1 /*
2 * Copyright (c) 2017 Intel Corporation
3 * Copyright (c) 2022 Nordic Semiconductor ASA
4 *
5 * SPDX-License-Identifier: Apache-2.0
6 */
7
8 #include <string.h>
9 #include <stdbool.h>
10 #include <errno.h>
11 #include <zephyr/sys/byteorder.h>
12 #include <zephyr/bluetooth/mesh.h>
13
14 #include "common/bt_str.h"
15
16 #include "mesh.h"
17 #include "crypto.h"
18
19 #define LOG_LEVEL CONFIG_BT_MESH_CRYPTO_LOG_LEVEL
20 #include <zephyr/logging/log.h>
21 LOG_MODULE_REGISTER(bt_mesh_crypto);
22
23 #define NET_MIC_LEN(pdu) (((pdu)[1] & 0x80) ? 8 : 4)
24 #define APP_MIC_LEN(aszmic) ((aszmic) ? 8 : 4)
25
bt_mesh_aes_cmac_one_raw_key(const uint8_t key[16],const void * m,size_t len,uint8_t mac[16])26 static int bt_mesh_aes_cmac_one_raw_key(const uint8_t key[16], const void *m,
27 size_t len, uint8_t mac[16])
28 {
29 struct bt_mesh_sg sg = {.data = m, .len = len};
30
31 return bt_mesh_aes_cmac_raw_key(key, &sg, 1, mac);
32 }
33
bt_mesh_aes_cmac_one_mesh_key(const struct bt_mesh_key * key,const void * m,size_t len,uint8_t mac[16])34 static int bt_mesh_aes_cmac_one_mesh_key(const struct bt_mesh_key *key, const void *m,
35 size_t len, uint8_t mac[16])
36 {
37 struct bt_mesh_sg sg = {.data = m, .len = len};
38
39 return bt_mesh_aes_cmac_mesh_key(key, &sg, 1, mac);
40 }
41
bt_mesh_sha256_hmac_one_raw_key(const uint8_t key[32],const void * m,size_t len,uint8_t mac[32])42 static int bt_mesh_sha256_hmac_one_raw_key(const uint8_t key[32], const void *m, size_t len,
43 uint8_t mac[32])
44 {
45 struct bt_mesh_sg sg = {.data = m, .len = len};
46
47 return bt_mesh_sha256_hmac_raw_key(key, &sg, 1, mac);
48 }
49
bt_mesh_s1(const char * m,size_t m_len,uint8_t salt[16])50 int bt_mesh_s1(const char *m, size_t m_len, uint8_t salt[16])
51 {
52 const uint8_t zero[16] = { 0 };
53
54 return bt_mesh_aes_cmac_one_raw_key(zero, m, m_len, salt);
55 }
56
bt_mesh_s2(const char * m,size_t m_len,uint8_t salt[32])57 int bt_mesh_s2(const char *m, size_t m_len, uint8_t salt[32])
58 {
59 const uint8_t zero[32] = { 0 };
60
61 return bt_mesh_sha256_hmac_one_raw_key(zero, m, m_len, salt);
62 }
63
bt_mesh_k1(const uint8_t * ikm,size_t ikm_len,const uint8_t salt[16],const char * info,uint8_t okm[16])64 int bt_mesh_k1(const uint8_t *ikm, size_t ikm_len, const uint8_t salt[16],
65 const char *info, uint8_t okm[16])
66 {
67 int err;
68
69 err = bt_mesh_aes_cmac_one_raw_key(salt, ikm, ikm_len, okm);
70 if (err < 0) {
71 return err;
72 }
73
74 return bt_mesh_aes_cmac_one_raw_key(okm, info, strlen(info), okm);
75 }
76
bt_mesh_k2(const uint8_t n[16],const uint8_t * p,size_t p_len,uint8_t net_id[1],struct bt_mesh_key * enc_key,struct bt_mesh_key * priv_key)77 int bt_mesh_k2(const uint8_t n[16], const uint8_t *p, size_t p_len,
78 uint8_t net_id[1], struct bt_mesh_key *enc_key, struct bt_mesh_key *priv_key)
79 {
80 struct bt_mesh_sg sg[3];
81 uint8_t salt[16];
82 uint8_t out[16];
83 uint8_t t[16];
84 uint8_t pad;
85 int err;
86
87 LOG_DBG("n %s", bt_hex(n, 16));
88 LOG_DBG("p %s", bt_hex(p, p_len));
89
90 err = bt_mesh_s1_str("smk2", salt);
91 if (err) {
92 return err;
93 }
94
95 err = bt_mesh_aes_cmac_one_raw_key(salt, n, 16, t);
96 if (err) {
