forked from auracaster/bumble_mirror
300 lines
9.2 KiB
Python
300 lines
9.2 KiB
Python
# Copyright 2021-2022 Google LLC
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# https://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
# -----------------------------------------------------------------------------
|
|
# Crypto support
|
|
#
|
|
# See Bluetooth spec Vol 3, Part H - 2.2 CRYPTOGRAPHIC TOOLBOX
|
|
# -----------------------------------------------------------------------------
|
|
|
|
# -----------------------------------------------------------------------------
|
|
# Imports
|
|
# -----------------------------------------------------------------------------
|
|
from __future__ import annotations
|
|
|
|
import logging
|
|
import operator
|
|
|
|
import secrets
|
|
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
|
|
from cryptography.hazmat.primitives.asymmetric.ec import (
|
|
generate_private_key,
|
|
ECDH,
|
|
EllipticCurvePrivateKey,
|
|
EllipticCurvePublicNumbers,
|
|
EllipticCurvePrivateNumbers,
|
|
SECP256R1,
|
|
)
|
|
from cryptography.hazmat.primitives import cmac
|
|
from typing import Tuple
|
|
|
|
|
|
# -----------------------------------------------------------------------------
|
|
# Logging
|
|
# -----------------------------------------------------------------------------
|
|
logger = logging.getLogger(__name__)
|
|
|
|
|
|
# -----------------------------------------------------------------------------
|
|
# Classes
|
|
# -----------------------------------------------------------------------------
|
|
class EccKey:
|
|
def __init__(self, private_key: EllipticCurvePrivateKey) -> None:
|
|
self.private_key = private_key
|
|
|
|
@classmethod
|
|
def generate(cls) -> EccKey:
|
|
private_key = generate_private_key(SECP256R1())
|
|
return cls(private_key)
|
|
|
|
@classmethod
|
|
def from_private_key_bytes(
|
|
cls, d_bytes: bytes, x_bytes: bytes, y_bytes: bytes
|
|
) -> EccKey:
|
|
d = int.from_bytes(d_bytes, byteorder='big', signed=False)
|
|
x = int.from_bytes(x_bytes, byteorder='big', signed=False)
|
|
y = int.from_bytes(y_bytes, byteorder='big', signed=False)
|
|
private_key = EllipticCurvePrivateNumbers(
|
|
d, EllipticCurvePublicNumbers(x, y, SECP256R1())
|
|
).private_key()
|
|
return cls(private_key)
|
|
|
|
@property
|
|
def x(self) -> bytes:
|
|
return (
|
|
self.private_key.public_key()
|
|
.public_numbers()
|
|
.x.to_bytes(32, byteorder='big')
|
|
)
|
|
|
|
@property
|
|
def y(self) -> bytes:
|
|
return (
|
|
self.private_key.public_key()
|
|
.public_numbers()
|
|
.y.to_bytes(32, byteorder='big')
|
|
)
|
|
|
|
def dh(self, public_key_x: bytes, public_key_y: bytes) -> bytes:
|
|
x = int.from_bytes(public_key_x, byteorder='big', signed=False)
|
|
y = int.from_bytes(public_key_y, byteorder='big', signed=False)
|
|
public_key = EllipticCurvePublicNumbers(x, y, SECP256R1()).public_key()
|
|
shared_key = self.private_key.exchange(ECDH(), public_key)
|
|
|
|
return shared_key
|
|
|
|
|
|
# -----------------------------------------------------------------------------
|
|
# Functions
|
|
# -----------------------------------------------------------------------------
|
|
|
|
|
|
# -----------------------------------------------------------------------------
|
|
def generate_prand() -> bytes:
|
|
'''Generates random 3 bytes, with the 2 most significant bits of 0b01.
|
|
|
|
See Bluetooth spec, Vol 6, Part E - Table 1.2.
|
|
'''
|
|
prand_bytes = secrets.token_bytes(6)
|
|
return prand_bytes[:2] + bytes([(prand_bytes[2] & 0b01111111) | 0b01000000])
|
|
|
|
|
|
# -----------------------------------------------------------------------------
|
|
def xor(x: bytes, y: bytes) -> bytes:
|
|
assert len(x) == len(y)
|
|
return bytes(map(operator.xor, x, y))
|
|
|
|
|
|
# -----------------------------------------------------------------------------
|
|
def reverse(input: bytes) -> bytes:
|
|
'''
|
|
Returns bytes of input in reversed endianness.
|
|
'''
|
|
return input[::-1]
|
|
|
|
|
|
# -----------------------------------------------------------------------------
|
|
def r() -> bytes:
|
|
'''
|
|
Generate 16 bytes of random data
|
|
'''
|
|
return secrets.token_bytes(16)
|
|
|
|
|
|
# -----------------------------------------------------------------------------
|
|
def e(key: bytes, data: bytes) -> bytes:
|
|
'''
|
|
AES-128 ECB, expecting byte-swapped inputs and producing a byte-swapped output.
