1 /* Bluetooth Mesh */
2
3 /*
4 * Copyright (c) 2017 Intel Corporation
5 *
6 * SPDX-License-Identifier: Apache-2.0
7 */
8
9 #include "syscfg/syscfg.h"
10 #define MESH_LOG_MODULE BLE_MESH_CRYPTO_LOG
11
12 #include <string.h>
13 #include <stdbool.h>
14 #include <errno.h>
15
16 #include <tinycrypt/constants.h>
17 #include <tinycrypt/utils.h>
18 #include <tinycrypt/aes.h>
19 #include <tinycrypt/cmac_mode.h>
20 #include <tinycrypt/ccm_mode.h>
21
22 #include "crypto.h"
23
24 #define NET_MIC_LEN(pdu) (((pdu)[1] & 0x80) ? 8 : 4)
25 #define APP_MIC_LEN(aszmic) ((aszmic) ? 8 : 4)
26
bt_mesh_aes_cmac(const u8_t key[16],struct bt_mesh_sg * sg,size_t sg_len,u8_t mac[16])27 int bt_mesh_aes_cmac(const u8_t key[16], struct bt_mesh_sg *sg,
28 size_t sg_len, u8_t mac[16])
29 {
30 size_t sg_len_tmp = sg_len;
31 struct tc_aes_key_sched_struct sched;
32 struct tc_cmac_struct state;
33 struct bt_mesh_sg *sg_tmp = sg;
34
35 if (tc_cmac_setup(&state, key, &sched) == TC_CRYPTO_FAIL) {
36 return -EIO;
37 }
38
39 for (; sg_len_tmp; sg_len_tmp--, sg_tmp++) {
40 if (tc_cmac_update(&state, sg_tmp->data, sg_tmp->len) == TC_CRYPTO_FAIL) {
41 return -EIO;
42 }
43 }
44
45 if (tc_cmac_final(mac, &state) == TC_CRYPTO_FAIL) {
46 return -EIO;
47 }
48
49 return 0;
50 }
51
bt_mesh_k1(const u8_t * ikm,size_t ikm_len,const u8_t salt[16],const char * info,u8_t okm[16])52 int bt_mesh_k1(const u8_t *ikm, size_t ikm_len, const u8_t salt[16],
53 const char *info, u8_t okm[16])
54 {
55 int err;
56 err = bt_mesh_aes_cmac_one(salt, ikm, ikm_len, okm);
57 if (err < 0) {
58 return err;
59 }
60
61 return bt_mesh_aes_cmac_one(okm, info, strlen(info), okm);
62 }
63
bt_mesh_k2(const u8_t n[16],const u8_t * p,size_t p_len,u8_t net_id[1],u8_t enc_key[16],u8_t priv_key[16])64 int bt_mesh_k2(const u8_t n[16], const u8_t *p, size_t p_len,
65 u8_t net_id[1], u8_t enc_key[16], u8_t priv_key[16])
66 {
67 struct bt_mesh_sg sg[3];
68 u8_t salt[16];
69 u8_t out[16];
70 u8_t t[16];
71 u8_t pad;
72 int err;
73 BT_DBG("n %s", bt_hex(n, 16)); // 16:len
74 BT_DBG("p %s", bt_hex(p, p_len));
75 err = bt_mesh_s1("smk2", salt);
76 if (err) {
77 return err;
78 }
79
80 err = bt_mesh_aes_cmac_one(salt, n, 16, t); // 16:len
81 if (err) {
82 return err;
83 }
84
85 pad = 0x01;
86 sg[0].data = NULL;
87 sg[0].len = 0;
88 sg[1].data = p;
89 sg[1].len = p_len;
90 sg[2].data = &pad; // 2:array element
91 sg[2].len = sizeof(pad); // 2:array element
92 err = bt_mesh_aes_cmac(t, sg, ARRAY_SIZE(sg), out);
93 if (err) {
94 return err;
95 }
96
97 net_id[0] = out[15] & 0x7f; // 15:array element
98 sg[0].data = out;
99 sg[0].len = sizeof(out);
100 err = bt_mesh_aes_cmac(t, sg, ARRAY_SIZE(sg), out);
101 if (err) {
102 return err;
103 }
104
105 memcpy(enc_key, out, 16); // 16:len
106 err = bt_mesh_aes_cmac(t, sg, ARRAY_SIZE(sg), out);
107 if (err) {
108 return err;
109 }
110
111 memcpy(priv_key, out, 16); // 16:len
112 BT_DBG("NID 0x%02x enc_key %s", net_id[0], bt_hex(enc_key, 16)); // 16:len
113 BT_DBG("priv_key %s", bt_hex(priv_key, 16)); // 16:len
114 return 0;
115 }
116
bt_mesh_k3(const u8_t n[16],u8_t out[8])117 int bt_mesh_k3(const u8_t n[16], u8_t out[8])
118 {
119 u8_t id64[] = { 'i', 'd', '6', '4', 0x01 };
120 u8_t tmp[16]; // 16:array length
121 u8_t t[16]; // 16:array length
122 int err;
123 err = bt_mesh_s1("smk3", tmp);
124 if (err) {