97 return err;
98 }
99
100 pad = 0x01;
101
102 sg[0].data = NULL;
103 sg[0].len = 0;
104 sg[1].data = p;
105 sg[1].len = p_len;
106 sg[2].data = &pad;
107 sg[2].len = sizeof(pad);
108
109 err = bt_mesh_aes_cmac_raw_key(t, sg, ARRAY_SIZE(sg), out);
110 if (err) {
111 return err;
112 }
113
114 net_id[0] = out[15] & 0x7f;
115
116 sg[0].data = out;
117 sg[0].len = sizeof(out);
118 pad = 0x02;
119
120 err = bt_mesh_aes_cmac_raw_key(t, sg, ARRAY_SIZE(sg), out);
121 if (err) {
122 return err;
123 }
124
125 err = bt_mesh_key_import(BT_MESH_KEY_TYPE_CCM, out, enc_key);
126 if (err) {
127 return err;
128 }
129
130 pad = 0x03;
131
132 err = bt_mesh_aes_cmac_raw_key(t, sg, ARRAY_SIZE(sg), out);
133 if (err) {
134 return err;
135 }
136
137 err = bt_mesh_key_import(BT_MESH_KEY_TYPE_ECB, out, priv_key);
138 if (err) {
139 return err;
140 }
141
142 LOG_DBG("NID 0x%02x enc_key %s", net_id[0], bt_hex(enc_key, sizeof(struct bt_mesh_key)));
143 LOG_DBG("priv_key %s", bt_hex(priv_key, sizeof(struct bt_mesh_key)));
144
145 return 0;
146 }
147
bt_mesh_k3(const uint8_t n[16],uint8_t out[8])148 int bt_mesh_k3(const uint8_t n[16], uint8_t out[8])
149 {
150 uint8_t id64[] = { 'i', 'd', '6', '4', 0x01 };
151 uint8_t tmp[16];
152 uint8_t t[16];
153 int err;
154
155 err = bt_mesh_s1_str("smk3", tmp);
156 if (err) {
157 return err;
158 }
159
160 err = bt_mesh_aes_cmac_one_raw_key(tmp, n, 16, t);
161 if (err) {
162 return err;
163 }
164
165 err = bt_mesh_aes_cmac_one_raw_key(t, id64, sizeof(id64), tmp);
166 if (err) {
167 return err;
168 }
169
170 memcpy(out, tmp + 8, 8);
171
172 return 0;
173 }
174
bt_mesh_k4(const uint8_t n[16],uint8_t out[1])175 int bt_mesh_k4(const uint8_t n[16], uint8_t out[1])
176 {
177 uint8_t id6[] = { 'i', 'd', '6', 0x01 };
178 uint8_t tmp[16];
179 uint8_t t[16];
180 int err;
181
182 err = bt_mesh_s1_str("smk4", tmp);
183 if (err) {
184 return err;
185 }
186
187 err = bt_mesh_aes_cmac_one_raw_key(tmp, n, 16, t);
188 if (err) {
189 return err;
190 }
191
192 err = bt_mesh_aes_cmac_one_raw_key(t, id6, sizeof(id6), tmp);
193 if (err) {
194 return err;
195 }
196
197 out[0] = tmp[15] & BIT_MASK(6);
198
199 return 0;
200 }
201
bt_mesh_k5(const uint8_t * n,size_t n_len,const uint8_t salt[32],uint8_t * p,uint8_t out[32])202 int bt_mesh_k5(const uint8_t *n, size_t n_len, const uint8_t salt[32],
203 uint8_t *p, uint8_t out[32])
204 {
205 uint8_t t[32];
206 int err;
207
208 err = bt_mesh_sha256_hmac_one_raw_key(salt, n, n_len, t);
209 if (err) {
210 return err;
211 }
212
213 err = bt_mesh_sha256_hmac_one_raw_key(t, p, strlen(p), out);
214 if (err) {
215 return err;
216 }
217
218 return 0;
219 }
220
bt_mesh_id128(const uint8_t n[16],const char * s,enum bt_mesh_key_type type,struct bt_mesh_key * out)221 int bt_mesh_id128(const uint8_t n[16], const char *s, enum bt_mesh_key_type type,
222 struct bt_mesh_key *out)
223 {
224 const char *id128 = "id128\x01";
225 uint8_t salt[16];
226 uint8_t k1_out[16];
227 int err;
228
229 err = bt_mesh_s1_str(s, salt);
230 if (err) {
231 return err;
232 }
233
234 err = bt_mesh_k1(n, 16, salt, id128, k1_out);
235 if (err) {
236 return err;
237 }
238
