static void add_pair_ciphers (NMAccessPoint *ap, NMSettingWirelessSecurity *sec) { guint32 num = nm_setting_wireless_security_get_num_pairwise (sec); guint32 flags = NM_802_11_AP_SEC_NONE; guint32 i; /* If no ciphers are specified, that means "all" WPA ciphers */ if (num == 0) { flags |= NM_802_11_AP_SEC_PAIR_TKIP | NM_802_11_AP_SEC_PAIR_CCMP; } else { for (i = 0; i < num; i++) { const char *cipher = nm_setting_wireless_security_get_pairwise (sec, i); if (!strcmp (cipher, "tkip")) flags |= NM_802_11_AP_SEC_PAIR_TKIP; else if (!strcmp (cipher, "ccmp")) flags |= NM_802_11_AP_SEC_PAIR_CCMP; } } if (has_proto (sec, PROTO_WPA)) nm_ap_set_wpa_flags (ap, nm_ap_get_wpa_flags (ap) | flags); if (has_proto (sec, PROTO_RSN)) nm_ap_set_rsn_flags (ap, nm_ap_get_rsn_flags (ap) | flags); }
static gboolean verify_wpa_psk (NMSettingWirelessSecurity *s_wsec, NMSetting8021x *s_8021x, gboolean adhoc, guint32 wpa_flags, guint32 rsn_flags, GError **error) { const char *key_mgmt, *auth_alg, *tmp; int n; key_mgmt = nm_setting_wireless_security_get_key_mgmt (s_wsec); auth_alg = nm_setting_wireless_security_get_auth_alg (s_wsec); if (key_mgmt) { if (!strcmp (key_mgmt, "wpa-psk") || !strcmp (key_mgmt, "wpa-none")) { if (s_8021x) { g_set_error_literal (error, NM_SETTING_WIRELESS_SECURITY_ERROR, NM_SETTING_WIRELESS_SECURITY_ERROR_INVALID_PROPERTY, "WPA-PSK incompatible with 802.1x"); return FALSE; } if (auth_alg && strcmp (auth_alg, "open")) { /* WPA must use "open" authentication */ g_set_error_literal (error, NM_SETTING_WIRELESS_SECURITY_ERROR, NM_SETTING_WIRELESS_SECURITY_ERROR_INVALID_PROPERTY, "WPA-PSK requires 'open' authentication"); return FALSE; } } if (!strcmp (key_mgmt, "wpa-none")) { if (!adhoc) { g_set_error_literal (error, NM_SETTING_WIRELESS_SECURITY_ERROR, NM_SETTING_WIRELESS_SECURITY_ERROR_INVALID_PROPERTY, "WPA Ad-Hoc requires an Ad-Hoc mode AP"); return FALSE; } /* Ad-Hoc WPA requires 'wpa' proto, 'none' pairwise, and 'tkip' group */ n = nm_setting_wireless_security_get_num_protos (s_wsec); tmp = (n > 0) ? nm_setting_wireless_security_get_proto (s_wsec, 0) : NULL; if (n > 1 || strcmp (tmp, "wpa")) { g_set_error_literal (error, NM_SETTING_WIRELESS_SECURITY_ERROR, NM_SETTING_WIRELESS_SECURITY_ERROR_INVALID_PROPERTY, "WPA Ad-Hoc requires 'wpa' proto"); return FALSE; } n = nm_setting_wireless_security_get_num_pairwise (s_wsec); tmp = (n > 0) ? nm_setting_wireless_security_get_pairwise (s_wsec, 0) : NULL; if (n > 1 || strcmp (tmp, "none")) { g_set_error_literal (error, NM_SETTING_WIRELESS_SECURITY_ERROR, NM_SETTING_WIRELESS_SECURITY_ERROR_INVALID_PROPERTY, "WPA Ad-Hoc requires 'none' pairwise cipher"); return FALSE; } n = nm_setting_wireless_security_get_num_groups (s_wsec); tmp = (n > 0) ? nm_setting_wireless_security_get_group (s_wsec, 0) : NULL; if (n > 1 || strcmp (tmp, "tkip")) { g_set_error_literal (error, NM_SETTING_WIRELESS_SECURITY_ERROR, NM_SETTING_WIRELESS_SECURITY_ERROR_INVALID_PROPERTY, "WPA Ad-Hoc requires 'tkip' group cipher"); return FALSE; } } if (!strcmp (key_mgmt, "wpa-psk")) { /* Make sure the AP's capabilities support WPA-PSK */ if ( !(wpa_flags & NM_802_11_AP_SEC_KEY_MGMT_PSK) && !(rsn_flags & NM_802_11_AP_SEC_KEY_MGMT_PSK)) { g_set_error_literal (error, NM_SETTING_WIRELESS_SECURITY_ERROR, NM_SETTING_WIRELESS_SECURITY_ERROR_INVALID_PROPERTY, "AP does not support PSK but setting requires it"); return FALSE; } } } return TRUE; }
