From: Simon Mikuda <simon.mikuda@streamunlimited.com>
To: linux-bluetooth@vger.kernel.org
Cc: Simon Mikuda <simon.mikuda@streamunlimited.com>
Subject: [PATCH BlueZ] main.conf: Add SecureConnections option
Date: Fri, 18 Nov 2022 06:26:10 +0100 [thread overview]
Message-ID: <20221118052610.36133-1-simon.mikuda@streamunlimited.com> (raw)
This introduces SecureConnections option to main.conf that can be used to
configure this on adapter initialization.
This is useful for:
- disabling Secure Connections on adapters that have problems with it enabled
- disabling CTKD (cross transport key derivation)
- enforcing Secure Connections only mode
---
src/adapter.c | 2 +-
src/btd.h | 7 +++++++
src/main.c | 15 +++++++++++++++
src/main.conf | 11 +++++++++++
4 files changed, 34 insertions(+), 1 deletion(-)
diff --git a/src/adapter.c b/src/adapter.c
index 8fb2acdc8..747f8f8ca 100644
--- a/src/adapter.c
+++ b/src/adapter.c
@@ -10146,7 +10146,7 @@ static void read_info_complete(uint8_t status, uint16_t length,
}
if (missing_settings & MGMT_SETTING_SECURE_CONN)
- set_mode(adapter, MGMT_OP_SET_SECURE_CONN, 0x01);
+ set_mode(adapter, MGMT_OP_SET_SECURE_CONN, btd_opts.secure_conn);
if (adapter->supported_settings & MGMT_SETTING_PRIVACY)
set_privacy(adapter, btd_opts.privacy);
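Review bot: A configured `off` can never be applied by this hunk, because the call is still gated on `missing_settings & MGMT_SETTING_SECURE_CONN`; if missing_settings means "supported but not currently enabled" (its computation is outside the hunk, so this is inferred from the name), that bit is clear precisely when the controller already has Secure Connections on, so `SecureConnections = off` becomes a silent no-op and the adapter keeps the stronger-than-requested pairing policy without any log line. The gate should compare the configured mode with the adapter's current state (presumably `adapter->current_settings`, alongside the `supported_settings` used two lines down) and issue the mgmt command whenever they disagree. Note also that `btd_opts.secure_conn` is an `enum sc_mode_t` passed straight through as the MGMT_OP_SET_SECURE_CONN mode byte; that relies on SC_OFF/SC_ON/SC_ONLY being 0/1/2 and deserves a comment here. read_info_complete starts and ends outside the hunk.
```c
	if (adapter->supported_settings & MGMT_SETTING_SECURE_CONN) {
		/* enum sc_mode_t values double as the mgmt mode byte */
		if (btd_opts.secure_conn != SC_OFF &&
				(missing_settings & MGMT_SETTING_SECURE_CONN))
			set_mode(adapter, MGMT_OP_SET_SECURE_CONN,
						btd_opts.secure_conn);
		else if (btd_opts.secure_conn == SC_OFF &&
				(adapter->current_settings &
						MGMT_SETTING_SECURE_CONN))
			set_mode(adapter, MGMT_OP_SET_SECURE_CONN, 0x00);
	}
	/* … unchanged: privacy handling … */
```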
diff --git a/src/btd.h b/src/btd.h
index 63be6d8d4..42cffcde4 100644
--- a/src/btd.h
+++ b/src/btd.h
@@ -36,6 +36,12 @@ enum mps_mode_t {
MPS_MULTIPLE,
};
+enum sc_mode_t {
+ SC_OFF,
+ SC_ON,
+ SC_ONLY,
+};
+
struct btd_br_defaults {
uint16_t page_scan_type;
uint16_t page_scan_interval;
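Review bot: The implicit numbering of the new `enum sc_mode_t` is load-bearing — adapter.c hands `btd_opts.secure_conn` directly to MGMT_OP_SET_SECURE_CONN as the mode byte, so SC_OFF/SC_ON/SC_ONLY must stay 0x00/0x01/0x02 — yet nothing in the declaration says so, and a later reorder or insertion would silently change the controller's pairing policy. Make the values explicit, `SC_OFF = 0x00, SC_ON = 0x01, SC_ONLY = 0x02,`, and add a one-line comment above the enum such as `/* Values match the mode byte of MGMT_OP_SET_SECURE_CONN; do not reorder */`.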
@@ -105,6 +111,7 @@ struct btd_opts {
uint8_t privacy;
bool device_privacy;
uint32_t name_request_retry_delay;
+ uint8_t secure_conn;
struct btd_defaults defaults;
diff --git a/src/main.c b/src/main.c
index 1d357161f..99d9c508f 100644
--- a/src/main.c
+++ b/src/main.c
@@ -80,6 +80,7 @@ static const char *supported_options[] = {
"MaxControllers"
"MultiProfile",
"FastConnectable",
+ "SecureConnections",
"Privacy",
"JustWorksRepairing",
"TemporaryTimeout",
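Review bot: The context line `"MaxControllers"` two entries above the new one has no trailing comma, so the adjacent literals fuse into a single `"MaxControllersMultiProfile"` element of supported_options and neither option is recognized by whatever consults this table; since the hunk already edits the table it is the natural place to add the comma, `"MaxControllers",`. The new `"SecureConnections",` entry itself is placed correctly among the General options.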
@@ -881,6 +882,19 @@ static void parse_config(GKeyFile *config)
btd_opts.name_request_retry_delay = val;
}
+ str = g_key_file_get_string(config, "General",
+ "SecureConnections", &err);
+ if (err)
+ g_clear_error(&err);
+ else {
+ if (!strcmp(str, "off"))
+ btd_opts.secure_conn = SC_OFF;
+ else if (!strcmp(str, "on"))
+ btd_opts.secure_conn = SC_ON;
+ else if (!strcmp(str, "only"))
+ btd_opts.secure_conn = SC_ONLY;
+ }
+
str = g_key_file_get_string(config, "GATT", "Cache", &err);
if (err) {
DBG("%s", err->message);
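Review bot: The string returned by g_key_file_get_string() in the added block is owned by the caller and is never released, and a value outside off/on/only — a capitalised `Only`, a typo — is silently ignored, so an operator who intended to enforce SC-only pairing keeps the weaker default `on` with no notice. Add a final branch that reports the rejected value through the file's existing logging helper, e.g. `else warn("Unknown SecureConnections value \"%s\"", str);`, and `g_free(str);` at the end of the else branch. Whether the sibling parsers in parse_config free their strings is outside this hunk; the GATT Cache parser that follows at least logs its error. parse_config starts and ends outside the hunk.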
@@ -993,6 +1007,7 @@ static void init_defaults(void)
btd_opts.debug_keys = FALSE;
btd_opts.refresh_discovery = TRUE;
btd_opts.name_request_retry_delay = DEFAULT_NAME_REQUEST_RETRY_DELAY;
+ btd_opts.secure_conn = SC_ON;
btd_opts.defaults.num_entries = 0;
btd_opts.defaults.br.page_scan_type = 0xFFFF;
diff --git a/src/main.conf b/src/main.conf
index 2796f155e..f187c9aaa 100644
--- a/src/main.conf
+++ b/src/main.conf
@@ -111,6 +111,17 @@
# profile is connected. Defaults to true.
#RefreshDiscovery = true
+# Default Secure Connections setting.
+# Enables the Secure Connections setting for adapters that support it. It
+# provides better crypto algorithms for BT links and also enables CTKD (cross
+# transport key derivation) during pairing on any link.
+# Possible values: "off", "on", "only"
+# - "off": Secure Connections are disabled
+# - "on": Secure Connections are enabled when peer device supports them
+# - "only": we allow only Secure Connections
+# Defaults to "on"
+#SecureConnections = on
+
# Enables D-Bus experimental interfaces
# Possible values: true or false
#Experimental = false
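Review bot: The `only` entry does not state the operationally important consequence for peers without Secure Connections support; the mode is presumably a refusal rather than a downgrade, and an administrator choosing it should be told that legacy devices will stop pairing. Reword it to something like `# - "only": only Secure Connections pairing is accepted; devices that do not support it cannot pair`, and since the paragraph above ties CTKD to this setting, make the `off` line say `# - "off": Secure Connections and CTKD are disabled` so the two side effects are listed in one place.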
--
2.34.1