239 err = bt_mesh_key_import(type, k1_out, out);
240 if (err) {
241 return err;
242 }
243
244 return 0;
245 }
246
bt_mesh_prov_nonce(const uint8_t dhkey[32],const uint8_t prov_salt[16],uint8_t nonce[13])247 int bt_mesh_prov_nonce(const uint8_t dhkey[32], const uint8_t prov_salt[16], uint8_t nonce[13])
248 {
249 uint8_t tmp[16];
250 int err;
251
252 err = bt_mesh_k1(dhkey, 32, prov_salt, "prsn", tmp);
253 if (!err) {
254 memcpy(nonce, tmp + 3, 13);
255 }
256
257 return err;
258 }
259
bt_mesh_session_key(const uint8_t dhkey[32],const uint8_t prov_salt[16],struct bt_mesh_key * session_key)260 int bt_mesh_session_key(const uint8_t dhkey[32], const uint8_t prov_salt[16],
261 struct bt_mesh_key *session_key)
262 {
263 uint8_t raw_key[16];
264 int err;
265
266 err = bt_mesh_k1(dhkey, 32, prov_salt, "prsk", raw_key);
267
268 if (!err) {
269 LOG_DBG("SessionKey: %s", bt_hex(raw_key, 16));
270 err = bt_mesh_key_import(BT_MESH_KEY_TYPE_CCM, raw_key, session_key);
271 }
272
273 return err;
274 }
275
bt_mesh_dev_key(const uint8_t dhkey[32],const uint8_t prov_salt[16],uint8_t dev_key[16])276 int bt_mesh_dev_key(const uint8_t dhkey[32], const uint8_t prov_salt[16], uint8_t dev_key[16])
277 {
278 int err;
279
280 err = bt_mesh_k1(dhkey, 32, prov_salt, "prdk", dev_key);
281
282 if (!err) {
283 LOG_DBG("DevKey: %s", bt_hex(dev_key, 16));
284 }
285
286 return err;
287 }
288
create_proxy_nonce(uint8_t nonce[13],const uint8_t * pdu,uint32_t iv_index)289 static void create_proxy_nonce(uint8_t nonce[13], const uint8_t *pdu,
290 uint32_t iv_index)
291 {
292 memset(nonce, 0, 13);
293
294 /* Nonce Type */
295 nonce[0] = 0x03;
296
297 /* Sequence Number */
298 nonce[2] = pdu[2];
299 nonce[3] = pdu[3];
300 nonce[4] = pdu[4];
301
302 /* Source Address */
303 nonce[5] = pdu[5];
304 nonce[6] = pdu[6];
305
306 /* IV Index */
307 sys_put_be32(iv_index, &nonce[9]);
308 }
309
create_proxy_sol_nonce(uint8_t nonce[13],const uint8_t * pdu)310 static void create_proxy_sol_nonce(uint8_t nonce[13], const uint8_t *pdu)
311 {
312 memset(nonce, 0, 13);
313
314 /* Nonce Type */
315 nonce[0] = 0x04;
316
317 /* Sequence Number */
318 nonce[2] = pdu[2];
319 nonce[3] = pdu[3];
320 nonce[4] = pdu[4];
321
322 /* Source Address */
323 nonce[5] = pdu[5];
324 nonce[6] = pdu[6];
325 }
326
create_net_nonce(uint8_t nonce[13],const uint8_t * pdu,uint32_t iv_index)327 static void create_net_nonce(uint8_t nonce[13], const uint8_t *pdu,
328 uint32_t iv_index)
329 {
330 /* Nonce Type */
331 nonce[0] = 0x00;
332
333 /* FRND + TTL */
334 nonce[1] = pdu[1];
335
336 /* Sequence Number */
337 nonce[2] = pdu[2];
338 nonce[3] = pdu[3];
339 nonce[4] = pdu[4];
340
341 /* Source Address */
342 nonce[5] = pdu[5];
343 nonce[6] = pdu[6];
344
345 /* Pad */
346 nonce[7] = 0U;
347 nonce[8] = 0U;
348
349 /* IV Index */
350 sys_put_be32(iv_index, &nonce[9]);
351 }
352
bt_mesh_net_obfuscate(uint8_t * pdu,uint32_t iv_index,const struct bt_mesh_key * privacy_key)353 int bt_mesh_net_obfuscate(uint8_t *pdu, uint32_t iv_index, const struct bt_mesh_key *privacy_key)
354 {
355 uint8_t priv_rand[16] = { 0x00, 0x00, 0x00, 0x00, 0x00, };
356 uint8_t tmp[16];
357 int err, i;
358
