wifi: disable FT in AP mode

Currently wpa_supplicant doesn't support FT in AP mode. FT-PSK and FT-EAP are simply not negotiated with the STA. FT-SAE gets negotiated but then the key derivation is not supported, leading to a authentication failure. Even if support for FT in AP mode is introduced in wpa_supplicant in the future, it will require additional parameters as the nas identifier and the mobility domain, which are currently not provided by NM. Disable all FT key-mgmts in AP mode since they are useless and cause issues (FT-SAE). See-also: https://mail.gnome.org/archives/networkmanager-list/2022-March/msg00016.html See-also: http://lists.infradead.org/pipermail/hostap/2022-April/040352.html https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1184 (cherry picked from commit 82980f7791)
2025-12-29 03:20:11 +01:00 · 2022-04-08 08:34:38 +02:00 · 2022-04-08 08:34:38 +02:00 · a66e054bd6
commit a66e054bd6
parent 2ed877049b
4 changed files with 27 additions and 14 deletions
--- a/src/core/devices/wifi/nm-device-wifi.c
+++ b/src/core/devices/wifi/nm-device-wifi.c
@ -2952,14 +2952,16 @@ build_supplicant_config(NMDeviceWifi *self,
        }

        s_8021x = nm_connection_get_setting_802_1x(connection);
-        if (!nm_supplicant_config_add_setting_wireless_security(config,
-                                                                s_wireless_sec,
-                                                                s_8021x,
-                                                                con_uuid,
-                                                                mtu,
-                                                                pmf,
-                                                                fils,
-                                                                error)) {
+        if (!nm_supplicant_config_add_setting_wireless_security(
+                config,
+                s_wireless_sec,
+                s_8021x,
+                con_uuid,
+                nm_setting_wireless_get_mode(s_wireless),
+                mtu,
+                pmf,
+                fils,
+                error)) {
            g_prefix_error(error, "802-11-wireless-security: ");
            goto error;
        }
--- a/src/core/supplicant/nm-supplicant-config.c
+++ b/src/core/supplicant/nm-supplicant-config.c
@ -805,6 +805,7 @@ nm_supplicant_config_add_setting_wireless_security(NMSupplicantConfig
                                                   NMSettingWirelessSecurity    *setting,
                                                   NMSetting8021x               *setting_8021x,
                                                   const char                   *con_uuid,
+                                                   const char                   *mode,
                                                   guint32                       mtu,
                                                   NMSettingWirelessSecurityPmf  pmf,
                                                   NMSettingWirelessSecurityFils fils,
@ -815,12 +816,20 @@ nm_supplicant_config_add_setting_wireless_security(NMSupplicantConfig
    const char                   *key_mgmt, *auth_alg;
    const char                   *psk;
    gboolean                      set_pmf, wps_disabled;
+    gboolean                      is_ap;

    g_return_val_if_fail(NM_IS_SUPPLICANT_CONFIG(self), FALSE);
    g_return_val_if_fail(setting != NULL, FALSE);
    g_return_val_if_fail(con_uuid != NULL, FALSE);
    g_return_val_if_fail(!error || !*error, FALSE);

+    /* Currently wpa_supplicant doesn't support FT in AP mode. Even
+     * if it did, it  would require additional parameters as the nas
+     * identifier and the mobility domain. Therefore we disable all
+     * FT key-mgmts in AP mode.
+     */
+    is_ap = nm_streq0(mode, NM_SETTING_WIRELESS_MODE_AP);
+
    /* Check if we actually support FILS */
    if (!_get_capability(priv, NM_SUPPL_CAP_TYPE_FILS)) {
        if (fils == NM_SETTING_WIRELESS_SECURITY_FILS_REQUIRED) {
@ -852,7 +861,7 @@ nm_supplicant_config_add_setting_wireless_security(NMSupplicantConfig
            g_string_append(key_mgmt_conf, "WPA-PSK");
        if (_get_capability(priv, NM_SUPPL_CAP_TYPE_PMF))
            g_string_append(key_mgmt_conf, " WPA-PSK-SHA256");
-        if (_get_capability(priv, NM_SUPPL_CAP_TYPE_FT))
+        if (!is_ap && _get_capability(priv, NM_SUPPL_CAP_TYPE_FT))
            g_string_append(key_mgmt_conf, " FT-PSK");

