1 /******************************************************************************
2  *
3  *  Copyright (C) 1999-2012 Broadcom Corporation
4  *
5  *  Licensed under the Apache License, Version 2.0 (the "License");
6  *  you may not use this file except in compliance with the License.
7  *  You may obtain a copy of the License at:
8  *
9  *  http://www.apache.org/licenses/LICENSE-2.0
10  *
11  *  Unless required by applicable law or agreed to in writing, software
12  *  distributed under the License is distributed on an "AS IS" BASIS,
13  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  *  See the License for the specific language governing permissions and
15  *  limitations under the License.
16  *
17  ******************************************************************************/
18 
19 /******************************************************************************
20  *
21  *  This file contains functions for BLE controller based privacy.
22  *
23  ******************************************************************************/
24 #include <string.h>
25 #include "common/bt_target.h"
26 
27 #if (BLE_INCLUDED == TRUE && BLE_PRIVACY_SPT == TRUE)
28 #include "stack/bt_types.h"
29 #include "stack/hcimsgs.h"
30 #include "stack/btu.h"
31 //#include "vendor_hcidefs.h"
32 #include "btm_int.h"
33 #include "device/controller.h"
34 #include "stack/hcidefs.h"
35 
36 #define HCI_VENDOR_BLE_RPA_VSC          (0x0155 | HCI_GRP_VENDOR_SPECIFIC)
37 
38 /* RPA offload VSC specifics */
39 #define BTM_BLE_META_IRK_ENABLE         0x01
40 #define BTM_BLE_META_ADD_IRK_ENTRY      0x02
41 #define BTM_BLE_META_REMOVE_IRK_ENTRY   0x03
42 #define BTM_BLE_META_CLEAR_IRK_LIST     0x04
43 #define BTM_BLE_META_READ_IRK_ENTRY     0x05
44 #define BTM_BLE_META_CS_RESOLVE_ADDR    0x00000001
45 #define BTM_BLE_IRK_ENABLE_LEN          2
46 
47 #define BTM_BLE_META_ADD_IRK_LEN        24
48 #define BTM_BLE_META_REMOVE_IRK_LEN     8
49 #define BTM_BLE_META_CLEAR_IRK_LEN      1
50 #define BTM_BLE_META_READ_IRK_LEN       2
51 #define BTM_BLE_META_ADD_WL_ATTR_LEN    9
52 
53 /*******************************************************************************
54 **         Functions implemented controller based privacy using Resolving List
55 *******************************************************************************/
56 /*******************************************************************************
57 **
58 ** Function         btm_ble_enq_resolving_list_pending
59 **
60 ** Description      add target address into resolving pending operation queue
61 **
62 ** Parameters       target_bda: target device address
63 **                  add_entry: TRUE for add entry, FALSE for remove entry
64 **
65 ** Returns          void
66 **
67 *******************************************************************************/
btm_ble_enq_resolving_list_pending(BD_ADDR pseudo_bda,UINT8 op_code)68 void btm_ble_enq_resolving_list_pending(BD_ADDR pseudo_bda, UINT8 op_code)
69 {
70     tBTM_BLE_RESOLVE_Q *p_q = &btm_cb.ble_ctr_cb.resolving_list_pend_q;
71 
72     memcpy(p_q->resolve_q_random_pseudo[p_q->q_next], pseudo_bda, BD_ADDR_LEN);
73     p_q->resolve_q_action[p_q->q_next] = op_code;
74     p_q->q_next ++;
75     p_q->q_next %= controller_get_interface()->get_ble_resolving_list_max_size();
76 }
77 
78 /*******************************************************************************
79 **
80 ** Function         btm_ble_brcm_find_resolving_pending_entry
81 **
82 ** Description      check to see if the action is in pending list
83 **
84 ** Parameters       TRUE: action pending;
85 **                  FALSE: new action
86 **
87 ** Returns          void
88 **
89 *******************************************************************************/
btm_ble_brcm_find_resolving_pending_entry(BD_ADDR pseudo_addr,UINT8 action)90 BOOLEAN btm_ble_brcm_find_resolving_pending_entry(BD_ADDR pseudo_addr, UINT8 action)
91 {
92     tBTM_BLE_RESOLVE_Q *p_q = &btm_cb.ble_ctr_cb.resolving_list_pend_q;
93 
94     for (UINT8 i = p_q->q_pending; i != p_q->q_next;) {
95         if (memcmp(p_q->resolve_q_random_pseudo[i], pseudo_addr, BD_ADDR_LEN) == 0 &&
96                 action == p_q->resolve_q_action[i]) {
97             return TRUE;
98         }
99 
100         i ++;
101         i %= controller_get_interface()->get_ble_resolving_list_max_size();
102     }
103     return FALSE;
104 }
105 
106 /*******************************************************************************
107 **
108 ** Function         btm_ble_deq_resolving_pending
109 **
110 ** Description      dequeue target address from resolving pending operation queue
111 **
112 ** Parameters       pseudo_addr: pseudo_addr device address
113 **
114 ** Returns          void
115 **
116 *******************************************************************************/
