From 511135f31ccceb8f5c819fbd83e7b19a3b2077cc Mon Sep 17 00:00:00 2001
From: paul-szczepanek-arm <33840200+paul-szczepanek-arm@users.noreply.github.com>
Date: Thu, 29 Mar 2018 13:47:22 +0100
Subject: [PATCH] signing only for the slave, unless keys requested to be sent by master
---
 .../source/generic/GenericSecurityManager.cpp | 22 +++++++------------
 1 file changed, 8 insertions(+), 14 deletions(-)
diff --git a/features/FEATURE_BLE/source/generic/GenericSecurityManager.cpp b/features/FEATURE_BLE/source/generic/GenericSecurityManager.cpp
index 43cccfc6e9..e0974bcc90 100644
--- a/features/FEATURE_BLE/source/generic/GenericSecurityManager.cpp
+++ b/features/FEATURE_BLE/source/generic/GenericSecurityManager.cpp
@@ -140,14 +140,10 @@ ble_error_t GenericSecurityManager::requestPairing(connection_handle_t connectio
 * use when roles are changed */
 if (_master_sends_keys) {
 initiator_distribution = _default_key_distribution;
- }
-
- /* override default if requested */
- if (cb->signing_override_default) {
- initiator_distribution.set_signing(cb->signing_requested);
- } else {
- /* because _master_sends_keys might be false so we need to set this */
- initiator_distribution.set_signing(_default_key_distribution.get_signing());
+ /* override default if requested */
+ if (cb->signing_override_default) {
+ initiator_distribution.set_signing(cb->signing_requested);
+ }
 }
 KeyDistribution responder_distribution(_default_key_distribution);
@@ -312,14 +308,10 @@ ble_error_t GenericSecurityManager::enableSigning(
 return BLE_ERROR_INVALID_PARAM;
 }
- cb->signing_requested = enabled;
 cb->signing_override_default = true;
- if (cb->encrypted) {
- return BLE_ERROR_INVALID_STATE;
- }
-
- if (cb->signing_requested) {
+ if (enabled && !cb->signing_requested && !_default_key_distribution.get_signing()) {
+ cb->signing_requested = true;
 if (cb->csrk_stored) {
 /* used the stored ones when available */
 _db.get_entry_peer_csrk(
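Review bot: In `requestPairing`, with the `else` branch gone a per-connection signing request (`cb->signing_override_default` / `cb->signing_requested`) only reaches `initiator_distribution` inside `if (_master_sends_keys)`, so with that flag off the initiator's signing bit is whatever the declaration above this hunk gives it, which is not visible here. That leaves the CSRK distribution policy implicit, and a later change to the initial value would silently change which side hands out a signing key. I would state the rule at the branch, e.g. `/* the initiator distributes a signing key only when _master_sends_keys is set; per-connection signing requests do not change the initiator side otherwise */`. The function body starts before and continues after the hunk.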
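Review bot: In `enableSigning`, `cb->signing_requested = true;` is written before the fallible calls in this branch while the branch condition tests `!cb->signing_requested`, so a failed attempt is never retried. If `slave_security_request(connection)` (returned directly in the next hunk, `@@ -335,6 +327,8 @@`) reports an error, the flag stays set, and the next `enableSigning(connection, true)` falls into the new `else` and returns `BLE_ERROR_NONE` without a CSRK having been loaded or exchanged. Clearing the flag on failure keeps the reported state honest: `ble_error_t err = slave_security_request(connection);` `if (err != BLE_ERROR_NONE) { cb->signing_requested = false; }` `return err;`. The same would apply to any other error return between the two hunks, which is not visible here. The removed `cb->encrypted` check also means the call no longer rejects an already encrypted link; if that is intended, it deserves a line in the function's documentation.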
@@ -335,6 +327,8 @@ ble_error_t GenericSecurityManager::enableSigning(
 return slave_security_request(connection);
 }
 }
+ } else {
+ cb->signing_requested = enabled;
 }
 return BLE_ERROR_NONE;
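Review bot: The new `else` in `enableSigning` is a catch-all for three different situations (signing being disabled, signing already requested on this connection, and the default key distribution already including signing), and nothing at the branch says so. A short comment would make the intent checkable, e.g. `/* disabling, already requested, or the default distribution already covers signing: just record the preference */`. The `if` this `else` belongs to opens in the previous hunk.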