1 /******************************************************************************
2 *
3 * Copyright (C) 1999-2012 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18
19 /******************************************************************************
20 *
21 * This file contains functions for BLE address management.
22 *
23 ******************************************************************************/
24
25 #include <string.h>
26
27 #include "bt_types.h"
28 #include "hcimsgs.h"
29 #include "btu.h"
30 #include "btm_int.h"
31 #include "gap_api.h"
32 #include "device/include/controller.h"
33
34 #if (defined BLE_INCLUDED && BLE_INCLUDED == TRUE)
35 #include "btm_ble_int.h"
36 #include "smp_api.h"
37
38
39 extern fixed_queue_t *btu_general_alarm_queue;
40
41 /*******************************************************************************
42 **
43 ** Function btm_gen_resolve_paddr_cmpl
44 **
45 ** Description This is callback functioin when resolvable private address
46 ** generation is complete.
47 **
48 ** Returns void
49 **
50 *******************************************************************************/
btm_gen_resolve_paddr_cmpl(tSMP_ENC * p)51 static void btm_gen_resolve_paddr_cmpl(tSMP_ENC *p)
52 {
53 tBTM_LE_RANDOM_CB *p_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb;
54 BTM_TRACE_EVENT ("btm_gen_resolve_paddr_cmpl");
55
56 if (p)
57 {
58 /* set hash to be LSB of rpAddress */
59 p_cb->private_addr[5] = p->param_buf[0];
60 p_cb->private_addr[4] = p->param_buf[1];
61 p_cb->private_addr[3] = p->param_buf[2];
62 /* set it to controller */
63 btsnd_hcic_ble_set_random_addr(p_cb->private_addr);
64
65 p_cb->own_addr_type = BLE_ADDR_RANDOM;
66
67 /* start a periodical timer to refresh random addr */
68 period_ms_t interval_ms = BTM_BLE_PRIVATE_ADDR_INT_MS;
69 #if (BTM_BLE_CONFORMANCE_TESTING == TRUE)
70 interval_ms = btm_cb.ble_ctr_cb.rpa_tout * 1000;
71 #endif
72 alarm_set_on_queue(p_cb->refresh_raddr_timer, interval_ms,
73 btm_ble_refresh_raddr_timer_timeout, NULL,
74 btu_general_alarm_queue);
75 }
76 else
77 {
78 /* random address set failure */
79 BTM_TRACE_DEBUG("set random address failed");
80 }
81 }
82 /*******************************************************************************
83 **
84 ** Function btm_gen_resolve_paddr_low
85 **
86 ** Description This function is called when random address has generate the
87 ** random number base for low 3 byte bd address.
88 **
89 ** Returns void
90 **
91 *******************************************************************************/
btm_gen_resolve_paddr_low(tBTM_RAND_ENC * p)92 void btm_gen_resolve_paddr_low(tBTM_RAND_ENC *p)
93 {
94 #if (BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE)
95 tBTM_LE_RANDOM_CB *p_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb;
96 tSMP_ENC output;
97
98 BTM_TRACE_EVENT ("btm_gen_resolve_paddr_low");
99 if (p)
100 {
101 p->param_buf[2] &= (~BLE_RESOLVE_ADDR_MASK);
102 p->param_buf[2] |= BLE_RESOLVE_ADDR_MSB;
103
104 p_cb->private_addr[2] = p->param_buf[0];
105 p_cb->private_addr[1] = p->param_buf[1];
106 p_cb->private_addr[0] = p->param_buf[2];
107
108 /* encrypt with ur IRK */
109 if (!SMP_Encrypt(btm_cb.devcb.id_keys.irk, BT_OCTET16_LEN, p->param_buf, 3, &output))
110 {
111 btm_gen_resolve_paddr_cmpl(NULL);
112 }
113 else
114 {
115 btm_gen_resolve_paddr_cmpl(&output);
116 }
117 }
118 #endif
119 }
120 /*******************************************************************************
121 **
122 ** Function btm_gen_resolvable_private_addr
123 **
124 ** Description This function generate a resolvable private address.
