• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /******************************************************************************
2  *
3  *  Copyright 1999-2012 Broadcom Corporation
4  *
5  *  Licensed under the Apache License, Version 2.0 (the "License");
6  *  you may not use this file except in compliance with the License.
7  *  You may obtain a copy of the License at:
8  *
9  *  http://www.apache.org/licenses/LICENSE-2.0
10  *
11  *  Unless required by applicable law or agreed to in writing, software
12  *  distributed under the License is distributed on an "AS IS" BASIS,
13  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  *  See the License for the specific language governing permissions and
15  *  limitations under the License.
16  *
17  ******************************************************************************/
18 
19 /******************************************************************************
20  *
21  *  This file contains functions for BLE address management.
22  *
23  ******************************************************************************/
24 
25 #include <base/bind.h>
26 #include <string.h>
27 
28 #include "bt_types.h"
29 #include "btm_int.h"
30 #include "btu.h"
31 #include "device/include/controller.h"
32 #include "gap_api.h"
33 #include "hcimsgs.h"
34 
35 #include "btm_ble_int.h"
36 #include "stack/crypto_toolbox/crypto_toolbox.h"
37 
38 /* This function generates Resolvable Private Address (RPA) from Identity
39  * Resolving Key |irk| and |random|*/
generate_rpa_from_irk_and_rand(const Octet16 & irk,BT_OCTET8 random)40 RawAddress generate_rpa_from_irk_and_rand(const Octet16& irk,
41                                           BT_OCTET8 random) {
42   random[2] &= (~BLE_RESOLVE_ADDR_MASK);
43   random[2] |= BLE_RESOLVE_ADDR_MSB;
44 
45   RawAddress address;
46   address.address[2] = random[0];
47   address.address[1] = random[1];
48   address.address[0] = random[2];
49 
50   /* encrypt with IRK */
51   Octet16 p = crypto_toolbox::aes_128(irk, random, 3);
52 
53   /* set hash to be LSB of rpAddress */
54   address.address[5] = p[0];
55   address.address[4] = p[1];
56   address.address[3] = p[2];
57   return address;
58 }
59 
60 /** This function is called when random address for local controller was
61  * generated */
btm_gen_resolve_paddr_low(const RawAddress & address)62 void btm_gen_resolve_paddr_low(const RawAddress& address) {
63   tBTM_LE_RANDOM_CB* p_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb;
64 
65   BTM_TRACE_EVENT("btm_gen_resolve_paddr_low");
66 
67   p_cb->private_addr = address;
68 
69   /* set it to controller */
70   btm_ble_set_random_address(p_cb->private_addr);
71 
72   p_cb->own_addr_type = BLE_ADDR_RANDOM;
73 
74   /* start a periodical timer to refresh random addr */
75   uint64_t interval_ms = btm_get_next_private_addrress_interval_ms();
76 #if (BTM_BLE_CONFORMANCE_TESTING == TRUE)
77   interval_ms = btm_cb.ble_ctr_cb.rpa_tout * 1000;
78 #endif
79   alarm_set_on_mloop(p_cb->refresh_raddr_timer, interval_ms,
80                      btm_ble_refresh_raddr_timer_timeout, NULL);
81 }
82 
83 /** This function generate a resolvable private address using local IRK */
btm_gen_resolvable_private_addr(base::Callback<void (const RawAddress &)> cb)84 void btm_gen_resolvable_private_addr(
85     base::Callback<void(const RawAddress&)> cb) {
86   BTM_TRACE_EVENT("%s", __func__);
87   /* generate 3B rand as BD LSB, SRK with it, get BD MSB */
88   btsnd_hcic_ble_rand(base::Bind(
89       [](base::Callback<void(const RawAddress&)> cb, BT_OCTET8 random) {
90         const Octet16& irk = BTM_GetDeviceIDRoot();
91         cb.Run(generate_rpa_from_irk_and_rand(irk, random));
92       },
93       std::move(cb)));
94 }
95 
btm_get_next_private_addrress_interval_ms()96 uint64_t btm_get_next_private_addrress_interval_ms() {
97   /* 7 minutes minimum, 15 minutes maximum for random address refreshing */
98   const uint64_t interval_min_ms = (7 * 60 * 1000);
99   const uint64_t interval_random_part_max_ms = (8 * 60 * 1000);
100 
101   return interval_min_ms + std::rand() % interval_random_part_max_ms;
102 }
103 
104 /*******************************************************************************
105  *
106  * Function         btm_gen_non_resolve_paddr_cmpl
107  *
108  * Description      This is the callback function when non-resolvable private
109  *                  function is generated and write to controller.
