1 /******************************************************************************
2 *
3 * Copyright 1999-2012 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18
19 /******************************************************************************
20 *
21 * This file contains functions for the Bluetooth Device Manager
22 *
23 ******************************************************************************/
24
25 #include <stddef.h>
26 #include <stdio.h>
27 #include <stdlib.h>
28 #include <string.h>
29
30 #include "bt_common.h"
31 #include "bt_types.h"
32 #include "btm_api.h"
33 #include "btu.h"
34 #include "device/include/controller.h"
35 #include "hcidefs.h"
36 #include "hcimsgs.h"
37 #include "l2c_api.h"
38 #include "main/shim/btm_api.h"
39 #include "main/shim/shim.h"
40 #include "stack/btm/btm_dev.h"
41 #include "stack/include/acl_api.h"
42
43 extern tBTM_CB btm_cb;
44
45 /*******************************************************************************
46 *
47 * Function BTM_SecAddDevice
48 *
49 * Description Add/modify device. This function will be normally called
50 * during host startup to restore all required information
51 * stored in the NVRAM.
52 *
53 * Parameters: bd_addr - BD address of the peer
54 * dev_class - Device Class
55 * bd_name - Name of the peer device. NULL if unknown.
56 * features - Remote device's features (up to 3 pages).
57 * NULL if not known
58 * link_key - Connection link key. NULL if unknown.
59 *
60 * Returns true if added OK, else false
61 *
62 ******************************************************************************/
BTM_SecAddDevice(const RawAddress & bd_addr,DEV_CLASS dev_class,BD_NAME bd_name,uint8_t * features,LinkKey * p_link_key,uint8_t key_type,uint8_t pin_length)63 bool BTM_SecAddDevice(const RawAddress& bd_addr, DEV_CLASS dev_class,
64 BD_NAME bd_name, uint8_t* features, LinkKey* p_link_key,
65 uint8_t key_type, uint8_t pin_length) {
66 BTM_TRACE_API("%s: link key type:%x", __func__, key_type);
67
68 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
69 if (!p_dev_rec) {
70 p_dev_rec = btm_sec_allocate_dev_rec();
71 BTM_TRACE_API("%s: allocated p_dev_rec=%p, bd_addr=%s", __func__, p_dev_rec,
72 bd_addr.ToString().c_str());
73
74 p_dev_rec->bd_addr = bd_addr;
75 p_dev_rec->hci_handle = BTM_GetHCIConnHandle(bd_addr, BT_TRANSPORT_BR_EDR);
76
77 /* use default value for background connection params */
78 /* update conn params, use default value for background connection params */
79 memset(&p_dev_rec->conn_params, 0xff, sizeof(tBTM_LE_CONN_PRAMS));
80 } else {
81 /* "Bump" timestamp for existing record */
82 p_dev_rec->timestamp = btm_cb.dev_rec_count++;
83
84 /* TODO(eisenbach):
85 * Small refactor, but leaving original logic for now.
86 * On the surface, this does not make any sense at all. Why change the
87 * bond state for an existing device here? This logic should be verified
88 * as part of a larger refactor.
89 */
90 p_dev_rec->bond_type = tBTM_SEC_DEV_REC::BOND_TYPE_UNKNOWN;
91 }
92
93 if (dev_class) memcpy(p_dev_rec->dev_class, dev_class, DEV_CLASS_LEN);
94
95 memset(p_dev_rec->sec_bd_name, 0, sizeof(tBTM_BD_NAME));
96
97 if (bd_name && bd_name[0]) {
98 p_dev_rec->sec_flags |= BTM_SEC_NAME_KNOWN;
99 strlcpy((char*)p_dev_rec->sec_bd_name, (char*)bd_name,
100 BTM_MAX_REM_BD_NAME_LEN + 1);
101 }
102
103 if (p_link_key) {
104 VLOG(2) << __func__ << ": BDA: " << bd_addr;
105 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_KNOWN;
106 p_dev_rec->link_key = *p_link_key;
107 p_dev_rec->link_key_type = key_type;
108 p_dev_rec->pin_code_length = pin_length;
109
110 if (pin_length >= 16 || key_type == BTM_LKEY_TYPE_AUTH_COMB ||
111 key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) {
112 // Set the flag if the link key was made by using either a 16 digit
113 // pin or MITM.
