1 /* Bluetooth Mesh */
2
3 /*
4 * SPDX-FileCopyrightText: 2017 Intel Corporation
5 * SPDX-FileContributor: 2018-2021 Espressif Systems (Shanghai) CO LTD
6 *
7 * SPDX-License-Identifier: Apache-2.0
8 */
9
10 #include <string.h>
11 #include <stdbool.h>
12 #include <errno.h>
13
14 #include <tinycrypt/aes.h>
15 #include <tinycrypt/constants.h>
16 #include <tinycrypt/cmac_mode.h>
17
18 #include "crypto.h"
19 #include "mesh_common.h"
20 #include "mesh_bearer_adapt.h"
21
22 #define NET_MIC_LEN(pdu) (((pdu)[1] & 0x80) ? 8 : 4)
23 #define APP_MIC_LEN(aszmic) ((aszmic) ? 8 : 4)
24
bt_mesh_aes_cmac(const uint8_t key[16],struct bt_mesh_sg * sg,size_t sg_len,uint8_t mac[16])25 int bt_mesh_aes_cmac(const uint8_t key[16], struct bt_mesh_sg *sg,
26 size_t sg_len, uint8_t mac[16])
27 {
28 struct tc_aes_key_sched_struct sched = {0};
29 struct tc_cmac_struct state = {0};
30
31 if (tc_cmac_setup(&state, key, &sched) == TC_CRYPTO_FAIL) {
32 return -EIO;
33 }
34
35 for (; sg_len; sg_len--, sg++) {
36 if (tc_cmac_update(&state, sg->data,
37 sg->len) == TC_CRYPTO_FAIL) {
38 return -EIO;
39 }
40 }
41
42 if (tc_cmac_final(mac, &state) == TC_CRYPTO_FAIL) {
43 return -EIO;
44 }
45
46 return 0;
47 }
48
bt_mesh_k1(const uint8_t * ikm,size_t ikm_len,const uint8_t salt[16],const char * info,uint8_t okm[16])49 int bt_mesh_k1(const uint8_t *ikm, size_t ikm_len, const uint8_t salt[16],
50 const char *info, uint8_t okm[16])
51 {
52 int err = 0;
53
54 err = bt_mesh_aes_cmac_one(salt, ikm, ikm_len, okm);
55 if (err < 0) {
56 return err;
57 }
58
59 return bt_mesh_aes_cmac_one(okm, info, strlen(info), okm);
60 }
61
bt_mesh_k2(const uint8_t n[16],const uint8_t * p,size_t p_len,uint8_t net_id[1],uint8_t enc_key[16],uint8_t priv_key[16])62 int bt_mesh_k2(const uint8_t n[16], const uint8_t *p, size_t p_len,
63 uint8_t net_id[1], uint8_t enc_key[16], uint8_t priv_key[16])
64 {
65 struct bt_mesh_sg sg[3] = {0};
66 uint8_t salt[16] = {0};
67 uint8_t out[16] = {0};
68 uint8_t t[16] = {0};
69 uint8_t pad = 0U;
70 int err = 0;
71
72 BT_DBG("n %s", bt_hex(n, 16));
73 BT_DBG("p %s", bt_hex(p, p_len));
74
75 err = bt_mesh_s1("smk2", salt);
76 if (err) {
77 return err;
78 }
79
80 err = bt_mesh_aes_cmac_one(salt, n, 16, t);
81 if (err) {
82 return err;
83 }
84
85 pad = 0x01;
86
87 sg[0].data = NULL;
88 sg[0].len = 0;
89 sg[1].data = p;
90 sg[1].len = p_len;
91 sg[2].data = &pad;
92 sg[2].len = sizeof(pad);
93
94 err = bt_mesh_aes_cmac(t, sg, ARRAY_SIZE(sg), out);
95 if (err) {
96 return err;
97 }
98
99 net_id[0] = out[15] & 0x7f;
100
101 sg[0].data = out;
102 sg[0].len = sizeof(out);
103 pad = 0x02;
104
105 err = bt_mesh_aes_cmac(t, sg, ARRAY_SIZE(sg), out);
106 if (err) {
107 return err;
108 }
109
110 memcpy(enc_key, out, 16);
111
112 pad = 0x03;
113
114 err = bt_mesh_aes_cmac(t, sg, ARRAY_SIZE(sg), out);
115 if (err) {
116 return err;
117 }
118
119 memcpy(priv_key, out, 16);
120
121 BT_DBG("NID 0x%02x enc_key %s", net_id[0], bt_hex(enc_key, 16));
122 BT_DBG("priv_key %s", bt_hex(priv_key, 16));
123
