1 // Copyright 2023 The Pigweed Authors
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License"); you may not
4 // use this file except in compliance with the License. You may obtain a copy of
5 // the License at
6 //
7 // https://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
11 // WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
12 // License for the specific language governing permissions and limitations under
13 // the License.
14
15 #include "pw_bluetooth_sapphire/internal/host/sm/security_manager.h"
16
17 #include <chrono>
18 #include <cstdlib>
19
20 #include "pw_bluetooth_sapphire/internal/host/common/macros.h"
21 #include "pw_bluetooth_sapphire/internal/host/common/random.h"
22 #include "pw_bluetooth_sapphire/internal/host/gap/gap.h"
23 #include "pw_bluetooth_sapphire/internal/host/hci-spec/link_key.h"
24 #include "pw_bluetooth_sapphire/internal/host/hci/connection.h"
25 #include "pw_bluetooth_sapphire/internal/host/hci/fake_low_energy_connection.h"
26 #include "pw_bluetooth_sapphire/internal/host/l2cap/fake_channel_test.h"
27 #include "pw_bluetooth_sapphire/internal/host/sm/ecdh_key.h"
28 #include "pw_bluetooth_sapphire/internal/host/sm/error.h"
29 #include "pw_bluetooth_sapphire/internal/host/sm/packet.h"
30 #include "pw_bluetooth_sapphire/internal/host/sm/smp.h"
31 #include "pw_bluetooth_sapphire/internal/host/sm/types.h"
32 #include "pw_bluetooth_sapphire/internal/host/sm/util.h"
33 #include "pw_bluetooth_sapphire/internal/host/testing/controller_test.h"
34 #include "pw_bluetooth_sapphire/internal/host/testing/mock_controller.h"
35 #include "pw_bluetooth_sapphire/internal/host/testing/test_helpers.h"
36 #include "pw_bluetooth_sapphire/internal/host/testing/test_packets.h"
37 #include "pw_bluetooth_sapphire/internal/host/transport/error.h"
38
39 // inclusive-language: disable
40 namespace bt::sm {
41 namespace {
42
43 const DeviceAddress kLocalAddr(DeviceAddress::Type::kLEPublic,
44 {0xA6, 0xA5, 0xA4, 0xA3, 0xA2, 0xA1});
45 const DeviceAddress kPeerAddr(DeviceAddress::Type::kLERandom,
46 {0xB6, 0xB5, 0xB4, 0xB3, 0xB2, 0xB1});
47
48 const PairingRandomValue kHardCodedPairingRandom = {0x0,
49 0x1,
50 0x2,
51 0x3,
52 0x4,
53 0x5,
54 0x6,
55 0x7,
56 0x8,
57 0x9,
58 0xA,
59 0xB,
60 0xC,
61 0xD,
62 0xE,
63 0xF};
64
65 constexpr hci_spec::ConnectionHandle kConnectionHandle(1);
66
67 class SecurityManagerTest : public l2cap::testing::FakeChannelTest,
68 public sm::Delegate {
69 public:
SecurityManagerTest()70 SecurityManagerTest() : weak_delegate_(this) {}
71 ~SecurityManagerTest() override = default;
72
73 protected:
SetUp()74 void SetUp() override {
75 l2cap::testing::FakeChannelTest::SetUp();
76 InitializeTransport();
77 }
TearDown()78 void TearDown() override {
79 RunUntilIdle();
80 DestroySecurityManager();
81 fake_link_.reset();
82 transport_.reset();
83 l2cap::testing::FakeChannelTest::TearDown();
84 }
85
NewSecurityManager(Role role,IOCapability ioc,BondableMode bondable_mode)86 void NewSecurityManager(Role role,
87 IOCapability ioc,
88 BondableMode bondable_mode) {
89 // Setup fake SMP channel.
90 ChannelOptions options(l2cap::kLESMPChannelId);
91 fake_chan_ = CreateFakeChannel(options);
92 fake_chan_->SetSendCallback(
93 fit::bind_member<&SecurityManagerTest::OnDataReceived>(this),
94 dispatcher());
95
96 // Setup a fake logical link.
97 auto link_role = role == Role::kInitiator
98 ? pw::bluetooth::emboss::ConnectionRole::CENTRAL
99 : pw::bluetooth::emboss::ConnectionRole::PERIPHERAL;
100
101 if (fake_link_) {
102 auto status_event = testing::CommandStatusPacket(
103 hci_spec::kDisconnect, pw::bluetooth::emboss::StatusCode::SUCCESS);
104 auto disconnect_complete =
105 testing::DisconnectionCompletePacket(kConnectionHandle);
106 EXPECT_CMD_PACKET_OUT(controller_,
107 testing::DisconnectPacket(kConnectionHandle),
108 &status_event,
109 &disconnect_complete);
110 fake_link_.reset();
111 RunUntilIdle();
112 }
113 fake_link_ = std::make_unique<hci::testing::FakeLowEnergyConnection>(
114 kConnectionHandle,
115 kLocalAddr,
116 kPeerAddr,
117 link_role,
118 transport_->GetWeakPtr());
119
120 pairing_ = SecurityManager::Create(fake_link_->GetWeakPtr(),
121 fake_chan_->GetWeakPtr(),
122 ioc,
123 weak_delegate_.GetWeakPtr(),
124 bondable_mode,
125 gap::LESecurityMode::Mode1,
126 dispatcher());
127 }
128
DestroySecurityManager()129 void DestroySecurityManager() { pairing_ = nullptr; }
130
131 // sm::Delegate override:
ConfirmPairing(ConfirmCallback confirm)132 void ConfirmPairing(ConfirmCallback confirm) override {
133 if (confirm_delegate_) {
134 confirm_delegate_(std::move(confirm));
135 } else {
136 confirm(true);
137 }
138 }
139
140 // sm::Delegate override:
DisplayPasskey(uint32_t passkey,DisplayMethod method,ConfirmCallback confirm)141 void DisplayPasskey(uint32_t passkey,
142 DisplayMethod method,
143 ConfirmCallback confirm) override {
144 if (display_delegate_) {
145 display_delegate_(passkey, method, std::move(confirm));
146 } else {
147 ADD_FAILURE() << "No passkey display delegate set for "
148 << util::DisplayMethodToString(method) << " pairing";
149 }
150 }
151
152 // sm::Delegate override:
RequestPasskey(PasskeyResponseCallback respond)153 void RequestPasskey(PasskeyResponseCallback respond) override {
154 if (request_passkey_delegate_) {
155 request_passkey_delegate_(std::move(respond));
156 } else {
157 ADD_FAILURE()
158 << "No passkey entry delegate set for passkey entry pairing";
159 }
160 }
161
OnIdentityInformationRequest()162 std::optional<IdentityInfo> OnIdentityInformationRequest() override {
163 local_id_info_callback_count_++;
164 return local_id_info_;
165 }
166
167 // Called by |pairing_| when the pairing procedure ends.
OnPairingComplete(Result<> status)168 void OnPairingComplete(Result<> status) override {
169 pairing_complete_count_++;
170 pairing_complete_status_ = status;
171 }
172
173 // Called by |pairing_| when a new LTK is obtained.
OnNewPairingData(const PairingData & pairing_data)174 void OnNewPairingData(const PairingData& pairing_data) override {
175 pairing_data_callback_count_++;
176 pairing_data_ = pairing_data;
177 }
178
179 // Called by |pairing_| when any encryption procedure fails.
OnAuthenticationFailure(hci::Result<> status)180 void OnAuthenticationFailure(hci::Result<> status) override {
181 auth_failure_callback_count_++;
182 auth_failure_status_ = status;
183 }
184
185 // Called by |pairing_| when the link security properties change.
OnNewSecurityProperties(const SecurityProperties & sec)186 void OnNewSecurityProperties(const SecurityProperties& sec) override {
187 new_sec_props_count_++;
188 new_sec_props_ = sec;
189 }
190
UpgradeSecurity(SecurityLevel level)191 void UpgradeSecurity(SecurityLevel level) {
192 BT_DEBUG_ASSERT(pairing_);
193 pairing_->UpgradeSecurity(level, [this](auto status, const auto& props) {
194 security_callback_count_++;
195 security_status_ = status;
196 sec_props_ = props;
197 });
198 }
199
200 // Called when SMP sends a packet over the fake channel.
OnDataReceived(std::unique_ptr<const ByteBuffer> packet)201 void OnDataReceived(std::unique_ptr<const ByteBuffer> packet) {
202 BT_DEBUG_ASSERT(packet);
203
204 PacketReader reader(packet.get());
205 switch (reader.code()) {
206 case kPairingFailed:
207 pairing_failed_count_++;
208 received_error_code_ = reader.payload<PairingFailedParams>();
209 break;
210 case kSecurityRequest:
211 security_request_count_++;
212 security_auth_req_ = reader.payload<AuthReqField>();
213 break;
214 case kPairingRequest:
215 pairing_request_count_++;
216 packet->Copy(&local_pairing_cmd_);
217 break;
218 case kPairingResponse:
219 pairing_response_count_++;
220 packet->Copy(&local_pairing_cmd_);
221 break;
222 case kPairingPublicKey:
223 pairing_public_key_count_++;
224 public_ecdh_key_ = EcdhKey::ParseFromPublicKey(
225 reader.payload<PairingPublicKeyParams>());
226 break;
227 case kPairingConfirm:
228 pairing_confirm_count_++;
229 pairing_confirm_ = reader.payload<PairingConfirmValue>();
230 break;
231 case kPairingRandom:
232 pairing_random_count_++;
233 pairing_random_ = reader.payload<PairingRandomValue>();
234 break;
235 case kPairingDHKeyCheck:
236 pairing_dhkey_check_count_++;
237 pairing_dhkey_check_ = reader.payload<PairingDHKeyCheckValueE>();
238 break;
239 case kEncryptionInformation:
240 enc_info_count_++;
241 enc_info_ = reader.payload<EncryptionInformationParams>();
242 break;
243 case kCentralIdentification: {
244 const auto& params = reader.payload<CentralIdentificationParams>();
245 central_ident_count_++;
246 ediv_ = le16toh(params.ediv);
247 rand_ = le64toh(params.rand);
248 break;
249 }
250 case kIdentityInformation:
251 id_info_count_++;
252 id_info_ = reader.payload<UInt128>();
253 break;
254 case kIdentityAddressInformation: {
255 const auto& params = reader.payload<IdentityAddressInformationParams>();
256 id_addr_info_count_++;
257 id_addr_info_ = DeviceAddress(params.type == AddressType::kStaticRandom
258 ? DeviceAddress::Type::kLERandom
259 : DeviceAddress::Type::kLEPublic,
260 params.bd_addr);
261 break;
262 }
263 default:
264 FAIL() << "Sent unsupported SMP command";
265 }
266 }
267
268 // Emulates the receipt of pairing features (both as initiator and responder).
ReceivePairingFeatures(const PairingRequestParams & params,bool peer_initiator=false)269 void ReceivePairingFeatures(const PairingRequestParams& params,
270 bool peer_initiator = false) {
271 PacketWriter writer(peer_initiator ? kPairingRequest : kPairingResponse,
272 &peer_pairing_cmd_);
273 *writer.mutable_payload<PairingRequestParams>() = params;
274 fake_chan()->Receive(peer_pairing_cmd_);
275 }
276
ReceivePairingFeatures(IOCapability ioc=IOCapability::kNoInputNoOutput,AuthReqField auth_req=0,uint8_t max_enc_key_size=kMaxEncryptionKeySize,bool peer_initiator=false)277 void ReceivePairingFeatures(IOCapability ioc = IOCapability::kNoInputNoOutput,
278 AuthReqField auth_req = 0,
279 uint8_t max_enc_key_size = kMaxEncryptionKeySize,
280 bool peer_initiator = false) {
281 PairingRequestParams pairing_params;
282 std::memset(&pairing_params, 0, sizeof(pairing_params));
283 pairing_params.io_capability = ioc;
284 pairing_params.auth_req = auth_req;
285 pairing_params.max_encryption_key_size = max_enc_key_size;
286
287 ReceivePairingFeatures(pairing_params, peer_initiator);
288 }
289
ReceivePairingFailed(ErrorCode error_code)290 void ReceivePairingFailed(ErrorCode error_code) {
291 StaticByteBuffer<sizeof(Header) + sizeof(ErrorCode)> buffer;
292 PacketWriter writer(kPairingFailed, &buffer);
293 *writer.mutable_payload<PairingFailedParams>() = error_code;
294 fake_chan()->Receive(buffer);
295 }
296
ReceivePairingPublicKey(const PairingPublicKeyParams & key)297 void ReceivePairingPublicKey(const PairingPublicKeyParams& key) {
298 StaticByteBuffer<util::PacketSize<PairingPublicKeyParams>()> buffer;
299 PacketWriter writer(kPairingPublicKey, &buffer);
300 std::memcpy(
301 writer.mutable_payload_bytes(), &key, sizeof(PairingPublicKeyParams));
302 fake_chan()->Receive(buffer);
303 }
304
ReceivePairingConfirm(const UInt128 & confirm)305 void ReceivePairingConfirm(const UInt128& confirm) {
306 Receive128BitCmd(kPairingConfirm, confirm);
307 }
308
ReceivePairingRandom(const UInt128 & random)309 void ReceivePairingRandom(const UInt128& random) {
310 Receive128BitCmd(kPairingRandom, random);
311 }
312
ReceivePairingDHKeyCheck(const UInt128 & check)313 void ReceivePairingDHKeyCheck(const UInt128& check) {
314 Receive128BitCmd(kPairingDHKeyCheck, check);
315 }
316
ReceiveEncryptionInformation(const UInt128 & ltk)317 void ReceiveEncryptionInformation(const UInt128& ltk) {
318 Receive128BitCmd(kEncryptionInformation, ltk);
319 }
320
ReceiveCentralIdentification(uint64_t random,uint16_t ediv)321 void ReceiveCentralIdentification(uint64_t random, uint16_t ediv) {
322 StaticByteBuffer<sizeof(Header) + sizeof(CentralIdentificationParams)>
323 buffer;
324 PacketWriter writer(kCentralIdentification, &buffer);
325 auto* params = writer.mutable_payload<CentralIdentificationParams>();
326 params->ediv = htole16(ediv);
327 params->rand = htole64(random);
328 fake_chan()->Receive(buffer);
329 }
330
ReceiveIdentityResolvingKey(const UInt128 & irk)331 void ReceiveIdentityResolvingKey(const UInt128& irk) {
332 Receive128BitCmd(kIdentityInformation, irk);
333 }
334
ReceiveNonBondablePairingResponse()335 void ReceiveNonBondablePairingResponse() {
336 // clang-format off
337 const StaticByteBuffer kResponse(
338 0x02, // code: Pairing Response
339 0x00, // IO cap.: DisplayOnly
340 0x00, // OOB: not present
341 0x00, // AuthReq: no bonding, MITM not required
342 0x07, // encr. key size: 7 (default min)
343 0x00, // initiator keys: none
344 0x00 // responder keys: none - nonbondable mode
345 );
346 // clang-format on
347 fake_chan()->Receive(kResponse);
348 }
349
ReceiveIdentityAddress(const DeviceAddress & address)350 void ReceiveIdentityAddress(const DeviceAddress& address) {
351 StaticByteBuffer<sizeof(Header) + sizeof(IdentityAddressInformationParams)>
352 buffer;
353 PacketWriter writer(kIdentityAddressInformation, &buffer);
354 auto* params = writer.mutable_payload<IdentityAddressInformationParams>();
355 params->type = address.type() == DeviceAddress::Type::kLEPublic
356 ? AddressType::kPublic
357 : AddressType::kStaticRandom;
358 params->bd_addr = address.value();
359 fake_chan()->Receive(buffer);
360 }
361
ReceiveSecurityRequest(AuthReqField auth_req=0u)362 void ReceiveSecurityRequest(AuthReqField auth_req = 0u) {
363 StaticByteBuffer<sizeof(Header) + sizeof(AuthReqField)> buffer;
364 buffer[0] = kSecurityRequest;
365 buffer[1] = auth_req;
366 fake_chan()->Receive(buffer);
367 RunUntilIdle();
368 }
369
GenerateLegacyConfirmValue(const UInt128 & random,UInt128 * out_value,bool peer_initiator=false,uint32_t tk=0)370 void GenerateLegacyConfirmValue(const UInt128& random,
371 UInt128* out_value,
372 bool peer_initiator = false,
373 uint32_t tk = 0) {
374 BT_DEBUG_ASSERT(out_value);
375
376 tk = htole32(tk);
377 UInt128 tk128;
378 tk128.fill(0);
379 std::memcpy(tk128.data(), &tk, sizeof(tk));
380
381 const ByteBuffer *preq, *pres;
382 const DeviceAddress *init_addr, *rsp_addr;
383 if (peer_initiator) {
384 preq = &peer_pairing_cmd();
385 pres = &local_pairing_cmd();
386 init_addr = &kPeerAddr;
387 rsp_addr = &kLocalAddr;
388 } else {
389 preq = &local_pairing_cmd();
390 pres = &peer_pairing_cmd();
391 init_addr = &kLocalAddr;
392 rsp_addr = &kPeerAddr;
393 }
394
395 util::C1(tk128, random, *preq, *pres, *init_addr, *rsp_addr, out_value);
396 }
397
GenerateScConfirmValue(const LocalEcdhKey & peer_key,const UInt128 & random,Role local_role,bool gen_initiator_confirm,uint8_t r=0)398 UInt128 GenerateScConfirmValue(const LocalEcdhKey& peer_key,
399 const UInt128& random,
400 Role local_role,
401 bool gen_initiator_confirm,
402 uint8_t r = 0) {
403 BT_ASSERT_MSG(public_ecdh_key_.has_value(),
404 "cannot compute confirm, missing key!");
405 UInt256 pka = public_ecdh_key_->GetPublicKeyX(),
406 pkb = peer_key.GetPublicKeyX();
407 if (local_role == Role::kResponder) {
408 std::swap(pka, pkb);
409 }
410 return gen_initiator_confirm ? util::F4(pka, pkb, random, r).value()
411 : util::F4(pkb, pka, random, r).value();
412 }
413
pairing() const414 SecurityManager* pairing() const { return pairing_.get(); }
fake_chan() const415 l2cap::testing::FakeChannel* fake_chan() const { return fake_chan_.get(); }
fake_link() const416 hci::testing::FakeLowEnergyConnection* fake_link() const {
417 return fake_link_.get();
418 }
419
security_callback_count() const420 int security_callback_count() const { return security_callback_count_; }
received_error_code() const421 const std::optional<ErrorCode>& received_error_code() const {
422 return received_error_code_;
423 }
security_status() const424 const Result<>& security_status() const { return security_status_; }
sec_props() const425 const SecurityProperties& sec_props() const { return sec_props_; }
426
pairing_complete_count() const427 int pairing_complete_count() const { return pairing_complete_count_; }
pairing_complete_status() const428 const Result<>& pairing_complete_status() const {
429 return pairing_complete_status_;
430 }
431
pairing_data_callback_count() const432 int pairing_data_callback_count() const {
433 return pairing_data_callback_count_;
434 }
435
auth_failure_callback_count() const436 int auth_failure_callback_count() const {
437 return auth_failure_callback_count_;
438 }
auth_failure_status() const439 const hci::Result<>& auth_failure_status() const {
440 return auth_failure_status_;
441 }
442
local_id_info_callback_count() const443 int local_id_info_callback_count() const {
444 return local_id_info_callback_count_;
445 }
446
new_sec_props_count() const447 int new_sec_props_count() const { return new_sec_props_count_; }
new_sec_props() const448 const SecurityProperties& new_sec_props() const { return new_sec_props_; }
449
peer_ltk() const450 const std::optional<LTK>& peer_ltk() const { return pairing_data_.peer_ltk; }
local_ltk() const451 const std::optional<LTK>& local_ltk() const {
452 return pairing_data_.local_ltk;
453 }
irk() const454 const std::optional<Key>& irk() const { return pairing_data_.irk; }
identity() const455 const std::optional<DeviceAddress>& identity() const {
456 return pairing_data_.identity_address;
457 }
csrk() const458 const std::optional<Key>& csrk() const { return pairing_data_.csrk; }
459
460 using ConfirmDelegate = fit::function<void(ConfirmCallback)>;
set_confirm_delegate(ConfirmDelegate delegate)461 void set_confirm_delegate(ConfirmDelegate delegate) {
462 confirm_delegate_ = std::move(delegate);
463 }
464
465 using DisplayDelegate =
466 fit::function<void(uint32_t, DisplayMethod, ConfirmCallback)>;
set_display_delegate(DisplayDelegate delegate)467 void set_display_delegate(DisplayDelegate delegate) {
468 display_delegate_ = std::move(delegate);
469 }
470
471 // sm::Delegate override:
472 using RequestPasskeyDelegate = fit::function<void(PasskeyResponseCallback)>;
set_request_passkey_delegate(RequestPasskeyDelegate delegate)473 void set_request_passkey_delegate(RequestPasskeyDelegate delegate) {
474 request_passkey_delegate_ = std::move(delegate);
475 }
476
set_local_id_info(std::optional<IdentityInfo> info)477 void set_local_id_info(std::optional<IdentityInfo> info) {
478 local_id_info_ = info;
479 }
480
security_request_count() const481 int security_request_count() const { return security_request_count_; }
pairing_failed_count() const482 int pairing_failed_count() const { return pairing_failed_count_; }
pairing_request_count() const483 int pairing_request_count() const { return pairing_request_count_; }
pairing_response_count() const484 int pairing_response_count() const { return pairing_response_count_; }
pairing_public_key_count() const485 int pairing_public_key_count() const { return pairing_public_key_count_; }
pairing_confirm_count() const486 int pairing_confirm_count() const { return pairing_confirm_count_; }
pairing_random_count() const487 int pairing_random_count() const { return pairing_random_count_; }
pairing_dhkey_check_count() const488 int pairing_dhkey_check_count() const { return pairing_dhkey_check_count_; }
enc_info_count() const489 int enc_info_count() const { return enc_info_count_; }
id_info_count() const490 int id_info_count() const { return id_info_count_; }
id_addr_info_count() const491 int id_addr_info_count() const { return id_addr_info_count_; }
central_ident_count() const492 int central_ident_count() const { return central_ident_count_; }
493
security_request_payload() const494 AuthReqField security_request_payload() const { return security_auth_req_; }
public_ecdh_key() const495 const std::optional<EcdhKey>& public_ecdh_key() const {
496 return public_ecdh_key_;
497 }
pairing_confirm() const498 const UInt128& pairing_confirm() const { return pairing_confirm_; }
pairing_random() const499 const UInt128& pairing_random() const { return pairing_random_; }
pairing_dhkey_check() const500 const UInt128& pairing_dhkey_check() const { return pairing_dhkey_check_; }
enc_info() const501 const UInt128& enc_info() const { return enc_info_; }
id_info() const502 const UInt128& id_info() const { return id_info_; }
id_addr_info() const503 const DeviceAddress& id_addr_info() const { return id_addr_info_; }
ediv() const504 uint16_t ediv() const { return ediv_; }
rand() const505 uint64_t rand() const { return rand_; }
pairing_data() const506 const PairingData& pairing_data() const { return pairing_data_; }
507
local_pairing_cmd() const508 const ByteBuffer& local_pairing_cmd() const { return local_pairing_cmd_; }
peer_pairing_cmd() const509 const ByteBuffer& peer_pairing_cmd() const { return peer_pairing_cmd_; }
510
511 private:
Receive128BitCmd(Code cmd_code,const UInt128 & value)512 void Receive128BitCmd(Code cmd_code, const UInt128& value) {
513 StaticByteBuffer<sizeof(Header) + sizeof(UInt128)> buffer;
514 PacketWriter writer(cmd_code, &buffer);
515 *writer.mutable_payload<UInt128>() = value;
516 fake_chan()->Receive(buffer);
517 }
518
InitializeTransport()519 void InitializeTransport() {
520 // Ensure any tasks posted by an existing transport are dispatched.
521 RunUntilIdle();
522 auto mock_controller =
523 std::make_unique<bt::testing::MockController>(dispatcher());
524 controller_ = mock_controller->GetWeakPtr();
525 transport_ = std::make_unique<hci::Transport>(std::move(mock_controller),
526 dispatcher());
527 std::optional<bool> init_success;
528 transport_->Initialize([&](bool success) { init_success = success; });
529 RunUntilIdle();
530 ASSERT_TRUE(init_success.has_value());
531 ASSERT_TRUE(init_success.value());
532 transport_->InitializeACLDataChannel(hci::DataBufferInfo(1, 1),
533 hci::DataBufferInfo(1, 1));
534 }
535
536 testing::MockController::WeakPtr controller_;
537 std::unique_ptr<hci::Transport> transport_;
538
539 // We store the preq/pres values here to generate a valid confirm value for
540 // the fake side.