110  *
111  * Returns          void
112  *
113  ******************************************************************************/
btm_gen_non_resolve_paddr_cmpl(BT_OCTET8 rand)114 static void btm_gen_non_resolve_paddr_cmpl(BT_OCTET8 rand) {
115   tBTM_LE_RANDOM_CB* p_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb;
116   tBTM_BLE_ADDR_CBACK* p_cback = p_cb->p_generate_cback;
117   void* p_data = p_cb->p;
118   uint8_t* pp;
119   RawAddress static_random;
120 
121   BTM_TRACE_EVENT("btm_gen_non_resolve_paddr_cmpl");
122 
123   p_cb->p_generate_cback = NULL;
124   pp = rand;
125   STREAM_TO_BDADDR(static_random, pp);
126   /* mask off the 2 MSB */
127   static_random.address[0] &= BLE_STATIC_PRIVATE_MSB_MASK;
128 
129   /* report complete */
130   if (p_cback) (*p_cback)(static_random, p_data);
131 }
132 /*******************************************************************************
133  *
134  * Function         btm_gen_non_resolvable_private_addr
135  *
136  * Description      This function generate a non-resolvable private address.
137  *
138  *
139  * Returns          void
140  *
141  ******************************************************************************/
btm_gen_non_resolvable_private_addr(tBTM_BLE_ADDR_CBACK * p_cback,void * p)142 void btm_gen_non_resolvable_private_addr(tBTM_BLE_ADDR_CBACK* p_cback,
143                                          void* p) {
144   tBTM_LE_RANDOM_CB* p_mgnt_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb;
145 
146   BTM_TRACE_EVENT("btm_gen_non_resolvable_private_addr");
147 
148   if (p_mgnt_cb->p_generate_cback != NULL) return;
149 
150   p_mgnt_cb->p_generate_cback = p_cback;
151   p_mgnt_cb->p = p;
152   btsnd_hcic_ble_rand(base::Bind(&btm_gen_non_resolve_paddr_cmpl));
153 }
154 
155 /*******************************************************************************
156  *  Utility functions for Random address resolving
157  ******************************************************************************/
158 
159 /*******************************************************************************
160  *
161  * Function         btm_ble_init_pseudo_addr
162  *
163  * Description      This function is used to initialize pseudo address.
164  *                  If pseudo address is not available, use dummy address
165  *
166  * Returns          true is updated; false otherwise.
167  *
168  ******************************************************************************/
btm_ble_init_pseudo_addr(tBTM_SEC_DEV_REC * p_dev_rec,const RawAddress & new_pseudo_addr)169 bool btm_ble_init_pseudo_addr(tBTM_SEC_DEV_REC* p_dev_rec,
170                               const RawAddress& new_pseudo_addr) {
171   if (p_dev_rec->ble.pseudo_addr.IsEmpty()) {
172     p_dev_rec->ble.pseudo_addr = new_pseudo_addr;
173     return true;
174   }
175 
176   return false;
177 }
178 
179 /* Return true if given Resolvable Privae Address |rpa| matches Identity
180  * Resolving Key |irk| */
rpa_matches_irk(const RawAddress & rpa,const Octet16 & irk)181 static bool rpa_matches_irk(const RawAddress& rpa, const Octet16& irk) {
182   /* use the 3 MSB of bd address as prand */
183   uint8_t rand[3];
184   rand[0] = rpa.address[2];
185   rand[1] = rpa.address[1];
186   rand[2] = rpa.address[0];
187 
188   /* generate X = E irk(R0, R1, R2) and R is random address 3 LSO */
189   Octet16 x = crypto_toolbox::aes_128(irk, &rand[0], 3);
190 
191   rand[0] = rpa.address[5];
192   rand[1] = rpa.address[4];
193   rand[2] = rpa.address[3];
194 
195   if (memcmp(x.data(), &rand[0], 3) == 0) {
196     // match
197     return true;
198   }
199   // not a match
200   return false;
201 }
202 
203 /** This function checks if a RPA is resolvable by the device key.
