Merge branch 'bugfix/a2dp_can_not_connect_after_ble_connected' into '…

…master' fixed the issue iOS devices cannot initiate connection Closes IDFGH-4754 and AUD-4085 See merge request espressif/esp-idf!20703
espressif · Nov 11, 2022 · 35faecc · 35faecc
2 parents 6435a3e + 042fd5f
commit 35faecc
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 16 deletions.
diff --git a/components/bt/host/bluedroid/stack/btm/btm_acl.c b/components/bt/host/bluedroid/stack/btm/btm_acl.c
@@ -819,22 +819,6 @@ void btm_acl_encrypt_change (UINT16 handle, UINT8 status, UINT8 encr_enable)
         }
 #endif
     }
-#if (CLASSIC_BT_INCLUDED == TRUE)
-    /* If authentication is done through legacy authentication and esp32 has
-     * not authenticated peer deivce yet, do not proceed for encrytion and
-     * first authenticate it. */
-    else if ((BTM_BothEndsSupportSecureConnections(p->remote_addr) == 0) &&
-            ((p->legacy_auth_state & BTM_ACL_LEGACY_AUTH_SELF) == 0)) {
-        if ((p_dev_rec = btm_find_dev (p->remote_addr)) != NULL) {
-            if (btm_sec_legacy_authentication_mutual(p_dev_rec)) {
-                btm_sec_update_legacy_auth_state(btm_bda_to_acl(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR), BTM_ACL_LEGACY_AUTH_SELF);
-            } else {
-                BTM_TRACE_ERROR("%s failed, Resources not available for Authentication procedure", __FUNCTION__);
-            }
-        }
-    }
-#endif
-
 }
 /*******************************************************************************
 **

diff --git a/components/bt/host/bluedroid/stack/btm/btm_sec.c b/components/bt/host/bluedroid/stack/btm/btm_sec.c
@@ -5191,6 +5191,22 @@ static tBTM_STATUS btm_sec_execute_procedure (tBTM_SEC_DEV_REC *p_dev_rec)
         return (BTM_CMD_STARTED);
     }
 
+#if (CLASSIC_BT_INCLUDED == TRUE)
+    tACL_CONN *p_acl_cb = btm_handle_to_acl(p_dev_rec->hci_handle);
+    /*
+     * To prevent a remote device from doing a Bluetooth Impersonation Attack, a suggested fix by SIG is:
+     *
+     * "Hosts performing legacy (non-mutual) authentication must ensure a remote device is authenticated
+     *  prior to proceeding with encryption establishment, regardless of role."
+     *
+     * As an implementation, we enforce mutual authentication when devices use Legacy Authentication.
+     */
+    if ((p_acl_cb != NULL) && (BTM_BothEndsSupportSecureConnections(p_acl_cb->remote_addr) == 0) &&
+        ((p_acl_cb->legacy_auth_state & BTM_ACL_LEGACY_AUTH_SELF) == 0)) {
+        p_dev_rec->sec_flags &= ~BTM_SEC_AUTHENTICATED;
+    }
+#endif
+
     /* If connection is not authenticated and authentication is required */
     /* start authentication and return PENDING to the caller */
     if ((((!(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))