125 return err;
126 }
127
128 err = bt_mesh_aes_cmac_one(tmp, n, 16, t); // 16:len
129 if (err) {
130 return err;
131 }
132
133 err = bt_mesh_aes_cmac_one(t, id64, sizeof(id64), tmp);
134 if (err) {
135 return err;
136 }
137
138 memcpy(out, tmp + 8, 8); // 8:len
139 return 0;
140 }
141
bt_mesh_k4(const u8_t n[16],u8_t out[1])142 int bt_mesh_k4(const u8_t n[16], u8_t out[1])
143 {
144 u8_t id6[] = { 'i', 'd', '6', 0x01 };
145 u8_t tmp[16];
146 u8_t t[16];
147 int err;
148 err = bt_mesh_s1("smk4", tmp);
149 if (err) {
150 return err;
151 }
152
153 err = bt_mesh_aes_cmac_one(tmp, n, 16, t); // 16:len
154 if (err) {
155 return err;
156 }
157
158 err = bt_mesh_aes_cmac_one(t, id6, sizeof(id6), tmp);
159 if (err) {
160 return err;
161 }
162
163 out[0] = tmp[15] & BIT_MASK(6); // 16:len
164 return 0;
165 }
166
bt_mesh_id128(const u8_t n[16],const char * s,u8_t out[16])167 int bt_mesh_id128(const u8_t n[16], const char *s, u8_t out[16])
168 {
169 const char *id128 = "id128\x01";
170 u8_t salt[16]; // 16:array length
171 int err;
172 err = bt_mesh_s1(s, salt);
173 if (err) {
174 return err;
175 }
176
177 return bt_mesh_k1(n, 16, salt, id128, out); // 16:len
178 }
179
bt_mesh_ccm_decrypt(const u8_t key[16],u8_t nonce[13],const u8_t * enc_msg,size_t msg_len,const u8_t * aad,size_t aad_len,u8_t * out_msg,size_t mic_size)180 static int bt_mesh_ccm_decrypt(const u8_t key[16], u8_t nonce[13],
181 const u8_t *enc_msg, size_t msg_len,
182 const u8_t *aad, size_t aad_len,
183 u8_t *out_msg, size_t mic_size)
184 {
185 u8_t msg[16], pmsg[16], cmic[16], cmsg[16], Xn[16], mic[16]; // 16:array length
186 u16_t last_blk, blk_cnt;
187 size_t i, j;
188 int err;
189
190 size_t aad_len_tmp = aad_len;
191 if (msg_len < 1 || aad_len_tmp >= 0xff00) {
192 return -EINVAL;
193 }
194
195 /* C_mic = e(AppKey, 0x01 || nonce || 0x0000) */
196 pmsg[0] = 0x01;
197 memcpy(pmsg + 1, nonce, 13); // 13:len
198 sys_put_be16(0x0000, pmsg + 14); // 14:byte alignment
199 err = bt_encrypt_be(key, pmsg, cmic);
200 if (err) {
201 return err;
202 }
203
204 /* X_0 = e(AppKey, 0x09 || nonce || length) */
205 if (mic_size == sizeof(u64_t)) {
206 pmsg[0] = 0x19 | (aad_len_tmp ? 0x40 : 0x00);
207 } else {
208 pmsg[0] = 0x09 | (aad_len_tmp ? 0x40 : 0x00);
209 }
210
211 memcpy(pmsg + 1, nonce, 13); // 13:len
212 sys_put_be16(msg_len, pmsg + 14); // 14:byte alignment
213 err = bt_encrypt_be(key, pmsg, Xn);
214 if (err) {
215 return err;
216 }
217
218 /* If AAD is being used to authenticate, include it here */
219 if (aad_len_tmp) {
220 sys_put_be16(aad_len_tmp, pmsg);
221
222 for (i = 0; i < sizeof(u16_t); i++) {
223 pmsg[i] = Xn[i] ^ pmsg[i];
224 }
225
226 j = 0;
227 aad_len_tmp += sizeof(u16_t);
228
229 while (aad_len_tmp > 16) { // 16:Analyzing conditions
230 do {
231 pmsg[i] = Xn[i] ^ aad[j];
232 i++, j++;
233 } while (i < 16); // 16:Analyzing conditions
234
235 aad_len_tmp -= 16; // 16:byte alignment
236 i = 0;
237 err = bt_encrypt_be(key, pmsg, Xn);
238 if (err) {
239 return err;
240 }
241 }
242
243 for (; i < aad_len_tmp; i++, j++) {
244 pmsg[i] = Xn[i] ^ aad[j];
245 }
246
247 for (i = aad_len_tmp; i < 16; i++) { // 16:Analyzing conditions
248 pmsg[i] = Xn[i];
249 }
250
251 err = bt_encrypt_be(key, pmsg, Xn);
252 if (err) {
253 return err;
254 }
255 }
256
257 last_blk = msg_len % 16; // 16:byte alignment
