Blob: crypto.c
Blob id: 43d7f7c5c4b7b6d5a29c52bec275f4636842de24
Size: 21.9 KB
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 | // SPDX-License-Identifier: LGPL-2.1-or-later /* * * BlueZ - Bluetooth protocol stack for Linux * * Copyright (C) 2012-2014 Intel Corporation. All rights reserved. * * */ #ifdef HAVE_CONFIG_H #include <config.h> #endif #include <fcntl.h> #include <unistd.h> #include <string.h> #include <sys/socket.h> #include "src/shared/util.h" #include "src/shared/crypto.h" #ifndef HAVE_LINUX_IF_ALG_H #ifndef HAVE_LINUX_TYPES_H typedef uint8_t __u8; typedef uint16_t __u16; typedef uint32_t __u32; #else #include <linux/types.h> #endif struct sockaddr_alg { __u16 salg_family; __u8 salg_type[14]; __u32 salg_feat; __u32 salg_mask; __u8 salg_name[64]; }; struct af_alg_iv { __u32 ivlen; __u8 iv[0]; }; #define ALG_SET_KEY 1 #define ALG_SET_IV 2 #define ALG_SET_OP 3 #define ALG_OP_DECRYPT 0 #define ALG_OP_ENCRYPT 1 #define PF_ALG 38 /* Algorithm sockets. */ #define AF_ALG PF_ALG #else #include <linux/if_alg.h> #endif #ifndef SOL_ALG #define SOL_ALG 279 #endif /* Maximum message length that can be passed to aes_cmac */ #define CMAC_MSG_MAX 80 #define ATT_SIGN_LEN 12 struct bt_crypto { int ref_count; int ecb_aes; int urandom; int cmac_aes; }; static int urandom_setup(void) { int fd; fd = open("/dev/urandom", O_RDONLY); if (fd < 0) return -1; return fd; } static int ecb_aes_setup(void) { struct sockaddr_alg salg; int fd; fd = socket(PF_ALG, SOCK_SEQPACKET | SOCK_CLOEXEC, 0); if (fd < 0) return -1; memset(&salg, 0, sizeof(salg)); salg.salg_family = AF_ALG; strcpy((char *) salg.salg_type, "skcipher"); strcpy((char *) salg.salg_name, "ecb(aes)"); if (bind(fd, (struct sockaddr *) &salg, sizeof(salg)) < 0) { close(fd); return -1; } return fd; } static int cmac_aes_setup(void) { struct sockaddr_alg salg; int fd; fd = socket(PF_ALG, SOCK_SEQPACKET | SOCK_CLOEXEC, 0); if (fd < 0) return -1; memset(&salg, 0, sizeof(salg)); salg.salg_family = AF_ALG; strcpy((char *) salg.salg_type, "hash"); strcpy((char *) salg.salg_name, "cmac(aes)"); if (bind(fd, (struct sockaddr *) &salg, sizeof(salg)) < 0) { close(fd); return -1; } return fd; } static struct bt_crypto *singleton; struct bt_crypto *bt_crypto_new(void) { if (singleton) return bt_crypto_ref(singleton); singleton = new0(struct bt_crypto, 1); singleton->ecb_aes = ecb_aes_setup(); if (singleton->ecb_aes < 0) { free(singleton); singleton = NULL; return NULL; } singleton->urandom = urandom_setup(); if (singleton->urandom < 0) { close(singleton->ecb_aes); free(singleton); singleton = NULL; return NULL; } singleton->cmac_aes = cmac_aes_setup(); if (singleton->cmac_aes < 0) { close(singleton->urandom); close(singleton->ecb_aes); free(singleton); singleton = NULL; return NULL; } return bt_crypto_ref(singleton); } struct bt_crypto *bt_crypto_ref(struct bt_crypto *crypto) { if (!crypto) return NULL; __sync_fetch_and_add(&crypto->ref_count, 1); return crypto; } void bt_crypto_unref(struct bt_crypto *crypto) { if (!crypto) return; if (__sync_sub_and_fetch(&crypto->ref_count, 1)) return; close(crypto->urandom); close(crypto->ecb_aes); close(crypto->cmac_aes); free(crypto); singleton = NULL; } bool bt_crypto_random_bytes(struct bt_crypto *crypto, void *buf, uint8_t num_bytes) { ssize_t len; if (!crypto) return false; len = read(crypto->urandom, buf, num_bytes); if (len < num_bytes) return false; return true; } static int alg_new(int fd, const void *keyval, socklen_t keylen) { if (setsockopt(fd, SOL_ALG, ALG_SET_KEY, keyval, keylen) < 0) return -1; /* FIXME: This should use accept4() with SOCK_CLOEXEC */ return accept(fd, NULL, 0); } static bool alg_encrypt(int fd, const void *inbuf, size_t inlen, void *outbuf, size_t outlen) { __u32 alg_op = ALG_OP_ENCRYPT; char cbuf[CMSG_SPACE(sizeof(alg_op))]; struct cmsghdr *cmsg; struct msghdr msg; struct iovec iov; ssize_t len; memset(cbuf, 0, sizeof(cbuf)); memset(&msg, 0, sizeof(msg)); msg.msg_control = cbuf; msg.msg_controllen = sizeof(cbuf); cmsg = CMSG_FIRSTHDR(&msg); cmsg->cmsg_level = SOL_ALG; cmsg->cmsg_type = ALG_SET_OP; cmsg->cmsg_len = CMSG_LEN(sizeof(alg_op)); memcpy(CMSG_DATA(cmsg), &alg_op, sizeof(alg_op)); iov.iov_base = (void *) inbuf; iov.iov_len = inlen; msg.msg_iov = &iov; msg.msg_iovlen = 1; len = sendmsg(fd, &msg, 0); if (len < 0) return false; len = read(fd, outbuf, outlen); if (len < 0) return false; return true; } static inline void swap_buf(const uint8_t *src, uint8_t *dst, uint16_t len) { int i; for (i = 0; i < len; i++) dst[len - 1 - i] = src[i]; } bool bt_crypto_sign_att(struct bt_crypto *crypto, const uint8_t key[16], const uint8_t *m, uint16_t m_len, uint32_t sign_cnt, uint8_t signature[ATT_SIGN_LEN]) { int fd; int len; uint8_t tmp[16], out[16]; uint16_t msg_len = m_len + sizeof(uint32_t); uint8_t msg[msg_len]; uint8_t msg_s[msg_len]; if (!crypto) return false; memset(msg, 0, msg_len); memcpy(msg, m, m_len); /* Add sign_counter to the message */ put_le32(sign_cnt, msg + m_len); /* The most significant octet of key corresponds to key[0] */ swap_buf(key, tmp, 16); fd = alg_new(crypto->cmac_aes, tmp, 16); if (fd < 0) return false; /* Swap msg before signing */ swap_buf(msg, msg_s, msg_len); len = send(fd, msg_s, msg_len, 0); if (len < 0) { close(fd); return false; } len = read(fd, out, 16); if (len < 0) { close(fd); return false; } close(fd); /* * As to BT spec. 4.1 Vol[3], Part C, chapter 10.4.1 sign counter should * be placed in the signature */ put_be32(sign_cnt, out + 8); /* * The most significant octet of hash corresponds to out[0] - swap it. * Then truncate in most significant bit first order to a length of * 12 octets */ swap_buf(out, tmp, 16); memcpy(signature, tmp + 4, ATT_SIGN_LEN); return true; } bool bt_crypto_verify_att_sign(struct bt_crypto *crypto, const uint8_t key[16], const uint8_t *pdu, uint16_t pdu_len) { uint8_t generated_sign[ATT_SIGN_LEN]; const uint8_t *sign; uint32_t sign_cnt; if (pdu_len < ATT_SIGN_LEN) return false; sign = pdu + pdu_len - ATT_SIGN_LEN; sign_cnt = get_le32(sign); if (!bt_crypto_sign_att(crypto, key, pdu, pdu_len - ATT_SIGN_LEN, sign_cnt, generated_sign)) return false; return memcmp(generated_sign, sign, ATT_SIGN_LEN) == 0; } /* * Security function e * * Security function e generates 128-bit encryptedData from a 128-bit key * and 128-bit plaintextData using the AES-128-bit block cypher: * * encryptedData = e(key, plaintextData) * * The most significant octet of key corresponds to key[0], the most * significant octet of plaintextData corresponds to in[0] and the * most significant octet of encryptedData corresponds to out[0]. * */ bool bt_crypto_e(struct bt_crypto *crypto, const uint8_t key[16], const uint8_t plaintext[16], uint8_t encrypted[16]) { uint8_t tmp[16], in[16], out[16]; int fd; if (!crypto) return false; /* The most significant octet of key corresponds to key[0] */ swap_buf(key, tmp, 16); fd = alg_new(crypto->ecb_aes, tmp, 16); if (fd < 0) return false; /* Most significant octet of plaintextData corresponds to in[0] */ swap_buf(plaintext, in, 16); if (!alg_encrypt(fd, in, 16, out, 16)) { close(fd); return