124 return 0;
125 }
126
bt_mesh_k3(const uint8_t n[16],uint8_t out[8])127 int bt_mesh_k3(const uint8_t n[16], uint8_t out[8])
128 {
129 uint8_t id64[] = { 'i', 'd', '6', '4', 0x01 };
130 uint8_t tmp[16] = {0};
131 uint8_t t[16] = {0};
132 int err = 0;
133
134 err = bt_mesh_s1("smk3", tmp);
135 if (err) {
136 return err;
137 }
138
139 err = bt_mesh_aes_cmac_one(tmp, n, 16, t);
140 if (err) {
141 return err;
142 }
143
144 err = bt_mesh_aes_cmac_one(t, id64, sizeof(id64), tmp);
145 if (err) {
146 return err;
147 }
148
149 memcpy(out, tmp + 8, 8);
150
151 return 0;
152 }
153
bt_mesh_k4(const uint8_t n[16],uint8_t out[1])154 int bt_mesh_k4(const uint8_t n[16], uint8_t out[1])
155 {
156 uint8_t id6[] = { 'i', 'd', '6', 0x01 };
157 uint8_t tmp[16] = {0};
158 uint8_t t[16] = {0};
159 int err = 0;
160
161 err = bt_mesh_s1("smk4", tmp);
162 if (err) {
163 return err;
164 }
165
166 err = bt_mesh_aes_cmac_one(tmp, n, 16, t);
167 if (err) {
168 return err;
169 }
170
171 err = bt_mesh_aes_cmac_one(t, id6, sizeof(id6), tmp);
172 if (err) {
173 return err;
174 }
175
176 out[0] = tmp[15] & BIT_MASK(6);
177
178 return 0;
179 }
180
bt_mesh_id128(const uint8_t n[16],const char * s,uint8_t out[16])181 int bt_mesh_id128(const uint8_t n[16], const char *s, uint8_t out[16])
182 {
183 const char *id128 = "id128\x01";
184 uint8_t salt[16] = {0};
185 int err = 0;
186
187 err = bt_mesh_s1(s, salt);
188 if (err) {
189 return err;
190 }
191
192 return bt_mesh_k1(n, 16, salt, id128, out);
193 }
194
bt_mesh_ccm_decrypt(const uint8_t key[16],uint8_t nonce[13],const uint8_t * enc_msg,size_t msg_len,const uint8_t * aad,size_t aad_len,uint8_t * out_msg,size_t mic_size)195 static int bt_mesh_ccm_decrypt(const uint8_t key[16], uint8_t nonce[13],
196 const uint8_t *enc_msg, size_t msg_len,
197 const uint8_t *aad, size_t aad_len,
198 uint8_t *out_msg, size_t mic_size)
199 {
200 uint8_t msg[16] = {0}, pmsg[16] = {0}, cmic[16] = {0},
201 cmsg[16] = {0}, Xn[16] = {0}, mic[16] = {0};
202 uint16_t last_blk = 0U, blk_cnt = 0U;
203 size_t i = 0U, j = 0U;
204 int err = 0;
205
206 if (msg_len < 1 || aad_len >= 0xff00) {
207 return -EINVAL;
208 }
209
210 /* C_mic = e(AppKey, 0x01 || nonce || 0x0000) */
211 pmsg[0] = 0x01;
212 memcpy(pmsg + 1, nonce, 13);
213 sys_put_be16(0x0000, pmsg + 14);
214
215 err = bt_mesh_encrypt_be(key, pmsg, cmic);
216 if (err) {
217 return err;
218 }
219
220 /* X_0 = e(AppKey, 0x09 || nonce || length) */
221 if (mic_size == sizeof(uint64_t)) {
222 pmsg[0] = 0x19 | (aad_len ? 0x40 : 0x00);
223 } else {
224 pmsg[0] = 0x09 | (aad_len ? 0x40 : 0x00);
225 }
226
227 memcpy(pmsg + 1, nonce, 13);
228 sys_put_be16(msg_len, pmsg + 14);
229
230 err = bt_mesh_encrypt_be(key, pmsg, Xn);
231 if (err) {
232 return err;
233 }
234
235 /* If AAD is being used to authenticate, include it here */
236 if (aad_len) {
237 sys_put_be16(aad_len, pmsg);
238
239 for (i = 0; i < sizeof(uint16_t); i++) {
240 pmsg[i] = Xn[i] ^ pmsg[i];
241 }
242
243 j = 0;
244 aad_len += sizeof(uint16_t);
245 while (aad_len > 16) {
