test: Bluetooth: Mesh: test replay attack on ble mesh rpc

The test checks the resistance of ble mesh stack to replay attack.
Replay protection cache shall store seqAuth last frames.
Device shall filter out such messages on the transport layer.
Power on\off sequence shouldn't impact that
since replay protection cache is stored in settings subsystem.

Signed-off-by: Aleksandr Khromykh <[email protected]>

Author: alxelax

tests/bluetooth/bsim_bt/bsim_test_mesh/CMakeLists.txt

@@ -21,6 +21,7 @@ if(CONFIG_SETTINGS)
  target_sources(app PRIVATE
   src/settings_test_backend.c
   src/test_persistence.c
+  src/test_replay_cache.c
  )
 else()
  target_sources(app PRIVATE

tests/bluetooth/bsim_bt/bsim_test_mesh/prj_pst.conf

@@ -48,5 +48,6 @@ CONFIG_BT_MESH_PROV_DEVICE=y
 CONFIG_BT_MESH_CDB=y
 CONFIG_BT_MESH_CDB_NODE_COUNT=3
 CONFIG_BT_MESH_GATT_PROXY=y
+CONFIG_BT_MESH_TX_SEG_RETRANS_COUNT=1
 
 CONFIG_BT_MESH_DEBUG=y

tests/bluetooth/bsim_bt/bsim_test_mesh/src/main.c

@@ -9,6 +9,7 @@
 
 #if defined(CONFIG_SETTINGS)
 extern struct bst_test_list *test_persistence_install(struct bst_test_list *tests);
+extern struct bst_test_list *test_rpc_install(struct bst_test_list *tests);
 #else
 extern struct bst_test_list *test_transport_install(struct bst_test_list *tests);
 extern struct bst_test_list *test_friendship_install(struct bst_test_list *tests);
@@ -20,6 +21,7 @@ extern struct bst_test_list *test_scanner_install(struct bst_test_list *test);
 bst_test_install_t test_installers[] = {
 #if defined(CONFIG_SETTINGS)
 	test_persistence_install,
+	test_rpc_install,
 #else
 	test_transport_install,
 	test_friendship_install,

tests/bluetooth/bsim_bt/bsim_test_mesh/src/mesh_test.c

@@ -20,11 +20,12 @@ static K_MEM_SLAB_DEFINE(msg_pool, sizeof(struct bt_mesh_test_msg),
 static K_QUEUE_DEFINE(recv);
 struct bt_mesh_test_stats test_stats;
 struct bt_mesh_msg_ctx test_send_ctx;
+static void (*ra_cb)(uint8_t *, size_t);
 
 static int msg_rx(struct bt_mesh_model *mod, struct bt_mesh_msg_ctx *ctx,
 		   struct net_buf_simple *buf)
 {
-	size_t len = buf->len + BT_MESH_MODEL_OP_LEN(TEST_MSG_OP);
+	size_t len = buf->len + BT_MESH_MODEL_OP_LEN(TEST_MSG_OP_1);
 	static uint8_t prev_seq;
 	struct bt_mesh_test_msg *msg;
 	uint8_t seq = 0;
@@ -69,8 +70,25 @@ static int msg_rx(struct bt_mesh_model *mod, struct bt_mesh_msg_ctx *ctx,
 	return 0;
 }
 
+static int ra_rx(struct bt_mesh_model *mod, struct bt_mesh_msg_ctx *ctx,
+		 struct net_buf_simple *buf)
+{
+	LOG_INF("\tlen: %d bytes", buf->len);
+	LOG_INF("\tsrc: 0x%04x", ctx->addr);
+	LOG_INF("\tdst: 0x%04x", ctx->recv_dst);
+	LOG_INF("\tttl: %u", ctx->recv_ttl);
+	LOG_INF("\trssi: %d", ctx->recv_rssi);
+
+	if (ra_cb) {
+		ra_cb(net_buf_simple_pull_mem(buf, buf->len), buf->len);
+	}
+
+	return 0;
+}
+
 static const struct bt_mesh_model_op model_op[] = {
-	{ TEST_MSG_OP, 0, msg_rx },
+	{ TEST_MSG_OP_1, 0, msg_rx },
+	{ TEST_MSG_OP_2, 0, ra_rx },
 };
 
 int __weak test_model_pub_update(struct bt_mesh_model *mod)
@@ -164,8 +182,16 @@ static void bt_enabled(void)
 		return;
 	}
 
