From 8b051bb35e38e468d630431f1f5215a71d6049f6 Mon Sep 17 00:00:00 2001 From: Michael Cronenworth Date: Tue, 14 Mar 2017 20:50:26 -0500 Subject: [PATCH 1/4] supplicant: Initial pmf support (a.k.a. MFP, a.k.a. 802.11w) https://bugzilla.gnome.org/show_bug.cgi?id=748367 Signed-off-by: Michael Cronenworth --- src/supplicant/nm-supplicant-config.c | 13 ++++++++ src/supplicant/nm-supplicant-config.h | 2 ++ src/supplicant/nm-supplicant-interface.c | 39 ++++++++++++++++++++++++ 3 files changed, 54 insertions(+) diff --git a/src/supplicant/nm-supplicant-config.c b/src/supplicant/nm-supplicant-config.c index 1f4c74a5f..0f33f20c5 100644 --- a/src/supplicant/nm-supplicant-config.c +++ b/src/supplicant/nm-supplicant-config.c @@ -44,6 +44,7 @@ typedef struct { GHashTable *config; GHashTable *blobs; guint32 ap_scan; + guint32 pmf; gboolean fast_required; gboolean dispose_has_run; } NMSupplicantConfigPrivate; @@ -96,6 +97,7 @@ nm_supplicant_config_init (NMSupplicantConfig * self) (GDestroyNotify) blob_free); priv->ap_scan = 1; + priv->pmf = 1; priv->dispose_has_run = FALSE; } @@ -280,6 +282,14 @@ nm_supplicant_config_get_ap_scan (NMSupplicantConfig * self) return NM_SUPPLICANT_CONFIG_GET_PRIVATE (self)->ap_scan; } +guint32 +nm_supplicant_config_get_pmf (NMSupplicantConfig * self) +{ + g_return_val_if_fail (NM_IS_SUPPLICANT_CONFIG (self), 1); + + return NM_SUPPLICANT_CONFIG_GET_PRIVATE (self)->pmf; +} + gboolean nm_supplicant_config_fast_required (NMSupplicantConfig *self) { @@ -467,6 +477,8 @@ nm_supplicant_config_add_setting_wireless (NMSupplicantConfig * self, else priv->ap_scan = 1; + priv->pmf = 1; + ssid = nm_setting_wireless_get_ssid (setting); if (!nm_supplicant_config_add_option (self, "ssid", (char *) g_bytes_get_data (ssid, NULL), 
@@ -931,6 +943,7 @@ nm_supplicant_config_add_setting_8021x (NMSupplicantConfig *self, if (!add_string_val (self, "0", "eapol_flags", FALSE, NULL, error)) return FALSE; priv->ap_scan = 0; + priv->pmf = 0; } if (!ADD_STRING_LIST_VAL (self, setting, 802_1x, eap_method, eap_methods, "eap", ' ', TRUE, NULL, error)) diff --git a/src/supplicant/nm-supplicant-config.h b/src/supplicant/nm-supplicant-config.h index 6acfb7ee1..8f67eb3fa 100644 --- a/src/supplicant/nm-supplicant-config.h +++ b/src/supplicant/nm-supplicant-config.h @@ -44,6 +44,8 @@ NMSupplicantConfig *nm_supplicant_config_new (void); guint32 nm_supplicant_config_get_ap_scan (NMSupplicantConfig *self); +guint32 nm_supplicant_config_get_pmf (NMSupplicantConfig *self); + gboolean nm_supplicant_config_fast_required (NMSupplicantConfig *self); GVariant *nm_supplicant_config_to_variant (NMSupplicantConfig *self); diff --git a/src/supplicant/nm-supplicant-interface.c b/src/supplicant/nm-supplicant-interface.c index 71f1f9aa8..fc25a414d 100644 --- a/src/supplicant/nm-supplicant-interface.c +++ b/src/supplicant/nm-supplicant-interface.c 
@@ -470,6 +470,34 @@ iface_check_ready (NMSupplicantInterface *self) } } +static void +set_pmf_cb (GDBusProxy *proxy, GAsyncResult *result, gpointer user_data) +{ + NMSupplicantInterface *self; + NMSupplicantInterfacePrivate *priv; + gs_unref_variant GVariant *reply = NULL; + gs_free_error GError *error = NULL; + + reply = g_dbus_proxy_call_finish (proxy, result, &error); + if (g_error_matches (error, G_IO_ERROR, G_IO_ERROR_CANCELLED)) + return; + + self = NM_SUPPLICANT_INTERFACE (user_data); + priv = NM_SUPPLICANT_INTERFACE_GET_PRIVATE (self); + + if (!reply) { + g_dbus_error_strip_remote_error (error); + _LOGW ("couldn't send PMF mode to the supplicant interface: %s", + error->message); + emit_error_helper (self, error); + return; + } + + _LOGI ("config: set interface pmf to %d", + nm_supplicant_config_get_pmf (priv->cfg)); + +} + gboolean nm_supplicant_interface_credentials_reply (NMSupplicantInterface *self, const char *field, @@ -835,6 +863,17 @@ on_iface_proxy_acquired (GDBusProxy *proxy, GAsyncResult *result, gpointer user_ priv->init_cancellable, (GAsyncReadyCallback) iface_introspect_cb, self); + g_dbus_proxy_call (priv->iface_proxy, + DBUS_INTERFACE_PROPERTIES ".Set", + g_variant_new ("(ssv)", + WPAS_DBUS_IFACE_INTERFACE, + "Pmf", + g_variant_new_uint32 (nm_supplicant_config_get_pmf (priv->cfg))), + G_DBUS_CALL_FLAGS_NONE, + -1, + priv->assoc_cancellable, + (GAsyncReadyCallback) set_pmf_cb, + self); } } From d38eadd9907b216da12b2dc5bafe7a1b4ad07003 Mon Sep 17 00:00:00 2001 From: Beniamino Galvani Date: Sat, 18 Mar 2017 14:45:35 +0100 Subject: [PATCH 2/4] supplicant: enable PMF based on driver type Instead of adding a new flag to configuration based on connection type, use the driver-type field directly in the supplicant-interface. --- src/supplicant/nm-supplicant-config.c | 13 --------- src/supplicant/nm-supplicant-config.h | 2 -- src/supplicant/nm-supplicant-interface.c | 37 ++++++++++++------------ 3 files changed, 18 insertions(+), 34 deletions(-) 
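Review bot: The Properties.Set call appended to on_iface_proxy_acquired (patch 1/4, nm-supplicant-interface.c) is tied to `priv->assoc_cancellable` and reads `priv->cfg`, while the call in the context lines just above it uses `priv->init_cancellable`. If no association is in progress when the proxy is acquired, the cancellable and the config are presumably both unset: the call then cannot be cancelled when the interface goes away, and nm_supplicant_config_get_pmf falls out of its g_return_val_if_fail and reports 1. set_pmf_cb dereferences user_data unless the call was cancelled, so the cancellable should be the one that lives as long as this initialisation, `priv->init_cancellable,`. The function starts and ends outside the hunk.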
diff --git a/src/supplicant/nm-supplicant-config.c b/src/supplicant/nm-supplicant-config.c index 0f33f20c5..1f4c74a5f 100644 --- a/src/supplicant/nm-supplicant-config.c +++ b/src/supplicant/nm-supplicant-config.c @@ -44,7 +44,6 @@ typedef struct { GHashTable *config; GHashTable *blobs; guint32 ap_scan; - guint32 pmf; gboolean fast_required; gboolean dispose_has_run; } NMSupplicantConfigPrivate; @@ -97,7 +96,6 @@ nm_supplicant_config_init (NMSupplicantConfig * self) (GDestroyNotify) blob_free); priv->ap_scan = 1; - priv->pmf = 1; priv->dispose_has_run = FALSE; } @@ -282,14 +280,6 @@ nm_supplicant_config_get_ap_scan (NMSupplicantConfig * self) return NM_SUPPLICANT_CONFIG_GET_PRIVATE (self)->ap_scan; } -guint32 -nm_supplicant_config_get_pmf (NMSupplicantConfig * self) -{ - g_return_val_if_fail (NM_IS_SUPPLICANT_CONFIG (self), 1); - - return NM_SUPPLICANT_CONFIG_GET_PRIVATE (self)->pmf; -} - gboolean nm_supplicant_config_fast_required (NMSupplicantConfig *self) { @@ -477,8 +467,6 @@ nm_supplicant_config_add_setting_wireless (NMSupplicantConfig * self, else priv->ap_scan = 1; - priv->pmf = 1; - ssid = nm_setting_wireless_get_ssid (setting); if (!nm_supplicant_config_add_option (self, "ssid", (char *) g_bytes_get_data (ssid, NULL), @@ -943,7 +931,6 @@ nm_supplicant_config_add_setting_8021x (NMSupplicantConfig *self, if (!add_string_val (self, "0", "eapol_flags", FALSE, NULL, error)) return FALSE; priv->ap_scan = 0; - priv->pmf = 0; } if (!ADD_STRING_LIST_VAL (self, setting, 802_1x, eap_method, eap_methods, "eap", ' ', TRUE, NULL, error)) diff --git a/src/supplicant/nm-supplicant-config.h b/src/supplicant/nm-supplicant-config.h index 8f67eb3fa..6acfb7ee1 100644 --- a/src/supplicant/nm-supplicant-config.h +++ b/src/supplicant/nm-supplicant-config.h 
@@ -44,8 +44,6 @@ NMSupplicantConfig *nm_supplicant_config_new (void); guint32 nm_supplicant_config_get_ap_scan (NMSupplicantConfig *self); -guint32 nm_supplicant_config_get_pmf (NMSupplicantConfig *self); - gboolean nm_supplicant_config_fast_required (NMSupplicantConfig *self); GVariant *nm_supplicant_config_to_variant (NMSupplicantConfig *self); diff --git a/src/supplicant/nm-supplicant-interface.c b/src/supplicant/nm-supplicant-interface.c index fc25a414d..dbdee193d 100644 --- a/src/supplicant/nm-supplicant-interface.c +++ b/src/supplicant/nm-supplicant-interface.c @@ -487,15 +487,11 @@ set_pmf_cb (GDBusProxy *proxy, GAsyncResult *result, gpointer user_data) if (!reply) { g_dbus_error_strip_remote_error (error); - _LOGW ("couldn't send PMF mode to the supplicant interface: %s", - error->message); - emit_error_helper (self, error); + _LOGW ("couldn't enable PMF: %s", error->message); return; } - _LOGI ("config: set interface pmf to %d", - nm_supplicant_config_get_pmf (priv->cfg)); - + _LOGD ("PMF enabled"); } gboolean @@ -812,7 +808,7 @@ on_iface_proxy_acquired (GDBusProxy *proxy, GAsyncResult *result, gpointer user_ /* Scan result aging parameters */ g_dbus_proxy_call (priv->iface_proxy, - "org.freedesktop.DBus.Properties.Set", + DBUS_INTERFACE_PROPERTIES ".Set", g_variant_new ("(ssv)", WPAS_DBUS_IFACE_INTERFACE, "BSSExpireAge", @@ -823,7 +819,7 @@ on_iface_proxy_acquired (GDBusProxy *proxy, GAsyncResult *result, gpointer user_ NULL, NULL); g_dbus_proxy_call (priv->iface_proxy, - "org.freedesktop.DBus.Properties.Set", + DBUS_INTERFACE_PROPERTIES ".Set", g_variant_new ("(ssv)", WPAS_DBUS_IFACE_INTERFACE, "BSSExpireCount", 
@@ -834,6 +830,20 @@ on_iface_proxy_acquired (GDBusProxy *proxy, GAsyncResult *result, gpointer user_ NULL, NULL); + if (priv->driver == NM_SUPPLICANT_DRIVER_WIRELESS) { + g_dbus_proxy_call (priv->iface_proxy, + DBUS_INTERFACE_PROPERTIES ".Set", + g_variant_new ("(ssv)", + WPAS_DBUS_IFACE_INTERFACE, + "Pmf", + g_variant_new_uint32 (1)), + G_DBUS_CALL_FLAGS_NONE, + -1, + priv->init_cancellable, + (GAsyncReadyCallback) set_pmf_cb, + self); + } + /* Check whether NetworkReply and AP mode are supported */ priv->ready_count = 1; g_dbus_proxy_call (priv->iface_proxy, @@ -863,17 +873,6 @@ on_iface_proxy_acquired (GDBusProxy *proxy, GAsyncResult *result, gpointer user_ priv->init_cancellable, (GAsyncReadyCallback) iface_introspect_cb, self); - g_dbus_proxy_call (priv->iface_proxy, - DBUS_INTERFACE_PROPERTIES ".Set", - g_variant_new ("(ssv)", - WPAS_DBUS_IFACE_INTERFACE, - "Pmf", - g_variant_new_uint32 (nm_supplicant_config_get_pmf (priv->cfg))), - G_DBUS_CALL_FLAGS_NONE, - -1, - priv->assoc_cancellable, - (GAsyncReadyCallback) set_pmf_cb, - self); } } From a72ffe230bce1486fcd6bbaea8e111a9e77f33ed Mon Sep 17 00:00:00 2001 From: Beniamino Galvani Date: Sat, 18 Mar 2017 14:56:38 +0100 Subject: [PATCH 3/4] supplicant: enable PMF only when wpa_supplicant supports it --- src/supplicant/nm-supplicant-interface.c | 30 ++++++++++++++++++++++-- src/supplicant/nm-supplicant-interface.h | 6 ++++- src/supplicant/nm-supplicant-manager.c | 18 +++++++++++--- 3 files changed, 48 insertions(+), 6 deletions(-) diff --git a/src/supplicant/nm-supplicant-interface.c b/src/supplicant/nm-supplicant-interface.c index dbdee193d..e92a57ff8 100644 --- a/src/supplicant/nm-supplicant-interface.c +++ b/src/supplicant/nm-supplicant-interface.c @@ -80,6 +80,7 @@ NM_GOBJECT_PROPERTIES_DEFINE (NMSupplicantInterface, PROP_DRIVER, PROP_FAST_SUPPORT, PROP_AP_SUPPORT, + PROP_PMF_SUPPORT, ); typedef struct { 
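Review bot: The literal in `g_variant_new_uint32 (1)` (patch 2/4, on_iface_proxy_acquired) carries a security decision that is not written down anywhere in the hunk. In wpa_supplicant's global `pmf` setting 0 is disabled, 1 is optional and 2 is required, so this enables protected management frames only opportunistically: an access point that does not offer PMF is still joined without it, and set_pmf_cb merely logs when the Set fails. I would add a comment above the call, `/* Pmf=1: optional. PMF is used when the AP offers it, never required; 2 would enforce it. */`, so nobody reads this as a guarantee against forged deauthentication frames. It is also worth confirming against the wpa_supplicant D-Bus API that the Pmf property accepts a uint32 rather than a string, since a type mismatch would surface only as the warning in set_pmf_cb. The enclosing function extends beyond the hunk.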
@@ -88,6 +89,7 @@ typedef struct { gboolean has_credreq; /* Whether querying 802.1x credentials is supported */ NMSupplicantFeature fast_support; NMSupplicantFeature ap_support; /* Lightweight AP mode support */ + NMSupplicantFeature pmf_support; guint32 max_scan_ssids; guint32 ready_count; @@ -587,6 +589,15 @@ nm_supplicant_interface_set_fast_support (NMSupplicantInterface *self, priv->fast_support = fast_support; } +void +nm_supplicant_interface_set_pmf_support (NMSupplicantInterface *self, + NMSupplicantFeature pmf_support) +{ + NMSupplicantInterfacePrivate *priv = NM_SUPPLICANT_INTERFACE_GET_PRIVATE (self); + + priv->pmf_support = pmf_support; +} + static void iface_introspect_cb (GDBusProxy *proxy, GAsyncResult *result, gpointer user_data) { @@ -830,7 +841,8 @@ on_iface_proxy_acquired (GDBusProxy *proxy, GAsyncResult *result, gpointer user_ NULL, NULL); - if (priv->driver == NM_SUPPLICANT_DRIVER_WIRELESS) { + if ( priv->pmf_support + && priv->driver == NM_SUPPLICANT_DRIVER_WIRELESS) { g_dbus_proxy_call (priv->iface_proxy, DBUS_INTERFACE_PROPERTIES ".Set", g_variant_new ("(ssv)", @@ -1597,6 +1609,10 @@ set_property (GObject *object, /* construct-only */ priv->ap_support = g_value_get_int (value); break; + case PROP_PMF_SUPPORT: + /* construct-only */ + priv->pmf_support = g_value_get_int (value); + break; default: G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec); break; @@ -1616,7 +1632,8 @@ NMSupplicantInterface * nm_supplicant_interface_new (const char *ifname, NMSupplicantDriver driver, NMSupplicantFeature fast_support, - NMSupplicantFeature ap_support) + NMSupplicantFeature ap_support, + NMSupplicantFeature pmf_support) { g_return_val_if_fail (ifname != NULL, NULL); 
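Review bot: nm_supplicant_interface_set_pmf_support (patch 3/4) only stores the new value, whereas the Pmf property is written once, in on_iface_proxy_acquired. An interface whose proxy was acquired while the manager still reported NM_SUPPLICANT_FEATURE_UNKNOWN would therefore never have Pmf set, even after update_capabilities later reports YES; whether that ordering can occur depends on code outside this page. At minimum the function deserves a comment saying so, e.g. `/* Only records the capability; does not (re)send the Pmf property to an already-initialised interface. */`.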
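Review bot: The new condition `if ( priv->pmf_support && priv->driver == NM_SUPPLICANT_DRIVER_WIRELESS)` in on_iface_proxy_acquired (patch 3/4) tests a tri-state NMSupplicantFeature for truth. The enum's values are not shown here, but the param spec added in this same patch uses NM_SUPPLICANT_FEATURE_UNKNOWN as the minimum and NM_SUPPLICANT_FEATURE_YES as the maximum, so NM_SUPPLICANT_FEATURE_NO is most likely non-zero and would pass this test. Compare explicitly, as nm_supplicant_interface_assoc does in patch 4/4: `if (   priv->pmf_support == NM_SUPPLICANT_FEATURE_YES`.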
@@ -1625,6 +1642,7 @@ nm_supplicant_interface_new (const char *ifname, NM_SUPPLICANT_INTERFACE_DRIVER, (guint) driver, NM_SUPPLICANT_INTERFACE_FAST_SUPPORT, (int) fast_support, NM_SUPPLICANT_INTERFACE_AP_SUPPORT, (int) ap_support, + NM_SUPPLICANT_INTERFACE_PMF_SUPPORT, (int) pmf_support, NULL); } @@ -1706,6 +1724,14 @@ nm_supplicant_interface_class_init (NMSupplicantInterfaceClass *klass) G_PARAM_WRITABLE | G_PARAM_CONSTRUCT_ONLY | G_PARAM_STATIC_STRINGS); + obj_properties[PROP_PMF_SUPPORT] = + g_param_spec_int (NM_SUPPLICANT_INTERFACE_PMF_SUPPORT, "", "", + NM_SUPPLICANT_FEATURE_UNKNOWN, + NM_SUPPLICANT_FEATURE_YES, + NM_SUPPLICANT_FEATURE_UNKNOWN, + G_PARAM_WRITABLE | + G_PARAM_CONSTRUCT_ONLY | + G_PARAM_STATIC_STRINGS); g_object_class_install_properties (object_class, _PROPERTY_ENUMS_LAST, obj_properties); diff --git a/src/supplicant/nm-supplicant-interface.h b/src/supplicant/nm-supplicant-interface.h index d60d4a544..a881ede23 100644 --- a/src/supplicant/nm-supplicant-interface.h +++ b/src/supplicant/nm-supplicant-interface.h @@ -60,6 +60,7 @@ typedef enum { #define NM_SUPPLICANT_INTERFACE_DRIVER "driver" #define NM_SUPPLICANT_INTERFACE_FAST_SUPPORT "fast-support" #define NM_SUPPLICANT_INTERFACE_AP_SUPPORT "ap-support" +#define NM_SUPPLICANT_INTERFACE_PMF_SUPPORT "pmf-support" /* Signals */ #define NM_SUPPLICANT_INTERFACE_STATE "state" @@ -76,7 +77,8 @@ GType nm_supplicant_interface_get_type (void); NMSupplicantInterface * nm_supplicant_interface_new (const char *ifname, NMSupplicantDriver driver, NMSupplicantFeature fast_support, - NMSupplicantFeature ap_support); + NMSupplicantFeature ap_support, + NMSupplicantFeature pmf_support); void nm_supplicant_interface_set_supplicant_available (NMSupplicantInterface *self, gboolean available); 
@@ -126,4 +128,6 @@ void nm_supplicant_interface_set_ap_support (NMSupplicantInterface *self, void nm_supplicant_interface_set_fast_support (NMSupplicantInterface *self, NMSupplicantFeature fast_support); +void nm_supplicant_interface_set_pmf_support (NMSupplicantInterface *self, + NMSupplicantFeature pmf_support); #endif /* __NM_SUPPLICANT_INTERFACE_H__ */ diff --git a/src/supplicant/nm-supplicant-manager.c b/src/supplicant/nm-supplicant-manager.c index 49650ab71..0f2eb63a6 100644 --- a/src/supplicant/nm-supplicant-manager.c +++ b/src/supplicant/nm-supplicant-manager.c @@ -39,6 +39,7 @@ typedef struct { GSList *ifaces; NMSupplicantFeature fast_support; NMSupplicantFeature ap_support; + NMSupplicantFeature pmf_support; guint die_count_reset_id; guint die_count; } NMSupplicantManagerPrivate; @@ -159,7 +160,8 @@ nm_supplicant_manager_create_interface (NMSupplicantManager *self, iface = nm_supplicant_interface_new (ifname, driver, priv->fast_support, - priv->ap_support); + priv->ap_support, + priv->pmf_support); priv->ifaces = g_slist_prepend (priv->ifaces, iface); g_object_add_toggle_ref ((GObject *) iface, _sup_iface_last_ref, self); 
@@ -193,28 +195,37 @@ update_capabilities (NMSupplicantManager *self) * dbus: Add global capabilities property */ priv->ap_support = NM_SUPPLICANT_FEATURE_UNKNOWN; + priv->pmf_support = NM_SUPPLICANT_FEATURE_UNKNOWN; value = g_dbus_proxy_get_cached_property (priv->proxy, "Capabilities"); if (value) { if (g_variant_is_of_type (value, G_VARIANT_TYPE_STRING_ARRAY)) { array = g_variant_get_strv (value, NULL); priv->ap_support = NM_SUPPLICANT_FEATURE_NO; + priv->pmf_support = NM_SUPPLICANT_FEATURE_NO; if (array) { if (g_strv_contains (array, "ap")) priv->ap_support = NM_SUPPLICANT_FEATURE_YES; + if (g_strv_contains (array, "pmf")) + priv->pmf_support = NM_SUPPLICANT_FEATURE_YES; g_free (array); } } g_variant_unref (value); } - /* Tell all interfaces about results of the AP check */ - for (ifaces = priv->ifaces; ifaces; ifaces = ifaces->next) + /* Tell all interfaces about results of the AP/PMF check */ + for (ifaces = priv->ifaces; ifaces; ifaces = ifaces->next) { nm_supplicant_interface_set_ap_support (ifaces->data, priv->ap_support); + nm_supplicant_interface_set_pmf_support (ifaces->data, priv->pmf_support); + } _LOGD ("AP mode is %ssupported", (priv->ap_support == NM_SUPPLICANT_FEATURE_YES) ? "" : (priv->ap_support == NM_SUPPLICANT_FEATURE_NO) ? "not " : "possibly "); + _LOGD ("PMF is %ssupported", + (priv->pmf_support == NM_SUPPLICANT_FEATURE_YES) ? "" : + (priv->pmf_support == NM_SUPPLICANT_FEATURE_NO) ? "not " : "possibly "); /* EAP-FAST */ priv->fast_support = NM_SUPPLICANT_FEATURE_NO; @@ -337,6 +348,7 @@ name_owner_cb (GDBusProxy *proxy, GParamSpec *pspec, gpointer user_data) priv->ap_support = NM_SUPPLICANT_FEATURE_UNKNOWN; priv->fast_support = NM_SUPPLICANT_FEATURE_UNKNOWN; + priv->pmf_support = NM_SUPPLICANT_FEATURE_UNKNOWN; set_running (self, FALSE); } From 72cfa1f45829f70840b8581f8e6d8cb0f057f2de Mon Sep 17 00:00:00 2001 
From: Beniamino Galvani Date: Sat, 18 Mar 2017 15:05:03 +0100 Subject: [PATCH 4/4] supplicant: enable stronger AKMs when PMF is enabled --- src/supplicant/nm-supplicant-config.c | 28 +++++++++++++++++++ src/supplicant/nm-supplicant-config.h | 2 ++ src/supplicant/nm-supplicant-interface.c | 9 ++++++ .../nm-supplicant-settings-verify.c | 4 ++- 4 files changed, 42 insertions(+), 1 deletion(-) diff --git a/src/supplicant/nm-supplicant-config.c b/src/supplicant/nm-supplicant-config.c index 1f4c74a5f..4ff376a5c 100644 --- a/src/supplicant/nm-supplicant-config.c +++ b/src/supplicant/nm-supplicant-config.c @@ -1325,3 +1325,31 @@ nm_supplicant_config_add_no_security (NMSupplicantConfig *self, GError **error) return nm_supplicant_config_add_option (self, "key_mgmt", "NONE", -1, NULL, error); } +gboolean +nm_supplicant_config_enable_pmf_akm (NMSupplicantConfig *self, GError **error) +{ + NMSupplicantConfigPrivate *priv; + ConfigOption *option; + + g_return_val_if_fail (NM_IS_SUPPLICANT_CONFIG (self), FALSE); + g_return_val_if_fail (!error || !*error, FALSE); + + priv = NM_SUPPLICANT_CONFIG_GET_PRIVATE (self); + + option = g_hash_table_lookup (priv->config, "key_mgmt"); + if (!option) + return TRUE; + + if (nm_streq0 (option->value, "WPA-PSK")) { + g_hash_table_remove (priv->config, "key_mgmt"); + if (!nm_supplicant_config_add_option (self, "key_mgmt", "WPA-PSK WPA-PSK-SHA256", -1, NULL, error)) + return FALSE; + } else if (nm_streq0 (option->value, "WPA-EAP")) { + g_hash_table_remove (priv->config, "key_mgmt"); + if (!nm_supplicant_config_add_option (self, "key_mgmt", "WPA-EAP WPA-EAP-SHA256", -1, NULL, error)) + return FALSE; + } + + return TRUE; +} + diff --git a/src/supplicant/nm-supplicant-config.h b/src/supplicant/nm-supplicant-config.h index 6acfb7ee1..705833ff5 100644 --- a/src/supplicant/nm-supplicant-config.h +++ b/src/supplicant/nm-supplicant-config.h 
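Review bot: nm_supplicant_config_enable_pmf_akm (patch 4/4) removes the existing key_mgmt entry before it knows the replacement can be stored, so if nm_supplicant_config_add_option fails the config is left with no key_mgmt at all. The caller added in this series only logs the error and goes on to associate, which would hand the supplicant a network block relying on its default key management instead of the one the user configured. Pick the replacement first and put the original value back on failure, as sketched below; this assumes option->value is a NUL-terminated string, which the nm_streq0 calls already rely on. The new public function also has no comment stating that it mutates the config in place and returns TRUE when there is nothing to upgrade.

```c
	const char *akm = NULL;
	char *old_value;

	/* … unchanged: argument checks, priv and key_mgmt lookup … */

	if (nm_streq0 (option->value, "WPA-PSK"))
		akm = "WPA-PSK WPA-PSK-SHA256";
	else if (nm_streq0 (option->value, "WPA-EAP"))
		akm = "WPA-EAP WPA-EAP-SHA256";
	if (!akm)
		return TRUE;

	/* Copy first: removing the entry presumably frees the stored option. */
	old_value = g_strdup (option->value);
	g_hash_table_remove (priv->config, "key_mgmt");
	if (!nm_supplicant_config_add_option (self, "key_mgmt", akm, -1, NULL, error)) {
		/* Never leave the config without key_mgmt. */
		nm_supplicant_config_add_option (self, "key_mgmt", old_value, -1, NULL, NULL);
		g_free (old_value);
		return FALSE;
	}
	g_free (old_value);

	return TRUE;
```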
@@ -76,4 +76,6 @@ gboolean nm_supplicant_config_add_setting_macsec (NMSupplicantConfig *self, NMSettingMacsec *setting, GError **error); +gboolean nm_supplicant_config_enable_pmf_akm (NMSupplicantConfig *self, + GError **error); #endif /* __NETWORKMANAGER_SUPPLICANT_CONFIG_H__ */ diff --git a/src/supplicant/nm-supplicant-interface.c b/src/supplicant/nm-supplicant-interface.c index e92a57ff8..d3efadf15 100644 --- a/src/supplicant/nm-supplicant-interface.c +++ b/src/supplicant/nm-supplicant-interface.c @@ -1424,6 +1424,7 @@ nm_supplicant_interface_assoc (NMSupplicantInterface *self, { NMSupplicantInterfacePrivate *priv; AssocData *assoc_data; + GError *error = NULL; g_return_if_fail (NM_IS_SUPPLICANT_INTERFACE (self)); g_return_if_fail (NM_IS_SUPPLICANT_CONFIG (cfg)); @@ -1440,6 +1441,14 @@ nm_supplicant_interface_assoc (NMSupplicantInterface *self, assoc_data->callback = callback; assoc_data->user_data = user_data; + if ( priv->driver == NM_SUPPLICANT_DRIVER_WIRELESS + && priv->pmf_support == NM_SUPPLICANT_FEATURE_YES) { + if (!nm_supplicant_config_enable_pmf_akm (cfg, &error)) { + _LOGW ("could not enable PMF AKMs in config: %s", error->message); + g_error_free (error); + } + } + _LOGD ("assoc[%p]: starting association...", assoc_data); /* Make sure the supplicant supports EAP-FAST before trying to send diff --git a/src/supplicant/nm-supplicant-settings-verify.c b/src/supplicant/nm-supplicant-settings-verify.c index ce3e46d8d..fd5b06eac 100644 --- a/src/supplicant/nm-supplicant-settings-verify.c +++ b/src/supplicant/nm-supplicant-settings-verify.c 
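Review bot: The block added to nm_supplicant_interface_assoc (patch 4/4) widens key_mgmt whenever `priv->pmf_support == NM_SUPPLICANT_FEATURE_YES`, which is the advertised capability, not the outcome of the Pmf property Set. set_pmf_cb only logs on failure and records nothing, so the SHA256 AKMs can be offered while PMF was never actually switched on in the supplicant; consider storing the result in set_pmf_cb and testing that here. When nm_supplicant_config_enable_pmf_akm fails, the code warns and carries on associating with whatever state the config was left in. The local `GError *error` could be `gs_free_error GError *error = NULL;`, as set_pmf_cb in this file does, dropping the manual g_error_free. The function body continues beyond the hunk.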
@@ -71,7 +71,9 @@ static const struct validate_entry validate_table[] = { const char * pairwise_allowed[] = { "CCMP", "TKIP", "NONE", NULL }; const char * group_allowed[] = { "CCMP", "TKIP", "WEP104", "WEP40", NULL }; const char * proto_allowed[] = { "WPA", "RSN", NULL }; -const char * key_mgmt_allowed[] = { "WPA-PSK", "WPA-EAP", "IEEE8021X", "WPA-NONE", +const char * key_mgmt_allowed[] = { "WPA-PSK", "WPA-PSK-SHA256", + "WPA-EAP", "WPA-EAP-SHA256", + "IEEE8021X", "WPA-NONE", "NONE", NULL }; const char * auth_alg_allowed[] = { "OPEN", "SHARED", "LEAP", NULL }; const char * eap_allowed[] = { "LEAP", "MD5", "TLS", "PEAP", "TTLS", "SIM",