1 /******************************************************************************
3 * Copyright (C) 1999-2012 Broadcom Corporation
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
17 ******************************************************************************/
19 /******************************************************************************
21 * This file contains functions for the Bluetooth Security Manager
23 ******************************************************************************/
25 #define LOG_TAG "bt_btm_sec"
30 #include "device/include/controller.h"
36 #include "osi/include/log.h"
38 #if (BT_USE_TRACES == TRUE && BT_TRACE_VERBOSE == FALSE)
39 /* needed for sprintf() */
43 #if BLE_INCLUDED == TRUE
47 #define BTM_SEC_MAX_COLLISION_DELAY (5000)
49 #ifdef APPL_AUTH_WRITE_EXCEPTION
50 BOOLEAN (APPL_AUTH_WRITE_EXCEPTION)(BD_ADDR bd_addr);
54 /********************************************************************************
55 ** L O C A L F U N C T I O N P R O T O T Y P E S *
56 *********************************************************************************/
57 static tBTM_SEC_SERV_REC *btm_sec_find_first_serv (BOOLEAN is_originator, UINT16 psm);
58 static tBTM_SEC_SERV_REC *btm_sec_find_next_serv (tBTM_SEC_SERV_REC *p_cur);
59 static tBTM_SEC_SERV_REC *btm_sec_find_mx_serv (UINT8 is_originator, UINT16 psm,
63 static tBTM_STATUS btm_sec_execute_procedure (tBTM_SEC_DEV_REC *p_dev_rec);
64 static BOOLEAN btm_sec_start_get_name (tBTM_SEC_DEV_REC *p_dev_rec);
65 static BOOLEAN btm_sec_start_authentication (tBTM_SEC_DEV_REC *p_dev_rec);
66 static BOOLEAN btm_sec_start_encryption (tBTM_SEC_DEV_REC *p_dev_rec);
67 static void btm_sec_collision_timeout (TIMER_LIST_ENT *p_tle);
68 static void btm_restore_mode(void);
69 static void btm_sec_pairing_timeout (TIMER_LIST_ENT *p_tle);
70 static tBTM_STATUS btm_sec_dd_create_conn (tBTM_SEC_DEV_REC *p_dev_rec);
71 static void btm_sec_change_pairing_state (tBTM_PAIRING_STATE new_state);
73 #if (BT_USE_TRACES == TRUE)
74 static char *btm_pair_state_descr (tBTM_PAIRING_STATE state);
77 static void btm_sec_check_pending_reqs(void);
78 static BOOLEAN btm_sec_queue_mx_request (BD_ADDR bd_addr, UINT16 psm, BOOLEAN is_orig,
79 UINT32 mx_proto_id, UINT32 mx_chan_id,
80 tBTM_SEC_CALLBACK *p_callback, void *p_ref_data);
81 static void btm_sec_bond_cancel_complete (void);
82 static void btm_send_link_key_notif (tBTM_SEC_DEV_REC *p_dev_rec);
83 static BOOLEAN btm_sec_check_prefetch_pin (tBTM_SEC_DEV_REC *p_dev_rec);
85 static UINT8 btm_sec_start_authorization (tBTM_SEC_DEV_REC *p_dev_rec);
86 BOOLEAN btm_sec_are_all_trusted(UINT32 p_mask[]);
88 static tBTM_STATUS btm_sec_send_hci_disconnect (tBTM_SEC_DEV_REC *p_dev_rec, UINT8 reason, UINT16 conn_handle);
89 UINT8 btm_sec_start_role_switch (tBTM_SEC_DEV_REC *p_dev_rec);
90 tBTM_SEC_DEV_REC *btm_sec_find_dev_by_sec_state (UINT8 state);
92 static BOOLEAN btm_sec_set_security_level ( CONNECTION_TYPE conn_type, char *p_name, UINT8 service_id,
93 UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id,
96 static BOOLEAN btm_dev_authenticated(tBTM_SEC_DEV_REC *p_dev_rec);
97 static BOOLEAN btm_dev_encrypted(tBTM_SEC_DEV_REC *p_dev_rec);
98 static BOOLEAN btm_dev_authorized(tBTM_SEC_DEV_REC *p_dev_rec);
99 static BOOLEAN btm_serv_trusted(tBTM_SEC_DEV_REC *p_dev_rec, tBTM_SEC_SERV_REC *p_serv_rec);
101 static BOOLEAN btm_sec_queue_encrypt_request (BD_ADDR bd_addr, tBT_TRANSPORT transport,
102 tBTM_SEC_CALLBACK *p_callback, void *p_ref_data);
103 static void btm_sec_clean_pending_req_queue (BD_ADDR remote_bda, tBT_TRANSPORT transport) ;
104 static void btm_sec_check_pending_enc_req (tBTM_SEC_DEV_REC *p_dev_rec, tBT_TRANSPORT transport,
106 static BOOLEAN btm_sec_acceptor_rejects_bonding (tBTM_SEC_DEV_REC *p_dev_rec);
108 static BOOLEAN btm_sec_use_smp_br_chnl(tBTM_SEC_DEV_REC *p_dev_rec);
109 static BOOLEAN btm_sec_is_master(tBTM_SEC_DEV_REC *p_dev_rec);
111 /* TRUE - authenticated link key is possible */
112 static const BOOLEAN btm_sec_io_map [BTM_IO_CAP_MAX][BTM_IO_CAP_MAX] =
114 /* OUT, IO, IN, NONE */
115 /* OUT */ {FALSE, FALSE, TRUE, FALSE},
116 /* IO */ {FALSE, TRUE, TRUE, FALSE},
117 /* IN */ {TRUE, TRUE, TRUE, FALSE},
118 /* NONE */ {FALSE, FALSE, FALSE, FALSE}
120 /* BTM_IO_CAP_OUT 0 DisplayOnly */
121 /* BTM_IO_CAP_IO 1 DisplayYesNo */
122 /* BTM_IO_CAP_IN 2 KeyboardOnly */
123 /* BTM_IO_CAP_NONE 3 NoInputNoOutput */
125 /*******************************************************************************
127 ** Function btm_dev_authenticated
129 ** Description check device is authenticated
131 ** Returns BOOLEAN TRUE or FALSE
133 *******************************************************************************/
134 static BOOLEAN btm_dev_authenticated (tBTM_SEC_DEV_REC *p_dev_rec)
136 if(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)
143 /*******************************************************************************
145 ** Function btm_dev_encrypted
147 ** Description check device is encrypted
149 ** Returns BOOLEAN TRUE or FALSE
151 *******************************************************************************/
152 static BOOLEAN btm_dev_encrypted (tBTM_SEC_DEV_REC *p_dev_rec)
154 if(p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)
161 /*******************************************************************************
163 ** Function btm_dev_authorized
165 ** Description check device is authorized
167 ** Returns BOOLEAN TRUE or FALSE
169 *******************************************************************************/
170 static BOOLEAN btm_dev_authorized (tBTM_SEC_DEV_REC *p_dev_rec)
172 if(p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED)
179 /*******************************************************************************
181 ** Function btm_serv_trusted
183 ** Description check service is trusted
185 ** Returns BOOLEAN TRUE or FALSE
187 *******************************************************************************/
188 static BOOLEAN btm_serv_trusted(tBTM_SEC_DEV_REC *p_dev_rec, tBTM_SEC_SERV_REC *p_serv_rec)
190 if(BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask, p_serv_rec->service_id))
197 /*******************************************************************************
199 ** Function BTM_SecRegister
201 ** Description Application manager calls this function to register for
202 ** security services. There can be one and only one application
203 ** saving link keys. BTM allows only first registration.
205 ** Returns TRUE if registered OK, else FALSE
207 *******************************************************************************/
208 BOOLEAN BTM_SecRegister(tBTM_APPL_INFO *p_cb_info)
210 #if BLE_INCLUDED == TRUE
211 BT_OCTET16 temp_value = {0};
214 BTM_TRACE_EVENT("%s application registered", __func__);
216 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
217 LOG_INFO("%s p_cb_info->p_le_callback == 0x%p", __func__, p_cb_info->p_le_callback);
218 if (p_cb_info->p_le_callback)
220 #if SMP_INCLUDED == TRUE
221 BTM_TRACE_EVENT("%s SMP_Register( btm_proc_smp_cback )", __func__);
222 SMP_Register(btm_proc_smp_cback);
224 /* if no IR is loaded, need to regenerate all the keys */
225 if (memcmp(btm_cb.devcb.id_keys.ir, &temp_value, sizeof(BT_OCTET16)) == 0)
232 LOG_WARN("%s p_cb_info->p_le_callback == NULL", __func__);
236 btm_cb.api = *p_cb_info;
237 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
238 LOG_INFO("%s btm_cb.api.p_le_callback = 0x%p ", __func__, btm_cb.api.p_le_callback);
240 BTM_TRACE_EVENT("%s application registered", __func__);
244 /*******************************************************************************
246 ** Function BTM_SecAddRmtNameNotifyCallback
248 ** Description Any profile can register to be notified when name of the
249 ** remote device is resolved.
251 ** Returns TRUE if registered OK, else FALSE
253 *******************************************************************************/
254 BOOLEAN BTM_SecAddRmtNameNotifyCallback (tBTM_RMT_NAME_CALLBACK *p_callback)
258 for (i = 0; i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
260 if (btm_cb.p_rmt_name_callback[i] == NULL)
262 btm_cb.p_rmt_name_callback[i] = p_callback;
271 /*******************************************************************************
273 ** Function BTM_SecDeleteRmtNameNotifyCallback
275 ** Description Any profile can deregister notification when a new Link Key
276 ** is generated per connection.
278 ** Returns TRUE if OK, else FALSE
280 *******************************************************************************/
281 BOOLEAN BTM_SecDeleteRmtNameNotifyCallback (tBTM_RMT_NAME_CALLBACK *p_callback)
285 for (i = 0; i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
287 if (btm_cb.p_rmt_name_callback[i] == p_callback)
289 btm_cb.p_rmt_name_callback[i] = NULL;
297 /*******************************************************************************
299 ** Function BTM_GetSecurityFlags
301 ** Description Get security flags for the device
303 ** Returns BOOLEAN TRUE or FALSE is device found
305 *******************************************************************************/
306 BOOLEAN BTM_GetSecurityFlags (BD_ADDR bd_addr, UINT8 * p_sec_flags)
308 tBTM_SEC_DEV_REC *p_dev_rec;
310 if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
312 *p_sec_flags = (UINT8) p_dev_rec->sec_flags;
315 BTM_TRACE_ERROR ("BTM_GetSecurityFlags false");
319 /*******************************************************************************
321 ** Function BTM_GetSecurityFlagsByTransport
323 ** Description Get security flags for the device on a particular transport
325 ** Returns BOOLEAN TRUE or FALSE is device found
327 *******************************************************************************/
328 BOOLEAN BTM_GetSecurityFlagsByTransport (BD_ADDR bd_addr, UINT8 * p_sec_flags,
329 tBT_TRANSPORT transport)
331 tBTM_SEC_DEV_REC *p_dev_rec;
333 if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
335 if (transport == BT_TRANSPORT_BR_EDR)
336 *p_sec_flags = (UINT8) p_dev_rec->sec_flags;
338 *p_sec_flags = (UINT8) (p_dev_rec->sec_flags >> 8);
342 BTM_TRACE_ERROR ("BTM_GetSecurityFlags false");
346 /*******************************************************************************
348 ** Function BTM_SetPinType
350 ** Description Set PIN type for the device.
354 *******************************************************************************/
355 void BTM_SetPinType (UINT8 pin_type, PIN_CODE pin_code, UINT8 pin_code_len)
357 BTM_TRACE_API ("BTM_SetPinType: pin type %d [variable-0, fixed-1], code %s, length %d",
358 pin_type, (char *) pin_code, pin_code_len);
360 /* If device is not up security mode will be set as a part of startup */
361 if ( (btm_cb.cfg.pin_type != pin_type)
362 && controller_get_interface()->get_is_ready() )
364 btsnd_hcic_write_pin_type (pin_type);
367 btm_cb.cfg.pin_type = pin_type;
368 btm_cb.cfg.pin_code_len = pin_code_len;
369 memcpy (btm_cb.cfg.pin_code, pin_code, pin_code_len);
372 /*******************************************************************************
374 ** Function BTM_SetPairableMode
376 ** Description Enable or disable pairing
378 ** Parameters allow_pairing - (TRUE or FALSE) whether or not the device
380 ** connect_only_paired - (TRUE or FALSE) whether or not to
381 ** only allow paired devices to connect.
385 *******************************************************************************/
386 void BTM_SetPairableMode (BOOLEAN allow_pairing, BOOLEAN connect_only_paired)
388 BTM_TRACE_API ("BTM_SetPairableMode() allow_pairing: %u connect_only_paired: %u", allow_pairing, connect_only_paired);
390 btm_cb.pairing_disabled = !allow_pairing;
391 btm_cb.connect_only_paired = connect_only_paired;
395 #define BTM_NO_AVAIL_SEC_SERVICES ((UINT16) 0xffff)
397 /*******************************************************************************
399 ** Function BTM_SetSecurityLevel
401 ** Description Register service security level with Security Manager
403 ** Parameters: is_originator - TRUE if originating the connection, FALSE if not
404 ** p_name - Name of the service relevant only if
405 ** authorization will show this name to user. ignored
406 ** if BTM_SEC_SERVICE_NAME_LEN is 0.
407 ** service_id - service ID for the service passed to authorization callback
408 ** sec_level - bit mask of the security features
410 ** mx_proto_id - protocol ID of multiplexing proto below
411 ** mx_chan_id - channel ID of multiplexing proto below
413 ** Returns TRUE if registered OK, else FALSE
415 *******************************************************************************/
416 BOOLEAN BTM_SetSecurityLevel (BOOLEAN is_originator, char *p_name, UINT8 service_id,
417 UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id,
420 #if (L2CAP_UCD_INCLUDED == TRUE)
421 CONNECTION_TYPE conn_type;
424 conn_type = CONN_ORIENT_ORIG;
426 conn_type = CONN_ORIENT_TERM;
428 return(btm_sec_set_security_level (conn_type, p_name, service_id,
429 sec_level, psm, mx_proto_id, mx_chan_id));
431 return(btm_sec_set_security_level (is_originator, p_name, service_id,
432 sec_level, psm, mx_proto_id, mx_chan_id));
436 /*******************************************************************************
438 ** Function btm_sec_set_security_level
440 ** Description Register service security level with Security Manager
442 ** Parameters: conn_type - TRUE if originating the connection, FALSE if not
443 ** p_name - Name of the service relevant only if
444 ** authorization will show this name to user. ignored
445 ** if BTM_SEC_SERVICE_NAME_LEN is 0.
446 ** service_id - service ID for the service passed to authorization callback
447 ** sec_level - bit mask of the security features
449 ** mx_proto_id - protocol ID of multiplexing proto below
450 ** mx_chan_id - channel ID of multiplexing proto below
452 ** Returns TRUE if registered OK, else FALSE
454 *******************************************************************************/
455 static BOOLEAN btm_sec_set_security_level (CONNECTION_TYPE conn_type, char *p_name, UINT8 service_id,
456 UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id,
459 tBTM_SEC_SERV_REC *p_srec;
461 UINT16 first_unused_record = BTM_NO_AVAIL_SEC_SERVICES;
462 BOOLEAN record_allocated = FALSE;
463 BOOLEAN is_originator;
464 #if (L2CAP_UCD_INCLUDED == TRUE)
467 if (conn_type & CONNECTION_TYPE_ORIG_MASK)
468 is_originator = TRUE;
470 is_originator = FALSE;
472 if (conn_type & CONNECTION_TYPE_CONNLESS_MASK )
481 is_originator = conn_type;
484 /* See if the record can be reused (same service name, psm, mx_proto_id,
485 service_id, and mx_chan_id), or obtain the next unused record */
487 p_srec = &btm_cb.sec_serv_rec[0];
490 for (index = 0; index < BTM_SEC_MAX_SERVICE_RECORDS; index++, p_srec++)
492 /* Check if there is already a record for this service */
493 if (p_srec->security_flags & BTM_SEC_IN_USE)
495 #if BTM_SEC_SERVICE_NAME_LEN > 0
496 if (p_srec->psm == psm &&
497 p_srec->mx_proto_id == mx_proto_id &&
498 service_id == p_srec->service_id &&
499 (!strncmp (p_name, (char *) p_srec->orig_service_name,
500 BTM_SEC_SERVICE_NAME_LEN) ||
501 !strncmp (p_name, (char *) p_srec->term_service_name,
502 BTM_SEC_SERVICE_NAME_LEN)))
504 if (p_srec->psm == psm &&
505 p_srec->mx_proto_id == mx_proto_id &&
506 service_id == p_srec->service_id)
509 record_allocated = TRUE;
513 /* Mark the first available service record */
514 else if (!record_allocated)
516 memset (p_srec, 0, sizeof(tBTM_SEC_SERV_REC));
517 record_allocated = TRUE;
518 first_unused_record = index;
522 if (!record_allocated)
524 BTM_TRACE_WARNING("BTM_SEC_REG: Out of Service Records (%d)", BTM_SEC_MAX_SERVICE_RECORDS);
525 return(record_allocated);
528 /* Process the request if service record is valid */
529 /* If a duplicate service wasn't found, use the first available */
530 if (index >= BTM_SEC_MAX_SERVICE_RECORDS)
532 index = first_unused_record;
533 p_srec = &btm_cb.sec_serv_rec[index];
537 p_srec->service_id = service_id;
538 p_srec->mx_proto_id = mx_proto_id;
542 p_srec->orig_mx_chan_id = mx_chan_id;
543 #if BTM_SEC_SERVICE_NAME_LEN > 0
544 BCM_STRNCPY_S ((char *)p_srec->orig_service_name, sizeof(p_srec->orig_service_name), p_name, BTM_SEC_SERVICE_NAME_LEN);
546 /* clear out the old setting, just in case it exists */
547 #if (L2CAP_UCD_INCLUDED == TRUE)
550 p_srec->ucd_security_flags &=
551 ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM |
552 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
557 p_srec->security_flags &=
558 ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM |
559 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
562 /* Parameter validation. Originator should not set requirements for incoming connections */
563 sec_level &= ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_MITM);
565 if (btm_cb.security_mode == BTM_SEC_MODE_SP)
567 if (sec_level & BTM_SEC_OUT_AUTHENTICATE)
568 sec_level |= BTM_SEC_OUT_MITM;
571 /* Make sure the authenticate bit is set, when encrypt bit is set */
572 if (sec_level & BTM_SEC_OUT_ENCRYPT)
573 sec_level |= BTM_SEC_OUT_AUTHENTICATE;
575 /* outgoing connections usually set the security level right before
576 * the connection is initiated.
577 * set it to be the outgoing service */
578 #if (L2CAP_UCD_INCLUDED == TRUE)
579 if ( is_ucd == FALSE )
582 btm_cb.p_out_serv = p_srec;
587 p_srec->term_mx_chan_id = mx_chan_id;
588 #if BTM_SEC_SERVICE_NAME_LEN > 0
589 BCM_STRNCPY_S ((char *)p_srec->term_service_name, sizeof(p_srec->term_service_name), p_name, BTM_SEC_SERVICE_NAME_LEN);
591 /* clear out the old setting, just in case it exists */
592 #if (L2CAP_UCD_INCLUDED == TRUE)
595 p_srec->ucd_security_flags &=
596 ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_MITM |
597 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
602 p_srec->security_flags &=
603 ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_MITM |
604 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
607 /* Parameter validation. Acceptor should not set requirements for outgoing connections */
608 sec_level &= ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM);
610 if (btm_cb.security_mode == BTM_SEC_MODE_SP)
612 if (sec_level & BTM_SEC_IN_AUTHENTICATE)
613 sec_level |= BTM_SEC_IN_MITM;
616 /* Make sure the authenticate bit is set, when encrypt bit is set */
617 if (sec_level & BTM_SEC_IN_ENCRYPT)
618 sec_level |= BTM_SEC_IN_AUTHENTICATE;
621 #if (L2CAP_UCD_INCLUDED == TRUE)
624 p_srec->security_flags |= (UINT16)(BTM_SEC_IN_USE);
625 p_srec->ucd_security_flags |= (UINT16)(sec_level | BTM_SEC_IN_USE);
629 p_srec->security_flags |= (UINT16)(sec_level | BTM_SEC_IN_USE);
632 BTM_TRACE_API("BTM_SEC_REG[%d]: id %d, conn_type 0x%x, psm 0x%04x, proto_id %d, chan_id %d",
633 index, service_id, conn_type, psm, mx_proto_id, mx_chan_id);
635 BTM_TRACE_API(" : security_flags: 0x%04x, ucd_security_flags: 0x%04x",
636 p_srec->security_flags, p_srec->ucd_security_flags);
638 #if BTM_SEC_SERVICE_NAME_LEN > 0
639 BTM_TRACE_API(" : service name [%s] (up to %d chars saved)",
640 p_name, BTM_SEC_SERVICE_NAME_LEN);
643 p_srec->security_flags |= (UINT16)(sec_level | BTM_SEC_IN_USE);
645 BTM_TRACE_API("BTM_SEC_REG[%d]: id %d, is_orig %d, psm 0x%04x, proto_id %d, chan_id %d",
646 index, service_id, is_originator, psm, mx_proto_id, mx_chan_id);
648 #if BTM_SEC_SERVICE_NAME_LEN > 0
649 BTM_TRACE_API(" : sec: 0x%x, service name [%s] (up to %d chars saved)",
650 p_srec->security_flags, p_name, BTM_SEC_SERVICE_NAME_LEN);
655 return(record_allocated);
658 /*******************************************************************************
660 ** Function BTM_SecClrService
662 ** Description Removes specified service record(s) from the security database.
663 ** All service records with the specified name are removed.
664 ** Typically used only by devices with limited RAM so that it can
665 ** reuse an old security service record.
667 ** Note: Unpredictable results may occur if a service is cleared
668 ** that is still in use by an application/profile.
670 ** Parameters Service ID - Id of the service to remove. ('0' removes all service
671 ** records (except SDP).
673 ** Returns Number of records that were freed.
675 *******************************************************************************/
676 UINT8 BTM_SecClrService (UINT8 service_id)
678 tBTM_SEC_SERV_REC *p_srec = &btm_cb.sec_serv_rec[0];
682 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_srec++)
684 /* Delete services with specified name (if in use and not SDP) */
685 if ((p_srec->security_flags & BTM_SEC_IN_USE) && (p_srec->psm != BT_PSM_SDP) &&
686 (!service_id || (service_id == p_srec->service_id)))
688 BTM_TRACE_API("BTM_SEC_CLR[%d]: id %d", i, service_id);
689 p_srec->security_flags = 0;
690 #if (L2CAP_UCD_INCLUDED == TRUE)
691 p_srec->ucd_security_flags = 0;
700 /*******************************************************************************
702 ** Function btm_sec_clr_service_by_psm
704 ** Description Removes specified service record from the security database.
705 ** All service records with the specified psm are removed.
706 ** Typically used by L2CAP to free up the service record used
707 ** by dynamic PSM clients when the channel is closed.
708 ** The given psm must be a virtual psm.
710 ** Parameters Service ID - Id of the service to remove. ('0' removes all service
711 ** records (except SDP).
713 ** Returns Number of records that were freed.
715 *******************************************************************************/
716 UINT8 btm_sec_clr_service_by_psm (UINT16 psm)
718 tBTM_SEC_SERV_REC *p_srec = &btm_cb.sec_serv_rec[0];
722 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_srec++)
724 /* Delete services with specified name (if in use and not SDP) */
725 if ((p_srec->security_flags & BTM_SEC_IN_USE) && (p_srec->psm == psm) )
727 BTM_TRACE_API("BTM_SEC_CLR[%d]: id %d ", i, p_srec->service_id);
728 p_srec->security_flags = 0;
732 BTM_TRACE_API("btm_sec_clr_service_by_psm psm:0x%x num_freed:%d", psm, num_freed);
737 /*******************************************************************************
739 ** Function btm_sec_clr_temp_auth_service
741 ** Description Removes specified device record's temporary authorization
742 ** flag from the security database.
744 ** Parameters Device address to be cleared
748 *******************************************************************************/
749 void btm_sec_clr_temp_auth_service (BD_ADDR bda)
751 tBTM_SEC_DEV_REC *p_dev_rec;
753 if ((p_dev_rec = btm_find_dev (bda)) == NULL)
755 BTM_TRACE_WARNING ("btm_sec_clr_temp_auth_service() - no dev CB");
759 /* Reset the temporary authorized flag so that next time (untrusted) service is accessed autorization will take place */
760 if (p_dev_rec->last_author_service_id != BTM_SEC_NO_LAST_SERVICE_ID && p_dev_rec->p_cur_service)
762 BTM_TRACE_DEBUG ("btm_sec_clr_auth_service_by_psm [clearing device: %02x:%02x:%02x:%02x:%02x:%02x]",
763 bda[0], bda[1], bda[2], bda[3], bda[4], bda[5]);
765 p_dev_rec->last_author_service_id = BTM_SEC_NO_LAST_SERVICE_ID;
769 /*******************************************************************************
771 ** Function BTM_PINCodeReply
773 ** Description This function is called after Security Manager submitted
774 ** PIN code request to the UI.
