fix(ble): Fix typos and security start

Author: lucasssvaz

libraries/BLE/examples/Client_secure_static_passkey/Client_secure_static_passkey.ino

@@ -9,7 +9,7 @@
 
  Note that ESP32 uses Bluedroid by default and the other SoCs use NimBLE.
  Bluedroid initiates security on-connect, while NimBLE initiates security on-demand.
- This means that in NimBLE you can read the unsecure characteristic without entering
+ This means that in NimBLE you can read the insecure characteristic without entering
  the passkey. This is not possible in Bluedroid.
 
  Also, the SoC stores the authentication info in the NVS memory. After a successful
@@ -26,7 +26,7 @@
 // The remote service we wish to connect to.
 static BLEUUID serviceUUID("4fafc201-1fb5-459e-8fcc-c5c9c331914b");
 // The characteristics of the remote service we are interested in.
-static BLEUUID unsecureCharUUID("beb5483e-36e1-4688-b7f5-ea07361b26a8");
+static BLEUUID insecureCharUUID("beb5483e-36e1-4688-b7f5-ea07361b26a8");
 static BLEUUID secureCharUUID("ff1d2614-e2d6-4c87-9154-6625d39ca7f8");
 
 // This must match the server's passkey
@@ -35,7 +35,7 @@ static BLEUUID secureCharUUID("ff1d2614-e2d6-4c87-9154-6625d39ca7f8");
 static boolean doConnect = false;
 static boolean connected = false;
 static boolean doScan = false;
-static BLERemoteCharacteristic *pRemoteUnsecureCharacteristic;
+static BLERemoteCharacteristic *pRemoteInsecureCharacteristic;
 static BLERemoteCharacteristic *pRemoteSecureCharacteristic;
 static BLEAdvertisedDevice *myDevice;
 
@@ -87,15 +87,15 @@ bool connectToServer() {
  }
  Serial.println(" - Found our service");
 
- // Obtain a reference to the unsecure characteristic
- pRemoteUnsecureCharacteristic = pRemoteService->getCharacteristic(unsecureCharUUID);
- if (pRemoteUnsecureCharacteristic == nullptr) {
- Serial.print("Failed to find unsecure characteristic UUID: ");
- Serial.println(unsecureCharUUID.toString().c_str());
+ // Obtain a reference to the insecure characteristic
+ pRemoteInsecureCharacteristic = pRemoteService->getCharacteristic(insecureCharUUID);
+ if (pRemoteInsecureCharacteristic == nullptr) {
+ Serial.print("Failed to find insecure characteristic UUID: ");
+ Serial.println(insecureCharUUID.toString().c_str());
  pClient->disconnect();
  return false;
  }
- Serial.println(" - Found unsecure characteristic");
+ Serial.println(" - Found insecure characteristic");
 
  // Obtain a reference to the secure characteristic
  pRemoteSecureCharacteristic = pRemoteService->getCharacteristic(secureCharUUID);
@@ -107,10 +107,10 @@ bool connectToServer() {
  }
  Serial.println(" - Found secure characteristic");
 
- // Read the value of the unsecure characteristic (should work without authentication)
- if (pRemoteUnsecureCharacteristic->canRead()) {
- String value = pRemoteUnsecureCharacteristic->readValue();
- Serial.print("Unsecure characteristic value: ");
+ // Read the value of the insecure characteristic (should work without authentication)
+ if (pRemoteInsecureCharacteristic->canRead()) {
+ String value = pRemoteInsecureCharacteristic->readValue();
+ Serial.print("Insecure characteristic value: ");
  Serial.println(value.c_str());
  }
 
@@ -127,9 +127,9 @@ bool connectToServer() {
  }
 
  // Register for notifications on both characteristics if they support it
- if (pRemoteUnsecureCharacteristic->canNotify()) {
- pRemoteUnsecureCharacteristic->registerForNotify(notifyCallback);
- Serial.println(" - Registered for unsecure characteristic notifications");
+ if (pRemoteInsecureCharacteristic->canNotify()) {
+ pRemoteInsecureCharacteristic->registerForNotify(notifyCallback);
+ Serial.println(" - Registered for insecure characteristic notifications");
  }
 
  if (pRemoteSecureCharacteristic->canNotify()) {
@@ -173,7 +173,7 @@ void setup() {
  BLESecurity *pSecurity = new BLESecurity();
 
