3
0
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2025-04-06 13:07:49 +02:00

87 Commits

Author SHA1 Message Date
James Prestwood
b5aff74e3b dpp: scale PKEX timeout by the number of frequencies used
If the number of frequencies used is very small reduce the timeout
to avoid waiting for extended periods of time.
2024-08-27 21:25:21 -05:00
James Prestwood
294426b450 dpp: allow PKEX configurators to run without multicast RX support
Since IWD enrollees can send unicast frames, a PKEX configurator could
still run without multicast support. Using this combination basically
allows any driver to utilize DPP/PKEX assuming the MAC address can
be communicated using some out of band mechanism.
2024-08-27 21:25:15 -05:00
James Prestwood
4482b8dc24 dpp: add Address/Frequency as parameters to PKEX enrollees
The DPP spec allows for obtaining frequency and MAC addresses up
to the implementation. IWD already takes advantage of this by
first scanning for nearby APs and using only those frequencies.
For further optimization an enrollee may be able to determine the
configurators frequency and MAC ahead of time which would make
finding the configurator much faster.
2024-08-27 21:24:48 -05:00
James Prestwood
bf2441e311 dpp: factor out key derivation and starting PKEX into functions
This will make things a bit easier in future patches, and reduces
some of the length/complexity of these functions.
2024-08-27 21:24:33 -05:00
James Prestwood
eff2a2afcf dpp: explicitly disconnect station if enrollee is started
Prior to now the DPP state was required to be disconnected before
DPP would start. This is inconvenient for the user since it requires
extra state checking and/or DBus method calls. Instead model this
case like WSC and issue a disconnect to station if DPP is requested
to start.

The other conditions on stopping DPP are also preserved and no
changes to the configurator role have been made, i.e. being
disconnected while configuring still stops DPP. Similarly any
connection made during enrolling will stop DPP.

It should also be noted that station's autoconfigure setting is also
preserved and set back to its original value upon DPP completing.
2024-07-24 15:25:31 -05:00
James Prestwood
30ca00d2c4 dpp: factor out PKEX/DPP start prep into function
In order to slightly rework the DPP state machine to handle
automatically disconnecting (for enrollees) functions need to be
created that isolate everything needed to start DPP/PKEX in case
a disconnect needs to be done first.
2024-07-24 15:25:25 -05:00
James Prestwood
405b897687 dpp: check wrapped data exists in authenticate response 2024-03-04 13:48:08 -06:00
James Prestwood
8f7443b0b3 station: add additional internal state, STATION_STATE_NETCONFIG
This is still treated as "connecting" from a DBus perspective but
will allow for better handling internally for some roaming corner
cases.
2024-01-08 22:04:41 -06:00
James Prestwood
8f5109c439 dpp: fix extra settings not being used when connecting
Before this change DPP was writing the credentials both to disk
and into the network object directly. This allowed the connection
to work fine but additional settings were not picked up due to
network_set_passphrase/psk loading the settings before they were
written.

Instead DPP can avoid setting the credentials to the network
object entirely and just write them to disk. Then, wait for
known networks to notify that the profile was either created
or updated then DPP can proceed to connecting. network_autoconnect()
will take care of loading the profile that DPP wrote and remove the
need for DPP to touch the network object at all.

One thing to note is that an idle callback is still needed from
within the known networks callback. This is because a new profile
requires network.c to set the network_info which is done in the
known networks callback. Rather than assume that network.c will be
called into before dpp.c an l_idle was added.
2023-12-19 12:41:50 -06:00
James Prestwood
0dd2f0000e dpp: set "" arguments to Release method call
Without this the DBus message does not initialize the message
correctly which causes future DBus calls to fail.
2023-12-13 10:06:07 -06:00
James Prestwood
5e0a97b197 dpp: fail early if multicast frame registration is unsupported
This is done already for DPP, do the same for PKEX. Few drivers
(ath9k upstream, ath10k/11k in progress) support this which is
unfortunate but since a configurator will not work without this
capability its best to fail early.
2023-11-17 10:51:23 -06:00
James Prestwood
6afda046c2 dpp: include 3rd party settings in network profile
If the configuration object contained IWD's 3rd party settings set
those into the network profile.
2023-11-17 09:48:58 -06:00
James Prestwood
6a60cb5a32 dpp: use the config's SSID to process scan results
The scan result handling was fragile because it assumed the kernel
would only give results matching the requested SSID. This isn't
something we should assume so instead keep the configuration object
around until after the scan and use the target SSID to lookup the
network.
2023-11-17 09:46:06 -06:00
James Prestwood
fa14ac125e dpp: use the new config->ssid member
This is now a NULL terminated string so it can be used directly.
2023-11-17 09:44:42 -06:00
James Prestwood
aa116ba522 dpp: check that DPP is running in station watch
This was causing unneeded WARNING prints because the DPP state
was never checked. Fix this and bail out if DPP isn't running.
2023-11-16 09:47:41 -06:00
James Prestwood
3c02f387cb dpp: scan to pick up extra frequencies when enrolling
The DPP-PKEX spec provides a very limited list of frequencies used
to discover configurators, only 3 on 2.4 and 5GHz bands. Since
configurators (at least in IWD's implementation) are only allowed
on the current operating frequency its very unlikely an enrollee
will find a configurator on these frequencies out of the entire
spectrum.

The spec does mention that the 3 default frequencies should be used
"In lieu of specific channel information obtained in a manner outside
the scope of this specification, ...". This allows the implementation
some flexibility in using a broader range of frequencies.

To increase the chances of finding a configurator shared code
enrollees will first issue a scan to determine what access points are
around, then iterate these frequencies. This is especially helpful
when the configurators are IWD-based since we know that they'll be
on the same channels as the APs in the area.
2023-11-16 09:14:32 -06:00
James Prestwood
c8a86edffe dpp: fix fragile scan/connecting logic
The post-DPP connection was never done quite right due to station's
state being unknown. The state is now tracked in DPP by a previous
patch but the scan path in DPP is still wrong.

It relies on station autoconnect logic which has the potential to
connect to a different network than what was configured with DPP.
Its unlikely but still could happen in theory. In addition the scan
was not selectively filtering results by the SSID that DPP
configured.

This fixes the above problems by first filtering the scan by the
SSID. Then setting the scan results into station without triggering
autoconnect. And finally using network_autoconnect() directly
instead of relying on station to choose the SSID.
2023-11-16 09:10:39 -06:00
James Prestwood
e2f28312e2 dpp: add station watch to DPP
DPP (both DPP and PKEX) run the risk of odd behavior if station
decides to change state. DPP is completely unaware of this and
best case would just result in a protocol failure, worst case
duplicate calls to __station_connect_network.

Add a station watch and stop DPP if station changes state during
the protocol.
2023-11-16 09:07:22 -06:00
James Prestwood
485f9f56bf dpp: remove duplicate connected network check 2023-11-16 09:07:10 -06:00
James Prestwood
2f4c09def0 dpp: fix removed dpp_reset in Stop()
It seems in my patch reordering both stop methods lost the actual
call to dpp_reset().
2023-11-09 20:15:56 -06:00
James Prestwood
2ca9a55fd5 dpp: Add StartConfigurator, PKEX agent support
Adds a configurator variant to be used along side an agent. When
called the configurator will start and wait for an initial PKEX
exchange message from an enrollee at which point it will request
the code from an agent. This provides more flexibility for
configurators that are capable of configuring multiple enrollees
with different identifiers/codes.

Note that the timing requirements per the DPP spec still apply
so this is not meant to be used with a human configurator but
within an automated agent which does a quick lookup of potential
identifiers/codes and can reply within the 200ms window.
2023-11-09 10:34:46 -06:00
James Prestwood
cf378e562e dpp: initial version of PKEX configurator support
The PKEX configurator role is currently limited to being a responder.
When started the configurator will listen on its current operating
channel for a PKEX exchange request. Once received it and the
encrypted key is properly decrypted it treats this peer as the
enrollee and won't allow configurations from other peers unless
PKEX is restarted. The configurator will encrypt and send its
encrypted ephemeral key in the PKEX exchange response. The enrollee
then sends its encrypted bootstrapping key (as commit-reveal request)
then the same for the configurator (as commit-reveal response).

After this, PKEX authentication begins. The enrollee is expected to
send the authenticate request, since its the initiator.
2023-11-09 10:26:59 -06:00
James Prestwood
a7d35a27a3 dpp: initial version of PKEX enrollee support
This is the initial support for PKEX enrollees acting as the
initiator. A PKEX initiator starts the protocol by broadcasting
the PKEX exchange request. This request contains a key encrypted
with the pre-shared PKEX code. If accepted the peer sends back
the exchange response with its own encrypted key. The enrollee
decrypts this and performs some crypto/hashing in order to establish
an ephemeral key used to encrypt its own boostrapping key. The
boostrapping key is encrypted and sent to the peer in the PKEX
commit-reveal request. The peer then does the same thing, encrypting
its own bootstrapping key and sending to the initiator as the
PKEX commit-reveal response.

After this, both peers have exchanged their boostrapping keys
securely and can begin DPP authentication, then configuration.

For now the enrollee will only iterate the default channel list
from the Easy Connect spec. Future upates will need to include some
way of discovering non-default channel configurators, but the
protocol needs to be ironed out first.
2023-11-09 10:23:01 -06:00
James Prestwood
f9833665b7 dpp: introduce dpp_interface type, prep for PKEX
PKEX and DPP will share the same state machine since the DPP protocol
follows PKEX. This does pose an issue with the DBus interfaces
because we don't want DPP initiated by the SharedCode interface to
start setting properties on the DeviceProvisioning interface.

To handle this a dpp_interface enum is being introduced which binds
the dpp_sm object to a particular interface, for the life of the
protocol run. Once the protocol finishes the dpp_sm can be unbound
allowing either interface to use it again later.
2023-11-09 10:05:13 -06:00
James Prestwood
9107378efe station: provide new state in __station_connect_network
This is being done to allow the DPP module to work correctly. DPP
currently uses __station_connect_network incorrectly since it
does not (and cannot) change the state after calling. The only
way to connect with a state change is via station_connect_network
which requires a DBus method that triggered the connection; DPP
does not have this due to its potentially long run time.

To support DPP there are a few options:
 1. Pass a state into __station_connect_network (this patch)
 2. Support a NULL DBus message in station_connect_network. This
    would require several NULL checks and adding all that to only
    support DPP just didn't feel right.
 3. A 3rd connect API in station which wraps
    __station_connect_network and changes the state. And again, an
    entirely new API for only DPP felt wrong (I guess we did this
    for network_autoconnect though...)

Its about 50/50 between call sites that changed state after calling
and those that do not. Changing the state inside
__station_connect_network felt useful enough to cover the cases that
could benefit and the remaining cases could handle it easily enough:
 - network_autoconnect(), and the state is changed by station after
   calling so it more or less follows the same pattern just routes
   through network. This will now pass the CONNECTING_AUTO state
   from within network vs station.
 - The disconnect/reconnect path. Here the state is changed to
   ROAMING prior in order to avoid multiple state changes. Knowing
   this the same ROAMING state can be passed which won't trigger a
   state change.
 - Retrying after a failed BSS. The state changes on the first call
   then remains the same for each connection attempt. To support this
   the current station->state is passed to avoid a state change.
2023-11-02 20:40:07 -05:00
James Prestwood
c398672200 dpp: allow enrollee to be authentication initiator
Until now IWD only supported enrollees as responders (configurators
could do both). For PKEX it makes sense for the enrollee to be the
initiator because configurators in the area are already on their
operating channel and going off is inefficient. For PKEX, whoever
initiates also initiates authentication so for this reason the
authentication path is being opened up to allow enrollees to
initiate.
2023-11-02 20:30:18 -05:00
James Prestwood
b8bfbc141d dpp: fix config request header check
The check for the header was incorrect according to the spec.
Table 58 indicates that the "Query Response Info" should be set
to 0x00 for the configuration request. The frame handler was
expecting 0x7f which is the value for the config response frame.

Unfortunately wpa_supplicant also gets this wrong and uses 0x7f
in all cases which is likely why this value was set incorrectly
in IWD. The issue is that IWD's config request is correct which
means IWD<->IWD configuration is broken. (and wpa_supplicant as
a configurator likely doesn't validate the config request).

Fix this by checking both 0x7f and 0x00 to handle both
supplicants.
2023-11-02 20:28:06 -05:00
James Prestwood
a943a81f87 dpp: remove scan_periodic_stop calls
Stopping periodic scans and not restarting them prevents autoconnect
from working again if DPP (or the post-DPP connect) fails. Since
the DPP offchannel work is at a higher priority than scanning (and
since new offchannels are queue'd before canceling) there is no risk
of a scan happening during DPP so its safe to leave periodic scans
running.
2023-11-02 20:27:59 -05:00
James Prestwood
acb1abceae dpp: support mutual authentication
This will be needed for PKEX support. It requires an additional
value, L, be derived and used in some of the hashing functions.
2023-10-29 17:17:21 -05:00
James Prestwood
0859ed8448 dpp: make the protocol timeout more flexible
Include a specific timeout value so different protocols can specify
different timeouts. For example once the authentication timeout
should not take very long (even 10 seconds seems excessive) but
adding PKEX may warrant longer timeouts.

For example discovering a configurator IWD may want to wait several
minutes before ending the discovery. Similarly running PKEX as a
configurator we should put a hard limit on the time, but again
minutes rather than 10 seconds.
2023-10-29 17:05:35 -05:00
James Prestwood
efdc2a63eb dpp: check configurator role in config request frame
We shouldn't ever get this frame as an enrollee, so disregard
2023-10-29 17:05:10 -05:00
James Prestwood
c0b92d9498 dpp-util: allow mutual auth in dpp_derive_ke
The Ke derivation requires an additional "L.x" value when
mutual authentication is used.
2023-10-19 09:33:24 -05:00
James Prestwood
808f8eea34 dpp-util: allow for mutual authentication in i/r_auth
When using mutual authentication an additional value needs to
be hashed when deriving i/r_auth values. A NULL value indicates
no mutual authentication (zero length iovec is passed to hash).
2023-10-19 09:25:35 -05:00
James Prestwood
0c9df85f5e dpp: fix retransmits if on operating channel
DPP configurators are running the majority of the protocol on the
current operating channel, meaning no ROC work. The retry logic
was bailing out if !dpp->roc_started with the assumption that DPP
was in between requesting offchannel work and it actually starting.
For configurators, this may not be the case. The offchannel ID also
needs to be checked, and if no work is scheduled we can send the
frame.
2023-10-17 10:35:13 -05:00
James Prestwood
30effaf164 dpp: move/store max_roc setting into dpp_create
This value won't change since its per-phy so initialize it
when creating the DPP state machine rather than every time
DPP is started.
2023-10-17 10:31:32 -05:00
James Prestwood
33ba7f7dcd dpp: rename dpp_presence_timeout to be generic
PKEX will utilize the same offchannel timeout, so rename to
dpp_offchannel_timeout to be more generic.
2023-10-17 10:30:47 -05:00
James Prestwood
d0c1025179 dpp: rename auth_addr to peer_addr
This is more generic and with adding PKEX it makes sense to
refer to it as peer_addr.
2023-10-17 10:20:50 -05:00
James Prestwood
b080854d3e dpp: fix incorrect offchannel usage as configurator
When acting as a configurator the enrollee can start on a different
channel than IWD is connected to. IWD will begin the auth process
on this channel but tell the enrollee to transition to the current
channel after the auth request. Since a configurator must be
connected (a requirement IWD enforces) we can assume a channel
transition will always be to the currently connected channel. This
allows us to simply cancel the offchannel request and wait for a
response (rather than start another offchannel).

Doing this improves the DPP performance and reduces the potential
for a lost frame during the channel transition.

This patch also addresses the comment that we should wait for the
auth request ACK before canceling the offchannel. Now a flag is
set and IWD will cancel the offchannel once the ACK is received.
2023-04-30 13:03:48 -05:00
James Prestwood
81ee935a48 offchannel: add priority to start call
This will let the caller specify their own priority.
2022-09-21 21:17:04 -05:00
Jesse Lentz
125c9b195c dpp: Add Started, Role, and URI properties to API
Add three new properties to the DeviceProvisioning API: Started, Role,
and URI.
2022-06-27 11:07:13 -05:00
James Prestwood
19693f587f dpp,dpp-util: cast size_t for constant arguments to va_arg
There were a few places in dpp/dpp-util which passed a single byte but
was being read in with va_arg(va, size_t). On some architectures this was
causing failures presumably from the compiler using an integer type
smaller than size_t. As we do elsewhere, cast to size_t to force the
compiler to pass a properly sized iteger to va_arg.
2022-06-03 11:54:58 -05:00
James Prestwood
b27ab1270c dpp: wait before retransmitting frames with no-ACK
The upstream code immediately retransmitted any no-ACK frames.
This would work in cases where the peer wasn't actively switching
channels (e.g. the ACK was simply lost) but caused unintended
behavior in the case of a channel switch when the peer was not
listening.

If either IWD or the peer needed to switch channels based on the
authenticate request the response may end up not getting ACKed
because the peer is idle, or in the middle of the hardware changing
channels. IWD would get no-ACK and immediately send the frame again
and most likely the same behavior would result. This would very
quickly increment frame_retry past the maximum and DPP would fail.

Instead when no ACK is received wait 1 second before sending out
the next frame. This can re-use the existing frame_pending buffer
and the same logic for re-transmitting.
2022-04-15 12:15:52 -05:00
James Prestwood
14217e6ca4 dpp: print error if CMD_FRAME fails 2022-04-15 12:15:44 -05:00
James Prestwood
07197e24fc dpp: handle sending a frame after ROC ends
There is a potential corner case of an offchannel frame callback
being called after ROC has ended.

This could happen in theory if a received frame is queued right as
the ROC session expires. If the ROC cancel event makes it to user
space before the frame IWD will schedule another ROC then receive
the frame. This doesn't prevent IWD from sending out another
frame since OFFCHANNEL_TX_OK is used, but it will prevent IWD from
receiving a response frame since no dwell duration is used with DPP.

To handle this an roc_started bool was added to the dpp_sm which
tracks the ROC state. If dpp_send_frame is called when roc_started
is false the frame will be saved and sent out once the ROC session
is started again.
2022-04-15 12:12:49 -05:00
James Prestwood
dbca7fcc02 dpp: set new_freq when configuring as initiator
This is used to hold the current BSS frequency which will be
used after IWD receives a presence announcement. Since this was
not being set, the logic was always thinking there was a channel
mismatch (0 != current_freq) and attempting to go offchannel to
'0' which resulted in -EINVAL, and ultimately protocol termination.
2022-03-28 12:38:15 -05:00
James Prestwood
ad1e5252f3 dpp: fail if disconnected during DPP protocol
If the connected BSS is NULL IWD was disconnected and this should
trigger a protocol termination.
2022-03-28 12:38:15 -05:00
James Prestwood
82b808cdfe dpp: add support for initiating as a configurator
The difference between the existing code is that IWD will send the
authentication request, making it the initiator.

This handles the use case where IWD is provided a peers URI containing
its bootstrapping key rather than IWD always providing its own URI.
A new DBus API was added, ConfigureEnrollee().

Using ConfigureEnrollee() IWD will act as a configurator but begin by
traversing a channel list (URI provided or default) and waiting for
presence announcements (with one caveat). When an announcement is
received IWD will send an authentication request to the peer, receive
its reply, and send an authentication confirm.

As with being a responder, IWD only supports configuration to the
currently connected BSS and will request the enrollee switch to this
BSS's frequency to preserve network performance.

The caveat here is that only one driver (ath9k) supports multicast frame
registration which prevents presence frame from being received. In this
case it will be required the the peer URI contains a MAC and channel
information. This is because IWD will jump right into sending auth
requests rather than waiting for a presence announcement.
2022-02-22 16:25:47 -06:00
James Prestwood
de411818f0 dpp: manually register for some frame watches
The frame watch which covers the presence procedure (and most
frames for that matter) needs to support multicast frames for
presence to work. Doing this in frame-xchg seems like the right
choice but only ath9k supports multicast frame registration.
Because of this limited support DPP will register for these frames
manually.
2022-02-22 16:24:47 -06:00
James Prestwood
c819903a7c dpp: check return of aes_siv_encrypt
This was caught by static analysis. As is common this should never
happen in the real world since the only way this can fail (apart from
extreme circumstances like OOM) is if the key size is incorrect, which
it will never be.
2022-02-18 14:45:45 -06:00
James Prestwood
429eabf042 dpp: unregister interface on exit
This fixes a cleanup issue where DPP tries to cleanup both on
dpp_exit() and when netdev goes down.
2022-02-15 15:13:52 -06:00