776 ** Parameters: bd_addr - Address of the device for which PIN was requested
777 ** res - result of the operation BTM_SUCCESS if success
778 ** pin_len - length in bytes of the PIN Code
779 ** p_pin - pointer to array with the PIN Code
780 ** trusted_mask - bitwise OR of trusted services (array of UINT32)
782 *******************************************************************************/
783 void BTM_PINCodeReply (BD_ADDR bd_addr, UINT8 res, UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[])
785 tBTM_SEC_DEV_REC *p_dev_rec;
787 BTM_TRACE_API ("BTM_PINCodeReply(): PairState: %s PairFlags: 0x%02x PinLen:%d Result:%d",
788 btm_pair_state_descr(btm_cb.pairing_state), btm_cb.pairing_flags, pin_len, res);
790 /* If timeout already expired or has been canceled, ignore the reply */
791 if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_PIN)
793 BTM_TRACE_WARNING ("BTM_PINCodeReply() - Wrong State: %d", btm_cb.pairing_state);
797 if (memcmp (bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN) != 0)
799 BTM_TRACE_ERROR ("BTM_PINCodeReply() - Wrong BD Addr");
803 if ((p_dev_rec = btm_find_dev (bd_addr)) == NULL)
805 BTM_TRACE_ERROR ("BTM_PINCodeReply() - no dev CB");
809 if ( (pin_len > PIN_CODE_LEN) || (pin_len == 0) || (p_pin == NULL) )
810 res = BTM_ILLEGAL_VALUE;
812 if (res != BTM_SUCCESS)
814 /* if peer started dd OR we started dd and pre-fetch pin was not used send negative reply */
815 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PEER_STARTED_DD) ||
816 ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) &&
817 (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)) )
819 /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed event */
820 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
821 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
823 btsnd_hcic_pin_code_neg_reply (bd_addr);
827 p_dev_rec->security_required = BTM_SEC_NONE;
828 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
833 BTM_SEC_COPY_TRUSTED_DEVICE(trusted_mask, p_dev_rec->trusted_mask);
834 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED;
836 if ( (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
837 && (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE)
838 && (btm_cb.security_mode_changed == FALSE) )
840 /* This is start of the dedicated bonding if local device is 2.0 */
841 btm_cb.pin_code_len = pin_len;
842 memcpy (btm_cb.pin_code, p_pin, pin_len);
844 btm_cb.security_mode_changed = TRUE;
845 #ifdef APPL_AUTH_WRITE_EXCEPTION
846 if(!(APPL_AUTH_WRITE_EXCEPTION)(p_dev_rec->bd_addr))
848 btsnd_hcic_write_auth_enable (TRUE);
850 btm_cb.acl_disc_reason = 0xff ;
852 /* if we rejected incoming connection request, we have to wait HCI_Connection_Complete event */
853 /* before originating */
854 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT)
856 BTM_TRACE_WARNING ("BTM_PINCodeReply(): waiting HCI_Connection_Complete after rejected incoming connection");
857 /* we change state little bit early so btm_sec_connected() will originate connection */
858 /* when existing ACL link is down completely */
859 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
861 /* if we already accepted incoming connection from pairing device */
862 else if (p_dev_rec->sm4 & BTM_SM4_CONN_PEND)
864 BTM_TRACE_WARNING ("BTM_PINCodeReply(): link is connecting so wait pin code request from peer");
865 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
867 else if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED)
869 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
870 p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_AUTHED;
872 if (btm_cb.api.p_auth_complete_callback)
873 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
874 p_dev_rec->sec_bd_name, HCI_ERR_AUTH_FAILURE);
879 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
880 btm_cb.acl_disc_reason = HCI_SUCCESS;
882 #ifdef PORCHE_PAIRING_CONFLICT
883 BTM_TRACE_EVENT("BTM_PINCodeReply(): Saving pin_len: %d btm_cb.pin_code_len: %d", pin_len, btm_cb.pin_code_len);
884 /* if this was not pre-fetched, save the PIN */
885 if (btm_cb.pin_code_len == 0)
886 memcpy (btm_cb.pin_code, p_pin, pin_len);
887 btm_cb.pin_code_len_saved = pin_len;
889 btsnd_hcic_pin_code_req_reply (bd_addr, pin_len, p_pin);
892 /*******************************************************************************
894 ** Function btm_sec_bond_by_transport
896 ** Description this is the bond function that will start either SSP or SMP.
898 ** Parameters: bd_addr - Address of the device to bond
899 ** pin_len - length in bytes of the PIN Code
900 ** p_pin - pointer to array with the PIN Code
901 ** trusted_mask - bitwise OR of trusted services (array of UINT32)
903 ** Note: After 2.1 parameters are not used and preserved here not to change API
904 *******************************************************************************/
905 tBTM_STATUS btm_sec_bond_by_transport (BD_ADDR bd_addr, tBT_TRANSPORT transport,
906 UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[])
908 tBTM_SEC_DEV_REC *p_dev_rec;
912 tACL_CONN *p= btm_bda_to_acl(bd_addr, transport);
913 BTM_TRACE_API ("btm_sec_bond_by_transport BDA: %02x:%02x:%02x:%02x:%02x:%02x",
914 bd_addr[0], bd_addr[1], bd_addr[2], bd_addr[3], bd_addr[4], bd_addr[5]);
916 BTM_TRACE_DEBUG("btm_sec_bond_by_transport: Transport used %d" , transport);
919 /* Other security process is in progress */
920 if (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
922 BTM_TRACE_ERROR ("BTM_SecBond: already busy in state: %s", btm_pair_state_descr(btm_cb.pairing_state));
923 return(BTM_WRONG_MODE);
926 if ((p_dev_rec = btm_find_or_alloc_dev (bd_addr)) == NULL)
928 return(BTM_NO_RESOURCES);
931 BTM_TRACE_DEBUG ("before update sec_flags=0x%x", p_dev_rec->sec_flags);
933 /* Finished if connection is active and already paired */
934 if ( ((p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE) && transport == BT_TRANSPORT_BR_EDR
935 && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))
936 #if (BLE_INCLUDED == TRUE)
937 ||((p_dev_rec->ble_hci_handle != BTM_SEC_INVALID_HANDLE) && transport == BT_TRANSPORT_LE
938 && (p_dev_rec->sec_flags & BTM_SEC_LE_AUTHENTICATED))
943 BTM_TRACE_WARNING("BTM_SecBond -> Already Paired");
947 /* Tell controller to get rid of the link key if it has one stored */
948 if ((BTM_DeleteStoredLinkKey (bd_addr, NULL)) != BTM_SUCCESS)
949 return(BTM_NO_RESOURCES);
951 /* Save the PIN code if we got a valid one */
952 if (p_pin && (pin_len <= PIN_CODE_LEN) && (pin_len != 0))
954 btm_cb.pin_code_len = pin_len;
955 memcpy (btm_cb.pin_code, p_pin, PIN_CODE_LEN);
958 memcpy (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN);
960 btm_cb.pairing_flags = BTM_PAIR_FLAGS_WE_STARTED_DD;
962 p_dev_rec->security_required = BTM_SEC_OUT_AUTHENTICATE;
963 p_dev_rec->is_originator = TRUE;
965 BTM_SEC_COPY_TRUSTED_DEVICE(trusted_mask, p_dev_rec->trusted_mask);
967 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
968 if (transport == BT_TRANSPORT_LE)
970 p_dev_rec->sec_flags &= ~ BTM_SEC_LE_MASK;
972 if (SMP_Pair(bd_addr) == SMP_STARTED)
974 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_LE_ACTIVE;
975 p_dev_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING;
976 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
977 return BTM_CMD_STARTED;
980 btm_cb.pairing_flags = 0;
981 return(BTM_NO_RESOURCES);
985 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED
986 | BTM_SEC_ROLE_SWITCHED | BTM_SEC_LINK_KEY_AUTHED);
989 BTM_TRACE_DEBUG ("after update sec_flags=0x%x", p_dev_rec->sec_flags);
990 if (!controller_get_interface()->supports_simple_pairing())
992 /* The special case when we authenticate keyboard. Set pin type to fixed */
993 /* It would be probably better to do it from the application, but it is */
995 if (((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) == BTM_COD_MAJOR_PERIPHERAL)
996 && (p_dev_rec->dev_class[2] & BTM_COD_MINOR_KEYBOARD)
997 && (btm_cb.cfg.pin_type != HCI_PIN_TYPE_FIXED))
999 btm_cb.pin_type_changed = TRUE;
1000 btsnd_hcic_write_pin_type (HCI_PIN_TYPE_FIXED);
1004 for (ii = 0; ii <= HCI_EXT_FEATURES_PAGE_MAX; ii++)
1006 p_features = p_dev_rec->features[ii];
1007 BTM_TRACE_EVENT(" remote_features page[%1d] = %02x-%02x-%02x-%02x",
1008 ii, p_features[0], p_features[1], p_features[2], p_features[3]);
1009 BTM_TRACE_EVENT(" %02x-%02x-%02x-%02x",
1010 p_features[4], p_features[5], p_features[6], p_features[7]);
1013 BTM_TRACE_EVENT ("BTM_SecBond: Remote sm4: 0x%x HCI Handle: 0x%04x", p_dev_rec->sm4, p_dev_rec->hci_handle);
1015 #if BTM_SEC_FORCE_RNR_FOR_DBOND == TRUE
1016 p_dev_rec->sec_flags &= ~BTM_SEC_NAME_KNOWN;
1019 /* If connection already exists... */
1020 if (p && p->hci_handle != BTM_SEC_INVALID_HANDLE)
1022 if (!btm_sec_start_authentication (p_dev_rec))
1023 return(BTM_NO_RESOURCES);
1025 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
1027 /* Mark lcb as bonding */
1028 l2cu_update_lcb_4_bonding (bd_addr, TRUE);
1029 return(BTM_CMD_STARTED);
1032 BTM_TRACE_DEBUG ("sec mode: %d sm4:x%x", btm_cb.security_mode, p_dev_rec->sm4);
1033 if (!controller_get_interface()->supports_simple_pairing()
1034 || (p_dev_rec->sm4 == BTM_SM4_KNOWN))
1036 if ( btm_sec_check_prefetch_pin (p_dev_rec) )
1037 return(BTM_CMD_STARTED);
1039 if (BTM_SEC_MODE_SP == btm_cb.security_mode && BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4))
1041 /* local is 2.1 and peer is unknown */
1042 if ((p_dev_rec->sm4 & BTM_SM4_CONN_PEND) == 0)
1044 /* we are not accepting connection request from peer
1045 * -> RNR (to learn if peer is 2.1)
1046 * RNR when no ACL causes HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT */
1047 btm_sec_change_pairing_state (BTM_PAIR_STATE_GET_REM_NAME);
1048 BTM_ReadRemoteDeviceName(bd_addr, NULL, BT_TRANSPORT_BR_EDR);
1052 /* We are accepting connection request from peer */
1053 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
1055 BTM_TRACE_DEBUG ("State:%s sm4: 0x%x sec_state:%d",
1056 btm_pair_state_descr (btm_cb.pairing_state), p_dev_rec->sm4, p_dev_rec->sec_state);
1057 return BTM_CMD_STARTED;
1060 /* both local and peer are 2.1 */
1061 status = btm_sec_dd_create_conn(p_dev_rec);
1063 if (status != BTM_CMD_STARTED)
1065 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
1071 /*******************************************************************************
1073 ** Function BTM_SecBondByTransport
1075 ** Description This function is called to perform bonding with peer device.
1076 ** If the connection is already up, but not secure, pairing
1077 ** is attempted. If already paired BTM_SUCCESS is returned.
1079 ** Parameters: bd_addr - Address of the device to bond
1080 ** transport - doing SSP over BR/EDR or SMP over LE
1081 ** pin_len - length in bytes of the PIN Code
1082 ** p_pin - pointer to array with the PIN Code
1083 ** trusted_mask - bitwise OR of trusted services (array of UINT32)
1085 ** Note: After 2.1 parameters are not used and preserved here not to change API
1086 *******************************************************************************/
1087 tBTM_STATUS BTM_SecBondByTransport (BD_ADDR bd_addr, tBT_TRANSPORT transport,
1088 UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[])
1090 #if SMP_INCLUDED == TRUE
1091 tBT_DEVICE_TYPE dev_type;
1092 tBLE_ADDR_TYPE addr_type;
1094 BTM_ReadDevInfo(bd_addr, &dev_type, &addr_type);
1095 /* LE device, do SMP pairing */
1096 if ((transport == BT_TRANSPORT_LE && (dev_type & BT_DEVICE_TYPE_BLE) == 0) ||
1097 (transport == BT_TRANSPORT_BR_EDR && (dev_type & BT_DEVICE_TYPE_BREDR) == 0))
1099 return BTM_ILLEGAL_ACTION;
1102 return btm_sec_bond_by_transport(bd_addr, transport, pin_len, p_pin, trusted_mask);
1105 /*******************************************************************************
1107 ** Function BTM_SecBond
1109 ** Description This function is called to perform bonding with peer device.
1110 ** If the connection is already up, but not secure, pairing
1111 ** is attempted. If already paired BTM_SUCCESS is returned.
1113 ** Parameters: bd_addr - Address of the device to bond
1114 ** pin_len - length in bytes of the PIN Code
1115 ** p_pin - pointer to array with the PIN Code
1116 ** trusted_mask - bitwise OR of trusted services (array of UINT32)
1118 ** Note: After 2.1 parameters are not used and preserved here not to change API
1119 *******************************************************************************/
1120 tBTM_STATUS BTM_SecBond (BD_ADDR bd_addr, UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[])
1122 tBT_TRANSPORT transport = BT_TRANSPORT_BR_EDR;
1123 #if BLE_INCLUDED == TRUE
1124 if (BTM_UseLeLink(bd_addr))
1125 transport = BT_TRANSPORT_LE;
1127 return btm_sec_bond_by_transport(bd_addr, transport, pin_len, p_pin, trusted_mask);
1129 /*******************************************************************************
1131 ** Function BTM_SecBondCancel
1133 ** Description This function is called to cancel ongoing bonding process
1134 ** with peer device.
1136 ** Parameters: bd_addr - Address of the peer device
1137 ** transport - FALSE for BR/EDR link; TRUE for LE link
1139 *******************************************************************************/
1140 tBTM_STATUS BTM_SecBondCancel (BD_ADDR bd_addr)
1142 tBTM_SEC_DEV_REC *p_dev_rec;
1144 BTM_TRACE_API ("BTM_SecBondCancel() State: %s flags:0x%x",
1145 btm_pair_state_descr (btm_cb.pairing_state), btm_cb.pairing_flags);
1147 if (((p_dev_rec = btm_find_dev (bd_addr)) == NULL)
1148 || (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) )
1149 return BTM_UNKNOWN_ADDR;
1151 #if SMP_INCLUDED == TRUE
1152 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_LE_ACTIVE)
1154 if (p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING)
1156 BTM_TRACE_DEBUG ("Cancel LE pairing");
1157 if (SMP_PairCancel(bd_addr))
1159 return BTM_CMD_STARTED;
1162 return BTM_WRONG_MODE;
1166 BTM_TRACE_DEBUG ("hci_handle:0x%x sec_state:%d", p_dev_rec->hci_handle, p_dev_rec->sec_state );
1167 if (BTM_PAIR_STATE_WAIT_LOCAL_PIN == btm_cb.pairing_state &&
1168 BTM_PAIR_FLAGS_WE_STARTED_DD & btm_cb.pairing_flags)
1170 /* pre-fetching pin for dedicated bonding */
1171 btm_sec_bond_cancel_complete();
1175 /* If this BDA is in a bonding procedure */
1176 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
1177 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD))
1179 /* If the HCI link is up */
1180 if (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)
1182 /* If some other thread disconnecting, we do not send second command */
1183 if ((p_dev_rec->sec_state == BTM_SEC_STATE_DISCONNECTING) ||
1184 (p_dev_rec->sec_state == BTM_SEC_STATE_DISCONNECTING_BOTH))
1185 return(BTM_CMD_STARTED);
1187 /* If the HCI link was set up by Bonding process */
1188 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)
1189 return btm_sec_send_hci_disconnect(p_dev_rec, HCI_ERR_PEER_USER, p_dev_rec->hci_handle);
1191 l2cu_update_lcb_4_bonding(bd_addr, FALSE);
1193 return BTM_NOT_AUTHORIZED;
1195 else /*HCI link is not up */
1197 /* If the HCI link creation was started by Bonding process */
1198 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)
1200 if (btsnd_hcic_create_conn_cancel(bd_addr))
1201 return BTM_CMD_STARTED;
1203 return BTM_NO_RESOURCES;
1205 if (btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME)
1207 BTM_CancelRemoteDeviceName();
1208 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_WE_CANCEL_DD;
1209 return BTM_CMD_STARTED;
1211 return BTM_NOT_AUTHORIZED;
1215 return BTM_WRONG_MODE;
1218 /*******************************************************************************
1220 ** Function BTM_SecGetDeviceLinkKey
1222 ** Description This function is called to obtain link key for the device
1223 ** it returns BTM_SUCCESS if link key is available, or
1224 ** BTM_UNKNOWN_ADDR if Security Manager does not know about
1225 ** the device or device record does not contain link key info
1227 ** Parameters: bd_addr - Address of the device
1228 ** link_key - Link Key is copied into this array
1230 *******************************************************************************/
1231 tBTM_STATUS BTM_SecGetDeviceLinkKey (BD_ADDR bd_addr, LINK_KEY link_key)
1233 tBTM_SEC_DEV_REC *p_dev_rec;
1235 if (((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
1236 && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN))
1238 memcpy (link_key, p_dev_rec->link_key, LINK_KEY_LEN);
1239 return(BTM_SUCCESS);
1241 return(BTM_UNKNOWN_ADDR);
1244 /*******************************************************************************
1246 ** Function BTM_SecGetDeviceLinkKeyType
1248 ** Description This function is called to obtain link key type for the
1250 ** it returns BTM_SUCCESS if link key is available, or
1251 ** BTM_UNKNOWN_ADDR if Security Manager does not know about
1252 ** the device or device record does not contain link key info
1254 ** Returns BTM_LKEY_TYPE_IGNORE if link key is unknown, link type
1257 *******************************************************************************/
1258 tBTM_LINK_KEY_TYPE BTM_SecGetDeviceLinkKeyType (BD_ADDR bd_addr)
1260 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr);
1262 if ((p_dev_rec != NULL) && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN))
1264 return p_dev_rec->link_key_type;
1266 return BTM_LKEY_TYPE_IGNORE;
1269 /*******************************************************************************
1271 ** Function BTM_SetEncryption
1273 ** Description This function is called to ensure that connection is
1274 ** encrypted. Should be called only on an open connection.
1275 ** Typically only needed for connections that first want to
1276 ** bring up unencrypted links, then later encrypt them.
1278 ** Parameters: bd_addr - Address of the peer device
1279 ** p_callback - Pointer to callback function called if
1280 ** this function returns PENDING after required
1281 ** procedures are completed. Can be set to NULL
1282 ** if status is not desired.
1283 ** p_ref_data - pointer to any data the caller wishes to receive
1284 ** in the callback function upon completion.
1285 * can be set to NULL if not used.
1286 ** transport - TRUE to encryption the link over LE transport
1287 ** or FALSE for BR/EDR transport
1289 ** Returns BTM_SUCCESS - already encrypted
1290 ** BTM_PENDING - command will be returned in the callback
1291 ** BTM_WRONG_MODE- connection not up.
1292 ** BTM_BUSY - security procedures are currently active
1293 ** BTM_MODE_UNSUPPORTED - if security manager not linked in.
1295 *******************************************************************************/
1296 tBTM_STATUS BTM_SetEncryption (BD_ADDR bd_addr, tBT_TRANSPORT transport, tBTM_SEC_CBACK *p_callback,
1301 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr);
1303 (transport == BT_TRANSPORT_BR_EDR && p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE)
1304 #if BLE_INCLUDED == TRUE
1305 || (transport == BT_TRANSPORT_LE && p_dev_rec->ble_hci_handle == BTM_SEC_INVALID_HANDLE)
1309 /* Connection should be up and runnning */
1310 BTM_TRACE_WARNING ("Security Manager: BTM_SetEncryption not connected");
1313 (*p_callback) (bd_addr, transport, p_ref_data, BTM_WRONG_MODE);
1315 return(BTM_WRONG_MODE);
1318 if ((transport == BT_TRANSPORT_BR_EDR &&
1319 (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))
1320 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
1321 || (transport == BT_TRANSPORT_LE &&
1322 (p_dev_rec->sec_flags & BTM_SEC_LE_ENCRYPTED))
1326 BTM_TRACE_EVENT ("Security Manager: BTM_SetEncryption already encrypted");
1329 (*p_callback) (bd_addr, transport, p_ref_data, BTM_SUCCESS);
1331 return(BTM_SUCCESS);
1334 /* enqueue security request if security is active */
1335 if (p_dev_rec->p_callback || (p_dev_rec->sec_state != BTM_SEC_STATE_IDLE))
1337 BTM_TRACE_WARNING ("Security Manager: BTM_SetEncryption busy, enqueue request");
1339 if (btm_sec_queue_encrypt_request(bd_addr, transport, p_callback, p_ref_data))
1341 return BTM_CMD_STARTED;
1346 (*p_callback) (bd_addr, transport, p_ref_data, BTM_NO_RESOURCES);
1347 return BTM_NO_RESOURCES;
1351 p_dev_rec->p_callback = p_callback;
1352 p_dev_rec->p_ref_data = p_ref_data;
1353 p_dev_rec->security_required |= (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT);
1354 p_dev_rec->is_originator = FALSE;
1356 BTM_TRACE_API ("Security Manager: BTM_SetEncryption Handle:%d State:%d Flags:0x%x Required:0x%x",
1357 p_dev_rec->hci_handle, p_dev_rec->sec_state, p_dev_rec->sec_flags,
1358 p_dev_rec->security_required);
1360 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
1361 if (transport == BT_TRANSPORT_LE)
1363 tACL_CONN *p = btm_bda_to_acl(bd_addr, transport);
1366 rc = btm_ble_set_encryption(bd_addr, p_ref_data, p->link_role);
1370 rc = BTM_WRONG_MODE;
1371 BTM_TRACE_WARNING("%s: cannot call btm_ble_set_encryption, p is NULL", __FUNCTION__);
1376 rc = btm_sec_execute_procedure (p_dev_rec);
1378 if (rc != BTM_CMD_STARTED && rc != BTM_BUSY)
1382 p_dev_rec->p_callback = NULL;
1383 (*p_callback) (bd_addr, transport, p_dev_rec->p_ref_data, rc);
1390 /*******************************************************************************
1391 * disconnect the ACL link, if it's not done yet.
1392 *******************************************************************************/
1393 static tBTM_STATUS btm_sec_send_hci_disconnect (tBTM_SEC_DEV_REC *p_dev_rec, UINT8 reason, UINT16 conn_handle)
1395 UINT8 old_state = p_dev_rec->sec_state;
1396 tBTM_STATUS status = BTM_CMD_STARTED;
1398 BTM_TRACE_EVENT ("btm_sec_send_hci_disconnect: handle:0x%x, reason=0x%x",
1399 conn_handle, reason);
1401 /* send HCI_Disconnect on a transport only once */
1404 case BTM_SEC_STATE_DISCONNECTING:
1405 if (conn_handle == p_dev_rec->hci_handle)
1408 p_dev_rec->sec_state = BTM_SEC_STATE_DISCONNECTING_BOTH;
1411 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
1412 case BTM_SEC_STATE_DISCONNECTING_BLE:
1413 if (conn_handle == p_dev_rec->ble_hci_handle)
1416 p_dev_rec->sec_state = BTM_SEC_STATE_DISCONNECTING_BOTH;
1419 case BTM_SEC_STATE_DISCONNECTING_BOTH:
1424 p_dev_rec->sec_state = (conn_handle == p_dev_rec->hci_handle) ?
1425 BTM_SEC_STATE_DISCONNECTING : BTM_SEC_STATE_DISCONNECTING_BLE;
1430 /* If a role switch is in progress, delay the HCI Disconnect to avoid controller problem */
1431 if (p_dev_rec->rs_disc_pending == BTM_SEC_RS_PENDING && p_dev_rec->hci_handle == conn_handle)
1433 BTM_TRACE_DEBUG("RS in progress - Set DISC Pending flag in btm_sec_send_hci_disconnect to delay disconnect");
1434 p_dev_rec->rs_disc_pending = BTM_SEC_DISC_PENDING;
1435 status = BTM_SUCCESS;
1437 /* Tear down the HCI link */
1438 else if (!btsnd_hcic_disconnect (conn_handle, reason))
1440 /* could not send disconnect. restore old state */
1441 p_dev_rec->sec_state = old_state;
1442 status = BTM_NO_RESOURCES;
1448 /*******************************************************************************
1450 ** Function BTM_ConfirmReqReply
1452 ** Description This function is called to confirm the numeric value for
1453 ** Simple Pairing in response to BTM_SP_CFM_REQ_EVT
1455 ** Parameters: res - result of the operation BTM_SUCCESS if success
1456 ** bd_addr - Address of the peer device
1458 *******************************************************************************/
1459 void BTM_ConfirmReqReply(tBTM_STATUS res, BD_ADDR bd_addr)
1461 tBTM_SEC_DEV_REC *p_dev_rec;
1463 BTM_TRACE_EVENT ("BTM_ConfirmReqReply() State: %s Res: %u",
1464 btm_pair_state_descr(btm_cb.pairing_state), res);
1466 /* If timeout already expired or has been canceled, ignore the reply */
1467 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM)
1468 || (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) )
1471 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1473 if ( (res == BTM_SUCCESS) || (res == BTM_SUCCESS_NO_SECURITY) )
1475 btm_cb.acl_disc_reason = HCI_SUCCESS;
1477 if (res == BTM_SUCCESS)
1479 if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
1480 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED;
1483 btsnd_hcic_user_conf_reply (bd_addr, TRUE);
1487 /* Report authentication failed event from state BTM_PAIR_STATE_WAIT_AUTH_COMPLETE */
1488 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1489 btsnd_hcic_user_conf_reply (bd_addr, FALSE);
1493 /*******************************************************************************
1495 ** Function BTM_PasskeyReqReply
1497 ** Description This function is called to provide the passkey for
1498 ** Simple Pairing in response to BTM_SP_KEY_REQ_EVT
1500 ** Parameters: res - result of the operation BTM_SUCCESS if success
1501 ** bd_addr - Address of the peer device
1502 ** passkey - numeric value in the range of
1503 ** BTM_MIN_PASSKEY_VAL(0) - BTM_MAX_PASSKEY_VAL(999999(0xF423F)).
