Feature/RSNO Porting #70
base: main
could you pls review PR and leave comments?
Can we please mark these as fromtree and use git cherry-pick -x to note the original commit as well? This would be helpful during upmerge.
Were there any conflicts? How did you fix the conflicts? Hopefully the original commits haven't been modified?
Also, please raise a manifest update PR with a detailed description of how these can be used? Do we need to extend the Wi-Fi management layer for this? extend docs/tests?
…erriding Signed-off-by: Jouni Malinen <[email protected]> (cherry picked from commit 6b0ce29d25d662b68dcc599e62d42eab0690b976)
Signed-off-by: Jouni Malinen <[email protected]> (cherry picked from commit c16ac89be235ddb07247e0143abf245bb7760c40)
…ng parsing Signed-off-by: Jouni Malinen <[email protected]> (cherry picked from commit 48ca68f6f8ba6769d031fac0523e666de7020f57)
…ring parsing Signed-off-by: Jouni Malinen <[email protected]> (cherry picked from commit b8a2d11ae04ec20aa6370af4d21150a2a1a5fc89)
Allow hostapd to be configured to advertise two separate sets of RSNE/RSNXE parameters so that RSNE/RSNXE can use a reduced set of capabilities (e.g., WPA2-Personal only) for supporting deployed STAs that have issues with transition modes while the new override elements can use a newer security option (e.g., WPA3-Personal only) for STAs that support the new mechanism. Signed-off-by: Jouni Malinen <[email protected]> (cherry picked from commit 157b0163832c688a08c34abb102319325b935d58)
…ents support Add a separate feature flag for STA mode to indicate support for RSN override elements. Signed-off-by: Veerendranath Jakkam <[email protected]> (cherry picked from commit 6fad7224be2f54ef9db77aa15a5beee441fa6db5)
Add a new capability flag based on the nl80211 feature advertisement for RSN overriding support. Signed-off-by: Veerendranath Jakkam <[email protected]> (cherry picked from commit 341bcb2b5c7d83acd2f8f0237182d54d883603e7)
This is a step towards allowing the contents of RSNE/RSNXE to be overridden. Signed-off-by: Jouni Malinen <[email protected]> (cherry picked from commit 5488e120d3d47ba602d89b8365a8d8e5e5aa3e4f)
…pa_supplicant In addition, add some of the previously missed AKM suites from the default capabilities. Signed-off-by: Jouni Malinen <[email protected]> (cherry picked from commit d0b55eb360d34231b095a14d55592ea682895e27)
Add support for RSNE/RSNXE Override elements. Use these elements to determine AP's extended RSN parameters. Signed-off-by: Jouni Malinen <[email protected]> (cherry picked from commit 765c48d5adcf8996b2568a7b2ec9d3a9c34ec902)
Signed-off-by: Jouni Malinen <[email protected]> (cherry picked from commit 8d54863550b086425c6aa3e13f1724ebc3196421)
wpa_supplicant was ignoring RSNXE also if the AP is not using valid RSN overriding combination when the STA supports RSN overriding. Fix this fallback to the RSNXE when AP is not using valid RSN overriding. Signed-off-by: Veerendranath Jakkam <[email protected]> (cherry picked from commit 526ea193c87d51381132831dd42e9d45fe018dfa)
Use current connection MLO capability to fetch the appropriate RSNE/RSNXE variant while processing association event. Signed-off-by: Veerendranath Jakkam <[email protected]> (cherry picked from commit ff99012d84642e34cc1aa874e121c2e63954875a)
Add an explicit rsn_override_omit_rsnxe=1 configuration parameter to allow the RSNXE to be omitted when using the RSNXOE and wanting to minimize interoperability issues with STAs that might recognize the RSNXE, but not handle it correctly, e.g., when multiple octets of payload are included. Signed-off-by: Jouni Malinen <[email protected]> (cherry picked from commit 8b2ddfdbb68889422c98993dc728714c6e817ea0)
The RSNXE generation function was extended to support this earlier, but that update was missed from the RSNXOE variant. Signed-off-by: Jouni Malinen <[email protected]> (cherry picked from commit bb61f6cb9561688b736a9895f63d0840e2257507)
…ting This is convenient for testing STA behavior with various RSN element combinations and special cases. Signed-off-by: Jouni Malinen <[email protected]> (cherry picked from commit 2e4c612dd2888087188b2fdd9800b6771c950524)
This was not done in case the STA did not use RSN overriding. Signed-off-by: Jouni Malinen <[email protected]> (cherry picked from commit 4adf234cd32edd755f068e550eded4d680e08067)
Use else-if check for better clarity regarding usage of wpa_ie_buf3 to make it explicit that memory is allocated for this pointer only once. Signed-off-by: Adil Saeed Musthafa <[email protected]> (cherry picked from commit 376adfea8debe5dae69976a5f5af6a56ecb9480e)
The separate RSNOE/RSNO2E/RSNXOE buffers were not actually used on the Authenticator, so remove them. Signed-off-by: Jouni Malinen <[email protected]> (cherry picked from commit 524c452153f68b599a001f8ca6265ef772882beb)
…ant was used This replaces the use of the RSNE Override and RSNE Override 2 elements with empty payload to indicate which RSNE variant was used. In addition, this adds stricter validation of the RSNE in (Re)Association Request frame to allow only the pairwise cipher suites and AKMs listed in the indicated RSNE variant to be used. Signed-off-by: Jouni Malinen <[email protected]> (cherry picked from commit 62ca121f9625ffe16b2d5764568bf6ccffd7d64e)
…ding This provides an implicitly protected (SNonce is used as an input to PTK derivation) mechanism for a STA to indicate support for RSN overriding in a manner that does not cause interoperability issues with deployed APs. In addition, update sm->SNonce on the Authenticator only based on message 2/4 since that is the only EAPOL-Key message that is defined to provide the actual SNonce value. While clearing of this internal buffer on message 4/4 might not cause issues, it is better to keep the actual SNonce value here since the SNonce cookie can be used at a later point in the sequence. Signed-off-by: Jouni Malinen <[email protected]> (cherry picked from commit 6f522baa1b445536b3aa7ea0d3a28475fa91e644)
… 3/4 This allows all variants to be verified based on a protected frame to achieve robust downgrade protection. Signed-off-by: Jouni Malinen <[email protected]> (cherry picked from commit 521374b9785a2e110ae7a11b889eba938e7542f4)
… MLD Signed-off-by: Jouni Malinen <[email protected]> (cherry picked from commit 4d110b4f87b08bfd711e5c300e731f95d3f4c614)
Use the RSN Override Link KDE to include the override variants of the RSNE/RSNXE for each link so that all variants are verified when processing the protected EAPOL-Key message 3/4. Signed-off-by: Jouni Malinen <[email protected]> (cherry picked from commit be6e4279fa5f7c5e96cf55503ab97058aced7960)
…iation event Store the full set of AP's RSNE/RSNXE variants to wpa_sm while processing association event. Commit 521374b9785a did this for the cases that were needed for SME-in-wpa_supplicant cases, but forgot to update the cases needed for SME-in-driver. Convert those to the updated protocol design as well. Fixes: 521374b9785a ("RSNO: Include all RSNE/RSNXE variants in EAPOL-Key message 3/4") Signed-off-by: Veerendranath Jakkam <[email protected]> (cherry picked from commit abd7f47958fea43c576693d9be4717b2af0e1db6)
…frames Signed-off-by: Veerendranath Jakkam <[email protected]> (cherry picked from commit 8324947a673ad0fb356bcc35a9882946262c17d5)
…cating driver support Use separate interfaces for indicating driver and supplicant RSN overriding support. Modifying this interface is fine since this feature is still under development. Subsequent commit will define the interface for indicating supplicant RSN overriding support to the driver. Signed-off-by: Veerendranath Jakkam <[email protected]> (cherry picked from commit 88150522cea61e05e07e891dff04dfed67176127)
…river Modify wpa_supplicant code based on the updated driver interface for RSN overriding capability indication. Signed-off-by: Veerendranath Jakkam <[email protected]> (cherry picked from commit 70b8f64faf8733c4e45453e29f4632ebbe556600)
… if RSNO not used A STA that supports RSN overriding will always use the SNonce cookie. An AP that does not advertise RSN overriding elements must not enforce that SNonce cookie is used with RSN Selection element since a STA includes the latter only when it sees the AP advertising RSN overriding elements. Signed-off-by: Jouni Malinen <[email protected]> (cherry picked from commit 66d8ac8cccbcb6551f24c7049fe45d7bf92ece10)
…RSN overriding not used STA needs to skip validating RSN Override elements when RSN overriding is not used since AP will not send RSN Override elements in EAPOL-Key message 3/4. This is handled correctly in non-MLO case but in MLO case wpa_supplicant always validates RSN Override link KDEs. Fix validating RSN Override elements in MLO case as well. Signed-off-by: Veerendranath Jakkam <[email protected]> (cherry picked from commit bbb55af8c34cc2976442e998801dd7125d9b77d6)
…s validation Always set SNonce cookie and enable RSN Override elements validation irrespective of the RSN Selection element usage in (Re)Association Request frame when RSN overriding supported. Signed-off-by: Veerendranath Jakkam <[email protected]> (cherry picked from commit df8c5e22d732a7e357bf2b1a287967a0de6d7183)
Signed-off-by: Jouni Malinen <[email protected]> (cherry picked from commit 9da9e41612e456a13e90e8cc2e71b75aa3400392)
Signed-off-by: Jouni Malinen <[email protected]> (cherry picked from commit 064a46b47886deafe226d6c1938bbbfe4e7c9497)
… Link KDE While these elements fit without issue in production use cases, it is possible to override the elements for testing purposes and if such overridden elements are overly long, they would not fit into the maximum length RSN Override Link KDE. This could result in difficult to debug failure cases, so check for this explicitly and instead of sending out the invalid M3, report the internal issue in the debug log and do not send M3. Signed-off-by: Jouni Malinen <[email protected]> (cherry picked from commit d98417218942d855f3e11051edb3da38d94906c8)
Signed-off-by: Jouni Malinen <[email protected]> (cherry picked from commit 87c6b322ee77a5192700fd59f216017cb6c4debd)
… Beacon frame When rsn_override_omit_rsnxe=1 is used to omit the RSNXE from Beacon and Probe Response frames, it should also be omitted from (Re)Association Response frames since there is a general expectation on the RSNXE being used consistently between these frames. This is unlikely to have much of a difference for most use cases in practice, but this could impact FILS association if the non-AP STA were to confirm that the unprotected and protected version of the RSNXE from the AP were identical. Fixes: 8b2ddfdbb688 ("RSNO: Allow RSNXE to be omitted") Signed-off-by: Jouni Malinen <[email protected]> (cherry picked from commit d1337b159b8304252f212357537e33928efbb931)
Integer promotion converts u8 rsnxe[i] to an int which is not sufficiently large to be able to handle the maximum shift left of 24 bits here. Type cast rsnxe[i] to u32 explicitly to get rid of the sign bit and avoid this undefined behavior from the shift operation. Credit to OSS-Fuzz: https://issues.oss-fuzz.com/issues/376786400 Fixes: d675d3b ("Add helper functions for parsing RSNXE capabilities") Signed-off-by: Jouni Malinen <[email protected]> (cherry picked from commit c2f90ef35ba7c541641ba1d93693f3e989fa5704)
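The shift problem described in the commit message above, shown as an added example (not code from hostap or from this PR). The helper names and the sample payload are hypothetical, and the payload layout is an assumption: the low four bits of the first octet are taken as the capability field length minus one.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed sample RSNXE payload (not captured from a real AP): field
 * length nibble 3 means four octets; the top bit of octet 3 is set. */
static const uint8_t sample_rsnxe[] = { 0x03, 0x00, 0x00, 0x80 };

/* Hypothetical helper: fold up to four payload octets into a little-endian
 * 32-bit capability word. Returns false on a missing or truncated payload. */
static bool rsnxe_capab_word(const uint8_t *rsnxe, size_t len, uint32_t *out)
{
	uint32_t capabs = 0;
	size_t flen, i;

	if (!rsnxe || !out || len == 0)
		return false;
	flen = (size_t) (rsnxe[0] & 0x0f) + 1; /* assumed layout, see lead-in */
	if (flen > len)
		return false;
	if (flen > 4)
		flen = 4;
	for (i = 0; i < flen; i++) {
		/* Without the cast, rsnxe[i] is promoted to int; for i == 3 and an
		 * octet >= 0x80 the shift by 24 reaches the sign bit, which is
		 * undefined behavior. The cast makes the shift unsigned. */
		capabs |= (uint32_t) rsnxe[i] << (8 * i);
	}
	*out = capabs;
	return true;
}

/* Hypothetical helper: test one capability bit (0..31) in the payload. */
static bool rsnxe_has_capab(const uint8_t *rsnxe, size_t len, unsigned int bit)
{
	uint32_t capabs;

	if (bit >= 32 || !rsnxe_capab_word(rsnxe, len, &capabs))
		return false;
	return ((capabs >> bit) & 1u) != 0;
}

int main(void)
{
	uint32_t w = 0;

	if (!rsnxe_capab_word(sample_rsnxe, sizeof(sample_rsnxe), &w))
		return 1;
	return (w == 0x80000003u && rsnxe_has_capab(sample_rsnxe, 4, 31)) ? 0 : 1;
}
```

Building a variant without the cast with -fsanitize=undefined and feeding it the same payload is a quick way to confirm the report a fuzzer would produce.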
If an association uses RSN overriding and the AP advertises an RSNXOE, use the RSNXOE instead of the RSNXE when determining AP's RSN capabilities. In particular, this is needed to determine the correct KDK length for PTK derivation in a case where the RSNXOE advertises support for secure ranging while the RSNXE does not. Signed-off-by: Jouni Malinen <[email protected]> (cherry picked from commit 59c608bd8d55089ef8d4aa2f2b7dd46ddd2e4f31)
…twork The new ssid block configuration parameter rsn_overriding can now be used to override the value of the global rsn_overriding parameter. Signed-off-by: Shivani Baranwal <[email protected]> (cherry picked from commit 007d3f01b776168ac8f1d1fb2e8e1cb60ad2303f)
By default enable rsno overriding as it is common process and required in common connection. Signed-off-by: Fengming Ye <[email protected]>
275cde2 to 493afae
updated.
There are 2 simple conflicts caused by zephyr unique change and 1 unimportant conflict which is in wlantest/rx_mgmt.c.
The change is transparent to user. So the usage is not changed. I'm raising update manifest PR. And we don't need to extend L2 wifi.
So, those are part of the commit itself? Ideally better to put them in a separate commit to identify those easily.
So, how will this feature be used?
They are just line offset conflicts. And these commits will be dropped when next upmerge. This feature does not touch command process. Just recognise RSN Override IE before RSN IE. The other process is the same.
No, we cannot rewrite history in Zephyr west projects, so, we just do a
If they are small then it's fine, else during cherry-picking we can create new commits for fixing conflicts.
They are small. You can check them in my list with original commits
Please add CONFIG_TESTING_OPTIONS to the twister at https://github.com/zephyrproject-rtos/zephyr/tree/main/tests/net/wifi/configs
Hi @jukkar can you merge this since it's approved?
Porting open source wpa_supplicant RSN override commits.