system/NetworkManager
system/NetworkManager
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/NetworkManager/NetworkManager synced 2024-10-15 12:34:55 +00:00
Code Issues Packages Projects Releases Wiki Activity

supplicant: configure PMF for each connection

Browse source 
Now that we have a PMF connection property, get rid of the previous
code to globally enable/disable PMF and use the 'ieee80211w'
configuration option for each configured network when the supplicant
supports it.
This commit is contained in:
Beniamino Galvani 2017-04-18 13:39:43 +02:00
parent 53f3113389
commit acb70d84f9
8 changed files with 86 additions and 81 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
man/NetworkManager.conf.xml
View file

@ -701,6 +701,11 @@ ipv6.ip6-privacy=0
<listitem><para>If left unspecified, the default value
"<literal>ignore</literal>" will be used.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>wifi-sec.pmf</varname></term>
<listitem><para>If left unspecified, the default value
"<literal>optional</literal>" will be used.</para></listitem>
</varlistentry>
</variablelist>
</para>
</refsect2>

36
src/devices/wifi/nm-device-wifi.c
View file

@ -2348,6 +2348,8 @@ build_supplicant_config (NMDeviceWifi *self,
NMSupplicantConfig *config = NULL;
NMSettingWireless *s_wireless;
NMSettingWirelessSecurity *s_wireless_sec;
NMSettingWirelessSecurityPmf pmf;
gs_free char *value = NULL;
g_return_val_if_fail (priv->sup_iface, NULL);
@ -2378,12 +2380,46 @@ build_supplicant_config (NMDeviceWifi *self,
nm_device_get_ifindex (NM_DEVICE (self)));
g_assert (con_uuid);
/* Configure PMF (802.11w) */
pmf = nm_setting_wireless_security_get_pmf (s_wireless_sec);
if (pmf == NM_SETTING_WIRELESS_SECURITY_PMF_DEFAULT) {
value = nm_config_data_get_connection_default (NM_CONFIG_GET_DATA,
"wifi-sec.pmf",
NM_DEVICE (self));
pmf = _nm_utils_ascii_str_to_int64 (value, 10,
NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE,
NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED,
NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL);
}
/* Don't try to enable PMF on non-WPA networks */
if (!NM_IN_STRSET (nm_setting_wireless_security_get_key_mgmt (s_wireless_sec),
"wpa-eap",
"wpa-psk"))
pmf = NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE;
/* Check if we actually support PMF */
if (nm_supplicant_interface_get_pmf_support (priv->sup_iface) != NM_SUPPLICANT_FEATURE_YES) {
if (pmf == NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED) {
g_set_error_literal (error, NM_SUPPLICANT_ERROR, NM_SUPPLICANT_ERROR_CONFIG,
"Supplicant does not support PMF");
goto error;
} else if (pmf == NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL) {
/* To be on the safe side, assume no support if we can't determine
* capabilities.
*/
pmf = NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE;
}
}
s_8021x = nm_connection_get_setting_802_1x (connection);
if (!nm_supplicant_config_add_setting_wireless_security (config,
s_wireless_sec,
s_8021x,
con_uuid,
mtu,
pmf,
error)) {
g_prefix_error (error, "802-11-wireless-security: ");
goto error;