1505 *******************************************************************************/
1506 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
1507 void BTM_PasskeyReqReply(tBTM_STATUS res, BD_ADDR bd_addr, UINT32 passkey)
1509 BTM_TRACE_API ("BTM_PasskeyReqReply: State: %s res:%d",
1510 btm_pair_state_descr(btm_cb.pairing_state), res);
1512 if ( (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
1513 || (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) )
1518 /* If timeout already expired or has been canceled, ignore the reply */
1519 if ( (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_AUTH_COMPLETE) && (res != BTM_SUCCESS) )
1521 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr);
1522 if (p_dev_rec != NULL)
1524 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1526 if (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)
1527 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE, p_dev_rec->hci_handle);
1529 BTM_SecBondCancel(bd_addr);
1531 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_AUTHED | BTM_SEC_LINK_KEY_KNOWN);
1533 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
1537 else if (btm_cb.pairing_state != BTM_PAIR_STATE_KEY_ENTRY)
1540 if (passkey > BTM_MAX_PASSKEY_VAL)
1541 res = BTM_ILLEGAL_VALUE;
1543 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1545 if (res != BTM_SUCCESS)
1547 /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed event */
1548 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1549 btsnd_hcic_user_passkey_neg_reply (bd_addr);
1551 btm_cb.acl_disc_reason = HCI_SUCCESS;
1552 btsnd_hcic_user_passkey_reply (bd_addr, passkey);
1557 /*******************************************************************************
1559 ** Function BTM_SendKeypressNotif
1561 ** Description This function is used during the passkey entry model
1562 ** by a device with KeyboardOnly IO capabilities
1563 ** (very likely to be a HID Device).
1564 ** It is called by a HID Device to inform the remote device when
1565 ** a key has been entered or erased.
1567 ** Parameters: bd_addr - Address of the peer device
1568 ** type - notification type
1570 *******************************************************************************/
1571 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
1572 void BTM_SendKeypressNotif(BD_ADDR bd_addr, tBTM_SP_KEY_TYPE type)
1574 /* This API only make sense between PASSKEY_REQ and SP complete */
1575 if (btm_cb.pairing_state == BTM_PAIR_STATE_KEY_ENTRY)
1576 btsnd_hcic_send_keypress_notif (bd_addr, type);
1580 #if BTM_OOB_INCLUDED == TRUE
1581 /*******************************************************************************
1583 ** Function BTM_IoCapRsp
1585 ** Description This function is called in response to BTM_SP_IO_REQ_EVT
1586 ** When the event data io_req.oob_data is set to BTM_OOB_UNKNOWN
1587 ** by the tBTM_SP_CALLBACK implementation, this function is
1588 ** called to provide the actual response
1590 ** Parameters: bd_addr - Address of the peer device
1591 ** io_cap - The IO capability of local device.
1592 ** oob - BTM_OOB_NONE or BTM_OOB_PRESENT.
1593 ** auth_req- MITM protection required or not.
1595 *******************************************************************************/
1596 void BTM_IoCapRsp(BD_ADDR bd_addr, tBTM_IO_CAP io_cap, tBTM_OOB_DATA oob, tBTM_AUTH_REQ auth_req)
1598 BTM_TRACE_EVENT ("BTM_IoCapRsp: state: %s oob: %d io_cap: %d",
1599 btm_pair_state_descr(btm_cb.pairing_state), oob, io_cap);
1601 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS)
1602 || (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) )
1605 if (oob < BTM_OOB_UNKNOWN && io_cap < BTM_IO_CAP_MAX)
1607 btm_cb.devcb.loc_auth_req = auth_req;
1608 btm_cb.devcb.loc_io_caps = io_cap;
1610 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
1611 auth_req = (BTM_AUTH_DD_BOND | (auth_req&BTM_AUTH_YN_BIT));
1613 btsnd_hcic_io_cap_req_reply (bd_addr, io_cap, oob, auth_req);
1617 /*******************************************************************************
1619 ** Function BTM_ReadLocalOobData
1621 ** Description This function is called to read the local OOB data from
1624 *******************************************************************************/
1625 tBTM_STATUS BTM_ReadLocalOobData(void)
1627 tBTM_STATUS status = BTM_SUCCESS;
1629 if (btsnd_hcic_read_local_oob_data() == FALSE)
1630 status = BTM_NO_RESOURCES;
1635 /*******************************************************************************
1637 ** Function BTM_RemoteOobDataReply
1639 ** Description This function is called to provide the remote OOB data for
1640 ** Simple Pairing in response to BTM_SP_RMT_OOB_EVT
1642 ** Parameters: bd_addr - Address of the peer device
1643 ** c - simple pairing Hash C.
1644 ** r - simple pairing Randomizer C.
1646 *******************************************************************************/
1647 void BTM_RemoteOobDataReply(tBTM_STATUS res, BD_ADDR bd_addr, BT_OCTET16 c, BT_OCTET16 r)
1649 BTM_TRACE_EVENT ("%s() - State: %s res: %d", __func__,
1650 btm_pair_state_descr(btm_cb.pairing_state), res);
1652 /* If timeout already expired or has been canceled, ignore the reply */
1653 if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP)
1656 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1658 if (res != BTM_SUCCESS)
1660 /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed event */
1661 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1662 btsnd_hcic_rem_oob_neg_reply (bd_addr);
1664 btm_cb.acl_disc_reason = HCI_SUCCESS;
1665 btsnd_hcic_rem_oob_reply (bd_addr, c, r);
1669 /*******************************************************************************
1671 ** Function BTM_BuildOobData
1673 ** Description This function is called to build the OOB data payload to
1674 ** be sent over OOB (non-Bluetooth) link
1676 ** Parameters: p_data - the location for OOB data
1677 ** max_len - p_data size.
1678 ** c - simple pairing Hash C.
1679 ** r - simple pairing Randomizer C.
1680 ** name_len- 0, local device name would not be included.
1681 ** otherwise, the local device name is included for
1682 ** up to this specified length
1684 ** Returns Number of bytes in p_data.
1686 *******************************************************************************/
1687 UINT16 BTM_BuildOobData(UINT8 *p_data, UINT16 max_len, BT_OCTET16 c,
1688 BT_OCTET16 r, UINT8 name_len)
1692 #if BTM_MAX_LOC_BD_NAME_LEN > 0
1694 UINT8 name_type = BTM_EIR_SHORTENED_LOCAL_NAME_TYPE;
1697 if (p_data && max_len >= BTM_OOB_MANDATORY_SIZE)
1699 /* add mandatory part */
1700 UINT16_TO_STREAM(p, len);
1701 BDADDR_TO_STREAM(p, controller_get_interface()->get_address()->address);
1703 len = BTM_OOB_MANDATORY_SIZE;
1706 /* now optional part */
1709 UINT16 delta = BTM_OOB_HASH_C_SIZE + 2;
1710 if (max_len >= delta)
1712 *p++ = BTM_OOB_HASH_C_SIZE + 1;
1713 *p++ = BTM_EIR_OOB_SSP_HASH_C_TYPE;
1714 ARRAY_TO_STREAM(p, c, BTM_OOB_HASH_C_SIZE);
1720 delta = BTM_OOB_RAND_R_SIZE + 2;
1721 if (max_len >= delta)
1723 *p++ = BTM_OOB_RAND_R_SIZE + 1;
1724 *p++ = BTM_EIR_OOB_SSP_RAND_R_TYPE;
1725 ARRAY_TO_STREAM(p, r, BTM_OOB_RAND_R_SIZE);
1730 /* add class of device */
1731 delta = BTM_OOB_COD_SIZE + 2;
1732 if (max_len >= delta)
1734 *p++ = BTM_OOB_COD_SIZE + 1;
1735 *p++ = BTM_EIR_OOB_COD_TYPE;
1736 DEVCLASS_TO_STREAM(p, btm_cb.devcb.dev_class);
1740 #if BTM_MAX_LOC_BD_NAME_LEN > 0
1741 name_size = name_len;
1742 if (name_size > strlen(btm_cb.cfg.bd_name))
1744 name_type = BTM_EIR_COMPLETE_LOCAL_NAME_TYPE;
1745 name_size = (UINT16)strlen(btm_cb.cfg.bd_name);
1747 delta = name_size + 2;
1748 if (max_len >= delta)
1750 *p++ = name_size + 1;
1752 ARRAY_TO_STREAM (p, btm_cb.cfg.bd_name, name_size);
1759 UINT16_TO_STREAM(p, len);
1764 /*******************************************************************************
1766 ** Function BTM_IsLeScSuppLocally
1768 ** Description This function is called to check if LE SC is supported.
1770 ** Parameters: None.
1772 ** Returns Boolean - TRUE if LE SC is supported.
1773 *******************************************************************************/
1774 BOOLEAN BTM_IsLeScSuppLocally (void)
1776 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
1783 /*******************************************************************************
1785 ** Function BTM_ReadOobData
1787 ** Description This function is called to parse the OOB data payload
1788 ** received over OOB (non-Bluetooth) link
1790 ** Parameters: p_data - the location for OOB data
1791 ** eir_tag - The associated EIR tag to read the data.
1792 ** *p_len(output) - the length of the data with the given tag.
1794 ** Returns the beginning of the data with the given tag.
1795 ** NULL, if the tag is not found.
1797 *******************************************************************************/
1798 UINT8 * BTM_ReadOobData(UINT8 *p_data, UINT8 eir_tag, UINT8 *p_len)
1803 UINT8 *p_ret = NULL;
1808 STREAM_TO_UINT16(max_len, p);
1809 if (max_len >= BTM_OOB_MANDATORY_SIZE)
1811 if (BTM_EIR_OOB_BD_ADDR_TYPE == eir_tag)
1813 p_ret = p; /* the location for bd_addr */
1814 ret_len = BTM_OOB_BD_ADDR_SIZE;
1819 max_len -= BTM_OOB_MANDATORY_SIZE;
1820 /* now the optional data in EIR format */
1823 len = *p++; /* tag data len + 1 */
1825 if (eir_tag == type)
1831 /* the data size of this tag is len + 1 (tag data len + 2) */
1853 /*******************************************************************************
1855 ** Function BTM_SetOutService
1857 ** Description This function is called to set the service for
1858 ** outgoing connections.
1860 ** If the profile/application calls BTM_SetSecurityLevel
1861 ** before initiating a connection, this function does not
1862 ** need to be called.
1866 *******************************************************************************/
1867 void BTM_SetOutService(BD_ADDR bd_addr, UINT8 service_id, UINT32 mx_chan_id)
1869 tBTM_SEC_DEV_REC *p_dev_rec;
1870 tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0];
1872 btm_cb.p_out_serv = p_serv_rec;
1873 p_dev_rec = btm_find_dev (bd_addr);
1875 for (int i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++)
1877 if ((p_serv_rec->security_flags & BTM_SEC_IN_USE)
1878 && (p_serv_rec->service_id == service_id)
1879 && (p_serv_rec->orig_mx_chan_id == mx_chan_id))
1881 BTM_TRACE_API("BTM_SetOutService p_out_serv id %d, psm 0x%04x, proto_id %d, chan_id %d",
1882 p_serv_rec->service_id, p_serv_rec->psm, p_serv_rec->mx_proto_id, p_serv_rec->orig_mx_chan_id);
1883 btm_cb.p_out_serv = p_serv_rec;
1885 p_dev_rec->p_cur_service = p_serv_rec;
1891 /************************************************************************
1892 ** I N T E R N A L F U N C T I O N S
1893 *************************************************************************/
1894 /*******************************************************************************
1896 ** Function btm_sec_is_upgrade_possible
1898 ** Description This function returns TRUE if the existing link key
1899 ** can be upgraded or if the link key does not exist.
1903 *******************************************************************************/
1904 static BOOLEAN btm_sec_is_upgrade_possible(tBTM_SEC_DEV_REC *p_dev_rec, BOOLEAN is_originator)
1906 UINT16 mtm_check = is_originator ? BTM_SEC_OUT_MITM : BTM_SEC_IN_MITM;
1907 BOOLEAN is_possible = TRUE;
1909 if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)
1911 is_possible = FALSE;
1912 if(p_dev_rec->p_cur_service)
1914 BTM_TRACE_DEBUG ("%s() id: %d, link_key_typet: %d, rmt_io_caps: %d, chk flags: 0x%x, flags: 0x%x",
1915 __func__, p_dev_rec->p_cur_service->service_id, p_dev_rec->link_key_type,
1916 p_dev_rec->rmt_io_caps, mtm_check, p_dev_rec->p_cur_service->security_flags);
1920 BTM_TRACE_DEBUG ("%s() link_key_typet: %d, rmt_io_caps: %d, chk flags: 0x%x",
1921 __func__, p_dev_rec->link_key_type, p_dev_rec->rmt_io_caps, mtm_check);
1923 /* Already have a link key to the connected peer. Is the link key secure enough?
1924 ** Is a link key upgrade even possible?
1926 if ((p_dev_rec->security_required & mtm_check) /* needs MITM */
1927 && (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB) /* has unauthenticated link key */
1928 && (p_dev_rec->rmt_io_caps < BTM_IO_CAP_MAX) /* a valid peer IO cap */
1929 && (btm_sec_io_map[p_dev_rec->rmt_io_caps][btm_cb.devcb.loc_io_caps])) /* authenticated link key is possible */
1931 /* upgrade is possible: check if the application wants the upgrade.
1932 * If the application is configured to use a global MITM flag,
1933 * it probably would not want to upgrade the link key based on the security level database */
1937 BTM_TRACE_DEBUG ("%s() is_possible: %d sec_flags: 0x%x", __func__, is_possible, p_dev_rec->sec_flags);
1941 /*******************************************************************************
1943 ** Function btm_sec_check_upgrade
1945 ** Description This function is called to check if the existing link key
1946 ** needs to be upgraded.
1950 *******************************************************************************/
1951 static void btm_sec_check_upgrade(tBTM_SEC_DEV_REC *p_dev_rec, BOOLEAN is_originator)
1954 BTM_TRACE_DEBUG ("%s()", __func__);
1956 /* Only check if link key already exists */
1957 if (!(p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN))
1960 if (btm_sec_is_upgrade_possible (p_dev_rec, is_originator) == TRUE)
1962 BTM_TRACE_DEBUG ("need upgrade!! sec_flags:0x%x", p_dev_rec->sec_flags);
1963 /* upgrade is possible: check if the application wants the upgrade.
1964 * If the application is configured to use a global MITM flag,
1965 * it probably would not want to upgrade the link key based on the security level database */
1966 tBTM_SP_UPGRADE evt_data;
1967 memcpy (evt_data.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
1968 evt_data.upgrade = TRUE;
1969 if (btm_cb.api.p_sp_callback)
1970 (*btm_cb.api.p_sp_callback) (BTM_SP_UPGRADE_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
1972 BTM_TRACE_DEBUG ("evt_data.upgrade:0x%x", evt_data.upgrade);
1973 if (evt_data.upgrade)
1975 /* if the application confirms the upgrade, set the upgrade bit */
1976 p_dev_rec->sm4 |= BTM_SM4_UPGRADE;
1978 /* Clear the link key known to go through authentication/pairing again */
1979 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED);
1980 p_dev_rec->sec_flags &= ~BTM_SEC_AUTHENTICATED;
1981 BTM_TRACE_DEBUG ("sec_flags:0x%x", p_dev_rec->sec_flags);
1986 /*******************************************************************************
1988 ** Function btm_sec_l2cap_access_req
1990 ** Description This function is called by the L2CAP to grant permission to
1991 ** establish L2CAP connection to or from the peer device.
1993 ** Parameters: bd_addr - Address of the peer device
1995 ** is_originator - TRUE if protocol above L2CAP originates
1997 ** p_callback - Pointer to callback function called if
1998 ** this function returns PENDING after required
1999 ** procedures are complete. MUST NOT BE NULL.
2001 ** Returns tBTM_STATUS
2003 *******************************************************************************/
2004 #define BTM_SEC_OUT_FLAGS (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT | BTM_SEC_OUT_AUTHORIZE)
2005 #define BTM_SEC_IN_FLAGS (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHORIZE)
2007 tBTM_STATUS btm_sec_l2cap_access_req (BD_ADDR bd_addr, UINT16 psm, UINT16 handle,
2008 CONNECTION_TYPE conn_type,
2009 tBTM_SEC_CALLBACK *p_callback,
2012 tBTM_SEC_DEV_REC *p_dev_rec;
2013 tBTM_SEC_SERV_REC *p_serv_rec;
2014 UINT16 security_required;
2015 UINT16 old_security_required;
2016 BOOLEAN old_is_originator;
2017 tBTM_STATUS rc = BTM_SUCCESS;
2018 BOOLEAN chk_acp_auth_done = FALSE;
2019 BOOLEAN is_originator;
2020 BOOLEAN transport = FALSE; /* should check PSM range in LE connection oriented L2CAP connection */
2022 #if (L2CAP_UCD_INCLUDED == TRUE)
2023 if (conn_type & CONNECTION_TYPE_ORIG_MASK)
2024 is_originator = TRUE;
2026 is_originator = FALSE;
2028 BTM_TRACE_DEBUG ("%s() conn_type: 0x%x, 0x%x", __func__, conn_type, p_ref_data);
2030 is_originator = conn_type;
2032 BTM_TRACE_DEBUG ("%s() is_originator:%d, 0x%x", __func__, is_originator, p_ref_data);
2035 /* Find or get oldest record */
2036 p_dev_rec = btm_find_or_alloc_dev (bd_addr);
2038 p_dev_rec->hci_handle = handle;
2040 /* Find the service record for the PSM */
2041 p_serv_rec = btm_sec_find_first_serv (conn_type, psm);
2043 /* If there is no application registered with this PSM do not allow connection */
2046 BTM_TRACE_WARNING ("%s() PSM: %d no application registerd", __func__, psm);
2047 (*p_callback) (bd_addr, transport, p_ref_data, BTM_MODE_UNSUPPORTED);
2048 return(BTM_MODE_UNSUPPORTED);
2051 /* SDP connection we will always let through */
2052 if (BT_PSM_SDP == psm)
2054 (*p_callback) (bd_addr,transport, p_ref_data, BTM_SUCCESS_NO_SECURITY);
2055 return(BTM_SUCCESS);
2057 #if (L2CAP_UCD_INCLUDED == TRUE)
2058 if ( conn_type & CONNECTION_TYPE_CONNLESS_MASK )
2060 security_required = p_serv_rec->ucd_security_flags;
2062 rc = BTM_CMD_STARTED;
2065 if (((security_required & BTM_SEC_OUT_FLAGS) == 0) ||
2066 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_AUTHENTICATE) && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))) ||
2067 ((((security_required & BTM_SEC_OUT_FLAGS) == (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) && (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))) ||
2068 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_FLAGS) && (p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED))) )
2075 if (((security_required & BTM_SEC_IN_FLAGS) == 0) ||
2076 ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHENTICATE) && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))) ||
2077 ((((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) && (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))) ||
2078 ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_FLAGS) && (p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED))) )
2084 if (rc == BTM_SUCCESS)
2087 (*p_callback) (bd_addr, transport, (void *)p_ref_data, BTM_SUCCESS);
2089 return(BTM_SUCCESS);
2095 security_required = p_serv_rec->security_flags;
2098 /* there are some devices (moto KRZR) which connects to several services at the same time */
2099 /* we will process one after another */
2100 if ( (p_dev_rec->p_callback) || (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) )
2102 BTM_TRACE_EVENT ("%s() - busy - PSM:%d delayed state: %s mode:%d, sm4:0x%x", __func__,
2103 psm, btm_pair_state_descr(btm_cb.pairing_state), btm_cb.security_mode, p_dev_rec->sm4);
2104 BTM_TRACE_EVENT ("security_flags:x%x, sec_flags:x%x", security_required, p_dev_rec->sec_flags);
2105 rc = BTM_CMD_STARTED;
2106 if ((BTM_SEC_MODE_SP != btm_cb.security_mode)
2107 || ((BTM_SEC_MODE_SP == btm_cb.security_mode) && (BTM_SM4_KNOWN == p_dev_rec->sm4))
2108 || (BTM_SEC_IS_SM4(p_dev_rec->sm4) && (btm_sec_is_upgrade_possible(p_dev_rec, is_originator) == FALSE))
2111 /* legacy mode - local is legacy or local is lisbon/peer is legacy
2112 * or SM4 with no possibility of link key upgrade */
2115 if (((security_required & BTM_SEC_OUT_FLAGS) == 0) ||
2116 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_AUTHENTICATE) && btm_dev_authenticated(p_dev_rec))) ||
2117 ((((security_required & BTM_SEC_OUT_FLAGS) == (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) && btm_dev_encrypted(p_dev_rec))) ||
2118 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_FLAGS) && btm_dev_authorized(p_dev_rec) && btm_dev_encrypted(p_dev_rec))) )
2125 if (((security_required & BTM_SEC_IN_FLAGS) == 0) ||
2126 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHENTICATE) && btm_dev_authenticated(p_dev_rec)) ||
2127 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) && btm_dev_encrypted(p_dev_rec)) ||
2128 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHORIZE) && (btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec))) ||
2129 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_AUTHORIZE)) && ((btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec)) && btm_dev_authenticated(p_dev_rec))) ||
2130 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHORIZE)) && ((btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec)) && btm_dev_encrypted(p_dev_rec))) ||
2131 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_FLAGS) && btm_dev_encrypted(p_dev_rec) && (btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec))))
2137 if (rc == BTM_SUCCESS)
2140 (*p_callback) (bd_addr, transport, (void *)p_ref_data, BTM_SUCCESS);
2141 return(BTM_SUCCESS);
2145 btm_cb.sec_req_pending = TRUE;
2146 return(BTM_CMD_STARTED);
2149 /* Save pointer to service record */
2150 p_dev_rec->p_cur_service = p_serv_rec;
2152 /* mess /w security_required in btm_sec_l2cap_access_req for Lisbon */
2153 if (btm_cb.security_mode == BTM_SEC_MODE_SP)
2157 if (BTM_SEC_IS_SM4(p_dev_rec->sm4))
2159 /* SM4 to SM4 -> always authenticate & encrypt */
2160 security_required |= (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT);
2164 if ( !(BTM_SM4_KNOWN & p_dev_rec->sm4))
2166 BTM_TRACE_DEBUG ("remote features unknown!!sec_flags:0x%x", p_dev_rec->sec_flags);
2167 /* the remote features are not known yet */
2168 p_dev_rec->sm4 |= BTM_SM4_REQ_PEND;
2170 return(BTM_CMD_STARTED);
2177 if (BTM_SEC_IS_SM4(p_dev_rec->sm4))
2179 /* SM4 to SM4: the acceptor needs to make sure the authentication is already done */
2180 chk_acp_auth_done = TRUE;
2181 /* SM4 to SM4 -> always authenticate & encrypt */
2182 security_required |= (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT);
2186 if ( !(BTM_SM4_KNOWN & p_dev_rec->sm4))
2188 BTM_TRACE_DEBUG ("(rsp) remote features unknown!!sec_flags:0x%x", p_dev_rec->sec_flags);
2189 /* the remote features are not known yet */
2190 p_dev_rec->sm4 |= BTM_SM4_REQ_PEND;
2192 return(BTM_CMD_STARTED);
2198 BTM_TRACE_DEBUG ("%s() sm4:0x%x, sec_flags:0x%x, security_required:0x%x chk:%d", __func__,
2199 p_dev_rec->sm4, p_dev_rec->sec_flags, security_required, chk_acp_auth_done);
2201 old_security_required = p_dev_rec->security_required;
2202 old_is_originator = p_dev_rec->is_originator;
2203 p_dev_rec->security_required = security_required;
2204 p_dev_rec->p_ref_data = p_ref_data;
2205 p_dev_rec->is_originator = is_originator;
2207 #if (L2CAP_UCD_INCLUDED == TRUE)
2208 if ( conn_type & CONNECTION_TYPE_CONNLESS_MASK )
2209 p_dev_rec->is_ucd = TRUE;
2211 p_dev_rec->is_ucd = FALSE;
2214 /* If there are multiple service records used through the same PSM */
2215 /* leave security decision for the multiplexor on the top */
2216 #if (L2CAP_UCD_INCLUDED == TRUE)
2217 if (((btm_sec_find_next_serv (p_serv_rec)) != NULL)
2218 &&(!( conn_type & CONNECTION_TYPE_CONNLESS_MASK ))) /* if not UCD */
2220 if ((btm_sec_find_next_serv (p_serv_rec)) != NULL)
2223 BTM_TRACE_DEBUG ("no next_serv sm4:0x%x, chk:%d", p_dev_rec->sm4, chk_acp_auth_done);
2224 if (!BTM_SEC_IS_SM4(p_dev_rec->sm4))
2226 BTM_TRACE_EVENT ("Security Manager: l2cap_access_req PSM:%d postponed for multiplexer", psm);
2227 /* pre-Lisbon: restore the old settings */
2228 p_dev_rec->security_required = old_security_required;
2229 p_dev_rec->is_originator = old_is_originator;
2231 (*p_callback) (bd_addr, transport, p_ref_data, BTM_SUCCESS);
2233 return(BTM_SUCCESS);
2237 /* if the originator is using dynamic PSM in legacy mode, do not start any security process now.
2238 * The layer above L2CAP needs to carry out the security requirement after L2CAP connect response is received*/
2239 if (is_originator && (btm_cb.security_mode != BTM_SEC_MODE_SP || !BTM_SEC_IS_SM4(p_dev_rec->sm4)) && (psm >= 0x1001))
2241 BTM_TRACE_EVENT ("dynamic PSM:0x%x in legacy mode - postponed for upper layer", psm);
2242 /* restore the old settings */
2243 p_dev_rec->security_required = old_security_required;
2244 p_dev_rec->is_originator = old_is_originator;
2246 (*p_callback) (bd_addr, transport, p_ref_data, BTM_SUCCESS);
2248 return(BTM_SUCCESS);
2251 if (chk_acp_auth_done)
2253 BTM_TRACE_DEBUG ("(SM4 to SM4) btm_sec_l2cap_access_req rspd. authenticated: x%x, enc: x%x",
2254 (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED), (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED));
2255 /* SM4, but we do not know for sure which level of security we need.
2256 * as long as we have a link key, it's OK */
2257 if ((0 == (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))
2258 ||(0 == (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)))
2260 rc = BTM_DELAY_CHECK;
2262 2046 may report HCI_Encryption_Change and L2C Connection Request out of sequence
2263 because of data path issues. Delay this disconnect a little bit
2265 LOG_INFO("%s peer should have initiated security process by now (SM4 to SM4)", __func__);
2266 p_dev_rec->p_callback = p_callback;
2267 p_dev_rec->sec_state = BTM_SEC_STATE_DELAY_FOR_ENC;
2268 (*p_callback) (bd_addr, transport, p_ref_data, rc);
2274 p_dev_rec->p_callback = p_callback;
2276 if (p_dev_rec->last_author_service_id == BTM_SEC_NO_LAST_SERVICE_ID
2277 || p_dev_rec->last_author_service_id != p_dev_rec->p_cur_service->service_id)
2279 /* Although authentication and encryption are per connection
2280 ** authorization is per access request. For example when serial connection
2281 ** is up and authorized and client requests to read file (access to other
2282 ** scn), we need to request user's permission again.
