michaelh/zephyr
1
0
Fork 0
Code Releases Activity

Bluetooth: Classic: Fix LTK cannot be derived issue

Browse source 
The LTK cannot be derived by LK when LK is not weaker than the old LTK.

Improve the function `smp_br_pairing_allowed()` to avoid the LTK be
overwrote when old LTK has MITM protection but new LK has not MITM
protection.

Signed-off-by: Lyle Zhu <lyle.zhu@nxp.com>
This commit is contained in:
Lyle Zhu 2025-05-23 11:37:45 +08:00 committed by Benjamin Cabé
commit 5f7fbb6c1d
1 changed files with 5 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

8
subsys/bluetooth/host/smp.c
View file

@ -1263,7 +1263,7 @@ static bool smp_br_pairing_allowed(struct bt_smp_br *smp)
bt_addr_le_t addr;
struct bt_conn *conn;
struct bt_keys_link_key *key;
bool le_bonded;
struct bt_keys *le_keys;
if (!smp->chan.chan.conn) {
return false;
@ -1273,7 +1273,7 @@ static bool smp_br_pairing_allowed(struct bt_smp_br *smp)
addr.type = BT_ADDR_LE_PUBLIC;
bt_addr_copy(&addr.a, &conn->br.dst);
le_bonded = bt_le_bond_exists(BT_ID_DEFAULT, &addr);
le_keys = bt_keys_find_addr(BT_ID_DEFAULT, &addr);
key = bt_keys_find_link_key(&conn->br.dst);
if (!key) {
@ -1287,7 +1287,9 @@ static bool smp_br_pairing_allowed(struct bt_smp_br *smp)
* or MITM protection, then neither device shall generate an LE LTK using cross-transport
* key derivation from a BR/EDR link key.
*/
if (le_bonded && !(key->flags & BT_LINK_KEY_AUTHENTICATED)) {
if ((le_keys != NULL) && ((le_keys->flags & BT_KEYS_AUTHENTICATED) != 0) &&
((key->flags & BT_LINK_KEY_AUTHENTICATED) == 0)) {
LOG_WRN("Stronger LTK (MITM) cannot be overwrote by weaker LK");
return false;
}