1 /*-
2  * sdp.c
3  *
4  * SPDX-License-Identifier: BSD-2-Clause
5  *
6  * Copyright (c) 2004 Maksim Yevmenkin <m_evmenkin@yahoo.com>
7  * All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  * 2. Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in the
16  *    documentation and/or other materials provided with the distribution.
17  *
18  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
19  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21  * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
22  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28  * SUCH DAMAGE.
29  *
30  * $Id: sdp.c,v 1.3 2004/02/17 22:14:57 max Exp $
31  */
32 
33 #include <sys/types.h>
34 #include <sys/queue.h>
35 #include <sys/sysctl.h>
36 #define L2CAP_SOCKET_CHECKED
37 #include <bluetooth.h>
38 #include <dev/usb/usb.h>
39 #include <dev/usb/usbhid.h>
40 #include <errno.h>
41 #include <sdp.h>
42 #include <stdio.h>
43 #include <string.h>
44 #include <usbhid.h>
45 #include "bthid_config.h"
46 #include "bthidcontrol.h"
47 
48 static int32_t hid_sdp_query				(bdaddr_t const *local, struct hid_device *hd, int32_t *error);
49 static int32_t hid_sdp_parse_protocol_descriptor_list	(sdp_attr_p a);
50 static int32_t hid_sdp_parse_hid_descriptor		(sdp_attr_p a);
51 static int32_t hid_sdp_parse_boolean			(sdp_attr_p a);
52 
53 /*
54  * Hard coded attribute IDs taken from the
55  * DEVICE IDENTIFICATION PROFILE SPECIFICATION V13 p.12
56  */
57 
58 #define SDP_ATTR_DEVICE_ID_SERVICE_VENDORID  0x0201
59 #define SDP_ATTR_DEVICE_ID_SERVICE_PRODUCTID 0x0202
60 #define SDP_ATTR_DEVICE_ID_SERVICE_VERSION   0x0203
61 #define SDP_ATTR_DEVICE_ID_RANGE SDP_ATTR_RANGE( \
62  SDP_ATTR_DEVICE_ID_SERVICE_VENDORID, SDP_ATTR_DEVICE_ID_SERVICE_VERSION )
63 
64 static uint16_t		service = SDP_SERVICE_CLASS_HUMAN_INTERFACE_DEVICE;
65 static uint16_t		service_devid = SDP_SERVICE_CLASS_PNP_INFORMATION;
66 static uint32_t 	attrs_devid   = SDP_ATTR_DEVICE_ID_RANGE;
67 
68 static uint32_t		attrs[] = {
69 SDP_ATTR_RANGE(	SDP_ATTR_PROTOCOL_DESCRIPTOR_LIST,
70 		SDP_ATTR_PROTOCOL_DESCRIPTOR_LIST),
71 SDP_ATTR_RANGE	(SDP_ATTR_ADDITIONAL_PROTOCOL_DESCRIPTOR_LISTS,
72 		SDP_ATTR_ADDITIONAL_PROTOCOL_DESCRIPTOR_LISTS),
73 SDP_ATTR_RANGE(	0x0205,		/* HIDReconnectInitiate */
74 		0x0205),
75 SDP_ATTR_RANGE(	0x0206,		/* HIDDescriptorList */
76 		0x0206),
77 SDP_ATTR_RANGE(	0x0209,		/* HIDBatteryPower */
78 		0x0209),
79 SDP_ATTR_RANGE(	0x020d,		/* HIDNormallyConnectable */
80 		0x020d)
81 	};
82 #define	nattrs	(sizeof(attrs)/sizeof(attrs[0]))
83 
84 static sdp_attr_t	values[8];
85 #define	nvalues	(sizeof(values)/sizeof(values[0]))
86 
87 static uint8_t		buffer[nvalues][512];
88 
89 /*
90  * Query remote device
91  */
92 
93 #undef	hid_sdp_query_exit
94 #define	hid_sdp_query_exit(e) {		\
95 	if (error != NULL)		\
96 		*error = (e);		\
97 	if (ss != NULL) {		\
98 		sdp_close(ss);		\
99 		ss = NULL;		\
100 	}				\
101 	return (((e) == 0)? 0 : -1);	\
102 }
103 
104 static void
105 hid_init_return_values() {
106 	int i;
107 	for (i = 0; i < nvalues; i ++) {
108 		values[i].flags = SDP_ATTR_INVALID;
109 		values[i].attr = 0;
110 		values[i].vlen = sizeof(buffer[i]);
