[wlan] Replace bare credentials with `Authentication` in SME FIDL.
This change replaces the `credential` field of the SME `ConnectRequest`
FIDL message with an `authentication` field that completely describes
the authentication method, including the desired security protocol. SME
no longer determines which security protocol is used and always attempts
to connect via the protocol specified in the `ConnectRequest`.
Bug: 72051
Bug: 95873
Testing: unit testing, manual testing, and `WlanTargetSecurityTest` suite
Change-Id: I8d29b5468f7935924a796afb14ac5ccbde36b03c
Reviewed-on: https://fuchsia-review.googlesource.com/c/fuchsia/+/691227
API-Review: Rebecca Silberstein <silberst@google.com>
Reviewed-by: Dylan Swiggett <swiggett@google.com>
Reviewed-by: Rebecca Silberstein <silberst@google.com>
Commit-Queue: Sean Olson <seanolson@google.com>
Reviewed-by: Marc Khouri <mnck@google.com>
diff --git a/sdk/fidl/fuchsia.wlan.sme/BUILD.gn b/sdk/fidl/fuchsia.wlan.sme/BUILD.gn
index cf08822..c4514fb 100644
--- a/sdk/fidl/fuchsia.wlan.sme/BUILD.gn
+++ b/sdk/fidl/fuchsia.wlan.sme/BUILD.gn
@@ -15,6 +15,7 @@
public_deps = [
"//sdk/fidl/fuchsia.wlan.common",
+ "//sdk/fidl/fuchsia.wlan.common.security",
"//sdk/fidl/fuchsia.wlan.ieee80211",
"//sdk/fidl/fuchsia.wlan.internal",
"//sdk/fidl/fuchsia.wlan.mesh",
diff --git a/sdk/fidl/fuchsia.wlan.sme/sme.fidl b/sdk/fidl/fuchsia.wlan.sme/sme.fidl
index bb7cb49..fded336 100644
--- a/sdk/fidl/fuchsia.wlan.sme/sme.fidl
+++ b/sdk/fidl/fuchsia.wlan.sme/sme.fidl
@@ -3,6 +3,7 @@
// found in the LICENSE file.
library fuchsia.wlan.sme;
+using fuchsia.wlan.common.security;
using fuchsia.wlan.common;
using fuchsia.wlan.ieee80211 as ieee80211;
using fuchsia.wlan.internal;
@@ -158,27 +159,18 @@
channel fuchsia.wlan.common.WlanChannel;
};
-/// Empty struct used as credential value for open networks.
+/// Empty struct used for union variants with no associated data.
type Empty = struct {};
-/// Information required to connect to a protected network.
-type Credential = flexible union {
- /// The network does not use credentials (open networks).
- 1: none Empty;
-
- /// Plaintext password (handled as binary data).
- 2: password bytes;
-
- /// Hash representation of the network passphrase (handled as binary data).
- 3: psk bytes;
-};
-
type ConnectRequest = struct {
ssid ieee80211.Ssid;
bss_description fuchsia.wlan.internal.BssDescription;
/// Informs SME whether multiple candidates were available, for metrics.
multiple_bss_candidates bool;
- credential Credential;
+ /// Authentication method.
+ ///
+ /// Describes how SME authenticates when connecting to the target network.
+ authentication fuchsia.wlan.common.security.Authentication;
/// Deprecated. SME makes internal decision on whether to perform a passive or active
/// scan during connect. Setting this field will not affect anything for FullMAC, but
diff --git a/src/connectivity/wlan/lib/common/rust/src/security/mod.rs b/src/connectivity/wlan/lib/common/rust/src/security/mod.rs
index e984621..4a8ab1d1 100644
--- a/src/connectivity/wlan/lib/common/rust/src/security/mod.rs
+++ b/src/connectivity/wlan/lib/common/rust/src/security/mod.rs
@@ -48,7 +48,6 @@
pub mod wpa;
use fidl_fuchsia_wlan_common_security as fidl_security;
-use fidl_fuchsia_wlan_sme as fidl_sme;
use std::convert::TryFrom;
use thiserror::Error;
@@ -57,25 +56,6 @@
wpa::credential::{Passphrase, PassphraseError, Psk, PskError},
};
-// TODO(fxbug.dev/95873): This code is temporary. It is used to extract credentials from an
-// `Authentication` and convert those credentials into the `Credential` SME
-// FIDL message. The message will be removed in favor of `Authentication`.
-pub trait AuthenticationExt {
- fn into_sme_credential(self) -> fidl_sme::Credential;
-}
-
-impl AuthenticationExt for fidl_security::Authentication {
- /// Converts an `Authentication` into an SME `Credential`.
- fn into_sme_credential(self) -> fidl_sme::Credential {
- let fidl_security::Authentication { credentials, .. } = self;
- credentials
- .map(|credentials| {
- BareCredentials::try_from(*credentials).expect("unknown credentials variant").into()
- })
- .unwrap_or_else(|| fidl_sme::Credential::None(fidl_sme::Empty))
- }
-}
-
/// Extension methods for the `Credentials` FIDL datagram.
pub trait CredentialsExt {
fn into_wep(self) -> Option<fidl_security::WepCredentials>;
@@ -181,22 +161,6 @@
}
}
-// TODO(fxbug.dev/95873): This code is temporary. It is used to extract credentials from an
-// `Authentication` or `SecurityAuthenticator` and convert those credentials
-// into the `Credential` SME FIDL message. The message will be removed in
-// favor of `Authentication`.
