1 // Copyright 2023 The Pigweed Authors
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License"); you may not
4 // use this file except in compliance with the License. You may obtain a copy of
5 // the License at
6 //
7 // https://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
11 // WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
12 // License for the specific language governing permissions and limitations under
13 // the License.
14
15 #include "pw_bluetooth_sapphire/internal/host/sm/security_manager.h"
16
17 #include <pw_bytes/endian.h>
18
19 #include <chrono>
20 #include <cstdlib>
21
22 #include "pw_bluetooth_sapphire/internal/host/common/macros.h"
23 #include "pw_bluetooth_sapphire/internal/host/common/random.h"
24 #include "pw_bluetooth_sapphire/internal/host/gap/gap.h"
25 #include "pw_bluetooth_sapphire/internal/host/hci-spec/link_key.h"
26 #include "pw_bluetooth_sapphire/internal/host/hci/connection.h"
27 #include "pw_bluetooth_sapphire/internal/host/hci/fake_low_energy_connection.h"
28 #include "pw_bluetooth_sapphire/internal/host/l2cap/fake_channel_test.h"
29 #include "pw_bluetooth_sapphire/internal/host/sm/ecdh_key.h"
30 #include "pw_bluetooth_sapphire/internal/host/sm/error.h"
31 #include "pw_bluetooth_sapphire/internal/host/sm/packet.h"
32 #include "pw_bluetooth_sapphire/internal/host/sm/smp.h"
33 #include "pw_bluetooth_sapphire/internal/host/sm/types.h"
34 #include "pw_bluetooth_sapphire/internal/host/sm/util.h"
35 #include "pw_bluetooth_sapphire/internal/host/testing/controller_test.h"
36 #include "pw_bluetooth_sapphire/internal/host/testing/mock_controller.h"
37 #include "pw_bluetooth_sapphire/internal/host/testing/test_helpers.h"
38 #include "pw_bluetooth_sapphire/internal/host/testing/test_packets.h"
39 #include "pw_bluetooth_sapphire/internal/host/transport/error.h"
40
41 // inclusive-language: disable
42 namespace bt::sm {
43 namespace {
44
45 const DeviceAddress kLocalAddr(DeviceAddress::Type::kLEPublic,
46 {0xA6, 0xA5, 0xA4, 0xA3, 0xA2, 0xA1});
47 const DeviceAddress kPeerAddr(DeviceAddress::Type::kLERandom,
48 {0xB6, 0xB5, 0xB4, 0xB3, 0xB2, 0xB1});
49
50 const PairingRandomValue kHardCodedPairingRandom = {0x0,
51 0x1,
52 0x2,
53 0x3,
54 0x4,
55 0x5,
56 0x6,
57 0x7,
58 0x8,
59 0x9,
60 0xA,
61 0xB,
62 0xC,
63 0xD,
64 0xE,
65 0xF};
66
67 constexpr hci_spec::ConnectionHandle kConnectionHandle(1);
68
69 class SecurityManagerTest : public l2cap::testing::FakeChannelTest,
70 public sm::Delegate {
71 public:
SecurityManagerTest()72 SecurityManagerTest() : weak_delegate_(this) {}
73 ~SecurityManagerTest() override = default;
74
75 protected:
SetUp()76 void SetUp() override {
77 l2cap::testing::FakeChannelTest::SetUp();
78 InitializeTransport();
79 }
TearDown()80 void TearDown() override {
81 RunUntilIdle();
82 DestroySecurityManager();
83 fake_link_.reset();
84 transport_.reset();
85 l2cap::testing::FakeChannelTest::TearDown();
86 }
87
NewSecurityManager(Role role,IOCapability ioc,BondableMode bondable_mode)88 void NewSecurityManager(Role role,
89 IOCapability ioc,
90 BondableMode bondable_mode) {
91 // Setup fake SMP channel.
92 ChannelOptions options(l2cap::kLESMPChannelId);
93 fake_chan_ = CreateFakeChannel(options);
94 fake_chan_->SetSendCallback(
95 fit::bind_member<&SecurityManagerTest::OnDataReceived>(this),
96 dispatcher());
97
98 // Setup a fake logical link.
99 auto link_role = role == Role::kInitiator
100 ? pw::bluetooth::emboss::ConnectionRole::CENTRAL
101 : pw::bluetooth::emboss::ConnectionRole::PERIPHERAL;
102
103 if (fake_link_) {
104 auto status_event = testing::CommandStatusPacket(
105 hci_spec::kDisconnect, pw::bluetooth::emboss::StatusCode::SUCCESS);
106 auto disconnect_complete =
107 testing::DisconnectionCompletePacket(kConnectionHandle);
108 EXPECT_CMD_PACKET_OUT(controller_,
109 testing::DisconnectPacket(kConnectionHandle),
110 &status_event,
111 &disconnect_complete);
112 fake_link_.reset();
113 RunUntilIdle();
114 }
115 fake_link_ = std::make_unique<hci::testing::FakeLowEnergyConnection>(
116 kConnectionHandle,
117 kLocalAddr,
118 kPeerAddr,
119 link_role,
120 transport_->GetWeakPtr());
121
122 pairing_ = SecurityManager::Create(fake_link_->GetWeakPtr(),
123 fake_chan_->GetWeakPtr(),
124 ioc,
125 weak_delegate_.GetWeakPtr(),
126 bondable_mode,
127 gap::LESecurityMode::Mode1,
128 dispatcher());
129 }
130
DestroySecurityManager()131 void DestroySecurityManager() { pairing_ = nullptr; }
132
133 // sm::Delegate override:
ConfirmPairing(ConfirmCallback confirm)134 void ConfirmPairing(ConfirmCallback confirm) override {
135 if (confirm_delegate_) {
136 confirm_delegate_(std::move(confirm));
137 } else {
138 confirm(true);
139 }
140 }
141
142 // sm::Delegate override:
DisplayPasskey(uint32_t passkey,DisplayMethod method,ConfirmCallback confirm)143 void DisplayPasskey(uint32_t passkey,
144 DisplayMethod method,
145 ConfirmCallback confirm) override {
146 if (display_delegate_) {
147 display_delegate_(passkey, method, std::move(confirm));
148 } else {
149 ADD_FAILURE() << "No passkey display delegate set for "
150 << util::DisplayMethodToString(method) << " pairing";
151 }
152 }
153
154 // sm::Delegate override:
RequestPasskey(PasskeyResponseCallback respond)155 void RequestPasskey(PasskeyResponseCallback respond) override {
156 if (request_passkey_delegate_) {
157 request_passkey_delegate_(std::move(respond));
158 } else {
159 ADD_FAILURE()
160 << "No passkey entry delegate set for passkey entry pairing";
161 }
162 }
163
OnIdentityInformationRequest()164 std::optional<IdentityInfo> OnIdentityInformationRequest() override {
165 local_id_info_callback_count_++;
166 return local_id_info_;
167 }
168
169 // Called by |pairing_| when the pairing procedure ends.
OnPairingComplete(Result<> status)170 void OnPairingComplete(Result<> status) override {
171 pairing_complete_count_++;
172 pairing_complete_status_ = status;
173 }
174
175 // Called by |pairing_| when a new LTK is obtained.
OnNewPairingData(const PairingData & pairing_data)176 void OnNewPairingData(const PairingData& pairing_data) override {
177 pairing_data_callback_count_++;
178 pairing_data_ = pairing_data;
179 }
180
181 // Called by |pairing_| when any encryption procedure fails.
OnAuthenticationFailure(hci::Result<> status)182 void OnAuthenticationFailure(hci::Result<> status) override {
183 auth_failure_callback_count_++;
184 auth_failure_status_ = status;
185 }
186
187 // Called by |pairing_| when the link security properties change.
OnNewSecurityProperties(const SecurityProperties & sec)188 void OnNewSecurityProperties(const SecurityProperties& sec) override {
189 new_sec_props_count_++;
190 new_sec_props_ = sec;
191 }
192
UpgradeSecurity(SecurityLevel level)193 void UpgradeSecurity(SecurityLevel level) {
194 PW_DCHECK(pairing_);
195 pairing_->UpgradeSecurity(level, [this](auto status, const auto& props) {
196 security_callback_count_++;
197 security_status_ = status;
198 sec_props_ = props;
199 });
200 }
201
202 // Called when SMP sends a packet over the fake channel.
OnDataReceived(std::unique_ptr<const ByteBuffer> packet)203 void OnDataReceived(std::unique_ptr<const ByteBuffer> packet) {
204 PW_DCHECK(packet);
205
206 PacketReader reader(packet.get());
207 switch (reader.code()) {
208 case kPairingFailed:
209 pairing_failed_count_++;
210 received_error_code_ = reader.payload<PairingFailedParams>();
211 break;
212 case kSecurityRequest:
213 security_request_count_++;
214 security_auth_req_ = reader.payload<AuthReqField>();
215 break;
216 case kPairingRequest:
217 pairing_request_count_++;
218 packet->Copy(&local_pairing_cmd_);
219 break;
220 case kPairingResponse:
221 pairing_response_count_++;
222 packet->Copy(&local_pairing_cmd_);
223 break;
224 case kPairingPublicKey:
225 pairing_public_key_count_++;
226 public_ecdh_key_ = EcdhKey::ParseFromPublicKey(
227 reader.payload<PairingPublicKeyParams>());
228 break;
229 case kPairingConfirm:
230 pairing_confirm_count_++;
231 pairing_confirm_ = reader.payload<PairingConfirmValue>();
232 break;
233 case kPairingRandom:
234 pairing_random_count_++;
235 pairing_random_ = reader.payload<PairingRandomValue>();
236 break;
237 case kPairingDHKeyCheck:
238 pairing_dhkey_check_count_++;
239 pairing_dhkey_check_ = reader.payload<PairingDHKeyCheckValueE>();
240 break;
241 case kEncryptionInformation:
242 enc_info_count_++;
243 enc_info_ = reader.payload<EncryptionInformationParams>();
244 break;
245 case kCentralIdentification: {
246 const auto& params = reader.payload<CentralIdentificationParams>();
247 central_ident_count_++;
248 ediv_ = pw::bytes::ConvertOrderFrom(cpp20::endian::little, params.ediv);
249 rand_ = pw::bytes::ConvertOrderFrom(cpp20::endian::little, params.rand);
250 break;
251 }
252 case kIdentityInformation:
253 id_info_count_++;
254 id_info_ = reader.payload<UInt128>();
255 break;
256 case kIdentityAddressInformation: {
257 const auto& params = reader.payload<IdentityAddressInformationParams>();
258 id_addr_info_count_++;
259 id_addr_info_ = DeviceAddress(params.type == AddressType::kStaticRandom
260 ? DeviceAddress::Type::kLERandom
261 : DeviceAddress::Type::kLEPublic,
262 params.bd_addr);
263 break;
264 }
265 default:
266 FAIL() << "Sent unsupported SMP command";
267 }
268 }
269
270 // Emulates the receipt of pairing features (both as initiator and responder).
ReceivePairingFeatures(const PairingRequestParams & params,bool peer_initiator=false)271 void ReceivePairingFeatures(const PairingRequestParams& params,
272 bool peer_initiator = false) {
273 PacketWriter writer(peer_initiator ? kPairingRequest : kPairingResponse,
274 &peer_pairing_cmd_);
275 *writer.mutable_payload<PairingRequestParams>() = params;
276 fake_chan()->Receive(peer_pairing_cmd_);
277 }
278
ReceivePairingFeatures(IOCapability ioc=IOCapability::kNoInputNoOutput,AuthReqField auth_req=0,uint8_t max_enc_key_size=kMaxEncryptionKeySize,bool peer_initiator=false)279 void ReceivePairingFeatures(IOCapability ioc = IOCapability::kNoInputNoOutput,
280 AuthReqField auth_req = 0,
281 uint8_t max_enc_key_size = kMaxEncryptionKeySize,
282 bool peer_initiator = false) {
283 PairingRequestParams pairing_params;
284 std::memset(&pairing_params, 0, sizeof(pairing_params));
285 pairing_params.io_capability = ioc;
286 pairing_params.auth_req = auth_req;
287 pairing_params.max_encryption_key_size = max_enc_key_size;
288
289 ReceivePairingFeatures(pairing_params, peer_initiator);
290 }
291
ReceivePairingFailed(ErrorCode error_code)292 void ReceivePairingFailed(ErrorCode error_code) {
293 StaticByteBuffer<sizeof(Header) + sizeof(ErrorCode)> buffer;
294 PacketWriter writer(kPairingFailed, &buffer);
295 *writer.mutable_payload<PairingFailedParams>() = error_code;
296 fake_chan()->Receive(buffer);
297 }
298
ReceivePairingPublicKey(const PairingPublicKeyParams & key)299 void ReceivePairingPublicKey(const PairingPublicKeyParams& key) {
300 StaticByteBuffer<util::PacketSize<PairingPublicKeyParams>()> buffer;
301 PacketWriter writer(kPairingPublicKey, &buffer);
302 std::memcpy(
303 writer.mutable_payload_bytes(), &key, sizeof(PairingPublicKeyParams));
304 fake_chan()->Receive(buffer);
305 }
306
ReceivePairingConfirm(const UInt128 & confirm)307 void ReceivePairingConfirm(const UInt128& confirm) {
308 Receive128BitCmd(kPairingConfirm, confirm);
309 }
310
ReceivePairingRandom(const UInt128 & random)311 void ReceivePairingRandom(const UInt128& random) {
312 Receive128BitCmd(kPairingRandom, random);
313 }
314
ReceivePairingDHKeyCheck(const UInt128 & check)315 void ReceivePairingDHKeyCheck(const UInt128& check) {
316 Receive128BitCmd(kPairingDHKeyCheck, check);
317 }
318
ReceiveEncryptionInformation(const UInt128 & ltk)319 void ReceiveEncryptionInformation(const UInt128& ltk) {
320 Receive128BitCmd(kEncryptionInformation, ltk);
321 }
322
ReceiveCentralIdentification(uint64_t random,uint16_t ediv)323 void ReceiveCentralIdentification(uint64_t random, uint16_t ediv) {
324 StaticByteBuffer<sizeof(Header) + sizeof(CentralIdentificationParams)>
325 buffer;
326 PacketWriter writer(kCentralIdentification, &buffer);
327 auto* params = writer.mutable_payload<CentralIdentificationParams>();
328 params->ediv = pw::bytes::ConvertOrderTo(cpp20::endian::little, ediv);
329 params->rand = pw::bytes::ConvertOrderTo(cpp20::endian::little, random);
330 fake_chan()->Receive(buffer);
331 }
332
ReceiveIdentityResolvingKey(const UInt128 & irk)333 void ReceiveIdentityResolvingKey(const UInt128& irk) {
334 Receive128BitCmd(kIdentityInformation, irk);
335 }
336
ReceiveNonBondablePairingResponse()337 void ReceiveNonBondablePairingResponse() {
338 // clang-format off
339 const StaticByteBuffer kResponse(
340 0x02, // code: Pairing Response
341 0x00, // IO cap.: DisplayOnly
342 0x00, // OOB: not present
343 0x00, // AuthReq: no bonding, MITM not required
344 0x07, // encr. key size: 7 (default min)
345 0x00, // initiator keys: none
346 0x00 // responder keys: none - nonbondable mode
347 );
348 // clang-format on
349 fake_chan()->Receive(kResponse);
350 }
351
ReceiveIdentityAddress(const DeviceAddress & address)352 void ReceiveIdentityAddress(const DeviceAddress& address) {
353 StaticByteBuffer<sizeof(Header) + sizeof(IdentityAddressInformationParams)>
354 buffer;
355 PacketWriter writer(kIdentityAddressInformation, &buffer);
356 auto* params = writer.mutable_payload<IdentityAddressInformationParams>();
357 params->type = address.type() == DeviceAddress::Type::kLEPublic
358 ? AddressType::kPublic
359 : AddressType::kStaticRandom;
360 params->bd_addr = address.value();
361 fake_chan()->Receive(buffer);
362 }
363
ReceiveSecurityRequest(AuthReqField auth_req=0u)364 void ReceiveSecurityRequest(AuthReqField auth_req = 0u) {
365 StaticByteBuffer<sizeof(Header) + sizeof(AuthReqField)> buffer;
366 buffer[0] = kSecurityRequest;
367 buffer[1] = auth_req;
368 fake_chan()->Receive(buffer);
369 RunUntilIdle();
370 }
371
GenerateLegacyConfirmValue(const UInt128 & random,UInt128 * out_value,bool peer_initiator=false,uint32_t tk=0)372 void GenerateLegacyConfirmValue(const UInt128& random,
373 UInt128* out_value,
374 bool peer_initiator = false,
375 uint32_t tk = 0) {
376 PW_DCHECK(out_value);
377
378 tk = pw::bytes::ConvertOrderTo(cpp20::endian::little, tk);
379 UInt128 tk128;
380 tk128.fill(0);
381 std::memcpy(tk128.data(), &tk, sizeof(tk));
382
383 const ByteBuffer *preq, *pres;
384 const DeviceAddress *init_addr, *rsp_addr;
385 if (peer_initiator) {
386 preq = &peer_pairing_cmd();
387 pres = &local_pairing_cmd();
388 init_addr = &kPeerAddr;
389 rsp_addr = &kLocalAddr;
390 } else {
391 preq = &local_pairing_cmd();
392 pres = &peer_pairing_cmd();
393 init_addr = &kLocalAddr;
394 rsp_addr = &kPeerAddr;
395 }
396
397 util::C1(tk128, random, *preq, *pres, *init_addr, *rsp_addr, out_value);
398 }
399
GenerateScConfirmValue(const LocalEcdhKey & peer_key,const UInt128 & random,Role local_role,bool gen_initiator_confirm,uint8_t r=0)400 UInt128 GenerateScConfirmValue(const LocalEcdhKey& peer_key,
401 const UInt128& random,
402 Role local_role,
403 bool gen_initiator_confirm,
404 uint8_t r = 0) {
405 PW_CHECK(public_ecdh_key_.has_value(),
406 "cannot compute confirm, missing key!");
407 UInt256 pka = public_ecdh_key_->GetPublicKeyX(),
408 pkb = peer_key.GetPublicKeyX();
409 if (local_role == Role::kResponder) {
410 std::swap(pka, pkb);
411 }
412 return gen_initiator_confirm ? util::F4(pka, pkb, random, r).value()
413 : util::F4(pkb, pka, random, r).value();
414 }
415
pairing() const416 SecurityManager* pairing() const { return pairing_.get(); }
fake_chan() const417 l2cap::testing::FakeChannel* fake_chan() const { return fake_chan_.get(); }
fake_link() const418 hci::testing::FakeLowEnergyConnection* fake_link() const {
419 return fake_link_.get();
420 }
421
security_callback_count() const422 int security_callback_count() const { return security_callback_count_; }
received_error_code() const423 const std::optional<ErrorCode>& received_error_code() const {
424 return received_error_code_;
425 }
security_status() const426 const Result<>& security_status() const { return security_status_; }
sec_props() const427 const SecurityProperties& sec_props() const { return sec_props_; }
428
pairing_complete_count() const429 int pairing_complete_count() const { return pairing_complete_count_; }
pairing_complete_status() const430 const Result<>& pairing_complete_status() const {
431 return pairing_complete_status_;
432 }
433
pairing_data_callback_count() const434 int pairing_data_callback_count() const {
435 return pairing_data_callback_count_;
436 }
437
auth_failure_callback_count() const438 int auth_failure_callback_count() const {
439 return auth_failure_callback_count_;
440 }
auth_failure_status() const441 const hci::Result<>& auth_failure_status() const {
442 return auth_failure_status_;
443 }
444
local_id_info_callback_count() const445 int local_id_info_callback_count() const {
446 return local_id_info_callback_count_;
447 }
448
new_sec_props_count() const449 int new_sec_props_count() const { return new_sec_props_count_; }
new_sec_props() const450 const SecurityProperties& new_sec_props() const { return new_sec_props_; }
451
peer_ltk() const452 const std::optional<LTK>& peer_ltk() const { return pairing_data_.peer_ltk; }
local_ltk() const453 const std::optional<LTK>& local_ltk() const {
454 return pairing_data_.local_ltk;
455 }
irk() const456 const std::optional<Key>& irk() const { return pairing_data_.irk; }
identity() const457 const std::optional<DeviceAddress>& identity() const {
458 return pairing_data_.identity_address;
459 }
csrk() const460 const std::optional<Key>& csrk() const { return pairing_data_.csrk; }
461
462 using ConfirmDelegate = fit::function<void(ConfirmCallback)>;
set_confirm_delegate(ConfirmDelegate delegate)463 void set_confirm_delegate(ConfirmDelegate delegate) {
464 confirm_delegate_ = std::move(delegate);
465 }
466
467 using DisplayDelegate =
468 fit::function<void(uint32_t, DisplayMethod, ConfirmCallback)>;
set_display_delegate(DisplayDelegate delegate)469 void set_display_delegate(DisplayDelegate delegate) {
470 display_delegate_ = std::move(delegate);
471 }
472
473 // sm::Delegate override:
474 using RequestPasskeyDelegate = fit::function<void(PasskeyResponseCallback)>;
set_request_passkey_delegate(RequestPasskeyDelegate delegate)475 void set_request_passkey_delegate(RequestPasskeyDelegate delegate) {
476 request_passkey_delegate_ = std::move(delegate);
477 }
478
set_local_id_info(std::optional<IdentityInfo> info)479 void set_local_id_info(std::optional<IdentityInfo> info) {
480 local_id_info_ = info;
481 }
482
security_request_count() const483 int security_request_count() const { return security_request_count_; }
pairing_failed_count() const484 int pairing_failed_count() const { return pairing_failed_count_; }
pairing_request_count() const485 int pairing_request_count() const { return pairing_request_count_; }
pairing_response_count() const486 int pairing_response_count() const { return pairing_response_count_; }
pairing_public_key_count() const487 int pairing_public_key_count() const { return pairing_public_key_count_; }
pairing_confirm_count() const488 int pairing_confirm_count() const { return pairing_confirm_count_; }
pairing_random_count() const489 int pairing_random_count() const { return pairing_random_count_; }
pairing_dhkey_check_count() const490 int pairing_dhkey_check_count() const { return pairing_dhkey_check_count_; }
enc_info_count() const491 int enc_info_count() const { return enc_info_count_; }
id_info_count() const492 int id_info_count() const { return id_info_count_; }
id_addr_info_count() const493 int id_addr_info_count() const { return id_addr_info_count_; }
central_ident_count() const494 int central_ident_count() const { return central_ident_count_; }
495
security_request_payload() const496 AuthReqField security_request_payload() const { return security_auth_req_; }
public_ecdh_key() const497 const std::optional<EcdhKey>& public_ecdh_key() const {
498 return public_ecdh_key_;
499 }
pairing_confirm() const500 const UInt128& pairing_confirm() const { return pairing_confirm_; }
pairing_random() const501 const UInt128& pairing_random() const { return pairing_random_; }
pairing_dhkey_check() const502 const UInt128& pairing_dhkey_check() const { return pairing_dhkey_check_; }
enc_info() const503 const UInt128& enc_info() const { return enc_info_; }
id_info() const504 const UInt128& id_info() const { return id_info_; }
id_addr_info() const505 const DeviceAddress& id_addr_info() const { return id_addr_info_; }
ediv() const506 uint16_t ediv() const { return ediv_; }
rand() const507 uint64_t rand() const { return rand_; }
pairing_data() const508 const PairingData& pairing_data() const { return pairing_data_; }
509
local_pairing_cmd() const510 const ByteBuffer& local_pairing_cmd() const { return local_pairing_cmd_; }
peer_pairing_cmd() const511 const ByteBuffer& peer_pairing_cmd() const { return peer_pairing_cmd_; }
512
513 private:
Receive128BitCmd(Code cmd_code,const UInt128 & value)514 void Receive128BitCmd(Code cmd_code, const UInt128& value) {
515 StaticByteBuffer<sizeof(Header) + sizeof(UInt128)> buffer;
516 PacketWriter writer(cmd_code, &buffer);
517 *writer.mutable_payload<UInt128>() = value;
518 fake_chan()->Receive(buffer);
519 }
520
InitializeTransport()521 void InitializeTransport() {
522 // Ensure any tasks posted by an existing transport are dispatched.
