supplicant: set optional PMF using global supplicant property

https://bugzilla.redhat.com/show_bug.cgi?id=1665694

.gitignore

@@ -348,86 +348,5 @@ network-manager-applet-0.8.1.tar.bz2
 /NetworkManager-1.11.90.tar.xz
 /NetworkManager-1.12.0.tar.xz
 /NetworkManager-1.12.2.tar.xz
-/NetworkManager-1.14.0.tar.xz
-/NetworkManager-1.14.2.tar.xz
-/NetworkManager-1.14.4.tar.xz
-/NetworkManager-1.15.90.tar.xz
-/NetworkManager-1.15.91.tar.xz
-/NetworkManager-1.16.0.tar.xz
-/NetworkManager-1.18.0.tar.xz
-/NetworkManager-1.19.2.tar.xz
-/NetworkManager-1.19.3.tar.xz
-/NetworkManager-1.19.5.tar.xz
-/NetworkManager-1.19.90.tar.xz
-/NetworkManager-1.20.0.tar.xz
-/NetworkManager-1.20.2.tar.xz
-/NetworkManager-1.20.4.tar.xz
-/NetworkManager-1.21.3.tar.xz
-/NetworkManager-1.21.90.tar.xz
-/NetworkManager-1.22.0.tar.xz
-/NetworkManager-1.22.2.tar.xz
-/NetworkManager-1.22.4.tar.xz
-/NetworkManager-1.22.6.tar.xz
-/NetworkManager-1.22.8.tar.xz
-/NetworkManager-1.22.10.tar.xz
-/NetworkManager-1.23.90.tar.xz
-/NetworkManager-1.23.91.tar.xz
-/NetworkManager-1.24.0.tar.xz
-/NetworkManager-1.24.2.tar.xz
-/NetworkManager-1.25.90.tar.xz
-/NetworkManager-1.26.0.tar.xz
-/NetworkManager-1.26.2.tar.xz
-/NetworkManager-1.27.90.tar.xz
-/NetworkManager-1.27.91.tar.xz
-/NetworkManager-1.28.0.tar.xz
-/NetworkManager-1.29.8.tar.xz
-/NetworkManager-1.29.9.tar.xz
-/NetworkManager-1.29.11.tar.xz
-/NetworkManager-1.29.90.tar.xz
-/NetworkManager-1.30.0.tar.xz
-/NetworkManager-1.30.2.tar.xz
-/NetworkManager-1.31.2.tar.xz
-/NetworkManager-1.31.3.tar.xz
-/NetworkManager-1.31.4.tar.xz
-/NetworkManager-1.31.90.tar.xz
-/NetworkManager-1.32.0.tar.xz
-/NetworkManager-1.32.4.tar.xz
-/NetworkManager-1.32.6.tar.xz
-/NetworkManager-1.32.8.tar.xz
-/NetworkManager-1.32.10.tar.xz
-/NetworkManager-1.32.12.tar.xz
-/NetworkManager-1.35.1.tar.xz
-/NetworkManager-1.35.2.tar.xz
-/NetworkManager-1.35.3.tar.xz
-/NetworkManager-1.35.4.tar.xz
-/NetworkManager-1.35.6.tar.xz
-/NetworkManager-1.35.7.tar.xz
-/NetworkManager-1.35.90.tar.xz
-/NetworkManager-1.35.91.tar.xz
-/NetworkManager-1.35.92.tar.xz
-/NetworkManager-1.36.0.tar.xz
-/NetworkManager-1.36.2.tar.xz
-/NetworkManager-1.36.4.tar.xz
-/NetworkManager-1.37.3.tar.xz
-/NetworkManager-1.37.90.tar.xz
-/NetworkManager-1.37.91.tar.xz
-/NetworkManager-1.37.92.tar.xz
-/NetworkManager-1.38.0.tar.xz
-/NetworkManager-1.39.8.tar.xz
-/NetworkManager-1.39.10.tar.xz
-/NetworkManager-1.39.11.tar.xz
-/NetworkManager-1.39.90.tar.xz
-/NetworkManager-1.40.0.tar.xz
-/NetworkManager-1.41.3.tar.xz
-/NetworkManager-1.41.4.tar.xz
-/NetworkManager-1.41.5.tar.xz
-/NetworkManager-1.41.6.tar.xz
-/NetworkManager-1.41.7.tar.xz
-/NetworkManager-1.41.8.tar.xz
-/NetworkManager-1.41.90.tar.xz
-/NetworkManager-1.41.91.tar.xz
-/NetworkManager-1.42.0.tar.xz
-/NetworkManager-1.43.3.tar.xz
-/NetworkManager-1.43.4.tar.xz
-/NetworkManager-1.43.5.tar.xz
-/NetworkManager-1.43.6.tar.xz
+/NetworkManager-1.12.4.tar.xz
+/NetworkManager-1.12.6.tar.xz

