Merge branch 'bugfix/ble_mesh_cve_recommendation' into 'master'

ble_mesh: Update the SIG recommendations for CVE issues

See merge request espressif/esp-idf!14832

components/bt/esp_ble_mesh/api/core/include/esp_ble_mesh_provisioning_api.h

@@ -69,6 +69,12 @@ esp_err_t esp_ble_mesh_node_prov_disable(esp_ble_mesh_prov_bearer_t bearers);
 /**
  * @brief        Unprovisioned device set own oob public key & private key pair.
  *
+ * @note         In order to avoid suffering brute-forcing attack (CVE-2020-26559).
+ *               The Bluetooth SIG recommends that potentially vulnerable mesh provisioners
+ *               use an out-of-band mechanism to exchange the public keys.
+ *               So as an unprovisioned device, it should use this function to input
+ *               the Public Key exchanged through the out-of-band mechanism.
+ *
  * @param[in]    pub_key_x:   Unprovisioned device's Public Key X
  * @param[in]    pub_key_y:   Unprovisioned device's Public Key Y
  * @param[in]    private_key: Unprovisioned device's Private Key
@@ -121,6 +127,10 @@ esp_err_t esp_ble_mesh_set_unprovisioned_device_name(const char *name);
 /**
  * @brief        Provisioner inputs unprovisioned device's oob public key.
  *
+ * @note         In order to avoid suffering brute-forcing attack (CVE-2020-26559).
+ *               The Bluetooth SIG recommends that potentially vulnerable mesh provisioners
+ *               use an out-of-band mechanism to exchange the public keys.
+ *
  * @param[in]    link_idx:   The provisioning link index
  * @param[in]    pub_key_x:  Unprovisioned device's Public Key X
  * @param[in]    pub_key_y:  Unprovisioned device's Public Key Y
@@ -329,6 +339,14 @@ esp_err_t esp_ble_mesh_provisioner_set_prov_data_info(esp_ble_mesh_prov_data_inf
  *                A large entropy helps ensure that a brute-force of the AuthValue, even a static
  *                AuthValue, cannot normally be completed in a reasonable time (CVE-2020-26557).
  *
+ *                AuthValues selected using a cryptographically secure random or pseudorandom number
+ *                generator and having the maximum permitted entropy (128-bits) will be most difficult
+ *                to brute-force. AuthValues with reduced entropy or generated in a predictable manner
+ *                will not grant the same level of protection against this vulnerability. Selecting a
+ *                new AuthValue with each provisioning attempt can also make it more difficult to launch
+ *                a brute-force attack by requiring the attacker to restart the search with each
+ *                provisioning attempt (CVE-2020-26556).
+ *
  * @param[in]     value:  Pointer to the static oob value.
  * @param[in]     length: Length of the static oob value.
  *

components/bt/esp_ble_mesh/api/esp_ble_mesh_defs.h

@@ -573,8 +573,10 @@ typedef struct {
     esp_ble_mesh_prov_oob_info_t oob_info;
 
     /* NOTE: In order to avoid suffering brute-forcing attack (CVE-2020-26559).
-     * The Bluetooth SIG recommends that potentially vulnerable mesh node
+     * The Bluetooth SIG recommends that potentially vulnerable mesh provisioners
      * support an out-of-band mechanism to exchange the public keys.
+     * So as an unprovisioned device, it should enable this flag to support
+     * using an out-of-band mechanism to exchange Public Key.
      */
     /** Flag indicates whether unprovisioned devices support OOB public key */
     bool oob_pub_key;
@@ -629,7 +631,7 @@ typedef struct {
     /** Provisioning Algorithm for the Provisioner */
     uint8_t        prov_algorithm;
 
