1*042d53a7SEvalZero /* Bluetooth Mesh */
2*042d53a7SEvalZero
3*042d53a7SEvalZero /*
4*042d53a7SEvalZero * Copyright (c) 2017 Intel Corporation
5*042d53a7SEvalZero *
6*042d53a7SEvalZero * SPDX-License-Identifier: Apache-2.0
7*042d53a7SEvalZero */
8*042d53a7SEvalZero
9*042d53a7SEvalZero #include <string.h>
10*042d53a7SEvalZero #include <stdbool.h>
11*042d53a7SEvalZero #include <errno.h>
12*042d53a7SEvalZero
13*042d53a7SEvalZero #include <tinycrypt/constants.h>
14*042d53a7SEvalZero #include <tinycrypt/utils.h>
15*042d53a7SEvalZero #include <tinycrypt/aes.h>
16*042d53a7SEvalZero #include <tinycrypt/cmac_mode.h>
17*042d53a7SEvalZero #include <tinycrypt/ccm_mode.h>
18*042d53a7SEvalZero
19*042d53a7SEvalZero #include "syscfg/syscfg.h"
20*042d53a7SEvalZero #define BT_DBG_ENABLED (MYNEWT_VAL(BLE_MESH_DEBUG_CRYPTO))
21*042d53a7SEvalZero #include "host/ble_hs_log.h"
22*042d53a7SEvalZero
23*042d53a7SEvalZero #include "crypto.h"
24*042d53a7SEvalZero
25*042d53a7SEvalZero #define NET_MIC_LEN(pdu) (((pdu)[1] & 0x80) ? 8 : 4)
26*042d53a7SEvalZero #define APP_MIC_LEN(aszmic) ((aszmic) ? 8 : 4)
27*042d53a7SEvalZero
bt_mesh_aes_cmac(const u8_t key[16],struct bt_mesh_sg * sg,size_t sg_len,u8_t mac[16])28*042d53a7SEvalZero int bt_mesh_aes_cmac(const u8_t key[16], struct bt_mesh_sg *sg,
29*042d53a7SEvalZero size_t sg_len, u8_t mac[16])
30*042d53a7SEvalZero {
31*042d53a7SEvalZero struct tc_aes_key_sched_struct sched;
32*042d53a7SEvalZero struct tc_cmac_struct state;
33*042d53a7SEvalZero
34*042d53a7SEvalZero if (tc_cmac_setup(&state, key, &sched) == TC_CRYPTO_FAIL) {
35*042d53a7SEvalZero return -EIO;
36*042d53a7SEvalZero }
37*042d53a7SEvalZero
38*042d53a7SEvalZero for (; sg_len; sg_len--, sg++) {
39*042d53a7SEvalZero if (tc_cmac_update(&state, sg->data,
40*042d53a7SEvalZero sg->len) == TC_CRYPTO_FAIL) {
41*042d53a7SEvalZero return -EIO;
42*042d53a7SEvalZero }
43*042d53a7SEvalZero }
44*042d53a7SEvalZero
45*042d53a7SEvalZero if (tc_cmac_final(mac, &state) == TC_CRYPTO_FAIL) {
46*042d53a7SEvalZero return -EIO;
47*042d53a7SEvalZero }
48*042d53a7SEvalZero
49*042d53a7SEvalZero return 0;
50*042d53a7SEvalZero }
51*042d53a7SEvalZero
bt_mesh_k1(const u8_t * ikm,size_t ikm_len,const u8_t salt[16],const char * info,u8_t okm[16])52*042d53a7SEvalZero int bt_mesh_k1(const u8_t *ikm, size_t ikm_len, const u8_t salt[16],
53*042d53a7SEvalZero const char *info, u8_t okm[16])
54*042d53a7SEvalZero {
55*042d53a7SEvalZero int err;
56*042d53a7SEvalZero
57*042d53a7SEvalZero err = bt_mesh_aes_cmac_one(salt, ikm, ikm_len, okm);
58*042d53a7SEvalZero if (err < 0) {
59*042d53a7SEvalZero return err;
60*042d53a7SEvalZero }
61*042d53a7SEvalZero
62*042d53a7SEvalZero return bt_mesh_aes_cmac_one(okm, info, strlen(info), okm);
63*042d53a7SEvalZero }
64*042d53a7SEvalZero
bt_mesh_k2(const u8_t n[16],const u8_t * p,size_t p_len,u8_t net_id[1],u8_t enc_key[16],u8_t priv_key[16])65*042d53a7SEvalZero int bt_mesh_k2(const u8_t n[16], const u8_t *p, size_t p_len,
66*042d53a7SEvalZero u8_t net_id[1], u8_t enc_key[16], u8_t priv_key[16])
67*042d53a7SEvalZero {
68*042d53a7SEvalZero struct bt_mesh_sg sg[3];
69*042d53a7SEvalZero u8_t salt[16];
70*042d53a7SEvalZero u8_t out[16];
71*042d53a7SEvalZero u8_t t[16];
72*042d53a7SEvalZero u8_t pad;
73*042d53a7SEvalZero int err;
74*042d53a7SEvalZero
75*042d53a7SEvalZero BT_DBG("n %s", bt_hex(n, 16));
76*042d53a7SEvalZero BT_DBG("p %s", bt_hex(p, p_len));
77*042d53a7SEvalZero
78*042d53a7SEvalZero err = bt_mesh_s1("smk2", salt);
79*042d53a7SEvalZero if (err) {
80*042d53a7SEvalZero return err;
81*042d53a7SEvalZero }
82*042d53a7SEvalZero
83*042d53a7SEvalZero err = bt_mesh_aes_cmac_one(salt, n, 16, t);
84*042d53a7SEvalZero if (err) {
85*042d53a7SEvalZero return err;
86*042d53a7SEvalZero }
87*042d53a7SEvalZero
88*042d53a7SEvalZero pad = 0x01;
89*042d53a7SEvalZero
90*042d53a7SEvalZero sg[0].data = NULL;
91*042d53a7SEvalZero sg[0].len = 0;
92*042d53a7SEvalZero sg[1].data = p;
93*042d53a7SEvalZero sg[1].len = p_len;
94*042d53a7SEvalZero sg[2].data = &pad;
95*042d53a7SEvalZero sg[2].len = sizeof(pad);
96*042d53a7SEvalZero
97*042d53a7SEvalZero err = bt_mesh_aes_cmac(t, sg, ARRAY_SIZE(sg), out);
98*042d53a7SEvalZero if (err) {
99*042d53a7SEvalZero return err;
100*042d53a7SEvalZero }
101*042d53a7SEvalZero
102*042d53a7SEvalZero net_id[0] = out[15] & 0x7f;
103*042d53a7SEvalZero
104*042d53a7SEvalZero sg[0].data = out;
105*042d53a7SEvalZero sg[0].len = sizeof(out);
106*042d53a7SEvalZero pad = 0x02;
107*042d53a7SEvalZero
108*042d53a7SEvalZero err = bt_mesh_aes_cmac(t, sg, ARRAY_SIZE(sg), out);
109*042d53a7SEvalZero if (err) {
110*042d53a7SEvalZero return err;
111*042d53a7SEvalZero }
112*042d53a7SEvalZero
113*042d53a7SEvalZero memcpy(enc_key, out, 16);
114*042d53a7SEvalZero
115*042d53a7SEvalZero pad = 0x03;
116*042d53a7SEvalZero
