blob: 9c9173c03da7b33757cc771ea8098b427552b649 [file] [log] [blame]
// Copyright 2017 The Fuchsia Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "bearer.h"
#include <lib/async/default.h>
#include "src/connectivity/bluetooth/core/bt-host/common/log.h"
#include "src/connectivity/bluetooth/core/bt-host/common/slab_allocator.h"
#include "src/connectivity/bluetooth/core/bt-host/l2cap/channel.h"
#include "src/lib/fxl/strings/string_printf.h"
namespace bt::att {
// static
namespace {
// Returns the security level that is required to resolve the given ATT error
// code and the current security properties of the link, according to the table
// in v5.0, Vol 3, Part C, 10.3.2 (table 10.2). A security upgrade is not
// required if the returned value equals sm::SecurityLevel::kNoSecurity.
// TODO(armansito): Supporting requesting Secure Connections in addition to the
// encrypted/MITM dimensions.
sm::SecurityLevel CheckSecurity(ErrorCode ecode, const sm::SecurityProperties& security) {
bool encrypted = (security.level() != sm::SecurityLevel::kNoSecurity);
switch (ecode) {
// "Insufficient Encryption" error code is specified for cases when the peer
// is paired (i.e. a LTK or STK exists for it) but the link is not
// encrypted. We treat this as equivalent to "Insufficient Authentication"
// sent on an unencrypted link.
case ErrorCode::kInsufficientEncryption:
encrypted = false;
[[fallthrough]];
// We achieve authorization by pairing which requires a confirmation from
// the host's pairing delegate.
// TODO(armansito): Allow for this to be satisfied with a simple user
// confirmation if we're not paired?
case ErrorCode::kInsufficientAuthorization:
case ErrorCode::kInsufficientAuthentication:
// If the link is already authenticated we cannot request a further
// upgrade.
// TODO(armansito): Take into account "secure connections" once it's
// supported.
if (security.authenticated()) {
return sm::SecurityLevel::kNoSecurity;
}
return encrypted ? sm::SecurityLevel::kAuthenticated : sm::SecurityLevel::kEncrypted;
// Our SMP implementation always claims to support the maximum encryption
// key size. If the key size is too small then the peer must support a
// smaller size and we cannot upgrade the key.
case ErrorCode::kInsufficientEncryptionKeySize:
break;
default:
break;
}
return sm::SecurityLevel::kNoSecurity;
}
MethodType GetMethodType(OpCode opcode) {
// We treat all packets as a command if the command bit was set. An
// unrecognized command will always be ignored (so it is OK to return kCommand
// here if, for example, |opcode| is a response with the command-bit set).
if (opcode & kCommandFlag)
return MethodType::kCommand;
switch (opcode) {
case kInvalidOpCode:
return MethodType::kInvalid;
case kExchangeMTURequest:
case kFindInformationRequest:
case kFindByTypeValueRequest:
case kReadByTypeRequest:
case kReadRequest:
case kReadBlobRequest:
case kReadMultipleRequest:
case kReadByGroupTypeRequest:
case kWriteRequest:
case kPrepareWriteRequest:
case kExecuteWriteRequest:
return MethodType::kRequest;
case kErrorResponse:
case kExchangeMTUResponse:
case kFindInformationResponse:
case kFindByTypeValueResponse:
case kReadByTypeResponse:
case kReadResponse:
case kReadBlobResponse:
case kReadMultipleResponse:
case kReadByGroupTypeResponse:
case kWriteResponse:
case kPrepareWriteResponse:
case kExecuteWriteResponse:
return MethodType::kResponse;
case kNotification:
return MethodType::kNotification;
case kIndication:
return MethodType::kIndication;
case kConfirmation:
return MethodType::kConfirmation;
// These are redundant with the check above but are included for
// completeness.
case kWriteCommand:
case kSignedWriteCommand:
return MethodType::kCommand;
default:
break;
}
// Everything else will be treated as an incoming request.
return MethodType::kRequest;
}
// Returns the corresponding originating transaction opcode for
// |transaction_end_code|, where the latter must correspond to a response or
// confirmation.
