[PATCH v2 1/4] wiphy: add OweDisable driver quirk

[PATCH v2 1/4] wiphy: add OweDisable driver quirk

[James Prestwood]

Some drivers like brcmfmac don't support OWE but from userspace its
not possible to query this information. Rather than completely
blacklist brcmfmac we can allow the user to configure this and
disable OWE in IWD.
---
 src/wiphy.c | 16 +++++++++++++++-
 src/wiphy.h |  1 +
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/src/wiphy.c b/src/wiphy.c
index cc0e6dd7..d57d657a 100644
--- a/src/wiphy.c
+++ b/src/wiphy.c
@@ -72,6 +72,7 @@ enum driver_flag {
 	DEFAULT_IF = 0x1,
 	FORCE_PAE = 0x2,
 	POWER_SAVE_DISABLE = 0x4,
+	OWE_DISABLE = 0x8,
 };
 
 struct driver_flag_name {
@@ -103,6 +104,7 @@ static const struct driver_flag_name driver_flag_names[] = {
 	{ "DefaultInterface", DEFAULT_IF },
 	{ "ForcePae",         FORCE_PAE },
 	{ "PowerSaveDisable", POWER_SAVE_DISABLE },
+	{ "OweDisable",       OWE_DISABLE },
 };
 
 struct wiphy {
@@ -344,7 +346,8 @@ wpa2_personal:
 		if (info->akm_suites & IE_RSN_AKM_SUITE_PSK)
 			return IE_RSN_AKM_SUITE_PSK;
 	} else if (security == SECURITY_NONE) {
-		if (info->akm_suites & IE_RSN_AKM_SUITE_OWE)
+		if (info->akm_suites & IE_RSN_AKM_SUITE_OWE &&
+					!wiphy_owe_disabled(wiphy))
 			return IE_RSN_AKM_SUITE_OWE;
 	}
 
@@ -721,6 +724,14 @@ bool wiphy_power_save_disabled(struct wiphy *wiphy)
 	return false;
 }
 
+bool wiphy_owe_disabled(struct wiphy *wiphy)
+{
+	if (wiphy->driver_flags & OWE_DISABLE)
+		return true;
+
+	return false;
+}
+
 const uint8_t *wiphy_get_extended_capabilities(struct wiphy *wiphy,
 							uint32_t iftype)
 {
@@ -1355,6 +1366,9 @@ static void wiphy_print_basic_info(struct wiphy *wiphy)
 		if (wiphy->driver_flags & POWER_SAVE_DISABLE)
 			flags = l_strv_append(flags, "PowerSaveDisable");
 
+		if (wiphy->driver_flags & OWE_DISABLE)
+			flags = l_strv_append(flags, "OweDisable");
+
 		joined = l_strjoinv(flags, ' ');
 
 		l_info("\tDriver Flags: %s", joined);
diff --git a/src/wiphy.h b/src/wiphy.h
index fe7e9e49..a68e48c3 100644
--- a/src/wiphy.h
+++ b/src/wiphy.h
@@ -134,6 +134,7 @@ const char *wiphy_get_name(struct wiphy *wiphy);
 bool wiphy_uses_default_if(struct wiphy *wiphy);
 bool wiphy_control_port_enabled(struct wiphy *wiphy);
 bool wiphy_power_save_disabled(struct wiphy *wiphy);
+bool wiphy_owe_disabled(struct wiphy *wiphy);
 const uint8_t *wiphy_get_extended_capabilities(struct wiphy *wiphy,
 							uint32_t iftype);
 const uint8_t *wiphy_get_rm_enabled_capabilities(struct wiphy *wiphy);
-- 
2.34.1

[PATCH v2 2/4] network: don't allow connection to OWE AKM if disabled

[James Prestwood]

---
 src/network.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/network.c b/src/network.c
index 20d9a3dd..5a856fb4 100644
--- a/src/network.c
+++ b/src/network.c
@@ -911,6 +911,9 @@ int network_can_connect_bss(struct network *network, const struct scan_bss *bss)
 		return ret;
 	}
 
+	if (IE_AKM_IS_OWE(rsn.akm_suites) && wiphy_owe_disabled(wiphy))
+		return -EPERM;
+
 	if (!config || !config->have_transition_disable) {
 		if (band == BAND_FREQ_6_GHZ)
 			goto mfp_no_tkip;
-- 
2.34.1

Re: [PATCH v2 2/4] network: don't allow connection to OWE AKM if disabled

[Denis Kenzior]

Hi James,

On 10/23/24 1:29 PM, James Prestwood wrote:
> ---
>   src/network.c | 3 +++
>   1 file changed, 3 insertions(+)
> 
> diff --git a/src/network.c b/src/network.c
> index 20d9a3dd..5a856fb4 100644
> --- a/src/network.c
> +++ b/src/network.c
> @@ -911,6 +911,9 @@ int network_can_connect_bss(struct network *network, const struct scan_bss *bss)
>   		return ret;
>   	}
>   
> +	if (IE_AKM_IS_OWE(rsn.akm_suites) && wiphy_owe_disabled(wiphy))
> +		return -EPERM;
> +

Hmm, why do we need this if we already check wiphy_owe_disabled in 
wiphy_select_akm in patch 1?

...

Ah, I guess this function doesn't perform the special case check like 
station_build_handshake_rsn() does.  That's probably why we have the problem 
with reconnects

>   	if (!config || !config->have_transition_disable) {
>   		if (band == BAND_FREQ_6_GHZ)
>   			goto mfp_no_tkip;

Regards,
-Denis

[PATCH v2 3/4] network: fix OWE transition BSS selection

[James Prestwood]

The selection loop was choosing an initial candidate purely for
use of the "fallback_to_blacklist" flag. But we have a similar
case with OWE transitional networks where we avoid the legacy
open network in preference for OWE:

/* Don't want to connect to the Open BSS if possible */
if (!bss->rsne)
	continue;

If no OWE network gets selected we may iterate all BSS's and end
the loop, which then returns NULL.

To fix this move the blacklist check earlier and still ignore any
BSS's in the blacklist. Also add a new flag in the selection loop
indicating an open network was skipped. If we then exhaust all
other BSS's we can return this candidate.
---
 src/network.c | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

v2:
 - Fixed issue where the loop returned the first candidate, not
   the actual BSS that its currently checking.

diff --git a/src/network.c b/src/network.c
index 5a856fb4..cd8b0ee9 100644
--- a/src/network.c
+++ b/src/network.c
@@ -1281,6 +1281,7 @@ struct scan_bss *network_bss_select(struct network *network,
 	struct l_queue *bss_list = network->bss_list;
 	const struct l_queue_entry *bss_entry;
 	struct scan_bss *candidate = NULL;
+	bool skipped_open = false;
 
 	for (bss_entry = l_queue_get_entries(bss_list); bss_entry;
 			bss_entry = bss_entry->next) {
@@ -1300,30 +1301,34 @@ struct scan_bss *network_bss_select(struct network *network,
 		if (!candidate)
 			candidate = bss;
 
+		/* check if temporarily blacklisted */
+		if (l_queue_find(network->blacklist, match_bss, bss))
+			continue;
+
+		if (blacklist_contains_bss(bss->addr))
+			continue;
+
 		/* OWE Transition BSS */
 		if (bss->owe_trans) {
 			/* Don't want to connect to the Open BSS if possible */
-			if (!bss->rsne)
+			if (!bss->rsne) {
+				skipped_open = true;
 				continue;
+			}
 
 			/* Candidate is not OWE, set this as new candidate */
 			if (!(candidate->owe_trans && candidate->rsne))
 				candidate = bss;
 		}
 
-		/* check if temporarily blacklisted */
-		if (l_queue_find(network->blacklist, match_bss, bss))
-			continue;
-
-		if (!blacklist_contains_bss(bss->addr))
-			return bss;
+		return bss;
 	}
 
 	/*
 	 * No BSS was found, but if we are falling back to blacklisted BSS's we
 	 * can just use the first connectable candidate found above.
 	 */
-	if (fallback_to_blacklist)
+	if (fallback_to_blacklist || skipped_open)
 		return candidate;
 
 	return NULL;
-- 
2.34.1

[PATCH v2 4/4] auto-t: add test for the new OweDisable driver quirk

[James Prestwood]

Tests that when OWE is disabled IWD will still connect to the legacy
open network.
---
 autotests/testOWE-disabled/connection_test.py | 51 +++++++++++++++++++
 autotests/testOWE-disabled/hw.conf            |  7 +++
 autotests/testOWE-disabled/main.conf          |  2 +
 autotests/testOWE-disabled/ssidOWE.conf       | 15 ++++++
 autotests/testOWE-disabled/ssidOpen.conf      |  9 ++++
 autotests/testOWE-disabled/transition.open    |  0
 6 files changed, 84 insertions(+)
 create mode 100644 autotests/testOWE-disabled/connection_test.py
 create mode 100644 autotests/testOWE-disabled/hw.conf
 create mode 100644 autotests/testOWE-disabled/main.conf
 create mode 100644 autotests/testOWE-disabled/ssidOWE.conf
 create mode 100644 autotests/testOWE-disabled/ssidOpen.conf
 create mode 100644 autotests/testOWE-disabled/transition.open

diff --git a/autotests/testOWE-disabled/connection_test.py b/autotests/testOWE-disabled/connection_test.py
new file mode 100644
index 00000000..849cb58a
--- /dev/null
+++ b/autotests/testOWE-disabled/connection_test.py
@@ -0,0 +1,51 @@
+#!/usr/bin/python3
+
+import unittest
+import sys
+
+sys.path.append('../util')
+from iwd import IWD, Network
+from hostapd import HostapdCLI
+import testutil
+
+class Test(unittest.TestCase):
+    def test_autoconnect_to_open(self):
+        IWD.copy_to_storage("transition.open")
+
+        wd = IWD(True)
+
+        devices = wd.list_devices(1)
+        device = devices[0]
+        device.autoconnect = True
+
+        condition = 'obj.state == DeviceState.connected'
+        wd.wait_for_object_condition(device, condition)
+
+        testutil.test_iface_operstate()
+
+        network = Network(device.connected_network)
+
+        self.assertEqual(network.name, "transition")
+        self.assertIn(device.address, self.hapd.list_sta())
+
+        device.disconnect()
+
+    def setUp(self):
+        self.hapd = HostapdCLI(config="ssidOpen.conf")
+        pass
+
+    def tearDown(self):
+        IWD.clear_storage()
+
+        self.wd = None
+
+    @classmethod
+    def setUpClass(cls):
+        pass
+
+    @classmethod
+    def tearDownClass(cls):
+        IWD.clear_storage()
+
+if __name__ == '__main__':
+    unittest.main(exit=True)
diff --git a/autotests/testOWE-disabled/hw.conf b/autotests/testOWE-disabled/hw.conf
new file mode 100644
index 00000000..42b12d59
--- /dev/null
+++ b/autotests/testOWE-disabled/hw.conf
@@ -0,0 +1,7 @@
+[SETUP]
+num_radios=3
+start_iwd=0
+
+[HOSTAPD]
+rad0=ssidOpen.conf
+rad1=ssidOWE.conf
diff --git a/autotests/testOWE-disabled/main.conf b/autotests/testOWE-disabled/main.conf
new file mode 100644
index 00000000..2554c011
--- /dev/null
+++ b/autotests/testOWE-disabled/main.conf
@@ -0,0 +1,2 @@
+[DriverQuirks]
+OweDisable=mac80211_hwsim
\ No newline at end of file
diff --git a/autotests/testOWE-disabled/ssidOWE.conf b/autotests/testOWE-disabled/ssidOWE.conf
new file mode 100644
index 00000000..72809fa6
--- /dev/null
+++ b/autotests/testOWE-disabled/ssidOWE.conf
@@ -0,0 +1,15 @@
+ssid=owe-hidden
+bssid=02:00:00:00:f1:00
+channel=1
+ignore_broadcast_ssid=1
+ieee80211w=1
+
+wpa=2
+wpa_key_mgmt=OWE
+rsn_pairwise=CCMP
+vendor_elements=dd15506f9a1c02000000f0000a7472616e736974696f6e
+
+# You would conventionally use these options but hostapd does not include an
+# IE for the OWE network, hence vendor_elements must be used directly
+#owe_transition_ssid="transition"
+#owe_transition_bssid=02:00:00:00:f0:00
diff --git a/autotests/testOWE-disabled/ssidOpen.conf b/autotests/testOWE-disabled/ssidOpen.conf
new file mode 100644
index 00000000..096b52c4
--- /dev/null
+++ b/autotests/testOWE-disabled/ssidOpen.conf
@@ -0,0 +1,9 @@
+channel=1
+ssid=transition
+bssid=02:00:00:00:f0:00
+vendor_elements=dd15506f9a1c02000000f1000a6f77652d68696464656e
+
+# You would conventionally use these options but hostapd does not include an
+# IE for the OWE network, hence vendor_elements must be used directly
+#owe_transition_ssid="owe-hidden"
+#owe_transition_bssid=02:00:00:00:f1:00
diff --git a/autotests/testOWE-disabled/transition.open b/autotests/testOWE-disabled/transition.open
new file mode 100644
index 00000000..e69de29b
-- 
2.34.1