fdo-mirrors/NetworkManager
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/NetworkManager/NetworkManager.git synced 2026-02-15 02:10:32 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

wifi: merge branch 'verdre:better-wifi-auth-selection'

Browse source 
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/833
This commit is contained in:
Thomas Haller 2021-05-06 22:26:54 +02:00
commit 51899c3085
No known key found for this signature in database
GPG key ID: 29C2366E4DFC5728
7 changed files with 139 additions and 60 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

22
src/core/devices/wifi/nm-wifi-utils.c
View file

@ -814,15 +814,24 @@ nm_wifi_utils_complete_connection(GBytes * ap_ssid,
* setting. Since there's so much configuration required for it, there's
* no way it can be automatically completed.
*/
} else if ((key_mgmt && !strcmp(key_mgmt, "sae"))
|| (ap_rsn_flags & NM_802_11_AP_SEC_KEY_MGMT_SAE)) {
} else if (nm_streq0(key_mgmt, "wpa-psk")
|| (ap_rsn_flags & NM_802_11_AP_SEC_KEY_MGMT_SAE
&& (ap_wpa_flags & NM_802_11_AP_SEC_KEY_MGMT_PSK
|| ap_rsn_flags & NM_802_11_AP_SEC_KEY_MGMT_PSK))) {
g_object_set(s_wsec,
NM_SETTING_WIRELESS_SECURITY_KEY_MGMT,
"wpa-psk",
NM_SETTING_WIRELESS_SECURITY_AUTH_ALG,
"open",
NULL);
} else if (nm_streq0(key_mgmt, "sae") || (ap_rsn_flags & NM_802_11_AP_SEC_KEY_MGMT_SAE)) {
g_object_set(s_wsec,
NM_SETTING_WIRELESS_SECURITY_KEY_MGMT,
"sae",
NM_SETTING_WIRELESS_SECURITY_AUTH_ALG,
"open",
NULL);
} else if ((key_mgmt && !strcmp(key_mgmt, "owe"))
} else if (nm_streq0(key_mgmt, "owe")
|| NM_FLAGS_ANY(ap_rsn_flags,
NM_802_11_AP_SEC_KEY_MGMT_OWE | NM_802_11_AP_SEC_KEY_MGMT_OWE_TM)) {
g_object_set(s_wsec,
@ -831,9 +840,8 @@ nm_wifi_utils_complete_connection(GBytes * ap_ssid,
NM_SETTING_WIRELESS_SECURITY_AUTH_ALG,
"open",
NULL);
} else if ((key_mgmt && !strcmp(key_mgmt, "wpa-psk"))
|| (ap_wpa_flags & NM_802_11_AP_SEC_KEY_MGMT_PSK)
|| (ap_rsn_flags & NM_802_11_AP_SEC_KEY_MGMT_PSK)) {
} else if (ap_wpa_flags & NM_802_11_AP_SEC_KEY_MGMT_PSK
|| ap_rsn_flags & NM_802_11_AP_SEC_KEY_MGMT_PSK) {
g_object_set(s_wsec,
NM_SETTING_WIRELESS_SECURITY_KEY_MGMT,
"wpa-psk",
@ -843,7 +851,7 @@ nm_wifi_utils_complete_connection(GBytes * ap_ssid,
/* Leave proto/pairwise/group as client set them; if they are unset the
* supplicant will figure out the best combination at connect time.
*/
} else if ((key_mgmt && !strcmp(key_mgmt, "wpa-eap-suite-b-192"))
} else if (nm_streq0(key_mgmt, "wpa-eap-suite-b-192")
|| (ap_rsn_flags & NM_802_11_AP_SEC_KEY_MGMT_EAP_SUITE_B_192)) {
g_object_set(s_wsec,
NM_SETTING_WIRELESS_SECURITY_KEY_MGMT,

