Merge pull request #11681 from lucasssvaz/fix/bt_component

fix(ble): Fix BLESecurity and add examples

Author: me-no-dev

libraries/BLE/examples/Client_secure_static_passkey/Client_secure_static_passkey.ino

@@ -0,0 +1,235 @@
+/*
+  Secure client with static passkey
+
+  This example demonstrates how to create a secure BLE client that connects to
+  a secure BLE server using a static passkey without prompting the user.
+  The client will automatically use the same passkey (123456) as the server.
+
+  This client is designed to work with the Server_secure_static_passkey example.
+
+  Note that ESP32 uses Bluedroid by default and the other SoCs use NimBLE.
+  Bluedroid initiates security on-connect, while NimBLE initiates security on-demand.
+  This means that in NimBLE you can read the insecure characteristic without entering
+  the passkey. This is not possible in Bluedroid.
+
+  Also, the SoC stores the authentication info in the NVS memory. After a successful
+  connection it is possible that a passkey change will be ineffective.
+  To avoid this, clear the memory of the SoC's between security tests.
+
+  Based on examples from Neil Kolban and h2zero.
+  Created by lucasssvaz.
+*/
+
+#include "BLEDevice.h"
+#include "BLESecurity.h"
+
+// The remote service we wish to connect to.
+static BLEUUID serviceUUID("4fafc201-1fb5-459e-8fcc-c5c9c331914b");
+// The characteristics of the remote service we are interested in.
+static BLEUUID insecureCharUUID("beb5483e-36e1-4688-b7f5-ea07361b26a8");
+static BLEUUID secureCharUUID("ff1d2614-e2d6-4c87-9154-6625d39ca7f8");
+
+// This must match the server's passkey
+#define CLIENT_PIN 123456
+
+static boolean doConnect = false;
+static boolean connected = false;
+static boolean doScan = false;
+static BLERemoteCharacteristic *pRemoteInsecureCharacteristic;
+static BLERemoteCharacteristic *pRemoteSecureCharacteristic;
+static BLEAdvertisedDevice *myDevice;
+
+// Callback function to handle notifications
+static void notifyCallback(BLERemoteCharacteristic *pBLERemoteCharacteristic, uint8_t *pData, size_t length, bool isNotify) {
+  Serial.print("Notify callback for characteristic ");
+  Serial.print(pBLERemoteCharacteristic->getUUID().toString().c_str());
+  Serial.print(" of data length ");
+  Serial.println(length);
+  Serial.print("data: ");
+  Serial.write(pData, length);
+  Serial.println();
+}
+
+class MyClientCallback : public BLEClientCallbacks {
+  void onConnect(BLEClient *pclient) {
+    Serial.println("Connected to secure server");
+  }
+
+  void onDisconnect(BLEClient *pclient) {
+    connected = false;
+    Serial.println("Disconnected from server");
+  }
+};
+
+bool connectToServer() {
+  Serial.print("Forming a secure connection to ");
+  Serial.println(myDevice->getAddress().toString().c_str());
+
+  BLEClient *pClient = BLEDevice::createClient();
+  Serial.println(" - Created client");
+
+  pClient->setClientCallbacks(new MyClientCallback());
+
+  // Connect to the remote BLE Server.
+  pClient->connect(myDevice);
+  Serial.println(" - Connected to server");
+
+  // Set MTU to maximum for better performance
+  pClient->setMTU(517);
+