541 StaticByteBuffer<sizeof(Header) + sizeof(PairingRequestParams)>
542 local_pairing_cmd_, peer_pairing_cmd_;
543
544 // Number of times the security callback given to UpgradeSecurity has been
545 // called and the most recent parameters that it was called with.
546 int security_callback_count_ = 0;
547 Result<> security_status_ = fit::ok();
548 SecurityProperties sec_props_;
549
550 // Number of times the pairing data callback has been called and the most
551 // recent value that it was called with.
552 int pairing_data_callback_count_ = 0;
553 PairingData pairing_data_;
554
555 // Number of times the link security properties have been notified via
556 // OnNewSecurityProperties().
557 int new_sec_props_count_ = 0;
558 SecurityProperties new_sec_props_;
559
560 // State tracking the OnPairingComplete event.
561 int pairing_complete_count_ = 0;
562 Result<> pairing_complete_status_ = fit::ok();
563
564 // State tracking the OnAuthenticationFailure event.
565 int auth_failure_callback_count_ = 0;
566 hci::Result<> auth_failure_status_ = fit::ok();
567
568 // State tracking the OnIdentityInformationRequest event.
569 int local_id_info_callback_count_ = 0;
570 std::optional<IdentityInfo> local_id_info_;
571
572 // Delegate functions used to respond to user input requests from the Security
573 // Manager.
574 ConfirmDelegate confirm_delegate_;
575 DisplayDelegate display_delegate_;
576 RequestPasskeyDelegate request_passkey_delegate_;
577
578 // Counts of commands that we have sent out to the peer.
579 int security_request_count_ = 0;
580 int pairing_failed_count_ = 0;
581 int pairing_request_count_ = 0;
582 int pairing_response_count_ = 0;
583 int pairing_public_key_count_ = 0;
584 int pairing_confirm_count_ = 0;
585 int pairing_random_count_ = 0;
586 int pairing_dhkey_check_count_ = 0;
587 int enc_info_count_ = 0;
588 int id_info_count_ = 0;
589 int id_addr_info_count_ = 0;
590 int central_ident_count_ = 0;
591
592 // Values that have we have sent to the peer.
593 AuthReqField security_auth_req_ = 0;
594 std::optional<EcdhKey> public_ecdh_key_;
595 UInt128 pairing_confirm_ = {};
596 UInt128 pairing_random_ = {};
597 UInt128 pairing_dhkey_check_ = {};
598 UInt128 enc_info_ = {};
599 UInt128 id_info_ = {};
600 DeviceAddress id_addr_info_;
601 uint16_t ediv_ = 0;
602 uint64_t rand_ = 0;
603
604 std::optional<ErrorCode> received_error_code_;
605
606 std::unique_ptr<l2cap::testing::FakeChannel> fake_chan_;
607 std::unique_ptr<hci::testing::FakeLowEnergyConnection> fake_link_;
608 std::unique_ptr<SecurityManager> pairing_;
609
610 WeakSelf<Delegate> weak_delegate_;
611
612 BT_DISALLOW_COPY_AND_ASSIGN_ALLOW_MOVE(SecurityManagerTest);
613 };
614
615 class InitiatorPairingTest : public SecurityManagerTest {
616 public:
617 InitiatorPairingTest() = default;
618 ~InitiatorPairingTest() override = default;
619
SetUp()620 void SetUp() override {
621 SecurityManagerTest::SetUp();
622 SetUpSecurityManager();
623 }
624
SetUpSecurityManager(IOCapability ioc=IOCapability::kDisplayOnly,BondableMode bondable_mode=BondableMode::Bondable)625 void SetUpSecurityManager(
626 IOCapability ioc = IOCapability::kDisplayOnly,
627 BondableMode bondable_mode = BondableMode::Bondable) {
628 NewSecurityManager(Role::kInitiator, ioc, bondable_mode);
629 }
630
GenerateMatchingLegacyConfirmAndRandom(UInt128 * out_confirm,UInt128 * out_random,uint32_t tk=0)631 void GenerateMatchingLegacyConfirmAndRandom(UInt128* out_confirm,
632 UInt128* out_random,
633 uint32_t tk = 0) {
634 BT_DEBUG_ASSERT(out_confirm);
635 BT_DEBUG_ASSERT(out_random);
636 *out_random = kHardCodedPairingRandom;
637 GenerateLegacyConfirmValue(
638 *out_random, out_confirm, /*peer_initiator=*/false, tk);
639 }
640
641 struct MatchingPair {
642 UInt128 confirm;
643 UInt128 random;
644 };
GenerateMatchingScConfirmAndRandom(const LocalEcdhKey & peer_key,uint8_t r=0)645 MatchingPair GenerateMatchingScConfirmAndRandom(const LocalEcdhKey& peer_key,
646 uint8_t r = 0) {
647 MatchingPair pair;
648 pair.random = kHardCodedPairingRandom;
649 pair.confirm = GenerateScConfirmValue(peer_key,
650 pair.random,
651 Role::kInitiator,
652 /*gen_initiator_confirm=*/false,
653 r);
654 return pair;
655 }
656 // Emulate legacy pairing up until before encryption with STK. Returns the STK
657 // that the initiator is expected to encrypt the link with in |out_stk|.
658 //
659 // This will not resolve the encryption request that is made by using the STK
660 // before this function returns (this is to unit test encryption failure). Use
661 // FastForwardToPhase3() to also emulate successful encryption.
FastForwardToSTK(UInt128 * out_stk,SecurityLevel level=SecurityLevel::kEncrypted,KeyDistGenField remote_keys=0,KeyDistGenField local_keys=0,uint8_t max_key_size=kMaxEncryptionKeySize,BondableMode bondable_mode=BondableMode::Bondable)662 void FastForwardToSTK(UInt128* out_stk,
663 SecurityLevel level = SecurityLevel::kEncrypted,
664 KeyDistGenField remote_keys = 0,
665 KeyDistGenField local_keys = 0,
666 uint8_t max_key_size = kMaxEncryptionKeySize,
667 BondableMode bondable_mode = BondableMode::Bondable) {
668 UpgradeSecurity(level);
669
670 PairingRequestParams pairing_params;
671 pairing_params.io_capability = IOCapability::kNoInputNoOutput;
672 AuthReqField bondable = (bondable_mode == BondableMode::Bondable)
673 ? AuthReq::kBondingFlag
674 : 0,
675 mitm_protected = (level >= SecurityLevel::kAuthenticated)
676 ? AuthReq::kMITM
677 : 0;
678 pairing_params.auth_req = mitm_protected | bondable;
679 pairing_params.max_encryption_key_size = max_key_size;
680 pairing_params.initiator_key_dist_gen = local_keys;
681 pairing_params.responder_key_dist_gen = remote_keys;
682 ReceivePairingFeatures(pairing_params);
683
684 // Run the loop until the harness caches the feature exchange PDUs (preq &
685 // pres) so that we can generate a valid confirm value.
686 RunUntilIdle();
687
688 UInt128 sconfirm, srand;
689 GenerateMatchingLegacyConfirmAndRandom(&sconfirm, &srand);
690 ReceivePairingConfirm(sconfirm);
691 ReceivePairingRandom(srand);
692 RunUntilIdle();
693
694 EXPECT_EQ(1, pairing_confirm_count());
695 EXPECT_EQ(1, pairing_random_count());
696 EXPECT_EQ(0, pairing_failed_count());
697 EXPECT_EQ(0, security_callback_count());
698
699 BT_DEBUG_ASSERT(out_stk);
700
701 UInt128 tk;
702 tk.fill(0);
703 util::S1(tk, srand, pairing_random(), out_stk);
704 }
705
FastForwardToPhase3(UInt128 * out_encryption_key,bool secure_connections=false,SecurityLevel level=SecurityLevel::kEncrypted,KeyDistGenField remote_keys=0,KeyDistGenField local_keys=0,uint8_t max_key_size=kMaxEncryptionKeySize,BondableMode bondable_mode=BondableMode::Bondable)706 void FastForwardToPhase3(
707 UInt128* out_encryption_key,
708 bool secure_connections = false,
709 SecurityLevel level = SecurityLevel::kEncrypted,
710 KeyDistGenField remote_keys = 0,
711 KeyDistGenField local_keys = 0,
712 uint8_t max_key_size = kMaxEncryptionKeySize,
713 BondableMode bondable_mode = BondableMode::Bondable) {
714 if (secure_connections) {
715 FastForwardToScLtk(
716 out_encryption_key, level, remote_keys, local_keys, bondable_mode);
717 } else {
718 FastForwardToSTK(out_encryption_key,
719 level,
720 remote_keys,
721 local_keys,
722 max_key_size,
723 bondable_mode);
724 }
725
726 ASSERT_TRUE(fake_link()->ltk());
727 EXPECT_EQ(1, fake_link()->start_encryption_count());
728
729 // Resolve the encryption request.
730 fake_link()->TriggerEncryptionChangeCallback(fit::ok(/*enabled=*/true));
731 RunUntilIdle();
732 EXPECT_EQ(1, new_sec_props_count());
733 EXPECT_EQ(level, new_sec_props().level());
734 }
735
FastForwardToScLtk(UInt128 * out_ltk,SecurityLevel level=SecurityLevel::kEncrypted,KeyDistGenField peer_keys=0,KeyDistGenField local_keys=0,BondableMode bondable=BondableMode::Bondable)736 void FastForwardToScLtk(UInt128* out_ltk,
737 SecurityLevel level = SecurityLevel::kEncrypted,
738 KeyDistGenField peer_keys = 0,
739 KeyDistGenField local_keys = 0,
740 BondableMode bondable = BondableMode::Bondable) {
741 UpgradeSecurity(level);
742 RunUntilIdle();
743
744 ASSERT_EQ(1, pairing_request_count());
745 PairingRequestParams pres;
746 pres.io_capability = IOCapability::kDisplayYesNo;
747 pres.oob_data_flag = OOBDataFlag::kNotPresent;
748 AuthReqField bondable_flag =
749 (bondable == BondableMode::Bondable) ? AuthReq::kBondingFlag : 0;
750 AuthReqField mitm_flag =
751 (level >= SecurityLevel::kAuthenticated) ? AuthReq::kMITM : 0;
752 pres.auth_req = AuthReq::kSC | mitm_flag | bondable_flag;
753 pres.max_encryption_key_size = kMaxEncryptionKeySize;
754 pres.initiator_key_dist_gen = local_keys;
755 pres.responder_key_dist_gen = peer_keys;
756 ReceivePairingFeatures(pres);
757 RunUntilIdle();
758
759 ASSERT_TRUE(public_ecdh_key().has_value());
760 LocalEcdhKey peer_key = *LocalEcdhKey::Create();
761 ReceivePairingPublicKey(peer_key.GetSerializedPublicKey());
762 RunUntilIdle();
763 // We're in SC Numeric Comparison/Just Works, so as initiator we should not
764 // send a confirm.
765 ASSERT_EQ(0, pairing_confirm_count());
766 MatchingPair phase_2_vals = GenerateMatchingScConfirmAndRandom(peer_key);
767 ReceivePairingConfirm(phase_2_vals.confirm);
768 RunUntilIdle();
769 ASSERT_EQ(1, pairing_random_count());
770 // If using MITM, we expect to be in Numeric Comparison
771 ConfirmCallback display_cb = nullptr;
772 if (mitm_flag != 0) {
773 uint32_t kExpectedDisplayVal =
774 *util::G2(public_ecdh_key()->GetPublicKeyX(),
775 peer_key.GetPublicKeyX(),
776 pairing_random(),
777 phase_2_vals.random) %
778 1000000;
779 set_display_delegate(
780 [kExpectedDisplayVal, &display_cb](uint32_t compare_value,
781 Delegate::DisplayMethod method,
782 ConfirmCallback cb) {
783 ASSERT_TRUE(method == Delegate::DisplayMethod::kComparison);
784 ASSERT_EQ(kExpectedDisplayVal, compare_value);
785 display_cb = std::move(cb);
786 });
787 }
788 ReceivePairingRandom(phase_2_vals.random);
789 RunUntilIdle();
790 if (mitm_flag != 0) {
791 ASSERT_TRUE(display_cb);
792 display_cb(true);
793 } // Else we are content to use the default confirm delegate behavior to
794 // accept the pairing.
795
796 util::F5Results f5 = *util::F5(peer_key.CalculateDhKey(*public_ecdh_key()),
797 pairing_random(),
798 phase_2_vals.random,
799 kLocalAddr,
800 kPeerAddr);
801
802 UInt128 r_array{0};
803 PacketReader reader(&local_pairing_cmd());
804 PairingResponseParams preq = reader.payload<PairingRequestParams>();
805 UInt128 dhkey_check_a = *util::F6(f5.mac_key,
806 pairing_random(),
807 phase_2_vals.random,
808 r_array,
809 preq.auth_req,
810 preq.oob_data_flag,
811 preq.io_capability,
812 kLocalAddr,
813 kPeerAddr);
814 UInt128 dhkey_check_b = *util::F6(f5.mac_key,
815 phase_2_vals.random,
816 pairing_random(),
817 r_array,
818 pres.auth_req,
819 pres.oob_data_flag,
820 pres.io_capability,
821 kPeerAddr,
822 kLocalAddr);
823 RunUntilIdle();
824 EXPECT_EQ(1, pairing_dhkey_check_count());
825 ASSERT_EQ(dhkey_check_a, pairing_dhkey_check());
826 ReceivePairingDHKeyCheck(dhkey_check_b);
827 RunUntilIdle();
828 EXPECT_EQ(0, pairing_failed_count());
829 EXPECT_EQ(0, security_callback_count());
830
831 ASSERT_TRUE(out_ltk);
832 *out_ltk = f5.ltk;
833 }
834
835 private:
836 BT_DISALLOW_COPY_AND_ASSIGN_ALLOW_MOVE(InitiatorPairingTest);
837 };
838
839 class ResponderPairingTest : public SecurityManagerTest {
840 public:
841 ResponderPairingTest() = default;
842 ~ResponderPairingTest() override = default;
843
SetUp()844 void SetUp() override {
845 SecurityManagerTest::SetUp();
846 SetUpSecurityManager();
847 }
848
SetUpSecurityManager(IOCapability ioc=IOCapability::kDisplayOnly,BondableMode bondable_mode=BondableMode::Bondable)849 void SetUpSecurityManager(
850 IOCapability ioc = IOCapability::kDisplayOnly,
851 BondableMode bondable_mode = BondableMode::Bondable) {
852 NewSecurityManager(Role::kResponder, ioc, bondable_mode);
853 }
854
GenerateMatchingLegacyConfirmAndRandom(UInt128 * out_confirm,UInt128 * out_random,uint32_t tk=0)855 void GenerateMatchingLegacyConfirmAndRandom(UInt128* out_confirm,
856 UInt128* out_random,
857 uint32_t tk = 0) {
858 BT_DEBUG_ASSERT(out_confirm);
859 BT_DEBUG_ASSERT(out_random);
860 *out_random = kHardCodedPairingRandom;
861 GenerateLegacyConfirmValue(
862 *out_random, out_confirm, /*peer_initiator=*/true, tk);
863 }
864 struct MatchingPair {
865 UInt128 confirm;
866 UInt128 random;
867 };
GenerateMatchingScConfirmAndRandom(const LocalEcdhKey & peer_key,uint8_t r=0)868 MatchingPair GenerateMatchingScConfirmAndRandom(const LocalEcdhKey& peer_key,
869 uint8_t r = 0) {
870 MatchingPair pair;
871 pair.random = kHardCodedPairingRandom;
872 pair.confirm = GenerateScConfirmValue(peer_key,
873 pair.random,
874 Role::kResponder,
875 /*gen_initiator_confirm=*/true,
876 r);
877 return pair;
878 }
ReceivePairingRequest(IOCapability ioc=IOCapability::kNoInputNoOutput,AuthReqField auth_req=0,uint8_t max_enc_key_size=kMaxEncryptionKeySize)879 void ReceivePairingRequest(IOCapability ioc = IOCapability::kNoInputNoOutput,
880 AuthReqField auth_req = 0,
881 uint8_t max_enc_key_size = kMaxEncryptionKeySize) {
882 ReceivePairingFeatures(
883 ioc, auth_req, max_enc_key_size, /*peer_initiator=*/true);
884 }
885
FastForwardToSTK(UInt128 * out_stk,SecurityLevel level=SecurityLevel::kEncrypted,KeyDistGenField remote_keys=0,KeyDistGenField local_keys=0,uint8_t max_key_size=kMaxEncryptionKeySize,BondableMode bondable_mode=BondableMode::Bondable)886 void FastForwardToSTK(UInt128* out_stk,
887 SecurityLevel level = SecurityLevel::kEncrypted,
888 KeyDistGenField remote_keys = 0,
889 KeyDistGenField local_keys = 0,
890 uint8_t max_key_size = kMaxEncryptionKeySize,
891 BondableMode bondable_mode = BondableMode::Bondable) {
892 PairingRequestParams pairing_params;
893 pairing_params.io_capability = IOCapability::kNoInputNoOutput;
894 AuthReqField bondable = (bondable_mode == BondableMode::Bondable)
895 ? AuthReq::kBondingFlag
896 : 0,
897 mitm_protected = (level >= SecurityLevel::kAuthenticated)
898 ? AuthReq::kMITM
899 : 0;
900 pairing_params.auth_req = mitm_protected | bondable;
901 pairing_params.max_encryption_key_size = max_key_size;
902 pairing_params.initiator_key_dist_gen = remote_keys;
903 pairing_params.responder_key_dist_gen = local_keys;
904 ReceivePairingFeatures(pairing_params, /*peer_initiator=*/true);
905
906 // Run the loop until the harness caches the feature exchange PDUs (preq &
907 // pres) so that we can generate a valid confirm value.
908 RunUntilIdle();
909 EXPECT_EQ(0, pairing_request_count());
910 EXPECT_EQ(1, pairing_response_count());
911
912 // The initiator should start the confirm/random exchange to generate the
913 // Phase 2 keys.
914 EXPECT_EQ(0, pairing_confirm_count());
915 EXPECT_EQ(0, pairing_random_count());
916
917 UInt128 mconfirm, mrand;
918 GenerateMatchingLegacyConfirmAndRandom(&mconfirm, &mrand);
919 ReceivePairingConfirm(mconfirm);
920 RunUntilIdle();
921 EXPECT_EQ(1, pairing_confirm_count());
922 EXPECT_EQ(0, pairing_random_count());
923
924 ReceivePairingRandom(mrand);
925 RunUntilIdle();
926 EXPECT_EQ(1, pairing_confirm_count());
927 EXPECT_EQ(1, pairing_random_count());
928 EXPECT_EQ(0, pairing_failed_count());
929 EXPECT_EQ(0, security_callback_count());
930
931 BT_DEBUG_ASSERT(out_stk);
932
933 UInt128 tk;
934 tk.fill(0);
935 util::S1(tk, pairing_random(), mrand, out_stk);
936 }
937
FastForwardToPhase3(UInt128 * out_encryption_key,bool secure_connections=false,SecurityLevel level=SecurityLevel::kEncrypted,KeyDistGenField remote_keys=0,KeyDistGenField local_keys=0,uint8_t max_key_size=kMaxEncryptionKeySize,BondableMode bondable_mode=BondableMode::Bondable)938 void FastForwardToPhase3(
939 UInt128* out_encryption_key,
940 bool secure_connections = false,
941 SecurityLevel level = SecurityLevel::kEncrypted,
942 KeyDistGenField remote_keys = 0,
943 KeyDistGenField local_keys = 0,
944 uint8_t max_key_size = kMaxEncryptionKeySize,
945 BondableMode bondable_mode = BondableMode::Bondable) {
946 if (secure_connections) {
947 FastForwardToScLtk(
948 out_encryption_key, level, remote_keys, local_keys, bondable_mode);
949 } else {
950 FastForwardToSTK(out_encryption_key,
951 level,
952 remote_keys,
953 local_keys,
954 max_key_size,
955 bondable_mode);
956 }
957
958 ASSERT_TRUE(fake_link()->ltk());
959
960 // No local start encryption request should be made.
961 EXPECT_EQ(0, fake_link()->start_encryption_count());
962
963 // Pretend that the initiator succeeded in encrypting the connection.
964 fake_link()->TriggerEncryptionChangeCallback(fit::ok(/*enabled=*/true));
965 RunUntilIdle();
966 EXPECT_EQ(1, new_sec_props_count());
967 EXPECT_EQ(level, new_sec_props().level());
968 }
969
FastForwardToScLtk(UInt128 * out_ltk,SecurityLevel level=SecurityLevel::kEncrypted,KeyDistGenField peer_keys=0,KeyDistGenField local_keys=0,BondableMode bondable=BondableMode::Bondable)970 void FastForwardToScLtk(UInt128* out_ltk,
971 SecurityLevel level = SecurityLevel::kEncrypted,
972 KeyDistGenField peer_keys = 0,
973 KeyDistGenField local_keys = 0,
974 BondableMode bondable = BondableMode::Bondable) {
975 PairingRequestParams preq;
976 preq.io_capability = IOCapability::kDisplayYesNo;
977 preq.oob_data_flag = OOBDataFlag::kNotPresent;
978 AuthReqField bondable_flag =
979 (bondable == BondableMode::Bondable) ? AuthReq::kBondingFlag : 0;
980 AuthReqField mitm_flag =
981 (level >= SecurityLevel::kAuthenticated) ? AuthReq::kMITM : 0;
982 preq.auth_req = AuthReq::kSC | mitm_flag | bondable_flag;
983 preq.max_encryption_key_size = kMaxEncryptionKeySize;
984 preq.initiator_key_dist_gen = local_keys;
985 preq.responder_key_dist_gen = peer_keys;
986 ReceivePairingFeatures(preq, /*peer_initiator=*/true);
987 RunUntilIdle();
988 ASSERT_EQ(1, pairing_response_count());
989
990 LocalEcdhKey peer_key = *LocalEcdhKey::Create();
991 ReceivePairingPublicKey(peer_key.GetSerializedPublicKey());
992 RunUntilIdle();
993 ASSERT_TRUE(public_ecdh_key().has_value());
994 ASSERT_EQ(1, pairing_public_key_count());
995
996 // We are in Just Works or Numeric Comparison based on IOCapabilities/MITM
997 // preferences, so we expect the confirm value immediately after the public
998 // key.
999 ASSERT_EQ(1, pairing_confirm_count());
1000 std::optional<uint32_t> display_val;
1001 if (mitm_flag != 0) {
1002 set_display_delegate([&](uint32_t compare_value,
1003 Delegate::DisplayMethod method,
1004 ConfirmCallback cb) {
1005 ASSERT_TRUE(method == Delegate::DisplayMethod::kComparison);
1006 display_val = compare_value;
1007 cb(true);
1008 });
1009 } // Else we are content to use the default confirm delegate behavior to
1010 // accept the pairing.
1011 auto peer_rand = Random<PairingRandomValue>();
1012 ReceivePairingRandom(peer_rand);
1013 RunUntilIdle();
1014 ASSERT_EQ(1, pairing_random_count());
1015 ASSERT_EQ(GenerateScConfirmValue(
1016 peer_key, pairing_random(), Role::kResponder, false),
1017 pairing_confirm());
1018 if (mitm_flag != 0) {
1019 ASSERT_TRUE(display_val.has_value());
1020 uint32_t kExpectedDisplayVal =
1021 *util::G2(peer_key.GetPublicKeyX(),
1022 public_ecdh_key()->GetPublicKeyX(),
1023 peer_rand,
1024 pairing_random()) %
1025 1000000;
1026
1027 EXPECT_EQ(kExpectedDisplayVal, display_val);
1028 }
1029
1030 util::F5Results f5 = *util::F5(peer_key.CalculateDhKey(*public_ecdh_key()),
1031 peer_rand,
1032 pairing_random(),
1033 kPeerAddr,
1034 kLocalAddr);
1035
1036 UInt128 r_array{0};
1037 PacketReader reader(&local_pairing_cmd());
1038 PairingResponseParams pres = reader.payload<PairingResponseParams>();
1039 UInt128 dhkey_check_a = *util::F6(f5.mac_key,
1040 peer_rand,
1041 pairing_random(),
1042 r_array,
1043 preq.auth_req,
1044 preq.oob_data_flag,
1045 preq.io_capability,
1046 kPeerAddr,
1047 kLocalAddr);
1048 UInt128 dhkey_check_b = *util::F6(f5.mac_key,
1049 pairing_random(),
1050 peer_rand,
1051 r_array,
1052 pres.auth_req,
1053 pres.oob_data_flag,
1054 pres.io_capability,
1055 kLocalAddr,
1056 kPeerAddr);
1057 ReceivePairingDHKeyCheck(dhkey_check_a);
1058 RunUntilIdle();
1059 EXPECT_EQ(1, pairing_dhkey_check_count());
1060 ASSERT_EQ(dhkey_check_b, pairing_dhkey_check());
1061 EXPECT_EQ(0, pairing_failed_count());
1062 EXPECT_EQ(0, pairing_complete_count());
1063
1064 ASSERT_TRUE(out_ltk);
1065 *out_ltk = f5.ltk;
1066 }
1067
1068 private:
1069 BT_DISALLOW_COPY_AND_ASSIGN_ALLOW_MOVE(ResponderPairingTest);
1070 };
1071
1072 // Calling `Abort` with no in-progress security upgrade should not cause a
1073 // PairingComplete event.
TEST_F(InitiatorPairingTest,AbortNoSecurityUpgradeInProgress)1074 TEST_F(InitiatorPairingTest, AbortNoSecurityUpgradeInProgress) {
1075 pairing()->Abort();
1076 RunUntilIdle();
1077 EXPECT_EQ(0, pairing_complete_count());
1078 }
1079
1080 // Disconnecting with no in-progress security upgrade should not cause a
1081 // PairingComplete event.
TEST_F(InitiatorPairingTest,DisconnectNoSecurityUpgradeInProgress)1082 TEST_F(InitiatorPairingTest, DisconnectNoSecurityUpgradeInProgress) {
1083 fake_chan()->Close();
1084 RunUntilIdle();
1085 EXPECT_EQ(0, pairing_complete_count());
1086 }
1087
1088 // Requesting pairing at the current security level should succeed immediately.
TEST_F(InitiatorPairingTest,UpgradeSecurityCurrentLevel)1089 TEST_F(InitiatorPairingTest, UpgradeSecurityCurrentLevel) {
1090 UpgradeSecurity(SecurityLevel::kNoSecurity);
1091 RunUntilIdle();
1092
1093 // No pairing requests should have been made.
1094 EXPECT_EQ(0, pairing_request_count());
1095 EXPECT_EQ(0, pairing_complete_count());
1096
1097 // Pairing should succeed.
1098 EXPECT_EQ(1, security_callback_count());
1099 EXPECT_EQ(fit::ok(), security_status());
1100 EXPECT_EQ(SecurityLevel::kNoSecurity, sec_props().level());
1101 EXPECT_EQ(0u, sec_props().enc_key_size());
1102 EXPECT_FALSE(sec_props().secure_connections());
1103 }
1104
1105 // Peer aborts during Phase 1.
TEST_F(InitiatorPairingTest,PairingFailedInPhase1)1106 TEST_F(InitiatorPairingTest, PairingFailedInPhase1) {
1107 UpgradeSecurity(SecurityLevel::kEncrypted);
1108 RunUntilIdle();
1109
1110 // Pairing not complete yet but we should be in Phase 1.
1111 EXPECT_EQ(0, security_callback_count());
1112 EXPECT_EQ(1, pairing_request_count());
1113
1114 ReceivePairingFailed(ErrorCode::kPairingNotSupported);
1115 RunUntilIdle();
1116
1117 EXPECT_EQ(1, security_callback_count());
1118 EXPECT_EQ(1, pairing_request_count());
1119 EXPECT_EQ(ToResult(ErrorCode::kPairingNotSupported), security_status());
1120
1121 EXPECT_EQ(1, pairing_complete_count());
1122 EXPECT_EQ(security_status(), pairing_complete_status());
1123 }
1124
1125 // Local aborts during Phase 1.
TEST_F(InitiatorPairingTest,PairingAbortedInPhase1)1126 TEST_F(InitiatorPairingTest, PairingAbortedInPhase1) {
1127 UpgradeSecurity(SecurityLevel::kEncrypted);
1128 RunUntilIdle();
1129
1130 // Pairing not complete yet but we should be in Phase 1.
1131 EXPECT_EQ(0, security_callback_count());
1132 EXPECT_EQ(1, pairing_request_count());
1133
1134 pairing()->Abort();
1135 RunUntilIdle();
1136
1137 EXPECT_EQ(1, security_callback_count());
1138 EXPECT_EQ(1, pairing_request_count());
1139 EXPECT_EQ(ToResult(ErrorCode::kUnspecifiedReason), security_status());
1140
1141 EXPECT_EQ(1, pairing_complete_count());
1142 EXPECT_EQ(security_status(), pairing_complete_status());
1143 }
1144
1145 // Local resets I/O capabilities while pairing. This should abort any ongoing
1146 // pairing and the new I/O capabilities should be used in following pairing
1147 // requests.
TEST_F(InitiatorPairingTest,SecurityManagerResetDuringPairing)1148 TEST_F(InitiatorPairingTest, SecurityManagerResetDuringPairing) {
1149 UpgradeSecurity(SecurityLevel::kEncrypted);
1150 RunUntilIdle();
1151
1152 // Pairing not complete yet but we should be in Phase 1.
1153 EXPECT_EQ(0, security_callback_count());
1154 EXPECT_EQ(1, pairing_request_count());
1155
1156 pairing()->Reset(IOCapability::kNoInputNoOutput);
1157 RunUntilIdle();
1158
1159 EXPECT_EQ(1, security_callback_count());
1160 EXPECT_EQ(1, pairing_request_count());
1161 EXPECT_EQ(ToResult(ErrorCode::kUnspecifiedReason), security_status());
1162
1163 EXPECT_EQ(1, pairing_complete_count());
1164 EXPECT_EQ(security_status(), pairing_complete_status());
1165
1166 UpgradeSecurity(SecurityLevel::kEncrypted);
1167 RunUntilIdle();
1168
1169 // Should have sent a new pairing request.
1170 EXPECT_EQ(2, pairing_request_count());
1171
1172 // Make sure that the new request has the new I/O capabilities.
1173 const auto& params = local_pairing_cmd().view(1).To<PairingRequestParams>();
1174 EXPECT_EQ(IOCapability::kNoInputNoOutput, params.io_capability);
1175 }
1176
TEST_F(InitiatorPairingTest,ReceiveConfirmValueWhileNotPairing)1177 TEST_F(InitiatorPairingTest, ReceiveConfirmValueWhileNotPairing) {
1178 UInt128 confirm;
1179 ReceivePairingConfirm(confirm);
1180 RunUntilIdle();
1181
1182 // Nothing should happen.
1183 EXPECT_EQ(0, pairing_confirm_count());
1184 EXPECT_EQ(0, pairing_random_count());
1185 EXPECT_EQ(0, pairing_failed_count());
1186 EXPECT_EQ(0, security_callback_count());
1187 }
1188
TEST_F(InitiatorPairingTest,ReceiveConfirmValueInPhase1)1189 TEST_F(InitiatorPairingTest, ReceiveConfirmValueInPhase1) {
1190 UpgradeSecurity(SecurityLevel::kEncrypted);
1191 RunUntilIdle();
1192
1193 UInt128 confirm;
1194 ReceivePairingConfirm(confirm);
1195 RunUntilIdle();
1196
1197 EXPECT_EQ(0, pairing_confirm_count());
1198 EXPECT_EQ(0, pairing_random_count());
1199 EXPECT_EQ(1, pairing_failed_count());
1200 EXPECT_EQ(1, security_callback_count());
1201 EXPECT_EQ(ToResult(ErrorCode::kUnspecifiedReason), security_status());
1202
1203 EXPECT_EQ(1, pairing_complete_count());
1204 EXPECT_EQ(security_status(), pairing_complete_status());
1205 }
1206
TEST_F(InitiatorPairingTest,RejectUnauthenticatedPairingInSecureConnectionsOnlyMode)1207 TEST_F(InitiatorPairingTest,
1208 RejectUnauthenticatedPairingInSecureConnectionsOnlyMode) {
1209 SetUpSecurityManager(IOCapability::kKeyboardDisplay);
1210 pairing()->set_security_mode(gap::LESecurityMode::SecureConnectionsOnly);
1211 // In SC Only mode, SM should translate this "encrypted" request into a MITM
1212 // requirement.
1213 UpgradeSecurity(SecurityLevel::kEncrypted);
1214 // The peer has NoInputNoOutput IOCapabilities, thus cannot perform
1215 // authenticated pairing.
1216 ReceivePairingFeatures(IOCapability::kNoInputNoOutput,
1217 AuthReq::kBondingFlag | AuthReq::kSC);
1218 RunUntilIdle();
1219
1220 EXPECT_EQ(1, pairing_failed_count());
1221 EXPECT_EQ(1, security_callback_count());
1222 EXPECT_EQ(ToResult(ErrorCode::kAuthenticationRequirements),
1223 security_status());
1224 EXPECT_EQ(1, pairing_complete_count());
1225 EXPECT_EQ(security_status(), pairing_complete_status());
1226 }
1227
TEST_F(InitiatorPairingTest,RejectUnauthenticatedEncryptionInSecureConnectionsOnlyMode)1228 TEST_F(InitiatorPairingTest,
1229 RejectUnauthenticatedEncryptionInSecureConnectionsOnlyMode) {
1230 pairing()->set_security_mode(gap::LESecurityMode::SecureConnectionsOnly);
1231 const LTK kUnauthenticatedLtk(SecurityProperties(/*encrypted=*/true,
1232 /*authenticated=*/false,
1233 /*secure_connections=*/true,
1234 kMaxEncryptionKeySize),
1235 hci_spec::LinkKey());
1236 pairing()->AssignLongTermKey(kUnauthenticatedLtk);
1237 RunUntilIdle();
1238 // After setting SC Only mode, assigning and encrypting with an
1239 // unauthenticated LTK should cause the channel to be disconnected with an
1240 // authentication failure.
1241 fake_link()->TriggerEncryptionChangeCallback(fit::ok(/*enabled=*/true));
1242 RunUntilIdle();
1243
1244 EXPECT_EQ(1, auth_failure_callback_count());
1245 EXPECT_EQ(ToResult(HostError::kInsufficientSecurity), auth_failure_status());
1246 EXPECT_TRUE(fake_chan()->link_error());
1247 }
1248
TEST_F(InitiatorPairingTest,AllowSecureAuthenticatedPairingInSecureConnectionsOnlyMode)1249 TEST_F(InitiatorPairingTest,
1250 AllowSecureAuthenticatedPairingInSecureConnectionsOnlyMode) {
1251 SetUpSecurityManager(IOCapability::kDisplayYesNo);
1252 pairing()->set_security_mode(gap::LESecurityMode::SecureConnectionsOnly);
1253 UInt128 enc_key;
1254 FastForwardToPhase3(&enc_key,
1255 /*secure_connections=*/true,
1256 SecurityLevel::kSecureAuthenticated);
1257 RunUntilIdle();
1258 // After setting SC Only mode, secure authenticated pairing should still
1259 // complete successfully.
1260 EXPECT_EQ(1, pairing_data_callback_count());
1261 EXPECT_TRUE(peer_ltk().has_value());
1262 EXPECT_EQ(0, pairing_failed_count());
1263 EXPECT_EQ(1, security_callback_count());
1264 EXPECT_EQ(1, pairing_complete_count());
1265 EXPECT_EQ(fit::ok(), security_status());
1266 EXPECT_EQ(security_status(), pairing_complete_status());
1267
1268 EXPECT_EQ(SecurityLevel::kSecureAuthenticated, sec_props().level());
1269 }
1270
1271 // In Phase 2 but still waiting to receive TK.
TEST_F(InitiatorPairingTest,ReceiveConfirmValueWhileWaitingForUserInput)1272 TEST_F(InitiatorPairingTest, ReceiveConfirmValueWhileWaitingForUserInput) {
1273 bool tk_requested = false;
1274 set_confirm_delegate([&](ConfirmCallback) { tk_requested = true; });
1275
1276 UpgradeSecurity(SecurityLevel::kEncrypted);
1277 ReceivePairingFeatures();
1278 RunUntilIdle();
1279 EXPECT_TRUE(tk_requested);
1280
1281 UInt128 confirm;
1282 ReceivePairingConfirm(confirm);
1283 RunUntilIdle();
1284
1285 EXPECT_EQ(0, pairing_confirm_count());
1286 EXPECT_EQ(0, pairing_random_count());
1287 EXPECT_EQ(1, pairing_failed_count());
1288 EXPECT_EQ(1, security_callback_count());
1289 EXPECT_EQ(ToResult(ErrorCode::kUnspecifiedReason), security_status());
1290
1291 EXPECT_EQ(1, pairing_complete_count());
1292 EXPECT_EQ(security_status(), pairing_complete_status());
1293 }
1294
1295 // SecurityManager destroyed when waiting for Just Works user confirmation.
TEST_F(InitiatorPairingTest,SecurityManagerDestroyedStateWhileWaitingForUserInput)1296 TEST_F(InitiatorPairingTest,
1297 SecurityManagerDestroyedStateWhileWaitingForUserInput) {
1298 ConfirmCallback respond;
1299 set_confirm_delegate([&](ConfirmCallback rsp) { respond = std::move(rsp); });
1300
1301 UpgradeSecurity(SecurityLevel::kEncrypted);
1302 ReceivePairingFeatures();
1303 RunUntilIdle();
1304 EXPECT_TRUE(respond);
1305
1306 DestroySecurityManager();
1307
1308 // This should proceed safely.
1309 respond(true);
1310 RunUntilIdle();
1311 }
1312
1313 // Pairing no longer in progress when waiting for Just Works user confirmation.
TEST_F(InitiatorPairingTest,PairingAbortedWhileWaitingForUserInput)1314 TEST_F(InitiatorPairingTest, PairingAbortedWhileWaitingForUserInput) {
1315 ConfirmCallback respond;
1316 set_confirm_delegate([&](ConfirmCallback rsp) { respond = std::move(rsp); });
1317
1318 UpgradeSecurity(SecurityLevel::kEncrypted);
1319 ReceivePairingFeatures();
1320 RunUntilIdle();
1321 EXPECT_TRUE(respond);
1322
1323 ReceivePairingFailed(ErrorCode::kPairingNotSupported);
1324 RunUntilIdle();
1325 EXPECT_EQ(1, security_callback_count());
1326 EXPECT_EQ(ToResult(ErrorCode::kPairingNotSupported), security_status());
1327
1328 EXPECT_EQ(1, pairing_complete_count());
1329 EXPECT_EQ(security_status(), pairing_complete_status());
1330
1331 // This should have no effect.
1332 respond(true);
1333 RunUntilIdle();
1334 EXPECT_EQ(1, pairing_request_count());
1335 EXPECT_EQ(0, pairing_response_count());
1336 EXPECT_EQ(0, pairing_confirm_count());
1337 EXPECT_EQ(0, pairing_random_count());
1338 EXPECT_EQ(0, pairing_failed_count());
1339 EXPECT_EQ(1, security_callback_count());
1340 EXPECT_EQ(1, pairing_complete_count());
1341 EXPECT_EQ(0, pairing_data_callback_count());
1342 }
1343
1344 // Pairing procedure stopped and restarted when TKResponse runs. The TKResponse
1345 // does not belong to the current pairing.
TEST_F(InitiatorPairingTest,PairingRestartedWhileWaitingForTK)1346 TEST_F(InitiatorPairingTest, PairingRestartedWhileWaitingForTK) {
1347 ConfirmCallback respond;
1348 set_confirm_delegate([&](ConfirmCallback rsp) { respond = std::move(rsp); });
1349
1350 UpgradeSecurity(SecurityLevel::kEncrypted);
1351 ReceivePairingFeatures();
1352 RunUntilIdle();
1353 EXPECT_TRUE(respond);
1354
1355 // Stop pairing.
1356 ReceivePairingFailed(ErrorCode::kPairingNotSupported);
1357 RunUntilIdle();
1358 EXPECT_EQ(1, security_callback_count());
1359 EXPECT_EQ(ToResult(ErrorCode::kPairingNotSupported), security_status());
1360
1361 EXPECT_EQ(1, pairing_complete_count());
1362 EXPECT_EQ(security_status(), pairing_complete_status());
1363
1364 // Reset the delegate so that |respond| doesn't get overwritten by the second
1365 // pairing.
1366 set_confirm_delegate(nullptr);
1367
1368 UpgradeSecurity(SecurityLevel::kEncrypted);
1369 ReceivePairingFeatures();
1370 RunUntilIdle();
1371 EXPECT_EQ(2, pairing_request_count());
1372 EXPECT_EQ(0, pairing_response_count());
1373 EXPECT_EQ(1, pairing_confirm_count());
1374 EXPECT_EQ(0, pairing_random_count());
1375 EXPECT_EQ(0, pairing_failed_count());
1376 EXPECT_EQ(1, security_callback_count());
1377 EXPECT_EQ(0, pairing_data_callback_count());
1378
1379 // This should have no effect.
1380 respond(true);
1381 RunUntilIdle();
1382 EXPECT_EQ(2, pairing_request_count());
1383 EXPECT_EQ(0, pairing_response_count());
1384 EXPECT_EQ(1, pairing_confirm_count());
1385 EXPECT_EQ(0, pairing_random_count());
1386 EXPECT_EQ(0, pairing_failed_count());
1387 EXPECT_EQ(1, security_callback_count());
1388 EXPECT_EQ(1, pairing_complete_count());
1389 EXPECT_EQ(0, pairing_data_callback_count());
1390 }
1391
TEST_F(InitiatorPairingTest,ReceiveRandomValueWhileNotPairing)1392 TEST_F(InitiatorPairingTest, ReceiveRandomValueWhileNotPairing) {
1393 UInt128 random;
1394 ReceivePairingRandom(random);
1395 RunUntilIdle();
1396
1397 // Nothing should happen.
1398 EXPECT_EQ(0, pairing_confirm_count());
1399 EXPECT_EQ(0, pairing_random_count());
1400 EXPECT_EQ(0, pairing_failed_count());
1401 EXPECT_EQ(0, security_callback_count());
1402 }
1403
TEST_F(InitiatorPairingTest,ReceiveRandomValueInPhase1)1404 TEST_F(InitiatorPairingTest, ReceiveRandomValueInPhase1) {
1405 UpgradeSecurity(SecurityLevel::kEncrypted);
1406 RunUntilIdle();
1407
1408 UInt128 random;
1409 ReceivePairingRandom(random);
1410 RunUntilIdle();
1411
1412 EXPECT_EQ(0, pairing_confirm_count());
1413 EXPECT_EQ(0, pairing_random_count());
1414 EXPECT_EQ(1, pairing_failed_count());
1415 EXPECT_EQ(1, security_callback_count());
1416 EXPECT_EQ(ToResult(ErrorCode::kUnspecifiedReason), security_status());
1417
1418 EXPECT_EQ(1, pairing_complete_count());
1419 EXPECT_EQ(security_status(), pairing_complete_status());
1420 }
1421
1422 // In Phase 2 but still waiting to receive TK.
TEST_F(InitiatorPairingTest,ReceiveRandomValueWhileWaitingForTK)1423 TEST_F(InitiatorPairingTest, ReceiveRandomValueWhileWaitingForTK) {
1424 bool confirmation_requested = false;
1425 set_confirm_delegate([&](ConfirmCallback) { confirmation_requested = true; });
1426
1427 UpgradeSecurity(SecurityLevel::kEncrypted);
1428 ReceivePairingFeatures();
1429 RunUntilIdle();
1430 EXPECT_TRUE(confirmation_requested);
1431
1432 UInt128 random;
1433 ReceivePairingRandom(random);
1434 RunUntilIdle();
1435
1436 EXPECT_EQ(0, pairing_confirm_count());
1437 EXPECT_EQ(0, pairing_random_count());
1438 EXPECT_EQ(1, pairing_failed_count());
1439 EXPECT_EQ(1, security_callback_count());
1440 EXPECT_EQ(ToResult(ErrorCode::kUnspecifiedReason), security_status());
1441
1442 EXPECT_EQ(1, pairing_complete_count());
1443 EXPECT_EQ(security_status(), pairing_complete_status());
1444 }
1445
TEST_F(InitiatorPairingTest,LegacyPhase2SconfirmValueReceivedTwice)1446 TEST_F(InitiatorPairingTest, LegacyPhase2SconfirmValueReceivedTwice) {
1447 UpgradeSecurity(SecurityLevel::kEncrypted);
1448 RunUntilIdle();
1449
1450 ReceivePairingFeatures();
1451 RunUntilIdle();
1452
1453 // Should have received Mconfirm.
1454 EXPECT_EQ(1, pairing_confirm_count());
1455 EXPECT_EQ(0, pairing_random_count());
1456 EXPECT_EQ(0, security_callback_count());
1457
1458 UInt128 confirm;
1459 ReceivePairingConfirm(confirm);
1460 RunUntilIdle();
1461
1462 // Should have received Mrand.
1463 EXPECT_EQ(1, pairing_confirm_count());
1464 EXPECT_EQ(1, pairing_random_count());
1465 EXPECT_EQ(0, security_callback_count());
1466
1467 // Send Mconfirm again
1468 ReceivePairingConfirm(confirm);
1469 RunUntilIdle();
1470
1471 EXPECT_EQ(1, pairing_confirm_count());
1472 EXPECT_EQ(1, pairing_random_count());
1473 EXPECT_EQ(1, pairing_failed_count());
1474 EXPECT_EQ(1, security_callback_count());
1475 EXPECT_EQ(ToResult(ErrorCode::kUnspecifiedReason), security_status());
1476
1477 EXPECT_EQ(1, pairing_complete_count());
1478 EXPECT_EQ(security_status(), pairing_complete_status());
1479 }
1480
TEST_F(InitiatorPairingTest,LegacyPhase2ReceiveRandomValueInWrongOrder)1481 TEST_F(InitiatorPairingTest, LegacyPhase2ReceiveRandomValueInWrongOrder) {
1482 UpgradeSecurity(SecurityLevel::kEncrypted);
1483 RunUntilIdle();
1484
1485 ReceivePairingFeatures();
1486 RunUntilIdle();
1487
1488 // Should have received Mconfirm.
1489 EXPECT_EQ(1, pairing_confirm_count());
1490 EXPECT_EQ(0, pairing_random_count());
1491 EXPECT_EQ(0, security_callback_count());
1492
1493 UInt128 random;
1494 ReceivePairingRandom(random);
1495 RunUntilIdle();
1496
1497 // Should have aborted pairing if Srand arrives before Srand.
1498 EXPECT_EQ(1, pairing_confirm_count());
1499 EXPECT_EQ(0, pairing_random_count());
1500 EXPECT_EQ(1, pairing_failed_count());
1501 EXPECT_EQ(1, security_callback_count());
1502 EXPECT_EQ(ToResult(ErrorCode::kUnspecifiedReason), security_status());
1503
1504 EXPECT_EQ(1, pairing_complete_count());
1505 EXPECT_EQ(security_status(), pairing_complete_status());
1506 }
1507
TEST_F(InitiatorPairingTest,LegacyPhase2SconfirmValueInvalid)1508 TEST_F(InitiatorPairingTest, LegacyPhase2SconfirmValueInvalid) {
1509 UpgradeSecurity(SecurityLevel::kEncrypted);
1510 RunUntilIdle();
1511
1512 // Pick I/O capabilities and MITM flags that will result in Just Works
1513 // pairing.
1514 ReceivePairingFeatures();
1515 RunUntilIdle();
1516
1517 // Should have received Mconfirm.
1518 EXPECT_EQ(1, pairing_confirm_count());
1519 EXPECT_EQ(0, pairing_random_count());
1520 EXPECT_EQ(0, security_callback_count());
1521
1522 // Receive Sconfirm and Srand values that don't match.
1523 UInt128 confirm, random;
1524 confirm.fill(0);
1525 random.fill(1);
1526
1527 ReceivePairingConfirm(confirm);
1528 RunUntilIdle();
1529
1530 // Should have received Mrand.
1531 EXPECT_EQ(1, pairing_confirm_count());
1532 EXPECT_EQ(1, pairing_random_count());
1533 EXPECT_EQ(0, security_callback_count());
1534
1535 // Our Mconfirm/Mrand should be correct.
1536 UInt128 expected_confirm;
1537 GenerateLegacyConfirmValue(pairing_random(), &expected_confirm);
1538 EXPECT_EQ(expected_confirm, pairing_confirm());
1539
1540 // Send the non-matching Srandom.
