1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
|
/******************************************************************************
*
* Copyright 2019 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at:
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
******************************************************************************/
#include "security/pairing_handler_le.h"
#include "os/rand.h"
namespace bluetooth {
namespace security {
MyOobData PairingHandlerLe::GenerateOobData() {
MyOobData data{};
std::tie(data.private_key, data.public_key) = GenerateECDHKeyPair();
data.r = bluetooth::os::GenerateRandom<16>();
data.c = crypto_toolbox::f4(data.public_key.x.data(), data.public_key.x.data(), data.r, 0);
return data;
}
void PairingHandlerLe::PairingMain(InitialInformations i) {
LOG_INFO("Pairing Started");
if (i.remotely_initiated) {
LOG_INFO("Was remotely initiated, presenting user with the accept prompt");
i.user_interface_handler->Post(common::BindOnce(&UI::DisplayPairingPrompt, common::Unretained(i.user_interface),
i.remote_connection_address, i.remote_name));
// If pairing was initiated by remote device, wait for the user to accept
// the request from the UI.
LOG_INFO("Waiting for the prompt response");
std::optional<PairingEvent> pairingAccepted = WaitUiPairingAccept();
if (!pairingAccepted || pairingAccepted->ui_value == 0) {
LOG_INFO("User either did not accept the remote pairing, or the prompt timed out");
// TODO: Uncomment this one once we find a way to attempt to send packet when the link is down
// SendL2capPacket(i, PairingFailedBuilder::Create(PairingFailedReason::UNSPECIFIED_REASON));
i.OnPairingFinished(PairingFailure("User either did not accept the remote pairing, or the prompt timed out"));
return;
}
LOG_INFO("Pairing prompt accepted");
}
/************************************************ PHASE 1 *********************************************************/
Phase1ResultOrFailure phase_1_result = ExchangePairingFeature(i);
if (std::holds_alternative<PairingFailure>(phase_1_result)) {
LOG_WARN("Pairing failed in phase 1");
// We already send pairing fialed in lower layer. Which one should do that ? how about disconneciton?
// SendL2capPacket(i, PairingFailedBuilder::Create(PairingFailedReason::UNSPECIFIED_REASON));
// TODO: disconnect?
i.OnPairingFinished(std::get<PairingFailure>(phase_1_result));
return;
}
auto [pairing_request, pairing_response] = std::get<Phase1Result>(phase_1_result);
uint8_t key_size =
std::min(pairing_request.GetMaximumEncryptionKeySize(), pairing_response.GetMaximumEncryptionKeySize());
if (key_size < 7 || key_size > 16) {
LOG_WARN("Resulting key size is bad %d", key_size);
SendL2capPacket(i, PairingFailedBuilder::Create(PairingFailedReason::ENCRYPTION_KEY_SIZE));
i.OnPairingFinished(PairingFailure("Resulting key size is bad", PairingFailedReason::ENCRYPTION_KEY_SIZE));
return;
}
if (key_size != 16) {
LOG_WARN("Resulting key size is less than 16 octets!");
}
/************************************************ PHASE 2 *********************************************************/
bool isSecureConnections = pairing_request.GetAuthReq() & pairing_response.GetAuthReq() & AuthReqMaskSc;
if (isSecureConnections) {
// 2.3.5.6 LE Secure Connections pairing phase 2
LOG_INFO("Pairing Phase 2 LE Secure connections Started");
/*
TODO: what to do with this piece of spec ?
If Secure Connections pairing has been initiated over BR/EDR, the
following fields of the SM Pairing Request PDU are reserved for future use:
• the IO Capability field,
• the OOB data flag field, and
• all bits in the Auth Req field except the CT2 bit.
*/
OobDataFlag remote_have_oob_data =
IAmCentral(i) ? pairing_response.GetOobDataFlag() : pairing_request.GetOobDataFlag();
auto key_exchange_result = ExchangePublicKeys(i, remote_have_oob_data);
if (std::holds_alternative<PairingFailure>(key_exchange_result)) {
LOG_ERROR("Public key exchange failed");
i.OnPairingFinished(std::get<PairingFailure>(key_exchange_result));
return;
}
auto [PKa, PKb, dhkey] = std::get<KeyExchangeResult>(key_exchange_result);
// Public key exchange finished, Diffie-Hellman key computed.