111 		values[i].value = buffer[i];
112 	}
113 }
114 
115 static int32_t
116 hid_sdp_query(bdaddr_t const *local, struct hid_device *hd, int32_t *error)
117 {
118 	void			*ss = NULL;
119 	uint8_t			*hid_descriptor = NULL, *v;
120 	int32_t			 i, control_psm = -1, interrupt_psm = -1,
121 				 reconnect_initiate = -1,
122 				 normally_connectable = 0, battery_power = 0,
123 				 hid_descriptor_length = -1, type;
124 	int16_t 		 vendor_id = 0, product_id = 0, version = 0;
125 	bdaddr_t		 sdp_local;
126 	char			 devname[HCI_DEVNAME_SIZE];
127 
128 	if (local == NULL)
129 		local = NG_HCI_BDADDR_ANY;
130 	if (hd == NULL)
131 		hid_sdp_query_exit(EINVAL);
132 
133 	hid_init_return_values();
134 
135 	if ((ss = sdp_open(local, &hd->bdaddr)) == NULL)
136 		hid_sdp_query_exit(ENOMEM);
137 	if (sdp_error(ss) != 0)
138 		hid_sdp_query_exit(sdp_error(ss));
139 	if (sdp_search(ss, 1, &service, nattrs, attrs, nvalues, values) != 0)
140                 hid_sdp_query_exit(sdp_error(ss));
141 
142 	for (i = 0; i < nvalues; i ++) {
143 		if (values[i].flags != SDP_ATTR_OK)
144 			continue;
145 
146 		switch (values[i].attr) {
147 		case SDP_ATTR_PROTOCOL_DESCRIPTOR_LIST:
148 			control_psm = hid_sdp_parse_protocol_descriptor_list(&values[i]);
149 			break;
150 
151 		case SDP_ATTR_ADDITIONAL_PROTOCOL_DESCRIPTOR_LISTS:
152 			interrupt_psm = hid_sdp_parse_protocol_descriptor_list(&values[i]);
153 			break;
154 
155 		case 0x0205: /* HIDReconnectInitiate */
156 			reconnect_initiate = hid_sdp_parse_boolean(&values[i]);
157 			break;
158 
159 		case 0x0206: /* HIDDescriptorList */
160 			if (hid_sdp_parse_hid_descriptor(&values[i]) == 0) {
161 				hid_descriptor = values[i].value;
162 				hid_descriptor_length = values[i].vlen;
163 			}
164 			break;
165 
166 		case 0x0209: /* HIDBatteryPower */
167 			battery_power = hid_sdp_parse_boolean(&values[i]);
168 			break;
169 
170 		case 0x020d: /* HIDNormallyConnectable */
171 			normally_connectable = hid_sdp_parse_boolean(&values[i]);
172 			break;
173 		}
174 	}
175 
176 	hid_init_return_values();
177 
178 	if (sdp_search(ss, 1, &service_devid, 1, &attrs_devid, nvalues, values) != 0)
179                 hid_sdp_query_exit(sdp_error(ss));
180 
181 	/* Try extract HCI bdaddr from opened SDP session */
182 	if (sdp_get_lcaddr(ss, &sdp_local) != 0 ||
183 	    bt_devname(devname, &sdp_local) == 0)
184 		hid_sdp_query_exit(ENOATTR);
185 
186         sdp_close(ss);
187         ss = NULL;
188 
189 	/* If search is successful, scan through return vals */
190 	for (i = 0; i < 3; i ++ ) {
191 		if (values[i].flags == SDP_ATTR_INVALID )
192 			continue;
193 
194 		/* Expecting tag + uint16_t on all 3 attributes */
195 		if (values[i].vlen != 3)
196 			continue;
197 
198 		/* Make sure, we're reading a uint16_t */
199 		v = values[i].value;
200 		SDP_GET8(type, v);
201 		if (type != SDP_DATA_UINT16 )
202 			continue;
203 
204 		switch (values[i].attr) {
205 			case SDP_ATTR_DEVICE_ID_SERVICE_VENDORID:
206 				SDP_GET16(vendor_id, v);
207 				break;
208 			case SDP_ATTR_DEVICE_ID_SERVICE_PRODUCTID:
209 				SDP_GET16(product_id, v);
210 				break;