1541 ReceivePairingRandom(random);
1542 RunUntilIdle();
1543
1544 EXPECT_EQ(1, pairing_confirm_count());
1545 EXPECT_EQ(1, pairing_random_count());
1546 EXPECT_EQ(1, pairing_failed_count());
1547 EXPECT_EQ(1, security_callback_count());
1548 EXPECT_EQ(ToResult(ErrorCode::kConfirmValueFailed), security_status());
1549
1550 EXPECT_EQ(1, pairing_complete_count());
1551 EXPECT_EQ(security_status(), pairing_complete_status());
1552 }
1553
TEST_F(InitiatorPairingTest,LegacyPhase2RandomValueReceivedTwice)1554 TEST_F(InitiatorPairingTest, LegacyPhase2RandomValueReceivedTwice) {
1555 UpgradeSecurity(SecurityLevel::kEncrypted);
1556 RunUntilIdle();
1557
1558 // Pick I/O capabilities and MITM flags that will result in Just Works
1559 // pairing.
1560 ReceivePairingFeatures();
1561 RunUntilIdle();
1562
1563 // Should have received Mconfirm.
1564 EXPECT_EQ(1, pairing_confirm_count());
1565 EXPECT_EQ(0, pairing_random_count());
1566 EXPECT_EQ(0, security_callback_count());
1567
1568 // Receive Sconfirm and Srand values that match.
1569 UInt128 confirm, random;
1570 GenerateMatchingLegacyConfirmAndRandom(&confirm, &random);
1571
1572 ReceivePairingConfirm(confirm);
1573 RunUntilIdle();
1574
1575 // Should have received Mrand.
1576 EXPECT_EQ(1, pairing_confirm_count());
1577 EXPECT_EQ(1, pairing_random_count());
1578 EXPECT_EQ(0, security_callback_count());
1579
1580 // Our Mconfirm/Mrand should be correct.
1581 UInt128 expected_confirm;
1582 GenerateLegacyConfirmValue(pairing_random(), &expected_confirm);
1583 EXPECT_EQ(expected_confirm, pairing_confirm());
1584
1585 // Send Srandom.
1586 ReceivePairingRandom(random);
1587 RunUntilIdle();
1588
1589 EXPECT_EQ(1, pairing_confirm_count());
1590 EXPECT_EQ(1, pairing_random_count());
1591 EXPECT_EQ(0, pairing_failed_count());
1592 EXPECT_EQ(0, security_callback_count());
1593
1594 // Send Srandom again.
1595 ReceivePairingRandom(random);
1596 RunUntilIdle();
1597
1598 EXPECT_EQ(1, pairing_confirm_count());
1599 EXPECT_EQ(1, pairing_random_count());
1600 EXPECT_EQ(1, pairing_failed_count());
1601 EXPECT_EQ(1, security_callback_count());
1602 EXPECT_EQ(ToResult(ErrorCode::kUnspecifiedReason), security_status());
1603
1604 EXPECT_EQ(1, pairing_complete_count());
1605 EXPECT_EQ(security_status(), pairing_complete_status());
1606 }
1607
TEST_F(InitiatorPairingTest,LegacyPhase2ConfirmValuesExchanged)1608 TEST_F(InitiatorPairingTest, LegacyPhase2ConfirmValuesExchanged) {
1609 UpgradeSecurity(SecurityLevel::kEncrypted);
1610 RunUntilIdle();
1611
1612 // Pick I/O capabilities and MITM flags that will result in Just Works
1613 // pairing.
1614 ReceivePairingFeatures();
1615 RunUntilIdle();
1616
1617 // Should have received Mconfirm.
1618 EXPECT_EQ(1, pairing_confirm_count());
1619 EXPECT_EQ(0, pairing_random_count());
1620 EXPECT_EQ(0, security_callback_count());
1621
1622 // Receive Sconfirm and Srand values that match.
1623 UInt128 confirm, random;
1624 GenerateMatchingLegacyConfirmAndRandom(&confirm, &random);
1625
1626 ReceivePairingConfirm(confirm);
1627 RunUntilIdle();
1628
1629 // Should have received Mrand.
1630 EXPECT_EQ(1, pairing_confirm_count());
1631 EXPECT_EQ(1, pairing_random_count());
1632 EXPECT_EQ(0, security_callback_count());
1633
1634 // Our Mconfirm/Mrand should be correct.
1635 UInt128 expected_confirm;
1636 GenerateLegacyConfirmValue(pairing_random(), &expected_confirm);
1637 EXPECT_EQ(expected_confirm, pairing_confirm());
1638
1639 // Send Srandom.
1640 ReceivePairingRandom(random);
1641 RunUntilIdle();
1642
1643 EXPECT_EQ(1, pairing_confirm_count());
1644 EXPECT_EQ(1, pairing_random_count());
1645 EXPECT_EQ(0, pairing_failed_count());
1646 EXPECT_EQ(0, security_callback_count());
1647 }
1648
1649 // TK delegate rejects pairing. When pairing method is "PasskeyEntryInput", this
1650 // should result in a "Passkey Entry Failed" error.
TEST_F(InitiatorPairingTest,LegacyPhase2TKDelegateRejectsPasskeyInput)1651 TEST_F(InitiatorPairingTest, LegacyPhase2TKDelegateRejectsPasskeyInput) {
1652 SetUpSecurityManager(IOCapability::kKeyboardOnly);
1653
1654 bool tk_requested = false;
1655 PasskeyResponseCallback respond;
1656 set_request_passkey_delegate([&](PasskeyResponseCallback cb_rsp) {
1657 tk_requested = true;
1658 respond = std::move(cb_rsp);
1659 });
1660
1661 UpgradeSecurity(SecurityLevel::kEncrypted);
1662 RunUntilIdle();
1663
1664 // Pick I/O capabilities and MITM flags that will result in Passkey Entry
1665 // pairing.
1666 ReceivePairingFeatures(IOCapability::kDisplayOnly, AuthReq::kMITM);
1667 RunUntilIdle();
1668 ASSERT_TRUE(tk_requested);
1669
1670 // Reject pairing.
1671 respond(-1);
1672 RunUntilIdle();
1673
1674 EXPECT_EQ(0, pairing_confirm_count());
1675 EXPECT_EQ(0, pairing_random_count());
1676 EXPECT_EQ(1, pairing_failed_count());
1677 EXPECT_EQ(1, security_callback_count());
1678 EXPECT_EQ(ToResult(ErrorCode::kPasskeyEntryFailed), security_status());
1679 }
1680
1681 // TK delegate rejects pairing.
TEST_F(InitiatorPairingTest,LegacyPhase2TKDelegateRejectsPairing)1682 TEST_F(InitiatorPairingTest, LegacyPhase2TKDelegateRejectsPairing) {
1683 bool tk_requested = false;
1684 ConfirmCallback respond;
1685 set_confirm_delegate([&](ConfirmCallback cb_rsp) {
1686 tk_requested = true;
1687 respond = std::move(cb_rsp);
1688 });
1689
1690 UpgradeSecurity(SecurityLevel::kEncrypted);
1691 RunUntilIdle();
1692
1693 ReceivePairingFeatures();
1694 RunUntilIdle();
1695 ASSERT_TRUE(tk_requested);
1696
1697 // Reject pairing.
1698 respond(false);
1699 RunUntilIdle();
1700
1701 EXPECT_EQ(0, pairing_confirm_count());
1702 EXPECT_EQ(0, pairing_random_count());
1703 EXPECT_EQ(1, pairing_failed_count());
1704 EXPECT_EQ(1, security_callback_count());
1705 EXPECT_EQ(ToResult(ErrorCode::kUnspecifiedReason), security_status());
1706 }
1707
TEST_F(InitiatorPairingTest,IgnoresExpiredConfirmRequestCallback)1708 TEST_F(InitiatorPairingTest, IgnoresExpiredConfirmRequestCallback) {
1709 ConfirmCallback respond = nullptr;
1710 set_confirm_delegate([&](ConfirmCallback rsp) { respond = std::move(rsp); });
1711
1712 UpgradeSecurity(SecurityLevel::kEncrypted);
1713 RunUntilIdle();
1714
1715 ReceivePairingFeatures();
1716 RunUntilIdle();
1717 ASSERT_TRUE(respond);
1718 ConfirmCallback first_pairing_cb = std::move(respond);
1719 pairing()->Abort();
1720 RunUntilIdle();
1721 EXPECT_EQ(1, pairing_failed_count());
1722
1723 // We reset the respond variable so we can "catch" the next PairingDelegate
1724 // request in the same variable (the `set_confirm_delegate` callback still has
1725 // the reference to `respond`)
1726 respond = nullptr;
1727
1728 // Start a separate pairing from the one captured in `first_pairing_cb`, which
1729 // was `Abort`ed
1730 UpgradeSecurity(SecurityLevel::kEncrypted);
1731 RunUntilIdle();
1732
1733 ReceivePairingFeatures();
1734 RunUntilIdle();
1735 first_pairing_cb(true);
1736 RunUntilIdle();
1737 // The callback from the `Abort`ed pairing should be ignored, while calling
1738 // `respond`, which is associated with the active pairing, should cause the
1739 // expected Pairing Confirm to be sent.
1740 EXPECT_EQ(0, pairing_confirm_count());
1741 ASSERT_TRUE(respond);
1742 respond(true);
1743 RunUntilIdle();
1744 EXPECT_EQ(1, pairing_confirm_count());
1745 }
1746
TEST_F(InitiatorPairingTest,IgnoresExpiredDisplayRequestCallback)1747 TEST_F(InitiatorPairingTest, IgnoresExpiredDisplayRequestCallback) {
1748 SetUpSecurityManager(IOCapability::kDisplayOnly);
1749 ConfirmCallback respond = nullptr;
1750 set_display_delegate(
1751 [&](uint32_t /**/, Delegate::DisplayMethod method, ConfirmCallback rsp) {
1752 ASSERT_EQ(Delegate::DisplayMethod::kPeerEntry, method);
1753 respond = std::move(rsp);
1754 });
1755
1756 // Must request MITM to test PasskeyEntryDisplay instead of JustWorks pairing
1757 UpgradeSecurity(SecurityLevel::kAuthenticated);
1758 RunUntilIdle();
1759
1760 ReceivePairingFeatures(IOCapability::kKeyboardOnly);
1761 RunUntilIdle();
1762 ASSERT_TRUE(respond);
1763 ConfirmCallback first_pairing_cb = std::move(respond);
1764 pairing()->Abort();
1765 RunUntilIdle();
1766 EXPECT_EQ(1, pairing_failed_count());
1767
1768 // We reset the respond variable so we can "catch" the next PairingDelegate
1769 // request in the same variable (the `set_display_delegate` callback still has
1770 // the reference to `respond`)
1771 respond = nullptr;
1772
1773 // Start a separate pairing from the one captured in `first_pairing_cb`, which
1774 // was `Abort`ed
1775 UpgradeSecurity(SecurityLevel::kAuthenticated);
1776 RunUntilIdle();
1777
1778 ReceivePairingFeatures(IOCapability::kKeyboardOnly);
1779 RunUntilIdle();
1780 first_pairing_cb(true);
1781 RunUntilIdle();
1782 // The callback from the `Abort`ed pairing should be ignored, while calling
1783 // `respond`, which is associated with the active pairing, should cause the
1784 // expected Pairing Confirm to be sent.
1785 EXPECT_EQ(0, pairing_confirm_count());
1786 ASSERT_TRUE(respond);
1787 respond(true);
1788 RunUntilIdle();
1789 EXPECT_EQ(1, pairing_confirm_count());
1790 }
1791
TEST_F(InitiatorPairingTest,IgnoresExpiredPasskeyEntryInputCallback)1792 TEST_F(InitiatorPairingTest, IgnoresExpiredPasskeyEntryInputCallback) {
1793 SetUpSecurityManager(IOCapability::kKeyboardOnly);
1794 PasskeyResponseCallback passkey_cb = nullptr;
1795 set_request_passkey_delegate(
1796 [&](PasskeyResponseCallback cb) { passkey_cb = std::move(cb); });
1797
1798 // Must request MITM to test PasskeyEntryInput instead of JustWorks pairing
1799 UpgradeSecurity(SecurityLevel::kAuthenticated);
1800 RunUntilIdle();
1801
1802 ReceivePairingFeatures(IOCapability::kDisplayOnly);
1803 RunUntilIdle();
1804 ASSERT_TRUE(passkey_cb);
1805 PasskeyResponseCallback first_pairing_cb = std::move(passkey_cb);
1806 pairing()->Abort();
1807 RunUntilIdle();
1808 EXPECT_EQ(1, pairing_failed_count());
1809
1810 // We reset the respond variable so we can "catch" the next PairingDelegate
1811 // request in the same variable (the `set_display_delegate` callback still has
1812 // the reference to `respond`)
1813 passkey_cb = nullptr;
1814
1815 // Start a separate pairing from the one captured in `first_pairing_cb`, which
1816 // was `Abort`ed
1817 UpgradeSecurity(SecurityLevel::kAuthenticated);
1818 RunUntilIdle();
1819
1820 ReceivePairingFeatures(IOCapability::kDisplayOnly);
1821 RunUntilIdle();
1822 const int32_t kGenericPositive6DigitNumber = 123456;
1823 first_pairing_cb(kGenericPositive6DigitNumber);
1824 RunUntilIdle();
1825 // The callback from the `Abort`ed pairing should be ignored, while calling
1826 // `respond`, which is associated with the active pairing, should cause the
1827 // expected Pairing Confirm to be sent.
1828 EXPECT_EQ(0, pairing_confirm_count());
1829 ASSERT_TRUE(passkey_cb);
1830 passkey_cb(kGenericPositive6DigitNumber);
1831 RunUntilIdle();
1832 EXPECT_EQ(1, pairing_confirm_count());
1833 }
1834
1835 // The TK delegate is called with the correct pairing method and the TK is
1836 // factored into the confirm value generation.
TEST_F(InitiatorPairingTest,LegacyPhase2ConfirmValuesExchangedWithUserTK)1837 TEST_F(InitiatorPairingTest, LegacyPhase2ConfirmValuesExchangedWithUserTK) {
1838 std::optional<uint32_t> tk = std::nullopt;
1839 auto method = Delegate::DisplayMethod::kComparison;
1840 ConfirmCallback respond;
1841 set_display_delegate([&](uint32_t passkey,
1842 Delegate::DisplayMethod cb_method,
1843 ConfirmCallback cb_rsp) {
1844 tk = passkey;
1845 method = cb_method;
1846 respond = std::move(cb_rsp);
1847 });
1848
1849 UpgradeSecurity(SecurityLevel::kEncrypted);
1850 RunUntilIdle();
1851
1852 // Pick I/O capabilities and MITM flags that will result in Passkey Entry
1853 // pairing.
1854 ReceivePairingFeatures(IOCapability::kKeyboardOnly, AuthReq::kMITM);
1855 RunUntilIdle();
1856 ASSERT_TRUE(tk.has_value());
1857
1858 // DisplayMethod should be kPeerEntry, as Comparison is only for Secure
1859 // Connections, not Legacy.
1860 ASSERT_EQ(Delegate::DisplayMethod::kPeerEntry, method);
1861
1862 // Notify that TK was displayed.
1863 respond(true);
1864 RunUntilIdle();
1865
1866 // Should have received Mconfirm.
1867 EXPECT_EQ(1, pairing_confirm_count());
1868 EXPECT_EQ(0, pairing_random_count());
1869 EXPECT_EQ(0, security_callback_count());
1870
1871 // Receive Sconfirm and Srand values that match.
1872 UInt128 confirm, random;
1873 GenerateMatchingLegacyConfirmAndRandom(&confirm, &random, *tk);
1874
1875 ReceivePairingConfirm(confirm);
1876 RunUntilIdle();
1877
1878 // Should have received Mrand.
1879 EXPECT_EQ(1, pairing_confirm_count());
1880 EXPECT_EQ(1, pairing_random_count());
1881 EXPECT_EQ(0, security_callback_count());
1882
1883 // Our Mconfirm/Mrand should be correct.
1884 UInt128 expected_confirm;
1885 GenerateLegacyConfirmValue(
1886 pairing_random(), &expected_confirm, /*peer_initiator=*/false, *tk);
1887 EXPECT_EQ(expected_confirm, pairing_confirm());
1888
1889 // Send Srandom.
1890 ReceivePairingRandom(random);
1891 RunUntilIdle();
1892
1893 EXPECT_EQ(1, pairing_confirm_count());
1894 EXPECT_EQ(1, pairing_random_count());
1895 EXPECT_EQ(0, pairing_failed_count());
1896 EXPECT_EQ(0, security_callback_count());
1897 }
1898
1899 // Peer aborts during Phase 2.
TEST_F(InitiatorPairingTest,PairingFailedInPhase2)1900 TEST_F(InitiatorPairingTest, PairingFailedInPhase2) {
1901 UpgradeSecurity(SecurityLevel::kEncrypted);
1902 ReceivePairingFeatures();
1903 RunUntilIdle();
1904
1905 UInt128 confirm, random;
1906 GenerateMatchingLegacyConfirmAndRandom(&confirm, &random);
1907
1908 ReceivePairingConfirm(confirm);
1909 RunUntilIdle();
1910
1911 EXPECT_EQ(1, pairing_confirm_count());
1912 EXPECT_EQ(1, pairing_random_count());
1913 EXPECT_EQ(0, pairing_failed_count());
1914 EXPECT_EQ(0, security_callback_count());
1915
1916 ReceivePairingFailed(ErrorCode::kConfirmValueFailed);
1917 RunUntilIdle();
1918
1919 EXPECT_EQ(1, pairing_confirm_count());
1920 EXPECT_EQ(1, pairing_random_count());
1921 EXPECT_EQ(0, pairing_failed_count());
1922 EXPECT_EQ(1, security_callback_count());
1923 EXPECT_EQ(ToResult(ErrorCode::kConfirmValueFailed), security_status());
1924 }
1925
1926 // Encryption with STK fails.
TEST_F(InitiatorPairingTest,EncryptionWithSTKFails)1927 TEST_F(InitiatorPairingTest, EncryptionWithSTKFails) {
1928 UInt128 stk;
1929 FastForwardToSTK(&stk);
1930
1931 ASSERT_TRUE(fake_link()->ltk());
1932 EXPECT_EQ(stk, fake_link()->ltk()->value());
1933 EXPECT_EQ(0u, fake_link()->ltk()->ediv());
1934 EXPECT_EQ(0u, fake_link()->ltk()->rand());
1935
1936 // The host should have requested encryption.
1937 EXPECT_EQ(SecurityProperties(), pairing()->security());
1938 EXPECT_EQ(1, fake_link()->start_encryption_count());
1939
1940 fake_link()->TriggerEncryptionChangeCallback(
1941 ToResult(pw::bluetooth::emboss::StatusCode::PIN_OR_KEY_MISSING)
1942 .take_error());
1943 RunUntilIdle();
1944
1945 EXPECT_EQ(1, pairing_failed_count());
1946 EXPECT_EQ(1, security_callback_count());
1947 EXPECT_EQ(1, auth_failure_callback_count());
1948 EXPECT_EQ(ToResult(ErrorCode::kUnspecifiedReason), security_status());
1949 EXPECT_EQ(ErrorCode::kUnspecifiedReason, received_error_code());
1950 EXPECT_EQ(ToResult(pw::bluetooth::emboss::StatusCode::PIN_OR_KEY_MISSING),
1951 auth_failure_status());
1952
1953 // No security property update should have been sent since the security
1954 // properties have not changed.
1955 EXPECT_EQ(0, new_sec_props_count());
1956 EXPECT_EQ(SecurityProperties(), pairing()->security());
1957 }
1958
TEST_F(InitiatorPairingTest,EncryptionDisabledInPhase2)1959 TEST_F(InitiatorPairingTest, EncryptionDisabledInPhase2) {
1960 UInt128 stk;
1961 FastForwardToSTK(&stk);
1962
1963 ASSERT_TRUE(fake_link()->ltk());
1964 EXPECT_EQ(stk, fake_link()->ltk()->value());
1965 EXPECT_EQ(0u, fake_link()->ltk()->ediv());
1966 EXPECT_EQ(0u, fake_link()->ltk()->rand());
1967
1968 // The host should have requested encryption.
1969 EXPECT_EQ(1, fake_link()->start_encryption_count());
1970 EXPECT_EQ(SecurityProperties(), pairing()->security());
1971
1972 fake_link()->TriggerEncryptionChangeCallback(fit::ok(/*enabled=*/false));
1973 RunUntilIdle();
1974
1975 EXPECT_EQ(1, pairing_failed_count());
1976 EXPECT_EQ(1, security_callback_count());
1977 EXPECT_EQ(0, auth_failure_callback_count());
1978 EXPECT_EQ(ToResult(ErrorCode::kUnspecifiedReason), security_status());
1979 EXPECT_EQ(ErrorCode::kUnspecifiedReason, received_error_code());
1980
1981 // No security property update should have been sent since the security
1982 // properties have not changed.
1983 EXPECT_EQ(0, new_sec_props_count());
1984 EXPECT_EQ(SecurityProperties(), pairing()->security());
1985 }
1986
1987 // Tests that the STK is generated according to the max length provided
TEST_F(InitiatorPairingTest,StkLengthGeneration)1988 TEST_F(InitiatorPairingTest, StkLengthGeneration) {
1989 UInt128 stk;
1990 uint8_t max_key_size = 10;
1991 FastForwardToSTK(&stk, SecurityLevel::kEncrypted, 0, 0, max_key_size);
1992
1993 // At this stage, the stk is stored here
1994 ASSERT_TRUE(fake_link()->ltk());
1995
1996 // Ensure that most significant (16 - max_key_size) bytes are zero. The key
1997 // should be generated up to the max_key_size.
1998 for (auto i = max_key_size; i < fake_link()->ltk()->value().size(); i++) {
1999 EXPECT_TRUE(fake_link()->ltk()->value()[i] == 0);
2000 }
2001 }
2002
2003 // Tests that the pairing procedure ends after encryption with the STK if there
2004 // are no keys to distribute, and that no keys are notified for Legacy pairing
2005 // in this case.
TEST_F(InitiatorPairingTest,LegacyPhase3CompleteWithoutKeyExchange)2006 TEST_F(InitiatorPairingTest, LegacyPhase3CompleteWithoutKeyExchange) {
2007 UInt128 stk;
2008 FastForwardToSTK(&stk);
2009
2010 ASSERT_TRUE(fake_link()->ltk());
2011 EXPECT_EQ(stk, fake_link()->ltk()->value());
2012 EXPECT_EQ(0u, fake_link()->ltk()->ediv());
2013 EXPECT_EQ(0u, fake_link()->ltk()->rand());
2014
2015 // The host should have requested encryption.
2016 EXPECT_EQ(1, fake_link()->start_encryption_count());
2017
2018 fake_link()->TriggerEncryptionChangeCallback(fit::ok(/*enabled=*/true));
2019 RunUntilIdle();
2020
2021 // Pairing should succeed without any pairing data.
2022 EXPECT_EQ(1, pairing_data_callback_count());
2023 EXPECT_FALSE(peer_ltk());
2024 EXPECT_FALSE(irk());
2025 EXPECT_FALSE(identity());
2026 EXPECT_FALSE(csrk());
2027
2028 // Should have been called at least once to determine local identity
2029 // availability.
2030 EXPECT_NE(0, local_id_info_callback_count());
2031
2032 EXPECT_EQ(0, pairing_failed_count());
2033 EXPECT_EQ(1, security_callback_count());
2034 EXPECT_EQ(1, pairing_complete_count());
2035 EXPECT_EQ(0, id_info_count());
2036 EXPECT_EQ(0, id_addr_info_count());
2037 EXPECT_EQ(fit::ok(), security_status());
2038 EXPECT_EQ(security_status(), pairing_complete_status());
2039
2040 EXPECT_EQ(SecurityLevel::kEncrypted, sec_props().level());
2041 EXPECT_EQ(16u, sec_props().enc_key_size());
2042 EXPECT_FALSE(sec_props().secure_connections());
2043
2044 // The security properties should have been updated to match the STK.
2045 EXPECT_EQ(1, new_sec_props_count());
2046 EXPECT_EQ(sec_props(), pairing()->security());
2047
2048 ASSERT_TRUE(fake_link()->ltk());
2049 }
2050
2051 // Tests that for Secure Connections, the pairing procedure ends after
2052 // encryption with the LTK if there are no keys to distribute, and that the LTK
2053 // is notified.
