supplicant: set optional PMF using global supplicant property

https://bugzilla.redhat.com/show_bug.cgi?id=1665694

.gitignore

@@ -348,3 +348,5 @@ network-manager-applet-0.8.1.tar.bz2
 /NetworkManager-1.11.90.tar.xz
 /NetworkManager-1.12.0.tar.xz
 /NetworkManager-1.12.2.tar.xz
+/NetworkManager-1.12.4.tar.xz
+/NetworkManager-1.12.6.tar.xz

0001-fix-eth-generate-mac-address-mask-global-default.patch

@@ -0,0 +1,29 @@
+From b259adf62da5e13112d4abe845c2a2a9a6273095 Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani <bgalvani@redhat.com>
+Date: Wed, 14 Nov 2018 16:36:33 +0100
+Subject: [PATCH 1/3] device: fix wrong connection default property
+
+Fixes: 96cabbcbb8f484f74fe69305b425b5109608e9d7
+(cherry picked from commit 218d7687a06e81cbb85849f070d133814a71190e)
+(cherry picked from commit 70cbda40cb8e11266db7b89cf408024f5d336527)
+(cherry picked from commit a3546bb28d437679df0d9bfb5f6747297fe284ca)
+---
+ src/devices/nm-device.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/devices/nm-device.c b/src/devices/nm-device.c
+index f0d747e5c..76c80bd3d 100644
+--- a/src/devices/nm-device.c
++++ b/src/devices/nm-device.c
+@@ -14734,7 +14734,7 @@ _get_generate_mac_address_mask_setting (NMDevice *self, NMConnection *connection
+ 	}
+ 
+ 	a = nm_config_data_get_connection_default (NM_CONFIG_GET_DATA,
+-	                                           is_wifi ? "wifi.generate-mac-address-mask" : "ethernet.generate-mac-mac-address-mask",
++	                                           is_wifi ? "wifi.generate-mac-address-mask" : "ethernet.generate-mac-address-mask",
+ 	                                           self);
+ 	if (!a)
+ 		return NULL;
+-- 
+2.17.1
+

0001-utils-test-don-t-assert-on-debug-level-messages.patch

@@ -1,27 +0,0 @@
-From 9e31748442e081dfb045bffa703afa8693005ad3 Mon Sep 17 00:00:00 2001
-From: Lubomir Rintel <lkundrak@v3.sk>
-Date: Sat, 11 Aug 2018 11:08:42 +0200
-Subject: [PATCH] utils/test: don't assert on debug level messages
-
-They come and go in GLib core for all sorts of purposes. Don't let that
-break our tests.
----
- shared/nm-utils/nm-test-utils.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/shared/nm-utils/nm-test-utils.h b/shared/nm-utils/nm-test-utils.h
-index 743893f03..03d2f73c8 100644
---- a/shared/nm-utils/nm-test-utils.h
-+++ b/shared/nm-utils/nm-test-utils.h
-@@ -574,7 +574,7 @@ __nmtst_init (int *argc, char ***argv, gboolean assert_logging, const char *log_
- 	} else {
- 		/* We were called not to set logging levels. This means, that the user
- 		 * expects to assert against (all) messages. Any uncought message is fatal. */
--		g_log_set_always_fatal (G_LOG_LEVEL_MASK);
-+		g_log_set_always_fatal (G_LOG_LEVEL_MASK & ~G_LOG_LEVEL_DEBUG);
- 	}
- 
- 	if ((!__nmtst_internal.assert_logging || (__nmtst_internal.assert_logging && __nmtst_internal.no_expect_message)) &&
--- 
-2.17.1
-

0001-version-fix-compile-error-due-to-NM_AVAILABLE_IN_1_1.patch

@@ -1,29 +0,0 @@
-From 0a3755c1799d3a4dc1875d4c59c7c568a64c8456 Mon Sep 17 00:00:00 2001
-From: Thomas Haller <thaller@redhat.com>
-Date: Tue, 31 Jul 2018 14:13:57 +0200
-Subject: [PATCH] version: fix compile error due to NM_AVAILABLE_IN_1_12_2
- macro
-
-Fixes: 8d09660481e1ff8b513aa60b2c40a4982ccc57cd
-
-https://mail.gnome.org/archives/networkmanager-list/2018-July/msg00023.html
----
- libnm-core/nm-version.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libnm-core/nm-version.h b/libnm-core/nm-version.h
-index ee6dbc0bd..c24048955 100644
---- a/libnm-core/nm-version.h
-+++ b/libnm-core/nm-version.h
-@@ -161,7 +161,7 @@
- #endif
- 
- #if NM_VERSION_MAX_ALLOWED < NM_VERSION_1_12_2
--# define NM_AVAILABLE_IN_1_12_2          G_UNAVAILABLE(1,12,2)
-+# define NM_AVAILABLE_IN_1_12_2          G_UNAVAILABLE(1,12.2)
- #else
- # define NM_AVAILABLE_IN_1_12_2
- #endif
--- 
-2.17.1
-

