1 // SPDX-License-Identifier: LGPL-2.1-or-later
4 * BlueZ - Bluetooth protocol stack for Linux
6 * Copyright (C) 2014 Google Inc.
19 #include "src/shared/io.h"
20 #include "src/shared/queue.h"
21 #include "src/shared/util.h"
22 #include "src/shared/timeout.h"
23 #include "lib/bluetooth.h"
24 #include "lib/l2cap.h"
26 #include "src/shared/att.h"
27 #include "src/shared/crypto.h"
29 #define ATT_MIN_PDU_LEN 1 /* At least 1 byte for the opcode. */
30 #define ATT_OP_CMD_MASK 0x40
31 #define ATT_OP_SIGNED_MASK 0x80
32 #define ATT_TIMEOUT_INTERVAL 30000 /* 30000 ms */
34 /* Length of signature in write signed packet */
35 #define BT_ATT_SIGNATURE_LEN 12
44 int sec_level; /* Only used for non-L2CAP */
46 struct queue *queue; /* Channel dedicated queue */
48 struct att_send_op *pending_req;
49 struct att_send_op *pending_ind;
52 bool in_req; /* There's a pending incoming request */
63 uint16_t mtu; /* Biggest possible MTU */
65 struct queue *notify_list; /* List of registered callbacks */
66 struct queue *disconn_list; /* List of disconnect handlers */
67 struct queue *exchange_list; /* List of MTU changed handlers */
69 unsigned int next_send_id; /* IDs for "send" ops */
70 unsigned int next_reg_id; /* IDs for registered callbacks */
72 struct queue *req_queue; /* Queued ATT protocol requests */
73 struct queue *ind_queue; /* Queued ATT protocol indications */
74 struct queue *write_queue; /* Queue of PDUs ready to send */
75 bool in_disc; /* Cleanup queues on disconnect_cb */
76 bt_att_timeout_func_t timeout_callback;
77 bt_att_destroy_func_t timeout_destroy;
81 bt_att_debug_func_t debug_callback;
82 bt_att_destroy_func_t debug_destroy;
84 #ifdef TIZEN_FEATURE_BLUEZ_MODIFY
87 bool service_change_indication; /* Service changed indication status */
92 struct bt_crypto *crypto;
94 struct sign_info *local_sign;
95 struct sign_info *remote_sign;
100 bt_att_counter_func_t counter;
114 static const struct {
116 enum att_op_type type;
117 } att_opcode_type_table[] = {
118 { BT_ATT_OP_ERROR_RSP, ATT_OP_TYPE_RSP },
119 { BT_ATT_OP_MTU_REQ, ATT_OP_TYPE_REQ },
120 { BT_ATT_OP_MTU_RSP, ATT_OP_TYPE_RSP },
121 { BT_ATT_OP_FIND_INFO_REQ, ATT_OP_TYPE_REQ },
122 { BT_ATT_OP_FIND_INFO_RSP, ATT_OP_TYPE_RSP },
123 { BT_ATT_OP_FIND_BY_TYPE_REQ, ATT_OP_TYPE_REQ },
124 { BT_ATT_OP_FIND_BY_TYPE_RSP, ATT_OP_TYPE_RSP },
125 { BT_ATT_OP_READ_BY_TYPE_REQ, ATT_OP_TYPE_REQ },
126 { BT_ATT_OP_READ_BY_TYPE_RSP, ATT_OP_TYPE_RSP },
127 { BT_ATT_OP_READ_REQ, ATT_OP_TYPE_REQ },
128 { BT_ATT_OP_READ_RSP, ATT_OP_TYPE_RSP },
129 { BT_ATT_OP_READ_BLOB_REQ, ATT_OP_TYPE_REQ },
130 { BT_ATT_OP_READ_BLOB_RSP, ATT_OP_TYPE_RSP },
131 { BT_ATT_OP_READ_MULT_REQ, ATT_OP_TYPE_REQ },
132 { BT_ATT_OP_READ_MULT_RSP, ATT_OP_TYPE_RSP },
133 { BT_ATT_OP_READ_BY_GRP_TYPE_REQ, ATT_OP_TYPE_REQ },
134 { BT_ATT_OP_READ_BY_GRP_TYPE_RSP, ATT_OP_TYPE_RSP },
135 { BT_ATT_OP_WRITE_REQ, ATT_OP_TYPE_REQ },
136 { BT_ATT_OP_WRITE_RSP, ATT_OP_TYPE_RSP },
137 { BT_ATT_OP_WRITE_CMD, ATT_OP_TYPE_CMD },
138 { BT_ATT_OP_SIGNED_WRITE_CMD, ATT_OP_TYPE_CMD },
139 { BT_ATT_OP_PREP_WRITE_REQ, ATT_OP_TYPE_REQ },
140 { BT_ATT_OP_PREP_WRITE_RSP, ATT_OP_TYPE_RSP },
141 { BT_ATT_OP_EXEC_WRITE_REQ, ATT_OP_TYPE_REQ },
142 { BT_ATT_OP_EXEC_WRITE_RSP, ATT_OP_TYPE_RSP },
143 { BT_ATT_OP_HANDLE_NFY, ATT_OP_TYPE_NFY },
144 { BT_ATT_OP_HANDLE_NFY_MULT, ATT_OP_TYPE_NFY },
145 { BT_ATT_OP_HANDLE_IND, ATT_OP_TYPE_IND },
146 { BT_ATT_OP_HANDLE_CONF, ATT_OP_TYPE_CONF },
150 static enum att_op_type get_op_type(uint8_t opcode)
154 for (i = 0; att_opcode_type_table[i].opcode; i++) {
155 if (att_opcode_type_table[i].opcode == opcode)
156 return att_opcode_type_table[i].type;
159 if (opcode & ATT_OP_CMD_MASK)
160 return ATT_OP_TYPE_CMD;
162 return ATT_OP_TYPE_UNKNOWN;
165 static const struct {
168 } att_req_rsp_mapping_table[] = {
169 { BT_ATT_OP_MTU_REQ, BT_ATT_OP_MTU_RSP },
170 { BT_ATT_OP_FIND_INFO_REQ, BT_ATT_OP_FIND_INFO_RSP},
171 { BT_ATT_OP_FIND_BY_TYPE_REQ, BT_ATT_OP_FIND_BY_TYPE_RSP },
172 { BT_ATT_OP_READ_BY_TYPE_REQ, BT_ATT_OP_READ_BY_TYPE_RSP },
173 { BT_ATT_OP_READ_REQ, BT_ATT_OP_READ_RSP },
174 { BT_ATT_OP_READ_BLOB_REQ, BT_ATT_OP_READ_BLOB_RSP },
175 { BT_ATT_OP_READ_MULT_REQ, BT_ATT_OP_READ_MULT_RSP },
176 { BT_ATT_OP_READ_BY_GRP_TYPE_REQ, BT_ATT_OP_READ_BY_GRP_TYPE_RSP },
177 { BT_ATT_OP_WRITE_REQ, BT_ATT_OP_WRITE_RSP },
178 { BT_ATT_OP_PREP_WRITE_REQ, BT_ATT_OP_PREP_WRITE_RSP },
179 { BT_ATT_OP_EXEC_WRITE_REQ, BT_ATT_OP_EXEC_WRITE_RSP },
183 static uint8_t get_req_opcode(uint8_t rsp_opcode)
187 for (i = 0; att_req_rsp_mapping_table[i].rsp_opcode; i++) {
188 if (att_req_rsp_mapping_table[i].rsp_opcode == rsp_opcode)
189 return att_req_rsp_mapping_table[i].req_opcode;