93
src/core/supplicant/nm-supplicant-config.c
View file

@ -834,55 +834,82 @@ nm_supplicant_config_add_setting_wireless_security(NMSupplicantConfig *
}
key_mgmt = nm_setting_wireless_security_get_key_mgmt(setting);
key_mgmt_conf = g_string_new(key_mgmt);
if (nm_streq(key_mgmt, "wpa-psk")) {
if (_get_capability(priv, NM_SUPPL_CAP_TYPE_PMF))
g_string_append(key_mgmt_conf, " wpa-psk-sha256");
if (_get_capability(priv, NM_SUPPL_CAP_TYPE_FT))
g_string_append(key_mgmt_conf, " ft-psk");
if (_get_capability(priv, NM_SUPPL_CAP_TYPE_SAE)) {
g_string_append(key_mgmt_conf, " sae");
if (_get_capability(priv, NM_SUPPL_CAP_TYPE_FT))
g_string_append(key_mgmt_conf, " ft-sae");
}
} else if (nm_streq(key_mgmt, "wpa-eap")) {
if (_get_capability(priv, NM_SUPPL_CAP_TYPE_PMF)) {
g_string_append(key_mgmt_conf, " wpa-eap-sha256");
key_mgmt_conf = g_string_new("");
if (nm_streq(key_mgmt, "none")) {
g_string_append(key_mgmt_conf, "NONE");
} else if (nm_streq(key_mgmt, "ieee8021x")) {
g_string_append(key_mgmt_conf, "IEEE8021X");
} else if (nm_streq(key_mgmt, "owe")) {
pmf = NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED;
g_string_append(key_mgmt_conf, "OWE");
} else if (nm_streq(key_mgmt, "wpa-psk")) {
if (pmf != NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED)
g_string_append(key_mgmt_conf, "WPA-PSK");
if (_get_capability(priv, NM_SUPPL_CAP_TYPE_PMF))
g_string_append(key_mgmt_conf, " WPA-PSK-SHA256");
if (_get_capability(priv, NM_SUPPL_CAP_TYPE_FT))
g_string_append(key_mgmt_conf, " FT-PSK");
if (_get_capability(priv, NM_SUPPL_CAP_TYPE_SAE)) {
g_string_append(key_mgmt_conf, " SAE");
if (_get_capability(priv, NM_SUPPL_CAP_TYPE_FT))
g_string_append(key_mgmt_conf, " FT-SAE");
}
} else if (nm_streq(key_mgmt, "sae")) {
pmf = NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED;
g_string_append(key_mgmt_conf, "SAE");
if (_get_capability(priv, NM_SUPPL_CAP_TYPE_FT))
g_string_append(key_mgmt_conf, " FT-SAE");
} else if (nm_streq(key_mgmt, "wpa-eap")) {
if (pmf != NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED)
g_string_append(key_mgmt_conf, "WPA-EAP");
if (_get_capability(priv, NM_SUPPL_CAP_TYPE_FT)) {
g_string_append(key_mgmt_conf, " FT-EAP");
if (_get_capability(priv, NM_SUPPL_CAP_TYPE_SHA384))
g_string_append(key_mgmt_conf, " FT-EAP-SHA384");
}
if (_get_capability(priv, NM_SUPPL_CAP_TYPE_PMF)) {
g_string_append(key_mgmt_conf, " WPA-EAP-SHA256");
if (_get_capability(priv, NM_SUPPL_CAP_TYPE_SUITEB192)
&& pmf == NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED)
g_string_append(key_mgmt_conf, " wpa-eap-suite-b-192");
g_string_append(key_mgmt_conf, " WPA-EAP-SUITE-B-192");
}
if (_get_capability(priv, NM_SUPPL_CAP_TYPE_FT))
g_string_append(key_mgmt_conf, " ft-eap");
if (_get_capability(priv, NM_SUPPL_CAP_TYPE_FT)
&& _get_capability(priv, NM_SUPPL_CAP_TYPE_SHA384))
g_string_append(key_mgmt_conf, " ft-eap-sha384");
switch (fils) {
case NM_SETTING_WIRELESS_SECURITY_FILS_REQUIRED:
g_string_truncate(key_mgmt_conf, 0);
if (!_get_capability(priv, NM_SUPPL_CAP_TYPE_PMF))
g_string_assign(key_mgmt_conf, "fils-sha256 fils-sha384");
g_string_assign(key_mgmt_conf, "FILS-SHA256 FILS-SHA384");
/* fall-through */
case NM_SETTING_WIRELESS_SECURITY_FILS_OPTIONAL:
if (_get_capability(priv, NM_SUPPL_CAP_TYPE_PMF))
g_string_append(key_mgmt_conf, " fils-sha256 fils-sha384");
if (_get_capability(priv, NM_SUPPL_CAP_TYPE_PMF)
&& _get_capability(priv, NM_SUPPL_CAP_TYPE_FT))
g_string_append(key_mgmt_conf, " ft-fils-sha256");
if (_get_capability(priv, NM_SUPPL_CAP_TYPE_PMF)
&& _get_capability(priv, NM_SUPPL_CAP_TYPE_FT)
&& _get_capability(priv, NM_SUPPL_CAP_TYPE_SHA384))
g_string_append(key_mgmt_conf, " ft-fils-sha384");
if (_get_capability(priv, NM_SUPPL_CAP_TYPE_PMF)) {
g_string_append(key_mgmt_conf, " FILS-SHA256 FILS-SHA384");
if (_get_capability(priv, NM_SUPPL_CAP_TYPE_FT)) {
g_string_append(key_mgmt_conf, " FT-FILS-SHA256");
if (_get_capability(priv, NM_SUPPL_CAP_TYPE_SHA384))
g_string_append(key_mgmt_conf, " FT-FILS-SHA384");
}
}
break;
default:
break;
}
} else if (nm_streq(key_mgmt, "sae")) {
if (_get_capability(priv, NM_SUPPL_CAP_TYPE_FT))
g_string_append(key_mgmt_conf, " ft-sae");
} else if (nm_streq(key_mgmt, "wpa-eap-suite-b-192")) {
pmf = NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED;
g_string_append(key_mgmt_conf, "WPA-EAP-SUITE-B-192");
if (_get_capability(priv, NM_SUPPL_CAP_TYPE_FT)
&& _get_capability(priv, NM_SUPPL_CAP_TYPE_SHA384))
g_string_append(key_mgmt_conf, " FT-EAP-SHA384");
}
if (!add_string_val(self, key_mgmt_conf->str, "key_mgmt", TRUE, NULL, error))