0001-fix-eth-generate-mac-address-mask-global-default.patch

@@ -0,0 +1,29 @@
+From b259adf62da5e13112d4abe845c2a2a9a6273095 Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani <bgalvani@redhat.com>
+Date: Wed, 14 Nov 2018 16:36:33 +0100
+Subject: [PATCH 1/3] device: fix wrong connection default property
+
+Fixes: 96cabbcbb8f484f74fe69305b425b5109608e9d7
+(cherry picked from commit 218d7687a06e81cbb85849f070d133814a71190e)
+(cherry picked from commit 70cbda40cb8e11266db7b89cf408024f5d336527)
+(cherry picked from commit a3546bb28d437679df0d9bfb5f6747297fe284ca)
+---
+ src/devices/nm-device.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/devices/nm-device.c b/src/devices/nm-device.c
+index f0d747e5c..76c80bd3d 100644
+--- a/src/devices/nm-device.c
++++ b/src/devices/nm-device.c
+@@ -14734,7 +14734,7 @@ _get_generate_mac_address_mask_setting (NMDevice *self, NMConnection *connection
+ 	}
+ 
+ 	a = nm_config_data_get_connection_default (NM_CONFIG_GET_DATA,
+-	                                           is_wifi ? "wifi.generate-mac-address-mask" : "ethernet.generate-mac-mac-address-mask",
++	                                           is_wifi ? "wifi.generate-mac-address-mask" : "ethernet.generate-mac-address-mask",
+ 	                                           self);
+ 	if (!a)
+ 		return NULL;
+-- 
+2.17.1
+

0002-man-add-missing-connection-defaults.patch

@@ -0,0 +1,52 @@
+From 4c19b09a356a14a1042d962e3d9e856695479c33 Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani <bgalvani@redhat.com>
+Date: Wed, 14 Nov 2018 16:35:53 +0100
+Subject: [PATCH 2/3] man: add missing connection defaults
+
+(cherry picked from commit a482b27593a757ea534d9a9989d7e409b8b2d4ed)
+(cherry picked from commit 9135603c93db12adbd9a1982ab45bc84d2078780)
+(cherry picked from commit f0890cc83fb5d0ce9c7d4800ab2818666c70dd16)
+---
+ man/NetworkManager.conf.xml | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/man/NetworkManager.conf.xml b/man/NetworkManager.conf.xml
+index 17bc42f34..f2addce14 100644
+--- a/man/NetworkManager.conf.xml
++++ b/man/NetworkManager.conf.xml
+@@ -642,6 +642,12 @@ ipv6.ip6-privacy=0
+       A default value is only consulted if the corresponding per-connection value
+       explicitly allows for that.
+       <variablelist>
++        <varlistentry>
++          <term><varname>802-1x.auth-timeout</varname></term>
++        </varlistentry>
++        <varlistentry>
++          <term><varname>cdma.mtu</varname></term>
++        </varlistentry>
+         <varlistentry>
+           <term><varname>connection.auth-retries</varname></term>
+           <listitem><para>If left unspecified, the default value is 3 tries before failing the connection.
+@@ -673,6 +679,9 @@ ipv6.ip6-privacy=0
+         <varlistentry>
+           <term><varname>ethernet.wake-on-lan</varname></term>
+         </varlistentry>
++        <varlistentry>
++          <term><varname>gsm.mtu</varname></term>
++        </varlistentry>
+         <varlistentry>
+           <term><varname>infiniband.mtu</varname></term>
+           <listitem><para>If configured explicitly to 0, the MTU is not reconfigured during device activation unless it is required due to IPv6 constraints. If left unspecified, a DHCP/IPv6 SLAAC provided value is used or the MTU is left unspecified on activation.</para></listitem>
+@@ -763,6 +772,9 @@ ipv6.ip6-privacy=0
+           <listitem><para>If left unspecified, the default value
+           "<literal>optional</literal>" will be used.</para></listitem>
+         </varlistentry>
++        <varlistentry>
++          <term><varname>wifi.wake-on-wlan</varname></term>
++        </varlistentry>
+       </variablelist>
+     </para>
+     </refsect2>
+-- 
+2.17.1
+

0003-wifi-take-down-device-when-changing-mac.patch

@@ -0,0 +1,52 @@
+From 77c31234bcd84faad81d0e33c1662c834a4f616d Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani <bgalvani@redhat.com>
+Date: Thu, 6 Dec 2018 16:56:47 +0100
+Subject: [PATCH 3/3] device: always take device down when changing MAC for
+ wifi devices
+
+If the device is not taken down wpa_supplicant does not detect that
+the MAC changed and the authentication can fail due to wrong key
+derivation.
+
+Fixes: e206a3473249be4c92c5d71214a33e90db301127
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1656157
+(cherry picked from commit 29e8f6d5a17c3dbfd11655338cd0ffc61e1fc91b)
+(cherry picked from commit b2686110ef9cfcd87470d65872abf4adb9dab37c)
+(cherry picked from commit 0624814af17fb66826fda0e901c3d73a292ff37e)
+---
+ src/devices/nm-device.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/devices/nm-device.c b/src/devices/nm-device.c
+index 76c80bd3d..3df5b28dc 100644
+--- a/src/devices/nm-device.c
++++ b/src/devices/nm-device.c
+@@ -14775,7 +14775,7 @@ _hw_addr_set (NMDevice *self,
+ 	NMPlatformError plerr;
+ 	guint8 addr_bytes[NM_UTILS_HWADDR_LEN_MAX];
+ 	gsize addr_len;
+-	gboolean was_taken_down;
++	gboolean was_taken_down = FALSE;
+ 	gboolean retry_down;
+ 
+ 	nm_assert (NM_IS_DEVICE (self));
+@@ -14799,7 +14799,14 @@ _hw_addr_set (NMDevice *self,
+ 
+ 	_LOGT (LOGD_DEVICE, "set-hw-addr: setting MAC address to '%s' (%s, %s)...", addr, operation, detail);
+ 
+-	was_taken_down = FALSE;
++	if (nm_device_get_device_type (self) == NM_DEVICE_TYPE_WIFI) {
++		/* Always take the device down for Wi-Fi because
++		 * wpa_supplicant needs it to properly detect the MAC
++		 * change. */
++		retry_down = FALSE;
++		was_taken_down = TRUE;
++		nm_device_take_down (self, FALSE);
++	}
+ 
+ again:
+ 	plerr = nm_platform_link_set_address (nm_device_get_platform (self), nm_device_get_ip_ifindex (self), addr_bytes, addr_len);
+-- 
+2.17.1
+

