Merge pull request #466 from adafruit/develop

implement comprehensive LESC and Legacy pairing

Author: hathach

.github/workflows/githubci.yml

@@ -54,8 +54,8 @@ jobs:
         ln -s $GITHUB_WORKSPACE $HOME/$BSP_PATH/$BSP_VERSION
 
         # Install library dependency
-        arduino-cli lib install "Adafruit AHRS" "Adafruit APDS9960 Library" "Adafruit BMP280 Library" "Adafruit Circuit Playground" "Adafruit EPD" "Adafruit GFX Library" "Adafruit HX8357 Library" "Adafruit ILI9341" "Adafruit LIS3MDL" "Adafruit LSM6DS" "Adafruit NeoPixel" "Adafruit NeoMatrix" "Adafruit Sensor Calibration" "Adafruit SHT31 Library" "Adafruit SSD1306" "Adafruit ST7735 and ST7789 Library" "SdFat - Adafruit Fork"
-
+        arduino-cli lib install "Adafruit AHRS" "Adafruit APDS9960 Library" "Adafruit Arcada Library" "Adafruit BMP280 Library" "Adafruit Circuit Playground" "Adafruit EPD" "Adafruit GFX Library" "Adafruit HX8357 Library" "Adafruit ILI9341" "Adafruit LIS3MDL" "Adafruit LSM6DS" "Adafruit NeoPixel" "Adafruit NeoMatrix" "Adafruit Sensor Calibration" "Adafruit SHT31 Library" "Adafruit SSD1306" "Adafruit ST7735 and ST7789 Library" "SdFat - Adafruit Fork"
+        
         # TODO update to support MIDI version 5 later on
         arduino-cli lib install "MIDI Library"@4.3.1
 

.gitmodules

@@ -1,3 +1,6 @@
 [submodule "cores/nRF5/TinyUSB/Adafruit_TinyUSB_ArduinoCore"]
 	path = cores/nRF5/TinyUSB/Adafruit_TinyUSB_ArduinoCore
 	url = https://github.com/adafruit/Adafruit_TinyUSB_ArduinoCore.git
+[submodule "libraries/Adafruit_nRFCrypto"]
+	path = libraries/Adafruit_nRFCrypto
+	url = https://github.com/adafruit/Adafruit_nRFCrypto.git

README.md

@@ -16,6 +16,7 @@ Following boards are also included but are not officially supported:
 
 - [Nordic nRF52840DK PCA10056](https://www.nordicsemi.com/Software-and-Tools/Development-Kits/nRF52840-DK)
 - [Particle Xenon](https://store.particle.io/products/xenon)
+- [Raytac MDBT50Q-RX Dongle](https://www.raytac.com/product/ins.php?index_id=89)
 
 ## BSP Installation
 
@@ -49,7 +50,7 @@ There are two methods that you can use to install this BSP. We highly recommend
 
 ### Adafruit's nrfutil tools
 
-[adafruit-nrfutil](https://github.com/adafruit/Adafruit_nRF52_nrfutil) (derived from Nordic pc-nrfutil) is needed to upload sketch via serial port.
+[adafruit-nrfutil](https://github.com/adafruit/Adafruit_nRF52_nrfutil) (derived from Nordic [pc-nrfutil](https://github.com/NordicSemiconductor/pc-nrfutil)) is needed to upload sketch via serial port.
 
