From: Oleh Konko <security@1seal.org>
To: "linux-bluetooth@vger.kernel.org" <linux-bluetooth@vger.kernel.org>
Cc: "marcel@holtmann.org" <marcel@holtmann.org>,
"luiz.dentz@gmail.com" <luiz.dentz@gmail.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: [PATCH v3 2/2] Bluetooth: SMP: derive legacy responder STK authentication from MITM state
Date: Mon, 30 Mar 2026 15:33:19 +0000 [thread overview]
Message-ID: <d96e58df403e416988e4a742cf2267a2.security@1seal.org> (raw)
In-Reply-To: <bt-smp-v3-b13a5d5f53ed4efaba74be7539453366@1seal.org>
The legacy responder path in smp_random() currently labels the stored
STK as authenticated whenever pending_sec_level is BT_SECURITY_HIGH.
That reflects what the local service requested, not what the pairing
flow actually achieved.
For Just Works/Confirm legacy pairing, SMP_FLAG_MITM_AUTH stays clear
and the resulting STK should remain unauthenticated even if the local
side requested HIGH security. Use the established MITM state when
storing the responder STK so the key metadata matches the pairing result.
This also keeps the legacy path aligned with the Secure Connections code,
which already treats JUST_WORKS/JUST_CFM as unauthenticated.
Fixes: fff3490f4781 ("Bluetooth: Fix setting correct authentication information for SMP STK")
Cc: stable@vger.kernel.org
Signed-off-by: Oleh Konko <security@1seal.org>
---
net/bluetooth/smp.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index a9fb9b513d6..0e20497988e 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -1019,10 +1019,7 @@ static u8 smp_random(struct smp_chan *smp)
smp_s1(smp->tk, smp->prnd, smp->rrnd, stk);
- if (hcon->pending_sec_level == BT_SECURITY_HIGH)
- auth = 1;
- else
- auth = 0;
+ auth = test_bit(SMP_FLAG_MITM_AUTH, &smp->flags) ? 1 : 0;
/* Even though there's no _RESPONDER suffix this is the
* responder STK we're adding for later lookup (the initiator
--
2.50.0
prev parent reply other threads:[~2026-03-30 15:33 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-30 15:33 [PATCH v3 0/2] Bluetooth: SMP: honor local MITM requirements for legacy pairing Oleh Konko
2026-03-30 15:33 ` [PATCH v3 1/2] Bluetooth: SMP: honor local HIGH security when selecting legacy pairing method Oleh Konko
2026-03-30 16:25 ` Bluetooth: SMP: honor local MITM requirements for legacy pairing bluez.test.bot
2026-03-30 16:27 ` [PATCH v3 1/2] Bluetooth: SMP: honor local HIGH security when selecting legacy pairing method Luiz Augusto von Dentz
2026-03-30 19:36 ` Luiz Augusto von Dentz
2026-03-30 15:33 ` Oleh Konko [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d96e58df403e416988e4a742cf2267a2.security@1seal.org \
--to=security@1seal.org \
--cc=linux-bluetooth@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luiz.dentz@gmail.com \
--cc=marcel@holtmann.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox