fdo-mirrors/NetworkManager
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/NetworkManager/NetworkManager.git synced 2026-05-11 09:18:38 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

First draft of GCMP-256 and tls_suiteb support

Browse source 
- tests fail
- likely other breakages
This commit is contained in:
X Spielinbox 2026-03-18 22:08:54 +01:00
parent 5580b982ac
commit 9d7acda8fc
No known key found for this signature in database
24 changed files with 136 additions and 61 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
examples/C/glib/get-ap-info-libnm.c
View file

@ -33,6 +33,8 @@ ap_wpa_rsn_flags_to_string(guint32 flags)
flags_str[i++] = g_strdup("pair_tkip");
if (flags & NM_802_11_AP_SEC_PAIR_CCMP)
flags_str[i++] = g_strdup("pair_ccmp");
if (flags & NM_802_11_AP_SEC_PAIR_GCMP_256)
flags_str[i++] = g_strdup("pair_gcmp_256");
if (flags & NM_802_11_AP_SEC_GROUP_WEP40)
flags_str[i++] = g_strdup("group_wpe40");
if (flags & NM_802_11_AP_SEC_GROUP_WEP104)
@ -41,6 +43,8 @@ ap_wpa_rsn_flags_to_string(guint32 flags)
flags_str[i++] = g_strdup("group_tkip");
if (flags & NM_802_11_AP_SEC_GROUP_CCMP)
flags_str[i++] = g_strdup("group_ccmp");
if (flags & NM_802_11_AP_SEC_GROUP_GCMP_256)
flags_str[i++] = g_strdup("group_gcmp_256");
if (flags & NM_802_11_AP_SEC_KEY_MGMT_PSK)
flags_str[i++] = g_strdup("psk");
if (flags & NM_802_11_AP_SEC_KEY_MGMT_802_1X)

11
src/core/devices/wifi/nm-wifi-ap.c
View file

@ -466,7 +466,7 @@ add_pair_ciphers(NMWifiAP *ap, NMSettingWirelessSecurity *sec)
/* If no ciphers are specified, that means "all" WPA ciphers */
if (num == 0) {
flags |= NM_802_11_AP_SEC_PAIR_TKIP | NM_802_11_AP_SEC_PAIR_CCMP;
flags |= NM_802_11_AP_SEC_PAIR_TKIP | NM_802_11_AP_SEC_PAIR_CCMP | NM_802_11_AP_SEC_PAIR_GCMP_256;
} else {
for (i = 0; i < num; i++) {
const char *cipher = nm_setting_wireless_security_get_pairwise(sec, i);
@ -475,6 +475,8 @@ add_pair_ciphers(NMWifiAP *ap, NMSettingWirelessSecurity *sec)
flags |= NM_802_11_AP_SEC_PAIR_TKIP;
else if (!strcmp(cipher, "ccmp"))
flags |= NM_802_11_AP_SEC_PAIR_CCMP;
else if (!strcmp(cipher, "gcmp-256"))
flags |= NM_802_11_AP_SEC_PAIR_GCMP_256;
}
}
@ -494,7 +496,7 @@ add_group_ciphers(NMWifiAP *ap, NMSettingWirelessSecurity *sec)
/* If no ciphers are specified, that means "all" WPA ciphers */
if (num == 0) {
flags |= NM_802_11_AP_SEC_GROUP_TKIP | NM_802_11_AP_SEC_GROUP_CCMP;
flags |= NM_802_11_AP_SEC_GROUP_TKIP | NM_802_11_AP_SEC_GROUP_CCMP | NM_802_11_AP_SEC_GROUP_GCMP_256;
} else {
for (i = 0; i < num; i++) {
const char *cipher = nm_setting_wireless_security_get_group(sec, i);
@ -507,6 +509,8 @@ add_group_ciphers(NMWifiAP *ap, NMSettingWirelessSecurity *sec)
flags |= NM_802_11_AP_SEC_GROUP_TKIP;
else if (!strcmp(cipher, "ccmp"))
flags |= NM_802_11_AP_SEC_GROUP_CCMP;
else if (!strcmp(cipher, "gcmp-256"))
flags |= NM_802_11_AP_SEC_GROUP_GCMP_256;
}
}
@ -912,7 +916,8 @@ nm_wifi_ap_class_init(NMWifiAPClass *ap_class)
| NM_802_11_AP_SEC_GROUP_WEP104 | NM_802_11_AP_SEC_GROUP_TKIP | NM_802_11_AP_SEC_GROUP_CCMP \
| NM_802_11_AP_SEC_KEY_MGMT_PSK | NM_802_11_AP_SEC_KEY_MGMT_802_1X \
| NM_802_11_AP_SEC_KEY_MGMT_SAE | NM_802_11_AP_SEC_KEY_MGMT_OWE \
| NM_802_11_AP_SEC_KEY_MGMT_OWE_TM | NM_802_11_AP_SEC_KEY_MGMT_EAP_SUITE_B_192)
| NM_802_11_AP_SEC_KEY_MGMT_OWE_TM | NM_802_11_AP_SEC_KEY_MGMT_EAP_SUITE_B_192 \
| NM_802_11_AP_SEC_PAIR_GCMP_256 | NM_802_11_AP_SEC_GROUP_GCMP_256)
GObjectClass *object_class = G_OBJECT_CLASS(ap_class);
NMDBusObjectClass *dbus_object_class = NM_DBUS_OBJECT_CLASS(ap_class);

2
src/core/devices/wifi/nm-wifi-utils.c
View file

@ -174,7 +174,7 @@ verify_no_wpa(NMSettingWirelessSecurity *s_wsec, const char *tag, GError **error
const char *pw;
pw = nm_setting_wireless_security_get_pairwise(s_wsec, i);
if (!strcmp(pw, "tkip") || !strcmp(pw, "ccmp")) {
if (!strcmp(pw, "tkip") || !strcmp(pw, "ccmp") || !strcmp(pw, "gcmp-256")) {
g_set_error(error,
NM_CONNECTION_ERROR,
NM_CONNECTION_ERROR_INVALID_PROPERTY,

