 4197 4198 /* For transaction collision we need to wait and repeat. There is no need */ 4199 /* for random timeout because only slave should receive the result */ 4200 if ((status == HCI_ERR_LMP_ERR_TRANS_COLLISION) || 4201 (status == HCI_ERR_DIFF_TRANSACTION_COLLISION)) 4202 { 4203 btm_sec_auth_collision(handle); 4204 return; 4205 } 4206 btm_cb.collision_start_time = 0; 4207 4208 if (!p_dev_rec) 4209 return; 4210 4211 if ((status == HCI_SUCCESS) && encr_enable) 4212 { 4213 if (p_dev_rec->hci_handle == handle) { 4214 p_dev_rec->sec_flags |= (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED); 4215 if (p_dev_rec->pin_code_length >= 16 || 4216 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB || 4217 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) { 4218 p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED; 4219 } 4220 } 4221 else 4222 { 4223 p_dev_rec->sec_flags |= (BTM_SEC_LE_AUTHENTICATED | BTM_SEC_LE_ENCRYPTED); 4224 } 4225 } 4226 4227 /* It is possible that we decrypted the link to perform role switch */ 4228 /* mark link not to be encrypted, so that when we execute security next time it will kick in again */ 4229 if ((status == HCI_SUCCESS) && !encr_enable) 4230 { 4231 if (p_dev_rec->hci_handle == handle) 4232 p_dev_rec->sec_flags &= ~BTM_SEC_ENCRYPTED; 4233 else 4234 p_dev_rec->sec_flags &= ~BTM_SEC_LE_ENCRYPTED; 4235 } 4236 4237 BTM_TRACE_DEBUG ("after update p_dev_rec->sec_flags=0x%x", p_dev_rec->sec_flags ); 4238 4239#if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE 4240 if (acl_idx != MAX_L2CAP_LINKS) 4241 p_acl = &btm_cb.acl_db[acl_idx]; 4242 4243 if (p_acl != NULL) 4244 btm_sec_check_pending_enc_req(p_dev_rec, p_acl->transport, encr_enable); 4245 4246 if (p_acl && p_acl->transport == BT_TRANSPORT_LE) 4247 { 4248 if (status == HCI_ERR_KEY_MISSING || status == HCI_ERR_AUTH_FAILURE || 4249 status == HCI_ERR_ENCRY_MODE_NOT_ACCEPTABLE) 4250 { 4251 p_dev_rec->sec_flags &= ~ (BTM_SEC_LE_LINK_KEY_KNOWN); 4252 p_dev_rec->ble.key_type = BTM_LE_KEY_NONE; 4253 } 4254 btm_ble_link_encrypted(p_dev_rec->ble.pseudo_addr, encr_enable); 4255 return; 4256 } 4257 else 4258 { 4259 /* BR/EDR connection, update the encryption key size to be 16 as always */ 4260 p_dev_rec->enc_key_size = 16; 4261 } 4262 4263 BTM_TRACE_DEBUG ("in %s new_encr_key_256 is %d", 4264 __func__, p_dev_rec->new_encryption_key_is_p256); 4265 4266 if ((status == HCI_SUCCESS) && encr_enable && (p_dev_rec->hci_handle == handle)) 4267 { 4268 if (p_dev_rec->new_encryption_key_is_p256) 4269 { 4270 if (btm_sec_use_smp_br_chnl(p_dev_rec) && 4271 btm_sec_is_master(p_dev_rec) && 4272 /* if LE key is not known, do deriving */ 4273 (!(p_dev_rec->sec_flags &BTM_SEC_LE_LINK_KEY_KNOWN) || 4274 /* or BR key is higher security than existing LE keys */ 4275 (!(p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_AUTHED) 4276 && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED)))) 4277 { 4278 /* BR/EDR is encrypted with LK that can be used to derive LE LTK */ 4279 p_dev_rec->new_encryption_key_is_p256 = FALSE; 4280 4281 if (p_dev_rec->no_smp_on_br) 4282 { 4283 BTM_TRACE_DEBUG ("%s NO SM over BR/EDR", __func__); 4284 } 4285 else 4286 { 4287 BTM_TRACE_DEBUG ("%s start SM over BR/EDR", __func__); 4288 SMP_BR_PairWith(p_dev_rec->bd_addr); 4289 } 4290 } 4291 } 4292 else 4293 { 4294 // BR/EDR is successfully encrypted. Correct LK type if needed 4295 // (BR/EDR LK derived from LE LTK was used for encryption) 4296 if ((encr_enable == 1) && /* encryption is ON for SSP */ 4297 /* LK type is for BR/EDR SC */ 4298 (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256 || 4299 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256)) 4300 { 4301 if (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256) 4302 p_dev_rec->link_key_type = BTM_LKEY_TYPE_UNAUTH_COMB; 4303 else /* BTM_LKEY_TYPE_AUTH_COMB_P_256 */ 4304 p_dev_rec->link_key_type = BTM_LKEY_TYPE_AUTH_COMB; 4305 4306 BTM_TRACE_DEBUG("updated link key type to %d", p_dev_rec->link_key_type); 4307 btm_send_link_key_notif(p_dev_rec); 4308 } 4309 } 4310 } 4311#else 4312 btm_sec_check_pending_enc_req (p_dev_rec, BT_TRANSPORT_BR_EDR, encr_enable); 4313#endif /* BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE */ 4314 4315 /* If this encryption was started by peer do not need to do anything */ 4316 if (p_dev_rec->sec_state != BTM_SEC_STATE_ENCRYPTING) 4317 { 4318 if (BTM_SEC_STATE_DELAY_FOR_ENC == p_dev_rec->sec_state) 4319 { 4320 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE; 4321 p_dev_rec->p_callback = NULL; 4322 l2cu_resubmit_pending_sec_req (p_dev_rec->bd_addr); 4323 } 4324 return; 4325 } 4326 4327 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE; 4328 /* If encryption setup failed, notify the waiting layer */ 4329 if (status != HCI_SUCCESS) 4330 { 4331 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING, FALSE); 4332 return; 4333 } 4334 4335 /* Encryption setup succeeded, execute the next security procedure, if any */ 4336 status = (UINT8)btm_sec_execute_procedure (p_dev_rec); 4337 /* If there is no next procedure, or procedure failed to start, notify the caller */ 4338 if (status != BTM_CMD_STARTED) 4339 btm_sec_dev_rec_cback_event (p_dev_rec, status, FALSE); 4340} 4341 4342/******************************************************************************* 4343** 4344** Function btm_sec_connect_after_reject_timeout 4345** 4346** Description Connection for bonding could not start because of the collision 4347** Initiate outgoing connection 4348** 4349** Returns Pointer to the TLE struct 4350** 4351*******************************************************************************/ 4352static void btm_sec_connect_after_reject_timeout(UNUSED_ATTR void *data) 4353{ 4354 tBTM_SEC_DEV_REC *p_dev_rec = btm_cb.p_collided_dev_rec; 4355 4356 BTM_TRACE_EVENT("%s", __func__); 4357 btm_cb.p_collided_dev_rec = 0; 4358 4359 if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED) 4360 { 4361 BTM_TRACE_WARNING("Security Manager: %s: failed to start connection", 4362 __func__); 4363 4364 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 4365 4366 if (btm_cb.api.p_auth_complete_callback) 4367 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class, 4368 p_dev_rec->sec_bd_name, HCI_ERR_MEMORY_FULL); 4369 } 4370} 4371 4372/******************************************************************************* 4373** 4374** Function btm_sec_connected 4375** 4376** Description This function is when a connection to the peer device is 4377** establsihed 4378** 4379** Returns void 4380** 4381*******************************************************************************/ 4382void btm_sec_connected (UINT8 *bda, UINT16 handle, UINT8 status, UINT8 enc_mode) 4383{ 4384 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bda); 4385 UINT8 res; 4386 BOOLEAN is_pairing_device = FALSE; 4387 tACL_CONN *p_acl_cb; 4388 UINT8 bit_shift = 0; 4389 4390 btm_acl_resubmit_page(); 4391 4392 /* Commenting out trace due to obf/compilation problems. 4393 */ 4394#if (BT_USE_TRACES == TRUE) 4395 if (p_dev_rec) 4396 { 4397 BTM_TRACE_EVENT ("Security Manager: btm_sec_connected in state: %s handle:%d status:%d enc_mode:%d bda:%x RName:%s", 4398 btm_pair_state_descr(btm_cb.pairing_state), handle, status, enc_mode, 4399 (bda[2]<<24)+(bda[3]<<16)+(bda[4]<<8)+bda[5], 4400 p_dev_rec->sec_bd_name); 4401 } 4402 else 4403 { 4404 BTM_TRACE_EVENT ("Security Manager: btm_sec_connected in state: %s handle:%d status:%d enc_mode:%d bda:%x ", 4405 btm_pair_state_descr(btm_cb.pairing_state), handle, status, enc_mode, 4406 (bda[2]<<24)+(bda[3]<<16)+(bda[4]<<8)+bda[5]); 4407 } 4408#endif 4409 4410 if (!p_dev_rec) 4411 { 4412 /* There is no device record for new connection. Allocate one */ 4413 if (status == HCI_SUCCESS) 4414 { 4415 p_dev_rec = btm_sec_alloc_dev (bda); 4416 } 4417 else 4418 { 4419 /* If the device matches with stored paring address 4420 * reset the paring state to idle */ 4421 if ((btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) && 4422 (memcmp (btm_cb.pairing_bda, bda, BD_ADDR_LEN) == 0)) 4423 { 4424 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE); 4425 } 4426 4427 /* can not find the device record and the status is error, 4428 * just ignore it */ 4429 return; 4430 } 4431 } 4432 else /* Update the timestamp for this device */ 4433 { 4434 4435#if BLE_INCLUDED == TRUE 4436 bit_shift = (handle == p_dev_rec->ble_hci_handle) ? 