Stage1ResultOrFailure stage1result = DoSecureConnectionsStage1(i, PKa, PKb, pairing_request, pairing_response);
if (std::holds_alternative<PairingFailure>(stage1result)) {
i.OnPairingFinished(std::get<PairingFailure>(stage1result));
return;
}
Stage2ResultOrFailure stage_2_result = DoSecureConnectionsStage2(i, PKa, PKb, pairing_request, pairing_response,
std::get<Stage1Result>(stage1result), dhkey);
if (std::holds_alternative<PairingFailure>(stage_2_result)) {
i.OnPairingFinished(std::get<PairingFailure>(stage_2_result));
return;
}
Octet16 ltk = std::get<Octet16>(stage_2_result);
// Mask the key
std::fill(ltk.begin() + key_size, ltk.end(), 0x00);
if (IAmCentral(i)) {
LOG_INFO("Sending start encryption request");
SendHciLeStartEncryption(i, i.connection_handle, {0}, {0}, ltk);
} else {
auto ltk_req = WaitLeLongTermKeyRequest();
SendHciLeLongTermKeyReply(i, i.connection_handle, ltk);
}
} else {
// 2.3.5.5 LE legacy pairing phase 2
LOG_INFO("Pairing Phase 2 LE legacy pairing Started");
LegacyStage1ResultOrFailure stage1result = DoLegacyStage1(i, pairing_request, pairing_response);
if (std::holds_alternative<PairingFailure>(stage1result)) {
LOG_ERROR("Phase 1 failed");
i.OnPairingFinished(std::get<PairingFailure>(stage1result));
return;
}
Octet16 tk = std::get<Octet16>(stage1result);
StkOrFailure stage2result = DoLegacyStage2(i, pairing_request, pairing_response, tk);
if (std::holds_alternative<PairingFailure>(stage2result)) {
LOG_ERROR("stage 2 failed");
i.OnPairingFinished(std::get<PairingFailure>(stage2result));
return;
}
Octet16 stk = std::get<Octet16>(stage2result);
// Mask the key
std::fill(stk.begin() + key_size, stk.end(), 0x00);
if (IAmCentral(i)) {
LOG_INFO("Sending start encryption request");
SendHciLeStartEncryption(i, i.connection_handle, {0}, {0}, stk);
} else {
auto ltk_req = WaitLeLongTermKeyRequest();
SendHciLeLongTermKeyReply(i, i.connection_handle, stk);
}
}
/************************************************ PHASE 3 *********************************************************/
LOG_INFO("Waiting for encryption changed");
auto encryption_change_result = WaitEncryptionChanged();
if (std::holds_alternative<PairingFailure>(encryption_change_result)) {
i.OnPairingFinished(std::get<PairingFailure>(encryption_change_result));
return;
} else if (std::holds_alternative<EncryptionChangeView>(encryption_change_result)) {
EncryptionChangeView encryption_changed = std::get<EncryptionChangeView>(encryption_change_result);
if (encryption_changed.GetStatus() != hci::ErrorCode::SUCCESS ||
encryption_changed.GetEncryptionEnabled() != hci::EncryptionEnabled::ON) {
i.OnPairingFinished(PairingFailure("Encryption change failed"));
return;
}
} else if (std::holds_alternative<EncryptionKeyRefreshCompleteView>(encryption_change_result)) {
EncryptionKeyRefreshCompleteView encryption_changed =
std::get<EncryptionKeyRefreshCompleteView>(encryption_change_result);
if (encryption_changed.GetStatus() != hci::ErrorCode::SUCCESS) {
i.OnPairingFinished(PairingFailure("Encryption key refresh failed"));
return;
}
} else {
i.OnPairingFinished(PairingFailure("Unknown case of encryption change result"));
return;
}
LOG_INFO("Encryption change finished successfully");
DistributedKeysOrFailure keyExchangeStatus = DistributeKeys(i, pairing_response, isSecureConnections);
if (std::holds_alternative<PairingFailure>(keyExchangeStatus)) {
i.OnPairingFinished(std::get<PairingFailure>(keyExchangeStatus));
LOG_ERROR("Key exchange failed");
return;
}
// If it's secure connections pairing, do cross-transport key derivation
