1 /******************************************************************************
2 *
3 * Copyright 2019 The Android Open Source Project
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18
19 #include "security/pairing_handler_le.h"
20
21 #include "os/rand.h"
22
23 namespace bluetooth {
24 namespace security {
25
GenerateOobData()26 MyOobData PairingHandlerLe::GenerateOobData() {
27 MyOobData data{};
28 std::tie(data.private_key, data.public_key) = GenerateECDHKeyPair();
29
30 data.r = bluetooth::os::GenerateRandom<16>();
31 data.c = crypto_toolbox::f4(data.public_key.x.data(), data.public_key.x.data(), data.r, 0);
32 return data;
33 }
34
PairingMain(InitialInformations i)35 void PairingHandlerLe::PairingMain(InitialInformations i) {
36 LOG_INFO("Pairing Started");
37
38 if (i.remotely_initiated) {
39 LOG_INFO("Was remotely initiated, presenting user with the accept prompt");
40 i.user_interface_handler->Post(common::BindOnce(&UI::DisplayPairingPrompt, common::Unretained(i.user_interface),
41 i.remote_connection_address, i.remote_name));
42
43 // If pairing was initiated by remote device, wait for the user to accept
44 // the request from the UI.
45 LOG_INFO("Waiting for the prompt response");
46 std::optional<PairingEvent> pairingAccepted = WaitUiPairingAccept();
47 if (!pairingAccepted || pairingAccepted->ui_value == 0) {
48 LOG_INFO("User either did not accept the remote pairing, or the prompt timed out");
49 // TODO: Uncomment this one once we find a way to attempt to send packet when the link is down
50 // SendL2capPacket(i, PairingFailedBuilder::Create(PairingFailedReason::UNSPECIFIED_REASON));
51 i.OnPairingFinished(PairingFailure("User either did not accept the remote pairing, or the prompt timed out"));
52 return;
53 }
54
55 LOG_INFO("Pairing prompt accepted");
56 }
57
58 /************************************************ PHASE 1 *********************************************************/
59 Phase1ResultOrFailure phase_1_result = ExchangePairingFeature(i);
60 if (std::holds_alternative<PairingFailure>(phase_1_result)) {
61 LOG_WARN("Pairing failed in phase 1");
62 // We already send pairing fialed in lower layer. Which one should do that ? how about disconneciton?
63 // SendL2capPacket(i, PairingFailedBuilder::Create(PairingFailedReason::UNSPECIFIED_REASON));
64 // TODO: disconnect?
65 i.OnPairingFinished(std::get<PairingFailure>(phase_1_result));
66 return;
67 }
68
69 auto [pairing_request, pairing_response] = std::get<Phase1Result>(phase_1_result);
70
71 uint8_t key_size =
72 std::min(pairing_request.GetMaximumEncryptionKeySize(), pairing_response.GetMaximumEncryptionKeySize());
73 if (key_size < 7 || key_size > 16) {
74 LOG_WARN("Resulting key size is bad %d", key_size);
75 SendL2capPacket(i, PairingFailedBuilder::Create(PairingFailedReason::ENCRYPTION_KEY_SIZE));
76 i.OnPairingFinished(PairingFailure("Resulting key size is bad", PairingFailedReason::ENCRYPTION_KEY_SIZE));
77 return;
78 }
79 if (key_size != 16) {
80 LOG_WARN("Resulting key size is less than 16 octets!");
81 }
82
83 /************************************************ PHASE 2 *********************************************************/
84 bool isSecureConnections = pairing_request.GetAuthReq() & pairing_response.GetAuthReq() & AuthReqMaskSc;
85 if (isSecureConnections) {
86 // 2.3.5.6 LE Secure Connections pairing phase 2
87 LOG_INFO("Pairing Phase 2 LE Secure connections Started");
88
89 /*
90 TODO: what to do with this piece of spec ?
91 If Secure Connections pairing has been initiated over BR/EDR, the
92 following fields of the SM Pairing Request PDU are reserved for future use:
93 • the IO Capability field,
94 • the OOB data flag field, and
95 • all bits in the Auth Req field except the CT2 bit.