false; } /* Most significant octet of encryptedData corresponds to out[0] */ swap_buf(out, encrypted, 16); close(fd); return true; } /* * Random Address Hash function ah * * The random address hash function ah is used to generate a hash value * that is used in resolvable private addresses. * * The following are inputs to the random address hash function ah: * * k is 128 bits * r is 24 bits * padding is 104 bits * * r is concatenated with padding to generate r' which is used as the * 128-bit input parameter plaintextData to security function e: * * r' = padding || r * * The least significant octet of r becomes the least significant octet * of r’ and the most significant octet of padding becomes the most * significant octet of r'. * * For example, if the 24-bit value r is 0x423456 then r' is * 0x00000000000000000000000000423456. * * The output of the random address function ah is: * * ah(k, r) = e(k, r') mod 2^24 * * The output of the security function e is then truncated to 24 bits by * taking the least significant 24 bits of the output of e as the result * of ah. */ bool bt_crypto_ah(struct bt_crypto *crypto, const uint8_t k[16], const uint8_t r[3], uint8_t hash[3]) { uint8_t rp[16]; uint8_t encrypted[16]; if (!crypto) return false; /* r' = padding || r */ memcpy(rp, r, 3); memset(rp + 3, 0, 13); /* e(k, r') */ if (!bt_crypto_e(crypto, k, rp, encrypted)) return false; /* ah(k, r) = e(k, r') mod 2^24 */ memcpy(hash, encrypted, 3); return true; } typedef struct { uint64_t a, b; } u128; static inline void u128_xor(const uint8_t p[16], const uint8_t q[16], uint8_t r[16]) { u128 pp, qq, rr; memcpy(&pp, p, 16); memcpy(&qq, q, 16); rr.a = pp.a ^ qq.a; rr.b = pp.b ^ qq.b; memcpy(r, &rr, 16); } /* * Confirm value generation function c1 * * During the pairing process confirm values are exchanged. This confirm * value generation function c1 is used to generate the confirm values. * * The following are inputs to the confirm value generation function c1: * * k is 128 bits * r is 128 bits * pres is 56 bits * preq is 56 bits * iat is 1 bit * ia is 48 bits * rat is 1 bit * ra is 48 bits * padding is 32 bits of 0 * * iat is concatenated with 7-bits of 0 to create iat' which is 8 bits * in length. iat is the least significant bit of iat' * * rat is concatenated with 7-bits of 0 to create rat' which is 8 bits * in length. rat is the least significant bit of rat' * * pres, preq, rat' and iat' are concatenated to generate p1 which is * XORed with r and used as 128-bit input parameter plaintextData to * security function e: * * p1 = pres || preq || rat' || iat' * * The octet of iat' becomes the least significant octet of p1 and the * most significant octet of pres becomes the most significant octet of * p1. * * ra is concatenated with ia and padding to generate p2 which is XORed * with the result of the security function e using p1 as the input * parameter plaintextData and is then used as the 128-bit input * parameter plaintextData to security function e: * * p2 = padding || ia || ra * * The least significant octet of ra becomes the least significant octet * of p2 and the most significant octet of padding becomes the most * significant octet of p2. * * The output of the confirm value generation function c1 is: * * c1(k, r, preq, pres, iat, rat, ia, ra) = e(k, e(k, r XOR p1) XOR p2) * * The 128-bit output of the security function e is used as the result * of confirm value generation function c1. */ bool bt_crypto_c1(struct bt_crypto *crypto, const uint8_t k[16], const uint8_t r[16], const uint8_t pres[7], const