hap_crypto/

pair_verify.rs

//! HomeKit **Pair Verify** (M3) — establish a fresh session from an existing
//! pairing.
//!
//! Once Pair Setup ([`crate::pair_setup`]) has stored an accessory's pairing
//! identifier and Ed25519 long-term public key (an [`AccessoryPairing`]), every
//! subsequent connection runs Pair Verify to establish a fresh, mutually
//! authenticated session. The exchange is a four-message TLV8 flow over an
//! ephemeral X25519 Diffie-Hellman key exchange plus Ed25519 signatures:
//!
//! | Step | Direction | Contents |
//! | ---- | --------- | -------- |
//! | M1   | controller → accessory | `State=1`, `PublicKey` = controller ephemeral X25519 public key |
//! | M2   | accessory → controller | `State=2`, `PublicKey` = accessory ephemeral X25519 public key, `EncryptedData` over `{ Identifier, Signature }` |
//! | M3   | controller → accessory | `State=3`, `EncryptedData` over `{ Identifier, Signature }` |
//! | M4   | accessory → controller | `State=4` on success, or `State=4` + `Error` |
//!
//! From the X25519 shared secret three keys are derived with HKDF-SHA512:
//!
//! - the **Pair-Verify encryption key** (decrypts M2, encrypts M3) — salt
//!   `"Pair-Verify-Encrypt-Salt"`, info `"Pair-Verify-Encrypt-Info"`;
//! - the **read key** (accessory→controller session traffic) — salt
//!   `"Control-Salt"`, info `"Control-Read-Encryption-Key"`;
//! - the **write key** (controller→accessory session traffic) — salt
//!   `"Control-Salt"`, info `"Control-Write-Encryption-Key"`.
//!
//! The accessory's M2 signature, verified against the stored
//! [`AccessoryPairing::ltpk`], is what authenticates the accessory; a mismatch
//! (or any malformed/forged accessory input) is a [`CryptoError`], never a
//! panic. On success [`PairVerifyClient::handle`] yields [`SessionKeys`], which
//! the transport record layer (M4) uses to encrypt and decrypt session traffic.
//!
//! Every byte produced and consumed here is cross-verified against a real
//! captured Pair Verify trace (see the integration tests).

use ed25519_dalek::{Signer, SigningKey};
use hap_tlv8::{Tlv8Map, Tlv8Writer};

use crate::aead::{decrypt, encrypt, hap_nonce};
use crate::error::{CryptoError, Result};
use crate::kdf::hkdf_sha512;
use crate::keys::{verify_ed25519, ControllerKeypair};
use crate::pair_setup::AccessoryPairing;
use crate::tlv_types as tlv;
use crate::x25519::EphemeralKeypair;

// HKDF salt/info constants (HAP, chapter 5 "Pair Verify").
/// HKDF salt for the Pair-Verify encryption key (decrypts M2, encrypts M3).
const PV_ENCRYPT_SALT: &[u8] = b"Pair-Verify-Encrypt-Salt";
/// HKDF info for the Pair-Verify encryption key.
const PV_ENCRYPT_INFO: &[u8] = b"Pair-Verify-Encrypt-Info";
/// HKDF salt shared by both directional session keys.
const CONTROL_SALT: &[u8] = b"Control-Salt";
/// HKDF info for the accessory→controller (read) session key.
const CONTROL_READ_INFO: &[u8] = b"Control-Read-Encryption-Key";
/// HKDF info for the controller→accessory (write) session key.
const CONTROL_WRITE_INFO: &[u8] = b"Control-Write-Encryption-Key";

/// ChaCha20-Poly1305 nonce label for the encrypted M2 sub-TLV.
const NONCE_M2: &[u8] = b"PV-Msg02";
/// ChaCha20-Poly1305 nonce label for the encrypted M3 sub-TLV.
const NONCE_M3: &[u8] = b"PV-Msg03";

