supplicant/config: Make sure PMF gets enabled with wpa-eap-suite-b-192

wpa-eap-suite-b-192 key-mgmt method uses special values for "pairwise" and "group" ciphers, we can also handle that a few lines underneath where those are set to make this a bit easier to read. We currently set the supplicants PMF config (ieee80211w) inside an if block that tries to detect whether WPA is used. That if-block doesn't include the "wpa-eap-suite-b-192" case because we want special "pairwise" and "group" handling for wpa-eap-suite-b-192. This means we're currently missing to enable PMF in the "wpa-eap-suite-b-192" case, even though it's set to REQUIRED. Fix it by moving the "pairwise" and "group" special-casing down a bit so we can include "wpa-eap-suite-b-192" in the "Only WPA-specific things when using WPA" check, that will make sure ieee80211w gets set in the wpa-eap-suite-b-192 case.
2026-01-05 03:20:18 +01:00 · 2021-04-23 17:10:43 +02:00 · 2021-04-23 17:10:43 +02:00 · b876e76518
commit b876e76518
parent aab56adeea
2 changed files with 33 additions and 27 deletions
--- a/src/core/supplicant/nm-supplicant-config.c
+++ b/src/core/supplicant/nm-supplicant-config.c
@ -883,9 +883,6 @@ nm_supplicant_config_add_setting_wireless_security(NMSupplicantConfig *
            g_string_append(key_mgmt_conf, " ft-sae");
    } else if (nm_streq(key_mgmt, "wpa-eap-suite-b-192")) {
        pmf = NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED;
-        if (!nm_supplicant_config_add_option(self, "pairwise", "GCMP-256", -1, NULL, error)
-            || !nm_supplicant_config_add_option(self, "group", "GCMP-256", -1, NULL, error))
-            return FALSE;
    }

    if (!add_string_val(self, key_mgmt_conf->str, "key_mgmt", TRUE, NULL, error))
@ -968,7 +965,7 @@ nm_supplicant_config_add_setting_wireless_security(NMSupplicantConfig *
    }

    /* Only WPA-specific things when using WPA */
-    if (NM_IN_STRSET(key_mgmt, "wpa-psk", "wpa-eap", "sae", "owe")) {
+    if (NM_IN_STRSET(key_mgmt, "owe", "wpa-psk", "sae", "wpa-eap", "wpa-eap-suite-b-192")) {
        if (!ADD_STRING_LIST_VAL(self,
                                 setting,
                                 wireless_security,
@ -980,28 +977,36 @@ nm_supplicant_config_add_setting_wireless_security(NMSupplicantConfig *
                                 NULL,
                                 error))
            return FALSE;
-        if (!ADD_STRING_LIST_VAL(self,
-                                 setting,
-                                 wireless_security,
-                                 pairwise,
-                                 pairwise,
-                                 "pairwise",
-                                 ' ',
-                                 TRUE,
-                                 NULL,
-                                 error))
-            return FALSE;
-        if (!ADD_STRING_LIST_VAL(self,
-                                 setting,
-                                 wireless_security,
-                                 group,
-                                 groups,
-                                 "group",
-                                 ' ',
-                                 TRUE,
-                                 NULL,
-                                 error))
-            return FALSE;
+
+        if (nm_streq(key_mgmt, "wpa-eap-suite-b-192")) {
+            if (!nm_supplicant_config_add_option(self, "pairwise", "GCMP-256", -1, NULL, error))
+                return FALSE;
+            if (!nm_supplicant_config_add_option(self, "group", "GCMP-256", -1, NULL, error))
+                return FALSE;
+        } else {
+            if (!ADD_STRING_LIST_VAL(self,
+                                     setting,
+                                     wireless_security,
+                                     pairwise,
+                                     pairwise,
+                                     "pairwise",
+                                     ' ',
+                                     TRUE,
+                                     NULL,
+                                     error))
+                return FALSE;
+            if (!ADD_STRING_LIST_VAL(self,
+                                     setting,
+                                     wireless_security,
+                                     group,
+                                     groups,
+                                     "group",
+                                     ' ',
+                                     TRUE,
+                                     NULL,
+                                     error))
+                return FALSE;
+        }

        /* We set the supplicants global "pmf" config value to "1" (optional),
         * so no need to set it network-specific again if PMF_OPTIONAL is set.
--- a/src/core/supplicant/tests/test-supplicant-config.c
+++ b/src/core/supplicant/tests/test-supplicant-config.c
@ -815,9 +815,10 @@ test_wifi_eap_suite_b_generation(void)
    NMTST_EXPECT_NM_INFO("Config: added 'scan_ssid' value '1'*");
    NMTST_EXPECT_NM_INFO("Config: added 'bssid' value '11:22:33:44:55:66'*");
    NMTST_EXPECT_NM_INFO("Config: added 'freq_list' value *");
+    NMTST_EXPECT_NM_INFO("Config: added 'key_mgmt' value 'WPA-EAP-SUITE-B-192'");
    NMTST_EXPECT_NM_INFO("Config: added 'pairwise' value 'GCMP-256'");
    NMTST_EXPECT_NM_INFO("Config: added 'group' value 'GCMP-256'");
-    NMTST_EXPECT_NM_INFO("Config: added 'key_mgmt' value 'WPA-EAP-SUITE-B-192'");
+    NMTST_EXPECT_NM_INFO("Config: added 'ieee80211w' value '2'");
    NMTST_EXPECT_NM_INFO("Config: added 'eap' value 'TLS'");
    NMTST_EXPECT_NM_INFO("Config: added 'fragment_size' value '1086'");
    NMTST_EXPECT_NM_INFO("Config: added 'ca_cert' value '*/test-ca-cert.pem'");