uint8_t preq[7], uint8_t iat, const uint8_t ia[6], uint8_t rat, const uint8_t ra[6], uint8_t res[16]) { uint8_t p1[16], p2[16]; /* p1 = pres || preq || _rat || _iat */ p1[0] = iat; p1[1] = rat; memcpy(p1 + 2, preq, 7); memcpy(p1 + 9, pres, 7); /* p2 = padding || ia || ra */ memcpy(p2, ra, 6); memcpy(p2 + 6, ia, 6); memset(p2 + 12, 0, 4); /* res = r XOR p1 */ u128_xor(r, p1, res); /* res = e(k, res) */ if (!bt_crypto_e(crypto, k, res, res)) return false; /* res = res XOR p2 */ u128_xor(res, p2, res); /* res = e(k, res) */ return bt_crypto_e(crypto, k, res, res); } /* * Key generation function s1 * * The key generation function s1 is used to generate the STK during the * pairing process. * * The following are inputs to the key generation function s1: * * k is 128 bits * r1 is 128 bits * r2 is 128 bits * * The most significant 64-bits of r1 are discarded to generate r1' and * the most significant 64-bits of r2 are discarded to generate r2'. * * r1' is concatenated with r2' to generate r' which is used as the * 128-bit input parameter plaintextData to security function e: * * r' = r1' || r2' * * The least significant octet of r2' becomes the least significant * octet of r' and the most significant octet of r1' becomes the most * significant octet of r'. * * The output of the key generation function s1 is: * * s1(k, r1, r2) = e(k, r') * * The 128-bit output of the security function e is used as the result * of key generation function s1. */ bool bt_crypto_s1(struct bt_crypto *crypto, const uint8_t k[16], const uint8_t r1[16], const uint8_t r2[16], uint8_t res[16]) { memcpy(res, r2, 8); memcpy(res + 8, r1, 8); return bt_crypto_e(crypto, k, res, res); } static bool aes_cmac_be(struct bt_crypto *crypto, const uint8_t key[16], const uint8_t *msg, size_t msg_len, uint8_t res[16]) { ssize_t len; int fd; if (msg_len > CMAC_MSG_MAX) return false; fd = alg_new(crypto->cmac_aes, key, 16); if (fd < 0) return false; len = send(fd, msg, msg_len, 0); if (len < 0) { close(fd); return false; } len = read(fd, res, 16); if (len < 0) { close(fd); return false; } close(fd); return true; } static bool aes_cmac(struct bt_crypto *crypto, const uint8_t key[16], const uint8_t *msg, size_t msg_len, uint8_t res[16]) { uint8_t key_msb[16], out[16], msg_msb[CMAC_MSG_MAX]; if (msg_len > CMAC_MSG_MAX) return false; swap_buf(key, key_msb, 16); swap_buf(msg, msg_msb, msg_len); if (!aes_cmac_be(crypto, key_msb, msg_msb, msg_len, out)) return false; swap_buf(out, res, 16); return true; } bool bt_crypto_f4(struct bt_crypto *crypto, uint8_t u[32], uint8_t v[32], uint8_t x[16], uint8_t z, uint8_t res[16]) { uint8_t m[65]; if (!crypto) return false; m[0] = z; memcpy(&m[1], v, 32); memcpy(&m[33], u, 32); return aes_cmac(crypto, x, m, sizeof(m), res); } bool bt_crypto_f5(struct bt_crypto *crypto, uint8_t w[32], uint8_t n1[16], uint8_t n2[16], uint8_t a1[7], uint8_t a2[7], uint8_t mackey[16], uint8_t ltk[16]) { uint8_t btle[4] = { 0x65, 0x6c, 0x74, 0x62 }; uint8_t salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60, 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c }; uint8_t length[2] = { 0x00, 0x01 }; uint8_t m[53], t[16]; if (!aes_cmac(crypto, salt, w, 32, t)) return false; memcpy(&m[0], length, 2); memcpy(&m[2], a2, 7); memcpy(&m[9], a1, 7); memcpy(&m[16], n2, 16); memcpy(&m[32], n1, 16); memcpy(&m[48], btle, 4); m[52] = 0; /* Counter */ if (!aes_cmac(crypto, t, m, sizeof(m), mackey)) return false; m[52] = 1; /* Counter */ return aes_cmac(crypto, t, m, sizeof(m), ltk); } bool bt_crypto_f6(struct bt_crypto *crypto, uint8_t w[16], uint8_t n1[16], uint8_t n2[16], uint8_t r[16], uint8_t io_cap[3], uint8_t a1[7], uint8_t a2[7], uint8_t res[16]) { uint8_t m[65]; memcpy(&m[0], a2, 7); memcpy(&m[7], a1, 7); memcpy(&m[14], io_cap, 3); memcpy(&m[17], r, 16); memcpy(&m[33], n2, 16); memcpy(&m[49], n1, 16); return aes_cmac(crypto, w, m, sizeof(m), res); } bool bt_crypto_g2(struct bt_crypto *crypto, uint8_t u[32], uint8_t v[32], uint8_t x[16], uint8_t y[16], uint32_t *val) { uint8_t m[80], tmp[16]; memcpy(&m[0], y, 16); memcpy(&m[16], v, 32); memcpy(&m[48], u, 32); if (!aes_cmac(crypto, x, m, sizeof(m), tmp)) return false; *val = get_le32(tmp); *val %= 1000000; return true; } bool bt_crypto_h6(struct bt_crypto *crypto, const uint8_t w[16], const uint8_t keyid[4], uint8_t res[16]) { if (!aes_cmac(crypto, w, keyid, 4, res)) return false; return true; } bool bt_crypto_gatt_hash(struct bt_crypto *crypto, struct iovec *iov, size_t iov_len, uint8_t res[16]) { const uint8_t key[16] = {}; ssize_t len; int fd; if (!crypto) return false; fd = alg_new(crypto->cmac_aes, key, 16); if (fd < 0) return false; len = writev(fd, iov, iov_len); if (len < 0) { close(fd); return false; } len = read(fd, res, 16); if (len < 0) { close(fd); return false; } close(fd); return true; } /* * Resolvable Set Identifier hash function sih * * The RSI hash function sih is used to generate a hash value that is used in * RSIs. * * The following variables are the inputs to the RSI hash function sih: * * k is 128 bits * r is 24 bits * padding is 104 bits, all set to 0 * * r is concatenated with padding to generate r', which is used as the 128-bit * input parameter plaintextData to security function e: * * r'=padding||r * * The LSO of r becomes the LSO of r', and the MSO of padding becomes the MSO * of r'. * * For example, if the 24-bit value r is 0x3A98B5, then r' is * 0x000000000000000000000000003A98B5. * * The output of the Resolvable Set Identifier function sih is: * * sih(k, r)=e(k, r') mod 2^24 * * The output of the security function e is truncated to 24 bits by taking the * least significant 24 bits of the output of e as the result of sih. */ bool bt_crypto_sih(struct bt_crypto *crypto, const uint8_t k[16], const uint8_t r[3], uint8_t hash[3]) { return bt_crypto_ah(crypto, k, r, hash); } static bool aes_cmac_zero(struct bt_crypto *crypto, const uint8_t *msg, size_t msg_len, uint8_t res[16]) { const uint8_t zero[16] = {}; return aes_cmac_be(crypto, zero, msg, msg_len, res); } /* The inputs to function s1 are: * * M is a non-zero length octet array or ASCII encoded string * * If M is an ASCII encoded string, M shall be converted into an integer number * by replacing each string character with its ASCII code preserving the order. * For example, if M is the string “CSIS”, M is converted into the integer * number: 0x4353 4953. * * ZERO is the 128-bit value: * * 0x0000 0000 0000 0000 0000 0000 0000 0000 * * The output of the salt generation function s1 shall be calculated as follows: * * s1(M)=AES‐CMACZERO(M) * * Where AES-CMACZERO is the CMAC function defined in Section 4.2. */ static bool sef_s1(struct bt_crypto *crypto, const uint8_t *m, size_t m_len, uint8_t res[16]) { /* s1(M)=AES‐CMACZERO(M) */ return aes_cmac_zero(crypto, m, m_len, res); } /* The key derivation function k1 is used to derive a key. The derived key is * used to encrypt and decrypt the value of the Set Identity Resolving Key * characteristic (see Section 5.1). * * The definition of this key generation function uses the MAC function * AES-CMACT with a 128-bit key T. * * The inputs to function k1 are: * * N is 0 or more octets * * SALT is 128 bits * * P is 0 or more octets * * The key (T) shall be computed as follows: * * T=AES‐CMACSALT(N) * * Where AES-CMACSALT is the CMAC function defined in Section 4.2. * * The output of the key generation function k1 shall be calculated as follows: * * k1(N, SALT, P)=AES‐CMACT(P) * * Where AES-CMACT is the CMAC function defined in Section 4.2. */ static bool sef_k1(struct bt_crypto *crypto, const uint8_t n[16], uint8_t salt[16], const uint8_t *p, size_t p_len, uint8_t res[16]) { uint8_t res1[16]; /* T=AES‐CMACSALT(N) */ if (!aes_cmac_be(crypto, salt, n, 16, res1)) return false; /* k1(N, SALT, P)=AES‐CMACT(P) */ return aes_cmac_be(crypto, res1, p, p_len, res); } /* * SIRK encryption function sef * * The SIRK encryption function sef shall be used by the server to encrypt the * SIRK with a key K. The value of K depends on the transport on which the Set * Identity Resolving Key characteristic is read or notified. * * If the Set Identity Resolving Key characteristic is read or notified on the * Basic Rate/Enhanced Data Rate (BR/EDR) transport, K shall be equal to the * Link Key shared by the server and the client. * * K=LinkKey * * If the Set Identity Resolving Key characteristic is read or notified on the * Bluetooth Low Energy (LE) transport, K shall be equal to the LTK shared by * the server and client. That is, * * K=LTK * * The inputs to the function sef are: * * K is the key defined above in this section * * SIRK is the value of the SIRK to be encrypted * * The output of the SIRK encryption function sef is as follows: * * sef(K, SIRK)=k1(K, s1(“SIRKenc”), “csis”)^SIRK * * Where ^ is the bitwise exclusive or operation. */ bool bt_crypto_sef(struct bt_crypto *crypto, const uint8_t k[16], const uint8_t sirk[16], uint8_t out[16]) { const uint8_t m[] = {'S', 'I', 'R', 'K', 'e', 'n', 'c'}; const uint8_t p[] = {'c', 's', 'i', 's'}; uint8_t k_msb[16]; uint8_t salt[16]; uint8_t res_msb[16]; uint8_t res[16]; if (!crypto) return false; /* salt = s1(“SIRKenc”) */ if (!sef_s1(crypto, m, sizeof(m), salt)) return false; /* Convert K to MSB/BE format */ swap_buf(k, k_msb, 16); /* res_msb = k1(K, salt, “csis”) */ if (!sef_k1(crypto, k_msb, salt, p, sizeof(p), res_msb)) return false; /* Convert back to LSB/LE format */ swap_buf(res_msb, res, 16); /* res^SIRK */ u128_xor(res, sirk, out); return true; } /* Generates a SIRK from a string using the following steps: * - Generate a hash (k) using the str as input * - Generate a hash (sirk) using vendor, product, version and source as input * - Encrypt sirk using k as LTK with sef function. */ bool bt_crypto_sirk(struct bt_crypto *crypto, const char *str, uint16_t vendor, uint16_t product, uint16_t version, uint16_t source, uint8_t sirk[16]) { struct iovec iov[4]; uint8_t k[16]; uint8_t sirk_plaintext[16]; if (!crypto) return false; iov[0].iov_base = (void *)str; iov[0].iov_len = strlen(str); /* Generate a k using the str as input */ if (!bt_crypto_gatt_hash(crypto, iov, 1, k)) return false; iov[0].iov_base = &vendor; iov[0].iov_len = sizeof(vendor); iov[1].iov_base = &product; iov[1].iov_len = sizeof(product); iov[2].iov_base = &version; iov[2].iov_len = sizeof(version); iov[3].iov_base = &source; iov[3].iov_len = sizeof(source); /* Generate a sirk using vendor, product, version and source as input */ if (!bt_crypto_gatt_hash(crypto, iov, 4, sirk_plaintext)) return false; /* Encrypt sirk using k as LTK with sef function */ return bt_crypto_sef(crypto, k, sirk_plaintext, sirk); } |