| /* att.c - Attribute protocol handling */ |
| |
| /* |
| * Copyright (c) 2015-2016 Intel Corporation |
| * |
| * SPDX-License-Identifier: Apache-2.0 |
| */ |
| |
| #include <zephyr.h> |
| #include <string.h> |
| #include <errno.h> |
| #include <stdbool.h> |
| #include <atomic.h> |
| #include <misc/byteorder.h> |
| #include <misc/util.h> |
| |
| #define BT_DBG_ENABLED IS_ENABLED(CONFIG_BLUETOOTH_DEBUG_ATT) |
| #include <bluetooth/log.h> |
| #include <bluetooth/hci.h> |
| #include <bluetooth/bluetooth.h> |
| #include <bluetooth/uuid.h> |
| #include <bluetooth/gatt.h> |
| #include <bluetooth/hci_driver.h> |
| |
| #include "hci_core.h" |
| #include "conn_internal.h" |
| #include "l2cap_internal.h" |
| #include "smp.h" |
| #include "att_internal.h" |
| #include "gatt_internal.h" |
| |
| #define ATT_CHAN(_ch) CONTAINER_OF(_ch, struct bt_att, chan.chan) |
| #define ATT_REQ(_node) CONTAINER_OF(_node, struct bt_att_req, node) |
| |
| #define BT_GATT_PERM_READ_MASK (BT_GATT_PERM_READ | \ |
| BT_GATT_PERM_READ_ENCRYPT | \ |
| BT_GATT_PERM_READ_AUTHEN) |
| #define BT_GATT_PERM_WRITE_MASK (BT_GATT_PERM_WRITE | \ |
| BT_GATT_PERM_WRITE_ENCRYPT | \ |
| BT_GATT_PERM_WRITE_AUTHEN) |
| #define BT_GATT_PERM_ENCRYPT_MASK (BT_GATT_PERM_READ_ENCRYPT | \ |
| BT_GATT_PERM_WRITE_ENCRYPT) |
| #define BT_GATT_PERM_AUTHEN_MASK (BT_GATT_PERM_READ_AUTHEN | \ |
| BT_GATT_PERM_WRITE_AUTHEN) |
| #define BT_ATT_OP_CMD_FLAG 0x40 |
| |
| #define ATT_TIMEOUT K_SECONDS(30) |
| |
| #if CONFIG_BLUETOOTH_ATT_PREPARE_COUNT > 0 |
| struct bt_attr_data { |
| uint16_t handle; |
| uint16_t offset; |
| }; |
| |
| /* Pool for incoming ATT packets */ |
| NET_BUF_POOL_DEFINE(prep_pool, CONFIG_BLUETOOTH_ATT_PREPARE_COUNT, BT_ATT_MTU, |
| sizeof(struct bt_attr_data), NULL); |
| #endif /* CONFIG_BLUETOOTH_ATT_PREPARE_COUNT */ |
| |
| /* ATT channel specific context */ |
| struct bt_att { |
| /* The channel this context is associated with */ |
| struct bt_l2cap_le_chan chan; |
| struct bt_att_req *req; |
| sys_slist_t reqs; |
| struct k_delayed_work timeout_work; |
| #if CONFIG_BLUETOOTH_ATT_PREPARE_COUNT > 0 |
| struct k_fifo prep_queue; |
| #endif |
| }; |
| |
| static struct bt_att bt_req_pool[CONFIG_BLUETOOTH_MAX_CONN]; |
| |
| static void att_req_destroy(struct bt_att_req *req) |
| { |
| if (req->buf) { |
| net_buf_unref(req->buf); |
| } |
| |
| if (req->destroy) { |
| req->destroy(req); |
| } |
| |
| memset(req, 0, sizeof(*req)); |
| } |
| |
| static void send_err_rsp(struct bt_conn *conn, uint8_t req, uint16_t handle, |
| uint8_t err) |
| { |
| struct bt_att_error_rsp *rsp; |
| struct net_buf *buf; |
| |
| /* Ignore opcode 0x00 */ |
| if (!req) { |
| return; |
| } |
| |
| buf = bt_att_create_pdu(conn, BT_ATT_OP_ERROR_RSP, sizeof(*rsp)); |
| if (!buf) { |
| return; |
| } |
| |
| rsp = net_buf_add(buf, sizeof(*rsp)); |
| rsp->request = req; |
| rsp->handle = sys_cpu_to_le16(handle); |
| rsp->error = err; |
| |
| bt_l2cap_send(conn, BT_L2CAP_CID_ATT, buf); |
| } |
| |
| static uint8_t att_mtu_req(struct bt_att *att, struct net_buf *buf) |
| { |
| struct bt_conn *conn = att->chan.chan.conn; |
| struct bt_att_exchange_mtu_req *req; |
| struct bt_att_exchange_mtu_rsp *rsp; |
| struct net_buf *pdu; |
| uint16_t mtu_client, mtu_server; |
| |
| req = (void *)buf->data; |
| |
| mtu_client = sys_le16_to_cpu(req->mtu); |
| |
| BT_DBG("Client MTU %u", mtu_client); |
| |
| /* Check if MTU is valid */ |
| if (mtu_client < BT_ATT_DEFAULT_LE_MTU) { |
| return BT_ATT_ERR_INVALID_PDU; |
| } |
| |
| pdu = bt_att_create_pdu(conn, BT_ATT_OP_MTU_RSP, sizeof(*rsp)); |
| if (!pdu) { |
| return BT_ATT_ERR_UNLIKELY; |
| } |
| |
| mtu_server = BT_ATT_MTU; |
| |
| BT_DBG("Server MTU %u", mtu_server); |
| |
| rsp = net_buf_add(pdu, sizeof(*rsp)); |
| rsp->mtu = sys_cpu_to_le16(mtu_server); |
| |
| bt_l2cap_send(conn, BT_L2CAP_CID_ATT, pdu); |
| |
| /* BLUETOOTH SPECIFICATION Version 4.2 [Vol 3, Part F] page 484: |
| * |
| * A device's Exchange MTU Request shall contain the same MTU as the |
| * device's Exchange MTU Response (i.e. the MTU shall be symmetric). |
| */ |
| att->chan.rx.mtu = min(mtu_client, mtu_server); |
| att->chan.tx.mtu = att->chan.rx.mtu; |
| |
| BT_DBG("Negotiated MTU %u", att->chan.rx.mtu); |
| return 0; |
| } |
| |
| static int att_send_req(struct bt_att *att, struct bt_att_req *req) |
| { |
| BT_DBG("req %p", req); |
| |
| att->req = req; |
| |
| /* Save request state so it can be resent */ |
| net_buf_simple_save(&req->buf->b, &req->state); |
| |
| /* Start timeout work */ |
| k_delayed_work_submit(&att->timeout_work, ATT_TIMEOUT); |
| |
| /* Keep a reference for resending in case of an error */ |
| bt_l2cap_send(att->chan.chan.conn, BT_L2CAP_CID_ATT, |
| net_buf_ref(req->buf)); |
| |
| return 0; |
| } |
| |
| static void att_process(struct bt_att *att) |
| { |
| sys_snode_t *node; |
| |
| BT_DBG(""); |
| |
| /* Pull next request from the list */ |
| node = sys_slist_get(&att->reqs); |
| if (!node) { |
| return; |
| } |
| |
| att_send_req(att, ATT_REQ(node)); |
| } |
| |
| static uint8_t att_handle_rsp(struct bt_att *att, void *pdu, uint16_t len, |
| uint8_t err) |
| { |
| bt_att_func_t func; |
| |
| if (!att->req) { |
| goto process; |
| } |
| |
| /* Cancel timeout if ongoing */ |
| k_delayed_work_cancel(&att->timeout_work); |
| |
| /* Release original buffer */ |
| if (att->req->buf) { |
| net_buf_unref(att->req->buf); |
| att->req->buf = NULL; |
| } |
| |
| /* Reset func so it can be reused by the callback */ |
| func = att->req->func; |
| att->req->func = NULL; |
| |
| func(att->chan.chan.conn, err, pdu, len, att->req); |
| |
| /* Don't destroy if callback had reused the request */ |
| if (!att->req->func) { |
| att_req_destroy(att->req); |
| } |
| |
| att->req = NULL; |
| |
| process: |
| /* Process pending requests */ |
| att_process(att); |
| |
| return 0; |
| } |
| |
| static uint8_t att_mtu_rsp(struct bt_att *att, struct net_buf *buf) |
| { |
| struct bt_att_exchange_mtu_rsp *rsp; |
| uint16_t mtu; |
| |
| if (!att) { |
| return 0; |
| } |
| |
| rsp = (void *)buf->data; |
| |
| mtu = sys_le16_to_cpu(rsp->mtu); |
| |
| BT_DBG("Server MTU %u", mtu); |
| |
| /* Check if MTU is valid */ |
| if (mtu < BT_ATT_DEFAULT_LE_MTU) { |
| return att_handle_rsp(att, NULL, 0, BT_ATT_ERR_INVALID_PDU); |
| } |
| |
| att->chan.rx.mtu = min(mtu, BT_ATT_MTU); |
| |
| /* BLUETOOTH SPECIFICATION Version 4.2 [Vol 3, Part F] page 484: |
| * |
| * A device's Exchange MTU Request shall contain the same MTU as the |
| * device's Exchange MTU Response (i.e. the MTU shall be symmetric). |
| */ |
| att->chan.tx.mtu = att->chan.rx.mtu; |
| |
| BT_DBG("Negotiated MTU %u", att->chan.rx.mtu); |
| |
| return att_handle_rsp(att, rsp, buf->len, 0); |
| } |
| |
| static bool range_is_valid(uint16_t start, uint16_t end, uint16_t *err) |
