1 /* Bluetooth Mesh */
2
3 /*
4 * Copyright (c) 2017 Intel Corporation
5 *
6 * SPDX-License-Identifier: Apache-2.0
7 */
8
9 #include <string.h>
10 #include <stdbool.h>
11 #include <bt_errno.h>
12 //#include <toolchain.h>
13 #include <ble_os.h>
14 #include <ble_types/types.h>
15 #include <misc/byteorder.h>
16 #include <misc/util.h>
17
18 #ifdef CONFIG_BT_HOST_CRYPTO
19 #include <tinycrypt/constants.h>
20 #include <tinycrypt/utils.h>
21 #include <tinycrypt/aes.h>
22 #include <tinycrypt/cmac_mode.h>
23 #include <tinycrypt/ccm_mode.h>
24 #endif
25
26 #include <api/mesh.h>
27 // #include <bluetooth/crypto.h>
28
29 #define BT_DBG_ENABLED IS_ENABLED(CONFIG_BT_MESH_DEBUG_CRYPTO)
30 #include "common/log.h"
31
32 #include "mesh.h"
33 #include "crypto.h"
34 #include "bt_crypto.h"
35
36 #define NET_MIC_LEN(pdu) (((pdu)[1] & 0x80) ? 8 : 4)
37 #define APP_MIC_LEN(aszmic) ((aszmic) ? 8 : 4)
38
bt_mesh_aes_cmac(const u8_t key[16],struct bt_mesh_sg * sg,size_t sg_len,u8_t mac[16])39 int bt_mesh_aes_cmac(const u8_t key[16], struct bt_mesh_sg *sg,
40 size_t sg_len, u8_t mac[16])
41 {
42 return bt_crypto_aes_cmac(key, (struct bt_crypto_sg *)sg, sg_len, mac);
43 }
44
bt_mesh_k1(const u8_t * ikm,size_t ikm_len,const u8_t salt[16],const char * info,u8_t okm[16])45 int bt_mesh_k1(const u8_t *ikm, size_t ikm_len, const u8_t salt[16],
46 const char *info, u8_t okm[16])
47 {
48 int err;
49
50 err = bt_mesh_aes_cmac_one(salt, ikm, ikm_len, okm);
51 if (err < 0) {
52 return err;
53 }
54
55 return bt_mesh_aes_cmac_one(okm, info, strlen(info), okm);
56 }
57
bt_mesh_k2(const u8_t n[16],const u8_t * p,size_t p_len,u8_t net_id[1],u8_t enc_key[16],u8_t priv_key[16])58 int bt_mesh_k2(const u8_t n[16], const u8_t *p, size_t p_len,
59 u8_t net_id[1], u8_t enc_key[16], u8_t priv_key[16])
60 {
61 struct bt_mesh_sg sg[3];
62 u8_t salt[16];
63 u8_t out[16];
64 u8_t t[16];
65 u8_t pad;
66 int err;
67
68 BT_DBG("n %s", bt_hex(n, 16));
69 BT_DBG("p %s", bt_hex(p, p_len));
70
71 err = bt_mesh_s1("smk2", salt);
72 if (err) {
73 return err;
74 }
75
76 err = bt_mesh_aes_cmac_one(salt, n, 16, t);
77 if (err) {
78 return err;
79 }
80
81 pad = 0x01;
82
83 sg[0].data = NULL;
84 sg[0].len = 0;
85 sg[1].data = p;
86 sg[1].len = p_len;
87 sg[2].data = &pad;
88 sg[2].len = sizeof(pad);
89
90 err = bt_mesh_aes_cmac(t, sg, ARRAY_SIZE(sg), out);
91 if (err) {
92 return err;
93 }
94
95 net_id[0] = out[15] & 0x7f;
96
97 sg[0].data = out;
98 sg[0].len = sizeof(out);
99 pad = 0x02;
100
101 err = bt_mesh_aes_cmac(t, sg, ARRAY_SIZE(sg), out);
102 if (err) {
103 return err;
104 }
105
106 memcpy(enc_key, out, 16);
107
108 pad = 0x03;
109
110 err = bt_mesh_aes_cmac(t, sg, ARRAY_SIZE(sg), out);
111 if (err) {
112 return err;
113 }
114
115 memcpy(priv_key, out, 16);
116
117 BT_DBG("NID 0x%02x enc_key %s", net_id[0], bt_hex(enc_key, 16));
118 BT_DBG("priv_key %s", bt_hex(priv_key, 16));
119
120 return 0;
121 }
122
