fix(ble): refuse to operate on unbonded LE links

Per CTAP 2.2 §11.4, BLE FIDO authenticator traffic MUST run on a
bonded LE Secure Connections link. The previous connect path issued
FIDO operations without verifying bonding state, so a session that
fell back to an unauthenticated link would proceed in violation of
the spec.

Adds a pairing module that, on Linux, queries
org.bluez.Device1.Paired and org.bluez.Device1.Bonded over DBus and
refuses to proceed if either is false. The DBus call is dispatched on
spawn_blocking so it doesn't stall the tokio runtime. On non-bluez
backends or when DBus is unreachable the check falls back gracefully:
macOS and Windows enforce bonding at the OS level for authenticated
GATT characteristics, so deferring there is acceptable. The library
itself cannot trigger pairing; the user is expected to pair the device
beforehand (e.g. via bluetoothctl).

manager::connect calls enforce_bonded after establishing the link and
before discovering services.

Author: AlfioEmanueleFresta

libwebauthn/src/transport/ble/btleplug/manager.rs

@@ -11,6 +11,7 @@ use uuid::Uuid;
 
 use super::device::FidoEndpoints;
 use super::gatt::get_gatt_characteristic;
+use super::pairing::enforce_bonded;
 use super::{Connection, Error, FidoDevice};
 use crate::fido::{FidoProtocol, FidoRevision};
 
@@ -207,8 +208,8 @@ pub async fn supported_fido_revisions(
     Ok(supported)
 }
 
-/// Connect, discover FIDO services on this device, and
-/// select the FIDO revision to be used.
+/// Connect, discover FIDO services on this device, and select the FIDO
+/// revision to be used. Refuses unbonded LE links (CTAP 2.2 §11.4).
 pub async fn connect(
     peripheral: &Peripheral,
     revision: &FidoRevision,
@@ -217,6 +218,7 @@ pub async fn connect(
         .connect()
         .await
         .or(Err(Error::ConnectionFailed))?;
+    enforce_bonded(peripheral).await?;
     peripheral
         .discover_services()
         .await

libwebauthn/src/transport/ble/btleplug/mod.rs

@@ -3,6 +3,7 @@ pub mod device;
 pub mod error;
 pub mod gatt;
 pub mod manager;
+pub(crate) mod pairing;
 
 pub use connection::Connection;
 pub use device::FidoDevice;

libwebauthn/src/transport/ble/btleplug/pairing.rs

@@ -0,0 +1,111 @@
+//! Bonding enforcement for BLE FIDO authenticators.
+//!
+//! CTAP 2.2 §11.4 requires the platform-authenticator BLE link to be
+//! bonded with LE Secure Connections. btleplug doesn't surface bonding
+//! state, so on Linux we query bluez's `org.bluez.Device1.{Paired,Bonded}`
+//! directly. Pairing itself is the OS's responsibility (e.g.
+//! `bluetoothctl pair <ADDR>`); this module only verifies the link.
+
+use btleplug::api::{BDAddr, Peripheral as _};
+use btleplug::platform::Peripheral;
+use tracing::{debug, info, warn};
+
+use super::Error;
+
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub(crate) enum BondingState {
+    Bonded,
+    NotBonded,
+    /// Bonding state could not be determined (non-bluez backend or DBus
+    /// unreachable); the caller decides whether to proceed.
+    Unknown,
+}
+
+/// Reads `Paired` and `Bonded` from bluez DBus for `peripheral`.
+pub(crate) async fn check_bonded(peripheral: &Peripheral) -> BondingState {
+    let address = peripheral.address();
+    debug!(?address, "Checking bonded state via bluez DBus");
+
+    let result = tokio::task::spawn_blocking(move || query_bluez_bonded(address)).await;
+
+    match result {
+        Ok(Ok((paired, bonded))) => {
+            info!(?address, paired, bonded, "bluez bonding state");
+            if paired && bonded {
+                BondingState::Bonded
+            } else {
+                BondingState::NotBonded
+            }
+        }
+        Ok(Err(e)) => {
+            warn!(?address, error = ?e, "Could not query bluez bonding state");
+            BondingState::Unknown
+        }
+        Err(e) => {
+            warn!(error = ?e, "bluez bonding query task panicked");
+            BondingState::Unknown
+        }
+    }
+}
+
+/// Returns `Err(ConnectionFailed)` when the device is reachable but
+/// explicitly not bonded; falls through on `Unknown`.
+pub(crate) async fn enforce_bonded(peripheral: &Peripheral) -> Result<(), Error> {
+    match check_bonded(peripheral).await {
+        BondingState::Bonded => Ok(()),
+        BondingState::Unknown => {
+            warn!(
+                "Could not verify LE Secure Connections bonding via bluez; \
+                 proceeding under OS pairing enforcement"
+            );
+            Ok(())
+        }
+        BondingState::NotBonded => {
+            warn!(
+                "BLE FIDO authenticator is not bonded with LE Secure Connections; \
+                 CTAP 2.2 §11.4 requires bonding. Pair the device via the OS \
+                 (e.g. `bluetoothctl pair <ADDR>`) before retrying."
+            );
+            Err(Error::ConnectionFailed)
+        }
+    }
+}
+
+/// btleplug doesn't expose the adapter index, so we walk the bluez
+/// ObjectManager tree and match the first device with this address.
+fn query_bluez_bonded(address: BDAddr) -> Result<(bool, bool), String> {
+    use dbus::arg::{PropMap, RefArg};
+    use dbus::blocking::stdintf::org_freedesktop_dbus::ObjectManager;
+    use dbus::blocking::{Connection, Proxy};
+    use std::time::Duration as StdDuration;
+
+    let conn = Connection::new_system().map_err(|e| format!("dbus connect: {e}"))?;
+    let manager = Proxy::new("org.bluez", "/", StdDuration::from_secs(2), &conn);
+    let objects = manager
+        .get_managed_objects()
+        .map_err(|e| format!("GetManagedObjects: {e}"))?;
+
+    let mac_lower = format!("{:x}", address);
+    let dev_segment = format!("dev_{}", mac_lower.replace(':', "_").to_uppercase());
+
+    for (path, interfaces) in objects {
+        let path_str = path.to_string();
+        if !path_str.starts_with("/org/bluez/") || !path_str.ends_with(&dev_segment) {
+            continue;
+        }
+        let Some(device_props): Option<&PropMap> = interfaces.get("org.bluez.Device1") else {
+            continue;
+        };
+        let paired = device_props
+            .get("Paired")
+            .and_then(|v| v.0.as_any().downcast_ref::<bool>().copied())
+            .unwrap_or(false);
+        let bonded = device_props
+            .get("Bonded")
+            .and_then(|v| v.0.as_any().downcast_ref::<bool>().copied())
+            .unwrap_or(false);
+        return Ok((paired, bonded));
+    }
+
+    Err(format!("device {address} not found in bluez ObjectManager"))
+}