This post is older than 2 years and might not be relevant anymore
More Info: Consider searching for newer posts

LESC and higher security options doesn't work

Hi!

I am using SDK15, my application is based on app_ble_uart. I have added my proprietary characteristic to NUS next to RX and TX Characteristic with quite a success. Now I am trying to add some level of security and permissions to my characteristic. These are the options I chose from:

/**@defgroup BLE_GAP_CONN_SEC_MODE_SET_MACROS GAP attribute security requirement setters
*
* See @ref ble_gap_conn_sec_mode_t.
* @{ */
/**@brief Set sec_mode pointed to by ptr to have no access rights.*/
#define BLE_GAP_CONN_SEC_MODE_SET_NO_ACCESS(ptr)          do {(ptr)->sm = 0; (ptr)->lv = 0;} while(0)
/**@brief Set sec_mode pointed to by ptr to require no protection, open link.*/
#define BLE_GAP_CONN_SEC_MODE_SET_OPEN(ptr)               do {(ptr)->sm = 1; (ptr)->lv = 1;} while(0)
/**@brief Set sec_mode pointed to by ptr to require encryption, but no MITM protection.*/
#define BLE_GAP_CONN_SEC_MODE_SET_ENC_NO_MITM(ptr)        do {(ptr)->sm = 1; (ptr)->lv = 2;} while(0)
/**@brief Set sec_mode pointed to by ptr to require encryption and MITM protection.*/
#define BLE_GAP_CONN_SEC_MODE_SET_ENC_WITH_MITM(ptr)      do {(ptr)->sm = 1; (ptr)->lv = 3;} while(0)
/**@brief Set sec_mode pointed to by ptr to require LESC encryption and MITM protection.*/
#define BLE_GAP_CONN_SEC_MODE_SET_LESC_ENC_WITH_MITM(ptr) do {(ptr)->sm = 1; (ptr)->lv = 4;} while(0)
/**@brief Set sec_mode pointed to by ptr to require signing or encryption, no MITM protection needed.*/
#define BLE_GAP_CONN_SEC_MODE_SET_SIGNED_NO_MITM(ptr)     do {(ptr)->sm = 2; (ptr)->lv = 1;} while(0)
/**@brief Set sec_mode pointed to by ptr to require signing or encryption with MITM protection.*/
#define BLE_GAP_CONN_SEC_MODE_SET_SIGNED_WITH_MITM(ptr)   do {(ptr)->sm = 2; (ptr)->lv = 2;} while(0)

NO_ACCESS, OPEN, ENC_NO_MITM and ENC_WITH_MITM work. For some of them when I try to write some data to my characteristic my smartphone gets popup notification asking for passcode for pairing. That's okay, that's how want it working.

LESC_ENC_WITH_MITM asks me for passcode but I don't receive sent values, I don't receive trash values either, just none. Application doesn't crash, disconnect or so. Meanwhile my other characteristic that has OPEN settings works fine, so there is no halting or something. Tested with Xiaomi Mi6 and Huawei P10.

SIGNED_NO_MITM and SIGNED_WITH_MITM don't work. Program crashes after start, as I noticed sd_ble_gatts_characteristic_add inside my dt_char_add function returns code 0x06 which I suppose refers to NRF_ERROR_NOT_SUPPORTED but documentation for:

SVCALL(SD_BLE_GATTS_CHARACTERISTIC_ADD, uint32_t, sd_ble_gatts_characteristic_add(uint16_t service_handle, ble_gatts_char_md_t const *p_char_md, ble_gatts_attr_t const *p_attr_char_value, ble_gatts_char_handles_t *p_handles));

doesn't mention that type of error.

This is my Peer Manager setting from main.c:

        BOND = true;        
        MITM = true;        
        LESC = 0;        
        KEYPRESS = 0;
        IO_CAPS = BLE_GAP_IO_CAPS_DISPLAY_ONLY;        
        OOB = false;        
        MIN_KEY_SIZE = 7;        
        MAX_KEY_SIZE = 16;
        K_OWN_ENC = 1;        
        K_OWN_ID = 1;        
        K_PEER_ENC = 1;        
        K_PEER_INC = 1;

I would like highest possible level of security in my application and I don't know why can't I use at least the 5th level of security.

  • More questions:

    1. Do I need to #define BLE_LESC_ENABLED 1 in sdk_config.h? It is not defined by default.

    2. Why are there:

    BLE_GAP_CONN_SEC_MODE_SET_OPEN(&sec_mode); 

    inside gap_params_init() in main.c

    and

    BLE_GAP_CONN_SEC_MODE_SET_OPEN(&attr_md.read_perm)
    BLE_GAP_CONN_SEC_MODE_SET_OPEN(&attr_md.write_perm)

    // in my case: BLE_GAP_CONN_SEC_MODE_SET_ENC_WITH_MITM(&attr_md.read_perm);
    //                    BLE_GAP_CONN_SEC_MODE_SET_ENC_WITH_MITM(&attr_md.write_perm);

    inside anycharacteristic_char_add(ble_nus_t * p_nus, const ble_nus_init_t * p_nus_init) in ble_anyservice.c? What's the difference between those calls? As I understand call inside service file refers to access to given characteristic, but what is the call in main.c for?

    3. When I set sec_param.lesc =1 in main.c and try to pair with my smartphone I get PM event: PM_EVT_ERROR_UNEXPECTED and crash with:

    <error> app: ERROR 16 [NRF_ERROR_INVALID_ADDR] at C:\repo\multiperipheral\main.c:1124
    PC at: 0x00031449

  • Hi,

     

    In addition to handling the LESC procedures, you'll also need to add micro-ecc to your project, which needs to be manually built (there's a build_all.bat or build_all.sh script you can run as long as you have GCC and make installed).

    For setting up LESC with numerical comparison, you could have a look at this example (project-wise and firmware-wise):

    ../nRF5_SDK_15.0.0_a53641a/examples/ble_central_and_peripheral/experimental/ble_app_multirole_lesc

     

    Kind regards,

    Håkon

     

  • Hi! 

    Thanks for response, I have added the module to the ble_app_multirole_lesc example the way you have provided and it works :)

     

Related