-impl From<BareCredentials> for fidl_sme::Credential {
- fn from(credentials: BareCredentials) -> Self {
- match credentials {
- BareCredentials::WepKey(key) => fidl_sme::Credential::Password(key.into()),
- BareCredentials::WpaPassphrase(passphrase) => {
- fidl_sme::Credential::Password(passphrase.into())
- }
- BareCredentials::WpaPsk(psk) => fidl_sme::Credential::Psk(psk.into()),
- }
- }
-}
-
impl TryFrom<fidl_security::Credentials> for BareCredentials {
type Error = SecurityError;
diff --git a/src/connectivity/wlan/lib/sme/src/client/mod.rs b/src/connectivity/wlan/lib/sme/src/client/mod.rs
index 1e5508c..bfa1f8e 100644
--- a/src/connectivity/wlan/lib/sme/src/client/mod.rs
+++ b/src/connectivity/wlan/lib/sme/src/client/mod.rs
@@ -22,10 +22,9 @@
state::{ClientState, ConnectCommand},
},
crate::{responder::Responder, Config, MlmeRequest, MlmeSink, MlmeStream},
- fidl_fuchsia_wlan_common as fidl_common,
- fidl_fuchsia_wlan_common_security::Authentication,
- fidl_fuchsia_wlan_ieee80211 as fidl_ieee80211, fidl_fuchsia_wlan_internal as fidl_internal,
- fidl_fuchsia_wlan_mlme as fidl_mlme, fidl_fuchsia_wlan_sme as fidl_sme,
+ fidl_fuchsia_wlan_common as fidl_common, fidl_fuchsia_wlan_ieee80211 as fidl_ieee80211,
+ fidl_fuchsia_wlan_internal as fidl_internal, fidl_fuchsia_wlan_mlme as fidl_mlme,
+ fidl_fuchsia_wlan_sme as fidl_sme,
fuchsia_inspect_contrib::auto_persist::{self, AutoPersist},
fuchsia_zircon as zx,
futures::channel::{mpsc, oneshot},
@@ -531,23 +530,8 @@
return connect_txn_stream;
}
- // TODO(fxbug.dev/95873): This code is temporary. It attempts to construct an
- // `Authentication` message from a security context using the
- // `Credential` in the `ConnectRequest` message. In the future, the
- // `Credential` field will be replaced with an `Authentication`
- // field and this step will no longer be needed.
- let authentication = Authentication::try_from(SecurityContext {
- security: &req.credential,
- device: &self.context.device_info,
- security_support: &self.context.security_support,
- config: &self.cfg,
- bss: &bss_description,
- });
- let protection = match authentication
+ let protection = match SecurityAuthenticator::try_from(req.authentication)
.map_err(From::from)
- .and_then(|authentication| {
- SecurityAuthenticator::try_from(authentication).map_err(From::from)
- })
.and_then(|authenticator| {
Protection::try_from(SecurityContext {
security: &authenticator,
@@ -782,6 +766,17 @@
}
}
+ fn authentication_wpa1_passphrase() -> fidl_security::Authentication {
+ fidl_security::Authentication {
+ protocol: fidl_security::Protocol::Wpa1,
+ credentials: Some(Box::new(fidl_security::Credentials::Wpa(
+ fidl_security::WpaCredentials::Passphrase(
+ b"password".as_slice().try_into().unwrap(),
+ ),
+ ))),
+ }
+ }
+
fn authentication_wpa2_personal_psk() -> fidl_security::Authentication {
fidl_security::Authentication {
protocol: fidl_security::Protocol::Wpa2Personal,
@@ -1441,14 +1436,7 @@
let mut connect_txn_stream = sme.on_connect_command(connect_req(
Ssid::try_from("wpa2").unwrap(),
bss_description,
- // TODO(fxbug.dev/95873): The more interesting test case here is a WPA1 using
- // credentials that are compatible with both WPA1 and WPA2.
- // However, because the `Authentication`'s security protocol is
- // ignored, this fails, because a passphrase is compatible with
- // WPA2. Change this test case once `Authentication` is part of
- // the SME `Connect` FIDL API.
- //authentication_wpa1_passphrase(),
- authentication_open(),
+ authentication_wpa1_passphrase(),
));
assert_variant!(
connect_txn_stream.try_next(),
@@ -1462,9 +1450,7 @@
let mut connect_txn_stream = sme.on_connect_command(connect_req(
Ssid::try_from("wpa3").unwrap(),
bss_description,
- // TODO(fxbug.dev/95873): See the TODO above.
- //authentication_wpa2_personal_passphrase(),
- authentication_wpa2_personal_psk(),
+ authentication_wpa2_personal_passphrase(),
));
assert_variant!(
connect_txn_stream.try_next(),
@@ -1728,38 +1714,11 @@
bss_description: fidl_internal::BssDescription,
authentication: fidl_security::Authentication,
) -> fidl_sme::ConnectRequest {
- // TODO(fxbug.dev/95873): This code is temporary and allows tests to be written against
- // `Authentication` rather than `Credential` prior to changes to the
- // SME FIDL API. This should be removed once the `credential` field
- // in `ConnectRequest` is replaced with an `authentication` field.
- // Note that this means that security protocols specified in test
- // code are not subject to the given `Authentication` but rather the
- // heuristics used in `on_connect_command`.
- // Discard information regarding security protocol.
- let credential = if let Some(credentials) = authentication.credentials {
- match *credentials {
- fidl_security::Credentials::Wep(fidl_security::WepCredentials { key }) => {
- fidl_sme::Credential::Password(key)
- }
- fidl_security::Credentials::Wpa(wpa) => match wpa {
- fidl_security::WpaCredentials::Passphrase(passphrase) => {
- fidl_sme::Credential::Password(passphrase)
- }
- fidl_security::WpaCredentials::Psk(psk) => {
- fidl_sme::Credential::Psk(psk.to_vec())
- }
- _ => panic!("Unkown `WpaCredentials` variant"),
- },
- _ => panic!("Unknown `Credentials` variant"),
- }
- } else {
- fidl_sme::Credential::None(fidl_sme::Empty)
- };
fidl_sme::ConnectRequest {
ssid: ssid.to_vec(),
bss_description,
multiple_bss_candidates: true,
- credential,
+ authentication,
deprecated_scan_type: fidl_common::ScanType::Passive,
}
}
diff --git a/src/connectivity/wlan/lib/sme/src/client/protection.rs b/src/connectivity/wlan/lib/sme/src/client/protection.rs
index 853ef1c..c7cc852 100644
--- a/src/connectivity/wlan/lib/sme/src/client/protection.rs
+++ b/src/connectivity/wlan/lib/sme/src/client/protection.rs
@@ -6,14 +6,10 @@
crate::client::{rsn::Rsna, ClientConfig},
anyhow::{format_err, Error},
fidl_fuchsia_wlan_common as fidl_common,
- fidl_fuchsia_wlan_common_security::{
- Authentication, Credentials, Protocol, WepCredentials, WpaCredentials,
- },
fidl_fuchsia_wlan_mlme::DeviceInfo,
- fidl_fuchsia_wlan_sme::Credential,
std::convert::{TryFrom, TryInto},
wlan_common::{
- bss::{self, BssDescription},
+ bss::BssDescription,
ie::{
self,
rsn::rsne::{self, Rsne},
@@ -21,11 +17,7 @@
},
security::{
wep::{self, WepKey},
- wpa::{
- self,
- credential::{Passphrase, Psk},
- },
- SecurityAuthenticator,
+ wpa, SecurityAuthenticator,
},
},
wlan_rsn::{
@@ -68,53 +60,6 @@
VendorIes(Vec<u8>),
}
-// TODO(fxbug.dev/95873): This code is temporary. It primarily provides conversions between the SME
-// `Credential` FIDL message and the `Credentials` message used in
-// `Authentication`. See the `TryFrom<SecurityContext<'_, Credential>>`
-// implementation below.
