1 /* Copyright (c) 2022 Nordic Semiconductor ASA
2 * SPDX-License-Identifier: Apache-2.0
3 */
4
5 #include <errno.h>
6 #include <string.h>
7
8 #include <zephyr/sys/byteorder.h>
9
10 #include <tinycrypt/cmac_mode.h>
11 #include <tinycrypt/constants.h>
12
13 #include "common/bt_str.h"
14 #include "bt_crypto.h"
15
16 #define LOG_LEVEL CONFIG_BT_CRYPTO_LOG_LEVEL
17 #include <zephyr/logging/log.h>
18 LOG_MODULE_REGISTER(bt_crypto);
19
20
bt_crypto_aes_cmac(const uint8_t * key,const uint8_t * in,size_t len,uint8_t * out)21 int bt_crypto_aes_cmac(const uint8_t *key, const uint8_t *in, size_t len, uint8_t *out)
22 {
23 struct tc_aes_key_sched_struct sched;
24 struct tc_cmac_struct state;
25
26 if (tc_cmac_setup(&state, key, &sched) == TC_CRYPTO_FAIL) {
27 return -EIO;
28 }
29
30 if (tc_cmac_update(&state, in, len) == TC_CRYPTO_FAIL) {
31 return -EIO;
32 }
33
34 if (tc_cmac_final(out, &state) == TC_CRYPTO_FAIL) {
35 return -EIO;
36 }
37
38 return 0;
39 }
40
bt_crypto_f4(const uint8_t * u,const uint8_t * v,const uint8_t * x,uint8_t z,uint8_t res[16])41 int bt_crypto_f4(const uint8_t *u, const uint8_t *v, const uint8_t *x, uint8_t z, uint8_t res[16])
42 {
43 uint8_t xs[16];
44 uint8_t m[65];
45 int err;
46
47 LOG_DBG("u %s", bt_hex(u, 32));
48 LOG_DBG("v %s", bt_hex(v, 32));
49 LOG_DBG("x %s z 0x%x", bt_hex(x, 16), z);
50
51 /*
52 * U, V and Z are concatenated and used as input m to the function
53 * AES-CMAC and X is used as the key k.
54 *
55 * Core Spec 4.2 Vol 3 Part H 2.2.5
56 *
57 * note:
58 * bt_smp_aes_cmac uses BE data and smp_f4 accept LE so we swap
59 */
60 sys_memcpy_swap(m, u, 32);
61 sys_memcpy_swap(m + 32, v, 32);
62 m[64] = z;
63
64 sys_memcpy_swap(xs, x, 16);
65
66 err = bt_crypto_aes_cmac(xs, m, sizeof(m), res);
67 if (err) {
68 return err;
69 }
70
71 sys_mem_swap(res, 16);
72
73 LOG_DBG("res %s", bt_hex(res, 16));
74
75 return err;
76 }
77
bt_crypto_f5(const uint8_t * w,const uint8_t * n1,const uint8_t * n2,const bt_addr_le_t * a1,const bt_addr_le_t * a2,uint8_t * mackey,uint8_t * ltk)78 int bt_crypto_f5(const uint8_t *w, const uint8_t *n1, const uint8_t *n2, const bt_addr_le_t *a1,
79 const bt_addr_le_t *a2, uint8_t *mackey, uint8_t *ltk)
80 {
81 static const uint8_t salt[16] = {0x6c, 0x88, 0x83, 0x91, 0xaa, 0xf5, 0xa5, 0x38,
82 0x60, 0x37, 0x0b, 0xdb, 0x5a, 0x60, 0x83, 0xbe};
83 uint8_t m[53] = {0x00, /* counter */
84 0x62, 0x74, 0x6c, 0x65, /* keyID */
85 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /*n1*/
86 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
87 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /*2*/
88 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
89 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a1 */
90 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a2 */
91 0x01, 0x00 /* length */};
92 uint8_t t[16], ws[32];
93 int err;
94
95 LOG_DBG("w %s", bt_hex(w, 32));
96 LOG_DBG("n1 %s", bt_hex(n1, 16));
97 LOG_DBG("n2 %s", bt_hex(n2, 16));
98
99 sys_memcpy_swap(ws, w, 32);
100
101 err = bt_crypto_aes_cmac(salt, ws, 32, t);
102 if (err) {
103 return err;
104 }
105
106 LOG_DBG("t %s", bt_hex(t, 16));
107
108 sys_memcpy_swap(m + 5, n1, 16);
109 sys_memcpy_swap(m + 21, n2, 16);
110 m[37] = a1->type;
111 sys_memcpy_swap(m + 38, a1->a.val, 6);
112 m[44] = a2->type;
113 sys_memcpy_swap(m + 45, a2->a.val, 6);
114
115 err = bt_crypto_aes_cmac(t, m, sizeof(m), mackey);
116 if (err) {
117 return err;
118 }
119
120 LOG_DBG("mackey %1s", bt_hex(mackey, 16));
121
122 sys_mem_swap(mackey, 16);
123
124 /* counter for ltk is 1 */
125 m[0] = 0x01;
126
127 err = bt_crypto_aes_cmac(t, m, sizeof(m), ltk);
128 if (err) {
129 return err;
130 }
131
132 LOG_DBG("ltk %s", bt_hex(ltk, 16));
133
134 sys_mem_swap(ltk, 16);
135
136 return 0;
137 }
138
bt_crypto_f6(const uint8_t * w,const uint8_t * n1,const uint8_t * n2,const uint8_t * r,const uint8_t * iocap,const bt_addr_le_t * a1,const bt_addr_le_t * a2,uint8_t * check)139 int bt_crypto_f6(const uint8_t *w, const uint8_t *n1, const uint8_t *n2, const uint8_t *r,
140 const uint8_t *iocap, const bt_addr_le_t *a1, const bt_addr_le_t *a2,
141 uint8_t *check)
142 {
143 uint8_t ws[16];
144 uint8_t m[65];
145 int err;
146
147 LOG_DBG("w %s", bt_hex(w, 16));
148 LOG_DBG("n1 %s", bt_hex(n1, 16));
149 LOG_DBG("n2 %s", bt_hex(n2, 16));
150 LOG_DBG("r %s", bt_hex(r, 16));
151 LOG_DBG("io_cap %s", bt_hex(iocap, 3));
152 LOG_DBG("a1 %s", bt_hex(a1, 7));
153 LOG_DBG("a2 %s", bt_hex(a2, 7));
154
155 sys_memcpy_swap(m, n1, 16);
156 sys_memcpy_swap(m + 16, n2, 16);
157 sys_memcpy_swap(m + 32, r, 16);
158 sys_memcpy_swap(m + 48, iocap, 3);
159
160 m[51] = a1->type;
161 memcpy(m + 52, a1->a.val, 6);
162 sys_memcpy_swap(m + 52, a1->a.val, 6);
163
164 m[58] = a2->type;
165 memcpy(m + 59, a2->a.val, 6);
166 sys_memcpy_swap(m + 59, a2->a.val, 6);
167
168 sys_memcpy_swap(ws, w, 16);
169
170 err = bt_crypto_aes_cmac(ws, m, sizeof(m), check);
171 if (err) {
172 return err;
173 }
174
175 LOG_DBG("res %s", bt_hex(check, 16));
176
177 sys_mem_swap(check, 16);
178
179 return 0;
180 }
181
bt_crypto_g2(const uint8_t u[32],const uint8_t v[32],const uint8_t x[16],const uint8_t y[16],uint32_t * passkey)182 int bt_crypto_g2(const uint8_t u[32], const uint8_t v[32], const uint8_t x[16], const uint8_t y[16],
183 uint32_t *passkey)
184 {