197 unsigned int timeout_id;
198 enum att_op_type type;
202 bt_att_response_func_t callback;
203 bt_att_destroy_func_t destroy;
207 static void destroy_att_send_op(void *data)
209 struct att_send_op *op = data;
212 timeout_remove(op->timeout_id);
215 op->destroy(op->user_data);
221 static void cancel_att_send_op(void *data)
223 struct att_send_op *op = data;
226 op->destroy(op->user_data);
228 op->user_data = NULL;
236 bt_att_notify_func_t callback;
237 bt_att_destroy_func_t destroy;
241 static void destroy_att_notify(void *data)
243 struct att_notify *notify = data;
246 notify->destroy(notify->user_data);
251 static bool match_notify_id(const void *a, const void *b)
253 const struct att_notify *notify = a;
254 unsigned int id = PTR_TO_UINT(b);
256 return notify->id == id;
262 bt_att_disconnect_func_t callback;
263 bt_att_destroy_func_t destroy;
267 struct att_exchange {
270 bt_att_exchange_func_t callback;
271 bt_att_destroy_func_t destroy;
275 static void destroy_att_disconn(void *data)
277 struct att_disconn *disconn = data;
279 if (disconn->destroy)
280 disconn->destroy(disconn->user_data);
285 static void destroy_att_exchange(void *data)
287 struct att_exchange *exchange = data;
289 if (exchange->destroy)
290 exchange->destroy(exchange->user_data);
295 static bool match_disconn_id(const void *a, const void *b)
297 const struct att_disconn *disconn = a;
298 unsigned int id = PTR_TO_UINT(b);
300 return disconn->id == id;
303 static void att_log(struct bt_att *att, uint8_t level, const char *format,
308 if (att->debug_level < level)
310 va_start(va, format);
312 util_debug_va(att->debug_callback, att->debug_data, format, va);
316 #define att_debug(_att, _format, _arg...) \
317 att_log(_att, BT_ATT_DEBUG, _format, ## _arg)
319 #define att_verbose(_att, _format, _arg...) \
320 att_log(_att, BT_ATT_DEBUG_VERBOSE, _format, ## _arg)
322 static void att_hexdump(struct bt_att *att, char dir, const void *data,
325 if (att->debug_level < 2)
328 util_hexdump(dir, data, len, att->debug_callback, att->debug_data);
330 static bool encode_pdu(struct bt_att *att, struct att_send_op *op,
331 const void *pdu, uint16_t length)
333 uint16_t pdu_len = 1;
334 struct sign_info *sign = att->local_sign;
337 if (sign && (op->opcode & ATT_OP_SIGNED_MASK))
338 pdu_len += BT_ATT_SIGNATURE_LEN;
343 if (pdu_len > att->mtu)
347 op->pdu = malloc(op->len);
351 ((uint8_t *) op->pdu)[0] = op->opcode;
353 memcpy(op->pdu + 1, pdu, length);
355 if (!sign || !(op->opcode & ATT_OP_SIGNED_MASK) || !att->crypto)
358 if (!sign->counter(&sign_cnt, sign->user_data))
361 if ((bt_crypto_sign_att(att->crypto, sign->key, op->pdu, 1 + length,
362 sign_cnt, &((uint8_t *) op->pdu)[1 + length])))
365 att_debug(att, "ATT unable to generate signature");
372 static struct att_send_op *create_att_send_op(struct bt_att *att,
376 bt_att_response_func_t callback,
378 bt_att_destroy_func_t destroy)
380 struct att_send_op *op;
381 enum att_op_type type;
386 type = get_op_type(opcode);
387 if (type == ATT_OP_TYPE_UNKNOWN)
390 /* If the opcode corresponds to an operation type that does not elicit a
391 * response from the remote end, then no callback should have been
392 * provided, since it will never be called.
394 #ifdef TIZEN_FEATURE_BLUEZ_MODIFY
395 if (callback && type != ATT_OP_TYPE_REQ && type != ATT_OP_TYPE_IND
396 && type != ATT_OP_TYPE_CMD)
399 if (callback && type != ATT_OP_TYPE_REQ && type != ATT_OP_TYPE_IND)
403 /* Similarly, if the operation does elicit a response then a callback
406 if (!callback && (type == ATT_OP_TYPE_REQ || type == ATT_OP_TYPE_IND))
409 op = new0(struct att_send_op, 1);
412 op->callback = callback;
413 op->destroy = destroy;
414 op->user_data = user_data;
416 if (!encode_pdu(att, op, pdu, length)) {
424 static struct att_send_op *pick_next_send_op(struct bt_att_chan *chan)
426 struct bt_att *att = chan->att;
427 struct att_send_op *op;
429 /* Check if there is anything queued on the channel */
430 op = queue_pop_head(chan->queue);
434 /* See if any operations are already in the write queue */
435 op = queue_peek_head(att->write_queue);
436 if (op && op->len <= chan->mtu)
437 return queue_pop_head(att->write_queue);
439 /* If there is no pending request, pick an operation from the
442 if (!chan->pending_req) {
443 op = queue_peek_head(att->req_queue);
444 if (op && op->len <= chan->mtu) {
445 /* Don't send Exchange MTU over EATT */
446 if (op->opcode == BT_ATT_OP_MTU_REQ &&
447 chan->type == BT_ATT_EATT)
450 return queue_pop_head(att->req_queue);
455 /* There is either a request pending or no requests queued. If there is
456 * no pending indication, pick an operation from the indication queue.