359 LOG_DBG("IVIndex %u, PrivacyKey %s", iv_index,
360 bt_hex(privacy_key, sizeof(struct bt_mesh_key)));
361
362 sys_put_be32(iv_index, &priv_rand[5]);
363 memcpy(&priv_rand[9], &pdu[7], 7);
364
365 LOG_DBG("PrivacyRandom %s", bt_hex(priv_rand, 16));
366
367 err = bt_mesh_encrypt(privacy_key, priv_rand, tmp);
368 if (err) {
369 return err;
370 }
371
372 for (i = 0; i < 6; i++) {
373 pdu[1 + i] ^= tmp[i];
374 }
375
376 return 0;
377 }
378
bt_mesh_net_encrypt(const struct bt_mesh_key * key,struct net_buf_simple * buf,uint32_t iv_index,enum bt_mesh_nonce_type type)379 int bt_mesh_net_encrypt(const struct bt_mesh_key *key, struct net_buf_simple *buf,
380 uint32_t iv_index, enum bt_mesh_nonce_type type)
381 {
382 uint8_t mic_len = NET_MIC_LEN(buf->data);
383 uint8_t nonce[13];
384 int err;
385
386 LOG_DBG("IVIndex %u EncKey %s mic_len %u", iv_index,
387 bt_hex(key, sizeof(struct bt_mesh_key)), mic_len);
388 LOG_DBG("PDU (len %u) %s", buf->len, bt_hex(buf->data, buf->len));
389
390 if (IS_ENABLED(CONFIG_BT_MESH_PROXY) && type == BT_MESH_NONCE_PROXY) {
391 create_proxy_nonce(nonce, buf->data, iv_index);
392 } else if (IS_ENABLED(CONFIG_BT_MESH_OD_PRIV_PROXY_SRV) &&
393 type == BT_MESH_NONCE_SOLICITATION) {
394 create_proxy_sol_nonce(nonce, buf->data);
395 } else {
396 create_net_nonce(nonce, buf->data, iv_index);
397 }
398
399 LOG_DBG("Nonce %s", bt_hex(nonce, 13));
400
401 err = bt_mesh_ccm_encrypt(key, nonce, &buf->data[7], buf->len - 7, NULL, 0,
402 &buf->data[7], mic_len);
403 if (!err) {
404 net_buf_simple_add(buf, mic_len);
405 }
406
407 return err;
408 }
409
bt_mesh_net_decrypt(const struct bt_mesh_key * key,struct net_buf_simple * buf,uint32_t iv_index,enum bt_mesh_nonce_type type)410 int bt_mesh_net_decrypt(const struct bt_mesh_key *key, struct net_buf_simple *buf,
411 uint32_t iv_index, enum bt_mesh_nonce_type type)
412 {
413 uint8_t mic_len = NET_MIC_LEN(buf->data);
414 uint8_t nonce[13];
415
416 LOG_DBG("PDU (%u bytes) %s", buf->len, bt_hex(buf->data, buf->len));
417 LOG_DBG("iv_index %u, key %s mic_len %u", iv_index, bt_hex(key, sizeof(struct bt_mesh_key)),
418 mic_len);
419
420 if (IS_ENABLED(CONFIG_BT_MESH_PROXY) && type == BT_MESH_NONCE_PROXY) {
421 create_proxy_nonce(nonce, buf->data, iv_index);
422 } else if (IS_ENABLED(CONFIG_BT_MESH_SOLICITATION) &&
423 type == BT_MESH_NONCE_SOLICITATION) {
424 create_proxy_sol_nonce(nonce, buf->data);
425 } else {
426 create_net_nonce(nonce, buf->data, iv_index);
427 }
428
429 LOG_DBG("Nonce %s", bt_hex(nonce, 13));
430
431 buf->len -= mic_len;
432
433 return bt_mesh_ccm_decrypt(key, nonce, &buf->data[7], buf->len - 7, NULL, 0,
434 &buf->data[7], mic_len);
435 }
436
create_app_nonce(uint8_t nonce[13],const struct bt_mesh_app_crypto_ctx * ctx)437 static void create_app_nonce(uint8_t nonce[13],
438 const struct bt_mesh_app_crypto_ctx *ctx)
439 {
440 if (ctx->dev_key) {
441 nonce[0] = 0x02;
442 } else {
443 nonce[0] = 0x01;
444 }
445
446 sys_put_be32((ctx->seq_num | ((uint32_t)ctx->aszmic << 31)), &nonce[1]);
447
448 sys_put_be16(ctx->src, &nonce[5]);
449 sys_put_be16(ctx->dst, &nonce[7]);
450
451 sys_put_be32(ctx->iv_index, &nonce[9]);
452 }
453