+	if (IS_ENABLED(CONFIG_BT_SETTINGS)) {
+		LOG_INF("Loading stored settings");
+		settings_load();
+	}
+
 	err = bt_mesh_provision(test_net_key, 0, 0, 0, cfg->addr, cfg->dev_key);
-	if (err) {
+	if (err == -EALREADY) {
+		LOG_INF("Using stored settings");
+		return;
+	} else if (err) {
 		FAIL("Provisioning failed (err %d)", err);
 		return;
 	}
@@ -327,15 +353,15 @@ int bt_mesh_test_send_async(uint16_t addr, size_t len,
 	test_send_ctx.send_rel = (flags & FORCE_SEGMENTATION);
 	test_send_ctx.send_ttl = BT_MESH_TTL_DEFAULT;
 
-	BT_MESH_MODEL_BUF_DEFINE(buf, TEST_MSG_OP, BT_MESH_TX_SDU_MAX);
-	bt_mesh_model_msg_init(&buf, TEST_MSG_OP);
+	BT_MESH_MODEL_BUF_DEFINE(buf, TEST_MSG_OP_1, BT_MESH_TX_SDU_MAX);
+	bt_mesh_model_msg_init(&buf, TEST_MSG_OP_1);
 
-	if (len > BT_MESH_MODEL_OP_LEN(TEST_MSG_OP)) {
+	if (len > BT_MESH_MODEL_OP_LEN(TEST_MSG_OP_1)) {
 		net_buf_simple_add_u8(&buf, count);
 	}
 
 	/* Subtract the length of the opcode and the sequence ID */
-	for (int i = 1; i < len - BT_MESH_MODEL_OP_LEN(TEST_MSG_OP); i++) {
+	for (int i = 1; i < len - BT_MESH_MODEL_OP_LEN(TEST_MSG_OP_1); i++) {
 		net_buf_simple_add_u8(&buf, i);
 	}
 
@@ -395,3 +421,32 @@ int bt_mesh_test_send(uint16_t addr, size_t len,
 
 	return 0;
 }
+
+int bt_mesh_test_send_ra(uint16_t addr, uint8_t *data, size_t len,
+			 const struct bt_mesh_send_cb *send_cb,
+			 void *cb_data)
+{
+	int err;
+
+	test_send_ctx.addr = addr;
+	test_send_ctx.send_rel = 0;
+	test_send_ctx.send_ttl = BT_MESH_TTL_DEFAULT;
+
+	BT_MESH_MODEL_BUF_DEFINE(buf, TEST_MSG_OP_2, BT_MESH_TX_SDU_MAX);
+	bt_mesh_model_msg_init(&buf, TEST_MSG_OP_2);
+
+	net_buf_simple_add_mem(&buf, data, len);
+
+	err = bt_mesh_model_send(test_model, &test_send_ctx, &buf, send_cb, cb_data);
+	if (err) {
+		LOG_ERR("bt_mesh_model_send failed (err: %d)", err);
+		return err;
+	}
+
+	return 0;
+}
+
+void bt_mesh_test_ra_cb_setup(void (*cb)(uint8_t *, size_t))
+{
+	ra_cb = cb;
+}

tests/bluetooth/bsim_bt/bsim_test_mesh/src/mesh_test.h

@@ -26,7 +26,8 @@
 #include <bluetooth/mesh.h>
 
 #define TEST_MOD_ID 0x8888
-#define TEST_MSG_OP BT_MESH_MODEL_OP_1(0x0f)
+#define TEST_MSG_OP_1  BT_MESH_MODEL_OP_1(0x0f)
+#define TEST_MSG_OP_2  BT_MESH_MODEL_OP_1(0x10)
 