458 if (!chan->pending_ind) {
459 op = queue_peek_head(att->ind_queue);
460 if (op && op->len <= chan->mtu)
461 return queue_pop_head(att->ind_queue);
467 static void disc_att_send_op(void *data)
469 struct att_send_op *op = data;
472 op->callback(BT_ATT_OP_ERROR_RSP, NULL, 0, op->user_data);
474 destroy_att_send_op(op);
477 struct timeout_data {
478 struct bt_att_chan *chan;
482 static bool timeout_cb(void *user_data)
484 struct timeout_data *timeout = user_data;
485 struct bt_att_chan *chan = timeout->chan;
486 struct bt_att *att = chan->att;
487 struct att_send_op *op = NULL;
489 if (chan->pending_req && chan->pending_req->id == timeout->id) {
490 op = chan->pending_req;
491 chan->pending_req = NULL;
492 } else if (chan->pending_ind && chan->pending_ind->id == timeout->id) {
493 op = chan->pending_ind;
494 chan->pending_ind = NULL;
500 att_debug(att, "(chan %p) Operation timed out: 0x%02x", chan,
503 if (att->timeout_callback)
504 att->timeout_callback(op->id, op->opcode, att->timeout_data);
507 disc_att_send_op(op);
510 * Directly terminate the connection as required by the ATT protocol.
511 * This should trigger an io disconnect event which will clean up the
512 * io and notify the upper layer.
514 io_shutdown(chan->io);
519 static void write_watch_destroy(void *user_data)
521 struct bt_att_chan *chan = user_data;
523 chan->writer_active = false;
526 static ssize_t bt_att_chan_write(struct bt_att_chan *chan, uint8_t opcode,
527 const void *pdu, uint16_t len)
529 struct bt_att *att = chan->att;
533 iov.iov_base = (void *) pdu;
536 att_verbose(att, "(chan %p) ATT op 0x%02x", chan, opcode);
538 ret = io_send(chan->io, &iov, 1);
541 att_debug(att, "(chan %p) write failed: %s", chan,
546 if (att->debug_level)
547 util_hexdump('<', pdu, ret, att->debug_callback,
553 static bool can_write_data(struct io *io, void *user_data)
555 struct bt_att_chan *chan = user_data;
556 struct att_send_op *op;
557 struct timeout_data *timeout;
559 op = pick_next_send_op(chan);
563 if (!bt_att_chan_write(chan, op->opcode, op->pdu, op->len)) {
565 op->callback(BT_ATT_OP_ERROR_RSP, NULL, 0,
568 destroy_att_send_op(op);
573 /* Based on the operation type, set either the pending request or the
574 * pending indication. If it came from the write queue, then there is
575 * no need to keep it around.
578 case ATT_OP_TYPE_REQ:
579 chan->pending_req = op;
581 case ATT_OP_TYPE_IND:
582 chan->pending_ind = op;
584 #ifdef TIZEN_FEATURE_BLUEZ_MODIFY
585 case ATT_OP_TYPE_CMD:
587 op->callback(0, NULL, 0, op->user_data);
588 destroy_att_send_op(op);
591 case ATT_OP_TYPE_RSP:
592 /* Set in_req to false to indicate that no request is pending */
593 chan->in_req = false;
596 #ifndef TIZEN_FEATURE_BLUEZ_MODIFY
597 case ATT_OP_TYPE_CMD:
599 case ATT_OP_TYPE_NFY:
600 case ATT_OP_TYPE_CONF:
601 case ATT_OP_TYPE_UNKNOWN:
603 destroy_att_send_op(op);
607 timeout = new0(struct timeout_data, 1);
608 timeout->chan = chan;
609 timeout->id = op->id;
610 op->timeout_id = timeout_add(ATT_TIMEOUT_INTERVAL, timeout_cb,
613 /* Return true as there may be more operations ready to write. */
617 static void wakeup_chan_writer(void *data, void *user_data)
619 struct bt_att_chan *chan = data;
620 struct bt_att *att = chan->att;
622 if (chan->writer_active)
625 /* Set the write handler only if there is anything that can be sent
628 if (queue_isempty(chan->queue) && queue_isempty(att->write_queue)) {
629 if ((chan->pending_req || queue_isempty(att->req_queue)) &&
630 (chan->pending_ind || queue_isempty(att->ind_queue)))
634 if (!io_set_write_handler(chan->io, can_write_data, chan,
635 write_watch_destroy))
638 chan->writer_active = true;
641 static void wakeup_writer(struct bt_att *att)
643 queue_foreach(att->chans, wakeup_chan_writer, NULL);
646 static void disconn_handler(void *data, void *user_data)
648 struct att_disconn *disconn = data;
649 int err = PTR_TO_INT(user_data);
651 if (disconn->removed)
654 if (disconn->callback)
655 disconn->callback(err, disconn->user_data);
658 static void bt_att_chan_free(void *data)
660 struct bt_att_chan *chan = data;
662 if (chan->pending_req)
663 destroy_att_send_op(chan->pending_req);
665 if (chan->pending_ind)
666 destroy_att_send_op(chan->pending_ind);
668 queue_destroy(chan->queue, destroy_att_send_op);
670 io_destroy(chan->io);
676 static bool disconnect_cb(struct io *io, void *user_data)
678 struct bt_att_chan *chan = user_data;
679 struct bt_att *att = chan->att;
685 if (getsockopt(chan->fd, SOL_SOCKET, SO_ERROR, &err, &len) < 0) {
686 att_debug(att, "(chan %p) Failed to obtain disconnect "
687 "error: %s", chan, strerror(errno));
691 att_debug(att, "Channel %p disconnected: %s", chan, strerror(err));
693 /* Dettach channel */
694 queue_remove(att->chans, chan);
696 if (chan->pending_req) {
697 disc_att_send_op(chan->pending_req);
698 chan->pending_req = NULL;
701 if (chan->pending_ind) {
702 disc_att_send_op(chan->pending_ind);
703 chan->pending_ind = NULL;
706 bt_att_chan_free(chan);
