On Sun, 2019-01-06 at 16:49 +0200, Jouni Malinen wrote:
> On Sat, Jan 05, 2019 at 12:39:46PM +0100, Markus Theil wrote:
> > Currently, NetworkManager sends ieee80211w=1 for every connection,
> > if wpa_supplicant has pmf support enabled/compiled in. If the used
> > NIC does not support BIP ciphers, adding the IGTK fails.
>
> That is a bit unfortunate in this context.. The better way of doing this
> would have been setting the global pmf=1 parameter and not having
> per-network profile parameters. That combination is already covering
> this case of no driver support, i.e., pmf=1 was designed in a way that
> it would fall back to no MFP if there is no driver support.

Perhaps I don't fully understand, but wouldn't pmf=1 try to enable PMF
for all SSIDs if supported by SSID/driver, even if the user does not
actually want to use PMF on that SSID?

Usually NetworkManager tries to have per-SSID switches for things,
because there are times when a network advertises a feature that you
don't actually want to use for whatever reason (it's broken on one side
but still advertised, or has some drawbacks that certain users don't
want to accept, etc).

Dan

> > This patch circumvents this, by ignoring ieee80211w=1 (optional MFP)
> > if hardware support is not given. Making NetworkManager aware of
> > per-interface MFP support would be the cleaner solution of course.
>
> This patch is doing quite a bit more than that, though..
>
> > diff --git a/wpa_supplicant/wpa_supplicant.c
> > b/wpa_supplicant/wpa_supplicant.c
> > @@ -6828,7 +6828,9 @@ int wpas_network_disabled(struct
> > wpa_supplicant *wpa_s, struct wpa_ssid *ssid)
> > int wpas_get_ssid_pmf(struct wpa_supplicant *wpa_s, struct
> > wpa_ssid *ssid)
> > {
> > #ifdef CONFIG_IEEE80211W
> > - if (ssid == NULL || ssid->ieee80211w ==
> > MGMT_FRAME_PROTECTION_DEFAULT) {
> > + if (ssid == NULL ||
> > + ssid->ieee80211w == MGMT_FRAME_PROTECTION_DEFAULT ||
> > + ssid->ieee80211w == MGMT_FRAME_PROTECTION_OPTIONAL) {
> > if (wpa_s->conf->pmf == MGMT_FRAME_PROTECTION_OPTIONAL
> > &&
> > !(wpa_s->drv_enc & WPA_DRIVER_CAPA_ENC_BIP)) {
> > /*
>
> This first if block ends in "return wpa_s->conf->pmf". In other words,
> this patch would end up overriding network profile specific
> ssid->ieee80211w with the global default wpa_s->conf->pmf if
> ieee80211w=1 (optional) is used in the network profile. This applies in
> case of all drivers where PMF is supported.
>
> That is not a desired change since it can result in quite incorrect
> behavior. If the goal is to override ieee80211w=1 in the network
> profile, that would need to be done at the end of this function just
> before return ssid->ieee80211w instead of modifying this special case of
> MGMT_FRAME_PROTECTION_DEFAULT (i.e., no explicit ieee80211w parameter in
> the network profile).

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
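Review bot: the widened condition in the wpas_get_ssid_pmf hunk routes a profile with ieee80211w=1 (MGMT_FRAME_PROTECTION_OPTIONAL) into the DEFAULT branch on every driver, while the driver-capability test inside that branch still keys on the global `wpa_s->conf->pmf == MGMT_FRAME_PROTECTION_OPTIONAL` rather than on the profile value, so the no-BIP fallback for a per-network ieee80211w=1 is only reached when the global pmf also happens to be 1, and otherwise the profile setting is replaced by the global one as the reply notes. Suggested change: leave the `ssid->ieee80211w == MGMT_FRAME_PROTECTION_DEFAULT` condition as it was and add a separate check at the point where the per-network value is returned, along the lines of `if (ssid->ieee80211w == MGMT_FRAME_PROTECTION_OPTIONAL && !(wpa_s->drv_enc & WPA_DRIVER_CAPA_ENC_BIP)) return NO_MGMT_FRAME_PROTECTION;`, so only the driver-without-BIP case is affected; the hunk is also cut off at the opening comment, so the rest of the branch should be included in the resend.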