1 /******************************************************************************
2  *
3  *  Copyright 2009-2012 Broadcom Corporation
4  *
5  *  Licensed under the Apache License, Version 2.0 (the "License");
6  *  you may not use this file except in compliance with the License.
7  *  You may obtain a copy of the License at:
8  *
9  *  http://www.apache.org/licenses/LICENSE-2.0
10  *
11  *  Unless required by applicable law or agreed to in writing, software
12  *  distributed under the License is distributed on an "AS IS" BASIS,
13  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  *  See the License for the specific language governing permissions and
15  *  limitations under the License.
16  *
17  ******************************************************************************/
18 
19 /******************************************************************************
20  *
21  *  this file contains GATT database building and query functions
22  *
23  ******************************************************************************/
24 
25 #include "bt_target.h"
26 
27 #include "bt_trace.h"
28 #include "bt_utils.h"
29 
30 #include <stdio.h>
31 #include <string.h>
32 #include "btm_int.h"
33 #include "gatt_int.h"
34 #include "l2c_api.h"
35 #include "osi/include/osi.h"
36 
37 using base::StringPrintf;
38 using bluetooth::Uuid;
39 
40 /*******************************************************************************
41  *             L O C A L    F U N C T I O N     P R O T O T Y P E S            *
42  ******************************************************************************/
43 static tGATT_ATTR& allocate_attr_in_db(tGATT_SVC_DB& db, const Uuid& uuid,
44                                        tGATT_PERM perm);
45 static tGATT_STATUS gatts_send_app_read_request(
46     tGATT_TCB& tcb, uint8_t op_code, uint16_t handle, uint16_t offset,
47     uint32_t trans_id, bt_gatt_db_attribute_type_t gatt_type);
48 
49 /**
50  * Initialize a memory space to be a service database.
51  */
gatts_init_service_db(tGATT_SVC_DB & db,const Uuid & service_uuid,bool is_pri,uint16_t s_hdl,uint16_t num_handle)52 void gatts_init_service_db(tGATT_SVC_DB& db, const Uuid& service_uuid,
53                            bool is_pri, uint16_t s_hdl, uint16_t num_handle) {
54   db.attr_list.reserve(num_handle);
55 
56   VLOG(1) << StringPrintf("%s: s_hdl= %d num_handle= %d", __func__, s_hdl,
57                           num_handle);
58 
59   /* update service database information */
60   db.next_handle = s_hdl;
61   db.end_handle = s_hdl + num_handle;
62 
63   /* add service declration record */
64   Uuid uuid =
65       Uuid::From16Bit(is_pri ? GATT_UUID_PRI_SERVICE : GATT_UUID_SEC_SERVICE);
66   tGATT_ATTR& attr = allocate_attr_in_db(db, uuid, GATT_PERM_READ);
67   attr.p_value.reset((tGATT_ATTR_VALUE*)(new Uuid));
68   attr.p_value->uuid = service_uuid;
69 }
70 
gatts_get_service_uuid(tGATT_SVC_DB * p_db)71 Uuid* gatts_get_service_uuid(tGATT_SVC_DB* p_db) {
72   if (!p_db || p_db->attr_list.empty()) {
73     LOG(ERROR) << "service DB empty";
74     return NULL;
75   } else {
76     return &p_db->attr_list[0].p_value->uuid;
77   }
78 }
79 
80 /** Check attribute readability. Returns status of operation. */
gatts_check_attr_readability(const tGATT_ATTR & attr,UNUSED_ATTR uint16_t offset,bool read_long,tGATT_SEC_FLAG sec_flag,uint8_t key_size)81 static tGATT_STATUS gatts_check_attr_readability(const tGATT_ATTR& attr,
82                                                  UNUSED_ATTR uint16_t offset,
83                                                  bool read_long,
84                                                  tGATT_SEC_FLAG sec_flag,
85                                                  uint8_t key_size) {
86   uint16_t min_key_size;
87   tGATT_PERM perm = attr.permission;
88 
89   min_key_size = (((perm & GATT_ENCRYPT_KEY_SIZE_MASK) >> 12));
90   if (min_key_size != 0) {
91     min_key_size += 6;
92   }
93 
94   if (!(perm & GATT_READ_ALLOWED)) {
95     LOG(ERROR) << __func__ << ": GATT_READ_NOT_PERMIT";