/// The two directional session keys produced by a successful Pair Verify.
///
/// The transport record layer encrypts controller→accessory traffic with
/// [`write_key`](SessionKeys::write_key) and decrypts accessory→controller
/// traffic with [`read_key`](SessionKeys::read_key).
#[derive(Clone, PartialEq, Eq)]
pub struct SessionKeys {
    /// Accessory→controller key (`Control-Read-Encryption-Key`).
    pub read_key: [u8; 32],
    /// Controller→accessory key (`Control-Write-Encryption-Key`).
    pub write_key: [u8; 32],
}

// Avoid leaking key material through the default derived `Debug`.
impl core::fmt::Debug for SessionKeys {
    fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
        f.debug_struct("SessionKeys").finish_non_exhaustive()
    }
}

/// The result of feeding one accessory response to [`PairVerifyClient::handle`].
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum PairVerifyStep {
    /// The next controller message (M3) to transmit to the accessory.
    Send(Vec<u8>),
    /// Pair Verify completed; the [`SessionKeys`] are ready for the record layer.
    Done(SessionKeys),
}

/// Internal progress of the [`PairVerifyClient`] exchange.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
enum State {
    /// Created; [`PairVerifyClient::start`] not yet called.
    Init,
    /// M1 sent; awaiting M2.
    AwaitM2,
    /// M3 sent; awaiting M4.
    AwaitM4,
    /// Finished (success or terminal error); no further input accepted.
    Done,
}

/// Drives the controller side of HomeKit Pair Verify (M1–M4).
///
/// Construct with [`new`](PairVerifyClient::new), call
/// [`start`](PairVerifyClient::start) to obtain the M1 payload, then feed each
/// accessory response to [`handle`](PairVerifyClient::handle) and transmit the
/// [`PairVerifyStep::Send`] payload it yields, until
/// [`PairVerifyStep::Done`] returns the [`SessionKeys`].
pub struct PairVerifyClient {
    controller_id: String,
    signing: SigningKey,
    accessory: AccessoryPairing,
    ephemeral: EphemeralKeypair,
    shared_secret: Option<[u8; 32]>,
    state: State,
}

impl PairVerifyClient {
    /// Create a client that verifies against `accessory` using `controller`'s
    /// long-term identity. A fresh random ephemeral X25519 keypair is generated.
    #[must_use]
    pub fn new(controller: &ControllerKeypair, accessory: &AccessoryPairing) -> Self {
        Self::build(controller, accessory, EphemeralKeypair::generate())
    }

    /// Test/replay constructor that injects a fixed ephemeral X25519 secret so a
    /// captured trace can be reproduced deterministically.
    ///
    /// Production code calls [`PairVerifyClient::new`], which generates a fresh
    /// random ephemeral keypair. Mirrors `PairSetupClient::new_with_private`.
    #[must_use]
    pub fn new_with_ephemeral(
        controller: &ControllerKeypair,
        accessory: &AccessoryPairing,
        ephemeral_secret: [u8; 32],
    ) -> Self {
        Self::build(
            controller,
            accessory,
            EphemeralKeypair::from_secret(ephemeral_secret),
        )
    }

    fn build(
        controller: &ControllerKeypair,
        accessory: &AccessoryPairing,
        ephemeral: EphemeralKeypair,
    ) -> Self {
        Self {
            controller_id: controller.id.clone(),
            signing: controller.signing_key(),
            accessory: accessory.clone(),
            ephemeral,
            shared_secret: None,
            state: State::Init,
        }
    }

    /// Produce the M1 payload (`State=1`, `PublicKey`) and advance the state
    /// machine to await M2.
    pub fn start(&mut self) -> Vec<u8> {
        let mut out = Vec::new();
        let mut w = Tlv8Writer::new(&mut out);
        w.push_u8(tlv::STATE, tlv::STATE_M1);
        w.push(tlv::PUBLIC_KEY, &self.ephemeral.public());
        self.state = State::AwaitM2;
        out
    }

