Bluetooth: Host: fix aes ccm authentication

alxelax · carlescufi · commit 0aa0913ca5d6 · 2022-05-03T09:37:17.000+02:00
Bluetooth Host calculated authentication value correctly only
for data smaller than 255 bytes. If data is larger then
authentication transformation used wrong flags.
Since the issue was symmetric two Zephyr
based devices were able to understand each other. Hence,
other devices like Android or IOS smartphones weren't able
to authenticate large frames and broke communication.

Signed-off-by: Aleksandr Khromykh &lt;aleksandr.khromykh@nordicsemi.no&gt;
diff --git a/subsys/bluetooth/host/aes_ccm.c b/subsys/bluetooth/host/aes_ccm.c
@@ -35,9 +35,9 @@ static inline void xor16(uint8_t *dst, const uint8_t *a, const uint8_t *b)
 	dst[15] = a[15] ^ b[15];
 }
 
-/* pmsg is assumed to have the nonce already present in bytes 1-13 */
+/* b field is assumed to have the nonce already present in bytes 1-13 */
 static int ccm_calculate_X0(const uint8_t key[16], const uint8_t *aad, uint8_t aad_len,
-			    size_t mic_size, uint8_t msg_len, uint8_t b[16],
+			    size_t mic_size, uint16_t msg_len, uint8_t b[16],
 			    uint8_t X0[16])
 {
 	int i, j, err;
@@ -95,7 +95,7 @@ static int ccm_calculate_X0(const uint8_t key[16], const uint8_t *aad, uint8_t a
 }
 
 static int ccm_auth(const uint8_t key[16], uint8_t nonce[13],
-		    const uint8_t *cleartext_msg, size_t msg_len, const uint8_t *aad,
+		    const uint8_t *cleartext_msg, uint16_t msg_len, const uint8_t *aad,
 		    size_t aad_len, uint8_t *mic, size_t mic_size)
 {
 	uint8_t b[16], Xn[16], s0[16];
@@ -148,7 +148,7 @@ static int ccm_auth(const uint8_t key[16], uint8_t nonce[13],
 }
 
 static int ccm_crypt(const uint8_t key[16], const uint8_t nonce[13],
-		     const uint8_t *in_msg, uint8_t *out_msg, size_t msg_len)
+		     const uint8_t *in_msg, uint8_t *out_msg, uint16_t msg_len)
 {
 	uint8_t a_i[16], s_i[16];
 	uint16_t last_blk, blk_cnt;
@@ -192,7 +192,7 @@ int bt_ccm_decrypt(const uint8_t key[16], uint8_t nonce[13],
 {
 	uint8_t mic[16];
 
-	if (aad_len >= 0xff00 || mic_size > sizeof(mic)) {
+	if (aad_len >= 0xff00 || mic_size > sizeof(mic) || len > UINT16_MAX) {
 		return -EINVAL;
 	}
 
@@ -219,7 +219,7 @@ int bt_ccm_encrypt(const uint8_t key[16], uint8_t nonce[13],
 	BT_DBG("aad_len %zu mic_size %zu", aad_len, mic_size);
 
 	/* Unsupported AAD size */
-	if (aad_len >= 0xff00 || mic_size > 16) {
+	if (aad_len >= 0xff00 || mic_size > 16 || len > UINT16_MAX) {
 		return -EINVAL;
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -35,9 +35,9 @@ static inline void xor16(uint8_t dst, const uint8_t a, const uint8_t *b)`
`35`	`35`	`dst[15] = a[15] ^ b[15];`
`36`	`36`	`}`
`37`	`37`
`38`		`-/* pmsg is assumed to have the nonce already present in bytes 1-13 */`
	`38`	`+/* b field is assumed to have the nonce already present in bytes 1-13 */`
`39`	`39`	`static int ccm_calculate_X0(const uint8_t key[16], const uint8_t *aad, uint8_t aad_len,`
`40`		`- size_t mic_size, uint8_t msg_len, uint8_t b[16],`
	`40`	`+ size_t mic_size, uint16_t msg_len, uint8_t b[16],`
`41`	`41`	`uint8_t X0[16])`
`42`	`42`	`{`
`43`	`43`	`int i, j, err;`
`@@ -95,7 +95,7 @@ static int ccm_calculate_X0(const uint8_t key[16], const uint8_t *aad, uint8_t a`
`95`	`95`	`}`
`96`	`96`
`97`	`97`	`static int ccm_auth(const uint8_t key[16], uint8_t nonce[13],`
`98`		`- const uint8_t cleartext_msg, size_t msg_len, const uint8_t aad,`
	`98`	`+ const uint8_t cleartext_msg, uint16_t msg_len, const uint8_t aad,`
`99`	`99`	`size_t aad_len, uint8_t *mic, size_t mic_size)`
`100`	`100`	`{`
`101`	`101`	`uint8_t b[16], Xn[16], s0[16];`
`@@ -148,7 +148,7 @@ static int ccm_auth(const uint8_t key[16], uint8_t nonce[13],`
`148`	`148`	`}`
`149`	`149`
`150`	`150`	`static int ccm_crypt(const uint8_t key[16], const uint8_t nonce[13],`
`151`		`- const uint8_t in_msg, uint8_t out_msg, size_t msg_len)`
	`151`	`+ const uint8_t in_msg, uint8_t out_msg, uint16_t msg_len)`
`152`	`152`	`{`
`153`	`153`	`uint8_t a_i[16], s_i[16];`
`154`	`154`	`uint16_t last_blk, blk_cnt;`
`@@ -192,7 +192,7 @@ int bt_ccm_decrypt(const uint8_t key[16], uint8_t nonce[13],`
`192`	`192`	`{`
`193`	`193`	`uint8_t mic[16];`
`194`	`194`
`195`		`- if (aad_len >= 0xff00 \|\| mic_size > sizeof(mic)) {`
	`195`	`+ if (aad_len >= 0xff00 \|\| mic_size > sizeof(mic) \|\| len > UINT16_MAX) {`
`196`	`196`	`return -EINVAL;`
`197`	`197`	`}`
`198`	`198`
`@@ -219,7 +219,7 @@ int bt_ccm_encrypt(const uint8_t key[16], uint8_t nonce[13],`
`219`	`219`	`BT_DBG("aad_len %zu mic_size %zu", aad_len, mic_size);`
`220`	`220`
`221`	`221`	`/* Unsupported AAD size */`
`222`		`- if (aad_len >= 0xff00 \|\| mic_size > 16) {`
	`222`	`+ if (aad_len >= 0xff00 \|\| mic_size > 16 \|\| len > UINT16_MAX) {`
`223`	`223`	`return -EINVAL;`
`224`	`224`	`}`
`225`	`225`