523 RunUntilIdle();
524 auto mock_controller =
525 std::make_unique<bt::testing::MockController>(dispatcher());
526 controller_ = mock_controller->GetWeakPtr();
527 transport_ = std::make_unique<hci::Transport>(std::move(mock_controller),
528 dispatcher());
529 std::optional<bool> init_success;
530 transport_->Initialize([&](bool success) { init_success = success; });
531 RunUntilIdle();
532 ASSERT_TRUE(init_success.has_value());
533 ASSERT_TRUE(init_success.value());
534 transport_->InitializeACLDataChannel(hci::DataBufferInfo(1, 1),
535 hci::DataBufferInfo(1, 1));
536 }
537
538 testing::MockController::WeakPtr controller_;
539 std::unique_ptr<hci::Transport> transport_;
540
541 // We store the preq/pres values here to generate a valid confirm value for
542 // the fake side.
543 StaticByteBuffer<sizeof(Header) + sizeof(PairingRequestParams)>
544 local_pairing_cmd_, peer_pairing_cmd_;
545
546 // Number of times the security callback given to UpgradeSecurity has been
547 // called and the most recent parameters that it was called with.
548 int security_callback_count_ = 0;
549 Result<> security_status_ = fit::ok();
550 SecurityProperties sec_props_;
551
552 // Number of times the pairing data callback has been called and the most
553 // recent value that it was called with.
554 int pairing_data_callback_count_ = 0;
555 PairingData pairing_data_;
556
557 // Number of times the link security properties have been notified via
558 // OnNewSecurityProperties().
559 int new_sec_props_count_ = 0;
560 SecurityProperties new_sec_props_;
561
562 // State tracking the OnPairingComplete event.
563 int pairing_complete_count_ = 0;
564 Result<> pairing_complete_status_ = fit::ok();
565
566 // State tracking the OnAuthenticationFailure event.
567 int auth_failure_callback_count_ = 0;
568 hci::Result<> auth_failure_status_ = fit::ok();
569
570 // State tracking the OnIdentityInformationRequest event.
571 int local_id_info_callback_count_ = 0;
572 std::optional<IdentityInfo> local_id_info_;
573
574 // Delegate functions used to respond to user input requests from the Security
575 // Manager.
576 ConfirmDelegate confirm_delegate_;
577 DisplayDelegate display_delegate_;
578 RequestPasskeyDelegate request_passkey_delegate_;
579
580 // Counts of commands that we have sent out to the peer.
581 int security_request_count_ = 0;
582 int pairing_failed_count_ = 0;
583 int pairing_request_count_ = 0;
584 int pairing_response_count_ = 0;
585 int pairing_public_key_count_ = 0;
586 int pairing_confirm_count_ = 0;
587 int pairing_random_count_ = 0;
588 int pairing_dhkey_check_count_ = 0;
589 int enc_info_count_ = 0;
590 int id_info_count_ = 0;
591 int id_addr_info_count_ = 0;
592 int central_ident_count_ = 0;
593
594 // Values that have we have sent to the peer.
595 AuthReqField security_auth_req_ = 0;
596 std::optional<EcdhKey> public_ecdh_key_;
597 UInt128 pairing_confirm_ = {};
598 UInt128 pairing_random_ = {};
599 UInt128 pairing_dhkey_check_ = {};
600 UInt128 enc_info_ = {};
601 UInt128 id_info_ = {};
602 DeviceAddress id_addr_info_;
603 uint16_t ediv_ = 0;
604 uint64_t rand_ = 0;
605
606 std::optional<ErrorCode> received_error_code_;
607
608 std::unique_ptr<l2cap::testing::FakeChannel> fake_chan_;
609 std::unique_ptr<hci::testing::FakeLowEnergyConnection> fake_link_;
610 std::unique_ptr<SecurityManager> pairing_;
611
612 WeakSelf<Delegate> weak_delegate_;
613
614 BT_DISALLOW_COPY_AND_ASSIGN_ALLOW_MOVE(SecurityManagerTest);
615 };
616
617 class InitiatorPairingTest : public SecurityManagerTest {
618 public:
619 InitiatorPairingTest() = default;
620 ~InitiatorPairingTest() override = default;
621
SetUp()622 void SetUp() override {
623 SecurityManagerTest::SetUp();
624 SetUpSecurityManager();
625 }
626
SetUpSecurityManager(IOCapability ioc=IOCapability::kDisplayOnly,BondableMode bondable_mode=BondableMode::Bondable)627 void SetUpSecurityManager(
628 IOCapability ioc = IOCapability::kDisplayOnly,
629 BondableMode bondable_mode = BondableMode::Bondable) {
630 NewSecurityManager(Role::kInitiator, ioc, bondable_mode);
631 }
632
GenerateMatchingLegacyConfirmAndRandom(UInt128 * out_confirm,UInt128 * out_random,uint32_t tk=0)633 void GenerateMatchingLegacyConfirmAndRandom(UInt128* out_confirm,
634 UInt128* out_random,
635 uint32_t tk = 0) {
636 PW_DCHECK(out_confirm);
637 PW_DCHECK(out_random);
638 *out_random = kHardCodedPairingRandom;
639 GenerateLegacyConfirmValue(
640 *out_random, out_confirm, /*peer_initiator=*/false, tk);
641 }
642
643 struct MatchingPair {
644 UInt128 confirm;
645 UInt128 random;
646 };
GenerateMatchingScConfirmAndRandom(const LocalEcdhKey & peer_key,uint8_t r=0)647 MatchingPair GenerateMatchingScConfirmAndRandom(const LocalEcdhKey& peer_key,
648 uint8_t r = 0) {
649 MatchingPair pair;
650 pair.random = kHardCodedPairingRandom;
651 pair.confirm = GenerateScConfirmValue(peer_key,
652 pair.random,
653 Role::kInitiator,
654 /*gen_initiator_confirm=*/false,
655 r);
656 return pair;
657 }
658 // Emulate legacy pairing up until before encryption with STK. Returns the STK
659 // that the initiator is expected to encrypt the link with in |out_stk|.
660 //
661 // This will not resolve the encryption request that is made by using the STK
662 // before this function returns (this is to unit test encryption failure). Use
663 // FastForwardToPhase3() to also emulate successful encryption.
FastForwardToSTK(UInt128 * out_stk,SecurityLevel level=SecurityLevel::kEncrypted,KeyDistGenField remote_keys=0,KeyDistGenField local_keys=0,uint8_t max_key_size=kMaxEncryptionKeySize,BondableMode bondable_mode=BondableMode::Bondable)664 void FastForwardToSTK(UInt128* out_stk,
665 SecurityLevel level = SecurityLevel::kEncrypted,
666 KeyDistGenField remote_keys = 0,
667 KeyDistGenField local_keys = 0,
668 uint8_t max_key_size = kMaxEncryptionKeySize,
669 BondableMode bondable_mode = BondableMode::Bondable) {
670 UpgradeSecurity(level);
671
672 PairingRequestParams pairing_params;
673 pairing_params.io_capability = IOCapability::kNoInputNoOutput;
674 AuthReqField bondable = (bondable_mode == BondableMode::Bondable)
675 ? AuthReq::kBondingFlag
676 : 0,
677 mitm_protected = (level >= SecurityLevel::kAuthenticated)
678 ? AuthReq::kMITM
679 : 0;
680 pairing_params.auth_req = mitm_protected | bondable;
681 pairing_params.max_encryption_key_size = max_key_size;
682 pairing_params.initiator_key_dist_gen = local_keys;
683 pairing_params.responder_key_dist_gen = remote_keys;
684 ReceivePairingFeatures(pairing_params);
685
686 // Run the loop until the harness caches the feature exchange PDUs (preq &
687 // pres) so that we can generate a valid confirm value.
688 RunUntilIdle();
689
690 UInt128 sconfirm, srand;
691 GenerateMatchingLegacyConfirmAndRandom(&sconfirm, &srand);
692 ReceivePairingConfirm(sconfirm);
693 ReceivePairingRandom(srand);
694 RunUntilIdle();
695
696 EXPECT_EQ(1, pairing_confirm_count());
697 EXPECT_EQ(1, pairing_random_count());
698 EXPECT_EQ(0, pairing_failed_count());
699 EXPECT_EQ(0, security_callback_count());
700
701 PW_DCHECK(out_stk);
702
703 UInt128 tk;
704 tk.fill(0);
705 util::S1(tk, srand, pairing_random(), out_stk);
706 }
707
FastForwardToPhase3(UInt128 * out_encryption_key,bool secure_connections=false,SecurityLevel level=SecurityLevel::kEncrypted,KeyDistGenField remote_keys=0,KeyDistGenField local_keys=0,uint8_t max_key_size=kMaxEncryptionKeySize,BondableMode bondable_mode=BondableMode::Bondable)708 void FastForwardToPhase3(
709 UInt128* out_encryption_key,
710 bool secure_connections = false,
711 SecurityLevel level = SecurityLevel::kEncrypted,
712 KeyDistGenField remote_keys = 0,
713 KeyDistGenField local_keys = 0,
714 uint8_t max_key_size = kMaxEncryptionKeySize,
715 BondableMode bondable_mode = BondableMode::Bondable) {
716 if (secure_connections) {
717 FastForwardToScLtk(
718 out_encryption_key, level, remote_keys, local_keys, bondable_mode);
719 } else {
720 FastForwardToSTK(out_encryption_key,
721 level,
722 remote_keys,
723 local_keys,
724 max_key_size,
725 bondable_mode);
726 }
727
728 ASSERT_TRUE(fake_link()->ltk());
729 EXPECT_EQ(1, fake_link()->start_encryption_count());
730
731 // Resolve the encryption request.
732 fake_link()->TriggerEncryptionChangeCallback(fit::ok(/*enabled=*/true));
733 RunUntilIdle();
734 EXPECT_EQ(1, new_sec_props_count());
735 EXPECT_EQ(level, new_sec_props().level());
736 }
737
FastForwardToScLtk(UInt128 * out_ltk,SecurityLevel level=SecurityLevel::kEncrypted,KeyDistGenField peer_keys=0,KeyDistGenField local_keys=0,BondableMode bondable=BondableMode::Bondable)738 void FastForwardToScLtk(UInt128* out_ltk,
739 SecurityLevel level = SecurityLevel::kEncrypted,
740 KeyDistGenField peer_keys = 0,
741 KeyDistGenField local_keys = 0,
742 BondableMode bondable = BondableMode::Bondable) {
743 UpgradeSecurity(level);
744 RunUntilIdle();
745
746 ASSERT_EQ(1, pairing_request_count());
747 PairingRequestParams pres;
748 pres.io_capability = IOCapability::kDisplayYesNo;
749 pres.oob_data_flag = OOBDataFlag::kNotPresent;
750 AuthReqField bondable_flag =
751 (bondable == BondableMode::Bondable) ? AuthReq::kBondingFlag : 0;
752 AuthReqField mitm_flag =
753 (level >= SecurityLevel::kAuthenticated) ? AuthReq::kMITM : 0;
754 pres.auth_req = AuthReq::kSC | mitm_flag | bondable_flag;
755 pres.max_encryption_key_size = kMaxEncryptionKeySize;
756 pres.initiator_key_dist_gen = local_keys;
757 pres.responder_key_dist_gen = peer_keys;
758 ReceivePairingFeatures(pres);
759 RunUntilIdle();
760
761 ASSERT_TRUE(public_ecdh_key().has_value());
762 LocalEcdhKey peer_key = *LocalEcdhKey::Create();
763 ReceivePairingPublicKey(peer_key.GetSerializedPublicKey());
764 RunUntilIdle();
765 // We're in SC Numeric Comparison/Just Works, so as initiator we should not
766 // send a confirm.
767 ASSERT_EQ(0, pairing_confirm_count());
768 MatchingPair phase_2_vals = GenerateMatchingScConfirmAndRandom(peer_key);
769 ReceivePairingConfirm(phase_2_vals.confirm);
770 RunUntilIdle();
771 ASSERT_EQ(1, pairing_random_count());
772 // If using MITM, we expect to be in Numeric Comparison
773 ConfirmCallback display_cb = nullptr;
774 if (mitm_flag != 0) {
775 uint32_t kExpectedDisplayVal =
776 *util::G2(public_ecdh_key()->GetPublicKeyX(),
777 peer_key.GetPublicKeyX(),
778 pairing_random(),
779 phase_2_vals.random) %
780 1000000;
781 set_display_delegate(
782 [kExpectedDisplayVal, &display_cb](uint32_t compare_value,
783 Delegate::DisplayMethod method,
784 ConfirmCallback cb) {
785 ASSERT_TRUE(method == Delegate::DisplayMethod::kComparison);
786 ASSERT_EQ(kExpectedDisplayVal, compare_value);
787 display_cb = std::move(cb);
788 });
789 }
790 ReceivePairingRandom(phase_2_vals.random);
791 RunUntilIdle();
792 if (mitm_flag != 0) {
793 ASSERT_TRUE(display_cb);
794 display_cb(true);
795 } // Else we are content to use the default confirm delegate behavior to
796 // accept the pairing.
797
798 util::F5Results f5 = *util::F5(peer_key.CalculateDhKey(*public_ecdh_key()),
799 pairing_random(),
800 phase_2_vals.random,
801 kLocalAddr,
802 kPeerAddr);
803
804 UInt128 r_array{0};
805 PacketReader reader(&local_pairing_cmd());
806 PairingResponseParams preq = reader.payload<PairingRequestParams>();
807 UInt128 dhkey_check_a = *util::F6(f5.mac_key,
808 pairing_random(),
809 phase_2_vals.random,
810 r_array,
811 preq.auth_req,
812 preq.oob_data_flag,
813 preq.io_capability,
814 kLocalAddr,
815 kPeerAddr);
816 UInt128 dhkey_check_b = *util::F6(f5.mac_key,
817 phase_2_vals.random,
818 pairing_random(),
819 r_array,
820 pres.auth_req,
821 pres.oob_data_flag,
822 pres.io_capability,
823 kPeerAddr,
824 kLocalAddr);
825 RunUntilIdle();
826 EXPECT_EQ(1, pairing_dhkey_check_count());
827 ASSERT_EQ(dhkey_check_a, pairing_dhkey_check());
828 ReceivePairingDHKeyCheck(dhkey_check_b);
829 RunUntilIdle();
830 EXPECT_EQ(0, pairing_failed_count());
831 EXPECT_EQ(0, security_callback_count());
832
833 ASSERT_TRUE(out_ltk);
834 *out_ltk = f5.ltk;
835 }
836
837 private:
838 BT_DISALLOW_COPY_AND_ASSIGN_ALLOW_MOVE(InitiatorPairingTest);
839 };
840
841 class ResponderPairingTest : public SecurityManagerTest {
842 public:
843 ResponderPairingTest() = default;
844 ~ResponderPairingTest() override = default;
845
SetUp()846 void SetUp() override {
847 SecurityManagerTest::SetUp();
848 SetUpSecurityManager();
849 }
850
SetUpSecurityManager(IOCapability ioc=IOCapability::kDisplayOnly,BondableMode bondable_mode=BondableMode::Bondable)851 void SetUpSecurityManager(
852 IOCapability ioc = IOCapability::kDisplayOnly,
853 BondableMode bondable_mode = BondableMode::Bondable) {
854 NewSecurityManager(Role::kResponder, ioc, bondable_mode);
855 }
856
GenerateMatchingLegacyConfirmAndRandom(UInt128 * out_confirm,UInt128 * out_random,uint32_t tk=0)857 void GenerateMatchingLegacyConfirmAndRandom(UInt128* out_confirm,
858 UInt128* out_random,
859 uint32_t tk = 0) {
860 PW_DCHECK(out_confirm);
861 PW_DCHECK(out_random);
862 *out_random = kHardCodedPairingRandom;
863 GenerateLegacyConfirmValue(
864 *out_random, out_confirm, /*peer_initiator=*/true, tk);
865 }
866 struct MatchingPair {
867 UInt128 confirm;
868 UInt128 random;
869 };
GenerateMatchingScConfirmAndRandom(const LocalEcdhKey & peer_key,uint8_t r=0)870 MatchingPair GenerateMatchingScConfirmAndRandom(const LocalEcdhKey& peer_key,
871 uint8_t r = 0) {
872 MatchingPair pair;
873 pair.random = kHardCodedPairingRandom;
874 pair.confirm = GenerateScConfirmValue(peer_key,
875 pair.random,
876 Role::kResponder,
877 /*gen_initiator_confirm=*/true,
878 r);
879 return pair;
880 }
ReceivePairingRequest(IOCapability ioc=IOCapability::kNoInputNoOutput,AuthReqField auth_req=0,uint8_t max_enc_key_size=kMaxEncryptionKeySize)881 void ReceivePairingRequest(IOCapability ioc = IOCapability::kNoInputNoOutput,
882 AuthReqField auth_req = 0,
883 uint8_t max_enc_key_size = kMaxEncryptionKeySize) {
884 ReceivePairingFeatures(
885 ioc, auth_req, max_enc_key_size, /*peer_initiator=*/true);
886 }
887
FastForwardToSTK(UInt128 * out_stk,SecurityLevel level=SecurityLevel::kEncrypted,KeyDistGenField remote_keys=0,KeyDistGenField local_keys=0,uint8_t max_key_size=kMaxEncryptionKeySize,BondableMode bondable_mode=BondableMode::Bondable)888 void FastForwardToSTK(UInt128* out_stk,
889 SecurityLevel level = SecurityLevel::kEncrypted,
890 KeyDistGenField remote_keys = 0,
891 KeyDistGenField local_keys = 0,
892 uint8_t max_key_size = kMaxEncryptionKeySize,
893 BondableMode bondable_mode = BondableMode::Bondable) {
894 PairingRequestParams pairing_params;
895 pairing_params.io_capability = IOCapability::kNoInputNoOutput;
896 AuthReqField bondable = (bondable_mode == BondableMode::Bondable)
897 ? AuthReq::kBondingFlag
898 : 0,
899 mitm_protected = (level >= SecurityLevel::kAuthenticated)
900 ? AuthReq::kMITM
901 : 0;
902 pairing_params.auth_req = mitm_protected | bondable;
903 pairing_params.max_encryption_key_size = max_key_size;
904 pairing_params.initiator_key_dist_gen = remote_keys;
905 pairing_params.responder_key_dist_gen = local_keys;
906 ReceivePairingFeatures(pairing_params, /*peer_initiator=*/true);
907
908 // Run the loop until the harness caches the feature exchange PDUs (preq &
909 // pres) so that we can generate a valid confirm value.
910 RunUntilIdle();
911 EXPECT_EQ(0, pairing_request_count());
912 EXPECT_EQ(1, pairing_response_count());
913
914 // The initiator should start the confirm/random exchange to generate the
915 // Phase 2 keys.
916 EXPECT_EQ(0, pairing_confirm_count());
917 EXPECT_EQ(0, pairing_random_count());
918
919 UInt128 mconfirm, mrand;
920 GenerateMatchingLegacyConfirmAndRandom(&mconfirm, &mrand);
921 ReceivePairingConfirm(mconfirm);
922 RunUntilIdle();
923 EXPECT_EQ(1, pairing_confirm_count());
924 EXPECT_EQ(0, pairing_random_count());
925
926 ReceivePairingRandom(mrand);
927 RunUntilIdle();
928 EXPECT_EQ(1, pairing_confirm_count());
929 EXPECT_EQ(1, pairing_random_count());
930 EXPECT_EQ(0, pairing_failed_count());
931 EXPECT_EQ(0, security_callback_count());
932
933 PW_DCHECK(out_stk);
934
935 UInt128 tk;
936 tk.fill(0);
937 util::S1(tk, pairing_random(), mrand, out_stk);
938 }
939
FastForwardToPhase3(UInt128 * out_encryption_key,bool secure_connections=false,SecurityLevel level=SecurityLevel::kEncrypted,KeyDistGenField remote_keys=0,KeyDistGenField local_keys=0,uint8_t max_key_size=kMaxEncryptionKeySize,BondableMode bondable_mode=BondableMode::Bondable)940 void FastForwardToPhase3(
941 UInt128* out_encryption_key,
942 bool secure_connections = false,
943 SecurityLevel level = SecurityLevel::kEncrypted,
944 KeyDistGenField remote_keys = 0,
945 KeyDistGenField local_keys = 0,
946 uint8_t max_key_size = kMaxEncryptionKeySize,
947 BondableMode bondable_mode = BondableMode::Bondable) {
948 if (secure_connections) {
949 FastForwardToScLtk(
950 out_encryption_key, level, remote_keys, local_keys, bondable_mode);
951 } else {
952 FastForwardToSTK(out_encryption_key,
953 level,
954 remote_keys,
955 local_keys,
956 max_key_size,
957 bondable_mode);
958 }
959
960 ASSERT_TRUE(fake_link()->ltk());
961
962 // No local start encryption request should be made.
963 EXPECT_EQ(0, fake_link()->start_encryption_count());
964
965 // Pretend that the initiator succeeded in encrypting the connection.
966 fake_link()->TriggerEncryptionChangeCallback(fit::ok(/*enabled=*/true));
967 RunUntilIdle();
968 EXPECT_EQ(1, new_sec_props_count());
969 EXPECT_EQ(level, new_sec_props().level());
970 }
971
FastForwardToScLtk(UInt128 * out_ltk,SecurityLevel level=SecurityLevel::kEncrypted,KeyDistGenField peer_keys=0,KeyDistGenField local_keys=0,BondableMode bondable=BondableMode::Bondable)972 void FastForwardToScLtk(UInt128* out_ltk,
973 SecurityLevel level = SecurityLevel::kEncrypted,
974 KeyDistGenField peer_keys = 0,
975 KeyDistGenField local_keys = 0,
976 BondableMode bondable = BondableMode::Bondable) {
977 PairingRequestParams preq;
978 preq.io_capability = IOCapability::kDisplayYesNo;
979 preq.oob_data_flag = OOBDataFlag::kNotPresent;
980 AuthReqField bondable_flag =
981 (bondable == BondableMode::Bondable) ? AuthReq::kBondingFlag : 0;
982 AuthReqField mitm_flag =
983 (level >= SecurityLevel::kAuthenticated) ? AuthReq::kMITM : 0;
984 preq.auth_req = AuthReq::kSC | mitm_flag | bondable_flag;
985 preq.max_encryption_key_size = kMaxEncryptionKeySize;
986 preq.initiator_key_dist_gen = local_keys;
987 preq.responder_key_dist_gen = peer_keys;
988 ReceivePairingFeatures(preq, /*peer_initiator=*/true);
989 RunUntilIdle();
990 ASSERT_EQ(1, pairing_response_count());
991
992 LocalEcdhKey peer_key = *LocalEcdhKey::Create();
993 ReceivePairingPublicKey(peer_key.GetSerializedPublicKey());
994 RunUntilIdle();
995 ASSERT_TRUE(public_ecdh_key().has_value());
996 ASSERT_EQ(1, pairing_public_key_count());
997
998 // We are in Just Works or Numeric Comparison based on IOCapabilities/MITM
999 // preferences, so we expect the confirm value immediately after the public
1000 // key.
1001 ASSERT_EQ(1, pairing_confirm_count());
1002 std::optional<uint32_t> display_val;
1003 if (mitm_flag != 0) {
1004 set_display_delegate([&](uint32_t compare_value,
1005 Delegate::DisplayMethod method,
1006 ConfirmCallback cb) {
1007 ASSERT_TRUE(method == Delegate::DisplayMethod::kComparison);
1008 display_val = compare_value;
1009 cb(true);
1010 });
1011 } // Else we are content to use the default confirm delegate behavior to
1012 // accept the pairing.
1013 auto peer_rand = Random<PairingRandomValue>();
1014 ReceivePairingRandom(peer_rand);
1015 RunUntilIdle();
1016 ASSERT_EQ(1, pairing_random_count());
1017 ASSERT_EQ(GenerateScConfirmValue(
1018 peer_key, pairing_random(), Role::kResponder, false),
1019 pairing_confirm());
1020 if (mitm_flag != 0) {
1021 ASSERT_TRUE(display_val.has_value());
1022 uint32_t kExpectedDisplayVal =
1023 *util::G2(peer_key.GetPublicKeyX(),
1024 public_ecdh_key()->GetPublicKeyX(),
1025 peer_rand,
1026 pairing_random()) %
1027 1000000;
1028
1029 EXPECT_EQ(kExpectedDisplayVal, display_val);
1030 }
1031
1032 util::F5Results f5 = *util::F5(peer_key.CalculateDhKey(*public_ecdh_key()),
1033 peer_rand,
1034 pairing_random(),
1035 kPeerAddr,
1036 kLocalAddr);
1037
1038 UInt128 r_array{0};
1039 PacketReader reader(&local_pairing_cmd());
1040 PairingResponseParams pres = reader.payload<PairingResponseParams>();
1041 UInt128 dhkey_check_a = *util::F6(f5.mac_key,
1042 peer_rand,
1043 pairing_random(),
1044 r_array,
1045 preq.auth_req,
1046 preq.oob_data_flag,
1047 preq.io_capability,
1048 kPeerAddr,
1049 kLocalAddr);
1050 UInt128 dhkey_check_b = *util::F6(f5.mac_key,
1051 pairing_random(),
1052 peer_rand,
1053 r_array,
1054 pres.auth_req,
1055 pres.oob_data_flag,
1056 pres.io_capability,
1057 kLocalAddr,
1058 kPeerAddr);
1059 ReceivePairingDHKeyCheck(dhkey_check_a);
1060 RunUntilIdle();
1061 EXPECT_EQ(1, pairing_dhkey_check_count());
1062 ASSERT_EQ(dhkey_check_b, pairing_dhkey_check());
1063 EXPECT_EQ(0, pairing_failed_count());
1064 EXPECT_EQ(0, pairing_complete_count());
1065
1066 ASSERT_TRUE(out_ltk);
1067 *out_ltk = f5.ltk;
1068 }
1069
1070 private:
1071 BT_DISALLOW_COPY_AND_ASSIGN_ALLOW_MOVE(ResponderPairingTest);
1072 };
1073
1074 // Calling `Abort` with no in-progress security upgrade should not cause a
1075 // PairingComplete event.