114 p_dev_rec->sec_flags |=
115 BTM_SEC_16_DIGIT_PIN_AUTHED | BTM_SEC_LINK_KEY_AUTHED;
116 }
117 }
118
119 p_dev_rec->rmt_io_caps = BTM_IO_CAP_OUT;
120 p_dev_rec->device_type |= BT_DEVICE_TYPE_BREDR;
121
122 return true;
123 }
124
wipe_secrets_and_remove(tBTM_SEC_DEV_REC * p_dev_rec)125 void wipe_secrets_and_remove(tBTM_SEC_DEV_REC* p_dev_rec) {
126 p_dev_rec->link_key.fill(0);
127 memset(&p_dev_rec->ble.keys, 0, sizeof(tBTM_SEC_BLE_KEYS));
128 list_remove(btm_cb.sec_dev_rec, p_dev_rec);
129 }
130
131 /** Free resources associated with the device associated with |bd_addr| address.
132 *
133 * *** WARNING ***
134 * tBTM_SEC_DEV_REC associated with bd_addr becomes invalid after this function
135 * is called, also any of it's fields. i.e. if you use p_dev_rec->bd_addr, it is
136 * no longer valid!
137 * *** WARNING ***
138 *
139 * Returns true if removed OK, false if not found or ACL link is active.
140 */
BTM_SecDeleteDevice(const RawAddress & bd_addr)141 bool BTM_SecDeleteDevice(const RawAddress& bd_addr) {
142 if (bluetooth::shim::is_gd_shim_enabled()) {
143 return bluetooth::shim::BTM_SecDeleteDevice(bd_addr);
144 }
145
146 if (BTM_IsAclConnectionUp(bd_addr, BT_TRANSPORT_LE) ||
147 BTM_IsAclConnectionUp(bd_addr, BT_TRANSPORT_BR_EDR)) {
148 BTM_TRACE_WARNING("%s FAILED: Cannot Delete when connection is active",
149 __func__);
150 return false;
151 }
152
153 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
154 if (p_dev_rec != NULL) {
155 RawAddress bda = p_dev_rec->bd_addr;
156
157 /* Clear out any saved BLE keys */
158 btm_sec_clear_ble_keys(p_dev_rec);
159 wipe_secrets_and_remove(p_dev_rec);
160 /* Tell controller to get rid of the link key, if it has one stored */
161 BTM_DeleteStoredLinkKey(&bda, NULL);
162 }
163
164 return true;
165 }
166
167 /*******************************************************************************
168 *
169 * Function BTM_SecClearSecurityFlags
170 *
171 * Description Reset the security flags (mark as not-paired) for a given
172 * remove device.
173 *
174 ******************************************************************************/
BTM_SecClearSecurityFlags(const RawAddress & bd_addr)175 void BTM_SecClearSecurityFlags(const RawAddress& bd_addr) {
176 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
177 if (p_dev_rec == NULL) return;
178
179 p_dev_rec->sec_flags = 0;
180 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
181 p_dev_rec->sm4 = BTM_SM4_UNKNOWN;
182 }
183
184 /*******************************************************************************
185 *
186 * Function BTM_SecReadDevName
187 *
188 * Description Looks for the device name in the security database for the
189 * specified BD address.
190 *
191 * Returns Pointer to the name or NULL
192 *
193 ******************************************************************************/
BTM_SecReadDevName(const RawAddress & bd_addr)194 char* BTM_SecReadDevName(const RawAddress& bd_addr) {
195 char* p_name = NULL;
196 tBTM_SEC_DEV_REC* p_srec;
197
198 p_srec = btm_find_dev(bd_addr);
199 if (p_srec != NULL) p_name = (char*)p_srec->sec_bd_name;
200
201 return (p_name);
202 }
203
204 /*******************************************************************************
205 *
206 * Function btm_sec_alloc_dev
207 *
208 * Description Look for the record in the device database for the record
209 * with specified address
210 *
211 * Returns Pointer to the record or NULL
212 *
213 ******************************************************************************/
btm_sec_alloc_dev(const RawAddress & bd_addr)214 tBTM_SEC_DEV_REC* btm_sec_alloc_dev(const RawAddress& bd_addr) {
215 tBTM_INQ_INFO* p_inq_info;
216
217 tBTM_SEC_DEV_REC* p_dev_rec = btm_sec_allocate_dev_rec();
218
219 LOG_DEBUG("Allocated device record bd_addr:%s", PRIVATE_ADDRESS(bd_addr));
220
221 /* Check with the BT manager if details about remote device are known */
222 /* outgoing connection */
223 p_inq_info = BTM_InqDbRead(bd_addr);
224 if (p_inq_info != NULL) {
225 memcpy(p_dev_rec->dev_class, p_inq_info->results.dev_class, DEV_CLASS_LEN);
226
227 p_dev_rec->device_type = p_inq_info->results.device_type;
228 p_dev_rec->ble.ble_addr_type = p_inq_info->results.ble_addr_type;
229 } else if (bd_addr == btm_cb.connecting_bda)
230 memcpy(p_dev_rec->dev_class, btm_cb.connecting_dc, DEV_CLASS_LEN);
231
232 /* update conn params, use default value for background connection params */
233 memset(&p_dev_rec->conn_params, 0xff, sizeof(tBTM_LE_CONN_PRAMS));
234
235 p_dev_rec->bd_addr = bd_addr;
236
237 p_dev_rec->ble_hci_handle = BTM_GetHCIConnHandle(bd_addr, BT_TRANSPORT_LE);
238 p_dev_rec->hci_handle = BTM_GetHCIConnHandle(bd_addr, BT_TRANSPORT_BR_EDR);
239
240 return (p_dev_rec);
241 }
242
243 /*******************************************************************************
244 *
245 * Function btm_dev_support_role_switch
246 *
247 * Description This function is called by the L2CAP to check if remote
248 * device supports role switch
249 *
250 * Parameters: bd_addr - Address of the peer device
251 *
252 * Returns true if device is known and role switch is supported
253 * for the link.
