1 /*
2 * Copyright 2018 Oticon A/S
3 *
4 * SPDX-License-Identifier: Apache-2.0
5 */
6 #include <stdint.h>
7 #include <string.h>
8 #include <openssl/evp.h>
9 #include "blecrypt.h"
10
11 // Performs simple AES-128 encryption of 128-bit data.
12 // This is the security function e (BT Core v4.2 vol 3 part H section 2.2.1).
13 // This is also the HCI_LE_Encrypt command (BT Core v4.2 vol 1 part E section 7.8.22).
14 // Applications:
15 // * Generating and resolving resolvable random address (via ah function, BT Core v4.2 vol 3 part H section 2.2.2).
16 // * Generating pairing confirm value (via c1 function, BT Core v4.2 vol 3 part H section 2.2.3).
17 // * Generating short term key (via s1 function, BT Core v4.2 vol 3 part H section 2.2.4).
18 // * Generating session key.
blecrypt_aes_128(const uint8_t * key_be,const uint8_t * plaintext_data_be,uint8_t * encrypted_data_be)19 void blecrypt_aes_128(
20 // Inputs
21 const uint8_t *key_be, // Key (KEY_LEN bytes, BIG-ENDIAN)
22 const uint8_t *plaintext_data_be, // Plaintext data (KEY_LEN bytes, BIG-ENDIAN)
23 // Outputs (the pointers themselves are inputs and must point to large enough areas)
24 uint8_t *encrypted_data_be) // Encrypted data (KEY_LEN bytes, BIG-ENDIAN)
25 {
26 // Create OpenSSL cypher context
27 EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
28 // Set cipher type to AES-128, mode to ECB ("Electronic Codebook": simple independent encryption of blocks),
29 // and provide encryption key
30 EVP_EncryptInit(ctx, EVP_aes_128_ecb(), key_be, NULL);
31 // Encrypt plaintext data and put result in encrypted_data_be and length in outlen
32 int outlen;
33 EVP_EncryptUpdate(ctx, encrypted_data_be, &outlen, plaintext_data_be, SKD_LEN);
34 // Free cipher context
35 EVP_CIPHER_CTX_free(ctx);
36 }
37
38 // Encrypts payload of one packet and appends MIC.
39 // Encrypted and unencrypted packet payloads must reside at different (non-overlapping) locations.
blecrypt_packet_encrypt(uint8_t packet_1st_header_byte,uint8_t packet_payload_len,const uint8_t * packet_payload,const uint8_t * sk,const uint8_t * ccm_nonce,uint8_t * encrypted_packet_payload_and_mic)40 void blecrypt_packet_encrypt(
41 // Inputs
42 uint8_t packet_1st_header_byte, // First byte of packet header (or just LLID and RFU (RFU=0 for BLE v4.x) - other bits are ignored)
43 uint8_t packet_payload_len, // Packet payload length (not including header and MIC)
44 const uint8_t *packet_payload, // Packet payload to be encrypted (packet_payload_len bytes)
45 const uint8_t *sk, // Session key (KEY_LEN bytes, BIG-ENDIAN)
46 const uint8_t *ccm_nonce, // CCM Nonce (NONCE_LEN bytes, little-endian)
47 // Outputs (the pointers themselves are inputs and must point to large enough areas)
48 uint8_t *encrypted_packet_payload_and_mic) // Resulting encrypted payload with MIC appended (packet_payload_len + MIC_LEN bytes)
49 {
50 // Set additional authenticated data (AAD) to first byte of packet header with NESN = SN = MD = 0
51 uint8_t aad = packet_1st_header_byte & 0xE3;
52 blecrypt_packet_encrypt_v2(aad,
53 packet_payload_len,
54 packet_payload,
55 sk,
56 ccm_nonce,
57 encrypted_packet_payload_and_mic);
58 }
59
60 // Decrypt payload of one packet and checks MIC (if present).
