BTDevice::processL2CAPSetup(..): Restrict sec_level setting to (1) user set, (2) ...

Only set sec_level other than NONE:
- (1) user set
- (2) ( responder_SMP_request || LE_Encryption LEFeature set ) && SMPIOCapability::UNSET != io_cap_conn

This intrinsic automatic sec_level setup has to be most conservative.

Having the (new) BTManager default SMPIOCapability::NO_INPUT_NO_OUTPUT,
the default encryption setting if requested or LEFeature bit set would be BTSecurityLevel::ENC_ONLY for JUST_WORKS.

1 files changed, 6 insertions, 6 deletions

diff --git a/src/direct_bt/BTDevice.cpp b/src/direct_bt/BTDevice.cpp
index 54ad22f4..2bb0b8f7 100644
--- a/src/direct_bt/BTDevice.cpp
+++ b/src/direct_bt/BTDevice.cpp
@@ -453,16 +453,16 @@ void BTDevice::processL2CAPSetup(std::shared_ptr<BTDevice> sthis) {
         const bool responderLikesEncryption = pairing_data.res_requested_sec || isLEFeaturesBitSet(le_features, LEFeatures::LE_Encryption);
         if( BTSecurityLevel::UNSET != sec_level_user ) {
             sec_level = sec_level_user;
-        } else if( SMPIOCapability::NO_INPUT_NO_OUTPUT == io_cap_conn ) {
-            sec_level = BTSecurityLevel::ENC_ONLY; // no auth w/o I/O
-        } else {
-            if( responderLikesEncryption && adapter.hasSecureConnections() ) {
+        } else if( responderLikesEncryption && SMPIOCapability::UNSET != io_cap_conn ) {
+            if( SMPIOCapability::NO_INPUT_NO_OUTPUT == io_cap_conn ) {
+                sec_level = BTSecurityLevel::ENC_ONLY; // no auth w/o I/O
+            } else if( adapter.hasSecureConnections() ) {
                 sec_level = BTSecurityLevel::ENC_AUTH_FIPS;
             } else if( responderLikesEncryption ) {
                 sec_level = BTSecurityLevel::ENC_AUTH;
-            } else {
-                sec_level = BTSecurityLevel::NONE;
             }
+        } else {
+            sec_level = BTSecurityLevel::NONE;
         }
 
         pairing_data.sec_level_conn = sec_level;