bt_mesh_k3(const u8_t n[16],u8_t out[8])123 int bt_mesh_k3(const u8_t n[16], u8_t out[8])
124 {
125 u8_t id64[] = { 'i', 'd', '6', '4', 0x01 };
126 u8_t tmp[16];
127 u8_t t[16];
128 int err;
129
130 err = bt_mesh_s1("smk3", tmp);
131 if (err) {
132 return err;
133 }
134
135 err = bt_mesh_aes_cmac_one(tmp, n, 16, t);
136 if (err) {
137 return err;
138 }
139
140 err = bt_mesh_aes_cmac_one(t, id64, sizeof(id64), tmp);
141 if (err) {
142 return err;
143 }
144
145 memcpy(out, tmp + 8, 8);
146
147 return 0;
148 }
149
bt_mesh_k4(const u8_t n[16],u8_t out[1])150 int bt_mesh_k4(const u8_t n[16], u8_t out[1])
151 {
152 u8_t id6[] = { 'i', 'd', '6', 0x01 };
153 u8_t tmp[16];
154 u8_t t[16];
155 int err;
156
157 err = bt_mesh_s1("smk4", tmp);
158 if (err) {
159 return err;
160 }
161
162 err = bt_mesh_aes_cmac_one(tmp, n, 16, t);
163 if (err) {
164 return err;
165 }
166
167 err = bt_mesh_aes_cmac_one(t, id6, sizeof(id6), tmp);
168 if (err) {
169 return err;
170 }
171
172 out[0] = tmp[15] & BIT_MASK(6);
173
174 return 0;
175 }
176
bt_mesh_id128(const u8_t n[16],const char * s,u8_t out[16])177 int bt_mesh_id128(const u8_t n[16], const char *s, u8_t out[16])
178 {
179 const char *id128 = "id128\x01";
180 u8_t salt[16];
181 int err;
182
183 err = bt_mesh_s1(s, salt);
184 if (err) {
185 return err;
186 }
187
188 return bt_mesh_k1(n, 16, salt, id128, out);
189 }
190
bt_mesh_ccm_decrypt(const u8_t key[16],u8_t nonce[13],const u8_t * enc_msg,size_t msg_len,const u8_t * aad,size_t aad_len,u8_t * out_msg,size_t mic_size)191 static int bt_mesh_ccm_decrypt(const u8_t key[16], u8_t nonce[13],
192 const u8_t *enc_msg, size_t msg_len,
193 const u8_t *aad, size_t aad_len,
194 u8_t *out_msg, size_t mic_size)
195 {
196 u8_t msg[16], pmsg[16], cmic[16], cmsg[16], Xn[16], mic[16];
197 u16_t last_blk, blk_cnt;
198 size_t i, j;
199 int err;
200
201 if (msg_len < 1 || aad_len >= 0xff00) {
202 return -EINVAL;
203 }
204
205 /* C_mic = e(AppKey, 0x01 || nonce || 0x0000) */
206 pmsg[0] = 0x01;
207 memcpy(pmsg + 1, nonce, 13);
208 sys_put_be16(0x0000, pmsg + 14);
209
210 err = bt_encrypt_be(key, pmsg, cmic);
211 if (err) {
212 return err;
213 }
214
215 /* X_0 = e(AppKey, 0x09 || nonce || length) */
216 if (mic_size == sizeof(u64_t)) {
217 pmsg[0] = 0x19 | (aad_len ? 0x40 : 0x00);
218 } else {
219 pmsg[0] = 0x09 | (aad_len ? 0x40 : 0x00);
220 }
221
222 memcpy(pmsg + 1, nonce, 13);
223 sys_put_be16(msg_len, pmsg + 14);
224
225 err = bt_encrypt_be(key, pmsg, Xn);
226 if (err) {
227 return err;
228 }
229
230 /* If AAD is being used to authenticate, include it here */
231 if (aad_len) {
232 sys_put_be16(aad_len, pmsg);
233
234 for (i = 0; i < sizeof(u16_t); i++) {
235 pmsg[i] = Xn[i] ^ pmsg[i];
236 }
237
238 j = 0;
239 aad_len += sizeof(u16_t);
240 while (aad_len > 16) {
241 do {
242 pmsg[i] = Xn[i] ^ aad[j];
243 i++, j++;
244 } while (i < 16);
245
246 aad_len -= 16;
247 i = 0;
248
249 err = bt_encrypt_be(key, pmsg, Xn);
