1 /*  Bluetooth Mesh */
2 
3 /*
4  * SPDX-FileCopyrightText: 2017 Intel Corporation
5  * SPDX-FileContributor: 2018-2021 Espressif Systems (Shanghai) CO LTD
6  *
7  * SPDX-License-Identifier: Apache-2.0
8  */
9 #include <errno.h>
10 #include <string.h>
11 
12 #include "crypto.h"
13 #include "adv.h"
14 #include "mesh.h"
15 #include "access.h"
16 #include "foundation.h"
17 #include "mesh_common.h"
18 #include "mesh_proxy.h"
19 #include "proxy_server.h"
20 #include "prov.h"
21 
22 #if CONFIG_BLE_MESH_NODE
23 
24 /* 3 transmissions, 20ms interval */
25 #define PROV_XMIT              BLE_MESH_TRANSMIT(2, 20)
26 
27 #define AUTH_METHOD_NO_OOB     0x00
28 #define AUTH_METHOD_STATIC     0x01
29 #define AUTH_METHOD_OUTPUT     0x02
30 #define AUTH_METHOD_INPUT      0x03
31 
32 #define OUTPUT_OOB_BLINK       0x00
33 #define OUTPUT_OOB_BEEP        0x01
34 #define OUTPUT_OOB_VIBRATE     0x02
35 #define OUTPUT_OOB_NUMBER      0x03
36 #define OUTPUT_OOB_STRING      0x04
37 
38 #define INPUT_OOB_PUSH         0x00
39 #define INPUT_OOB_TWIST        0x01
40 #define INPUT_OOB_NUMBER       0x02
41 #define INPUT_OOB_STRING       0x03
42 
43 #define PUB_KEY_NO_OOB         0x00
44 #define PUB_KEY_OOB            0x01
45 
46 #define PROV_ERR_NONE          0x00
47 #define PROV_ERR_NVAL_PDU      0x01
48 #define PROV_ERR_NVAL_FMT      0x02
49 #define PROV_ERR_UNEXP_PDU     0x03
50 #define PROV_ERR_CFM_FAILED    0x04
51 #define PROV_ERR_RESOURCES     0x05
52 #define PROV_ERR_DECRYPT       0x06
53 #define PROV_ERR_UNEXP_ERR     0x07
54 #define PROV_ERR_ADDR          0x08
55 
56 #define PROV_INVITE            0x00
57 #define PROV_CAPABILITIES      0x01
58 #define PROV_START             0x02
59 #define PROV_PUB_KEY           0x03
60 #define PROV_INPUT_COMPLETE    0x04
61 #define PROV_CONFIRM           0x05
62 #define PROV_RANDOM            0x06
63 #define PROV_DATA              0x07
64 #define PROV_COMPLETE          0x08
65 #define PROV_FAILED            0x09
66 
67 #define PROV_ALG_P256          0x00
68 
69 #define GPCF(gpc)              (gpc & 0x03)
70 #define GPC_START(last_seg)    (((last_seg) << 2) | 0x00)
71 #define GPC_ACK                0x01
72 #define GPC_CONT(seg_id)       (((seg_id) << 2) | 0x02)
73 #define GPC_CTL(op)            (((op) << 2) | 0x03)
74 
75 #define START_PAYLOAD_MAX      20
76 #define CONT_PAYLOAD_MAX       23
77 #define START_LAST_SEG_MAX     2
78 
79 #define START_LAST_SEG(gpc)    (gpc >> 2)
80 #define CONT_SEG_INDEX(gpc)    (gpc >> 2)
81 
82 #define BEARER_CTL(gpc)        (gpc >> 2)
83 #define LINK_OPEN              0x00
84 #define LINK_ACK               0x01
85 #define LINK_CLOSE             0x02
86 
87 #define CLOSE_REASON_SUCCESS   0x00
88 #define CLOSE_REASON_TIMEOUT   0x01
89 #define CLOSE_REASON_FAILED    0x02
90 
91 #define XACT_SEG_DATA(_seg) (&link.rx.buf->data[20 + ((_seg - 1) * 23)])
92 #define XACT_SEG_RECV(_seg) (link.rx.seg &= ~(1 << (_seg)))
93 
94 #define XACT_NVAL              0xff
95 
96 enum {
97     REMOTE_PUB_KEY,        /* Remote key has been received */
98     OOB_PUB_KEY,           /* OOB public key is available */
99     LINK_ACTIVE,           /* Link has been opened */
100     HAVE_DHKEY,            /* DHKey has been calculated */
101     SEND_CONFIRM,          /* Waiting to send Confirm value */
102     WAIT_NUMBER,           /* Waiting for number input from user */
103     WAIT_STRING,           /* Waiting for string input from user */
104     LINK_INVALID,          /* Error occurred during provisioning */
105 
106     NUM_FLAGS,
107 };
108 
109 struct prov_link {
110     BLE_MESH_ATOMIC_DEFINE(flags, NUM_FLAGS);
111 #if defined(CONFIG_BLE_MESH_PB_GATT)
112     struct bt_mesh_conn *conn;  /* GATT connection */
113 #endif
114     uint8_t  dhkey[32];         /* Calculated DHKey */
115     uint8_t  expect;            /* Next expected PDU */
116 
117     bool     oob_pk_flag;       /* Flag indicates whether using OOB public key */
118 
119     uint8_t  oob_method;
120     uint8_t  oob_action;
121     uint8_t  oob_size;
122 
123     uint8_t  conf[16];          /* Remote Confirmation */
124     uint8_t  rand[16];          /* Local Random */
125     uint8_t  auth[16];          /* Authentication Value */
126 
127     uint8_t  conf_salt[16];     /* ConfirmationSalt */
128     uint8_t  conf_key[16];      /* ConfirmationKey */
129     uint8_t  conf_inputs[145];  /* ConfirmationInputs */
130     uint8_t  prov_salt[16];     /* Provisioning Salt */
131 
132 #if defined(CONFIG_BLE_MESH_PB_ADV)
133     uint32_t id;                /* Link ID */
134     uint8_t  tx_pdu_type;       /* The previously transmitted Provisioning PDU type */
135 
136     struct {
137         uint8_t id;         /* Transaction ID */
138         uint8_t prev_id;    /* Previous Transaction ID */
139         uint8_t seg;        /* Bit-field of unreceived segments */
140         uint8_t last_seg;   /* Last segment (to check length) */
141         uint8_t fcs;        /* Expected FCS value */
142         struct net_buf_simple *buf;
143     } rx;
144 
145     struct {
146         /* Start timestamp of the transaction */
147         int64_t start;
148 
149         /* Transaction id*/
150         uint8_t id;
151 
152         /* Pending outgoing buffer(s) */
153         struct net_buf *buf[3];
154 
155         /* Retransmit timer */
156         struct k_delayed_work retransmit;
157     } tx;
158 #endif
159 
160     struct k_delayed_work prot_timer;
161 };
162 
163 struct prov_rx {
164     uint32_t link_id;
165     uint8_t  xact_id;
166     uint8_t  gpc;
167 };
168 
169 #define BUF_TIMEOUT          K_MSEC(400)
170 
171 #if defined(CONFIG_BLE_MESH_FAST_PROV)
172 #define RETRANSMIT_TIMEOUT   K_MSEC(360)
173 #define TRANSACTION_TIMEOUT  K_SECONDS(3)
174 #define PROTOCOL_TIMEOUT     K_SECONDS(6)
175 #else
176 #define RETRANSMIT_TIMEOUT   K_MSEC(500)
177 #define TRANSACTION_TIMEOUT  K_SECONDS(30)
178 #define PROTOCOL_TIMEOUT     K_SECONDS(60)
179 #endif /* CONFIG_BLE_MESH_FAST_PROV */
180 
181 #if defined(CONFIG_BLE_MESH_PB_GATT)
182 #define PROV_BUF_HEADROOM 5
183 #else
184 #define PROV_BUF_HEADROOM 0
185 NET_BUF_SIMPLE_DEFINE_STATIC(rx_buf, 65);
186 #endif
187 
188 #define PROV_BUF(name, len) \
189     NET_BUF_SIMPLE_DEFINE(name, PROV_BUF_HEADROOM + len)
190 
191 static struct prov_link link;
192 
193 static const struct bt_mesh_prov *prov;
194 
195 #if defined(CONFIG_BLE_MESH_PB_ADV)
196 static bt_mesh_mutex_t pb_buf_lock;
197 
bt_mesh_pb_buf_mutex_new(void)198 static inline void bt_mesh_pb_buf_mutex_new(void)
199 {
200     if (!pb_buf_lock.mutex) {
201         bt_mesh_mutex_create(&pb_buf_lock);
202     }
203 }
204 
205 #if CONFIG_BLE_MESH_DEINIT
bt_mesh_pb_buf_mutex_free(void)206 static inline void bt_mesh_pb_buf_mutex_free(void)
207 {
208     bt_mesh_mutex_free(&pb_buf_lock);
209 }
210 #endif /* CONFIG_BLE_MESH_DEINIT */
211 
bt_mesh_pb_buf_lock(void)212 static inline void bt_mesh_pb_buf_lock(void)
213 {
214     bt_mesh_mutex_lock(&pb_buf_lock);
215 }
216 
bt_mesh_pb_buf_unlock(void)217 static inline void bt_mesh_pb_buf_unlock(void)
218 {
219     bt_mesh_mutex_unlock(&pb_buf_lock);
220 }
221 #endif /* CONFIG_BLE_MESH_PB_ADV */
222 
reset_state(void)223 static void reset_state(void)
224 {
225     k_delayed_work_cancel(&link.prot_timer);
226 
227     /* Disable Attention Timer if it was set */
228     if (link.conf_inputs[0]) {
229         bt_mesh_attention(NULL, 0);
230     }
231 
232 #if defined(CONFIG_BLE_MESH_PB_GATT)
233     if (link.conn) {
234         bt_mesh_conn_unref(link.conn);
235     }
236 #endif
237 
238 #if defined(CONFIG_BLE_MESH_PB_ADV)
239     /* Clear everything except the retransmit and protocol timer
240      * delayed work objects.
