mirror/btstack
1
0
Fork 0
mirror of https://github.com/bluekitchen/btstack.git synced 2025-01-30 15:32:41 +00:00
Code Issues Packages Projects Releases Wiki Activity

gap: reject iocap request if capabilities insufficient and OOB not supported

Browse Source
This commit is contained in:
Matthias Ringwald 2021-08-25 14:16:42 +02:00
parent 204e8f1db1
commit ebde8a6099
1 changed files with 22 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
src/hci.c
View File

@ -2821,7 +2821,7 @@ static void event_handler(uint8_t *packet, uint16_t size){
hci_pairing_started(conn, true);
// assess security
// assess security: LEVEL 4 requires SC
if ((hci_stack->gap_secure_connections_only_mode || (conn->requested_security_level == LEVEL_4)) && !hci_remote_sc_enabled(conn)){
log_info("Level 4 required, but SC not supported -> abort");
hci_pairing_complete(conn, ERROR_CODE_INSUFFICIENT_SECURITY);
@ -2829,6 +2829,27 @@ static void event_handler(uint8_t *packet, uint16_t size){
break;
}
// assess security based on io capabilities
if (conn->authentication_flags & AUTH_FLAG_RECV_IO_CAPABILITIES_RESPONSE){
// responder: fully validate io caps of both sides
if (!hci_ssp_security_level_possible_for_io_cap(conn->requested_security_level, hci_stack->ssp_io_capability, conn->io_cap_response_io)){
log_info("IOCap insufficient for level %u -> abort", conn->requested_security_level);
hci_pairing_complete(conn, ERROR_CODE_INSUFFICIENT_SECURITY);
connectionSetAuthenticationFlags(conn, AUTH_FLAG_SEND_IO_CAPABILITIES_NEGATIVE_REPLY);
break;
}
} else {
// initiator: remote io cap not yet, only check if we have ability for MITM protection if requested and OOB is not supported
#ifdef ENABLE_CLASSIC_PAIRING_OOB
if ((conn->requested_security_level >= LEVEL_3) && (hci_stack->ssp_io_capability >= SSP_IO_CAPABILITY_NO_INPUT_NO_OUTPUT)){
log_info("Level 3+ required, but no input/output -> abort");
hci_pairing_complete(conn, ERROR_CODE_INSUFFICIENT_SECURITY);
connectionSetAuthenticationFlags(conn, AUTH_FLAG_SEND_IO_CAPABILITIES_NEGATIVE_REPLY);
break;
}
#endif
}
#ifndef ENABLE_EXPLICIT_IO_CAPABILITIES_REPLY
if (hci_stack->ssp_io_capability != SSP_IO_CAPABILITY_UNKNOWN){
connectionSetAuthenticationFlags(conn, AUTH_FLAG_SEND_IO_CAPABILITIES_REPLY);