+  // Obtain a reference to the service we are after in the remote BLE server.
+  BLERemoteService *pRemoteService = pClient->getService(serviceUUID);
+  if (pRemoteService == nullptr) {
+    Serial.print("Failed to find our service UUID: ");
+    Serial.println(serviceUUID.toString().c_str());
+    pClient->disconnect();
+    return false;
+  }
+  Serial.println(" - Found our service");
+
+  // Obtain a reference to the insecure characteristic
+  pRemoteInsecureCharacteristic = pRemoteService->getCharacteristic(insecureCharUUID);
+  if (pRemoteInsecureCharacteristic == nullptr) {
+    Serial.print("Failed to find insecure characteristic UUID: ");
+    Serial.println(insecureCharUUID.toString().c_str());
+    pClient->disconnect();
+    return false;
+  }
+  Serial.println(" - Found insecure characteristic");
+
+  // Obtain a reference to the secure characteristic
+  pRemoteSecureCharacteristic = pRemoteService->getCharacteristic(secureCharUUID);
+  if (pRemoteSecureCharacteristic == nullptr) {
+    Serial.print("Failed to find secure characteristic UUID: ");
+    Serial.println(secureCharUUID.toString().c_str());
+    pClient->disconnect();
+    return false;
+  }
+  Serial.println(" - Found secure characteristic");
+
+  // Read the value of the insecure characteristic (should work without authentication)
+  if (pRemoteInsecureCharacteristic->canRead()) {
+    String value = pRemoteInsecureCharacteristic->readValue();
+    Serial.print("Insecure characteristic value: ");
+    Serial.println(value.c_str());
+  }
+
+  // For Bluedroid, we need to set the authentication request type for the secure characteristic
+  // This is not needed for NimBLE and will be ignored.
+  pRemoteSecureCharacteristic->setAuth(ESP_GATT_AUTH_REQ_NO_MITM);
+
+  // Try to read the secure characteristic (this will trigger security negotiation in NimBLE)
+  if (pRemoteSecureCharacteristic->canRead()) {
+    Serial.println("Attempting to read secure characteristic...");
+    String value = pRemoteSecureCharacteristic->readValue();
+    Serial.print("Secure characteristic value: ");
+    Serial.println(value.c_str());
+  }
+
+  // Register for notifications on both characteristics if they support it
+  if (pRemoteInsecureCharacteristic->canNotify()) {
+    pRemoteInsecureCharacteristic->registerForNotify(notifyCallback);
+    Serial.println(" - Registered for insecure characteristic notifications");
+  }
+
+  if (pRemoteSecureCharacteristic->canNotify()) {
+    pRemoteSecureCharacteristic->registerForNotify(notifyCallback);
+    Serial.println(" - Registered for secure characteristic notifications");
+  }
+
+  connected = true;
+  return true;
+}
+
+/**
+ * Scan for BLE servers and find the first one that advertises the service we are looking for.
+ */
+class MyAdvertisedDeviceCallbacks : public BLEAdvertisedDeviceCallbacks {
+  /**
+   * Called for each advertising BLE server.
+   */
+  void onResult(BLEAdvertisedDevice advertisedDevice) {
+    Serial.print("BLE Advertised Device found: ");
+    Serial.println(advertisedDevice.toString().c_str());
+
+    // We have found a device, let us now see if it contains the service we are looking for.