bt_mesh_app_encrypt(const struct bt_mesh_key * key,const struct bt_mesh_app_crypto_ctx * ctx,struct net_buf_simple * buf)454 int bt_mesh_app_encrypt(const struct bt_mesh_key *key, const struct bt_mesh_app_crypto_ctx *ctx,
455 struct net_buf_simple *buf)
456 {
457 uint8_t nonce[13];
458 int err;
459
460 LOG_DBG("AppKey %s", bt_hex(key, sizeof(struct bt_mesh_key)));
461 LOG_DBG("dev_key %u src 0x%04x dst 0x%04x", ctx->dev_key, ctx->src, ctx->dst);
462 LOG_DBG("seq_num 0x%08x iv_index 0x%08x", ctx->seq_num, ctx->iv_index);
463 LOG_DBG("Clear: %s", bt_hex(buf->data, buf->len));
464
465 create_app_nonce(nonce, ctx);
466
467 LOG_DBG("Nonce %s", bt_hex(nonce, 13));
468
469 err = bt_mesh_ccm_encrypt(key, nonce, buf->data, buf->len, ctx->ad,
470 ctx->ad ? 16 : 0, buf->data,
471 APP_MIC_LEN(ctx->aszmic));
472 if (!err) {
473 net_buf_simple_add(buf, APP_MIC_LEN(ctx->aszmic));
474 LOG_DBG("Encr: %s", bt_hex(buf->data, buf->len));
475 }
476
477 return err;
478 }
479
bt_mesh_app_decrypt(const struct bt_mesh_key * key,const struct bt_mesh_app_crypto_ctx * ctx,struct net_buf_simple * buf,struct net_buf_simple * out)480 int bt_mesh_app_decrypt(const struct bt_mesh_key *key, const struct bt_mesh_app_crypto_ctx *ctx,
481 struct net_buf_simple *buf, struct net_buf_simple *out)
482 {
483 uint8_t nonce[13];
484 int err;
485
486 LOG_DBG("EncData (len %u) %s", buf->len, bt_hex(buf->data, buf->len));
487
488 create_app_nonce(nonce, ctx);
489
490 LOG_DBG("AppKey %s", bt_hex(key, sizeof(struct bt_mesh_key)));
491 LOG_DBG("Nonce %s", bt_hex(nonce, 13));
492
493 err = bt_mesh_ccm_decrypt(key, nonce, buf->data, buf->len, ctx->ad,
494 ctx->ad ? 16 : 0, out->data,
495 APP_MIC_LEN(ctx->aszmic));
496 if (!err) {
497 net_buf_simple_add(out, buf->len);
498 }
499
500 return err;
501 }
502
503 /* reversed, 8-bit, poly=0x07 */
504 static const uint8_t crc_table[256] = {
505 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
506 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
507 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
508 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
509
510 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
511 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
512 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
513 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
514
515 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
516 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
517 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
518 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
519
520 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
521 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
522 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
523 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
524
525 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
526 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
527 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
528 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
529
530 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
531 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