8 :0; 4437#endif 4438 p_dev_rec->timestamp = btm_cb.dev_rec_count++; 4439 if (p_dev_rec->sm4 & BTM_SM4_CONN_PEND) 4440 { 4441 /* tell L2CAP it's a bonding connection. */ 4442 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) 4443 && (memcmp (btm_cb.pairing_bda, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0) 4444 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) ) 4445 { 4446 /* if incoming connection failed while pairing, then try to connect and continue */ 4447 /* Motorola S9 disconnects without asking pin code */ 4448 if ((status != HCI_SUCCESS)&&(btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_PIN_REQ)) 4449 { 4450 BTM_TRACE_WARNING ("Security Manager: btm_sec_connected: incoming connection failed without asking PIN"); 4451 4452 p_dev_rec->sm4 &= ~BTM_SM4_CONN_PEND; 4453 if (p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN) 4454 { 4455 /* Start timer with 0 to initiate connection with new LCB */ 4456 /* because L2CAP will delete current LCB with this event */ 4457 btm_cb.p_collided_dev_rec = p_dev_rec; 4458 alarm_set_on_queue(btm_cb.sec_collision_timer, 0, 4459 btm_sec_connect_after_reject_timeout, 4460 NULL, btu_general_alarm_queue); 4461 } 4462 else 4463 { 4464 btm_sec_change_pairing_state (BTM_PAIR_STATE_GET_REM_NAME); 4465 BTM_ReadRemoteDeviceName(p_dev_rec->bd_addr, NULL, BT_TRANSPORT_BR_EDR); 4466 } 4467#if BTM_DISC_DURING_RS == TRUE 4468 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */ 4469#endif 4470 return; 4471 } 4472 else 4473 { 4474 l2cu_update_lcb_4_bonding(p_dev_rec->bd_addr, TRUE); 4475 } 4476 } 4477 /* always clear the pending flag */ 4478 p_dev_rec->sm4 &= ~BTM_SM4_CONN_PEND; 4479 } 4480 } 4481 4482#if BLE_INCLUDED == TRUE 4483 p_dev_rec->device_type |= BT_DEVICE_TYPE_BREDR; 4484#endif 4485 4486#if BTM_DISC_DURING_RS == TRUE 4487 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */ 4488#endif 4489 4490 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */ 4491 4492 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) 4493 && (memcmp (btm_cb.pairing_bda, bda, BD_ADDR_LEN) == 0) ) 4494 { 4495 /* if we rejected incoming connection from bonding device */ 4496 if ((status == HCI_ERR_HOST_REJECT_DEVICE) 4497 &&(btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT)) 4498 { 4499 BTM_TRACE_WARNING ("Security Manager: btm_sec_connected: HCI_Conn_Comp Flags:0x%04x, sm4: 0x%x", 4500 btm_cb.pairing_flags, p_dev_rec->sm4); 4501 4502 btm_cb.pairing_flags &= ~BTM_PAIR_FLAGS_REJECTED_CONNECT; 4503 if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4)) 4504 { 4505 /* Try again: RNR when no ACL causes HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT */ 4506 btm_sec_change_pairing_state (BTM_PAIR_STATE_GET_REM_NAME); 4507 BTM_ReadRemoteDeviceName(bda, NULL, BT_TRANSPORT_BR_EDR); 4508 return; 4509 } 4510 4511 /* if we already have pin code */ 4512 if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_PIN) 4513 { 4514 /* Start timer with 0 to initiate connection with new LCB */ 4515 /* because L2CAP will delete current LCB with this event */ 4516 btm_cb.p_collided_dev_rec = p_dev_rec; 4517 alarm_set_on_queue(btm_cb.sec_collision_timer, 0, 4518 btm_sec_connect_after_reject_timeout, 4519 NULL, btu_general_alarm_queue); 4520 } 4521 4522 return; 4523 } 4524 /* wait for incoming connection without resetting pairing state */ 4525 else if (status == HCI_ERR_CONNECTION_EXISTS) 4526 { 4527 BTM_TRACE_WARNING ("Security Manager: btm_sec_connected: Wait for incoming connection"); 4528 return; 4529 } 4530 4531 is_pairing_device = TRUE; 4532 } 4533 4534 /* If connection was made to do bonding restore link security if changed */ 4535 btm_restore_mode(); 4536 4537 /* if connection fails during pin request, notify application */ 4538 if (status != HCI_SUCCESS) 4539 { 4540 /* If connection failed because of during pairing, need to tell user */ 4541 if (is_pairing_device) 4542 { 4543 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE; 4544 p_dev_rec->sec_flags &= ~((BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED) << bit_shift); 4545 BTM_TRACE_DEBUG ("security_required:%x ", p_dev_rec->security_required ); 4546 4547 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 4548 4549 /* We need to notify host that the key is not known any more */ 4550 if (btm_cb.api.p_auth_complete_callback) 4551 { 4552 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, 4553 p_dev_rec->dev_class, 4554 p_dev_rec->sec_bd_name, status); 4555 } 4556 } 4557 /* 4558 Do not send authentication failure, if following conditions hold good 4559 1. BTM Sec Pairing state is idle 4560 2. Link key for the remote device is present. 4561 3. Remote is SSP capable. 4562 */ 4563 else if ((p_dev_rec->link_key_type <= BTM_LKEY_TYPE_REMOTE_UNIT) && 4564 (((status == HCI_ERR_AUTH_FAILURE) || 4565 (status == HCI_ERR_KEY_MISSING) || 4566 (status == HCI_ERR_HOST_REJECT_SECURITY) || 4567 (status == HCI_ERR_PAIRING_NOT_ALLOWED) || 4568 (status == HCI_ERR_UNIT_KEY_USED) || 4569 (status == HCI_ERR_PAIRING_WITH_UNIT_KEY_NOT_SUPPORTED) || 4570 (status == HCI_ERR_ENCRY_MODE_NOT_ACCEPTABLE) || 4571 (status == HCI_ERR_REPEATED_ATTEMPTS)))) 4572 { 4573 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE; 4574 p_dev_rec->sec_flags &= ~ (BTM_SEC_LE_LINK_KEY_KNOWN << bit_shift); 4575 4576#ifdef BRCM_NOT_4_BTE 4577 /* If we rejected pairing, pass this special result code */ 4578 if (btm_cb.acl_disc_reason == HCI_ERR_HOST_REJECT_SECURITY) 4579 { 4580 status = HCI_ERR_HOST_REJECT_SECURITY; 4581 } 4582#endif 4583 4584 /* We need to notify host that the key is not known any more */ 4585 if (btm_cb.api.p_auth_complete_callback) 4586 { 4587 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, 4588 p_dev_rec->dev_class, 4589 p_dev_rec->sec_bd_name, status); 4590 } 4591 } 4592 4593 if (status == HCI_ERR_CONNECTION_TOUT || status == HCI_ERR_LMP_RESPONSE_TIMEOUT || 4594 status == HCI_ERR_UNSPECIFIED || status == HCI_ERR_PAGE_TIMEOUT) 4595 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_DEVICE_TIMEOUT, FALSE); 4596 else 4597 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING, FALSE); 4598 4599 return; 4600 } 4601 4602 /* If initiated dedicated bonding, return the link key now, and initiate disconnect */ 4603 /* If dedicated bonding, and we now have a link key, we are all done */ 4604 if ( is_pairing_device 4605 && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) ) 4606 { 4607 if (p_dev_rec->link_key_not_sent) 4608 { 4609 p_dev_rec->link_key_not_sent = FALSE; 4610 btm_send_link_key_notif(p_dev_rec); 4611 } 4612 4613 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE; 4614 4615 /* remember flag before it is initialized */ 4616 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) 4617 res = TRUE; 4618 else 4619 res = FALSE; 4620 4621 if (btm_cb.api.p_auth_complete_callback) 4622 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, 4623 p_dev_rec->dev_class, 4624 p_dev_rec->sec_bd_name, HCI_SUCCESS); 4625 4626 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 4627 4628 if ( res ) 4629 { 4630 /* Let l2cap start bond timer */ 4631 l2cu_update_lcb_4_bonding (p_dev_rec->bd_addr, TRUE); 4632 } 4633 4634 return; 4635 } 4636 4637 p_dev_rec->hci_handle = handle; 4638 4639 /* role may not be correct here, it will be updated by l2cap, but we need to */ 4640 /* notify btm_acl that link is up, so starting of rmt name request will not */ 4641 /* set paging flag up */ 4642 p_acl_cb = btm_bda_to_acl(bda, BT_TRANSPORT_BR_EDR); 4643 if (p_acl_cb) 4644 { 4645 /* whatever is in btm_establish_continue() without reporting the BTM_BL_CONN_EVT event */ 4646#if (!defined(BTM_BYPASS_EXTRA_ACL_SETUP) || BTM_BYPASS_EXTRA_ACL_SETUP == FALSE) 4647 /* For now there are a some devices that do not like sending */ 4648 /* commands events and data at the same time. */ 4649 /* Set the packet types to the default allowed by the device */ 4650 btm_set_packet_types (p_acl_cb, btm_cb.btm_acl_pkt_types_supported); 4651 4652 if (btm_cb.btm_def_link_policy) 4653 BTM_SetLinkPolicy (p_acl_cb->remote_addr, &btm_cb.btm_def_link_policy); 4654#endif 4655 } 4656 btm_acl_created (bda, p_dev_rec->dev_class, p_dev_rec->sec_bd_name, handle, HCI_ROLE_SLAVE, BT_TRANSPORT_BR_EDR); 4657 4658 /* Initialize security flags. We need to do that because some */ 4659 /* authorization complete could have come after the connection is dropped */ 4660 /* and that would set wrong flag that link has been authorized already */ 4661 p_dev_rec->sec_flags &= ~((BTM_SEC_AUTHORIZED | BTM_SEC_AUTHENTICATED | 4662 BTM_SEC_ENCRYPTED | BTM_SEC_ROLE_SWITCHED) << bit_shift); 4663 4664 if (enc_mode != HCI_ENCRYPT_MODE_DISABLED) 4665 p_dev_rec->sec_flags |= ((BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED) << bit_shift); 4666 4667 if (btm_cb.security_mode == BTM_SEC_MODE_LINK) 4668 p_dev_rec->sec_flags |= (BTM_SEC_AUTHENTICATED << bit_shift); 4669 4670 if (p_dev_rec->pin_code_length >= 16 || 4671 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB || 4672 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) { 4673 p_dev_rec->sec_flags |= (BTM_SEC_16_DIGIT_PIN_AUTHED << bit_shift); 4674 } 4675 4676 p_dev_rec->link_key_changed = FALSE; 4677 4678 /* After connection is established we perform security if we do not know */ 4679 /* the name, or if we are originator because some procedure can have */ 4680 /* been scheduled while connection was down */ 4681 BTM_TRACE_DEBUG ("is_originator:%d ", p_dev_rec->is_originator); 4682 if (!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN) || p_dev_rec->is_originator) 4683 { 4684 if ((res = btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED) 4685 btm_sec_dev_rec_cback_event (p_dev_rec, res, FALSE); 4686 } 4687 return; 4688} 4689 4690/******************************************************************************* 4691** 4692** Function btm_sec_disconnect 4693** 4694** Description This function is called to disconnect HCI link 4695** 4696** Returns btm status 4697** 4698*******************************************************************************/ 4699tBTM_STATUS btm_sec_disconnect (UINT16 handle, UINT8 reason) 4700{ 4701 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle); 4702 4703 /* In some weird race condition we may not have a record */ 4704 if (!p_dev_rec) 4705 { 4706 btsnd_hcic_disconnect (handle, reason); 4707 return(BTM_SUCCESS); 4708 } 4709 4710 /* If we are in the process of bonding we need to tell client that auth failed */ 4711 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) 4712 && (memcmp (btm_cb.pairing_bda, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0) 4713 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) ) 4714 { 4715 /* we are currently doing bonding. Link will be disconnected when done */ 4716 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_DISC_WHEN_DONE; 4717 return(BTM_BUSY); 4718 } 4719 4720 return(btm_sec_send_hci_disconnect(p_dev_rec, reason, handle)); 4721} 4722 4723/******************************************************************************* 4724** 4725** Function btm_sec_disconnected 4726** 4727** Description This function is when a connection to the peer device is 4728** dropped 4729** 4730** Returns void 4731** 4732*******************************************************************************/ 4733void btm_sec_disconnected (UINT16 