0004-connectivity-check-rh1619873.patch

@@ -0,0 +1,186 @@
+From 3ce03f15d9c51f07f2811d0a387488d5d7a4ef3b Mon Sep 17 00:00:00 2001
+From: Thomas Haller <thaller@redhat.com>
+Date: Mon, 3 Dec 2018 10:27:06 +0100
+Subject: [PATCH 1/2] libnm: add nm_connectivity_state_cmp() helper
+
+(cherry picked from commit 487ee687d5bba82ee1054d74961afe122260811f)
+(cherry picked from commit 51b7b10d3dc81d2837aba14ebf0e92f6ccd2db11)
+(cherry picked from commit c155f776fd38eb8acfff3ac03d2e648fbb92930b)
+---
+ src/nm-connectivity.h    | 15 +++++++++++
+ src/tests/test-general.c | 58 ++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 73 insertions(+)
+
+diff --git a/src/nm-connectivity.h b/src/nm-connectivity.h
+index 178f27ad9..99333cede 100644
+--- a/src/nm-connectivity.h
++++ b/src/nm-connectivity.h
+@@ -24,6 +24,21 @@
+ 
+ #include "nm-dbus-interface.h"
+ 
++/*****************************************************************************/
++
++static inline int
++nm_connectivity_state_cmp (NMConnectivityState a, NMConnectivityState b)
++{
++	if (a == NM_CONNECTIVITY_PORTAL && b == NM_CONNECTIVITY_LIMITED)
++		return 1;
++	if (b == NM_CONNECTIVITY_PORTAL && a == NM_CONNECTIVITY_LIMITED)
++		return -1;
++	NM_CMP_DIRECT (a, b);
++	return 0;
++}
++
++/*****************************************************************************/
++
+ #define NM_CONNECTIVITY_ERROR     ((NMConnectivityState) -1)
+ #define NM_CONNECTIVITY_FAKE      ((NMConnectivityState) -2)
+ #define NM_CONNECTIVITY_CANCELLED ((NMConnectivityState) -3)
+diff --git a/src/tests/test-general.c b/src/tests/test-general.c
+index 4db05ac84..56e18571c 100644
+--- a/src/tests/test-general.c
++++ b/src/tests/test-general.c
+@@ -29,6 +29,8 @@
+ #include "NetworkManagerUtils.h"
+ #include "nm-core-internal.h"
+ 
++#include "nm-connectivity.h"
++
+ #include "nm-test-utils-core.h"
+ 
+ /* Reference implementation for nm_utils_ip6_address_clear_host_address.
+@@ -1733,6 +1735,60 @@ test_nm_utils_exp10 (void)
+ 
+ /*****************************************************************************/
+ 
++static void
++test_connectivity_state_cmp (void)
++{
++	NMConnectivityState a;
++
++#define _cmp(a, b, cmp) \
++	G_STMT_START { \
++		const NMConnectivityState _a = (a); \
++		const NMConnectivityState _b = (b); \
++		const int _cmp = (cmp); \
++		\
++		g_assert (NM_IN_SET (_cmp, -1, 0, 1)); \
++		g_assert_cmpint (nm_connectivity_state_cmp (_a, _b), ==, _cmp); \
++		g_assert_cmpint (nm_connectivity_state_cmp (_b, _a), ==, -_cmp); \
++	} G_STMT_END
++
++	for (a = NM_CONNECTIVITY_UNKNOWN; a <= NM_CONNECTIVITY_FULL; a++)
++		_cmp (a, a, 0);
++
++	_cmp (NM_CONNECTIVITY_UNKNOWN, NM_CONNECTIVITY_UNKNOWN,  0);
++	_cmp (NM_CONNECTIVITY_UNKNOWN, NM_CONNECTIVITY_NONE,    -1);
++	_cmp (NM_CONNECTIVITY_UNKNOWN, NM_CONNECTIVITY_LIMITED, -1);
++	_cmp (NM_CONNECTIVITY_UNKNOWN, NM_CONNECTIVITY_PORTAL,  -1);
++	_cmp (NM_CONNECTIVITY_UNKNOWN, NM_CONNECTIVITY_FULL,    -1);
++
++	_cmp (NM_CONNECTIVITY_NONE,    NM_CONNECTIVITY_UNKNOWN,  1);
++	_cmp (NM_CONNECTIVITY_NONE,    NM_CONNECTIVITY_NONE,     0);
++	_cmp (NM_CONNECTIVITY_NONE,    NM_CONNECTIVITY_LIMITED, -1);
++	_cmp (NM_CONNECTIVITY_NONE,    NM_CONNECTIVITY_PORTAL,  -1);
++	_cmp (NM_CONNECTIVITY_NONE,    NM_CONNECTIVITY_FULL,    -1);
++
++	_cmp (NM_CONNECTIVITY_LIMITED, NM_CONNECTIVITY_UNKNOWN,  1);
++	_cmp (NM_CONNECTIVITY_LIMITED, NM_CONNECTIVITY_NONE,     1);
++	_cmp (NM_CONNECTIVITY_LIMITED, NM_CONNECTIVITY_LIMITED,  0);
++	_cmp (NM_CONNECTIVITY_LIMITED, NM_CONNECTIVITY_PORTAL,  -1);