532 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
533 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
534
535 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
536 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
537 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
538 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
539
540 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
541 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
542 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
543 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
544 };
545
bt_mesh_fcs_calc(const uint8_t * data,uint8_t data_len)546 uint8_t bt_mesh_fcs_calc(const uint8_t *data, uint8_t data_len)
547 {
548 uint8_t fcs = 0xff;
549
550 while (data_len--) {
551 fcs = crc_table[fcs ^ *data++];
552 }
553
554 LOG_DBG("fcs 0x%02x", 0xff - fcs);
555
556 return 0xff - fcs;
557 }
558
bt_mesh_fcs_check(struct net_buf_simple * buf,uint8_t received_fcs)559 bool bt_mesh_fcs_check(struct net_buf_simple *buf, uint8_t received_fcs)
560 {
561 const uint8_t *data = buf->data;
562 uint16_t data_len = buf->len;
563 uint8_t fcs = 0xff;
564
565 while (data_len--) {
566 fcs = crc_table[fcs ^ *data++];
567 }
568
569 return crc_table[fcs ^ received_fcs] == 0xcf;
570 }
571
bt_mesh_virtual_addr(const uint8_t virtual_label[16],uint16_t * addr)572 int bt_mesh_virtual_addr(const uint8_t virtual_label[16], uint16_t *addr)
573 {
574 uint8_t salt[16];
575 uint8_t tmp[16];
576 int err;
577
578 err = bt_mesh_s1_str("vtad", salt);
579 if (err) {
580 return err;
581 }
582
583 err = bt_mesh_aes_cmac_one_raw_key(salt, virtual_label, 16, tmp);
584 if (err) {
585 return err;
586 }
587
588 *addr = (sys_get_be16(&tmp[14]) & 0x3fff) | 0x8000;
589
590 return 0;
591 }
592
bt_mesh_prov_salt(uint8_t algorithm,const uint8_t * conf_salt,const uint8_t * prov_rand,const uint8_t * dev_rand,uint8_t * prov_salt)593 int bt_mesh_prov_salt(uint8_t algorithm,
594 const uint8_t *conf_salt,
595 const uint8_t *prov_rand,
596 const uint8_t *dev_rand,
597 uint8_t *prov_salt)
598 {
599 uint8_t size = algorithm ? 32 : 16;
600 const uint8_t prov_salt_key[16] = { 0 };
601 struct bt_mesh_sg sg[] = {
602 { conf_salt, size },
603 { prov_rand, size },
604 { dev_rand, size },
605 };
606
607 return bt_mesh_aes_cmac_raw_key(prov_salt_key, sg, ARRAY_SIZE(sg), prov_salt);
608 }
609
bt_mesh_prov_conf_salt(uint8_t algorithm,const uint8_t conf_inputs[145],uint8_t * salt)610 int bt_mesh_prov_conf_salt(uint8_t algorithm, const uint8_t conf_inputs[145],
611 uint8_t *salt)
612 {
613 if (algorithm == BT_MESH_PROV_AUTH_HMAC_SHA256_AES_CCM &&
614 IS_ENABLED(CONFIG_BT_MESH_ECDH_P256_HMAC_SHA256_AES_CCM)) {
615
616 return bt_mesh_s2(conf_inputs, 145, salt);
617 }
618
619 if (algorithm == BT_MESH_PROV_AUTH_CMAC_AES128_AES_CCM &&
620 IS_ENABLED(CONFIG_BT_MESH_ECDH_P256_CMAC_AES128_AES_CCM)) {
621
622 return bt_mesh_s1(conf_inputs, 145, salt);
623 }
624
625 return -EINVAL;
626 }
627
bt_mesh_prov_conf_key(uint8_t algorithm,const uint8_t * k_input,const uint8_t * conf_salt,uint8_t * conf_key)628 int bt_mesh_prov_conf_key(uint8_t algorithm, const uint8_t *k_input,