TEST_F(InitiatorPairingTest,AbortNoSecurityUpgradeInProgress)1076 TEST_F(InitiatorPairingTest, AbortNoSecurityUpgradeInProgress) {
1077 pairing()->Abort();
1078 RunUntilIdle();
1079 EXPECT_EQ(0, pairing_complete_count());
1080 }
1081
1082 // Disconnecting with no in-progress security upgrade should not cause a
1083 // PairingComplete event.
TEST_F(InitiatorPairingTest,DisconnectNoSecurityUpgradeInProgress)1084 TEST_F(InitiatorPairingTest, DisconnectNoSecurityUpgradeInProgress) {
1085 fake_chan()->Close();
1086 RunUntilIdle();
1087 EXPECT_EQ(0, pairing_complete_count());
1088 }
1089
1090 // Requesting pairing at the current security level should succeed immediately.
TEST_F(InitiatorPairingTest,UpgradeSecurityCurrentLevel)1091 TEST_F(InitiatorPairingTest, UpgradeSecurityCurrentLevel) {
1092 UpgradeSecurity(SecurityLevel::kNoSecurity);
1093 RunUntilIdle();
1094
1095 // No pairing requests should have been made.
1096 EXPECT_EQ(0, pairing_request_count());
1097 EXPECT_EQ(0, pairing_complete_count());
1098
1099 // Pairing should succeed.
1100 EXPECT_EQ(1, security_callback_count());
1101 EXPECT_EQ(fit::ok(), security_status());
1102 EXPECT_EQ(SecurityLevel::kNoSecurity, sec_props().level());
1103 EXPECT_EQ(0u, sec_props().enc_key_size());
1104 EXPECT_FALSE(sec_props().secure_connections());
1105 }
1106
1107 // Peer aborts during Phase 1.
TEST_F(InitiatorPairingTest,PairingFailedInPhase1)1108 TEST_F(InitiatorPairingTest, PairingFailedInPhase1) {
1109 UpgradeSecurity(SecurityLevel::kEncrypted);
1110 RunUntilIdle();
1111
1112 // Pairing not complete yet but we should be in Phase 1.
1113 EXPECT_EQ(0, security_callback_count());
1114 EXPECT_EQ(1, pairing_request_count());
1115
1116 ReceivePairingFailed(ErrorCode::kPairingNotSupported);
1117 RunUntilIdle();
1118
1119 EXPECT_EQ(1, security_callback_count());
1120 EXPECT_EQ(1, pairing_request_count());
1121 EXPECT_EQ(ToResult(ErrorCode::kPairingNotSupported), security_status());
1122
1123 EXPECT_EQ(1, pairing_complete_count());
1124 EXPECT_EQ(security_status(), pairing_complete_status());
1125 }
1126
1127 // Local aborts during Phase 1.
TEST_F(InitiatorPairingTest,PairingAbortedInPhase1)1128 TEST_F(InitiatorPairingTest, PairingAbortedInPhase1) {
1129 UpgradeSecurity(SecurityLevel::kEncrypted);
1130 RunUntilIdle();
1131
1132 // Pairing not complete yet but we should be in Phase 1.
1133 EXPECT_EQ(0, security_callback_count());
1134 EXPECT_EQ(1, pairing_request_count());
1135
1136 pairing()->Abort();
1137 RunUntilIdle();
1138
1139 EXPECT_EQ(1, security_callback_count());
1140 EXPECT_EQ(1, pairing_request_count());
1141 EXPECT_EQ(ToResult(ErrorCode::kUnspecifiedReason), security_status());
1142
1143 EXPECT_EQ(1, pairing_complete_count());
1144 EXPECT_EQ(security_status(), pairing_complete_status());
1145 }
1146
1147 // Local resets I/O capabilities while pairing. This should abort any ongoing
1148 // pairing and the new I/O capabilities should be used in following pairing
1149 // requests.
TEST_F(InitiatorPairingTest,SecurityManagerResetDuringPairing)1150 TEST_F(InitiatorPairingTest, SecurityManagerResetDuringPairing) {
1151 UpgradeSecurity(SecurityLevel::kEncrypted);
1152 RunUntilIdle();
1153
1154 // Pairing not complete yet but we should be in Phase 1.
1155 EXPECT_EQ(0, security_callback_count());
1156 EXPECT_EQ(1, pairing_request_count());
1157
1158 pairing()->Reset(IOCapability::kNoInputNoOutput);
1159 RunUntilIdle();
1160
1161 EXPECT_EQ(1, security_callback_count());
1162 EXPECT_EQ(1, pairing_request_count());
1163 EXPECT_EQ(ToResult(ErrorCode::kUnspecifiedReason), security_status());
1164
1165 EXPECT_EQ(1, pairing_complete_count());
1166 EXPECT_EQ(security_status(), pairing_complete_status());
1167
1168 UpgradeSecurity(SecurityLevel::kEncrypted);
1169 RunUntilIdle();
1170
1171 // Should have sent a new pairing request.
1172 EXPECT_EQ(2, pairing_request_count());
1173
1174 // Make sure that the new request has the new I/O capabilities.
1175 const auto& params = local_pairing_cmd().view(1).To<PairingRequestParams>();
1176 EXPECT_EQ(IOCapability::kNoInputNoOutput, params.io_capability);
1177 }
1178
TEST_F(InitiatorPairingTest,ReceiveConfirmValueWhileNotPairing)1179 TEST_F(InitiatorPairingTest, ReceiveConfirmValueWhileNotPairing) {
1180 UInt128 confirm;
1181 ReceivePairingConfirm(confirm);
1182 RunUntilIdle();
1183
1184 // Nothing should happen.
1185 EXPECT_EQ(0, pairing_confirm_count());
1186 EXPECT_EQ(0, pairing_random_count());
1187 EXPECT_EQ(0, pairing_failed_count());
1188 EXPECT_EQ(0, security_callback_count());
1189 }
1190
TEST_F(InitiatorPairingTest,ReceiveConfirmValueInPhase1)1191 TEST_F(InitiatorPairingTest, ReceiveConfirmValueInPhase1) {
1192 UpgradeSecurity(SecurityLevel::kEncrypted);
1193 RunUntilIdle();
1194
1195 UInt128 confirm;
1196 ReceivePairingConfirm(confirm);
1197 RunUntilIdle();
1198
1199 EXPECT_EQ(0, pairing_confirm_count());
1200 EXPECT_EQ(0, pairing_random_count());
1201 EXPECT_EQ(1, pairing_failed_count());
1202 EXPECT_EQ(1, security_callback_count());
1203 EXPECT_EQ(ToResult(ErrorCode::kUnspecifiedReason), security_status());
1204
1205 EXPECT_EQ(1, pairing_complete_count());
1206 EXPECT_EQ(security_status(), pairing_complete_status());
1207 }
1208
TEST_F(InitiatorPairingTest,RejectUnauthenticatedPairingInSecureConnectionsOnlyMode)1209 TEST_F(InitiatorPairingTest,
1210 RejectUnauthenticatedPairingInSecureConnectionsOnlyMode) {
1211 SetUpSecurityManager(IOCapability::kKeyboardDisplay);
1212 pairing()->set_security_mode(gap::LESecurityMode::SecureConnectionsOnly);
1213 // In SC Only mode, SM should translate this "encrypted" request into a MITM
1214 // requirement.
1215 UpgradeSecurity(SecurityLevel::kEncrypted);
1216 // The peer has NoInputNoOutput IOCapabilities, thus cannot perform
1217 // authenticated pairing.
1218 ReceivePairingFeatures(IOCapability::kNoInputNoOutput,
1219 AuthReq::kBondingFlag | AuthReq::kSC);
1220 RunUntilIdle();
1221
1222 EXPECT_EQ(1, pairing_failed_count());
1223 EXPECT_EQ(1, security_callback_count());
1224 EXPECT_EQ(ToResult(ErrorCode::kAuthenticationRequirements),
1225 security_status());
1226 EXPECT_EQ(1, pairing_complete_count());
1227 EXPECT_EQ(security_status(), pairing_complete_status());
1228 }
1229
TEST_F(InitiatorPairingTest,RejectUnauthenticatedEncryptionInSecureConnectionsOnlyMode)1230 TEST_F(InitiatorPairingTest,
1231 RejectUnauthenticatedEncryptionInSecureConnectionsOnlyMode) {
1232 pairing()->set_security_mode(gap::LESecurityMode::SecureConnectionsOnly);
1233 const LTK kUnauthenticatedLtk(SecurityProperties(/*encrypted=*/true,
1234 /*authenticated=*/false,
1235 /*secure_connections=*/true,
1236 kMaxEncryptionKeySize),
1237 hci_spec::LinkKey());
1238 pairing()->AssignLongTermKey(kUnauthenticatedLtk);
1239 RunUntilIdle();
1240 // After setting SC Only mode, assigning and encrypting with an
1241 // unauthenticated LTK should cause the channel to be disconnected with an
1242 // authentication failure.
1243 fake_link()->TriggerEncryptionChangeCallback(fit::ok(/*enabled=*/true));
1244 RunUntilIdle();
1245
1246 EXPECT_EQ(1, auth_failure_callback_count());
1247 EXPECT_EQ(ToResult(HostError::kInsufficientSecurity), auth_failure_status());
1248 EXPECT_TRUE(fake_chan()->link_error());
1249 }
1250
TEST_F(InitiatorPairingTest,AllowSecureAuthenticatedPairingInSecureConnectionsOnlyMode)1251 TEST_F(InitiatorPairingTest,
1252 AllowSecureAuthenticatedPairingInSecureConnectionsOnlyMode) {
1253 SetUpSecurityManager(IOCapability::kDisplayYesNo);
1254 pairing()->set_security_mode(gap::LESecurityMode::SecureConnectionsOnly);
1255 UInt128 enc_key;
1256 FastForwardToPhase3(&enc_key,
1257 /*secure_connections=*/true,
1258 SecurityLevel::kSecureAuthenticated);
1259 RunUntilIdle();
1260 // After setting SC Only mode, secure authenticated pairing should still
1261 // complete successfully.
1262 EXPECT_EQ(1, pairing_data_callback_count());
1263 EXPECT_TRUE(peer_ltk().has_value());
1264 EXPECT_EQ(0, pairing_failed_count());
1265 EXPECT_EQ(1, security_callback_count());
1266 EXPECT_EQ(1, pairing_complete_count());
1267 EXPECT_EQ(fit::ok(), security_status());
1268 EXPECT_EQ(security_status(), pairing_complete_status());
1269
1270 EXPECT_EQ(SecurityLevel::kSecureAuthenticated, sec_props().level());
1271 }
1272
1273 // In Phase 2 but still waiting to receive TK.
TEST_F(InitiatorPairingTest,ReceiveConfirmValueWhileWaitingForUserInput)1274 TEST_F(InitiatorPairingTest, ReceiveConfirmValueWhileWaitingForUserInput) {
1275 bool tk_requested = false;
1276 set_confirm_delegate([&](ConfirmCallback) { tk_requested = true; });
1277
1278 UpgradeSecurity(SecurityLevel::kEncrypted);
1279 ReceivePairingFeatures();
1280 RunUntilIdle();
1281 EXPECT_TRUE(tk_requested);
1282
1283 UInt128 confirm;
1284 ReceivePairingConfirm(confirm);
1285 RunUntilIdle();
1286
1287 EXPECT_EQ(0, pairing_confirm_count());
1288 EXPECT_EQ(0, pairing_random_count());
1289 EXPECT_EQ(1, pairing_failed_count());
1290 EXPECT_EQ(1, security_callback_count());
1291 EXPECT_EQ(ToResult(ErrorCode::kUnspecifiedReason), security_status());
1292
1293 EXPECT_EQ(1, pairing_complete_count());
1294 EXPECT_EQ(security_status(), pairing_complete_status());
1295 }
1296
1297 // SecurityManager destroyed when waiting for Just Works user confirmation.
TEST_F(InitiatorPairingTest,SecurityManagerDestroyedStateWhileWaitingForUserInput)1298 TEST_F(InitiatorPairingTest,
1299 SecurityManagerDestroyedStateWhileWaitingForUserInput) {
1300 ConfirmCallback respond;
1301 set_confirm_delegate([&](ConfirmCallback rsp) { respond = std::move(rsp); });
1302
1303 UpgradeSecurity(SecurityLevel::kEncrypted);
1304 ReceivePairingFeatures();
1305 RunUntilIdle();
1306 EXPECT_TRUE(respond);
1307
1308 DestroySecurityManager();
1309
1310 // This should proceed safely.
1311 respond(true);
1312 RunUntilIdle();
1313 }
1314
1315 // Pairing no longer in progress when waiting for Just Works user confirmation.
TEST_F(InitiatorPairingTest,PairingAbortedWhileWaitingForUserInput)1316 TEST_F(InitiatorPairingTest, PairingAbortedWhileWaitingForUserInput) {
1317 ConfirmCallback respond;
1318 set_confirm_delegate([&](ConfirmCallback rsp) { respond = std::move(rsp); });
1319
1320 UpgradeSecurity(SecurityLevel::kEncrypted);
1321 ReceivePairingFeatures();
1322 RunUntilIdle();
1323 EXPECT_TRUE(respond);
1324
1325 ReceivePairingFailed(ErrorCode::kPairingNotSupported);
1326 RunUntilIdle();
1327 EXPECT_EQ(1, security_callback_count());
1328 EXPECT_EQ(ToResult(ErrorCode::kPairingNotSupported), security_status());
1329
1330 EXPECT_EQ(1, pairing_complete_count());
1331 EXPECT_EQ(security_status(), pairing_complete_status());
1332
1333 // This should have no effect.
1334 respond(true);
1335 RunUntilIdle();
1336 EXPECT_EQ(1, pairing_request_count());
1337 EXPECT_EQ(0, pairing_response_count());
1338 EXPECT_EQ(0, pairing_confirm_count());
1339 EXPECT_EQ(0, pairing_random_count());
1340 EXPECT_EQ(0, pairing_failed_count());
1341 EXPECT_EQ(1, security_callback_count());
1342 EXPECT_EQ(1, pairing_complete_count());
1343 EXPECT_EQ(0, pairing_data_callback_count());
1344 }
1345
1346 // Pairing procedure stopped and restarted when TKResponse runs. The TKResponse
1347 // does not belong to the current pairing.
TEST_F(InitiatorPairingTest,PairingRestartedWhileWaitingForTK)1348 TEST_F(InitiatorPairingTest, PairingRestartedWhileWaitingForTK) {
1349 ConfirmCallback respond;
1350 set_confirm_delegate([&](ConfirmCallback rsp) { respond = std::move(rsp); });
1351
1352 UpgradeSecurity(SecurityLevel::kEncrypted);
1353 ReceivePairingFeatures();
1354 RunUntilIdle();
1355 EXPECT_TRUE(respond);
1356
1357 // Stop pairing.
1358 ReceivePairingFailed(ErrorCode::kPairingNotSupported);
1359 RunUntilIdle();
1360 EXPECT_EQ(1, security_callback_count());
1361 EXPECT_EQ(ToResult(ErrorCode::kPairingNotSupported), security_status());
1362
1363 EXPECT_EQ(1, pairing_complete_count());
1364 EXPECT_EQ(security_status(), pairing_complete_status());
1365
1366 // Reset the delegate so that |respond| doesn't get overwritten by the second
1367 // pairing.
1368 set_confirm_delegate(nullptr);
1369
1370 UpgradeSecurity(SecurityLevel::kEncrypted);
1371 ReceivePairingFeatures();
1372 RunUntilIdle();
1373 EXPECT_EQ(2, pairing_request_count());
1374 EXPECT_EQ(0, pairing_response_count());
1375 EXPECT_EQ(1, pairing_confirm_count());
1376 EXPECT_EQ(0, pairing_random_count());
1377 EXPECT_EQ(0, pairing_failed_count());
1378 EXPECT_EQ(1, security_callback_count());
1379 EXPECT_EQ(0, pairing_data_callback_count());
1380
1381 // This should have no effect.
1382 respond(true);
1383 RunUntilIdle();
1384 EXPECT_EQ(2, pairing_request_count());
1385 EXPECT_EQ(0, pairing_response_count());
1386 EXPECT_EQ(1, pairing_confirm_count());
1387 EXPECT_EQ(0, pairing_random_count());
1388 EXPECT_EQ(0, pairing_failed_count());
1389 EXPECT_EQ(1, security_callback_count());
1390 EXPECT_EQ(1, pairing_complete_count());
1391 EXPECT_EQ(0, pairing_data_callback_count());
1392 }
1393
TEST_F(InitiatorPairingTest,ReceiveRandomValueWhileNotPairing)1394 TEST_F(InitiatorPairingTest, ReceiveRandomValueWhileNotPairing) {
1395 UInt128 random;
1396 ReceivePairingRandom(random);
1397 RunUntilIdle();
1398
1399 // Nothing should happen.
1400 EXPECT_EQ(0, pairing_confirm_count());
1401 EXPECT_EQ(0, pairing_random_count());
1402 EXPECT_EQ(0, pairing_failed_count());
1403 EXPECT_EQ(0, security_callback_count());
1404 }
1405
TEST_F(InitiatorPairingTest,ReceiveRandomValueInPhase1)1406 TEST_F(InitiatorPairingTest, ReceiveRandomValueInPhase1) {
1407 UpgradeSecurity(SecurityLevel::kEncrypted);
1408 RunUntilIdle();
1409
1410 UInt128 random;
1411 ReceivePairingRandom(random);
1412 RunUntilIdle();
1413
1414 EXPECT_EQ(0, pairing_confirm_count());
1415 EXPECT_EQ(0, pairing_random_count());
1416 EXPECT_EQ(1, pairing_failed_count());
1417 EXPECT_EQ(1, security_callback_count());
1418 EXPECT_EQ(ToResult(ErrorCode::kUnspecifiedReason), security_status());
1419
1420 EXPECT_EQ(1, pairing_complete_count());
1421 EXPECT_EQ(security_status(), pairing_complete_status());
1422 }
1423
1424 // In Phase 2 but still waiting to receive TK.
TEST_F(InitiatorPairingTest,ReceiveRandomValueWhileWaitingForTK)1425 TEST_F(InitiatorPairingTest, ReceiveRandomValueWhileWaitingForTK) {
1426 bool confirmation_requested = false;
1427 set_confirm_delegate([&](ConfirmCallback) { confirmation_requested = true; });
1428
1429 UpgradeSecurity(SecurityLevel::kEncrypted);
1430 ReceivePairingFeatures();
1431 RunUntilIdle();
1432 EXPECT_TRUE(confirmation_requested);
1433
1434 UInt128 random;
1435 ReceivePairingRandom(random);
1436 RunUntilIdle();
1437
1438 EXPECT_EQ(0, pairing_confirm_count());
1439 EXPECT_EQ(0, pairing_random_count());
1440 EXPECT_EQ(1, pairing_failed_count());
1441 EXPECT_EQ(1, security_callback_count());
1442 EXPECT_EQ(ToResult(ErrorCode::kUnspecifiedReason), security_status());
1443
1444 EXPECT_EQ(1, pairing_complete_count());
1445 EXPECT_EQ(security_status(), pairing_complete_status());
1446 }
1447
TEST_F(InitiatorPairingTest,LegacyPhase2SconfirmValueReceivedTwice)1448 TEST_F(InitiatorPairingTest, LegacyPhase2SconfirmValueReceivedTwice) {
1449 UpgradeSecurity(SecurityLevel::kEncrypted);
1450 RunUntilIdle();
1451
1452 ReceivePairingFeatures();
1453 RunUntilIdle();
1454
1455 // Should have received Mconfirm.
1456 EXPECT_EQ(1, pairing_confirm_count());
1457 EXPECT_EQ(0, pairing_random_count());
1458 EXPECT_EQ(0, security_callback_count());
1459
1460 UInt128 confirm;
1461 ReceivePairingConfirm(confirm);
1462 RunUntilIdle();
1463
1464 // Should have received Mrand.
1465 EXPECT_EQ(1, pairing_confirm_count());
1466 EXPECT_EQ(1, pairing_random_count());
1467 EXPECT_EQ(0, security_callback_count());
1468
1469 // Send Mconfirm again
1470 ReceivePairingConfirm(confirm);
1471 RunUntilIdle();
1472
1473 EXPECT_EQ(1, pairing_confirm_count());
1474 EXPECT_EQ(1, pairing_random_count());
1475 EXPECT_EQ(1, pairing_failed_count());
1476 EXPECT_EQ(1, security_callback_count());
1477 EXPECT_EQ(ToResult(ErrorCode::kUnspecifiedReason), security_status());
1478
1479 EXPECT_EQ(1, pairing_complete_count());
1480 EXPECT_EQ(security_status(), pairing_complete_status());
1481 }
1482
TEST_F(InitiatorPairingTest,LegacyPhase2ReceiveRandomValueInWrongOrder)1483 TEST_F(InitiatorPairingTest, LegacyPhase2ReceiveRandomValueInWrongOrder) {
1484 UpgradeSecurity(SecurityLevel::kEncrypted);
1485 RunUntilIdle();
1486
1487 ReceivePairingFeatures();
1488 RunUntilIdle();
1489
1490 // Should have received Mconfirm.
1491 EXPECT_EQ(1, pairing_confirm_count());
1492 EXPECT_EQ(0, pairing_random_count());
1493 EXPECT_EQ(0, security_callback_count());
1494
1495 UInt128 random;
1496 ReceivePairingRandom(random);
1497 RunUntilIdle();
1498
1499 // Should have aborted pairing if Srand arrives before Srand.
1500 EXPECT_EQ(1, pairing_confirm_count());
1501 EXPECT_EQ(0, pairing_random_count());
1502 EXPECT_EQ(1, pairing_failed_count());
1503 EXPECT_EQ(1, security_callback_count());
1504 EXPECT_EQ(ToResult(ErrorCode::kUnspecifiedReason), security_status());
1505
1506 EXPECT_EQ(1, pairing_complete_count());
1507 EXPECT_EQ(security_status(), pairing_complete_status());
1508 }
1509
TEST_F(InitiatorPairingTest,LegacyPhase2SconfirmValueInvalid)1510 TEST_F(InitiatorPairingTest, LegacyPhase2SconfirmValueInvalid) {
1511 UpgradeSecurity(SecurityLevel::kEncrypted);
1512 RunUntilIdle();
1513
1514 // Pick I/O capabilities and MITM flags that will result in Just Works
1515 // pairing.
1516 ReceivePairingFeatures();
1517 RunUntilIdle();
1518
1519 // Should have received Mconfirm.
1520 EXPECT_EQ(1, pairing_confirm_count());
1521 EXPECT_EQ(0, pairing_random_count());
1522 EXPECT_EQ(0, security_callback_count());
1523
1524 // Receive Sconfirm and Srand values that don't match.
1525 UInt128 confirm, random;
1526 confirm.fill(0);
1527 random.fill(1);
1528
1529 ReceivePairingConfirm(confirm);
1530 RunUntilIdle();
1531
1532 // Should have received Mrand.
1533 EXPECT_EQ(1, pairing_confirm_count());
1534 EXPECT_EQ(1, pairing_random_count());
1535 EXPECT_EQ(0, security_callback_count());
1536
1537 // Our Mconfirm/Mrand should be correct.
1538 UInt128 expected_confirm;
1539 GenerateLegacyConfirmValue(pairing_random(), &expected_confirm);
1540 EXPECT_EQ(expected_confirm, pairing_confirm());
1541
1542 // Send the non-matching Srandom.