125 **
126 ** Returns void
127 **
128 *******************************************************************************/
btm_gen_resolvable_private_addr(void * p_cmd_cplt_cback)129 void btm_gen_resolvable_private_addr (void *p_cmd_cplt_cback)
130 {
131 BTM_TRACE_EVENT ("btm_gen_resolvable_private_addr");
132 /* generate 3B rand as BD LSB, SRK with it, get BD MSB */
133 if (!btsnd_hcic_ble_rand((void *)p_cmd_cplt_cback))
134 btm_gen_resolve_paddr_cmpl(NULL);
135 }
136 /*******************************************************************************
137 **
138 ** Function btm_gen_non_resolve_paddr_cmpl
139 **
140 ** Description This is the callback function when non-resolvable private
141 ** function is generated and write to controller.
142 **
143 ** Returns void
144 **
145 *******************************************************************************/
btm_gen_non_resolve_paddr_cmpl(tBTM_RAND_ENC * p)146 static void btm_gen_non_resolve_paddr_cmpl(tBTM_RAND_ENC *p)
147 {
148 tBTM_LE_RANDOM_CB *p_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb;
149 tBTM_BLE_ADDR_CBACK *p_cback = p_cb->p_generate_cback;
150 void *p_data = p_cb->p;
151 UINT8 *pp;
152 BD_ADDR static_random;
153
154 BTM_TRACE_EVENT ("btm_gen_non_resolve_paddr_cmpl");
155
156 p_cb->p_generate_cback = NULL;
157 if (p)
158 {
159
160 pp = p->param_buf;
161 STREAM_TO_BDADDR(static_random, pp);
162 /* mask off the 2 MSB */
163 static_random[0] &= BLE_STATIC_PRIVATE_MSB_MASK;
164
165 /* report complete */
166 if (p_cback)
167 (* p_cback)(static_random, p_data);
168 }
169 else
170 {
171 BTM_TRACE_DEBUG("btm_gen_non_resolvable_private_addr failed");
172 if (p_cback)
173 (* p_cback)(NULL, p_data);
174 }
175 }
176 /*******************************************************************************
177 **
178 ** Function btm_gen_non_resolvable_private_addr
179 **
180 ** Description This function generate a non-resolvable private address.
181 **
182 **
183 ** Returns void
184 **
185 *******************************************************************************/
btm_gen_non_resolvable_private_addr(tBTM_BLE_ADDR_CBACK * p_cback,void * p)186 void btm_gen_non_resolvable_private_addr (tBTM_BLE_ADDR_CBACK *p_cback, void *p)
187 {
188 tBTM_LE_RANDOM_CB *p_mgnt_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb;
189
190 BTM_TRACE_EVENT ("btm_gen_non_resolvable_private_addr");
191
192 if (p_mgnt_cb->p_generate_cback != NULL)
193 return;
194
195 p_mgnt_cb->p_generate_cback = p_cback;
196 p_mgnt_cb->p = p;
197 if (!btsnd_hcic_ble_rand((void *)btm_gen_non_resolve_paddr_cmpl))
198 {
199 btm_gen_non_resolve_paddr_cmpl(NULL);
200 }
201
202 }
203
204 #if SMP_INCLUDED == TRUE
205 /*******************************************************************************
206 ** Utility functions for Random address resolving
207 *******************************************************************************/
208 /*******************************************************************************
209 **
210 ** Function btm_ble_proc_resolve_x
211 **
212 ** Description This function compares the X with random address 3 MSO bytes
213 ** to find a match.