96     return GATT_READ_NOT_PERMIT;
97   }
98 
99   if ((perm & GATT_READ_AUTH_REQUIRED) &&
100       !(sec_flag & GATT_SEC_FLAG_LKEY_UNAUTHED) &&
101       !(sec_flag & BTM_SEC_FLAG_ENCRYPTED)) {
102     LOG(ERROR) << __func__ << ": GATT_INSUF_AUTHENTICATION";
103     return GATT_INSUF_AUTHENTICATION;
104   }
105 
106   if ((perm & GATT_READ_MITM_REQUIRED) &&
107       !(sec_flag & GATT_SEC_FLAG_LKEY_AUTHED)) {
108     LOG(ERROR) << __func__ << ": GATT_INSUF_AUTHENTICATION: MITM Required";
109     return GATT_INSUF_AUTHENTICATION;
110   }
111 
112   if ((perm & GATT_READ_ENCRYPTED_REQUIRED) &&
113       !(sec_flag & GATT_SEC_FLAG_ENCRYPTED)) {
114     LOG(ERROR) << __func__ << ": GATT_INSUF_ENCRYPTION";
115     return GATT_INSUF_ENCRYPTION;
116   }
117 
118   if ((perm & GATT_READ_ENCRYPTED_REQUIRED) &&
119       (sec_flag & GATT_SEC_FLAG_ENCRYPTED) && (key_size < min_key_size)) {
120     LOG(ERROR) << __func__ << ": GATT_INSUF_KEY_SIZE";
121     return GATT_INSUF_KEY_SIZE;
122   }
123 
124   if (read_long && attr.uuid.Is16Bit()) {
125     switch (attr.uuid.As16Bit()) {
126       case GATT_UUID_PRI_SERVICE:
127       case GATT_UUID_SEC_SERVICE:
128       case GATT_UUID_CHAR_DECLARE:
129       case GATT_UUID_INCLUDE_SERVICE:
130       case GATT_UUID_CHAR_EXT_PROP:
131       case GATT_UUID_CHAR_CLIENT_CONFIG:
132       case GATT_UUID_CHAR_SRVR_CONFIG:
133       case GATT_UUID_CHAR_PRESENT_FORMAT:
134         LOG(ERROR) << __func__ << ": GATT_NOT_LONG";
135         return GATT_NOT_LONG;
136 
137       default:
138         break;
139     }
140   }
141 
142   return GATT_SUCCESS;
143 }
144 
145 /*******************************************************************************
146  *
147  * Function         read_attr_value
148  *
149  * Description      Utility function to read an attribute value.
150  *
151  * Parameter        attr16: pointer to the attribute to read.
152  *                  offset: read offset.
153  *                  p_data: output parameter to carry out the attribute value.
154  *                  read_long: this is a read blob request.
155  *                  mtu: MTU
156  *                  p_len: output parameter to carry out the attribute length.
157  *                   sec_flag: current link security status.
158  *                  key_size: encryption key size.
159  *
160  * Returns          status of operation.
161  *
162  ******************************************************************************/
read_attr_value(tGATT_ATTR & attr16,uint16_t offset,uint8_t ** p_data,bool read_long,uint16_t mtu,uint16_t * p_len,tGATT_SEC_FLAG sec_flag,uint8_t key_size)163 static tGATT_STATUS read_attr_value(tGATT_ATTR& attr16, uint16_t offset,
164                                     uint8_t** p_data, bool read_long,
165                                     uint16_t mtu, uint16_t* p_len,
166                                     tGATT_SEC_FLAG sec_flag, uint8_t key_size) {
167   uint8_t* p = *p_data;
168 
169   VLOG(1) << __func__ << " uuid=" << attr16.uuid
170           << StringPrintf(" perm=0x%02x sec_flag=0x%x offset=%d read_long=%d",
171                           attr16.permission, sec_flag, offset, read_long);
172 
173   tGATT_STATUS status = gatts_check_attr_readability(attr16, offset, read_long,
174                                                      sec_flag, key_size);
175   if (status != GATT_SUCCESS) return status;
176 
177   if (!attr16.uuid.Is16Bit()) {
178     /* characteristic description or characteristic value */
179     return GATT_PENDING;
180   }
181 
182   uint16_t uuid16 = attr16.uuid.As16Bit();
183 
184   if (uuid16 == GATT_UUID_PRI_SERVICE || uuid16 == GATT_UUID_SEC_SERVICE) {
185     *p_len = gatt_build_uuid_to_stream_len(attr16.p_value->uuid);
186     if (mtu < *p_len) return GATT_NO_RESOURCES;
187 
188     gatt_build_uuid_to_stream(&p, attr16.p_value->uuid);
189     *p_data = p;
190     return GATT_SUCCESS;
191   }
192 
193   if (uuid16 == GATT_UUID_CHAR_DECLARE) {
194     tGATT_ATTR* val_attr = &attr16 + 1;