96 */
97
98 OobDataFlag remote_have_oob_data =
99 IAmCentral(i) ? pairing_response.GetOobDataFlag() : pairing_request.GetOobDataFlag();
100
101 auto key_exchange_result = ExchangePublicKeys(i, remote_have_oob_data);
102 if (std::holds_alternative<PairingFailure>(key_exchange_result)) {
103 LOG_ERROR("Public key exchange failed");
104 i.OnPairingFinished(std::get<PairingFailure>(key_exchange_result));
105 return;
106 }
107 auto [PKa, PKb, dhkey] = std::get<KeyExchangeResult>(key_exchange_result);
108
109 // Public key exchange finished, Diffie-Hellman key computed.
110
111 Stage1ResultOrFailure stage1result = DoSecureConnectionsStage1(i, PKa, PKb, pairing_request, pairing_response);
112 if (std::holds_alternative<PairingFailure>(stage1result)) {
113 i.OnPairingFinished(std::get<PairingFailure>(stage1result));
114 return;
115 }
116
117 Stage2ResultOrFailure stage_2_result = DoSecureConnectionsStage2(i, PKa, PKb, pairing_request, pairing_response,
118 std::get<Stage1Result>(stage1result), dhkey);
119 if (std::holds_alternative<PairingFailure>(stage_2_result)) {
120 i.OnPairingFinished(std::get<PairingFailure>(stage_2_result));
121 return;
122 }
123
124 Octet16 ltk = std::get<Octet16>(stage_2_result);
125 // Mask the key
126 std::fill(ltk.begin() + key_size, ltk.end(), 0x00);
127
128 if (IAmCentral(i)) {
129 LOG_INFO("Sending start encryption request");
130 SendHciLeStartEncryption(i, i.connection_handle, {0}, {0}, ltk);
131 } else {
132 auto ltk_req = WaitLeLongTermKeyRequest();
133 SendHciLeLongTermKeyReply(i, i.connection_handle, ltk);
134 }
135 } else {
136 // 2.3.5.5 LE legacy pairing phase 2
137 LOG_INFO("Pairing Phase 2 LE legacy pairing Started");
138
139 LegacyStage1ResultOrFailure stage1result = DoLegacyStage1(i, pairing_request, pairing_response);
140 if (std::holds_alternative<PairingFailure>(stage1result)) {
141 LOG_ERROR("Phase 1 failed");
142 i.OnPairingFinished(std::get<PairingFailure>(stage1result));
143 return;
144 }
145
146 Octet16 tk = std::get<Octet16>(stage1result);
147 StkOrFailure stage2result = DoLegacyStage2(i, pairing_request, pairing_response, tk);
148 if (std::holds_alternative<PairingFailure>(stage2result)) {
149 LOG_ERROR("stage 2 failed");
150 i.OnPairingFinished(std::get<PairingFailure>(stage2result));
151 return;
152 }
153
154 Octet16 stk = std::get<Octet16>(stage2result);
155 // Mask the key
156 std::fill(stk.begin() + key_size, stk.end(), 0x00);
157 if (IAmCentral(i)) {
158 LOG_INFO("Sending start encryption request");
159 SendHciLeStartEncryption(i, i.connection_handle, {0}, {0}, stk);
160 } else {
161 auto ltk_req = WaitLeLongTermKeyRequest();
162 SendHciLeLongTermKeyReply(i, i.connection_handle, stk);
163 }
164 }
165
166 /************************************************ PHASE 3 *********************************************************/
167 LOG_INFO("Waiting for encryption changed");
168 auto encryption_change_result = WaitEncryptionChanged();
169 if (std::holds_alternative<PairingFailure>(encryption_change_result)) {
170 i.OnPairingFinished(std::get<PairingFailure>(encryption_change_result));
171 return;
172 } else if (std::holds_alternative<EncryptionChangeView>(encryption_change_result)) {
173 EncryptionChangeView encryption_changed = std::get<EncryptionChangeView>(encryption_change_result);
174 if (encryption_changed.GetStatus() != hci::ErrorCode::SUCCESS ||
175 encryption_changed.GetEncryptionEnabled() != hci::EncryptionEnabled::ON) {
176 i.OnPairingFinished(PairingFailure("Encryption change failed"));
177 return;
178 }
