nm-supplicant-interface: fix removal of OWE flag from non-transition mode BSSIDs

Commit 37e7fa38c2 ("nm-supplicant-interface: enable OWE security
when transition mode is available") adds the OWE security flag in
case a valid OWE transtition mode IE is present on the beacon.

It also removes the OWE security flag in case the Iinformation elements
of a beacon are updated and a OWE transition mode IE can't be found.

When a pure OWE AP updates it's Information Elements (e.g. BSS Load
Element), the OWE security flag is falsely removed.

Introduce a new NM_802_11_AP_SEC_KEY_MGMT_OWE_TM security flag and use
it exclusively for OWE transition mode. Don't use the
M_802_11_AP_SEC_KEY_MGMT_OWE security flag on transition-mode APs.

Signed-off-by: David Bauer <mail@david-bauer.net>

clients/cli/devices.c

@@ -53,7 +53,7 @@ ap_wpa_rsn_flags_to_string (NM80211ApSecurityFlags flags, NMMetaAccessorGetType
 		flags_str[i++] = "802.1X";
 	if (flags & NM_802_11_AP_SEC_KEY_MGMT_SAE)
 		flags_str[i++] = "sae";
-	if (flags & NM_802_11_AP_SEC_KEY_MGMT_OWE)
+	if (NM_FLAGS_ANY (flags, NM_802_11_AP_SEC_KEY_MGMT_OWE |NM_802_11_AP_SEC_KEY_MGMT_OWE_TM))
 		flags_str[i++] = "owe";
 
 	/* Make sure you grow flags_str when adding items here. */
@@ -1214,7 +1214,7 @@ fill_output_access_point (gpointer data, gpointer user_data)
 	if (rsn_flags & NM_802_11_AP_SEC_KEY_MGMT_SAE) {
 		g_string_append (security_str, "WPA3 ");
 	}
-	if (rsn_flags & NM_802_11_AP_SEC_KEY_MGMT_OWE) {
+	if (NM_FLAGS_ANY (rsn_flags, NM_802_11_AP_SEC_KEY_MGMT_OWE | NM_802_11_AP_SEC_KEY_MGMT_OWE_TM)) {
 		g_string_append (security_str, "OWE ");
 	}
 	if (   (wpa_flags & NM_802_11_AP_SEC_KEY_MGMT_802_1X)
@@ -3690,8 +3690,12 @@ do_device_wifi_connect (const NMCCommand *cmd, NmCli *nmc, int argc, const char
 
 	/* Set password for WEP or WPA-PSK. */
 	if (   (ap_flags & NM_802_11_AP_FLAGS_PRIVACY)
-	    || (ap_wpa_flags != NM_802_11_AP_SEC_NONE && !(ap_wpa_flags & NM_802_11_AP_SEC_KEY_MGMT_OWE))
-	    || (ap_rsn_flags != NM_802_11_AP_SEC_NONE && !(ap_rsn_flags & NM_802_11_AP_SEC_KEY_MGMT_OWE))) {
+	    || (   ap_wpa_flags != NM_802_11_AP_SEC_NONE
+	        && !NM_FLAGS_ANY (ap_wpa_flags, NM_802_11_AP_SEC_KEY_MGMT_OWE |
+	                                        NM_802_11_AP_SEC_KEY_MGMT_OWE_TM))
+	    || (   ap_rsn_flags != NM_802_11_AP_SEC_NONE
+	        && !NM_FLAGS_ANY (ap_rsn_flags, NM_802_11_AP_SEC_KEY_MGMT_OWE |
+	                                        NM_802_11_AP_SEC_KEY_MGMT_OWE_TM))) {
 		const char *con_password = NULL;
 		NMSettingWirelessSecurity *s_wsec = NULL;
 

libnm-core/nm-dbus-interface.h

@@ -351,6 +351,8 @@ typedef enum { /*< underscore_name=nm_802_11_ap_flags, flags >*/
  * supported
  * @NM_802_11_AP_SEC_KEY_MGMT_OWE: WPA/RSN Opportunistic Wireless Encryption is
  * supported
+ * @NM_802_11_AP_SEC_KEY_MGMT_OWE_TM: WPA/RSN Opportunistic Wireless Encryption
+ * transition mode is supported. Since: 1.26.
  *
  * 802.11 access point security and authentication flags.  These flags describe
  * the current security requirements of an access point as determined from the
@@ -370,6 +372,7 @@ typedef enum { /*< underscore_name=nm_802_11_ap_security_flags, flags >*/
 	NM_802_11_AP_SEC_KEY_MGMT_802_1X = 0x00000200,
 	NM_802_11_AP_SEC_KEY_MGMT_SAE    = 0x00000400,
 	NM_802_11_AP_SEC_KEY_MGMT_OWE    = 0x00000800,
+	NM_802_11_AP_SEC_KEY_MGMT_OWE_TM = 0x00001000,
 } NM80211ApSecurityFlags;
 
