1 /******************************************************************************
2 *
3 * Copyright 1999-2012 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18
19 /******************************************************************************
20 *
21 * This file contains functions for the Bluetooth Device Manager
22 *
23 ******************************************************************************/
24
25 #include <stddef.h>
26 #include <stdio.h>
27 #include <stdlib.h>
28 #include <string.h>
29
30 #include "bt_common.h"
31 #include "bt_types.h"
32 #include "btm_api.h"
33 #include "btm_int.h"
34 #include "btu.h"
35 #include "device/include/controller.h"
36 #include "hcidefs.h"
37 #include "hcimsgs.h"
38 #include "l2c_api.h"
39 #include "main/shim/btm_api.h"
40 #include "main/shim/shim.h"
41
42 /*******************************************************************************
43 *
44 * Function BTM_SecAddDevice
45 *
46 * Description Add/modify device. This function will be normally called
47 * during host startup to restore all required information
48 * stored in the NVRAM.
49 *
50 * Parameters: bd_addr - BD address of the peer
51 * dev_class - Device Class
52 * bd_name - Name of the peer device. NULL if unknown.
53 * features - Remote device's features (up to 3 pages).
54 * NULL if not known
55 * trusted_mask - Bitwise OR of services that do not
56 * require authorization.
57 * (array of uint32_t)
58 * link_key - Connection link key. NULL if unknown.
59 *
60 * Returns true if added OK, else false
61 *
62 ******************************************************************************/
BTM_SecAddDevice(const RawAddress & bd_addr,DEV_CLASS dev_class,BD_NAME bd_name,uint8_t * features,uint32_t trusted_mask[],LinkKey * p_link_key,uint8_t key_type,tBTM_IO_CAP io_cap,uint8_t pin_length)63 bool BTM_SecAddDevice(const RawAddress& bd_addr, DEV_CLASS dev_class,
64 BD_NAME bd_name, uint8_t* features,
65 uint32_t trusted_mask[], LinkKey* p_link_key,
66 uint8_t key_type, tBTM_IO_CAP io_cap,
67 uint8_t pin_length) {
68 BTM_TRACE_API("%s: link key type:%x", __func__, key_type);
69
70 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
71 if (!p_dev_rec) {
72 p_dev_rec = btm_sec_allocate_dev_rec();
73 BTM_TRACE_API("%s: allocated p_dev_rec=%p, bd_addr=%s", __func__, p_dev_rec,
74 bd_addr.ToString().c_str());
75
76 p_dev_rec->bd_addr = bd_addr;
77 p_dev_rec->hci_handle = BTM_GetHCIConnHandle(bd_addr, BT_TRANSPORT_BR_EDR);
78
79 /* use default value for background connection params */
80 /* update conn params, use default value for background connection params */
81 memset(&p_dev_rec->conn_params, 0xff, sizeof(tBTM_LE_CONN_PRAMS));
82 } else {
83 /* "Bump" timestamp for existing record */
84 p_dev_rec->timestamp = btm_cb.dev_rec_count++;
85
86 /* TODO(eisenbach):
87 * Small refactor, but leaving original logic for now.
88 * On the surface, this does not make any sense at all. Why change the
89 * bond state for an existing device here? This logic should be verified
90 * as part of a larger refactor.