++	_cmp (NM_CONNECTIVITY_LIMITED, NM_CONNECTIVITY_FULL,    -1);
++
++	_cmp (NM_CONNECTIVITY_PORTAL,  NM_CONNECTIVITY_UNKNOWN,  1);
++	_cmp (NM_CONNECTIVITY_PORTAL,  NM_CONNECTIVITY_NONE,     1);
++	_cmp (NM_CONNECTIVITY_PORTAL,  NM_CONNECTIVITY_LIMITED,  1);
++	_cmp (NM_CONNECTIVITY_PORTAL,  NM_CONNECTIVITY_PORTAL,   0);
++	_cmp (NM_CONNECTIVITY_PORTAL,  NM_CONNECTIVITY_FULL,    -1);
++
++	_cmp (NM_CONNECTIVITY_FULL,    NM_CONNECTIVITY_UNKNOWN,  1);
++	_cmp (NM_CONNECTIVITY_FULL,    NM_CONNECTIVITY_NONE,     1);
++	_cmp (NM_CONNECTIVITY_FULL,    NM_CONNECTIVITY_LIMITED,  1);
++	_cmp (NM_CONNECTIVITY_FULL,    NM_CONNECTIVITY_PORTAL,   1);
++	_cmp (NM_CONNECTIVITY_FULL,    NM_CONNECTIVITY_FULL,     0);
++
++#undef _cmp
++}
++
++/*****************************************************************************/
++
+ NMTST_DEFINE ();
+ 
+ int
+@@ -1777,6 +1833,8 @@ main (int argc, char **argv)
+ 	g_test_add_func ("/general/stable-id/parse", test_stable_id_parse);
+ 	g_test_add_func ("/general/stable-id/generated-complete", test_stable_id_generated_complete);
+ 
++	g_test_add_func ("/core/general/test_connectivity_state_cmp", test_connectivity_state_cmp);
++
+ 	return g_test_run ();
+ }
+ 
+-- 
+2.19.2
+
+
+From b3b90479be4593c2d9e94b6805973c69ad9f9851 Mon Sep 17 00:00:00 2001
+From: Thomas Haller <thaller@redhat.com>
+Date: Mon, 3 Dec 2018 10:31:51 +0100
+Subject: [PATCH 2/2] connectivity: fix determining the global connectivity
+ state
+
+Since we determine the connectivity state of each device individually,
+the global connectivity state is an aggregate of all these states.
+
+I am not sure about considering here devices that don't have the (best)
+default route for their respective address family. But anyway.
+
+When we aggregate the best connectivity, we chose the numerical largest
+value. That is wrong, because PORTAL is numerically smaller than
+LIMITED.
+
+That means, if you have two devices, one with connectivity LIMITED and
+one with connectivity PORTAL, then LIMITED wrongly wins.
+
+Fixes: 6b7e9f9b225e81d365fd95901a88a7bc59c1eb39
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1619873
+(cherry picked from commit ade753d06f4d8cac3a9c374fc1d9a409e2bce904)
+(cherry picked from commit d1e98e334dd71b8fafa2512911b737adffddf569)
+(cherry picked from commit 18103b00d8dd6dd99c9ff17d03cdf568a56d6720)
+---
+ src/nm-manager.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/nm-manager.c b/src/nm-manager.c
+index ad906169f..d5c849386 100644
+--- a/src/nm-manager.c
++++ b/src/nm-manager.c
+@@ -2741,18 +2741,21 @@ device_connectivity_changed (NMDevice *device,
+ 
+ 	best_state = nm_device_get_connectivity_state (device);
+ 	if (best_state < NM_CONNECTIVITY_FULL) {
++		/* FIXME: is this really correct, to considere devices that don't have
++		 * (the best) default route for connectivity checking? */
+ 		c_list_for_each_entry (dev, &priv->devices_lst_head, devices_lst) {
+ 			state = nm_device_get_connectivity_state (dev);
+-			if (state <= best_state)
++			if (nm_connectivity_state_cmp (state, best_state) <= 0)
+ 				continue;
+ 			best_state = state;
+-			if (best_state >= NM_CONNECTIVITY_FULL) {
++			if (nm_connectivity_state_cmp (best_state, NM_CONNECTIVITY_FULL) >= 0) {
+ 				/* it doesn't get better than this. */
+ 				break;
+ 			}
+ 		}
+ 	}
+ 	nm_assert (best_state <= NM_CONNECTIVITY_FULL);
++	nm_assert (nm_connectivity_state_cmp (best_state, NM_CONNECTIVITY_FULL) <= 0);
+ 
+ 	if (best_state != priv->connectivity_state) {
+ 		priv->connectivity_state = best_state;
+-- 
+2.19.2
+

