iwd: Match IWD networks to existing OWE and SAE connection

IWD's "open" networks can be either unsecured or use OWE and "psk" networks may be using WPA2 personal or WPA3 personal so when looking for an exsiting NMSettingsConnection matching an IWD KnownNetwork, also check for these connection key_mgmt types. Add explicit checks for AP and ADHOC connection modes to exclude OWE and SAE as they're not supported by IWD in those modes and we don't want to make it appear like a connection of this type was successfully activated. In Infrastructure mode there's won't be any way to know whether IWDxi established an OWE or unsecured connection (or WPA2-PSK vs. SAE) regardless of what was set in the NMConnection and it's not considered to be meaningful (also isn't normally exposed in a GUI) although you could argue OWE vs. unsecured is a big difference.
2025-12-24 21:50:17 +01:00 · 2020-11-19 03:50:51 +01:00 · 2020-11-19 03:50:51 +01:00 · 9fd0f0c4fa
commit 9fd0f0c4fa
parent 4aea512b15
2 changed files with 25 additions and 3 deletions
--- a/src/core/devices/wifi/nm-device-iwd.c
+++ b/src/core/devices/wifi/nm-device-iwd.c
@ -798,6 +798,9 @@ check_connection_compatible(NMDevice *device, NMConnection *connection, GError *
            return FALSE;
        }
    } else if (nm_streq(mode, NM_SETTING_WIRELESS_MODE_AP)) {
+        NMSettingWirelessSecurity *s_wireless_sec =
+            nm_connection_get_setting_wireless_security(connection);
+
        if (!(priv->capabilities & NM_WIFI_DEVICE_CAP_AP)) {
            nm_utils_error_set_literal(error,
                                       NM_UTILS_ERROR_CONNECTION_AVAILABLE_INCOMPATIBLE,
@ -805,13 +808,17 @@ check_connection_compatible(NMDevice *device, NMConnection *connection, GError *
            return FALSE;
        }

-        if (!NM_IN_SET(security, NM_IWD_NETWORK_SECURITY_PSK)) {
+        if (!NM_IN_SET(security, NM_IWD_NETWORK_SECURITY_PSK) || !s_wireless_sec
+            || !nm_streq0(nm_setting_wireless_security_get_key_mgmt(s_wireless_sec), "wpa-psk")) {
            nm_utils_error_set_literal(error,
                                       NM_UTILS_ERROR_CONNECTION_AVAILABLE_INCOMPATIBLE,
                                       "IWD backend only supports PSK authentication in AP mode");
            return FALSE;
        }
    } else if (nm_streq(mode, NM_SETTING_WIRELESS_MODE_ADHOC)) {
+        NMSettingWirelessSecurity *s_wireless_sec =
+            nm_connection_get_setting_wireless_security(connection);
+
        if (!(priv->capabilities & NM_WIFI_DEVICE_CAP_ADHOC)) {
            nm_utils_error_set_literal(error,
                                       NM_UTILS_ERROR_CONNECTION_AVAILABLE_INCOMPATIBLE,
@ -819,7 +826,10 @@ check_connection_compatible(NMDevice *device, NMConnection *connection, GError *
            return FALSE;
        }

-        if (!NM_IN_SET(security, NM_IWD_NETWORK_SECURITY_OPEN, NM_IWD_NETWORK_SECURITY_PSK)) {
+        if (!NM_IN_SET(security, NM_IWD_NETWORK_SECURITY_OPEN, NM_IWD_NETWORK_SECURITY_PSK)
+            || (s_wireless_sec
+                && !nm_streq0(nm_setting_wireless_security_get_key_mgmt(s_wireless_sec),
+                              "wpa-psk"))) {
            nm_utils_error_set_literal(
                error,
                NM_UTILS_ERROR_CONNECTION_AVAILABLE_INCOMPATIBLE,
@ -2234,6 +2244,7 @@ act_stage2_config(NMDevice *device, NMDeviceStateReason *out_failure_reason)
    if (NM_IN_STRSET(mode, NULL, NM_SETTING_WIRELESS_MODE_INFRA)) {
        gs_unref_object GDBusProxy *network_proxy = NULL;
        NMWifiAP *                  ap            = priv->current_ap;
+        NMSettingWirelessSecurity * s_wireless_sec;

        if (!ap) {
            NM_SET_OUT(out_failure_reason, NM_DEVICE_STATE_REASON_SUPPLICANT_FAILED);
@ -2335,6 +2346,15 @@ act_stage2_config(NMDevice *device, NMDeviceStateReason *out_failure_reason)
        if (!priv->cancellable)
            priv->cancellable = g_cancellable_new();

+        s_wireless_sec = nm_connection_get_setting_wireless_security(connection);
+        if (s_wireless_sec
+            && nm_streq0(nm_setting_wireless_security_get_key_mgmt(s_wireless_sec), "owe")) {
+            _LOGI(LOGD_WIFI,
+                  "An OWE connection is requested but IWD may connect to either an OWE "
+                  "or unsecured network and there won't be any indication of whether "
+                  "encryption is in use -- proceed at your own risk!");
+        }
+
        /* Call Network.Connect.  No timeout because IWD already handles
         * timeouts.
         */
--- a/src/core/devices/wifi/nm-wifi-utils.c
+++ b/src/core/devices/wifi/nm-wifi-utils.c
@ -932,7 +932,9 @@ nm_wifi_connection_get_iwd_ssid_and_security(NMConnection *        connection,

    if (NM_IN_STRSET(key_mgmt, "none", "ieee8021x"))
        NM_SET_OUT(security, NM_IWD_NETWORK_SECURITY_WEP);
-    else if (nm_streq(key_mgmt, "wpa-psk"))
+    else if (nm_streq(key_mgmt, "owe"))
+        NM_SET_OUT(security, NM_IWD_NETWORK_SECURITY_OPEN);
+    else if (NM_IN_STRSET(key_mgmt, "wpa-psk", "sae"))
        NM_SET_OUT(security, NM_IWD_NETWORK_SECURITY_PSK);
    else if (nm_streq(key_mgmt, "wpa-eap"))
        NM_SET_OUT(security, NM_IWD_NETWORK_SECURITY_8021X);