91 */
92 p_dev_rec->bond_type = BOND_TYPE_UNKNOWN;
93 }
94
95 if (dev_class) memcpy(p_dev_rec->dev_class, dev_class, DEV_CLASS_LEN);
96
97 memset(p_dev_rec->sec_bd_name, 0, sizeof(tBTM_BD_NAME));
98
99 if (bd_name && bd_name[0]) {
100 p_dev_rec->sec_flags |= BTM_SEC_NAME_KNOWN;
101 strlcpy((char*)p_dev_rec->sec_bd_name, (char*)bd_name,
102 BTM_MAX_REM_BD_NAME_LEN);
103 }
104
105 p_dev_rec->num_read_pages = 0;
106 if (features) {
107 bool found = false;
108 memcpy(p_dev_rec->feature_pages, features,
109 sizeof(p_dev_rec->feature_pages));
110 for (int i = HCI_EXT_FEATURES_PAGE_MAX; !found && i >= 0; i--) {
111 for (int j = 0; j < HCI_FEATURE_BYTES_PER_PAGE; j++) {
112 if (p_dev_rec->feature_pages[i][j] != 0) {
113 found = true;
114 p_dev_rec->num_read_pages = i + 1;
115 break;
116 }
117 }
118 }
119 } else {
120 memset(p_dev_rec->feature_pages, 0, sizeof(p_dev_rec->feature_pages));
121 }
122
123 BTM_SEC_COPY_TRUSTED_DEVICE(trusted_mask, p_dev_rec->trusted_mask);
124
125 if (p_link_key) {
126 VLOG(2) << __func__ << ": BDA: " << bd_addr;
127 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_KNOWN;
128 p_dev_rec->link_key = *p_link_key;
129 p_dev_rec->link_key_type = key_type;
130 p_dev_rec->pin_code_length = pin_length;
131
132 if (pin_length >= 16 || key_type == BTM_LKEY_TYPE_AUTH_COMB ||
133 key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) {
134 // Set the flag if the link key was made by using either a 16 digit
135 // pin or MITM.
136 p_dev_rec->sec_flags |=
137 BTM_SEC_16_DIGIT_PIN_AUTHED | BTM_SEC_LINK_KEY_AUTHED;
138 }
139 }
140
141 #if (BTIF_MIXED_MODE_INCLUDED == TRUE)
142 if (key_type < BTM_MAX_PRE_SM4_LKEY_TYPE)
143 p_dev_rec->sm4 = BTM_SM4_KNOWN;
144 else
145 p_dev_rec->sm4 = BTM_SM4_TRUE;
146 #endif
147
148 p_dev_rec->rmt_io_caps = io_cap;
149 p_dev_rec->device_type |= BT_DEVICE_TYPE_BREDR;
150
151 return true;
152 }
153
wipe_secrets_and_remove(tBTM_SEC_DEV_REC * p_dev_rec)154 void wipe_secrets_and_remove(tBTM_SEC_DEV_REC* p_dev_rec) {
155 p_dev_rec->link_key.fill(0);
156 memset(&p_dev_rec->ble.keys, 0, sizeof(tBTM_SEC_BLE_KEYS));
157 list_remove(btm_cb.sec_dev_rec, p_dev_rec);
158 }
159
160 /** Free resources associated with the device associated with |bd_addr| address.
161 *
162 * *** WARNING ***
163 * tBTM_SEC_DEV_REC associated with bd_addr becomes invalid after this function
164 * is called, also any of it's fields. i.e. if you use p_dev_rec->bd_addr, it is
165 * no longer valid!
166 * *** WARNING ***
167 *
168 * Returns true if removed OK, false if not found or ACL link is active.
169 */
BTM_SecDeleteDevice(const RawAddress & bd_addr)170 bool BTM_SecDeleteDevice(const RawAddress& bd_addr) {
171 if (bluetooth::shim::is_gd_shim_enabled()) {
172 return bluetooth::shim::BTM_SecDeleteDevice(bd_addr);
173 }
174
175 if (BTM_IsAclConnectionUp(bd_addr, BT_TRANSPORT_LE) ||
176 BTM_IsAclConnectionUp(bd_addr, BT_TRANSPORT_BR_EDR)) {
177 BTM_TRACE_WARNING("%s FAILED: Cannot Delete when connection is active",
178 __func__);
179 return false;
180 }
181
182 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
183 if (p_dev_rec != NULL) {
184 RawAddress bda = p_dev_rec->bd_addr;
185
186 /* Clear out any saved BLE keys */
187 btm_sec_clear_ble_keys(p_dev_rec);
188 wipe_secrets_and_remove(p_dev_rec);
189 /* Tell controller to get rid of the link key, if it has one stored */
190 BTM_DeleteStoredLinkKey(&bda, NULL);
191 }
192
193 return true;
194 }
195
196 /*******************************************************************************
197 *
198 * Function BTM_SecClearSecurityFlags
199 *
200 * Description Reset the security flags (mark as not-paired) for a given
201 * remove device.