254 *
255 ******************************************************************************/
btm_dev_support_role_switch(const RawAddress & bd_addr)256 bool btm_dev_support_role_switch(const RawAddress& bd_addr) {
257 if (BTM_IsScoActiveByBdaddr(bd_addr)) {
258 BTM_TRACE_DEBUG("%s Role switch is not allowed if a SCO is up", __func__);
259 return false;
260 }
261
262 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
263 if (p_dev_rec == nullptr) {
264 BTM_TRACE_DEBUG("%s Unknown address for role switch", __func__);
265 return false;
266 }
267
268 if (!controller_get_interface()->supports_central_peripheral_role_switch()) {
269 BTM_TRACE_DEBUG("%s Local controller does not support role switch",
270 __func__);
271 return false;
272 }
273
274 if (p_dev_rec->remote_supports_hci_role_switch) {
275 BTM_TRACE_DEBUG("%s Peer controller supports role switch", __func__);
276 return true;
277 }
278
279 if (!p_dev_rec->remote_feature_received) {
280 BTM_TRACE_DEBUG(
281 "%s Unknown peer capabilities, assuming peer supports role switch",
282 __func__);
283 return true;
284 }
285
286 BTM_TRACE_DEBUG("%s Peer controller does not support role switch", __func__);
287 return false;
288 }
289
is_handle_equal(void * data,void * context)290 bool is_handle_equal(void* data, void* context) {
291 tBTM_SEC_DEV_REC* p_dev_rec = static_cast<tBTM_SEC_DEV_REC*>(data);
292 uint16_t* handle = static_cast<uint16_t*>(context);
293
294 if (p_dev_rec->hci_handle == *handle || p_dev_rec->ble_hci_handle == *handle)
295 return false;
296
297 return true;
298 }
299
300 /*******************************************************************************
301 *
302 * Function btm_find_dev_by_handle
303 *
304 * Description Look for the record in the device database for the record
305 * with specified handle
306 *
307 * Returns Pointer to the record or NULL
308 *
309 ******************************************************************************/
btm_find_dev_by_handle(uint16_t handle)310 tBTM_SEC_DEV_REC* btm_find_dev_by_handle(uint16_t handle) {
311 list_node_t* n = list_foreach(btm_cb.sec_dev_rec, is_handle_equal, &handle);
312 if (n) return static_cast<tBTM_SEC_DEV_REC*>(list_node(n));
313
314 return NULL;
315 }
316
is_address_equal(void * data,void * context)317 bool is_address_equal(void* data, void* context) {
318 tBTM_SEC_DEV_REC* p_dev_rec = static_cast<tBTM_SEC_DEV_REC*>(data);
319 const RawAddress* bd_addr = ((RawAddress*)context);
320
321 if (p_dev_rec->bd_addr == *bd_addr) return false;
322 // If a LE random address is looking for device record
323 if (p_dev_rec->ble.pseudo_addr == *bd_addr) return false;
324
325 if (btm_ble_addr_resolvable(*bd_addr, p_dev_rec)) return false;
326 return true;
327 }
328
329 /*******************************************************************************
330 *
331 * Function btm_find_dev
332 *
333 * Description Look for the record in the device database for the record
334 * with specified BD address
335 *
336 * Returns Pointer to the record or NULL
337 *
338 ******************************************************************************/
btm_find_dev(const RawAddress & bd_addr)339 tBTM_SEC_DEV_REC* btm_find_dev(const RawAddress& bd_addr) {
340 list_node_t* n =
341 list_foreach(btm_cb.sec_dev_rec, is_address_equal, (void*)&bd_addr);