59
src/supplicant/nm-supplicant-config.c
View file

@ -684,9 +684,10 @@ nm_supplicant_config_add_setting_wireless_security (NMSupplicantConfig *self,
NMSetting8021x *setting_8021x,
const char *con_uuid,
guint32 mtu,
NMSettingWirelessSecurityPmf pmf,
GError **error)
{
const char *key_mgmt, *auth_alg;
const char *key_mgmt, *key_mgmt_conf, *auth_alg;
const char *psk;
g_return_val_if_fail (NM_IS_SUPPLICANT_CONFIG (self), FALSE);
@ -694,8 +695,19 @@ nm_supplicant_config_add_setting_wireless_security (NMSupplicantConfig *self,
g_return_val_if_fail (con_uuid != NULL, FALSE);
g_return_val_if_fail (!error || !*error, FALSE);
key_mgmt = nm_setting_wireless_security_get_key_mgmt (setting);
if (!add_string_val (self, key_mgmt, "key_mgmt", TRUE, NULL, error))
key_mgmt = key_mgmt_conf = nm_setting_wireless_security_get_key_mgmt (setting);
if (pmf == NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL) {
if (nm_streq (key_mgmt_conf, "wpa-psk"))
key_mgmt_conf = "wpa-psk wpa-psk-sha256";
else if (nm_streq (key_mgmt_conf, "wpa-eap"))
key_mgmt_conf = "wpa-eap wpa-eap-sha256";
} else if (pmf == NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED) {
if (nm_streq (key_mgmt_conf, "wpa-psk"))
key_mgmt_conf = "wpa-psk-sha256";
else if (nm_streq (key_mgmt_conf, "wpa-eap"))
key_mgmt_conf = "wpa-eap-sha256";
}
if (!add_string_val (self, key_mgmt_conf, "key_mgmt", TRUE, NULL, error))
return FALSE;
auth_alg = nm_setting_wireless_security_get_auth_alg (setting);
@ -750,6 +762,19 @@ nm_supplicant_config_add_setting_wireless_security (NMSupplicantConfig *self,
return FALSE;
if (!ADD_STRING_LIST_VAL (self, setting, wireless_security, group, groups, "group", ' ', TRUE, NULL, error))
return FALSE;
if ( !nm_streq (key_mgmt, "wpa-none")
&& NM_IN_SET (pmf,
NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL,
NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED)) {
if (!nm_supplicant_config_add_option (self,
"ieee80211w",
pmf == NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL ? "1" : "2",
-1,
NULL,
error))
return FALSE;
}
}
/* WEP keys if required */
@ -1325,31 +1350,3 @@ nm_supplicant_config_add_no_security (NMSupplicantConfig *self, GError **error)
return nm_supplicant_config_add_option (self, "key_mgmt", "NONE", -1, NULL, error);
}
gboolean
nm_supplicant_config_enable_pmf_akm (NMSupplicantConfig *self, GError **error)
{
NMSupplicantConfigPrivate *priv;
ConfigOption *option;
g_return_val_if_fail (NM_IS_SUPPLICANT_CONFIG (self), FALSE);
g_return_val_if_fail (!error || !*error, FALSE);
priv = NM_SUPPLICANT_CONFIG_GET_PRIVATE (self);
option = g_hash_table_lookup (priv->config, "key_mgmt");
if (!option)
return TRUE;
if (nm_streq0 (option->value, "WPA-PSK")) {
g_hash_table_remove (priv->config, "key_mgmt");
if (!nm_supplicant_config_add_option (self, "key_mgmt", "WPA-PSK WPA-PSK-SHA256", -1, NULL, error))
return FALSE;
} else if (nm_streq0 (option->value, "WPA-EAP")) {
g_hash_table_remove (priv->config, "key_mgmt");
if (!nm_supplicant_config_add_option (self, "key_mgmt", "WPA-EAP WPA-EAP-SHA256", -1, NULL, error))
return FALSE;
}
return TRUE;
}

1
src/supplicant/nm-supplicant-config.h
View file

@ -60,6 +60,7 @@ gboolean nm_supplicant_config_add_setting_wireless_security (NMSupplicantConfig
NMSetting8021x *setting_8021x,
const char *con_uuid,
guint32 mtu,
NMSettingWirelessSecurityPmf pmf,
GError **error);
gboolean nm_supplicant_config_add_no_security (NMSupplicantConfig *self,