16
src/core/supplicant/nm-supplicant-interface.c
View file

@ -271,17 +271,21 @@ security_from_vardict(GVariant *security)
nm_assert(g_variant_is_of_type(security, G_VARIANT_TYPE_VARDICT));
if (g_variant_lookup(security, "KeyMgmt", "^a&s", &array)) {
if (g_strv_contains(array, "wpa-psk") || g_strv_contains(array, "wpa-ft-psk"))
if (g_strv_contains(array, "wpa-psk") || g_strv_contains(array, "wpa-psk-sha256")
|| g_strv_contains(array, "wpa-ft-psk"))
flags |= NM_802_11_AP_SEC_KEY_MGMT_PSK;
if (g_strv_contains(array, "wpa-eap") || g_strv_contains(array, "wpa-ft-eap")
|| g_strv_contains(array, "wpa-fils-sha256")
|| g_strv_contains(array, "wpa-fils-sha384"))
if (g_strv_contains(array, "wpa-eap") || g_strv_contains(array, "wpa-eap-sha256")
|| g_strv_contains(array, "wpa-ft-eap") || g_strv_contains(array, "wpa-fils-sha256")
|| g_strv_contains(array, "wpa-fils-sha384")
|| g_strv_contains(array, "wpa-fils-ft-sha256")
|| g_strv_contains(array, "wpa-fils-ft-sha384"))
flags |= NM_802_11_AP_SEC_KEY_MGMT_802_1X;
if (g_strv_contains(array, "sae"))
if (g_strv_contains(array, "sae") || g_strv_contains(array, "ft-sae"))
flags |= NM_802_11_AP_SEC_KEY_MGMT_SAE;
if (g_strv_contains(array, "owe"))
flags |= NM_802_11_AP_SEC_KEY_MGMT_OWE;
if (g_strv_contains(array, "wpa-eap-suite-b-192"))
if (g_strv_contains(array, "wpa-eap-suite-b-192")
|| g_strv_contains(array, "wpa-ft-eap-sha384"))
flags |= NM_802_11_AP_SEC_KEY_MGMT_EAP_SUITE_B_192;
g_free(array);
}