258 blk_cnt = (msg_len + 15) / 16; // 16:byte alignment, 15:byte alignment
259
260 if (!last_blk) {
261 last_blk = 16; // 16:byte alignment
262 }
263
264 for (j = 0; j < blk_cnt; j++) {
265 if (j + 1 == blk_cnt) {
266 pmsg[0] = 0x01;
267 memcpy(pmsg + 1, nonce, 13); // 13:len
268 sys_put_be16(j + 1, pmsg + 14); // 14:byte alignment
269 err = bt_encrypt_be(key, pmsg, cmsg);
270 if (err) {
271 return err;
272 }
273 for (i = 0; i < last_blk; i++) {
274 msg[i] = enc_msg[(j * 16) + i] ^ cmsg[i]; // 16:byte alignment
275 }
276
277 memcpy(out_msg + (j * 16), msg, last_blk); // 16:byte alignment
278
279 /* X_1 = e(AppKey, X_0 ^ Payload[0-15]) */
280 for (i = 0; i < last_blk; i++) {
281 pmsg[i] = Xn[i] ^ msg[i];
282 }
283
284 for (i = last_blk; i < 16; i++) { // 16:Analyzing conditions
285 pmsg[i] = Xn[i] ^ 0x00;
286 }
287
288 err = bt_encrypt_be(key, pmsg, Xn);
289 if (err) {
290 return err;
291 }
292
293 /* MIC = C_mic ^ X_1 */
294 for (i = 0; i < sizeof(mic); i++) {
295 mic[i] = cmic[i] ^ Xn[i];
296 }
297 } else {
298 /* C_1 = e(AppKey, 0x01 || nonce || 0x0001) */
299 pmsg[0] = 0x01;
300 memcpy(pmsg + 1, nonce, 13); // 13:len
301 sys_put_be16(j + 1, pmsg + 14); // 14:byte alignment
302 err = bt_encrypt_be(key, pmsg, cmsg);
303 if (err) {
304 return err;
305 }
306
307 /* Encrypted = Payload[0-15] ^ C_1 */
308 for (i = 0; i < 16; i++) { // 16:Analyzing conditions
309 msg[i] = enc_msg[(j * 16) + i] ^ cmsg[i]; // 16:byte alignment
310 }
311
312 memcpy(out_msg + (j * 16), msg, 16); // 16:byte alignment
313
314 /* X_1 = e(AppKey, X_0 ^ Payload[0-15]) */
315 for (i = 0; i < 16; i++) { // 16:Analyzing conditions
316 pmsg[i] = Xn[i] ^ msg[i];
317 }
318
319 err = bt_encrypt_be(key, pmsg, Xn);
320 if (err) {
321 return err;
322 }
323 }
324 }
325
326 if (memcmp(mic, enc_msg + msg_len, mic_size)) {
327 return -EBADMSG;
328 }
329
330 return 0;
331 }
332
bt_mesh_ccm_encrypt(const u8_t key[16],u8_t nonce[13],const u8_t * msg,size_t msg_len,const u8_t * aad,size_t aad_len,u8_t * out_msg,size_t mic_size)333 static int bt_mesh_ccm_encrypt(const u8_t key[16], u8_t nonce[13],
334 const u8_t *msg, size_t msg_len,
335 const u8_t *aad, size_t aad_len,
336 u8_t *out_msg, size_t mic_size)
337 {
338 u8_t pmsg[16], cmic[16], cmsg[16], mic[16], Xn[16]; // 16:array length
339 u16_t blk_cnt, last_blk;
340 size_t i, j;
341 int err;
342 size_t aad_len_tmp = aad_len;
343 BT_DBG("key %s", bt_hex(key, 16)); // 16:len
344 BT_DBG("nonce %s", bt_hex(nonce, 13)); // 13:len
345 BT_DBG("msg (len %zu) %s", msg_len, bt_hex(msg, msg_len));
346 BT_DBG("aad_len %zu mic_size %zu", aad_len_tmp, mic_size);
347
348 /* Unsupported AAD size */
349 if (aad_len_tmp >= 0xff00) {
350 return -EINVAL;
351 }
352 pmsg[0] = 0x01;
353 memcpy(pmsg + 1, nonce, 13); // 13:len
354 sys_put_be16(0x0000, pmsg + 14); // 14:byte alignment
355 err = bt_encrypt_be(key, pmsg, cmic);
356 if (err) {
357 return err;
358 }
359 if (mic_size == sizeof(u64_t)) {
360 pmsg[0] = 0x19 | (aad_len_tmp ? 0x40 : 0x00);
361 } else {
362 pmsg[0] = 0x09 | (aad_len_tmp ? 0x40 : 0x00);
363 }
364
365 memcpy(pmsg + 1, nonce, 13); // 13:len
366 sys_put_be16(msg_len, pmsg + 14); // 14:byte alignment
367 err = bt_encrypt_be(key, pmsg, Xn);
368 if (err) {
369 return err;
370 }
371
372 /* If AAD is being used to authenticate, include it here */
373 if (aad_len_tmp) {
