Some of the EAP-PEAP server implementations seem to require a
cleartext ACK for the tunneled EAP-Success message similar to EAP-TLS
specification, instead of simply shutting down the tunnel like
EAP-PEAPv1 requires.
ACKing the tunneled EAP-Success seems also to work for implementations
which were relying on the tunnel close event.
create_dirs was dependent on the path ending in '/' to create the
full path. The hotspot code did not include a '/' at the end so
it was not getting created, which prevented the hotspot module
from initializing.
Station was building up the HS20 elements manually. Now we can
use this new API and let network take care of the complexity
of building network specific vendor IEs.
This op builds up the vendor IEs required for hotspot 2.0. The
version, and optionally the RC are provided in order to correctly
build the HS20 Indication Element and RC Selection element.
The HS20 module had its own getter for returning the matched roaming
consortium. Since we already have the network_info op for matching
we might as well return the matched RC rather than just a bool. This
allows the RC to be included in (Re)Association without the need for
a specific getter.
When performing a fast transition to another OPEN network the RSN
element won't be there and therefore the bss->rsne is gonna be NULL.
Fix crash by not accessing the rsne member when performing a fast
transition to an AP that doe snot advertise any RSN IE.
Crash caught with gdb:
src/station.c:station_transition_start() 186, target 34:8f:27:2f:b8:fc
Program received signal SIGSEGV, Segmentation fault.
handshake_state_set_authenticator_ie (s=0x555555626eb0, ie=0x0) at src/handshake.c:163
163 s->authenticator_ie = l_memdup(ie, ie[1] + 2u);
(gdb) bt
#0 handshake_state_set_authenticator_ie (s=0x555555626eb0, ie=0x0) at src/handshake.c:163
#1 0x0000555555561a98 in fast_transition (netdev=0x55555562fbe0, target_bss=0x55555561f4a0,
over_air=over_air@entry=true, cb=0x55555556d5b0 <station_fast_transition_cb>) at src/netdev.c:3164
#2 0x0000555555565dfd in netdev_fast_transition (netdev=<optimized out>, target_bss=<optimized out>,
cb=<optimized out>) at src/netdev.c:3232
#3 0x000055555556ccbd in station_transition_start (bss=0x55555561f4a0, station=0x555555617da0)
at src/station.c:1261
#4 station_roam_scan_notify (err=<optimized out>, bss_list=<optimized out>, userdata=0x555555617da0)
at src/station.c:1444
#5 0x0000555555579560 in scan_finished (sc=0x55555562bf80, err=err@entry=0, bss_list=0x55555561bd90,
sr=0x555555626b30, wiphy=<optimized out>) at src/scan.c:1234
#6 0x0000555555579620 in get_scan_done (user=0x555555618920) at src/scan.c:1264
#7 0x00005555555abd23 in destroy_request (data=0x55555561b000) at ell/genl.c:673
#8 0x00005555555ac129 in process_unicast (nlmsg=0x7fffffffc310, genl=0x55555560b7a0) at ell/genl.c:940
#9 received_data (io=<optimized out>, user_data=0x55555560b7a0) at ell/genl.c:1039
#10 0x00005555555a8aa3 in io_callback (fd=<optimized out>, events=1, user_data=0x55555560b840)
at ell/io.c:126
#11 0x00005555555a7ccd in l_main_iterate (timeout=<optimized out>) at ell/main.c:473
#12 0x00005555555a7d9c in l_main_run () at ell/main.c:520
#13 l_main_run () at ell/main.c:502
#14 0x00005555555a7fac in l_main_run_with_signal (callback=<optimized out>, user_data=0x0)
at ell/main.c:642
#15 0x000055555555e5b8 in main (argc=<optimized out>, argv=<optimized out>) at src/main.c:519
After wsc_store_credentials, wsc_try_credentials is called which
sets the PSK obtained via the protocol. After the known network
refactor network_settings_load was changed to depend on the
network_info->open() call. Since there is no known network for
this initial WSC connection this always fails and the PSK is not
set into the network object (and the connection is failed).
