crypto.c
1 /* Bluetooth Mesh */ 2 3 /* 4 * Copyright (c) 2017 Intel Corporation 5 * Additional Copyright (c) 2018 Espressif Systems (Shanghai) PTE LTD 6 * 7 * SPDX-License-Identifier: Apache-2.0 8 */ 9 10 #include <string.h> 11 #include <stdbool.h> 12 #include <errno.h> 13 14 #define BT_DBG_ENABLED IS_ENABLED(CONFIG_BLE_MESH_DEBUG_CRYPTO) 15 16 #include <tinycrypt/aes.h> 17 #include <tinycrypt/constants.h> 18 #include <tinycrypt/cmac_mode.h> 19 20 #include "crypto.h" 21 #include "mesh_common.h" 22 #include "mesh_bearer_adapt.h" 23 24 #define NET_MIC_LEN(pdu) (((pdu)[1] & 0x80) ? 8 : 4) 25 #define APP_MIC_LEN(aszmic) ((aszmic) ? 8 : 4) 26 27 int bt_mesh_aes_cmac(const u8_t key[16], struct bt_mesh_sg *sg, 28 size_t sg_len, u8_t mac[16]) 29 { 30 struct tc_aes_key_sched_struct sched = {0}; 31 struct tc_cmac_struct state = {0}; 32 33 if (tc_cmac_setup(&state, key, &sched) == TC_CRYPTO_FAIL) { 34 return -EIO; 35 } 36 37 for (; sg_len; sg_len--, sg++) { 38 if (tc_cmac_update(&state, sg->data, 39 sg->len) == TC_CRYPTO_FAIL) { 40 return -EIO; 41 } 42 } 43 44 if (tc_cmac_final(mac, &state) == TC_CRYPTO_FAIL) { 45 return -EIO; 46 } 47 48 return 0; 49 } 50 51 int bt_mesh_k1(const u8_t *ikm, size_t ikm_len, const u8_t salt[16], 52 const char *info, u8_t okm[16]) 53 { 54 int err = 0; 55 56 err = bt_mesh_aes_cmac_one(salt, ikm, ikm_len, okm); 57 if (err < 0) { 58 return err; 59 } 60 61 return bt_mesh_aes_cmac_one(okm, info, strlen(info), okm); 62 } 63 64 int bt_mesh_k2(const u8_t n[16], const u8_t *p, size_t p_len, 65 u8_t net_id[1], u8_t enc_key[16], u8_t priv_key[16]) 66 { 67 struct bt_mesh_sg sg[3] = {0}; 68 u8_t salt[16] = {0}; 69 u8_t out[16] = {0}; 70 u8_t t[16] = {0}; 71 u8_t pad = 0U; 72 int err = 0; 73 74 BT_DBG("n %s", bt_hex(n, 16)); 75 BT_DBG("p %s", bt_hex(p, p_len)); 76 77 err = bt_mesh_s1("smk2", salt); 78 if (err) { 79 return err; 80 } 81 82 err = bt_mesh_aes_cmac_one(salt, n, 16, t); 83 if (err) { 84 return err; 85 } 86 87 pad = 0x01; 88 89 sg[0].data = NULL; 90 sg[0].len = 0; 91 sg[1].data = p; 92 sg[1].len = p_len; 93 sg[2].data = &pad; 94 sg[2].len = sizeof(pad); 95 96 err = bt_mesh_aes_cmac(t, sg, ARRAY_SIZE(sg), out); 97 if (err) { 98 return err; 99 } 100 101 net_id[0] = out[15] & 0x7f; 102 103 sg[0].data = out; 104 sg[0].len = sizeof(out); 105 pad = 0x02; 106 107 err = bt_mesh_aes_cmac(t, sg, ARRAY_SIZE(sg), out); 108 if (err) { 109 return err; 110 } 111 112 memcpy(enc_key, out, 16); 113 114 pad = 0x03; 115 116 err = bt_mesh_aes_cmac(t, sg, ARRAY_SIZE(sg), out); 117 if (err) { 118 return err; 119 } 120 121 memcpy(priv_key, out, 16); 122 123 BT_DBG("NID 0x%02x enc_key %s", net_id[0], bt_hex(enc_key, 16)); 124 BT_DBG("priv_key %s", bt_hex(priv_key, 16)); 125 126 return 0; 127 } 128 129 int bt_mesh_k3(const u8_t n[16], u8_t out[8]) 130 { 131 u8_t id64[] = { 'i', 'd', '6', '4', 0x01 }; 132 u8_t tmp[16] = {0}; 133 u8_t t[16] = {0}; 134 int err = 0; 135 136 err = bt_mesh_s1("smk3", tmp); 137 if (err) { 138 return err; 139 } 140 141 err = bt_mesh_aes_cmac_one(tmp, n, 16, t); 142 if (err) { 143 return err; 144 } 145 146 err = bt_mesh_aes_cmac_one(t, id64, sizeof(id64), tmp); 147 if (err) { 148 return err; 149 } 150 151 memcpy(out, tmp + 8, 8); 152 153 return 0; 154 } 155 156 int bt_mesh_k4(const u8_t n[16], u8_t out[1]) 157 { 158 u8_t id6[] = { 'i', 'd', '6', 0x01 }; 159 u8_t tmp[16] = {0}; 160 u8_t t[16] = {0}; 161 int err = 0; 162 163 err = bt_mesh_s1("smk4", tmp); 164 if (err) { 165 return err; 166 } 167 168 err = bt_mesh_aes_cmac_one(tmp, n, 16, t); 169 if (err) { 170 return err; 171 } 172 173 err = bt_mesh_aes_cmac_one(t, id6, sizeof(id6), tmp); 174 if (err) { 175 return err; 176 } 177 178 out[0] = tmp[15] & BIT_MASK(6); 179 180 return 0; 181 } 182 183 int bt_mesh_id128(const u8_t n[16], const char *s, u8_t out[16]) 184 { 185 const char *id128 = "id128\x01"; 186 u8_t salt[16] = {0}; 187 int err = 0; 188 189 err = bt_mesh_s1(s, salt); 190 if (err) { 191 return err; 192 } 193 194 return bt_mesh_k1(n, 16, salt, id128, out); 195 } 196 197 static int bt_mesh_ccm_decrypt(const u8_t key[16], u8_t nonce[13], 198 const u8_t *enc_msg, size_t msg_len, 199 const u8_t *aad, size_t aad_len, 200 u8_t *out_msg, size_t mic_size) 201 { 202 u8_t msg[16] = {0}, pmsg[16] = {0}, cmic[16] = {0}, 203 cmsg[16] = {0}, Xn[16] = {0}, mic[16] = {0}; 204 u16_t last_blk = 0U, blk_cnt = 0U; 205 size_t i = 0U, j = 0U; 206 int err = 0; 207 208 if (msg_len < 1 || aad_len >= 0xff00) { 209 return -EINVAL; 210 } 211 212 /* C_mic = e(AppKey, 0x01 || nonce || 0x0000) */ 213 pmsg[0] = 0x01; 214 memcpy(pmsg + 1, nonce, 13); 215 sys_put_be16(0x0000, pmsg + 14); 216 217 err = bt_mesh_encrypt_be(key, pmsg, cmic); 218 if (err) { 219 return err; 220 } 221 222 /* X_0 = e(AppKey, 0x09 || nonce || length) */ 223 if (mic_size == sizeof(u64_t)) { 224 pmsg[0] = 0x19 | (aad_len ? 0x40 : 0x00); 225 } else { 226 pmsg[0] = 0x09 | (aad_len ? 0x40 : 0x00); 227 } 228 229 memcpy(pmsg + 1, nonce, 13); 230 sys_put_be16(msg_len, pmsg + 14); 231 232 err = bt_mesh_encrypt_be(key, pmsg, Xn); 233 if (err) { 234 return err; 235 } 236 237 /* If AAD is being used to authenticate, include it here */ 238 if (aad_len) { 239 sys_put_be16(aad_len, pmsg); 240 241 for (i = 0; i < sizeof(u16_t); i++) { 242 pmsg[i] = Xn[i] ^ pmsg[i]; 243 } 244 245 j = 0; 246 aad_len += sizeof(u16_t); 247 while (aad_len > 16) { 248 do { 249 pmsg[i] = Xn[i] ^ aad[j]; 250 i++, j++; 251 } while (i < 16); 252 253 aad_len -= 16; 254 i = 0; 255 256 err = bt_mesh_encrypt_be(key, pmsg, Xn); 257 if (err) { 258 return err; 259 } 260 } 261 262 for (; i < aad_len; i++, j++) { 263 pmsg[i] = Xn[i] ^ aad[j]; 264 } 265 266 for (i = aad_len; i < 16; i++) { 267 pmsg[i] = Xn[i]; 268 } 269 270 err = bt_mesh_encrypt_be(key, pmsg, Xn); 271 if (err) { 272 return err; 273 } 274 } 275 276 last_blk = msg_len % 16; 277 blk_cnt = (msg_len + 15) / 16; 278 if (!last_blk) { 279 last_blk = 16U; 280 } 281 282 for (j = 0; j < blk_cnt; j++) { 283 if (j + 1 == blk_cnt) { 284 /* C_1 = e(AppKey, 0x01 || nonce || 0x0001) */ 285 pmsg[0] = 0x01; 286 memcpy(pmsg + 1, nonce, 13); 287 sys_put_be16(j + 