 #define TEST_VND_COMPANY_ID 0x1234
 #define TEST_VND_MOD_ID   0x5678
@@ -120,4 +121,8 @@ int bt_mesh_test_send_async(uint16_t addr, size_t len,
 			    enum bt_mesh_test_send_flags flags,
 			    const struct bt_mesh_send_cb *send_cb,
 			    void *cb_data);
+int bt_mesh_test_send_ra(uint16_t addr, uint8_t *data, size_t len,
+			 const struct bt_mesh_send_cb *send_cb,
+			 void *cb_data);
+void bt_mesh_test_ra_cb_setup(void (*cb)(uint8_t *, size_t));
 #endif /* ZEPHYR_TESTS_BLUETOOTH_BSIM_BT_BSIM_TEST_MESH_MESH_TEST_H_ */

tests/bluetooth/bsim_bt/bsim_test_mesh/src/test_persistence.c

@@ -207,7 +207,7 @@ static void test_args_parse(int argc, char *argv[])
 		},
 	};
 
-	bs_args_parse_all_cmd_line(argc, argv, &args_struct);
+	bs_args_parse_all_cmd_line(argc, argv, args_struct);
 }
 
 static void check_mod_pub_params(struct bt_mesh_cfg_mod_pub *expected,

tests/bluetooth/bsim_bt/bsim_test_mesh/src/test_replay_cache.c

@@ -0,0 +1,217 @@
+/*
+ * Copyright (c) 2021 Nordic Semiconductor
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+#include "mesh_test.h"
+#include "settings_test_backend.h"
+#include "mesh/mesh.h"
+#include "mesh/net.h"
+
+#define LOG_MODULE_NAME test_rpc
+
+#include <logging/log.h>
+LOG_MODULE_REGISTER(LOG_MODULE_NAME, LOG_LEVEL_INF);
+
+#define WAIT_TIME 60 /*seconds*/
+#define TEST_DATA_WAITING_TIME 5 /* seconds */
+#define TEST_DATA_SIZE 20
+
+static const struct bt_mesh_test_cfg tx_cfg = {
+	.addr = 0x0001,
+	.dev_key = { 0x01 },
+};
+static const struct bt_mesh_test_cfg rx_cfg = {
+	.addr = 0x0002,
+	.dev_key = { 0x02 },
+};
+
+static uint8_t test_data[TEST_DATA_SIZE];
+static uint8_t rx_cnt;
+static bool is_tx_succeeded;
+
+static void test_tx_init(void)
+{
+	bt_mesh_test_cfg_set(&tx_cfg, WAIT_TIME);
+}
+
+static void test_rx_init(void)
+{
+	bt_mesh_test_cfg_set(&rx_cfg, WAIT_TIME);
+}
+
+static void tx_started(uint16_t dur, int err, void *data)
+{
+	if (err) {
+		FAIL("Couldn't start sending (err: %d)", err);
+	}
+
+	LOG_INF("Sending started");
+}
+
+static void tx_ended(int err, void *data)
+{
+	struct k_sem *sem = data;
+
+	if (err) {
+		is_tx_succeeded = false;
+		LOG_INF("Sending failed (%d)", err);
+	} else {
+		is_tx_succeeded = true;
+		LOG_INF("Sending succeeded");
+	}
+
+	k_sem_give(sem);
+}
+
+static void rx_ended(uint8_t *data, size_t len)
+{
+	memset(test_data, rx_cnt++, sizeof(test_data));
+
+	if (memcmp(test_data, data, len)) {
+		FAIL("Unexpected rx data");
+	}
+
+	LOG_INF("Receiving succeeded");
+}
+
+static void test_tx_immediate_replay_attack(void)
+{
+	settings_test_backend_clear();
+	bt_mesh_test_setup();
+
+	static const struct bt_mesh_send_cb send_cb = {
+		.start = tx_started,
+		.end = tx_ended,
+	};
+	struct k_sem sem;
+
+	k_sem_init(&sem, 0, 1);
+
+	uint32_t seq = bt_mesh.seq;
+
+	for (int i = 0; i < 3; i++) {
+		is_tx_succeeded = false;
+
+		memset(test_data, i, sizeof(test_data));
+		ASSERT_OK(bt_mesh_test_send_ra(rx_cfg.addr, test_data,
+			sizeof(test_data), &send_cb, &sem));