708 /* Don't run disconnect callback if there are channels left */
709 if (!queue_isempty(att->chans))
715 /* Notify request callbacks */
716 queue_remove_all(att->req_queue, NULL, NULL, disc_att_send_op);
717 queue_remove_all(att->ind_queue, NULL, NULL, disc_att_send_op);
718 queue_remove_all(att->write_queue, NULL, NULL, disc_att_send_op);
720 att->in_disc = false;
722 queue_foreach(att->disconn_list, disconn_handler, INT_TO_PTR(err));
724 bt_att_unregister_all(att);
730 static int bt_att_chan_get_security(struct bt_att_chan *chan)
732 struct bt_security sec;
735 if (chan->type == BT_ATT_LOCAL)
736 return chan->sec_level;
738 memset(&sec, 0, sizeof(sec));
740 if (getsockopt(chan->fd, SOL_BLUETOOTH, BT_SECURITY, &sec, &len) < 0)
746 static bool bt_att_chan_set_security(struct bt_att_chan *chan, int level)
748 struct bt_security sec;
750 if (chan->type == BT_ATT_LOCAL) {
751 chan->sec_level = level;
755 memset(&sec, 0, sizeof(sec));
758 if (setsockopt(chan->fd, SOL_BLUETOOTH, BT_SECURITY, &sec,
765 static bool change_security(struct bt_att_chan *chan, uint8_t ecode)
769 if (chan->sec_level != BT_ATT_SECURITY_AUTO)
772 security = bt_att_chan_get_security(chan);
774 if (ecode == BT_ATT_ERROR_INSUFFICIENT_ENCRYPTION &&
775 security < BT_ATT_SECURITY_MEDIUM) {
776 security = BT_ATT_SECURITY_MEDIUM;
777 } else if (ecode == BT_ATT_ERROR_AUTHENTICATION) {
778 if (security < BT_ATT_SECURITY_MEDIUM)
779 security = BT_ATT_SECURITY_MEDIUM;
780 else if (security < BT_ATT_SECURITY_HIGH)
781 security = BT_ATT_SECURITY_HIGH;
782 else if (security < BT_ATT_SECURITY_FIPS)
783 security = BT_ATT_SECURITY_FIPS;
790 return bt_att_chan_set_security(chan, security);
793 static bool handle_error_rsp(struct bt_att_chan *chan, uint8_t *pdu,
794 ssize_t pdu_len, uint8_t *opcode)
796 struct bt_att *att = chan->att;
797 const struct bt_att_pdu_error_rsp *rsp;
798 struct att_send_op *op = chan->pending_req;
800 if (pdu_len != sizeof(*rsp)) {
807 *opcode = rsp->opcode;
809 /* Attempt to change security */
810 if (!change_security(chan, rsp->ecode))
813 /* Remove timeout_id if outstanding */
814 if (op->timeout_id) {
815 timeout_remove(op->timeout_id);
819 att_debug(att, "(chan %p) Retrying operation %p", chan, op);
821 chan->pending_req = NULL;
823 /* Push operation back to request queue */
824 return queue_push_head(att->req_queue, op);
827 static void handle_rsp(struct bt_att_chan *chan, uint8_t opcode, uint8_t *pdu,
830 struct bt_att *att = chan->att;
831 struct att_send_op *op = chan->pending_req;
834 uint8_t *rsp_pdu = NULL;
835 uint16_t rsp_pdu_len = 0;
838 * If no request is pending, then the response is unexpected. Disconnect
842 att_debug(att, "(chan %p) Received unexpected ATT response",
844 io_shutdown(chan->io);
849 * If the received response doesn't match the pending request, or if
850 * the request is malformed, end the current request with failure.
852 if (opcode == BT_ATT_OP_ERROR_RSP) {
853 /* Return if error response cause a retry */
854 if (handle_error_rsp(chan, pdu, pdu_len, &req_opcode)) {
855 wakeup_chan_writer(chan, NULL);
858 } else if (!(req_opcode = get_req_opcode(opcode)))
861 if (req_opcode != op->opcode)
868 rsp_pdu_len = pdu_len;
874 att_debug(att, "(chan %p) Failed to handle response PDU; opcode: "
875 "0x%02x", chan, opcode);
877 rsp_opcode = BT_ATT_OP_ERROR_RSP;
881 op->callback(rsp_opcode, rsp_pdu, rsp_pdu_len, op->user_data);
883 destroy_att_send_op(op);
884 chan->pending_req = NULL;
886 wakeup_chan_writer(chan, NULL);
889 static void handle_conf(struct bt_att_chan *chan, uint8_t *pdu, ssize_t pdu_len)
891 struct bt_att *att = chan->att;
892 struct att_send_op *op = chan->pending_ind;
895 * Disconnect the bearer if the confirmation is unexpected or the PDU is
898 if (!op || pdu_len) {
899 att_debug(att, "(chan %p) Received unexpected/invalid ATT "
900 "confirmation", chan);
901 io_shutdown(chan->io);
906 op->callback(BT_ATT_OP_HANDLE_CONF, NULL, 0, op->user_data);
908 destroy_att_send_op(op);
909 chan->pending_ind = NULL;
911 wakeup_chan_writer(chan, NULL);
921 static bool opcode_match(uint8_t opcode, uint8_t test_opcode)
923 enum att_op_type op_type = get_op_type(test_opcode);
925 if (opcode == BT_ATT_ALL_REQUESTS && (op_type == ATT_OP_TYPE_REQ ||
926 op_type == ATT_OP_TYPE_CMD))
929 return opcode == test_opcode;
932 static void respond_not_supported(struct bt_att *att, uint8_t opcode)
934 struct bt_att_pdu_error_rsp pdu;
938 pdu.ecode = BT_ATT_ERROR_REQUEST_NOT_SUPPORTED;
940 bt_att_send(att, BT_ATT_OP_ERROR_RSP, &pdu, sizeof(pdu), NULL, NULL,
944 static bool handle_signed(struct bt_att *att, uint8_t *pdu, ssize_t pdu_len)
948 struct sign_info *sign;
949 uint8_t opcode = pdu[0];
951 /* Check if there is enough data for a signature */
952 if (pdu_len < 3 + BT_ATT_SIGNATURE_LEN)
955 sign = att->remote_sign;
959 signature = pdu + (pdu_len - BT_ATT_SIGNATURE_LEN);
960 sign_cnt = get_le32(signature);
962 /* Validate counter */
963 if (!sign->counter(&sign_cnt, sign->user_data))