195     uint8_t val_len = val_attr->uuid.GetShortestRepresentationSize();
196     *p_len = (val_len == Uuid::kNumBytes16) ? 5 : 19;
197 
198     if (mtu < *p_len) return GATT_NO_RESOURCES;
199 
200     UINT8_TO_STREAM(p, attr16.p_value->char_decl.property);
201     UINT16_TO_STREAM(p, attr16.p_value->char_decl.char_val_handle);
202 
203     if (val_len == Uuid::kNumBytes16) {
204       UINT16_TO_STREAM(p, val_attr->uuid.As16Bit());
205     } else {
206       /* if 32 bit UUID, convert to 128 bit */
207       ARRAY_TO_STREAM(p, val_attr->uuid.To128BitLE(), (int)Uuid::kNumBytes128);
208     }
209     *p_data = p;
210     return GATT_SUCCESS;
211   }
212 
213   if (uuid16 == GATT_UUID_INCLUDE_SERVICE) {
214     tGATT_INCL_SRVC& incl_handle = attr16.p_value->incl_handle;
215     if (incl_handle.service_type.Is16Bit())
216       *p_len = 6;
217     else
218       *p_len = 4;
219 
220     if (mtu < *p_len) return GATT_NO_RESOURCES;
221 
222     UINT16_TO_STREAM(p, incl_handle.s_handle);
223     UINT16_TO_STREAM(p, incl_handle.e_handle);
224 
225     if (incl_handle.service_type.Is16Bit()) {
226       UINT16_TO_STREAM(p, incl_handle.service_type.As16Bit());
227     }
228     *p_data = p;
229     return GATT_SUCCESS;
230   }
231 
232   /* characteristic description or characteristic value (again) */
233   return GATT_PENDING;
234 }
235 
236 /*******************************************************************************
237  *
238  * Function         gatts_db_read_attr_value_by_type
239  *
240  * Description      Query attribute value by attribute type.
241  *
242  * Parameter        p_db: pointer to the attribute database.
243  *                  p_rsp: Read By type response data.
244  *                  s_handle: starting handle of the range we are looking for.
245  *                  e_handle: ending handle of the range we are looking for.
246  *                  type: Attribute type.
247  *                  mtu: MTU.
248  *                  sec_flag: current link security status.
249  *                  key_size: encryption key size.
250  *
251  * Returns          Status of the operation.
252  *
253  ******************************************************************************/
gatts_db_read_attr_value_by_type(tGATT_TCB & tcb,tGATT_SVC_DB * p_db,uint8_t op_code,BT_HDR * p_rsp,uint16_t s_handle,uint16_t e_handle,const Uuid & type,uint16_t * p_len,tGATT_SEC_FLAG sec_flag,uint8_t key_size,uint32_t trans_id,uint16_t * p_cur_handle)254 tGATT_STATUS gatts_db_read_attr_value_by_type(
255     tGATT_TCB& tcb, tGATT_SVC_DB* p_db, uint8_t op_code, BT_HDR* p_rsp,
256     uint16_t s_handle, uint16_t e_handle, const Uuid& type, uint16_t* p_len,
257     tGATT_SEC_FLAG sec_flag, uint8_t key_size, uint32_t trans_id,
258     uint16_t* p_cur_handle) {
259   tGATT_STATUS status = GATT_NOT_FOUND;
260   uint16_t len = 0;
261   uint8_t* p = (uint8_t*)(p_rsp + 1) + p_rsp->len + L2CAP_MIN_OFFSET;
262 
263   if (p_db) {
264     for (tGATT_ATTR& attr : p_db->attr_list) {
265       if (attr.handle >= s_handle && type == attr.uuid) {
266         if (*p_len <= 2) {
267           status = GATT_NO_RESOURCES;
268           break;
269         }
270 
271         UINT16_TO_STREAM(p, attr.handle);
272 
273         status = read_attr_value(attr, 0, &p, false, (uint16_t)(*p_len - 2),
274                                  &len, sec_flag, key_size);
275 
276         if (status == GATT_PENDING) {
277           status = gatts_send_app_read_request(tcb, op_code, attr.handle, 0,
278                                                trans_id, attr.gatt_type);
279 
280           /* one callback at a time */
281           break;
282         } else if (status == GATT_SUCCESS) {
283           if (p_rsp->offset == 0) p_rsp->offset = len + 2;
284 
285           if (p_rsp->offset == len + 2) {
286             p_rsp->len += (len + 2);
287             *p_len -= (len + 2);
288           } else {
289             LOG(ERROR) << "format mismatch";
290             status = GATT_NO_RESOURCES;
291             break;
292           }
293         } else {
294           *p_cur_handle = attr.handle;
295           break;
296         }
297       }
298     }
299   }
300 
301 #if (BLE_DELAY_REQUEST_ENC == TRUE)
302   uint8_t flag = 0;
303   if (BTM_GetSecurityFlags(tcb.peer_bda, &flag)) {
304     if ((tcb.att_lcid == L2CAP_ATT_CID) && (status == GATT_PENDING) &&
305         (type.As16Bit() == GATT_UUID_GAP_DEVICE_NAME)) {
306       if ((flag & (BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_FLAG_ENCRYPTED)) ==
307           BTM_SEC_LINK_KEY_KNOWN) {
308         tACL_CONN* p = btm_bda_to_acl(tcb.peer_bda, BT_TRANSPORT_LE);
309         if ((p != NULL) && (p->link_role == BTM_ROLE_MASTER))
310           btm_ble_set_encryption(tcb.peer_bda, BTM_BLE_SEC_ENCRYPT,
311                                  p->link_role);
312       }
313     }
314   }
315 #endif
316   return status;
317 }
318 
319 /**
320  * This function adds an included service into a database.
321  *
322  * Parameter        db: database pointer.
323  *                  inc_srvc_type: included service type.
324  *
325  * Returns          Status of the operation.
326  *
327  */
gatts_add_included_service(tGATT_SVC_DB & db,uint16_t s_handle,uint16_t e_handle,const Uuid & service)328 uint16_t gatts_add_included_service(tGATT_SVC_DB& db, uint16_t s_handle,
329                                     uint16_t e_handle, const Uuid& service) {
330   Uuid uuid = Uuid::From16Bit(GATT_UUID_INCLUDE_SERVICE);
331 
332   VLOG(1) << __func__
333           << StringPrintf(": s_hdl=0x%04x e_hdl=0x%04x ", s_handle, e_handle)
334           << "service uuid = " << service;
335 
336   if (service.IsEmpty() || s_handle == 0 || e_handle == 0) {
337     LOG(ERROR) << __func__ << ": Illegal Params.";
338     return 0;
339   }
340 
341   tGATT_ATTR& attr = allocate_attr_in_db(db, uuid, GATT_PERM_READ);
342 
343   attr.p_value.reset((tGATT_ATTR_VALUE*)(new tGATT_INCL_SRVC));
344   attr.p_value->incl_handle.s_handle = s_handle;
345   attr.p_value->incl_handle.e_handle = e_handle;
346   attr.p_value->incl_handle.service_type = service;
347 
348   return attr.handle;
349 }
350 
351 /*******************************************************************************
352  *
353  * Function         gatts_add_characteristic
354  *
355  * Description      This function add a characteristics and its descriptor into
356  *                  a servce identified by the service database pointer.
357  *
358  * Parameter        db: database.
359  *                  perm: permission (authentication and key size requirements)
360  *                  property: property of the characteristic.
361  *                  p_char: characteristic value information.
362  *
363  * Returns          Status of te operation.
364  *
365  ******************************************************************************/
gatts_add_characteristic(tGATT_SVC_DB & db,tGATT_PERM perm,tGATT_CHAR_PROP property,const Uuid & char_uuid)366 uint16_t gatts_add_characteristic(tGATT_SVC_DB& db, tGATT_PERM perm,
367                                   tGATT_CHAR_PROP property,
368                                   const Uuid& char_uuid) {
369   Uuid uuid = Uuid::From16Bit(GATT_UUID_CHAR_DECLARE);
370 
371   VLOG(1) << StringPrintf("%s: perm=0x%0x property=0x%0x", __func__, perm,
372                           property);
373 
374   tGATT_ATTR& char_decl = allocate_attr_in_db(db, uuid, GATT_PERM_READ);
375   tGATT_ATTR& char_val = allocate_attr_in_db(db, char_uuid, perm);
376 
377   char_decl.p_value.reset((tGATT_ATTR_VALUE*)(new tGATT_CHAR_DECL));
378   char_decl.p_value->char_decl.property = property;
379   char_decl.p_value->char_decl.char_val_handle = char_val.handle;
380   char_val.gatt_type = BTGATT_DB_CHARACTERISTIC;
381   return char_val.handle;
382 }
383 
384 /*******************************************************************************
385  *
386  * Function         gatts_add_char_descr
387  *
388  * Description      This function add a characteristics descriptor.
