1 /****************************************************************************** 2 * 3 * Copyright (C) 1999-2012 Broadcom Corporation 4 * 5 * Licensed under the Apache License, Version 2.0 (the "License"); 6 * you may not use this file except in compliance with the License. 7 * You may obtain a copy of the License at: 8 * 9 * http://www.apache.org/licenses/LICENSE-2.0 10 * 11 * Unless required by applicable law or agreed to in writing, software 12 * distributed under the License is distributed on an "AS IS" BASIS, 13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 * See the License for the specific language governing permissions and 15 * limitations under the License. 16 * 17 ******************************************************************************/ 18 19 /****************************************************************************** 20 * 21 * This file contains functions for BLE address management. 22 * 23 ******************************************************************************/ 24 25 #include <string.h> 26 27 #include "bt_types.h" 28 #include "hcimsgs.h" 29 #include "btu.h" 30 #include "btm_int.h" 31 #include "gap_api.h" 32 #include "device/include/controller.h" 33 34 #if (defined BLE_INCLUDED && BLE_INCLUDED == TRUE) 35 #include "btm_ble_int.h" 36 #include "smp_api.h" 37 38 39 extern fixed_queue_t *btu_general_alarm_queue; 40 41 /******************************************************************************* 42 ** 43 ** Function btm_gen_resolve_paddr_cmpl 44 ** 45 ** Description This is callback functioin when resolvable private address 46 ** generation is complete. 47 ** 48 ** Returns void 49 ** 50 *******************************************************************************/ 51 static void btm_gen_resolve_paddr_cmpl(tSMP_ENC *p) 52 { 53 tBTM_LE_RANDOM_CB *p_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb; 54 BTM_TRACE_EVENT ("btm_gen_resolve_paddr_cmpl"); 55 56 if (p) 57 { 58 /* set hash to be LSB of rpAddress */ 59 p_cb->private_addr[5] = p->param_buf[0]; 60 p_cb->private_addr[4] = p->param_buf[1]; 61 p_cb->private_addr[3] = p->param_buf[2]; 62 /* set it to controller */ 63 btsnd_hcic_ble_set_random_addr(p_cb->private_addr); 64 65 p_cb->own_addr_type = BLE_ADDR_RANDOM; 66 67 /* start a periodical timer to refresh random addr */ 68 period_ms_t interval_ms = BTM_BLE_PRIVATE_ADDR_INT_MS; 69 #if (BTM_BLE_CONFORMANCE_TESTING == TRUE) 70 interval_ms = btm_cb.ble_ctr_cb.rpa_tout * 1000; 71 #endif 72 alarm_set_on_queue(p_cb->refresh_raddr_timer, interval_ms, 73 btm_ble_refresh_raddr_timer_timeout, NULL, 74 btu_general_alarm_queue); 75 } 76 else 77 { 78 /* random address set failure */ 79 BTM_TRACE_DEBUG("set random address failed"); 80 } 81 } 82 /******************************************************************************* 83 ** 84 ** Function btm_gen_resolve_paddr_low 85 ** 86 ** Description This function is called when random address has generate the 87 ** random number base for low 3 byte bd address. 