From 2ee0e38929430d8bf481910490a8cb2d59a85f26 Mon Sep 17 00:00:00 2001
From: Sergey Korotkov
Date: Thu, 23 May 2024 14:18:45 +0200
Subject: [PATCH] Bluetooth: Host: more secure defaults for key size and legacy pairing

Default the Minimum encryption key size to 16. Key with reduced size is easier to brut force. Disable LE legacy pairing by default since it's not secure. These defaults should suite majority of newly developed applications. It's better to use sensible more secure defaults, so applications that really need less secure option consciously change it, not the other way around. This may help to prevent downgrade attacks.

Signed-off-by: Sergey Korotkov
---
 doc/releases/migration-guide-4.1.rst | 4 ++++
 .../peripheral_hr/boards/nrf5340bsim_nrf5340_cpuapp.conf | 2 ++
 subsys/bluetooth/host/Kconfig | 4 ++--
 tests/bluetooth/host/id/bt_le_oob_set_legacy_tk/prj.conf | 1 +
 tests/bluetooth/tester/prj.conf | 2 ++
 .../bsim/bluetooth/host/att/retry_on_sec_err/client/prj.conf | 1 +
 .../bsim/bluetooth/host/att/retry_on_sec_err/server/prj.conf | 1 +
 tests/bsim/bluetooth/ll/conn/prj_split_hci_uart.conf | 1 +
 tests/bsim/bluetooth/ll/conn/prj_split_privacy.conf | 1 +
 .../boards/nrf5340bsim_nrf5340_cpuapp.conf | 2 ++
 10 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/doc/releases/migration-guide-4.1.rst b/doc/releases/migration-guide-4.1.rst
index fa5cc2ed95f..d14d547b39d 100644
--- a/doc/releases/migration-guide-4.1.rst
+++ b/doc/releases/migration-guide-4.1.rst
@@ -243,6 +243,10 @@ Bluetooth Host
 The default value of :kconfig:option:`CONFIG_BT_BUF_ACL_RX_COUNT` has been set to 0.
+* LE legacy pairing is no longer enabled by default since it's not secure. Leaving it enabled
+ makes a device vulnerable for downgrade attacks. If an application still needs to use LE legacy
+ pairing, it should disable :kconfig:option:`CONFIG_BT_SMP_SC_PAIR_ONLY` manually.
+
 Bluetooth Crypto
 ================
diff --git a/samples/bluetooth/peripheral_hr/boards/nrf5340bsim_nrf5340_cpuapp.conf b/samples/bluetooth/peripheral_hr/boards/nrf5340bsim_nrf5340_cpuapp.conf
index 7ffe275701c..47108c0aec4 100644
--- a/samples/bluetooth/peripheral_hr/boards/nrf5340bsim_nrf5340_cpuapp.conf
+++ b/samples/bluetooth/peripheral_hr/boards/nrf5340bsim_nrf5340_cpuapp.conf
@@ -1,3 +1,5 @@
 # Set same the ACL RX buffer size as in hci_ipc on netcore so that
 # HCI Controller to Host Flowcontrol is supported.
 CONFIG_BT_BUF_ACL_RX_SIZE=255
+
+CONFIG_BT_SMP_SC_PAIR_ONLY=n
diff --git a/subsys/bluetooth/host/Kconfig b/subsys/bluetooth/host/Kconfig
index 0478de2f45a..8094e3ae67f 100644
--- a/subsys/bluetooth/host/Kconfig
+++ b/subsys/bluetooth/host/Kconfig
@@ -549,6 +549,7 @@ config BT_SMP_APP_PAIRING_ACCEPT
 config BT_SMP_SC_PAIR_ONLY
 bool "Disable legacy pairing"
+ default y
 help
 This option disables LE legacy pairing and forces LE secure connection pairing. All Security Mode 1 levels can be used with legacy pairing
@@ -744,8 +745,7 @@ config BT_SMP_MIN_ENC_KEY_SIZE
 int
 prompt "Minimum encryption key size accepted in octets" if !BT_SMP_SC_ONLY
 range 7 16
- default 16 if BT_SMP_SC_ONLY
- default 7
+ default 16
 help
 This option sets the minimum encryption key size accepted during pairing.
diff --git a/tests/bluetooth/host/id/bt_le_oob_set_legacy_tk/prj.conf b/tests/bluetooth/host/id/bt_le_oob_set_legacy_tk/prj.conf
index 7041a2b047e..e390d293d14 100644
--- a/tests/bluetooth/host/id/bt_le_oob_set_legacy_tk/prj.conf
+++ b/tests/bluetooth/host/id/bt_le_oob_set_legacy_tk/prj.conf
@@ -3,6 +3,7 @@ CONFIG_BT=y
 CONFIG_BT_CENTRAL=y
 CONFIG_BT_EXT_ADV=y
 CONFIG_BT_SMP=y
+CONFIG_BT_SMP_SC_PAIR_ONLY=n
 CONFIG_BT_ID_MAX=4
 CONFIG_ASSERT=y
 CONFIG_ASSERT_LEVEL=2
diff --git a/tests/bluetooth/tester/prj.conf b/tests/bluetooth/tester/prj.conf
index a5ad5cb5787..3edea64b22c 100644
--- a/tests/bluetooth/tester/prj.conf
+++ b/tests/bluetooth/tester/prj.conf
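Review bot: The `CONFIG_BT_SMP_SC_PAIR_ONLY=n` line added to the peripheral_hr board overlay has no comment, unlike the `CONFIG_BT_BUF_ACL_RX_SIZE` line above it, so nothing says why this sample opts back into LE legacy pairing. Sample configurations are routinely copied into applications, and an unexplained override is how a weakened setting outlives its reason. I would put a line such as `# Re-enable LE legacy pairing: <reason this board needs it>` directly above it. The same bare override is added in tests/bsim/bluetooth/samples/central_hr_peripheral_hr/boards/nrf5340bsim_nrf5340_cpuapp.conf.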
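Review bot: The unconditional `default y` on BT_SMP_SC_PAIR_ONLY changes what every existing prj.conf resolves to, and any symbol that depends on legacy pairing being available would now be dropped by Kconfig with only a warning unless the application also sets `CONFIG_BT_SMP_SC_PAIR_ONLY=n`. No such dependent is visible in this hunk, but the override added to tests/bluetooth/host/id/bt_le_oob_set_legacy_tk/prj.conf suggests they exist, so this is worth checking against the rest of the file. The help text, which continues past the end of the hunk, could also state the consequence where the option is defined, for example `Enabled by default. Disabling it lets a peer negotiate LE legacy pairing.`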
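Review bot: The change of the BT_SMP_MIN_ENC_KEY_SIZE default from 7 to 16 in this hunk is not covered by the migration-guide entry this patch adds, which only describes the legacy-pairing default. After upgrading, an application that relied on the old default will presumably start refusing peers that negotiate a key shorter than 16 octets, and that surfaces as a pairing failure at run time and not as a build error. I would add a second bullet to doc/releases/migration-guide-4.1.rst along the lines of `* The default value of CONFIG_BT_SMP_MIN_ENC_KEY_SIZE is now 16 octets; applications that must accept shorter keys have to lower it explicitly.`, with the symbol wrapped in the guide's kconfig option role. The config entry's help text continues outside the hunk.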
@@ -8,6 +8,8 @@ CONFIG_BT_CENTRAL=y
 CONFIG_BT_PERIPHERAL=y
 CONFIG_BT_PRIVACY=n
 CONFIG_BT_SMP=y
+CONFIG_BT_SMP_SC_PAIR_ONLY=n
+CONFIG_BT_SMP_MIN_ENC_KEY_SIZE=7
 CONFIG_BT_SMP_ENFORCE_MITM=n
 CONFIG_BT_SMP_ALLOW_UNAUTH_OVERWRITE=y
 CONFIG_BT_SMP_APP_PAIRING_ACCEPT=y
diff --git a/tests/bsim/bluetooth/host/att/retry_on_sec_err/client/prj.conf b/tests/bsim/bluetooth/host/att/retry_on_sec_err/client/prj.conf
index 32e911d4396..e4d047b494e 100644
--- a/tests/bsim/bluetooth/host/att/retry_on_sec_err/client/prj.conf
+++ b/tests/bsim/bluetooth/host/att/retry_on_sec_err/client/prj.conf
@@ -4,6 +4,7 @@ CONFIG_BT=y
 CONFIG_BT_CENTRAL=y
 CONFIG_BT_SMP=y
+CONFIG_BT_SMP_SC_PAIR_ONLY=n
 CONFIG_BT_GATT_CLIENT=y
 CONFIG_BT_ATT_RETRY_ON_SEC_ERR=y
diff --git a/tests/bsim/bluetooth/host/att/retry_on_sec_err/server/prj.conf b/tests/bsim/bluetooth/host/att/retry_on_sec_err/server/prj.conf
index 1b3a186979e..5529c897bdf 100644
--- a/tests/bsim/bluetooth/host/att/retry_on_sec_err/server/prj.conf
+++ b/tests/bsim/bluetooth/host/att/retry_on_sec_err/server/prj.conf
@@ -6,6 +6,7 @@ CONFIG_BT_PERIPHERAL=y
 CONFIG_BT_DEVICE_NAME_DYNAMIC=y
 CONFIG_BT_SMP=y
+CONFIG_BT_SMP_SC_PAIR_ONLY=n
 CONFIG_BT_EXT_ADV=y
diff --git a/tests/bsim/bluetooth/ll/conn/prj_split_hci_uart.conf b/tests/bsim/bluetooth/ll/conn/prj_split_hci_uart.conf
index 326cb04c468..f97b14c88a7 100644
--- a/tests/bsim/bluetooth/ll/conn/prj_split_hci_uart.conf
+++ b/tests/bsim/bluetooth/ll/conn/prj_split_hci_uart.conf
@@ -4,6 +4,7 @@ CONFIG_BT_CENTRAL=y
 CONFIG_BT_PERIPHERAL=y
 CONFIG_BT_PRIVACY=y
 CONFIG_BT_SMP=y
+CONFIG_BT_SMP_SC_PAIR_ONLY=n
 CONFIG_BT_SIGNING=y
 CONFIG_BT_BAS=y
 CONFIG_BT_HRS=y
diff --git a/tests/bsim/bluetooth/ll/conn/prj_split_privacy.conf b/tests/bsim/bluetooth/ll/conn/prj_split_privacy.conf
index 7c490964fbe..1147e89ada6 100644
--- a/tests/bsim/bluetooth/ll/conn/prj_split_privacy.conf
+++ b/tests/bsim/bluetooth/ll/conn/prj_split_privacy.conf
@@ -4,6 +4,7 @@ CONFIG_BT_CENTRAL=y
 CONFIG_BT_PERIPHERAL=y
 CONFIG_BT_PRIVACY=y
 CONFIG_BT_SMP=y
+CONFIG_BT_SMP_SC_PAIR_ONLY=n
 CONFIG_BT_SIGNING=y
 CONFIG_BT_BAS=y
 CONFIG_BT_HRS=y
diff --git a/tests/bsim/bluetooth/samples/central_hr_peripheral_hr/boards/nrf5340bsim_nrf5340_cpuapp.conf b/tests/bsim/bluetooth/samples/central_hr_peripheral_hr/boards/nrf5340bsim_nrf5340_cpuapp.conf
index 4d2c3afd09e..2565323d6c6 100644
--- a/tests/bsim/bluetooth/samples/central_hr_peripheral_hr/boards/nrf5340bsim_nrf5340_cpuapp.conf
+++ b/tests/bsim/bluetooth/samples/central_hr_peripheral_hr/boards/nrf5340bsim_nrf5340_cpuapp.conf
@@ -1 +1,3 @@
 CONFIG_BT_BUF_ACL_RX_SIZE=255
+
+CONFIG_BT_SMP_SC_PAIR_ONLY=n