250 if (err) {
251 return err;
252 }
253 }
254
255 for (i = 0; i < aad_len; i++, j++) {
256 pmsg[i] = Xn[i] ^ aad[j];
257 }
258
259 for (i = aad_len; i < 16; i++) {
260 pmsg[i] = Xn[i];
261 }
262
263 err = bt_encrypt_be(key, pmsg, Xn);
264 if (err) {
265 return err;
266 }
267 }
268
269 last_blk = msg_len % 16;
270 blk_cnt = (msg_len + 15) / 16;
271 if (!last_blk) {
272 last_blk = 16;
273 }
274
275 for (j = 0; j < blk_cnt; j++) {
276 if (j + 1 == blk_cnt) {
277 /* C_1 = e(AppKey, 0x01 || nonce || 0x0001) */
278 pmsg[0] = 0x01;
279 memcpy(pmsg + 1, nonce, 13);
280 sys_put_be16(j + 1, pmsg + 14);
281
282 err = bt_encrypt_be(key, pmsg, cmsg);
283 if (err) {
284 return err;
285 }
286
287 /* Encrypted = Payload[0-15] ^ C_1 */
288 for (i = 0; i < last_blk; i++) {
289 msg[i] = enc_msg[(j * 16) + i] ^ cmsg[i];
290 }
291
292 memcpy(out_msg + (j * 16), msg, last_blk);
293
294 /* X_1 = e(AppKey, X_0 ^ Payload[0-15]) */
295 for (i = 0; i < last_blk; i++) {
296 pmsg[i] = Xn[i] ^ msg[i];
297 }
298
299 for (i = last_blk; i < 16; i++) {
300 pmsg[i] = Xn[i] ^ 0x00;
301 }
302
303 err = bt_encrypt_be(key, pmsg, Xn);
304 if (err) {
305 return err;
306 }
307
308 /* MIC = C_mic ^ X_1 */
309 for (i = 0; i < sizeof(mic); i++) {
310 mic[i] = cmic[i] ^ Xn[i];
311 }
312 } else {
313 /* C_1 = e(AppKey, 0x01 || nonce || 0x0001) */
314 pmsg[0] = 0x01;
315 memcpy(pmsg + 1, nonce, 13);
316 sys_put_be16(j + 1, pmsg + 14);
317
318 err = bt_encrypt_be(key, pmsg, cmsg);
319 if (err) {
320 return err;
321 }
322
323 /* Encrypted = Payload[0-15] ^ C_1 */
324 for (i = 0; i < 16; i++) {
325 msg[i] = enc_msg[(j * 16) + i] ^ cmsg[i];
326 }
327
328 memcpy(out_msg + (j * 16), msg, 16);
329
330 /* X_1 = e(AppKey, X_0 ^ Payload[0-15]) */
331 for (i = 0; i < 16; i++) {
332 pmsg[i] = Xn[i] ^ msg[i];
333 }
334
335 err = bt_encrypt_be(key, pmsg, Xn);
336 if (err) {
337 return err;
338 }
339 }
340 }
341
342 if (memcmp(mic, enc_msg + msg_len, mic_size)) {
343 return -EBADMSG;
344 }
345
346 return 0;
347 }
348
bt_mesh_ccm_encrypt(const u8_t key[16],u8_t nonce[13],const u8_t * msg,size_t msg_len,const u8_t * aad,size_t aad_len,u8_t * out_msg,size_t mic_size)349 static int bt_mesh_ccm_encrypt(const u8_t key[16], u8_t nonce[13],
350 const u8_t *msg, size_t msg_len,
351 const u8_t *aad, size_t aad_len,
352 u8_t *out_msg, size_t mic_size)
353 {
354 u8_t pmsg[16], cmic[16], cmsg[16], mic[16], Xn[16];
355 u16_t blk_cnt, last_blk;
356 size_t i, j;
357 int err;
358
359 BT_DBG("key %s", bt_hex(key, 16));
360 BT_DBG("nonce %s", bt_hex(nonce, 13));
361 BT_DBG("msg (len %zu) %s", msg_len, bt_hex(msg, msg_len));
362 BT_DBG("aad_len %zu mic_size %zu", aad_len, mic_size);
363
364 /* Unsupported AAD size */
365 if (aad_len >= 0xff00) {
366 return -EINVAL;
367 }
368
369 /* C_mic = e(AppKey, 0x01 || nonce || 0x0000) */
370 pmsg[0] = 0x01;
371 memcpy(pmsg + 1, nonce, 13);
372 sys_put_be16(0x0000, pmsg + 14);
373
