1 // Copyright 2023 The Pigweed Authors
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License"); you may not
4 // use this file except in compliance with the License. You may obtain a copy of
5 // the License at
6 //
7 // https://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
11 // WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
12 // License for the specific language governing permissions and limitations under
13 // the License.
14
15 #include "pw_bluetooth_sapphire/internal/host/sm/security_manager.h"
16
17 #include <memory>
18 #include <optional>
19 #include <type_traits>
20 #include <utility>
21 #include <variant>
22
23 #include "lib/fit/function.h"
24 #include "pw_bluetooth_sapphire/internal/host/common/assert.h"
25 #include "pw_bluetooth_sapphire/internal/host/common/byte_buffer.h"
26 #include "pw_bluetooth_sapphire/internal/host/common/device_address.h"
27 #include "pw_bluetooth_sapphire/internal/host/common/log.h"
28 #include "pw_bluetooth_sapphire/internal/host/common/random.h"
29 #include "pw_bluetooth_sapphire/internal/host/common/uint128.h"
30 #include "pw_bluetooth_sapphire/internal/host/gap/gap.h"
31 #include "pw_bluetooth_sapphire/internal/host/hci-spec/link_key.h"
32 #include "pw_bluetooth_sapphire/internal/host/hci/low_energy_connection.h"
33 #include "pw_bluetooth_sapphire/internal/host/sm/error.h"
34 #include "pw_bluetooth_sapphire/internal/host/sm/packet.h"
35 #include "pw_bluetooth_sapphire/internal/host/sm/phase_2_secure_connections.h"
36 #include "pw_bluetooth_sapphire/internal/host/sm/security_request_phase.h"
37 #include "pw_bluetooth_sapphire/internal/host/sm/smp.h"
38 #include "pw_bluetooth_sapphire/internal/host/sm/types.h"
39 #include "pw_bluetooth_sapphire/internal/host/sm/util.h"
40 #include "pw_bluetooth_sapphire/internal/host/transport/error.h"
41
42 namespace bt::sm {
43
44 namespace {
45
FeaturesToProperties(const PairingFeatures & features)46 SecurityProperties FeaturesToProperties(const PairingFeatures& features) {
47 return SecurityProperties(features.method == PairingMethod::kJustWorks
48 ? SecurityLevel::kEncrypted
49 : SecurityLevel::kAuthenticated,
50 features.encryption_key_size,
51 features.secure_connections);
52 }
53 } // namespace
54
55 class SecurityManagerImpl final : public SecurityManager,
56 public PairingPhase::Listener,
57 public PairingChannel::Handler {
58 public:
59 ~SecurityManagerImpl() override;
60 SecurityManagerImpl(hci::LowEnergyConnection::WeakPtr link,
61 l2cap::Channel::WeakPtr smp,
62 IOCapability io_capability,
63 Delegate::WeakPtr delegate,
64 BondableMode bondable_mode,
65 gap::LESecurityMode security_mode,
66 pw::async::Dispatcher& dispatcher);
67 // SecurityManager overrides:
68 bool AssignLongTermKey(const LTK& ltk) override;
69 void UpgradeSecurity(SecurityLevel level, PairingCallback callback) override;
70 void Reset(IOCapability io_capability) override;
71 void Abort(ErrorCode ecode) override;
72
73 private:
74 // Represents a pending request to update the security level.
75 struct PendingRequest {
76 PendingRequest(SecurityLevel level, PairingCallback callback);
77 PendingRequest(PendingRequest&&) = default;
78 PendingRequest& operator=(PendingRequest&&) = default;
79
80 SecurityLevel level;
81 PairingCallback callback;
82 };
83
84 // Called when we receive a peer security request as initiator, will start
85 // Phase 1.
86 void OnSecurityRequest(AuthReqField auth_req);
87
88 // Called when we receive a peer pairing request as responder, will start
89 // Phase 1.
90 void OnPairingRequest(const PairingRequestParams& req_params);
91
92 // Pulls the next PendingRequest off |request_queue_| and starts a security
93 // upgrade to that |level| by either sending a Pairing Request as initiator or
94 // a Security Request as responder.
95 void UpgradeSecurityInternal();
96
97 // Creates the pairing phase responsible for sending the security upgrade
98 // request to the peer (a PairingRequest if we are initiator, otherwise a
99 // SecurityRequest). Returns fit::error(ErrorCode::
100 // kAuthenticationRequirements) if the local IOCapabilities are insufficient
101 // for SecurityLevel, otherwise returns fit::ok().
102 [[nodiscard]] fit::result<ErrorCode> RequestSecurityUpgrade(
103 SecurityLevel level);
104
105 // Called when the feature exchange (Phase 1) completes and the relevant
106 // features of both sides have been resolved into `features`. `preq` and
107 // `pres` need to be retained for cryptographic calculations in Phase 2.
108 // Causes a state transition from Phase 1 to Phase 2
109 void OnFeatureExchange(PairingFeatures features,
110 PairingRequestParams preq,
111 PairingResponseParams pres);
112
113 // Called when Phase 2 generates an encryption key, so the link can be
114 // encrypted with it.
115 void OnPhase2EncryptionKey(const UInt128& new_key);
116
117 // Check if encryption using `current_ltk` will satisfy the current security
118 // requirements.
119 static bool CurrentLtkInsufficientlySecureForEncryption(
120 std::optional<LTK> current_ltk,
121 SecurityRequestPhase* security_request_phase,
122 gap::LESecurityMode mode);
123
124 // Called when the encryption state of the LE link changes.
125 void OnEncryptionChange(hci::Result<bool> enabled_result);
126
127 // Called when the link is encrypted at the end of pairing Phase 2.
