GSoC WPA Project

Demos

Information for Reviewers

Webrevs:

Milan Jurik has kindly reviewed this changeset almost completely.
I have made corrections based on his comments and suggestions.
We need at least another reviewer before RTI.

Things that need review from particular people:

  • the removal of wificonfig, especially the removal of the old wifi ioctls in net80211_ioctl.c, needs review from someone familiar with the net80211 module
  • the new dladm wifi subcommands' output and syntax need review, possibly from some wifi users in the oi/illumos community
  • the new nwamadm select-wifi and nwamcfg create wlan commands need review from someone familiar with the nwam admin model and known wlans
  • changes to libdlwlan need review from someone familiar with wpa_supplicant and wpa-enterprise

This changeset does not include:

  • wired 802.1x support. Once we integrate this changeset in illumos-gate it would be very easy to add wired 802.1x support. wpa_s can now be extended very easily (a new wired driver interface and a couple of additional cflags are required). As of now we don't have a consumer dladm subcommand. I ask the community for guidance on this topic.

Information for Advocates

The large size of this changeset is due to:

  • wpa_supplicant 1.1 (all the 3rd party wpa_s source files imported in illumos-gate are required for wpa_s to compile and for the features that we need enabled, there are no unused headers or source files)
  • removal of wificonfig, wpad, pcan, pcwl
  • the partial rewrite of userspace wifi link administration libraries and subcommands. (libdladm, wifi ioctls, libnwam, secure objects public/private interfaces, nwamadm, nwamcfg, nwamd, etc..). I tried to partially rewrite those libraries to improve admin interfaces usability, code maintenance, correctness and stability. Above all, I tried to simplify code (see nwamd and dladm) to improve debuggability and future features additions. Splitting these changes in more putbacks is technically impossible.

I ask the advocates for guidance and feedback in this regard.

This changeset has been imported in a fresh hg illumos-gate repository and tested with a full, non-incremental, build.

The output of the following commands can be found in the download section

The changeset is lint and cstyle clean.
Several wpa_s files were added to cstyle/headers exceptions.

Testing

The device drivers used for testing wpa-psk and wpa-enterprise connectivity are: rwn, wpi, ath.

These device drivers cover most of the wifi NIC vendors supported on illumos.

Connectivity with each of these drivers was personally tested twice on the latest illumos-gate (as of 29 Nov 2012), built one time using sun studio and one time using gcc4.4.4 as primary compilers.

Illumos-gate package repository built with sun studio _176mb_

The base distro used for building and testing illumos-gate is oi-151a7 (64bit only)

The correct removal of deprecated pkgs like pcan, pcwl, and wificonfig from an openindiana installation has been tested with onu. Also, the old SUNWwpa and wpa pkgs have been renamed to the wpa_supplicant pkg. These pkgs are replaced correctly after installation.

Features added and Improvements for End Users

  • wpad daemon and libdlwlan were totally broken. user experience when connecting to secure wifi network has been improved a lot:
    • solved AP association timeouts especially with iwp driver
    • solved wpa 4way handshake timeouts for wpa2
    • improved wpa_s daemon stability (wpa_s instances are managed by wpa_s daemon itself, and not by smf)
    • wpad/libdladm clears correctly the previous device driver configuration when disconnecting/disassociating
    • wpa_s instances now are terminated correctly
    • time required for completing AP association is greatly reduced
  • dladm wifi subcommands user experience has been improved a lot:
    • scan results show detailed secure mode for each wifi network (distinction between wpa/wpa2/wpa-eap etc..)
    • signal level is now a 7bit decimal value
    • much more detailed dladm show-wifi output (wpa_s state, key mgmt and ciphers used...)
    • user is informed on stdout about the status of wpa_s and why AP association has failed (for example a bad psk, eap password or client cert.)
  • secure objects
    • setting the wep keyslot is now integrated in create-secobj subcommand
    • setting the eap-ttls and eap-peap phase2 authentication is now integrated in create-secobj subcommand
    • root user can print secure object values using -o all flag
  • nwamadm select-wifi
    • scan results have now the same format of dladm scan-wifi
    • added known wlan ID field to scan results
    • command returns when association is really completed (wpa_s events)
  • nwamd wifi link administration was poorly designed and needlessly complex partially because of the bad underlying libdlwlan interface. my focus here was to keep all the current features provided by nwamd and to keep the code as simple as possible.
    • improved nwamd daemon stability and reduced complexities in nwam wifi state machine
    • secure objects created by nwamd daemon were broken. there wasn't a strict association between secure objects and known wlans, and duplicates in SSIDs or existing secure objects could have prevented known wlan creation. now all these problems are fixed.
    • known-wlans.conf is parsed directly by wpa_s config backend when a wpa_s instance is created. This allows wpa_s to automatically connect to saved network when nwam is enabled.
    • etc....( more here )

Additional Notes for Reviewers and Illumos-gate Developers

  • the wpa_s control interface is the method used for interacting with the wpa_s supplicant. This way we can configure and send commands to wpa_s at runtime and receive notifications from wpa_s on the wifi link status. This facilitates future extensions of the libdlwlan library since no new interfaces need to be implemented.
  • significantly reduced nwamd daemon memory usage
  • nwamd wifi links status is now managed with DLPI events and wpa_s control events. This keeps in sync nwamd and wpa_s state machines.
  • wpa_s debugging can be enabled using svccfg
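
An added illustration (not code from this changeset or from wpa_supplicant) of how a control-interface consumer can map wpa_s event strings to the association-failure causes reported to the user. The enum and function names are hypothetical, and the sample events are constructed in the format of upstream wpa_supplicant control-interface messages.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical result codes for this example; not libdlwlan's own. */
typedef enum {
	EV_OTHER, EV_CONNECTED, EV_DISCONNECTED, EV_BAD_PSK, EV_EAP_FAILURE
} wifi_ev_t;

#define	STARTS(s, lit)	(strncmp((s), (lit), sizeof (lit) - 1) == 0)

/* Classify one event; *reason gets the 802.11 reason code, or -1. */
wifi_ev_t classify_event(const char *msg, int *reason)
{
	const char *p = msg, *r;
	*reason = -1;
	/* Unsolicited events carry a "<N>" priority prefix; skip it. */
	if (p[0] == '<' && (r = strchr(p, '>')) != NULL)
		p = r + 1;
	if (STARTS(p, "CTRL-EVENT-CONNECTED"))
		return (EV_CONNECTED);
	if (STARTS(p, "CTRL-EVENT-DISCONNECTED")) {
		/* e.g. reason=15 is the 802.11 4-way handshake timeout */
		if ((r = strstr(p, " reason=")) != NULL)
			*reason = atoi(r + sizeof (" reason=") - 1);
		return (EV_DISCONNECTED);
	}
	if (STARTS(p, "CTRL-EVENT-EAP-FAILURE"))
		return (EV_EAP_FAILURE);
	if (strstr(p, "pre-shared key may be incorrect") != NULL)
		return (EV_BAD_PSK);
	return (EV_OTHER);
}

int main(void)
{
	/* Constructed sample events, not captured from a real link. */
	const char *ev[] = {
		"<3>CTRL-EVENT-DISCONNECTED bssid=02:00:00:00:01:00 reason=15",
		"<3>WPA: 4-Way Handshake failed - pre-shared key may be incorrect",
		"<3>CTRL-EVENT-EAP-FAILURE EAP authentication failed",
	};
	int reason;
	for (size_t i = 0; i < sizeof (ev) / sizeof (ev[0]); i++) {
		wifi_ev_t t = classify_event(ev[i], &reason);
		(void) printf("type=%d reason=%d\n", (int)t, reason);
	}
	return (0);
}
```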

Changes to official wpa_s source files are just a few, required for adding illumos device driver interface and other small fixes: you can find the differences here: (brief and complete diffs)

Some of the motivations behind the changes made in this project are explained in technical details in these blog posts

What is still missing/not working

  • Background active/passive scan while associated with the AP (never worked at all in the past, wpa_s/libdlwlan/net80211 now support it but no device drivers except 'arn' support it. if users don't really need it, I'll just drop this)
  • Wifi HT rates are not supported by net80211 and device drivers even if net80211 seems to offer interfaces for it.(never worked at all in the past)
  • Ad-hoc mode (never worked at all in the past, but now iwp driver, libdlwlan and wpa_s support it. needs more testing and some fixes in wpa_s driver interface)
  • Static Wep (needs more testing and some fixes in wpa_s driver interface)
  • support for retrieving EAP-TLS client certificates from PKCS#11 token when wpa_s uses OpenSSL Engine. This breaks full support for EAP-TLS on nwamd as well. (as of now the user can import both client cert and private keys, but dladm still needs the client cert as an argument on command line. This needs support for referencing imported certificates with a string, like for RSA keys).
  • simnet utility (never worked at all in the past, and now with the new libdlwlan API is even worse, I think we should drop wifi support from it and for SIMNET devices from dladm wifi subcommands)
  • /etc/nwam/known_wlans.conf uses a different syntax. I need to ensure this file is cleaned before it's read/written using the new syntax.
  • nwam-manager: i need to find some time to adapt nwam-manager to the new libnwam/libdlwlan interface...

I would like to thank Milan Jurik for all his support and suggestions, especially for helping me prepare this last review. I admit in many cases I've spent more time asking about the problems I had instead of simply fixing the underlying issue. On the other side, this has been my first real contribution to illumos-gate, so I've just learned many ways to speed up my work during this period.

Redmine Open Issues

This project has not been associated with a specific issue in redmine yet. I've just put the 1095 reference in the commit message because it was Some issues already opened that mention problems solved in this changeset are:
