1/****************************************************************************** 2 * 3 * Copyright (C) 1999-2012 Broadcom Corporation 4 * 5 * Licensed under the Apache License, Version 2.0 (the "License"); 6 * you may not use this file except in compliance with the License. 7 * You may obtain a copy of the License at: 8 * 9 * http://www.apache.org/licenses/LICENSE-2.0 10 * 11 * Unless required by applicable law or agreed to in writing, software 12 * distributed under the License is distributed on an "AS IS" BASIS, 13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 * See the License for the specific language governing permissions and 15 * limitations under the License. 16 * 17 ******************************************************************************/ 18 19/****************************************************************************** 20 * 21 * This file contains functions for BLE address management. 22 * 23 ******************************************************************************/ 24 25#include <string.h> 26 27#include "bt_types.h" 28#include "hcimsgs.h" 29#include "btu.h" 30#include "btm_int.h" 31#include "gap_api.h" 32#include "device/include/controller.h" 33 34#if (defined BLE_INCLUDED && BLE_INCLUDED == TRUE) 35#include "btm_ble_int.h" 36#include "smp_api.h" 37 38 39extern fixed_queue_t *btu_general_alarm_queue; 40 41/******************************************************************************* 42** 43** Function btm_gen_resolve_paddr_cmpl 44** 45** Description This is callback functioin when resolvable private address 46** generation is complete. 47** 48** Returns void 49** 50*******************************************************************************/ 51static void btm_gen_resolve_paddr_cmpl(tSMP_ENC *p) 52{ 53 tBTM_LE_RANDOM_CB *p_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb; 54 BTM_TRACE_EVENT ("btm_gen_resolve_paddr_cmpl"); 55 56 if (p) 57 { 58 /* set hash to be LSB of rpAddress */ 59 p_cb->private_addr[5] = p->param_buf[0]; 60 p_cb->private_addr[4] = p->param_buf[1]; 61 p_cb->private_addr[3] = p->param_buf[2]; 62 /* set it to controller */ 63 btsnd_hcic_ble_set_random_addr(p_cb->private_addr); 64 65 p_cb->own_addr_type = BLE_ADDR_RANDOM; 66 67 /* start a periodical timer to refresh random addr */ 68 period_ms_t interval_ms = BTM_BLE_PRIVATE_ADDR_INT_MS; 69#if (BTM_BLE_CONFORMANCE_TESTING == TRUE) 70 interval_ms = btm_cb.ble_ctr_cb.rpa_tout * 1000; 71#endif 72 alarm_set_on_queue(p_cb->refresh_raddr_timer, interval_ms, 73 btm_ble_refresh_raddr_timer_timeout, NULL, 74 btu_general_alarm_queue); 75 } 76 else 77 { 78 /* random address set failure */ 79 BTM_TRACE_DEBUG("set random address failed"); 80 } 81} 82/******************************************************************************* 83** 84** Function btm_gen_resolve_paddr_low 85** 86** Description This function is called when random address has generate the 87** random number base for low 3 byte bd address. 88** 89** Returns void 90** 91*******************************************************************************/ 92void btm_gen_resolve_paddr_low(tBTM_RAND_ENC *p) 93{ 94#if (BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE) 95 tBTM_LE_RANDOM_CB *p_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb; 96 tSMP_ENC output; 97 98 BTM_TRACE_EVENT ("btm_gen_resolve_paddr_low"); 99 if (p) 100 { 101 p->param_buf[2] &= (~BLE_RESOLVE_ADDR_MASK); 102 p->param_buf[2] |= BLE_RESOLVE_ADDR_MSB; 103 104 p_cb->private_addr[2] = p->param_buf[0]; 105 p_cb->private_addr[1] = p->param_buf[1]; 106 p_cb->private_addr[0] = p->param_buf[2]; 107 108 /* encrypt with ur IRK */ 109 if (!SMP_Encrypt(btm_cb.devcb.id_keys.irk, BT_OCTET16_LEN, p->param_buf, 3, &output)) 110 { 111 btm_gen_resolve_paddr_cmpl(NULL); 112 } 113 else 114 { 115 btm_gen_resolve_paddr_cmpl(&output); 116 } 117 } 118#endif 119} 120/******************************************************************************* 121** 122** Function btm_gen_resolvable_private_addr 123** 124** Description This function generate a resolvable private address. 125** 126** Returns void 127** 128*******************************************************************************/ 129void btm_gen_resolvable_private_addr (void *p_cmd_cplt_cback) 130{ 131 BTM_TRACE_EVENT ("btm_gen_resolvable_private_addr"); 132 /* generate 3B rand as BD LSB, SRK with it, get BD MSB */ 133 if (!btsnd_hcic_ble_rand((void *)p_cmd_cplt_cback)) 134 btm_gen_resolve_paddr_cmpl(NULL); 135} 136/******************************************************************************* 137** 138** Function btm_gen_non_resolve_paddr_cmpl 139** 140** Description This is the callback function when non-resolvable private 141** function is generated and write to controller. 142** 143** Returns void 144** 145*******************************************************************************/ 146static void btm_gen_non_resolve_paddr_cmpl(tBTM_RAND_ENC *p) 147{ 148 tBTM_LE_RANDOM_CB *p_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb; 149 tBTM_BLE_ADDR_CBACK *p_cback = p_cb->p_generate_cback; 150 void *p_data = p_cb->p; 151 UINT8 *pp; 152 BD_ADDR static_random; 153 154 BTM_TRACE_EVENT ("btm_gen_non_resolve_paddr_cmpl"); 155 156 p_cb->p_generate_cback = NULL; 157 if (p) 158 { 159 160 pp = p->param_buf; 161 STREAM_TO_BDADDR(static_random, pp); 162 /* mask off the 2 MSB */ 163 static_random[0] &= BLE_STATIC_PRIVATE_MSB_MASK; 164 165 /* report complete */ 166 if (p_cback) 167 (* p_cback)(static_random, p_data); 168 } 169 else 170 { 171 BTM_TRACE_DEBUG("btm_gen_non_resolvable_private_addr failed"); 172 if (p_cback) 173 (* p_cback)(NULL, p_data); 174 } 175} 176/******************************************************************************* 177** 178** Function btm_gen_non_resolvable_private_addr 179** 180** Description This function generate a non-resolvable private address. 181** 182** 183** Returns void 184** 185*******************************************************************************/ 186void btm_gen_non_resolvable_private_addr (tBTM_BLE_ADDR_CBACK *p_cback, void *p) 187{ 188 tBTM_LE_RANDOM_CB *p_mgnt_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb; 189 190 BTM_TRACE_EVENT ("btm_gen_non_resolvable_private_addr"); 191 192 if (p_mgnt_cb->p_generate_cback != NULL) 193 return; 194 195 p_mgnt_cb->p_generate_cback = p_cback; 196 p_mgnt_cb->p = p; 197 if (!btsnd_hcic_ble_rand((void *)btm_gen_non_resolve_paddr_cmpl)) 198 { 199 btm_gen_non_resolve_paddr_cmpl(NULL); 200 } 201 202} 203 204#if SMP_INCLUDED == TRUE 205/******************************************************************************* 206** Utility functions for Random address resolving 207*******************************************************************************/ 208/******************************************************************************* 209** 210** Function btm_ble_proc_resolve_x 211** 212** Description This function compares the X with random address 3 MSO bytes 213** to find a match. 214** 215** Returns TRUE on match, FALSE otherwise 216** 217*******************************************************************************/ 218static BOOLEAN btm_ble_proc_resolve_x(tSMP_ENC *p) 219{ 220 tBTM_LE_RANDOM_CB *p_mgnt_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb; 221 UINT8 comp[3]; 222 BTM_TRACE_EVENT ("btm_ble_proc_resolve_x"); 223 /* compare the hash with 3 LSB of bd address */ 224 comp[0] = p_mgnt_cb->random_bda[5]; 225 comp[1] = p_mgnt_cb->random_bda[4]; 226 comp[2] = p_mgnt_cb->random_bda[3]; 227 228 if (p) 229 { 230 if (!memcmp(p->param_buf, &comp[0], 3)) 231 { 232 /* match is found */ 233 BTM_TRACE_EVENT ("match is found"); 234 return TRUE; 235 } 236 } 237 return FALSE; 238} 239 240/******************************************************************************* 241** 242** Function btm_ble_init_pseudo_addr 243** 244** Description This function is used to initialize pseudo address. 245** If pseudo address is not available, use dummy address 246** 247** Returns TRUE is updated; FALSE otherwise. 248** 249*******************************************************************************/ 250BOOLEAN btm_ble_init_pseudo_addr (tBTM_SEC_DEV_REC *p_dev_rec, BD_ADDR new_pseudo_addr) 251{ 252 BD_ADDR dummy_bda = {0}; 253 254 if (memcmp(p_dev_rec->ble.pseudo_addr, dummy_bda, BD_ADDR_LEN) == 0) 255 { 256 memcpy(p_dev_rec->ble.pseudo_addr, new_pseudo_addr, BD_ADDR_LEN); 257 return TRUE; 258 } 259 260 return FALSE; 261} 262 263/******************************************************************************* 264** 265** Function btm_ble_addr_resolvable 266** 267** Description This function checks if a RPA is resolvable by the device key. 268** 269** Returns TRUE is resolvable; FALSE otherwise. 270** 271*******************************************************************************/ 272BOOLEAN btm_ble_addr_resolvable (BD_ADDR rpa, tBTM_SEC_DEV_REC *p_dev_rec) 273{ 274 BOOLEAN rt = FALSE; 275 276 if (!BTM_BLE_IS_RESOLVE_BDA(rpa)) 277 return rt; 278 279 UINT8 rand[3]; 280 tSMP_ENC output; 281 if ((p_dev_rec->device_type & BT_DEVICE_TYPE_BLE) && 282 (p_dev_rec->ble.key_type & BTM_LE_KEY_PID)) 283 { 284 BTM_TRACE_DEBUG("%s try to resolve", __func__); 285 /* use the 3 MSB of bd address as prand */ 286 rand[0] = rpa[2]; 287 rand[1] = rpa[1]; 288 rand[2] = rpa[0]; 289 290 /* generate X = E irk(R0, R1, R2) and R is random address 3 LSO */ 291 SMP_Encrypt(p_dev_rec->ble.keys.irk, BT_OCTET16_LEN, 292 &rand[0], 3, &output); 293 294 rand[0] = rpa[5]; 295 rand[1] = rpa[4]; 296 rand[2] = rpa[3]; 297 298 if (!memcmp(output.param_buf, &rand[0], 3)) 299 { 300 btm_ble_init_pseudo_addr (p_dev_rec, rpa); 301 rt = TRUE; 302 } 303 } 304 return rt; 305} 306 307/******************************************************************************* 308** 309** Function btm_ble_match_random_bda 310** 311** Description This function match the random address to the appointed device 312** record, starting from calculating IRK. If record index exceed 313** the maximum record number, matching failed and send callback. 314** 315** Returns None. 316** 317*******************************************************************************/ 318static BOOLEAN btm_ble_match_random_bda(void *data, void *context) 319{ 320#if (BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE) 321 /* use the 3 MSB of bd address as prand */ 322 323 tBTM_LE_RANDOM_CB *p_mgnt_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb; 324 UINT8 rand[3]; 325 rand[0] = p_mgnt_cb->random_bda[2]; 326 rand[1] = p_mgnt_cb->random_bda[1]; 327 rand[2] = p_mgnt_cb->random_bda[0]; 328 329 BTM_TRACE_EVENT("%s next iteration", __func__); 330 331 tSMP_ENC output; 332 tBTM_SEC_DEV_REC *p_dev_rec = data; 333 334 BTM_TRACE_DEBUG("sec_flags = %02x device_type = %d", p_dev_rec->sec_flags, 335 p_dev_rec->device_type); 336 337 if (!(p_dev_rec->device_type & BT_DEVICE_TYPE_BLE) || 338 !(p_dev_rec->ble.key_type & BTM_LE_KEY_PID)) 339 return TRUE; 340 341 /* generate X = E irk(R0, R1, R2) and R is random address 3 LSO */ 342 SMP_Encrypt(p_dev_rec->ble.keys.irk, BT_OCTET16_LEN, 343 &rand[0], 3, &output); 344 // if it was match, finish iteration, otherwise continue 345 return !btm_ble_proc_resolve_x(&output); 346#endif 347} 348 349/******************************************************************************* 350** 351** Function btm_ble_resolve_random_addr 352** 353** Description This function is called to resolve a random address. 354** 355** Returns pointer to the security record of the device whom a random 356** address is matched to. 357** 358*******************************************************************************/ 359void btm_ble_resolve_random_addr(BD_ADDR random_bda, tBTM_BLE_RESOLVE_CBACK * p_cback, void *p) 360{ 361 tBTM_LE_RANDOM_CB *p_mgnt_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb; 362 363 BTM_TRACE_EVENT("%s", __func__); 364 if ( !p_mgnt_cb->busy) { 365 p_mgnt_cb->p = p; 366 p_mgnt_cb->busy = TRUE; 367 memcpy(p_mgnt_cb->random_bda, random_bda, BD_ADDR_LEN); 368 /* start to resolve random address */ 369 /* check for next security record */ 370 371 list_node_t * n = list_foreach(btm_cb.sec_dev_rec, btm_ble_match_random_bda, NULL); 372 tBTM_SEC_DEV_REC *p_dev_rec = n ? list_node(n) : NULL; 373 374 BTM_TRACE_EVENT("%s: %sresolved", __func__, (p_dev_rec == NULL ? "not " : "")); 375 p_mgnt_cb->busy = FALSE; 376 377 (*p_cback)(p_dev_rec, p); 378 } else { 379 (*p_cback)(NULL, p); 380 } 381} 382#endif 383 384/******************************************************************************* 385** address mapping between pseudo address and real connection address 386*******************************************************************************/ 387/******************************************************************************* 388** 389** Function btm_find_dev_by_identity_addr 390** 391** Description find the security record whose LE static address is matching 392** 393*******************************************************************************/ 394tBTM_SEC_DEV_REC* btm_find_dev_by_identity_addr(BD_ADDR bd_addr, UINT8 addr_type) 395{ 396#if BLE_PRIVACY_SPT == TRUE 397 list_node_t *end = list_end(btm_cb.sec_dev_rec); 398 for (list_node_t *node = list_begin(btm_cb.sec_dev_rec); node != end; node = list_next(node)) { 399 tBTM_SEC_DEV_REC *p_dev_rec = list_node(node); 400 if (memcmp(p_dev_rec->ble.static_addr, bd_addr, BD_ADDR_LEN) == 0) { 401 if ((p_dev_rec->ble.static_addr_type & (~BLE_ADDR_TYPE_ID_BIT)) != 402 (addr_type & (~BLE_ADDR_TYPE_ID_BIT))) 403 BTM_TRACE_WARNING("%s find pseudo->random match with diff addr type: %d vs %d", 404 __func__, p_dev_rec->ble.static_addr_type, addr_type); 405 406 /* found the match */ 407 return p_dev_rec; 408 } 409 } 410#endif 411 412 return NULL; 413} 414 415/******************************************************************************* 416** 417** Function btm_identity_addr_to_random_pseudo 418** 419** Description This function map a static BD address to a pseudo random address 420** in security database. 421** 422*******************************************************************************/ 423BOOLEAN btm_identity_addr_to_random_pseudo(BD_ADDR bd_addr, UINT8 *p_addr_type, BOOLEAN refresh) 424{ 425#if BLE_PRIVACY_SPT == TRUE 426 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_identity_addr(bd_addr, *p_addr_type); 427 428 BTM_TRACE_EVENT ("%s", __func__); 429 /* evt reported on static address, map static address to random pseudo */ 430 if (p_dev_rec != NULL) 431 { 432 /* if RPA offloading is supported, or 4.2 controller, do RPA refresh */ 433 if (refresh && controller_get_interface()->get_ble_resolving_list_max_size() != 0) 434 btm_ble_read_resolving_list_entry(p_dev_rec); 435 436 /* assign the original address to be the current report address */ 437 if (!btm_ble_init_pseudo_addr (p_dev_rec, bd_addr)) 438 memcpy(bd_addr, p_dev_rec->ble.pseudo_addr, BD_ADDR_LEN); 439 440 *p_addr_type = p_dev_rec->ble.ble_addr_type; 441 return TRUE; 442 } 443#endif 444 return FALSE; 445} 446 447/******************************************************************************* 448** 449** Function btm_random_pseudo_to_identity_addr 450** 451** Description This function map a random pseudo address to a public address 452** random_pseudo is input and output parameter 453** 454*******************************************************************************/ 455BOOLEAN btm_random_pseudo_to_identity_addr(BD_ADDR random_pseudo, UINT8 *p_static_addr_type) 456{ 457#if BLE_PRIVACY_SPT == TRUE 458 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (random_pseudo); 459 460 if (p_dev_rec != NULL) 461 { 462 if (p_dev_rec->ble.in_controller_list & BTM_RESOLVING_LIST_BIT) 463 { 464 * p_static_addr_type = p_dev_rec->ble.static_addr_type; 465 memcpy(random_pseudo, p_dev_rec->ble.static_addr, BD_ADDR_LEN); 466 if (controller_get_interface()->supports_ble_privacy()) 467 *p_static_addr_type |= BLE_ADDR_TYPE_ID_BIT; 468 return TRUE; 469 } 470 } 471#endif 472 return FALSE; 473} 474 475/******************************************************************************* 476** 477** Function btm_ble_refresh_peer_resolvable_private_addr 478** 479** Description This function refresh the currently used resolvable remote private address into security 480** database and set active connection address. 