4:11 a.m.
Moves the parsing of NL80211_ATTR_REQ_IE into its own parsing
function for use elsewhere.
---
src/netdev.c | 62 ++++++++++++++++++++++++++++++----------------------
1 file changed, 36 insertions(+), 26 deletions(-)
diff --git a/src/netdev.c b/src/netdev.c
index fe6232bd..9e665ee4 100644
--- a/src/netdev.c
+++ b/src/netdev.c
@@ -1851,6 +1851,41 @@ static void netdev_send_qos_map_set(struct netdev *netdev,
netdev, NULL);
}
+static void parse_request_ies(struct netdev *netdev, const uint8_t *ies,
+ size_t ies_len)
+{
+ struct ie_tlv_iter iter;
+ const void *data;
+
+ /*
+ * The driver may have modified the IEs we passed to CMD_CONNECT
+ * before sending them out, the actual IE sent is reflected in the
+ * ATTR_REQ_IE sequence. These are the values EAPoL will need to use.
+ */
+ ie_tlv_iter_init(&iter, ies, ies_len);
+
+ while (ie_tlv_iter_next(&iter)) {
+ data = ie_tlv_iter_get_data(&iter);
+
+ switch (ie_tlv_iter_get_tag(&iter)) {
+ case IE_TYPE_RSN:
+ handshake_state_set_supplicant_ie(netdev->handshake,
+ data - 2);
+ break;
+ case IE_TYPE_VENDOR_SPECIFIC:
+ if (!is_ie_wpa_ie(data, ie_tlv_iter_get_length(&iter)))
+ break;
+
+ handshake_state_set_supplicant_ie(netdev->handshake,
+ data - 2);
+ break;
+ case IE_TYPE_MOBILITY_DOMAIN:
+ handshake_state_set_mde(netdev->handshake, data - 2);
+ break;
+ }
+ }
+}
+
static void netdev_connect_event(struct l_genl_msg *msg, struct netdev *netdev)
{
struct l_genl_attr attr;
@@ -1929,33 +1964,8 @@ static void netdev_connect_event(struct l_genl_msg *msg, struct
netdev *netdev)
if (!ies)
goto process_resp_ies;
- /*
- * The driver may have modified the IEs we passed to CMD_CONNECT
- * before sending them out, the actual IE sent is reflected in the
- * ATTR_REQ_IE sequence. These are the values EAPoL will need to use.
- */
- ie_tlv_iter_init(&iter, ies, ies_len);
-
- while (ie_tlv_iter_next(&iter)) {
- data = ie_tlv_iter_get_data(&iter);
- switch (ie_tlv_iter_get_tag(&iter)) {
- case IE_TYPE_RSN:
- handshake_state_set_supplicant_ie(netdev->handshake,
- data - 2);
- break;
- case IE_TYPE_VENDOR_SPECIFIC:
- if (!is_ie_wpa_ie(data, ie_tlv_iter_get_length(&iter)))
- break;
-
- handshake_state_set_supplicant_ie(netdev->handshake,
- data - 2);
- break;
- case IE_TYPE_MOBILITY_DOMAIN:
- handshake_state_set_mde(netdev->handshake, data - 2);
- break;
- }
- }
+ parse_request_ies(netdev, ies, ies_len);
process_resp_ies:
if (resp_ies) {
--
2.26.2
4:11 a.m.
New subject: [PATCH 2/6] netdev: separate netdev_{roam,connect}_event
netdev_connect_event was being reused for parsing of CMD_ROAM
attributes which made some amount of sense since these events
are nearly identical, but due to the nature of firmware roaming
there really isn't much IWD needs to parse from CMD_ROAM. In
addition netdev_connect_event was getting rather complicated
since it had to handle both CMD_ROAM and CMD_CONNECT.
The only bits of information IWD needs to parse from CMD_ROAM
is the roamed BSSID, authenticator IEs, and supplicant IEs. Since
this is so limited it now makes little sense to reuse the entire
netdev_connect_event function, and intead only parse what is
needed for CMD_ROAM.
---
src/netdev.c | 60 ++++++++++++++++++++++++----------------------------
1 file changed, 28 insertions(+), 32 deletions(-)
diff --git a/src/netdev.c b/src/netdev.c
index 9e665ee4..9f26ce68 100644
--- a/src/netdev.c
+++ b/src/netdev.c
@@ -1897,7 +1897,6 @@ static void netdev_connect_event(struct l_genl_msg *msg, struct
netdev *netdev)
struct ie_tlv_iter iter;
const uint8_t *resp_ies = NULL;
size_t resp_ies_len;
- uint8_t cmd = l_genl_msg_get_command(msg);
l_debug("");
@@ -1951,16 +1950,9 @@ static void netdev_connect_event(struct l_genl_msg *msg, struct
netdev *netdev)
goto error;
}
- /*
- * A CMD_ROAM event will not have a status code, since it indicates
- * the hardware has already roamed. A failed roam on fullmac should
- * result in an explicit disconnect event.
