[PATCH v2 01/10] dbus: add DPP interface

newer

older

[PATCH 1/2] crypto: allow NULL...

iwd configure location and files

James Prestwood

Tuesday, 14 December 2021 Tue, 14 Dec '21

6:12 p.m.

--- src/dbus.h | 1 + 1 file changed, 1 insertion(+) diff --git a/src/dbus.h b/src/dbus.h index 7703b37f..bbc76608 100644 --- a/src/dbus.h +++ b/src/dbus.h @@ -43,6 +43,7 @@ #define IWD_STATION_DIAGNOSTIC_INTERFACE "net.connman.iwd.StationDiagnostic" #define IWD_AP_DIAGNOSTIC_INTERFACE "net.connman.iwd.AccessPointDiagnostic" #define IWD_STATION_DEBUG_INTERFACE "net.connman.iwd.StationDebug" +#define IWD_DPP_INTERFACE "net.connman.iwd.DeviceProvisioning" #define IWD_BASE_PATH "/net/connman/iwd" #define IWD_AGENT_MANAGER_PATH IWD_BASE_PATH -- 2.31.1

Show replies by date

James Prestwood

Tuesday, 14 December Tue, 14 Dec

6:12 p.m.

New subject: [PATCH v2 02/10] dpp: initial skeleton DPP module

--- Makefile.am | 1 + src/dpp.c | 128 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 129 insertions(+) create mode 100644 src/dpp.c v2: * Only create dpp_sm if device is station diff --git a/Makefile.am b/Makefile.am index 312081a0..5d14963b 100644 --- a/Makefile.am +++ b/Makefile.am @@ -250,6 +250,7 @@ src_iwd_SOURCES = src/main.c linux/nl80211.h src/iwd.h src/missing.h \ src/offchannel.h src/offchannel.c \ src/dpp-util.h src/dpp-util.c \ src/json.h src/json.c \ + src/dpp.c \ $(eap_sources) \ $(builtin_sources) diff --git a/src/dpp.c b/src/dpp.c new file mode 100644 index 00000000..d727e639 --- /dev/null +++ b/src/dpp.c @@ -0,0 +1,128 @@ +/* + * + * Wireless daemon for Linux + * + * Copyright (C) 2021 Intel Corporation. All rights reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + * + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <ell/ell.h> + +#include "src/dbus.h" +#include "src/netdev.h" +#include "src/module.h" + +static uint32_t netdev_watch; + +struct dpp_sm { + struct netdev *netdev; +}; + +static void dpp_create(struct netdev *netdev) +{ + struct l_dbus *dbus = dbus_get_bus(); + struct dpp_sm *dpp = l_new(struct dpp_sm, 1); + + dpp->netdev = netdev; + + l_dbus_object_add_interface(dbus, netdev_get_path(netdev), + IWD_DPP_INTERFACE, dpp); +} + +static void dpp_free(struct dpp_sm *dpp) +{ + l_free(dpp); +} + +static void dpp_netdev_watch(struct netdev *netdev, + enum netdev_watch_event event, void *userdata) +{ + if (netdev_get_iftype(netdev) != NETDEV_IFTYPE_STATION) + return; + + switch (event) { + case NETDEV_WATCH_EVENT_NEW: + dpp_create(netdev); + break; + case NETDEV_WATCH_EVENT_DEL: + l_dbus_object_remove_interface(dbus_get_bus(), + netdev_get_path(netdev), + IWD_DPP_INTERFACE); + break; + default: + break; + } +} + +static struct l_dbus_message *dpp_dbus_start_enrollee(struct l_dbus *dbus, + struct l_dbus_message *message, + void *user_data) +{ + struct dpp_sm *dpp = user_data; + + if (!netdev_get_is_up(dpp->netdev)) + return dbus_error_not_available(message); + + return dbus_error_not_supported(message); +} + +static struct l_dbus_message *dpp_dbus_stop(struct l_dbus *dbus, + struct l_dbus_message *message, + void *user_data) +{ + return dbus_error_not_supported(message); +} + +static void dpp_setup_interface(struct l_dbus_interface *interface) +{ + l_dbus_interface_method(interface, "StartEnrollee", 0, + dpp_dbus_start_enrollee, "", "a{sv}", + "uri", "args"); + l_dbus_interface_method(interface, "Stop", 0, + dpp_dbus_stop, "", ""); +} + +static void dpp_destroy_interface(void *user_data) +{ + struct dpp_sm *dpp = user_data; + + dpp_free(dpp); +} + +static int dpp_init(void) +{ + netdev_watch = netdev_watch_add(dpp_netdev_watch, NULL, NULL); + + l_dbus_register_interface(dbus_get_bus(), IWD_DPP_INTERFACE, + dpp_setup_interface, + dpp_destroy_interface, false); + return 0; +} + +static void dpp_exit(void) +{ + l_debug(""); + + netdev_watch_remove(netdev_watch); +} + +IWD_MODULE(dpp, dpp_init, dpp_exit); +IWD_MODULE_DEPENDS(dpp, netdev); -- 2.31.1

Denis Kenzior

9:32 p.m.

New subject: [PATCH v2 02/10] dpp: initial skeleton DPP module

Hi James, On 12/14/21 12:12 PM, James Prestwood wrote:

...

<snip>

...

+ +static void dpp_netdev_watch(struct netdev *netdev, + enum netdev_watch_event event, void *userdata) +{ + if (netdev_get_iftype(netdev) != NETDEV_IFTYPE_STATION) + return; + + switch (event) { + case NETDEV_WATCH_EVENT_NEW:

Can we also create it if the device is UP?

...

+ dpp_create(netdev); + break; + case NETDEV_WATCH_EVENT_DEL:

And delete if the device is DOWN?

...

+ l_dbus_object_remove_interface(dbus_get_bus(), + netdev_get_path(netdev), + IWD_DPP_INTERFACE); + break; + default: + break; + } +} + +static struct l_dbus_message *dpp_dbus_start_enrollee(struct l_dbus *dbus, + struct l_dbus_message *message, + void *user_data) +{ + struct dpp_sm *dpp = user_data; + + if (!netdev_get_is_up(dpp->netdev)) + return dbus_error_not_available(message);

That way you can skip this check. There isn't much point in having this interface around if the device is not UP anyway.

...

+ + return dbus_error_not_supported(message); +} +

Regards, -Denis

James Prestwood

6:12 p.m.

New subject: [PATCH v2 03/10] dpp: generate URI on StartEnrollee

Generates the required keys, hashes, and sets the Uri property --- src/dpp.c | 120 +++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 118 insertions(+), 2 deletions(-) v2; * Removed Frequency option and just choose a default * Use 19 as the default group diff --git a/src/dpp.c b/src/dpp.c index d727e639..10d8f542 100644 --- a/src/dpp.c +++ b/src/dpp.c @@ -29,11 +29,25 @@ #include "src/dbus.h" #include "src/netdev.h" #include "src/module.h" +#include "src/dpp-util.h" +#include "src/band.h" static uint32_t netdev_watch; struct dpp_sm { struct netdev *netdev; + char *uri; + + uint64_t wdev_id; + + uint8_t *pub_asn1; + size_t pub_asn1_len; + uint8_t pub_boot_hash[32]; + const struct l_ecc_curve *curve; + size_t key_len; + size_t nonce_len; + struct l_ecc_scalar *boot_private; + struct l_ecc_point *boot_public; }; static void dpp_create(struct netdev *netdev) @@ -47,8 +61,33 @@ static void dpp_create(struct netdev *netdev) IWD_DPP_INTERFACE, dpp); } +static void dpp_reset(struct dpp_sm *dpp) +{ + if (dpp->uri) { + l_free(dpp->uri); + dpp->uri = NULL; + } + + if (dpp->pub_asn1) { + l_free(dpp->pub_asn1); + dpp->pub_asn1 = NULL; + } + + if (dpp->boot_public) { + l_ecc_point_free(dpp->boot_public); + dpp->boot_public = NULL; + } + + if (dpp->boot_private) { + l_ecc_scalar_free(dpp->boot_private); + dpp->boot_private = NULL; + } +} + static void dpp_free(struct dpp_sm *dpp) { + dpp_reset(dpp); + l_free(dpp); } @@ -72,23 +111,100 @@ static void dpp_netdev_watch(struct netdev *netdev, } } +static bool dpp_parse_enrollee_params(struct l_dbus_message *message, + const char **info_out, + const char **host_out) +{ + struct l_dbus_message_iter iter; + struct l_dbus_message_iter variant; + const char *key; + char *info = NULL, *host = NULL; + + if (!l_dbus_message_get_arguments(message, "a{sv}", &iter)) { + l_error("Failed to parse StartEnrollee parameters"); + return false; + } + + while (l_dbus_message_iter_next_entry(&iter, &key, &variant)) { + if (!strcmp(key, "Information")) { + if (!l_dbus_message_iter_get_variant(&variant, "s", + &info)) + return false; + } else if (!strcmp(key, "Host")) { + if (!l_dbus_message_iter_get_variant(&variant, "s", + &host)) + return false; + } + /* + * TODO: + * - Allow a MAC to be specififed, this would require changing + * the device MAC prior to starting. + * - Allow a custom key pair to be supplied, or some way of + * deterministically generating one based on some seed. + */ + } + + if (info_out && info) + *info_out = info; + else if (!info_out && info) + l_free(info); + + if (host_out && host) + *host_out = host; + else if (!host_out && host) + l_free(host); + + return true; +} + static struct l_dbus_message *dpp_dbus_start_enrollee(struct l_dbus *dbus, struct l_dbus_message *message, void *user_data) { struct dpp_sm *dpp = user_data; + const char *info = NULL, *host = NULL; + uint32_t freq = band_channel_to_freq(6, BAND_FREQ_2_4_GHZ); if (!netdev_get_is_up(dpp->netdev)) return dbus_error_not_available(message); - return dbus_error_not_supported(message); + if (!dpp_parse_enrollee_params(message, &info, &host)) + return dbus_error_invalid_args(message); + + dpp->curve = l_ecc_curve_from_ike_group(19); + dpp->key_len = l_ecc_curve_get_scalar_bytes(dpp->curve); + dpp->nonce_len = dpp_nonce_len_from_key_len(dpp->key_len); + + l_ecdh_generate_key_pair(dpp->curve, &dpp->boot_private, + &dpp->boot_public); + + dpp->pub_asn1 = l_ecc_point_to_asn1(dpp->boot_public, + &dpp->pub_asn1_len); + + dpp_hash(L_CHECKSUM_SHA256, dpp->pub_boot_hash, 1, + dpp->pub_asn1, dpp->pub_asn1_len); + + dpp->uri = dpp_generate_uri(dpp->pub_asn1, dpp->pub_asn1_len, 2, + netdev_get_address(dpp->netdev), &freq, + 1, info, host); + + l_debug("DPP Start Enrollee: %s", dpp->uri); + + l_dbus_property_changed(dbus_get_bus(), netdev_get_path(dpp->netdev), + IWD_DPP_INTERFACE, "Uri"); + + return l_dbus_message_new_method_return(message); } static struct l_dbus_message *dpp_dbus_stop(struct l_dbus *dbus, struct l_dbus_message *message, void *user_data) { - return dbus_error_not_supported(message); + struct dpp_sm *dpp = user_data; + + dpp_reset(dpp); + + return l_dbus_message_new_method_return(message); } static void dpp_setup_interface(struct l_dbus_interface *interface) -- 2.31.1

Denis Kenzior

11:28 p.m.

New subject: [PATCH v2 03/10] dpp: generate URI on StartEnrollee

Hi James, On 12/14/21 12:12 PM, James Prestwood wrote:

...

<snip>

...

@@ -72,23 +111,100 @@ static void dpp_netdev_watch(struct netdev *netdev, } } +static bool dpp_parse_enrollee_params(struct l_dbus_message *message, + const char **info_out, + const char **host_out) +{ + struct l_dbus_message_iter iter; + struct l_dbus_message_iter variant; + const char *key; + char *info = NULL, *host = NULL; + + if (!l_dbus_message_get_arguments(message, "a{sv}", &iter)) { + l_error("Failed to parse StartEnrollee parameters"); + return false; + } + + while (l_dbus_message_iter_next_entry(&iter, &key, &variant)) { + if (!strcmp(key, "Information")) { + if (!l_dbus_message_iter_get_variant(&variant, "s", + &info)) + return false; + } else if (!strcmp(key, "Host")) { + if (!l_dbus_message_iter_get_variant(&variant, "s", + &host)) + return false; + } + /* + * TODO: + * - Allow a MAC to be specififed, this would require changing + * the device MAC prior to starting. + * - Allow a custom key pair to be supplied, or some way of + * deterministically generating one based on some seed. + */ + } +

Note that Information & Hostname have some limitations as to what characters are allowed. DBus strings are valid UTF8 strings, but it seems EasyConnect spec wants these to be ASCII sans ';' characters. Given the lack of utility of these parameters, perhaps we should just drop them entirely.

...

+ if (info_out && info) + *info_out = info; + else if (!info_out && info) + l_free(info); + + if (host_out && host) + *host_out = host; + else if (!host_out && host) + l_free(host); + + return true; +} + static struct l_dbus_message *dpp_dbus_start_enrollee(struct l_dbus *dbus, struct l_dbus_message *message, void *user_data) { struct dpp_sm *dpp = user_data; + const char *info = NULL, *host = NULL; + uint32_t freq = band_channel_to_freq(6, BAND_FREQ_2_4_GHZ); if (!netdev_get_is_up(dpp->netdev)) return dbus_error_not_available(message); - return dbus_error_not_supported(message); + if (!dpp_parse_enrollee_params(message, &info, &host)) + return dbus_error_invalid_args(message); + + dpp->curve = l_ecc_curve_from_ike_group(19); + dpp->key_len = l_ecc_curve_get_scalar_bytes(dpp->curve); + dpp->nonce_len = dpp_nonce_len_from_key_len(dpp->key_len); +

Since the curve is most likely always going to be the same, it might make sense to initialize these parts when creating the dpp_sm object.

...

+ l_ecdh_generate_key_pair(dpp->curve, &dpp->boot_private, + &dpp->boot_public);

Similarly, maybe the boot key should be created only once or when the dpp_sm object is created?

...

+ + dpp->pub_asn1 = l_ecc_point_to_asn1(dpp->boot_public, + &dpp->pub_asn1_len); + + dpp_hash(L_CHECKSUM_SHA256, dpp->pub_boot_hash, 1, + dpp->pub_asn1, dpp->pub_asn1_len); + + dpp->uri = dpp_generate_uri(dpp->pub_asn1, dpp->pub_asn1_len, 2, + netdev_get_address(dpp->netdev), &freq, + 1, info, host); + + l_debug("DPP Start Enrollee: %s", dpp->uri); + + l_dbus_property_changed(dbus_get_bus(), netdev_get_path(dpp->netdev), + IWD_DPP_INTERFACE, "Uri");

There is no such property now. And you should return the uri string as part of the method return.

...

+ + return l_dbus_message_new_method_return(message); }

<snip> Regards, -Denis

James Prestwood

6:12 p.m.

New subject: [PATCH v2 04/10] dpp-util: add dpp status and attribute types

--- src/dpp-util.h | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) v2: * Remove __DPP_STATUS_INVALID diff --git a/src/dpp-util.h b/src/dpp-util.h index ad360cdd..75bc33c1 100644 --- a/src/dpp-util.h +++ b/src/dpp-util.h @@ -34,6 +34,46 @@ struct dpp_uri_info { char *host; }; +enum dpp_frame_type { + DPP_FRAME_AUTHENTICATION_REQUEST = 0, + DPP_FRAME_AUTHENTICATION_RESPONSE = 1, + DPP_FRAME_AUTHENTICATION_CONFIRM = 2, + /* 3 - 4 reserved */ + DPP_FRAME_PEER_DISCOVERY_REQUEST = 5, + DPP_FRAME_PEER_DISCOVERY_RESPONSE = 6, + DPP_FRAME_PKEX_VERSION1_XCHG_REQUST = 7, + DPP_FRAME_PKEX_XCHG_RESPONSE = 8, + DPP_FRAME_PKEX_COMMIT_REVEAL_REQUEST = 9, + DPP_FRAME_PKEX_COMMIT_REVEAP_RESPONSE = 10, + DPP_FRAME_CONFIGURATION_RESULT = 11, + DPP_FRAME_CONNECTION_STATUS_RESULT = 12, + DPP_FRAME_PRESENCE_ANNOUNCEMENT = 13, + DPP_FRAME_RECONF_ANNOUNCEMENT = 14, + DPP_FRAME_RECONF_AUTHENTICATION_REQUEST = 15, + DPP_FRAME_RECONF_AUTHENTICATION_RESPONSE = 16, + DPP_FRAME_RECONF_AUTHENTICATION_CONFIRM = 17, + DPP_FRAME_PKEX_XCHG_REQUEST = 18, + /* 19 - 255 reserved */ +}; + +enum dpp_status { + DPP_STATUS_OK, + DPP_STATUS_NOT_COMPATIBLE, + DPP_STATUS_AUTH_FAILURE, + DPP_STATUS_BAD_CODE, + DPP_STATUS_BAD_GROUP, + DPP_STATUS_CONFIGURE_FAILURE, + DPP_STATUS_RESPONSE_PENDING, + DPP_STATUS_INVALID_CONNECTOR, + DPP_STATUS_NO_MATCH, + DPP_STATUS_CONFIG_REJECTED, + DPP_STATUS_NO_AP, + DPP_STATUS_CONFIGURE_PENDING, + DPP_STATUS_CSR_NEEDED, + DPP_STATUS_CSR_BAD, + DPP_STATUS_NEW_KEY_NEEDED, +}; + enum dpp_attribute_type { /* 0000 - 0FFF reserved */ DPP_ATTR_STATUS = 0x1000, -- 2.31.1

James Prestwood

6:12 p.m.

New subject: [PATCH v2 05/10] dpp: send presence announcements on StartEnrollee

The presence procedure implemented is a far cry from what the spec actually wants. There are two reason for this: a) the kernels offchannel support is not at a level where it will work without rather annoying work arounds, and b) doing the procedure outlined in the spec will result in terrible discovery performance. Because of this a simpler single channel announcement is done by default and the full presence procedure is left out until/if it is needed. --- src/dpp.c | 251 +++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 250 insertions(+), 1 deletion(-) v2: * Use a single frequency by default * Removed scanning from presence procedure diff --git a/src/dpp.c b/src/dpp.c index 10d8f542..ddc7c3c9 100644 --- a/src/dpp.c +++ b/src/dpp.c @@ -24,15 +24,33 @@ #include <config.h> #endif +#include <errno.h> + #include <ell/ell.h> +#include "linux/nl80211.h" + #include "src/dbus.h" #include "src/netdev.h" #include "src/module.h" #include "src/dpp-util.h" #include "src/band.h" +#include "src/offchannel.h" +#include "src/scan.h" +#include "src/wiphy.h" +#include "src/ie.h" +#include "src/frame-xchg.h" +#include "src/iwd.h" +#include "src/util.h" static uint32_t netdev_watch; +static struct l_genl_family *nl80211; +static uint8_t broadcast[] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff}; + +enum dpp_state { + DPP_STATE_NOTHING, + DPP_STATE_PRESENCE, +}; struct dpp_sm { struct netdev *netdev; @@ -48,14 +66,120 @@ struct dpp_sm { size_t nonce_len; struct l_ecc_scalar *boot_private; struct l_ecc_point *boot_public; + + enum dpp_state state; + + uint32_t *freqs; + size_t freqs_len; + size_t freqs_idx; + uint32_t dwell; + uint32_t current_freq; + struct scan_freq_set *presence_list; + + uint32_t offchannel_id; }; +static void dpp_send_frame_cb(struct l_genl_msg *msg, void *user_data) +{ + if (l_genl_msg_get_error(msg) < 0) + l_error("Error sending frame"); +} + +static void dpp_send_frame(uint64_t wdev_id, struct iovec *iov, size_t iov_len, + uint32_t freq) +{ + struct l_genl_msg *msg; + + msg = l_genl_msg_new_sized(NL80211_CMD_FRAME, 512); + l_genl_msg_append_attr(msg, NL80211_ATTR_WDEV, 8, &wdev_id); + l_genl_msg_append_attr(msg, NL80211_ATTR_WIPHY_FREQ, 4, &freq); + l_genl_msg_append_attr(msg, NL80211_ATTR_OFFCHANNEL_TX_OK, 0, NULL); + l_genl_msg_append_attrv(msg, NL80211_ATTR_FRAME, iov, iov_len); + + l_debug("Sending frame on frequency %u", freq); + + if (!l_genl_family_send(nl80211, msg, dpp_send_frame_cb, NULL, NULL)) + l_error("Could not send CMD_FRAME"); +} + +static size_t dpp_append_attr(uint8_t *to, enum dpp_attribute_type type, + void *attr, size_t attr_len) +{ + l_put_le16(type, to); + l_put_le16(attr_len, to + 2); + memcpy(to + 4, attr, attr_len); + + return attr_len + 4; +} + +static size_t dpp_build_header(const uint8_t *src, const uint8_t *dest, + enum dpp_frame_type type, + uint8_t buf[static 32]) +{ + uint8_t *ptr = buf + 24; + + memset(buf, 0, 32); + + l_put_le16(0x00d0, buf); + memcpy(buf + 4, dest, 6); + memcpy(buf + 10, src, 6); + memcpy(buf + 16, broadcast, 6); + + *ptr++ = 0x04; /* Category: Public */ + *ptr++ = 0x09; /* Action: Vendor specific usage */ + memcpy(ptr, wifi_alliance_oui, 3); + ptr += 3; + *ptr++ = 0x1a; /* WiFi Alliance DPP OI type */ + *ptr++ = 1; /* Cryptosuite */ + *ptr++ = type; + + return ptr - buf; +} + +static void dpp_presence_announce(struct dpp_sm *dpp) +{ + struct netdev *netdev = dpp->netdev; + uint8_t hdr[32]; + uint8_t attrs[32 + 4]; + uint8_t hash[32]; + uint8_t *ptr = attrs; + const uint8_t *addr = netdev_get_address(netdev); + struct iovec iov[3]; + + iov[0].iov_len = dpp_build_header(addr, broadcast, + DPP_FRAME_PRESENCE_ANNOUNCEMENT, hdr); + iov[0].iov_base = hdr; + + dpp_hash(L_CHECKSUM_SHA256, hash, 2, "chirp", strlen("chirp"), + dpp->pub_asn1, dpp->pub_asn1_len); + + ptr += dpp_append_attr(ptr, DPP_ATTR_RESPONDER_BOOT_KEY_HASH, hash, 32); + + iov[1].iov_base = attrs; + iov[1].iov_len = ptr - attrs; + iov[2].iov_base = NULL; + + l_debug("Sending presense annoucement on frequency %u and waiting %u", + dpp->current_freq, dpp->dwell); + + dpp_send_frame(netdev_get_wdev_id(netdev), iov, 2, dpp->current_freq); +} + +static void dpp_roc_started(void *user_data) +{ + struct dpp_sm *dpp = user_data; + + dpp_presence_announce(dpp); +} + static void dpp_create(struct netdev *netdev) { struct l_dbus *dbus = dbus_get_bus(); struct dpp_sm *dpp = l_new(struct dpp_sm, 1); dpp->netdev = netdev; + dpp->state = DPP_STATE_NOTHING; + dpp->wdev_id = netdev_get_wdev_id(netdev); l_dbus_object_add_interface(dbus, netdev_get_path(netdev), IWD_DPP_INTERFACE, dpp); @@ -82,12 +206,22 @@ static void dpp_reset(struct dpp_sm *dpp) l_ecc_scalar_free(dpp->boot_private); dpp->boot_private = NULL; } + + dpp->state = DPP_STATE_NOTHING; } static void dpp_free(struct dpp_sm *dpp) { dpp_reset(dpp); + if (dpp->freqs) + l_free(dpp->freqs); + + if (dpp->offchannel_id) { + offchannel_cancel(dpp->wdev_id, dpp->offchannel_id); + dpp->offchannel_id = 0; + } + l_free(dpp); } @@ -111,6 +245,98 @@ static void dpp_netdev_watch(struct netdev *netdev, } } +static void dpp_presence_timeout(int error, void *user_data) +{ + struct dpp_sm *dpp = user_data; + + if (dpp->state != DPP_STATE_PRESENCE) { + l_debug("DPP state changed, stopping presence announcements"); + dpp->freqs_idx = 0; + return; + } + + dpp->freqs_idx++; + + if (dpp->freqs_idx >= dpp->freqs_len) { + l_debug("Max retries on presence announcements"); + dpp->freqs_idx = 0; + } + + dpp->current_freq = dpp->freqs[dpp->freqs_idx]; + + l_debug("Presence timeout, moving to next frequency %u, duration %u", + dpp->current_freq, dpp->dwell); + + dpp->offchannel_id = offchannel_start(netdev_get_wdev_id(dpp->netdev), + dpp->current_freq, dpp->dwell, dpp_roc_started, + dpp, dpp_presence_timeout); +} + +/* + * EasyConnect 2.0 - 6.2.2 + */ +static uint32_t *dpp_add_default_channels(struct dpp_sm *dpp, size_t *len_out) +{ + struct wiphy *wiphy = wiphy_find_by_wdev( + netdev_get_wdev_id(dpp->netdev)); + const struct scan_freq_set *list = wiphy_get_supported_freqs(wiphy); + uint32_t freq; + + if (!dpp->presence_list) + dpp->presence_list = scan_freq_set_new(); + + scan_freq_set_add(dpp->presence_list, band_channel_to_freq(6, + BAND_FREQ_2_4_GHZ)); + /* + * "5 GHz: Channel 44 (5.220 GHz) if local regulations permit operation + * only in the 5.150 - 5.250 GHz band and Channel 149 (5.745 GHz) + * otherwise" + */ + freq = band_channel_to_freq(149, BAND_FREQ_5_GHZ); + + if (scan_freq_set_contains(list, freq)) + scan_freq_set_add(dpp->presence_list, freq); + else + scan_freq_set_add(dpp->presence_list, + band_channel_to_freq(44, BAND_FREQ_5_GHZ)); + + /* TODO: 60GHz: Channel 2 */ + + return scan_freq_set_to_fixed_array(dpp->presence_list, len_out); +} + +/* + * TODO: There is an entire procedure defined in the spec where you increase + * the ROC timeout with each unsuccessful iteration of channels, wait on channel + * for long periods of time etc. Due to offchannel issues in the kernel this + * procedure is not being fully implemented. In reality doing this would result + * in quite terrible DPP performance anyways. + */ +static void dpp_start_presence_announcements(struct dpp_sm *dpp, + uint32_t *limit_freqs, + size_t limit_len) +{ + uint32_t max_roc = wiphy_get_max_roc_duration( + wiphy_find_by_wdev(dpp->wdev_id)); + + if (2000 < max_roc) + max_roc = 2000; + + if (limit_freqs) { + dpp->freqs = limit_freqs; + dpp->freqs_len = limit_len; + } else + dpp->freqs = dpp_add_default_channels(dpp, &dpp->freqs_len); + + dpp->dwell = max_roc; + dpp->freqs_idx = 0; + dpp->current_freq = dpp->freqs[0]; + + dpp->offchannel_id = offchannel_start(netdev_get_wdev_id(dpp->netdev), + dpp->current_freq, dpp->dwell, dpp_roc_started, + dpp, dpp_presence_timeout); +} + static bool dpp_parse_enrollee_params(struct l_dbus_message *message, const char **info_out, const char **host_out) @@ -164,10 +390,14 @@ static struct l_dbus_message *dpp_dbus_start_enrollee(struct l_dbus *dbus, struct dpp_sm *dpp = user_data; const char *info = NULL, *host = NULL; uint32_t freq = band_channel_to_freq(6, BAND_FREQ_2_4_GHZ); + struct l_dbus_message *reply; if (!netdev_get_is_up(dpp->netdev)) return dbus_error_not_available(message); + if (dpp->state != DPP_STATE_NOTHING) + return dbus_error_already_exists(message); + if (!dpp_parse_enrollee_params(message, &info, &host)) return dbus_error_invalid_args(message); @@ -188,12 +418,25 @@ static struct l_dbus_message *dpp_dbus_start_enrollee(struct l_dbus *dbus, netdev_get_address(dpp->netdev), &freq, 1, info, host); + dpp->state = DPP_STATE_PRESENCE; + l_debug("DPP Start Enrollee: %s", dpp->uri); l_dbus_property_changed(dbus_get_bus(), netdev_get_path(dpp->netdev), IWD_DPP_INTERFACE, "Uri"); - return l_dbus_message_new_method_return(message); + /* + * Going off spec here. Select a single channel to send presence + * announcements on. This will be advertised in the URI. The full + * presence procedure can be implemented if it is ever needed. + */ + dpp_start_presence_announcements(dpp, &freq, 1); + + reply = l_dbus_message_new_method_return(message); + + l_dbus_message_set_arguments(reply, "s", dpp->uri); + + return reply; } static struct l_dbus_message *dpp_dbus_stop(struct l_dbus *dbus, @@ -225,6 +468,12 @@ static void dpp_destroy_interface(void *user_data) static int dpp_init(void) { + nl80211 = l_genl_family_new(iwd_get_genl(), NL80211_GENL_NAME); + if (!nl80211) { + l_error("Failed to obtain nl80211"); + return -EIO; + } + netdev_watch = netdev_watch_add(dpp_netdev_watch, NULL, NULL); l_dbus_register_interface(dbus_get_bus(), IWD_DPP_INTERFACE, -- 2.31.1

Denis Kenzior

11:50 p.m.

New subject: [PATCH v2 05/10] dpp: send presence announcements on StartEnrollee

Hi James, On 12/14/21 12:12 PM, James Prestwood wrote:

...

Do you need this part if no scanning is done?

...

+#include "src/wiphy.h" +#include "src/ie.h" +#include "src/frame-xchg.h"

Or this?

...

+#include "src/iwd.h" +#include "src/util.h" static uint32_t netdev_watch; +static struct l_genl_family *nl80211; +static uint8_t broadcast[] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff}; +

nit: space after { and before }.

...

+enum dpp_state { + DPP_STATE_NOTHING, + DPP_STATE_PRESENCE, +}; struct dpp_sm { struct netdev *netdev; @@ -48,14 +66,120 @@ struct dpp_sm { size_t nonce_len; struct l_ecc_scalar *boot_private; struct l_ecc_point *boot_public; + + enum dpp_state state; + + uint32_t *freqs; + size_t freqs_len; + size_t freqs_idx; + uint32_t dwell; + uint32_t current_freq; + struct scan_freq_set *presence_list; + > + uint32_t offchannel_id; };

<snip>

...

+static void dpp_presence_announce(struct dpp_sm *dpp) +{ + struct netdev *netdev = dpp->netdev; + uint8_t hdr[32]; + uint8_t attrs[32 + 4]; + uint8_t hash[32]; + uint8_t *ptr = attrs; + const uint8_t *addr = netdev_get_address(netdev); + struct iovec iov[3];

Hmm, you only use 2 iovs?

...

+ + iov[0].iov_len = dpp_build_header(addr, broadcast, + DPP_FRAME_PRESENCE_ANNOUNCEMENT, hdr); + iov[0].iov_base = hdr; + + dpp_hash(L_CHECKSUM_SHA256, hash, 2, "chirp", strlen("chirp"), + dpp->pub_asn1, dpp->pub_asn1_len); + + ptr += dpp_append_attr(ptr, DPP_ATTR_RESPONDER_BOOT_KEY_HASH, hash, 32); + + iov[1].iov_base = attrs; + iov[1].iov_len = ptr - attrs; + iov[2].iov_base = NULL;

This one seems extraneous.

...

+ + l_debug("Sending presense annoucement on frequency %u and waiting %u", + dpp->current_freq, dpp->dwell); + + dpp_send_frame(netdev_get_wdev_id(netdev), iov, 2, dpp->current_freq); +} +

<snip>

...

+/* + * TODO: There is an entire procedure defined in the spec where you increase + * the ROC timeout with each unsuccessful iteration of channels, wait on channel + * for long periods of time etc. Due to offchannel issues in the kernel this + * procedure is not being fully implemented. In reality doing this would result + * in quite terrible DPP performance anyways. + */ +static void dpp_start_presence_announcements(struct dpp_sm *dpp, + uint32_t *limit_freqs, + size_t limit_len) +{ + uint32_t max_roc = wiphy_get_max_roc_duration( + wiphy_find_by_wdev(dpp->wdev_id)); + + if (2000 < max_roc) + max_roc = 2000; + + if (limit_freqs) { + dpp->freqs = limit_freqs; + dpp->freqs_len = limit_len;

This seems wrong since you're pointing to stack memory that will go *poof*.

...

+ } else + dpp->freqs = dpp_add_default_channels(dpp, &dpp->freqs_len); + + dpp->dwell = max_roc; + dpp->freqs_idx = 0; + dpp->current_freq = dpp->freqs[0]; + + dpp->offchannel_id = offchannel_start(netdev_get_wdev_id(dpp->netdev), + dpp->current_freq, dpp->dwell, dpp_roc_started, + dpp, dpp_presence_timeout); +} + static bool dpp_parse_enrollee_params(struct l_dbus_message *message, const char **info_out, const char **host_out) @@ -164,10 +390,14 @@ static struct l_dbus_message *dpp_dbus_start_enrollee(struct l_dbus *dbus, struct dpp_sm *dpp = user_data; const char *info = NULL, *host = NULL; uint32_t freq = band_channel_to_freq(6, BAND_FREQ_2_4_GHZ); + struct l_dbus_message *reply; if (!netdev_get_is_up(dpp->netdev)) return dbus_error_not_available(message); + if (dpp->state != DPP_STATE_NOTHING) + return dbus_error_already_exists(message);

dbus_error_busy

...

+ if (!dpp_parse_enrollee_params(message, &info, &host)) return dbus_error_invalid_args(message); @@ -188,12 +418,25 @@ static struct l_dbus_message *dpp_dbus_start_enrollee(struct l_dbus *dbus, netdev_get_address(dpp->netdev), &freq, 1, info, host); + dpp->state = DPP_STATE_PRESENCE; + l_debug("DPP Start Enrollee: %s", dpp->uri); l_dbus_property_changed(dbus_get_bus(), netdev_get_path(dpp->netdev), IWD_DPP_INTERFACE, "Uri"); - return l_dbus_message_new_method_return(message); + /* + * Going off spec here. Select a single channel to send presence + * announcements on. This will be advertised in the URI. The full + * presence procedure can be implemented if it is ever needed. + */ + dpp_start_presence_announcements(dpp, &freq, 1);

Looks like freq from patch 03 belongs here.

...

+ + reply = l_dbus_message_new_method_return(message); + + l_dbus_message_set_arguments(reply, "s", dpp->uri); + + return reply; } static struct l_dbus_message *dpp_dbus_stop(struct l_dbus *dbus,

Regards, -Denis

James Prestwood

6:12 p.m.

New subject: [PATCH v2 06/10] dpp: add DPP authentication protocol

This implements the DPP protocol used to authenticate to a DPP configurator. Note this is not a full implementation of the protocol and there are a few missing features which will be added as needed: - Mutual authentication (needed for BLE bootstrapping) - Configurator support - Initiator role --- src/dpp.c | 571 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 571 insertions(+) diff --git a/src/dpp.c b/src/dpp.c index ddc7c3c9..78074fd2 100644 --- a/src/dpp.c +++ b/src/dpp.c @@ -42,6 +42,9 @@ #include "src/frame-xchg.h" #include "src/iwd.h" #include "src/util.h" +#include "src/crypto.h" +#include "src/mpdu.h" +#include "ell/useful.h" static uint32_t netdev_watch; static struct l_genl_family *nl80211; @@ -50,6 +53,7 @@ static uint8_t broadcast[] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff}; enum dpp_state { DPP_STATE_NOTHING, DPP_STATE_PRESENCE, + DPP_STATE_AUTHENTICATING, }; struct dpp_sm { @@ -77,6 +81,18 @@ struct dpp_sm { struct scan_freq_set *presence_list; uint32_t offchannel_id; + + uint8_t auth_addr[6]; + uint8_t r_nonce[32]; + uint8_t i_nonce[32]; + + uint64_t ke[L_ECC_MAX_DIGITS]; + uint64_t k2[L_ECC_MAX_DIGITS]; + + struct l_ecc_scalar *proto_private; + struct l_ecc_point *proto_public; + + struct l_ecc_point *i_proto_public; }; static void dpp_send_frame_cb(struct l_genl_msg *msg, void *user_data) @@ -102,6 +118,34 @@ static void dpp_send_frame(uint64_t wdev_id, struct iovec *iov, size_t iov_len, l_error("Could not send CMD_FRAME"); } +static uint8_t *dpp_unwrap_attr(enum dpp_frame_type type, const void *start, + const void *key, size_t key_len, + const uint8_t *wrapped, size_t wrapped_len, + size_t *unwrapped_len) +{ + uint8_t ad0[] = { 0x50, 0x6f, 0x9a, 0x1a, 0x01, type }; + struct iovec ad[2]; + uint8_t *unwrapped; + + ad[0].iov_base = ad0; + ad[0].iov_len = sizeof(ad0); + + ad[1].iov_base = (void *)start; + ad[1].iov_len = ((wrapped - 4) - ((const uint8_t *)start)); + + unwrapped = l_malloc(wrapped_len - 16); + + if (!aes_siv_decrypt(key, key_len, wrapped, wrapped_len, ad, 2, + unwrapped)) { + l_free(unwrapped); + return NULL; + } + + *unwrapped_len = wrapped_len - 16; + + return unwrapped; +} + static size_t dpp_append_attr(uint8_t *to, enum dpp_attribute_type type, void *attr, size_t attr_len) { @@ -112,6 +156,93 @@ static size_t dpp_append_attr(uint8_t *to, enum dpp_attribute_type type, return attr_len + 4; } +/* + * Encrypt DPP attributes encapsulated in DPP wrapped data. + * + * hdr - pointer to start of OUI, or NULL + * wrap_start - pointer to the start of wrapped data attribute + * to - buffer to encrypt data. + * to_len - size of 'to' + * key - key used to encrypt + * key_len - size of 'key' + * num_attrs - number of attributes listed (type, length, data triplets) + * ... - List of attributes, Type, Length, and data + */ +static size_t dpp_append_wrapped_data(uint8_t *hdr, uint8_t *wrap_start, + uint8_t *to, size_t to_len, + const void *key, size_t key_len, + size_t num_attrs, ...) +{ + size_t i; + size_t attrs_len = 0; + _auto_(l_free) uint8_t *plaintext = NULL; + uint8_t *ptr; + struct iovec ad[2]; + size_t ad_size = 0; + va_list va; + + if (hdr) { + ad[0].iov_base = hdr; + ad[0].iov_len = 6; + ad_size++; + } + + va_start(va, num_attrs); + + /* Count up total attributes length */ + for (i = 0; i < num_attrs; i++) { + va_arg(va, enum dpp_attribute_type); + attrs_len += va_arg(va, size_t) + 4; + va_arg(va, void*); + } + + if (to_len < attrs_len + 4 + 16) + return false; + + plaintext = l_malloc(attrs_len); + + ptr = plaintext; + + va_end(va); + + va_start(va, num_attrs); + + /* Build up plaintext attributes */ + for (i = 0; i < num_attrs; i++) { + enum dpp_attribute_type type = va_arg(va, + enum dpp_attribute_type); + size_t l = va_arg(va, size_t); + void *p = va_arg(va, void *); + + l_put_le16(type, ptr); + ptr += 2; + l_put_le16(l, ptr); + ptr += 2; + memcpy(ptr, p, l); + ptr += l; + } + + va_end(va); + + ptr = to; + + l_put_le16(DPP_ATTR_WRAPPED_DATA, ptr); + ptr += 2; + l_put_le16(attrs_len + 16, ptr); + ptr += 2; + + if (wrap_start) { + ad[1].iov_base = wrap_start; + ad[1].iov_len = ptr - wrap_start - 4; + ad_size++; + } + + aes_siv_encrypt(key, key_len, plaintext, attrs_len, + ad, ad_size, ptr); + + return attrs_len + 4 + 16; +} + static size_t dpp_build_header(const uint8_t *src, const uint8_t *dest, enum dpp_frame_type type, uint8_t buf[static 32]) @@ -136,6 +267,439 @@ static size_t dpp_build_header(const uint8_t *src, const uint8_t *dest, return ptr - buf; } +static void dpp_free_auth_data(struct dpp_sm *dpp) +{ + if (dpp->proto_public) { + l_ecc_point_free(dpp->proto_public); + dpp->proto_public = NULL; + } + + if (dpp->proto_private) { + l_ecc_scalar_free(dpp->proto_private); + dpp->proto_private = NULL; + } + + if (dpp->i_proto_public) { + l_ecc_point_free(dpp->i_proto_public); + dpp->i_proto_public = NULL; + } +} + +static void send_authenticate_response(struct dpp_sm *dpp, void *r_auth) +{ + uint8_t hdr[32]; + uint8_t attrs[512]; + uint8_t *ptr = attrs; + uint8_t status = DPP_STATUS_OK; + uint64_t r_proto_key[L_ECC_MAX_DIGITS * 2]; + uint8_t version = 2; + uint8_t r_capabilities = 0x01; + struct iovec iov[3]; + uint8_t wrapped2_plaintext[dpp->key_len + 4]; + uint8_t wrapped2[dpp->key_len + 16 + 8]; + size_t wrapped2_len; + + l_ecc_point_get_data(dpp->proto_public, r_proto_key, + sizeof(r_proto_key)); + + iov[0].iov_len = dpp_build_header(netdev_get_address(dpp->netdev), + dpp->auth_addr, + DPP_FRAME_AUTHENTICATION_RESPONSE, hdr); + iov[0].iov_base = hdr; + + ptr += dpp_append_attr(ptr, DPP_ATTR_STATUS, &status, 1); + ptr += dpp_append_attr(ptr, DPP_ATTR_RESPONDER_BOOT_KEY_HASH, + dpp->pub_boot_hash, 32); + ptr += dpp_append_attr(ptr, DPP_ATTR_RESPONDER_PROTOCOL_KEY, + r_proto_key, dpp->key_len * 2); + ptr += dpp_append_attr(ptr, DPP_ATTR_PROTOCOL_VERSION, &version, 1); + + /* Wrap up secondary data (R-Auth) */ + wrapped2_len = dpp_append_attr(wrapped2_plaintext, + DPP_ATTR_RESPONDER_AUTH_TAG, + r_auth, dpp->key_len); + aes_siv_encrypt(dpp->ke, dpp->key_len, wrapped2_plaintext, + dpp->key_len + 4, NULL, 0, wrapped2); + + wrapped2_len += 16; + + /* Wrap up primary data */ + ptr += dpp_append_wrapped_data(hdr + 26, attrs, + ptr, 512, dpp->k2, dpp->key_len, 4, + DPP_ATTR_RESPONDER_NONCE, dpp->nonce_len, dpp->r_nonce, + DPP_ATTR_INITIATOR_NONCE, dpp->nonce_len, dpp->i_nonce, + DPP_ATTR_RESPONDER_CAPABILITIES, 1, &r_capabilities, + DPP_ATTR_WRAPPED_DATA, wrapped2_len, wrapped2); + + iov[1].iov_base = attrs; + iov[1].iov_len = ptr - attrs; + iov[2].iov_base = NULL; + + dpp_send_frame(netdev_get_wdev_id(dpp->netdev), iov, 2, + dpp->current_freq); +} + +static void authenticate_confirm(struct dpp_sm *dpp, const uint8_t *from, + const uint8_t *attrs, size_t attrs_len) +{ + struct dpp_attr_iter iter; + enum dpp_attribute_type type; + size_t len; + const uint8_t *data; + int status = -1; + const uint8_t *r_boot_hash = NULL, *wrapped = NULL; + const uint8_t *i_auth = NULL; + size_t i_auth_len; + _auto_(l_free) uint8_t *unwrapped = NULL; + size_t wrapped_len = 0; + uint64_t i_auth_check[L_ECC_MAX_DIGITS]; + const void *unwrap_key; + + if (dpp->state != DPP_STATE_AUTHENTICATING) + return; + + if (memcmp(from, dpp->auth_addr, 6)) + return; + + l_debug("authenticate confirm"); + + dpp_attr_iter_init(&iter, attrs, attrs_len); + + while (dpp_attr_iter_next(&iter, &type, &len, &data)) { + switch (type) { + case DPP_ATTR_STATUS: + status = l_get_u8(data); + break; + case DPP_ATTR_RESPONDER_BOOT_KEY_HASH: + r_boot_hash = data; + /* + * Spec requires this, but does not mention if anything + * is to be done with it. + */ + break; + case DPP_ATTR_INITIATOR_BOOT_KEY_HASH: + /* No mutual authentication */ + break; + case DPP_ATTR_WRAPPED_DATA: + wrapped = data; + wrapped_len = len; + break; + default: + break; + } + } + + if (!r_boot_hash || !wrapped) { + l_debug("Attributes missing from authenticate confirm"); + return; + } + + /* + * "The Responder obtains the DPP Authentication Confirm frame and + * checks the value of the DPP Status field. If the value of the DPP + * Status field is STATUS_NOT_COMPATIBLE or STATUS_AUTH_FAILURE, the + * Responder unwraps the wrapped data portion of the frame using k2" + */ + if (status == DPP_STATUS_OK) + unwrap_key = dpp->ke; + else if (status == DPP_STATUS_NOT_COMPATIBLE || + status == DPP_STATUS_AUTH_FAILURE) + unwrap_key = dpp->k2; + else + goto auth_confirm_failed; + + unwrapped = dpp_unwrap_attr(DPP_FRAME_AUTHENTICATION_CONFIRM, attrs, + unwrap_key, dpp->key_len, wrapped, wrapped_len, + &wrapped_len); + if (!unwrapped) + goto auth_confirm_failed; + + if (status != DPP_STATUS_OK) { + /* + * "If unwrapping is successful, the Responder should generate + * an alert indicating the reason for the protocol failure." + */ + l_debug("Authentication failed due to status %s", + status == DPP_STATUS_NOT_COMPATIBLE ? + "NOT_COMPATIBLE" : "AUTH_FAILURE"); + goto auth_confirm_failed; + } + + dpp_attr_iter_init(&iter, unwrapped, wrapped_len); + + while (dpp_attr_iter_next(&iter, &type, &len, &data)) { + switch (type) { + case DPP_ATTR_INITIATOR_AUTH_TAG: + i_auth = data; + i_auth_len = len; + break; + case DPP_ATTR_RESPONDER_NONCE: + /* Only if error */ + break; + default: + break; + } + } + + if (!i_auth || i_auth_len != dpp->key_len) { + l_debug("I-Auth missing from wrapped data"); + goto auth_confirm_failed; + } + + dpp_derive_i_auth(dpp->r_nonce, dpp->i_nonce, dpp->nonce_len, + dpp->proto_public, dpp->i_proto_public, + dpp->boot_public, i_auth_check); + + if (memcmp(i_auth, i_auth_check, i_auth_len)) { + l_error("I-Auth did not verify"); + goto auth_confirm_failed; + } + + l_debug("Authentication successful"); + + return; + +auth_confirm_failed: + dpp->state = DPP_STATE_PRESENCE; + dpp_free_auth_data(dpp); +} + +static void dpp_auth_request_failed(struct dpp_sm *dpp, + enum dpp_status status, + void *k1) +{ + uint8_t hdr[32]; + uint8_t attrs[128]; + uint8_t *ptr = attrs; + uint8_t version = 2; + uint8_t r_capabilities = 0x01; + uint8_t s = status; + struct iovec iov[3]; + + iov[0].iov_len = dpp_build_header(netdev_get_address(dpp->netdev), + dpp->auth_addr, + DPP_FRAME_AUTHENTICATION_RESPONSE, hdr); + iov[0].iov_base = hdr; + + ptr += dpp_append_attr(ptr, DPP_ATTR_STATUS, &s, 1); + ptr += dpp_append_attr(ptr, DPP_ATTR_RESPONDER_BOOT_KEY_HASH, + dpp->pub_boot_hash, 32); + + ptr += dpp_append_attr(ptr, DPP_ATTR_PROTOCOL_VERSION, &version, 1); + + ptr += dpp_append_wrapped_data(hdr + 26, attrs, + ptr, sizeof(attrs) - (ptr - attrs), k1, dpp->key_len, 2, + DPP_ATTR_INITIATOR_NONCE, dpp->nonce_len, dpp->i_nonce, + DPP_ATTR_RESPONDER_CAPABILITIES, 1, &r_capabilities); + + iov[1].iov_base = attrs; + iov[1].iov_len = ptr - attrs; + iov[2].iov_base = NULL; + + dpp_send_frame(netdev_get_wdev_id(dpp->netdev), iov, 2, + dpp->current_freq); +} + +static void authenticate_request(struct dpp_sm *dpp, const uint8_t *from, + const uint8_t *attrs, size_t attrs_len) +{ + struct dpp_attr_iter iter; + enum dpp_attribute_type type; + size_t len; + const uint8_t *data; + const uint8_t *r_boot = NULL; + const uint8_t *i_boot = NULL; + const uint8_t *i_proto = NULL; + const uint8_t *wrapped = NULL; + const uint8_t *i_nonce = NULL; + size_t r_boot_len = 0, i_proto_len = 0, wrapped_len = 0; + size_t i_nonce_len = 0; + _auto_(l_free) uint8_t *unwrapped = NULL; + _auto_(l_ecc_scalar_free) struct l_ecc_scalar *m = NULL; + _auto_(l_ecc_scalar_free) struct l_ecc_scalar *n = NULL; + uint64_t k1[L_ECC_MAX_DIGITS]; + uint64_t r_auth[L_ECC_MAX_DIGITS]; + + if (dpp->state != DPP_STATE_PRESENCE) + return; + + l_debug("authenticate request"); + + dpp_attr_iter_init(&iter, attrs, attrs_len); + + while (dpp_attr_iter_next(&iter, &type, &len, &data)) { + switch (type) { + case DPP_ATTR_INITIATOR_BOOT_KEY_HASH: + i_boot = data; + /* + * This attribute is required by the spec, but only + * used for mutual authentication. + */ + break; + case DPP_ATTR_RESPONDER_BOOT_KEY_HASH: + r_boot = data; + r_boot_len = len; + break; + case DPP_ATTR_INITIATOR_PROTOCOL_KEY: + i_proto = data; + i_proto_len = len; + break; + case DPP_ATTR_WRAPPED_DATA: + /* I-Nonce/I-Capabilities part of wrapped data */ + wrapped = data; + wrapped_len = len; + break; + + /* Optional attributes */ + case DPP_ATTR_PROTOCOL_VERSION: + if (l_get_u8(data) != 2) { + l_debug("Protocol version did not match"); + return; + } + + break; + /* + * TODO: Go on this channel for remainder of auth protocol. + * + * "the Responder determines whether it can use the requested + * channel for the following exchanges. If so, it sends the DPP + * Authentication Response frame on that channel. If not, it + * discards the DPP Authentication Request frame without + * replying to it." + * + * For the time being this feature is not being implemented and + * the frame will be dropped. + */ + case DPP_ATTR_CHANNEL: + return; + default: + break; + } + } + + if (!r_boot || !i_boot || !i_proto || !wrapped) + goto auth_request_failed; + + if (r_boot_len != 32 || memcmp(dpp->pub_boot_hash, + r_boot, r_boot_len)) { + l_debug("Responder boot key hash failed to verify"); + goto auth_request_failed; + } + + dpp->i_proto_public = l_ecc_point_from_data(dpp->curve, + L_ECC_POINT_TYPE_FULL, + i_proto, i_proto_len); + if (!dpp->i_proto_public) { + l_debug("Initiators protocol key invalid"); + goto auth_request_failed; + } + + m = dpp_derive_k1(dpp->i_proto_public, dpp->boot_private, k1); + if (!m) + goto auth_request_failed; + + unwrapped = dpp_unwrap_attr(DPP_FRAME_AUTHENTICATION_REQUEST, attrs, k1, + dpp->key_len, wrapped, wrapped_len, &wrapped_len); + if (!unwrapped) + goto auth_request_failed; + + dpp_attr_iter_init(&iter, unwrapped, wrapped_len); + + while (dpp_attr_iter_next(&iter, &type, &len, &data)) { + switch (type) { + case DPP_ATTR_INITIATOR_NONCE: + i_nonce = data; + i_nonce_len = len; + break; + case DPP_ATTR_INITIATOR_CAPABILITIES: + /* + * "If the Responder is not capable of supporting the + * role indicated by the Initiator, it shall respond + * with a DPP Authentication Response frame indicating + * failure by adding the DPP Status field set to + * STATUS_NOT_COMPATIBLE" + */ + if (!(l_get_u8(data) & 0x2)) { + l_debug("Initiator is not configurator"); + + dpp_auth_request_failed(dpp, + DPP_STATUS_NOT_COMPATIBLE, k1); + goto auth_request_failed; + } + + break; + default: + break; + } + } + + if (i_nonce_len != dpp->nonce_len) { + l_debug("I-Nonce has unexpected length %lu", i_nonce_len); + goto auth_request_failed; + } + + memcpy(dpp->i_nonce, i_nonce, i_nonce_len); + + /* Derive keys k2, ke, and R-Auth for authentication response */ + + l_ecdh_generate_key_pair(dpp->curve, &dpp->proto_private, + &dpp->proto_public); + + n = dpp_derive_k2(dpp->i_proto_public, dpp->proto_private, dpp->k2); + if (!n) + goto auth_request_failed; + + l_getrandom(dpp->r_nonce, dpp->nonce_len); + + if (!dpp_derive_ke(dpp->i_nonce, dpp->r_nonce, m, n, dpp->ke)) + goto auth_request_failed; + + if (!dpp_derive_r_auth(dpp->i_nonce, dpp->r_nonce, dpp->nonce_len, + dpp->i_proto_public, dpp->proto_public, + dpp->boot_public, r_auth)) + goto auth_request_failed; + + memcpy(dpp->auth_addr, from, 6); + + dpp->state = DPP_STATE_AUTHENTICATING; + + send_authenticate_response(dpp, r_auth); + + return; + +auth_request_failed: + dpp->state = DPP_STATE_PRESENCE; + dpp_free_auth_data(dpp); +} + +static void dpp_handle_auth_frame(const struct mmpdu_header *frame, + const void *body, size_t body_len, + int rssi, void *user_data) +{ + struct dpp_sm *dpp = user_data; + const uint8_t *ptr; + + if (body_len < 8) + return; + + ptr = body + 7; + body_len -= 7; + + switch (*ptr) { + case DPP_FRAME_AUTHENTICATION_REQUEST: + authenticate_request(dpp, frame->address_2, ptr + 1, + body_len - 1); + break; + case DPP_FRAME_AUTHENTICATION_CONFIRM: + authenticate_confirm(dpp, frame->address_2, ptr + 1, + body_len - 1); + break; + default: + l_debug("Unhandled DPP frame %u", *ptr); + break; + } +} + static void dpp_presence_announce(struct dpp_sm *dpp) { struct netdev *netdev = dpp->netdev; @@ -176,6 +740,7 @@ static void dpp_create(struct netdev *netdev) { struct l_dbus *dbus = dbus_get_bus(); struct dpp_sm *dpp = l_new(struct dpp_sm, 1); + uint8_t dpp_prefix[] = { 0x04, 0x09, 0x50, 0x6f, 0x9a, 0x1a, 0x01 }; dpp->netdev = netdev; dpp->state = DPP_STATE_NOTHING; @@ -183,6 +748,10 @@ static void dpp_create(struct netdev *netdev) l_dbus_object_add_interface(dbus, netdev_get_path(netdev), IWD_DPP_INTERFACE, dpp); + + frame_watch_add(netdev_get_wdev_id(netdev), 0, 0x00d0, dpp_prefix, + sizeof(dpp_prefix), dpp_handle_auth_frame, + dpp, NULL); } static void dpp_reset(struct dpp_sm *dpp) @@ -222,6 +791,8 @@ static void dpp_free(struct dpp_sm *dpp) dpp->offchannel_id = 0; } + dpp_free_auth_data(dpp); + l_free(dpp); } -- 2.31.1

James Prestwood

6:12 p.m.

New subject: [PATCH v2 07/10] dpp-util: add dpp_parse_configuration_object

This parses the configuration JSON object from the configuration response. Only a minimal configuration object is supported for now. --- Makefile.am | 5 +-- src/dpp-util.c | 110 +++++++++++++++++++++++++++++++++++++++++++++++++ src/dpp-util.h | 12 ++++++ 3 files changed, 124 insertions(+), 3 deletions(-) diff --git a/Makefile.am b/Makefile.am index 5d14963b..d079ba89 100644 --- a/Makefile.am +++ b/Makefile.am @@ -552,9 +552,8 @@ unit_test_p2p_LDADD = $(ell_ldadd) unit_test_dpp_SOURCES = unit/test-dpp.c src/dpp-util.h src/dpp-util.c \ src/band.h src/band.c \ - src/util.h src/util.c src/crypto.h src/crypto.c - src/util.h src/util.c - + src/util.h src/util.c src/crypto.h \ + src/crypto.c src/json.h src/json.c unit_test_dpp_LDADD = $(ell_ldadd) unit_test_json_SOURCES = unit/test-json.c src/json.h src/json.c shared/jsmn.h diff --git a/src/dpp-util.c b/src/dpp-util.c index 75b0b11c..54bf56cd 100644 --- a/src/dpp-util.c +++ b/src/dpp-util.c @@ -34,6 +34,9 @@ #include "src/util.h" #include "src/band.h" #include "src/crypto.h" +#include "src/json.h" +#include "ell/useful.h" +#include "src/ie.h" #define TOKEN_NEXT(p, sep) \ ({ \ @@ -127,6 +130,113 @@ char *dpp_generate_uri(const uint8_t *asn1, size_t asn1_len, uint8_t version, return l_string_unwrap(uri); } +static uint32_t dpp_parse_akm(char *akms) +{ + _auto_(l_strv_free) char **split = l_strsplit(akms, '+'); + char **i = split; + uint32_t akm_out = 0; + + while (*i) { + if (!strncmp(*i, "psk", 3)) + akm_out |= IE_RSN_AKM_SUITE_PSK; + else if (!strncmp(*i, "sae", 3)) + akm_out |= IE_RSN_AKM_SUITE_SAE_SHA256; + + i++; + } + + return akm_out; +} + +/* + * TODO: This handles the most basic configuration. i.e. a configuration object + * with ssid/passphrase/akm. + */ +struct dpp_configuration *dpp_parse_configuration_object(const char *json, + size_t json_len) +{ + struct dpp_configuration *config; + struct json_contents *c; + struct json_iter iter; + struct json_iter discovery; + struct json_iter cred; + _auto_(l_free)char *tech = NULL; + _auto_(l_free)char *ssid = NULL; + _auto_(l_free)char *akm = NULL; + _auto_(l_free)char *pass = NULL; + _auto_(l_free)char *psk = NULL; + + c = json_contents_new(json, json_len); + if (!c) + return NULL; + + json_iter_init(&iter, c); + + if (!json_iter_parse(&iter, + JSON_MANDATORY("wi-fi_tech", JSON_STRING, &tech), + JSON_MANDATORY("discovery", JSON_OBJECT, &discovery), + JSON_MANDATORY("cred", JSON_OBJECT, &cred), + JSON_UNDEFINED)) + goto free_contents; + + if (!tech || strncmp(tech, "infra", 5)) + goto free_contents; + + + if (!json_iter_parse(&discovery, + JSON_MANDATORY("ssid", JSON_STRING, &ssid), + JSON_UNDEFINED)) + goto free_contents; + + if (!ssid || !util_ssid_is_utf8(strlen(ssid),(const uint8_t *)ssid)) + goto free_contents; + + if (!json_iter_parse(&cred, + JSON_MANDATORY("akm", JSON_STRING, &akm), + JSON_OPTIONAL("pass", JSON_STRING, &pass), + JSON_OPTIONAL("psk", JSON_STRING, &psk), + JSON_UNDEFINED)) + goto free_contents; + + if (!pass && (!psk || strlen(psk) != 64)) + goto free_contents; + + config = l_new(struct dpp_configuration, 1); + + if (pass) + config->passphrase = l_steal_ptr(pass); + else + config->psk = l_steal_ptr(psk); + + memcpy(config->ssid, ssid, strlen(ssid)); + config->ssid_len = strlen(ssid); + + config->akm_suites = dpp_parse_akm(akm); + if (!config->akm_suites) + goto free_config; + + json_contents_free(c); + + return config; + +free_config: + dpp_configuration_free(config); +free_contents: + json_contents_free(c); + return NULL; +} + +void dpp_configuration_free(struct dpp_configuration *config) +{ + if (config->passphrase) + l_free(config->passphrase); + + if (config->psk) + l_free(config->psk); + + l_free(config); +} + void dpp_attr_iter_init(struct dpp_attr_iter *iter, const uint8_t *pdu, size_t len) { diff --git a/src/dpp-util.h b/src/dpp-util.h index 75bc33c1..a9995368 100644 --- a/src/dpp-util.h +++ b/src/dpp-util.h @@ -112,6 +112,18 @@ enum dpp_attribute_type { DPP_ATTR_CONFIGURATOR_NONCE = 0x1022, }; +struct dpp_configuration { + uint8_t ssid[32]; + size_t ssid_len; + uint32_t akm_suites; + char *passphrase; + char *psk; /* hex string */ +}; + +struct dpp_configuration *dpp_parse_configuration_object(const char *json, + size_t json_len); +void dpp_configuration_free(struct dpp_configuration *conf); + struct dpp_attr_iter { const uint8_t *pos; const uint8_t *end; -- 2.31.1

James Prestwood

6:12 p.m.

New subject: [PATCH v2 08/10] dpp: add support for configuration protocol

This is a minimal implementation only supporting legacy network configuration, i.e. only SSID and PSK/passphrase are supported. Missing features include: - Fragmentation/comeback delay support - DPP AKM support - 8021x/PKEX support --- src/dpp.c | 297 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 297 insertions(+) diff --git a/src/dpp.c b/src/dpp.c index 78074fd2..25cebfd3 100644 --- a/src/dpp.c +++ b/src/dpp.c @@ -45,6 +45,8 @@ #include "src/crypto.h" #include "src/mpdu.h" #include "ell/useful.h" +#include "src/common.h" +#include "src/storage.h" static uint32_t netdev_watch; static struct l_genl_family *nl80211; @@ -54,6 +56,7 @@ enum dpp_state { DPP_STATE_NOTHING, DPP_STATE_PRESENCE, DPP_STATE_AUTHENTICATING, + DPP_STATE_CONFIGURING, }; struct dpp_sm { @@ -85,6 +88,7 @@ struct dpp_sm { uint8_t auth_addr[6]; uint8_t r_nonce[32]; uint8_t i_nonce[32]; + uint8_t e_nonce[32]; uint64_t ke[L_ECC_MAX_DIGITS]; uint64_t k2[L_ECC_MAX_DIGITS]; @@ -93,6 +97,8 @@ struct dpp_sm { struct l_ecc_point *proto_public; struct l_ecc_point *i_proto_public; + + uint8_t diag_token; }; static void dpp_send_frame_cb(struct l_genl_msg *msg, void *user_data) @@ -187,6 +193,13 @@ static size_t dpp_append_wrapped_data(uint8_t *hdr, uint8_t *wrap_start, ad_size++; } + /* The configuration result requires this zero-length data component */ + if (hdr && hdr[5] == DPP_FRAME_CONFIGURATION_RESULT) { + ad[1].iov_base = NULL; + ad[1].iov_len = 0; + ad_size++; + } + va_start(va, num_attrs); /* Count up total attributes length */ @@ -267,6 +280,284 @@ static size_t dpp_build_header(const uint8_t *src, const uint8_t *dest, return ptr - buf; } +static size_t dpp_build_config_header(const uint8_t *src, const uint8_t *dest, + uint8_t diag_token, + uint8_t buf[static 37]) +{ + uint8_t *ptr = buf + 24; + + memset(buf, 0, 37); + + l_put_le16(0x00d0, buf); + memcpy(buf + 4, dest, 6); + memcpy(buf + 10, src, 6); + memcpy(buf + 16, broadcast, 6); + + *ptr++ = 0x04; /* Public */ + *ptr++ = 0x0a; /* Action */ + *ptr++ = diag_token; + + *ptr++ = IE_TYPE_ADVERTISEMENT_PROTOCOL; + *ptr++ = 8; /* len */ + *ptr++ = 0x00; + *ptr++ = IE_TYPE_VENDOR_SPECIFIC; + *ptr++ = 5; + memcpy(ptr, wifi_alliance_oui, 3); + ptr += 3; + *ptr++ = 0x1a; + *ptr++ = 1; + + return ptr - buf; +} + +static void dpp_configuration_start(struct dpp_sm *dpp, const uint8_t *addr) +{ + const char *json = "{\"name\":\"IWD\",\"wi-fi_tech\":\"infra\"," + "\"netRole\":\"sta\"}"; + struct iovec iov[3]; + uint8_t hdr[37]; + uint8_t attrs[512]; + size_t json_len = strlen(json); + uint8_t *ptr = attrs; + + l_getrandom(&dpp->diag_token, 1); + + iov[0].iov_len = dpp_build_config_header( + netdev_get_address(dpp->netdev), + addr, dpp->diag_token, hdr); + iov[0].iov_base = hdr; + + l_getrandom(dpp->e_nonce, dpp->nonce_len); + + /* length */ + ptr += 2; + + ptr += dpp_append_wrapped_data(NULL, NULL, ptr, sizeof(attrs), + dpp->ke, dpp->key_len, 2, + DPP_ATTR_ENROLLEE_NONCE, dpp->nonce_len, dpp->e_nonce, + DPP_ATTR_CONFIGURATION_REQUEST, json_len, json); + + l_put_le16(ptr - attrs - 2, attrs); + + iov[1].iov_base = attrs; + iov[1].iov_len = ptr - attrs; + + dpp->state = DPP_STATE_CONFIGURING; + + dpp_send_frame(dpp->wdev_id, iov, 2, dpp->current_freq); +} + +static void send_config_result(struct dpp_sm *dpp, const uint8_t *to) +{ + uint8_t hdr[32]; + struct iovec iov[2]; + uint8_t attrs[256]; + uint8_t *ptr = attrs; + uint8_t zero = 0; + + iov[0].iov_len = dpp_build_header(netdev_get_address(dpp->netdev), to, + DPP_FRAME_CONFIGURATION_RESULT, hdr); + iov[0].iov_base = hdr; + + ptr += dpp_append_wrapped_data(hdr + 26, NULL, ptr, sizeof(attrs), + dpp->ke, dpp->key_len, 2, + DPP_ATTR_STATUS, 1, &zero, + DPP_ATTR_ENROLLEE_NONCE, dpp->nonce_len, dpp->e_nonce); + + iov[1].iov_base = attrs; + iov[1].iov_len = ptr - attrs; + + dpp_send_frame(dpp->wdev_id, iov, 2, dpp->current_freq); +} + +static void dpp_write_config(struct dpp_configuration *config) +{ + _auto_(l_free) char *ssid = l_malloc(config->ssid_len + 1); + _auto_(l_settings_free) struct l_settings *settings = l_settings_new(); + _auto_(l_free) char *path; + + memcpy(ssid, config->ssid, config->ssid_len); + ssid[config->ssid_len] = '\0'; + + path = storage_get_network_file_path(SECURITY_PSK, ssid); + + if (l_settings_load_from_file(settings, path)) { + /* Remove any existing Security keys */ + l_settings_remove_group(settings, "Security"); + } + + if (config->passphrase) + l_settings_set_string(settings, "Security", "Passphrase", + config->passphrase); + else if (config->psk) + l_settings_set_string(settings, "Security", "PreSharedKey", + config->psk); + + l_debug("Storing credential for '%s(%s)'", ssid, + security_to_str(SECURITY_PSK)); + storage_network_sync(SECURITY_PSK, ssid, settings); +} + +static void dpp_handle_config_frame(const struct mmpdu_header *frame, + const void *body, size_t body_len, + int rssi, void *user_data) +{ + struct dpp_sm *dpp = user_data; + const uint8_t *ptr = body; + uint16_t status; + uint16_t fragmented; /* Fragmented/Comeback delay field */ + uint8_t adv_protocol_element[] = { 0x6C, 0x08, 0x7F }; + uint8_t adv_protocol_id[] = { 0xDD, 0x05, 0x50, 0x6F, + 0x9A, 0x1A, 0x01 }; + uint16_t query_len; + struct dpp_attr_iter iter; + enum dpp_attribute_type type; + size_t len; + const uint8_t *data; + const char *json = NULL; + size_t json_len = 0; + int dstatus = -1; + const uint8_t *wrapped = NULL; + const uint8_t *e_nonce = NULL; + size_t wrapped_len = 0; + _auto_(l_free) uint8_t *unwrapped = NULL; + struct dpp_configuration *config; + uint8_t ad0[] = { 0x00, 0x10, 0x01, 0x00, 0x05 }; + struct iovec ad = { + .iov_base = ad0, + .iov_len = 5 + }; + + if (dpp->state != DPP_STATE_CONFIGURING) + return; + + ptr += 2; + + /* + * Can a configuration request come from someone other than who you + * authenticated to? + */ + if (memcmp(dpp->auth_addr, frame->address_2, 6)) + return; + + if (*ptr++ != dpp->diag_token) + return; + + status = l_get_le16(ptr); + ptr += 2; + + if (status != 0) { + l_debug("Bad configuration status %u", status); + return; + } + + fragmented = l_get_le16(ptr); + ptr += 2; + + /* + * TODO: handle 0x0001 (fragmented), as well as comeback delay. + */ + if (fragmented != 0) { + l_debug("Fragmented messages not currently supported"); + return; + } + + if (memcmp(ptr, adv_protocol_element, sizeof(adv_protocol_element))) { + l_debug("Invalid Advertisement protocol element"); + return; + } + + ptr += sizeof(adv_protocol_element); + + if (memcmp(ptr, adv_protocol_id, sizeof(adv_protocol_id))) { + l_debug("Invalid Advertisement protocol ID"); + return; + } + + ptr += sizeof(adv_protocol_id); + + query_len = l_get_le16(ptr); + ptr += 2; + + dpp_attr_iter_init(&iter, ptr, query_len); + + while (dpp_attr_iter_next(&iter, &type, &len, &data)) { + switch (type) { + case DPP_ATTR_STATUS: + dstatus = l_get_u8(data); + break; + case DPP_ATTR_WRAPPED_DATA: + wrapped = data; + wrapped_len = len; + break; + default: + /* + * TODO: CSR Attribute + */ + break; + } + } + + if (dstatus != DPP_STATUS_OK || !wrapped) { + l_debug("Bad status or missing attributes"); + return; + } + + unwrapped = l_malloc(wrapped_len - 16); + + aes_siv_decrypt(dpp->ke, dpp->key_len, wrapped, wrapped_len, &ad, + 1, unwrapped); + + wrapped_len -= 16; + + dpp_attr_iter_init(&iter, unwrapped, wrapped_len); + + while (dpp_attr_iter_next(&iter, &type, &len, &data)) { + switch (type) { + case DPP_ATTR_ENROLLEE_NONCE: + if (len != dpp->nonce_len) + break; + + if (memcmp(data, dpp->e_nonce, dpp->nonce_len)) + break; + + e_nonce = data; + break; + case DPP_ATTR_CONFIGURATION_OBJECT: + json = (const char *)data; + json_len = len; + break; + default: + break; + } + } + + if (!json || !e_nonce) { + l_debug("No configuration object in response"); + return; + } + + config = dpp_parse_configuration_object(json, json_len); + if (!config) { + l_error("Configuration object did not parse"); + return; + } + + dpp_write_config(config); + /* + * TODO: Depending on the info included in the configuration object a + * limited scan could be issued to get autoconnect to trigger faster. + * In addition this network may already be in past scan results and + * could be joined immediately. + * + * For now just wait for autoconnect. + */ + + dpp_configuration_free(config); + + send_config_result(dpp, dpp->auth_addr); +} + static void dpp_free_auth_data(struct dpp_sm *dpp) { if (dpp->proto_public) { @@ -457,6 +748,8 @@ static void authenticate_confirm(struct dpp_sm *dpp, const uint8_t *from, l_debug("Authentication successful"); + dpp_configuration_start(dpp, from); + return; auth_confirm_failed: @@ -741,6 +1034,7 @@ static void dpp_create(struct netdev *netdev) struct l_dbus *dbus = dbus_get_bus(); struct dpp_sm *dpp = l_new(struct dpp_sm, 1); uint8_t dpp_prefix[] = { 0x04, 0x09, 0x50, 0x6f, 0x9a, 0x1a, 0x01 }; + uint8_t dpp_conf_prefix[] = { 0x04, 0x0b }; dpp->netdev = netdev; dpp->state = DPP_STATE_NOTHING; @@ -752,6 +1046,9 @@ static void dpp_create(struct netdev *netdev) frame_watch_add(netdev_get_wdev_id(netdev), 0, 0x00d0, dpp_prefix, sizeof(dpp_prefix), dpp_handle_auth_frame, dpp, NULL); + frame_watch_add(netdev_get_wdev_id(netdev), 0, 0x00d0, dpp_conf_prefix, + sizeof(dpp_conf_prefix), + dpp_handle_config_frame, dpp, NULL); } static void dpp_reset(struct dpp_sm *dpp) -- 2.31.1

James Prestwood

6:12 p.m.

New subject: [PATCH v2 09/10] dpp: handle protocol errors in ROC timeout

This is a standing TODO of properly handling these timeouts but for now just treat any ROC timeout as an error if authenticating or configuring. --- src/dpp.c | 26 +++++++++++++++++++++++--- 1 file changed, 23 insertions(+), 3 deletions(-) diff --git a/src/dpp.c b/src/dpp.c index 25cebfd3..a147e8c0 100644 --- a/src/dpp.c +++ b/src/dpp.c @@ -1117,10 +1117,24 @@ static void dpp_presence_timeout(int error, void *user_data) { struct dpp_sm *dpp = user_data; - if (dpp->state != DPP_STATE_PRESENCE) { - l_debug("DPP state changed, stopping presence announcements"); - dpp->freqs_idx = 0; + switch (dpp->state) { + case DPP_STATE_PRESENCE: + break; + case DPP_STATE_NOTHING: + /* Protocol already terminated */ return; + case DPP_STATE_AUTHENTICATING: + case DPP_STATE_CONFIGURING: + /* + * TODO: If either the auth or config protocol is running we + * need to stay on channel until the specified timeouts. + * Unfortunately the kernel makes this very inconvenient since + * there is no way to stay on channel indefinitely or any way + * of knowing what duration the kernel/card actually chooses. + * + * For now just treat this as a failure. + */ + goto protocol_failed; } dpp->freqs_idx++; @@ -1138,6 +1152,12 @@ static void dpp_presence_timeout(int error, void *user_data) dpp->offchannel_id = offchannel_start(netdev_get_wdev_id(dpp->netdev), dpp->current_freq, dpp->dwell, dpp_roc_started, dpp, dpp_presence_timeout); + return; + +protocol_failed: + dpp_reset(dpp); + dpp_free_auth_data(dpp); + return; } /* -- 2.31.1

James Prestwood

6:12 p.m.

New subject: [PATCH v2 10/10] doc: document DPP interface

--- doc/device-provisioning.txt | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 doc/device-provisioning.txt diff --git a/doc/device-provisioning.txt b/doc/device-provisioning.txt new file mode 100644 index 00000000..444bac74 --- /dev/null +++ b/doc/device-provisioning.txt @@ -0,0 +1,32 @@ +Device Provisioning hierarchy +============================= + +Service net.connman.iwd +Interface net.connman.iwd.DeviceProvisioning [Experimental] +Object path /net/connman/iwd/{phy0,phy1,...}/{1,2,...} + +Methods string StartEnrollee(dict arguments) + + Start a DPP enrollee. Currently only station devices are + supported. The method arguments should be a dictionary. + There are no required dictionary key/values but it may + include: + + Information: string - Vendor specific info to advertise + in the URI (I:). + Host: string - Host information to advertise in the + URI (H:). + + Returns the enrollees URI + + Possible errors: net.connman.iwd.InvalidArguments + net.connman.iwd.AlreadyExists + net.connman.iwd.NotAvailable + + void Stop() + + Stop an enrollee. + + Possible errors: net.connman.iwd.Busy + net.connman.iwd.Failed + net.connman.iwd.InvalidArguments -- 2.31.1

Denis Kenzior

9:35 p.m.

New subject: [PATCH v2 10/10] doc: document DPP interface

Hi James, On 12/14/21 12:12 PM, James Prestwood wrote:

...

Do we really want the users to provide this or should we simply grab it from gethostname()? Are there limits on the contents of the information / hostname strings?

...

+ + Returns the enrollees URI + + Possible errors: net.connman.iwd.InvalidArguments + net.connman.iwd.AlreadyExists + net.connman.iwd.NotAvailable + + void Stop() + + Stop an enrollee. + + Possible errors: net.connman.iwd.Busy + net.connman.iwd.Failed + net.connman.iwd.InvalidArguments

Regards, -Denis

202

days inactive

202

days old

iwd@lists.01.org

Manage subscription

13 comments

2 participants

tags (0)

participants (2)

Denis Kenzior
James Prestwood

2022

2021

2020

2019

[PATCH v2 01/10] dbus: add DPP interface