handle, UINT8 reason) 4734{ 4735 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle); 4736 UINT8 old_pairing_flags = btm_cb.pairing_flags; 4737 int result = HCI_ERR_AUTH_FAILURE; 4738 tBTM_SEC_CALLBACK *p_callback = NULL; 4739 tBT_TRANSPORT transport = BT_TRANSPORT_BR_EDR; 4740 4741 /* If page was delayed for disc complete, can do it now */ 4742 btm_cb.discing = FALSE; 4743 4744 btm_acl_resubmit_page(); 4745 4746 if (!p_dev_rec) 4747 return; 4748 4749 transport = (handle == p_dev_rec->hci_handle) ? BT_TRANSPORT_BR_EDR: BT_TRANSPORT_LE; 4750 4751 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */ 4752 4753#if BTM_DISC_DURING_RS == TRUE 4754 LOG_INFO(LOG_TAG, "%s clearing pending flag handle:%d reason:%d", __func__, handle, reason); 4755 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */ 4756#endif 4757 4758 /* clear unused flags */ 4759 p_dev_rec->sm4 &= BTM_SM4_TRUE; 4760 4761 uint8_t *bd_addr = (uint8_t *)p_dev_rec->bd_addr; 4762 BTM_TRACE_EVENT("%s sec_req:x%x state:%s reason:%d bd_addr:%02x:%02x:%02x:%02x:%02x:%02x" 4763 " remote_name:%s", __func__, p_dev_rec->security_required, btm_pair_state_descr(btm_cb.pairing_state), 4764 reason, bd_addr[0], bd_addr[1], bd_addr[2], bd_addr[3], bd_addr[4], bd_addr[5], p_dev_rec->sec_bd_name); 4765 4766 BTM_TRACE_EVENT("%s before update sec_flags=0x%x", __func__, p_dev_rec->sec_flags); 4767 4768 /* If we are in the process of bonding we need to tell client that auth failed */ 4769 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) 4770 && (memcmp (btm_cb.pairing_bda, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0)) 4771 { 4772 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 4773 p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_KNOWN; 4774 if (btm_cb.api.p_auth_complete_callback) 4775 { 4776 /* If the disconnection reason is REPEATED_ATTEMPTS, 4777 send this error message to complete callback function 4778 to display the error message of Repeated attempts. 4779 All others, send HCI_ERR_AUTH_FAILURE. */ 4780 if (reason == HCI_ERR_REPEATED_ATTEMPTS) 4781 { 4782 result = HCI_ERR_REPEATED_ATTEMPTS; 4783 } 4784 else if (old_pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) 4785 { 4786 result = HCI_ERR_HOST_REJECT_SECURITY; 4787 } 4788 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class, 4789 p_dev_rec->sec_bd_name, result); 4790 } 4791 } 4792 4793#if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE 4794 btm_ble_update_mode_operation(HCI_ROLE_UNKNOWN, p_dev_rec->bd_addr, HCI_SUCCESS); 4795 /* see sec_flags processing in btm_acl_removed */ 4796 4797 if (transport == BT_TRANSPORT_LE) 4798 { 4799 p_dev_rec->ble_hci_handle = BTM_SEC_INVALID_HANDLE; 4800 p_dev_rec->sec_flags &= ~(BTM_SEC_LE_AUTHENTICATED|BTM_SEC_LE_ENCRYPTED); 4801 p_dev_rec->enc_key_size = 0; 4802 } 4803 else 4804#endif 4805 { 4806 p_dev_rec->hci_handle = BTM_SEC_INVALID_HANDLE; 4807 p_dev_rec->sec_flags &= ~(BTM_SEC_AUTHORIZED | BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED 4808 | BTM_SEC_ROLE_SWITCHED | BTM_SEC_16_DIGIT_PIN_AUTHED); 4809 } 4810 4811#if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE 4812 if (p_dev_rec->sec_state == BTM_SEC_STATE_DISCONNECTING_BOTH) 4813 { 4814 p_dev_rec->sec_state = (transport == BT_TRANSPORT_LE) ? 4815 BTM_SEC_STATE_DISCONNECTING : BTM_SEC_STATE_DISCONNECTING_BLE; 4816 return; 4817 } 4818#endif 4819 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE; 4820 p_dev_rec->security_required = BTM_SEC_NONE; 4821 4822 p_callback = p_dev_rec->p_callback; 4823 4824 /* if security is pending, send callback to clean up the security state */ 4825 if(p_callback) 4826 { 4827 p_dev_rec->p_callback = NULL; /* when the peer device time out the authentication before 4828 we do, this call back must be reset here */ 4829 (*p_callback) (p_dev_rec->bd_addr, transport, p_dev_rec->p_ref_data, BTM_ERR_PROCESSING); 4830 } 4831 4832 BTM_TRACE_EVENT("%s after update sec_flags=0x%x", __func__, p_dev_rec->sec_flags); 4833} 4834 4835/******************************************************************************* 4836** 4837** Function btm_sec_link_key_notification 4838** 4839** Description This function is called when a new connection link key is 4840** generated 4841** 4842** Returns Pointer to the record or NULL 4843** 4844*******************************************************************************/ 4845void btm_sec_link_key_notification (UINT8 *p_bda, UINT8 *p_link_key, UINT8 key_type) 4846{ 4847 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_or_alloc_dev (p_bda); 4848 BOOLEAN we_are_bonding = FALSE; 4849 BOOLEAN ltk_derived_lk = FALSE; 4850 4851 BTM_TRACE_EVENT ("btm_sec_link_key_notification() BDA:%04x%08x, TYPE: %d", 4852 (p_bda[0]<<8)+p_bda[1], (p_bda[2]<<24)+(p_bda[3]<<16)+(p_bda[4]<<8)+p_bda[5], 4853 key_type); 4854 4855 if ((key_type >= BTM_LTK_DERIVED_LKEY_OFFSET + BTM_LKEY_TYPE_COMBINATION) && 4856 (key_type <= BTM_LTK_DERIVED_LKEY_OFFSET + BTM_LKEY_TYPE_AUTH_COMB_P_256)) 4857 { 4858 ltk_derived_lk = TRUE; 4859 key_type -= BTM_LTK_DERIVED_LKEY_OFFSET; 4860 } 4861 /* If connection was made to do bonding restore link security if changed */ 4862 btm_restore_mode(); 4863 4864 if (key_type != BTM_LKEY_TYPE_CHANGED_COMB) 4865 p_dev_rec->link_key_type = key_type; 4866 4867 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_KNOWN; 4868 4869 /* 4870 * Until this point in time, we do not know if MITM was enabled, hence we 4871 * add the extended security flag here. 4872 */ 4873 if (p_dev_rec->pin_code_length >= 16 || 4874 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB || 4875 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) { 4876 p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED; 4877 } 4878 4879#if (BLE_INCLUDED == TRUE) 4880 /* BR/EDR connection, update the encryption key size to be 16 as always */ 4881 p_dev_rec->enc_key_size = 16; 4882#endif 4883 memcpy (p_dev_rec->link_key, p_link_key, LINK_KEY_LEN); 4884 4885 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) 4886 && (memcmp (btm_cb.pairing_bda, p_bda, BD_ADDR_LEN) == 0) ) 4887 { 4888 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) 4889 we_are_bonding = TRUE; 4890 else 4891 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 4892 } 4893 4894 /* save LTK derived LK no matter what */ 4895 if (ltk_derived_lk) 4896 { 4897 if (btm_cb.api.p_link_key_callback) 4898 { 4899 BTM_TRACE_DEBUG ("%s() Save LTK derived LK (key_type = %d)", 4900 __FUNCTION__, p_dev_rec->link_key_type); 4901 (*btm_cb.api.p_link_key_callback) (p_bda, p_dev_rec->dev_class, 4902 p_dev_rec->sec_bd_name, 4903 p_link_key, p_dev_rec->link_key_type); 4904 } 4905 } 4906 else 4907 { 4908 if ((p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256) || 4909 (p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256)) 4910 { 4911 p_dev_rec->new_encryption_key_is_p256 = TRUE; 4912 BTM_TRACE_DEBUG ("%s set new_encr_key_256 to %d", 4913 __func__, p_dev_rec->new_encryption_key_is_p256); 4914 } 4915 } 4916 4917 /* If name is not known at this point delay calling callback until the name is */ 4918 /* resolved. Unless it is a HID Device and we really need to send all link keys. */ 4919 if ((!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN) 4920 && ((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) != BTM_COD_MAJOR_PERIPHERAL)) 4921 && !ltk_derived_lk) 4922 { 4923 BTM_TRACE_EVENT ("btm_sec_link_key_notification() Delayed BDA: %08x%04x Type:%d", 4924 (p_bda[0]<<24) + (p_bda[1]<<16) + (p_bda[2]<<8) + p_bda[3], 4925 (p_bda[4] << 8) + p_bda[5], key_type); 4926 4927 p_dev_rec->link_key_not_sent = TRUE; 4928 4929 /* If it is for bonding nothing else will follow, so we need to start name resolution */ 4930 if (we_are_bonding) 4931 { 4932 if (!(btsnd_hcic_rmt_name_req (p_bda, HCI_PAGE_SCAN_REP_MODE_R1, HCI_MANDATARY_PAGE_SCAN_MODE, 0))) 4933 btm_inq_rmt_name_failed(); 4934 } 4935 4936 BTM_TRACE_EVENT ("rmt_io_caps:%d, sec_flags:x%x, dev_class[1]:x%02x", p_dev_rec->rmt_io_caps, p_dev_rec->sec_flags, p_dev_rec->dev_class[1]) 4937 return; 4938 } 4939 4940 /* If its not us who perform authentication, we should tell stackserver */ 4941 /* that some authentication has been completed */ 4942 /* This is required when different entities receive link notification and auth complete */ 4943 if (!(p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE) 4944 /* for derived key, always send authentication callback for BR channel */ 4945 || ltk_derived_lk) 4946 { 4947 if (btm_cb.api.p_auth_complete_callback) 4948 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class, 4949 p_dev_rec->sec_bd_name, HCI_SUCCESS); 4950 } 4951 4952 /* We will save link key only if the user authorized it - BTE report link key in all cases */ 4953#ifdef BRCM_NONE_BTE 4954 if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED) 4955#endif 4956 { 4957 if (btm_cb.api.p_link_key_callback) 4958 { 4959 if (ltk_derived_lk) 4960 { 4961 BTM_TRACE_DEBUG ("btm_sec_link_key_notification() LTK derived LK is saved already" 4962 " (key_type = %d)", p_dev_rec->link_key_type); 4963 } 4964 else 4965 { 4966 (*btm_cb.api.p_link_key_callback) (p_bda, p_dev_rec->dev_class, 4967 p_dev_rec->sec_bd_name, 4968 p_link_key, p_dev_rec->link_key_type); 4969 } 4970 } 4971 } 4972} 4973 4974/******************************************************************************* 4975** 4976** Function btm_sec_link_key_request 4977** 4978** Description This function is called when controller requests link key 4979** 4980** Returns Pointer to the record or NULL 4981** 4982*******************************************************************************/ 4983void btm_sec_link_key_request (UINT8 *p_bda) 4984{ 4985 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_or_alloc_dev (p_bda); 4986 4987 BTM_TRACE_EVENT ("btm_sec_link_key_request() BDA: %02x:%02x:%02x:%02x:%02x:%02x", 4988 