0002-man-add-missing-connection-defaults.patch

@@ -0,0 +1,52 @@
+From 4c19b09a356a14a1042d962e3d9e856695479c33 Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani <bgalvani@redhat.com>
+Date: Wed, 14 Nov 2018 16:35:53 +0100
+Subject: [PATCH 2/3] man: add missing connection defaults
+
+(cherry picked from commit a482b27593a757ea534d9a9989d7e409b8b2d4ed)
+(cherry picked from commit 9135603c93db12adbd9a1982ab45bc84d2078780)
+(cherry picked from commit f0890cc83fb5d0ce9c7d4800ab2818666c70dd16)
+---
+ man/NetworkManager.conf.xml | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/man/NetworkManager.conf.xml b/man/NetworkManager.conf.xml
+index 17bc42f34..f2addce14 100644
+--- a/man/NetworkManager.conf.xml
++++ b/man/NetworkManager.conf.xml
+@@ -642,6 +642,12 @@ ipv6.ip6-privacy=0
+       A default value is only consulted if the corresponding per-connection value
+       explicitly allows for that.
+       <variablelist>
++        <varlistentry>
++          <term><varname>802-1x.auth-timeout</varname></term>
++        </varlistentry>
++        <varlistentry>
++          <term><varname>cdma.mtu</varname></term>
++        </varlistentry>
+         <varlistentry>
+           <term><varname>connection.auth-retries</varname></term>
+           <listitem><para>If left unspecified, the default value is 3 tries before failing the connection.
+@@ -673,6 +679,9 @@ ipv6.ip6-privacy=0
+         <varlistentry>
+           <term><varname>ethernet.wake-on-lan</varname></term>
+         </varlistentry>
++        <varlistentry>
++          <term><varname>gsm.mtu</varname></term>
++        </varlistentry>
+         <varlistentry>
+           <term><varname>infiniband.mtu</varname></term>
+           <listitem><para>If configured explicitly to 0, the MTU is not reconfigured during device activation unless it is required due to IPv6 constraints. If left unspecified, a DHCP/IPv6 SLAAC provided value is used or the MTU is left unspecified on activation.</para></listitem>
+@@ -763,6 +772,9 @@ ipv6.ip6-privacy=0
+           <listitem><para>If left unspecified, the default value
+           "<literal>optional</literal>" will be used.</para></listitem>
+         </varlistentry>
++        <varlistentry>
++          <term><varname>wifi.wake-on-wlan</varname></term>
++        </varlistentry>
+       </variablelist>
+     </para>
+     </refsect2>
+-- 
+2.17.1
+

0003-wifi-take-down-device-when-changing-mac.patch

@@ -0,0 +1,52 @@
+From 77c31234bcd84faad81d0e33c1662c834a4f616d Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani <bgalvani@redhat.com>
+Date: Thu, 6 Dec 2018 16:56:47 +0100
+Subject: [PATCH 3/3] device: always take device down when changing MAC for
+ wifi devices
+
+If the device is not taken down wpa_supplicant does not detect that
+the MAC changed and the authentication can fail due to wrong key
+derivation.
+
+Fixes: e206a3473249be4c92c5d71214a33e90db301127
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1656157
+(cherry picked from commit 29e8f6d5a17c3dbfd11655338cd0ffc61e1fc91b)
+(cherry picked from commit b2686110ef9cfcd87470d65872abf4adb9dab37c)
+(cherry picked from commit 0624814af17fb66826fda0e901c3d73a292ff37e)
+---
+ src/devices/nm-device.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/devices/nm-device.c b/src/devices/nm-device.c
+index 76c80bd3d..3df5b28dc 100644
+--- a/src/devices/nm-device.c
++++ b/src/devices/nm-device.c
+@@ -14775,7 +14775,7 @@ _hw_addr_set (NMDevice *self,
+ 	NMPlatformError plerr;
+ 	guint8 addr_bytes[NM_UTILS_HWADDR_LEN_MAX];
+ 	gsize addr_len;
+-	gboolean was_taken_down;
++	gboolean was_taken_down = FALSE;
+ 	gboolean retry_down;
+ 
+ 	nm_assert (NM_IS_DEVICE (self));
+@@ -14799,7 +14799,14 @@ _hw_addr_set (NMDevice *self,
+ 
+ 	_LOGT (LOGD_DEVICE, "set-hw-addr: setting MAC address to '%s' (%s, %s)...", addr, operation, detail);
+ 
+-	was_taken_down = FALSE;
++	if (nm_device_get_device_type (self) == NM_DEVICE_TYPE_WIFI) {
++		/* Always take the device down for Wi-Fi because
++		 * wpa_supplicant needs it to properly detect the MAC
++		 * change. */
++		retry_down = FALSE;
++		was_taken_down = TRUE;
++		nm_device_take_down (self, FALSE);
++	}
+ 
+ again:
+ 	plerr = nm_platform_link_set_address (nm_device_get_platform (self), nm_device_get_ip_ifindex (self), addr_bytes, addr_len);
+-- 
+2.17.1
+

