Re: [PR] host/sm: Add CSIS SIRK encryption [mynewt-nimble]

via GitHub Fri, 06 Oct 2023 11:38:32 -0700


andrzej-kaczmarek commented on code in PR #1635:
URL: https://github.com/apache/mynewt-nimble/pull/1635#discussion_r1349186071



##########
nimble/host/src/ble_sm_alg.c:
##########
@@ -418,6 +418,139 @@ ble_sm_alg_g2(const uint8_t *u, const uint8_t *v, const 
uint8_t *x,
     return 0;
 }
 
+int
+ble_sm_alg_csis_k1(const uint8_t *n, size_t n_len, const uint8_t *salt,
+                   const uint8_t *p, size_t p_len, uint8_t *out)
+{
+    int rc;
+    uint8_t t[16] = {0};
+    uint8_t salt_be[16] = {0};
+    uint8_t n_be[16] = {0};
+
+    /* XXX: Spec does not specify the maximum N and P parameters length.
+     * We assume that 16 bytes is enough and return error if passed len value 
is greater
+     * than that */
+    if ((n_len > 16) || (p_len > 16)) {
+        return BLE_HS_EUNKNOWN;

Review Comment:
   einval



##########
nimble/host/src/ble_sm.c:
##########
@@ -2910,4 +2910,109 @@ ble_sm_create_chan(uint16_t conn_handle)
     return chan;
 }
 
+#if MYNEWT_VAL(BLE_SM_SC)
+int
+ble_sm_csis_decrypt_sirk(const uint8_t *ltk, const uint8_t *enc_sirk, uint8_t 
*out)
+{
+    int rc;
+
+    /* Decrypt SIRK with sdf(K, EncSIRK)  */
+    rc = ble_sm_alg_csis_sdf(ltk, enc_sirk, out);
+
+    return rc;
+}
+
+int
+ble_sm_csis_resolve_rsi(ble_addr_t peer_addr, uint8_t *rsi,
+                        uint8_t *sirk, bool is_encrypted)
+{
+    struct ble_store_key_sec key_sec;
+    struct ble_store_value_sec value_sec;
+
+    uint8_t plaintext_sirk[16] = {0};
+    uint8_t local_hash[3] = {0};
+    uint8_t prand[3] = {0};
+    uint8_t hash[3] = {0};
+    int rc;
+
+    memset(&key_sec, 0, sizeof(key_sec));
+    key_sec.peer_addr.type = peer_addr.type;
+    memcpy(key_sec.peer_addr.val, peer_addr.val, 6);
+
+    rc = ble_store_read_peer_sec(&key_sec, &value_sec);
+    if (rc != 0) {
+        return rc;
+    } else if (!value_sec.ltk_present) {
+        return BLE_HS_ENOENT;
+    }
+
+    memcpy(hash, rsi, 3);
+    memcpy(prand, rsi + 3, 3);
+
+    if (is_encrypted) {
+        rc = ble_sm_csis_decrypt_sirk(value_sec.ltk, sirk, plaintext_sirk);
+        if (rc != 0) {
+            return rc;
+        }
+    } else {
+        memcpy(plaintext_sirk, sirk, 16);
+    }
+
+    rc = ble_sm_alg_csis_sih(plaintext_sirk, prand, local_hash);
+    if (rc != 0) {
+        return rc;
+    }
+
+    if (memcmp(local_hash, hash, 3) == 0) {
+        return 0;
+    } else {
+        return BLE_HS_EAUTHEN;
+    }
+}
+
+int
+ble_sm_csis_encrypt_sirk(const uint8_t *ltk, const uint8_t *plaintext_sirk, 
uint8_t *out)
+{
+    int rc;
+
+    /* Encrypt SIRK with sef(K, SIRK) */
+    rc = ble_sm_alg_csis_sef(ltk, plaintext_sirk, out);
+
+    return rc;
+}
+
+int
+ble_sm_csis_generate_rsi(const uint8_t *sirk, uint8_t *out)
+{
+    const uint8_t prand_check_all_set[3] = {0xff, 0xff, 0xef};
+    const uint8_t prand_check_all_reset[3] = {0x0, 0x0, 0x40};
+    uint8_t prand[3] = {0};
+    uint8_t hash[3] = {0};
+    int rc;
+
+    do {
+        rc = ble_hs_hci_rand(prand, 3);
+        if (rc != 0) {
+            return rc;
+        }
+        /* Two MSBs of prand shall be equal to 0 and 1 */
+        prand[2] &= ~(0x80);

