iwd.lists.linux.dev archive mirror
From: James Prestwood <prestwoj@gmail.com>
To: Wen Gong <quic_wgong@quicinc.com>, iwd@lists.01.org, iwd@lists.linux.dev
Cc: Denis Kenzior <denkenz@gmail.com>
Subject: Re: [PATCH v3 3/3] owe: netdev: refactor to remove OWE as an auth-proto
Date: Wed, 12 Jul 2023 19:33:59 -0700
Message-ID: <d2a490cf-ae06-ed26-33eb-5475616bd725@gmail.com>
In-Reply-To: <00246aa8-fe45-f5c2-cf2a-3450cee414f2@quicinc.com>

Hi Wen,

On 7/12/23 7:23 PM, Wen Gong wrote:
> On 7/12/2023 10:52 PM, James Prestwood wrote:
>> Hi Wen,
>>
>> On 7/12/23 4:17 AM, Wen Gong wrote:
>>> On 9/4/2021 3:35 AM, James Prestwood wrote:
>>>> ---
>>> ...
>>>> +
>>>> +            case IE_TYPE_RSN:
>>>> +                if (!netdev->owe_sm)
>>>> +                    continue;
>>>> +
>>>> +                if (ie_parse_rsne(&iter, &info) < 0) {
>>>> +                    l_error("could not parse RSN IE");
>>>> +                    goto error;
>>>> +                }
>>>> +
>>>> +                /*
>>>> +                 * RFC 8110 Section 4.2
>>>> +                 * An AP agreeing to do OWE MUST include the OWE 
>>>> AKM in
>>>> +                 * the RSN element portion of the 802.11 association
>>>> +                 * response.
>>>> +                 */
>>> Now it happens that connecting to an OWE AP fails with some APs, because the 
>>> assoc resp does not include RSNE.
>>>> +                if (info.akm_suites != IE_RSN_AKM_SUITE_OWE) {
>>>> +                    l_error("OWE AKM not included");
>>>> +                    goto deauth;
>>>> +                }
>>>> +
>>>> +                owe_akm_found = true;
>>>> +
>>>> +                break;
>>>> +            }
>>>> +        }
>>>> +
>>>> +        if (netdev->owe_sm) {
>>>> +            if (!owe_dh || !owe_akm_found) {
>>>> +                l_error("OWE DH element/RSN not found");
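Review bot: the comparison info.akm_suites != IE_RSN_AKM_SUITE_OWE is stricter than the RFC 8110 comment above it, which only requires the AP to include the OWE AKM; if akm_suites can carry more than one suite, test for the OWE value within the field rather than comparing the whole field. In the final branch, !owe_dh || !owe_akm_found logs a single "OWE DH element/RSN not found" message for two different failures, so a separate message per condition would show directly whether the DH element or the RSN element was missing from the association response.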
>>>
>>> It failed here.
>>>
>>> So MUST the check for owe_akm_found be added here if owe_dh 
>>> exists in the assoc resp?
>>
>> As the comment states, the OWE RFC says that the RSN element must be 
>> included in the associate response if we are to stay compliant with 
>> the spec.
>>
>> But as you may have noticed we don't actually do anything with this 
>> element besides parse it. I don't see that wpa_supplicant enforces 
>> this either, so it may be fine to relax this check.
> Thanks for relaxing the check.
>>
>> I would prefer to see iwmon logs when you connect to this AP, just to 
>> confirm that the AP isn't including the IE and not something else. 
>> Would you be able to get those?
>>
> I have collected iwd log with hexdump, it does not include RSNIE in 
> assoc resp ies:

Sorry, I should have been more specific. Using IWD_GENL_DEBUG does 
contain the information, but it's not really a readable format. We have a 
tool called iwmon which you run in parallel to IWD. This parses the raw 
data and displays a human-readable output:

$ sudo iwmon --nortnl --nowiphy --noscan

Denis,

Is relaxing the RSNE check in the associate response (for OWE only) 
something you'd be ok with? Obviously with an L_WARN_ON/l_warn message.

Thanks,
James
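
The check discussed in this thread, as an added example that is not iwd's code and not part of the original message: it walks the association response IEs, looks for the OWE Diffie-Hellman Parameter element and for the OWE AKM in the RSNE, and applies either the strict RFC 8110 rule or a relaxed one. The names owe_check, rsne_has_owe_akm, the strict flag and the sample bytes are constructed for illustration; tolerating only a missing RSNE (and still rejecting an RSNE without the OWE AKM) in relaxed mode is an assumption of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

enum { EID_RSN = 48, EID_EXT = 255, EXT_OWE_DH = 32, DH_LEN = 9 };
enum owe_result { OWE_OK, OWE_OK_NO_RSNE, OWE_REJECT };
static const uint8_t OWE_AKM[4] = { 0x00, 0x0f, 0xac, 0x12 }; /* 00-0F-AC:18 */

/* Constructed association response IEs, not captured traffic. The first
 * DH_LEN bytes are a DH Parameter element (group 19, placeholder key). */
static const uint8_t RESP[] = { 255, 7, 32, 0x13, 0x00, 1, 2, 3, 4,
	48, 20, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x04, /* RSNE: version, group CCMP */
	0x01, 0x00, 0x00, 0x0f, 0xac, 0x04,         /* 1 pairwise: CCMP */
	0x01, 0x00, 0x00, 0x0f, 0xac, 0x12, 0x00, 0x00 }; /* 1 AKM: OWE, caps */

/* Scan the AKM suite list of an RSNE body for the OWE selector. */
static bool rsne_has_owe_akm(const uint8_t *d, size_t len)
{
	size_t off = 6, n;	/* skip version (2) and group cipher (4) */
	if (len < off + 2)
		return false;
	off += 2 + 4 * (d[off] | d[off + 1] << 8);	/* skip pairwise list */
	if (len < off + 2)
		return false;
	n = d[off] | d[off + 1] << 8;			/* AKM suite count */
	for (off += 2; n > 0 && off + 4 <= len; n--, off += 4)
		if (!memcmp(d + off, OWE_AKM, 4))
			return true;
	return false;
}

/* strict follows RFC 8110 4.2; relaxed (an assumption of this example)
 * tolerates a missing RSNE only, and the caller is expected to warn. */
static enum owe_result owe_check(const uint8_t *ies, size_t len, bool strict)
{
	bool dh = false, rsne = false, akm = false;
	for (size_t l; len >= 2; ies += l + 2, len -= l + 2) {
		l = ies[1];
		if (l + 2 > len)
			return OWE_REJECT;	/* truncated element */
		if (ies[0] == EID_RSN) {
			rsne = true;
			akm = rsne_has_owe_akm(ies + 2, l);
		} else if (ies[0] == EID_EXT && l >= 1 && ies[2] == EXT_OWE_DH)
			dh = true;
	}
	if (!dh || (rsne && !akm))
		return OWE_REJECT;
	return rsne ? OWE_OK : strict ? OWE_REJECT : OWE_OK_NO_RSNE;
}
```

Calling owe_check(RESP, DH_LEN, strict) models the AP from this thread, whose association response carries the DH element but no RSNE.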
