4:20 a.m.
---
src/wiphy.c | 5 +++++
src/wiphy.h | 1 +
2 files changed, 6 insertions(+)
diff --git a/src/wiphy.c b/src/wiphy.c
index 82e3ca87..e230b273 100644
--- a/src/wiphy.c
+++ b/src/wiphy.c
@@ -404,6 +404,11 @@ bool wiphy_can_connect(struct wiphy *wiphy, struct scan_bss *bss)
return true;
}
+bool wiphy_supports_cmds_auth_assoc(struct wiphy *wiphy)
+{
+ return wiphy->support_cmds_auth_assoc;
+}
+
bool wiphy_has_feature(struct wiphy *wiphy, uint32_t feature)
{
return wiphy->feature_flags & feature;
diff --git a/src/wiphy.h b/src/wiphy.h
index 1fd71f0d..6c91220c 100644
--- a/src/wiphy.h
+++ b/src/wiphy.h
@@ -79,6 +79,7 @@ uint32_t wiphy_get_supported_bands(struct wiphy *wiphy);
const struct scan_freq_set *wiphy_get_supported_freqs(
const struct wiphy *wiphy);
bool wiphy_can_connect(struct wiphy *wiphy, struct scan_bss *bss);
+bool wiphy_supports_cmds_auth_assoc(struct wiphy *wiphy);
bool wiphy_can_randomize_mac_addr(struct wiphy *wiphy);
bool wiphy_rrm_capable(struct wiphy *wiphy);
bool wiphy_has_feature(struct wiphy *wiphy, uint32_t feature);
--
2.26.2
4:20 a.m.
New subject: [PATCH 2/6] wiphy: check SAE offload in wiphy_select_akm
This allows an SAE AKM to be selected if the hardware does not
support SAE in userspace, but does support SAE offload.
---
src/wiphy.c | 18 ++++++++----------
1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/src/wiphy.c b/src/wiphy.c
index e230b273..9aac830f 100644
--- a/src/wiphy.c
+++ b/src/wiphy.c
@@ -189,17 +189,15 @@ enum ie_rsn_akm_suite wiphy_select_akm(struct wiphy *wiphy,
}
/*
- * TODO: Only SoftMAC (mac80211) drivers are currently
- * capable of SAE since it requires ability to send
- * Authenticate and Associate frames (which is given by
- * support_cmds_auth_assoc). FullMAC drivers require
- * SAE offload which we do not support nor supported
- * in any upstream driver as of this time.
+ * If the hardware does not support SAE in userspace
+ * (NL80211_FEATURE_SAE), has no Auth/Assoc support,
+ * nor has SAE offload support downgrade to WPA2.
*/
- if (!wiphy_has_feature(wiphy, NL80211_FEATURE_SAE) ||
- !wiphy->support_cmds_auth_assoc) {
- l_debug("No HW WPA3 support, trying WPA2");
- goto wpa2_personal;
+ if (!wiphy_has_feature(wiphy, NL80211_FEATURE_SAE)) {
+ if (!wiphy_has_ext_feature(wiphy,
+ NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
+ !wiphy->support_cmds_auth_assoc)
+ goto wpa2_personal;
}
if (info.akm_suites &
--
2.26.2
2:11 a.m.
New subject: [PATCH 2/6] wiphy: check SAE offload in wiphy_select_akm
Hi James,
On 3/18/21 12:20 PM, James Prestwood wrote:
This allows an SAE AKM to be selected if the hardware does not
support SAE in userspace, but does support SAE offload.
---
src/wiphy.c | 18 ++++++++----------
1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/src/wiphy.c b/src/wiphy.c
index e230b273..9aac830f 100644
--- a/src/wiphy.c
+++ b/src/wiphy.c
@@ -189,17 +189,15 @@ enum ie_rsn_akm_suite wiphy_select_akm(struct wiphy *wiphy,
}
/*
- * TODO: Only SoftMAC (mac80211) drivers are currently
- * capable of SAE since it requires ability to send
- * Authenticate and Associate frames (which is given by
- * support_cmds_auth_assoc). FullMAC drivers require
- * SAE offload which we do not support nor supported
- * in any upstream driver as of this time.
+ * If the hardware does not support SAE in userspace
+ * (NL80211_FEATURE_SAE), has no Auth/Assoc support,
+ * nor has SAE offload support downgrade to WPA2.
So linux/nl80211.h states:
"
* @NL80211_FEATURE_SAE: This driver supports simultaneous authentication of
* equals (SAE) with user space SME (NL80211_CMD_AUTHENTICATE) in station
* mode
"
However, there's at least one upstream driver (qtnfmac) that supports SAE
through CMD_EXTERNAL_AUTH and sets NL80211_FEATURE_SAE as well.
*/
- if (!wiphy_has_feature(wiphy, NL80211_FEATURE_SAE) ||
- !wiphy->support_cmds_auth_assoc) {
The original code here seems to cover the above case...
- l_debug("No HW WPA3 support, trying WPA2");
- goto wpa2_personal;
+ if (!wiphy_has_feature(wiphy, NL80211_FEATURE_SAE)) {
And this looks like it would allow qtnfmac through...
+ if (!wiphy_has_ext_feature(wiphy,
+ NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
+ !wiphy->support_cmds_auth_assoc)
+ goto wpa2_personal;
Perhaps all this mess needs to be moved into a separate function with all these
details explained.
To me it looks like there's 3 paths:
1. SoftMac case:
FEATURE_SAE &&
wiphy_supports_cmds_auth_assoc == true
2. Non-Offloaded case via CMD_EXTERNAL_AUTH
FEATURE_SAE &&
wiphy_supports_cmds_auth_assoc == false
3. Offloaded case:
!FEATURE_SAE &&
FEATURE_EXT_SAE_OFFLOAD &&
wiphy_supports_cmds_auth_assoc == false
And then maybe in the case of brcmfmac it supports case 2 without setting
FEATURE_SAE.
Total mess as there seems to be no way to check for external auth support.
}
if (info.akm_suites &
Regards,
-Denis
4:20 a.m.
New subject: [PATCH 3/6] wiphy: check SAE offload in wiphy_can_connect
This allows this wiphy_can_connect to pass for an SAE BSS
if the hardware does not support user space SAE, but does
support SAE offload.
---
src/wiphy.c | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/src/wiphy.c b/src/wiphy.c
index 9aac830f..6533cc7e 100644
--- a/src/wiphy.c
+++ b/src/wiphy.c
@@ -376,15 +376,18 @@ bool wiphy_can_connect(struct wiphy *wiphy, struct scan_bss *bss)
case IE_RSN_AKM_SUITE_FT_OVER_SAE_SHA256:
/*
* if the AP ONLY supports SAE/WPA3, then we can only
- * connect if the wiphy feature is supported. Otherwise
- * the AP may list SAE as one of the AKM's but also
- * support PSK (hybrid). In this case we still want to
- * allow a connection even if SAE is not supported.
+ * connect if the wiphy either supports userspace SAE or
+ * SAE offload. Otherwise the AP may list SAE as one of
+ * the AKM's but also support PSK (hybrid). In this case
+ * we still want to allow a connection even if SAE is
+ * not supported.
*/
- if (!wiphy_has_feature(wiphy, NL80211_FEATURE_SAE) ||
+ if (!wiphy_has_feature(wiphy, NL80211_FEATURE_SAE)) {
+ if (!wiphy_has_ext_feature(wiphy,
+ NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
!wiphy->support_cmds_auth_assoc)
- return false;
-
+ return false;
+ }
break;
case IE_RSN_AKM_SUITE_OWE:
case IE_RSN_AKM_SUITE_FILS_SHA256:
--
2.26.2
4:20 a.m.
New subject: [PATCH 4/6] handshake: add offload flag
If true, this flag indicates the handshake is being offloaded to
the kernel/hardware.
---
src/handshake.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/handshake.h b/src/handshake.h
index b738efd9..e667fccd 100644
--- a/src/handshake.h
+++ b/src/handshake.h
@@ -116,6 +116,7 @@ struct handshake_state {
bool wait_for_gtk : 1;
bool no_rekey : 1;
bool support_fils : 1;
+ bool offload : 1;
uint8_t ssid[32];
size_t ssid_len;
char *passphrase;
--
2.26.2
4:20 a.m.
New subject: [PATCH 5/6] netdev: add SAE offload support
SAE offload support requires some minor tweaks to CMD_CONNECT
as well as special checks once the connect event comes in. Since
at this point we are fully connected.
---
src/netdev.c | 31 ++++++++++++++++++++++++++++---
1 file changed, 28 insertions(+), 3 deletions(-)
diff --git a/src/netdev.c b/src/netdev.c
index 66a781bc..f4b44b31 100644
--- a/src/netdev.c
+++ b/src/netdev.c
@@ -1979,6 +1979,13 @@ process_resp_ies:
netdev_send_qos_map_set(netdev, qos_set, qos_len);
}
+ /*
+ * A successful connect event using offload means IWD is fully
+ * connected and completed the 4-way handshake
+ */
+ if (netdev->handshake->offload)
+ goto done;
+
if (netdev->sm) {
/*
* Let station know about the roam so a state change can occur.
@@ -2002,6 +2009,7 @@ process_resp_ies:
return;
}
+done:
netdev_connect_ok(netdev);
return;
@@ -2601,7 +2609,9 @@ static struct l_genl_msg *netdev_build_cmd_connect(struct netdev
*netdev,
const struct iovec *vendor_ies,
size_t num_vendor_ies)
{
- uint32_t auth_type = NL80211_AUTHTYPE_OPEN_SYSTEM;
+ uint32_t auth_type = IE_AKM_IS_SAE(hs->akm_suite) ?
+ NL80211_AUTHTYPE_SAE :
+ NL80211_AUTHTYPE_OPEN_SYSTEM;
struct l_genl_msg *msg;
struct iovec iov[4 + num_vendor_ies];
int iov_elems = 0;
@@ -2618,6 +2628,15 @@ static struct l_genl_msg *netdev_build_cmd_connect(struct netdev
*netdev,
bss->ssid_len, bss->ssid);
l_genl_msg_append_attr(msg, NL80211_ATTR_AUTH_TYPE, 4, &auth_type);
+ if (hs->offload) {
+ l_genl_msg_append_attr(msg, NL80211_ATTR_EXTERNAL_AUTH_SUPPORT,
+ 0, NULL);
+
+ if (IE_AKM_IS_SAE(hs->akm_suite))
+ l_genl_msg_append_attr(msg, NL80211_ATTR_SAE_PASSWORD,
+ strlen(hs->passphrase), hs->passphrase);
+ }
+
if (prev_bssid)
l_genl_msg_append_attr(msg, NL80211_ATTR_PREV_BSSID, ETH_ALEN,
prev_bssid);
@@ -2659,7 +2678,9 @@ static struct l_genl_msg *netdev_build_cmd_connect(struct netdev
*netdev,
l_genl_msg_append_attr(msg, NL80211_ATTR_AKM_SUITES,
4, &nl_akm);
- if (hs->wpa_ie)
+ if (IE_AKM_IS_SAE(hs->akm_suite))
+ wpa_version = NL80211_WPA_VERSION_3;
+ else if (hs->wpa_ie)
wpa_version = NL80211_WPA_VERSION_1;
else
wpa_version = NL80211_WPA_VERSION_2;
@@ -3020,6 +3041,9 @@ int netdev_connect(struct netdev *netdev, struct scan_bss *bss,
switch (hs->akm_suite) {
case IE_RSN_AKM_SUITE_SAE_SHA256:
case IE_RSN_AKM_SUITE_FT_OVER_SAE_SHA256:
+ if (hs->offload)
+ goto build_cmd_connect;
+
netdev->ap = sae_sm_new(hs, netdev_sae_tx_authenticate,
netdev_sae_tx_associate,
netdev);
@@ -3038,13 +3062,14 @@ int netdev_connect(struct netdev *netdev, struct scan_bss *bss,
netdev);
break;
default:
+build_cmd_connect:
cmd_connect = netdev_build_cmd_connect(netdev, bss, hs,
NULL, vendor_ies, num_vendor_ies);
if (!cmd_connect)
return -EINVAL;
- if (is_rsn || hs->settings_8021x)
+ if (!hs->offload && (is_rsn || hs->settings_8021x))
sm = eapol_sm_new(hs);
}
--
2.26.2
2:15 a.m.
New subject: [PATCH 5/6] netdev: add SAE offload support
Hi James,
On 3/18/21 12:20 PM, James Prestwood wrote:
SAE offload support requires some minor tweaks to CMD_CONNECT
as well as special checks once the connect event comes in. Since
at this point we are fully connected.
---
src/netdev.c | 31 ++++++++++++++++++++++++++++---
1 file changed, 28 insertions(+), 3 deletions(-)
diff --git a/src/netdev.c b/src/netdev.c
index 66a781bc..f4b44b31 100644
--- a/src/netdev.c
+++ b/src/netdev.c
@@ -1979,6 +1979,13 @@ process_resp_ies:
netdev_send_qos_map_set(netdev, qos_set, qos_len);
}
+ /*
+ * A successful connect event using offload means IWD is fully
+ * connected and completed the 4-way handshake
+ */
+ if (netdev->handshake->offload)
+ goto done;
+
So we only offload SAE connections, right? Otherwise for 802.1X + HS offload
this may be incorrect...
if (netdev->sm) {
/*
* Let station know about the roam so a state change can occur.
<snip>
@@ -2618,6 +2628,15 @@ static struct l_genl_msg
*netdev_build_cmd_connect(struct netdev *netdev,
bss->ssid_len, bss->ssid);
l_genl_msg_append_attr(msg, NL80211_ATTR_AUTH_TYPE, 4, &auth_type);
+ if (hs->offload) {
+ l_genl_msg_append_attr(msg, NL80211_ATTR_EXTERNAL_AUTH_SUPPORT,
+ 0, NULL);
+
Hmm, this part looks suspicious? See my reply to patch 2?
+ if (IE_AKM_IS_SAE(hs->akm_suite))
+ l_genl_msg_append_attr(msg, NL80211_ATTR_SAE_PASSWORD,
+ strlen(hs->passphrase), hs->passphrase);
+ }
+
if (prev_bssid)
l_genl_msg_append_attr(msg, NL80211_ATTR_PREV_BSSID, ETH_ALEN,
prev_bssid);
Regards,
-Denis
2:51 a.m.
New subject: [PATCH 5/6] netdev: add SAE offload support
On Fri, 2021-03-19 at 10:15 -0500, Denis Kenzior wrote:
Hi James,
On 3/18/21 12:20 PM, James Prestwood wrote:
> SAE offload support requires some minor tweaks to CMD_CONNECT
> as well as special checks once the connect event comes in. Since
> at this point we are fully connected.
> ---
> src/netdev.c | 31 ++++++++++++++++++++++++++++---
> 1 file changed, 28 insertions(+), 3 deletions(-)
>
> diff --git a/src/netdev.c b/src/netdev.c
> index 66a781bc..f4b44b31 100644
> --- a/src/netdev.c
> +++ b/src/netdev.c
> @@ -1979,6 +1979,13 @@ process_resp_ies:
> netdev_send_qos_map_set(netdev, qos_set,
> qos_len);
> }
>
> + /*
> + * A successful connect event using offload means IWD is fully
> + * connected and completed the 4-way handshake
> + */
> + if (netdev->handshake->offload)
> + goto done;
> +
So we only offload SAE connections, right? Otherwise for 802.1X + HS
offload
this may be incorrect...
> if (netdev->sm) {
> /*
> * Let station know about the roam so a state change
> can occur.
<snip>
> @@ -2618,6 +2628,15 @@ static struct l_genl_msg
> *netdev_build_cmd_connect(struct netdev *netdev,
> bss->ssid_len, bss-
> >ssid);
> l_genl_msg_append_attr(msg, NL80211_ATTR_AUTH_TYPE, 4,
> &auth_type);
>
> + if (hs->offload) {
> + l_genl_msg_append_attr(msg,
> NL80211_ATTR_EXTERNAL_AUTH_SUPPORT,
> + 0, NULL);
> +
Hmm, this part looks suspicious? See my reply to patch 2?
Yeah I misread the docs, as well as followed how wpa_s does it (which
includes this) but its not needed. With respect to your other comments
I think I'll punt on EXTERNAL_AUTH for now since I have no way of
testing it and only one driver actually uses it.
> + if (IE_AKM_IS_SAE(hs->akm_suite))
> + l_genl_msg_append_attr(msg,
> NL80211_ATTR_SAE_PASSWORD,
> + strlen(hs->passphrase), hs-
> >passphrase);
> + }
> +
> if (prev_bssid)
> l_genl_msg_append_attr(msg, NL80211_ATTR_PREV_BSSID,
> ETH_ALEN,
> prev_bssid);
Regards,
-Denis
3:33 a.m.
New subject: [PATCH 5/6] netdev: add SAE offload support
On Fri, 2021-03-19 at 10:15 -0500, Denis Kenzior wrote:
Hi James,
On 3/18/21 12:20 PM, James Prestwood wrote:
> SAE offload support requires some minor tweaks to CMD_CONNECT
> as well as special checks once the connect event comes in. Since
> at this point we are fully connected.
> ---
> src/netdev.c | 31 ++++++++++++++++++++++++++++---
> 1 file changed, 28 insertions(+), 3 deletions(-)
>
> diff --git a/src/netdev.c b/src/netdev.c
> index 66a781bc..f4b44b31 100644
> --- a/src/netdev.c
> +++ b/src/netdev.c
> @@ -1979,6 +1979,13 @@ process_resp_ies:
> netdev_send_qos_map_set(netdev, qos_set,
> qos_len);
> }
>
> + /*
> + * A successful connect event using offload means IWD is fully
> + * connected and completed the 4-way handshake
> + */
> + if (netdev->handshake->offload)
> + goto done;
> +
So we only offload SAE connections, right? Otherwise for 802.1X + HS
offload
this may be incorrect...
Yes, but this should only get set if we are actually doing offloading,
which we don't yet support for 1x/PSK. I havent dove into this yet, but
what would the procedure be here for 1x offloading (theoretically)?
Now in light of CMD_EXTERNAL_AUTH the code below in a previous patch
needs to change to account for this:
if (!wiphy_supports_cmds_auth_assoc(wiphy))
hs->offload = true;
But as far as this check goes I don't see an issue unless you think
8021x offload has more handling that needs to be done. I'm not exactly
sure how much of 1x is offloaded (auth/assoc?, EAP?, 4-way? all?)
> if (netdev->sm) {
> /*
> * Let station know about the roam so a state change
> can occur.
<snip>
> @@ -2618,6 +2628,15 @@ static struct l_genl_msg
> *netdev_build_cmd_connect(struct netdev *netdev,
> bss->ssid_len, bss-
> >ssid);
> l_genl_msg_append_attr(msg, NL80211_ATTR_AUTH_TYPE, 4,
> &auth_type);
>
> + if (hs->offload) {
> + l_genl_msg_append_attr(msg,
> NL80211_ATTR_EXTERNAL_AUTH_SUPPORT,
> + 0, NULL);
> +
Hmm, this part looks suspicious? See my reply to patch 2?
> + if (IE_AKM_IS_SAE(hs->akm_suite))
> + l_genl_msg_append_attr(msg,
> NL80211_ATTR_SAE_PASSWORD,
> + strlen(hs->passphrase), hs-
> >passphrase);
> + }
> +
> if (prev_bssid)
> l_genl_msg_append_attr(msg, NL80211_ATTR_PREV_BSSID,
> ETH_ALEN,
> prev_bssid);
Regards,
-Denis
3:42 a.m.
New subject: [PATCH 5/6] netdev: add SAE offload support
Hi James,
> So we only offload SAE connections, right? Otherwise for 802.1X
+ HS
> offload
> this may be incorrect...
Yes, but this should only get set if we are actually doing offloading,
which we don't yet support for 1x/PSK. I havent dove into this yet, but
what would the procedure be here for 1x offloading (theoretically)?
Ok, figured. I was just wondering if this warrants a TODO or a comment.
1X cannot be offloaded. Only the 4way handshake can. So in theory, if we're
offloading the 4way handshake, we still need to go through eapol for the 802.1X
part. And once that is successful, then we issue NL80211_CMD_SET_PMK to tell
the driver that 802.1X succeeded. Not sure whether we get an event after the
driver completes the handshake?
Now in light of CMD_EXTERNAL_AUTH the code below in a previous patch
needs to change to account for this:
if (!wiphy_supports_cmds_auth_assoc(wiphy))
hs->offload = true;
But as far as this check goes I don't see an issue unless you think
8021x offload has more handling that needs to be done. I'm not exactly
sure how much of 1x is offloaded (auth/assoc?, EAP?, 4-way? all?)
Auth/Assoc is offloaded to the driver, 1X is done by userspace, 4-way is then
done by the driver.
Regards,
-Denis
4:20 a.m.
New subject: [PATCH 6/6] station: set handshake offload if required
If IWD is connecting to a SAE/WPA3 BSS and Auth/Assoc commands
are not supported the only option is SAE offload. At this point
network_connect should have verified that the extended feature
for SAE offload exists so we can simply enable offload if these
commands are not supported.
---
src/station.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/station.c b/src/station.c
index 2e577290..5d118a3c 100644
--- a/src/station.c
+++ b/src/station.c
@@ -979,6 +979,10 @@ static struct handshake_state *station_handshake_setup(struct station
*station,
goto no_psk;
handshake_state_set_passphrase(hs, passphrase);
+
+ /* SAE offload required */
+ if (!wiphy_supports_cmds_auth_assoc(wiphy))
+ hs->offload = true;
} else {
const uint8_t *psk = network_get_psk(network);
--
2.26.2
548
days inactive
549
days old
10 comments
2 participants
participants (2)
-
Denis Kenzior -
James Prestwood