Description
Describe the bug
In the Encryption Start Procedure, for the case when the host does not provide an LTK, the controller is supposed to send an LL_ENC_RSP before sending LL_REJECT_IND or LL_REJECT_EXT_IND.
To Reproduce
- Modify hci_core.c, le_ltk_request() to always call le_ltk_neg_reply():
// if (bt_smp_request_ltk(conn, evt->rand, evt->ediv, ltk)) {
// le_ltk_reply(handle, ltk);
// } else {
le_ltk_neg_reply(handle);
// }
- Build the peripheral_hr sample
- Connect and try bonding, expect it to fail.
- Observe the sniffer log.
Expected behavior
Send LL_ENC_RSP before LL_REJECT_IND. See the MSC in Bluetooth Core Specification v5.1, Vol 6, Part D, Section 6.7, or Part B Section 5.1.3.1.
If encryption is not supported by the Link Layer of the slave, the Link Layer of
the slave shall send an LL_REJECT_IND or LL_REJECT_EXT_IND PDU with
the ErrorCode set to Unsupported Remote Feature / Unsupported LMP
Feature (0x1A).
…
The Link Layer of the slave shall then send an LL_ENC_RSP PDU. The Link
Layer of the slave shall then notify the Host with the Rand and EDIV fields.
Impact
Possible showstopper. Peer devices may cache that the controller does not support encryption, thereby leaving the link unencrypted.
Environment (please complete the following information):
f79fbac
The issue is present in both the legacy and split controller. The issue is also present in Zephyr v.2.0.0.
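A check for the "observe the sniffer log" step, as an added example that is not part of the issue or of Zephyr's code: it classifies the slave's response to LL_ENC_REQ by whether LL_ENC_RSP precedes the reject. The type, enum and function names and both traces are constructed for illustration; the opcode values are the LL control PDU opcodes from the Core Specification.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* LL control PDU opcodes (Bluetooth Core Specification, Vol 6, Part B). */
#define LL_ENC_REQ        0x03
#define LL_ENC_RSP        0x04
#define LL_START_ENC_REQ  0x05
#define LL_REJECT_IND     0x0D
#define LL_REJECT_EXT_IND 0x11

enum enc_result {
    ENC_STARTED,            /* LL_ENC_RSP, then LL_START_ENC_REQ */
    ENC_RSP_THEN_REJECT,    /* expected order when the host has no LTK */
    ENC_REJECT_WITHOUT_RSP, /* reads to the peer as "encryption unsupported" */
    ENC_INCOMPLETE          /* trace ends before the slave concludes */
};

struct ll_pdu { int from_slave; uint8_t opcode; }; /* hypothetical log record */

/* Constructed traces: the order reported in the issue, then the expected one. */
static const struct ll_pdu sample_reported[] = {
    {0, LL_ENC_REQ}, {1, LL_REJECT_IND} };
static const struct ll_pdu sample_expected[] = {
    {0, LL_ENC_REQ}, {1, LL_ENC_RSP}, {1, LL_REJECT_IND} };

enum enc_result check_enc_start(const struct ll_pdu *log, size_t n)
{
    int seen_req = 0, seen_rsp = 0;
    for (size_t i = 0; i < n; i++) {
        uint8_t op = log[i].opcode;
        if (!log[i].from_slave) {      /* master side: only LL_ENC_REQ matters */
            if (op == LL_ENC_REQ) { seen_req = 1; seen_rsp = 0; }
            continue;
        }
        if (!seen_req) continue;       /* ignore slave PDUs before the request */
        if (op == LL_ENC_RSP) seen_rsp = 1;
        else if (op == LL_REJECT_IND || op == LL_REJECT_EXT_IND)
            return seen_rsp ? ENC_RSP_THEN_REJECT : ENC_REJECT_WITHOUT_RSP;
        else if (op == LL_START_ENC_REQ)
            return seen_rsp ? ENC_STARTED : ENC_INCOMPLETE;
    }
    return ENC_INCOMPLETE;
}

int main(void)
{
    printf("reported=%d expected=%d\n", check_enc_start(sample_reported, 2),
           check_enc_start(sample_expected, 3));
    return 0;
}
```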