diff options
author | Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | 2016-10-19 15:55:42 +0300 |
---|---|---|
committer | Johan Hedberg <johan.hedberg@intel.com> | 2016-10-21 07:47:31 +0300 |
commit | 7beb70906ec6ebda9218738735910fe08b26a558 (patch) | |
tree | 655ed9e372839319815a8c95152b2137e8a86aec /net | |
parent | 148b0a2d35c38864b59af6ae1a40009b709e905c (diff) |
Bluetooth: ATT: Fix handling of insufficient authentication
Insufficient authentication can be used with almost any security level to
indicate the security need to be escalated not only to high but to medium
and fips depending on the current security level.
Jira: ZEP-1074
Change-Id: Iea261f2814caf5b290997beedcbb0aa7f5a9e890
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Diffstat (limited to 'net')
-rw-r--r-- | net/bluetooth/att.c | 42 |
1 files changed, 40 insertions, 2 deletions
diff --git a/net/bluetooth/att.c b/net/bluetooth/att.c index d605425cf..27310871d 100644 --- a/net/bluetooth/att.c +++ b/net/bluetooth/att.c @@ -1466,9 +1466,47 @@ static int att_change_security(struct bt_conn *conn, uint8_t err) sec = BT_SECURITY_MEDIUM; break; case BT_ATT_ERR_AUTHENTICATION: - if (conn->sec_level >= BT_SECURITY_HIGH) + if (conn->sec_level < BT_SECURITY_MEDIUM) { + /* BLUETOOTH SPECIFICATION Version 4.2 [Vol 3, Part C] + * page 375: + * + * If an LTK is not available, the service request + * shall be rejected with the error code “Insufficient + * Authentication”. + * Note: When the link is not encrypted, the error code + * "Insufficient Authentication" does not indicate that + * MITM protection is required. + */ + sec = BT_SECURITY_MEDIUM; + } else if (conn->sec_level < BT_SECURITY_HIGH) { + /* BLUETOOTH SPECIFICATION Version 4.2 [Vol 3, Part C] + * page 375: + * + * If an authenticated pairing is required but only an + * unauthenticated pairing has occurred and the link is + * currently encrypted, the service request shall be + * rejected with the error code “Insufficient + * Authentication.” + * Note: When unauthenticated pairing has occurred and + * the link is currently encrypted, the error code + * “Insufficient Authentication” indicates that MITM + * protection is required. + */ + sec = BT_SECURITY_HIGH; + } else if (conn->sec_level < BT_SECURITY_FIPS) { + /* BLUETOOTH SPECIFICATION Version 4.2 [Vol 3, Part C] + * page 375: + * + * If LE Secure Connections authenticated pairing is + * required but LE legacy pairing has occurred and the + * link is currently encrypted, the service request + * shall be rejected with the error code “Insufficient + * Authentication”. + */ + sec = BT_SECURITY_FIPS; + } else { return -EALREADY; - sec = BT_SECURITY_HIGH; + } break; default: return -EINVAL; |