1 /******************************************************************************
2 *
3 * Copyright 1999-2012 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18
19 /******************************************************************************
20 *
21 * This file contains functions for BLE address management.
22 *
23 ******************************************************************************/
24
25 #define LOG_TAG "ble"
26
27 #include "stack/include/btm_ble_addr.h"
28
29 #include <base/functional/bind.h>
30 #include <bluetooth/log.h>
31 #include <string.h>
32
33 #include "btm_ble_int.h"
34 #include "btm_dev.h"
35 #include "btm_sec_cb.h"
36 #include "crypto_toolbox/crypto_toolbox.h"
37 #include "hci/controller_interface.h"
38 #include "main/shim/entry.h"
39 #include "stack/btm/btm_int_types.h"
40 #include "stack/include/acl_api.h"
41 #include "stack/include/bt_octets.h"
42 #include "stack/include/btm_ble_privacy.h"
43 #include "types/ble_address_with_type.h"
44 #include "types/raw_address.h"
45
46 using namespace bluetooth;
47
48 extern tBTM_CB btm_cb;
49
50 /*******************************************************************************
51 * Utility functions for Random address resolving
52 ******************************************************************************/
53
54 /*******************************************************************************
55 *
56 * Function btm_ble_init_pseudo_addr
57 *
58 * Description This function is used to initialize pseudo address.
59 * If pseudo address is not available, use dummy address
60 *
61 * Returns true is updated; false otherwise.
62 *
63 ******************************************************************************/
btm_ble_init_pseudo_addr(tBTM_SEC_DEV_REC * p_dev_rec,const RawAddress & new_pseudo_addr)64 bool btm_ble_init_pseudo_addr(tBTM_SEC_DEV_REC* p_dev_rec, const RawAddress& new_pseudo_addr) {
65 if (p_dev_rec->ble.pseudo_addr.IsEmpty()) {
66 p_dev_rec->ble.pseudo_addr = new_pseudo_addr;
67 return true;
68 }
69
70 return false;
71 }
72
73 /* Return true if given Resolvable Privae Address |rpa| matches Identity
74 * Resolving Key |irk| */
rpa_matches_irk(const RawAddress & rpa,const Octet16 & irk)75 static bool rpa_matches_irk(const RawAddress& rpa, const Octet16& irk) {
76 /* use the 3 MSB of bd address as prand */
77 Octet16 rand{};
78 rand[0] = rpa.address[2];
79 rand[1] = rpa.address[1];
80 rand[2] = rpa.address[0];
81
82 /* generate X = E irk(R0, R1, R2) and R is random address 3 LSO */
83 Octet16 x = crypto_toolbox::aes_128(irk, rand);
84
85 rand[0] = rpa.address[5];
86 rand[1] = rpa.address[4];
87 rand[2] = rpa.address[3];
88
89 if (memcmp(x.data(), rand.data(), 3) == 0) {
90 // match
91 return true;
92 }
93 // not a match
94 return false;
95 }
96
97 /** This function checks if a RPA is resolvable by the device key.
98 * Returns true is resolvable; false otherwise.
99 */
btm_ble_addr_resolvable(const RawAddress & rpa,tBTM_SEC_DEV_REC * p_dev_rec)100 bool btm_ble_addr_resolvable(const RawAddress& rpa, tBTM_SEC_DEV_REC* p_dev_rec) {
101 if (!BTM_BLE_IS_RESOLVE_BDA(rpa)) {
102 return false;
103 }
104
105 if ((p_dev_rec->device_type & BT_DEVICE_TYPE_BLE) &&
106 (p_dev_rec->sec_rec.ble_keys.key_type & BTM_LE_KEY_PID)) {
107 if (rpa_matches_irk(rpa, p_dev_rec->sec_rec.ble_keys.irk)) {
108 btm_ble_init_pseudo_addr(p_dev_rec, rpa);
109 return true;
110 }
111 }
112 return false;
113 }
114
115 /** This function match the random address to the appointed device record,
116 * starting from calculating IRK. If the record index exceeds the maximum record
117 * number, matching failed and send a callback. */
btm_ble_match_random_bda(void * data,void * context)118 static bool btm_ble_match_random_bda(void* data, void* context) {
119 tBTM_SEC_DEV_REC* p_dev_rec = static_cast<tBTM_SEC_DEV_REC*>(data);
120 RawAddress* random_bda = static_cast<RawAddress*>(context);
121
122 if (!(p_dev_rec->device_type & BT_DEVICE_TYPE_BLE) ||
123 !(p_dev_rec->sec_rec.ble_keys.key_type & BTM_LE_KEY_PID)) {
124 // Match fails preconditions
125 return true;
126 }
127
128 if (rpa_matches_irk(*random_bda, p_dev_rec->sec_rec.ble_keys.irk)) {
129 // Matched
130 return false;
131 }
132
133 // This item not a match, continue iteration
134 return true;
135 }
136
137 /** This function is called to resolve a random address.
138 * Returns pointer to the security record of the device whom a random address is
139 * matched to.
140 */
btm_ble_resolve_random_addr(const RawAddress & random_bda)141 tBTM_SEC_DEV_REC* btm_ble_resolve_random_addr(const RawAddress& random_bda) {
142 if (btm_sec_cb.sec_dev_rec == nullptr) {
143 return nullptr;
144 }
145 list_node_t* n =
146 list_foreach(btm_sec_cb.sec_dev_rec, btm_ble_match_random_bda, (void*)&random_bda);
147 return (n == nullptr) ? (nullptr) : (static_cast<tBTM_SEC_DEV_REC*>(list_node(n)));
148 }
149
150 /*******************************************************************************
151 * address mapping between pseudo address and real connection address
152 ******************************************************************************/
153 /** Find the security record whose LE identity address is matching */
btm_find_dev_by_identity_addr(const RawAddress & bd_addr,uint8_t addr_type)154 static tBTM_SEC_DEV_REC* btm_find_dev_by_identity_addr(const RawAddress& bd_addr,
155 uint8_t addr_type) {
156 if (btm_sec_cb.sec_dev_rec == nullptr) {
157 return nullptr;
158 }
159
160 list_node_t* end = list_end(btm_sec_cb.sec_dev_rec);
161 for (list_node_t* node = list_begin(btm_sec_cb.sec_dev_rec); node != end;
162 node = list_next(node)) {
163 tBTM_SEC_DEV_REC* p_dev_rec = static_cast<tBTM_SEC_DEV_REC*>(list_node(node));
164 if (p_dev_rec->ble.identity_address_with_type.bda == bd_addr) {
165 if ((p_dev_rec->ble.identity_address_with_type.type & (~BLE_ADDR_TYPE_ID_BIT)) !=
166 (addr_type & (~BLE_ADDR_TYPE_ID_BIT))) {
167 log::warn("pseudo->random match with diff addr type: {} vs {}",
168 p_dev_rec->ble.identity_address_with_type.type, addr_type);
169 }
170
171 /* found the match */
172 return p_dev_rec;
173 }
174 }
175
176 return NULL;
177 }
178
179 /*******************************************************************************
180 *
181 * Function btm_identity_addr_to_random_pseudo
182 *
183 * Description This function map a static BD address to a pseudo random
184 * address in security database.
185 *
186 ******************************************************************************/
btm_identity_addr_to_random_pseudo(RawAddress * bd_addr,tBLE_ADDR_TYPE * p_addr_type,bool refresh)187 bool btm_identity_addr_to_random_pseudo(RawAddress* bd_addr, tBLE_ADDR_TYPE* p_addr_type,
188 bool refresh) {
189 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_identity_addr(*bd_addr, *p_addr_type);
190 if (p_dev_rec == nullptr) {
191 return false;
192 }
193
194 /* evt reported on static address, map static address to random pseudo */
195 /* if RPA offloading is supported, or 4.2 controller, do RPA refresh */
196 if (refresh && bluetooth::shim::GetController()->GetLeResolvingListSize() != 0) {
197 btm_ble_read_resolving_list_entry(p_dev_rec);
198 }
199
200 /* assign the original address to be the current report address */
201 if (!btm_ble_init_pseudo_addr(p_dev_rec, *bd_addr)) {
202 *bd_addr = p_dev_rec->ble.pseudo_addr;
203 }
204
205 *p_addr_type = p_dev_rec->ble.AddressType();
206 return true;
207 }
208
btm_identity_addr_to_random_pseudo_from_address_with_type(tBLE_BD_ADDR * address_with_type,bool refresh)209 bool btm_identity_addr_to_random_pseudo_from_address_with_type(tBLE_BD_ADDR* address_with_type,
210 bool refresh) {
211 return btm_identity_addr_to_random_pseudo(&(address_with_type->bda), &(address_with_type->type),
212 refresh);
213 }
214
215 /*******************************************************************************
216 *
217 * Function btm_random_pseudo_to_identity_addr
218 *
219 * Description This function map a random pseudo address to a public
220 * address. random_pseudo is input and output parameter
221 *
222 ******************************************************************************/
btm_random_pseudo_to_identity_addr(RawAddress * random_pseudo,tBLE_ADDR_TYPE * p_identity_addr_type)223 bool btm_random_pseudo_to_identity_addr(RawAddress* random_pseudo,
224 tBLE_ADDR_TYPE* p_identity_addr_type) {
225 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(*random_pseudo);
226
227 if (p_dev_rec != NULL) {
228 if (p_dev_rec->ble.in_controller_list & BTM_RESOLVING_LIST_BIT) {
229 *p_identity_addr_type = p_dev_rec->ble.identity_address_with_type.type;
230 *random_pseudo = p_dev_rec->ble.identity_address_with_type.bda;
231 if (bluetooth::shim::GetController()->SupportsBlePrivacy()) {
232 *p_identity_addr_type |= BLE_ADDR_TYPE_ID_BIT;
233 }
234 return true;
235 }
236 }
237 return false;
238 }
239
240 /*******************************************************************************
241 *
242 * Function btm_ble_refresh_peer_resolvable_private_addr
243 *
244 * Description This function refresh the currently used resolvable remote
245 * private address into security database and set active
246 * connection address.
247 *
248 ******************************************************************************/
btm_ble_refresh_peer_resolvable_private_addr(const RawAddress & pseudo_bda,const RawAddress & rpa,tBLE_RAND_ADDR_TYPE rra_type)249 void btm_ble_refresh_peer_resolvable_private_addr(const RawAddress& pseudo_bda,
250 const RawAddress& rpa,
251 tBLE_RAND_ADDR_TYPE rra_type) {
252 tBTM_SEC_DEV_REC* p_sec_rec = btm_find_dev(pseudo_bda);
253 if (p_sec_rec == nullptr) {
254 log::warn("No matching known device in record");
255 return;
256 }
257
258 p_sec_rec->ble.cur_rand_addr = rpa;
259
260 if (rra_type == BTM_BLE_ADDR_PSEUDO) {
261 p_sec_rec->ble.active_addr_type = rpa.IsEmpty() ? BTM_BLE_ADDR_STATIC : BTM_BLE_ADDR_RRA;
262 } else {
263 p_sec_rec->ble.active_addr_type = rra_type;
264 }
265
266 /* connection refresh remote address */
267 const auto& identity_address = p_sec_rec->ble.identity_address_with_type.bda;
268 auto identity_address_type = p_sec_rec->ble.identity_address_with_type.type;
269
270 if (!acl_refresh_remote_address(identity_address, identity_address_type, p_sec_rec->bd_addr,
271 rra_type, rpa)) {
272 // Try looking up the pseudo random address
273 if (!acl_refresh_remote_address(identity_address, identity_address_type,
274 p_sec_rec->ble.pseudo_addr, rra_type, rpa)) {
275 log::error("Unknown device to refresh remote device");
276 }
277 }
278 }
279
maybe_resolve_address(RawAddress * bda,tBLE_ADDR_TYPE * bda_type)280 bool maybe_resolve_address(RawAddress* bda, tBLE_ADDR_TYPE* bda_type) {
281 bool is_in_security_db = false;
282 tBLE_ADDR_TYPE peer_addr_type = *bda_type;
283 bool addr_is_rpa = (peer_addr_type == BLE_ADDR_RANDOM && BTM_BLE_IS_RESOLVE_BDA(*bda));
284
285 /* We must translate whatever address we received into the "pseudo" address.
286 * i.e. if we bonded with device that was using RPA for first connection,
287 * "pseudo" address is equal to this RPA. If it later decides to use Public
288 * address, or Random Static Address, we convert it into the "pseudo"
289 * address here. */
290 if (!addr_is_rpa || peer_addr_type & BLE_ADDR_TYPE_ID_BIT) {
291 is_in_security_db = btm_identity_addr_to_random_pseudo(bda, bda_type, true);
292 }
293
294 /* possiblly receive connection complete with resolvable random while
295 the device has been paired */
296 if (!is_in_security_db && addr_is_rpa) {
297 tBTM_SEC_DEV_REC* match_rec = btm_ble_resolve_random_addr(*bda);
298 if (match_rec) {
299 log::info("matched/resolved random address:{}", *bda);
300 is_in_security_db = true;
301 match_rec->ble.active_addr_type = BTM_BLE_ADDR_RRA;
302 match_rec->ble.cur_rand_addr = *bda;
303 if (!btm_ble_init_pseudo_addr(match_rec, *bda)) {
304 /* assign the original address to be the current report address */
305 *bda = match_rec->ble.pseudo_addr;
306 *bda_type = match_rec->ble.AddressType();
307 } else {
308 *bda = match_rec->bd_addr;
309 }
310 } else {
311 log::info("unable to match/resolve random address:{}", *bda);
312 }
313 }
314 return is_in_security_db;
315 }
316