From nobody Fri Apr 3 08:39:29 2026 Received: from OSPPR02CU001.outbound.protection.outlook.com (mail-norwayeastazon11023128.outbound.protection.outlook.com [40.107.159.128]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 78F8D26B098; Tue, 31 Mar 2026 11:52:17 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=fail smtp.client-ip=40.107.159.128 ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774957939; cv=fail; b=SKXgpalSzfVTXlqlm0K+uBctj6f6lVBO/myS9RRRq1GyKOFdxZ4LJOwsa6I0syNBX3e4OoFFYa6XIx620LNHBVjwGyQXtdhvl3uuotGMXT8/hn107woK8A8OiktdHoM+fWcotS4Iz0wfblePNG89JazUQYh0pj9e5BcnA0DAnRg= ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774957939; c=relaxed/simple; bh=E3nfjjFRcJ84z0R7W4dcWmnl9pfiAjvIC6zJ9UZy9kc=; h=From:To:CC:Subject:Date:Message-ID:References:In-Reply-To: Content-Type:MIME-Version; b=nhlP1PZHWMmjkjOfx22jzuJlnkaTwtuZnaMIs6recNyGnekfcqJilZYJ48XZI7gduWKY5CocDfiprC7deJ9+8wHw7XIR/r7rQQexka/G/C0CxwmaHGZnVGPedOgRycK79PsAi5Nj3CYfrBmQ1ubSeSu4r4ctIZ/+NsTN5J1nsfs= ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=1seal.org; spf=pass smtp.mailfrom=1seal.org; dkim=pass (2048-bit key) header.d=1seal.org header.i=@1seal.org header.b=jPNpMJZF; arc=fail smtp.client-ip=40.107.159.128 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=1seal.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=1seal.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=1seal.org header.i=@1seal.org header.b="jPNpMJZF" ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=W9FrahTUTykLJqcB9H3f48jnde9pShZNvx1xa0ZjQDO+W84wi4qDKF8IXRhK2wWKM85qlrSTFnMwxB/4ig8A8Sr0IjDKwkopQg2uORk5zOrptfn/knNQCBZeMzBT23HujOTta1UCo2pqKMWsrDWccmBQSobLfa6YQKu7BXHaiHqB+nhFITBs5gkwnZPnEkAznCxeIoN0hMhFhP6NhY9Pj3MhSFSAMsBLu6UxkTv5eErpxGVB3LouNynCO4XtqA9YHk9TGzTijlRNkgJLI8V2D4vH/JgC23/1cOFJyBxOG82Ba+eiREYi54rNU6HouvLHlYMJFFadKhnJaUrbgnOZVg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=E3nfjjFRcJ84z0R7W4dcWmnl9pfiAjvIC6zJ9UZy9kc=; b=vzlyUwMZ2ziZGWHYS80xc4dFCVzgrXrdi6eT+Bg5cxWpxRWroasKdOhqOs2hhMa7/VLWL9UNKd0Pr+94fcDawt+RmhhzIbJMY7eMFnleoYgAWEUnyaJ0qhqYb0DUbqQllm8MAk80RfS8pGnXUV2IJhM+XwOU4KH4CmbdjH6EfoI9ha6T2N60nplwbupnpx19+fvsslLk1orZSrUu1alE+hIH62PiTacp223gRFMgDt3eD6ZVWuYwI74i4RDxgphaRibliUfvv4ufClBPG8OSOThL+pUsjl3ze7Cjf3bizeNVbKf7JYz1wM+7AyjXT2ZsQloFOTP5lfbtC00e6tSjZA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=1seal.org; dmarc=pass action=none header.from=1seal.org; dkim=pass header.d=1seal.org; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1seal.org; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=E3nfjjFRcJ84z0R7W4dcWmnl9pfiAjvIC6zJ9UZy9kc=; b=jPNpMJZF83w+IfJuzpXamFXyNG2aDOylacSn2BRxTA06dyAhaob/gZSQPMF2lC0t8s/rx0dGXBbnp0jxgMkQpTEH2LHZC7aciDPHaxF+mPpasNbuBmVUE70LJQKTUUXu5S9Ty+42UxHk1PyVrRR354E2qwOXyMPjTIfva7Yc46oX1/L1GupQwkb3oQPl2HfttvAjY/R2m/i9vS1SWB/sS26enbY4b0cJslXRAcvX6+fbulzJ3FnCLUiLD1JueTgtTk8u3f6z0fiQoUswJ0s6/blA5gOOFvh/sCLHfRGwFEw31w25B5/nlL/2st8KRy4irdoH881dxy/KdvlAE4fPBA== Received: from DBBPR04MB7673.eurprd04.prod.outlook.com (2603:10a6:10:202::5) by VI2PR04MB11219.eurprd04.prod.outlook.com (2603:10a6:800:29a::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9769.15; Tue, 31 Mar 2026 11:52:13 +0000 Received: from DBBPR04MB7673.eurprd04.prod.outlook.com ([fe80::cf39:9ba0:2b9c:419]) by DBBPR04MB7673.eurprd04.prod.outlook.com ([fe80::cf39:9ba0:2b9c:419%3]) with mapi id 15.20.9745.027; Tue, 31 Mar 2026 11:52:13 +0000 From: Oleh Konko To: "linux-bluetooth@vger.kernel.org" CC: "marcel@holtmann.org" , "luiz.dentz@gmail.com" , "linux-kernel@vger.kernel.org" Subject: [PATCH v4 1/2] Bluetooth: SMP: force responder MITM requirements before building the pairing response Thread-Topic: [PATCH v4 1/2] Bluetooth: SMP: force responder MITM requirements before building the pairing response Thread-Index: AQHcwQTPYongjHdz3kKpQ7jmWPAf/A== Date: Tue, 31 Mar 2026 11:52:12 +0000 Message-ID: <8f03334a700549ac8c712032f8ea8a3c.security@1seal.org> References: In-Reply-To: Accept-Language: ru-RU, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=1seal.org; x-ms-publictraffictype: Email x-ms-traffictypediagnostic: DBBPR04MB7673:EE_|VI2PR04MB11219:EE_ x-ms-office365-filtering-correlation-id: a164f035-6b80-44bd-9a86-08de8f1bf2c1 x-ms-exchange-senderadcheck: 1 x-ms-exchange-antispam-relay: 0 x-microsoft-antispam: BCL:0;ARA:13230040|366016|1800799024|376014|38070700021|7055299006|18002099003|22082099003|56012099003; x-microsoft-antispam-message-info: RAapRlFkyp2lS0n719hr+Yvo46kPiPDm0I2dZMyoKEM84qHbBLqzpEfdcc6HB3/F8TFiOwH8lF4DP5Zd71QVeQQPN2+DxrjSgLdJ6AXw2MYC4IWATeCGFFa1wEmqEQp0blq27oDhkHkXlE9isqgulD6aRfe/Pe6jzvilY6HHql2hTGe/zGrDK80TvLTnafBC0mbEoV9uIAjz/Xepf/HnXrV9ZLLbAx+vJQ3LgrHeZf/sd26P16XDDbeSC9AwZ7eHReRMI+8cA5Q/oM+3m2OhRU7+VsNTpwBk2j2umyr/Sye34eEaEiss95Z+CacXkHPb8Ipr3B4Qa+redzSDjAzZuh2+z5HZeYiirvb0awrG3x+2qMWsDkc6xg0yhpvfLIRrcsh9EqXWF2F1YoXY3tUF49375qzOuU0ARk9fGAICNpy0BIpLaZUrD3TmUmRsLkrQlTcWEDOv7JXcQUClDkZeeUNhFTOLorbGM5F2xgAuAceTzNZaUR6Dhvgl5bTr/38TSZVuaD/gTdEI5wHdo4a758FRr394e0NG9MrW33SmNONtp0rg3h5IkRF3VX6El5YPR5b7c7p/77PX5m3+NaTMe6YkVXPxUT0LQu6ruHSeOtDNjXAcdEO167HgxOJvheLGLcDAQ1XlXPBOc+nXEf+naPAuEGxAZrnIoxDN37IIHrZzsaNF396V3uxTfkrIw6k3NdW4uxPsr3qDq/y+zhK0LxAPngm7IFB8cxphOMk9FFRDW2TmTJ0IErZ/bjvVzckOFEojqfCCb/+SL3UJrFu2Rw9UQBOWG6C2bjPNYmzYoKvGIpXVV1oV4Bu0DR/7O2BN x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DBBPR04MB7673.eurprd04.