61 // Encrypted and unencrypted packet payloads must reside at different (non-overlapping) locations.
blecrypt_packet_decrypt(uint8_t packet_1st_header_byte,uint8_t packet_payload_len,const uint8_t * packet_payload_and_mic,const uint8_t * sk,const uint8_t * ccm_nonce,int no_mic,uint8_t * decrypted_packet_payload)62 int blecrypt_packet_decrypt( // Returns 1 if MIC is ok, else 0
63 // Inputs
64 uint8_t packet_1st_header_byte, // First byte of packet header (or just LLID and RFU (RFU=0 for BLE v4.x) - other bits are ignored)
65 uint8_t packet_payload_len, // Packet payload length (not including header and MIC)
66 const uint8_t *packet_payload_and_mic, // Packet payload (with MIC if any) to be decrypted (packet_payload_len (+ MIC_LEN) bytes)
67 const uint8_t *sk, // Session key (KEY_LEN bytes, BIG-ENDIAN)
68 const uint8_t *ccm_nonce, // CCM Nonce (NONCE_LEN bytes, little-endian)
69 int no_mic, // 1 if packet to be decrypted does not include a MIC, otherwise 0
70 // Outputs (the pointers themselves are inputs and must point to large enough areas)
71 uint8_t *decrypted_packet_payload) // Resulting decrypted payload (packet_payload_len bytes)
72 {
73 // Set additional authenticated data (AAD) to first byte of packet header with NESN = SN = MD = 0
74 uint8_t aad = packet_1st_header_byte & 0xE3;
75 return blecrypt_packet_decrypt_v2(aad,
76 packet_payload_len,
77 packet_payload_and_mic,
78 sk,
79 ccm_nonce,
80 no_mic,
81 decrypted_packet_payload);
82 }
83
84 /**
85 * Encrypt a BLE packet payload and append the MIC,
86 * as per Bluetooth Core Specification Version 5.3 | Vol 6, Part E
87 *
88 * In comparison to blecrypt_packet_encrypt()
89 * this version is adapted to not apply the BT 4.2 AAD mask,
90 * but leave it to the caller, to be more transparent as to how the mask is meant to be applied
91 * for newer standard versions.
92 *
93 * \note Encrypted and unencrypted packet payloads must reside at different (non-overlapping) locations.
94 *
95 * \param[in] aad Additional Authentication Data: First byte of packet header after applying the bit mask
96 * Note: For BT 4.2 this is 0xE3. For 5.2 it depends on the packet type.
97 * \param[in] packet_payload_len Input packet payload length (i.e. not including header and MIC)
98 * \param[in] packet_payload Pointer to the packet payload to be encrypted (buffer must contain packet_payload_len bytes)
99 * \param[in] sk Session key (KEY_LEN bytes, BIG-ENDIAN)
100 * \param[in] ccm_nonce CCM Nonce (NONCE_LEN bytes, little-endian)
101 *
102 * \param[out] encrypted_packet_payload_and_mic Pointer to a buffer where the resulting encrypted payload with MIC appended will be stored
103 * (packet_payload_len + MIC_LEN bytes). The caller must allocate it.
104 */
blecrypt_packet_encrypt_v2(uint8_t aad,int packet_payload_len,const uint8_t * packet_payload,const uint8_t * sk,const uint8_t * ccm_nonce,uint8_t * encrypted_packet_payload_and_mic)105 void blecrypt_packet_encrypt_v2(
106 uint8_t aad,
107 int packet_payload_len,
108 const uint8_t *packet_payload,
109 const uint8_t *sk,
110 const uint8_t *ccm_nonce,
111 uint8_t *encrypted_packet_payload_and_mic)
112 {
113 int outlen;
114 // Set plaintext pointer to start of input packet payload
115 const uint8_t *pt = packet_payload;
116 // Set ciphertext pointer to start of encrypted packet payload
117 uint8_t *ct = encrypted_packet_payload_and_mic;
118 const int aad_len = 1; //Length of the Additional Authentication Data as per BT spec
119 // Allocate new cipher context
120 EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
121 // Set cipher type to 128-bit AES, and mode to CCM (Counter with CBC-MAC)
122 EVP_EncryptInit_ex(ctx, EVP_aes_128_ccm(), NULL, NULL, NULL);
123 // Set nonce length (because it is different from the 96-bit default)
124 EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_IVLEN, NONCE_LEN, NULL);
125 // Set MIC (a.k.a MAC tag) length
126 EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG, MIC_LEN, NULL);
127 // Set encryption key and initialization vector (nonce)
128 EVP_EncryptInit_ex(ctx, NULL, NULL, sk, ccm_nonce);
129 // Set plaintext length (needed because AAD is used)
130 EVP_EncryptUpdate(ctx, NULL, &outlen, NULL, packet_payload_len);
131 // Provide AAD (addition authenticated data)
132 EVP_EncryptUpdate(ctx, NULL, &outlen, &aad, aad_len);
133 // Encrypt plaintext to cyphertext (and return number of encrypted bytes in outlen)
134 EVP_EncryptUpdate(ctx, ct, &outlen, pt, packet_payload_len);
135 // Get MIC and append it to encrypted data
136 EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_GET_TAG, MIC_LEN, (ct += outlen));
137 // Free cypher context
138 EVP_CIPHER_CTX_free(ctx);
139 }
140
141 /**
142 * Decrypt a BLE packet payload and check the MIC (if present)
143 * as per Bluetooth Core Specification Version 5.3 | Vol 6, Part E
144 *
145 * In comparison to blecrypt_packet_decrypt()
146 * this version is adapted to not apply the BT 4.2 AAD mask,
147 * but leave it to the caller, to be more transparent as to how the mask is meant to be applied
148 * for newer standard versions.