246 do {
247 pmsg[i] = Xn[i] ^ aad[j];
248 i++, j++;
249 } while (i < 16);
250
251 aad_len -= 16;
252 i = 0;
253
254 err = bt_mesh_encrypt_be(key, pmsg, Xn);
255 if (err) {
256 return err;
257 }
258 }
259
260 for (; i < aad_len; i++, j++) {
261 pmsg[i] = Xn[i] ^ aad[j];
262 }
263
264 for (i = aad_len; i < 16; i++) {
265 pmsg[i] = Xn[i];
266 }
267
268 err = bt_mesh_encrypt_be(key, pmsg, Xn);
269 if (err) {
270 return err;
271 }
272 }
273
274 last_blk = msg_len % 16;
275 blk_cnt = (msg_len + 15) / 16;
276 if (!last_blk) {
277 last_blk = 16U;
278 }
279
280 for (j = 0; j < blk_cnt; j++) {
281 if (j + 1 == blk_cnt) {
282 /* C_1 = e(AppKey, 0x01 || nonce || 0x0001) */
283 pmsg[0] = 0x01;
284 memcpy(pmsg + 1, nonce, 13);
285 sys_put_be16(j + 1, pmsg + 14);
286
287 err = bt_mesh_encrypt_be(key, pmsg, cmsg);
288 if (err) {
289 return err;
290 }
291
292 /* Encrypted = Payload[0-15] ^ C_1 */
293 for (i = 0; i < last_blk; i++) {
294 msg[i] = enc_msg[(j * 16) + i] ^ cmsg[i];
295 }
296
297 memcpy(out_msg + (j * 16), msg, last_blk);
298
299 /* X_1 = e(AppKey, X_0 ^ Payload[0-15]) */
300 for (i = 0; i < last_blk; i++) {
301 pmsg[i] = Xn[i] ^ msg[i];
302 }
303
304 for (i = last_blk; i < 16; i++) {
305 pmsg[i] = Xn[i] ^ 0x00;
306 }
307
308 err = bt_mesh_encrypt_be(key, pmsg, Xn);
309 if (err) {
310 return err;
311 }
312
313 /* MIC = C_mic ^ X_1 */
314 for (i = 0; i < sizeof(mic); i++) {
315 mic[i] = cmic[i] ^ Xn[i];
316 }
317 } else {
318 /* C_1 = e(AppKey, 0x01 || nonce || 0x0001) */
319 pmsg[0] = 0x01;
320 memcpy(pmsg + 1, nonce, 13);
321 sys_put_be16(j + 1, pmsg + 14);
322
323 err = bt_mesh_encrypt_be(key, pmsg, cmsg);
324 if (err) {
325 return err;
326 }
327
328 /* Encrypted = Payload[0-15] ^ C_1 */
329 for (i = 0; i < 16; i++) {
330 msg[i] = enc_msg[(j * 16) + i] ^ cmsg[i];
331 }
332
333 memcpy(out_msg + (j * 16), msg, 16);
334
335 /* X_1 = e(AppKey, X_0 ^ Payload[0-15]) */
336 for (i = 0; i < 16; i++) {
337 pmsg[i] = Xn[i] ^ msg[i];
338 }
339
340 err = bt_mesh_encrypt_be(key, pmsg, Xn);
341 if (err) {
342 return err;
343 }
344 }
345 }
346
347 if (memcmp(mic, enc_msg + msg_len, mic_size)) {
348 return -EBADMSG;
349 }
350
351 return 0;
352 }
353
bt_mesh_ccm_encrypt(const uint8_t key[16],uint8_t nonce[13],const uint8_t * msg,size_t msg_len,const uint8_t * aad,size_t aad_len,uint8_t * out_msg,size_t mic_size)354 static int bt_mesh_ccm_encrypt(const uint8_t key[16], uint8_t nonce[13],
355 const uint8_t *msg, size_t msg_len,
356 const uint8_t *aad, size_t aad_len,
357 uint8_t *out_msg, size_t mic_size)
358 {
359 uint8_t pmsg[16] = {0}, cmic[16] = {0}, cmsg[16] = {0},
360 mic[16] = {0}, Xn[16] = {0};
361 uint16_t blk_cnt = 0U, last_blk = 0U;
362 size_t i = 0U, j = 0U;
363 int err = 0;
364
365 BT_DBG("key %s", bt_hex(key, 16));
366 BT_DBG("nonce %s", bt_hex(nonce, 13));
367 BT_DBG("msg (len %u) %s", msg_len, bt_hex(msg, msg_len));
368 BT_DBG("aad_len %u mic_size %u", aad_len, mic_size);
369
370 /* Unsupported AAD size */
371 if (aad_len >= 0xff00) {
372 return -EINVAL;
