3
0
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2024-12-01 15:49:49 +01:00
Commit Graph

3957 Commits

Author SHA1 Message Date
James Prestwood
9479c31a72 handshake: add FT_OVER_8021X AKM for SHA256 PMKID derivation
Hostapd commit b6d3fd05e3 changed the PMKID derivation in accordance
with 802.11-2020 which then breaks PMKID validation in IWD. This
breaks the FT-8021x AKM in IWD if the AP uses this hostapd version
since the PMKID doesn't validate during EAPoL.

This updates the PMKID derivation to use the correct SHA hash for
this AKM and adds SHA1 based PMKID checking for interoperability
with older hostapd versions.
2023-07-05 18:16:01 +02:00
James Prestwood
8c4633ef72 handshake: split handshake_state_get_pmkid into separate APIs
The PMKID derivation has gotten messy due to the spec
updating/clarifying the hash size for the FT-8021X AKM. This
has led to hostapd updating the derivation which leaves older
hostapd versions using SHA1 and newer versions using SHA256.

To support this the checksum type is being fed to
handshake_state_get_pmkid so the caller can decide what sha to
use. In addition handshake_state_pmkid_matches is being added
which uses get_pmkid() but handles sorting out the hash type
automatically.

This lets preauthentication use handshake_state_get_pmkid where
there is the potential that a new PMKID is derived and eapol
can use handshake_state_pmkid_matches which only derives the
PMKID to compare against the peers.
2023-06-26 21:55:24 -05:00
James Prestwood
ae76fa876f crypto: modify crypto_derive_pmkid to take the length/checksum type
The existing API was limited to SHA1 or SHA256 and assumed a key
length of 32 bytes. Since other AKMs plan to be added update
this to take the checksum/length directly for better flexibility.
2023-06-26 21:32:11 -05:00
James Prestwood
d09b106998 ft: add debug prints for FT-over-DS
This is consistent with the over-Air path, and makes it clear when
reading the logs if over-DS was used, if there was a response frame,
and if the frame failed to parse in some way.
2023-06-26 21:31:20 -05:00
James Prestwood
2e2f6f991d wiphy: remove l_info's for control port/power save
These should not have been put into a getter for wiphy and now
the driver quirks are printed out in wiphy_print_basic_info.
2023-06-19 20:23:37 -05:00
James Prestwood
29edb1626d netdev: disable power save if required
Disable power save if the wiphy indicates its needed. Do this
before issuing GET_LINK so the netdev doesn't signal its up until
power save is disabled.
2023-06-19 20:23:28 -05:00
James Prestwood
b7872de90a netdev: move GETLINK into its own function, track command ID
Move this logic into its own function and track the command ID
so it can be canceled in case of netdev going down.
2023-06-19 20:23:14 -05:00
James Prestwood
8eab0229f1 doc: Document [DriverQuirks].PowerSaveDisable 2023-06-18 14:06:24 -05:00
James Prestwood
855318374e wiphy: print driver flags on startup
Similar to other basic information, print the driver flags so the
user is informed what is set.
2023-06-18 14:06:24 -05:00
James Prestwood
a50605a456 wiphy: add [DriverQuirks].PowerSaveDisable flag
Certain drivers do not handle power save very well resulting in
missed frames, firmware crashes, or other bad behavior. Its easy
enough to disable power save via iw, iwconfig, etc but since IWD
removes and creates the interface on startup it blows away any
previous power save setting. The setting must be done *after* IWD
creates the interface which can be done, but needs to be via some
external daemon monitoring IWD's state. For minimal systems,
e.g. without NetworkManager, it becomes difficult and annoying to
persistently disable power save.

For this reason a new driver flag POWER_SAVE_DISABLE is being
added. This can then be referenced when creating the interfaces
and if set, disable power save.
2023-06-18 14:06:21 -05:00
James Prestwood
0b4dc9d8a5 doc: document [DriverQuirks] group settings 2023-06-18 13:35:33 -05:00
James Prestwood
b1b45f5509 wiphy: allow for user-defined driver flags
The driver_infos list in wiphy.c is hard coded and, naturally,
not configurable from a user perspective. As drivers are updated
or added users may be left with their system being broken until the
driver is added, IWD released, and packaged.