1, pmsg + 14); 288 289 err = bt_mesh_encrypt_be(key, pmsg, cmsg); 290 if (err) { 291 return err; 292 } 293 294 /* Encrypted = Payload[0-15] ^ C_1 */ 295 for (i = 0; i < last_blk; i++) { 296 msg[i] = enc_msg[(j * 16) + i] ^ cmsg[i]; 297 } 298 299 memcpy(out_msg + (j * 16), msg, last_blk); 300 301 /* X_1 = e(AppKey, X_0 ^ Payload[0-15]) */ 302 for (i = 0; i < last_blk; i++) { 303 pmsg[i] = Xn[i] ^ msg[i]; 304 } 305 306 for (i = last_blk; i < 16; i++) { 307 pmsg[i] = Xn[i] ^ 0x00; 308 } 309 310 err = bt_mesh_encrypt_be(key, pmsg, Xn); 311 if (err) { 312 return err; 313 } 314 315 /* MIC = C_mic ^ X_1 */ 316 for (i = 0; i < sizeof(mic); i++) { 317 mic[i] = cmic[i] ^ Xn[i]; 318 } 319 } else { 320 /* C_1 = e(AppKey, 0x01 || nonce || 0x0001) */ 321 pmsg[0] = 0x01; 322 memcpy(pmsg + 1, nonce, 13); 323 sys_put_be16(j + 1, pmsg + 14); 324 325 err = bt_mesh_encrypt_be(key, pmsg, cmsg); 326 if (err) { 327 return err; 328 } 329 330 /* Encrypted = Payload[0-15] ^ C_1 */ 331 for (i = 0; i < 16; i++) { 332 msg[i] = enc_msg[(j * 16) + i] ^ cmsg[i]; 333 } 334 335 memcpy(out_msg + (j * 16), msg, 16); 336 337 /* X_1 = e(AppKey, X_0 ^ Payload[0-15]) */ 338 for (i = 0; i < 16; i++) { 339 pmsg[i] = Xn[i] ^ msg[i]; 340 } 341 342 err = bt_mesh_encrypt_be(key, pmsg, Xn); 343 if (err) { 344 return err; 345 } 346 } 347 } 348 349 if (memcmp(mic, enc_msg + msg_len, mic_size)) { 350 return -EBADMSG; 351 } 352 353 return 0; 354 } 355 356 static int bt_mesh_ccm_encrypt(const u8_t key[16], u8_t nonce[13], 357 const u8_t *msg, size_t msg_len, 358 const u8_t *aad, size_t aad_len, 359 u8_t *out_msg, size_t mic_size) 360 { 361 u8_t pmsg[16] = {0}, cmic[16] = {0}, cmsg[16] = {0}, 362 mic[16] = {0}, Xn[16] = {0}; 363 u16_t blk_cnt = 0U, last_blk = 0U; 364 size_t i = 0U, j = 0U; 365 int err = 0; 366 367 BT_DBG("key %s", bt_hex(key, 16)); 368 BT_DBG("nonce %s", bt_hex(nonce, 13)); 369 BT_DBG("msg (len %u) %s", msg_len, bt_hex(msg, msg_len)); 370 BT_DBG("aad_len %u mic_size %u", aad_len, mic_size); 371 372 /* Unsupported AAD size */ 373 if (aad_len >= 0xff00) { 374 return -EINVAL; 375 } 376 377 /* C_mic = e(AppKey, 0x01 || nonce || 0x0000) */ 378 pmsg[0] = 0x01; 379 memcpy(pmsg + 1, nonce, 13); 380 sys_put_be16(0x0000, pmsg + 14); 381 382 err = bt_mesh_encrypt_be(key, pmsg, cmic); 383 if (err) { 384 return err; 385 } 386 387 /* X_0 = e(AppKey, 0x09 || nonce || length) */ 388 if (mic_size == sizeof(u64_t)) { 389 pmsg[0] = 0x19 | (aad_len ? 0x40 : 0x00); 390 } else { 391 pmsg[0] = 0x09 | (aad_len ? 0x40 : 0x00); 392 } 393 394 memcpy(pmsg + 1, nonce, 13); 395 sys_put_be16(msg_len, pmsg + 14); 396 397 err = bt_mesh_encrypt_be(key, pmsg, Xn); 398 if (err) { 399 return err; 400 } 401 402 /* If AAD is being used to authenticate, include it here */ 403 if (aad_len) { 404 sys_put_be16(aad_len, pmsg); 405 406 for (i = 0; i < sizeof(u16_t); i++) { 407 pmsg[i] = Xn[i] ^ pmsg[i]; 408 } 409 410 j = 0; 411 aad_len += sizeof(u16_t); 412 while (aad_len > 16) { 413 do { 414 pmsg[i] = Xn[i] ^ aad[j]; 415 i++, j++; 416 } while (i < 16); 417 418 