supplicant: set optional PMF using global supplicant property

https://bugzilla.redhat.com/show_bug.cgi?id=1665694
Beniamino Galvani 2019-01-14 14:14:37 +01:00
parent 3b04eccd44
commit 7bcff3e30a
2 changed files with 165 additions and 1 deletions


@ -0,0 +1,159 @@
From 2c3014d60d8ec868fd889a906ef8c8ca9b6e8d17 Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Wed, 9 Jan 2019 11:36:52 +0100
Subject: [PATCH 1/2] supplicant: set optional PMF using global supplicant
property
wpa_supplicant is going to change the global default for PMF from 0
(disabled) to 1 (optional) [1], so NM code needs to be adjusted to
work with all wpa_supplicant versions. Furthermore, it is better to
set optional PMF using the 'Pmf' property instead of the 'ieee80211w'
configuration option because the former better handles missing support
in driver [2].
Note that each interface in wpa_supplicant has its own copy of global
configuration and so 'global' options must still be set on each
interface. So, let's set Pmf=1 when each interface gets created and
override it with ieee80211w={0,2} if needed during association.
[1] http://lists.infradead.org/pipermail/hostap/2018-November/039009.html
[2] http://lists.infradead.org/pipermail/hostap/2019-January/039215.html
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/issues/104
(cherry picked from commit a9ab50efb10dfb50cfe897c58afa300f8b07f6ba)
(cherry picked from commit 1110e0bcae7ab5a4fa9df0f8bf9ec62e7ea4a17a)
(cherry picked from commit 40adc98a6db593009dc7d92f39af9f4854a61b2a)
---
src/supplicant/nm-supplicant-config.c | 4 +--
src/supplicant/nm-supplicant-interface.c | 34 +++++++++++++++++++
src/supplicant/tests/test-supplicant-config.c | 4 +--
3 files changed, 38 insertions(+), 4 deletions(-)
diff --git a/src/supplicant/nm-supplicant-config.c b/src/supplicant/nm-supplicant-config.c
index 22f9a3c02..e3dd55a84 100644
--- a/src/supplicant/nm-supplicant-config.c
+++ b/src/supplicant/nm-supplicant-config.c
@@ -864,11 +864,11 @@ nm_supplicant_config_add_setting_wireless_security (NMSupplicantConfig *self,
if ( !nm_streq (key_mgmt, "wpa-none")
&& NM_IN_SET (pmf,
- NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL,
+ NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE,
NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED)) {
if (!nm_supplicant_config_add_option (self,
"ieee80211w",
- pmf == NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL ? "1" : "2",
+ pmf == NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE ? "0" : "2",
-1,
NULL,
error))
diff --git a/src/supplicant/nm-supplicant-interface.c b/src/supplicant/nm-supplicant-interface.c
index e16e3130e..b816722d0 100644
--- a/src/supplicant/nm-supplicant-interface.c
+++ b/src/supplicant/nm-supplicant-interface.c
@@ -555,6 +555,26 @@ iface_check_netreply_cb (GDBusProxy *proxy, GAsyncResult *result, gpointer user_
iface_check_ready (self);
}
+static void
+iface_set_pmf_cb (GDBusProxy *proxy, GAsyncResult *result, gpointer user_data)
+{
+ NMSupplicantInterface *self;
+ gs_unref_variant GVariant *variant = NULL;
+ gs_free_error GError *error = NULL;
+
+ variant = g_dbus_proxy_call_finish (proxy, result, &error);
+ if (g_error_matches (error, G_IO_ERROR, G_IO_ERROR_CANCELLED))
+ return;
+
+ self = NM_SUPPLICANT_INTERFACE (user_data);
+
+ /* This can fail if the supplicant doesn't support PMF */
+ if (error)
+ _LOGD ("failed to set Pmf=1: %s", error->message);
+
+ iface_check_ready (self);
+}
+
NMSupplicantFeature
nm_supplicant_interface_get_ap_support (NMSupplicantInterface *self)
{
@@ -1155,6 +1175,20 @@ on_iface_proxy_acquired (GDBusProxy *proxy, GAsyncResult *result, gpointer user_
NULL,
NULL);
+ /* Initialize global PMF setting to 'optional' */
+ priv->ready_count++;
+ g_dbus_proxy_call (priv->iface_proxy,
+ DBUS_INTERFACE_PROPERTIES ".Set",
+ g_variant_new ("(ssv)",
+ WPAS_DBUS_IFACE_INTERFACE,
+ "Pmf",
+ g_variant_new_string ("1")),
+ G_DBUS_CALL_FLAGS_NONE,
+ -1,
+ priv->init_cancellable,
+ (GAsyncReadyCallback) iface_set_pmf_cb,
+ self);
+
/* Check whether NetworkReply and AP mode are supported */
priv->ready_count = 1;
g_dbus_proxy_call (priv->iface_proxy,
diff --git a/src/supplicant/tests/test-supplicant-config.c b/src/supplicant/tests/test-supplicant-config.c
index 36831e676..d7ec1fe22 100644
--- a/src/supplicant/tests/test-supplicant-config.c
+++ b/src/supplicant/tests/test-supplicant-config.c
@@ -359,8 +359,8 @@ test_wifi_wpa_psk (const char *detail,
NMTST_EXPECT_NM_INFO ("Config: added 'pairwise' value 'TKIP CCMP'");
NMTST_EXPECT_NM_INFO ("Config: added 'group' value 'TKIP CCMP'");
switch (pmf) {
- case NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL:
- NMTST_EXPECT_NM_INFO ("Config: added 'ieee80211w' value '1'");
+ case NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE:
+ NMTST_EXPECT_NM_INFO ("Config: added 'ieee80211w' value '0'");
break;
case NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED:
NMTST_EXPECT_NM_INFO ("Config: added 'ieee80211w' value '2'");
--
2.20.1
From 5d0bf9db73fc552fc311d58dd51f0825aa883937 Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Mon, 14 Jan 2019 15:16:09 +0100
Subject: [PATCH 2/2] supplicant: fix ready_count assignment
Fix a wrong backport.
Fixes: 1110e0bcae7ab5a4fa9df0f8bf9ec62e7ea4a17a
(cherry picked from commit d0dd120ab4b5716eec87d65f2a1424718addf600)
(cherry picked from commit e511f724584e32cd3e618c47b8a779e7093da6bc)
---
src/supplicant/nm-supplicant-interface.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/supplicant/nm-supplicant-interface.c b/src/supplicant/nm-supplicant-interface.c
index b816722d0..7450fb823 100644
--- a/src/supplicant/nm-supplicant-interface.c
+++ b/src/supplicant/nm-supplicant-interface.c
@@ -1176,7 +1176,7 @@ on_iface_proxy_acquired (GDBusProxy *proxy, GAsyncResult *result, gpointer user_
NULL);
/* Initialize global PMF setting to 'optional' */
- priv->ready_count++;
+ priv->ready_count = 1;
g_dbus_proxy_call (priv->iface_proxy,
DBUS_INTERFACE_PROPERTIES ".Set",
g_variant_new ("(ssv)",
@@ -1190,7 +1190,7 @@ on_iface_proxy_acquired (GDBusProxy *proxy, GAsyncResult *result, gpointer user_
self);
/* Check whether NetworkReply and AP mode are supported */
- priv->ready_count = 1;
+ priv->ready_count++;
g_dbus_proxy_call (priv->iface_proxy,
"NetworkReply",
g_variant_new ("(oss)",
--
2.20.1
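Review bot: In `iface_set_pmf_cb` a failed `Pmf` Set is reported only through `_LOGD` and nothing is recorded, while the first hunk of PATCH 1/2 stops writing `ieee80211w=1` for `NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL`. A profile that asks for optional PMF therefore depends on this per-interface property having been applied. If the Set fails, the interface presumably keeps the supplicant's own default, which the commit message gives as 0 (disabled) for current versions, so management-frame protection would be absent with no trace outside debug logs. I would raise the log level and name the consequence, e.g. `_LOGI ("failed to set Pmf=1, optional PMF falls back to the supplicant default: %s", error->message);`. I would also add a comment above the `NM_IN_SET (pmf, ...)` check saying that OPTIONAL is now handled by the interface-level `Pmf` property, so only DISABLE and REQUIRED are written as `ieee80211w`. `nm_supplicant_config_add_setting_wireless_security` and `on_iface_proxy_acquired` both continue outside the hunks shown.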


@ -10,7 +10,7 @@
%global epoch_version 1
%global rpm_version 1.12.6
%global real_version 1.12.6
%global release_version 4
%global release_version 5
%global snapshot %{nil}
%global git_sha %{nil}
@ -115,6 +115,7 @@ Patch3: 0003-wifi-take-down-device-when-changing-mac.patch
Patch4: 0004-connectivity-check-rh1619873.patch
Patch5: 0005-fix-saving-agent-owned-secrets.patch
Patch6: 0006-cli-fix-cleanup-after-activation-from-editor.patch
Patch7: 0007-supplicant-global-pmf.patch
Requires(post): systemd
Requires(post): /usr/sbin/update-alternatives
@ -447,6 +448,7 @@ by nm-connection-editor and nm-applet in a non-graphical environment.
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%build
%if %{with regen_docs}
@ -863,6 +865,9 @@ fi
%changelog
* Mon Jan 14 2019 Beniamino Galvani <bgalvani@redhat.com> - 1:1.12.6-5
- improve Wi-Fi PMF support (rh #1665694)
* Wed Jan 2 2019 Beniamino Galvani <bgalvani@redhat.com> - 1:1.12.6-4
- fix saving agent-owned secrets
- cli: fix cleanup after activation from editor (rh #1662766)