 - For Windows and macOS, pre-built executable binaries are included in the BSP at `tools/adafruit-nrfutil/`. It should work out of the box.
 - Linux user need to run follow command to install it from PyPi
@@ -117,8 +118,7 @@ which in turn is based on the [Arduino SAMD Core](https://github.com/arduino/Ard
 
 The following libraries are used:
 
-- adafruit-nrfutil is based on Nordic Semiconductor ASA's [pc-nrfutil](https://github.com/NordicSemiconductor/pc-nrfutil)
-- [freeRTOS](https://www.freertos.org/) as operating system
-- [tinyusb](https://github.com/hathach/tinyusb) as usb stack
+- [FreeRTOS](https://www.freertos.org/) as operating system
+- [LittleFS](https://github.com/ARMmbed/littlefs) for internal file system
 - [nrfx](https://github.com/NordicSemiconductor/nrfx) for peripherals driver
-- [littlefs](https://github.com/ARMmbed/littlefs) for internal file system
+- [TinyUSB](https://github.com/hathach/tinyusb) as usb stack

changelog.md

@@ -1,5 +1,55 @@
 # Adafruit nRF52 Arduino Core Changelog
 
+## 0.22.0 - WIP
+
+This version implement comprehensive LESC and Legacy pairing using dynamic & static Passkey.
+
+- Support static passkey (Legacy only)
+- Support LESC on nRF52840 using hardware-accelerated ARM CryptoCell CC310 provided by [Adafruit_nRFCypto](https://github.com/adafruit/Adafruit_nRFCrypto). The library is included as submodule and released together with the BSP.
+- Rework bonding mechanism to use IRK for peer finding. It is advisable to run `clearbonds` example to clean up bond files of previous version
+
+### BLESecurity
+
+A new class BLESecurity (access with Bluefruit.Security) is added to handle security and pairing.
+
+- **setPIN()** to set static passkey, this will force to use Legacy Pairing
+- **setIOCaps()** to congiure IO capacities
+- **setMITM()** to enable/disable Man in The Middle protection (passkey), it is auto-enabled when using passkey
+- **setPairPasskeyCallback()** to register callback for displaying pairing passkey to user
+- **setPairCompleteCallback()** to register callback for the result of pairing procedure (succeeded or failed)
+- **setSecuredCallback()** to register callback which invoked when connection is secured. This happens after he pairing procedure is complete, or we re-connect with preivously bonded peer device
+
+### Other Changes
+
+**BLECentral** 
+
+- will automatically use stored Long Term Key to secure connection if paired/bonded with device previously
+
+**Bluefruit**
+
+- Bluefruit::requestPairing() is removed, please use the BLEConnection::requestPairing() instead
+- Bluefruit::connPaired() is removed, please use BLEConnection::secure() instead
+- Default Device name is USB_PRODUCT if available e.g CLUE, Circuit Playground Bluefruit, Feather nRF52840 Express etc ...
+
+**BLEService**
+
+- Added setPermission()
+
+**BLEConnection**
+
+- BLEConnection::requestPairing() is now non-blocking, it will return right after sending request to peer device. Previously it is blocked until the pairing process is complete.
+- Added BLEConnection::secured() to check if the connection is secured/encrypted
+- Added BLEConnection::bonded() to check if we store Longterm Key with current peer
+- Removed BLEConnection:paried(), user should either use secured() or bonded() depending on the context
+- If bonded, getPeerAddr() will return peer public address instead of random address. 
+
+**New Example Sketches**
+
+- **pairing_pin** to use static PIN for peripheral role
+- **pairing_passkey** to use dyanmic Passkey for pairing. On Arcada compatible device such as `CLUE` or `Circuit Playground Bluefruit`, TFT display will also be used to display passkey.
+- **cental_pairing** similar to pairing_passkey but for nRF running central role
+- **ancs_arcada** for displaying ancs on arcada such CLUE and/or CPB.
+
 ## 0.21.0 - 2020.08.31
 
 Special thanks to @henrygab, @pyro9, @Nenik, @orrmany, @thaanstad, @kevinfrei for contributing and helping with this release.
@@ -21,15 +71,15 @@ Special thanks to @henrygab, @pyro9, @Nenik, @orrmany, @thaanstad, @kevinfrei fo
 