373 }
374
375 /* C_mic = e(AppKey, 0x01 || nonce || 0x0000) */
376 pmsg[0] = 0x01;
377 memcpy(pmsg + 1, nonce, 13);
378 sys_put_be16(0x0000, pmsg + 14);
379
380 err = bt_mesh_encrypt_be(key, pmsg, cmic);
381 if (err) {
382 return err;
383 }
384
385 /* X_0 = e(AppKey, 0x09 || nonce || length) */
386 if (mic_size == sizeof(uint64_t)) {
387 pmsg[0] = 0x19 | (aad_len ? 0x40 : 0x00);
388 } else {
389 pmsg[0] = 0x09 | (aad_len ? 0x40 : 0x00);
390 }
391
392 memcpy(pmsg + 1, nonce, 13);
393 sys_put_be16(msg_len, pmsg + 14);
394
395 err = bt_mesh_encrypt_be(key, pmsg, Xn);
396 if (err) {
397 return err;
398 }
399
400 /* If AAD is being used to authenticate, include it here */
401 if (aad_len) {
402 sys_put_be16(aad_len, pmsg);
403
404 for (i = 0; i < sizeof(uint16_t); i++) {
405 pmsg[i] = Xn[i] ^ pmsg[i];
406 }
407
408 j = 0;
409 aad_len += sizeof(uint16_t);
410 while (aad_len > 16) {
411 do {
412 pmsg[i] = Xn[i] ^ aad[j];
413 i++, j++;
414 } while (i < 16);
415
416 aad_len -= 16;
417 i = 0;
418
419 err = bt_mesh_encrypt_be(key, pmsg, Xn);
420 if (err) {
421 return err;
422 }
423 }
424
425 for (; i < aad_len; i++, j++) {
426 pmsg[i] = Xn[i] ^ aad[j];
427 }
428
429 for (i = aad_len; i < 16; i++) {
430 pmsg[i] = Xn[i];
431 }
432
433 err = bt_mesh_encrypt_be(key, pmsg, Xn);
434 if (err) {
435 return err;
436 }
437 }
438
439 last_blk = msg_len % 16;
440 blk_cnt = (msg_len + 15) / 16;
441 if (!last_blk) {
442 last_blk = 16U;
443 }
444
445 for (j = 0; j < blk_cnt; j++) {
446 if (j + 1 == blk_cnt) {
447 /* X_1 = e(AppKey, X_0 ^ Payload[0-15]) */
448 for (i = 0; i < last_blk; i++) {
449 pmsg[i] = Xn[i] ^ msg[(j * 16) + i];
450 }
451 for (i = last_blk; i < 16; i++) {
452 pmsg[i] = Xn[i] ^ 0x00;
453 }
454
455 err = bt_mesh_encrypt_be(key, pmsg, Xn);
456 if (err) {
457 return err;
458 }
459
460 /* MIC = C_mic ^ X_1 */
461 for (i = 0; i < sizeof(mic); i++) {
462 mic[i] = cmic[i] ^ Xn[i];
463 }
464
465 /* C_1 = e(AppKey, 0x01 || nonce || 0x0001) */
466 pmsg[0] = 0x01;
467 memcpy(pmsg + 1, nonce, 13);
468 sys_put_be16(j + 1, pmsg + 14);
469
470 err = bt_mesh_encrypt_be(key, pmsg, cmsg);
471 if (err) {
472 return err;
473 }
474
475 /* Encrypted = Payload[0-15] ^ C_1 */
476 for (i = 0; i < last_blk; i++) {
477 out_msg[(j * 16) + i] =
478 msg[(j * 16) + i] ^ cmsg[i];
479 }
480 } else {
481 /* X_1 = e(AppKey, X_0 ^ Payload[0-15]) */
482 for (i = 0; i < 16; i++) {
483 pmsg[i] = Xn[i] ^ msg[(j * 16) + i];
484 }
485
486 err = bt_mesh_encrypt_be(key, pmsg, Xn);
487 if (err) {
488 return err;
489 }
490
491 /* C_1 = e(AppKey, 0x01 || nonce || 0x0001) */
492 pmsg[0] = 0x01;
493 memcpy(pmsg + 1, nonce, 13);
494 sys_put_be16(j + 1, pmsg + 14);
495
496 err = bt_mesh_encrypt_be(key, pmsg, cmsg);
497 if (err) {
498 return err;
499 }
500
501 /* Encrypted = Payload[0-15] ^ C_N */
502 for (i = 0; i < 16; i++) {
503 out_msg[(j * 16) + i] =
504 msg[(j * 16) + i] ^ cmsg[i];
505 }
506
507 }
508 }
509
510 memcpy(out_msg + msg_len, mic, mic_size);
511
512 return 0;
513 }
514
515 #if defined(CONFIG_BLE_MESH_PROXY)
