1 /*
2 * Copyright 2023 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at:
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 *
16 */
17
18 #define LOG_TAG "ble_sec"
19
20 #include "stack/btm/btm_ble_sec.h"
21
22 #include <android_bluetooth_sysprop.h>
23 #include <base/strings/stringprintf.h>
24 #include <bluetooth/log.h>
25 #include <com_android_bluetooth_flags.h>
26
27 #include <cstddef>
28 #include <cstdint>
29 #include <optional>
30
31 #include "btif/include/btif_storage.h"
32 #include "crypto_toolbox/crypto_toolbox.h"
33 #include "device/include/interop.h"
34 #include "hci/controller_interface.h"
35 #include "main/shim/entry.h"
36 #include "osi/include/allocator.h"
37 #include "osi/include/properties.h"
38 #include "platform_ssl_mem.h"
39 #include "stack/btm/btm_ble_int.h"
40 #include "stack/btm/btm_dev.h"
41 #include "stack/btm/btm_int_types.h"
42 #include "stack/btm/btm_sec.h"
43 #include "stack/btm/btm_sec_cb.h"
44 #include "stack/btm/btm_sec_int_types.h"
45 #include "stack/btm/security_device_record.h"
46 #include "stack/eatt/eatt.h"
47 #include "stack/include/acl_api.h"
48 #include "stack/include/bt_name.h"
49 #include "stack/include/bt_octets.h"
50 #include "stack/include/bt_types.h"
51 #include "stack/include/btm_ble_addr.h"
52 #include "stack/include/btm_ble_privacy.h"
53 #include "stack/include/btm_ble_sec_api.h"
54 #include "stack/include/btm_client_interface.h"
55 #include "stack/include/btm_log_history.h"
56 #include "stack/include/btm_status.h"
57 #include "stack/include/gatt_api.h"
58 #include "stack/include/l2cap_security_interface.h"
59 #include "stack/include/smp_api.h"
60 #include "stack/include/smp_api_types.h"
61 #include "types/raw_address.h"
62
63 // TODO(b/369381361) Enfore -Wmissing-prototypes
64 #pragma GCC diagnostic ignored "-Wmissing-prototypes"
65
66 using namespace bluetooth;
67
68 extern tBTM_CB btm_cb;
69
70 bool btm_ble_init_pseudo_addr(tBTM_SEC_DEV_REC* p_dev_rec, const RawAddress& new_pseudo_addr);
71 tBTM_STATUS btm_ble_read_remote_name(const RawAddress& remote_bda, tBTM_NAME_CMPL_CB* p_cb);
72 tBTM_STATUS btm_ble_read_remote_cod(const RawAddress& remote_bda);
73
74 namespace {
75 constexpr char kBtmLogTag[] = "SEC";
76 }
77
78 static constexpr char kPropertyCtkdDisableCsrkDistribution[] =
79 "bluetooth.core.smp.le.ctkd.quirk_disable_csrk_distribution";
80
81 /******************************************************************************/
82 /* External Function to be called by other modules */
83 /******************************************************************************/
BTM_SecAddBleDevice(const RawAddress & bd_addr,tBT_DEVICE_TYPE dev_type,tBLE_ADDR_TYPE addr_type)84 void BTM_SecAddBleDevice(const RawAddress& bd_addr, tBT_DEVICE_TYPE dev_type,
85 tBLE_ADDR_TYPE addr_type) {
86 log::debug("dev_type=0x{:x}", dev_type);
87
88 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
89 if (!p_dev_rec) {
90 p_dev_rec = btm_sec_allocate_dev_rec();
91
92 p_dev_rec->bd_addr = bd_addr;
93 p_dev_rec->hci_handle =
94 get_btm_client_interface().peer.BTM_GetHCIConnHandle(bd_addr, BT_TRANSPORT_BR_EDR);
95 p_dev_rec->ble_hci_handle =
96 get_btm_client_interface().peer.BTM_GetHCIConnHandle(bd_addr, BT_TRANSPORT_LE);
97
98 /* update conn params, use default value for background connection params */
99 p_dev_rec->conn_params.min_conn_int = BTM_BLE_CONN_PARAM_UNDEF;
100 p_dev_rec->conn_params.max_conn_int = BTM_BLE_CONN_PARAM_UNDEF;
101 p_dev_rec->conn_params.supervision_tout = BTM_BLE_CONN_PARAM_UNDEF;
102 p_dev_rec->conn_params.peripheral_latency = BTM_BLE_CONN_PARAM_UNDEF;
103
104 log::debug("Device added, handle=0x{:x}, p_dev_rec={}, bd_addr={}", p_dev_rec->ble_hci_handle,
105 std::format_ptr(p_dev_rec), bd_addr);
106
107 if (com::android::bluetooth::flags::name_discovery_for_le_pairing() &&
108 btif_storage_get_stored_remote_name(bd_addr,
109 reinterpret_cast<char*>(&p_dev_rec->sec_bd_name))) {
110 p_dev_rec->sec_rec.sec_flags |= BTM_SEC_NAME_KNOWN;
111 }
112
113 uint32_t cod = 0;
114 if (com::android::bluetooth::flags::read_le_appearance() &&
115 btif_storage_get_cod(bd_addr, &cod)) {
116 DEV_CLASS dev_class = {};
117 dev_class[2] = (uint8_t)cod;
118 dev_class[1] = (uint8_t)(cod >> 8);
119 dev_class[0] = (uint8_t)(cod >> 16);
120 p_dev_rec->dev_class = dev_class;
121 }
122 }
123
124 if (!com::android::bluetooth::flags::name_discovery_for_le_pairing()) {
125 bd_name_clear(p_dev_rec->sec_bd_name);
126 }
127
128 p_dev_rec->device_type |= dev_type;
129 if (is_ble_addr_type_known(addr_type)) {
130 p_dev_rec->ble.SetAddressType(addr_type);
131 } else {
132 log::warn("Please do not update device record from anonymous le advertisement");
133 }
134
135 /* sync up with the Inq Data base*/
136 tBTM_INQ_INFO* p_info = BTM_InqDbRead(bd_addr);
137 if (p_info) {
138 p_info->results.ble_addr_type = p_dev_rec->ble.AddressType();
139 p_dev_rec->device_type |= p_info->results.device_type;
140 log::debug("InqDb device_type =0x{:x} addr_type=0x{:x}", p_dev_rec->device_type,
141 p_info->results.ble_addr_type);
142 p_info->results.device_type = p_dev_rec->device_type;
143 }
144 }
145
146 /*******************************************************************************
147 *
148 * Function BTM_GetRemoteDeviceName
149 *
150 * Description This function is called to get the dev name of remote device
151 * from NV
152 *
153 * Returns TRUE if success; otherwise failed.
154 *
155 ******************************************************************************/
BTM_GetRemoteDeviceName(const RawAddress & bd_addr,BD_NAME bd_name)156 bool BTM_GetRemoteDeviceName(const RawAddress& bd_addr, BD_NAME bd_name) {
157 log::verbose("bd_addr:{}", bd_addr);
158
159 bool ret = FALSE;
160 bt_bdname_t bdname;
161 bt_property_t prop_name;
162 BTIF_STORAGE_FILL_PROPERTY(&prop_name, BT_PROPERTY_BDNAME, sizeof(bt_bdname_t), &bdname);
163
164 if (btif_storage_get_remote_device_property(&bd_addr, &prop_name) == BT_STATUS_SUCCESS) {
165 log::verbose("NV name={}", reinterpret_cast<const char*>(bdname.name));
166 bd_name_copy(bd_name, bdname.name);
167 ret = TRUE;
168 }
169 return ret;
170 }
171
172 /*******************************************************************************
173 *
174 * Function BTM_SecAddBleKey
175 *
176 * Description Add/modify LE device information. This function will be
177 * normally called during host startup to restore all required
178 * information stored in the NVRAM.
179 *
180 * Parameters: bd_addr - BD address of the peer
181 * p_le_key - LE key values.
182 * key_type - LE SMP key type.
183 *
184 * Returns true if added OK, else false
185 *
186 ******************************************************************************/
BTM_SecAddBleKey(const RawAddress & bd_addr,tBTM_LE_KEY_VALUE * p_le_key,tBTM_LE_KEY_TYPE key_type)187 void BTM_SecAddBleKey(const RawAddress& bd_addr, tBTM_LE_KEY_VALUE* p_le_key,
188 tBTM_LE_KEY_TYPE key_type) {
189 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
190 if (!p_dev_rec || !p_le_key ||
191 (key_type != BTM_LE_KEY_PENC && key_type != BTM_LE_KEY_PID && key_type != BTM_LE_KEY_PCSRK &&
192 key_type != BTM_LE_KEY_LENC && key_type != BTM_LE_KEY_LCSRK && key_type != BTM_LE_KEY_LID)) {
193 log::warn("Wrong Type, or No Device record for bdaddr:{}, Type:0{}", bd_addr, key_type);
194 return;
195 }
196
197 log::debug("Adding BLE key device:{} key_type:{}", bd_addr, key_type);
198
199 btm_sec_save_le_key(bd_addr, key_type, p_le_key, false);
200 // Only set peer irk. Local irk is always the same.
201 if (key_type == BTM_LE_KEY_PID) {
202 btm_ble_resolving_list_load_dev(*p_dev_rec);
203 }
204 }
205
206 /*******************************************************************************
207 *
208 * Function BTM_BleLoadLocalKeys
209 *
210 * Description Local local identity key, encryption root or sign counter.
211 *
212 * Parameters: key_type: type of key, can be BTM_BLE_KEY_TYPE_ID,
213 * BTM_BLE_KEY_TYPE_ER
214 * or BTM_BLE_KEY_TYPE_COUNTER.
215 * p_key: pointer to the key.
216 *
217 * Returns non2.
218 *
219 ******************************************************************************/
BTM_BleLoadLocalKeys(uint8_t key_type,tBTM_BLE_LOCAL_KEYS * p_key)220 void BTM_BleLoadLocalKeys(uint8_t key_type, tBTM_BLE_LOCAL_KEYS* p_key) {
221 tBTM_SEC_DEVCB* p_devcb = &btm_sec_cb.devcb;
222 log::verbose("type:{}", key_type);
223 if (p_key != NULL) {
224 switch (key_type) {
225 case BTM_BLE_KEY_TYPE_ID:
226 memcpy(&p_devcb->id_keys, &p_key->id_keys, sizeof(tBTM_BLE_LOCAL_ID_KEYS));
227 break;
228
229 case BTM_BLE_KEY_TYPE_ER:
230 p_devcb->ble_encryption_key_value = p_key->er;
231 break;
232
233 default:
234 log::error("unknown key type:{}", key_type);
235 break;
236 }
237 }
238 }
239
240 /** Returns local device encryption root (ER) */
BTM_GetDeviceEncRoot()241 const Octet16& BTM_GetDeviceEncRoot() { return btm_sec_cb.devcb.ble_encryption_key_value; }
242
243 /** Returns local device identity root (IR). */
BTM_GetDeviceIDRoot()244 const Octet16& BTM_GetDeviceIDRoot() { return btm_sec_cb.devcb.id_keys.irk; }
245
246 /** Return local device DHK. */
BTM_GetDeviceDHK()247 const Octet16& BTM_GetDeviceDHK() { return btm_sec_cb.devcb.id_keys.dhk; }
248
249 /*******************************************************************************
250 *
251 * Function BTM_SecurityGrant
252 *
253 * Description This function is called to grant security process.
254 *
255 * Parameters bd_addr - peer device bd address.
256 * res - result of the operation tBTM_STATUS::BTM_SUCCESS if success.
257 * Otherwise, BTM_REPEATED_ATTEMPTS if too many
258 * attempts.
259 *
260 * Returns None
261 *
262 ******************************************************************************/
BTM_SecurityGrant(const RawAddress & bd_addr,tBTM_STATUS res)263 void BTM_SecurityGrant(const RawAddress& bd_addr, tBTM_STATUS res) {
264 const tSMP_STATUS res_smp =
265 (res == tBTM_STATUS::BTM_SUCCESS) ? SMP_SUCCESS : SMP_REPEATED_ATTEMPTS;
266 log::verbose("bd_addr:{}, res:{}", bd_addr, smp_status_text(res_smp));
267 BTM_LogHistory(kBtmLogTag, bd_addr, "Granted",
268 base::StringPrintf("passkey_status:%s", smp_status_text(res_smp).c_str()));
269
270 SMP_SecurityGrant(bd_addr, res_smp);
271 }
272
273 /*******************************************************************************
274 *
275 * Function BTM_BlePasskeyReply
276 *
277 * Description This function is called after Security Manager submitted
278 * passkey request to the application.