OpCode MatchingTransactionCode(OpCode transaction_end_code) {
switch (transaction_end_code) {
case kExchangeMTUResponse:
return kExchangeMTURequest;
case kFindInformationResponse:
return kFindInformationRequest;
case kFindByTypeValueResponse:
return kFindByTypeValueRequest;
case kReadByTypeResponse:
return kReadByTypeRequest;
case kReadResponse:
return kReadRequest;
case kReadBlobResponse:
return kReadBlobRequest;
case kReadMultipleResponse:
return kReadMultipleRequest;
case kReadByGroupTypeResponse:
return kReadByGroupTypeRequest;
case kWriteResponse:
return kWriteRequest;
case kPrepareWriteResponse:
return kPrepareWriteRequest;
case kExecuteWriteResponse:
return kExecuteWriteRequest;
case kConfirmation:
return kIndication;
default:
break;
}
return kInvalidOpCode;
}
} // namespace
// static
fxl::RefPtr<Bearer> Bearer::Create(fbl::RefPtr<l2cap::Channel> chan) {
auto bearer = fxl::AdoptRef(new Bearer(std::move(chan)));
return bearer->Activate() ? bearer : nullptr;
}
Bearer::PendingTransaction::PendingTransaction(OpCode opcode, TransactionCallback callback,
ErrorCallback error_callback, ByteBufferPtr pdu)
: opcode(opcode),
callback(std::move(callback)),
error_callback(std::move(error_callback)),
pdu(std::move(pdu)),
security_retry_level(sm::SecurityLevel::kNoSecurity) {
ZX_DEBUG_ASSERT(this->callback);
ZX_DEBUG_ASSERT(this->error_callback);
ZX_DEBUG_ASSERT(this->pdu);
}
Bearer::PendingRemoteTransaction::PendingRemoteTransaction(TransactionId id, OpCode opcode)
: id(id), opcode(opcode) {}
Bearer::TransactionQueue::TransactionQueue(TransactionQueue&& other)
: queue_(std::move(other.queue_)), current_(std::move(other.current_)) {
// The move constructor is only used during shut down below. So we simply
// cancel the task and not worry about moving it.
other.timeout_task_.Cancel();
}
Bearer::PendingTransactionPtr Bearer::TransactionQueue::ClearCurrent() {
ZX_DEBUG_ASSERT(current_);
ZX_DEBUG_ASSERT(timeout_task_.is_pending());
timeout_task_.Cancel();
return std::move(current_);
}
void Bearer::TransactionQueue::Enqueue(PendingTransactionPtr transaction) {
queue_.push_back(std::move(transaction));
}
void Bearer::TransactionQueue::TrySendNext(l2cap::Channel* chan, async::Task::Handler timeout_cb,
zx::duration timeout) {
ZX_DEBUG_ASSERT(chan);
// Abort if a transaction is currently pending.
if (current())
return;
// Advance to the next transaction.
current_ = queue_.pop_front();
while (current()) {
ZX_DEBUG_ASSERT(!timeout_task_.is_pending());
ZX_DEBUG_ASSERT(current()->pdu);
// We copy the PDU payload in case it needs to be retried following a
// security upgrade.
auto pdu = NewSlabBuffer(current()->pdu->size());
if (pdu) {
current()->pdu->Copy(pdu.get());
timeout_task_.set_handler(std::move(timeout_cb));
timeout_task_.PostDelayed(async_get_default_dispatcher(), timeout);
chan->Send(std::move(pdu));
break;
}
bt_log(TRACE, "att", "Failed to start transaction: out of memory!");
auto t = std::move(current_);
t->error_callback(Status(HostError::kOutOfMemory), kInvalidHandle);
// Process the next command until we can send OR we have drained the queue.