2284 p_dev_rec->sec_flags &= ~BTM_SEC_AUTHORIZED;
2287 if (BTM_SEC_IS_SM4(p_dev_rec->sm4))
2289 /* If we already have a link key to the connected peer, is the link key secure enough ? */
2290 btm_sec_check_upgrade(p_dev_rec, is_originator);
2293 BTM_TRACE_EVENT ("%s() PSM:%d Handle:%d State:%d Flags: 0x%x Required: 0x%x Service ID:%d",
2294 __func__, psm, handle, p_dev_rec->sec_state, p_dev_rec->sec_flags,
2295 p_dev_rec->security_required, p_dev_rec->p_cur_service->service_id);
2297 if ((rc = btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED)
2299 p_dev_rec->p_callback = NULL;
2300 (*p_callback) (bd_addr, transport, p_dev_rec->p_ref_data, (UINT8)rc);
2306 /*******************************************************************************
2308 ** Function btm_sec_mx_access_request
2310 ** Description This function is called by all Multiplexing Protocols during
2311 ** establishing connection to or from peer device to grant
2312 ** permission to establish application connection.
2314 ** Parameters: bd_addr - Address of the peer device
2316 ** is_originator - TRUE if protocol above L2CAP originates
2318 ** mx_proto_id - protocol ID of the multiplexer
2319 ** mx_chan_id - multiplexer channel to reach application
2320 ** p_callback - Pointer to callback function called if
2321 ** this function returns PENDING after required
2322 ** procedures are completed
2323 ** p_ref_data - Pointer to any reference data needed by the
2324 ** the callback function.
2326 ** Returns BTM_CMD_STARTED
2328 *******************************************************************************/
2329 tBTM_STATUS btm_sec_mx_access_request (BD_ADDR bd_addr, UINT16 psm, BOOLEAN is_originator,
2330 UINT32 mx_proto_id, UINT32 mx_chan_id,
2331 tBTM_SEC_CALLBACK *p_callback, void *p_ref_data)
2333 tBTM_SEC_DEV_REC *p_dev_rec;
2334 tBTM_SEC_SERV_REC *p_serv_rec;
2336 UINT16 security_required;
2337 BOOLEAN transport = FALSE;/* should check PSM range in LE connection oriented L2CAP connection */
2339 BTM_TRACE_DEBUG ("%s() is_originator: %d", __func__, is_originator);
2340 /* Find or get oldest record */
2341 p_dev_rec = btm_find_or_alloc_dev (bd_addr);
2343 /* Find the service record for the PSM */
2344 p_serv_rec = btm_sec_find_mx_serv (is_originator, psm, mx_proto_id, mx_chan_id);
2346 /* If there is no application registered with this PSM do not allow connection */
2350 (*p_callback) (bd_addr, transport, p_ref_data, BTM_MODE_UNSUPPORTED);
2352 BTM_TRACE_ERROR ("Security Manager: MX service not found PSM:%d Proto:%d SCN:%d",
2353 psm, mx_proto_id, mx_chan_id);
2354 return BTM_NO_RESOURCES;
2357 /* there are some devices (moto phone) which connects to several services at the same time */
2358 /* we will process one after another */
2359 if ( (p_dev_rec->p_callback) || (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) )
2361 BTM_TRACE_EVENT ("%s() service PSM:%d Proto:%d SCN:%d delayed state: %s", __func__,
2362 psm, mx_proto_id, mx_chan_id, btm_pair_state_descr(btm_cb.pairing_state));
2364 rc = BTM_CMD_STARTED;
2365 security_required = p_serv_rec->security_flags;
2366 if ((BTM_SEC_MODE_SP != btm_cb.security_mode)
2367 || ((BTM_SEC_MODE_SP == btm_cb.security_mode) && (BTM_SM4_KNOWN == p_dev_rec->sm4))
2368 || (BTM_SEC_IS_SM4(p_dev_rec->sm4) && (btm_sec_is_upgrade_possible(p_dev_rec, is_originator) == FALSE))
2371 /* legacy mode - local is legacy or local is lisbon/peer is legacy
2372 * or SM4 with no possibility of link key upgrade */
2375 if (((security_required & BTM_SEC_OUT_FLAGS) == 0) ||
2376 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_AUTHENTICATE) && btm_dev_authenticated(p_dev_rec))) ||
2377 ((((security_required & BTM_SEC_OUT_FLAGS) == (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) && btm_dev_encrypted(p_dev_rec)))
2385 if (((security_required & BTM_SEC_IN_FLAGS) == 0) ||
2386 ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHENTICATE) && btm_dev_authenticated(p_dev_rec))) ||
2387 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHORIZE) && (btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec))) ||
2388 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_AUTHENTICATE)) && ((btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec)) && btm_dev_authenticated(p_dev_rec))) ||
2389 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT)) && ((btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec))&& btm_dev_encrypted(p_dev_rec))) ||
2390 ((((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) && btm_dev_encrypted(p_dev_rec)))
2397 if (rc == BTM_CMD_STARTED)
2399 btm_sec_queue_mx_request (bd_addr, psm, is_originator, mx_proto_id, mx_chan_id, p_callback, p_ref_data);
2404 p_dev_rec->p_cur_service = p_serv_rec;
2405 p_dev_rec->security_required = p_serv_rec->security_flags;
2407 if (BTM_SEC_MODE_SP == btm_cb.security_mode)
2409 if (BTM_SEC_IS_SM4(p_dev_rec->sm4))
2411 /* If we already have a link key, check if that link key is good enough */
2412 btm_sec_check_upgrade(p_dev_rec, is_originator);
2416 p_dev_rec->is_originator = is_originator;
2417 p_dev_rec->p_callback = p_callback;
2418 p_dev_rec->p_ref_data = p_ref_data;
2420 /* Although authentication and encryption are per connection */
2421 /* authorization is per access request. For example when serial connection */
2422 /* is up and authorized and client requests to read file (access to other */
2423 /* scn, we need to request user's permission again. */
2424 p_dev_rec->sec_flags &= ~(BTM_SEC_AUTHORIZED);
2426 BTM_TRACE_EVENT ("%s() proto_id:%d chan_id:%d State:%d Flags:0x%x Required:0x%x Service ID:%d",
2427 __func__, mx_proto_id, mx_chan_id, p_dev_rec->sec_state, p_dev_rec->sec_flags,
2428 p_dev_rec->security_required, p_dev_rec->p_cur_service->service_id);
2430 if ((rc = btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED)
2434 p_dev_rec->p_callback = NULL;
2435 (*p_callback) (bd_addr,transport, p_ref_data, (UINT8)rc);
2442 /*******************************************************************************
2444 ** Function btm_sec_conn_req
2446 ** Description This function is when the peer device is requesting
2451 *******************************************************************************/
2452 void btm_sec_conn_req (UINT8 *bda, UINT8 *dc)
2454 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bda);
2456 /* Some device may request a connection before we are done with the HCI_Reset sequence */
2457 if (!controller_get_interface()->get_is_ready())
2459 BTM_TRACE_EVENT ("Security Manager: connect request when device not ready");
2460 btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2464 /* Security guys wants us not to allow connection from not paired devices */
2466 /* Check if connection is allowed for only paired devices */
2467 if (btm_cb.connect_only_paired)
2469 if (!p_dev_rec || !(p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED))
2471 BTM_TRACE_EVENT ("Security Manager: connect request from non-paired device");
2472 btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2477 #if BTM_ALLOW_CONN_IF_NONDISCOVER == FALSE
2478 /* If non-discoverable, only allow known devices to connect */
2479 if (btm_cb.btm_inq_vars.discoverable_mode == BTM_NON_DISCOVERABLE)
2483 BTM_TRACE_EVENT ("Security Manager: connect request from not paired device");
2484 btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2490 if ((btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
2491 &&(btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
2492 &&(!memcmp (btm_cb.pairing_bda, bda, BD_ADDR_LEN)))
2494 BTM_TRACE_EVENT ("Security Manager: reject connect request from bonding device");
2496 /* incoming connection from bonding device is rejected */
2497 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_REJECTED_CONNECT;
2498 btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2502 /* Host is not interested or approved connection. Save BDA and DC and */
2503 /* pass request to L2CAP */
2504 memcpy (btm_cb.connecting_bda, bda, BD_ADDR_LEN);
2505 memcpy (btm_cb.connecting_dc, dc, DEV_CLASS_LEN);
2507 if (l2c_link_hci_conn_req (bda))
2511 /* accept the connection -> allocate a device record */
2512 p_dev_rec = btm_sec_alloc_dev (bda);
2516 p_dev_rec->sm4 |= BTM_SM4_CONN_PEND;
2521 /*******************************************************************************
2523 ** Function btm_sec_bond_cancel_complete
2525 ** Description This function is called to report bond cancel complete
2530 *******************************************************************************/
2531 static void btm_sec_bond_cancel_complete (void)
2533 tBTM_SEC_DEV_REC *p_dev_rec;
2535 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE) ||
2536 (BTM_PAIR_STATE_WAIT_LOCAL_PIN == btm_cb.pairing_state &&
2537 BTM_PAIR_FLAGS_WE_STARTED_DD & btm_cb.pairing_flags) ||
2538 (btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME &&
2539 BTM_PAIR_FLAGS_WE_CANCEL_DD & btm_cb.pairing_flags))
2541 /* for dedicated bonding in legacy mode, authentication happens at "link level"
2542 * btm_sec_connected is called with failed status.
2543 * In theory, the code that handles is_pairing_device/TRUE should clean out security related code.
2544 * However, this function may clean out the security related flags and btm_sec_connected would not know
2545 * this function also needs to do proper clean up.
2547 if ((p_dev_rec = btm_find_dev (btm_cb.pairing_bda)) != NULL)
2548 p_dev_rec->security_required = BTM_SEC_NONE;
2549 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
2551 /* Notify application that the cancel succeeded */
2552 if (btm_cb.api.p_bond_cancel_cmpl_callback)
2553 btm_cb.api.p_bond_cancel_cmpl_callback(BTM_SUCCESS);
2557 /*******************************************************************************
2559 ** Function btm_create_conn_cancel_complete
2561 ** Description This function is called when the command complete message
2562 ** is received from the HCI for the create connection cancel
2567 *******************************************************************************/
2568 void btm_create_conn_cancel_complete (UINT8 *p)
2572 STREAM_TO_UINT8 (status, p);
2573 BTM_TRACE_EVENT ("btm_create_conn_cancel_complete(): in State: %s status:%d",
2574 btm_pair_state_descr(btm_cb.pairing_state), status);
2576 /* if the create conn cancel cmd was issued by the bond cancel,
2577 ** the application needs to be notified that bond cancel succeeded
2582 btm_sec_bond_cancel_complete();
2584 case HCI_ERR_CONNECTION_EXISTS:
2585 case HCI_ERR_NO_CONNECTION:
2587 /* Notify application of the error */
2588 if (btm_cb.api.p_bond_cancel_cmpl_callback)
2589 btm_cb.api.p_bond_cancel_cmpl_callback(BTM_ERR_PROCESSING);
2594 /*******************************************************************************
2596 ** Function btm_sec_check_pending_reqs
2598 ** Description This function is called at the end of the security procedure
2599 ** to let L2CAP and RFCOMM know to re-submit any pending requests
2603 *******************************************************************************/
2604 void btm_sec_check_pending_reqs (void)
2606 tBTM_SEC_QUEUE_ENTRY *p_e;
2609 if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
2611 /* First, resubmit L2CAP requests */
2612 if (btm_cb.sec_req_pending)
2614 btm_cb.sec_req_pending = FALSE;
2615 l2cu_resubmit_pending_sec_req (NULL);
2618 /* Now, re-submit anything in the mux queue */
2619 bq = btm_cb.sec_pending_q;
2621 GKI_init_q (&btm_cb.sec_pending_q);
2623 while ((p_e = (tBTM_SEC_QUEUE_ENTRY *)GKI_dequeue (&bq)) != NULL)
2625 /* Check that the ACL is still up before starting security procedures */
2626 if (btm_bda_to_acl(p_e->bd_addr, p_e->transport) != NULL)
2630 BTM_TRACE_EVENT("%s PSM:0x%04x Is_Orig:%u mx_proto_id:%u mx_chan_id:%u",
2631 __FUNCTION__, p_e->psm, p_e->is_orig,
2632 p_e->mx_proto_id, p_e->mx_chan_id);
2634 btm_sec_mx_access_request (p_e->bd_addr, p_e->psm, p_e->is_orig,
2635 p_e->mx_proto_id, p_e->mx_chan_id,
2636 p_e->p_callback, p_e->p_ref_data);
2640 BTM_SetEncryption(p_e->bd_addr, p_e->transport, p_e->p_callback,
2650 /*******************************************************************************
2652 ** Function btm_sec_init
2654 ** Description This function is on the SEC startup
2658 *******************************************************************************/
2659 void btm_sec_init (UINT8 sec_mode)
2661 btm_cb.security_mode = sec_mode;
2662 memset (btm_cb.pairing_bda, 0xff, BD_ADDR_LEN);
2663 btm_cb.max_collision_delay = BTM_SEC_MAX_COLLISION_DELAY;
2666 /*******************************************************************************
2668 ** Function btm_sec_device_down
2670 ** Description This function should be called when device is disabled or
2675 *******************************************************************************/
2676 void btm_sec_device_down (void)
2678 BTM_TRACE_EVENT ("%s() State: %s", __func__, btm_pair_state_descr(btm_cb.pairing_state));
2679 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
2682 /*******************************************************************************
2684 ** Function btm_sec_dev_reset
2686 ** Description This function should be called after device reset
2690 *******************************************************************************/
2691 void btm_sec_dev_reset (void)
2693 if (controller_get_interface()->supports_simple_pairing())
2695 /* set the default IO capabilities */
2696 btm_cb.devcb.loc_io_caps = BTM_LOCAL_IO_CAPS;
2697 /* add mx service to use no security */
2698 BTM_SetSecurityLevel(FALSE, "RFC_MUX", BTM_SEC_SERVICE_RFC_MUX,
2699 BTM_SEC_NONE, BT_PSM_RFCOMM, BTM_SEC_PROTO_RFCOMM, 0);
2703 btm_cb.security_mode = BTM_SEC_MODE_SERVICE;
2706 BTM_TRACE_DEBUG ("btm_sec_dev_reset sec mode: %d", btm_cb.security_mode);
2709 /*******************************************************************************
2711 ** Function btm_sec_abort_access_req
2713 ** Description This function is called by the L2CAP or RFCOMM to abort
2714 ** the pending operation.
2716 ** Parameters: bd_addr - Address of the peer device
2720 *******************************************************************************/
2721 void btm_sec_abort_access_req (BD_ADDR bd_addr)
2723 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr);
2728 if ((p_dev_rec->sec_state != BTM_SEC_STATE_AUTHORIZING)
2729 && (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING))
2732 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
2733 p_dev_rec->p_callback = NULL;
2736 /*******************************************************************************
2738 ** Function btm_sec_dd_create_conn
2740 ** Description This function is called to create the ACL connection for
2741 ** the dedicated boding process
2745 *******************************************************************************/
2746 static tBTM_STATUS btm_sec_dd_create_conn (tBTM_SEC_DEV_REC *p_dev_rec)
2750 /* Make sure an L2cap link control block is available */
2751 if ((p_lcb = l2cu_allocate_lcb (p_dev_rec->bd_addr, TRUE, BT_TRANSPORT_BR_EDR)) == NULL)
2753 BTM_TRACE_WARNING ("Security Manager: failed allocate LCB [%02x%02x%02x%02x%02x%02x]",
2754 p_dev_rec->bd_addr[0], p_dev_rec->bd_addr[1], p_dev_rec->bd_addr[2],
2755 p_dev_rec->bd_addr[3], p_dev_rec->bd_addr[4], p_dev_rec->bd_addr[5]);
2757 return(BTM_NO_RESOURCES);
2760 /* set up the control block to indicated dedicated bonding */
2761 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_DISC_WHEN_DONE;
2763 if (l2cu_create_conn(p_lcb, BT_TRANSPORT_BR_EDR) == FALSE)
2765 BTM_TRACE_WARNING ("Security Manager: failed create [%02x%02x%02x%02x%02x%02x]",
2766 p_dev_rec->bd_addr[0], p_dev_rec->bd_addr[1], p_dev_rec->bd_addr[2],
2767 p_dev_rec->bd_addr[3], p_dev_rec->bd_addr[4], p_dev_rec->bd_addr[5]);
2769 l2cu_release_lcb(p_lcb);
2770 return(BTM_NO_RESOURCES);
2773 btm_acl_update_busy_level (BTM_BLI_PAGE_EVT);
2775 BTM_TRACE_DEBUG ("Security Manager: btm_sec_dd_create_conn [%02x%02x%02x%02x%02x%02x]",
2776 p_dev_rec->bd_addr[0], p_dev_rec->bd_addr[1], p_dev_rec->bd_addr[2],
2777 p_dev_rec->bd_addr[3], p_dev_rec->bd_addr[4], p_dev_rec->bd_addr[5]);
2779 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
2781 return(BTM_CMD_STARTED);
2784 /*******************************************************************************
2786 ** Function btm_sec_rmt_name_request_complete
2788 ** Description This function is called when remote name was obtained from
2793 *******************************************************************************/
2794 void btm_sec_rmt_name_request_complete (UINT8 *p_bd_addr, UINT8 *p_bd_name, UINT8 status)
2796 tBTM_SEC_DEV_REC *p_dev_rec;
2798 DEV_CLASS dev_class;
2799 UINT8 old_sec_state;
2801 BTM_TRACE_EVENT ("btm_sec_rmt_name_request_complete");
2802 if (((p_bd_addr == NULL) && !BTM_ACL_IS_CONNECTED(btm_cb.connecting_bda))
2803 || ((p_bd_addr != NULL) && !BTM_ACL_IS_CONNECTED(p_bd_addr)))
2805 btm_acl_resubmit_page();
2808 /* If remote name request failed, p_bd_addr is null and we need to search */
2809 /* based on state assuming that we are doing 1 at a time */
2811 p_dev_rec = btm_find_dev (p_bd_addr);
2814 p_dev_rec = &btm_cb.sec_dev_rec[0];
2816 for (i = 0; i < BTM_SEC_MAX_DEVICE_RECORDS; i++, p_dev_rec++)
2818 if ((p_dev_rec->sec_flags & BTM_SEC_IN_USE)
2819 && (p_dev_rec->sec_state == BTM_SEC_STATE_GETTING_NAME))
2821 p_bd_addr = p_dev_rec->bd_addr;
2826 if (i == BTM_SEC_MAX_DEVICE_RECORDS)
2831 /* Commenting out trace due to obf/compilation problems.
2833 #if (BT_USE_TRACES == TRUE)
2835 p_bd_name = (UINT8 *)"";
2839 BTM_TRACE_EVENT ("Security Manager: rmt_name_complete PairState: %s RemName: %s status: %d State:%d p_dev_rec: 0x%08x ",
2840 btm_pair_state_descr (btm_cb.pairing_state), p_bd_name,
2841 status, p_dev_rec->sec_state, p_dev_rec);
2845 BTM_TRACE_EVENT ("Security Manager: rmt_name_complete PairState: %s RemName: %s status: %d",
2846 btm_pair_state_descr (btm_cb.pairing_state), p_bd_name,
2853 old_sec_state = p_dev_rec->sec_state;
2854 if (status == HCI_SUCCESS)
2856 BCM_STRNCPY_S ((char *)p_dev_rec->sec_bd_name, sizeof (p_dev_rec->sec_bd_name), (char *)p_bd_name, BTM_MAX_REM_BD_NAME_LEN);
2857 p_dev_rec->sec_flags |= BTM_SEC_NAME_KNOWN;
2858 BTM_TRACE_EVENT ("setting BTM_SEC_NAME_KNOWN sec_flags:0x%x", p_dev_rec->sec_flags);
2862 /* Notify all clients waiting for name to be resolved even if it failed so clients can continue */
2863 p_dev_rec->sec_bd_name[0] = 0;
2866 if (p_dev_rec->sec_state == BTM_SEC_STATE_GETTING_NAME)
2867 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
2869 /* Notify all clients waiting for name to be resolved */
2870 for (i = 0;i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
2872 if (btm_cb.p_rmt_name_callback[i] && p_bd_addr)
2873 (*btm_cb.p_rmt_name_callback[i])(p_bd_addr, p_dev_rec->dev_class,
2874 p_dev_rec->sec_bd_name);
2883 /* Notify all clients waiting for name to be resolved even if not found so clients can continue */
2884 for (i = 0;i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
2886 if (btm_cb.p_rmt_name_callback[i] && p_bd_addr)
2887 (*btm_cb.p_rmt_name_callback[i])(p_bd_addr, dev_class, (UINT8 *)"");
2893 /* If we were delaying asking UI for a PIN because name was not resolved, ask now */
2894 if ( (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_LOCAL_PIN) && p_bd_addr
2895 && (memcmp (btm_cb.pairing_bda, p_bd_addr, BD_ADDR_LEN) == 0) )
2897 BTM_TRACE_EVENT ("btm_sec_rmt_name_request_complete() delayed pin now being requested flags:0x%x, (p_pin_callback=0x%p)", btm_cb.pairing_flags, btm_cb.api.p_pin_callback);
2899 if (((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) == 0) &&
2900 ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PIN_REQD) == 0) &&
2901 btm_cb.api.p_pin_callback)
2903 BTM_TRACE_EVENT ("btm_sec_rmt_name_request_complete() calling pin_callback");
2904 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
2905 (*btm_cb.api.p_pin_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class, p_bd_name);
2908 /* Set the same state again to force the timer to be restarted */
2909 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_PIN);
2913 /* Check if we were delaying bonding because name was not resolved */
2914 if ( btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME)
2916 if (p_bd_addr && memcmp (btm_cb.pairing_bda, p_bd_addr, BD_ADDR_LEN) == 0)
2918 BTM_TRACE_EVENT ("btm_sec_rmt_name_request_complete() continue bonding sm4: 0x%04x, status:0x%x", p_dev_rec->sm4, status);
2919 if(btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_CANCEL_DD)
2921 btm_sec_bond_cancel_complete();
2925 if (status != HCI_SUCCESS)
2927 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
2929 if (btm_cb.api.p_auth_complete_callback)
2930 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
2931 p_dev_rec->sec_bd_name, status);
2935 /* if peer is very old legacy devices, HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT is not reported */
2936 if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4))
2938 /* set the KNOWN flag only if BTM_PAIR_FLAGS_REJECTED_CONNECT is not set.*/
2939 /* If it is set, there may be a race condition */
2940 BTM_TRACE_DEBUG ("btm_sec_rmt_name_request_complete IS_SM4_UNKNOWN Flags:0x%04x",
2941 btm_cb.pairing_flags);
2942 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT) == 0)
2944 p_dev_rec->sm4 |= BTM_SM4_KNOWN;
2948 BTM_TRACE_DEBUG("%s, SM4 Value: %x, Legacy:%d,IS SM4:%d, Unknown:%d",__FUNCTION__,
2949 p_dev_rec->sm4, BTM_SEC_IS_SM4_LEGACY(p_dev_rec->sm4),
2950 BTM_SEC_IS_SM4(p_dev_rec->sm4),BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4));
2952 /* BT 2.1 or carkit, bring up the connection to force the peer to request PIN.