0005-fix-saving-agent-owned-secrets.patch

@@ -0,0 +1,77 @@
+From 886493a8f0640d6de8dbc7014df419316eae5784 Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani <bgalvani@redhat.com>
+Date: Wed, 5 Dec 2018 11:46:45 +0100
+Subject: [PATCH 1/2] settings: apply agent-owned secrets from the new
+ connection on update
+
+When updating a connection passing agent-owned secret, they are lost
+from @reread_connection after the settings-plugin persists the
+connection. Therefore we need to cache and reapply them separately to
+the connection so that they can be saved to secret agents later.
+
+https://gitlab.freedesktop.org/NetworkManager/NetworkManager/issues/82
+(cherry picked from commit a3383726dce09255b5413a6230be580856ab212c)
+(cherry picked from commit 95d9fd387bcdd22e11cca98b540bb68fbd8744a0)
+(cherry picked from commit 5420456cf1104a792938089aefcd4f043217edb5)
+---
+ src/settings/nm-settings-connection.c | 22 +++++++++++++++++++++-
+ 1 file changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/src/settings/nm-settings-connection.c b/src/settings/nm-settings-connection.c
+index c09f68040..ccdaddb50 100644
+--- a/src/settings/nm-settings-connection.c
++++ b/src/settings/nm-settings-connection.c
+@@ -611,7 +611,9 @@ nm_settings_connection_update (NMSettingsConnection *self,
+ 	gboolean replaced = FALSE;
+ 	gs_free char *logmsg_change = NULL;
+ 	GError *local = NULL;
++	gs_unref_object NMConnection *simple = NULL;
+ 	gs_unref_variant GVariant *con_agent_secrets = NULL;
++	gs_unref_variant GVariant *new_agent_secrets = NULL;
+ 
+ 	g_return_val_if_fail (NM_IS_SETTINGS_CONNECTION (self), FALSE);
+ 
+@@ -652,6 +654,16 @@ nm_settings_connection_update (NMSettingsConnection *self,
+ 
+ 	replace_connection = reread_connection ?: new_connection;
+ 
++	/* Save agent-owned secrets from the new connection for later use */
++	if (new_connection) {
++		simple = nm_simple_connection_new_clone (new_connection);
++		nm_connection_clear_secrets_with_flags (simple,
++		                                        secrets_filter_cb,
++		                                        GUINT_TO_POINTER (NM_SETTING_SECRET_FLAG_AGENT_OWNED));
++		new_agent_secrets = nm_connection_to_dbus (simple, NM_CONNECTION_SERIALIZE_ONLY_SECRETS);
++		g_clear_object (&simple);
++	}
++
+ 	/* Disconnect the changed signal to ensure we don't set Unsaved when
+ 	 * it's not required.
+ 	 */
+@@ -662,7 +674,6 @@ nm_settings_connection_update (NMSettingsConnection *self,
+ 	    && !nm_connection_compare (NM_CONNECTION (self),
+ 	                               replace_connection,
+ 	                               NM_SETTING_COMPARE_FLAG_EXACT)) {
+-		gs_unref_object NMConnection *simple = NULL;
+ 
+ 		if (log_diff_name) {
+ 			nm_utils_log_connection_diff (replace_connection, NM_CONNECTION (self), LOGL_DEBUG, LOGD_CORE, log_diff_name, "++ ",
+@@ -709,6 +720,15 @@ nm_settings_connection_update (NMSettingsConnection *self,
+ 			(void) nm_connection_update_secrets (NM_CONNECTION (self), NULL, con_agent_secrets, NULL);
+ 	}
+ 
++	/* Apply agent-owned secrets from the new connection so that
++	 * they can be sent to agents */
++	if (new_agent_secrets) {
++		(void) nm_connection_update_secrets (NM_CONNECTION (self),
++		                                     NULL,
++		                                     new_agent_secrets,
++		                                     NULL);
++	}
++
+ 	nm_settings_connection_recheck_visibility (self);
+ 
+ 	if (   replaced
+-- 
+2.20.1
+

0006-cli-fix-cleanup-after-activation-from-editor.patch

@@ -0,0 +1,52 @@
+From 0c581081fa18aa412885a700b6d5fc017a53a463 Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani <bgalvani@redhat.com>
+Date: Mon, 8 Oct 2018 21:43:18 +0200
+Subject: [PATCH 2/2] cli: fix cleanup after activation from editor
+
+progress_activation_editor_cb() is called multiple times every 120
+milliseconds and it must free resources only the last time.
+
+Fixes: f0a26865458a42dd35975efd9bf6fdd2d9445c08
+
+https://gitlab.freedesktop.org/NetworkManager/NetworkManager/issues/51
+(cherry picked from commit d091cbdc2fb2c953da226b92c461ae3ede2cece0)
+(cherry picked from commit fd3658e25f5c18d9d53d3f580cfce68ed416848b)
+(cherry picked from commit 09d8eca1c26fe96731182df096804e8421dbdd7c)
+---
+ clients/cli/connections.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/clients/cli/connections.c b/clients/cli/connections.c
+index b547e34ca..f6066b87d 100644
+--- a/clients/cli/connections.c
++++ b/clients/cli/connections.c
+@@ -6523,8 +6523,8 @@ static gboolean
+ progress_activation_editor_cb (gpointer user_data)
+ {
+ 	MonitorACInfo *info = (MonitorACInfo *) user_data;
+-	gs_unref_object NMDevice *device = info->device;
+-	gs_unref_object NMActiveConnection *ac = info->ac;
++	NMDevice *device = info->device;
++	NMActiveConnection *ac = info->ac;
+ 	NMActiveConnectionState ac_state;
+ 	NMDeviceState dev_state;
+ 
+@@ -6557,11 +6557,13 @@ progress_activation_editor_cb (gpointer user_data)
+ 		                               nm_object_get_path (NM_OBJECT (connection)));
+ 	}
+ 
+-	return TRUE;
++	return G_SOURCE_CONTINUE;
+ 
+ finish:
++	nm_g_object_unref (device);
++	nm_g_object_unref (ac);
+ 	info->monitor_id = 0;
+-	return FALSE;
++	return G_SOURCE_REMOVE;
+ }
+ 
+ static void
+-- 
+2.20.1
+