create_proxy_nonce(uint8_t nonce[13],const uint8_t * pdu,uint32_t iv_index)516 static void create_proxy_nonce(uint8_t nonce[13], const uint8_t *pdu,
517 uint32_t iv_index)
518 {
519 /* Nonce Type */
520 nonce[0] = 0x03;
521
522 /* Pad */
523 nonce[1] = 0x00;
524
525 /* Sequence Number */
526 nonce[2] = pdu[2];
527 nonce[3] = pdu[3];
528 nonce[4] = pdu[4];
529
530 /* Source Address */
531 nonce[5] = pdu[5];
532 nonce[6] = pdu[6];
533
534 /* Pad */
535 nonce[7] = 0U;
536 nonce[8] = 0U;
537
538 /* IV Index */
539 sys_put_be32(iv_index, &nonce[9]);
540 }
541 #endif /* PROXY */
542
create_net_nonce(uint8_t nonce[13],const uint8_t * pdu,uint32_t iv_index)543 static void create_net_nonce(uint8_t nonce[13], const uint8_t *pdu,
544 uint32_t iv_index)
545 {
546 /* Nonce Type */
547 nonce[0] = 0x00;
548
549 /* FRND + TTL */
550 nonce[1] = pdu[1];
551
552 /* Sequence Number */
553 nonce[2] = pdu[2];
554 nonce[3] = pdu[3];
555 nonce[4] = pdu[4];
556
557 /* Source Address */
558 nonce[5] = pdu[5];
559 nonce[6] = pdu[6];
560
561 /* Pad */
562 nonce[7] = 0U;
563 nonce[8] = 0U;
564
565 /* IV Index */
566 sys_put_be32(iv_index, &nonce[9]);
567 }
568
bt_mesh_net_obfuscate(uint8_t * pdu,uint32_t iv_index,const uint8_t privacy_key[16])569 int bt_mesh_net_obfuscate(uint8_t *pdu, uint32_t iv_index,
570 const uint8_t privacy_key[16])
571 {
572 uint8_t priv_rand[16] = { 0x00, 0x00, 0x00, 0x00, 0x00, };
573 uint8_t tmp[16] = {0};
574 int err = 0, i;
575
576 BT_DBG("IVIndex %u, PrivacyKey %s", iv_index, bt_hex(privacy_key, 16));
577
578 sys_put_be32(iv_index, &priv_rand[5]);
579 memcpy(&priv_rand[9], &pdu[7], 7);
580
581 BT_DBG("PrivacyRandom %s", bt_hex(priv_rand, 16));
582
583 err = bt_mesh_encrypt_be(privacy_key, priv_rand, tmp);
584 if (err) {
585 return err;
586 }
587
588 for (i = 0; i < 6; i++) {
589 pdu[1 + i] ^= tmp[i];
590 }
591
592 return 0;
593 }
594
bt_mesh_net_encrypt(const uint8_t key[16],struct net_buf_simple * buf,uint32_t iv_index,bool proxy)595 int bt_mesh_net_encrypt(const uint8_t key[16], struct net_buf_simple *buf,
596 uint32_t iv_index, bool proxy)
597 {
598 uint8_t mic_len = NET_MIC_LEN(buf->data);
599 uint8_t nonce[13] = {0};
600 int err = 0;
601
602 BT_DBG("IVIndex %u EncKey %s mic_len %u", iv_index, bt_hex(key, 16),
603 mic_len);
604 BT_DBG("PDU (len %u) %s", buf->len, bt_hex(buf->data, buf->len));
605
606 #if defined(CONFIG_BLE_MESH_PROXY)
607 if (proxy) {
608 create_proxy_nonce(nonce, buf->data, iv_index);
609 } else {
610 create_net_nonce(nonce, buf->data, iv_index);
611 }
612 #else
613 create_net_nonce(nonce, buf->data, iv_index);
614 #endif
615
616 BT_DBG("Nonce %s", bt_hex(nonce, 13));
617
618 err = bt_mesh_ccm_encrypt(key, nonce, &buf->data[7], buf->len - 7,
619 NULL, 0, &buf->data[7], mic_len);
620 if (!err) {
621 net_buf_simple_add(buf, mic_len);
622 }
623
624 return err;
625 }
626
bt_mesh_net_decrypt(const uint8_t key[16],struct net_buf_simple * buf,uint32_t iv_index,bool proxy)627 int bt_mesh_net_decrypt(const uint8_t key[16], struct net_buf_simple *buf,