- */
- if (cmd == NL80211_CMD_CONNECT) {
- /* AP Rejected the authenticate / associate */
- if (!status_code || *status_code != 0)
- goto error;
- }
+ /* AP Rejected the authenticate / associate */
+ if (!status_code || *status_code != 0)
+ goto error;
if (!ies)
goto process_resp_ies;
@@ -2029,18 +2021,6 @@ process_resp_ies:
goto done;
if (netdev->sm) {
- /*
- * Let station know about the roam so a state change can occur.
- */
- if (cmd == NL80211_CMD_ROAM) {
- if (netdev->event_filter)
- netdev->event_filter(netdev,
- NETDEV_EVENT_ROAMING,
- NULL, netdev->user_data);
- /* EAPoL started after GET_SCAN */
- return;
- }
-
/*
* Start processing EAPoL frames now that the state machine
* has all the input data even in FT mode.
@@ -4169,20 +4149,35 @@ static bool netdev_get_fw_scan_cb(int err, struct l_queue
*bss_list,
* The current handshake/netdev_handshake objects are reused after being
* reset to allow eapol to happen again without it thinking this is a re-key.
*/
-static bool netdev_roam_event(struct l_genl_msg *msg, struct netdev *netdev)
+static void netdev_roam_event(struct l_genl_msg *msg, struct netdev *netdev)
{
struct netdev_handshake_state *nhs =
l_container_of(netdev->handshake,
struct netdev_handshake_state,
super);
- const uint8_t *mac;
+ struct l_genl_attr attr;
+ uint16_t type, len;
+ const void *data;
+ const uint8_t *mac = NULL;
l_debug("");
netdev->operational = false;
- if (nl80211_parse_attrs(msg, NL80211_ATTR_MAC, &mac,
- NL80211_ATTR_UNSPEC) < 0) {
+ l_genl_attr_init(&attr, msg);
+
+ while (l_genl_attr_next(&attr, &type, &len, &data)) {
+ switch (type) {
+ case NL80211_ATTR_MAC:
+ mac = data;
+ break;
+ case NL80211_ATTR_REQ_IE:
+ parse_request_ies(netdev, data, len);
+ break;
+ }
+ }
+
+ if (!mac) {
l_error("Failed to parse ATTR_MAC from CMD_ROAM");
goto failed;
}
@@ -4199,14 +4194,16 @@ static bool netdev_roam_event(struct l_genl_msg *msg, struct
netdev *netdev)
netdev, NULL))
goto failed;
- return true;
+ if (netdev->event_filter)
+ netdev->event_filter(netdev, NETDEV_EVENT_ROAMING,
+ NULL, netdev->user_data);
+ return;
failed:
l_error("Failed to roam to new BSS");
netdev_connect_failed(netdev, NETDEV_RESULT_ABORTED,
MMPDU_REASON_CODE_UNSPECIFIED);
- return false;
}
static void netdev_mlme_notify(struct l_genl_msg *msg, void *user_data)
@@ -4251,9 +4248,8 @@ static void netdev_mlme_notify(struct l_genl_msg *msg, void
*user_data)
netdev_associate_event(msg, netdev);
break;
case NL80211_CMD_ROAM:
- if (!netdev_roam_event(msg, netdev))
- return;
- /* fall through */
+ netdev_roam_event(msg, netdev);
+ break;
case NL80211_CMD_CONNECT:
netdev_connect_event(msg, netdev);
break;
--
2.26.2
4:11 a.m.
New subject: [PATCH 3/6] wiphy: add offload out parameter to wiphy_can_connect_sae
This will be set if the SAE connection requires offloading to
work.