389  *
390  * Parameter        p_db: database pointer.
391  *                  perm: characteristic descriptor permission type.
392  *                  char_dscp_tpye: the characteristic descriptor masks.
393  *                  p_dscp_params: characteristic descriptors values.
394  *
395  * Returns          Status of the operation.
396  *
397  ******************************************************************************/
gatts_add_char_descr(tGATT_SVC_DB & db,tGATT_PERM perm,const Uuid & descr_uuid)398 uint16_t gatts_add_char_descr(tGATT_SVC_DB& db, tGATT_PERM perm,
399                               const Uuid& descr_uuid) {
400   VLOG(1) << StringPrintf("gatts_add_char_descr uuid=%s",
401                           descr_uuid.ToString().c_str());
402 
403   /* Add characteristic descriptors */
404   tGATT_ATTR& char_dscptr = allocate_attr_in_db(db, descr_uuid, perm);
405   char_dscptr.gatt_type = BTGATT_DB_DESCRIPTOR;
406   return char_dscptr.handle;
407 }
408 
409 /******************************************************************************/
410 /* Service Attribute Database Query Utility Functions */
411 /******************************************************************************/
find_attr_by_handle(tGATT_SVC_DB * p_db,uint16_t handle)412 tGATT_ATTR* find_attr_by_handle(tGATT_SVC_DB* p_db, uint16_t handle) {
413   if (!p_db) return nullptr;
414 
415   for (auto& attr : p_db->attr_list) {
416     if (attr.handle == handle) return &attr;
417     if (attr.handle > handle) return nullptr;
418   }
419 
420   return nullptr;
421 }
422 
423 /*******************************************************************************
424  *
425  * Function         gatts_read_attr_value_by_handle
426  *
427  * Description      Query attribute value by attribute handle.
428  *
429  * Parameter        p_db: pointer to the attribute database.
430  *                  handle: Attribute handle to read.
431  *                  offset: Read offset.
432  *                  p_value: output parameter to carry out the attribute value.
433  *                  p_len: output parameter as attribute length read.
434  *                  read_long: this is a read blob request.
435  *                  mtu: MTU.
436  *                  sec_flag: current link security status.
437  *                  key_size: encryption key size
438  *
439  * Returns          Status of operation.
440  *
441  ******************************************************************************/
gatts_read_attr_value_by_handle(tGATT_TCB & tcb,tGATT_SVC_DB * p_db,uint8_t op_code,uint16_t handle,uint16_t offset,uint8_t * p_value,uint16_t * p_len,uint16_t mtu,tGATT_SEC_FLAG sec_flag,uint8_t key_size,uint32_t trans_id)442 tGATT_STATUS gatts_read_attr_value_by_handle(
443     tGATT_TCB& tcb, tGATT_SVC_DB* p_db, uint8_t op_code, uint16_t handle,
444     uint16_t offset, uint8_t* p_value, uint16_t* p_len, uint16_t mtu,
445     tGATT_SEC_FLAG sec_flag, uint8_t key_size, uint32_t trans_id) {
446   tGATT_ATTR* p_attr = find_attr_by_handle(p_db, handle);
447   if (!p_attr) return GATT_NOT_FOUND;
448 
449   uint8_t* pp = p_value;
450   tGATT_STATUS status = read_attr_value(*p_attr, offset, &pp,
451                                         (bool)(op_code == GATT_REQ_READ_BLOB),
452                                         mtu, p_len, sec_flag, key_size);
453 
454   if (status == GATT_PENDING) {
455     status = gatts_send_app_read_request(tcb, op_code, p_attr->handle, offset,
456                                          trans_id, p_attr->gatt_type);
457   }
458   return status;
459 }
460 
461 /*******************************************************************************
462  *
463  * Function         gatts_read_attr_perm_check
464  *
465  * Description      Check attribute readability.