aad_len -= 16; 419 i = 0; 420 421 err = bt_mesh_encrypt_be(key, pmsg, Xn); 422 if (err) { 423 return err; 424 } 425 } 426 427 for (; i < aad_len; i++, j++) { 428 pmsg[i] = Xn[i] ^ aad[j]; 429 } 430 431 for (i = aad_len; i < 16; i++) { 432 pmsg[i] = Xn[i]; 433 } 434 435 err = bt_mesh_encrypt_be(key, pmsg, Xn); 436 if (err) { 437 return err; 438 } 439 } 440 441 last_blk = msg_len % 16; 442 blk_cnt = (msg_len + 15) / 16; 443 if (!last_blk) { 444 last_blk = 16U; 445 } 446 447 for (j = 0; j < blk_cnt; j++) { 448 if (j + 1 == blk_cnt) { 449 /* X_1 = e(AppKey, X_0 ^ Payload[0-15]) */ 450 for (i = 0; i < last_blk; i++) { 451 pmsg[i] = Xn[i] ^ msg[(j * 16) + i]; 452 } 453 for (i = last_blk; i < 16; i++) { 454 pmsg[i] = Xn[i] ^ 0x00; 455 } 456 457 err = bt_mesh_encrypt_be(key, pmsg, Xn); 458 if (err) { 459 return err; 460 } 461 462 /* MIC = C_mic ^ X_1 */ 463 for (i = 0; i < sizeof(mic); i++) { 464 mic[i] = cmic[i] ^ Xn[i]; 465 } 466 467 /* C_1 = e(AppKey, 0x01 || nonce || 0x0001) */ 468 pmsg[0] = 0x01; 469 memcpy(pmsg + 1, nonce, 13); 470 sys_put_be16(j + 1, pmsg + 14); 471 472 err = bt_mesh_encrypt_be(key, pmsg, cmsg); 473 if (err) { 474 return err; 475 } 476 477 /* Encrypted = Payload[0-15] ^ C_1 */ 478 for (i = 0; i < last_blk; i++) { 479 out_msg[(j * 16) + i] = 480 msg[(j * 16) + i] ^ cmsg[i]; 481 } 482 } else { 483 /* X_1 = e(AppKey, X_0 ^ Payload[0-15]) */ 484 for (i = 0; i < 16; i++) { 485 pmsg[i] = Xn[i] ^ msg[(j * 16) + i]; 486 } 487 488 err = bt_mesh_encrypt_be(key, pmsg, Xn); 489 if (err) { 490 return err; 491 } 492 493 /* C_1 = e(AppKey, 0x01 || nonce || 0x0001) */ 494 pmsg[0] = 0x01; 495 memcpy(pmsg + 1, nonce, 13); 496 sys_put_be16(j + 1, pmsg + 14); 497 498 err = bt_mesh_encrypt_be(key, pmsg, cmsg); 499 if (err) { 500 return err; 501 } 502 503 /* Encrypted = Payload[0-15] ^ C_N */ 504 for (i = 0; i < 16; i++) { 505 out_msg[(j * 16) + i] = 506 msg[(j * 16) + i] ^ cmsg[i]; 507 } 508 509 } 510 } 511 512 memcpy(out_msg + msg_len, mic, mic_size); 513 514 return 0; 515 } 516 517 #if defined(CONFIG_BLE_MESH_PROXY) 518 static void create_proxy_nonce(u8_t nonce[13], const u8_t *pdu, 519 u32_t iv_index) 520 { 521 /* Nonce Type */ 522 nonce[0] = 0x03; 523 524 /* Pad */ 525 nonce[1] = 0x00; 526 527 /* Sequence Number */ 528 nonce[2] = pdu[2]; 529 nonce[3] = pdu[3]; 530 nonce[4] = pdu[4]; 531 532 /* Source Address */ 533 nonce[5] = pdu[5]; 534 nonce[6] = pdu[6]; 535 536 /* Pad */ 537 nonce[7] = 0U; 538 nonce[8] = 0U; 539 540 /* IV Index */ 541 sys_put_be32(iv_index, &nonce[9]); 542 } 543 #endif /* PROXY */ 544 545 static void create_net_nonce(u8_t nonce[13], const u8_t *pdu, 546 u32_t iv_index) 547 { 548 /* Nonce Type */ 549 nonce[0] = 0x00; 550 551 /* FRND + TTL */ 552 nonce[1] = pdu[1]; 553 554 /* Sequence Number */ 555 nonce[2] = pdu[2]; 556 nonce[3] = pdu[3]; 557 nonce[4] = pdu[4]; 558 559 /* Source Address */ 560 nonce[5] = pdu[5]; 561 nonce[6] = pdu[6]; 562 563 /* Pad */ 564 nonce[7] = 0U; 565 nonce[8] = 0U; 566 567 /* IV Index */ 568 sys_put_be32(iv_index, &nonce[9]); 569 } 570 571 int