+    if (advertisedDevice.haveServiceUUID() && advertisedDevice.isAdvertisingService(serviceUUID)) {
+      Serial.println("Found our secure server!");
+      BLEDevice::getScan()->stop();
+      myDevice = new BLEAdvertisedDevice(advertisedDevice);
+      doConnect = true;
+      doScan = true;
+    }
+  }
+};
+
+void setup() {
+  Serial.begin(115200);
+  Serial.println("Starting Secure BLE Client application...");
+
+  BLEDevice::init("Secure BLE Client");
+
+  // Set up security with the same passkey as the server
+  BLESecurity *pSecurity = new BLESecurity();
+
+  // Set security parameters
+  // Default parameters:
+  // - IO capability is set to NONE
+  // - Initiator and responder key distribution flags are set to both encryption and identity keys.
+  // - Passkey is set to BLE_SM_DEFAULT_PASSKEY (123456). It will warn if you don't change it.
+  // - Max key size is set to 16 bytes
+
+  // Set the same static passkey as the server
+  // The first argument defines if the passkey is static or random.
+  // The second argument is the passkey (ignored when using a random passkey).
+  pSecurity->setPassKey(true, CLIENT_PIN);
+
+  // Set authentication mode to match server requirements
+  // Enable secure connection only for this example
+  pSecurity->setAuthenticationMode(false, false, true);
+
+  // Retrieve a Scanner and set the callback we want to use to be informed when we
+  // have detected a new device. Specify that we want active scanning and start the
+  // scan to run for 5 seconds.
+  BLEScan *pBLEScan = BLEDevice::getScan();
+  pBLEScan->setAdvertisedDeviceCallbacks(new MyAdvertisedDeviceCallbacks());
+  pBLEScan->setInterval(1349);
+  pBLEScan->setWindow(449);
+  pBLEScan->setActiveScan(true);
+  pBLEScan->start(5, false);
+}
+
+void loop() {
+  // If the flag "doConnect" is true then we have scanned for and found the desired
+  // BLE Server with which we wish to connect. Now we connect to it.
+  if (doConnect == true) {
+    if (connectToServer()) {
+      Serial.println("We are now connected to the secure BLE Server.");
+    } else {
+      Serial.println("We have failed to connect to the server; there is nothing more we will do.");
+    }
+    doConnect = false;
+  }
+
+  // If we are connected to a peer BLE Server, demonstrate secure communication
+  if (connected) {
+    // Write to the insecure characteristic
+    String insecureValue = "Client time: " + String(millis() / 1000);
+    if (pRemoteInsecureCharacteristic->canWrite()) {
+      pRemoteInsecureCharacteristic->writeValue(insecureValue.c_str(), insecureValue.length());
+      Serial.println("Wrote to insecure characteristic: " + insecureValue);
+    }
+
+    // Write to the secure characteristic
+    String secureValue = "Secure client time: " + String(millis() / 1000);
+    if (pRemoteSecureCharacteristic->canWrite()) {
+      pRemoteSecureCharacteristic->writeValue(secureValue.c_str(), secureValue.length());
+      Serial.println("Wrote to secure characteristic: " + secureValue);
+    }
+  } else if (doScan) {
+    // Restart scanning if we're disconnected
+    BLEDevice::getScan()->start(0);
+  }
+
+  delay(2000);  // Delay 2 seconds between loops
+}