966 /* Verify received signature */
967 if (!bt_crypto_verify_att_sign(att->crypto, sign->key, pdu, pdu_len))
973 att_debug(att, "ATT failed to verify signature: 0x%02x", opcode);
978 static void handle_notify(struct bt_att_chan *chan, uint8_t *pdu,
981 struct bt_att *att = chan->att;
982 const struct queue_entry *entry;
984 uint8_t opcode = pdu[0];
989 entry = queue_get_entries(att->notify_list);
992 struct att_notify *notify = entry->data;
996 if (!opcode_match(notify->opcode, opcode))
999 if ((opcode & ATT_OP_SIGNED_MASK) && att->crypto) {
1000 if (!handle_signed(att, pdu, pdu_len))
1002 pdu_len -= BT_ATT_SIGNATURE_LEN;
1005 /* BLUETOOTH CORE SPECIFICATION Version 5.1 | Vol 3, Part G
1008 * 4.3.1 Exchange MTU
1010 * This sub-procedure shall not be used on a BR/EDR physical
1011 * link since the MTU size is negotiated using L2CAP channel
1012 * configuration procedures.
1014 if (bt_att_get_link_type(att) == BT_ATT_BREDR ||
1015 chan->type == BT_ATT_EATT) {
1017 case BT_ATT_OP_MTU_REQ:
1024 if (notify->callback)
1025 notify->callback(chan, opcode, pdu + 1, pdu_len - 1,
1028 /* callback could remove all entries from notify list */
1029 if (queue_isempty(att->notify_list))
1035 * If this was not a command and no handler was registered for it,
1036 * respond with "Not Supported"
1038 if (!found && get_op_type(opcode) != ATT_OP_TYPE_CMD)
1039 respond_not_supported(att, opcode);
1044 static bool can_read_data(struct io *io, void *user_data)
1046 struct bt_att_chan *chan = user_data;
1047 struct bt_att *att = chan->att;
1052 bytes_read = read(chan->fd, chan->buf, chan->mtu);
1056 att_verbose(att, "(chan %p) ATT received: %zd", chan, bytes_read);
1058 att_hexdump(att, '>', chan->buf, bytes_read);
1060 if (bytes_read < ATT_MIN_PDU_LEN)
1068 /* Act on the received PDU based on the opcode type */
1069 switch (get_op_type(opcode)) {
1070 case ATT_OP_TYPE_RSP:
1071 att_verbose(att, "(chan %p) ATT response received: 0x%02x",
1073 handle_rsp(chan, opcode, pdu + 1, bytes_read - 1);
1075 case ATT_OP_TYPE_CONF:
1076 att_verbose(att, "(chan %p) ATT confirmation received: 0x%02x",
1078 handle_conf(chan, pdu + 1, bytes_read - 1);
1080 case ATT_OP_TYPE_REQ:
1082 * If a request is currently pending, then the sequential
1083 * protocol was violated. Disconnect the bearer, which will
1084 * promptly notify the upper layer via disconnect handlers.
1087 att_debug(att, "(chan %p) Received request while "
1088 "another is pending: 0x%02x",
1090 io_shutdown(chan->io);
1091 bt_att_unref(chan->att);
1096 chan->in_req = true;
1098 case ATT_OP_TYPE_CMD:
1099 case ATT_OP_TYPE_NFY:
1100 case ATT_OP_TYPE_UNKNOWN:
1101 case ATT_OP_TYPE_IND:
1104 /* For all other opcodes notify the upper layer of the PDU and
1105 * let them act on it.
1107 att_debug(att, "(chan %p) ATT PDU received: 0x%02x", chan,
1109 handle_notify(chan, pdu, bytes_read);
1118 static bool is_io_l2cap_based(int fd)
1126 len = sizeof(domain);
1127 err = getsockopt(fd, SOL_SOCKET, SO_DOMAIN, &domain, &len);
1131 if (domain != AF_BLUETOOTH)
1135 len = sizeof(proto);
1136 err = getsockopt(fd, SOL_SOCKET, SO_PROTOCOL, &proto, &len);
1140 return proto == BTPROTO_L2CAP;
1143 static void bt_att_free(struct bt_att *att)
1145 bt_crypto_unref(att->crypto);
1147 if (att->timeout_destroy)
1148 att->timeout_destroy(att->timeout_data);
1150 if (att->debug_destroy)
1151 att->debug_destroy(att->debug_data);
1153 free(att->local_sign);
1154 free(att->remote_sign);
1156 queue_destroy(att->req_queue, NULL);
1157 queue_destroy(att->ind_queue, NULL);
1158 queue_destroy(att->write_queue, NULL);
1159 queue_destroy(att->notify_list, NULL);
1160 queue_destroy(att->disconn_list, NULL);
1161 queue_destroy(att->exchange_list, NULL);
1162 queue_destroy(att->chans, bt_att_chan_free);
1167 static uint16_t io_get_mtu(int fd)
1170 struct l2cap_options l2o;
1173 if (!getsockopt(fd, SOL_L2CAP, L2CAP_OPTIONS, &l2o, &len))
1176 if (!getsockopt(fd, SOL_BLUETOOTH, BT_SNDMTU, &l2o.omtu, &len))
1182 static uint8_t io_get_type(int fd)
1184 struct sockaddr_l2 src;
1187 if (!is_io_l2cap_based(fd))
1188 return BT_ATT_LOCAL;
1191 memset(&src, 0, len);
1192 if (getsockname(fd, (void *)&src, &len) < 0)
1195 if (src.l2_bdaddr_type == BDADDR_BREDR)
1196 return BT_ATT_BREDR;
1201 static struct bt_att_chan *bt_att_chan_new(int fd, uint8_t type)
1203 struct bt_att_chan *chan;
1208 chan = new0(struct bt_att_chan, 1);
1211 chan->io = io_new(fd);
1215 if (!io_set_read_handler(chan->io, can_read_data, chan, NULL))
1218 if (!io_set_disconnect_handler(chan->io, disconnect_cb, chan, NULL))
1222 switch (chan->type) {
1224 chan->sec_level = BT_ATT_SECURITY_LOW;
1227 chan->mtu = BT_ATT_DEFAULT_LE_MTU;
1230 chan->mtu = io_get_mtu(chan->fd);
1233 if (chan->mtu < BT_ATT_DEFAULT_LE_MTU)
1236 chan->buf = malloc(chan->mtu);
1240 chan->queue = queue_new();
1245 bt_att_chan_free(chan);
1250 static void bt_att_attach_chan(struct bt_att *att, struct bt_att_chan *chan)
1252 /* Push to head as EATT channels have higher priority */