214 **
215 ** Returns TRUE on match, FALSE otherwise
216 **
217 *******************************************************************************/
btm_ble_proc_resolve_x(tSMP_ENC * p)218 static BOOLEAN btm_ble_proc_resolve_x(tSMP_ENC *p)
219 {
220 tBTM_LE_RANDOM_CB *p_mgnt_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb;
221 UINT8 comp[3];
222 BTM_TRACE_EVENT ("btm_ble_proc_resolve_x");
223 /* compare the hash with 3 LSB of bd address */
224 comp[0] = p_mgnt_cb->random_bda[5];
225 comp[1] = p_mgnt_cb->random_bda[4];
226 comp[2] = p_mgnt_cb->random_bda[3];
227
228 if (p)
229 {
230 if (!memcmp(p->param_buf, &comp[0], 3))
231 {
232 /* match is found */
233 BTM_TRACE_EVENT ("match is found");
234 return TRUE;
235 }
236 }
237 return FALSE;
238 }
239
240 /*******************************************************************************
241 **
242 ** Function btm_ble_init_pseudo_addr
243 **
244 ** Description This function is used to initialize pseudo address.
245 ** If pseudo address is not available, use dummy address
246 **
247 ** Returns TRUE is updated; FALSE otherwise.
248 **
249 *******************************************************************************/
btm_ble_init_pseudo_addr(tBTM_SEC_DEV_REC * p_dev_rec,BD_ADDR new_pseudo_addr)250 BOOLEAN btm_ble_init_pseudo_addr (tBTM_SEC_DEV_REC *p_dev_rec, BD_ADDR new_pseudo_addr)
251 {
252 BD_ADDR dummy_bda = {0};
253
254 if (memcmp(p_dev_rec->ble.pseudo_addr, dummy_bda, BD_ADDR_LEN) == 0)
255 {
256 memcpy(p_dev_rec->ble.pseudo_addr, new_pseudo_addr, BD_ADDR_LEN);
257 return TRUE;
258 }
259
260 return FALSE;
261 }
262
263 /*******************************************************************************
264 **
265 ** Function btm_ble_addr_resolvable
266 **
267 ** Description This function checks if a RPA is resolvable by the device key.
268 **
269 ** Returns TRUE is resolvable; FALSE otherwise.
270 **
271 *******************************************************************************/
btm_ble_addr_resolvable(BD_ADDR rpa,tBTM_SEC_DEV_REC * p_dev_rec)272 BOOLEAN btm_ble_addr_resolvable (BD_ADDR rpa, tBTM_SEC_DEV_REC *p_dev_rec)
273 {
274 BOOLEAN rt = FALSE;
275
276 if (!BTM_BLE_IS_RESOLVE_BDA(rpa))
277 return rt;
278
279 UINT8 rand[3];
280 tSMP_ENC output;
281 if ((p_dev_rec->device_type & BT_DEVICE_TYPE_BLE) &&
282 (p_dev_rec->ble.key_type & BTM_LE_KEY_PID))
283 {
284 BTM_TRACE_DEBUG("%s try to resolve", __func__);
285 /* use the 3 MSB of bd address as prand */
286 rand[0] = rpa[2];
287 rand[1] = rpa[1];
288 rand[2] = rpa[0];
289
290 /* generate X = E irk(R0, R1, R2) and R is random address 3 LSO */
291 SMP_Encrypt(p_dev_rec->ble.keys.irk, BT_OCTET16_LEN,
292 &rand[0], 3, &output);
293
294 rand[0] = rpa[5];
295 rand[1] = rpa[4];
296 rand[2] = rpa[3];
297
298 if (!memcmp(output.param_buf, &rand[0], 3))
299 {
300 btm_ble_init_pseudo_addr (p_dev_rec, rpa);
301 rt = TRUE;
302 }
303 }
304 return rt;
305 }
306
307 /*******************************************************************************
308 **
309 ** Function btm_ble_match_random_bda
310 **
311 ** Description This function match the random address to the appointed device
312 ** record, starting from calculating IRK. If record index exceed
313 ** the maximum record number, matching failed and send callback.
314 **
315 ** Returns None.