466  *
467  * Parameter        p_db: pointer to the attribute database.
468  *                  handle: Attribute handle to read.
469  *                  offset: Read offset.
470  *                  p_value: output parameter to carry out the attribute value.
471  *                  p_len: output parameter as attribute length read.
472  *                  read_long: this is a read blob request.
473  *                  mtu: MTU.
474  *                  sec_flag: current link security status.
475  *                  key_size: encryption key size
476  *
477  * Returns          Status of operation.
478  *
479  ******************************************************************************/
gatts_read_attr_perm_check(tGATT_SVC_DB * p_db,bool is_long,uint16_t handle,tGATT_SEC_FLAG sec_flag,uint8_t key_size)480 tGATT_STATUS gatts_read_attr_perm_check(tGATT_SVC_DB* p_db, bool is_long,
481                                         uint16_t handle,
482                                         tGATT_SEC_FLAG sec_flag,
483                                         uint8_t key_size) {
484   tGATT_ATTR* p_attr = find_attr_by_handle(p_db, handle);
485   if (!p_attr) return GATT_NOT_FOUND;
486 
487   return gatts_check_attr_readability(*p_attr, 0, is_long, sec_flag, key_size);
488 }
489 
490 /*******************************************************************************
491  *
492  * Function         gatts_write_attr_perm_check
493  *
494  * Description      Write attribute value into database.
495  *
496  * Parameter        p_db: pointer to the attribute database.
497  *                  op_code:op code of this write.
498  *                  handle: handle of the attribute to write.
499  *                  offset: Write offset if write op code is write blob.
500  *                  p_data: Attribute value to write.
501  *                  len: attribute data length.
502  *                  sec_flag: current link security status.
503  *                  key_size: encryption key size
504  *
505  * Returns          Status of the operation.
506  *
507  ******************************************************************************/
gatts_write_attr_perm_check(tGATT_SVC_DB * p_db,uint8_t op_code,uint16_t handle,uint16_t offset,uint8_t * p_data,uint16_t len,tGATT_SEC_FLAG sec_flag,uint8_t key_size)508 tGATT_STATUS gatts_write_attr_perm_check(tGATT_SVC_DB* p_db, uint8_t op_code,
509                                          uint16_t handle, uint16_t offset,
510                                          uint8_t* p_data, uint16_t len,
511                                          tGATT_SEC_FLAG sec_flag,
512                                          uint8_t key_size) {
513   VLOG(1) << StringPrintf(
514       "%s: op_code=0x%0x handle=0x%04x offset=%d len=%d sec_flag=0x%0x "
515       "key_size=%d",
516       __func__, op_code, handle, offset, len, sec_flag, key_size);
517 
518   tGATT_ATTR* p_attr = find_attr_by_handle(p_db, handle);
519   if (!p_attr) return GATT_NOT_FOUND;
520 
521   tGATT_PERM perm = p_attr->permission;
522   uint16_t min_key_size = (((perm & GATT_ENCRYPT_KEY_SIZE_MASK) >> 12));
523   if (min_key_size != 0) {
524     min_key_size += 6;
525   }
526   VLOG(1) << StringPrintf("%s: p_attr->permission =0x%04x min_key_size==0x%04x",
527                           __func__, p_attr->permission, min_key_size);
528 
529   if ((op_code == GATT_CMD_WRITE || op_code == GATT_REQ_WRITE) &&
530       (perm & GATT_WRITE_SIGNED_PERM)) {
531     /* use the rules for the mixed security see section 10.2.3*/
532     /* use security mode 1 level 2 when the following condition follows */
533     /* LE security mode 2 level 1 and LE security mode 1 level 2 */
534     if ((perm & GATT_PERM_WRITE_SIGNED) && (perm & GATT_PERM_WRITE_ENCRYPTED)) {
535       perm = GATT_PERM_WRITE_ENCRYPTED;
536     }
537     /* use security mode 1 level 3 when the following condition follows */
538     /* LE security mode 2 level 2 and security mode 1 and LE */
539     else if (((perm & GATT_PERM_WRITE_SIGNED_MITM) &&
540               (perm & GATT_PERM_WRITE_ENCRYPTED)) ||
541              /* LE security mode 2 and security mode 1 level 3 */
542              ((perm & GATT_WRITE_SIGNED_PERM) &&
543               (perm & GATT_PERM_WRITE_ENC_MITM))) {