/** * nm_setting_wireless_ap_security_compatible: * @s_wireless: a #NMSettingWireless * @s_wireless_sec: a #NMSettingWirelessSecurity or %NULL * @ap_flags: the %NM80211ApFlags of the given access point * @ap_wpa: the %NM80211ApSecurityFlags of the given access point's WPA * capabilities * @ap_rsn: the %NM80211ApSecurityFlags of the given access point's WPA2/RSN * capabilities * @ap_mode: the 802.11 mode of the AP, either Ad-Hoc or Infrastructure * * Given a #NMSettingWireless and an optional #NMSettingWirelessSecurity, * determine if the configuration given by the settings is compatible with * the security of an access point using that access point's capability flags * and mode. Useful for clients that wish to filter a set of connections * against a set of access points and determine which connections are * compatible with which access points. * * Returns: %TRUE if the given settings are compatible with the access point's * security flags and mode, %FALSE if they are not. */ gboolean nm_setting_wireless_ap_security_compatible (NMSettingWireless *s_wireless, NMSettingWirelessSecurity *s_wireless_sec, NM80211ApFlags ap_flags, NM80211ApSecurityFlags ap_wpa, NM80211ApSecurityFlags ap_rsn, NM80211Mode ap_mode) { const char *key_mgmt = NULL, *cipher; guint32 num, i; gboolean found = FALSE; g_return_val_if_fail (NM_IS_SETTING_WIRELESS (s_wireless), FALSE); if (!s_wireless_sec) { if ( (ap_flags & NM_802_11_AP_FLAGS_PRIVACY) || (ap_wpa != NM_802_11_AP_SEC_NONE) || (ap_rsn != NM_802_11_AP_SEC_NONE)) return FALSE; return TRUE; } key_mgmt = nm_setting_wireless_security_get_key_mgmt (s_wireless_sec); if (!key_mgmt) return FALSE; /* Static WEP */ if (!strcmp (key_mgmt, "none")) { if ( !(ap_flags & NM_802_11_AP_FLAGS_PRIVACY) || (ap_wpa != NM_802_11_AP_SEC_NONE) || (ap_rsn != NM_802_11_AP_SEC_NONE)) return FALSE; return TRUE; } /* Adhoc WPA */ if (!strcmp (key_mgmt, "wpa-none")) { if (ap_mode != NM_802_11_MODE_ADHOC) return FALSE; /* FIXME: validate ciphers if they're in the beacon */ return TRUE; } /* Adhoc WPA2 (ie, RSN IBSS) */ if (ap_mode == NM_802_11_MODE_ADHOC) { if (strcmp (key_mgmt, "wpa-psk")) return FALSE; /* Ensure the AP has RSN PSK capability */ if (!(ap_rsn & NM_802_11_AP_SEC_KEY_MGMT_PSK)) return FALSE; /* Fall through and check ciphers in generic WPA-PSK code */ } /* Dynamic WEP or LEAP */ if (!strcmp (key_mgmt, "ieee8021x")) { if (!(ap_flags & NM_802_11_AP_FLAGS_PRIVACY)) return FALSE; /* If the AP is advertising a WPA IE, make sure it supports WEP ciphers */ if (ap_wpa != NM_802_11_AP_SEC_NONE) { if (!(ap_wpa & NM_802_11_AP_SEC_KEY_MGMT_802_1X)) return FALSE; /* quick check; can't use AP if it doesn't support at least one * WEP cipher in both pairwise and group suites. */ if ( !(ap_wpa & (NM_802_11_AP_SEC_PAIR_WEP40 | NM_802_11_AP_SEC_PAIR_WEP104)) || !(ap_wpa & (NM_802_11_AP_SEC_GROUP_WEP40 | NM_802_11_AP_SEC_GROUP_WEP104))) return FALSE; /* Match at least one pairwise cipher with AP's capability if the * wireless-security setting explicitly lists pairwise ciphers */ num = nm_setting_wireless_security_get_num_pairwise (s_wireless_sec); for (i = 0, found = FALSE; i < num; i++) { cipher = nm_setting_wireless_security_get_pairwise (s_wireless_sec, i); if ((found = match_cipher (cipher, "wep40", ap_wpa, ap_wpa, NM_802_11_AP_SEC_PAIR_WEP40))) break; if ((found = match_cipher (cipher, "wep104", ap_wpa, ap_wpa, NM_802_11_AP_SEC_PAIR_WEP104))) break; } if (!found && num) return FALSE; /* Match at least one group cipher with AP's capability if the * wireless-security setting explicitly lists group ciphers */ num = nm_setting_wireless_security_get_num_groups (s_wireless_sec); for (i = 0, found = FALSE; i < num; i++) { cipher = nm_setting_wireless_security_get_group (s_wireless_sec, i); if ((found = match_cipher (cipher, "wep40", ap_wpa, ap_wpa, NM_802_11_AP_SEC_GROUP_WEP40))) break; if ((found = match_cipher (cipher, "wep104", ap_wpa, ap_wpa, NM_802_11_AP_SEC_GROUP_WEP104))) break; } if (!found && num) return FALSE; } return TRUE; } /* WPA[2]-PSK and WPA[2] Enterprise */ if ( !strcmp (key_mgmt, "wpa-psk") || !strcmp (key_mgmt, "wpa-eap")) { if (!strcmp (key_mgmt, "wpa-psk")) { if ( !