btm_ble_deq_resolving_pending(BD_ADDR pseudo_addr)117 BOOLEAN btm_ble_deq_resolving_pending(BD_ADDR pseudo_addr)
118 {
119     tBTM_BLE_RESOLVE_Q *p_q = &btm_cb.ble_ctr_cb.resolving_list_pend_q;
120 
121     if (p_q->q_next != p_q->q_pending) {
122         memcpy(pseudo_addr, p_q->resolve_q_random_pseudo[p_q->q_pending], BD_ADDR_LEN);
123         memset(p_q->resolve_q_random_pseudo[p_q->q_pending], 0, BD_ADDR_LEN);
124         p_q->q_pending ++;
125         p_q->q_pending %= controller_get_interface()->get_ble_resolving_list_max_size();
126         return TRUE;
127     }
128 
129     return FALSE;
130 }
131 
132 /*******************************************************************************
133 **
134 ** Function         btm_ble_clear_irk_index
135 **
136 ** Description      clear IRK list index mask for availability
137 **
138 ** Returns          none
139 **
140 *******************************************************************************/
btm_ble_clear_irk_index(UINT8 index)141 void btm_ble_clear_irk_index(UINT8 index)
142 {
143     UINT8 byte;
144     UINT8 bit;
145 
146     if (index < controller_get_interface()->get_ble_resolving_list_max_size()) {
147         byte = index / 8;
148         bit = index % 8;
149         btm_cb.ble_ctr_cb.irk_list_mask[byte] &= (~(1 << bit));
150     }
151 }
152 
153 /*******************************************************************************
154 **
155 ** Function         btm_ble_find_irk_index
156 **
157 ** Description      find the first available IRK list index
158 **
159 ** Returns          index from 0 ~ max (127 default)
160 **
161 *******************************************************************************/
btm_ble_find_irk_index(void)162 UINT8 btm_ble_find_irk_index(void)
163 {
164     UINT8 i = 0;
165     UINT8 byte;
166     UINT8 bit;
167 
168     while (i < controller_get_interface()->get_ble_resolving_list_max_size()) {
169         byte = i / 8;
170         bit = i % 8;
171 
172         if ((btm_cb.ble_ctr_cb.irk_list_mask[byte] & (1 << bit)) == 0) {
173             btm_cb.ble_ctr_cb.irk_list_mask[byte] |= (1 << bit);
174             return i;
175         }
176         i++;
177     }
178 
179     BTM_TRACE_ERROR ("%s failed, list full", __func__);
180     return i;
181 }
182 
183 /*******************************************************************************
184 **
185 ** Function         btm_ble_update_resolving_list
186 **
187 ** Description      update resolving list entry in host maintained record
188 **
189 ** Returns          void
190 **
191 *******************************************************************************/
btm_ble_update_resolving_list(BD_ADDR pseudo_bda,BOOLEAN add)192 void btm_ble_update_resolving_list(BD_ADDR pseudo_bda, BOOLEAN add)
193 {
194     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev(pseudo_bda);
195     if (p_dev_rec == NULL) {
196         return;
197     }
198 
199     if (add) {
200         p_dev_rec->ble.in_controller_list |= BTM_RESOLVING_LIST_BIT;
201         if (!controller_get_interface()->supports_ble_privacy()) {
202             p_dev_rec->ble.resolving_list_index = btm_ble_find_irk_index();
203         }
204     } else {
205         p_dev_rec->ble.in_controller_list &= ~BTM_RESOLVING_LIST_BIT;
206         if (!controller_get_interface()->supports_ble_privacy()) {
207             /* clear IRK list index mask */
208             btm_ble_clear_irk_index(p_dev_rec->ble.resolving_list_index);
209             p_dev_rec->ble.resolving_list_index = 0;
210         }
211     }
212 }
213 
214 /*******************************************************************************
215 **
216 ** Function         btm_ble_clear_resolving_list_complete
217 **
218 ** Description      This function is called when command complete for
219 **                  clear resolving list
220 **
221 ** Returns          void
222 **
223 *******************************************************************************/
btm_ble_clear_resolving_list_complete(UINT8 * p,UINT16 evt_len)224 void btm_ble_clear_resolving_list_complete(UINT8 *p, UINT16 evt_len)
225 {
226     UINT8 status = 0;
227     STREAM_TO_UINT8(status, p);
228 
229     BTM_TRACE_DEBUG("%s status=%d", __func__, status);
230 
231     if (status == HCI_SUCCESS) {
232         if (evt_len >= 3) {
233             /* VSC complete has one extra byte for op code and list size, skip it here */
234             p ++;
235 
236             /* updated the available list size, and current list size */
237             uint8_t irk_list_sz_max = 0;
238             STREAM_TO_UINT8(irk_list_sz_max, p);
239 
240             if (controller_get_interface()->get_ble_resolving_list_max_size() == 0) {
241                 btm_ble_resolving_list_init(irk_list_sz_max);
242             }
243 
244             uint8_t irk_mask_size = (irk_list_sz_max % 8) ?