544       perm = GATT_PERM_WRITE_ENC_MITM;
545     }
546   }
547 
548   tGATT_STATUS status = GATT_NOT_FOUND;
549   if ((op_code == GATT_SIGN_CMD_WRITE) && !(perm & GATT_WRITE_SIGNED_PERM)) {
550     status = GATT_WRITE_NOT_PERMIT;
551     VLOG(1) << __func__ << ": sign cmd write not allowed";
552   }
553   if ((op_code == GATT_SIGN_CMD_WRITE) &&
554       (sec_flag & GATT_SEC_FLAG_ENCRYPTED)) {
555     status = GATT_INVALID_PDU;
556     LOG(ERROR) << __func__
557                << ": Error!! sign cmd write sent on a encypted link";
558   } else if (!(perm & GATT_WRITE_ALLOWED)) {
559     status = GATT_WRITE_NOT_PERMIT;
560     LOG(ERROR) << __func__ << ": GATT_WRITE_NOT_PERMIT";
561   }
562   /* require authentication, but not been authenticated */
563   else if ((perm & GATT_WRITE_AUTH_REQUIRED) &&
564            !(sec_flag & GATT_SEC_FLAG_LKEY_UNAUTHED)) {
565     status = GATT_INSUF_AUTHENTICATION;
566     LOG(ERROR) << __func__ << ": GATT_INSUF_AUTHENTICATION";
567   } else if ((perm & GATT_WRITE_MITM_REQUIRED) &&
568              !(sec_flag & GATT_SEC_FLAG_LKEY_AUTHED)) {
569     status = GATT_INSUF_AUTHENTICATION;
570     LOG(ERROR) << __func__ << ": GATT_INSUF_AUTHENTICATION: MITM required";
571   } else if ((perm & GATT_WRITE_ENCRYPTED_PERM) &&
572              !(sec_flag & GATT_SEC_FLAG_ENCRYPTED)) {
573     status = GATT_INSUF_ENCRYPTION;
574     LOG(ERROR) << __func__ << ": GATT_INSUF_ENCRYPTION";
575   } else if ((perm & GATT_WRITE_ENCRYPTED_PERM) &&
576              (sec_flag & GATT_SEC_FLAG_ENCRYPTED) &&
577              (key_size < min_key_size)) {
578     status = GATT_INSUF_KEY_SIZE;
579     LOG(ERROR) << __func__ << ": GATT_INSUF_KEY_SIZE";
580   }
581   /* LE security mode 2 attribute  */
582   else if (perm & GATT_WRITE_SIGNED_PERM && op_code != GATT_SIGN_CMD_WRITE &&
583            !(sec_flag & GATT_SEC_FLAG_ENCRYPTED) &&
584            (perm & GATT_WRITE_ALLOWED) == 0) {
585     status = GATT_INSUF_AUTHENTICATION;
586     LOG(ERROR) << __func__
587                << ": GATT_INSUF_AUTHENTICATION: LE security mode 2 required";
588   } else /* writable: must be char value declaration or char descritpors */
589   {
590     uint16_t max_size = 0;
591 
592     if (p_attr->uuid.IsEmpty()) {
593       status = GATT_INVALID_PDU;
594     } else if (p_attr->uuid.Is16Bit()) {
595       switch (p_attr->uuid.As16Bit()) {
596         case GATT_UUID_CHAR_PRESENT_FORMAT: /* should be readable only */
597         case GATT_UUID_CHAR_EXT_PROP:       /* should be readable only */
598         case GATT_UUID_CHAR_AGG_FORMAT:     /* should be readable only */
599         case GATT_UUID_CHAR_VALID_RANGE:
600           status = GATT_WRITE_NOT_PERMIT;
601           break;
602 
603         case GATT_UUID_CHAR_CLIENT_CONFIG:
604           FALLTHROUGH_INTENDED; /* FALLTHROUGH */
605         case GATT_UUID_CHAR_SRVR_CONFIG:
606           max_size = 2;
607           FALLTHROUGH_INTENDED; /* FALLTHROUGH */
608         case GATT_UUID_CHAR_DESCRIPTION:
609         default: /* any other must be character value declaration */
610           status = GATT_SUCCESS;
611           break;
612       }
613     } else {  // 32 or 128 bit UUID
614       status = GATT_SUCCESS;
615     }
616 
617     if (p_data == NULL && len > 0) {
618       return GATT_INVALID_PDU;
619     }
620 
621     /* these attribute does not allow write blob */
622     if (p_attr->uuid.Is16Bit() &&
623         (p_attr->uuid.As16Bit() == GATT_UUID_CHAR_CLIENT_CONFIG ||
624          p_attr->uuid.As16Bit() == GATT_UUID_CHAR_SRVR_CONFIG)) {
625       if (op_code == GATT_REQ_PREPARE_WRITE && offset != 0) {
626         /* does not allow write blob */
627         status = GATT_NOT_LONG;
628         LOG(ERROR) << __func__ << ": GATT_NOT_LONG";
629       } else if (len != max_size) {
630         /* data does not match the required format */
631         status = GATT_INVALID_ATTR_LEN;
632         LOG(ERROR) << __func__ << ": GATT_INVALID_PDU";
633       } else {
634         return GATT_SUCCESS;
635       }
636     }
637   }
638 
639   return status;
640 }
641 
642 /**
643  * Description      Allocate a memory space for a new attribute, and link this
644  *                  attribute into the database attribute list.