54
src/supplicant/nm-supplicant-interface.c
View file

@ -472,30 +472,6 @@ iface_check_ready (NMSupplicantInterface *self)
}
}
static void
set_pmf_cb (GDBusProxy *proxy, GAsyncResult *result, gpointer user_data)
{
NMSupplicantInterface *self;
NMSupplicantInterfacePrivate *priv;
gs_unref_variant GVariant *reply = NULL;
gs_free_error GError *error = NULL;
reply = g_dbus_proxy_call_finish (proxy, result, &error);
if (g_error_matches (error, G_IO_ERROR, G_IO_ERROR_CANCELLED))
return;
self = NM_SUPPLICANT_INTERFACE (user_data);
priv = NM_SUPPLICANT_INTERFACE_GET_PRIVATE (self);
if (!reply) {
g_dbus_error_strip_remote_error (error);
_LOGW ("couldn't enable PMF: %s", error->message);
return;
}
_LOGD ("PMF enabled");
}
gboolean
nm_supplicant_interface_credentials_reply (NMSupplicantInterface *self,
const char *field,
@ -567,6 +543,12 @@ nm_supplicant_interface_get_ap_support (NMSupplicantInterface *self)
return NM_SUPPLICANT_INTERFACE_GET_PRIVATE (self)->ap_support;
}
NMSupplicantFeature
nm_supplicant_interface_get_pmf_support (NMSupplicantInterface *self)
{
return NM_SUPPLICANT_INTERFACE_GET_PRIVATE (self)->pmf_support;
}
void
nm_supplicant_interface_set_ap_support (NMSupplicantInterface *self,
NMSupplicantFeature ap_support)
@ -841,21 +823,6 @@ on_iface_proxy_acquired (GDBusProxy *proxy, GAsyncResult *result, gpointer user_
NULL,
NULL);
if ( priv->pmf_support == NM_SUPPLICANT_FEATURE_YES
&& priv->driver == NM_SUPPLICANT_DRIVER_WIRELESS) {
g_dbus_proxy_call (priv->iface_proxy,
DBUS_INTERFACE_PROPERTIES ".Set",
g_variant_new ("(ssv)",
WPAS_DBUS_IFACE_INTERFACE,
"Pmf",
g_variant_new_uint32 (1)),
G_DBUS_CALL_FLAGS_NONE,
-1,
priv->init_cancellable,
(GAsyncReadyCallback) set_pmf_cb,
self);
}
/* Check whether NetworkReply and AP mode are supported */
priv->ready_count = 1;
g_dbus_proxy_call (priv->iface_proxy,
@ -1424,7 +1391,6 @@ nm_supplicant_interface_assoc (NMSupplicantInterface *self,
{
NMSupplicantInterfacePrivate *priv;
AssocData *assoc_data;
GError *error = NULL;
g_return_if_fail (NM_IS_SUPPLICANT_INTERFACE (self));
g_return_if_fail (NM_IS_SUPPLICANT_CONFIG (cfg));
@ -1441,14 +1407,6 @@ nm_supplicant_interface_assoc (NMSupplicantInterface *self,
assoc_data->callback = callback;
assoc_data->user_data = user_data;
if ( priv->driver == NM_SUPPLICANT_DRIVER_WIRELESS
&& priv->pmf_support == NM_SUPPLICANT_FEATURE_YES) {
if (!nm_supplicant_config_enable_pmf_akm (cfg, &error)) {
_LOGW ("could not enable PMF AKMs in config: %s", error->message);
g_error_free (error);
}
}
_LOGD ("assoc[%p]: starting association...", assoc_data);
/* Make sure the supplicant supports EAP-FAST before trying to send

1
src/supplicant/nm-supplicant-interface.h
View file

@ -121,6 +121,7 @@ gboolean nm_supplicant_interface_credentials_reply (NMSupplicantInterface *self,
GError **error);
NMSupplicantFeature nm_supplicant_interface_get_ap_support (NMSupplicantInterface *self);
NMSupplicantFeature nm_supplicant_interface_get_pmf_support (NMSupplicantInterface *self);
void nm_supplicant_interface_set_ap_support (NMSupplicantInterface *self,
NMSupplicantFeature apmode);

