Bluetooth: Host: more secure defaults for key size and legacy pairing

Default the Minimum encryption key size to 16.
Key with reduced size is easier to brut force.
Disable LE legacy pairing by default since it's not secure.

These defaults should suite majority of newly developed applications.
It's better to use sensible more secure defaults,
so applications that really need less secure option consciously change it,
not the other way around.
This may help to prevent downgrade attacks.

Signed-off-by: Sergey Korotkov <sergey.korotkov@nordicsemi.no>

doc/releases/migration-guide-4.1.rst

@@ -243,6 +243,10 @@ Bluetooth Host
 
    The default value of :kconfig:option:`CONFIG_BT_BUF_ACL_RX_COUNT` has been set to 0.
 
+* LE legacy pairing is no longer enabled by default since it's not secure. Leaving it enabled
+  makes a device vulnerable for downgrade attacks. If an application still needs to use LE legacy
+  pairing, it should disable :kconfig:option:`CONFIG_BT_SMP_SC_PAIR_ONLY` manually.
+
 Bluetooth Crypto
 ================
 

samples/bluetooth/peripheral_hr/boards/nrf5340bsim_nrf5340_cpuapp.conf

@@ -1,3 +1,5 @@
 # Set same the ACL RX buffer size as in hci_ipc on netcore so that
 # HCI Controller to Host Flowcontrol is supported.
 CONFIG_BT_BUF_ACL_RX_SIZE=255
+
+CONFIG_BT_SMP_SC_PAIR_ONLY=n

subsys/bluetooth/host/Kconfig

@@ -549,6 +549,7 @@ config BT_SMP_APP_PAIRING_ACCEPT
 
 config BT_SMP_SC_PAIR_ONLY
 	bool "Disable legacy pairing"
+	default y
 	help
 	  This option disables LE legacy pairing and forces LE secure connection
 	  pairing. All Security Mode 1 levels can be used with legacy pairing
@@ -744,8 +745,7 @@ config BT_SMP_MIN_ENC_KEY_SIZE
 	int
 	prompt "Minimum encryption key size accepted in octets" if !BT_SMP_SC_ONLY
 	range 7 16
-	default 16 if BT_SMP_SC_ONLY
-	default 7
+	default 16
 	help
 	  This option sets the minimum encryption key size accepted during pairing.
 

tests/bluetooth/host/id/bt_le_oob_set_legacy_tk/prj.conf

@@ -3,6 +3,7 @@ CONFIG_BT=y
 CONFIG_BT_CENTRAL=y
 CONFIG_BT_EXT_ADV=y
 CONFIG_BT_SMP=y
+CONFIG_BT_SMP_SC_PAIR_ONLY=n
 CONFIG_BT_ID_MAX=4
 CONFIG_ASSERT=y
 CONFIG_ASSERT_LEVEL=2

tests/bluetooth/tester/prj.conf

@@ -8,6 +8,8 @@ CONFIG_BT_CENTRAL=y
 CONFIG_BT_PERIPHERAL=y
 CONFIG_BT_PRIVACY=n
 CONFIG_BT_SMP=y
+CONFIG_BT_SMP_SC_PAIR_ONLY=n
+CONFIG_BT_SMP_MIN_ENC_KEY_SIZE=7
 CONFIG_BT_SMP_ENFORCE_MITM=n
 CONFIG_BT_SMP_ALLOW_UNAUTH_OVERWRITE=y
 CONFIG_BT_SMP_APP_PAIRING_ACCEPT=y

tests/bsim/bluetooth/host/att/retry_on_sec_err/client/prj.conf

@@ -4,6 +4,7 @@ CONFIG_BT=y
 CONFIG_BT_CENTRAL=y
 
 CONFIG_BT_SMP=y
+CONFIG_BT_SMP_SC_PAIR_ONLY=n
 
 CONFIG_BT_GATT_CLIENT=y
 CONFIG_BT_ATT_RETRY_ON_SEC_ERR=y

tests/bsim/bluetooth/host/att/retry_on_sec_err/server/prj.conf

@@ -6,6 +6,7 @@ CONFIG_BT_PERIPHERAL=y
 CONFIG_BT_DEVICE_NAME_DYNAMIC=y
 
 CONFIG_BT_SMP=y
+CONFIG_BT_SMP_SC_PAIR_ONLY=n
 
 CONFIG_BT_EXT_ADV=y
 

tests/bsim/bluetooth/ll/conn/prj_split_hci_uart.conf

@@ -4,6 +4,7 @@ CONFIG_BT_CENTRAL=y
 CONFIG_BT_PERIPHERAL=y
 CONFIG_BT_PRIVACY=y
 CONFIG_BT_SMP=y
+CONFIG_BT_SMP_SC_PAIR_ONLY=n
 CONFIG_BT_SIGNING=y
 CONFIG_BT_BAS=y
 CONFIG_BT_HRS=y

tests/bsim/bluetooth/ll/conn/prj_split_privacy.conf

@@ -4,6 +4,7 @@ CONFIG_BT_CENTRAL=y
 CONFIG_BT_PERIPHERAL=y
 CONFIG_BT_PRIVACY=y
 CONFIG_BT_SMP=y
+CONFIG_BT_SMP_SC_PAIR_ONLY=n
 CONFIG_BT_SIGNING=y
 CONFIG_BT_BAS=y
 CONFIG_BT_HRS=y

tests/bsim/bluetooth/samples/central_hr_peripheral_hr/boards/nrf5340bsim_nrf5340_cpuapp.conf

@@ -1 +1,3 @@
 CONFIG_BT_BUF_ACL_RX_SIZE=255
+
+CONFIG_BT_SMP_SC_PAIR_ONLY=n