629 const uint8_t *conf_salt, uint8_t *conf_key)
630 {
631 if (algorithm == BT_MESH_PROV_AUTH_HMAC_SHA256_AES_CCM &&
632 IS_ENABLED(CONFIG_BT_MESH_ECDH_P256_HMAC_SHA256_AES_CCM)) {
633
634 return bt_mesh_k5(k_input, 64, conf_salt, "prck256", conf_key);
635 }
636
637 if (algorithm == BT_MESH_PROV_AUTH_CMAC_AES128_AES_CCM &&
638 IS_ENABLED(CONFIG_BT_MESH_ECDH_P256_CMAC_AES128_AES_CCM)) {
639
640 return bt_mesh_k1(k_input, 32, conf_salt, "prck", conf_key);
641 }
642
643 return -EINVAL;
644 }
645
bt_mesh_prov_conf(uint8_t algorithm,const uint8_t * conf_key,const uint8_t * prov_rand,const uint8_t * auth,uint8_t * conf)646 int bt_mesh_prov_conf(uint8_t algorithm, const uint8_t *conf_key,
647 const uint8_t *prov_rand, const uint8_t *auth, uint8_t *conf)
648 {
649 uint8_t auth_size = algorithm ? 32 : 16;
650
651 LOG_DBG("ConfirmationKey %s", bt_hex(conf_key, auth_size));
652 LOG_DBG("RandomDevice %s", bt_hex(prov_rand, auth_size));
653 LOG_DBG("AuthValue %s", bt_hex(auth, auth_size));
654
655 if (algorithm == BT_MESH_PROV_AUTH_HMAC_SHA256_AES_CCM &&
656 IS_ENABLED(CONFIG_BT_MESH_ECDH_P256_HMAC_SHA256_AES_CCM)) {
657
658 return bt_mesh_sha256_hmac_one_raw_key(conf_key, prov_rand, 32, conf);
659 }
660
661 if (algorithm == BT_MESH_PROV_AUTH_CMAC_AES128_AES_CCM &&
662 IS_ENABLED(CONFIG_BT_MESH_ECDH_P256_CMAC_AES128_AES_CCM)) {
663 struct bt_mesh_sg sg[] = { { prov_rand, 16 }, { auth, 16 } };
664
665 return bt_mesh_aes_cmac_raw_key(conf_key, sg, ARRAY_SIZE(sg), conf);
666 }
667
668 return -EINVAL;
669 }
670
bt_mesh_prov_decrypt(struct bt_mesh_key * key,uint8_t nonce[13],const uint8_t data[25+8],uint8_t out[25])671 int bt_mesh_prov_decrypt(struct bt_mesh_key *key, uint8_t nonce[13], const uint8_t data[25 + 8],
672 uint8_t out[25])
673 {
674 int err;
675
676 err = bt_mesh_ccm_decrypt(key, nonce, data, 25, NULL, 0, out, 8);
677
678 return err;
679 }
680
bt_mesh_prov_encrypt(struct bt_mesh_key * key,uint8_t nonce[13],const uint8_t data[25],uint8_t out[25+8])681 int bt_mesh_prov_encrypt(struct bt_mesh_key *key, uint8_t nonce[13], const uint8_t data[25],
682 uint8_t out[25 + 8])
683 {
684 int err;
685
686 err = bt_mesh_ccm_encrypt(key, nonce, data, 25, NULL, 0, out, 8);
687
688 return err;
689 }
690
bt_mesh_beacon_auth(const struct bt_mesh_key * beacon_key,uint8_t flags,const uint8_t net_id[8],uint32_t iv_index,uint8_t auth[8])691 int bt_mesh_beacon_auth(const struct bt_mesh_key *beacon_key, uint8_t flags,
692 const uint8_t net_id[8], uint32_t iv_index, uint8_t auth[8])
693 {
694 uint8_t msg[13], tmp[16];
695 int err;
696
697 LOG_DBG("BeaconKey %s", bt_hex(beacon_key, sizeof(struct bt_mesh_key)));
698 LOG_DBG("NetId %s", bt_hex(net_id, 8));
699 LOG_DBG("IV Index 0x%08x", iv_index);
700
701 msg[0] = flags;
702 memcpy(&msg[1], net_id, 8);
703 sys_put_be32(iv_index, &msg[9]);
704
705 LOG_DBG("BeaconMsg %s", bt_hex(msg, sizeof(msg)));
706
707 err = bt_mesh_aes_cmac_one_mesh_key(beacon_key, msg, sizeof(msg), tmp);
708 if (!err) {
709 memcpy(auth, tmp, 8);
710 }
711
712 return err;
713 }
714
private_beacon_obf(const struct bt_mesh_key * pbk,const uint8_t data[5],const uint8_t random[13],uint8_t out[5])715 static int private_beacon_obf(const struct bt_mesh_key *pbk, const uint8_t data[5],