| { |
| /* Handle 0 is invalid */ |
| if (!start || !end) { |
| if (err) { |
| *err = 0; |
| } |
| return false; |
| } |
| |
| /* Check if range is valid */ |
| if (start > end) { |
| if (err) { |
| *err = start; |
| } |
| return false; |
| } |
| |
| return true; |
| } |
| |
| struct find_info_data { |
| struct bt_att *att; |
| struct net_buf *buf; |
| struct bt_att_find_info_rsp *rsp; |
| union { |
| struct bt_att_info_16 *info16; |
| struct bt_att_info_128 *info128; |
| }; |
| }; |
| |
| static uint8_t find_info_cb(const struct bt_gatt_attr *attr, void *user_data) |
| { |
| struct find_info_data *data = user_data; |
| struct bt_att *att = data->att; |
| |
| BT_DBG("handle 0x%04x", attr->handle); |
| |
| /* Initialize rsp at first entry */ |
| if (!data->rsp) { |
| data->rsp = net_buf_add(data->buf, sizeof(*data->rsp)); |
| data->rsp->format = (attr->uuid->type == BT_UUID_TYPE_16) ? |
| BT_ATT_INFO_16 : BT_ATT_INFO_128; |
| } |
| |
| switch (data->rsp->format) { |
| case BT_ATT_INFO_16: |
| if (attr->uuid->type != BT_UUID_TYPE_16) { |
| return BT_GATT_ITER_STOP; |
| } |
| |
| /* Fast foward to next item position */ |
| data->info16 = net_buf_add(data->buf, sizeof(*data->info16)); |
| data->info16->handle = sys_cpu_to_le16(attr->handle); |
| data->info16->uuid = sys_cpu_to_le16(BT_UUID_16(attr->uuid)->val); |
| |
| if (att->chan.tx.mtu - data->buf->len > |
| sizeof(*data->info16)) { |
| return BT_GATT_ITER_CONTINUE; |
| } |
| |
| break; |
| case BT_ATT_INFO_128: |
| if (attr->uuid->type != BT_UUID_TYPE_128) { |
| return BT_GATT_ITER_STOP; |
| } |
| |
| /* Fast foward to next item position */ |
| data->info128 = net_buf_add(data->buf, sizeof(*data->info128)); |
| data->info128->handle = sys_cpu_to_le16(attr->handle); |
| memcpy(data->info128->uuid, BT_UUID_128(attr->uuid)->val, |
| sizeof(data->info128->uuid)); |
| |
| if (att->chan.tx.mtu - data->buf->len > |
| sizeof(*data->info128)) { |
| return BT_GATT_ITER_CONTINUE; |
| } |
| } |
| |
| return BT_GATT_ITER_STOP; |
| } |
| |
| static uint8_t att_find_info_rsp(struct bt_att *att, uint16_t start_handle, |
| uint16_t end_handle) |
| { |
| struct bt_conn *conn = att->chan.chan.conn; |
| struct find_info_data data; |
| |
| memset(&data, 0, sizeof(data)); |
| |
| data.buf = bt_att_create_pdu(conn, BT_ATT_OP_FIND_INFO_RSP, 0); |
| if (!data.buf) { |
| return BT_ATT_ERR_UNLIKELY; |
| } |
| |
| data.att = att; |
| bt_gatt_foreach_attr(start_handle, end_handle, find_info_cb, &data); |
| |
| if (!data.rsp) { |
| net_buf_unref(data.buf); |
| /* Respond since handle is set */ |
| send_err_rsp(conn, BT_ATT_OP_FIND_INFO_REQ, start_handle, |
| BT_ATT_ERR_ATTRIBUTE_NOT_FOUND); |
| return 0; |
| } |
| |
| bt_l2cap_send(conn, BT_L2CAP_CID_ATT, data.buf); |
| |
| return 0; |
| } |
| |
| static uint8_t att_find_info_req(struct bt_att *att, struct net_buf *buf) |
| { |
| struct bt_conn *conn = att->chan.chan.conn; |
| struct bt_att_find_info_req *req; |
| uint16_t start_handle, end_handle, err_handle; |
| |
| req = (void *)buf->data; |
| |
| start_handle = sys_le16_to_cpu(req->start_handle); |
| end_handle = sys_le16_to_cpu(req->end_handle); |
| |
| BT_DBG("start_handle 0x%04x end_handle 0x%04x", start_handle, |
| end_handle); |
| |
| if (!range_is_valid(start_handle, end_handle, &err_handle)) { |
| send_err_rsp(conn, BT_ATT_OP_FIND_INFO_REQ, err_handle, |
| BT_ATT_ERR_INVALID_HANDLE); |
| return 0; |
| } |
| |
| return att_find_info_rsp(att, start_handle, end_handle); |
| } |
| |
| struct find_type_data { |
| struct bt_att *att; |
| struct net_buf *buf; |
| struct bt_att_handle_group *group; |
| const void *value; |
| uint8_t value_len; |
| uint8_t err; |
| }; |
| |
| static uint8_t find_type_cb(const struct bt_gatt_attr *attr, void *user_data) |
| { |
| struct find_type_data *data = user_data; |
| struct bt_att *att = data->att; |
| struct bt_conn *conn = att->chan.chan.conn; |
| int read; |
| uint8_t uuid[16]; |
| |
| /* Skip secondary services */ |
| if (!bt_uuid_cmp(attr->uuid, BT_UUID_GATT_SECONDARY)) { |
| data->group = NULL; |
| return BT_GATT_ITER_CONTINUE; |
| } |
| |
| /* Update group end_handle if not a primary service */ |
| if (bt_uuid_cmp(attr->uuid, BT_UUID_GATT_PRIMARY)) { |
| if (data->group && attr->handle > data->group->end_handle) { |
| data->group->end_handle = sys_cpu_to_le16(attr->handle); |
| } |
| return BT_GATT_ITER_CONTINUE; |
| } |
| |
| BT_DBG("handle 0x%04x", attr->handle); |
| |
| /* stop if there is no space left */ |
| if (att->chan.tx.mtu - data->buf->len < sizeof(*data->group)) { |
| return BT_GATT_ITER_STOP; |
| } |
| |
| /* Read attribute value and store in the buffer */ |
| read = attr->read(conn, attr, uuid, sizeof(uuid), 0); |
| if (read < 0) { |
| /* |
| * Since we don't know if it is the service with requested UUID, |
| * we cannot respond with an error to this request. |
| */ |
| data->group = NULL; |
| return BT_GATT_ITER_CONTINUE; |
| } |
| |
| /* Check if data matches */ |
| if (read != data->value_len || memcmp(data->value, uuid, read)) { |
| data->group = NULL; |
| return BT_GATT_ITER_CONTINUE; |
| } |
| |
| /* If service has been found, error should be cleared */ |
| data->err = 0x00; |
| |
| /* Fast foward to next item position */ |
| data->group = net_buf_add(data->buf, sizeof(*data->group)); |
| data->group->start_handle = sys_cpu_to_le16(attr->handle); |
| data->group->end_handle = sys_cpu_to_le16(attr->handle); |
| |
| /* continue to find the end_handle */ |
| return BT_GATT_ITER_CONTINUE; |
| } |
| |
| static uint8_t att_find_type_rsp(struct bt_att *att, uint16_t start_handle, |
| uint16_t end_handle, const void *value, |
| uint8_t value_len) |
| { |
| struct bt_conn *conn = att->chan.chan.conn; |
| struct find_type_data data; |
| |
| memset(&data, 0, sizeof(data)); |
| |
| data.buf = bt_att_create_pdu(conn, BT_ATT_OP_FIND_TYPE_RSP, 0); |
| if (!data.buf) { |
| return BT_ATT_ERR_UNLIKELY; |
| } |
| |
| data.att = att; |
| data.group = NULL; |
| data.value = value; |
| data.value_len = value_len; |
| |
| /* Pre-set error in case no service will be found */ |
| data.err = BT_ATT_ERR_ATTRIBUTE_NOT_FOUND; |
| |
| bt_gatt_foreach_attr(start_handle, end_handle, find_type_cb, &data); |
| |
| /* If error has not been cleared, no service has been found */ |
| if (data.err) { |
| net_buf_unref(data.buf); |
| /* Respond since handle is set */ |
| send_err_rsp(conn, BT_ATT_OP_FIND_TYPE_REQ, start_handle, |
| data.err); |
| return 0; |
| } |
| |
| bt_l2cap_send(conn, BT_L2CAP_CID_ATT, data.buf); |
| |
| return 0; |
| } |
| |
| static uint8_t att_find_type_req(struct bt_att *att, struct net_buf *buf) |
| { |
| struct bt_conn *conn = att->chan.chan.conn; |
| struct bt_att_find_type_req *req; |
| uint16_t start_handle, end_handle, err_handle, type; |
| uint8_t *value; |
| |