2
src/core/platform/nm-fake-platform.c
View file

@ -890,7 +890,7 @@ wifi_get_capabilities(NMPlatform *platform, int ifindex, _NMDeviceWifiCapabiliti
*caps = (_NM_WIFI_DEVICE_CAP_CIPHER_WEP40 | _NM_WIFI_DEVICE_CAP_CIPHER_WEP104
| _NM_WIFI_DEVICE_CAP_CIPHER_TKIP | _NM_WIFI_DEVICE_CAP_CIPHER_CCMP
| _NM_WIFI_DEVICE_CAP_WPA | _NM_WIFI_DEVICE_CAP_RSN | _NM_WIFI_DEVICE_CAP_AP
| _NM_WIFI_DEVICE_CAP_ADHOC);
| _NM_WIFI_DEVICE_CAP_ADHOC | _NM_WIFI_DEVICE_CAP_CIPHER_GCMP_256);
}
return TRUE;
}

5
src/core/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c
View file

@ -3513,6 +3513,11 @@ fill_wpa_ciphers(shvarFile *ifcfg, NMSettingWirelessSecurity *wsec, gboolean gro
nm_setting_wireless_security_add_group(wsec, "ccmp");
else
nm_setting_wireless_security_add_pairwise(wsec, "ccmp");
} else if (!strcmp(*iter, "GCMP-256")) {
if (group)
nm_setting_wireless_security_add_group(wsec, "gcmp-256");
else
nm_setting_wireless_security_add_pairwise(wsec, "gcmp-256");
} else if (!strcmp(*iter, "TKIP")) {
if (group)
nm_setting_wireless_security_add_group(wsec, "tkip");

4
src/core/supplicant/nm-supplicant-config.c
View file

@ -1562,6 +1562,10 @@ nm_supplicant_config_add_setting_8021x(NMSupplicantConfig *self,
g_string_append_printf(phase1, "%stls_disable_tlsv1_3=0", (phase1->len ? " " : ""));
else if (NM_FLAGS_HAS(phase1_auth_flags, NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_3_DISABLE))
g_string_append_printf(phase1, "%stls_disable_tlsv1_3=1", (phase1->len ? " " : ""));
if (NM_FLAGS_HAS(phase1_auth_flags, NM_SETTING_802_1X_AUTH_FLAGS_TLS_SUITE_B_DISABLE))
g_string_append_printf(phase1, "%stls_suiteb=0", (phase1->len ? " " : ""));
else if (NM_FLAGS_HAS(phase1_auth_flags, NM_SETTING_802_1X_AUTH_FLAGS_TLS_SUITE_B_ENABLE))
g_string_append_printf(phase1, "%stls_suiteb=1", (phase1->len ? " " : ""));
if (NM_FLAGS_HAS(phase1_auth_flags, NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_TIME_CHECKS))
g_string_append_printf(phase1, "%stls_disable_time_checks=1", (phase1->len ? " " : ""));

4
src/core/supplicant/nm-supplicant-interface.c
View file

@ -310,6 +310,8 @@ security_from_vardict(GVariant *security)
flags |= NM_802_11_AP_SEC_PAIR_TKIP;
else if (NM_IN_STRSET(v, "ccmp"))
flags |= NM_802_11_AP_SEC_PAIR_CCMP;
else if (NM_IN_STRSET(v, "gcmp-256"))
flags |= NM_802_11_AP_SEC_PAIR_GCMP_256;
}
g_free(array);
}
@ -323,6 +325,8 @@ security_from_vardict(GVariant *security)
flags |= NM_802_11_AP_SEC_GROUP_TKIP;
else if (nm_streq(tmp, "ccmp"))
flags |= NM_802_11_AP_SEC_GROUP_CCMP;
else if (nm_streq(tmp, "gcmp-256"))
flags |= NM_802_11_AP_SEC_GROUP_GCMP_256;
}
return flags;

4
src/core/supplicant/nm-supplicant-settings-verify.c
View file

@ -131,7 +131,9 @@ static const struct Opt opt_table[] = {
"tls_disable_tlsv1_3=0",
"tls_disable_tlsv1_3=1",
"tls_disable_time_checks=0",
"tls_disable_time_checks=1", )),
"tls_disable_time_checks=1",
"tls_suiteb=0",
"tls_suiteb=1", )),
OPT_KEYWORD("phase2",
NM_MAKE_STRV("auth=PAP",
"auth=CHAP",

