att_db: validate if connection encrypted is based on SC if requested

2025-02-04 15:39:59 +00:00 · 2019-03-06 15:42:14 +01:00 · 2019-03-06 15:42:14 +01:00 · 2ea28401b3
commit 2ea28401b3
parent 96304e9342
1 changed files with 24 additions and 15 deletions
--- a/src/ble/att_db.c
+++ b/src/ble/att_db.c
@ -321,22 +321,31 @@ static uint8_t att_validate_security(att_connection_t * att_connection, att_oper
    int required_encryption_size = it->flags >> 12;
    if (required_encryption_size) required_encryption_size++;   // store -1 to fit into 4 bit

-    log_debug("att_validate_security. flags 0x%04x (=> security level %u, key size %u) authorized %u, authenticated %u, encryption_key_size %u",
-        it->flags, required_security_level, required_encryption_size, att_connection->authorized, att_connection->authenticated, att_connection->encryption_key_size);
+    log_debug("att_validate_security. flags 0x%04x (=> security level %u, key size %u) authorized %u, authenticated %u, encryption_key_size %u, secure connection %u",
+        it->flags, required_security_level, required_encryption_size, att_connection->authorized, att_connection->authenticated, att_connection->encryption_key_size, att_connection->secure_connection);

-    if ((required_security_level >= ATT_SECURITY_AUTHORIZED) && (att_connection->authorized == 0)) {
-        return ATT_ERROR_INSUFFICIENT_AUTHORIZATION;
-    }
-    if ((required_security_level >= ATT_SECURITY_AUTHENTICATED) && (att_connection->authenticated == 0)) {
-        return ATT_ERROR_INSUFFICIENT_AUTHENTICATION;
-    }
-    if (required_security_level >= ATT_SECURITY_ENCRYPTED) {
-        if ((required_encryption_size > 0) && (att_connection->encryption_key_size == 0)){
-            return ATT_ERROR_INSUFFICIENT_ENCRYPTION;
-        }
-        if (required_encryption_size > att_connection->encryption_key_size){
-            return ATT_ERROR_INSUFFICIENT_ENCRYPTION_KEY_SIZE;
-        }
+    int sc_missing = requires_secure_connection && att_connection->secure_connection == 0;
+    switch (required_security_level){
+        case ATT_SECURITY_AUTHORIZED:
+            if ((att_connection->authorized == 0) || sc_missing){
+                return ATT_ERROR_INSUFFICIENT_AUTHORIZATION;
+            }
+            /* explicit fall through */
+        case ATT_SECURITY_AUTHENTICATED:
+            if ((att_connection->authenticated == 0) || sc_missing){
+                return ATT_ERROR_INSUFFICIENT_AUTHENTICATION;
+            }
+            /* explicit fall through */
+        case ATT_SECURITY_ENCRYPTED:
+            if ((required_encryption_size > 0) && ((att_connection->encryption_key_size == 0) || sc_missing)){
+                return ATT_ERROR_INSUFFICIENT_ENCRYPTION;
+            }
+            if (required_encryption_size > att_connection->encryption_key_size){
+                return ATT_ERROR_INSUFFICIENT_ENCRYPTION_KEY_SIZE;
+            }
+            break;
+        default:
+            break;
    }
    return 0;
 }