| req = (void *)buf->data; |
| |
| start_handle = sys_le16_to_cpu(req->start_handle); |
| end_handle = sys_le16_to_cpu(req->end_handle); |
| type = sys_le16_to_cpu(req->type); |
| value = net_buf_pull(buf, sizeof(*req)); |
| |
| BT_DBG("start_handle 0x%04x end_handle 0x%04x type %u", start_handle, |
| end_handle, type); |
| |
| if (!range_is_valid(start_handle, end_handle, &err_handle)) { |
| send_err_rsp(conn, BT_ATT_OP_FIND_TYPE_REQ, err_handle, |
| BT_ATT_ERR_INVALID_HANDLE); |
| return 0; |
| } |
| |
| /* The Attribute Protocol Find By Type Value Request shall be used with |
| * the Attribute Type parameter set to the UUID for "Primary Service" |
| * and the Attribute Value set to the 16-bit Bluetooth UUID or 128-bit |
| * UUID for the specific primary service. |
| */ |
| if (type != BT_UUID_GATT_PRIMARY_VAL) { |
| send_err_rsp(conn, BT_ATT_OP_FIND_TYPE_REQ, start_handle, |
| BT_ATT_ERR_ATTRIBUTE_NOT_FOUND); |
| return 0; |
| } |
| |
| return att_find_type_rsp(att, start_handle, end_handle, value, |
| buf->len); |
| } |
| |
| static bool uuid_create(struct bt_uuid *uuid, struct net_buf *buf) |
| { |
| switch (buf->len) { |
| case 2: |
| uuid->type = BT_UUID_TYPE_16; |
| BT_UUID_16(uuid)->val = net_buf_pull_le16(buf); |
| return true; |
| case 16: |
| uuid->type = BT_UUID_TYPE_128; |
| memcpy(BT_UUID_128(uuid)->val, buf->data, buf->len); |
| return true; |
| } |
| |
| return false; |
| } |
| |
| static uint8_t check_perm(struct bt_conn *conn, const struct bt_gatt_attr *attr, |
| uint8_t mask) |
| { |
| if ((mask & BT_GATT_PERM_READ) && |
| (!(attr->perm & BT_GATT_PERM_READ_MASK) || !attr->read)) { |
| return BT_ATT_ERR_READ_NOT_PERMITTED; |
| } |
| |
| if ((mask & BT_GATT_PERM_WRITE) && |
| (!(attr->perm & BT_GATT_PERM_WRITE_MASK) || !attr->write)) { |
| return BT_ATT_ERR_WRITE_NOT_PERMITTED; |
| } |
| |
| mask &= attr->perm; |
| if (mask & BT_GATT_PERM_AUTHEN_MASK) { |
| #if defined(CONFIG_BLUETOOTH_SMP) |
| if (conn->sec_level < BT_SECURITY_HIGH) { |
| return BT_ATT_ERR_AUTHENTICATION; |
| } |
| #else |
| return BT_ATT_ERR_AUTHENTICATION; |
| #endif /* CONFIG_BLUETOOTH_SMP */ |
| } |
| |
| if ((mask & BT_GATT_PERM_ENCRYPT_MASK)) { |
| #if defined(CONFIG_BLUETOOTH_SMP) |
| if (!conn->encrypt) { |
| return BT_ATT_ERR_INSUFFICIENT_ENCRYPTION; |
| } |
| #else |
| return BT_ATT_ERR_INSUFFICIENT_ENCRYPTION; |
| #endif /* CONFIG_BLUETOOTH_SMP */ |
| } |
| |
| return 0; |
| } |
| |
| static uint8_t err_to_att(int err) |
| { |
| BT_DBG("%d", err); |
| |
| if (err < 0 && err >= -0xff) { |
| return -err; |
| } |
| |
| return BT_ATT_ERR_UNLIKELY; |
| } |
| |
| struct read_type_data { |
| struct bt_att *att; |
| struct bt_uuid *uuid; |
| struct net_buf *buf; |
| struct bt_att_read_type_rsp *rsp; |
| struct bt_att_data *item; |
| uint8_t err; |
| }; |
| |
| static uint8_t read_type_cb(const struct bt_gatt_attr *attr, void *user_data) |
| { |
| struct read_type_data *data = user_data; |
| struct bt_att *att = data->att; |
| struct bt_conn *conn = att->chan.chan.conn; |
| int read; |
| |
| /* Skip if doesn't match */ |
| if (bt_uuid_cmp(attr->uuid, data->uuid)) { |
| return BT_GATT_ITER_CONTINUE; |
| } |
| |
| BT_DBG("handle 0x%04x", attr->handle); |
| |
| /* |
| * If an attribute in the set of requested attributes would cause an |
| * Error Response then this attribute cannot be included in a |
| * Read By Type Response and the attributes before this attribute |
| * shall be returned |
| * |
| * If the first attribute in the set of requested attributes would |
| * cause an Error Response then no other attributes in the requested |
| * attributes can be considered. |
| */ |
| data->err = check_perm(conn, attr, BT_GATT_PERM_READ_MASK); |
| if (data->err) { |
| if (data->rsp->len) { |
| data->err = 0x00; |
| } |
| return BT_GATT_ITER_STOP; |
| } |
| |
| /* |
| * If any attribute is founded in handle range it means that error |
| * should be changed from pre-set: attr not found error to no error. |
| */ |
| data->err = 0x00; |
| |
| /* Fast foward to next item position */ |
| data->item = net_buf_add(data->buf, sizeof(*data->item)); |
| data->item->handle = sys_cpu_to_le16(attr->handle); |
| |
| /* Read attribute value and store in the buffer */ |
| read = attr->read(conn, attr, data->buf->data + data->buf->len, |
| att->chan.tx.mtu - data->buf->len, 0); |
| if (read < 0) { |
| data->err = err_to_att(read); |
| return BT_GATT_ITER_STOP; |
| } |
| |
| if (!data->rsp->len) { |
| /* Set len to be the first item found */ |
| data->rsp->len = read + sizeof(*data->item); |
| } else if (data->rsp->len != read + sizeof(*data->item)) { |
| /* All items should have the same size */ |
| data->buf->len -= sizeof(*data->item); |
| return BT_GATT_ITER_STOP; |
| } |
| |
| net_buf_add(data->buf, read); |
| |
| /* return true only if there are still space for more items */ |
| return att->chan.tx.mtu - data->buf->len > data->rsp->len ? |
| BT_GATT_ITER_CONTINUE : BT_GATT_ITER_STOP; |
| } |
| |
| static uint8_t att_read_type_rsp(struct bt_att *att, struct bt_uuid *uuid, |
| uint16_t start_handle, uint16_t end_handle) |
| { |
| struct bt_conn *conn = att->chan.chan.conn; |
| struct read_type_data data; |
| |
| memset(&data, 0, sizeof(data)); |
| |
| data.buf = bt_att_create_pdu(conn, BT_ATT_OP_READ_TYPE_RSP, |
| sizeof(*data.rsp)); |
| if (!data.buf) { |
| return BT_ATT_ERR_UNLIKELY; |
| } |
| |
| data.att = att; |
| data.uuid = uuid; |
| data.rsp = net_buf_add(data.buf, sizeof(*data.rsp)); |
| data.rsp->len = 0; |
| |
| /* Pre-set error if no attr will be found in handle */ |
| data.err = BT_ATT_ERR_ATTRIBUTE_NOT_FOUND; |
| |
| bt_gatt_foreach_attr(start_handle, end_handle, read_type_cb, &data); |
| |
| if (data.err) { |
| net_buf_unref(data.buf); |
| /* Response here since handle is set */ |
| send_err_rsp(conn, BT_ATT_OP_READ_TYPE_REQ, start_handle, |
| data.err); |
| return 0; |
| } |
| |
| bt_l2cap_send(conn, BT_L2CAP_CID_ATT, data.buf); |
| |
| return 0; |
| } |
| |
| static uint8_t att_read_type_req(struct bt_att *att, struct net_buf *buf) |
| { |
| struct bt_conn *conn = att->chan.chan.conn; |
| struct bt_att_read_type_req *req; |
| uint16_t start_handle, end_handle, err_handle; |
| union { |
| struct bt_uuid uuid; |
| struct bt_uuid_16 u16; |
| struct bt_uuid_128 u128; |
| } u; |
| |
| /* Type can only be UUID16 or UUID128 */ |
| if (buf->len != sizeof(*req) + 2 && buf->len != sizeof(*req) + 16) { |
| return BT_ATT_ERR_INVALID_PDU; |
| } |
| |
| req = (void *)buf->data; |
| |
| start_handle = sys_le16_to_cpu(req->start_handle); |
| end_handle = sys_le16_to_cpu(req->end_handle); |
| net_buf_pull(buf, sizeof(*req)); |
| |
| if (!uuid_create(&u.uuid, buf)) { |
| return BT_ATT_ERR_UNLIKELY; |
| } |
| |
| BT_DBG("start_handle 0x%04x end_handle 0x%04x type %s", |
| start_handle, end_handle, bt_uuid_str(&u.uuid)); |