p_bda[0], p_bda[1], p_bda[2], p_bda[3], p_bda[4], p_bda[5]); 4989 4990 if( (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_PIN_REQ) && 4991 (btm_cb.collision_start_time != 0) && 4992 (memcmp (btm_cb.p_collided_dev_rec->bd_addr, p_bda, BD_ADDR_LEN) == 0) ) 4993 { 4994 BTM_TRACE_EVENT ("btm_sec_link_key_request() rejecting link key req " 4995 "State: %d START_TIMEOUT : %d", 4996 btm_cb.pairing_state, btm_cb.collision_start_time); 4997 btsnd_hcic_link_key_neg_reply (p_bda); 4998 return; 4999 } 5000 if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) 5001 { 5002 btsnd_hcic_link_key_req_reply (p_bda, p_dev_rec->link_key); 5003 return; 5004 } 5005 5006 /* Notify L2CAP to increase timeout */ 5007 l2c_pin_code_request (p_bda); 5008 5009 /* The link key is not in the database and it is not known to the manager */ 5010 btsnd_hcic_link_key_neg_reply (p_bda); 5011} 5012 5013/******************************************************************************* 5014** 5015** Function btm_sec_pairing_timeout 5016** 5017** Description This function is called when host does not provide PIN 5018** within requested time 5019** 5020** Returns Pointer to the TLE struct 5021** 5022*******************************************************************************/ 5023static void btm_sec_pairing_timeout(UNUSED_ATTR void *data) 5024{ 5025 tBTM_CB *p_cb = &btm_cb; 5026 tBTM_SEC_DEV_REC *p_dev_rec; 5027#if (BTM_LOCAL_IO_CAPS == BTM_IO_CAP_NONE) 5028 tBTM_AUTH_REQ auth_req = BTM_AUTH_AP_NO; 5029#else 5030 tBTM_AUTH_REQ auth_req = BTM_AUTH_AP_YES; 5031#endif 5032 UINT8 name[2]; 5033 5034/* Coverity: FALSE-POSITIVE error from Coverity tool. Please do NOT remove following comment. */ 5035/* coverity[UNUSED_VALUE] pointer p_dev_rec is actually used several times... This is a Coverity false-positive, i.e. a fake issue. 5036*/ 5037 p_dev_rec = btm_find_dev (p_cb->pairing_bda); 5038 5039 BTM_TRACE_EVENT ("%s State: %s Flags: %u", __func__, 5040 btm_pair_state_descr(p_cb->pairing_state), p_cb->pairing_flags); 5041 5042 switch (p_cb->pairing_state) 5043 { 5044 case BTM_PAIR_STATE_WAIT_PIN_REQ: 5045 btm_sec_bond_cancel_complete(); 5046 break; 5047 5048 case BTM_PAIR_STATE_WAIT_LOCAL_PIN: 5049 if ( (btm_cb.pairing_flags & BTM_PAIR_FLAGS_PRE_FETCH_PIN) == 0) 5050 btsnd_hcic_pin_code_neg_reply (p_cb->pairing_bda); 5051 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 5052 /* We need to notify the UI that no longer need the PIN */ 5053 if (btm_cb.api.p_auth_complete_callback) 5054 { 5055 if (p_dev_rec == NULL) 5056 { 5057 name[0] = 0; 5058 (*btm_cb.api.p_auth_complete_callback) (p_cb->pairing_bda, 5059 NULL, 5060 name, HCI_ERR_CONNECTION_TOUT); 5061 } 5062 else 5063 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, 5064 p_dev_rec->dev_class, 5065 p_dev_rec->sec_bd_name, HCI_ERR_CONNECTION_TOUT); 5066 } 5067 break; 5068 5069 case BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM: 5070 btsnd_hcic_user_conf_reply (p_cb->pairing_bda, FALSE); 5071 /* btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); */ 5072 break; 5073 5074#if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE) 5075 case BTM_PAIR_STATE_KEY_ENTRY: 5076 btsnd_hcic_user_passkey_neg_reply(p_cb->pairing_bda); 5077 /* btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); */ 5078 break; 5079#endif /* !BTM_IO_CAP_NONE */ 5080 5081 case BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS: 5082 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) 5083 auth_req |= BTM_AUTH_DD_BOND; 5084 5085 btsnd_hcic_io_cap_req_reply (p_cb->pairing_bda, btm_cb.devcb.loc_io_caps, 5086 BTM_OOB_NONE, auth_req); 5087 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 5088 break; 5089 5090 case BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP: 5091 btsnd_hcic_rem_oob_neg_reply (p_cb->pairing_bda); 5092 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 5093 break; 5094 5095 case BTM_PAIR_STATE_WAIT_DISCONNECT: 5096 /* simple pairing failed. Started a 1-sec timer at simple pairing complete. 5097 * now it's time to tear down the ACL link*/ 5098 if (p_dev_rec == NULL) 5099 { 5100 BTM_TRACE_ERROR("%s BTM_PAIR_STATE_WAIT_DISCONNECT unknown BDA: %08x%04x", 5101 __func__, 5102 (p_cb->pairing_bda[0]<<24) + (p_cb->pairing_bda[1]<<16) + (p_cb->pairing_bda[2]<<8) + p_cb->pairing_bda[3], 5103 (p_cb->pairing_bda[4] << 8) + p_cb->pairing_bda[5]); 5104 break; 5105 } 5106 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE, p_dev_rec->hci_handle); 5107 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 5108 break; 5109 5110 case BTM_PAIR_STATE_WAIT_AUTH_COMPLETE: 5111 case BTM_PAIR_STATE_GET_REM_NAME: 5112 /* We need to notify the UI that timeout has happened while waiting for authentication*/ 5113 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 5114 if (btm_cb.api.p_auth_complete_callback) 5115 { 5116 if (p_dev_rec == NULL) 5117 { 5118 name[0] = 0; 5119 (*btm_cb.api.p_auth_complete_callback) (p_cb->pairing_bda, 5120 NULL, 5121 name, HCI_ERR_CONNECTION_TOUT); 5122 } 5123 else 5124 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, 5125 p_dev_rec->dev_class, 5126 p_dev_rec->sec_bd_name, HCI_ERR_CONNECTION_TOUT); 5127 } 5128 break; 5129 5130 default: 5131 BTM_TRACE_WARNING("%s not processed state: %s", __func__, 5132 btm_pair_state_descr(btm_cb.pairing_state)); 5133 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); 5134 break; 5135 } 5136} 5137 5138/******************************************************************************* 5139** 5140** Function btm_sec_pin_code_request 5141** 5142** Description This function is called when controller requests PIN code 5143** 5144** Returns Pointer to the record or NULL 5145** 5146*******************************************************************************/ 5147void btm_sec_pin_code_request (UINT8 *p_bda) 5148{ 5149 tBTM_SEC_DEV_REC *p_dev_rec; 5150 tBTM_CB *p_cb = &btm_cb; 5151 5152 BTM_TRACE_EVENT ("btm_sec_pin_code_request() State: %s, BDA:%04x%08x", 5153 btm_pair_state_descr(btm_cb.pairing_state), 5154 (p_bda[0]<<8)+p_bda[1], (p_bda[2]<<24)+(p_bda[3]<<16)+(p_bda[4]<<8)+p_bda[5] ); 5155 5156 if (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) 5157 { 5158 if ( (memcmp (p_bda, btm_cb.pairing_bda, BD_ADDR_LEN) == 0) && 5159 (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_AUTH_COMPLETE) ) 5160 { 5161 btsnd_hcic_pin_code_neg_reply (p_bda); 5162 return; 5163 } 5164 else if ((btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_PIN_REQ) 5165 || memcmp (p_bda, btm_cb.pairing_bda, BD_ADDR_LEN) != 0) 5166 { 5167 BTM_TRACE_WARNING ("btm_sec_pin_code_request() rejected - state: %s", 5168 btm_pair_state_descr(btm_cb.pairing_state)); 5169 btsnd_hcic_pin_code_neg_reply (p_bda); 5170 return; 5171 } 5172 } 5173 5174 p_dev_rec = btm_find_or_alloc_dev (p_bda); 5175 /* received PIN code request. must be non-sm4 */ 5176 p_dev_rec->sm4 = BTM_SM4_KNOWN; 5177 5178 if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE) 5179 { 5180 memcpy (btm_cb.pairing_bda, p_bda, BD_ADDR_LEN); 5181 5182 btm_cb.pairing_flags = BTM_PAIR_FLAGS_PEER_STARTED_DD; 5183 /* Make sure we reset the trusted mask to help against attacks */ 5184 BTM_SEC_CLR_TRUSTED_DEVICE(p_dev_rec->trusted_mask); 5185 } 5186 5187 if (!p_cb->pairing_disabled && (p_cb->cfg.pin_type == HCI_PIN_TYPE_FIXED)) 5188 { 5189 BTM_TRACE_EVENT ("btm_sec_pin_code_request fixed pin replying"); 5190 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE); 5191 btsnd_hcic_pin_code_req_reply (p_bda, p_cb->cfg.pin_code_len, p_cb->cfg.pin_code); 5192 return; 5193 } 5194 5195 /* Use the connecting device's CoD for the connection */ 5196 if ( (!memcmp (p_bda, p_cb->connecting_bda, BD_ADDR_LEN)) 5197 && (p_cb->connecting_dc[0] || p_cb->connecting_dc[1] || p_cb->connecting_dc[2]) ) 5198 memcpy (p_dev_rec->dev_class, p_cb->connecting_dc, DEV_CLASS_LEN); 5199 5200 /* We could have started connection after asking user for the PIN code */ 5201 if (btm_cb.pin_code_len != 0) 5202 { 5203 BTM_TRACE_EVENT ("btm_sec_pin_code_request bonding sending reply"); 5204 btsnd_hcic_pin_code_req_reply (p_bda, btm_cb.pin_code_len, p_cb->pin_code); 5205 5206 /* Mark that we forwarded received from the user PIN code */ 5207 btm_cb.pin_code_len = 0; 5208 5209 /* We can change mode back right away, that other connection being established */ 5210 /* is not forced to be secure - found a FW issue, so we can not do this 5211 btm_restore_mode(); */ 5212 5213 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE); 5214 } 5215 5216 /* If pairing disabled OR (no PIN callback and not bonding) */ 5217 /* OR we could not allocate entry in the database reject pairing request */ 5218 else if (p_cb->pairing_disabled 5219 || (p_cb->api.p_pin_callback == NULL) 5220 5221 /* OR Microsoft keyboard can for some reason try to establish connection */ 5222 /* the only thing we can do here is to shut it up. Normally we will be originator */ 5223 /* for keyboard bonding */ 5224 || (!p_dev_rec->is_originator 5225 && ((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) == BTM_COD_MAJOR_PERIPHERAL) 5226 && (p_dev_rec->dev_class[2] & BTM_COD_MINOR_KEYBOARD)) ) 5227 { 5228 BTM_TRACE_WARNING("btm_sec_pin_code_request(): Pairing disabled:%d; PIN callback:%x, Dev Rec:%x!", 5229 p_cb->pairing_disabled, p_cb->api.p_pin_callback, p_dev_rec); 5230 5231 btsnd_hcic_pin_code_neg_reply (p_bda); 5232 } 5233 /* Notify upper layer of PIN request and start expiration timer */ 5234 else 5235 { 5236 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_PIN); 5237 /* Pin code request can not come at the same time as connection request */ 5238 memcpy (p_cb->connecting_bda, p_bda, BD_ADDR_LEN); 5239 memcpy (p_cb->connecting_dc, p_dev_rec->dev_class, DEV_CLASS_LEN); 5240 5241 /* Check if the name is known */ 5242 /* Even if name is not known we might not be able to get one */ 5243 /* this is the case when we are already getting something