1 /******************************************************************************
2 *
3 * Copyright 1999-2012 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18
19 /******************************************************************************
20 *
21 * This file contains functions for BLE address management.
22 *
23 ******************************************************************************/
24
25 #define LOG_TAG "ble"
26
27 #include "stack/include/btm_ble_addr.h"
28
29 #include <base/functional/bind.h>
30 #include <bluetooth/log.h>
31 #include <string.h>
32
33 #include "btm_ble_int.h"
34 #include "btm_dev.h"
35 #include "btm_sec_cb.h"
36 #include "crypto_toolbox/crypto_toolbox.h"
37 #include "hci/controller_interface.h"
38 #include "main/shim/entry.h"
39 #include "os/log.h"
40 #include "stack/btm/btm_int_types.h"
41 #include "stack/include/acl_api.h"
42 #include "stack/include/bt_octets.h"
43 #include "stack/include/btm_ble_privacy.h"
44 #include "types/ble_address_with_type.h"
45 #include "types/raw_address.h"
46
47 using namespace bluetooth;
48
49 extern tBTM_CB btm_cb;
50
51 /*******************************************************************************
52 * Utility functions for Random address resolving
53 ******************************************************************************/
54
55 /*******************************************************************************
56 *
57 * Function btm_ble_init_pseudo_addr
58 *
59 * Description This function is used to initialize pseudo address.
60 * If pseudo address is not available, use dummy address
61 *
62 * Returns true is updated; false otherwise.
63 *
64 ******************************************************************************/
btm_ble_init_pseudo_addr(tBTM_SEC_DEV_REC * p_dev_rec,const RawAddress & new_pseudo_addr)65 bool btm_ble_init_pseudo_addr(tBTM_SEC_DEV_REC* p_dev_rec,
66 const RawAddress& new_pseudo_addr) {
67 if (p_dev_rec->ble.pseudo_addr.IsEmpty()) {
68 p_dev_rec->ble.pseudo_addr = new_pseudo_addr;
69 return true;
70 }
71
72 return false;
73 }
74
75 /* Return true if given Resolvable Privae Address |rpa| matches Identity
76 * Resolving Key |irk| */
rpa_matches_irk(const RawAddress & rpa,const Octet16 & irk)77 static bool rpa_matches_irk(const RawAddress& rpa, const Octet16& irk) {
78 /* use the 3 MSB of bd address as prand */
79 Octet16 rand{};
80 rand[0] = rpa.address[2];
81 rand[1] = rpa.address[1];
82 rand[2] = rpa.address[0];
83
84 /* generate X = E irk(R0, R1, R2) and R is random address 3 LSO */
85 Octet16 x = crypto_toolbox::aes_128(irk, rand);
86
87 rand[0] = rpa.address[5];
88 rand[1] = rpa.address[4];
89 rand[2] = rpa.address[3];
90
91 if (memcmp(x.data(), rand.data(), 3) == 0) {
92 // match
93 return true;
94 }
95 // not a match
96 return false;
97 }
98
99 /** This function checks if a RPA is resolvable by the device key.
100 * Returns true is resolvable; false otherwise.
101 */
btm_ble_addr_resolvable(const RawAddress & rpa,tBTM_SEC_DEV_REC * p_dev_rec)102 bool btm_ble_addr_resolvable(const RawAddress& rpa,
103 tBTM_SEC_DEV_REC* p_dev_rec) {
104 if (!BTM_BLE_IS_RESOLVE_BDA(rpa)) return false;
105
106 if ((p_dev_rec->device_type & BT_DEVICE_TYPE_BLE) &&
107 (p_dev_rec->sec_rec.ble_keys.key_type & BTM_LE_KEY_PID)) {
108 if (rpa_matches_irk(rpa, p_dev_rec->sec_rec.ble_keys.irk)) {
109 btm_ble_init_pseudo_addr(p_dev_rec, rpa);
110 return true;
111 }
112 }
113 return false;
114 }
115
116 /** This function match the random address to the appointed device record,
117 * starting from calculating IRK. If the record index exceeds the maximum record
118 * number, matching failed and send a callback. */
btm_ble_match_random_bda(void * data,void * context)119 static bool btm_ble_match_random_bda(void* data, void* context) {
120 tBTM_SEC_DEV_REC* p_dev_rec = static_cast<tBTM_SEC_DEV_REC*>(data);
121 RawAddress* random_bda = static_cast<RawAddress*>(context);
122
123 if (!(p_dev_rec->device_type & BT_DEVICE_TYPE_BLE) ||
124 !(p_dev_rec->sec_rec.ble_keys.key_type & BTM_LE_KEY_PID))
125 // Match fails preconditions
126 return true;
127
128 if (rpa_matches_irk(*random_bda, p_dev_rec->sec_rec.ble_keys.irk)) {
129 // Matched
130 return false;
131 }
132
133 // This item not a match, continue iteration
134 return true;
135 }
136
137 /** This function is called to resolve a random address.