This adds the ability to define driver flags inside main.conf under
the "DriverQuirks" group. Keys in this group correspond to values in
enum driver_flag and values are a list of glob matches for specific
drivers:

[DriverQuirks]
DefaultInterface=rtl81*,rtl87*,rtl88*,rtw_*,brcmfmac,bcmsdh_sdmmc
ForcePae=buggy_pae_*
2023-06-18 13:32:58 -05:00
James Prestwood
6065d86fa7 wiphy: store driver flags directly in wiphy object
Rather than keep a pointer to the driver_info entry copy the flags
into the wiphy object. This preps for supporting driver flags via
a configuration file, specifically allowing for entries that are a
subset of others. For example:

{ "rtl88*",          DEFAULT_IF },
{ "rtl88x2bu",       FORCE_PAE },

Before it was not possible to add entires like this since only the
last entry match would get set. Now DEFAULT_IF would get set to all
matches, and FORCE_PAE to only rtl88x2bu. This isn't especially
important for the static list since it could be modified to work
correctly, but will be needed when parsing flags from a
configuration file that may contain duplicates or subsets of the
static list.
2023-06-18 13:16:03 -05:00
James Prestwood
568048b0ee ft: add debugging in __ft_rx_authenticate
If there was some problem during the FT authenticate stage
its nice to know more of what happened: whether the AP didn't
respond, rejected the attempt, or sent an invalid frame/IEs.
2023-06-06 10:35:48 -05:00
James Prestwood
189c23a5d9 station: use wiphy_radio_work_reschedule in FT path
If FT fails the work item needs to be rescheduled rather than
inserted.
2023-05-22 09:37:25 -05:00
James Prestwood
109cb70f22 wiphy: make wiphy work queue reentrant
In some situations its convenient for the same work item to be
inserted (rescheduled) while its in progress. FT for example does
this now if a roam fails. The same ft_work item gets re-inserted
which, currently, is not safe to do since the item is modified
and removed once completed.

Fix this by introducing wiphy_radio_work_reschedule which is an
explicit API for re-inserting work items from within the do_work
callback.

The wiphy work logic was changed around slightly to remove the item
at the head of the queue prior to starting and note the ID going
into do_work. If do_work signaled done and ID changed we know it
was re-inserted and can skip the destroy logic and move onto the
next item. If the item is not done continue as normal but set the
priority to INT_MIN, as usual, to prevent other items from getting
to the head of the queue.
2023-05-22 09:35:20 -05:00
James Prestwood
23f0f5717c station: allow roaming before netconfig finishes
If IWD connects under bad RF conditions and netconfig takes
a while to complete (e.g. slow DHCP), the roam timeout
could fire before DHCP is done. Then, after the roam,
IWD would transition automatically to connected before
DHCP was finished. In theory DHCP could still complete after
this point but any process depending on IWD's connected
state would be uninformed and assume IP networking is up.

Fix this by stopping netconfig prior to a roam if IWD is not
in a connected state. Then, once the roam either failed or
succeeded, start netconfig again.
2023-05-07 18:04:08 -05:00
James Prestwood
b080854d3e dpp: fix incorrect offchannel usage as configurator
When acting as a configurator the enrollee can start on a different
channel than IWD is connected to. IWD will begin the auth process
on this channel but tell the enrollee to transition to the current
channel after the auth request. Since a configurator must be
connected (a requirement IWD enforces) we can assume a channel
transition will always be to the currently connected channel. This
allows us to simply cancel the offchannel request and wait for a
response (rather than start another offchannel).

Doing this improves the DPP performance and reduces the potential
for a lost frame during the channel transition.

This patch also addresses the comment that we should wait for the
auth request ACK before canceling the offchannel. Now a flag is
set and IWD will cancel the offchannel once the ACK is received.
2023-04-30 13:03:48 -05:00
James Prestwood
6c97ebb813 ft: fix double free when disconnecting mid-FT
If IWD gets a disconnect during FT the roaming state will be
cleared, as well as any ft_info's during ft_clear_authentications.
This includes canceling the offchannel operation which also
destroys any pending ft_info's if !info->parsed. This causes a
double free afterwards. In addition the l_queue_remove inside the
foreach callback is not a safe operation either.

