diff --git a/0001-wifi-detect-FT-support-per-interface-and-avoid-enabl.patch b/0001-wifi-detect-FT-support-per-interface-and-avoid-enabl.patch new file mode 100644 index 0000000..0c9aeb8 --- /dev/null +++ b/0001-wifi-detect-FT-support-per-interface-and-avoid-enabl.patch @@ -0,0 +1,125 @@ +From b82f2d97720bf19e13bdcca5c18ccf5803da19a7 Mon Sep 17 00:00:00 2001 +From: Thomas Haller +Date: Tue, 20 Aug 2019 15:50:32 +0200 +Subject: [PATCH] wifi: detect FT support per interface and avoid enabling it + +Previously we only cared whether supplicant is build with support for +FT. In that case we would pass FT-PSK to supplicant, like + + Config: added 'key_mgmt' value 'WPA-PSK WPA-PSK-SHA256 FT-PSK' + +Supplicant would then always try FT with preference, regardless whether +the interface/driver support it. That results in a failure to associate, if +the driver does not support it. + + NetworkManager[1356]: [1566296144.9940] Config: added 'key_mgmt' value 'WPA-PSK WPA-PSK-SHA256 FT-PSK' + ... + wpa_supplicant[1348]: wlan0: WPA: AP key_mgmt 0x42 network profile key_mgmt 0x142; available key_mgmt 0x42 + wpa_supplicant[1348]: wlan0: WPA: using KEY_MGMT FT/PSK + ... + wpa_supplicant[1348]: * akm=0xfac04 + ... + kernel: ERROR @wl_set_key_mgmt : + kernel: invalid cipher group (1027076) + +Since we pass a list of acceptable "key_mgmt" options to supplicant, +FT-PSK should not be used when supplicant knows it's not supported. +That is a supplicant bug. + +Regardless, work around it by checking the per-interface capability, and +avoid it if support is apparently not present. + +(cherry picked from commit 2f8a4e90f0fd0f900996e3081d49f8799bba4c6f) +--- + src/supplicant/nm-supplicant-interface.c | 35 ++++++++++++++++++------ + 1 file changed, 26 insertions(+), 9 deletions(-) + +diff --git a/src/supplicant/nm-supplicant-interface.c b/src/supplicant/nm-supplicant-interface.c +index 079afca3b5..a54b770c35 100644 +--- a/src/supplicant/nm-supplicant-interface.c ++++ b/src/supplicant/nm-supplicant-interface.c +@@ -135,7 +135,8 @@ typedef struct { + NMSupplicantFeature p2p_support; + NMSupplicantFeature mesh_support; + NMSupplicantFeature wfd_support; +- NMSupplicantFeature ft_support; ++ NMSupplicantFeature ft_support_global; ++ NMSupplicantFeature ft_support_per_iface; + NMSupplicantFeature sha384_support; + guint32 max_scan_ssids; + guint32 ready_count; +@@ -609,14 +610,25 @@ static void + parse_capabilities (NMSupplicantInterface *self, GVariant *capabilities) + { + NMSupplicantInterfacePrivate *priv = NM_SUPPLICANT_INTERFACE_GET_PRIVATE (self); +- gboolean have_active = FALSE, have_p2p = FALSE, have_ssid = FALSE; ++ gboolean have_active = FALSE; ++ gboolean have_ssid = FALSE; ++ gboolean have_p2p = FALSE; ++ gboolean have_ft = FALSE; + gint32 max_scan_ssids = -1; + const char **array; + + g_return_if_fail (capabilities && g_variant_is_of_type (capabilities, G_VARIANT_TYPE_VARDICT)); + +- if ( g_variant_lookup (capabilities, "Modes", "^a&s", &array) +- && array) { ++ if (g_variant_lookup (capabilities, "KeyMgmt", "^a&s", &array)) { ++ have_ft = g_strv_contains (array, "wpa-ft-psk"); ++ g_free (array); ++ } ++ ++ priv->ft_support_per_iface = have_ft ++ ? NM_SUPPLICANT_FEATURE_YES ++ : NM_SUPPLICANT_FEATURE_NO; ++ ++ if (g_variant_lookup (capabilities, "Modes", "^a&s", &array)) { + if (g_strv_contains (array, "p2p")) + have_p2p = TRUE; + g_free (array); +@@ -627,8 +639,7 @@ parse_capabilities (NMSupplicantInterface *self, GVariant *capabilities) + _notify (self, PROP_P2P_AVAILABLE); + } + +- if ( g_variant_lookup (capabilities, "Scan", "^a&s", &array) +- && array) { ++ if (g_variant_lookup (capabilities, "Scan", "^a&s", &array)) { + if (g_strv_contains (array, "active")) + have_active = TRUE; + if (g_strv_contains (array, "ssid")) +@@ -807,7 +818,13 @@ nm_supplicant_interface_get_wfd_support (NMSupplicantInterface *self) + NMSupplicantFeature + nm_supplicant_interface_get_ft_support (NMSupplicantInterface *self) + { +- return NM_SUPPLICANT_INTERFACE_GET_PRIVATE (self)->ft_support; ++ NMSupplicantInterfacePrivate *priv = NM_SUPPLICANT_INTERFACE_GET_PRIVATE (self); ++ ++ if (priv->ft_support_global == NM_SUPPLICANT_FEATURE_NO) ++ return NM_SUPPLICANT_FEATURE_NO; ++ if (priv->ft_support_per_iface != NM_SUPPLICANT_FEATURE_UNKNOWN) ++ return priv->ft_support_per_iface; ++ return priv->ft_support_global; + } + + NMSupplicantFeature +@@ -889,7 +906,7 @@ nm_supplicant_interface_set_ft_support (NMSupplicantInterface *self, + { + NMSupplicantInterfacePrivate *priv = NM_SUPPLICANT_INTERFACE_GET_PRIVATE (self); + +- priv->ft_support = ft_support; ++ priv->ft_support_global = ft_support; + } + + void +@@ -2801,7 +2818,7 @@ set_property (GObject *object, + break; + case PROP_FT_SUPPORT: + /* construct-only */ +- priv->ft_support = g_value_get_int (value); ++ priv->ft_support_global = g_value_get_int (value); + break; + case PROP_SHA384_SUPPORT: + /* construct-only */ +-- +2.21.0 + diff --git a/NetworkManager.spec b/NetworkManager.spec index ec0fbfb..d8d2caa 100644 --- a/NetworkManager.spec +++ b/NetworkManager.spec @@ -135,6 +135,7 @@ Source5: 20-connectivity-redhat.conf Source6: 70-nm-connectivity.conf #Patch1: 0001-some.patch +Patch1: 0001-wifi-detect-FT-support-per-interface-and-avoid-enabl.patch Requires(post): systemd Requires(post): /usr/sbin/update-alternatives @@ -978,6 +979,7 @@ fi %changelog * Fri Aug 23 2019 Lubomir Rintel - 1:1.20.0-3 - install our dispatcher scripts into /usr/lib/NetworkManager +- wifi: detect FT support per interface and avoid enabling it * Thu Aug 15 2019 Lubomir Rintel - 1:1.20.0-2 - Enable iwd support