245                                     (irk_list_sz_max / 8 + 1) : (irk_list_sz_max / 8);
246             memset(btm_cb.ble_ctr_cb.irk_list_mask, 0, irk_mask_size);
247         }
248 
249         btm_cb.ble_ctr_cb.resolving_list_avail_size =
250             controller_get_interface()->get_ble_resolving_list_max_size();
251 
252         BTM_TRACE_DEBUG("%s resolving_list_avail_size=%d",
253                         __func__, btm_cb.ble_ctr_cb.resolving_list_avail_size);
254 
255 	list_node_t *p_node = NULL;
256         tBTM_SEC_DEV_REC *p_dev_rec = NULL;
257         for (p_node = list_begin(btm_cb.p_sec_dev_rec_list); p_node; p_node = list_next(p_node)) {
258 	    p_dev_rec = list_node(p_node);
259             p_dev_rec->ble.in_controller_list &= ~BTM_RESOLVING_LIST_BIT;
260 	}
261     }
262 }
263 
264 /*******************************************************************************
265 **
266 ** Function         btm_ble_add_resolving_list_entry_complete
267 **
268 ** Description      This function is called when command complete for
269 **                  add resolving list entry
270 **
271 ** Returns          void
272 **
273 *******************************************************************************/
btm_ble_add_resolving_list_entry_complete(UINT8 * p,UINT16 evt_len)274 void btm_ble_add_resolving_list_entry_complete(UINT8 *p, UINT16 evt_len)
275 {
276     UINT8 status;
277     STREAM_TO_UINT8(status, p);
278 
279     BTM_TRACE_DEBUG("%s status = %d", __func__, status);
280 
281     BD_ADDR pseudo_bda;
282     if (!btm_ble_deq_resolving_pending(pseudo_bda)) {
283         BTM_TRACE_DEBUG("no pending resolving list operation");
284         return;
285     }
286 
287     if (status == HCI_SUCCESS) {
288         /* privacy 1.2 command complete does not have these extra byte */
289         if (evt_len > 2) {
290             /* VSC complete has one extra byte for op code, skip it here */
291             p ++;
292             STREAM_TO_UINT8(btm_cb.ble_ctr_cb.resolving_list_avail_size, p);
293         } else {
294             btm_cb.ble_ctr_cb.resolving_list_avail_size --;
295         }
296     } else if (status == HCI_ERR_MEMORY_FULL) { /* BT_ERROR_CODE_MEMORY_CAPACITY_EXCEEDED  */
297         btm_cb.ble_ctr_cb.resolving_list_avail_size = 0;
298         BTM_TRACE_ERROR("%s Resolving list Full ", __func__);
299     } else {
300         BTM_TRACE_ERROR("%s Add resolving list error %d ", __func__, status);
301     }
302 
303 }
304 
305 /*******************************************************************************
306 **
307 ** Function         btm_ble_remove_resolving_list_entry_complete
308 **
309 ** Description      This function is called when command complete for
310 **                  remove resolving list entry
311 **
312 ** Returns          void
313 **
314 *******************************************************************************/
btm_ble_remove_resolving_list_entry_complete(UINT8 * p,UINT16 evt_len)315 void btm_ble_remove_resolving_list_entry_complete(UINT8 *p, UINT16 evt_len)
316 {
317     BD_ADDR pseudo_bda;
318     UINT8 status;
319 
320     STREAM_TO_UINT8(status, p);
321 
322     BTM_TRACE_DEBUG("%s status = %d", __func__, status);
323 
324     if (!btm_ble_deq_resolving_pending(pseudo_bda)) {
325         BTM_TRACE_ERROR("%s no pending resolving list operation", __func__);
326         return;
327     }
328 
329     if (status == HCI_SUCCESS) {
330         /* proprietary: spec does not have these extra bytes */
331         if (evt_len > 2) {
332             p ++; /* skip opcode */
333             STREAM_TO_UINT8(btm_cb.ble_ctr_cb.resolving_list_avail_size, p);
334         } else {
335             btm_cb.ble_ctr_cb.resolving_list_avail_size++;
336         }
337     } else {
338         BTM_TRACE_ERROR("%s remove resolving list error 0x%x", __func__, status);
339     }
340 }
341 
342 /*******************************************************************************
343 **
344 ** Function         btm_ble_read_resolving_list_entry_complete
345 **
346 ** Description      This function is called when command complete for
347 **                  remove resolving list entry
348 **
349 ** Returns          void
350 **
351 *******************************************************************************/
btm_ble_read_resolving_list_entry_complete(UINT8 * p,UINT16 evt_len)352 void btm_ble_read_resolving_list_entry_complete(UINT8 *p, UINT16 evt_len)
353 {
354     UINT8           status, rra_type = BTM_BLE_ADDR_PSEUDO;
355     BD_ADDR         rra, pseudo_bda;
356 
357     STREAM_TO_UINT8  (status, p);
358 
359     BTM_TRACE_DEBUG("%s status = %d", __func__, status);
360 
361     if (!btm_ble_deq_resolving_pending(pseudo_bda)) {
362         BTM_TRACE_ERROR("no pending resolving list operation");
363         return;
364     }
365 
366     if (status == HCI_SUCCESS) {
367         /* proprietary spec has extra bytes */
368         if (evt_len > 8) {
369             p += (2 + 16 + 1 + 6); /* skip subcode, index, IRK value, address type, identity addr type */
370             STREAM_TO_BDADDR(rra, p);
371 
372             BTM_TRACE_ERROR("%s peer_addr: %02x:%02x:%02x:%02x:%02x:%02x",