|
|
|
|
See Bluetooth spec Vol 3, Part H - 2.2.1 Security function e
|
|
'''
|
|
|
|
cipher = Cipher(algorithms.AES(reverse(key)), modes.ECB())
|
|
encryptor = cipher.encryptor()
|
|
return reverse(encryptor.update(reverse(data)))
|
|
|
|
|
|
# -----------------------------------------------------------------------------
|
|
def ah(k: bytes, r: bytes) -> bytes: # pylint: disable=redefined-outer-name
|
|
'''
|
|
See Bluetooth spec Vol 3, Part H - 2.2.2 Random Address Hash function ah
|
|
'''
|
|
|
|
padding = bytes(13)
|
|
r_prime = r + padding
|
|
return e(k, r_prime)[0:3]
|
|
|
|
|
|
# -----------------------------------------------------------------------------
|
|
def c1(
|
|
k: bytes,
|
|
r: bytes,
|
|
preq: bytes,
|
|
pres: bytes,
|
|
iat: int,
|
|
rat: int,
|
|
ia: bytes,
|
|
ra: bytes,
|
|
) -> bytes: # pylint: disable=redefined-outer-name
|
|
'''
|
|
See Bluetooth spec, Vol 3, Part H - 2.2.3 Confirm value generation function c1 for
|
|
LE Legacy Pairing
|
|
'''
|
|
|
|
p1 = bytes([iat, rat]) + preq + pres
|
|
p2 = ra + ia + bytes([0, 0, 0, 0])
|
|
return e(k, xor(e(k, xor(r, p1)), p2))
|
|
|
|
|
|
# -----------------------------------------------------------------------------
|
|
def s1(k: bytes, r1: bytes, r2: bytes) -> bytes:
|
|
'''
|
|
See Bluetooth spec, Vol 3, Part H - 2.2.4 Key generation function s1 for LE Legacy
|
|
Pairing
|
|
'''
|
|
|
|
return e(k, r2[0:8] + r1[0:8])
|
|
|
|
|
|
# -----------------------------------------------------------------------------
|
|
def aes_cmac(m: bytes, k: bytes) -> bytes:
|
|
'''
|
|
See Bluetooth spec, Vol 3, Part H - 2.2.5 FunctionAES-CMAC
|
|
|
|
NOTE: the input and output of this internal function are in big-endian byte order
|
|
'''
|
|
mac = cmac.CMAC(algorithms.AES(k))
|
|
mac.update(m)
|
|
return mac.finalize()
|
|
|
|
|
|
# -----------------------------------------------------------------------------
|
|
def f4(u: bytes, v: bytes, x: bytes, z: bytes) -> bytes:
|
|
'''
|
|
See Bluetooth spec, Vol 3, Part H - 2.2.6 LE Secure Connections Confirm Value
|
|
Generation Function f4
|
|
'''
|
|
return reverse(aes_cmac(reverse(u) + reverse(v) + z, reverse(x)))
|
|
|
|
|
|
# -----------------------------------------------------------------------------
|
|
def f5(w: bytes, n1: bytes, n2: bytes, a1: bytes, a2: bytes) -> Tuple[bytes, bytes]:
|
|
'''
|
|
See Bluetooth spec, Vol 3, Part H - 2.2.7 LE Secure Connections Key Generation
|
|
Function f5
|
|
|
|
NOTE: this returns a tuple: (MacKey, LTK) in little-endian byte order
|
|
'''
|
|
salt = bytes.fromhex('6C888391AAF5A53860370BDB5A6083BE')
|
|
t = aes_cmac(reverse(w), salt)
|
|
key_id = bytes([0x62, 0x74, 0x6C, 0x65])
|
|
return (
|
|
reverse(
|
|
aes_cmac(
|
|
bytes([0])
|
|
+ key_id
|
|
+ reverse(n1)
|
|
+ reverse(n2)
|
|
+ reverse(a1)
|
|
+ reverse(a2)
|
|
+ bytes([1, 0]),
|
|
t,
|
|
)
|
|
),
|
|
reverse(
|
|
aes_cmac(
|
|
bytes([1])
|
|
+ key_id
|
|
+ reverse(n1)
|
|
+ reverse(n2)
|
|
+ reverse(a1)
|
|
+ reverse(a2)
|
|
+ bytes([1, 0]),
|
|
t,
|
|
)
|
|
),
|
|
)
|
|
|
|
|
|
# -----------------------------------------------------------------------------
|
|
def f6(
|
|
w: bytes, n1: bytes, n2: bytes, r: bytes, io_cap: bytes, a1: bytes, a2: bytes
|
|
) -> bytes: # pylint: disable=redefined-outer-name
|
|
'''
|
|
See Bluetooth spec, Vol 3, Part H - 2.2.8 LE Secure Connections Check Value
|
|
Generation Function f6
|
|
'''
|
|
return reverse(
|
|
aes_cmac(
|
|
reverse(n1)
|
|
+ reverse(n2)
|
|
+ reverse(r)
|
|
+ reverse(io_cap)
|
|
+ reverse(a1)
|
|
+ reverse(a2),
|
|
reverse(w),
|
|
)
|
|
)
|
|
|
|
|
|
# -----------------------------------------------------------------------------
|
|
def g2(u: bytes, v: bytes, x: bytes, y: bytes) -> int:
|
|
'''
|
|
See Bluetooth spec, Vol 3, Part H - 2.2.9 LE Secure Connections Numeric Comparison
|
|
Value Generation Function g2
|
|
'''
|
|
return int.from_bytes(
|
|
aes_cmac(
|
|
reverse(u) + reverse(v) + reverse(y),
|
|
reverse(x),
|
|
)[-4:],
|
|
byteorder='big',
|
|
)
|
|
|
|
|
|
# -----------------------------------------------------------------------------
|
|
def h6(w: bytes, key_id: bytes) -> bytes:
|
|
'''
|
|
See Bluetooth spec, Vol 3, Part H - 2.2.10 Link key conversion function h6
|
|
'''
|
|
return reverse(aes_cmac(key_id, reverse(w)))
|
|
|
|
|
|
# -----------------------------------------------------------------------------
|
|
def h7(salt: bytes, w: bytes) -> bytes:
|
|
'''
|
|
See Bluetooth spec, Vol 3, Part H - 2.2.11 Link key conversion function h7
|
|
'''
|
|
return reverse(aes_cmac(reverse(w), salt))
|