from the */ 5244 /* device, so HCI level is flow controlled */ 5245 /* Also cannot send remote name request while paging, i.e. connection is not completed */ 5246 if (p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN) 5247 { 5248 BTM_TRACE_EVENT ("btm_sec_pin_code_request going for callback"); 5249 5250 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD; 5251 if (p_cb->api.p_pin_callback) { 5252 (*p_cb->api.p_pin_callback) (p_bda, p_dev_rec->dev_class, p_dev_rec->sec_bd_name, 5253 (p_dev_rec->p_cur_service == NULL) ? FALSE 5254 : (p_dev_rec->p_cur_service->security_flags 5255 & BTM_SEC_IN_MIN_16_DIGIT_PIN)); 5256 } 5257 } 5258 else 5259 { 5260 BTM_TRACE_EVENT ("btm_sec_pin_code_request going for remote name"); 5261 5262 /* We received PIN code request for the device with unknown name */ 5263 /* it is not user friendly just to ask for the PIN without name */ 5264 /* try to get name at first */ 5265 if (!btsnd_hcic_rmt_name_req (p_dev_rec->bd_addr, 5266 HCI_PAGE_SCAN_REP_MODE_R1, 5267 HCI_MANDATARY_PAGE_SCAN_MODE, 0)) 5268 { 5269 p_dev_rec->sec_flags |= BTM_SEC_NAME_KNOWN; 5270 p_dev_rec->sec_bd_name[0] = 'f'; 5271 p_dev_rec->sec_bd_name[1] = '0'; 5272 BTM_TRACE_ERROR ("can not send rmt_name_req?? fake a name and call callback"); 5273 5274 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD; 5275 if (p_cb->api.p_pin_callback) 5276 (*p_cb->api.p_pin_callback) (p_bda, p_dev_rec->dev_class, 5277 p_dev_rec->sec_bd_name, (p_dev_rec->p_cur_service == NULL) ? FALSE 5278 : (p_dev_rec->p_cur_service->security_flags 5279 & BTM_SEC_IN_MIN_16_DIGIT_PIN)); 5280 } 5281 } 5282 } 5283 5284 return; 5285} 5286 5287/******************************************************************************* 5288** 5289** Function btm_sec_update_clock_offset 5290** 5291** Description This function is called to update clock offset 5292** 5293** Returns void 5294** 5295*******************************************************************************/ 5296void btm_sec_update_clock_offset (UINT16 handle, UINT16 clock_offset) 5297{ 5298 tBTM_SEC_DEV_REC *p_dev_rec; 5299 tBTM_INQ_INFO *p_inq_info; 5300 5301 if ((p_dev_rec = btm_find_dev_by_handle (handle)) == NULL) 5302 return; 5303 5304 p_dev_rec->clock_offset = clock_offset | BTM_CLOCK_OFFSET_VALID; 5305 5306 if ((p_inq_info = BTM_InqDbRead(p_dev_rec->bd_addr)) == NULL) 5307 return; 5308 5309 p_inq_info->results.clock_offset = clock_offset | BTM_CLOCK_OFFSET_VALID; 5310} 5311 5312/****************************************************************** 5313** S T A T I C F U N C T I O N S 5314*******************************************************************/ 5315 5316/******************************************************************************* 5317** 5318** Function btm_sec_execute_procedure 5319** 5320** Description This function is called to start required security 5321** procedure. There is a case when multiplexing protocol 5322** calls this function on the originating side, connection to 5323** the peer will not be established. This function in this 5324** case performs only authorization. 5325** 5326** Returns BTM_SUCCESS - permission is granted 5327** BTM_CMD_STARTED - in process 5328** BTM_NO_RESOURCES - permission declined 5329** 5330*******************************************************************************/ 5331static tBTM_STATUS btm_sec_execute_procedure (tBTM_SEC_DEV_REC *p_dev_rec) 5332{ 5333 BTM_TRACE_EVENT ("btm_sec_execute_procedure: Required:0x%x Flags:0x%x State:%d", 5334 p_dev_rec->security_required, p_dev_rec->sec_flags, p_dev_rec->sec_state); 5335 5336 /* There is a chance that we are getting name. Wait until done. */ 5337 if (p_dev_rec->sec_state != 0) 5338 return(BTM_CMD_STARTED); 5339 5340 /* If any security is required, get the name first */ 5341 if (!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN) 5342 && (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)) 5343 { 5344 BTM_TRACE_EVENT ("Security Manager: Start get name"); 5345 if (!btm_sec_start_get_name (p_dev_rec)) 5346 { 5347 return(BTM_NO_RESOURCES); 5348 } 5349 return(BTM_CMD_STARTED); 5350 } 5351 5352 /* If connection is not authenticated and authentication is required */ 5353 /* start authentication and return PENDING to the caller */ 5354 if ((((!(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)) 5355 && (( p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE)) 5356 || (!p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_IN_AUTHENTICATE)))) 5357 || (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED) 5358 && (!p_dev_rec->is_originator 5359 && (p_dev_rec->security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN)))) 5360 && (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)) 5361 { 5362 /* 5363 * We rely on BTM_SEC_16_DIGIT_PIN_AUTHED being set if MITM is in use, 5364 * as 16 DIGIT is only needed if MITM is not used. Unfortunately, the 5365 * BTM_SEC_AUTHENTICATED is used for both MITM and non-MITM 5366 * authenticated connections, hence we cannot distinguish here. 5367 */ 5368 5369#if (L2CAP_UCD_INCLUDED == TRUE) 5370 /* if incoming UCD packet, discard it */ 5371 if ( !p_dev_rec->is_originator && (p_dev_rec->is_ucd == TRUE )) 5372 return(BTM_FAILED_ON_SECURITY); 5373#endif 5374 5375 BTM_TRACE_EVENT ("Security Manager: Start authentication"); 5376 5377 /* 5378 * If we do have a link-key, but we end up here because we need an 5379 * upgrade, then clear the link-key known and authenticated flag before 5380 * restarting authentication. 5381 * WARNING: If the controller has link-key, it is optional and 5382 * recommended for the controller to send a Link_Key_Request. 5383 * In case we need an upgrade, the only alternative would be to delete 5384 * the existing link-key. That could lead to very bad user experience 5385 * or even IOP issues, if a reconnect causes a new connection that 5386 * requires an upgrade. 5387 */ 5388 if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) 5389 && (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED) 5390 && (!p_dev_rec->is_originator && (p_dev_rec->security_required 5391 & BTM_SEC_IN_MIN_16_DIGIT_PIN)))) { 5392 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED 5393 | BTM_SEC_AUTHENTICATED); 5394 } 5395 5396 if (!btm_sec_start_authentication (p_dev_rec)) 5397 { 5398 return(BTM_NO_RESOURCES); 5399 } 5400 return(BTM_CMD_STARTED); 5401 } 5402 5403 /* If connection is not encrypted and encryption is required */ 5404 /* start encryption and return PENDING to the caller */ 5405 if (!(p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED) 5406 && (( p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_OUT_ENCRYPT)) 5407 || (!p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_IN_ENCRYPT))) 5408 && (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)) 5409 { 5410#if (L2CAP_UCD_INCLUDED == TRUE) 5411 /* if incoming UCD packet, discard it */ 5412 if ( !p_dev_rec->is_originator && (p_dev_rec->is_ucd == TRUE )) 5413 return(BTM_FAILED_ON_SECURITY); 5414#endif 5415 5416 BTM_TRACE_EVENT ("Security Manager: Start encryption"); 5417 5418 if (!btm_sec_start_encryption (p_dev_rec)) 5419 { 5420 return(BTM_NO_RESOURCES); 5421 } 5422 return(BTM_CMD_STARTED); 5423 } 5424 5425 if ((p_dev_rec->security_required & BTM_SEC_MODE4_LEVEL4) && 5426 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256)) 5427 { 5428 BTM_TRACE_EVENT("%s: Security Manager: SC only service, but link key type is 0x%02x -", 5429 "security failure", __FUNCTION__, p_dev_rec->link_key_type); 5430 return (BTM_FAILED_ON_SECURITY); 5431 } 5432 5433 /* If connection is not authorized and authorization is required */ 5434 /* start authorization and return PENDING to the caller */ 5435 if (!(p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED) 5436 && (( p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_OUT_AUTHORIZE)) 5437 || (!p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_IN_AUTHORIZE)))) 5438 { 5439 BTM_TRACE_EVENT ("service id:%d, is trusted:%d", 5440 p_dev_rec->p_cur_service->service_id, 5441 (BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask, 5442 p_dev_rec->p_cur_service->service_id))); 5443 if ((btm_sec_are_all_trusted(p_dev_rec->trusted_mask) == FALSE) && 5444 (p_dev_rec->p_cur_service->service_id < BTM_SEC_MAX_SERVICES) && 5445 (BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask, 5446 p_dev_rec->p_cur_service->service_id) == FALSE)) 5447 { 5448 BTM_TRACE_EVENT ("Security Manager: Start authorization"); 5449 return(btm_sec_start_authorization (p_dev_rec)); 5450 } 5451 } 5452 5453 /* All required security procedures already established */ 5454 p_dev_rec->security_required &= ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_IN_AUTHORIZE | 5455 BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_IN_AUTHENTICATE | 5456 BTM_SEC_OUT_ENCRYPT | BTM_SEC_IN_ENCRYPT | 5457 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | 5458 BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE); 5459 5460 BTM_TRACE_EVENT ("Security Manager: trusted:0x%04x%04x", p_dev_rec->trusted_mask[1], p_dev_rec->trusted_mask[0]); 5461 BTM_TRACE_EVENT ("Security Manager: access granted"); 5462 5463 return(BTM_SUCCESS); 5464} 5465 5466/******************************************************************************* 5467** 5468** Function btm_sec_start_get_name 5469** 5470** Description This function is called to start get name procedure 5471** 5472** Returns TRUE if started 5473** 5474*******************************************************************************/ 5475static BOOLEAN btm_sec_start_get_name (tBTM_SEC_DEV_REC *p_dev_rec) 5476{ 5477 UINT8 tempstate = p_dev_rec->sec_state; 5478 5479 p_dev_rec->sec_state = BTM_SEC_STATE_GETTING_NAME; 5480 5481 /* Device should be connected, no need to provide correct page params */ 5482 /* 0 and NULL are as timeout and callback params because they are not