(ap_wpa & NM_802_11_AP_SEC_KEY_MGMT_PSK) && !(ap_rsn & NM_802_11_AP_SEC_KEY_MGMT_PSK)) return FALSE; } else if (!strcmp (key_mgmt, "wpa-eap")) { if ( !(ap_wpa & NM_802_11_AP_SEC_KEY_MGMT_802_1X) && !(ap_rsn & NM_802_11_AP_SEC_KEY_MGMT_802_1X)) return FALSE; } // FIXME: should handle WPA and RSN separately here to ensure that // if the Connection only uses WPA we don't match a cipher against // the AP's RSN IE instead /* Match at least one pairwise cipher with AP's capability if the * wireless-security setting explicitly lists pairwise ciphers */ num = nm_setting_wireless_security_get_num_pairwise (s_wireless_sec); for (i = 0, found = FALSE; i < num; i++) { cipher = nm_setting_wireless_security_get_pairwise (s_wireless_sec, i); if ((found = match_cipher (cipher, "tkip", ap_wpa, ap_rsn, NM_802_11_AP_SEC_PAIR_TKIP))) break; if ((found = match_cipher (cipher, "ccmp", ap_wpa, ap_rsn, NM_802_11_AP_SEC_PAIR_CCMP))) break; } if (!found && num) return FALSE; /* Match at least one group cipher with AP's capability if the * wireless-security setting explicitly lists group ciphers */ num = nm_setting_wireless_security_get_num_groups (s_wireless_sec); for (i = 0, found = FALSE; i < num; i++) { cipher = nm_setting_wireless_security_get_group (s_wireless_sec, i); if ((found = match_cipher (cipher, "wep40", ap_wpa, ap_rsn, NM_802_11_AP_SEC_GROUP_WEP40))) break; if ((found = match_cipher (cipher, "wep104", ap_wpa, ap_rsn, NM_802_11_AP_SEC_GROUP_WEP104))) break; if ((found = match_cipher (cipher, "tkip", ap_wpa, ap_rsn, NM_802_11_AP_SEC_GROUP_TKIP))) break; if ((found = match_cipher (cipher, "ccmp", ap_wpa, ap_rsn, NM_802_11_AP_SEC_GROUP_CCMP))) break; } if (!found && num) return FALSE; return TRUE; } return FALSE; }
static gboolean verify_no_wpa (NMSettingWirelessSecurity *s_wsec, const char *tag, GError **error) { const char *key_mgmt; int n, i; key_mgmt = nm_setting_wireless_security_get_key_mgmt (s_wsec); if (key_mgmt && !strncmp (key_mgmt, "wpa", 3)) { g_set_error (error, NM_SETTING_WIRELESS_SECURITY_ERROR, NM_SETTING_WIRELESS_SECURITY_ERROR_INVALID_PROPERTY, "%s incompatible with any WPA key management", tag); return FALSE; } if (nm_setting_wireless_security_get_num_protos (s_wsec)) { g_set_error (error, NM_SETTING_WIRELESS_SECURITY_ERROR, NM_SETTING_WIRELESS_SECURITY_ERROR_INVALID_PROPERTY, "%s incompatible with any 'proto' setting", tag); return FALSE; } n = nm_setting_wireless_security_get_num_pairwise (s_wsec); for (i = 0; i < n; i++) { const char *pw; pw = nm_setting_wireless_security_get_pairwise (s_wsec, i); if (strcmp (pw, "wep40") && strcmp (pw, "wep104")) { g_set_error (error, NM_SETTING_WIRELESS_SECURITY_ERROR, NM_SETTING_WIRELESS_SECURITY_ERROR_INVALID_PROPERTY, "%s is incompatible with WPA pairwise ciphers", tag); return FALSE; } } n = nm_setting_wireless_security_get_num_groups (s_wsec); for (i = 0; i < n; i++) { const char *gr; gr = nm_setting_wireless_security_get_group (s_wsec, i); if (strcmp (gr, "wep40") && strcmp (gr, "wep104")) { g_set_error (error, NM_SETTING_WIRELESS_SECURITY_ERROR, NM_SETTING_WIRELESS_SECURITY_ERROR_INVALID_PROPERTY, "%s is incompatible with WPA group ciphers", tag); return FALSE; } } if (nm_setting_wireless_security_get_psk (s_wsec)) { g_set_error (error, NM_SETTING_WIRELESS_SECURITY_ERROR, NM_SETTING_WIRELESS_SECURITY_ERROR_INVALID_PROPERTY, "%s is incompatible with a WPA Pre-Shared Key", tag); return FALSE; } return TRUE; }