117*042d53a7SEvalZero err = bt_mesh_aes_cmac(t, sg, ARRAY_SIZE(sg), out);
118*042d53a7SEvalZero if (err) {
119*042d53a7SEvalZero return err;
120*042d53a7SEvalZero }
121*042d53a7SEvalZero
122*042d53a7SEvalZero memcpy(priv_key, out, 16);
123*042d53a7SEvalZero
124*042d53a7SEvalZero BT_DBG("NID 0x%02x enc_key %s", net_id[0], bt_hex(enc_key, 16));
125*042d53a7SEvalZero BT_DBG("priv_key %s", bt_hex(priv_key, 16));
126*042d53a7SEvalZero
127*042d53a7SEvalZero return 0;
128*042d53a7SEvalZero }
129*042d53a7SEvalZero
bt_mesh_k3(const u8_t n[16],u8_t out[8])130*042d53a7SEvalZero int bt_mesh_k3(const u8_t n[16], u8_t out[8])
131*042d53a7SEvalZero {
132*042d53a7SEvalZero u8_t id64[] = { 'i', 'd', '6', '4', 0x01 };
133*042d53a7SEvalZero u8_t tmp[16];
134*042d53a7SEvalZero u8_t t[16];
135*042d53a7SEvalZero int err;
136*042d53a7SEvalZero
137*042d53a7SEvalZero err = bt_mesh_s1("smk3", tmp);
138*042d53a7SEvalZero if (err) {
139*042d53a7SEvalZero return err;
140*042d53a7SEvalZero }
141*042d53a7SEvalZero
142*042d53a7SEvalZero err = bt_mesh_aes_cmac_one(tmp, n, 16, t);
143*042d53a7SEvalZero if (err) {
144*042d53a7SEvalZero return err;
145*042d53a7SEvalZero }
146*042d53a7SEvalZero
147*042d53a7SEvalZero err = bt_mesh_aes_cmac_one(t, id64, sizeof(id64), tmp);
148*042d53a7SEvalZero if (err) {
149*042d53a7SEvalZero return err;
150*042d53a7SEvalZero }
151*042d53a7SEvalZero
152*042d53a7SEvalZero memcpy(out, tmp + 8, 8);
153*042d53a7SEvalZero
154*042d53a7SEvalZero return 0;
155*042d53a7SEvalZero }
156*042d53a7SEvalZero
bt_mesh_k4(const u8_t n[16],u8_t out[1])157*042d53a7SEvalZero int bt_mesh_k4(const u8_t n[16], u8_t out[1])
158*042d53a7SEvalZero {
159*042d53a7SEvalZero u8_t id6[] = { 'i', 'd', '6', 0x01 };
160*042d53a7SEvalZero u8_t tmp[16];
161*042d53a7SEvalZero u8_t t[16];
162*042d53a7SEvalZero int err;
163*042d53a7SEvalZero
164*042d53a7SEvalZero err = bt_mesh_s1("smk4", tmp);
165*042d53a7SEvalZero if (err) {
166*042d53a7SEvalZero return err;
167*042d53a7SEvalZero }
168*042d53a7SEvalZero
169*042d53a7SEvalZero err = bt_mesh_aes_cmac_one(tmp, n, 16, t);
170*042d53a7SEvalZero if (err) {
171*042d53a7SEvalZero return err;
172*042d53a7SEvalZero }
173*042d53a7SEvalZero
174*042d53a7SEvalZero err = bt_mesh_aes_cmac_one(t, id6, sizeof(id6), tmp);
175*042d53a7SEvalZero if (err) {
176*042d53a7SEvalZero return err;
177*042d53a7SEvalZero }
178*042d53a7SEvalZero
179*042d53a7SEvalZero out[0] = tmp[15] & BIT_MASK(6);
180*042d53a7SEvalZero
181*042d53a7SEvalZero return 0;
182*042d53a7SEvalZero }
183*042d53a7SEvalZero
bt_mesh_id128(const u8_t n[16],const char * s,u8_t out[16])184*042d53a7SEvalZero int bt_mesh_id128(const u8_t n[16], const char *s, u8_t out[16])
185*042d53a7SEvalZero {
186*042d53a7SEvalZero const char *id128 = "id128\x01";
187*042d53a7SEvalZero u8_t salt[16];
188*042d53a7SEvalZero int err;
189*042d53a7SEvalZero
190*042d53a7SEvalZero err = bt_mesh_s1(s, salt);
191*042d53a7SEvalZero if (err) {
192*042d53a7SEvalZero return err;
193*042d53a7SEvalZero }
194*042d53a7SEvalZero
195*042d53a7SEvalZero return bt_mesh_k1(n, 16, salt, id128, out);
196*042d53a7SEvalZero }
197*042d53a7SEvalZero
bt_mesh_ccm_decrypt(const u8_t key[16],u8_t nonce[13],const u8_t * enc_msg,size_t msg_len,const u8_t * aad,size_t aad_len,u8_t * out_msg,size_t mic_size)198*042d53a7SEvalZero static int bt_mesh_ccm_decrypt(const u8_t key[16], u8_t nonce[13],
199*042d53a7SEvalZero const u8_t *enc_msg, size_t msg_len,
200*042d53a7SEvalZero const u8_t *aad, size_t aad_len,
201*042d53a7SEvalZero u8_t *out_msg, size_t mic_size)
202*042d53a7SEvalZero {
203*042d53a7SEvalZero u8_t msg[16], pmsg[16], cmic[16], cmsg[16], Xn[16], mic[16];
204*042d53a7SEvalZero u16_t last_blk, blk_cnt;
205*042d53a7SEvalZero size_t i, j;
206*042d53a7SEvalZero int err;
207*042d53a7SEvalZero
208*042d53a7SEvalZero if (msg_len < 1 || aad_len >= 0xff00) {
209*042d53a7SEvalZero return -EINVAL;
210*042d53a7SEvalZero }
211*042d53a7SEvalZero
212*042d53a7SEvalZero /* C_mic = e(AppKey, 0x01 || nonce || 0x0000) */
213*042d53a7SEvalZero pmsg[0] = 0x01;
214*042d53a7SEvalZero memcpy(pmsg + 1, nonce, 13);
215*042d53a7SEvalZero sys_put_be16(0x0000, pmsg + 14);
216*042d53a7SEvalZero
217*042d53a7SEvalZero err = bt_encrypt_be(key, pmsg, cmic);
218*042d53a7SEvalZero if (err) {
219*042d53a7SEvalZero return err;
220*042d53a7SEvalZero }
221*042d53a7SEvalZero
222*042d53a7SEvalZero /* X_0 = e(AppKey, 0x09 || nonce || length) */
223*042d53a7SEvalZero if (mic_size == sizeof(u64_t)) {
224*042d53a7SEvalZero pmsg[0] = 0x19 | (aad_len ? 0x40 : 0x00);
225*042d53a7SEvalZero } else {
226*042d53a7SEvalZero pmsg[0] = 0x09 | (aad_len ? 0x40 : 0x00);
227*042d53a7SEvalZero }
228*042d53a7SEvalZero
229*042d53a7SEvalZero memcpy(pmsg + 1, nonce, 13);
230*042d53a7SEvalZero sys_put_be16(msg_len, pmsg + 14);
231*042d53a7SEvalZero
232*042d53a7SEvalZero err = bt_encrypt_be(key, pmsg, Xn);
