From 9cedbfc8ad01bb43cc32ab5fb96ab8c40fd51b44 Mon Sep 17 00:00:00 2001
From: Matthias Kurz
Date: Thu, 23 Apr 2026 09:04:43 +0200
Subject: [PATCH] wifi: iwd: Reuse stored agent-owned PSK secrets
When activating a known PSK network, the iwd backend requested new secrets whenever the connection had a timestamp. That is appropriate when iwd asks again after a failed attempt, but it also affects PSKs stored as agent-owned secrets. For agent-owned PSKs, NetworkManager intentionally does not mirror the secret into the iwd profile. The secret may only be available from a secret agent, for example from Secret Service. Forcing REQUEST_NEW makes the agent prompt instead of returning the stored value, causing activation to fail with no-secrets if the prompt is cancelled. Avoid REQUEST_NEW for saved agent-owned PSKs. This lets the secret agent return the stored PSK while keeping the PSK out of NetworkManager's system connection profile.
---
 src/core/devices/wifi/nm-device-iwd.c | 28 +++++++++++++++++++++++----
 1 file changed, 24 insertions(+), 4 deletions(-)
diff --git a/src/core/devices/wifi/nm-device-iwd.c b/src/core/devices/wifi/nm-device-iwd.c
index 94b9a7d703..d344e5ca92 100644
--- a/src/core/devices/wifi/nm-device-iwd.c
+++ b/src/core/devices/wifi/nm-device-iwd.c
@@ -1466,6 +1466,22 @@ static void wifi_secrets_get_one(NMDeviceIwd *self, const char *setting_key, GDBusMethodInvocation *invocation);
+static gboolean
+psk_uses_saved_agent_secret(NMConnection *connection)
+{
+ NMSettingWirelessSecurity *s_wireless_sec;
+ NMSettingSecretFlags psk_flags;
+
+ s_wireless_sec = nm_connection_get_setting_wireless_security(connection);
+ if (!s_wireless_sec)
+ return FALSE;
+
+ psk_flags = nm_setting_wireless_security_get_psk_flags(s_wireless_sec);
+
+ return NM_FLAGS_HAS(psk_flags, NM_SETTING_SECRET_FLAG_AGENT_OWNED) && !NM_FLAGS_HAS(psk_flags, NM_SETTING_SECRET_FLAG_NOT_SAVED);
+}
+
 static void
 wifi_secrets_cb(NMActRequest *req,
 NMActRequestGetSecretsCallId *call_id,
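Review bot: `psk_uses_saved_agent_secret` carries no comment, and the exclusion of `NM_SETTING_SECRET_FLAG_NOT_SAVED` is the part a reader will stumble on, since both flags keep the PSK out of NetworkManager's own profile and only the NOT_SAVED one implies the agent holds nothing it could return. A short header comment would settle it: `/* TRUE when the PSK is agent-owned and not flagged NOT_SAVED, i.e. a secret agent may hold a persisted value; callers then skip REQUEST_NEW so that value is returned instead of prompting. */`. The word "saved" in the name also reads as if it referred to NetworkManager's profile rather than the agent's storage, so either the comment or a name such as `psk_agent_may_have_stored_it` should make the subject explicit.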
@@ -1520,7 +1536,8 @@ wifi_secrets_cb(NMActRequest *req,
 if (nm_wifi_connection_get_iwd_ssid_and_security(connection, NULL, &security)
 && security == NM_IWD_NETWORK_SECURITY_PSK) {
- if (nm_settings_connection_get_timestamp(nm_device_get_settings_connection(device), NULL))
+ if (nm_settings_connection_get_timestamp(nm_device_get_settings_connection(device), NULL)
+ && !psk_uses_saved_agent_secret(connection))
 get_secret_flags |= NM_SECRET_AGENT_GET_SECRETS_FLAG_REQUEST_NEW;
 }
@@ -3395,8 +3412,10 @@ nm_device_iwd_agent_query(NMDeviceIwd *self, GDBusMethodInvocation *invocation)
 * fresh value. It doesn't know about agent-owned secrets so whenever
 * possible, the PSK is saved and not asked from NM. However if this
 * is a new connection it may include all of the needed settings already
- * so allow using these, too. Connection timestamp is set after
- * activation or after first activation failure (to 0).
+ * so allow using these, too. Also allow using stored agent-owned secrets:
+ * they are intentionally not mirrored to IWD, and requesting a new secret
+ * would bypass the agent's persistent storage. Connection timestamp is set
+ * after activation or after first activation failure (to 0).
 *
 * For 802.1x, since IWD assumes the network is pre-provisioned by an
 * admin and tested, there's no reason for IWD to save secrets in
@@ -3410,7 +3429,8 @@ nm_device_iwd_agent_query(NMDeviceIwd *self, GDBusMethodInvocation *invocation)
 if (nm_wifi_connection_get_iwd_ssid_and_security(connection, NULL, &security)
 && security == NM_IWD_NETWORK_SECURITY_PSK) {
- if (nm_settings_connection_get_timestamp(nm_device_get_settings_connection(device), NULL))
+ if (nm_settings_connection_get_timestamp(nm_device_get_settings_connection(device), NULL)
+ && !psk_uses_saved_agent_secret(connection))
 get_secret_flags |= NM_SECRET_AGENT_GET_SECRETS_FLAG_REQUEST_NEW;
 else
 allow_existing = TRUE;
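Review bot: Dropping REQUEST_NEW for every saved agent-owned PSK also drops it in the one case the commit message says it is appropriate for, IWD asking again after a failed attempt; the timestamp test is the only signal of a prior failure here, so a stale or mistyped PSK held by the agent is handed back unchanged on each retry and the user is never prompted to correct it. The same applies to the last hunk in `nm_device_iwd_agent_query`, which shares this condition. If the "(to 0)" case described in the comment hunk is observable through the out-parameter, keeping REQUEST_NEW for it would narrow the regression to connections that have never succeeded: `guint64 ts;` … `if (nm_settings_connection_get_timestamp(nm_device_get_settings_connection(device), &ts) && (ts == 0 || !psk_uses_saved_agent_secret(connection)))`. Otherwise a per-activation "already supplied once" flag consulted in both places would be the more precise condition than the timestamp. wifi_secrets_cb begins and ends outside this hunk, so whether the callback can re-enter this path after IWD rejects the PSK cannot be confirmed from here.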