current_ = queue_.pop_front();
}
}
void Bearer::TransactionQueue::Reset() {
timeout_task_.Cancel();
queue_.clear();
current_ = nullptr;
}
void Bearer::TransactionQueue::InvokeErrorAll(Status status) {
if (current_) {
current_->error_callback(status, kInvalidHandle);
}
for (const auto& t : queue_) {
if (t.error_callback)
t.error_callback(status, kInvalidHandle);
}
}
Bearer::Bearer(fbl::RefPtr<l2cap::Channel> chan)
: chan_(std::move(chan)),
next_remote_transaction_id_(1u),
next_handler_id_(1u),
weak_ptr_factory_(this) {
ZX_DEBUG_ASSERT(chan_);
if (chan_->link_type() == hci::Connection::LinkType::kLE) {
min_mtu_ = kLEMinMTU;
} else {
min_mtu_ = kBREDRMinMTU;
}
mtu_ = min_mtu();
// TODO (fxbug.dev/1447): Dynamically configure preferred MTU value.
preferred_mtu_ = kLEMaxMTU;
}
Bearer::~Bearer() {
ZX_DEBUG_ASSERT(thread_checker_.is_thread_valid());
rx_task_.Cancel();
chan_ = nullptr;
request_queue_.Reset();
indication_queue_.Reset();
}
bool Bearer::Activate() {
ZX_DEBUG_ASSERT(thread_checker_.is_thread_valid());
rx_task_.Reset(fit::bind_member(this, &Bearer::OnRxBFrame));
chan_closed_cb_.Reset(fit::bind_member(this, &Bearer::OnChannelClosed));
return chan_->Activate(rx_task_.callback(), chan_closed_cb_.callback());
}
void Bearer::ShutDown() {
if (is_open())
ShutDownInternal(false /* due_to_timeout */);
}
void Bearer::ShutDownInternal(bool due_to_timeout) {
ZX_DEBUG_ASSERT(is_open());
ZX_DEBUG_ASSERT(thread_checker_.is_thread_valid());
bt_log(DEBUG, "att", "bearer shutting down");
rx_task_.Cancel();
chan_closed_cb_.Cancel();
// This will have no effect if the channel is already closed (e.g. if
// ShutDown() was called by OnChannelClosed()).
chan_->SignalLinkError();
chan_ = nullptr;
// Move the contents to temporaries. This prevents a potential memory
// corruption in InvokeErrorAll if the Bearer gets deleted by one of the
// invoked error callbacks.
TransactionQueue req_queue(std::move(request_queue_));
TransactionQueue ind_queue(std::move(indication_queue_));
if (closed_cb_)
closed_cb_();
// Terminate all remaining procedures with an error. This is safe even if
// the bearer got deleted by |closed_cb_|.
Status status(due_to_timeout ? HostError::kTimedOut : HostError::kFailed);
req_queue.InvokeErrorAll(status);
ind_queue.InvokeErrorAll(status);
}
bool Bearer::StartTransaction(ByteBufferPtr pdu, TransactionCallback callback,
ErrorCallback error_callback) {
ZX_DEBUG_ASSERT(pdu);
ZX_DEBUG_ASSERT(callback);
ZX_DEBUG_ASSERT(error_callback);
return SendInternal(std::move(pdu), std::move(callback), std::move(error_callback));
}
bool Bearer::SendWithoutResponse(ByteBufferPtr pdu) {
ZX_DEBUG_ASSERT(pdu);
return SendInternal(std::move(pdu), {}, {});
}
bool Bearer::SendInternal(ByteBufferPtr pdu, TransactionCallback callback,
ErrorCallback error_callback) {
ZX_DEBUG_ASSERT(thread_checker_.is_thread_valid());
if (!is_open()) {
bt_log(TRACE, "att", "bearer closed; cannot send packet");
return false;
}
if (!IsPacketValid(*pdu)) {
bt_log(DEBUG, "att", "packet has bad length!");
return false;
}
PacketReader reader(pdu.get());
MethodType type = GetMethodType(reader.opcode());
TransactionQueue* tq = nullptr;
switch (type) {
case MethodType::kCommand:
case MethodType::kNotification:
if (callback || error_callback) {
bt_log(DEBUG, "att", "method not a transaction!");
return false;
}
// Send the command. No flow control is necessary.