DistributedKeys distributed_keys = std::get<DistributedKeys>(keyExchangeStatus);
if ((pairing_response.GetAuthReq() & AuthReqMaskSc) && distributed_keys.remote_ltk.has_value()) {
bool use_h7 = (pairing_response.GetAuthReq() & AuthReqMaskCt2);
Octet16 link_key = crypto_toolbox::ltk_to_link_key(*(distributed_keys.remote_ltk), use_h7);
distributed_keys.remote_link_key = link_key;
}
// bool bonding = pairing_request.GetAuthReq() & pairing_response.GetAuthReq() & AuthReqMaskBondingFlag;
i.OnPairingFinished(PairingResult{
.connection_address = i.remote_connection_address,
.distributed_keys = distributed_keys,
.key_size = key_size,
});
LOG_INFO("Pairing finished successfully.");
}
Phase1ResultOrFailure PairingHandlerLe::ExchangePairingFeature(const InitialInformations& i) {
LOG_INFO("Phase 1 start");
if (IAmCentral(i)) {
// Send Pairing Request
const auto& x = i.myPairingCapabilities;
auto pairing_request_builder =
PairingRequestBuilder::Create(x.io_capability, x.oob_data_flag, x.auth_req, x.maximum_encryption_key_size,
x.initiator_key_distribution, x.responder_key_distribution);
// basically pairing_request = myPairingCapabilities;
// Convert builder to view
std::shared_ptr<std::vector<uint8_t>> packet_bytes = std::make_shared<std::vector<uint8_t>>();
BitInserter it(*packet_bytes);
pairing_request_builder->Serialize(it);
PacketView<kLittleEndian> packet_bytes_view(packet_bytes);
auto temp_cmd_view = CommandView::Create(packet_bytes_view);
auto pairing_request = PairingRequestView::Create(temp_cmd_view);
ASSERT(pairing_request.IsValid());
LOG_INFO("Sending Pairing Request");
SendL2capPacket(i, std::move(pairing_request_builder));
LOG_INFO("Waiting for Pairing Response");
auto response = WaitPairingResponse();
/* There is a potential collision where the peripheral initiates the pairing at the same time we initiate it, by
* sending security request. */
if (std::holds_alternative<PairingFailure>(response) &&
std::get<PairingFailure>(response).received_code_ == Code::SECURITY_REQUEST) {
LOG_INFO("Received security request, waiting for Pairing Response again...");
response = WaitPairingResponse();
}
if (std::holds_alternative<PairingFailure>(response)) {
// TODO: should the failure reason be different in some cases ? How about
// when we lost connection ? Don't send anything at all, or have L2CAP
// layer ignore it?
SendL2capPacket(i, PairingFailedBuilder::Create(PairingFailedReason::UNSPECIFIED_REASON));
return std::get<PairingFailure>(response);
}
auto pairing_response = std::get<PairingResponseView>(response);
LOG_INFO("Phase 1 finish");
return Phase1Result{pairing_request, pairing_response};
} else {
std::optional<PairingRequestView> pairing_request;
if (i.remotely_initiated) {
if (!i.pairing_request.has_value()) {
return PairingFailure("You must pass PairingRequest as a initial information to peripheral!");
}
pairing_request = i.pairing_request.value();
if (!pairing_request->IsValid()) return PairingFailure("Malformed PairingRequest");
} else {
SendL2capPacket(i, SecurityRequestBuilder::Create(i.myPairingCapabilities.auth_req));
LOG_INFO("Waiting for Pairing Request");
auto request = WaitPairingRequest();
if (std::holds_alternative<PairingFailure>(request)) {
LOG_INFO("%s", std::get<PairingFailure>(request).message.c_str());
SendL2capPacket(i, PairingFailedBuilder::Create(PairingFailedReason::UNSPECIFIED_REASON));
return std::get<PairingFailure>(request);
}
pairing_request = std::get<PairingRequestView>(request);
}
uint8_t key_size = pairing_request->GetMaximumEncryptionKeySize();
if (key_size < 7 || key_size > 16) {