1543 ReceivePairingRandom(random);
1544 RunUntilIdle();
1545
1546 EXPECT_EQ(1, pairing_confirm_count());
1547 EXPECT_EQ(1, pairing_random_count());
1548 EXPECT_EQ(1, pairing_failed_count());
1549 EXPECT_EQ(1, security_callback_count());
1550 EXPECT_EQ(ToResult(ErrorCode::kConfirmValueFailed), security_status());
1551
1552 EXPECT_EQ(1, pairing_complete_count());
1553 EXPECT_EQ(security_status(), pairing_complete_status());
1554 }
1555
TEST_F(InitiatorPairingTest,LegacyPhase2RandomValueReceivedTwice)1556 TEST_F(InitiatorPairingTest, LegacyPhase2RandomValueReceivedTwice) {
1557 UpgradeSecurity(SecurityLevel::kEncrypted);
1558 RunUntilIdle();
1559
1560 // Pick I/O capabilities and MITM flags that will result in Just Works
1561 // pairing.
1562 ReceivePairingFeatures();
1563 RunUntilIdle();
1564
1565 // Should have received Mconfirm.
1566 EXPECT_EQ(1, pairing_confirm_count());
1567 EXPECT_EQ(0, pairing_random_count());
1568 EXPECT_EQ(0, security_callback_count());
1569
1570 // Receive Sconfirm and Srand values that match.
1571 UInt128 confirm, random;
1572 GenerateMatchingLegacyConfirmAndRandom(&confirm, &random);
1573
1574 ReceivePairingConfirm(confirm);
1575 RunUntilIdle();
1576
1577 // Should have received Mrand.
1578 EXPECT_EQ(1, pairing_confirm_count());
1579 EXPECT_EQ(1, pairing_random_count());
1580 EXPECT_EQ(0, security_callback_count());
1581
1582 // Our Mconfirm/Mrand should be correct.
1583 UInt128 expected_confirm;
1584 GenerateLegacyConfirmValue(pairing_random(), &expected_confirm);
1585 EXPECT_EQ(expected_confirm, pairing_confirm());
1586
1587 // Send Srandom.
1588 ReceivePairingRandom(random);
1589 RunUntilIdle();
1590
1591 EXPECT_EQ(1, pairing_confirm_count());
1592 EXPECT_EQ(1, pairing_random_count());
1593 EXPECT_EQ(0, pairing_failed_count());
1594 EXPECT_EQ(0, security_callback_count());
1595
1596 // Send Srandom again.
1597 ReceivePairingRandom(random);
1598 RunUntilIdle();
1599
1600 EXPECT_EQ(1, pairing_confirm_count());
1601 EXPECT_EQ(1, pairing_random_count());
1602 EXPECT_EQ(1, pairing_failed_count());
1603 EXPECT_EQ(1, security_callback_count());
1604 EXPECT_EQ(ToResult(ErrorCode::kUnspecifiedReason), security_status());
1605
1606 EXPECT_EQ(1, pairing_complete_count());
1607 EXPECT_EQ(security_status(), pairing_complete_status());
1608 }
1609
TEST_F(InitiatorPairingTest,LegacyPhase2ConfirmValuesExchanged)1610 TEST_F(InitiatorPairingTest, LegacyPhase2ConfirmValuesExchanged) {
1611 UpgradeSecurity(SecurityLevel::kEncrypted);
1612 RunUntilIdle();
1613
1614 // Pick I/O capabilities and MITM flags that will result in Just Works
1615 // pairing.
1616 ReceivePairingFeatures();
1617 RunUntilIdle();
1618
1619 // Should have received Mconfirm.
1620 EXPECT_EQ(1, pairing_confirm_count());
1621 EXPECT_EQ(0, pairing_random_count());
1622 EXPECT_EQ(0, security_callback_count());
1623
1624 // Receive Sconfirm and Srand values that match.
1625 UInt128 confirm, random;
1626 GenerateMatchingLegacyConfirmAndRandom(&confirm, &random);
1627
1628 ReceivePairingConfirm(confirm);
1629 RunUntilIdle();
1630
1631 // Should have received Mrand.
1632 EXPECT_EQ(1, pairing_confirm_count());
1633 EXPECT_EQ(1, pairing_random_count());
1634 EXPECT_EQ(0, security_callback_count());
1635
1636 // Our Mconfirm/Mrand should be correct.
1637 UInt128 expected_confirm;
1638 GenerateLegacyConfirmValue(pairing_random(), &expected_confirm);
1639 EXPECT_EQ(expected_confirm, pairing_confirm());
1640
1641 // Send Srandom.
1642 ReceivePairingRandom(random);
1643 RunUntilIdle();
1644
1645 EXPECT_EQ(1, pairing_confirm_count());
1646 EXPECT_EQ(1, pairing_random_count());
1647 EXPECT_EQ(0, pairing_failed_count());
1648 EXPECT_EQ(0, security_callback_count());
1649 }
1650
1651 // TK delegate rejects pairing. When pairing method is "PasskeyEntryInput", this
1652 // should result in a "Passkey Entry Failed" error.
TEST_F(InitiatorPairingTest,LegacyPhase2TKDelegateRejectsPasskeyInput)1653 TEST_F(InitiatorPairingTest, LegacyPhase2TKDelegateRejectsPasskeyInput) {
1654 SetUpSecurityManager(IOCapability::kKeyboardOnly);
1655
1656 bool tk_requested = false;
1657 PasskeyResponseCallback respond;
1658 set_request_passkey_delegate([&](PasskeyResponseCallback cb_rsp) {
1659 tk_requested = true;
1660 respond = std::move(cb_rsp);
1661 });
1662
1663 UpgradeSecurity(SecurityLevel::kEncrypted);
1664 RunUntilIdle();
1665
1666 // Pick I/O capabilities and MITM flags that will result in Passkey Entry
1667 // pairing.
1668 ReceivePairingFeatures(IOCapability::kDisplayOnly, AuthReq::kMITM);
1669 RunUntilIdle();
1670 ASSERT_TRUE(tk_requested);
1671
1672 // Reject pairing.
1673 respond(-1);
1674 RunUntilIdle();
1675
1676 EXPECT_EQ(0, pairing_confirm_count());
1677 EXPECT_EQ(0, pairing_random_count());
1678 EXPECT_EQ(1, pairing_failed_count());
1679 EXPECT_EQ(1, security_callback_count());
1680 EXPECT_EQ(ToResult(ErrorCode::kPasskeyEntryFailed), security_status());
1681 }
1682
1683 // TK delegate rejects pairing.
TEST_F(InitiatorPairingTest,LegacyPhase2TKDelegateRejectsPairing)1684 TEST_F(InitiatorPairingTest, LegacyPhase2TKDelegateRejectsPairing) {
1685 bool tk_requested = false;
1686 ConfirmCallback respond;
1687 set_confirm_delegate([&](ConfirmCallback cb_rsp) {
1688 tk_requested = true;
1689 respond = std::move(cb_rsp);
1690 });
1691
1692 UpgradeSecurity(SecurityLevel::kEncrypted);
1693 RunUntilIdle();
1694
1695 ReceivePairingFeatures();
1696 RunUntilIdle();
1697 ASSERT_TRUE(tk_requested);
1698
1699 // Reject pairing.
1700 respond(false);
1701 RunUntilIdle();
1702
1703 EXPECT_EQ(0, pairing_confirm_count());
1704 EXPECT_EQ(0, pairing_random_count());
1705 EXPECT_EQ(1, pairing_failed_count());
1706 EXPECT_EQ(1, security_callback_count());
1707 EXPECT_EQ(ToResult(ErrorCode::kUnspecifiedReason), security_status());
1708 }
1709
TEST_F(InitiatorPairingTest,IgnoresExpiredConfirmRequestCallback)1710 TEST_F(InitiatorPairingTest, IgnoresExpiredConfirmRequestCallback) {
1711 ConfirmCallback respond = nullptr;
1712 set_confirm_delegate([&](ConfirmCallback rsp) { respond = std::move(rsp); });
1713
1714 UpgradeSecurity(SecurityLevel::kEncrypted);
1715 RunUntilIdle();
1716
1717 ReceivePairingFeatures();
1718 RunUntilIdle();
1719 ASSERT_TRUE(respond);
1720 ConfirmCallback first_pairing_cb = std::move(respond);
1721 pairing()->Abort();
1722 RunUntilIdle();
1723 EXPECT_EQ(1, pairing_failed_count());
1724
1725 // We reset the respond variable so we can "catch" the next PairingDelegate
1726 // request in the same variable (the `set_confirm_delegate` callback still has
1727 // the reference to `respond`)
1728 respond = nullptr;
1729
1730 // Start a separate pairing from the one captured in `first_pairing_cb`, which
1731 // was `Abort`ed
1732 UpgradeSecurity(SecurityLevel::kEncrypted);
1733 RunUntilIdle();
1734
1735 ReceivePairingFeatures();
1736 RunUntilIdle();
1737 first_pairing_cb(true);
1738 RunUntilIdle();
1739 // The callback from the `Abort`ed pairing should be ignored, while calling
1740 // `respond`, which is associated with the active pairing, should cause the
1741 // expected Pairing Confirm to be sent.
1742 EXPECT_EQ(0, pairing_confirm_count());
1743 ASSERT_TRUE(respond);
1744 respond(true);
1745 RunUntilIdle();
1746 EXPECT_EQ(1, pairing_confirm_count());
1747 }
1748
TEST_F(InitiatorPairingTest,IgnoresExpiredDisplayRequestCallback)1749 TEST_F(InitiatorPairingTest, IgnoresExpiredDisplayRequestCallback) {
1750 SetUpSecurityManager(IOCapability::kDisplayOnly);
1751 ConfirmCallback respond = nullptr;
1752 set_display_delegate(
1753 [&](uint32_t /**/, Delegate::DisplayMethod method, ConfirmCallback rsp) {
1754 ASSERT_EQ(Delegate::DisplayMethod::kPeerEntry, method);
1755 respond = std::move(rsp);
1756 });
1757
1758 // Must request MITM to test PasskeyEntryDisplay instead of JustWorks pairing
1759 UpgradeSecurity(SecurityLevel::kAuthenticated);
1760 RunUntilIdle();
1761
1762 ReceivePairingFeatures(IOCapability::kKeyboardOnly);
1763 RunUntilIdle();
1764 ASSERT_TRUE(respond);
1765 ConfirmCallback first_pairing_cb = std::move(respond);
1766 pairing()->Abort();
1767 RunUntilIdle();
1768 EXPECT_EQ(1, pairing_failed_count());
1769
1770 // We reset the respond variable so we can "catch" the next PairingDelegate
1771 // request in the same variable (the `set_display_delegate` callback still has
1772 // the reference to `respond`)
1773 respond = nullptr;
1774
1775 // Start a separate pairing from the one captured in `first_pairing_cb`, which
1776 // was `Abort`ed
1777 UpgradeSecurity(SecurityLevel::kAuthenticated);
1778 RunUntilIdle();
1779
1780 ReceivePairingFeatures(IOCapability::kKeyboardOnly);
1781 RunUntilIdle();
1782 first_pairing_cb(true);
1783 RunUntilIdle();
1784 // The callback from the `Abort`ed pairing should be ignored, while calling
1785 // `respond`, which is associated with the active pairing, should cause the
1786 // expected Pairing Confirm to be sent.
1787 EXPECT_EQ(0, pairing_confirm_count());
1788 ASSERT_TRUE(respond);
1789 respond(true);
1790 RunUntilIdle();
1791 EXPECT_EQ(1, pairing_confirm_count());
1792 }
1793
TEST_F(InitiatorPairingTest,IgnoresExpiredPasskeyEntryInputCallback)1794 TEST_F(InitiatorPairingTest, IgnoresExpiredPasskeyEntryInputCallback) {
1795 SetUpSecurityManager(IOCapability::kKeyboardOnly);
1796 PasskeyResponseCallback passkey_cb = nullptr;
1797 set_request_passkey_delegate(
1798 [&](PasskeyResponseCallback cb) { passkey_cb = std::move(cb); });
1799
1800 // Must request MITM to test PasskeyEntryInput instead of JustWorks pairing
1801 UpgradeSecurity(SecurityLevel::kAuthenticated);
1802 RunUntilIdle();
1803
1804 ReceivePairingFeatures(IOCapability::kDisplayOnly);
1805 RunUntilIdle();
1806 ASSERT_TRUE(passkey_cb);
1807 PasskeyResponseCallback first_pairing_cb = std::move(passkey_cb);
1808 pairing()->Abort();
1809 RunUntilIdle();
1810 EXPECT_EQ(1, pairing_failed_count());
1811
1812 // We reset the respond variable so we can "catch" the next PairingDelegate
1813 // request in the same variable (the `set_display_delegate` callback still has
1814 // the reference to `respond`)
1815 passkey_cb = nullptr;
1816
1817 // Start a separate pairing from the one captured in `first_pairing_cb`, which
1818 // was `Abort`ed
1819 UpgradeSecurity(SecurityLevel::kAuthenticated);
1820 RunUntilIdle();
1821
1822 ReceivePairingFeatures(IOCapability::kDisplayOnly);
1823 RunUntilIdle();
1824 const int32_t kGenericPositive6DigitNumber = 123456;
1825 first_pairing_cb(kGenericPositive6DigitNumber);
1826 RunUntilIdle();
1827 // The callback from the `Abort`ed pairing should be ignored, while calling
1828 // `respond`, which is associated with the active pairing, should cause the
1829 // expected Pairing Confirm to be sent.
1830 EXPECT_EQ(0, pairing_confirm_count());
1831 ASSERT_TRUE(passkey_cb);
1832 passkey_cb(kGenericPositive6DigitNumber);
1833 RunUntilIdle();
1834 EXPECT_EQ(1, pairing_confirm_count());
1835 }
1836
1837 // The TK delegate is called with the correct pairing method and the TK is
1838 // factored into the confirm value generation.
TEST_F(InitiatorPairingTest,LegacyPhase2ConfirmValuesExchangedWithUserTK)1839 TEST_F(InitiatorPairingTest, LegacyPhase2ConfirmValuesExchangedWithUserTK) {
1840 std::optional<uint32_t> tk = std::nullopt;
1841 auto method = Delegate::DisplayMethod::kComparison;
1842 ConfirmCallback respond;
1843 set_display_delegate([&](uint32_t passkey,
1844 Delegate::DisplayMethod cb_method,
1845 ConfirmCallback cb_rsp) {
1846 tk = passkey;
1847 method = cb_method;
1848 respond = std::move(cb_rsp);
1849 });
1850
1851 UpgradeSecurity(SecurityLevel::kEncrypted);
1852 RunUntilIdle();
1853
1854 // Pick I/O capabilities and MITM flags that will result in Passkey Entry
1855 // pairing.
1856 ReceivePairingFeatures(IOCapability::kKeyboardOnly, AuthReq::kMITM);
1857 RunUntilIdle();
1858 ASSERT_TRUE(tk.has_value());
1859
1860 // DisplayMethod should be kPeerEntry, as Comparison is only for Secure
1861 // Connections, not Legacy.
1862 ASSERT_EQ(Delegate::DisplayMethod::kPeerEntry, method);
1863
1864 // Notify that TK was displayed.
1865 respond(true);
1866 RunUntilIdle();
1867
1868 // Should have received Mconfirm.
1869 EXPECT_EQ(1, pairing_confirm_count());
1870 EXPECT_EQ(0, pairing_random_count());
1871 EXPECT_EQ(0, security_callback_count());
1872
1873 // Receive Sconfirm and Srand values that match.
1874 UInt128 confirm, random;
1875 GenerateMatchingLegacyConfirmAndRandom(&confirm, &random, *tk);
1876
1877 ReceivePairingConfirm(confirm);
1878 RunUntilIdle();
1879
1880 // Should have received Mrand.
1881 EXPECT_EQ(1, pairing_confirm_count());
1882 EXPECT_EQ(1, pairing_random_count());
1883 EXPECT_EQ(0, security_callback_count());
1884
1885 // Our Mconfirm/Mrand should be correct.
1886 UInt128 expected_confirm;
1887 GenerateLegacyConfirmValue(
1888 pairing_random(), &expected_confirm, /*peer_initiator=*/false, *tk);
1889 EXPECT_EQ(expected_confirm, pairing_confirm());
1890
1891 // Send Srandom.
1892 ReceivePairingRandom(random);
1893 RunUntilIdle();
1894
1895 EXPECT_EQ(1, pairing_confirm_count());
1896 EXPECT_EQ(1, pairing_random_count());
1897 EXPECT_EQ(0, pairing_failed_count());
1898 EXPECT_EQ(0, security_callback_count());
1899 }
1900
1901 // Peer aborts during Phase 2.
TEST_F(InitiatorPairingTest,PairingFailedInPhase2)1902 TEST_F(InitiatorPairingTest, PairingFailedInPhase2) {
1903 UpgradeSecurity(SecurityLevel::kEncrypted);
1904 ReceivePairingFeatures();
1905 RunUntilIdle();
1906
1907 UInt128 confirm, random;
1908 GenerateMatchingLegacyConfirmAndRandom(&confirm, &random);
1909
1910 ReceivePairingConfirm(confirm);
1911 RunUntilIdle();
1912
1913 EXPECT_EQ(1, pairing_confirm_count());
1914 EXPECT_EQ(1, pairing_random_count());
1915 EXPECT_EQ(0, pairing_failed_count());
1916 EXPECT_EQ(0, security_callback_count());
1917
1918 ReceivePairingFailed(ErrorCode::kConfirmValueFailed);
1919 RunUntilIdle();
1920
1921 EXPECT_EQ(1, pairing_confirm_count());
1922 EXPECT_EQ(1, pairing_random_count());
1923 EXPECT_EQ(0, pairing_failed_count());
1924 EXPECT_EQ(1, security_callback_count());
1925 EXPECT_EQ(ToResult(ErrorCode::kConfirmValueFailed), security_status());
1926 }
1927
1928 // Encryption with STK fails.
TEST_F(InitiatorPairingTest,EncryptionWithSTKFails)1929 TEST_F(InitiatorPairingTest, EncryptionWithSTKFails) {
1930 UInt128 stk;
1931 FastForwardToSTK(&stk);
1932
1933 ASSERT_TRUE(fake_link()->ltk());
1934 EXPECT_EQ(stk, fake_link()->ltk()->value());
1935 EXPECT_EQ(0u, fake_link()->ltk()->ediv());
1936 EXPECT_EQ(0u, fake_link()->ltk()->rand());
1937
1938 // The host should have requested encryption.
1939 EXPECT_EQ(SecurityProperties(), pairing()->security());
1940 EXPECT_EQ(1, fake_link()->start_encryption_count());
1941
1942 fake_link()->TriggerEncryptionChangeCallback(
1943 ToResult(pw::bluetooth::emboss::StatusCode::PIN_OR_KEY_MISSING)
1944 .take_error());
1945 RunUntilIdle();
1946
1947 EXPECT_EQ(1, pairing_failed_count());
1948 EXPECT_EQ(1, security_callback_count());
1949 EXPECT_EQ(1, auth_failure_callback_count());
1950 EXPECT_EQ(ToResult(ErrorCode::kUnspecifiedReason), security_status());
1951 EXPECT_EQ(ErrorCode::kUnspecifiedReason, received_error_code());
1952 EXPECT_EQ(ToResult(pw::bluetooth::emboss::StatusCode::PIN_OR_KEY_MISSING),
1953 auth_failure_status());
1954
1955 // No security property update should have been sent since the security
1956 // properties have not changed.
1957 EXPECT_EQ(0, new_sec_props_count());
1958 EXPECT_EQ(SecurityProperties(), pairing()->security());
1959 }
1960
TEST_F(InitiatorPairingTest,EncryptionDisabledInPhase2)1961 TEST_F(InitiatorPairingTest, EncryptionDisabledInPhase2) {
1962 UInt128 stk;
1963 FastForwardToSTK(&stk);
1964
1965 ASSERT_TRUE(fake_link()->ltk());
1966 EXPECT_EQ(stk, fake_link()->ltk()->value());
1967 EXPECT_EQ(0u, fake_link()->ltk()->ediv());
1968 EXPECT_EQ(0u, fake_link()->ltk()->rand());
1969
1970 // The host should have requested encryption.
1971 EXPECT_EQ(1, fake_link()->start_encryption_count());
1972 EXPECT_EQ(SecurityProperties(), pairing()->security());
1973
1974 fake_link()->TriggerEncryptionChangeCallback(fit::ok(/*enabled=*/false));
1975 RunUntilIdle();
1976
1977 EXPECT_EQ(1, pairing_failed_count());
1978 EXPECT_EQ(1, security_callback_count());
1979 EXPECT_EQ(0, auth_failure_callback_count());
1980 EXPECT_EQ(ToResult(ErrorCode::kUnspecifiedReason), security_status());
1981 EXPECT_EQ(ErrorCode::kUnspecifiedReason, received_error_code());
1982
1983 // No security property update should have been sent since the security
1984 // properties have not changed.
1985 EXPECT_EQ(0, new_sec_props_count());
1986 EXPECT_EQ(SecurityProperties(), pairing()->security());
1987 }
1988
1989 // Tests that the STK is generated according to the max length provided
TEST_F(InitiatorPairingTest,StkLengthGeneration)1990 TEST_F(InitiatorPairingTest, StkLengthGeneration) {
1991 UInt128 stk;
1992 uint8_t max_key_size = 10;
1993 FastForwardToSTK(&stk, SecurityLevel::kEncrypted, 0, 0, max_key_size);
1994
1995 // At this stage, the stk is stored here
1996 ASSERT_TRUE(fake_link()->ltk());
1997
1998 // Ensure that most significant (16 - max_key_size) bytes are zero. The key
1999 // should be generated up to the max_key_size.
2000 for (auto i = max_key_size; i < fake_link()->ltk()->value().size(); i++) {
2001 EXPECT_TRUE(fake_link()->ltk()->value()[i] == 0);
2002 }
2003 }
2004
2005 // Tests that the pairing procedure ends after encryption with the STK if there
2006 // are no keys to distribute, and that no keys are notified for Legacy pairing
2007 // in this case.
TEST_F(InitiatorPairingTest,LegacyPhase3CompleteWithoutKeyExchange)2008 TEST_F(InitiatorPairingTest, LegacyPhase3CompleteWithoutKeyExchange) {
2009 UInt128 stk;
2010 FastForwardToSTK(&stk);
2011
2012 ASSERT_TRUE(fake_link()->ltk());
2013 EXPECT_EQ(stk, fake_link()->ltk()->value());
2014 EXPECT_EQ(0u, fake_link()->ltk()->ediv());
2015 EXPECT_EQ(0u, fake_link()->ltk()->rand());
2016
2017 // The host should have requested encryption.
2018 EXPECT_EQ(1, fake_link()->start_encryption_count());
2019
2020 fake_link()->TriggerEncryptionChangeCallback(fit::ok(/*enabled=*/true));
2021 RunUntilIdle();
2022
2023 // Pairing should succeed without any pairing data.
2024 EXPECT_EQ(1, pairing_data_callback_count());
2025 EXPECT_FALSE(peer_ltk());
2026 EXPECT_FALSE(irk());
2027 EXPECT_FALSE(identity());
2028 EXPECT_FALSE(csrk());
2029
2030 // Should have been called at least once to determine local identity
2031 // availability.
2032 EXPECT_NE(0, local_id_info_callback_count());
2033
2034 EXPECT_EQ(0, pairing_failed_count());
2035 EXPECT_EQ(1, security_callback_count());
2036 EXPECT_EQ(1, pairing_complete_count());
2037 EXPECT_EQ(0, id_info_count());
2038 EXPECT_EQ(0, id_addr_info_count());
2039 EXPECT_EQ(fit::ok(), security_status());
2040 EXPECT_EQ(security_status(), pairing_complete_status());
2041
2042 EXPECT_EQ(SecurityLevel::kEncrypted, sec_props().level());
2043 EXPECT_EQ(16u, sec_props().enc_key_size());
2044 EXPECT_FALSE(sec_props().secure_connections());
2045
2046 // The security properties should have been updated to match the STK.
2047 EXPECT_EQ(1, new_sec_props_count());
2048 EXPECT_EQ(sec_props(), pairing()->security());
2049
2050 ASSERT_TRUE(fake_link()->ltk());
2051 }
2052
2053 // Tests that for Secure Connections, the pairing procedure ends after
2054 // encryption with the LTK if there are no keys to distribute, and that the LTK
2055 // is notified.
TEST_F(InitiatorPairingTest,ScPhase3CompleteWithoutKeyExchange)2056 TEST_F(InitiatorPairingTest, ScPhase3CompleteWithoutKeyExchange) {
2057 UInt128 ltk_bytes;
2058 const SecurityProperties kExpectedSecurity(SecurityLevel::kEncrypted,
2059 kMaxEncryptionKeySize,
2060 /*secure_connections=*/true);
2061 FastForwardToPhase3(<k_bytes,
2062 /*secure_connections=*/true,
2063 kExpectedSecurity.level(),
2064 KeyDistGenField{0},
2065 KeyDistGenField{0});
2066
2067 const LTK kExpectedLtk(kExpectedSecurity, hci_spec::LinkKey(ltk_bytes, 0, 0));
2068 ASSERT_TRUE(fake_link()->ltk());
2069 EXPECT_EQ(kExpectedLtk.key(), fake_link()->ltk());
2070
2071 // Pairing should succeed with the LTK as the SC pairing is bondable, even
2072 // though no keys need to be distributed in Phase 3.
2073 EXPECT_EQ(1, pairing_data_callback_count());
2074 EXPECT_TRUE(peer_ltk().has_value());
2075 EXPECT_EQ(kExpectedLtk, peer_ltk());
2076 EXPECT_EQ(peer_ltk(), local_ltk());
2077 EXPECT_FALSE(irk());
2078 EXPECT_FALSE(identity());
2079 EXPECT_FALSE(csrk());
2080
2081 // Should have been called at least once to determine local identity
2082 // availability.
2083 EXPECT_NE(0, local_id_info_callback_count());
2084
2085 EXPECT_EQ(0, pairing_failed_count());
2086 EXPECT_EQ(1, security_callback_count());
2087 EXPECT_EQ(1, pairing_complete_count());
2088 EXPECT_EQ(0, id_info_count());
2089 EXPECT_EQ(0, id_addr_info_count());
2090 EXPECT_EQ(fit::ok(), security_status());
2091 EXPECT_EQ(security_status(), pairing_complete_status());
2092
2093 EXPECT_EQ(kExpectedSecurity, sec_props());
2094
2095 // The security properties should have been updated to match the LTK.
2096 EXPECT_EQ(1, new_sec_props_count());
2097 EXPECT_EQ(sec_props(), pairing()->security());
2098
2099 ASSERT_TRUE(fake_link()->ltk());
2100 }
2101
2102 // Tests that Secure Connections ignores the EncKey bit in the key distribution
2103 // field.
TEST_F(InitiatorPairingTest,ScPhase3EncKeyBitSetNotDistributed)2104 TEST_F(InitiatorPairingTest, ScPhase3EncKeyBitSetNotDistributed) {
2105 UInt128 ltk_bytes;
2106 const SecurityProperties kExpectedSecurity(SecurityLevel::kEncrypted,
2107 kMaxEncryptionKeySize,
2108 /*secure_connections=*/true);
2109 // We will request the EncKey from the peer and the peer will respond that it
2110 // is capable of sending it, but as this is SC pairing that should not occur.
2111 KeyDistGenField remote_keys{KeyDistGen::kEncKey}, local_keys{0};
2112 FastForwardToScLtk(<k_bytes,
2113 kExpectedSecurity.level(),
2114 remote_keys,
2115 local_keys,
2116 BondableMode::Bondable);
2117
2118 const LTK kExpectedLtk(kExpectedSecurity, hci_spec::LinkKey(ltk_bytes, 0, 0));
2119 ASSERT_TRUE(fake_link()->ltk());
2120 EXPECT_EQ(kExpectedLtk.key(), fake_link()->ltk());
2121
2122 // The host should have requested encryption.
2123 EXPECT_EQ(1, fake_link()->start_encryption_count());
2124
2125 fake_link()->TriggerEncryptionChangeCallback(fit::ok(/*enabled=*/true));
2126 RunUntilIdle();
2127
2128 // Pairing should succeed without any messages being sent in "Phase 3". The
2129 // LTK was generated in SC Phase 2, and as the pairing is bondable, it is
2130 // included in the callback.
2131 EXPECT_EQ(1, pairing_data_callback_count());
2132 EXPECT_TRUE(peer_ltk().has_value());
2133 EXPECT_EQ(kExpectedLtk, peer_ltk());
2134 EXPECT_FALSE(irk());
2135 EXPECT_FALSE(identity());
2136 EXPECT_FALSE(csrk());
2137
2138 // Should have been called at least once to determine local identity
2139 // availability.
2140 EXPECT_NE(0, local_id_info_callback_count());
2141
2142 EXPECT_EQ(0, pairing_failed_count());
2143 EXPECT_EQ(1, security_callback_count());
2144 EXPECT_EQ(1, pairing_complete_count());
2145 EXPECT_EQ(0, id_info_count());
2146 EXPECT_EQ(0, id_addr_info_count());
2147 EXPECT_EQ(fit::ok(), security_status());
2148 EXPECT_EQ(security_status(), pairing_complete_status());
2149
2150 EXPECT_EQ(kExpectedSecurity, sec_props());
2151
2152 // The security properties should have been updated to match the LTK.
2153 EXPECT_EQ(1, new_sec_props_count());
2154 EXPECT_EQ(sec_props(), pairing()->security());
2155
2156 ASSERT_TRUE(fake_link()->ltk());
2157 }
2158
2159 // Tests that for Secure Connections non-bondable mode, the pairing procedure
2160 // ends after encryption with the key generated in Phase 2, but the upper layers
2161 // are not notified of that key as an LTK.
TEST_F(InitiatorPairingTest,ScPhase3NonBondableCompleteWithoutKeyExchange)2162 TEST_F(InitiatorPairingTest, ScPhase3NonBondableCompleteWithoutKeyExchange) {
2163 // Must have DisplayYesNo IOC to generate Authenticated security per
2164 // kExpectedSecurity
2165 SetUpSecurityManager(IOCapability::kDisplayYesNo);
2166 const SecurityProperties kExpectedSecurity(SecurityLevel::kAuthenticated,
2167 kMaxEncryptionKeySize,
2168 /*secure_connections=*/true);
2169 UInt128 ltk_bytes;
2170 FastForwardToScLtk(<k_bytes,
2171 kExpectedSecurity.level(),
2172 KeyDistGenField{0},
2173 KeyDistGenField{0},
2174 BondableMode::NonBondable);
2175
2176 const hci_spec::LinkKey kExpectedLinkKey(ltk_bytes, 0, 0);
2177 ASSERT_TRUE(fake_link()->ltk());
2178 EXPECT_EQ(kExpectedLinkKey, fake_link()->ltk());
2179
2180 // The host should have requested encryption.
2181 EXPECT_EQ(1, fake_link()->start_encryption_count());
2182
2183 fake_link()->TriggerEncryptionChangeCallback(fit::ok(/*enabled=*/true));
2184 RunUntilIdle();
2185
2186 // Pairing should succeed with the LTK as we are in SC, but as the pairing is
2187 // non-bondable, no LTK should be relayed up to the delegate.
2188 EXPECT_EQ(0, pairing_data_callback_count());
2189
2190 EXPECT_EQ(0, pairing_failed_count());
2191 EXPECT_EQ(1, security_callback_count());
2192 EXPECT_EQ(1, pairing_complete_count());
2193 EXPECT_EQ(0, id_info_count());
2194 EXPECT_EQ(0, id_addr_info_count());
2195 EXPECT_EQ(fit::ok(), security_status());
2196 EXPECT_EQ(security_status(), pairing_complete_status());
2197
2198 EXPECT_EQ(kExpectedSecurity, sec_props());
2199
2200 // The security properties should have been updated to match the LTK.
2201 EXPECT_EQ(1, new_sec_props_count());
2202 EXPECT_EQ(sec_props(), pairing()->security());
2203
2204 ASSERT_TRUE(fake_link()->ltk());
2205 }
2206
TEST_F(InitiatorPairingTest,Phase3EncryptionInformationReceivedTwice)2207 TEST_F(InitiatorPairingTest, Phase3EncryptionInformationReceivedTwice) {
2208 UInt128 stk;
2209 FastForwardToPhase3(&stk,
2210 /*secure_connections=*/false,
2211 SecurityLevel::kEncrypted,
2212 KeyDistGen::kEncKey);
2213
2214 // Pairing should still be in progress.
2215 EXPECT_EQ(0, pairing_failed_count());
2216 EXPECT_EQ(0, security_callback_count());
2217 EXPECT_EQ(0, pairing_data_callback_count());
2218
2219 ReceiveEncryptionInformation(UInt128());
2220 RunUntilIdle();
2221
2222 // Waiting for EDIV and Rand
2223 EXPECT_EQ(0, pairing_failed_count());
2224 EXPECT_EQ(0, security_callback_count());
2225
2226 // Send the LTK twice. This should cause pairing to fail.
2227 ReceiveEncryptionInformation(UInt128());
2228 RunUntilIdle();
2229 EXPECT_EQ(1, pairing_failed_count());
2230 EXPECT_EQ(1, security_callback_count());
2231 EXPECT_EQ(1, pairing_complete_count());
2232 EXPECT_EQ(ToResult(ErrorCode::kUnspecifiedReason), security_status());
2233 EXPECT_EQ(ErrorCode::kUnspecifiedReason, received_error_code());
2234 EXPECT_EQ(security_status(), pairing_complete_status());
2235 }
2236
2237 // The responder sends EDIV and Rand before LTK.
TEST_F(InitiatorPairingTest,Phase3CentralIdentificationReceivedInWrongOrder)2238 TEST_F(InitiatorPairingTest, Phase3CentralIdentificationReceivedInWrongOrder) {
2239 UInt128 stk;
2240 FastForwardToPhase3(&stk,
2241 /*secure_connections=*/false,
2242 SecurityLevel::kEncrypted,
2243 KeyDistGen::kEncKey);
2244
2245 // Pairing should still be in progress.
2246 EXPECT_EQ(0, pairing_failed_count());
2247 EXPECT_EQ(0, security_callback_count());
2248 EXPECT_EQ(0, pairing_data_callback_count());
2249
2250 // Send central identification before encryption information. This should
2251 // cause pairing to fail.
2252 ReceiveCentralIdentification(1, 2);
2253 RunUntilIdle();
2254
2255 EXPECT_EQ(1, pairing_failed_count());
2256 EXPECT_EQ(1, security_callback_count());
2257 EXPECT_EQ(1, pairing_complete_count());
2258 EXPECT_EQ(ToResult(ErrorCode::kUnspecifiedReason), security_status());
2259 EXPECT_EQ(ErrorCode::kUnspecifiedReason, received_error_code());
2260 EXPECT_EQ(security_status(), pairing_complete_status());
2261 }
2262
2263 // The responder sends the sample LTK from the specification doc
TEST_F(InitiatorPairingTest,Phase3CentralIdentificationReceiveSampleLTK)2264 TEST_F(InitiatorPairingTest, Phase3CentralIdentificationReceiveSampleLTK) {
2265 UInt128 stk;
2266 FastForwardToPhase3(&stk,
2267 /*secure_connections=*/false,
2268 SecurityLevel::kEncrypted,
2269 KeyDistGen::kEncKey);
2270
2271 const UInt128 kLtkSample{{0xBF,
2272 0x01,
2273 0xFB,
2274 0x9D,
2275 0x4E,
2276 0xF3,
2277 0xBC,
2278 0x36,
2279 0xD8,
2280 0x74,
2281 0xF5,
2282 0x39,
2283 0x41,
2284 0x38,
2285 0x68,
2286 0x4C}};
2287
2288 // Pairing should still be in progress.
2289 EXPECT_EQ(0, pairing_failed_count());
2290 EXPECT_EQ(0, security_callback_count());
2291 EXPECT_EQ(0, pairing_data_callback_count());
2292
2293 // Send a bad LTK, this should cause pairing to fail.
2294 ReceiveEncryptionInformation(kLtkSample);
2295 RunUntilIdle();
2296
2297 EXPECT_EQ(1, pairing_failed_count());
2298 EXPECT_EQ(1, security_callback_count());
2299 EXPECT_EQ(1, pairing_complete_count());
2300 EXPECT_EQ(ToResult(ErrorCode::kUnspecifiedReason), security_status());
2301 EXPECT_EQ(ErrorCode::kUnspecifiedReason, received_error_code());
2302 EXPECT_EQ(security_status(), pairing_complete_status());
2303 }
2304
2305 // The responder sends the sample Rand from the specification doc
TEST_F(InitiatorPairingTest,Phase3CentralIdentificationReceiveExampleRand)2306 TEST_F(InitiatorPairingTest, Phase3CentralIdentificationReceiveExampleRand) {
2307 UInt128 stk;
2308 FastForwardToPhase3(&stk,
2309 /*secure_connections=*/false,
2310 SecurityLevel::kEncrypted,
2311 KeyDistGen::kEncKey);
2312
2313 uint64_t kRandSample = 0xABCDEF1234567890;
2314 uint16_t kEDiv = 20;
2315
2316 // Pairing should still be in progress.
2317 EXPECT_EQ(0, pairing_failed_count());
2318 EXPECT_EQ(0, security_callback_count());
2319 EXPECT_EQ(0, pairing_data_callback_count());
2320
2321 // Send a bad Rand, this should cause pairing to fail.
2322 ReceiveEncryptionInformation(UInt128());
2323 ReceiveCentralIdentification(kRandSample, kEDiv);
2324 RunUntilIdle();
2325
2326 EXPECT_EQ(1, pairing_failed_count());
2327 EXPECT_EQ(1, security_callback_count());
2328 EXPECT_EQ(1, pairing_complete_count());
2329 EXPECT_EQ(ToResult(ErrorCode::kUnspecifiedReason), security_status());
2330 EXPECT_EQ(ErrorCode::kUnspecifiedReason, received_error_code());
2331 EXPECT_EQ(security_status(), pairing_complete_status());
2332 }
2333
2334 // The responder sends an LTK that is longer than the max key size
TEST_F(InitiatorPairingTest,Phase3CentralIdentificationReceiveLongLTK)2335 TEST_F(InitiatorPairingTest, Phase3CentralIdentificationReceiveLongLTK) {
2336 UInt128 stk;
2337 auto max_key_size = 8;
2338 FastForwardToPhase3(&stk,
2339 /*secure_connections=*/false,
2340 SecurityLevel::kEncrypted,
2341 KeyDistGen::kEncKey,
2342 0,
2343 max_key_size);
2344
2345 const UInt128 kLtk{{1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 6, 7, 8}};
2346
2347 // Pairing should still be in progress.
2348 EXPECT_EQ(0, pairing_failed_count());
2349 EXPECT_EQ(0, security_callback_count());
2350 EXPECT_EQ(0, pairing_data_callback_count());
2351
2352 // Send a long LTK, this should cause pairing to fail.
2353 ReceiveEncryptionInformation(kLtk);
2354 RunUntilIdle();
2355
2356 EXPECT_EQ(1, pairing_failed_count());
2357 EXPECT_EQ(1, security_callback_count());
2358 EXPECT_EQ(1, pairing_complete_count());
2359 EXPECT_EQ(ToResult(ErrorCode::kInvalidParameters), security_status());
2360 EXPECT_EQ(ErrorCode::kInvalidParameters, received_error_code());
2361 EXPECT_EQ(security_status(), pairing_complete_status());
2362 }
2363
TEST_F(InitiatorPairingTest,Phase3CentralIdentificationReceivedTwice)2364 TEST_F(InitiatorPairingTest, Phase3CentralIdentificationReceivedTwice) {
2365 UInt128 stk;
2366 FastForwardToPhase3(&stk,
2367 /*secure_connections=*/false,
2368 SecurityLevel::kEncrypted,
2369 KeyDistGen::kEncKey);
2370
2371 // Pairing should still be in progress.
2372 EXPECT_EQ(0, pairing_failed_count());
2373 EXPECT_EQ(0, security_callback_count());
2374 EXPECT_EQ(0, pairing_data_callback_count());
2375
2376 constexpr uint16_t kEdiv = 1;
2377 constexpr uint64_t kRand = 2;
2378 constexpr uint16_t kDupEdiv = 3;
2379 constexpr uint64_t kDupRand = 4;
2380
2381 // Send duplicate central identification. Pairing should complete with the
2382 // first set of information. The second set should get ignored.
2383 ReceiveEncryptionInformation(UInt128());
2384 ReceiveCentralIdentification(kRand, kEdiv);
2385 ReceiveCentralIdentification(kDupRand, kDupEdiv);
2386 RunUntilIdle();
2387
2388 EXPECT_EQ(0, pairing_failed_count());
2389 EXPECT_EQ(1, security_callback_count());
2390 EXPECT_EQ(1, pairing_complete_count());
2391 EXPECT_EQ(1, pairing_data_callback_count());
2392 EXPECT_EQ(fit::ok(), security_status());
2393 EXPECT_EQ(security_status(), pairing_complete_status());
2394 ASSERT_TRUE(pairing_data().peer_ltk.has_value());
2395 EXPECT_EQ(kEdiv, pairing_data().peer_ltk->key().ediv());
2396 EXPECT_EQ(kRand, pairing_data().peer_ltk->key().rand());
2397 }
2398
2399 // Pairing completes after obtaining peer encryption information only.
TEST_F(InitiatorPairingTest,Phase3CompleteWithReceivingEncKey)2400 TEST_F(InitiatorPairingTest, Phase3CompleteWithReceivingEncKey) {
2401 UInt128 stk;
2402 FastForwardToPhase3(&stk,
2403 /*secure_connections=*/false,
2404 SecurityLevel::kEncrypted,
2405 KeyDistGen::kEncKey);
2406
2407 const UInt128 kLTK{{1, 2, 3, 4, 5, 6, 7, 8, 7, 6, 5, 4, 3, 2, 1, 0}};
2408 uint64_t kRand = 5;
2409 uint16_t kEDiv = 20;
2410
2411 ReceiveEncryptionInformation(kLTK);
2412 ReceiveCentralIdentification(kRand, kEDiv);
2413 RunUntilIdle();
2414
2415 // Pairing should have succeeded.
2416 EXPECT_EQ(0, pairing_failed_count());
2417 EXPECT_EQ(1, security_callback_count());
2418 EXPECT_EQ(1, pairing_complete_count());
2419 EXPECT_EQ(fit::ok(), security_status());
2420 EXPECT_EQ(security_status(), pairing_complete_status());
2421
2422 // LTK should have been assigned to the link.
2423 ASSERT_TRUE(fake_link()->ltk());
2424 EXPECT_EQ(kLTK, fake_link()->ltk()->value());
2425 EXPECT_EQ(kRand, fake_link()->ltk()->rand());
2426 EXPECT_EQ(kEDiv, fake_link()->ltk()->ediv());
2427
2428 // We don't re-encrypt with the LTK while the link is already authenticated
2429 // with the STK.
2430 EXPECT_EQ(1, fake_link()->start_encryption_count());
2431
2432 EXPECT_EQ(SecurityLevel::kEncrypted, sec_props().level());
2433 EXPECT_EQ(16u, sec_props().enc_key_size());
2434 EXPECT_FALSE(sec_props().secure_connections());
2435
2436 // Should have been called at least once to determine local identity
2437 // availability.
2438 EXPECT_NE(0, local_id_info_callback_count());
2439
2440 // Local identity information should not have been distributed by us since it
2441 // isn't available.
2442 EXPECT_EQ(0, id_info_count());
2443 EXPECT_EQ(0, id_addr_info_count());
2444
2445 // Should have notified the LTK.
2446 EXPECT_EQ(1, pairing_data_callback_count());
2447 ASSERT_TRUE(peer_ltk());
2448 ASSERT_FALSE(irk());
2449 ASSERT_FALSE(identity());
2450 ASSERT_FALSE(csrk());
2451 EXPECT_EQ(sec_props(), peer_ltk()->security());
2452 EXPECT_EQ(kLTK, peer_ltk()->key().value());
2453 EXPECT_EQ(kRand, peer_ltk()->key().rand());
2454 EXPECT_EQ(kEDiv, peer_ltk()->key().ediv());
2455
2456 // No security property update should have been sent for the LTK. This is
2457 // because the LTK and the STK are expected to have the same properties.
2458 EXPECT_EQ(1, new_sec_props_count());
2459 }
2460
TEST_F(InitiatorPairingTest,Phase3CompleteWithSendingEncKey)2461 TEST_F(InitiatorPairingTest, Phase3CompleteWithSendingEncKey) {
2462 UInt128 stk;
2463 KeyDistGenField remote_keys{0u}, local_keys{KeyDistGen::kEncKey};
2464 FastForwardToPhase3(&stk,
2465 /*secure_connections=*/false,
2466 SecurityLevel::kEncrypted,
2467 remote_keys,
2468 local_keys);
2469 RunUntilIdle();
2470
2471 // Pairing should have succeeded.
2472 EXPECT_EQ(0, pairing_failed_count());
2473 EXPECT_EQ(1, security_callback_count());
2474 EXPECT_EQ(1, pairing_complete_count());
2475 EXPECT_EQ(fit::ok(), security_status());
2476 EXPECT_EQ(security_status(), pairing_complete_status());
2477
2478 // Only the STK should be assigned to the link, as the distributed LTK was
2479 // initiator-generated. This means it can only be used to encrypt future
2480 // connections where the roles are reversed.
2481 EXPECT_EQ(stk, fake_link()->ltk()->value());
2482 EXPECT_EQ(1, fake_link()->start_encryption_count());
2483
2484 // Should have been called at least once to determine local identity
2485 // availability.
2486 EXPECT_NE(0, local_id_info_callback_count());
2487
2488 // Should have notified pairing data callback with the LTK.
2489 EXPECT_EQ(1, pairing_data_callback_count());
2490 ASSERT_TRUE(local_ltk());
2491
2492 // LTK sent OTA should match what we notified the pairing data callback with.
2493 EXPECT_EQ(local_ltk()->key(), hci_spec::LinkKey(enc_info(), rand(), ediv()));
2494 }
2495
2496 // Pairing completes after obtaining short encryption information only.
TEST_F(InitiatorPairingTest,Phase3CompleteWithShortEncKey)2497 TEST_F(InitiatorPairingTest, Phase3CompleteWithShortEncKey) {
2498 UInt128 stk;
2499 uint8_t max_key_size = 12;
2500 FastForwardToPhase3(&stk,
2501 /*secure_connections=*/false,
2502 SecurityLevel::kEncrypted,
2503 KeyDistGen::kEncKey,
2504 0u,
2505 max_key_size);
2506
2507 // This LTK is within the max_key_size specified above.
2508 const UInt128 kLTK{{1, 2, 3, 4, 5, 6, 7, 8, 7, 6, 5, 4, 0, 0, 0, 0}};
2509 uint64_t kRand = 5;
2510 uint16_t kEDiv = 20;
2511
2512 ReceiveEncryptionInformation(kLTK);
2513 ReceiveCentralIdentification(kRand, kEDiv);
2514 RunUntilIdle();
2515
2516 // Pairing should have succeeded.
2517 EXPECT_EQ(0, pairing_failed_count());
2518 EXPECT_EQ(1, security_callback_count());
2519 EXPECT_EQ(1, pairing_complete_count());
2520 EXPECT_EQ(fit::ok(), security_status());
2521 EXPECT_EQ(security_status(), pairing_complete_status());
2522
2523 // LTK should have been assigned to the link.
2524 ASSERT_TRUE(fake_link()->ltk());
2525 EXPECT_EQ(kLTK, fake_link()->ltk()->value());
2526 EXPECT_EQ(kRand, fake_link()->ltk()->rand());
2527 EXPECT_EQ(kEDiv, fake_link()->ltk()->ediv());
2528
2529 // We don't re-encrypt with the LTK while the link is already authenticated
2530 // with the STK.
2531 EXPECT_EQ(1, fake_link()->start_encryption_count());
2532
2533 EXPECT_EQ(SecurityLevel::kEncrypted, sec_props().level());
2534 EXPECT_EQ(max_key_size, sec_props().enc_key_size());
2535 EXPECT_FALSE(sec_props().secure_connections());
2536
2537 // Should have been called at least once to determine local identity
2538 // availability.
2539 EXPECT_NE(0, local_id_info_callback_count());
2540
2541 // Local identity information should not have been distributed by us since it
2542 // isn't available.
2543 EXPECT_EQ(0, id_info_count());
2544 EXPECT_EQ(0, id_addr_info_count());
2545
2546 // Should have notified the LTK.
