BLE: Support encryption with secure connection key.

pan- · pan- · commit 4e5639f5ca42 · 2018-05-02T17:51:48.000+01:00
diff --git a/features/FEATURE_BLE/ble/SecurityManager.h b/features/FEATURE_BLE/ble/SecurityManager.h
@@ -967,15 +967,31 @@ class SecurityManager {
      */
      ble_error_t getLinkSecurity(ble::connection_handle_t connectionHandle, LinkSecurityStatus_t *securityStatus) {
         ble::link_encryption_t encryption(ble::link_encryption_t::NOT_ENCRYPTED);
-        ble_error_t status = getLinkEncryption(connectionHandle, &encryption);
-        /* legacy support limits the return values */
-        if (encryption.value() == ble::link_encryption_t::ENCRYPTED_WITH_MITM) {
-            *securityStatus = ENCRYPTED;
-        } else {
-            *securityStatus = (LinkSecurityStatus_t)encryption.value();
+        ble_error_t err = getLinkEncryption(connectionHandle, &encryption);
+        if (err) {
+            return err;
+        }
+
+        switch (encryption.value()) {
+            case ble::link_encryption_t::NOT_ENCRYPTED:
+                *securityStatus = NOT_ENCRYPTED;
+                break;
+            case ble::link_encryption_t::ENCRYPTION_IN_PROGRESS:
+                *securityStatus = ENCRYPTION_IN_PROGRESS;
+                break;
+            case ble::link_encryption_t::ENCRYPTED:
+            case ble::link_encryption_t::ENCRYPTED_WITH_MITM:
+            case ble::link_encryption_t::ENCRYPTED_WITH_SC_AND_MITM:
+                *securityStatus = ENCRYPTED;
+                break;
+            default:
+                // should never happen
+                MBED_ASSERT(false);
+                *securityStatus = NOT_ENCRYPTED;
+                break;
         }
 
-        return status;
+        return BLE_ERROR_NONE;
     }
 
     /**
@@ -1079,7 +1095,10 @@ class SecurityManager {
                 SecurityManager::SecurityMode_t securityMode;
                 if (result == ble::link_encryption_t::ENCRYPTED) {
                     securityMode = SECURITY_MODE_ENCRYPTION_NO_MITM;
-                } else if (result == ble::link_encryption_t::ENCRYPTED_WITH_MITM) {
+                } else if (
+                    result == ble::link_encryption_t::ENCRYPTED_WITH_MITM ||
+                    result == ble::link_encryption_t::ENCRYPTED_WITH_SC_AND_MITM
+                ) {
                     securityMode = SECURITY_MODE_ENCRYPTION_WITH_MITM;
                 } else {
                     securityMode = SECURITY_MODE_ENCRYPTION_OPEN_LINK;
diff --git a/features/FEATURE_BLE/source/generic/GenericSecurityManager.cpp b/features/FEATURE_BLE/source/generic/GenericSecurityManager.cpp
@@ -369,7 +369,11 @@ ble_error_t GenericSecurityManager::getLinkEncryption(
 
     if (cb->encrypted) {
         if (cb->ltk_mitm_protected  || cb->mitm_performed) {
-            *encryption = link_encryption_t::ENCRYPTED_WITH_MITM;
+            if (cb->secure_connections_paired) {
+                *encryption = link_encryption_t::ENCRYPTED_WITH_SC_AND_MITM;
+            } else {
+                *encryption = link_encryption_t::ENCRYPTED_WITH_MITM;
+            }
         } else {
             *encryption = link_encryption_t::ENCRYPTED;
         }
@@ -408,7 +412,9 @@ ble_error_t GenericSecurityManager::setLinkEncryption(
     } else if (encryption == link_encryption_t::ENCRYPTED) {
 
         /* only change if we're not already encrypted with mitm */
-        if (current_encryption != link_encryption_t::ENCRYPTED_WITH_MITM) {
+        if (current_encryption != link_encryption_t::ENCRYPTED_WITH_MITM ||
+            current_encryption != link_encryption_t::ENCRYPTED_WITH_SC_AND_MITM
+        ) {
             cb->encryption_requested = true;
             return enable_encryption(connection);
         }
@@ -423,6 +429,19 @@ ble_error_t GenericSecurityManager::setLinkEncryption(
             return requestAuthentication(connection);
         }
 
+    } else if (encryption == link_encryption_t::ENCRYPTED_WITH_SC_AND_MITM) {
+
+        if (cb->ltk_mitm_protected &&
+            cb->secure_connections_paired && !
+            cb->encrypted
+        ) {
+            cb->encryption_requested = true;
+            return enable_encryption(connection);
+        } else {
+            cb->encryption_requested = true;
+            return requestAuthentication(connection);
+        }
+
     } else {
         return BLE_ERROR_INVALID_PARAM;
     }
@@ -1059,7 +1078,10 @@ void GenericSecurityManager::on_link_encryption_result(
         cb->encryption_failed = false;
         cb->encrypted = true;
 
-    } else if (result == link_encryption_t::ENCRYPTED_WITH_MITM) {
+    } else if (
+        result == link_encryption_t::ENCRYPTED_WITH_MITM ||
+        result == link_encryption_t::ENCRYPTED_WITH_SC_AND_MITM
+    ) {
 
         cb->encryption_requested = false;
         cb->encryption_failed = false;