316 **
317 *******************************************************************************/
btm_ble_match_random_bda(void * data,void * context)318 static BOOLEAN btm_ble_match_random_bda(void *data, void *context)
319 {
320 #if (BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE)
321 /* use the 3 MSB of bd address as prand */
322
323 tBTM_LE_RANDOM_CB *p_mgnt_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb;
324 UINT8 rand[3];
325 rand[0] = p_mgnt_cb->random_bda[2];
326 rand[1] = p_mgnt_cb->random_bda[1];
327 rand[2] = p_mgnt_cb->random_bda[0];
328
329 BTM_TRACE_EVENT("%s next iteration", __func__);
330
331 tSMP_ENC output;
332 tBTM_SEC_DEV_REC *p_dev_rec = data;
333
334 BTM_TRACE_DEBUG("sec_flags = %02x device_type = %d", p_dev_rec->sec_flags,
335 p_dev_rec->device_type);
336
337 if (!(p_dev_rec->device_type & BT_DEVICE_TYPE_BLE) ||
338 !(p_dev_rec->ble.key_type & BTM_LE_KEY_PID))
339 return TRUE;
340
341 /* generate X = E irk(R0, R1, R2) and R is random address 3 LSO */
342 SMP_Encrypt(p_dev_rec->ble.keys.irk, BT_OCTET16_LEN,
343 &rand[0], 3, &output);
344 // if it was match, finish iteration, otherwise continue
345 return !btm_ble_proc_resolve_x(&output);
346 #endif
347 }
348
349 /*******************************************************************************
350 **
351 ** Function btm_ble_resolve_random_addr
352 **
353 ** Description This function is called to resolve a random address.
354 **
355 ** Returns pointer to the security record of the device whom a random
356 ** address is matched to.
357 **
358 *******************************************************************************/
btm_ble_resolve_random_addr(BD_ADDR random_bda,tBTM_BLE_RESOLVE_CBACK * p_cback,void * p)359 void btm_ble_resolve_random_addr(BD_ADDR random_bda, tBTM_BLE_RESOLVE_CBACK * p_cback, void *p)
360 {
361 tBTM_LE_RANDOM_CB *p_mgnt_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb;
362
363 BTM_TRACE_EVENT("%s", __func__);
364 if ( !p_mgnt_cb->busy) {
365 p_mgnt_cb->p = p;
366 p_mgnt_cb->busy = TRUE;
367 memcpy(p_mgnt_cb->random_bda, random_bda, BD_ADDR_LEN);
368 /* start to resolve random address */
369 /* check for next security record */
370
371 list_node_t * n = list_foreach(btm_cb.sec_dev_rec, btm_ble_match_random_bda, NULL);
372 tBTM_SEC_DEV_REC *p_dev_rec = n ? list_node(n) : NULL;
373
374 BTM_TRACE_EVENT("%s: %sresolved", __func__, (p_dev_rec == NULL ? "not " : ""));
375 p_mgnt_cb->busy = FALSE;
376
377 (*p_cback)(p_dev_rec, p);
378 } else {
379 (*p_cback)(NULL, p);
380 }
381 }
382 #endif
383
384 /*******************************************************************************
385 ** address mapping between pseudo address and real connection address
386 *******************************************************************************/
387 /*******************************************************************************
388 **
389 ** Function btm_find_dev_by_identity_addr
390 **
391 ** Description find the security record whose LE static address is matching
392 **
393 *******************************************************************************/
btm_find_dev_by_identity_addr(BD_ADDR bd_addr,UINT8 addr_type)394 tBTM_SEC_DEV_REC* btm_find_dev_by_identity_addr(BD_ADDR bd_addr, UINT8 addr_type)
395 {
396 #if BLE_PRIVACY_SPT == TRUE
397 list_node_t *end = list_end(btm_cb.sec_dev_rec);
398 for (list_node_t *node = list_begin(btm_cb.sec_dev_rec); node != end; node = list_next(node)) {
399 tBTM_SEC_DEV_REC *p_dev_rec = list_node(node);
400 if (memcmp(p_dev_rec->ble.static_addr, bd_addr, BD_ADDR_LEN) == 0) {
401 if ((p_dev_rec->ble.static_addr_type & (~BLE_ADDR_TYPE_ID_BIT)) !=
402 (addr_type & (~BLE_ADDR_TYPE_ID_BIT)))
403 BTM_TRACE_WARNING("%s find pseudo->random match with diff addr type: %d vs %d",
404 __func__, p_dev_rec->ble.static_addr_type, addr_type);
405
406 /* found the match */
407 return p_dev_rec;
408 }
409 }
410 #endif
411
412 return NULL;
413 }
414
415 /*******************************************************************************
416 **
417 ** Function btm_identity_addr_to_random_pseudo
418 **
419 ** Description This function map a static BD address to a pseudo random address
420 ** in security database.