    /// Feed the accessory's next response. Returns [`PairVerifyStep::Send`] with
    /// the M3 payload after consuming M2, then [`PairVerifyStep::Done`] with the
    /// [`SessionKeys`] after consuming M4.
    ///
    /// # Errors
    ///
    /// Returns a [`CryptoError`] if `handle` is called before
    /// [`start`](PairVerifyClient::start) or after completion, if the accessory
    /// response is malformed or carries an error code, if M2 decryption or the
    /// accessory's Ed25519 signature fails to verify, or if the accessory's
    /// identifier does not match the stored pairing.
    pub fn handle(&mut self, response: &[u8]) -> Result<PairVerifyStep> {
        match self.state {
            State::Init => Err(CryptoError::Encoding(
                "Pair Verify handle called before start",
            )),
            State::AwaitM2 => self.handle_m2(response),
            State::AwaitM4 => self.handle_m4(response),
            State::Done => Err(CryptoError::Encoding(
                "Pair Verify handle called after completion",
            )),
        }
    }

    /// Handle M2: parse the accessory ephemeral key, derive the shared secret and
    /// the Pair-Verify encryption key, decrypt the sub-TLV, verify the accessory
    /// signature against the stored LTPK, and build M3.
    fn handle_m2(&mut self, response: &[u8]) -> Result<PairVerifyStep> {
        let map = Tlv8Map::parse(response)?;
        check_error(&map)?;
        expect_state(&map, tlv::STATE_M2)?;

        let accessory_eph_pub: [u8; 32] = map
            .get(tlv::PUBLIC_KEY)
            .ok_or(CryptoError::Encoding("M2 missing accessory ephemeral key"))?
            .try_into()
            .map_err(|_| CryptoError::Encoding("M2 accessory ephemeral key not 32 bytes"))?;
        let encrypted = map
            .get(tlv::ENCRYPTED_DATA)
            .ok_or(CryptoError::Encoding("M2 missing encrypted data"))?;

        let controller_eph_pub = self.ephemeral.public();
        let shared = self.ephemeral.diffie_hellman(&accessory_eph_pub);

        let pv_key = derive_key(&shared, PV_ENCRYPT_SALT, PV_ENCRYPT_INFO)?;
        let nonce = hap_nonce(NONCE_M2);
        let plaintext = decrypt(&pv_key, &nonce, b"", encrypted)?;

        // Decrypted sub-TLV: { Identifier, Signature }.
        let sub = Tlv8Map::parse(&plaintext)?;
        let identifier = sub
            .get(tlv::IDENTIFIER)
            .ok_or(CryptoError::Encoding("M2 sub-TLV missing identifier"))?;
        let signature: [u8; 64] = sub
            .get(tlv::SIGNATURE)
            .ok_or(CryptoError::Encoding("M2 sub-TLV missing signature"))?
            .try_into()
            .map_err(|_| CryptoError::Encoding("M2 signature not 64 bytes"))?;

        // The accessory id in the sub-TLV must match the stored pairing.
        if identifier != self.accessory.pairing_id.as_bytes() {
            return Err(CryptoError::Encoding(
                "M2 accessory identifier does not match stored pairing",
            ));
        }

        // Verify Ed25519(AccessoryLTPK,
        //   accessoryEph ‖ AccessoryPairingID ‖ controllerEph).
        let mut signed = Vec::with_capacity(32 + identifier.len() + 32);
        signed.extend_from_slice(&accessory_eph_pub);
        signed.extend_from_slice(identifier);
        signed.extend_from_slice(&controller_eph_pub);
        verify_ed25519(&self.accessory.ltpk, &signed, &signature)?;

        // Build M3: encrypt { Identifier=controller_id, Signature } and frame.
        let m3 = self.build_m3(&pv_key, &controller_eph_pub, &accessory_eph_pub)?;

        self.shared_secret = Some(shared);
        self.state = State::AwaitM4;
        Ok(PairVerifyStep::Send(m3))
    }