1253 queue_push_head(att->chans, chan);
1256 if (chan->mtu > att->mtu)
1257 att->mtu = chan->mtu;
1259 io_set_close_on_destroy(chan->io, att->close_on_unref);
1261 att_debug(att, "Channel %p attached", chan);
1263 wakeup_chan_writer(chan, NULL);
1266 struct bt_att *bt_att_new(int fd, bool ext_signed)
1269 struct bt_att_chan *chan;
1271 chan = bt_att_chan_new(fd, io_get_type(fd));
1275 att = new0(struct bt_att, 1);
1276 att->chans = queue_new();
1277 att->mtu = chan->mtu;
1279 /* crypto is optional, if not available leave it NULL */
1281 att->crypto = bt_crypto_new();
1283 att->req_queue = queue_new();
1284 att->ind_queue = queue_new();
1285 att->write_queue = queue_new();
1286 att->notify_list = queue_new();
1287 att->disconn_list = queue_new();
1288 att->exchange_list = queue_new();
1290 bt_att_attach_chan(att, chan);
1292 return bt_att_ref(att);
1295 struct bt_att *bt_att_ref(struct bt_att *att)
1300 __sync_fetch_and_add(&att->ref_count, 1);
1305 void bt_att_unref(struct bt_att *att)
1310 if (__sync_sub_and_fetch(&att->ref_count, 1))
1313 bt_att_unregister_all(att);
1314 bt_att_cancel_all(att);
1319 bool bt_att_set_close_on_unref(struct bt_att *att, bool do_close)
1321 const struct queue_entry *entry;
1326 att->close_on_unref = do_close;
1328 for (entry = queue_get_entries(att->chans); entry;
1329 entry = entry->next) {
1330 struct bt_att_chan *chan = entry->data;
1332 if (!io_set_close_on_destroy(chan->io, do_close))
1339 int bt_att_attach_fd(struct bt_att *att, int fd)
1341 struct bt_att_chan *chan;
1346 chan = bt_att_chan_new(fd, BT_ATT_EATT);
1350 bt_att_attach_chan(att, chan);
1355 int bt_att_get_fd(struct bt_att *att)
1357 struct bt_att_chan *chan;
1362 if (queue_isempty(att->chans))
1365 chan = queue_peek_tail(att->chans);
1370 int bt_att_get_channels(struct bt_att *att)
1375 return queue_length(att->chans);
1378 bool bt_att_set_debug(struct bt_att *att, uint8_t level,
1379 bt_att_debug_func_t callback, void *user_data,
1380 bt_att_destroy_func_t destroy)
1385 if (att->debug_destroy)
1386 att->debug_destroy(att->debug_data);
1388 att->debug_level = level;
1389 att->debug_callback = callback;
1390 att->debug_destroy = destroy;
1391 att->debug_data = user_data;
1396 uint16_t bt_att_get_mtu(struct bt_att *att)
1404 static void exchange_handler(void *data, void *user_data)
1406 struct att_exchange *exchange = data;
1407 uint16_t mtu = PTR_TO_INT(user_data);
1409 if (exchange->removed)
1412 if (exchange->callback)
1413 exchange->callback(mtu, exchange->user_data);
1416 bool bt_att_set_mtu(struct bt_att *att, uint16_t mtu)
1418 struct bt_att_chan *chan;
1424 if (mtu < BT_ATT_DEFAULT_LE_MTU)
1427 /* Original channel is always the last */
1428 chan = queue_peek_tail(att->chans);
1440 if (chan->mtu > att->mtu) {
1441 att->mtu = chan->mtu;
1442 queue_foreach(att->exchange_list, exchange_handler,
1443 INT_TO_PTR(att->mtu));
1449 uint8_t bt_att_get_link_type(struct bt_att *att)
1451 struct bt_att_chan *chan;
1456 chan = queue_peek_tail(att->chans);
1463 bool bt_att_set_timeout_cb(struct bt_att *att, bt_att_timeout_func_t callback,
1465 bt_att_destroy_func_t destroy)
1470 if (att->timeout_destroy)
1471 att->timeout_destroy(att->timeout_data);
1473 att->timeout_callback = callback;
1474 att->timeout_destroy = destroy;
1475 att->timeout_data = user_data;
1480 unsigned int bt_att_register_disconnect(struct bt_att *att,
1481 bt_att_disconnect_func_t callback,
1483 bt_att_destroy_func_t destroy)
1485 struct att_disconn *disconn;
1487 if (!att || queue_isempty(att->chans))
1490 disconn = new0(struct att_disconn, 1);
1491 disconn->callback = callback;
1492 disconn->destroy = destroy;
1493 disconn->user_data = user_data;
1495 if (att->next_reg_id < 1)
1496 att->next_reg_id = 1;
1498 disconn->id = att->next_reg_id++;
1500 if (!queue_push_tail(att->disconn_list, disconn)) {
1508 bool bt_att_unregister_disconnect(struct bt_att *att, unsigned int id)
1510 struct att_disconn *disconn;
1515 /* Check if disconnect is running */
1516 if (queue_isempty(att->chans)) {
1517 disconn = queue_find(att->disconn_list, match_disconn_id,
1522 disconn->removed = true;
1526 disconn = queue_remove_if(att->disconn_list, match_disconn_id,
1531 destroy_att_disconn(disconn);
1535 unsigned int bt_att_register_exchange(struct bt_att *att,
1536 bt_att_exchange_func_t callback,
1538 bt_att_destroy_func_t destroy)
1540 struct att_exchange *mtu;
1542 if (!att || queue_isempty(att->chans))
1545 mtu = new0(struct att_exchange, 1);
1546 mtu->callback = callback;
1547 mtu->destroy = destroy;
1548 mtu->user_data = user_data;
1550 if (att->next_reg_id < 1)
1551 att->next_reg_id = 1;
1553 mtu->id = att->next_reg_id++;
1555 if (!queue_push_tail(att->exchange_list, mtu)) {
1563 bool bt_att_unregister_exchange(struct bt_att *att, unsigned int id)
1565 struct att_exchange *mtu;
1570 /* Check if disconnect is running */
1571 if (queue_isempty(att->chans)) {
1572 mtu = queue_find(att->exchange_list, match_disconn_id,
