zephyrproject-rtos / zephyr

Primary Git Repository for the Zephyr Project. Zephyr is a new generation, scalable, optimized, secure RTOS for multiple hardware architectures.
https://docs.zephyrproject.org
Apache License 2.0

Bluetooth LESC debug keys support (BT_USE_DEBUG_KEYS) is broken #9867

Closed aescolar closed 6 years ago

aescolar commented 6 years ago

Configuring CONFIG_BT_USE_DEBUG_KEYS=y will lead to failure during pairing.


d_00: @00:00:00.000000 Booting Zephyr OS v1.9.0-7108-g19845a7
d_01: @00:00:00.000000 Booting Zephyr OS v1.9.0-7108-g19845a7
d_01: @00:00:00.000000 [bt] [INF] hci_vs_init: HW Platform: Nordic Semiconductor (0x0002)
d_01: @00:00:00.000000 [bt] [INF] hci_vs_init: HW Variant: nRF52x (0x0002)
d_01: @00:00:00.000000 [bt] [INF] hci_vs_init: Firmware: Standard Bluetooth controller (0x00) Version 1.13 Build 0
d_01: @00:00:00.000000 [bt] [WRN] bt_setup_id_addr: No static addresses stored in controller
d_00: @00:00:00.000000 [bt] [INF] hci_vs_init: HW Platform: Nordic Semiconductor (0x0002)
d_00: @00:00:00.000000 [bt] [INF] hci_vs_init: HW Variant: nRF52x (0x0002)
d_00: @00:00:00.000000 [bt] [INF] hci_vs_init: Firmware: Standard Bluetooth controller (0x00) Version 1.13 Build 0
d_00: @00:00:00.000000 [bt] [WRN] bt_setup_id_addr: No static addresses stored in controller
d_01: @00:00:00.002528 [bt] [INF] bt_dev_show_info: Identity: f7:38:e5:75:02:d8 (random)
d_01: @00:00:00.002528 [bt] [INF] bt_dev_show_info: HCI: version 5.0 (0x09) revision 0x0000, manufacturer 0x05f1
d_01: @00:00:00.002528 [bt] [INF] bt_dev_show_info: LMP: version 5.0 (0x09) subver 0xffff
d_01: @00:00:00.002528 [bt] [DBG] bt_smp_init: (0x080af060) LE SC enabled
d_01: @00:00:00.002528 [bt] [DBG] bt_smp_pkey_ready: (0x080aff40)
d_00: @00:00:00.002528 [bt] [INF] bt_dev_show_info: Identity: fa:dd:f6:49:f2:51 (random)
d_00: @00:00:00.002528 [bt] [INF] bt_dev_show_info: HCI: version 5.0 (0x09) revision 0x0000, manufacturer 0x05f1
d_00: @00:00:00.002528 [bt] [INF] bt_dev_show_info: LMP: version 5.0 (0x09) subver 0xffff
d_00: @00:00:00.002528 [bt] [DBG] bt_smp_init: (0x080af3b0) LE SC enabled
d_00: @00:00:00.002528 [bt] [DBG] bt_smp_pkey_ready: (0x080a7720)
d_01: @00:00:00.004448 [bt] [WRN] irk_init: Using temporary IRK
d_01: @00:00:00.004448 Bluetooth initialized
d_00: @00:00:00.004448 [bt] [WRN] irk_init: Using temporary IRK
d_00: @00:00:00.004448 Bluetooth initialized
d_01: @00:00:00.005048 Scanning successfully started
d_00: @00:00:00.005048 Advertising successfully started
d_01: @00:00:00.007010 [bt] [DBG] bt_keys_find_irk: (0x080b7b80) 78:18:63:8a:e4:cc (random)
d_01: @00:00:00.007010 [bt] [DBG] bt_keys_find_irk: (0x080b7b80) No IRK for 78:18:63:8a:e4:cc (random)
d_01: @00:00:00.007010 [DEVICE]: 78:18:63:8a:e4:cc (random), AD evt type 0, AD data len 29, RSSI -35
d_01: @00:00:00.007010 [AD]: 1 data_len 1
d_01: @00:00:00.007010 [AD]: 3 data_len 6
d_01: @00:00:00.116389 [bt] [DBG] bt_smp_accept: (0x080b7b80) conn 0x080b00c0 handle 0
d_01: @00:00:00.116389 [bt] [DBG] bt_smp_connected: (0x080b7b80) chan 0x080b03e0 cid 0x0006
d_01: @00:00:00.116389 Connected: 78:18:63:8a:e4:cc (random)
d_00: @00:00:00.116891 [bt] [DBG] bt_smp_accept: (0x080af240) conn 0x080a78a0 handle 0
d_00: @00:00:00.116891 [bt] [DBG] bt_smp_connected: (0x080af240) chan 0x080a7b80 cid 0x0006
d_00: @00:00:00.116891 Connected
d_01: @00:00:00.618713 [bt] [DBG] bt_keys_find: (0x080b7b80) type 32 78:18:63:8a:e4:cc (random)
d_01: @00:00:00.618713 [bt] [DBG] bt_keys_find: (0x080b7b80) type 4 78:18:63:8a:e4:cc (random)
d_01: @00:00:00.618713 [bt] [DBG] bt_smp_send_pairing_req: (0x080b7b80)
d_01: @00:00:00.620281 [bt] [DBG] smp_init: (0x080b7b80) prnd 68c662a92d46b300fc6122061aaeb841
d_00: @00:00:00.668932 [bt] [DBG] bt_smp_recv: (0x080af240) Received SMP code 0x01 len 7
d_00: @00:00:00.668932 [bt] [DBG] smp_pairing_req: (0x080af240)
d_00: @00:00:00.670500 [bt] [DBG] smp_init: (0x080af240) prnd 8bfc7e952bc1ddee0e489e57afb492ce
d_01: @00:00:00.718630 [bt] [DBG] bt_smp_recv: (0x080b7b80) Received SMP code 0x02 len 7
d_01: @00:00:00.718630 [bt] [DBG] smp_pairing_rsp: (0x080b7b80)
d_01: @00:00:00.719910 [ATTRIBUTE] handle 10
d_00: @00:00:00.768360 [bt] [DBG] bt_smp_recv: (0x080af240) Received SMP code 0x0c len 65
d_00: @00:00:00.768360 [bt] [DBG] smp_public_key: (0x080af240)
d_00: @00:00:00.768360 [bt] [DBG] smp_f4: (0x080af240) u 20b003d2f297be2c5e2c83a7e9f9a5b9eff49111acf4fddbcc0301480e359de6
d_00: @00:00:00.768360 [bt] [DBG] smp_f4: (0x080af240) v 20b003d2f297be2c5e2c83a7e9f9a5b9eff49111acf4fddbcc0301480e359de6
d_00: @00:00:00.768360 [bt] [DBG] smp_f4: (0x080af240) x 8bfc7e952bc1ddee0e489e57afb492ce z 0x0
d_00: @00:00:00.768360 [bt] [DBG] smp_f4: (0x080af240) res 20286648419abac6ac131a8700d165ca
d_00: @00:00:00.768360 [bt] [ERR] emulate_le_generate_dhkey: public key is not valid (ret -3)
d_00: @00:00:00.768360 [bt] [DBG] bt_smp_dhkey_ready: (0x080a7720) 0x00000000
d_00: @00:00:00.768360 [bt] [DBG] smp_pairing_complete: (0x080a7720) status 0xb
d_01: @00:00:00.868590 [bt] [DBG] bt_smp_recv: (0x080b7b80) Received SMP code 0x0c len 65
d_01: @00:00:00.868590 [bt] [DBG] smp_public_key: (0x080b7b80)
d_01: @00:00:00.868590 [bt] [ERR] emulate_le_generate_dhkey: public key is not valid (ret -3)
d_01: @00:00:00.868590 [bt] [DBG] bt_smp_dhkey_ready: (0x080aff40) 0x00000000
d_01: @00:00:00.868590 [bt] [DBG] smp_pairing_complete: (0x080aff40) status 0xb
d_00: @00:00:00.918288 [bt] [DBG] bt_smp_recv: (0x080af240) Received SMP code 0x05 len 2
d_00: @00:00:00.918288 [bt] [WRN] bt_smp_recv: Unexpected SMP code 0x05
d_01: @00:00:00.918686 [bt] [DBG] bt_smp_recv: (0x080b7b80) Received SMP code 0x03 len 17
d_01: @00:00:00.918686 [bt] [WRN] bt_smp_recv: Unexpected SMP code 0x03
d_01: @00:00:00.918686 [bt] [DBG] smp_pairing_complete: (0x080b7b80) status 0x8
d_00: @00:00:00.968288 [bt] [DBG] bt_smp_recv: (0x080af240) Received SMP code 0x05 len 2
d_00: @00:00:00.968288 [bt] [WRN] bt_smp_recv: Unexpected SMP code 0x05
d_01: @00:00:00.968566 [bt] [DBG] bt_smp_recv: (0x080b7b80) Received SMP code 0x05 len 2
d_01: @00:00:00.968566 [bt] [WRN] bt_smp_recv: Unexpected SMP code 0x05


How to reproduce:

Modify the central_hr as follows:

@@ static void connected(struct bt_conn *conn, u8_t conn_err)
        printk("Connected: %s\n", addr);

        if (conn == default_conn) {
+               k_sleep(500);
+               bt_conn_auth_cb_register(NULL);
+               err = bt_conn_security(conn, BT_SECURITY_MEDIUM);
+               if (err) {
+                       printk("bt_conn_security failed (err %d)\n", err);
+                       return;
+               }
                memcpy(&uuid, BT_UUID_HRS, sizeof(uuid));
                discover_params.uuid = &uuid.uuid;
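Review bot: `err` is assigned in `err = bt_conn_security(conn, BT_SECURITY_MEDIUM);` but is not declared anywhere in the hunk, so the patch only compiles if `connected()` already has an `int err;` in scope; the repro steps should say so. Two smaller points: `k_sleep(500)` is a bare literal delay placed inside a stack callback, so `connected()` holds up the thread the stack invokes it from for the whole wait, and a named constant plus a comment on why the delay is needed would make the intent clear; and `bt_conn_auth_cb_register(NULL)` clears any I/O-capability callbacks, so the pairing that follows is Just Works and the resulting BT_SECURITY_MEDIUM link is unauthenticated, which is adequate for exercising BT_USE_DEBUG_KEYS but is worth flagging as a repro-only change.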

Set CONFIG_BT_USE_DEBUG_KEYS=y in the central_hr and peripheral_hr project files.

Run this central_hr app on one device, against another device running this peripheral_hr app.

jhedberg commented 6 years ago

From a quick look it seems likely that the hci_ecc.c values are not in the correct byte order (little endian instead of big endian). E.g. smp.c has the same public key value, but that's compared against little endian data, whereas the hci_ecc.c values are passed to the crypto API which expects big endian.
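As an added illustration of the byte-order point above (this is not code from the Zephyr tree), the Python below models the public-key validity test that the log shows failing with `public key is not valid`. It uses the LE Secure Connections debug public key from the Bluetooth Core Specification (Vol 3, Part H, 2.3.5.6.1): the X coordinate is the `u`/`v` value printed by `smp_f4` in the log, the Y coordinate is the spec's companion value, and the P-256 parameters are the NIST constants. The same 64 bytes validate as a point on the curve when read big-endian and fail when read little-endian, which is what a crypto API handed the wrongly ordered key reports.

```python
# Added example, not Zephyr's code: model the public-key validity check that the
# log reports as "public key is not valid", to show why byte order matters.
# NIST P-256 domain parameters: y^2 = x^3 + a*x + b over GF(p), with a = p - 3.
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b

# LE Secure Connections debug public key (Bluetooth Core Spec Vol 3, Part H,
# 2.3.5.6.1), most-significant byte first as the spec prints it. X is the u/v
# value seen in the log; Y is the spec's companion coordinate.
DEBUG_PK_X_BE = bytes.fromhex(
    "20b003d2f297be2c5e2c83a7e9f9a5b9eff49111acf4fddbcc0301480e359de6")
DEBUG_PK_Y_BE = bytes.fromhex(
    "dc809c49652aeb6d63329abf5a52155c766345c28fed3024741c8ed01589d28b")


def point_on_curve(x: int, y: int) -> bool:
    """True if (x, y) is a finite point on P-256: in range and on the curve."""
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return (y * y - (x * x * x + P256_A * x + P256_B)) % P256_P == 0


def valid_public_key(x_bytes: bytes, y_bytes: bytes, byteorder: str) -> bool:
    """Decode two 32-byte coordinates in the given byte order ("big" or
    "little") and validate the point, as a crypto API does before computing
    a DH key with it."""
    if len(x_bytes) != 32 or len(y_bytes) != 32:
        return False
    x = int.from_bytes(x_bytes, byteorder)
    y = int.from_bytes(y_bytes, byteorder)
    if x == 0 and y == 0:  # all-zero encoding: not a usable point
        return False
    return point_on_curve(x, y)


def swap_byte_order(coord: bytes) -> bytes:
    """Convert a coordinate between the spec's big-endian form and the
    little-endian form SMP carries over the air."""
    return coord[::-1]


def check_debug_key() -> dict:
    """Validate the debug key under each interpretation; returns the results."""
    x_le, y_le = swap_byte_order(DEBUG_PK_X_BE), swap_byte_order(DEBUG_PK_Y_BE)
    return {
        "spec_bytes_read_big_endian": valid_public_key(DEBUG_PK_X_BE, DEBUG_PK_Y_BE, "big"),
        "spec_bytes_read_little_endian": valid_public_key(DEBUG_PK_X_BE, DEBUG_PK_Y_BE, "little"),
        "swapped_bytes_read_little_endian": valid_public_key(x_le, y_le, "little"),
    }
```

The third case is the over-the-air form: the spec's bytes reversed and then read little-endian give the same point back, so a table stored in one order must be byte-swapped before being passed to an API that expects the other.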