-trait CredentialExt {
- fn to_wep_credentials(&self) -> Result<Credentials, Error>;
- fn to_wpa1_wpa2_personal_credentials(&self) -> Result<Credentials, Error>;
- fn to_wpa3_personal_credentials(&self) -> Result<Credentials, Error>;
- fn is_none(&self) -> bool;
-}
-
-impl CredentialExt for Credential {
- fn to_wep_credentials(&self) -> Result<Credentials, Error> {
- match self {
- Credential::Password(ref password) => WepKey::parse(password.as_slice())
- .map(|key| Credentials::Wep(WepCredentials { key: key.into() }))
- .map_err(From::from),
- _ => Err(format_err!("Failed to construct credential for WEP")),
- }
- }
-
- fn to_wpa1_wpa2_personal_credentials(&self) -> Result<Credentials, Error> {
- match self {
- Credential::Password(ref password) => Passphrase::try_from(password.as_slice())
- .map(|passphrase| Credentials::Wpa(WpaCredentials::Passphrase(passphrase.into())))
- .map_err(From::from),
- Credential::Psk(ref psk) => Psk::try_from(psk.as_slice())
- .map(|psk| Credentials::Wpa(WpaCredentials::Psk(psk.into())))
- .map_err(From::from),
- _ => Err(format_err!("Failed to construct credential for WPA1 or WPA2")),
- }
- }
-
- fn to_wpa3_personal_credentials(&self) -> Result<Credentials, Error> {
- match self {
- Credential::Password(ref password) => Passphrase::try_from(password.as_slice())
- .map(|passphrase| Credentials::Wpa(WpaCredentials::Passphrase(passphrase.into())))
- .map_err(From::from),
- _ => Err(format_err!("Failed to construct credential for WPA3")),
- }
- }
-
- fn is_none(&self) -> bool {
- matches!(self, Credential::None(_))
- }
-}
-
/// Context for authentication.
///
/// This ephemeral type is used to query and derive various IEs and RSN entities based on
@@ -239,78 +184,6 @@
}
}
-// TODO(fxbug.dev/95873): This code is temporary. It constructs an `Authentication` FIDL message
-// from a security context with a `Credential` from the SME `Connect` FIDL
-// API. The `Credential` in the `ConnectRequest` will be changed into an
-// `Authentication` in the future, and this code will no longer be
-// necessary. This code is effectively a port of the
-// `crate::client::get_protection` function.
-impl<'a> TryFrom<SecurityContext<'a, Credential>> for Authentication {
- type Error = Error;
-
- fn try_from(context: SecurityContext<'a, Credential>) -> Result<Self, Self::Error> {
- use bss::Protection::*;
-
- // Note that this `Protection` type is distinct from the type defined in this module. This
- // type is strictly nominal and contains no metadata, credentials, etc.
- let protection = context.bss.protection();
- let credential = context.security;
- match protection {
- // Unsupported
- // TODO(fxbug.dev/92693): Support WPA Enterprise.
- Unknown | Wpa2Enterprise | Wpa3Enterprise => {
- Err(format_err!("Unsupported security protocol: {:?}", protection))
- }
- Open => credential
- .is_none()
- .then(|| Authentication { protocol: Protocol::Open, credentials: None })
- .ok_or_else(|| format_err!("Credential provided for open network")),
- Wep => credential.to_wep_credentials().map(|credentials| Authentication {
- protocol: Protocol::Wep,
- credentials: Some(Box::new(credentials)),
- }),
- Wpa1 => {
- credential.to_wpa1_wpa2_personal_credentials().map(|credentials| Authentication {
- protocol: Protocol::Wpa1,
- credentials: Some(Box::new(credentials)),
- })
- }
- Wpa1Wpa2PersonalTkipOnly | Wpa1Wpa2Personal | Wpa2PersonalTkipOnly | Wpa2Personal => {
- credential.to_wpa1_wpa2_personal_credentials().map(|credentials| Authentication {
- protocol: Protocol::Wpa2Personal,
- credentials: Some(Box::new(credentials)),
- })
- }
- // Use WPA3 if possible, but use WPA2 if WPA3 is not supported by the client or the
- // credential is incompatible with WPA3 (namely, if the credential is a PSK).