233*042d53a7SEvalZero if (err) {
234*042d53a7SEvalZero return err;
235*042d53a7SEvalZero }
236*042d53a7SEvalZero
237*042d53a7SEvalZero /* If AAD is being used to authenticate, include it here */
238*042d53a7SEvalZero if (aad_len) {
239*042d53a7SEvalZero sys_put_be16(aad_len, pmsg);
240*042d53a7SEvalZero
241*042d53a7SEvalZero for (i = 0; i < sizeof(u16_t); i++) {
242*042d53a7SEvalZero pmsg[i] = Xn[i] ^ pmsg[i];
243*042d53a7SEvalZero }
244*042d53a7SEvalZero
245*042d53a7SEvalZero j = 0;
246*042d53a7SEvalZero aad_len += sizeof(u16_t);
247*042d53a7SEvalZero while (aad_len > 16) {
248*042d53a7SEvalZero do {
249*042d53a7SEvalZero pmsg[i] = Xn[i] ^ aad[j];
250*042d53a7SEvalZero i++, j++;
251*042d53a7SEvalZero } while (i < 16);
252*042d53a7SEvalZero
253*042d53a7SEvalZero aad_len -= 16;
254*042d53a7SEvalZero i = 0;
255*042d53a7SEvalZero
256*042d53a7SEvalZero err = bt_encrypt_be(key, pmsg, Xn);
257*042d53a7SEvalZero if (err) {
258*042d53a7SEvalZero return err;
259*042d53a7SEvalZero }
260*042d53a7SEvalZero }
261*042d53a7SEvalZero
262*042d53a7SEvalZero for (i = 0; i < aad_len; i++, j++) {
263*042d53a7SEvalZero pmsg[i] = Xn[i] ^ aad[j];
264*042d53a7SEvalZero }
265*042d53a7SEvalZero
266*042d53a7SEvalZero for (i = aad_len; i < 16; i++) {
267*042d53a7SEvalZero pmsg[i] = Xn[i];
268*042d53a7SEvalZero }
269*042d53a7SEvalZero
270*042d53a7SEvalZero err = bt_encrypt_be(key, pmsg, Xn);
271*042d53a7SEvalZero if (err) {
272*042d53a7SEvalZero return err;
273*042d53a7SEvalZero }
274*042d53a7SEvalZero }
275*042d53a7SEvalZero
276*042d53a7SEvalZero last_blk = msg_len % 16;
277*042d53a7SEvalZero blk_cnt = (msg_len + 15) / 16;
278*042d53a7SEvalZero if (!last_blk) {
279*042d53a7SEvalZero last_blk = 16;
280*042d53a7SEvalZero }
281*042d53a7SEvalZero
282*042d53a7SEvalZero for (j = 0; j < blk_cnt; j++) {
283*042d53a7SEvalZero if (j + 1 == blk_cnt) {
284*042d53a7SEvalZero /* C_1 = e(AppKey, 0x01 || nonce || 0x0001) */
285*042d53a7SEvalZero pmsg[0] = 0x01;
286*042d53a7SEvalZero memcpy(pmsg + 1, nonce, 13);
287*042d53a7SEvalZero sys_put_be16(j + 1, pmsg + 14);
288*042d53a7SEvalZero
289*042d53a7SEvalZero err = bt_encrypt_be(key, pmsg, cmsg);
290*042d53a7SEvalZero if (err) {
291*042d53a7SEvalZero return err;
292*042d53a7SEvalZero }
293*042d53a7SEvalZero
294*042d53a7SEvalZero /* Encrypted = Payload[0-15] ^ C_1 */
295*042d53a7SEvalZero for (i = 0; i < last_blk; i++) {
296*042d53a7SEvalZero msg[i] = enc_msg[(j * 16) + i] ^ cmsg[i];
297*042d53a7SEvalZero }
298*042d53a7SEvalZero
299*042d53a7SEvalZero memcpy(out_msg + (j * 16), msg, last_blk);
300*042d53a7SEvalZero
301*042d53a7SEvalZero /* X_1 = e(AppKey, X_0 ^ Payload[0-15]) */
302*042d53a7SEvalZero for (i = 0; i < last_blk; i++) {
303*042d53a7SEvalZero pmsg[i] = Xn[i] ^ msg[i];
304*042d53a7SEvalZero }
305*042d53a7SEvalZero
306*042d53a7SEvalZero for (i = last_blk; i < 16; i++) {
307*042d53a7SEvalZero pmsg[i] = Xn[i] ^ 0x00;
308*042d53a7SEvalZero }
309*042d53a7SEvalZero
310*042d53a7SEvalZero err = bt_encrypt_be(key, pmsg, Xn);
311*042d53a7SEvalZero if (err) {
312*042d53a7SEvalZero return err;
313*042d53a7SEvalZero }
314*042d53a7SEvalZero
315*042d53a7SEvalZero /* MIC = C_mic ^ X_1 */
316*042d53a7SEvalZero for (i = 0; i < sizeof(mic); i++) {
317*042d53a7SEvalZero mic[i] = cmic[i] ^ Xn[i];
318*042d53a7SEvalZero }
319*042d53a7SEvalZero } else {
320*042d53a7SEvalZero /* C_1 = e(AppKey, 0x01 || nonce || 0x0001) */
321*042d53a7SEvalZero pmsg[0] = 0x01;
322*042d53a7SEvalZero memcpy(pmsg + 1, nonce, 13);
323*042d53a7SEvalZero sys_put_be16(j + 1, pmsg + 14);
324*042d53a7SEvalZero
325*042d53a7SEvalZero err = bt_encrypt_be(key, pmsg, cmsg);
326*042d53a7SEvalZero if (err) {
327*042d53a7SEvalZero return err;
328*042d53a7SEvalZero }
329*042d53a7SEvalZero
330*042d53a7SEvalZero /* Encrypted = Payload[0-15] ^ C_1 */
331*042d53a7SEvalZero for (i = 0; i < 16; i++) {
332*042d53a7SEvalZero msg[i] = enc_msg[(j * 16) + i] ^ cmsg[i];
333*042d53a7SEvalZero }
334*042d53a7SEvalZero
335*042d53a7SEvalZero memcpy(out_msg + (j * 16), msg, 16);
336*042d53a7SEvalZero
337*042d53a7SEvalZero /* X_1 = e(AppKey, X_0 ^ Payload[0-15]) */
338*042d53a7SEvalZero for (i = 0; i < 16; i++) {
339*042d53a7SEvalZero pmsg[i] = Xn[i] ^ msg[i];
340*042d53a7SEvalZero }
341*042d53a7SEvalZero
342*042d53a7SEvalZero err = bt_encrypt_be(key, pmsg, Xn);
343*042d53a7SEvalZero if (err) {
344*042d53a7SEvalZero return err;
345*042d53a7SEvalZero }
346*042d53a7SEvalZero }
347*042d53a7SEvalZero }
348*042d53a7SEvalZero
349*042d53a7SEvalZero if (memcmp(mic, enc_msg + msg_len, mic_size)) {
350*042d53a7SEvalZero return -EBADMSG;
351*042d53a7SEvalZero }
352*042d53a7SEvalZero
353*042d53a7SEvalZero return 0;
354*042d53a7SEvalZero }
355*042d53a7SEvalZero
bt_mesh_ccm_encrypt(const u8_t key[16],u8_t nonce[13],const u8_t * msg,size_t msg_len,const u8_t * aad,size_t aad_len,u8_t * out_msg,size_t mic_size)356*042d53a7SEvalZero static int bt_mesh_ccm_encrypt(const u8_t key[16], u8_t nonce[13],