bt_mesh_net_obfuscate(u8_t *pdu, u32_t iv_index, 572 const u8_t privacy_key[16]) 573 { 574 u8_t priv_rand[16] = { 0x00, 0x00, 0x00, 0x00, 0x00, }; 575 u8_t tmp[16] = {0}; 576 int err = 0, i; 577 578 BT_DBG("IVIndex %u, PrivacyKey %s", iv_index, bt_hex(privacy_key, 16)); 579 580 sys_put_be32(iv_index, &priv_rand[5]); 581 memcpy(&priv_rand[9], &pdu[7], 7); 582 583 BT_DBG("PrivacyRandom %s", bt_hex(priv_rand, 16)); 584 585 err = bt_mesh_encrypt_be(privacy_key, priv_rand, tmp); 586 if (err) { 587 return err; 588 } 589 590 for (i = 0; i < 6; i++) { 591 pdu[1 + i] ^= tmp[i]; 592 } 593 594 return 0; 595 } 596 597 int bt_mesh_net_encrypt(const u8_t key[16], struct net_buf_simple *buf, 598 u32_t iv_index, bool proxy) 599 { 600 u8_t mic_len = NET_MIC_LEN(buf->data); 601 u8_t nonce[13] = {0}; 602 int err = 0; 603 604 BT_DBG("IVIndex %u EncKey %s mic_len %u", iv_index, bt_hex(key, 16), 605 mic_len); 606 BT_DBG("PDU (len %u) %s", buf->len, bt_hex(buf->data, buf->len)); 607 608 #if defined(CONFIG_BLE_MESH_PROXY) 609 if (proxy) { 610 create_proxy_nonce(nonce, buf->data, iv_index); 611 } else { 612 create_net_nonce(nonce, buf->data, iv_index); 613 } 614 #else 615 create_net_nonce(nonce, buf->data, iv_index); 616 #endif 617 618 BT_DBG("Nonce %s", bt_hex(nonce, 13)); 619 620 err = bt_mesh_ccm_encrypt(key, nonce, &buf->data[7], buf->len - 7, 621 NULL, 0, &buf->data[7], mic_len); 622 if (!err) { 623 net_buf_simple_add(buf, mic_len); 624 } 625 626 return err; 627 } 628 629 int bt_mesh_net_decrypt(const u8_t key[16], struct net_buf_simple *buf, 630 u32_t iv_index, bool proxy) 631 { 632 u8_t mic_len = NET_MIC_LEN(buf->data); 633 u8_t nonce[13] = {0}; 634 635 BT_DBG("PDU (%u bytes) %s", buf->len, bt_hex(buf->data, buf->len)); 636 BT_DBG("iv_index %u, key %s mic_len %u", iv_index, bt_hex(key, 16), 637 mic_len); 638 639 #if defined(CONFIG_BLE_MESH_PROXY) 640 if (proxy) { 641 create_proxy_nonce(nonce, buf->data, iv_index); 642 } else { 643 create_net_nonce(nonce, buf->data, iv_index); 644 } 645 #else 646 create_net_nonce(nonce, buf->data, iv_index); 647 #endif 648 649 BT_DBG("Nonce %s", bt_hex(nonce, 13)); 650 651 buf->len -= mic_len; 652 653 return bt_mesh_ccm_decrypt(key, nonce, &buf->data[7], buf->len - 7, 654 NULL, 0, &buf->data[7], mic_len); 655 } 656 657 static void create_app_nonce(u8_t nonce[13], bool dev_key, u8_t aszmic, 658 u16_t src, u16_t dst, u32_t seq_num, 659 u32_t iv_index) 660 { 661 if (dev_key) { 662 nonce[0] = 0x02; 663 } else { 664 nonce[0] = 0x01; 665 } 666 667 sys_put_be32((seq_num | ((u32_t)aszmic << 31)), &nonce[1]); 668 669 sys_put_be16(src, &nonce[5]); 670 sys_put_be16(dst, &nonce[7]); 671 672 sys_put_be32(iv_index, &nonce[9]); 673 } 674 675 int bt_mesh_app_encrypt(const u8_t key[16], bool dev_key, u8_t aszmic, 676 struct net_buf_simple *buf, const u8_t *ad, 677 u16_t src, u16_t dst, u32_t seq_num, u32_t iv_index) 678 { 679 u8_t nonce[13] = {0}; 680 int err = 0; 681 682 BT_DBG("AppKey %s", bt_hex(key, 16)); 683 BT_DBG("dev_key %u src 0x%04x dst 0x%04x", dev_key, src, dst); 684 BT_DBG("seq_num 0x%08x iv_index 0x%08x", seq_num, iv_index); 685 BT_DBG("Clear: %s", bt_hex(buf->data, buf->len)); 686 687 create_app_nonce(nonce, dev_key, aszmic, src, dst, seq_num, iv_index); 688 689 BT_DBG("Nonce %s", bt_hex(nonce, 13)); 690 691 err = bt_mesh_ccm_encrypt(key, nonce, buf->data, buf->len, ad, 692 ad ? 