LOG_WARN("Resulting key size is bad %d", key_size);
SendL2capPacket(i, PairingFailedBuilder::Create(PairingFailedReason::ENCRYPTION_KEY_SIZE));
return PairingFailure("Resulting key size is bad", PairingFailedReason::ENCRYPTION_KEY_SIZE);
}
// Send Pairing Request
const auto& x = i.myPairingCapabilities;
// basically pairing_response_builder = my_first_packet;
// We are not allowed to enable bits that the remote did not allow us to set in initiator_key_dist and
// responder_key_distribution
auto pairing_response_builder =
PairingResponseBuilder::Create(x.io_capability, x.oob_data_flag, x.auth_req, x.maximum_encryption_key_size,
x.initiator_key_distribution & pairing_request->GetInitiatorKeyDistribution(),
x.responder_key_distribution & pairing_request->GetResponderKeyDistribution());
// Convert builder to view
std::shared_ptr<std::vector<uint8_t>> packet_bytes = std::make_shared<std::vector<uint8_t>>();
BitInserter it(*packet_bytes);
pairing_response_builder->Serialize(it);
PacketView<kLittleEndian> packet_bytes_view(packet_bytes);
auto temp_cmd_view = CommandView::Create(packet_bytes_view);
auto pairing_response = PairingResponseView::Create(temp_cmd_view);
ASSERT(pairing_response.IsValid());
LOG_INFO("Sending Pairing Response");
SendL2capPacket(i, std::move(pairing_response_builder));
LOG_INFO("Phase 1 finish");
return Phase1Result{pairing_request.value(), pairing_response};
}
}
DistributedKeysOrFailure PairingHandlerLe::DistributeKeys(const InitialInformations& i,
const PairingResponseView& pairing_response,
bool isSecureConnections) {
uint8_t keys_i_receive =
IAmCentral(i) ? pairing_response.GetResponderKeyDistribution() : pairing_response.GetInitiatorKeyDistribution();
uint8_t keys_i_send =
IAmCentral(i) ? pairing_response.GetInitiatorKeyDistribution() : pairing_response.GetResponderKeyDistribution();
// In Secure Connections on the LE Transport, the EncKey field shall be ignored
if (isSecureConnections) {
keys_i_send = (~KeyMaskEnc) & keys_i_send;
keys_i_receive = (~KeyMaskEnc) & keys_i_receive;
}
LOG_INFO("Key distribution start, keys_i_send=0x%02x, keys_i_receive=0x%02x", keys_i_send, keys_i_receive);
// TODO: obtain actual values, and apply key_size to the LTK
Octet16 my_ltk = bluetooth::os::GenerateRandom<16>();
uint16_t my_ediv = bluetooth::os::GenerateRandom();
std::array<uint8_t, 8> my_rand = bluetooth::os::GenerateRandom<8>();
Octet16 my_irk = i.my_identity_resolving_key;
Address my_identity_address = i.my_identity_address.GetAddress();
AddrType my_identity_address_type =
static_cast<bluetooth::security::AddrType>(i.my_identity_address.GetAddressType());
Octet16 my_signature_key{0};
if (IAmCentral(i)) {
// EncKey is unused for LE Secure Connections
DistributedKeysOrFailure keys = ReceiveKeys(keys_i_receive);
if (std::holds_alternative<PairingFailure>(keys)) {
return keys;
}
SendKeys(i, keys_i_send, my_ltk, my_ediv, my_rand, my_irk, my_identity_address, my_identity_address_type,
my_signature_key);
std::get<DistributedKeys>(keys).local_ltk = my_ltk;
std::get<DistributedKeys>(keys).local_ediv = my_ediv;
std::get<DistributedKeys>(keys).local_rand = my_rand;
LOG_INFO("Key distribution finish");
return keys;
} else {
SendKeys(i, keys_i_send, my_ltk, my_ediv, my_rand, my_irk, my_identity_address, my_identity_address_type,
my_signature_key);
DistributedKeysOrFailure keys = ReceiveKeys(keys_i_receive);
if (std::holds_alternative<PairingFailure>(keys)) {
return keys;
}
std::get<DistributedKeys>(keys).local_ltk = my_ltk;
std::get<DistributedKeys>(keys).local_ediv = my_ediv;
std::get<DistributedKeys>(keys).local_rand = my_rand;