88 ** 89 ** Returns void 90 ** 91 *******************************************************************************/ 92 void btm_gen_resolve_paddr_low(tBTM_RAND_ENC *p) 93 { 94 #if (BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE) 95 tBTM_LE_RANDOM_CB *p_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb; 96 tSMP_ENC output; 97 98 BTM_TRACE_EVENT ("btm_gen_resolve_paddr_low"); 99 if (p) 100 { 101 p->param_buf[2] &= (~BLE_RESOLVE_ADDR_MASK); 102 p->param_buf[2] |= BLE_RESOLVE_ADDR_MSB; 103 104 p_cb->private_addr[2] = p->param_buf[0]; 105 p_cb->private_addr[1] = p->param_buf[1]; 106 p_cb->private_addr[0] = p->param_buf[2]; 107 108 /* encrypt with ur IRK */ 109 if (!SMP_Encrypt(btm_cb.devcb.id_keys.irk, BT_OCTET16_LEN, p->param_buf, 3, &output)) 110 { 111 btm_gen_resolve_paddr_cmpl(NULL); 112 } 113 else 114 { 115 btm_gen_resolve_paddr_cmpl(&output); 116 } 117 } 118 #endif 119 } 120 /******************************************************************************* 121 ** 122 ** Function btm_gen_resolvable_private_addr 123 ** 124 ** Description This function generate a resolvable private address. 125 ** 126 ** Returns void 127 ** 128 *******************************************************************************/ 129 void btm_gen_resolvable_private_addr (void *p_cmd_cplt_cback) 130 { 131 BTM_TRACE_EVENT ("btm_gen_resolvable_private_addr"); 132 /* generate 3B rand as BD LSB, SRK with it, get BD MSB */ 133 if (!btsnd_hcic_ble_rand((void *)p_cmd_cplt_cback)) 134 btm_gen_resolve_paddr_cmpl(NULL); 135 } 136 /******************************************************************************* 137 ** 138 ** Function btm_gen_non_resolve_paddr_cmpl 139 ** 140 ** Description This is the callback function when non-resolvable private 141 ** function is generated and write to controller. 142 ** 143 ** Returns void 144 ** 145 *******************************************************************************/ 146 static void btm_gen_non_resolve_paddr_cmpl(tBTM_RAND_ENC *p) 147 { 148 tBTM_LE_RANDOM_CB *p_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb; 149 tBTM_BLE_ADDR_CBACK *p_cback = p_cb->p_generate_cback; 150 void *p_data = p_cb->p; 151 UINT8 *pp; 152 BD_ADDR static_random; 153 154 BTM_TRACE_EVENT ("btm_gen_non_resolve_paddr_cmpl"); 155 156 p_cb->p_generate_cback = NULL; 157 if (p) 158 { 159 160 pp = p->param_buf; 161 STREAM_TO_BDADDR(static_random, pp); 162 /* mask off the 2 MSB */ 163 static_random[0] &= BLE_STATIC_PRIVATE_MSB_MASK; 164 165 /* report complete */ 166 if (p_cback) 167 (* p_cback)(static_random, p_data); 168 } 169 else 170 { 171 BTM_TRACE_DEBUG("btm_gen_non_resolvable_private_addr failed"); 172 if (p_cback) 173 (* p_cback)(NULL, p_data); 174 } 175 } 176 /******************************************************************************* 177 ** 178 ** Function btm_gen_non_resolvable_private_addr 179 ** 180 ** Description This function generate a non-resolvable private address. 181 ** 182 ** 183 ** Returns void 184 ** 185 *******************************************************************************/ 186 void btm_gen_non_resolvable_private_addr (tBTM_BLE_ADDR_CBACK *p_cback, void *p) 187 { 188 tBTM_LE_RANDOM_CB *p_mgnt_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb; 189 190 BTM_TRACE_EVENT ("btm_gen_non_resolvable_private_addr"); 191 192 if (p_mgnt_cb->p_generate_cback != NULL) 193 return; 194 195 p_mgnt_cb->p_generate_cback = p_cback; 196 p_mgnt_cb->p = p; 197 if (!btsnd_hcic_ble_rand((void *)btm_gen_non_resolve_paddr_cmpl)) 198 { 199 btm_gen_non_resolve_paddr_cmpl(NULL); 200 } 201 202 } 203 204 #if SMP_INCLUDED == TRUE 205 /******************************************************************************* 206 ** Utility functions for Random address resolving 207 *******************************************************************************/ 208 /******************************************************************************* 209 ** 210 ** Function btm_ble_proc_resolve_x 211 ** 212 ** Description This function compares the X with random address 3 MSO bytes 213 ** to find a match. 214 ** 215 ** Returns TRUE on match, FALSE otherwise 216 ** 217 *******************************************************************************/ 218 static BOOLEAN btm_ble_proc_resolve_x(tSMP_ENC *p) 219 { 220 tBTM_LE_RANDOM_CB *p_mgnt_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb; 221 UINT8 comp[3]; 222 BTM_TRACE_EVENT ("btm_ble_proc_resolve_x"); 223 /* compare the hash with 3 LSB of bd address */ 224 comp[0] = p_mgnt_cb->random_bda[5]; 225 comp[1] = p_mgnt_cb->random_bda[4]; 226 comp[2] = p_mgnt_cb->random_bda[3]; 227 228 if (p) 229 { 230 if (!memcmp(p->param_buf, &comp[0], 3)) 231 { 232 /* match is found */ 233 BTM_TRACE_EVENT ("match is found"); 234 return TRUE; 235 } 236 } 237 return FALSE; 238 } 239 240 /******************************************************************************* 241 ** 242 ** Function btm_ble_init_pseudo_addr 243 ** 244 ** Description This function is used to initialize pseudo address. 245 ** If pseudo address is not available, use dummy address 246 ** 247 ** Returns TRUE is updated; FALSE otherwise. 248 ** 249 *******************************************************************************/ 250 BOOLEAN btm_ble_init_pseudo_addr (tBTM_SEC_DEV_REC *p_dev_rec, BD_ADDR new_pseudo_addr) 251 { 252 BD_ADDR dummy_bda = {0}; 253 254 if (memcmp(p_dev_rec->ble.pseudo_addr, dummy_bda, BD_ADDR_LEN) == 0) 255 { 256 memcpy(p_dev_rec->ble.pseudo_addr, new_pseudo_addr, BD_ADDR_LEN); 257 return TRUE; 258 } 259 260 return FALSE; 261 } 262 263 /******************************************************************************* 264 ** 265 ** Function btm_ble_addr_resolvable 266 ** 267 ** Description This function checks if a RPA is resolvable by the device key. 268 ** 269 ** Returns TRUE is resolvable; FALSE otherwise. 270 ** 271 *******************************************************************************/ 272 BOOLEAN btm_ble_addr_resolvable (BD_ADDR rpa, tBTM_SEC_DEV_REC *p_dev_rec) 273 { 274 BOOLEAN rt = FALSE; 275 276 if (!BTM_BLE_IS_RESOLVE_BDA(rpa)) 277 return rt; 278 279 UINT8 rand[3]; 280 tSMP_ENC output; 281 if ((p_dev_rec->device_type & BT_DEVICE_TYPE_BLE) && 282 (p_dev_rec->ble.key_type & BTM_LE_KEY_PID)) 283 { 284 BTM_TRACE_DEBUG("%s try to resolve", __func__); 285 /* use the 3 MSB of bd address as prand */ 286 rand[0] = rpa[2]; 287 rand[1] = rpa[1]; 288 rand[2] = rpa[0]; 289 290 /* generate X = E irk(R0, R1, R2) and R is random address 3 LSO */ 291 SMP_Encrypt(p_dev_rec->ble.keys.irk, BT_OCTET16_LEN, 292 &rand[0], 3, &output); 293 294 rand[0] = rpa[5]; 295 rand[1] = rpa[4]; 296 rand[2] = rpa[3]; 297 298 if (!memcmp(output.param_buf, &rand[0], 3)) 299 { 300 btm_ble_init_pseudo_addr (p_dev_rec, rpa); 301 rt = TRUE; 302 } 303 } 304 return rt; 305 } 306 307 /******************************************************************************* 308 ** 309 ** Function btm_ble_match_random_bda 310 ** 311 ** Description This function match the random address to the appointed device 312 ** record, starting from calculating IRK. If record index exceed 313 ** the maximum record number, matching failed and send callback. 314 ** 315 ** Returns None. 316 ** 317 *******************************************************************************/ 318 static BOOLEAN btm_ble_match_random_bda(void *data, void *context) 319 { 320 #if (BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE) 321 /* use the 3 MSB of bd address as prand */ 322 323 tBTM_LE_RANDOM_CB *p_mgnt_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb; 324 UINT8 rand[3]; 325 rand[0] = p_mgnt_cb->random_bda[2]; 326 rand[1] = p_mgnt_cb->random_bda[1]; 327 rand[2] = p_mgnt_cb->random_bda[0]; 328 329 BTM_TRACE_EVENT("%s next iteration", __func__); 330 331 tSMP_ENC output; 332 tBTM_SEC_DEV_REC *p_dev_rec = data; 333 334 BTM_TRACE_DEBUG("sec_flags = %02x device_type = %d", p_dev_rec->sec_flags, 335 p_dev_rec->device_type); 336 337 if (!(p_dev_rec->device_type & BT_DEVICE_TYPE_BLE) || 338 !(p_dev_rec->ble.key_type & BTM_LE_KEY_PID)) 339 return TRUE; 340 341 /* generate X = E irk(R0, R1, R2) and R is random address 3 LSO */ 342 SMP_Encrypt(p_dev_rec->ble.keys.irk, BT_OCTET16_LEN, 343 &rand[0], 3, &output); 344 // if it was match, finish iteration, otherwise continue 345 return !btm_ble_proc_resolve_x(&output); 346 #endif 347 } 348 349 /******************************************************************************* 350 ** 351 ** Function btm_ble_resolve_random_addr 352 ** 353 ** Description This function is called to resolve a random address. 354 ** 355 ** Returns pointer to the security record of the device whom a random 356 ** address is matched to. 357 ** 358 *******************************************************************************/ 359 void btm_ble_resolve_random_addr(BD_ADDR random_bda, tBTM_BLE_RESOLVE_CBACK * p_cback, void *p) 360 { 361 tBTM_LE_RANDOM_CB *p_mgnt_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb; 362 363 BTM_TRACE_EVENT("%s", __func__); 364 if ( !p_mgnt_cb->busy) { 365 p_mgnt_cb->p = p; 366 p_mgnt_cb->busy = TRUE; 367 memcpy(p_mgnt_cb->random_bda, random_bda, BD_ADDR_LEN); 368 /* start to resolve random address */ 369 /* check for next security record */ 370 371 list_node_t * n = list_foreach(btm_cb.sec_dev_rec, btm_ble_match_random_bda, NULL); 372 tBTM_SEC_DEV_REC *p_dev_rec = n ? list_node(n) : NULL; 373 374 BTM_TRACE_EVENT("%s: %sresolved", __func__, (p_dev_rec == NULL ? "not " : "")); 375 p_mgnt_cb->busy = FALSE; 376 377 (*p_cback)(p_dev_rec, p); 378 } else { 379 (*p_cback)(NULL, p); 380 } 381 } 382 #endif 383 384 /******************************************************************************* 385 ** address mapping between pseudo address and real connection address 386 *******************************************************************************/ 387 /******************************************************************************* 388 ** 389 ** Function btm_find_dev_by_identity_addr 390 ** 391 ** Description find the security record whose LE static address is matching 392 ** 393 *******************************************************************************/ 394 tBTM_SEC_DEV_REC* btm_find_dev_by_identity_addr(BD_ADDR bd_addr, UINT8 addr_type) 395 { 396 #if BLE_PRIVACY_SPT == TRUE 397 list_node_t *end = list_end(btm_cb.sec_dev_rec); 398 for (list_node_t *node = list_begin(btm_cb.sec_dev_rec); node != end; node = list_next(node)) { 399 tBTM_SEC_DEV_REC *p_dev_rec = list_node(node); 400 if (memcmp(p_dev_rec->ble.static_addr, bd_addr, BD_ADDR_LEN) == 0) { 401 if ((p_dev_rec->ble.static_addr_type & (~BLE_ADDR_TYPE_ID_BIT)) != 402 (addr_type & (~BLE_ADDR_TYPE_ID_BIT))) 403 BTM_TRACE_WARNING("%s find pseudo->random match with diff addr type: %d vs %d", 404 __func__, p_dev_rec->ble.static_addr_type, addr_type); 405 406 /* found the match */ 407 return p_dev_rec; 408 } 409 } 410 #endif 411 412 return NULL; 413 } 414 415 /******************************************************************************* 416 ** 417 ** Function btm_identity_addr_to_random_pseudo 418 ** 419 ** Description This function map a static BD address to a pseudo random address 420 ** in security database. 421 ** 422 *******************************************************************************/ 423 BOOLEAN btm_identity_addr_to_random_pseudo(BD_ADDR bd_addr, UINT8 *p_addr_type, BOOLEAN refresh) 424 { 425 #if BLE_PRIVACY_SPT == TRUE 426 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_identity_addr(bd_addr, *p_addr_type); 427 428 BTM_TRACE_EVENT ("%s", __func__); 429 /* evt reported on static address, map static address to random pseudo */ 430 if (p_dev_rec != NULL) 431 { 432 /* if RPA offloading is supported, or 4.2 controller, do RPA refresh */ 433 if (refresh && controller_get_interface()->get_ble_resolving_list_max_size() != 0) 434 btm_ble_read_resolving_list_entry(p_dev_rec); 435 436 /* assign the original address to be the current report address */ 437 if (!btm_ble_init_pseudo_addr (p_dev_rec, bd_addr)) 438 memcpy(bd_addr, p_dev_rec->ble.pseudo_addr, BD_ADDR_LEN); 439 440 *p_addr_type = p_dev_rec->ble.ble_addr_type; 441 return TRUE; 442 } 443 #endif 444 return FALSE; 445 } 446 447 /******************************************************************************* 448 ** 449 ** Function btm_random_pseudo_to_identity_addr 450 ** 451 ** Description This function map a random pseudo address to a public address 452 ** random_pseudo is input and output parameter 453 ** 454 *******************************************************************************/ 455 BOOLEAN btm_random_pseudo_to_identity_addr(BD_ADDR random_pseudo, UINT8 *p_static_addr_type) 456 { 457 #if BLE_PRIVACY_SPT == TRUE 458 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (random_pseudo); 459 460 if (p_dev_rec != NULL) 461 { 462 if (p_dev_rec->ble.in_controller_list & BTM_RESOLVING_LIST_BIT) 463 { 464 * p_static_addr_type = p_dev_rec->ble.static_addr_type; 465 memcpy(random_pseudo, p_dev_rec->ble.static_addr, BD_ADDR_LEN); 466 if (controller_get_interface()->supports_ble_privacy()) 467 *p_static_addr_type |= BLE_ADDR_TYPE_ID_BIT; 468 return TRUE; 469 } 470 } 471 #endif 472 return FALSE; 473 } 474 475 /******************************************************************************* 476 ** 477 ** Function btm_ble_refresh_peer_resolvable_private_addr 478 ** 479 ** Description This function refresh the currently used resolvable remote private address into security 480 ** database and set active connection address. 