3
0
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2024-11-26 10:39:23 +01:00
Commit Graph

1237 Commits

Author SHA1 Message Date
Andrew Zaborowski
6dc5d2c3ec eap-mschapv2: Load credentials obtained from agent
If needed load the username and password obtained from the agent and
received in the settings object.
2018-04-26 11:23:29 -05:00
Andrew Zaborowski
cb775819b8 network: Pass secrets to EAP methods
On connect add any secrets we've received through the agent to the
l_settings objects which the EAP methods will process in load_settings.
The settings object is modified but is never written to storage.  If
this was to change because some settings need to be saved to storage,
a new l_settings object might be needed with the union of the settings
from the file and the secrets so as to avoid saving the sensitive data.
2018-04-26 11:23:29 -05:00
James Prestwood
d1a13036d2 eap: fix EAP-SIM/AKA/AKA' after settings change
These EAP methods do not store the identity inside the settings file
since it is obtained from the SIM card, then provided to IWD via
get_identity method. If the get_identity method is implemented, do
not fail the settings check when EAP-Identity is missing.
2018-04-20 14:36:52 -05:00
Andrew Zaborowski
2382dc7ffa network: Validate 8021x settings and request passwords
Use eap_check_settings directly from network.c before we start the
connection attempt at netdev.c level, to obtain all of the required
passwords/passphrases through the agent.  This is in network.c because
here we can decide the policies for whether to call the agent in
autoconnect or only if we had a request from the user, also whether we
want to save any of that for later re-use (either password data or
kernel-side key serial), etc.

In this patch we save the credentials for the lifetime of the network
object in memory, and we skip the network if it requires any passphrases
we don't have while in autoconnect, same as with PSK networks where the
PSK isn't given in the settings.  Note that NetworkManager does pop up
the password window for PSK or EAP passwords even in autoconnect.

If EAP needs multiple passwords we will call the agent sequentially for
each.
2018-04-19 14:05:20 -05:00
Andrew Zaborowski
7541b595f9 eap-peap: Implement .check_settings
Confirm that the PEM file paths that we'll be passing to the l_tls
object are loading Ok and request/validate the private key passphrase
if needed.  Then also call eap_check_settings to validate the inner
method's settings.
2018-04-19 13:23:03 -05:00
Andrew Zaborowski
86aa4e8af1 eap-gtc: Implement .check_settings
Only do the same validation that .load_settings would do for GTC.
2018-04-19 13:14:37 -05:00
Andrew Zaborowski
8650bddcfe eap-aka: Implement .check_settings
Also it seems aka->identity could not have been set at the time
it was used in the error message so I changed that error message
slightly.
2018-04-19 13:14:25 -05:00
Andrew Zaborowski
200312c4e5 eap-sim: Implement .check_settings 2018-04-19 13:13:58 -05:00
Andrew Zaborowski
d27b0d5b1e eap-ttls: Implement .check_settings
Confirm that the PEM file paths that we'll be passing to the l_tls
object are loading Ok and request/validate the private key passphrase
if needed.  Then also call eap_check_settings to validate the inner
method's settings.
2018-04-19 13:13:07 -05:00
Andrew Zaborowski
8eea2c39d1 eap-tls: Implement .check_settings
Confirm that the PEM file paths that we'll be passing to the l_tls
object are loading Ok and request/validate the private key passphrase
if needed.
2018-04-19 13:11:39 -05:00
Andrew Zaborowski
3b2b194170 eap-mschapv2: Implement .check_settings
Move the settings validation from .load_settings plus allow the
username/password to be supplied in the secrets l_queue instead of
in the l_settings.
2018-04-19 13:01:58 -05:00
Andrew Zaborowski
9134743a97 eap-md5: Implement .check_settings
Only do the same validation that .load_settings would do for MD5.
2018-04-19 13:00:44 -05:00
Andrew Zaborowski
246e76c7b0 eap: Validate settings, report passwords needed
With the goal of requesting the required passwords/passphrases, such as
the TLS private key passphrase, from the agent, add a static method
eap_check_settings to validate the settings and calculate what passwords
are needed for those settings, if any.  This is separate from
eap_load_settings because that can only be called later, once we've
got an eap state machine object.  We need to get all the needed EAP
credentials from the user before we even start connecting.

While we do this, we also validate the settings and output any error
messages through l_error (this could be changed so the messages go
somewhere else in the future), so I removed the error messages from
eap_load_settings and that method now assumes that eap_check_settings
has been called before.

eap_check_settings calls the appropriate method's .check_settings method
if the settings are complete enough to contain the method name.  The
policy is that any data can be provided inside the l_settings object
(from the network provisioning/config file), but some of the more
sensitive fields, like private key passwords, can be optionally omitted
and then the UI will ask for them and iwd will be careful with
caching them.