374 sys_put_be16(aad_len_tmp, pmsg);
375
376 for (i = 0; i < sizeof(u16_t); i++) {
377 pmsg[i] = Xn[i] ^ pmsg[i];
378 }
379
380 j = 0;
381 aad_len_tmp += sizeof(u16_t);
382
383 while (aad_len_tmp > 16) { // 16:Analyzing conditions
384 do {
385 pmsg[i] = Xn[i] ^ aad[j];
386 i++, j++;
387 } while (i < 16); // 16:Analyzing conditions
388
389 aad_len_tmp -= 16; // 16:byte alignment
390 i = 0;
391 err = bt_encrypt_be(key, pmsg, Xn);
392 if (err) {
393 return err;
394 }
395 }
396
397 for (; i < aad_len_tmp; i++, j++) {
398 pmsg[i] = Xn[i] ^ aad[j];
399 }
400
401 for (i = aad_len_tmp; i < 16; i++) { // 16:Analyzing conditions
402 pmsg[i] = Xn[i];
403 }
404
405 err = bt_encrypt_be(key, pmsg, Xn);
406 if (err) {
407 return err;
408 }
409 }
410
411 last_blk = msg_len % 16; // 16:byte alignment
412 blk_cnt = (msg_len + 15) / 16; // 16:byte alignment, 15:byte alignment
413
414 if (!last_blk) {
415 last_blk = 16; // 16:byte alignment
416 }
417
418 for (j = 0; j < blk_cnt; j++) {
419 if (j + 1 == blk_cnt) {
420 for (i = 0; i < last_blk; i++) {
421 pmsg[i] = Xn[i] ^ msg[(j * 16) + i]; // 16:byte alignment
422 }
423
424 for (i = last_blk; i < 16; i++) { // 16:Analyzing conditions
425 pmsg[i] = Xn[i] ^ 0x00;
426 }
427
428 err = bt_encrypt_be(key, pmsg, Xn);
429 if (err) {
430 return err;
431 }
432 for (i = 0; i < sizeof(mic); i++) {
433 mic[i] = cmic[i] ^ Xn[i];
434 }
435 pmsg[0] = 0x01;
436 memcpy(pmsg + 1, nonce, 13); // 13:len
437 sys_put_be16(j + 1, pmsg + 14); // 14:Analyzing conditions
438 err = bt_encrypt_be(key, pmsg, cmsg);
439 if (err) {
440 return err;
441 }
442 for (i = 0; i < last_blk; i++) {
443 out_msg[(j * 16) + i] = // 16:byte alignment
444 msg[(j * 16) + i] ^ cmsg[i]; // 16:byte alignment
445 }
446 } else {
447 for (i = 0; i < 16; i++) { // 16:Analyzing conditions
448 pmsg[i] = Xn[i] ^ msg[(j * 16) + i]; // 16:byte alignment
449 }
450
451 err = bt_encrypt_be(key, pmsg, Xn);
452 if (err) {
453 return err;
454 }
455 pmsg[0] = 0x01;
456 memcpy(pmsg + 1, nonce, 13); // 13:len
457 sys_put_be16(j + 1, pmsg + 14); // 14:Analyzing conditions
458 err = bt_encrypt_be(key, pmsg, cmsg);
459 if (err) {
460 return err;
461 }
462 for (i = 0; i < 16; i++) { // 16:Analyzing conditions
463 out_msg[(j * 16) + i] = // 16:byte alignment
464 msg[(j * 16) + i] ^ cmsg[i]; // 16:byte alignment
465 }
466 }
467 }
468
469 memcpy(out_msg + msg_len, mic, mic_size);
470 return 0;
471 }
472
create_proxy_nonce(u8_t nonce[13],const u8_t * pdu,u32_t iv_index)473 static void create_proxy_nonce(u8_t nonce[13], const u8_t *pdu,
474 u32_t iv_index)
475 {
476 /* Nonce Type */
477 nonce[0] = 0x03;
478 /* Pad */
479 nonce[1] = 0x00;
480 /* Sequence Number */
481 nonce[2] = pdu[2]; // 2:array element
482 nonce[3] = pdu[3]; // 3:array element
483 nonce[4] = pdu[4]; // 4:array element
484 /* Source Address */
485 nonce[5] = pdu[5]; // 5:array element
486 nonce[6] = pdu[6]; // 6:array element
487 /* Pad */
488 nonce[7] = 0; // 7:array element
489 nonce[8] = 0; // 8:array element
490 /* IV Index */
491 sys_put_be32(iv_index, &nonce[9]); // 9:array element
492 }
493
create_net_nonce(u8_t nonce[13],const u8_t * pdu,u32_t iv_index)494 static void create_net_nonce(u8_t nonce[13], const u8_t *pdu,
495 u32_t iv_index)
496 {
497 /* Nonce Type */
498 nonce[0] = 0x00;
499 /* FRND + TTL */
