Only allow BLE modes with MITM mitigations enabled, and require bonding

2025-01-26 22:37:13 -05:00 · 2024-09-30 13:50:06 +02:00 · 2024-09-30 13:50:06 +02:00 · a9a68d164e
commit a9a68d164e
parent dfd62f4d94
1 changed files with 78 additions and 12 deletions
--- a/Bluetooth.h
+++ b/Bluetooth.h
@ -170,6 +170,8 @@ char bt_devname[11];

  #elif HAS_BLE == true
    BLESecurity *ble_security = new BLESecurity();
+    bool ble_authenticated = false;
+    uint32_t pairing_pin = 0;

    void bt_flush() { if (bt_state == BT_STATE_CONNECTED) { SerialBT.flush(); } }

@ -181,6 +183,7 @@ char bt_devname[11];
    }

    void bt_passkey_notify_callback(uint32_t passkey) {
+      // Serial.printf("Got passkey notification: %d\n", passkey);
      bt_ssp_pin = passkey;
      bt_state = BT_STATE_PAIRING;
      bt_allow_pairing = true;
@ -188,33 +191,100 @@ char bt_devname[11];
      kiss_indicate_btpin();
    }

+    bool bt_confirm_pin_callback(uint32_t pin) {
+      // Serial.printf("Confirm PIN callback: %d\n", pin);
+      return true;
+    }
+
+    void bt_debond_all() {
+      // Serial.println("Debonding all");
+      int dev_num = esp_ble_get_bond_device_num();
+      esp_ble_bond_dev_t *dev_list = (esp_ble_bond_dev_t *)malloc(sizeof(esp_ble_bond_dev_t) * dev_num);
+      esp_ble_get_bond_device_list(&dev_num, dev_list);
+      for (int i = 0; i < dev_num; i++) { esp_ble_remove_bond_device(dev_list[i].bd_addr); }
+      free(dev_list);
+    }
+
+    void bt_update_passkey() {
+      // Serial.println("Updating passkey");
+      pairing_pin = random(899999)+100000;
+      bt_ssp_pin = pairing_pin;
+    }
+
    uint32_t bt_passkey_callback() {
-      uint32_t pairing_pin = random(899999)+100000;
+      // Serial.println("API passkey request");
+      if (pairing_pin == 0) { bt_update_passkey(); }
      return pairing_pin;
    }

+    bool bt_client_authenticated() {
+      return ble_authenticated;
+    }
+
+    void bt_security_setup() {
+      uint32_t passkey = bt_passkey_callback();
+
+      // Serial.printf("Executing BT security setup, passkey is %d\n", passkey);
+
+      uint8_t key_size = 16;
+      uint8_t init_key = ESP_BLE_ENC_KEY_MASK | ESP_BLE_ID_KEY_MASK;
+      uint8_t rsp_key = ESP_BLE_ENC_KEY_MASK | ESP_BLE_ID_KEY_MASK;
+
+      esp_ble_auth_req_t auth_req = ESP_LE_AUTH_REQ_SC_MITM_BOND;
+      uint8_t auth_option = ESP_BLE_ONLY_ACCEPT_SPECIFIED_AUTH_ENABLE;
+      uint8_t oob_support = ESP_BLE_OOB_DISABLE;
+
+      esp_ble_io_cap_t iocap = ESP_IO_CAP_OUT;
+
+      esp_ble_gap_set_security_param(ESP_BLE_SM_SET_STATIC_PASSKEY, &passkey, sizeof(uint32_t));
+      esp_ble_gap_set_security_param(ESP_BLE_SM_AUTHEN_REQ_MODE, &auth_req, sizeof(uint8_t));
+      esp_ble_gap_set_security_param(ESP_BLE_SM_IOCAP_MODE, &iocap, sizeof(uint8_t));
+      esp_ble_gap_set_security_param(ESP_BLE_SM_MAX_KEY_SIZE, &key_size, sizeof(uint8_t));
+      esp_ble_gap_set_security_param(ESP_BLE_SM_ONLY_ACCEPT_SPECIFIED_SEC_AUTH, &auth_option, sizeof(uint8_t));
+      esp_ble_gap_set_security_param(ESP_BLE_SM_OOB_SUPPORT, &oob_support, sizeof(uint8_t));
+      esp_ble_gap_set_security_param(ESP_BLE_SM_SET_INIT_KEY, &init_key, sizeof(uint8_t));
+      esp_ble_gap_set_security_param(ESP_BLE_SM_SET_RSP_KEY, &rsp_key, sizeof(uint8_t));
+    }
+
    bool bt_security_request_callback() {
-      return true;
+      if (bt_allow_pairing) {
+          // Serial.println("Accepting security request");
+          return true;
+        } else {
+          // Serial.println("Rejecting security request");
+          return false;
+        }
    }

    void bt_authentication_complete_callback(esp_ble_auth_cmpl_t auth_result) {
      if (auth_result.success == true) {
+        // Serial.println("Authentication success");
+        ble_authenticated = true;
        bt_state = BT_STATE_CONNECTED;
      } else {
+        // Serial.println("Authentication fail");
+        ble_authenticated = false;
        bt_state = BT_STATE_ON;
+        bt_security_setup();
      }
      bt_allow_pairing = false;
      bt_ssp_pin = 0;
    }

-    void bt_connect_callback(uint16_t conn_handle) {
+    void bt_connect_callback(BLEServer *server) {
+      // uint16_t conn_id = server->getConnId();
+      // Serial.printf("Connected: %d\n", conn_id);
      display_unblank();
+      ble_authenticated = false;
      bt_state = BT_STATE_CONNECTED;
      cable_state = CABLE_STATE_DISCONNECTED;
    }

-    void bt_disconnect_callback(uint16_t conn_handle, uint8_t reason) {
+    void bt_disconnect_callback(BLEServer *server) {
+      // uint16_t conn_id = server->getConnId();
+      // Serial.printf("Disconnected: %d\n", conn_id);
      display_unblank();
+      ble_authenticated = false;
      bt_state = BT_STATE_ON;
    }

@ -239,6 +309,8 @@ char bt_devname[11];
              sprintf(bt_devname, "RNode %02X%02X", bt_dh[14], bt_dh[15]);
              free(data);

+              bt_security_setup();
+
              bt_ready = true;
              return true;

@ -280,14 +352,8 @@ char bt_devname[11];
      display_unblank();
      if (bt_state == BT_STATE_OFF) bt_start();

-      int dev_num = esp_ble_get_bond_device_num();
-      esp_ble_bond_dev_t *dev_list = (esp_ble_bond_dev_t *)malloc(sizeof(esp_ble_bond_dev_t) * dev_num);
-      esp_ble_get_bond_device_list(&dev_num, dev_list);
-      for (int i = 0; i < dev_num; i++) { esp_ble_remove_bond_device(dev_list[i].bd_addr); }
-      free(dev_list);
-
-      ble_security->setStaticPIN(bt_passkey_callback());
-      ble_security->setAuthenticationMode(ESP_LE_AUTH_REQ_SC_MITM_BOND);
+      bt_debond_all();
+      bt_update_passkey();

      bt_allow_pairing = true;
      bt_pairing_started = millis();