31
src/libnm-base/nm-base.h
View file

@ -251,21 +251,22 @@ typedef enum {
typedef enum {
/* Mirrors libnm's NMDeviceWifiCapabilities */
_NM_WIFI_DEVICE_CAP_NONE = 0x00000000,
_NM_WIFI_DEVICE_CAP_CIPHER_WEP40 = 0x00000001,
_NM_WIFI_DEVICE_CAP_CIPHER_WEP104 = 0x00000002,
_NM_WIFI_DEVICE_CAP_CIPHER_TKIP = 0x00000004,
_NM_WIFI_DEVICE_CAP_CIPHER_CCMP = 0x00000008,
_NM_WIFI_DEVICE_CAP_WPA = 0x00000010,
_NM_WIFI_DEVICE_CAP_RSN = 0x00000020,
_NM_WIFI_DEVICE_CAP_AP = 0x00000040,
_NM_WIFI_DEVICE_CAP_ADHOC = 0x00000080,
_NM_WIFI_DEVICE_CAP_FREQ_VALID = 0x00000100,
_NM_WIFI_DEVICE_CAP_FREQ_2GHZ = 0x00000200,
_NM_WIFI_DEVICE_CAP_FREQ_5GHZ = 0x00000400,
_NM_WIFI_DEVICE_CAP_FREQ_6GHZ = 0x00000800,
_NM_WIFI_DEVICE_CAP_MESH = 0x00001000,
_NM_WIFI_DEVICE_CAP_IBSS_RSN = 0x00002000,
_NM_WIFI_DEVICE_CAP_NONE = 0x00000000,
_NM_WIFI_DEVICE_CAP_CIPHER_WEP40 = 0x00000001,
_NM_WIFI_DEVICE_CAP_CIPHER_WEP104 = 0x00000002,
_NM_WIFI_DEVICE_CAP_CIPHER_TKIP = 0x00000004,
_NM_WIFI_DEVICE_CAP_CIPHER_CCMP = 0x00000008,
_NM_WIFI_DEVICE_CAP_WPA = 0x00000010,
_NM_WIFI_DEVICE_CAP_RSN = 0x00000020,
_NM_WIFI_DEVICE_CAP_AP = 0x00000040,
_NM_WIFI_DEVICE_CAP_ADHOC = 0x00000080,
_NM_WIFI_DEVICE_CAP_FREQ_VALID = 0x00000100,
_NM_WIFI_DEVICE_CAP_FREQ_2GHZ = 0x00000200,
_NM_WIFI_DEVICE_CAP_FREQ_5GHZ = 0x00000400,
_NM_WIFI_DEVICE_CAP_FREQ_6GHZ = 0x00000800,
_NM_WIFI_DEVICE_CAP_MESH = 0x00001000,
_NM_WIFI_DEVICE_CAP_IBSS_RSN = 0x00002000,
_NM_WIFI_DEVICE_CAP_CIPHER_GCMP_256 = 0x00004000,
} _NMDeviceWifiCapabilities;
typedef enum {

5
src/libnm-client-impl/nm-device-wifi.c
View file

@ -434,9 +434,10 @@ nm_device_wifi_request_scan_finish(NMDeviceWifi *device, GAsyncResult *result, G
#define WPA_CAPS \
(NM_WIFI_DEVICE_CAP_CIPHER_TKIP | NM_WIFI_DEVICE_CAP_CIPHER_CCMP | NM_WIFI_DEVICE_CAP_WPA \
| NM_WIFI_DEVICE_CAP_RSN)
| NM_WIFI_DEVICE_CAP_RSN | NM_WIFI_DEVICE_CAP_CIPHER_GCMP_256)
#define RSN_CAPS (NM_WIFI_DEVICE_CAP_CIPHER_CCMP | NM_WIFI_DEVICE_CAP_RSN)
#define RSN_CAPS (NM_WIFI_DEVICE_CAP_CIPHER_CCMP | NM_WIFI_DEVICE_CAP_CIPHER_GCMP_256 \
| NM_WIFI_DEVICE_CAP_RSN)
static gboolean
has_proto(NMSettingWirelessSecurity *s_wsec, const char *proto)

5
src/libnm-core-impl/nm-setting-8021x.c
View file

@ -2945,7 +2945,10 @@ verify(NMSetting *setting, NMConnection *connection, GError **error)
| NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_2_DISABLE)
|| NM_FLAGS_ALL(priv->phase1_auth_flags,
NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_3_ENABLE
| NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_3_DISABLE)) {
| NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_3_DISABLE)
|| NM_FLAGS_ALL(priv->phase1_auth_flags,
NM_SETTING_802_1X_AUTH_FLAGS_TLS_SUITE_B_ENABLE
| NM_SETTING_802_1X_AUTH_FLAGS_TLS_SUITE_B_DISABLE)) {
g_set_error_literal(
error,
NM_CONNECTION_ERROR,

