3
0
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2025-04-02 08:56:52 +02:00

7414 Commits

Author SHA1 Message Date
James Prestwood
0a93c55552 netdev: implement PMKSA for fullmac drivers
Supporting PMKSA on fullmac drivers requires that we set the PMKSA
into the kernel as well as remove it. This can now be triggered
via the new PMKSA driver callbacks which are implemented and set
with this patch.
2025-04-01 11:15:03 -05:00
James Prestwood
7f9ea7640d handshake: use pmksa_cache_free 2025-04-01 11:14:40 -05:00
James Prestwood
c52d913f20 pmksa: add driver callbacks and pmksa_cache_free
In order to support fullmac drivers the PMKSA entries must be added
and removed from the kernel. To accomplish this a set of driver
callbacks will be added to the PMKSA module. In addition a new
pmksa_cache_free API will be added whos only purpose is to handle
the removal from the kernel.
2025-04-01 11:11:08 -05:00
James Prestwood
651b647570 netdev: remove/update some iwd_notice logs
The iwd_notice function was more meant for special purpose events
not general debug prints. For these error conditions we should be
using l_warn. For the informational "External Auth to SSID" log
we already print this information when connecting from station. In
addition there are logs when performing external auth so it should
be very obvious external auth is being used without this log.
2025-04-01 11:10:39 -05:00
James Prestwood
8cf9734d2b netdev: don't set CQM thresholds for fullmac cards
Since roaming is handled by the firmware setting CQM thresholds for
roaming is pointless.
2025-04-01 11:10:26 -05:00
James Prestwood
d70fbade44 netdev: fix invalid read after netdev_free
The netdev frame watches got cleaned up upon the interface going down
which works if the interface is simply being toggled but when IWD
shuts down it first shuts down the interface, then immediately frees
netdev. If a watched frame arrives immediately after that before the
interface shutdown callback it will reference netdev, which has been
freed.

Fix this by clearing out the frame watches in netdev_free.

==147== Invalid read of size 8
==147==    at 0x408ADB: netdev_neighbor_report_frame_event (netdev.c:4772)
==147==    by 0x467C75: frame_watch_unicast_notify (frame-xchg.c:234)
==147==    by 0x4E28F8: __notifylist_notify (notifylist.c:91)
==147==    by 0x4E2D37: l_notifylist_notify_matches (notifylist.c:204)
==147==    by 0x4A1388: process_unicast (genl.c:844)
==147==    by 0x4A1388: received_data (genl.c:972)
==147==    by 0x49D82F: io_callback (io.c:105)
==147==    by 0x49C93C: l_main_iterate (main.c:461)
==147==    by 0x49CA0B: l_main_run (main.c:508)
==147==    by 0x49CA0B: l_main_run (main.c:490)
==147==    by 0x49CC3F: l_main_run_with_signal (main.c:630)
==147==    by 0x4049EC: main (main.c:614)
2025-04-01 11:06:40 -05:00
James Prestwood
f0e515b6ff doc: document InitialRoamRequestedTimeout 2025-04-01 11:06:29 -05:00
James Prestwood
47ef40d645 auto-t: add tests for AP roam blacklisting 2025-04-01 11:06:21 -05:00
James Prestwood
9e10efbef5 station: roam blacklist AP even mid-roam
If an AP directed roam frame comes in while IWD is roaming its
still valuable to parse that frame and blacklist the BSS that
sent it.

This can happen most frequently during a roam scan while connected
to an overloaded BSS that is requesting IWD roams elsewhere.
2025-04-01 11:06:02 -05:00
James Prestwood
224afbb9ca station: roam blacklist BSS's, and consider when roaming
If the BSS is requesting IWD roam elsewhere add this BSS to the
blacklist using BLACKLIST_REASON_ROAM_REQUESTED. This will lower
the chances of IWD roaming/connecting back to this BSS in the
future.

This then allows IWD to consider this blacklist state when picking
a roam candidate. Its undesireable to fully ban a roam blacklisted
BSS, so some additional sorting logic has been added. Prior to
comparing based on rank, BSS's will be sorted into two higher level
groups:

Above Threshold - BSS is above the RoamThreshold
Below Threshold - BSS is below the RoamThreshold

Within each of these groups the BSS may be roam blacklisted which
will position it at the bottom of the list within its respecitve
group.
2025-04-01 11:05:22 -05:00
James Prestwood
bf69e6210c netdev: add netdev_get_low_signal_threshold 2025-04-01 10:55:10 -05:00
James Prestwood
258482d509 blacklist: add new blacklist reason, ROAM_REQUESTED
This adds a new (less severe) blacklist reason as well as an option
to configure the timeout. This blacklist reason will be used in cases
where a BSS has requested IWD roam elsewhere. At that time a new
blacklist entry will be added which will be used along with some
other criteria to determine if IWD should connect/roam to that BSS
again.

Now that we have multiple blacklist reasons there may be situations
where a blacklist entry already exists but with a different reason.
This is going to be handled by the reason severity. Since we have
just two reasons we will treat a connection failure as most severe
and a roam requested as less severe. This leaves us with two
possible situations:

1. BSS is roam blacklisted, then gets connection blacklisted:
   The reason will be "promoted" to connection blacklisted.

2. BSS is connection blacklisted, then gets roam blacklisted:
   The blacklist request will be ignored
2025-04-01 10:54:04 -05:00
James Prestwood
1caad4ca88 blacklist: fix pruning to remove the entry if its expired
When pruning the list check_if_expired was comparing to the maximum
amount of time a BSS can be blacklisted, not if the current time had
exceeded the expirationt time. This results in blacklist entries
hanging around longer than they should, which would result in them
poentially being blacklisted even longer if there was another reason
to blacklist in the future.

Instead on prune check the actual expiration and remove the entry if
its expired. Doing this removes the need to check any of the times
in blacklist_contains_bss since prune will remove any expired entries
correctly.
2025-04-01 10:53:18 -05:00
James Prestwood
59464a0ca4 blacklist: include a blacklist reason
To both prepare for some new blacklisting behavior and allow for
easier consolidation of the network-specific blacklist include a
reason enum for each entry. This allows IWD to differentiate
between multiple blacklist types. For now only the existing
"permanent" type is being added which prevents connections to that
BSS via autoconnect until it expires.
2025-04-01 10:52:25 -05:00
James Prestwood
93b25c87d6 auto-t: add test for disabling the timeout blacklist 2025-04-01 10:27:42 -05:00
James Prestwood
e971ef71d5 station: always add BSS to network blacklist on failure
Allowing the timeout blacklist to be disabled has introduced a bug
where a failed connection will not result in the BSS list to be
traversed. This causes IWD to retry the same BSS over and over which
be either a) have some issue preventing a connection or b) may simply
be unreachable/out of range.

This is because IWD was inherently relying on the timeout blacklist
to flag BSS's on failures. With it disabled there was nothing to tell
network_bss_select that we should skip the BSS and it would return
the same BSS indefinitely.

To fix this some of the blacklisting logic was re-worked in station.
Now, a BSS will always get network blacklisted upon a failure. This
allows network.c to traverse to the next BSS upon failure.

For auth/assoc failures we will then only timeout blacklist under
certain conditions, i.e. the status code was not in the temporary
list.

Fixes: 77639d2d452e ("blacklist: allow configuration to disable the blacklist")
2025-04-01 10:27:13 -05:00
Marcel Holtmann
bff5006b38 Release 3.5 3.5 2025-03-26 10:47:40 +01:00
James Prestwood
ea571861d6 auto-t: update scapy imports for newer version
Something changed between scapy versions and now the modules
being imported don't exist.
2025-03-07 10:29:19 -06:00
James Prestwood
f3e4263f51 doc: document how to disable blacklisting 2025-03-04 08:43:54 -06:00
James Prestwood
77639d2d45 blacklist: allow configuration to disable the blacklist
Certain use cases may not need or want this feature so allowing it to
be disabled is a much cleaner way than doing something like setting
the timeouts very low.

Now [Blacklist].InitialTimeout can be set to zero which will prevent
any blacklisting.

In addition some other small changes were added:
 - Warn if the multiplier is 0, and set to 1 if so.
 - Warn if the initial timeout exceeds the maximum timeout.
 - Log if the blacklist is disabled
 - Use L_USEC_PER_SEC instead of magic numbers.
2025-03-04 08:40:53 -06:00
James Prestwood
1662707f22 doc: document [DriverQuirks].SaeDisable 2025-02-13 09:27:20 -06:00
James Prestwood
5f4bf2a5e5 wiphy: add driver quirk to disable SAE
SAE/WPA3 is completely broken on brcmfmac, at least without a custom
kernel patch which isn't included in many OS distributions. In order
to help with this add a driver quirk so devices with brcmfmac can
utilize WPA2 instead of WPA3 and at least connect to networks at
this capacity until the fix is more widely distributed.
2025-02-13 09:26:17 -06:00
Marcel Holtmann
40af18f96a Release 3.4 3.4 2025-02-11 00:09:12 +01:00
Marcel Holtmann
ab4fa30c7e build: Require at least version 0.72 when building with external ELL 2025-02-10 23:57:46 +01:00
Marcel Holtmann
43f73823ec build: Include extra files for ELL test extensions 2025-02-10 23:02:10 +01:00
Marcel Holtmann
f4439fd2b6 build: Enable support for TAP, the Test Anything Protocol 2025-02-07 23:01:37 +01:00
James Prestwood
bf82aff039 handshake: add more debugging around PMKSA caching
Instead of just printing the PMKSA pointer separate this into two
separate debug messages, one for if the PMKSA exists and the other
if it does not. In addition print out the MAC of the AP so we have
a reference of which PMKSA this is.
2025-01-06 09:37:14 -06:00
Marcel Holtmann
4b535cee1f Release 3.3 3.3 2024-12-20 08:51:07 +01:00
James Prestwood
7144741537 netdev: destroy auth-proto after external auth
With external auth there is no associate event meaning the auth proto
never gets freed, which prevents eapol from starting inside the
OCI callback. Check for this specific case and free the auth proto
after signaling that external auth has completed.
2024-12-19 23:57:21 -06:00
James Prestwood
64b872f363 monitor: add --pcap-size,--pcap-count
The user can now limit the size and count of PCAP files iwmon will
create. This allows iwmon to run for long periods of time without
filling up disk space.
2024-12-17 11:26:38 -06:00
James Prestwood
83a2457550 monitor: add support for limiting PCAP size/count
This implements support for "rolling captures" by allowing iwmon to
limit the PCAP file size and number of PCAP's that are created.
This is a useful feature when long term monitoring is needed. If
there is some rare behavior requiring iwmon to run for days, months,
or longer the resulting PCAP file would become quite large and fill
up disk space.

When enabled (command line arguments in subsequent patch) the PCAP
file size is checked on each write. If it exceeds the limit a new
PCAP file will be created. Once the number of old PCAP files reaches
the set limit the oldest PCAP will be removed from disk.
2024-12-17 11:24:12 -06:00
James Prestwood
43f895142c monitor: track current PCAP size
This will come into play when support for rolling captures is
added to iwmon.
2024-12-17 11:23:56 -06:00
James Prestwood
c352b35bf1 monitor: add --time-format,-t option
For syncing iwmon captures with other logging its useful to
timestamp in some absolute format like UTC. This adds an
option which allows the user to specify what time format to
show. For now support:

delta - (default) The time delta between the first packet
        and the current packet.
utc   - The packet time in UTC
2024-12-17 11:22:03 -06:00
James Prestwood
d4bba5c838 wiphy: add info print for MulticastRxDisabled quirk
This was forgotten in the prior patch set. It does not change any
behavior but just adds this to the driver flags debug print when
IWD starts up.
2024-12-17 11:21:28 -06:00
Marcel Holtmann
1dd9f94713 Release 3.2 3.2 2024-11-25 19:04:47 +01:00
James Prestwood
c458e6612d doc: document [DriverQuirks].MulticastRxDisable 2024-11-25 11:47:14 -06:00
James Prestwood
45db339dcd dpp: use wiphy_supports_multicast_rx
The ath10k driver has shown some performance issues, specifically
packet loss, when frame watches are registered with the multicast
RX flag set. This is relevant for DPP which registers for these
when DPP starts (if the driver supports it). This has only been
observed when there are large groups of clients all using the same
wifi channel so its unlikely to be much of an issue for those using
IWD/ath10k and DPP unless you run large deployments of clients.

But for large deployments with IWD/ath10k we need a way to disable
the multicast RX registrations. Now, with the addition of
wiphy_supports_multicast_rx we can both check that the driver
supports this as well as if its been disabled by the driver quirk.
2024-11-25 11:47:07 -06:00
James Prestwood
887d8c8fe8 wiphy: add driver quirk for disabling multicast rx (and helper)
This driver quirk and associated helper API lets other modules both
check if multicast RX is supported, and if its been disabled via
the driver quirk setting.
2024-11-25 11:46:53 -06:00
James Prestwood
c6932efa30 wiphy: make "wiphy" const in wiphy_has_ext_feature 2024-11-25 11:46:49 -06:00
James Prestwood
f3ba82b0e1 doc: document DisablePMKSA option 2024-11-25 08:55:16 -06:00
James Prestwood
a26fcd8f2d auto-t: add PMKSA tests
Adds a test for just PMKSA and testing expiration as well as includes
some PMKSA tests in the SAE roaming test to ensure FT/reassociation
works.
2024-11-25 08:54:57 -06:00
James Prestwood
ab49b404fd station: support PMKSA connections
The actual connection piece of this is very minimal, and only
requires station to check if there is a PMKSA cached, and if so
include the PMKID in the RSNE. Netdev then takes care of the rest.

The remainder of this patch is the error handling if a PMKSA
connection fails with INVALID_PMKID. In this case IWD should retry
the same BSS without PMKSA.

An option was also added to disable PMKSA if a user wants to do
that. In theory PMKSA is actually less secure compared to SAE so
it could be something a user wants to disable. Going forward though
it will be enabled by default as its a requirement from the WiFi
alliance for WPA3 certification.
2024-11-25 08:53:01 -06:00
James Prestwood
9bc71b2853 station: hold reference to handshake object
To prepare for PMKSA support station needs access to the handshake
object. This is because if PMKSA fails due to an expired/missing
PMKSA on the AP station should retry using the standard association.
This poses a problem currently because netdev frees the handshake
prior to calling the connect callback.
2024-11-25 08:52:21 -06:00
James Prestwood
5b104967ce netdev: add support to use PMKSA over SAE if available
This was quite simple and only requiring caching the PMKSA after a
successful handshake, and using the correct authentication type
for connections if we have a prior PMKSA cached.

This is only being added for initial SAE associations for now since
this is where we gain the biggest improvement, in addition to the
requirement by the WiFi alliance to label products as "WPA3 capable"
2024-11-25 08:51:28 -06:00
James Prestwood
4680c0c13b handshake: add handshake_state_remove_pmksa
This is needed in order to clear the PMKSA from the handshake state
without actually putting it back into the cache. This is something
that will be needed in case the AP rejects the association due to
an expired (or forgotten) PMKSA.
2024-11-25 08:50:59 -06:00
Denis Kenzior
c36358cc7c handshake: Add pmksa setter & stealer
The majority of this patch was authored by Denis Kenzior, but
I have appended setting the PMK inside handshake_state_set_pmksa
as well as checking if the pmkid exists in
handshake_state_steal_pmkid.

Authored-by: Denis Kenzior <denkenz@gmail.com>
Authored-by: James Prestwood <prestwoj@gmail.com>
2024-11-25 08:46:51 -06:00
Denis Kenzior
235f6e5f14 pmksa: Add debugging 2024-11-25 08:41:31 -06:00
Denis Kenzior
980e132f48 unit: Add basic pmksa test 2024-11-25 08:37:28 -06:00
Denis Kenzior
900aa5810e pmksa: Add skeleton 2024-11-25 08:34:29 -06:00
James Prestwood
8cf83d6620 auto-t: update testSAE to disable PMKSA
There are quite a few tests here for various scenarios and PMKSA
throws a wrench into that. Rather than potentially breaking the
tests in attempt to get them working with PMKSA, just disable PMKSA.
2024-11-25 08:34:07 -06:00