0004-connectivity-check-rh1619873.patch

@@ -0,0 +1,186 @@
+From 3ce03f15d9c51f07f2811d0a387488d5d7a4ef3b Mon Sep 17 00:00:00 2001
+From: Thomas Haller <thaller@redhat.com>
+Date: Mon, 3 Dec 2018 10:27:06 +0100
+Subject: [PATCH 1/2] libnm: add nm_connectivity_state_cmp() helper
+
+(cherry picked from commit 487ee687d5bba82ee1054d74961afe122260811f)
+(cherry picked from commit 51b7b10d3dc81d2837aba14ebf0e92f6ccd2db11)
+(cherry picked from commit c155f776fd38eb8acfff3ac03d2e648fbb92930b)
+---
+ src/nm-connectivity.h    | 15 +++++++++++
+ src/tests/test-general.c | 58 ++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 73 insertions(+)
+
+diff --git a/src/nm-connectivity.h b/src/nm-connectivity.h
+index 178f27ad9..99333cede 100644
+--- a/src/nm-connectivity.h
++++ b/src/nm-connectivity.h
+@@ -24,6 +24,21 @@
+ 
+ #include "nm-dbus-interface.h"
+ 
++/*****************************************************************************/
++
++static inline int
++nm_connectivity_state_cmp (NMConnectivityState a, NMConnectivityState b)
++{
++	if (a == NM_CONNECTIVITY_PORTAL && b == NM_CONNECTIVITY_LIMITED)
++		return 1;
++	if (b == NM_CONNECTIVITY_PORTAL && a == NM_CONNECTIVITY_LIMITED)
++		return -1;
++	NM_CMP_DIRECT (a, b);
++	return 0;
++}
++
++/*****************************************************************************/
++
+ #define NM_CONNECTIVITY_ERROR     ((NMConnectivityState) -1)
+ #define NM_CONNECTIVITY_FAKE      ((NMConnectivityState) -2)
+ #define NM_CONNECTIVITY_CANCELLED ((NMConnectivityState) -3)
+diff --git a/src/tests/test-general.c b/src/tests/test-general.c
+index 4db05ac84..56e18571c 100644
+--- a/src/tests/test-general.c
++++ b/src/tests/test-general.c
+@@ -29,6 +29,8 @@
+ #include "NetworkManagerUtils.h"
+ #include "nm-core-internal.h"
+ 
++#include "nm-connectivity.h"
++
+ #include "nm-test-utils-core.h"
+ 
+ /* Reference implementation for nm_utils_ip6_address_clear_host_address.
+@@ -1733,6 +1735,60 @@ test_nm_utils_exp10 (void)
+ 
+ /*****************************************************************************/
+ 
++static void
++test_connectivity_state_cmp (void)
++{
++	NMConnectivityState a;
++
++#define _cmp(a, b, cmp) \
++	G_STMT_START { \
++		const NMConnectivityState _a = (a); \
++		const NMConnectivityState _b = (b); \
++		const int _cmp = (cmp); \
++		\
++		g_assert (NM_IN_SET (_cmp, -1, 0, 1)); \
++		g_assert_cmpint (nm_connectivity_state_cmp (_a, _b), ==, _cmp); \
++		g_assert_cmpint (nm_connectivity_state_cmp (_b, _a), ==, -_cmp); \
++	} G_STMT_END
++
++	for (a = NM_CONNECTIVITY_UNKNOWN; a <= NM_CONNECTIVITY_FULL; a++)
++		_cmp (a, a, 0);
++
++	_cmp (NM_CONNECTIVITY_UNKNOWN, NM_CONNECTIVITY_UNKNOWN,  0);
++	_cmp (NM_CONNECTIVITY_UNKNOWN, NM_CONNECTIVITY_NONE,    -1);
++	_cmp (NM_CONNECTIVITY_UNKNOWN, NM_CONNECTIVITY_LIMITED, -1);
++	_cmp (NM_CONNECTIVITY_UNKNOWN, NM_CONNECTIVITY_PORTAL,  -1);
++	_cmp (NM_CONNECTIVITY_UNKNOWN, NM_CONNECTIVITY_FULL,    -1);
++
++	_cmp (NM_CONNECTIVITY_NONE,    NM_CONNECTIVITY_UNKNOWN,  1);
++	_cmp (NM_CONNECTIVITY_NONE,    NM_CONNECTIVITY_NONE,     0);
++	_cmp (NM_CONNECTIVITY_NONE,    NM_CONNECTIVITY_LIMITED, -1);
++	_cmp (NM_CONNECTIVITY_NONE,    NM_CONNECTIVITY_PORTAL,  -1);
++	_cmp (NM_CONNECTIVITY_NONE,    NM_CONNECTIVITY_FULL,    -1);
++
++	_cmp (NM_CONNECTIVITY_LIMITED, NM_CONNECTIVITY_UNKNOWN,  1);
++	_cmp (NM_CONNECTIVITY_LIMITED, NM_CONNECTIVITY_NONE,     1);
++	_cmp (NM_CONNECTIVITY_LIMITED, NM_CONNECTIVITY_LIMITED,  0);
++	_cmp (NM_CONNECTIVITY_LIMITED, NM_CONNECTIVITY_PORTAL,  -1);