421 **
422 *******************************************************************************/
btm_identity_addr_to_random_pseudo(BD_ADDR bd_addr,UINT8 * p_addr_type,BOOLEAN refresh)423 BOOLEAN btm_identity_addr_to_random_pseudo(BD_ADDR bd_addr, UINT8 *p_addr_type, BOOLEAN refresh)
424 {
425 #if BLE_PRIVACY_SPT == TRUE
426 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_identity_addr(bd_addr, *p_addr_type);
427
428 BTM_TRACE_EVENT ("%s", __func__);
429 /* evt reported on static address, map static address to random pseudo */
430 if (p_dev_rec != NULL)
431 {
432 /* if RPA offloading is supported, or 4.2 controller, do RPA refresh */
433 if (refresh && controller_get_interface()->get_ble_resolving_list_max_size() != 0)
434 btm_ble_read_resolving_list_entry(p_dev_rec);
435
436 /* assign the original address to be the current report address */
437 if (!btm_ble_init_pseudo_addr (p_dev_rec, bd_addr))
438 memcpy(bd_addr, p_dev_rec->ble.pseudo_addr, BD_ADDR_LEN);
439
440 *p_addr_type = p_dev_rec->ble.ble_addr_type;
441 return TRUE;
442 }
443 #endif
444 return FALSE;
445 }
446
447 /*******************************************************************************
448 **
449 ** Function btm_random_pseudo_to_identity_addr
450 **
451 ** Description This function map a random pseudo address to a public address
452 ** random_pseudo is input and output parameter
453 **
454 *******************************************************************************/
btm_random_pseudo_to_identity_addr(BD_ADDR random_pseudo,UINT8 * p_static_addr_type)455 BOOLEAN btm_random_pseudo_to_identity_addr(BD_ADDR random_pseudo, UINT8 *p_static_addr_type)
456 {
457 #if BLE_PRIVACY_SPT == TRUE
458 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (random_pseudo);
459
460 if (p_dev_rec != NULL)
461 {
462 if (p_dev_rec->ble.in_controller_list & BTM_RESOLVING_LIST_BIT)
463 {
464 * p_static_addr_type = p_dev_rec->ble.static_addr_type;
465 memcpy(random_pseudo, p_dev_rec->ble.static_addr, BD_ADDR_LEN);
466 if (controller_get_interface()->supports_ble_privacy())
467 *p_static_addr_type |= BLE_ADDR_TYPE_ID_BIT;
468 return TRUE;
469 }
470 }
471 #endif
472 return FALSE;
473 }
474
475 /*******************************************************************************
476 **
477 ** Function btm_ble_refresh_peer_resolvable_private_addr
478 **
479 ** Description This function refresh the currently used resolvable remote private address into security
480 ** database and set active connection address.