| |
| if (!range_is_valid(start_handle, end_handle, &err_handle)) { |
| send_err_rsp(conn, BT_ATT_OP_READ_TYPE_REQ, err_handle, |
| BT_ATT_ERR_INVALID_HANDLE); |
| return 0; |
| } |
| |
| return att_read_type_rsp(att, &u.uuid, start_handle, end_handle); |
| } |
| |
| struct read_data { |
| struct bt_att *att; |
| uint16_t offset; |
| struct net_buf *buf; |
| struct bt_att_read_rsp *rsp; |
| uint8_t err; |
| }; |
| |
| static uint8_t read_cb(const struct bt_gatt_attr *attr, void *user_data) |
| { |
| struct read_data *data = user_data; |
| struct bt_att *att = data->att; |
| struct bt_conn *conn = att->chan.chan.conn; |
| int read; |
| |
| BT_DBG("handle 0x%04x", attr->handle); |
| |
| data->rsp = net_buf_add(data->buf, sizeof(*data->rsp)); |
| |
| /* |
| * If any attribute is founded in handle range it means that error |
| * should be changed from pre-set: invalid handle error to no error. |
| */ |
| data->err = 0x00; |
| |
| /* Check attribute permissions */ |
| data->err = check_perm(conn, attr, BT_GATT_PERM_READ_MASK); |
| if (data->err) { |
| return BT_GATT_ITER_STOP; |
| } |
| |
| /* Read attribute value and store in the buffer */ |
| read = attr->read(conn, attr, data->buf->data + data->buf->len, |
| att->chan.tx.mtu - data->buf->len, data->offset); |
| if (read < 0) { |
| data->err = err_to_att(read); |
| return BT_GATT_ITER_STOP; |
| } |
| |
| net_buf_add(data->buf, read); |
| |
| return BT_GATT_ITER_CONTINUE; |
| } |
| |
| static uint8_t att_read_rsp(struct bt_att *att, uint8_t op, uint8_t rsp, |
| uint16_t handle, uint16_t offset) |
| { |
| struct bt_conn *conn = att->chan.chan.conn; |
| struct read_data data; |
| |
| if (!handle) { |
| return BT_ATT_ERR_INVALID_HANDLE; |
| } |
| |
| memset(&data, 0, sizeof(data)); |
| |
| data.buf = bt_att_create_pdu(conn, rsp, 0); |
| if (!data.buf) { |
| return BT_ATT_ERR_UNLIKELY; |
| } |
| |
| data.att = att; |
| data.offset = offset; |
| |
| /* Pre-set error if no attr will be found in handle */ |
| data.err = BT_ATT_ERR_INVALID_HANDLE; |
| |
| bt_gatt_foreach_attr(handle, handle, read_cb, &data); |
| |
| /* In case of error discard data and respond with an error */ |
| if (data.err) { |
| net_buf_unref(data.buf); |
| /* Respond here since handle is set */ |
| send_err_rsp(conn, op, handle, data.err); |
| return 0; |
| } |
| |
| bt_l2cap_send(conn, BT_L2CAP_CID_ATT, data.buf); |
| |
| return 0; |
| } |
| |
| static uint8_t att_read_req(struct bt_att *att, struct net_buf *buf) |
| { |
| struct bt_att_read_req *req; |
| uint16_t handle; |
| |
| req = (void *)buf->data; |
| |
| handle = sys_le16_to_cpu(req->handle); |
| |
| BT_DBG("handle 0x%04x", handle); |
| |
| return att_read_rsp(att, BT_ATT_OP_READ_REQ, BT_ATT_OP_READ_RSP, |
| handle, 0); |
| } |
| |
| static uint8_t att_read_blob_req(struct bt_att *att, struct net_buf *buf) |
| { |
| struct bt_att_read_blob_req *req; |
| uint16_t handle, offset; |
| |
| req = (void *)buf->data; |
| |
| handle = sys_le16_to_cpu(req->handle); |
| offset = sys_le16_to_cpu(req->offset); |
| |
| BT_DBG("handle 0x%04x offset %u", handle, offset); |
| |
| return att_read_rsp(att, BT_ATT_OP_READ_BLOB_REQ, |
| BT_ATT_OP_READ_BLOB_RSP, handle, offset); |
| } |
| |
| static uint8_t att_read_mult_req(struct bt_att *att, struct net_buf *buf) |
| { |
| struct bt_conn *conn = att->chan.chan.conn; |
| struct read_data data; |
| uint16_t handle; |
| |
| memset(&data, 0, sizeof(data)); |
| |
| data.buf = bt_att_create_pdu(conn, BT_ATT_OP_READ_MULT_RSP, 0); |
| if (!data.buf) { |
| return BT_ATT_ERR_UNLIKELY; |
| } |
| |
| data.att = att; |
| |
| while (buf->len >= sizeof(uint16_t)) { |
| handle = net_buf_pull_le16(buf); |
| |
| BT_DBG("handle 0x%04x ", handle); |
| |
| /* An Error Response shall be sent by the server in response to |
| * the Read Multiple Request [....] if a read operation is not |
| * permitted on any of the Characteristic Values. |
| * |
| * If handle is not valid then return invalid handle error. |
| * If handle is found error will be cleared by read_cb. |
| */ |
| data.err = BT_ATT_ERR_INVALID_HANDLE; |
| |
| bt_gatt_foreach_attr(handle, handle, read_cb, &data); |
| |
| /* Stop reading in case of error */ |
| if (data.err) { |
| net_buf_unref(data.buf); |
| /* Respond here since handle is set */ |
| send_err_rsp(conn, BT_ATT_OP_READ_MULT_REQ, handle, |
| data.err); |
| return 0; |
| } |
| } |
| |
| bt_l2cap_send(conn, BT_L2CAP_CID_ATT, data.buf); |
| |
| return 0; |
| } |
| |
| struct read_group_data { |
| struct bt_att *att; |
| struct bt_uuid *uuid; |
| struct net_buf *buf; |
| struct bt_att_read_group_rsp *rsp; |
| struct bt_att_group_data *group; |
| }; |
| |
| static uint8_t read_group_cb(const struct bt_gatt_attr *attr, void *user_data) |
| { |
| struct read_group_data *data = user_data; |
| struct bt_att *att = data->att; |
| struct bt_conn *conn = att->chan.chan.conn; |
| int read; |
| |
| /* Update group end_handle if attribute is not a service */ |
| if (bt_uuid_cmp(attr->uuid, BT_UUID_GATT_PRIMARY) && |
| bt_uuid_cmp(attr->uuid, BT_UUID_GATT_SECONDARY)) { |
| if (data->group && attr->handle > data->group->end_handle) { |
| data->group->end_handle = sys_cpu_to_le16(attr->handle); |
| } |
| return BT_GATT_ITER_CONTINUE; |
| } |
| |
| /* If Group Type don't match skip */ |
| if (bt_uuid_cmp(attr->uuid, data->uuid)) { |
| data->group = NULL; |
| return BT_GATT_ITER_CONTINUE; |
| } |
| |
| BT_DBG("handle 0x%04x", attr->handle); |
| |
| /* Stop if there is no space left */ |
| if (data->rsp->len && |
| att->chan.tx.mtu - data->buf->len < data->rsp->len) { |
| return BT_GATT_ITER_STOP; |
| } |
| |
| /* Fast foward to next group position */ |
| data->group = net_buf_add(data->buf, sizeof(*data->group)); |
| |
| /* Initialize group handle range */ |
| data->group->start_handle = sys_cpu_to_le16(attr->handle); |
| data->group->end_handle = sys_cpu_to_le16(attr->handle); |
| |
| /* Read attribute value and store in the buffer */ |
| read = attr->read(conn, attr, data->buf->data + data->buf->len, |
| att->chan.tx.mtu - data->buf->len, 0); |
| if (read < 0) { |
| /* TODO: Handle read errors */ |
| return BT_GATT_ITER_STOP; |
| } |
| |
| if (!data->rsp->len) { |
| /* Set len to be the first group found */ |
| data->rsp->len = read + sizeof(*data->group); |
| } else if (data->rsp->len != read + sizeof(*data->group)) { |
| /* All groups entries should have the same size */ |
| data->buf->len -= sizeof(*data->group); |
| return false; |
| } |
| |
| net_buf_add(data->buf, read); |
| |
| /* Continue to find the end handle */ |
| return BT_GATT_ITER_CONTINUE; |
| } |
| |
| static uint8_t att_read_group_rsp(struct bt_att *att, struct bt_uuid *uuid, |
| uint16_t start_handle, uint16_t end_handle) |
| { |
| struct bt_conn *conn = att->chan.chan.conn; |