1577 mtu->removed = true;
1581 mtu = queue_remove_if(att->exchange_list, match_disconn_id,
1586 destroy_att_exchange(mtu);
1590 unsigned int bt_att_send(struct bt_att *att, uint8_t opcode,
1591 const void *pdu, uint16_t length,
1592 bt_att_response_func_t callback, void *user_data,
1593 bt_att_destroy_func_t destroy)
1595 struct att_send_op *op;
1598 if (!att || queue_isempty(att->chans))
1601 op = create_att_send_op(att, opcode, pdu, length, callback, user_data,
1606 if (att->next_send_id < 1)
1607 att->next_send_id = 1;
1609 op->id = att->next_send_id++;
1611 /* Add the op to the correct queue based on its type */
1613 case ATT_OP_TYPE_REQ:
1614 result = queue_push_tail(att->req_queue, op);
1616 case ATT_OP_TYPE_IND:
1617 result = queue_push_tail(att->ind_queue, op);
1619 case ATT_OP_TYPE_CMD:
1620 case ATT_OP_TYPE_NFY:
1621 case ATT_OP_TYPE_UNKNOWN:
1622 case ATT_OP_TYPE_RSP:
1623 case ATT_OP_TYPE_CONF:
1625 result = queue_push_tail(att->write_queue, op);
1640 int bt_att_resend(struct bt_att *att, unsigned int id, uint8_t opcode,
1641 const void *pdu, uint16_t length,
1642 bt_att_response_func_t callback,
1644 bt_att_destroy_func_t destroy)
1646 const struct queue_entry *entry;
1647 struct att_send_op *op;
1653 /* Lookup request on each channel */
1654 for (entry = queue_get_entries(att->chans); entry;
1655 entry = entry->next) {
1656 struct bt_att_chan *chan = entry->data;
1658 if (chan->pending_req && chan->pending_req->id == id)
1665 /* Only allow requests to be resend */
1666 if (get_op_type(opcode) != ATT_OP_TYPE_REQ)
1669 op = create_att_send_op(att, opcode, pdu, length, callback, user_data,
1677 /* Only prepend requests that could be a continuation */
1678 case BT_ATT_OP_READ_BLOB_REQ:
1679 case BT_ATT_OP_PREP_WRITE_REQ:
1680 case BT_ATT_OP_EXEC_WRITE_REQ:
1681 result = queue_push_head(att->req_queue, op);
1684 result = queue_push_tail(att->req_queue, op);
1699 unsigned int bt_att_chan_send(struct bt_att_chan *chan, uint8_t opcode,
1700 const void *pdu, uint16_t len,
1701 bt_att_response_func_t callback,
1703 bt_att_destroy_func_t destroy)
1705 struct att_send_op *op;
1707 if (!chan || !chan->att)
1710 op = create_att_send_op(chan->att, opcode, pdu, len, callback,
1711 user_data, destroy);
1715 if (!queue_push_tail(chan->queue, op)) {
1721 wakeup_chan_writer(chan, NULL);
1726 static bool match_op_id(const void *a, const void *b)
1728 const struct att_send_op *op = a;
1729 unsigned int id = PTR_TO_UINT(b);
1731 return op->id == id;
1734 bool bt_att_chan_cancel(struct bt_att_chan *chan, unsigned int id)
1736 struct att_send_op *op;
1738 if (chan->pending_req && chan->pending_req->id == id) {
1739 /* Don't cancel the pending request; remove it's handlers */
1740 cancel_att_send_op(chan->pending_req);
1744 if (chan->pending_ind && chan->pending_ind->id == id) {
1745 /* Don't cancel the pending indication; remove it's handlers. */
1746 cancel_att_send_op(chan->pending_ind);
1750 op = queue_remove_if(chan->queue, match_op_id, UINT_TO_PTR(id));
1754 destroy_att_send_op(op);
1756 wakeup_chan_writer(chan, NULL);
1761 static bool bt_att_disc_cancel(struct bt_att *att, unsigned int id)
1763 struct att_send_op *op;
1765 op = queue_find(att->req_queue, match_op_id, UINT_TO_PTR(id));
1769 op = queue_find(att->ind_queue, match_op_id, UINT_TO_PTR(id));
1773 op = queue_find(att->write_queue, match_op_id, UINT_TO_PTR(id));
1779 /* Just cancel since disconnect_cb will be cleaning up */
1780 cancel_att_send_op(op);
1785 bool bt_att_cancel(struct bt_att *att, unsigned int id)
1787 const struct queue_entry *entry;
1788 struct att_send_op *op;
1793 for (entry = queue_get_entries(att->chans); entry;
1794 entry = entry->next) {
1795 struct bt_att_chan *chan = entry->data;
1797 if (bt_att_chan_cancel(chan, id))
1802 return bt_att_disc_cancel(att, id);
1804 op = queue_remove_if(att->req_queue, match_op_id, UINT_TO_PTR(id));
1808 op = queue_remove_if(att->ind_queue, match_op_id, UINT_TO_PTR(id));
1812 op = queue_remove_if(att->write_queue, match_op_id, UINT_TO_PTR(id));
1820 destroy_att_send_op(op);
1827 bool bt_att_cancel_all(struct bt_att *att)
1829 const struct queue_entry *entry;
1834 queue_remove_all(att->req_queue, NULL, NULL, destroy_att_send_op);
1835 queue_remove_all(att->ind_queue, NULL, NULL, destroy_att_send_op);
1836 queue_remove_all(att->write_queue, NULL, NULL, destroy_att_send_op);
1838 for (entry = queue_get_entries(att->chans); entry;
1839 entry = entry->next) {
1840 struct bt_att_chan *chan = entry->data;
1842 if (chan->pending_req)
1843 /* Don't cancel the pending request; remove it's
1846 cancel_att_send_op(chan->pending_req);
1848 if (chan->pending_ind)
1849 /* Don't cancel the pending request; remove it's
1852 cancel_att_send_op(chan->pending_ind);
1858 static uint8_t att_ecode_from_error(int err)
1861 * If the error fits in a single byte, treat it as an ATT protocol
1862 * error as is. Since "0" is not a valid ATT protocol error code, we map
1863 * that to UNLIKELY below.