1
src/supplicant/nm-supplicant-settings-verify.c
View file

@ -151,6 +151,7 @@ static const struct Opt opt_table[] = {
{ "mka_cak", TYPE_BYTES, 0, 65536, FALSE, NULL },
{ "mka_ckn", TYPE_BYTES, 0, 65536, FALSE, NULL },
{ "macsec_port", TYPE_INT, 1, 65534, FALSE, NULL },
{ "ieee80211w", TYPE_INT, 0, 2, FALSE, NULL },
};

10
src/supplicant/tests/test-supplicant-config.c
View file

@ -278,6 +278,7 @@ test_wifi_wep_key (const char *detail,
NULL,
"376aced7-b28c-46be-9a62-fcdf072571da",
1500,
0,
&error));
g_assert_no_error (error);
g_test_assert_expected_messages ();
@ -374,6 +375,7 @@ test_wifi_wpa_psk (const char *detail,
g_object_set (s_wsec,
NM_SETTING_WIRELESS_SECURITY_KEY_MGMT, "wpa-psk",
NM_SETTING_WIRELESS_SECURITY_PSK, key_data,
NM_SETTING_WIRELESS_SECURITY_PMF, NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL,
NULL);
nm_setting_wireless_security_add_proto (s_wsec, "wpa");
@ -411,7 +413,7 @@ test_wifi_wpa_psk (const char *detail,
g_test_assert_expected_messages ();
g_test_expect_message ("NetworkManager", G_LOG_LEVEL_INFO,
"*added 'key_mgmt' value 'WPA-PSK'");
"*added 'key_mgmt' value 'WPA-PSK WPA-PSK-SHA256'");
g_test_expect_message ("NetworkManager", G_LOG_LEVEL_INFO,
"*added 'psk' value *");
g_test_expect_message ("NetworkManager", G_LOG_LEVEL_INFO,
@ -420,11 +422,14 @@ test_wifi_wpa_psk (const char *detail,
"*added 'pairwise' value 'TKIP CCMP'");
g_test_expect_message ("NetworkManager", G_LOG_LEVEL_INFO,
"*added 'group' value 'TKIP CCMP'");
g_test_expect_message ("NetworkManager", G_LOG_LEVEL_INFO,
"*added 'ieee80211w' value '1'");
g_assert (nm_supplicant_config_add_setting_wireless_security (config,
s_wsec,
NULL,
"376aced7-b28c-46be-9a62-fcdf072571da",
1500,
NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL,
&error));
g_assert_no_error (error);
g_test_assert_expected_messages ();
@ -435,7 +440,7 @@ test_wifi_wpa_psk (const char *detail,
validate_opt (detail, config_dict, "scan_ssid", TYPE_INT, GINT_TO_POINTER (1), -1);
validate_opt (detail, config_dict, "ssid", TYPE_BYTES, ssid_data, sizeof (ssid_data));
validate_opt (detail, config_dict, "bssid", TYPE_KEYWORD, bssid_str, -1);
validate_opt (detail, config_dict, "key_mgmt", TYPE_KEYWORD, "WPA-PSK", -1);
validate_opt (detail, config_dict, "key_mgmt", TYPE_KEYWORD, "WPA-PSK WPA-PSK-SHA256", -1);
validate_opt (detail, config_dict, "proto", TYPE_KEYWORD, "WPA RSN", -1);
validate_opt (detail, config_dict, "pairwise", TYPE_KEYWORD, "TKIP CCMP", -1);
validate_opt (detail, config_dict, "group", TYPE_KEYWORD, "TKIP CCMP", -1);
@ -580,6 +585,7 @@ test_wifi_eap (void)
s_8021x,
"d5b488af-9cab-41ed-bad4-97709c58430f",
mtu,
NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE,
&error));
g_assert_no_error (error);
g_test_assert_expected_messages ();