645  *
646  *
647  * Parameter        p_db    : database pointer.
648  *                  uuid:     attribute UUID
649  *
650  * Returns          pointer to the newly allocated attribute.
651  *
652  */
allocate_attr_in_db(tGATT_SVC_DB & db,const Uuid & uuid,tGATT_PERM perm)653 static tGATT_ATTR& allocate_attr_in_db(tGATT_SVC_DB& db, const Uuid& uuid,
654                                        tGATT_PERM perm) {
655   if (db.next_handle >= db.end_handle) {
656     LOG(FATAL) << __func__
657                << " wrong number of handles! handle_max = " << +db.end_handle
658                << ", next_handle = " << +db.next_handle;
659   }
660 
661   db.attr_list.emplace_back();
662   tGATT_ATTR& attr = db.attr_list.back();
663   attr.handle = db.next_handle++;
664   attr.uuid = uuid;
665   attr.permission = perm;
666   return attr;
667 }
668 
669 /*******************************************************************************
670  *
671  * Function         gatts_send_app_read_request
672  *
673  * Description      Send application read request callback
674  *
675  * Returns          status of operation.
676  *
677  ******************************************************************************/
gatts_send_app_read_request(tGATT_TCB & tcb,uint8_t op_code,uint16_t handle,uint16_t offset,uint32_t trans_id,bt_gatt_db_attribute_type_t gatt_type)678 static tGATT_STATUS gatts_send_app_read_request(
679     tGATT_TCB& tcb, uint8_t op_code, uint16_t handle, uint16_t offset,
680     uint32_t trans_id, bt_gatt_db_attribute_type_t gatt_type) {
681   tGATT_SRV_LIST_ELEM& el = *gatt_sr_find_i_rcb_by_handle(handle);
682   uint16_t conn_id = GATT_CREATE_CONN_ID(tcb.tcb_idx, el.gatt_if);
683 
684   if (trans_id == 0) {
685     trans_id = gatt_sr_enqueue_cmd(tcb, op_code, handle);
686     gatt_sr_update_cback_cnt(tcb, el.gatt_if, true, true);
687   }
688 
689   if (trans_id != 0) {
690     tGATTS_DATA sr_data;
691     memset(&sr_data, 0, sizeof(tGATTS_DATA));
692 
693     sr_data.read_req.handle = handle;
694     sr_data.read_req.is_long = (bool)(op_code == GATT_REQ_READ_BLOB);
695     sr_data.read_req.offset = offset;
696 
697     uint8_t opcode;
698     if (gatt_type == BTGATT_DB_DESCRIPTOR) {
699       opcode = GATTS_REQ_TYPE_READ_DESCRIPTOR;
700     } else if (gatt_type == BTGATT_DB_CHARACTERISTIC) {
701       opcode = GATTS_REQ_TYPE_READ_CHARACTERISTIC;
702     } else {
703       LOG(ERROR) << __func__
704                  << ": Attempt to read attribute that's not tied with "
705                     "characteristic or descriptor value.";
706       return GATT_ERROR;
707     }
708 
709     gatt_sr_send_req_callback(conn_id, trans_id, opcode, &sr_data);
710     return (tGATT_STATUS)GATT_PENDING;
711   } else
712     return (tGATT_STATUS)GATT_BUSY; /* max pending command, application error */
713 }
714