++	_cmp (NM_CONNECTIVITY_LIMITED, NM_CONNECTIVITY_FULL,    -1);
++
++	_cmp (NM_CONNECTIVITY_PORTAL,  NM_CONNECTIVITY_UNKNOWN,  1);
++	_cmp (NM_CONNECTIVITY_PORTAL,  NM_CONNECTIVITY_NONE,     1);
++	_cmp (NM_CONNECTIVITY_PORTAL,  NM_CONNECTIVITY_LIMITED,  1);
++	_cmp (NM_CONNECTIVITY_PORTAL,  NM_CONNECTIVITY_PORTAL,   0);
++	_cmp (NM_CONNECTIVITY_PORTAL,  NM_CONNECTIVITY_FULL,    -1);
++
++	_cmp (NM_CONNECTIVITY_FULL,    NM_CONNECTIVITY_UNKNOWN,  1);
++	_cmp (NM_CONNECTIVITY_FULL,    NM_CONNECTIVITY_NONE,     1);
++	_cmp (NM_CONNECTIVITY_FULL,    NM_CONNECTIVITY_LIMITED,  1);
++	_cmp (NM_CONNECTIVITY_FULL,    NM_CONNECTIVITY_PORTAL,   1);
++	_cmp (NM_CONNECTIVITY_FULL,    NM_CONNECTIVITY_FULL,     0);
++
++#undef _cmp
++}
++
++/*****************************************************************************/
++
+ NMTST_DEFINE ();
+ 
+ int
+@@ -1777,6 +1833,8 @@ main (int argc, char **argv)
+ 	g_test_add_func ("/general/stable-id/parse", test_stable_id_parse);
+ 	g_test_add_func ("/general/stable-id/generated-complete", test_stable_id_generated_complete);
+ 
++	g_test_add_func ("/core/general/test_connectivity_state_cmp", test_connectivity_state_cmp);
++
+ 	return g_test_run ();
+ }
+ 
+-- 
+2.19.2
+
+
+From b3b90479be4593c2d9e94b6805973c69ad9f9851 Mon Sep 17 00:00:00 2001
+From: Thomas Haller <thaller@redhat.com>
+Date: Mon, 3 Dec 2018 10:31:51 +0100
+Subject: [PATCH 2/2] connectivity: fix determining the global connectivity
+ state
+
+Since we determine the connectivity state of each device individually,
+the global connectivity state is an aggregate of all these states.
+
+I am not sure about considering here devices that don't have the (best)
+default route for their respective address family. But anyway.
+
+When we aggregate the best connectivity, we chose the numerical largest
+value. That is wrong, because PORTAL is numerically smaller than
+LIMITED.
+
+That means, if you have two devices, one with connectivity LIMITED and
+one with connectivity PORTAL, then LIMITED wrongly wins.
+
+Fixes: 6b7e9f9b225e81d365fd95901a88a7bc59c1eb39
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1619873
+(cherry picked from commit ade753d06f4d8cac3a9c374fc1d9a409e2bce904)
+(cherry picked from commit d1e98e334dd71b8fafa2512911b737adffddf569)
+(cherry picked from commit 18103b00d8dd6dd99c9ff17d03cdf568a56d6720)
+---
+ src/nm-manager.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/nm-manager.c b/src/nm-manager.c
+index ad906169f..d5c849386 100644
+--- a/src/nm-manager.c
++++ b/src/nm-manager.c
+@@ -2741,18 +2741,21 @@ device_connectivity_changed (NMDevice *device,
+ 
+ 	best_state = nm_device_get_connectivity_state (device);
+ 	if (best_state < NM_CONNECTIVITY_FULL) {
++		/* FIXME: is this really correct, to considere devices that don't have
++		 * (the best) default route for connectivity checking? */
+ 		c_list_for_each_entry (dev, &priv->devices_lst_head, devices_lst) {
+ 			state = nm_device_get_connectivity_state (dev);
+-			if (state <= best_state)
++			if (nm_connectivity_state_cmp (state, best_state) <= 0)
+ 				continue;
+ 			best_state = state;
+-			if (best_state >= NM_CONNECTIVITY_FULL) {
++			if (nm_connectivity_state_cmp (best_state, NM_CONNECTIVITY_FULL) >= 0) {
+ 				/* it doesn't get better than this. */
+ 				break;
+ 			}
+ 		}
+ 	}
+ 	nm_assert (best_state <= NM_CONNECTIVITY_FULL);
++	nm_assert (nm_connectivity_state_cmp (best_state, NM_CONNECTIVITY_FULL) <= 0);
+ 
+ 	if (best_state != priv->connectivity_state) {
+ 		priv->connectivity_state = best_state;
+-- 
+2.19.2
+

0005-fix-saving-agent-owned-secrets.patch

@@ -0,0 +1,77 @@
+From 886493a8f0640d6de8dbc7014df419316eae5784 Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani <bgalvani@redhat.com>
+Date: Wed, 5 Dec 2018 11:46:45 +0100
+Subject: [PATCH 1/2] settings: apply agent-owned secrets from the new
+ connection on update
+
+When updating a connection passing agent-owned secret, they are lost
+from @reread_connection after the settings-plugin persists the
+connection. Therefore we need to cache and reapply them separately to
+the connection so that they can be saved to secret agents later.
+
+https://gitlab.freedesktop.org/NetworkManager/NetworkManager/issues/82
+(cherry picked from commit a3383726dce09255b5413a6230be580856ab212c)
+(cherry picked from commit 95d9fd387bcdd22e11cca98b540bb68fbd8744a0)
+(cherry picked from commit 5420456cf1104a792938089aefcd4f043217edb5)
+---
+ src/settings/nm-settings-connection.c | 22 +++++++++++++++++++++-
+ 1 file changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/src/settings/nm-settings-connection.c b/src/settings/nm-settings-connection.c
+index c09f68040..ccdaddb50 100644
+--- a/src/settings/nm-settings-connection.c
++++ b/src/settings/nm-settings-connection.c
+@@ -611,7 +611,9 @@ nm_settings_connection_update (NMSettingsConnection *self,
+ 	gboolean replaced = FALSE;
+ 	gs_free char *logmsg_change = NULL;
+ 	GError *local = NULL;
++	gs_unref_object NMConnection *simple = NULL;
+ 	gs_unref_variant GVariant *con_agent_secrets = NULL;
++	gs_unref_variant GVariant *new_agent_secrets = NULL;
+ 
+ 	g_return_val_if_fail (NM_IS_SETTINGS_CONNECTION (self), FALSE);
+ 
+@@ -652,6 +654,16 @@ nm_settings_connection_update (NMSettingsConnection *self,
+ 
+ 	replace_connection = reread_connection ?: new_connection;
+ 
++	/* Save agent-owned secrets from the new connection for later use */
++	if (new_connection) {
++		simple = nm_simple_connection_new_clone (new_connection);
++		nm_connection_clear_secrets_with_flags (simple,
++		                                        secrets_filter_cb,
++		                                        GUINT_TO_POINTER (NM_SETTING_SECRET_FLAG_AGENT_OWNED));
++		new_agent_secrets = nm_connection_to_dbus (simple, NM_CONNECTION_SERIALIZE_ONLY_SECRETS);
++		g_clear_object (&simple);
++	}
++
+ 	/* Disconnect the changed signal to ensure we don't set Unsaved when
+ 	 * it's not required.
+ 	 */
+@@ -662,7 +674,6 @@ nm_settings_connection_update (NMSettingsConnection *self,
+ 	    && !nm_connection_compare (NM_CONNECTION (self),
+ 	                               replace_connection,
+ 	                               NM_SETTING_COMPARE_FLAG_EXACT)) {
+-		gs_unref_object NMConnection *simple = NULL;
+ 
+ 		if (log_diff_name) {
+ 			nm_utils_log_connection_diff (replace_connection, NM_CONNECTION (self), LOGL_DEBUG, LOGD_CORE, log_diff_name, "++ ",
+@@ -709,6 +720,15 @@ nm_settings_connection_update (NMSettingsConnection *self,
+ 			(void) nm_connection_update_secrets (NM_CONNECTION (self), NULL, con_agent_secrets, NULL);
+ 	}
+ 
++	/* Apply agent-owned secrets from the new connection so that
++	 * they can be sent to agents */
++	if (new_agent_secrets) {
++		(void) nm_connection_update_secrets (NM_CONNECTION (self),
++		                                     NULL,
++		                                     new_agent_secrets,
++		                                     NULL);
++	}
++
+ 	nm_settings_connection_recheck_visibility (self);
+ 
+ 	if (   replaced
+-- 
+2.20.1
+

0006-cli-fix-cleanup-after-activation-from-editor.patch

@@ -0,0 +1,52 @@
+From 0c581081fa18aa412885a700b6d5fc017a53a463 Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani <bgalvani@redhat.com>
+Date: Mon, 8 Oct 2018 21:43:18 +0200
+Subject: [PATCH 2/2] cli: fix cleanup after activation from editor
+
+progress_activation_editor_cb() is called multiple times every 120
+milliseconds and it must free resources only the last time.
+
+Fixes: f0a26865458a42dd35975efd9bf6fdd2d9445c08
+
+https://gitlab.freedesktop.org/NetworkManager/NetworkManager/issues/51
+(cherry picked from commit d091cbdc2fb2c953da226b92c461ae3ede2cece0)
+(cherry picked from commit fd3658e25f5c18d9d53d3f580cfce68ed416848b)
+(cherry picked from commit 09d8eca1c26fe96731182df096804e8421dbdd7c)
+---
+ clients/cli/connections.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/clients/cli/connections.c b/clients/cli/connections.c
+index b547e34ca..f6066b87d 100644
+--- a/clients/cli/connections.c
++++ b/clients/cli/connections.c
+@@ -6523,8 +6523,8 @@ static gboolean
+ progress_activation_editor_cb (gpointer user_data)
+ {
+ 	MonitorACInfo *info = (MonitorACInfo *) user_data;
+-	gs_unref_object NMDevice *device = info->device;
+-	gs_unref_object NMActiveConnection *ac = info->ac;
++	NMDevice *device = info->device;
++	NMActiveConnection *ac = info->ac;
+ 	NMActiveConnectionState ac_state;
+ 	NMDeviceState dev_state;
+ 
+@@ -6557,11 +6557,13 @@ progress_activation_editor_cb (gpointer user_data)
+ 		                               nm_object_get_path (NM_OBJECT (connection)));
+ 	}
+ 
+-	return TRUE;
++	return G_SOURCE_CONTINUE;
+ 
+ finish:
++	nm_g_object_unref (device);
++	nm_g_object_unref (ac);
+ 	info->monitor_id = 0;
+-	return FALSE;
++	return G_SOURCE_REMOVE;
+ }
+ 
+ static void
+-- 
+2.20.1
+

0007-supplicant-global-pmf.patch

@@ -0,0 +1,159 @@
+From 2c3014d60d8ec868fd889a906ef8c8ca9b6e8d17 Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani <bgalvani@redhat.com>
+Date: Wed, 9 Jan 2019 11:36:52 +0100
+Subject: [PATCH 1/2] supplicant: set optional PMF using global supplicant
+ property
+
+wpa_supplicant is going to change the global default for PMF from 0
+(disabled) to 1 (optional) [1], so NM code needs to be adjusted to
+work with all wpa_supplicant versions. Furthermore, it is better to
+set optional PMF using the 'Pmf' property instead of the 'ieee80211w'
+configuration option because the former better handles missing support
+in driver [2].
+
+Note that each interface in wpa_supplicant has its own copy of global
+configuration and so 'global' options must still be set on each
+interface. So, let's set Pmf=1 when each interface gets created and
+override it with ieee80211w={0,2} if needed during association.
+
+[1] http://lists.infradead.org/pipermail/hostap/2018-November/039009.html
+[2] http://lists.infradead.org/pipermail/hostap/2019-January/039215.html
+
+https://gitlab.freedesktop.org/NetworkManager/NetworkManager/issues/104
+(cherry picked from commit a9ab50efb10dfb50cfe897c58afa300f8b07f6ba)
+(cherry picked from commit 1110e0bcae7ab5a4fa9df0f8bf9ec62e7ea4a17a)
+(cherry picked from commit 40adc98a6db593009dc7d92f39af9f4854a61b2a)
+---
+ src/supplicant/nm-supplicant-config.c         |  4 +--
+ src/supplicant/nm-supplicant-interface.c      | 34 +++++++++++++++++++
+ src/supplicant/tests/test-supplicant-config.c |  4 +--
+ 3 files changed, 38 insertions(+), 4 deletions(-)
+
+diff --git a/src/supplicant/nm-supplicant-config.c b/src/supplicant/nm-supplicant-config.c
+index 22f9a3c02..e3dd55a84 100644
+--- a/src/supplicant/nm-supplicant-config.c
++++ b/src/supplicant/nm-supplicant-config.c
+@@ -864,11 +864,11 @@ nm_supplicant_config_add_setting_wireless_security (NMSupplicantConfig *self,
+ 
+ 		if (   !nm_streq (key_mgmt, "wpa-none")
+ 		    && NM_IN_SET (pmf,
+-		                  NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL,
++		                  NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE,
+ 		                  NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED)) {
+ 			if (!nm_supplicant_config_add_option (self,
+ 			                                      "ieee80211w",
+-			                                      pmf == NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL ? "1" : "2",
++			                                      pmf == NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE ? "0" : "2",
+ 			                                      -1,
+ 			                                      NULL,
+ 			                                      error))
+diff --git a/src/supplicant/nm-supplicant-interface.c b/src/supplicant/nm-supplicant-interface.c
+index e16e3130e..b816722d0 100644
+--- a/src/supplicant/nm-supplicant-interface.c
++++ b/src/supplicant/nm-supplicant-interface.c
+@@ -555,6 +555,26 @@ iface_check_netreply_cb (GDBusProxy *proxy, GAsyncResult *result, gpointer user_
+ 	iface_check_ready (self);
+ }
+ 
++static void
++iface_set_pmf_cb (GDBusProxy *proxy, GAsyncResult *result, gpointer user_data)
++{
++	NMSupplicantInterface *self;
++	gs_unref_variant GVariant *variant = NULL;
++	gs_free_error GError *error = NULL;
++
++	variant = g_dbus_proxy_call_finish (proxy, result, &error);
++	if (g_error_matches (error, G_IO_ERROR, G_IO_ERROR_CANCELLED))
++		return;
++
++	self = NM_SUPPLICANT_INTERFACE (user_data);
++
++	/* This can fail if the supplicant doesn't support PMF */
++	if (error)
++		_LOGD ("failed to set Pmf=1: %s", error->message);
++
++	iface_check_ready (self);
++}
++
+ NMSupplicantFeature
+ nm_supplicant_interface_get_ap_support (NMSupplicantInterface *self)
+ {
+@@ -1155,6 +1175,20 @@ on_iface_proxy_acquired (GDBusProxy *proxy, GAsyncResult *result, gpointer user_
+ 	                   NULL,
+ 	                   NULL);
+ 
++	/* Initialize global PMF setting to 'optional' */
++	priv->ready_count++;
++	g_dbus_proxy_call (priv->iface_proxy,
++	                   DBUS_INTERFACE_PROPERTIES ".Set",
++	                   g_variant_new ("(ssv)",
++	                                  WPAS_DBUS_IFACE_INTERFACE,
++	                                  "Pmf",
++	                                  g_variant_new_string ("1")),
++	                   G_DBUS_CALL_FLAGS_NONE,
++	                   -1,
++	                   priv->init_cancellable,
++	                   (GAsyncReadyCallback) iface_set_pmf_cb,
++	                   self);
++
+ 	/* Check whether NetworkReply and AP mode are supported */
+ 	priv->ready_count = 1;
+ 	g_dbus_proxy_call (priv->iface_proxy,
+diff --git a/src/supplicant/tests/test-supplicant-config.c b/src/supplicant/tests/test-supplicant-config.c
+index 36831e676..d7ec1fe22 100644
+--- a/src/supplicant/tests/test-supplicant-config.c
++++ b/src/supplicant/tests/test-supplicant-config.c
+@@ -359,8 +359,8 @@ test_wifi_wpa_psk (const char *detail,
+ 	NMTST_EXPECT_NM_INFO ("Config: added 'pairwise' value 'TKIP CCMP'");
+ 	NMTST_EXPECT_NM_INFO ("Config: added 'group' value 'TKIP CCMP'");
+ 	switch (pmf) {
+-	case NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL:
+-		NMTST_EXPECT_NM_INFO ("Config: added 'ieee80211w' value '1'");
++	case NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE:
++		NMTST_EXPECT_NM_INFO ("Config: added 'ieee80211w' value '0'");
+ 		break;
+ 	case NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED:
+ 		NMTST_EXPECT_NM_INFO ("Config: added 'ieee80211w' value '2'");
+-- 
+2.20.1
+
+
+From 5d0bf9db73fc552fc311d58dd51f0825aa883937 Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani <bgalvani@redhat.com>
+Date: Mon, 14 Jan 2019 15:16:09 +0100
+Subject: [PATCH 2/2] supplicant: fix ready_count assignment
+
+Fix a wrong backport.
+
+Fixes: 1110e0bcae7ab5a4fa9df0f8bf9ec62e7ea4a17a
+(cherry picked from commit d0dd120ab4b5716eec87d65f2a1424718addf600)
+(cherry picked from commit e511f724584e32cd3e618c47b8a779e7093da6bc)
+---
+ src/supplicant/nm-supplicant-interface.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/supplicant/nm-supplicant-interface.c b/src/supplicant/nm-supplicant-interface.c
+index b816722d0..7450fb823 100644
+--- a/src/supplicant/nm-supplicant-interface.c
++++ b/src/supplicant/nm-supplicant-interface.c
+@@ -1176,7 +1176,7 @@ on_iface_proxy_acquired (GDBusProxy *proxy, GAsyncResult *result, gpointer user_
+ 	                   NULL);
+ 
+ 	/* Initialize global PMF setting to 'optional' */
+-	priv->ready_count++;
++	priv->ready_count = 1;
+ 	g_dbus_proxy_call (priv->iface_proxy,
+ 	                   DBUS_INTERFACE_PROPERTIES ".Set",
+ 	                   g_variant_new ("(ssv)",
+@@ -1190,7 +1190,7 @@ on_iface_proxy_acquired (GDBusProxy *proxy, GAsyncResult *result, gpointer user_
+ 	                   self);
+ 
+ 	/* Check whether NetworkReply and AP mode are supported */
+-	priv->ready_count = 1;
++	priv->ready_count++;
+ 	g_dbus_proxy_call (priv->iface_proxy,
+ 	                   "NetworkReply",
+ 	                   g_variant_new ("(oss)",
+-- 
+2.20.1
+

NetworkManager.spec

@@ -8,9 +8,9 @@
 %global glib2_version %(pkg-config --modversion glib-2.0 2>/dev/null || echo bad)
 
 %global epoch_version 1
-%global rpm_version 1.12.2
-%global real_version 1.12.2
-%global release_version 2
+%global rpm_version 1.12.6
+%global real_version 1.12.6
+%global release_version 5
 %global snapshot %{nil}
 %global git_sha %{nil}
 
@@ -109,8 +109,13 @@ Source2: 00-server.conf
 Source3: 20-connectivity-fedora.conf
 Source4: 20-connectivity-redhat.conf
 
-Patch0: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/commit/0a3755c179.patch#/0001-version-fix-compile-error-due-to-NM_AVAILABLE_IN_1_1.patch
-Patch1: 0001-utils-test-don-t-assert-on-debug-level-messages.patch
+Patch1: 0001-fix-eth-generate-mac-address-mask-global-default.patch
+Patch2: 0002-man-add-missing-connection-defaults.patch
+Patch3: 0003-wifi-take-down-device-when-changing-mac.patch
+Patch4: 0004-connectivity-check-rh1619873.patch
+Patch5: 0005-fix-saving-agent-owned-secrets.patch
+Patch6: 0006-cli-fix-cleanup-after-activation-from-editor.patch
+Patch7: 0007-supplicant-global-pmf.patch
 
 Requires(post): systemd
 Requires(post): /usr/sbin/update-alternatives
@@ -436,9 +441,14 @@ by nm-connection-editor and nm-applet in a non-graphical environment.
 
 %prep
 %setup -q -n NetworkManager-%{real_version}
-%patch0 -p1
-%patch1 -p1
 
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
 
 %build
 %if %{with regen_docs}
@@ -667,9 +677,9 @@ fi
 %config(noreplace) %{_sysconfdir}/%{name}/NetworkManager.conf
 %{_bindir}/nm-online
 %{_libexecdir}/nm-ifup
-%ghost %{_sbindir}/ifup
+%ghost %attr(755, root, root) %{_sbindir}/ifup
 %{_libexecdir}/nm-ifdown
-%ghost %{_sbindir}/ifdown
+%ghost %attr(755, root, root) %{_sbindir}/ifdown
 %{_libexecdir}/nm-dhcp-helper
 %{_libexecdir}/nm-dispatcher
 %{_libexecdir}/nm-iface-helper
@@ -853,7 +863,31 @@ fi
 %{_mandir}/man1/nmtui*
 %endif
 
+
 %changelog
+* Mon Jan 14 2019 Beniamino Galvani <bgalvani@redhat.com> - 1:1.12.6-5
+- improve Wi-Fi PMF support (rh #1665694)
+
+* Wed Jan  2 2019 Beniamino Galvani <bgalvani@redhat.com> - 1:1.12.6-4
+- fix saving agent-owned secrets
+- cli: fix cleanup after activation from editor (rh #1662766)
+
+* Tue Dec 11 2018 Thomas Haller <thaller@redhat.com> - 1:1.12.6-3
+- connectivity: fix portal detection with multiple devices (rh #1619873)
+
+* Mon Dec 10 2018 Beniamino Galvani <bgalvani@redhat.com> - 1:1.12.6-2
+- fix connection failure with some Wi-Fi adapters (rh #1656157)
+- import other minor upstream fixes after 1.12.6
+
+* Sat Dec  1 2018 Thomas Haller <thaller@redhat.com> - 1:1.12.6-1
+- Update to 1.12.6 release
+
+* Mon Oct 29 2018 Thomas Haller <thaller@redhat.com> - 1:1.12.4-2
+- dhcp: fix out-of-bounds heap write for DHCPv6 with internal plugin (CVE-2018-15688)
+
+* Tue Sep 18 2018 Thomas Haller <thaller@redhat.com> - 1:1.12.4-1
+- Update to 1.12.4 release
+
 * Sat Aug 11 2018 Lubomir Rintel <lkundrak@v3.sk> - 1:1.12.2-2
 - fix compile error due to NM_AVAILABLE_IN_1_12_2
 
@@ -3292,4 +3326,3 @@ fi
 
 * Fri Aug 20 2004 Dan Williams <dcbw@redhat.com> 0.1-3
 - First public release
-

sources

@@ -1 +1 @@
-SHA512 (NetworkManager-1.12.2.tar.xz) = cf5dae6ca8b6d3819a79485082f959907213d43413d15c41b79eb7da40edb913a41e7c18586b14bbf84f30ac493e2d9d466f5e66130c636f041ce939aaf49f35
+SHA512 (NetworkManager-1.12.6.tar.xz) = b2117bdd9978ea18a7015c285abc684b7bc31ff0b4b1956194b23cbb85c2bc75bec5fc50a37493c3d717810fe683a72ef186816eb4eca889af8ea35bd1095e94