202 *
203 ******************************************************************************/
BTM_SecClearSecurityFlags(const RawAddress & bd_addr)204 extern void BTM_SecClearSecurityFlags(const RawAddress& bd_addr) {
205 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
206 if (p_dev_rec == NULL) return;
207
208 p_dev_rec->sec_flags = 0;
209 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
210 p_dev_rec->sm4 = BTM_SM4_UNKNOWN;
211 }
212
213 /*******************************************************************************
214 *
215 * Function BTM_SecReadDevName
216 *
217 * Description Looks for the device name in the security database for the
218 * specified BD address.
219 *
220 * Returns Pointer to the name or NULL
221 *
222 ******************************************************************************/
BTM_SecReadDevName(const RawAddress & bd_addr)223 char* BTM_SecReadDevName(const RawAddress& bd_addr) {
224 char* p_name = NULL;
225 tBTM_SEC_DEV_REC* p_srec;
226
227 p_srec = btm_find_dev(bd_addr);
228 if (p_srec != NULL) p_name = (char*)p_srec->sec_bd_name;
229
230 return (p_name);
231 }
232
233 /*******************************************************************************
234 *
235 * Function btm_sec_alloc_dev
236 *
237 * Description Look for the record in the device database for the record
238 * with specified address
239 *
240 * Returns Pointer to the record or NULL
241 *
242 ******************************************************************************/
btm_sec_alloc_dev(const RawAddress & bd_addr)243 tBTM_SEC_DEV_REC* btm_sec_alloc_dev(const RawAddress& bd_addr) {
244 tBTM_INQ_INFO* p_inq_info;
245
246 tBTM_SEC_DEV_REC* p_dev_rec = btm_sec_allocate_dev_rec();
247
248 BTM_TRACE_EVENT("%s: allocated p_dev_rec=%p, bd_addr=%s", __func__, p_dev_rec,
249 bd_addr.ToString().c_str());
250
251 /* Check with the BT manager if details about remote device are known */
252 /* outgoing connection */
253 p_inq_info = BTM_InqDbRead(bd_addr);
254 if (p_inq_info != NULL) {
255 memcpy(p_dev_rec->dev_class, p_inq_info->results.dev_class, DEV_CLASS_LEN);
256
257 p_dev_rec->device_type = p_inq_info->results.device_type;
258 p_dev_rec->ble.ble_addr_type = p_inq_info->results.ble_addr_type;
259 } else if (bd_addr == btm_cb.connecting_bda)
260 memcpy(p_dev_rec->dev_class, btm_cb.connecting_dc, DEV_CLASS_LEN);
261
262 /* update conn params, use default value for background connection params */
263 memset(&p_dev_rec->conn_params, 0xff, sizeof(tBTM_LE_CONN_PRAMS));
264
265 p_dev_rec->bd_addr = bd_addr;
266
267 p_dev_rec->ble_hci_handle = BTM_GetHCIConnHandle(bd_addr, BT_TRANSPORT_LE);
268 p_dev_rec->hci_handle = BTM_GetHCIConnHandle(bd_addr, BT_TRANSPORT_BR_EDR);
269
270 return (p_dev_rec);
271 }
272
273 /*******************************************************************************
274 *
275 * Function btm_dev_support_switch
276 *
277 * Description This function is called by the L2CAP to check if remote
278 * device supports role switch
279 *
280 * Parameters: bd_addr - Address of the peer device
281 *
282 * Returns true if device is known and role switch is supported
283 *
284 ******************************************************************************/
btm_dev_support_switch(const RawAddress & bd_addr)285 bool btm_dev_support_switch(const RawAddress& bd_addr) {