481 ** 482 *******************************************************************************/ 483 void btm_ble_refresh_peer_resolvable_private_addr(BD_ADDR pseudo_bda, BD_ADDR rpa, 484 UINT8 rra_type) 485 { 486 #if BLE_PRIVACY_SPT == TRUE 487 UINT8 rra_dummy = FALSE; 488 BD_ADDR dummy_bda = {0}; 489 490 if (memcmp(dummy_bda, rpa, BD_ADDR_LEN) == 0) 491 rra_dummy = TRUE; 492 493 /* update security record here, in adv event or connection complete process */ 494 tBTM_SEC_DEV_REC *p_sec_rec = btm_find_dev(pseudo_bda); 495 if (p_sec_rec != NULL) 496 { 497 memcpy(p_sec_rec->ble.cur_rand_addr, rpa, BD_ADDR_LEN); 498 499 /* unknown, if dummy address, set to static */ 500 if (rra_type == BTM_BLE_ADDR_PSEUDO) 501 p_sec_rec->ble.active_addr_type = rra_dummy ? BTM_BLE_ADDR_STATIC: BTM_BLE_ADDR_RRA; 502 else 503 p_sec_rec->ble.active_addr_type = rra_type; 504 } 505 else 506 { 507 BTM_TRACE_ERROR("No matching known device in record"); 508 return; 509 } 510 511 BTM_TRACE_DEBUG("%s: active_addr_type: %d ", 512 __func__, p_sec_rec->ble.active_addr_type); 513 514 /* connection refresh remote address */ 515 tACL_CONN *p_acl = btm_bda_to_acl(p_sec_rec->bd_addr, BT_TRANSPORT_LE); 516 if (p_acl == NULL) 517 p_acl = btm_bda_to_acl(p_sec_rec->ble.pseudo_addr, BT_TRANSPORT_LE); 518 519 if (p_acl != NULL) 520 { 521 if (rra_type == BTM_BLE_ADDR_PSEUDO) 522 { 523 /* use static address, resolvable_private_addr is empty */ 524 if (rra_dummy) 525 { 526 p_acl->active_remote_addr_type = p_sec_rec->ble.static_addr_type; 527 memcpy(p_acl->active_remote_addr, p_sec_rec->ble.static_addr, BD_ADDR_LEN); 528 } 529 else 530 { 531 p_acl->active_remote_addr_type = BLE_ADDR_RANDOM; 532 memcpy(p_acl->active_remote_addr, rpa, BD_ADDR_LEN); 533 } 534 } 535 else 536 { 537 p_acl->active_remote_addr_type = rra_type; 538 memcpy(p_acl->active_remote_addr, rpa, BD_ADDR_LEN); 539 } 540 541 BTM_TRACE_DEBUG("p_acl->active_remote_addr_type: %d ", p_acl->active_remote_addr_type); 542 BTM_TRACE_DEBUG("%s conn_addr: %02x:%02x:%02x:%02x:%02x:%02x", 543 __func__,p_acl->active_remote_addr[0], p_acl->active_remote_addr[1], 544 p_acl->active_remote_addr[2], p_acl->active_remote_addr[3], 545 p_acl->active_remote_addr[4], p_acl->active_remote_addr[5]); 546 } 547 #endif 548 } 549 550 /******************************************************************************* 551 ** 552 ** Function btm_ble_refresh_local_resolvable_private_addr 553 ** 554 ** Description This function refresh the currently used resolvable private address for the 555 ** active link to the remote device 556 ** 557 *******************************************************************************/ 558 void btm_ble_refresh_local_resolvable_private_addr(BD_ADDR pseudo_addr, 559 BD_ADDR local_rpa) 560 { 561 #if BLE_PRIVACY_SPT == TRUE 562 tACL_CONN *p = btm_bda_to_acl(pseudo_addr, BT_TRANSPORT_LE); 563 BD_ADDR dummy_bda = {0}; 564 565 if (p != NULL) 566 { 567 if (btm_cb.ble_ctr_cb.privacy_mode != BTM_PRIVACY_NONE) 568 { 569 p->conn_addr_type = BLE_ADDR_RANDOM; 570 if (memcmp(local_rpa, dummy_bda, BD_ADDR_LEN)) 571 memcpy(p->conn_addr, local_rpa, BD_ADDR_LEN); 572 else 573 memcpy(p->conn_addr, btm_cb.ble_ctr_cb.addr_mgnt_cb.private_addr, BD_ADDR_LEN); 574 } 575 else 576 { 577 p->conn_addr_type = BLE_ADDR_PUBLIC; 578 memcpy(p->conn_addr,&controller_get_interface()->get_address()->address, BD_ADDR_LEN); 579 } 580 } 581 #endif 582 } 583 #endif 584 585 586
