1 /******************************************************************************
2 *
3 * Copyright 1999-2012 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18
19 /******************************************************************************
20 *
21 * This file contains functions for BLE address management.
22 *
23 ******************************************************************************/
24
25 #include <base/bind.h>
26 #include <string.h>
27
28 #include "bt_types.h"
29 #include "btm_int.h"
30 #include "btu.h"
31 #include "device/include/controller.h"
32 #include "gap_api.h"
33 #include "hcimsgs.h"
34
35 #include "btm_ble_int.h"
36 #include "stack/crypto_toolbox/crypto_toolbox.h"
37
38 /* This function generates Resolvable Private Address (RPA) from Identity
39 * Resolving Key |irk| and |random|*/
generate_rpa_from_irk_and_rand(const Octet16 & irk,BT_OCTET8 random)40 RawAddress generate_rpa_from_irk_and_rand(const Octet16& irk,
41 BT_OCTET8 random) {
42 random[2] &= (~BLE_RESOLVE_ADDR_MASK);
43 random[2] |= BLE_RESOLVE_ADDR_MSB;
44
45 RawAddress address;
46 address.address[2] = random[0];
47 address.address[1] = random[1];
48 address.address[0] = random[2];
49
50 /* encrypt with IRK */
51 Octet16 p = crypto_toolbox::aes_128(irk, random, 3);
52
53 /* set hash to be LSB of rpAddress */
54 address.address[5] = p[0];
55 address.address[4] = p[1];
56 address.address[3] = p[2];
57 return address;
58 }
59
60 /** This function is called when random address for local controller was
61 * generated */
btm_gen_resolve_paddr_low(const RawAddress & address)62 void btm_gen_resolve_paddr_low(const RawAddress& address) {
63 tBTM_LE_RANDOM_CB* p_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb;
64
65 BTM_TRACE_EVENT("btm_gen_resolve_paddr_low");
66
67 p_cb->private_addr = address;
68
69 /* set it to controller */
70 btm_ble_set_random_address(p_cb->private_addr);
71
72 p_cb->own_addr_type = BLE_ADDR_RANDOM;
73
74 /* start a periodical timer to refresh random addr */
75 uint64_t interval_ms = BTM_BLE_PRIVATE_ADDR_INT_MS;
76 #if (BTM_BLE_CONFORMANCE_TESTING == TRUE)
77 interval_ms = btm_cb.ble_ctr_cb.rpa_tout * 1000;
78 #endif
79 alarm_set_on_mloop(p_cb->refresh_raddr_timer, interval_ms,
80 btm_ble_refresh_raddr_timer_timeout, NULL);
81 }
82
83 /** This function generate a resolvable private address using local IRK */
btm_gen_resolvable_private_addr(base::Callback<void (const RawAddress &)> cb)84 void btm_gen_resolvable_private_addr(
85 base::Callback<void(const RawAddress&)> cb) {
86 BTM_TRACE_EVENT("%s", __func__);
87 /* generate 3B rand as BD LSB, SRK with it, get BD MSB */
88 btsnd_hcic_ble_rand(base::Bind(
89 [](base::Callback<void(const RawAddress&)> cb, BT_OCTET8 random) {
90 const Octet16& irk = BTM_GetDeviceIDRoot();
91 cb.Run(generate_rpa_from_irk_and_rand(irk, random));
92 },
93 std::move(cb)));
94 }
95
96 /*******************************************************************************
97 *
98 * Function btm_gen_non_resolve_paddr_cmpl
99 *
100 * Description This is the callback function when non-resolvable private
101 * function is generated and write to controller.
102 *
103 * Returns void
104 *
105 ******************************************************************************/
btm_gen_non_resolve_paddr_cmpl(BT_OCTET8 rand)106 static void btm_gen_non_resolve_paddr_cmpl(BT_OCTET8 rand) {
107 tBTM_LE_RANDOM_CB* p_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb;
108 tBTM_BLE_ADDR_CBACK* p_cback = p_cb->p_generate_cback;
109 void* p_data = p_cb->p;
110 uint8_t* pp;
111 RawAddress static_random;
112
113 BTM_TRACE_EVENT("btm_gen_non_resolve_paddr_cmpl");
114
115 p_cb->p_generate_cback = NULL;
116 pp = rand;
117 STREAM_TO_BDADDR(static_random, pp);
118 /* mask off the 2 MSB */
119 static_random.address[0] &= BLE_STATIC_PRIVATE_MSB_MASK;
120
121 /* report complete */
122 if (p_cback) (*p_cback)(static_random, p_data);
123 }
124 /*******************************************************************************
125 *
126 * Function btm_gen_non_resolvable_private_addr
127 *
128 * Description This function generate a non-resolvable private address.
129 *
130 *
131 * Returns void
132 *
133 ******************************************************************************/
btm_gen_non_resolvable_private_addr(tBTM_BLE_ADDR_CBACK * p_cback,void * p)134 void btm_gen_non_resolvable_private_addr(tBTM_BLE_ADDR_CBACK* p_cback,
135 void* p) {
136 tBTM_LE_RANDOM_CB* p_mgnt_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb;
137
138 BTM_TRACE_EVENT("btm_gen_non_resolvable_private_addr");
139
140 if (p_mgnt_cb->p_generate_cback != NULL) return;
141
142 p_mgnt_cb->p_generate_cback = p_cback;
143 p_mgnt_cb->p = p;
144 btsnd_hcic_ble_rand(base::Bind(&btm_gen_non_resolve_paddr_cmpl));
145 }
146
147 /*******************************************************************************
148 * Utility functions for Random address resolving
149 ******************************************************************************/
150
151 /*******************************************************************************
152 *
153 * Function btm_ble_init_pseudo_addr
154 *
155 * Description This function is used to initialize pseudo address.
156 * If pseudo address is not available, use dummy address
157 *
158 * Returns true is updated; false otherwise.
159 *
160 ******************************************************************************/
btm_ble_init_pseudo_addr(tBTM_SEC_DEV_REC * p_dev_rec,const RawAddress & new_pseudo_addr)161 bool btm_ble_init_pseudo_addr(tBTM_SEC_DEV_REC* p_dev_rec,
162 const RawAddress& new_pseudo_addr) {
163 if (p_dev_rec->ble.pseudo_addr.IsEmpty()) {
164 p_dev_rec->ble.pseudo_addr = new_pseudo_addr;
165 return true;
166 }
167
168 return false;
169 }
170
171 /* Return true if given Resolvable Privae Address |rpa| matches Identity
172 * Resolving Key |irk| */
rpa_matches_irk(const RawAddress & rpa,const Octet16 & irk)173 static bool rpa_matches_irk(const RawAddress& rpa, const Octet16& irk) {
174 /* use the 3 MSB of bd address as prand */
175 uint8_t rand[3];
176 rand[0] = rpa.address[2];
177 rand[1] = rpa.address[1];
178 rand[2] = rpa.address[0];
179
180 /* generate X = E irk(R0, R1, R2) and R is random address 3 LSO */
181 Octet16 x = crypto_toolbox::aes_128(irk, &rand[0], 3);
182
183 rand[0] = rpa.address[5];
184 rand[1] = rpa.address[4];
185 rand[2] = rpa.address[3];
186
187 if (memcmp(x.data(), &rand[0], 3) == 0) {
188 // match
189 return true;
190 }
191 // not a match
192 return false;
193 }
194
195 /** This function checks if a RPA is resolvable by the device key.
196 * Returns true is resolvable; false otherwise.
197 */
btm_ble_addr_resolvable(const RawAddress & rpa,tBTM_SEC_DEV_REC * p_dev_rec)198 bool btm_ble_addr_resolvable(const RawAddress& rpa,
199 tBTM_SEC_DEV_REC* p_dev_rec) {
200 if (!BTM_BLE_IS_RESOLVE_BDA(rpa)) return false;
201
202 if ((p_dev_rec->device_type & BT_DEVICE_TYPE_BLE) &&
203 (p_dev_rec->ble.key_type & BTM_LE_KEY_PID)) {
204 BTM_TRACE_DEBUG("%s try to resolve", __func__);
205
206 if (rpa_matches_irk(rpa, p_dev_rec->ble.keys.irk)) {
207 btm_ble_init_pseudo_addr(p_dev_rec, rpa);
208 return true;
209 }
210 }
211 return false;
212 }
213
214 /** This function match the random address to the appointed device record,
215 * starting from calculating IRK. If the record index exceeds the maximum record
216 * number, matching failed and send a callback. */
btm_ble_match_random_bda(void * data,void * context)217 static bool btm_ble_match_random_bda(void* data, void* context) {
218 BTM_TRACE_EVENT("%s next iteration", __func__);
219 RawAddress* random_bda = (RawAddress*)context;
220
221 tBTM_SEC_DEV_REC* p_dev_rec = static_cast<tBTM_SEC_DEV_REC*>(data);
222
223 BTM_TRACE_DEBUG("sec_flags = %02x device_type = %d", p_dev_rec->sec_flags,
224 p_dev_rec->device_type);
225
226 if (!(p_dev_rec->device_type & BT_DEVICE_TYPE_BLE) ||
227 !(p_dev_rec->ble.key_type & BTM_LE_KEY_PID))
228 return true;
229
230 if (rpa_matches_irk(*random_bda, p_dev_rec->ble.keys.irk)) {
231 BTM_TRACE_EVENT("match is found");
232 // if it was match, finish iteration, otherwise continue
233 return false;
234 }
235
236 // not a match, continue iteration
237 return true;
238 }
239
240 /** This function is called to resolve a random address.
