wpa_supplicant: backport support for OWE #111498

mweinelt · 2021-01-31T21:53:05Z

Motivation for this change

The wpa_supplicant upstream is slow to push out new releases and has
been asked several times to do so. Support for Opportunistic Wireless
Encryption has been on master since late 2019 and still hasn't made it
into a release yet.

This backports a rather simple patchset to enable OWE key management
and exposes it also via DBus, so it can be used from Network-Manager.

I have been using this patch since august 2020 and it's been working fine.

Things done

pkgs/os-specific/linux/wpa_supplicant/default.nix

The wpa_supplicant upstream is slow to push out new releases and has been asked several times to do so. Support for Opportunistic Wireless Encryption has been on master since late 2019 and still hasn't made it into a release yet. This backports a rather simple patchset to enable OWE key management and exposes it also via DBus, so it can be used from Network-Manager.

mweinelt · 2021-01-31T23:31:50Z

This should probably have some real-world testing. There are basically two scenarios

open + OWE with transition mode
- only the open bssid advertises itself with beacons
- beacons contain transition IE that enables OWE-capable stations to automatically connect to the OWE vif.
only OWE

Setting up OpenWrt with an open & OWE network and transition mode looks like this:

config wifi-iface 'client0_vlan130'
	option owe_transition_ssid 'owe_tm.darmstadt.freifunk.net'
	option network 'vlan130'
	option encryption 'none'
	option device 'radio0'
	option owe_transition_bssid 'ce:c7:b9:90:a7:82'
	option ifname 'client0_vlan130'
	option macaddr 'ce:c7:b9:90:a7:81'
	option ssid 'darmstadt.freifunk.net'
	option mode 'ap'

config wifi-iface 'owe0_vlan130'
	option owe_transition_ssid 'darmstadt.freifunk.net'
	option network 'vlan130'
	option encryption 'owe'
	option device 'radio0'
	option hidden '1'
	option ieee80211w '2'
	option owe_transition_bssid 'ce:c7:b9:90:a7:81'
	option ifname 'owe0_vlan130'
	option macaddr 'ce:c7:b9:90:a7:82'
	option ssid 'owe_tm.darmstadt.freifunk.net'
	option mode 'ap'

picnoir

Note wrt. last message.

The OWE support seems to already be implemented in 2.9. This patch "only" advertises the OWE key support to the DBUS interface.

The patch has been applied upstream: https://www.spinics.net/lists/hostap/msg06661.html, LGTM.

picnoir · 2021-02-01T08:36:50Z

For the giggles:

	/*
	 * KeyMgmt
	 *
	 * When adding a new entry here, please take care to extend key_mgmt[]
	 * and keep documentation in doc/dbus.doxygen up to date.
	 */

Of course, the doc hasn't been updated here.

picnoir · 2021-02-01T08:46:08Z

Wait, WTF.

On https://www.spinics.net/lists/hostap/msg06611.html, we can see the diff

-	const char *capabilities[10] = { NULL, NULL, NULL, NULL, NULL, NULL,
-					NULL, NULL, NULL, NULL };
+	const char *capabilities[11] = { NULL };

while on the official mailing list https://w1.fi/cgit/hostap/patch/?id=7800725afb27397f7d6033d4969e2aeb61af4737, we end up with:

-	const char *capabilities[10] = { NULL, NULL, NULL, NULL, NULL, NULL,
-					NULL, NULL, NULL, NULL };
+	const char *capabilities[11];

Same mailing list header for both emails:

    To: hostap@xxxxxxxxxxxxxxxxxxx
    Subject: [PATCH] dbus: export OWE capability and OWE BSS key_mgmt
    From: Beniamino Galvani <bgalvani@xxxxxxxxxx>
    Date: Sun, 13 Oct 2019 15:18:54 +0200
    Cc: Beniamino Galvani <bgalvani@xxxxxxxxxx>

From 7800725afb27397f7d6033d4969e2aeb61af4737 Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Sun, 13 Oct 2019 15:18:54 +0200
Subject: dbus: Export OWE capability and OWE BSS key_mgmt

Anybody know what's happening here!? I'm failing to understand the implications of this diff after reading that code section.

This sounds definitely fishy to me.

Note: we applied the patch coming from the w1.fi official mailing list.

ofborg bot requested a review from MarcWeber January 31, 2021 22:10

ofborg bot added 10.rebuild-darwin: 0 10.rebuild-linux: 1-10 labels Jan 31, 2021

SuperSandro2000 reviewed Jan 31, 2021

View reviewed changes

pkgs/os-specific/linux/wpa_supplicant/default.nix Outdated Show resolved Hide resolved

mweinelt force-pushed the wpa_supplicant/owe branch from 62f857e to 28f8b5f Compare January 31, 2021 23:20

picnoir approved these changes Feb 1, 2021

View reviewed changes

picnoir merged commit 4695a7c into NixOS:master Feb 1, 2021

mweinelt deleted the wpa_supplicant/owe branch February 1, 2021 10:12

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

wpa_supplicant: backport support for OWE #111498

wpa_supplicant: backport support for OWE #111498

mweinelt commented Jan 31, 2021

mweinelt commented Jan 31, 2021 •

edited

Loading

picnoir left a comment

picnoir commented Feb 1, 2021

picnoir commented Feb 1, 2021

wpa_supplicant: backport support for OWE #111498

wpa_supplicant: backport support for OWE #111498

Conversation

mweinelt commented Jan 31, 2021

Motivation for this change

Things done

mweinelt commented Jan 31, 2021 • edited Loading

picnoir left a comment

Choose a reason for hiding this comment

picnoir commented Feb 1, 2021

picnoir commented Feb 1, 2021

mweinelt commented Jan 31, 2021 •

edited

Loading