357*042d53a7SEvalZero const u8_t *msg, size_t msg_len,
358*042d53a7SEvalZero const u8_t *aad, size_t aad_len,
359*042d53a7SEvalZero u8_t *out_msg, size_t mic_size)
360*042d53a7SEvalZero {
361*042d53a7SEvalZero u8_t pmsg[16], cmic[16], cmsg[16], mic[16], Xn[16];
362*042d53a7SEvalZero u16_t blk_cnt, last_blk;
363*042d53a7SEvalZero size_t i, j;
364*042d53a7SEvalZero int err;
365*042d53a7SEvalZero
366*042d53a7SEvalZero BT_DBG("key %s", bt_hex(key, 16));
367*042d53a7SEvalZero BT_DBG("nonce %s", bt_hex(nonce, 13));
368*042d53a7SEvalZero BT_DBG("msg (len %zu) %s", msg_len, bt_hex(msg, msg_len));
369*042d53a7SEvalZero BT_DBG("aad_len %zu mic_size %zu", aad_len, mic_size);
370*042d53a7SEvalZero
371*042d53a7SEvalZero /* Unsupported AAD size */
372*042d53a7SEvalZero if (aad_len >= 0xff00) {
373*042d53a7SEvalZero return -EINVAL;
374*042d53a7SEvalZero }
375*042d53a7SEvalZero
376*042d53a7SEvalZero /* C_mic = e(AppKey, 0x01 || nonce || 0x0000) */
377*042d53a7SEvalZero pmsg[0] = 0x01;
378*042d53a7SEvalZero memcpy(pmsg + 1, nonce, 13);
379*042d53a7SEvalZero sys_put_be16(0x0000, pmsg + 14);
380*042d53a7SEvalZero
381*042d53a7SEvalZero err = bt_encrypt_be(key, pmsg, cmic);
382*042d53a7SEvalZero if (err) {
383*042d53a7SEvalZero return err;
384*042d53a7SEvalZero }
385*042d53a7SEvalZero
386*042d53a7SEvalZero /* X_0 = e(AppKey, 0x09 || nonce || length) */
387*042d53a7SEvalZero if (mic_size == sizeof(u64_t)) {
388*042d53a7SEvalZero pmsg[0] = 0x19 | (aad_len ? 0x40 : 0x00);
389*042d53a7SEvalZero } else {
390*042d53a7SEvalZero pmsg[0] = 0x09 | (aad_len ? 0x40 : 0x00);
391*042d53a7SEvalZero }
392*042d53a7SEvalZero
393*042d53a7SEvalZero memcpy(pmsg + 1, nonce, 13);
394*042d53a7SEvalZero sys_put_be16(msg_len, pmsg + 14);
395*042d53a7SEvalZero
396*042d53a7SEvalZero err = bt_encrypt_be(key, pmsg, Xn);
397*042d53a7SEvalZero if (err) {
398*042d53a7SEvalZero return err;
399*042d53a7SEvalZero }
400*042d53a7SEvalZero
401*042d53a7SEvalZero /* If AAD is being used to authenticate, include it here */
402*042d53a7SEvalZero if (aad_len) {
403*042d53a7SEvalZero sys_put_be16(aad_len, pmsg);
404*042d53a7SEvalZero
405*042d53a7SEvalZero for (i = 0; i < sizeof(u16_t); i++) {
406*042d53a7SEvalZero pmsg[i] = Xn[i] ^ pmsg[i];
407*042d53a7SEvalZero }
408*042d53a7SEvalZero
409*042d53a7SEvalZero j = 0;
410*042d53a7SEvalZero aad_len += sizeof(u16_t);
411*042d53a7SEvalZero while (aad_len > 16) {
412*042d53a7SEvalZero do {
413*042d53a7SEvalZero pmsg[i] = Xn[i] ^ aad[j];
414*042d53a7SEvalZero i++, j++;
415*042d53a7SEvalZero } while (i < 16);
416*042d53a7SEvalZero
417*042d53a7SEvalZero aad_len -= 16;
418*042d53a7SEvalZero i = 0;
419*042d53a7SEvalZero
420*042d53a7SEvalZero err = bt_encrypt_be(key, pmsg, Xn);
421*042d53a7SEvalZero if (err) {
422*042d53a7SEvalZero return err;
423*042d53a7SEvalZero }
424*042d53a7SEvalZero }
425*042d53a7SEvalZero
426*042d53a7SEvalZero for (i = 0; i < aad_len; i++, j++) {
427*042d53a7SEvalZero pmsg[i] = Xn[i] ^ aad[j];
428*042d53a7SEvalZero }
429*042d53a7SEvalZero
430*042d53a7SEvalZero for (i = aad_len; i < 16; i++) {
431*042d53a7SEvalZero pmsg[i] = Xn[i];
432*042d53a7SEvalZero }
433*042d53a7SEvalZero
434*042d53a7SEvalZero err = bt_encrypt_be(key, pmsg, Xn);
435*042d53a7SEvalZero if (err) {
436*042d53a7SEvalZero return err;
437*042d53a7SEvalZero }
438*042d53a7SEvalZero }
439*042d53a7SEvalZero
440*042d53a7SEvalZero last_blk = msg_len % 16;
441*042d53a7SEvalZero blk_cnt = (msg_len + 15) / 16;
442*042d53a7SEvalZero if (!last_blk) {
443*042d53a7SEvalZero last_blk = 16;
444*042d53a7SEvalZero }
445*042d53a7SEvalZero
446*042d53a7SEvalZero for (j = 0; j < blk_cnt; j++) {
447*042d53a7SEvalZero if (j + 1 == blk_cnt) {
448*042d53a7SEvalZero /* X_1 = e(AppKey, X_0 ^ Payload[0-15]) */
449*042d53a7SEvalZero for (i = 0; i < last_blk; i++) {
450*042d53a7SEvalZero pmsg[i] = Xn[i] ^ msg[(j * 16) + i];
451*042d53a7SEvalZero }
452*042d53a7SEvalZero for (i = last_blk; i < 16; i++) {
453*042d53a7SEvalZero pmsg[i] = Xn[i] ^ 0x00;
454*042d53a7SEvalZero }
455*042d53a7SEvalZero
456*042d53a7SEvalZero err = bt_encrypt_be(key, pmsg, Xn);
457*042d53a7SEvalZero if (err) {
458*042d53a7SEvalZero return err;
459*042d53a7SEvalZero }
460*042d53a7SEvalZero
461*042d53a7SEvalZero /* MIC = C_mic ^ X_1 */
462*042d53a7SEvalZero for (i = 0; i < sizeof(mic); i++) {
463*042d53a7SEvalZero mic[i] = cmic[i] ^ Xn[i];
464*042d53a7SEvalZero }
465*042d53a7SEvalZero
466*042d53a7SEvalZero /* C_1 = e(AppKey, 0x01 || nonce || 0x0001) */
467*042d53a7SEvalZero pmsg[0] = 0x01;
468*042d53a7SEvalZero memcpy(pmsg + 1, nonce, 13);
469*042d53a7SEvalZero sys_put_be16(j + 1, pmsg + 14);
470*042d53a7SEvalZero
471*042d53a7SEvalZero err = bt_encrypt_be(key, pmsg, cmsg);
472*042d53a7SEvalZero if (err) {