0007-supplicant-global-pmf.patch

@@ -0,0 +1,159 @@
+From 2c3014d60d8ec868fd889a906ef8c8ca9b6e8d17 Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani <bgalvani@redhat.com>
+Date: Wed, 9 Jan 2019 11:36:52 +0100
+Subject: [PATCH 1/2] supplicant: set optional PMF using global supplicant
+ property
+
+wpa_supplicant is going to change the global default for PMF from 0
+(disabled) to 1 (optional) [1], so NM code needs to be adjusted to
+work with all wpa_supplicant versions. Furthermore, it is better to
+set optional PMF using the 'Pmf' property instead of the 'ieee80211w'
+configuration option because the former better handles missing support
+in driver [2].
+
+Note that each interface in wpa_supplicant has its own copy of global
+configuration and so 'global' options must still be set on each
+interface. So, let's set Pmf=1 when each interface gets created and
+override it with ieee80211w={0,2} if needed during association.
+
+[1] http://lists.infradead.org/pipermail/hostap/2018-November/039009.html
+[2] http://lists.infradead.org/pipermail/hostap/2019-January/039215.html
+
+https://gitlab.freedesktop.org/NetworkManager/NetworkManager/issues/104
+(cherry picked from commit a9ab50efb10dfb50cfe897c58afa300f8b07f6ba)
+(cherry picked from commit 1110e0bcae7ab5a4fa9df0f8bf9ec62e7ea4a17a)
+(cherry picked from commit 40adc98a6db593009dc7d92f39af9f4854a61b2a)
+---
+ src/supplicant/nm-supplicant-config.c         |  4 +--
+ src/supplicant/nm-supplicant-interface.c      | 34 +++++++++++++++++++
+ src/supplicant/tests/test-supplicant-config.c |  4 +--
+ 3 files changed, 38 insertions(+), 4 deletions(-)
+
+diff --git a/src/supplicant/nm-supplicant-config.c b/src/supplicant/nm-supplicant-config.c
+index 22f9a3c02..e3dd55a84 100644
+--- a/src/supplicant/nm-supplicant-config.c
++++ b/src/supplicant/nm-supplicant-config.c
+@@ -864,11 +864,11 @@ nm_supplicant_config_add_setting_wireless_security (NMSupplicantConfig *self,
+ 
+ 		if (   !nm_streq (key_mgmt, "wpa-none")
+ 		    && NM_IN_SET (pmf,
+-		                  NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL,
++		                  NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE,
+ 		                  NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED)) {
+ 			if (!nm_supplicant_config_add_option (self,
+ 			                                      "ieee80211w",
+-			                                      pmf == NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL ? "1" : "2",
++			                                      pmf == NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE ? "0" : "2",
+ 			                                      -1,
+ 			                                      NULL,
+ 			                                      error))
+diff --git a/src/supplicant/nm-supplicant-interface.c b/src/supplicant/nm-supplicant-interface.c
+index e16e3130e..b816722d0 100644
+--- a/src/supplicant/nm-supplicant-interface.c
++++ b/src/supplicant/nm-supplicant-interface.c
+@@ -555,6 +555,26 @@ iface_check_netreply_cb (GDBusProxy *proxy, GAsyncResult *result, gpointer user_
+ 	iface_check_ready (self);
+ }
+ 
++static void
++iface_set_pmf_cb (GDBusProxy *proxy, GAsyncResult *result, gpointer user_data)
++{
++	NMSupplicantInterface *self;
++	gs_unref_variant GVariant *variant = NULL;
++	gs_free_error GError *error = NULL;
++
++	variant = g_dbus_proxy_call_finish (proxy, result, &error);
++	if (g_error_matches (error, G_IO_ERROR, G_IO_ERROR_CANCELLED))
++		return;
++
++	self = NM_SUPPLICANT_INTERFACE (user_data);
++
++	/* This can fail if the supplicant doesn't support PMF */
++	if (error)
++		_LOGD ("failed to set Pmf=1: %s", error->message);
++
++	iface_check_ready (self);
++}
++
+ NMSupplicantFeature
+ nm_supplicant_interface_get_ap_support (NMSupplicantInterface *self)
+ {
+@@ -1155,6 +1175,20 @@ on_iface_proxy_acquired (GDBusProxy *proxy, GAsyncResult *result, gpointer user_
+ 	                   NULL,
+ 	                   NULL);
+ 
++	/* Initialize global PMF setting to 'optional' */
++	priv->ready_count++;
++	g_dbus_proxy_call (priv->iface_proxy,
++	                   DBUS_INTERFACE_PROPERTIES ".Set",
++	                   g_variant_new ("(ssv)",
++	                                  WPAS_DBUS_IFACE_INTERFACE,
++	                                  "Pmf",
++	                                  g_variant_new_string ("1")),
++	                   G_DBUS_CALL_FLAGS_NONE,
++	                   -1,
++	                   priv->init_cancellable,
++	                   (GAsyncReadyCallback) iface_set_pmf_cb,
++	                   self);
++
+ 	/* Check whether NetworkReply and AP mode are supported */
+ 	priv->ready_count = 1;
+ 	g_dbus_proxy_call (priv->iface_proxy,
+diff --git a/src/supplicant/tests/test-supplicant-config.c b/src/supplicant/tests/test-supplicant-config.c
+index 36831e676..d7ec1fe22 100644
+--- a/src/supplicant/tests/test-supplicant-config.c
++++ b/src/supplicant/tests/test-supplicant-config.c
+@@ -359,8 +359,8 @@ test_wifi_wpa_psk (const char *detail,
+ 	NMTST_EXPECT_NM_INFO ("Config: added 'pairwise' value 'TKIP CCMP'");
+ 	NMTST_EXPECT_NM_INFO ("Config: added 'group' value 'TKIP CCMP'");
+ 	switch (pmf) {
+-	case NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL:
+-		NMTST_EXPECT_NM_INFO ("Config: added 'ieee80211w' value '1'");
++	case NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE:
++		NMTST_EXPECT_NM_INFO ("Config: added 'ieee80211w' value '0'");
+ 		break;
+ 	case NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED:
+ 		NMTST_EXPECT_NM_INFO ("Config: added 'ieee80211w' value '2'");
+-- 
+2.20.1
+
+
+From 5d0bf9db73fc552fc311d58dd51f0825aa883937 Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani <bgalvani@redhat.com>
+Date: Mon, 14 Jan 2019 15:16:09 +0100
+Subject: [PATCH 2/2] supplicant: fix ready_count assignment
+
+Fix a wrong backport.
+
+Fixes: 1110e0bcae7ab5a4fa9df0f8bf9ec62e7ea4a17a
+(cherry picked from commit d0dd120ab4b5716eec87d65f2a1424718addf600)
+(cherry picked from commit e511f724584e32cd3e618c47b8a779e7093da6bc)
+---
+ src/supplicant/nm-supplicant-interface.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/supplicant/nm-supplicant-interface.c b/src/supplicant/nm-supplicant-interface.c
+index b816722d0..7450fb823 100644
+--- a/src/supplicant/nm-supplicant-interface.c
++++ b/src/supplicant/nm-supplicant-interface.c
+@@ -1176,7 +1176,7 @@ on_iface_proxy_acquired (GDBusProxy *proxy, GAsyncResult *result, gpointer user_
+ 	                   NULL);
+ 
+ 	/* Initialize global PMF setting to 'optional' */
+-	priv->ready_count++;
++	priv->ready_count = 1;
+ 	g_dbus_proxy_call (priv->iface_proxy,
+ 	                   DBUS_INTERFACE_PROPERTIES ".Set",
+ 	                   g_variant_new ("(ssv)",
+@@ -1190,7 +1190,7 @@ on_iface_proxy_acquired (GDBusProxy *proxy, GAsyncResult *result, gpointer user_
+ 	                   self);
+ 
+ 	/* Check whether NetworkReply and AP mode are supported */
+-	priv->ready_count = 1;
++	priv->ready_count++;
+ 	g_dbus_proxy_call (priv->iface_proxy,
+ 	                   "NetworkReply",
+ 	                   g_variant_new ("(oss)",
+-- 
+2.20.1
+