241      */
242     (void)memset(&link, 0, offsetof(struct prov_link, tx.retransmit));
243     link.rx.prev_id = XACT_NVAL;
244 
245 #if defined(CONFIG_BLE_MESH_PB_GATT)
246     link.rx.buf = bt_mesh_proxy_server_get_buf();
247 #else
248     net_buf_simple_reset(&rx_buf);
249     link.rx.buf = &rx_buf;
250 #endif /* PB_GATT */
251 
252 #else /* !PB_ADV */
253     /* Clear everything except the protocol timer (k_delayed_work) */
254     (void)memset(&link, 0, offsetof(struct prov_link, prot_timer));
255 #endif /* PB_ADV */
256 }
257 
258 #if defined(CONFIG_BLE_MESH_PB_ADV)
buf_sent(int err,void * user_data)259 static void buf_sent(int err, void *user_data)
260 {
261     if (!link.tx.buf[0]) {
262         return;
263     }
264 
265     k_delayed_work_submit(&link.tx.retransmit, RETRANSMIT_TIMEOUT);
266 }
267 
268 static struct bt_mesh_send_cb buf_sent_cb = {
269     .end = buf_sent,
270 };
271 
free_segments(void)272 static void free_segments(void)
273 {
274     int i;
275 
276     bt_mesh_pb_buf_lock();
277 
278     for (i = 0; i < ARRAY_SIZE(link.tx.buf); i++) {
279         struct net_buf *buf = link.tx.buf[i];
280 
281         if (!buf) {
282             break;
283         }
284 
285         link.tx.buf[i] = NULL;
286         bt_mesh_adv_buf_ref_debug(__func__, buf, 3U, BLE_MESH_BUF_REF_SMALL);
287         /* Mark as canceled */
288         bt_mesh_atomic_set(&BLE_MESH_ADV_BUSY(buf), 0);
289         net_buf_unref(buf);
290     }
291 
292     bt_mesh_pb_buf_unlock();
293 }
294 
prov_clear_tx(void)295 static void prov_clear_tx(void)
296 {
297     BT_DBG("%s", __func__);
298 
299     k_delayed_work_cancel(&link.tx.retransmit);
300 
301     free_segments();
302 }
303 
reset_adv_link(void)304 static void reset_adv_link(void)
305 {
306     prov_clear_tx();
307 
308     if (prov->link_close) {
309         prov->link_close(BLE_MESH_PROV_ADV);
310     }
311 
312 #if defined(CONFIG_BLE_MESH_USE_DUPLICATE_SCAN)
313     /* Remove the link id from exceptional list */
314     bt_mesh_update_exceptional_list(BLE_MESH_EXCEP_LIST_SUB_CODE_REMOVE,
315                                     BLE_MESH_EXCEP_LIST_TYPE_MESH_LINK_ID, &link.id);
316 #endif
317 
318     reset_state();
319 }
320 
adv_buf_create(void)321 static struct net_buf *adv_buf_create(void)
322 {
323     struct net_buf *buf = NULL;
324 
325     buf = bt_mesh_adv_create(BLE_MESH_ADV_PROV, PROV_XMIT, BUF_TIMEOUT);
326     if (!buf) {
327         BT_ERR("Out of provisioning buffers");
328         return NULL;
329     }
330 
331     return buf;
332 }
333 
334 static uint8_t pending_ack = XACT_NVAL;
335 
ack_complete(uint16_t duration,int err,void * user_data)336 static void ack_complete(uint16_t duration, int err, void *user_data)
337 {
338     BT_DBG("xact %u complete", (uint8_t)pending_ack);
339     pending_ack = XACT_NVAL;
340 }
341 
gen_prov_ack_send(uint8_t xact_id)342 static void gen_prov_ack_send(uint8_t xact_id)
343 {
344     static const struct bt_mesh_send_cb cb = {
345         .start = ack_complete,
346     };
347     const struct bt_mesh_send_cb *complete = NULL;
348     struct net_buf *buf = NULL;
349 
350     BT_DBG("xact_id %u", xact_id);
351 
352     if (pending_ack == xact_id) {
353         BT_DBG("Not sending duplicate ack");
354         return;
355     }
356 
357     buf = adv_buf_create();
358     if (!buf) {
359         return;
360     }
361 
362     if (pending_ack == XACT_NVAL) {
363         pending_ack = xact_id;
364         complete = &cb;
365     } else {
366         complete = NULL;
367     }
368 
369     net_buf_add_be32(buf, link.id);
370     net_buf_add_u8(buf, xact_id);
371     net_buf_add_u8(buf, GPC_ACK);
372 
373     bt_mesh_adv_send(buf, complete, NULL);
374     net_buf_unref(buf);
375 }
376 
send_reliable(void)377 static void send_reliable(void)
378 {
379     int i;
380 
381     link.tx.start = k_uptime_get();
382 
383     for (i = 0; i < ARRAY_SIZE(link.tx.buf); i++) {
384         struct net_buf *buf = link.tx.buf[i];
385 
386         if (!buf) {
387             break;
388         }
389 
390         if (i + 1 < ARRAY_SIZE(link.tx.buf) && link.tx.buf[i + 1]) {
391             bt_mesh_adv_send(buf, NULL, NULL);
392         } else {
393             bt_mesh_adv_send(buf, &buf_sent_cb, NULL);
394         }
395     }
396 }
397 
bearer_ctl_send(uint8_t op,void * data,uint8_t data_len)398 static int bearer_ctl_send(uint8_t op, void *data, uint8_t data_len)
399 {
400     struct net_buf *buf = NULL;
401 
402     BT_DBG("op 0x%02x data_len %u", op, data_len);
403 
404     prov_clear_tx();
405 
406     buf = adv_buf_create();
407     if (!buf) {
408         return -ENOBUFS;
409     }
410 
411     net_buf_add_be32(buf, link.id);
412     /* Transaction ID, always 0 for Bearer messages */
413     net_buf_add_u8(buf, 0x00);
414     net_buf_add_u8(buf, GPC_CTL(op));
415     net_buf_add_mem(buf, data, data_len);
416 
417     link.tx.buf[0] = buf;
418     send_reliable();
419 
420     return 0;
421 }
422 
last_seg(uint8_t len)423 static uint8_t last_seg(uint8_t len)
424 {
425     if (len <= START_PAYLOAD_MAX) {
426         return 0;
427     }
428 
429     len -= START_PAYLOAD_MAX;
430 
431     return 1 + (len / CONT_PAYLOAD_MAX);
432 }
433 
next_transaction_id(void)434 static inline uint8_t next_transaction_id(void)
435 {
436     if (link.tx.id != 0U && link.tx.id != 0xFF) {
437         return ++link.tx.id;
438     }
439 
440     link.tx.id = 0x80;
441     return link.tx.id;
442 }
443 
prov_send_adv(struct net_buf_simple * msg)444 static int prov_send_adv(struct net_buf_simple *msg)
445 {
446     struct net_buf *start = NULL, *buf = NULL;
447     uint8_t seg_len = 0U, seg_id = 0U;
448     uint8_t xact_id = 0U;
449     int32_t timeout = PROTOCOL_TIMEOUT;
450 
451     BT_DBG("len %u: %s", msg->len, bt_hex(msg->data, msg->len));
452 
453     prov_clear_tx();
454 
455     start = adv_buf_create();
456     if (!start) {
457         return -ENOBUFS;
458     }
459 
460     xact_id = next_transaction_id();
461     net_buf_add_be32(start, link.id);
462     net_buf_add_u8(start, xact_id);
463 
464     net_buf_add_u8(start, GPC_START(last_seg(msg->len)));
465     net_buf_add_be16(start, msg->len);
466     net_buf_add_u8(start, bt_mesh_fcs_calc(msg->data, msg->len));
467 
468     link.tx.buf[0] = start;
469     /* Changed by Espressif, get message type */
470     link.tx_pdu_type = msg->data[0];
471 
472     seg_len = MIN(msg->len, START_PAYLOAD_MAX);
473     BT_DBG("seg 0 len %u: %s", seg_len, bt_hex(msg->data, seg_len));
474     net_buf_add_mem(start, msg->data, seg_len);
475     net_buf_simple_pull(msg, seg_len);
476 
477     buf = start;
478     for (seg_id = 1U; msg->len > 0; seg_id++) {
479         if (seg_id >= ARRAY_SIZE(link.tx.buf)) {
480             BT_ERR("Too big message (seg_id %d)", seg_id);
481             free_segments();
482             return -E2BIG;
483         }
484 
485         buf = adv_buf_create();
486         if (!buf) {
487             free_segments();
488             return -ENOBUFS;
489         }
490 
491         link.tx.buf[seg_id] = buf;
492 
493         seg_len = MIN(msg->len, CONT_PAYLOAD_MAX);
494 
495         BT_DBG("seg_id %u len %u: %s", seg_id, seg_len,
496                bt_hex(msg->data, seg_len));
497 
498         net_buf_add_be32(buf, link.id);
499         net_buf_add_u8(buf, xact_id);
500         net_buf_add_u8(buf, GPC_CONT(seg_id));
501         net_buf_add_mem(buf, msg->data, seg_len);
502         net_buf_simple_pull(msg, seg_len);
503     }
504 
505     send_reliable();
506 
507     /* Changed by Espressif, add provisioning timeout timer operations.