128 void EndPhase2();
129
130 // Cleans up pairing state, updates the current security level, and notifies
131 // parties that requested security of the link's updated security properties.
132 void OnPairingComplete(PairingData data);
133
134 // After a call to UpgradeSecurity results in an increase of the link security
135 // level (through pairing completion or SMP Security Requested encryption),
136 // this method notifies all the callbacks associated with SecurityUpgrade
137 // requests.
138 void NotifySecurityCallbacks();
139
140 // Assign the current security properties and notify the delegate of the
141 // change.
142 void SetSecurityProperties(const SecurityProperties& sec);
143
144 // Directly assigns the current |ltk_| and the underlying |le_link_|'s link
145 // key. This function does not initiate link layer encryption and can be
146 // called during and outside of pairing.
147 void OnNewLongTermKey(const LTK& ltk);
148
149 // PairingPhase::Listener overrides:
150 void OnPairingFailed(Error error) override;
151 std::optional<IdentityInfo> OnIdentityRequest() override;
152 void ConfirmPairing(ConfirmCallback confirm) override;
153 void DisplayPasskey(uint32_t passkey,
154 Delegate::DisplayMethod method,
155 ConfirmCallback cb) override;
156 void RequestPasskey(PasskeyResponseCallback respond) override;
157
158 // PairingChannel::Handler overrides. SecurityManagerImpl is only the fallback
159 // handler, meaning these methods are only called by PairingChannel when no
160 // security upgrade is in progress:
161 void OnRxBFrame(ByteBufferPtr sdu) override;
162 void OnChannelClosed() override;
163
164 // Starts the SMP timer. Stops and cancels any in-progress timers.
165 void StartNewTimer();
166 // Stops and resets the SMP Pairing Timer.
167 void StopTimer();
168 // Called when the pairing timer expires, forcing the pairing process to stop
169 void OnPairingTimeout();
170
171 // Returns a std::pair<InitiatorAddress, ResponderAddress>. Will assert if
172 // called outside active pairing or before Phase 1 is complete.
173 std::pair<DeviceAddress, DeviceAddress> LEPairingAddresses();
174
175 // Puts the class into a non-pairing state.
176 void ResetState();
177
178 // Returns true if the pairing state machine is currently in Phase 2 of
179 // pairing.
InPhase2() const180 bool InPhase2() const {
181 return std::holds_alternative<Phase2Legacy>(current_phase_) ||
182 std::holds_alternative<Phase2SecureConnections>(current_phase_);
183 }
184
SecurityUpgradeInProgress() const185 bool SecurityUpgradeInProgress() const {
186 return !std::holds_alternative<std::monostate>(current_phase_);
187 }
188
189 // Validates that both SM and the link have stored LTKs, and that these values
190 // match. Disconnects the link if it finds an issue. Should only be called
191 // when an LTK is expected to exist.
192 Result<> ValidateExistingLocalLtk();
193
194 pw::async::Dispatcher& pw_dispatcher_;
195
196 // The ID that will be assigned to the next pairing operation.
197 PairingProcedureId next_pairing_id_;
198
199 // The higher-level class acting as a delegate for operations outside of SMP.
200 Delegate::WeakPtr delegate_;
201
202 // Data for the currently registered LE-U link, if any.
203 hci::LowEnergyConnection::WeakPtr le_link_;
204
205 // The IO capabilities of the device
206 IOCapability io_cap_;
207
208 // The current LTK assigned to this connection. This can be assigned directly
209 // by calling AssignLongTermKey() or as a result of a pairing procedure.
210 std::optional<LTK> ltk_;
211
212 // If a pairing is in progress and Phase 1 (feature exchange) has completed,
213 // this will store the result of that feature exchange. Otherwise, this will
214 // be std::nullopt.
215 std::optional<PairingFeatures> features_;
216
217 // The pending security requests added via UpgradeSecurity().
218 std::queue<PendingRequest> request_queue_;
219
220 // Fixed SMP Channel used to send/receive packets
221 std::unique_ptr<PairingChannel> sm_chan_;
222
223 // The role of the local device in pairing.
224 Role role_;
225
226 SmartTask timeout_task_{pw_dispatcher_};
227
228 // The presence of a particular phase in this variant indicates that a
229 // security upgrade is in progress at the stored phase. No security upgrade is
230 // in progress if std::monostate is present.
