ble_mesh: stack: Fix AuthValue Leak and Predictable AuthValue in Bluetooth Mesh Provisioning Leads to MITM

components/bt/esp_ble_mesh/api/core/include/esp_ble_mesh_provisioning_api.h

@@ -324,6 +324,11 @@ esp_err_t esp_ble_mesh_provisioner_set_prov_data_info(esp_ble_mesh_prov_data_inf
 /**
  * @brief         This function is called by Provisioner to set static oob value used for provisioning.
  *
+ * @note          The Bluetooth SIG recommends that mesh implementations enforce a randomly selected
+ *                AuthValue using all of the available bits, where permitted by the implementation.
+ *                A large entropy helps ensure that a brute-force of the AuthValue, even a static
+ *                AuthValue, cannot normally be completed in a reasonable time (CVE-2020-26557).
+ *
  * @param[in]     value:  Pointer to the static oob value.
  * @param[in]     length: Length of the static oob value.
  *

components/bt/esp_ble_mesh/api/esp_ble_mesh_defs.h

@@ -582,6 +582,10 @@ typedef struct {
     /** Out of Band information field. */
     esp_ble_mesh_prov_oob_info_t oob_info;
 
+    /* NOTE: In order to avoid suffering brute-forcing attack (CVE-2020-26559).
+     * The Bluetooth SIG recommends that potentially vulnerable mesh node
+     * support an out-of-band mechanism to exchange the public keys.
+     */
     /** Flag indicates whether unprovisioned devices support OOB public key */
     bool oob_pub_key;
 
@@ -635,12 +639,21 @@ typedef struct {
     /** Provisioning Algorithm for the Provisioner */
     uint8_t        prov_algorithm;
 
+    /* NOTE: In order to avoid suffering brute-forcing attack(CVE-2020-26559).
+     * The Bluetooth SIG recommends that potentially vulnerable mesh provisioners
+     * use an out-of-band mechanism to exchange the public keys.
+     */
     /** Provisioner public key oob */
     uint8_t        prov_pub_key_oob;
 
     /** Callback used to notify to set device OOB Public Key. Initialized by the stack. */
     esp_ble_mesh_cb_t provisioner_prov_read_oob_pub_key;
 
+    /* NOTE: The Bluetooth SIG recommends that mesh implementations enforce a randomly
+     * selected AuthValue using all of the available bits, where permitted by the
+     * implementation. A large entropy helps ensure that a brute-force of the AuthValue,
+     * even a static AuthValue, cannot normally be completed in a reasonable time (CVE-2020-26557).
+     */
     /** Provisioner static oob value */
     uint8_t        *prov_static_oob_val;
     /** Provisioner static oob value length */

components/bt/esp_ble_mesh/mesh_core/provisioner_prov.c

@@ -2312,6 +2312,12 @@ static void prov_confirm(const uint8_t idx, const uint8_t *data)
 
     BT_DBG("Remote Confirm: %s", bt_hex(data, 16));
 
+    /* NOTE: The Bluetooth SIG recommends that potentially vulnerable mesh
+     * provisioners restrict the authentication procedure and not accept
+     * provisioning random and provisioning confirmation numbers from a remote
+     * peer that are the same as those selected by the local device (CVE-2020-26556
+     * & CVE-2020-26560).
+     * */
     if (!memcmp(data, link[idx].local_conf, 16)) {
         BT_ERR("Confirmation value is identical to ours, rejecting.");
         close_link(idx, CLOSE_REASON_FAILED);
@@ -2528,6 +2534,12 @@ static void prov_random(const uint8_t idx, const uint8_t *data)
 
     BT_DBG("Remote Random: %s", bt_hex(data, 16));
 
+    /* NOTE: The Bluetooth SIG recommends that potentially vulnerable mesh
+     * provisioners restrict the authentication procedure and not accept
+     * provisioning random and provisioning confirmation numbers from a remote
+     * peer that are the same as those selected by the local device (CVE-2020-26556
+     * & CVE-2020-26560).
+     * */
     if (!memcmp(data, link[idx].rand, 16)) {
         BT_ERR("Random value is identical to ours, rejecting.");
         goto fail;