- Wpa2Wpa3Personal => credential
- .to_wpa3_personal_credentials()
- .ok()
- .and_then(|credentials| {
- context.config.wpa3_supported.then(|| Authentication {
- protocol: Protocol::Wpa3Personal,
- credentials: Some(Box::new(credentials)),
- })
- })
- .or_else(|| {
- credential.to_wpa1_wpa2_personal_credentials().ok().map(|credentials| {
- Authentication {
- protocol: Protocol::Wpa2Personal,
- credentials: Some(Box::new(credentials)),
- }
- })
- })
- .ok_or_else(|| format_err!("Failed to construct credential for WPA2 or WPA3")),
- Wpa3Personal => {
- credential.to_wpa3_personal_credentials().map(|credentials| Authentication {
- protocol: Protocol::Wpa3Personal,
- credentials: Some(Box::new(credentials)),
- })
- }
- }
- }
-}
-
impl<'a> TryFrom<SecurityContext<'a, SecurityAuthenticator>> for Protection {
type Error = Error;
@@ -868,93 +741,4 @@
.authentication_config()
.expect_err("created WPA3 auth config for incompatible device");
}
-
- #[test]
- fn authentication_from_credential_wpa2_wpa3_transitional() {
- let device = crate::test_utils::fake_device_info([1u8; 6]);
- let mut security_support = fake_security_support_empty();
- security_support.mfp.supported = true;
- security_support.sae.driver_handler_supported = true;
- security_support.sae.sme_handler_supported = true;
- let bss = fake_bss_description!(Wpa2Wpa3);
- let credential = Credential::Password("password".as_bytes().into());
-
- // WPA3 Personal should be used for transitional networks when driver support is available.
- let config = ClientConfig { wpa3_supported: true, ..Default::default() };
- let authentication = Authentication::try_from(SecurityContext {
- security: &credential,
- device: &device,
- security_support: &security_support,
- config: &config,
- bss: &bss,
- })
- .unwrap();
- assert!(matches!(authentication.protocol, Protocol::Wpa3Personal));
-
- // WPA2 Personal should be used for transitional networks when driver support is
- // unavailable.
- let config = ClientConfig { wpa3_supported: false, ..Default::default() };
- let authentication = Authentication::try_from(SecurityContext {
- security: &credential,
- device: &device,
- security_support: &security_support,
- config: &config,
- bss: &bss,
- })
- .unwrap();
- assert!(matches!(authentication.protocol, Protocol::Wpa2Personal));
- }
-
- // TODO(fxbug.dev/95873): This code is temporary. See `CredentialExt`.
- #[test]
- fn to_wep_credentials() {
- assert!(matches!(
- Credential::Password(b"ABCDEF0000".to_vec()).to_wep_credentials(),
- Ok(Credentials::Wep(_)),
- ));
- assert!(matches!(
- Credential::Password(b"ABCDEF0000123ABCDEF0000123".to_vec()).to_wep_credentials(),
- Ok(Credentials::Wep(_)),
- ));
- assert!(matches!(
- Credential::Password(b"vwxyz".to_vec()).to_wep_credentials(),
- Ok(Credentials::Wep(_)),
- ));
- assert!(matches!(
- Credential::Password(b"nopqrstuvwxyz".to_vec()).to_wep_credentials(),
- Ok(Credentials::Wep(_)),
- ));
-
- assert!(Credential::Password(b"ABCDEF0000F".to_vec()).to_wep_credentials().is_err());
- assert!(Credential::Password(b"ABCDEFNOPE".to_vec()).to_wep_credentials().is_err());
- assert!(Credential::Password(b"uvwxyz".to_vec()).to_wep_credentials().is_err());
- }
-
- // TODO(fxbug.dev/95873): This code is temporary. See `CredentialExt`.
- #[test]
- fn to_wpa1_wpa2_personal_credentials() {
- assert!(matches!(
- Credential::Password(b"password".to_vec()).to_wpa1_wpa2_personal_credentials(),
- Ok(Credentials::Wpa(WpaCredentials::Passphrase(_))),
- ));
- assert!(matches!(
- Credential::Psk(vec![0u8; PSK_SIZE_BYTES]).to_wpa1_wpa2_personal_credentials(),
- Ok(Credentials::Wpa(WpaCredentials::Psk(_))),
- ));
-
- assert!(Credential::Password(b"no".to_vec()).to_wpa1_wpa2_personal_credentials().is_err());
- assert!(Credential::Psk(vec![0u8; 8]).to_wpa1_wpa2_personal_credentials().is_err());
- }
-
- // TODO(fxbug.dev/95873): This code is temporary. See `CredentialExt`.
- #[test]
- fn to_wpa3_personal_credentials() {
- assert!(matches!(
- Credential::Password(b"password".to_vec()).to_wpa3_personal_credentials(),
- Ok(Credentials::Wpa(WpaCredentials::Passphrase(_))),
- ));
-
- assert!(Credential::Password(b"no".to_vec()).to_wpa3_personal_credentials().is_err());
- assert!(Credential::Psk(vec![0u8; PSK_SIZE_BYTES]).to_wpa3_personal_credentials().is_err());
- }
}
diff --git a/src/connectivity/wlan/testing/hw-sim/test/multiple_clients_ap/BUILD.gn b/src/connectivity/wlan/testing/hw-sim/test/multiple_clients_ap/BUILD.gn
index 2563f8d..5454d16 100644
--- a/src/connectivity/wlan/testing/hw-sim/test/multiple_clients_ap/BUILD.gn
+++ b/src/connectivity/wlan/testing/hw-sim/test/multiple_clients_ap/BUILD.gn
@@ -8,6 +8,7 @@
edition = "2021"
deps = [
"//sdk/fidl/fuchsia.wlan.common:fuchsia.wlan.common-rustc",
+ "//sdk/fidl/fuchsia.wlan.common.security:fuchsia.wlan.common.security-rustc",
"//sdk/fidl/fuchsia.wlan.device:fuchsia.wlan.device-rustc",
"//sdk/fidl/fuchsia.wlan.device.service:fuchsia.wlan.device.service-rustc",
