This introduces SecureConnections option to main.conf that can be used to
configure this on adapter initialization.
This is useful for:
- disable for adapters that have a problems with SecureConnections enabled
- if you want to disable CTKD (cross transport key derivation)
- add option to enable only SecureConnections
---
src/adapter.c | 2 +-
src/btd.h | 7 +++++++
src/main.c | 15 +++++++++++++++
src/main.conf | 11 +++++++++++
4 files changed, 34 insertions(+), 1 deletion(-)
diff --git a/src/adapter.c b/src/adapter.c
index 8fb2acdc8..747f8f8ca 100644
--- a/src/adapter.c
+++ b/src/adapter.c
@@ -10146,7 +10146,7 @@ static void read_info_complete(uint8_t status, uint16_t length,
}
if (missing_settings & MGMT_SETTING_SECURE_CONN)
- set_mode(adapter, MGMT_OP_SET_SECURE_CONN, 0x01);
+ set_mode(adapter, MGMT_OP_SET_SECURE_CONN, btd_opts.secure_conn);
if (adapter->supported_settings & MGMT_SETTING_PRIVACY)
set_privacy(adapter, btd_opts.privacy);
diff --git a/src/btd.h b/src/btd.h
index 63be6d8d4..42cffcde4 100644
--- a/src/btd.h
+++ b/src/btd.h
@@ -36,6 +36,12 @@ enum mps_mode_t {
MPS_MULTIPLE,
};
+enum sc_mode_t {
+ SC_OFF,
+ SC_ON,
+ SC_ONLY,
+};
+
struct btd_br_defaults {
uint16_t page_scan_type;
uint16_t page_scan_interval;
@@ -105,6 +111,7 @@ struct btd_opts {
uint8_t privacy;
bool device_privacy;
uint32_t name_request_retry_delay;
+ uint8_t secure_conn;
struct btd_defaults defaults;
diff --git a/src/main.c b/src/main.c
index 1d357161f..99d9c508f 100644
--- a/src/main.c
+++ b/src/main.c
@@ -80,6 +80,7 @@ static const char *supported_options[] = {
"MaxControllers"
"MultiProfile",
"FastConnectable",
+ "SecureConnections",
"Privacy",
"JustWorksRepairing",
"TemporaryTimeout",
@@ -881,6 +882,19 @@ static void parse_config(GKeyFile *config)
btd_opts.name_request_retry_delay = val;
}
+ str = g_key_file_get_string(config, "General",
+ "SecureConnections", &err);
+ if (err)
+ g_clear_error(&err);
+ else {
+ if (!strcmp(str, "off"))
+ btd_opts.secure_conn = SC_OFF;
+ else if (!strcmp(str, "on"))
+ btd_opts.secure_conn = SC_ON;
+ else if (!strcmp(str, "only"))
+ btd_opts.secure_conn = SC_ONLY;
+ }
+
str = g_key_file_get_string(config, "GATT", "Cache", &err);
if (err) {
DBG("%s", err->message);
@@ -993,6 +1007,7 @@ static void init_defaults(void)
btd_opts.debug_keys = FALSE;
btd_opts.refresh_discovery = TRUE;
btd_opts.name_request_retry_delay = DEFAULT_NAME_REQUEST_RETRY_DELAY;
+ btd_opts.secure_conn = SC_ON;
btd_opts.defaults.num_entries = 0;
btd_opts.defaults.br.page_scan_type = 0xFFFF;
diff --git a/src/main.conf b/src/main.conf
index 2796f155e..f187c9aaa 100644
--- a/src/main.conf
+++ b/src/main.conf
@@ -111,6 +111,17 @@
# profile is connected. Defaults to true.
#RefreshDiscovery = true
+# Default Secure Connections setting.
+# Enables the Secure Connections setting for adapters that support it. It
+# provides better crypto algorithms for BT links and also enables CTKD (cross
+# transport key derivation) during pairing on any link.
+# Possible values: "off", "on", "only"
+# - "off": Secure Connections are disabled
+# - "on": Secure Connections are enabled when peer device supports them
+# - "only": we allow only Secure Connections
+# Defaults to "on"
+#SecureConnections = on
+
# Enables D-Bus experimental interfaces
# Possible values: true or false
#Experimental = false
--
2.34.1