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(366016)(1800799024)(376014)(38070700021)(7055299006)(18002099003)(22082099003)(56012099003);DIR:OUT;SFP:1102; x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: =?utf-8?B?SUp1bjRTeFRqUXhYQm9JYVFzcnBPejhlWEFBblpWQ2pDRFVMRU1EZWhNcnhj?= =?utf-8?B?UkNGNnNtRHRsaVJ2S1ExZVhDWXd5SnQ3UlRKY2lKaGRNZmE2VVJoMU9OdXJL?= =?utf-8?B?aTdsUURYdWp3Rk51V2t1TkRyeFMwcXZuS2M3RDNDZU1PNzBPM3ZOVk0vWGlH?= =?utf-8?B?SmdGNWt1dURHK3p3MGJSMUF2VzE1VDR2OVZYQW13eHdsb2FsTHVLVjNWTWZT?= =?utf-8?B?VWJJQnNvMG9SVHFudTQxK2lRd2ZDWHpRTGtiUmJsMzZONy9vY2F2WnJGb1h3?= =?utf-8?B?aXJwYkp5UWcwWVdPN3R6TTFmQ21aaXd1Q1JaMXlKQWZ6YVpCOEVGeUFnd2NJ?= =?utf-8?B?b1lCb1ZYdUppSTRNejBsQ2UwbDc4NGdWenpCZi9PL0UvY0tyUzFjeEZtUVFM?= =?utf-8?B?OSsrOFRwMEk5MWQ5cG9EV0FjUlNEQ3RGK2pQaXBiQ2hYa0JrK1VVckRGclhN?= =?utf-8?B?UnJZNmJUdXlMYmlNVjZBYkV1QmxaVzNJcFZ0OHNnTG43MWMxZEt0VWVadGRU?= =?utf-8?B?ZjdBWE9JZndDNjhpUThsZmp6SWpKMWlrcmROS3N1RDBnTjdaSkFaTDBVWnB2?= =?utf-8?B?ZG40bVpuZk1XU2s5L1Y1b2ErTFpzbTFqd0ZQMVB4SlZ0VkRlRXVLQU9nTUVZ?= =?utf-8?B?c1lTTTVKa3hiVi9UaEFRWFB6eTh4ZWFKaDhrWHZkY1FhSXJwaXZJZHU2Zm9h?= =?utf-8?B?MmhyQ2NHRTIrRlorRUJRbzROM3p4eVdESkdTTWk3YWZlUWhXeWx0aUtwRTJE?= =?utf-8?B?OExtYi90a0ZvQndxZU9VZjIzdk1tRzMzNWdEY3pINFhtdENwM0FJQW8yUGp1?= =?utf-8?B?ZFJtSjY4T3Q3czAwZm15RGIxRFVzREVrKzN6OTduSGhISURZbWpJSnhMODBH?= =?utf-8?B?bGk2dGludjNFUk01bWFDUTVLN05RMjVXR0tMcTl2d3VLNjZTcjF3bEtoQml5?= =?utf-8?B?Y01QemtYYnhRWjFkVFAzbXJ6K0lkNEwrWUdUN2c5SkJpb0dsN095QlFXQ2JY?= =?utf-8?B?cmErOVl1OTdYdkNOajdPaS83ci9FY2lpeURBV21wV1hHZjZ3ZlNkTTNRKzdx?= =?utf-8?B?bytnWE1IY1BHQnZMc0x6TDE1dHhzVHNuNmJrUWJIb0NKbElEUWY4c2lKU2Rt?= =?utf-8?B?d2p2NGJVdEdqRGQvUlJCOUM1YWtzMlowRHo5T0VtbEoyMThkekpnd1g4TmZV?= =?utf-8?B?RlVZaFhjNnRUVEZYZTJzNWgrUC9IWm1JeXRZVGZhaFNwbmhmSXdUNXV1aG13?= =?utf-8?B?YmFnVWlqazBSVHRGZXBnOWthSGVROVhmcUJ3Zm5MbXVkdC9ySDlQdTNjUVNV?= =?utf-8?B?VGxOditLd21XRzZDUWVvNWU0SndhQ05xdCtTS1pCbjRaRG1ub09HakFUdzNE?= =?utf-8?B?bkVXUlJhTkFqWDRhYktYWll5Mi93U3FCVkloMEQ4bHp6NEw4eXd0N1VXRlRC?= =?utf-8?B?WHZIWmlURGQxMEdocC9vVGFORzJRZzNtZE95OTA4eGQ3Z3YyZDFMNEZOZXdt?= =?utf-8?B?UXYwdjRYUCtqa0FMQXlCb09SOC9XZTJJU1d5Qkh2Rmpzb0NTbm9JdlpFSHlt?= =?utf-8?B?dmx2TzZId1RnWk1pRHBQRmZqSERlOFlYdFNrV2w2QjkvczVNRGcxNmc5eHBR?= =?utf-8?B?ZUJHMmNncThuViswMHBVbUVpbkpFaU92dUExa01WUjBRL1dxbnpXOUN5aXVl?= =?utf-8?B?YTJ6d283RFBCWFhIajZ1KzZJZ0pJSDZaczQ2cVgvZ0dmakFVRENUamNuOGlD?= =?utf-8?B?c3ZRVEFhcFh6VjllWjArdDBGL09FZGczMEJVTmpPWFZCTHNiNEp2Ry9idmZm?= =?utf-8?B?RUhSbkRFcXY1dlZhVGU3b1lQcVpBYi80OVhBVU85REtCV3F4WDhKeDhsOTVl?= =?utf-8?B?UG1YNWZOYTJhR0xnNURGd09FZDdENm1EVDgwdnl0L29nazdMcGU0VndEcWFS?= =?utf-8?B?WlVhSDlZSTdESVFmTzhyR1JtbVo3SFdoOEprS05wa2tQOFZIYSt4YzFjdWJP?= =?utf-8?B?OWt5d0tlYUwwd1lJRjB4TXNQZXdZNVlMQ1JIOFBMQUxjRkVVcFIvaU5rSFJF?= =?utf-8?B?U2Q5clA2akFRTG5LV2ZkV3NaUjNscGovOGprVHVmRjlPK0lyNEhtL0taVG5D?= =?utf-8?B?UEdHcXE1V3hUWXZnUTJER0ZSYVg3UUNiZ2VUUEVUa0RvdE9Sb1AvR3lXaGp1?