3:03 a.m.
This allows auth protos to get notified when the chandef has been
set. Since netdev sets chandef already there is no arguments.
---
src/auth-proto.h | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/src/auth-proto.h b/src/auth-proto.h
index 33a74291..9f8da604 100644
--- a/src/auth-proto.h
+++ b/src/auth-proto.h
@@ -44,6 +44,7 @@ struct auth_proto {
const uint8_t *frame, size_t len);
int (*rx_associate)(struct auth_proto *driver,
const uint8_t *frame, size_t len);
+ int (*rx_oci)(struct auth_proto *driver);
bool (*auth_timeout)(struct auth_proto *ap);
bool (*assoc_timeout)(struct auth_proto *ap);
uint8_t prev_bssid[6];
@@ -98,3 +99,11 @@ static inline bool auth_proto_assoc_timeout(struct auth_proto *ap)
return false;
}
+
+static inline int auth_proto_rx_oci(struct auth_proto *ap)
+{
+ if (ap && ap->rx_oci)
+ return ap->rx_oci(ap);
+
+ return -ENOTSUP;
+}
--
2.31.1
3:03 a.m.
New subject: [PATCH 2/9] ie: add OCI support in build_fast_bss_transition
---
src/ie.c | 7 +++++++
src/ie.h | 2 ++
2 files changed, 9 insertions(+)
diff --git a/src/ie.c b/src/ie.c
index 7d5222ae..11746c5c 100644
--- a/src/ie.c
+++ b/src/ie.c
@@ -1870,6 +1870,13 @@ bool ie_build_fast_bss_transition(const struct ie_ft_info *info,
L_WARN_ON(info->igtk_len); /* Not implemented */
+ if (info->oci_present) {
+ to[0] = 5;
+ to[1] = 3;
+ memcpy(to + 2, info->oci, sizeof(info->oci));
+ *len += 5;
+ }
+
return true;
}
diff --git a/src/ie.h b/src/ie.h
index c912d6c3..f6b15abb 100644
--- a/src/ie.h
+++ b/src/ie.h
@@ -435,6 +435,8 @@ struct ie_ft_info {
uint8_t igtk_ipn[6];
uint8_t igtk_len;
uint8_t igtk[24];
+ bool oci_present:1;
+ uint8_t oci[3];
};
/* See chapter 8.4.2.47 for radio measurement capability details */
--
2.31.1
3:03 a.m.
New subject: [PATCH 3/9] eapol: send OCI in handshake 2/4
---
src/eapol.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/src/eapol.c b/src/eapol.c
index 370ead7e..8498fdb6 100644
--- a/src/eapol.c
+++ b/src/eapol.c
@@ -43,6 +43,7 @@
#include "src/watchlist.h"
#include "src/erp.h"
#include "src/iwd.h"
+#include "src/band.h"
static struct l_queue *state_machines;
static struct l_queue *preauths;
@@ -1244,6 +1245,21 @@ static void eapol_handle_ptk_1_of_4(struct eapol_sm *sm,
ies[ies_len++] = 0x01;
}
+ /*
+ * IEEE 802.11-2020 Section 12.7.6.3
+ * "Additionally, contains an OCI KDE when
+ * dot11RSNAOperatingChannelValidationActivated is true on the
+ * Supplicant."
+ */
+ if (sm->handshake->supplicant_ocvc && sm->handshake->chandef) {
+ ies[ies_len++] = IE_TYPE_VENDOR_SPECIFIC;
+ ies[ies_len++] = 4 + 3;
+ l_put_be32(HANDSHAKE_KDE_OCI, ies + ies_len);
+ ies_len += 4;
+ oci_from_chandef(sm->handshake->chandef, ies + ies_len++);
+ ies_len += 3;
+ }
+
/*
* 802.11-2020, Section 12.7.6.3:
* "The RSNXE that the Supplicant sent in its (Re)Association Request
--
2.31.1
3:03 a.m.
New subject: [PATCH 4/9] ft: sent OCI in Reassociate
---
src/ft.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/src/ft.c b/src/ft.c
index cff1d759..6897f6d7 100644
--- a/src/ft.c
+++ b/src/ft.c
@@ -32,6 +32,7 @@
#include "src/ft.h"
#include "src/mpdu.h"
#include "src/auth-proto.h"
+#include "src/band.h"
struct ft_sm {
struct auth_proto ap;
@@ -273,6 +274,22 @@ static int ft_tx_reassociate(struct ft_sm *ft)
memcpy(ft_info.anonce, hs->anonce, 32);
memcpy(ft_info.snonce, hs->snonce, 32);
+ /*
+ * IEEE 802.11-2020 Section 13.7.1 FT reassociation in an RSN
+ *
+ * "If dot11RSNAOperatingChannelValidationActivated is true and
+ * the FTO indicates OCVC capability, the target AP shall
+ * ensure that OCI subelement of the FTE matches by ensuring
+ * that all of the following are true:
+ * - OCI subelement is present
+ * - Channel information in the OCI matches current
+ * operating channel parameters (see 12.2.9)"
+ */
+ if (hs->supplicant_ocvc && hs->chandef) {
+ oci_from_chandef(hs->chandef, ft_info.oci);
+ ft_info.oci_present = true;
+ }
+
fte = alloca(256);
ie_build_fast_bss_transition(&ft_info, kck_len, fte);
--
2.31.1
3:04 a.m.
New subject: [PATCH 5/9] netdev: change netdev_get_oci to be used as a callback
This can be reused to be called from ft.c
---
src/netdev.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/netdev.c b/src/netdev.c
index d69962d1..5a44895d 100644
--- a/src/netdev.c
+++ b/src/netdev.c
@@ -2077,8 +2077,9 @@ done:
L_WARN_ON(!eapol_start(netdev->sm));
}
-static int netdev_get_oci(struct netdev *netdev)
+static int netdev_get_oci(void *user_data)
{
+ struct netdev *netdev = user_data;
struct l_genl_msg *msg =
l_genl_msg_new_sized(NL80211_CMD_GET_INTERFACE, 64);
--
2.31.1
3:04 a.m.
New subject: [PATCH 6/9] ft: get OCI prior to reassociation
This modifies the FT logic to fist call get_oci() before
reassociation. This allows the OCI to be included in reassociation
and in the 4-way handshake later on.
---
src/ft.c | 13 ++++++++++++-
src/ft.h | 2 ++
src/netdev.c | 20 +++++++++++++++++++-
3 files changed, 33 insertions(+), 2 deletions(-)
diff --git a/src/ft.c b/src/ft.c
index 6897f6d7..40e29341 100644
--- a/src/ft.c
+++ b/src/ft.c
@@ -40,6 +40,7 @@ struct ft_sm {
ft_tx_authenticate_func_t tx_auth;
ft_tx_associate_func_t tx_assoc;
+ ft_get_oci get_oci;
void *user_data;
};
@@ -640,7 +641,7 @@ static int ft_rx_authenticate(struct auth_proto *ap, const uint8_t
*frame,
if (ret < 0)
goto auth_error;
- return ft_tx_reassociate(ft);
+ return ft->get_oci(ft->user_data);
auth_error:
return (int)status_code;
@@ -783,6 +784,13 @@ static int ft_rx_associate(struct auth_proto *ap, const uint8_t
*frame,
return 0;
}
+static int ft_rx_oci(struct auth_proto *ap)
+{
+ struct ft_sm *ft = l_container_of(ap, struct ft_sm, ap);
+
+ return ft_tx_reassociate(ft);
+}
+
static void ft_sm_free(struct auth_proto *ap)
{
struct ft_sm *ft = l_container_of(ap, struct ft_sm, ap);
@@ -890,12 +898,14 @@ static bool ft_start(struct auth_proto *ap)
struct auth_proto *ft_over_air_sm_new(struct handshake_state *hs,
ft_tx_authenticate_func_t tx_auth,
ft_tx_associate_func_t tx_assoc,
+ ft_get_oci get_oci,
void *user_data)
{
struct ft_sm *ft = l_new(struct ft_sm, 1);
ft->tx_auth = tx_auth;
ft->tx_assoc = tx_assoc;
+ ft->get_oci = get_oci;
ft->hs = hs;
ft->user_data = user_data;
@@ -903,6 +913,7 @@ struct auth_proto *ft_over_air_sm_new(struct handshake_state *hs,
