blackbeard420/esp-idf
1
0
Fork 0
mirror of https://github.com/espressif/esp-idf synced 2025-04-02 21:00:10 -04:00
Code Issues Projects Releases Wiki Activity

ble_mesh: Update the SIG recommendations for CVE issues

Browse Source
This commit is contained in:
lly 2021-08-17 19:32:48 +08:00
parent fce11704f0
commit 06196f347a
3 changed files with 53 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
components/bt/esp_ble_mesh/api/core/include/esp_ble_mesh_provisioning_api.h
View File

@ -69,6 +69,12 @@ esp_err_t esp_ble_mesh_node_prov_disable(esp_ble_mesh_prov_bearer_t bearers);
/** /**
* @brief Unprovisioned device set own oob public key & private key pair. * @brief Unprovisioned device set own oob public key & private key pair.
* *
* @note In order to avoid suffering brute-forcing attack (CVE-2020-26559).
* The Bluetooth SIG recommends that potentially vulnerable mesh provisioners
* use an out-of-band mechanism to exchange the public keys.
* So as an unprovisioned device, it should use this function to input
* the Public Key exchanged through the out-of-band mechanism.
*
* @param[in] pub_key_x: Unprovisioned device's Public Key X * @param[in] pub_key_x: Unprovisioned device's Public Key X
* @param[in] pub_key_y: Unprovisioned device's Public Key Y * @param[in] pub_key_y: Unprovisioned device's Public Key Y
* @param[in] private_key: Unprovisioned device's Private Key * @param[in] private_key: Unprovisioned device's Private Key
@ -121,6 +127,10 @@ esp_err_t esp_ble_mesh_set_unprovisioned_device_name(const char *name);
/** /**
* @brief Provisioner inputs unprovisioned device's oob public key. * @brief Provisioner inputs unprovisioned device's oob public key.
* *
* @note In order to avoid suffering brute-forcing attack (CVE-2020-26559).
* The Bluetooth SIG recommends that potentially vulnerable mesh provisioners
* use an out-of-band mechanism to exchange the public keys.
*
* @param[in] link_idx: The provisioning link index * @param[in] link_idx: The provisioning link index
* @param[in] pub_key_x: Unprovisioned device's Public Key X * @param[in] pub_key_x: Unprovisioned device's Public Key X
* @param[in] pub_key_y: Unprovisioned device's Public Key Y * @param[in] pub_key_y: Unprovisioned device's Public Key Y
@ -329,6 +339,14 @@ esp_err_t esp_ble_mesh_provisioner_set_prov_data_info(esp_ble_mesh_prov_data_inf
* A large entropy helps ensure that a brute-force of the AuthValue, even a static * A large entropy helps ensure that a brute-force of the AuthValue, even a static
* AuthValue, cannot normally be completed in a reasonable time (CVE-2020-26557). * AuthValue, cannot normally be completed in a reasonable time (CVE-2020-26557).
* *
* AuthValues selected using a cryptographically secure random or pseudorandom number
* generator and having the maximum permitted entropy (128-bits) will be most difficult
* to brute-force. AuthValues with reduced entropy or generated in a predictable manner
* will not grant the same level of protection against this vulnerability. Selecting a
* new AuthValue with each provisioning attempt can also make it more difficult to launch
* a brute-force attack by requiring the attacker to restart the search with each
* provisioning attempt (CVE-2020-26556).
*
* @param[in] value: Pointer to the static oob value. * @param[in] value: Pointer to the static oob value.
* @param[in] length: Length of the static oob value. * @param[in] length: Length of the static oob value.
* *

14
components/bt/esp_ble_mesh/api/esp_ble_mesh_defs.h
View File

@ -583,8 +583,10 @@ typedef struct {
esp_ble_mesh_prov_oob_info_t oob_info; esp_ble_mesh_prov_oob_info_t oob_info;
/* NOTE: In order to avoid suffering brute-forcing attack (CVE-2020-26559). /* NOTE: In order to avoid suffering brute-forcing attack (CVE-2020-26559).
* The Bluetooth SIG recommends that potentially vulnerable mesh node * The Bluetooth SIG recommends that potentially vulnerable mesh provisioners
* support an out-of-band mechanism to exchange the public keys. * support an out-of-band mechanism to exchange the public keys.
* So as an unprovisioned device, it should enable this flag to support
* using an out-of-band mechanism to exchange Public Key.
*/ */
/** Flag indicates whether unprovisioned devices support OOB public key */ /** Flag indicates whether unprovisioned devices support OOB public key */
bool oob_pub_key; bool oob_pub_key;
@ -639,7 +641,7 @@ typedef struct {
/** Provisioning Algorithm for the Provisioner */ /** Provisioning Algorithm for the Provisioner */
uint8_t prov_algorithm; uint8_t prov_algorithm;
/* NOTE: In order to avoid suffering brute-forcing attack(CVE-2020-26559). /* NOTE: In order to avoid suffering brute-forcing attack (CVE-2020-26559).
* The Bluetooth SIG recommends that potentially vulnerable mesh provisioners * The Bluetooth SIG recommends that potentially vulnerable mesh provisioners
* use an out-of-band mechanism to exchange the public keys. * use an out-of-band mechanism to exchange the public keys.
*/ */
@ -653,6 +655,14 @@ typedef struct {
* selected AuthValue using all of the available bits, where permitted by the * selected AuthValue using all of the available bits, where permitted by the
* implementation. A large entropy helps ensure that a brute-force of the AuthValue, * implementation. A large entropy helps ensure that a brute-force of the AuthValue,
* even a static AuthValue, cannot normally be completed in a reasonable time (CVE-2020-26557). * even a static AuthValue, cannot normally be completed in a reasonable time (CVE-2020-26557).
*
* AuthValues selected using a cryptographically secure random or pseudorandom number
* generator and having the maximum permitted entropy (128-bits) will be most difficult
* to brute-force. AuthValues with reduced entropy or generated in a predictable manner
* will not grant the same level of protection against this vulnerability. Selecting a
* new AuthValue with each provisioning attempt can also make it more difficult to launch
* a brute-force attack by requiring the attacker to restart the search with each
* provisioning attempt (CVE-2020-26556).
*/ */
/** Provisioner static oob value */ /** Provisioner static oob value */
uint8_t *prov_static_oob_val; uint8_t *prov_static_oob_val;