473*042d53a7SEvalZero return err;
474*042d53a7SEvalZero }
475*042d53a7SEvalZero
476*042d53a7SEvalZero /* Encrypted = Payload[0-15] ^ C_1 */
477*042d53a7SEvalZero for (i = 0; i < last_blk; i++) {
478*042d53a7SEvalZero out_msg[(j * 16) + i] =
479*042d53a7SEvalZero msg[(j * 16) + i] ^ cmsg[i];
480*042d53a7SEvalZero }
481*042d53a7SEvalZero } else {
482*042d53a7SEvalZero /* X_1 = e(AppKey, X_0 ^ Payload[0-15]) */
483*042d53a7SEvalZero for (i = 0; i < 16; i++) {
484*042d53a7SEvalZero pmsg[i] = Xn[i] ^ msg[(j * 16) + i];
485*042d53a7SEvalZero }
486*042d53a7SEvalZero
487*042d53a7SEvalZero err = bt_encrypt_be(key, pmsg, Xn);
488*042d53a7SEvalZero if (err) {
489*042d53a7SEvalZero return err;
490*042d53a7SEvalZero }
491*042d53a7SEvalZero
492*042d53a7SEvalZero /* C_1 = e(AppKey, 0x01 || nonce || 0x0001) */
493*042d53a7SEvalZero pmsg[0] = 0x01;
494*042d53a7SEvalZero memcpy(pmsg + 1, nonce, 13);
495*042d53a7SEvalZero sys_put_be16(j + 1, pmsg + 14);
496*042d53a7SEvalZero
497*042d53a7SEvalZero err = bt_encrypt_be(key, pmsg, cmsg);
498*042d53a7SEvalZero if (err) {
499*042d53a7SEvalZero return err;
500*042d53a7SEvalZero }
501*042d53a7SEvalZero
502*042d53a7SEvalZero /* Encrypted = Payload[0-15] ^ C_N */
503*042d53a7SEvalZero for (i = 0; i < 16; i++) {
504*042d53a7SEvalZero out_msg[(j * 16) + i] =
505*042d53a7SEvalZero msg[(j * 16) + i] ^ cmsg[i];
506*042d53a7SEvalZero }
507*042d53a7SEvalZero
508*042d53a7SEvalZero }
509*042d53a7SEvalZero }
510*042d53a7SEvalZero
511*042d53a7SEvalZero memcpy(out_msg + msg_len, mic, mic_size);
512*042d53a7SEvalZero
513*042d53a7SEvalZero return 0;
514*042d53a7SEvalZero }
515*042d53a7SEvalZero
516*042d53a7SEvalZero #if (MYNEWT_VAL(BLE_MESH_PROXY))
create_proxy_nonce(u8_t nonce[13],const u8_t * pdu,u32_t iv_index)517*042d53a7SEvalZero static void create_proxy_nonce(u8_t nonce[13], const u8_t *pdu,
518*042d53a7SEvalZero u32_t iv_index)
519*042d53a7SEvalZero {
520*042d53a7SEvalZero /* Nonce Type */
521*042d53a7SEvalZero nonce[0] = 0x03;
522*042d53a7SEvalZero
523*042d53a7SEvalZero /* Pad */
524*042d53a7SEvalZero nonce[1] = 0x00;
525*042d53a7SEvalZero
526*042d53a7SEvalZero /* Sequence Number */
527*042d53a7SEvalZero nonce[2] = pdu[2];
528*042d53a7SEvalZero nonce[3] = pdu[3];
529*042d53a7SEvalZero nonce[4] = pdu[4];
530*042d53a7SEvalZero
531*042d53a7SEvalZero /* Source Address */
532*042d53a7SEvalZero nonce[5] = pdu[5];
533*042d53a7SEvalZero nonce[6] = pdu[6];
534*042d53a7SEvalZero
535*042d53a7SEvalZero /* Pad */
536*042d53a7SEvalZero nonce[7] = 0;
537*042d53a7SEvalZero nonce[8] = 0;
538*042d53a7SEvalZero
539*042d53a7SEvalZero /* IV Index */
540*042d53a7SEvalZero sys_put_be32(iv_index, &nonce[9]);
541*042d53a7SEvalZero }
542*042d53a7SEvalZero #endif /* PROXY */
543*042d53a7SEvalZero
create_net_nonce(u8_t nonce[13],const u8_t * pdu,u32_t iv_index)544*042d53a7SEvalZero static void create_net_nonce(u8_t nonce[13], const u8_t *pdu,
545*042d53a7SEvalZero u32_t iv_index)
546*042d53a7SEvalZero {
547*042d53a7SEvalZero /* Nonce Type */
548*042d53a7SEvalZero nonce[0] = 0x00;
549*042d53a7SEvalZero
550*042d53a7SEvalZero /* FRND + TTL */
551*042d53a7SEvalZero nonce[1] = pdu[1];
552*042d53a7SEvalZero
553*042d53a7SEvalZero /* Sequence Number */
554*042d53a7SEvalZero nonce[2] = pdu[2];
555*042d53a7SEvalZero nonce[3] = pdu[3];
556*042d53a7SEvalZero nonce[4] = pdu[4];
557*042d53a7SEvalZero
558*042d53a7SEvalZero /* Source Address */
559*042d53a7SEvalZero nonce[5] = pdu[5];
560*042d53a7SEvalZero nonce[6] = pdu[6];
561*042d53a7SEvalZero
562*042d53a7SEvalZero /* Pad */
563*042d53a7SEvalZero nonce[7] = 0;
564*042d53a7SEvalZero nonce[8] = 0;
565*042d53a7SEvalZero
566*042d53a7SEvalZero /* IV Index */
567*042d53a7SEvalZero sys_put_be32(iv_index, &nonce[9]);
568*042d53a7SEvalZero }
569*042d53a7SEvalZero
bt_mesh_net_obfuscate(u8_t * pdu,u32_t iv_index,const u8_t privacy_key[16])570*042d53a7SEvalZero int bt_mesh_net_obfuscate(u8_t *pdu, u32_t iv_index,
571*042d53a7SEvalZero const u8_t privacy_key[16])
572*042d53a7SEvalZero {
573*042d53a7SEvalZero u8_t priv_rand[16] = { 0x00, 0x00, 0x00, 0x00, 0x00, };
574*042d53a7SEvalZero u8_t tmp[16];
575*042d53a7SEvalZero int err, i;
576*042d53a7SEvalZero
577*042d53a7SEvalZero BT_DBG("IVIndex %u, PrivacyKey %s", iv_index, bt_hex(privacy_key, 16));
578*042d53a7SEvalZero
579*042d53a7SEvalZero sys_put_be32(iv_index, &priv_rand[5]);
580*042d53a7SEvalZero memcpy(&priv_rand[9], &pdu[7], 7);
581*042d53a7SEvalZero
582*042d53a7SEvalZero BT_DBG("PrivacyRandom %s", bt_hex(priv_rand, 16));
583*042d53a7SEvalZero
584*042d53a7SEvalZero err = bt_encrypt_be(privacy_key, priv_rand, tmp);
585*042d53a7SEvalZero if (err) {
586*042d53a7SEvalZero return err;
587*042d53a7SEvalZero }
588*042d53a7SEvalZero
589*042d53a7SEvalZero for (i = 0; i < 6; i++) {
590*042d53a7SEvalZero pdu[1 + i] ^= tmp[i];
591*042d53a7SEvalZero }
592*042d53a7SEvalZero