20
src/libnm-core-impl/nm-setting-wireless-security.c
View file

@ -303,7 +303,7 @@ nm_setting_wireless_security_get_pairwise(NMSettingWirelessSecurity *setting, gu
/**
* nm_setting_wireless_security_add_pairwise:
* @setting: the #NMSettingWirelessSecurity
* @pairwise: the encryption algorithm to add, one of "tkip" or "ccmp"
* @pairwise: the encryption algorithm to add, one of "tkip", "ccmp" or "gcmp-256"
*
* Adds an encryption algorithm to the list of allowed pairwise encryption
* algorithms. If the list is not empty, then only access points that support
@ -361,7 +361,7 @@ nm_setting_wireless_security_remove_pairwise(NMSettingWirelessSecurity *setting,
/**
* nm_setting_wireless_security_remove_pairwise_by_value:
* @setting: the #NMSettingWirelessSecurity
* @pairwise: the encryption algorithm to remove, one of "tkip" or "ccmp"
* @pairwise: the encryption algorithm to remove, one of "tkip", "ccmp" or "gcmp-256"
*
* Removes an encryption algorithm from the allowed pairwise encryption
* algorithm list.
@ -450,7 +450,7 @@ nm_setting_wireless_security_get_group(NMSettingWirelessSecurity *setting, guint
* nm_setting_wireless_security_add_group:
* @setting: the #NMSettingWirelessSecurity
* @group: the encryption algorithm to add, one of "wep40", "wep104",
* "tkip", or "ccmp"
* "tkip", "ccmp", or "gcmp-256"
*
* Adds an encryption algorithm to the list of allowed groupwise encryption
* algorithms. If the list is not empty, then only access points that support
@ -509,7 +509,7 @@ nm_setting_wireless_security_remove_group(NMSettingWirelessSecurity *setting, gu
* nm_setting_wireless_security_remove_group_by_value:
* @setting: the #NMSettingWirelessSecurity
* @group: the encryption algorithm to remove, one of "wep40", "wep104",
* "tkip", or "ccmp"
* "tkip", "ccmp", or "gcmp-256"
*
* Removes an encryption algorithm from the allowed groupwise encryption
* algorithm list.
@ -897,8 +897,8 @@ verify(NMSetting *setting, NMConnection *connection, GError **error)
{"none", "ieee8021x", "wpa-psk", "wpa-eap", "wpa-eap-suite-b-192", "sae", "owe", NULL};
const char *valid_auth_algs[] = {"open", "shared", "leap", NULL};
const char *valid_protos[] = {"wpa", "rsn", NULL};
const char *valid_pairwise[] = {"tkip", "ccmp", NULL};
const char *valid_groups[] = {"wep40", "wep104", "tkip", "ccmp", NULL};
const char *valid_pairwise[] = {"tkip", "ccmp", "gcmp-256", NULL};
const char *valid_groups[] = {"wep40", "wep104", "tkip", "ccmp", "gcmp-256", NULL};
NMSettingWireless *s_wifi;
const char *wifi_mode;
@ -1504,12 +1504,12 @@ nm_setting_wireless_security_class_init(NMSettingWirelessSecurityClass *klass)
* A list of pairwise encryption algorithms which prevents connections to
* Wi-Fi networks that do not utilize one of the algorithms in the list.
* For maximum compatibility leave this property empty. Each list element
* may be one of "tkip" or "ccmp".
* may be one of "tkip", "ccmp" or "gcmp-256".
**/
/* ---ifcfg-rh---
* property: pairwise
* variable: CIPHER_PAIRWISE(+)
* values: CCMP, TKIP
* values: CCMP, TKIP, GCMP-256
* description: Restrict pairwise encryption algorithms, specified as a space
* separated list.
* ---end---
@ -1526,12 +1526,12 @@ nm_setting_wireless_security_class_init(NMSettingWirelessSecurityClass *klass)
* A list of group/broadcast encryption algorithms which prevents
* connections to Wi-Fi networks that do not utilize one of the algorithms
* in the list. For maximum compatibility leave this property empty. Each
* list element may be one of "wep40", "wep104", "tkip", or "ccmp".
* list element may be one of "wep40", "wep104", "tkip", "ccmp" or "gcmp-256".
**/
/* ---ifcfg-rh---
* property: group
* variable: CIPHER_GROUP(+)
* values: CCMP, TKIP, WEP40, WEP104
* values: CCMP, TKIP, WEP40, WEP104, GCMP-256
* description: Restrict group/broadcast encryption algorithms, specified as a space
* separated list.
* ---end---

4
src/libnm-core-impl/nm-setting-wireless.c
View file

@ -277,6 +277,8 @@ nm_setting_wireless_ap_security_compatible(NMSettingWireless *s_wireless
break;
if ((found = match_cipher(cipher, "ccmp", ap_wpa, ap_rsn, NM_802_11_AP_SEC_PAIR_CCMP)))
break;
if ((found = match_cipher(cipher, "gcmp-256", ap_wpa, ap_rsn, NM_802_11_AP_SEC_PAIR_GCMP_256)))
break;
}
if (!found && num)
return FALSE;
@ -298,6 +300,8 @@ nm_setting_wireless_ap_security_compatible(NMSettingWireless *s_wireless
break;
if ((found = match_cipher(cipher, "ccmp", ap_wpa, ap_rsn, NM_802_11_AP_SEC_GROUP_CCMP)))
break;
if ((found = match_cipher(cipher, "gcmp-256", ap_wpa, ap_rsn, NM_802_11_AP_SEC_GROUP_GCMP_256)))
break;
}
if (!found && num)
return FALSE;

6
src/libnm-core-impl/nm-utils.c
View file

@ -933,6 +933,9 @@ device_supports_ap_ciphers(guint32 dev_caps, guint32 ap_flags, gboolean static_w
if (dev_caps & NM_WIFI_DEVICE_CAP_CIPHER_CCMP)
if (ap_flags & NM_802_11_AP_SEC_PAIR_CCMP)
have_pair = TRUE;
if (dev_caps & NM_WIFI_DEVICE_CAP_CIPHER_GCMP_256)
if (ap_flags & NM_802_11_AP_SEC_PAIR_GCMP_256)
have_pair = TRUE;
}
/* Group */
@ -949,6 +952,9 @@ device_supports_ap_ciphers(guint32 dev_caps, guint32 ap_flags, gboolean static_w
if (dev_caps & NM_WIFI_DEVICE_CAP_CIPHER_CCMP)
if (ap_flags & NM_802_11_AP_SEC_GROUP_CCMP)
have_group = TRUE;
if (dev_caps & NM_WIFI_DEVICE_CAP_CIPHER_GCMP_256)
if (ap_flags & NM_802_11_AP_SEC_GROUP_GCMP_256)
have_group = TRUE;
}
return (have_pair && have_group);