508      * When sending a provisioning PDU successfully, restart the 60s timer.
509      */
510 #if defined(CONFIG_BLE_MESH_FAST_PROV)
511     if (link.tx_pdu_type >= PROV_COMPLETE) {
512         timeout = K_SECONDS(60);
513     }
514 #endif
515     k_delayed_work_submit(&link.prot_timer, timeout);
516 
517     return 0;
518 }
519 
520 #endif /* CONFIG_BLE_MESH_PB_ADV */
521 
522 #if defined(CONFIG_BLE_MESH_PB_GATT)
prov_send_gatt(struct net_buf_simple * msg)523 static int prov_send_gatt(struct net_buf_simple *msg)
524 {
525     int err = 0;
526 
527     if (!link.conn) {
528         return -ENOTCONN;
529     }
530 
531     /* Changed by Espressif, add provisioning timeout timer operations.
532      * When sending a provisioning PDU successfully, restart the 60s timer.
533      */
534     err = bt_mesh_proxy_server_send(link.conn, BLE_MESH_PROXY_PROV, msg);
535     if (err) {
536         BT_ERR("Failed to send provisioning PDU");
537         return err;
538     }
539 
540     k_delayed_work_submit(&link.prot_timer, PROTOCOL_TIMEOUT);
541 
542     return 0;
543 }
544 #endif /* CONFIG_BLE_MESH_PB_GATT */
545 
prov_send(struct net_buf_simple * buf)546 static inline int prov_send(struct net_buf_simple *buf)
547 {
548 #if defined(CONFIG_BLE_MESH_PB_GATT)
549     if (link.conn) {
550         return prov_send_gatt(buf);
551     }
552 #endif
553 #if defined(CONFIG_BLE_MESH_PB_ADV)
554     return prov_send_adv(buf);
555 #else
556     return 0;
557 #endif
558 }
559 
prov_buf_init(struct net_buf_simple * buf,uint8_t type)560 static void prov_buf_init(struct net_buf_simple *buf, uint8_t type)
561 {
562     net_buf_simple_reserve(buf, PROV_BUF_HEADROOM);
563     net_buf_simple_add_u8(buf, type);
564 }
565 
prov_send_fail_msg(uint8_t err)566 static void prov_send_fail_msg(uint8_t err)
567 {
568     PROV_BUF(buf, 2);
569 
570     prov_buf_init(&buf, PROV_FAILED);
571     net_buf_simple_add_u8(&buf, err);
572 
573     if (prov_send(&buf)) {
574         BT_ERR("Failed to send Provisioning Failed message");
575     }
576 
577     bt_mesh_atomic_set_bit(link.flags, LINK_INVALID);
578 }
579 
prov_invite(const uint8_t * data)580 static void prov_invite(const uint8_t *data)
581 {
582     PROV_BUF(buf, 12);
583 
584     BT_DBG("Attention Duration: %u seconds", data[0]);
585 
586     if (data[0]) {
587         bt_mesh_attention(NULL, data[0]);
588     }
589 
590     link.conf_inputs[0] = data[0];
591 
592     prov_buf_init(&buf, PROV_CAPABILITIES);
593 
594     /* Number of Elements supported */
595     net_buf_simple_add_u8(&buf, bt_mesh_elem_count());
596 
597     /* Supported algorithms - FIPS P-256 Eliptic Curve */
598     net_buf_simple_add_be16(&buf, BIT(PROV_ALG_P256));
599 
600     /* Public Key Type */
601     net_buf_simple_add_u8(&buf, prov->oob_pub_key);
602 
603     /* Static OOB Type */
604     net_buf_simple_add_u8(&buf, prov->static_val ? BIT(0) : 0x00);
605 
606     /* Output OOB Size */
607     net_buf_simple_add_u8(&buf, prov->output_size);
608 
609     /* Output OOB Action */
610     net_buf_simple_add_be16(&buf, prov->output_actions);
611 
612     /* Input OOB Size */
613     net_buf_simple_add_u8(&buf, prov->input_size);
614 
615     /* Input OOB Action */
616     net_buf_simple_add_be16(&buf, prov->input_actions);
617 
618     memcpy(&link.conf_inputs[1], &buf.data[1], 11);
619 
620     if (prov_send(&buf)) {
621         BT_ERR("Failed to send capabilities");
622         return;
623     }
624 
625     link.expect = PROV_START;
626 }
627 
prov_capabilities(const uint8_t * data)628 static void prov_capabilities(const uint8_t *data)
629 {
630     uint16_t algorithms = 0U, output_action = 0U, input_action = 0U;
631 
632     BT_DBG("Elements: %u", data[0]);
633 
634     algorithms = sys_get_be16(&data[1]);
635     BT_DBG("Algorithms:        %u", algorithms);
636 
637     BT_DBG("Public Key Type:   0x%02x", data[3]);
638     BT_DBG("Static OOB Type:   0x%02x", data[4]);
639     BT_DBG("Output OOB Size:   %u", data[5]);
640 
641     output_action = sys_get_be16(&data[6]);
642     BT_DBG("Output OOB Action: 0x%04x", output_action);
643 
644     BT_DBG("Input OOB Size:    %u", data[8]);
645 
646     input_action = sys_get_be16(&data[9]);
647     BT_DBG("Input OOB Action:  0x%04x", input_action);
648 
649     ((void) algorithms);
650     ((void) output_action);
651     ((void) input_action);
652 }
653 
output_action(uint8_t action)654 static bt_mesh_output_action_t output_action(uint8_t action)
655 {
656     switch (action) {
657     case OUTPUT_OOB_BLINK:
658         return BLE_MESH_BLINK;
659     case OUTPUT_OOB_BEEP:
660         return BLE_MESH_BEEP;
661     case OUTPUT_OOB_VIBRATE:
662         return BLE_MESH_VIBRATE;
663     case OUTPUT_OOB_NUMBER:
664         return BLE_MESH_DISPLAY_NUMBER;
665     case OUTPUT_OOB_STRING:
666         return BLE_MESH_DISPLAY_STRING;
667     default:
668         return BLE_MESH_NO_OUTPUT;
669     }
670 }
671 
input_action(uint8_t action)672 static bt_mesh_input_action_t input_action(uint8_t action)
673 {
674     switch (action) {
675     case INPUT_OOB_PUSH:
676         return BLE_MESH_PUSH;
677     case INPUT_OOB_TWIST:
678         return BLE_MESH_TWIST;
679     case INPUT_OOB_NUMBER:
680         return BLE_MESH_ENTER_NUMBER;
681     case INPUT_OOB_STRING:
682         return BLE_MESH_ENTER_STRING;
683     default:
684         return BLE_MESH_NO_INPUT;
685     }
686 }
687 
prov_auth(uint8_t method,uint8_t action,uint8_t size)688 static int prov_auth(uint8_t method, uint8_t action, uint8_t size)
689 {
690     bt_mesh_output_action_t output = 0U;
691     bt_mesh_input_action_t input = 0U;
692 
693     switch (method) {
694     case AUTH_METHOD_NO_OOB:
695         if (action || size) {
696             return -EINVAL;
697         }
698 
699         (void)memset(link.auth, 0, sizeof(link.auth));
700         return 0;
701     case AUTH_METHOD_STATIC:
702         if (action || size) {
703             return -EINVAL;
704         }
705 
706         memcpy(link.auth + 16 - prov->static_val_len,
707                prov->static_val, prov->static_val_len);
708         (void)memset(link.auth, 0,
709                      sizeof(link.auth) - prov->static_val_len);
710         return 0;
711 
712     case AUTH_METHOD_OUTPUT:
713         output = output_action(action);
714         if (!output) {
715             return -EINVAL;
716         }
717 
718         if (!(prov->output_actions & output)) {
719             return -EINVAL;
720         }
721 
722         if (size > prov->output_size) {
723             return -EINVAL;
724         }
725 
726         if (output == BLE_MESH_DISPLAY_STRING) {
727             unsigned char str[9] = {'\0'};
728             uint8_t i = 0U;
729 
730             bt_mesh_rand(str, size);
731 
732             /* Normalize to '0' .. '9' & 'A' .. 'Z' */
733             for (i = 0U; i < size; i++) {
734                 str[i] %= 36;
735                 if (str[i] < 10) {
736                     str[i] += '0';
737                 } else {
738                     str[i] += 'A' - 10;
739                 }
740             }
741             str[size] = '\0';
742 
743             memcpy(link.auth, str, size);
744             (void)memset(link.auth + size, 0,
745                          sizeof(link.auth) - size);
746 
747             return prov->output_string((char *)str);
748         } else {
749             uint32_t div[8] = { 10, 100, 1000, 10000, 100000,
750                                 1000000, 10000000, 100000000
751                               };
752             uint32_t num = 0U;
753 
754             bt_mesh_rand(&num, sizeof(num));
755 
756             if (output == BLE_MESH_BLINK ||
757                 output == BLE_MESH_BEEP ||
758                 output == BLE_MESH_VIBRATE) {
759                 /** NOTE: According to the Bluetooth Mesh Profile Specification
760                  *  Section 5.4.2.4, blink, beep and vibrate should be a random
761                  *  integer between 0 and 10^size.