35
components/bt/esp_ble_mesh/mesh_core/provisioner_prov.c
View File

@ -1930,6 +1930,19 @@ static int prov_auth(const uint8_t idx, uint8_t method, uint8_t action, uint8_t
/* Provisioner ouput number/string and wait for device's Provisioning Input Complete PDU */ /* Provisioner ouput number/string and wait for device's Provisioning Input Complete PDU */
link[idx].expect = PROV_INPUT_COMPLETE; link[idx].expect = PROV_INPUT_COMPLETE;
/* NOTE: The Bluetooth SIG recommends that mesh implementations enforce a randomly
* selected AuthValue using all of the available bits, where permitted by the
* implementation. A large entropy helps ensure that a brute-force of the AuthValue,
* even a static AuthValue, cannot normally be completed in a reasonable time (CVE-2020-26557).
*
* AuthValues selected using a cryptographically secure random or pseudorandom number
* generator and having the maximum permitted entropy (128-bits) will be most difficult
* to brute-force. AuthValues with reduced entropy or generated in a predictable manner
* will not grant the same level of protection against this vulnerability. Selecting a
* new AuthValue with each provisioning attempt can also make it more difficult to launch
* a brute-force attack by requiring the attacker to restart the search with each
* provisioning attempt (CVE-2020-26556).
*/
if (input == BLE_MESH_ENTER_STRING) { if (input == BLE_MESH_ENTER_STRING) {
unsigned char str[9] = {'\0'}; unsigned char str[9] = {'\0'};
uint8_t j = 0U; uint8_t j = 0U;
@ -2312,12 +2325,11 @@ static void prov_confirm(const uint8_t idx, const uint8_t *data)
BT_DBG("Remote Confirm: %s", bt_hex(data, 16)); BT_DBG("Remote Confirm: %s", bt_hex(data, 16));
/* NOTE: The Bluetooth SIG recommends that potentially vulnerable mesh /* NOTE: The Bluetooth SIG recommends that potentially vulnerable mesh provisioners
* provisioners restrict the authentication procedure and not accept * restrict the authentication procedure and not accept provisioning random and
* provisioning random and provisioning confirmation numbers from a remote * provisioning confirmation numbers from a remote peer that are the same as those
* peer that are the same as those selected by the local device (CVE-2020-26556 * selected by the local device (CVE-2020-26560).
* & CVE-2020-26560). */
* */
if (!memcmp(data, link[idx].local_conf, 16)) { if (!memcmp(data, link[idx].local_conf, 16)) {
BT_ERR("Confirmation value is identical to ours, rejecting."); BT_ERR("Confirmation value is identical to ours, rejecting.");
close_link(idx, CLOSE_REASON_FAILED); close_link(idx, CLOSE_REASON_FAILED);
@ -2534,12 +2546,11 @@ static void prov_random(const uint8_t idx, const uint8_t *data)
BT_DBG("Remote Random: %s", bt_hex(data, 16)); BT_DBG("Remote Random: %s", bt_hex(data, 16));
/* NOTE: The Bluetooth SIG recommends that potentially vulnerable mesh /* NOTE: The Bluetooth SIG recommends that potentially vulnerable mesh provisioners
* provisioners restrict the authentication procedure and not accept * restrict the authentication procedure and not accept provisioning random and
* provisioning random and provisioning confirmation numbers from a remote * provisioning confirmation numbers from a remote peer that are the same as those
* peer that are the same as those selected by the local device (CVE-2020-26556 * selected by the local device (CVE-2020-26560).
* & CVE-2020-26560). */
* */
if (!memcmp(data, link[idx].rand, 16)) { if (!memcmp(data, link[idx].rand, 16)) {
BT_ERR("Random value is identical to ours, rejecting."); BT_ERR("Random value is identical to ours, rejecting.");
goto fail; goto fail;