279 *
280 * Parameters: bd_addr - Address of the device for which passkey was
281 * requested
282 * res - result of the operation tBTM_STATUS::BTM_SUCCESS if success
283 * key_len - length in bytes of the Passkey
284 * p_passkey - pointer to array with the passkey
285 *
286 ******************************************************************************/
BTM_BlePasskeyReply(const RawAddress & bd_addr,tBTM_STATUS res,uint32_t passkey)287 void BTM_BlePasskeyReply(const RawAddress& bd_addr, tBTM_STATUS res, uint32_t passkey) {
288 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
289 log::verbose("bd_addr:{}, res:{}", bd_addr, res);
290 if (p_dev_rec == NULL) {
291 log::error("Unknown device:{}", bd_addr);
292 return;
293 }
294
295 const tSMP_STATUS res_smp =
296 (res == tBTM_STATUS::BTM_SUCCESS) ? SMP_SUCCESS : SMP_PASSKEY_ENTRY_FAIL;
297 BTM_LogHistory(kBtmLogTag, bd_addr, "Passkey reply",
298 base::StringPrintf("transport:%s authenticate_status:%s",
299 bt_transport_text(BT_TRANSPORT_LE).c_str(),
300 smp_status_text(res_smp).c_str()));
301
302 p_dev_rec->sec_rec.sec_flags |= BTM_SEC_LE_AUTHENTICATED;
303 SMP_PasskeyReply(bd_addr, res_smp, passkey);
304 }
305
306 /*******************************************************************************
307 *
308 * Function BTM_BleConfirmReply
309 *
310 * Description This function is called after Security Manager submitted
311 * numeric comparison request to the application.
312 *
313 * Parameters: bd_addr - Address of the device with which numeric
314 * comparison was requested
315 * res - comparison result tBTM_STATUS::BTM_SUCCESS if success
316 *
317 ******************************************************************************/
BTM_BleConfirmReply(const RawAddress & bd_addr,tBTM_STATUS res)318 void BTM_BleConfirmReply(const RawAddress& bd_addr, tBTM_STATUS res) {
319 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
320 log::verbose("bd_addr:{}, res:{}", bd_addr, res);
321 if (p_dev_rec == NULL) {
322 log::error("Unknown device:{}", bd_addr);
323 return;
324 }
325 const tSMP_STATUS res_smp =
326 (res == tBTM_STATUS::BTM_SUCCESS) ? SMP_SUCCESS : SMP_PASSKEY_ENTRY_FAIL;
327
328 BTM_LogHistory(kBtmLogTag, bd_addr, "Confirm reply",
329 base::StringPrintf("transport:%s numeric_comparison_authenticate_status:%s",
330 bt_transport_text(BT_TRANSPORT_LE).c_str(),
331 smp_status_text(res_smp).c_str()));
332
333 p_dev_rec->sec_rec.sec_flags |= BTM_SEC_LE_AUTHENTICATED;
334 SMP_ConfirmReply(bd_addr, res_smp);
335 }
336
337 /*******************************************************************************
338 *
339 * Function BTM_BleOobDataReply
340 *
341 * Description This function is called to provide the OOB data for
342 * SMP in response to BTM_LE_OOB_REQ_EVT
343 *
344 * Parameters: bd_addr - Address of the peer device
345 * res - result of the operation SMP_SUCCESS if success
346 * p_data - oob data, depending on transport and
347 * capabilities.
348 * Might be "Simple Pairing Randomizer", or
349 * "Security Manager TK Value".
350 *
351 ******************************************************************************/
BTM_BleOobDataReply(const RawAddress & bd_addr,tBTM_STATUS res,uint8_t len,uint8_t * p_data)352 void BTM_BleOobDataReply(const RawAddress& bd_addr, tBTM_STATUS res, uint8_t len, uint8_t* p_data) {
353 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
354 if (p_dev_rec == NULL) {
355 log::error("Unknown device:{}", bd_addr);
356 return;
357 }
358
359 const tSMP_STATUS res_smp = (res == tBTM_STATUS::BTM_SUCCESS) ? SMP_SUCCESS : SMP_OOB_FAIL;
360 BTM_LogHistory(kBtmLogTag, bd_addr, "Oob data reply",
361 base::StringPrintf("transport:%s authenticate_status:%s",
362 bt_transport_text(BT_TRANSPORT_LE).c_str(),
363 smp_status_text(res_smp).c_str()));
364
365 p_dev_rec->sec_rec.sec_flags |= BTM_SEC_LE_AUTHENTICATED;
366 SMP_OobDataReply(bd_addr, res_smp, len, p_data);
367 }
368
369 /*******************************************************************************
370 *
371 * Function BTM_BleSecureConnectionOobDataReply
372 *
373 * Description This function is called to provide the OOB data for
374 * SMP in response to BTM_LE_OOB_REQ_EVT when secure connection
375 * data is available
376 *
377 * Parameters: bd_addr - Address of the peer device
378 * p_c - pointer to Confirmation.
379 * p_r - pointer to Randomizer
380 *
381 ******************************************************************************/
BTM_BleSecureConnectionOobDataReply(const RawAddress & bd_addr,uint8_t * p_c,uint8_t * p_r)382 void BTM_BleSecureConnectionOobDataReply(const RawAddress& bd_addr, uint8_t* p_c, uint8_t* p_r) {
383 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
384 if (p_dev_rec == NULL) {
385 log::error("Unknown device:{}", bd_addr);
386 return;
387 }
388
389 BTM_LogHistory(kBtmLogTag, bd_addr, "Oob data reply",
390 base::StringPrintf("transport:%s", bt_transport_text(BT_TRANSPORT_LE).c_str()));
391
392 p_dev_rec->sec_rec.sec_flags |= BTM_SEC_LE_AUTHENTICATED;
393
394 tSMP_SC_OOB_DATA oob;
395 memset(&oob, 0, sizeof(tSMP_SC_OOB_DATA));
396
397 oob.peer_oob_data.present = true;
398 memcpy(&oob.peer_oob_data.randomizer, p_r, OCTET16_LEN);
399 memcpy(&oob.peer_oob_data.commitment, p_c, OCTET16_LEN);
400 oob.peer_oob_data.addr_rcvd_from.type = p_dev_rec->ble.AddressType();
401 oob.peer_oob_data.addr_rcvd_from.bda = bd_addr;
402
403 SMP_SecureConnectionOobDataReply((uint8_t*)&oob);
404 }
405
406 /********************************************************
407 *
408 * Function BTM_BleSetPrefConnParams
409 *
410 * Description Set a peripheral's preferred connection parameters
411 *
412 * Parameters: bd_addr - BD address of the peripheral
413 * scan_interval: scan interval
414 * scan_window: scan window
415 * min_conn_int - minimum preferred connection interval
416 * max_conn_int - maximum preferred connection interval
417 * peripheral_latency - preferred peripheral latency
418 * supervision_tout - preferred supervision timeout
419 *
420 * Returns void
421 *
422 ******************************************************************************/
BTM_BleSetPrefConnParams(const RawAddress & bd_addr,uint16_t min_conn_int,uint16_t max_conn_int,uint16_t peripheral_latency,uint16_t supervision_tout)423 void BTM_BleSetPrefConnParams(const RawAddress& bd_addr, uint16_t min_conn_int,
424 uint16_t max_conn_int, uint16_t peripheral_latency,
425 uint16_t supervision_tout) {
426 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
427
428 log::verbose("min:{},max:{},latency:{},tout:{}", min_conn_int, max_conn_int, peripheral_latency,
429 supervision_tout);
430
431 if (BTM_BLE_ISVALID_PARAM(min_conn_int, BTM_BLE_CONN_INT_MIN, BTM_BLE_CONN_INT_MAX) &&
432 BTM_BLE_ISVALID_PARAM(max_conn_int, BTM_BLE_CONN_INT_MIN, BTM_BLE_CONN_INT_MAX) &&
433 BTM_BLE_ISVALID_PARAM(supervision_tout, BTM_BLE_CONN_SUP_TOUT_MIN,
434 BTM_BLE_CONN_SUP_TOUT_MAX) &&
435 (peripheral_latency <= BTM_BLE_CONN_LATENCY_MAX ||
436 peripheral_latency == BTM_BLE_CONN_PARAM_UNDEF)) {
437 if (p_dev_rec) {
438 /* expect conn int and stout and peripheral latency to be updated all
439 * together
440 */
441 if (min_conn_int != BTM_BLE_CONN_PARAM_UNDEF || max_conn_int != BTM_BLE_CONN_PARAM_UNDEF) {
442 if (min_conn_int != BTM_BLE_CONN_PARAM_UNDEF) {
443 p_dev_rec->conn_params.min_conn_int = min_conn_int;
444 } else {
445 p_dev_rec->conn_params.min_conn_int = max_conn_int;
446 }
447
448 if (max_conn_int != BTM_BLE_CONN_PARAM_UNDEF) {
449 p_dev_rec->conn_params.max_conn_int = max_conn_int;
450 } else {
451 p_dev_rec->conn_params.max_conn_int = min_conn_int;
452 }
453
454 if (peripheral_latency != BTM_BLE_CONN_PARAM_UNDEF) {
455 p_dev_rec->conn_params.peripheral_latency = peripheral_latency;
456 } else {
457 p_dev_rec->conn_params.peripheral_latency = BTM_BLE_CONN_PERIPHERAL_LATENCY_DEF;
458 }
459
460 if (supervision_tout != BTM_BLE_CONN_PARAM_UNDEF) {
461 p_dev_rec->conn_params.supervision_tout = supervision_tout;
462 } else {
463 p_dev_rec->conn_params.supervision_tout = BTM_BLE_CONN_TIMEOUT_DEF;
464 }
465 }
466
467 } else {
468 log::error("Unknown Device, setting rejected");
469 }
470 } else {
471 log::error("Illegal Connection Parameters");
472 }
473 }
474
475 /*******************************************************************************
476 *
477 * Function BTM_ReadDevInfo
478 *
479 * Description This function is called to read the device/address type
480 * of BD address.
481 *
482 * Parameter remote_bda: remote device address
483 * p_dev_type: output parameter to read the device type.
484 * p_addr_type: output parameter to read the address type.