211 			case SDP_ATTR_DEVICE_ID_SERVICE_VERSION:
212 				SDP_GET16(version, v);
213 				break;
214 			default:
215 				break;
216 		}
217 	}
218 
219 	if (control_psm == -1 || interrupt_psm == -1 ||
220 	    reconnect_initiate == -1 ||
221 	    hid_descriptor == NULL || hid_descriptor_length == -1)
222 		hid_sdp_query_exit(ENOATTR);
223 	hd->name = bt_devremote_name_gen(devname, &hd->bdaddr);
224 	hd->vendor_id = vendor_id;
225 	hd->product_id = product_id;
226 	hd->version = version;
227 	hd->control_psm = control_psm;
228 	hd->interrupt_psm = interrupt_psm;
229 	hd->reconnect_initiate = reconnect_initiate? 1 : 0;
230 	hd->battery_power = battery_power? 1 : 0;
231 	hd->normally_connectable = normally_connectable? 1 : 0;
232 	hd->desc = hid_use_report_desc(hid_descriptor, hid_descriptor_length);
233 	if (hd->desc == NULL)
234 		hid_sdp_query_exit(ENOMEM);
235 
236 	return (0);
237 }
238 
239 /*
240  * seq len				2
241  *	seq len				2
242  *		uuid value		3
243  *		uint16 value		3
244  *		seq len			2
245  *			uuid value	3
246  */
247 
248 static int32_t
249 hid_sdp_parse_protocol_descriptor_list(sdp_attr_p a)
250 {
251 	uint8_t	*ptr = a->value;
252 	uint8_t	*end = a->value + a->vlen;
253 	int32_t	 type, len, uuid, psm;
254 
255 	if (end - ptr < 15)
256 		return (-1);
257 
258 	if (a->attr == SDP_ATTR_ADDITIONAL_PROTOCOL_DESCRIPTOR_LISTS) {
259 		SDP_GET8(type, ptr);
260 		switch (type) {
261 		case SDP_DATA_SEQ8:
262 			SDP_GET8(len, ptr);
263 			break;
264 
265 		case SDP_DATA_SEQ16:
266 			SDP_GET16(len, ptr);
267 			break;
268 
269 		case SDP_DATA_SEQ32:
270 			SDP_GET32(len, ptr);
271 			break;
272 
273 		default:
274 			return (-1);
275 		}
276 		if (ptr + len > end)
277 			return (-1);
278 	}
279 
280 	SDP_GET8(type, ptr);
281 	switch (type) {
282 	case SDP_DATA_SEQ8:
283 		SDP_GET8(len, ptr);
284 		break;
285 
286 	case SDP_DATA_SEQ16:
287 		SDP_GET16(len, ptr);
288 		break;
289 
290 	case SDP_DATA_SEQ32:
291 		SDP_GET32(len, ptr);
292 		break;
293 
294 	default:
295 		return (-1);
296 	}
297 	if (ptr + len > end)
298 		return (-1);
299 
300 	/* Protocol */
301 	SDP_GET8(type, ptr);
302 	switch (type) {
303 	case SDP_DATA_SEQ8:
304 		SDP_GET8(len, ptr);
305 		break;
306 
307 	case SDP_DATA_SEQ16:
308 		SDP_GET16(len, ptr);
309 		break;
310 
311 	case SDP_DATA_SEQ32:
312 		SDP_GET32(len, ptr);
313 		break;
314 
315 	default:
316 		return (-1);
317 	}
318 	if (ptr + len > end)
319 		return (-1);
320 
321 	/* UUID */
322 	if (ptr + 3 > end)
323 		return (-1);
324 	SDP_GET8(type, ptr);
325 	switch (type) {
326 	case SDP_DATA_UUID16:
327 		SDP_GET16(uuid, ptr);
328 		if (uuid != SDP_UUID_PROTOCOL_L2CAP)
329 			return (-1);
330 		break;
331 
332 	case SDP_DATA_UUID32:  /* XXX FIXME can we have 32-bit UUID */
333 	case SDP_DATA_UUID128: /* XXX FIXME can we have 128-bit UUID */
334 	default:
335 		return (-1);
336 	}
337 
338 	/* PSM */
339 	if (ptr + 3 > end)
340 		return (-1);
341 	SDP_GET8(type, ptr);
342 	if (type != SDP_DATA_UINT16)
343 		return (-1);
344 	SDP_GET16(psm, ptr);
345 
346 	return (psm);
347 }
348 
349 /*
350  * seq len			2
351  *	seq len			2
352  *		uint8 value8	2
353  * 		str value	3
354  */
355 