+
+		if (k_sem_take(&sem, K_SECONDS(TEST_DATA_WAITING_TIME))) {
+			LOG_ERR("Send timed out");
+		}
+
+		ASSERT_TRUE(is_tx_succeeded);
+	}
+
+	bt_mesh.seq = seq;
+
+	for (int i = 0; i < 3; i++) {
+		is_tx_succeeded = true;
+
+		memset(test_data, i, sizeof(test_data));
+		ASSERT_OK(bt_mesh_test_send_ra(rx_cfg.addr, test_data,
+			sizeof(test_data), &send_cb, &sem));
+
+		if (k_sem_take(&sem, K_SECONDS(TEST_DATA_WAITING_TIME))) {
+			LOG_ERR("Send timed out");
+		}
+
+		ASSERT_TRUE(!is_tx_succeeded);
+	}
+
+	PASS();
+}
+
+static void test_rx_immediate_replay_attack(void)
+{
+	settings_test_backend_clear();
+	bt_mesh_test_setup();
+	bt_mesh_test_ra_cb_setup(rx_ended);
+
+	k_sleep(K_SECONDS(6 * TEST_DATA_WAITING_TIME));
+
+	ASSERT_TRUE(rx_cnt == 3, "Device didn't receive expected data");
+
+	PASS();
+}
+
+static void test_tx_power_replay_attack(void)
+{
+	settings_test_backend_clear();
+	bt_mesh_test_setup();
+
+	static const struct bt_mesh_send_cb send_cb = {
+		.start = tx_started,
+		.end = tx_ended,
+	};
+	struct k_sem sem;
+
+	k_sem_init(&sem, 0, 1);
+
+	for (int i = 0; i < 3; i++) {
+		is_tx_succeeded = true;
+
+		memset(test_data, i, sizeof(test_data));
+		ASSERT_OK(bt_mesh_test_send_ra(rx_cfg.addr, test_data,
+			sizeof(test_data), &send_cb, &sem));
+
+		if (k_sem_take(&sem, K_SECONDS(TEST_DATA_WAITING_TIME))) {
+			LOG_ERR("Send timed out");
+		}
+
+		ASSERT_TRUE(!is_tx_succeeded);
+	}
+
+	for (int i = 0; i < 3; i++) {
+		is_tx_succeeded = false;
+
+		memset(test_data, i, sizeof(test_data));
+		ASSERT_OK(bt_mesh_test_send_ra(rx_cfg.addr, test_data,
+			sizeof(test_data), &send_cb, &sem));
+
+		if (k_sem_take(&sem, K_SECONDS(TEST_DATA_WAITING_TIME))) {
+			LOG_ERR("Send timed out");
+		}
+
+		ASSERT_TRUE(is_tx_succeeded);
+	}
+
+	PASS();
+}
+
+static void test_rx_power_replay_attack(void)
+{
+	bt_mesh_test_setup();
+	bt_mesh_test_ra_cb_setup(rx_ended);
+
+	k_sleep(K_SECONDS(6 * TEST_DATA_WAITING_TIME));
+
+	ASSERT_TRUE(rx_cnt == 3, "Device didn't receive expected data");
+
+	PASS();
+}
+
+#define TEST_CASE(role, name, description)                     \
+	{                                                      \
+		.test_id = "rpc_" #role "_" #name,             \
+		.test_descr = description,                     \
+		.test_post_init_f = test_##role##_init,        \
+		.test_tick_f = bt_mesh_test_timeout,           \
+		.test_main_f = test_##role##_##name,           \
+	}
+
+static const struct bst_test_instance test_rpc[] = {
+	TEST_CASE(tx, immediate_replay_attack, "RPC: perform replay attack immediately"),
+	TEST_CASE(tx, power_replay_attack,     "RPC: perform replay attack after power cycle"),
+
+	TEST_CASE(rx, immediate_replay_attack, "RPC: device under immediate attack"),
+	TEST_CASE(rx, power_replay_attack,     "RPC: device under power cycle reply attack"),
+	BSTEST_END_MARKER
+};
+
+struct bst_test_list *test_rpc_install(struct bst_test_list *tests)
+{
+	tests = bst_add_tests(tests, test_rpc);
+	return tests;
+}