libraries/BLE/examples/Client_secure_static_passkey/ci.json

@@ -0,0 +1,6 @@
+{
+  "fqbn_append": "PartitionScheme=huge_app",
+  "requires": [
+    "CONFIG_SOC_BLE_SUPPORTED=y"
+  ]
+}

libraries/BLE/examples/Server_secure_static_passkey/Server_secure_static_passkey.ino

@@ -0,0 +1,112 @@
+/*
+  Secure server with static passkey
+
+  This example demonstrates how to create a secure BLE server with no
+  IO capability using a static passkey.
+  The server will accept connections from devices that have the same passkey set.
+  The example passkey is set to 123456.
+  The server will create a service and a secure and an insecure characteristic
+  to be used as example.
+
+  This server is designed to be used with the Client_secure_static_passkey example.
+
+  Note that ESP32 uses Bluedroid by default and the other SoCs use NimBLE.
+  Bluedroid initiates security on-connect, while NimBLE initiates security on-demand.
+  This means that in NimBLE you can read the insecure characteristic without entering
+  the passkey. This is not possible in Bluedroid.
+
+  Also, the SoC stores the authentication info in the NVS memory. After a successful
+  connection it is possible that a passkey change will be ineffective.
+  To avoid this, clear the memory of the SoC's between security tests.
+
+  Based on examples from Neil Kolban and h2zero.
+  Created by lucasssvaz.
+*/
+
+#include <BLEDevice.h>
+#include <BLEUtils.h>
+#include <BLEServer.h>
+#include <BLESecurity.h>
+#include <string>
+
+// See the following for generating UUIDs:
+// https://www.uuidgenerator.net/
+
+#define SERVICE_UUID                 "4fafc201-1fb5-459e-8fcc-c5c9c331914b"
+#define Insecure_CHARACTERISTIC_UUID "beb5483e-36e1-4688-b7f5-ea07361b26a8"
+#define SECURE_CHARACTERISTIC_UUID   "ff1d2614-e2d6-4c87-9154-6625d39ca7f8"
+
+// This is an example passkey. You should use a different or random passkey.
+#define SERVER_PIN 123456
+
+void setup() {
+  Serial.begin(115200);
+  Serial.println("Starting BLE work!");
+
+  Serial.print("Using BLE stack: ");
+  Serial.println(BLEDevice::getBLEStackString());
+
+  BLEDevice::init("Secure BLE Server");
+
+  BLESecurity *pSecurity = new BLESecurity();
+
+  // Set security parameters
+  // Default parameters:
+  // - IO capability is set to NONE
+  // - Initiator and responder key distribution flags are set to both encryption and identity keys.
+  // - Passkey is set to BLE_SM_DEFAULT_PASSKEY (123456). It will warn if you don't change it.
+  // - Max key size is set to 16 bytes
+
+  // Set static passkey
+  // The first argument defines if the passkey is static or random.
+  // The second argument is the passkey (ignored when using a random passkey).
+  pSecurity->setPassKey(true, SERVER_PIN);
+
+  // Set authentication mode
+  // Require secure connection only for this example
+  pSecurity->setAuthenticationMode(false, false, true);
+
+  BLEServer *pServer = BLEDevice::createServer();
+  pServer->advertiseOnDisconnect(true);
+
+  BLEService *pService = pServer->createService(SERVICE_UUID);
+
+  uint32_t insecure_properties = BLECharacteristic::PROPERTY_READ | BLECharacteristic::PROPERTY_WRITE;
+  uint32_t secure_properties = insecure_properties;
+
+  // NimBLE uses properties to secure characteristics.
+  // These special permission properties are not supported by Bluedroid and will be ignored.
+  // This can be removed if only using Bluedroid (ESP32).
+  // Check the BLECharacteristic.h file for more information.
+  secure_properties |= BLECharacteristic::PROPERTY_READ_ENC | BLECharacteristic::PROPERTY_WRITE_ENC;
+
+  BLECharacteristic *pSecureCharacteristic = pService->createCharacteristic(SECURE_CHARACTERISTIC_UUID, secure_properties);
+  BLECharacteristic *pInsecureCharacteristic = pService->createCharacteristic(Insecure_CHARACTERISTIC_UUID, insecure_properties);
+
+  // Bluedroid uses permissions to secure characteristics.
+  // This is the same as using the properties above.
+  // NimBLE does not use permissions and will ignore these calls.
+  // This can be removed if only using NimBLE (any SoC except ESP32).
+  pSecureCharacteristic->setAccessPermissions(ESP_GATT_PERM_READ_ENCRYPTED | ESP_GATT_PERM_WRITE_ENCRYPTED);
+  pInsecureCharacteristic->setAccessPermissions(ESP_GATT_PERM_READ | ESP_GATT_PERM_WRITE);
+
+  // Set value for secure characteristic
+  pSecureCharacteristic->setValue("Secure Hello World!");
+
+  // Set value for insecure characteristic
+  // When using NimBLE you will be able to read this characteristic without entering the passkey.
+  pInsecureCharacteristic->setValue("Insecure Hello World!");
+
+  pService->start();
+  BLEAdvertising *pAdvertising = BLEDevice::getAdvertising();
+  pAdvertising->addServiceUUID(SERVICE_UUID);
+  pAdvertising->setScanResponse(true);
+  pAdvertising->setMinPreferred(0x06);  // functions that help with iPhone connections issue
+  pAdvertising->setMinPreferred(0x12);
+  BLEDevice::startAdvertising();
+  Serial.println("Characteristic defined! Now you can read it in your phone!");
+}
+
+void loop() {
+  delay(2000);
+}

libraries/BLE/examples/Server_secure_static_passkey/ci.json

@@ -0,0 +1,6 @@
+{
+  "fqbn_append": "PartitionScheme=huge_app",
+  "requires": [
+    "CONFIG_SOC_BLE_SUPPORTED=y"
+  ]
+}