500 nonce[1] = pdu[1];
501 /* Sequence Number */
502 nonce[2] = pdu[2]; // 2:array element
503 nonce[3] = pdu[3]; // 3:array element
504 nonce[4] = pdu[4]; // 4:array element
505 /* Source Address */
506 nonce[5] = pdu[5]; // 5:array element
507 nonce[6] = pdu[6]; // 6:array element
508 /* Pad */
509 nonce[7] = 0; // 7:array element
510 nonce[8] = 0; // 8:array element
511 /* IV Index */
512 sys_put_be32(iv_index, &nonce[9]); // 9:array element
513 }
514
bt_mesh_net_obfuscate(u8_t * pdu,u32_t iv_index,const u8_t privacy_key[16])515 int bt_mesh_net_obfuscate(u8_t *pdu, u32_t iv_index,
516 const u8_t privacy_key[16])
517 {
518 u8_t priv_rand[16] = { 0x00, 0x00, 0x00, 0x00, 0x00, };
519 u8_t tmp[16]; // 16:array length
520 int err, i;
521 BT_DBG("IVIndex %u, PrivacyKey %s", (unsigned) iv_index,
522 bt_hex(privacy_key, 16)); // 16:len
523 sys_put_be32(iv_index, &priv_rand[5]); // 5:array element
524 memcpy(&priv_rand[9], &pdu[7], 7); // 9:array element, 7:array element
525 BT_DBG("PrivacyRandom %s", bt_hex(priv_rand, 16)); // 16:len
526 err = bt_encrypt_be(privacy_key, priv_rand, tmp);
527 if (err) {
528 return err;
529 }
530
531 for (i = 0; i < 6; i++) {
532 pdu[1 + i] ^= tmp[i];
533 }
534
535 return 0;
536 }
537
bt_mesh_net_encrypt(const u8_t key[16],struct os_mbuf * buf,u32_t iv_index,bool proxy)538 int bt_mesh_net_encrypt(const u8_t key[16], struct os_mbuf *buf,
539 u32_t iv_index, bool proxy)
540 {
541 u8_t mic_len = NET_MIC_LEN(buf->om_data);
542 u8_t nonce[13]; // 13:array length
543 int err;
544 BT_DBG("IVIndex %u EncKey %s mic_len %u", (unsigned) iv_index,
545 bt_hex(key, 16), mic_len); // 16:len
546 BT_DBG("PDU (len %u) %s", buf->om_len, bt_hex(buf->om_data, buf->om_len));
547
548 if (IS_ENABLED(CONFIG_BT_MESH_PROXY) && proxy) {
549 create_proxy_nonce(nonce, buf->om_data, iv_index);
550 } else {
551 create_net_nonce(nonce, buf->om_data, iv_index);
552 }
553
554 BT_DBG("Nonce %s", bt_hex(nonce, 13)); // 13:len
555 err = bt_mesh_ccm_encrypt(key, nonce, &buf->om_data[7], buf->om_len - 7, // 7:byte alignment
556 NULL, 0, &buf->om_data[7], mic_len); // 7:array element
557 if (!err) {
558 net_buf_simple_add(buf, mic_len);
559 }
560
561 return err;
562 }
563
bt_mesh_net_decrypt(const u8_t key[16],struct os_mbuf * buf,u32_t iv_index,bool proxy)564 int bt_mesh_net_decrypt(const u8_t key[16], struct os_mbuf *buf,
565 u32_t iv_index, bool proxy)
566 {
567 u8_t mic_len = NET_MIC_LEN(buf->om_data);
568 u8_t nonce[13]; // 13:array length
569 BT_DBG("PDU (%u bytes) %s", buf->om_len, bt_hex(buf->om_data, buf->om_len));
570 BT_DBG("iv_index %u, key %s mic_len %u", (unsigned) iv_index,
571 bt_hex(key, 16), mic_len); // 16:len
572
573 if (IS_ENABLED(CONFIG_BT_MESH_PROXY) && proxy) {
574 create_proxy_nonce(nonce, buf->om_data, iv_index);
575 } else {
576 create_net_nonce(nonce, buf->om_data, iv_index);
577 }
578
579 BT_DBG("Nonce %s", bt_hex(nonce, 13)); // 13:len
580 buf->om_len -= mic_len;
581 return bt_mesh_ccm_decrypt(key, nonce, &buf->om_data[7], buf->om_len - 7, // 7:byte alignment
582 NULL, 0, &buf->om_data[7], mic_len);
583 }
584
create_app_nonce(u8_t nonce[13],bool dev_key,u8_t aszmic,u16_t src,u16_t dst,u32_t seq_num,u32_t iv_index)585 static void create_app_nonce(u8_t nonce[13], bool dev_key, u8_t aszmic, // 13:array element
586 u16_t src, u16_t dst, u32_t seq_num,