231 std::variant<std::monostate,
232 SecurityRequestPhase,
233 std::unique_ptr<Phase1>,
234 Phase2Legacy,
235 Phase2SecureConnections,
236 Phase3>
237 current_phase_;
238
239 WeakSelf<SecurityManagerImpl> weak_self_;
240 WeakSelf<PairingPhase::Listener> weak_listener_;
241 WeakSelf<PairingChannel::Handler> weak_handler_;
242
243 BT_DISALLOW_COPY_AND_ASSIGN_ALLOW_MOVE(SecurityManagerImpl);
244 };
245
PendingRequest(SecurityLevel level,PairingCallback callback)246 SecurityManagerImpl::PendingRequest::PendingRequest(SecurityLevel level,
247 PairingCallback callback)
248 : level(level), callback(std::move(callback)) {}
249
~SecurityManagerImpl()250 SecurityManagerImpl::~SecurityManagerImpl() {
251 if (le_link_.is_alive()) {
252 le_link_->set_encryption_change_callback({});
253 }
254 }
255
SecurityManagerImpl(hci::LowEnergyConnection::WeakPtr link,l2cap::Channel::WeakPtr smp,IOCapability io_capability,Delegate::WeakPtr delegate,BondableMode bondable_mode,gap::LESecurityMode security_mode,pw::async::Dispatcher & dispatcher)256 SecurityManagerImpl::SecurityManagerImpl(hci::LowEnergyConnection::WeakPtr link,
257 l2cap::Channel::WeakPtr smp,
258 IOCapability io_capability,
259 Delegate::WeakPtr delegate,
260 BondableMode bondable_mode,
261 gap::LESecurityMode security_mode,
262 pw::async::Dispatcher& dispatcher)
263 : SecurityManager(bondable_mode, security_mode),
264 pw_dispatcher_(dispatcher),
265 next_pairing_id_(0),
266 delegate_(std::move(delegate)),
267 le_link_(std::move(link)),
268 io_cap_(io_capability),
269 sm_chan_(std::make_unique<PairingChannel>(
270 smp, fit::bind_member<&SecurityManagerImpl::StartNewTimer>(this))),
271 role_(le_link_->role() == pw::bluetooth::emboss::ConnectionRole::CENTRAL
272 ? Role::kInitiator
273 : Role::kResponder),
274 weak_self_(this),
275 weak_listener_(this),
276 weak_handler_(this) {
277 BT_ASSERT(delegate_.is_alive());
278 BT_ASSERT(le_link_.is_alive());
279 BT_ASSERT(smp.is_alive());
280 BT_ASSERT(le_link_->handle() == smp->link_handle());
281 BT_ASSERT(smp->id() == l2cap::kLESMPChannelId);
282 // `current_phase_` is default constructed into std::monostate in the
283 // initializer list as no security upgrade is in progress upon construction.
284
285 // Set up HCI encryption event.
286 le_link_->set_encryption_change_callback(
287 fit::bind_member<&SecurityManagerImpl::OnEncryptionChange>(this));
288 sm_chan_->SetChannelHandler(weak_handler_.GetWeakPtr());
289
290 timeout_task_.set_function(
291 [this](pw::async::Context /*ctx*/, pw::Status status) {
292 if (status.ok()) {
293 OnPairingTimeout();
294 }
295 });
296 }
297
OnSecurityRequest(AuthReqField auth_req)298 void SecurityManagerImpl::OnSecurityRequest(AuthReqField auth_req) {
299 BT_ASSERT(!SecurityUpgradeInProgress());
300
301 if (role_ != Role::kInitiator) {
302 bt_log(
303 INFO,
304 "sm",
305 "Received spurious Security Request while not acting as SM initiator");
306 sm_chan_->SendMessageNoTimerReset(kPairingFailed,
307 ErrorCode::kCommandNotSupported);
308 return;
309 }
310
311 SecurityLevel requested_level;
312 // inclusive-language: ignore
313 if (auth_req & AuthReq::kMITM) {
314 requested_level = SecurityLevel::kAuthenticated;
315 } else {
316 requested_level = SecurityLevel::kEncrypted;
317 }
318
319 // If we already have a LTK and its security properties satisfy the request,
320 // then we start link layer encryption (which will either encrypt the link or
321 // perform a key refresh). See Vol 3, Part H, Figure 2.7 for the algorithm.
322 if (ltk_ && (ltk_->security().level() >= requested_level) &&
323 (!(auth_req & AuthReq::kSC) || ltk_->security().secure_connections())) {
324 if (bt_is_error(
325 ValidateExistingLocalLtk(),
326 ERROR,
327 "sm",
328 "disconnecting link as it cannot be encrypted with LTK status")) {
329 return;
330 }
331 le_link_->StartEncryption();
332 return;
333 }
334 // V5.1 Vol. 3 Part H Section 3.4: "Upon [...] reception of the Security
335 // Request command, the Security Manager Timer shall be [...] restarted."
336 StartNewTimer();
337 if (fit::result result = RequestSecurityUpgrade(requested_level);
338 result.is_error()) {
339 // Per v5.3 Vol. 3 Part H 2.4.6, "When a Central receives a Security Request
340 // command it may
341 // [...] reject the request.", which we do here as we know we are unable to
342 // fulfill it.
343 sm_chan_->SendMessageNoTimerReset(kPairingFailed, result.error_value());
344 // If we fail to start pairing, we need to stop the timer.
345 StopTimer();
346 }
347 }
348
UpgradeSecurity(SecurityLevel level,PairingCallback callback)349 void SecurityManagerImpl::UpgradeSecurity(SecurityLevel level,
350 PairingCallback callback) {
351 if (SecurityUpgradeInProgress()) {
352 bt_log(TRACE,
353 "sm",
354 "LE security upgrade in progress; request for %s security queued",
355 LevelToString(level));
356 request_queue_.emplace(level, std::move(callback));
357 return;
358 }
359
360 if (level <= security().level()) {
361 callback(fit::ok(), security());
362 return;
363 }
364
365 // Secure Connections only mode only permits Secure Connections authenticated
366 // pairing with a 128- bit encryption key, so we force all security upgrade
367 // requests to that level.
368 if (security_mode() == gap::LESecurityMode::SecureConnectionsOnly) {
369 level = SecurityLevel::kSecureAuthenticated;
370 }
371
372 // |request_queue| must be empty if there is no active security upgrade
373 // request, which is equivalent to being in idle phase with no pending
374 // security request.
375 BT_ASSERT(request_queue_.empty());
376 request_queue_.emplace(level, std::move(callback));
377 UpgradeSecurityInternal();
378 }
379
OnPairingRequest(const PairingRequestParams & req_params)380 void SecurityManagerImpl::OnPairingRequest(
381 const PairingRequestParams& req_params) {
382 // Only the initiator may send the Pairing Request (V5.0 Vol. 3 Part H 3.5.1).
