libnm-core: Don't allow disabling PMF when using WPA3 key management

Modern WPA3 authentication methods like SAE and WPA-EAP-SUITE-B-192 need to have management frame protection set to required according to the standard. Since the last commit, we enforce this automatically when key-mgmt is set to 'owe', 'sae' or 'wpa-eap-suite-b-192', so disabling it manually should not be possible. Add a check to the pmf property that makes sure it can't be set to 'disabled' or 'optional' when one of those key-mgmt methods is used.
2025-12-27 18:40:09 +01:00 · 2021-04-23 16:39:44 +02:00 · 2021-04-23 16:39:44 +02:00 · a4b95a9fcd
commit a4b95a9fcd
parent 8816cfe736
1 changed files with 16 additions and 0 deletions
--- a/src/libnm-core-impl/nm-setting-wireless-security.c
+++ b/src/libnm-core-impl/nm-setting-wireless-security.c
@ -1117,6 +1117,22 @@ verify(NMSetting *setting, NMConnection *connection, GError **error)
        return FALSE;
    }

+    if (NM_IN_STRSET(priv->key_mgmt, "owe", "sae", "wpa-eap-suite-b-192")
+        && !NM_IN_SET(priv->pmf,
+                      NM_SETTING_WIRELESS_SECURITY_PMF_DEFAULT,
+                      NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED)) {
+        g_set_error(error,
+                    NM_CONNECTION_ERROR,
+                    NM_CONNECTION_ERROR_INVALID_PROPERTY,
+                    _("pmf can only be 'default' or 'required' when using 'owe', 'sae' or "
+                      "'wpa-eap-suite-b-192' key management"));
+        g_prefix_error(error,
+                       "%s.%s: ",
+                       NM_SETTING_WIRELESS_SECURITY_SETTING_NAME,
+                       NM_SETTING_WIRELESS_SECURITY_PMF);
+        return FALSE;
+    }
+
    if (!_nm_utils_wps_method_validate(priv->wps_method,
                                       NM_SETTING_WIRELESS_SECURITY_SETTING_NAME,
                                       NM_SETTING_WIRELESS_SECURITY_WPS_METHOD,