204  *  Returns true is resolvable; false otherwise.
205  */
btm_ble_addr_resolvable(const RawAddress & rpa,tBTM_SEC_DEV_REC * p_dev_rec)206 bool btm_ble_addr_resolvable(const RawAddress& rpa,
207                              tBTM_SEC_DEV_REC* p_dev_rec) {
208   if (!BTM_BLE_IS_RESOLVE_BDA(rpa)) return false;
209 
210   if ((p_dev_rec->device_type & BT_DEVICE_TYPE_BLE) &&
211       (p_dev_rec->ble.key_type & BTM_LE_KEY_PID)) {
212     BTM_TRACE_DEBUG("%s try to resolve", __func__);
213 
214     if (rpa_matches_irk(rpa, p_dev_rec->ble.keys.irk)) {
215       btm_ble_init_pseudo_addr(p_dev_rec, rpa);
216       return true;
217     }
218   }
219   return false;
220 }
221 
222 /** This function match the random address to the appointed device record,
223  * starting from calculating IRK. If the record index exceeds the maximum record
224  * number, matching failed and send a callback. */
btm_ble_match_random_bda(void * data,void * context)225 static bool btm_ble_match_random_bda(void* data, void* context) {
226   BTM_TRACE_EVENT("%s next iteration", __func__);
227   RawAddress* random_bda = (RawAddress*)context;
228 
229   tBTM_SEC_DEV_REC* p_dev_rec = static_cast<tBTM_SEC_DEV_REC*>(data);
230 
231   BTM_TRACE_DEBUG("sec_flags = %02x device_type = %d", p_dev_rec->sec_flags,
232                   p_dev_rec->device_type);
233 
234   if (!(p_dev_rec->device_type & BT_DEVICE_TYPE_BLE) ||
235       !(p_dev_rec->ble.key_type & BTM_LE_KEY_PID))
236     return true;
237 
238   if (rpa_matches_irk(*random_bda, p_dev_rec->ble.keys.irk)) {
239     BTM_TRACE_EVENT("match is found");
240     // if it was match, finish iteration, otherwise continue
241     return false;
242   }
243 
244   // not a match, continue iteration
245   return true;
246 }
247 
248 /** This function is called to resolve a random address.
249  * Returns pointer to the security record of the device whom a random address is
250  * matched to.
251  */
btm_ble_resolve_random_addr(const RawAddress & random_bda)252 tBTM_SEC_DEV_REC* btm_ble_resolve_random_addr(const RawAddress& random_bda) {
253   BTM_TRACE_EVENT("%s", __func__);
254 
255   /* start to resolve random address */
256   /* check for next security record */
257 
258   list_node_t* n = list_foreach(btm_cb.sec_dev_rec, btm_ble_match_random_bda,
259                                 (void*)&random_bda);
260   tBTM_SEC_DEV_REC* p_dev_rec = nullptr;
261   if (n != nullptr) p_dev_rec = static_cast<tBTM_SEC_DEV_REC*>(list_node(n));
262 
263   BTM_TRACE_EVENT("%s:  %sresolved", __func__,
264                   (p_dev_rec == nullptr ? "not " : ""));
265   return p_dev_rec;
266 }
267 
268 /*******************************************************************************
269  *  address mapping between pseudo address and real connection address
270  ******************************************************************************/
271 /** Find the security record whose LE identity address is matching */
btm_find_dev_by_identity_addr(const RawAddress & bd_addr,uint8_t addr_type)272 tBTM_SEC_DEV_REC* btm_find_dev_by_identity_addr(const RawAddress& bd_addr,
273                                                 uint8_t addr_type) {
274 #if (BLE_PRIVACY_SPT == TRUE)
275   list_node_t* end = list_end(btm_cb.sec_dev_rec);
276   for (list_node_t* node = list_begin(btm_cb.sec_dev_rec); node != end;
277        node = list_next(node)) {
278     tBTM_SEC_DEV_REC* p_dev_rec =
279         static_cast<tBTM_SEC_DEV_REC*>(list_node(node));
280     if (p_dev_rec->ble.identity_addr == bd_addr) {
