From c23275e6ca0eb04623e499b88e06486e8c91477c Mon Sep 17 00:00:00 2001
From: Thomas Haller <thaller@redhat.com>
Date: Tue, 20 Aug 2019 15:50:32 +0200
Subject: [PATCH 1/1] wifi: detect FT support per interface and avoid enabling
 it

Previously we only cared whether supplicant is build with support for
FT. In that case we would pass FT-PSK to supplicant, like

  Config: added 'key_mgmt' value 'WPA-PSK WPA-PSK-SHA256 FT-PSK'

Supplicant would then always try FT with preference, regardless whether
the interface/driver support it. That results in a failure to associate, if
the driver does not support it.

  NetworkManager[1356]: <info>  [1566296144.9940] Config: added 'key_mgmt' value 'WPA-PSK WPA-PSK-SHA256 FT-PSK'
  ...
  wpa_supplicant[1348]: wlan0: WPA: AP key_mgmt 0x42 network profile key_mgmt 0x142; available key_mgmt 0x42
  wpa_supplicant[1348]: wlan0: WPA: using KEY_MGMT FT/PSK
  ...
  wpa_supplicant[1348]:   * akm=0xfac04
  ...
  kernel: ERROR @wl_set_key_mgmt :
  kernel: invalid cipher group (1027076)

Since we pass a list of acceptable "key_mgmt" options to supplicant,
FT-PSK should not be used when supplicant knows it's not supported.
That is a supplicant bug.

Regardless, work around it by checking the per-interface capability, and
avoid it if support is apparently not present.

(cherry picked from commit 2f8a4e90f0fd0f900996e3081d49f8799bba4c6f)
(cherry picked from commit b82f2d97720bf19e13bdcca5c18ccf5803da19a7)
---
 src/supplicant/nm-supplicant-interface.c | 35 ++++++++++++++++++------
 1 file changed, 26 insertions(+), 9 deletions(-)

diff --git a/src/supplicant/nm-supplicant-interface.c b/src/supplicant/nm-supplicant-interface.c
index 079afca3b5d7..a54b770c355b 100644
--- a/src/supplicant/nm-supplicant-interface.c
+++ b/src/supplicant/nm-supplicant-interface.c
@@ -135,7 +135,8 @@ typedef struct {
 	NMSupplicantFeature p2p_support;
 	NMSupplicantFeature mesh_support;
 	NMSupplicantFeature wfd_support;
-	NMSupplicantFeature ft_support;
+	NMSupplicantFeature ft_support_global;
+	NMSupplicantFeature ft_support_per_iface;
 	NMSupplicantFeature sha384_support;
 	guint32        max_scan_ssids;
 	guint32        ready_count;
@@ -609,14 +610,25 @@ static void
 parse_capabilities (NMSupplicantInterface *self, GVariant *capabilities)
 {
 	NMSupplicantInterfacePrivate *priv = NM_SUPPLICANT_INTERFACE_GET_PRIVATE (self);
-	gboolean have_active = FALSE, have_p2p = FALSE, have_ssid = FALSE;
+	gboolean have_active = FALSE;
+	gboolean have_ssid = FALSE;
+	gboolean have_p2p = FALSE;
+	gboolean have_ft = FALSE;
 	gint32 max_scan_ssids = -1;
 	const char **array;
 
 	g_return_if_fail (capabilities && g_variant_is_of_type (capabilities, G_VARIANT_TYPE_VARDICT));
 
-	if (   g_variant_lookup (capabilities, "Modes", "^a&s", &array)
-	    && array) {
+	if (g_variant_lookup (capabilities, "KeyMgmt", "^a&s", &array)) {
+		have_ft = g_strv_contains (array, "wpa-ft-psk");
+		g_free (array);
+	}
+
+	priv->ft_support_per_iface =   have_ft
+	                             ? NM_SUPPLICANT_FEATURE_YES
+	                             : NM_SUPPLICANT_FEATURE_NO;
+
+	if (g_variant_lookup (capabilities, "Modes", "^a&s", &array)) {
 		if (g_strv_contains (array, "p2p"))
 			have_p2p = TRUE;
 		g_free (array);
@@ -627,8 +639,7 @@ parse_capabilities (NMSupplicantInterface *self, GVariant *capabilities)
 		_notify (self, PROP_P2P_AVAILABLE);
 	}
 
-	if (   g_variant_lookup (capabilities, "Scan", "^a&s", &array)
-	    && array) {
+	if (g_variant_lookup (capabilities, "Scan", "^a&s", &array)) {
 		if (g_strv_contains (array, "active"))
 			have_active = TRUE;
 		if (g_strv_contains (array, "ssid"))
@@ -807,7 +818,13 @@ nm_supplicant_interface_get_wfd_support (NMSupplicantInterface *self)
 NMSupplicantFeature
 nm_supplicant_interface_get_ft_support (NMSupplicantInterface *self)
 {
-	return NM_SUPPLICANT_INTERFACE_GET_PRIVATE (self)->ft_support;
+	NMSupplicantInterfacePrivate *priv = NM_SUPPLICANT_INTERFACE_GET_PRIVATE (self);
+
+	if (priv->ft_support_global == NM_SUPPLICANT_FEATURE_NO)
+		return NM_SUPPLICANT_FEATURE_NO;
+	if (priv->ft_support_per_iface != NM_SUPPLICANT_FEATURE_UNKNOWN)
+		return priv->ft_support_per_iface;
+	return priv->ft_support_global;
 }
 
 NMSupplicantFeature
@@ -889,7 +906,7 @@ nm_supplicant_interface_set_ft_support (NMSupplicantInterface *self,
 {
 	NMSupplicantInterfacePrivate *priv = NM_SUPPLICANT_INTERFACE_GET_PRIVATE (self);
 
-	priv->ft_support = ft_support;
+	priv->ft_support_global = ft_support;
 }
 
 void
@@ -2801,7 +2818,7 @@ set_property (GObject *object,
 		break;
 	case PROP_FT_SUPPORT:
 		/* construct-only */
-		priv->ft_support = g_value_get_int (value);
+		priv->ft_support_global = g_value_get_int (value);
 		break;
 	case PROP_SHA384_SUPPORT:
 		/* construct-only */
-- 
2.21.0