From ba299d0d0c89eb1ae3996f98a0b23ebc8cf010a1 Mon Sep 17 00:00:00 2001 From: David Bauer Date: Sun, 17 Nov 2019 22:15:38 +0100 Subject: [PATCH 01/12] libnm-core: add OWE support flag --- libnm-core/nm-dbus-interface.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libnm-core/nm-dbus-interface.h b/libnm-core/nm-dbus-interface.h index 35f2335f56..6f7bf4c95f 100644 --- a/libnm-core/nm-dbus-interface.h +++ b/libnm-core/nm-dbus-interface.h @@ -342,6 +342,8 @@ typedef enum { /*< underscore_name=nm_802_11_ap_flags, flags >*/ * is supported * @NM_802_11_AP_SEC_KEY_MGMT_SAE: WPA/RSN Simultaneous Authentication of Equals is * supported + * @NM_802_11_AP_SEC_KEY_MGMT_OWE: WPA/RSN Opportunistic Wireless Encryption is + * supported * * 802.11 access point security and authentication flags. These flags describe * the current security requirements of an access point as determined from the @@ -360,6 +362,7 @@ typedef enum { /*< underscore_name=nm_802_11_ap_security_flags, flags >*/ NM_802_11_AP_SEC_KEY_MGMT_PSK = 0x00000100, NM_802_11_AP_SEC_KEY_MGMT_802_1X = 0x00000200, NM_802_11_AP_SEC_KEY_MGMT_SAE = 0x00000400, + NM_802_11_AP_SEC_KEY_MGMT_OWE = 0x00000800, } NM80211ApSecurityFlags; /** From 1bae844facb34fb14e8ec57318854af1fdcfc79f Mon Sep 17 00:00:00 2001 From: David Bauer Date: Sun, 17 Nov 2019 22:16:33 +0100 Subject: [PATCH 02/12] wifi/ap: expose OWE capability --- src/devices/wifi/nm-wifi-ap.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/devices/wifi/nm-wifi-ap.c b/src/devices/wifi/nm-wifi-ap.c index ee7dc2360e..b4e07ff9be 100644 --- a/src/devices/wifi/nm-wifi-ap.c +++ b/src/devices/wifi/nm-wifi-ap.c @@ -422,6 +422,8 @@ security_from_vardict (GVariant *security) flags |= NM_802_11_AP_SEC_KEY_MGMT_802_1X; if (g_strv_contains (array, "sae")) flags |= NM_802_11_AP_SEC_KEY_MGMT_SAE; + if (g_strv_contains (array, "owe")) + flags |= NM_802_11_AP_SEC_KEY_MGMT_OWE; g_free (array); } 
@@ -1394,7 +1396,8 @@ nm_wifi_ap_class_init (NMWifiAPClass *ap_class) | NM_802_11_AP_SEC_GROUP_CCMP \ | NM_802_11_AP_SEC_KEY_MGMT_PSK \ | NM_802_11_AP_SEC_KEY_MGMT_802_1X \ - | NM_802_11_AP_SEC_KEY_MGMT_SAE ) + | NM_802_11_AP_SEC_KEY_MGMT_SAE \ + | NM_802_11_AP_SEC_KEY_MGMT_OWE ) GObjectClass *object_class = G_OBJECT_CLASS (ap_class); NMDBusObjectClass *dbus_object_class = NM_DBUS_OBJECT_CLASS (ap_class); From 85c4a757ada39ccbd705ab76723511716d41aa0e Mon Sep 17 00:00:00 2001 From: David Bauer Date: Sun, 17 Nov 2019 22:17:56 +0100 Subject: [PATCH 03/12] libnm-core/setting-wireless-security: add support for OWE key-management --- clients/common/settings-docs.h.in | 2 +- libnm-core/nm-setting-wireless-security.c | 10 ++++++---- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/clients/common/settings-docs.h.in b/clients/common/settings-docs.h.in index f696ca826c..616b0c15d4 100644 --- a/clients/common/settings-docs.h.in +++ b/clients/common/settings-docs.h.in 
@@ -24,7 +24,7 @@ #define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_AUTH_ALG N_("When WEP is used (ie, key-mgmt = \"none\" or \"ieee8021x\") indicate the 802.11 authentication algorithm required by the AP here. One of \"open\" for Open System, \"shared\" for Shared Key, or \"leap\" for Cisco LEAP. When using Cisco LEAP (ie, key-mgmt = \"ieee8021x\" and auth-alg = \"leap\") the \"leap-username\" and \"leap-password\" properties must be specified.") #define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_FILS N_("Indicates whether Fast Initial Link Setup (802.11ai) must be enabled for the connection. One of NM_SETTING_WIRELESS_SECURITY_FILS_DEFAULT (0) (use global default value), NM_SETTING_WIRELESS_SECURITY_FILS_DISABLE (1) (disable FILS), NM_SETTING_WIRELESS_SECURITY_FILS_OPTIONAL (2) (enable FILS if the supplicant and the access point support it) or NM_SETTING_WIRELESS_SECURITY_FILS_REQUIRED (3) (enable FILS and fail if not supported). When set to NM_SETTING_WIRELESS_SECURITY_FILS_DEFAULT (0) and no global default is set, FILS will be optionally enabled.") #define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_GROUP N_("A list of group/broadcast encryption algorithms which prevents connections to Wi-Fi networks that do not utilize one of the algorithms in the list. For maximum compatibility leave this property empty. Each list element may be one of \"wep40\", \"wep104\", \"tkip\", or \"ccmp\".") -#define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_KEY_MGMT N_("Key management used for the connection. One of \"none\" (WEP), \"ieee8021x\" (Dynamic WEP), \"wpa-psk\" (infrastructure WPA-PSK), \"sae\" (SAE) or \"wpa-eap\" (WPA-Enterprise). This property must be set for any Wi-Fi connection that uses security.") +#define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_KEY_MGMT N_("Key management used for the connection. 
One of \"none\" (WEP), \"ieee8021x\" (Dynamic WEP), \"wpa-psk\" (infrastructure WPA-PSK), \"sae\" (SAE), \"owe\" (Opportunistic Wireless Encryption) or \"wpa-eap\" (WPA-Enterprise). This property must be set for any Wi-Fi connection that uses security.") #define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_LEAP_PASSWORD N_("The login password for legacy LEAP connections (ie, key-mgmt = \"ieee8021x\" and auth-alg = \"leap\").") #define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_LEAP_PASSWORD_FLAGS N_("Flags indicating how to handle the \"leap-password\" property.") #define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_LEAP_USERNAME N_("The login username for legacy LEAP connections (ie, key-mgmt = \"ieee8021x\" and auth-alg = \"leap\").") diff --git a/libnm-core/nm-setting-wireless-security.c b/libnm-core/nm-setting-wireless-security.c index a634546ded..b0b96f9957 100644 --- a/libnm-core/nm-setting-wireless-security.c +++ b/libnm-core/nm-setting-wireless-security.c @@ -865,7 +865,8 @@ need_secrets (NMSetting *setting) } if ( (strcmp (priv->key_mgmt, "ieee8021x") == 0) - || (strcmp (priv->key_mgmt, "wpa-eap") == 0)) { + || (strcmp (priv->key_mgmt, "wpa-eap") == 0) + || (strcmp (priv->key_mgmt, "owe") == 0)) { /* Let caller check the 802.1x setting for secrets */ goto no_secrets; } @@ -884,7 +885,7 @@ verify (NMSetting *setting, NMConnection *connection, GError **error) { NMSettingWirelessSecurity *self = NM_SETTING_WIRELESS_SECURITY (setting); NMSettingWirelessSecurityPrivate *priv = NM_SETTING_WIRELESS_SECURITY_GET_PRIVATE (self); - const char *valid_key_mgmt[] = { "none", "ieee8021x", "wpa-psk", "wpa-eap", "sae", NULL }; + const char *valid_key_mgmt[] = { "none", "ieee8021x", "wpa-psk", "wpa-eap", "sae", "owe", NULL }; const char *valid_auth_algs[] = { "open", "shared", "leap", NULL }; const char *valid_protos[] = { "wpa", "rsn", NULL }; const char *valid_pairwise[] = { "tkip", "ccmp", NULL }; 
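Review bot: In need_secrets() the comment `/* Let caller check the 802.1x setting for secrets */` no longer describes the condition above it, which now also matches key_mgmt "owe". OWE carries no 802.1x setting and no secret of any kind, so a reader could wrongly conclude that an 802.1x setting is expected for it. I would reword the comment to `/* 802.1x secrets are checked by the caller; OWE has no secrets at all */`, or give OWE its own early `goto no_secrets;` with a one-line comment. The body of need_secrets() starts and ends outside this hunk.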
@@ -1054,7 +1055,7 @@ verify (NMSetting *setting, NMConnection *connection, GError **error) if ( NM_IN_SET (priv->pmf, NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL, NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED) - && !NM_IN_STRSET (priv->key_mgmt, "wpa-eap", "wpa-psk", "sae")) { + && !NM_IN_STRSET (priv->key_mgmt, "wpa-eap", "wpa-psk", "sae", "owe")) { g_set_error (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_INVALID_PROPERTY, @@ -1429,7 +1430,8 @@ nm_setting_wireless_security_class_init (NMSettingWirelessSecurityClass *klass) * * Key management used for the connection. One of "none" (WEP), * "ieee8021x" (Dynamic WEP), "wpa-psk" (infrastructure WPA-PSK), "sae" - * (SAE) or "wpa-eap" (WPA-Enterprise). This property must be set for + * (SAE), "owe" (Opportunistic Wireless Encryption) or "wpa-eap" + * (WPA-Enterprise). This property must be set for * any Wi-Fi connection that uses security. **/ /* ---ifcfg-rh--- From 1e55eff49872d65a75b4923c2fb4d13a5f2d9bd4 Mon Sep 17 00:00:00 2001 From: David Bauer Date: Sun, 17 Nov 2019 22:19:44 +0100 Subject: [PATCH 04/12] supplicant: add support for OWE key management --- src/supplicant/nm-supplicant-config.c | 7 ++++--- src/supplicant/nm-supplicant-settings-verify.c | 2 +- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/src/supplicant/nm-supplicant-config.c b/src/supplicant/nm-supplicant-config.c index dec4556d1c..8b9c0ceb40 100644 --- a/src/supplicant/nm-supplicant-config.c +++ b/src/supplicant/nm-supplicant-config.c @@ -867,8 +867,8 @@ nm_supplicant_config_add_setting_wireless_security (NMSupplicantConfig *self, } } - /* Don't try to enable PMF on non-WPA/SAE networks */ - if (!NM_IN_STRSET (key_mgmt, "wpa-eap", "wpa-psk", "sae")) + /* Don't try to enable PMF on non-WPA/SAE/OWE networks */ + if (!NM_IN_STRSET (key_mgmt, "wpa-eap", "wpa-psk", "sae", "owe")) pmf = NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE; /* Check if we actually support PMF */ 
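Review bot: Nothing in the visible hunks makes protected management frames mandatory for "owe": verify() only adds it to the set of key-mgmt values allowed with PMF optional or required, and nm_supplicant_config_add_setting_wireless_security() only stops forcing `NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE` for it. As far as I know Wi-Fi Enhanced Open requires PMF, so a profile with key-mgmt=owe and pmf set to disable (or left at a default that resolves to disabled) appears to pass validation and reach the supplicant without it; this should be confirmed against the spec and the supplicant's behaviour. If so, the supplicant side could pin it with `if (nm_streq (key_mgmt, "owe")) pmf = NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED;` before the "Check if we actually support PMF" step, and verify() could reject the disable value for "owe". Both functions extend beyond the hunks shown.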
@@ -885,7 +885,8 @@ nm_supplicant_config_add_setting_wireless_security (NMSupplicantConfig *self, /* Only WPA-specific things when using WPA */ if ( !strcmp (key_mgmt, "wpa-psk") || !strcmp (key_mgmt, "wpa-eap") - || !strcmp (key_mgmt, "sae")) { + || !strcmp (key_mgmt, "sae") + || !strcmp (key_mgmt, "owe")) { if (!ADD_STRING_LIST_VAL (self, setting, wireless_security, proto, protos, "proto", ' ', TRUE, NULL, error)) return FALSE; if (!ADD_STRING_LIST_VAL (self, setting, wireless_security, pairwise, pairwise, "pairwise", ' ', TRUE, NULL, error)) diff --git a/src/supplicant/nm-supplicant-settings-verify.c b/src/supplicant/nm-supplicant-settings-verify.c index bea17ede24..20287b8ca6 100644 --- a/src/supplicant/nm-supplicant-settings-verify.c +++ b/src/supplicant/nm-supplicant-settings-verify.c @@ -56,7 +56,7 @@ static const char *const key_mgmt_allowed[] = { "WPA-PSK", "WPA-PSK-SHA256", "FT "WPA-EAP", "WPA-EAP-SHA256", "FT-EAP", "FT-EAP-SHA384", "FILS-SHA256", "FILS-SHA384", "IEEE8021X", "SAE", "FT-SAE", - "NONE", NULL }; + "OWE", "NONE", NULL }; static const char *const auth_alg_allowed[] = { "OPEN", "SHARED", "LEAP", NULL }; static const char *const eap_allowed[] = { "LEAP", "MD5", "TLS", "PEAP", "TTLS", "SIM", "PSK", "FAST", "PWD", NULL }; From 235cb4a5d310e207d4751c651d3e672481aa30dd Mon Sep 17 00:00:00 2001 From: David Bauer Date: Sun, 17 Nov 2019 22:20:56 +0100 Subject: [PATCH 05/12] settings/ifcfg: add support for KEY_MGMT=OWE --- Makefile.am | 1 + .../plugins/ifcfg-rh/nms-ifcfg-rh-reader.c | 25 +++++++----- .../plugins/ifcfg-rh/nms-ifcfg-rh-writer.c | 4 ++ .../tests/network-scripts/ifcfg-test-wifi-owe | 5 +++ .../plugins/ifcfg-rh/tests/test-ifcfg-rh.c | 40 +++++++++++++++++++ 5 files changed, 65 insertions(+), 10 deletions(-) create mode 100644 src/settings/plugins/ifcfg-rh/tests/network-scripts/ifcfg-test-wifi-owe diff --git a/Makefile.am b/Makefile.am index 089af41726..ecacf568e6 100644 --- a/Makefile.am +++ b/Makefile.am 
@@ -3073,6 +3073,7 @@ EXTRA_DIST += \ src/settings/plugins/ifcfg-rh/tests/network-scripts/ifcfg-test-wifi-open-ssid-long-hex \ src/settings/plugins/ifcfg-rh/tests/network-scripts/ifcfg-test-wifi-open-ssid-long-quoted \ src/settings/plugins/ifcfg-rh/tests/network-scripts/ifcfg-test-wifi-open-ssid-quoted \ + src/settings/plugins/ifcfg-rh/tests/network-scripts/ifcfg-test-wifi-owe \ src/settings/plugins/ifcfg-rh/tests/network-scripts/ifcfg-test-wifi-sae \ src/settings/plugins/ifcfg-rh/tests/network-scripts/ifcfg-test-wifi-wep \ src/settings/plugins/ifcfg-rh/tests/network-scripts/ifcfg-test-wifi-wep-104-ascii \ diff --git a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c index a1d3236e9b..8fc72822de 100644 --- a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c +++ b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c @@ -3643,7 +3643,7 @@ make_wpa_setting (shvarFile *ifcfg, gs_unref_object NMSettingWirelessSecurity *wsec = NULL; gs_free char *value = NULL; const char *v; - gboolean wpa_psk = FALSE, wpa_sae = FALSE, wpa_eap = FALSE, ieee8021x = FALSE; + gboolean wpa_psk = FALSE, wpa_sae = FALSE, wpa_owe = FALSE, wpa_eap = FALSE, ieee8021x = FALSE; int i_val; GError *local = NULL; @@ -3652,10 +3652,12 @@ make_wpa_setting (shvarFile *ifcfg, v = svGetValueStr (ifcfg, "KEY_MGMT", &value); wpa_psk = nm_streq0 (v, "WPA-PSK"); wpa_sae = nm_streq0 (v, "SAE"); + wpa_owe = nm_streq0 (v, "OWE"); wpa_eap = nm_streq0 (v, "WPA-EAP"); ieee8021x = nm_streq0 (v, "IEEE8021X"); if ( !wpa_psk && !wpa_sae + && !wpa_owe && !wpa_eap && !ieee8021x) return NULL; /* Not WPA or Dynamic WEP */ @@ -3671,7 +3673,7 @@ make_wpa_setting (shvarFile *ifcfg, NULL); /* Pairwise and Group ciphers (only relevant for WPA/RSN) */ - if (wpa_psk || wpa_sae || wpa_eap) { + if (wpa_psk || wpa_sae || wpa_owe || wpa_eap) { fill_wpa_ciphers (ifcfg, wsec, FALSE, adhoc); fill_wpa_ciphers (ifcfg, wsec, TRUE, adhoc); } 
@@ -3720,7 +3722,7 @@ make_wpa_setting (shvarFile *ifcfg, g_object_set (wsec, NM_SETTING_WIRELESS_SECURITY_KEY_MGMT, "sae", NULL); } } else { - nm_assert (wpa_eap || ieee8021x); + nm_assert (wpa_eap || ieee8021x || wpa_owe); /* Adhoc mode is mutually exclusive with any 802.1x-based authentication */ if (adhoc) { @@ -3729,14 +3731,17 @@ make_wpa_setting (shvarFile *ifcfg, return NULL; } - *s_8021x = fill_8021x (ifcfg, file, v, TRUE, error); - if (!*s_8021x) - return NULL; + if (wpa_owe) { + g_object_set (wsec, NM_SETTING_WIRELESS_SECURITY_KEY_MGMT, "owe", NULL); + } else { + *s_8021x = fill_8021x (ifcfg, file, v, TRUE, error); + if (!*s_8021x) + return NULL; - { - gs_free char *lower = g_ascii_strdown (v, -1); - - g_object_set (wsec, NM_SETTING_WIRELESS_SECURITY_KEY_MGMT, lower, NULL); + { + gs_free char *lower = g_ascii_strdown (v, -1); + g_object_set (wsec, NM_SETTING_WIRELESS_SECURITY_KEY_MGMT, lower, NULL); + } } } diff --git a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c index d33845c28c..415242512e 100644 --- a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c +++ b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c @@ -583,6 +583,10 @@ write_wireless_security_setting (NMConnection *connection, svSetValueStr (ifcfg, "KEY_MGMT", "SAE"); wpa = TRUE; *no_8021x = TRUE; + } else if (!strcmp (key_mgmt, "owe")) { + svSetValueStr (ifcfg, "KEY_MGMT", "OWE"); + wpa = FALSE; + *no_8021x = TRUE; } else if (!strcmp (key_mgmt, "ieee8021x")) { svSetValueStr (ifcfg, "KEY_MGMT", "IEEE8021X"); dynamic_wep = TRUE; diff --git a/src/settings/plugins/ifcfg-rh/tests/network-scripts/ifcfg-test-wifi-owe b/src/settings/plugins/ifcfg-rh/tests/network-scripts/ifcfg-test-wifi-owe new file mode 100644 index 0000000000..354046ad08 --- /dev/null +++ b/src/settings/plugins/ifcfg-rh/tests/network-scripts/ifcfg-test-wifi-owe @@ -0,0 +1,5 @@ +TYPE=Wireless +DEVICE=wlan1 +ESSID=blahblah_owe +MODE=Managed +KEY_MGMT=OWE 
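Review bot: In make_wpa_setting() OWE is routed through the branch written for 802.1x, so the comment `/* Adhoc mode is mutually exclusive with any 802.1x-based authentication */` and the error returned under it now also apply to a key management that involves no 802.1x. Rejecting ad-hoc for OWE matches what nm_utils_security_valid() does later in this series, but the wording will mislead anyone debugging an OWE profile. I would either give OWE its own `else if (wpa_owe)` arm next to the SAE one, or at least change the comment to `/* Adhoc mode is mutually exclusive with 802.1x-based authentication and with OWE */`. The start of the if/else chain and the error text are outside these hunks.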
diff --git a/src/settings/plugins/ifcfg-rh/tests/test-ifcfg-rh.c b/src/settings/plugins/ifcfg-rh/tests/test-ifcfg-rh.c index 675421d3c8..74f8afc907 100644 --- a/src/settings/plugins/ifcfg-rh/tests/test-ifcfg-rh.c +++ b/src/settings/plugins/ifcfg-rh/tests/test-ifcfg-rh.c @@ -3034,6 +3034,45 @@ test_read_wifi_sae (void) g_assert (!nm_setting_wireless_security_get_auth_alg (s_wsec)); } +static void +test_read_wifi_owe (void) +{ + gs_unref_object NMConnection *connection = NULL; + NMSettingConnection *s_con; + NMSettingWireless *s_wireless; + NMSettingWirelessSecurity *s_wsec; + GBytes *ssid; + const char *expected_ssid = "blahblah_owe"; + + connection = _connection_from_file (TEST_IFCFG_DIR"/ifcfg-test-wifi-owe", + NULL, TYPE_WIRELESS, NULL); + + s_con = nm_connection_get_setting_connection (connection); + g_assert (s_con); + g_assert_cmpstr (nm_setting_connection_get_id (s_con), ==, "System blahblah_owe (test-wifi-owe)"); + + g_assert_cmpint (nm_setting_connection_get_timestamp (s_con), ==, 0); + g_assert (nm_setting_connection_get_autoconnect (s_con)); + + s_wireless = nm_connection_get_setting_wireless (connection); + g_assert (s_wireless); + + g_assert_cmpint (nm_setting_wireless_get_mtu (s_wireless), ==, 0); + + ssid = nm_setting_wireless_get_ssid (s_wireless); + g_assert (ssid); + g_assert_cmpmem (g_bytes_get_data (ssid, NULL), g_bytes_get_size (ssid), expected_ssid, strlen (expected_ssid)); + + g_assert (!nm_setting_wireless_get_bssid (s_wireless)); + g_assert_cmpstr (nm_setting_wireless_get_mode (s_wireless), ==, "infrastructure"); + + s_wsec = nm_connection_get_setting_wireless_security (connection); + g_assert (s_wsec); + g_assert_cmpstr (nm_setting_wireless_security_get_key_mgmt (s_wsec), ==, "owe"); + g_assert (!nm_setting_wireless_security_get_psk (s_wsec)); + g_assert (!nm_setting_wireless_security_get_auth_alg (s_wsec)); +} + static void test_read_wifi_wpa_psk_2 (void) { 
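Review bot: test_read_wifi_owe() exercises only the reader, so the `owe` arm added to write_wireless_security_setting() in this same commit has no coverage; a write-then-reread test for an OWE connection would catch a mismatch between the two. The read test also never checks that no 802.1x setting was produced, which matters because the reader handles OWE inside the branch that normally calls fill_8021x(); adding `g_assert (!nm_connection_get_setting_802_1x (connection));` after the key-mgmt assertion would pin that. A short comment above the function saying that OWE is expected to yield neither a PSK nor an auth-alg would explain the last two assertions.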
@@ -10322,6 +10361,7 @@ int main (int argc, char **argv) g_test_add_func (TPATH "wifi/read/wpa-psk/adhoc", test_read_wifi_wpa_psk_adhoc); g_test_add_func (TPATH "wifi/read/wpa-psk/hex", test_read_wifi_wpa_psk_hex); g_test_add_func (TPATH "wifi/read/sae", test_read_wifi_sae); + g_test_add_func (TPATH "wifi/read/owe", test_read_wifi_owe); g_test_add_func (TPATH "wifi/read/dynamic-wep/leap", test_read_wifi_dynamic_wep_leap); g_test_add_func (TPATH "wifi/read/wpa/eap/tls", test_read_wifi_wpa_eap_tls); g_test_add_func (TPATH "wifi/read/wpa/eap/ttls/tls", test_read_wifi_wpa_eap_ttls_tls); From 9a2bbbbc7afa3cf30ebf12430fd17a81b77889e0 Mon Sep 17 00:00:00 2001 From: David Bauer Date: Sun, 17 Nov 2019 22:21:33 +0100 Subject: [PATCH 06/12] wifi/utils: complete key-mgmt=owe for OWE capable APs --- src/devices/wifi/nm-wifi-utils.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/devices/wifi/nm-wifi-utils.c b/src/devices/wifi/nm-wifi-utils.c index b9b7ec42e5..7cb5f85bdd 100644 --- a/src/devices/wifi/nm-wifi-utils.c +++ b/src/devices/wifi/nm-wifi-utils.c @@ -759,6 +759,12 @@ nm_wifi_utils_complete_connection (GBytes *ap_ssid, NM_SETTING_WIRELESS_SECURITY_KEY_MGMT, "sae", NM_SETTING_WIRELESS_SECURITY_AUTH_ALG, "open", NULL); + } else if ( (key_mgmt && !strcmp (key_mgmt, "owe")) + || (ap_rsn_flags & NM_802_11_AP_SEC_KEY_MGMT_OWE)) { + g_object_set (s_wsec, + NM_SETTING_WIRELESS_SECURITY_KEY_MGMT, "owe", + NM_SETTING_WIRELESS_SECURITY_AUTH_ALG, "open", + NULL); } else if ( (key_mgmt && !strcmp (key_mgmt, "wpa-psk")) || (ap_wpa_flags & NM_802_11_AP_SEC_KEY_MGMT_PSK) || (ap_rsn_flags & NM_802_11_AP_SEC_KEY_MGMT_PSK)) { From 046f6f7227142f2fbf614bef28170e25c30043f8 Mon Sep 17 00:00:00 2001 From: David Bauer Date: Sun, 17 Nov 2019 22:22:03 +0100 Subject: [PATCH 07/12] clients/meta-setting-desc: allow setting wifi-sec.key-mgmt to OWE --- clients/common/nm-meta-setting-desc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
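Review bot: In nm_wifi_utils_complete_connection() the new OWE arm is placed ahead of the "wpa-psk" arm and fires on the AP flag alone, `(ap_rsn_flags & NM_802_11_AP_SEC_KEY_MGMT_OWE)`. A profile that explicitly asks for key_mgmt "wpa-psk" would therefore be rewritten to "owe" whenever the scanned AP also advertises OWE. OWE encrypts but does not authenticate the network, so this silently drops the authentication the user asked for. I would let the AP flag decide only when the profile has no preference, e.g. `|| (!key_mgmt && (ap_rsn_flags & NM_802_11_AP_SEC_KEY_MGMT_OWE))`, or move the arm below the PSK one. The chain starts outside this hunk, so an earlier check may already rule this out; worth confirming.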
diff --git a/clients/common/nm-meta-setting-desc.c b/clients/common/nm-meta-setting-desc.c index 8e05c9bc5d..d28efa0753 100644 --- a/clients/common/nm-meta-setting-desc.c +++ b/clients/common/nm-meta-setting-desc.c @@ -7325,7 +7325,7 @@ static const NMMetaPropertyInfo *const property_infos_WIRELESS_SECURITY[] = { PROPERTY_INFO_WITH_DESC (NM_SETTING_WIRELESS_SECURITY_KEY_MGMT, .property_type = &_pt_gobject_string, .property_typ_data = DEFINE_PROPERTY_TYP_DATA ( - .values_static = NM_MAKE_STRV ("none", "ieee8021x", "wpa-psk", "wpa-eap", "sae"), + .values_static = NM_MAKE_STRV ("none", "ieee8021x", "wpa-psk", "wpa-eap", "sae", "owe"), ), ), PROPERTY_INFO_WITH_DESC (NM_SETTING_WIRELESS_SECURITY_WEP_TX_KEYIDX, From f7aa5b3a3696972f70f7854195a747b6c9436e0c Mon Sep 17 00:00:00 2001 From: David Bauer Date: Sun, 17 Nov 2019 22:23:30 +0100 Subject: [PATCH 08/12] clients/secret-agent: don't require secrets for OWE connections --- clients/common/nm-secret-agent-simple.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/clients/common/nm-secret-agent-simple.c b/clients/common/nm-secret-agent-simple.c index 2bf69b20ae..ca9250ca6f 100644 --- a/clients/common/nm-secret-agent-simple.c +++ b/clients/common/nm-secret-agent-simple.c @@ -302,7 +302,7 @@ add_wireless_secrets (RequestData *request, const char *key_mgmt = nm_setting_wireless_security_get_key_mgmt (s_wsec); NMSecretAgentSimpleSecret *secret; - if (!key_mgmt) + if (!key_mgmt || nm_streq (key_mgmt, "owe")) return FALSE; if (NM_IN_STRSET (key_mgmt, "wpa-psk", "sae")) { From 977c0c23875f7275ed68ba7595d44078d151af16 Mon Sep 17 00:00:00 2001 From: David Bauer Date: Sun, 17 Nov 2019 22:24:19 +0100 Subject: [PATCH 09/12] client/cli: add support for OWE key management flag --- clients/cli/devices.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/clients/cli/devices.c b/clients/cli/devices.c index 4908d1808a..a3c3ba8dae 100644 --- a/clients/cli/devices.c +++ b/clients/cli/devices.c 
@@ -28,7 +28,7 @@ static char * ap_wpa_rsn_flags_to_string (NM80211ApSecurityFlags flags) { - char *flags_str[13]; + char *flags_str[14]; int i = 0; if (flags & NM_802_11_AP_SEC_PAIR_WEP40) @@ -53,6 +53,8 @@ ap_wpa_rsn_flags_to_string (NM80211ApSecurityFlags flags) flags_str[i++] = "802.1X"; if (flags & NM_802_11_AP_SEC_KEY_MGMT_SAE) flags_str[i++] = "sae"; + if (flags & NM_802_11_AP_SEC_KEY_MGMT_OWE) + flags_str[i++] = "owe"; /* Make sure you grow flags_str when adding items here. */ if (i == 0) @@ -1204,6 +1206,9 @@ fill_output_access_point (gpointer data, gpointer user_data) if (rsn_flags & NM_802_11_AP_SEC_KEY_MGMT_SAE) { g_string_append (security_str, "WPA3 "); } + if (rsn_flags & NM_802_11_AP_SEC_KEY_MGMT_OWE) { + g_string_append (security_str, "OWE "); + } if ( (wpa_flags & NM_802_11_AP_SEC_KEY_MGMT_802_1X) || (rsn_flags & NM_802_11_AP_SEC_KEY_MGMT_802_1X)) { g_string_append (security_str, "802.1X "); @@ -3558,8 +3563,8 @@ do_device_wifi_connect (NmCli *nmc, int argc, char **argv) /* Set password for WEP or WPA-PSK. */ if ( (ap_flags & NM_802_11_AP_FLAGS_PRIVACY) - || ap_wpa_flags != NM_802_11_AP_SEC_NONE - || ap_rsn_flags != NM_802_11_AP_SEC_NONE) { + || (ap_wpa_flags != NM_802_11_AP_SEC_NONE && !(ap_wpa_flags & NM_802_11_AP_SEC_KEY_MGMT_OWE)) + || (ap_rsn_flags != NM_802_11_AP_SEC_NONE && !(ap_rsn_flags & NM_802_11_AP_SEC_KEY_MGMT_OWE))) { const char *con_password = NULL; NMSettingWirelessSecurity *s_wsec = NULL; @@ -4231,6 +4236,9 @@ print_wifi_connection (const NmcConfig *nmc_config, NMConnection *connection) || strcmp (key_mgmt, "sae") == 0) { type = "WPA"; g_print ("%s: WPA\n", _("Security")); + } else if ( strcmp (key_mgmt, "owe") == 0) { + type = "nopass"; + g_print ("%s: OWE\n", _("Security")); } if (psk) From a8d5fef607c2a2f6259ba4c2697ac9a7f94fdc31 Mon Sep 17 00:00:00 2001 
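Review bot: In do_device_wifi_connect() the OWE exclusion was added only to the `ap_wpa_flags` and `ap_rsn_flags` clauses, while the first clause `(ap_flags & NM_802_11_AP_FLAGS_PRIVACY)` is unchanged. If an OWE BSS also advertises the privacy capability, as RSN networks usually do, the password block is still entered and the change has no effect; this needs checking against a real OWE scan result. The test also treats any flag set containing OWE as password-less, so an AP advertising OWE alongside PSK or SAE would skip the password as well. The comment `/* Set password for WEP or WPA-PSK. */` should say why OWE is excluded, for example `/* Set password for WEP or WPA-PSK; OWE networks have no password. */`.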
From: David Bauer Date: Sun, 17 Nov 2019 23:55:07 +0100 Subject: [PATCH 10/12] client/tui: add OWE support --- clients/tui/nm-editor-bindings.c | 9 +++++++++ clients/tui/nmt-page-wifi.c | 1 + 2 files changed, 10 insertions(+) diff --git a/clients/tui/nm-editor-bindings.c b/clients/tui/nm-editor-bindings.c index 00a34fbfbf..8e6c9600d7 100644 --- a/clients/tui/nm-editor-bindings.c +++ b/clients/tui/nm-editor-bindings.c @@ -595,6 +595,9 @@ get_security_type (NMEditorWirelessSecurityMethodBinding *binding) if (!strcmp (key_mgmt, "sae")) return "wpa3-personal"; + if (!strcmp (key_mgmt, "owe")) + return "owe"; + if (!strcmp (key_mgmt, "wpa-eap")) return "wpa-enterprise"; @@ -705,6 +708,12 @@ wireless_security_target_changed (GObject *object, NM_SETTING_WIRELESS_SECURITY_AUTH_ALG, NULL, NM_SETTING_WIRELESS_SECURITY_WEP_KEY_TYPE, NM_WEP_KEY_TYPE_UNKNOWN, NULL); + } else if (!strcmp (method, "owe")) { + g_object_set (binding->s_wsec, + NM_SETTING_WIRELESS_SECURITY_KEY_MGMT, "owe", + NM_SETTING_WIRELESS_SECURITY_AUTH_ALG, NULL, + NM_SETTING_WIRELESS_SECURITY_WEP_KEY_TYPE, NM_WEP_KEY_TYPE_UNKNOWN, + NULL); } else if (!strcmp (method, "wpa-enterprise")) { g_object_set (binding->s_wsec, NM_SETTING_WIRELESS_SECURITY_KEY_MGMT, "wpa-eap", diff --git a/clients/tui/nmt-page-wifi.c b/clients/tui/nmt-page-wifi.c index 2e738ac695..9494423b77 100644 --- a/clients/tui/nmt-page-wifi.c +++ b/clients/tui/nmt-page-wifi.c @@ -72,6 +72,7 @@ static NmtNewtPopupEntry wifi_security[] = { { N_("WEP 128-bit Passphrase"), "wep-passphrase" }, { N_("Dynamic WEP (802.1x)"), "dynamic-wep" }, { N_("LEAP"), "leap" }, + { N_("Enhanced Open (OWE)"), "owe" }, { NULL, NULL } }; From cb33a27f96a4c8ea6d2bda3839540058fe5a6f27 Mon Sep 17 00:00:00 2001 From: David Bauer Date: Sun, 17 Nov 2019 23:57:15 +0100 Subject: [PATCH 11/12] libnm/utils: add OWE security type --- libnm-core/nm-utils.c | 11 +++++++++++ libnm-core/nm-utils.h | 2 ++ 2 files changed, 13 insertions(+) 
diff --git a/libnm-core/nm-utils.c b/libnm-core/nm-utils.c index 4659734b6b..bb79476fa1 100644 --- a/libnm-core/nm-utils.c +++ b/libnm-core/nm-utils.c @@ -1120,6 +1120,7 @@ nm_utils_ap_mode_security_valid (NMUtilsSecurityType type, case NMU_SEC_WPA_PSK: case NMU_SEC_WPA2_PSK: case NMU_SEC_SAE: + case NMU_SEC_OWE: return TRUE; default: break; @@ -1300,6 +1301,16 @@ nm_utils_security_valid (NMUtilsSecurityType type, return FALSE; } break; + case NMU_SEC_OWE: + if (adhoc) + return FALSE; + if (!(wifi_caps & NM_WIFI_DEVICE_CAP_RSN)) + return FALSE; + if (have_ap) { + if (!(ap_rsn & NM_802_11_AP_SEC_KEY_MGMT_OWE)) + return FALSE; + } + break; default: good = FALSE; break; diff --git a/libnm-core/nm-utils.h b/libnm-core/nm-utils.h index 5418a1e69d..4cbf24abad 100644 --- a/libnm-core/nm-utils.h +++ b/libnm-core/nm-utils.h @@ -51,6 +51,7 @@ char * nm_utils_ssid_to_utf8 (const guint8 *ssid, gsize len); * @NMU_SEC_WPA2_PSK: WPA2/RSN is used with Pre-Shared Keys (PSK) * @NMU_SEC_WPA2_ENTERPRISE: WPA2 is used with 802.1x authentication * @NMU_SEC_SAE: is used with WPA3 Enterprise + * @NMU_SEC_OWE: is used with Enhanced Open * * Describes generic security mechanisms that 802.11 access points may offer. * Used with nm_utils_security_valid() for checking whether a given access @@ -67,6 +68,7 @@ typedef enum { NMU_SEC_WPA2_PSK, NMU_SEC_WPA2_ENTERPRISE, NMU_SEC_SAE, + NMU_SEC_OWE, } NMUtilsSecurityType; gboolean nm_utils_security_valid (NMUtilsSecurityType type, From fc42a74ece08958a0194ee96d94c4102dd1681a6 Mon Sep 17 00:00:00 2001 From: David Bauer Date: Sun, 17 Nov 2019 23:57:38 +0100 Subject: [PATCH 12/12] libnm-core: support OWE when determining AP compatibility --- libnm-core/nm-setting-wireless.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libnm-core/nm-setting-wireless.c b/libnm-core/nm-setting-wireless.c index 1731673f9d..373a1a3b63 100644 --- a/libnm-core/nm-setting-wireless.c +++ b/libnm-core/nm-setting-wireless.c 
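Review bot: The new doc line `@NMU_SEC_OWE: is used with Enhanced Open` in nm-utils.h has no subject and does not tell an API user what the value means for security. I would write `@NMU_SEC_OWE: Opportunistic Wireless Encryption (Wi-Fi Enhanced Open) is used; traffic is encrypted but the access point is not authenticated`. Since this extends a public enum, a version annotation in the project's usual form (`Since: <version>`) would also help callers that build against older libnm. The same applies to the `@NM_802_11_AP_SEC_KEY_MGMT_OWE` line added in nm-dbus-interface.h.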
@@ -206,7 +206,8 @@ nm_setting_wireless_ap_security_compatible (NMSettingWireless *s_wireless, /* WPA[2]-PSK and WPA[2] Enterprise */ if ( !strcmp (key_mgmt, "wpa-psk") || !strcmp (key_mgmt, "wpa-eap") - || !strcmp (key_mgmt, "sae")) { + || !strcmp (key_mgmt, "sae") + || !strcmp (key_mgmt, "owe")) { if (!strcmp (key_mgmt, "wpa-psk")) { if ( !(ap_wpa & NM_802_11_AP_SEC_KEY_MGMT_PSK) @@ -220,6 +221,10 @@ nm_setting_wireless_ap_security_compatible (NMSettingWireless *s_wireless, if ( !(ap_wpa & NM_802_11_AP_SEC_KEY_MGMT_SAE) && !(ap_rsn & NM_802_11_AP_SEC_KEY_MGMT_SAE)) return FALSE; + } else if (!strcmp (key_mgmt, "owe")) { + if ( !(ap_wpa & NM_802_11_AP_SEC_KEY_MGMT_OWE) + && !(ap_rsn & NM_802_11_AP_SEC_KEY_MGMT_OWE)) + return FALSE; } // FIXME: should handle WPA and RSN separately here to ensure that