138 * Returns pointer to the security record of the device whom a random address is
139 * matched to.
140 */
btm_ble_resolve_random_addr(const RawAddress & random_bda)141 tBTM_SEC_DEV_REC* btm_ble_resolve_random_addr(const RawAddress& random_bda) {
142 if (btm_sec_cb.sec_dev_rec == nullptr) return nullptr;
143 list_node_t* n = list_foreach(btm_sec_cb.sec_dev_rec,
144 btm_ble_match_random_bda, (void*)&random_bda);
145 return (n == nullptr) ? (nullptr)
146 : (static_cast<tBTM_SEC_DEV_REC*>(list_node(n)));
147 }
148
149 /*******************************************************************************
150 * address mapping between pseudo address and real connection address
151 ******************************************************************************/
152 /** Find the security record whose LE identity address is matching */
btm_find_dev_by_identity_addr(const RawAddress & bd_addr,uint8_t addr_type)153 static tBTM_SEC_DEV_REC* btm_find_dev_by_identity_addr(
154 const RawAddress& bd_addr, uint8_t addr_type) {
155 if (btm_sec_cb.sec_dev_rec == nullptr) return nullptr;
156
157 list_node_t* end = list_end(btm_sec_cb.sec_dev_rec);
158 for (list_node_t* node = list_begin(btm_sec_cb.sec_dev_rec); node != end;
159 node = list_next(node)) {
160 tBTM_SEC_DEV_REC* p_dev_rec =
161 static_cast<tBTM_SEC_DEV_REC*>(list_node(node));
162 if (p_dev_rec->ble.identity_address_with_type.bda == bd_addr) {
163 if ((p_dev_rec->ble.identity_address_with_type.type &
164 (~BLE_ADDR_TYPE_ID_BIT)) != (addr_type & (~BLE_ADDR_TYPE_ID_BIT)))
165 log::warn("pseudo->random match with diff addr type: {} vs {}",
166 p_dev_rec->ble.identity_address_with_type.type, addr_type);
167
168 /* found the match */
169 return p_dev_rec;
170 }
171 }
172
173 return NULL;
174 }
175
176 /*******************************************************************************
177 *
178 * Function btm_identity_addr_to_random_pseudo
179 *
180 * Description This function map a static BD address to a pseudo random
181 * address in security database.
182 *
183 ******************************************************************************/
btm_identity_addr_to_random_pseudo(RawAddress * bd_addr,tBLE_ADDR_TYPE * p_addr_type,bool refresh)184 bool btm_identity_addr_to_random_pseudo(RawAddress* bd_addr,
185 tBLE_ADDR_TYPE* p_addr_type,
186 bool refresh) {
187 tBTM_SEC_DEV_REC* p_dev_rec =
188 btm_find_dev_by_identity_addr(*bd_addr, *p_addr_type);
189 if (p_dev_rec == nullptr) {
190 return false;
191 }
192
193 /* evt reported on static address, map static address to random pseudo */
194 /* if RPA offloading is supported, or 4.2 controller, do RPA refresh */
195 if (refresh &&
196 bluetooth::shim::GetController()->GetLeResolvingListSize() != 0) {
197 btm_ble_read_resolving_list_entry(p_dev_rec);
198 }
199
200 /* assign the original address to be the current report address */
201 if (!btm_ble_init_pseudo_addr(p_dev_rec, *bd_addr)) {
202 *bd_addr = p_dev_rec->ble.pseudo_addr;
203 }
204
205 *p_addr_type = p_dev_rec->ble.AddressType();
206 return true;
207 }
208
btm_identity_addr_to_random_pseudo_from_address_with_type(tBLE_BD_ADDR * address_with_type,bool refresh)209 bool btm_identity_addr_to_random_pseudo_from_address_with_type(
210 tBLE_BD_ADDR* address_with_type, bool refresh) {
211 return btm_identity_addr_to_random_pseudo(
212 &(address_with_type->bda), &(address_with_type->type), refresh);
213 }
214
215 /*******************************************************************************
216 *
217 * Function btm_random_pseudo_to_identity_addr
218 *
219 * Description This function map a random pseudo address to a public
220 * address. random_pseudo is input and output parameter
221 *
222 ******************************************************************************/
btm_random_pseudo_to_identity_addr(RawAddress * random_pseudo,tBLE_ADDR_TYPE * p_identity_addr_type)223 bool btm_random_pseudo_to_identity_addr(RawAddress* random_pseudo,
224 tBLE_ADDR_TYPE* p_identity_addr_type) {
225 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(*random_pseudo);
226
227 if (p_dev_rec != NULL) {
228 if (p_dev_rec->ble.in_controller_list & BTM_RESOLVING_LIST_BIT) {
229 *p_identity_addr_type = p_dev_rec->ble.identity_address_with_type.type;
230 *random_pseudo = p_dev_rec->ble.identity_address_with_type.bda;
231 if (bluetooth::shim::GetController()->SupportsBlePrivacy())
232 *p_identity_addr_type |= BLE_ADDR_TYPE_ID_BIT;
233 return true;
234 }
235 }
236 return false;
237 }
238
239 /*******************************************************************************
240 *
241 * Function btm_ble_refresh_peer_resolvable_private_addr
242 *
243 * Description This function refresh the currently used resolvable remote
244 * private address into security database and set active
245 * connection address.