TEST_F(InitiatorPairingTest,ScPhase3CompleteWithoutKeyExchange)2054 TEST_F(InitiatorPairingTest, ScPhase3CompleteWithoutKeyExchange) {
2055 UInt128 ltk_bytes;
2056 const SecurityProperties kExpectedSecurity(SecurityLevel::kEncrypted,
2057 kMaxEncryptionKeySize,
2058 /*secure_connections=*/true);
2059 FastForwardToPhase3(<k_bytes,
2060 /*secure_connections=*/true,
2061 kExpectedSecurity.level(),
2062 KeyDistGenField{0},
2063 KeyDistGenField{0});
2064
2065 const LTK kExpectedLtk(kExpectedSecurity, hci_spec::LinkKey(ltk_bytes, 0, 0));
2066 ASSERT_TRUE(fake_link()->ltk());
2067 EXPECT_EQ(kExpectedLtk.key(), fake_link()->ltk());
2068
2069 // Pairing should succeed with the LTK as the SC pairing is bondable, even
2070 // though no keys need to be distributed in Phase 3.
2071 EXPECT_EQ(1, pairing_data_callback_count());
2072 EXPECT_TRUE(peer_ltk().has_value());
2073 EXPECT_EQ(kExpectedLtk, peer_ltk());
2074 EXPECT_EQ(peer_ltk(), local_ltk());
2075 EXPECT_FALSE(irk());
2076 EXPECT_FALSE(identity());
2077 EXPECT_FALSE(csrk());
2078
2079 // Should have been called at least once to determine local identity
2080 // availability.
2081 EXPECT_NE(0, local_id_info_callback_count());
2082
2083 EXPECT_EQ(0, pairing_failed_count());
2084 EXPECT_EQ(1, security_callback_count());
2085 EXPECT_EQ(1, pairing_complete_count());
2086 EXPECT_EQ(0, id_info_count());
2087 EXPECT_EQ(0, id_addr_info_count());
2088 EXPECT_EQ(fit::ok(), security_status());
2089 EXPECT_EQ(security_status(), pairing_complete_status());
2090
2091 EXPECT_EQ(kExpectedSecurity, sec_props());
2092
2093 // The security properties should have been updated to match the LTK.
2094 EXPECT_EQ(1, new_sec_props_count());
2095 EXPECT_EQ(sec_props(), pairing()->security());
2096
2097 ASSERT_TRUE(fake_link()->ltk());
2098 }
2099
2100 // Tests that Secure Connections ignores the EncKey bit in the key distribution
2101 // field.
TEST_F(InitiatorPairingTest,ScPhase3EncKeyBitSetNotDistributed)2102 TEST_F(InitiatorPairingTest, ScPhase3EncKeyBitSetNotDistributed) {
2103 UInt128 ltk_bytes;
2104 const SecurityProperties kExpectedSecurity(SecurityLevel::kEncrypted,
2105 kMaxEncryptionKeySize,
2106 /*secure_connections=*/true);
2107 // We will request the EncKey from the peer and the peer will respond that it
2108 // is capable of sending it, but as this is SC pairing that should not occur.
2109 KeyDistGenField remote_keys{KeyDistGen::kEncKey}, local_keys{0};
2110 FastForwardToScLtk(<k_bytes,
2111 kExpectedSecurity.level(),
2112 remote_keys,
2113 local_keys,
2114 BondableMode::Bondable);
2115
2116 const LTK kExpectedLtk(kExpectedSecurity, hci_spec::LinkKey(ltk_bytes, 0, 0));
2117 ASSERT_TRUE(fake_link()->ltk());
2118 EXPECT_EQ(kExpectedLtk.key(), fake_link()->ltk());
2119
2120 // The host should have requested encryption.
2121 EXPECT_EQ(1, fake_link()->start_encryption_count());
2122
2123 fake_link()->TriggerEncryptionChangeCallback(fit::ok(/*enabled=*/true));
2124 RunUntilIdle();
2125
2126 // Pairing should succeed without any messages being sent in "Phase 3". The
2127 // LTK was generated in SC Phase 2, and as the pairing is bondable, it is
2128 // included in the callback.
2129 EXPECT_EQ(1, pairing_data_callback_count());
2130 EXPECT_TRUE(peer_ltk().has_value());
2131 EXPECT_EQ(kExpectedLtk, peer_ltk());
2132 EXPECT_FALSE(irk());
2133 EXPECT_FALSE(identity());
2134 EXPECT_FALSE(csrk());
2135
2136 // Should have been called at least once to determine local identity
2137 // availability.
2138 EXPECT_NE(0, local_id_info_callback_count());
2139
2140 EXPECT_EQ(0, pairing_failed_count());
2141 EXPECT_EQ(1, security_callback_count());
2142 EXPECT_EQ(1, pairing_complete_count());
2143 EXPECT_EQ(0, id_info_count());
2144 EXPECT_EQ(0, id_addr_info_count());
2145 EXPECT_EQ(fit::ok(), security_status());
2146 EXPECT_EQ(security_status(), pairing_complete_status());
2147
2148 EXPECT_EQ(kExpectedSecurity, sec_props());
2149
2150 // The security properties should have been updated to match the LTK.
2151 EXPECT_EQ(1, new_sec_props_count());
2152 EXPECT_EQ(sec_props(), pairing()->security());
2153
2154 ASSERT_TRUE(fake_link()->ltk());
2155 }
2156
2157 // Tests that for Secure Connections non-bondable mode, the pairing procedure
2158 // ends after encryption with the key generated in Phase 2, but the upper layers
2159 // are not notified of that key as an LTK.
TEST_F(InitiatorPairingTest,ScPhase3NonBondableCompleteWithoutKeyExchange)2160 TEST_F(InitiatorPairingTest, ScPhase3NonBondableCompleteWithoutKeyExchange) {
2161 // Must have DisplayYesNo IOC to generate Authenticated security per
2162 // kExpectedSecurity
2163 SetUpSecurityManager(IOCapability::kDisplayYesNo);
2164 const SecurityProperties kExpectedSecurity(SecurityLevel::kAuthenticated,
2165 kMaxEncryptionKeySize,
2166 /*secure_connections=*/true);
2167 UInt128 ltk_bytes;
2168 FastForwardToScLtk(<k_bytes,
2169 kExpectedSecurity.level(),
2170 KeyDistGenField{0},
2171 KeyDistGenField{0},
2172 BondableMode::NonBondable);
2173
2174 const hci_spec::LinkKey kExpectedLinkKey(ltk_bytes, 0, 0);
2175 ASSERT_TRUE(fake_link()->ltk());
2176 EXPECT_EQ(kExpectedLinkKey, fake_link()->ltk());
2177
2178 // The host should have requested encryption.
2179 EXPECT_EQ(1, fake_link()->start_encryption_count());
2180
2181 fake_link()->TriggerEncryptionChangeCallback(fit::ok(/*enabled=*/true));
2182 RunUntilIdle();
2183
2184 // Pairing should succeed with the LTK as we are in SC, but as the pairing is
2185 // non-bondable, no LTK should be relayed up to the delegate.
2186 EXPECT_EQ(0, pairing_data_callback_count());
2187
2188 EXPECT_EQ(0, pairing_failed_count());
2189 EXPECT_EQ(1, security_callback_count());
2190 EXPECT_EQ(1, pairing_complete_count());
2191 EXPECT_EQ(0, id_info_count());
2192 EXPECT_EQ(0, id_addr_info_count());
2193 EXPECT_EQ(fit::ok(), security_status());
2194 EXPECT_EQ(security_status(), pairing_complete_status());
2195
2196 EXPECT_EQ(kExpectedSecurity, sec_props());
2197
2198 // The security properties should have been updated to match the LTK.
2199 EXPECT_EQ(1, new_sec_props_count());
2200 EXPECT_EQ(sec_props(), pairing()->security());
2201
2202 ASSERT_TRUE(fake_link()->ltk());
2203 }
2204
TEST_F(InitiatorPairingTest,Phase3EncryptionInformationReceivedTwice)2205 TEST_F(InitiatorPairingTest, Phase3EncryptionInformationReceivedTwice) {
2206 UInt128 stk;
2207 FastForwardToPhase3(&stk,
2208 /*secure_connections=*/false,
2209 SecurityLevel::kEncrypted,
2210 KeyDistGen::kEncKey);
2211
2212 // Pairing should still be in progress.
2213 EXPECT_EQ(0, pairing_failed_count());
2214 EXPECT_EQ(0, security_callback_count());
2215 EXPECT_EQ(0, pairing_data_callback_count());
2216
2217 ReceiveEncryptionInformation(UInt128());
2218 RunUntilIdle();
2219
2220 // Waiting for EDIV and Rand
2221 EXPECT_EQ(0, pairing_failed_count());
2222 EXPECT_EQ(0, security_callback_count());
2223
2224 // Send the LTK twice. This should cause pairing to fail.
2225 ReceiveEncryptionInformation(UInt128());
2226 RunUntilIdle();
2227 EXPECT_EQ(1, pairing_failed_count());
2228 EXPECT_EQ(1, security_callback_count());
2229 EXPECT_EQ(1, pairing_complete_count());
2230 EXPECT_EQ(ToResult(ErrorCode::kUnspecifiedReason), security_status());
2231 EXPECT_EQ(ErrorCode::kUnspecifiedReason, received_error_code());
2232 EXPECT_EQ(security_status(), pairing_complete_status());
2233 }
2234
2235 // The responder sends EDIV and Rand before LTK.
TEST_F(InitiatorPairingTest,Phase3CentralIdentificationReceivedInWrongOrder)2236 TEST_F(InitiatorPairingTest, Phase3CentralIdentificationReceivedInWrongOrder) {
2237 UInt128 stk;
2238 FastForwardToPhase3(&stk,
2239 /*secure_connections=*/false,
2240 SecurityLevel::kEncrypted,
2241 KeyDistGen::kEncKey);
2242
2243 // Pairing should still be in progress.
2244 EXPECT_EQ(0, pairing_failed_count());
2245 EXPECT_EQ(0, security_callback_count());
2246 EXPECT_EQ(0, pairing_data_callback_count());
2247
2248 // Send central identification before encryption information. This should
2249 // cause pairing to fail.
2250 ReceiveCentralIdentification(1, 2);
2251 RunUntilIdle();
2252
2253 EXPECT_EQ(1, pairing_failed_count());
2254 EXPECT_EQ(1, security_callback_count());
2255 EXPECT_EQ(1, pairing_complete_count());
2256 EXPECT_EQ(ToResult(ErrorCode::kUnspecifiedReason), security_status());
2257 EXPECT_EQ(ErrorCode::kUnspecifiedReason, received_error_code());
2258 EXPECT_EQ(security_status(), pairing_complete_status());
2259 }
2260
2261 // The responder sends the sample LTK from the specification doc
TEST_F(InitiatorPairingTest,Phase3CentralIdentificationReceiveSampleLTK)2262 TEST_F(InitiatorPairingTest, Phase3CentralIdentificationReceiveSampleLTK) {
2263 UInt128 stk;
2264 FastForwardToPhase3(&stk,
2265 /*secure_connections=*/false,
2266 SecurityLevel::kEncrypted,
2267 KeyDistGen::kEncKey);
2268
2269 const UInt128 kLtkSample{{0xBF,
2270 0x01,
2271 0xFB,
2272 0x9D,
2273 0x4E,
2274 0xF3,
2275 0xBC,
2276 0x36,
2277 0xD8,
2278 0x74,
2279 0xF5,
2280 0x39,
2281 0x41,
2282 0x38,
2283 0x68,
2284 0x4C}};
2285
2286 // Pairing should still be in progress.
2287 EXPECT_EQ(0, pairing_failed_count());
2288 EXPECT_EQ(0, security_callback_count());
2289 EXPECT_EQ(0, pairing_data_callback_count());
2290
2291 // Send a bad LTK, this should cause pairing to fail.
2292 ReceiveEncryptionInformation(kLtkSample);
2293 RunUntilIdle();
2294
2295 EXPECT_EQ(1, pairing_failed_count());
2296 EXPECT_EQ(1, security_callback_count());
2297 EXPECT_EQ(1, pairing_complete_count());
2298 EXPECT_EQ(ToResult(ErrorCode::kUnspecifiedReason), security_status());
2299 EXPECT_EQ(ErrorCode::kUnspecifiedReason, received_error_code());
2300 EXPECT_EQ(security_status(), pairing_complete_status());
2301 }
2302
2303 // The responder sends the sample Rand from the specification doc
TEST_F(InitiatorPairingTest,Phase3CentralIdentificationReceiveExampleRand)2304 TEST_F(InitiatorPairingTest, Phase3CentralIdentificationReceiveExampleRand) {
2305 UInt128 stk;
2306 FastForwardToPhase3(&stk,
2307 /*secure_connections=*/false,
2308 SecurityLevel::kEncrypted,
2309 KeyDistGen::kEncKey);
2310
2311 uint64_t kRandSample = 0xABCDEF1234567890;
2312 uint16_t kEDiv = 20;
2313
2314 // Pairing should still be in progress.
2315 EXPECT_EQ(0, pairing_failed_count());
2316 EXPECT_EQ(0, security_callback_count());
2317 EXPECT_EQ(0, pairing_data_callback_count());
2318
2319 // Send a bad Rand, this should cause pairing to fail.
2320 ReceiveEncryptionInformation(UInt128());
2321 ReceiveCentralIdentification(kRandSample, kEDiv);
2322 RunUntilIdle();
2323
2324 EXPECT_EQ(1, pairing_failed_count());
2325 EXPECT_EQ(1, security_callback_count());
2326 EXPECT_EQ(1, pairing_complete_count());
2327 EXPECT_EQ(ToResult(ErrorCode::kUnspecifiedReason), security_status());
2328 EXPECT_EQ(ErrorCode::kUnspecifiedReason, received_error_code());
2329 EXPECT_EQ(security_status(), pairing_complete_status());
2330 }
2331
2332 // The responder sends an LTK that is longer than the max key size
TEST_F(InitiatorPairingTest,Phase3CentralIdentificationReceiveLongLTK)2333 TEST_F(InitiatorPairingTest, Phase3CentralIdentificationReceiveLongLTK) {
2334 UInt128 stk;
2335 auto max_key_size = 8;
2336 FastForwardToPhase3(&stk,
2337 /*secure_connections=*/false,
2338 SecurityLevel::kEncrypted,
2339 KeyDistGen::kEncKey,
2340 0,
2341 max_key_size);
2342
2343 const UInt128 kLtk{{1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 6, 7, 8}};
2344
2345 // Pairing should still be in progress.
2346 EXPECT_EQ(0, pairing_failed_count());
2347 EXPECT_EQ(0, security_callback_count());
2348 EXPECT_EQ(0, pairing_data_callback_count());
2349
2350 // Send a long LTK, this should cause pairing to fail.
2351 ReceiveEncryptionInformation(kLtk);
2352 RunUntilIdle();
2353
2354 EXPECT_EQ(1, pairing_failed_count());
2355 EXPECT_EQ(1, security_callback_count());
2356 EXPECT_EQ(1, pairing_complete_count());
2357 EXPECT_EQ(ToResult(ErrorCode::kInvalidParameters), security_status());
2358 EXPECT_EQ(ErrorCode::kInvalidParameters, received_error_code());
2359 EXPECT_EQ(security_status(), pairing_complete_status());
2360 }
2361
TEST_F(InitiatorPairingTest,Phase3CentralIdentificationReceivedTwice)2362 TEST_F(InitiatorPairingTest, Phase3CentralIdentificationReceivedTwice) {
2363 UInt128 stk;
2364 FastForwardToPhase3(&stk,
2365 /*secure_connections=*/false,
2366 SecurityLevel::kEncrypted,
2367 KeyDistGen::kEncKey);
2368
2369 // Pairing should still be in progress.
2370 EXPECT_EQ(0, pairing_failed_count());
2371 EXPECT_EQ(0, security_callback_count());
2372 EXPECT_EQ(0, pairing_data_callback_count());
2373
2374 constexpr uint16_t kEdiv = 1;
2375 constexpr uint64_t kRand = 2;
2376 constexpr uint16_t kDupEdiv = 3;
2377 constexpr uint64_t kDupRand = 4;
2378
2379 // Send duplicate central identification. Pairing should complete with the
2380 // first set of information. The second set should get ignored.
2381 ReceiveEncryptionInformation(UInt128());
2382 ReceiveCentralIdentification(kRand, kEdiv);
2383 ReceiveCentralIdentification(kDupRand, kDupEdiv);
2384 RunUntilIdle();
2385
2386 EXPECT_EQ(0, pairing_failed_count());
2387 EXPECT_EQ(1, security_callback_count());
2388 EXPECT_EQ(1, pairing_complete_count());
2389 EXPECT_EQ(1, pairing_data_callback_count());
2390 EXPECT_EQ(fit::ok(), security_status());
2391 EXPECT_EQ(security_status(), pairing_complete_status());
2392 ASSERT_TRUE(pairing_data().peer_ltk.has_value());
2393 EXPECT_EQ(kEdiv, pairing_data().peer_ltk->key().ediv());
2394 EXPECT_EQ(kRand, pairing_data().peer_ltk->key().rand());
2395 }
2396
2397 // Pairing completes after obtaining peer encryption information only.
TEST_F(InitiatorPairingTest,Phase3CompleteWithReceivingEncKey)2398 TEST_F(InitiatorPairingTest, Phase3CompleteWithReceivingEncKey) {
2399 UInt128 stk;
2400 FastForwardToPhase3(&stk,
2401 /*secure_connections=*/false,
2402 SecurityLevel::kEncrypted,
2403 KeyDistGen::kEncKey);
2404
2405 const UInt128 kLTK{{1, 2, 3, 4, 5, 6, 7, 8, 7, 6, 5, 4, 3, 2, 1, 0}};
2406 uint64_t kRand = 5;
2407 uint16_t kEDiv = 20;
2408
2409 ReceiveEncryptionInformation(kLTK);
2410 ReceiveCentralIdentification(kRand, kEDiv);
2411 RunUntilIdle();
2412
2413 // Pairing should have succeeded.
2414 EXPECT_EQ(0, pairing_failed_count());
2415 EXPECT_EQ(1, security_callback_count());
2416 EXPECT_EQ(1, pairing_complete_count());
2417 EXPECT_EQ(fit::ok(), security_status());
2418 EXPECT_EQ(security_status(), pairing_complete_status());
2419
2420 // LTK should have been assigned to the link.
2421 ASSERT_TRUE(fake_link()->ltk());
2422 EXPECT_EQ(kLTK, fake_link()->ltk()->value());
2423 EXPECT_EQ(kRand, fake_link()->ltk()->rand());
2424 EXPECT_EQ(kEDiv, fake_link()->ltk()->ediv());
2425
2426 // We don't re-encrypt with the LTK while the link is already authenticated
2427 // with the STK.
2428 EXPECT_EQ(1, fake_link()->start_encryption_count());
2429
2430 EXPECT_EQ(SecurityLevel::kEncrypted, sec_props().level());
2431 EXPECT_EQ(16u, sec_props().enc_key_size());
2432 EXPECT_FALSE(sec_props().secure_connections());
2433
2434 // Should have been called at least once to determine local identity
2435 // availability.
2436 EXPECT_NE(0, local_id_info_callback_count());
2437
2438 // Local identity information should not have been distributed by us since it
2439 // isn't available.
2440 EXPECT_EQ(0, id_info_count());
2441 EXPECT_EQ(0, id_addr_info_count());
2442
2443 // Should have notified the LTK.
2444 EXPECT_EQ(1, pairing_data_callback_count());
2445 ASSERT_TRUE(peer_ltk());
2446 ASSERT_FALSE(irk());
2447 ASSERT_FALSE(identity());
2448 ASSERT_FALSE(csrk());
2449 EXPECT_EQ(sec_props(), peer_ltk()->security());
2450 EXPECT_EQ(kLTK, peer_ltk()->key().value());
2451 EXPECT_EQ(kRand, peer_ltk()->key().rand());
2452 EXPECT_EQ(kEDiv, peer_ltk()->key().ediv());
2453
2454 // No security property update should have been sent for the LTK. This is
2455 // because the LTK and the STK are expected to have the same properties.
2456 EXPECT_EQ(1, new_sec_props_count());
2457 }
2458
TEST_F(InitiatorPairingTest,Phase3CompleteWithSendingEncKey)2459 TEST_F(InitiatorPairingTest, Phase3CompleteWithSendingEncKey) {
2460 UInt128 stk;
2461 KeyDistGenField remote_keys{0u}, local_keys{KeyDistGen::kEncKey};
2462 FastForwardToPhase3(&stk,
2463 /*secure_connections=*/false,
2464 SecurityLevel::kEncrypted,
2465 remote_keys,
2466 local_keys);
2467 RunUntilIdle();
2468
2469 // Pairing should have succeeded.
2470 EXPECT_EQ(0, pairing_failed_count());
2471 EXPECT_EQ(1, security_callback_count());
2472 EXPECT_EQ(1, pairing_complete_count());
2473 EXPECT_EQ(fit::ok(), security_status());
2474 EXPECT_EQ(security_status(), pairing_complete_status());
2475
2476 // Only the STK should be assigned to the link, as the distributed LTK was
2477 // initiator-generated. This means it can only be used to encrypt future
2478 // connections where the roles are reversed.
2479 EXPECT_EQ(stk, fake_link()->ltk()->value());
2480 EXPECT_EQ(1, fake_link()->start_encryption_count());
2481
2482 // Should have been called at least once to determine local identity
2483 // availability.
2484 EXPECT_NE(0, local_id_info_callback_count());
2485
2486 // Should have notified pairing data callback with the LTK.
2487 EXPECT_EQ(1, pairing_data_callback_count());
2488 ASSERT_TRUE(local_ltk());
2489
2490 // LTK sent OTA should match what we notified the pairing data callback with.
2491 EXPECT_EQ(local_ltk()->key(), hci_spec::LinkKey(enc_info(), rand(), ediv()));
2492 }
2493
2494 // Pairing completes after obtaining short encryption information only.
TEST_F(InitiatorPairingTest,Phase3CompleteWithShortEncKey)2495 TEST_F(InitiatorPairingTest, Phase3CompleteWithShortEncKey) {
2496 UInt128 stk;
2497 uint8_t max_key_size = 12;
2498 FastForwardToPhase3(&stk,
2499 /*secure_connections=*/false,
2500 SecurityLevel::kEncrypted,
2501 KeyDistGen::kEncKey,
2502 0u,
2503 max_key_size);
2504
2505 // This LTK is within the max_key_size specified above.
2506 const UInt128 kLTK{{1, 2, 3, 4, 5, 6, 7, 8, 7, 6, 5, 4, 0, 0, 0, 0}};
2507 uint64_t kRand = 5;
2508 uint16_t kEDiv = 20;
2509
2510 ReceiveEncryptionInformation(kLTK);
2511 ReceiveCentralIdentification(kRand, kEDiv);
2512 RunUntilIdle();
2513
2514 // Pairing should have succeeded.
2515 EXPECT_EQ(0, pairing_failed_count());
2516 EXPECT_EQ(1, security_callback_count());
2517 EXPECT_EQ(1, pairing_complete_count());
2518 EXPECT_EQ(fit::ok(), security_status());
2519 EXPECT_EQ(security_status(), pairing_complete_status());
2520
2521 // LTK should have been assigned to the link.
2522 ASSERT_TRUE(fake_link()->ltk());
2523 EXPECT_EQ(kLTK, fake_link()->ltk()->value());
2524 EXPECT_EQ(kRand, fake_link()->ltk()->rand());
2525 EXPECT_EQ(kEDiv, fake_link()->ltk()->ediv());
2526
2527 // We don't re-encrypt with the LTK while the link is already authenticated
2528 // with the STK.
2529 EXPECT_EQ(1, fake_link()->start_encryption_count());
2530
2531 EXPECT_EQ(SecurityLevel::kEncrypted, sec_props().level());
2532 EXPECT_EQ(max_key_size, sec_props().enc_key_size());
2533 EXPECT_FALSE(sec_props().secure_connections());
2534
2535 // Should have been called at least once to determine local identity
2536 // availability.
2537 EXPECT_NE(0, local_id_info_callback_count());
2538
2539 // Local identity information should not have been distributed by us since it
2540 // isn't available.
2541 EXPECT_EQ(0, id_info_count());
2542 EXPECT_EQ(0, id_addr_info_count());
2543
2544 // Should have notified the LTK.