16 : 0, buf->data, APP_MIC_LEN(aszmic)); 693 if (!err) { 694 net_buf_simple_add(buf, APP_MIC_LEN(aszmic)); 695 BT_DBG("Encr: %s", bt_hex(buf->data, buf->len)); 696 } 697 698 return err; 699 } 700 701 int bt_mesh_app_decrypt(const u8_t key[16], bool dev_key, u8_t aszmic, 702 struct net_buf_simple *buf, struct net_buf_simple *out, 703 const u8_t *ad, u16_t src, u16_t dst, u32_t seq_num, 704 u32_t iv_index) 705 { 706 u8_t nonce[13] = {0}; 707 int err = 0; 708 709 BT_DBG("EncData (len %u) %s", buf->len, bt_hex(buf->data, buf->len)); 710 711 create_app_nonce(nonce, dev_key, aszmic, src, dst, seq_num, iv_index); 712 713 BT_DBG("AppKey %s", bt_hex(key, 16)); 714 BT_DBG("Nonce %s", bt_hex(nonce, 13)); 715 716 err = bt_mesh_ccm_decrypt(key, nonce, buf->data, buf->len, ad, 717 ad ? 16 : 0, out->data, APP_MIC_LEN(aszmic)); 718 if (!err) { 719 net_buf_simple_add(out, buf->len); 720 } 721 722 return err; 723 } 724 725 /* reversed, 8-bit, poly=0x07 */ 726 static const u8_t crc_table[256] = { 727 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75, 728 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b, 729 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69, 730 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67, 731 732 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d, 733 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43, 734 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51, 735 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f, 736 737 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05, 738 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b, 739 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19, 740 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17, 741 742 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d, 743 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33, 744 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21, 745 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f, 746 747 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95, 748 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b, 749 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89, 750 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87, 751 752 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad, 753 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3, 754 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1, 755 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf, 756 757 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5, 758 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb, 759 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9, 760 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7, 761 762 