286 tBTM_SEC_DEV_REC* p_dev_rec;
287 uint8_t xx;
288 bool feature_empty = true;
289
290 /* Role switch is not allowed if a SCO is up */
291 if (btm_is_sco_active_by_bdaddr(bd_addr)) return (false);
292 p_dev_rec = btm_find_dev(bd_addr);
293 if (p_dev_rec &&
294 controller_get_interface()->supports_master_slave_role_switch()) {
295 if (HCI_SWITCH_SUPPORTED(p_dev_rec->feature_pages[0])) {
296 BTM_TRACE_DEBUG("btm_dev_support_switch return true (feature found)");
297 return (true);
298 }
299
300 /* If the feature field is all zero, we never received them */
301 for (xx = 0; xx < BD_FEATURES_LEN; xx++) {
302 if (p_dev_rec->feature_pages[0][xx] != 0x00) {
303 feature_empty = false; /* at least one is != 0 */
304 break;
305 }
306 }
307
308 /* If we don't know peer's capabilities, assume it supports Role-switch */
309 if (feature_empty) {
310 BTM_TRACE_DEBUG("btm_dev_support_switch return true (feature empty)");
311 return (true);
312 }
313 }
314
315 BTM_TRACE_DEBUG("btm_dev_support_switch return false");
316 return (false);
317 }
318
is_handle_equal(void * data,void * context)319 bool is_handle_equal(void* data, void* context) {
320 tBTM_SEC_DEV_REC* p_dev_rec = static_cast<tBTM_SEC_DEV_REC*>(data);
321 uint16_t* handle = static_cast<uint16_t*>(context);
322
323 if (p_dev_rec->hci_handle == *handle || p_dev_rec->ble_hci_handle == *handle)
324 return false;
325
326 return true;
327 }
328
329 /*******************************************************************************
330 *
331 * Function btm_find_dev_by_handle
332 *
333 * Description Look for the record in the device database for the record
334 * with specified handle
335 *
336 * Returns Pointer to the record or NULL
337 *
338 ******************************************************************************/
btm_find_dev_by_handle(uint16_t handle)339 tBTM_SEC_DEV_REC* btm_find_dev_by_handle(uint16_t handle) {
340 list_node_t* n = list_foreach(btm_cb.sec_dev_rec, is_handle_equal, &handle);
341 if (n) return static_cast<tBTM_SEC_DEV_REC*>(list_node(n));
342
343 return NULL;
344 }
345
is_address_equal(void * data,void * context)346 bool is_address_equal(void* data, void* context) {
347 tBTM_SEC_DEV_REC* p_dev_rec = static_cast<tBTM_SEC_DEV_REC*>(data);
348 const RawAddress* bd_addr = ((RawAddress*)context);
349
350 if (p_dev_rec->bd_addr == *bd_addr) return false;
351 // If a LE random address is looking for device record
352 if (p_dev_rec->ble.pseudo_addr == *bd_addr) return false;
353
354 if (btm_ble_addr_resolvable(*bd_addr, p_dev_rec)) return false;
355 return true;
356 }
357
358 /*******************************************************************************
359 *
360 * Function btm_find_dev
361 *
362 * Description Look for the record in the device database for the record
363 * with specified BD address
364 *
365 * Returns Pointer to the record or NULL
366 *
367 ******************************************************************************/
btm_find_dev(const RawAddress & bd_addr)368 tBTM_SEC_DEV_REC* btm_find_dev(const RawAddress& bd_addr) {
369 list_node_t* n =
370 list_foreach(btm_cb.sec_dev_rec, is_address_equal, (void*)&bd_addr);
371 if (n) return static_cast<tBTM_SEC_DEV_REC*>(list_node(n));
372
373 return NULL;
374 }
375
376 /*******************************************************************************
377 *
378 * Function btm_consolidate_dev
379 5**
380 * Description combine security records if identified as same peer
381 *
382 * Returns none
383 *
384 ******************************************************************************/
btm_consolidate_dev(tBTM_SEC_DEV_REC * p_target_rec)385 void btm_consolidate_dev(tBTM_SEC_DEV_REC* p_target_rec) {
386 tBTM_SEC_DEV_REC temp_rec = *p_target_rec;
387
388 BTM_TRACE_DEBUG("%s", __func__);
389
390 list_node_t* end = list_end(btm_cb.sec_dev_rec);
391 list_node_t* node = list_begin(btm_cb.sec_dev_rec);
392 while (node != end) {
393 tBTM_SEC_DEV_REC* p_dev_rec =
394 static_cast<tBTM_SEC_DEV_REC*>(list_node(node));
395
396 // we do list_remove in some cases, must grab next before removing
397 node = list_next(node);
398
399 if (p_target_rec == p_dev_rec) continue;
400
401 if (p_dev_rec->bd_addr == p_target_rec->bd_addr) {
402 memcpy(p_target_rec, p_dev_rec, sizeof(tBTM_SEC_DEV_REC));
403 p_target_rec->ble = temp_rec.ble;
404 p_target_rec->ble_hci_handle = temp_rec.ble_hci_handle;
405 p_target_rec->enc_key_size = temp_rec.enc_key_size;
406 p_target_rec->conn_params = temp_rec.conn_params;
407 p_target_rec->device_type |= temp_rec.device_type;
408 p_target_rec->sec_flags |= temp_rec.sec_flags;
409
410 p_target_rec->new_encryption_key_is_p256 =
411 temp_rec.new_encryption_key_is_p256;
412 p_target_rec->no_smp_on_br = temp_rec.no_smp_on_br;
413 p_target_rec->bond_type = temp_rec.bond_type;
414
415 /* remove the combined record */
416 wipe_secrets_and_remove(p_dev_rec);
417 // p_dev_rec gets freed in list_remove, we should not access it further
418 continue;
419 }
420
421 /* an RPA device entry is a duplicate of the target record */
422 if (btm_ble_addr_resolvable(p_dev_rec->bd_addr, p_target_rec)) {
423 if (p_target_rec->ble.pseudo_addr == p_dev_rec->bd_addr) {
424 p_target_rec->ble.ble_addr_type = p_dev_rec->ble.ble_addr_type;
425 p_target_rec->device_type |= p_dev_rec->device_type;
426
427 /* remove the combined record */
428 wipe_secrets_and_remove(p_dev_rec);
429 }
430 }
431 }
432 }
433
434 /*******************************************************************************
435 *
436 * Function btm_find_or_alloc_dev
437 *
438 * Description Look for the record in the device database for the record
439 * with specified BD address
440 *
441 * Returns Pointer to the record or NULL
442 *
443 ******************************************************************************/
btm_find_or_alloc_dev(const RawAddress & bd_addr)444 tBTM_SEC_DEV_REC* btm_find_or_alloc_dev(const RawAddress& bd_addr) {
445 tBTM_SEC_DEV_REC* p_dev_rec;
446 BTM_TRACE_EVENT("btm_find_or_alloc_dev");
447 p_dev_rec = btm_find_dev(bd_addr);
448 if (p_dev_rec == NULL) {
449 /* Allocate a new device record or reuse the oldest one */
450 p_dev_rec = btm_sec_alloc_dev(bd_addr);
451 }
452 return (p_dev_rec);
453 }
454
455 /*******************************************************************************
456 *
457 * Function btm_find_oldest_dev_rec
458 *
459 * Description Locates the oldest device in use. It first looks for
460 * the oldest non-paired device. If all devices are paired it
461 * returns the oldest paired device.