"//sdk/fidl/fuchsia.wlan.ieee80211:fuchsia.wlan.ieee80211-rustc",
diff --git a/src/connectivity/wlan/testing/hw-sim/test/multiple_clients_ap/src/lib.rs b/src/connectivity/wlan/testing/hw-sim/test/multiple_clients_ap/src/lib.rs
index 52e4006..34e6239 100644
--- a/src/connectivity/wlan/testing/hw-sim/test/multiple_clients_ap/src/lib.rs
+++ b/src/connectivity/wlan/testing/hw-sim/test/multiple_clients_ap/src/lib.rs
@@ -11,10 +11,10 @@
use {
anyhow::format_err,
- fidl_fuchsia_wlan_common as fidl_common,
+ fidl_fuchsia_wlan_common as fidl_common, fidl_fuchsia_wlan_common_security as fidl_security,
fidl_fuchsia_wlan_device_service::DeviceServiceMarker,
fidl_fuchsia_wlan_ieee80211 as fidl_ieee80211,
- fidl_fuchsia_wlan_sme::{self as fidl_sme, ClientSmeProxy, ConnectRequest, Credential},
+ fidl_fuchsia_wlan_sme::{self as fidl_sme, ClientSmeProxy, ConnectRequest},
fuchsia_async as fasync,
fuchsia_component::client::connect_to_protocol,
fuchsia_zircon::DurationNum,
@@ -137,7 +137,10 @@
beacon_period: TimeUnit::DEFAULT_BEACON_INTERVAL.0 * 20u16,
channel: WLANCFG_DEFAULT_AP_CHANNEL.into(),
),
- credential: Credential::None(fidl_sme::Empty {}),
+ authentication: fidl_security::Authentication {
+ protocol: fidl_security::Protocol::Open,
+ credentials: None,
+ },
deprecated_scan_type: fidl_common::ScanType::Passive,
multiple_bss_candidates: false, // only used for metrics, select arbitrary value
};
@@ -179,7 +182,10 @@
beacon_period: TimeUnit::DEFAULT_BEACON_INTERVAL.0 * 20u16,
channel: WLANCFG_DEFAULT_AP_CHANNEL.into(),
),
- credential: Credential::None(fidl_sme::Empty {}),
+ authentication: fidl_security::Authentication {
+ protocol: fidl_security::Protocol::Open,
+ credentials: None,
+ },
deprecated_scan_type: fidl_common::ScanType::Passive,
multiple_bss_candidates: false, // only used for metrics, select arbitrary value
};
diff --git a/src/connectivity/wlan/testing/wlan-service-util/src/client.rs b/src/connectivity/wlan/testing/wlan-service-util/src/client.rs
index d89af493..c81b44e 100644
--- a/src/connectivity/wlan/testing/wlan-service-util/src/client.rs
+++ b/src/connectivity/wlan/testing/wlan-service-util/src/client.rs
@@ -21,7 +21,7 @@
security::{
wep::WepKey,
wpa::credential::{Passphrase, Psk},
- BareCredentials, SecurityError,
+ SecurityError,
},
};
@@ -175,23 +175,10 @@
bss: BssDescription::try_from(target_bss_desc.clone())?,
unparsed_credential_bytes: target_pwd,
})?;
- // TODO(fxbug.dev/95873): This code is temporary. It converts the credentials of the negotiated
- // `Authentication` into the `Credential` FIDL message used by SME. The
- // `ConnectRequest::credential` field will be replaced by an
- // `Authentication` field in the future, at which point the negotiated
- // `Authentication` can be used directly to construct the
- // `ConnectRequest`.
- // Discard security protocol information and extract any credentials.
- let credential = authentication
- .credentials
- .map(|credentials| {
- BareCredentials::try_from(*credentials).expect("unknown credentials variant").into()
- })
- .unwrap_or_else(|| fidl_sme::Credential::None(fidl_sme::Empty));
let mut req = fidl_sme::ConnectRequest {
ssid: target_ssid.clone().into(),
bss_description: target_bss_desc,
- credential,
+ authentication,
deprecated_scan_type: fidl_common::ScanType::Passive,
multiple_bss_candidates: false, // only used for metrics, select an arbitrary value
};
@@ -379,7 +366,6 @@
assert_variant,
channel::{Cbw, Channel},
fake_fidl_bss_description,
- security::AuthenticationExt as _,
},
};
@@ -937,13 +923,7 @@
bss: BssDescription::try_from(target_bss_desc.clone()).unwrap(),
unparsed_credential_bytes: target_password.to_vec(),
})
- .unwrap()
- // TODO(fxbug.dev/95873): This conversion is temporary. It converts the negotiated
- // `Authentication` into an SME `Credential`. The `credential`
- // field of `ConnectRequest` will be replaced by an
- // `Authentication`, at which time the conversion will be
- // unnecessary.
- .into_sme_credential(),
+ .unwrap(),
result_code,
);
@@ -1001,13 +981,7 @@
bss: BssDescription::try_from(target_bss_desc.clone()).unwrap(),
unparsed_credential_bytes: target_password.to_vec(),
})
- .unwrap()
- // TODO(fxbug.dev/95873): This conversion is temporary. It converts the negotiated
- // `Authentication` into an SME `Credential`. The `credential`
- // field of `ConnectRequest` will be replaced by an
- // `Authentication`, at which time the conversion will be
- // unnecessary.
- .into_sme_credential(),
+ .unwrap(),
target_bss_desc,
);
}
@@ -1040,13 +1014,7 @@
bss: BssDescription::try_from(target_bss_desc.clone()).unwrap(),
unparsed_credential_bytes: vec![],
})
- .unwrap()
- // TODO(fxbug.dev/95873): This conversion is temporary. It converts the negotiated
- // `Authentication` into an SME `Credential`. The `credential`
- // field of `ConnectRequest` will be replaced by an
- // `Authentication`, at which time the conversion will be
- // unnecessary.