628 uint32_t iv_index, bool proxy)
629 {
630 uint8_t mic_len = NET_MIC_LEN(buf->data);
631 uint8_t nonce[13] = {0};
632
633 BT_DBG("PDU (%u bytes) %s", buf->len, bt_hex(buf->data, buf->len));
634 BT_DBG("iv_index %u, key %s mic_len %u", iv_index, bt_hex(key, 16),
635 mic_len);
636
637 #if defined(CONFIG_BLE_MESH_PROXY)
638 if (proxy) {
639 create_proxy_nonce(nonce, buf->data, iv_index);
640 } else {
641 create_net_nonce(nonce, buf->data, iv_index);
642 }
643 #else
644 create_net_nonce(nonce, buf->data, iv_index);
645 #endif
646
647 BT_DBG("Nonce %s", bt_hex(nonce, 13));
648
649 buf->len -= mic_len;
650
651 return bt_mesh_ccm_decrypt(key, nonce, &buf->data[7], buf->len - 7,
652 NULL, 0, &buf->data[7], mic_len);
653 }
654
create_app_nonce(uint8_t nonce[13],bool dev_key,uint8_t aszmic,uint16_t src,uint16_t dst,uint32_t seq_num,uint32_t iv_index)655 static void create_app_nonce(uint8_t nonce[13], bool dev_key, uint8_t aszmic,
656 uint16_t src, uint16_t dst, uint32_t seq_num,
657 uint32_t iv_index)
658 {
659 if (dev_key) {
660 nonce[0] = 0x02;
661 } else {
662 nonce[0] = 0x01;
663 }
664
665 sys_put_be32((seq_num | ((uint32_t)aszmic << 31)), &nonce[1]);
666
667 sys_put_be16(src, &nonce[5]);
668 sys_put_be16(dst, &nonce[7]);
669
670 sys_put_be32(iv_index, &nonce[9]);
671 }
672
bt_mesh_app_encrypt(const uint8_t key[16],bool dev_key,uint8_t aszmic,struct net_buf_simple * buf,const uint8_t * ad,uint16_t src,uint16_t dst,uint32_t seq_num,uint32_t iv_index)673 int bt_mesh_app_encrypt(const uint8_t key[16], bool dev_key, uint8_t aszmic,
674 struct net_buf_simple *buf, const uint8_t *ad,
675 uint16_t src, uint16_t dst, uint32_t seq_num, uint32_t iv_index)
676 {
677 uint8_t nonce[13] = {0};
678 int err = 0;
679
680 BT_DBG("AppKey %s", bt_hex(key, 16));
681 BT_DBG("dev_key %u src 0x%04x dst 0x%04x", dev_key, src, dst);
682 BT_DBG("seq_num 0x%08x iv_index 0x%08x", seq_num, iv_index);
683 BT_DBG("Clear: %s", bt_hex(buf->data, buf->len));
684
685 create_app_nonce(nonce, dev_key, aszmic, src, dst, seq_num, iv_index);
686
687 BT_DBG("Nonce %s", bt_hex(nonce, 13));
688
689 err = bt_mesh_ccm_encrypt(key, nonce, buf->data, buf->len, ad,
690 ad ? 16 : 0, buf->data, APP_MIC_LEN(aszmic));
691 if (!err) {
692 net_buf_simple_add(buf, APP_MIC_LEN(aszmic));
693 BT_DBG("Encr: %s", bt_hex(buf->data, buf->len));
694 }
695
696 return err;
697 }
698
bt_mesh_app_decrypt(const uint8_t key[16],bool dev_key,uint8_t aszmic,struct net_buf_simple * buf,struct net_buf_simple * out,const uint8_t * ad,uint16_t src,uint16_t dst,uint32_t seq_num,uint32_t iv_index)699 int bt_mesh_app_decrypt(const uint8_t key[16], bool dev_key, uint8_t aszmic,
700 struct net_buf_simple *buf, struct net_buf_simple *out,
701 const uint8_t *ad, uint16_t src, uint16_t dst, uint32_t seq_num,
702 uint32_t iv_index)
703 {
704 uint8_t nonce[13] = {0};
705 int err = 0;
706
707 BT_DBG("EncData (len %u) %s", buf->len, bt_hex(buf->data, buf->len));
708
709 create_app_nonce(nonce, dev_key, aszmic, src, dst, seq_num, iv_index);