chan_->Send(std::move(pdu));
return true;
case MethodType::kRequest:
tq = &request_queue_;
break;
case MethodType::kIndication:
tq = &indication_queue_;
break;
default:
bt_log(DEBUG, "att", "invalid opcode: %#.2x", reader.opcode());
return false;
}
if (!callback || !error_callback) {
bt_log(DEBUG, "att", "transaction requires callbacks!");
return false;
}
tq->Enqueue(std::make_unique<PendingTransaction>(reader.opcode(), std::move(callback),
std::move(error_callback), std::move(pdu)));
TryStartNextTransaction(tq);
return true;
}
Bearer::HandlerId Bearer::RegisterHandler(OpCode opcode, Handler handler) {
ZX_DEBUG_ASSERT(handler);
if (!is_open())
return kInvalidHandlerId;
if (handlers_.find(opcode) != handlers_.end()) {
bt_log(DEBUG, "att", "can only register one handler per opcode (%#.2x)", opcode);
return kInvalidHandlerId;
}
HandlerId id = NextHandlerId();
if (id == kInvalidHandlerId)
return kInvalidHandlerId;
auto res = handler_id_map_.emplace(id, opcode);
ZX_ASSERT_MSG(res.second, "handler ID got reused (id: %zu)", id);
handlers_[opcode] = std::move(handler);
return id;
}
void Bearer::UnregisterHandler(HandlerId id) {
ZX_DEBUG_ASSERT(thread_checker_.is_thread_valid());
ZX_DEBUG_ASSERT(id != kInvalidHandlerId);
auto iter = handler_id_map_.find(id);
if (iter == handler_id_map_.end()) {
bt_log(DEBUG, "att", "cannot unregister unknown handler id: %zu", id);
return;
}
OpCode opcode = iter->second;
handlers_.erase(opcode);
}
bool Bearer::Reply(TransactionId tid, ByteBufferPtr pdu) {
ZX_DEBUG_ASSERT(thread_checker_.is_thread_valid());
ZX_DEBUG_ASSERT(pdu);
if (tid == kInvalidTransactionId)
return false;
if (!is_open()) {
bt_log(TRACE, "att", "bearer closed; cannot reply");
return false;
}
if (!IsPacketValid(*pdu)) {
bt_log(DEBUG, "att", "invalid response PDU");
return false;
}
RemoteTransaction* pending = FindRemoteTransaction(tid);
if (!pending)
return false;
PacketReader reader(pdu.get());
// Use ReplyWithError() instead.
if (reader.opcode() == kErrorResponse)
return false;
OpCode pending_opcode = (*pending)->opcode;
if (pending_opcode != MatchingTransactionCode(reader.opcode())) {
bt_log(DEBUG, "att", "opcodes do not match (pending: %#.2x, given: %#.2x)", pending_opcode,
reader.opcode());
return false;
}
pending->reset();
chan_->Send(std::move(pdu));
return true;
}
bool Bearer::ReplyWithError(TransactionId id, Handle handle, ErrorCode error_code) {
ZX_DEBUG_ASSERT(thread_checker_.is_thread_valid());
RemoteTransaction* pending = FindRemoteTransaction(id);
if (!pending)
return false;
OpCode pending_opcode = (*pending)->opcode;
if (pending_opcode == kIndication) {
bt_log(DEBUG, "att", "cannot respond to an indication with error!");
return false;
}
pending->reset();
SendErrorResponse(pending_opcode, handle, error_code);
return true;
}
bool Bearer::IsPacketValid(const ByteBuffer& packet) {
return packet.size() != 0u && packet.size() <= mtu_;
}
void Bearer::TryStartNextTransaction(TransactionQueue* tq) {
ZX_DEBUG_ASSERT(tq);
if (!is_open()) {
bt_log(TRACE, "att", "Cannot process transactions; bearer is closed");
return;
}
tq->TrySendNext(
chan_.get(),
[this](async_dispatcher_t* /*unused*/, async::Task* /*unused*/, zx_status_t status) {
if (status == ZX_OK)
ShutDownInternal(true /* due_to_timeout */);
},
kTransactionTimeout);
}
void Bearer::SendErrorResponse(OpCode request_opcode, Handle attribute_handle,
ErrorCode error_code) {
ZX_DEBUG_ASSERT(thread_checker_.is_thread_valid());
auto buffer = NewSlabBuffer(sizeof(Header) + sizeof(ErrorResponseParams));
ZX_ASSERT(buffer);
PacketWriter packet(kErrorResponse, buffer.get());
auto* payload = packet.mutable_payload<ErrorResponseParams>();
payload->request_opcode = request_opcode;
payload->attribute_handle = htole16(attribute_handle);
payload->error_code = error_code;
chan_->Send(std::move(buffer));
}
void Bearer::HandleEndTransaction(TransactionQueue* tq, const PacketReader& packet) {
ZX_DEBUG_ASSERT(thread_checker_.is_thread_valid());
ZX_DEBUG_ASSERT(is_open());
ZX_DEBUG_ASSERT(tq);
if (!tq->current()) {
bt_log(DEBUG, "att", "received unexpected transaction PDU (opcode: %#.2x)", packet.opcode());
ShutDown();
return;
}
bool report_error = false;
OpCode target_opcode;
ErrorCode error_code = ErrorCode::kNoError;
Handle attr_in_error = kInvalidHandle;
if (packet.opcode() == kErrorResponse) {
// We should never hit this branch for indications.
ZX_DEBUG_ASSERT(tq->current()->opcode != kIndication);
if (packet.payload_size() == sizeof(ErrorResponseParams)) {
report_error = true;
const auto& payload = packet.payload<ErrorResponseParams>();
target_opcode = payload.request_opcode;
error_code = payload.error_code;
attr_in_error = le16toh(payload.attribute_handle);
} else {
bt_log(DEBUG, "att", "received malformed error response");
// Invalid opcode will fail the opcode comparison below.
target_opcode = kInvalidOpCode;
}
} else {
target_opcode = MatchingTransactionCode(packet.opcode());
}
ZX_DEBUG_ASSERT(tq->current()->opcode != kInvalidOpCode);
if (tq->current()->opcode != target_opcode) {
bt_log(DEBUG, "att", "received bad transaction PDU (opcode: %#.2x)", packet.opcode());
ShutDown();
return;
}
// The transaction is complete.
auto transaction = tq->ClearCurrent();
ZX_DEBUG_ASSERT(transaction);
sm::SecurityLevel security_requirement = CheckSecurity(error_code, chan_->security());
if (transaction->security_retry_level >= security_requirement ||
security_requirement <= chan_->security().level()) {
// Resolve the transaction.
if (!report_error) {
transaction->callback(packet);
} else if (transaction->error_callback) {
transaction->error_callback(Status(error_code), attr_in_error);
}
// Send out the next queued transaction
TryStartNextTransaction(tq);
return;
}
bt_log(TRACE, "att",
"Received security error for transaction %#.2hhx; requesting upgrade "
"to level: %s",
error_code, sm::LevelToString(security_requirement));
chan_->UpgradeSecurity(
security_requirement,
[self = weak_ptr_factory_.GetWeakPtr(), error_code, attr_in_error, security_requirement,
t = std::move(transaction)](sm::Status status) mutable {
// If the security upgrade failed or the bearer got destroyed, then
// resolve the transaction with the original error.
if (!self || !status) {
t->error_callback(Status(error_code), attr_in_error);
return;
}
ZX_DEBUG_ASSERT(self->thread_checker_.is_thread_valid());
// TODO(armansito): Notify the upper layer to re-initiate service
// discovery and other necessary procedures (see Vol 3, Part C,
// 10.3.2).
// Re-send the request as described in Vol 3, Part G, 8.1. Since |t| was
// originally resolved with an Error Response, it must have come out of
// |request_queue_|.
ZX_DEBUG_ASSERT(GetMethodType(t->opcode) == MethodType::kRequest);
t->security_retry_level = security_requirement;
self->request_queue_.Enqueue(std::move(t));
self->TryStartNextTransaction(&self->request_queue_);
},
async_get_default_dispatcher());
// Move on to the next queued transaction.