485 *
486 ******************************************************************************/
BTM_ReadDevInfo(const RawAddress & remote_bda,tBT_DEVICE_TYPE * p_dev_type,tBLE_ADDR_TYPE * p_addr_type)487 void BTM_ReadDevInfo(const RawAddress& remote_bda, tBT_DEVICE_TYPE* p_dev_type,
488 tBLE_ADDR_TYPE* p_addr_type) {
489 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(remote_bda);
490 tBTM_INQ_INFO* p_inq_info = BTM_InqDbRead(remote_bda);
491
492 *p_addr_type = BLE_ADDR_PUBLIC;
493
494 if (!p_dev_rec) {
495 *p_dev_type = BT_DEVICE_TYPE_BREDR;
496 /* Check with the BT manager if details about remote device are known */
497 if (p_inq_info != NULL) {
498 *p_dev_type = p_inq_info->results.device_type;
499 *p_addr_type = p_inq_info->results.ble_addr_type;
500 } else {
501 /* unknown device, assume BR/EDR */
502 log::verbose("unknown device, BR/EDR assumed");
503 }
504 } else /* there is a security device record existing */
505 {
506 /* new inquiry result, merge device type in security device record */
507 if (p_inq_info) {
508 p_dev_rec->device_type |= p_inq_info->results.device_type;
509 if (is_ble_addr_type_known(p_inq_info->results.ble_addr_type)) {
510 p_dev_rec->ble.SetAddressType(p_inq_info->results.ble_addr_type);
511 } else {
512 log::warn(
513 "Please do not update device record from anonymous le "
514 "advertisement");
515 }
516 }
517
518 if (p_dev_rec->bd_addr == remote_bda && p_dev_rec->ble.pseudo_addr == remote_bda) {
519 *p_dev_type = p_dev_rec->device_type;
520 *p_addr_type = p_dev_rec->ble.AddressType();
521 } else if (p_dev_rec->ble.pseudo_addr == remote_bda) {
522 *p_dev_type = BT_DEVICE_TYPE_BLE;
523 *p_addr_type = p_dev_rec->ble.AddressType();
524 } else /* matching static address only */ {
525 if (p_dev_rec->device_type != BT_DEVICE_TYPE_UNKNOWN) {
526 *p_dev_type = p_dev_rec->device_type;
527 } else {
528 log::warn("device_type not set; assuming BR/EDR");
529 *p_dev_type = BT_DEVICE_TYPE_BREDR;
530 }
531 *p_addr_type = BLE_ADDR_PUBLIC;
532 }
533 }
534 log::debug("Determined device_type:{} addr_type:{}", DeviceTypeText(*p_dev_type),
535 AddressTypeText(*p_addr_type));
536 }
537
538 /*******************************************************************************
539 *
540 * Function BTM_ReadConnectedTransportAddress
541 *
542 * Description This function is called to read the paired device/address
543 * type of other device paired corresponding to the BD_address
544 *
545 * Parameter remote_bda: remote device address, carry out the transport
546 * address
547 * transport: active transport
548 *
549 * Return true if an active link is identified; false otherwise
550 *
551 ******************************************************************************/
BTM_ReadConnectedTransportAddress(RawAddress * remote_bda,tBT_TRANSPORT transport)552 bool BTM_ReadConnectedTransportAddress(RawAddress* remote_bda, tBT_TRANSPORT transport) {
553 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(*remote_bda);
554
555 /* if no device can be located, return */
556 if (p_dev_rec == NULL) {
557 return false;
558 }
559
560 if (transport == BT_TRANSPORT_BR_EDR) {
561 if (get_btm_client_interface().peer.BTM_IsAclConnectionUp(p_dev_rec->bd_addr, transport)) {
562 *remote_bda = p_dev_rec->bd_addr;
563 return true;
564 } else if (p_dev_rec->device_type & BT_DEVICE_TYPE_BREDR) {
565 *remote_bda = p_dev_rec->bd_addr;
566 } else {
567 *remote_bda = RawAddress::kEmpty;
568 }
569 return false;
570 }
571
572 if (transport == BT_TRANSPORT_LE) {
573 *remote_bda = p_dev_rec->ble.pseudo_addr;
574 if (get_btm_client_interface().peer.BTM_IsAclConnectionUp(p_dev_rec->ble.pseudo_addr,
575 transport)) {
576 return true;
577 } else {
578 return false;
579 }
580 }
581
582 return false;
583 }
584
BTM_SetBleDataLength(const RawAddress & bd_addr,uint16_t tx_pdu_length)585 tBTM_STATUS BTM_SetBleDataLength(const RawAddress& bd_addr, uint16_t tx_pdu_length) {
586 if (!bluetooth::shim::GetController()->SupportsBleDataPacketLengthExtension()) {
587 log::info("Local controller does not support le packet extension");
588 return tBTM_STATUS::BTM_ILLEGAL_VALUE;
589 }
590
591 log::info("bd_addr:{}, tx_pdu_length:{}", bd_addr, tx_pdu_length);
592
593 auto p_dev_rec = btm_find_dev(bd_addr);
594 if (p_dev_rec == NULL) {
595 log::error("Device {} not found", bd_addr);
596 return tBTM_STATUS::BTM_UNKNOWN_ADDR;
597 }
598
599 if (tx_pdu_length > BTM_BLE_DATA_SIZE_MAX) {
600 tx_pdu_length = BTM_BLE_DATA_SIZE_MAX;
601 } else if (tx_pdu_length < BTM_BLE_DATA_SIZE_MIN) {
602 tx_pdu_length = BTM_BLE_DATA_SIZE_MIN;
603 }
604
605 if (p_dev_rec->get_suggested_tx_octets() >= tx_pdu_length) {
606 log::info("Suggested TX octet already set to controller {} >= {}",
607 p_dev_rec->get_suggested_tx_octets(), tx_pdu_length);
608 return tBTM_STATUS::BTM_SUCCESS;
609 }
610
611 uint16_t tx_time = BTM_BLE_DATA_TX_TIME_MAX_LEGACY;
612
613 if (bluetooth::shim::GetController()->GetLocalVersionInformation().hci_version_ >=
614 bluetooth::hci::HciVersion::V_5_0) {
615 tx_time = BTM_BLE_DATA_TX_TIME_MAX;
616 }
617
618 if (!get_btm_client_interface().peer.BTM_IsAclConnectionUp(bd_addr, BT_TRANSPORT_LE)) {
619 log::info("Unable to set data length because no le acl link connected to device");
620 return tBTM_STATUS::BTM_WRONG_MODE;
621 }
622
623 uint16_t hci_handle =
624 get_btm_client_interface().peer.BTM_GetHCIConnHandle(bd_addr, BT_TRANSPORT_LE);
625
626 if (!acl_peer_supports_ble_packet_extension(hci_handle)) {
627 log::info("Remote device unable to support le packet extension");
628 return tBTM_STATUS::BTM_ILLEGAL_VALUE;
629 }
630
631 tx_pdu_length = std::min<uint16_t>(
632 tx_pdu_length,
633 bluetooth::shim::GetController()->GetLeMaximumDataLength().supported_max_tx_octets_);
634 tx_time = std::min<uint16_t>(
635 tx_time,
636 bluetooth::shim::GetController()->GetLeMaximumDataLength().supported_max_tx_time_);
637
638 btsnd_hcic_ble_set_data_length(hci_handle, tx_pdu_length, tx_time);
639 p_dev_rec->set_suggested_tx_octect(tx_pdu_length);
640
641 return tBTM_STATUS::BTM_SUCCESS;
642 }
643
644 /*******************************************************************************
645 *
646 * Function btm_ble_determine_security_act
647 *
648 * Description This function checks the security of current LE link
649 * and returns the appropriate action that needs to be
650 * taken to achieve the required security.
651 *
652 * Parameter is_originator - True if outgoing connection
653 * bdaddr: remote device address
654 * security_required: Security required for the service.
655 *
656 * Returns The appropriate security action required.
657 *
658 ******************************************************************************/
btm_ble_determine_security_act(bool is_originator,const RawAddress & bdaddr,uint16_t security_required)659 static tBTM_SEC_ACTION btm_ble_determine_security_act(bool is_originator, const RawAddress& bdaddr,
660 uint16_t security_required) {
661 tBTM_LE_AUTH_REQ auth_req = 0x00;
662
663 if (is_originator) {
664 if ((security_required & BTM_SEC_OUT_FLAGS) == 0 &&
665 (security_required & BTM_SEC_OUT_MITM) == 0) {
666 log::info("No security required for outgoing connection");
667 return BTM_SEC_OK;
668 }
669
670 if (security_required & BTM_SEC_OUT_MITM) {
671 auth_req |= BTM_LE_AUTH_REQ_MITM;
672 }
673 } else {
674 if ((security_required & BTM_SEC_IN_FLAGS) == 0 && (security_required & BTM_SEC_IN_MITM) == 0) {
675 log::verbose("No security required for incoming connection");
676 return BTM_SEC_OK;
677 }
678
679 if (security_required & BTM_SEC_IN_MITM) {
680 auth_req |= BTM_LE_AUTH_REQ_MITM;
681 }
682 }
683
684 tBTM_BLE_SEC_REQ_ACT ble_sec_act = {BTM_BLE_SEC_REQ_ACT_NONE};
685 btm_ble_link_sec_check(bdaddr, auth_req, &ble_sec_act);
686
687 log::verbose("ble_sec_act {}", ble_sec_act);
688
689 if (ble_sec_act == BTM_BLE_SEC_REQ_ACT_DISCARD) {
690 return BTM_SEC_ENC_PENDING;
691 }
692
693 if (ble_sec_act == BTM_BLE_SEC_REQ_ACT_NONE) {
694 return BTM_SEC_OK;
695 }
696
697 bool is_link_encrypted = BTM_IsEncrypted(bdaddr, BT_TRANSPORT_LE);
698 bool is_key_mitm = BTM_IsLinkKeyAuthed(bdaddr, BT_TRANSPORT_LE);
699
700 if (auth_req & BTM_LE_AUTH_REQ_MITM) {
701 if (!is_key_mitm) {
702 return BTM_SEC_ENCRYPT_MITM;
703 } else {
704 if (is_link_encrypted) {
705 return BTM_SEC_OK;
706 } else {
707 return BTM_SEC_ENCRYPT;
708 }
709 }
710 } else {
711 if (is_link_encrypted) {
712 return BTM_SEC_OK;
713 } else {
714 return BTM_SEC_ENCRYPT_NO_MITM;
715 }
716 }
717
718 return BTM_SEC_OK;
719 }
720
721 /*******************************************************************************
722 *
723 * Function btm_ble_start_sec_check
724 *
725 * Description This function is to check and set the security required for
726 * LE link for LE COC.
727 *
728 * Parameter bdaddr: remote device address.
729 * psm : PSM of the LE COC service.
730 * is_originator: true if outgoing connection.
731 * p_callback : Pointer to the callback function.
732 * p_ref_data : Pointer to be returned along with the callback.
733 *
734 * Returns Returns - tBTM_STATUS
735 *
736 ******************************************************************************/
btm_ble_start_sec_check(const RawAddress & bd_addr,uint16_t psm,bool is_originator,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data)737 tBTM_STATUS btm_ble_start_sec_check(const RawAddress& bd_addr, uint16_t psm, bool is_originator,
738 tBTM_SEC_CALLBACK* p_callback, void* p_ref_data) {
739 /* Find the service record for the PSM */
740 tBTM_SEC_SERV_REC* p_serv_rec = btm_sec_cb.find_first_serv_rec(is_originator, psm);
741
742 /* If there is no application registered with this PSM do not allow connection
743 */
744 if (!p_serv_rec) {
745 log::warn("PSM: {} no application registered", psm);
746 (*p_callback)(bd_addr, BT_TRANSPORT_LE, p_ref_data, tBTM_STATUS::BTM_MODE_UNSUPPORTED);
747 return tBTM_STATUS::BTM_ILLEGAL_VALUE;
748 }
749
750 bool is_encrypted = BTM_IsEncrypted(bd_addr, BT_TRANSPORT_LE);
751 bool is_link_key_authed = BTM_IsLinkKeyAuthed(bd_addr, BT_TRANSPORT_LE);
752 bool is_authenticated = BTM_IsAuthenticated(bd_addr, BT_TRANSPORT_LE);
753
754 if (!is_originator) {
755 if ((p_serv_rec->security_flags & BTM_SEC_IN_ENCRYPT) && !is_encrypted) {
756 log::error("BTM_NOT_ENCRYPTED. service security_flags=0x{:x}", p_serv_rec->security_flags);
757 return tBTM_STATUS::BTM_NOT_ENCRYPTED;
758 } else if ((p_serv_rec->security_flags & BTM_SEC_IN_AUTHENTICATE) &&
759 !(is_link_key_authed || is_authenticated)) {
760 log::error("tBTM_STATUS::BTM_NOT_AUTHENTICATED. service security_flags=0x{:x}",
761 p_serv_rec->security_flags);
762 return tBTM_STATUS::BTM_NOT_AUTHENTICATED;
763 }
764 /* TODO: When security is required, then must check that the key size of our
765 service is equal or smaller than the incoming connection key size. */
766 }
767
768 tBTM_SEC_ACTION sec_act =
769 btm_ble_determine_security_act(is_originator, bd_addr, p_serv_rec->security_flags);
770
771 tBTM_BLE_SEC_ACT ble_sec_act = BTM_BLE_SEC_NONE;
772
773 switch (sec_act) {
774 case BTM_SEC_OK:
775 log::debug("Security met");
776 p_callback(bd_addr, BT_TRANSPORT_LE, p_ref_data, tBTM_STATUS::BTM_SUCCESS);
777 break;
778
779 case BTM_SEC_ENCRYPT:
780 log::debug("Encryption needs to be done");
781 ble_sec_act = BTM_BLE_SEC_ENCRYPT;
782 break;
783
784 case BTM_SEC_ENCRYPT_MITM:
785 log::debug("Pairing with MITM needs to be done");
786 ble_sec_act = BTM_BLE_SEC_ENCRYPT_MITM;
787 break;
788
789 case BTM_SEC_ENCRYPT_NO_MITM:
790 log::debug("Pairing with No MITM needs to be done");
791 ble_sec_act = BTM_BLE_SEC_ENCRYPT_NO_MITM;
792 break;
793
794 case BTM_SEC_ENC_PENDING:
795 log::debug("Encryption pending");
796 break;
797 }
798
799 if (ble_sec_act == BTM_BLE_SEC_NONE && sec_act != BTM_SEC_ENC_PENDING) {
800 return tBTM_STATUS::BTM_SUCCESS;
801 }
802
803 l2cble_update_sec_act(bd_addr, sec_act);
804
805 BTM_SetEncryption(bd_addr, BT_TRANSPORT_LE, p_callback, p_ref_data, ble_sec_act);
806
807 return tBTM_STATUS::BTM_SUCCESS;
808 }
809
810 /*******************************************************************************
811 *
812 * Function increment_sign_counter
813 *
814 * Description This method is to increment the (local or peer) sign counter
815 * Returns None
816 *
817 ******************************************************************************/
increment_sign_counter(bool local)818 void tBTM_SEC_REC::increment_sign_counter(bool local) {
819 if (local) {
820 ble_keys.local_counter++;
821 } else {
822 ble_keys.counter++;
823 }
824
825 log::verbose("local={} local sign counter={} peer sign counter={}", local, ble_keys.local_counter,
826 ble_keys.counter);
827 }
828
829 /*******************************************************************************
830 *
831 * Function btm_ble_get_enc_key_type
832 *
833 * Description This function is to get the BLE key type that has been
834 * exchanged between the local device and the peer device.