374 err = bt_encrypt_be(key, pmsg, cmic);
375 if (err) {
376 return err;
377 }
378
379 /* X_0 = e(AppKey, 0x09 || nonce || length) */
380 if (mic_size == sizeof(u64_t)) {
381 pmsg[0] = 0x19 | (aad_len ? 0x40 : 0x00);
382 } else {
383 pmsg[0] = 0x09 | (aad_len ? 0x40 : 0x00);
384 }
385
386 memcpy(pmsg + 1, nonce, 13);
387 sys_put_be16(msg_len, pmsg + 14);
388
389 err = bt_encrypt_be(key, pmsg, Xn);
390 if (err) {
391 return err;
392 }
393
394 /* If AAD is being used to authenticate, include it here */
395 if (aad_len) {
396 sys_put_be16(aad_len, pmsg);
397
398 for (i = 0; i < sizeof(u16_t); i++) {
399 pmsg[i] = Xn[i] ^ pmsg[i];
400 }
401
402 j = 0;
403 aad_len += sizeof(u16_t);
404 while (aad_len > 16) {
405 do {
406 pmsg[i] = Xn[i] ^ aad[j];
407 i++, j++;
408 } while (i < 16);
409
410 aad_len -= 16;
411 i = 0;
412
413 err = bt_encrypt_be(key, pmsg, Xn);
414 if (err) {
415 return err;
416 }
417 }
418
419 for (i = 0; i < aad_len; i++, j++) {
420 pmsg[i] = Xn[i] ^ aad[j];
421 }
422
423 for (i = aad_len; i < 16; i++) {
424 pmsg[i] = Xn[i];
425 }
426
427 err = bt_encrypt_be(key, pmsg, Xn);
428 if (err) {
429 return err;
430 }
431 }
432
433 last_blk = msg_len % 16;
434 blk_cnt = (msg_len + 15) / 16;
435 if (!last_blk) {
436 last_blk = 16;
437 }
438
439 for (j = 0; j < blk_cnt; j++) {
440 if (j + 1 == blk_cnt) {
441 /* X_1 = e(AppKey, X_0 ^ Payload[0-15]) */
442 for (i = 0; i < last_blk; i++) {
443 pmsg[i] = Xn[i] ^ msg[(j * 16) + i];
444 }
445 for (i = last_blk; i < 16; i++) {
446 pmsg[i] = Xn[i] ^ 0x00;
447 }
448
449 err = bt_encrypt_be(key, pmsg, Xn);
450 if (err) {
451 return err;
452 }
453
454 /* MIC = C_mic ^ X_1 */
455 for (i = 0; i < sizeof(mic); i++) {
456 mic[i] = cmic[i] ^ Xn[i];
457 }
458
459 /* C_1 = e(AppKey, 0x01 || nonce || 0x0001) */
460 pmsg[0] = 0x01;
461 memcpy(pmsg + 1, nonce, 13);
462 sys_put_be16(j + 1, pmsg + 14);
463
464 err = bt_encrypt_be(key, pmsg, cmsg);
465 if (err) {
466 return err;
467 }
468
469 /* Encrypted = Payload[0-15] ^ C_1 */
470 for (i = 0; i < last_blk; i++) {
471 out_msg[(j * 16) + i] =
472 msg[(j * 16) + i] ^ cmsg[i];
473 }
474 } else {
475 /* X_1 = e(AppKey, X_0 ^ Payload[0-15]) */
476 for (i = 0; i < 16; i++) {
477 pmsg[i] = Xn[i] ^ msg[(j * 16) + i];
478 }
479
480 err = bt_encrypt_be(key, pmsg, Xn);
481 if (err) {
482 return err;
483 }
484
485 /* C_1 = e(AppKey, 0x01 || nonce || 0x0001) */
486 pmsg[0] = 0x01;
487 memcpy(pmsg + 1, nonce, 13);
488 sys_put_be16(j + 1, pmsg + 14);
489
490 err = bt_encrypt_be(key, pmsg, cmsg);
491 if (err) {
492 return err;
493 }
494
495 /* Encrypted = Payload[0-15] ^ C_N */
496 for (i = 0; i < 16; i++) {
497 out_msg[(j * 16) + i] =
498 msg[(j * 16) + i] ^ cmsg[i];
499 }
500
501 }
502 }
503
504 memcpy(out_msg + msg_len, mic, mic_size);
505
506 return 0;
507 }
508
509 #if defined(CONFIG_BT_MESH_PROXY)
create_proxy_nonce(u8_t nonce[13],const u8_t * pdu,bt_u32_t iv_index)510 static void create_proxy_nonce(u8_t nonce[13], const u8_t *pdu,