2953 ** Else prefetch (btm_sec_check_prefetch_pin will do the prefetching if needed)
2955 if ((p_dev_rec->sm4 != BTM_SM4_KNOWN) || !btm_sec_check_prefetch_pin(p_dev_rec))
2957 /* if we rejected incoming connection request, we have to wait HCI_Connection_Complete event */
2958 /* before originating */
2959 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT)
2961 BTM_TRACE_WARNING ("btm_sec_rmt_name_request_complete: waiting HCI_Connection_Complete after rejecting connection");
2963 /* Both we and the peer are 2.1 - continue to create connection */
2964 else if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED)
2966 BTM_TRACE_WARNING ("btm_sec_rmt_name_request_complete: failed to start connection");
2968 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
2970 if (btm_cb.api.p_auth_complete_callback)
2971 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
2972 p_dev_rec->sec_bd_name, HCI_ERR_MEMORY_FULL);
2979 BTM_TRACE_WARNING ("btm_sec_rmt_name_request_complete: wrong BDA, retry with pairing BDA");
2981 BTM_ReadRemoteDeviceName (btm_cb.pairing_bda, NULL, BT_TRANSPORT_BR_EDR);
2986 /* check if we were delaying link_key_callback because name was not resolved */
2987 if (p_dev_rec->link_key_not_sent)
2989 /* If HCI connection complete has not arrived, wait for it */
2990 if (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE)
2993 p_dev_rec->link_key_not_sent = FALSE;
2994 btm_send_link_key_notif(p_dev_rec);
2996 /* If its not us who perform authentication, we should tell stackserver */
2997 /* that some authentication has been completed */
2998 /* This is required when different entities receive link notification and auth complete */
2999 if (!(p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE))
3001 if (btm_cb.api.p_auth_complete_callback)
3002 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
3003 p_dev_rec->dev_class,
3004 p_dev_rec->sec_bd_name, HCI_SUCCESS);
3009 /* If this is a bonding procedure can disconnect the link now */
3010 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
3011 && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))
3013 BTM_TRACE_WARNING ("btm_sec_rmt_name_request_complete (none/ce)");
3014 p_dev_rec->security_required &= ~(BTM_SEC_OUT_AUTHENTICATE);
3015 l2cu_start_post_bond_timer(p_dev_rec->hci_handle);
3019 if (old_sec_state != BTM_SEC_STATE_GETTING_NAME)
3022 /* If get name failed, notify the waiting layer */
3023 if (status != HCI_SUCCESS)
3025 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING, FALSE);
3029 if (p_dev_rec->sm4 & BTM_SM4_REQ_PEND)
3031 BTM_TRACE_EVENT ("waiting for remote features!!");
3035 /* Remote Name succeeded, execute the next security procedure, if any */
3036 status = (UINT8)btm_sec_execute_procedure (p_dev_rec);
3038 /* If result is pending reply from the user or from the device is pending */
3039 if (status == BTM_CMD_STARTED)
3042 /* There is no next procedure or start of procedure failed, notify the waiting layer */
3043 btm_sec_dev_rec_cback_event (p_dev_rec, status, FALSE);
3046 /*******************************************************************************
3048 ** Function btm_sec_rmt_host_support_feat_evt
3050 ** Description This function is called when the
3051 ** HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT is received
3055 *******************************************************************************/
3056 void btm_sec_rmt_host_support_feat_evt (UINT8 *p)
3058 tBTM_SEC_DEV_REC *p_dev_rec;
3059 BD_ADDR bd_addr; /* peer address */
3060 BD_FEATURES features;
3062 STREAM_TO_BDADDR (bd_addr, p);
3063 p_dev_rec = btm_find_or_alloc_dev (bd_addr);
3065 BTM_TRACE_EVENT ("btm_sec_rmt_host_support_feat_evt sm4: 0x%x p[0]: 0x%x", p_dev_rec->sm4, p[0]);
3067 if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4))
3069 p_dev_rec->sm4 = BTM_SM4_KNOWN;
3070 STREAM_TO_ARRAY(features, p, HCI_FEATURE_BYTES_PER_PAGE);
3071 if (HCI_SSP_HOST_SUPPORTED(features))
3073 p_dev_rec->sm4 = BTM_SM4_TRUE;
3075 BTM_TRACE_EVENT ("btm_sec_rmt_host_support_feat_evt sm4: 0x%x features[0]: 0x%x", p_dev_rec->sm4, features[0]);
3079 /*******************************************************************************
3081 ** Function btm_io_capabilities_req
3083 ** Description This function is called when LM request for the IO
3084 ** capability of the local device and
3085 ** if the OOB data is present for the device in the event
3089 *******************************************************************************/
3090 void btm_io_capabilities_req (UINT8 *p)
3092 tBTM_SP_IO_REQ evt_data;
3094 tBTM_SEC_DEV_REC *p_dev_rec;
3095 BOOLEAN is_orig = TRUE;
3096 UINT8 callback_rc = BTM_SUCCESS;
3098 STREAM_TO_BDADDR (evt_data.bd_addr, p);
3100 /* setup the default response according to compile options */
3101 /* assume that the local IO capability does not change
3102 * loc_io_caps is initialized with the default value */
3103 evt_data.io_cap = btm_cb.devcb.loc_io_caps;
3104 evt_data.oob_data = BTM_OOB_NONE;
3105 evt_data.auth_req = BTM_DEFAULT_AUTH_REQ;
3107 BTM_TRACE_EVENT ("btm_io_capabilities_req() State: %s", btm_pair_state_descr(btm_cb.pairing_state));
3109 p_dev_rec = btm_find_or_alloc_dev (evt_data.bd_addr);
3110 p_dev_rec->sm4 |= BTM_SM4_TRUE;
3112 BTM_TRACE_EVENT ("btm_io_capabilities_req() State: %s Flags: 0x%04x p_cur_service: 0x%08x",
3113 btm_pair_state_descr(btm_cb.pairing_state), btm_cb.pairing_flags, p_dev_rec->p_cur_service);
3115 if (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
3117 if (btm_cb.pairing_state == BTM_PAIR_STATE_INCOMING_SSP)
3119 /* received IO capability response already-> not the originator of SSP */
3122 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_PEER_STARTED_DD)
3123 evt_data.auth_req = BTM_DEFAULT_DD_AUTH_REQ;
3125 /* security is already in progress */
3126 else if (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_PIN_REQ)
3128 /* coverity[uninit_use_in_call]
3129 Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp"
3130 False-positive: evt_data.bd_addr is set at the beginning with: STREAM_TO_BDADDR (evt_data.bd_addr, p);
3132 if (memcmp (evt_data.bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN))
3134 /* and it's not the device in bonding -> reject it */
3135 err_code = HCI_ERR_HOST_BUSY_PAIRING;
3139 /* local device initiated dedicated bonding */
3140 evt_data.auth_req = BTM_DEFAULT_DD_AUTH_REQ;
3145 err_code = HCI_ERR_HOST_BUSY_PAIRING;
3149 /* paring is not allowed */
3150 if (btm_cb.pairing_disabled)
3151 err_code = HCI_ERR_PAIRING_NOT_ALLOWED;
3155 /* coverity[uninit_use_in_call]
3156 Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp"
3157 False-positive: evt_data.bd_addr is set at the beginning with: STREAM_TO_BDADDR (evt_data.bd_addr, p);
3159 btsnd_hcic_io_cap_req_neg_reply(evt_data.bd_addr, err_code);
3163 evt_data.is_orig = is_orig;
3167 /* local device initiated the pairing non-bonding -> use p_cur_service */
3168 if (!(btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) &&
3169 p_dev_rec->p_cur_service &&
3170 (p_dev_rec->p_cur_service->security_flags & BTM_SEC_OUT_AUTHENTICATE))
3172 evt_data.auth_req = (p_dev_rec->p_cur_service->security_flags & BTM_SEC_OUT_MITM) ? BTM_AUTH_SP_YES : BTM_AUTH_SP_NO;
3176 /* Notify L2CAP to increase timeout */
3177 l2c_pin_code_request (evt_data.bd_addr);
3179 memcpy (btm_cb.pairing_bda, evt_data.bd_addr, BD_ADDR_LEN);
3181 /* coverity[uninit_use_in_call]
3182 Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp"
3183 False-positive: False-positive: evt_data.bd_addr is set at the beginning with: STREAM_TO_BDADDR (evt_data.bd_addr, p);
3185 if (!memcmp (evt_data.bd_addr, btm_cb.connecting_bda, BD_ADDR_LEN))
3186 memcpy (p_dev_rec->dev_class, btm_cb.connecting_dc, DEV_CLASS_LEN);
3188 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS);
3190 callback_rc = BTM_SUCCESS;
3191 if (p_dev_rec->sm4 & BTM_SM4_UPGRADE)
3193 p_dev_rec->sm4 &= ~BTM_SM4_UPGRADE;
3195 /* link key upgrade: always use SPGB_YES - assuming we want to save the link key */
3196 evt_data.auth_req = BTM_AUTH_SPGB_YES;
3198 else if (btm_cb.api.p_sp_callback)
3200 /* the callback function implementation may change the IO capability... */
3201 callback_rc = (*btm_cb.api.p_sp_callback) (BTM_SP_IO_REQ_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3204 #if BTM_OOB_INCLUDED == TRUE
3205 if ((callback_rc == BTM_SUCCESS) || (BTM_OOB_UNKNOWN != evt_data.oob_data))
3207 if (callback_rc == BTM_SUCCESS)
3210 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD))
3212 evt_data.auth_req = (BTM_AUTH_DD_BOND | (evt_data.auth_req & BTM_AUTH_YN_BIT));
3215 /* if the user does not indicate "reply later" by setting the oob_data to unknown
3216 * send the response right now. Save the current IO capability in the control block */
3217 btm_cb.devcb.loc_auth_req = evt_data.auth_req;
3218 btm_cb.devcb.loc_io_caps = evt_data.io_cap;
3220 BTM_TRACE_EVENT ("btm_io_capabilities_req: State: %s IO_CAP:%d oob_data:%d auth_req:%d",
3221 btm_pair_state_descr(btm_cb.pairing_state), evt_data.io_cap,
3222 evt_data.oob_data, evt_data.auth_req);
3224 btsnd_hcic_io_cap_req_reply(evt_data.bd_addr, evt_data.io_cap,
3225 evt_data.oob_data, evt_data.auth_req);
3229 /*******************************************************************************
3231 ** Function btm_io_capabilities_rsp
3233 ** Description This function is called when the IO capability of the
3234 ** specified device is received
3238 *******************************************************************************/
3239 void btm_io_capabilities_rsp (UINT8 *p)
3241 tBTM_SEC_DEV_REC *p_dev_rec;
3242 tBTM_SP_IO_RSP evt_data;
3244 STREAM_TO_BDADDR (evt_data.bd_addr, p);
3245 STREAM_TO_UINT8 (evt_data.io_cap, p);
3246 STREAM_TO_UINT8 (evt_data.oob_data, p);
3247 STREAM_TO_UINT8 (evt_data.auth_req, p);
3249 /* Allocate a new device record or reuse the oldest one */
3250 p_dev_rec = btm_find_or_alloc_dev (evt_data.bd_addr);
3252 /* If no security is in progress, this indicates incoming security */
3253 if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
3255 memcpy (btm_cb.pairing_bda, evt_data.bd_addr, BD_ADDR_LEN);
3257 btm_sec_change_pairing_state (BTM_PAIR_STATE_INCOMING_SSP);
3259 /* Make sure we reset the trusted mask to help against attacks */
3260 BTM_SEC_CLR_TRUSTED_DEVICE(p_dev_rec->trusted_mask);
3262 /* work around for FW bug */
3263 btm_inq_stop_on_ssp();
3266 /* Notify L2CAP to increase timeout */
3267 l2c_pin_code_request (evt_data.bd_addr);
3269 /* We must have a device record here.
3270 * Use the connecting device's CoD for the connection */
3271 /* coverity[uninit_use_in_call]
3272 Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp"
3273 FALSE-POSITIVE error from Coverity test-tool. evt_data.bd_addr is set at the beginning with: STREAM_TO_BDADDR (evt_data.bd_addr, p);
3275 if (!memcmp (evt_data.bd_addr, btm_cb.connecting_bda, BD_ADDR_LEN))
3276 memcpy (p_dev_rec->dev_class, btm_cb.connecting_dc, DEV_CLASS_LEN);
3278 /* peer sets dedicated bonding bit and we did not initiate dedicated bonding */
3279 if (btm_cb.pairing_state == BTM_PAIR_STATE_INCOMING_SSP /* peer initiated bonding */
3280 && (evt_data.auth_req & BTM_AUTH_DD_BOND) ) /* and dedicated bonding bit is set */
3282 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PEER_STARTED_DD;
3285 /* save the IO capability in the device record */
3286 p_dev_rec->rmt_io_caps = evt_data.io_cap;
3287 p_dev_rec->rmt_auth_req = evt_data.auth_req;
3289 if (btm_cb.api.p_sp_callback)
3290 (*btm_cb.api.p_sp_callback) (BTM_SP_IO_RSP_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3293 /*******************************************************************************
3295 ** Function btm_proc_sp_req_evt
3297 ** Description This function is called to process/report
3298 ** HCI_USER_CONFIRMATION_REQUEST_EVT
3299 ** or HCI_USER_PASSKEY_REQUEST_EVT
3300 ** or HCI_USER_PASSKEY_NOTIFY_EVT
3304 *******************************************************************************/
3305 void btm_proc_sp_req_evt (tBTM_SP_EVT event, UINT8 *p)
3307 tBTM_STATUS status = BTM_ERR_PROCESSING;
3308 tBTM_SP_EVT_DATA evt_data;
3309 UINT8 *p_bda = evt_data.cfm_req.bd_addr;
3310 tBTM_SEC_DEV_REC *p_dev_rec;
3312 /* All events start with bd_addr */
3313 STREAM_TO_BDADDR (p_bda, p);
3315 BTM_TRACE_EVENT ("btm_proc_sp_req_evt() BDA: %08x%04x event: 0x%x, State: %s",
3316 (p_bda[0]<<24) + (p_bda[1]<<16) + (p_bda[2]<<8) + p_bda[3], (p_bda[4] << 8) + p_bda[5],
3317 event, btm_pair_state_descr(btm_cb.pairing_state));
3319 if ( ((p_dev_rec = btm_find_dev (p_bda)) != NULL)
3320 && (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
3321 && (memcmp (btm_cb.pairing_bda, p_bda, BD_ADDR_LEN) == 0) )
3323 memcpy (evt_data.cfm_req.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
3324 memcpy (evt_data.cfm_req.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN);
3326 BCM_STRNCPY_S ((char *)evt_data.cfm_req.bd_name, sizeof(evt_data.cfm_req.bd_name), (char *)p_dev_rec->sec_bd_name, BTM_MAX_REM_BD_NAME_LEN);
3330 case BTM_SP_CFM_REQ_EVT:
3331 /* Numeric confirmation. Need user to conf the passkey */
3332 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM);
3334 /* The device record must be allocated in the "IO cap exchange" step */
3335 STREAM_TO_UINT32 (evt_data.cfm_req.num_val, p);
3337 evt_data.cfm_req.just_works = TRUE;
3339 /* process user confirm req in association with the auth_req param */
3340 #if (BTM_LOCAL_IO_CAPS == BTM_IO_CAP_IO)
3341 if ( (p_dev_rec->rmt_io_caps == BTM_IO_CAP_IO)
3342 && (btm_cb.devcb.loc_io_caps == BTM_IO_CAP_IO)
3343 && ((p_dev_rec->rmt_auth_req & BTM_AUTH_SP_YES) || (btm_cb.devcb.loc_auth_req & BTM_AUTH_SP_YES)) )
3345 /* Both devices are DisplayYesNo and one or both devices want to authenticate
3346 -> use authenticated link key */
3347 evt_data.cfm_req.just_works = FALSE;
3350 BTM_TRACE_DEBUG ("btm_proc_sp_req_evt() just_works:%d, io loc:%d, rmt:%d, auth loc:%d, rmt:%d",
3351 evt_data.cfm_req.just_works, btm_cb.devcb.loc_io_caps, p_dev_rec->rmt_io_caps,
3352 btm_cb.devcb.loc_auth_req, p_dev_rec->rmt_auth_req);
3354 evt_data.cfm_req.loc_auth_req = btm_cb.devcb.loc_auth_req;
3355 evt_data.cfm_req.rmt_auth_req = p_dev_rec->rmt_auth_req;
3356 evt_data.cfm_req.loc_io_caps = btm_cb.devcb.loc_io_caps;
3357 evt_data.cfm_req.rmt_io_caps = p_dev_rec->rmt_io_caps;
3360 case BTM_SP_KEY_NOTIF_EVT:
3361 /* Passkey notification (other side is a keyboard) */
3362 STREAM_TO_UINT32 (evt_data.key_notif.passkey, p);
3364 BTM_TRACE_DEBUG ("BTM_SP_KEY_NOTIF_EVT: passkey: %u", evt_data.key_notif.passkey);
3366 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
3369 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
3370 case BTM_SP_KEY_REQ_EVT:
3371 /* HCI_USER_PASSKEY_REQUEST_EVT */
3372 btm_sec_change_pairing_state (BTM_PAIR_STATE_KEY_ENTRY);
3377 if (btm_cb.api.p_sp_callback)
3379 status = (*btm_cb.api.p_sp_callback) (event, (tBTM_SP_EVT_DATA *)&evt_data);
3380 if (status != BTM_NOT_AUTHORIZED)
3384 /* else BTM_NOT_AUTHORIZED means when the app wants to reject the req right now */
3386 else if ( (event == BTM_SP_CFM_REQ_EVT) && (evt_data.cfm_req.just_works == TRUE) )
3388 /* automatically reply with just works if no sp_cback */
3389 status = BTM_SUCCESS;
3392 if (event == BTM_SP_CFM_REQ_EVT)
3394 BTM_TRACE_DEBUG ("calling BTM_ConfirmReqReply with status: %d", status);
3395 BTM_ConfirmReqReply (status, p_bda);
3397 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
3398 else if (event == BTM_SP_KEY_REQ_EVT)
3400 BTM_PasskeyReqReply(status, p_bda, 0);
3406 /* Something bad. we can only fail this connection */
3407 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
3409 if (BTM_SP_CFM_REQ_EVT == event)
3411 btsnd_hcic_user_conf_reply (p_bda, FALSE);
3413 else if (BTM_SP_KEY_NOTIF_EVT == event)
3415 /* do nothing -> it very unlikely to happen.
3416 This event is most likely to be received by a HID host when it first connects to a HID device.
3417 Usually the Host initiated the connection in this case.
3418 On Mobile platforms, if there's a security process happening,
3419 the host probably can not initiate another connection.
3420 BTW (PC) is another story. */
3421 if (NULL != (p_dev_rec = btm_find_dev (p_bda)) )
3423 btm_sec_disconnect (p_dev_rec->hci_handle, HCI_ERR_AUTH_FAILURE);
3426 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
3429 btsnd_hcic_user_passkey_neg_reply(p_bda);
3434 /*******************************************************************************
3436 ** Function btm_keypress_notif_evt
3438 ** Description This function is called when a key press notification is
3443 *******************************************************************************/
3444 void btm_keypress_notif_evt (UINT8 *p)
3446 tBTM_SP_KEYPRESS evt_data;
3449 /* parse & report BTM_SP_KEYPRESS_EVT */
3450 if (btm_cb.api.p_sp_callback)
3452 p_bda = evt_data.bd_addr;
3454 STREAM_TO_BDADDR (p_bda, p);
3455 evt_data.notif_type = *p;
3457 (*btm_cb.api.p_sp_callback) (BTM_SP_KEYPRESS_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3461 /*******************************************************************************
3463 ** Function btm_simple_pair_complete
3465 ** Description This function is called when simple pairing process is
3470 *******************************************************************************/
3471 void btm_simple_pair_complete (UINT8 *p)
3473 tBTM_SP_COMPLT evt_data;
3474 tBTM_SEC_DEV_REC *p_dev_rec;
3476 BOOLEAN disc = FALSE;
3479 STREAM_TO_BDADDR (evt_data.bd_addr, p);
3481 if ((p_dev_rec = btm_find_dev (evt_data.bd_addr)) == NULL)
3483 BTM_TRACE_ERROR ("btm_simple_pair_complete() with unknown BDA: %08x%04x",
3484 (evt_data.bd_addr[0]<<24) + (evt_data.bd_addr[1]<<16) + (evt_data.bd_addr[2]<<8) + evt_data.bd_addr[3],
3485 (evt_data.bd_addr[4] << 8) + evt_data.bd_addr[5]);
3489 BTM_TRACE_EVENT ("btm_simple_pair_complete() Pair State: %s Status:%d sec_state: %u",
3490 btm_pair_state_descr(btm_cb.pairing_state), status, p_dev_rec->sec_state);
3492 evt_data.status = BTM_ERR_PROCESSING;
3493 if (status == HCI_SUCCESS)
3495 evt_data.status = BTM_SUCCESS;
3496 p_dev_rec->sec_flags |= BTM_SEC_AUTHENTICATED;
3500 if (status == HCI_ERR_PAIRING_NOT_ALLOWED)
3502 /* The test spec wants the peer device to get this failure code. */
3503 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_DISCONNECT);
3505 /* Change the timer to 1 second */
3506 btu_start_timer (&btm_cb.pairing_tle, BTU_TTYPE_USER_FUNC, BT_1SEC_TIMEOUT);
3508 else if (memcmp (btm_cb.pairing_bda, evt_data.bd_addr, BD_ADDR_LEN) == 0)
3510 /* stop the timer */
3511 btu_stop_timer (&btm_cb.pairing_tle);
3513 if (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING)
3515 /* the initiating side: will receive auth complete event. disconnect ACL at that time */
3523 /* Let the pairing state stay active, p_auth_complete_callback will report the failure */
3524 memcpy (evt_data.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
3525 memcpy (evt_data.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN);
3527 if (btm_cb.api.p_sp_callback)
3528 (*btm_cb.api.p_sp_callback) (BTM_SP_COMPLT_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3532 /* simple pairing failed */
3533 /* Avoid sending disconnect on HCI_ERR_PEER_USER */
3534 if ((status != HCI_ERR_PEER_USER) && (status != HCI_ERR_CONN_CAUSE_LOCAL_HOST))
3536 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE, p_dev_rec->hci_handle);
3541 #if BTM_OOB_INCLUDED == TRUE
3542 /*******************************************************************************
3544 ** Function btm_rem_oob_req
3546 ** Description This function is called to process/report
3547 ** HCI_REMOTE_OOB_DATA_REQUEST_EVT
3551 *******************************************************************************/
3552 void btm_rem_oob_req (UINT8 *p)
3555 tBTM_SP_RMT_OOB evt_data;
3556 tBTM_SEC_DEV_REC *p_dev_rec;
3560 p_bda = evt_data.bd_addr;
3562 STREAM_TO_BDADDR (p_bda, p);
3564 BTM_TRACE_EVENT ("btm_rem_oob_req() BDA: %02x:%02x:%02x:%02x:%02x:%02x",
3565 p_bda[0], p_bda[1], p_bda[2], p_bda[3], p_bda[4], p_bda[5]);
3567 if ( (NULL != (p_dev_rec = btm_find_dev (p_bda))) &&
3568 btm_cb.api.p_sp_callback)
3570 memcpy (evt_data.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
3571 memcpy (evt_data.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN);
3572 BCM_STRNCPY_S((char *)evt_data.bd_name, sizeof(evt_data.bd_name), (char *)p_dev_rec->sec_bd_name, BTM_MAX_REM_BD_NAME_LEN+1);
3573 evt_data.bd_name[BTM_MAX_REM_BD_NAME_LEN] = 0;
3575 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP);
3576 if ((*btm_cb.api.p_sp_callback) (BTM_SP_RMT_OOB_EVT, (tBTM_SP_EVT_DATA *)&evt_data) == BTM_NOT_AUTHORIZED)
3578 BTM_RemoteOobDataReply(TRUE, p_bda, c, r);
3583 /* something bad. we can only fail this connection */
3584 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
3585 btsnd_hcic_rem_oob_neg_reply (p_bda);
3588 /*******************************************************************************
3590 ** Function btm_read_local_oob_complete
3592 ** Description This function is called when read local oob data is
3593 ** completed by the LM
3597 *******************************************************************************/
3598 void btm_read_local_oob_complete (UINT8 *p)
3600 tBTM_SP_LOC_OOB evt_data;
3601 UINT8 status = *p++;
3603 BTM_TRACE_EVENT ("btm_read_local_oob_complete:%d", status);
3604 if (status == HCI_SUCCESS)
3606 evt_data.status = BTM_SUCCESS;
3607 STREAM_TO_ARRAY16(evt_data.c, p);
3608 STREAM_TO_ARRAY16(evt_data.r, p);
3611 evt_data.status = BTM_ERR_PROCESSING;
3613 if (btm_cb.api.p_sp_callback)
3614 (*btm_cb.api.p_sp_callback) (BTM_SP_LOC_OOB_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3616 #endif /* BTM_OOB_INCLUDED */
3618 /*******************************************************************************
3620 ** Function btm_sec_auth_collision
3622 ** Description This function is called when authentication or encryption
3623 ** needs to be retried at a later time.
3627 *******************************************************************************/
3628 static void btm_sec_auth_collision (UINT16 handle)
3630 tBTM_SEC_DEV_REC *p_dev_rec;
3632 if (!btm_cb.collision_start_time)
3633 btm_cb.collision_start_time = GKI_get_os_tick_count();
3635 if ((GKI_get_os_tick_count() - btm_cb.collision_start_time) < btm_cb.max_collision_delay)
3637 if (handle == BTM_SEC_INVALID_HANDLE)
3639 if ((p_dev_rec = btm_sec_find_dev_by_sec_state (BTM_SEC_STATE_AUTHENTICATING)) == NULL)
3640 p_dev_rec = btm_sec_find_dev_by_sec_state (BTM_SEC_STATE_ENCRYPTING);
3643 p_dev_rec = btm_find_dev_by_handle (handle);
3645 if (p_dev_rec != NULL)
3647 BTM_TRACE_DEBUG ("btm_sec_auth_collision: state %d (retrying in a moment...)", p_dev_rec->sec_state);
3648 /* We will restart authentication after timeout */
3649 if (p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING || p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING)
3650 p_dev_rec->sec_state = 0;
3652 btm_cb.p_collided_dev_rec = p_dev_rec;
3653 btm_cb.sec_collision_tle.param = (UINT32) btm_sec_collision_timeout;
3654 btu_start_timer (&btm_cb.sec_collision_tle, BTU_TTYPE_USER_FUNC, BT_1SEC_TIMEOUT);
3659 /*******************************************************************************
3661 ** Function btm_sec_auth_complete
3663 ** Description This function is when authentication of the connection is
3664 ** completed by the LM
3668 *******************************************************************************/
3669 void btm_sec_auth_complete (UINT16 handle, UINT8 status)
3672 tBTM_PAIRING_STATE old_state = btm_cb.pairing_state;
3673 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle);
3674 BOOLEAN are_bonding = FALSE;
3676 /* Commenting out trace due to obf/compilation problems.
3678 #if (BT_USE_TRACES == TRUE)
3681 BTM_TRACE_EVENT ("Security Manager: auth_complete PairState: %s handle:%u status:%d dev->sec_state: %u Bda:%08x, RName:%s",
3682 btm_pair_state_descr (btm_cb.pairing_state),
3684 p_dev_rec->sec_state,
3685 (p_dev_rec->bd_addr[2]<<24)+(p_dev_rec->bd_addr[3]<<16)+(p_dev_rec->bd_addr[4]<<8)+p_dev_rec->bd_addr[5],
3686 p_dev_rec->sec_bd_name);
3690 BTM_TRACE_EVENT ("Security Manager: auth_complete PairState: %s handle:%u status:%d",
3691 btm_pair_state_descr (btm_cb.pairing_state),
3696 /* For transaction collision we need to wait and repeat. There is no need */
3697 /* for random timeout because only slave should receive the result */
3698 if ((status == HCI_ERR_LMP_ERR_TRANS_COLLISION) || (status == HCI_ERR_DIFF_TRANSACTION_COLLISION))
3700 btm_sec_auth_collision(handle);
3703 btm_cb.collision_start_time = 0;
3707 /* Check if connection was made just to do bonding. If we authenticate
3708 the connection that is up, this is the last event received.
3711 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
3712 && !(btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE))
3714 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
3716 l2cu_start_post_bond_timer (p_dev_rec->hci_handle);
3722 /* keep the old sm4 flag and clear the retry bit in control block */
3723 old_sm4 = p_dev_rec->sm4;
3724 p_dev_rec->sm4 &= ~BTM_SM4_RETRY;
3726 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
3727 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
3728 && (memcmp (p_dev_rec->bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN) == 0) )
3731 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
3733 if (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING)
3735 if ( (btm_cb.api.p_auth_complete_callback && status != HCI_SUCCESS)
3736 && (old_state != BTM_PAIR_STATE_IDLE) )
3738 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
3739 p_dev_rec->dev_class,
3740 p_dev_rec->sec_bd_name, status);
3745 /* There can be a race condition, when we are starting authentication and
3746 ** the peer device is doing encryption.