  // Set security parameters
- // Deafult parameters:
+ // Default parameters:
  // - IO capability is set to NONE
  // - Initiator and responder key distribution flags are set to both encryption and identity keys.
  // - Passkey is set to BLE_SM_DEFAULT_PASSKEY (123456). It will warn if you don't change it.
@@ -213,11 +213,11 @@ void loop() {
 
  // If we are connected to a peer BLE Server, demonstrate secure communication
  if (connected) {
- // Write to the unsecure characteristic
- String unsecureValue = "Client time: " + String(millis() / 1000);
- if (pRemoteUnsecureCharacteristic->canWrite()) {
- pRemoteUnsecureCharacteristic->writeValue(unsecureValue.c_str(), unsecureValue.length());
- Serial.println("Wrote to unsecure characteristic: " + unsecureValue);
+ // Write to the insecure characteristic
+ String insecureValue = "Client time: " + String(millis() / 1000);
+ if (pRemoteInsecureCharacteristic->canWrite()) {
+ pRemoteInsecureCharacteristic->writeValue(insecureValue.c_str(), insecureValue.length());
+ Serial.println("Wrote to insecure characteristic: " + insecureValue);
  }
 
  // Write to the secure characteristic

libraries/BLE/examples/Server_secure_static_passkey/Server_secure_static_passkey.ino

@@ -5,14 +5,14 @@
  IO capability using a static passkey.
  The server will accept connections from devices that have the same passkey set.
  The example passkey is set to 123456.
- The server will create a service and a secure and an unsecure characteristic
+ The server will create a service and a secure and an insecure characteristic
  to be used as example.
 
  This server is designed to be used with the Client_secure_static_passkey example.
 
  Note that ESP32 uses Bluedroid by default and the other SoCs use NimBLE.
  Bluedroid initiates security on-connect, while NimBLE initiates security on-demand.
- This means that in NimBLE you can read the unsecure characteristic without entering
+ This means that in NimBLE you can read the insecure characteristic without entering
  the passkey. This is not possible in Bluedroid.
 
  Also, the SoC stores the authentication info in the NVS memory. After a successful
@@ -33,7 +33,7 @@
 // https://www.uuidgenerator.net/
 
 #define SERVICE_UUID "4fafc201-1fb5-459e-8fcc-c5c9c331914b"
-#define UNSECURE_CHARACTERISTIC_UUID "beb5483e-36e1-4688-b7f5-ea07361b26a8"
+#define Insecure_CHARACTERISTIC_UUID "beb5483e-36e1-4688-b7f5-ea07361b26a8"
 #define SECURE_CHARACTERISTIC_UUID "ff1d2614-e2d6-4c87-9154-6625d39ca7f8"
 
 // This is an example passkey. You should use a different or random passkey.
@@ -51,7 +51,7 @@ void setup() {
  BLESecurity *pSecurity = new BLESecurity();
 
  // Set security parameters
- // Deafult parameters:
+ // Default parameters:
  // - IO capability is set to NONE
  // - Initiator and responder key distribution flags are set to both encryption and identity keys.
  // - Passkey is set to BLE_SM_DEFAULT_PASSKEY (123456). It will warn if you don't change it.
@@ -71,8 +71,8 @@ void setup() {
 
  BLEService *pService = pServer->createService(SERVICE_UUID);
 
- uint32_t unsecure_properties = BLECharacteristic::PROPERTY_READ | BLECharacteristic::PROPERTY_WRITE;
- uint32_t secure_properties = unsecure_properties;
+ uint32_t insecure_properties = BLECharacteristic::PROPERTY_READ | BLECharacteristic::PROPERTY_WRITE;
+ uint32_t secure_properties = insecure_properties;
 