- .into_sme_credential(),
+ .unwrap(),
target_bss_desc,
);
}
@@ -1055,13 +1023,13 @@
exec: &mut TestExecutor,
server: &mut StreamFuture<ClientSmeRequestStream>,
expected_ssid: &Ssid,
- expected_credential: fidl_sme::Credential,
+ expected_authentication: fidl_security::Authentication,
expected_bss_desc: fidl_internal::BssDescription,
) {
match poll_client_sme_request(exec, server) {
Poll::Ready(ClientSmeRequest::Connect { req, .. }) => {
assert_eq!(expected_ssid, &req.ssid);
- assert_eq!(req.credential, expected_credential);
+ assert_eq!(req.authentication, expected_authentication);
assert_eq!(req.bss_description, expected_bss_desc);
}
_ => panic!("expected a Connect request"),
@@ -1072,13 +1040,13 @@
exec: &mut TestExecutor,
server: &mut StreamFuture<ClientSmeRequestStream>,
expected_ssid: &Ssid,
- expected_credential: fidl_sme::Credential,
+ expected_authentication: fidl_security::Authentication,
connect_result: fidl_ieee80211::StatusCode,
) {
let responder = match poll_client_sme_request(exec, server) {
Poll::Ready(ClientSmeRequest::Connect { req, txn, .. }) => {
assert_eq!(expected_ssid, &req.ssid[..]);
- assert_eq!(req.credential, expected_credential);
+ assert_eq!(req.authentication, expected_authentication);
txn.expect("expected a Connect transaction channel")
}
Poll::Pending => panic!("expected a request to be available"),
diff --git a/src/connectivity/wlan/tools/wlantool/wlan_dev/src/lib.rs b/src/connectivity/wlan/tools/wlantool/wlan_dev/src/lib.rs
index 73f244e..88d39f4 100644
--- a/src/connectivity/wlan/tools/wlantool/wlan_dev/src/lib.rs
+++ b/src/connectivity/wlan/tools/wlantool/wlan_dev/src/lib.rs
@@ -31,7 +31,7 @@
security::{
wep::WepKey,
wpa::credential::{Passphrase, Psk},
- AuthenticationExt as _, SecurityError,
+ SecurityError,
},
},
};
@@ -481,11 +481,7 @@
let mut req = fidl_sme::ConnectRequest {
ssid: ssid.to_vec(),
bss_description,
- // TODO(fxbug.dev/95873): This conversion is temporary. It converts the negotiated
- // `Authentication` into an SME `Credential`. The `credential` field
- // of `ConnectRequest` will be replaced by an `Authentication`, at
- // which time the conversion will be unnecessary.
- credential: authentication.into_sme_credential(),
+ authentication,
deprecated_scan_type: scan_type.into(),
multiple_bss_candidates: false, // only used for metrics, select arbitrary value
};
diff --git a/src/connectivity/wlan/wlancfg/src/client/mod.rs b/src/connectivity/wlan/wlancfg/src/client/mod.rs
index 867c8bb..7493c8c 100644
--- a/src/connectivity/wlan/wlancfg/src/client/mod.rs
+++ b/src/connectivity/wlan/wlancfg/src/client/mod.rs
@@ -16,7 +16,7 @@
anyhow::{format_err, Error},
fidl::epitaph::ChannelEpitaphExt,
fidl_fuchsia_wlan_common as fidl_common, fidl_fuchsia_wlan_policy as fidl_policy,
- fidl_fuchsia_wlan_sme as fidl_sme, fuchsia_zircon as zx,
+ fuchsia_zircon as zx,
futures::{
channel::oneshot,
lock::{Mutex, MutexGuard},
@@ -417,15 +417,6 @@
}
}
-/// convert from policy fidl Credential to sme fidl Credential
-pub fn sme_credential_from_policy(cred: &Credential) -> fidl_sme::Credential {
- match cred {
- Credential::Password(pwd) => fidl_sme::Credential::Password(pwd.clone()),
- Credential::Psk(psk) => fidl_sme::Credential::Psk(psk.clone()),
- Credential::None => fidl_sme::Credential::None(fidl_sme::Empty {}),
- }
-}
-
/// Handle inbound requests to register an additional ClientStateUpdates listener.
async fn handle_listener_request(
update_sender: listener::ClientListenerMessageSender,
@@ -492,7 +483,7 @@
super::*,
crate::{
access_point::state_machine as ap_fsm,
- config_management::{Credential, NetworkConfig, SecurityType, WPA_PSK_BYTE_LEN},
+ config_management::{self, Credential, NetworkConfig, SecurityType, WPA_PSK_BYTE_LEN},
telemetry::{TelemetryEvent, TelemetrySender},
util::testing::{
create_inspect_persistence_channel, create_mock_cobalt_sender, create_wlan_hasher,
@@ -501,7 +492,7 @@
},
async_trait::async_trait,
fidl::endpoints::{create_proxy, create_request_stream, Proxy},
- fuchsia_async as fasync,
+ fidl_fuchsia_wlan_sme as fidl_sme, fuchsia_async as fasync,
fuchsia_inspect::{self as inspect},
futures::{
channel::{mpsc, oneshot},
@@ -605,7 +596,17 @@
let mut req = fidl_sme::ConnectRequest {
ssid: ssid.to_vec(),
bss_description,
- credential: sme_credential_from_policy(&connect_req.target.credential),
+ authentication: config_management::select_authentication_method(
+ match connect_req.target.credential {
+ Credential::None => client_types::SecurityTypeDetailed::Open,
+ Credential::Password(_) | Credential::Psk(_) => {
+ types::SecurityTypeDetailed::Wpa2Personal
+ }
+ },
+ connect_req.target.credential,
+ true,
+ )
+ .unwrap(),
deprecated_scan_type: fidl_common::ScanType::Passive,
multiple_bss_candidates: false,
};
@@ -869,7 +870,7 @@
req, ..
}))) => {
assert_eq!(b"foobar", &req.ssid[..]);
- assert_eq!(fidl_sme::Credential::None(fidl_sme::Empty), req.credential);
+ assert_eq!(None, req.authentication.credentials);
}
);
}
@@ -919,7 +920,7 @@
req, ..
}))) => {
assert_eq!(b"foobar-protected", &req.ssid[..]);
- assert_eq!(fidl_sme::Credential::Password(b"supersecure".to_vec()), req.credential);
+ assert_eq!(Credential::Password(b"supersecure".to_vec()), req.authentication.credentials.into())
// TODO(hahnr): Send connection response.
}
);
@@ -970,7 +971,7 @@
req, ..
}))) => {
assert_eq!(b"foobar-psk", &req.ssid[..]);
- assert_eq!(fidl_sme::Credential::Psk([64; WPA_PSK_BYTE_LEN].to_vec()), req.credential);
+ assert_eq!(Credential::Psk([64; WPA_PSK_BYTE_LEN].to_vec()), req.authentication.credentials.into())
// TODO(hahnr): Send connection response.