= =?utf-8?B?UzN5V0lmcjNXd2VPbk1LV1NQNzU4b0RsbWxsU0dyYS9DRWZpcW5Xb0FnajhB?= =?utf-8?B?ZGZ1S3J2dXg1UFF5TjBiQiswZkVVMHdnT25sNjhKdXJNK1FQc3lveHZzcFlz?= =?utf-8?Q?FajqU1Z//3CtvNDTeT?= Content-Type: text/plain; charset="utf-8" Content-ID: Content-Transfer-Encoding: quoted-printable Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-OriginatorOrg: 1seal.org X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: DBBPR04MB7673.eurprd04.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: a164f035-6b80-44bd-9a86-08de8f1bf2c1 X-MS-Exchange-CrossTenant-originalarrivaltime: 31 Mar 2026 11:52:12.7509 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: e701d992-0f02-433e-a019-4256abe96ea1 X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: ZqPKI6pGvFX1fV1rOqKAQElIBIcGJvodzxyzKXTpdpZXXqVNeDGuFBQjZ1XVyCK81yi1iE2t9cdBkBP+ON/YCw== X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI2PR04MB11219 smp_cmd_pairing_req() currently builds the pairing response from the initiator auth_req before enforcing the local BT_SECURITY_HIGH requirement. If the initiator omits SMP_AUTH_MITM, the response can also omit it even though the local side still requires MITM. tk_request() then sees an auth value without SMP_AUTH_MITM and may select JUST_CFM, making method selection inconsistent with the pairing policy the responder already enforces. When the local side requires HIGH security, first verify that MITM can be achieved from the IO capabilities and then force SMP_AUTH_MITM in the response before build_pairing_cmd(). This keeps the responder auth bits and later method selection aligned. Fixes: 2b64d153a0cc ("Bluetooth: Add MITM mechanism to LE-SMP") Cc: stable@vger.kernel.org Suggested-by: Luiz Augusto von Dentz Signed-off-by: Oleh Konko --- net/bluetooth/smp.c | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c index e67bf7b34ea..4eaadbe0d2f 100644 --- a/net/bluetooth/smp.c +++ b/net/bluetooth/smp.c @@ -1809,6 +1809,19 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *con= n, struct sk_buff *skb) return 0; } =20 + /* If we need MITM check that it can be achieved. */ + if (conn->hcon->pending_sec_level >=3D BT_SECURITY_HIGH) { + u8 method; + + method =3D get_auth_method(smp, conn->hcon->io_capability, + req->io_capability); + if (method =3D=3D JUST_WORKS || method =3D=3D JUST_CFM) + return SMP_AUTH_REQUIREMENTS; + + /* Force MITM bit if it isn't set by the initiator. */ + auth |=3D SMP_AUTH_MITM; + } + build_pairing_cmd(conn, req, &rsp, auth); =20 if (rsp.auth_req & SMP_AUTH_SC) { @@ -1826,16 +1839,6 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *con= n, struct sk_buff *skb) if (sec_level > conn->hcon->pending_sec_level) conn->hcon->pending_sec_level =3D sec_level; =20 - /* If we need