1 /******************************************************************************
2 *
3 * Copyright 1999-2012 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18
19 /******************************************************************************
20 *
21 * this file contains GATT authentication handling functions
22 *
23 ******************************************************************************/
24 #include "bt_target.h"
25 #include "bt_utils.h"
26
27 #include <string.h>
28 #include "bt_common.h"
29
30 #include "gatt_api.h"
31 #include "gatt_int.h"
32 #include "osi/include/osi.h"
33 #include "stack/btm/btm_ble_int.h"
34 #include "stack/btm/btm_ble_int_types.h"
35 #include "stack/btm/btm_int.h"
36 #include "stack/btm/btm_sec.h"
37
38 using base::StringPrintf;
39
40 /*******************************************************************************
41 *
42 * Function gatt_sign_data
43 *
44 * Description This function sign the data for write command.
45 *
46 * Returns true if encrypted, otherwise false.
47 *
48 ******************************************************************************/
gatt_sign_data(tGATT_CLCB * p_clcb)49 static bool gatt_sign_data(tGATT_CLCB* p_clcb) {
50 tGATT_VALUE* p_attr = (tGATT_VALUE*)p_clcb->p_attr_buf;
51 uint8_t *p_data = NULL, *p;
52 uint16_t payload_size = p_clcb->p_tcb->payload_size;
53 bool status = false;
54 uint8_t* p_signature;
55
56 /* do not need to mark channel securoty activity for data signing */
57 gatt_set_sec_act(p_clcb->p_tcb, GATT_SEC_OK);
58
59 p_data =
60 (uint8_t*)osi_malloc(p_attr->len + 3); /* 3 = 2 byte handle + opcode */
61
62 p = p_data;
63 UINT8_TO_STREAM(p, GATT_SIGN_CMD_WRITE);
64 UINT16_TO_STREAM(p, p_attr->handle);
65 ARRAY_TO_STREAM(p, p_attr->value, p_attr->len);
66
67 /* sign data length should be attribulte value length plus 2B handle + 1B op
68 * code */
69 if ((payload_size - GATT_AUTH_SIGN_LEN - 3) < p_attr->len)
70 p_attr->len = payload_size - GATT_AUTH_SIGN_LEN - 3;
71
72 p_signature = p_attr->value + p_attr->len;
73 if (BTM_BleDataSignature(
74 p_clcb->p_tcb->peer_bda, p_data,
75 (uint16_t)(p_attr->len + 3), /* 3 = 2 byte handle + opcode */
76 p_signature)) {
77 p_attr->len += BTM_BLE_AUTH_SIGN_LEN;
78 gatt_set_ch_state(p_clcb->p_tcb, GATT_CH_OPEN);
79 gatt_act_write(p_clcb, GATT_SEC_SIGN_DATA);
80 } else {
81 gatt_end_operation(p_clcb, GATT_INTERNAL_ERROR, NULL);
82 }
83
84 osi_free(p_data);
85
86 return status;
87 }
88
89 /*******************************************************************************
90 *
91 * Function gatt_verify_signature
92 *
93 * Description This function start to verify the sign data when receiving
94 * the data from peer device.
95 *
96 * Returns
97 *
98 ******************************************************************************/
gatt_verify_signature(tGATT_TCB & tcb,uint16_t cid,BT_HDR * p_buf)99 void gatt_verify_signature(tGATT_TCB& tcb, uint16_t cid, BT_HDR* p_buf) {
100 uint16_t cmd_len;
101 uint8_t op_code;
102 uint8_t *p, *p_orig = (uint8_t*)(p_buf + 1) + p_buf->offset;
103 uint32_t counter;
104
105 if (p_buf->len < GATT_AUTH_SIGN_LEN + 4) {
106 LOG(ERROR) << StringPrintf("%s: Data length %u less than expected %u",
107 __func__, p_buf->len, GATT_AUTH_SIGN_LEN + 4);
108 return;
109 }
110 cmd_len = p_buf->len - GATT_AUTH_SIGN_LEN + 4;
111 p = p_orig + cmd_len - 4;
112 STREAM_TO_UINT32(counter, p);
113
114 if (!BTM_BleVerifySignature(tcb.peer_bda, p_orig, cmd_len, counter, p)) {
115 /* if this is a bad signature, assume from attacker, ignore it */
116 LOG(ERROR) << StringPrintf("Signature Verification Failed, data ignored");
117 return;
118 }
119
120 STREAM_TO_UINT8(op_code, p_orig);
121 gatt_server_handle_client_req(tcb, cid, op_code, (uint16_t)(p_buf->len - 1),
122 p_orig);
123 }
124 /*******************************************************************************
125 *
126 * Function gatt_sec_check_complete
127 *
128 * Description security check complete and proceed to data sending action.
129 *
130 * Returns void.
131 *
132 ******************************************************************************/
gatt_sec_check_complete(bool sec_check_ok,tGATT_CLCB * p_clcb,uint8_t sec_act)133 void gatt_sec_check_complete(bool sec_check_ok, tGATT_CLCB* p_clcb,
134 uint8_t sec_act) {
135 if (p_clcb && p_clcb->p_tcb && p_clcb->p_tcb->pending_enc_clcb.empty()) {
136 gatt_set_sec_act(p_clcb->p_tcb, GATT_SEC_NONE);
137 }
138
139 if (!sec_check_ok) {
140 gatt_end_operation(p_clcb, GATT_AUTH_FAIL, NULL);
141 } else if (p_clcb->operation == GATTC_OPTYPE_WRITE) {
142 gatt_act_write(p_clcb, sec_act);
143 } else if (p_clcb->operation == GATTC_OPTYPE_READ) {
144 gatt_act_read(p_clcb, p_clcb->counter);
145 }
146 }
147 /*******************************************************************************
148 *
149 * Function gatt_enc_cmpl_cback
150 *
151 * Description link encryption complete callback.
152 *
153 * Returns
154 *
155 ******************************************************************************/
gatt_enc_cmpl_cback(const RawAddress * bd_addr,tBT_TRANSPORT transport,UNUSED_ATTR void * p_ref_data,tBTM_STATUS result)156 void gatt_enc_cmpl_cback(const RawAddress* bd_addr, tBT_TRANSPORT transport,
157 UNUSED_ATTR void* p_ref_data, tBTM_STATUS result) {
158 VLOG(1) << StringPrintf("gatt_enc_cmpl_cback");
159 tGATT_TCB* p_tcb = gatt_find_tcb_by_addr(*bd_addr, transport);
160 if (!p_tcb) {
161 LOG(ERROR) << StringPrintf("%s: enc callback for unknown bd_addr",
162 __func__);
163 return;
164 }
165
166 if (gatt_get_sec_act(p_tcb) == GATT_SEC_ENC_PENDING) return;
167
168 if (p_tcb->pending_enc_clcb.empty()) {
169 LOG(ERROR) << StringPrintf("%s: no operation waiting for encrypting",
170 __func__);
171 return;
172 }
173
174 tGATT_CLCB* p_clcb = p_tcb->pending_enc_clcb.front();
175 p_tcb->pending_enc_clcb.pop();
176
177 bool status = false;
178 if (result == BTM_SUCCESS) {
179 if (gatt_get_sec_act(p_tcb) == GATT_SEC_ENCRYPT_MITM) {
180 status = BTM_IsLinkKeyAuthed(*bd_addr, transport);
181 } else {
182 status = true;
183 }
184 }
185
186 gatt_sec_check_complete(status, p_clcb, p_tcb->sec_act);
187
188 /* start all other pending operation in queue */
189 std::queue<tGATT_CLCB*> new_pending_clcbs;
190 while (!p_tcb->pending_enc_clcb.empty()) {
191 tGATT_CLCB* p_clcb = p_tcb->pending_enc_clcb.front();
192 p_tcb->pending_enc_clcb.pop();
193 if (gatt_security_check_start(p_clcb)) new_pending_clcbs.push(p_clcb);
194 }
195 p_tcb->pending_enc_clcb = new_pending_clcbs;
196 }
197
198 /*******************************************************************************
199 *
200 * Function gatt_notify_enc_cmpl
201 *
202 * Description link encryption complete notification for all encryption
203 * process initiated outside GATT.