20-connectivity-fedora.conf

@@ -1,10 +1,4 @@
-# Enable connectivity checking for NetworkManager.
-# See `man NetworkManager.conf`.
-#
-# Note that connectivity checking works badly with rp_filter set to
-# strict. Check "/proc/sys/net/ipv4/conf/*/rp_filter".
 [connectivity]
-enabled=true
 uri=http://fedoraproject.org/static/hotspot.txt
 response=OK
 interval=300

20-connectivity-redhat.conf

@@ -1,10 +1,4 @@
-# Enable connectivity checking for NetworkManager.
-# See `man NetworkManager.conf`.
-#
-# Note that connectivity checking works badly with rp_filter set to
-# strict. Check "/proc/sys/net/ipv4/conf/*/rp_filter".
 [connectivity]
-enabled=true
 uri=http://static.redhat.com/test/rhel-networkmanager.txt
 response=OK
 interval=300

70-nm-connectivity.conf

@@ -1,15 +0,0 @@
-# The Strict mode of RFC3704 Reverse Path filtering breaks some pretty
-# common and reasonable use cases.
-#
-# Notably, it makes it impossible for NetworkManager to do connectivity
-# check on a newly arriving default route (it starts with a higher metric
-# and is bumped lower if there's connectivity).
-#
-# Kernel's default is 0 (no filter), systemd configures a Loose filter since
-# commit 230450d4e4f1 ('sysctl.d: switch net.ipv4.conf.all.rp_filter from 1
-# to 2'). However, RHEL systemd package happens to default to Strict mode
-# for historic reasons. Let's override it if we're doing connectivity
-# checking.
-
-# Source route verification
-net.ipv4.conf.all.rp_filter = 0