38
src/libnm-core-public/nm-dbus-interface.h
View file

@ -330,25 +330,27 @@ typedef enum /*< flags >*/ {
* @NM_WIFI_DEVICE_CAP_FREQ_6GHZ: device supports 6GHz frequencies. Since: 1.46.
* @NM_WIFI_DEVICE_CAP_MESH: device supports acting as a mesh point. Since: 1.20.
* @NM_WIFI_DEVICE_CAP_IBSS_RSN: device supports WPA2/RSN in an IBSS network. Since: 1.22.
* @NM_WIFI_DEVICE_CAP_CIPHER_GCMP_256: device supports AES/GCMP-256 encryption. Since: 1.58.
*
* 802.11 specific device encryption and authentication capabilities.
**/
typedef enum /*< flags >*/ {
NM_WIFI_DEVICE_CAP_NONE = 0x00000000,
NM_WIFI_DEVICE_CAP_CIPHER_WEP40 = 0x00000001,
NM_WIFI_DEVICE_CAP_CIPHER_WEP104 = 0x00000002,
NM_WIFI_DEVICE_CAP_CIPHER_TKIP = 0x00000004,
NM_WIFI_DEVICE_CAP_CIPHER_CCMP = 0x00000008,
NM_WIFI_DEVICE_CAP_WPA = 0x00000010,
NM_WIFI_DEVICE_CAP_RSN = 0x00000020,
NM_WIFI_DEVICE_CAP_AP = 0x00000040,
NM_WIFI_DEVICE_CAP_ADHOC = 0x00000080,
NM_WIFI_DEVICE_CAP_FREQ_VALID = 0x00000100,
NM_WIFI_DEVICE_CAP_FREQ_2GHZ = 0x00000200,
NM_WIFI_DEVICE_CAP_FREQ_5GHZ = 0x00000400,
NM_WIFI_DEVICE_CAP_FREQ_6GHZ = 0x00000800,
NM_WIFI_DEVICE_CAP_MESH = 0x00001000,
NM_WIFI_DEVICE_CAP_IBSS_RSN = 0x00002000,
NM_WIFI_DEVICE_CAP_NONE = 0x00000000,
NM_WIFI_DEVICE_CAP_CIPHER_WEP40 = 0x00000001,
NM_WIFI_DEVICE_CAP_CIPHER_WEP104 = 0x00000002,
NM_WIFI_DEVICE_CAP_CIPHER_TKIP = 0x00000004,
NM_WIFI_DEVICE_CAP_CIPHER_CCMP = 0x00000008,
NM_WIFI_DEVICE_CAP_WPA = 0x00000010,
NM_WIFI_DEVICE_CAP_RSN = 0x00000020,
NM_WIFI_DEVICE_CAP_AP = 0x00000040,
NM_WIFI_DEVICE_CAP_ADHOC = 0x00000080,
NM_WIFI_DEVICE_CAP_FREQ_VALID = 0x00000100,
NM_WIFI_DEVICE_CAP_FREQ_2GHZ = 0x00000200,
NM_WIFI_DEVICE_CAP_FREQ_5GHZ = 0x00000400,
NM_WIFI_DEVICE_CAP_FREQ_6GHZ = 0x00000800,
NM_WIFI_DEVICE_CAP_MESH = 0x00001000,
NM_WIFI_DEVICE_CAP_IBSS_RSN = 0x00002000,
NM_WIFI_DEVICE_CAP_CIPHER_GCMP_256 = 0x00004000,
} NMDeviceWifiCapabilities;
/**
@ -398,6 +400,10 @@ typedef enum /*< underscore_name=nm_802_11_ap_flags, flags >*/ {
* transition mode is supported. Since: 1.26.
* @NM_802_11_AP_SEC_KEY_MGMT_EAP_SUITE_B_192: WPA3 Enterprise Suite-B 192 bit mode
* is supported. Since: 1.30.
* @NM_802_11_AP_SEC_PAIR_GCMP_256: AES/GCMP-256 is supported for pairwise/unicast
* encryption. Since: 1.58.
* @NM_802_11_AP_SEC_GROUP_GCMP_256: AES/GCMP-256 is supported for group/broadcast
* encryption. Since: 1.58.
*
* 802.11 access point security and authentication flags. These flags describe
* the current security requirements of an access point as determined from the
@ -419,6 +425,8 @@ typedef enum /*< underscore_name=nm_802_11_ap_security_flags, flags >*/ {
NM_802_11_AP_SEC_KEY_MGMT_OWE = 0x00000800,
NM_802_11_AP_SEC_KEY_MGMT_OWE_TM = 0x00001000,
NM_802_11_AP_SEC_KEY_MGMT_EAP_SUITE_B_192 = 0x00002000,
NM_802_11_AP_SEC_PAIR_GCMP_256 = 0x00004000,
NM_802_11_AP_SEC_GROUP_GCMP_256 = 0x00008000,
} NM80211ApSecurityFlags;
/**

6
src/libnm-core-public/nm-setting-8021x.h
View file

@ -71,6 +71,8 @@ typedef enum { /*< underscore_name=nm_setting_802_1x_ck_scheme >*/
* @NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_3_DISABLE: Disable TLSv1.3. Since 1.42.
* @NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_3_ENABLE: Enable TLSv1.3. Since 1.42.
* @NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_TIME_CHECKS: Disable TLS time checks. Since 1.42.
* @NM_SETTING_802_1X_AUTH_FLAGS_TLS_SUITE_B_DISABLE: Disable Suite B 192-bit constraints on TLS. Since 1.58.
* @NM_SETTING_802_1X_AUTH_FLAGS_TLS_SUITE_B_ENABLE: Enable Suite B 192-bit constraints on TLS. Since 1.58.
* @NM_SETTING_802_1X_AUTH_FLAGS_ALL: All supported flags
*
* #NMSetting8021xAuthFlags values indicate which authentication settings
@ -92,8 +94,10 @@ typedef enum /*< underscore_name=nm_setting_802_1x_auth_flags, flags >*/ {
NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_1_ENABLE = 0x40,
NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_2_ENABLE = 0x80,
NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_3_ENABLE = 0x100,
NM_SETTING_802_1X_AUTH_FLAGS_TLS_SUITE_B_DISABLE = 0x200,
NM_SETTING_802_1X_AUTH_FLAGS_TLS_SUITE_B_ENABLE = 0x400,
NM_SETTING_802_1X_AUTH_FLAGS_ALL = 0x1FF,
NM_SETTING_802_1X_AUTH_FLAGS_ALL = 0x7FF,
} NMSetting8021xAuthFlags;
#define NM_TYPE_SETTING_802_1X (nm_setting_802_1x_get_type())