373                             __func__, rra[0], rra[1], rra[2], rra[3], rra[4], rra[5]);
374         } else {
375             STREAM_TO_BDADDR(rra, p);
376         }
377         btm_ble_refresh_peer_resolvable_private_addr(pseudo_bda, rra, rra_type);
378     }
379 }
380 /*******************************************************************************
381                 VSC that implement controller based privacy
382 ********************************************************************************/
383 /*******************************************************************************
384 **
385 ** Function         btm_ble_resolving_list_vsc_op_cmpl
386 **
387 ** Description      IRK operation VSC complete handler
388 **
389 ** Parameters
390 **
391 ** Returns          void
392 **
393 *******************************************************************************/
btm_ble_resolving_list_vsc_op_cmpl(tBTM_VSC_CMPL * p_params)394 void btm_ble_resolving_list_vsc_op_cmpl (tBTM_VSC_CMPL *p_params)
395 {
396     UINT8  *p = p_params->p_param_buf, op_subcode;
397     UINT16  evt_len = p_params->param_len;
398 
399     op_subcode   = *(p + 1);
400 
401     BTM_TRACE_DEBUG("%s op_subcode = %d", __func__, op_subcode);
402 
403     if (op_subcode == BTM_BLE_META_CLEAR_IRK_LIST) {
404         btm_ble_clear_resolving_list_complete(p, evt_len);
405     } else if (op_subcode == BTM_BLE_META_ADD_IRK_ENTRY) {
406         btm_ble_add_resolving_list_entry_complete(p, evt_len);
407     } else if (op_subcode == BTM_BLE_META_REMOVE_IRK_ENTRY) {
408         btm_ble_remove_resolving_list_entry_complete(p, evt_len);
409     } else if (op_subcode == BTM_BLE_META_READ_IRK_ENTRY) {
410         btm_ble_read_resolving_list_entry_complete(p, evt_len);
411     } else if (op_subcode == BTM_BLE_META_IRK_ENABLE) {
412         /* RPA offloading enable/disabled */
413     }
414 }
415 
416 /*******************************************************************************
417 **
418 ** Function         btm_ble_remove_resolving_list_entry
419 **
420 ** Description      This function to remove an IRK entry from the list
421 **
422 ** Parameters       ble_addr_type: address type
423 **                  ble_addr: LE adddress
424 **
425 ** Returns          status
426 **
427 *******************************************************************************/
btm_ble_remove_resolving_list_entry(tBTM_SEC_DEV_REC * p_dev_rec)428 tBTM_STATUS btm_ble_remove_resolving_list_entry(tBTM_SEC_DEV_REC *p_dev_rec)
429 {
430     /* if controller does not support RPA offloading or privacy 1.2, skip */
431     if (controller_get_interface()->get_ble_resolving_list_max_size() == 0) {
432         return BTM_WRONG_MODE;
433     }
434 
435     tBTM_STATUS st = BTM_NO_RESOURCES;
436     if (controller_get_interface()->supports_ble_privacy()) {
437         if (btsnd_hcic_ble_rm_device_resolving_list(p_dev_rec->ble.static_addr_type,
438                 p_dev_rec->ble.static_addr)) {
439             st =  BTM_CMD_STARTED;
440         }
441     } else {
442         UINT8 param[20] = {0};
443         UINT8 *p = param;
444 
445         UINT8_TO_STREAM(p, BTM_BLE_META_REMOVE_IRK_ENTRY);
446         UINT8_TO_STREAM(p, p_dev_rec->ble.static_addr_type);
447         BDADDR_TO_STREAM(p, p_dev_rec->ble.static_addr);
448 
449         st = BTM_VendorSpecificCommand(HCI_VENDOR_BLE_RPA_VSC,
450                                        BTM_BLE_META_REMOVE_IRK_LEN,
451                                        param,
452                                        btm_ble_resolving_list_vsc_op_cmpl);
453     }
454 
455     if (st == BTM_CMD_STARTED) {
456         btm_ble_enq_resolving_list_pending( p_dev_rec->bd_addr, BTM_BLE_META_REMOVE_IRK_ENTRY);
457     }
458 
459     return st;
460 }
461 
462 /*******************************************************************************
463 **
464 ** Function         btm_ble_clear_resolving_list
465 **
466 ** Description      This function clears the resolving  list
467 **
468 ** Parameters       None.
469 **
470 ** Returns          status
471 **
472 *******************************************************************************/
btm_ble_clear_resolving_list(void)473 tBTM_STATUS btm_ble_clear_resolving_list(void)
474 {
475     tBTM_STATUS st = BTM_NO_RESOURCES;
476 
477     if (controller_get_interface()->supports_ble_privacy()) {
478         if (btsnd_hcic_ble_clear_resolving_list()) {
479             st =  BTM_SUCCESS;
480         }
481     } else {
482         UINT8 param[20] = {0};
483         UINT8 *p = param;
484 
485         UINT8_TO_STREAM(p, BTM_BLE_META_CLEAR_IRK_LIST);
486         st = BTM_VendorSpecificCommand (HCI_VENDOR_BLE_RPA_VSC,
487                                         BTM_BLE_META_CLEAR_IRK_LEN,
488                                         param,
489                                         btm_ble_resolving_list_vsc_op_cmpl);
490     }
491 
492     return st;
493 }
494 
495 /*******************************************************************************
496 **
497 ** Function         btm_ble_read_resolving_list_entry
498 **
499 ** Description      This function read an IRK entry by index
500 **
501 ** Parameters       entry index.