}
);
diff --git a/src/connectivity/wlan/wlancfg/src/client/state_machine.rs b/src/connectivity/wlan/wlancfg/src/client/state_machine.rs
index 72248c9..75bc41d 100644
--- a/src/connectivity/wlan/wlancfg/src/client/state_machine.rs
+++ b/src/connectivity/wlan/wlancfg/src/client/state_machine.rs
@@ -4,7 +4,7 @@
use {
crate::{
- client::{bss_selection, network_selection, sme_credential_from_policy, types},
+ client::{bss_selection, network_selection, types},
config_management::{self, PastConnectionData, SavedNetworksManagerApi},
telemetry::{DisconnectInfo, TelemetryEvent, TelemetrySender},
util::{
@@ -525,12 +525,7 @@
ssid: options.connect_request.target.network.ssid.to_vec(),
bss_description,
multiple_bss_candidates,
- // TODO(fxbug.dev/95873): This code is temporary. It extracts a bare
- // credential from the authentication rather than
- // transmitting the authentication in its entirety.
- credential: sme_credential_from_policy(
- &authentication.credentials.map(|credentials| *credentials).into()
- ),
+ authentication,
deprecated_scan_type: fidl_fuchsia_wlan_common::ScanType::Active,
};
common_options.proxy.connect(&mut sme_connect_request, Some(remote)).map_err(|e| {
@@ -1198,7 +1193,7 @@
poll_sme_req(&mut exec, &mut sme_fut),
Poll::Ready(fidl_sme::ClientSmeRequest::Connect{ req, txn, control_handle: _ }) => {
assert_eq!(req.ssid, next_network_ssid.to_vec());
- assert_eq!(req.credential, sme_credential_from_policy(&connect_request.target.credential));
+ assert_eq!(connect_request.target.credential, req.authentication.credentials.into());
assert_eq!(req.bss_description, bss_description);
assert_eq!(req.deprecated_scan_type, fidl_fuchsia_wlan_common::ScanType::Active);
assert_eq!(req.multiple_bss_candidates, true);
@@ -1353,7 +1348,7 @@
poll_sme_req(&mut exec, &mut sme_fut),
Poll::Ready(fidl_sme::ClientSmeRequest::Connect{ req, txn, control_handle: _ }) => {
assert_eq!(req.ssid, next_network_ssid.to_vec());
- assert_eq!(req.credential, sme_credential_from_policy(&connect_request.target.credential));
+ assert_eq!(connect_request.target.credential, req.authentication.credentials.into());
assert_eq!(req.bss_description, bss_description.clone().into());
assert_eq!(req.deprecated_scan_type, fidl_fuchsia_wlan_common::ScanType::Active);
assert_eq!(req.multiple_bss_candidates, false);
@@ -1598,7 +1593,7 @@
poll_sme_req(&mut exec, &mut sme_fut),
Poll::Ready(fidl_sme::ClientSmeRequest::Connect{ req, .. }) => {
assert_eq!(req.ssid, next_network_ssid.to_vec());
- assert_eq!(req.credential, sme_credential_from_policy(&connect_request.target.credential));
+ assert_eq!(connect_request.target.credential, req.authentication.credentials.into());
assert_eq!(req.bss_description, bss_description);
assert_eq!(req.deprecated_scan_type, fidl_fuchsia_wlan_common::ScanType::Active);
}
@@ -1822,7 +1817,7 @@
poll_sme_req(&mut executor, &mut sme_req_future),
Poll::Ready(fidl_sme::ClientSmeRequest::Connect{ req, .. }) => {
assert_eq!(req.ssid, ssid.to_vec());
- assert_eq!(req.credential, sme_credential_from_policy(&connect_request.target.credential));
+ assert_eq!(connect_request.target.credential, req.authentication.credentials.into());
assert_eq!(req.bss_description, bss_description);
assert_eq!(req.deprecated_scan_type, fidl_fuchsia_wlan_common::ScanType::Active);
}
@@ -1939,7 +1934,7 @@
poll_sme_req(&mut executor, &mut sme_req_future),
Poll::Ready(fidl_sme::ClientSmeRequest::Connect{ req, .. }) => {
assert_eq!(req.ssid, ssid.to_vec());
- assert_eq!(req.credential, sme_credential_from_policy(&connect_request.target.credential));
+ assert_eq!(connect_request.target.credential, req.authentication.credentials.into());
assert_eq!(req.bss_description, bss_description);
assert_eq!(req.deprecated_scan_type, fidl_fuchsia_wlan_common::ScanType::Active);
}
@@ -2287,7 +2282,7 @@
poll_sme_req(&mut exec, &mut sme_fut),
Poll::Ready(fidl_sme::ClientSmeRequest::Connect{ req, txn, control_handle: _ }) => {
assert_eq!(req.ssid, next_network_ssid.to_vec());
- assert_eq!(req.credential, sme_credential_from_policy(&connect_request.target.credential));
+ assert_eq!(connect_request.target.credential, req.authentication.credentials.into());
assert_eq!(req.bss_description, bss_description);
assert_eq!(req.deprecated_scan_type, fidl_fuchsia_wlan_common::ScanType::Active);
assert_eq!(req.multiple_bss_candidates, false);
@@ -2407,7 +2402,7 @@
poll_sme_req(&mut exec, &mut sme_fut),
Poll::Ready(fidl_sme::ClientSmeRequest::Connect{ req, txn, control_handle: _ }) => {
assert_eq!(req.ssid, next_network_ssid.to_vec());
- assert_eq!(req.credential, sme_credential_from_policy(&connect_request.target.credential));
+ assert_eq!(connect_request.target.credential, req.authentication.credentials.into());
assert_eq!(req.bss_description, bss_description.clone());
assert_eq!(req.deprecated_scan_type, fidl_fuchsia_wlan_common::ScanType::Active);
assert_eq!(req.multiple_bss_candidates, true);
@@ -2557,7 +2552,7 @@
poll_sme_req(&mut exec, &mut sme_fut),
Poll::Ready(fidl_sme::ClientSmeRequest::Connect{ req, txn, control_handle: _ }) => {
assert_eq!(req.ssid, next_network_ssid.to_vec());
- assert_eq!(req.credential, sme_credential_from_policy(&connect_request.target.credential));
