wifi: detect FT support per interface and avoid enabling it

2019-08-23 08:58:55 +02:00 · 2019-08-23 08:58:55 +02:00 · f3de64e64d
commit f3de64e64d
parent 231f1105ed
2 changed files with 127 additions and 0 deletions
--- a/0001-wifi-detect-FT-support-per-interface-and-avoid-enabl.patch
+++ b/0001-wifi-detect-FT-support-per-interface-and-avoid-enabl.patch
@ -0,0 +1,125 @@
 From b82f2d97720bf19e13bdcca5c18ccf5803da19a7 Mon Sep 17 00:00:00 2001
 From: Thomas Haller <thaller@redhat.com>
 Date: Tue, 20 Aug 2019 15:50:32 +0200
 Subject: [PATCH] wifi: detect FT support per interface and avoid enabling it
 Previously we only cared whether supplicant is build with support for
 FT. In that case we would pass FT-PSK to supplicant, like
  Config: added 'key_mgmt' value 'WPA-PSK WPA-PSK-SHA256 FT-PSK'
 Supplicant would then always try FT with preference, regardless whether
 the interface/driver support it. That results in a failure to associate, if
 the driver does not support it.
  NetworkManager[1356]: <info>  [1566296144.9940] Config: added 'key_mgmt' value 'WPA-PSK WPA-PSK-SHA256 FT-PSK'
  ...
  wpa_supplicant[1348]: wlan0: WPA: AP key_mgmt 0x42 network profile key_mgmt 0x142; available key_mgmt 0x42
  wpa_supplicant[1348]: wlan0: WPA: using KEY_MGMT FT/PSK
  ...
  wpa_supplicant[1348]:   * akm=0xfac04
  ...
  kernel: ERROR @wl_set_key_mgmt :
  kernel: invalid cipher group (1027076)
 Since we pass a list of acceptable "key_mgmt" options to supplicant,
 FT-PSK should not be used when supplicant knows it's not supported.
 That is a supplicant bug.
 Regardless, work around it by checking the per-interface capability, and
 avoid it if support is apparently not present.
 (cherry picked from commit 2f8a4e90f0fd0f900996e3081d49f8799bba4c6f)
 ---
 src/supplicant/nm-supplicant-interface.c | 35 ++++++++++++++++++------
 1 file changed, 26 insertions(+), 9 deletions(-)
 diff --git a/src/supplicant/nm-supplicant-interface.c b/src/supplicant/nm-supplicant-interface.c
 index 079afca3b5..a54b770c35 100644
 --- a/src/supplicant/nm-supplicant-interface.c
 +++ b/src/supplicant/nm-supplicant-interface.c
@@ -135,7 +135,8 @@ typedef struct {
 	NMSupplicantFeature p2p_support;
 	NMSupplicantFeature mesh_support;
 	NMSupplicantFeature wfd_support;
 -	NMSupplicantFeature ft_support;
 +	NMSupplicantFeature ft_support_global;
 +	NMSupplicantFeature ft_support_per_iface;
 	NMSupplicantFeature sha384_support;
 	guint32        max_scan_ssids;
 	guint32        ready_count;
@@ -609,14 +610,25 @@ static void
 parse_capabilities (NMSupplicantInterface *self, GVariant *capabilities)
 {
 	NMSupplicantInterfacePrivate *priv = NM_SUPPLICANT_INTERFACE_GET_PRIVATE (self);
 -	gboolean have_active = FALSE, have_p2p = FALSE, have_ssid = FALSE;
 +	gboolean have_active = FALSE;
 +	gboolean have_ssid = FALSE;
 +	gboolean have_p2p = FALSE;
 +	gboolean have_ft = FALSE;
 	gint32 max_scan_ssids = -1;
 	const char **array;
 	g_return_if_fail (capabilities && g_variant_is_of_type (capabilities, G_VARIANT_TYPE_VARDICT));
 -	if (   g_variant_lookup (capabilities, "Modes", "^a&s", &array)
 -	    && array) {
 +	if (g_variant_lookup (capabilities, "KeyMgmt", "^a&s", &array)) {
 +		have_ft = g_strv_contains (array, "wpa-ft-psk");
 +		g_free (array);
 +	}
 +
 +	priv->ft_support_per_iface =   have_ft
 +	                             ? NM_SUPPLICANT_FEATURE_YES
 +	                             : NM_SUPPLICANT_FEATURE_NO;
 +
 +	if (g_variant_lookup (capabilities, "Modes", "^a&s", &array)) {
 		if (g_strv_contains (array, "p2p"))
 			have_p2p = TRUE;
 		g_free (array);
@@ -627,8 +639,7 @@ parse_capabilities (NMSupplicantInterface *self, GVariant *capabilities)
 		_notify (self, PROP_P2P_AVAILABLE);
 	}
 -	if (   g_variant_lookup (capabilities, "Scan", "^a&s", &array)
 -	    && array) {
 +	if (g_variant_lookup (capabilities, "Scan", "^a&s", &array)) {
 		if (g_strv_contains (array, "active"))
 			have_active = TRUE;
 		if (g_strv_contains (array, "ssid"))
@@ -807,7 +818,13 @@ nm_supplicant_interface_get_wfd_support (NMSupplicantInterface *self)
 NMSupplicantFeature
 nm_supplicant_interface_get_ft_support (NMSupplicantInterface *self)
 {
 -	return NM_SUPPLICANT_INTERFACE_GET_PRIVATE (self)->ft_support;
 +	NMSupplicantInterfacePrivate *priv = NM_SUPPLICANT_INTERFACE_GET_PRIVATE (self);
 +
 +	if (priv->ft_support_global == NM_SUPPLICANT_FEATURE_NO)
 +		return NM_SUPPLICANT_FEATURE_NO;
 +	if (priv->ft_support_per_iface != NM_SUPPLICANT_FEATURE_UNKNOWN)
 +		return priv->ft_support_per_iface;
 +	return priv->ft_support_global;
 }
 NMSupplicantFeature
@@ -889,7 +906,7 @@ nm_supplicant_interface_set_ft_support (NMSupplicantInterface *self,
 {
 	NMSupplicantInterfacePrivate *priv = NM_SUPPLICANT_INTERFACE_GET_PRIVATE (self);
 -	priv->ft_support = ft_support;
 +	priv->ft_support_global = ft_support;
 }
 void
@@ -2801,7 +2818,7 @@ set_property (GObject *object,
 		break;
 	case PROP_FT_SUPPORT:
 		/* construct-only */
 -		priv->ft_support = g_value_get_int (value);
 +		priv->ft_support_global = g_value_get_int (value);
 		break;
 	case PROP_SHA384_SUPPORT:
 		/* construct-only */
 -- 
 2.21.0
--- a/NetworkManager.spec
+++ b/NetworkManager.spec
@ -135,6 +135,7 @@ Source5: 20-connectivity-redhat.conf
 Source6: 70-nm-connectivity.conf
 #Patch1: 0001-some.patch
 Patch1: 0001-wifi-detect-FT-support-per-interface-and-avoid-enabl.patch
 Requires(post): systemd
 Requires(post): /usr/sbin/update-alternatives
@ -978,6 +979,7 @@ fi
 %changelog
 * Fri Aug 23 2019 Lubomir Rintel <lkundrak@v3.sk> - 1:1.20.0-3
 - install our dispatcher scripts into /usr/lib/NetworkManager
 - wifi: detect FT support per interface and avoid enabling it
 * Thu Aug 15 2019 Lubomir Rintel <lkundrak@v3.sk> - 1:1.20.0-2
 - Enable iwd support