From 7bcff3e30a5aa5b98b4a73f0c091c7c7ca68efef Mon Sep 17 00:00:00 2001 From: Beniamino Galvani Date: Mon, 14 Jan 2019 14:14:37 +0100 Subject: [PATCH] supplicant: set optional PMF using global supplicant property https://bugzilla.redhat.com/show_bug.cgi?id=1665694 --- 0007-supplicant-global-pmf.patch | 159 +++++++++++++++++++++++++++++++ NetworkManager.spec | 7 +- 2 files changed, 165 insertions(+), 1 deletion(-) create mode 100644 0007-supplicant-global-pmf.patch diff --git a/0007-supplicant-global-pmf.patch b/0007-supplicant-global-pmf.patch new file mode 100644 index 0000000..ec3e276 --- /dev/null +++ b/0007-supplicant-global-pmf.patch 
@@ -0,0 +1,159 @@ +From 2c3014d60d8ec868fd889a906ef8c8ca9b6e8d17 Mon Sep 17 00:00:00 2001 +From: Beniamino Galvani +Date: Wed, 9 Jan 2019 11:36:52 +0100 +Subject: [PATCH 1/2] supplicant: set optional PMF using global supplicant + property + +wpa_supplicant is going to change the global default for PMF from 0 +(disabled) to 1 (optional) [1], so NM code needs to be adjusted to +work with all wpa_supplicant versions. Furthermore, it is better to +set optional PMF using the 'Pmf' property instead of the 'ieee80211w' +configuration option because the former better handles missing support +in driver [2]. + +Note that each interface in wpa_supplicant has its own copy of global +configuration and so 'global' options must still be set on each +interface. So, let's set Pmf=1 when each interface gets created and +override it with ieee80211w={0,2} if needed during association. + +[1] http://lists.infradead.org/pipermail/hostap/2018-November/039009.html +[2] http://lists.infradead.org/pipermail/hostap/2019-January/039215.html + +https://gitlab.freedesktop.org/NetworkManager/NetworkManager/issues/104 +(cherry picked from commit a9ab50efb10dfb50cfe897c58afa300f8b07f6ba) +(cherry picked from commit 1110e0bcae7ab5a4fa9df0f8bf9ec62e7ea4a17a) +(cherry picked from commit 40adc98a6db593009dc7d92f39af9f4854a61b2a) +--- + src/supplicant/nm-supplicant-config.c | 4 +-- + src/supplicant/nm-supplicant-interface.c | 34 +++++++++++++++++++ + src/supplicant/tests/test-supplicant-config.c | 4 +-- + 3 files changed, 38 insertions(+), 4 deletions(-) + +diff --git a/src/supplicant/nm-supplicant-config.c b/src/supplicant/nm-supplicant-config.c +index 22f9a3c02..e3dd55a84 100644 +--- a/src/supplicant/nm-supplicant-config.c ++++ b/src/supplicant/nm-supplicant-config.c +@@ -864,11 +864,11 @@ nm_supplicant_config_add_setting_wireless_security (NMSupplicantConfig *self, + + if ( !nm_streq (key_mgmt, "wpa-none") + && NM_IN_SET (pmf, +- NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL, ++ 
NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE, + NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED)) { + if (!nm_supplicant_config_add_option (self, + "ieee80211w", +- pmf == NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL ? "1" : "2", ++ pmf == NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE ? "0" : "2", + -1, + NULL, + error)) +diff --git a/src/supplicant/nm-supplicant-interface.c b/src/supplicant/nm-supplicant-interface.c +index e16e3130e..b816722d0 100644 +--- a/src/supplicant/nm-supplicant-interface.c ++++ b/src/supplicant/nm-supplicant-interface.c +@@ -555,6 +555,26 @@ iface_check_netreply_cb (GDBusProxy *proxy, GAsyncResult *result, gpointer user_ + iface_check_ready (self); + } + ++static void ++iface_set_pmf_cb (GDBusProxy *proxy, GAsyncResult *result, gpointer user_data) ++{ ++ NMSupplicantInterface *self; ++ gs_unref_variant GVariant *variant = NULL; ++ gs_free_error GError *error = NULL; ++ ++ variant = g_dbus_proxy_call_finish (proxy, result, &error); ++ if (g_error_matches (error, G_IO_ERROR, G_IO_ERROR_CANCELLED)) ++ return; ++ ++ self = NM_SUPPLICANT_INTERFACE (user_data); ++ ++ /* This can fail if the supplicant doesn't support PMF */ ++ if (error) ++ _LOGD ("failed to set Pmf=1: %s", error->message); ++ ++ iface_check_ready (self); ++} ++ + NMSupplicantFeature + nm_supplicant_interface_get_ap_support (NMSupplicantInterface *self) + { +@@ -1155,6 +1175,20 @@ on_iface_proxy_acquired (GDBusProxy *proxy, GAsyncResult *result, gpointer user_ + NULL, + NULL); + ++ /* Initialize global PMF setting to 'optional' */ ++ priv->ready_count++; ++ g_dbus_proxy_call (priv->iface_proxy, ++ DBUS_INTERFACE_PROPERTIES ".Set", ++ g_variant_new ("(ssv)", ++ WPAS_DBUS_IFACE_INTERFACE, ++ "Pmf", ++ g_variant_new_string ("1")), ++ G_DBUS_CALL_FLAGS_NONE, ++ -1, ++ priv->init_cancellable, ++ (GAsyncReadyCallback) iface_set_pmf_cb, ++ self); ++ + /* Check whether NetworkReply and AP mode are supported */ + priv->ready_count = 1; + g_dbus_proxy_call (priv->iface_proxy, +diff --git 
a/src/supplicant/tests/test-supplicant-config.c b/src/supplicant/tests/test-supplicant-config.c +index 36831e676..d7ec1fe22 100644 +--- a/src/supplicant/tests/test-supplicant-config.c ++++ b/src/supplicant/tests/test-supplicant-config.c +@@ -359,8 +359,8 @@ test_wifi_wpa_psk (const char *detail, + NMTST_EXPECT_NM_INFO ("Config: added 'pairwise' value 'TKIP CCMP'"); + NMTST_EXPECT_NM_INFO ("Config: added 'group' value 'TKIP CCMP'"); + switch (pmf) { +- case NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL: +- NMTST_EXPECT_NM_INFO ("Config: added 'ieee80211w' value '1'"); ++ case NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE: ++ NMTST_EXPECT_NM_INFO ("Config: added 'ieee80211w' value '0'"); + break; + case NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED: + NMTST_EXPECT_NM_INFO ("Config: added 'ieee80211w' value '2'"); +-- +2.20.1 + + +From 5d0bf9db73fc552fc311d58dd51f0825aa883937 Mon Sep 17 00:00:00 2001 +From: Beniamino Galvani +Date: Mon, 14 Jan 2019 15:16:09 +0100 +Subject: [PATCH 2/2] supplicant: fix ready_count assignment + +Fix a wrong backport. 
+ +Fixes: 1110e0bcae7ab5a4fa9df0f8bf9ec62e7ea4a17a +(cherry picked from commit d0dd120ab4b5716eec87d65f2a1424718addf600) +(cherry picked from commit e511f724584e32cd3e618c47b8a779e7093da6bc) +--- + src/supplicant/nm-supplicant-interface.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/supplicant/nm-supplicant-interface.c b/src/supplicant/nm-supplicant-interface.c +index b816722d0..7450fb823 100644 +--- a/src/supplicant/nm-supplicant-interface.c ++++ b/src/supplicant/nm-supplicant-interface.c +@@ -1176,7 +1176,7 @@ on_iface_proxy_acquired (GDBusProxy *proxy, GAsyncResult *result, gpointer user_ + NULL); + + /* Initialize global PMF setting to 'optional' */ +- priv->ready_count++; ++ priv->ready_count = 1; + g_dbus_proxy_call (priv->iface_proxy, + DBUS_INTERFACE_PROPERTIES ".Set", + g_variant_new ("(ssv)", +@@ -1190,7 +1190,7 @@ on_iface_proxy_acquired (GDBusProxy *proxy, GAsyncResult *result, gpointer user_ + self); + + /* Check whether NetworkReply and AP mode are supported */ +- priv->ready_count = 1; ++ priv->ready_count++; + g_dbus_proxy_call (priv->iface_proxy, + "NetworkReply", + g_variant_new ("(oss)", +-- +2.20.1 + diff --git a/NetworkManager.spec b/NetworkManager.spec index 490a3ac..eaac852 100644 --- a/NetworkManager.spec +++ b/NetworkManager.spec @@ -10,7 +10,7 @@ %global epoch_version 1 %global rpm_version 1.12.6 %global real_version 1.12.6 -%global release_version 4 +%global release_version 5 %global snapshot %{nil} %global git_sha %{nil} @@ -115,6 +115,7 @@ Patch3: 0003-wifi-take-down-device-when-changing-mac.patch Patch4: 0004-connectivity-check-rh1619873.patch Patch5: 0005-fix-saving-agent-owned-secrets.patch Patch6: 0006-cli-fix-cleanup-after-activation-from-editor.patch +Patch7: 0007-supplicant-global-pmf.patch Requires(post): systemd Requires(post): /usr/sbin/update-alternatives 
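Review bot: In `iface_set_pmf_cb` (the nm-supplicant-interface.c part of the added patch) every failure of the `Pmf` Set call is logged at debug level only and the interface is then counted as ready, so a profile with pmf=optional can associate without management-frame protection and leave no trace in default logs. This matters more after the change, because the nm-supplicant-config.c hunk stops writing `ieee80211w=1` per network and the interface-level property becomes the only thing that enables optional PMF. I would extend the comment to say so, e.g. `/* This can fail if the supplicant doesn't support PMF; 'optional' profiles then connect without protected management frames */`. It is also worth logging errors other than the expected unsupported-property case above debug level, though the patch does not show which error an older supplicant returns here, so that needs checking first. `on_iface_proxy_acquired` starts and ends outside the hunk.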
@@ -447,6 +448,7 @@ by nm-connection-editor and nm-applet in a non-graphical environment. %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 %build %if %{with regen_docs} @@ -863,6 +865,9 @@ fi %changelog +* Mon Jan 14 2019 Beniamino Galvani - 1:1.12.6-5 +- improve Wi-Fi PMF support (rh #1665694) + * Wed Jan 2 2019 Beniamino Galvani - 1:1.12.6-4 - fix saving agent-owned secrets - cli: fix cleanup after activation from editor (rh #1662766)