281       if ((p_dev_rec->ble.identity_addr_type & (~BLE_ADDR_TYPE_ID_BIT)) !=
282           (addr_type & (~BLE_ADDR_TYPE_ID_BIT)))
283         BTM_TRACE_WARNING(
284             "%s find pseudo->random match with diff addr type: %d vs %d",
285             __func__, p_dev_rec->ble.identity_addr_type, addr_type);
286 
287       /* found the match */
288       return p_dev_rec;
289     }
290   }
291 #endif
292 
293   return NULL;
294 }
295 
296 /*******************************************************************************
297  *
298  * Function         btm_identity_addr_to_random_pseudo
299  *
300  * Description      This function map a static BD address to a pseudo random
301  *                  address in security database.
302  *
303  ******************************************************************************/
btm_identity_addr_to_random_pseudo(RawAddress * bd_addr,uint8_t * p_addr_type,bool refresh)304 bool btm_identity_addr_to_random_pseudo(RawAddress* bd_addr,
305                                         uint8_t* p_addr_type, bool refresh) {
306 #if (BLE_PRIVACY_SPT == TRUE)
307   tBTM_SEC_DEV_REC* p_dev_rec =
308       btm_find_dev_by_identity_addr(*bd_addr, *p_addr_type);
309 
310   BTM_TRACE_EVENT("%s", __func__);
311   /* evt reported on static address, map static address to random pseudo */
312   if (p_dev_rec != NULL) {
313     /* if RPA offloading is supported, or 4.2 controller, do RPA refresh */
314     if (refresh &&
315         controller_get_interface()->get_ble_resolving_list_max_size() != 0)
316       btm_ble_read_resolving_list_entry(p_dev_rec);
317 
318     /* assign the original address to be the current report address */
319     if (!btm_ble_init_pseudo_addr(p_dev_rec, *bd_addr))
320       *bd_addr = p_dev_rec->ble.pseudo_addr;
321 
322     *p_addr_type = p_dev_rec->ble.ble_addr_type;
323     return true;
324   }
325 #endif
326   return false;
327 }
328 
329 /*******************************************************************************
330  *
331  * Function         btm_random_pseudo_to_identity_addr
332  *
333  * Description      This function map a random pseudo address to a public
334  *                  address. random_pseudo is input and output parameter
335  *
336  ******************************************************************************/
btm_random_pseudo_to_identity_addr(RawAddress * random_pseudo,uint8_t * p_identity_addr_type)337 bool btm_random_pseudo_to_identity_addr(RawAddress* random_pseudo,
338                                         uint8_t* p_identity_addr_type) {
339 #if (BLE_PRIVACY_SPT == TRUE)
340   tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(*random_pseudo);
341 
342   if (p_dev_rec != NULL) {
343     if (p_dev_rec->ble.in_controller_list & BTM_RESOLVING_LIST_BIT) {
344       *p_identity_addr_type = p_dev_rec->ble.identity_addr_type;
345       *random_pseudo = p_dev_rec->ble.identity_addr;
346       if (controller_get_interface()->supports_ble_privacy())
347         *p_identity_addr_type |= BLE_ADDR_TYPE_ID_BIT;
348       return true;
349     }
350   }
351 #endif
352   return false;
353 }
354 
355 /*******************************************************************************
356  *
357  * Function         btm_ble_refresh_peer_resolvable_private_addr
358  *
359  * Description      This function refresh the currently used resolvable remote
360  *                  private address into security database and set active
361  *                  connection address.