| struct read_group_data data; |
| |
| memset(&data, 0, sizeof(data)); |
| |
| data.buf = bt_att_create_pdu(conn, BT_ATT_OP_READ_GROUP_RSP, |
| sizeof(*data.rsp)); |
| if (!data.buf) { |
| return BT_ATT_ERR_UNLIKELY; |
| } |
| |
| data.att = att; |
| data.uuid = uuid; |
| data.rsp = net_buf_add(data.buf, sizeof(*data.rsp)); |
| data.rsp->len = 0; |
| data.group = NULL; |
| |
| bt_gatt_foreach_attr(start_handle, end_handle, read_group_cb, &data); |
| |
| if (!data.rsp->len) { |
| net_buf_unref(data.buf); |
| /* Respond here since handle is set */ |
| send_err_rsp(conn, BT_ATT_OP_READ_GROUP_REQ, start_handle, |
| BT_ATT_ERR_ATTRIBUTE_NOT_FOUND); |
| return 0; |
| } |
| |
| bt_l2cap_send(conn, BT_L2CAP_CID_ATT, data.buf); |
| |
| return 0; |
| } |
| |
| static uint8_t att_read_group_req(struct bt_att *att, struct net_buf *buf) |
| { |
| struct bt_conn *conn = att->chan.chan.conn; |
| struct bt_att_read_group_req *req; |
| uint16_t start_handle, end_handle, err_handle; |
| union { |
| struct bt_uuid uuid; |
| struct bt_uuid_16 u16; |
| struct bt_uuid_128 u128; |
| } u; |
| |
| /* Type can only be UUID16 or UUID128 */ |
| if (buf->len != sizeof(*req) + 2 && buf->len != sizeof(*req) + 16) { |
| return BT_ATT_ERR_INVALID_PDU; |
| } |
| |
| req = (void *)buf->data; |
| |
| start_handle = sys_le16_to_cpu(req->start_handle); |
| end_handle = sys_le16_to_cpu(req->end_handle); |
| net_buf_pull(buf, sizeof(*req)); |
| |
| if (!uuid_create(&u.uuid, buf)) { |
| return BT_ATT_ERR_UNLIKELY; |
| } |
| |
| BT_DBG("start_handle 0x%04x end_handle 0x%04x type %s", |
| start_handle, end_handle, bt_uuid_str(&u.uuid)); |
| |
| if (!range_is_valid(start_handle, end_handle, &err_handle)) { |
| send_err_rsp(conn, BT_ATT_OP_READ_GROUP_REQ, err_handle, |
| BT_ATT_ERR_INVALID_HANDLE); |
| return 0; |
| } |
| |
| /* Core v4.2, Vol 3, sec 2.5.3 Attribute Grouping: |
| * Not all of the grouping attributes can be used in the ATT |
| * Read By Group Type Request. The "Primary Service" and "Secondary |
| * Service" grouping types may be used in the Read By Group Type |
| * Request. The "Characteristic" grouping type shall not be used in |
| * the ATT Read By Group Type Request. |
| */ |
| if (bt_uuid_cmp(&u.uuid, BT_UUID_GATT_PRIMARY) && |
| bt_uuid_cmp(&u.uuid, BT_UUID_GATT_SECONDARY)) { |
| send_err_rsp(conn, BT_ATT_OP_READ_GROUP_REQ, start_handle, |
| BT_ATT_ERR_UNSUPPORTED_GROUP_TYPE); |
| return 0; |
| } |
| |
| return att_read_group_rsp(att, &u.uuid, start_handle, end_handle); |
| } |
| |
| struct write_data { |
| struct bt_conn *conn; |
| struct net_buf *buf; |
| uint8_t op; |
| const void *value; |
| uint8_t len; |
| uint16_t offset; |
| uint8_t err; |
| }; |
| |
| static uint8_t write_cb(const struct bt_gatt_attr *attr, void *user_data) |
| { |
| struct write_data *data = user_data; |
| int write; |
| |
| BT_DBG("handle 0x%04x offset %u", attr->handle, data->offset); |
| |
| /* Check attribute permissions */ |
| data->err = check_perm(data->conn, attr, BT_GATT_PERM_WRITE_MASK); |
| if (data->err) { |
| return BT_GATT_ITER_STOP; |
| } |
| |
| /* Read attribute value and store in the buffer */ |
| write = attr->write(data->conn, attr, data->value, data->len, |
| data->offset, 0); |
| if (write < 0 || write != data->len) { |
| data->err = err_to_att(write); |
| return BT_GATT_ITER_STOP; |
| } |
| |
| data->err = 0; |
| |
| return BT_GATT_ITER_CONTINUE; |
| } |
| |
| static uint8_t att_write_rsp(struct bt_conn *conn, uint8_t op, uint8_t rsp, |
| uint16_t handle, uint16_t offset, |
| const void *value, uint8_t len) |
| { |
| struct write_data data; |
| |
| if (!handle) { |
| return BT_ATT_ERR_INVALID_HANDLE; |
| } |
| |
| memset(&data, 0, sizeof(data)); |
| |
| /* Only allocate buf if required to respond */ |
| if (rsp) { |
| data.buf = bt_att_create_pdu(conn, rsp, 0); |
| if (!data.buf) { |
| return BT_ATT_ERR_UNLIKELY; |
| } |
| } |
| |
| data.conn = conn; |
| data.op = op; |
| data.offset = offset; |
| data.value = value; |
| data.len = len; |
| data.err = BT_ATT_ERR_INVALID_HANDLE; |
| |
| bt_gatt_foreach_attr(handle, handle, write_cb, &data); |
| |
| if (data.err) { |
| /* In case of error discard data and respond with an error */ |
| if (rsp) { |
| net_buf_unref(data.buf); |
| /* Respond here since handle is set */ |
| send_err_rsp(conn, op, handle, data.err); |
| } |
| return op == BT_ATT_OP_EXEC_WRITE_REQ ? data.err : 0; |
| } |
| |
| if (data.buf) { |
| bt_l2cap_send(conn, BT_L2CAP_CID_ATT, data.buf); |
| } |
| |
| return 0; |
| } |
| |
| static uint8_t att_write_req(struct bt_att *att, struct net_buf *buf) |
| { |
| struct bt_conn *conn = att->chan.chan.conn; |
| uint16_t handle; |
| |
| handle = net_buf_pull_le16(buf); |
| |
| BT_DBG("handle 0x%04x", handle); |
| |
| return att_write_rsp(conn, BT_ATT_OP_WRITE_REQ, BT_ATT_OP_WRITE_RSP, |
| handle, 0, buf->data, buf->len); |
| } |
| |
| #if CONFIG_BLUETOOTH_ATT_PREPARE_COUNT > 0 |
| struct prep_data { |
| struct bt_conn *conn; |
| struct net_buf *buf; |
| const void *value; |
| uint8_t len; |
| uint16_t offset; |
| uint8_t err; |
| }; |
| |
| static uint8_t prep_write_cb(const struct bt_gatt_attr *attr, void *user_data) |
| { |
| struct prep_data *data = user_data; |
| struct bt_attr_data *attr_data; |
| int write; |
| |
| BT_DBG("handle 0x%04x offset %u", attr->handle, data->offset); |
| |
| /* Check attribute permissions */ |
| data->err = check_perm(data->conn, attr, BT_GATT_PERM_WRITE_MASK); |
| if (data->err) { |
| return BT_GATT_ITER_STOP; |
| } |
| |
| if (!(attr->perm & BT_GATT_PERM_PREPARE_WRITE)) { |
| data->err = BT_ATT_ERR_WRITE_NOT_PERMITTED; |
| return BT_GATT_ITER_STOP; |
| } |
| |
| /* Write attribute value to check if device is authorized */ |
| write = attr->write(data->conn, attr, data->value, data->len, |
| data->offset, BT_GATT_WRITE_FLAG_PREPARE); |
| if (write != 0) { |
| data->err = err_to_att(write); |
| return BT_GATT_ITER_STOP; |
| } |
| |
| /* Copy data into the outstanding queue */ |
| data->buf = net_buf_alloc(&prep_pool, K_NO_WAIT); |
| if (!data->buf) { |
| data->err = BT_ATT_ERR_PREPARE_QUEUE_FULL; |
| return BT_GATT_ITER_STOP; |
| } |
| |
| attr_data = net_buf_user_data(data->buf); |
| attr_data->handle = attr->handle; |
| attr_data->offset = data->offset; |
| |
| net_buf_add_mem(data->buf, data->value, data->len); |
| |
| data->err = 0; |
| |
| return BT_GATT_ITER_CONTINUE; |
| } |
| |
| static uint8_t att_prep_write_rsp(struct bt_att *att, uint16_t handle, |
| uint16_t offset, const void *value, |
| uint8_t len) |
| { |
| struct bt_conn *conn = att->chan.chan.conn; |
| struct prep_data data; |
| struct bt_att_prepare_write_rsp *rsp; |
| |
| if (!handle) { |
| return BT_ATT_ERR_INVALID_HANDLE; |
| } |
| |
| memset(&data, 0, sizeof(data)); |
| |
| data.conn = conn; |
| data.offset = offset; |
