Merge branch 'bugfix/AuthValue_leak_v4.2' into 'release/v4.2'

ble_mesh: stack: Fix AuthValue Leak and Predictable AuthValue in Bluetooth... (v4.2)

See merge request espressif/esp-idf!14023
This commit is contained in:
Island 2021-06-21 03:08:53 +00:00
commit ea7b487807
3 changed files with 30 additions and 0 deletions

View File

@ -324,6 +324,11 @@ esp_err_t esp_ble_mesh_provisioner_set_prov_data_info(esp_ble_mesh_prov_data_inf
/** /**
* @brief This function is called by Provisioner to set static oob value used for provisioning. * @brief This function is called by Provisioner to set static oob value used for provisioning.
* *
* @note The Bluetooth SIG recommends that mesh implementations enforce a randomly selected
* AuthValue using all of the available bits, where permitted by the implementation.
* A large entropy helps ensure that a brute-force of the AuthValue, even a static
* AuthValue, cannot normally be completed in a reasonable time (CVE-2020-26557).
*
* @param[in] value: Pointer to the static oob value. * @param[in] value: Pointer to the static oob value.
* @param[in] length: Length of the static oob value. * @param[in] length: Length of the static oob value.
* *

View File

@ -582,6 +582,10 @@ typedef struct {
/** Out of Band information field. */ /** Out of Band information field. */
esp_ble_mesh_prov_oob_info_t oob_info; esp_ble_mesh_prov_oob_info_t oob_info;
/* NOTE: In order to avoid suffering brute-forcing attack (CVE-2020-26559).
* The Bluetooth SIG recommends that potentially vulnerable mesh node
* support an out-of-band mechanism to exchange the public keys.
*/
/** Flag indicates whether unprovisioned devices support OOB public key */ /** Flag indicates whether unprovisioned devices support OOB public key */
bool oob_pub_key; bool oob_pub_key;
@ -635,12 +639,21 @@ typedef struct {
/** Provisioning Algorithm for the Provisioner */ /** Provisioning Algorithm for the Provisioner */
uint8_t prov_algorithm; uint8_t prov_algorithm;
/* NOTE: In order to avoid suffering brute-forcing attack(CVE-2020-26559).
* The Bluetooth SIG recommends that potentially vulnerable mesh provisioners
* use an out-of-band mechanism to exchange the public keys.
*/
/** Provisioner public key oob */ /** Provisioner public key oob */
uint8_t prov_pub_key_oob; uint8_t prov_pub_key_oob;
/** Callback used to notify to set device OOB Public Key. Initialized by the stack. */ /** Callback used to notify to set device OOB Public Key. Initialized by the stack. */
esp_ble_mesh_cb_t provisioner_prov_read_oob_pub_key; esp_ble_mesh_cb_t provisioner_prov_read_oob_pub_key;
/* NOTE: The Bluetooth SIG recommends that mesh implementations enforce a randomly
* selected AuthValue using all of the available bits, where permitted by the
* implementation. A large entropy helps ensure that a brute-force of the AuthValue,
* even a static AuthValue, cannot normally be completed in a reasonable time (CVE-2020-26557).
*/
/** Provisioner static oob value */ /** Provisioner static oob value */
uint8_t *prov_static_oob_val; uint8_t *prov_static_oob_val;
/** Provisioner static oob value length */ /** Provisioner static oob value length */

View File

@ -2312,6 +2312,12 @@ static void prov_confirm(const uint8_t idx, const uint8_t *data)
BT_DBG("Remote Confirm: %s", bt_hex(data, 16)); BT_DBG("Remote Confirm: %s", bt_hex(data, 16));
/* NOTE: The Bluetooth SIG recommends that potentially vulnerable mesh
* provisioners restrict the authentication procedure and not accept
* provisioning random and provisioning confirmation numbers from a remote
* peer that are the same as those selected by the local device (CVE-2020-26556
* & CVE-2020-26560).
* */
if (!memcmp(data, link[idx].local_conf, 16)) { if (!memcmp(data, link[idx].local_conf, 16)) {
BT_ERR("Confirmation value is identical to ours, rejecting."); BT_ERR("Confirmation value is identical to ours, rejecting.");
close_link(idx, CLOSE_REASON_FAILED); close_link(idx, CLOSE_REASON_FAILED);
@ -2528,6 +2534,12 @@ static void prov_random(const uint8_t idx, const uint8_t *data)
BT_DBG("Remote Random: %s", bt_hex(data, 16)); BT_DBG("Remote Random: %s", bt_hex(data, 16));
/* NOTE: The Bluetooth SIG recommends that potentially vulnerable mesh
* provisioners restrict the authentication procedure and not accept
* provisioning random and provisioning confirmation numbers from a remote
* peer that are the same as those selected by the local device (CVE-2020-26556
* & CVE-2020-26560).
* */
if (!memcmp(data, link[idx].rand, 16)) { if (!memcmp(data, link[idx].rand, 16)) {
BT_ERR("Random value is identical to ours, rejecting."); BT_ERR("Random value is identical to ours, rejecting.");
goto fail; goto fail;