762                  */
763                 num = (num % (div[size - 1] - 1)) + 1;
764             } else {
765                 num %= div[size - 1];
766             }
767 
768             sys_put_be32(num, &link.auth[12]);
769             (void)memset(link.auth, 0, 12);
770 
771             return prov->output_number(output, num);
772         }
773 
774     case AUTH_METHOD_INPUT:
775         input = input_action(action);
776         if (!input) {
777             return -EINVAL;
778         }
779 
780         if (!(prov->input_actions & input)) {
781             return -EINVAL;
782         }
783 
784         if (size > prov->input_size) {
785             return -EINVAL;
786         }
787 
788         if (input == BLE_MESH_ENTER_STRING) {
789             bt_mesh_atomic_set_bit(link.flags, WAIT_STRING);
790         } else {
791             bt_mesh_atomic_set_bit(link.flags, WAIT_NUMBER);
792         }
793 
794         return prov->input(input, size);
795 
796     default:
797         return -EINVAL;
798     }
799 }
800 
prov_start(const uint8_t * data)801 static void prov_start(const uint8_t *data)
802 {
803     BT_INFO("Algorithm:   0x%02x", data[0]);
804     BT_INFO("Public Key:  0x%02x", data[1]);
805     BT_INFO("Auth Method: 0x%02x", data[2]);
806     BT_INFO("Auth Action: 0x%02x", data[3]);
807     BT_INFO("Auth Size:   0x%02x", data[4]);
808 
809     if (data[0] != PROV_ALG_P256) {
810         BT_ERR("Unknown algorithm 0x%02x", data[0]);
811         prov_send_fail_msg(PROV_ERR_NVAL_FMT);
812         return;
813     }
814 
815     if (data[1] != prov->oob_pub_key) {
816         BT_ERR("Invalid public key type: 0x%02x", data[1]);
817         prov_send_fail_msg(PROV_ERR_NVAL_FMT);
818         return;
819     }
820 
821     memcpy(&link.conf_inputs[12], data, 5);
822 
823     link.expect = PROV_PUB_KEY;
824 
825     /* If Provisioning Start PDU indicates that provisioner chooses
826      * OOB public key, then callback to the application layer to let
827      * users input public & private key pair.
828      */
829     link.oob_pk_flag = data[1] ? true : false;
830     if (link.oob_pk_flag) {
831         prov->oob_pub_key_cb();
832     }
833 
834     if (prov_auth(data[2], data[3], data[4]) < 0) {
835         BT_ERR("Invalid authentication method: 0x%02x; "
836                "action: 0x%02x; size: 0x%02x",
837                data[2], data[3], data[4]);
838         prov_send_fail_msg(PROV_ERR_NVAL_FMT);
839     }
840 }
841 
send_confirm(void)842 static void send_confirm(void)
843 {
844     uint8_t *local_conf = NULL;
845     PROV_BUF(cfm, 17);
846 
847     BT_DBG("ConfInputs[0]   %s", bt_hex(link.conf_inputs, 64));
848     BT_DBG("ConfInputs[64]  %s", bt_hex(&link.conf_inputs[64], 64));
849     BT_DBG("ConfInputs[128] %s", bt_hex(&link.conf_inputs[128], 17));
850 
851     if (bt_mesh_prov_conf_salt(link.conf_inputs, link.conf_salt)) {
852         BT_ERR("Unable to generate confirmation salt");
853         prov_send_fail_msg(PROV_ERR_UNEXP_ERR);
854         return;
855     }
856 
857     BT_DBG("ConfirmationSalt: %s", bt_hex(link.conf_salt, 16));
858 
859     if (bt_mesh_prov_conf_key(link.dhkey, link.conf_salt, link.conf_key)) {
860         BT_ERR("Unable to generate confirmation key");
861         prov_send_fail_msg(PROV_ERR_UNEXP_ERR);
862         return;
863     }
864 
865     BT_DBG("ConfirmationKey: %s", bt_hex(link.conf_key, 16));
866 
867     if (bt_mesh_rand(link.rand, 16)) {
868         BT_ERR("Unable to generate random number");
869         prov_send_fail_msg(PROV_ERR_UNEXP_ERR);
870         return;
871     }
872 
873     BT_DBG("LocalRandom: %s", bt_hex(link.rand, 16));
874 
875     prov_buf_init(&cfm, PROV_CONFIRM);
876 
877     local_conf = net_buf_simple_add(&cfm, 16);
878 
879     if (bt_mesh_prov_conf(link.conf_key, link.rand, link.auth,
880                           local_conf)) {
881         BT_ERR("Unable to generate confirmation value");
882         prov_send_fail_msg(PROV_ERR_UNEXP_ERR);
883         return;
884     }
885 
886     if (!memcmp(link.conf, local_conf, 16)) {
887         BT_ERR("Confirmation value is identical to ours, rejecting.");
888         prov_send_fail_msg(PROV_ERR_NVAL_FMT);
889         return;
890     }
891 
892     if (prov_send(&cfm)) {
893         BT_ERR("Unable to send Provisioning Confirm");
894         return;
895     }
896 
897     link.expect = PROV_RANDOM;
898 }
899 
send_input_complete(void)900 static void send_input_complete(void)
901 {
902     PROV_BUF(buf, 1);
903 
904     prov_buf_init(&buf, PROV_INPUT_COMPLETE);
905     if (prov_send(&buf)) {
906         BT_ERR("Failed to send Provisioning Input Complete");
907     }
908 }
909 
bt_mesh_input_number(uint32_t num)910 int bt_mesh_input_number(uint32_t num)
911 {
912     BT_INFO("%u", num);
913 
914     if (!bt_mesh_atomic_test_and_clear_bit(link.flags, WAIT_NUMBER)) {
915         return -EINVAL;
916     }
917 
918     sys_put_be32(num, &link.auth[12]);
919 
920     send_input_complete();
921 
922     if (!bt_mesh_atomic_test_bit(link.flags, HAVE_DHKEY)) {
923         return 0;
924     }
925 
926     if (bt_mesh_atomic_test_and_clear_bit(link.flags, SEND_CONFIRM)) {
927         send_confirm();
928     }
929 
930     return 0;
931 }
932 
bt_mesh_input_string(const char * str)933 int bt_mesh_input_string(const char *str)
934 {
935     BT_INFO("%s", str);
936 
937     if (!bt_mesh_atomic_test_and_clear_bit(link.flags, WAIT_STRING)) {
938         return -EINVAL;
939     }
940 
941     (void)memcpy(link.auth, str, prov->input_size);
942 
943     send_input_complete();
944 
945     if (!bt_mesh_atomic_test_bit(link.flags, HAVE_DHKEY)) {
946         return 0;
947     }
948 
949     if (bt_mesh_atomic_test_and_clear_bit(link.flags, SEND_CONFIRM)) {
950         send_confirm();
951     }
952 
953     return 0;
954 }
955 
prov_dh_key_cb(const uint8_t key[32],const uint8_t idx)956 static void prov_dh_key_cb(const uint8_t key[32], const uint8_t idx)
957 {
958     BT_DBG("%p", key);
959 
960     if (!key) {
961         BT_ERR("DHKey generation failed");
962         prov_send_fail_msg(PROV_ERR_UNEXP_ERR);
963         return;
964     }
965 
966     sys_memcpy_swap(link.dhkey, key, 32);
967 
968     BT_DBG("DHkey: %s", bt_hex(link.dhkey, 32));
969 
970     bt_mesh_atomic_set_bit(link.flags, HAVE_DHKEY);
971 
972     if (bt_mesh_atomic_test_bit(link.flags, WAIT_NUMBER) ||
973             bt_mesh_atomic_test_bit(link.flags, WAIT_STRING)) {
974         return;
975     }
976 
977     if (bt_mesh_atomic_test_and_clear_bit(link.flags, SEND_CONFIRM)) {
978         send_confirm();
979     }
980 }
981 
send_pub_key(void)982 static void send_pub_key(void)
983 {
984     PROV_BUF(buf, 65);
985     const uint8_t *key = NULL;
986 
987     /* Copy remote key in little-endian for bt_mesh_dh_key_gen().
988      * X and Y halves are swapped independently. Use response
989      * buffer as a temporary storage location. The validating of
990      * the remote public key is finished when it is received.
991      */
992     sys_memcpy_swap(buf.data, &link.conf_inputs[17], 32);
993     sys_memcpy_swap(&buf.data[32], &link.conf_inputs[49], 32);
994 
995     if (bt_mesh_dh_key_gen(buf.data, prov_dh_key_cb, 0)) {
996         BT_ERR("Unable to generate DHKey");
997         prov_send_fail_msg(PROV_ERR_UNEXP_ERR);
998         return;
999     }
1000 
1001     key = bt_mesh_pub_key_get();
1002     if (!key) {
1003         BT_ERR("No public key available");
1004         prov_send_fail_msg(PROV_ERR_UNEXP_ERR);
1005         return;
1006     }
1007 
1008     BT_DBG("Local Public Key: %s", bt_hex(key, 64));
1009 
1010     prov_buf_init(&buf, PROV_PUB_KEY);
1011 
1012     /* Swap X and Y halves independently to big-endian */
1013     sys_memcpy_swap(net_buf_simple_add(&buf, 32), key, 32);
1014     sys_memcpy_swap(net_buf_simple_add(&buf, 32), &key[32], 32);
1015 
1016     memcpy(&link.conf_inputs[81], &buf.data[1], 64);
1017 
1018     if (prov_send(&buf)) {
1019         BT_ERR("Failed to send Public Key");
1020         return;
1021     }
1022 
1023     link.expect = PROV_CONFIRM;
1024 }
1025 
bt_mesh_calc_dh_key(void)1026 static int bt_mesh_calc_dh_key(void)
1027 {
1028     NET_BUF_SIMPLE_DEFINE(buf, 64);
1029 
1030     /* Copy remote key in little-endian for bt_mesh_dh_key_gen().
1031      * X and Y halves are swapped independently.
1032      */
1033     net_buf_simple_reset(&buf);
1034     sys_memcpy_swap(buf.data, &link.conf_inputs[17], 32);
1035     sys_memcpy_swap(&buf.data[32], &link.conf_inputs[49], 32);
1036 
1037     if (bt_mesh_dh_key_gen(buf.data, prov_dh_key_cb, 0)) {
1038         BT_ERR("Unable to generate DHKey");
1039         prov_send_fail_msg(PROV_ERR_UNEXP_ERR);
1040         return -EIO;
1041     }
1042 
1043     return 0;
1044 }
1045 
bt_mesh_set_oob_pub_key(const uint8_t pub_key_x[32],const uint8_t pub_key_y[32],const uint8_t pri_key[32])1046 int bt_mesh_set_oob_pub_key(const uint8_t pub_key_x[32], const uint8_t pub_key_y[32],
1047                             const uint8_t pri_key[32])
1048 {
1049     if (!pub_key_x || !pub_key_y || !pri_key) {
1050         BT_ERR("%s, Invalid parameter", __func__);
1051         return -EINVAL;
1052     }
1053 
1054     /* Copy OOB public key in big-endian to Provisioning ConfirmationInputs,
1055      * X and Y halves are swapped independently.
1056      * And set input private key to mesh_bearer_adapt.c
1057      */
1058     sys_memcpy_swap(&link.conf_inputs[81], pub_key_x, 32);
1059     sys_memcpy_swap(&link.conf_inputs[81] + 32, pub_key_y, 32);
1060     bt_mesh_set_private_key(pri_key);
1061 
1062     bt_mesh_atomic_set_bit(link.flags, OOB_PUB_KEY);
1063 
1064     /* If remote public key is not got, just return */
1065     if (!bt_mesh_atomic_test_bit(link.flags, REMOTE_PUB_KEY)) {
1066         return 0;
1067     }
1068 
1069     return bt_mesh_calc_dh_key();
1070 }
1071 
prov_pub_key(const uint8_t * data)1072 static void prov_pub_key(const uint8_t *data)
1073 {
1074     BT_DBG("Remote Public Key: %s", bt_hex(data, 64));
1075 
1076     /* BLE Mesh BQB test case MESH/NODE/PROV/UPD/BI-13-C needs to
1077      * check the public key using the following rules:
1078      * (1) X > 0, Y > 0
1079      * (2) X > 0, Y = 0
1080      * (3) X = 0, Y = 0
1081      */
1082     if (!bt_mesh_check_public_key(data)) {
1083         BT_ERR("Invalid public key");
1084         prov_send_fail_msg(PROV_ERR_UNEXP_PDU);
1085         return;
1086     }
1087 
1088     memcpy(&link.conf_inputs[17], data, 64);
1089     bt_mesh_atomic_set_bit(link.flags, REMOTE_PUB_KEY);
1090 
1091     if (!bt_mesh_pub_key_get()) {
1092         /* Clear retransmit timer */
1093 #if defined(CONFIG_BLE_MESH_PB_ADV)
1094         prov_clear_tx();
1095 #endif
1096         BT_WARN("Waiting for a local public key");
1097         return;
1098     }
1099 
1100     if (!link.oob_pk_flag) {
1101         send_pub_key();
1102     } else {
1103         link.expect = PROV_CONFIRM;
1104     }
1105 }
1106 
prov_input_complete(const uint8_t * data)1107 static void prov_input_complete(const uint8_t *data)
1108 {
1109     BT_DBG("%s", __func__);
1110 }
1111 
prov_confirm(const uint8_t * data)1112 static void prov_confirm(const uint8_t *data)
1113 {
1114     BT_DBG("Remote Confirm: %s", bt_hex(data, 16));
1115 
1116     memcpy(link.conf, data, 16);
1117 
1118     if (!bt_mesh_atomic_test_bit(link.flags, HAVE_DHKEY)) {
1119 #if defined(CONFIG_BLE_MESH_PB_ADV)
1120         prov_clear_tx();
1121 #endif
1122         bt_mesh_atomic_set_bit(link.flags, SEND_CONFIRM);
1123         /* If using OOB public key and it has already got, calculates dhkey */
1124         if (link.oob_pk_flag && bt_mesh_atomic_test_bit(link.flags, OOB_PUB_KEY)) {
1125             bt_mesh_calc_dh_key();
1126         }
1127     } else {
1128         send_confirm();
1129     }
1130 }
1131 
prov_random(const uint8_t * data)1132 static void prov_random(const uint8_t *data)
1133 {
1134     PROV_BUF(rnd, 17);
1135     uint8_t conf_verify[16] = {0};
1136 
1137     BT_DBG("Remote Random: %s", bt_hex(data, 16));
1138 
1139     if (bt_mesh_prov_conf(link.conf_key, data, link.auth, conf_verify)) {
1140         BT_ERR("Unable to calculate confirmation verification");
1141         prov_send_fail_msg(PROV_ERR_UNEXP_ERR);
1142         return;
1143     }
1144 
1145     if (memcmp(conf_verify, link.conf, 16)) {
1146         BT_ERR("Invalid confirmation value");
1147         BT_DBG("Received:   %s", bt_hex(link.conf, 16));
1148         BT_DBG("Calculated: %s",  bt_hex(conf_verify, 16));
1149         prov_send_fail_msg(PROV_ERR_CFM_FAILED);
1150         return;
1151     }
1152 
1153     prov_buf_init(&rnd, PROV_RANDOM);
1154     net_buf_simple_add_mem(&rnd, link.rand, 16);
1155 
1156     if (prov_send(&rnd)) {
1157         BT_ERR("Failed to send Provisioning Random");
1158         return;
1159     }
1160 
1161     if (bt_mesh_prov_salt(link.conf_salt, data, link.rand,
1162                           link.prov_salt)) {
1163         BT_ERR("Failed to generate provisioning salt");
1164         prov_send_fail_msg(PROV_ERR_UNEXP_ERR);
1165         return;
1166     }
1167 
1168     BT_DBG("ProvisioningSalt: %s", bt_hex(link.prov_salt, 16));
1169 
1170     link.expect = PROV_DATA;
1171 }
1172 
is_pb_gatt(void)1173 static inline bool is_pb_gatt(void)
1174 {
1175 #if defined(CONFIG_BLE_MESH_PB_GATT)
1176     return !!link.conn;
1177 #else
1178     return false;
1179 #endif
1180 }
1181 
prov_data(const uint8_t * data)1182 static void prov_data(const uint8_t *data)
1183 {
1184     PROV_BUF(msg, 1);
1185     uint8_t session_key[16] = {0};
1186     uint8_t nonce[13] = {0};
1187     uint8_t dev_key[16] = {0};
1188     uint8_t pdu[25] = {0};
1189     uint8_t flags = 0U;
1190     uint32_t iv_index = 0U;
1191     uint16_t addr = 0U;
1192     uint16_t net_idx = 0U;
1193     int err = 0;
1194     bool identity_enable = false;
1195 
1196     BT_DBG("%s", __func__);
1197 
1198     err = bt_mesh_session_key(link.dhkey, link.prov_salt, session_key);
1199     if (err) {
1200         BT_ERR("Unable to generate session key");
1201         prov_send_fail_msg(PROV_ERR_UNEXP_ERR);
1202         return;
1203     }
1204 
1205     BT_DBG("SessionKey: %s", bt_hex(session_key, 16));
1206 
1207     err = bt_mesh_prov_nonce(link.dhkey, link.prov_salt, nonce);
1208     if (err) {
1209         BT_ERR("Unable to generate session nonce");
1210         prov_send_fail_msg(PROV_ERR_UNEXP_ERR);
1211         return;
1212     }
1213 
1214     BT_DBG("Nonce: %s", bt_hex(nonce, 13));
1215 
1216     err = bt_mesh_prov_decrypt(session_key, nonce, data, pdu);
1217     if (err) {
1218         BT_ERR("Unable to decrypt provisioning data");
1219         prov_send_fail_msg(PROV_ERR_DECRYPT);
1220         return;
1221     }
1222 
1223     err = bt_mesh_dev_key(link.dhkey, link.prov_salt, dev_key);
1224     if (err) {
1225         BT_ERR("Unable to generate device key");
1226         prov_send_fail_msg(PROV_ERR_UNEXP_ERR);
1227         return;
1228     }
1229 
1230     BT_DBG("DevKey: %s", bt_hex(dev_key, 16));
1231 
1232     net_idx = sys_get_be16(&pdu[16]);
1233     flags = pdu[18];
1234     iv_index = sys_get_be32(&pdu[19]);
1235     addr = sys_get_be16(&pdu[23]);
1236 
1237     BT_DBG("net_idx %u iv_index 0x%08x, addr 0x%04x",
1238            net_idx, iv_index, addr);
1239 
1240     prov_buf_init(&msg, PROV_COMPLETE);
1241     if (prov_send(&msg)) {
1242         BT_ERR("Failed to send Provisioning Complete");
1243         return;
1244     }
1245 
1246     /* Ignore any further PDUs on this link */
1247     link.expect = 0U;
1248 
1249     /* Store info, since bt_mesh_provision() will end up clearing it */
1250     if (IS_ENABLED(CONFIG_BLE_MESH_GATT_PROXY_SERVER)) {
1251         identity_enable = is_pb_gatt();
1252     } else {
1253         identity_enable = false;
1254     }
1255 
1256     err = bt_mesh_provision(pdu, net_idx, flags, iv_index, addr, dev_key);
1257     if (err) {
1258         BT_ERR("Failed to provision (err %d)", err);
1259         return;
1260     }
1261 
1262     /* After PB-GATT provisioning we should start advertising
1263      * using Node Identity.