179 } else if (std::holds_alternative<EncryptionKeyRefreshCompleteView>(encryption_change_result)) {
180 EncryptionKeyRefreshCompleteView encryption_changed =
181 std::get<EncryptionKeyRefreshCompleteView>(encryption_change_result);
182 if (encryption_changed.GetStatus() != hci::ErrorCode::SUCCESS) {
183 i.OnPairingFinished(PairingFailure("Encryption key refresh failed"));
184 return;
185 }
186 } else {
187 i.OnPairingFinished(PairingFailure("Unknown case of encryption change result"));
188 return;
189 }
190 LOG_INFO("Encryption change finished successfully");
191
192 DistributedKeysOrFailure keyExchangeStatus = DistributeKeys(i, pairing_response, isSecureConnections);
193 if (std::holds_alternative<PairingFailure>(keyExchangeStatus)) {
194 i.OnPairingFinished(std::get<PairingFailure>(keyExchangeStatus));
195 LOG_ERROR("Key exchange failed");
196 return;
197 }
198
199 // If it's secure connections pairing, do cross-transport key derivation
200 DistributedKeys distributed_keys = std::get<DistributedKeys>(keyExchangeStatus);
201 if ((pairing_response.GetAuthReq() & AuthReqMaskSc) && distributed_keys.remote_ltk.has_value()) {
202 bool use_h7 = (pairing_response.GetAuthReq() & AuthReqMaskCt2);
203 Octet16 link_key = crypto_toolbox::ltk_to_link_key(*(distributed_keys.remote_ltk), use_h7);
204 distributed_keys.remote_link_key = link_key;
205 }
206
207 // bool bonding = pairing_request.GetAuthReq() & pairing_response.GetAuthReq() & AuthReqMaskBondingFlag;
208
209 i.OnPairingFinished(PairingResult{
210 .connection_address = i.remote_connection_address,
211 .distributed_keys = distributed_keys,
212 .key_size = key_size,
213 });
214
215 LOG_INFO("Pairing finished successfully.");
216 }
217
ExchangePairingFeature(const InitialInformations & i)218 Phase1ResultOrFailure PairingHandlerLe::ExchangePairingFeature(const InitialInformations& i) {
219 LOG_INFO("Phase 1 start");
220
221 if (IAmCentral(i)) {
222 // Send Pairing Request
223 const auto& x = i.myPairingCapabilities;
224 auto pairing_request_builder =
225 PairingRequestBuilder::Create(x.io_capability, x.oob_data_flag, x.auth_req, x.maximum_encryption_key_size,
226 x.initiator_key_distribution, x.responder_key_distribution);
227 // basically pairing_request = myPairingCapabilities;
228
229 // Convert builder to view
230 std::shared_ptr<std::vector<uint8_t>> packet_bytes = std::make_shared<std::vector<uint8_t>>();
231 BitInserter it(*packet_bytes);
232 pairing_request_builder->Serialize(it);
233 PacketView<kLittleEndian> packet_bytes_view(packet_bytes);
234 auto temp_cmd_view = CommandView::Create(packet_bytes_view);
235 auto pairing_request = PairingRequestView::Create(temp_cmd_view);
236 ASSERT(pairing_request.IsValid());
237
238 LOG_INFO("Sending Pairing Request");
239 SendL2capPacket(i, std::move(pairing_request_builder));
240
241 LOG_INFO("Waiting for Pairing Response");
242 auto response = WaitPairingResponse();
243
244 /* There is a potential collision where the peripheral initiates the pairing at the same time we initiate it, by
245 * sending security request. */
246 if (std::holds_alternative<PairingFailure>(response) &&
247 std::get<PairingFailure>(response).received_code_ == Code::SECURITY_REQUEST) {
248 LOG_INFO("Received security request, waiting for Pairing Response again...");
249 response = WaitPairingResponse();
250 }
251
252 if (std::holds_alternative<PairingFailure>(response)) {
253 // TODO: should the failure reason be different in some cases ? How about
254 // when we lost connection ? Don't send anything at all, or have L2CAP
255 // layer ignore it?