LOG_INFO("Key distribution finish");
return keys;
}
}
DistributedKeysOrFailure PairingHandlerLe::ReceiveKeys(const uint8_t& keys_i_receive) {
std::optional<Octet16> ltk; /* Legacy only */
std::optional<uint16_t> ediv; /* Legacy only */
std::optional<std::array<uint8_t, 8>> rand; /* Legacy only */
std::optional<hci::AddressWithType> identity_address;
std::optional<Octet16> irk;
std::optional<Octet16> signature_key;
if (keys_i_receive & KeyMaskEnc) {
{
auto packet = WaitEncryptionInformation();
if (std::holds_alternative<PairingFailure>(packet)) {
LOG_ERROR(" Was expecting Encryption Information but did not receive!");
return std::get<PairingFailure>(packet);
}
ltk = std::get<EncryptionInformationView>(packet).GetLongTermKey();
}
{
auto packet = WaitCentralIdentification();
if (std::holds_alternative<PairingFailure>(packet)) {
LOG_ERROR(" Was expecting Central Identification but did not receive!");
return std::get<PairingFailure>(packet);
}
ediv = std::get<CentralIdentificationView>(packet).GetEdiv();
rand = std::get<CentralIdentificationView>(packet).GetRand();
}
}
if (keys_i_receive & KeyMaskId) {
auto packet = WaitIdentityInformation();
if (std::holds_alternative<PairingFailure>(packet)) {
LOG_ERROR(" Was expecting Identity Information but did not receive!");
return std::get<PairingFailure>(packet);
}
LOG_INFO("Received Identity Information");
irk = std::get<IdentityInformationView>(packet).GetIdentityResolvingKey();
auto iapacket = WaitIdentityAddressInformation();
if (std::holds_alternative<PairingFailure>(iapacket)) {
LOG_ERROR(
"Was expecting Identity Address Information but did "
"not receive!");
return std::get<PairingFailure>(iapacket);
}
LOG_INFO("Received Identity Address Information");
auto iapacketview = std::get<IdentityAddressInformationView>(iapacket);
identity_address = hci::AddressWithType(iapacketview.GetBdAddr(), iapacketview.GetAddrType() == AddrType::PUBLIC
? hci::AddressType::PUBLIC_DEVICE_ADDRESS
: hci::AddressType::RANDOM_DEVICE_ADDRESS);
}
if (keys_i_receive & KeyMaskSign) {
auto packet = WaitSigningInformation();
if (std::holds_alternative<PairingFailure>(packet)) {
LOG_ERROR(" Was expecting Signing Information but did not receive!");
return std::get<PairingFailure>(packet);
}
LOG_INFO("Received Signing Information");
signature_key = std::get<SigningInformationView>(packet).GetSignatureKey();
}
return DistributedKeys{.remote_ltk = ltk,
.remote_ediv = ediv,
.remote_rand = rand,
.remote_identity_address = identity_address,
.remote_irk = irk,
.remote_signature_key = signature_key};
}
void PairingHandlerLe::SendKeys(const InitialInformations& i, const uint8_t& keys_i_send, Octet16 ltk, uint16_t ediv,
std::array<uint8_t, 8> rand, Octet16 irk, Address identity_address,
AddrType identity_addres_type, Octet16 signature_key) {
if (keys_i_send & KeyMaskEnc) {
LOG_INFO("Sending Encryption Information");
SendL2capPacket(i, EncryptionInformationBuilder::Create(ltk));
LOG_INFO("Sending Central Identification");
SendL2capPacket(i, CentralIdentificationBuilder::Create(ediv, rand));
}
if (keys_i_send & KeyMaskId) {
LOG_INFO("Sending Identity Information");
SendL2capPacket(i, IdentityInformationBuilder::Create(irk));
LOG_INFO("Sending Identity Address Information");
SendL2capPacket(i, IdentityAddressInformationBuilder::Create(identity_addres_type, identity_address));
}
if (keys_i_send & KeyMaskSign) {
LOG_INFO("Sending Signing Information");
SendL2capPacket(i, SigningInformationBuilder::Create(signature_key));
}
}
} // namespace security
} // namespace bluetooth
|