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd, 763 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3, 764 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1, 765 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf 766 }; 767 768 u8_t bt_mesh_fcs_calc(const u8_t *data, u8_t data_len) 769 { 770 u8_t fcs = 0xff; 771 772 while (data_len--) { 773 fcs = crc_table[fcs ^ *data++]; 774 } 775 776 BT_DBG("fcs 0x%02x", 0xff - fcs); 777 778 return 0xff - fcs; 779 } 780 781 bool bt_mesh_fcs_check(struct net_buf_simple *buf, u8_t received_fcs) 782 { 783 const u8_t *data = buf->data; 784 u16_t data_len = buf->len; 785 u8_t fcs = 0xff; 786 787 while (data_len--) { 788 fcs = crc_table[fcs ^ *data++]; 789 } 790 791 return crc_table[fcs ^ received_fcs] == 0xcf; 792 } 793 794 int bt_mesh_virtual_addr(const u8_t virtual_label[16], u16_t *addr) 795 { 796 u8_t salt[16] = {0}; 797 u8_t tmp[16] = {0}; 798 int err = 0; 799 800 err = bt_mesh_s1("vtad", salt); 801 if (err) { 802 return err; 803 } 804 805 err = bt_mesh_aes_cmac_one(salt, virtual_label, 16, tmp); 806 if (err) { 807 return err; 808 } 809 810 *addr = (sys_get_be16(&tmp[14]) & 0x3fff) | 0x8000; 811 812 return 0; 813 } 814 815 int bt_mesh_prov_conf_salt(const u8_t conf_inputs[145], u8_t salt[16]) 816 { 817 const u8_t conf_salt_key[16] = { 0 }; 818 819 return bt_mesh_aes_cmac_one(conf_salt_key, conf_inputs, 145, salt); 820 } 821 822 int bt_mesh_prov_conf_key(const u8_t dhkey[32], const u8_t conf_salt[16], 823 u8_t conf_key[16]) 824 { 825 return bt_mesh_k1(dhkey, 32, conf_salt, "prck", conf_key); 826 } 827 828 int bt_mesh_prov_conf(const u8_t conf_key[16], const u8_t rand[16], 829 const u8_t auth[16], u8_t conf[16]) 830 { 831 struct bt_mesh_sg sg[] = { { rand, 16 }, { auth, 16 } }; 832 833 BT_DBG("ConfirmationKey %s", bt_hex(conf_key, 16)); 834 BT_DBG("RandomDevice %s", bt_hex(rand, 16)); 835 BT_DBG("AuthValue %s", bt_hex(auth, 16)); 836 837 return bt_mesh_aes_cmac(conf_key, sg, ARRAY_SIZE(sg), conf); 838 } 839 840 int bt_mesh_prov_decrypt(const u8_t key[16], u8_t nonce[13], 841 const u8_t data[25 + 8], u8_t out[25]) 842 { 843 return bt_mesh_ccm_decrypt(key, nonce, data, 25, NULL, 0, out, 8); 844 } 845 846 #if CONFIG_BLE_MESH_PROVISIONER 847 int bt_mesh_prov_encrypt(const u8_t key[16], u8_t nonce[13], 848 const u8_t data[25], u8_t out[33]) 849 { 850 return bt_mesh_ccm_encrypt(key, nonce, data, 25, NULL, 0, out, 8); 851 } 852 #endif 853 854 int bt_mesh_beacon_auth(const u8_t beacon_key[16], u8_t flags, 855 const u8_t net_id[8], u32_t iv_index, 856 u8_t auth[8]) 857 { 858 u8_t msg[13] = {0}, tmp[16] = {0}; 859 int err = 0; 860 861 BT_DBG("BeaconKey %s", bt_hex(beacon_key, 16)); 862 BT_DBG("NetId %s", bt_hex(net_id, 8)); 863 BT_DBG("IV Index 0x%08x", iv_index); 864 865 msg[0] = flags; 866 memcpy(&msg[1], net_id, 8); 867 sys_put_be32(iv_index, &msg[9]); 868 869 BT_DBG("BeaconMsg %s", bt_hex(msg, sizeof(msg))); 870 871 err = bt_mesh_aes_cmac_one(beacon_key, msg, sizeof(msg), tmp); 872 if (!err) { 873 memcpy(auth, tmp, 8); 874 } 875 876 return err; 877 }