| data.value = value; |
| data.len = len; |
| data.err = BT_ATT_ERR_INVALID_HANDLE; |
| |
| bt_gatt_foreach_attr(handle, handle, prep_write_cb, &data); |
| |
| if (data.err) { |
| /* Respond here since handle is set */ |
| send_err_rsp(conn, BT_ATT_OP_PREPARE_WRITE_REQ, handle, |
| data.err); |
| return 0; |
| } |
| |
| BT_DBG("buf %p handle 0x%04x offset %u", data.buf, handle, offset); |
| |
| /* Store buffer in the outstanding queue */ |
| net_buf_put(&att->prep_queue, data.buf); |
| |
| /* Generate response */ |
| data.buf = bt_att_create_pdu(conn, BT_ATT_OP_PREPARE_WRITE_RSP, 0); |
| if (!data.buf) { |
| return BT_ATT_ERR_UNLIKELY; |
| } |
| |
| rsp = net_buf_add(data.buf, sizeof(*rsp)); |
| rsp->handle = sys_cpu_to_le16(handle); |
| rsp->offset = sys_cpu_to_le16(offset); |
| net_buf_add(data.buf, len); |
| memcpy(rsp->value, value, len); |
| |
| bt_l2cap_send(conn, BT_L2CAP_CID_ATT, data.buf); |
| |
| return 0; |
| } |
| #endif /* CONFIG_BLUETOOTH_ATT_PREPARE_COUNT */ |
| |
| static uint8_t att_prepare_write_req(struct bt_att *att, struct net_buf *buf) |
| { |
| #if CONFIG_BLUETOOTH_ATT_PREPARE_COUNT == 0 |
| return BT_ATT_ERR_NOT_SUPPORTED; |
| #else |
| struct bt_att_prepare_write_req *req; |
| uint16_t handle, offset; |
| |
| req = (void *)buf->data; |
| |
| handle = sys_le16_to_cpu(req->handle); |
| offset = sys_le16_to_cpu(req->offset); |
| net_buf_pull(buf, sizeof(*req)); |
| |
| BT_DBG("handle 0x%04x offset %u", handle, offset); |
| |
| return att_prep_write_rsp(att, handle, offset, buf->data, buf->len); |
| #endif /* CONFIG_BLUETOOTH_ATT_PREPARE_COUNT */ |
| } |
| |
| #if CONFIG_BLUETOOTH_ATT_PREPARE_COUNT > 0 |
| static uint8_t att_exec_write_rsp(struct bt_att *att, uint8_t flags) |
| { |
| struct bt_conn *conn = att->chan.chan.conn; |
| struct net_buf *buf; |
| uint8_t err = 0; |
| |
| while ((buf = net_buf_get(&att->prep_queue, K_NO_WAIT))) { |
| struct bt_attr_data *data = net_buf_user_data(buf); |
| |
| BT_DBG("buf %p handle 0x%04x offset %u", buf, data->handle, |
| data->offset); |
| |
| /* Just discard the data if an error was set */ |
| if (!err && flags == BT_ATT_FLAG_EXEC) { |
| err = att_write_rsp(conn, BT_ATT_OP_EXEC_WRITE_REQ, 0, |
| data->handle, data->offset, |
| buf->data, buf->len); |
| if (err) { |
| /* Respond here since handle is set */ |
| send_err_rsp(conn, BT_ATT_OP_EXEC_WRITE_REQ, |
| data->handle, err); |
| } |
| } |
| |
| net_buf_unref(buf); |
| } |
| |
| if (err) { |
| return 0; |
| } |
| |
| /* Generate response */ |
| buf = bt_att_create_pdu(conn, BT_ATT_OP_EXEC_WRITE_RSP, 0); |
| if (!buf) { |
| return BT_ATT_ERR_UNLIKELY; |
| } |
| |
| bt_l2cap_send(conn, BT_L2CAP_CID_ATT, buf); |
| |
| return 0; |
| } |
| #endif /* CONFIG_BLUETOOTH_ATT_PREPARE_COUNT */ |
| |
| |
| static uint8_t att_exec_write_req(struct bt_att *att, struct net_buf *buf) |
| { |
| #if CONFIG_BLUETOOTH_ATT_PREPARE_COUNT == 0 |
| return BT_ATT_ERR_NOT_SUPPORTED; |
| #else |
| struct bt_att_exec_write_req *req; |
| |
| req = (void *)buf->data; |
| |
| BT_DBG("flags 0x%02x", req->flags); |
| |
| return att_exec_write_rsp(att, req->flags); |
| #endif /* CONFIG_BLUETOOTH_ATT_PREPARE_COUNT */ |
| } |
| |
| static uint8_t att_write_cmd(struct bt_att *att, struct net_buf *buf) |
| { |
| struct bt_conn *conn = att->chan.chan.conn; |
| uint16_t handle; |
| |
| handle = net_buf_pull_le16(buf); |
| |
| BT_DBG("handle 0x%04x", handle); |
| |
| return att_write_rsp(conn, 0, 0, handle, 0, buf->data, buf->len); |
| } |
| |
| static uint8_t att_signed_write_cmd(struct bt_att *att, struct net_buf *buf) |
| { |
| struct bt_conn *conn = att->chan.chan.conn; |
| struct bt_att_signed_write_cmd *req; |
| uint16_t handle; |
| int err; |
| |
| req = (void *)buf->data; |
| |
| handle = sys_le16_to_cpu(req->handle); |
| |
| BT_DBG("handle 0x%04x", handle); |
| |
| /* Verifying data requires full buffer including attribute header */ |
| net_buf_push(buf, sizeof(struct bt_att_hdr)); |
| err = bt_smp_sign_verify(conn, buf); |
| if (err) { |
| BT_ERR("Error verifying data"); |
| /* No response for this command */ |
| return 0; |
| } |
| |
| net_buf_pull(buf, sizeof(struct bt_att_hdr)); |
| net_buf_pull(buf, sizeof(*req)); |
| |
| return att_write_rsp(conn, 0, 0, handle, 0, buf->data, |
| buf->len - sizeof(struct bt_att_signature)); |
| } |
| |
| #if defined(CONFIG_BLUETOOTH_SMP) |
| static int att_change_security(struct bt_conn *conn, uint8_t err) |
| { |
| bt_security_t sec; |
| |
| switch (err) { |
| case BT_ATT_ERR_INSUFFICIENT_ENCRYPTION: |
| if (conn->sec_level >= BT_SECURITY_MEDIUM) |
| return -EALREADY; |
| sec = BT_SECURITY_MEDIUM; |
| break; |
| case BT_ATT_ERR_AUTHENTICATION: |
| if (conn->sec_level < BT_SECURITY_MEDIUM) { |
| /* BLUETOOTH SPECIFICATION Version 4.2 [Vol 3, Part C] |
| * page 375: |
| * |
| * If an LTK is not available, the service request |
| * shall be rejected with the error code 'Insufficient |
| * Authentication'. |
| * Note: When the link is not encrypted, the error code |
| * "Insufficient Authentication" does not indicate that |
| * MITM protection is required. |
| */ |
| sec = BT_SECURITY_MEDIUM; |
| } else if (conn->sec_level < BT_SECURITY_HIGH) { |
| /* BLUETOOTH SPECIFICATION Version 4.2 [Vol 3, Part C] |
| * page 375: |
| * |
| * If an authenticated pairing is required but only an |
| * unauthenticated pairing has occurred and the link is |
| * currently encrypted, the service request shall be |
| * rejected with the error code 'Insufficient |
| * Authentication'. |
| * Note: When unauthenticated pairing has occurred and |
| * the link is currently encrypted, the error code |
| * 'Insufficient Authentication' indicates that MITM |
| * protection is required. |
| */ |
| sec = BT_SECURITY_HIGH; |
| } else if (conn->sec_level < BT_SECURITY_FIPS) { |
| /* BLUETOOTH SPECIFICATION Version 4.2 [Vol 3, Part C] |
| * page 375: |
| * |
| * If LE Secure Connections authenticated pairing is |
| * required but LE legacy pairing has occurred and the |
| * link is currently encrypted, the service request |
| * shall be rejected with the error code ''Insufficient |
| * Authentication'. |
| */ |
| sec = BT_SECURITY_FIPS; |
| } else { |
| return -EALREADY; |
| } |
| break; |
| default: |
| return -EINVAL; |
| } |
| |
| return bt_conn_security(conn, sec); |
| } |
| #endif /* CONFIG_BLUETOOTH_SMP */ |
| |
| static uint8_t att_error_rsp(struct bt_att *att, struct net_buf *buf) |
| { |
| struct bt_att_error_rsp *rsp; |
| uint8_t err; |
| |
| rsp = (void *)buf->data; |
| |
| BT_DBG("request 0x%02x handle 0x%04x error 0x%02x", rsp->request, |
| sys_le16_to_cpu(rsp->handle), rsp->error); |
| |
| if (!att->req) { |
| err = BT_ATT_ERR_UNLIKELY; |
| goto done; |
| } |
| |
| if (att->req->buf) { |
| /* Restore state to be resent */ |
| net_buf_simple_restore(&att->req->buf->b, &att->req->state); |