835 *
836 * Returns p_key_type: output parameter to carry the key type value.
837 *
838 ******************************************************************************/
btm_ble_get_enc_key_type(const RawAddress & bd_addr,uint8_t * p_key_types)839 bool btm_ble_get_enc_key_type(const RawAddress& bd_addr, uint8_t* p_key_types) {
840 tBTM_SEC_DEV_REC* p_dev_rec;
841
842 log::verbose("bd_addr:{}", bd_addr);
843
844 p_dev_rec = btm_find_dev(bd_addr);
845 if (p_dev_rec != NULL) {
846 *p_key_types = p_dev_rec->sec_rec.ble_keys.key_type;
847 return true;
848 }
849 return false;
850 }
851
852 /*******************************************************************************
853 *
854 * Function btm_get_local_div
855 *
856 * Description This function is called to read the local DIV
857 *
858 * Returns TRUE - if a valid DIV is available
859 ******************************************************************************/
btm_get_local_div(const RawAddress & bd_addr,uint16_t * p_div)860 bool btm_get_local_div(const RawAddress& bd_addr, uint16_t* p_div) {
861 tBTM_SEC_DEV_REC* p_dev_rec;
862 bool status = false;
863
864 *p_div = 0;
865 p_dev_rec = btm_find_dev(bd_addr);
866
867 if (p_dev_rec && p_dev_rec->sec_rec.ble_keys.div) {
868 status = true;
869 *p_div = p_dev_rec->sec_rec.ble_keys.div;
870 }
871 log::verbose("status={} (1-OK) DIV=0x{:x}", status, *p_div);
872 return status;
873 }
874
875 /*******************************************************************************
876 *
877 * Function btm_sec_save_le_key
878 *
879 * Description This function is called by the SMP to update
880 * an BLE key. SMP is internal, whereas all the keys shall
881 * be sent to the application. The function is also called
882 * when application passes ble key stored in NVRAM to the
883 * btm_sec.
884 * pass_to_application parameter is false in this case.
885 *
886 * Returns void
887 *
888 ******************************************************************************/
btm_sec_save_le_key(const RawAddress & bd_addr,tBTM_LE_KEY_TYPE key_type,tBTM_LE_KEY_VALUE * p_keys,bool pass_to_application)889 void btm_sec_save_le_key(const RawAddress& bd_addr, tBTM_LE_KEY_TYPE key_type,
890 tBTM_LE_KEY_VALUE* p_keys, bool pass_to_application) {
891 tBTM_SEC_DEV_REC* p_rec;
892
893 log::verbose("key_type=0x{:x} pass_to_application={}", key_type, pass_to_application);
894 /* Store the updated key in the device database */
895
896 if ((p_rec = btm_find_dev(bd_addr)) != NULL && (p_keys || key_type == BTM_LE_KEY_LID)) {
897 btm_ble_init_pseudo_addr(p_rec, bd_addr);
898
899 switch (key_type) {
900 case BTM_LE_KEY_PENC:
901 p_rec->sec_rec.ble_keys.pltk = p_keys->penc_key.ltk;
902 memcpy(p_rec->sec_rec.ble_keys.rand, p_keys->penc_key.rand, BT_OCTET8_LEN);
903 p_rec->sec_rec.ble_keys.sec_level = p_keys->penc_key.sec_level;
904 p_rec->sec_rec.ble_keys.ediv = p_keys->penc_key.ediv;
905 p_rec->sec_rec.ble_keys.key_size = p_keys->penc_key.key_size;
906 p_rec->sec_rec.ble_keys.key_type |= BTM_LE_KEY_PENC;
907 p_rec->sec_rec.sec_flags |= BTM_SEC_LE_LINK_KEY_KNOWN;
908 if (p_keys->penc_key.sec_level == SMP_SEC_AUTHENTICATED) {
909 p_rec->sec_rec.sec_flags |= BTM_SEC_LE_LINK_KEY_AUTHED;
910 } else {
911 p_rec->sec_rec.sec_flags &= ~BTM_SEC_LE_LINK_KEY_AUTHED;
912 }
913 log::verbose("BTM_LE_KEY_PENC key_type=0x{:x} sec_flags=0x{:x} sec_leve=0x{:x}",
914 p_rec->sec_rec.ble_keys.key_type, p_rec->sec_rec.sec_flags,
915 p_rec->sec_rec.ble_keys.sec_level);
916 break;
917
918 case BTM_LE_KEY_PID:
919 p_rec->sec_rec.ble_keys.irk = p_keys->pid_key.irk;
920 p_rec->ble.identity_address_with_type.bda = p_keys->pid_key.identity_addr;
921 p_rec->ble.identity_address_with_type.type = p_keys->pid_key.identity_addr_type;
922 p_rec->sec_rec.ble_keys.key_type |= BTM_LE_KEY_PID;
923 log::verbose(
924 "BTM_LE_KEY_PID key_type=0x{:x} save peer IRK, change bd_addr={} "
925 "to id_addr={} id_addr_type=0x{:x}",
926 p_rec->sec_rec.ble_keys.key_type, p_rec->bd_addr, p_keys->pid_key.identity_addr,
927 p_keys->pid_key.identity_addr_type);
928 /* update device record address as identity address */
929 p_rec->bd_addr = p_keys->pid_key.identity_addr;
930 /* combine DUMO device security record if needed */
931 btm_consolidate_dev(p_rec);
932 break;
933
934 case BTM_LE_KEY_PCSRK:
935 p_rec->sec_rec.ble_keys.pcsrk = p_keys->pcsrk_key.csrk;
936 p_rec->sec_rec.ble_keys.srk_sec_level = p_keys->pcsrk_key.sec_level;
937 p_rec->sec_rec.ble_keys.counter = p_keys->pcsrk_key.counter;
938 p_rec->sec_rec.ble_keys.key_type |= BTM_LE_KEY_PCSRK;
939 p_rec->sec_rec.sec_flags |= BTM_SEC_LE_LINK_KEY_KNOWN;
940 if (!com::android::bluetooth::flags::donot_update_sec_flags_on_csrk_save()) {
941 if (p_keys->pcsrk_key.sec_level == SMP_SEC_AUTHENTICATED) {
942 p_rec->sec_rec.sec_flags |= BTM_SEC_LE_LINK_KEY_AUTHED;
943 } else {
944 p_rec->sec_rec.sec_flags &= ~BTM_SEC_LE_LINK_KEY_AUTHED;
945 }
946 }
947
948 log::verbose(
949 "BTM_LE_KEY_PCSRK key_type=0x{:x} sec_flags=0x{:x} "
950 "sec_level=0x{:x} peer_counter={}",
951 p_rec->sec_rec.ble_keys.key_type, p_rec->sec_rec.sec_flags,
952 p_rec->sec_rec.ble_keys.srk_sec_level, p_rec->sec_rec.ble_keys.counter);
953 break;
954
955 case BTM_LE_KEY_LENC:
956 p_rec->sec_rec.ble_keys.lltk = p_keys->lenc_key.ltk;
957 p_rec->sec_rec.ble_keys.div = p_keys->lenc_key.div; /* update DIV */
958 p_rec->sec_rec.ble_keys.sec_level = p_keys->lenc_key.sec_level;
959 p_rec->sec_rec.ble_keys.key_size = p_keys->lenc_key.key_size;
960 p_rec->sec_rec.ble_keys.key_type |= BTM_LE_KEY_LENC;
961
962 log::verbose(
963 "BTM_LE_KEY_LENC key_type=0x{:x} DIV=0x{:x} key_size=0x{:x} "
964 "sec_level=0x{:x}",
965 p_rec->sec_rec.ble_keys.key_type, p_rec->sec_rec.ble_keys.div,
966 p_rec->sec_rec.ble_keys.key_size, p_rec->sec_rec.ble_keys.sec_level);
967 break;
968
969 case BTM_LE_KEY_LCSRK: /* local CSRK has been delivered */
970 p_rec->sec_rec.ble_keys.lcsrk = p_keys->lcsrk_key.csrk;
971 p_rec->sec_rec.ble_keys.div = p_keys->lcsrk_key.div; /* update DIV */
972 p_rec->sec_rec.ble_keys.local_csrk_sec_level = p_keys->lcsrk_key.sec_level;
973 p_rec->sec_rec.ble_keys.local_counter = p_keys->lcsrk_key.counter;
974 p_rec->sec_rec.ble_keys.key_type |= BTM_LE_KEY_LCSRK;
975 log::verbose(
976 "BTM_LE_KEY_LCSRK key_type=0x{:x} DIV=0x{:x} scrk_sec_level=0x{:x} "
977 "local_counter={}",
978 p_rec->sec_rec.ble_keys.key_type, p_rec->sec_rec.ble_keys.div,
979 p_rec->sec_rec.ble_keys.local_csrk_sec_level,
980 p_rec->sec_rec.ble_keys.local_counter);
981 break;
982
983 case BTM_LE_KEY_LID:
984 p_rec->sec_rec.ble_keys.key_type |= BTM_LE_KEY_LID;
985 break;
986 default:
987 log::warn("btm_sec_save_le_key (Bad key_type 0x{:02x})", key_type);
988 return;
989 }
990
991 log::verbose("BLE key type 0x{:x}, updated for BDA:{}", key_type, bd_addr);
992
993 /* Notify the application that one of the BLE keys has been updated
994 If link key is in progress, it will get sent later.*/
995 if (pass_to_application) {
996 tBTM_LE_EVT_DATA cb_data = {};
997 cb_data.key.p_key_value = p_keys;
998 cb_data.key.key_type = key_type;
999
1000 BTM_BLE_SEC_CALLBACK(BTM_LE_KEY_EVT, bd_addr, &cb_data);
1001 }
1002 return;
1003 }
1004
1005 log::warn("BLE key type 0x{:x}, called for Unknown BDA or type:{}", key_type, bd_addr);
1006
1007 if (p_rec) {
1008 log::verbose("sec_flags=0x{:x}", p_rec->sec_rec.sec_flags);
1009 }
1010 }
1011
1012 /*******************************************************************************
1013 *
1014 * Function btm_ble_update_sec_key_size
1015 *
1016 * Description update the current link encryption key size
1017 *
1018 * Returns void
1019 *
1020 ******************************************************************************/
btm_ble_update_sec_key_size(const RawAddress & bd_addr,uint8_t enc_key_size)1021 void btm_ble_update_sec_key_size(const RawAddress& bd_addr, uint8_t enc_key_size) {
1022 tBTM_SEC_DEV_REC* p_rec;
1023
1024 log::verbose("bd_addr:{}, enc_key_size={}", bd_addr, enc_key_size);
1025
1026 p_rec = btm_find_dev(bd_addr);
1027 if (p_rec != NULL) {
1028 p_rec->sec_rec.enc_key_size = enc_key_size;
1029 }
1030 }
1031
1032 /*******************************************************************************
1033 *
1034 * Function btm_ble_read_sec_key_size
1035 *
1036 * Description update the current link encryption key size
1037 *
1038 * Returns void
1039 *
1040 ******************************************************************************/
btm_ble_read_sec_key_size(const RawAddress & bd_addr)1041 uint8_t btm_ble_read_sec_key_size(const RawAddress& bd_addr) {
1042 tBTM_SEC_DEV_REC* p_rec;
1043
1044 p_rec = btm_find_dev(bd_addr);
1045 if (p_rec != NULL) {
1046 return p_rec->sec_rec.enc_key_size;
1047 } else {
1048 return 0;
1049 }
1050 }
1051
1052 /*******************************************************************************
1053 *
1054 * Function btm_ble_link_sec_check
1055 *
1056 * Description Check BLE link security level match.