383 if (role_ != Role::kResponder) {
384 bt_log(INFO, "sm", "rejecting \"Pairing Request\" as initiator");
385 sm_chan_->SendMessageNoTimerReset(kPairingFailed,
386 ErrorCode::kCommandNotSupported);
387 return;
388 }
389 // V5.1 Vol. 3 Part H Section 3.4: "Upon [...] reception of the Pairing
390 // Request command, the Security Manager Timer shall be reset and started."
391 StartNewTimer();
392
393 // We only require authentication as Responder if there is a pending Security
394 // Request for it.
395 SecurityRequestPhase* security_req_phase =
396 std::get_if<SecurityRequestPhase>(¤t_phase_);
397 auto required_level = security_req_phase
398 ? security_req_phase->pending_security_request()
399 : SecurityLevel::kEncrypted;
400
401 // Secure Connections only mode only permits Secure Connections authenticated
402 // pairing with a 128- bit encryption key, so we force all security upgrade
403 // requests to that level.
404 if (security_mode() == gap::LESecurityMode::SecureConnectionsOnly) {
405 required_level = SecurityLevel::kSecureAuthenticated;
406 }
407
408 current_phase_ = Phase1::CreatePhase1Responder(
409 sm_chan_->GetWeakPtr(),
410 weak_listener_.GetWeakPtr(),
411 req_params,
412 io_cap_,
413 bondable_mode(),
414 required_level,
415 fit::bind_member<&SecurityManagerImpl::OnFeatureExchange>(this));
416 std::get<std::unique_ptr<Phase1>>(current_phase_)->Start();
417 }
418
UpgradeSecurityInternal()419 void SecurityManagerImpl::UpgradeSecurityInternal() {
420 BT_ASSERT_MSG(
421 !SecurityUpgradeInProgress(),
422 "cannot upgrade security while security upgrade already in progress!");
423 const PendingRequest& next_req = request_queue_.front();
424 if (fit::result result = RequestSecurityUpgrade(next_req.level);
425 result.is_error()) {
426 next_req.callback(ToResult(result.error_value()), security());
427 request_queue_.pop();
428 if (!request_queue_.empty()) {
429 UpgradeSecurityInternal();
430 }
431 }
432 }
433
RequestSecurityUpgrade(SecurityLevel level)434 fit::result<ErrorCode> SecurityManagerImpl::RequestSecurityUpgrade(
435 SecurityLevel level) {
436 if (level >= SecurityLevel::kAuthenticated &&
437 io_cap_ == IOCapability::kNoInputNoOutput) {
438 bt_log(WARN,
439 "sm",
440 "cannot fulfill authenticated security request as IOCapabilities "
441 "are NoInputNoOutput");
442 return fit::error(ErrorCode::kAuthenticationRequirements);
443 }
444
445 if (role_ == Role::kInitiator) {
446 current_phase_ = Phase1::CreatePhase1Initiator(
447 sm_chan_->GetWeakPtr(),
448 weak_listener_.GetWeakPtr(),
449 io_cap_,
450 bondable_mode(),
451 level,
452 fit::bind_member<&SecurityManagerImpl::OnFeatureExchange>(this));
453 std::get<std::unique_ptr<Phase1>>(current_phase_)->Start();
454 } else {
455 current_phase_.emplace<SecurityRequestPhase>(
456 sm_chan_->GetWeakPtr(),
457 weak_listener_.GetWeakPtr(),
458 level,
459 bondable_mode(),
460 fit::bind_member<&SecurityManagerImpl::OnPairingRequest>(this));
461 std::get<SecurityRequestPhase>(current_phase_).Start();
462 }
463 return fit::ok();
464 }
465
OnFeatureExchange(PairingFeatures features,PairingRequestParams preq,PairingResponseParams pres)466 void SecurityManagerImpl::OnFeatureExchange(PairingFeatures features,
467 PairingRequestParams preq,
468 PairingResponseParams pres) {
469 BT_ASSERT(std::holds_alternative<std::unique_ptr<Phase1>>(current_phase_));
470 bt_log(TRACE, "sm", "obtained LE Pairing features");
471 next_pairing_id_++;
472 features_ = features;
473
474 const auto [initiator_addr, responder_addr] = LEPairingAddresses();
475 auto self = weak_listener_.GetWeakPtr();
476 if (!features.secure_connections) {
477 auto preq_pdu = util::NewPdu(sizeof(PairingRequestParams)),
478 pres_pdu = util::NewPdu(sizeof(PairingResponseParams));
479 PacketWriter preq_writer(kPairingRequest, preq_pdu.get()),
480 pres_writer(kPairingResponse, pres_pdu.get());
481 *preq_writer.mutable_payload<PairingRequestParams>() = preq;
482 *pres_writer.mutable_payload<PairingRequestParams>() = pres;
483 current_phase_.emplace<Phase2Legacy>(
484 sm_chan_->GetWeakPtr(),
485 self,
486 role_,
487 features,
488 *preq_pdu,
489 *pres_pdu,
490 initiator_addr,
491 responder_addr,
492 fit::bind_member<&SecurityManagerImpl::OnPhase2EncryptionKey>(this));
493 std::get<Phase2Legacy>(current_phase_).Start();
494 } else {
495 current_phase_.emplace<Phase2SecureConnections>(
496 sm_chan_->GetWeakPtr(),
497 self,
498 role_,
499 features,
500 preq,
501 pres,
502 initiator_addr,
503 responder_addr,
504 fit::bind_member<&SecurityManagerImpl::OnPhase2EncryptionKey>(this));
505 std::get<Phase2SecureConnections>(current_phase_).Start();
506 }
507 }
508
OnPhase2EncryptionKey(const UInt128 & new_key)509 void SecurityManagerImpl::OnPhase2EncryptionKey(const UInt128& new_key) {
510 BT_ASSERT(le_link_.is_alive());
511 BT_ASSERT(features_);
512 BT_ASSERT(InPhase2());
513 // EDiv and Rand values are 0 for Phase 2 keys generated by Legacy or Secure
514 // Connections (Vol 3, Part H, 2.4.4 / 2.4.4.1). Secure Connections generates
515 // an LTK, while Legacy generates an STK.