Review Comment:
   nitpick: `&= ~0xc0` -> we want to change 2 bits so clear 2 bits, we write it 
like this in code that calculates rpa



##########
nimble/host/include/host/ble_sm.h:
##########
@@ -111,6 +113,8 @@ struct ble_sm_io {
 };
 
 int ble_sm_sc_oob_generate_data(struct ble_sm_sc_oob_data *oob_data);
+int ble_sm_csis_resolve_rsi(ble_addr_t peer_addr, uint8_t *rsi,

Review Comment:
   ble_addr_t *peer_addr
   const uint8_t *rsi
   const uint8_t *sirk



##########
nimble/host/src/ble_sm.c:
##########
@@ -2910,4 +2910,109 @@ ble_sm_create_chan(uint16_t conn_handle)
     return chan;
 }
 
+#if MYNEWT_VAL(BLE_SM_SC)
+int
+ble_sm_csis_decrypt_sirk(const uint8_t *ltk, const uint8_t *enc_sirk, uint8_t 
*out)
+{
+    int rc;
+
+    /* Decrypt SIRK with sdf(K, EncSIRK)  */
+    rc = ble_sm_alg_csis_sdf(ltk, enc_sirk, out);
+
+    return rc;
+}
+
+int
+ble_sm_csis_resolve_rsi(ble_addr_t peer_addr, uint8_t *rsi,
+                        uint8_t *sirk, bool is_encrypted)
+{
+    struct ble_store_key_sec key_sec;
+    struct ble_store_value_sec value_sec;
+
+    uint8_t plaintext_sirk[16] = {0};
+    uint8_t local_hash[3] = {0};
+    uint8_t prand[3] = {0};
+    uint8_t hash[3] = {0};
+    int rc;
+
+    memset(&key_sec, 0, sizeof(key_sec));
+    key_sec.peer_addr.type = peer_addr.type;
+    memcpy(key_sec.peer_addr.val, peer_addr.val, 6);

Review Comment:
   `key_sec.peer_addr = peer_addr`



##########
nimble/host/src/ble_sm.c:
##########
@@ -2910,4 +2910,109 @@ ble_sm_create_chan(uint16_t conn_handle)
     return chan;
 }
 
+#if MYNEWT_VAL(BLE_SM_SC)
+int
+ble_sm_csis_decrypt_sirk(const uint8_t *ltk, const uint8_t *enc_sirk, uint8_t 
*out)
+{
+    int rc;
+
+    /* Decrypt SIRK with sdf(K, EncSIRK)  */
+    rc = ble_sm_alg_csis_sdf(ltk, enc_sirk, out);
+
+    return rc;
+}
+
+int
+ble_sm_csis_resolve_rsi(ble_addr_t peer_addr, uint8_t *rsi,
+                        uint8_t *sirk, bool is_encrypted)
+{
+    struct ble_store_key_sec key_sec;
+    struct ble_store_value_sec value_sec;
+
+    uint8_t plaintext_sirk[16] = {0};
+    uint8_t local_hash[3] = {0};
+    uint8_t prand[3] = {0};
+    uint8_t hash[3] = {0};
+    int rc;
+
+    memset(&key_sec, 0, sizeof(key_sec));
+    key_sec.peer_addr.type = peer_addr.type;
+    memcpy(key_sec.peer_addr.val, peer_addr.val, 6);
+
+    rc = ble_store_read_peer_sec(&key_sec, &value_sec);
+    if (rc != 0) {
+        return rc;
+    } else if (!value_sec.ltk_present) {
+        return BLE_HS_ENOENT;
+    }
+
+    memcpy(hash, rsi, 3);
+    memcpy(prand, rsi + 3, 3);
+
+    if (is_encrypted) {
+        rc = ble_sm_csis_decrypt_sirk(value_sec.ltk, sirk, plaintext_sirk);
+        if (rc != 0) {
+            return rc;
+        }
+    } else {
+        memcpy(plaintext_sirk, sirk, 16);
+    }
+
+    rc = ble_sm_alg_csis_sih(plaintext_sirk, prand, local_hash);
+    if (rc != 0) {
+        return rc;
+    }
+
+    if (memcmp(local_hash, hash, 3) == 0) {