1057 *
1058 * Returns true: check is OK and the *p_sec_req_act contain the action
1059 *
1060 ******************************************************************************/
btm_ble_link_sec_check(const RawAddress & bd_addr,tBTM_LE_AUTH_REQ auth_req,tBTM_BLE_SEC_REQ_ACT * p_sec_req_act)1061 void btm_ble_link_sec_check(const RawAddress& bd_addr, tBTM_LE_AUTH_REQ auth_req,
1062 tBTM_BLE_SEC_REQ_ACT* p_sec_req_act) {
1063 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
1064 uint8_t req_sec_level = SMP_SEC_NONE, cur_sec_level = SMP_SEC_NONE;
1065
1066 log::verbose("bd_addr:{}, auth_req=0x{:x}", bd_addr, auth_req);
1067
1068 if (p_dev_rec == NULL) {
1069 log::error("received for unknown device");
1070 return;
1071 }
1072
1073 if (p_dev_rec->sec_rec.is_security_state_encrypting() ||
1074 p_dev_rec->sec_rec.le_link == tSECURITY_STATE::AUTHENTICATING) {
1075 /* race condition: discard the security request while central is encrypting
1076 * the link */
1077 *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_DISCARD;
1078 } else {
1079 req_sec_level = SMP_SEC_UNAUTHENTICATE;
1080 if (auth_req & BTM_LE_AUTH_REQ_MITM) {
1081 req_sec_level = SMP_SEC_AUTHENTICATED;
1082 }
1083
1084 log::verbose("dev_rec sec_flags=0x{:x}", p_dev_rec->sec_rec.sec_flags);
1085
1086 /* currently encrypted */
1087 if (p_dev_rec->sec_rec.sec_flags & BTM_SEC_LE_ENCRYPTED) {
1088 if (p_dev_rec->sec_rec.sec_flags & BTM_SEC_LE_AUTHENTICATED) {
1089 cur_sec_level = SMP_SEC_AUTHENTICATED;
1090 } else {
1091 cur_sec_level = SMP_SEC_UNAUTHENTICATE;
1092 }
1093 } else /* unencrypted link */
1094 {
1095 /* if bonded, get the key security level */
1096 if (p_dev_rec->sec_rec.ble_keys.key_type & BTM_LE_KEY_PENC) {
1097 cur_sec_level = p_dev_rec->sec_rec.ble_keys.sec_level;
1098 } else {
1099 cur_sec_level = SMP_SEC_NONE;
1100 }
1101 }
1102
1103 if (cur_sec_level >= req_sec_level) {
1104 /* To avoid re-encryption on an encrypted link for an equal condition
1105 * encryption */
1106 *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_ENCRYPT;
1107 } else {
1108 /* start the pairing process to upgrade the keys*/
1109 *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_PAIR;
1110 }
1111 }
1112
1113 log::verbose("cur_sec_level={} req_sec_level={} sec_req_act={}", cur_sec_level, req_sec_level,
1114 *p_sec_req_act);
1115 }
1116
1117 /*******************************************************************************
1118 *
1119 * Function btm_ble_set_encryption
1120 *
1121 * Description This function is called to ensure that LE connection is
1122 * encrypted. Should be called only on an open connection.
1123 * Typically only needed for connections that first want to
1124 * bring up unencrypted links, then later encrypt them.
1125 *
1126 * Returns void
1127 * the local device ER is copied into er
1128 *
1129 ******************************************************************************/
btm_ble_set_encryption(const RawAddress & bd_addr,tBTM_BLE_SEC_ACT sec_act,uint8_t link_role)1130 tBTM_STATUS btm_ble_set_encryption(const RawAddress& bd_addr, tBTM_BLE_SEC_ACT sec_act,
1131 uint8_t link_role) {
1132 tBTM_STATUS cmd = tBTM_STATUS::BTM_NO_RESOURCES;
1133 tBTM_SEC_DEV_REC* p_rec = btm_find_dev(bd_addr);
1134 tBTM_BLE_SEC_REQ_ACT sec_req_act;
1135 tBTM_LE_AUTH_REQ auth_req;
1136
1137 if (p_rec == NULL) {
1138 log::warn("NULL device record!! sec_act=0x{:x}", sec_act);
1139 return tBTM_STATUS::BTM_WRONG_MODE;
1140 }
1141
1142 log::verbose("sec_act=0x{:x} role_central={}", sec_act, p_rec->role_central);
1143
1144 if (sec_act == BTM_BLE_SEC_ENCRYPT_MITM) {
1145 p_rec->sec_rec.security_required |= BTM_SEC_IN_MITM;
1146 }
1147
1148 switch (sec_act) {
1149 case BTM_BLE_SEC_ENCRYPT:
1150 if (link_role == HCI_ROLE_CENTRAL) {
1151 /* start link layer encryption using the security info stored */
1152 cmd = btm_ble_start_encrypt(bd_addr, false, NULL);
1153 break;
1154 }
1155 /* if salve role then fall through to call SMP_Pair below which will send
1156 a sec_request to request the central to encrypt the link */
1157 FALLTHROUGH_INTENDED; /* FALLTHROUGH */
1158 case BTM_BLE_SEC_ENCRYPT_NO_MITM:
1159 case BTM_BLE_SEC_ENCRYPT_MITM:
1160 auth_req = (sec_act == BTM_BLE_SEC_ENCRYPT_NO_MITM) ? SMP_AUTH_BOND
1161 : (SMP_AUTH_BOND | SMP_AUTH_YN_BIT);
1162 btm_ble_link_sec_check(bd_addr, auth_req, &sec_req_act);
1163 if (sec_req_act == BTM_BLE_SEC_REQ_ACT_NONE || sec_req_act == BTM_BLE_SEC_REQ_ACT_DISCARD) {
1164 log::verbose("no action needed. Ignore");
1165 cmd = tBTM_STATUS::BTM_SUCCESS;
1166 break;
1167 }
1168 if (link_role == HCI_ROLE_CENTRAL) {
1169 if (sec_req_act == BTM_BLE_SEC_REQ_ACT_ENCRYPT) {
1170 cmd = btm_ble_start_encrypt(bd_addr, false, NULL);
1171 break;
1172 }
1173 }
1174
1175 if (SMP_Pair(bd_addr) == SMP_STARTED) {
1176 cmd = tBTM_STATUS::BTM_CMD_STARTED;
1177 p_rec->sec_rec.le_link = tSECURITY_STATE::AUTHENTICATING;
1178 }
1179 break;
1180
1181 default:
1182 cmd = tBTM_STATUS::BTM_WRONG_MODE;
1183 break;
1184 }
1185 return cmd;
1186 }
1187
1188 /*******************************************************************************
1189 *
1190 * Function btm_ble_ltk_request
1191 *
1192 * Description This function is called when encryption request is received
1193 * on a peripheral device.
1194 *
1195 *
1196 * Returns void
1197 *
1198 ******************************************************************************/
btm_ble_ltk_request(uint16_t handle,BT_OCTET8 rand,uint16_t ediv)1199 void btm_ble_ltk_request(uint16_t handle, BT_OCTET8 rand, uint16_t ediv) {
1200 tBTM_SEC_CB* p_cb = &btm_sec_cb;
1201 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(handle);
1202
1203 log::verbose("handle:0x{:x}", handle);
1204
1205 p_cb->ediv = ediv;
1206
1207 memcpy(p_cb->enc_rand, rand, BT_OCTET8_LEN);
1208
1209 if (p_dev_rec != NULL) {
1210 if (!smp_proc_ltk_request(p_dev_rec->bd_addr)) {
1211 btm_ble_ltk_request_reply(p_dev_rec->bd_addr, false, Octet16{0});
1212 }
1213 }
1214 }
1215
1216 /** This function is called to start LE encryption.
1217 * Returns tBTM_STATUS::BTM_SUCCESS if encryption was started successfully
1218 */
btm_ble_start_encrypt(const RawAddress & bda,bool use_stk,Octet16 * p_stk)1219 tBTM_STATUS btm_ble_start_encrypt(const RawAddress& bda, bool use_stk, Octet16* p_stk) {
1220 tBTM_SEC_CB* p_cb = &btm_sec_cb;
1221 tBTM_SEC_DEV_REC* p_rec = btm_find_dev(bda);
1222 BT_OCTET8 dummy_rand = {0};
1223
1224 log::verbose("bd_addr:{}, use_stk:{}", bda, use_stk);
1225
1226 if (!p_rec) {
1227 log::error("Link is not active, can not encrypt!");
1228 return tBTM_STATUS::BTM_WRONG_MODE;
1229 }
1230
1231 if (p_rec->sec_rec.is_security_state_le_encrypting()) {
1232 log::warn("LE link encryption is active, Busy!");
1233 return tBTM_STATUS::BTM_BUSY;
1234 }
1235
1236 // Some controllers may not like encrypting both transports at the same time
1237 bool allow_le_enc_with_bredr =
1238 android::sysprop::bluetooth::Ble::allow_enc_with_bredr().value_or(false);
1239 if (!allow_le_enc_with_bredr && p_rec->sec_rec.is_security_state_bredr_encrypting()) {
1240 log::warn("BR/EDR link encryption is active, Busy!");
1241 return tBTM_STATUS::BTM_BUSY;
1242 }
1243
1244 p_cb->enc_handle = p_rec->ble_hci_handle;
1245
1246 if (use_stk) {
1247 btsnd_hcic_ble_start_enc(p_rec->ble_hci_handle, dummy_rand, 0, *p_stk);
1248 } else if (p_rec->sec_rec.ble_keys.key_type & BTM_LE_KEY_PENC) {
1249 btsnd_hcic_ble_start_enc(p_rec->ble_hci_handle, p_rec->sec_rec.ble_keys.rand,
1250 p_rec->sec_rec.ble_keys.ediv, p_rec->sec_rec.ble_keys.pltk);
1251 } else {
1252 log::error("No key available to encrypt the link");
1253 return tBTM_STATUS::BTM_ERR_KEY_MISSING;
1254 }
1255
1256 if (p_rec->sec_rec.le_link == tSECURITY_STATE::IDLE) {
1257 p_rec->sec_rec.le_link = tSECURITY_STATE::ENCRYPTING;
1258 }
1259
1260 return tBTM_STATUS::BTM_CMD_STARTED;
1261 }
1262
1263 /*******************************************************************************
1264 *
1265 * Function btm_ble_notify_enc_cmpl
1266 *
1267 * Description This function is called to connect EATT and notify GATT to
1268 * send data if any request is pending. This either happens on
1269 * encryption complete event, or if bond is pending, after SMP
1270 * notifies that bonding is complete.
1271 *
1272 * Returns void
1273 *
1274 ******************************************************************************/
btm_ble_notify_enc_cmpl(const RawAddress & bd_addr,bool encr_enable)1275 static void btm_ble_notify_enc_cmpl(const RawAddress& bd_addr, bool encr_enable) {
1276 if (encr_enable) {
1277 uint8_t remote_lmp_version = 0;
1278 if (!get_btm_client_interface().peer.BTM_ReadRemoteVersion(bd_addr, &remote_lmp_version,
1279 nullptr, nullptr) ||
1280 remote_lmp_version == 0) {
1281 log::warn("BLE Unable to determine remote version");
1282 }
1283
1284 if (remote_lmp_version == 0 || remote_lmp_version >= HCI_PROTO_VERSION_5_0) {
1285 /* Link is encrypted, start EATT if remote LMP version is unknown, or 5.2
1286 * or greater */
1287 bluetooth::eatt::EattExtension::GetInstance()->Connect(bd_addr);
1288 }
1289 }
1290
1291 /* to notify GATT to send data if any request is pending */
1292 gatt_notify_enc_cmpl(bd_addr);
1293 }
1294
1295 /*******************************************************************************
1296 *
1297 * Function btm_ble_link_encrypted
1298 *
1299 * Description This function is called when LE link encryption status is
1300 * changed.
1301 *
1302 * Returns void
1303 *
1304 ******************************************************************************/
btm_ble_link_encrypted(const RawAddress & bd_addr,uint8_t encr_enable)1305 void btm_ble_link_encrypted(const RawAddress& bd_addr, uint8_t encr_enable) {
1306 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
1307 bool enc_cback;
1308
1309 log::verbose("bd_addr:{}, encr_enable={}", bd_addr, encr_enable);
1310
1311 if (!p_dev_rec) {
1312 log::warn("No Device Found!");
1313 return;
1314 }
1315
1316 enc_cback = p_dev_rec->sec_rec.is_security_state_le_encrypting();
1317
1318 smp_link_encrypted(bd_addr, encr_enable);
1319
1320 log::verbose("p_dev_rec->sec_rec.sec_flags=0x{:x}", p_dev_rec->sec_rec.sec_flags);
1321
1322 if (encr_enable && p_dev_rec->sec_rec.enc_key_size == 0) {
1323 p_dev_rec->sec_rec.enc_key_size = p_dev_rec->sec_rec.ble_keys.key_size;
1324 }
1325
1326 p_dev_rec->sec_rec.le_link = tSECURITY_STATE::IDLE;
1327 if (p_dev_rec->sec_rec.p_callback && enc_cback) {
1328 if (encr_enable) {
1329 btm_sec_dev_rec_cback_event(p_dev_rec, tBTM_STATUS::BTM_SUCCESS, true);
1330 } else if (p_dev_rec->role_central && (p_dev_rec->sec_rec.sec_status == HCI_ERR_KEY_MISSING)) {
1331 /* LTK missing on peripheral */
1332 btm_sec_dev_rec_cback_event(p_dev_rec, tBTM_STATUS::BTM_ERR_KEY_MISSING, true);
1333 } else if (!(p_dev_rec->sec_rec.sec_flags & BTM_SEC_LE_LINK_KEY_KNOWN)) {
1334 btm_sec_dev_rec_cback_event(p_dev_rec, tBTM_STATUS::BTM_FAILED_ON_SECURITY, true);
1335 } else if (p_dev_rec->role_central) {
1336 btm_sec_dev_rec_cback_event(p_dev_rec, tBTM_STATUS::BTM_ERR_PROCESSING, true);
1337 }
1338 }
1339
1340 BD_NAME remote_name = {};
1341 /* to notify GATT to send data if any request is pending,
1342 or if IOP matched, delay notifying until SMP_CMPLT_EVT */
1343 if (BTM_GetRemoteDeviceName(p_dev_rec->ble.pseudo_addr, remote_name) &&
1344 interop_match_name(INTEROP_SUSPEND_ATT_TRAFFIC_DURING_PAIRING, (const char*)remote_name) &&
1345 (btm_sec_cb.pairing_flags & BTM_PAIR_FLAGS_LE_ACTIVE) &&
1346 btm_sec_cb.pairing_bda == p_dev_rec->ble.pseudo_addr) {
1347 log::info(
1348 "INTEROP_DELAY_ATT_TRAFFIC_DURING_PAIRING: Waiting for bonding to "
1349 "complete to notify enc complete");
1350 } else {
1351 btm_ble_notify_enc_cmpl(p_dev_rec->ble.pseudo_addr, encr_enable);
1352 }
1353 }
1354
1355 /*******************************************************************************
1356 *
1357 * Function btm_ble_ltk_request_reply
1358 *
1359 * Description This function is called to send a LTK request reply on a
1360 * peripheral
1361 * device.
1362 *
1363 * Returns void
1364 *
1365 ******************************************************************************/
btm_ble_ltk_request_reply(const RawAddress & bda,bool use_stk,const Octet16 & stk)1366 void btm_ble_ltk_request_reply(const RawAddress& bda, bool use_stk, const Octet16& stk) {
1367 tBTM_SEC_DEV_REC* p_rec = btm_find_dev(bda);
1368 tBTM_SEC_CB* p_cb = &btm_sec_cb;
1369
1370 log::debug("bd_addr:{},use_stk:{}", bda, use_stk);
1371
1372 if (p_rec == NULL) {
1373 log::error("unknown device");
1374 return;
1375 }
1376
1377 p_cb->enc_handle = p_rec->ble_hci_handle;
1378 p_cb->key_size = p_rec->sec_rec.ble_keys.key_size;
1379
1380 log::error("key size={}", p_rec->sec_rec.ble_keys.key_size);
1381 if (use_stk) {
1382 btsnd_hcic_ble_ltk_req_reply(btm_sec_cb.enc_handle, stk);
1383 return;
1384 }
1385 /* calculate LTK using peer device */
1386 if (p_rec->sec_rec.ble_keys.key_type & BTM_LE_KEY_LENC) {
1387 btsnd_hcic_ble_ltk_req_reply(btm_sec_cb.enc_handle, p_rec->sec_rec.ble_keys.lltk);
1388 return;
1389 }
1390
1391 p_rec = btm_find_dev_with_lenc(bda);
1392 if (!p_rec) {
1393 btsnd_hcic_ble_ltk_req_neg_reply(btm_sec_cb.enc_handle);
1394 return;
1395 }
1396
1397 log::info("Found second sec_dev_rec for device that have LTK");
1398 /* This can happen when remote established LE connection using RPA to this
1399 * device, but then pair with us using Classing transport while still keeping
1400 * LE connection. If remote attempts to encrypt the LE connection, we might
1401 * end up here. We will eventually consolidate both entries, this is to avoid
1402 * race conditions. */
1403
1404 log::assert_that(p_rec->sec_rec.ble_keys.key_type & BTM_LE_KEY_LENC,
1405 "local encryption key not present");
1406 p_cb->key_size = p_rec->sec_rec.ble_keys.key_size;
1407 btsnd_hcic_ble_ltk_req_reply(btm_sec_cb.enc_handle, p_rec->sec_rec.ble_keys.lltk);
1408 }
1409
1410 /*******************************************************************************
1411 *
1412 * Function btm_ble_io_capabilities_req
1413 *
1414 * Description This function is called to handle SMP get IO capability
1415 * request.
1416 *
1417 * Returns void
1418 *
1419 ******************************************************************************/
btm_ble_io_capabilities_req(tBTM_SEC_DEV_REC * p_dev_rec,tBTM_LE_IO_REQ * p_data)1420 static tBTM_STATUS btm_ble_io_capabilities_req(tBTM_SEC_DEV_REC* p_dev_rec,
1421 tBTM_LE_IO_REQ* p_data) {
1422 log::verbose("p_dev_rec->bd_addr:{}", p_dev_rec->bd_addr);
1423 if (btm_sec_cb.api.p_le_callback) {
1424 tBTM_STATUS status = (*btm_sec_cb.api.p_le_callback)(BTM_LE_IO_REQ_EVT, p_dev_rec->bd_addr,
1425 (tBTM_LE_EVT_DATA*)p_data);
1426 if (status != tBTM_STATUS::BTM_SUCCESS) {
1427 log::warn("Security callback failed {} for {}", btm_status_text(status), p_dev_rec->bd_addr);
1428 return status;
1429 }
1430 }
1431
1432 if (BTM_OOB_UNKNOWN == p_data->oob_data) {
1433 return tBTM_STATUS::BTM_SUCCESS;
1434 }
1435
1436 p_data->auth_req &= BTM_LE_AUTH_REQ_MASK;
1437 log::verbose("1:p_dev_rec->sec_rec.security_required={}, auth_req:{}",
1438 p_dev_rec->sec_rec.security_required, p_data->auth_req);
1439 log::verbose("2:i_keys=0x{:x} r_keys=0x{:x} (bit 0-LTK 1-IRK 2-CSRK)", p_data->init_keys,
1440 p_data->resp_keys);
1441
1442 /* if authentication requires MITM protection, put on the mask */
1443 if (p_dev_rec->sec_rec.security_required & BTM_SEC_IN_MITM) {
1444 p_data->auth_req |= BTM_LE_AUTH_REQ_MITM;
1445 }
1446
1447 if (!(p_data->auth_req & SMP_AUTH_BOND)) {
1448 log::verbose("Non bonding: No keys should be exchanged");
1449 p_data->init_keys = 0;
1450 p_data->resp_keys = 0;
1451 }
1452
1453 log::verbose("3:auth_req:{}", p_data->auth_req);
1454 log::verbose("4:i_keys=0x{:x} r_keys=0x{:x}", p_data->init_keys, p_data->resp_keys);
1455
1456 log::verbose("5:p_data->io_cap={} auth_req:{}", p_data->io_cap, p_data->auth_req);
1457
1458 /* remove MITM protection requirement if IO cap does not allow it */
1459 if ((p_data->io_cap == BTM_IO_CAP_NONE) && p_data->oob_data == SMP_OOB_NONE) {
1460 p_data->auth_req &= ~BTM_LE_AUTH_REQ_MITM;
1461 }
1462
1463 if (!(p_data->auth_req & SMP_SC_SUPPORT_BIT)) {
1464 /* if Secure Connections are not supported then remove LK derivation,
1465 ** and keypress notifications.
1466 */
1467 log::verbose("SC not supported -> No LK derivation, no keypress notifications");
1468 p_data->auth_req &= ~SMP_KP_SUPPORT_BIT;
1469 p_data->init_keys &= ~SMP_SEC_KEY_TYPE_LK;
1470 p_data->resp_keys &= ~SMP_SEC_KEY_TYPE_LK;
1471 }
1472
1473 log::verbose("6:IO_CAP:{} oob_data:{} auth_req:0x{:02x}", p_data->io_cap, p_data->oob_data,
1474 p_data->auth_req);
1475
1476 return tBTM_STATUS::BTM_SUCCESS;
1477 }
1478
1479 /*******************************************************************************
1480 *
1481 * Function btm_ble_br_keys_req
1482 *
1483 * Description This function is called to handle SMP request for keys sent
1484 * over BR/EDR.
1485 *
1486 * Returns void
1487 *
1488 ******************************************************************************/
btm_ble_br_keys_req(tBTM_SEC_DEV_REC * p_dev_rec,tBTM_LE_IO_REQ * p_data)1489 static tBTM_STATUS btm_ble_br_keys_req(tBTM_SEC_DEV_REC* p_dev_rec, tBTM_LE_IO_REQ* p_data) {
1490 tBTM_STATUS callback_rc = tBTM_STATUS::BTM_SUCCESS;
1491 log::verbose("p_dev_rec->bd_addr:{}", p_dev_rec->bd_addr);
1492 *p_data = tBTM_LE_IO_REQ{
1493 .io_cap = BTM_IO_CAP_UNKNOWN,
1494 .oob_data = false,
1495 .auth_req = BTM_LE_AUTH_REQ_SC_MITM_BOND,
1496 .max_key_size = BTM_BLE_MAX_KEY_SIZE,
1497 .init_keys = SMP_BR_SEC_DEFAULT_KEY,
1498 .resp_keys = SMP_BR_SEC_DEFAULT_KEY,
1499 };
1500
1501 if (osi_property_get_bool(kPropertyCtkdDisableCsrkDistribution, false)) {
1502 p_data->init_keys &= (~SMP_SEC_KEY_TYPE_CSRK);
1503 p_data->resp_keys &= (~SMP_SEC_KEY_TYPE_CSRK);
1504 }
1505
1506 return callback_rc;
1507 }
1508
1509 /*******************************************************************************
1510 *
1511 * Function btm_ble_connected
1512 *
1513 * Description This function is called on LE connection
1514 *
1515 * Returns void
1516 *
1517 ******************************************************************************/
btm_ble_connected(const RawAddress & bda,uint16_t handle,uint8_t,uint8_t role,tBLE_ADDR_TYPE addr_type,bool addr_matched,bool can_read_discoverable_characteristics)1518 void btm_ble_connected(const RawAddress& bda, uint16_t handle, uint8_t /* enc_mode */, uint8_t role,
1519 tBLE_ADDR_TYPE addr_type, bool addr_matched,
1520 bool can_read_discoverable_characteristics) {
1521 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_or_alloc_dev(bda);
1522
1523 log::info("Update timestamp for ble connection:{}", bda);
1524 // TODO () Why is timestamp a counter ?
1525 p_dev_rec->timestamp = btm_sec_cb.dev_rec_count++;
1526
1527 if (is_ble_addr_type_known(addr_type)) {
1528 p_dev_rec->ble.SetAddressType(addr_type);
1529 } else {
1530 log::warn("Please do not update device record from anonymous le advertisement");
1531 }
1532
1533 p_dev_rec->ble.pseudo_addr = bda;
1534 p_dev_rec->ble_hci_handle = handle;
1535 p_dev_rec->device_type |= BT_DEVICE_TYPE_BLE;
1536 p_dev_rec->role_central = (role == HCI_ROLE_CENTRAL) ? true : false;
1537 p_dev_rec->can_read_discoverable = can_read_discoverable_characteristics;
1538
1539 if (!addr_matched) {
1540 p_dev_rec->ble.active_addr_type = BTM_BLE_ADDR_PSEUDO;
1541 if (p_dev_rec->ble.AddressType() == BLE_ADDR_RANDOM) {
1542 p_dev_rec->ble.cur_rand_addr = bda;
1543 }
1544 }
1545 btm_cb.ble_ctr_cb.inq_var.directed_conn = BTM_BLE_ADV_IND_EVT;
1546 }
1547
1548 /*******************************************************************************
1549 *
1550 * Function btm_ble_connection_established
1551 *
1552 * Description This function when LE connection is established
1553 *
1554 * Returns void
1555 *
1556 ******************************************************************************/
btm_ble_connection_established(const RawAddress & bda)1557 void btm_ble_connection_established(const RawAddress& bda) {
1558 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bda);
1559 if (p_dev_rec == nullptr) {
1560 log::warn("No security record for {}", bda);
1561 return;
1562 }
1563
1564 // Encrypt the link if device is bonded
1565 if (com::android::bluetooth::flags::le_enc_on_reconnection() &&
1566 p_dev_rec->sec_rec.is_le_link_key_known()) {
1567 btm_ble_set_encryption(bda, BTM_BLE_SEC_ENCRYPT,
1568 p_dev_rec->role_central ? HCI_ROLE_CENTRAL : HCI_ROLE_PERIPHERAL);
1569 }
1570
1571 // Read device name if it is not known already, we may need it for pairing
1572 if (com::android::bluetooth::flags::name_discovery_for_le_pairing() &&
1573 !p_dev_rec->sec_rec.is_name_known()) {
1574 btm_ble_read_remote_name(bda, nullptr);
1575 }
1576
1577 if (com::android::bluetooth::flags::read_le_appearance() && p_dev_rec != nullptr &&
1578 !p_dev_rec->sec_rec.is_le_link_key_known()) {
1579 // Unknown device
1580 if (p_dev_rec->dev_class == kDevClassEmpty || p_dev_rec->dev_class == kDevClassUnclassified) {
1581 // Class of device not known, read appearance characteristic
1582 btm_ble_read_remote_cod(bda);
1583 }
1584 }
1585 }
1586
btm_ble_user_confirmation_req(const RawAddress & bd_addr,tBTM_SEC_DEV_REC * p_dev_rec,tBTM_LE_EVT event,tBTM_LE_EVT_DATA * p_data)1587 static void btm_ble_user_confirmation_req(const RawAddress& bd_addr, tBTM_SEC_DEV_REC* p_dev_rec,
1588 tBTM_LE_EVT event, tBTM_LE_EVT_DATA* p_data) {
1589 p_dev_rec->sec_rec.sec_flags |= BTM_SEC_LE_AUTHENTICATED;
1590 p_dev_rec->sec_rec.le_link = tSECURITY_STATE::AUTHENTICATING;
1591 btm_sec_cb.pairing_bda = bd_addr;
1592 btm_sec_cb.pairing_flags |= BTM_PAIR_FLAGS_LE_ACTIVE;
1593 BTM_BLE_SEC_CALLBACK(event, bd_addr, p_data);
1594 }
1595
btm_ble_sec_req(const RawAddress & bd_addr,tBTM_SEC_DEV_REC * p_dev_rec,tBTM_LE_EVT_DATA * p_data)1596 static void btm_ble_sec_req(const RawAddress& bd_addr, tBTM_SEC_DEV_REC* p_dev_rec,
1597 tBTM_LE_EVT_DATA* p_data) {
1598 if (btm_sec_cb.pairing_state != BTM_PAIR_STATE_IDLE) {
1599 log::warn("Ignoring SMP Security request");
1600 return;
1601 }
1602 btm_sec_cb.pairing_bda = bd_addr;
1603 p_dev_rec->sec_rec.le_link = tSECURITY_STATE::AUTHENTICATING;
1604 btm_sec_cb.pairing_flags |= BTM_PAIR_FLAGS_LE_ACTIVE;
1605 BTM_BLE_SEC_CALLBACK(BTM_LE_SEC_REQUEST_EVT, bd_addr, p_data);
1606 }
1607
btm_ble_consent_req(const RawAddress & bd_addr,tBTM_LE_EVT_DATA * p_data)1608 static void btm_ble_consent_req(const RawAddress& bd_addr, tBTM_LE_EVT_DATA* p_data) {
1609 btm_sec_cb.pairing_bda = bd_addr;
1610 btm_sec_cb.pairing_flags |= BTM_PAIR_FLAGS_LE_ACTIVE;
1611 BTM_BLE_SEC_CALLBACK(BTM_LE_CONSENT_REQ_EVT, bd_addr, p_data);
1612 }
1613
btm_ble_complete_evt(const RawAddress & bd_addr,tBTM_SEC_DEV_REC * p_dev_rec,tBTM_LE_EVT_DATA * p_data)1614 static void btm_ble_complete_evt(const RawAddress& bd_addr, tBTM_SEC_DEV_REC* p_dev_rec,
1615 tBTM_LE_EVT_DATA* p_data) {
1616 BTM_BLE_SEC_CALLBACK(BTM_LE_COMPLT_EVT, bd_addr, p_data);
1617
1618 log::verbose("before update sec_level=0x{:x} sec_flags=0x{:x}", p_data->complt.sec_level,
1619 p_dev_rec->sec_rec.sec_flags);
1620
1621 tBTM_STATUS res = (p_data->complt.reason == SMP_SUCCESS) ? tBTM_STATUS::BTM_SUCCESS
1622 : tBTM_STATUS::BTM_ERR_PROCESSING;
1623
1624 log::verbose("after update result={} sec_level=0x{:x} sec_flags=0x{:x}", res,
1625 p_data->complt.sec_level, p_dev_rec->sec_rec.sec_flags);
1626
1627 if (p_data->complt.is_pair_cancel && btm_sec_cb.api.p_bond_cancel_cmpl_callback) {
1628 log::verbose("Pairing Cancel completed");
1629 (*btm_sec_cb.api.p_bond_cancel_cmpl_callback)(tBTM_STATUS::BTM_SUCCESS);
1630 }
1631
1632 if (res != tBTM_STATUS::BTM_SUCCESS && p_data->complt.reason != SMP_CONN_TOUT) {
1633 log::verbose("Pairing failed - prepare to remove ACL");
1634 l2cu_start_post_bond_timer(p_dev_rec->ble_hci_handle);
1635 }
1636
1637 log::verbose(
1638 "btm_sec_cb.pairing_state={:x} pairing_flags={:x} "
1639 "pin_code_len={:x}",
1640 btm_sec_cb.pairing_state, btm_sec_cb.pairing_flags, btm_sec_cb.pin_code_len);
1641
1642 /* Reset btm state only if the callback address matches pairing address */
1643 if (bd_addr == btm_sec_cb.pairing_bda) {
1644 btm_sec_cb.pairing_bda = RawAddress::kAny;
1645 btm_sec_cb.pairing_state = BTM_PAIR_STATE_IDLE;
1646 btm_sec_cb.pairing_flags = 0;
1647 }
1648
1649 if (res == tBTM_STATUS::BTM_SUCCESS) {
1650 p_dev_rec->sec_rec.le_link = tSECURITY_STATE::IDLE;
1651
1652 if (p_dev_rec->sec_rec.bond_type != BOND_TYPE_TEMPORARY) {
1653 // Add all bonded device into resolving list if IRK is available.
1654 btm_ble_resolving_list_load_dev(*p_dev_rec);
1655 } else if (p_dev_rec->ble_hci_handle == HCI_INVALID_HANDLE) {
1656 // At this point LTK should have been dropped by btif.
1657 // Reset the flags here if LE is not connected (over BR),
1658 // otherwise they would be reset on disconnected.
1659 log::debug(
1660 "SMP over BR triggered by temporary bond has completed, "
1661 "resetting the LK flags");
1662 p_dev_rec->sec_rec.sec_flags &= ~(BTM_SEC_LE_LINK_KEY_KNOWN);
1663 p_dev_rec->sec_rec.ble_keys.key_type = BTM_LE_KEY_NONE;
1664 }
1665 }
1666 BD_NAME remote_name = {};
1667 if (BTM_GetRemoteDeviceName(p_dev_rec->ble.pseudo_addr, remote_name) &&
1668 interop_match_name(INTEROP_SUSPEND_ATT_TRAFFIC_DURING_PAIRING, (const char*)remote_name)) {
1669 log::debug("Notifying encryption cmpl delayed due to IOP match");
1670 btm_ble_notify_enc_cmpl(p_dev_rec->ble.pseudo_addr, true);
1671 }
1672
1673 btm_sec_dev_rec_cback_event(p_dev_rec, res, true);
1674 }
1675
btm_ble_sirk_verification_req(const RawAddress & bd_addr)1676 static tBTM_STATUS btm_ble_sirk_verification_req(const RawAddress& bd_addr) {
1677 tBTM_STATUS res = (*btm_sec_cb.api.p_sirk_verification_callback)(bd_addr);
1678 if (res == tBTM_STATUS::BTM_CMD_STARTED) {
1679 res = tBTM_STATUS::BTM_SUCCESS;
1680 } else {
1681 log::warn("SMP SIRK verification status:{}", btm_status_text(res));
1682 }
1683 return res;
1684 }
1685
1686 /*****************************************************************************
1687 * Function btm_proc_smp_cback
1688 *
1689 * Description This function is the SMP callback handler.
1690 *
1691 *****************************************************************************/
btm_proc_smp_cback(tSMP_EVT event,const RawAddress & bd_addr,tSMP_EVT_DATA * p_data)1692 tBTM_STATUS btm_proc_smp_cback(tSMP_EVT event, const RawAddress& bd_addr, tSMP_EVT_DATA* p_data) {
1693 log::verbose("bd_addr:{}, event={}", bd_addr, smp_evt_to_text(event));
1694
1695 if (event == SMP_SC_LOC_OOB_DATA_UP_EVT) {
1696 btm_sec_cr_loc_oob_data_cback_event(RawAddress{}, p_data->loc_oob_data);
1697 return tBTM_STATUS::BTM_SUCCESS;
1698 }
1699
1700 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
1701
1702 if (p_dev_rec == nullptr) {
1703 log::warn("Unexpected event '{}' for unknown device.", smp_evt_to_text(event));
1704 if (com::android::bluetooth::flags::clear_pairing_state_when_no_devrec() &&
1705 bd_addr == btm_sec_cb.pairing_bda &&
1706 event == SMP_COMPLT_EVT) {
1707 btm_sec_cb.pairing_bda = RawAddress::kAny;
1708 btm_sec_cb.pairing_state = BTM_PAIR_STATE_IDLE;
1709 btm_sec_cb.pairing_flags = 0;
1710 }
1711 return tBTM_STATUS::BTM_UNKNOWN_ADDR;
1712 }
1713
1714 tBTM_STATUS status = tBTM_STATUS::BTM_SUCCESS;
1715 switch (event) {
1716 case SMP_IO_CAP_REQ_EVT:
1717 btm_ble_io_capabilities_req(p_dev_rec, reinterpret_cast<tBTM_LE_IO_REQ*>(&p_data->io_req));
1718 break;
1719
1720 case SMP_BR_KEYS_REQ_EVT:
1721 btm_ble_br_keys_req(p_dev_rec, reinterpret_cast<tBTM_LE_IO_REQ*>(&p_data->io_req));
1722 break;
1723
1724 case SMP_PASSKEY_REQ_EVT:
1725 case SMP_PASSKEY_NOTIF_EVT:
1726 case SMP_OOB_REQ_EVT:
1727 case SMP_NC_REQ_EVT:
1728 case SMP_SC_OOB_REQ_EVT:
1729 btm_ble_user_confirmation_req(bd_addr, p_dev_rec, static_cast<tBTM_LE_EVT>(event),
1730 reinterpret_cast<tBTM_LE_EVT_DATA*>(p_data));
1731 break;
1732
1733 case SMP_SEC_REQUEST_EVT:
1734 btm_ble_sec_req(bd_addr, p_dev_rec, reinterpret_cast<tBTM_LE_EVT_DATA*>(p_data));
1735 break;
1736
1737 case SMP_CONSENT_REQ_EVT:
1738 btm_ble_consent_req(bd_addr, reinterpret_cast<tBTM_LE_EVT_DATA*>(p_data));
1739 break;
1740
1741 case SMP_COMPLT_EVT:
1742 btm_ble_complete_evt(bd_addr, p_dev_rec, reinterpret_cast<tBTM_LE_EVT_DATA*>(p_data));
1743 break;
1744
1745 case SMP_LE_ADDR_ASSOC_EVT:
1746 BTM_BLE_SEC_CALLBACK(static_cast<tBTM_LE_EVT>(event), bd_addr,
1747 reinterpret_cast<tBTM_LE_EVT_DATA*>(p_data));
1748 break;
1749
1750 case SMP_SIRK_VERIFICATION_REQ_EVT:
1751 status = btm_ble_sirk_verification_req(bd_addr);
1752 break;
1753
1754 default:
1755 log::verbose("unknown event={}", smp_evt_to_text(event));
1756 break;
1757 }
1758
1759 return status;
1760 }
1761
1762 /*******************************************************************************
1763 *
1764 * Function BTM_BleDataSignature
1765 *
1766 * Description This function is called to sign the data using AES128 CMAC
1767 * algorithm.
1768 *
1769 * Parameter bd_addr: target device the data to be signed for.
1770 * p_text: singing data
1771 * len: length of the data to be signed.
1772 * signature: output parameter where data signature is going to
1773 * be stored.
1774 *
1775 * Returns true if signing successful, otherwise false.