ft->ap.rx_associate = ft_rx_associate;
ft->ap.start = ft_start;
ft->ap.free = ft_sm_free;
+ ft->ap.rx_oci = ft_rx_oci;
return &ft->ap;
}
diff --git a/src/ft.h b/src/ft.h
index 6167e0d7..cc25463f 100644
--- a/src/ft.h
+++ b/src/ft.h
@@ -26,6 +26,7 @@ typedef void (*ft_tx_authenticate_func_t)(struct iovec *iov, size_t
iov_len,
void *user_data);
typedef int (*ft_tx_associate_func_t)(struct iovec *ie_iov, size_t iov_len,
void *user_data);
+typedef int (*ft_get_oci)(void *user_data);
typedef void (*ft_ds_free_func_t)(void *user_data);
@@ -60,6 +61,7 @@ bool ft_over_ds_parse_action_ies(struct ft_ds_info *info,
struct auth_proto *ft_over_air_sm_new(struct handshake_state *hs,
ft_tx_authenticate_func_t tx_auth,
ft_tx_associate_func_t tx_assoc,
+ ft_get_oci get_oci,
void *user_data);
struct auth_proto *ft_over_ds_sm_new(struct handshake_state *hs,
diff --git a/src/netdev.c b/src/netdev.c
index 5a44895d..91d1316c 100644
--- a/src/netdev.c
+++ b/src/netdev.c
@@ -2074,6 +2074,21 @@ static void netdev_get_oci_cb(struct l_genl_msg *msg, void
*user_data)
handshake_state_set_chandef(netdev->handshake, l_steal_ptr(chandef));
done:
+ if (netdev->ap) {
+ /*
+ * Cant do much here. IWD assumes every kernel/driver supports
+ * this. There is no way of detecting support either.
+ */
+ if (L_WARN_ON(err < 0))
+ netdev_connect_failed(netdev,
+ NETDEV_RESULT_AUTHENTICATION_FAILED,
+ MMPDU_STATUS_CODE_UNSPECIFIED);
+ else
+ auth_proto_rx_oci(netdev->ap);
+
+ return;
+ }
+
L_WARN_ON(!eapol_start(netdev->sm));
}
@@ -4099,6 +4114,8 @@ static void prepare_ft(struct netdev *netdev, const struct scan_bss
*target_bss)
netdev->operational = false;
netdev->in_ft = true;
+ handshake_state_set_chandef(netdev->handshake, NULL);
+
/*
* Cancel commands that could be running because of EAPoL activity
* like re-keying, this way the callbacks for those commands don't
@@ -4274,7 +4291,8 @@ int netdev_fast_transition(struct netdev *netdev,
netdev->ap = ft_over_air_sm_new(netdev->handshake,
netdev_ft_tx_authenticate,
- netdev_ft_tx_associate, netdev);
+ netdev_ft_tx_associate,
+ netdev_get_oci, netdev);
memcpy(netdev->ap->prev_bssid, orig_bss->addr, ETH_ALEN);
wiphy_radio_work_insert(netdev->wiphy, &netdev->work, 1,
--
2.31.1
3:55 a.m.
New subject: [PATCH 6/9] ft: get OCI prior to reassociation
Hi James,
On 9/27/21 12:04 PM, James Prestwood wrote:
This modifies the FT logic to fist call get_oci() before
reassociation. This allows the OCI to be included in reassociation
and in the 4-way handshake later on.
---
src/ft.c | 13 ++++++++++++-
src/ft.h | 2 ++
src/netdev.c | 20 +++++++++++++++++++-
3 files changed, 33 insertions(+), 2 deletions(-)
<snip>
@@ -2074,6 +2074,21 @@ static void netdev_get_oci_cb(struct
l_genl_msg *msg, void *user_data)
handshake_state_set_chandef(netdev->handshake, l_steal_ptr(chandef));
done:
+ if (netdev->ap) {
+ /*
+ * Cant do much here. IWD assumes every kernel/driver supports
+ * this. There is no way of detecting support either.
+ */
+ if (L_WARN_ON(err < 0))
+ netdev_connect_failed(netdev,
+ NETDEV_RESULT_AUTHENTICATION_FAILED,
+ MMPDU_STATUS_CODE_UNSPECIFIED);
You could just let the other side reject our Association or reset ocvc, but okay.
+ else
+ auth_proto_rx_oci(netdev->ap);
+
+ return;
+ }
+
L_WARN_ON(!eapol_start(netdev->sm));
}
Otherwise looks fine. Not sure if this patch requires changes due to comments
in patch 7.
Regards,
-Denis
4:15 a.m.
