authorBeniamino Galvani <bgalvani@redhat.com>2017-04-27 09:30:58 +0200
committerBeniamino Galvani <bgalvani@redhat.com>2017-04-28 09:46:05 +0200
commit60a3809815182b980271127e3733826331397c2d (patch)
tree682997467beff43730e20c1c3cbec1ede7a8674e
parent1f40bb13cf0789e31fb0206f954850a662b8f97c (diff)
downloadNetworkManager-60a3809815182b980271127e3733826331397c2d.tar.gz
libnm-core: add pmf property to wireless-security setting
Add a 'pmf' property to enable or disable Protected Management Frames (802.11w) for the connection.
-rw-r--r--clients/common/settings-docs.c.in1
-rw-r--r--libnm-core/nm-setting-wireless-security.c71
-rw-r--r--libnm-core/nm-setting-wireless-security.h22
-rw-r--r--libnm/libnm.ver6
4 files changed, 100 insertions, 0 deletions
diff --git a/clients/common/settings-docs.c.in b/clients/common/settings-docs.c.in
index 0ebddc6185..5710ce73a5 100644
--- a/clients/common/settings-docs.c.in
+++ b/clients/common/settings-docs.c.in
@@ -29,6 +29,7 @@
#define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_LEAP_USERNAME N_("The login username for legacy LEAP connections (ie, key-mgmt = \"ieee8021x\" and auth-alg = \"leap\").")
#define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_NAME N_("The setting's name, which uniquely identifies the setting within the connection. Each setting type has a name unique to that type, for example \"ppp\" or \"wireless\" or \"wired\".")
#define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_PAIRWISE N_("A list of pairwise encryption algorithms which prevents connections to Wi-Fi networks that do not utilize one of the algorithms in the list. For maximum compatibility leave this property empty. Each list element may be one of \"tkip\" or \"ccmp\".")
+#define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_PMF N_("Indicates whether Protected Management Frames (802.11w) must be enabled for the connection. One of NM_SETTING_WIRELESS_SECURITY_PMF_DEFAULT (0) (use global default value), NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE (1) (disable PMF), NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL (2) (enable PMF if the supplicant and the access point support it) or NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED (3) (enable PMF and fail if not supported). When set to NM_SETTING_WIRELESS_SECURITY_PMF_DEFAULT (0) and no global default is set, PMF will be optionally enabled.")
#define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_PROTO N_("List of strings specifying the allowed WPA protocol versions to use. Each element may be one \"wpa\" (allow WPA) or \"rsn\" (allow WPA2/RSN). If not specified, both WPA and RSN connections are allowed.")
#define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_PSK N_("Pre-Shared-Key for WPA networks. If the key is 64-characters long, it must contain only hexadecimal characters and is interpreted as a hexadecimal WPA key. Otherwise, the key must be between 8 and 63 ASCII characters (as specified in the 802.11i standard) and is interpreted as a WPA passphrase, and is hashed to derive the actual WPA-PSK used when connecting to the Wi-Fi network.")
#define DESCRIBE_DOC_NM_SETTING_WIRELESS_SECURITY_PSK_FLAGS N_("Flags indicating how to handle the \"psk\" property.")
diff --git a/libnm-core/nm-setting-wireless-security.c b/libnm-core/nm-setting-wireless-security.c
index 70bdf7541d..977302df02 100644
--- a/libnm-core/nm-setting-wireless-security.c
+++ b/libnm-core/nm-setting-wireless-security.c
@@ -65,6 +65,7 @@ typedef struct {
GSList *proto; /* GSList of strings */
GSList *pairwise; /* GSList of strings */
GSList *group; /* GSList of strings */
+ guint pmf;
/* LEAP */
char *leap_username;
@@ -93,6 +94,7 @@ enum {
PROP_PROTO,
PROP_PAIRWISE,
PROP_GROUP,
+ PROP_PMF,
PROP_LEAP_USERNAME,
PROP_WEP_KEY0,
PROP_WEP_KEY1,
@@ -573,6 +575,22 @@ nm_setting_wireless_security_clear_groups (NMSettingWirelessSecurity *setting)
g_object_notify (G_OBJECT (setting), NM_SETTING_WIRELESS_SECURITY_GROUP);
}
+/*
+ * nm_setting_wireless_security_get_pmf:
+ * @setting: the #NMSettingWirelessSecurity
+ *
+ * Returns: the #NMSettingWirelessSecurity:pmf property of the setting
+ *
+ * Since: 1.10
+ **/
+NMSettingWirelessSecurityPmf
+nm_setting_wireless_security_get_pmf (NMSettingWirelessSecurity *setting)
+{
+ g_return_val_if_fail (NM_IS_SETTING_WIRELESS_SECURITY (setting), 0);
+
+ return NM_SETTING_WIRELESS_SECURITY_GET_PRIVATE (setting)->pmf;
+}
+
/**
* nm_setting_wireless_security_get_psk:
* @setting: the #NMSettingWirelessSecurity
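Review bot: The doc comment on nm_setting_wireless_security_get_pmf opens with `/*` rather than `/**`, so gtk-doc and the introspection scanner will probably not pick up its `Since: 1.10` annotation; the neighbouring nm_setting_wireless_security_get_psk comment uses `/**`. The failure path also returns a bare `0`, where `g_return_val_if_fail (NM_IS_SETTING_WIRELESS_SECURITY (setting), NM_SETTING_WIRELESS_SECURITY_PMF_DEFAULT);` would state the intent and match the enum return type. The getter returns the stored guint as the enum type without a range check, so a caller that reads it before verify() has run can see a value outside the enum; a sentence in the doc comment saying so would help consumers that map this value onto supplicant configuration.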
@@ -1013,6 +1031,30 @@ verify (NMSetting *setting, NMConnection *connection, GError **error)
}
}
+ if (priv->pmf > NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED) {
+ g_set_error_literal (error,
+ NM_CONNECTION_ERROR,
+ NM_CONNECTION_ERROR_INVALID_PROPERTY,
+ _("property is invalid"));
+ g_prefix_error (error, "%s.%s: ", NM_SETTING_WIRELESS_SECURITY_SETTING_NAME, NM_SETTING_WIRELESS_SECURITY_PMF);
+ return FALSE;
+ }
+
+ if ( NM_IN_SET (priv->pmf,
+ NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL,
+ NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED)
+ && !NM_IN_STRSET (priv->key_mgmt, "wpa-eap", "wpa-psk")) {
+ g_set_error (error,
+ NM_CONNECTION_ERROR,
+ NM_CONNECTION_ERROR_INVALID_PROPERTY,
+ _("'%s' can only be used with '%s=%s or '%s=%s'"),
+ priv->pmf == NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL ? "optional" : "required",
+ NM_SETTING_WIRELESS_SECURITY_KEY_MGMT, "wpa-eap",
+ NM_SETTING_WIRELESS_SECURITY_KEY_MGMT, "wpa-psk");
+ g_prefix_error (error, "%s.%s: ", NM_SETTING_WIRELESS_SECURITY_SETTING_NAME, NM_SETTING_WIRELESS_SECURITY_PMF);
+ return FALSE;
+ }
+
return TRUE;
}
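Review bot: The translatable message in the second added check has an unbalanced quote: `'%s=%s or '%s=%s'` lacks the closing `'` after the first pair, so the string should read `_("'%s' can only be used with '%s=%s' or '%s=%s'")`. The range check above it compares against `NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED`, while the header in this commit also defines `NM_SETTING_WIRELESS_SECURITY_PMF_LAST`; using `priv->pmf > NM_SETTING_WIRELESS_SECURITY_PMF_LAST` would keep the check correct if a value is appended later. verify() begins outside this hunk, so the placement relative to the earlier key-mgmt checks cannot be confirmed from here.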
@@ -1198,6 +1240,9 @@ set_property (GObject *object, guint prop_id,
g_slist_free_full (priv->group, g_free);
priv->group = _nm_utils_strv_to_slist (g_value_get_boxed (value), TRUE);
break;
+ case PROP_PMF:
+ priv->pmf = g_value_get_uint (value);
+ break;
case PROP_LEAP_USERNAME:
g_free (priv->leap_username);
priv->leap_username = g_value_dup_string (value);
@@ -1270,6 +1315,9 @@ get_property (GObject *object, guint prop_id,
case PROP_GROUP:
g_value_take_boxed (value, _nm_utils_slist_to_strv (priv->group, TRUE));
break;
+ case PROP_PMF:
+ g_value_set_uint (value, nm_setting_wireless_security_get_pmf (setting));
+ break;
case PROP_LEAP_USERNAME:
g_value_set_string (value, priv->leap_username);
break;
@@ -1468,6 +1516,29 @@ nm_setting_wireless_security_class_init (NMSettingWirelessSecurityClass *setting
G_PARAM_STATIC_STRINGS));
/**
+ * NMSettingWirelessSecurity:pmf:
+ *
+ * Indicates whether Protected Management Frames (802.11w) must be enabled
+ * for the connection. One of %NM_SETTING_WIRELESS_SECURITY_PMF_DEFAULT
+ * (use global default value), %NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE
+ * (disable PMF), %NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL (enable PMF if
+ * the supplicant and the access point support it) or
+ * %NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED (enable PMF and fail if not
+ * supported). When set to %NM_SETTING_WIRELESS_SECURITY_PMF_DEFAULT and no
+ * global default is set, PMF will be optionally enabled.
+ *
+ * Since: 1.10
+ **/
+ g_object_class_install_property
+ (object_class, PROP_PMF,
+ g_param_spec_uint (NM_SETTING_WIRELESS_SECURITY_PMF, "", "",
+ 0, G_MAXUINT32, 0,
+ G_PARAM_READWRITE |
+ G_PARAM_CONSTRUCT |
+ NM_SETTING_PARAM_FUZZY_IGNORE |
+ G_PARAM_STATIC_STRINGS));
+
+ /**
* NMSettingWirelessSecurity:leap-username:
*
* The login username for legacy LEAP connections (ie, key-mgmt =
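Review bot: The param spec accepts `0` to `G_MAXUINT32` although only values 0–3 are defined, so the set_property hunk stores any uint and verify() is the only place the range is enforced. If that is deliberate (so that an invalid value yields a verify() error rather than a GObject range warning), a one-line comment such as `/* range is checked in verify() */` above the install call would make it clear; otherwise the upper bound could be `NM_SETTING_WIRELESS_SECURITY_PMF_LAST`. The property doc could also state that in the optional mode, which is also the fallback for the default value, the connection proceeds without management-frame protection when the access point does not offer it, so only `required` guarantees PMF.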
diff --git a/libnm-core/nm-setting-wireless-security.h b/libnm-core/nm-setting-wireless-security.h
index ae252f1124..2c6dcaad62 100644
--- a/libnm-core/nm-setting-wireless-security.h
+++ b/libnm-core/nm-setting-wireless-security.h
@@ -71,12 +71,31 @@ typedef enum {
NM_WEP_KEY_TYPE_LAST = NM_WEP_KEY_TYPE_PASSPHRASE
} NMWepKeyType;
+/**
+ * NMSettingWirelessSecurityPmf:
+ * @NM_SETTING_WIRELESS_SECURITY_PMF_DEFAULT: use the default value
+ * @NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE: disable PMF
+ * @NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL: enable PMF if the supplicant and the AP support it
+ * @NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED: require PMF and fail if not available
+ *
+ * These flags indicate whether PMF must be enabled.
+ **/
+typedef enum {
+ NM_SETTING_WIRELESS_SECURITY_PMF_DEFAULT = 0,
+ NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE = 1,
+ NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL = 2,
+ NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED = 3,
+ _NM_SETTING_WIRELESS_SECURITY_PMF_NUM, /*< skip >*/
+ NM_SETTING_WIRELESS_SECURITY_PMF_LAST = _NM_SETTING_WIRELESS_SECURITY_PMF_NUM - 1, /*< skip >*/
+} NMSettingWirelessSecurityPmf;
+
#define NM_SETTING_WIRELESS_SECURITY_KEY_MGMT "key-mgmt"
#define NM_SETTING_WIRELESS_SECURITY_WEP_TX_KEYIDX "wep-tx-keyidx"
#define NM_SETTING_WIRELESS_SECURITY_AUTH_ALG "auth-alg"
#define NM_SETTING_WIRELESS_SECURITY_PROTO "proto"
#define NM_SETTING_WIRELESS_SECURITY_PAIRWISE "pairwise"
#define NM_SETTING_WIRELESS_SECURITY_GROUP "group"
+#define NM_SETTING_WIRELESS_SECURITY_PMF "pmf"
#define NM_SETTING_WIRELESS_SECURITY_LEAP_USERNAME "leap-username"
#define NM_SETTING_WIRELESS_SECURITY_WEP_KEY0 "wep-key0"
#define NM_SETTING_WIRELESS_SECURITY_WEP_KEY1 "wep-key1"
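Review bot: The NMSettingWirelessSecurityPmf doc block has no `Since: 1.10` line, unlike the getter and the property added in the same commit. It also calls the values "flags" although they are mutually exclusive enum values and verify() rejects anything above `NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED`. Suggest ending the block with `These values indicate whether PMF must be enabled.` followed by a blank comment line and `Since: 1.10`.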
@@ -132,6 +151,9 @@ void nm_setting_wireless_security_remove_group (NMSettingWireles
gboolean nm_setting_wireless_security_remove_group_by_value (NMSettingWirelessSecurity *setting, const char *group);
void nm_setting_wireless_security_clear_groups (NMSettingWirelessSecurity *setting);
+NM_AVAILABLE_IN_1_10
+NMSettingWirelessSecurityPmf nm_setting_wireless_security_get_pmf (NMSettingWirelessSecurity *setting);
+
const char *nm_setting_wireless_security_get_psk (NMSettingWirelessSecurity *setting);
NMSettingSecretFlags nm_setting_wireless_security_get_psk_flags (NMSettingWirelessSecurity *setting);
diff --git a/libnm/libnm.ver b/libnm/libnm.ver
index b767bf83a5..f9d826d831 100644
--- a/libnm/libnm.ver
+++ b/libnm/libnm.ver
@@ -1177,3 +1177,9 @@ global:
nm_utils_format_variant_attributes;
nm_utils_parse_variant_attributes;
} libnm_1_6_0;
+
+libnm_1_10_0 {
+global:
+ nm_setting_wireless_security_get_pmf;
+ nm_setting_wireless_security_pmf_get_type;
+} libnm_1_8_0;