1 /******************************************************************************
2  *
3  *  Copyright (C) 1999-2012 Broadcom Corporation
4  *
5  *  Licensed under the Apache License, Version 2.0 (the "License");
6  *  you may not use this file except in compliance with the License.
7  *  You may obtain a copy of the License at:
8  *
9  *  http://www.apache.org/licenses/LICENSE-2.0
10  *
11  *  Unless required by applicable law or agreed to in writing, software
12  *  distributed under the License is distributed on an "AS IS" BASIS,
13  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  *  See the License for the specific language governing permissions and
15  *  limitations under the License.
16  *
17  ******************************************************************************/
18 
19 /******************************************************************************
20  *
21  *  This file contains functions for BLE address management.
22  *
23  ******************************************************************************/
24 
25 #include <base/bind.h>
26 #include <string.h>
27 
28 #include "bt_types.h"
29 #include "btm_int.h"
30 #include "btu.h"
31 #include "device/include/controller.h"
32 #include "gap_api.h"
33 #include "hcimsgs.h"
34 
35 #include "btm_ble_int.h"
36 #include "smp_api.h"
37 
38 extern fixed_queue_t* btu_general_alarm_queue;
39 
40 /*******************************************************************************
41  *
42  * Function         btm_gen_resolve_paddr_cmpl
43  *
44  * Description      This is the callback function invoked when resolvable
45  *                  private address generation is complete.
46  *
47  * Returns          void
48  *
49  ******************************************************************************/
static void btm_gen_resolve_paddr_cmpl(tSMP_ENC* p) {
  /* Final step of resolvable private address (RPA) generation. `p` holds the
   * output of encrypting the random part with the local IRK, or is NULL when
   * that encryption failed (see btm_gen_resolve_paddr_low()). */
  tBTM_LE_RANDOM_CB* p_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb;
  BTM_TRACE_EVENT("btm_gen_resolve_paddr_cmpl");

  if (p == NULL) {
    /* NOTE(review): on this path the refresh timer below is not re-armed and
     * private_addr keeps the new random half with the old hash half. Unless
     * another path restarts generation, the address programmed in the
     * controller stops rotating, which weakens the privacy the RPA is meant
     * to give -- confirm how callers recover. */
    BTM_TRACE_DEBUG("set random address failed");
    return;
  }

  /* The first three output bytes are the hash; they fill the low half of the
   * address. The random half was stored by btm_gen_resolve_paddr_low(). */
  for (int i = 0; i < 3; i++) {
    p_cb->private_addr[5 - i] = p->param_buf[i];
  }

  /* Program the new address into the controller. */
  btm_ble_set_random_address(p_cb->private_addr);
  p_cb->own_addr_type = BLE_ADDR_RANDOM;

  /* Arm the timer that triggers the next address refresh. Conformance test
   * builds take the interval from rpa_tout (multiplied by 1000) instead of
   * the compiled-in default. */
#if (BTM_BLE_CONFORMANCE_TESTING == TRUE)
  period_ms_t interval_ms = btm_cb.ble_ctr_cb.rpa_tout * 1000;
#else
  period_ms_t interval_ms = BTM_BLE_PRIVATE_ADDR_INT_MS;
#endif
  alarm_set_on_queue(p_cb->refresh_raddr_timer, interval_ms,
                     btm_ble_refresh_raddr_timer_timeout, NULL,
                     btu_general_alarm_queue);
}
77 /*******************************************************************************
78  *
79  * Function         btm_gen_resolve_paddr_low
80  *
81  * Description      This function is called once the random number used as the
82  *                  base for the low 3 bytes of the BD address has been generated.
83  *
84  * Returns          void
85  *
86  ******************************************************************************/
void btm_gen_resolve_paddr_low(BT_OCTET8 rand) {
  /* Builds the random half (prand) of a resolvable private address from the
   * supplied random bytes, then encrypts it with the local IRK so the
   * completion routine can fill in the hash half. Only rand[0..2] are used;
   * rand[2] is modified in place. */
  BTM_TRACE_EVENT("btm_gen_resolve_paddr_low");

  /* Overwrite the masked bits of the top prand byte with the marker that
   * identifies the address as resolvable. */
  rand[2] &= (~BLE_RESOLVE_ADDR_MASK);
  rand[2] |= BLE_RESOLVE_ADDR_MSB;

  /* prand occupies the three most significant bytes of the address. */
  tBTM_LE_RANDOM_CB* p_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb;
  p_cb->private_addr[0] = rand[2];
  p_cb->private_addr[1] = rand[1];
  p_cb->private_addr[2] = rand[0];

  /* Encrypt prand with our IRK; a failure is reported to the completion
   * routine as a NULL result. */
  tSMP_ENC output;
  const bool encrypted = SMP_Encrypt(btm_cb.devcb.id_keys.irk, BT_OCTET16_LEN,
                                     rand, 3, &output);
  btm_gen_resolve_paddr_cmpl(encrypted ? &output : NULL);
}
107 /*******************************************************************************
108  *
109  * Function         btm_gen_resolvable_private_addr
110  *
111  * Description      This function generate a resolvable private address.
112  *
113  * Returns          void
114  *
115  ******************************************************************************/
void btm_gen_resolvable_private_addr(base::Callback<void(BT_OCTET8)> cb) {
  /* Starts generation of a resolvable private address by requesting random
   * bytes; `cb` is handed on to btsnd_hcic_ble_rand() and receives them.
   * NOTE(review): the random half of the address comes entirely from that
   * request, presumably the controller's random number generator -- its
   * quality bounds how unpredictable the address is; confirm. */
  BTM_TRACE_EVENT("%s", __func__);

  /* 3 random bytes become the address MSBs; encrypting them with the IRK
   * yields the remaining 3 bytes. */
  btsnd_hcic_ble_rand(std::move(cb));
}
121 /*******************************************************************************
122  *
123  * Function         btm_gen_non_resolve_paddr_cmpl
124  *
125  * Description      This is the callback function invoked when a non-resolvable
126  *                  private address is generated and written to the controller.
127  *
128  * Returns          void
129  *
130  ******************************************************************************/
static void btm_gen_non_resolve_paddr_cmpl(BT_OCTET8 rand) {
  /* Receives the random bytes requested by
   * btm_gen_non_resolvable_private_addr(), turns them into an address and
   * reports it to the pending callback. */
  BTM_TRACE_EVENT("btm_gen_non_resolve_paddr_cmpl");

  tBTM_LE_RANDOM_CB* p_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb;

  /* Take the pending callback and its context, then free the slot before
   * calling out, so a new request made from inside the callback is accepted. */
  tBTM_BLE_ADDR_CBACK* p_cback = p_cb->p_generate_cback;
  void* p_data = p_cb->p;
  p_cb->p_generate_cback = NULL;

  /* Build a BD_ADDR from the start of the random buffer. */
  BD_ADDR static_random;
  uint8_t* pp = rand;
  STREAM_TO_BDADDR(static_random, pp);

  /* Mask off the 2 MSB, which encode the random address sub-type. */
  static_random[0] &= BLE_STATIC_PRIVATE_MSB_MASK;

  /* Report completion. */
  if (p_cback != NULL) {
    (*p_cback)(static_random, p_data);
  }
}
149 /*******************************************************************************
150  *
151  * Function         btm_gen_non_resolvable_private_addr
152  *
153  * Description      This function generate a non-resolvable private address.
154  *
155  *
156  * Returns          void
157  *
158  ******************************************************************************/
void btm_gen_non_resolvable_private_addr(tBTM_BLE_ADDR_CBACK* p_cback,
                                         void* p) {
  /* Requests a non-resolvable private address. `p_cback` is invoked with the
   * address and the caller's context `p` once the random bytes arrive.
   * NOTE(review): a request made while another one is pending returns
   * without any indication, so that caller's callback is never invoked;
   * callers that need an address must not assume completion. */
  BTM_TRACE_EVENT("btm_gen_non_resolvable_private_addr");

  tBTM_LE_RANDOM_CB* p_mgnt_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb;

  /* Only one generation request can be outstanding at a time. */
  if (p_mgnt_cb->p_generate_cback == NULL) {
    p_mgnt_cb->p_generate_cback = p_cback;
    p_mgnt_cb->p = p;
    btsnd_hcic_ble_rand(base::Bind(&btm_gen_non_resolve_paddr_cmpl));
  }
}
171 
172 /*******************************************************************************
173  *  Utility functions for Random address resolving
174  ******************************************************************************/
175 /*******************************************************************************
176  *
177  * Function         btm_ble_proc_resolve_x
178  *
179  * Description      This function compares the X with random address 3 MSO bytes
180  *                  to find a match.
181  *
182  * Returns          true on match, false otherwise
183  *
184  ******************************************************************************/
static bool btm_ble_proc_resolve_x(const tSMP_ENC& encrypt_output,
                                   const bt_bdaddr_t& random_bda) {
  /* Compares the locally computed hash (first three bytes of
   * encrypt_output) with the hash carried in the three least significant
   * bytes of random_bda. Returns true when they are equal.
   * The hash is only 24 bits wide, so a match identifies the key that
   * produced the address with high probability; it does not authenticate
   * the peer. */
  BTM_TRACE_EVENT("btm_ble_proc_resolve_x");

  /* Collect address bytes 5, 4, 3 in the order the hash is stored. */
  uint8_t addr_hash[3];
  for (int i = 0; i < 3; i++) {
    addr_hash[i] = random_bda.address[5 - i];
  }

  const bool matched =
      (memcmp(encrypt_output.param_buf, addr_hash, 3) == 0);
  if (matched) {
    BTM_TRACE_EVENT("match is found");
  }
  return matched;
}
202 
203 /*******************************************************************************
204  *
205  * Function         btm_ble_init_pseudo_addr
206  *
207  * Description      This function is used to initialize pseudo address.
208  *                  If pseudo address is not available, use dummy address
209  *
210  * Returns          true if updated; false otherwise.
211  *
212  ******************************************************************************/
bool btm_ble_init_pseudo_addr(tBTM_SEC_DEV_REC* p_dev_rec,
                              BD_ADDR new_pseudo_addr) {
  /* Stores new_pseudo_addr as the record's pseudo address, but only when the
   * record does not have one yet (all-zero). An existing pseudo address is
   * never overwritten. Returns true when the record was updated. */
  const BD_ADDR unset_bda = {0};

  if (memcmp(p_dev_rec->ble.pseudo_addr, unset_bda, BD_ADDR_LEN) != 0) {
    return false;
  }

  memcpy(p_dev_rec->ble.pseudo_addr, new_pseudo_addr, BD_ADDR_LEN);
  return true;
}
224 
225 /*******************************************************************************
226  *
227  * Function         btm_ble_addr_resolvable
228  *
229  * Description      This function checks if a RPA is resolvable by the device
230  *                  key.
231  *
232  * Returns          true if resolvable; false otherwise.
233  *
234  ******************************************************************************/
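bool btm_ble_addr_resolvable(BD_ADDR rpa, tBTM_SEC_DEV_REC* p_dev_rec) {
  /* Checks whether `rpa` was generated from the IRK stored in p_dev_rec.
   * On a match the record's pseudo address is initialised from `rpa` if it
   * was still unset. Returns true on a match, false otherwise (including
   * when the address is not of the resolvable type, the record holds no
   * identity key, or the encryption step fails).
   * A match is on a 24-bit hash and identifies the peer's key; it is not an
   * authentication of the peer. */
  if (!BTM_BLE_IS_RESOLVE_BDA(rpa)) return false;

  /* Only LE records that carry an identity key (IRK) can resolve anything. */
  if (!(p_dev_rec->device_type & BT_DEVICE_TYPE_BLE) ||
      !(p_dev_rec->ble.key_type & BTM_LE_KEY_PID)) {
    return false;
  }

  BTM_TRACE_DEBUG("%s try to resolve", __func__);

  /* use the 3 MSB of bd address as prand */
  uint8_t prand[3];
  prand[0] = rpa[2];
  prand[1] = rpa[1];
  prand[2] = rpa[0];

  /* generate X = E irk(R0, R1, R2). The result must be checked: on failure
   * `output` is left uninitialised and comparing it against the address
   * would read indeterminate stack bytes and could report a false match. */
  tSMP_ENC output;
  if (!SMP_Encrypt(p_dev_rec->ble.keys.irk, BT_OCTET16_LEN, prand, 3,
                   &output)) {
    BTM_TRACE_ERROR("%s encryption failed", __func__);
    return false;
  }

  /* The hash is carried in the 3 least significant bytes of the address. */
  uint8_t addr_hash[3];
  addr_hash[0] = rpa[5];
  addr_hash[1] = rpa[4];
  addr_hash[2] = rpa[3];

  if (memcmp(output.param_buf, addr_hash, 3) != 0) return false;

  /* Result intentionally ignored: an existing pseudo address is kept. */
  btm_ble_init_pseudo_addr(p_dev_rec, rpa);
  return true;
}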
264 
265 /*******************************************************************************
266  *
267  * Function         btm_ble_match_random_bda
268  *
269  * Description      This function match the random address to the appointed
270  *                  device record, starting from calculating IRK. If the record
271  *                  index exceeds the maximum record number, matching failed and
272  *                  send a callback.
273  *
274  * Returns          None.
275  *
276  ******************************************************************************/
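static bool btm_ble_match_random_bda(void* data, void* context) {
  /* list_foreach() callback used by btm_ble_resolve_random_addr().
   * `data` is one security record, `context` the random address to resolve.
   * Returns true to continue with the next record and false to stop the
   * iteration because this record's IRK resolves the address. */
  bt_bdaddr_t random_bda;
  bdcpy(random_bda.address, (uint8_t*)context);

  /* use the 3 MSB of bd address as prand */
  uint8_t rand[3];
  rand[0] = random_bda.address[2];
  rand[1] = random_bda.address[1];
  rand[2] = random_bda.address[0];

  BTM_TRACE_EVENT("%s next iteration", __func__);

  tBTM_SEC_DEV_REC* p_dev_rec = static_cast<tBTM_SEC_DEV_REC*>(data);

  BTM_TRACE_DEBUG("sec_flags = %02x device_type = %d", p_dev_rec->sec_flags,
                  p_dev_rec->device_type);

  /* Records without an LE identity key cannot match; skip them. */
  if (!(p_dev_rec->device_type & BT_DEVICE_TYPE_BLE) ||
      !(p_dev_rec->ble.key_type & BTM_LE_KEY_PID))
    return true;

  /* generate X = E irk(R0, R1, R2). A failed encryption leaves `output`
   * uninitialised, so it must count as "no match" rather than be compared:
   * otherwise indeterminate stack bytes could resolve the address to the
   * wrong device record. */
  tSMP_ENC output;
  if (!SMP_Encrypt(p_dev_rec->ble.keys.irk, BT_OCTET16_LEN, &rand[0], 3,
                   &output)) {
    BTM_TRACE_ERROR("%s encryption failed", __func__);
    return true;
  }

  // if it was match, finish iteration, otherwise continue
  return !btm_ble_proc_resolve_x(output, random_bda);
}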
305 
306 /*******************************************************************************
307  *
308  * Function         btm_ble_resolve_random_addr
309  *
310  * Description      This function is called to resolve a random address.
311  *
312  * Returns          pointer to the security record of the device whom a random
313  *                  address is matched to.
314  *
315  ******************************************************************************/
tBTM_SEC_DEV_REC* btm_ble_resolve_random_addr(BD_ADDR random_bda) {
  /* Walks the security records and returns the first one whose IRK resolves
   * random_bda, or nullptr when none does.
   * The result says which stored identity key produced the address; it is
   * based on a 24-bit hash and should not be used as proof of the peer's
   * identity on its own. */
  BTM_TRACE_EVENT("%s", __func__);

  /* list_foreach() stops at the record for which the matcher returns false. */
  list_node_t* match =
      list_foreach(btm_cb.sec_dev_rec, btm_ble_match_random_bda, random_bda);

  tBTM_SEC_DEV_REC* p_dev_rec = nullptr;
  if (match != nullptr) {
    p_dev_rec = static_cast<tBTM_SEC_DEV_REC*>(list_node(match));
  }

  BTM_TRACE_EVENT("%s:  %sresolved", __func__,
                  (p_dev_rec != nullptr ? "" : "not "));
  return p_dev_rec;
}
331 
332 /*******************************************************************************
333  *  address mapping between pseudo address and real connection address
334  ******************************************************************************/
335 /*******************************************************************************
336  *
337  * Function         btm_find_dev_by_identity_addr
338  *
339  * Description      find the security record whose LE static address is matching
340  *
341  ******************************************************************************/
tBTM_SEC_DEV_REC* btm_find_dev_by_identity_addr(BD_ADDR bd_addr,
                                                uint8_t addr_type) {
  /* Returns the first security record whose LE static (identity) address
   * equals bd_addr, or NULL when there is none or privacy support is
   * compiled out. The address type is not part of the match: a difference
   * (ignoring the identity bit) only produces a warning trace. */
#if (BLE_PRIVACY_SPT == TRUE)
  list_node_t* node = list_begin(btm_cb.sec_dev_rec);
  list_node_t* const end = list_end(btm_cb.sec_dev_rec);

  while (node != end) {
    tBTM_SEC_DEV_REC* p_dev_rec =
        static_cast<tBTM_SEC_DEV_REC*>(list_node(node));

    if (memcmp(p_dev_rec->ble.static_addr, bd_addr, BD_ADDR_LEN) == 0) {
      const bool same_type =
          (p_dev_rec->ble.static_addr_type & (~BLE_ADDR_TYPE_ID_BIT)) ==
          (addr_type & (~BLE_ADDR_TYPE_ID_BIT));
      if (!same_type) {
        BTM_TRACE_WARNING(
            "%s find pseudo->random match with diff addr type: %d vs %d",
            __func__, p_dev_rec->ble.static_addr_type, addr_type);
      }

      /* found the match */
      return p_dev_rec;
    }

    node = list_next(node);
  }
#endif

  return NULL;
}
365 
366 /*******************************************************************************
367  *
368  * Function         btm_identity_addr_to_random_pseudo
369  *
370  * Description      This function map a static BD address to a pseudo random
371  *                  address in security database.
372  *
373  ******************************************************************************/
bool btm_identity_addr_to_random_pseudo(BD_ADDR bd_addr, uint8_t* p_addr_type,
                                        bool refresh) {
  /* Maps an identity (static) address reported in an event to the pseudo
   * address stored in the security database. bd_addr and *p_addr_type are
   * in/out: on success they are replaced by the record's pseudo address and
   * address type. Returns false when no record has this identity address or
   * privacy support is compiled out; the arguments are then left untouched. */
#if (BLE_PRIVACY_SPT == TRUE)
  tBTM_SEC_DEV_REC* p_dev_rec =
      btm_find_dev_by_identity_addr(bd_addr, *p_addr_type);

  BTM_TRACE_EVENT("%s", __func__);

  if (p_dev_rec == NULL) {
    return false;
  }

  /* if RPA offloading is supported, or 4.2 controller, do RPA refresh */
  const bool has_resolving_list =
      refresh &&
      controller_get_interface()->get_ble_resolving_list_max_size() != 0;
  if (has_resolving_list) {
    btm_ble_read_resolving_list_entry(p_dev_rec);
  }

  /* A record without a pseudo address adopts bd_addr as its pseudo address;
   * otherwise the caller's address is replaced by the stored one. */
  const bool adopted = btm_ble_init_pseudo_addr(p_dev_rec, bd_addr);
  if (!adopted) {
    memcpy(bd_addr, p_dev_rec->ble.pseudo_addr, BD_ADDR_LEN);
  }

  *p_addr_type = p_dev_rec->ble.ble_addr_type;
  return true;
#else
  return false;
#endif
}
398 
399 /*******************************************************************************
400  *
401  * Function         btm_random_pseudo_to_identity_addr
402  *
403  * Description      This function map a random pseudo address to a public
404  *                  address. random_pseudo is input and output parameter
405  *
406  ******************************************************************************/
bool btm_random_pseudo_to_identity_addr(BD_ADDR random_pseudo,
                                        uint8_t* p_static_addr_type) {
  /* Maps a pseudo address to the peer's identity (static) address.
   * random_pseudo is in/out: on success it is overwritten with the identity
   * address and *p_static_addr_type receives its type. The mapping is only
   * done for records flagged as present in the controller resolving list;
   * in every other case false is returned and nothing is modified. */
#if (BLE_PRIVACY_SPT == TRUE)
  tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(random_pseudo);

  const bool in_resolving_list =
      (p_dev_rec != NULL) &&
      (p_dev_rec->ble.in_controller_list & BTM_RESOLVING_LIST_BIT);

  if (in_resolving_list) {
    *p_static_addr_type = p_dev_rec->ble.static_addr_type;
    memcpy(random_pseudo, p_dev_rec->ble.static_addr, BD_ADDR_LEN);

    /* Mark the type as an identity address when the controller supports
     * LE privacy. */
    if (controller_get_interface()->supports_ble_privacy()) {
      *p_static_addr_type |= BLE_ADDR_TYPE_ID_BIT;
    }
    return true;
  }
#endif
  return false;
}
424 
425 /*******************************************************************************
426  *
427  * Function         btm_ble_refresh_peer_resolvable_private_addr
428  *
429  * Description      This function refresh the currently used resolvable remote
430  *                  private address into security database and set active
431  *                  connection address.
432  *
433  ******************************************************************************/
void btm_ble_refresh_peer_resolvable_private_addr(BD_ADDR pseudo_bda,
                                                  BD_ADDR rpa,
                                                  uint8_t rra_type) {
  /* Records the peer's currently used address `rpa` in the security record
   * found via pseudo_bda and, when an LE ACL link to that peer exists,
   * updates the link's active remote address as well. An all-zero `rpa`
   * combined with rra_type == BTM_BLE_ADDR_PSEUDO means "no private address
   * known"; the static address is used in that case. Does nothing when
   * privacy support is compiled out. */
#if (BLE_PRIVACY_SPT == TRUE)
  const BD_ADDR dummy_bda = {0};
  const bool rra_dummy = (memcmp(dummy_bda, rpa, BD_ADDR_LEN) == 0);

  /* update security record here, in adv event or connection complete process */
  tBTM_SEC_DEV_REC* p_sec_rec = btm_find_dev(pseudo_bda);
  if (p_sec_rec == NULL) {
    BTM_TRACE_ERROR("No matching known device in record");
    return;
  }

  memcpy(p_sec_rec->ble.cur_rand_addr, rpa, BD_ADDR_LEN);

  /* unknown, if dummy address, set to static */
  if (rra_type != BTM_BLE_ADDR_PSEUDO) {
    p_sec_rec->ble.active_addr_type = rra_type;
  } else if (rra_dummy) {
    p_sec_rec->ble.active_addr_type = BTM_BLE_ADDR_STATIC;
  } else {
    p_sec_rec->ble.active_addr_type = BTM_BLE_ADDR_RRA;
  }

  BTM_TRACE_DEBUG("%s: active_addr_type: %d ", __func__,
                  p_sec_rec->ble.active_addr_type);

  /* connection refresh remote address: look the link up by the record's
   * address first, then by its pseudo address. */
  tACL_CONN* p_acl = btm_bda_to_acl(p_sec_rec->bd_addr, BT_TRANSPORT_LE);
  if (p_acl == NULL) {
    p_acl = btm_bda_to_acl(p_sec_rec->ble.pseudo_addr, BT_TRANSPORT_LE);
  }
  if (p_acl == NULL) {
    return;
  }

  /* Default: take type and address as reported by the caller. */
  uint8_t remote_type = rra_type;
  const uint8_t* remote_addr = rpa;
  if (rra_type == BTM_BLE_ADDR_PSEUDO) {
    if (rra_dummy) {
      /* use static address, resolvable_private_addr is empty */
      remote_type = p_sec_rec->ble.static_addr_type;
      remote_addr = p_sec_rec->ble.static_addr;
    } else {
      remote_type = BLE_ADDR_RANDOM;
    }
  }
  p_acl->active_remote_addr_type = remote_type;
  memcpy(p_acl->active_remote_addr, remote_addr, BD_ADDR_LEN);

  BTM_TRACE_DEBUG("p_acl->active_remote_addr_type: %d ",
                  p_acl->active_remote_addr_type);
  /* NOTE(review): this trace writes the peer's full address, which can be
   * its static/identity address, to the debug log. Anyone who can read
   * collected logs can then link the peer across address changes; consider
   * whether this level is enabled in production builds. */
  BTM_TRACE_DEBUG("%s conn_addr: %02x:%02x:%02x:%02x:%02x:%02x", __func__,
                  p_acl->active_remote_addr[0], p_acl->active_remote_addr[1],
                  p_acl->active_remote_addr[2], p_acl->active_remote_addr[3],
                  p_acl->active_remote_addr[4], p_acl->active_remote_addr[5]);
#endif
}
492 
493 /*******************************************************************************
494  *
495  * Function         btm_ble_refresh_local_resolvable_private_addr
496  *
497  * Description      This function refresh the currently used resolvable private
498  *                  address for the active link to the remote device
499  *
500  ******************************************************************************/
void btm_ble_refresh_local_resolvable_private_addr(BD_ADDR pseudo_addr,
                                                   BD_ADDR local_rpa) {
  /* Updates the local address recorded for the LE ACL link to pseudo_addr.
   * With privacy enabled the link uses a random address: local_rpa when it
   * is non-zero, otherwise the host-generated private address. With privacy
   * disabled the controller's public address is recorded. Does nothing when
   * there is no such link or privacy support is compiled out. */
#if (BLE_PRIVACY_SPT == TRUE)
  tACL_CONN* p = btm_bda_to_acl(pseudo_addr, BT_TRANSPORT_LE);
  if (p == NULL) {
    return;
  }

  if (btm_cb.ble_ctr_cb.privacy_mode == BTM_PRIVACY_NONE) {
    p->conn_addr_type = BLE_ADDR_PUBLIC;
    memcpy(p->conn_addr, &controller_get_interface()->get_address()->address,
           BD_ADDR_LEN);
    return;
  }

  p->conn_addr_type = BLE_ADDR_RANDOM;

  const BD_ADDR dummy_bda = {0};
  const bool rpa_given = (memcmp(local_rpa, dummy_bda, BD_ADDR_LEN) != 0);
  if (rpa_given) {
    memcpy(p->conn_addr, local_rpa, BD_ADDR_LEN);
  } else {
    /* No address supplied by the caller: fall back to the private address
     * kept in the address management block. */
    memcpy(p->conn_addr, btm_cb.ble_ctr_cb.addr_mgnt_cb.private_addr,
           BD_ADDR_LEN);
  }
#endif
}
523