-    /* NOTE: In order to avoid suffering brute-forcing attack(CVE-2020-26559).
+    /* NOTE: In order to avoid suffering brute-forcing attack (CVE-2020-26559).
      * The Bluetooth SIG recommends that potentially vulnerable mesh provisioners
      * use an out-of-band mechanism to exchange the public keys.
      */
@@ -643,6 +645,14 @@ typedef struct {
      * selected AuthValue using all of the available bits, where permitted by the
      * implementation. A large entropy helps ensure that a brute-force of the AuthValue,
      * even a static AuthValue, cannot normally be completed in a reasonable time (CVE-2020-26557).
+     *
+     * AuthValues selected using a cryptographically secure random or pseudorandom number
+     * generator and having the maximum permitted entropy (128-bits) will be most difficult
+     * to brute-force. AuthValues with reduced entropy or generated in a predictable manner
+     * will not grant the same level of protection against this vulnerability. Selecting a
+     * new AuthValue with each provisioning attempt can also make it more difficult to launch
+     * a brute-force attack by requiring the attacker to restart the search with each
+     * provisioning attempt (CVE-2020-26556).
      */
     /** Provisioner static oob value */
     uint8_t        *prov_static_oob_val;

components/bt/esp_ble_mesh/mesh_core/provisioner_prov.c

@@ -1930,6 +1930,19 @@ static int prov_auth(const uint8_t idx, uint8_t method, uint8_t action, uint8_t
         /* Provisioner ouput number/string and wait for device's Provisioning Input Complete PDU */
         link[idx].expect = PROV_INPUT_COMPLETE;
 
+        /* NOTE: The Bluetooth SIG recommends that mesh implementations enforce a randomly
+         * selected AuthValue using all of the available bits, where permitted by the
+         * implementation. A large entropy helps ensure that a brute-force of the AuthValue,
+         * even a static AuthValue, cannot normally be completed in a reasonable time (CVE-2020-26557).
+         *
+         * AuthValues selected using a cryptographically secure random or pseudorandom number
+         * generator and having the maximum permitted entropy (128-bits) will be most difficult
+         * to brute-force. AuthValues with reduced entropy or generated in a predictable manner
+         * will not grant the same level of protection against this vulnerability. Selecting a
+         * new AuthValue with each provisioning attempt can also make it more difficult to launch
+         * a brute-force attack by requiring the attacker to restart the search with each
+         * provisioning attempt (CVE-2020-26556).
+         */
         if (input == BLE_MESH_ENTER_STRING) {
             unsigned char str[9] = {'\0'};
             uint8_t j = 0U;
@@ -2312,12 +2325,11 @@ static void prov_confirm(const uint8_t idx, const uint8_t *data)
 
     BT_DBG("Remote Confirm: %s", bt_hex(data, 16));
 
-    /* NOTE: The Bluetooth SIG recommends that potentially vulnerable mesh
-     * provisioners restrict the authentication procedure and not accept
-     * provisioning random and provisioning confirmation numbers from a remote
-     * peer that are the same as those selected by the local device (CVE-2020-26556
-     * & CVE-2020-26560).
-     * */
+    /* NOTE: The Bluetooth SIG recommends that potentially vulnerable mesh provisioners
+     * restrict the authentication procedure and not accept provisioning random and
+     * provisioning confirmation numbers from a remote peer that are the same as those
+     * selected by the local device (CVE-2020-26560).
+     */
     if (!memcmp(data, link[idx].local_conf, 16)) {
         BT_ERR("Confirmation value is identical to ours, rejecting.");
         close_link(idx, CLOSE_REASON_FAILED);
@@ -2534,12 +2546,11 @@ static void prov_random(const uint8_t idx, const uint8_t *data)
 
     BT_DBG("Remote Random: %s", bt_hex(data, 16));
 
-    /* NOTE: The Bluetooth SIG recommends that potentially vulnerable mesh
-     * provisioners restrict the authentication procedure and not accept
-     * provisioning random and provisioning confirmation numbers from a remote
-     * peer that are the same as those selected by the local device (CVE-2020-26556
-     * & CVE-2020-26560).
-     * */
+    /* NOTE: The Bluetooth SIG recommends that potentially vulnerable mesh provisioners
+     * restrict the authentication procedure and not accept provisioning random and
+     * provisioning confirmation numbers from a remote peer that are the same as those
+     * selected by the local device (CVE-2020-26560).
+     */
     if (!memcmp(data, link[idx].rand, 16)) {
         BT_ERR("Random value is identical to ours, rejecting.");
         goto fail;