---
src/wiphy.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/src/wiphy.c b/src/wiphy.c
index ab57a2d2..cf8c7c56 100644
--- a/src/wiphy.c
+++ b/src/wiphy.c
@@ -126,7 +126,7 @@ enum ie_rsn_cipher_suite wiphy_select_cipher(struct wiphy *wiphy,
uint16_t mask)
return 0;
}
-static bool wiphy_can_connect_sae(struct wiphy *wiphy)
+static bool wiphy_can_connect_sae(struct wiphy *wiphy, bool *offload)
{
/*
* SAE support in the kernel is a complete mess in that there are 3
@@ -153,8 +153,11 @@ static bool wiphy_can_connect_sae(struct wiphy *wiphy)
if (wiphy_has_feature(wiphy, NL80211_FEATURE_SAE)) {
/* Case (1) */
- if (wiphy->support_cmds_auth_assoc)
+ if (wiphy->support_cmds_auth_assoc) {
+ if (offload)
+ *offload = false;
return true;
+ }
/*
* Case (3)
@@ -165,8 +168,12 @@ static bool wiphy_can_connect_sae(struct wiphy *wiphy)
} else {
/* Case (2) */
if (wiphy_has_ext_feature(wiphy,
- NL80211_EXT_FEATURE_SAE_OFFLOAD))
+ NL80211_EXT_FEATURE_SAE_OFFLOAD)) {
+ if (offload)
+ *offload = true;
+
return true;
+ }
return false;
}
@@ -234,7 +241,7 @@ enum ie_rsn_akm_suite wiphy_select_akm(struct wiphy *wiphy,
goto wpa2_personal;
}
- if (!wiphy_can_connect_sae(wiphy))
+ if (!wiphy_can_connect_sae(wiphy, NULL))
goto wpa2_personal;
if (info.akm_suites &
--
2.26.2
4:11 a.m.
New subject: [PATCH 4/6] wiphy: allow FT AKM to be used if Auth/Assoc is not supported
Until now FT was only supported via Auth/Assoc commands which barred
any fullmac cards from using FT AKMs. With PSK offload support these
cards can do FT but only when offloading is used. This situation
is checked now by wiphy_select_akm and a boolean is returned as an
out parameter indicating if offloading is needed.
A new option [General].4WayOffload was added which is required to
enable this functionality. This was done mainly because it is
unknown how stable firmware offloading is from card to card.
Note: Enabling offload has one strange side effect which could
cause users problems when experimenting with this option. Once
offload is enabled the firmware no longer forwards eapol frames
for subsequent connections, even if offload is no longer being
used. Once enabled a user must restart the firmware (e.g. via
rebooting the machine) if they want to turn off the option.
---
src/wiphy.c | 29 +++++++++++++++++++++++++----
1 file changed, 25 insertions(+), 4 deletions(-)
diff --git a/src/wiphy.c b/src/wiphy.c
index cf8c7c56..e51e06b4 100644
--- a/src/wiphy.c
+++ b/src/wiphy.c
@@ -185,12 +185,19 @@ enum ie_rsn_akm_suite wiphy_select_akm(struct wiphy *wiphy,
{
struct ie_rsn_info info;
enum security security;
+ bool offload_on;
+ bool offload_needed;
+ const struct l_settings *settings = iwd_get_config();
memset(&info, 0, sizeof(info));
scan_bss_get_rsn_info(bss, &info);
security = security_determine(bss->capability, &info);
+ if (!l_settings_get_bool(settings, "General", "4WayOffload",
+ &offload_on))
+ offload_on = false;
+
/*
* If FT is available, use FT authentication to keep the door open
* for fast transitions. Otherwise use SHA256 version if present.
@@ -241,7 +248,10 @@ enum ie_rsn_akm_suite wiphy_select_akm(struct wiphy *wiphy,
goto wpa2_personal;
}
- if (!wiphy_can_connect_sae(wiphy, NULL))
+ if (!wiphy_can_connect_sae(wiphy, &offload_needed))
+ goto wpa2_personal;
+
+ if (offload_needed && !offload_on)
goto wpa2_personal;
if (info.akm_suites &
@@ -253,10 +263,21 @@ enum ie_rsn_akm_suite wiphy_select_akm(struct wiphy *wiphy,
}
wpa2_personal:
+ /*
+ * Allow FT if either Auth/Assoc is supported OR if the card
+ * supports PSK offload. Without Auth/Assoc, PSK offload is the
+ * only mechanism to allow FT on these cards.
+ */
if ((info.akm_suites & IE_RSN_AKM_SUITE_FT_USING_PSK) &&
- bss->rsne && bss->mde_present &&
- wiphy->support_cmds_auth_assoc)
- return IE_RSN_AKM_SUITE_FT_USING_PSK;
+ bss->rsne && bss->mde_present) {
+ if (wiphy->support_cmds_auth_assoc)
+ return IE_RSN_AKM_SUITE_FT_USING_PSK;
+
+ if (wiphy_has_ext_feature(wiphy,
+ NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK) &&
+ offload_on)
+ return IE_RSN_AKM_SUITE_FT_USING_PSK;
+ }
if (info.akm_suites & IE_RSN_AKM_SUITE_PSK_SHA256)
return IE_RSN_AKM_SUITE_PSK_SHA256;
--
2.26.2
4:11 a.m.
