From 75f47a56b57542e61c69d575a170a0a25d8886d9 Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz
Date: Fri, 10 Jul 2020 10:46:41 -0700
Subject: [PATCH] Bluetooth: Add config option to disable security checks
This adds CONFIG_BT_CONN_DISABLE_SECURITY which can be used to disable security checks for incoming requests enabling to test accessing GATT attributes and L2CAP channels that would otherwise require encryption/authentication in order to be accessed. It depends on BT_TESTING to indicate to the users that this is a testing feature which shall not be used in production.
Signed-off-by: Luiz Augusto von Dentz
---
 scripts/kconfig/hardened.csv | 1 +
 subsys/bluetooth/host/CMakeLists.txt | 8 ++++++++
 subsys/bluetooth/host/Kconfig | 11 +++++++++++
 subsys/bluetooth/host/gatt.c | 4 ++++
 subsys/bluetooth/host/l2cap.c | 14 ++++++++++++--
 5 files changed, 36 insertions(+), 2 deletions(-)
diff --git a/scripts/kconfig/hardened.csv b/scripts/kconfig/hardened.csv
index c062c6153b2..4fe376c54f1 100644
--- a/scripts/kconfig/hardened.csv
+++ b/scripts/kconfig/hardened.csv
@@ -54,6 +54,7 @@ BT_OOB_DATA_FIXED,n
 BT_DEBUG_KEYS,n
 BT_USE_DEBUG_KEYS,n
 BT_STORE_DEBUG_KEYS,n
+BT_CONN_DISABLE_SECURITY,n
 CAN_NET,n,experimental
 CONSOLE_SUBSYS,n,experimental
 CRYPTO,n,experimental
diff --git a/subsys/bluetooth/host/CMakeLists.txt b/subsys/bluetooth/host/CMakeLists.txt
index d36c3f462e1..b4af951fa57 100644
--- a/subsys/bluetooth/host/CMakeLists.txt
+++ b/subsys/bluetooth/host/CMakeLists.txt
@@ -77,3 +77,11 @@ if(CONFIG_BT_USE_DEBUG_KEYS OR CONFIG_BT_STORE_DEBUG_KEYS)
 Do not use in production."
 )
 endif()
+if(CONFIG_BT_CONN_DISABLE_SECURITY)
+ message(WARNING "CONFIG_BT_CONN_DISABLE_SECURITY is enabled.
+ Security is disabled for incoming requests for GATT attributes and L2CAP
+ channels that would otherwise require encryption/authentication in order to
+ be accessed.
+ Do not use in production."
+ )
+endif()
diff --git a/subsys/bluetooth/host/Kconfig b/subsys/bluetooth/host/Kconfig
index 6a05bf2c23e..ca885a5fbc9 100644
--- a/subsys/bluetooth/host/Kconfig
+++ b/subsys/bluetooth/host/Kconfig
@@ -732,6 +732,17 @@ config BT_TESTING
 This option enables custom Bluetooth testing interface. Shall only be used for testing purposes.
+config BT_CONN_DISABLE_SECURITY
+ bool "Disable security"
+ depends on BT_TESTING
+ help
+ This option disables security checks for incoming requests enabling
+ to test accessing GATT attributes and L2CAP channels that would
+ otherwise require encryption/authentication in order to be accessed.
+
+ WARNING: This option enables anyone to snoop on-air traffic.
+ Use of this feature in production is strongly discouraged.
+
 config BT_BREDR
 bool "Bluetooth BR/EDR support [EXPERIMENTAL]"
 depends on BT_HCI_HOST
diff --git a/subsys/bluetooth/host/gatt.c b/subsys/bluetooth/host/gatt.c
index b617b277ca3..08f00d50d24 100644
--- a/subsys/bluetooth/host/gatt.c
+++ b/subsys/bluetooth/host/gatt.c
@@ -2130,6 +2130,10 @@ uint16_t bt_gatt_get_mtu(struct bt_conn *conn)
 uint8_t bt_gatt_check_perm(struct bt_conn *conn, const struct bt_gatt_attr *attr, uint8_t mask)
 {
+ if (IS_ENABLED(CONFIG_BT_CONN_DISABLE_SECURITY)) {
+ return 0;
+ }
+
 if ((mask & BT_GATT_PERM_READ) && (!(attr->perm & BT_GATT_PERM_READ_MASK) || !attr->read)) {
 return BT_ATT_ERR_READ_NOT_PERMITTED;
diff --git a/subsys/bluetooth/host/l2cap.c b/subsys/bluetooth/host/l2cap.c
index ca7c7129bdc..4b61cb6c7f9 100644
--- a/subsys/bluetooth/host/l2cap.c
+++ b/subsys/bluetooth/host/l2cap.c
@@ -981,6 +981,16 @@ static uint16_t l2cap_chan_accept(struct bt_conn *conn,
 return BT_L2CAP_LE_SUCCESS;
 }
+static bool l2cap_check_security(struct bt_conn *conn,
+ struct bt_l2cap_server *server)
+{
+ if (IS_ENABLED(CONFIG_BT_CONN_DISABLE_SECURITY)) {
+ return true;
+ }
+
+ return conn->sec_level >= server->sec_level;
+}
+
 static void le_conn_req(struct bt_l2cap *l2cap, uint8_t ident, struct net_buf *buf)
 {
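Review bot: The WARNING in the help text of `BT_CONN_DISABLE_SECURITY` (subsys/bluetooth/host/Kconfig) describes the risk as on-air snooping, but the option as described in the same help text skips the security checks on incoming requests, so the direct effect is that a peer needs no encryption or authentication to reach protected GATT attributes and L2CAP channels. I would state that in the help, e.g. `WARNING: Any connected peer can access GATT attributes and L2CAP channels without encryption or authentication.`, and make the prompt say what is disabled: `bool "Disable security checks for incoming requests [TESTING ONLY]"`. `depends on BT_TESTING` is the only guard visible in this hunk, so the prompt and help are what a user sees when enabling it.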
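Review bot: The early `return 0` at the top of `bt_gatt_check_perm()` (subsys/bluetooth/host/gatt.c) skips more than the encryption/authentication checks: it also bypasses the `BT_GATT_PERM_READ` test visible just below it, which rejects attributes that have no read permission or no `read` callback. With the option enabled, a request on such an attribute is reported as permitted, and a caller that then invokes `attr->read` would presumably dereference a NULL pointer. Moving the `if (IS_ENABLED(CONFIG_BT_CONN_DISABLE_SECURITY)) { return 0; }` block below the read-permitted check (and a write-permitted counterpart, if the function has one) keeps those checks and drops only the security-level ones. The rest of the function body is outside the hunk, so the exact placement needs confirming against the full file.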
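Review bot: `l2cap_check_security()` (subsys/bluetooth/host/l2cap.c, first hunk) only reads both of its arguments, so the signature could be `static bool l2cap_check_security(const struct bt_conn *conn, const struct bt_l2cap_server *server)`. A short comment above it would also help the next reader, e.g. `/* True when conn meets the server's minimum security level; always true with CONFIG_BT_CONN_DISABLE_SECURITY (testing only). */`. The comment at both call sites in `le_conn_req()` and `le_ecred_conn_req()` still reads as an unconditional security-level check.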
@@ -1029,7 +1039,7 @@ static void le_conn_req(struct bt_l2cap *l2cap, uint8_t ident,
 }
 /* Check if connection has minimum required security level */
- if (conn->sec_level < server->sec_level) {
+ if (!l2cap_check_security(conn, server)) {
 rsp->result = sys_cpu_to_le16(BT_L2CAP_LE_ERR_AUTHENTICATION);
 goto rsp;
 }
@@ -1095,7 +1105,7 @@ static void le_ecred_conn_req(struct bt_l2cap *l2cap, uint8_t ident,
 }
 /* Check if connection has minimum required security level */
- if (conn->sec_level < server->sec_level) {
+ if (!l2cap_check_security(conn, server)) {
 result = BT_L2CAP_LE_ERR_AUTHENTICATION;
 goto response;
 }