| } |
| |
| err = rsp->error; |
| #if defined(CONFIG_BLUETOOTH_SMP) |
| if (att->req->retrying) { |
| goto done; |
| } |
| |
| /* Check if security needs to be changed */ |
| if (!att_change_security(att->chan.chan.conn, err)) { |
| att->req->retrying = true; |
| /* Wait security_changed: TODO: Handle fail case */ |
| return 0; |
| } |
| #endif /* CONFIG_BLUETOOTH_SMP */ |
| |
| done: |
| return att_handle_rsp(att, NULL, 0, err); |
| } |
| |
| static uint8_t att_handle_find_info_rsp(struct bt_att *att, |
| struct net_buf *buf) |
| { |
| BT_DBG(""); |
| |
| return att_handle_rsp(att, buf->data, buf->len, 0); |
| } |
| |
| static uint8_t att_handle_find_type_rsp(struct bt_att *att, |
| struct net_buf *buf) |
| { |
| BT_DBG(""); |
| |
| return att_handle_rsp(att, buf->data, buf->len, 0); |
| } |
| |
| static uint8_t att_handle_read_type_rsp(struct bt_att *att, |
| struct net_buf *buf) |
| { |
| BT_DBG(""); |
| |
| return att_handle_rsp(att, buf->data, buf->len, 0); |
| } |
| |
| static uint8_t att_handle_read_rsp(struct bt_att *att, |
| struct net_buf *buf) |
| { |
| BT_DBG(""); |
| |
| return att_handle_rsp(att, buf->data, buf->len, 0); |
| } |
| |
| static uint8_t att_handle_read_blob_rsp(struct bt_att *att, |
| struct net_buf *buf) |
| { |
| BT_DBG(""); |
| |
| return att_handle_rsp(att, buf->data, buf->len, 0); |
| } |
| |
| static uint8_t att_handle_read_mult_rsp(struct bt_att *att, |
| struct net_buf *buf) |
| { |
| BT_DBG(""); |
| |
| return att_handle_rsp(att, buf->data, buf->len, 0); |
| } |
| |
| static uint8_t att_handle_write_rsp(struct bt_att *att, |
| struct net_buf *buf) |
| { |
| BT_DBG(""); |
| |
| return att_handle_rsp(att, buf->data, buf->len, 0); |
| } |
| |
| static uint8_t att_handle_prepare_write_rsp(struct bt_att *att, |
| struct net_buf *buf) |
| { |
| BT_DBG(""); |
| |
| return att_handle_rsp(att, buf->data, buf->len, 0); |
| } |
| |
| static uint8_t att_handle_exec_write_rsp(struct bt_att *att, |
| struct net_buf *buf) |
| { |
| BT_DBG(""); |
| |
| return att_handle_rsp(att, buf->data, buf->len, 0); |
| } |
| |
| static uint8_t att_notify(struct bt_att *att, struct net_buf *buf) |
| { |
| struct bt_conn *conn = att->chan.chan.conn; |
| uint16_t handle; |
| |
| handle = net_buf_pull_le16(buf); |
| |
| BT_DBG("handle 0x%04x", handle); |
| |
| bt_gatt_notification(conn, handle, buf->data, buf->len); |
| |
| return 0; |
| } |
| |
| static uint8_t att_indicate(struct bt_att *att, struct net_buf *buf) |
| { |
| struct bt_conn *conn = att->chan.chan.conn; |
| uint16_t handle; |
| |
| handle = net_buf_pull_le16(buf); |
| |
| BT_DBG("handle 0x%04x", handle); |
| |
| bt_gatt_notification(conn, handle, buf->data, buf->len); |
| |
| buf = bt_att_create_pdu(conn, BT_ATT_OP_CONFIRM, 0); |
| if (!buf) { |
| return 0; |
| } |
| |
| bt_l2cap_send(conn, BT_L2CAP_CID_ATT, buf); |
| |
| return 0; |
| } |
| |
| static uint8_t att_confirm(struct bt_att *att, struct net_buf *buf) |
| { |
| BT_DBG(""); |
| |
| return att_handle_rsp(att, buf->data, buf->len, 0); |
| } |
| |
| static const struct { |
| uint8_t op; |
| uint8_t (*func)(struct bt_att *att, struct net_buf *buf); |
| uint8_t expect_len; |
| } handlers[] = { |
| { BT_ATT_OP_ERROR_RSP, att_error_rsp, |
| sizeof(struct bt_att_error_rsp) }, |
| { BT_ATT_OP_MTU_REQ, att_mtu_req, |
| sizeof(struct bt_att_exchange_mtu_req) }, |
| { BT_ATT_OP_MTU_RSP, att_mtu_rsp, |
| sizeof(struct bt_att_exchange_mtu_rsp) }, |
| { BT_ATT_OP_FIND_INFO_REQ, att_find_info_req, |
| sizeof(struct bt_att_find_info_req) }, |
| { BT_ATT_OP_FIND_INFO_RSP, att_handle_find_info_rsp, |
| sizeof(struct bt_att_find_info_rsp) }, |
| { BT_ATT_OP_FIND_TYPE_REQ, att_find_type_req, |
| sizeof(struct bt_att_find_type_req) }, |
| { BT_ATT_OP_FIND_TYPE_RSP, att_handle_find_type_rsp, |
| sizeof(struct bt_att_find_type_rsp) }, |
| { BT_ATT_OP_READ_TYPE_REQ, att_read_type_req, |
| sizeof(struct bt_att_read_type_req) }, |
| { BT_ATT_OP_READ_TYPE_RSP, att_handle_read_type_rsp, |
| sizeof(struct bt_att_read_type_rsp) }, |
| { BT_ATT_OP_READ_REQ, att_read_req, |
| sizeof(struct bt_att_read_req) }, |
| { BT_ATT_OP_READ_RSP, att_handle_read_rsp, |
| sizeof(struct bt_att_read_rsp) }, |
| { BT_ATT_OP_READ_BLOB_REQ, att_read_blob_req, |
| sizeof(struct bt_att_read_blob_req) }, |
| { BT_ATT_OP_READ_BLOB_RSP, att_handle_read_blob_rsp, |
| sizeof(struct bt_att_read_blob_rsp) }, |
| { BT_ATT_OP_READ_MULT_REQ, att_read_mult_req, |
| BT_ATT_READ_MULT_MIN_LEN_REQ }, |
| { BT_ATT_OP_READ_MULT_RSP, att_handle_read_mult_rsp, |
| sizeof(struct bt_att_read_mult_rsp) }, |
| { BT_ATT_OP_READ_GROUP_REQ, att_read_group_req, |
| sizeof(struct bt_att_read_group_req) }, |
| { BT_ATT_OP_WRITE_REQ, att_write_req, |
| sizeof(struct bt_att_write_req) }, |
| { BT_ATT_OP_WRITE_RSP, att_handle_write_rsp, 0 }, |
| { BT_ATT_OP_PREPARE_WRITE_REQ, att_prepare_write_req, |
| sizeof(struct bt_att_prepare_write_req) }, |
| { BT_ATT_OP_PREPARE_WRITE_RSP, att_handle_prepare_write_rsp, |
| sizeof(struct bt_att_prepare_write_rsp) }, |
| { BT_ATT_OP_EXEC_WRITE_REQ, att_exec_write_req, |
| sizeof(struct bt_att_exec_write_req) }, |
| { BT_ATT_OP_EXEC_WRITE_RSP, att_handle_exec_write_rsp, 0 }, |
| { BT_ATT_OP_NOTIFY, att_notify, |
| sizeof(struct bt_att_notify) }, |
| { BT_ATT_OP_INDICATE, att_indicate, |
| sizeof(struct bt_att_indicate) }, |
| { BT_ATT_OP_CONFIRM, att_confirm, 0 }, |
| { BT_ATT_OP_WRITE_CMD, att_write_cmd, |
| sizeof(struct bt_att_write_cmd) }, |
| { BT_ATT_OP_SIGNED_WRITE_CMD, att_signed_write_cmd, |
| sizeof(struct bt_att_write_cmd) + sizeof(struct bt_att_signature) }, |
| }; |
| |
| static void bt_att_recv(struct bt_l2cap_chan *chan, struct net_buf *buf) |
| { |
| struct bt_att *att = ATT_CHAN(chan); |
| struct bt_att_hdr *hdr = (void *)buf->data; |
| uint8_t err = BT_ATT_ERR_NOT_SUPPORTED; |
| size_t i; |
| |
| if (buf->len < sizeof(*hdr)) { |
| BT_ERR("Too small ATT PDU received"); |
| return; |
| } |
| |
| BT_DBG("Received ATT code 0x%02x len %u", hdr->code, buf->len); |
| |
| net_buf_pull(buf, sizeof(*hdr)); |
| |
| for (i = 0; i < ARRAY_SIZE(handlers); i++) { |
| if (hdr->code != handlers[i].op) { |
| continue; |
| } |
| |
| if (buf->len < handlers[i].expect_len) { |
| BT_ERR("Invalid len %u for code 0x%02x", buf->len, |
| hdr->code); |
| err = BT_ATT_ERR_INVALID_PDU; |
| break; |
| } |
| |
| err = handlers[i].func(att, buf); |
| break; |
| } |
| |
| /* Commands don't have response */ |
| if ((hdr->code & BT_ATT_OP_CMD_FLAG)) { |
| return; |
| } |
| |
| if (err) { |
| BT_DBG("ATT error 0x%02x", err); |
| send_err_rsp(chan->conn, hdr->code, 0, err); |
| } |
| } |
| |
| static struct bt_att *att_chan_get(struct bt_conn *conn) |
| { |
| struct bt_l2cap_chan *chan; |
| |
| chan = bt_l2cap_le_lookup_rx_cid(conn, BT_L2CAP_CID_ATT); |
| if (!chan) { |