716 const uint8_t random[13], uint8_t out[5])
717 {
718 uint8_t salt[16];
719 int i, err;
720
721 /* C1 = 0x01 | random | 0x0001 */
722 salt[0] = 0x01;
723 memcpy(&salt[1], random, 13);
724 sys_put_be16(0x0001, &salt[14]);
725
726 /* ObfData = e(pbk, C1) ^ (flags | iv_index) */
727 err = bt_mesh_encrypt(pbk, salt, salt);
728 if (err) {
729 return err;
730 }
731
732 for (i = 0; i < 5; i++) {
733 out[i] = data[i] ^ salt[i];
734 }
735
736
737 return 0;
738 }
739
private_beacon_auth(const struct bt_mesh_key * pbk,const uint8_t beacon_data[5],const uint8_t random[13],uint8_t auth[8])740 static int private_beacon_auth(const struct bt_mesh_key *pbk,
741 const uint8_t beacon_data[5],
742 const uint8_t random[13], uint8_t auth[8])
743 {
744 uint8_t salt[16], tmp[16];
745 int i, err;
746
747 /* B0 = 0x19 | random | 0x0005 */
748 salt[0] = 0x19;
749 memcpy(&salt[1], random, 13);
750 sys_put_be16(0x0005, &salt[14]);
751
752 /* T0 = e(PBK, b0) */
753 err = bt_mesh_encrypt(pbk, salt, tmp);
754 if (err) {
755 return err;
756 }
757
758 /* P = flags | iv_index | 000 */
759 /* T1 = e(PBK, P ^ T0) */
760 for (i = 0; i < 5; i++) {
761 tmp[i] ^= beacon_data[i];
762 }
763
764 err = bt_mesh_encrypt(pbk, tmp, tmp);
765 if (err) {
766 return err;
767 }
768
769 /* C0 = 0x01 | random | 0x0000 */
770 salt[0] = 0x01;
771 sys_put_be16(0x0000, &salt[14]);
772
773 /* T2 = T1 ^ e(PBK, C0) */
774 memcpy(auth, tmp, 8);
775
776 err = bt_mesh_encrypt(pbk, salt, tmp);
777 if (err) {
778 return err;
779 }
780
781 /* Auth = T2[0..7] */
782 for (i = 0; i < 8; i++) {
783 auth[i] ^= tmp[i];
784 }
785
786 return 0;
787 }
788
bt_mesh_beacon_decrypt(const struct bt_mesh_key * pbk,const uint8_t random[13],const uint8_t data[5],const uint8_t expected_auth[8],uint8_t out[5])789 int bt_mesh_beacon_decrypt(const struct bt_mesh_key *pbk, const uint8_t random[13],
790 const uint8_t data[5], const uint8_t expected_auth[8], uint8_t out[5])
791 {
792 uint8_t auth[8];
793 int err;
794
795 LOG_DBG("");
796
797 err = private_beacon_obf(pbk, data, random, out);
798 if (err) {
799 return err;
800 }
801
802 err = private_beacon_auth(pbk, out, random, auth);
803 if (err) {
804 return err;
805 }
806
807 LOG_DBG("0x%02x, 0x%08x", out[0], sys_get_be32(&out[1]));
808
809 if (memcmp(auth, expected_auth, 8)) {
810 LOG_DBG("Invalid auth rx: %s", bt_hex(auth, 8));
811 LOG_DBG("Expected auth: %s", bt_hex(expected_auth, 8));
812 return -EBADMSG;
813 }
814
815 return 0;
816 }
817
bt_mesh_beacon_encrypt(const struct bt_mesh_key * pbk,uint8_t flags,uint32_t iv_index,const uint8_t random[13],uint8_t data[5],uint8_t auth[8])818 int bt_mesh_beacon_encrypt(const struct bt_mesh_key *pbk, uint8_t flags, uint32_t iv_index,
819 const uint8_t random[13], uint8_t data[5], uint8_t auth[8])
820 {
821 int err;
822
823 LOG_WRN("Enc beacon: 0x%02x, 0x%08x", flags, iv_index);
824
825 data[0] = flags;
826 sys_put_be32(iv_index, &data[1]);
827
828 err = private_beacon_auth(pbk, data, random, auth);
829 if (err) {
830 return err;
831 }
832
833 return private_beacon_obf(pbk, data, random, data);
834 }
835