  // NimBLE uses properties to secure characteristics.
  // These special permission properties are not supported by Bluedroid and will be ignored.
@@ -81,21 +81,21 @@ void setup() {
  secure_properties |= BLECharacteristic::PROPERTY_READ_ENC | BLECharacteristic::PROPERTY_WRITE_ENC;
 
  BLECharacteristic *pSecureCharacteristic = pService->createCharacteristic(SECURE_CHARACTERISTIC_UUID, secure_properties);
- BLECharacteristic *pUnsecureCharacteristic = pService->createCharacteristic(UNSECURE_CHARACTERISTIC_UUID, unsecure_properties);
+ BLECharacteristic *pInsecureCharacteristic = pService->createCharacteristic(Insecure_CHARACTERISTIC_UUID, insecure_properties);
 
  // Bluedroid uses permissions to secure characteristics.
  // This is the same as using the properties above.
  // NimBLE does not use permissions and will ignore these calls.
  // This can be removed if only using NimBLE (any SoC except ESP32).
  pSecureCharacteristic->setAccessPermissions(ESP_GATT_PERM_READ_ENCRYPTED | ESP_GATT_PERM_WRITE_ENCRYPTED);
- pUnsecureCharacteristic->setAccessPermissions(ESP_GATT_PERM_READ | ESP_GATT_PERM_WRITE);
+ pInsecureCharacteristic->setAccessPermissions(ESP_GATT_PERM_READ | ESP_GATT_PERM_WRITE);
 
  // Set value for secure characteristic
  pSecureCharacteristic->setValue("Secure Hello World!");
 
- // Set value for unsecure characteristic
+ // Set value for insecure characteristic
  // When using NimBLE you will be able to read this characteristic without entering the passkey.
- pUnsecureCharacteristic->setValue("Unsecure Hello World!");
+ pInsecureCharacteristic->setValue("Insecure Hello World!");
 
  pService->start();
  BLEAdvertising *pAdvertising = BLEDevice::getAdvertising();

libraries/BLE/src/BLESecurity.cpp

@@ -59,7 +59,7 @@ uint32_t BLESecurity::m_passkey = BLE_SM_DEFAULT_PASSKEY;
 
 #if defined(CONFIG_BLUEDROID_ENABLED)
 uint8_t BLESecurity::m_keySize = 16;
-esp_ble_sec_act_t BLESecurity::m_securityLevel = (esp_ble_sec_act_t)0;
+esp_ble_sec_act_t BLESecurity::m_securityLevel;
 #endif
 