241 * Returns pointer to the security record of the device whom a random address is
242 * matched to.
243 */
btm_ble_resolve_random_addr(const RawAddress & random_bda)244 tBTM_SEC_DEV_REC* btm_ble_resolve_random_addr(const RawAddress& random_bda) {
245 BTM_TRACE_EVENT("%s", __func__);
246
247 /* start to resolve random address */
248 /* check for next security record */
249
250 list_node_t* n = list_foreach(btm_cb.sec_dev_rec, btm_ble_match_random_bda,
251 (void*)&random_bda);
252 tBTM_SEC_DEV_REC* p_dev_rec = nullptr;
253 if (n != nullptr) p_dev_rec = static_cast<tBTM_SEC_DEV_REC*>(list_node(n));
254
255 BTM_TRACE_EVENT("%s: %sresolved", __func__,
256 (p_dev_rec == nullptr ? "not " : ""));
257 return p_dev_rec;
258 }
259
260 /*******************************************************************************
261 * address mapping between pseudo address and real connection address
262 ******************************************************************************/
263 /** Find the security record whose LE identity address is matching */
btm_find_dev_by_identity_addr(const RawAddress & bd_addr,uint8_t addr_type)264 tBTM_SEC_DEV_REC* btm_find_dev_by_identity_addr(const RawAddress& bd_addr,
265 uint8_t addr_type) {
266 #if (BLE_PRIVACY_SPT == TRUE)
267 list_node_t* end = list_end(btm_cb.sec_dev_rec);
268 for (list_node_t* node = list_begin(btm_cb.sec_dev_rec); node != end;
269 node = list_next(node)) {
270 tBTM_SEC_DEV_REC* p_dev_rec =
271 static_cast<tBTM_SEC_DEV_REC*>(list_node(node));
272 if (p_dev_rec->ble.identity_addr == bd_addr) {
273 if ((p_dev_rec->ble.identity_addr_type & (~BLE_ADDR_TYPE_ID_BIT)) !=
274 (addr_type & (~BLE_ADDR_TYPE_ID_BIT)))
275 BTM_TRACE_WARNING(
276 "%s find pseudo->random match with diff addr type: %d vs %d",
277 __func__, p_dev_rec->ble.identity_addr_type, addr_type);
278
279 /* found the match */
280 return p_dev_rec;
281 }
282 }
283 #endif
284
285 return NULL;
286 }
287
288 /*******************************************************************************
289 *
290 * Function btm_identity_addr_to_random_pseudo
291 *
292 * Description This function map a static BD address to a pseudo random
293 * address in security database.
294 *
295 ******************************************************************************/
btm_identity_addr_to_random_pseudo(RawAddress * bd_addr,uint8_t * p_addr_type,bool refresh)296 bool btm_identity_addr_to_random_pseudo(RawAddress* bd_addr,
297 uint8_t* p_addr_type, bool refresh) {
298 #if (BLE_PRIVACY_SPT == TRUE)
299 tBTM_SEC_DEV_REC* p_dev_rec =
300 btm_find_dev_by_identity_addr(*bd_addr, *p_addr_type);
301
302 BTM_TRACE_EVENT("%s", __func__);
303 /* evt reported on static address, map static address to random pseudo */
304 if (p_dev_rec != NULL) {
305 /* if RPA offloading is supported, or 4.2 controller, do RPA refresh */
306 if (refresh &&
307 controller_get_interface()->get_ble_resolving_list_max_size() != 0)
308 btm_ble_read_resolving_list_entry(p_dev_rec);
309
310 /* assign the original address to be the current report address */
311 if (!btm_ble_init_pseudo_addr(p_dev_rec, *bd_addr))
312 *bd_addr = p_dev_rec->ble.pseudo_addr;
313
314 *p_addr_type = p_dev_rec->ble.ble_addr_type;
315 return true;
316 }
317 #endif
318 return false;
319 }
320
321 /*******************************************************************************
322 *
323 * Function btm_random_pseudo_to_identity_addr
324 *
325 * Description This function map a random pseudo address to a public
326 * address. random_pseudo is input and output parameter
327 *
328 ******************************************************************************/
btm_random_pseudo_to_identity_addr(RawAddress * random_pseudo,uint8_t * p_identity_addr_type)329 bool btm_random_pseudo_to_identity_addr(RawAddress* random_pseudo,
330 uint8_t* p_identity_addr_type) {
331 #if (BLE_PRIVACY_SPT == TRUE)
332 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(*random_pseudo);
333
334 if (p_dev_rec != NULL) {
335 if (p_dev_rec->ble.in_controller_list & BTM_RESOLVING_LIST_BIT) {
336 *p_identity_addr_type = p_dev_rec->ble.identity_addr_type;
337 *random_pseudo = p_dev_rec->ble.identity_addr;
338 if (controller_get_interface()->supports_ble_privacy())
339 *p_identity_addr_type |= BLE_ADDR_TYPE_ID_BIT;
340 return true;
341 }
342 }
343 #endif
344 return false;
345 }
346
347 /*******************************************************************************
348 *
349 * Function btm_ble_refresh_peer_resolvable_private_addr
350 *
351 * Description This function refresh the currently used resolvable remote
352 * private address into security database and set active
353 * connection address.
