Bluetooth: Fix endianness of cryptographic toolbox function h8

cvinayak · aescolar · commit cc1f937d6192 · 2023-01-26T13:25:11.000+01:00
Convert endianness of supplied parameters before calculating the AES-CMAC. Bluetooth stores values in little-endian and crypto traditionally operates on big-endian storage. Relates to commit e9c542a ("Bluetooth: Add the cryptographic toolbox function h8"). Signed-off-by: Vinayak Kariappa Chettimada <vich@nordicsemi.no>
diff --git a/subsys/bluetooth/crypto/bt_crypto.c b/subsys/bluetooth/crypto/bt_crypto.c
@@ -261,18 +261,34 @@ int bt_crypto_h7(const uint8_t salt[16], const uint8_t w[16], uint8_t res[16])
 
 int bt_crypto_h8(const uint8_t k[16], const uint8_t s[16], const uint8_t key_id[4], uint8_t res[16])
 {
+	uint8_t key_id_s[4];
+	uint8_t iks[16];
+	uint8_t ks[16];
+	uint8_t ss[16];
 	int err;
-	uint8_t ik[16];
 
-	err = bt_crypto_aes_cmac(s, k, 16, ik);
+	LOG_DBG("k %s", bt_hex(k, 16));
+	LOG_DBG("s %s", bt_hex(s, 16));
+	LOG_DBG("key_id %s", bt_hex(key_id, 4));
+
+	sys_memcpy_swap(ks, k, 16);
+	sys_memcpy_swap(ss, s, 16);
+
+	err = bt_crypto_aes_cmac(ss, ks, 16, iks);
 	if (err) {
 		return err;
 	}
 
-	err = bt_crypto_aes_cmac(ik, key_id, 4, res);
+	sys_memcpy_swap(key_id_s, key_id, 4);
+
+	err = bt_crypto_aes_cmac(iks, key_id_s, 4, res);
 	if (err) {
 		return err;
 	}
 
+	LOG_DBG("res %s", bt_hex(res, 16));
+
+	sys_mem_swap(res, 16);
+
 	return 0;
 }
diff --git a/tests/bluetooth/bt_crypto/src/test_bt_crypto.c b/tests/bluetooth/bt_crypto/src/test_bt_crypto.c
@@ -162,14 +162,14 @@ ZTEST(bt_crypto, test_result_h7)
 
 ZTEST(bt_crypto, test_result_h8)
 {
-	uint8_t k[16] = {0xec, 0x02, 0x34, 0xa3, 0x57, 0xc8, 0xad, 0x05,
-			 0x34, 0x10, 0x10, 0xa6, 0x0a, 0x39, 0x7d, 0x9b};
-	uint8_t s[16] = {0x15, 0x36, 0xd1, 0x8d, 0xe3, 0xd2, 0x0d, 0xf9,
-			 0x9b, 0x70, 0x44, 0xc1, 0x2f, 0x9e, 0xd5, 0xba};
-	uint8_t key_id[4] = {0xcc, 0x03, 0x01, 0x48};
-
-	uint8_t exp_res[16] = {0xe5, 0xe5, 0xbe, 0xba, 0xae, 0x72, 0x28, 0xe7,
-			       0x22, 0xa3, 0x89, 0x04, 0xed, 0x35, 0x0f, 0x6d};
+	uint8_t k[16] = {0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
+			 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec};
+	uint8_t s[16] = {0xba, 0xd5, 0x9e, 0x2f, 0xc1, 0x44, 0x70, 0x9b,
+			 0xf9, 0x0d, 0xd2, 0xe3, 0x8d, 0xd1, 0x36, 0x15};
+	uint8_t key_id[4] = {0x48, 0x01, 0x03, 0xcc};
+
+	uint8_t exp_res[16] = {0x6d, 0x0f, 0x35, 0xed, 0x04, 0x89, 0xa3, 0x22,
+			       0xe7, 0x28, 0x72, 0xae, 0xba, 0xbe, 0xe5, 0xe5};
 	uint8_t res[16];
 
 	bt_crypto_h8(k, s, key_id, res);