516 auto new_link_key = hci_spec::LinkKey(new_key, 0, 0);
517
518 if (features_->secure_connections) {
519 OnNewLongTermKey(LTK(FeaturesToProperties(*features_), new_link_key));
520 } else {
521 // `set_le_ltk` sets the encryption key of the LE link (which is the STK for
522 // Legacy), not the long-term key that results from pairing (which is
523 // generated in Phase 3 for Legacy).
524 le_link_->set_ltk(new_link_key);
525 }
526 // If we're the initiator, we encrypt the link. If we're the responder, we
527 // wait for the initiator to encrypt the link with the new key.|le_link_| will
528 // respond to the HCI "LTK request" event with the `new_link_key` assigned
529 // above, which should trigger OnEncryptionChange.
530 if (role_ == Role::kInitiator) {
531 if (!le_link_->StartEncryption()) {
532 bt_log(ERROR, "sm", "failed to start encryption");
533 Abort(ErrorCode::kUnspecifiedReason);
534 }
535 }
536 }
537
CurrentLtkInsufficientlySecureForEncryption(std::optional<LTK> current_ltk,SecurityRequestPhase * security_request_phase,gap::LESecurityMode mode)538 bool SecurityManagerImpl::CurrentLtkInsufficientlySecureForEncryption(
539 std::optional<LTK> current_ltk,
540 SecurityRequestPhase* security_request_phase,
541 gap::LESecurityMode mode) {
542 SecurityLevel current_ltk_sec = current_ltk ? current_ltk->security().level()
543 : SecurityLevel::kNoSecurity;
544 return (security_request_phase &&
545 security_request_phase->pending_security_request() >
546 current_ltk_sec) ||
547 (mode == gap::LESecurityMode::SecureConnectionsOnly &&
548 current_ltk_sec != SecurityLevel::kSecureAuthenticated);
549 }
550
OnEncryptionChange(hci::Result<bool> enabled_result)551 void SecurityManagerImpl::OnEncryptionChange(hci::Result<bool> enabled_result) {
552 // First notify the delegate in case of failure.
553 if (bt_is_error(
554 enabled_result, ERROR, "sm", "link layer authentication failed")) {
555 BT_ASSERT(delegate_.is_alive());
556 delegate_->OnAuthenticationFailure(
557 fit::error(enabled_result.error_value()));
558 }
559
560 if (enabled_result.is_error() || !enabled_result.value()) {
561 bt_log(WARN,
562 "sm",
563 "encryption of link (handle: %#.4x) %s%s!",
564 le_link_->handle(),
565 enabled_result.is_error()
566 ? bt_lib_cpp_string::StringPrintf("failed with %s",
567 bt_str(enabled_result))
568 .c_str()
569 : "disabled",
570 SecurityUpgradeInProgress() ? "" : " during security upgrade");
571 SetSecurityProperties(sm::SecurityProperties());
572 if (SecurityUpgradeInProgress()) {
573 Abort(ErrorCode::kUnspecifiedReason);
574 }
575 return;
576 }
577
578 SecurityRequestPhase* security_request_phase =
579 std::get_if<SecurityRequestPhase>(¤t_phase_);
580 if (CurrentLtkInsufficientlySecureForEncryption(
581 ltk_, security_request_phase, security_mode())) {
582 bt_log(WARN,
583 "sm",
584 "peer encrypted link with insufficiently secure key, disconnecting");
585 delegate_->OnAuthenticationFailure(
586 ToResult(HostError::kInsufficientSecurity));
587 sm_chan_->SignalLinkError();
588 return;
589 }
590
591 if (!SecurityUpgradeInProgress() || security_request_phase) {
592 bt_log(DEBUG, "sm", "encryption enabled while not pairing");
593 if (bt_is_error(
594 ValidateExistingLocalLtk(),
595 ERROR,
596 "sm",
597 "disconnecting link as it cannot be encrypted with LTK status")) {
598 return;
599 }
600 // If encryption is enabled while not pairing, we update the security
601 // properties to those of `ltk_`. Otherwise, we let the EndPhase2 pairing
602 // function determine the security properties.
603 SetSecurityProperties(ltk_->security());
604 if (security_request_phase) {
605 BT_ASSERT(role_ == Role::kResponder);
606 BT_ASSERT(!request_queue_.empty());
607 NotifySecurityCallbacks();
608 }
609 return;
610 }
611
612 if (InPhase2()) {
613 bt_log(DEBUG, "sm", "link encrypted with phase 2 generated key");
614 EndPhase2();
615 }
616 }
617
EndPhase2()618 void SecurityManagerImpl::EndPhase2() {
619 BT_ASSERT(features_.has_value());
620 BT_ASSERT(InPhase2());
621
622 SetSecurityProperties(FeaturesToProperties(*features_));
623 // If there are no keys to distribute, don't bother creating Phase 3
624 if (!HasKeysToDistribute(*features_)) {
625 OnPairingComplete(PairingData());
626 return;
627 }
628 auto self = weak_listener_.GetWeakPtr();
629 current_phase_.emplace<Phase3>(
630 sm_chan_->GetWeakPtr(),
631 self,
632 role_,
633 *features_,
634 security(),
635 fit::bind_member<&SecurityManagerImpl::OnPairingComplete>(this));
636 std::get<Phase3>(current_phase_).Start();
637 }
638
OnPairingComplete(PairingData pairing_data)639 void SecurityManagerImpl::OnPairingComplete(PairingData pairing_data) {
640 // We must either be in Phase3 or Phase 2 with no keys to distribute if
641 // pairing has completed.