354 *
355 ******************************************************************************/
btm_ble_refresh_peer_resolvable_private_addr(const RawAddress & pseudo_bda,const RawAddress & rpa,uint8_t rra_type)356 void btm_ble_refresh_peer_resolvable_private_addr(const RawAddress& pseudo_bda,
357 const RawAddress& rpa,
358 uint8_t rra_type) {
359 #if (BLE_PRIVACY_SPT == TRUE)
360 uint8_t rra_dummy = false;
361 if (rpa.IsEmpty()) rra_dummy = true;
362
363 /* update security record here, in adv event or connection complete process */
364 tBTM_SEC_DEV_REC* p_sec_rec = btm_find_dev(pseudo_bda);
365 if (p_sec_rec != NULL) {
366 p_sec_rec->ble.cur_rand_addr = rpa;
367
368 /* unknown, if dummy address, set to static */
369 if (rra_type == BTM_BLE_ADDR_PSEUDO)
370 p_sec_rec->ble.active_addr_type =
371 rra_dummy ? BTM_BLE_ADDR_STATIC : BTM_BLE_ADDR_RRA;
372 else
373 p_sec_rec->ble.active_addr_type = rra_type;
374 } else {
375 BTM_TRACE_ERROR("No matching known device in record");
376 return;
377 }
378
379 BTM_TRACE_DEBUG("%s: active_addr_type: %d ", __func__,
380 p_sec_rec->ble.active_addr_type);
381
382 /* connection refresh remote address */
383 tACL_CONN* p_acl = btm_bda_to_acl(p_sec_rec->bd_addr, BT_TRANSPORT_LE);
384 if (p_acl == NULL)
385 p_acl = btm_bda_to_acl(p_sec_rec->ble.pseudo_addr, BT_TRANSPORT_LE);
386
387 if (p_acl != NULL) {
388 if (rra_type == BTM_BLE_ADDR_PSEUDO) {
389 /* use identity address, resolvable_private_addr is empty */
390 if (rra_dummy) {
391 p_acl->active_remote_addr_type = p_sec_rec->ble.identity_addr_type;
392 p_acl->active_remote_addr = p_sec_rec->ble.identity_addr;
393 } else {
394 p_acl->active_remote_addr_type = BLE_ADDR_RANDOM;
395 p_acl->active_remote_addr = rpa;
396 }
397 } else {
398 p_acl->active_remote_addr_type = rra_type;
399 p_acl->active_remote_addr = rpa;
400 }
401
402 BTM_TRACE_DEBUG("p_acl->active_remote_addr_type: %d ",
403 p_acl->active_remote_addr_type);
404 VLOG(1) << __func__ << " conn_addr: " << p_acl->active_remote_addr;
405 }
406 #endif
407 }
408
409 /*******************************************************************************
410 *
411 * Function btm_ble_refresh_local_resolvable_private_addr
412 *
413 * Description This function refresh the currently used resolvable private
414 * address for the active link to the remote device
415 *
416 ******************************************************************************/
btm_ble_refresh_local_resolvable_private_addr(const RawAddress & pseudo_addr,const RawAddress & local_rpa)417 void btm_ble_refresh_local_resolvable_private_addr(
418 const RawAddress& pseudo_addr, const RawAddress& local_rpa) {
419 #if (BLE_PRIVACY_SPT == TRUE)
420 tACL_CONN* p = btm_bda_to_acl(pseudo_addr, BT_TRANSPORT_LE);
421
422 if (p != NULL) {
423 if (btm_cb.ble_ctr_cb.privacy_mode != BTM_PRIVACY_NONE) {
424 p->conn_addr_type = BLE_ADDR_RANDOM;
425 if (!local_rpa.IsEmpty())
426 p->conn_addr = local_rpa;
427 else
428 p->conn_addr = btm_cb.ble_ctr_cb.addr_mgnt_cb.private_addr;
429 } else {
430 p->conn_addr_type = BLE_ADDR_PUBLIC;
431 p->conn_addr = *controller_get_interface()->get_address();
432 }
433 }
434 #endif
435 }
436