 /**

libnm-core/nm-setting-wireless.c

@@ -222,8 +222,8 @@ nm_setting_wireless_ap_security_compatible (NMSettingWireless *s_wireless,
 			    && !(ap_rsn & NM_802_11_AP_SEC_KEY_MGMT_SAE))
 				return FALSE;
 		} else if (!strcmp (key_mgmt, "owe")) {
-			if (   !(ap_wpa & NM_802_11_AP_SEC_KEY_MGMT_OWE)
-			    && !(ap_rsn & NM_802_11_AP_SEC_KEY_MGMT_OWE))
+			if (   !NM_FLAGS_ANY (ap_wpa, NM_802_11_AP_SEC_KEY_MGMT_OWE | NM_802_11_AP_SEC_KEY_MGMT_OWE_TM)
+			    && !NM_FLAGS_ANY (ap_rsn, NM_802_11_AP_SEC_KEY_MGMT_OWE | NM_802_11_AP_SEC_KEY_MGMT_OWE_TM))
 				return FALSE;
 		}
 

libnm-core/nm-utils.c

@@ -1266,7 +1266,7 @@ nm_utils_security_valid (NMUtilsSecurityType type,
 			return FALSE;
 		if (!have_ap)
 			return TRUE;
-		if (!(ap_rsn & NM_802_11_AP_SEC_KEY_MGMT_OWE))
+		if (!NM_FLAGS_ANY (ap_rsn, NM_802_11_AP_SEC_KEY_MGMT_OWE | NM_802_11_AP_SEC_KEY_MGMT_OWE_TM))
 			return FALSE;
 		return TRUE;
 	case NMU_SEC_INVALID:

src/devices/wifi/nm-wifi-ap.c

@@ -913,7 +913,8 @@ nm_wifi_ap_class_init (NMWifiAPClass *ap_class)
 	| NM_802_11_AP_SEC_KEY_MGMT_PSK \
 	| NM_802_11_AP_SEC_KEY_MGMT_802_1X \
 	| NM_802_11_AP_SEC_KEY_MGMT_SAE \
-	| NM_802_11_AP_SEC_KEY_MGMT_OWE )
+	| NM_802_11_AP_SEC_KEY_MGMT_OWE \
+	| NM_802_11_AP_SEC_KEY_MGMT_OWE_TM)
 
 	GObjectClass *object_class = G_OBJECT_CLASS (ap_class);
 	NMDBusObjectClass *dbus_object_class = NM_DBUS_OBJECT_CLASS (ap_class);

src/devices/wifi/nm-wifi-utils.c

@@ -760,7 +760,8 @@ nm_wifi_utils_complete_connection (GBytes *ap_ssid,
 		              NM_SETTING_WIRELESS_SECURITY_AUTH_ALG, "open",
 		              NULL);
 	} else if (   (key_mgmt && !strcmp (key_mgmt, "owe"))
-	           || (ap_rsn_flags & NM_802_11_AP_SEC_KEY_MGMT_OWE)) {
+	           || NM_FLAGS_ANY (ap_rsn_flags, NM_802_11_AP_SEC_KEY_MGMT_OWE |
+	                                          NM_802_11_AP_SEC_KEY_MGMT_OWE_TM)) {
 		g_object_set (s_wsec,
 		              NM_SETTING_WIRELESS_SECURITY_KEY_MGMT, "owe",
 		              NM_SETTING_WIRELESS_SECURITY_AUTH_ALG, "open",

src/supplicant/nm-supplicant-interface.c

@@ -715,9 +715,9 @@ _bss_info_properties_changed (NMSupplicantInterface *self,
 		g_variant_unref (v_v);
 
 		if (p_owe_transition_mode)
-			bss_info->rsn_flags |= NM_802_11_AP_SEC_KEY_MGMT_OWE;
+			bss_info->rsn_flags |= NM_802_11_AP_SEC_KEY_MGMT_OWE_TM;
 		else
-			bss_info->rsn_flags &= ~NM_802_11_AP_SEC_KEY_MGMT_OWE;
+			bss_info->rsn_flags &= ~NM_802_11_AP_SEC_KEY_MGMT_OWE_TM;
 
 		bss_info->metered = p_metered;
 	}