511 bt_u32_t iv_index)
512 {
513 /* Nonce Type */
514 nonce[0] = 0x03;
515
516 /* Pad */
517 nonce[1] = 0x00;
518
519 /* Sequence Number */
520 nonce[2] = pdu[2];
521 nonce[3] = pdu[3];
522 nonce[4] = pdu[4];
523
524 /* Source Address */
525 nonce[5] = pdu[5];
526 nonce[6] = pdu[6];
527
528 /* Pad */
529 nonce[7] = 0;
530 nonce[8] = 0;
531
532 /* IV Index */
533 sys_put_be32(iv_index, &nonce[9]);
534 }
535 #endif /* PROXY */
536
create_net_nonce(u8_t nonce[13],const u8_t * pdu,bt_u32_t iv_index)537 static void create_net_nonce(u8_t nonce[13], const u8_t *pdu,
538 bt_u32_t iv_index)
539 {
540 /* Nonce Type */
541 nonce[0] = 0x00;
542
543 /* FRND + TTL */
544 nonce[1] = pdu[1];
545
546 /* Sequence Number */
547 nonce[2] = pdu[2];
548 nonce[3] = pdu[3];
549 nonce[4] = pdu[4];
550
551 /* Source Address */
552 nonce[5] = pdu[5];
553 nonce[6] = pdu[6];
554
555 /* Pad */
556 nonce[7] = 0;
557 nonce[8] = 0;
558
559 /* IV Index */
560 sys_put_be32(iv_index, &nonce[9]);
561 }
562
bt_mesh_net_obfuscate(u8_t * pdu,bt_u32_t iv_index,const u8_t privacy_key[16])563 int bt_mesh_net_obfuscate(u8_t *pdu, bt_u32_t iv_index,
564 const u8_t privacy_key[16])
565 {
566 u8_t priv_rand[16] = { 0x00, 0x00, 0x00, 0x00, 0x00, };
567 u8_t tmp[16];
568 int err, i;
569
570 BT_DBG("IVIndex %u, PrivacyKey %s", iv_index, bt_hex(privacy_key, 16));
571 if (!pdu)
572 {
573 return -EINVAL;
574 }
575
576 sys_put_be32(iv_index, &priv_rand[5]);
577 memcpy(&priv_rand[9], &pdu[7], 7);
578
579 BT_DBG("PrivacyRandom %s", bt_hex(priv_rand, 16));
580
581 err = bt_encrypt_be(privacy_key, priv_rand, tmp);
582 if (err) {
583 return err;
584 }
585
586 for (i = 0; i < 6; i++) {
587 pdu[1 + i] ^= tmp[i];
588 }
589
590 return 0;
591 }
592
bt_mesh_net_encrypt(const u8_t key[16],struct net_buf_simple * buf,bt_u32_t iv_index,bool proxy)593 int bt_mesh_net_encrypt(const u8_t key[16], struct net_buf_simple *buf,
594 bt_u32_t iv_index, bool proxy)
595 {
596 u8_t mic_len = NET_MIC_LEN(buf->data);
597 u8_t nonce[13];
598 int err;
599
600 BT_DBG("IVIndex %u EncKey %s mic_len %u", iv_index, bt_hex(key, 16),
601 mic_len);
602 BT_DBG("PDU (len %u) %s", buf->len, bt_hex(buf->data, buf->len));
603
604 if (!buf || !buf->data)
605 {
606 return -EINVAL;
607 }
608
609 #if defined(CONFIG_BT_MESH_PROXY)
610 if (proxy) {
611 create_proxy_nonce(nonce, buf->data, iv_index);
612 } else {
613 create_net_nonce(nonce, buf->data, iv_index);
614 }
615 #else
616 create_net_nonce(nonce, buf->data, iv_index);
617 #endif
618
619 BT_DBG("Nonce %s", bt_hex(nonce, 13));
620
621 err = bt_mesh_ccm_encrypt(key, nonce, &buf->data[7], buf->len - 7,
622 NULL, 0, &buf->data[7], mic_len);
623 if (!err) {
624 net_buf_simple_add(buf, mic_len);
625 }
626
627 return err;
628 }
629
bt_mesh_net_decrypt(const u8_t key[16],struct net_buf_simple * buf,bt_u32_t iv_index,bool proxy)630 int bt_mesh_net_decrypt(const u8_t key[16], struct net_buf_simple *buf,
631 bt_u32_t iv_index, bool proxy)
632 {
633 u8_t mic_len = NET_MIC_LEN(buf->data);
634 u8_t nonce[13];
635
636 BT_DBG("PDU (%u bytes) %s", buf->len, bt_hex(buf->data, buf->len));
637 BT_DBG("iv_index %u, key %s mic_len %u", iv_index, bt_hex(key, 16),
638 mic_len);
639
640 if (!buf || !buf->data)
641 {
642 return -EINVAL;
643 }
644 #if defined(CONFIG_BT_MESH_PROXY)
645 if (proxy) {
646 create_proxy_nonce(nonce, buf->data, iv_index);
647 } else {
648 create_net_nonce(nonce, buf->data, iv_index);
649 }
650 #else
651 create_net_nonce(nonce, buf->data, iv_index);
652 #endif
653
654 BT_DBG("Nonce %s", bt_hex(nonce, 13));
655
656 buf->len -= mic_len;
657
658 return bt_mesh_ccm_decrypt(key, nonce, &buf->data[7], buf->len - 7,
659 NULL, 0, &buf->data[7], mic_len);
660 }
661
create_app_nonce(u8_t nonce[13],bool dev_key,u8_t aszmic,u16_t src,u16_t dst,bt_u32_t seq_num,bt_u32_t iv_index)662 static void create_app_nonce(u8_t nonce[13], bool dev_key, u8_t aszmic,
663 u16_t src, u16_t dst, bt_u32_t seq_num,
664 bt_u32_t iv_index)
665 {
666 if (dev_key) {
667 nonce[0] = 0x02;
668 } else {
669 nonce[0] = 0x01;
670 }
671
672 sys_put_be32((seq_num | ((bt_u32_t)aszmic << 31)), &nonce[1]);
673
674 sys_put_be16(src, &nonce[5]);
675 sys_put_be16(dst, &nonce[7]);
676
677 sys_put_be32(iv_index, &nonce[9]);
678 }
679
bt_mesh_app_encrypt(const u8_t key[16],bool dev_key,u8_t aszmic,struct net_buf_simple * buf,const u8_t * ad,u16_t src,u16_t dst,bt_u32_t seq_num,bt_u32_t iv_index)680 int bt_mesh_app_encrypt(const u8_t key[16], bool dev_key, u8_t aszmic,
681 struct net_buf_simple *buf, const u8_t *ad,
682 u16_t src, u16_t dst, bt_u32_t seq_num, bt_u32_t iv_index)
683 {
684 u8_t nonce[13];
685 int err;
686
687 BT_DBG("AppKey %s", bt_hex(key, 16));
688 BT_DBG("dev_key %u src 0x%04x dst 0x%04x", dev_key, src, dst);
689 BT_DBG("seq_num 0x%08x iv_index 0x%08x", seq_num, iv_index);
690 BT_DBG("Clear: %s", bt_hex(buf->data, buf->len));
691
692 create_app_nonce(nonce, dev_key, aszmic, src, dst, seq_num, iv_index);
693
694 BT_DBG("Nonce %s", bt_hex(nonce, 13));
695
696 err = bt_mesh_ccm_encrypt(key, nonce, buf->data, buf->len, ad,
697 ad ? 16 : 0, buf->data, APP_MIC_LEN(aszmic));
698 if (!err) {
699 net_buf_simple_add(buf, APP_MIC_LEN(aszmic));
700 BT_DBG("Encr: %s", bt_hex(buf->data, buf->len));
701 }
702
703 return err;
704 }
705
bt_mesh_app_decrypt(const u8_t key[16],bool dev_key,u8_t aszmic,struct net_buf_simple * buf,struct net_buf_simple * out,const u8_t * ad,u16_t src,u16_t dst,bt_u32_t seq_num,bt_u32_t iv_index)706 int bt_mesh_app_decrypt(const u8_t key[16], bool dev_key, u8_t aszmic,
707 struct net_buf_simple *buf, struct net_buf_simple *out,
708 const u8_t *ad, u16_t src, u16_t dst, bt_u32_t seq_num,
709 bt_u32_t iv_index)
710 {
711 u8_t nonce[13];
712 int err;
713
714 BT_DBG("EncData (len %u) %s", buf->len, bt_hex(buf->data, buf->len));
715
