Bluetooth: ISO: Guard sec_level with CONFIG_BT_SMP
The ISO security implementation works by verifying
against the acl (bt_conn) sec_level field. The
bt_conn sec_level field is only available
if CONFIG_BT_SMP is enabled, so this commit
adds guards for all ISO security checks as well.
Signed-off-by: Emil Gydesen <emil.gydesen@nordicsemi.no>
diff --git a/include/zephyr/bluetooth/iso.h b/include/zephyr/bluetooth/iso.h
index 9138cef..75baa57 100644
--- a/include/zephyr/bluetooth/iso.h
+++ b/include/zephyr/bluetooth/iso.h
@@ -121,6 +121,7 @@
/** Channel QoS reference */
struct bt_iso_chan_qos *qos;
enum bt_iso_state state;
+#if defined(CONFIG_BT_SMP)
/** @brief The required security level of the channel
*
* This value can be set as the central before connecting a CIS
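Review bot: The doc comment for `required_sec_level` does not say that the member now exists only when CONFIG_BT_SMP is enabled, so an application that assigns it unconditionally gets a compile error with no hint in the API documentation. I would add a line such as `* Only available when @kconfig{CONFIG_BT_SMP} is enabled.` to this comment, and the same sentence to the `sec_level` comment in `struct bt_iso_server` (the hunk at -503). The struct definition starts above this hunk and the comment continues into the next one.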
@@ -129,6 +130,7 @@
* peripheral once a channel has been accepted.
*/
bt_security_t required_sec_level;
+#endif /* CONFIG_BT_SMP */
/** Node used internally by the stack */
sys_snode_t node;
};
@@ -503,8 +505,10 @@
/** @brief ISO Server structure. */
struct bt_iso_server {
+#if defined(CONFIG_BT_SMP)
/** Required minimum security level */
bt_security_t sec_level;
+#endif /* CONFIG_BT_SMP */
/** @brief Server accept callback
*
diff --git a/samples/bluetooth/iso_connected_benchmark/src/main.c b/samples/bluetooth/iso_connected_benchmark/src/main.c
index e4c558d..3f8ae53 100644
--- a/samples/bluetooth/iso_connected_benchmark/src/main.c
+++ b/samples/bluetooth/iso_connected_benchmark/src/main.c
@@ -338,7 +338,9 @@
}
static struct bt_iso_server iso_server = {
+#if defined(CONFIG_BT_SMP)
.sec_level = DEFAULT_CIS_SEC_LEVEL,
+#endif /* CONFIG_BT_SMP */
.accept = iso_accept,
};
diff --git a/samples/bluetooth/peripheral_iso/src/main.c b/samples/bluetooth/peripheral_iso/src/main.c
index 01cbd58..5cf4013 100644
--- a/samples/bluetooth/peripheral_iso/src/main.c
+++ b/samples/bluetooth/peripheral_iso/src/main.c
@@ -141,7 +141,9 @@
}
static struct bt_iso_server iso_server = {
+#if defined(CONFIG_BT_SMP)
.sec_level = BT_SECURITY_L1,
+#endif /* CONFIG_BT_SMP */
.accept = iso_accept,
};
diff --git a/subsys/bluetooth/host/iso.c b/subsys/bluetooth/host/iso.c
index f90a465..8bb449e 100644
--- a/subsys/bluetooth/host/iso.c
+++ b/subsys/bluetooth/host/iso.c
@@ -927,12 +927,14 @@
return -EINVAL;
}
+#if defined(CONFIG_BT_SMP)
if (server->sec_level > BT_SECURITY_L3) {
return -EINVAL;
} else if (server->sec_level < BT_SECURITY_L1) {
/* Level 0 is only applicable for BR/EDR */
server->sec_level = BT_SECURITY_L1;
}
+#endif /* CONFIG_BT_SMP */
BT_DBG("%p", server);
@@ -969,7 +971,9 @@
return err;
}
+#if defined(CONFIG_BT_SMP)
chan->required_sec_level = iso_server->sec_level;
+#endif /* CONFIG_BT_SMP */
bt_iso_chan_add(iso, chan);
bt_iso_chan_set_state(chan, BT_ISO_STATE_CONNECTING);
@@ -1028,11 +1032,15 @@
return BT_HCI_ERR_SUCCESS;
}
+#if defined(CONFIG_BT_SMP)
if (conn->sec_level >= iso_server->sec_level) {
return BT_HCI_ERR_SUCCESS;
}
return BT_HCI_ERR_INSUFFICIENT_SECURITY;
+#else
+ return BT_HCI_ERR_SUCCESS;
+#endif /* CONFIG_BT_SMP */
}
void hci_le_cis_req(struct net_buf *buf)
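Review bot: The new `#else` branch accepts every CIS request without any security check, and nothing in the code says this is intended. With the `sec_level` members compiled out, a server cannot express a requirement in that configuration, so accepting is presumably the only option. A reader auditing the accept path should still see that stated, for example `/* No SMP: no security level can be required or checked, so accept */` above the added `return BT_HCI_ERR_SUCCESS;`. It would also help to say in the `bt_iso_server` documentation that builds without CONFIG_BT_SMP accept CIS requests at any ACL security level. The function starts outside this hunk.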
@@ -1815,6 +1823,7 @@
return bt_hci_cmd_send_sync(BT_HCI_OP_LE_CREATE_CIS, buf, NULL);
}
+#if defined(CONFIG_BT_SMP)
static int iso_chan_connect_security(const struct bt_iso_connect_param *param,
size_t count)
{
@@ -1863,6 +1872,7 @@
return 0;
}
+#endif /* CONFIG_BT_SMP */
int bt_iso_chan_connect(const struct bt_iso_connect_param *param, size_t count)
{
@@ -1913,6 +1923,7 @@
}
}
+#if defined(CONFIG_BT_SMP)
/* Check for and initiate security for all channels that have
* requested encryption if the ACL link is not already secured
*/
@@ -1921,6 +1932,7 @@
BT_DBG("Failed to initate security for all CIS: %d", err);
return err;
}
+#endif /* CONFIG_BT_SMP */
err = hci_le_create_cis(param, count);
if (err == -ECANCELED) {
diff --git a/subsys/bluetooth/shell/iso.c b/subsys/bluetooth/shell/iso.c
index 804f467..59779e4 100644
--- a/subsys/bluetooth/shell/iso.c
+++ b/subsys/bluetooth/shell/iso.c
@@ -206,6 +206,12 @@
return 0;
}
+#if defined(CONFIG_BT_SMP)
+ if (argc > 1) {
+ iso_chan.required_sec_level = *argv[1] - '0';
+ }
+#endif /* CONFIG_BT_SMP */
+
err = bt_iso_chan_connect(&connect_param, 1);
if (err) {
shell_error(sh, "Unable to connect (err %d)", err);
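Review bot: The added `if (argc > 1)` branch looks unreachable, because the last hunk of this file still registers the command as `SHELL_CMD_ARG(connect, NULL, "Connect ISO Channel", cmd_connect, 1, 0)`, which allows no optional argument (assuming that entry is the handler patched here). If the level is meant to be settable from the shell, the registration needs `1, 1` and a help string naming `[security level]` under CONFIG_BT_SMP, as was done for `listen`. Separately, `*argv[1] - '0'` turns any character into a `bt_security_t` with no range check. Validating before assigning, e.g. `if (lvl < BT_SECURITY_L1 || lvl > BT_SECURITY_L3) { return -ENOEXEC; }`, would mirror the bound that the server registration check in subsys/bluetooth/host/iso.c applies. The same single-character parse feeds `iso_server.sec_level` in the listen hunk below.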
@@ -237,7 +243,9 @@
}
struct bt_iso_server iso_server = {
+#if defined(CONFIG_BT_SMP)
.sec_level = BT_SECURITY_L1,
+#endif /* CONFIG_BT_SMP */
.accept = iso_accept,
};
@@ -260,9 +268,11 @@
return -ENOEXEC;
}
+#if defined(CONFIG_BT_SMP)
if (argc > 2) {
iso_server.sec_level = *argv[2] - '0';
}
+#endif /* CONFIG_BT_SMP */
err = bt_iso_server_register(&iso_server);
if (err) {
@@ -540,7 +550,11 @@
SHELL_CMD_ARG(connect, NULL, "Connect ISO Channel", cmd_connect, 1, 0),
#endif /* CONFIG_BT_ISO_CENTRAL */
#if defined(CONFIG_BT_ISO_PERIPHERAL)
+#if defined(CONFIG_BT_SMP)
SHELL_CMD_ARG(listen, NULL, "<dir=tx,rx,txrx> [security level]", cmd_listen, 2, 1),
+#else
+ SHELL_CMD_ARG(listen, NULL, "<dir=tx,rx,txrx>", cmd_listen, 2, 0),
+#endif /* CONFIG_BT_SMP */
#endif /* CONFIG_BT_ISO_PERIPHERAL */
SHELL_CMD_ARG(send, NULL, "Send to ISO Channel [count]",
cmd_send, 1, 1),