642 if (!std::holds_alternative<Phase3>(current_phase_)) {
643 BT_ASSERT(InPhase2());
644 BT_ASSERT(!HasKeysToDistribute(*features_));
645 }
646 BT_ASSERT(delegate_.is_alive());
647 BT_ASSERT(features_.has_value());
648 bt_log(DEBUG, "sm", "LE pairing complete");
649 delegate_->OnPairingComplete(fit::ok());
650 // In Secure Connections, the LTK will be generated in Phase 2, not exchanged
651 // in Phase 3, so we want to ensure that it is still put in the pairing_data.
652 if (features_->secure_connections) {
653 BT_ASSERT(ltk_.has_value());
654 pairing_data.peer_ltk = pairing_data.local_ltk = ltk_;
655 } else {
656 // The SM-internal LTK is used to validate future encryption events on the
657 // existing link. Encryption with LTKs generated by LE legacy pairing uses
658 // the key received by the link-layer central - so as initiator, this is the
659 // peer key, and as responder, this is the local key.
660 const std::optional<LTK>& new_ltk = role_ == Role::kInitiator
661 ? pairing_data.peer_ltk
662 : pairing_data.local_ltk;
663 if (new_ltk.has_value()) {
664 OnNewLongTermKey(*new_ltk);
665 }
666 }
667
668 if (features_->generate_ct_key.has_value()) {
669 // If we are generating the CT key, we must be using secure connections, and
670 // as such the peer and local LTKs will be equivalent.
671 BT_ASSERT(features_->secure_connections);
672 BT_ASSERT(pairing_data.peer_ltk == pairing_data.local_ltk);
673 std::optional<UInt128> ct_key_value = util::LeLtkToBrEdrLinkKey(
674 ltk_->key().value(), features_->generate_ct_key.value());
675 if (ct_key_value) {
676 pairing_data.cross_transport_key =
677 sm::LTK(ltk_->security(), hci_spec::LinkKey(*ct_key_value, 0, 0));
678 } else {
679 bt_log(WARN, "sm", "failed to generate cross-transport key");
680 }
681 }
682
683 if (features_->will_bond) {
684 delegate_->OnNewPairingData(pairing_data);
685 } else {
686 bt_log(INFO,
687 "gap-le",
688 " %s pairing complete in non-bondable mode with [%s%s%s%s%s]",
689 features_->secure_connections ? "secure connections" : "legacy",
690 pairing_data.peer_ltk ? "peer_ltk " : "",
691 pairing_data.local_ltk ? "local_ltk " : "",
692 pairing_data.irk ? "irk " : "",
693 pairing_data.identity_address
694 ? bt_lib_cpp_string::StringPrintf(
695 "(identity: %s) ", bt_str(*pairing_data.identity_address))
696 .c_str()
697 : "",
698 pairing_data.csrk ? "csrk " : "");
699 }
700 // So we can pair again if need be.
701 ResetState();
702
703 NotifySecurityCallbacks();
704 }
705
NotifySecurityCallbacks()706 void SecurityManagerImpl::NotifySecurityCallbacks() {
707 // Separate out the requests that are satisfied by the current security level
708 // from those that require a higher level. We'll retry pairing for the latter.
709 std::queue<PendingRequest> satisfied;
710 std::queue<PendingRequest> unsatisfied;
711 while (!request_queue_.empty()) {
712 auto& request = request_queue_.front();
713 if (request.level <= security().level()) {
714 satisfied.push(std::move(request));
715 } else {
716 unsatisfied.push(std::move(request));
717 }
718 request_queue_.pop();
719 }
720
721 request_queue_ = std::move(unsatisfied);
722
723 // Notify the satisfied requests with success.
724 while (!satisfied.empty()) {
725 satisfied.front().callback(fit::ok(), security());
726 satisfied.pop();
727 }
728
729 if (!request_queue_.empty()) {
730 UpgradeSecurityInternal();
731 }
732 }
733
Reset(IOCapability io_capability)734 void SecurityManagerImpl::Reset(IOCapability io_capability) {
735 Abort(ErrorCode::kUnspecifiedReason);
736 io_cap_ = io_capability;
737 ResetState();
738 }
739
ResetState()740 void SecurityManagerImpl::ResetState() {
741 StopTimer();
742 features_.reset();
743 sm_chan_->SetChannelHandler(weak_handler_.GetWeakPtr());
744 current_phase_ = std::monostate{};
745 }
746
AssignLongTermKey(const LTK & ltk)747 bool SecurityManagerImpl::AssignLongTermKey(const LTK& ltk) {
748 if (SecurityUpgradeInProgress()) {
749 bt_log(
750 DEBUG, "sm", "Cannot directly assign LTK while pairing is in progress");
751 return false;
752 }
753
754 OnNewLongTermKey(ltk);
755
756 // The initiatior starts encryption when it receives a new LTK from GAP.