    /// Build the controller's M3 payload: sign
    /// `controllerEph ‖ ControllerID ‖ accessoryEph`, wrap it in the
    /// `{ Identifier, Signature }` sub-TLV, encrypt under `pv_key` with the M3
    /// nonce, and frame as `State=3`, `EncryptedData`.
    fn build_m3(
        &self,
        pv_key: &[u8; 32],
        controller_eph_pub: &[u8; 32],
        accessory_eph_pub: &[u8; 32],
    ) -> Result<Vec<u8>> {
        let id = self.controller_id.as_bytes();

        let mut signed = Vec::with_capacity(32 + id.len() + 32);
        signed.extend_from_slice(controller_eph_pub);
        signed.extend_from_slice(id);
        signed.extend_from_slice(accessory_eph_pub);
        let signature: [u8; 64] = self.signing.sign(&signed).to_bytes();

        let mut sub = Vec::new();
        let mut sw = Tlv8Writer::new(&mut sub);
        sw.push(tlv::IDENTIFIER, id);
        sw.push(tlv::SIGNATURE, &signature);

        let nonce = hap_nonce(NONCE_M3);
        let sealed = encrypt(pv_key, &nonce, b"", &sub)?;

        let mut out = Vec::new();
        let mut w = Tlv8Writer::new(&mut out);
        w.push_u8(tlv::STATE, tlv::STATE_M3);
        w.push(tlv::ENCRYPTED_DATA, &sealed);
        Ok(out)
    }

    /// Handle M4: accept `State=4` (surfacing an accessory error code) and emit
    /// the derived [`SessionKeys`].
    fn handle_m4(&mut self, response: &[u8]) -> Result<PairVerifyStep> {
        let map = Tlv8Map::parse(response)?;
        check_error(&map)?;
        expect_state(&map, tlv::STATE_M4)?;

        let shared = self
            .shared_secret
            .ok_or(CryptoError::Encoding("Pair Verify shared secret missing"))?;
        let read_key = derive_key(&shared, CONTROL_SALT, CONTROL_READ_INFO)?;
        let write_key = derive_key(&shared, CONTROL_SALT, CONTROL_WRITE_INFO)?;

        self.state = State::Done;
        Ok(PairVerifyStep::Done(SessionKeys {
            read_key,
            write_key,
        }))
    }
}

/// Derive a 32-byte key with HKDF-SHA512 over the X25519 `shared` secret.
fn derive_key(shared: &[u8; 32], salt: &[u8], info: &[u8]) -> Result<[u8; 32]> {
    let mut out = [0u8; 32];
    hkdf_sha512(shared, salt, info, &mut out)?;
    Ok(out)
}

/// Map an accessory `Error` TLV to a [`CryptoError`], if present.
fn check_error(map: &Tlv8Map) -> Result<()> {
    match map.get(tlv::ERROR) {
        None | Some([]) => Ok(()),
        Some(_) => Err(CryptoError::Encoding(
            "accessory returned a Pair Verify error",
        )),
    }
}

/// Require the response to carry the expected `State` value.
fn expect_state(map: &Tlv8Map, expected: u8) -> Result<()> {
    match map.get_u8(tlv::STATE)? {
        // Some accessories omit State (a known quirk); tolerate that.
        None => Ok(()),
        Some(s) if s == expected => Ok(()),
        Some(_) => Err(CryptoError::Encoding("unexpected Pair Verify state")),
    }
}

#[cfg(test)]
// Test code only: CLAUDE.md carves out `unwrap`/`expect` and indexing for tests
// with a documented justification. Fixtures are fixed captured/known values, so
// a failing `unwrap`/index here is itself a test failure, which is intended.
#[allow(clippy::unwrap_used, clippy::expect_used, clippy::indexing_slicing)]
mod tests {
    use super::*;
    use std::fs;
    use std::path::PathBuf;

    /// Load a committed fixture from the workspace `test-vectors/pair-verify/`
    /// tree, returning `None` when the directory/file is absent so CI without
    /// the captured trace still passes (mirrors the M2 fixture tests).
    fn vec_dir() -> PathBuf {
        PathBuf::from(env!("CARGO_MANIFEST_DIR"))
            .join("../..")
            .join("test-vectors/pair-verify")
    }

    fn load(name: &str) -> Option<Vec<u8>> {
        fs::read(vec_dir().join(name)).ok()
    }

    fn load32(name: &str) -> Option<[u8; 32]> {
        load(name).and_then(|v| v.try_into().ok())
    }