Review Comment:
   better write this as:
   ```c
   if (memcmp(local_hash, hash, 3)) {
       return BLE_HS_EAUTHEN;
   }
   
   return 0;
   ```
   
   this way return value in case of success is at the very end of function as 
expected



##########
nimble/host/src/ble_sm.c:
##########
@@ -2910,4 +2910,109 @@ ble_sm_create_chan(uint16_t conn_handle)
     return chan;
 }
 
+#if MYNEWT_VAL(BLE_SM_SC)

Review Comment:
   I'd add `BLE_SM_CSIS_SIRK` to enable everything related to handling CSIS 
SIRK and move this to `ble_sm_csis.c`
   
   also mark syscfg as experimental since we may want to move it to some place 
more appropriate and rename in future with addition of le audio code.



##########
nimble/host/src/ble_sm_alg.c:
##########
@@ -418,6 +418,139 @@ ble_sm_alg_g2(const uint8_t *u, const uint8_t *v, const 
uint8_t *x,
     return 0;
 }
 
+int
+ble_sm_alg_csis_k1(const uint8_t *n, size_t n_len, const uint8_t *salt,
+                   const uint8_t *p, size_t p_len, uint8_t *out)
+{
+    int rc;
+    uint8_t t[16] = {0};
+    uint8_t salt_be[16] = {0};
+    uint8_t n_be[16] = {0};
+
+    /* XXX: Spec does not specify the maximum N and P parameters length.
+     * We assume that 16 bytes is enough and return error if passed len value 
is greater
+     * than that */
+    if ((n_len > 16) || (p_len > 16)) {
+        return BLE_HS_EUNKNOWN;
+    }
+
+    swap_buf(salt_be, salt, 16);
+    swap_buf(n_be, n, n_len);
+
+    /* T = AES-CMAC_SALT (N) */
+    rc = ble_sm_alg_aes_cmac(salt_be, n_be, n_len, t);
+    if (rc != 0) {
+        return rc;
+    }
+
+    /* AES-CMAC_T (P) */
+    rc = ble_sm_alg_aes_cmac(t, p, p_len, out);
+    if (rc != 0) {
+        return rc;
+    }
+
+    swap_in_place(out, 16);
+
+    return 0;
+}
+
+int
+ble_sm_alg_csis_s1(const uint8_t *m, size_t m_len, uint8_t *out)
+{
+    int rc;
+    uint8_t k_zero[16] = {0};
+
+    /* XXX: Spec does not specify the maximum M parameter length.
+     * We assume that 16 bytes is enough and return error if passed len value 
is greater
+     * than that */
+    if (m_len > 16) {
+        return BLE_HS_EUNKNOWN;

Review Comment:
   einval



##########
nimble/host/src/ble_sm.c:
##########
@@ -2910,4 +2910,109 @@ ble_sm_create_chan(uint16_t conn_handle)
     return chan;
 }
 
+#if MYNEWT_VAL(BLE_SM_SC)
+int
+ble_sm_csis_decrypt_sirk(const uint8_t *ltk, const uint8_t *enc_sirk, uint8_t 
*out)
+{
+    int rc;
+
+    /* Decrypt SIRK with sdf(K, EncSIRK)  */
+    rc = ble_sm_alg_csis_sdf(ltk, enc_sirk, out);
+
+    return rc;
+}
+
+int
+ble_sm_csis_resolve_rsi(ble_addr_t peer_addr, uint8_t *rsi,
+                        uint8_t *sirk, bool is_encrypted)
+{
+    struct ble_store_key_sec key_sec;
+    struct ble_store_value_sec value_sec;
+
+    uint8_t plaintext_sirk[16] = {0};
+    uint8_t local_hash[3] = {0};
+    uint8_t prand[3] = {0};
+    uint8_t hash[3] = {0};
+    int rc;
+
+    memset(&key_sec, 0, sizeof(key_sec));
+    key_sec.peer_addr.type = peer_addr.type;
+    memcpy(key_sec.peer_addr.val, peer_addr.val, 6);
+
+    rc = ble_store_read_peer_sec(&key_sec, &value_sec);
+    if (rc != 0) {
+        return rc;
+    } else if (!value_sec.ltk_present) {
+        return BLE_HS_ENOENT;
+    }

Review Comment:
   this should be only done if sirk is encrypted



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscr...@mynewt.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Re: [PR] host/sm: Add CSIS SIRK encryption [mynewt-nimble]

Reply via email to