481 **
482 *******************************************************************************/
btm_ble_refresh_peer_resolvable_private_addr(BD_ADDR pseudo_bda,BD_ADDR rpa,UINT8 rra_type)483 void btm_ble_refresh_peer_resolvable_private_addr(BD_ADDR pseudo_bda, BD_ADDR rpa,
484 UINT8 rra_type)
485 {
486 #if BLE_PRIVACY_SPT == TRUE
487 UINT8 rra_dummy = FALSE;
488 BD_ADDR dummy_bda = {0};
489
490 if (memcmp(dummy_bda, rpa, BD_ADDR_LEN) == 0)
491 rra_dummy = TRUE;
492
493 /* update security record here, in adv event or connection complete process */
494 tBTM_SEC_DEV_REC *p_sec_rec = btm_find_dev(pseudo_bda);
495 if (p_sec_rec != NULL)
496 {
497 memcpy(p_sec_rec->ble.cur_rand_addr, rpa, BD_ADDR_LEN);
498
499 /* unknown, if dummy address, set to static */
500 if (rra_type == BTM_BLE_ADDR_PSEUDO)
501 p_sec_rec->ble.active_addr_type = rra_dummy ? BTM_BLE_ADDR_STATIC: BTM_BLE_ADDR_RRA;
502 else
503 p_sec_rec->ble.active_addr_type = rra_type;
504 }
505 else
506 {
507 BTM_TRACE_ERROR("No matching known device in record");
508 return;
509 }
510
511 BTM_TRACE_DEBUG("%s: active_addr_type: %d ",
512 __func__, p_sec_rec->ble.active_addr_type);
513
514 /* connection refresh remote address */
515 tACL_CONN *p_acl = btm_bda_to_acl(p_sec_rec->bd_addr, BT_TRANSPORT_LE);
516 if (p_acl == NULL)
517 p_acl = btm_bda_to_acl(p_sec_rec->ble.pseudo_addr, BT_TRANSPORT_LE);
518
519 if (p_acl != NULL)
520 {
521 if (rra_type == BTM_BLE_ADDR_PSEUDO)
522 {
523 /* use static address, resolvable_private_addr is empty */
524 if (rra_dummy)
525 {
526 p_acl->active_remote_addr_type = p_sec_rec->ble.static_addr_type;
527 memcpy(p_acl->active_remote_addr, p_sec_rec->ble.static_addr, BD_ADDR_LEN);
528 }
529 else
530 {
531 p_acl->active_remote_addr_type = BLE_ADDR_RANDOM;
532 memcpy(p_acl->active_remote_addr, rpa, BD_ADDR_LEN);
533 }
534 }
535 else
536 {
537 p_acl->active_remote_addr_type = rra_type;
538 memcpy(p_acl->active_remote_addr, rpa, BD_ADDR_LEN);
539 }
540
541 BTM_TRACE_DEBUG("p_acl->active_remote_addr_type: %d ", p_acl->active_remote_addr_type);
542 BTM_TRACE_DEBUG("%s conn_addr: %02x:%02x:%02x:%02x:%02x:%02x",
543 __func__,p_acl->active_remote_addr[0], p_acl->active_remote_addr[1],
544 p_acl->active_remote_addr[2], p_acl->active_remote_addr[3],
545 p_acl->active_remote_addr[4], p_acl->active_remote_addr[5]);
546 }
547 #endif
548 }
549
550 /*******************************************************************************
551 **
552 ** Function btm_ble_refresh_local_resolvable_private_addr
553 **
554 ** Description This function refresh the currently used resolvable private address for the
555 ** active link to the remote device
556 **
557 *******************************************************************************/
btm_ble_refresh_local_resolvable_private_addr(BD_ADDR pseudo_addr,BD_ADDR local_rpa)558 void btm_ble_refresh_local_resolvable_private_addr(BD_ADDR pseudo_addr,
559 BD_ADDR local_rpa)
560 {
561 #if BLE_PRIVACY_SPT == TRUE
562 tACL_CONN *p = btm_bda_to_acl(pseudo_addr, BT_TRANSPORT_LE);
563 BD_ADDR dummy_bda = {0};
564
565 if (p != NULL)
566 {
567 if (btm_cb.ble_ctr_cb.privacy_mode != BTM_PRIVACY_NONE)
568 {
569 p->conn_addr_type = BLE_ADDR_RANDOM;
570 if (memcmp(local_rpa, dummy_bda, BD_ADDR_LEN))
571 memcpy(p->conn_addr, local_rpa, BD_ADDR_LEN);
572 else
573 memcpy(p->conn_addr, btm_cb.ble_ctr_cb.addr_mgnt_cb.private_addr, BD_ADDR_LEN);
574 }
575 else
576 {
577 p->conn_addr_type = BLE_ADDR_PUBLIC;
578 memcpy(p->conn_addr,&controller_get_interface()->get_address()->address, BD_ADDR_LEN);
579 }
580 }
581 #endif
582 }
583 #endif
584
585
586