1776 *
1777 ******************************************************************************/
BTM_BleDataSignature(const RawAddress & bd_addr,uint8_t * p_text,uint16_t len,BLE_SIGNATURE signature)1778 bool BTM_BleDataSignature(const RawAddress& bd_addr, uint8_t* p_text, uint16_t len,
1779 BLE_SIGNATURE signature) {
1780 tBTM_SEC_DEV_REC* p_rec = btm_find_dev(bd_addr);
1781
1782 if (p_rec == NULL) {
1783 log::error("data signing can not be done from unknown device");
1784 return false;
1785 }
1786
1787 uint8_t* p_mac = (uint8_t*)signature;
1788 uint8_t* pp;
1789 uint8_t* p_buf = (uint8_t*)osi_malloc(len + 4);
1790
1791 pp = p_buf;
1792 /* prepare plain text */
1793 if (p_text) {
1794 memcpy(p_buf, p_text, len);
1795 pp = (p_buf + len);
1796 }
1797
1798 UINT32_TO_STREAM(pp, p_rec->sec_rec.ble_keys.local_counter);
1799 UINT32_TO_STREAM(p_mac, p_rec->sec_rec.ble_keys.local_counter);
1800
1801 crypto_toolbox::aes_cmac(p_rec->sec_rec.ble_keys.lcsrk, p_buf, (uint16_t)(len + 4),
1802 BTM_CMAC_TLEN_SIZE, p_mac);
1803 p_rec->sec_rec.increment_sign_counter(true);
1804
1805 log::verbose("p_mac = {}", std::format_ptr(p_mac));
1806 log::verbose("p_mac[0]=0x{:02x} p_mac[1]=0x{:02x} p_mac[2]=0x{:02x} p_mac[3]=0x{:02x}", *p_mac,
1807 *(p_mac + 1), *(p_mac + 2), *(p_mac + 3));
1808 log::verbose("p_mac[4]=0x{:02x} p_mac[5]=0x{:02x} p_mac[6]=0x{:02x} p_mac[7]=0x{:02x}",
1809 *(p_mac + 4), *(p_mac + 5), *(p_mac + 6), *(p_mac + 7));
1810 osi_free(p_buf);
1811 return true;
1812 }
1813
1814 /*******************************************************************************
1815 *
1816 * Function BTM_BleVerifySignature
1817 *
1818 * Description This function is called to verify the data signature
1819 *
1820 * Parameter bd_addr: target device the data to be signed for.
1821 * p_orig: original data before signature.
1822 * len: length of the signing data
1823 * counter: counter used when doing data signing
1824 * p_comp: signature to be compared against.
1825
1826 * Returns true if signature verified correctly; otherwise false.
1827 *
1828 ******************************************************************************/
BTM_BleVerifySignature(const RawAddress & bd_addr,uint8_t * p_orig,uint16_t len,uint32_t counter,uint8_t * p_comp)1829 bool BTM_BleVerifySignature(const RawAddress& bd_addr, uint8_t* p_orig, uint16_t len,
1830 uint32_t counter, uint8_t* p_comp) {
1831 bool verified = false;
1832 tBTM_SEC_DEV_REC* p_rec = btm_find_dev(bd_addr);
1833 uint8_t p_mac[BTM_CMAC_TLEN_SIZE];
1834
1835 if (p_rec == NULL || (p_rec && !(p_rec->sec_rec.ble_keys.key_type & BTM_LE_KEY_PCSRK))) {
1836 log::error("can not verify signature for unknown device");
1837 } else if (counter < p_rec->sec_rec.ble_keys.counter) {
1838 log::error("signature received with out dated sign counter");
1839 } else if (p_orig == NULL) {
1840 log::error("No signature to verify");
1841 } else {
1842 log::verbose("rcv_cnt={} >= expected_cnt={}", counter, p_rec->sec_rec.ble_keys.counter);
1843
1844 crypto_toolbox::aes_cmac(p_rec->sec_rec.ble_keys.pcsrk, p_orig, len, BTM_CMAC_TLEN_SIZE, p_mac);
1845 if (CRYPTO_memcmp(p_mac, p_comp, BTM_CMAC_TLEN_SIZE) == 0) {
1846 p_rec->sec_rec.increment_sign_counter(false);
1847 verified = true;
1848 }
1849 }
1850 return verified;
1851 }
1852
1853 /*******************************************************************************
1854 *
1855 * Function BTM_BleSirkConfirmDeviceReply
1856 *
1857 * Description This procedure confirms requested to validate set device.
1858 *
1859 * Parameter bd_addr - BD address of the peer
1860 * res - confirmation result tBTM_STATUS::BTM_SUCCESS if success
1861 *
1862 * Returns void
1863 *
1864 ******************************************************************************/
BTM_BleSirkConfirmDeviceReply(const RawAddress & bd_addr,tBTM_STATUS res)1865 void BTM_BleSirkConfirmDeviceReply(const RawAddress& bd_addr, tBTM_STATUS res) {
1866 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
1867 tSMP_STATUS res_smp = (res == tBTM_STATUS::BTM_SUCCESS) ? SMP_SUCCESS : SMP_FAIL;
1868
1869 log::info("bd_addr:{}, result:{}", bd_addr, smp_status_text(res_smp));
1870
1871 if (p_dev_rec == NULL) {
1872 log::error("Confirmation of Unknown device");
1873 return;
1874 }
1875
1876 BTM_LogHistory(kBtmLogTag, bd_addr, "SIRK confirmation",
1877 base::StringPrintf("status:%s", smp_status_text(res_smp).c_str()));
1878 SMP_SirkConfirmDeviceReply(bd_addr, res_smp);
1879 }
1880
1881 /*******************************************************************************
1882 * Utility functions for LE device IR/ER generation
1883 ******************************************************************************/
1884 /** This function is to notify application new keys have been generated. */
btm_notify_new_key(uint8_t key_type)1885 static void btm_notify_new_key(uint8_t key_type) {
1886 tBTM_BLE_LOCAL_KEYS* p_local_keys = NULL;
1887
1888 log::verbose("key_type={}", key_type);
1889
1890 if (btm_sec_cb.api.p_le_key_callback) {
1891 switch (key_type) {
1892 case BTM_BLE_KEY_TYPE_ID:
1893 log::verbose("BTM_BLE_KEY_TYPE_ID");
1894 p_local_keys = (tBTM_BLE_LOCAL_KEYS*)&btm_sec_cb.devcb.id_keys;
1895 break;
1896
1897 case BTM_BLE_KEY_TYPE_ER:
1898 log::verbose("BTM_BLE_KEY_TYPE_ER");
1899 p_local_keys = (tBTM_BLE_LOCAL_KEYS*)&btm_sec_cb.devcb.ble_encryption_key_value;
1900 break;
1901
1902 default:
1903 log::error("unknown key type: {}", key_type);
1904 break;
1905 }
1906 if (p_local_keys != NULL) {
1907 (*btm_sec_cb.api.p_le_key_callback)(key_type, p_local_keys);
1908 }
1909 }
1910 }
1911
1912 /** implementation of btm_ble_reset_id */
btm_ble_reset_id_impl(const Octet16 & rand1,const Octet16 & rand2)1913 static void btm_ble_reset_id_impl(const Octet16& rand1, const Octet16& rand2) {
1914 /* Regenerate Identity Root */
1915 btm_sec_cb.devcb.id_keys.ir = rand1;
1916 Octet16 btm_ble_dhk_pt{};
1917 btm_ble_dhk_pt[0] = 0x03;
1918
1919 /* generate DHK= Eir({0x03, 0x00, 0x00 ...}) */
1920 btm_sec_cb.devcb.id_keys.dhk =
1921 crypto_toolbox::aes_128(btm_sec_cb.devcb.id_keys.ir, btm_ble_dhk_pt);
1922
1923 Octet16 btm_ble_irk_pt{};
1924 btm_ble_irk_pt[0] = 0x01;
1925 /* IRK = D1(IR, 1) */
1926 btm_sec_cb.devcb.id_keys.irk =
1927 crypto_toolbox::aes_128(btm_sec_cb.devcb.id_keys.ir, btm_ble_irk_pt);
1928
1929 btm_notify_new_key(BTM_BLE_KEY_TYPE_ID);
1930
1931 /* proceed generate ER */
1932 btm_sec_cb.devcb.ble_encryption_key_value = rand2;
1933 btm_notify_new_key(BTM_BLE_KEY_TYPE_ER);
1934
1935 /* if privacy is enabled, update the irk and RPA in the LE address manager */
1936 if (btm_cb.ble_ctr_cb.privacy_mode != BTM_PRIVACY_NONE) {
1937 BTM_BleConfigPrivacy(true);
1938 }
1939 }
1940
1941 struct reset_id_data {
1942 Octet16 rand1;
1943 Octet16 rand2;
1944 };
1945
1946 /** This function is called to reset LE device identity. */
btm_ble_reset_id(void)1947 void btm_ble_reset_id(void) {
1948 log::verbose("btm_ble_reset_id");
1949
1950 /* In order to reset identity, we need four random numbers. Make four nested
1951 * calls to generate them first, then proceed to perform the actual reset in
1952 * btm_ble_reset_id_impl. */
1953 btsnd_hcic_ble_rand(base::Bind([](BT_OCTET8 rand) {
1954 reset_id_data tmp;
1955 memcpy(tmp.rand1.data(), rand, BT_OCTET8_LEN);
1956 btsnd_hcic_ble_rand(base::Bind(
1957 [](reset_id_data tmp, BT_OCTET8 rand) {
1958 memcpy(tmp.rand1.data() + 8, rand, BT_OCTET8_LEN);
1959 btsnd_hcic_ble_rand(base::Bind(
1960 [](reset_id_data tmp, BT_OCTET8 rand) {
1961 memcpy(tmp.rand2.data(), rand, BT_OCTET8_LEN);
1962 btsnd_hcic_ble_rand(base::Bind(
1963 [](reset_id_data tmp, BT_OCTET8 rand) {
1964 memcpy(tmp.rand2.data() + 8, rand, BT_OCTET8_LEN);
1965 // when all random numbers are ready, do the actual reset.
1966 btm_ble_reset_id_impl(tmp.rand1, tmp.rand2);
1967 },
1968 tmp));
1969 },
1970 tmp));
1971 },
1972 tmp));
1973 }));
1974 }
1975
1976 /*******************************************************************************
1977 *
1978 * Function btm_ble_get_acl_remote_addr
1979 *
1980 * Description This function reads the active remote address used for the
1981 * connection.
1982 *
1983 * Returns success return true, otherwise false.
1984 *
1985 ******************************************************************************/
btm_ble_get_acl_remote_addr(uint16_t hci_handle,RawAddress & conn_addr,tBLE_ADDR_TYPE * p_addr_type)1986 bool btm_ble_get_acl_remote_addr(uint16_t hci_handle, RawAddress& conn_addr,
1987 tBLE_ADDR_TYPE* p_addr_type) {
1988 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(hci_handle);
1989 if (p_dev_rec == nullptr) {
1990 log::warn("Unable to find security device record hci_handle:{}", hci_handle);
1991 // TODO Release acl resource
1992 return false;
1993 }
1994
1995 bool st = true;
1996
1997 switch (p_dev_rec->ble.active_addr_type) {
1998 case BTM_BLE_ADDR_PSEUDO:
1999 conn_addr = p_dev_rec->bd_addr;
2000 *p_addr_type = p_dev_rec->ble.AddressType();
2001 break;
2002
2003 case BTM_BLE_ADDR_RRA:
2004 conn_addr = p_dev_rec->ble.cur_rand_addr;
2005 *p_addr_type = BLE_ADDR_RANDOM;
2006 break;
2007
2008 case BTM_BLE_ADDR_STATIC:
2009 conn_addr = p_dev_rec->ble.identity_address_with_type.bda;
2010 *p_addr_type = p_dev_rec->ble.identity_address_with_type.type;
2011 break;
2012
2013 default:
2014 log::warn("Unable to find record with active address type:{}",
2015 p_dev_rec->ble.active_addr_type);
2016 st = false;
2017 break;
2018 }
2019 return st;
2020 }
2021
BTM_BleGetPeerLTK(const RawAddress address)2022 std::optional<Octet16> BTM_BleGetPeerLTK(const RawAddress address) {
2023 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(address);
2024 if (p_dev_rec == nullptr) {
2025 return std::nullopt;
2026 }
2027
2028 return p_dev_rec->sec_rec.ble_keys.pltk;
2029 }
2030
BTM_BleGetPeerIRK(const RawAddress address)2031 std::optional<Octet16> BTM_BleGetPeerIRK(const RawAddress address) {
2032 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(address);
2033 if (p_dev_rec == nullptr) {
2034 return std::nullopt;
2035 }
2036
2037 return p_dev_rec->sec_rec.ble_keys.irk;
2038 }
2039
BTM_BleIsLinkKeyKnown(const RawAddress address)2040 bool BTM_BleIsLinkKeyKnown(const RawAddress address) {
2041 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(address);
2042 return p_dev_rec != nullptr && p_dev_rec->sec_rec.is_le_link_key_known();
2043 }
2044
BTM_BleGetIdentityAddress(const RawAddress address)2045 std::optional<tBLE_BD_ADDR> BTM_BleGetIdentityAddress(const RawAddress address) {
2046 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(address);
2047 if (p_dev_rec == nullptr) {
2048 return std::nullopt;
2049 }
2050
2051 return p_dev_rec->ble.identity_address_with_type;
2052 }
2053