author | Beniamino Galvani <bgalvani@redhat.com> | 2022-04-08 08:34:38 +0200 |
---|---|---|
committer | Beniamino Galvani <bgalvani@redhat.com> | 2022-04-08 15:34:17 +0200 |
commit | 6a82dd184cd9df073f7f07434cef22111be8927f (patch) | |
tree | 1a866068a84b9f5da8d0099c141fbb7b5e06ff39 | |
parent | bb1fe05eec3abe04f184cedbbf4cbc6ae57bce6d (diff) | |
download | NetworkManager-6a82dd184cd9df073f7f07434cef22111be8927f.tar.gz |
wifi: disable FT in AP mode
Currently wpa_supplicant doesn't support FT in AP mode. FT-PSK and
FT-EAP are simply not negotiated with the STA. FT-SAE gets negotiated
but then the key derivation is not supported, leading to an
authentication failure.
Even if support for FT in AP mode is introduced in wpa_supplicant in
the future, it will require additional parameters such as the NAS
identifier and the mobility domain, which are currently not provided
by NM.
Disable all FT key-mgmts in AP mode since they are useless and cause
issues (FT-SAE).
See-also: https://mail.gnome.org/archives/networkmanager-list/2022-March/msg00016.html
See-also: http://lists.infradead.org/pipermail/hostap/2022-April/040352.html
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1184
(cherry picked from commit 82980f7791660ede5f2982cdfbda266f3f6384a0)
(cherry picked from commit a66e054bd67432673b8cc022c862937b95dae348)
-rw-r--r-- | src/core/devices/wifi/nm-device-wifi.c | 18 | ||||
-rw-r--r-- | src/core/supplicant/nm-supplicant-config.c | 21 | ||||
-rw-r--r-- | src/core/supplicant/nm-supplicant-config.h | 1 | ||||
-rw-r--r-- | src/core/supplicant/tests/test-supplicant-config.c | 1 |
4 files changed, 27 insertions, 14 deletions
diff --git a/src/core/devices/wifi/nm-device-wifi.c b/src/core/devices/wifi/nm-device-wifi.c index 010cee0834..adb390f42d 100644 --- a/src/core/devices/wifi/nm-device-wifi.c +++ b/src/core/devices/wifi/nm-device-wifi.c @@ -2936,14 +2936,16 @@ build_supplicant_config(NMDeviceWifi *self, } s_8021x = nm_connection_get_setting_802_1x(connection); - if (!nm_supplicant_config_add_setting_wireless_security(config, - s_wireless_sec, - s_8021x, - con_uuid, - mtu, - pmf, - fils, - error)) { + if (!nm_supplicant_config_add_setting_wireless_security( + config, + s_wireless_sec, + s_8021x, + con_uuid, + nm_setting_wireless_get_mode(s_wireless), + mtu, + pmf, + fils, + error)) { g_prefix_error(error, "802-11-wireless-security: "); goto error; } diff --git a/src/core/supplicant/nm-supplicant-config.c b/src/core/supplicant/nm-supplicant-config.c index 8626042bb7..f8b1503ec2 100644 --- a/src/core/supplicant/nm-supplicant-config.c +++ b/src/core/supplicant/nm-supplicant-config.c @@ -805,6 +805,7 @@ nm_supplicant_config_add_setting_wireless_security(NMSupplicantConfig NMSettingWirelessSecurity *setting, NMSetting8021x *setting_8021x, const char *con_uuid, + const char *mode, guint32 mtu, NMSettingWirelessSecurityPmf pmf, NMSettingWirelessSecurityFils fils, 
@@ -815,12 +816,20 @@ nm_supplicant_config_add_setting_wireless_security(NMSupplicantConfig const char *key_mgmt, *auth_alg; const char *psk; gboolean set_pmf, wps_disabled; + gboolean is_ap; g_return_val_if_fail(NM_IS_SUPPLICANT_CONFIG(self), FALSE); g_return_val_if_fail(setting != NULL, FALSE); g_return_val_if_fail(con_uuid != NULL, FALSE); g_return_val_if_fail(!error || !*error, FALSE); + /* Currently wpa_supplicant doesn't support FT in AP mode. Even + * if it did, it would require additional parameters as the nas + * identifier and the mobility domain. Therefore we disable all + * FT key-mgmts in AP mode. + */ + is_ap = nm_streq0(mode, NM_SETTING_WIRELESS_MODE_AP); + /* Check if we actually support FILS */ if (!_get_capability(priv, NM_SUPPL_CAP_TYPE_FILS)) { if (fils == NM_SETTING_WIRELESS_SECURITY_FILS_REQUIRED) { @@ -852,7 +861,7 @@ nm_supplicant_config_add_setting_wireless_security(NMSupplicantConfig g_string_append(key_mgmt_conf, "WPA-PSK"); if (_get_capability(priv, NM_SUPPL_CAP_TYPE_PMF)) g_string_append(key_mgmt_conf, " WPA-PSK-SHA256"); - if (_get_capability(priv, NM_SUPPL_CAP_TYPE_FT)) + if (!is_ap && _get_capability(priv, NM_SUPPL_CAP_TYPE_FT)) g_string_append(key_mgmt_conf, " FT-PSK"); /* For NM "key-mgmt=wpa-psk" doesn't strictly mean WPA1/wPA2 only, @@ -873,7 +882,7 @@ nm_supplicant_config_add_setting_wireless_security(NMSupplicantConfig && _get_capability(priv, NM_SUPPL_CAP_TYPE_PMF) && _get_capability(priv, NM_SUPPL_CAP_TYPE_BIP)) { g_string_append(key_mgmt_conf, " SAE"); - if (_get_capability(priv, NM_SUPPL_CAP_TYPE_FT)) + if (!is_ap && _get_capability(priv, NM_SUPPL_CAP_TYPE_FT)) g_string_append(key_mgmt_conf, " FT-SAE"); } 
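Review bot: The AP-mode policy is spelled out as `!is_ap &&` in front of every `_get_capability(priv, NM_SUPPL_CAP_TYPE_FT)` test (FT-PSK and FT-SAE here, then FT-SAE, FT-EAP, FT-FILS and FT-EAP-SHA384 in the following hunks), so a key-mgmt branch added later can re-enable FT in AP mode simply by omitting the guard. Deciding it once next to the `is_ap` assignment, e.g. `ft_allowed = !is_ap && _get_capability(priv, NM_SUPPL_CAP_TYPE_FT);`, and testing `ft_allowed` in each branch would keep the rule in one place. The comment could also say that a NULL `mode` is treated as non-AP, which is what `nm_streq0` does here; whether callers actually pass NULL is not visible in this hunk. The function body starts and ends outside these hunks.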
@@ -881,13 +890,13 @@ nm_supplicant_config_add_setting_wireless_security(NMSupplicantConfig pmf = NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED; g_string_append(key_mgmt_conf, "SAE"); - if (_get_capability(priv, NM_SUPPL_CAP_TYPE_FT)) + if (!is_ap && _get_capability(priv, NM_SUPPL_CAP_TYPE_FT)) g_string_append(key_mgmt_conf, " FT-SAE"); } else if (nm_streq(key_mgmt, "wpa-eap")) { if (pmf != NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED) g_string_append(key_mgmt_conf, "WPA-EAP"); - if (_get_capability(priv, NM_SUPPL_CAP_TYPE_FT)) { + if (!is_ap && _get_capability(priv, NM_SUPPL_CAP_TYPE_FT)) { g_string_append(key_mgmt_conf, " FT-EAP"); if (_get_capability(priv, NM_SUPPL_CAP_TYPE_SHA384)) g_string_append(key_mgmt_conf, " FT-EAP-SHA384"); @@ -908,7 +917,7 @@ nm_supplicant_config_add_setting_wireless_security(NMSupplicantConfig case NM_SETTING_WIRELESS_SECURITY_FILS_OPTIONAL: if (_get_capability(priv, NM_SUPPL_CAP_TYPE_PMF)) { g_string_append(key_mgmt_conf, " FILS-SHA256 FILS-SHA384"); - if (_get_capability(priv, NM_SUPPL_CAP_TYPE_FT)) { + if (!is_ap && _get_capability(priv, NM_SUPPL_CAP_TYPE_FT)) { g_string_append(key_mgmt_conf, " FT-FILS-SHA256"); if (_get_capability(priv, NM_SUPPL_CAP_TYPE_SHA384)) g_string_append(key_mgmt_conf, " FT-FILS-SHA384"); @@ -924,7 +933,7 @@ nm_supplicant_config_add_setting_wireless_security(NMSupplicantConfig pmf = NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED; g_string_append(key_mgmt_conf, "WPA-EAP-SUITE-B-192"); - if (_get_capability(priv, NM_SUPPL_CAP_TYPE_FT) + if (!is_ap && _get_capability(priv, NM_SUPPL_CAP_TYPE_FT) && _get_capability(priv, NM_SUPPL_CAP_TYPE_SHA384)) g_string_append(key_mgmt_conf, " FT-EAP-SHA384"); } diff --git a/src/core/supplicant/nm-supplicant-config.h b/src/core/supplicant/nm-supplicant-config.h index 349c310f18..ee7f4dc868 100644 --- a/src/core/supplicant/nm-supplicant-config.h +++ b/src/core/supplicant/nm-supplicant-config.h 
@@ -51,6 +51,7 @@ gboolean nm_supplicant_config_add_setting_wireless_security(NMSupplicantConfig NMSettingWirelessSecurity *setting, NMSetting8021x *setting_8021x, const char *con_uuid, + const char *mode, guint32 mtu, NMSettingWirelessSecurityPmf pmf, NMSettingWirelessSecurityFils fils, diff --git a/src/core/supplicant/tests/test-supplicant-config.c b/src/core/supplicant/tests/test-supplicant-config.c index 53c5f70f3c..237b1a9671 100644 --- a/src/core/supplicant/tests/test-supplicant-config.c +++ b/src/core/supplicant/tests/test-supplicant-config.c @@ -116,6 +116,7 @@ build_supplicant_config(NMConnection *connection, s_wsec, s_8021x, nm_connection_get_uuid(connection), + nm_setting_wireless_get_mode(s_wifi), mtu, pmf, fils, |
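Review bot: No test case exercises the new AP-mode path: per the diffstat this file gains only the forwarded `nm_setting_wireless_get_mode(s_wifi)` argument in `build_supplicant_config`. A regression test that builds an AP-mode connection (for instance key-mgmt `sae`, the case the commit message reports as failing) and asserts that the generated `key_mgmt` value contains no `FT-` entries would pin the fix. That only proves something if the test harness reports the FT capability as available, which cannot be confirmed from this hunk. The helper's body extends beyond the visible lines.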