Don't follow remote MITM if local IO capability is NoInputNoOutput

In order to test buggy implementations (such as older BlueZ versions)
this patch makes it possible to not require MITM in the case if the
local IO capability is NoInputNoOutput.
diff --git a/src/dbus-hci.c b/src/dbus-hci.c
index ed95df8..678b8e2 100644
--- a/src/dbus-hci.c
+++ b/src/dbus-hci.c
@@ -879,6 +879,7 @@
 	struct btd_adapter *adapter;
 	struct btd_device *device;
 	struct agent *agent = NULL;
+	uint8_t agent_cap;
 
 	if (!get_adapter_and_device(local, remote, &adapter, &device, TRUE))
 		return -ENODEV;
@@ -935,11 +936,12 @@
 		return -1;
 	}
 
+	agent_cap = agent_get_io_capability(agent);
+
 	if (*auth == 0x00 || *auth == 0x04) {
 		/* If remote requests dedicated bonding follow that lead */
 		if (device_get_auth(device) == 0x02 ||
 				device_get_auth(device) == 0x03) {
-			uint8_t agent_cap = agent_get_io_capability(agent);
 
 			/* If both remote and local IO capabilities allow MITM
 			 * then require it, otherwise don't */
@@ -957,9 +959,12 @@
 					device_get_auth(device) == 0x01)
 			*auth = 0x00;
 
-		/* If remote requires MITM then also require it */
+		/* If remote requires MITM then also require it, unless
+		 * our IO capability is NoInputNoOutput (so some
+		 * just-works security cases can be tested) */
 		if (device_get_auth(device) != 0xff &&
-					(device_get_auth(device) & 0x01))
+					(device_get_auth(device) & 0x01) &&
+					agent_cap != 0x03)
 			*auth |= 0x01;
 	}