342 if (n) return static_cast<tBTM_SEC_DEV_REC*>(list_node(n));
343
344 return NULL;
345 }
346
347 /*******************************************************************************
348 *
349 * Function btm_consolidate_dev
350 5**
351 * Description combine security records if identified as same peer
352 *
353 * Returns none
354 *
355 ******************************************************************************/
btm_consolidate_dev(tBTM_SEC_DEV_REC * p_target_rec)356 void btm_consolidate_dev(tBTM_SEC_DEV_REC* p_target_rec) {
357 tBTM_SEC_DEV_REC temp_rec = *p_target_rec;
358
359 BTM_TRACE_DEBUG("%s", __func__);
360
361 list_node_t* end = list_end(btm_cb.sec_dev_rec);
362 list_node_t* node = list_begin(btm_cb.sec_dev_rec);
363 while (node != end) {
364 tBTM_SEC_DEV_REC* p_dev_rec =
365 static_cast<tBTM_SEC_DEV_REC*>(list_node(node));
366
367 // we do list_remove in some cases, must grab next before removing
368 node = list_next(node);
369
370 if (p_target_rec == p_dev_rec) continue;
371
372 if (p_dev_rec->bd_addr == p_target_rec->bd_addr) {
373 memcpy(p_target_rec, p_dev_rec, sizeof(tBTM_SEC_DEV_REC));
374 p_target_rec->ble = temp_rec.ble;
375 p_target_rec->ble_hci_handle = temp_rec.ble_hci_handle;
376 p_target_rec->enc_key_size = temp_rec.enc_key_size;
377 p_target_rec->conn_params = temp_rec.conn_params;
378 p_target_rec->device_type |= temp_rec.device_type;
379 p_target_rec->sec_flags |= temp_rec.sec_flags;
380
381 p_target_rec->new_encryption_key_is_p256 =
382 temp_rec.new_encryption_key_is_p256;
383 p_target_rec->bond_type = temp_rec.bond_type;
384
385 /* remove the combined record */
386 wipe_secrets_and_remove(p_dev_rec);
387 // p_dev_rec gets freed in list_remove, we should not access it further
388 continue;
389 }
390
391 /* an RPA device entry is a duplicate of the target record */
392 if (btm_ble_addr_resolvable(p_dev_rec->bd_addr, p_target_rec)) {
393 if (p_target_rec->ble.pseudo_addr == p_dev_rec->bd_addr) {
394 p_target_rec->ble.ble_addr_type = p_dev_rec->ble.ble_addr_type;
395 p_target_rec->device_type |= p_dev_rec->device_type;
396
397 /* remove the combined record */
398 wipe_secrets_and_remove(p_dev_rec);
399 }
400 }
401 }
402 }
403
404 /*******************************************************************************
405 *
406 * Function btm_find_or_alloc_dev
407 *
408 * Description Look for the record in the device database for the record
409 * with specified BD address
410 *
411 * Returns Pointer to the record or NULL
412 *
413 ******************************************************************************/
btm_find_or_alloc_dev(const RawAddress & bd_addr)414 tBTM_SEC_DEV_REC* btm_find_or_alloc_dev(const RawAddress& bd_addr) {
415 tBTM_SEC_DEV_REC* p_dev_rec;
416 BTM_TRACE_EVENT("btm_find_or_alloc_dev");
417 p_dev_rec = btm_find_dev(bd_addr);
418 if (p_dev_rec == NULL) {
419 /* Allocate a new device record or reuse the oldest one */
420 p_dev_rec = btm_sec_alloc_dev(bd_addr);
421 }
422 return (p_dev_rec);
423 }
424
425 /*******************************************************************************
426 *
427 * Function btm_find_oldest_dev_rec
428 *
429 * Description Locates the oldest device in use. It first looks for
430 * the oldest non-paired device. If all devices are paired it
431 * returns the oldest paired device.