In this case if network_settings_load fails we can just create
an empty settings object to be filled later.
known_network_update was being used to both update and create known
networks as they appeared on the file system. Hotspot needs updating
capabilities so known_network_update was exposed and updated with
one major difference; it no longer can be used to create new known
networks. For creation, a new API was added (known_network_new)
which will create and add to the queue.
Since hotspot networks may require ANQP the autoconnect loop needed to
be delayed until after the ANQP results came back and the network
objects were updated. If there are hotspot networks in range ANQP will
be performed and once complete autoconnect will begin for all networks
including hotspots. If no hotspots are in range autoconnect will
proceed as it always has.
Note: Assuming hotspots are in range this will introduce some delay
in autoconnecting to any network since ANQP must come back. The full
plan is to intellegently decide when and when not to do ANQP in order
to minimize delays but since ANQP is disabled by default the behavior
introduced with this patch is acceptable.
The remove op was being called inside known_networks_remove, which only
gets called from L_DIR_WATCH events. In this case the actual provisioning
has already been removed. Calling remove() again causes the op
implementation to then try and remove the file that no longer exists.
Valgrind does not like uninitialized bytes used in a syscall. In this
case the buffer is an out buffer but since valgrind doesn't know that
it complains. Initializing to zero fixes the warning:
Syscall param socketcall.sendto(msg) points to uninitialised byte(s)
at 0x5162C4D: send (send.c:28)
by 0x457AF4: l_checksum_update (checksum.c:319)
by 0x43C03C: eap_wsc_handle_m2 (eap-wsc.c:842)
by 0x43CD33: eap_wsc_handle_request (eap-wsc.c:1048)
by 0x43A3A7: __eap_handle_request.part.0 (eap.c:266)
by 0x41A426: eapol_rx_packet.part.12 (eapol.c:2262)
by 0x41B536: __eapol_rx_packet (eapol.c:2650)
by 0x407C80: netdev_control_port_frame_event (netdev.c:3542)
by 0x407C80: netdev_unicast_notify (netdev.c:3684)
by 0x4598C5: dispatch_unicast_watches (genl.c:899)
by 0x4598C5: process_unicast (genl.c:918)
by 0x4598C5: received_data (genl.c:1039)
by 0x456452: io_callback (io.c:126)
by 0x45569D: l_main_iterate (main.c:473)
by 0x45576B: l_main_run (main.c:520)
Address 0x1ffeffe290 is on thread 1's stack
in frame #2, created by eap_wsc_handle_m2 (eap-wsc.c:797)
We were not using or taking into account the noencrypt flag obtained
from the kernel via CONTROL_PORT events. For the most part this still
worked as the kernel would never include NO_ENCRYPT flag (due to a bug).
However, this was actually incorrect and led to loss of synchronization
between the AP and STA 4-Way handshake state machines when certain
packets were lost and had to be re-transmitted.
Allow users to provide a glob string that the contents of the server
certificate's subject DN should be matched against as a primitive
protection against rogue APs using certificates purchased from
commercial CAs trusted by the client. If the network uses an AP
certificate emitted by a commerical CA and the clients are configured
to trust those CAs so that the client configurations don't have to be
updated when the AP renews its certificate, this new option can be used
to check if the CN in the AP certificate's DN matches the known domain
name. This logic assumes that the commercial CAs provide enough
assurance that only the owner of the domain can buy a certificate with
that domain in the CN field.
The format of this option is similar to apple's TLSTrustedServerNames
and wpa_supplicant's domain_match/domain_suffix_match format, the exact
syntax is documented in ell/tls.c.
Some capability bits are required by the spec to be set for
probe requests for certain features (HS20, FILS, FT). Currently
these features work as-is, but depending on the hardware we may
be in violation of the spec if we assume the correct bits are
set when we get the wiphy dump.
Just to be safe we can explicity set these capability bits.
There are also two ways the kernel exposes these capabilities.
Per-type or globally. The hardware may expose one, or both of
these capability arrays. To combat this we are now always
creating a per-type capability array for stations. If the
wiphy dump has not produced a per-type capability array we
now create one based off the global capability array. That
way we can always assume there is a capability array for a
station iftype.
James Prestwood