pc-ble-driver-py - BLEGapSecStatus.dhkey_failure

RE: pc-ble-driver-py - BLEGapSecStatus.dhkey_failure

tesc — Tue, 04 Feb 2020 17:58:00 GMT

Hi,

I am happy to see that you got there in the end. Thanks for sharing your solution, it is highly appreciated!

Regards,
Terje

RE: pc-ble-driver-py - BLEGapSecStatus.dhkey_failure

frostp — Mon, 03 Feb 2020 12:06:45 GMT

Hi again,

I did manage to get it all implemented in the end. It looks like the python bindings for the pc-ble-driver just doesn't have support for LE Secure pairing, or atleast it's only half implemented? There isn't any callback implemented for the BLE_GAP_EVT_LESC_DHKEY_REQUEST for example.

Fortunately the guy who answered https://devzone.nordicsemi.com/f/nordic-q-a/57036/pc-ble-driver-py---blegapsecstatus-dhkey_failure had implemented pretty much all of it, apart from his was in python 2 and I'm using python 3 so I had to make some changes there. Also he uses pyelliptic which has been deprecated for some time, so that's not great but it's sort of ok just for the testing I'm doing.

So in the end the authentication function looks like:

        kdist_own   = BLEGapSecKDist(enc  = 1,
                                     id   = 1,
                                     sign = 0,
                                     link = 0)
                                     
        kdist_peer  = BLEGapSecKDist(enc  = 1,
                                     id   = 1,
                                     sign = 0,
                                     link = 0)
        
        sec_params  = BLEGapSecParams(bond          = True,
                                      mitm          = True,
                                      lesc          = True,
                                      oob           = False,
                                      keypress      = False,
                                      io_caps       = BLEGapIOCaps.keyboard_display,
                                      min_key_size  = 7,
                                      max_key_size  = 16,
                                      kdist_own     = kdist_own,
                                      kdist_peer    = kdist_peer)
        
        self.adapter.driver.ble_gap_authenticate(self.conn_handle, sec_params)
        
        # Wait for gap_evt_sec_params_request
        self.adapter.evt_sync[self.conn_handle].wait(BLEEvtID.gap_evt_sec_params_request)

        pub_key = BLEGapLESCp256pk(pk = self.adapter.driver.ecc_create_keys())
        self.adapter.driver.ble_gap_sec_params_reply(self.conn_handle,
                                                     BLEGapSecStatus.success,
                                                     sec_params = None,
                                                     own_keys = pub_key)

        # Wait for gap_evt_lesc_dhkey_request
        result = self.adapter.evt_sync[self.conn_handle].wait(BLEEvtID.gap_evt_lesc_dhkey_request)

        dhkey = BLEGapLESCdhkey(key = self.adapter.driver.ecc_get_dhkey(result['p_pk_peer'].pk))
        self.adapter.driver.ble_gap_lesc_dhkey_reply(self.conn_handle, dhkey)

        # Wait for gap_evt_auth_status
        result = self.adapter.evt_sync[self.conn_handle].wait(BLEEvtID.gap_evt_auth_status)

        if result['auth_status'] ==  BLEGapSecStatus.success:
            self.keyset = adapter.db_conns[self.conn_handle]._keyset
            return True

But you have to make some changes in the ble_driver.py and the ble_adapter.py to get to that point.

devzone.nordicsemi.com/.../4503.ble_5F00_adapter.patch

devzone.nordicsemi.com/.../3513.ble_5F00_driver.patch

Thanks,

Peter

RE: pc-ble-driver-py - BLEGapSecStatus.dhkey_failure

tesc — Wed, 29 Jan 2020 16:01:34 GMT

Hi,

There are multiple keys involved here, so one can easily get confused. As the logged error message include "BLEGapSecStatus.dhkey_failure", dhkey related issues is the prime suspect. Computation of the dhkey is the responsibility of the application, so you must perform the computation that in the SDK is performed by nrf_crypto_shared_secret_compute(). I am looking forward to hear how it went.

Regards,
Terje

RE: pc-ble-driver-py - BLEGapSecStatus.dhkey_failure

frostp — Tue, 28 Jan 2020 15:47:54 GMT

Hi,

Thanks for the reply, I did wonder if the BLE_GAP_EVT_LESC_DHKEY_REQUEST was the issue but that sequence diagram shows it coming after the SMP Pairing Public Key is sent so I assumed it couldn't be the problem. I'll put in an implementation for the DHKEY_REQUEST and let you know how it goes.

Many thanks,

Peter

RE: pc-ble-driver-py - BLEGapSecStatus.dhkey_failure

tesc — Tue, 28 Jan 2020 14:19:26 GMT

Hi,

Your implementation sets the lesc flag in sec_params, but you seem to still follow legacy pairing and not LE Secure Connections pairing for the pairing procedure. Note as part of "LESC Authentication Stage 1" you must answer to the event BLE_GAP_EVT_LESC_DHKEY_REQUEST with a call to sd_ble_gap_lesc_dhkey_reply(). As reference, here is the implementation used in nRF5 SDK v12.3, for the ble_app_multirole_lesc example (main.c, lines 677 through 685):

 677         case BLE_GAP_EVT_LESC_DHKEY_REQUEST:
 678             NRF_LOG_INFO("%s: BLE_GAP_EVT_LESC_DHKEY_REQUEST\r\n", nrf_log_push(roles_str[role]));
 679             peer_pk.p_le_data = &p_ble_evt->evt.gap_evt.params.lesc_dhkey_request.p_pk_peer->pk[0];
 680             peer_pk.len = BLE_GAP_LESC_P256_PK_LEN;
 681             err_code = nrf_crypto_shared_secret_compute(NRF_CRYPTO_CURVE_SECP256R1, &m_crypto_key_sk, &peer_pk, &m_crypto_key_dhkey);
 682             APP_ERROR_CHECK(err_code);
 683             err_code = sd_ble_gap_lesc_dhkey_reply(conn_handle, &m_lesc_dhkey);
 684             APP_ERROR_CHECK(err_code);
 685             break;

Regards,
Terje