502 **
503 ** Returns          status
504 **
505 *******************************************************************************/
btm_ble_read_resolving_list_entry(tBTM_SEC_DEV_REC * p_dev_rec)506 tBTM_STATUS btm_ble_read_resolving_list_entry(tBTM_SEC_DEV_REC *p_dev_rec)
507 {
508     tBTM_STATUS st = BTM_NO_RESOURCES;
509 
510     if (!(p_dev_rec->ble.in_controller_list & BTM_RESOLVING_LIST_BIT)) {
511         return BTM_WRONG_MODE;
512     }
513 
514     if (controller_get_interface()->supports_ble_privacy()) {
515         if (btsnd_hcic_ble_read_resolvable_addr_peer(p_dev_rec->ble.static_addr_type,
516                 p_dev_rec->ble.static_addr)) {
517             st =  BTM_CMD_STARTED;
518         }
519     } else {
520         UINT8 param[20] = {0};
521         UINT8 *p = param;
522 
523         UINT8_TO_STREAM(p, BTM_BLE_META_READ_IRK_ENTRY);
524         UINT8_TO_STREAM(p, p_dev_rec->ble.resolving_list_index);
525 
526         st = BTM_VendorSpecificCommand (HCI_VENDOR_BLE_RPA_VSC,
527                                         BTM_BLE_META_READ_IRK_LEN,
528                                         param,
529                                         btm_ble_resolving_list_vsc_op_cmpl);
530     }
531 
532     if (st == BTM_CMD_STARTED) {
533         btm_ble_enq_resolving_list_pending(p_dev_rec->bd_addr,
534                                            BTM_BLE_META_READ_IRK_ENTRY);
535     }
536 
537     return st;
538 }
539 
540 
541 /*******************************************************************************
542 **
543 ** Function         btm_ble_suspend_resolving_list_activity
544 **
545 ** Description      This function suspends all resolving list activity, including
546 **                  scan, initiating, and advertising, if resolving list is being
547 **                  enabled.
548 **
549 ** Parameters
550 **
551 ** Returns          TRUE if suspended; FALSE otherwise
552 **
553 *******************************************************************************/
btm_ble_suspend_resolving_list_activity(void)554 BOOLEAN btm_ble_suspend_resolving_list_activity(void)
555 {
556     tBTM_BLE_CB *p_ble_cb = &btm_cb.ble_ctr_cb;
557 
558     /* if resolving list is not enabled, do not need to terminate any activity */
559     /* if asking for stop all activity */
560     /* if already suspended */
561     if (p_ble_cb->suspended_rl_state != BTM_BLE_RL_IDLE) {
562         return TRUE;
563     }
564 
565     /* direct connection active, wait until it completed */
566     if (btm_ble_get_conn_st() == BLE_DIR_CONN) {
567         BTM_TRACE_ERROR("resolving list can not be edited, EnQ now");
568         return FALSE;
569     }
570 
571     p_ble_cb->suspended_rl_state = BTM_BLE_RL_IDLE;
572 
573     if (p_ble_cb->inq_var.adv_mode == BTM_BLE_ADV_ENABLE) {
574         btm_ble_stop_adv();
575         p_ble_cb->suspended_rl_state |= BTM_BLE_RL_ADV;
576     }
577 
578     if (BTM_BLE_IS_SCAN_ACTIVE(p_ble_cb->scan_activity)) {
579         btm_ble_stop_scan();
580         p_ble_cb->suspended_rl_state |= BTM_BLE_RL_SCAN;
581     }
582 
583     if (btm_ble_suspend_bg_conn()) {
584         p_ble_cb->suspended_rl_state |= BTM_BLE_RL_INIT;
585     }
586 
587     return TRUE;
588 }
589 
590 /*******************************************************************************
591 **
592 ** Function         btm_ble_resume_resolving_list_activity
593 **
594 ** Description      This function resumes the resolving list activity, including
595 **                  scanning, initiating, and advertising, if any of these
596 **                  activities has been suspended earlier.
597 **
598 ** Returns          none
599 **
600 *******************************************************************************/
btm_ble_resume_resolving_list_activity(void)601 void btm_ble_resume_resolving_list_activity(void)
602 {
603     tBTM_BLE_CB *p_ble_cb = &btm_cb.ble_ctr_cb;
604 
605     if (p_ble_cb->suspended_rl_state & BTM_BLE_RL_ADV) {
606         btm_ble_start_adv();
607     }
608 
609     if (p_ble_cb->suspended_rl_state & BTM_BLE_RL_SCAN) {
610         btm_ble_start_scan();
611     }
612 
613     if  (p_ble_cb->suspended_rl_state & BTM_BLE_RL_INIT) {
614         btm_ble_resume_bg_conn();
615     }
616 
617     p_ble_cb->suspended_rl_state = BTM_BLE_RL_IDLE;
618 }
619 
620 /*******************************************************************************
621 **
622 ** Function         btm_ble_vendor_enable_irk_feature
623 **
624 ** Description      This function is called to enable or disable the RRA
625 **                  offloading feature.