To fix this don't remove the ft_info inside the offchannel
destroy callback. The info will get freed by ft_associate regardless
of the outcome (parsed or !parsed). This is also consistent with
how the onchannel logic works.

Log and crash backtrace below:

iwd[488]: src/station.c:station_try_next_transition() 5, target aa:46:8d:37:7c:87
iwd[488]: src/wiphy.c:wiphy_radio_work_insert() Inserting work item 16668
iwd[488]: src/wiphy.c:wiphy_radio_work_insert() Inserting work item 16669
iwd[488]: src/wiphy.c:wiphy_radio_work_done() Work item 16667 done
iwd[488]: src/wiphy.c:wiphy_radio_work_next() Starting work item 16668
iwd[488]: src/netdev.c:netdev_mlme_notify() MLME notification Remain on Channel(55)
iwd[488]: src/netdev.c:netdev_mlme_notify() MLME notification Del Station(20)
iwd[488]: src/netdev.c:netdev_link_notify() event 16 on ifindex 5
iwd[488]: src/netdev.c:netdev_mlme_notify() MLME notification Deauthenticate(39)
iwd[488]: src/netdev.c:netdev_deauthenticate_event()
iwd[488]: src/netdev.c:netdev_mlme_notify() MLME notification Disconnect(48)
iwd[488]: src/netdev.c:netdev_disconnect_event()
iwd[488]: Received Deauthentication event, reason: 6, from_ap: true
iwd[488]: src/station.c:station_disconnect_event() 5
iwd[488]: src/station.c:station_disassociated() 5
iwd[488]: src/station.c:station_reset_connection_state() 5
iwd[488]: src/station.c:station_roam_state_clear() 5
iwd[488]: double free or corruption (fasttop)

5  0x0000555b3dbf44a4 in ft_info_destroy ()
6  0x0000555b3dbf45b3 in remove_ifindex ()
7  0x0000555b3dc4653c in l_queue_foreach_remove ()
8  0x0000555b3dbd0dd1 in station_reset_connection_state ()
9  0x0000555b3dbd37e5 in station_disassociated ()
10 0x0000555b3dbc8bb8 in netdev_mlme_notify ()
11 0x0000555b3dc4e80b in received_data ()
12 0x0000555b3dc4b430 in io_callback ()
13 0x0000555b3dc4a5ed in l_main_iterate ()
14 0x0000555b3dc4a6bc in l_main_run ()
15 0x0000555b3dc4a8e0 in l_main_run_with_signal ()
16 0x0000555b3dbbe888 in main ()
2023-04-30 13:00:03 -05:00
James Prestwood
e13e2a5636 common: add FT-8021X-SHA384 to AKM_IS_8021X
Without this the AKM shows up as WEP.
2023-04-16 13:01:01 -05:00
James Prestwood
ad769b718b handshake: remove hardcoded kek_len for FTE decode
The KEK length should be obtained with the getter to ensure the
AKM is taken into account
2023-04-16 13:00:41 -05:00
James Prestwood
590e8f4f13 eapol: add support for FT-8021X-SHA384
The SHA384 variant was not being checked for in any of the
MIC calculations/verifications or for EAPoL decryption.
2023-04-16 12:59:54 -05:00
James Prestwood
a952cc6a47 eapol: relax (but warn) on secure bit check in handshake 1/4
Hostapd commit bc36991791 now properly sets the secure bit on
message 1/4. This was addressed in an earlier IWD commit but
neglected to allow for backwards compatibility. The check is
fatal which now breaks earlier hostapd version (older than 2.10).

Instead warn on this condition rather than reject the rekey.

Fixes: 7fad6590bd ("eapol: allow 'secure' to be set on rekeys")
2023-04-16 11:27:22 -05:00
Denis Kenzior
b42923dc5d treewide: Prefer flexible arrays to zero-length arrays
https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html
2023-04-13 22:20:57 -05:00
James Prestwood
e0ea324f77 band: fix HT40+/- checks when creating chandef
The HT40+/- flags were reversed when checking against the 802.11
behavior flags.