8
src/libnm-platform/wifi/nm-wifi-utils-nl80211.c
View file

@ -584,6 +584,9 @@ struct nl80211_device_info {
#define WLAN_CIPHER_SUITE_WEP104 0x000FAC05
#define WLAN_CIPHER_SUITE_AES_CMAC 0x000FAC06
#define WLAN_CIPHER_SUITE_GCMP 0x000FAC08
#define WLAN_CIPHER_SUITE_GCMP_256 0x000FAC09
#define WLAN_CIPHER_SUITE_GMAC_128 0x000FAC11
#define WLAN_CIPHER_SUITE_GMAC_256 0x000FAC12
#define WLAN_CIPHER_SUITE_SMS4 0x00147201
static int
@ -729,8 +732,13 @@ nl80211_wiphy_info_handler(const struct nl_msg *msg, void *arg)
case WLAN_CIPHER_SUITE_CCMP:
info->caps |= (_NM_WIFI_DEVICE_CAP_CIPHER_CCMP | _NM_WIFI_DEVICE_CAP_RSN);
break;
case WLAN_CIPHER_SUITE_GCMP_256:
info->caps |= (_NM_WIFI_DEVICE_CAP_CIPHER_GCMP_256 | _NM_WIFI_DEVICE_CAP_RSN);
break;
case WLAN_CIPHER_SUITE_AES_CMAC:
case WLAN_CIPHER_SUITE_GCMP:
case WLAN_CIPHER_SUITE_GMAC_128:
case WLAN_CIPHER_SUITE_GMAC_256:
case WLAN_CIPHER_SUITE_SMS4:
break;
default:

9
src/libnm-platform/wifi/nm-wifi-utils-wext.c
View file

@ -639,7 +639,7 @@ wext_get_range_ifname(NMWifiUtilsWext *wext,
#define WPA_CAPS \
(_NM_WIFI_DEVICE_CAP_CIPHER_TKIP | _NM_WIFI_DEVICE_CAP_CIPHER_CCMP | _NM_WIFI_DEVICE_CAP_WPA \
| _NM_WIFI_DEVICE_CAP_RSN)
| _NM_WIFI_DEVICE_CAP_RSN | _NM_WIFI_DEVICE_CAP_CIPHER_GCMP_256)
static guint32
wext_get_caps(NMWifiUtilsWext *wext, const char *ifname, struct iw_range *range)
@ -658,6 +658,9 @@ wext_get_caps(NMWifiUtilsWext *wext, const char *ifname, struct iw_range *range)
if (range->enc_capa & IW_ENC_CAPA_CIPHER_CCMP)
caps |= _NM_WIFI_DEVICE_CAP_CIPHER_CCMP;
if (range->enc_capa & IW_ENC_CAPA_CIPHER_GCMP_256)
caps |= _NM_WIFI_DEVICE_CAP_CIPHER_GCMP_256;
if (range->enc_capa & IW_ENC_CAPA_WPA)
caps |= _NM_WIFI_DEVICE_CAP_WPA;
@ -665,7 +668,7 @@ wext_get_caps(NMWifiUtilsWext *wext, const char *ifname, struct iw_range *range)
caps |= _NM_WIFI_DEVICE_CAP_RSN;
/* Check for cipher support but not WPA support */
if ((caps & (_NM_WIFI_DEVICE_CAP_CIPHER_TKIP | _NM_WIFI_DEVICE_CAP_CIPHER_CCMP))
if ((caps & (_NM_WIFI_DEVICE_CAP_CIPHER_TKIP | _NM_WIFI_DEVICE_CAP_CIPHER_CCMP | _NM_WIFI_DEVICE_CAP_CIPHER_GCMP_256))
&& !(caps & (_NM_WIFI_DEVICE_CAP_WPA | _NM_WIFI_DEVICE_CAP_RSN))) {
_LOGW(LOGD_WIFI,
"%s: device supports WPA ciphers but not WPA protocol; WPA unavailable.",
@ -675,7 +678,7 @@ wext_get_caps(NMWifiUtilsWext *wext, const char *ifname, struct iw_range *range)
/* Check for WPA support but not cipher support */
if ((caps & (_NM_WIFI_DEVICE_CAP_WPA | _NM_WIFI_DEVICE_CAP_RSN))
&& !(caps & (_NM_WIFI_DEVICE_CAP_CIPHER_TKIP | _NM_WIFI_DEVICE_CAP_CIPHER_CCMP))) {
&& !(caps & (_NM_WIFI_DEVICE_CAP_CIPHER_TKIP | _NM_WIFI_DEVICE_CAP_CIPHER_CCMP | _NM_WIFI_DEVICE_CAP_CIPHER_GCMP_256))) {
_LOGW(LOGD_WIFI,
"%s: device supports WPA protocol but not WPA ciphers; WPA unavailable.",
ifname);

4
src/libnmc-setting/nm-meta-setting-desc.c
View file

@ -8750,7 +8750,7 @@ static const NMMetaPropertyInfo *const property_infos_WIRELESS_SECURITY[] = {
.remove_by_value_fcn = MULTILIST_REMOVE_BY_VALUE_FCN (NMSettingWirelessSecurity, nm_setting_wireless_security_remove_pairwise_by_value),
.strsplit_plain = TRUE,
),
.values_static = NM_MAKE_STRV ("tkip", "ccmp"),
.values_static = NM_MAKE_STRV ("tkip", "ccmp", "gcmp-256"),
.list_items_doc_format = NM_META_PROPERTY_TYPE_FORMAT_STRING,
),
),
@ -8764,7 +8764,7 @@ static const NMMetaPropertyInfo *const property_infos_WIRELESS_SECURITY[] = {
.remove_by_value_fcn = MULTILIST_REMOVE_BY_VALUE_FCN (NMSettingWirelessSecurity, nm_setting_wireless_security_remove_group_by_value),
.strsplit_plain = TRUE,
),
.values_static = NM_MAKE_STRV ("wep40", "wep104", "tkip", "ccmp"),
.values_static = NM_MAKE_STRV ("wep40", "wep104", "tkip", "ccmp", "gcmp-256"),
.list_items_doc_format = NM_META_PROPERTY_TYPE_FORMAT_STRING,
),
),

