Commit 72cfa1f4 authored by Beniamino Galvani's avatar Beniamino Galvani

supplicant: enable stronger AKMs when PMF is enabled

parent a72ffe23
...@@ -1325,3 +1325,31 @@ nm_supplicant_config_add_no_security (NMSupplicantConfig *self, GError **error) ...@@ -1325,3 +1325,31 @@ nm_supplicant_config_add_no_security (NMSupplicantConfig *self, GError **error)
return nm_supplicant_config_add_option (self, "key_mgmt", "NONE", -1, NULL, error); return nm_supplicant_config_add_option (self, "key_mgmt", "NONE", -1, NULL, error);
} }
gboolean
nm_supplicant_config_enable_pmf_akm (NMSupplicantConfig *self, GError **error)
{
NMSupplicantConfigPrivate *priv;
ConfigOption *option;
g_return_val_if_fail (NM_IS_SUPPLICANT_CONFIG (self), FALSE);
g_return_val_if_fail (!error || !*error, FALSE);
priv = NM_SUPPLICANT_CONFIG_GET_PRIVATE (self);
option = g_hash_table_lookup (priv->config, "key_mgmt");
if (!option)
return TRUE;
if (nm_streq0 (option->value, "WPA-PSK")) {
g_hash_table_remove (priv->config, "key_mgmt");
if (!nm_supplicant_config_add_option (self, "key_mgmt", "WPA-PSK WPA-PSK-SHA256", -1, NULL, error))
return FALSE;
} else if (nm_streq0 (option->value, "WPA-EAP")) {
g_hash_table_remove (priv->config, "key_mgmt");
if (!nm_supplicant_config_add_option (self, "key_mgmt", "WPA-EAP WPA-EAP-SHA256", -1, NULL, error))
return FALSE;
}
return TRUE;
}
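Review bot: On the failure path of nm_supplicant_config_enable_pmf_akm the original `key_mgmt` entry is already gone, because `g_hash_table_remove (priv->config, "key_mgmt")` runs before `nm_supplicant_config_add_option (...)` in both branches. If the add is rejected, the function returns FALSE with no `key_mgmt` in the config at all, and the caller added in nm_supplicant_interface_assoc only logs a warning and carries on with the association. The supplicant would then presumably use its own default AKM set instead of the one the connection requested, so either restore the previous value before returning FALSE or have the caller stop using the config. At minimum, document the contract above the function, e.g. `/* On failure the key_mgmt option has already been removed; the config must not be used for association. */`. The `nm_streq0` checks are exact matches, so a `key_mgmt` value holding more than one keyword is left unchanged; a short comment saying whether that can occur would help.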
...@@ -76,4 +76,6 @@ gboolean nm_supplicant_config_add_setting_macsec (NMSupplicantConfig *self, ...@@ -76,4 +76,6 @@ gboolean nm_supplicant_config_add_setting_macsec (NMSupplicantConfig *self,
NMSettingMacsec *setting, NMSettingMacsec *setting,
GError **error); GError **error);
gboolean nm_supplicant_config_enable_pmf_akm (NMSupplicantConfig *self,
GError **error);
#endif /* __NETWORKMANAGER_SUPPLICANT_CONFIG_H__ */ #endif /* __NETWORKMANAGER_SUPPLICANT_CONFIG_H__ */
...@@ -1424,6 +1424,7 @@ nm_supplicant_interface_assoc (NMSupplicantInterface *self, ...@@ -1424,6 +1424,7 @@ nm_supplicant_interface_assoc (NMSupplicantInterface *self,
{ {
NMSupplicantInterfacePrivate *priv; NMSupplicantInterfacePrivate *priv;
AssocData *assoc_data; AssocData *assoc_data;
GError *error = NULL;
g_return_if_fail (NM_IS_SUPPLICANT_INTERFACE (self)); g_return_if_fail (NM_IS_SUPPLICANT_INTERFACE (self));
g_return_if_fail (NM_IS_SUPPLICANT_CONFIG (cfg)); g_return_if_fail (NM_IS_SUPPLICANT_CONFIG (cfg));
...@@ -1440,6 +1441,14 @@ nm_supplicant_interface_assoc (NMSupplicantInterface *self, ...@@ -1440,6 +1441,14 @@ nm_supplicant_interface_assoc (NMSupplicantInterface *self,
assoc_data->callback = callback; assoc_data->callback = callback;
assoc_data->user_data = user_data; assoc_data->user_data = user_data;
if ( priv->driver == NM_SUPPLICANT_DRIVER_WIRELESS
&& priv->pmf_support == NM_SUPPLICANT_FEATURE_YES) {
if (!nm_supplicant_config_enable_pmf_akm (cfg, &error)) {
_LOGW ("could not enable PMF AKMs in config: %s", error->message);
g_error_free (error);
}
}
_LOGD ("assoc[%p]: starting association...", assoc_data); _LOGD ("assoc[%p]: starting association...", assoc_data);
/* Make sure the supplicant supports EAP-FAST before trying to send /* Make sure the supplicant supports EAP-FAST before trying to send
......
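Review bot: After `g_error_free (error);` the local `error` still holds the freed pointer, and it is declared at function scope in nm_supplicant_interface_assoc, whose body continues past this hunk. Replace it with `g_clear_error (&error);` so any later use of `&error` in this function starts from NULL. Otherwise a second call that checks `!error || !*error`, as nm_supplicant_config_enable_pmf_akm does, would reject the stale pointer or a later free would hit it twice.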
...@@ -71,7 +71,9 @@ static const struct validate_entry validate_table[] = { ...@@ -71,7 +71,9 @@ static const struct validate_entry validate_table[] = {
const char * pairwise_allowed[] = { "CCMP", "TKIP", "NONE", NULL }; const char * pairwise_allowed[] = { "CCMP", "TKIP", "NONE", NULL };
const char * group_allowed[] = { "CCMP", "TKIP", "WEP104", "WEP40", NULL }; const char * group_allowed[] = { "CCMP", "TKIP", "WEP104", "WEP40", NULL };
const char * proto_allowed[] = { "WPA", "RSN", NULL }; const char * proto_allowed[] = { "WPA", "RSN", NULL };
const char * key_mgmt_allowed[] = { "WPA-PSK", "WPA-EAP", "IEEE8021X", "WPA-NONE", const char * key_mgmt_allowed[] = { "WPA-PSK", "WPA-PSK-SHA256",
"WPA-EAP", "WPA-EAP-SHA256",
"IEEE8021X", "WPA-NONE",
"NONE", NULL }; "NONE", NULL };
const char * auth_alg_allowed[] = { "OPEN", "SHARED", "LEAP", NULL }; const char * auth_alg_allowed[] = { "OPEN", "SHARED", "LEAP", NULL };
const char * eap_allowed[] = { "LEAP", "MD5", "TLS", "PEAP", "TTLS", "SIM", const char * eap_allowed[] = { "LEAP", "MD5", "TLS", "PEAP", "TTLS", "SIM",
......