New subject: [PATCH 6/9] ft: get OCI prior to reassociation
Hi,
On Mon, 2021-09-27 at 12:55 -0500, Denis Kenzior wrote:
Hi James,
On 9/27/21 12:04 PM, James Prestwood wrote:
> This modifies the FT logic to fist call get_oci() before
> reassociation. This allows the OCI to be included in reassociation
> and in the 4-way handshake later on.
> ---
> src/ft.c | 13 ++++++++++++-
> src/ft.h | 2 ++
> src/netdev.c | 20 +++++++++++++++++++-
> 3 files changed, 33 insertions(+), 2 deletions(-)
>
<snip>
> @@ -2074,6 +2074,21 @@ static void netdev_get_oci_cb(struct
> l_genl_msg *msg, void *user_data)
> handshake_state_set_chandef(netdev->handshake,
> l_steal_ptr(chandef));
>
> done:
> + if (netdev->ap) {
> + /*
> + * Cant do much here. IWD assumes every
> kernel/driver supports
> + * this. There is no way of detecting support
> either.
> + */
> + if (L_WARN_ON(err < 0))
> + netdev_connect_failed(netdev,
> + NETDEV_RESULT_AUTHENTICATIO
> N_FAILED,
> + MMPDU_STATUS_CODE_UNSPECIFI
> ED);
You could just let the other side reject our Association or reset
ocvc, but okay.
> + else
> + auth_proto_rx_oci(netdev->ap);
> +
> + return;
> + }
> +
> L_WARN_ON(!eapol_start(netdev->sm));
> }
>
Otherwise looks fine. Not sure if this patch requires changes due to
comments
in patch 7.
I'll make sure. Also, I realized we will be getting the OCI again after
FT succeeds so I need to change up some logic a bit so we only get OCI
when its not already updated. I also have FILS changes locally which
suffer the same problem.
Regards,
-Denis
3:04 a.m.
New subject: [PATCH 7/9] station: set OCVC for handshakes
Setting OCVC true for all connections except FT-over-DS. Since
Authentication is skipped there is no way to obtain OCI information
from the kernel prior to (Re)association.
---
src/station.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/src/station.c b/src/station.c
index 672c4860..96794998 100644
--- a/src/station.c
+++ b/src/station.c
@@ -998,11 +998,11 @@ static int station_build_handshake_rsn(struct handshake_state *hs,
enum security security = network_get_security(network);
bool add_mde = false;
struct erp_cache_entry *erp_cache = NULL;
-
struct ie_rsn_info bss_info;
uint8_t rsne_buf[256];
struct ie_rsn_info info;
uint8_t *ap_ie;
+ bool ocvc = true;
memset(&info, 0, sizeof(info));
@@ -1080,6 +1080,16 @@ static int station_build_handshake_rsn(struct handshake_state *hs,
goto not_supported;
build_ie:
+ if (IE_AKM_IS_FT(info.akm_suites)) {
+ /* Don't set OCVC if FT-over-DS is enabled */
+ if (bss->mde[2] & 1)
+ ocvc = false;
+
+ add_mde = true;
+ }
+
+ info.ocvc = ocvc;
+
/* RSN takes priority */
if (bss->rsne) {
ap_ie = bss->rsne;
@@ -1099,9 +1109,6 @@ build_ie:
if (!handshake_state_set_supplicant_ie(hs, rsne_buf))
goto not_supported;
- if (IE_AKM_IS_FT(info.akm_suites))
- add_mde = true;
-
/*
* If FILS was chosen, the ERP cache has been verified to exist. Take
* a reference now so it remains valid (in case of expiration) until
--
2.31.1
3:47 a.m.
New subject: [PATCH 7/9] station: set OCVC for handshakes
Hi James,
On 9/27/21 12:04 PM, James Prestwood wrote:
Setting OCVC true for all connections except FT-over-DS. Since
Authentication is skipped there is no way to obtain OCI information
from the kernel prior to (Re)association.
