authorBeniamino Galvani <bgalvani@redhat.com>2022-04-08 08:34:38 +0200
committerBeniamino Galvani <bgalvani@redhat.com>2022-04-08 15:34:17 +0200
commit6a82dd184cd9df073f7f07434cef22111be8927f (patch)
tree1a866068a84b9f5da8d0099c141fbb7b5e06ff39
parentbb1fe05eec3abe04f184cedbbf4cbc6ae57bce6d (diff)
downloadNetworkManager-6a82dd184cd9df073f7f07434cef22111be8927f.tar.gz
wifi: disable FT in AP mode
Currently wpa_supplicant doesn't support FT in AP mode. FT-PSK and FT-EAP are simply not negotiated with the STA. FT-SAE gets negotiated but then the key derivation is not supported, leading to an authentication failure. Even if support for FT in AP mode is introduced in wpa_supplicant in the future, it will require additional parameters such as the NAS identifier and the mobility domain, which are currently not provided by NM. Disable all FT key-mgmts in AP mode since they are useless and cause issues (FT-SAE). See-also: https://mail.gnome.org/archives/networkmanager-list/2022-March/msg00016.html See-also: http://lists.infradead.org/pipermail/hostap/2022-April/040352.html https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1184 (cherry picked from commit 82980f7791660ede5f2982cdfbda266f3f6384a0) (cherry picked from commit a66e054bd67432673b8cc022c862937b95dae348)
-rw-r--r--src/core/devices/wifi/nm-device-wifi.c18
-rw-r--r--src/core/supplicant/nm-supplicant-config.c21
-rw-r--r--src/core/supplicant/nm-supplicant-config.h1
-rw-r--r--src/core/supplicant/tests/test-supplicant-config.c1
4 files changed, 27 insertions, 14 deletions
diff --git a/src/core/devices/wifi/nm-device-wifi.c b/src/core/devices/wifi/nm-device-wifi.c
index 010cee0834..adb390f42d 100644
--- a/src/core/devices/wifi/nm-device-wifi.c
+++ b/src/core/devices/wifi/nm-device-wifi.c
@@ -2936,14 +2936,16 @@ build_supplicant_config(NMDeviceWifi *self,
}
s_8021x = nm_connection_get_setting_802_1x(connection);
- if (!nm_supplicant_config_add_setting_wireless_security(config,
- s_wireless_sec,
- s_8021x,
- con_uuid,
- mtu,
- pmf,
- fils,
- error)) {
+ if (!nm_supplicant_config_add_setting_wireless_security(
+ config,
+ s_wireless_sec,
+ s_8021x,
+ con_uuid,
+ nm_setting_wireless_get_mode(s_wireless),
+ mtu,
+ pmf,
+ fils,
+ error)) {
g_prefix_error(error, "802-11-wireless-security: ");
goto error;
}
diff --git a/src/core/supplicant/nm-supplicant-config.c b/src/core/supplicant/nm-supplicant-config.c
index 8626042bb7..f8b1503ec2 100644
--- a/src/core/supplicant/nm-supplicant-config.c
+++ b/src/core/supplicant/nm-supplicant-config.c
@@ -805,6 +805,7 @@ nm_supplicant_config_add_setting_wireless_security(NMSupplicantConfig
NMSettingWirelessSecurity *setting,
NMSetting8021x *setting_8021x,
const char *con_uuid,
+ const char *mode,
guint32 mtu,
NMSettingWirelessSecurityPmf pmf,
NMSettingWirelessSecurityFils fils,
@@ -815,12 +816,20 @@ nm_supplicant_config_add_setting_wireless_security(NMSupplicantConfig
const char *key_mgmt, *auth_alg;
const char *psk;
gboolean set_pmf, wps_disabled;
+ gboolean is_ap;
g_return_val_if_fail(NM_IS_SUPPLICANT_CONFIG(self), FALSE);
g_return_val_if_fail(setting != NULL, FALSE);
g_return_val_if_fail(con_uuid != NULL, FALSE);
g_return_val_if_fail(!error || !*error, FALSE);
+ /* Currently wpa_supplicant doesn't support FT in AP mode. Even
+ * if it did, it would require additional parameters as the nas
+ * identifier and the mobility domain. Therefore we disable all
+ * FT key-mgmts in AP mode.
+ */
+ is_ap = nm_streq0(mode, NM_SETTING_WIRELESS_MODE_AP);
+
/* Check if we actually support FILS */
if (!_get_capability(priv, NM_SUPPL_CAP_TYPE_FILS)) {
if (fils == NM_SETTING_WIRELESS_SECURITY_FILS_REQUIRED) {
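Review bot: The new `mode` argument is compared with `nm_streq0`, so NULL or any string other than the AP mode leaves every FT key-mgmt enabled, and nothing where the parameter is declared says so. A caller that forgets to pass the mode therefore silently keeps the old behaviour. I would document the contract at the prototype, e.g. `/* @mode: the NMSettingWireless mode string, may be NULL; only "ap" disables the FT key-mgmts */`, and confirm whether any other non-infrastructure mode should be treated the same way. The function body starts and ends outside this hunk.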
@@ -852,7 +861,7 @@ nm_supplicant_config_add_setting_wireless_security(NMSupplicantConfig
g_string_append(key_mgmt_conf, "WPA-PSK");
if (_get_capability(priv, NM_SUPPL_CAP_TYPE_PMF))
g_string_append(key_mgmt_conf, " WPA-PSK-SHA256");
- if (_get_capability(priv, NM_SUPPL_CAP_TYPE_FT))
+ if (!is_ap && _get_capability(priv, NM_SUPPL_CAP_TYPE_FT))
g_string_append(key_mgmt_conf, " FT-PSK");
/* For NM "key-mgmt=wpa-psk" doesn't strictly mean WPA1/wPA2 only,
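Review bot: The guard `!is_ap && _get_capability(priv, NM_SUPPL_CAP_TYPE_FT)` is spelled out here and five more times in the later hunks of this function (both FT-SAE branches, FT-EAP, FT-FILS and the suite-B FT-EAP-SHA384 case), so a key-mgmt branch added later can easily test only the capability and offer an FT suite in AP mode again. Per the commit message that matters most for FT-SAE, which is negotiated and then fails authentication. Computing it once next to the `is_ap` assignment, `ft_ok = !is_ap && _get_capability(priv, NM_SUPPL_CAP_TYPE_FT);`, and testing `if (ft_ok)` in each branch would keep the AP exclusion in one place. The function body extends beyond this hunk.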
@@ -873,7 +882,7 @@ nm_supplicant_config_add_setting_wireless_security(NMSupplicantConfig
&& _get_capability(priv, NM_SUPPL_CAP_TYPE_PMF)
&& _get_capability(priv, NM_SUPPL_CAP_TYPE_BIP)) {
g_string_append(key_mgmt_conf, " SAE");
- if (_get_capability(priv, NM_SUPPL_CAP_TYPE_FT))
+ if (!is_ap && _get_capability(priv, NM_SUPPL_CAP_TYPE_FT))
g_string_append(key_mgmt_conf, " FT-SAE");
}
@@ -881,13 +890,13 @@ nm_supplicant_config_add_setting_wireless_security(NMSupplicantConfig
pmf = NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED;
g_string_append(key_mgmt_conf, "SAE");
- if (_get_capability(priv, NM_SUPPL_CAP_TYPE_FT))
+ if (!is_ap && _get_capability(priv, NM_SUPPL_CAP_TYPE_FT))
g_string_append(key_mgmt_conf, " FT-SAE");
} else if (nm_streq(key_mgmt, "wpa-eap")) {
if (pmf != NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED)
g_string_append(key_mgmt_conf, "WPA-EAP");
- if (_get_capability(priv, NM_SUPPL_CAP_TYPE_FT)) {
+ if (!is_ap && _get_capability(priv, NM_SUPPL_CAP_TYPE_FT)) {
g_string_append(key_mgmt_conf, " FT-EAP");
if (_get_capability(priv, NM_SUPPL_CAP_TYPE_SHA384))
g_string_append(key_mgmt_conf, " FT-EAP-SHA384");
@@ -908,7 +917,7 @@ nm_supplicant_config_add_setting_wireless_security(NMSupplicantConfig
case NM_SETTING_WIRELESS_SECURITY_FILS_OPTIONAL:
if (_get_capability(priv, NM_SUPPL_CAP_TYPE_PMF)) {
g_string_append(key_mgmt_conf, " FILS-SHA256 FILS-SHA384");
- if (_get_capability(priv, NM_SUPPL_CAP_TYPE_FT)) {
+ if (!is_ap && _get_capability(priv, NM_SUPPL_CAP_TYPE_FT)) {
g_string_append(key_mgmt_conf, " FT-FILS-SHA256");
if (_get_capability(priv, NM_SUPPL_CAP_TYPE_SHA384))
g_string_append(key_mgmt_conf, " FT-FILS-SHA384");
@@ -924,7 +933,7 @@ nm_supplicant_config_add_setting_wireless_security(NMSupplicantConfig
pmf = NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED;
g_string_append(key_mgmt_conf, "WPA-EAP-SUITE-B-192");
- if (_get_capability(priv, NM_SUPPL_CAP_TYPE_FT)
+ if (!is_ap && _get_capability(priv, NM_SUPPL_CAP_TYPE_FT)
&& _get_capability(priv, NM_SUPPL_CAP_TYPE_SHA384))
g_string_append(key_mgmt_conf, " FT-EAP-SHA384");
}
diff --git a/src/core/supplicant/nm-supplicant-config.h b/src/core/supplicant/nm-supplicant-config.h
index 349c310f18..ee7f4dc868 100644
--- a/src/core/supplicant/nm-supplicant-config.h
+++ b/src/core/supplicant/nm-supplicant-config.h
@@ -51,6 +51,7 @@ gboolean nm_supplicant_config_add_setting_wireless_security(NMSupplicantConfig
NMSettingWirelessSecurity *setting,
NMSetting8021x *setting_8021x,
const char *con_uuid,
+ const char *mode,
guint32 mtu,
NMSettingWirelessSecurityPmf pmf,
NMSettingWirelessSecurityFils fils,
diff --git a/src/core/supplicant/tests/test-supplicant-config.c b/src/core/supplicant/tests/test-supplicant-config.c
index 53c5f70f3c..237b1a9671 100644
--- a/src/core/supplicant/tests/test-supplicant-config.c
+++ b/src/core/supplicant/tests/test-supplicant-config.c
@@ -116,6 +116,7 @@ build_supplicant_config(NMConnection *connection,
s_wsec,
s_8021x,
nm_connection_get_uuid(connection),
+ nm_setting_wireless_get_mode(s_wifi),
mtu,
pmf,
fils,
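Review bot: No test covers the behaviour this commit introduces: the diffstat shows a single changed line in this file, and it only forwards the connection's mode through the helper. A case that builds an AP-mode connection with a PSK or SAE key-mgmt and checks that the generated `key_mgmt` value contains no `FT-` entry would pin the fix and catch a regression if one of the guards is dropped. Assuming the test supplicant config reports the FT capability (not visible in this hunk), the same connection outside AP mode should still list them. The helper's body continues outside the hunk.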