        /* For NM "key-mgmt=wpa-psk" doesn't strictly mean WPA1/wPA2 only,
@ -873,7 +882,7 @@ nm_supplicant_config_add_setting_wireless_security(NMSupplicantConfig
            && _get_capability(priv, NM_SUPPL_CAP_TYPE_PMF)
            && _get_capability(priv, NM_SUPPL_CAP_TYPE_BIP)) {
            g_string_append(key_mgmt_conf, " SAE");
-            if (_get_capability(priv, NM_SUPPL_CAP_TYPE_FT))
+            if (!is_ap && _get_capability(priv, NM_SUPPL_CAP_TYPE_FT))
                g_string_append(key_mgmt_conf, " FT-SAE");
        }

@ -881,13 +890,13 @@ nm_supplicant_config_add_setting_wireless_security(NMSupplicantConfig
        pmf = NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED;

        g_string_append(key_mgmt_conf, "SAE");
-        if (_get_capability(priv, NM_SUPPL_CAP_TYPE_FT))
+        if (!is_ap && _get_capability(priv, NM_SUPPL_CAP_TYPE_FT))
            g_string_append(key_mgmt_conf, " FT-SAE");

    } else if (nm_streq(key_mgmt, "wpa-eap")) {
        if (pmf != NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED)
            g_string_append(key_mgmt_conf, "WPA-EAP");
-        if (_get_capability(priv, NM_SUPPL_CAP_TYPE_FT)) {
+        if (!is_ap && _get_capability(priv, NM_SUPPL_CAP_TYPE_FT)) {
            g_string_append(key_mgmt_conf, " FT-EAP");
            if (_get_capability(priv, NM_SUPPL_CAP_TYPE_SHA384))
                g_string_append(key_mgmt_conf, " FT-EAP-SHA384");
@ -908,7 +917,7 @@ nm_supplicant_config_add_setting_wireless_security(NMSupplicantConfig
        case NM_SETTING_WIRELESS_SECURITY_FILS_OPTIONAL:
            if (_get_capability(priv, NM_SUPPL_CAP_TYPE_PMF)) {
                g_string_append(key_mgmt_conf, " FILS-SHA256 FILS-SHA384");
-                if (_get_capability(priv, NM_SUPPL_CAP_TYPE_FT)) {
+                if (!is_ap && _get_capability(priv, NM_SUPPL_CAP_TYPE_FT)) {
                    g_string_append(key_mgmt_conf, " FT-FILS-SHA256");
                    if (_get_capability(priv, NM_SUPPL_CAP_TYPE_SHA384))
                        g_string_append(key_mgmt_conf, " FT-FILS-SHA384");
@ -924,7 +933,7 @@ nm_supplicant_config_add_setting_wireless_security(NMSupplicantConfig
        pmf = NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED;

        g_string_append(key_mgmt_conf, "WPA-EAP-SUITE-B-192");
-        if (_get_capability(priv, NM_SUPPL_CAP_TYPE_FT)
+        if (!is_ap && _get_capability(priv, NM_SUPPL_CAP_TYPE_FT)
            && _get_capability(priv, NM_SUPPL_CAP_TYPE_SHA384))
            g_string_append(key_mgmt_conf, " FT-EAP-SHA384");
    }
--- a/src/core/supplicant/nm-supplicant-config.h
+++ b/src/core/supplicant/nm-supplicant-config.h
@ -51,6 +51,7 @@ gboolean nm_supplicant_config_add_setting_wireless_security(NMSupplicantConfig
                                                            NMSettingWirelessSecurity *setting,
                                                            NMSetting8021x *setting_8021x,
                                                            const char     *con_uuid,
+                                                            const char     *mode,
                                                            guint32         mtu,
                                                            NMSettingWirelessSecurityPmf  pmf,
                                                            NMSettingWirelessSecurityFils fils,
--- a/src/core/supplicant/tests/test-supplicant-config.c
+++ b/src/core/supplicant/tests/test-supplicant-config.c
@ -116,6 +116,7 @@ build_supplicant_config(NMConnection  *connection,
                                                               s_wsec,
                                                               s_8021x,
                                                               nm_connection_get_uuid(connection),
+                                                               nm_setting_wireless_get_mode(s_wifi),
                                                               mtu,
                                                               pmf,
                                                               fils,