HT40+ means the secondary channel is above (+) the primary channel
therefore corresponds to the PRIMARY_CHANNEL_LOWER behavior. And
the opposite for HT40-.

Reported-By: Alagu Sankar <alagusankar@gmail.com>
2023-04-09 11:36:35 -05:00
Denis Kenzior
e82dac4b2d station: Fix potential buffer overflow
Use a more appropriate printf conversion string in order to avoid
unnecessary implicit conversion which can lead to a buffer overflow.
Reasons similar to commit:
98b758f893 ("knownnetworks: fix printing SSID in hex")
2023-03-17 15:52:22 -05:00
Denis Kenzior
dc38964e42 station: Use ft_authenticate_onchannel
In the case that the FT target is on the same channel as we're currently
operating on, use ft_authenticate_onchannel instead of ft_authenticate.
Going offchannel in this case can confuse some drivers.
2023-03-01 09:35:48 -06:00
Denis Kenzior
3345c56fbb ft: Introduce ft_authenticate_onchannel
Currently when we try FT-over-Air, the Authenticate frame is always
sent via offchannel infrastructure  We request the driver to go
offchannel, then send the Authenticate frame.  This works fine as long
as the target AP is on a different channel.  On some networks some (or
all) APs might actually be located on the same channel.  In this case
going offchannel will result in some drivers not actually sending the
Authenticate frame until after the offchannel operation completes.

Work around this by introducing a new ft_authenticate variant that will
not request an offchannel operation first.
2023-03-01 09:30:24 -06:00
James Prestwood
62301b7918 ap: handle -ENOTSUP when getting the GTK
Some hardware does not support this, so use a zero RSC in this
case rather than failing the association.
2023-02-27 10:28:11 -06:00
James Prestwood
fb8ef45213 ap: check FULL_AP_CLIENT_STATE for NEW_STATION
nl80211 has a check which returns -EINVAL for NEW_STATION if this
feature is not enabled and the mask contains Authenticated/Associated
flags.
2023-02-27 10:27:39 -06:00
James Prestwood
c57071df65 ap: add DisableHT setting
This allows the user to disable HT explicitly in the AP profile
2023-02-27 10:26:26 -06:00
James Prestwood
62c99d7c33 doc: document DisableHT AP setting 2023-02-27 10:26:17 -06:00
James Prestwood
c7034aa41b netdev: check iftype in channel switch event
Some drivers send this event when starting AP mode which means
the handshake object is NULL, causing a crash.
2023-02-27 10:25:05 -06:00
Jiajie Chen
98b758f893 knownnetworks: fix printing SSID in hex
Force conversion to unsigned char before printing to avoid sign
extension when printing SSID in hex. For example, if there are CJK
characters in SSID, it will generate a very long string like
/net/connman/iwd/ffffffe8ffffffaeffffffa1.
2023-02-27 10:22:47 -06:00
Jiajie Chen
89309a8621 knownnetworks: fix potential out of bounds write
If a very long ssid was used (e.g. CJK characters in SSID), it might do
out of bounds write to static variable for lack of checking the position
before the last snprintf() call.
2023-02-27 10:22:34 -06:00
Denis Kenzior
5e0ff318e7 netdev: Add additional debugs 2023-02-27 10:22:13 -06:00
Denis Kenzior
17120dfc3b eapol: Add a debug to eapol_start entry point 2023-02-27 10:17:34 -06:00
Andrew Zaborowski
ce3507558c eap-tls: Add FastReauthentication setting
Seeing that some authenticators can't handle TLS session caching
properly, allow the EAP-TLS-based methods session caching support to be
disabled per-network using a method specific FastReauthentication setting.
Defaults to true.

With the previous commit, authentication should succeed at least every
other attempt.  I'd also expect that EAP-TLS is not usually affected
because there's no phase2, unlike with EAP-PEAP/EAP-TTLS.
2023-01-30 10:19:58 -06:00
Andrew Zaborowski
5db06bf935 eap-tls: Drop cached session when phase2 fails
If we have a TLS session cached from this attempt or a previous
successful connection attempt but the overall EAP method fails, forget
the session to improve the chances that authentication succeeds on the
next attempt considering that some authenticators strangely allow
resumption but can't handle it all the way to EAP method success.
Logically the session resumption in the TLS layers on the server should
be transparent to the EAP layers so I guess those may be failed
attempts to further optimise phase 2 when the server thinks it can
already trust the client.
2023-01-30 09:42:59 -06:00
James Prestwood
967702e166 ap: correct extra IEs length calculation for WMM IE
The extra IE length for the WMM IE was being set to 26 which is
the HT IE length, not WMM. Fix this and use the proper size for
the WMM IE of 50 bytes.