710
711 BT_DBG("AppKey %s", bt_hex(key, 16));
712 BT_DBG("Nonce %s", bt_hex(nonce, 13));
713
714 err = bt_mesh_ccm_decrypt(key, nonce, buf->data, buf->len, ad,
715 ad ? 16 : 0, out->data, APP_MIC_LEN(aszmic));
716 if (!err) {
717 net_buf_simple_add(out, buf->len);
718 }
719
720 return err;
721 }
722
723 /* reversed, 8-bit, poly=0x07 */
724 static const uint8_t crc_table[256] = {
725 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
726 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
727 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
728 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
729
730 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
731 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
732 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
733 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
734
735 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
736 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
737 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
738 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
739
740 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
741 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
742 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
743 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
744
745 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
746 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
747 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
748 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
749
750 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
751 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
752 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
753 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
754
755 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
756 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
757 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
758 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
759
760 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
761 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
762 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
763 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
764 };
765
bt_mesh_fcs_calc(const uint8_t * data,uint8_t data_len)766 uint8_t bt_mesh_fcs_calc(const uint8_t *data, uint8_t data_len)
767 {
768 uint8_t fcs = 0xff;
769
770 while (data_len--) {
771 fcs = crc_table[fcs ^ *data++];
772 }
773
774 BT_DBG("fcs 0x%02x", 0xff - fcs);
775
776 return 0xff - fcs;
777 }
778
bt_mesh_fcs_check(struct net_buf_simple * buf,uint8_t received_fcs)779 bool bt_mesh_fcs_check(struct net_buf_simple *buf, uint8_t received_fcs)
780 {
781 const uint8_t *data = buf->data;
782 uint16_t data_len = buf->len;
783 uint8_t fcs = 0xff;
784
785 while (data_len--) {
786 fcs = crc_table[fcs ^ *data++];
787 }
788
789 return crc_table[fcs ^ received_fcs] == 0xcf;
790 }
791