NetworkManager.conf

@@ -2,25 +2,27 @@
 #
 # See "man 5 NetworkManager.conf" for details.
 #
-# The directories /usr/lib/NetworkManager/conf.d/ and /run/NetworkManager/conf.d/
-# can contain additional .conf snippets installed by packages. These files are
+# The directories /usr/lib/NetworkManager/conf.d/ and /var/run/NetworkManager/conf.d/
+# can contain additional configuration snippets installed by packages. These files are
 # read before NetworkManager.conf and have thus lowest priority.
-# The directory /etc/NetworkManager/conf.d/ can contain additional .conf
+# The directory /etc/NetworkManager/conf.d/ can contain additional configuration
 # snippets. Those snippets are merged last and overwrite the settings from this main
 # file.
 #
 # The files within one conf.d/ directory are read in asciibetical order.
 #
-# You can prevent loading a file /usr/lib/NetworkManager/conf.d/NAME.conf
-# by having a file NAME.conf in either /run/NetworkManager/conf.d/ or /etc/NetworkManager/conf.d/.
-# Likewise, snippets from /run can be prevented from loading by placing
-# a file with the same name in /etc/NetworkManager/conf.d/.
+# If /etc/NetworkManager/conf.d/ contains a file with the same name as
+# /usr/lib/NetworkManager/conf.d/, the latter file is shadowed and thus ignored.
+# Hence, to disable loading a file from /usr/lib/NetworkManager/conf.d/ you can
+# put an empty file to /etc with the same name. The same applies with respect
+# to the directory /var/run/NetworkManager/conf.d where files in /var/run shadow
+# /usr/lib and are themselves shadowed by files under /etc.
 #
 # If two files define the same key, the one that is read afterwards will overwrite
 # the previous one.
 
 [main]
-#plugins=keyfile,ifcfg-rh
+#plugins=ifcfg-rh,ibft
 
 
 [logging]
@@ -28,7 +30,8 @@
 #
 # Logfiles contain no passwords and little sensitive information. But please
 # check before posting the file online. You can also personally hand over the
-# logfile to a NM developer to treat it confidential. Meet us on #nm on Libera.Chat.
+# logfile to a NM developer to treat it confidential. Meet us on #nm on freenode.
+# Please post full logfiles except minimal modifications of private data.
 #
 # You can also change the log-level at runtime via
 #   $ nmcli general logging level TRACE domains ALL
@@ -39,14 +42,9 @@
 # You will find the logfiles in syslog, for example via
 #   $ journalctl -u NetworkManager
 #
-# Please post full logfiles for bug reports without pre-filtering or truncation.
-# Also, for debugging the entire `journalctl` output can be interesting. Don't
-# limit unnecessarily with `journalctl -u`. Exceptions are if you are worried
-# about private data. Check before posting logfiles!
-#
 # Note that debug logging of NetworkManager can be quite verbose. Some messages
 # might be rate-limited by the logging daemon (see RateLimitIntervalSec, RateLimitBurst
-# in man journald.conf). Please disable rate-limiting before collecting debug logs!
+# in man journald.conf).
 #
 #level=TRACE
 #domains=ALL

readme-ifcfg-rh.txt

@@ -1,31 +0,0 @@
-NetworkManager stores new network profiles in keyfile format in the
-/etc/NetworkManager/system-connections/ directory.
-
-Previously, NetworkManager stored network profiles in ifcfg format
-in this directory (/etc/sysconfig/network-scripts/). However, the ifcfg
-format is deprecated. By default, NetworkManager no longer creates
-new profiles in this format.
-
-Connection profiles in keyfile format have many benefits. For example,
-this format is INI file-based and can easily be parsed and generated.
-
-Each section in NetworkManager keyfiles corresponds to a NetworkManager
-setting name as described in the nm-settings(5) and nm-settings-keyfile(5)
-man pages. Each key-value-pair in a section is one of the properties
-listed in the settings specification of the man page.
-
-If you still use network profiles in ifcfg format, consider migrating
-them to keyfile format. To migrate all profiles at once, enter:
-
-# nmcli connection migrate
-
-This command migrates all profiles from ifcfg format to keyfile
-format and stores them in /etc/NetworkManager/system-connections/.
-
-Alternatively, to migrate only a specific profile, enter:
-
-# nmcli connection migrate <profile_name|UUID|D-Bus_path>
-
-For further details, see:
-* nm-settings-keyfile(5)
-* nmcli(1)

sources

@@ -1 +1 @@
-SHA512 (NetworkManager-1.43.6.tar.xz) = e1d898d3e6154018defcf189bc017a962ed93b9f5d7bafd90642cd70f9bbd4885874b24f716d524e52cf9e44c7ba338e3c416e78bd7b6ec6eaa1cb5066244504
+SHA512 (NetworkManager-1.12.6.tar.xz) = b2117bdd9978ea18a7015c285abc684b7bc31ff0b4b1956194b23cbb85c2bc75bec5fc50a37493c3d717810fe683a72ef186816eb4eca889af8ea35bd1095e94