---
src/station.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/src/station.c b/src/station.c
index 672c4860..96794998 100644
--- a/src/station.c
+++ b/src/station.c
@@ -998,11 +998,11 @@ static int station_build_handshake_rsn(struct handshake_state *hs,
enum security security = network_get_security(network);
bool add_mde = false;
struct erp_cache_entry *erp_cache = NULL;
-
struct ie_rsn_info bss_info;
uint8_t rsne_buf[256];
struct ie_rsn_info info;
uint8_t *ap_ie;
+ bool ocvc = true;
memset(&info, 0, sizeof(info));
@@ -1080,6 +1080,16 @@ static int station_build_handshake_rsn(struct handshake_state
*hs,
goto not_supported;
build_ie:
+ if (IE_AKM_IS_FT(info.akm_suites)) {
+ /* Don't set OCVC if FT-over-DS is enabled */
+ if (bss->mde[2] & 1)
+ ocvc = false;
+
+ add_mde = true;
+ }
+
+ info.ocvc = ocvc;
+
You can't really do it this way since this builds the handshake for an initial
association. Only FT-over-DS is affected, and so you want to reset ocvc
elsewhere. Maybe prior to calling netdev_fast_transition_over_ds or somewhere
inside that function.
/* RSN takes priority */
if (bss->rsne) {
ap_ie = bss->rsne;
@@ -1099,9 +1109,6 @@ build_ie:
if (!handshake_state_set_supplicant_ie(hs, rsne_buf))
goto not_supported;
- if (IE_AKM_IS_FT(info.akm_suites))
- add_mde = true;
-
/*
* If FILS was chosen, the ERP cache has been verified to exist. Take
* a reference now so it remains valid (in case of expiration) until
Also, can we add a way to disable OCV in case we get into compatibility issues?
Regards,
-Denis
3:04 a.m.
New subject: [PATCH 8/9] auto-t: set ocv on PSK FT test
---
autotests/testPSK-roam/connection_test.py | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/autotests/testPSK-roam/connection_test.py
b/autotests/testPSK-roam/connection_test.py
index b4ead946..d9d86840 100644
--- a/autotests/testPSK-roam/connection_test.py
+++ b/autotests/testPSK-roam/connection_test.py
@@ -100,11 +100,13 @@ class Test(unittest.TestCase):
self.bss_hostapd[0].set_value('wpa_key_mgmt', 'FT-PSK')
self.bss_hostapd[0].set_value('ft_over_ds', '0')
+ self.bss_hostapd[0].set_value('ocv', '1')
self.bss_hostapd[0].reload()
self.bss_hostapd[0].wait_for_event("AP-ENABLED")
self.bss_hostapd[1].set_value('wpa_key_mgmt', 'FT-PSK')
self.bss_hostapd[1].set_value('ft_over_ds', '0')
+ self.bss_hostapd[0].set_value('ocv', '1')
self.bss_hostapd[1].reload()
self.bss_hostapd[1].wait_for_event("AP-ENABLED")
@@ -115,11 +117,13 @@ class Test(unittest.TestCase):
self.bss_hostapd[0].set_value('wpa_key_mgmt', 'FT-PSK')
self.bss_hostapd[0].set_value('ft_over_ds', '1')
+ self.bss_hostapd[0].set_value('ocv', '0')
self.bss_hostapd[0].reload()
self.bss_hostapd[0].wait_for_event("AP-ENABLED")
self.bss_hostapd[1].set_value('wpa_key_mgmt', 'FT-PSK')
self.bss_hostapd[1].set_value('ft_over_ds', '1')
+ self.bss_hostapd[0].set_value('ocv', '0')
self.bss_hostapd[1].reload()
self.bss_hostapd[1].wait_for_event("AP-ENABLED")
--
2.31.1
3:04 a.m.
New subject: [PATCH 9/9] station: remove signal_low check for FT-over-DS
If the AP advertises FT-over-DS support it likely wants us to use
it. Additionally signal_low is probably going to be true since IWD
has started a roam attempt.
---
src/station.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/station.c b/src/station.c
index 96794998..9da5c595 100644
--- a/src/station.c
+++ b/src/station.c
@@ -2022,8 +2022,7 @@ static void station_transition_start(struct station *station,
vendor_ies = network_info_get_extra_ies(info, bss, &iov_elems);
handshake_state_set_vendor_ies(hs, vendor_ies, iov_elems);
- /* FT-over-DS can be better suited for these situations */
- if ((hs->mde[4] & 1) && station->signal_low) {
+ if ((hs->mde[4] & 1)) {
ret = netdev_fast_transition_over_ds(station->netdev,
bss, station->connected_bss,
station_fast_transition_cb);
--
2.31.1
356
days inactive
356
days old
12 comments
2 participants
participants (2)
-
Denis Kenzior -
James Prestwood