587 u32_t iv_index)
588 {
589 if (dev_key) {
590 nonce[0] = 0x02;
591 } else {
592 nonce[0] = 0x01;
593 }
594
595 sys_put_be32((seq_num | ((u32_t)aszmic << 31)), &nonce[1]);
596 sys_put_be16(src, &nonce[5]); // 5:array element
597 sys_put_be16(dst, &nonce[7]); // 7:array element
598 sys_put_be32(iv_index, &nonce[9]); // 9:array element
599 }
600
mesh_app_encrypt(const u8_t key[16],bool dev_key,u8_t aszmic,struct os_mbuf * buf,const u8_t * ad,u16_t src,u16_t dst,u32_t seq_num,u32_t iv_index)601 static int mesh_app_encrypt(const u8_t key[16], bool dev_key, u8_t aszmic,
602 struct os_mbuf *buf, const u8_t *ad,
603 u16_t src, u16_t dst, u32_t seq_num, u32_t iv_index)
604 {
605 u8_t nonce[13]; // 13:array length
606 BT_DBG("AppKey %s", bt_hex(key, 16)); // 16:len
607 BT_DBG("dev_key %u src 0x%04x dst 0x%04x", dev_key, src, dst);
608 BT_DBG("seq_num 0x%08x iv_index 0x%08x", (unsigned) seq_num,
609 (unsigned) iv_index);
610 BT_DBG("Clear: %s", bt_hex(buf->om_data, buf->om_len));
611 create_app_nonce(nonce, dev_key, aszmic, src, dst, seq_num, iv_index);
612 BT_DBG("Nonce %s", bt_hex(nonce, 13)); // 13:len
613 return bt_mesh_ccm_encrypt(key, nonce, buf->om_data, buf->om_len, ad,
614 ad ? 16 : 0, buf->om_data, // 16:byte alignment
615 APP_MIC_LEN(aszmic));
616 }
617
bt_mesh_app_encrypt_in_place(const u8_t key[16],bool dev_key,u8_t aszmic,struct os_mbuf * buf,const u8_t * ad,u16_t src,u16_t dst,u32_t seq_num,u32_t iv_index)618 int bt_mesh_app_encrypt_in_place(const u8_t key[16], bool dev_key, u8_t aszmic,
619 struct os_mbuf *buf, const u8_t *ad, u16_t src,
620 u16_t dst, u32_t seq_num, u32_t iv_index)
621 {
622 int err;
623 err = mesh_app_encrypt(key, dev_key, aszmic, buf, ad, src, dst,
624 seq_num, iv_index);
625 if (!err) {
626 BT_DBG("Encr: %s", bt_hex(buf->om_data, buf->om_len));
627 }
628
629 return err;
630 }
631
bt_mesh_app_encrypt(const u8_t key[16],bool dev_key,u8_t aszmic,struct os_mbuf * buf,const u8_t * ad,u16_t src,u16_t dst,u32_t seq_num,u32_t iv_index)632 int bt_mesh_app_encrypt(const u8_t key[16], bool dev_key, u8_t aszmic,
633 struct os_mbuf *buf, const u8_t *ad,
634 u16_t src, u16_t dst, u32_t seq_num, u32_t iv_index)
635 {
636 int err;
637 err = mesh_app_encrypt(key, dev_key, aszmic, buf, ad, src, dst,
638 seq_num, iv_index);
639 if (!err) {
640 net_buf_simple_add(buf, APP_MIC_LEN(aszmic));
641 BT_DBG("Encr: %s", bt_hex(buf->om_data, buf->om_len));
642 }
643
644 return err;
645 }
646
mesh_app_decrypt(const u8_t key[16],bool dev_key,u8_t aszmic,struct os_mbuf * buf,struct os_mbuf * out,const u8_t * ad,u16_t src,u16_t dst,u32_t seq_num,u32_t iv_index)647 static int mesh_app_decrypt(const u8_t key[16], bool dev_key, u8_t aszmic,
648 struct os_mbuf *buf, struct os_mbuf *out,
649 const u8_t *ad, u16_t src, u16_t dst,
650 u32_t seq_num, u32_t iv_index)
651 {
652 u8_t nonce[13]; // 13:array length
653 BT_DBG("EncData (len %u) %s", buf->om_len,
654 bt_hex(buf->om_data, buf->om_len));
655 create_app_nonce(nonce, dev_key, aszmic, src, dst, seq_num, iv_index);
656 BT_DBG("AppKey %s", bt_hex(key, 16)); // 16:len
657 BT_DBG("Nonce %s", bt_hex(nonce, 13)); // 13:len
658 return bt_mesh_ccm_decrypt(key, nonce, buf->om_data, buf->om_len, ad,
659 ad ? 16 : 0, out->om_data, // 16:byte alignment
660 APP_MIC_LEN(aszmic));
661 }
662