 ## 0.20.5 - 2020.07.05
 
-Special thanks to @henrygab, @pyro9, @geeksville for contributing and helping with this release.
-
 - Updated toolchain from gcc 7-2017q4 to 9-2019q4
 - Fixed GPIOTE channel conflict between libraries
 - Added type-safe for arrcount() macros
 - Added truncate() and rename() to Internal Filesystem (LittleFS).
 - Update CMSIS from v4 to v5 to build with TensorFlow
 - Update TinyUSB core to commit 0749077
 
+Special thanks to @henrygab, @pyro9, @geeksville for contributing and helping with this release.
+
 ## 0.20.1 - 2020.04.23
 
 - Update TinyUSB to commit c59fa77 due to a bug in the stack

cores/nRF5/Arduino.h

@@ -134,9 +134,9 @@ void resumeLoop(void);
 #define bit(b) (1UL << (b))
 
 #ifdef NRF_P1
-#define digitalPinToPort(P)        ( (g_ADigitalPinMap[P] < 32) ? NRF_P0 : NRF_P1 )
+  #define digitalPinToPort(P)        ( (g_ADigitalPinMap[P] < 32) ? NRF_P0 : NRF_P1 )
 #else
-#define digitalPinToPort(P)        ( NRF_P0 )
+  #define digitalPinToPort(P)        ( NRF_P0 )
 #endif
 
 #define digitalPinToBitMask(P)     ( 1UL << ( g_ADigitalPinMap[P] < 32 ? g_ADigitalPinMap[P] : (g_ADigitalPinMap[P]-32) ) )

cores/nRF5/common_func.h

@@ -157,19 +157,19 @@ const char* dbg_err_str(int32_t err_id); // TODO move to other place
 
 
 #if CFG_DEBUG
-#define LOG_LV1(...)          ADALOG(__VA_ARGS__)
-#define LOG_LV1_BUFFER(...)   ADALOG_BUFFER(__VA_ARGS__)
+  #define LOG_LV1(...)          ADALOG(__VA_ARGS__)
+  #define LOG_LV1_BUFFER(...)   ADALOG_BUFFER(__VA_ARGS__)
 #else
-#define LOG_LV1(...)
-#define LOG_LV1_BUFFER(...)
+  #define LOG_LV1(...)
+  #define LOG_LV1_BUFFER(...)
 #endif
 
 #if CFG_DEBUG >= 2
-#define LOG_LV2(...)          ADALOG(__VA_ARGS__)
-#define LOG_LV2_BUFFER(...)   ADALOG_BUFFER(__VA_ARGS__)
+  #define LOG_LV2(...)          ADALOG(__VA_ARGS__)
+  #define LOG_LV2_BUFFER(...)   ADALOG_BUFFER(__VA_ARGS__)
 #else
-#define LOG_LV2(...)
-#define LOG_LV2_BUFFER(...)
+  #define LOG_LV2(...)
+  #define LOG_LV2_BUFFER(...)
 #endif
 
 #if CFG_DEBUG
@@ -193,7 +193,10 @@ const char* dbg_err_str(int32_t err_id); // TODO move to other place
   do {\
     uint8_t const* p8 = (uint8_t const*) (buf);\
     PRINTF(#buf ": ");\
-    for(uint32_t i=0; i<(n); i++) PRINTF("%02x ", p8[i]);\
+    for(uint32_t i=0; i<(n); i++) {\
+      if (i%16 == 0) PRINTF("\n"); \
+      PRINTF("%02x ", p8[i]); \
+    }\
     PRINTF("\n");\
   }while(0)
 
@@ -213,15 +216,15 @@ const char* dbg_err_str(int32_t err_id); // TODO move to other place
 
 #else
 
-#define PRINT_LOCATION()
-#define PRINT_MESS(x)
-#define PRINT_HEAP()
-#define PRINT_STR(x)
-#define PRINT_INT(x)
-#define PRINT_HEX(x)
-#define PRINT_FLOAT(x)
-#define PRINT_BUFFER(buf, n)
-#define ADALOG(...)
+  #define PRINT_LOCATION()
+  #define PRINT_MESS(x)
+  #define PRTNT_HEAP()
+  #define PRINT_STR(x)
+  #define PRINT_INT(x)
+  #define PRINT_HEX(x)
+  #define PRINT_FLOAT(x)
+  #define PRINT_BUFFER(buf, n)
+  #define ADALOG(...)
 
