From: Oleh Konko <security@1seal.org>
To: "linux-bluetooth@vger.kernel.org" <linux-bluetooth@vger.kernel.org>
Cc: "marcel@holtmann.org" <marcel@holtmann.org>,
"luiz.dentz@gmail.com" <luiz.dentz@gmail.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: [PATCH v3 1/2] Bluetooth: SMP: honor local HIGH security when selecting legacy pairing method
Date: Mon, 30 Mar 2026 15:33:19 +0000
Message-ID: <78570f37f1da48f38336480ba61e29d9.security@1seal.org>
In-Reply-To: <bt-smp-v3-b13a5d5f53ed4efaba74be7539453366@1seal.org>

tk_request() currently forces JUST_CFM whenever the remote auth_req
omits SMP_AUTH_MITM. That ignores the local pending_sec_level, even
though the responder may still require BT_SECURITY_HIGH.

The pairing-request path already rejects JUST_WORKS/JUST_CFM when
pending_sec_level >= BT_SECURITY_HIGH, so letting tk_request() ignore the
local MITM requirement can make method selection inconsistent with the
policy the stack already enforces.

Only select JUST_CFM when the remote does not request MITM and the local
side does not require HIGH security. Otherwise, derive the method from
the IO capability table.

Fixes: 2b64d153a0cc ("Bluetooth: Add MITM mechanism to LE-SMP")
Cc: stable@vger.kernel.org
Suggested-by: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
Signed-off-by: Oleh Konko <security@1seal.org>
---
net/bluetooth/smp.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index e67bf7b34ea..a9fb9b513d6 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -863,13 +863,14 @@ static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
bt_dev_dbg(hcon->hdev, "auth:%u lcl:%u rem:%u", auth, local_io,
remote_io);
- /* If neither side wants MITM, either "just" confirm an incoming
- * request or use just-works for outgoing ones. The JUST_CFM
- * will be converted to JUST_WORKS if necessary later in this
- * function. If either side has MITM look up the method from the
- * table.
+ /* If the remote doesn't request MITM and the local side doesn't
+ * require HIGH security, either "just" confirm an incoming request
+ * or use just-works for outgoing ones. The JUST_CFM will be
+ * converted to JUST_WORKS if necessary later in this function.
+ * Otherwise, look up the method from the table.
*/
- if (!(auth & SMP_AUTH_MITM))
+ if (!(auth & SMP_AUTH_MITM) &&
+ hcon->pending_sec_level < BT_SECURITY_HIGH)
smp->method = JUST_CFM;
else
smp->method = get_auth_method(smp, local_io, remote_io);
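Review bot: the widened else-branch at `hcon->pending_sec_level < BT_SECURITY_HIGH` sends the lookup to get_auth_method() even when the IO capabilities on both sides cannot produce an authenticated method, and a table result of JUST_WORKS then reaches a connection that requires HIGH; the hunk is therefore only safe because of the pending_sec_level >= BT_SECURITY_HIGH rejection in the pairing-request path that the commit message describes, and the rewritten comment should name that dependency rather than stop at "look up the method from the table". Since pending_sec_level now influences the chosen method, also consider adding it to the bt_dev_dbg() line above ("auth:%u lcl:%u rem:%u") so a pairing refused under this rule can be diagnosed from the debug log. Note that the `<` comparison also covers BT_SECURITY_FIPS, which is the intended behaviour and worth a word in the commit message.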
--
2.50.0
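A model of the method selection before and after this hunk, added here as an illustration; it is not code from the kernel or from the patch author. The enum names, method_from_io() (a reduction of the Bluetooth LE legacy pairing IO-capability rules to Just Works versus Passkey Entry) and policy_accepts() (the pairing-request rejection the commit message refers to) are this example's own assumptions, not the kernel's get_auth_method() table or its callers. The model shows the inconsistency the patch closes (local HIGH, remote without MITM, passkey-capable IO) and the edge case that remains with the caller's policy: NoInputNoOutput on either side still yields an unauthenticated method, so the caller must reject it.

```c
/* Model of legacy SMP pairing-method selection around tk_request().
 * Written for this page as an illustration; not the kernel's code.
 * The IO-capability mapping and the policy check are assumptions that
 * approximate the LE legacy pairing rules and the pairing-request
 * rejection described in the commit message. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum io_cap { IO_DISPLAY_ONLY, IO_DISPLAY_YESNO, IO_KEYBOARD_ONLY,
	      IO_NO_INPUT_OUTPUT, IO_KEYBOARD_DISPLAY };
enum method { JUST_WORKS, JUST_CFM, PASSKEY_ENTRY };
enum sec_level { SEC_LOW = 1, SEC_MEDIUM, SEC_HIGH, SEC_FIPS };

#define AUTH_MITM 0x04	/* MITM flag in the SMP AuthReq byte */

/* Assumed simplification of the legacy (non-SC) IO-capability table:
 * a NoInputNoOutput side forces Just Works; two display-only devices
 * also get Just Works because numeric comparison exists only in Secure
 * Connections; otherwise one side can enter a passkey the other shows
 * or enters, which is authenticated Passkey Entry. */
static enum method method_from_io(enum io_cap local, enum io_cap remote)
{
	bool local_kbd, remote_kbd;

	if (local == IO_NO_INPUT_OUTPUT || remote == IO_NO_INPUT_OUTPUT)
		return JUST_WORKS;

	local_kbd = local == IO_KEYBOARD_ONLY || local == IO_KEYBOARD_DISPLAY;
	remote_kbd = remote == IO_KEYBOARD_ONLY || remote == IO_KEYBOARD_DISPLAY;
	if (!local_kbd && !remote_kbd)
		return JUST_WORKS;

	return PASSKEY_ENTRY;
}

/* Pre-patch behaviour: the remote AuthReq alone decides. */
enum method select_method_before(uint8_t remote_auth, enum io_cap local_io,
				 enum io_cap remote_io)
{
	if (!(remote_auth & AUTH_MITM))
		return JUST_CFM;
	return method_from_io(local_io, remote_io);
}

/* Post-patch behaviour: the local pending security level is consulted
 * too, so a responder that requires HIGH (or FIPS) goes to the table. */
enum method select_method_after(uint8_t remote_auth, enum io_cap local_io,
				enum io_cap remote_io, enum sec_level pending)
{
	if (!(remote_auth & AUTH_MITM) && pending < SEC_HIGH)
		return JUST_CFM;
	return method_from_io(local_io, remote_io);
}

/* Assumed model of the pairing-request policy: an unauthenticated
 * method is refused once HIGH or better is pending. */
bool policy_accepts(enum method m, enum sec_level pending)
{
	if (pending >= SEC_HIGH && (m == JUST_WORKS || m == JUST_CFM))
		return false;
	return true;
}

/* True when both selections lead to the same accept/reject outcome. */
bool selections_consistent(uint8_t remote_auth, enum io_cap local_io,
			   enum io_cap remote_io, enum sec_level pending)
{
	enum method before = select_method_before(remote_auth, local_io, remote_io);
	enum method after = select_method_after(remote_auth, local_io, remote_io, pending);

	return policy_accepts(before, pending) == policy_accepts(after, pending);
}

int main(void)
{
	static const char *const names[] = { "JUST_WORKS", "JUST_CFM", "PASSKEY_ENTRY" };
	/* Constructed cases: remote AuthReq, local io, remote io, local level. */
	struct { uint8_t auth; enum io_cap l, r; enum sec_level sec; } cases[] = {
		{ 0, IO_DISPLAY_ONLY, IO_KEYBOARD_ONLY, SEC_HIGH },	/* fixed by patch */
		{ 0, IO_NO_INPUT_OUTPUT, IO_KEYBOARD_DISPLAY, SEC_HIGH },/* caller must reject */
		{ 0, IO_DISPLAY_YESNO, IO_DISPLAY_YESNO, SEC_MEDIUM },	/* unchanged */
		{ AUTH_MITM, IO_KEYBOARD_DISPLAY, IO_DISPLAY_ONLY, SEC_MEDIUM },
	};
	size_t i;

	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		enum method b = select_method_before(cases[i].auth, cases[i].l, cases[i].r);
		enum method a = select_method_after(cases[i].auth, cases[i].l, cases[i].r, cases[i].sec);

		printf("case %zu: before=%s (accept=%d) after=%s (accept=%d)\n", i,
		       names[b], policy_accepts(b, cases[i].sec),
		       names[a], policy_accepts(a, cases[i].sec));
	}
	return 0;
}
```

The first case is the one the patch targets: before the change the responder picks JUST_CFM and its own policy then refuses the pairing even though a passkey-capable pair of devices could have authenticated; after the change the table yields PASSKEY_ENTRY and the policy accepts it. The second case shows what the patch cannot fix on its own: with NoInputNoOutput on one side, the table result is JUST_WORKS, and only the caller's rejection keeps a HIGH-level connection from proceeding unauthenticated.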
Thread overview: 6+ messages
2026-03-30 15:33 [PATCH v3 0/2] Bluetooth: SMP: honor local MITM requirements for legacy pairing Oleh Konko
2026-03-30 15:33 ` [PATCH v3 2/2] Bluetooth: SMP: derive legacy responder STK authentication from MITM state Oleh Konko
2026-03-30 15:33 ` Oleh Konko [this message]
2026-03-30 16:25 ` Bluetooth: SMP: honor local MITM requirements for legacy pairing bluez.test.bot
2026-03-30 16:27 ` [PATCH v3 1/2] Bluetooth: SMP: honor local HIGH security when selecting legacy pairing method Luiz Augusto von Dentz
2026-03-30 19:36 ` Luiz Augusto von Dentz