mirror of
https://gitlab.freedesktop.org/NetworkManager/NetworkManager
synced 2024-10-15 12:34:55 +00:00
supplicant: configure PMF for each connection
Now that we have a PMF connection property, get rid of the previous code to globally enable/disable PMF and use the 'ieee80211w' configuration option for each configured network when the supplicant supports it.
parent
53f3113389
commit
acb70d84f9
|
@ -701,6 +701,11 @@ ipv6.ip6-privacy=0
|
|||
<listitem><para>If left unspecified, the default value
|
||||
"<literal>ignore</literal>" will be used.</para></listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term><varname>wifi-sec.pmf</varname></term>
|
||||
<listitem><para>If left unspecified, the default value
|
||||
"<literal>optional</literal>" will be used.</para></listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</para>
|
||||
</refsect2>
|
||||
|
|
|
@ -2348,6 +2348,8 @@ build_supplicant_config (NMDeviceWifi *self,
|
|||
NMSupplicantConfig *config = NULL;
|
||||
NMSettingWireless *s_wireless;
|
||||
NMSettingWirelessSecurity *s_wireless_sec;
|
||||
NMSettingWirelessSecurityPmf pmf;
|
||||
gs_free char *value = NULL;
|
||||
|
||||
g_return_val_if_fail (priv->sup_iface, NULL);
|
||||
|
||||
|
@ -2378,12 +2380,46 @@ build_supplicant_config (NMDeviceWifi *self,
|
|||
nm_device_get_ifindex (NM_DEVICE (self)));
|
||||
|
||||
g_assert (con_uuid);
|
||||
|
||||
/* Configure PMF (802.11w) */
|
||||
pmf = nm_setting_wireless_security_get_pmf (s_wireless_sec);
|
||||
if (pmf == NM_SETTING_WIRELESS_SECURITY_PMF_DEFAULT) {
|
||||
value = nm_config_data_get_connection_default (NM_CONFIG_GET_DATA,
|
||||
"wifi-sec.pmf",
|
||||
NM_DEVICE (self));
|
||||
pmf = _nm_utils_ascii_str_to_int64 (value, 10,
|
||||
NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE,
|
||||
NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED,
|
||||
NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL);
|
||||
}
|
||||
|
||||
/* Don't try to enable PMF on non-WPA networks */
|
||||
if (!NM_IN_STRSET (nm_setting_wireless_security_get_key_mgmt (s_wireless_sec),
|
||||
"wpa-eap",
|
||||
"wpa-psk"))
|
||||
pmf = NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE;
|
||||
|
||||
/* Check if we actually support PMF */
|
||||
if (nm_supplicant_interface_get_pmf_support (priv->sup_iface) != NM_SUPPLICANT_FEATURE_YES) {
|
||||
if (pmf == NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED) {
|
||||
g_set_error_literal (error, NM_SUPPLICANT_ERROR, NM_SUPPLICANT_ERROR_CONFIG,
|
||||
"Supplicant does not support PMF");
|
||||
goto error;
|
||||
} else if (pmf == NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL) {
|
||||
/* To be on the safe side, assume no support if we can't determine
|
||||
* capabilities.
|
||||
*/
|
||||
pmf = NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE;
|
||||
}
|
||||
}
|
||||
|
||||
s_8021x = nm_connection_get_setting_802_1x (connection);
|
||||
if (!nm_supplicant_config_add_setting_wireless_security (config,
|
||||
s_wireless_sec,
|
||||
s_8021x,
|
||||
con_uuid,
|
||||
mtu,
|
||||
pmf,
|
||||
error)) {
|
||||
g_prefix_error (error, "802-11-wireless-security: ");
|
||||
goto error;
|
||||
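Review bot: An explicit `required` PMF setting is silently turned into `NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE` by the "Don't try to enable PMF on non-WPA networks" check, which runs before the supplicant-support check and never looks at the requested value. Unless setting verification elsewhere already rejects `required` together with a non-WPA key-mgmt (not visible here), a profile asking for mandatory management-frame protection would associate without it and without an error. Failing there with `g_set_error_literal (error, NM_SUPPLICANT_ERROR, NM_SUPPLICANT_ERROR_CONFIG, ...)` and `goto error`, as the unsupported-supplicant branch does, would keep `required` fail-closed. The optional-to-disable fallback and the `_nm_utils_ascii_str_to_int64` fallback for an unparsable `wifi-sec.pmf` default also happen without a log line, which makes a PMF downgrade hard to spot afterwards. build_supplicant_config starts and ends outside these hunks.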
|
|
|
@ -684,9 +684,10 @@ nm_supplicant_config_add_setting_wireless_security (NMSupplicantConfig *self,
|
|||
NMSetting8021x *setting_8021x,
|
||||
const char *con_uuid,
|
||||
guint32 mtu,
|
||||
NMSettingWirelessSecurityPmf pmf,
|
||||
GError **error)
|
||||
{
|
||||
const char *key_mgmt, *auth_alg;
|
||||
const char *key_mgmt, *key_mgmt_conf, *auth_alg;
|
||||
const char *psk;
|
||||
|
||||
g_return_val_if_fail (NM_IS_SUPPLICANT_CONFIG (self), FALSE);
|
||||
|
@ -694,8 +695,19 @@ nm_supplicant_config_add_setting_wireless_security (NMSupplicantConfig *self,
|
|||
g_return_val_if_fail (con_uuid != NULL, FALSE);
|
||||
g_return_val_if_fail (!error || !*error, FALSE);
|
||||
|
||||
key_mgmt = nm_setting_wireless_security_get_key_mgmt (setting);
|
||||
if (!add_string_val (self, key_mgmt, "key_mgmt", TRUE, NULL, error))
|
||||
key_mgmt = key_mgmt_conf = nm_setting_wireless_security_get_key_mgmt (setting);
|
||||
if (pmf == NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL) {
|
||||
if (nm_streq (key_mgmt_conf, "wpa-psk"))
|
||||
key_mgmt_conf = "wpa-psk wpa-psk-sha256";
|
||||
else if (nm_streq (key_mgmt_conf, "wpa-eap"))
|
||||
key_mgmt_conf = "wpa-eap wpa-eap-sha256";
|
||||
} else if (pmf == NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED) {
|
||||
if (nm_streq (key_mgmt_conf, "wpa-psk"))
|
||||
key_mgmt_conf = "wpa-psk-sha256";
|
||||
else if (nm_streq (key_mgmt_conf, "wpa-eap"))
|
||||
key_mgmt_conf = "wpa-eap-sha256";
|
||||
}
|
||||
if (!add_string_val (self, key_mgmt_conf, "key_mgmt", TRUE, NULL, error))
|
||||
return FALSE;
|
||||
|
||||
auth_alg = nm_setting_wireless_security_get_auth_alg (setting);
|
||||
|
@ -750,6 +762,19 @@ nm_supplicant_config_add_setting_wireless_security (NMSupplicantConfig *self,
|
|||
return FALSE;
|
||||
if (!ADD_STRING_LIST_VAL (self, setting, wireless_security, group, groups, "group", ' ', TRUE, NULL, error))
|
||||
return FALSE;
|
||||
|
||||
if ( !nm_streq (key_mgmt, "wpa-none")
|
||||
&& NM_IN_SET (pmf,
|
||||
NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL,
|
||||
NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED)) {
|
||||
if (!nm_supplicant_config_add_option (self,
|
||||
"ieee80211w",
|
||||
pmf == NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL ? "1" : "2",
|
||||
-1,
|
||||
NULL,
|
||||
error))
|
||||
return FALSE;
|
||||
}
|
||||
}
|
||||
|
||||
/* WEP keys if required */
|
||||
|
@ -1325,31 +1350,3 @@ nm_supplicant_config_add_no_security (NMSupplicantConfig *self, GError **error)
|
|||
return nm_supplicant_config_add_option (self, "key_mgmt", "NONE", -1, NULL, error);
|
||||
}
|
||||
|
||||
gboolean
|
||||
nm_supplicant_config_enable_pmf_akm (NMSupplicantConfig *self, GError **error)
|
||||
{
|
||||
NMSupplicantConfigPrivate *priv;
|
||||
ConfigOption *option;
|
||||
|
||||
g_return_val_if_fail (NM_IS_SUPPLICANT_CONFIG (self), FALSE);
|
||||
g_return_val_if_fail (!error || !*error, FALSE);
|
||||
|
||||
priv = NM_SUPPLICANT_CONFIG_GET_PRIVATE (self);
|
||||
|
||||
option = g_hash_table_lookup (priv->config, "key_mgmt");
|
||||
if (!option)
|
||||
return TRUE;
|
||||
|
||||
if (nm_streq0 (option->value, "WPA-PSK")) {
|
||||
g_hash_table_remove (priv->config, "key_mgmt");
|
||||
if (!nm_supplicant_config_add_option (self, "key_mgmt", "WPA-PSK WPA-PSK-SHA256", -1, NULL, error))
|
||||
return FALSE;
|
||||
} else if (nm_streq0 (option->value, "WPA-EAP")) {
|
||||
g_hash_table_remove (priv->config, "key_mgmt");
|
||||
if (!nm_supplicant_config_add_option (self, "key_mgmt", "WPA-EAP WPA-EAP-SHA256", -1, NULL, error))
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
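Review bot: In the `NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED` branch `key_mgmt_conf` is narrowed to `wpa-psk-sha256` / `wpa-eap-sha256` only, which ties mandatory PMF to the SHA256 AKMs. As far as I know wpa_supplicant enforces `ieee80211w=2` regardless of the AKM, so an access point that requires PMF but advertises only the plain WPA-PSK/WPA-EAP AKM would presumably no longer be selectable. Keeping both AKMs (`"wpa-psk wpa-psk-sha256"`) in the required case and letting `ieee80211w` carry the enforcement looks safer, but is worth confirming against the supplicant. A short comment above the `"ieee80211w"` option, e.g. `/* ieee80211w: 1 = PMF optional, 2 = PMF required */`, would also explain the two magic strings. The function body continues outside the hunks.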
|
|
|
@ -60,6 +60,7 @@ gboolean nm_supplicant_config_add_setting_wireless_security (NMSupplicantConfig
|
|||
NMSetting8021x *setting_8021x,
|
||||
const char *con_uuid,
|
||||
guint32 mtu,
|
||||
NMSettingWirelessSecurityPmf pmf,
|
||||
GError **error);
|
||||
|
||||
gboolean nm_supplicant_config_add_no_security (NMSupplicantConfig *self,
|
||||
|
|
|
@ -472,30 +472,6 @@ iface_check_ready (NMSupplicantInterface *self)
|
|||
}
|
||||
}
|
||||
|
||||
static void
|
||||
set_pmf_cb (GDBusProxy *proxy, GAsyncResult *result, gpointer user_data)
|
||||
{
|
||||
NMSupplicantInterface *self;
|
||||
NMSupplicantInterfacePrivate *priv;
|
||||
gs_unref_variant GVariant *reply = NULL;
|
||||
gs_free_error GError *error = NULL;
|
||||
|
||||
reply = g_dbus_proxy_call_finish (proxy, result, &error);
|
||||
if (g_error_matches (error, G_IO_ERROR, G_IO_ERROR_CANCELLED))
|
||||
return;
|
||||
|
||||
self = NM_SUPPLICANT_INTERFACE (user_data);
|
||||
priv = NM_SUPPLICANT_INTERFACE_GET_PRIVATE (self);
|
||||
|
||||
if (!reply) {
|
||||
g_dbus_error_strip_remote_error (error);
|
||||
_LOGW ("couldn't enable PMF: %s", error->message);
|
||||
return;
|
||||
}
|
||||
|
||||
_LOGD ("PMF enabled");
|
||||
}
|
||||
|
||||
gboolean
|
||||
nm_supplicant_interface_credentials_reply (NMSupplicantInterface *self,
|
||||
const char *field,
|
||||
|
@ -567,6 +543,12 @@ nm_supplicant_interface_get_ap_support (NMSupplicantInterface *self)
|
|||
return NM_SUPPLICANT_INTERFACE_GET_PRIVATE (self)->ap_support;
|
||||
}
|
||||
|
||||
NMSupplicantFeature
|
||||
nm_supplicant_interface_get_pmf_support (NMSupplicantInterface *self)
|
||||
{
|
||||
return NM_SUPPLICANT_INTERFACE_GET_PRIVATE (self)->pmf_support;
|
||||
}
|
||||
|
||||
void
|
||||
nm_supplicant_interface_set_ap_support (NMSupplicantInterface *self,
|
||||
NMSupplicantFeature ap_support)
|
||||
|
@ -841,21 +823,6 @@ on_iface_proxy_acquired (GDBusProxy *proxy, GAsyncResult *result, gpointer user_
|
|||
NULL,
|
||||
NULL);
|
||||
|
||||
if ( priv->pmf_support == NM_SUPPLICANT_FEATURE_YES
|
||||
&& priv->driver == NM_SUPPLICANT_DRIVER_WIRELESS) {
|
||||
g_dbus_proxy_call (priv->iface_proxy,
|
||||
DBUS_INTERFACE_PROPERTIES ".Set",
|
||||
g_variant_new ("(ssv)",
|
||||
WPAS_DBUS_IFACE_INTERFACE,
|
||||
"Pmf",
|
||||
g_variant_new_uint32 (1)),
|
||||
G_DBUS_CALL_FLAGS_NONE,
|
||||
-1,
|
||||
priv->init_cancellable,
|
||||
(GAsyncReadyCallback) set_pmf_cb,
|
||||
self);
|
||||
}
|
||||
|
||||
/* Check whether NetworkReply and AP mode are supported */
|
||||
priv->ready_count = 1;
|
||||
g_dbus_proxy_call (priv->iface_proxy,
|
||||
|
@ -1424,7 +1391,6 @@ nm_supplicant_interface_assoc (NMSupplicantInterface *self,
|
|||
{
|
||||
NMSupplicantInterfacePrivate *priv;
|
||||
AssocData *assoc_data;
|
||||
GError *error = NULL;
|
||||
|
||||
g_return_if_fail (NM_IS_SUPPLICANT_INTERFACE (self));
|
||||
g_return_if_fail (NM_IS_SUPPLICANT_CONFIG (cfg));
|
||||
|
@ -1441,14 +1407,6 @@ nm_supplicant_interface_assoc (NMSupplicantInterface *self,
|
|||
assoc_data->callback = callback;
|
||||
assoc_data->user_data = user_data;
|
||||
|
||||
if ( priv->driver == NM_SUPPLICANT_DRIVER_WIRELESS
|
||||
&& priv->pmf_support == NM_SUPPLICANT_FEATURE_YES) {
|
||||
if (!nm_supplicant_config_enable_pmf_akm (cfg, &error)) {
|
||||
_LOGW ("could not enable PMF AKMs in config: %s", error->message);
|
||||
g_error_free (error);
|
||||
}
|
||||
}
|
||||
|
||||
_LOGD ("assoc[%p]: starting association...", assoc_data);
|
||||
|
||||
/* Make sure the supplicant supports EAP-FAST before trying to send
|
||||
|
|
|
@ -121,6 +121,7 @@ gboolean nm_supplicant_interface_credentials_reply (NMSupplicantInterface *self,
|
|||
GError **error);
|
||||
|
||||
NMSupplicantFeature nm_supplicant_interface_get_ap_support (NMSupplicantInterface *self);
|
||||
NMSupplicantFeature nm_supplicant_interface_get_pmf_support (NMSupplicantInterface *self);
|
||||
|
||||
void nm_supplicant_interface_set_ap_support (NMSupplicantInterface *self,
|
||||
NMSupplicantFeature apmode);
|
||||
|
|
|
@ -151,6 +151,7 @@ static const struct Opt opt_table[] = {
|
|||
{ "mka_cak", TYPE_BYTES, 0, 65536, FALSE, NULL },
|
||||
{ "mka_ckn", TYPE_BYTES, 0, 65536, FALSE, NULL },
|
||||
{ "macsec_port", TYPE_INT, 1, 65534, FALSE, NULL },
|
||||
{ "ieee80211w", TYPE_INT, 0, 2, FALSE, NULL },
|
||||
};
|
||||
|
||||
|
||||
|
|
|
@ -278,6 +278,7 @@ test_wifi_wep_key (const char *detail,
|
|||
NULL,
|
||||
"376aced7-b28c-46be-9a62-fcdf072571da",
|
||||
1500,
|
||||
0,
|
||||
&error));
|
||||
g_assert_no_error (error);
|
||||
g_test_assert_expected_messages ();
|
||||
|
@ -374,6 +375,7 @@ test_wifi_wpa_psk (const char *detail,
|
|||
g_object_set (s_wsec,
|
||||
NM_SETTING_WIRELESS_SECURITY_KEY_MGMT, "wpa-psk",
|
||||
NM_SETTING_WIRELESS_SECURITY_PSK, key_data,
|
||||
NM_SETTING_WIRELESS_SECURITY_PMF, NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL,
|
||||
NULL);
|
||||
|
||||
nm_setting_wireless_security_add_proto (s_wsec, "wpa");
|
||||
|
@ -411,7 +413,7 @@ test_wifi_wpa_psk (const char *detail,
|
|||
g_test_assert_expected_messages ();
|
||||
|
||||
g_test_expect_message ("NetworkManager", G_LOG_LEVEL_INFO,
|
||||
"*added 'key_mgmt' value 'WPA-PSK'");
|
||||
"*added 'key_mgmt' value 'WPA-PSK WPA-PSK-SHA256'");
|
||||
g_test_expect_message ("NetworkManager", G_LOG_LEVEL_INFO,
|
||||
"*added 'psk' value *");
|
||||
g_test_expect_message ("NetworkManager", G_LOG_LEVEL_INFO,
|
||||
|
@ -420,11 +422,14 @@ test_wifi_wpa_psk (const char *detail,
|
|||
"*added 'pairwise' value 'TKIP CCMP'");
|
||||
g_test_expect_message ("NetworkManager", G_LOG_LEVEL_INFO,
|
||||
"*added 'group' value 'TKIP CCMP'");
|
||||
g_test_expect_message ("NetworkManager", G_LOG_LEVEL_INFO,
|
||||
"*added 'ieee80211w' value '1'");
|
||||
g_assert (nm_supplicant_config_add_setting_wireless_security (config,
|
||||
s_wsec,
|
||||
NULL,
|
||||
"376aced7-b28c-46be-9a62-fcdf072571da",
|
||||
1500,
|
||||
NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL,
|
||||
&error));
|
||||
g_assert_no_error (error);
|
||||
g_test_assert_expected_messages ();
|
||||
|
@ -435,7 +440,7 @@ test_wifi_wpa_psk (const char *detail,
|
|||
validate_opt (detail, config_dict, "scan_ssid", TYPE_INT, GINT_TO_POINTER (1), -1);
|
||||
validate_opt (detail, config_dict, "ssid", TYPE_BYTES, ssid_data, sizeof (ssid_data));
|
||||
validate_opt (detail, config_dict, "bssid", TYPE_KEYWORD, bssid_str, -1);
|
||||
validate_opt (detail, config_dict, "key_mgmt", TYPE_KEYWORD, "WPA-PSK", -1);
|
||||
validate_opt (detail, config_dict, "key_mgmt", TYPE_KEYWORD, "WPA-PSK WPA-PSK-SHA256", -1);
|
||||
validate_opt (detail, config_dict, "proto", TYPE_KEYWORD, "WPA RSN", -1);
|
||||
validate_opt (detail, config_dict, "pairwise", TYPE_KEYWORD, "TKIP CCMP", -1);
|
||||
validate_opt (detail, config_dict, "group", TYPE_KEYWORD, "TKIP CCMP", -1);
|
||||
|
@ -580,6 +585,7 @@ test_wifi_eap (void)
|
|||
s_8021x,
|
||||
"d5b488af-9cab-41ed-bad4-97709c58430f",
|
||||
mtu,
|
||||
NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE,
|
||||
&error));
|
||||
g_assert_no_error (error);
|
||||
g_test_assert_expected_messages ();
|
||||
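Review bot: None of the updated tests passes `NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED`, so the enforcing path (`key_mgmt` restricted to the SHA256 AKM and `ieee80211w` set to `2`) is not covered. Only the optional case in test_wifi_wpa_psk and the disabled case in test_wifi_eap are exercised. A variant of test_wifi_wpa_psk that expects `"*added 'ieee80211w' value '2'"` would pin it. In test_wifi_wep_key the new argument is a bare `0`; `NM_SETTING_WIRELESS_SECURITY_PMF_DEFAULT` (which I believe is that value) would read better next to the enum names used in the other calls. The test functions start and end outside the hunks.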
|
|