593*042d53a7SEvalZero return 0;
594*042d53a7SEvalZero }
595*042d53a7SEvalZero
bt_mesh_net_encrypt(const u8_t key[16],struct os_mbuf * buf,u32_t iv_index,bool proxy)596*042d53a7SEvalZero int bt_mesh_net_encrypt(const u8_t key[16], struct os_mbuf *buf,
597*042d53a7SEvalZero u32_t iv_index, bool proxy)
598*042d53a7SEvalZero {
599*042d53a7SEvalZero u8_t mic_len = NET_MIC_LEN(buf->om_data);
600*042d53a7SEvalZero u8_t nonce[13];
601*042d53a7SEvalZero int err;
602*042d53a7SEvalZero
603*042d53a7SEvalZero BT_DBG("IVIndex %u EncKey %s mic_len %u", iv_index, bt_hex(key, 16),
604*042d53a7SEvalZero mic_len);
605*042d53a7SEvalZero BT_DBG("PDU (len %u) %s", buf->om_len, bt_hex(buf->om_data, buf->om_len));
606*042d53a7SEvalZero
607*042d53a7SEvalZero #if (MYNEWT_VAL(BLE_MESH_PROXY))
608*042d53a7SEvalZero if (proxy) {
609*042d53a7SEvalZero create_proxy_nonce(nonce, buf->om_data, iv_index);
610*042d53a7SEvalZero } else {
611*042d53a7SEvalZero create_net_nonce(nonce, buf->om_data, iv_index);
612*042d53a7SEvalZero }
613*042d53a7SEvalZero #else
614*042d53a7SEvalZero create_net_nonce(nonce, buf->om_data, iv_index);
615*042d53a7SEvalZero #endif
616*042d53a7SEvalZero
617*042d53a7SEvalZero BT_DBG("Nonce %s", bt_hex(nonce, 13));
618*042d53a7SEvalZero
619*042d53a7SEvalZero err = bt_mesh_ccm_encrypt(key, nonce, &buf->om_data[7], buf->om_len - 7,
620*042d53a7SEvalZero NULL, 0, &buf->om_data[7], mic_len);
621*042d53a7SEvalZero if (!err) {
622*042d53a7SEvalZero net_buf_simple_add(buf, mic_len);
623*042d53a7SEvalZero }
624*042d53a7SEvalZero
625*042d53a7SEvalZero return err;
626*042d53a7SEvalZero }
627*042d53a7SEvalZero
bt_mesh_net_decrypt(const u8_t key[16],struct os_mbuf * buf,u32_t iv_index,bool proxy)628*042d53a7SEvalZero int bt_mesh_net_decrypt(const u8_t key[16], struct os_mbuf *buf,
629*042d53a7SEvalZero u32_t iv_index, bool proxy)
630*042d53a7SEvalZero {
631*042d53a7SEvalZero u8_t mic_len = NET_MIC_LEN(buf->om_data);
632*042d53a7SEvalZero u8_t nonce[13];
633*042d53a7SEvalZero
634*042d53a7SEvalZero BT_DBG("PDU (%u bytes) %s", buf->om_len, bt_hex(buf->om_data, buf->om_len));
635*042d53a7SEvalZero BT_DBG("iv_index %u, key %s mic_len %u", iv_index, bt_hex(key, 16),
636*042d53a7SEvalZero mic_len);
637*042d53a7SEvalZero
638*042d53a7SEvalZero #if (MYNEWT_VAL(BLE_MESH_PROXY))
639*042d53a7SEvalZero if (proxy) {
640*042d53a7SEvalZero create_proxy_nonce(nonce, buf->om_data, iv_index);
641*042d53a7SEvalZero } else {
642*042d53a7SEvalZero create_net_nonce(nonce, buf->om_data, iv_index);
643*042d53a7SEvalZero }
644*042d53a7SEvalZero #else
645*042d53a7SEvalZero create_net_nonce(nonce, buf->om_data, iv_index);
646*042d53a7SEvalZero #endif
647*042d53a7SEvalZero
648*042d53a7SEvalZero BT_DBG("Nonce %s", bt_hex(nonce, 13));
649*042d53a7SEvalZero
650*042d53a7SEvalZero buf->om_len -= mic_len;
651*042d53a7SEvalZero
652*042d53a7SEvalZero return bt_mesh_ccm_decrypt(key, nonce, &buf->om_data[7], buf->om_len - 7,
653*042d53a7SEvalZero NULL, 0, &buf->om_data[7], mic_len);
654*042d53a7SEvalZero }
655*042d53a7SEvalZero
create_app_nonce(u8_t nonce[13],bool dev_key,u8_t aszmic,u16_t src,u16_t dst,u32_t seq_num,u32_t iv_index)656*042d53a7SEvalZero static void create_app_nonce(u8_t nonce[13], bool dev_key, u8_t aszmic,
657*042d53a7SEvalZero u16_t src, u16_t dst, u32_t seq_num,
658*042d53a7SEvalZero u32_t iv_index)
659*042d53a7SEvalZero {
660*042d53a7SEvalZero if (dev_key) {
661*042d53a7SEvalZero nonce[0] = 0x02;
662*042d53a7SEvalZero } else {
663*042d53a7SEvalZero nonce[0] = 0x01;
664*042d53a7SEvalZero }
665*042d53a7SEvalZero
666*042d53a7SEvalZero sys_put_be32((seq_num | ((u32_t)aszmic << 31)), &nonce[1]);
667*042d53a7SEvalZero
668*042d53a7SEvalZero sys_put_be16(src, &nonce[5]);
669*042d53a7SEvalZero sys_put_be16(dst, &nonce[7]);
670*042d53a7SEvalZero
671*042d53a7SEvalZero sys_put_be32(iv_index, &nonce[9]);
672*042d53a7SEvalZero }
673*042d53a7SEvalZero
bt_mesh_app_encrypt(const u8_t key[16],bool dev_key,u8_t aszmic,struct os_mbuf * buf,const u8_t * ad,u16_t src,u16_t dst,u32_t seq_num,u32_t iv_index)674*042d53a7SEvalZero int bt_mesh_app_encrypt(const u8_t key[16], bool dev_key, u8_t aszmic,
675*042d53a7SEvalZero struct os_mbuf *buf, const u8_t *ad,
676*042d53a7SEvalZero u16_t src, u16_t dst, u32_t seq_num, u32_t iv_index)
677*042d53a7SEvalZero {
678*042d53a7SEvalZero u8_t nonce[13];
679*042d53a7SEvalZero int err;
680*042d53a7SEvalZero
681*042d53a7SEvalZero BT_DBG("AppKey %s", bt_hex(key, 16));
682*042d53a7SEvalZero BT_DBG("dev_key %u src 0x%04x dst 0x%04x", dev_key, src, dst);
683*042d53a7SEvalZero BT_DBG("seq_num 0x%08x iv_index 0x%08x", seq_num, iv_index);
684*042d53a7SEvalZero BT_DBG("Clear: %s", bt_hex(buf->om_data, buf->om_len));
685*042d53a7SEvalZero
686*042d53a7SEvalZero create_app_nonce(nonce, dev_key, aszmic, src, dst, seq_num, iv_index);
687*042d53a7SEvalZero