462 *
463 * Returns Pointer to the record or NULL
464 *
465 ******************************************************************************/
btm_find_oldest_dev_rec(void)466 static tBTM_SEC_DEV_REC* btm_find_oldest_dev_rec(void) {
467 tBTM_SEC_DEV_REC* p_oldest = NULL;
468 uint32_t ts_oldest = 0xFFFFFFFF;
469 tBTM_SEC_DEV_REC* p_oldest_paired = NULL;
470 uint32_t ts_oldest_paired = 0xFFFFFFFF;
471
472 list_node_t* end = list_end(btm_cb.sec_dev_rec);
473 for (list_node_t* node = list_begin(btm_cb.sec_dev_rec); node != end;
474 node = list_next(node)) {
475 tBTM_SEC_DEV_REC* p_dev_rec =
476 static_cast<tBTM_SEC_DEV_REC*>(list_node(node));
477
478 if ((p_dev_rec->sec_flags &
479 (BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LE_LINK_KEY_KNOWN)) == 0) {
480 // Device is not paired
481 if (p_dev_rec->timestamp < ts_oldest) {
482 p_oldest = p_dev_rec;
483 ts_oldest = p_dev_rec->timestamp;
484 }
485 } else {
486 // Paired device
487 if (p_dev_rec->timestamp < ts_oldest_paired) {
488 p_oldest_paired = p_dev_rec;
489 ts_oldest_paired = p_dev_rec->timestamp;
490 }
491 }
492 }
493
494 // If we did not find any non-paired devices, use the oldest paired one...
495 if (ts_oldest == 0xFFFFFFFF) p_oldest = p_oldest_paired;
496
497 return p_oldest;
498 }
499
500 /*******************************************************************************
501 *
502 * Function btm_sec_allocate_dev_rec
503 *
504 * Description Attempts to allocate a new device record. If we have
505 * exceeded the maximum number of allowable records to
506 * allocate, the oldest record will be deleted to make room
507 * for the new record.
508 *
509 * Returns Pointer to the newly allocated record
510 *
511 ******************************************************************************/
btm_sec_allocate_dev_rec(void)512 tBTM_SEC_DEV_REC* btm_sec_allocate_dev_rec(void) {
513 tBTM_SEC_DEV_REC* p_dev_rec = NULL;
514
515 if (list_length(btm_cb.sec_dev_rec) > BTM_SEC_MAX_DEVICE_RECORDS) {
516 p_dev_rec = btm_find_oldest_dev_rec();
517 wipe_secrets_and_remove(p_dev_rec);
518 }
519
520 p_dev_rec =
521 static_cast<tBTM_SEC_DEV_REC*>(osi_calloc(sizeof(tBTM_SEC_DEV_REC)));
522 list_append(btm_cb.sec_dev_rec, p_dev_rec);
523
524 // Initialize defaults
525 p_dev_rec->sec_flags = BTM_SEC_IN_USE;
526 p_dev_rec->bond_type = BOND_TYPE_UNKNOWN;
527 p_dev_rec->timestamp = btm_cb.dev_rec_count++;
528 p_dev_rec->rmt_io_caps = BTM_IO_CAP_UNKNOWN;
529
530 return p_dev_rec;
531 }
532
533 /*******************************************************************************
534 *
535 * Function btm_get_bond_type_dev
536 *
537 * Description Get the bond type for a device in the device database
538 * with specified BD address
539 *
540 * Returns The device bond type if known, otherwise BOND_TYPE_UNKNOWN
541 *
542 ******************************************************************************/
btm_get_bond_type_dev(const RawAddress & bd_addr)543 tBTM_BOND_TYPE btm_get_bond_type_dev(const RawAddress& bd_addr) {
544 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
545
546 if (p_dev_rec == NULL) return BOND_TYPE_UNKNOWN;
547
548 return p_dev_rec->bond_type;
549 }
550
551 /*******************************************************************************
552 *
553 * Function btm_set_bond_type_dev
554 *
555 * Description Set the bond type for a device in the device database
556 * with specified BD address
557 *
558 * Returns true on success, otherwise false
559 *
560 ******************************************************************************/
btm_set_bond_type_dev(const RawAddress & bd_addr,tBTM_BOND_TYPE bond_type)561 bool btm_set_bond_type_dev(const RawAddress& bd_addr,
562 tBTM_BOND_TYPE bond_type) {
563 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
564
565 if (p_dev_rec == NULL) return false;
566
567 p_dev_rec->bond_type = bond_type;
568 return true;
569 }
570