432 *
433 * Returns Pointer to the record or NULL
434 *
435 ******************************************************************************/
btm_find_oldest_dev_rec(void)436 static tBTM_SEC_DEV_REC* btm_find_oldest_dev_rec(void) {
437 tBTM_SEC_DEV_REC* p_oldest = NULL;
438 uint32_t ts_oldest = 0xFFFFFFFF;
439 tBTM_SEC_DEV_REC* p_oldest_paired = NULL;
440 uint32_t ts_oldest_paired = 0xFFFFFFFF;
441
442 list_node_t* end = list_end(btm_cb.sec_dev_rec);
443 for (list_node_t* node = list_begin(btm_cb.sec_dev_rec); node != end;
444 node = list_next(node)) {
445 tBTM_SEC_DEV_REC* p_dev_rec =
446 static_cast<tBTM_SEC_DEV_REC*>(list_node(node));
447
448 if ((p_dev_rec->sec_flags &
449 (BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LE_LINK_KEY_KNOWN)) == 0) {
450 // Device is not paired
451 if (p_dev_rec->timestamp < ts_oldest) {
452 p_oldest = p_dev_rec;
453 ts_oldest = p_dev_rec->timestamp;
454 }
455 } else {
456 // Paired device
457 if (p_dev_rec->timestamp < ts_oldest_paired) {
458 p_oldest_paired = p_dev_rec;
459 ts_oldest_paired = p_dev_rec->timestamp;
460 }
461 }
462 }
463
464 // If we did not find any non-paired devices, use the oldest paired one...
465 if (ts_oldest == 0xFFFFFFFF) p_oldest = p_oldest_paired;
466
467 return p_oldest;
468 }
469
470 /*******************************************************************************
471 *
472 * Function btm_sec_allocate_dev_rec
473 *
474 * Description Attempts to allocate a new device record. If we have
475 * exceeded the maximum number of allowable records to
476 * allocate, the oldest record will be deleted to make room
477 * for the new record.
478 *
479 * Returns Pointer to the newly allocated record
480 *
481 ******************************************************************************/
btm_sec_allocate_dev_rec(void)482 tBTM_SEC_DEV_REC* btm_sec_allocate_dev_rec(void) {
483 tBTM_SEC_DEV_REC* p_dev_rec = NULL;
484
485 if (list_length(btm_cb.sec_dev_rec) > BTM_SEC_MAX_DEVICE_RECORDS) {
486 p_dev_rec = btm_find_oldest_dev_rec();
487 wipe_secrets_and_remove(p_dev_rec);
488 }
489
490 p_dev_rec =
491 static_cast<tBTM_SEC_DEV_REC*>(osi_calloc(sizeof(tBTM_SEC_DEV_REC)));
492 list_append(btm_cb.sec_dev_rec, p_dev_rec);
493
494 // Initialize defaults
495 p_dev_rec->sec_flags = BTM_SEC_IN_USE;
496 p_dev_rec->bond_type = tBTM_SEC_DEV_REC::BOND_TYPE_UNKNOWN;
497 p_dev_rec->timestamp = btm_cb.dev_rec_count++;
498 p_dev_rec->rmt_io_caps = BTM_IO_CAP_UNKNOWN;
499
500 return p_dev_rec;
501 }
502
503 /*******************************************************************************
504 *
505 * Function btm_get_bond_type_dev
506 *
507 * Description Get the bond type for a device in the device database
508 * with specified BD address
509 *
510 * Returns The device bond type if known, otherwise BOND_TYPE_UNKNOWN
511 *
512 ******************************************************************************/
btm_get_bond_type_dev(const RawAddress & bd_addr)513 tBTM_SEC_DEV_REC::tBTM_BOND_TYPE btm_get_bond_type_dev(
514 const RawAddress& bd_addr) {
515 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
516
517 if (p_dev_rec == NULL) return tBTM_SEC_DEV_REC::BOND_TYPE_UNKNOWN;
518
519 return p_dev_rec->bond_type;
520 }
521
522 /*******************************************************************************
523 *
524 * Function btm_set_bond_type_dev
525 *
526 * Description Set the bond type for a device in the device database
527 * with specified BD address
528 *
529 * Returns true on success, otherwise false
530 *
531 ******************************************************************************/
btm_set_bond_type_dev(const RawAddress & bd_addr,tBTM_SEC_DEV_REC::tBTM_BOND_TYPE bond_type)532 bool btm_set_bond_type_dev(const RawAddress& bd_addr,
533 tBTM_SEC_DEV_REC::tBTM_BOND_TYPE bond_type) {
534 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
535
536 if (p_dev_rec == NULL) return false;
537
538 p_dev_rec->bond_type = bond_type;
539 return true;
540 }
541