2545 EXPECT_EQ(1, pairing_data_callback_count());
2546 ASSERT_TRUE(peer_ltk());
2547 ASSERT_FALSE(irk());
2548 ASSERT_FALSE(identity());
2549 ASSERT_FALSE(csrk());
2550 EXPECT_EQ(sec_props(), peer_ltk()->security());
2551 EXPECT_EQ(kLTK, peer_ltk()->key().value());
2552 EXPECT_EQ(kRand, peer_ltk()->key().rand());
2553 EXPECT_EQ(kEDiv, peer_ltk()->key().ediv());
2554
2555 // No security property update should have been sent for the LTK. This is
2556 // because the LTK and the STK are expected to have the same properties.
2557 EXPECT_EQ(1, new_sec_props_count());
2558 }
2559
TEST_F(InitiatorPairingTest,Phase3WithLocalIdKey)2560 TEST_F(InitiatorPairingTest, Phase3WithLocalIdKey) {
2561 IdentityInfo local_id_info;
2562 local_id_info.irk = UInt128{{1, 2, 3, 4, 5, 6, 7, 8, 7, 6, 5, 4, 3, 2, 1, 0}};
2563 local_id_info.address = kLocalAddr;
2564 set_local_id_info(local_id_info);
2565
2566 UInt128 stk;
2567 FastForwardToPhase3(&stk,
2568 /*secure_connections=*/false,
2569 SecurityLevel::kEncrypted,
2570 0, // remote keys
2571 KeyDistGen::kIdKey); // local keys
2572
2573 // Local identity information should have been sent.
2574 EXPECT_EQ(1, id_info_count());
2575 EXPECT_EQ(local_id_info.irk, id_info());
2576 EXPECT_EQ(1, id_addr_info_count());
2577 EXPECT_EQ(local_id_info.address, id_addr_info());
2578
2579 // Pairing should succeed without notifying any keys.
2580 EXPECT_EQ(0, pairing_failed_count());
2581 EXPECT_EQ(1, security_callback_count());
2582 EXPECT_EQ(1, pairing_complete_count());
2583 EXPECT_EQ(fit::ok(), security_status());
2584 EXPECT_EQ(security_status(), pairing_complete_status());
2585 }
2586
2587 // Tests that pairing results in an error if a local ID key was initially
2588 // negotiated but gets removed before the distribution phase.
TEST_F(InitiatorPairingTest,Phase3IsAbortedIfLocalIdKeyIsRemoved)2589 TEST_F(InitiatorPairingTest, Phase3IsAbortedIfLocalIdKeyIsRemoved) {
2590 IdentityInfo local_id_info;
2591 local_id_info.irk = UInt128{{1, 2, 3, 4, 5, 6, 7, 8, 7, 6, 5, 4, 3, 2, 1, 0}};
2592 local_id_info.address = kLocalAddr;
2593 set_local_id_info(local_id_info);
2594
2595 UInt128 stk;
2596 FastForwardToSTK(&stk,
2597 SecurityLevel::kEncrypted,
2598 0, // remote keys
2599 KeyDistGen::kIdKey); // local keys
2600
2601 // Local identity information should not have been sent yet.
2602 EXPECT_EQ(0, id_info_count());
2603 EXPECT_EQ(0, id_addr_info_count());
2604
2605 // Pairing still in progress.
2606 EXPECT_EQ(0, pairing_failed_count());
2607 EXPECT_EQ(0, security_callback_count());
2608 EXPECT_EQ(0, pairing_complete_count());
2609
2610 // Remove the local identity information.
2611 set_local_id_info(std::nullopt);
2612
2613 // Encrypt with the STK to finish phase 2.
2614 fake_link()->TriggerEncryptionChangeCallback(fit::ok(/*enabled=*/true));
2615 RunUntilIdle();
2616
2617 // Pairing should have been aborted.
2618 EXPECT_EQ(0, id_info_count());
2619 EXPECT_EQ(0, id_addr_info_count());
2620 EXPECT_EQ(1, pairing_failed_count());
2621 EXPECT_EQ(1, security_callback_count());
2622 EXPECT_EQ(1, pairing_complete_count());
2623 EXPECT_EQ(ToResult(ErrorCode::kUnspecifiedReason), security_status());
2624 }
2625
TEST_F(InitiatorPairingTest,Phase3IRKReceivedTwice)2626 TEST_F(InitiatorPairingTest, Phase3IRKReceivedTwice) {
2627 UInt128 stk;
2628 FastForwardToPhase3(&stk,
2629 /*secure_connections=*/false,
2630 SecurityLevel::kEncrypted,
2631 KeyDistGen::kIdKey);
2632
2633 // Pairing should still be in progress.
2634 EXPECT_EQ(0, pairing_failed_count());
2635 EXPECT_EQ(0, security_callback_count());
2636 EXPECT_EQ(0, pairing_data_callback_count());
2637
2638 ReceiveIdentityResolvingKey(UInt128());
2639 RunUntilIdle();
2640
2641 // Waiting for identity address.
2642 EXPECT_EQ(0, pairing_failed_count());
2643 EXPECT_EQ(0, security_callback_count());
2644 EXPECT_EQ(0, pairing_complete_count());
2645
2646 // Send an IRK again. This should cause pairing to fail.
2647 ReceiveIdentityResolvingKey(UInt128());
2648 RunUntilIdle();
2649 EXPECT_EQ(1, pairing_failed_count());
2650 EXPECT_EQ(1, security_callback_count());
2651 EXPECT_EQ(1, pairing_complete_count());
2652 EXPECT_EQ(ToResult(ErrorCode::kUnspecifiedReason), security_status());
2653 EXPECT_EQ(ErrorCode::kUnspecifiedReason, received_error_code());
2654 EXPECT_EQ(security_status(), pairing_complete_status());
2655 }
2656
2657 // The responder sends its identity address before sending its IRK.
TEST_F(InitiatorPairingTest,Phase3IdentityAddressReceivedInWrongOrder)2658 TEST_F(InitiatorPairingTest, Phase3IdentityAddressReceivedInWrongOrder) {
2659 UInt128 stk;
2660 FastForwardToPhase3(&stk,
2661 /*secure_connections=*/false,
2662 SecurityLevel::kEncrypted,
2663 KeyDistGen::kIdKey);
2664
2665 // Pairing should still be in progress.
2666 EXPECT_EQ(0, pairing_failed_count());
2667 EXPECT_EQ(0, security_callback_count());
2668 EXPECT_EQ(0, pairing_data_callback_count());
2669 EXPECT_EQ(0, pairing_complete_count());
2670
2671 // Send identity address before the IRK. This should cause pairing to fail.
2672 ReceiveIdentityAddress(kPeerAddr);
2673 RunUntilIdle();
2674
2675 EXPECT_EQ(1, pairing_failed_count());
2676 EXPECT_EQ(1, security_callback_count());
2677 EXPECT_EQ(1, pairing_complete_count());
2678 EXPECT_EQ(ToResult(ErrorCode::kUnspecifiedReason), security_status());
2679 EXPECT_EQ(ErrorCode::kUnspecifiedReason, received_error_code());
2680 EXPECT_EQ(security_status(), pairing_complete_status());
2681 }
2682
TEST_F(InitiatorPairingTest,Phase3IdentityAddressReceivedTwice)2683 TEST_F(InitiatorPairingTest, Phase3IdentityAddressReceivedTwice) {
2684 UInt128 stk;
2685 // Request enc key to prevent pairing from completing after sending the first
2686 // identity address.
2687 FastForwardToPhase3(&stk,
2688 /*secure_connections=*/false,
2689 SecurityLevel::kEncrypted,
2690 KeyDistGen::kEncKey | KeyDistGen::kIdKey);
2691
2692 // Pairing should still be in progress.
2693 EXPECT_EQ(0, pairing_failed_count());
2694 EXPECT_EQ(0, security_callback_count());
2695 EXPECT_EQ(0, pairing_data_callback_count());
2696 EXPECT_EQ(0, pairing_complete_count());
2697
2698 ReceiveIdentityResolvingKey(UInt128());
2699 ReceiveIdentityAddress(kPeerAddr);
2700 ReceiveIdentityAddress(kPeerAddr);
2701 RunUntilIdle();
2702
2703 EXPECT_EQ(1, pairing_failed_count());
2704 EXPECT_EQ(1, security_callback_count());
2705 EXPECT_EQ(1, pairing_complete_count());
2706 EXPECT_EQ(ToResult(ErrorCode::kUnspecifiedReason), security_status());
2707 EXPECT_EQ(ErrorCode::kUnspecifiedReason, received_error_code());
2708 EXPECT_EQ(security_status(), pairing_complete_status());
2709 }
2710
2711 // Pairing completes after obtaining identity information only.
TEST_F(InitiatorPairingTest,Phase3CompleteWithIdKey)2712 TEST_F(InitiatorPairingTest, Phase3CompleteWithIdKey) {
2713 UInt128 stk;
2714 FastForwardToPhase3(&stk,
2715 /*secure_connections=*/false,
2716 SecurityLevel::kEncrypted,
2717 KeyDistGen::kIdKey);
2718
2719 // Pairing should still be in progress.
2720 EXPECT_EQ(0, pairing_failed_count());
2721 EXPECT_EQ(0, security_callback_count());
2722 EXPECT_EQ(0, pairing_data_callback_count());
2723 EXPECT_EQ(0, pairing_complete_count());
2724
2725 const UInt128 kIRK{{1, 2, 3, 4, 5, 6, 7, 8, 7, 6, 5, 4, 3, 2, 1, 0}};
2726
2727 ReceiveIdentityResolvingKey(kIRK);
2728 ReceiveIdentityAddress(kPeerAddr);
2729 RunUntilIdle();
2730
2731 EXPECT_EQ(0, pairing_failed_count());
2732 EXPECT_EQ(1, security_callback_count());
2733 EXPECT_EQ(1, pairing_complete_count());
2734 EXPECT_EQ(fit::ok(), security_status());
2735 EXPECT_EQ(security_status(), pairing_complete_status());
2736
2737 // The link remains encrypted with the STK.
2738 EXPECT_EQ(SecurityLevel::kEncrypted, sec_props().level());
2739 EXPECT_EQ(16u, sec_props().enc_key_size());
2740 EXPECT_FALSE(sec_props().secure_connections());
2741
2742 EXPECT_EQ(1, pairing_data_callback_count());
2743 ASSERT_FALSE(peer_ltk());
2744 ASSERT_TRUE(irk());
2745 ASSERT_TRUE(identity());
2746 ASSERT_FALSE(csrk());
2747
2748 EXPECT_EQ(sec_props(), irk()->security());
2749 EXPECT_EQ(kIRK, irk()->value());
2750 EXPECT_EQ(kPeerAddr, *identity());
2751 }
2752
TEST_F(InitiatorPairingTest,Phase3CompleteWithAllKeys)2753 TEST_F(InitiatorPairingTest, Phase3CompleteWithAllKeys) {
2754 UInt128 stk;
2755 FastForwardToPhase3(&stk,
2756 /*secure_connections=*/false,
2757 SecurityLevel::kEncrypted,
2758 KeyDistGen::kEncKey | KeyDistGen::kIdKey);
2759
2760 const UInt128 kLTK{{1, 2, 3, 4, 5, 6, 7, 8, 7, 6, 5, 4, 3, 2, 1, 0}};
2761 const UInt128 kIRK{{8, 7, 6, 5, 4, 3, 2, 1, 1, 2, 3, 4, 5, 6, 7, 8}};
2762 uint64_t kRand = 5;
2763 uint16_t kEDiv = 20;
2764
2765 // The link should be assigned the STK as its link key.
2766 EXPECT_EQ(stk, fake_link()->ltk()->value());
2767
2768 // Receive EncKey
2769 ReceiveEncryptionInformation(kLTK);
2770 ReceiveCentralIdentification(kRand, kEDiv);
2771 RunUntilIdle();
2772
2773 // Pairing still pending. SMP does not assign the LTK to the link until
2774 // pairing completes.
2775 EXPECT_EQ(0, pairing_failed_count());
2776 EXPECT_EQ(0, security_callback_count());
2777 EXPECT_EQ(0, pairing_complete_count());
2778
2779 // Receive IdKey
2780 ReceiveIdentityResolvingKey(kIRK);
2781 ReceiveIdentityAddress(kPeerAddr);
2782 RunUntilIdle();
2783
2784 // Pairing should have succeeded
2785 EXPECT_EQ(0, pairing_failed_count());
2786 EXPECT_EQ(1, security_callback_count());
2787 EXPECT_EQ(1, pairing_complete_count());
2788 EXPECT_EQ(fit::ok(), security_status());
2789 EXPECT_EQ(security_status(), pairing_complete_status());
2790
2791 // LTK should have been assigned to the link.
2792 ASSERT_TRUE(fake_link()->ltk());
2793 EXPECT_EQ(kLTK, fake_link()->ltk()->value());
2794 EXPECT_EQ(kRand, fake_link()->ltk()->rand());
2795 EXPECT_EQ(kEDiv, fake_link()->ltk()->ediv());
2796
2797 // We don't re-encrypt with the LTK while the link is already authenticated
2798 // with the STK.
2799 EXPECT_EQ(1, fake_link()->start_encryption_count());
2800
2801 EXPECT_EQ(SecurityLevel::kEncrypted, sec_props().level());
2802 EXPECT_EQ(16u, sec_props().enc_key_size());
2803 EXPECT_FALSE(sec_props().secure_connections());
2804
2805 // Should have notified the LTK.
2806 EXPECT_EQ(1, pairing_data_callback_count());
2807 ASSERT_TRUE(peer_ltk());
2808 ASSERT_TRUE(irk());
2809 ASSERT_TRUE(identity());
2810 ASSERT_FALSE(csrk());
2811 EXPECT_EQ(sec_props(), peer_ltk()->security());
2812 EXPECT_EQ(kLTK, peer_ltk()->key().value());
2813 EXPECT_EQ(kRand, peer_ltk()->key().rand());
2814 EXPECT_EQ(kEDiv, peer_ltk()->key().ediv());
2815 EXPECT_EQ(sec_props(), irk()->security());
2816 EXPECT_EQ(kIRK, irk()->value());
2817 EXPECT_EQ(kPeerAddr, *identity());
2818 }
2819
TEST_F(InitiatorPairingTest,GenerateCrossTransportLinkKey)2820 TEST_F(InitiatorPairingTest, GenerateCrossTransportLinkKey) {
2821 UInt128 stk;
2822 // Indicate support for SC and for link keys in both directions to enable
2823 // CTKG.
2824 FastForwardToPhase3(&stk,
2825 /*secure_connections=*/true,
2826 SecurityLevel::kEncrypted,
2827 KeyDistGen::kLinkKey,
2828 KeyDistGen::kLinkKey);
2829 RunUntilIdle();
2830
2831 // Pairing should have succeeded
2832 EXPECT_EQ(0, pairing_failed_count());
2833 EXPECT_EQ(1, security_callback_count());
2834 EXPECT_EQ(1, pairing_complete_count());
2835 EXPECT_EQ(fit::ok(), security_status());
2836 EXPECT_EQ(security_status(), pairing_complete_status());
2837
2838 // The PairingData should contain the CTKGenerated BR/EDR link key.
2839 EXPECT_TRUE(pairing_data().cross_transport_key.has_value());
2840 }
2841
TEST_F(InitiatorPairingTest,AssignLongTermKeyFailsDuringPairing)2842 TEST_F(InitiatorPairingTest, AssignLongTermKeyFailsDuringPairing) {
2843 UpgradeSecurity(SecurityLevel::kEncrypted); // Initiate pairing.
2844 SecurityProperties sec_props(
2845 SecurityLevel::kAuthenticated, 16, /*secure_connections=*/false);
2846 EXPECT_FALSE(
2847 pairing()->AssignLongTermKey(LTK(sec_props, hci_spec::LinkKey())));
2848 EXPECT_EQ(0, fake_link()->start_encryption_count());
2849 EXPECT_EQ(SecurityLevel::kNoSecurity, pairing()->security().level());
2850 }
2851
TEST_F(InitiatorPairingTest,AssignLongTermKey)2852 TEST_F(InitiatorPairingTest, AssignLongTermKey) {
2853 SecurityProperties sec_props(
2854 SecurityLevel::kAuthenticated, 16, /*secure_connections=*/false);
2855 LTK ltk(sec_props, hci_spec::LinkKey());
2856
2857 EXPECT_TRUE(pairing()->AssignLongTermKey(ltk));
2858 EXPECT_EQ(1, fake_link()->start_encryption_count());
2859 ASSERT_TRUE(fake_link()->ltk());
2860 EXPECT_EQ(ltk.key(), *fake_link()->ltk());
2861
2862 // The link security level is not assigned until successful encryption.
2863 EXPECT_EQ(SecurityProperties(), pairing()->security());
2864 fake_link()->TriggerEncryptionChangeCallback(fit::ok(/*enabled=*/true));
2865 RunUntilIdle();
2866
2867 EXPECT_EQ(1, new_sec_props_count());
2868 EXPECT_EQ(sec_props, new_sec_props());
2869 EXPECT_EQ(sec_props, pairing()->security());
2870 }
2871
TEST_F(InitiatorPairingTest,ReceiveSecurityRequest)2872 TEST_F(InitiatorPairingTest, ReceiveSecurityRequest) {
2873 ReceiveSecurityRequest(AuthReq::kMITM);
2874 RunUntilIdle();
2875
2876 // Should have requested pairing with MITM protection.
2877 EXPECT_EQ(1, pairing_request_count());
2878 const auto& params = local_pairing_cmd().view(1).To<PairingRequestParams>();
2879 EXPECT_TRUE(params.auth_req & AuthReq::kMITM);
2880 }
2881
TEST_F(InitiatorPairingTest,ReceiveSecurityRequestWhenPaired)2882 TEST_F(InitiatorPairingTest, ReceiveSecurityRequestWhenPaired) {
2883 UInt128 stk;
2884 FastForwardToPhase3(&stk,
2885 /*secure_connections=*/false,
2886 SecurityLevel::kEncrypted,
2887 KeyDistGen::kEncKey);
2888 EXPECT_EQ(stk, fake_link()->ltk()->value());
2889 EXPECT_EQ(1, pairing_request_count());
2890
2891 // Receive EncKey and wait until the link is encrypted with the LTK.
2892 UInt128 kLTK{{1, 2, 3, 4, 5, 6, 7, 8, 7, 6, 5, 4, 3, 2, 1, 0}};
2893 uint64_t kRand = 5;
2894 uint16_t kEDiv = 20;
2895 ReceiveEncryptionInformation(kLTK);
2896 ReceiveCentralIdentification(kRand, kEDiv);
2897 RunUntilIdle();
2898 fake_link()->TriggerEncryptionChangeCallback(fit::ok(/*enabled=*/true));
2899 RunUntilIdle();
2900 ASSERT_EQ(1, pairing_complete_count());
2901 ASSERT_EQ(fit::ok(), security_status());
2902 ASSERT_TRUE(peer_ltk());
2903 ASSERT_EQ(SecurityLevel::kEncrypted, sec_props().level());
2904 ASSERT_EQ(1, fake_link()->start_encryption_count()); // Once for the STK
2905 ASSERT_EQ(1, pairing_request_count());
2906
2907 // Receive a security request with the no MITM requirement. This should
2908 // trigger an encryption key refresh and no pairing request.
2909 ReceiveSecurityRequest();
2910 EXPECT_EQ(1, pairing_request_count());
2911
2912 // Once for the STK and once again due to the locally initiated key refresh.
2913 ASSERT_EQ(2, fake_link()->start_encryption_count());
2914
2915 // Receive a security request with a higher security requirement. This should
2916 // trigger a pairing request.
2917 ReceiveSecurityRequest(AuthReq::kMITM);
2918 EXPECT_EQ(2, pairing_request_count());
2919 const auto& params = local_pairing_cmd().view(1).To<PairingRequestParams>();
2920 EXPECT_TRUE(params.auth_req & AuthReq::kMITM);
2921 }
2922
TEST_F(InitiatorPairingTest,ReceiveMITMSecurityRequestLocalIoCapNoInputNoOutput)2923 TEST_F(InitiatorPairingTest,
2924 ReceiveMITMSecurityRequestLocalIoCapNoInputNoOutput) {
2925 SetUpSecurityManager(IOCapability::kNoInputNoOutput);
2926 ReceiveSecurityRequest(AuthReq::kMITM);
2927 // We should notify the peer that we cannot complete the security request due
2928 // to authentication requirements.
2929 EXPECT_EQ(1, pairing_failed_count());
2930 EXPECT_EQ(ErrorCode::kAuthenticationRequirements, received_error_code());
2931
2932 // When we receive a Security Request, we start a timer. Run the loop to
2933 // ensure that when we can't fulfill the Security Request, we stop the timer
2934 // before it expires as we never started pairing.
2935 RunFor(kPairingTimeout + std::chrono::seconds(1));
2936 // Double check we haven't sent any more Pairing Failed messages
2937 EXPECT_EQ(1, pairing_failed_count());
2938 // We should not notify local clients of any pairing completion, because no
2939 // pairing ever started.
2940 EXPECT_EQ(0, pairing_complete_count());
2941 }
2942
TEST_F(InitiatorPairingTest,RejectPairingRequest)2943 TEST_F(InitiatorPairingTest, RejectPairingRequest) {
2944 // Although we are the initiator, set the peer_initiator=true for this test so
2945 // that we emulate reception of the Pairing Request command, not the Pairing
2946 // Response command.
2947 ReceivePairingFeatures(IOCapability::kDisplayYesNo,
2948 AuthReqField{0},
2949 kMaxEncryptionKeySize,
2950 /*peer_initiator=*/true);
2951 RunUntilIdle();
2952 // We should reject the security request with CommandNotSupported as
2953 // initiator.
2954 EXPECT_EQ(1, pairing_failed_count());
2955 EXPECT_EQ(ErrorCode::kCommandNotSupported, received_error_code());
2956
2957 // Run for the full pairing timeout to ensure we do not timeout due to sending
2958 // a message.
2959 RunFor(kPairingTimeout + std::chrono::seconds(1));
2960 // No pairing occurred, as we rejected the security request command.
2961 EXPECT_EQ(0, pairing_complete_count());
2962 EXPECT_EQ(1, pairing_failed_count());
2963 }
2964
TEST_F(InitiatorPairingTest,PairingTimeoutWorks)2965 TEST_F(InitiatorPairingTest, PairingTimeoutWorks) {
2966 UpgradeSecurity(SecurityLevel::kEncrypted);
2967 RunUntilIdle();
2968 ASSERT_EQ(1, pairing_request_count());
2969 // Expiration of the pairing timeout should trigger the link error callback
2970 // per v5.2 Vol. 3 Part H 3.4. Link disconnection will generally cause channel
2971 // closure, so this simulates that behavior to validate that SM handles this
2972 // safely.
2973 fake_chan()->SetLinkErrorCallback([chan = fake_chan()]() { chan->Close(); });
2974 RunFor(kPairingTimeout);
2975 EXPECT_TRUE(fake_chan()->link_error());
2976 ASSERT_EQ(1, security_callback_count());
2977 EXPECT_EQ(ToResult(HostError::kTimedOut), security_status());
2978 ASSERT_EQ(1, pairing_complete_count());
2979 EXPECT_EQ(ToResult(HostError::kTimedOut), pairing_complete_status());
2980 }
2981
TEST_F(InitiatorPairingTest,NoTimeoutAfterSuccessfulPairing)2982 TEST_F(InitiatorPairingTest, NoTimeoutAfterSuccessfulPairing) {
2983 UInt128 out_stk;
2984 FastForwardToPhase3(&out_stk,
2985 /*secure_connections=*/false,
2986 SecurityLevel::kEncrypted,
2987 KeyDistGenField{0},
2988 KeyDistGenField{0});
2989 ASSERT_EQ(1, pairing_complete_count());
2990 ASSERT_EQ(1, security_callback_count());
2991 ASSERT_EQ(fit::ok(), security_status());
2992 ASSERT_EQ(fit::ok(), pairing_complete_status());
2993 // Verify that no timeout occurs after a successful pairing followed by a long
2994 // interval.
2995 RunFor(kPairingTimeout * 2);
2996 ASSERT_EQ(1, pairing_complete_count());
2997 ASSERT_EQ(1, security_callback_count());
2998 EXPECT_NE(ToResult(HostError::kTimedOut), pairing_complete_status());
2999 EXPECT_NE(ToResult(HostError::kTimedOut), security_status());
3000 }
3001
TEST_F(InitiatorPairingTest,AbortStopsPairingTimer)3002 TEST_F(InitiatorPairingTest, AbortStopsPairingTimer) {
3003 UpgradeSecurity(SecurityLevel::kEncrypted);
3004 RunUntilIdle();
3005 ASSERT_EQ(1, pairing_request_count());
3006 pairing()->Abort();
3007 // Calling Abort should stop the pairing procedure and the timer.