149 *
150 * \note Encrypted and unencrypted packet payloads must reside at different (non-overlapping) locations.
151 *
152 * \param[in] aad Additional Authentication Data: First byte of packet header after applying the bit mask
153 * Note: For BT 4.2 this is 0xE3. For 5.2 it depends on the packet type.
154 * \param[in] packet_payload_len Unencrypted packet payload length (i.e. *not* including header and MIC)
155 * \param[in] packet_payload_and mic Pointer to the packet payload (with MIC if any) to be decrypted (packet_payload_len (+ MIC_LEN) bytes)
156 * \param[in] sk Session key (KEY_LEN bytes, BIG-ENDIAN)
157 * \param[in] ccm_nonce CCM Nonce (NONCE_LEN bytes, little-endian)
158 * \param[in] no_mic Set to 1 if packet to be decrypted does not include a MIC, otherwise 0
159 *
160 * \param[out] decrypted_packet_payload Pointer to a buffer where the resulting decrypted payload will be stored
161 * (packet_payload_len bytes). The caller must allocate it.
162 *
163 * \return Returns 1 if MIC is ok, else 0
164 */
blecrypt_packet_decrypt_v2(uint8_t aad,int packet_payload_len,const uint8_t * packet_payload_and_mic,const uint8_t * sk,const uint8_t * ccm_nonce,int no_mic,uint8_t * decrypted_packet_payload)165 int blecrypt_packet_decrypt_v2(
166 uint8_t aad,
167 int packet_payload_len,
168 const uint8_t *packet_payload_and_mic,
169 const uint8_t *sk,
170 const uint8_t *ccm_nonce,
171 int no_mic,
172 uint8_t *decrypted_packet_payload)
173 {
174 int outlen, ok;
175 // Set ciphertext pointer to start of input packet payload
176 const uint8_t *ct = packet_payload_and_mic;
177 // Set plaintext pointer to start of decrypted packet payload
178 uint8_t *pt = decrypted_packet_payload;
179 const int aad_len = 1; //Length of the Additional Authentication Data as per BT spec
180 // Allocate new cipher context
181 EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
182 // Set cipher type to 128-bit AES, and mode to CCM (Counter with CBC-MAC)
183 EVP_DecryptInit(ctx, EVP_aes_128_ccm(), NULL, NULL);
184 // Set nonce length (because it is different from the 96-bit default)
185 EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_IVLEN, NONCE_LEN, NULL);
186 // Set hack flag indicating whether packet has MIC (standard BLE) or not
187 EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_IGNORE_TAG, no_mic, NULL);
188
189 if (no_mic)
190 {
191 /* Set dummy MIC (a.k.a. tag) value to prevent complaints from OpenSSL */
192 EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG, MIC_LEN, (uint8_t[MIC_LEN]){0});
193 }
194 else
195 {
196 /* Set expected MIC (a.k.a. tag) value (located at ct + packet_payload_len) */
197 EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG, MIC_LEN, (uint8_t *) ct + packet_payload_len);
198 }
199 // Set decryption key and initialization vector (nonce)
200 EVP_DecryptInit(ctx, NULL, sk, ccm_nonce);
201 // Set ciphertext length (needed because AAD is used)
202 EVP_DecryptUpdate(ctx, NULL, &outlen, NULL, packet_payload_len);
203 // Provide AAD (addition authenticated data)
204 EVP_DecryptUpdate(ctx, NULL, &outlen, &aad, aad_len);
205 // Decrypt ciphertext to plaintext and verify MIC (also return number of decrypted bytes in outlen)
206 ok = EVP_DecryptUpdate(ctx, pt, &outlen, ct, packet_payload_len);
207 // Free cipher context
208 EVP_CIPHER_CTX_free(ctx);
209 return ok;
210 }
211
212
213 /**
214 * CCM encrypt a packet payload and append the MAC/MIC,
215 *
216 * In comparison to blecrypt_packet_encrypt_v2()
217 * this version accepts variable sized AAD, and variable sized MAC/MIC
218 * to support 802.15.4 usecases.