MITM check that it can be achieved */ - if (conn->hcon->pending_sec_level >=3D BT_SECURITY_HIGH) { - u8 method; - - method =3D get_auth_method(smp, conn->hcon->io_capability, - req->io_capability); - if (method =3D=3D JUST_WORKS || method =3D=3D JUST_CFM) - return SMP_AUTH_REQUIREMENTS; - } - key_size =3D min(req->max_key_size, rsp.max_key_size); if (check_enc_key_size(conn, key_size)) return SMP_ENC_KEY_SIZE; --=20 2.50.0 From nobody Fri Apr 3 08:39:29 2026 Received: from OSPPR02CU001.outbound.protection.outlook.com (mail-norwayeastazon11023128.outbound.protection.outlook.com [40.107.159.128]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4979D3DD501; Tue, 31 Mar 2026 11:52:19 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=fail smtp.client-ip=40.107.159.128 ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774957940; cv=fail; b=g8fSKpTy+USdCK7aquLTBFcNq9Xg6KA09xFFEa+W0rLQQCYDA1YS0RhWnxYHblLaysiCSTQ9sJtTq1q7o5liVa9N/pAL26v8IqR5kgEATLjyeNp358OOztMY2b58EFH1tKxDla0tBDARt60o5JQef83uwB3ssKvb9fO6akZvblE= ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774957940; c=relaxed/simple; bh=WEfVexNHEVaNfW1o/iRZHOp5ebP/Ic8sSAe+f7OeGDY=; h=From:To:CC:Subject:Date:Message-ID:References:In-Reply-To: Content-Type:MIME-Version; b=ChT7HdIgmIPreZR3/a3VAmCjh8sGtpHM7P1TR6GD+1tyRVT7VQFsOAIWdHw6vfxfbwn4y4xBdQ+QzuscEx5zGZ6Ll/ZNpbElrwPB8xvvBp+paA7xgMgXpmTMmPPtlnamJnjd7rSmJ5o4rlMG6jGLHxIUNREPv3d2uYvA8IikT/s= ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=1seal.org; spf=pass smtp.mailfrom=1seal.org; dkim=pass (2048-bit key) header.d=1seal.org header.i=@1seal.org header.b=Mi5pP7cR; arc=fail smtp.client-ip=40.107.159.128 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=1seal.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=1seal.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=1seal.org header.i=@1seal.org header.b="Mi5pP7cR" ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=uejrFhQMCxpGni1snheAtPmjEBH3MUdcHcTkmIR7abPbpFOw+dt6h+qVtyb9lv2Ts4I7dSSxRWQWoClEJIkxBEBK6XERBZn6TAqoWS08k5C8qU34ZTNb3uV27bGfshQaVtbE5vQ9QRwyVI07CTzzIgwyzr9JdaxELETm/ZGhvB6BMZgGBn074xX0h7yzlLUDXhivFqC6BmSXLuxZAtQj30N8NzKwiFB8uuL7KgmTXSIcpTwplZlfa1r8CQJCL3N3eNbCyNyM48DHn/26SYkILIGEuPpA52aCNJ2vU7GHkbyT4/k9y7lOtxggEe1auD2ZiLo4+tgMebYrf1MyOeatVw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=WEfVexNHEVaNfW1o/iRZHOp5ebP/Ic8sSAe+f7OeGDY=; b=fcqJXg4LSJFQSYsBw36SCYzNvVEuKL+HyUpiyEPieVFmjyoXDCkTByTL2PgGPzjr4MMN6HqIqTlDWResP60FPkxjQZz4/CfuHrtWstZuP87Qz/ZpP/yZWGpiBcISaD3+yToDACRKxnbz7RiNSr6gIvHSko8uo/xBi/d+LFVYIgGPKaueJogfYEG7yvFyW7SN6k6njdloPBYOcJJExzp/IzIFwiURiS2whcQntpe2pxEMjehEYEE+oPnpJe1B1GZzRmKzveK5EggbHmMTJEM9UX6bUE4IrNuzCaYU0FDz4ru1gP1p/i7f9ITjbXu+xm+Jf85tYZ+ngPq6lRXc5pMIQw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=1seal.org; dmarc=pass