supplicant: set optional PMF using global supplicant propertybg/pmf-global

wpa_supplicant is going to change the global default for PMF from 0 (disabled) to 1 (optional) [1], so NM code needs to be adjusted to work with all wpa_supplicant versions. Furthermore, it is better to set optional PMF using the 'Pmf' property instead of the 'ieee80211w' configuration option because the former better handles missing support in driver [2]. Note that each interface in wpa_supplicant has its own copy of global configuration and so 'global' options must still be set on each interface. So, let's set Pmf=1 when each interface gets created and override it with ieee80211w={0,2} if needed during association. [1] http://lists.infradead.org/pipermail/hostap/2018-November/039009.html [2] http://lists.infradead.org/pipermail/hostap/2019-January/039215.html
author: Beniamino Galvani <bgalvani@redhat.com> 2019-01-09 11:36:52 +0100
committer: Beniamino Galvani <bgalvani@redhat.com> 2019-01-09 12:54:27 +0100
commit: 6583edba2afeb78937d2912a3cd7a354a86c2ed4 (patch)
tree: fb223396bf52c63325f3a80dfbf0e61a5871442e
parent: e844984a344566a1016c7336b82f6ebec1d77cbf (diff)
download: NetworkManager-bg/pmf-global.tar.gz
3 files changed, 38 insertions, 4 deletions
diff --git a/src/supplicant/nm-supplicant-config.c b/src/supplicant/nm-supplicant-config.c
index 55936ed048..57adc8c133 100644
--- a/src/supplicant/nm-supplicant-config.c
+++ b/src/supplicant/nm-supplicant-config.c
@@ -869,11 +869,11 @@ nm_supplicant_config_add_setting_wireless_security (NMSupplicantConfig *self,
 
 		if (   !nm_streq (key_mgmt, "wpa-none")
 		    && NM_IN_SET (pmf,
-		                  NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL,
+		                  NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE,
 		                  NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED)) {
 			if (!nm_supplicant_config_add_option (self,
 			                                      "ieee80211w",
-			                                      pmf == NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL ? "1" : "2",
+			                                      pmf == NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE ? "0" : "2",
 			                                      -1,
 			                                      NULL,
 			                                      error))
diff --git a/src/supplicant/nm-supplicant-interface.c b/src/supplicant/nm-supplicant-interface.c
index 6e4d178a05..c30adc58f9 100644
--- a/src/supplicant/nm-supplicant-interface.c
+++ b/src/supplicant/nm-supplicant-interface.c
@@ -716,6 +716,26 @@ iface_check_netreply_cb (GDBusProxy *proxy, GAsyncResult *result, gpointer user_
 	iface_check_ready (self);
 }
 
+static void
+iface_set_pmf_cb (GDBusProxy *proxy, GAsyncResult *result, gpointer user_data)
+{
+	NMSupplicantInterface *self;
+	gs_unref_variant GVariant *variant = NULL;
+	gs_free_error GError *error = NULL;
+
+	variant = g_dbus_proxy_call_finish (proxy, result, &error);
+	if (g_error_matches (error, G_IO_ERROR, G_IO_ERROR_CANCELLED))
+		return;
+
+	self = NM_SUPPLICANT_INTERFACE (user_data);
+
+	/* This can fail if the supplicant doesn't support PMF */
+	if (error)
+		_LOGD ("failed to set Pmf=1: %s", error->message);
+
+	iface_check_ready (self);
+}
+
 gboolean
 nm_supplicant_interface_get_p2p_group_joined (NMSupplicantInterface *self)
 {
@@ -1619,6 +1639,20 @@ on_iface_proxy_acquired (GDBusProxy *proxy, GAsyncResult *result, gpointer user_
 	                   NULL,
 	                   NULL);
 
+	/* Initialize global PMF setting to 'optional' */
+	priv->ready_count++;
+	g_dbus_proxy_call (priv->iface_proxy,
+	                   DBUS_INTERFACE_PROPERTIES ".Set",
+	                   g_variant_new ("(ssv)",
+	                                  WPAS_DBUS_IFACE_INTERFACE,
+	                                  "Pmf",
+	                                  g_variant_new_string ("1")),
+	                   G_DBUS_CALL_FLAGS_NONE,
+	                   -1,
+	                   priv->init_cancellable,
+	                   (GAsyncReadyCallback) iface_set_pmf_cb,
+	                   self);
+
 	/* Check whether NetworkReply and AP mode are supported */
 	g_dbus_proxy_call (priv->iface_proxy,
 	                   "NetworkReply",
diff --git a/src/supplicant/tests/test-supplicant-config.c b/src/supplicant/tests/test-supplicant-config.c
index 36831e6767..d7ec1fe22f 100644
--- a/src/supplicant/tests/test-supplicant-config.c
+++ b/src/supplicant/tests/test-supplicant-config.c
@@ -359,8 +359,8 @@ test_wifi_wpa_psk (const char *detail,
 	NMTST_EXPECT_NM_INFO ("Config: added 'pairwise' value 'TKIP CCMP'");
 	NMTST_EXPECT_NM_INFO ("Config: added 'group' value 'TKIP CCMP'");
 	switch (pmf) {
-	case NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL:
-		NMTST_EXPECT_NM_INFO ("Config: added 'ieee80211w' value '1'");
+	case NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE:
+		NMTST_EXPECT_NM_INFO ("Config: added 'ieee80211w' value '0'");
 		break;
 	case NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED:
 		NMTST_EXPECT_NM_INFO ("Config: added 'ieee80211w' value '2'");
author	Beniamino Galvani <bgalvani@redhat.com>	2019-01-09 11:36:52 +0100
committer	Beniamino Galvani <bgalvani@redhat.com>	2019-01-09 12:54:27 +0100
commit	6583edba2afeb78937d2912a3cd7a354a86c2ed4 (patch)
tree	fb223396bf52c63325f3a80dfbf0e61a5871442e
parent	e844984a344566a1016c7336b82f6ebec1d77cbf (diff)
download	NetworkManager-bg/pmf-global.tar.gz