362  *
363  ******************************************************************************/
btm_ble_refresh_peer_resolvable_private_addr(const RawAddress & pseudo_bda,const RawAddress & rpa,uint8_t rra_type)364 void btm_ble_refresh_peer_resolvable_private_addr(const RawAddress& pseudo_bda,
365                                                   const RawAddress& rpa,
366                                                   uint8_t rra_type) {
367 #if (BLE_PRIVACY_SPT == TRUE)
368   uint8_t rra_dummy = false;
369   if (rpa.IsEmpty()) rra_dummy = true;
370 
371   /* update security record here, in adv event or connection complete process */
372   tBTM_SEC_DEV_REC* p_sec_rec = btm_find_dev(pseudo_bda);
373   if (p_sec_rec != NULL) {
374     p_sec_rec->ble.cur_rand_addr = rpa;
375 
376     /* unknown, if dummy address, set to static */
377     if (rra_type == BTM_BLE_ADDR_PSEUDO)
378       p_sec_rec->ble.active_addr_type =
379           rra_dummy ? BTM_BLE_ADDR_STATIC : BTM_BLE_ADDR_RRA;
380     else
381       p_sec_rec->ble.active_addr_type = rra_type;
382   } else {
383     BTM_TRACE_ERROR("No matching known device in record");
384     return;
385   }
386 
387   BTM_TRACE_DEBUG("%s: active_addr_type: %d ", __func__,
388                   p_sec_rec->ble.active_addr_type);
389 
390   /* connection refresh remote address */
391   tACL_CONN* p_acl = btm_bda_to_acl(p_sec_rec->bd_addr, BT_TRANSPORT_LE);
392   if (p_acl == NULL)
393     p_acl = btm_bda_to_acl(p_sec_rec->ble.pseudo_addr, BT_TRANSPORT_LE);
394 
395   if (p_acl != NULL) {
396     if (rra_type == BTM_BLE_ADDR_PSEUDO) {
397       /* use identity address, resolvable_private_addr is empty */
398       if (rra_dummy) {
399         p_acl->active_remote_addr_type = p_sec_rec->ble.identity_addr_type;
400         p_acl->active_remote_addr = p_sec_rec->ble.identity_addr;
401       } else {
402         p_acl->active_remote_addr_type = BLE_ADDR_RANDOM;
403         p_acl->active_remote_addr = rpa;
404       }
405     } else {
406       p_acl->active_remote_addr_type = rra_type;
407       p_acl->active_remote_addr = rpa;
408     }
409 
410     BTM_TRACE_DEBUG("p_acl->active_remote_addr_type: %d ",
411                     p_acl->active_remote_addr_type);
412     VLOG(1) << __func__ << " conn_addr: " << p_acl->active_remote_addr;
413   }
414 #endif
415 }
416 
417 /*******************************************************************************
418  *
419  * Function         btm_ble_refresh_local_resolvable_private_addr
420  *
421  * Description      This function refresh the currently used resolvable private
422  *                  address for the active link to the remote device
423  *
424  ******************************************************************************/
btm_ble_refresh_local_resolvable_private_addr(const RawAddress & pseudo_addr,const RawAddress & local_rpa)425 void btm_ble_refresh_local_resolvable_private_addr(
426     const RawAddress& pseudo_addr, const RawAddress& local_rpa) {
427 #if (BLE_PRIVACY_SPT == TRUE)
428   tACL_CONN* p = btm_bda_to_acl(pseudo_addr, BT_TRANSPORT_LE);
429 
430   if (p != NULL) {
431     if (btm_cb.ble_ctr_cb.privacy_mode != BTM_PRIVACY_NONE) {
432       p->conn_addr_type = BLE_ADDR_RANDOM;
433       if (!local_rpa.IsEmpty())
434         p->conn_addr = local_rpa;
435       else
436         p->conn_addr = btm_cb.ble_ctr_cb.addr_mgnt_cb.private_addr;
437     } else {
438       p->conn_addr_type = BLE_ADDR_PUBLIC;
439       p->conn_addr = *controller_get_interface()->get_address();
440     }
441   }
442 #endif
443 }
444