TryStartNextTransaction(tq);
}
Bearer::HandlerId Bearer::NextHandlerId() {
auto id = next_handler_id_;
// This will stop incrementing if this were overflows and always return
// kInvalidHandlerId.
if (next_handler_id_ != kInvalidHandlerId)
next_handler_id_++;
return id;
}
Bearer::TransactionId Bearer::NextRemoteTransactionId() {
auto id = next_remote_transaction_id_;
next_remote_transaction_id_++;
// Increment extra in the case of overflow.
if (next_remote_transaction_id_ == kInvalidTransactionId)
next_remote_transaction_id_++;
return id;
}
void Bearer::HandleBeginTransaction(RemoteTransaction* currently_pending,
const PacketReader& packet) {
ZX_DEBUG_ASSERT(thread_checker_.is_thread_valid());
ZX_DEBUG_ASSERT(currently_pending);
if (currently_pending->has_value()) {
bt_log(DEBUG, "att", "A transaction is already pending! (opcode: %#.2x)", packet.opcode());
ShutDown();
return;
}
auto iter = handlers_.find(packet.opcode());
if (iter == handlers_.end()) {
bt_log(DEBUG, "att", "no handler registered for opcode %#.2x", packet.opcode());
SendErrorResponse(packet.opcode(), 0, ErrorCode::kRequestNotSupported);
return;
}
auto id = NextRemoteTransactionId();
*currently_pending = PendingRemoteTransaction(id, packet.opcode());
iter->second(id, packet);
}
Bearer::RemoteTransaction* Bearer::FindRemoteTransaction(TransactionId id) {
ZX_DEBUG_ASSERT(thread_checker_.is_thread_valid());
if (remote_request_ && remote_request_->id == id) {
return &remote_request_;
}
if (remote_indication_ && remote_indication_->id == id) {
return &remote_indication_;
}
bt_log(DEBUG, "att", "id %zu does not match any transaction", id);
return nullptr;
}
void Bearer::HandlePDUWithoutResponse(const PacketReader& packet) {
ZX_DEBUG_ASSERT(thread_checker_.is_thread_valid());
auto iter = handlers_.find(packet.opcode());
if (iter == handlers_.end()) {
bt_log(DEBUG, "att", "dropping unhandled packet (opcode: %#.2x)", packet.opcode());
return;
}
iter->second(kInvalidTransactionId, packet);
}
void Bearer::OnChannelClosed() {
ZX_DEBUG_ASSERT(thread_checker_.is_thread_valid());
// This will deactivate the channel and notify |closed_cb_|.
ShutDown();
}
void Bearer::OnRxBFrame(ByteBufferPtr sdu) {
ZX_DEBUG_ASSERT(sdu);
ZX_DEBUG_ASSERT(is_open());
ZX_DEBUG_ASSERT(thread_checker_.is_thread_valid());
uint16_t length = sdu->size();
TRACE_DURATION("bluetooth", "att::Bearer::OnRxBFrame", "length", length);
// An ATT PDU should at least contain the opcode.
if (length < sizeof(OpCode)) {
bt_log(DEBUG, "att", "PDU too short!");
ShutDown();
return;
}
if (length > mtu_) {
bt_log(DEBUG, "att", "PDU exceeds MTU!");
ShutDown();
return;
}
PacketReader packet(sdu.get());
switch (GetMethodType(packet.opcode())) {
case MethodType::kResponse:
HandleEndTransaction(&request_queue_, packet);
break;
case MethodType::kConfirmation:
HandleEndTransaction(&indication_queue_, packet);
break;
case MethodType::kRequest:
HandleBeginTransaction(&remote_request_, packet);
break;
case MethodType::kIndication:
HandleBeginTransaction(&remote_indication_, packet);
break;
case MethodType::kNotification:
case MethodType::kCommand:
HandlePDUWithoutResponse(packet);
break;
default:
bt_log(DEBUG, "att", "Unsupported opcode: %#.2x", packet.opcode());
SendErrorResponse(packet.opcode(), 0, ErrorCode::kRequestNotSupported);
break;
}
}
} // namespace bt::att