used in security get name case */ 5483 if ((btm_initiate_rem_name (p_dev_rec->bd_addr, NULL, BTM_RMT_NAME_SEC, 5484 0, NULL)) != BTM_CMD_STARTED) 5485 { 5486 p_dev_rec->sec_state = tempstate; 5487 return(FALSE); 5488 } 5489 5490 return(TRUE); 5491} 5492 5493/******************************************************************************* 5494** 5495** Function btm_sec_start_authentication 5496** 5497** Description This function is called to start authentication 5498** 5499** Returns TRUE if started 5500** 5501*******************************************************************************/ 5502static BOOLEAN btm_sec_start_authentication (tBTM_SEC_DEV_REC *p_dev_rec) 5503{ 5504 p_dev_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING; 5505 5506 return(btsnd_hcic_auth_request (p_dev_rec->hci_handle)); 5507} 5508 5509/******************************************************************************* 5510** 5511** Function btm_sec_start_encryption 5512** 5513** Description This function is called to start encryption 5514** 5515** Returns TRUE if started 5516** 5517*******************************************************************************/ 5518static BOOLEAN btm_sec_start_encryption (tBTM_SEC_DEV_REC *p_dev_rec) 5519{ 5520 if (!btsnd_hcic_set_conn_encrypt (p_dev_rec->hci_handle, TRUE)) 5521 return(FALSE); 5522 5523 p_dev_rec->sec_state = BTM_SEC_STATE_ENCRYPTING; 5524 return(TRUE); 5525} 5526 5527/******************************************************************************* 5528** 5529** Function btm_sec_start_authorization 5530** 5531** Description This function is called to start authorization 5532** 5533** Returns TRUE if started 5534** 5535*******************************************************************************/ 5536static UINT8 btm_sec_start_authorization (tBTM_SEC_DEV_REC *p_dev_rec) 5537{ 5538 UINT8 result; 5539 UINT8 *p_service_name = NULL; 5540 UINT8 service_id; 5541 5542 if ((p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN) 5543 || (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE)) 5544 { 5545 if (!btm_cb.api.p_authorize_callback) 5546 return(BTM_MODE_UNSUPPORTED); 5547 5548 if (p_dev_rec->p_cur_service) 5549 { 5550#if BTM_SEC_SERVICE_NAME_LEN > 0 5551 if (p_dev_rec->is_originator) 5552 p_service_name = p_dev_rec->p_cur_service->orig_service_name; 5553 else 5554 p_service_name = p_dev_rec->p_cur_service->term_service_name; 5555#endif 5556 service_id = p_dev_rec->p_cur_service->service_id; 5557 } 5558 else 5559 service_id = 0; 5560 5561 /* Send authorization request if not already sent during this service connection */ 5562 if (p_dev_rec->last_author_service_id == BTM_SEC_NO_LAST_SERVICE_ID 5563 || p_dev_rec->last_author_service_id != service_id) 5564 { 5565 p_dev_rec->sec_state = BTM_SEC_STATE_AUTHORIZING; 5566 result = (*btm_cb.api.p_authorize_callback) (p_dev_rec->bd_addr, 5567 p_dev_rec->dev_class, 5568 p_dev_rec->sec_bd_name, 5569 p_service_name, 5570 service_id, 5571 p_dev_rec->is_originator); 5572 } 5573 5574 else /* Already authorized once for this L2CAP bringup */ 5575 { 5576 BTM_TRACE_DEBUG ("btm_sec_start_authorization: (Ignoring extra Authorization prompt for service %d)", service_id); 5577 return (BTM_SUCCESS); 5578 } 5579 5580 if (result == BTM_SUCCESS) 5581 { 5582 p_dev_rec->sec_flags |= BTM_SEC_AUTHORIZED; 5583 5584 /* Save the currently authorized service in case we are asked again by another multiplexer layer */ 5585 if (!p_dev_rec->is_originator) 5586 p_dev_rec->last_author_service_id = service_id; 5587 5588 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE; 5589 } 5590 return(result); 5591 } 5592 btm_sec_start_get_name (p_dev_rec); 5593 return(BTM_CMD_STARTED); 5594} 5595 5596/******************************************************************************* 5597** 5598** Function btm_sec_are_all_trusted 5599** 5600** Description This function is called check if all services are trusted 5601** 5602** Returns TRUE if all are trusted, otherwise FALSE 5603** 5604*******************************************************************************/ 5605BOOLEAN btm_sec_are_all_trusted(UINT32 p_mask[]) 5606{ 5607 UINT32 trusted_inx; 5608 for (trusted_inx = 0; trusted_inx < BTM_SEC_SERVICE_ARRAY_SIZE; trusted_inx++) 5609 { 5610 if (p_mask[trusted_inx] != BTM_SEC_TRUST_ALL) 5611 return(FALSE); 5612 } 5613 5614 return(TRUE); 5615} 5616 5617/******************************************************************************* 5618** 5619** Function btm_sec_find_first_serv 5620** 5621** Description Look for the first record in the service database 5622** with specified PSM 5623** 5624** Returns Pointer to the record or NULL 5625** 5626*******************************************************************************/ 5627tBTM_SEC_SERV_REC *btm_sec_find_first_serv (CONNECTION_TYPE conn_type, UINT16 psm) 5628{ 5629 tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0]; 5630 int i; 5631 BOOLEAN is_originator; 5632 5633#if (L2CAP_UCD_INCLUDED == TRUE) 5634 5635 if ( conn_type & CONNECTION_TYPE_ORIG_MASK ) 5636 is_originator = TRUE; 5637 else 5638 is_originator = FALSE; 5639#else 5640 is_originator = conn_type; 5641#endif 5642 5643 if (is_originator && btm_cb.p_out_serv && btm_cb.p_out_serv->psm == psm) 5644 { 5645 /* If this is outgoing connection and the PSM matches p_out_serv, 5646 * use it as the current service */ 5647 return btm_cb.p_out_serv; 5648 } 5649 5650 /* otherwise, just find the first record with the specified PSM */ 5651 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++) 5652 { 5653 if ( (p_serv_rec->security_flags & BTM_SEC_IN_USE) && (p_serv_rec->psm == psm) ) 5654 return(p_serv_rec); 5655 } 5656 return(NULL); 5657} 5658 5659/******************************************************************************* 5660** 5661** Function btm_sec_find_next_serv 5662** 5663** Description Look for the next record in the service database 5664** with specified PSM 5665** 5666** Returns Pointer to the record or NULL 5667** 5668*******************************************************************************/ 5669static tBTM_SEC_SERV_REC *btm_sec_find_next_serv (tBTM_SEC_SERV_REC *p_cur) 5670{ 5671 tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0]; 5672 int i; 5673 5674 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++) 5675 { 5676 if ((p_serv_rec->security_flags & BTM_SEC_IN_USE) 5677 && (p_serv_rec->psm == p_cur->psm) ) 5678 { 5679 if (p_cur != p_serv_rec) 5680 { 5681 return(p_serv_rec); 5682 } 5683 } 5684 } 5685 return(NULL); 5686} 5687 5688/******************************************************************************* 5689** 5690** Function btm_sec_find_mx_serv 5691** 5692** Description Look for the record in the service database with specified 5693** PSM and multiplexor channel information 5694** 5695** Returns Pointer to the record or NULL 5696** 5697*******************************************************************************/ 5698static tBTM_SEC_SERV_REC *btm_sec_find_mx_serv (UINT8 is_originator, UINT16 psm, 5699 UINT32 mx_proto_id, UINT32 mx_chan_id) 5700{ 5701 tBTM_SEC_SERV_REC *p_out_serv = btm_cb.p_out_serv; 5702 tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0]; 5703 int i; 5704 5705 BTM_TRACE_DEBUG ("%s()", __func__); 5706 if (is_originator && p_out_serv && p_out_serv->psm == psm 5707 && p_out_serv->mx_proto_id == mx_proto_id 5708 && p_out_serv->orig_mx_chan_id == mx_chan_id) 5709 { 5710 /* If this is outgoing connection and the parameters match p_out_serv, 5711 * use it as the current service */ 5712 return btm_cb.p_out_serv; 5713 } 5714 5715 /* otherwise, the old way */ 5716 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++) 5717 { 5718 if ((p_serv_rec->security_flags & BTM_SEC_IN_USE) 5719 && (p_serv_rec->psm == psm) 5720 && (p_serv_rec->mx_proto_id == mx_proto_id) 5721 && (( is_originator && (p_serv_rec->orig_mx_chan_id == mx_chan_id)) 5722 || (!is_originator && (p_serv_rec->term_mx_chan_id == mx_chan_id)))) 5723 { 5724 return(p_serv_rec); 5725 } 5726 } 5727 return(NULL); 5728} 5729 5730/******************************************************************************* 5731** 5732** Function btm_sec_collision_timeout 5733** 5734** Description Encryption could not start because of the collision 5735** try to do it again 5736** 5737** Returns Pointer to the TLE struct 5738** 5739*******************************************************************************/ 5740static void btm_sec_collision_timeout(UNUSED_ATTR void *data) 5741{ 5742 BTM_TRACE_EVENT ("%s()", __func__); 5743 5744 tBTM_STATUS status = btm_sec_execute_procedure (btm_cb.p_collided_dev_rec); 5745 5746 /* If result is pending reply from the user or from the device is pending */ 5747 if (status != BTM_CMD_STARTED) 5748 { 5749 /* There is no next procedure or start of procedure failed, notify the waiting layer */ 5750 btm_sec_dev_rec_cback_event (btm_cb.p_collided_dev_rec, status, FALSE); 5751 } 5752} 5753 5754/******************************************************************************* 5755** 5756** Function btm_sec_link_key_request 5757** 5758** Description This function is called when controller requests link key 5759** 5760** Returns Pointer to the record or NULL 5761** 5762*******************************************************************************/ 5763static void btm_send_link_key_notif (tBTM_SEC_DEV_REC *p_dev_rec) 5764{ 5765 if (btm_cb.api.p_link_key_callback) 5766 (*btm_cb.api.p_link_key_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class, 5767 p_dev_rec->sec_bd_name, p_dev_rec->link_key, 5768 p_dev_rec->link_key_type); 5769} 5770 5771/******************************************************************************* 5772** 5773** Function BTM_ReadTrustedMask 5774** 5775** Description Get trusted mask for the peer device 5776** 5777** Parameters: bd_addr - Address of the device 5778** 5779** Returns NULL, if the device record is not found. 