4
src/libnmc-setting/settings-docs.h.in
View file

@ -474,12 +474,12 @@
#define DESCRIBE_DOC_NM_SETTING_WIRELESS_WAKE_ON_WLAN N_("The NMSettingWirelessWakeOnWLan options to enable. Not all devices support all options. May be any combination of \"any\" (0x2), \"disconnect\" (0x4), \"magic\" (0x8), \"gtk-rekey-failure\" (0x10), \"eap-identity-request\" (0x20), \"4way-handshake\" (0x40), \"rfkill-release\" (0x80), \"tcp\" (0x100) or the special values \"default\" (0x1) (to use global settings) and \"ignore\" (0x8000) (to disable management of Wake-on-LAN in NetworkManager).")
#define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_AUTH_ALG N_("When WEP is used (ie, key-mgmt = \"none\" or \"ieee8021x\") indicate the 802.11 authentication algorithm required by the AP here. One of \"open\" for Open System, \"shared\" for Shared Key, or \"leap\" for Cisco LEAP. When using Cisco LEAP (ie, key-mgmt = \"ieee8021x\" and auth-alg = \"leap\") the \"leap-username\" and \"leap-password\" properties must be specified.")
#define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_FILS N_("Indicates whether Fast Initial Link Setup (802.11ai) must be enabled for the connection. One of \"default\" (0) (use global default value), \"disable\" (1) (disable FILS), \"optional\" (2) (enable FILS if the supplicant and the access point support it) or \"required\" (3) (enable FILS and fail if not supported). When set to \"default\" (0) and no global default is set, FILS will be optionally enabled.")
#define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_GROUP N_("A list of group/broadcast encryption algorithms which prevents connections to Wi-Fi networks that do not utilize one of the algorithms in the list. For maximum compatibility leave this property empty. Each list element may be one of \"wep40\", \"wep104\", \"tkip\", or \"ccmp\".")
#define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_GROUP N_("A list of group/broadcast encryption algorithms which prevents connections to Wi-Fi networks that do not utilize one of the algorithms in the list. For maximum compatibility leave this property empty. Each list element may be one of \"wep40\", \"wep104\", \"tkip\", \"ccmp\", or \"gcmp-256\".")
#define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_KEY_MGMT N_("Key management used for the connection. One of \"none\" (WEP or no password protection), \"ieee8021x\" (Dynamic WEP), \"owe\" (Opportunistic Wireless Encryption), \"wpa-psk\" (WPA2 + WPA3 personal), \"sae\" (WPA3 personal only), \"wpa-eap\" (WPA2 + WPA3 enterprise) or \"wpa-eap-suite-b-192\" (WPA3 enterprise only). This property must be set for any Wi-Fi connection that uses security.")
#define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_LEAP_PASSWORD N_("The login password for legacy LEAP connections (ie, key-mgmt = \"ieee8021x\" and auth-alg = \"leap\").")
#define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_LEAP_PASSWORD_FLAGS N_("Flags indicating how to handle the \"leap-password\" property.")
#define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_LEAP_USERNAME N_("The login username for legacy LEAP connections (ie, key-mgmt = \"ieee8021x\" and auth-alg = \"leap\").")
#define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_PAIRWISE N_("A list of pairwise encryption algorithms which prevents connections to Wi-Fi networks that do not utilize one of the algorithms in the list. For maximum compatibility leave this property empty. Each list element may be one of \"tkip\" or \"ccmp\".")
#define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_PAIRWISE N_("A list of pairwise encryption algorithms which prevents connections to Wi-Fi networks that do not utilize one of the algorithms in the list. For maximum compatibility leave this property empty. Each list element may be one of \"tkip\", \"ccmp\" or \"gcmp-256\".")
#define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_PMF N_("Indicates whether Protected Management Frames (802.11w) must be enabled for the connection. One of \"default\" (0) (use global default value), \"disable\" (1) (disable PMF), \"optional\" (2) (enable PMF if the supplicant and the access point support it) or \"required\" (3) (enable PMF and fail if not supported). When set to \"default\" (0) and no global default is set, PMF will be optionally enabled.")
#define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_PROTO N_("List of strings specifying the allowed WPA protocol versions to use. Each element may be one \"wpa\" (allow WPA) or \"rsn\" (allow WPA2/RSN). If not specified, both WPA and RSN connections are allowed.")
#define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_PSK N_("Pre-Shared-Key for WPA networks. For WPA-PSK, it's either an ASCII passphrase of 8 to 63 characters that is (as specified in the 802.11i standard) hashed to derive the actual key, or the key in form of 64 hexadecimal character. The WPA3-Personal networks use a passphrase of any length for SAE authentication.")