    /// A throwaway controller identity for signing M3 (the real controller LTSK
    /// is not committed, so M3 cannot be compared byte-for-byte).
    fn test_controller() -> ControllerKeypair {
        ControllerKeypair::from_seed("ABCDEF01-2345-6789".to_string(), [7u8; 32])
    }

    fn accessory_from_fixtures() -> Option<AccessoryPairing> {
        let id = String::from_utf8(load("accessory_id.txt")?)
            .ok()?
            .trim()
            .to_string();
        let ltpk = load32("accessory_ltpk.bin")?;
        Some(AccessoryPairing {
            pairing_id: id,
            ltpk,
        })
    }

    // --- Test 1: M1 reproduces the captured m1.bin byte-for-byte. ---
    #[test]
    fn m1_reproduces_captured() {
        let (Some(accessory), Some(eph_priv), Some(m1)) = (
            accessory_from_fixtures(),
            load32("ios_eph_priv.bin"),
            load("m1.bin"),
        ) else {
            eprintln!("skipping m1_reproduces_captured: fixtures absent");
            return;
        };
        let mut client =
            PairVerifyClient::new_with_ephemeral(&test_controller(), &accessory, eph_priv);
        assert_eq!(client.start(), m1);
    }

    // --- Test 2: X25519 shared secret matches the captured value. ---
    #[test]
    fn x25519_matches_captured_shared_secret() {
        let (Some(eph_priv), Some(m2), Some(shared)) = (
            load32("ios_eph_priv.bin"),
            load("m2.bin"),
            load32("shared_secret.bin"),
        ) else {
            eprintln!("skipping x25519_matches_captured_shared_secret: fixtures absent");
            return;
        };
        let map = Tlv8Map::parse(&m2).unwrap();
        let accessory_eph: [u8; 32] = map.get(tlv::PUBLIC_KEY).unwrap().try_into().unwrap();
        let kp = EphemeralKeypair::from_secret(eph_priv);
        assert_eq!(kp.diffie_hellman(&accessory_eph), shared);
        // Free-function path agrees too.
        assert_eq!(
            crate::x25519::x25519_shared(&eph_priv, &accessory_eph),
            shared
        );
    }

    // --- Test 3: session-key derivation matches the captured control keys. ---
    #[test]
    fn session_keys_match_captured() {
        let (Some(shared), Some(read), Some(write)) = (
            load32("shared_secret.bin"),
            load32("control_read_encryption_key.bin"),
            load32("control_write_encryption_key.bin"),
        ) else {
            eprintln!("skipping session_keys_match_captured: fixtures absent");
            return;
        };
        assert_eq!(
            derive_key(&shared, CONTROL_SALT, CONTROL_READ_INFO).unwrap(),
            read
        );
        assert_eq!(
            derive_key(&shared, CONTROL_SALT, CONTROL_WRITE_INFO).unwrap(),
            write
        );
    }

    // --- Test 4: full handle replay against the real trace. This is the
    // high-value cross-check: it exercises HKDF + ChaCha + PV-Msg02 nonce +
    // Ed25519 verification of the accessory signature over real bytes. ---
    #[test]
    fn full_replay_reaches_done_with_matching_keys() {
        let (Some(accessory), Some(eph_priv), Some(m2), Some(m4), Some(read), Some(write)) = (
            accessory_from_fixtures(),
            load32("ios_eph_priv.bin"),
            load("m2.bin"),
            load("m4.bin"),
            load32("control_read_encryption_key.bin"),
            load32("control_write_encryption_key.bin"),
        ) else {
            eprintln!("skipping full_replay_reaches_done_with_matching_keys: fixtures absent");
            return;
        };

        let mut client =
            PairVerifyClient::new_with_ephemeral(&test_controller(), &accessory, eph_priv);
        let _m1 = client.start();