757 if (role_ == Role::kInitiator && !le_link_->StartEncryption()) {
758 bt_log(ERROR, "sm", "Failed to initiate authentication procedure");
759 return false;
760 }
761
762 return true;
763 }
764
SetSecurityProperties(const SecurityProperties & sec)765 void SecurityManagerImpl::SetSecurityProperties(const SecurityProperties& sec) {
766 if (sec != security()) {
767 bt_log(DEBUG,
768 "sm",
769 "security properties changed - handle: %#.4x, new: %s, old: %s",
770 le_link_->handle(),
771 bt_str(sec),
772 bt_str(security()));
773 set_security(sec);
774 delegate_->OnNewSecurityProperties(security());
775 }
776 }
777
Abort(ErrorCode ecode)778 void SecurityManagerImpl::Abort(ErrorCode ecode) {
779 std::visit(
780 [=](auto& arg) {
781 using T = std::decay_t<decltype(arg)>;
782 if constexpr (std::is_same_v<std::unique_ptr<Phase1>, T>) {
783 arg->Abort(ecode);
784 } else if constexpr (std::is_base_of_v<PairingPhase, T>) {
785 arg.Abort(ecode);
786 } else {
787 bt_log(DEBUG,
788 "sm",
789 "Attempted to abort security upgrade while not in progress");
790 }
791 },
792 current_phase_);
793 // "Abort" should trigger OnPairingFailed.
794 }
795
OnIdentityRequest()796 std::optional<IdentityInfo> SecurityManagerImpl::OnIdentityRequest() {
797 // This is called by the bearer to determine if we have local identity
798 // information to distribute.
799 BT_ASSERT(delegate_.is_alive());
800 return delegate_->OnIdentityInformationRequest();
801 }
802
ConfirmPairing(ConfirmCallback confirm)803 void SecurityManagerImpl::ConfirmPairing(ConfirmCallback confirm) {
804 BT_ASSERT(delegate_.is_alive());
805 delegate_->ConfirmPairing([id = next_pairing_id_,
806 self = weak_self_.GetWeakPtr(),
807 cb = std::move(confirm)](bool confirm) {
808 if (!self.is_alive() || self->next_pairing_id_ != id) {
809 bt_log(TRACE,
810 "sm",
811 "ignoring user confirmation for expired pairing: id = %lu",
812 id);
813 return;
814 }
815 cb(confirm);
816 });
817 }
818
DisplayPasskey(uint32_t passkey,Delegate::DisplayMethod method,ConfirmCallback confirm)819 void SecurityManagerImpl::DisplayPasskey(uint32_t passkey,
820 Delegate::DisplayMethod method,
821 ConfirmCallback confirm) {
822 BT_ASSERT(delegate_.is_alive());
823 delegate_->DisplayPasskey(
824 passkey,
825 method,
826 [id = next_pairing_id_,
827 self = weak_self_.GetWeakPtr(),
828 method,
829 cb = std::move(confirm)](bool confirm) {
830 if (!self.is_alive() || self->next_pairing_id_ != id) {
831 bt_log(TRACE,
832 "sm",
833 "ignoring %s response for expired pairing: id = %lu",
834 util::DisplayMethodToString(method).c_str(),
835 id);
836 return;
837 }
838 cb(confirm);
839 });
840 }
841
RequestPasskey(PasskeyResponseCallback respond)842 void SecurityManagerImpl::RequestPasskey(PasskeyResponseCallback respond) {
843 BT_ASSERT(delegate_.is_alive());
844 delegate_->RequestPasskey([id = next_pairing_id_,
845 self = weak_self_.GetWeakPtr(),
846 cb = std::move(respond)](int64_t passkey) {
847 if (!self.is_alive() || self->next_pairing_id_ != id) {
848 bt_log(TRACE,
849 "sm",
850 "ignoring passkey input response for expired pairing: id = %lu",
851 id);
852 return;
853 }
854 cb(passkey);
855 });
856 }
857
OnRxBFrame(ByteBufferPtr sdu)858 void SecurityManagerImpl::OnRxBFrame(ByteBufferPtr sdu) {
859 fit::result<ErrorCode, ValidPacketReader> maybe_reader =
860 ValidPacketReader::ParseSdu(sdu);
861 if (maybe_reader.is_error()) {
862 bt_log(INFO,
863 "sm",
864 "dropped SMP packet: %s",
865 bt_str(ToResult(maybe_reader.error_value())));
866 return;
867 }
868 ValidPacketReader reader = maybe_reader.value();
869 Code smp_code = reader.code();
870
871 if (smp_code == kPairingRequest) {
872 OnPairingRequest(reader.payload<PairingRequestParams>());
873 } else if (smp_code == kSecurityRequest) {
874 OnSecurityRequest(reader.payload<AuthReqField>());
875 } else {
876 bt_log(INFO,
877 "sm",
878 "dropped unexpected SMP code %#.2X when not pairing",
879 smp_code);
880 }
881 }
882
OnChannelClosed()883 void SecurityManagerImpl::OnChannelClosed() {
884 bt_log(DEBUG, "sm", "SMP channel closed while not pairing");
885 }
886
OnPairingFailed(Error error)887 void SecurityManagerImpl::OnPairingFailed(Error error) {
888 std::string phase_status = std::visit(
889 [=](auto& arg) {
890 using T = std::decay_t<decltype(arg)>;
891 std::string s;
892 if constexpr (std::is_same_v<std::unique_ptr<Phase1>, T>) {
893 s = arg->ToString();
894 } else if constexpr (std::is_base_of_v<PairingPhase, T>) {
895 s = arg.ToString();
896 } else {
897 BT_PANIC(
898 "security upgrade cannot fail when current_phase_ is "
899 "std::monostate!");
900 }
901 return s;
902 },
903 current_phase_);
904 bt_log(ERROR,
905 "sm",
906 "LE pairing failed: %s. Current pairing phase: %s",
907 bt_str(error),
908 phase_status.c_str());
909 StopTimer();
910 // TODO(fxbug.dev/42172514): implement "waiting interval" to prevent repeated
911 // attempts as described in Vol 3, Part H, 2.3.6.
