mirror of
https://github.com/bluekitchen/btstack.git
synced 2025-03-02 22:13:36 +00:00
gap: consider OOB data on both sides when evaluation possible security level
This commit is contained in:
parent
ebde8a6099
commit
61298c1c4f
37
src/hci.c
37
src/hci.c
@ -2831,9 +2831,40 @@ static void event_handler(uint8_t *packet, uint16_t size){
|
||||
|
||||
// assess security based on io capabilities
|
||||
if (conn->authentication_flags & AUTH_FLAG_RECV_IO_CAPABILITIES_RESPONSE){
|
||||
// responder: fully validate io caps of both sides
|
||||
if (!hci_ssp_security_level_possible_for_io_cap(conn->requested_security_level, hci_stack->ssp_io_capability, conn->io_cap_response_io)){
|
||||
log_info("IOCap insufficient for level %u -> abort", conn->requested_security_level);
|
||||
// get requested security level
|
||||
gap_security_level_t requested_security_level = conn->requested_security_level;
|
||||
if (hci_stack->gap_secure_connections_only_mode){
|
||||
requested_security_level = LEVEL_4;
|
||||
}
|
||||
|
||||
// responder: fully validate io caps of both sides as well as OOB data
|
||||
bool security_possible = false;
|
||||
security_possible = hci_ssp_security_level_possible_for_io_cap(requested_security_level, hci_stack->ssp_io_capability, conn->io_cap_response_io);
|
||||
|
||||
#ifdef ENABLE_CLASSIC_PAIRING_OOB
|
||||
// We assume that both Controller can reach LEVEL 4, if one side has received P-192 and the other has received P-256,
|
||||
// so we merge the OOB data availability
|
||||
uint8_t have_oob_data = conn->io_cap_response_oob_data;
|
||||
if (conn->classic_oob_c_192 != NULL){
|
||||
have_oob_data |= 1;
|
||||
}
|
||||
if (conn->classic_oob_c_256 != NULL){
|
||||
have_oob_data |= 2;
|
||||
}
|
||||
// for up to Level 3, either P-192 as well as P-256 will do
|
||||
// if we don't support SC, then a) conn->classic_oob_c_256 will be NULL and b) remote should not report P-256 available
|
||||
// if remote does not SC, we should not receive P-256 data either
|
||||
if ((requested_security_level <= LEVEL_3) && (have_oob_data != 0)){
|
||||
security_possible = true;
|
||||
}
|
||||
// for Level 4, P-256 is needed
|
||||
if ((requested_security_level == LEVEL_4 && ((have_oob_data & 2) != 0))){
|
||||
security_possible = true;
|
||||
}
|
||||
#endif
|
||||
|
||||
if (security_possible == false){
|
||||
log_info("IOCap/OOB insufficient for level %u -> abort", conn->requested_security_level);
|
||||
hci_pairing_complete(conn, ERROR_CODE_INSUFFICIENT_SECURITY);
|
||||
connectionSetAuthenticationFlags(conn, AUTH_FLAG_SEND_IO_CAPABILITIES_NEGATIVE_REPLY);
|
||||
break;
|
||||
|
Loading…
x
Reference in New Issue
Block a user