204 *
205 * Returns
206 *
207 ******************************************************************************/
gatt_notify_enc_cmpl(const RawAddress & bd_addr)208 void gatt_notify_enc_cmpl(const RawAddress& bd_addr) {
209 tGATT_TCB* p_tcb = gatt_find_tcb_by_addr(bd_addr, BT_TRANSPORT_LE);
210 if (!p_tcb) {
211 VLOG(1) << StringPrintf(
212 "notify GATT for encryption completion of unknown device");
213 return;
214 }
215
216 for (uint8_t i = 0; i < GATT_MAX_APPS; i++) {
217 if (gatt_cb.cl_rcb[i].in_use && gatt_cb.cl_rcb[i].app_cb.p_enc_cmpl_cb) {
218 (*gatt_cb.cl_rcb[i].app_cb.p_enc_cmpl_cb)(gatt_cb.cl_rcb[i].gatt_if,
219 bd_addr);
220 }
221 }
222
223 if (gatt_get_sec_act(p_tcb) == GATT_SEC_ENC_PENDING) {
224 gatt_set_sec_act(p_tcb, GATT_SEC_NONE);
225
226 std::queue<tGATT_CLCB*> new_pending_clcbs;
227 while (!p_tcb->pending_enc_clcb.empty()) {
228 tGATT_CLCB* p_clcb = p_tcb->pending_enc_clcb.front();
229 p_tcb->pending_enc_clcb.pop();
230 if (gatt_security_check_start(p_clcb)) new_pending_clcbs.push(p_clcb);
231 }
232 p_tcb->pending_enc_clcb = new_pending_clcbs;
233 }
234 }
235 /*******************************************************************************
236 *
237 * Function gatt_set_sec_act
238 *
239 * Description This function set the sec_act in clcb
240 *
241 * Returns none
242 *
243 ******************************************************************************/
gatt_set_sec_act(tGATT_TCB * p_tcb,tGATT_SEC_ACTION sec_act)244 void gatt_set_sec_act(tGATT_TCB* p_tcb, tGATT_SEC_ACTION sec_act) {
245 if (p_tcb) {
246 p_tcb->sec_act = sec_act;
247 }
248 }
249 /*******************************************************************************
250 *
251 * Function gatt_get_sec_act
252 *
253 * Description This function get the sec_act in clcb
254 *
255 * Returns none
256 *
257 ******************************************************************************/
gatt_get_sec_act(tGATT_TCB * p_tcb)258 tGATT_SEC_ACTION gatt_get_sec_act(tGATT_TCB* p_tcb) {
259 tGATT_SEC_ACTION sec_act = GATT_SEC_NONE;
260 if (p_tcb) {
261 sec_act = p_tcb->sec_act;
262 }
263 return sec_act;
264 }
265 /**
266 * This routine determine the security action based on auth_request and current
267 * link status. Returns tGATT_SEC_ACTION (security action)
268 */
gatt_determine_sec_act(tGATT_CLCB * p_clcb)269 tGATT_SEC_ACTION gatt_determine_sec_act(tGATT_CLCB* p_clcb) {
270 tGATT_SEC_ACTION act = GATT_SEC_OK;
271 tGATT_TCB* p_tcb = p_clcb->p_tcb;
272 tGATT_AUTH_REQ auth_req = p_clcb->auth_req;
273 bool is_link_encrypted = false;
274 bool is_link_key_known = false;
275 bool is_key_mitm = false;
276 uint8_t key_type;
277 tBTM_BLE_SEC_REQ_ACT sec_act = BTM_BLE_SEC_REQ_ACT_NONE;
278