246 *
247 ******************************************************************************/
btm_ble_refresh_peer_resolvable_private_addr(const RawAddress & pseudo_bda,const RawAddress & rpa,tBLE_RAND_ADDR_TYPE rra_type)248 void btm_ble_refresh_peer_resolvable_private_addr(
249 const RawAddress& pseudo_bda, const RawAddress& rpa,
250 tBLE_RAND_ADDR_TYPE rra_type) {
251 tBTM_SEC_DEV_REC* p_sec_rec = btm_find_dev(pseudo_bda);
252 if (p_sec_rec == nullptr) {
253 log::warn("No matching known device in record");
254 return;
255 }
256
257 p_sec_rec->ble.cur_rand_addr = rpa;
258
259 if (rra_type == BTM_BLE_ADDR_PSEUDO) {
260 p_sec_rec->ble.active_addr_type =
261 rpa.IsEmpty() ? BTM_BLE_ADDR_STATIC : BTM_BLE_ADDR_RRA;
262 } else {
263 p_sec_rec->ble.active_addr_type = rra_type;
264 }
265
266 /* connection refresh remote address */
267 const auto& identity_address = p_sec_rec->ble.identity_address_with_type.bda;
268 auto identity_address_type = p_sec_rec->ble.identity_address_with_type.type;
269
270 if (!acl_refresh_remote_address(identity_address, identity_address_type,
271 p_sec_rec->bd_addr, rra_type, rpa)) {
272 // Try looking up the pseudo random address
273 if (!acl_refresh_remote_address(identity_address, identity_address_type,
274 p_sec_rec->ble.pseudo_addr, rra_type,
275 rpa)) {
276 log::error("Unknown device to refresh remote device");
277 }
278 }
279 }
280
maybe_resolve_address(RawAddress * bda,tBLE_ADDR_TYPE * bda_type)281 bool maybe_resolve_address(RawAddress* bda, tBLE_ADDR_TYPE* bda_type) {
282 bool is_in_security_db = false;
283 tBLE_ADDR_TYPE peer_addr_type = *bda_type;
284 bool addr_is_rpa =
285 (peer_addr_type == BLE_ADDR_RANDOM && BTM_BLE_IS_RESOLVE_BDA(*bda));
286
287 /* We must translate whatever address we received into the "pseudo" address.
288 * i.e. if we bonded with device that was using RPA for first connection,
289 * "pseudo" address is equal to this RPA. If it later decides to use Public
290 * address, or Random Static Address, we convert it into the "pseudo"
291 * address here. */
292 if (!addr_is_rpa || peer_addr_type & BLE_ADDR_TYPE_ID_BIT) {
293 is_in_security_db = btm_identity_addr_to_random_pseudo(bda, bda_type, true);
294 }
295
296 /* possiblly receive connection complete with resolvable random while
297 the device has been paired */
298 if (!is_in_security_db && addr_is_rpa) {
299 tBTM_SEC_DEV_REC* match_rec = btm_ble_resolve_random_addr(*bda);
300 if (match_rec) {
301 log::info("matched/resolved random address:{}", *bda);
302 is_in_security_db = true;
303 match_rec->ble.active_addr_type = BTM_BLE_ADDR_RRA;
304 match_rec->ble.cur_rand_addr = *bda;
305 if (!btm_ble_init_pseudo_addr(match_rec, *bda)) {
306 /* assign the original address to be the current report address */
307 *bda = match_rec->ble.pseudo_addr;
308 *bda_type = match_rec->ble.AddressType();
309 } else {
310 *bda = match_rec->bd_addr;
311 }
312 } else {
313 log::info("unable to match/resolve random address:{}", *bda);
314 }
315 }
316 return is_in_security_db;
317 }
318