2547 EXPECT_EQ(1, pairing_data_callback_count());
2548 ASSERT_TRUE(peer_ltk());
2549 ASSERT_FALSE(irk());
2550 ASSERT_FALSE(identity());
2551 ASSERT_FALSE(csrk());
2552 EXPECT_EQ(sec_props(), peer_ltk()->security());
2553 EXPECT_EQ(kLTK, peer_ltk()->key().value());
2554 EXPECT_EQ(kRand, peer_ltk()->key().rand());
2555 EXPECT_EQ(kEDiv, peer_ltk()->key().ediv());
2556
2557 // No security property update should have been sent for the LTK. This is
2558 // because the LTK and the STK are expected to have the same properties.
2559 EXPECT_EQ(1, new_sec_props_count());
2560 }
2561
TEST_F(InitiatorPairingTest,Phase3WithLocalIdKey)2562 TEST_F(InitiatorPairingTest, Phase3WithLocalIdKey) {
2563 IdentityInfo local_id_info;
2564 local_id_info.irk = UInt128{{1, 2, 3, 4, 5, 6, 7, 8, 7, 6, 5, 4, 3, 2, 1, 0}};
2565 local_id_info.address = kLocalAddr;
2566 set_local_id_info(local_id_info);
2567
2568 UInt128 stk;
2569 FastForwardToPhase3(&stk,
2570 /*secure_connections=*/false,
2571 SecurityLevel::kEncrypted,
2572 0, // remote keys
2573 KeyDistGen::kIdKey); // local keys
2574
2575 // Local identity information should have been sent.
2576 EXPECT_EQ(1, id_info_count());
2577 EXPECT_EQ(local_id_info.irk, id_info());
2578 EXPECT_EQ(1, id_addr_info_count());
2579 EXPECT_EQ(local_id_info.address, id_addr_info());
2580
2581 // Pairing should succeed without notifying any keys.
2582 EXPECT_EQ(0, pairing_failed_count());
2583 EXPECT_EQ(1, security_callback_count());
2584 EXPECT_EQ(1, pairing_complete_count());
2585 EXPECT_EQ(fit::ok(), security_status());
2586 EXPECT_EQ(security_status(), pairing_complete_status());
2587 }
2588
2589 // Tests that pairing results in an error if a local ID key was initially
2590 // negotiated but gets removed before the distribution phase.
TEST_F(InitiatorPairingTest,Phase3IsAbortedIfLocalIdKeyIsRemoved)2591 TEST_F(InitiatorPairingTest, Phase3IsAbortedIfLocalIdKeyIsRemoved) {
2592 IdentityInfo local_id_info;
2593 local_id_info.irk = UInt128{{1, 2, 3, 4, 5, 6, 7, 8, 7, 6, 5, 4, 3, 2, 1, 0}};
2594 local_id_info.address = kLocalAddr;
2595 set_local_id_info(local_id_info);
2596
2597 UInt128 stk;
2598 FastForwardToSTK(&stk,
2599 SecurityLevel::kEncrypted,
2600 0, // remote keys
2601 KeyDistGen::kIdKey); // local keys
2602
2603 // Local identity information should not have been sent yet.
2604 EXPECT_EQ(0, id_info_count());
2605 EXPECT_EQ(0, id_addr_info_count());
2606
2607 // Pairing still in progress.
2608 EXPECT_EQ(0, pairing_failed_count());
2609 EXPECT_EQ(0, security_callback_count());
2610 EXPECT_EQ(0, pairing_complete_count());
2611
2612 // Remove the local identity information.
2613 set_local_id_info(std::nullopt);
2614
2615 // Encrypt with the STK to finish phase 2.
2616 fake_link()->TriggerEncryptionChangeCallback(fit::ok(/*enabled=*/true));
2617 RunUntilIdle();
2618
2619 // Pairing should have been aborted.
2620 EXPECT_EQ(0, id_info_count());
2621 EXPECT_EQ(0, id_addr_info_count());
2622 EXPECT_EQ(1, pairing_failed_count());
2623 EXPECT_EQ(1, security_callback_count());
2624 EXPECT_EQ(1, pairing_complete_count());
2625 EXPECT_EQ(ToResult(ErrorCode::kUnspecifiedReason), security_status());
2626 }
2627
TEST_F(InitiatorPairingTest,Phase3IRKReceivedTwice)2628 TEST_F(InitiatorPairingTest, Phase3IRKReceivedTwice) {
2629 UInt128 stk;
2630 FastForwardToPhase3(&stk,
2631 /*secure_connections=*/false,
2632 SecurityLevel::kEncrypted,
2633 KeyDistGen::kIdKey);
2634
2635 // Pairing should still be in progress.
2636 EXPECT_EQ(0, pairing_failed_count());
2637 EXPECT_EQ(0, security_callback_count());
2638 EXPECT_EQ(0, pairing_data_callback_count());
2639
2640 ReceiveIdentityResolvingKey(UInt128());
2641 RunUntilIdle();
2642
2643 // Waiting for identity address.
2644 EXPECT_EQ(0, pairing_failed_count());
2645 EXPECT_EQ(0, security_callback_count());
2646 EXPECT_EQ(0, pairing_complete_count());
2647
2648 // Send an IRK again. This should cause pairing to fail.
2649 ReceiveIdentityResolvingKey(UInt128());
2650 RunUntilIdle();
2651 EXPECT_EQ(1, pairing_failed_count());
2652 EXPECT_EQ(1, security_callback_count());
2653 EXPECT_EQ(1, pairing_complete_count());
2654 EXPECT_EQ(ToResult(ErrorCode::kUnspecifiedReason), security_status());
2655 EXPECT_EQ(ErrorCode::kUnspecifiedReason, received_error_code());
2656 EXPECT_EQ(security_status(), pairing_complete_status());
2657 }
2658
2659 // The responder sends its identity address before sending its IRK.
TEST_F(InitiatorPairingTest,Phase3IdentityAddressReceivedInWrongOrder)2660 TEST_F(InitiatorPairingTest, Phase3IdentityAddressReceivedInWrongOrder) {
2661 UInt128 stk;
2662 FastForwardToPhase3(&stk,
2663 /*secure_connections=*/false,
2664 SecurityLevel::kEncrypted,
2665 KeyDistGen::kIdKey);
2666
2667 // Pairing should still be in progress.
2668 EXPECT_EQ(0, pairing_failed_count());
2669 EXPECT_EQ(0, security_callback_count());
2670 EXPECT_EQ(0, pairing_data_callback_count());
2671 EXPECT_EQ(0, pairing_complete_count());
2672
2673 // Send identity address before the IRK. This should cause pairing to fail.
2674 ReceiveIdentityAddress(kPeerAddr);
2675 RunUntilIdle();
2676
2677 EXPECT_EQ(1, pairing_failed_count());
2678 EXPECT_EQ(1, security_callback_count());
2679 EXPECT_EQ(1, pairing_complete_count());
2680 EXPECT_EQ(ToResult(ErrorCode::kUnspecifiedReason), security_status());
2681 EXPECT_EQ(ErrorCode::kUnspecifiedReason, received_error_code());
2682 EXPECT_EQ(security_status(), pairing_complete_status());
2683 }
2684
TEST_F(InitiatorPairingTest,Phase3IdentityAddressReceivedTwice)2685 TEST_F(InitiatorPairingTest, Phase3IdentityAddressReceivedTwice) {
2686 UInt128 stk;
2687 // Request enc key to prevent pairing from completing after sending the first
2688 // identity address.
2689 FastForwardToPhase3(&stk,
2690 /*secure_connections=*/false,
2691 SecurityLevel::kEncrypted,
2692 KeyDistGen::kEncKey | KeyDistGen::kIdKey);
2693
2694 // Pairing should still be in progress.
2695 EXPECT_EQ(0, pairing_failed_count());
2696 EXPECT_EQ(0, security_callback_count());
2697 EXPECT_EQ(0, pairing_data_callback_count());
2698 EXPECT_EQ(0, pairing_complete_count());
2699
2700 ReceiveIdentityResolvingKey(UInt128());
2701 ReceiveIdentityAddress(kPeerAddr);
2702 ReceiveIdentityAddress(kPeerAddr);
2703 RunUntilIdle();
2704
2705 EXPECT_EQ(1, pairing_failed_count());
2706 EXPECT_EQ(1, security_callback_count());
2707 EXPECT_EQ(1, pairing_complete_count());
2708 EXPECT_EQ(ToResult(ErrorCode::kUnspecifiedReason), security_status());
2709 EXPECT_EQ(ErrorCode::kUnspecifiedReason, received_error_code());
2710 EXPECT_EQ(security_status(), pairing_complete_status());
2711 }
2712
2713 // Pairing completes after obtaining identity information only.
TEST_F(InitiatorPairingTest,Phase3CompleteWithIdKey)2714 TEST_F(InitiatorPairingTest, Phase3CompleteWithIdKey) {
2715 UInt128 stk;
2716 FastForwardToPhase3(&stk,
2717 /*secure_connections=*/false,
2718 SecurityLevel::kEncrypted,
2719 KeyDistGen::kIdKey);
2720
2721 // Pairing should still be in progress.
2722 EXPECT_EQ(0, pairing_failed_count());
2723 EXPECT_EQ(0, security_callback_count());
2724 EXPECT_EQ(0, pairing_data_callback_count());
2725 EXPECT_EQ(0, pairing_complete_count());
2726
2727 const UInt128 kIRK{{1, 2, 3, 4, 5, 6, 7, 8, 7, 6, 5, 4, 3, 2, 1, 0}};
2728
2729 ReceiveIdentityResolvingKey(kIRK);
2730 ReceiveIdentityAddress(kPeerAddr);
2731 RunUntilIdle();
2732
2733 EXPECT_EQ(0, pairing_failed_count());
2734 EXPECT_EQ(1, security_callback_count());
2735 EXPECT_EQ(1, pairing_complete_count());
2736 EXPECT_EQ(fit::ok(), security_status());
2737 EXPECT_EQ(security_status(), pairing_complete_status());
2738
2739 // The link remains encrypted with the STK.
2740 EXPECT_EQ(SecurityLevel::kEncrypted, sec_props().level());
2741 EXPECT_EQ(16u, sec_props().enc_key_size());
2742 EXPECT_FALSE(sec_props().secure_connections());
2743
2744 EXPECT_EQ(1, pairing_data_callback_count());
2745 ASSERT_FALSE(peer_ltk());
2746 ASSERT_TRUE(irk());
2747 ASSERT_TRUE(identity());
2748 ASSERT_FALSE(csrk());
2749
2750 EXPECT_EQ(sec_props(), irk()->security());
2751 EXPECT_EQ(kIRK, irk()->value());
2752 EXPECT_EQ(kPeerAddr, *identity());
2753 }
2754
TEST_F(InitiatorPairingTest,Phase3CompleteWithAllKeys)2755 TEST_F(InitiatorPairingTest, Phase3CompleteWithAllKeys) {
2756 UInt128 stk;
2757 FastForwardToPhase3(&stk,
2758 /*secure_connections=*/false,
2759 SecurityLevel::kEncrypted,
2760 KeyDistGen::kEncKey | KeyDistGen::kIdKey);
2761
2762 const UInt128 kLTK{{1, 2, 3, 4, 5, 6, 7, 8, 7, 6, 5, 4, 3, 2, 1, 0}};
2763 const UInt128 kIRK{{8, 7, 6, 5, 4, 3, 2, 1, 1, 2, 3, 4, 5, 6, 7, 8}};
2764 uint64_t kRand = 5;
2765 uint16_t kEDiv = 20;
2766
2767 // The link should be assigned the STK as its link key.
2768 EXPECT_EQ(stk, fake_link()->ltk()->value());
2769
2770 // Receive EncKey
2771 ReceiveEncryptionInformation(kLTK);
2772 ReceiveCentralIdentification(kRand, kEDiv);
2773 RunUntilIdle();
2774
2775 // Pairing still pending. SMP does not assign the LTK to the link until
2776 // pairing completes.
2777 EXPECT_EQ(0, pairing_failed_count());
2778 EXPECT_EQ(0, security_callback_count());
2779 EXPECT_EQ(0, pairing_complete_count());
2780
2781 // Receive IdKey
2782 ReceiveIdentityResolvingKey(kIRK);
2783 ReceiveIdentityAddress(kPeerAddr);
2784 RunUntilIdle();
2785
2786 // Pairing should have succeeded
2787 EXPECT_EQ(0, pairing_failed_count());
2788 EXPECT_EQ(1, security_callback_count());
2789 EXPECT_EQ(1, pairing_complete_count());
2790 EXPECT_EQ(fit::ok(), security_status());
2791 EXPECT_EQ(security_status(), pairing_complete_status());
2792
2793 // LTK should have been assigned to the link.
2794 ASSERT_TRUE(fake_link()->ltk());
2795 EXPECT_EQ(kLTK, fake_link()->ltk()->value());
2796 EXPECT_EQ(kRand, fake_link()->ltk()->rand());
2797 EXPECT_EQ(kEDiv, fake_link()->ltk()->ediv());
2798
2799 // We don't re-encrypt with the LTK while the link is already authenticated
2800 // with the STK.
2801 EXPECT_EQ(1, fake_link()->start_encryption_count());
2802
2803 EXPECT_EQ(SecurityLevel::kEncrypted, sec_props().level());
2804 EXPECT_EQ(16u, sec_props().enc_key_size());
2805 EXPECT_FALSE(sec_props().secure_connections());
2806
2807 // Should have notified the LTK.
2808 EXPECT_EQ(1, pairing_data_callback_count());
2809 ASSERT_TRUE(peer_ltk());
2810 ASSERT_TRUE(irk());
2811 ASSERT_TRUE(identity());
2812 ASSERT_FALSE(csrk());
2813 EXPECT_EQ(sec_props(), peer_ltk()->security());
2814 EXPECT_EQ(kLTK, peer_ltk()->key().value());
2815 EXPECT_EQ(kRand, peer_ltk()->key().rand());
2816 EXPECT_EQ(kEDiv, peer_ltk()->key().ediv());
2817 EXPECT_EQ(sec_props(), irk()->security());
2818 EXPECT_EQ(kIRK, irk()->value());
2819 EXPECT_EQ(kPeerAddr, *identity());
2820 }
2821
TEST_F(InitiatorPairingTest,GenerateCrossTransportLinkKey)2822 TEST_F(InitiatorPairingTest, GenerateCrossTransportLinkKey) {
2823 UInt128 stk;
2824 // Indicate support for SC and for link keys in both directions to enable
2825 // CTKG.
2826 FastForwardToPhase3(&stk,
2827 /*secure_connections=*/true,
2828 SecurityLevel::kEncrypted,
2829 KeyDistGen::kLinkKey,
2830 KeyDistGen::kLinkKey);
2831 RunUntilIdle();
2832
2833 // Pairing should have succeeded
2834 EXPECT_EQ(0, pairing_failed_count());
2835 EXPECT_EQ(1, security_callback_count());
2836 EXPECT_EQ(1, pairing_complete_count());
2837 EXPECT_EQ(fit::ok(), security_status());
2838 EXPECT_EQ(security_status(), pairing_complete_status());
2839
2840 // The PairingData should contain the CTKGenerated BR/EDR link key.
2841 EXPECT_TRUE(pairing_data().cross_transport_key.has_value());
2842 }
2843
TEST_F(InitiatorPairingTest,AssignLongTermKeyFailsDuringPairing)2844 TEST_F(InitiatorPairingTest, AssignLongTermKeyFailsDuringPairing) {
2845 UpgradeSecurity(SecurityLevel::kEncrypted); // Initiate pairing.
2846 SecurityProperties sec_props(
2847 SecurityLevel::kAuthenticated, 16, /*secure_connections=*/false);
2848 EXPECT_FALSE(
2849 pairing()->AssignLongTermKey(LTK(sec_props, hci_spec::LinkKey())));
2850 EXPECT_EQ(0, fake_link()->start_encryption_count());
2851 EXPECT_EQ(SecurityLevel::kNoSecurity, pairing()->security().level());
2852 }
2853
TEST_F(InitiatorPairingTest,AssignLongTermKey)2854 TEST_F(InitiatorPairingTest, AssignLongTermKey) {
2855 SecurityProperties sec_props(
2856 SecurityLevel::kAuthenticated, 16, /*secure_connections=*/false);
2857 LTK ltk(sec_props, hci_spec::LinkKey());
2858
2859 EXPECT_TRUE(pairing()->AssignLongTermKey(ltk));
2860 EXPECT_EQ(1, fake_link()->start_encryption_count());
2861 ASSERT_TRUE(fake_link()->ltk());
2862 EXPECT_EQ(ltk.key(), *fake_link()->ltk());
2863
2864 // The link security level is not assigned until successful encryption.
2865 EXPECT_EQ(SecurityProperties(), pairing()->security());
2866 fake_link()->TriggerEncryptionChangeCallback(fit::ok(/*enabled=*/true));
2867 RunUntilIdle();
2868
2869 EXPECT_EQ(1, new_sec_props_count());
2870 EXPECT_EQ(sec_props, new_sec_props());
2871 EXPECT_EQ(sec_props, pairing()->security());
2872 }
2873
TEST_F(InitiatorPairingTest,ReceiveSecurityRequest)2874 TEST_F(InitiatorPairingTest, ReceiveSecurityRequest) {
2875 ReceiveSecurityRequest(AuthReq::kMITM);
2876 RunUntilIdle();
2877
2878 // Should have requested pairing with MITM protection.
2879 EXPECT_EQ(1, pairing_request_count());
2880 const auto& params = local_pairing_cmd().view(1).To<PairingRequestParams>();
2881 EXPECT_TRUE(params.auth_req & AuthReq::kMITM);
2882 }
2883
TEST_F(InitiatorPairingTest,ReceiveSecurityRequestWhenPaired)2884 TEST_F(InitiatorPairingTest, ReceiveSecurityRequestWhenPaired) {
2885 UInt128 stk;
2886 FastForwardToPhase3(&stk,
2887 /*secure_connections=*/false,
2888 SecurityLevel::kEncrypted,
2889 KeyDistGen::kEncKey);
2890 EXPECT_EQ(stk, fake_link()->ltk()->value());
2891 EXPECT_EQ(1, pairing_request_count());
2892
2893 // Receive EncKey and wait until the link is encrypted with the LTK.
2894 UInt128 kLTK{{1, 2, 3, 4, 5, 6, 7, 8, 7, 6, 5, 4, 3, 2, 1, 0}};
2895 uint64_t kRand = 5;
2896 uint16_t kEDiv = 20;
2897 ReceiveEncryptionInformation(kLTK);
2898 ReceiveCentralIdentification(kRand, kEDiv);
2899 RunUntilIdle();
2900 fake_link()->TriggerEncryptionChangeCallback(fit::ok(/*enabled=*/true));
2901 RunUntilIdle();
2902 ASSERT_EQ(1, pairing_complete_count());
2903 ASSERT_EQ(fit::ok(), security_status());
2904 ASSERT_TRUE(peer_ltk());
2905 ASSERT_EQ(SecurityLevel::kEncrypted, sec_props().level());
2906 ASSERT_EQ(1, fake_link()->start_encryption_count()); // Once for the STK
2907 ASSERT_EQ(1, pairing_request_count());
2908
2909 // Receive a security request with the no MITM requirement. This should
2910 // trigger an encryption key refresh and no pairing request.
2911 ReceiveSecurityRequest();
2912 EXPECT_EQ(1, pairing_request_count());
2913
2914 // Once for the STK and once again due to the locally initiated key refresh.
2915 ASSERT_EQ(2, fake_link()->start_encryption_count());
2916
2917 // Receive a security request with a higher security requirement. This should
2918 // trigger a pairing request.
2919 ReceiveSecurityRequest(AuthReq::kMITM);
2920 EXPECT_EQ(2, pairing_request_count());
2921 const auto& params = local_pairing_cmd().view(1).To<PairingRequestParams>();
2922 EXPECT_TRUE(params.auth_req & AuthReq::kMITM);
2923 }
2924
TEST_F(InitiatorPairingTest,ReceiveMITMSecurityRequestLocalIoCapNoInputNoOutput)2925 TEST_F(InitiatorPairingTest,
2926 ReceiveMITMSecurityRequestLocalIoCapNoInputNoOutput) {
2927 SetUpSecurityManager(IOCapability::kNoInputNoOutput);
2928 ReceiveSecurityRequest(AuthReq::kMITM);
2929 // We should notify the peer that we cannot complete the security request due
2930 // to authentication requirements.
2931 EXPECT_EQ(1, pairing_failed_count());
2932 EXPECT_EQ(ErrorCode::kAuthenticationRequirements, received_error_code());
2933
2934 // When we receive a Security Request, we start a timer. Run the loop to
2935 // ensure that when we can't fulfill the Security Request, we stop the timer
2936 // before it expires as we never started pairing.
2937 RunFor(kPairingTimeout + std::chrono::seconds(1));
2938 // Double check we haven't sent any more Pairing Failed messages
2939 EXPECT_EQ(1, pairing_failed_count());
2940 // We should not notify local clients of any pairing completion, because no
2941 // pairing ever started.
2942 EXPECT_EQ(0, pairing_complete_count());
2943 }
2944
TEST_F(InitiatorPairingTest,RejectPairingRequest)2945 TEST_F(InitiatorPairingTest, RejectPairingRequest) {
2946 // Although we are the initiator, set the peer_initiator=true for this test so
2947 // that we emulate reception of the Pairing Request command, not the Pairing
2948 // Response command.
2949 ReceivePairingFeatures(IOCapability::kDisplayYesNo,
2950 AuthReqField{0},
2951 kMaxEncryptionKeySize,
2952 /*peer_initiator=*/true);
2953 RunUntilIdle();
2954 // We should reject the security request with CommandNotSupported as
2955 // initiator.
2956 EXPECT_EQ(1, pairing_failed_count());
2957 EXPECT_EQ(ErrorCode::kCommandNotSupported, received_error_code());
2958
2959 // Run for the full pairing timeout to ensure we do not timeout due to sending
2960 // a message.
2961 RunFor(kPairingTimeout + std::chrono::seconds(1));
2962 // No pairing occurred, as we rejected the security request command.
2963 EXPECT_EQ(0, pairing_complete_count());
2964 EXPECT_EQ(1, pairing_failed_count());
2965 }
2966
TEST_F(InitiatorPairingTest,PairingTimeoutWorks)2967 TEST_F(InitiatorPairingTest, PairingTimeoutWorks) {
2968 UpgradeSecurity(SecurityLevel::kEncrypted);
2969 RunUntilIdle();
2970 ASSERT_EQ(1, pairing_request_count());
2971 // Expiration of the pairing timeout should trigger the link error callback
2972 // per v5.2 Vol. 3 Part H 3.4. Link disconnection will generally cause channel
2973 // closure, so this simulates that behavior to validate that SM handles this
2974 // safely.
2975 fake_chan()->SetLinkErrorCallback([chan = fake_chan()]() { chan->Close(); });
2976 RunFor(kPairingTimeout);
2977 EXPECT_TRUE(fake_chan()->link_error());
2978 ASSERT_EQ(1, security_callback_count());
2979 EXPECT_EQ(ToResult(HostError::kTimedOut), security_status());
2980 ASSERT_EQ(1, pairing_complete_count());
2981 EXPECT_EQ(ToResult(HostError::kTimedOut), pairing_complete_status());
2982 }
2983
TEST_F(InitiatorPairingTest,NoTimeoutAfterSuccessfulPairing)2984 TEST_F(InitiatorPairingTest, NoTimeoutAfterSuccessfulPairing) {
2985 UInt128 out_stk;
2986 FastForwardToPhase3(&out_stk,
2987 /*secure_connections=*/false,
2988 SecurityLevel::kEncrypted,
2989 KeyDistGenField{0},
2990 KeyDistGenField{0});
2991 ASSERT_EQ(1, pairing_complete_count());
2992 ASSERT_EQ(1, security_callback_count());
2993 ASSERT_EQ(fit::ok(), security_status());
2994 ASSERT_EQ(fit::ok(), pairing_complete_status());
2995 // Verify that no timeout occurs after a successful pairing followed by a long
2996 // interval.
2997 RunFor(kPairingTimeout * 2);
2998 ASSERT_EQ(1, pairing_complete_count());
2999 ASSERT_EQ(1, security_callback_count());
3000 EXPECT_NE(ToResult(HostError::kTimedOut), pairing_complete_status());
3001 EXPECT_NE(ToResult(HostError::kTimedOut), security_status());
3002 }
3003
TEST_F(InitiatorPairingTest,AbortStopsPairingTimer)3004 TEST_F(InitiatorPairingTest, AbortStopsPairingTimer) {
3005 UpgradeSecurity(SecurityLevel::kEncrypted);
3006 RunUntilIdle();
3007 ASSERT_EQ(1, pairing_request_count());
3008 pairing()->Abort();
3009 // Calling Abort should stop the pairing procedure and the timer.