34
src/core/supplicant/tests/test-supplicant-config.c
View file

@ -394,7 +394,17 @@ test_wifi_wpa_psk(const char * detail,
NMTST_EXPECT_NM_INFO("Config: added 'scan_ssid' value '1'*");
NMTST_EXPECT_NM_INFO("Config: added 'bssid' value '11:22:33:44:55:66'*");
NMTST_EXPECT_NM_INFO("Config: added 'freq_list' value *");
NMTST_EXPECT_NM_INFO("Config: added 'key_mgmt' value 'WPA-PSK WPA-PSK-SHA256'");
switch (pmf) {
case NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE:
case NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL:
NMTST_EXPECT_NM_INFO("Config: added 'key_mgmt' value 'WPA-PSK WPA-PSK-SHA256'");
break;
case NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED:
NMTST_EXPECT_NM_INFO("Config: added 'key_mgmt' value ' WPA-PSK-SHA256'");
break;
default:
break;
}
NMTST_EXPECT_NM_INFO("Config: added 'psk' value *");
NMTST_EXPECT_NM_INFO("Config: added 'proto' value 'WPA RSN'");
NMTST_EXPECT_NM_INFO("Config: added 'pairwise' value 'TKIP CCMP'");
@ -421,11 +431,22 @@ test_wifi_wpa_psk(const char * detail,
validate_opt(detail, config_dict, "scan_ssid", NM_SUPPL_OPT_TYPE_INT, GINT_TO_POINTER(1));
validate_opt(detail, config_dict, "ssid", NM_SUPPL_OPT_TYPE_BYTES, ssid);
validate_opt(detail, config_dict, "bssid", NM_SUPPL_OPT_TYPE_KEYWORD, bssid_str);
validate_opt(detail,
config_dict,
"key_mgmt",
NM_SUPPL_OPT_TYPE_KEYWORD,
"WPA-PSK WPA-PSK-SHA256");
switch (pmf) {
case NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE:
case NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL:
validate_opt(detail,
config_dict,
"key_mgmt",
NM_SUPPL_OPT_TYPE_KEYWORD,
"WPA-PSK WPA-PSK-SHA256");
break;
case NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED:
validate_opt(detail, config_dict, "key_mgmt", NM_SUPPL_OPT_TYPE_KEYWORD, " WPA-PSK-SHA256");
break;
default:
break;
}
validate_opt(detail, config_dict, "proto", NM_SUPPL_OPT_TYPE_KEYWORD, "WPA RSN");
validate_opt(detail, config_dict, "pairwise", NM_SUPPL_OPT_TYPE_KEYWORD, "TKIP CCMP");
validate_opt(detail, config_dict, "group", NM_SUPPL_OPT_TYPE_KEYWORD, "TKIP CCMP");
@ -483,6 +504,7 @@ test_wifi_sae_psk(const char *psk)
NMTST_EXPECT_NM_INFO("Config: added 'proto' value 'RSN'");
NMTST_EXPECT_NM_INFO("Config: added 'pairwise' value 'TKIP CCMP'");
NMTST_EXPECT_NM_INFO("Config: added 'group' value 'TKIP CCMP'");
NMTST_EXPECT_NM_INFO("Config: added 'ieee80211w' value '2'");
config_dict =
build_supplicant_config(connection,
1500,

30
src/libnm-core-impl/nm-setting-wireless-security.c
View file

@ -1117,6 +1117,22 @@ verify(NMSetting *setting, NMConnection *connection, GError **error)
return FALSE;
}
if (NM_IN_STRSET(priv->key_mgmt, "owe", "sae", "wpa-eap-suite-b-192")
&& !NM_IN_SET(priv->pmf,
NM_SETTING_WIRELESS_SECURITY_PMF_DEFAULT,
NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED)) {
g_set_error(error,
NM_CONNECTION_ERROR,
NM_CONNECTION_ERROR_INVALID_PROPERTY,
_("pmf can only be 'default' or 'required' when using 'owe', 'sae' or "
"'wpa-eap-suite-b-192' key management"));
g_prefix_error(error,
"%s.%s: ",
NM_SETTING_WIRELESS_SECURITY_SETTING_NAME,
NM_SETTING_WIRELESS_SECURITY_PMF);
return FALSE;
}
if (!_nm_utils_wps_method_validate(priv->wps_method,
NM_SETTING_WIRELESS_SECURITY_SETTING_NAME,
NM_SETTING_WIRELESS_SECURITY_WPS_METHOD,
@ -1498,17 +1514,19 @@ nm_setting_wireless_security_class_init(NMSettingWirelessSecurityClass *klass)
/**
* NMSettingWirelessSecurity:key-mgmt:
*
* Key management used for the connection. One of "none" (WEP),
* "ieee8021x" (Dynamic WEP), "wpa-psk" (infrastructure WPA-PSK), "sae"
* (SAE), "owe" (Opportunistic Wireless Encryption), "wpa-eap"
* (WPA-Enterprise) or "wpa-eap-suite-b-192" (WPA3-Enterprise Suite B).
* Key management used for the connection. One of "none" (WEP or no
* password protection), "ieee8021x" (Dynamic WEP), "owe" (Opportunistic
* Wireless Encryption), "wpa-psk" (WPA2 + WPA3 personal), "sae" (WPA3
* personal only), "wpa-eap" (WPA2 + WPA3 enterprise) or
* "wpa-eap-suite-b-192" (WPA3 enterprise only).
*
* This property must be set for any Wi-Fi connection that uses security.
**/
/* ---ifcfg-rh---
* property: key-mgmt
* variable: KEY_MGMT(+)
* values: IEEE8021X, WPA-PSK, WPA-EAP, WPA-EAP-SUITE-B-192
* description: Key management menthod.
* values: none, ieee8021x, owe, wpa-psk, sae, wpa-eap, wpa-eap-suite-b-192
* description: Key management method.
* ---end---
*/
obj_properties[PROP_KEY_MGMT] =