bt_mesh_virtual_addr(const uint8_t virtual_label[16],uint16_t * addr)792 int bt_mesh_virtual_addr(const uint8_t virtual_label[16], uint16_t *addr)
793 {
794 uint8_t salt[16] = {0};
795 uint8_t tmp[16] = {0};
796 int err = 0;
797
798 err = bt_mesh_s1("vtad", salt);
799 if (err) {
800 return err;
801 }
802
803 err = bt_mesh_aes_cmac_one(salt, virtual_label, 16, tmp);
804 if (err) {
805 return err;
806 }
807
808 *addr = (sys_get_be16(&tmp[14]) & 0x3fff) | 0x8000;
809
810 return 0;
811 }
812
bt_mesh_prov_conf_salt(const uint8_t conf_inputs[145],uint8_t salt[16])813 int bt_mesh_prov_conf_salt(const uint8_t conf_inputs[145], uint8_t salt[16])
814 {
815 const uint8_t conf_salt_key[16] = { 0 };
816
817 return bt_mesh_aes_cmac_one(conf_salt_key, conf_inputs, 145, salt);
818 }
819
bt_mesh_prov_conf_key(const uint8_t dhkey[32],const uint8_t conf_salt[16],uint8_t conf_key[16])820 int bt_mesh_prov_conf_key(const uint8_t dhkey[32], const uint8_t conf_salt[16],
821 uint8_t conf_key[16])
822 {
823 return bt_mesh_k1(dhkey, 32, conf_salt, "prck", conf_key);
824 }
825
bt_mesh_prov_conf(const uint8_t conf_key[16],const uint8_t rand[16],const uint8_t auth[16],uint8_t conf[16])826 int bt_mesh_prov_conf(const uint8_t conf_key[16], const uint8_t rand[16],
827 const uint8_t auth[16], uint8_t conf[16])
828 {
829 struct bt_mesh_sg sg[] = { { rand, 16 }, { auth, 16 } };
830
831 BT_DBG("ConfirmationKey %s", bt_hex(conf_key, 16));
832 BT_DBG("RandomDevice %s", bt_hex(rand, 16));
833 BT_DBG("AuthValue %s", bt_hex(auth, 16));
834
835 return bt_mesh_aes_cmac(conf_key, sg, ARRAY_SIZE(sg), conf);
836 }
837
bt_mesh_prov_decrypt(const uint8_t key[16],uint8_t nonce[13],const uint8_t data[25+8],uint8_t out[25])838 int bt_mesh_prov_decrypt(const uint8_t key[16], uint8_t nonce[13],
839 const uint8_t data[25 + 8], uint8_t out[25])
840 {
841 return bt_mesh_ccm_decrypt(key, nonce, data, 25, NULL, 0, out, 8);
842 }
843
844 #if CONFIG_BLE_MESH_PROVISIONER
bt_mesh_prov_encrypt(const uint8_t key[16],uint8_t nonce[13],const uint8_t data[25],uint8_t out[33])845 int bt_mesh_prov_encrypt(const uint8_t key[16], uint8_t nonce[13],
846 const uint8_t data[25], uint8_t out[33])
847 {
848 return bt_mesh_ccm_encrypt(key, nonce, data, 25, NULL, 0, out, 8);
849 }
850 #endif
851
bt_mesh_beacon_auth(const uint8_t beacon_key[16],uint8_t flags,const uint8_t net_id[8],uint32_t iv_index,uint8_t auth[8])852 int bt_mesh_beacon_auth(const uint8_t beacon_key[16], uint8_t flags,
853 const uint8_t net_id[8], uint32_t iv_index,
854 uint8_t auth[8])
855 {
856 uint8_t msg[13] = {0}, tmp[16] = {0};
857 int err = 0;
858
859 BT_DBG("BeaconKey %s", bt_hex(beacon_key, 16));
860 BT_DBG("NetId %s", bt_hex(net_id, 8));
861 BT_DBG("IV Index 0x%08x", iv_index);
862
863 msg[0] = flags;
864 memcpy(&msg[1], net_id, 8);
865 sys_put_be32(iv_index, &msg[9]);
866
867 BT_DBG("BeaconMsg %s", bt_hex(msg, sizeof(msg)));
868
869 err = bt_mesh_aes_cmac_one(beacon_key, msg, sizeof(msg), tmp);
870 if (!err) {
871 memcpy(auth, tmp, 8);
872 }
873
874 return err;
875 }
876