 #endif
 

cores/nRF5/common_inc.h

@@ -38,6 +38,7 @@
 
 #include <stdint.h>
 #include <stdbool.h>
+#include <stddef.h>
 
 #include "compiler_macro.h"
 #include "common_func.h"

cores/nRF5/linker/nrf52840_s140_v6.ld

@@ -7,7 +7,7 @@ MEMORY
 {
   FLASH (rx)     : ORIGIN = 0x26000, LENGTH = 0xED000 - 0x26000
 
-  /* SRAM required by S132 depend on
+  /* SRAM required by Softdevice depend on
    * - Attribute Table Size (Number of Services and Characteristics)
    * - Vendor UUID count
    * - Max ATT MTU

cores/nRF5/rtos.h

@@ -50,7 +50,10 @@
 #include "queue.h"
 #include "semphr.h"
 
+#define DEBUG_MALLOC    1
+
 #define DELAY_FOREVER   portMAX_DELAY
+
 enum
 {
   TASK_PRIO_LOWEST  = 0, // Idle task, should not be used
@@ -65,8 +68,11 @@ enum
 #define tick2ms(tck)         ( ( ((uint64_t)(tck)) * 1000) / configTICK_RATE_HZ )
 #define tick2us(tck)         ( ( ((uint64_t)(tck)) * 1000000) / configTICK_RATE_HZ )
 
-#define malloc_type(type)    rtos_malloc( sizeof(type) )
-#define rtos_malloc_type(_type)   (_type*) rtos_malloc(sizeof(_type))
+#if DEBUG_MALLOC
+  #define rtos_malloc_type(_type)   ({ LOG_LV2("MALLOC", #_type " = %d bytes", sizeof(_type)); ((_type*) rtos_malloc(sizeof(_type))); })
+#else
+  #define rtos_malloc_type(_type)   ((_type*) rtos_malloc(sizeof(_type)))
+#endif
 
 static inline void* rtos_malloc(size_t _size)
 {

cores/nRF5/verify.h

@@ -61,13 +61,13 @@ extern "C"
   static inline void VERIFY_MESS_impl(int32_t _status, const char* (*_fstr)(int32_t), const char* func_name, int line_number)
   {
       PRINTF("%s: %d: verify failed, error = ", func_name, line_number);
-      if (_fstr)
+      if (_fstr && _fstr(_status))
       {
         PRINTF(_fstr(_status));
       }
       else
       {
-        PRINTF("%ld", _status);
+        PRINTF("0x%lX (%ld)", _status, _status);
       }
       PRINTF("\n");
   }
@@ -107,9 +107,15 @@ extern "C"
  * - status value if called with 1 parameter e.g VERIFY_STATUS(status)
  * - 2 parameter if called with 2 parameters e.g VERIFY_STATUS(status, errorcode)
  */
-#define VERIFY_STATUS(...)  _GET_3RD_ARG(__VA_ARGS__, VERIFY_ERR_2ARGS, VERIFY_ERR_1ARGS)(__VA_ARGS__, dbg_err_str)
+#define VERIFY_STATUS(...)      _GET_3RD_ARG(__VA_ARGS__, VERIFY_ERR_2ARGS, VERIFY_ERR_1ARGS)(__VA_ARGS__, dbg_err_str)
 