This shouldn't have caused any problems prior as the tail length
is always allocated with 256 or 512 extra bytes of headroom.
2023-01-27 12:21:06 -06:00
Denis Kenzior
54a0683558 wiphy: Fix buffer overflow due to off-by-one error
Since channels numbers are used as indexes into the array, and given
that channel numbers start at '1' instead of 0, make sure to allocate a
buffer large enough to not overflow when the max channel number for a
given band is accessed.

src/manager.c:manager_wiphy_dump_callback() New wiphy phy1 added (1)
==22290== Invalid write of size 2
==22290==    at 0x4624B2: nl80211_parse_supported_frequencies (nl80211util.c:570)
==22290==    by 0x417CA5: parse_supported_bands (wiphy.c:1636)
==22290==    by 0x418594: wiphy_parse_attributes (wiphy.c:1805)
==22290==    by 0x418E20: wiphy_update_from_genl (wiphy.c:1991)
==22290==    by 0x464589: manager_wiphy_dump_callback (manager.c:564)
==22290==    by 0x4CBDDA: process_unicast (genl.c:944)
==22290==    by 0x4CC19C: received_data (genl.c:1056)
==22290==    by 0x4C7140: io_callback (io.c:120)
==22290==    by 0x4C5A97: l_main_iterate (main.c:476)
==22290==    by 0x4C5BDC: l_main_run (main.c:523)
==22290==    by 0x4C5F0F: l_main_run_with_signal (main.c:645)
==22290==    by 0x40503B: main (main.c:600)
==22290==  Address 0x4aa76ec is 0 bytes after a block of size 28 alloc'd
==22290==    at 0x48417B5: malloc (vg_replace_malloc.c:393)
==22290==    by 0x4BC4D1: l_malloc (util.c:62)
==22290==    by 0x417BE4: parse_supported_bands (wiphy.c:1619)
==22290==    by 0x418594: wiphy_parse_attributes (wiphy.c:1805)
==22290==    by 0x418E20: wiphy_update_from_genl (wiphy.c:1991)
==22290==    by 0x464589: manager_wiphy_dump_callback (manager.c:564)
==22290==    by 0x4CBDDA: process_unicast (genl.c:944)
==22290==    by 0x4CC19C: received_data (genl.c:1056)
==22290==    by 0x4C7140: io_callback (io.c:120)
==22290==    by 0x4C5A97: l_main_iterate (main.c:476)
==22290==    by 0x4C5BDC: l_main_run (main.c:523)
==22290==    by 0x4C5F0F: l_main_run_with_signal (main.c:645)
==22290==
2023-01-26 10:02:36 -06:00
Denis Kenzior
5612045407 ap: Fix member naming on big endian 2023-01-23 09:45:22 -06:00
James Prestwood
0c223892b1 doc: Document RekeyTimeout for AP profiles 2023-01-18 15:41:53 -06:00
James Prestwood
c5a281781d ap: support PTK rekeys
This adds support for rekeys to AP mode. A single timer is used and
reset to the next station needing a rekey. A default rekey timer of
600 seconds is used unless the profile sets a timeout.
2023-01-18 15:40:56 -06:00
James Prestwood
995c34450e eapol: implement rekey support for authenticator
The only changes required was to set the secure bit for message 1,
reset the frame retry counter, and change the 2/4 verifier to use
the rekey flag rather than ptk_complete. This is because we must
set ptk_complete false in order to detect retransmissions of the
4/4 frame.