279 if (auth_req == GATT_AUTH_REQ_NONE) return act;
280
281 btm_ble_link_sec_check(p_tcb->peer_bda, auth_req, &sec_act);
282
283 /* if a encryption is pending, need to wait */
284 if (sec_act == BTM_BLE_SEC_REQ_ACT_DISCARD && auth_req != GATT_AUTH_REQ_NONE)
285 return GATT_SEC_ENC_PENDING;
286
287 is_link_key_known =
288 BTM_IsLinkKeyKnown(p_tcb->peer_bda, p_clcb->p_tcb->transport);
289 is_link_encrypted =
290 BTM_IsEncrypted(p_tcb->peer_bda, p_clcb->p_tcb->transport);
291 is_key_mitm = BTM_IsLinkKeyAuthed(p_tcb->peer_bda, p_clcb->p_tcb->transport);
292
293 /* first check link key upgrade required or not */
294 switch (auth_req) {
295 case GATT_AUTH_REQ_MITM:
296 case GATT_AUTH_REQ_SIGNED_MITM:
297 if (!is_key_mitm) act = GATT_SEC_ENCRYPT_MITM;
298 break;
299
300 case GATT_AUTH_REQ_NO_MITM:
301 case GATT_AUTH_REQ_SIGNED_NO_MITM:
302 if (!is_link_key_known) act = GATT_SEC_ENCRYPT_NO_MITM;
303 break;
304 default:
305 break;
306 }
307
308 /* now check link needs to be encrypted or not if the link key upgrade is not
309 * required */
310 if (act == GATT_SEC_OK) {
311 if (p_tcb->transport == BT_TRANSPORT_LE &&
312 (p_clcb->operation == GATTC_OPTYPE_WRITE) &&
313 (p_clcb->op_subtype == GATT_WRITE_NO_RSP)) {
314 /* this is a write command request
315 check data signing required or not */
316 if (!is_link_encrypted) {
317 btm_ble_get_enc_key_type(p_tcb->peer_bda, &key_type);
318
319 if ((key_type & BTM_LE_KEY_LCSRK) &&
320 ((auth_req == GATT_AUTH_REQ_SIGNED_NO_MITM) ||
321 (auth_req == GATT_AUTH_REQ_SIGNED_MITM))) {
322 act = GATT_SEC_SIGN_DATA;
323 } else {
324 act = GATT_SEC_ENCRYPT;
325 }
326 }
327 } else {
328 if (!is_link_encrypted) {
329 act = GATT_SEC_ENCRYPT;
330 }
331 }
332 }
333
334 return act;
335 }
336
337 /*******************************************************************************
338 *
339 * Function gatt_get_link_encrypt_status
340 *
341 * Description This routine get the encryption status of the specified link
342 *
343 *
344 * Returns tGATT_STATUS link encryption status
345 *
346 ******************************************************************************/
gatt_get_link_encrypt_status(tGATT_TCB & tcb)347 tGATT_STATUS gatt_get_link_encrypt_status(tGATT_TCB& tcb) {
348 tGATT_STATUS encrypt_status = GATT_NOT_ENCRYPTED;
349
350 bool encrypted = BTM_IsEncrypted(tcb.peer_bda, tcb.transport);
351 bool link_key_known = BTM_IsLinkKeyKnown(tcb.peer_bda, tcb.transport);
352 bool link_key_authed = BTM_IsLinkKeyAuthed(tcb.peer_bda, tcb.transport);
353
354 if (encrypted && link_key_known) {
355 encrypt_status = GATT_ENCRYPED_NO_MITM;
356 if (link_key_authed) {
357 encrypt_status = GATT_ENCRYPED_MITM;
358 }
359 }
360
361 VLOG(1) << StringPrintf("gatt_get_link_encrypt_status status=0x%x",