256 SendL2capPacket(i, PairingFailedBuilder::Create(PairingFailedReason::UNSPECIFIED_REASON));
257 return std::get<PairingFailure>(response);
258 }
259
260 auto pairing_response = std::get<PairingResponseView>(response);
261
262 LOG_INFO("Phase 1 finish");
263 return Phase1Result{pairing_request, pairing_response};
264 } else {
265 std::optional<PairingRequestView> pairing_request;
266
267 if (i.remotely_initiated) {
268 if (!i.pairing_request.has_value()) {
269 return PairingFailure("You must pass PairingRequest as a initial information to peripheral!");
270 }
271
272 pairing_request = i.pairing_request.value();
273
274 if (!pairing_request->IsValid()) return PairingFailure("Malformed PairingRequest");
275 } else {
276 SendL2capPacket(i, SecurityRequestBuilder::Create(i.myPairingCapabilities.auth_req));
277
278 LOG_INFO("Waiting for Pairing Request");
279 auto request = WaitPairingRequest();
280 if (std::holds_alternative<PairingFailure>(request)) {
281 LOG_INFO("%s", std::get<PairingFailure>(request).message.c_str());
282 SendL2capPacket(i, PairingFailedBuilder::Create(PairingFailedReason::UNSPECIFIED_REASON));
283 return std::get<PairingFailure>(request);
284 }
285
286 pairing_request = std::get<PairingRequestView>(request);
287 }
288
289 uint8_t key_size = pairing_request->GetMaximumEncryptionKeySize();
290 if (key_size < 7 || key_size > 16) {
291 LOG_WARN("Resulting key size is bad %d", key_size);
292 SendL2capPacket(i, PairingFailedBuilder::Create(PairingFailedReason::ENCRYPTION_KEY_SIZE));
293 return PairingFailure("Resulting key size is bad", PairingFailedReason::ENCRYPTION_KEY_SIZE);
294 }
295
296 // Send Pairing Request
297 const auto& x = i.myPairingCapabilities;
298 // basically pairing_response_builder = my_first_packet;
299 // We are not allowed to enable bits that the remote did not allow us to set in initiator_key_dist and
300 // responder_key_distribution
301 auto pairing_response_builder =
302 PairingResponseBuilder::Create(x.io_capability, x.oob_data_flag, x.auth_req, x.maximum_encryption_key_size,
303 x.initiator_key_distribution & pairing_request->GetInitiatorKeyDistribution(),
304 x.responder_key_distribution & pairing_request->GetResponderKeyDistribution());
305
306 // Convert builder to view
307 std::shared_ptr<std::vector<uint8_t>> packet_bytes = std::make_shared<std::vector<uint8_t>>();
308 BitInserter it(*packet_bytes);
309 pairing_response_builder->Serialize(it);
310 PacketView<kLittleEndian> packet_bytes_view(packet_bytes);
311 auto temp_cmd_view = CommandView::Create(packet_bytes_view);
312 auto pairing_response = PairingResponseView::Create(temp_cmd_view);
313 ASSERT(pairing_response.IsValid());
314
315 LOG_INFO("Sending Pairing Response");
316 SendL2capPacket(i, std::move(pairing_response_builder));
317
318 LOG_INFO("Phase 1 finish");
319 return Phase1Result{pairing_request.value(), pairing_response};
320 }
321 }
322
DistributeKeys(const InitialInformations & i,const PairingResponseView & pairing_response,bool isSecureConnections)323 DistributedKeysOrFailure PairingHandlerLe::DistributeKeys(const InitialInformations& i,
324 const PairingResponseView& pairing_response,
325 bool isSecureConnections) {
326 uint8_t keys_i_receive =