Initiating a rekey can now be done by simply calling eapol_start().
2023-01-18 15:39:36 -06:00
James Prestwood
d504b74c61 manager: handle -ENODEV special in interface callback
If IWD ends up dumping wiphy's twice (because of NEW_WIPHY event
soon after initial dump) it will also try and dump interfaces
twice leading to multiple DEL_INTERFACE calls. The second attempt
will fail with -ENODEV (since the interface was already deleted).
Just silently fail with this case and let the other DEL_INTERFACE
path handle the re-creation.
2023-01-17 13:11:53 -06:00
James Prestwood
6957b5fdf0 wiphy: prevent multiple wiphy registrations
With really badly timed events a wiphy can be registered twice. This
happens when IWD starts and requests a wiphy dump. Immediately after
a NEW_WIPHY event comes in (presumably when the driver loads) which
starts another dump. The NEW_WIPHY event can't simply be ignored
since it could be a hotplug (e.g. USB card) so to fix this we can
instead just prevent it from being registered.

This does mean both dumps will happen but the information will just
be added to the same wiphy object.
2023-01-17 13:11:38 -06:00
James Prestwood
d8ca993a1c station: cancel roam timer when FT starts
Past commits should address any potential problems of the timer
firing during FT, but its still good practice to cancel the timer
once it is no longer needed, i.e. once FT has started.
2023-01-13 17:00:26 -06:00
James Prestwood
fdd5d166b5 station: check for FT work in station_cannot_roam
If station has already started FT ensure station_cannot_roam takes
that into account. Since the state has not yet changed it must also
check if the FT work ID is set.
2023-01-13 17:00:21 -06:00
James Prestwood
155c266d6c station: add checks to prevent multiple roam scans
Under the following conditions IWD can accidentally trigger a second
roam scan while one is already in progress:

 - A low RSSI condition is met. This starts the roam rearm timer.
 - A packet loss condition is met, which triggers a roam scan.
 - The roam rearm timer fires and starts another roam scan while
   also overwriting the first roam scan ID.
 - Then, if IWD gets disconnected the overwritten roam scan gets
   canceled, and the roam state is cleared which NULL's
   station->connected_network.
 - The initial roam scan results then come in with the assumption
   that IWD is still connected which results in a crash trying to
   reference station->connected_network.

This can be fixed by adding a station_cannot_roam check in the rearm
timer. If IWD is already doing a roam scan station->preparing_roam
should be set which will cause it to return true and stop any further
action.

Aborting (signal 11) [/usr/libexec/iwd]
iwd[426]: ++++++++ backtrace ++++++++
iwd[426]: #0  0x7f858d7b2090 in /lib/x86_64-linux-gnu/libc.so.6
iwd[426]: #1  0x443df7 in network_get_security() at ome/locus/workspace/iwd/src/network.c:287
iwd[426]: #2  0x421fbb in station_roam_scan_notify() at ome/locus/workspace/iwd/src/station.c:2516
iwd[426]: #3  0x43ebc1 in scan_finished() at ome/locus/workspace/iwd/src/scan.c:1861
iwd[426]: #4  0x43ecf2 in get_scan_done() at ome/locus/workspace/iwd/src/scan.c:1891
iwd[426]: #5  0x4cbfe9 in destroy_request() at ome/locus/workspace/iwd/ell/genl.c:676
iwd[426]: #6  0x4cc98b in process_unicast() at ome/locus/workspace/iwd/ell/genl.c:954
iwd[426]: #7  0x4ccd28 in received_data() at ome/locus/workspace/iwd/ell/genl.c:1052
iwd[426]: #8  0x4c79c9 in io_callback() at ome/locus/workspace/iwd/ell/io.c:120
iwd[426]: #9  0x4c62e3 in l_main_iterate() at ome/locus/workspace/iwd/ell/main.c:476
iwd[426]: #10 0x4c6426 in l_main_run() at ome/locus/workspace/iwd/ell/main.c:519
iwd[426]: #11 0x4c6752 in l_main_run_with_signal() at ome/locus/workspace/iwd/ell/main.c:645
iwd[426]: #12 0x405987 in main() at ome/locus/workspace/iwd/src/main.c:600
iwd[426]: #13 0x7f858d793083 in /lib/x86_64-linux-gnu/libc.so.6
iwd[426]: +++++++++++++++++++++++++++
2023-01-13 17:00:04 -06:00