3747 ** If first we receive encryption change up, then initiated authentication
3748 ** can not be performed. According to the spec we can not do authentication
3749 ** on the encrypted link, so device is correct.
3751 if ((status == HCI_ERR_COMMAND_DISALLOWED)
3752 && ((p_dev_rec->sec_flags & (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED)) ==
3753 (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED)))
3755 status = HCI_SUCCESS;
3757 /* Currently we do not notify user if it is a keyboard which connects */
3758 /* User probably Disabled the keyboard while it was asleap. Let her try */
3759 if (btm_cb.api.p_auth_complete_callback)
3761 /* report the suthentication status */
3762 if (old_state != BTM_PAIR_STATE_IDLE)
3763 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
3764 p_dev_rec->dev_class,
3765 p_dev_rec->sec_bd_name, status);
3768 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
3770 /* If this is a bonding procedure can disconnect the link now */
3773 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
3775 if (status != HCI_SUCCESS)
3777 if(((status != HCI_ERR_PEER_USER) && (status != HCI_ERR_CONN_CAUSE_LOCAL_HOST)))
3778 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_PEER_USER, p_dev_rec->hci_handle);
3782 BTM_TRACE_DEBUG ("TRYING TO DECIDE IF CAN USE SMP_BR_CHNL");
3783 if (p_dev_rec->new_encryption_key_is_p256 && (btm_sec_use_smp_br_chnl(p_dev_rec)))
3785 BTM_TRACE_DEBUG ("link encrypted afer dedic bonding can use SMP_BR_CHNL");
3787 if (btm_sec_is_master(p_dev_rec))
3789 // Encryption is required to start SM over BR/EDR.
3790 // Indicate that this is encryption after authentication.
3791 BTM_SetEncryption(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR, NULL, NULL);
3795 l2cu_start_post_bond_timer (p_dev_rec->hci_handle);
3800 /* If authentication failed, notify the waiting layer */
3801 if (status != HCI_SUCCESS)
3803 if ((old_sm4 & BTM_SM4_RETRY) == 0)
3805 /* allow retry only once */
3806 if (status == HCI_ERR_LMP_ERR_TRANS_COLLISION)
3808 /* not retried yet. set the retry bit */
3809 p_dev_rec->sm4 |= BTM_SM4_RETRY;
3810 BTM_TRACE_DEBUG ("Collision retry sm4:x%x sec_flags:0x%x", p_dev_rec->sm4, p_dev_rec->sec_flags);
3812 /* this retry for missing key is for Lisbon or later only.
3813 * Legacy device do not need this. the controller will drive the retry automatically */
3814 else if (HCI_ERR_KEY_MISSING == status && BTM_SEC_IS_SM4(p_dev_rec->sm4))
3816 /* not retried yet. set the retry bit */
3817 p_dev_rec->sm4 |= BTM_SM4_RETRY;
3818 p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_KNOWN;
3819 BTM_TRACE_DEBUG ("Retry for missing key sm4:x%x sec_flags:0x%x", p_dev_rec->sm4, p_dev_rec->sec_flags);
3821 /* With BRCM controller, we do not need to delete the stored link key in controller.
3822 If the stack may sit on top of other controller, we may need this
3823 BTM_DeleteStoredLinkKey (bd_addr, NULL); */
3826 if (p_dev_rec->sm4 & BTM_SM4_RETRY)
3828 btm_sec_execute_procedure (p_dev_rec);
3833 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING, FALSE);
3835 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)
3837 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE, p_dev_rec->hci_handle);
3842 p_dev_rec->sec_flags |= BTM_SEC_AUTHENTICATED;
3844 /* Authentication succeeded, execute the next security procedure, if any */
3845 status = btm_sec_execute_procedure (p_dev_rec);
3847 /* If there is no next procedure, or procedure failed to start, notify the caller */
3848 if (status != BTM_CMD_STARTED)
3849 btm_sec_dev_rec_cback_event (p_dev_rec, status, FALSE);
3852 /*******************************************************************************
3854 ** Function btm_sec_encrypt_change
3856 ** Description This function is when encryption of the connection is
3857 ** completed by the LM
3861 *******************************************************************************/
3862 void btm_sec_encrypt_change (UINT16 handle, UINT8 status, UINT8 encr_enable)
3864 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle);
3865 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
3866 tACL_CONN *p_acl = NULL;
3867 UINT8 acl_idx = btm_handle_to_acl_index(handle);
3869 BTM_TRACE_EVENT ("Security Manager: encrypt_change status:%d State:%d, encr_enable = %d",
3870 status, (p_dev_rec) ? p_dev_rec->sec_state : 0, encr_enable);
3871 BTM_TRACE_DEBUG ("before update p_dev_rec->sec_flags=0x%x", (p_dev_rec) ? p_dev_rec->sec_flags : 0 );
3873 /* For transaction collision we need to wait and repeat. There is no need */
3874 /* for random timeout because only slave should receive the result */
3875 if ((status == HCI_ERR_LMP_ERR_TRANS_COLLISION) || (status == HCI_ERR_DIFF_TRANSACTION_COLLISION))
3877 btm_sec_auth_collision(handle);
3880 btm_cb.collision_start_time = 0;
3885 if ((status == HCI_SUCCESS) && encr_enable)
3887 if (p_dev_rec->hci_handle == handle)
3888 p_dev_rec->sec_flags |= (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED);
3890 p_dev_rec->sec_flags |= (BTM_SEC_LE_AUTHENTICATED | BTM_SEC_LE_ENCRYPTED);
3893 /* It is possible that we decrypted the link to perform role switch */
3894 /* mark link not to be encrypted, so that when we execute security next time it will kick in again */
3895 if ((status == HCI_SUCCESS) && !encr_enable)
3897 if (p_dev_rec->hci_handle == handle)
3898 p_dev_rec->sec_flags &= ~BTM_SEC_ENCRYPTED;
3900 p_dev_rec->sec_flags &= ~BTM_SEC_LE_ENCRYPTED;
3903 BTM_TRACE_DEBUG ("after update p_dev_rec->sec_flags=0x%x", p_dev_rec->sec_flags );
3905 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
3906 if (acl_idx != MAX_L2CAP_LINKS )
3907 p_acl = &btm_cb.acl_db[acl_idx];
3909 btm_sec_check_pending_enc_req (p_dev_rec, p_acl->transport, encr_enable);
3911 if (p_acl && p_acl->transport == BT_TRANSPORT_LE)
3913 if (status == HCI_ERR_KEY_MISSING ||
3914 status == HCI_ERR_AUTH_FAILURE ||
3915 status == HCI_ERR_ENCRY_MODE_NOT_ACCEPTABLE)
3917 p_dev_rec->sec_flags &= ~ (BTM_SEC_LE_LINK_KEY_KNOWN);
3918 p_dev_rec->ble.key_type = BTM_LE_KEY_NONE;
3920 btm_ble_link_encrypted(p_dev_rec->bd_addr, encr_enable);
3924 /* BR/EDR connection, update the encryption key size to be 16 as always */
3925 p_dev_rec->enc_key_size = 16;
3927 BTM_TRACE_DEBUG ("in btm_sec_encrypt_change new_encr_key_256 is %d",
3928 p_dev_rec->new_encryption_key_is_p256);
3930 if ((status == HCI_SUCCESS) && encr_enable && (p_dev_rec->hci_handle == handle))
3932 if (p_dev_rec->new_encryption_key_is_p256)
3934 if (btm_sec_use_smp_br_chnl(p_dev_rec) &&
3935 btm_sec_is_master(p_dev_rec))
3937 /* BR/EDR is encrypted with LK that can be used to derive LE LTK */
3938 p_dev_rec->new_encryption_key_is_p256 = FALSE;
3940 BTM_TRACE_DEBUG ("btm_sec_encrypt_change start SM over BR/EDR");
3941 SMP_BR_PairWith(p_dev_rec->bd_addr);
3945 { /* BR/EDR is successfully encrypted. Correct LK type if needed
3946 (BR/EDR LK derived from LE LTK was used for encryption) */
3947 if ((encr_enable == 1) && /* encryption is ON for SSP */
3948 /* LK type is for BR/EDR SC */
3949 (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256 ||
3950 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256))
3952 if (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256)
3953 p_dev_rec->link_key_type = BTM_LKEY_TYPE_UNAUTH_COMB;
3954 else /* BTM_LKEY_TYPE_AUTH_COMB_P_256 */
3955 p_dev_rec->link_key_type = BTM_LKEY_TYPE_AUTH_COMB;
3957 BTM_TRACE_DEBUG("updated link key type to %d", p_dev_rec->link_key_type);
3958 btm_send_link_key_notif(p_dev_rec);
3963 btm_sec_check_pending_enc_req (p_dev_rec, BT_TRANSPORT_BR_EDR, encr_enable);
3964 #endif /* BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE */
3966 /* If this encryption was started by peer do not need to do anything */
3967 if (p_dev_rec->sec_state != BTM_SEC_STATE_ENCRYPTING)
3969 if (BTM_SEC_STATE_DELAY_FOR_ENC == p_dev_rec->sec_state)
3971 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
3972 p_dev_rec->p_callback = NULL;
3973 l2cu_resubmit_pending_sec_req (p_dev_rec->bd_addr);
3978 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
3980 /* If encryption setup failed, notify the waiting layer */
3981 if (status != HCI_SUCCESS)
3983 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING, FALSE);
3987 /* Encryption setup succeeded, execute the next security procedure, if any */
3988 status = (UINT8)btm_sec_execute_procedure (p_dev_rec);
3990 /* If there is no next procedure, or procedure failed to start, notify the caller */
3991 if (status != BTM_CMD_STARTED)
3992 btm_sec_dev_rec_cback_event (p_dev_rec, status, FALSE);
3995 /*******************************************************************************
3997 ** Function btm_sec_connect_after_reject_timeout
3999 ** Description Connection for bonding could not start because of the collision
4000 ** Initiate outgoing connection
4002 ** Returns Pointer to the TLE struct
4004 *******************************************************************************/
4005 static void btm_sec_connect_after_reject_timeout (TIMER_LIST_ENT *p_tle)
4007 tBTM_SEC_DEV_REC *p_dev_rec = btm_cb.p_collided_dev_rec;
4010 BTM_TRACE_EVENT ("btm_sec_connect_after_reject_timeout()");
4011 btm_cb.sec_collision_tle.param = 0;
4012 btm_cb.p_collided_dev_rec = 0;
4014 if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED)
4016 BTM_TRACE_WARNING ("Security Manager: btm_sec_connect_after_reject_timeout: failed to start connection");
4018 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4020 if (btm_cb.api.p_auth_complete_callback)
4021 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
4022 p_dev_rec->sec_bd_name, HCI_ERR_MEMORY_FULL);
4026 /*******************************************************************************
4028 ** Function btm_sec_connected
4030 ** Description This function is when a connection to the peer device is
4035 *******************************************************************************/
4036 void btm_sec_connected (UINT8 *bda, UINT16 handle, UINT8 status, UINT8 enc_mode)
4038 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bda);
4040 BOOLEAN is_pairing_device = FALSE;
4041 tACL_CONN *p_acl_cb;
4042 UINT8 bit_shift = 0;
4044 btm_acl_resubmit_page();
4046 /* Commenting out trace due to obf/compilation problems.
4048 #if (BT_USE_TRACES == TRUE)
4051 BTM_TRACE_EVENT ("Security Manager: btm_sec_connected in state: %s handle:%d status:%d enc_mode:%d bda:%x RName:%s",
4052 btm_pair_state_descr(btm_cb.pairing_state), handle, status, enc_mode,
4053 (bda[2]<<24)+(bda[3]<<16)+(bda[4]<<8)+bda[5],
4054 p_dev_rec->sec_bd_name);
4058 BTM_TRACE_EVENT ("Security Manager: btm_sec_connected in state: %s handle:%d status:%d enc_mode:%d bda:%x ",
4059 btm_pair_state_descr(btm_cb.pairing_state), handle, status, enc_mode,
4060 (bda[2]<<24)+(bda[3]<<16)+(bda[4]<<8)+bda[5]);
4066 /* There is no device record for new connection. Allocate one */
4067 if (status == HCI_SUCCESS)
4069 p_dev_rec = btm_sec_alloc_dev (bda);
4073 /* can not find the device record and the status is error,
4078 else /* Update the timestamp for this device */
4081 #if BLE_INCLUDED == TRUE
4082 bit_shift = (handle == p_dev_rec->ble_hci_handle) ? 8 :0;
4084 p_dev_rec->timestamp = btm_cb.dev_rec_count++;
4085 if (p_dev_rec->sm4 & BTM_SM4_CONN_PEND)
4087 /* tell L2CAP it's a bonding connection. */
4088 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4089 && (memcmp (btm_cb.pairing_bda, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0)
4090 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) )
4092 /* if incoming connection failed while pairing, then try to connect and continue */
4093 /* Motorola S9 disconnects without asking pin code */
4094 if ((status != HCI_SUCCESS)&&(btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_PIN_REQ))
4096 BTM_TRACE_WARNING ("Security Manager: btm_sec_connected: incoming connection failed without asking PIN");
4098 p_dev_rec->sm4 &= ~BTM_SM4_CONN_PEND;
4099 if (p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
4101 /* Start timer with 0 to initiate connection with new LCB */
4102 /* because L2CAP will delete current LCB with this event */
4103 btm_cb.p_collided_dev_rec = p_dev_rec;
4104 btm_cb.sec_collision_tle.param = (UINT32) btm_sec_connect_after_reject_timeout;
4105 btu_start_timer (&btm_cb.sec_collision_tle, BTU_TTYPE_USER_FUNC, 0);
4109 btm_sec_change_pairing_state (BTM_PAIR_STATE_GET_REM_NAME);
4110 BTM_ReadRemoteDeviceName(p_dev_rec->bd_addr, NULL, BT_TRANSPORT_BR_EDR);
4112 #if BTM_DISC_DURING_RS == TRUE
4113 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */
4119 l2cu_update_lcb_4_bonding(p_dev_rec->bd_addr, TRUE);
4122 /* always clear the pending flag */
4123 p_dev_rec->sm4 &= ~BTM_SM4_CONN_PEND;
4127 #if BLE_INCLUDED == TRUE
4128 p_dev_rec->device_type |= BT_DEVICE_TYPE_BREDR;
4131 #if BTM_DISC_DURING_RS == TRUE
4132 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */
4135 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */
4137 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4138 && (memcmp (btm_cb.pairing_bda, bda, BD_ADDR_LEN) == 0) )
4140 /* if we rejected incoming connection from bonding device */
4141 if ((status == HCI_ERR_HOST_REJECT_DEVICE)
4142 &&(btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT))
4144 BTM_TRACE_WARNING ("Security Manager: btm_sec_connected: HCI_Conn_Comp Flags:0x%04x, sm4: 0x%x",
4145 btm_cb.pairing_flags, p_dev_rec->sm4);
4147 btm_cb.pairing_flags &= ~BTM_PAIR_FLAGS_REJECTED_CONNECT;
4148 if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4))
4150 /* Try again: RNR when no ACL causes HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT */
4151 btm_sec_change_pairing_state (BTM_PAIR_STATE_GET_REM_NAME);
4152 BTM_ReadRemoteDeviceName(bda, NULL, BT_TRANSPORT_BR_EDR);
4156 /* if we already have pin code */
4157 if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_PIN)
4159 /* Start timer with 0 to initiate connection with new LCB */
4160 /* because L2CAP will delete current LCB with this event */
4161 btm_cb.p_collided_dev_rec = p_dev_rec;
4162 btm_cb.sec_collision_tle.param = (UINT32) btm_sec_connect_after_reject_timeout;
4163 btu_start_timer (&btm_cb.sec_collision_tle, BTU_TTYPE_USER_FUNC, 0);
4168 /* wait for incoming connection without resetting pairing state */
4169 else if (status == HCI_ERR_CONNECTION_EXISTS)
4171 BTM_TRACE_WARNING ("Security Manager: btm_sec_connected: Wait for incoming connection");
4175 is_pairing_device = TRUE;
4178 /* If connection was made to do bonding restore link security if changed */
4181 /* if connection fails during pin request, notify application */
4182 if (status != HCI_SUCCESS)
4184 /* If connection failed because of during pairing, need to tell user */
4185 if (is_pairing_device)
4187 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4188 p_dev_rec->sec_flags &= ~((BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED) << bit_shift);
4189 BTM_TRACE_DEBUG ("security_required:%x ", p_dev_rec->security_required );
4191 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4193 /* We need to notify host that the key is not known any more */
4194 if (btm_cb.api.p_auth_complete_callback)
4196 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4197 p_dev_rec->dev_class,
4198 p_dev_rec->sec_bd_name, status);
4202 Do not send authentication failure, if following conditions hold good
4203 1. BTM Sec Pairing state is idle
4204 2. Link key for the remote device is present.
4205 3. Remote is SSP capable.
4207 else if ((p_dev_rec->link_key_type <= BTM_LKEY_TYPE_REMOTE_UNIT) &&
4208 (((status == HCI_ERR_AUTH_FAILURE) ||
4209 (status == HCI_ERR_KEY_MISSING) ||
4210 (status == HCI_ERR_HOST_REJECT_SECURITY) ||
4211 (status == HCI_ERR_PAIRING_NOT_ALLOWED) ||
4212 (status == HCI_ERR_UNIT_KEY_USED) ||
4213 (status == HCI_ERR_PAIRING_WITH_UNIT_KEY_NOT_SUPPORTED) ||
4214 (status == HCI_ERR_ENCRY_MODE_NOT_ACCEPTABLE) ||
4215 (status == HCI_ERR_REPEATED_ATTEMPTS))))
4217 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4218 p_dev_rec->sec_flags &= ~ (BTM_SEC_LE_LINK_KEY_KNOWN << bit_shift);
4221 #ifdef BRCM_NOT_4_BTE
4222 /* If we rejected pairing, pass this special result code */
4223 if (btm_cb.acl_disc_reason == HCI_ERR_HOST_REJECT_SECURITY)
4225 status = HCI_ERR_HOST_REJECT_SECURITY;
4229 /* We need to notify host that the key is not known any more */
4230 if (btm_cb.api.p_auth_complete_callback)
4232 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4233 p_dev_rec->dev_class,
4234 p_dev_rec->sec_bd_name, status);
4238 if (status == HCI_ERR_CONNECTION_TOUT || status == HCI_ERR_LMP_RESPONSE_TIMEOUT ||
4239 status == HCI_ERR_UNSPECIFIED || status == HCI_ERR_PAGE_TIMEOUT)
4240 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_DEVICE_TIMEOUT, FALSE);
4242 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING, FALSE);
4247 /* If initiated dedicated bonding, return the link key now, and initiate disconnect */
4248 /* If dedicated bonding, and we now have a link key, we are all done */
4249 if ( is_pairing_device
4250 && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) )
4252 if (p_dev_rec->link_key_not_sent)
4254 p_dev_rec->link_key_not_sent = FALSE;
4255 btm_send_link_key_notif(p_dev_rec);
4258 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4260 /* remember flag before it is initialized */
4261 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4266 if (btm_cb.api.p_auth_complete_callback)
4267 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4268 p_dev_rec->dev_class,
4269 p_dev_rec->sec_bd_name, HCI_SUCCESS);
4271 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4275 /* Let l2cap start bond timer */
4276 l2cu_update_lcb_4_bonding (p_dev_rec->bd_addr, TRUE);
4282 p_dev_rec->hci_handle = handle;
4284 /* role may not be correct here, it will be updated by l2cap, but we need to */
4285 /* notify btm_acl that link is up, so starting of rmt name request will not */
4286 /* set paging flag up */
4287 p_acl_cb = btm_bda_to_acl(bda, BT_TRANSPORT_BR_EDR);
4290 /* whatever is in btm_establish_continue() without reporting the BTM_BL_CONN_EVT event */
4291 #if (!defined(BTM_BYPASS_EXTRA_ACL_SETUP) || BTM_BYPASS_EXTRA_ACL_SETUP == FALSE)
4292 /* For now there are a some devices that do not like sending */
4293 /* commands events and data at the same time. */
4294 /* Set the packet types to the default allowed by the device */
4295 btm_set_packet_types (p_acl_cb, btm_cb.btm_acl_pkt_types_supported);
4297 if (btm_cb.btm_def_link_policy)
4298 BTM_SetLinkPolicy (p_acl_cb->remote_addr, &btm_cb.btm_def_link_policy);
4301 btm_acl_created (bda, p_dev_rec->dev_class, p_dev_rec->sec_bd_name, handle, HCI_ROLE_SLAVE, BT_TRANSPORT_BR_EDR);
4303 /* Initialize security flags. We need to do that because some */
4304 /* authorization complete could have come after the connection is dropped */
4305 /* and that would set wrong flag that link has been authorized already */
4306 p_dev_rec->sec_flags &= ~((BTM_SEC_AUTHORIZED | BTM_SEC_AUTHENTICATED |
4307 BTM_SEC_ENCRYPTED | BTM_SEC_ROLE_SWITCHED) << bit_shift);
4309 if (enc_mode != HCI_ENCRYPT_MODE_DISABLED)
4310 p_dev_rec->sec_flags |= ((BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED) << bit_shift);
4312 if (btm_cb.security_mode == BTM_SEC_MODE_LINK)
4313 p_dev_rec->sec_flags |= (BTM_SEC_AUTHENTICATED << bit_shift);
4315 p_dev_rec->link_key_changed = FALSE;
4317 /* After connection is established we perform security if we do not know */
4318 /* the name, or if we are originator because some procedure can have */
4319 /* been scheduled while connection was down */
4320 BTM_TRACE_DEBUG ("is_originator:%d ", p_dev_rec->is_originator);
4321 if (!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN) || p_dev_rec->is_originator)
4323 if ((res = btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED)
4324 btm_sec_dev_rec_cback_event (p_dev_rec, res, FALSE);
4329 /*******************************************************************************
4331 ** Function btm_sec_disconnect
4333 ** Description This function is called to disconnect HCI link
4335 ** Returns btm status
4337 *******************************************************************************/
4338 tBTM_STATUS btm_sec_disconnect (UINT16 handle, UINT8 reason)
4340 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle);
4342 /* In some weird race condition we may not have a record */
4345 btsnd_hcic_disconnect (handle, reason);
4346 return(BTM_SUCCESS);
4349 /* If we are in the process of bonding we need to tell client that auth failed */
4350 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4351 && (memcmp (btm_cb.pairing_bda, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0)
4352 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) )
4354 /* we are currently doing bonding. Link will be disconnected when done */
4355 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_DISC_WHEN_DONE;
4359 return(btm_sec_send_hci_disconnect(p_dev_rec, reason, handle));
4362 /*******************************************************************************
4364 ** Function btm_sec_disconnected
4366 ** Description This function is when a connection to the peer device is
4371 *******************************************************************************/
4372 void btm_sec_disconnected (UINT16 handle, UINT8 reason)
4374 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle);
4375 UINT8 old_pairing_flags = btm_cb.pairing_flags;
4376 int result = HCI_ERR_AUTH_FAILURE;
4377 tBTM_SEC_CALLBACK *p_callback = NULL;
4378 tBT_TRANSPORT transport = BT_TRANSPORT_BR_EDR;
4380 /* If page was delayed for disc complete, can do it now */
4381 btm_cb.discing = FALSE;
4383 btm_acl_resubmit_page();
4388 transport = (handle == p_dev_rec->hci_handle) ? BT_TRANSPORT_BR_EDR: BT_TRANSPORT_LE;
4390 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */
4392 #if BTM_DISC_DURING_RS == TRUE
4393 LOG_INFO("%s clearing pending flag handle:%d reason:%d", __func__, handle, reason);
4394 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */
4397 /* clear unused flags */
4398 p_dev_rec->sm4 &= BTM_SM4_TRUE;
4400 uint8_t *bd_addr = (uint8_t *)p_dev_rec->bd_addr;
4401 BTM_TRACE_EVENT("%s sec_req:x%x state:%s reason:%d bd_addr:%02x:%02x:%02x:%02x:%02x:%02x"
4402 " remote_name:%s", __func__, p_dev_rec->security_required, btm_pair_state_descr(btm_cb.pairing_state),
4403 reason, bd_addr[0], bd_addr[1], bd_addr[2], bd_addr[3], bd_addr[4], bd_addr[5], p_dev_rec->sec_bd_name);
4405 BTM_TRACE_EVENT("%s before update sec_flags=0x%x", __func__, p_dev_rec->sec_flags);
4407 /* If we are in the process of bonding we need to tell client that auth failed */
4408 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4409 && (memcmp (btm_cb.pairing_bda, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0))
4411 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4412 p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_KNOWN;
4413 if (btm_cb.api.p_auth_complete_callback)
4415 /* If the disconnection reason is REPEATED_ATTEMPTS,
4416 send this error message to complete callback function
4417 to display the error message of Repeated attempts.
4418 All others, send HCI_ERR_AUTH_FAILURE. */
4419 if (reason == HCI_ERR_REPEATED_ATTEMPTS)
4421 result = HCI_ERR_REPEATED_ATTEMPTS;
4423 else if (old_pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4425 result = HCI_ERR_HOST_REJECT_SECURITY;
4427 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
4428 p_dev_rec->sec_bd_name, result);
4432 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
4433 p_dev_rec->enc_key_size = 0;
4434 btm_ble_update_mode_operation(HCI_ROLE_UNKNOWN, p_dev_rec->bd_addr, HCI_SUCCESS);
4435 /* see sec_flags processing in btm_acl_removed */
4437 if (transport == BT_TRANSPORT_LE)
4439 p_dev_rec->ble_hci_handle = BTM_SEC_INVALID_HANDLE;
4440 p_dev_rec->sec_flags &= ~(BTM_SEC_LE_AUTHENTICATED|BTM_SEC_LE_ENCRYPTED);
4445 p_dev_rec->hci_handle = BTM_SEC_INVALID_HANDLE;
4446 p_dev_rec->sec_flags &= ~(BTM_SEC_AUTHORIZED | BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED | BTM_SEC_ROLE_SWITCHED);
4449 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
4450 if (p_dev_rec->sec_state == BTM_SEC_STATE_DISCONNECTING_BOTH)
4452 p_dev_rec->sec_state = (transport == BT_TRANSPORT_LE) ?
