authorBeniamino Galvani <bgalvani@redhat.com>2017-03-18 15:05:03 +0100
committerBeniamino Galvani <bgalvani@redhat.com>2017-04-15 10:37:33 +0200
commit72cfa1f45829f70840b8581f8e6d8cb0f057f2de (patch)
treef9887917e7c8e94e75518849b62f703d0774ae19 /src
parenta72ffe230bce1486fcd6bbaea8e111a9e77f33ed (diff)
downloadNetworkManager-72cfa1f45829f70840b8581f8e6d8cb0f057f2de.tar.gz
supplicant: enable stronger AKMs when PMF is enabled
Diffstat (limited to 'src')
-rw-r--r--src/supplicant/nm-supplicant-config.c28
-rw-r--r--src/supplicant/nm-supplicant-config.h2
-rw-r--r--src/supplicant/nm-supplicant-interface.c9
-rw-r--r--src/supplicant/nm-supplicant-settings-verify.c4
4 files changed, 42 insertions, 1 deletions
diff --git a/src/supplicant/nm-supplicant-config.c b/src/supplicant/nm-supplicant-config.c
index 1f4c74a5f4..4ff376a5cd 100644
--- a/src/supplicant/nm-supplicant-config.c
+++ b/src/supplicant/nm-supplicant-config.c
@@ -1325,3 +1325,31 @@ nm_supplicant_config_add_no_security (NMSupplicantConfig *self, GError **error)
return nm_supplicant_config_add_option (self, "key_mgmt", "NONE", -1, NULL, error);
}
+gboolean
+nm_supplicant_config_enable_pmf_akm (NMSupplicantConfig *self, GError **error)
+{
+ NMSupplicantConfigPrivate *priv;
+ ConfigOption *option;
+
+ g_return_val_if_fail (NM_IS_SUPPLICANT_CONFIG (self), FALSE);
+ g_return_val_if_fail (!error || !*error, FALSE);
+
+ priv = NM_SUPPLICANT_CONFIG_GET_PRIVATE (self);
+
+ option = g_hash_table_lookup (priv->config, "key_mgmt");
+ if (!option)
+ return TRUE;
+
+ if (nm_streq0 (option->value, "WPA-PSK")) {
+ g_hash_table_remove (priv->config, "key_mgmt");
+ if (!nm_supplicant_config_add_option (self, "key_mgmt", "WPA-PSK WPA-PSK-SHA256", -1, NULL, error))
+ return FALSE;
+ } else if (nm_streq0 (option->value, "WPA-EAP")) {
+ g_hash_table_remove (priv->config, "key_mgmt");
+ if (!nm_supplicant_config_add_option (self, "key_mgmt", "WPA-EAP WPA-EAP-SHA256", -1, NULL, error))
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
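Review bot: In both branches `g_hash_table_remove (priv->config, "key_mgmt")` runs before `nm_supplicant_config_add_option ()`, so if the add fails the function returns FALSE with the original `key_mgmt` entry already gone. The function has no doc comment; I would add one that states this contract, e.g. `/* Widens key_mgmt to also offer the SHA256 AKM; on FALSE the key_mgmt option has been removed and the config must not be used. */`. The comparison is an exact `nm_streq0` match, so a `key_mgmt` value that already lists several AKMs is left unchanged; whether such values can reach this function is not visible in the hunk.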
diff --git a/src/supplicant/nm-supplicant-config.h b/src/supplicant/nm-supplicant-config.h
index 6acfb7ee14..705833ff5f 100644
--- a/src/supplicant/nm-supplicant-config.h
+++ b/src/supplicant/nm-supplicant-config.h
@@ -76,4 +76,6 @@ gboolean nm_supplicant_config_add_setting_macsec (NMSupplicantConfig *self,
NMSettingMacsec *setting,
GError **error);
+gboolean nm_supplicant_config_enable_pmf_akm (NMSupplicantConfig *self,
+ GError **error);
#endif /* __NETWORKMANAGER_SUPPLICANT_CONFIG_H__ */
diff --git a/src/supplicant/nm-supplicant-interface.c b/src/supplicant/nm-supplicant-interface.c
index e92a57ff86..d3efadf15d 100644
--- a/src/supplicant/nm-supplicant-interface.c
+++ b/src/supplicant/nm-supplicant-interface.c
@@ -1424,6 +1424,7 @@ nm_supplicant_interface_assoc (NMSupplicantInterface *self,
{
NMSupplicantInterfacePrivate *priv;
AssocData *assoc_data;
+ GError *error = NULL;
g_return_if_fail (NM_IS_SUPPLICANT_INTERFACE (self));
g_return_if_fail (NM_IS_SUPPLICANT_CONFIG (cfg));
@@ -1440,6 +1441,14 @@ nm_supplicant_interface_assoc (NMSupplicantInterface *self,
assoc_data->callback = callback;
assoc_data->user_data = user_data;
+ if ( priv->driver == NM_SUPPLICANT_DRIVER_WIRELESS
+ && priv->pmf_support == NM_SUPPLICANT_FEATURE_YES) {
+ if (!nm_supplicant_config_enable_pmf_akm (cfg, &error)) {
+ _LOGW ("could not enable PMF AKMs in config: %s", error->message);
+ g_error_free (error);
+ }
+ }
+
_LOGD ("assoc[%p]: starting association...", assoc_data);
/* Make sure the supplicant supports EAP-FAST before trying to send
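Review bot: The failure branch at `_LOGW ("could not enable PMF AKMs in config: %s", error->message)` only warns and then continues to "starting association...", although by then nm_supplicant_config_enable_pmf_akm() has removed `key_mgmt` from `cfg`, so the association would be attempted without the configured key-management restriction. I would stop the association on this path and report the error the way other failures in nm_supplicant_interface_assoc are reported (that code is outside the hunk), or have the helper restore the original value before returning FALSE. The condition tests `priv->pmf_support`, which reads as the supplicant's capability rather than the connection's own PMF setting; if that is intended, a comment such as `/* SHA256 AKMs are offered whenever the supplicant supports PMF, independent of the connection's pmf setting */` would make it explicit. Using `g_clear_error (&error);` in place of `g_error_free (error);` would also leave the pointer NULL for the rest of the function.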
diff --git a/src/supplicant/nm-supplicant-settings-verify.c b/src/supplicant/nm-supplicant-settings-verify.c
index ce3e46d8dc..fd5b06eacf 100644
--- a/src/supplicant/nm-supplicant-settings-verify.c
+++ b/src/supplicant/nm-supplicant-settings-verify.c
@@ -71,7 +71,9 @@ static const struct validate_entry validate_table[] = {
const char * pairwise_allowed[] = { "CCMP", "TKIP", "NONE", NULL };
const char * group_allowed[] = { "CCMP", "TKIP", "WEP104", "WEP40", NULL };
const char * proto_allowed[] = { "WPA", "RSN", NULL };
-const char * key_mgmt_allowed[] = { "WPA-PSK", "WPA-EAP", "IEEE8021X", "WPA-NONE",
+const char * key_mgmt_allowed[] = { "WPA-PSK", "WPA-PSK-SHA256",
+ "WPA-EAP", "WPA-EAP-SHA256",
+ "IEEE8021X", "WPA-NONE",
"NONE", NULL };
const char * auth_alg_allowed[] = { "OPEN", "SHARED", "LEAP", NULL };
const char * eap_allowed[] = { "LEAP", "MD5", "TLS", "PEAP", "TTLS", "SIM",