10
src/nmcli/devices.c
View file

@ -63,6 +63,10 @@ ap_wpa_rsn_flags_to_string(NM80211ApSecurityFlags flags, NMMetaAccessorGetType g
flags_str[i++] = "wpa-eap-suite-b-192";
if (NM_FLAGS_ANY(flags, NM_802_11_AP_SEC_KEY_MGMT_OWE | NM_802_11_AP_SEC_KEY_MGMT_OWE_TM))
flags_str[i++] = "owe";
if (flags & NM_802_11_AP_SEC_PAIR_GCMP_256)
flags_str[i++] = "pair_gcmp_256";
if (flags & NM_802_11_AP_SEC_GROUP_GCMP_256)
flags_str[i++] = "group_gcmp_256";
/* Make sure you grow flags_str when adding items here. */
nm_assert(i < G_N_ELEMENTS(flags_str));
@ -581,6 +585,9 @@ _metagen_device_detail_wifi_properties_get_fcn(NMC_META_GENERIC_INFO_GET_FCN_ARG
case NMC_GENERIC_INFO_TYPE_DEVICE_DETAIL_WIFI_PROPERTIES_CCMP:
return nmc_meta_generic_get_bool(NM_FLAGS_HAS(wcaps, NM_WIFI_DEVICE_CAP_CIPHER_CCMP),
get_type);
case NMC_GENERIC_INFO_TYPE_DEVICE_DETAIL_WIFI_PROPERTIES_GCMP_256:
return nmc_meta_generic_get_bool(NM_FLAGS_HAS(wcaps, NM_WIFI_DEVICE_CAP_CIPHER_GCMP_256),
get_type);
case NMC_GENERIC_INFO_TYPE_DEVICE_DETAIL_WIFI_PROPERTIES_AP:
return nmc_meta_generic_get_bool(NM_FLAGS_HAS(wcaps, NM_WIFI_DEVICE_CAP_AP), get_type);
case NMC_GENERIC_INFO_TYPE_DEVICE_DETAIL_WIFI_PROPERTIES_ADHOC:
@ -637,6 +644,9 @@ const NmcMetaGenericInfo *const
_METAGEN_DEVICE_DETAIL_WIFI_PROPERTIES(
NMC_GENERIC_INFO_TYPE_DEVICE_DETAIL_WIFI_PROPERTIES_CCMP,
"CCMP"),
_METAGEN_DEVICE_DETAIL_WIFI_PROPERTIES(
NMC_GENERIC_INFO_TYPE_DEVICE_DETAIL_WIFI_PROPERTIES_GCMP_256,
"GCMP-256"),
_METAGEN_DEVICE_DETAIL_WIFI_PROPERTIES(
NMC_GENERIC_INFO_TYPE_DEVICE_DETAIL_WIFI_PROPERTIES_AP,
"AP"),

8
src/nmcli/gen-metadata-nm-settings-nmcli.xml.in
View file

@ -113,13 +113,13 @@
format="list of strings"
values="wpa, rsn" />
<property name="pairwise"
nmcli-description="A list of pairwise encryption algorithms which prevents connections to Wi-Fi networks that do not utilize one of the algorithms in the list. For maximum compatibility leave this property empty. Each list element may be one of &quot;tkip&quot; or &quot;ccmp&quot;."
nmcli-description="A list of pairwise encryption algorithms which prevents connections to Wi-Fi networks that do not utilize one of the algorithms in the list. For maximum compatibility leave this property empty. Each list element may be one of &quot;tkip&quot;, &quot;ccmp&quot; or &quot;gcmp-256&quot;."
format="list of strings"
values="tkip, ccmp" />
values="tkip, ccmp, gcmp-256" />
<property name="group"
nmcli-description="A list of group/broadcast encryption algorithms which prevents connections to Wi-Fi networks that do not utilize one of the algorithms in the list. For maximum compatibility leave this property empty. Each list element may be one of &quot;wep40&quot;, &quot;wep104&quot;, &quot;tkip&quot;, or &quot;ccmp&quot;."
nmcli-description="A list of group/broadcast encryption algorithms which prevents connections to Wi-Fi networks that do not utilize one of the algorithms in the list. For maximum compatibility leave this property empty. Each list element may be one of &quot;wep40&quot;, &quot;wep104&quot;, &quot;tkip&quot;, &quot;ccmp&quot;, or &quot;gcmp-256&quot;."
format="list of strings"
values="wep40, wep104, tkip, ccmp" />
values="wep40, wep104, tkip, ccmp, gcmp-256" />
<property name="pmf"
nmcli-description="Indicates whether Protected Management Frames (802.11w) must be enabled for the connection. One of &quot;default&quot; (0) (use global default value), &quot;disable&quot; (1) (disable PMF), &quot;optional&quot; (2) (enable PMF if the supplicant and the access point support it) or &quot;required&quot; (3) (enable PMF and fail if not supported). When set to &quot;default&quot; (0) and no global default is set, PMF will be optionally enabled."
format="choice (NMSettingWirelessSecurityPmf)"

1
src/nmcli/utils.h
View file

@ -235,6 +235,7 @@ typedef enum {
NMC_GENERIC_INFO_TYPE_DEVICE_DETAIL_WIFI_PROPERTIES_6GHZ,
NMC_GENERIC_INFO_TYPE_DEVICE_DETAIL_WIFI_PROPERTIES_MESH,
NMC_GENERIC_INFO_TYPE_DEVICE_DETAIL_WIFI_PROPERTIES_IBSS_RSN,
NMC_GENERIC_INFO_TYPE_DEVICE_DETAIL_WIFI_PROPERTIES_GCMP_256,
_NMC_GENERIC_INFO_TYPE_DEVICE_DETAIL_WIFI_PROPERTIES_NUM,
NMC_GENERIC_INFO_TYPE_DEVICE_DETAIL_INTERFACE_FLAGS_UP = 0,

2
tools/test-networkmanager-service.py
View file

@ -1301,6 +1301,8 @@ class WifiAp(ExportedObj):
rsnf = rsnf | NM_AP_FLAGS.GROUP_TKIP
rsnf = rsnf | NM_AP_FLAGS.GROUP_CCMP
rsnf = rsnf | NM_AP_FLAGS.KEY_MGMT_PSK
rsnf = rsnf | NM_AP_FLAGS.PAIR_GCMP_256
rsnf = rsnf | NM_AP_FLAGS.GROUP_GCMP_256
if freq is None:
freq = 2412
if bssid is None: