From 2d8451f7709eaafa2d54e2ac751082ff7bd55338 Mon Sep 17 00:00:00 2001
From: paul-szczepanek-arm
 <33840200+paul-szczepanek-arm@users.noreply.github.com>
Date: Mon, 22 Jan 2018 16:39:41 +0000
Subject: [PATCH] block legacy pairing when requested

---
 .../source/generic/GenericSecurityManager.cpp | 50 ++++++++++++-------
 1 file changed, 31 insertions(+), 19 deletions(-)

diff --git a/features/FEATURE_BLE/source/generic/GenericSecurityManager.cpp b/features/FEATURE_BLE/source/generic/GenericSecurityManager.cpp
index aca4f8352a..8e8c98a3ee 100644
--- a/features/FEATURE_BLE/source/generic/GenericSecurityManager.cpp
+++ b/features/FEATURE_BLE/source/generic/GenericSecurityManager.cpp
@@ -277,32 +277,33 @@ public:
 
     virtual ble_error_t requestPairing(connection_handle_t connection) {
         SecurityEntry_t *entry = db.get_entry(connection);
-        if (entry) {
-            return pal.send_pairing_request(
-                connection,
-                entry->oob,
-                authentication,
-                key_distribution,
-                key_distribution
-            );
-        } else {
+        if (!entry) {
             return BLE_ERROR_INVALID_PARAM;
         }
+        if (!legacy_pairing_allowed && !authentication.get_secure_connections()) {
+            return BLE_ERROR_OPERATION_NOT_PERMITTED;
+        }
+        return pal.send_pairing_request(
+            connection,
+            entry->oob,
+            authentication,
+            key_distribution,
+            key_distribution
+        );
     }
 
     virtual ble_error_t acceptPairingRequest(connection_handle_t connection) {
         SecurityEntry_t *entry = db.get_entry(connection);
-        if (entry) {
-            return pal.send_pairing_response(
-                connection,
-                entry->oob,
-                authentication,
-                key_distribution,
-                key_distribution
-            );
-        } else {
+        if (!entry) {
             return BLE_ERROR_INVALID_PARAM;
         }
+        return pal.send_pairing_response(
+            connection,
+            entry->oob,
+            authentication,
+            key_distribution,
+            key_distribution
+        );
     }
 
     virtual ble_error_t canceltPairingRequest(connection_handle_t connection) {
@@ -422,6 +423,11 @@ public:
         return BLE_ERROR_NONE;
     }
 
+    virtual ble_error_t setHintFutureRoleReversal(bool enable = true) {
+        master_sends_keys = enable;
+        return BLE_ERROR_NONE;
+    }
+
     ////////////////////////////////////////////////////////////////////////////
     // Encryption
     //
@@ -641,7 +647,7 @@ public:
             }
         } else {
             /* don't change the default value of authentication */
-            AuthenticationMask connection_authentication = authentication;
+            AuthenticationMask connection_authentication(authentication);
             connection_authentication.set_mitm(true);
             return pal.send_pairing_request(
                 connection,
@@ -726,6 +732,7 @@ private:
 
     bool pairing_authorisation_required;
     bool legacy_pairing_allowed;
+    bool master_sends_keys;
 
     AuthenticationMask  authentication;
     KeyDistribution     key_distribution;
@@ -744,6 +751,10 @@ public:
         KeyDistribution initiator_dist,
         KeyDistribution responder_dist
     ) {
+        /* cancel pairing if secure connection paring is not possible */
+        if (!legacy_pairing_allowed && !authentication.get_secure_connections()) {
+            canceltPairingRequest(connection);
+        }
         set_mitm_performed(connection, false);
 
         if (pairing_authorisation_required) {
@@ -969,6 +980,7 @@ public:
             db.get_entry(connection)->mitm
         );
     }
+
     virtual void on_ltk_request(
         connection_handle_t connection,
         const ediv_t ediv,