219 * As such the "blecrypt_" prefix remains only due to the component it belongs to
220 *
221 * \note Encrypted and unencrypted packet payloads must reside at different (non-overlapping) locations.
222 *
223 * \param[in] adata Additional Authentication Data. Note, for BLE any possible bitmask must be applied by the caller
224 * \param[in] alen Length of adata
225 * \param[in] mlen Unencrypted packet payload length (i.e. *not* including header and MAC/MIC)
226 * \param[in] maclen Size of the MAC/MIC in bytes
227 * \param[in] noncelen Size of the nonce in bytes
228 * \param[in] mdata Unencrypted/input packet payload
229 * \param[in] sk Session key (KEY_LEN bytes)
230 * \param[in] ccm_nonce CCM Nonce (noncelen bytes)
231 *
232 * \param[out] encrypted_packet_payload_and_mac Pointer to a buffer where the resulting encrypted payload with MAC appended will be stored
233 * (mlen + maclen bytes). The caller must allocate it.
234 */
blecrypt_packet_encrypt_v3(uint8_t * adata,int alen,int mlen,int maclen,int noncelen,const uint8_t * mdata,const uint8_t * sk,const uint8_t * ccm_nonce,uint8_t * encrypted_packet_payload_and_mac)235 void blecrypt_packet_encrypt_v3(
236 uint8_t *adata,
237 int alen,
238 int mlen,
239 int maclen,
240 int noncelen,
241 const uint8_t *mdata,
242 const uint8_t *sk,
243 const uint8_t *ccm_nonce,
244 uint8_t *encrypted_packet_payload_and_mac)
245 {
246 int outlen;
247 // Set plaintext pointer to start of input packet payload
248 const uint8_t *pt = mdata;
249 // Set cyphertext pointer to start of encrypted packet payload
250 uint8_t *ct = encrypted_packet_payload_and_mac;
251
252 // Allocate new cypher context
253 EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
254 // Set cipher type to 128-bit AES, and mode to CCM (Counter with CBC-MAC)
255 EVP_EncryptInit_ex(ctx, EVP_aes_128_ccm(), NULL, NULL, NULL);
256 // Set nonce length (because it is different from the 96-bit default)
257 EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_IVLEN, noncelen, NULL);
258 // Set MAC (a.k.a MAC tag) length
259 EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG, maclen, NULL);
260 // Set encryption key and initialization vector (nonce)
261 EVP_EncryptInit_ex(ctx, NULL, NULL, sk, ccm_nonce);
262 // Set plaintext length (needed because AAD is used)
263 EVP_EncryptUpdate(ctx, NULL, &outlen, NULL, mlen);
264 // Provide AAD (addition authenticated data)
265 EVP_EncryptUpdate(ctx, NULL, &outlen, adata, alen);
266 // Encrypt plaintext to cyphertext (and return number of encrypted bytes in outlen)
267 EVP_EncryptUpdate(ctx, ct, &outlen, pt, mlen);
268 // Get MAC and append it to encrypted data
269 EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_GET_TAG, maclen, (ct += outlen));
270 // Free cypher context
271 EVP_CIPHER_CTX_free(ctx);
272 }
273
274
275 /*
276 * CCM decrypt a packet payload and check the MAC/MIC (if present)
277 *
278 * In comparison to blecrypt_packet_decrypt_v2()
279 * this version accepts variable sized AAD, and variable sized MAC/MIC
280 * to support 802.15.4 usecases.