New subject: [PATCH 5/6] netdev: allow PSK offload for FT AKMs
This adds a new connection type, TYPE_PSK_OFFLOAD, which
allows the 4-way handshake to be offloaded by the firmware.
If offloading is enabled ([General].4WayOffload), use
ATTR_PMK when sending CMD_CONNECT which enables PSK offloading
to firmware.
The CMD_ROAM event path was also modified to take into account
handshake offloading. If the handshake is offloaded we still
must issue GET_SCAN, but not start eapol since the firmware
takes care of this.
---
src/netdev.c | 58 +++++++++++++++++++++++++++++++++++-----------------
1 file changed, 39 insertions(+), 19 deletions(-)
diff --git a/src/netdev.c b/src/netdev.c
index 9f26ce68..e17e8520 100644
--- a/src/netdev.c
+++ b/src/netdev.c
@@ -71,6 +71,7 @@ enum connection_type {
CONNECTION_TYPE_SOFTMAC,
CONNECTION_TYPE_FULLMAC,
CONNECTION_TYPE_SAE_OFFLOAD,
+ CONNECTION_TYPE_PSK_OFFLOAD,
};
static uint32_t unicast_watch;
@@ -202,6 +203,7 @@ static inline bool is_offload(struct handshake_state *hs)
case CONNECTION_TYPE_FULLMAC:
return false;
case CONNECTION_TYPE_SAE_OFFLOAD:
+ case CONNECTION_TYPE_PSK_OFFLOAD:
return true;
}
@@ -1238,11 +1240,6 @@ static void netdev_connect_ok(struct netdev *netdev)
netdev->fw_roam_bss = NULL;
}
- /* Allow station to sync the PSK to disk */
- if (is_offload(netdev->handshake))
- handshake_event(netdev->handshake,
- HANDSHAKE_EVENT_SETTING_KEYS);
-
if (netdev->connect_cb) {
netdev->connect_cb(netdev, NETDEV_RESULT_OK, NULL,
netdev->user_data);
@@ -2012,14 +2009,6 @@ process_resp_ies:
netdev_send_qos_map_set(netdev, qos_set, qos_len);
}
- /*
- * TODO: Only SAE/WPA3-personal offload is supported. In this case IWD
- * is 'done'. In the case of 8021x offload EAP still needs to take
- * place, so this must be updated accordingly when that is implemented.
- */
- if (is_offload(netdev->handshake))
- goto done;
-
if (netdev->sm) {
/*
* Start processing EAPoL frames now that the state machine
@@ -2031,7 +2020,11 @@ process_resp_ies:
return;
}
-done:
+ /* Allow station to sync the PSK to disk */
+ if (is_offload(netdev->handshake))
+ handshake_event(netdev->handshake,
+ HANDSHAKE_EVENT_SETTING_KEYS);
+
netdev_connect_ok(netdev);
return;
@@ -2663,6 +2656,9 @@ static struct l_genl_msg *netdev_build_cmd_connect(struct netdev
*netdev,
l_genl_msg_append_attr(msg, NL80211_ATTR_SAE_PASSWORD,
strlen(hs->passphrase), hs->passphrase);
break;
+ case CONNECTION_TYPE_PSK_OFFLOAD:
+ l_genl_msg_append_attr(msg, NL80211_ATTR_PMK, 32, hs->pmk);
+ break;
}
if (prev_bssid)
@@ -3027,6 +3023,12 @@ static int netdev_handshake_state_setup_connection_type(
struct wiphy *wiphy = nhs->netdev->wiphy;
bool softmac = wiphy_supports_cmds_auth_assoc(wiphy);
bool canroam = wiphy_supports_firmware_roam(wiphy);
+ const struct l_settings *settings = iwd_get_config();
+ bool offload_on;
+
+ if (!l_settings_get_bool(settings, "General", "4WayOffload",
+ &offload_on))
+ offload_on = false;
/*
* Sanity check that any FT AKMs are set only on softmac or on
@@ -3036,15 +3038,19 @@ static int netdev_handshake_state_setup_connection_type(
return -ENOTSUP;
switch (hs->akm_suite) {
+ case IE_RSN_AKM_SUITE_PSK:
+ case IE_RSN_AKM_SUITE_FT_USING_PSK:
+ case IE_RSN_AKM_SUITE_PSK_SHA256:
+ if (offload_on && wiphy_has_ext_feature(wiphy,
+ NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK))
+ goto psk_offload;
+ /* fall through */
case IE_RSN_AKM_SUITE_8021X:
case IE_RSN_AKM_SUITE_FT_OVER_8021X:
case IE_RSN_AKM_SUITE_8021X_SHA256:
case IE_RSN_AKM_SUITE_8021X_SUITE_B_SHA256:
case IE_RSN_AKM_SUITE_8021X_SUITE_B_SHA384:
case IE_RSN_AKM_SUITE_FT_OVER_8021X_SHA384:
- case IE_RSN_AKM_SUITE_PSK:
- case IE_RSN_AKM_SUITE_FT_USING_PSK:
- case IE_RSN_AKM_SUITE_PSK_SHA256:
if (softmac)
goto softmac;
@@ -3086,6 +3092,9 @@ fullmac:
sae_offload:
nhs->type = CONNECTION_TYPE_SAE_OFFLOAD;
return 0;
+psk_offload:
+ nhs->type = CONNECTION_TYPE_PSK_OFFLOAD;
+ return 0;
}
static int netdev_connect_common(struct netdev *netdev,
@@ -4104,7 +4113,7 @@ static bool netdev_get_fw_scan_cb(int err, struct l_queue
*bss_list,
* In this case we should just ignore this and allow the disconnect
* logic to continue.
*/
- if (!netdev->sm)
+ if (!is_offload(netdev->handshake) && !netdev->sm)
return false;
if (err < 0) {
@@ -4132,6 +4141,11 @@ static bool netdev_get_fw_scan_cb(int err, struct l_queue
*bss_list,
handshake_state_set_authenticator_ie(netdev->handshake, bss->rsne);
+ if (is_offload(netdev->handshake)) {
+ netdev_connect_ok(netdev);
+ return false;
+ }
+
eapol_start(netdev->sm);
return false;
@@ -4182,14 +4196,20 @@ static void netdev_roam_event(struct l_genl_msg *msg, struct
netdev *netdev)
goto failed;
}
+ /* Handshake completed in firmware, just get the roamed BSS */
+ if (is_offload(netdev->handshake))
+ goto get_fw_scan;
+
/* Reset handshake state */
nhs->complete = false;
nhs->ptk_installed = false;
nhs->gtk_installed = true;
nhs->igtk_installed = true;
- handshake_state_set_authenticator_address(netdev->handshake, mac);
netdev->handshake->ptk_complete = false;
+get_fw_scan:
+ handshake_state_set_authenticator_address(netdev->handshake, mac);
+
if (!scan_get_firmware_scan(netdev->wdev_id, netdev_get_fw_scan_cb,
netdev, NULL))
goto failed;
--
2.26.2
4:11 a.m.
New subject: [PATCH 6/6] doc: document new [General].4WayOffload
This option will allow the 4-way handshake to be offloaded to
firmware if it supports it.
---
src/iwd.config.rst | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/src/iwd.config.rst b/src/iwd.config.rst
index 478bd616..c9e67a2d 100644
--- a/src/iwd.config.rst
+++ b/src/iwd.config.rst
@@ -174,6 +174,21 @@ The group ``[General]`` contains general settings.
off by default. If you want to easily utilize Hotspot 2.0 networks,
then setting ``DisableANQP`` to ``false`` is recommended.
+ * - 4WayOffload
+ - Values: **false**, true
+
+ Enables the use of 4-way handshake offloading. Some drivers can offload
+ the 4-way handshake to firmware which may be required to support certain
+ protocols that act on Authenticate/Associate frames (OWE, SAE, FT etc)
+ for drivers which do not support Authenticate/Associate commands. This
+ option is turned off by default as it is not widely tested.
+
+ Note: There seems to be a bug in the brcmfmac driver/firmware where once
+ offloading is enabled (by turning on this option) it cannot be turned
+ off in the firmware without a hard reboot (or some means of restarting
+ the firmware).
+
+
Network
---------
--
2.26.2
5:09 a.m.
Hi James,
On 4/2/21 12:11 PM, James Prestwood wrote:
Moves the parsing of NL80211_ATTR_REQ_IE into its own parsing
function for use elsewhere.
---
src/netdev.c | 62 ++++++++++++++++++++++++++++++----------------------
1 file changed, 36 insertions(+), 26 deletions(-)
Patch 1 & 2 applied, thanks.
Regards,
-Denis
534
days inactive
534
days old
6 comments
2 participants
participants (2)
-
Denis Kenzior -
James Prestwood