3008 ASSERT_EQ(1, pairing_complete_count());
3009 ASSERT_EQ(1, security_callback_count());
3010 // Run the loop for a time that would cause a timeout if a timer were active.
3011 RunFor(kPairingTimeout * 2);
3012 ASSERT_EQ(1, pairing_complete_count());
3013 ASSERT_EQ(1, security_callback_count());
3014 EXPECT_NE(ToResult(HostError::kTimedOut), pairing_complete_status());
3015 EXPECT_NE(ToResult(HostError::kTimedOut), security_status());
3016 }
3017
TEST_F(InitiatorPairingTest,ResetStopsPairingTimer)3018 TEST_F(InitiatorPairingTest, ResetStopsPairingTimer) {
3019 UpgradeSecurity(SecurityLevel::kEncrypted);
3020 RunUntilIdle();
3021 ASSERT_EQ(1, pairing_request_count());
3022 pairing()->Reset(IOCapability::kDisplayYesNo);
3023 // Resetting the pairing aborts the current procedure.
3024 ASSERT_EQ(1, pairing_complete_count());
3025 ASSERT_EQ(1, security_callback_count());
3026 // Run the loop for a time that would cause a timeout if a timer were active.
3027 RunFor(kPairingTimeout * 2);
3028 ASSERT_EQ(1, pairing_complete_count());
3029 ASSERT_EQ(1, security_callback_count());
3030 EXPECT_NE(ToResult(HostError::kTimedOut), pairing_complete_status());
3031 EXPECT_NE(ToResult(HostError::kTimedOut), security_status());
3032 }
3033
TEST_F(InitiatorPairingTest,SendingMessageRestartsTimer)3034 TEST_F(InitiatorPairingTest, SendingMessageRestartsTimer) {
3035 // SM will send the Pairing Request, which is special-cased to "reset and
3036 // start" the pairing timer (v5.2 Vol. 3 Part H 3.4), and thus not under test
3037 // here.
3038 UpgradeSecurity(SecurityLevel::kEncrypted);
3039 RunUntilIdle();
3040 ASSERT_EQ(1, pairing_request_count());
3041 // Run the loop until the pairing timeout has almost expired.
3042 RunFor(kPairingTimeout - pw::chrono::SystemClock::duration(1));
3043 // Receive the not special-cased Pairing Response, which should trigger SM to
3044 // send the also not special-cased Pairing Confirm.
3045 ReceivePairingFeatures();
3046 // Run the loop for 1 more second, which would timeout if the timer had not
3047 // been reset.
3048 RunFor(pw::chrono::SystemClock::duration(1));
3049 // The timeout should not have triggered, so there should be no notification
3050 // of pairing failure.
3051 ASSERT_EQ(0, pairing_complete_count());
3052 ASSERT_EQ(0, security_callback_count());
3053 // Verify that the timer is in fact still active; without receiving further
3054 // messages, the timeout should trigger.
3055 RunFor(kPairingTimeout);
3056 ASSERT_EQ(1, pairing_complete_count());
3057 ASSERT_EQ(1, security_callback_count());
3058 EXPECT_EQ(ToResult(HostError::kTimedOut), pairing_complete_status());
3059 EXPECT_EQ(ToResult(HostError::kTimedOut), security_status());
3060 }
3061
TEST_F(InitiatorPairingTest,ModifyAssignedLinkLtkBeforeSecurityRequestCausesDisconnect)3062 TEST_F(InitiatorPairingTest,
3063 ModifyAssignedLinkLtkBeforeSecurityRequestCausesDisconnect) {
3064 SecurityProperties sec_props(
3065 SecurityLevel::kAuthenticated, 16, /*secure_connections=*/false);
3066 const LTK kOriginalLtk(sec_props, hci_spec::LinkKey({1}, 2, 3));
3067 const hci_spec::LinkKey kModifiedLtk(hci_spec::LinkKey({4}, 5, 6));
3068
3069 EXPECT_TRUE(pairing()->AssignLongTermKey(kOriginalLtk));
3070 fake_link()->set_ltk(kModifiedLtk);
3071 // When we receive the Security Request on a bonded (i.e. AssignLongTermKey
3072 // has been called) connection, we will refresh the encryption key. This
3073 // checks that the link LTK = the SMP LTK which is not the case.
3074 ReceiveSecurityRequest(AuthReqField{0});
3075 RunUntilIdle();
3076 ASSERT_TRUE(fake_chan()->link_error());
3077 ASSERT_EQ(1, auth_failure_callback_count());
3078 ASSERT_EQ(ToResult(pw::bluetooth::emboss::StatusCode::PIN_OR_KEY_MISSING),
3079 auth_failure_status());
3080 }
3081
TEST_F(ResponderPairingTest,SuccessfulPairAfterResetInProgressPairing)3082 TEST_F(ResponderPairingTest, SuccessfulPairAfterResetInProgressPairing) {
3083 ReceivePairingRequest();
3084 RunUntilIdle();
3085 // At this point, we expect to have completed Phase 1, and pairing should
3086 // still be in progress.
3087 EXPECT_EQ(1, pairing_response_count());
3088
3089 pairing()->Abort();
3090 RunUntilIdle();
3091 // Pairing should have failed and ended.
3092 EXPECT_EQ(1, pairing_failed_count());
3093 EXPECT_EQ(1, pairing_complete_count());
3094
3095 // Verify that the next pairing request is properly handled
3096 ReceivePairingRequest();
3097 RunUntilIdle();
3098 // At this point, we expect to have completed Phase 1, and pairing should
3099 // still be in progress.
3100 EXPECT_EQ(2, pairing_response_count());
3101 }
3102
TEST_F(ResponderPairingTest,SecurityRequestCausesPairing)3103 TEST_F(ResponderPairingTest, SecurityRequestCausesPairing) {
3104 UpgradeSecurity(SecurityLevel::kEncrypted);
3105 RunUntilIdle();
3106 AuthReqField expected_auth_req = AuthReq::kBondingFlag;
3107 EXPECT_EQ(1, security_request_count());
3108 EXPECT_EQ(expected_auth_req, security_request_payload());
3109 UInt128 ltk_bytes;
3110 FastForwardToPhase3(<k_bytes, /*secure_connections=*/true);
3111 // Pairing should have succeeded
3112 EXPECT_EQ(0, pairing_failed_count());
3113 EXPECT_EQ(1, security_callback_count());
3114 EXPECT_EQ(1, pairing_complete_count());
3115 EXPECT_EQ(fit::ok(), security_status());
3116 EXPECT_EQ(security_status(), pairing_complete_status());
3117
3118 // LTK should have been assigned to the link.
3119 hci_spec::LinkKey kExpectedLinkKey(ltk_bytes, 0, 0);
3120 ASSERT_TRUE(fake_link()->ltk());
3121 EXPECT_EQ(kExpectedLinkKey, fake_link()->ltk());
3122
3123 EXPECT_EQ(SecurityLevel::kEncrypted, sec_props().level());
3124 EXPECT_EQ(16u, sec_props().enc_key_size());
3125 EXPECT_TRUE(sec_props().secure_connections());
3126
3127 // Should have notified the LTK.
3128 EXPECT_EQ(1, pairing_data_callback_count());
3129 ASSERT_TRUE(local_ltk());
3130 EXPECT_EQ(sec_props(), local_ltk()->security());
3131 EXPECT_EQ(kExpectedLinkKey, local_ltk()->key());
3132 }
3133
TEST_F(ResponderPairingTest,SecurityRequestWithExistingLtk)3134 TEST_F(ResponderPairingTest, SecurityRequestWithExistingLtk) {
3135 const SecurityProperties kProps(SecurityLevel::kAuthenticated,
3136 kMaxEncryptionKeySize,
3137 /*secure_connections=*/true);
3138 const LTK kLtk(kProps, hci_spec::LinkKey({1, 2, 3}, 0, 0));
3139 // This pretends that we have an already-bonded LTK.
3140 pairing()->AssignLongTermKey(kLtk);
3141 // LTK should have been assigned to the link.
3142 ASSERT_TRUE(fake_link()->ltk());
3143 EXPECT_EQ(kLtk.key(), fake_link()->ltk());
3144
3145 // Make the Security Upgrade request
3146 UpgradeSecurity(SecurityLevel::kAuthenticated);
3147 RunUntilIdle();
3148 AuthReqField expected_auth_req = AuthReq::kBondingFlag | AuthReq::kMITM;
3149 EXPECT_EQ(1, security_request_count());
3150 EXPECT_EQ(expected_auth_req, security_request_payload());
3151 fake_link()->TriggerEncryptionChangeCallback(fit::ok(/*enabled=*/true));
3152
3153 // Security should be upgraded.
3154 EXPECT_EQ(1, security_callback_count());
3155 EXPECT_EQ(fit::ok(), security_status());
3156 EXPECT_EQ(kProps.level(), sec_props().level());
3157 EXPECT_EQ(16u, sec_props().enc_key_size());
3158 EXPECT_TRUE(sec_props().secure_connections());
3159
3160 // No pairing should have taken place - we had an already-bonded LTK.
3161 EXPECT_EQ(0, pairing_failed_count());
3162 EXPECT_EQ(0, pairing_complete_count());
3163 EXPECT_EQ(0, pairing_data_callback_count());
3164 }
3165
TEST_F(ResponderPairingTest,SecurityRequestInitiatorEncryptsWithInsufficientSecurityLtk)3166 TEST_F(ResponderPairingTest,
3167 SecurityRequestInitiatorEncryptsWithInsufficientSecurityLtk) {
3168 const SecurityProperties kProps(SecurityLevel::kEncrypted,
3169 kMaxEncryptionKeySize,
3170 /*secure_connections=*/true);
3171 const LTK kLtk(kProps, hci_spec::LinkKey({1, 2, 3}, 0, 0));
3172 // This pretends that we have an already-bonded LTK with kEncrypted security
3173 // level.
3174 pairing()->AssignLongTermKey(kLtk);
3175 // LTK should have been assigned to the link.
3176 ASSERT_TRUE(fake_link()->ltk());
3177 EXPECT_EQ(kLtk.key(), fake_link()->ltk());
3178
3179 // Make a security request for authenticated security
3180 UpgradeSecurity(SecurityLevel::kAuthenticated);
3181 RunUntilIdle();
3182 AuthReqField expected_auth_req = AuthReq::kBondingFlag | AuthReq::kMITM;
3183 EXPECT_EQ(1, security_request_count());
3184 EXPECT_EQ(expected_auth_req, security_request_payload());
3185
3186 // Pretend the SMP initiator started encryption with the bonded LTK of
3187 // SecurityLevel::kEncrypted.
3188 fake_link()->TriggerEncryptionChangeCallback(fit::ok(/*enabled=*/true));
3189
3190 // If the peer responds to our MITM security request by encrypting with an
3191 // unauthenticated key, they stored the LTK/handle security request
3192 // incorrectly - either way, disconnect the link.
3193 ASSERT_TRUE(fake_chan()->link_error());
3194 }
3195
TEST_F(ResponderPairingTest,AuthenticatedSecurityRequestWithInsufficientIoCapRejected)3196 TEST_F(ResponderPairingTest,
3197 AuthenticatedSecurityRequestWithInsufficientIoCapRejected) {
3198 SetUpSecurityManager(IOCapability::kNoInputNoOutput);
3199 // Make a security request for authenticated security
3200 UpgradeSecurity(SecurityLevel::kAuthenticated);
3201 RunUntilIdle();
3202 // The security callback should have been rejected w/o sending any messages,
3203 // as our IOCap cannot perform authenticated pairing.
3204 EXPECT_EQ(0, security_request_count());
3205 EXPECT_EQ(1, security_callback_count());
3206 EXPECT_EQ(ToResult(ErrorCode::kAuthenticationRequirements),
3207 security_status());
3208 EXPECT_EQ(SecurityLevel::kNoSecurity, sec_props().level());
3209 }
3210
TEST_F(ResponderPairingTest,HandlesMultipleSecurityRequestsCorrectly)3211 TEST_F(ResponderPairingTest, HandlesMultipleSecurityRequestsCorrectly) {
3212 // Make a security request for encrypted security
3213 UpgradeSecurity(SecurityLevel::kEncrypted);
3214 RunUntilIdle();
3215 AuthReqField expected_auth_req = AuthReq::kBondingFlag;
3216 EXPECT_EQ(1, security_request_count());
3217 EXPECT_EQ(expected_auth_req, security_request_payload());
3218
3219 // Making another security request, this time for authenticated security,
3220 // while the first is still pending should not cause another Security Request
3221 // message to be sent.
3222 UpgradeSecurity(SecurityLevel::kAuthenticated);
3223 RunUntilIdle();
3224 EXPECT_EQ(1, security_request_count());
3225
3226 // Handle the first Security Request
3227 UInt128 ltk_bytes;
3228 FastForwardToPhase3(
3229 <k_bytes, /*secure_connections=*/true, SecurityLevel::kEncrypted);
3230 // Pairing should have succeeded
3231 EXPECT_EQ(0, pairing_failed_count());
3232 EXPECT_EQ(1, security_callback_count());
3233 EXPECT_EQ(1, pairing_complete_count());
3234 EXPECT_EQ(fit::ok(), security_status());
3235 EXPECT_EQ(security_status(), pairing_complete_status());
3236
3237 EXPECT_EQ(SecurityLevel::kEncrypted, sec_props().level());
3238
3239 // Should have notified the LTK.
3240 EXPECT_EQ(1, pairing_data_callback_count());
3241 ASSERT_TRUE(local_ltk());
3242 EXPECT_EQ(sec_props(), local_ltk()->security());
3243 EXPECT_EQ(ltk_bytes, local_ltk()->key().value());
3244
3245 // After the first pairing satisfied the kEncrypted Security Request, the
3246 // pending kAuthenticated Security Request should have been sent immediately.
3247 EXPECT_EQ(2, security_request_count());
3248 }
3249
TEST_F(ResponderPairingTest,ReceiveSecondPairingRequestWhilePairing)3250 TEST_F(ResponderPairingTest, ReceiveSecondPairingRequestWhilePairing) {
3251 ReceivePairingRequest();
3252 RunUntilIdle();
3253
3254 // We should have sent a pairing response and should now be in Phase 2,
3255 // waiting for the peer to send us Mconfirm.
3256 EXPECT_EQ(0, pairing_request_count());
3257 EXPECT_EQ(1, pairing_response_count());
3258 EXPECT_EQ(0, pairing_confirm_count());
3259 EXPECT_EQ(0, pairing_random_count());
3260 EXPECT_EQ(0, pairing_failed_count());
3261 EXPECT_EQ(0, security_callback_count());
3262 EXPECT_EQ(0, pairing_complete_count());
3263
3264 // This should cause pairing to be aborted.
3265 ReceivePairingRequest();
3266 RunUntilIdle();
3267 EXPECT_EQ(0, pairing_request_count());
3268 // We will abort the second pairing request without responding if we're
3269 // already in progress
3270 EXPECT_EQ(1, pairing_response_count());
3271 EXPECT_EQ(0, pairing_confirm_count());
3272 EXPECT_EQ(0, pairing_random_count());
3273 EXPECT_EQ(1, pairing_failed_count());
3274 EXPECT_EQ(0, security_callback_count());
3275 EXPECT_EQ(1, pairing_complete_count());
3276 ASSERT_EQ(ErrorCode::kUnspecifiedReason, received_error_code());
3277 EXPECT_EQ(ToResult(received_error_code().value()), pairing_complete_status());
3278 }
3279
TEST_F(ResponderPairingTest,ReceiveConfirmValueWhileWaitingForTK)3280 TEST_F(ResponderPairingTest, ReceiveConfirmValueWhileWaitingForTK) {
3281 bool tk_requested = false;
3282 ConfirmCallback respond;
3283 set_confirm_delegate([&](ConfirmCallback cb) {
3284 tk_requested = true;
3285 respond = std::move(cb);
3286 });
3287
3288 ReceivePairingRequest();
3289 RunUntilIdle();
3290 ASSERT_TRUE(tk_requested);
3291
3292 UInt128 confirm;
3293 ReceivePairingConfirm(confirm);
3294 RunUntilIdle();
3295
3296 // Pairing should still be in progress without sending out any packets.
3297 EXPECT_EQ(0, pairing_confirm_count());
3298 EXPECT_EQ(0, pairing_random_count());
3299 EXPECT_EQ(0, pairing_failed_count());
3300 EXPECT_EQ(0, security_callback_count());
3301 EXPECT_EQ(0, pairing_complete_count());
3302
3303 // Respond with the TK. This should cause us to send Sconfirm.
3304 respond(true);
3305 RunUntilIdle();
3306 EXPECT_EQ(1, pairing_confirm_count());
3307 EXPECT_EQ(0, pairing_random_count());
3308 EXPECT_EQ(0, pairing_failed_count());
3309 EXPECT_EQ(0, security_callback_count());
3310 EXPECT_EQ(0, pairing_complete_count());
3311 }
3312
TEST_F(ResponderPairingTest,LegacyPhase2ReceivePairingRandomInWrongOrder)3313 TEST_F(ResponderPairingTest, LegacyPhase2ReceivePairingRandomInWrongOrder) {
3314 ReceivePairingRequest();
3315 RunUntilIdle();
3316
3317 // We should have sent a pairing response and should now be in Phase 2,
3318 // waiting for the peer to send us Mconfirm.
3319 EXPECT_EQ(0, pairing_request_count());
3320 EXPECT_EQ(1, pairing_response_count());
3321 EXPECT_EQ(0, pairing_confirm_count());
3322 EXPECT_EQ(0, pairing_random_count());
3323 EXPECT_EQ(0, pairing_failed_count());
3324 EXPECT_EQ(0, security_callback_count());
3325 EXPECT_EQ(0, pairing_complete_count());
3326
3327 // Peer sends Mrand before Mconfirm.
3328 UInt128 random;
3329 ReceivePairingRandom(random);
3330 RunUntilIdle();
3331 EXPECT_EQ(0, pairing_request_count());
3332 EXPECT_EQ(1, pairing_response_count());
3333 EXPECT_EQ(0, pairing_confirm_count());
3334 EXPECT_EQ(0, pairing_random_count());
3335 EXPECT_EQ(1, pairing_failed_count());
3336 EXPECT_EQ(0, security_callback_count());
3337 EXPECT_EQ(1, pairing_complete_count());
3338 EXPECT_EQ(ErrorCode::kUnspecifiedReason, received_error_code());
3339 EXPECT_EQ(ToResult(ErrorCode::kUnspecifiedReason), pairing_complete_status());
3340 }
3341
TEST_F(ResponderPairingTest,LegacyPhase2MconfirmValueInvalid)3342 TEST_F(ResponderPairingTest, LegacyPhase2MconfirmValueInvalid) {
3343 ReceivePairingRequest();
3344 RunUntilIdle();
3345
3346 // We should have sent a pairing response and should now be in Phase 2,
3347 // waiting for the peer to send us Mconfirm.
3348 EXPECT_EQ(0, pairing_request_count());
3349 EXPECT_EQ(1, pairing_response_count());
3350 EXPECT_EQ(0, pairing_confirm_count());
3351 EXPECT_EQ(0, pairing_random_count());
3352 EXPECT_EQ(0, pairing_failed_count());
3353 EXPECT_EQ(0, security_callback_count());
3354 EXPECT_EQ(0, pairing_complete_count());
3355
3356 // Set up values that don't match.
3357 UInt128 confirm, random;
3358 confirm.fill(0);
3359 random.fill(1);
3360
3361 ReceivePairingConfirm(confirm);
3362 RunUntilIdle();
3363
3364 // We should have sent Sconfirm.
3365 EXPECT_EQ(0, pairing_request_count());
3366 EXPECT_EQ(1, pairing_response_count());
3367 EXPECT_EQ(1, pairing_confirm_count());
3368 EXPECT_EQ(0, pairing_random_count());
3369 EXPECT_EQ(0, pairing_failed_count());
3370 EXPECT_EQ(0, security_callback_count());
3371 EXPECT_EQ(0, pairing_complete_count());
3372
3373 // Peer sends Mrand that doesn't match. We should reject the pairing
3374 // without sending Srand.
3375 ReceivePairingRandom(random);
3376 RunUntilIdle();
3377 EXPECT_EQ(0, pairing_request_count());
3378 EXPECT_EQ(1, pairing_response_count());
3379 EXPECT_EQ(1, pairing_confirm_count());
3380 EXPECT_EQ(0, pairing_random_count());
3381 EXPECT_EQ(1, pairing_failed_count());
3382 EXPECT_EQ(0, security_callback_count());
3383 EXPECT_EQ(1, pairing_complete_count());
3384 EXPECT_EQ(ErrorCode::kConfirmValueFailed, received_error_code());
3385 EXPECT_EQ(ToResult(ErrorCode::kConfirmValueFailed),
3386 pairing_complete_status());
3387 }
3388
TEST_F(ResponderPairingTest,LegacyPhase2ConfirmValuesExchanged)3389 TEST_F(ResponderPairingTest, LegacyPhase2ConfirmValuesExchanged) {
3390 ReceivePairingRequest();
3391 RunUntilIdle();
3392
3393 // We should have sent a pairing response and should now be in Phase 2,
3394 // waiting for the peer to send us Mconfirm.
3395 EXPECT_EQ(0, pairing_request_count());
3396 EXPECT_EQ(1, pairing_response_count());
3397 EXPECT_EQ(0, pairing_confirm_count());
3398 EXPECT_EQ(0, pairing_random_count());
3399 EXPECT_EQ(0, pairing_failed_count());
3400 EXPECT_EQ(0, security_callback_count());
3401 EXPECT_EQ(0, pairing_complete_count());
3402
3403 // Set up Sconfirm and Srand values that match.
3404 UInt128 confirm, random;
3405 GenerateMatchingLegacyConfirmAndRandom(&confirm, &random);
3406
3407 // Peer sends Mconfirm.
3408 ReceivePairingConfirm(confirm);
3409 RunUntilIdle();
3410
3411 // We should have sent Sconfirm.
3412 EXPECT_EQ(0, pairing_request_count());
3413 EXPECT_EQ(1, pairing_response_count());
3414 EXPECT_EQ(1, pairing_confirm_count());
3415 EXPECT_EQ(0, pairing_random_count());
3416 EXPECT_EQ(0, pairing_failed_count());
3417 EXPECT_EQ(0, security_callback_count());
3418 EXPECT_EQ(0, pairing_complete_count());
3419
3420 // Peer sends Mrand.
3421 ReceivePairingRandom(random);
3422 RunUntilIdle();
3423
3424 // We should have sent Srand.
3425 EXPECT_EQ(0, pairing_request_count());
3426 EXPECT_EQ(1, pairing_response_count());
3427 EXPECT_EQ(1, pairing_confirm_count());
3428 EXPECT_EQ(1, pairing_random_count());
3429 EXPECT_EQ(0, pairing_failed_count());
3430 EXPECT_EQ(0, security_callback_count());
3431 EXPECT_EQ(0, pairing_complete_count());
3432
3433 // Sconfirm/Srand values we sent should be correct.
3434 UInt128 expected_confirm;
3435 GenerateLegacyConfirmValue(
3436 pairing_random(), &expected_confirm, /*peer_initiator=*/true);
3437 EXPECT_EQ(expected_confirm, pairing_confirm());
3438 }
3439
TEST_F(ResponderPairingTest,LegacyPhase3LocalLTKDistributionNoRemoteKeys)3440 TEST_F(ResponderPairingTest, LegacyPhase3LocalLTKDistributionNoRemoteKeys) {
3441 EXPECT_EQ(0, enc_info_count());
3442 EXPECT_EQ(0, central_ident_count());
3443
3444 UInt128 stk;
3445 KeyDistGenField remote_keys{0}, local_keys{KeyDistGen::kEncKey};
3446 FastForwardToPhase3(&stk,
3447 /*secure_connections=*/false,
3448 SecurityLevel::kEncrypted,
3449 remote_keys,
3450 local_keys);
3451
3452 // Local LTK, EDiv, and Rand should be sent to the peer.
3453 EXPECT_EQ(1, enc_info_count());
3454 EXPECT_EQ(1, central_ident_count());
3455 ASSERT_TRUE(fake_link()->ltk());
3456 EXPECT_EQ(enc_info(), fake_link()->ltk()->value());
3457 EXPECT_EQ(ediv(), fake_link()->ltk()->ediv());
3458 EXPECT_EQ(rand(), fake_link()->ltk()->rand());
3459
3460 // This LTK should be stored with the pairing data but the pairing callback
3461 // shouldn't be called because pairing wasn't initiated by UpgradeSecurity().