327 IAmCentral(i) ? pairing_response.GetResponderKeyDistribution() : pairing_response.GetInitiatorKeyDistribution();
328 uint8_t keys_i_send =
329 IAmCentral(i) ? pairing_response.GetInitiatorKeyDistribution() : pairing_response.GetResponderKeyDistribution();
330
331 // In Secure Connections on the LE Transport, the EncKey field shall be ignored
332 if (isSecureConnections) {
333 keys_i_send = (~KeyMaskEnc) & keys_i_send;
334 keys_i_receive = (~KeyMaskEnc) & keys_i_receive;
335 }
336
337 LOG_INFO("Key distribution start, keys_i_send=0x%02x, keys_i_receive=0x%02x", keys_i_send, keys_i_receive);
338
339 // TODO: obtain actual values, and apply key_size to the LTK
340 Octet16 my_ltk = bluetooth::os::GenerateRandom<16>();
341 uint16_t my_ediv = bluetooth::os::GenerateRandom();
342 std::array<uint8_t, 8> my_rand = bluetooth::os::GenerateRandom<8>();
343
344 Octet16 my_irk = i.my_identity_resolving_key;
345 Address my_identity_address = i.my_identity_address.GetAddress();
346 AddrType my_identity_address_type =
347 static_cast<bluetooth::security::AddrType>(i.my_identity_address.GetAddressType());
348 Octet16 my_signature_key{0};
349
350 if (IAmCentral(i)) {
351 // EncKey is unused for LE Secure Connections
352 DistributedKeysOrFailure keys = ReceiveKeys(keys_i_receive);
353 if (std::holds_alternative<PairingFailure>(keys)) {
354 return keys;
355 }
356
357 SendKeys(i, keys_i_send, my_ltk, my_ediv, my_rand, my_irk, my_identity_address, my_identity_address_type,
358 my_signature_key);
359
360 std::get<DistributedKeys>(keys).local_ltk = my_ltk;
361 std::get<DistributedKeys>(keys).local_ediv = my_ediv;
362 std::get<DistributedKeys>(keys).local_rand = my_rand;
363 LOG_INFO("Key distribution finish");
364 return keys;
365 } else {
366 SendKeys(i, keys_i_send, my_ltk, my_ediv, my_rand, my_irk, my_identity_address, my_identity_address_type,
367 my_signature_key);
368
369 DistributedKeysOrFailure keys = ReceiveKeys(keys_i_receive);
370 if (std::holds_alternative<PairingFailure>(keys)) {
371 return keys;
372 }
373
374 std::get<DistributedKeys>(keys).local_ltk = my_ltk;
375 std::get<DistributedKeys>(keys).local_ediv = my_ediv;
376 std::get<DistributedKeys>(keys).local_rand = my_rand;
377 LOG_INFO("Key distribution finish");
378 return keys;
379 }
380 }
381
ReceiveKeys(const uint8_t & keys_i_receive)382 DistributedKeysOrFailure PairingHandlerLe::ReceiveKeys(const uint8_t& keys_i_receive) {
383 std::optional<Octet16> ltk; /* Legacy only */
384 std::optional<uint16_t> ediv; /* Legacy only */
385 std::optional<std::array<uint8_t, 8>> rand; /* Legacy only */
386 std::optional<hci::AddressWithType> identity_address;
387 std::optional<Octet16> irk;
388 std::optional<Octet16> signature_key;
389
390 if (keys_i_receive & KeyMaskEnc) {
391 {
392 auto packet = WaitEncryptionInformation();
393 if (std::holds_alternative<PairingFailure>(packet)) {
394 LOG_ERROR(" Was expecting Encryption Information but did not receive!");
395 return std::get<PairingFailure>(packet);
396 }
397 ltk = std::get<EncryptionInformationView>(packet).GetLongTermKey();
398 }
399
400 {
401 auto packet = WaitCentralIdentification();
402 if (std::holds_alternative<PairingFailure>(packet)) {