481** 482*******************************************************************************/ 483void btm_ble_refresh_peer_resolvable_private_addr(BD_ADDR pseudo_bda, BD_ADDR rpa, 484 UINT8 rra_type) 485{ 486#if BLE_PRIVACY_SPT == TRUE 487 UINT8 rra_dummy = FALSE; 488 BD_ADDR dummy_bda = {0}; 489 490 if (memcmp(dummy_bda, rpa, BD_ADDR_LEN) == 0) 491 rra_dummy = TRUE; 492 493 /* update security record here, in adv event or connection complete process */ 494 tBTM_SEC_DEV_REC *p_sec_rec = btm_find_dev(pseudo_bda); 495 if (p_sec_rec != NULL) 496 { 497 memcpy(p_sec_rec->ble.cur_rand_addr, rpa, BD_ADDR_LEN); 498 499 /* unknown, if dummy address, set to static */ 500 if (rra_type == BTM_BLE_ADDR_PSEUDO) 501 p_sec_rec->ble.active_addr_type = rra_dummy ? BTM_BLE_ADDR_STATIC: BTM_BLE_ADDR_RRA; 502 else 503 p_sec_rec->ble.active_addr_type = rra_type; 504 } 505 else 506 { 507 BTM_TRACE_ERROR("No matching known device in record"); 508 return; 509 } 510 511 BTM_TRACE_DEBUG("%s: active_addr_type: %d ", 512 __func__, p_sec_rec->ble.active_addr_type); 513 514 /* connection refresh remote address */ 515 tACL_CONN *p_acl = btm_bda_to_acl(p_sec_rec->bd_addr, BT_TRANSPORT_LE); 516 if (p_acl == NULL) 517 p_acl = btm_bda_to_acl(p_sec_rec->ble.pseudo_addr, BT_TRANSPORT_LE); 518 519 if (p_acl != NULL) 520 { 521 if (rra_type == BTM_BLE_ADDR_PSEUDO) 522 { 523 /* use static address, resolvable_private_addr is empty */ 524 if (rra_dummy) 525 { 526 p_acl->active_remote_addr_type = p_sec_rec->ble.static_addr_type; 527 memcpy(p_acl->active_remote_addr, p_sec_rec->ble.static_addr, BD_ADDR_LEN); 528 } 529 else 530 { 531 p_acl->active_remote_addr_type = BLE_ADDR_RANDOM; 532 memcpy(p_acl->active_remote_addr, rpa, BD_ADDR_LEN); 533 } 534 } 535 else 536 { 537 p_acl->active_remote_addr_type = rra_type; 538 memcpy(p_acl->active_remote_addr, rpa, BD_ADDR_LEN); 539 } 540 541 BTM_TRACE_DEBUG("p_acl->active_remote_addr_type: %d ", p_acl->active_remote_addr_type); 542 BTM_TRACE_DEBUG("%s conn_addr: %02x:%02x:%02x:%02x:%02x:%02x", 543 __func__,p_acl->active_remote_addr[0], p_acl->active_remote_addr[1], 544 p_acl->active_remote_addr[2], p_acl->active_remote_addr[3], 545 p_acl->active_remote_addr[4], p_acl->active_remote_addr[5]); 546 } 547#endif 548} 549 550/******************************************************************************* 551** 552** Function btm_ble_refresh_local_resolvable_private_addr 553** 554** Description This function refresh the currently used resolvable private address for the 555** active link to the remote device 556** 557*******************************************************************************/ 558void btm_ble_refresh_local_resolvable_private_addr(BD_ADDR pseudo_addr, 559 BD_ADDR local_rpa) 560{ 561#if BLE_PRIVACY_SPT == TRUE 562 tACL_CONN *p = btm_bda_to_acl(pseudo_addr, BT_TRANSPORT_LE); 563 BD_ADDR dummy_bda = {0}; 564 565 if (p != NULL) 566 { 567 if (btm_cb.ble_ctr_cb.privacy_mode != BTM_PRIVACY_NONE) 568 { 569 p->conn_addr_type = BLE_ADDR_RANDOM; 570 if (memcmp(local_rpa, dummy_bda, BD_ADDR_LEN)) 571 memcpy(p->conn_addr, local_rpa, BD_ADDR_LEN); 572 else 573 memcpy(p->conn_addr, btm_cb.ble_ctr_cb.addr_mgnt_cb.private_addr, BD_ADDR_LEN); 574 } 575 else 576 { 577 p->conn_addr_type = BLE_ADDR_PUBLIC; 578 memcpy(p->conn_addr,&controller_get_interface()->get_address()->address, BD_ADDR_LEN); 579 } 580 } 581#endif 582} 583#endif 584 585 586