356 static int32_t
357 hid_sdp_parse_hid_descriptor(sdp_attr_p a)
358 {
359 	uint8_t	*ptr = a->value;
360 	uint8_t	*end = a->value + a->vlen;
361 	int32_t	 type, len, descriptor_type;
362 
363 	if (end - ptr < 9)
364 		return (-1);
365 
366 	SDP_GET8(type, ptr);
367 	switch (type) {
368 	case SDP_DATA_SEQ8:
369 		SDP_GET8(len, ptr);
370 		break;
371 
372 	case SDP_DATA_SEQ16:
373 		SDP_GET16(len, ptr);
374 		break;
375 
376 	case SDP_DATA_SEQ32:
377 		SDP_GET32(len, ptr);
378 		break;
379 
380 	default:
381 		return (-1);
382 	}
383 	if (ptr + len > end)
384 		return (-1);
385 
386 	while (ptr < end) {
387 		/* Descriptor */
388 		SDP_GET8(type, ptr);
389 		switch (type) {
390 		case SDP_DATA_SEQ8:
391 			if (ptr + 1 > end)
392 				return (-1);
393 			SDP_GET8(len, ptr);
394 			break;
395 
396 		case SDP_DATA_SEQ16:
397 			if (ptr + 2 > end)
398 				return (-1);
399 			SDP_GET16(len, ptr);
400 			break;
401 
402 		case SDP_DATA_SEQ32:
403 			if (ptr + 4 > end)
404 				return (-1);
405 			SDP_GET32(len, ptr);
406 			break;
407 
408 		default:
409 			return (-1);
410 		}
411 
412 		/* Descripor type */
413 		if (ptr + 1 > end)
414 			return (-1);
415 		SDP_GET8(type, ptr);
416 		if (type != SDP_DATA_UINT8 || ptr + 1 > end)
417 			return (-1);
418 		SDP_GET8(descriptor_type, ptr);
419 
420 		/* Descriptor value */
421 		if (ptr + 1 > end)
422 			return (-1);
423 		SDP_GET8(type, ptr);
424 		switch (type) {
425 		case SDP_DATA_STR8:
426 			if (ptr + 1 > end)
427 				return (-1);
428 			SDP_GET8(len, ptr);
429 			break;
430 
431 		case SDP_DATA_STR16:
432 			if (ptr + 2 > end)
433 				return (-1);
434 			SDP_GET16(len, ptr);
435 			break;
436 
437 		case SDP_DATA_STR32:
438 			if (ptr + 4 > end)
439 				return (-1);
440 			SDP_GET32(len, ptr);
441 			break;
442 
443 		default:
444 			return (-1);
445 		}
446 		if (ptr + len > end)
447 			return (-1);
448 
449 		if (descriptor_type == UDESC_REPORT && len > 0) {
450 			a->value = ptr;
451 			a->vlen = len;
452 
453 			return (0);
454 		}
455 
456 		ptr += len;
457 	}
458 
459 	return (-1);
460 }
461 
462 /* bool8 int8 */
463 static int32_t
464 hid_sdp_parse_boolean(sdp_attr_p a)
465 {
466 	if (a->vlen != 2 || a->value[0] != SDP_DATA_BOOL)
467 		return (-1);
468 
469 	return (a->value[1]);
470 }
471 
472 /* Perform SDP query */
473 static int32_t
474 hid_query(bdaddr_t *bdaddr, int argc, char **argv)
475 {
476 	struct hid_device	hd;
477 	int			e;
478 
479 	memcpy(&hd.bdaddr, bdaddr, sizeof(hd.bdaddr));
480 	if (hid_sdp_query(NULL, &hd, &e) < 0) {
481 		fprintf(stderr, "Could not perform SDP query on the " \
482 			"device %s. %s (%d)\n", bt_ntoa(bdaddr, NULL),
483 			strerror(e), e);
484 		return (FAILED);
485 	}
486 
487 	print_hid_device(&hd, stdout);
488 
489 	return (OK);
490 }
491 
492 struct bthid_command	sdp_commands[] =
493 {
494 {
495 "Query",
496 "Perform SDP query to the specified device and print HID configuration entry\n"\
497 "for the device. The configuration entry should be appended to the Bluetooth\n"\
498 "HID daemon configuration file and the daemon should be restarted.\n",
499 hid_query
500 },
501 { NULL, NULL, NULL }
502 };
503 
504