wifi: merge branch 'balrog-kun:write-iwd-configs' (part 1)

https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/695
This commit is contained in:
Thomas Haller 2021-02-09 17:09:43 +01:00
commit b9756df2c6
No known key found for this signature in database
GPG key ID: 29C2366E4DFC5728
7 changed files with 54 additions and 27 deletions


@ -145,9 +145,9 @@
<property name="phase1-auth-flags"
description="Specifies authentication flags to use in &quot;phase 1&quot; outer authentication using NMSetting8021xAuthFlags options. The individual TLS versions can be explicitly disabled. If a certain TLS disable flag is not set, it is up to the supplicant to allow or forbid it. The TLS options map to tls_disable_tlsv1_x settings. See the wpa_supplicant documentation for more details." />
<property name="phase2-auth"
description="Specifies the allowed &quot;phase 2&quot; inner non-EAP authentication method when an EAP method that uses an inner TLS tunnel is specified in the &quot;eap&quot; property. Recognized non-EAP &quot;phase 2&quot; methods are &quot;pap&quot;, &quot;chap&quot;, &quot;mschap&quot;, &quot;mschapv2&quot;, &quot;gtc&quot;, &quot;otp&quot;, &quot;md5&quot;, and &quot;tls&quot;. Each &quot;phase 2&quot; inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details." />
description="Specifies the allowed &quot;phase 2&quot; inner authentication method when an EAP method that uses an inner TLS tunnel is specified in the &quot;eap&quot; property. For TTLS this property selects one of the supported non-EAP inner methods: &quot;pap&quot;, &quot;chap&quot;, &quot;mschap&quot;, &quot;mschapv2&quot; while &quot;phase2-autheap&quot; selects an EAP inner method. For PEAP this selects an inner EAP method, one of: &quot;gtc&quot;, &quot;otp&quot;, &quot;md5&quot; and &quot;tls&quot;. Each &quot;phase 2&quot; inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details. Both &quot;phase2-auth&quot; and &quot;phase2-autheap&quot; cannot be specified." />
<property name="phase2-autheap"
description="Specifies the allowed &quot;phase 2&quot; inner EAP-based authentication method when an EAP method that uses an inner TLS tunnel is specified in the &quot;eap&quot; property. Recognized EAP-based &quot;phase 2&quot; methods are &quot;md5&quot;, &quot;mschapv2&quot;, &quot;otp&quot;, &quot;gtc&quot;, and &quot;tls&quot;. Each &quot;phase 2&quot; inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details." />
description="Specifies the allowed &quot;phase 2&quot; inner EAP-based authentication method when TTLS is specified in the &quot;eap&quot; property. Recognized EAP-based &quot;phase 2&quot; methods are &quot;md5&quot;, &quot;mschapv2&quot;, &quot;otp&quot;, &quot;gtc&quot;, and &quot;tls&quot;. Each &quot;phase 2&quot; inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details." />
<property name="phase2-ca-cert"
description="Contains the &quot;phase 2&quot; CA certificate if used by the EAP method specified in the &quot;phase2-auth&quot; or &quot;phase2-autheap&quot; properties. Certificate data is specified using a &quot;scheme&quot;; three are currently supported: blob, path and pkcs#11 URL. When using the blob scheme this property should be set to the certificate&apos;s DER encoded data. When using the path scheme, this property should be set to the full UTF-8 encoded path of the certificate, prefixed with the string &quot;file://&quot; and ending with a terminating NUL byte. This property can be unset even if the EAP method supports CA certificates, but this allows man-in-the-middle attacks and is NOT recommended. Note that enabling NMSetting8021x:system-ca-certs will override this setting to use the built-in path, if the built-in path is not a directory." />
<property name="phase2-ca-cert-password"


@ -67,8 +67,8 @@
#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE1_PEAPLABEL N_("Forces use of the new PEAP label during key derivation. Some RADIUS servers may require forcing the new PEAP label to interoperate with PEAPv1. Set to \"1\" to force use of the new PEAP label. See the wpa_supplicant documentation for more details.")
#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE1_PEAPVER N_("Forces which PEAP version is used when PEAP is set as the EAP method in the \"eap\" property. When unset, the version reported by the server will be used. Sometimes when using older RADIUS servers, it is necessary to force the client to use a particular PEAP version. To do so, this property may be set to \"0\" or \"1\" to force that specific PEAP version.")
#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_ALTSUBJECT_MATCHES N_("List of strings to be matched against the altSubjectName of the certificate presented by the authentication server during the inner \"phase 2\" authentication. If the list is empty, no verification of the server certificate's altSubjectName is performed.")
#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_AUTH N_("Specifies the allowed \"phase 2\" inner non-EAP authentication method when an EAP method that uses an inner TLS tunnel is specified in the \"eap\" property. Recognized non-EAP \"phase 2\" methods are \"pap\", \"chap\", \"mschap\", \"mschapv2\", \"gtc\", \"otp\", \"md5\", and \"tls\". Each \"phase 2\" inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details.")
#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_AUTHEAP N_("Specifies the allowed \"phase 2\" inner EAP-based authentication method when an EAP method that uses an inner TLS tunnel is specified in the \"eap\" property. Recognized EAP-based \"phase 2\" methods are \"md5\", \"mschapv2\", \"otp\", \"gtc\", and \"tls\". Each \"phase 2\" inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details.")
#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_AUTH N_("Specifies the allowed \"phase 2\" inner authentication method when an EAP method that uses an inner TLS tunnel is specified in the \"eap\" property. For TTLS this property selects one of the supported non-EAP inner methods: \"pap\", \"chap\", \"mschap\", \"mschapv2\" while \"phase2-autheap\" selects an EAP inner method. For PEAP this selects an inner EAP method, one of: \"gtc\", \"otp\", \"md5\" and \"tls\". Each \"phase 2\" inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details. Both \"phase2-auth\" and \"phase2-autheap\" cannot be specified.")
#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_AUTHEAP N_("Specifies the allowed \"phase 2\" inner EAP-based authentication method when TTLS is specified in the \"eap\" property. Recognized EAP-based \"phase 2\" methods are \"md5\", \"mschapv2\", \"otp\", \"gtc\", and \"tls\". Each \"phase 2\" inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details.")
#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_CA_CERT N_("Contains the \"phase 2\" CA certificate if used by the EAP method specified in the \"phase2-auth\" or \"phase2-autheap\" properties. Certificate data is specified using a \"scheme\"; three are currently supported: blob, path and pkcs#11 URL. When using the blob scheme this property should be set to the certificate's DER encoded data. When using the path scheme, this property should be set to the full UTF-8 encoded path of the certificate, prefixed with the string \"file://\" and ending with a terminating NUL byte. This property can be unset even if the EAP method supports CA certificates, but this allows man-in-the-middle attacks and is NOT recommended. Note that enabling NMSetting8021x:system-ca-certs will override this setting to use the built-in path, if the built-in path is not a directory.")
#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD N_("The password used to access the \"phase2\" CA certificate stored in \"phase2-ca-cert\" property. Only makes sense if the certificate is stored on a PKCS#11 token that requires a login.")
#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD_FLAGS N_("Flags indicating how to handle the \"phase2-ca-cert-password\" property.")


@ -3998,19 +3998,24 @@ nm_setting_802_1x_class_init(NMSetting8021xClass *klass)
/**
* NMSetting8021x:phase2-auth:
*
* Specifies the allowed "phase 2" inner non-EAP authentication method when
* an EAP method that uses an inner TLS tunnel is specified in the
* #NMSetting8021x:eap property. Recognized non-EAP "phase 2" methods are
* "pap", "chap", "mschap", "mschapv2", "gtc", "otp", "md5", and "tls".
* Specifies the allowed "phase 2" inner authentication method when an EAP
* method that uses an inner TLS tunnel is specified in the #NMSetting8021x:eap
* property. For TTLS this property selects one of the supported non-EAP
* inner methods: "pap", "chap", "mschap", "mschapv2" while
* #NMSetting8021x:phase2-autheap selects an EAP inner method. For PEAP
* this selects an inner EAP method, one of: "gtc", "otp", "md5" and "tls".
* Each "phase 2" inner method requires specific parameters for successful
* authentication; see the wpa_supplicant documentation for more details.
* Both #NMSetting8021x:phase2-auth and #NMSetting8021x:phase2-autheap cannot
* be specified.
**/
/* ---ifcfg-rh---
* property: phase2-auth
* variable: IEEE_8021X_INNER_AUTH_METHODS(+)
* values: "PAP", "CHAP", "MSCHAP", "MSCHAPV2", "GTC", "OTP", "MD5" and "TLS"
* description: Inner non-EAP authentication methods. IEEE_8021X_INNER_AUTH_METHODS
* can contain values both for 'phase2-auth' and 'phase2-autheap' properties.
* description: Inner non-EAP authentication methods for TTLS or the inner EAP
* authentication method for PEAP. IEEE_8021X_INNER_AUTH_METHODS can contain
* values both for 'phase2-auth' and 'phase2-autheap' properties.
* example: IEEE_8021X_INNER_AUTH_METHODS=PAP
* ---end---
*/
@ -4025,11 +4030,11 @@ nm_setting_802_1x_class_init(NMSetting8021xClass *klass)
* NMSetting8021x:phase2-autheap:
*
* Specifies the allowed "phase 2" inner EAP-based authentication method
* when an EAP method that uses an inner TLS tunnel is specified in the
* #NMSetting8021x:eap property. Recognized EAP-based "phase 2" methods are
* "md5", "mschapv2", "otp", "gtc", and "tls". Each "phase 2" inner method
* requires specific parameters for successful authentication; see the
* wpa_supplicant documentation for more details.
* when TTLS is specified in the #NMSetting8021x:eap property. Recognized
* EAP-based "phase 2" methods are "md5", "mschapv2", "otp", "gtc", and
* "tls". Each "phase 2" inner method requires specific parameters for
* successful authentication; see the wpa_supplicant documentation for
* more details.
**/
/* ---ifcfg-rh---
* property: phase2-autheap


@ -789,7 +789,7 @@ check_connection_compatible(NMDevice *device, NMConnection *connection, GError *
return FALSE;
}
} else if (!NM_IN_SET(security,
NM_IWD_NETWORK_SECURITY_NONE,
NM_IWD_NETWORK_SECURITY_OPEN,
NM_IWD_NETWORK_SECURITY_PSK)) {
nm_utils_error_set_literal(error,
NM_UTILS_ERROR_CONNECTION_AVAILABLE_INCOMPATIBLE,
@ -798,6 +798,9 @@ check_connection_compatible(NMDevice *device, NMConnection *connection, GError *
return FALSE;
}
} else if (nm_streq(mode, NM_SETTING_WIRELESS_MODE_AP)) {
NMSettingWirelessSecurity *s_wireless_sec =
nm_connection_get_setting_wireless_security(connection);
if (!(priv->capabilities & NM_WIFI_DEVICE_CAP_AP)) {
nm_utils_error_set_literal(error,
NM_UTILS_ERROR_CONNECTION_AVAILABLE_INCOMPATIBLE,
@ -805,13 +808,17 @@ check_connection_compatible(NMDevice *device, NMConnection *connection, GError *
return FALSE;
}
if (!NM_IN_SET(security, NM_IWD_NETWORK_SECURITY_PSK)) {
if (!NM_IN_SET(security, NM_IWD_NETWORK_SECURITY_PSK) || !s_wireless_sec
|| !nm_streq0(nm_setting_wireless_security_get_key_mgmt(s_wireless_sec), "wpa-psk")) {
nm_utils_error_set_literal(error,
NM_UTILS_ERROR_CONNECTION_AVAILABLE_INCOMPATIBLE,
"IWD backend only supports PSK authentication in AP mode");
return FALSE;
}
} else if (nm_streq(mode, NM_SETTING_WIRELESS_MODE_ADHOC)) {
NMSettingWirelessSecurity *s_wireless_sec =
nm_connection_get_setting_wireless_security(connection);
if (!(priv->capabilities & NM_WIFI_DEVICE_CAP_ADHOC)) {
nm_utils_error_set_literal(error,
NM_UTILS_ERROR_CONNECTION_AVAILABLE_INCOMPATIBLE,
@ -819,7 +826,10 @@ check_connection_compatible(NMDevice *device, NMConnection *connection, GError *
return FALSE;
}
if (!NM_IN_SET(security, NM_IWD_NETWORK_SECURITY_NONE, NM_IWD_NETWORK_SECURITY_PSK)) {
if (!NM_IN_SET(security, NM_IWD_NETWORK_SECURITY_OPEN, NM_IWD_NETWORK_SECURITY_PSK)
|| (s_wireless_sec
&& !nm_streq0(nm_setting_wireless_security_get_key_mgmt(s_wireless_sec),
"wpa-psk"))) {
nm_utils_error_set_literal(
error,
NM_UTILS_ERROR_CONNECTION_AVAILABLE_INCOMPATIBLE,
@ -1740,7 +1750,7 @@ act_check_interface(NMDeviceIwd *self)
&security))
goto failed;
if (security == NM_IWD_NETWORK_SECURITY_NONE) {
if (security == NM_IWD_NETWORK_SECURITY_OPEN) {
g_dbus_proxy_call(proxy,
"StartOpen",
g_variant_new("(s)", ssid),
@ -2234,6 +2244,7 @@ act_stage2_config(NMDevice *device, NMDeviceStateReason *out_failure_reason)
if (NM_IN_STRSET(mode, NULL, NM_SETTING_WIRELESS_MODE_INFRA)) {
gs_unref_object GDBusProxy *network_proxy = NULL;
NMWifiAP * ap = priv->current_ap;
NMSettingWirelessSecurity * s_wireless_sec;
if (!ap) {
NM_SET_OUT(out_failure_reason, NM_DEVICE_STATE_REASON_SUPPLICANT_FAILED);
@ -2335,6 +2346,15 @@ act_stage2_config(NMDevice *device, NMDeviceStateReason *out_failure_reason)
if (!priv->cancellable)
priv->cancellable = g_cancellable_new();
s_wireless_sec = nm_connection_get_setting_wireless_security(connection);
if (s_wireless_sec
&& nm_streq0(nm_setting_wireless_security_get_key_mgmt(s_wireless_sec), "owe")) {
_LOGI(LOGD_WIFI,
"An OWE connection is requested but IWD may connect to either an OWE "
"or unsecured network and there won't be any indication of whether "
"encryption is in use -- proceed at your own risk!");
}
/* Call Network.Connect. No timeout because IWD already handles
* timeouts.
*/
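Review bot: The OWE branch added at the end of act_stage2_config (the `nm_streq0(nm_setting_wireless_security_get_key_mgmt(s_wireless_sec), "owe")` check just before Network.Connect) only writes an info-level log and then proceeds, so a profile the user configured for OWE can be joined as a plain unencrypted network with no user-visible signal; combined with nm_wifi_connection_get_iwd_ssid_and_security now mapping "owe" to NM_IWD_NETWORK_SECURITY_OPEN, this is a silent security downgrade rather than a corner case. At minimum the message should go out at warning level (`_LOGW(LOGD_WIFI, ...)`, assuming this file has that level alongside `_LOGI`), and preferably the connect should be gated on the selected AP (`priv->current_ap` is already in scope here) advertising OWE in its security flags, failing with `NM_SET_OUT(out_failure_reason, NM_DEVICE_STATE_REASON_SUPPLICANT_FAILED)` otherwise; which AP flag constant denotes OWE is not visible in this hunk and would need confirming. The "proceed at your own risk" wording also reads as addressed to a human who will never see a daemon log line, so the log text should state the concrete consequence (encryption may be absent) rather than advise the reader. act_stage2_config starts and ends outside the hunk.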


@ -533,7 +533,7 @@ mirror_connection(NMIwdManager * self,
switch (id->security) {
case NM_IWD_NETWORK_SECURITY_WEP:
case NM_IWD_NETWORK_SECURITY_NONE:
case NM_IWD_NETWORK_SECURITY_OPEN:
case NM_IWD_NETWORK_SECURITY_PSK:
break;
case NM_IWD_NETWORK_SECURITY_8021X:
@ -642,7 +642,7 @@ mirror_connection(NMIwdManager * self,
case NM_IWD_NETWORK_SECURITY_WEP:
key_mgmt = "none";
break;
case NM_IWD_NETWORK_SECURITY_NONE:
case NM_IWD_NETWORK_SECURITY_OPEN:
key_mgmt = NULL;
break;
case NM_IWD_NETWORK_SECURITY_PSK:
@ -758,7 +758,7 @@ interface_added(GDBusObjectManager *object_manager,
return;
if (nm_streq(type_str, "open"))
security = NM_IWD_NETWORK_SECURITY_NONE;
security = NM_IWD_NETWORK_SECURITY_OPEN;
else if (nm_streq(type_str, "psk"))
security = NM_IWD_NETWORK_SECURITY_PSK;
else if (nm_streq(type_str, "8021x"))
@ -840,7 +840,7 @@ interface_removed(GDBusObjectManager *object_manager,
return;
if (nm_streq(type_str, "open"))
id.security = NM_IWD_NETWORK_SECURITY_NONE;
id.security = NM_IWD_NETWORK_SECURITY_OPEN;
else if (nm_streq(type_str, "psk"))
id.security = NM_IWD_NETWORK_SECURITY_PSK;
else if (nm_streq(type_str, "8021x"))
@ -1242,7 +1242,7 @@ nm_iwd_manager_get_ap_mirror_connection(NMIwdManager *self, NMWifiAP *ap)
NMIwdManagerPrivate * priv = NM_IWD_MANAGER_GET_PRIVATE(self);
KnownNetworkData * data;
char name_buf[33];
KnownNetworkId kn_id = {name_buf, NM_IWD_NETWORK_SECURITY_NONE};
KnownNetworkId kn_id = {name_buf, NM_IWD_NETWORK_SECURITY_OPEN};
const guint8 * ssid_bytes;
gsize ssid_len;
NM80211ApFlags flags = nm_wifi_ap_get_flags(ap);


@ -923,7 +923,7 @@ nm_wifi_connection_get_iwd_ssid_and_security(NMConnection * connection,
s_wireless_sec = nm_connection_get_setting_wireless_security(connection);
if (!s_wireless_sec) {
NM_SET_OUT(security, NM_IWD_NETWORK_SECURITY_NONE);
NM_SET_OUT(security, NM_IWD_NETWORK_SECURITY_OPEN);
return TRUE;
}
@ -932,7 +932,9 @@ nm_wifi_connection_get_iwd_ssid_and_security(NMConnection * connection,
if (NM_IN_STRSET(key_mgmt, "none", "ieee8021x"))
NM_SET_OUT(security, NM_IWD_NETWORK_SECURITY_WEP);
else if (nm_streq(key_mgmt, "wpa-psk"))
else if (nm_streq(key_mgmt, "owe"))
NM_SET_OUT(security, NM_IWD_NETWORK_SECURITY_OPEN);
else if (NM_IN_STRSET(key_mgmt, "wpa-psk", "sae"))
NM_SET_OUT(security, NM_IWD_NETWORK_SECURITY_PSK);
else if (nm_streq(key_mgmt, "wpa-eap"))
NM_SET_OUT(security, NM_IWD_NETWORK_SECURITY_8021X);
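Review bot: The new mappings `"owe"` → NM_IWD_NETWORK_SECURITY_OPEN and `"sae"` → NM_IWD_NETWORK_SECURITY_PSK need a comment, because they deliberately collapse security levels NetworkManager distinguishes (OWE vs. open, WPA3-SAE vs. WPA-PSK) into the coarser open/psk/8021x network types the IWD manager's interface_added() parses from IWD, and a later reader will otherwise read OPEN for an OWE profile as a bug. I would add above the key_mgmt chain: `/* IWD only exposes open/psk/8021x network types: OWE maps to OPEN and SAE to PSK here. Callers that must tell them apart (e.g. to refuse an OWE-to-open downgrade) have to inspect key_mgmt themselves. */` That last sentence matters because NMDeviceIwd's act_stage2_config relies on the key_mgmt string, not on this enum, for exactly that check. nm_wifi_connection_get_iwd_ssid_and_security starts and ends outside the hunk.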


@ -13,7 +13,7 @@
#include "nm-setting-8021x.h"
typedef enum {
NM_IWD_NETWORK_SECURITY_NONE,
NM_IWD_NETWORK_SECURITY_OPEN,
NM_IWD_NETWORK_SECURITY_WEP,
NM_IWD_NETWORK_SECURITY_PSK,
NM_IWD_NETWORK_SECURITY_8021X,