626 **
627 ** Parameters       enable: enable or disable the RRA offloading feature
628 **
629 ** Returns          BTM_SUCCESS if successful
630 **
631 *******************************************************************************/
btm_ble_vendor_enable_irk_feature(BOOLEAN enable)632 tBTM_STATUS btm_ble_vendor_enable_irk_feature(BOOLEAN enable)
633 {
634     UINT8           param[20], *p;
635     tBTM_STATUS     st = BTM_MODE_UNSUPPORTED;
636 
637     p = param;
638     memset(param, 0, 20);
639 
640     /* select feature based on control block settings */
641     UINT8_TO_STREAM(p, BTM_BLE_META_IRK_ENABLE);
642     UINT8_TO_STREAM(p, enable ? 0x01 : 0x00);
643 
644     st = BTM_VendorSpecificCommand (HCI_VENDOR_BLE_RPA_VSC, BTM_BLE_IRK_ENABLE_LEN,
645                                     param, btm_ble_resolving_list_vsc_op_cmpl);
646 
647     return st;
648 }
649 
650 /*******************************************************************************
651 **
652 ** Function         btm_ble_exe_disable_resolving_list
653 **
654 ** Description      execute resolving list disable
655 **
656 ** Returns          none
657 **
658 *******************************************************************************/
btm_ble_exe_disable_resolving_list(void)659 BOOLEAN btm_ble_exe_disable_resolving_list(void)
660 {
661     if (!btm_ble_suspend_resolving_list_activity()) {
662         return FALSE;
663     }
664 
665     if (!controller_get_interface()->supports_ble_privacy()) {
666         btm_ble_vendor_enable_irk_feature(FALSE);
667     } else {
668         //btsnd_hcic_ble_set_addr_resolution_enable(FALSE);
669     }
670 
671     return TRUE;
672 }
673 
674 /*******************************************************************************
675 **
676 ** Function         btm_ble_exe_enable_resolving_list
677 **
678 ** Description      enable LE resolve address list
679 **
680 ** Returns          none
681 **
682 *******************************************************************************/
btm_ble_exe_enable_resolving_list(void)683 void btm_ble_exe_enable_resolving_list(void)
684 {
685     if (!btm_ble_suspend_resolving_list_activity()) {
686         return;
687     }
688 
689     if (!controller_get_interface()->supports_ble_privacy()) {
690         btm_ble_vendor_enable_irk_feature(TRUE);
691     } else {
692         //btsnd_hcic_ble_set_addr_resolution_enable(TRUE);
693     }
694 }
695 
696 /*******************************************************************************
697 **
698 ** Function         btm_ble_disable_resolving_list
699 **
700 ** Description      Disable LE Address resolution
701 **
702 ** Returns          none
703 **
704 *******************************************************************************/
btm_ble_disable_resolving_list(UINT8 rl_mask,BOOLEAN to_resume)705 BOOLEAN btm_ble_disable_resolving_list(UINT8 rl_mask, BOOLEAN to_resume )
706 {
707     UINT8 rl_state = btm_cb.ble_ctr_cb.rl_state;
708 
709     /* if controller does not support RPA offloading or privacy 1.2, skip */
710     if (controller_get_interface()->get_ble_resolving_list_max_size() == 0) {
711         return FALSE;
712     }
713 
714     btm_cb.ble_ctr_cb.rl_state &= ~rl_mask;
715 
716     if (rl_state != BTM_BLE_RL_IDLE && btm_cb.ble_ctr_cb.rl_state == BTM_BLE_RL_IDLE) {
717         if (btm_ble_exe_disable_resolving_list()) {
718             if (to_resume) {
719                 btm_ble_resume_resolving_list_activity();
720             }
721 
722             return TRUE;
723         } else {
724             return FALSE;
725         }
726     }
727 
728     return TRUE;
729 }
730 
731 /*******************************************************************************
732 **
733 ** Function         btm_ble_resolving_list_load_dev
734 **
735 ** Description      This function add a device which is using RPA into white list
736 **
737 ** Parameters       pointer to device security record
738 **
739 ** Returns          TRUE if device added, otherwise falase.
740 **
741 *******************************************************************************/
btm_ble_resolving_list_load_dev(tBTM_SEC_DEV_REC * p_dev_rec)742 BOOLEAN btm_ble_resolving_list_load_dev(tBTM_SEC_DEV_REC *p_dev_rec)
743 {
744     BOOLEAN rt = FALSE;
745 #if (SMP_INCLUDED == TRUE)
746     UINT8 rl_mask = btm_cb.ble_ctr_cb.rl_state;
747 
748     BTM_TRACE_DEBUG("%s btm_cb.ble_ctr_cb.privacy_mode = %d\n", __func__,
749                     btm_cb.ble_ctr_cb.privacy_mode);
750 
751     /* if controller does not support RPA offloading or privacy 1.2, skip */
752     if (controller_get_interface()->get_ble_resolving_list_max_size() == 0) {
753         return FALSE;
754     }
755 
756     BTM_TRACE_DEBUG("%s btm_cb.ble_ctr_cb.privacy_mode = %d\n",
757                     __func__, btm_cb.ble_ctr_cb.privacy_mode);
758 
759     /* only add RPA enabled device into resolving list */
760     if (p_dev_rec != NULL && /* RPA is being used and PID is known */
761             (p_dev_rec->sec_flags & BTM_SEC_IN_USE) != 0 &&
762             ((p_dev_rec->ble.key_type & BTM_LE_KEY_PID) != 0 ||
763              (p_dev_rec->ble.key_type & BTM_LE_KEY_LID) != 0)) {
764         if (!(p_dev_rec->ble.in_controller_list & BTM_RESOLVING_LIST_BIT) &&
765                 btm_ble_brcm_find_resolving_pending_entry(p_dev_rec->bd_addr,
766                         BTM_BLE_META_ADD_IRK_ENTRY) == FALSE) {
767             if (btm_cb.ble_ctr_cb.resolving_list_avail_size > 0) {
768                 if (rl_mask) {
769                     if (!btm_ble_disable_resolving_list (rl_mask, FALSE)) {
770                         return FALSE;
771                     }
772                 }
773 
774                 btm_ble_update_resolving_list(p_dev_rec->bd_addr, TRUE);
775                 if (controller_get_interface()->supports_ble_privacy()) {
776                     BD_ADDR dummy_bda = {0};
777                     if (memcmp(p_dev_rec->ble.static_addr, dummy_bda, BD_ADDR_LEN) == 0) {
778                         memcpy(p_dev_rec->ble.static_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
779                         p_dev_rec->ble.static_addr_type = p_dev_rec->ble.ble_addr_type;
780                     }
781 
782 #if CONTROLLER_RPA_LIST_ENABLE
783                     BTM_TRACE_DEBUG("%s:adding device to controller resolving list\n", __func__);
784                     UINT8 *peer_irk = p_dev_rec->ble.keys.irk;
785                     UINT8 *local_irk = btm_cb.devcb.id_keys.irk;
786                     //use identical IRK for now
787                     rt = btsnd_hcic_ble_add_device_resolving_list(p_dev_rec->ble.static_addr_type,
788                            p_dev_rec->ble.static_addr, peer_irk, local_irk);
789 #else
790                     // do nothing
791                     /* It will cause that scanner doesn't send scan request to advertiser
792                      * which has sent IRK to us and we have stored the IRK in controller.