688*042d53a7SEvalZero BT_DBG("Nonce %s", bt_hex(nonce, 13));
689*042d53a7SEvalZero
690*042d53a7SEvalZero err = bt_mesh_ccm_encrypt(key, nonce, buf->om_data, buf->om_len, ad,
691*042d53a7SEvalZero ad ? 16 : 0, buf->om_data, APP_MIC_LEN(aszmic));
692*042d53a7SEvalZero if (!err) {
693*042d53a7SEvalZero net_buf_simple_add(buf, APP_MIC_LEN(aszmic));
694*042d53a7SEvalZero BT_DBG("Encr: %s", bt_hex(buf->om_data, buf->om_len));
695*042d53a7SEvalZero }
696*042d53a7SEvalZero
697*042d53a7SEvalZero return err;
698*042d53a7SEvalZero }
699*042d53a7SEvalZero
bt_mesh_app_decrypt(const u8_t key[16],bool dev_key,u8_t aszmic,struct os_mbuf * buf,struct os_mbuf * out,const u8_t * ad,u16_t src,u16_t dst,u32_t seq_num,u32_t iv_index)700*042d53a7SEvalZero int bt_mesh_app_decrypt(const u8_t key[16], bool dev_key, u8_t aszmic,
701*042d53a7SEvalZero struct os_mbuf *buf, struct os_mbuf *out,
702*042d53a7SEvalZero const u8_t *ad, u16_t src, u16_t dst, u32_t seq_num,
703*042d53a7SEvalZero u32_t iv_index)
704*042d53a7SEvalZero {
705*042d53a7SEvalZero u8_t nonce[13];
706*042d53a7SEvalZero int err;
707*042d53a7SEvalZero
708*042d53a7SEvalZero BT_DBG("EncData (len %u) %s", buf->om_len, bt_hex(buf->om_data, buf->om_len));
709*042d53a7SEvalZero
710*042d53a7SEvalZero create_app_nonce(nonce, dev_key, aszmic, src, dst, seq_num, iv_index);
711*042d53a7SEvalZero
712*042d53a7SEvalZero BT_DBG("AppKey %s", bt_hex(key, 16));
713*042d53a7SEvalZero BT_DBG("Nonce %s", bt_hex(nonce, 13));
714*042d53a7SEvalZero
715*042d53a7SEvalZero err = bt_mesh_ccm_decrypt(key, nonce, buf->om_data, buf->om_len, ad,
716*042d53a7SEvalZero ad ? 16 : 0, out->om_data, APP_MIC_LEN(aszmic));
717*042d53a7SEvalZero if (!err) {
718*042d53a7SEvalZero net_buf_simple_add(out, buf->om_len);
719*042d53a7SEvalZero }
720*042d53a7SEvalZero
721*042d53a7SEvalZero return err;
722*042d53a7SEvalZero }
723*042d53a7SEvalZero
724*042d53a7SEvalZero /* reversed, 8-bit, poly=0x07 */
725*042d53a7SEvalZero static const u8_t crc_table[256] = {
726*042d53a7SEvalZero 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
727*042d53a7SEvalZero 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
728*042d53a7SEvalZero 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
729*042d53a7SEvalZero 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
730*042d53a7SEvalZero
731*042d53a7SEvalZero 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
732*042d53a7SEvalZero 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
733*042d53a7SEvalZero 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
734*042d53a7SEvalZero 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
735*042d53a7SEvalZero
736*042d53a7SEvalZero 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
737*042d53a7SEvalZero 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
738*042d53a7SEvalZero 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
739*042d53a7SEvalZero 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
740*042d53a7SEvalZero
741*042d53a7SEvalZero 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
742*042d53a7SEvalZero 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
743*042d53a7SEvalZero 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
744*042d53a7SEvalZero 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
745*042d53a7SEvalZero
746*042d53a7SEvalZero 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
747*042d53a7SEvalZero 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
748*042d53a7SEvalZero 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
749*042d53a7SEvalZero 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
750*042d53a7SEvalZero
751*042d53a7SEvalZero 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
752*042d53a7SEvalZero 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
753*042d53a7SEvalZero 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
754*042d53a7SEvalZero 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
755*042d53a7SEvalZero
756*042d53a7SEvalZero 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
757*042d53a7SEvalZero 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
758*042d53a7SEvalZero 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
759*042d53a7SEvalZero 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
760*042d53a7SEvalZero
761*042d53a7SEvalZero 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
762*042d53a7SEvalZero 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
763*042d53a7SEvalZero 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
764*042d53a7SEvalZero 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
765*042d53a7SEvalZero };
766*042d53a7SEvalZero
bt_mesh_fcs_calc(const u8_t * data,u8_t data_len)767*042d53a7SEvalZero u8_t bt_mesh_fcs_calc(const u8_t *data, u8_t data_len)
768*042d53a7SEvalZero {
769*042d53a7SEvalZero u8_t fcs = 0xff;