| BT_ERR("Unable to find ATT channel"); |
| return NULL; |
| } |
| |
| return ATT_CHAN(chan); |
| } |
| |
| struct net_buf *bt_att_create_pdu(struct bt_conn *conn, uint8_t op, size_t len) |
| { |
| struct bt_att_hdr *hdr; |
| struct net_buf *buf; |
| struct bt_att *att; |
| |
| att = att_chan_get(conn); |
| if (!att) { |
| return NULL; |
| } |
| |
| if (len + sizeof(op) > att->chan.tx.mtu) { |
| BT_WARN("ATT MTU exceeded, max %u, wanted %zu", |
| att->chan.tx.mtu, len + sizeof(op)); |
| return NULL; |
| } |
| |
| buf = bt_l2cap_create_pdu(NULL, 0); |
| |
| hdr = net_buf_add(buf, sizeof(*hdr)); |
| hdr->code = op; |
| |
| return buf; |
| } |
| |
| static void att_reset(struct bt_att *att) |
| { |
| struct bt_att_req *req, *tmp; |
| #if CONFIG_BLUETOOTH_ATT_PREPARE_COUNT > 0 |
| struct net_buf *buf; |
| |
| /* Discard queued buffers */ |
| while ((buf = k_fifo_get(&att->prep_queue, K_NO_WAIT))) { |
| net_buf_unref(buf); |
| } |
| #endif |
| |
| /* Notify pending requests */ |
| SYS_SLIST_FOR_EACH_CONTAINER_SAFE(&att->reqs, req, tmp, node) { |
| if (req->func) { |
| req->func(NULL, BT_ATT_ERR_UNLIKELY, NULL, 0, req); |
| } |
| |
| att_req_destroy(req); |
| } |
| |
| /* Reset list */ |
| sys_slist_init(&att->reqs); |
| |
| if (!att->req) { |
| return; |
| } |
| |
| /* Notify outstanding request */ |
| att_handle_rsp(att, NULL, 0, BT_ATT_ERR_UNLIKELY); |
| } |
| |
| static void att_timeout(struct k_work *work) |
| { |
| struct bt_att *att = CONTAINER_OF(work, struct bt_att, timeout_work); |
| struct bt_l2cap_le_chan *ch = |
| CONTAINER_OF(att, struct bt_l2cap_le_chan, chan); |
| |
| BT_ERR("ATT Timeout"); |
| |
| /* BLUETOOTH SPECIFICATION Version 4.2 [Vol 3, Part F] page 480: |
| * |
| * A transaction not completed within 30 seconds shall time out. Such a |
| * transaction shall be considered to have failed and the local higher |
| * layers shall be informed of this failure. No more attribute protocol |
| * requests, commands, indications or notifications shall be sent to the |
| * target device on this ATT Bearer. |
| */ |
| att_reset(att); |
| |
| /* Consider the channel disconnected */ |
| bt_gatt_disconnected(ch->chan.conn); |
| ch->chan.conn = NULL; |
| } |
| |
| static void bt_att_connected(struct bt_l2cap_chan *chan) |
| { |
| struct bt_att *att = ATT_CHAN(chan); |
| struct bt_l2cap_le_chan *ch = BT_L2CAP_LE_CHAN(chan); |
| |
| BT_DBG("chan %p cid 0x%04x", ch, ch->tx.cid); |
| |
| #if CONFIG_BLUETOOTH_ATT_PREPARE_COUNT > 0 |
| k_fifo_init(&att->prep_queue); |
| #endif |
| |
| ch->tx.mtu = BT_ATT_DEFAULT_LE_MTU; |
| ch->rx.mtu = BT_ATT_DEFAULT_LE_MTU; |
| |
| k_delayed_work_init(&att->timeout_work, att_timeout); |
| sys_slist_init(&att->reqs); |
| |
| bt_gatt_connected(ch->chan.conn); |
| } |
| |
| static void bt_att_disconnected(struct bt_l2cap_chan *chan) |
| { |
| struct bt_att *att = ATT_CHAN(chan); |
| struct bt_l2cap_le_chan *ch = BT_L2CAP_LE_CHAN(chan); |
| |
| BT_DBG("chan %p cid 0x%04x", ch, ch->tx.cid); |
| |
| att_reset(att); |
| |
| bt_gatt_disconnected(ch->chan.conn); |
| memset(att, 0, sizeof(*att)); |
| } |
| |
| #if defined(CONFIG_BLUETOOTH_SMP) |
| static void bt_att_encrypt_change(struct bt_l2cap_chan *chan, |
| uint8_t hci_status) |
| { |
| struct bt_att *att = ATT_CHAN(chan); |
| struct bt_l2cap_le_chan *ch = BT_L2CAP_LE_CHAN(chan); |
| struct bt_conn *conn = ch->chan.conn; |
| |
| BT_DBG("chan %p conn %p handle %u sec_level 0x%02x status 0x%02x", ch, |
| conn, conn->handle, conn->sec_level, hci_status); |
| |
| /* |
| * If status (HCI status of security procedure) is non-zero, notify |
| * outstanding request about security failure. |
| */ |
| if (hci_status) { |
| att_handle_rsp(att, NULL, 0, BT_ATT_ERR_AUTHENTICATION); |
| return; |
| } |
| |
| if (conn->sec_level == BT_SECURITY_LOW) { |
| return; |
| } |
| |
| if (!att->req || !att->req->retrying) { |
| return; |
| } |
| |
| BT_DBG("Retrying"); |
| |
| /* Resend buffer */ |
| bt_l2cap_send(conn, BT_L2CAP_CID_ATT, att->req->buf); |
| att->req->buf = NULL; |
| } |
| #endif /* CONFIG_BLUETOOTH_SMP */ |
| |
| static int bt_att_accept(struct bt_conn *conn, struct bt_l2cap_chan **chan) |
| { |
| int i; |
| static struct bt_l2cap_chan_ops ops = { |
| .connected = bt_att_connected, |
| .disconnected = bt_att_disconnected, |
| .recv = bt_att_recv, |
| #if defined(CONFIG_BLUETOOTH_SMP) |
| .encrypt_change = bt_att_encrypt_change, |
| #endif /* CONFIG_BLUETOOTH_SMP */ |
| }; |
| |
| BT_DBG("conn %p handle %u", conn, conn->handle); |
| |
| for (i = 0; i < ARRAY_SIZE(bt_req_pool); i++) { |
| struct bt_att *att = &bt_req_pool[i]; |
| |
| if (att->chan.chan.conn) { |
| continue; |
| } |
| |
| att->chan.chan.ops = &ops; |
| |
| *chan = &att->chan.chan; |
| |
| return 0; |
| } |
| |
| BT_ERR("No available ATT context for conn %p", conn); |
| |
| return -ENOMEM; |
| } |
| |
| void bt_att_init(void) |
| { |
| static struct bt_l2cap_fixed_chan chan = { |
| .cid = BT_L2CAP_CID_ATT, |
| .accept = bt_att_accept, |
| }; |
| |
| bt_l2cap_le_fixed_chan_register(&chan); |
| } |
| |
| uint16_t bt_att_get_mtu(struct bt_conn *conn) |
| { |
| struct bt_att *att; |
| |
| att = att_chan_get(conn); |
| if (!att) { |
| return 0; |
| } |
| |
| /* tx and rx MTU shall be symmetric */ |
| return att->chan.tx.mtu; |
| } |
| |
| int bt_att_send(struct bt_conn *conn, struct net_buf *buf) |
| { |
| struct bt_att *att; |
| struct bt_att_hdr *hdr; |
| |
| if (!conn || !buf) { |
| return -EINVAL; |
| } |
| |
| att = att_chan_get(conn); |
| if (!att) { |
| return -ENOTCONN; |
| } |
| |
| hdr = (void *)buf->data; |
| |
| if (hdr->code == BT_ATT_OP_SIGNED_WRITE_CMD) { |
| int err; |
| |
| err = bt_smp_sign(conn, buf); |
| if (err) { |
| BT_ERR("Error signing data"); |
| return err; |
| } |
| } |
| |
| bt_l2cap_send(conn, BT_L2CAP_CID_ATT, buf); |
| |
| return 0; |
| } |
| |
| int bt_att_req_send(struct bt_conn *conn, struct bt_att_req *req) |
| { |
| struct bt_att *att; |
| |
| BT_DBG("conn %p req %p", conn, req); |
| |
| if (!conn || !req) { |
| return -EINVAL; |
| } |
| |
| att = att_chan_get(conn); |
| if (!att) { |
| return -ENOTCONN; |
| } |
| |
| /* Check if there is a request outstanding */ |
| if (att->req) { |
| /* Queue the request to be send later */ |
| sys_slist_append(&att->reqs, &req->node); |
| return 0; |
| } |
| |
| return att_send_req(att, req); |
| } |
| |
| void bt_att_req_cancel(struct bt_conn *conn, struct bt_att_req *req) |
| { |
| struct bt_att *att; |
| |
| if (!conn || !req) { |
| return; |
| } |
| |
| att = att_chan_get(conn); |
| if (!att) { |
| return; |
| } |
| |
| /* Check if request is outstanding */ |
| if (att->req == req) { |
| att->req = NULL; |
| } else { |
| /* Remove request from the list */ |
| sys_slist_find_and_remove(&att->reqs, &req->node); |
| } |
| |
| att_req_destroy(req); |
| } |