793                      * It is a hardware limitation. The preliminary solution is not to
794                      * send key to the controller, but to resolve the random address in host. */
795 
796 #endif
797 
798                 } else {
799                     UINT8 param[40] = {0};
800                     UINT8 *p = param;
801 
802                     UINT8_TO_STREAM(p, BTM_BLE_META_ADD_IRK_ENTRY);
803                     ARRAY_TO_STREAM(p, p_dev_rec->ble.keys.irk, BT_OCTET16_LEN);
804                     UINT8_TO_STREAM(p, p_dev_rec->ble.static_addr_type);
805                     BDADDR_TO_STREAM(p, p_dev_rec->ble.static_addr);
806 
807                     if (BTM_VendorSpecificCommand (HCI_VENDOR_BLE_RPA_VSC,
808                                                    BTM_BLE_META_ADD_IRK_LEN,
809                                                    param,
810                                                    btm_ble_resolving_list_vsc_op_cmpl)
811                             == BTM_CMD_STARTED) {
812                         rt = TRUE;
813                     }
814                 }
815 
816                 if (rt) {
817                     btm_ble_enq_resolving_list_pending(p_dev_rec->bd_addr,
818                                                        BTM_BLE_META_ADD_IRK_ENTRY);
819                 }
820 
821                 /* if resolving list has been turned on, re-enable it */
822                 // if (rl_mask) {
823                 //     btm_ble_enable_resolving_list(rl_mask);
824                 // } else {
825                 //     btm_ble_enable_resolving_list(BTM_BLE_RL_INIT);
826                 // }
827             } else {
828                 BTM_TRACE_WARNING("%s Resolving list full ", __func__);
829             }
830         } else {
831             BTM_TRACE_DEBUG("Device already in Resolving list\n");
832             rt = TRUE;
833         }
834     } else {
835         BTM_TRACE_DEBUG("Device not a RPA enabled device\n");
836     }
837 #endif  ///SMP_INCLUDED == TRUE
838     return rt;
839 }
840 
841 /*******************************************************************************
842 **
843 ** Function         btm_ble_resolving_list_remove_dev
844 **
845 ** Description      This function removes the device from resolving list
846 **
847 ** Parameters
848 **
849 ** Returns          status
850 **
851 *******************************************************************************/
btm_ble_resolving_list_remove_dev(tBTM_SEC_DEV_REC * p_dev_rec)852 void btm_ble_resolving_list_remove_dev(tBTM_SEC_DEV_REC *p_dev_rec)
853 {
854     UINT8 rl_mask = btm_cb.ble_ctr_cb.rl_state;
855 
856     BTM_TRACE_EVENT ("%s\n", __func__);
857     if (rl_mask) {
858         if (!btm_ble_disable_resolving_list (rl_mask, FALSE)) {
859             return;
860         }
861     }
862 
863     if ((p_dev_rec->ble.in_controller_list & BTM_RESOLVING_LIST_BIT) &&
864             btm_ble_brcm_find_resolving_pending_entry(p_dev_rec->bd_addr,
865                     BTM_BLE_META_REMOVE_IRK_ENTRY) == FALSE) {
866         btm_ble_update_resolving_list( p_dev_rec->bd_addr, FALSE);
867         btm_ble_remove_resolving_list_entry(p_dev_rec);
868     } else {
869         BTM_TRACE_DEBUG("Device not in resolving list\n");
870     }
871 
872     /* if resolving list has been turned on, re-enable it */
873     // if (rl_mask) {
874     //     btm_ble_enable_resolving_list(rl_mask);
875     // }
876 }
877 
878 /*******************************************************************************
879 **
880 ** Function         btm_ble_enable_resolving_list
881 **
882 ** Description      enable LE resolve address list
883 **
884 ** Returns          none
885 **
886 *******************************************************************************/
btm_ble_enable_resolving_list(UINT8 rl_mask)887 void btm_ble_enable_resolving_list(UINT8 rl_mask)
888 {
889     UINT8 rl_state = btm_cb.ble_ctr_cb.rl_state;
890 
891     btm_cb.ble_ctr_cb.rl_state |= rl_mask;
892     if (rl_state == BTM_BLE_RL_IDLE &&
893             btm_cb.ble_ctr_cb.rl_state != BTM_BLE_RL_IDLE &&
894             controller_get_interface()->get_ble_resolving_list_max_size() != 0) {
895         btm_ble_exe_enable_resolving_list();
896         btm_ble_resume_resolving_list_activity();
897     }
898 }
899 
900 #if 0 //Unused
901 /*******************************************************************************
902 **
903 ** Function         btm_ble_resolving_list_empty
904 **
905 ** Description      check to see if resoving list is empty or not
906 **
907 ** Returns          TRUE: empty; FALSE non-empty
908 **
909 *******************************************************************************/
910 BOOLEAN btm_ble_resolving_list_empty(void)
911 {
912     return (controller_get_interface()->get_ble_resolving_list_max_size() ==
913             btm_cb.ble_ctr_cb.resolving_list_avail_size);
914 }
915 #endif
916 
917 /*******************************************************************************
918 **
919 ** Function         btm_ble_enable_resolving_list_for_platform
920 **
921 ** Description      enable/disable resolving list feature depending on if any
922 **                  resolving list is empty and whitelist is involoved in the
923 **                  operation.
