From 2bc3cf0cb81e30bf8d485d8293c19d8694937fbb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonas=20Dre=C3=9Fler?=
Date: Fri, 23 Apr 2021 18:04:36 +0200
Subject: [PATCH] supplicant/config: Disallow SHA1 ciphers when using required PMF
As mentioned in the wpa_supplicant reference config, when setting PMF to required with WPA2 (personal or enterprise) authentication, we want to only enable SHA256 and upwards as HMAC. So enforce that by not passing WPA-PSK and WPA-EAP to the config in case pmf is set to REQUIRED.
---
 src/core/supplicant/nm-supplicant-config.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/core/supplicant/nm-supplicant-config.c b/src/core/supplicant/nm-supplicant-config.c
index 16fdd1eb8d..40efc6c593 100644
--- a/src/core/supplicant/nm-supplicant-config.c
+++ b/src/core/supplicant/nm-supplicant-config.c
@@ -848,7 +848,8 @@ nm_supplicant_config_add_setting_wireless_security(NMSupplicantConfig *
 g_string_append(key_mgmt_conf, "OWE");
 } else if (nm_streq(key_mgmt, "wpa-psk")) {
- g_string_append(key_mgmt_conf, "WPA-PSK");
+ if (pmf != NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED)
+ g_string_append(key_mgmt_conf, "WPA-PSK");
 if (_get_capability(priv, NM_SUPPL_CAP_TYPE_PMF))
 g_string_append(key_mgmt_conf, " WPA-PSK-SHA256");
 if (_get_capability(priv, NM_SUPPL_CAP_TYPE_FT))
@@ -867,7 +868,8 @@ nm_supplicant_config_add_setting_wireless_security(NMSupplicantConfig *
 g_string_append(key_mgmt_conf, " FT-SAE");
 } else if (nm_streq(key_mgmt, "wpa-eap")) {
- g_string_append(key_mgmt_conf, "WPA-EAP");
+ if (pmf != NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED)
+ g_string_append(key_mgmt_conf, "WPA-EAP");
 if (_get_capability(priv, NM_SUPPL_CAP_TYPE_FT)) {
 g_string_append(key_mgmt_conf, " FT-EAP");
 if (_get_capability(priv, NM_SUPPL_CAP_TYPE_SHA384))
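Review bot: With `pmf` set to REQUIRED, the `wpa-psk` branch now appends nothing unless the supplicant reports `NM_SUPPL_CAP_TYPE_PMF` or `NM_SUPPL_CAP_TYPE_FT`, so `key_mgmt_conf` can end up empty; the `wpa-eap` hunk has the same shape. When something is appended, the value now begins with a separator, because the remaining entries are written with a leading space (`" WPA-PSK-SHA256"`, `" FT-EAP"`). I would make the failure explicit once the list is built, with a guard such as `if (key_mgmt_conf->len == 0)` that takes the function's existing error return, so a "PMF required" profile on a supplicant without SHA256 AKM support is rejected with a clear message and not sent with an empty key_mgmt. I would also add the separator only when the string is already non-empty. Both branches continue outside the hunks, so a later check that already trims or rejects the value would not be visible here.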