3010 ASSERT_EQ(1, pairing_complete_count());
3011 ASSERT_EQ(1, security_callback_count());
3012 // Run the loop for a time that would cause a timeout if a timer were active.
3013 RunFor(kPairingTimeout * 2);
3014 ASSERT_EQ(1, pairing_complete_count());
3015 ASSERT_EQ(1, security_callback_count());
3016 EXPECT_NE(ToResult(HostError::kTimedOut), pairing_complete_status());
3017 EXPECT_NE(ToResult(HostError::kTimedOut), security_status());
3018 }
3019
TEST_F(InitiatorPairingTest,ResetStopsPairingTimer)3020 TEST_F(InitiatorPairingTest, ResetStopsPairingTimer) {
3021 UpgradeSecurity(SecurityLevel::kEncrypted);
3022 RunUntilIdle();
3023 ASSERT_EQ(1, pairing_request_count());
3024 pairing()->Reset(IOCapability::kDisplayYesNo);
3025 // Resetting the pairing aborts the current procedure.
3026 ASSERT_EQ(1, pairing_complete_count());
3027 ASSERT_EQ(1, security_callback_count());
3028 // Run the loop for a time that would cause a timeout if a timer were active.
3029 RunFor(kPairingTimeout * 2);
3030 ASSERT_EQ(1, pairing_complete_count());
3031 ASSERT_EQ(1, security_callback_count());
3032 EXPECT_NE(ToResult(HostError::kTimedOut), pairing_complete_status());
3033 EXPECT_NE(ToResult(HostError::kTimedOut), security_status());
3034 }
3035
TEST_F(InitiatorPairingTest,SendingMessageRestartsTimer)3036 TEST_F(InitiatorPairingTest, SendingMessageRestartsTimer) {
3037 // SM will send the Pairing Request, which is special-cased to "reset and
3038 // start" the pairing timer (v5.2 Vol. 3 Part H 3.4), and thus not under test
3039 // here.
3040 UpgradeSecurity(SecurityLevel::kEncrypted);
3041 RunUntilIdle();
3042 ASSERT_EQ(1, pairing_request_count());
3043 // Run the loop until the pairing timeout has almost expired.
3044 RunFor(kPairingTimeout - pw::chrono::SystemClock::duration(1));
3045 // Receive the not special-cased Pairing Response, which should trigger SM to
3046 // send the also not special-cased Pairing Confirm.
3047 ReceivePairingFeatures();
3048 // Run the loop for 1 more second, which would timeout if the timer had not
3049 // been reset.
3050 RunFor(pw::chrono::SystemClock::duration(1));
3051 // The timeout should not have triggered, so there should be no notification
3052 // of pairing failure.
3053 ASSERT_EQ(0, pairing_complete_count());
3054 ASSERT_EQ(0, security_callback_count());
3055 // Verify that the timer is in fact still active; without receiving further
3056 // messages, the timeout should trigger.
3057 RunFor(kPairingTimeout);
3058 ASSERT_EQ(1, pairing_complete_count());
3059 ASSERT_EQ(1, security_callback_count());
3060 EXPECT_EQ(ToResult(HostError::kTimedOut), pairing_complete_status());
3061 EXPECT_EQ(ToResult(HostError::kTimedOut), security_status());
3062 }
3063
TEST_F(InitiatorPairingTest,ModifyAssignedLinkLtkBeforeSecurityRequestCausesDisconnect)3064 TEST_F(InitiatorPairingTest,
3065 ModifyAssignedLinkLtkBeforeSecurityRequestCausesDisconnect) {
3066 SecurityProperties sec_props(
3067 SecurityLevel::kAuthenticated, 16, /*secure_connections=*/false);
3068 const LTK kOriginalLtk(sec_props, hci_spec::LinkKey({1}, 2, 3));
3069 const hci_spec::LinkKey kModifiedLtk(hci_spec::LinkKey({4}, 5, 6));
3070
3071 EXPECT_TRUE(pairing()->AssignLongTermKey(kOriginalLtk));
3072 fake_link()->set_ltk(kModifiedLtk);
3073 // When we receive the Security Request on a bonded (i.e. AssignLongTermKey
3074 // has been called) connection, we will refresh the encryption key. This
3075 // checks that the link LTK = the SMP LTK which is not the case.
3076 ReceiveSecurityRequest(AuthReqField{0});
3077 RunUntilIdle();
3078 ASSERT_TRUE(fake_chan()->link_error());
3079 ASSERT_EQ(1, auth_failure_callback_count());
3080 ASSERT_EQ(ToResult(pw::bluetooth::emboss::StatusCode::PIN_OR_KEY_MISSING),
3081 auth_failure_status());
3082 }
3083
TEST_F(ResponderPairingTest,SuccessfulPairAfterResetInProgressPairing)3084 TEST_F(ResponderPairingTest, SuccessfulPairAfterResetInProgressPairing) {
3085 ReceivePairingRequest();
3086 RunUntilIdle();
3087 // At this point, we expect to have completed Phase 1, and pairing should
3088 // still be in progress.
3089 EXPECT_EQ(1, pairing_response_count());
3090
3091 pairing()->Abort();
3092 RunUntilIdle();
3093 // Pairing should have failed and ended.
3094 EXPECT_EQ(1, pairing_failed_count());
3095 EXPECT_EQ(1, pairing_complete_count());
3096
3097 // Verify that the next pairing request is properly handled
3098 ReceivePairingRequest();
3099 RunUntilIdle();
3100 // At this point, we expect to have completed Phase 1, and pairing should
3101 // still be in progress.
3102 EXPECT_EQ(2, pairing_response_count());
3103 }
3104
TEST_F(ResponderPairingTest,SecurityRequestCausesPairing)3105 TEST_F(ResponderPairingTest, SecurityRequestCausesPairing) {
3106 UpgradeSecurity(SecurityLevel::kEncrypted);
3107 RunUntilIdle();
3108 AuthReqField expected_auth_req = AuthReq::kBondingFlag;
3109 EXPECT_EQ(1, security_request_count());
3110 EXPECT_EQ(expected_auth_req, security_request_payload());
3111 UInt128 ltk_bytes;
3112 FastForwardToPhase3(<k_bytes, /*secure_connections=*/true);
3113 // Pairing should have succeeded
3114 EXPECT_EQ(0, pairing_failed_count());
3115 EXPECT_EQ(1, security_callback_count());
3116 EXPECT_EQ(1, pairing_complete_count());
3117 EXPECT_EQ(fit::ok(), security_status());
3118 EXPECT_EQ(security_status(), pairing_complete_status());
3119
3120 // LTK should have been assigned to the link.
3121 hci_spec::LinkKey kExpectedLinkKey(ltk_bytes, 0, 0);
3122 ASSERT_TRUE(fake_link()->ltk());
3123 EXPECT_EQ(kExpectedLinkKey, fake_link()->ltk());
3124
3125 EXPECT_EQ(SecurityLevel::kEncrypted, sec_props().level());
3126 EXPECT_EQ(16u, sec_props().enc_key_size());
3127 EXPECT_TRUE(sec_props().secure_connections());
3128
3129 // Should have notified the LTK.
3130 EXPECT_EQ(1, pairing_data_callback_count());
3131 ASSERT_TRUE(local_ltk());
3132 EXPECT_EQ(sec_props(), local_ltk()->security());
3133 EXPECT_EQ(kExpectedLinkKey, local_ltk()->key());
3134 }
3135
TEST_F(ResponderPairingTest,SecurityRequestWithExistingLtk)3136 TEST_F(ResponderPairingTest, SecurityRequestWithExistingLtk) {
3137 const SecurityProperties kProps(SecurityLevel::kAuthenticated,
3138 kMaxEncryptionKeySize,
3139 /*secure_connections=*/true);
3140 const LTK kLtk(kProps, hci_spec::LinkKey({1, 2, 3}, 0, 0));
3141 // This pretends that we have an already-bonded LTK.
3142 pairing()->AssignLongTermKey(kLtk);
3143 // LTK should have been assigned to the link.
3144 ASSERT_TRUE(fake_link()->ltk());
3145 EXPECT_EQ(kLtk.key(), fake_link()->ltk());
3146
3147 // Make the Security Upgrade request
3148 UpgradeSecurity(SecurityLevel::kAuthenticated);
3149 RunUntilIdle();
3150 AuthReqField expected_auth_req = AuthReq::kBondingFlag | AuthReq::kMITM;
3151 EXPECT_EQ(1, security_request_count());
3152 EXPECT_EQ(expected_auth_req, security_request_payload());
3153 fake_link()->TriggerEncryptionChangeCallback(fit::ok(/*enabled=*/true));
3154
3155 // Security should be upgraded.
3156 EXPECT_EQ(1, security_callback_count());
3157 EXPECT_EQ(fit::ok(), security_status());
3158 EXPECT_EQ(kProps.level(), sec_props().level());
3159 EXPECT_EQ(16u, sec_props().enc_key_size());
3160 EXPECT_TRUE(sec_props().secure_connections());
3161
3162 // No pairing should have taken place - we had an already-bonded LTK.
3163 EXPECT_EQ(0, pairing_failed_count());
3164 EXPECT_EQ(0, pairing_complete_count());
3165 EXPECT_EQ(0, pairing_data_callback_count());
3166 }
3167
TEST_F(ResponderPairingTest,SecurityRequestInitiatorEncryptsWithInsufficientSecurityLtk)3168 TEST_F(ResponderPairingTest,
3169 SecurityRequestInitiatorEncryptsWithInsufficientSecurityLtk) {
3170 const SecurityProperties kProps(SecurityLevel::kEncrypted,
3171 kMaxEncryptionKeySize,
3172 /*secure_connections=*/true);
3173 const LTK kLtk(kProps, hci_spec::LinkKey({1, 2, 3}, 0, 0));
3174 // This pretends that we have an already-bonded LTK with kEncrypted security
3175 // level.
3176 pairing()->AssignLongTermKey(kLtk);
3177 // LTK should have been assigned to the link.
3178 ASSERT_TRUE(fake_link()->ltk());
3179 EXPECT_EQ(kLtk.key(), fake_link()->ltk());
3180
3181 // Make a security request for authenticated security
3182 UpgradeSecurity(SecurityLevel::kAuthenticated);
3183 RunUntilIdle();
3184 AuthReqField expected_auth_req = AuthReq::kBondingFlag | AuthReq::kMITM;
3185 EXPECT_EQ(1, security_request_count());
3186 EXPECT_EQ(expected_auth_req, security_request_payload());
3187
3188 // Pretend the SMP initiator started encryption with the bonded LTK of
3189 // SecurityLevel::kEncrypted.
3190 fake_link()->TriggerEncryptionChangeCallback(fit::ok(/*enabled=*/true));
3191
3192 // If the peer responds to our MITM security request by encrypting with an
3193 // unauthenticated key, they stored the LTK/handle security request
3194 // incorrectly - either way, disconnect the link.
3195 ASSERT_TRUE(fake_chan()->link_error());
3196 }
3197
TEST_F(ResponderPairingTest,AuthenticatedSecurityRequestWithInsufficientIoCapRejected)3198 TEST_F(ResponderPairingTest,
3199 AuthenticatedSecurityRequestWithInsufficientIoCapRejected) {
3200 SetUpSecurityManager(IOCapability::kNoInputNoOutput);
3201 // Make a security request for authenticated security
3202 UpgradeSecurity(SecurityLevel::kAuthenticated);
3203 RunUntilIdle();
3204 // The security callback should have been rejected w/o sending any messages,
3205 // as our IOCap cannot perform authenticated pairing.
3206 EXPECT_EQ(0, security_request_count());
3207 EXPECT_EQ(1, security_callback_count());
3208 EXPECT_EQ(ToResult(ErrorCode::kAuthenticationRequirements),
3209 security_status());
3210 EXPECT_EQ(SecurityLevel::kNoSecurity, sec_props().level());
3211 }
3212
TEST_F(ResponderPairingTest,HandlesMultipleSecurityRequestsCorrectly)3213 TEST_F(ResponderPairingTest, HandlesMultipleSecurityRequestsCorrectly) {
3214 // Make a security request for encrypted security
3215 UpgradeSecurity(SecurityLevel::kEncrypted);
3216 RunUntilIdle();
3217 AuthReqField expected_auth_req = AuthReq::kBondingFlag;
3218 EXPECT_EQ(1, security_request_count());
3219 EXPECT_EQ(expected_auth_req, security_request_payload());
3220
3221 // Making another security request, this time for authenticated security,
3222 // while the first is still pending should not cause another Security Request
3223 // message to be sent.
3224 UpgradeSecurity(SecurityLevel::kAuthenticated);
3225 RunUntilIdle();
3226 EXPECT_EQ(1, security_request_count());
3227
3228 // Handle the first Security Request
3229 UInt128 ltk_bytes;
3230 FastForwardToPhase3(
3231 <k_bytes, /*secure_connections=*/true, SecurityLevel::kEncrypted);
3232 // Pairing should have succeeded
3233 EXPECT_EQ(0, pairing_failed_count());
3234 EXPECT_EQ(1, security_callback_count());
3235 EXPECT_EQ(1, pairing_complete_count());
3236 EXPECT_EQ(fit::ok(), security_status());
3237 EXPECT_EQ(security_status(), pairing_complete_status());
3238
3239 EXPECT_EQ(SecurityLevel::kEncrypted, sec_props().level());
3240
3241 // Should have notified the LTK.
3242 EXPECT_EQ(1, pairing_data_callback_count());
3243 ASSERT_TRUE(local_ltk());
3244 EXPECT_EQ(sec_props(), local_ltk()->security());
3245 EXPECT_EQ(ltk_bytes, local_ltk()->key().value());
3246
3247 // After the first pairing satisfied the kEncrypted Security Request, the
3248 // pending kAuthenticated Security Request should have been sent immediately.
3249 EXPECT_EQ(2, security_request_count());
3250 }
3251
TEST_F(ResponderPairingTest,ReceiveSecondPairingRequestWhilePairing)3252 TEST_F(ResponderPairingTest, ReceiveSecondPairingRequestWhilePairing) {
3253 ReceivePairingRequest();
3254 RunUntilIdle();
3255
3256 // We should have sent a pairing response and should now be in Phase 2,
3257 // waiting for the peer to send us Mconfirm.
3258 EXPECT_EQ(0, pairing_request_count());
3259 EXPECT_EQ(1, pairing_response_count());
3260 EXPECT_EQ(0, pairing_confirm_count());
3261 EXPECT_EQ(0, pairing_random_count());
3262 EXPECT_EQ(0, pairing_failed_count());
3263 EXPECT_EQ(0, security_callback_count());
3264 EXPECT_EQ(0, pairing_complete_count());
3265
3266 // This should cause pairing to be aborted.
3267 ReceivePairingRequest();
3268 RunUntilIdle();
3269 EXPECT_EQ(0, pairing_request_count());
3270 // We will abort the second pairing request without responding if we're
3271 // already in progress
3272 EXPECT_EQ(1, pairing_response_count());
3273 EXPECT_EQ(0, pairing_confirm_count());
3274 EXPECT_EQ(0, pairing_random_count());
3275 EXPECT_EQ(1, pairing_failed_count());
3276 EXPECT_EQ(0, security_callback_count());
3277 EXPECT_EQ(1, pairing_complete_count());
3278 ASSERT_EQ(ErrorCode::kUnspecifiedReason, received_error_code());
3279 EXPECT_EQ(ToResult(received_error_code().value()), pairing_complete_status());
3280 }
3281
TEST_F(ResponderPairingTest,ReceiveConfirmValueWhileWaitingForTK)3282 TEST_F(ResponderPairingTest, ReceiveConfirmValueWhileWaitingForTK) {
3283 bool tk_requested = false;
3284 ConfirmCallback respond;
3285 set_confirm_delegate([&](ConfirmCallback cb) {
3286 tk_requested = true;
3287 respond = std::move(cb);
3288 });
3289
3290 ReceivePairingRequest();
3291 RunUntilIdle();
3292 ASSERT_TRUE(tk_requested);
3293
3294 UInt128 confirm;
3295 ReceivePairingConfirm(confirm);
3296 RunUntilIdle();
3297
3298 // Pairing should still be in progress without sending out any packets.
3299 EXPECT_EQ(0, pairing_confirm_count());
3300 EXPECT_EQ(0, pairing_random_count());
3301 EXPECT_EQ(0, pairing_failed_count());
3302 EXPECT_EQ(0, security_callback_count());
3303 EXPECT_EQ(0, pairing_complete_count());
3304
3305 // Respond with the TK. This should cause us to send Sconfirm.
3306 respond(true);
3307 RunUntilIdle();
3308 EXPECT_EQ(1, pairing_confirm_count());
3309 EXPECT_EQ(0, pairing_random_count());
3310 EXPECT_EQ(0, pairing_failed_count());
3311 EXPECT_EQ(0, security_callback_count());
3312 EXPECT_EQ(0, pairing_complete_count());
3313 }
3314
TEST_F(ResponderPairingTest,LegacyPhase2ReceivePairingRandomInWrongOrder)3315 TEST_F(ResponderPairingTest, LegacyPhase2ReceivePairingRandomInWrongOrder) {
3316 ReceivePairingRequest();
3317 RunUntilIdle();
3318
3319 // We should have sent a pairing response and should now be in Phase 2,
3320 // waiting for the peer to send us Mconfirm.
3321 EXPECT_EQ(0, pairing_request_count());
3322 EXPECT_EQ(1, pairing_response_count());
3323 EXPECT_EQ(0, pairing_confirm_count());
3324 EXPECT_EQ(0, pairing_random_count());
3325 EXPECT_EQ(0, pairing_failed_count());
3326 EXPECT_EQ(0, security_callback_count());
3327 EXPECT_EQ(0, pairing_complete_count());
3328
3329 // Peer sends Mrand before Mconfirm.
3330 UInt128 random;
3331 ReceivePairingRandom(random);
3332 RunUntilIdle();
3333 EXPECT_EQ(0, pairing_request_count());
3334 EXPECT_EQ(1, pairing_response_count());
3335 EXPECT_EQ(0, pairing_confirm_count());
3336 EXPECT_EQ(0, pairing_random_count());
3337 EXPECT_EQ(1, pairing_failed_count());
3338 EXPECT_EQ(0, security_callback_count());
3339 EXPECT_EQ(1, pairing_complete_count());
3340 EXPECT_EQ(ErrorCode::kUnspecifiedReason, received_error_code());
3341 EXPECT_EQ(ToResult(ErrorCode::kUnspecifiedReason), pairing_complete_status());
3342 }
3343
TEST_F(ResponderPairingTest,LegacyPhase2MconfirmValueInvalid)3344 TEST_F(ResponderPairingTest, LegacyPhase2MconfirmValueInvalid) {
3345 ReceivePairingRequest();
3346 RunUntilIdle();
3347
3348 // We should have sent a pairing response and should now be in Phase 2,
3349 // waiting for the peer to send us Mconfirm.
3350 EXPECT_EQ(0, pairing_request_count());
3351 EXPECT_EQ(1, pairing_response_count());
3352 EXPECT_EQ(0, pairing_confirm_count());
3353 EXPECT_EQ(0, pairing_random_count());
3354 EXPECT_EQ(0, pairing_failed_count());
3355 EXPECT_EQ(0, security_callback_count());
3356 EXPECT_EQ(0, pairing_complete_count());
3357
3358 // Set up values that don't match.
3359 UInt128 confirm, random;
3360 confirm.fill(0);
3361 random.fill(1);
3362
3363 ReceivePairingConfirm(confirm);
3364 RunUntilIdle();
3365
3366 // We should have sent Sconfirm.
3367 EXPECT_EQ(0, pairing_request_count());
3368 EXPECT_EQ(1, pairing_response_count());
3369 EXPECT_EQ(1, pairing_confirm_count());
3370 EXPECT_EQ(0, pairing_random_count());
3371 EXPECT_EQ(0, pairing_failed_count());
3372 EXPECT_EQ(0, security_callback_count());
3373 EXPECT_EQ(0, pairing_complete_count());
3374
3375 // Peer sends Mrand that doesn't match. We should reject the pairing
3376 // without sending Srand.
3377 ReceivePairingRandom(random);
3378 RunUntilIdle();
3379 EXPECT_EQ(0, pairing_request_count());
3380 EXPECT_EQ(1, pairing_response_count());
3381 EXPECT_EQ(1, pairing_confirm_count());
3382 EXPECT_EQ(0, pairing_random_count());
3383 EXPECT_EQ(1, pairing_failed_count());
3384 EXPECT_EQ(0, security_callback_count());
3385 EXPECT_EQ(1, pairing_complete_count());
3386 EXPECT_EQ(ErrorCode::kConfirmValueFailed, received_error_code());
3387 EXPECT_EQ(ToResult(ErrorCode::kConfirmValueFailed),
3388 pairing_complete_status());
3389 }
3390
TEST_F(ResponderPairingTest,LegacyPhase2ConfirmValuesExchanged)3391 TEST_F(ResponderPairingTest, LegacyPhase2ConfirmValuesExchanged) {
3392 ReceivePairingRequest();
3393 RunUntilIdle();
3394
3395 // We should have sent a pairing response and should now be in Phase 2,
3396 // waiting for the peer to send us Mconfirm.
3397 EXPECT_EQ(0, pairing_request_count());
3398 EXPECT_EQ(1, pairing_response_count());
3399 EXPECT_EQ(0, pairing_confirm_count());
3400 EXPECT_EQ(0, pairing_random_count());
3401 EXPECT_EQ(0, pairing_failed_count());
3402 EXPECT_EQ(0, security_callback_count());
3403 EXPECT_EQ(0, pairing_complete_count());
3404
3405 // Set up Sconfirm and Srand values that match.
3406 UInt128 confirm, random;
3407 GenerateMatchingLegacyConfirmAndRandom(&confirm, &random);
3408
3409 // Peer sends Mconfirm.
3410 ReceivePairingConfirm(confirm);
3411 RunUntilIdle();
3412
3413 // We should have sent Sconfirm.
3414 EXPECT_EQ(0, pairing_request_count());
3415 EXPECT_EQ(1, pairing_response_count());
3416 EXPECT_EQ(1, pairing_confirm_count());
3417 EXPECT_EQ(0, pairing_random_count());
3418 EXPECT_EQ(0, pairing_failed_count());
3419 EXPECT_EQ(0, security_callback_count());
3420 EXPECT_EQ(0, pairing_complete_count());
3421
3422 // Peer sends Mrand.
3423 ReceivePairingRandom(random);
3424 RunUntilIdle();
3425
3426 // We should have sent Srand.
3427 EXPECT_EQ(0, pairing_request_count());
3428 EXPECT_EQ(1, pairing_response_count());
3429 EXPECT_EQ(1, pairing_confirm_count());
3430 EXPECT_EQ(1, pairing_random_count());
3431 EXPECT_EQ(0, pairing_failed_count());
3432 EXPECT_EQ(0, security_callback_count());
3433 EXPECT_EQ(0, pairing_complete_count());
3434
3435 // Sconfirm/Srand values we sent should be correct.
3436 UInt128 expected_confirm;
3437 GenerateLegacyConfirmValue(
3438 pairing_random(), &expected_confirm, /*peer_initiator=*/true);
3439 EXPECT_EQ(expected_confirm, pairing_confirm());
3440 }
3441
TEST_F(ResponderPairingTest,LegacyPhase3LocalLTKDistributionNoRemoteKeys)3442 TEST_F(ResponderPairingTest, LegacyPhase3LocalLTKDistributionNoRemoteKeys) {
3443 EXPECT_EQ(0, enc_info_count());
3444 EXPECT_EQ(0, central_ident_count());
3445
3446 UInt128 stk;
3447 KeyDistGenField remote_keys{0}, local_keys{KeyDistGen::kEncKey};
3448 FastForwardToPhase3(&stk,
3449 /*secure_connections=*/false,
3450 SecurityLevel::kEncrypted,
3451 remote_keys,
3452 local_keys);
3453
3454 // Local LTK, EDiv, and Rand should be sent to the peer.
3455 EXPECT_EQ(1, enc_info_count());
3456 EXPECT_EQ(1, central_ident_count());
3457 ASSERT_TRUE(fake_link()->ltk());
3458 EXPECT_EQ(enc_info(), fake_link()->ltk()->value());
3459 EXPECT_EQ(ediv(), fake_link()->ltk()->ediv());
3460 EXPECT_EQ(rand(), fake_link()->ltk()->rand());
3461
3462 // This LTK should be stored with the pairing data but the pairing callback
3463 // shouldn't be called because pairing wasn't initiated by UpgradeSecurity().