 /***************************************************************************
@@ -216,7 +216,7 @@ void BLESecurity::setAuthenticationMode(bool bonding, bool mitm, bool sc) {
 // It should return the passkey that the peer device is showing on its output.
 // This might not be called if the client has a static passkey set.
 uint32_t BLESecurityCallbacks::onPassKeyRequest() {
- Serial.println("BLESecurityCallbacks: *ATTENTION* Using unsecure onPassKeyRequest.");
+ Serial.println("BLESecurityCallbacks: *ATTENTION* Using insecure onPassKeyRequest.");
  Serial.println("BLESecurityCallbacks: *ATTENTION* Please implement onPassKeyRequest with a suitable passkey in your BLESecurityCallbacks class");
  Serial.printf("BLESecurityCallbacks: Default passkey: %06d\n", BLE_SM_DEFAULT_PASSKEY);
  return BLE_SM_DEFAULT_PASSKEY;
@@ -239,7 +239,7 @@ bool BLESecurityCallbacks::onSecurityRequest() {
 // This callback is called by both devices when both have the DisplayYesNo capability.
 // It should return true if both devices display the same passkey.
 bool BLESecurityCallbacks::onConfirmPIN(uint32_t pin) {
- Serial.println("BLESecurityCallbacks: *ATTENTION* Using unsecure onConfirmPIN. It will accept any passkey.");
+ Serial.println("BLESecurityCallbacks: *ATTENTION* Using insecure onConfirmPIN. It will accept any passkey.");
  Serial.println("BLESecurityCallbacks: *ATTENTION* Please implement onConfirmPIN with a suitable confirmation logic in your BLESecurityCallbacks class");
  return true;
 }
@@ -251,7 +251,7 @@ bool BLESecurityCallbacks::onConfirmPIN(uint32_t pin) {
 // otherwise it is requesting to write.
 // It should return true if the authorization is granted, false otherwise.
 bool BLESecurityCallbacks::onAuthorizationRequest(uint16_t connHandle, uint16_t attrHandle, bool isRead) {
- Serial.println("BLESecurityCallbacks: *ATTENTION* Using unsecure onAuthorizationRequest. It will accept any authorization request.");
+ Serial.println("BLESecurityCallbacks: *ATTENTION* Using insecure onAuthorizationRequest. It will accept any authorization request.");
  Serial.println(
  "BLESecurityCallbacks: *ATTENTION* Please implement onAuthorizationRequest with a suitable authorization logic in your BLESecurityCallbacks class"
  );
@@ -272,17 +272,28 @@ bool BLESecurity::startSecurity(esp_bd_addr_t bd_addr, int *rcPtr) {
 #ifdef CONFIG_BLE_SMP_ENABLE
  if (m_securityStarted) {
  log_w("Security already started for bd_addr=%s", BLEAddress(bd_addr).toString().c_str());
+ if (rcPtr) {
+ *rcPtr = ESP_OK;
+ }
  return true;
  }
 
- int rc = esp_ble_set_encryption(bd_addr, m_securityLevel);
- if (rc != ESP_OK) {
- log_e("esp_ble_set_encryption: rc=%d %s", rc, GeneralUtils::errorToString(rc));
- }
- if (rcPtr) {
- *rcPtr = rc;
+ if (m_securityEnabled) {
+ int rc = esp_ble_set_encryption(bd_addr, m_securityLevel);
+ if (rc != ESP_OK) {
+ log_e("esp_ble_set_encryption: rc=%d %s", rc, GeneralUtils::errorToString(rc));
+ }
+ if (rcPtr) {
+ *rcPtr = rc;
+ }
+ m_securityStarted = (rc == ESP_OK);
+ } else {
+ log_e("Security is not enabled. Can't start security.");
+ if (rcPtr) {
+ *rcPtr = ESP_FAIL;
+ }
+ return false;
  }
- m_securityStarted = (rc == ESP_OK);
  return m_securityStarted;
 #else
  log_e("Bluedroid SMP is not enabled. Can't start security.");
@@ -324,17 +335,28 @@ void BLESecurityCallbacks::onAuthenticationComplete(esp_ble_auth_cmpl_t param) {
 bool BLESecurity::startSecurity(uint16_t connHandle, int *rcPtr) {
  if (m_securityStarted) {
  log_w("Security already started for connHandle=%d", connHandle);
+ if (rcPtr) {
+ *rcPtr = 0;
+ }
  return true;
  }
 
- int rc = ble_gap_security_initiate(connHandle);
- if (rc != 0) {
- log_e("ble_gap_security_initiate: rc=%d %s", rc, BLEUtils::returnCodeToString(rc));
- }
- if (rcPtr) {
- *rcPtr = rc;
+ if (m_securityEnabled) {
+ int rc = ble_gap_security_initiate(connHandle);
+ if (rc != 0) {
+ log_e("ble_gap_security_initiate: rc=%d %s", rc, BLEUtils::returnCodeToString(rc));
+ }
+ if (rcPtr) {
+ *rcPtr = rc;
+ }
+ m_securityStarted = (rc == 0 || rc == BLE_HS_EALREADY);
+ } else {
+ log_e("Security is not enabled. Can't start security.");
+ if (rcPtr) {
+ *rcPtr = ESP_FAIL;
+ }
+ return false;
  }
- m_securityStarted = (rc == 0 || rc == BLE_HS_EALREADY);
  return m_securityStarted;
 }