912
913 BT_ASSERT(delegate_.is_alive());
914 delegate_->OnPairingComplete(fit::error(error));
915
916 auto requests = std::move(request_queue_);
917 while (!requests.empty()) {
918 requests.front().callback(fit::error(error), security());
919 requests.pop();
920 }
921
922 if (SecurityUpgradeInProgress()) {
923 BT_ASSERT(le_link_.is_alive());
924 le_link_->set_ltk(hci_spec::LinkKey());
925 }
926 ResetState();
927 // Reset state before potentially disconnecting link to avoid causing pairing
928 // phase to fail twice.
929 if (error.is(HostError::kTimedOut)) {
930 // Per v5.2 Vol. 3 Part H 3.4, after a pairing timeout "No further SMP
931 // commands shall be sent over the L2CAP Security Manager Channel. A new
932 // Pairing process shall only be performed when a new physical link has been
933 // established."
934 bt_log(WARN, "sm", "pairing timed out! disconnecting link");
935 sm_chan_->SignalLinkError();
936 }
937 }
938
StartNewTimer()939 void SecurityManagerImpl::StartNewTimer() {
940 if (timeout_task_.is_pending()) {
941 BT_ASSERT(timeout_task_.Cancel());
942 }
943 timeout_task_.PostAfter(kPairingTimeout);
944 }
945
StopTimer()946 void SecurityManagerImpl::StopTimer() {
947 if (timeout_task_.is_pending() && !timeout_task_.Cancel()) {
948 bt_log(TRACE, "sm", "smp: failed to stop timer");
949 }
950 }
951
OnPairingTimeout()952 void SecurityManagerImpl::OnPairingTimeout() {
953 std::visit(
954 [=](auto& arg) {
955 using T = std::decay_t<decltype(arg)>;
956 if constexpr (std::is_same_v<std::unique_ptr<Phase1>, T>) {
957 arg->OnFailure(Error(HostError::kTimedOut));
958 } else if constexpr (std::is_base_of_v<PairingPhase, T>) {
959 arg.OnFailure(Error(HostError::kTimedOut));
960 } else {
961 BT_PANIC("cannot timeout when current_phase_ is std::monostate!");
962 }
963 },
964 current_phase_);
965 }
966
967 std::pair<DeviceAddress, DeviceAddress>
LEPairingAddresses()968 SecurityManagerImpl::LEPairingAddresses() {
969 BT_ASSERT(SecurityUpgradeInProgress());
970 const DeviceAddress *initiator = &le_link_->local_address(),
971 *responder = &le_link_->peer_address();
972 if (role_ == Role::kResponder) {
973 std::swap(initiator, responder);
974 }
975 return std::make_pair(*initiator, *responder);
976 }
977
OnNewLongTermKey(const LTK & ltk)978 void SecurityManagerImpl::OnNewLongTermKey(const LTK& ltk) {
979 ltk_ = ltk;
980 le_link_->set_ltk(ltk.key());
981 }
982
ValidateExistingLocalLtk()983 Result<> SecurityManagerImpl::ValidateExistingLocalLtk() {
984 Result<> status = fit::ok();
985 if (!ltk_.has_value() || !le_link_->ltk().has_value()) {
986 // The LTKs should always be present when this method is called.
987 status = fit::error(Error(HostError::kNotFound));
988 } else if (!(*le_link_->ltk() == ltk_->key())) {
989 // As only SM should ever change the LE Link encryption key, these two
990 // values should always be in sync, i.e. something in the system is acting
991 // unreliably if they get out of sync.
992 status = fit::error(Error(HostError::kNotReliable));
993 }
994 if (status.is_error()) {
995 // SM does not own the link, so although the checks above should never fail,
996 // disconnecting the link (vs. ASSERTing these checks) is safer against
997 // non-SM code potentially touching the key.
998 delegate_->OnAuthenticationFailure(
999 ToResult(pw::bluetooth::emboss::StatusCode::PIN_OR_KEY_MISSING));
1000 sm_chan_->SignalLinkError();
1001 }
1002 return status;
1003 }
1004
Create(hci::LowEnergyConnection::WeakPtr link,l2cap::Channel::WeakPtr smp,IOCapability io_capability,Delegate::WeakPtr delegate,BondableMode bondable_mode,gap::LESecurityMode security_mode,pw::async::Dispatcher & dispatcher)1005 std::unique_ptr<SecurityManager> SecurityManager::Create(
1006 hci::LowEnergyConnection::WeakPtr link,
1007 l2cap::Channel::WeakPtr smp,
1008 IOCapability io_capability,
1009 Delegate::WeakPtr delegate,
1010 BondableMode bondable_mode,
1011 gap::LESecurityMode security_mode,
1012 pw::async::Dispatcher& dispatcher) {
1013 return std::make_unique<SecurityManagerImpl>(std::move(link),
1014 std::move(smp),
1015 io_capability,
1016 std::move(delegate),
1017 bondable_mode,
1018 security_mode,
1019 dispatcher);
1020 }
1021
SecurityManager(BondableMode bondable_mode,gap::LESecurityMode security_mode)1022 SecurityManager::SecurityManager(BondableMode bondable_mode,
1023 gap::LESecurityMode security_mode)
1024 : bondable_mode_(bondable_mode), security_mode_(security_mode) {}
1025
1026 } // namespace bt::sm
1027