3464 EXPECT_EQ(0, pairing_failed_count());
3465 EXPECT_EQ(0, security_callback_count());
3466
3467 // Pairing is considered complete when all keys have been distributed even if
3468 // we're still encrypted with the STK. This is because the initiator may not
3469 // always re-encrypt the link with the LTK until a reconnection.
3470 EXPECT_EQ(1, pairing_data_callback_count());
3471
3472 // Nonetheless the link should have been assigned the LTK.
3473 ASSERT_TRUE(pairing_data().local_ltk.has_value());
3474 EXPECT_EQ(fake_link()->ltk(), pairing_data().local_ltk->key());
3475
3476 // Make sure that an encryption change has no effect.
3477 fake_link()->TriggerEncryptionChangeCallback(fit::ok(/*enabled=*/true));
3478 RunUntilIdle();
3479 EXPECT_EQ(1, pairing_data_callback_count());
3480
3481 // No additional security property update should have been sent since the STK
3482 // and LTK have the same properties.
3483 EXPECT_EQ(1, new_sec_props_count());
3484 }
3485
TEST_F(ResponderPairingTest,LegacyPhase3LocalLTKDistributionWithRemoteKeys)3486 TEST_F(ResponderPairingTest, LegacyPhase3LocalLTKDistributionWithRemoteKeys) {
3487 EXPECT_EQ(0, enc_info_count());
3488 EXPECT_EQ(0, central_ident_count());
3489
3490 UInt128 stk;
3491 FastForwardToPhase3(&stk,
3492 /*secure_connections=*/false,
3493 SecurityLevel::kEncrypted,
3494 KeyDistGen::kIdKey, // remote keys
3495 KeyDistGen::kEncKey); // local keys
3496
3497 // Local LTK, EDiv, and Rand should be sent to the peer - we don't assign the
3498 // new LTK to the link until pairing is complete.
3499 EXPECT_EQ(1, enc_info_count());
3500 EXPECT_EQ(1, central_ident_count());
3501
3502 // No local identity information should have been sent.
3503 EXPECT_EQ(0, id_info_count());
3504 EXPECT_EQ(0, id_addr_info_count());
3505
3506 // This LTK should be stored with the pairing data but the pairing callback
3507 // shouldn't be called because pairing wasn't initiated by UpgradeSecurity().
3508 EXPECT_EQ(0, pairing_failed_count());
3509 EXPECT_EQ(0, security_callback_count());
3510
3511 // Still waiting for initiator's keys.
3512 EXPECT_EQ(0, pairing_data_callback_count());
3513
3514 const auto kIrk = Random<UInt128>();
3515 ReceiveIdentityResolvingKey(kIrk);
3516 ReceiveIdentityAddress(kPeerAddr);
3517 RunUntilIdle();
3518
3519 // Pairing is considered complete when all keys have been distributed even if
3520 // we're still encrypted with the STK. This is because the initiator may not
3521 // always re-encrypt the link with the LTK until a reconnection.
3522 EXPECT_EQ(1, pairing_data_callback_count());
3523
3524 // The peer should have sent us its identity information.
3525 ASSERT_TRUE(pairing_data().irk);
3526 EXPECT_EQ(kIrk, pairing_data().irk->value());
3527 ASSERT_TRUE(pairing_data().identity_address);
3528 EXPECT_EQ(kPeerAddr, *pairing_data().identity_address);
3529
3530 // Nonetheless the link should have been assigned the LTK.
3531 ASSERT_TRUE(pairing_data().local_ltk.has_value());
3532 EXPECT_EQ(fake_link()->ltk(), pairing_data().local_ltk->key());
3533 }
3534
3535 // Locally generated ltk length should match max key length specified
TEST_F(ResponderPairingTest,LegacyPhase3LocalLTKMaxLength)3536 TEST_F(ResponderPairingTest, LegacyPhase3LocalLTKMaxLength) {
3537 EXPECT_EQ(0, enc_info_count());
3538 EXPECT_EQ(0, central_ident_count());
3539
3540 UInt128 stk;
3541 uint16_t max_key_size = 7;
3542
3543 FastForwardToPhase3(&stk,
3544 /*secure_connections=*/false,
3545 SecurityLevel::kEncrypted,
3546 0u, // remote keys
3547 KeyDistGen::kEncKey, // local keys
3548 max_key_size);
3549
3550 // Local LTK, EDiv, and Rand should be sent to the peer.
3551 EXPECT_EQ(1, enc_info_count());
3552 EXPECT_EQ(1, central_ident_count());
3553 ASSERT_TRUE(fake_link()->ltk());
3554 EXPECT_EQ(enc_info(), fake_link()->ltk()->value());
3555 EXPECT_EQ(ediv(), fake_link()->ltk()->ediv());
3556 EXPECT_EQ(rand(), fake_link()->ltk()->rand());
3557
3558 // This LTK should be stored with the pairing data but the pairing callback
3559 // shouldn't be called because pairing wasn't initiated by UpgradeSecurity().
3560 EXPECT_EQ(0, pairing_failed_count());
3561 EXPECT_EQ(0, security_callback_count());
3562
3563 // Pairing is considered complete when all keys have been distributed even if
3564 // we're still encrypted with the STK. This is because the initiator may not
3565 // always re-encrypt the link with the LTK until a reconnection.
3566 EXPECT_EQ(1, pairing_data_callback_count());
3567
3568 // The link should have been assigned the LTK.
3569 ASSERT_TRUE(pairing_data().local_ltk.has_value());
3570 EXPECT_EQ(fake_link()->ltk(), pairing_data().local_ltk->key());
3571
3572 // Ensure that most significant (16 - max_key_size) bytes are zero. The key
3573 // should be generated up to the max_key_size.
3574 auto ltk = pairing_data().local_ltk->key().value();
3575 for (auto i = max_key_size; i < ltk.size(); i++) {
3576 EXPECT_TRUE(ltk[i] == 0);
3577 }
3578 }
3579
TEST_F(ResponderPairingTest,LegacyPhase3ReceiveInitiatorEncKey)3580 TEST_F(ResponderPairingTest, LegacyPhase3ReceiveInitiatorEncKey) {
3581 UInt128 stk;
3582 KeyDistGenField remote_keys{KeyDistGen::kEncKey}, local_keys{0u};
3583 FastForwardToPhase3(&stk,
3584 /*secure_connections=*/false,
3585 SecurityLevel::kEncrypted,
3586 remote_keys,
3587 local_keys);
3588
3589 const uint64_t kRand = 5;
3590 const uint16_t kEDiv = 20;
3591 const hci_spec::LinkKey kLTK(
3592 {1, 2, 3, 4, 5, 6, 7, 8, 7, 6, 5, 4, 3, 2, 1, 0}, kRand, kEDiv);
3593
3594 ReceiveEncryptionInformation(kLTK.value());
3595 ReceiveCentralIdentification(kRand, kEDiv);
3596 RunUntilIdle();
3597
3598 // Pairing should have succeeded.
3599 EXPECT_EQ(0, pairing_failed_count());
3600 EXPECT_EQ(1, pairing_complete_count());
3601 EXPECT_EQ(fit::ok(), security_status());
3602 EXPECT_EQ(security_status(), pairing_complete_status());
3603
3604 // No pairing callbacks needed as this is a peer-initiated pairing.
3605 EXPECT_EQ(0, security_callback_count());
3606
3607 // Only the STK should be assigned to the link, as the distributed LTK was
3608 // initiator-generated. This means it can only be used to encrypt future
3609 // connections where the roles are reversed.
3610 EXPECT_EQ(stk, fake_link()->ltk()->value());
3611
3612 // Should have been called at least once to determine local identity
3613 // availability.
3614 EXPECT_NE(0, local_id_info_callback_count());
3615
3616 // Should have notified pairing data callback with the LTK.
3617 EXPECT_EQ(1, pairing_data_callback_count());
3618 ASSERT_TRUE(peer_ltk());
3619
3620 // LTK received OTA should match what we notified the pairing data callback
3621 // with.
3622 EXPECT_EQ(kLTK, peer_ltk()->key());
3623 }
3624
TEST_F(ResponderPairingTest,LegacyPhase3LocalIdKeyDistributionWithRemoteKeys)3625 TEST_F(ResponderPairingTest, LegacyPhase3LocalIdKeyDistributionWithRemoteKeys) {
3626 IdentityInfo local_id_info;
3627 local_id_info.irk = UInt128{{1, 2, 3, 4, 5, 6, 7, 8, 7, 6, 5, 4, 3, 2, 1, 0}};
3628 local_id_info.address = kLocalAddr;
3629 set_local_id_info(local_id_info);
3630
3631 EXPECT_EQ(0, enc_info_count());
3632 EXPECT_EQ(0, central_ident_count());
3633
3634 UInt128 stk;
3635 FastForwardToPhase3(&stk,
3636 /*secure_connections=*/false,
3637 SecurityLevel::kEncrypted,
3638 KeyDistGen::kIdKey, // remote keys
3639 KeyDistGen::kIdKey); // local keys
3640
3641 // No local LTK, EDiv, and Rand should be sent to the peer.
3642 EXPECT_EQ(0, enc_info_count());
3643 EXPECT_EQ(0, central_ident_count());
3644
3645 // Local identity information should have been sent.
3646 EXPECT_EQ(1, id_info_count());
3647 EXPECT_EQ(local_id_info.irk, id_info());
3648 EXPECT_EQ(1, id_addr_info_count());
3649 EXPECT_EQ(local_id_info.address, id_addr_info());
3650
3651 // Still waiting for initiator's keys.
3652 EXPECT_EQ(0, pairing_data_callback_count());
3653
3654 const auto kIrk = Random<UInt128>();
3655 ReceiveIdentityResolvingKey(kIrk);
3656 ReceiveIdentityAddress(kPeerAddr);
3657 RunUntilIdle();
3658
3659 // Pairing is considered complete when all keys have been distributed even if
3660 // we're still encrypted with the STK. This is because the initiator may not
3661 // always re-encrypt the link with the LTK until a reconnection.
3662 EXPECT_EQ(1, pairing_data_callback_count());
3663
3664 // The peer should have sent us its identity information.
3665 ASSERT_TRUE(pairing_data().irk);
3666 EXPECT_EQ(kIrk, pairing_data().irk->value());
3667 ASSERT_TRUE(pairing_data().identity_address);
3668 EXPECT_EQ(kPeerAddr, *pairing_data().identity_address);
3669 }
3670
TEST_F(ResponderPairingTest,AssignLongTermKeyFailsDuringPairing)3671 TEST_F(ResponderPairingTest, AssignLongTermKeyFailsDuringPairing) {
3672 ReceivePairingRequest();
3673 RunUntilIdle();
3674 SecurityProperties sec_props(
3675 SecurityLevel::kAuthenticated, 16, /*secure_connections=*/false);
3676 EXPECT_FALSE(
3677 pairing()->AssignLongTermKey(LTK(sec_props, hci_spec::LinkKey())));
3678 EXPECT_EQ(0, fake_link()->start_encryption_count());
3679 EXPECT_EQ(SecurityLevel::kNoSecurity, pairing()->security().level());
3680 }
3681
TEST_F(ResponderPairingTest,AssignLongTermKey)3682 TEST_F(ResponderPairingTest, AssignLongTermKey) {
3683 SecurityProperties sec_props(
3684 SecurityLevel::kAuthenticated, 16, /*secure_connections=*/false);
3685 LTK ltk(sec_props, hci_spec::LinkKey());
3686
3687 EXPECT_TRUE(pairing()->AssignLongTermKey(ltk));
3688 ASSERT_TRUE(fake_link()->ltk());
3689 EXPECT_EQ(ltk.key(), *fake_link()->ltk());
3690
3691 // No encryption request should have been made as the initiator is expected to
3692 // do it.
3693 EXPECT_EQ(0, fake_link()->start_encryption_count());
3694
3695 // The link security level is not assigned until successful encryption.
3696 EXPECT_EQ(SecurityProperties(), pairing()->security());
3697 fake_link()->TriggerEncryptionChangeCallback(fit::ok(/*enabled=*/true));
3698 RunUntilIdle();
3699
3700 EXPECT_EQ(1, new_sec_props_count());
3701 EXPECT_EQ(sec_props, new_sec_props());
3702 EXPECT_EQ(sec_props, pairing()->security());
3703 }
3704
TEST_F(ResponderPairingTest,EncryptWithLinkKeyModifiedOutsideSmDisconnects)3705 TEST_F(ResponderPairingTest, EncryptWithLinkKeyModifiedOutsideSmDisconnects) {
3706 SecurityProperties sec_props(
3707 SecurityLevel::kAuthenticated, 16, /*secure_connections=*/false);
3708 const LTK kOriginalLtk(sec_props, hci_spec::LinkKey({1}, 2, 3));
3709 const hci_spec::LinkKey kModifiedLtk(hci_spec::LinkKey({4}, 5, 6));
3710
3711 EXPECT_TRUE(pairing()->AssignLongTermKey(kOriginalLtk));
3712 fake_link()->set_ltk(kModifiedLtk);
3713 fake_link()->TriggerEncryptionChangeCallback(fit::ok(/*enabled=*/true));
3714 RunUntilIdle();
3715 ASSERT_TRUE(fake_chan()->link_error());
3716 ASSERT_EQ(1, auth_failure_callback_count());
3717 ASSERT_EQ(ToResult(pw::bluetooth::emboss::StatusCode::PIN_OR_KEY_MISSING),
3718 auth_failure_status());
3719 }
3720
TEST_F(ResponderPairingTest,EncryptWithLinkKeyButNoSmLtkDisconnects)3721 TEST_F(ResponderPairingTest, EncryptWithLinkKeyButNoSmLtkDisconnects) {
3722 // The LE link LTK should always be assigned through SM, so while encryption
3723 // could succeed with a link LTK but no SM LTK, this is a violation of bt-host
3724 // assumptions and we will disconnect.
3725 fake_link()->set_ltk(hci_spec::LinkKey({1}, 2, 3));
3726 fake_link()->TriggerEncryptionChangeCallback(fit::ok(/*enabled=*/true));
3727 RunUntilIdle();
3728 ASSERT_TRUE(fake_chan()->link_error());
3729 ASSERT_EQ(1, auth_failure_callback_count());
3730 ASSERT_EQ(ToResult(pw::bluetooth::emboss::StatusCode::PIN_OR_KEY_MISSING),
3731 auth_failure_status());
3732 }
3733
3734 // As responder, we reject security requests, as the initiator should never send
3735 // them.
TEST_F(ResponderPairingTest,RejectSecurityRequest)3736 TEST_F(ResponderPairingTest, RejectSecurityRequest) {
3737 ReceiveSecurityRequest();
3738 EXPECT_EQ(1, pairing_failed_count());
3739 EXPECT_EQ(ErrorCode::kCommandNotSupported, received_error_code());
3740
3741 // Run for the full pairing timeout to ensure we do not timeout due to sending
3742 // a message.
3743 RunFor(kPairingTimeout + std::chrono::seconds(1));
3744 EXPECT_EQ(0, pairing_request_count());
3745 EXPECT_EQ(0, fake_link()->start_encryption_count());
3746 EXPECT_EQ(1, pairing_failed_count());
3747 }
3748
3749 // Test that LTK is generated and passed up to SecurityManager when both sides
3750 // request bonding
TEST_F(ResponderPairingTest,BothSidesRequestBondingLTKCreated)3751 TEST_F(ResponderPairingTest, BothSidesRequestBondingLTKCreated) {
3752 UInt128 stk;
3753 SetUpSecurityManager(IOCapability::kDisplayOnly);
3754 FastForwardToPhase3(&stk,
3755 /*secure_connections=*/false,
3756 SecurityLevel::kEncrypted,
3757 0u, // remote keys
3758 KeyDistGen::kEncKey, // local keys
3759 kMaxEncryptionKeySize,
3760 BondableMode::Bondable);
3761
3762 // The link should have been assigned the LTK.
3763 EXPECT_TRUE(pairing_data().local_ltk.has_value());
3764 }
3765
3766 // Test that LTK is not passed up to SecurityManager when local side requests
3767 // non-bondable mode and peer requests bondable mode.
TEST_F(ResponderPairingTest,LocalRequestsNonBondableNoLTKCreated)3768 TEST_F(ResponderPairingTest, LocalRequestsNonBondableNoLTKCreated) {
3769 UInt128 stk;
3770 SetUpSecurityManager(IOCapability::kDisplayOnly, BondableMode::NonBondable);
3771 FastForwardToPhase3(&stk,
3772 /*secure_connections=*/false,
3773 SecurityLevel::kEncrypted,
3774 0u, // remote keys
3775 KeyDistGen::kEncKey, // local keys
3776 kMaxEncryptionKeySize,
3777 BondableMode::Bondable);
3778
3779 // The link should not have been assigned the LTK.
3780 EXPECT_FALSE(pairing_data().local_ltk.has_value() ||
3781 pairing_data().peer_ltk.has_value());
3782 }
3783
3784 // Test that LTK is not passed up to SecurityManager when local side requests
3785 // bondable mode and peer requests non-bondable mode.
TEST_F(ResponderPairingTest,PeerRequestsNonBondableNoLTKCreated)3786 TEST_F(ResponderPairingTest, PeerRequestsNonBondableNoLTKCreated) {
3787 UInt128 stk;
3788 SetUpSecurityManager(IOCapability::kDisplayOnly, BondableMode::Bondable);
3789 FastForwardToPhase3(&stk,
3790 /*secure_connections=*/false,
3791 SecurityLevel::kEncrypted,
3792 0u, // remote keys
3793 0u, // local keys
3794 kMaxEncryptionKeySize,
3795 BondableMode::NonBondable);
3796
3797 // The link should not have been assigned the LTK.
3798 EXPECT_FALSE(pairing_data().local_ltk.has_value() ||
3799 pairing_data().peer_ltk.has_value());
3800 }
3801
3802 // Test that LTK is not generated and passed up to SecurityManager when both
3803 // sides request non-bondable mode.
TEST_F(ResponderPairingTest,BothSidesRequestNonBondableNoLTKCreated)3804 TEST_F(ResponderPairingTest, BothSidesRequestNonBondableNoLTKCreated) {
3805 UInt128 stk;
3806 SetUpSecurityManager(IOCapability::kDisplayOnly, BondableMode::NonBondable);
3807 FastForwardToPhase3(&stk,
3808 /*secure_connections=*/false,
3809 SecurityLevel::kEncrypted,
3810 0u, // remote keys
3811 0u, // local keys
3812 kMaxEncryptionKeySize,
3813 BondableMode::NonBondable);
3814
3815 // The link should not have been assigned the LTK.
3816 EXPECT_FALSE(pairing_data().local_ltk.has_value() ||
3817 pairing_data().peer_ltk.has_value());
3818 }
3819
TEST_F(ResponderPairingTest,PairingRequestStartsPairingTimer)3820 TEST_F(ResponderPairingTest, PairingRequestStartsPairingTimer) {
3821 ReceivePairingRequest();
3822 RunFor(kPairingTimeout);
3823 EXPECT_TRUE(fake_chan()->link_error());
3824 // Pairing should fail, but no callbacks should be notified because the
3825 // pairing was initiated remotely, not through UpgradeSecurity locally
3826 ASSERT_EQ(1, pairing_complete_count());
3827 EXPECT_EQ(ToResult(HostError::kTimedOut), pairing_complete_status());
3828 EXPECT_EQ(0, security_callback_count());
3829 }
3830
TEST_F(ResponderPairingTest,RejectUnauthenticatedPairingInSecureConnectionsOnlyMode)3831 TEST_F(ResponderPairingTest,
3832 RejectUnauthenticatedPairingInSecureConnectionsOnlyMode) {
3833 SetUpSecurityManager(IOCapability::kKeyboardDisplay);
3834 pairing()->set_security_mode(gap::LESecurityMode::SecureConnectionsOnly);
3835 // In SC Only mode, SM should translate this "encrypted" request into a MITM
3836 // requirement.
3837 UpgradeSecurity(SecurityLevel::kEncrypted);
3838 RunUntilIdle();
3839 EXPECT_EQ(1, security_request_count());
3840 EXPECT_EQ(AuthReq::kBondingFlag | AuthReq::kMITM | AuthReq::kSC,
3841 security_request_payload());
3842 // The peer has NoInputNoOutput IOCapabilities, thus cannot perform
3843 // authenticated pairing.
3844 ReceivePairingRequest(IOCapability::kNoInputNoOutput,
3845 AuthReq::kBondingFlag | AuthReq::kSC);
3846 RunUntilIdle();
3847
3848 EXPECT_EQ(1, pairing_failed_count());
3849 EXPECT_EQ(1, security_callback_count());
3850 EXPECT_EQ(ToResult(ErrorCode::kAuthenticationRequirements),
3851 security_status());
3852 EXPECT_EQ(1, pairing_complete_count());
3853 EXPECT_EQ(security_status(), pairing_complete_status());
3854 }
3855
TEST_F(ResponderPairingTest,RejectInsufficientKeySizeRequestInSecureConnectionsOnlyMode)3856 TEST_F(ResponderPairingTest,
3857 RejectInsufficientKeySizeRequestInSecureConnectionsOnlyMode) {
3858 SetUpSecurityManager(IOCapability::kKeyboardDisplay);
3859 pairing()->set_security_mode(gap::LESecurityMode::SecureConnectionsOnly);
3860 // The peer encryption key size is not kMaxEncryptionKeySize, thus does not
3861 // meet the Secure Connections Only requirements.
3862 ReceivePairingRequest(IOCapability::kDisplayYesNo,
3863 AuthReq::kBondingFlag | AuthReq::kSC,
3864 kMaxEncryptionKeySize - 1);
3865 RunUntilIdle();
3866
3867 EXPECT_EQ(1, pairing_failed_count());
3868 EXPECT_EQ(1, pairing_complete_count());
3869 EXPECT_EQ(ToResult(ErrorCode::kEncryptionKeySize), pairing_complete_status());
3870 }
3871
3872 // Tests that Secure Connections works as responder
TEST_F(ResponderPairingTest,SecureConnectionsWorks)3873 TEST_F(ResponderPairingTest, SecureConnectionsWorks) {
3874 // Must have DisplayYesNo IOC to generate Authenticated security per
3875 // kExpectedSecurity
3876 SetUpSecurityManager(IOCapability::kDisplayYesNo);
3877 UInt128 ltk_bytes;
3878 const SecurityProperties kExpectedSecurity(SecurityLevel::kAuthenticated,
3879 kMaxEncryptionKeySize,
3880 /*secure_connections=*/true);
3881 FastForwardToPhase3(
3882 <k_bytes, /*secure_connections=*/true, kExpectedSecurity.level());
3883
3884 const LTK kExpectedLtk(kExpectedSecurity, hci_spec::LinkKey(ltk_bytes, 0, 0));
3885 ASSERT_TRUE(fake_link()->ltk());
3886 EXPECT_EQ(kExpectedLtk.key(), fake_link()->ltk());
3887
3888 // Pairing should succeed with the LTK as the SC pairing is bondable, even
3889 // though no keys need to be distributed in Phase 3.
3890 EXPECT_EQ(1, pairing_data_callback_count());
3891 EXPECT_TRUE(local_ltk().has_value());
3892 EXPECT_EQ(kExpectedLtk, local_ltk());
3893 EXPECT_EQ(local_ltk(), peer_ltk());
3894 EXPECT_FALSE(irk());
3895 EXPECT_FALSE(identity());
3896 EXPECT_FALSE(csrk());
3897
3898 // Should have been called at least once to determine local identity
3899 // availability.
3900 EXPECT_NE(0, local_id_info_callback_count());
3901 // Pairing should complete successfully
3902 EXPECT_EQ(1, pairing_complete_count());
3903 EXPECT_EQ(0, pairing_failed_count());
3904 EXPECT_EQ(fit::ok(), pairing_complete_status());
3905
3906 // No callbacks are notified as the peer started this pairing, not a call to
3907 // UpgradeSecurity.
3908 EXPECT_EQ(0, security_callback_count());
3909 EXPECT_EQ(0, id_info_count());
3910 EXPECT_EQ(0, id_addr_info_count());
3911
3912 EXPECT_EQ(kExpectedSecurity, pairing()->security());
3913
3914 // The security properties should have been updated to match the LTK.
3915 EXPECT_EQ(1, new_sec_props_count());
3916 EXPECT_EQ(pairing()->security(), new_sec_props());
3917
3918 ASSERT_TRUE(fake_link()->ltk());
3919 }
3920 } // namespace
3921 } // namespace bt::sm
3922 // inclusive-language: enable
3923