5780** otherwise, the trusted mask 5781** 5782*******************************************************************************/ 5783UINT32 * BTM_ReadTrustedMask (BD_ADDR bd_addr) 5784{ 5785 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr); 5786 if (p_dev_rec != NULL) 5787 return(p_dev_rec->trusted_mask); 5788 return NULL; 5789} 5790 5791/******************************************************************************* 5792** 5793** Function btm_restore_mode 5794** 5795** Description This function returns the security mode to previous setting 5796** if it was changed during bonding. 5797** 5798** 5799** Parameters: void 5800** 5801*******************************************************************************/ 5802static void btm_restore_mode(void) 5803{ 5804 if (btm_cb.security_mode_changed) 5805 { 5806 btm_cb.security_mode_changed = FALSE; 5807 BTM_TRACE_DEBUG("%s() Auth enable -> %d", __func__, (btm_cb.security_mode == BTM_SEC_MODE_LINK)); 5808 btsnd_hcic_write_auth_enable ((UINT8)(btm_cb.security_mode == BTM_SEC_MODE_LINK)); 5809 } 5810 5811 if (btm_cb.pin_type_changed) 5812 { 5813 btm_cb.pin_type_changed = FALSE; 5814 btsnd_hcic_write_pin_type (btm_cb.cfg.pin_type); 5815 } 5816} 5817 5818 5819bool is_sec_state_equal(void *data, void *context) 5820{ 5821 tBTM_SEC_DEV_REC *p_dev_rec = data; 5822 UINT8 *state = context; 5823 5824 if (p_dev_rec->sec_state == *state) 5825 return false; 5826 5827 return true; 5828} 5829 5830/******************************************************************************* 5831** 5832** Function btm_sec_find_dev_by_sec_state 5833** 5834** Description Look for the record in the device database for the device 5835** which is being authenticated or encrypted 5836** 5837** Returns Pointer to the record or NULL 5838** 5839*******************************************************************************/ 5840tBTM_SEC_DEV_REC *btm_sec_find_dev_by_sec_state (UINT8 state) 5841{ 5842 list_node_t *n = list_foreach(btm_cb.sec_dev_rec, is_sec_state_equal, &state); 5843 if (n) 5844 return list_node(n); 5845 5846 return NULL; 5847} 5848 5849/******************************************************************************* 5850** 5851** Function btm_sec_change_pairing_state 5852** 5853** Description This function is called to change pairing state 5854** 5855*******************************************************************************/ 5856static void btm_sec_change_pairing_state (tBTM_PAIRING_STATE new_state) 5857{ 5858 tBTM_PAIRING_STATE old_state = btm_cb.pairing_state; 5859 5860 BTM_TRACE_EVENT ("%s() Old: %s", __func__, btm_pair_state_descr(btm_cb.pairing_state)); 5861 BTM_TRACE_EVENT ("%s() New: %s pairing_flags:0x%x", __func__, 5862 btm_pair_state_descr(new_state), btm_cb.pairing_flags); 5863 5864 btm_cb.pairing_state = new_state; 5865 5866 if (new_state == BTM_PAIR_STATE_IDLE) 5867 { 5868 alarm_cancel(btm_cb.pairing_timer); 5869 5870 btm_cb.pairing_flags = 0; 5871 btm_cb.pin_code_len = 0; 5872 5873 /* Make sure the the lcb shows we are not bonding */ 5874 l2cu_update_lcb_4_bonding (btm_cb.pairing_bda, FALSE); 5875 5876 btm_restore_mode(); 5877 btm_sec_check_pending_reqs(); 5878 btm_inq_clear_ssp(); 5879 5880 memset (btm_cb.pairing_bda, 0xFF, BD_ADDR_LEN); 5881 } 5882 else 5883 { 5884 /* If transitioning out of idle, mark the lcb as bonding */ 5885 if (old_state == BTM_PAIR_STATE_IDLE) 5886 l2cu_update_lcb_4_bonding (btm_cb.pairing_bda, TRUE); 5887 5888 alarm_set_on_queue(btm_cb.pairing_timer, 5889 BTM_SEC_TIMEOUT_VALUE * 1000, 5890 btm_sec_pairing_timeout, NULL, 5891 btu_general_alarm_queue); 5892 } 5893} 5894 5895/******************************************************************************* 5896** 5897** Function btm_pair_state_descr 5898** 5899** Description Return state description for tracing 5900** 5901*******************************************************************************/ 5902#if (BT_USE_TRACES == TRUE) 5903static char *btm_pair_state_descr (tBTM_PAIRING_STATE state) 5904{ 5905#if (BT_TRACE_VERBOSE == TRUE) 5906 switch (state) 5907 { 5908 case BTM_PAIR_STATE_IDLE: return("IDLE"); 5909 case BTM_PAIR_STATE_GET_REM_NAME: return("GET_REM_NAME"); 5910 case BTM_PAIR_STATE_WAIT_PIN_REQ: return("WAIT_PIN_REQ"); 5911 case BTM_PAIR_STATE_WAIT_LOCAL_PIN: return("WAIT_LOCAL_PIN"); 5912 case BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM: return("WAIT_NUM_CONFIRM"); 5913 case BTM_PAIR_STATE_KEY_ENTRY: return("KEY_ENTRY"); 5914 case BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP: return("WAIT_LOCAL_OOB_RSP"); 5915 case BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS: return("WAIT_LOCAL_IOCAPS"); 5916 case BTM_PAIR_STATE_INCOMING_SSP: return("INCOMING_SSP"); 5917 case BTM_PAIR_STATE_WAIT_AUTH_COMPLETE: return("WAIT_AUTH_COMPLETE"); 5918 case BTM_PAIR_STATE_WAIT_DISCONNECT: return("WAIT_DISCONNECT"); 5919 } 5920 5921 return("???"); 5922#else 5923 sprintf(btm_cb.state_temp_buffer,"%hhu",state); 5924 5925 return(btm_cb.state_temp_buffer); 5926#endif 5927} 5928#endif 5929 5930/******************************************************************************* 5931** 5932** Function btm_sec_dev_rec_cback_event 5933** 5934** Description This function calls the callback function with the given 5935** result and clear the callback function. 5936** 5937** Parameters: void 5938** 5939*******************************************************************************/ 5940void btm_sec_dev_rec_cback_event (tBTM_SEC_DEV_REC *p_dev_rec, UINT8 res, BOOLEAN is_le_transport) 5941{ 5942 tBTM_SEC_CALLBACK *p_callback = p_dev_rec->p_callback; 5943 5944 if (p_dev_rec->p_callback) 5945 { 5946 p_dev_rec->p_callback = NULL; 5947 5948#if BLE_INCLUDED == TRUE 5949 if (is_le_transport) 5950 (*p_callback) (p_dev_rec->ble.pseudo_addr, BT_TRANSPORT_LE, p_dev_rec->p_ref_data, res); 5951 else 5952#endif 5953 (*p_callback) (p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR, p_dev_rec->p_ref_data, res); 5954 } 5955 5956 btm_sec_check_pending_reqs(); 5957} 5958 5959/******************************************************************************* 5960** 5961** Function btm_sec_queue_mx_request 5962** 5963** Description Return state description for tracing 5964** 5965*******************************************************************************/ 5966static BOOLEAN btm_sec_queue_mx_request (BD_ADDR bd_addr, UINT16 psm, BOOLEAN is_orig, 5967 UINT32 mx_proto_id, UINT32 mx_chan_id, 5968 tBTM_SEC_CALLBACK *p_callback, void *p_ref_data) 5969{ 5970 tBTM_SEC_QUEUE_ENTRY *p_e = (tBTM_SEC_QUEUE_ENTRY *)osi_malloc(sizeof(tBTM_SEC_QUEUE_ENTRY)); 5971 5972 p_e->psm = psm; 5973 p_e->is_orig = is_orig; 5974 p_e->p_callback = p_callback; 5975 p_e->p_ref_data = p_ref_data; 5976 p_e->mx_proto_id = mx_proto_id; 5977 p_e->mx_chan_id = mx_chan_id; 5978 p_e->transport = BT_TRANSPORT_BR_EDR; 5979 p_e->sec_act = 0; 5980 5981 memcpy(p_e->bd_addr, bd_addr, BD_ADDR_LEN); 5982 5983 BTM_TRACE_EVENT("%s() PSM: 0x%04x Is_Orig: %u mx_proto_id: %u mx_chan_id: %u", 5984 __func__, psm, is_orig, mx_proto_id, mx_chan_id); 5985 5986 fixed_queue_enqueue(btm_cb.sec_pending_q, p_e); 5987 5988 return TRUE; 5989} 5990 5991static BOOLEAN btm_sec_check_prefetch_pin (tBTM_SEC_DEV_REC *p_dev_rec) 5992{ 5993 UINT8 major = (UINT8)(p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK); 5994 UINT8 minor = (UINT8)(p_dev_rec->dev_class[2] & BTM_COD_MINOR_CLASS_MASK); 5995 BOOLEAN rv = FALSE; 5996 5997 if ((major == BTM_COD_MAJOR_AUDIO) 5998 && ((minor == BTM_COD_MINOR_CONFM_HANDSFREE) || (minor == BTM_COD_MINOR_CAR_AUDIO)) ) 5999 { 6000 BTM_TRACE_EVENT ("%s() Skipping pre-fetch PIN for carkit COD Major: 0x%02x Minor: 0x%02x", 6001 __func__, major, minor); 6002 6003 if (btm_cb.security_mode_changed == FALSE) 6004 { 6005 btm_cb.security_mode_changed = TRUE; 6006#ifdef APPL_AUTH_WRITE_EXCEPTION 6007 if(!(APPL_AUTH_WRITE_EXCEPTION)(p_dev_rec->bd_addr)) 6008#endif 6009 btsnd_hcic_write_auth_enable (TRUE); 6010 } 6011 } 6012 else 6013 { 6014 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_PIN); 6015 6016 /* If we got a PIN, use that, else try to get one */ 6017 if (btm_cb.pin_code_len) 6018 { 6019 BTM_PINCodeReply (p_dev_rec->bd_addr, BTM_SUCCESS, btm_cb.pin_code_len, btm_cb.pin_code, p_dev_rec->trusted_mask); 6020 } 6021 else 6022 { 6023 /* pin was not supplied - pre-fetch pin code now */ 6024 if (btm_cb.api.p_pin_callback && ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PIN_REQD) == 0)) 6025 { 6026 BTM_TRACE_DEBUG("%s() PIN code callback called", __func__); 6027 if (btm_bda_to_acl(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR) == NULL) 6028 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD; 6029 (btm_cb.api.p_pin_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class, 6030 p_dev_rec->sec_bd_name, (p_dev_rec->p_cur_service == NULL) ? FALSE 6031 : (p_dev_rec->p_cur_service->security_flags 6032 & BTM_SEC_IN_MIN_16_DIGIT_PIN)); 6033 } 6034 } 6035 6036 rv = TRUE; 6037 } 6038 6039 return rv; 6040} 6041 6042/******************************************************************************* 6043** 6044** Function btm_sec_auth_payload_tout 6045** 6046** Description Processes the HCI Autheniticated Payload Timeout Event 6047** indicating that a packet containing a valid MIC on the 6048** connection handle was not received within the programmed 6049** timeout value. (Spec Default is 30 secs, but can be 6050** changed via the BTM_SecSetAuthPayloadTimeout() function. 6051** 6052*******************************************************************************/ 6053void btm_sec_auth_payload_tout (UINT8 *p, UINT16 hci_evt_len) 6054{ 6055 UINT16 handle; 6056 6057 STREAM_TO_UINT16 (handle, p); 6058 handle = HCID_GET_HANDLE (handle); 6059 6060 /* Will be exposed to upper layers in the future if/when determined necessary */ 6061 BTM_TRACE_ERROR ("%s on handle 0x%02x", __func__, handle); 6062} 6063 6064/******************************************************************************* 6065** 6066** Function btm_sec_queue_encrypt_request 6067** 6068** Description encqueue encryption request when device has active security 6069** process pending. 