+ assert_eq!(connect_request.target.credential, req.authentication.credentials.into());
assert_eq!(req.bss_description, bss_description.clone());
assert_eq!(req.deprecated_scan_type, fidl_fuchsia_wlan_common::ScanType::Active);
assert_eq!(req.multiple_bss_candidates, true);
@@ -2698,7 +2693,7 @@
poll_sme_req(&mut exec, &mut sme_fut),
Poll::Ready(fidl_sme::ClientSmeRequest::Connect{ req, txn, control_handle: _ }) => {
assert_eq!(req.ssid, next_network_ssid.to_vec());
- assert_eq!(req.credential, sme_credential_from_policy(&connect_request.target.credential.clone()));
+ assert_eq!(connect_request.target.credential, req.authentication.credentials.into());
assert_eq!(req.deprecated_scan_type, fidl_fuchsia_wlan_common::ScanType::Active);
assert_eq!(req.bss_description, bss_description);
assert_eq!(req.multiple_bss_candidates, true);
@@ -4747,7 +4742,7 @@
poll_sme_req(&mut exec, &mut sme_fut),
Poll::Ready(fidl_sme::ClientSmeRequest::Connect{ req, txn, control_handle: _ }) => {
assert_eq!(req.ssid, next_network_ssid.to_vec());
- assert_eq!(req.credential, sme_credential_from_policy(&connect_request.target.credential));
+ assert_eq!(connect_request.target.credential, req.authentication.credentials.into());
assert_eq!(req.deprecated_scan_type, fidl_fuchsia_wlan_common::ScanType::Active);
assert_eq!(req.bss_description, bss_description.clone());
assert_eq!(req.multiple_bss_candidates, true);
diff --git a/src/connectivity/wlan/wlancfg/src/config_management/network_config.rs b/src/connectivity/wlan/wlancfg/src/config_management/network_config.rs
index 2d4cd11..6513d83 100644
--- a/src/connectivity/wlan/wlancfg/src/config_management/network_config.rs
+++ b/src/connectivity/wlan/wlancfg/src/config_management/network_config.rs
@@ -421,13 +421,12 @@
}
}
-// TODO(fxbug.dev/95873): This code is temporary. It allows common FIDL credentials to be extracted
-// from an `Authentication` and converted back into the Policy `Credential`
-// type. This is used to discard the `Authentication` prior to changing the
-// SME FIDL APIs, which will directly accept it. Though `From`
-// implementations should generally not panic, this conversion panics if
-// unrecognized FIDL is encountered. This is very unlikely to occur, as this
-// code is used to roundtrip FIDL within the same binary.
+// TODO(fxbug.dev/102606): Remove this conversion. Once calls to `select_authentication_method` are
+// removed from the state machine, there will instead be an
+// `Authentication` (or `SecurityAuthenticator`) field in
+// `ScannedCandidate` which can be more directly compared to SME
+// `ConnectRequest`s in tests.
+#[cfg(test)]
impl From<Option<fidl_security::Credentials>> for Credential {
fn from(credentials: Option<fidl_security::Credentials>) -> Self {
use fidl_security::{Credentials, WepCredentials, WpaCredentials};
@@ -445,6 +444,14 @@
}
}
+// TODO(fxbug.dev/102606): Remove this conversion. See the similar conversion above.
+#[cfg(test)]
+impl From<Option<Box<fidl_security::Credentials>>> for Credential {
+ fn from(credentials: Option<Box<fidl_security::Credentials>>) -> Self {
+ credentials.map(|credentials| *credentials).into()
+ }
+}
+
#[derive(Arbitrary)] // Derive Arbitrary for fuzzer
#[derive(Clone, Copy, Debug, Eq, Hash, PartialEq)]
pub enum SecurityType {
diff --git a/src/connectivity/wlan/wlancfg/src/mode_management/iface_manager.rs b/src/connectivity/wlan/wlancfg/src/mode_management/iface_manager.rs
index 346b656..81886da 100644
--- a/src/connectivity/wlan/wlancfg/src/mode_management/iface_manager.rs
+++ b/src/connectivity/wlan/wlancfg/src/mode_management/iface_manager.rs
@@ -2104,7 +2104,7 @@
poll_sme_req(&mut exec, &mut _sme_stream),
Poll::Ready(fidl_fuchsia_wlan_sme::ClientSmeRequest::Connect{ req, txn, control_handle: _ }) => {
assert_eq!(req.ssid, TEST_SSID.clone());
- assert_eq!(req.credential, fidl_fuchsia_wlan_sme::Credential::Password(TEST_PASSWORD.as_bytes().to_vec()));
+ assert_eq!(Credential::Password(TEST_PASSWORD.as_bytes().to_vec()), req.authentication.credentials.into());
let (_stream, ctrl) = txn.expect("connect txn unused")
.into_stream_and_control_handle().expect("error accessing control handle");
ctrl
@@ -2266,7 +2266,7 @@
poll_sme_req(&mut exec, &mut _sme_stream),
Poll::Ready(fidl_fuchsia_wlan_sme::ClientSmeRequest::Connect{ req, txn, control_handle: _ }) => {
assert_eq!(req.ssid, TEST_SSID.clone());
- assert_eq!(req.credential, fidl_fuchsia_wlan_sme::Credential::Password(TEST_PASSWORD.as_bytes().to_vec()));
+ assert_eq!(Credential::Password(TEST_PASSWORD.as_bytes().to_vec()), req.authentication.credentials.into());
let (_stream, ctrl) = txn.expect("connect txn unused")
.into_stream_and_control_handle().expect("error accessing control handle");
ctrl
@@ -5038,7 +5038,7 @@
poll_sme_req(&mut exec, &mut sme_stream),
Poll::Ready(fidl_fuchsia_wlan_sme::ClientSmeRequest::Connect{ req, txn, control_handle: _ }) => {
assert_eq!(req.ssid, TEST_SSID.clone());
- assert_eq!(req.credential, fidl_fuchsia_wlan_sme::Credential::Password(TEST_PASSWORD.as_bytes().to_vec()));
+ assert_eq!(Credential::Password(TEST_PASSWORD.as_bytes().to_vec()), req.authentication.credentials.into());
let (_stream, ctrl) = txn.expect("connect txn unused")
.into_stream_and_control_handle().expect("error accessing control handle");
ctrl