362 encrypt_status);
363 return encrypt_status;
364 }
365
366 /*******************************************************************************
367 *
368 * Function gatt_convert_sec_action
369 *
370 * Description Convert GATT security action enum into equivalent
371 * BTM BLE security action enum
372 *
373 * Returns bool true - conversation is successful
374 *
375 ******************************************************************************/
gatt_convert_sec_action(tGATT_SEC_ACTION gatt_sec_act,tBTM_BLE_SEC_ACT * p_btm_sec_act)376 static bool gatt_convert_sec_action(tGATT_SEC_ACTION gatt_sec_act,
377 tBTM_BLE_SEC_ACT* p_btm_sec_act) {
378 bool status = true;
379 switch (gatt_sec_act) {
380 case GATT_SEC_ENCRYPT:
381 *p_btm_sec_act = BTM_BLE_SEC_ENCRYPT;
382 break;
383 case GATT_SEC_ENCRYPT_NO_MITM:
384 *p_btm_sec_act = BTM_BLE_SEC_ENCRYPT_NO_MITM;
385 break;
386 case GATT_SEC_ENCRYPT_MITM:
387 *p_btm_sec_act = BTM_BLE_SEC_ENCRYPT_MITM;
388 break;
389 default:
390 status = false;
391 break;
392 }
393
394 return status;
395 }
396
397 /** check link security, return true if p_clcb should be added back to queue */
gatt_security_check_start(tGATT_CLCB * p_clcb)398 bool gatt_security_check_start(tGATT_CLCB* p_clcb) {
399 tGATT_TCB* p_tcb = p_clcb->p_tcb;
400 tGATT_SEC_ACTION sec_act_old = gatt_get_sec_act(p_tcb);
401
402 tGATT_SEC_ACTION gatt_sec_act = gatt_determine_sec_act(p_clcb);
403
404 if (sec_act_old == GATT_SEC_NONE) gatt_set_sec_act(p_tcb, gatt_sec_act);
405
406 switch (gatt_sec_act) {
407 case GATT_SEC_SIGN_DATA:
408 VLOG(1) << StringPrintf("%s: Do data signing", __func__);
409 gatt_sign_data(p_clcb);
410 break;
411 case GATT_SEC_ENCRYPT:
412 case GATT_SEC_ENCRYPT_NO_MITM:
413 case GATT_SEC_ENCRYPT_MITM:
414 if (sec_act_old < GATT_SEC_ENCRYPT) {
415 VLOG(1) << StringPrintf("%s: Encrypt now or key upgreade first",
416 __func__);
417 tBTM_BLE_SEC_ACT btm_ble_sec_act;
418 gatt_convert_sec_action(gatt_sec_act, &btm_ble_sec_act);
419 tBTM_STATUS btm_status =
420 BTM_SetEncryption(p_tcb->peer_bda, p_tcb->transport,
421 gatt_enc_cmpl_cback, NULL, btm_ble_sec_act);
422 if ((btm_status != BTM_SUCCESS) && (btm_status != BTM_CMD_STARTED)) {
423 LOG(ERROR) << StringPrintf(
424 "%s BTM_SetEncryption failed btm_status=%d", __func__,
425 btm_status);
426 gatt_set_sec_act(p_tcb, GATT_SEC_NONE);
427 gatt_set_ch_state(p_tcb, GATT_CH_OPEN);
428
429 gatt_end_operation(p_clcb, GATT_INSUF_ENCRYPTION, NULL);
430 return false;
431 }
432 }
433 return true;
434 case GATT_SEC_ENC_PENDING:
435 /* wait for link encrypotion to finish */
436 return true;
437 default:
438 gatt_sec_check_complete(true, p_clcb, gatt_sec_act);
439 break;
440 }
441
442 return false;
443 }
444