4453 BTM_SEC_STATE_DISCONNECTING : BTM_SEC_STATE_DISCONNECTING_BLE;
4457 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
4458 p_dev_rec->security_required = BTM_SEC_NONE;
4460 p_callback = p_dev_rec->p_callback;
4462 /* if security is pending, send callback to clean up the security state */
4465 p_dev_rec->p_callback = NULL; /* when the peer device time out the authentication before
4466 we do, this call back must be reset here */
4467 (*p_callback) (p_dev_rec->bd_addr, transport, p_dev_rec->p_ref_data, BTM_ERR_PROCESSING);
4470 BTM_TRACE_EVENT("%s after update sec_flags=0x%x", __func__, p_dev_rec->sec_flags);
4473 /*******************************************************************************
4475 ** Function btm_sec_link_key_notification
4477 ** Description This function is called when a new connection link key is
4480 ** Returns Pointer to the record or NULL
4482 *******************************************************************************/
4483 void btm_sec_link_key_notification (UINT8 *p_bda, UINT8 *p_link_key, UINT8 key_type)
4485 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_or_alloc_dev (p_bda);
4486 BOOLEAN we_are_bonding = FALSE;
4487 BOOLEAN ltk_derived_lk = FALSE;
4489 BTM_TRACE_EVENT ("btm_sec_link_key_notification() BDA:%04x%08x, TYPE: %d",
4490 (p_bda[0]<<8)+p_bda[1], (p_bda[2]<<24)+(p_bda[3]<<16)+(p_bda[4]<<8)+p_bda[5],
4493 if ((key_type >= BTM_LTK_DERIVED_LKEY_OFFSET + BTM_LKEY_TYPE_COMBINATION) &&
4494 (key_type <= BTM_LTK_DERIVED_LKEY_OFFSET + BTM_LKEY_TYPE_AUTH_COMB_P_256))
4496 ltk_derived_lk = TRUE;
4497 key_type -= BTM_LTK_DERIVED_LKEY_OFFSET;
4499 /* If connection was made to do bonding restore link security if changed */
4502 if (key_type != BTM_LKEY_TYPE_CHANGED_COMB)
4503 p_dev_rec->link_key_type = key_type;
4505 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_KNOWN;
4506 #if (BLE_INCLUDED == TRUE)
4507 /* BR/EDR connection, update the encryption key size to be 16 as always */
4508 p_dev_rec->enc_key_size = 16;
4510 memcpy (p_dev_rec->link_key, p_link_key, LINK_KEY_LEN);
4512 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4513 && (memcmp (btm_cb.pairing_bda, p_bda, BD_ADDR_LEN) == 0) )
4515 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4516 we_are_bonding = TRUE;
4518 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4521 /* save LTK derived LK no matter what */
4524 if (btm_cb.api.p_link_key_callback)
4526 BTM_TRACE_DEBUG ("%s() Save LTK derived LK (key_type = %d)",
4527 __FUNCTION__, p_dev_rec->link_key_type);
4528 (*btm_cb.api.p_link_key_callback) (p_bda, p_dev_rec->dev_class,
4529 p_dev_rec->sec_bd_name,
4530 p_link_key, p_dev_rec->link_key_type);
4533 #if BTM_CROSS_TRANSP_KEY_DERIVATION == TRUE
4536 if ((p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256) ||
4537 (p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256))
4539 p_dev_rec->new_encr_key_256 = TRUE;
4540 BTM_TRACE_DEBUG ("%s set new_encr_key_256 to %d",
4541 __func__, p_dev_rec->new_encr_key_256);
4546 /* If name is not known at this point delay calling callback until the name is */
4547 /* resolved. Unless it is a HID Device and we really need to send all link keys. */
4548 if ((!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
4549 && ((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) != BTM_COD_MAJOR_PERIPHERAL)) )
4551 BTM_TRACE_EVENT ("btm_sec_link_key_notification() Delayed BDA: %08x%04x Type:%d",
4552 (p_bda[0]<<24) + (p_bda[1]<<16) + (p_bda[2]<<8) + p_bda[3],
4553 (p_bda[4] << 8) + p_bda[5], key_type);
4555 p_dev_rec->link_key_not_sent = TRUE;
4557 /* If it is for bonding nothing else will follow, so we need to start name resolution */
4560 if (!(btsnd_hcic_rmt_name_req (p_bda, HCI_PAGE_SCAN_REP_MODE_R1, HCI_MANDATARY_PAGE_SCAN_MODE, 0)))
4561 btm_inq_rmt_name_failed();
4564 BTM_TRACE_EVENT ("rmt_io_caps:%d, sec_flags:x%x, dev_class[1]:x%02x", p_dev_rec->rmt_io_caps, p_dev_rec->sec_flags, p_dev_rec->dev_class[1])
4568 /* If its not us who perform authentication, we should tell stackserver */
4569 /* that some authentication has been completed */
4570 /* This is required when different entities receive link notification and auth complete */
4571 if (!(p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE))
4573 if (btm_cb.api.p_auth_complete_callback)
4574 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
4575 p_dev_rec->sec_bd_name, HCI_SUCCESS);
4578 /* We will save link key only if the user authorized it - BTE report link key in all cases */
4579 #ifdef BRCM_NONE_BTE
4580 if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED)
4583 if (btm_cb.api.p_link_key_callback)
4585 (*btm_cb.api.p_link_key_callback) (p_bda, p_dev_rec->dev_class, p_dev_rec->sec_bd_name,
4586 p_link_key, p_dev_rec->link_key_type);
4591 /*******************************************************************************
4593 ** Function btm_sec_link_key_request
4595 ** Description This function is called when controller requests link key
4597 ** Returns Pointer to the record or NULL
4599 *******************************************************************************/
4600 void btm_sec_link_key_request (UINT8 *p_bda)
4602 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_or_alloc_dev (p_bda);
4604 BTM_TRACE_EVENT ("btm_sec_link_key_request() BDA: %02x:%02x:%02x:%02x:%02x:%02x",
4605 p_bda[0], p_bda[1], p_bda[2], p_bda[3], p_bda[4], p_bda[5]);
4607 if( (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_PIN_REQ) &&
4608 (btm_cb.collision_start_time != 0) &&
4609 (memcmp (btm_cb.p_collided_dev_rec->bd_addr, p_bda, BD_ADDR_LEN) == 0) )
4611 BTM_TRACE_EVENT ("btm_sec_link_key_request() rejecting link key req "
4612 "State: %d START_TIMEOUT : %d",
4613 btm_cb.pairing_state, btm_cb.collision_start_time);
4614 btsnd_hcic_link_key_neg_reply (p_bda);
4617 if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)
4619 btsnd_hcic_link_key_req_reply (p_bda, p_dev_rec->link_key);
4623 /* Notify L2CAP to increase timeout */
4624 l2c_pin_code_request (p_bda);
4626 /* The link key is not in the database and it is not known to the manager */
4627 btsnd_hcic_link_key_neg_reply (p_bda);
4630 /*******************************************************************************
4632 ** Function btm_sec_pairing_timeout
4634 ** Description This function is called when host does not provide PIN
4635 ** within requested time
4637 ** Returns Pointer to the TLE struct
4639 *******************************************************************************/
4640 static void btm_sec_pairing_timeout (TIMER_LIST_ENT *p_tle)
4642 tBTM_CB *p_cb = &btm_cb;
4643 tBTM_SEC_DEV_REC *p_dev_rec;
4644 #if BTM_OOB_INCLUDED == TRUE
4645 #if (BTM_LOCAL_IO_CAPS == BTM_IO_CAP_NONE)
4646 tBTM_AUTH_REQ auth_req = BTM_AUTH_AP_NO;
4648 tBTM_AUTH_REQ auth_req = BTM_AUTH_AP_YES;
4654 p_cb->pairing_tle.param = 0;
4655 /* Coverity: FALSE-POSITIVE error from Coverity tool. Please do NOT remove following comment. */
4656 /* coverity[UNUSED_VALUE] pointer p_dev_rec is actually used several times... This is a Coverity false-positive, i.e. a fake issue.
4658 p_dev_rec = btm_find_dev (p_cb->pairing_bda);
4660 BTM_TRACE_EVENT ("btm_sec_pairing_timeout() State: %s Flags: %u",
4661 btm_pair_state_descr(p_cb->pairing_state), p_cb->pairing_flags);
4663 switch (p_cb->pairing_state)
4665 case BTM_PAIR_STATE_WAIT_PIN_REQ:
4666 btm_sec_bond_cancel_complete();
4669 case BTM_PAIR_STATE_WAIT_LOCAL_PIN:
4670 if ( (btm_cb.pairing_flags & BTM_PAIR_FLAGS_PRE_FETCH_PIN) == 0)
4671 btsnd_hcic_pin_code_neg_reply (p_cb->pairing_bda);
4672 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4673 /* We need to notify the UI that no longer need the PIN */
4674 if (btm_cb.api.p_auth_complete_callback)
4676 if (p_dev_rec == NULL)
4679 (*btm_cb.api.p_auth_complete_callback) (p_cb->pairing_bda,
4681 name, HCI_ERR_CONNECTION_TOUT);
4684 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4685 p_dev_rec->dev_class,
4686 p_dev_rec->sec_bd_name, HCI_ERR_CONNECTION_TOUT);
4690 case BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM:
4691 btsnd_hcic_user_conf_reply (p_cb->pairing_bda, FALSE);
4692 /* btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); */
4695 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
4696 case BTM_PAIR_STATE_KEY_ENTRY:
4697 btsnd_hcic_user_passkey_neg_reply(p_cb->pairing_bda);
4698 /* btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); */
4700 #endif /* !BTM_IO_CAP_NONE */
4702 #if BTM_OOB_INCLUDED == TRUE
4703 case BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS:
4704 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4705 auth_req |= BTM_AUTH_DD_BOND;
4707 btsnd_hcic_io_cap_req_reply (p_cb->pairing_bda, btm_cb.devcb.loc_io_caps,
4708 BTM_OOB_NONE, auth_req);
4709 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4712 case BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP:
4713 btsnd_hcic_rem_oob_neg_reply (p_cb->pairing_bda);
4714 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4716 #endif /* BTM_OOB_INCLUDED */
4718 case BTM_PAIR_STATE_WAIT_DISCONNECT:
4719 /* simple pairing failed. Started a 1-sec timer at simple pairing complete.
4720 * now it's time to tear down the ACL link*/
4721 if (p_dev_rec == NULL)
4723 BTM_TRACE_ERROR ("btm_sec_pairing_timeout() BTM_PAIR_STATE_WAIT_DISCONNECT unknown BDA: %08x%04x",
4724 (p_cb->pairing_bda[0]<<24) + (p_cb->pairing_bda[1]<<16) + (p_cb->pairing_bda[2]<<8) + p_cb->pairing_bda[3],
4725 (p_cb->pairing_bda[4] << 8) + p_cb->pairing_bda[5]);
4728 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE, p_dev_rec->hci_handle);
4729 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4732 case BTM_PAIR_STATE_WAIT_AUTH_COMPLETE:
4733 /* We need to notify the UI that timeout has happened while waiting for authentication*/
4734 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4735 if (btm_cb.api.p_auth_complete_callback)
4737 if (p_dev_rec == NULL)
4740 (*btm_cb.api.p_auth_complete_callback) (p_cb->pairing_bda,
4742 name, HCI_ERR_CONNECTION_TOUT);
4745 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4746 p_dev_rec->dev_class,
4747 p_dev_rec->sec_bd_name, HCI_ERR_CONNECTION_TOUT);
4752 BTM_TRACE_WARNING ("btm_sec_pairing_timeout() not processed state: %s", btm_pair_state_descr(btm_cb.pairing_state));
4753 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4758 /*******************************************************************************
4760 ** Function btm_sec_pin_code_request
4762 ** Description This function is called when controller requests PIN code
4764 ** Returns Pointer to the record or NULL
4766 *******************************************************************************/
4767 void btm_sec_pin_code_request (UINT8 *p_bda)
4769 tBTM_SEC_DEV_REC *p_dev_rec;
4770 tBTM_CB *p_cb = &btm_cb;
4772 #ifdef PORCHE_PAIRING_CONFLICT
4773 UINT8 default_pin_code_len = 4;
4774 PIN_CODE default_pin_code = {0x30, 0x30, 0x30, 0x30};
4776 BTM_TRACE_EVENT ("btm_sec_pin_code_request() State: %s, BDA:%04x%08x",
4777 btm_pair_state_descr(btm_cb.pairing_state),
4778 (p_bda[0]<<8)+p_bda[1], (p_bda[2]<<24)+(p_bda[3]<<16)+(p_bda[4]<<8)+p_bda[5] );
4780 if (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4782 if ( (memcmp (p_bda, btm_cb.pairing_bda, BD_ADDR_LEN) == 0) &&
4783 (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_AUTH_COMPLETE) )
4785 /* fake this out - porshe carkit issue - */
4786 // btm_cb.pairing_state = BTM_PAIR_STATE_IDLE;
4787 if(! btm_cb.pin_code_len_saved)
4789 btsnd_hcic_pin_code_neg_reply (p_bda);
4794 btsnd_hcic_pin_code_req_reply (p_bda, btm_cb.pin_code_len_saved, p_cb->pin_code);
4798 else if ((btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_PIN_REQ)
4799 || memcmp (p_bda, btm_cb.pairing_bda, BD_ADDR_LEN) != 0)
4801 BTM_TRACE_WARNING ("btm_sec_pin_code_request() rejected - state: %s",
4802 btm_pair_state_descr(btm_cb.pairing_state));
4804 #ifdef PORCHE_PAIRING_CONFLICT
4805 /* reply pin code again due to counter in_rand when local initiates pairing */
4806 BTM_TRACE_EVENT ("btm_sec_pin_code_request from remote dev. for local initiated pairing");
4807 if(! btm_cb.pin_code_len_saved)
4809 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
4810 btsnd_hcic_pin_code_req_reply (p_bda, default_pin_code_len, default_pin_code);
4814 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
4815 btsnd_hcic_pin_code_req_reply (p_bda, btm_cb.pin_code_len_saved, p_cb->pin_code);
4818 btsnd_hcic_pin_code_neg_reply (p_bda);
4824 p_dev_rec = btm_find_or_alloc_dev (p_bda);
4825 /* received PIN code request. must be non-sm4 */
4826 p_dev_rec->sm4 = BTM_SM4_KNOWN;
4828 if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
4830 memcpy (btm_cb.pairing_bda, p_bda, BD_ADDR_LEN);
4832 btm_cb.pairing_flags = BTM_PAIR_FLAGS_PEER_STARTED_DD;
4833 /* Make sure we reset the trusted mask to help against attacks */
4834 BTM_SEC_CLR_TRUSTED_DEVICE(p_dev_rec->trusted_mask);
4837 if (!p_cb->pairing_disabled && (p_cb->cfg.pin_type == HCI_PIN_TYPE_FIXED))
4839 BTM_TRACE_EVENT ("btm_sec_pin_code_request fixed pin replying");
4840 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
4841 btsnd_hcic_pin_code_req_reply (p_bda, p_cb->cfg.pin_code_len, p_cb->cfg.pin_code);
4845 /* Use the connecting device's CoD for the connection */
4846 if ( (!memcmp (p_bda, p_cb->connecting_bda, BD_ADDR_LEN))
4847 && (p_cb->connecting_dc[0] || p_cb->connecting_dc[1] || p_cb->connecting_dc[2]) )
4848 memcpy (p_dev_rec->dev_class, p_cb->connecting_dc, DEV_CLASS_LEN);
4850 /* We could have started connection after asking user for the PIN code */
4851 if (btm_cb.pin_code_len != 0)
4853 BTM_TRACE_EVENT ("btm_sec_pin_code_request bonding sending reply");
4854 btsnd_hcic_pin_code_req_reply (p_bda, btm_cb.pin_code_len, p_cb->pin_code);
4856 #ifdef PORCHE_PAIRING_CONFLICT
4857 btm_cb.pin_code_len_saved = btm_cb.pin_code_len;
4860 /* Mark that we forwarded received from the user PIN code */
4861 btm_cb.pin_code_len = 0;
4863 /* We can change mode back right away, that other connection being established */
4864 /* is not forced to be secure - found a FW issue, so we can not do this
4865 btm_restore_mode(); */
4867 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
4870 /* If pairing disabled OR (no PIN callback and not bonding) */
4871 /* OR we could not allocate entry in the database reject pairing request */
4872 else if (p_cb->pairing_disabled
4873 || (p_cb->api.p_pin_callback == NULL)
4875 /* OR Microsoft keyboard can for some reason try to establish connection */
4876 /* the only thing we can do here is to shut it up. Normally we will be originator */
4877 /* for keyboard bonding */
4878 || (!p_dev_rec->is_originator
4879 && ((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) == BTM_COD_MAJOR_PERIPHERAL)
4880 && (p_dev_rec->dev_class[2] & BTM_COD_MINOR_KEYBOARD)) )
4882 BTM_TRACE_WARNING("btm_sec_pin_code_request(): Pairing disabled:%d; PIN callback:%x, Dev Rec:%x!",
4883 p_cb->pairing_disabled, p_cb->api.p_pin_callback, p_dev_rec);
4885 btsnd_hcic_pin_code_neg_reply (p_bda);
4887 /* Notify upper layer of PIN request and start expiration timer */
4890 btm_cb.pin_code_len_saved = 0;
4891 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_PIN);
4892 /* Pin code request can not come at the same time as connection request */
4893 memcpy (p_cb->connecting_bda, p_bda, BD_ADDR_LEN);
4894 memcpy (p_cb->connecting_dc, p_dev_rec->dev_class, DEV_CLASS_LEN);
4896 /* Check if the name is known */
4897 /* Even if name is not known we might not be able to get one */
4898 /* this is the case when we are already getting something from the */
4899 /* device, so HCI level is flow controlled */
4900 /* Also cannot send remote name request while paging, i.e. connection is not completed */
4901 if (p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
4903 BTM_TRACE_EVENT ("btm_sec_pin_code_request going for callback");
4905 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
4906 if (p_cb->api.p_pin_callback)
4907 (*p_cb->api.p_pin_callback) (p_bda, p_dev_rec->dev_class, p_dev_rec->sec_bd_name);
4911 BTM_TRACE_EVENT ("btm_sec_pin_code_request going for remote name");
4913 /* We received PIN code request for the device with unknown name */
4914 /* it is not user friendly just to ask for the PIN without name */
4915 /* try to get name at first */
4916 if (!btsnd_hcic_rmt_name_req (p_dev_rec->bd_addr,
4917 HCI_PAGE_SCAN_REP_MODE_R1,
4918 HCI_MANDATARY_PAGE_SCAN_MODE, 0))
4920 p_dev_rec->sec_flags |= BTM_SEC_NAME_KNOWN;
4921 p_dev_rec->sec_bd_name[0] = 'f';
4922 p_dev_rec->sec_bd_name[1] = '0';
4923 BTM_TRACE_ERROR ("can not send rmt_name_req?? fake a name and call callback");
4925 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
4926 if (p_cb->api.p_pin_callback)
4927 (*p_cb->api.p_pin_callback) (p_bda, p_dev_rec->dev_class, p_dev_rec->sec_bd_name);
4935 /*******************************************************************************
4937 ** Function btm_sec_update_clock_offset
4939 ** Description This function is called to update clock offset
4943 *******************************************************************************/
4944 void btm_sec_update_clock_offset (UINT16 handle, UINT16 clock_offset)
4946 tBTM_SEC_DEV_REC *p_dev_rec;
4947 tBTM_INQ_INFO *p_inq_info;
4949 if ((p_dev_rec = btm_find_dev_by_handle (handle)) == NULL)
4952 p_dev_rec->clock_offset = clock_offset | BTM_CLOCK_OFFSET_VALID;
4954 if ((p_inq_info = BTM_InqDbRead(p_dev_rec->bd_addr)) == NULL)
4957 p_inq_info->results.clock_offset = clock_offset | BTM_CLOCK_OFFSET_VALID;
4961 /******************************************************************
4962 ** S T A T I C F U N C T I O N S
4963 *******************************************************************/
4965 /*******************************************************************************
4967 ** Function btm_sec_execute_procedure
4969 ** Description This function is called to start required security
4970 ** procedure. There is a case when multiplexing protocol
4971 ** calls this function on the originating side, connection to
4972 ** the peer will not be established. This function in this
4973 ** case performs only authorization.