-#define VERIFY_ERROR(...)   _GET_3RD_ARG(__VA_ARGS__, VERIFY_ERR_2ARGS, VERIFY_ERR_1ARGS)(__VA_ARGS__, NULL)
+#define PRINT_STATUS(_exp) do                            \
+{                                                        \
+  int32_t _status = (int32_t) _exp;                      \
+  if ( 0 != _status ) VERIFY_MESS(_status, dbg_err_str); \
+} while(0)                                               \
+
+#define VERIFY_ERROR(...)       _GET_3RD_ARG(__VA_ARGS__, VERIFY_ERR_2ARGS, VERIFY_ERR_1ARGS)(__VA_ARGS__, NULL)
 
 /*------------------------------------------------------------------*/
 /* VERIFY

libraries/Adafruit_nRFCrypto

@@ -25,7 +25,7 @@ BLEClientUart clientUart; // bleuart client
 void setup()
 {
   Serial.begin(115200);
-  while ( !Serial ) delay(10);   // for nrf52840 with native usb
+//  while ( !Serial ) delay(10);   // for nrf52840 with native usb
 
   Serial.println("Bluefruit52 Central BLEUART Example");
   Serial.println("-----------------------------------\n");

libraries/Bluefruit52Lib/examples/Central/central_bleuart/central_bleuart.ino

@@ -30,7 +30,7 @@ hid_mouse_report_t last_mse_report = { 0 };
 void setup()
 {
   Serial.begin(115200);
-  while ( !Serial ) delay(10);   // for nrf52840 with native usb
+//  while ( !Serial ) delay(10);   // for nrf52840 with native usb
 
   Serial.println("Bluefruit52 Central HID (Keyboard + Mouse) Example");
   Serial.println("--------------------------------------------------\n");
@@ -55,6 +55,9 @@ void setup()
   Bluefruit.Central.setConnectCallback(connect_callback);
   Bluefruit.Central.setDisconnectCallback(disconnect_callback);
 
+  // Set connection secured callback, invoked when connection is encrypted
+  Bluefruit.Security.setSecuredCallback(connection_secured_callback);
+
   /* Start Central Scanning
    * - Enable auto scan if disconnected
    * - Interval = 100 ms, window = 80 ms
@@ -88,6 +91,8 @@ void scan_callback(ble_gap_evt_adv_report_t* report)
  */
 void connect_callback(uint16_t conn_handle)
 {
+  BLEConnection* conn = Bluefruit.Connection(conn_handle);
+
   Serial.println("Connected");
 
   Serial.print("Discovering HID  Service ... ");
@@ -97,11 +102,31 @@ void connect_callback(uint16_t conn_handle)
     Serial.println("Found it");
 
     // HID device mostly require pairing/bonding
-    if ( !Bluefruit.requestPairing(conn_handle) )
-    {
-      Serial.print("Failed to paired");
-      return;
-    }
+    conn->requestPairing();
+  }else
+  {
+    Serial.println("Found NONE");
+    
+    // disconnect since we couldn't find blehid service
+    conn->disconnect();
+  }
+}
+
+void connection_secured_callback(uint16_t conn_handle)
+{
+  BLEConnection* conn = Bluefruit.Connection(conn_handle);
+
+  if ( !conn->secured() )
+  {
+    // It is possible that connection is still not secured by this time.
+    // This happens (central only) when we try to encrypt connection using stored bond keys
+    // but peer reject it (probably it remove its stored key).
+    // Therefore we will request an pairing again --> callback again when encrypted
+    conn->requestPairing();
+  }
+  else
+  {
+    Serial.println("Secured");
 
     // https://www.bluetooth.com/specifications/gatt/viewer?attributeXmlFile=org.bluetooth.characteristic.hid_information.xml
     uint8_t hidInfo[4];
@@ -120,15 +145,9 @@ void connect_callback(uint16_t conn_handle)
 
     // Enable Mouse report notification if present on prph
     if ( hid.mousePresent() ) hid.enableMouse();
-    
+
     Serial.println("Ready to receive from peripheral");
-  }else
-  {
-    Serial.println("Found NONE");
-    
-    // disconnect since we couldn't find blehid service
-    Bluefruit.disconnect(conn_handle);
-  }  
+  }
 }
 
 /**