bt_mesh_app_decrypt_in_place(const u8_t key[16],bool dev_key,u8_t aszmic,struct os_mbuf * buf,const u8_t * ad,u16_t src,u16_t dst,u32_t seq_num,u32_t iv_index)663 int bt_mesh_app_decrypt_in_place(const u8_t key[16], bool dev_key, u8_t aszmic,
664 struct os_mbuf *buf, const u8_t *ad, u16_t src,
665 u16_t dst, u32_t seq_num, u32_t iv_index)
666 {
667 return mesh_app_decrypt(key, dev_key, aszmic, buf, buf,
668 ad, src, dst, seq_num, iv_index);
669 }
670
bt_mesh_app_decrypt(const u8_t key[16],bool dev_key,u8_t aszmic,struct os_mbuf * buf,struct os_mbuf * out,const u8_t * ad,u16_t src,u16_t dst,u32_t seq_num,u32_t iv_index)671 int bt_mesh_app_decrypt(const u8_t key[16], bool dev_key, u8_t aszmic,
672 struct os_mbuf *buf, struct os_mbuf *out,
673 const u8_t *ad, u16_t src, u16_t dst, u32_t seq_num,
674 u32_t iv_index)
675 {
676 int err;
677 err = mesh_app_decrypt(key, dev_key, aszmic, buf, out,
678 ad, src, dst, seq_num, iv_index);
679 if (!err) {
680 net_buf_simple_add(out, buf->om_len);
681 }
682
683 return err;
684 }
685
686 /* reversed, 8-bit, poly=0x07 */
687 static const u8_t crc_table[256] = {
688 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
689 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
690 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
691 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
692
693 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
694 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
695 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
696 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
697
698 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
699 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
700 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
701 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
702
703 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
704 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
705 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
706 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
707
708 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
709 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
710 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
711 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
712
713 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
714 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
715 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
716 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
717
718 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
719 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
720 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
721 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
722
723 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
724 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
725 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
726 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
727 };
728
bt_mesh_fcs_calc(const u8_t * data,u8_t data_len)729 u8_t bt_mesh_fcs_calc(const u8_t *data, u8_t data_len)
730 {
731 u8_t fcs = 0xff;
732
733 while (data_len--) {
734 fcs = crc_table[fcs ^ *data++];
735 }
736
737 BT_DBG("fcs 0x%02x", 0xff - fcs);
738 return 0xff - fcs;
739 }
740