770*042d53a7SEvalZero
771*042d53a7SEvalZero while (data_len--) {
772*042d53a7SEvalZero fcs = crc_table[fcs ^ *data++];
773*042d53a7SEvalZero }
774*042d53a7SEvalZero
775*042d53a7SEvalZero BT_DBG("fcs 0x%02x", 0xff - fcs);
776*042d53a7SEvalZero
777*042d53a7SEvalZero return 0xff - fcs;
778*042d53a7SEvalZero }
779*042d53a7SEvalZero
bt_mesh_fcs_check(struct os_mbuf * buf,u8_t received_fcs)780*042d53a7SEvalZero bool bt_mesh_fcs_check(struct os_mbuf *buf, u8_t received_fcs)
781*042d53a7SEvalZero {
782*042d53a7SEvalZero const u8_t *data = buf->om_data;
783*042d53a7SEvalZero u16_t data_len = buf->om_len;
784*042d53a7SEvalZero u8_t fcs = 0xff;
785*042d53a7SEvalZero
786*042d53a7SEvalZero while (data_len--) {
787*042d53a7SEvalZero fcs = crc_table[fcs ^ *data++];
788*042d53a7SEvalZero }
789*042d53a7SEvalZero
790*042d53a7SEvalZero return crc_table[fcs ^ received_fcs] == 0xcf;
791*042d53a7SEvalZero }
792*042d53a7SEvalZero
bt_mesh_virtual_addr(const u8_t virtual_label[16],u16_t * addr)793*042d53a7SEvalZero int bt_mesh_virtual_addr(const u8_t virtual_label[16], u16_t *addr)
794*042d53a7SEvalZero {
795*042d53a7SEvalZero u8_t salt[16];
796*042d53a7SEvalZero u8_t tmp[16];
797*042d53a7SEvalZero int err;
798*042d53a7SEvalZero
799*042d53a7SEvalZero err = bt_mesh_s1("vtad", salt);
800*042d53a7SEvalZero if (err) {
801*042d53a7SEvalZero return err;
802*042d53a7SEvalZero }
803*042d53a7SEvalZero
804*042d53a7SEvalZero err = bt_mesh_aes_cmac_one(salt, virtual_label, 16, tmp);
805*042d53a7SEvalZero if (err) {
806*042d53a7SEvalZero return err;
807*042d53a7SEvalZero }
808*042d53a7SEvalZero
809*042d53a7SEvalZero *addr = (sys_get_be16(&tmp[14]) & 0x3fff) | 0x8000;
810*042d53a7SEvalZero
811*042d53a7SEvalZero return 0;
812*042d53a7SEvalZero }
813*042d53a7SEvalZero
bt_mesh_prov_conf_salt(const u8_t conf_inputs[145],u8_t salt[16])814*042d53a7SEvalZero int bt_mesh_prov_conf_salt(const u8_t conf_inputs[145], u8_t salt[16])
815*042d53a7SEvalZero {
816*042d53a7SEvalZero const u8_t conf_salt_key[16] = { 0 };
817*042d53a7SEvalZero
818*042d53a7SEvalZero return bt_mesh_aes_cmac_one(conf_salt_key, conf_inputs, 145, salt);
819*042d53a7SEvalZero }
820*042d53a7SEvalZero
bt_mesh_prov_conf_key(const u8_t dhkey[32],const u8_t conf_salt[16],u8_t conf_key[16])821*042d53a7SEvalZero int bt_mesh_prov_conf_key(const u8_t dhkey[32], const u8_t conf_salt[16],
822*042d53a7SEvalZero u8_t conf_key[16])
823*042d53a7SEvalZero {
824*042d53a7SEvalZero return bt_mesh_k1(dhkey, 32, conf_salt, "prck", conf_key);
825*042d53a7SEvalZero }
826*042d53a7SEvalZero
bt_mesh_prov_conf(const u8_t conf_key[16],const u8_t rand[16],const u8_t auth[16],u8_t conf[16])827*042d53a7SEvalZero int bt_mesh_prov_conf(const u8_t conf_key[16], const u8_t rand[16],
828*042d53a7SEvalZero const u8_t auth[16], u8_t conf[16])
829*042d53a7SEvalZero {
830*042d53a7SEvalZero struct bt_mesh_sg sg[] = { { rand, 16 }, { auth, 16 } };
831*042d53a7SEvalZero
832*042d53a7SEvalZero BT_DBG("ConfirmationKey %s", bt_hex(conf_key, 16));
833*042d53a7SEvalZero BT_DBG("RandomDevice %s", bt_hex(rand, 16));
834*042d53a7SEvalZero BT_DBG("AuthValue %s", bt_hex(auth, 16));
835*042d53a7SEvalZero
836*042d53a7SEvalZero return bt_mesh_aes_cmac(conf_key, sg, ARRAY_SIZE(sg), conf);
837*042d53a7SEvalZero }
838*042d53a7SEvalZero
bt_mesh_prov_decrypt(const u8_t key[16],u8_t nonce[13],const u8_t data[25+8],u8_t out[25])839*042d53a7SEvalZero int bt_mesh_prov_decrypt(const u8_t key[16], u8_t nonce[13],
840*042d53a7SEvalZero const u8_t data[25 + 8], u8_t out[25])
841*042d53a7SEvalZero {
842*042d53a7SEvalZero return bt_mesh_ccm_decrypt(key, nonce, data, 25, NULL, 0, out, 8);
843*042d53a7SEvalZero }
844*042d53a7SEvalZero
bt_mesh_beacon_auth(const u8_t beacon_key[16],u8_t flags,const u8_t net_id[8],u32_t iv_index,u8_t auth[8])845*042d53a7SEvalZero int bt_mesh_beacon_auth(const u8_t beacon_key[16], u8_t flags,
846*042d53a7SEvalZero const u8_t net_id[8], u32_t iv_index,
847*042d53a7SEvalZero u8_t auth[8])
848*042d53a7SEvalZero {
849*042d53a7SEvalZero u8_t msg[13], tmp[16];
850*042d53a7SEvalZero int err;
851*042d53a7SEvalZero
852*042d53a7SEvalZero BT_DBG("BeaconKey %s", bt_hex(beacon_key, 16));
853*042d53a7SEvalZero BT_DBG("NetId %s", bt_hex(net_id, 8));
854*042d53a7SEvalZero BT_DBG("IV Index 0x%08x", iv_index);
855*042d53a7SEvalZero
856*042d53a7SEvalZero msg[0] = flags;
857*042d53a7SEvalZero memcpy(&msg[1], net_id, 8);
858*042d53a7SEvalZero sys_put_be32(iv_index, &msg[9]);
859*042d53a7SEvalZero
860*042d53a7SEvalZero BT_DBG("BeaconMsg %s", bt_hex(msg, sizeof(msg)));
861*042d53a7SEvalZero
862*042d53a7SEvalZero err = bt_mesh_aes_cmac_one(beacon_key, msg, sizeof(msg), tmp);
863*042d53a7SEvalZero if (!err) {
864*042d53a7SEvalZero memcpy(auth, tmp, 8);
865*042d53a7SEvalZero }
866*042d53a7SEvalZero
867*042d53a7SEvalZero return err;
868*042d53a7SEvalZero }
869