From 3212d62b2bf5bbfb7d399762770e872478c7ecdd Mon Sep 17 00:00:00 2001
From: wangjialiang <wangjialiang@espressif.com>
Date: Wed, 9 Jun 2021 16:19:31 +0800
Subject: [PATCH] ble_mesh: stack: Fix AuthValue Leak and Predictable AuthValue
 in Bluetooth Mesh Provisioning Leads to MITM

---
 .../core/include/esp_ble_mesh_provisioning_api.h    |  5 +++++
 components/bt/esp_ble_mesh/api/esp_ble_mesh_defs.h  | 13 +++++++++++++
 .../bt/esp_ble_mesh/mesh_core/provisioner_prov.c    | 12 ++++++++++++
 3 files changed, 30 insertions(+)

diff --git a/components/bt/esp_ble_mesh/api/core/include/esp_ble_mesh_provisioning_api.h b/components/bt/esp_ble_mesh/api/core/include/esp_ble_mesh_provisioning_api.h
index bf51a618bf..efa3dc0851 100644
--- a/components/bt/esp_ble_mesh/api/core/include/esp_ble_mesh_provisioning_api.h
+++ b/components/bt/esp_ble_mesh/api/core/include/esp_ble_mesh_provisioning_api.h
@@ -324,6 +324,11 @@ esp_err_t esp_ble_mesh_provisioner_set_prov_data_info(esp_ble_mesh_prov_data_inf
 /**
  * @brief         This function is called by Provisioner to set static oob value used for provisioning.
  *
+ * @note          The Bluetooth SIG recommends that mesh implementations enforce a randomly selected
+ *                AuthValue using all of the available bits, where permitted by the implementation.
+ *                A large entropy helps ensure that a brute-force of the AuthValue, even a static
+ *                AuthValue, cannot normally be completed in a reasonable time (CVE-2020-26557).
+ *
  * @param[in]     value:  Pointer to the static oob value.
  * @param[in]     length: Length of the static oob value.
  *
diff --git a/components/bt/esp_ble_mesh/api/esp_ble_mesh_defs.h b/components/bt/esp_ble_mesh/api/esp_ble_mesh_defs.h
index 78b52a9687..4be2189ea6 100644
--- a/components/bt/esp_ble_mesh/api/esp_ble_mesh_defs.h
+++ b/components/bt/esp_ble_mesh/api/esp_ble_mesh_defs.h
@@ -582,6 +582,10 @@ typedef struct {
     /** Out of Band information field. */
     esp_ble_mesh_prov_oob_info_t oob_info;
 
+    /* NOTE: In order to avoid suffering brute-forcing attack (CVE-2020-26559).
+     * The Bluetooth SIG recommends that potentially vulnerable mesh node
+     * support an out-of-band mechanism to exchange the public keys.
+     */
     /** Flag indicates whether unprovisioned devices support OOB public key */
     bool oob_pub_key;
 
@@ -635,12 +639,21 @@ typedef struct {
     /** Provisioning Algorithm for the Provisioner */
     uint8_t        prov_algorithm;
 
+    /* NOTE: In order to avoid suffering brute-forcing attack(CVE-2020-26559).
+     * The Bluetooth SIG recommends that potentially vulnerable mesh provisioners
+     * use an out-of-band mechanism to exchange the public keys.
+     */
     /** Provisioner public key oob */
     uint8_t        prov_pub_key_oob;
 
     /** Callback used to notify to set device OOB Public Key. Initialized by the stack. */
     esp_ble_mesh_cb_t provisioner_prov_read_oob_pub_key;
 
+    /* NOTE: The Bluetooth SIG recommends that mesh implementations enforce a randomly
+     * selected AuthValue using all of the available bits, where permitted by the
+     * implementation. A large entropy helps ensure that a brute-force of the AuthValue,
+     * even a static AuthValue, cannot normally be completed in a reasonable time (CVE-2020-26557).
+     */
     /** Provisioner static oob value */
     uint8_t        *prov_static_oob_val;
     /** Provisioner static oob value length */
diff --git a/components/bt/esp_ble_mesh/mesh_core/provisioner_prov.c b/components/bt/esp_ble_mesh/mesh_core/provisioner_prov.c
index 3ac99bde93..8cc406a0f0 100644
--- a/components/bt/esp_ble_mesh/mesh_core/provisioner_prov.c
+++ b/components/bt/esp_ble_mesh/mesh_core/provisioner_prov.c
@@ -2312,6 +2312,12 @@ static void prov_confirm(const uint8_t idx, const uint8_t *data)
 
     BT_DBG("Remote Confirm: %s", bt_hex(data, 16));
 
+    /* NOTE: The Bluetooth SIG recommends that potentially vulnerable mesh
+     * provisioners restrict the authentication procedure and not accept
+     * provisioning random and provisioning confirmation numbers from a remote
+     * peer that are the same as those selected by the local device (CVE-2020-26556
+     * & CVE-2020-26560).
+     * */
     if (!memcmp(data, link[idx].local_conf, 16)) {
         BT_ERR("Confirmation value is identical to ours, rejecting.");
         close_link(idx, CLOSE_REASON_FAILED);
@@ -2528,6 +2534,12 @@ static void prov_random(const uint8_t idx, const uint8_t *data)
 
     BT_DBG("Remote Random: %s", bt_hex(data, 16));
 
+    /* NOTE: The Bluetooth SIG recommends that potentially vulnerable mesh
+     * provisioners restrict the authentication procedure and not accept
+     * provisioning random and provisioning confirmation numbers from a remote
+     * peer that are the same as those selected by the local device (CVE-2020-26556
+     * & CVE-2020-26560).
+     * */
     if (!memcmp(data, link[idx].rand, 16)) {
         BT_ERR("Random value is identical to ours, rejecting.");
         goto fail;