diff --git a/examples/C/glib/get-ap-info-libnm.c b/examples/C/glib/get-ap-info-libnm.c index 6c0a4343d5..16acc5dba7 100644 --- a/examples/C/glib/get-ap-info-libnm.c +++ b/examples/C/glib/get-ap-info-libnm.c @@ -33,6 +33,8 @@ ap_wpa_rsn_flags_to_string(guint32 flags) flags_str[i++] = g_strdup("pair_tkip"); if (flags & NM_802_11_AP_SEC_PAIR_CCMP) flags_str[i++] = g_strdup("pair_ccmp"); + if (flags & NM_802_11_AP_SEC_PAIR_GCMP_256) + flags_str[i++] = g_strdup("pair_gcmp_256"); if (flags & NM_802_11_AP_SEC_GROUP_WEP40) flags_str[i++] = g_strdup("group_wpe40"); if (flags & NM_802_11_AP_SEC_GROUP_WEP104) @@ -41,6 +43,8 @@ ap_wpa_rsn_flags_to_string(guint32 flags) flags_str[i++] = g_strdup("group_tkip"); if (flags & NM_802_11_AP_SEC_GROUP_CCMP) flags_str[i++] = g_strdup("group_ccmp"); + if (flags & NM_802_11_AP_SEC_GROUP_GCMP_256) + flags_str[i++] = g_strdup("group_gcmp_256"); if (flags & NM_802_11_AP_SEC_KEY_MGMT_PSK) flags_str[i++] = g_strdup("psk"); if (flags & NM_802_11_AP_SEC_KEY_MGMT_802_1X) diff --git a/src/core/devices/wifi/nm-wifi-ap.c b/src/core/devices/wifi/nm-wifi-ap.c index 3e7589721b..3d3654f21c 100644 --- a/src/core/devices/wifi/nm-wifi-ap.c +++ b/src/core/devices/wifi/nm-wifi-ap.c @@ -466,7 +466,7 @@ add_pair_ciphers(NMWifiAP *ap, NMSettingWirelessSecurity *sec) /* If no ciphers are specified, that means "all" WPA ciphers */ if (num == 0) { - flags |= NM_802_11_AP_SEC_PAIR_TKIP | NM_802_11_AP_SEC_PAIR_CCMP; + flags |= NM_802_11_AP_SEC_PAIR_TKIP | NM_802_11_AP_SEC_PAIR_CCMP | NM_802_11_AP_SEC_PAIR_GCMP_256; } else { for (i = 0; i < num; i++) { const char *cipher = nm_setting_wireless_security_get_pairwise(sec, i); @@ -475,6 +475,8 @@ add_pair_ciphers(NMWifiAP *ap, NMSettingWirelessSecurity *sec) flags |= NM_802_11_AP_SEC_PAIR_TKIP; else if (!strcmp(cipher, "ccmp")) flags |= NM_802_11_AP_SEC_PAIR_CCMP; + else if (!strcmp(cipher, "gcmp-256")) + flags |= NM_802_11_AP_SEC_PAIR_GCMP_256; } } 
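Review bot: Both hunks in ap_wpa_rsn_flags_to_string() of examples/C/glib/get-ap-info-libnm.c add a `flags_str[i++] = ...` store, but the declaration of `flags_str` is outside the hunks and is not changed, so the array may now be too small when an access point sets every flag. The same applies to the first nmcli/devices.c hunk, where the context comment reads `/* Make sure you grow flags_str when adding items here. */` and no hunk touches the declaration. The only guard there is `nm_assert(i < G_N_ELEMENTS(flags_str))`, which runs after the stores and, as far as I know, is compiled out of non-debug builds. These flags are presumably derived from what scanned access points advertise, so please confirm each array has room for every possible entry plus any terminator, and raise its size by two if not.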
@@ -494,7 +496,7 @@ add_group_ciphers(NMWifiAP *ap, NMSettingWirelessSecurity *sec) /* If no ciphers are specified, that means "all" WPA ciphers */ if (num == 0) { - flags |= NM_802_11_AP_SEC_GROUP_TKIP | NM_802_11_AP_SEC_GROUP_CCMP; + flags |= NM_802_11_AP_SEC_GROUP_TKIP | NM_802_11_AP_SEC_GROUP_CCMP | NM_802_11_AP_SEC_GROUP_GCMP_256; } else { for (i = 0; i < num; i++) { const char *cipher = nm_setting_wireless_security_get_group(sec, i); @@ -507,6 +509,8 @@ add_group_ciphers(NMWifiAP *ap, NMSettingWirelessSecurity *sec) flags |= NM_802_11_AP_SEC_GROUP_TKIP; else if (!strcmp(cipher, "ccmp")) flags |= NM_802_11_AP_SEC_GROUP_CCMP; + else if (!strcmp(cipher, "gcmp-256")) + flags |= NM_802_11_AP_SEC_GROUP_GCMP_256; } } @@ -912,7 +916,8 @@ nm_wifi_ap_class_init(NMWifiAPClass *ap_class) | NM_802_11_AP_SEC_GROUP_WEP104 | NM_802_11_AP_SEC_GROUP_TKIP | NM_802_11_AP_SEC_GROUP_CCMP \ | NM_802_11_AP_SEC_KEY_MGMT_PSK | NM_802_11_AP_SEC_KEY_MGMT_802_1X \ | NM_802_11_AP_SEC_KEY_MGMT_SAE | NM_802_11_AP_SEC_KEY_MGMT_OWE \ - | NM_802_11_AP_SEC_KEY_MGMT_OWE_TM | NM_802_11_AP_SEC_KEY_MGMT_EAP_SUITE_B_192) + | NM_802_11_AP_SEC_KEY_MGMT_OWE_TM | NM_802_11_AP_SEC_KEY_MGMT_EAP_SUITE_B_192 \ + | NM_802_11_AP_SEC_PAIR_GCMP_256 | NM_802_11_AP_SEC_GROUP_GCMP_256) GObjectClass *object_class = G_OBJECT_CLASS(ap_class); NMDBusObjectClass *dbus_object_class = NM_DBUS_OBJECT_CLASS(ap_class); diff --git a/src/core/devices/wifi/nm-wifi-utils.c b/src/core/devices/wifi/nm-wifi-utils.c index 3b59170655..39080515dd 100644 --- a/src/core/devices/wifi/nm-wifi-utils.c +++ b/src/core/devices/wifi/nm-wifi-utils.c @@ -174,7 +174,7 @@ verify_no_wpa(NMSettingWirelessSecurity *s_wsec, const char *tag, GError **error const char *pw; pw = nm_setting_wireless_security_get_pairwise(s_wsec, i); - if (!strcmp(pw, "tkip") || !strcmp(pw, "ccmp")) { + if (!strcmp(pw, "tkip") || !strcmp(pw, "ccmp") || !strcmp(pw, "gcmp-256")) { g_set_error(error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_INVALID_PROPERTY, 
diff --git a/src/core/platform/nm-fake-platform.c b/src/core/platform/nm-fake-platform.c index e0d51b7062..7f11681b45 100644 --- a/src/core/platform/nm-fake-platform.c +++ b/src/core/platform/nm-fake-platform.c @@ -890,7 +890,7 @@ wifi_get_capabilities(NMPlatform *platform, int ifindex, _NMDeviceWifiCapabiliti *caps = (_NM_WIFI_DEVICE_CAP_CIPHER_WEP40 | _NM_WIFI_DEVICE_CAP_CIPHER_WEP104 | _NM_WIFI_DEVICE_CAP_CIPHER_TKIP | _NM_WIFI_DEVICE_CAP_CIPHER_CCMP | _NM_WIFI_DEVICE_CAP_WPA | _NM_WIFI_DEVICE_CAP_RSN | _NM_WIFI_DEVICE_CAP_AP - | _NM_WIFI_DEVICE_CAP_ADHOC); + | _NM_WIFI_DEVICE_CAP_ADHOC | _NM_WIFI_DEVICE_CAP_CIPHER_GCMP_256); } return TRUE; } diff --git a/src/core/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c b/src/core/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c index 6312154ccc..0696af8cb5 100644 --- a/src/core/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c +++ b/src/core/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c @@ -3513,6 +3513,11 @@ fill_wpa_ciphers(shvarFile *ifcfg, NMSettingWirelessSecurity *wsec, gboolean gro nm_setting_wireless_security_add_group(wsec, "ccmp"); else nm_setting_wireless_security_add_pairwise(wsec, "ccmp"); + } else if (!strcmp(*iter, "GCMP-256")) { + if (group) + nm_setting_wireless_security_add_group(wsec, "gcmp-256"); + else + nm_setting_wireless_security_add_pairwise(wsec, "gcmp-256"); } else if (!strcmp(*iter, "TKIP")) { if (group) nm_setting_wireless_security_add_group(wsec, "tkip"); diff --git a/src/core/supplicant/nm-supplicant-config.c b/src/core/supplicant/nm-supplicant-config.c index ced4d66866..9b88304e1c 100644 --- a/src/core/supplicant/nm-supplicant-config.c +++ b/src/core/supplicant/nm-supplicant-config.c 
@@ -1562,6 +1562,10 @@ nm_supplicant_config_add_setting_8021x(NMSupplicantConfig *self, g_string_append_printf(phase1, "%stls_disable_tlsv1_3=0", (phase1->len ? " " : "")); else if (NM_FLAGS_HAS(phase1_auth_flags, NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_3_DISABLE)) g_string_append_printf(phase1, "%stls_disable_tlsv1_3=1", (phase1->len ? " " : "")); + if (NM_FLAGS_HAS(phase1_auth_flags, NM_SETTING_802_1X_AUTH_FLAGS_TLS_SUITE_B_DISABLE)) + g_string_append_printf(phase1, "%stls_suiteb=0", (phase1->len ? " " : "")); + else if (NM_FLAGS_HAS(phase1_auth_flags, NM_SETTING_802_1X_AUTH_FLAGS_TLS_SUITE_B_ENABLE)) + g_string_append_printf(phase1, "%stls_suiteb=1", (phase1->len ? " " : "")); if (NM_FLAGS_HAS(phase1_auth_flags, NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_TIME_CHECKS)) g_string_append_printf(phase1, "%stls_disable_time_checks=1", (phase1->len ? " " : "")); diff --git a/src/core/supplicant/nm-supplicant-interface.c b/src/core/supplicant/nm-supplicant-interface.c index 4476c7015a..1c62412ff4 100644 --- a/src/core/supplicant/nm-supplicant-interface.c +++ b/src/core/supplicant/nm-supplicant-interface.c @@ -310,6 +310,8 @@ security_from_vardict(GVariant *security) flags |= NM_802_11_AP_SEC_PAIR_TKIP; else if (NM_IN_STRSET(v, "ccmp")) flags |= NM_802_11_AP_SEC_PAIR_CCMP; + else if (NM_IN_STRSET(v, "gcmp-256")) + flags |= NM_802_11_AP_SEC_PAIR_GCMP_256; } g_free(array); } @@ -323,6 +325,8 @@ security_from_vardict(GVariant *security) flags |= NM_802_11_AP_SEC_GROUP_TKIP; else if (nm_streq(tmp, "ccmp")) flags |= NM_802_11_AP_SEC_GROUP_CCMP; + else if (nm_streq(tmp, "gcmp-256")) + flags |= NM_802_11_AP_SEC_GROUP_GCMP_256; } return flags; diff --git a/src/core/supplicant/nm-supplicant-settings-verify.c b/src/core/supplicant/nm-supplicant-settings-verify.c index a1f888ec54..547e106ee9 100644 --- a/src/core/supplicant/nm-supplicant-settings-verify.c +++ b/src/core/supplicant/nm-supplicant-settings-verify.c 
@@ -131,7 +131,9 @@ static const struct Opt opt_table[] = { "tls_disable_tlsv1_3=0", "tls_disable_tlsv1_3=1", "tls_disable_time_checks=0", - "tls_disable_time_checks=1", )), + "tls_disable_time_checks=1", + "tls_suiteb=0", + "tls_suiteb=1", )), OPT_KEYWORD("phase2", NM_MAKE_STRV("auth=PAP", "auth=CHAP", diff --git a/src/libnm-base/nm-base.h b/src/libnm-base/nm-base.h index 7806f7e750..0b5ecf49b5 100644 --- a/src/libnm-base/nm-base.h +++ b/src/libnm-base/nm-base.h @@ -251,21 +251,22 @@ typedef enum { typedef enum { /* Mirrors libnm's NMDeviceWifiCapabilities */ - _NM_WIFI_DEVICE_CAP_NONE = 0x00000000, - _NM_WIFI_DEVICE_CAP_CIPHER_WEP40 = 0x00000001, - _NM_WIFI_DEVICE_CAP_CIPHER_WEP104 = 0x00000002, - _NM_WIFI_DEVICE_CAP_CIPHER_TKIP = 0x00000004, - _NM_WIFI_DEVICE_CAP_CIPHER_CCMP = 0x00000008, - _NM_WIFI_DEVICE_CAP_WPA = 0x00000010, - _NM_WIFI_DEVICE_CAP_RSN = 0x00000020, - _NM_WIFI_DEVICE_CAP_AP = 0x00000040, - _NM_WIFI_DEVICE_CAP_ADHOC = 0x00000080, - _NM_WIFI_DEVICE_CAP_FREQ_VALID = 0x00000100, - _NM_WIFI_DEVICE_CAP_FREQ_2GHZ = 0x00000200, - _NM_WIFI_DEVICE_CAP_FREQ_5GHZ = 0x00000400, - _NM_WIFI_DEVICE_CAP_FREQ_6GHZ = 0x00000800, - _NM_WIFI_DEVICE_CAP_MESH = 0x00001000, - _NM_WIFI_DEVICE_CAP_IBSS_RSN = 0x00002000, + _NM_WIFI_DEVICE_CAP_NONE = 0x00000000, + _NM_WIFI_DEVICE_CAP_CIPHER_WEP40 = 0x00000001, + _NM_WIFI_DEVICE_CAP_CIPHER_WEP104 = 0x00000002, + _NM_WIFI_DEVICE_CAP_CIPHER_TKIP = 0x00000004, + _NM_WIFI_DEVICE_CAP_CIPHER_CCMP = 0x00000008, + _NM_WIFI_DEVICE_CAP_WPA = 0x00000010, + _NM_WIFI_DEVICE_CAP_RSN = 0x00000020, + _NM_WIFI_DEVICE_CAP_AP = 0x00000040, + _NM_WIFI_DEVICE_CAP_ADHOC = 0x00000080, + _NM_WIFI_DEVICE_CAP_FREQ_VALID = 0x00000100, + _NM_WIFI_DEVICE_CAP_FREQ_2GHZ = 0x00000200, + _NM_WIFI_DEVICE_CAP_FREQ_5GHZ = 0x00000400, + _NM_WIFI_DEVICE_CAP_FREQ_6GHZ = 0x00000800, + _NM_WIFI_DEVICE_CAP_MESH = 0x00001000, + _NM_WIFI_DEVICE_CAP_IBSS_RSN = 0x00002000, + _NM_WIFI_DEVICE_CAP_CIPHER_GCMP_256 = 0x00004000, } _NMDeviceWifiCapabilities; typedef enum { 
diff --git a/src/libnm-client-impl/nm-device-wifi.c b/src/libnm-client-impl/nm-device-wifi.c index 616aca5008..d78b512e6d 100644 --- a/src/libnm-client-impl/nm-device-wifi.c +++ b/src/libnm-client-impl/nm-device-wifi.c @@ -434,9 +434,10 @@ nm_device_wifi_request_scan_finish(NMDeviceWifi *device, GAsyncResult *result, G #define WPA_CAPS \ (NM_WIFI_DEVICE_CAP_CIPHER_TKIP | NM_WIFI_DEVICE_CAP_CIPHER_CCMP | NM_WIFI_DEVICE_CAP_WPA \ - | NM_WIFI_DEVICE_CAP_RSN) + | NM_WIFI_DEVICE_CAP_RSN | NM_WIFI_DEVICE_CAP_CIPHER_GCMP_256) -#define RSN_CAPS (NM_WIFI_DEVICE_CAP_CIPHER_CCMP | NM_WIFI_DEVICE_CAP_RSN) +#define RSN_CAPS (NM_WIFI_DEVICE_CAP_CIPHER_CCMP | NM_WIFI_DEVICE_CAP_CIPHER_GCMP_256 \ + | NM_WIFI_DEVICE_CAP_RSN) static gboolean has_proto(NMSettingWirelessSecurity *s_wsec, const char *proto) diff --git a/src/libnm-core-impl/nm-setting-8021x.c b/src/libnm-core-impl/nm-setting-8021x.c index f933380333..b54c4cbe63 100644 --- a/src/libnm-core-impl/nm-setting-8021x.c +++ b/src/libnm-core-impl/nm-setting-8021x.c @@ -2945,7 +2945,10 @@ verify(NMSetting *setting, NMConnection *connection, GError **error) | NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_2_DISABLE) || NM_FLAGS_ALL(priv->phase1_auth_flags, NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_3_ENABLE - | NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_3_DISABLE)) { + | NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_3_DISABLE) + || NM_FLAGS_ALL(priv->phase1_auth_flags, + NM_SETTING_802_1X_AUTH_FLAGS_TLS_SUITE_B_ENABLE + | NM_SETTING_802_1X_AUTH_FLAGS_TLS_SUITE_B_DISABLE)) { g_set_error_literal( error, NM_CONNECTION_ERROR, diff --git a/src/libnm-core-impl/nm-setting-wireless-security.c b/src/libnm-core-impl/nm-setting-wireless-security.c index e420b32b71..6972b13321 100644 --- a/src/libnm-core-impl/nm-setting-wireless-security.c +++ b/src/libnm-core-impl/nm-setting-wireless-security.c 
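Review bot: The new `NM_FLAGS_ALL(priv->phase1_auth_flags, ...TLS_SUITE_B_ENABLE | ...TLS_SUITE_B_DISABLE)` test in verify() of nm-setting-8021x.c reuses the error raised for the TLS 1.x enable/disable pairs, and the message text is outside the hunk. If that text speaks of one TLS version being both enabled and disabled, it will mislead a user whose profile conflicts on the Suite B pair. A wording along the lines of `both enable and disable are set for the same TLS option` would cover both cases.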
@@ -303,7 +303,7 @@ nm_setting_wireless_security_get_pairwise(NMSettingWirelessSecurity *setting, gu /** * nm_setting_wireless_security_add_pairwise: * @setting: the #NMSettingWirelessSecurity - * @pairwise: the encryption algorithm to add, one of "tkip" or "ccmp" + * @pairwise: the encryption algorithm to add, one of "tkip", "ccmp" or "gcmp-256" * * Adds an encryption algorithm to the list of allowed pairwise encryption * algorithms. If the list is not empty, then only access points that support @@ -361,7 +361,7 @@ nm_setting_wireless_security_remove_pairwise(NMSettingWirelessSecurity *setting, /** * nm_setting_wireless_security_remove_pairwise_by_value: * @setting: the #NMSettingWirelessSecurity - * @pairwise: the encryption algorithm to remove, one of "tkip" or "ccmp" + * @pairwise: the encryption algorithm to remove, one of "tkip", "ccmp" or "gcmp-256" * * Removes an encryption algorithm from the allowed pairwise encryption * algorithm list. @@ -450,7 +450,7 @@ nm_setting_wireless_security_get_group(NMSettingWirelessSecurity *setting, guint * nm_setting_wireless_security_add_group: * @setting: the #NMSettingWirelessSecurity * @group: the encryption algorithm to add, one of "wep40", "wep104", - * "tkip", or "ccmp" + * "tkip", "ccmp", or "gcmp-256" * * Adds an encryption algorithm to the list of allowed groupwise encryption * algorithms. If the list is not empty, then only access points that support @@ -509,7 +509,7 @@ nm_setting_wireless_security_remove_group(NMSettingWirelessSecurity *setting, gu * nm_setting_wireless_security_remove_group_by_value: * @setting: the #NMSettingWirelessSecurity * @group: the encryption algorithm to remove, one of "wep40", "wep104", - * "tkip", or "ccmp" + * "tkip", "ccmp", or "gcmp-256" * * Removes an encryption algorithm from the allowed groupwise encryption * algorithm list. 
@@ -897,8 +897,8 @@ verify(NMSetting *setting, NMConnection *connection, GError **error) {"none", "ieee8021x", "wpa-psk", "wpa-eap", "wpa-eap-suite-b-192", "sae", "owe", NULL}; const char *valid_auth_algs[] = {"open", "shared", "leap", NULL}; const char *valid_protos[] = {"wpa", "rsn", NULL}; - const char *valid_pairwise[] = {"tkip", "ccmp", NULL}; - const char *valid_groups[] = {"wep40", "wep104", "tkip", "ccmp", NULL}; + const char *valid_pairwise[] = {"tkip", "ccmp", "gcmp-256", NULL}; + const char *valid_groups[] = {"wep40", "wep104", "tkip", "ccmp", "gcmp-256", NULL}; NMSettingWireless *s_wifi; const char *wifi_mode; @@ -1504,12 +1504,12 @@ nm_setting_wireless_security_class_init(NMSettingWirelessSecurityClass *klass) * A list of pairwise encryption algorithms which prevents connections to * Wi-Fi networks that do not utilize one of the algorithms in the list. * For maximum compatibility leave this property empty. Each list element - * may be one of "tkip" or "ccmp". + * may be one of "tkip", "ccmp" or "gcmp-256". **/ /* ---ifcfg-rh--- * property: pairwise * variable: CIPHER_PAIRWISE(+) - * values: CCMP, TKIP + * values: CCMP, TKIP, GCMP-256 * description: Restrict pairwise encryption algorithms, specified as a space * separated list. * ---end--- 
@@ -1526,12 +1526,12 @@ nm_setting_wireless_security_class_init(NMSettingWirelessSecurityClass *klass) * A list of group/broadcast encryption algorithms which prevents * connections to Wi-Fi networks that do not utilize one of the algorithms * in the list. For maximum compatibility leave this property empty. Each - * list element may be one of "wep40", "wep104", "tkip", or "ccmp". + * list element may be one of "wep40", "wep104", "tkip", "ccmp" or "gcmp-256". **/ /* ---ifcfg-rh--- * property: group * variable: CIPHER_GROUP(+) - * values: CCMP, TKIP, WEP40, WEP104 + * values: CCMP, TKIP, WEP40, WEP104, GCMP-256 * description: Restrict group/broadcast encryption algorithms, specified as a space * separated list. * ---end--- diff --git a/src/libnm-core-impl/nm-setting-wireless.c b/src/libnm-core-impl/nm-setting-wireless.c index 318e864bd2..e8d4593906 100644 --- a/src/libnm-core-impl/nm-setting-wireless.c +++ b/src/libnm-core-impl/nm-setting-wireless.c @@ -277,6 +277,8 @@ nm_setting_wireless_ap_security_compatible(NMSettingWireless *s_wireless break; if ((found = match_cipher(cipher, "ccmp", ap_wpa, ap_rsn, NM_802_11_AP_SEC_PAIR_CCMP))) break; + if ((found = match_cipher(cipher, "gcmp-256", ap_wpa, ap_rsn, NM_802_11_AP_SEC_PAIR_GCMP_256))) + break; } if (!found && num) return FALSE; @@ -298,6 +300,8 @@ nm_setting_wireless_ap_security_compatible(NMSettingWireless *s_wireless break; if ((found = match_cipher(cipher, "ccmp", ap_wpa, ap_rsn, NM_802_11_AP_SEC_GROUP_CCMP))) break; + if ((found = match_cipher(cipher, "gcmp-256", ap_wpa, ap_rsn, NM_802_11_AP_SEC_GROUP_GCMP_256))) + break; } if (!found && num) return FALSE; diff --git a/src/libnm-core-impl/nm-utils.c b/src/libnm-core-impl/nm-utils.c index ad7eea438b..98d509ebd2 100644 --- a/src/libnm-core-impl/nm-utils.c +++ b/src/libnm-core-impl/nm-utils.c 
@@ -933,6 +933,9 @@ device_supports_ap_ciphers(guint32 dev_caps, guint32 ap_flags, gboolean static_w if (dev_caps & NM_WIFI_DEVICE_CAP_CIPHER_CCMP) if (ap_flags & NM_802_11_AP_SEC_PAIR_CCMP) have_pair = TRUE; + if (dev_caps & NM_WIFI_DEVICE_CAP_CIPHER_GCMP_256) + if (ap_flags & NM_802_11_AP_SEC_PAIR_GCMP_256) + have_pair = TRUE; } /* Group */ @@ -949,6 +952,9 @@ device_supports_ap_ciphers(guint32 dev_caps, guint32 ap_flags, gboolean static_w if (dev_caps & NM_WIFI_DEVICE_CAP_CIPHER_CCMP) if (ap_flags & NM_802_11_AP_SEC_GROUP_CCMP) have_group = TRUE; + if (dev_caps & NM_WIFI_DEVICE_CAP_CIPHER_GCMP_256) + if (ap_flags & NM_802_11_AP_SEC_GROUP_GCMP_256) + have_group = TRUE; } return (have_pair && have_group); diff --git a/src/libnm-core-public/nm-dbus-interface.h b/src/libnm-core-public/nm-dbus-interface.h index c16a115a08..0be88e1d34 100644 --- a/src/libnm-core-public/nm-dbus-interface.h +++ b/src/libnm-core-public/nm-dbus-interface.h 
@@ -330,25 +330,27 @@ typedef enum /*< flags >*/ { * @NM_WIFI_DEVICE_CAP_FREQ_6GHZ: device supports 6GHz frequencies. Since: 1.46. * @NM_WIFI_DEVICE_CAP_MESH: device supports acting as a mesh point. Since: 1.20. * @NM_WIFI_DEVICE_CAP_IBSS_RSN: device supports WPA2/RSN in an IBSS network. Since: 1.22. + * @NM_WIFI_DEVICE_CAP_CIPHER_GCMP_256: device supports AES/GCMP-256 encryption. Since: 1.58. * * 802.11 specific device encryption and authentication capabilities. **/ typedef enum /*< flags >*/ { - NM_WIFI_DEVICE_CAP_NONE = 0x00000000, - NM_WIFI_DEVICE_CAP_CIPHER_WEP40 = 0x00000001, - NM_WIFI_DEVICE_CAP_CIPHER_WEP104 = 0x00000002, - NM_WIFI_DEVICE_CAP_CIPHER_TKIP = 0x00000004, - NM_WIFI_DEVICE_CAP_CIPHER_CCMP = 0x00000008, - NM_WIFI_DEVICE_CAP_WPA = 0x00000010, - NM_WIFI_DEVICE_CAP_RSN = 0x00000020, - NM_WIFI_DEVICE_CAP_AP = 0x00000040, - NM_WIFI_DEVICE_CAP_ADHOC = 0x00000080, - NM_WIFI_DEVICE_CAP_FREQ_VALID = 0x00000100, - NM_WIFI_DEVICE_CAP_FREQ_2GHZ = 0x00000200, - NM_WIFI_DEVICE_CAP_FREQ_5GHZ = 0x00000400, - NM_WIFI_DEVICE_CAP_FREQ_6GHZ = 0x00000800, - NM_WIFI_DEVICE_CAP_MESH = 0x00001000, - NM_WIFI_DEVICE_CAP_IBSS_RSN = 0x00002000, + NM_WIFI_DEVICE_CAP_NONE = 0x00000000, + NM_WIFI_DEVICE_CAP_CIPHER_WEP40 = 0x00000001, + NM_WIFI_DEVICE_CAP_CIPHER_WEP104 = 0x00000002, + NM_WIFI_DEVICE_CAP_CIPHER_TKIP = 0x00000004, + NM_WIFI_DEVICE_CAP_CIPHER_CCMP = 0x00000008, + NM_WIFI_DEVICE_CAP_WPA = 0x00000010, + NM_WIFI_DEVICE_CAP_RSN = 0x00000020, + NM_WIFI_DEVICE_CAP_AP = 0x00000040, + NM_WIFI_DEVICE_CAP_ADHOC = 0x00000080, + NM_WIFI_DEVICE_CAP_FREQ_VALID = 0x00000100, + NM_WIFI_DEVICE_CAP_FREQ_2GHZ = 0x00000200, + NM_WIFI_DEVICE_CAP_FREQ_5GHZ = 0x00000400, + NM_WIFI_DEVICE_CAP_FREQ_6GHZ = 0x00000800, + NM_WIFI_DEVICE_CAP_MESH = 0x00001000, + NM_WIFI_DEVICE_CAP_IBSS_RSN = 0x00002000, + NM_WIFI_DEVICE_CAP_CIPHER_GCMP_256 = 0x00004000, } NMDeviceWifiCapabilities; /** 
@@ -398,6 +400,10 @@ typedef enum /*< underscore_name=nm_802_11_ap_flags, flags >*/ { * transition mode is supported. Since: 1.26. * @NM_802_11_AP_SEC_KEY_MGMT_EAP_SUITE_B_192: WPA3 Enterprise Suite-B 192 bit mode * is supported. Since: 1.30. + * @NM_802_11_AP_SEC_PAIR_GCMP_256: AES/GCMP-256 is supported for pairwise/unicast + * encryption. Since: 1.58. + * @NM_802_11_AP_SEC_GROUP_GCMP_256: AES/GCMP-256 is supported for group/broadcast + * encryption. Since: 1.58. * * 802.11 access point security and authentication flags. These flags describe * the current security requirements of an access point as determined from the @@ -419,6 +425,8 @@ typedef enum /*< underscore_name=nm_802_11_ap_security_flags, flags >*/ { NM_802_11_AP_SEC_KEY_MGMT_OWE = 0x00000800, NM_802_11_AP_SEC_KEY_MGMT_OWE_TM = 0x00001000, NM_802_11_AP_SEC_KEY_MGMT_EAP_SUITE_B_192 = 0x00002000, + NM_802_11_AP_SEC_PAIR_GCMP_256 = 0x00004000, + NM_802_11_AP_SEC_GROUP_GCMP_256 = 0x00008000, } NM80211ApSecurityFlags; /** diff --git a/src/libnm-core-public/nm-setting-8021x.h b/src/libnm-core-public/nm-setting-8021x.h index f22a6ee5f3..0aa40ca257 100644 --- a/src/libnm-core-public/nm-setting-8021x.h +++ b/src/libnm-core-public/nm-setting-8021x.h @@ -71,6 +71,8 @@ typedef enum { /*< underscore_name=nm_setting_802_1x_ck_scheme >*/ * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_3_DISABLE: Disable TLSv1.3. Since 1.42. * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_3_ENABLE: Enable TLSv1.3. Since 1.42. * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_TIME_CHECKS: Disable TLS time checks. Since 1.42. + * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_SUITE_B_DISABLE: Disable Suite B 192-bit constraints on TLS. Since 1.58. + * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_SUITE_B_ENABLE: Enable Suite B 192-bit constraints on TLS. Since 1.58. * @NM_SETTING_802_1X_AUTH_FLAGS_ALL: All supported flags * * #NMSetting8021xAuthFlags values indicate which authentication settings 
@@ -92,8 +94,10 @@ typedef enum /*< underscore_name=nm_setting_802_1x_auth_flags, flags >*/ { NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_1_ENABLE = 0x40, NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_2_ENABLE = 0x80, NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_3_ENABLE = 0x100, + NM_SETTING_802_1X_AUTH_FLAGS_TLS_SUITE_B_DISABLE = 0x200, + NM_SETTING_802_1X_AUTH_FLAGS_TLS_SUITE_B_ENABLE = 0x400, - NM_SETTING_802_1X_AUTH_FLAGS_ALL = 0x1FF, + NM_SETTING_802_1X_AUTH_FLAGS_ALL = 0x7FF, } NMSetting8021xAuthFlags; #define NM_TYPE_SETTING_802_1X (nm_setting_802_1x_get_type()) diff --git a/src/libnm-platform/wifi/nm-wifi-utils-nl80211.c b/src/libnm-platform/wifi/nm-wifi-utils-nl80211.c index 020c054b17..565b53b0a0 100644 --- a/src/libnm-platform/wifi/nm-wifi-utils-nl80211.c +++ b/src/libnm-platform/wifi/nm-wifi-utils-nl80211.c @@ -584,6 +584,9 @@ struct nl80211_device_info { #define WLAN_CIPHER_SUITE_WEP104 0x000FAC05 #define WLAN_CIPHER_SUITE_AES_CMAC 0x000FAC06 #define WLAN_CIPHER_SUITE_GCMP 0x000FAC08 +#define WLAN_CIPHER_SUITE_GCMP_256 0x000FAC09 +#define WLAN_CIPHER_SUITE_GMAC_128 0x000FAC11 +#define WLAN_CIPHER_SUITE_GMAC_256 0x000FAC12 #define WLAN_CIPHER_SUITE_SMS4 0x00147201 static int @@ -729,8 +732,13 @@ nl80211_wiphy_info_handler(const struct nl_msg *msg, void *arg) case WLAN_CIPHER_SUITE_CCMP: info->caps |= (_NM_WIFI_DEVICE_CAP_CIPHER_CCMP | _NM_WIFI_DEVICE_CAP_RSN); break; + case WLAN_CIPHER_SUITE_GCMP_256: + info->caps |= (_NM_WIFI_DEVICE_CAP_CIPHER_GCMP_256 | _NM_WIFI_DEVICE_CAP_RSN); + break; case WLAN_CIPHER_SUITE_AES_CMAC: case WLAN_CIPHER_SUITE_GCMP: + case WLAN_CIPHER_SUITE_GMAC_128: + case WLAN_CIPHER_SUITE_GMAC_256: case WLAN_CIPHER_SUITE_SMS4: break; default: diff --git a/src/libnm-platform/wifi/nm-wifi-utils-wext.c b/src/libnm-platform/wifi/nm-wifi-utils-wext.c index 16503430bc..45a27fdf79 100644 --- a/src/libnm-platform/wifi/nm-wifi-utils-wext.c +++ b/src/libnm-platform/wifi/nm-wifi-utils-wext.c 
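Review bot: In the `#define` hunk of nm-wifi-utils-nl80211.c, `WLAN_CIPHER_SUITE_GMAC_128 0x000FAC11` and `WLAN_CIPHER_SUITE_GMAC_256 0x000FAC12` look like decimal suite numbers written as hex digits. As far as I know the kernel numbers BIP-GMAC-128 and BIP-GMAC-256 as suite types 11 and 12 under OUI 00-0F-AC, which would be `0x000FAC0B` and `0x000FAC0C`, in line with `0x000FAC09` for GCMP-256 just above. With the current values the two new `case` labels in nl80211_wiphy_info_handler() would never match what a driver reports, and those suites would still reach the `default:` branch. Please check the values against linux/ieee80211.h.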
@@ -639,7 +639,7 @@ wext_get_range_ifname(NMWifiUtilsWext *wext, #define WPA_CAPS \ (_NM_WIFI_DEVICE_CAP_CIPHER_TKIP | _NM_WIFI_DEVICE_CAP_CIPHER_CCMP | _NM_WIFI_DEVICE_CAP_WPA \ - | _NM_WIFI_DEVICE_CAP_RSN) + | _NM_WIFI_DEVICE_CAP_RSN | _NM_WIFI_DEVICE_CAP_CIPHER_GCMP_256) static guint32 wext_get_caps(NMWifiUtilsWext *wext, const char *ifname, struct iw_range *range) @@ -658,6 +658,9 @@ wext_get_caps(NMWifiUtilsWext *wext, const char *ifname, struct iw_range *range) if (range->enc_capa & IW_ENC_CAPA_CIPHER_CCMP) caps |= _NM_WIFI_DEVICE_CAP_CIPHER_CCMP; + if (range->enc_capa & IW_ENC_CAPA_CIPHER_GCMP_256) + caps |= _NM_WIFI_DEVICE_CAP_CIPHER_GCMP_256; + if (range->enc_capa & IW_ENC_CAPA_WPA) caps |= _NM_WIFI_DEVICE_CAP_WPA; @@ -665,7 +668,7 @@ wext_get_caps(NMWifiUtilsWext *wext, const char *ifname, struct iw_range *range) caps |= _NM_WIFI_DEVICE_CAP_RSN; /* Check for cipher support but not WPA support */ - if ((caps & (_NM_WIFI_DEVICE_CAP_CIPHER_TKIP | _NM_WIFI_DEVICE_CAP_CIPHER_CCMP)) + if ((caps & (_NM_WIFI_DEVICE_CAP_CIPHER_TKIP | _NM_WIFI_DEVICE_CAP_CIPHER_CCMP | _NM_WIFI_DEVICE_CAP_CIPHER_GCMP_256)) && !(caps & (_NM_WIFI_DEVICE_CAP_WPA | _NM_WIFI_DEVICE_CAP_RSN))) { _LOGW(LOGD_WIFI, "%s: device supports WPA ciphers but not WPA protocol; WPA unavailable.", @@ -675,7 +678,7 @@ wext_get_caps(NMWifiUtilsWext *wext, const char *ifname, struct iw_range *range) /* Check for WPA support but not cipher support */ if ((caps & (_NM_WIFI_DEVICE_CAP_WPA | _NM_WIFI_DEVICE_CAP_RSN)) - && !(caps & (_NM_WIFI_DEVICE_CAP_CIPHER_TKIP | _NM_WIFI_DEVICE_CAP_CIPHER_CCMP))) { + && !(caps & (_NM_WIFI_DEVICE_CAP_CIPHER_TKIP | _NM_WIFI_DEVICE_CAP_CIPHER_CCMP | _NM_WIFI_DEVICE_CAP_CIPHER_GCMP_256))) { _LOGW(LOGD_WIFI, "%s: device supports WPA protocol but not WPA ciphers; WPA unavailable.", ifname); diff --git a/src/libnmc-setting/nm-meta-setting-desc.c b/src/libnmc-setting/nm-meta-setting-desc.c index 6c9a5c0c1b..3717095573 100644 --- a/src/libnmc-setting/nm-meta-setting-desc.c 
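Review bot: `IW_ENC_CAPA_CIPHER_GCMP_256`, tested in wext_get_caps(), is not defined anywhere in this diff. As far as I know linux/wireless.h only provides `IW_ENC_CAPA_WPA`, `IW_ENC_CAPA_WPA2`, `IW_ENC_CAPA_CIPHER_TKIP`, `IW_ENC_CAPA_CIPHER_CCMP` and `IW_ENC_CAPA_4WAY_HANDSHAKE`. If no header supplies the name, the file will not build. If it is defined locally, the bit must be one that the WEXT `enc_capa` field really uses for this cipher, otherwise an unrelated capability bit would be reported as GCMP-256 support. Dropping the new `if (range->enc_capa & IW_ENC_CAPA_CIPHER_GCMP_256)` and leaving GCMP-256 detection to the nl80211 backend may be the simpler choice.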
+++ b/src/libnmc-setting/nm-meta-setting-desc.c @@ -8750,7 +8750,7 @@ static const NMMetaPropertyInfo *const property_infos_WIRELESS_SECURITY[] = { .remove_by_value_fcn = MULTILIST_REMOVE_BY_VALUE_FCN (NMSettingWirelessSecurity, nm_setting_wireless_security_remove_pairwise_by_value), .strsplit_plain = TRUE, ), - .values_static = NM_MAKE_STRV ("tkip", "ccmp"), + .values_static = NM_MAKE_STRV ("tkip", "ccmp", "gcmp-256"), .list_items_doc_format = NM_META_PROPERTY_TYPE_FORMAT_STRING, ), ), @@ -8764,7 +8764,7 @@ static const NMMetaPropertyInfo *const property_infos_WIRELESS_SECURITY[] = { .remove_by_value_fcn = MULTILIST_REMOVE_BY_VALUE_FCN (NMSettingWirelessSecurity, nm_setting_wireless_security_remove_group_by_value), .strsplit_plain = TRUE, ), - .values_static = NM_MAKE_STRV ("wep40", "wep104", "tkip", "ccmp"), + .values_static = NM_MAKE_STRV ("wep40", "wep104", "tkip", "ccmp", "gcmp-256"), .list_items_doc_format = NM_META_PROPERTY_TYPE_FORMAT_STRING, ), ), diff --git a/src/libnmc-setting/settings-docs.h.in b/src/libnmc-setting/settings-docs.h.in index 97848c8a67..0f8a777f41 100644 --- a/src/libnmc-setting/settings-docs.h.in +++ b/src/libnmc-setting/settings-docs.h.in 
@@ -474,12 +474,12 @@ #define DESCRIBE_DOC_NM_SETTING_WIRELESS_WAKE_ON_WLAN N_("The NMSettingWirelessWakeOnWLan options to enable. Not all devices support all options. May be any combination of \"any\" (0x2), \"disconnect\" (0x4), \"magic\" (0x8), \"gtk-rekey-failure\" (0x10), \"eap-identity-request\" (0x20), \"4way-handshake\" (0x40), \"rfkill-release\" (0x80), \"tcp\" (0x100) or the special values \"default\" (0x1) (to use global settings) and \"ignore\" (0x8000) (to disable management of Wake-on-LAN in NetworkManager).") #define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_AUTH_ALG N_("When WEP is used (ie, key-mgmt = \"none\" or \"ieee8021x\") indicate the 802.11 authentication algorithm required by the AP here. One of \"open\" for Open System, \"shared\" for Shared Key, or \"leap\" for Cisco LEAP. When using Cisco LEAP (ie, key-mgmt = \"ieee8021x\" and auth-alg = \"leap\") the \"leap-username\" and \"leap-password\" properties must be specified.") #define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_FILS N_("Indicates whether Fast Initial Link Setup (802.11ai) must be enabled for the connection. One of \"default\" (0) (use global default value), \"disable\" (1) (disable FILS), \"optional\" (2) (enable FILS if the supplicant and the access point support it) or \"required\" (3) (enable FILS and fail if not supported). When set to \"default\" (0) and no global default is set, FILS will be optionally enabled.") -#define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_GROUP N_("A list of group/broadcast encryption algorithms which prevents connections to Wi-Fi networks that do not utilize one of the algorithms in the list. For maximum compatibility leave this property empty. Each list element may be one of \"wep40\", \"wep104\", \"tkip\", or \"ccmp\".") +#define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_GROUP N_("A list of group/broadcast encryption algorithms which prevents connections to Wi-Fi networks that do not utilize one of the algorithms in the list. 
For maximum compatibility leave this property empty. Each list element may be one of \"wep40\", \"wep104\", \"tkip\", \"ccmp\", or \"gcmp-256\".") #define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_KEY_MGMT N_("Key management used for the connection. One of \"none\" (WEP or no password protection), \"ieee8021x\" (Dynamic WEP), \"owe\" (Opportunistic Wireless Encryption), \"wpa-psk\" (WPA2 + WPA3 personal), \"sae\" (WPA3 personal only), \"wpa-eap\" (WPA2 + WPA3 enterprise) or \"wpa-eap-suite-b-192\" (WPA3 enterprise only). This property must be set for any Wi-Fi connection that uses security.") #define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_LEAP_PASSWORD N_("The login password for legacy LEAP connections (ie, key-mgmt = \"ieee8021x\" and auth-alg = \"leap\").") #define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_LEAP_PASSWORD_FLAGS N_("Flags indicating how to handle the \"leap-password\" property.") #define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_LEAP_USERNAME N_("The login username for legacy LEAP connections (ie, key-mgmt = \"ieee8021x\" and auth-alg = \"leap\").") -#define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_PAIRWISE N_("A list of pairwise encryption algorithms which prevents connections to Wi-Fi networks that do not utilize one of the algorithms in the list. For maximum compatibility leave this property empty. Each list element may be one of \"tkip\" or \"ccmp\".") +#define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_PAIRWISE N_("A list of pairwise encryption algorithms which prevents connections to Wi-Fi networks that do not utilize one of the algorithms in the list. For maximum compatibility leave this property empty. Each list element may be one of \"tkip\", \"ccmp\" or \"gcmp-256\".") #define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_PMF N_("Indicates whether Protected Management Frames (802.11w) must be enabled for the connection. 
One of \"default\" (0) (use global default value), \"disable\" (1) (disable PMF), \"optional\" (2) (enable PMF if the supplicant and the access point support it) or \"required\" (3) (enable PMF and fail if not supported). When set to \"default\" (0) and no global default is set, PMF will be optionally enabled.") #define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_PROTO N_("List of strings specifying the allowed WPA protocol versions to use. Each element may be one \"wpa\" (allow WPA) or \"rsn\" (allow WPA2/RSN). If not specified, both WPA and RSN connections are allowed.") #define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_PSK N_("Pre-Shared-Key for WPA networks. For WPA-PSK, it's either an ASCII passphrase of 8 to 63 characters that is (as specified in the 802.11i standard) hashed to derive the actual key, or the key in form of 64 hexadecimal character. The WPA3-Personal networks use a passphrase of any length for SAE authentication.") diff --git a/src/nmcli/devices.c b/src/nmcli/devices.c index 524e08b4a9..dfaf1c07e7 100644 --- a/src/nmcli/devices.c +++ b/src/nmcli/devices.c @@ -63,6 +63,10 @@ ap_wpa_rsn_flags_to_string(NM80211ApSecurityFlags flags, NMMetaAccessorGetType g flags_str[i++] = "wpa-eap-suite-b-192"; if (NM_FLAGS_ANY(flags, NM_802_11_AP_SEC_KEY_MGMT_OWE | NM_802_11_AP_SEC_KEY_MGMT_OWE_TM)) flags_str[i++] = "owe"; + if (flags & NM_802_11_AP_SEC_PAIR_GCMP_256) + flags_str[i++] = "pair_gcmp_256"; + if (flags & NM_802_11_AP_SEC_GROUP_GCMP_256) + flags_str[i++] = "group_gcmp_256"; /* Make sure you grow flags_str when adding items here. */ nm_assert(i < G_N_ELEMENTS(flags_str)); 
@@ -581,6 +585,9 @@ _metagen_device_detail_wifi_properties_get_fcn(NMC_META_GENERIC_INFO_GET_FCN_ARG case NMC_GENERIC_INFO_TYPE_DEVICE_DETAIL_WIFI_PROPERTIES_CCMP: return nmc_meta_generic_get_bool(NM_FLAGS_HAS(wcaps, NM_WIFI_DEVICE_CAP_CIPHER_CCMP), get_type); + case NMC_GENERIC_INFO_TYPE_DEVICE_DETAIL_WIFI_PROPERTIES_GCMP_256: + return nmc_meta_generic_get_bool(NM_FLAGS_HAS(wcaps, NM_WIFI_DEVICE_CAP_CIPHER_GCMP_256), + get_type); case NMC_GENERIC_INFO_TYPE_DEVICE_DETAIL_WIFI_PROPERTIES_AP: return nmc_meta_generic_get_bool(NM_FLAGS_HAS(wcaps, NM_WIFI_DEVICE_CAP_AP), get_type); case NMC_GENERIC_INFO_TYPE_DEVICE_DETAIL_WIFI_PROPERTIES_ADHOC: @@ -637,6 +644,9 @@ const NmcMetaGenericInfo *const _METAGEN_DEVICE_DETAIL_WIFI_PROPERTIES( NMC_GENERIC_INFO_TYPE_DEVICE_DETAIL_WIFI_PROPERTIES_CCMP, "CCMP"), + _METAGEN_DEVICE_DETAIL_WIFI_PROPERTIES( + NMC_GENERIC_INFO_TYPE_DEVICE_DETAIL_WIFI_PROPERTIES_GCMP_256, + "GCMP-256"), _METAGEN_DEVICE_DETAIL_WIFI_PROPERTIES( NMC_GENERIC_INFO_TYPE_DEVICE_DETAIL_WIFI_PROPERTIES_AP, "AP"), diff --git a/src/nmcli/gen-metadata-nm-settings-nmcli.xml.in b/src/nmcli/gen-metadata-nm-settings-nmcli.xml.in index 8b98e95e24..d0917d22d4 100644 --- a/src/nmcli/gen-metadata-nm-settings-nmcli.xml.in +++ b/src/nmcli/gen-metadata-nm-settings-nmcli.xml.in @@ -113,13 +113,13 @@ format="list of strings" values="wpa, rsn" /> + values="tkip, ccmp, gcmp-256" /> + values="wep40, wep104, tkip, ccmp, gcmp-256" />