3
0
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2024-11-29 13:59:24 +01:00
Commit Graph

3661 Commits

Author SHA1 Message Date
James Prestwood
672098118d netdev: fix bug setting OWE IE length
The length was being set to whatever the last nl80211 attribute was,
not the length for the RESP_IE iteration.
2022-02-03 11:40:08 -06:00
Denis Kenzior
8a5b3f6880 handshake: Do not crash if handshake is destroyed
Commit 4d2176df29 ("handshake: Allow event handler to free handshake")
introduced a re-entrancy guard so that handshake_state objects that are
destroyed as a result of the event do not cause a crash.  It rightly
used a temporary object to store the passed in handshake.  Unfortunately
this caused variable shadowing which resulted in crashes fixed by commit
d22b174a73 ("handshake: use _hs directly in handshake_event").
However, since the temporary was no longer used, this fix itself caused
a crash:

 #0  0x00005555f0ba8b3d in eapol_handle_ptk_1_of_4 (sm=sm@entry=0x5555f2b4a920, ek=0x5555f2b62588, ek@entry=0x16, unencrypted=unencrypted@entry=false) at src/eapol.c:1236
1236				handshake_event(sm->handshake,
(gdb) bt
 #0  0x00005555f0ba8b3d in eapol_handle_ptk_1_of_4 (sm=sm@entry=0x5555f2b4a920, ek=0x5555f2b62588, ek@entry=0x16, unencrypted=unencrypted@entry=false) at src/eapol.c:1236
 #1  0x00005555f0bab118 in eapol_key_handle (unencrypted=<optimized out>, frame=<optimized out>, sm=0x5555f2b4a920) at src/eapol.c:2343
 #2  eapol_rx_packet (proto=<optimized out>, from=<optimized out>, frame=<optimized out>, unencrypted=<optimized out>, user_data=0x5555f2b4a920) at src/eapol.c:2665
 #3  0x00005555f0bac497 in __eapol_rx_packet (ifindex=62, src=src@entry=0x5555f2b62574 "x\212 J\207\267", proto=proto@entry=34958, frame=frame@entry=0x5555f2b62588 "\002\003",
   len=len@entry=121, noencrypt=noencrypt@entry=false) at src/eapol.c:3017
 #4  0x00005555f0b8c617 in netdev_control_port_frame_event (netdev=0x5555f2b64450, msg=0x5555f2b62588) at src/netdev.c:5574
 #5  netdev_unicast_notify (msg=msg@entry=0x5555f2b619a0, user_data=<optimized out>) at src/netdev.c:5613
 #6  0x00007f60084c9a51 in dispatch_unicast_watches (msg=0x5555f2b619a0, id=<optimized out>, genl=0x5555f2b3fc80) at ell/genl.c:954
 #7  process_unicast (nlmsg=0x7fff61abeac0, genl=0x5555f2b3fc80) at ell/genl.c:973
 #8  received_data (io=<optimized out>, user_data=0x5555f2b3fc80) at ell/genl.c:1098
 #9  0x00007f60084c61bd in io_callback (fd=<optimized out>, events=1, user_data=0x5555f2b3fd20) at ell/io.c:120
 #10 0x00007f60084c536d in l_main_iterate (timeout=<optimized out>) at ell/main.c:478
 #11 0x00007f60084c543e in l_main_run () at ell/main.c:525
 #12 l_main_run () at ell/main.c:507
 #13 0x00007f60084c5670 in l_main_run_with_signal (callback=callback@entry=0x5555f0b89150 <signal_handler>, user_data=user_data@entry=0x0) at ell/main.c:647
 #14 0x00005555f0b886a4 in main (argc=<optimized out>, argv=<optimized out>) at src/main.c:532

This happens when the driver does not support rekeying, which causes iwd to
attempt a disconnect and re-connect.  The disconnect action is
taken during the event callback and destroys the underlying eapol state
machine.  Since a temporary isn't used, attempting to dereference
sm->handshake results in a crash.

Fix this by introducing a UNIQUE_ID macro which should prevent shadowing
and using a temporary variable as originally intended.

Fixes: d22b174a73 ("handshake: use _hs directly in handshake_event")
Fixes: 4d2176df29 ("handshake: Allow event handler to free handshake")
Reported-By: Toke Høiland-Jørgensen <toke@toke.dk>
Tested-by: Toke Høiland-Jørgensen <toke@toke.dk>
2022-02-03 09:44:08 -06:00
Denis Kenzior
fe2272c112 dbus: netdev/wheel do not use .Agent interface
There is no need to punch the holes for netdev/wheel groups to send to
the .Agent interface.  This is only done by the iwd daemon itself and
the policy for user 'root' already takes care of this.
2022-01-31 14:06:20 -06:00
James Prestwood
6ff99f1766 scan: parse BSS_SIGNAL_UNSPEC, fix potential zero signal
A select few drivers send this instead of SIGNAL_MBM. The docs say this
value is the signal 'in unspecified units, scaled to 0..100'. The range
for SIGNAL_MBM is -10000..0 so this can be scaled to the MBM range easy
enough...

Now, this isn't exactly correct because this value ultimately gets
returned from GetOrderedNetworks() and is documented as 100 * dBm where
in reality its just a unit-less signal strength value. Its not ideal, but
this patch at least will fix BSS ranking for these few drivers.
2022-01-31 13:40:19 -06:00
Diederik de Haas
010b0e27f9 dbus: Remove 'at_console', add 'netdev' settings
The 'at_console' D-Bus policy setting has been deprecated for more then
10 years and could be ignored at any time in the future. Moreover, while
the intend was to allow locally logged on users to interact with iwd, it
didn't actually do that.
More info at https://www.spinics.net/lists/linux-bluetooth/msg75267.html
and https://gitlab.freedesktop.org/dbus/dbus/-/issues/52
Therefor remove the 'at_console' setting block.

On Debian (based) systems, there is a standard defined group which is
allowed to manage network interfaces, and that is the 'netdev' group.
So add a D-Bus setting block to grant the 'netdev' group that access.
2022-01-26 14:03:27 -06:00
James Prestwood
d4b93220c5 sae: fix missing reallocarray definition
Building on GCC 8 resulted in this compiler error.

src/sae.c:107:25: error: implicit declaration of function 'reallocarray';
	did you mean 'realloc'? [-Werror=implicit-function-declaration]
	sm->rejected_groups = reallocarray(NULL, 2, sizeof(uint16_t));
2022-01-26 13:21:52 -06:00
Denis Kenzior
b47ada02bf treewide: Fix compiler warnings
src/erp.c:134:10: error: comparison of integer expressions of different
signedness: 'unsigned int' and 'int' [-Werror=sign-compare]

src/eap-ttls.c:378:10: error: comparison of integer expressions of different signedness: 'uint32_t' {aka 'unsigned int'} and 'int' [-Werror=sign-compare]
2022-01-26 13:21:52 -06:00
James Prestwood
d22b174a73 handshake: use _hs directly in handshake_event
Fixes the following crash:
 #0  0x000211c4 in netdev_connect_event (msg=<optimized out>, netdev=0x2016940) at src/netdev.c:2915
 #1  0x76f11220 in process_multicast (nlmsg=0x7e8acafc, group=<optimized out>, genl=<optimized out>) at ell/genl.c:1029
 #2  received_data (io=<optimized out>, user_data=<optimized out>) at ell/genl.c:1096
 #3  0x76f0da08 in io_callback (fd=<optimized out>, events=1, user_data=0x200a560) at ell/io.c:120
 #4  0x76f0ca78 in l_main_iterate (timeout=<optimized out>) at ell/main.c:478
 #5  0x76f0cb74 in l_main_run () at ell/main.c:525
 #6  l_main_run () at ell/main.c:507
 #7  0x76f0cdd4 in l_main_run_with_signal (callback=callback@entry=0x18c94 <signal_handler>, user_data=user_data@entry=0x0)
   at ell/main.c:647
 #8  0x00018178 in main (argc=<optimized out>, argv=<optimized out>) at src/main.c:532

This crash was introduced in commit:
4d2176df29 ("handshake: Allow event handler to free handshake")

The culprit seems to be that 'hs' is being used both in the caller and
in the macro.  Since the macro defines a variable 'hs' in local block
scope, it overrides 'hs' from function scope.  Yet (_hs) still evaluates
to 'hs' leading the local variable to be initialized with itself.  Only
the 'handshake_event(hs, HANDSHAKE_EVENT_SETTING_KEYS))' is affected
since it is the only macro invocation that uses 'hs' from function
scope.  Thus, the crash would only happen on hardware supporting handshake
offload (brcmfmac).

Fix this by removing the local scope variable declaration and evaluate
(_hs) instead.

Fixes: 4d2176df29 ("handshake: Allow event handler to free handshake")
2022-01-26 13:20:00 -06:00
James Prestwood
b2d0bb08a0 network: fix double whitespace 2022-01-24 16:39:45 -06:00
Denis Kenzior
30b04bc3bb json: Tighten up json_iter_get_int/get_uint
- Ensure that input isn't an empty string

- Ensure that EINVAL errno (which could be optionally returned by
  strto{ul|l} is also checked.

- Since strtoul allows '+' and '-' characters in input, ensure that
  input which is expected to be an unsigned number doesn't start with
  '-'
2022-01-23 11:22:34 -06:00
James Prestwood
26b7446178 sae: pass exact length to l_ecc_point_from_data
l_ecc_point_from_data now strictly enforces the buffer length.
2022-01-21 13:44:59 -06:00
James Prestwood
d8116e8828 dpp-util: add dpp_point_from_asn1()
Given an ASN1 blob of the right form, parse and create
an l_ecc_point object. The form used is specific to DPP
hence why this isn't general purpose and put into dpp-util.
2022-01-21 10:52:26 -06:00
Andrew Zaborowski
dfaf6e045f p2p: Fix ie_tlv_extract_wfd_payload call typo 2022-01-21 08:53:35 -06:00
Andrew Zaborowski
4d2176df29 handshake: Allow event handler to free handshake
Like in ap.c, allow the event callback to mark the handshake state as
destroyed, without causing invalid accesses after the callback has
returned.  In this case the crash was because try_handshake_complete
needed to access members of handshake_state after emitting the event,
as well as access the netdev, which also has been destroyed:

==257707== Invalid read of size 8
==257707==    at 0x408C85: try_handshake_complete (netdev.c:1487)
==257707==    by 0x408C85: try_handshake_complete (netdev.c:1480)
(...)
==257707==  Address 0x4e187e8 is 856 bytes inside a block of size 872 free'd
==257707==    at 0x484621F: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==257707==    by 0x437887: ap_stop_handshake (ap.c:151)
==257707==    by 0x439793: ap_del_station (ap.c:316)
==257707==    by 0x43EA92: ap_station_disconnect (ap.c:3411)
==257707==    by 0x43EA92: ap_station_disconnect (ap.c:3399)
==257707==    by 0x454276: p2p_group_event (p2p.c:1006)
==257707==    by 0x439147: ap_event (ap.c:281)
==257707==    by 0x4393AB: ap_new_rsna (ap.c:390)
==257707==    by 0x4393AB: ap_handshake_event (ap.c:1010)
==257707==    by 0x408C7F: try_handshake_complete (netdev.c:1485)
==257707==    by 0x408C7F: try_handshake_complete (netdev.c:1480)
(...)
2022-01-21 08:51:49 -06:00
Andrew Zaborowski
079489bd66 ap: Don't defer ap_reset when ap_free called in event
Previously we added logic to defer doing anything in ap_free() to after
the AP event handler has returned so that ap_event() has a chance to
inform whoever called it that the ap_state has been freed.  But there's
also a chance that the event handler is destroying both the AP and the
netdev it runs on, so after the handler has returned we can't even use
netdev_get_wdev_id or netdev_get_ifindex.  The easiest solution seems to
be to call ap_reset() in ap_free() even if we're within an event handler
to ensure we no longer need any external objects.  Also make sure
ap_reset() can be called multiple times.

Another option would be to watch for NETDEV_WATCH_EVENT_DEL and remove
our reference to the netdev (because there's no need actually call
l_rtnl_ifaddr_delete or frame_watch_wdev_remove if the netdev was
destroyed -- frame_watch already tracks netdev removals), or to save
just the ifindex and the wdev id...
2022-01-21 08:51:04 -06:00
James Prestwood
76b6aa66b3 dpp: fix dpp_offchannel_start corner cases
The purpose of this was to have a single utility to both cancel an
existing offchannel operation (if one exists) and start a new one.

The problem was the previous offchannel operation was being canceled
first which opened up the radio work queue to other items. This is
not desireable as, for example, a scan would end up breaking the
DPP protocol most likely.

Starting the new offchannel then canceling is the correct order of
operations but to do this required saving the new ID, canceling, then
setting offchannel_id to the new ID so dpp_presence_timeout wouldn't
overwrite the new ID to zero.

This also removes an explicit call to offchannel_cancel which is
already done by dpp_offchannel_start.
2022-01-20 14:19:56 -06:00
James Prestwood
8ce491fbb2 dpp: use own/peer naming rather than i/r
Several members are named based on initiator/responder (i/r)
terminology. Eventually both initiator and responder will be
supported so rename these members to use own/peer naming
instead.
2022-01-20 14:11:44 -06:00
James Prestwood
52fafd8f5b dpp-util: use ell/asn1-private.h for ASN1 generation
ASN1 parsing will soon be required which will need some utilities in
asn1-private.h. To avoid duplication include this private header and
replace the OID's with the defined structures as well as remove the
duplicated macros.
2022-01-20 13:59:37 -06:00
James Prestwood
73cd3578d9 station: fix OWE scan logic with autoconnect
station_set_scan_results takes an autoconnect flag which was being
set true in both regular/quick autoconnect scans. Since OWE networks
are processed after setting the scan results IWD could end up
connecting to a network before all the OWE hidden networks are
populated.

To fix this regular/quick autoconnect results will set the flag to
false, then process OWE networks, then start autoconnect. If any
OWE network scans are pending station_autoconnect_start will fail
but will pick back up after the hidden OWE scan.
2022-01-20 13:54:14 -06:00
James Prestwood
ac78076663 eap-pwd: add length checks for fragmented packets 2022-01-20 13:49:32 -06:00
James Prestwood
f70c0cb2f9 dpp: free nl80211 object on exit 2022-01-19 17:17:26 -06:00
James Prestwood
2c6bb735ac station: send debug "roam-scan-triggered" event 2022-01-19 16:37:51 -06:00
Denis Kenzior
62978ef0fb scan: Allow scan_cancel for finished requests
scan_request_failed and scan_finished remove the finished scan_request
from the request queue right away, before calling the callback.  This
breaks those clients that rely on scan_cancel working on such requests
(i.e. to force the destroy callback to be invoked synchronously, see
a0911ca778 ("station: Make sure roam_scan_id is always canceled").

Fix this by removing the scan_request from the request queue after
invoking the callback.  Also provide a re-entrancy guard that will make
sure that the scan_request isn't removed in scan_cancel itself.
2022-01-19 16:37:21 -06:00
Denis Kenzior
bef550df81 scan: Simplify scan_finished
There are similar operations being performed but with different
callbacks and userdata, depending on whether 'sr' is NULL or not.
Optimize the function flow slightly to make if-else unnecessary.

While here, update the comment.  periodic scans are now scheduled only
based on the periodic timeout timer.
2022-01-19 16:37:21 -06:00
Denis Kenzior
1fd6aba43c scan: Remove redundant call
l_queue_remove is already called in scan_request_failed.
2022-01-19 16:37:21 -06:00
Denis Kenzior
c125d2b003 scan: Move triggered variable to scan_request 2022-01-19 16:37:21 -06:00
Denis Kenzior
6051a14952 scan: Don't callback on SCAN_ABORTED
If periodic scan is active and we receive a SCAN_ABORTED event, we would
still invoke the periodic scan callback with an error.  This is rather
pointless since the periodic scan callback cannot do anything useful
with this information.  Fix that.
2022-01-19 16:37:21 -06:00
Denis Kenzior
280620d7ac scan: Remove unreachable code
We should never reach a point where NEW_SCAN_RESULTS or SCAN_ABORTED are
received before a corresponding TRIGGER_SCAN is received.  Even if this
does happen, there's no harm from processing the commands anyway.
2022-01-19 16:37:21 -06:00
Denis Kenzior
c4c86ea1df scan: Move 'started' to scan_request
This makes it a little easier to book-keep the started variable.  Since
scan_request already has a 'passive' bit-field, there should be no
storage penalty.
2022-01-19 16:37:21 -06:00
Denis Kenzior
af375a1cde scan: Don't crash on scan_cancel
If scan_cancel is called on a scan_request that is 'finished' but with
the GET_SCAN command still in flight, it will trigger a crash as
follows:
Received Deauthentication event, reason: 2, from_ap: true
src/station.c:station_disconnect_event() 11
src/station.c:station_disassociated() 11
src/station.c:station_reset_connection_state() 11
src/station.c:station_roam_state_clear() 11
src/scan.c:scan_cancel() Trying to cancel scan id 6 for wdev 200000002
src/scan.c:scan_cancel() Scan is at the top of the queue, but not triggered
src/scan.c:get_scan_done() get_scan_done
Aborting (signal 11) [/home/denkenz/iwd-master/src/iwd]
++++++++ backtrace ++++++++
 #0  0x7f9871aef3f0 in /lib64/libc.so.6
 #1  0x41f470 in station_roam_scan_notify() at /home/denkenz/iwd-master/src/station.c:2285
 #2  0x43936a in scan_finished() at /home/denkenz/iwd-master/src/scan.c:1709
 #3  0x439495 in get_scan_done() at /home/denkenz/iwd-master/src/scan.c:1739
 #4  0x4bdef5 in destroy_request() at /home/denkenz/iwd-master/ell/genl.c:676
 #5  0x4c070b in l_genl_family_cancel() at /home/denkenz/iwd-master/ell/genl.c:1960
 #6  0x437069 in scan_cancel() at /home/denkenz/iwd-master/src/scan.c:842
 #7  0x41dc2e in station_roam_state_clear() at /home/denkenz/iwd-master/src/station.c:1594
 #8  0x41dd2b in station_reset_connection_state() at /home/denkenz/iwd-master/src/station.c:1619
 #9  0x41dea4 in station_disassociated() at /home/denkenz/iwd-master/src/station.c:1644

The happens because get_scan_done callback is still called as a result of
l_genl_cancel.  Add a re-entrancy guard in the form of 'canceled'
variable in struct scan_request.  If set, get_scan_done will skip invoking
scan_finished.

It isn't clear what 'l_queue_peek_head() == results->sr' check was trying
to accomplish.  If GET_SCAN dump was scheduled, then it should be
reported.  Drop it.
2022-01-19 16:37:21 -06:00
Denis Kenzior
e1593df4bd scan: Call scan_finished if results->sr is NULL
results->sr is set to NULL for 'opportunistic' scans which were
triggered externally.  See scan_notify() for details.  However,
get_scan_done would only invoke scan_finished (and thus the periodic
scan callback sc->sp.callback) only if the scan queue was empty.  It
should do so in all cases.
2022-01-19 16:37:21 -06:00
James Prestwood
188d09af42 dpp-util: fix dpp_point_to_asn1 compressed type
The point type was being hard coded to 0x3 (BIT1) which may have resulted
in the peer subtracting Y from P when reading in the point (depending on
if Y was odd or not).

Instead set the compressed type to whatever avoids the subtraction which
both saves IWD from needing to do it, as well as the peer.
2022-01-18 15:01:59 -06:00
Denis Kenzior
44a7bc640b scan: Remove work_started variable
With the introduction of wiphy_radio_work_is_running we no longer need
to track this separately.
2022-01-18 13:04:12 -06:00
Denis Kenzior
b20774a55f station: Add some additional debugs 2022-01-14 16:30:26 -06:00
Diederik de Haas
a5495978b7 dpp: fix 2 spelling errors 2022-01-14 12:46:56 -06:00
Diederik de Haas
8a09cd3472 doc: fix overriden -> overridden 2022-01-14 12:46:16 -06:00
Denis Kenzior
60e0a5073a anqputil: Avoid potential overflow
When checking that the length is valid, avoid potentially overflowing
    'anqp + l_get_le16(anqp + 2)'
2022-01-14 12:08:01 -06:00
Denis Kenzior
d2ca0c4f18 dpp-util: Avoid potential overflow
When checking that the length is valid, avoid potentially overflowing
'iter->pos + len'
2022-01-14 12:07:57 -06:00
Denis Kenzior
eddcc4c5b6 erp: Fix off by one error
The intent of this check is to make sure that at least 2 bytes are
available for reading.  However, the unintended consequence is that tags
with a zero length at the end of input would be rejected.

While here, rework the check to be more resistant to potential
overflow conditions.
2022-01-14 10:22:41 -06:00
Denis Kenzior
938e056896 erp: Avoid potential overflow
When checking that the length is valid, avoid potentially overflowing
'start + len'
2022-01-14 09:49:47 -06:00
Denis Kenzior
5e9178b9de wscutil: Avoid potential overflow
When checking that the length is valid, avoid potentially overflowing
'start + len'
2022-01-14 09:49:47 -06:00
Denis Kenzior
22faf3482c eap-ttls: Avoid potential overflow
When checking that the length is valid, avoid potentially overflowing
'start + len'
2022-01-14 09:49:47 -06:00
Denis Kenzior
01960ec66e erp: Fix comment that is > 80 chars wide 2022-01-14 09:49:47 -06:00
James Prestwood
bbfcdf0ac7 dpp: stop periodic scanning when starting DPP 2022-01-12 12:46:18 -06:00
James Prestwood
34348fcb42 scan: don't print notification if sc is not found
If this scan is not for any IWD wdev's don't print
2022-01-12 12:46:15 -06:00
James Prestwood
ceb6da81b3 dpp: support retransmitting frames with no ACK
The DPP spec says nothing about how to handle re-transmits but it
was found in testing this can happen relatively easily for a few
reasons.

If the configurator requests a channel switch but does not get onto
the new channel quick enough the enrollee may have already sent the
authenticate response and it was missed. Also by nature of how the
kernel goes offchannel there are moments in time between ROC when
the card is idle and not receiving any frames.

Only frames where there was no ACK will be retransmitted. If the
peer received the frame and dropped it resending the same frame wont
do any good.
2022-01-12 12:45:05 -06:00
James Prestwood
2435adc33b nl80211util: support ATTR_FRAME in parse_attrs() 2022-01-12 12:44:56 -06:00
James Prestwood
9aae6e2c16 dpp: pass dpp_sm to dpp_send_frame
The SM has the wdev_id already, so rather than using that or looking
up just pass the dpp_sm directly.
2022-01-12 09:38:06 -06:00
James Prestwood
fc61e5fe46 dpp: rework order of operations after being configured
Now the result is sent immediately. Prior a connect attempt or
scan could have started, potentially losing this frame. In addition
the offchannel operation is cancelled after sending the result
which will allow the subsequent connect or scan to happen much
faster since it doesn't have to wait for ROC to expire.
2022-01-12 09:33:57 -06:00
James Prestwood
94afeabc18 dpp: put no station device print behind else if
The previous (incorrect) else was removed since it ended up
printing in most cases since the if clause returned. This should
have been an else if conditional from the start and only print if the
station device was not found.
2022-01-12 09:32:37 -06:00
James Prestwood
0c8d3f106a dpp: don't send StartEnrollee reply until offchannel starts
IWD may be in the middle of some long operation, e.g. scanning.
If the URI is returned before IWD is ready, a configurator could
start sending frames and IWD either wont receive them, or will
be unable to respond quickly.
2022-01-12 09:32:13 -06:00
James Prestwood
295430a47e frame-xchg: use work priorities rather than hard coding 2022-01-11 12:38:10 -06:00
James Prestwood
ae12132495 offchannel: use work priorities rather than hard coding
The offchannel priority was also changed to zero, which matches the
priority of frames. Currently there should be no interaction between
offchannel and connect (previous offchannel priority).
2022-01-11 12:37:59 -06:00
James Prestwood
87e1045b11 netdev: use work priorities rather than hard coding 2022-01-11 12:37:44 -06:00
James Prestwood
217bb6dc65 scan: don't special case periodic scan work
Periodic scans were handled specially where they were only
started if no other requests were pending in the scan queue.
This is fine, and what we want, but this can actually be
handled automatically by nature of the wiphy work queue rather
than needing to check the request queue explicitly.

Instead we can insert periodic scans at a lower priority than
other scans. This puts them at the end of the work queue, as
well as allows future requests to jump ahead if a periodic scan
has not yet started.

Eventually, once all pending scans are done, the peridoic scan
may begin. This is no different than the preivous behavior and
avoids the need for any special checks once scan requests
complete.

One check was added to address the problem of the periodic scan
timer firing before the scan could even start. Currently this
happened to be handled fine in scan_periodic_queue, as it checks
the queue length. Since this check was removed we must see check
for this condition inside scan_periodic_timeout.
2022-01-11 12:37:13 -06:00
James Prestwood
c7a6730d28 scan: set scan priority via scan_common
This adds a priority argument to scan_common rather than hard
coding it when inserting the work item and uses the newly
defined wiphy priority for scanning.
2022-01-11 12:36:36 -06:00
James Prestwood
6e5d1a540c wiphy: define work priorities in one place
Work priority was never explicitly defined anywhere, and a module
using wiphy_radio_work APIs needed to ensure it was not inserting
at a priority that would interfere with other work.

Now all the types of work have been defined with their own priority
and future priorities can easily be added before, after, or in
between existing priorities.
2022-01-11 12:36:22 -06:00
Denis Kenzior
372a1c05e6 scan: Simplify debug statement
l_debug will already print the function name, so including it in the
printed string is redundant
2022-01-11 11:07:33 -06:00
Denis Kenzior
5cb7591bc0 treewide: Use __func__ when possible
Instead of hard-coding the function name in l_warn/l_error statements,
use '__func__'
2022-01-11 11:07:33 -06:00
Denis Kenzior
8b9442efe0 treewide: Prefer not using assignment in if 2022-01-11 11:07:33 -06:00
Denis Kenzior
6ae1917733 netdev: Make code more readable
Introduce a new 'hs' variable to make the code a bit more compact and
readable.  Avoid splitting pointer dereferences on multiple lines.
2022-01-11 11:07:33 -06:00
Denis Kenzior
073346ee37 treewide: Remove unneeded else statements
The code is more readable without the unnecessary nesting
2022-01-11 11:07:33 -06:00
Denis Kenzior
b44460464e treewide: Add () around certain macros 2022-01-11 11:07:33 -06:00
Denis Kenzior
cba19d3bf5 treewide: Remove pointless return statement 2022-01-11 11:07:33 -06:00
Denis Kenzior
fe95cbe077 treewide: Various style fixups
- Mostly problems with whitespace:
	- Use of spaces instead of tabs
	- Stray spaces before closing ')
	- Missing spaces

- Missing 'void' from function declarations & definitions that
  take no arguments.

- Wrong indentation level
2022-01-11 11:07:05 -06:00
James Prestwood
967c95829f scan: fix double space 2022-01-11 08:57:05 -06:00
Peter Seiderer
6ce41f6211 dpp: fix implicit declaration of function explicit_bzero warning
- add missing src/missing.h include for explicit_bzero, fixes uclibc
  compile/linking

Fixes:

  src/dpp.c:166:2: warning: implicit declaration of function ‘explicit_bzero’ [-Wimplicit-function-declaration]
    166 |  explicit_bzero(dpp->r_nonce, dpp->nonce_len);
        |  ^~~~~~~~~~~~~~
2022-01-10 15:43:52 -06:00
James Prestwood
82818d7454 dpp: allow config response handling without station
If the device is not in station mode DPP can still write out
the credentials and finish without attempting to connect or
scan.
2022-01-10 10:59:15 -06:00
James Prestwood
e6ecc078a1 dpp: handle CHANNEL attribute in auth request
When this attribute is included, the initiator is requesting all
future frames be sent on this channel. There is no reason for a
configurator to act on this attribute (at least for now) so the
request frame will be dropped in this case. Enrollees will act
on it by switching to the new channel and sending the authentication
response.
2022-01-10 10:59:05 -06:00
James Prestwood
235042fcd5 dpp: refactor calls to offchannel_start into common function
This will aid in channel switching during authentication by allowing
an arbitrary channel to be passed in rather than dpp->current_freq.
2022-01-10 10:58:56 -06:00
James Prestwood
39020bf14d dpp: move r_auth into dpp_sm
In order to support channel switching during authentication r_auth
needs to be held onto in dpp_sm for after the ROC call starts.
2022-01-10 10:58:47 -06:00
James Prestwood
786e36eee6 dpp: don't allow StartEnrollee while connected
While connected the driver ends up choosing quite small ROC
durations leading to excessive calls to ROC. This also will
negatively effect any wireless performance for the current
network and possibly lead to missed DPP frames.
2022-01-10 10:58:17 -06:00
James Prestwood
0f7ea99605 dpp: don't allocate transient ssid strings
These can be kept on the stack and avoid the need for
allocated memory and unneeded auto-free functionality.
2022-01-10 10:52:41 -06:00
James Prestwood
847a8ba265 dpp: memset header to fix uninitialized buffer 2022-01-07 11:49:55 -06:00
James Prestwood
226fd5c0b8 dpp: unref DPP frame if sending fails 2022-01-07 11:49:44 -06:00
James Prestwood
6a421a1254 dpp: speed up connection after being configured
Currently the enrollee relied on autoconnect to handle connecting
to the newly configured network. This usually resulted in poor
performance since periodic scans are done at large intervals apart.

Instead first check if the newly configured network is already
in IWD's network queue. If so it can be connected to immediately.
If not, a full scan must be done and results given to station.
2022-01-06 17:37:14 -06:00
James Prestwood
1ec0fd75e1 dpp: parse configuration request values
With better JSON support the configuration request object
can now be fully parsed. As stated in the previous comment
there really isn't much use from the configurator side apart
from verifying mandatory values are included.

This patch also modifies the configuration result to handle
sending non 'OK' status codes in case of JSON parsing errors.
2022-01-06 17:36:19 -06:00
James Prestwood
67ded4c2fd json: restrict json_iter_{parse,next} to objects/arrays
json_iter_parse is only meant to work on objects while
json_iter_next is only meant to work on arrays.

This adds checks in both APIs to ensure they aren't being
used incorrectly.
2022-01-06 16:43:18 -06:00
James Prestwood
1f91c03bf6 json: add NULL check for container on get_container
In case the caller just wants to check an object is iterable,
without actually iterating it.
2022-01-06 16:43:18 -06:00
James Prestwood
790d431624 json: add json_iter_get_string 2022-01-06 16:43:18 -06:00
James Prestwood
0d7482e379 json: add json_iter_get_container
This allows getting an iterator for a container nested inside
an array.
2022-01-06 16:01:39 -06:00
James Prestwood
7991c861e1 json: add support for array iteration
Arrays can now be parsed using the JSON_ARRAY type (stored in
a struct json_iter) then iterated using json_iter_next. When
iterating the type can be checked with json_iter_get_type. For
each iteration the value can be obtained using any of the type
getters (int/uint/boolean/null).
2022-01-06 15:15:06 -06:00
James Prestwood
ebed84ab55 json: increase default token size to 60 2022-01-06 14:26:09 -06:00
James Prestwood
4f1cd8af93 json: add support for primitive types
This adds support for boolean, (unsigned) integers, and
null types. JSON_PRIMITIVE should be used as the type when
parsing and the value should be struct json_iter.

Once parsed the actual value can be obtained using one of
the primitive getters. If the type does not match they will
return false.

If using JSON_OPTIONAL with JSON_PRIMITIVE the resulting
iterator can be checked with json_iter_is_valid. If false
the key/value was not found or the type was not matching.
2022-01-06 14:10:26 -06:00
James Prestwood
23a1a66aee json: fix find_object_tokens
First, this was renamed to 'count_tokens_in_container' to be
more general purpose (i.e. include future array counting).

The way the tokens are counted also changed to be more intuitive.
While the previous way was correct, it was somewhat convoluted in
how it worked (finding the next parent of the objects parent).

Instead we can use the container token itself as the parent and
begin counting tokens. When we find a token with a parent index
less than the target we have reached the end of this container.
This also works for nested containers, including arrays since we
no longer rely on a key (which an array element would not have).

For example::

{
	"first":{"foo":"bar"},
	"second":{"foo2":"bar2"}
}

index 0		<overall object>
index 1		"first"		with parent 0
index 2         {"foo":"bar"}   with parent 1

Counting tokens inside "first"'s object we have:

index 3		"foo"		with parent 2
index 4		"bar"		with parent 3

If we continue counting we reach:

index 5		"second"	with parent 0

This terminates the counting loop since the parent index is
less than '2' (the index of {"foo":"bar"} object).
2022-01-06 14:10:21 -06:00
Denis Kenzior
f05e60f338 dpp: Fix compilation on 32 bit
In file included from ./ell/ell.h:15,
                 from ../../src/dpp.c:29:
../../src/dpp.c: In function ‘authenticate_request’:
../../ell/log.h:79:22: warning: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 8 has type ‘size_t’ {aka ‘unsigned int’} [-Wformat=]
   79 |   l_log(L_LOG_DEBUG, "%s:%s() " format, __FILE__, \
      |                      ^~~~~~~~~~
../../ell/log.h:54:16: note: in definition of macro ‘l_log’
   54 |      __func__, format "\n", ##__VA_ARGS__)
      |                ^~~~~~
../../ell/log.h:103:31: note: in expansion of macro ‘L_DEBUG_SYMBOL’
  103 | #define l_debug(format, ...)  L_DEBUG_SYMBOL(__debug_desc, format, ##__VA_ARGS__)
      |                               ^~~~~~~~~~~~~~
../../src/dpp.c:1235:3: note: in expansion of macro ‘l_debug’
 1235 |   l_debug("I-Nonce has unexpected length %lu", i_nonce_len);
      |   ^~~~~~~
2022-01-05 13:50:59 -06:00
Denis Kenzior
7c30fc2cbf netdev: do not leak auth_cmd
Direct leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x7fa226fbf0f8 in __interceptor_malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/9.4.0/libasan.so.5+0x10c0f8)
    #1 0x688c98 in l_malloc ell/util.c:62
    #2 0x6c2b19 in msg_alloc ell/genl.c:740
    #3 0x6cb32c in l_genl_msg_new_sized ell/genl.c:1567
    #4 0x424f57 in netdev_build_cmd_authenticate src/netdev.c:3285
    #5 0x425b50 in netdev_sae_tx_authenticate src/netdev.c:3385
2021-12-23 09:58:05 -06:00
Denis Kenzior
60366346fb handshake: Do not leak vendor_ies
Direct leak of 7 byte(s) in 1 object(s) allocated from:
    #0 0x7fd748ad00f8 in __interceptor_malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/9.4.0/libasan.so.5+0x10c0f8)
    #1 0x688c21 in l_malloc ell/util.c:62
    #2 0x4beec7 in handshake_state_set_vendor_ies src/handshake.c:324
    #3 0x464e4e in station_handshake_setup src/station.c:1203
    #4 0x472a2f in __station_connect_network src/station.c:2975
    #5 0x473a30 in station_connect_network src/station.c:3078
    #6 0x4ed728 in network_connect_8021x src/network.c:1497

Fixes: f24cfa481b ("handshake: Add setter for vendor IEs")
2021-12-22 21:32:18 -06:00
James Prestwood
eeab42af03 dpp: init unwrapped pointer to NULL
Fixes possible issues with auto-free on error paths
2021-12-22 17:06:16 -06:00
James Prestwood
ce9188ee35 dpp: zero nonces/keys on dpp_reset 2021-12-22 17:06:16 -06:00
James Prestwood
1a9734d704 dpp: implement configurator role
This implements a configurator in the responder role. Currently
configuring an enrollee is limited to only the connected network.
This is to avoid the need to go offchannel for any reason. But
because of this a roam, channel switch, or disconnect will cause
the configuration to fail as none of the frames are being sent
offchannel.
2021-12-20 18:13:44 -06:00
James Prestwood
ec0f4e8826 dpp: add role definitions
Added both enrollee and configurator roles, as well as the needed
logic inside the authentication protocol to verify role compatibility.
The dpp_sm's role will now be used when setting capability bits making
the auth protocol agnostic to enrollees or configurators.
2021-12-20 18:13:44 -06:00
James Prestwood
8f711078b8 dpp: add timeout for auth/config protocols
This also allows the card to re-issue ROC if it ends in the middle of
authenticating or configuring as well as add a maximum timeout for
auth/config protocols.

IO errors were also handled as these sometimes can happen with
certain drivers but are not fatal.
2021-12-20 18:13:44 -06:00
James Prestwood
00fddaa868 dpp-util: add dpp_configuration_new/dpp_configuration_to_json
Allows creating a new configuration object based on settings, ssid,
and akm suite (for configurator role) as well as converting a
configuration object to JSON.
2021-12-20 17:04:26 -06:00
James Prestwood
d3fca54a7e dpp-util: pass actual ad_size, not hard coded '2'. 2021-12-20 17:04:21 -06:00
James Prestwood
c42080fe28 dpp: use frame data directly in unwrap for config response
Rather than hard coding ad0, use the actual frame data. There really
isn't a reason this would differ (only status attribute) but just
in case its better to use the frame data directly.
2021-12-20 17:03:55 -06:00
James Prestwood
d2240c4a62 dpp: handle protocol errors in ROC timeout
This is a standing TODO of properly handling these timeouts but
for now just treat any ROC timeout as an error if authenticating
or configuring.
2021-12-17 15:34:19 -06:00
James Prestwood
926c8bb9bd dpp: add support for configuration protocol
This is a minimal implementation only supporting legacy network
configuration, i.e. only SSID and PSK/passphrase are supported.

Missing features include:
 - Fragmentation/comeback delay support
 - DPP AKM support
 - 8021x/PKEX support
2021-12-17 15:33:46 -06:00
James Prestwood
59a5cf3de4 dpp: add DPP authentication protocol
This implements the DPP protocol used to authenticate to a
DPP configurator.

Note this is not a full implementation of the protocol and
there are a few missing features which will be added as
needed:

 - Mutual authentication (needed for BLE bootstrapping)
 - Configurator support
 - Initiator role
2021-12-17 14:19:20 -06:00
James Prestwood
84c095e787 dpp-util: add DPP attribute building APIs 2021-12-17 13:37:04 -06:00