4975 ** Returns BTM_SUCCESS - permission is granted
4976 ** BTM_CMD_STARTED - in process
4977 ** BTM_NO_RESOURCES - permission declined
4979 *******************************************************************************/
4980 static tBTM_STATUS btm_sec_execute_procedure (tBTM_SEC_DEV_REC *p_dev_rec)
4982 BTM_TRACE_EVENT ("btm_sec_execute_procedure: Required:0x%x Flags:0x%x State:%d",
4983 p_dev_rec->security_required, p_dev_rec->sec_flags, p_dev_rec->sec_state);
4985 /* There is a chance that we are getting name. Wait until done. */
4986 if (p_dev_rec->sec_state != 0)
4987 return(BTM_CMD_STARTED);
4989 /* If any security is required, get the name first */
4990 if (!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
4991 && (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE))
4993 BTM_TRACE_EVENT ("Security Manager: Start get name");
4994 if (!btm_sec_start_get_name (p_dev_rec))
4996 return(BTM_NO_RESOURCES);
4998 return(BTM_CMD_STARTED);
5001 /* If connection is not authenticated and authentication is required */
5002 /* start authentication and return PENDING to the caller */
5003 if ((!(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))
5004 && (( p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE))
5005 || (!p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_IN_AUTHENTICATE)))
5006 && (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE))
5008 #if (L2CAP_UCD_INCLUDED == TRUE)
5009 /* if incoming UCD packet, discard it */
5010 if ( !p_dev_rec->is_originator && (p_dev_rec->is_ucd == TRUE ))
5011 return(BTM_FAILED_ON_SECURITY);
5014 BTM_TRACE_EVENT ("Security Manager: Start authentication");
5016 if (!btm_sec_start_authentication (p_dev_rec))
5018 return(BTM_NO_RESOURCES);
5020 return(BTM_CMD_STARTED);
5023 /* If connection is not encrypted and encryption is required */
5024 /* start encryption and return PENDING to the caller */
5025 if (!(p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)
5026 && (( p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_OUT_ENCRYPT))
5027 || (!p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_IN_ENCRYPT)))
5028 && (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE))
5030 #if (L2CAP_UCD_INCLUDED == TRUE)
5031 /* if incoming UCD packet, discard it */
5032 if ( !p_dev_rec->is_originator && (p_dev_rec->is_ucd == TRUE ))
5033 return(BTM_FAILED_ON_SECURITY);
5036 BTM_TRACE_EVENT ("Security Manager: Start encryption");
5038 if (!btm_sec_start_encryption (p_dev_rec))
5040 return(BTM_NO_RESOURCES);
5042 return(BTM_CMD_STARTED);
5045 /* If connection is not authorized and authorization is required */
5046 /* start authorization and return PENDING to the caller */
5047 if (!(p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED)
5048 && (( p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_OUT_AUTHORIZE))
5049 || (!p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_IN_AUTHORIZE))))
5051 BTM_TRACE_EVENT ("service id:%d, is trusted:%d",
5052 p_dev_rec->p_cur_service->service_id,
5053 (BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask,
5054 p_dev_rec->p_cur_service->service_id)));
5055 if ((btm_sec_are_all_trusted(p_dev_rec->trusted_mask) == FALSE) &&
5056 (p_dev_rec->p_cur_service->service_id < BTM_SEC_MAX_SERVICES) &&
5057 (BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask,
5058 p_dev_rec->p_cur_service->service_id) == FALSE))
5060 BTM_TRACE_EVENT ("Security Manager: Start authorization");
5061 return(btm_sec_start_authorization (p_dev_rec));
5065 /* All required security procedures already established */
5066 p_dev_rec->security_required &= ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_IN_AUTHORIZE |
5067 BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_IN_AUTHENTICATE |
5068 BTM_SEC_OUT_ENCRYPT | BTM_SEC_IN_ENCRYPT |
5069 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER |
5070 BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
5072 BTM_TRACE_EVENT ("Security Manager: trusted:0x%04x%04x", p_dev_rec->trusted_mask[1], p_dev_rec->trusted_mask[0]);
5073 BTM_TRACE_EVENT ("Security Manager: access granted");
5075 return(BTM_SUCCESS);
5079 /*******************************************************************************
5081 ** Function btm_sec_start_get_name
5083 ** Description This function is called to start get name procedure
5085 ** Returns TRUE if started
5087 *******************************************************************************/
5088 static BOOLEAN btm_sec_start_get_name (tBTM_SEC_DEV_REC *p_dev_rec)
5090 UINT8 tempstate = p_dev_rec->sec_state;
5092 p_dev_rec->sec_state = BTM_SEC_STATE_GETTING_NAME;
5094 /* Device should be connected, no need to provide correct page params */
5095 /* 0 and NULL are as timeout and callback params because they are not used in security get name case */
5096 if ((btm_initiate_rem_name (p_dev_rec->bd_addr, NULL, BTM_RMT_NAME_SEC,
5097 0, NULL)) != BTM_CMD_STARTED)
5099 p_dev_rec->sec_state = tempstate;
5106 /*******************************************************************************
5108 ** Function btm_sec_start_authentication
5110 ** Description This function is called to start authentication
5112 ** Returns TRUE if started
5114 *******************************************************************************/
5115 static BOOLEAN btm_sec_start_authentication (tBTM_SEC_DEV_REC *p_dev_rec)
5117 p_dev_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING;
5119 return(btsnd_hcic_auth_request (p_dev_rec->hci_handle));
5122 /*******************************************************************************
5124 ** Function btm_sec_start_encryption
5126 ** Description This function is called to start encryption
5128 ** Returns TRUE if started
5130 *******************************************************************************/
5131 static BOOLEAN btm_sec_start_encryption (tBTM_SEC_DEV_REC *p_dev_rec)
5133 if (!btsnd_hcic_set_conn_encrypt (p_dev_rec->hci_handle, TRUE))
5136 p_dev_rec->sec_state = BTM_SEC_STATE_ENCRYPTING;
5141 /*******************************************************************************
5143 ** Function btm_sec_start_authorization
5145 ** Description This function is called to start authorization
5147 ** Returns TRUE if started
5149 *******************************************************************************/
5150 static UINT8 btm_sec_start_authorization (tBTM_SEC_DEV_REC *p_dev_rec)
5153 UINT8 *p_service_name = NULL;
5156 if ((p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
5157 || (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE))
5159 if (!btm_cb.api.p_authorize_callback)
5160 return(BTM_MODE_UNSUPPORTED);
5162 if (p_dev_rec->p_cur_service)
5164 #if BTM_SEC_SERVICE_NAME_LEN > 0
5165 if (p_dev_rec->is_originator)
5166 p_service_name = p_dev_rec->p_cur_service->orig_service_name;
5168 p_service_name = p_dev_rec->p_cur_service->term_service_name;
5170 service_id = p_dev_rec->p_cur_service->service_id;
5175 /* Send authorization request if not already sent during this service connection */
5176 if (p_dev_rec->last_author_service_id == BTM_SEC_NO_LAST_SERVICE_ID
5177 || p_dev_rec->last_author_service_id != service_id)
5179 p_dev_rec->sec_state = BTM_SEC_STATE_AUTHORIZING;
5180 result = (*btm_cb.api.p_authorize_callback) (p_dev_rec->bd_addr,
5181 p_dev_rec->dev_class,
5182 p_dev_rec->sec_bd_name,
5185 p_dev_rec->is_originator);
5188 else /* Already authorized once for this L2CAP bringup */
5190 BTM_TRACE_DEBUG ("btm_sec_start_authorization: (Ignoring extra Authorization prompt for service %d)", service_id);
5191 return (BTM_SUCCESS);
5194 if (result == BTM_SUCCESS)
5196 p_dev_rec->sec_flags |= BTM_SEC_AUTHORIZED;
5198 /* Save the currently authorized service in case we are asked again by another multiplexer layer */
5199 if (!p_dev_rec->is_originator)
5200 p_dev_rec->last_author_service_id = service_id;
5202 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
5206 btm_sec_start_get_name (p_dev_rec);
5207 return(BTM_CMD_STARTED);
5210 /*******************************************************************************
5212 ** Function btm_sec_are_all_trusted
5214 ** Description This function is called check if all services are trusted
5216 ** Returns TRUE if all are trusted, otherwise FALSE
5218 *******************************************************************************/
5219 BOOLEAN btm_sec_are_all_trusted(UINT32 p_mask[])
5222 for (trusted_inx = 0; trusted_inx < BTM_SEC_SERVICE_ARRAY_SIZE; trusted_inx++)
5224 if (p_mask[trusted_inx] != BTM_SEC_TRUST_ALL)
5231 /*******************************************************************************
5233 ** Function btm_sec_find_first_serv
5235 ** Description Look for the first record in the service database
5236 ** with specified PSM
5238 ** Returns Pointer to the record or NULL
5240 *******************************************************************************/
5241 static tBTM_SEC_SERV_REC *btm_sec_find_first_serv (CONNECTION_TYPE conn_type, UINT16 psm)
5243 tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0];
5245 BOOLEAN is_originator;
5247 #if (L2CAP_UCD_INCLUDED == TRUE)
5249 if ( conn_type & CONNECTION_TYPE_ORIG_MASK )
5250 is_originator = TRUE;
5252 is_originator = FALSE;
5254 is_originator = conn_type;
5257 if (is_originator && btm_cb.p_out_serv && btm_cb.p_out_serv->psm == psm)
5259 /* If this is outgoing connection and the PSM matches p_out_serv,
5260 * use it as the current service */
5261 return btm_cb.p_out_serv;
5264 /* otherwise, just find the first record with the specified PSM */
5265 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++)
5267 if ( (p_serv_rec->security_flags & BTM_SEC_IN_USE) && (p_serv_rec->psm == psm) )
5274 /*******************************************************************************
5276 ** Function btm_sec_find_next_serv
5278 ** Description Look for the next record in the service database
5279 ** with specified PSM
5281 ** Returns Pointer to the record or NULL
5283 *******************************************************************************/
5284 static tBTM_SEC_SERV_REC *btm_sec_find_next_serv (tBTM_SEC_SERV_REC *p_cur)
5286 tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0];
5289 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++)
5291 if ((p_serv_rec->security_flags & BTM_SEC_IN_USE)
5292 && (p_serv_rec->psm == p_cur->psm) )
5294 if (p_cur != p_serv_rec)
5304 /*******************************************************************************
5306 ** Function btm_sec_find_mx_serv
5308 ** Description Look for the record in the service database with specified
5309 ** PSM and multiplexor channel information
5311 ** Returns Pointer to the record or NULL
5313 *******************************************************************************/
5314 static tBTM_SEC_SERV_REC *btm_sec_find_mx_serv (UINT8 is_originator, UINT16 psm,
5315 UINT32 mx_proto_id, UINT32 mx_chan_id)
5317 tBTM_SEC_SERV_REC *p_out_serv = btm_cb.p_out_serv;
5318 tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0];
5321 BTM_TRACE_DEBUG ("%s()", __func__);
5322 if (is_originator && p_out_serv && p_out_serv->psm == psm
5323 && p_out_serv->mx_proto_id == mx_proto_id
5324 && p_out_serv->orig_mx_chan_id == mx_chan_id)
5326 /* If this is outgoing connection and the parameters match p_out_serv,
5327 * use it as the current service */
5328 return btm_cb.p_out_serv;
5331 /* otherwise, the old way */
5332 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++)
5334 if ((p_serv_rec->security_flags & BTM_SEC_IN_USE)
5335 && (p_serv_rec->psm == psm)
5336 && (p_serv_rec->mx_proto_id == mx_proto_id)
5337 && (( is_originator && (p_serv_rec->orig_mx_chan_id == mx_chan_id))
5338 || (!is_originator && (p_serv_rec->term_mx_chan_id == mx_chan_id))))
5347 /*******************************************************************************
5349 ** Function btm_sec_collision_timeout
5351 ** Description Encryption could not start because of the collision
5352 ** try to do it again
5354 ** Returns Pointer to the TLE struct
5356 *******************************************************************************/
5357 static void btm_sec_collision_timeout (TIMER_LIST_ENT *p_tle)
5361 BTM_TRACE_EVENT ("%s()", __func__);
5362 btm_cb.sec_collision_tle.param = 0;
5364 tBTM_STATUS status = btm_sec_execute_procedure (btm_cb.p_collided_dev_rec);
5366 /* If result is pending reply from the user or from the device is pending */
5367 if (status != BTM_CMD_STARTED)
5369 /* There is no next procedure or start of procedure failed, notify the waiting layer */
5370 btm_sec_dev_rec_cback_event (btm_cb.p_collided_dev_rec, status, FALSE);
5374 /*******************************************************************************
5376 ** Function btm_sec_link_key_request
5378 ** Description This function is called when controller requests link key
5380 ** Returns Pointer to the record or NULL
5382 *******************************************************************************/
5383 static void btm_send_link_key_notif (tBTM_SEC_DEV_REC *p_dev_rec)
5385 if (btm_cb.api.p_link_key_callback)
5386 (*btm_cb.api.p_link_key_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
5387 p_dev_rec->sec_bd_name, p_dev_rec->link_key,
5388 p_dev_rec->link_key_type);
5391 /*******************************************************************************
5393 ** Function BTM_ReadTrustedMask
5395 ** Description Get trusted mask for the peer device
5397 ** Parameters: bd_addr - Address of the device
5399 ** Returns NULL, if the device record is not found.
5400 ** otherwise, the trusted mask
5402 *******************************************************************************/
5403 UINT32 * BTM_ReadTrustedMask (BD_ADDR bd_addr)
5405 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr);
5406 if (p_dev_rec != NULL)
5407 return(p_dev_rec->trusted_mask);
5411 /*******************************************************************************
5413 ** Function btm_restore_mode
5415 ** Description This function returns the security mode to previous setting
5416 ** if it was changed during bonding.
5421 *******************************************************************************/
5422 static void btm_restore_mode(void)
5424 if (btm_cb.security_mode_changed)
5426 btm_cb.security_mode_changed = FALSE;
5427 BTM_TRACE_DEBUG("%s() Auth enable -> %d", __func__, (btm_cb.security_mode == BTM_SEC_MODE_LINK));
5428 btsnd_hcic_write_auth_enable ((UINT8)(btm_cb.security_mode == BTM_SEC_MODE_LINK));
5431 if (btm_cb.pin_type_changed)
5433 btm_cb.pin_type_changed = FALSE;
5434 btsnd_hcic_write_pin_type (btm_cb.cfg.pin_type);
5439 /*******************************************************************************
5441 ** Function btm_sec_find_dev_by_sec_state
5443 ** Description Look for the record in the device database for the device
5444 ** which is being authenticated or encrypted
5446 ** Returns Pointer to the record or NULL
5448 *******************************************************************************/
5449 tBTM_SEC_DEV_REC *btm_sec_find_dev_by_sec_state (UINT8 state)
5451 tBTM_SEC_DEV_REC *p_dev_rec = &btm_cb.sec_dev_rec[0];
5453 for (int i = 0; i < BTM_SEC_MAX_DEVICE_RECORDS; i++, p_dev_rec++)
5455 if ((p_dev_rec->sec_flags & BTM_SEC_IN_USE)
5456 && (p_dev_rec->sec_state == state))
5462 /*******************************************************************************
5464 ** Function btm_sec_change_pairing_state
5466 ** Description This function is called to change pairing state
5468 *******************************************************************************/
5469 static void btm_sec_change_pairing_state (tBTM_PAIRING_STATE new_state)
5471 tBTM_PAIRING_STATE old_state = btm_cb.pairing_state;
5473 BTM_TRACE_EVENT ("%s() Old: %s", __func__, btm_pair_state_descr(btm_cb.pairing_state));
5474 BTM_TRACE_EVENT ("%s() New: %s pairing_flags:0x%x", __func__,
5475 btm_pair_state_descr(new_state), btm_cb.pairing_flags);
5477 btm_cb.pairing_state = new_state;
5479 if (new_state == BTM_PAIR_STATE_IDLE)
5481 btu_stop_timer (&btm_cb.pairing_tle);
5483 btm_cb.pairing_flags = 0;
5484 btm_cb.pin_code_len = 0;
5486 /* Make sure the the lcb shows we are not bonding */
5487 l2cu_update_lcb_4_bonding (btm_cb.pairing_bda, FALSE);
5490 btm_sec_check_pending_reqs();
5491 btm_inq_clear_ssp();
5493 memset (btm_cb.pairing_bda, 0xFF, BD_ADDR_LEN);
5497 /* If transitionng out of idle, mark the lcb as bonding */
5498 if (old_state == BTM_PAIR_STATE_IDLE)
5499 l2cu_update_lcb_4_bonding (btm_cb.pairing_bda, TRUE);
5501 btm_cb.pairing_tle.param = (TIMER_PARAM_TYPE)btm_sec_pairing_timeout;
5503 btu_start_timer (&btm_cb.pairing_tle, BTU_TTYPE_USER_FUNC, BTM_SEC_TIMEOUT_VALUE);
5508 /*******************************************************************************
5510 ** Function btm_pair_state_descr
5512 ** Description Return state description for tracing
5514 *******************************************************************************/
5515 #if (BT_USE_TRACES == TRUE)
5516 static char *btm_pair_state_descr (tBTM_PAIRING_STATE state)
5518 #if (BT_TRACE_VERBOSE == TRUE)
5521 case BTM_PAIR_STATE_IDLE: return("IDLE");
5522 case BTM_PAIR_STATE_GET_REM_NAME: return("GET_REM_NAME");
5523 case BTM_PAIR_STATE_WAIT_PIN_REQ: return("WAIT_PIN_REQ");
5524 case BTM_PAIR_STATE_WAIT_LOCAL_PIN: return("WAIT_LOCAL_PIN");
5525 case BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM: return("WAIT_NUM_CONFIRM");
5526 case BTM_PAIR_STATE_KEY_ENTRY: return("KEY_ENTRY");
5527 case BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP: return("WAIT_LOCAL_OOB_RSP");
5528 case BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS: return("WAIT_LOCAL_IOCAPS");
5529 case BTM_PAIR_STATE_INCOMING_SSP: return("INCOMING_SSP");
5530 case BTM_PAIR_STATE_WAIT_AUTH_COMPLETE: return("WAIT_AUTH_COMPLETE");
5531 case BTM_PAIR_STATE_WAIT_DISCONNECT: return("WAIT_DISCONNECT");
5536 sprintf(btm_cb.state_temp_buffer,"%hu",state);
5538 return(btm_cb.state_temp_buffer);
5543 /*******************************************************************************
5545 ** Function btm_sec_dev_rec_cback_event
5547 ** Description This function calls the callback function with the given
5548 ** result and clear the callback function.
5552 *******************************************************************************/
5553 void btm_sec_dev_rec_cback_event (tBTM_SEC_DEV_REC *p_dev_rec, UINT8 res, BOOLEAN is_le_transport)
5555 tBTM_SEC_CALLBACK *p_callback = p_dev_rec->p_callback;
5556 tBT_TRANSPORT transport = is_le_transport ? BT_TRANSPORT_LE : BT_TRANSPORT_BR_EDR;
5558 if (p_dev_rec->p_callback)
5560 p_dev_rec->p_callback = NULL;
5561 (*p_callback) (p_dev_rec->bd_addr, transport, p_dev_rec->p_ref_data, res);
5564 btm_sec_check_pending_reqs();
5567 /*******************************************************************************
5569 ** Function btm_sec_queue_mx_request
5571 ** Description Return state description for tracing
5573 *******************************************************************************/
5574 static BOOLEAN btm_sec_queue_mx_request (BD_ADDR bd_addr, UINT16 psm, BOOLEAN is_orig,
5575 UINT32 mx_proto_id, UINT32 mx_chan_id,
5576 tBTM_SEC_CALLBACK *p_callback, void *p_ref_data)
5578 tBTM_SEC_QUEUE_ENTRY *p_e = (tBTM_SEC_QUEUE_ENTRY *)GKI_getbuf (sizeof(tBTM_SEC_QUEUE_ENTRY));
5583 p_e->is_orig = is_orig;
5584 p_e->p_callback = p_callback;
5585 p_e->p_ref_data = p_ref_data;
5586 p_e->mx_proto_id = mx_proto_id;
5587 p_e->mx_chan_id = mx_chan_id;
5588 p_e->transport = BT_TRANSPORT_BR_EDR;
5590 memcpy (p_e->bd_addr, bd_addr, BD_ADDR_LEN);
5592 BTM_TRACE_EVENT ("%s() PSM: 0x%04x Is_Orig: %u mx_proto_id: %u mx_chan_id: %u",
5593 __func__, psm, is_orig, mx_proto_id, mx_chan_id);
5595 GKI_enqueue (&btm_cb.sec_pending_q, p_e);
5603 static BOOLEAN btm_sec_check_prefetch_pin (tBTM_SEC_DEV_REC *p_dev_rec)
5605 UINT8 major = (UINT8)(p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK);
5606 UINT8 minor = (UINT8)(p_dev_rec->dev_class[2] & BTM_COD_MINOR_CLASS_MASK);
5609 if ((major == BTM_COD_MAJOR_AUDIO)
5610 && ((minor == BTM_COD_MINOR_CONFM_HANDSFREE) || (minor == BTM_COD_MINOR_CAR_AUDIO)) )
5612 BTM_TRACE_EVENT ("%s() Skipping pre-fetch PIN for carkit COD Major: 0x%02x Minor: 0x%02x",
5613 __func__, major, minor);
5615 if (btm_cb.security_mode_changed == FALSE)
5617 btm_cb.security_mode_changed = TRUE;
5618 #ifdef APPL_AUTH_WRITE_EXCEPTION
5619 if(!(APPL_AUTH_WRITE_EXCEPTION)(p_dev_rec->bd_addr))
5621 btsnd_hcic_write_auth_enable (TRUE);
5626 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_PIN);
5628 /* If we got a PIN, use that, else try to get one */
5629 if (btm_cb.pin_code_len)
5631 BTM_PINCodeReply (p_dev_rec->bd_addr, BTM_SUCCESS, btm_cb.pin_code_len, btm_cb.pin_code, p_dev_rec->trusted_mask);
5635 /* pin was not supplied - pre-fetch pin code now */
5636 if (btm_cb.api.p_pin_callback && ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PIN_REQD) == 0))
5638 BTM_TRACE_DEBUG("%s() PIN code callback called", __func__);
5639 if (btm_bda_to_acl(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR) == NULL)
5640 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
5641 (btm_cb.api.p_pin_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class, p_dev_rec->sec_bd_name);
5651 /*******************************************************************************
5653 ** Function btm_sec_auth_payload_tout
5655 ** Description Processes the HCI Autheniticated Payload Timeout Event
5656 ** indicating that a packet containing a valid MIC on the
5657 ** connection handle was not received within the programmed
5658 ** timeout value. (Spec Default is 30 secs, but can be
5659 ** changed via the BTM_SecSetAuthPayloadTimeout() function.
5661 *******************************************************************************/
5662 void btm_sec_auth_payload_tout (UINT8 *p, UINT16 hci_evt_len)
5666 STREAM_TO_UINT16 (handle, p);
5667 handle = HCID_GET_HANDLE (handle);
5669 /* Will be exposed to upper layers in the future if/when determined necessary */
5670 BTM_TRACE_ERROR ("%s on handle 0x%02x", __func__, handle);
5673 /*******************************************************************************
5675 ** Function btm_sec_queue_encrypt_request
5677 ** Description encqueue encryption request when device has active security
5680 *******************************************************************************/
5681 static BOOLEAN btm_sec_queue_encrypt_request (BD_ADDR bd_addr, tBT_TRANSPORT transport,
5682 tBTM_SEC_CALLBACK *p_callback, void *p_ref_data)
5684 tBTM_SEC_QUEUE_ENTRY *p_e;
5685 p_e = (tBTM_SEC_QUEUE_ENTRY *)GKI_getbuf(sizeof(tBTM_SEC_QUEUE_ENTRY) + 1);
5689 p_e->psm = 0; /* if PSM 0, encryption request */
5690 p_e->p_callback = p_callback;
5691 p_e->p_ref_data = (void *)(p_e + 1);
5692 *(UINT8 *)p_e->p_ref_data = *(UINT8 *)(p_ref_data);
5693 p_e->transport = transport;
5694 memcpy(p_e->bd_addr, bd_addr, BD_ADDR_LEN);
5695 GKI_enqueue(&btm_cb.sec_pending_q, p_e);
5702 /*******************************************************************************
5704 ** Function btm_sec_clean_pending_req_queue
5706 ** Description This function cleans up the pending security request when the
5707 ** link to the target device dropped.
5711 *******************************************************************************/
5712 static void btm_sec_clean_pending_req_queue (BD_ADDR remote_bda, tBT_TRANSPORT transport)
5714 tBTM_SEC_QUEUE_ENTRY *p_e;
5715 BUFFER_Q *bq = &btm_cb.sec_pending_q;
5717 p_e = (tBTM_SEC_QUEUE_ENTRY *)GKI_getfirst(bq);
5721 if (memcmp(p_e->bd_addr, remote_bda, BD_ADDR_LEN) == 0
5722 #if BLE_INCLUDED == TRUE
5723 && p_e->transport == transport
5727 (*p_e->p_callback) (remote_bda, transport, p_e->p_ref_data, BTM_ERR_PROCESSING);
5728 GKI_remove_from_queue(bq, (void *)p_e);
5730 p_e = (tBTM_SEC_QUEUE_ENTRY *) GKI_getnext ((void *)p_e);
5735 /*******************************************************************************
5737 ** Function btm_sec_check_pending_enc_req
5739 ** Description This function is called to send pending encryption callback if
5744 *******************************************************************************/
5745 static void btm_sec_check_pending_enc_req (tBTM_SEC_DEV_REC *p_dev_rec, tBT_TRANSPORT transport,
5748 tBTM_SEC_QUEUE_ENTRY *p_e;
5749 BUFFER_Q *bq = &btm_cb.sec_pending_q;
5750 UINT8 res = encr_enable ? BTM_SUCCESS : BTM_ERR_PROCESSING;
5753 p_e = (tBTM_SEC_QUEUE_ENTRY *)GKI_getfirst(bq);
5757 if (memcmp(p_e->bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0 && p_e->psm == 0
5758 #if BLE_INCLUDED == TRUE
5759 && p_e->transport == transport
5763 sec_act = *(UINT8 *)(p_e->p_ref_data);
5765 if (encr_enable == 0 || transport == BT_TRANSPORT_BR_EDR
5766 #if BLE_INCLUDED == TRUE
5767 || (sec_act == BTM_BLE_SEC_ENCRYPT || sec_act == BTM_BLE_SEC_ENCRYPT_NO_MITM)
5768 || (sec_act == BTM_BLE_SEC_ENCRYPT_MITM && p_dev_rec->sec_flags
5769 & BTM_SEC_LE_AUTHENTICATED)
5773 (*p_e->p_callback) (p_dev_rec->bd_addr, transport, p_e->p_ref_data, res);
5774 GKI_remove_from_queue(bq, (void *)p_e);
5777 p_e = (tBTM_SEC_QUEUE_ENTRY *) GKI_getnext ((void *)p_e);
5782 #if (BLE_INCLUDED == TRUE)
5783 /*******************************************************************************
5785 ** Function btm_sec_clear_ble_keys
5787 ** Description This function is called to clear out the BLE keys.
5788 ** Typically when devices are removed in BTM_SecDeleteDevice,
5789 ** or when a new BT Link key is generated.
5793 *******************************************************************************/
5794 void btm_sec_clear_ble_keys (tBTM_SEC_DEV_REC *p_dev_rec)
5797 BTM_TRACE_DEBUG ("%s() Clearing BLE Keys", __func__);
5798 #if (SMP_INCLUDED== TRUE)
5799 p_dev_rec->ble.key_type = BTM_LE_KEY_NONE;
5800 memset (&p_dev_rec->ble.keys, 0, sizeof(tBTM_SEC_BLE_KEYS));
5802 #if (BLE_PRIVACY_SPT == TRUE)
5803 btm_ble_resolving_list_remove_dev(p_dev_rec);
5809 /*******************************************************************************
5811 ** Function btm_sec_is_a_bonded_dev
5813 ** Description Is the specified device is a bonded device
5815 ** Returns TRUE - dev is bonded
5817 *******************************************************************************/
5818 BOOLEAN btm_sec_is_a_bonded_dev (BD_ADDR bda)
5821 tBTM_SEC_DEV_REC *p_dev_rec= btm_find_dev (bda);
5822 BOOLEAN is_bonded= FALSE;
5825 #if (SMP_INCLUDED== TRUE)
5826 ((p_dev_rec->ble.key_type && (p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_KNOWN))||
5828 (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)))
5832 BTM_TRACE_DEBUG ("%s() is_bonded=%d", __func__, is_bonded);
5836 /*******************************************************************************
5838 ** Function btm_sec_is_le_capable_dev
5840 ** Description Is the specified device is dual mode or LE only device
5842 ** Returns TRUE - dev is a dual mode
5844 *******************************************************************************/
5845 BOOLEAN btm_sec_is_le_capable_dev (BD_ADDR bda)
5847 tBTM_SEC_DEV_REC *p_dev_rec= btm_find_dev (bda);
5848 BOOLEAN le_capable = FALSE;
5850 #if (BLE_INCLUDED== TRUE)
5851 if (p_dev_rec && ((p_dev_rec->device_type == BT_DEVICE_TYPE_DUMO) ||
5852 (p_dev_rec->device_type == BT_DEVICE_TYPE_BLE) ) )
5860 /*******************************************************************************
5862 ** Function btm_sec_find_bonded_dev
5864 ** Description Find a bonded device starting from the specified index
5866 ** Returns TRUE - found a bonded device
5868 *******************************************************************************/
5869 BOOLEAN btm_sec_find_bonded_dev (UINT8 start_idx, UINT8 *p_found_idx, tBTM_SEC_DEV_REC **p_rec)
5871 BOOLEAN found= FALSE;
5873 #if (SMP_INCLUDED== TRUE)
5874 tBTM_SEC_DEV_REC *p_dev_rec;
5876 if (start_idx >= BTM_SEC_MAX_DEVICE_RECORDS)
5878 BTM_TRACE_DEBUG ("LE bonded device not found");
5882 p_dev_rec = &btm_cb.sec_dev_rec[start_idx];
5883 for (i = start_idx; i < BTM_SEC_MAX_DEVICE_RECORDS; i++, p_dev_rec++)
5885 if (p_dev_rec->ble.key_type || (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN))
5892 BTM_TRACE_DEBUG ("%s() found=%d", __func__, found);
5898 /*******************************************************************************
5900 ** Function btm_sec_use_smp_br_chnl
5902 ** Description The function checks if SMP BR connection can be used with
5904 ** Is called when authentication for dedicated bonding is
5905 ** successfully completed.
5907 ** Returns TRUE - if SMP BR connection can be used (the link key is
5908 ** generated from P-256 and the peer supports Security
5909 ** Manager over BR).
5911 *******************************************************************************/
5912 static BOOLEAN btm_sec_use_smp_br_chnl(tBTM_SEC_DEV_REC *p_dev_rec)
5915 UINT8 chnl_mask[L2CAP_FIXED_CHNL_ARRAY_SIZE];
5917 BTM_TRACE_DEBUG ("%s() link_key_type = 0x%x", __func__,
5918 p_dev_rec->link_key_type);
5920 if ((p_dev_rec->link_key_type != BTM_LKEY_TYPE_UNAUTH_COMB_P_256) &&
5921 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256))
5924 if (!L2CA_GetPeerFeatures (p_dev_rec->bd_addr, &ext_feat, chnl_mask))
5927 if (!(chnl_mask[0] & L2CAP_FIXED_CHNL_SMP_BR_BIT))
5933 /*******************************************************************************
5935 ** Function btm_sec_is_master
5937 ** Description The function checks if the device is BR/EDR master after
5938 ** pairing is completed.
5940 ** Returns TRUE - if the device is master.
5942 *******************************************************************************/
5943 static BOOLEAN btm_sec_is_master(tBTM_SEC_DEV_REC *p_dev_rec)
5945 tACL_CONN *p= btm_bda_to_acl(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR);
5946 return (p && (p->link_role == BTM_ROLE_MASTER));
5949 #endif /* BLE_INCLUDED */