403 LOG_ERROR(" Was expecting Central Identification but did not receive!");
404 return std::get<PairingFailure>(packet);
405 }
406 ediv = std::get<CentralIdentificationView>(packet).GetEdiv();
407 rand = std::get<CentralIdentificationView>(packet).GetRand();
408 }
409 }
410
411 if (keys_i_receive & KeyMaskId) {
412 auto packet = WaitIdentityInformation();
413 if (std::holds_alternative<PairingFailure>(packet)) {
414 LOG_ERROR(" Was expecting Identity Information but did not receive!");
415 return std::get<PairingFailure>(packet);
416 }
417
418 LOG_INFO("Received Identity Information");
419 irk = std::get<IdentityInformationView>(packet).GetIdentityResolvingKey();
420
421 auto iapacket = WaitIdentityAddressInformation();
422 if (std::holds_alternative<PairingFailure>(iapacket)) {
423 LOG_ERROR(
424 "Was expecting Identity Address Information but did "
425 "not receive!");
426 return std::get<PairingFailure>(iapacket);
427 }
428 LOG_INFO("Received Identity Address Information");
429 auto iapacketview = std::get<IdentityAddressInformationView>(iapacket);
430 identity_address = hci::AddressWithType(iapacketview.GetBdAddr(), iapacketview.GetAddrType() == AddrType::PUBLIC
431 ? hci::AddressType::PUBLIC_DEVICE_ADDRESS
432 : hci::AddressType::RANDOM_DEVICE_ADDRESS);
433 }
434
435 if (keys_i_receive & KeyMaskSign) {
436 auto packet = WaitSigningInformation();
437 if (std::holds_alternative<PairingFailure>(packet)) {
438 LOG_ERROR(" Was expecting Signing Information but did not receive!");
439 return std::get<PairingFailure>(packet);
440 }
441
442 LOG_INFO("Received Signing Information");
443 signature_key = std::get<SigningInformationView>(packet).GetSignatureKey();
444 }
445
446 return DistributedKeys{.remote_ltk = ltk,
447 .remote_ediv = ediv,
448 .remote_rand = rand,
449 .remote_identity_address = identity_address,
450 .remote_irk = irk,
451 .remote_signature_key = signature_key};
452 }
453
SendKeys(const InitialInformations & i,const uint8_t & keys_i_send,Octet16 ltk,uint16_t ediv,std::array<uint8_t,8> rand,Octet16 irk,Address identity_address,AddrType identity_addres_type,Octet16 signature_key)454 void PairingHandlerLe::SendKeys(const InitialInformations& i, const uint8_t& keys_i_send, Octet16 ltk, uint16_t ediv,
455 std::array<uint8_t, 8> rand, Octet16 irk, Address identity_address,
456 AddrType identity_addres_type, Octet16 signature_key) {
457 if (keys_i_send & KeyMaskEnc) {
458 LOG_INFO("Sending Encryption Information");
459 SendL2capPacket(i, EncryptionInformationBuilder::Create(ltk));
460 LOG_INFO("Sending Central Identification");
461 SendL2capPacket(i, CentralIdentificationBuilder::Create(ediv, rand));
462 }
463
464 if (keys_i_send & KeyMaskId) {
465 LOG_INFO("Sending Identity Information");
466 SendL2capPacket(i, IdentityInformationBuilder::Create(irk));
467 LOG_INFO("Sending Identity Address Information");
468 SendL2capPacket(i, IdentityAddressInformationBuilder::Create(identity_addres_type, identity_address));
469 }
470
471 if (keys_i_send & KeyMaskSign) {
472 LOG_INFO("Sending Signing Information");
473 SendL2capPacket(i, SigningInformationBuilder::Create(signature_key));
474 }
475 }
476
477 } // namespace security
478 } // namespace bluetooth