1264      */
1265     if (IS_ENABLED(CONFIG_BLE_MESH_GATT_PROXY_SERVER) && identity_enable) {
1266         bt_mesh_proxy_identity_enable();
1267     }
1268 }
1269 
prov_complete(const uint8_t * data)1270 static void prov_complete(const uint8_t *data)
1271 {
1272     BT_DBG("%s", __func__);
1273 }
1274 
prov_failed(const uint8_t * data)1275 static void prov_failed(const uint8_t *data)
1276 {
1277     BT_WARN("Error: 0x%02x", data[0]);
1278 }
1279 
1280 static const struct {
1281     void (*func)(const uint8_t *data);
1282     uint16_t len;
1283 } prov_handlers[] = {
1284     { prov_invite, 1 },
1285     { prov_capabilities, 11 },
1286     { prov_start, 5, },
1287     { prov_pub_key, 64 },
1288     { prov_input_complete, 0 },
1289     { prov_confirm, 16 },
1290     { prov_random, 16 },
1291     { prov_data, 33 },
1292     { prov_complete, 0 },
1293     { prov_failed, 1 },
1294 };
1295 
1296 #if defined(CONFIG_BLE_MESH_PB_ADV)
prov_retransmit(struct k_work * work)1297 static void prov_retransmit(struct k_work *work)
1298 {
1299     int64_t timeout = TRANSACTION_TIMEOUT;
1300     int i;
1301 
1302     BT_DBG("%s", __func__);
1303 
1304     if (!bt_mesh_atomic_test_bit(link.flags, LINK_ACTIVE)) {
1305         BT_WARN("Link not active");
1306         return;
1307     }
1308 
1309 #if defined(CONFIG_BLE_MESH_FAST_PROV)
1310     /* When Provisioning Failed PDU is sent, 3s may be used here. */
1311     if (link.tx_pdu_type >= PROV_COMPLETE) {
1312         timeout = K_SECONDS(30);
1313     }
1314 #endif
1315     if (k_uptime_get() - link.tx.start > timeout) {
1316         BT_WARN("Node timeout, giving up transaction");
1317         reset_adv_link();
1318         return;
1319     }
1320 
1321     bt_mesh_pb_buf_lock();
1322 
1323     for (i = 0; i < ARRAY_SIZE(link.tx.buf); i++) {
1324         struct net_buf *buf = link.tx.buf[i];
1325 
1326         if (!buf) {
1327             break;
1328         }
1329 
1330         if (bt_mesh_atomic_get(&BLE_MESH_ADV_BUSY(buf))) {
1331             continue;
1332         }
1333 
1334         BT_DBG("%u bytes: %s", buf->len, bt_hex(buf->data, buf->len));
1335 
1336         if (i + 1 < ARRAY_SIZE(link.tx.buf) && link.tx.buf[i + 1]) {
1337             bt_mesh_adv_send(buf, NULL, NULL);
1338         } else {
1339             bt_mesh_adv_send(buf, &buf_sent_cb, NULL);
1340         }
1341 
1342     }
1343 
1344     bt_mesh_pb_buf_unlock();
1345 }
1346 
link_open(struct prov_rx * rx,struct net_buf_simple * buf)1347 static void link_open(struct prov_rx *rx, struct net_buf_simple *buf)
1348 {
1349     BT_DBG("len %u", buf->len);
1350 
1351     if (buf->len < 16) {
1352         BT_ERR("Too short bearer open message (len %u)", buf->len);
1353         return;
1354     }
1355 
1356     if (bt_mesh_atomic_test_bit(link.flags, LINK_ACTIVE)) {
1357         /* Send another link ack if the provisioner missed the last */
1358         if (link.id == rx->link_id && link.expect == PROV_INVITE) {
1359             BT_DBG("Resending link ack");
1360             bearer_ctl_send(LINK_ACK, NULL, 0);
1361         } else {
1362             BT_INFO("Ignoring bearer open: link already active");
1363         }
1364 
1365         return;
1366     }
1367 
1368     if (memcmp(buf->data, prov->uuid, 16)) {
1369         BT_DBG("Bearer open message not for us");
1370         return;
1371     }
1372 
1373     if (prov->link_open) {
1374         prov->link_open(BLE_MESH_PROV_ADV);
1375     }
1376 
1377     link.id = rx->link_id;
1378     bt_mesh_atomic_set_bit(link.flags, LINK_ACTIVE);
1379     net_buf_simple_reset(link.rx.buf);
1380 
1381 #if defined(CONFIG_BLE_MESH_USE_DUPLICATE_SCAN)
1382     /* Add the link id into exceptional list */
1383     bt_mesh_update_exceptional_list(BLE_MESH_EXCEP_LIST_SUB_CODE_ADD,
1384                                     BLE_MESH_EXCEP_LIST_TYPE_MESH_LINK_ID, &link.id);
1385 #endif
1386 
1387     bearer_ctl_send(LINK_ACK, NULL, 0);
1388 
1389     link.expect = PROV_INVITE;
1390 }
1391 
link_ack(struct prov_rx * rx,struct net_buf_simple * buf)1392 static void link_ack(struct prov_rx *rx, struct net_buf_simple *buf)
1393 {
1394     BT_DBG("len %u", buf->len);
1395 }
1396 
link_close(struct prov_rx * rx,struct net_buf_simple * buf)1397 static void link_close(struct prov_rx *rx, struct net_buf_simple *buf)
1398 {
1399     BT_DBG("len %u", buf->len);
1400 
1401     reset_adv_link();
1402 }
1403 
gen_prov_ctl(struct prov_rx * rx,struct net_buf_simple * buf)1404 static void gen_prov_ctl(struct prov_rx *rx, struct net_buf_simple *buf)
1405 {
1406     BT_DBG("op 0x%02x len %u", BEARER_CTL(rx->gpc), buf->len);
1407 
1408     switch (BEARER_CTL(rx->gpc)) {
1409     case LINK_OPEN:
1410         link_open(rx, buf);
1411         break;
1412     case LINK_ACK:
1413         if (!bt_mesh_atomic_test_bit(link.flags, LINK_ACTIVE)) {
1414             return;
1415         }
1416 
1417         link_ack(rx, buf);
1418         break;
1419     case LINK_CLOSE:
1420         if (!bt_mesh_atomic_test_bit(link.flags, LINK_ACTIVE)) {
1421             return;
1422         }
1423 
1424         link_close(rx, buf);
1425         break;
1426     default:
1427         BT_ERR("Unknown bearer opcode: 0x%02x", BEARER_CTL(rx->gpc));
1428         return;
1429     }
1430 }
1431 
prov_msg_recv(void)1432 static void prov_msg_recv(void)
1433 {
1434     uint8_t type = link.rx.buf->data[0];
1435 
1436     BT_DBG("type 0x%02x len %u", type, link.rx.buf->len);
1437 
1438     if (!bt_mesh_fcs_check(link.rx.buf, link.rx.fcs)) {
1439         BT_ERR("Incorrect FCS");
1440         return;
1441     }
1442 
1443     gen_prov_ack_send(link.rx.id);
1444     link.rx.prev_id = link.rx.id;
1445     link.rx.id = 0U;
1446 
1447     if (bt_mesh_atomic_test_bit(link.flags, LINK_INVALID)) {
1448         BT_WARN("Unexpected msg 0x%02x on invalidated link", type);
1449         prov_send_fail_msg(PROV_ERR_UNEXP_PDU);
1450         return;
1451     }
1452 
1453     /* For case MESH/NODE/PROV/BI-15-C, when the node receive a Provisioning PDU
1454      * with the Type field set to the lowest unsupported or RFU value, it sends a
1455      * Provisioning Failed PDU with the Error Code field set to Invalid PDU(0x01).
1456      */
1457     if (type >= ARRAY_SIZE(prov_handlers)) {
1458         BT_ERR("Unknown provisioning PDU type 0x%02x", type);
1459         prov_send_fail_msg(PROV_ERR_NVAL_PDU);
1460         return;
1461     }
1462 
1463     if (type != PROV_FAILED && type != link.expect) {
1464         BT_WARN("Unexpected msg 0x%02x != 0x%02x", type, link.expect);
1465         prov_send_fail_msg(PROV_ERR_UNEXP_PDU);
1466         return;
1467     }
1468 
1469     if (1 + prov_handlers[type].len != link.rx.buf->len) {
1470         BT_ERR("Invalid length %u for type 0x%02x",
1471                 link.rx.buf->len, type);
1472         prov_send_fail_msg(PROV_ERR_NVAL_FMT);
1473         return;
1474     }
1475 
1476     /* Changed by Espressif, add provisioning timeout timer operations.
1477      * When received a provisioning PDU, restart the 60s timer.
1478      */
1479     k_delayed_work_submit(&link.prot_timer, PROTOCOL_TIMEOUT);
1480 
1481     prov_handlers[type].func(&link.rx.buf->data[1]);
1482 }
1483 
gen_prov_cont(struct prov_rx * rx,struct net_buf_simple * buf)1484 static void gen_prov_cont(struct prov_rx *rx, struct net_buf_simple *buf)
1485 {
1486     uint8_t seg = CONT_SEG_INDEX(rx->gpc);
1487 
1488     BT_DBG("len %u, seg_index %u", buf->len, seg);
1489 
1490     if (!link.rx.seg && link.rx.prev_id == rx->xact_id) {
1491         BT_INFO("Resending ack");
1492         gen_prov_ack_send(rx->xact_id);
1493         return;
1494     }
1495 
1496     if (rx->xact_id != link.rx.id) {
1497         BT_WARN("Data for unknown transaction (%u != %u)",
1498                 rx->xact_id, link.rx.id);
1499         return;
1500     }
1501 
1502     if (seg > link.rx.last_seg) {
1503         BT_ERR("Invalid segment index %u", seg);
1504         prov_send_fail_msg(PROV_ERR_NVAL_FMT);
1505         return;
1506     } else if (seg == link.rx.last_seg) {
1507         uint8_t expect_len = 0U;
1508 
1509         expect_len = (link.rx.buf->len - 20U -
1510                       ((link.rx.last_seg - 1) * 23U));
1511         if (expect_len != buf->len) {
1512             BT_ERR("Incorrect last seg len: %u != %u",
1513                     expect_len, buf->len);
1514             prov_send_fail_msg(PROV_ERR_NVAL_FMT);
1515             return;
1516         }
1517     }
1518 
1519     if (!(link.rx.seg & BIT(seg))) {
1520         BT_INFO("Ignoring already received segment");
1521         return;
1522     }
1523 
1524     memcpy(XACT_SEG_DATA(seg), buf->data, buf->len);
1525     XACT_SEG_RECV(seg);
1526 
1527     if (!link.rx.seg) {
1528         prov_msg_recv();
1529     }
1530 }
1531 
gen_prov_ack(struct prov_rx * rx,struct net_buf_simple * buf)1532 static void gen_prov_ack(struct prov_rx *rx, struct net_buf_simple *buf)
1533 {
1534     BT_DBG("len %u", buf->len);
1535 
1536     if (!link.tx.buf[0]) {
1537         return;
1538     }
1539 
1540     if (rx->xact_id == link.tx.id) {
1541         prov_clear_tx();
1542     }
1543 }
1544 
gen_prov_start(struct prov_rx * rx,struct net_buf_simple * buf)1545 static void gen_prov_start(struct prov_rx *rx, struct net_buf_simple *buf)
1546 {
1547     if (link.rx.seg) {
1548         BT_INFO("Got Start while there are unreceived segments");
1549         return;
1550     }
1551 
1552     if (link.rx.prev_id == rx->xact_id) {
1553         BT_INFO("Resending ack");
1554         gen_prov_ack_send(rx->xact_id);
1555         return;
1556     }
1557 
1558     link.rx.buf->len = net_buf_simple_pull_be16(buf);
1559     link.rx.id  = rx->xact_id;
1560     link.rx.fcs = net_buf_simple_pull_u8(buf);
1561 
1562     BT_DBG("len %u last_seg %u total_len %u fcs 0x%02x", buf->len,
1563            START_LAST_SEG(rx->gpc), link.rx.buf->len, link.rx.fcs);
1564 
1565     if (link.rx.buf->len < 1) {
1566         BT_ERR("Ignoring zero-length provisioning PDU");
1567         prov_send_fail_msg(PROV_ERR_NVAL_FMT);
1568         return;
1569     }
1570 
1571     if (START_LAST_SEG(rx->gpc) > START_LAST_SEG_MAX) {
1572         BT_ERR("Invalid SegN 0x%02x", START_LAST_SEG(rx->gpc));
1573         prov_send_fail_msg(PROV_ERR_UNEXP_ERR);
1574         return;
1575     }
1576 
1577     if (link.rx.buf->len > link.rx.buf->size) {
1578         BT_ERR("Too large provisioning PDU (%u bytes)",
1579                 link.rx.buf->len);
1580         prov_send_fail_msg(PROV_ERR_NVAL_FMT);
1581         return;
1582     }
1583 
1584     if (START_LAST_SEG(rx->gpc) > 0 && link.rx.buf->len <= 20U) {
1585         BT_ERR("Too small total length for multi-segment PDU");
1586         prov_send_fail_msg(PROV_ERR_NVAL_FMT);
1587         return;
1588     }
1589 
1590     link.rx.seg = (1 << (START_LAST_SEG(rx->gpc) + 1)) - 1;
1591     link.rx.last_seg = START_LAST_SEG(rx->gpc);
1592     memcpy(link.rx.buf->data, buf->data, buf->len);
1593     XACT_SEG_RECV(0);
1594 
1595     if (!link.rx.seg) {
1596         prov_msg_recv();
1597     }
1598 }
1599 
1600 static const struct {
1601     void (*func)(struct prov_rx *rx, struct net_buf_simple *buf);
1602     bool require_link;
1603     uint8_t min_len;
1604 } gen_prov[] = {
1605     { gen_prov_start, true, 3 },
1606     { gen_prov_ack, true, 0 },
1607     { gen_prov_cont, true, 0 },
1608     { gen_prov_ctl, false, 0 },
1609 };
1610 
gen_prov_recv(struct prov_rx * rx,struct net_buf_simple * buf)1611 static void gen_prov_recv(struct prov_rx *rx, struct net_buf_simple *buf)
1612 {
1613     if (buf->len < gen_prov[GPCF(rx->gpc)].min_len) {
1614         BT_ERR("Too short GPC message type %u", GPCF(rx->gpc));
1615         return;
1616     }
1617 
1618     if (!bt_mesh_atomic_test_bit(link.flags, LINK_ACTIVE) &&
1619             gen_prov[GPCF(rx->gpc)].require_link) {
1620         BT_DBG("Ignoring message that requires active link");
1621         return;
1622     }
1623 
1624     gen_prov[GPCF(rx->gpc)].func(rx, buf);
1625 }
1626 
bt_mesh_pb_adv_recv(struct net_buf_simple * buf)1627 void bt_mesh_pb_adv_recv(struct net_buf_simple *buf)
1628 {
1629     struct prov_rx rx = {0};
1630 
1631     if (!bt_prov_active() && bt_mesh_is_provisioned()) {
1632         BT_DBG("Ignoring provisioning PDU - already provisioned");
1633         return;
1634     }
1635 
1636     if (buf->len < 6) {
1637         BT_WARN("Too short provisioning packet (len %u)", buf->len);
1638         return;
1639     }
1640 
1641     rx.link_id = net_buf_simple_pull_be32(buf);
1642     rx.xact_id = net_buf_simple_pull_u8(buf);
1643     rx.gpc = net_buf_simple_pull_u8(buf);
1644 
1645     BT_DBG("link_id 0x%08x xact_id %u", rx.link_id, rx.xact_id);
1646 
1647     if (bt_mesh_atomic_test_bit(link.flags, LINK_ACTIVE) && link.id != rx.link_id) {
1648         BT_DBG("Ignoring mesh beacon for unknown link");
1649         return;
1650     }
1651 
1652     gen_prov_recv(&rx, buf);
1653 }
1654 #endif /* CONFIG_BLE_MESH_PB_ADV */
1655 
1656 #if defined(CONFIG_BLE_MESH_PB_GATT)
bt_mesh_pb_gatt_recv(struct bt_mesh_conn * conn,struct net_buf_simple * buf)1657 int bt_mesh_pb_gatt_recv(struct bt_mesh_conn *conn, struct net_buf_simple *buf)
1658 {
1659     uint8_t type = 0U;
1660 
1661     BT_DBG("%u bytes: %s", buf->len, bt_hex(buf->data, buf->len));
1662 
1663     if (link.conn != conn) {
1664         BT_WARN("Data for unexpected connection");
1665         return -ENOTCONN;
1666     }
1667 
1668     if (buf->len < 1) {
1669         BT_WARN("Too short provisioning packet (len %u)", buf->len);
1670         return -EINVAL;
1671     }
1672 
1673     /* For case MESH/NODE/PROV/BI-03-C, if the link is closed, when the node receive
1674      * a Provisioning PDU , it will send a Provisioning Failed PDU with the Error Code
1675      * field set to Unexpected PDU(0x03).
1676      */
1677     if (bt_mesh_atomic_test_bit(link.flags, LINK_INVALID)) {
1678         BT_WARN("Unexpected msg 0x%02x on invalid link", type);
1679         prov_send_fail_msg(PROV_ERR_UNEXP_PDU);
1680         return -EINVAL;
1681     }
1682 
1683     /* For case MESH/NODE/PROV/BI-15-C, when the node receive a Provisioning PDU
1684      * with the Type field set to the lowest unsupported or RFU value, it sends a
1685      * Provisioning Failed PDU with the Error Code field set to Invalid PDU(0x01).
1686      */
1687     type = net_buf_simple_pull_u8(buf);
1688     if (type >= ARRAY_SIZE(prov_handlers)) {
1689         BT_ERR("Unknown provisioning PDU type 0x%02x", type);
1690         prov_send_fail_msg(PROV_ERR_NVAL_PDU);
1691         return -EINVAL;
1692     }
1693 
1694     if (type != PROV_FAILED && type != link.expect) {
1695         BT_WARN("Unexpected msg 0x%02x != 0x%02x", type, link.expect);
1696         prov_send_fail_msg(PROV_ERR_UNEXP_PDU);
1697         return -EINVAL;
1698     }
1699 
1700     if (prov_handlers[type].len != buf->len) {
1701         BT_ERR("Invalid length %u for type 0x%02x", buf->len, type);
1702         return -EINVAL;
1703     }
1704 
1705     /* Changed by Espressif, add provisioning timeout timer operations.
1706      * When received a provisioning PDU, restart the 60s timer.
1707      */
1708     k_delayed_work_submit(&link.prot_timer, PROTOCOL_TIMEOUT);
1709 
1710     prov_handlers[type].func(buf->data);
1711 
1712     return 0;
1713 }
1714 
bt_mesh_pb_gatt_open(struct bt_mesh_conn * conn)1715 int bt_mesh_pb_gatt_open(struct bt_mesh_conn *conn)
1716 {
1717     BT_DBG("conn %p", conn);
1718 
1719     if (bt_mesh_atomic_test_and_set_bit(link.flags, LINK_ACTIVE)) {
1720         return -EBUSY;
1721     }
1722 
1723     link.conn = bt_mesh_conn_ref(conn);
1724     link.expect = PROV_INVITE;
1725 
1726     if (prov->link_open) {
1727         prov->link_open(BLE_MESH_PROV_GATT);
1728     }
1729 
1730     return 0;
1731 }
1732 
bt_mesh_pb_gatt_close(struct bt_mesh_conn * conn)1733 int bt_mesh_pb_gatt_close(struct bt_mesh_conn *conn)
1734 {
1735     BT_DBG("conn %p", conn);
1736 
1737     if (link.conn != conn) {
1738         BT_ERR("Not connected");
1739         return -ENOTCONN;
1740     }
1741 
1742     if (prov->link_close) {
1743         prov->link_close(BLE_MESH_PROV_GATT);
1744     }
1745 
1746     reset_state();
1747 
1748     return 0;
1749 }
1750 #endif /* CONFIG_BLE_MESH_PB_GATT */
1751 
bt_mesh_prov_get(void)1752 const struct bt_mesh_prov *bt_mesh_prov_get(void)
1753 {
1754     return prov;
1755 }
1756 
bt_prov_active(void)1757 bool bt_prov_active(void)
1758 {
1759     return bt_mesh_atomic_test_bit(link.flags, LINK_ACTIVE);
1760 }
1761 
protocol_timeout(struct k_work * work)1762 static void protocol_timeout(struct k_work *work)
1763 {
1764     BT_WARN("Protocol timeout");
1765 
1766 #if defined(CONFIG_BLE_MESH_PB_GATT)
1767     if (link.conn) {
1768         bt_mesh_pb_gatt_close(link.conn);
1769         return;
1770     }
1771 #endif
1772 
1773 #if defined(CONFIG_BLE_MESH_PB_ADV)
1774     uint8_t reason = CLOSE_REASON_TIMEOUT;
1775 
1776     link.rx.seg = 0U;
1777     bearer_ctl_send(LINK_CLOSE, &reason, sizeof(reason));
1778 
1779     reset_state();
1780 #endif
1781 }
1782 
bt_mesh_prov_init(const struct bt_mesh_prov * prov_info)1783 int bt_mesh_prov_init(const struct bt_mesh_prov *prov_info)
1784 {
1785     const uint8_t *key = NULL;
1786 
1787     if (!prov_info) {
1788         BT_ERR("No provisioning context provided");
1789         return -EINVAL;
1790     }
1791 
1792     if (prov_info->static_val_len > BLE_MESH_PROV_STATIC_OOB_MAX_LEN ||
1793         prov_info->output_size > BLE_MESH_PROV_OUTPUT_OOB_MAX_LEN ||
1794         prov_info->input_size > BLE_MESH_PROV_INPUT_OOB_MAX_LEN) {
1795         BT_ERR("Invalid authentication oob length");
1796         return -EINVAL;
1797     }
1798 
1799     __ASSERT(prov_info->uuid, "Device UUID not initialized");
1800 
1801     /* Changed by Espressif. Use micro-ecc to generate public key now. */
1802     key = bt_mesh_pub_key_get();
1803     if (!key) {
1804         BT_ERR("Failed to generate public key");
1805         return -EIO;
1806     }
1807 
1808     k_delayed_work_init(&link.prot_timer, protocol_timeout);
1809 
1810     prov = prov_info;
1811 
1812 #if defined(CONFIG_BLE_MESH_PB_ADV)
1813     k_delayed_work_init(&link.tx.retransmit, prov_retransmit);
1814 #endif
1815 
1816     reset_state();
1817 
1818 #if defined(CONFIG_BLE_MESH_PB_ADV)
1819     bt_mesh_pb_buf_mutex_new();
1820 #endif
1821 
1822     return 0;
1823 }
1824 
1825 #if CONFIG_BLE_MESH_DEINIT
bt_mesh_prov_deinit(void)1826 int bt_mesh_prov_deinit(void)
1827 {
1828     if (prov == NULL) {
1829         BT_ERR("No provisioning context provided");
1830         return -EINVAL;
1831     }
1832 
1833     k_delayed_work_free(&link.prot_timer);
1834 
1835 #if defined(CONFIG_BLE_MESH_PB_ADV)
1836     prov_clear_tx();
1837     k_delayed_work_free(&link.tx.retransmit);
1838 #if defined(CONFIG_BLE_MESH_USE_DUPLICATE_SCAN)
1839     /* Remove the link id from exceptional list */
1840     bt_mesh_update_exceptional_list(BLE_MESH_EXCEP_LIST_SUB_CODE_REMOVE,
1841                                     BLE_MESH_EXCEP_LIST_TYPE_MESH_LINK_ID, &link.id);
1842 #endif /* CONFIG_BLE_MESH_USE_DUPLICATE_SCAN */
1843 #endif /* CONFIG_BLE_MESH_PB_ADV */
1844 
1845     (void)memset(&link, 0, sizeof(link));
1846 
1847 #if defined(CONFIG_BLE_MESH_PB_ADV)
1848     bt_mesh_pb_buf_mutex_free();
1849 #endif
1850 
1851     prov = NULL;
1852 
1853     return 0;
1854 }
1855 #endif /* CONFIG_BLE_MESH_DEINIT */
1856 
bt_mesh_prov_complete(uint16_t net_idx,const uint8_t net_key[16],uint16_t addr,uint8_t flags,uint32_t iv_index)1857 void bt_mesh_prov_complete(uint16_t net_idx, const uint8_t net_key[16],
1858                            uint16_t addr, uint8_t flags, uint32_t iv_index)
1859 {
1860     if (prov->complete) {
1861         prov->complete(net_idx, net_key, addr, flags, iv_index);
1862     }
1863 }
1864 
bt_mesh_prov_reset(void)1865 void bt_mesh_prov_reset(void)
1866 {
1867     if (prov->reset) {
1868         prov->reset();
1869     }
1870 }
1871 
1872 #endif /* CONFIG_BLE_MESH_NODE */
1873