6070** 6071*******************************************************************************/ 6072static BOOLEAN btm_sec_queue_encrypt_request (BD_ADDR bd_addr, tBT_TRANSPORT transport, 6073 tBTM_SEC_CALLBACK *p_callback, void *p_ref_data, 6074 tBTM_BLE_SEC_ACT sec_act) 6075{ 6076 tBTM_SEC_QUEUE_ENTRY *p_e = 6077 (tBTM_SEC_QUEUE_ENTRY *)osi_malloc(sizeof(tBTM_SEC_QUEUE_ENTRY) + 1); 6078 6079 p_e->psm = 0; /* if PSM 0, encryption request */ 6080 p_e->p_callback = p_callback; 6081 p_e->p_ref_data = p_ref_data; 6082 p_e->transport = transport; 6083 p_e->sec_act = sec_act; 6084 memcpy(p_e->bd_addr, bd_addr, BD_ADDR_LEN); 6085 fixed_queue_enqueue(btm_cb.sec_pending_q, p_e); 6086 6087 return TRUE; 6088} 6089 6090/******************************************************************************* 6091** 6092** Function btm_sec_set_peer_sec_caps 6093** 6094** Description This function is called to set sm4 and rmt_sec_caps fields 6095** based on the available peer device features. 6096** 6097** Returns void 6098** 6099*******************************************************************************/ 6100void btm_sec_set_peer_sec_caps(tACL_CONN *p_acl_cb, tBTM_SEC_DEV_REC *p_dev_rec) 6101{ 6102 BD_ADDR rem_bd_addr; 6103 UINT8 *p_rem_bd_addr; 6104 6105 if ((btm_cb.security_mode == BTM_SEC_MODE_SP || 6106 btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG || 6107 btm_cb.security_mode == BTM_SEC_MODE_SC) && 6108 HCI_SSP_HOST_SUPPORTED(p_acl_cb->peer_lmp_features[HCI_EXT_FEATURES_PAGE_1])) 6109 { 6110 p_dev_rec->sm4 = BTM_SM4_TRUE; 6111 p_dev_rec->remote_supports_secure_connections = 6112 (HCI_SC_HOST_SUPPORTED(p_acl_cb->peer_lmp_features[HCI_EXT_FEATURES_PAGE_1])); 6113 } 6114 else 6115 { 6116 p_dev_rec->sm4 = BTM_SM4_KNOWN; 6117 p_dev_rec->remote_supports_secure_connections = FALSE; 6118 } 6119 6120 BTM_TRACE_API("%s: sm4: 0x%02x, rmt_support_for_secure_connections %d", __FUNCTION__, 6121 p_dev_rec->sm4, p_dev_rec->remote_supports_secure_connections); 6122 6123 if (p_dev_rec->remote_features_needed) 6124 { 6125 BTM_TRACE_EVENT("%s: Now device in SC Only mode, waiting for peer remote features!", 6126 __FUNCTION__); 6127 p_rem_bd_addr = (UINT8*) rem_bd_addr; 6128 BDADDR_TO_STREAM(p_rem_bd_addr, p_dev_rec->bd_addr); 6129 p_rem_bd_addr = (UINT8*) rem_bd_addr; 6130 btm_io_capabilities_req(p_rem_bd_addr); 6131 p_dev_rec->remote_features_needed = FALSE; 6132 } 6133} 6134 6135/******************************************************************************* 6136** 6137** Function btm_sec_is_serv_level0 6138** 6139** Description This function is called to check if the service corresponding 6140** to PSM is security mode 4 level 0 service. 6141** 6142** Returns TRUE if the service is security mode 4 level 0 service 6143** 6144*******************************************************************************/ 6145static BOOLEAN btm_sec_is_serv_level0(UINT16 psm) 6146{ 6147 if (psm == BT_PSM_SDP) 6148 { 6149 BTM_TRACE_DEBUG("%s: PSM: 0x%04x -> mode 4 level 0 service", __FUNCTION__, psm); 6150 return TRUE; 6151 } 6152 return FALSE; 6153} 6154 6155/******************************************************************************* 6156** 6157** Function btm_sec_check_pending_enc_req 6158** 6159** Description This function is called to send pending encryption callback if 6160** waiting 6161** 6162** Returns void 6163** 6164*******************************************************************************/ 6165static void btm_sec_check_pending_enc_req (tBTM_SEC_DEV_REC *p_dev_rec, tBT_TRANSPORT transport, 6166 UINT8 encr_enable) 6167{ 6168 if (fixed_queue_is_empty(btm_cb.sec_pending_q)) 6169 return; 6170 6171 UINT8 res = encr_enable ? BTM_SUCCESS : BTM_ERR_PROCESSING; 6172 list_t *list = fixed_queue_get_list(btm_cb.sec_pending_q); 6173 for (const list_node_t *node = list_begin(list); node != list_end(list); ) { 6174 tBTM_SEC_QUEUE_ENTRY *p_e = (tBTM_SEC_QUEUE_ENTRY *)list_node(node); 6175 node = list_next(node); 6176 6177 if (memcmp(p_e->bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0 && p_e->psm == 0 6178#if BLE_INCLUDED == TRUE 6179 && p_e->transport == transport 6180#endif 6181 ) 6182 { 6183 if (encr_enable == 0 || transport == BT_TRANSPORT_BR_EDR 6184#if BLE_INCLUDED == TRUE 6185 || p_e->sec_act == BTM_BLE_SEC_ENCRYPT 6186 || p_e->sec_act == BTM_BLE_SEC_ENCRYPT_NO_MITM 6187 || (p_e->sec_act == BTM_BLE_SEC_ENCRYPT_MITM && p_dev_rec->sec_flags 6188 & BTM_SEC_LE_AUTHENTICATED) 6189#endif 6190 ) 6191 { 6192 if (p_e->p_callback) 6193 (*p_e->p_callback) (p_dev_rec->bd_addr, transport, p_e->p_ref_data, res); 6194 fixed_queue_try_remove_from_queue(btm_cb.sec_pending_q, (void *)p_e); 6195 } 6196 } 6197 } 6198} 6199 6200/******************************************************************************* 6201** 6202** Function btm_sec_set_serv_level4_flags 6203** 6204** Description This function is called to set security mode 4 level 4 flags. 6205** 6206** Returns service security requirements updated to include secure 6207** connections only mode. 6208** 6209*******************************************************************************/ 6210static UINT16 btm_sec_set_serv_level4_flags(UINT16 cur_security, BOOLEAN is_originator) 6211{ 6212 UINT16 sec_level4_flags = is_originator ? BTM_SEC_OUT_LEVEL4_FLAGS : BTM_SEC_IN_LEVEL4_FLAGS; 6213 6214 return cur_security | sec_level4_flags; 6215} 6216 6217/******************************************************************************* 6218** 6219** Function btm_sec_clear_ble_keys 6220** 6221** Description This function is called to clear out the BLE keys. 6222** Typically when devices are removed in BTM_SecDeleteDevice, 6223** or when a new BT Link key is generated. 6224** 6225** Returns void 6226** 6227*******************************************************************************/ 6228void btm_sec_clear_ble_keys (tBTM_SEC_DEV_REC *p_dev_rec) 6229{ 6230 6231 BTM_TRACE_DEBUG ("%s() Clearing BLE Keys", __func__); 6232#if (SMP_INCLUDED== TRUE) 6233 p_dev_rec->ble.key_type = BTM_LE_KEY_NONE; 6234 memset (&p_dev_rec->ble.keys, 0, sizeof(tBTM_SEC_BLE_KEYS)); 6235 6236#if (BLE_PRIVACY_SPT == TRUE) 6237 btm_ble_resolving_list_remove_dev(p_dev_rec); 6238#endif 6239#endif 6240} 6241 6242/******************************************************************************* 6243** 6244** Function btm_sec_is_a_bonded_dev 6245** 6246** Description Is the specified device is a bonded device 6247** 6248** Returns TRUE - dev is bonded 6249** 6250*******************************************************************************/ 6251BOOLEAN btm_sec_is_a_bonded_dev (BD_ADDR bda) 6252{ 6253 6254 tBTM_SEC_DEV_REC *p_dev_rec= btm_find_dev (bda); 6255 BOOLEAN is_bonded= FALSE; 6256 6257 if (p_dev_rec && 6258#if (SMP_INCLUDED == TRUE) 6259 ((p_dev_rec->ble.key_type && (p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_KNOWN))|| 6260#else 6261 ( 6262#endif 6263 (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN))) 6264 { 6265 is_bonded = TRUE; 6266 } 6267 BTM_TRACE_DEBUG ("%s() is_bonded=%d", __func__, is_bonded); 6268 return(is_bonded); 6269} 6270 6271/******************************************************************************* 6272** 6273** Function btm_sec_is_le_capable_dev 6274** 6275** Description Is the specified device is dual mode or LE only device 6276** 6277** Returns TRUE - dev is a dual mode 6278** 6279*******************************************************************************/ 6280BOOLEAN btm_sec_is_le_capable_dev (BD_ADDR bda) 6281{ 6282 tBTM_SEC_DEV_REC *p_dev_rec= btm_find_dev (bda); 6283 BOOLEAN le_capable = FALSE; 6284 6285#if (BLE_INCLUDED== TRUE) 6286 if (p_dev_rec && (p_dev_rec->device_type & BT_DEVICE_TYPE_BLE) == BT_DEVICE_TYPE_BLE) 6287 le_capable = TRUE; 6288#endif 6289 return le_capable; 6290} 6291 6292/******************************************************************************* 6293** 6294** Function btm_sec_use_smp_br_chnl 6295** 6296** Description The function checks if SMP BR connection can be used with 6297** the peer. 6298** Is called when authentication for dedicated bonding is 6299** successfully completed. 6300** 6301** Returns TRUE - if SMP BR connection can be used (the link key is 6302** generated from P-256 and the peer supports Security 6303** Manager over BR). 6304** 6305*******************************************************************************/ 6306static BOOLEAN btm_sec_use_smp_br_chnl(tBTM_SEC_DEV_REC *p_dev_rec) 6307{ 6308 UINT32 ext_feat; 6309 UINT8 chnl_mask[L2CAP_FIXED_CHNL_ARRAY_SIZE]; 6310 6311 BTM_TRACE_DEBUG ("%s() link_key_type = 0x%x", __func__, 6312 p_dev_rec->link_key_type); 6313 6314 if ((p_dev_rec->link_key_type != BTM_LKEY_TYPE_UNAUTH_COMB_P_256) && 6315 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256)) 6316 return FALSE; 6317 6318 if (!L2CA_GetPeerFeatures (p_dev_rec->bd_addr, &ext_feat, chnl_mask)) 6319 return FALSE; 6320 6321 if (!(chnl_mask[0] & L2CAP_FIXED_CHNL_SMP_BR_BIT)) 6322 return FALSE; 6323 6324 return TRUE; 6325} 6326 6327/******************************************************************************* 6328** 6329** Function btm_sec_is_master 6330** 6331** Description The function checks if the device is BR/EDR master after 6332** pairing is completed. 6333** 6334** Returns TRUE - if the device is master. 6335** 6336*******************************************************************************/ 6337static BOOLEAN btm_sec_is_master(tBTM_SEC_DEV_REC *p_dev_rec) 6338{ 6339 tACL_CONN *p= btm_bda_to_acl(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR); 6340 return (p && (p->link_role == BTM_ROLE_MASTER)); 6341} 6342 6343