action=none header.from=1seal.org; dkim=pass header.d=1seal.org; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1seal.org; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=WEfVexNHEVaNfW1o/iRZHOp5ebP/Ic8sSAe+f7OeGDY=; b=Mi5pP7cRhTmATPBkzvD+3YjrpeocksnyOmm1ej9S/Xu/yNNcQxqQg/NLxGIY4+IwIdetBzHInZaBBrFIJd6Za1p/sGKV6vxwKC3dOnXdFol2dFAuxEpEBC5r79CUH8xoDv/zHUmDsZnNauhG/bzPZ2bBcWTEjrmqkwphJ6fPgdk8pW5iHg9jEE5wSgCRh/KvQUOWabQGmRYW4eaKjLO8hnylv6+LVozZ/HIfN+FePu6898VkMGh/8nL/jJKz1lU8P9VJ2p/L5Ywet1p1toq4Ywo0rZ0CQT+oJdSFRgOZZz2/8Syi7971bpkS+got60bUeDPIBSyQ1ihVh61AQiKxcQ== Received: from DBBPR04MB7673.eurprd04.prod.outlook.com (2603:10a6:10:202::5) by VI2PR04MB11219.eurprd04.prod.outlook.com (2603:10a6:800:29a::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9769.15; Tue, 31 Mar 2026 11:52:13 +0000 Received: from DBBPR04MB7673.eurprd04.prod.outlook.com ([fe80::cf39:9ba0:2b9c:419]) by DBBPR04MB7673.eurprd04.prod.outlook.com ([fe80::cf39:9ba0:2b9c:419%3]) with mapi id 15.20.9745.027; Tue, 31 Mar 2026 11:52:13 +0000 From: Oleh Konko To: "linux-bluetooth@vger.kernel.org" CC: "marcel@holtmann.org" , "luiz.dentz@gmail.com" , "linux-kernel@vger.kernel.org" Subject: [PATCH v4 2/2] Bluetooth: SMP: derive legacy responder STK authentication from MITM state Thread-Topic: [PATCH v4 2/2] Bluetooth: SMP: derive legacy responder STK authentication from MITM state Thread-Index: AQHcwQTQBPWzq9TR0EaHRBcDdug2Yw== Date: Tue, 31 Mar 2026 11:52:13 +0000 Message-ID: <5fd853078b1a4880b9c598a8e964d357.security@1seal.org> References: In-Reply-To: Accept-Language: ru-RU, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=1seal.org; x-ms-publictraffictype: Email x-ms-traffictypediagnostic: DBBPR04MB7673:EE_|VI2PR04MB11219:EE_ x-ms-office365-filtering-correlation-id: 63f00e0c-dead-4a83-fda1-08de8f1bf2fe x-ms-exchange-senderadcheck: 1 x-ms-exchange-antispam-relay: 0 x-microsoft-antispam: BCL:0;ARA:13230040|366016|1800799024|376014|38070700021|7055299006|18002099003|22082099003|56012099003; x-microsoft-antispam-message-info: u3ERQpsOrhupkfxMBkwKJQd6uM5ibqV37XZfkoJw8bjOmizUec94I3NrdKKuVbrac1VWE8hH8ZMVdAYeXwpFMtGdVm5HGppbVfQCV8xfJ5xALk4tACV5WHtvaNY2n+CFsoqDPoEE+m1q+U9C6Qsm382EZWPfAan3SsD3KA6k6kDBvQObQ7iDnLBAImhZnds561z+mtUu1Q/tfqubk4R0HDztaak53f0XSZovz9idRVGlpgeJhI7L0m31JgUjYFAKfxRAQpfUwIDqx0zRkKRN4o6YPSJ+rIzryfkV8J1iLRS9RXLZvkMS68+eG36xOBryZTtViQLs776ruYi2Aq+8sEoaFTkEaXUeKJ5m4PC5oqbFadUvXa/b7x5Fu810ZHgc/pHi3+pNYNc1H63mGrP3l2U2VY1cvQvJsX0HttccKnN4M0kwBE2ArbHqSXHAf8Sv04kJXbLbJFYHyiofNOOfHlnPWg2wqUlSCpvtNmdI0tvz4xv8Wi7HAkfxnBTgteykc0nyO6fdPh5Lo8QXApPTF9nknbrmTV7PqPE5CFqsFcQiezI0lG3hcmFOfH+Mi7A4vorfzYnO8H7DGldfvMQr/dzPQIgQsZc9J+8GGE1/KTfL9smvZWEKGm/50te8h5ioWq+V0abY3AnIW0VhpavH3m/kZF26eSOFUvu08uvBHfsTcXjxGOOCNQ0AgxZ4XeT4/Jq5u4xPS87p6rf5XIK9sVcJthM2AN00Zlbh409+K1009tTB9fW8RbnQyvMlUqoAIJbjqi8BGEvcJSybJMApUdUVyKA329KqwTe2+TkpoJKvEvfz7NvC4En4NBemt7yS x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DBBPR04MB7673.eurprd04.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(366016)(1800799024)(376014)(38070700021)(7055299006)(18002099003)(22082099003)(56012099003);DIR:OUT;SFP:1102; x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: =?utf-8?B?TytneWZIRDlzSU5Oc3IraGlrWlgrV3FqZ1ZTQ1RPeEhqeWlrZFQ1d21yWDBq?= =?utf-8?B?VmJZSFN5aGNKL2x2bWRiZnJtWUFMUUo1MUdBbjJURFVFVjBxOXJ6UE9ubjQy?= =?utf-8?B?cUNhRENXSk13TFpxYnI1bGZmeUdiMnE0dFFNUFdqZ0gzM0pGdFdBZ21QOE5x?= =?utf-8?B?VlJMdnNsRjJzRXdvZnBjTUwrNFRIRHZOVThSZDl5RENIVEcyUldoaVJhQnMz?= =?utf-8?B?YkVwWFErektxQWFGc3dxZHk4eEZoV1RoNXNiUmNTalplT3B5SDVRTG10bDM2?= =?utf-8?B?NXNyREhyVDdRc1Q4OVZ4cUhodU1MYXB3VTdLUnZNNG1WR0tIL1FBREZEN0g2?= =?utf-8?B?c1JBejdqK3o5c21uejJzeEZOcEFVYVp5WDBBVWk5SGZFWnRoazVNTTB5SDRy?= =?utf-8?B?SzBrRnBMY200Y3lPUTNjaENMc0s4UVV2U0d3Vnh6a1h1cmptU0M1S2l1aDBL?= =?utf-8?B?Z09rMWFYNXZmTVdpVm1wWUliVW1ybUJ0ejBYdDlKYjNVTUp4ZUNXTUlCeDdI?= =?utf-8?B?b01UeFl4Uk9uMVl3eGNXdkk5SjRGSjdXcU9kVTRGU2tLMVpNTUYwS3l3L2dT?= =?utf-8?B?WTFUTjArWVYxWmUxZzhpQmN6Qy9yL2thZElZYlAraDU0T09FVE9XcVN2ZExI?= =?utf-8?B?anp1cVpjYnhKOSticld3WjNjcUpvdWJQeTVQVEpWcjdOaHE1aFVxNEFKWTZr?= =?utf-8?B?cWxHWkVBMGoyQ1lTanI5WEpRV1g1dWd4cUdmUk9KVnBkZDZOTTVkZFRKeVQr?= =?utf-8?B?Z0pNU09MbVdEQzV6OE55ZDlXNFEyMEoxbFhhbDVuM0IyNXBHcmh3b1Nrak5t?= =?utf-8?B?bUI1TVBOYjgxcU9yR1ZhVGtqNzhha0U5UWh6N1pMbk9HQTRUS0dJVU03cGox?= =?utf-8?B?S2wzQkpDNUpLYnZRT01xWSt3VXJUdThINjB1QSs3c2htRHpNMXA0R2hhM0ZX?= =?utf-8?B?Z1liSHFoVnl5bmNtdWFvamk0WC9JTDYwSEtoVEo4c0hVRlVXVG5halo2Y1dr?= =?utf-8?B?cFJvZmwvSUZtOVpMandDM0xFVWZMN1U3bFhObWx5RXlSTWsvQzlyekliYVY5?= =?utf-8?B?VXBIYkwxaEc0VkJZWWNpZEp3elc3c3BjckZKV2Y5a1VYNmJyTHh5bnZEM0Y0?= =?utf-8?B?L0hWc3hPclQrNVNMaklJd3VQb0JlVDlhMk8yMDFpbE1OaDk3TVN0bzJlTHo5?= =?utf-8?B?T2F2QStvcEdwbzJOaHoxTlBMV0Radjc2WkdGUXpRTTRwS0F4VjN1WUlTbE40?= =?utf-8?B?aG4wSDJ6cFYzMFhjcFpzM3ROcy9KaTZkLzROS05XNU9GUGJSUEt3bVA0bitZ?= =?utf-8?B?ODMxL08rcE5IOUNrbUhxUlVBTHdJMFI3dGl4T05aMTZ2bXFVSDdZTmgydTNK?= =?utf-8?B?d2FkRlp3bG0vc0FHTEN2S3ovOVhwblVvK0lBdDFheXcyQ1pOYnpmVGNJb0cr?= =?utf-8?B?Z1MxL3c4WVVrVzA5aDdKdWpPUzRabkErdEJJRnpMMGZ4cXQySUY5Ty9Fcnpk?= =?utf-8?B?VjdVcFVqWjlYbTZ4Z0taY2xjd1dlVWJROXNxK0FVdTJEQ3hiQ3F6TUF4d0l5?= =?utf-8?B?cWpqNkhWRDhiclpSV2hUZ2lBT21PNEdkYnJOMGcwUTVkZnRUOW5EYzVUOGhX?= =?utf-8?B?aENuemlJRmFFOXpSa3U4WFZYWFZaOWp6dGswWFU5bkZLRGFZMXdsZ25iSnpk?= =?utf-8?B?QTNFMURPeEdqZjZKTzMvTFgrNVRhWXR6bExISEUvOEcxMDRXaStGNFFTQVJj?= =?utf-8?B?TW0xRlp0REpjakEyYWtxSmJxdE0xOVd1Z3FaemtDYzJyZlMzWExVTVdwVWJR?= =?utf-8?B?Nk9nQ2tja2NrZDJtaEVlUWRvc2xaOElTSDFFRUxzc0s1RVlSVmllMzQ3UUJ5?= =?utf-8?B?dk0vY254ajE0T3lqMjFTZTY2MEJoMkFDN2ZvS09yYnZ3UmhUZG1FVjgrMWF3?= =?utf-8?B?ME5OZkZyblQ4R2pEelF3a2tJeWpRczNpOERvNkRwWEh1R0tHNnRCYllSZnBw?= =?utf-8?B?c1UycVFZczh0c3BxV3A1U3RPeFhod2M5ZVdwTWNuazg1VFJiUVFYS1FuWW9T?= =?utf-8?B?cGxDWEs4MGNRRmk5WVRoczBlSFplVmNaRE43SG53VHJRWUtxc1BUem9zVU5W?= =?utf-8?B?S3JvRUI1SmxFeGRsNDRHejVBY1NFZ1BuZG04MW5pWnJnRXZDbzJNRWxOcm5x?= =?utf-8?B?V1IyK1Q5T2RJSVBXVXNXTS9xWEdYMUdMUGtGZ0NSVmJFWE0rOTdQWkFocWc5?= =?utf-8?B?SjIvdU9vY0Yxa3Y5MVhEeVVrUHRxSmZpQVduYys5Sk5HbFRZRjhudkwxekRD?= =?utf-8?Q?rNx2E6iBRiEUyKpngj?= Content-Type: text/plain; charset="utf-8" Content-ID: <7E5D33AECB46894C9E2A8D9A635DEB7D@eurprd04.prod.outlook.com> Content-Transfer-Encoding: quoted-printable Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-OriginatorOrg: 1seal.org X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: DBBPR04MB7673.eurprd04.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: 63f00e0c-dead-4a83-fda1-08de8f1bf2fe X-MS-Exchange-CrossTenant-originalarrivaltime: 31 Mar 2026 11:52:13.1664 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: e701d992-0f02-433e-a019-4256abe96ea1 X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: tgLkT2jDZyZ/hkpdiZloyfACFI7zD9ecsEwtkD9L1XjCHXnutOfLVSd8/hnu9+7Ocnht6kqPFS7di88ONMDIiw== X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI2PR04MB11219 The legacy responder path in smp_random() currently labels the stored STK as authenticated whenever pending_sec_level is BT_SECURITY_HIGH. That reflects what the local service requested, not what the pairing flow actually achieved. For Just Works/Confirm legacy pairing, SMP_FLAG_MITM_AUTH stays clear and the resulting STK should remain unauthenticated even if the local side requested HIGH security. Use the established MITM state when storing the responder STK so the key metadata matches the pairing result. This also keeps the legacy path aligned with the Secure Connections code, which already treats JUST_WORKS/JUST_CFM as unauthenticated. Fixes: fff3490f4781 ("Bluetooth: Fix setting correct authentication informa= tion for SMP STK") Cc: stable@vger.kernel.org Signed-off-by: Oleh Konko --- net/bluetooth/smp.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c index 4eaadbe0d2f..e504ccd745a 100644 --- a/net/bluetooth/smp.c +++ b/net/bluetooth/smp.c @@ -1018,10 +1018,7 @@ static u8 smp_random(struct smp_chan *smp) =20 smp_s1(smp->tk, smp->prnd, smp->rrnd, stk); =20 - if (hcon->pending_sec_level =3D=3D BT_SECURITY_HIGH) - auth =3D 1; - else - auth =3D 0; + auth =3D test_bit(SMP_FLAG_MITM_AUTH, &smp->flags) ? 1 : 0; =20 /* Even though there's no _RESPONDER suffix this is the * responder STK we're adding for later lookup (the initiator --=20 2.50.0