Bluetooth: Host: more secure defaults for key size and legacy pairing

Default the Minimum encryption key size to 16. Key with reduced size is easier to brut force. Disable LE legacy pairing by default since it's not secure. These defaults should suite majority of newly developed applications. It's better to use sensible more secure defaults, so applications that really need less secure option consciously change it, not the other way around. This may help to prevent downgrade attacks. Signed-off-by: Sergey Korotkov <sergey.korotkov@nordicsemi.no>
2024-05-23 14:18:45 +02:00 · 2024-05-23 14:18:45 +02:00 · 2ee0e38929
commit 2ee0e38929
parent 9a6fea353c
10 changed files with 17 additions and 2 deletions
--- a/tests/bluetooth/host/id/bt_le_oob_set_legacy_tk/prj.conf
+++ b/tests/bluetooth/host/id/bt_le_oob_set_legacy_tk/prj.conf
@ -3,6 +3,7 @@ CONFIG_BT=y
 CONFIG_BT_CENTRAL=y
 CONFIG_BT_EXT_ADV=y
 CONFIG_BT_SMP=y
+CONFIG_BT_SMP_SC_PAIR_ONLY=n
 CONFIG_BT_ID_MAX=4
 CONFIG_ASSERT=y
 CONFIG_ASSERT_LEVEL=2
--- a/tests/bluetooth/tester/prj.conf
+++ b/tests/bluetooth/tester/prj.conf
@ -8,6 +8,8 @@ CONFIG_BT_CENTRAL=y
 CONFIG_BT_PERIPHERAL=y
 CONFIG_BT_PRIVACY=n
 CONFIG_BT_SMP=y
+CONFIG_BT_SMP_SC_PAIR_ONLY=n
+CONFIG_BT_SMP_MIN_ENC_KEY_SIZE=7
 CONFIG_BT_SMP_ENFORCE_MITM=n
 CONFIG_BT_SMP_ALLOW_UNAUTH_OVERWRITE=y
 CONFIG_BT_SMP_APP_PAIRING_ACCEPT=y
--- a/tests/bsim/bluetooth/host/att/retry_on_sec_err/client/prj.conf
+++ b/tests/bsim/bluetooth/host/att/retry_on_sec_err/client/prj.conf
@ -4,6 +4,7 @@ CONFIG_BT=y
 CONFIG_BT_CENTRAL=y

 CONFIG_BT_SMP=y
+CONFIG_BT_SMP_SC_PAIR_ONLY=n

 CONFIG_BT_GATT_CLIENT=y
 CONFIG_BT_ATT_RETRY_ON_SEC_ERR=y
--- a/tests/bsim/bluetooth/host/att/retry_on_sec_err/server/prj.conf
+++ b/tests/bsim/bluetooth/host/att/retry_on_sec_err/server/prj.conf
@ -6,6 +6,7 @@ CONFIG_BT_PERIPHERAL=y
 CONFIG_BT_DEVICE_NAME_DYNAMIC=y

 CONFIG_BT_SMP=y
+CONFIG_BT_SMP_SC_PAIR_ONLY=n

 CONFIG_BT_EXT_ADV=y

--- a/tests/bsim/bluetooth/ll/conn/prj_split_hci_uart.conf
+++ b/tests/bsim/bluetooth/ll/conn/prj_split_hci_uart.conf
@ -4,6 +4,7 @@ CONFIG_BT_CENTRAL=y
 CONFIG_BT_PERIPHERAL=y
 CONFIG_BT_PRIVACY=y
 CONFIG_BT_SMP=y
+CONFIG_BT_SMP_SC_PAIR_ONLY=n
 CONFIG_BT_SIGNING=y
 CONFIG_BT_BAS=y
 CONFIG_BT_HRS=y
--- a/tests/bsim/bluetooth/ll/conn/prj_split_privacy.conf
+++ b/tests/bsim/bluetooth/ll/conn/prj_split_privacy.conf
@ -4,6 +4,7 @@ CONFIG_BT_CENTRAL=y
 CONFIG_BT_PERIPHERAL=y
 CONFIG_BT_PRIVACY=y
 CONFIG_BT_SMP=y
+CONFIG_BT_SMP_SC_PAIR_ONLY=n
 CONFIG_BT_SIGNING=y
 CONFIG_BT_BAS=y
 CONFIG_BT_HRS=y
--- a/tests/bsim/bluetooth/samples/central_hr_peripheral_hr/boards/nrf5340bsim_nrf5340_cpuapp.conf
+++ b/tests/bsim/bluetooth/samples/central_hr_peripheral_hr/boards/nrf5340bsim_nrf5340_cpuapp.conf
@ -1 +1,3 @@
 CONFIG_BT_BUF_ACL_RX_SIZE=255
+
+CONFIG_BT_SMP_SC_PAIR_ONLY=n