281 * As such the "blecrypt_" prefix remains only due to the component it belongs to
282 *
283 * \note Encrypted and unencrypted packet payloads must reside at different (non-overlapping) locations.
284 *
285 * \param[in] adata Additional Authentication Data. Note, for BLE any possible bitmask must be applied by the caller
286 * \param[in] alen Length of adata
287 * \param[in] mlen Unencrypted packet payload length (i.e. *not* including header and MAC/MIC)
288 * \param[in] maclen Size of the MAC/MIC in bytes
289 * \param[in] noncelen Size of the nonce in bytes
290 * \param[in] mdata_and_mac Pointer to the packet payload (with MAC if any) to be decrypted (packet_payload_len (+ MIC_LEN) bytes)
291 * \param[in] sk Session key (KEY_LEN bytes)
292 * \param[in] ccm_nonce CCM Nonce (noncelen bytes)
293 * \param[in] no_mac Set to 1 if packet to be decrypted does not include a MAC, otherwise 0
294 *
295 * \param[out] decrypted_packet_payload Pointer to a buffer where the resulting decrypted payload will be stored
296 * (mlen bytes). The caller must allocate it.
297 *
298 * \return Returns 1 if MIC is ok, else 0
299 */
blecrypt_packet_decrypt_v3(uint8_t * adata,int alen,int mlen,int maclen,int noncelen,const uint8_t * mdata_and_mac,const uint8_t * sk,const uint8_t * ccm_nonce,int no_mac,uint8_t * decrypted_packet_payload)300 int blecrypt_packet_decrypt_v3(
301 uint8_t *adata,
302 int alen,
303 int mlen,
304 int maclen,
305 int noncelen,
306 const uint8_t *mdata_and_mac,
307 const uint8_t *sk,
308 const uint8_t *ccm_nonce,
309 int no_mac,
310 uint8_t *decrypted_packet_payload)
311 {
312 int outlen, ok;
313 // Set cyphertext pointer to start of input packet payload
314 const uint8_t *ct = mdata_and_mac;
315 // Set plaintext pointer to start of decrypted packet payload
316 uint8_t *pt = decrypted_packet_payload;
317 // Allocate new cypher context
318 EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
319 // Set cipher type to 128-bit AES, and mode to CCM (Counter with CBC-MAC)
320 EVP_DecryptInit(ctx, EVP_aes_128_ccm(), NULL, NULL);
321 // Set nonce length (because it is different from the 96-bit default)
322 EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_IVLEN, noncelen, NULL);
323 // Set hack flag indicating whether packet has MAC or not
324 EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_IGNORE_TAG, no_mac, NULL);
325
326 if (no_mac) {
327 #define DUMMY_MAC_LEN 4
328 /* Set dummy MAC (a.k.a. tag) value to prevent complaints from OpenSSL */
329 EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG, DUMMY_MAC_LEN, (uint8_t[DUMMY_MAC_LEN]){0});
330 } else {
331 /* Set expected MAC (a.k.a. tag) value (located at ct + mlen) */
332 EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG, maclen, (uint8_t *)ct + mlen);
333 }
334 // Set decryption key and initialization vector (nonce)
335 EVP_DecryptInit(ctx, NULL, sk, ccm_nonce);
336 // Set cyphertext length (needed because AAD is used)
337 EVP_DecryptUpdate(ctx, NULL, &outlen, NULL, mlen);
338 // Provide AAD (addition authenticated data)
339 // Mask the first byte of adata
340 EVP_DecryptUpdate(ctx, NULL, &outlen, adata, alen);
341 // Decrypt cyphertext to plaintext and verify MAC (also return number of decrypted bytes in outlen)
342 ok = EVP_DecryptUpdate(ctx, pt, &outlen, ct, mlen);
343 // Free cypher context
344 EVP_CIPHER_CTX_free(ctx);
345 return ok;
346 }
347
348 // Reverses byte order of data
blecrypt_reverse_byte_order(const uint8_t * in_data,uint8_t * out_data,int len)349 void blecrypt_reverse_byte_order(const uint8_t *in_data, uint8_t *out_data, int len)
350 {
351 int i;
352 in_data += len - 1;
353 for (i = 0; i < len; i++)
354 {
355 *out_data++ = *in_data--;
356 }
357 }
358