        // handle(M2) must DECRYPT and VERIFY the accessory signature, then emit M3.
        let step = client.handle(&m2).unwrap();
        let PairVerifyStep::Send(m3) = step else {
            panic!("expected Send(m3) after M2, got {step:?}");
        };
        // M3 is a well-formed State=3 + EncryptedData payload (not byte-compared:
        // the real controller LTSK is not committed).
        let m3map = Tlv8Map::parse(&m3).unwrap();
        assert_eq!(m3map.get_u8(tlv::STATE).unwrap(), Some(tlv::STATE_M3));
        assert!(m3map.get(tlv::ENCRYPTED_DATA).is_some());

        // handle(M4) yields the session keys matching the captured control keys.
        let done = client.handle(&m4).unwrap();
        let PairVerifyStep::Done(keys) = done else {
            panic!("expected Done(SessionKeys) after M4, got {done:?}");
        };
        assert_eq!(keys.read_key, read);
        assert_eq!(keys.write_key, write);
    }

    // --- Test 5 (negative): a corrupted M2 EncryptedData yields a CryptoError,
    // not a panic. ---
    #[test]
    fn corrupt_m2_encrypted_data_errors() {
        let (Some(accessory), Some(eph_priv), Some(m2)) = (
            accessory_from_fixtures(),
            load32("ios_eph_priv.bin"),
            load("m2.bin"),
        ) else {
            eprintln!("skipping corrupt_m2_encrypted_data_errors: fixtures absent");
            return;
        };

        // Flip a bit inside the EncryptedData item. Rebuild M2 with the tampered
        // ciphertext so the TLV framing stays valid but the AEAD tag fails.
        let map = Tlv8Map::parse(&m2).unwrap();
        let accessory_eph = map.get(tlv::PUBLIC_KEY).unwrap().to_vec();
        let mut enc = map.get(tlv::ENCRYPTED_DATA).unwrap().to_vec();
        enc[0] ^= 0x01;

        let mut tampered = Vec::new();
        let mut w = Tlv8Writer::new(&mut tampered);
        w.push_u8(tlv::STATE, tlv::STATE_M2);
        w.push(tlv::PUBLIC_KEY, &accessory_eph);
        w.push(tlv::ENCRYPTED_DATA, &enc);

        let mut client =
            PairVerifyClient::new_with_ephemeral(&test_controller(), &accessory, eph_priv);
        let _m1 = client.start();
        let err = client.handle(&tampered);
        assert!(
            matches!(err, Err(CryptoError::Aead | CryptoError::Signature)),
            "expected Aead/Signature error, got {err:?}"
        );
    }

    // --- Out-of-order: handle before start is rejected, not a panic. ---
    #[test]
    fn handle_before_start_errors() {
        let accessory = AccessoryPairing {
            pairing_id: "AA:BB:CC:DD:EE:FF".to_string(),
            ltpk: [0u8; 32],
        };
        let mut client = PairVerifyClient::new(&test_controller(), &accessory);
        assert!(client.handle(b"\x06\x01\x02").is_err());
    }

    // --- Accessory Error TLV in M4 is surfaced as an error. ---
    #[test]
    fn accessory_error_in_m4_errors() {
        let (Some(accessory), Some(eph_priv), Some(m2)) = (
            accessory_from_fixtures(),
            load32("ios_eph_priv.bin"),
            load("m2.bin"),
        ) else {
            eprintln!("skipping accessory_error_in_m4_errors: fixtures absent");
            return;
        };
        let mut client =
            PairVerifyClient::new_with_ephemeral(&test_controller(), &accessory, eph_priv);
        let _m1 = client.start();
        client.handle(&m2).unwrap();
        // M4 with State=4 + Error=2 (authentication).
        let mut m4err = Vec::new();
        let mut w = Tlv8Writer::new(&mut m4err);
        w.push_u8(tlv::STATE, tlv::STATE_M4);
        w.push_u8(tlv::ERROR, 2);
        assert!(client.handle(&m4err).is_err());
    }
}