716 create_app_nonce(nonce, dev_key, aszmic, src, dst, seq_num, iv_index);
717
718 BT_DBG("AppKey %s", bt_hex(key, 16));
719 BT_DBG("Nonce %s", bt_hex(nonce, 13));
720
721 err = bt_mesh_ccm_decrypt(key, nonce, buf->data, buf->len, ad,
722 ad ? 16 : 0, out->data, APP_MIC_LEN(aszmic));
723 if (!err) {
724 net_buf_simple_add(out, buf->len);
725 }
726
727 return err;
728 }
729
730 /* reversed, 8-bit, poly=0x07 */
731 static const u8_t crc_table[256] = {
732 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
733 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
734 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
735 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
736
737 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
738 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
739 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
740 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
741
742 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
743 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
744 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
745 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
746
747 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
748 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
749 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
750 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
751
752 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
753 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
754 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
755 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
756
757 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
758 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
759 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
760 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
761
762 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
763 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
764 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
765 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
766
767 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
768 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
769 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
770 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
771 };
772
bt_mesh_fcs_calc(const u8_t * data,u8_t data_len)773 u8_t bt_mesh_fcs_calc(const u8_t *data, u8_t data_len)
774 {
775 u8_t fcs = 0xff;
776
777 while (data_len--) {
778 fcs = crc_table[fcs ^ *data++];
779 }
780
781 BT_DBG("fcs 0x%02x", 0xff - fcs);
782
783 return 0xff - fcs;
784 }
785
bt_mesh_fcs_check(struct net_buf_simple * buf,u8_t received_fcs)786 bool bt_mesh_fcs_check(struct net_buf_simple *buf, u8_t received_fcs)
787 {
788 const u8_t *data = buf->data;
789 u16_t data_len = buf->len;
790 u8_t fcs = 0xff;
791
792 while (data_len--) {
793 fcs = crc_table[fcs ^ *data++];
794 }
