authorDavid Bauer <mail@david-bauer.net>2022-06-16 03:13:37 +0200
committerThomas Haller <thaller@redhat.com>2022-06-17 19:50:40 +0200
commit482885e6e914f0647ad49c1ac3cac624a1195c8f (patch)
tree5d835ce0e26916bac3747aa095593e492d7d6de5
parent81b4b87c5909197933a82ea6d4c06314c50c080c (diff)
supplicant/config: supplicant: prevent OWE downgrade
Prevent downgrade of Enhanced Open / OWE connection profiles to unencrypted connections by forcing wpa_supplicant to use OWE. Signed-off-by: David Bauer <mail@david-bauer.net>
-rw-r--r--src/core/supplicant/nm-supplicant-config.c8
-rw-r--r--src/core/supplicant/nm-supplicant-settings-verify.c1
2 files changed, 9 insertions, 0 deletions
diff --git a/src/core/supplicant/nm-supplicant-config.c b/src/core/supplicant/nm-supplicant-config.c
index 3b67c86bd4..7e089ecf93 100644
--- a/src/core/supplicant/nm-supplicant-config.c
+++ b/src/core/supplicant/nm-supplicant-config.c
@@ -1088,6 +1088,14 @@ nm_supplicant_config_add_setting_wireless_security(NMSupplicantConfig
error))
return FALSE;
}
+
+ /* In case the connection is saved as OWE / Enhanced Open, prevent
+ * unencrypted downgrade
+ */
+ if (nm_streq(key_mgmt, "owe")) {
+ if (!nm_supplicant_config_add_option(self, "owe_only", "1", -1, NULL, error))
+ return FALSE;
+ }
}
/* WEP keys if required */
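Review bot: The `owe_only` option is added inside a block that opens outside this hunk (it closes at the `}` right after the new code), so it cannot be confirmed from here that every profile with `key_mgmt` "owe" reaches it. That enclosing condition is worth checking, because if an OWE profile skips the block the downgrade protection is silently absent rather than failing. The new comment would also be more useful if it named the mechanism, for example `/* owe_only=1: never fall back to the open BSS of an OWE transition-mode network */`. A profile saved as OWE that so far associated with the open BSS will presumably stop connecting after this change. That appears to be the intent, but it is a user-visible behaviour change and deserves a line in the commit message or release notes.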
diff --git a/src/core/supplicant/nm-supplicant-settings-verify.c b/src/core/supplicant/nm-supplicant-settings-verify.c
index 566173af75..9881c552dc 100644
--- a/src/core/supplicant/nm-supplicant-settings-verify.c
+++ b/src/core/supplicant/nm-supplicant-settings-verify.c
@@ -92,6 +92,7 @@ static const struct Opt opt_table[] = {
OPT_BYTES("mka_cak", 65536),
OPT_BYTES("mka_ckn", 65536),
OPT_BYTES("nai", 0),
+ OPT_INT("owe_only", 0, 1),
OPT_BYTES("pac_file", 0),
OPT_KEYWORD("pairwise", NM_MAKE_STRV("CCMP", "TKIP", "GCMP-256", "NONE", )),
OPT_UTF8("password", 0),