bt_mesh_fcs_check(struct os_mbuf * buf,u8_t received_fcs)741 bool bt_mesh_fcs_check(struct os_mbuf *buf, u8_t received_fcs)
742 {
743 const u8_t *data = buf->om_data;
744 u16_t data_len = buf->om_len;
745 u8_t fcs = 0xff;
746
747 while (data_len--) {
748 fcs = crc_table[fcs ^ *data++];
749 }
750
751 return crc_table[fcs ^ received_fcs] == 0xcf;
752 }
753
bt_mesh_virtual_addr(const u8_t virtual_label[16],u16_t * addr)754 int bt_mesh_virtual_addr(const u8_t virtual_label[16], u16_t *addr)
755 {
756 u8_t salt[16]; // 16:array length
757 u8_t tmp[16]; // 16:array length
758 int err;
759 err = bt_mesh_s1("vtad", salt);
760 if (err) {
761 return err;
762 }
763
764 err = bt_mesh_aes_cmac_one(salt, virtual_label, 16, tmp); // 16:len
765 if (err) {
766 return err;
767 }
768
769 *addr = (sys_get_be16(&tmp[14]) & 0x3fff) | 0x8000; // 14:array element
770 return 0;
771 }
772
bt_mesh_prov_conf_salt(const u8_t conf_inputs[145],u8_t salt[16])773 int bt_mesh_prov_conf_salt(const u8_t conf_inputs[145], u8_t salt[16])
774 {
775 const u8_t conf_salt_key[16] = { 0 }; // 16:array length
776 return bt_mesh_aes_cmac_one(conf_salt_key, conf_inputs, 145, salt); // 145:len
777 }
778
bt_mesh_prov_conf_key(const u8_t dhkey[32],const u8_t conf_salt[16],u8_t conf_key[16])779 int bt_mesh_prov_conf_key(const u8_t dhkey[32], const u8_t conf_salt[16],
780 u8_t conf_key[16])
781 {
782 return bt_mesh_k1(dhkey, 32, conf_salt, "prck", conf_key); // 32:len
783 }
784
bt_mesh_prov_conf(const u8_t conf_key[16],const u8_t rand[16],const u8_t auth[16],u8_t conf[16])785 int bt_mesh_prov_conf(const u8_t conf_key[16], const u8_t rand[16],
786 const u8_t auth[16], u8_t conf[16])
787 {
788 struct bt_mesh_sg sg[] = { { rand, 16 }, { auth, 16 } };
789 BT_DBG("ConfirmationKey %s", bt_hex(conf_key, 16)); // 16:len
790 BT_DBG("RandomDevice %s", bt_hex(rand, 16)); // 16:len
791 BT_DBG("AuthValue %s", bt_hex(auth, 16)); // 16:len
792 return bt_mesh_aes_cmac(conf_key, sg, ARRAY_SIZE(sg), conf);
793 }
794
bt_mesh_prov_decrypt(const u8_t key[16],u8_t nonce[13],const u8_t data[25+8],u8_t out[25])795 int bt_mesh_prov_decrypt(const u8_t key[16], u8_t nonce[13],
796 const u8_t data[25 + 8], u8_t out[25])
797 {
798 return bt_mesh_ccm_decrypt(key, nonce, data, 25, NULL, 0, out, 8);
799 }
800
bt_mesh_prov_encrypt(const u8_t key[16],u8_t nonce[13],const u8_t data[25],u8_t out[25+8])801 int bt_mesh_prov_encrypt(const u8_t key[16], u8_t nonce[13],
802 const u8_t data[25], u8_t out[25 + 8])
803 {
804 return bt_mesh_ccm_encrypt(key, nonce, data, 25, NULL, 0, out, 8);
805 }
806
bt_mesh_beacon_auth(const u8_t beacon_key[16],u8_t flags,const u8_t net_id[8],u32_t iv_index,u8_t auth[8])807 int bt_mesh_beacon_auth(const u8_t beacon_key[16], u8_t flags,
808 const u8_t net_id[8], u32_t iv_index,
809 u8_t auth[8])
810 {
811 u8_t msg[13], tmp[16]; // 13:array length, 16:array length
812 int err;
813 BT_DBG("BeaconKey %s", bt_hex(beacon_key, 16)); // 16:len
814 BT_DBG("NetId %s", bt_hex(net_id, 8)); // 8:len
815 BT_DBG("IV Index 0x%08x", (unsigned) iv_index);
816 msg[0] = flags;
817 memcpy(&msg[1], net_id, 8); // 8:len
818 sys_put_be32(iv_index, &msg[9]); // 9:array element
819 BT_DBG("BeaconMsg %s", bt_hex(msg, sizeof(msg)));
820 err = bt_mesh_aes_cmac_one(beacon_key, msg, sizeof(msg), tmp);
821 if (!err) {
822 memcpy_s(auth, sizeof(auth), tmp, 8); // 8:len
823 }
824
825 return err;
826 }