From 3b8fa47f58bd96b59bdcd9a14b36ad2ee9d0d8f0 Mon Sep 17 00:00:00 2001
From: rnhmjoj
Date: Fri, 4 Feb 2022 08:45:28 +0100
Subject: nixos/wireless: don't attempt fallback on WPA3 only networks
---
 nixos/modules/services/networking/wpa_supplicant.nix | 10 +++++++---
 nixos/tests/wpa_supplicant.nix | 19 +++++++++++++++++--
 2 files changed, 24 insertions(+), 5 deletions(-)
diff --git a/nixos/modules/services/networking/wpa_supplicant.nix b/nixos/modules/services/networking/wpa_supplicant.nix
index 9989b6df659..c2e1d37e28b 100644
--- a/nixos/modules/services/networking/wpa_supplicant.nix
+++ b/nixos/modules/services/networking/wpa_supplicant.nix
@@ -11,11 +11,15 @@ let
 opt = options.networking.wireless;
 
 wpa3Protocols = [ "SAE" "FT-SAE" ];
- hasWPA3 = opts: !mutuallyExclusive opts.authProtocols wpa3Protocols;
+ hasMixedWPA = opts:
+ let
+ hasWPA3 = !mutuallyExclusive opts.authProtocols wpa3Protocols;
+ others = subtractLists wpa3Protocols opts.authProtocols;
+ in hasWPA3 && others != [];
 
 # Gives a WPA3 network higher priority
 increaseWPA3Priority = opts:
- opts // optionalAttrs (hasWPA3 opts)
+ opts // optionalAttrs (hasMixedWPA opts)
 { priority = if opts.priority == null
 then 1
 else opts.priority + 1;
@@ -33,7 +37,7 @@ let
 allNetworks =
 if cfg.fallbackToWPA2
 then map increaseWPA3Priority networkList
- ++ map mkWPA2Fallback (filter hasWPA3 networkList)
+ ++ map mkWPA2Fallback (filter hasMixedWPA networkList)
 else networkList;
 
 # Content of wpa_supplicant.conf
diff --git a/nixos/tests/wpa_supplicant.nix b/nixos/tests/wpa_supplicant.nix
index 1d669d5016a..40d934b8e1d 100644
--- a/nixos/tests/wpa_supplicant.nix
+++ b/nixos/tests/wpa_supplicant.nix
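Review bot: The comment `# Gives a WPA3 network higher priority` and the name `increaseWPA3Priority` in the first hunk of nixos/modules/services/networking/wpa_supplicant.nix no longer describe what the code does. With `hasMixedWPA` as the predicate, a network whose `authProtocols` are only SAE/FT-SAE gets no priority bump and, at the `filter hasMixedWPA networkList` call in the second hunk, no fallback entry. I would reword the comment to `# Gives a mixed WPA2/WPA3 network higher priority than its generated fallback` and add a line above the new helper, `# True if the network allows WPA3 (SAE) plus at least one other protocol; only these get a WPA2 fallback`. Since `others` is everything outside `wpa3Protocols`, the generated "WPA2" fallback presumably carries whatever non-SAE protocols the user listed, which is worth stating in the `fallbackToWPA2` option description if intended. The `let` block both hunks belong to starts and ends outside the hunks.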
@@ -27,8 +27,19 @@ import ./make-test-python.nix ({ pkgs, lib, ...}:
 enable = lib.mkOverride 0 true;
 userControlled.enable = true;
 interfaces = [ "wlan1" ];
+ fallbackToWPA2 = true;
 
 networks = {
+ # test WPA2 fallback
+ mixed-wpa = {
+ psk = "password";
+ authProtocols = [ "WPA-PSK" "SAE" ];
+ };
+ sae-only = {
+ psk = "password";
+ authProtocols = [ "SAE" ];
+ };
+
 # test network
 nixos-test.psk = "@PSK_NIXOS_TEST@";
 
@@ -64,8 +75,12 @@ import ./make-test-python.nix ({ pkgs, lib, ...}:
 machine.succeed(f"grep -q @PSK_MISSING@ {config_file}")
 machine.succeed(f"grep -q P@ssowrdWithSome@tSymbol {config_file}")
 
- # save file for manual inspection
- machine.copy_from_vm(config_file)
+ with subtest("WPA2 fallbacks have been generated"):
+ assert int(machine.succeed(f"grep -c sae-only {config_file}")) == 1
+ assert int(machine.succeed(f"grep -c mixed-wpa {config_file}")) == 2
+
+ # save file for manual inspection
+ machine.copy_from_vm(config_file)
 
 with subtest("Daemon is running and accepting connections"):
 machine.wait_for_unit("wpa_supplicant-wlan1.service")
-- 
cgit 1.4.1
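Review bot: The new subtest in the second hunk of nixos/tests/wpa_supplicant.nix only counts lines containing the network name (`grep -c sae-only`, `grep -c mixed-wpa`), so it would still pass if the generated fallback entry kept SAE or if the `sae-only` entry lost it. The point of the commit is that a WPA3-only network is never downgraded, so I would also assert on the `key_mgmt` lines of the generated file: exactly one `mixed-wpa` entry without SAE, and a single `sae-only` entry listing only SAE. Matching on the `ssid=` line rather than the bare name would also keep the count independent of any other line that mentions the string. The layout of the generated file is not visible in this diff, so the patterns need checking against the copied `config_file`.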