795
796 return crc_table[fcs ^ received_fcs] == 0xcf;
797 }
798
bt_mesh_virtual_addr(const u8_t virtual_label[16],u16_t * addr)799 int bt_mesh_virtual_addr(const u8_t virtual_label[16], u16_t *addr)
800 {
801 u8_t salt[16];
802 u8_t tmp[16];
803 int err;
804
805 err = bt_mesh_s1("vtad", salt);
806 if (err) {
807 return err;
808 }
809
810 err = bt_mesh_aes_cmac_one(salt, virtual_label, 16, tmp);
811 if (err) {
812 return err;
813 }
814
815 *addr = (sys_get_be16(&tmp[14]) & 0x3fff) | 0x8000;
816
817 return 0;
818 }
819
bt_mesh_prov_conf_salt(const u8_t conf_inputs[145],u8_t salt[16])820 int bt_mesh_prov_conf_salt(const u8_t conf_inputs[145], u8_t salt[16])
821 {
822 const u8_t conf_salt_key[16] = { 0 };
823
824 return bt_mesh_aes_cmac_one(conf_salt_key, conf_inputs, 145, salt);
825 }
826
bt_mesh_prov_conf_key(const u8_t dhkey[32],const u8_t conf_salt[16],u8_t conf_key[16])827 int bt_mesh_prov_conf_key(const u8_t dhkey[32], const u8_t conf_salt[16],
828 u8_t conf_key[16])
829 {
830 return bt_mesh_k1(dhkey, 32, conf_salt, "prck", conf_key);
831 }
832
bt_mesh_prov_conf(const u8_t conf_key[16],const u8_t rand[16],const u8_t auth[16],u8_t conf[16])833 int bt_mesh_prov_conf(const u8_t conf_key[16], const u8_t rand[16],
834 const u8_t auth[16], u8_t conf[16])
835 {
836 struct bt_mesh_sg sg[] = { { rand, 16 }, { auth, 16 } };
837
838 BT_DBG("ConfirmationKey %s", bt_hex(conf_key, 16));
839 BT_DBG("RandomDevice %s", bt_hex(rand, 16));
840 BT_DBG("AuthValue %s", bt_hex(auth, 16));
841
842 return bt_mesh_aes_cmac(conf_key, sg, ARRAY_SIZE(sg), conf);
843 }
844
bt_mesh_prov_decrypt(const u8_t key[16],u8_t nonce[13],const u8_t data[25+8],u8_t out[25])845 int bt_mesh_prov_decrypt(const u8_t key[16], u8_t nonce[13],
846 const u8_t data[25 + 8], u8_t out[25])
847 {
848 return bt_mesh_ccm_decrypt(key, nonce, data, 25, NULL, 0, out, 8);
849 }
850
851 #ifdef CONFIG_BT_MESH_PROVISIONER
bt_mesh_prov_encrypt(const u8_t key[16],u8_t nonce[13],const u8_t data[25],u8_t out[33])852 int bt_mesh_prov_encrypt(const u8_t key[16], u8_t nonce[13],
853 const u8_t data[25], u8_t out[33])
854 {
855 return bt_mesh_ccm_encrypt(key, nonce, data, 25, NULL, 0, out, 8);
856 }
857 #endif
858
bt_mesh_beacon_auth(const u8_t beacon_key[16],u8_t flags,const u8_t net_id[8],bt_u32_t iv_index,u8_t auth[8])859 int bt_mesh_beacon_auth(const u8_t beacon_key[16], u8_t flags,
860 const u8_t net_id[8], bt_u32_t iv_index,
861 u8_t auth[8])
862 {
863 u8_t msg[13], tmp[16];
864 int err;
865
866 BT_DBG("BeaconKey %s", bt_hex(beacon_key, 16));
867 BT_DBG("NetId %s", bt_hex(net_id, 8));
868 BT_DBG("IV Index 0x%08x", iv_index);
869
870 msg[0] = flags;
871 memcpy(&msg[1], net_id, 8);
872 sys_put_be32(iv_index, &msg[9]);
873
874 BT_DBG("BeaconMsg %s", bt_hex(msg, sizeof(msg)));
875
876 err = bt_mesh_aes_cmac_one(beacon_key, msg, sizeof(msg), tmp);
877 if (!err) {
878 memcpy(auth, tmp, 8);
879 }
880
881 return err;
882 }
883