924 **
925 ** Returns          none
926 **
927 *******************************************************************************/
btm_ble_enable_resolving_list_for_platform(UINT8 rl_mask)928 void btm_ble_enable_resolving_list_for_platform (UINT8 rl_mask)
929 {
930     /* if controller does not support, skip */
931     if (controller_get_interface()->get_ble_resolving_list_max_size() == 0) {
932         return;
933     }
934 
935     if (btm_cb.ble_ctr_cb.wl_state == BTM_BLE_WL_IDLE) {
936         if (controller_get_interface()->get_ble_resolving_list_max_size() >
937                 btm_cb.ble_ctr_cb.resolving_list_avail_size) {
938             btm_ble_enable_resolving_list(rl_mask);
939         } else {
940             btm_ble_disable_resolving_list(rl_mask, TRUE);
941         }
942         return;
943     }
944 
945     tBTM_SEC_DEV_REC *p_dev = NULL;
946     list_node_t *p_node = NULL;
947     for (p_node = list_begin(btm_cb.p_sec_dev_rec_list); p_node; p_node = list_next(p_node)) {
948         p_dev = list_node(p_node);
949 	if ((p_dev->ble.in_controller_list & BTM_RESOLVING_LIST_BIT) &&
950                 (p_dev->ble.in_controller_list & BTM_WHITE_LIST_BIT)) {
951             btm_ble_enable_resolving_list(rl_mask);
952             return;
953         }
954     }
955     btm_ble_disable_resolving_list(rl_mask, TRUE);
956 }
957 
958 /*******************************************************************************
959 **
960 ** Function         btm_ble_resolving_list_init
961 **
962 ** Description      Initialize resolving list in host stack
963 **
964 ** Parameters       Max resolving list size
965 **
966 ** Returns          void
967 **
968 *******************************************************************************/
btm_ble_resolving_list_init(UINT8 max_irk_list_sz)969 void btm_ble_resolving_list_init(UINT8 max_irk_list_sz)
970 {
971     tBTM_BLE_RESOLVE_Q *p_q = &btm_cb.ble_ctr_cb.resolving_list_pend_q;
972     UINT8 irk_mask_size =  (max_irk_list_sz % 8) ?
973                            (max_irk_list_sz / 8 + 1) : (max_irk_list_sz / 8);
974 
975     if (max_irk_list_sz > 0) {
976         p_q->resolve_q_random_pseudo = (BD_ADDR *)osi_malloc(sizeof(BD_ADDR) * max_irk_list_sz);
977         p_q->resolve_q_action = (UINT8 *)osi_malloc(max_irk_list_sz);
978 
979         /* RPA offloading feature */
980         if (btm_cb.ble_ctr_cb.irk_list_mask == NULL) {
981             btm_cb.ble_ctr_cb.irk_list_mask = (UINT8 *)osi_malloc(irk_mask_size);
982         }
983 
984         BTM_TRACE_DEBUG ("%s max_irk_list_sz = %d", __func__, max_irk_list_sz);
985     }
986 
987     controller_get_interface()->set_ble_resolving_list_max_size(max_irk_list_sz);
988     btm_ble_clear_resolving_list();
989     btm_cb.ble_ctr_cb.resolving_list_avail_size = max_irk_list_sz;
990 }
991 
992 /*******************************************************************************
993 **
994 ** Function         btm_ble_resolving_list_cleanup
995 **
996 ** Description      Cleanup resolving list dynamic memory
997 **
998 ** Parameters
999 **
1000 ** Returns          void
1001 **
1002 *******************************************************************************/
btm_ble_resolving_list_cleanup(void)1003 void btm_ble_resolving_list_cleanup(void)
1004 {
1005     tBTM_BLE_RESOLVE_Q *p_q = &btm_cb.ble_ctr_cb.resolving_list_pend_q;
1006 
1007     if (p_q->resolve_q_random_pseudo) {
1008         osi_free(p_q->resolve_q_random_pseudo);
1009         p_q->resolve_q_random_pseudo = NULL;
1010     }
1011 
1012     if (p_q->resolve_q_action) {
1013         osi_free(p_q->resolve_q_action);
1014         p_q->resolve_q_action = NULL;
1015     }
1016 
1017     controller_get_interface()->set_ble_resolving_list_max_size(0);
1018     if (btm_cb.ble_ctr_cb.irk_list_mask) {
1019         osi_free(btm_cb.ble_ctr_cb.irk_list_mask);
1020         btm_cb.ble_ctr_cb.irk_list_mask = NULL;
1021     }
1022 
1023 }
1024 
btm_ble_add_default_entry_to_resolving_list(void)1025 void btm_ble_add_default_entry_to_resolving_list(void)
1026 {
1027     /*
1028      * Add local IRK entry with 00:00:00:00:00:00 address. This entry will
1029      * be used to generate RPA for non-directed advertising if own_addr_type
1030      * is set to rpa_pub since we use all-zero address as peer addres in
1031      * such case. Peer IRK should be left all-zero since this is not for an
1032      * actual peer.
1033      */
1034     BD_ADDR peer_addr = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0};
1035     BT_OCTET16 peer_irk = {0x0};
1036 
1037     btsnd_hcic_ble_add_device_resolving_list (BLE_ADDR_PUBLIC, peer_addr, peer_irk, btm_cb.devcb.id_keys.irk);
1038 }
1039 #endif
1040