185 uint8_t m[80], xs[16];
186 int err;
187
188 LOG_DBG("u %s", bt_hex(u, 32));
189 LOG_DBG("v %s", bt_hex(v, 32));
190 LOG_DBG("x %s", bt_hex(x, 16));
191 LOG_DBG("y %s", bt_hex(y, 16));
192
193 sys_memcpy_swap(m, u, 32);
194 sys_memcpy_swap(m + 32, v, 32);
195 sys_memcpy_swap(m + 64, y, 16);
196
197 sys_memcpy_swap(xs, x, 16);
198
199 /* reuse xs (key) as buffer for result */
200 err = bt_crypto_aes_cmac(xs, m, sizeof(m), xs);
201 if (err) {
202 return err;
203 }
204 LOG_DBG("res %s", bt_hex(xs, 16));
205
206 memcpy(passkey, xs + 12, 4);
207 *passkey = sys_be32_to_cpu(*passkey) % 1000000;
208
209 LOG_DBG("passkey %u", *passkey);
210
211 return 0;
212 }
213
bt_crypto_h6(const uint8_t w[16],const uint8_t key_id[4],uint8_t res[16])214 int bt_crypto_h6(const uint8_t w[16], const uint8_t key_id[4], uint8_t res[16])
215 {
216 uint8_t ws[16];
217 uint8_t key_id_s[4];
218 int err;
219
220 LOG_DBG("w %s", bt_hex(w, 16));
221 LOG_DBG("key_id %s", bt_hex(key_id, 4));
222
223 sys_memcpy_swap(ws, w, 16);
224 sys_memcpy_swap(key_id_s, key_id, 4);
225
226 err = bt_crypto_aes_cmac(ws, key_id_s, 4, res);
227 if (err) {
228 return err;
229 }
230
231 LOG_DBG("res %s", bt_hex(res, 16));
232
233 sys_mem_swap(res, 16);
234
235 return 0;
236 }
237
bt_crypto_h7(const uint8_t salt[16],const uint8_t w[16],uint8_t res[16])238 int bt_crypto_h7(const uint8_t salt[16], const uint8_t w[16], uint8_t res[16])
239 {
240 uint8_t ws[16];
241 uint8_t salt_s[16];
242 int err;
243
244 LOG_DBG("w %s", bt_hex(w, 16));
245 LOG_DBG("salt %s", bt_hex(salt, 16));
246
247 sys_memcpy_swap(ws, w, 16);
248 sys_memcpy_swap(salt_s, salt, 16);
249
250 err = bt_crypto_aes_cmac(salt_s, ws, 16, res);
251 if (err) {
252 return err;
253 }
254
255 LOG_DBG("res %s", bt_hex(res, 16));
256
257 sys_mem_swap(res, 16);
258
259 return 0;
260 }
261
bt_crypto_h8(const uint8_t k[16],const uint8_t s[16],const uint8_t key_id[4],uint8_t res[16])262 int bt_crypto_h8(const uint8_t k[16], const uint8_t s[16], const uint8_t key_id[4], uint8_t res[16])
263 {
264 uint8_t key_id_s[4];
265 uint8_t iks[16];
266 uint8_t ks[16];
267 uint8_t ss[16];
268 int err;
269
270 LOG_DBG("k %s", bt_hex(k, 16));
271 LOG_DBG("s %s", bt_hex(s, 16));
272 LOG_DBG("key_id %s", bt_hex(key_id, 4));
273
274 sys_memcpy_swap(ks, k, 16);
275 sys_memcpy_swap(ss, s, 16);
276
277 err = bt_crypto_aes_cmac(ss, ks, 16, iks);
278 if (err) {
279 return err;
280 }
281
282 sys_memcpy_swap(key_id_s, key_id, 4);
283
284 err = bt_crypto_aes_cmac(iks, key_id_s, 4, res);
285 if (err) {
286 return err;
287 }
288
289 LOG_DBG("res %s", bt_hex(res, 16));
290
291 sys_mem_swap(res, 16);
292
293 return 0;
294 }
295