1865 if (err > 0 && err < UINT8_MAX)
1869 * Since we allow UNIX errnos, map them to appropriate ATT protocol
1870 * and "Common Profile and Service" error codes.
1874 return BT_ATT_ERROR_INVALID_HANDLE;
1876 return BT_ATT_ERROR_INSUFFICIENT_RESOURCES;
1878 return BT_ERROR_ALREADY_IN_PROGRESS;
1880 return BT_ERROR_OUT_OF_RANGE;
1883 return BT_ATT_ERROR_UNLIKELY;
1886 int bt_att_chan_send_error_rsp(struct bt_att_chan *chan, uint8_t opcode,
1887 uint16_t handle, int error)
1889 struct bt_att_pdu_error_rsp pdu;
1892 if (!chan || !chan->att || !opcode)
1895 ecode = att_ecode_from_error(error);
1897 memset(&pdu, 0, sizeof(pdu));
1899 pdu.opcode = opcode;
1900 put_le16(handle, &pdu.handle);
1903 return bt_att_chan_send_rsp(chan, BT_ATT_OP_ERROR_RSP, &pdu,
1907 unsigned int bt_att_register(struct bt_att *att, uint8_t opcode,
1908 bt_att_notify_func_t callback,
1910 bt_att_destroy_func_t destroy)
1912 struct att_notify *notify;
1914 if (!att || !callback || queue_isempty(att->chans))
1917 notify = new0(struct att_notify, 1);
1918 notify->opcode = opcode;
1919 notify->callback = callback;
1920 notify->destroy = destroy;
1921 notify->user_data = user_data;
1923 if (att->next_reg_id < 1)
1924 att->next_reg_id = 1;
1926 notify->id = att->next_reg_id++;
1928 if (!queue_push_tail(att->notify_list, notify)) {
1936 bool bt_att_unregister(struct bt_att *att, unsigned int id)
1938 struct att_notify *notify;
1943 notify = queue_remove_if(att->notify_list, match_notify_id,
1948 destroy_att_notify(notify);
1952 bool bt_att_unregister_all(struct bt_att *att)
1957 queue_remove_all(att->notify_list, NULL, NULL, destroy_att_notify);
1958 queue_remove_all(att->disconn_list, NULL, NULL, destroy_att_disconn);
1959 queue_remove_all(att->exchange_list, NULL, NULL, destroy_att_exchange);
1964 int bt_att_get_security(struct bt_att *att, uint8_t *enc_size)
1966 struct bt_att_chan *chan;
1972 chan = queue_peek_tail(att->chans);
1976 ret = bt_att_chan_get_security(chan);
1981 *enc_size = att->enc_size;
1986 bool bt_att_set_security(struct bt_att *att, int level)
1988 struct bt_att_chan *chan;
1990 if (!att || level < BT_ATT_SECURITY_AUTO ||
1991 level > BT_ATT_SECURITY_HIGH)
1994 chan = queue_peek_tail(att->chans);
1998 return bt_att_chan_set_security(chan, level);
2001 void bt_att_set_enc_key_size(struct bt_att *att, uint8_t enc_size)
2006 att->enc_size = enc_size;
2009 static bool sign_set_key(struct sign_info **sign, uint8_t key[16],
2010 bt_att_counter_func_t func, void *user_data)
2013 *sign = new0(struct sign_info, 1);
2015 (*sign)->counter = func;
2016 (*sign)->user_data = user_data;
2017 memcpy((*sign)->key, key, 16);
2022 bool bt_att_set_local_key(struct bt_att *att, uint8_t sign_key[16],
2023 bt_att_counter_func_t func, void *user_data)
2028 return sign_set_key(&att->local_sign, sign_key, func, user_data);
2031 bool bt_att_set_remote_key(struct bt_att *att, uint8_t sign_key[16],
2032 bt_att_counter_func_t func, void *user_data)
2037 return sign_set_key(&att->remote_sign, sign_key, func, user_data);
2040 bool bt_att_has_crypto(struct bt_att *att)
2045 return att->crypto ? true : false;
2048 #ifdef TIZEN_FEATURE_BLUEZ_MODIFY
2049 bool bt_att_set_remote_addr(struct bt_att *att,
2050 const bdaddr_t *bdaddr, uint8_t bdaddr_type)
2055 bacpy(&att->bdaddr, bdaddr);
2056 att->bdaddr_type = bdaddr_type;
2061 bool bt_att_get_remote_addr(struct bt_att *att,
2062 bdaddr_t *bdaddr, uint8_t *bdaddr_type)
2067 if (!bacmp(&att->bdaddr, BDADDR_ANY))
2070 bacpy(bdaddr, &att->bdaddr);
2071 *bdaddr_type = att->bdaddr_type;
2076 bool bt_att_set_svc_changed_indication_registered(struct bt_att *att, bool value)
2081 att->service_change_indication = value;
2086 bool bt_att_get_svc_changed_indication_registered(struct bt_att *att)
2091 return att->service_change_indication;