From 482885e6e914f0647ad49c1ac3cac624a1195c8f Mon Sep 17 00:00:00 2001
From: David Bauer
Date: Thu, 16 Jun 2022 03:13:37 +0200
Subject: supplicant/config: supplicant: prevent OWE downgrade

Prevent downgrade of Enhanced Open / OWE connection profiles to unencrypted connections by forcing wpa_supplicant to use OWE.

Signed-off-by: David Bauer
---
 src/core/supplicant/nm-supplicant-config.c | 8 ++++++++
 src/core/supplicant/nm-supplicant-settings-verify.c | 1 +
 2 files changed, 9 insertions(+)
diff --git a/src/core/supplicant/nm-supplicant-config.c b/src/core/supplicant/nm-supplicant-config.c
index 3b67c86bd4..7e089ecf93 100644
--- a/src/core/supplicant/nm-supplicant-config.c
+++ b/src/core/supplicant/nm-supplicant-config.c
@@ -1088,6 +1088,14 @@ nm_supplicant_config_add_setting_wireless_security(NMSupplicantConfig
 error))
 return FALSE;
 }
+
+ /* In case the connection is saved as OWE / Enhanced Open, prevent
+ * unencrypted downgrade
+ */
+ if (nm_streq(key_mgmt, "owe")) {
+ if (!nm_supplicant_config_add_option(self, "owe_only", "1", -1, NULL, error))
+ return FALSE;
+ }
 }
 /* WEP keys if required */
diff --git a/src/core/supplicant/nm-supplicant-settings-verify.c b/src/core/supplicant/nm-supplicant-settings-verify.c
index 566173af75..9881c552dc 100644
--- a/src/core/supplicant/nm-supplicant-settings-verify.c
+++ b/src/core/supplicant/nm-supplicant-settings-verify.c
@@ -92,6 +92,7 @@ static const struct Opt opt_table[] = {
 OPT_BYTES("mka_cak", 65536),
 OPT_BYTES("mka_ckn", 65536),
 OPT_BYTES("nai", 0),
+ OPT_INT("owe_only", 0, 1),
 OPT_BYTES("pac_file", 0),
 OPT_KEYWORD("pairwise", NM_MAKE_STRV("CCMP", "TKIP", "GCMP-256", "NONE", )),
 OPT_UTF8("password", 0),
-- 
cgit v1.2.1
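Review bot: Nothing in this commit pins the new downgrade protection with a test: the diffstat lists only nm-supplicant-config.c and nm-supplicant-settings-verify.c, so a later refactor of nm_supplicant_config_add_setting_wireless_security() could drop `owe_only` without any failure. A supplicant-config test asserting that a profile with key_mgmt "owe" emits `owe_only=1`, and that other key_mgmt values do not, would keep this security control from regressing silently. In the nm-supplicant-config.c hunk the new `if (nm_streq(key_mgmt, "owe"))` block also sits inside an enclosing block that is closed by the following context `}` and whose condition lies outside the hunk; if that condition ever stops matching "owe", the option is no longer written and the profile presumably falls back to the supplicant's default behaviour. The comment could record that dependency, e.g. `/* owe_only=1: never fall back to an open BSS for a profile saved as OWE; relies on the enclosing key_mgmt check still covering "owe". */`.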