2
src/libnmc-setting/settings-docs.h.in
View file

@ -25,7 +25,7 @@
#define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_AUTH_ALG N_("When WEP is used (ie, key-mgmt = \"none\" or \"ieee8021x\") indicate the 802.11 authentication algorithm required by the AP here. One of \"open\" for Open System, \"shared\" for Shared Key, or \"leap\" for Cisco LEAP. When using Cisco LEAP (ie, key-mgmt = \"ieee8021x\" and auth-alg = \"leap\") the \"leap-username\" and \"leap-password\" properties must be specified.")
#define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_FILS N_("Indicates whether Fast Initial Link Setup (802.11ai) must be enabled for the connection. One of NM_SETTING_WIRELESS_SECURITY_FILS_DEFAULT (0) (use global default value), NM_SETTING_WIRELESS_SECURITY_FILS_DISABLE (1) (disable FILS), NM_SETTING_WIRELESS_SECURITY_FILS_OPTIONAL (2) (enable FILS if the supplicant and the access point support it) or NM_SETTING_WIRELESS_SECURITY_FILS_REQUIRED (3) (enable FILS and fail if not supported). When set to NM_SETTING_WIRELESS_SECURITY_FILS_DEFAULT (0) and no global default is set, FILS will be optionally enabled.")
#define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_GROUP N_("A list of group/broadcast encryption algorithms which prevents connections to Wi-Fi networks that do not utilize one of the algorithms in the list. For maximum compatibility leave this property empty. Each list element may be one of \"wep40\", \"wep104\", \"tkip\", or \"ccmp\".")
#define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_KEY_MGMT N_("Key management used for the connection. One of \"none\" (WEP), \"ieee8021x\" (Dynamic WEP), \"wpa-psk\" (infrastructure WPA-PSK), \"sae\" (SAE), \"owe\" (Opportunistic Wireless Encryption), \"wpa-eap\" (WPA-Enterprise) or \"wpa-eap-suite-b-192\" (WPA3-Enterprise Suite B). This property must be set for any Wi-Fi connection that uses security.")
#define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_KEY_MGMT N_("Key management used for the connection. One of \"none\" (WEP or no password protection), \"ieee8021x\" (Dynamic WEP), \"owe\" (Opportunistic Wireless Encryption), \"wpa-psk\" (WPA2 + WPA3 personal), \"sae\" (WPA3 personal only), \"wpa-eap\" (WPA2 + WPA3 enterprise) or \"wpa-eap-suite-b-192\" (WPA3 enterprise only). This property must be set for any Wi-Fi connection that uses security.")
#define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_LEAP_PASSWORD N_("The login password for legacy LEAP connections (ie, key-mgmt = \"ieee8021x\" and auth-alg = \"leap\").")
#define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_LEAP_PASSWORD_FLAGS N_("Flags indicating how to handle the \"leap-password\" property.")
#define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_LEAP_USERNAME N_("The login username for legacy LEAP connections (ie, key-mgmt = \"ieee8021x\" and auth-alg = \"leap\").")

2
src/nmcli/generate-docs-nm-settings-nmcli.xml.in
View file

@ -63,7 +63,7 @@
<setting name="802-11-wireless-security"
alias="wifi-sec" >
<property name="key-mgmt"
description="Key management used for the connection. One of &quot;none&quot; (WEP), &quot;ieee8021x&quot; (Dynamic WEP), &quot;wpa-psk&quot; (infrastructure WPA-PSK), &quot;sae&quot; (SAE), &quot;owe&quot; (Opportunistic Wireless Encryption), &quot;wpa-eap&quot; (WPA-Enterprise) or &quot;wpa-eap-suite-b-192&quot; (WPA3-Enterprise Suite B). This property must be set for any Wi-Fi connection that uses security." />
description="Key management used for the connection. One of &quot;none&quot; (WEP or no password protection), &quot;ieee8021x&quot; (Dynamic WEP), &quot;owe&quot; (Opportunistic Wireless Encryption), &quot;wpa-psk&quot; (WPA2 + WPA3 personal), &quot;sae&quot; (WPA3 personal only), &quot;wpa-eap&quot; (WPA2 + WPA3 enterprise) or &quot;wpa-eap-suite-b-192&quot; (WPA3 enterprise only). This property must be set for any Wi-Fi connection that uses security." />
<property name="wep-tx-keyidx"
description="When static WEP is used (ie, key-mgmt = &quot;none&quot;) and a non-default WEP key index is used by the AP, put that WEP key index here. Valid values are 0 (default key) through 3. Note that some consumer access points (like the Linksys WRT54G) number the keys 1 - 4." />
<property name="auth-alg"