3462 EXPECT_EQ(0, pairing_failed_count());
3463 EXPECT_EQ(0, security_callback_count());
3464
3465 // Pairing is considered complete when all keys have been distributed even if
3466 // we're still encrypted with the STK. This is because the initiator may not
3467 // always re-encrypt the link with the LTK until a reconnection.
3468 EXPECT_EQ(1, pairing_data_callback_count());
3469
3470 // Nonetheless the link should have been assigned the LTK.
3471 ASSERT_TRUE(pairing_data().local_ltk.has_value());
3472 EXPECT_EQ(fake_link()->ltk(), pairing_data().local_ltk->key());
3473
3474 // Make sure that an encryption change has no effect.
3475 fake_link()->TriggerEncryptionChangeCallback(fit::ok(/*enabled=*/true));
3476 RunUntilIdle();
3477 EXPECT_EQ(1, pairing_data_callback_count());
3478
3479 // No additional security property update should have been sent since the STK
3480 // and LTK have the same properties.
3481 EXPECT_EQ(1, new_sec_props_count());
3482 }
3483
TEST_F(ResponderPairingTest,LegacyPhase3LocalLTKDistributionWithRemoteKeys)3484 TEST_F(ResponderPairingTest, LegacyPhase3LocalLTKDistributionWithRemoteKeys) {
3485 EXPECT_EQ(0, enc_info_count());
3486 EXPECT_EQ(0, central_ident_count());
3487
3488 UInt128 stk;
3489 FastForwardToPhase3(&stk,
3490 /*secure_connections=*/false,
3491 SecurityLevel::kEncrypted,
3492 KeyDistGen::kIdKey, // remote keys
3493 KeyDistGen::kEncKey); // local keys
3494
3495 // Local LTK, EDiv, and Rand should be sent to the peer - we don't assign the
3496 // new LTK to the link until pairing is complete.
3497 EXPECT_EQ(1, enc_info_count());
3498 EXPECT_EQ(1, central_ident_count());
3499
3500 // No local identity information should have been sent.
3501 EXPECT_EQ(0, id_info_count());
3502 EXPECT_EQ(0, id_addr_info_count());
3503
3504 // This LTK should be stored with the pairing data but the pairing callback
3505 // shouldn't be called because pairing wasn't initiated by UpgradeSecurity().
3506 EXPECT_EQ(0, pairing_failed_count());
3507 EXPECT_EQ(0, security_callback_count());
3508
3509 // Still waiting for initiator's keys.
3510 EXPECT_EQ(0, pairing_data_callback_count());
3511
3512 const auto kIrk = Random<UInt128>();
3513 ReceiveIdentityResolvingKey(kIrk);
3514 ReceiveIdentityAddress(kPeerAddr);
3515 RunUntilIdle();
3516
3517 // Pairing is considered complete when all keys have been distributed even if
3518 // we're still encrypted with the STK. This is because the initiator may not
3519 // always re-encrypt the link with the LTK until a reconnection.
3520 EXPECT_EQ(1, pairing_data_callback_count());
3521
3522 // The peer should have sent us its identity information.
3523 ASSERT_TRUE(pairing_data().irk);
3524 EXPECT_EQ(kIrk, pairing_data().irk->value());
3525 ASSERT_TRUE(pairing_data().identity_address);
3526 EXPECT_EQ(kPeerAddr, *pairing_data().identity_address);
3527
3528 // Nonetheless the link should have been assigned the LTK.
3529 ASSERT_TRUE(pairing_data().local_ltk.has_value());
3530 EXPECT_EQ(fake_link()->ltk(), pairing_data().local_ltk->key());
3531 }
3532
3533 // Locally generated ltk length should match max key length specified
TEST_F(ResponderPairingTest,LegacyPhase3LocalLTKMaxLength)3534 TEST_F(ResponderPairingTest, LegacyPhase3LocalLTKMaxLength) {
3535 EXPECT_EQ(0, enc_info_count());
3536 EXPECT_EQ(0, central_ident_count());
3537
3538 UInt128 stk;
3539 uint16_t max_key_size = 7;
3540
3541 FastForwardToPhase3(&stk,
3542 /*secure_connections=*/false,
3543 SecurityLevel::kEncrypted,
3544 0u, // remote keys
3545 KeyDistGen::kEncKey, // local keys
3546 max_key_size);
3547
3548 // Local LTK, EDiv, and Rand should be sent to the peer.
3549 EXPECT_EQ(1, enc_info_count());
3550 EXPECT_EQ(1, central_ident_count());
3551 ASSERT_TRUE(fake_link()->ltk());
3552 EXPECT_EQ(enc_info(), fake_link()->ltk()->value());
3553 EXPECT_EQ(ediv(), fake_link()->ltk()->ediv());
3554 EXPECT_EQ(rand(), fake_link()->ltk()->rand());
3555
3556 // This LTK should be stored with the pairing data but the pairing callback
3557 // shouldn't be called because pairing wasn't initiated by UpgradeSecurity().
3558 EXPECT_EQ(0, pairing_failed_count());
3559 EXPECT_EQ(0, security_callback_count());
3560
3561 // Pairing is considered complete when all keys have been distributed even if
3562 // we're still encrypted with the STK. This is because the initiator may not
3563 // always re-encrypt the link with the LTK until a reconnection.
3564 EXPECT_EQ(1, pairing_data_callback_count());
3565
3566 // The link should have been assigned the LTK.
3567 ASSERT_TRUE(pairing_data().local_ltk.has_value());
3568 EXPECT_EQ(fake_link()->ltk(), pairing_data().local_ltk->key());
3569
3570 // Ensure that most significant (16 - max_key_size) bytes are zero. The key
3571 // should be generated up to the max_key_size.
3572 auto ltk = pairing_data().local_ltk->key().value();
3573 for (auto i = max_key_size; i < ltk.size(); i++) {
3574 EXPECT_TRUE(ltk[i] == 0);
3575 }
3576 }
3577
TEST_F(ResponderPairingTest,LegacyPhase3ReceiveInitiatorEncKey)3578 TEST_F(ResponderPairingTest, LegacyPhase3ReceiveInitiatorEncKey) {
3579 UInt128 stk;
3580 KeyDistGenField remote_keys{KeyDistGen::kEncKey}, local_keys{0u};
3581 FastForwardToPhase3(&stk,
3582 /*secure_connections=*/false,
3583 SecurityLevel::kEncrypted,
3584 remote_keys,
3585 local_keys);
3586
3587 const uint64_t kRand = 5;
3588 const uint16_t kEDiv = 20;
3589 const hci_spec::LinkKey kLTK(
3590 {1, 2, 3, 4, 5, 6, 7, 8, 7, 6, 5, 4, 3, 2, 1, 0}, kRand, kEDiv);
3591
3592 ReceiveEncryptionInformation(kLTK.value());
3593 ReceiveCentralIdentification(kRand, kEDiv);
3594 RunUntilIdle();
3595
3596 // Pairing should have succeeded.
3597 EXPECT_EQ(0, pairing_failed_count());
3598 EXPECT_EQ(1, pairing_complete_count());
3599 EXPECT_EQ(fit::ok(), security_status());
3600 EXPECT_EQ(security_status(), pairing_complete_status());
3601
3602 // No pairing callbacks needed as this is a peer-initiated pairing.
3603 EXPECT_EQ(0, security_callback_count());
3604
3605 // Only the STK should be assigned to the link, as the distributed LTK was
3606 // initiator-generated. This means it can only be used to encrypt future
3607 // connections where the roles are reversed.
3608 EXPECT_EQ(stk, fake_link()->ltk()->value());
3609
3610 // Should have been called at least once to determine local identity
3611 // availability.
3612 EXPECT_NE(0, local_id_info_callback_count());
3613
3614 // Should have notified pairing data callback with the LTK.
3615 EXPECT_EQ(1, pairing_data_callback_count());
3616 ASSERT_TRUE(peer_ltk());
3617
3618 // LTK received OTA should match what we notified the pairing data callback
3619 // with.
3620 EXPECT_EQ(kLTK, peer_ltk()->key());
3621 }
3622
TEST_F(ResponderPairingTest,LegacyPhase3LocalIdKeyDistributionWithRemoteKeys)3623 TEST_F(ResponderPairingTest, LegacyPhase3LocalIdKeyDistributionWithRemoteKeys) {
3624 IdentityInfo local_id_info;
3625 local_id_info.irk = UInt128{{1, 2, 3, 4, 5, 6, 7, 8, 7, 6, 5, 4, 3, 2, 1, 0}};
3626 local_id_info.address = kLocalAddr;
3627 set_local_id_info(local_id_info);
3628
3629 EXPECT_EQ(0, enc_info_count());
3630 EXPECT_EQ(0, central_ident_count());
3631
3632 UInt128 stk;
3633 FastForwardToPhase3(&stk,
3634 /*secure_connections=*/false,
3635 SecurityLevel::kEncrypted,
3636 KeyDistGen::kIdKey, // remote keys
3637 KeyDistGen::kIdKey); // local keys
3638
3639 // No local LTK, EDiv, and Rand should be sent to the peer.
3640 EXPECT_EQ(0, enc_info_count());
3641 EXPECT_EQ(0, central_ident_count());
3642
3643 // Local identity information should have been sent.
3644 EXPECT_EQ(1, id_info_count());
3645 EXPECT_EQ(local_id_info.irk, id_info());
3646 EXPECT_EQ(1, id_addr_info_count());
3647 EXPECT_EQ(local_id_info.address, id_addr_info());
3648
3649 // Still waiting for initiator's keys.
3650 EXPECT_EQ(0, pairing_data_callback_count());
3651
3652 const auto kIrk = Random<UInt128>();
3653 ReceiveIdentityResolvingKey(kIrk);
3654 ReceiveIdentityAddress(kPeerAddr);
3655 RunUntilIdle();
3656
3657 // Pairing is considered complete when all keys have been distributed even if
3658 // we're still encrypted with the STK. This is because the initiator may not
3659 // always re-encrypt the link with the LTK until a reconnection.
3660 EXPECT_EQ(1, pairing_data_callback_count());
3661
3662 // The peer should have sent us its identity information.
3663 ASSERT_TRUE(pairing_data().irk);
3664 EXPECT_EQ(kIrk, pairing_data().irk->value());
3665 ASSERT_TRUE(pairing_data().identity_address);
3666 EXPECT_EQ(kPeerAddr, *pairing_data().identity_address);
3667 }
3668
TEST_F(ResponderPairingTest,AssignLongTermKeyFailsDuringPairing)3669 TEST_F(ResponderPairingTest, AssignLongTermKeyFailsDuringPairing) {
3670 ReceivePairingRequest();
3671 RunUntilIdle();
3672 SecurityProperties sec_props(
3673 SecurityLevel::kAuthenticated, 16, /*secure_connections=*/false);
3674 EXPECT_FALSE(
3675 pairing()->AssignLongTermKey(LTK(sec_props, hci_spec::LinkKey())));
3676 EXPECT_EQ(0, fake_link()->start_encryption_count());
3677 EXPECT_EQ(SecurityLevel::kNoSecurity, pairing()->security().level());
3678 }
3679
TEST_F(ResponderPairingTest,AssignLongTermKey)3680 TEST_F(ResponderPairingTest, AssignLongTermKey) {
3681 SecurityProperties sec_props(
3682 SecurityLevel::kAuthenticated, 16, /*secure_connections=*/false);
3683 LTK ltk(sec_props, hci_spec::LinkKey());
3684
3685 EXPECT_TRUE(pairing()->AssignLongTermKey(ltk));
3686 ASSERT_TRUE(fake_link()->ltk());
3687 EXPECT_EQ(ltk.key(), *fake_link()->ltk());
3688
3689 // No encryption request should have been made as the initiator is expected to
3690 // do it.
3691 EXPECT_EQ(0, fake_link()->start_encryption_count());
3692
3693 // The link security level is not assigned until successful encryption.
3694 EXPECT_EQ(SecurityProperties(), pairing()->security());
3695 fake_link()->TriggerEncryptionChangeCallback(fit::ok(/*enabled=*/true));
3696 RunUntilIdle();
3697
3698 EXPECT_EQ(1, new_sec_props_count());
3699 EXPECT_EQ(sec_props, new_sec_props());
3700 EXPECT_EQ(sec_props, pairing()->security());
3701 }
3702
TEST_F(ResponderPairingTest,EncryptWithLinkKeyModifiedOutsideSmDisconnects)3703 TEST_F(ResponderPairingTest, EncryptWithLinkKeyModifiedOutsideSmDisconnects) {
3704 SecurityProperties sec_props(
3705 SecurityLevel::kAuthenticated, 16, /*secure_connections=*/false);
3706 const LTK kOriginalLtk(sec_props, hci_spec::LinkKey({1}, 2, 3));
3707 const hci_spec::LinkKey kModifiedLtk(hci_spec::LinkKey({4}, 5, 6));
3708
3709 EXPECT_TRUE(pairing()->AssignLongTermKey(kOriginalLtk));
3710 fake_link()->set_ltk(kModifiedLtk);
3711 fake_link()->TriggerEncryptionChangeCallback(fit::ok(/*enabled=*/true));
3712 RunUntilIdle();
3713 ASSERT_TRUE(fake_chan()->link_error());
3714 ASSERT_EQ(1, auth_failure_callback_count());
3715 ASSERT_EQ(ToResult(pw::bluetooth::emboss::StatusCode::PIN_OR_KEY_MISSING),
3716 auth_failure_status());
3717 }
3718
TEST_F(ResponderPairingTest,EncryptWithLinkKeyButNoSmLtkDisconnects)3719 TEST_F(ResponderPairingTest, EncryptWithLinkKeyButNoSmLtkDisconnects) {
3720 // The LE link LTK should always be assigned through SM, so while encryption
3721 // could succeed with a link LTK but no SM LTK, this is a violation of bt-host
3722 // assumptions and we will disconnect.
3723 fake_link()->set_ltk(hci_spec::LinkKey({1}, 2, 3));
3724 fake_link()->TriggerEncryptionChangeCallback(fit::ok(/*enabled=*/true));
3725 RunUntilIdle();
3726 ASSERT_TRUE(fake_chan()->link_error());
3727 ASSERT_EQ(1, auth_failure_callback_count());
3728 ASSERT_EQ(ToResult(pw::bluetooth::emboss::StatusCode::PIN_OR_KEY_MISSING),
3729 auth_failure_status());
3730 }
3731
3732 // As responder, we reject security requests, as the initiator should never send
3733 // them.
TEST_F(ResponderPairingTest,RejectSecurityRequest)3734 TEST_F(ResponderPairingTest, RejectSecurityRequest) {
3735 ReceiveSecurityRequest();
3736 EXPECT_EQ(1, pairing_failed_count());
3737 EXPECT_EQ(ErrorCode::kCommandNotSupported, received_error_code());
3738
3739 // Run for the full pairing timeout to ensure we do not timeout due to sending
3740 // a message.
3741 RunFor(kPairingTimeout + std::chrono::seconds(1));
3742 EXPECT_EQ(0, pairing_request_count());
3743 EXPECT_EQ(0, fake_link()->start_encryption_count());
3744 EXPECT_EQ(1, pairing_failed_count());
3745 }
3746
3747 // Test that LTK is generated and passed up to SecurityManager when both sides
3748 // request bonding
TEST_F(ResponderPairingTest,BothSidesRequestBondingLTKCreated)3749 TEST_F(ResponderPairingTest, BothSidesRequestBondingLTKCreated) {
3750 UInt128 stk;
3751 SetUpSecurityManager(IOCapability::kDisplayOnly);
3752 FastForwardToPhase3(&stk,
3753 /*secure_connections=*/false,
3754 SecurityLevel::kEncrypted,
3755 0u, // remote keys
3756 KeyDistGen::kEncKey, // local keys
3757 kMaxEncryptionKeySize,
3758 BondableMode::Bondable);
3759
3760 // The link should have been assigned the LTK.
3761 EXPECT_TRUE(pairing_data().local_ltk.has_value());
3762 }
3763
3764 // Test that LTK is not passed up to SecurityManager when local side requests
3765 // non-bondable mode and peer requests bondable mode.
TEST_F(ResponderPairingTest,LocalRequestsNonBondableNoLTKCreated)3766 TEST_F(ResponderPairingTest, LocalRequestsNonBondableNoLTKCreated) {
3767 UInt128 stk;
3768 SetUpSecurityManager(IOCapability::kDisplayOnly, BondableMode::NonBondable);
3769 FastForwardToPhase3(&stk,
3770 /*secure_connections=*/false,
3771 SecurityLevel::kEncrypted,
3772 0u, // remote keys
3773 KeyDistGen::kEncKey, // local keys
3774 kMaxEncryptionKeySize,
3775 BondableMode::Bondable);
3776
3777 // The link should not have been assigned the LTK.
3778 EXPECT_FALSE(pairing_data().local_ltk.has_value() ||
3779 pairing_data().peer_ltk.has_value());
3780 }
3781
3782 // Test that LTK is not passed up to SecurityManager when local side requests
3783 // bondable mode and peer requests non-bondable mode.
TEST_F(ResponderPairingTest,PeerRequestsNonBondableNoLTKCreated)3784 TEST_F(ResponderPairingTest, PeerRequestsNonBondableNoLTKCreated) {
3785 UInt128 stk;
3786 SetUpSecurityManager(IOCapability::kDisplayOnly, BondableMode::Bondable);
3787 FastForwardToPhase3(&stk,
3788 /*secure_connections=*/false,
3789 SecurityLevel::kEncrypted,
3790 0u, // remote keys
3791 0u, // local keys
3792 kMaxEncryptionKeySize,
3793 BondableMode::NonBondable);
3794
3795 // The link should not have been assigned the LTK.
3796 EXPECT_FALSE(pairing_data().local_ltk.has_value() ||
3797 pairing_data().peer_ltk.has_value());
3798 }
3799
3800 // Test that LTK is not generated and passed up to SecurityManager when both
3801 // sides request non-bondable mode.
TEST_F(ResponderPairingTest,BothSidesRequestNonBondableNoLTKCreated)3802 TEST_F(ResponderPairingTest, BothSidesRequestNonBondableNoLTKCreated) {
3803 UInt128 stk;
3804 SetUpSecurityManager(IOCapability::kDisplayOnly, BondableMode::NonBondable);
3805 FastForwardToPhase3(&stk,
3806 /*secure_connections=*/false,
3807 SecurityLevel::kEncrypted,
3808 0u, // remote keys
3809 0u, // local keys
3810 kMaxEncryptionKeySize,
3811 BondableMode::NonBondable);
3812
3813 // The link should not have been assigned the LTK.
3814 EXPECT_FALSE(pairing_data().local_ltk.has_value() ||
3815 pairing_data().peer_ltk.has_value());
3816 }
3817
TEST_F(ResponderPairingTest,PairingRequestStartsPairingTimer)3818 TEST_F(ResponderPairingTest, PairingRequestStartsPairingTimer) {
3819 ReceivePairingRequest();
3820 RunFor(kPairingTimeout);
3821 EXPECT_TRUE(fake_chan()->link_error());
3822 // Pairing should fail, but no callbacks should be notified because the
3823 // pairing was initiated remotely, not through UpgradeSecurity locally
3824 ASSERT_EQ(1, pairing_complete_count());
3825 EXPECT_EQ(ToResult(HostError::kTimedOut), pairing_complete_status());
3826 EXPECT_EQ(0, security_callback_count());
3827 }
3828
TEST_F(ResponderPairingTest,RejectUnauthenticatedPairingInSecureConnectionsOnlyMode)3829 TEST_F(ResponderPairingTest,
3830 RejectUnauthenticatedPairingInSecureConnectionsOnlyMode) {
3831 SetUpSecurityManager(IOCapability::kKeyboardDisplay);
3832 pairing()->set_security_mode(gap::LESecurityMode::SecureConnectionsOnly);
3833 // In SC Only mode, SM should translate this "encrypted" request into a MITM
3834 // requirement.
3835 UpgradeSecurity(SecurityLevel::kEncrypted);
3836 RunUntilIdle();
3837 EXPECT_EQ(1, security_request_count());
3838 EXPECT_EQ(AuthReq::kBondingFlag | AuthReq::kMITM | AuthReq::kSC,
3839 security_request_payload());
3840 // The peer has NoInputNoOutput IOCapabilities, thus cannot perform
3841 // authenticated pairing.
3842 ReceivePairingRequest(IOCapability::kNoInputNoOutput,
3843 AuthReq::kBondingFlag | AuthReq::kSC);
3844 RunUntilIdle();
3845
3846 EXPECT_EQ(1, pairing_failed_count());
3847 EXPECT_EQ(1, security_callback_count());
3848 EXPECT_EQ(ToResult(ErrorCode::kAuthenticationRequirements),
3849 security_status());
3850 EXPECT_EQ(1, pairing_complete_count());
3851 EXPECT_EQ(security_status(), pairing_complete_status());
3852 }
3853
TEST_F(ResponderPairingTest,RejectInsufficientKeySizeRequestInSecureConnectionsOnlyMode)3854 TEST_F(ResponderPairingTest,
3855 RejectInsufficientKeySizeRequestInSecureConnectionsOnlyMode) {
3856 SetUpSecurityManager(IOCapability::kKeyboardDisplay);
3857 pairing()->set_security_mode(gap::LESecurityMode::SecureConnectionsOnly);
3858 // The peer encryption key size is not kMaxEncryptionKeySize, thus does not
3859 // meet the Secure Connections Only requirements.
3860 ReceivePairingRequest(IOCapability::kDisplayYesNo,
3861 AuthReq::kBondingFlag | AuthReq::kSC,
3862 kMaxEncryptionKeySize - 1);
3863 RunUntilIdle();
3864
3865 EXPECT_EQ(1, pairing_failed_count());
3866 EXPECT_EQ(1, pairing_complete_count());
3867 EXPECT_EQ(ToResult(ErrorCode::kEncryptionKeySize), pairing_complete_status());
3868 }
3869
3870 // Tests that Secure Connections works as responder
TEST_F(ResponderPairingTest,SecureConnectionsWorks)3871 TEST_F(ResponderPairingTest, SecureConnectionsWorks) {
3872 // Must have DisplayYesNo IOC to generate Authenticated security per
3873 // kExpectedSecurity
3874 SetUpSecurityManager(IOCapability::kDisplayYesNo);
3875 UInt128 ltk_bytes;
3876 const SecurityProperties kExpectedSecurity(SecurityLevel::kAuthenticated,
3877 kMaxEncryptionKeySize,
3878 /*secure_connections=*/true);
3879 FastForwardToPhase3(
3880 <k_bytes, /*secure_connections=*/true, kExpectedSecurity.level());
3881
3882 const LTK kExpectedLtk(kExpectedSecurity, hci_spec::LinkKey(ltk_bytes, 0, 0));
3883 ASSERT_TRUE(fake_link()->ltk());
3884 EXPECT_EQ(kExpectedLtk.key(), fake_link()->ltk());
3885
3886 // Pairing should succeed with the LTK as the SC pairing is bondable, even
3887 // though no keys need to be distributed in Phase 3.
3888 EXPECT_EQ(1, pairing_data_callback_count());
3889 EXPECT_TRUE(local_ltk().has_value());
3890 EXPECT_EQ(kExpectedLtk, local_ltk());
3891 EXPECT_EQ(local_ltk(), peer_ltk());
3892 EXPECT_FALSE(irk());
3893 EXPECT_FALSE(identity());
3894 EXPECT_FALSE(csrk());
3895
3896 // Should have been called at least once to determine local identity
3897 // availability.
3898 EXPECT_NE(0, local_id_info_callback_count());
3899 // Pairing should complete successfully
3900 EXPECT_EQ(1, pairing_complete_count());
3901 EXPECT_EQ(0, pairing_failed_count());
3902 EXPECT_EQ(fit::ok(), pairing_complete_status());
3903
3904 // No callbacks are notified as the peer started this pairing, not a call to
3905 // UpgradeSecurity.
3906 EXPECT_EQ(0, security_callback_count());
3907 EXPECT_EQ(0, id_info_count());
3908 EXPECT_EQ(0, id_addr_info_count());
3909
3910 EXPECT_EQ(kExpectedSecurity, pairing()->security());
3911
3912 // The security properties should have been updated to match the LTK.
3913 EXPECT_EQ(1, new_sec_props_count());
3914 EXPECT_EQ(pairing()->security(), new_sec_props());
3915
3916 ASSERT_TRUE(fake_link()->ltk());
3917 }
3918 } // namespace
3919 } // namespace bt::sm
3920 // inclusive-language: enable
3921