Within struct eap_secret_info, "id" is mainly for the EAP method to
locate the info in the list.  "value" is the actual value returned
by agent.  "parameter" is an optional string to be passed to the agent.
For a private key passphrase it may be the path to the key file, for a
password it may be the username for which the password is requested.
2018-04-19 13:00:12 -05:00
Andrew Zaborowski
15a037f633 agent: Add new request types
Add new agent.h methods and corresponding DBus methods to request
the 3 different EAP credential types from user.
2018-04-19 11:49:41 -05:00
Andrew Zaborowski
b862fd8fe1 agent: Check if callback has sent a new request
In agent_receive_reply we first call the callback for the pending
request (agent_finalize_pending) then try to send the next request
in the queue.  Check that the next request has not been sent already
which could happen if it has been just queued by the callback.
2018-04-19 11:45:03 -05:00
Andrew Zaborowski
c6e3140b38 device: Handle disconnect by AP and by SME events same way
The difference in the handlers was that in the
NETDEV_EVENT_DISCONNECT_BY_AP case we would make sure to reply
to a pending dbus Connect call.  We also need to do that for
NETDEV_EVENT_DISCONNECT_BY_SME.  This happens if another process
sends an nl80211 disconnect command while we're connecting.
2018-04-19 10:36:18 -05:00
Andrew Zaborowski
32d846470b device: Use active scans when connected
When we're connected we're advertising our hardware address anyway so
there's no benefit from using passive scanning.
2018-04-10 00:19:33 -05:00
Andrew Zaborowski
d9ae78b780 device: Drop unsupported bands from roam scan frequency set
The kernel will reject the TRIGGER_SCAN commands that include
frequencies not supported by the wiphy.
2018-04-10 00:19:30 -05:00
James Prestwood
c0739c1965 eap-gtc: add EAP-GTC method implementation 2018-04-04 09:42:28 -05:00
James Prestwood
d1c7f360d2 eap: add EAP_TYPE_GTC (6) type 2018-04-04 09:40:05 -05:00
James Prestwood
88a1520dbd main: set eapol config 2018-04-02 13:54:25 -05:00
James Prestwood
50eae9bf87 eapol: process config setting for handshake timeout
The eapol handshake timeout can now be configured in main.conf
(/etc/iwd/main.conf) using the key eapol_handshake_timeout. This
allows the user to configure a long timeout if debugging.
2018-04-02 13:54:25 -05:00
Andrew Zaborowski
5a17c2275f eapol: Make sure rsn_info is initialized in eapol_handle_ptk_1_of_4
After an EAP exchange rsn_info would be uninitialized and in the FT case
we'd use it to generate the step 2 IEs which would cause an RSNE
mismatch during FT handshake.
2018-03-15 11:40:17 -05:00
Andrew Zaborowski
8b534ba067 eapol: In FT-EAP use all 64 bytes of the MSK
Until now we'd save the second 32 bytes of the MSK as the PMK and use
that for the PMK-R0 as well as the PMKID calculation.  The PMKID
actually uses the first 32 bytes of the PMK while the PMK-R0's XXKey
input maps to the second 32 bytes.  Add a pmk_len parameter to
handshake_state_set_pmk to handle that.  Update the eapol_eap_results_cb
802.11 quotes to the 2016 version.
2018-03-15 11:40:17 -05:00
Tim Kourt
436e95d599 peap: Postpone cleanup on phase two failure 2018-03-01 09:13:17 -06:00
Andrew Zaborowski
d2247c3a3f netdev: Avoid calling netdev_connect_ok twice in FT
handshake_state_install_ptk triggers a call to
netdev_set_pairwise_key_cb which calls netdev_connect_ok, so don't call
netdev_connect_ok after handshake_state_install_ptk.  This doesn't fix
any specific problem though.
2018-02-26 09:59:58 -06:00
Tim Kourt
9783e236a1 peap: handle completion of phase two 2018-02-23 15:19:52 -06:00
Tim Kourt
97980c0315 eap: allow to discard EAP-Success/EAP-Failure pkts 2018-02-23 12:48:40 -06:00
Tim Kourt
ad94752170 eap: add accessor for method success 2018-02-21 20:14:50 -06:00
Andrew Zaborowski
7fd6803c7a agent: Fix cancelling running request
If the request being cancelled by agent_request_cancel has already been
sent over dbus we need to reset pending_id, the timeout, call l_dbus_cancel
to avoid the agent_receive_reply callback (and crash) and perhaps start
the next request.  Alternatively we could only reset the callback and not
free the request, then wait until the agent method to return before starting
the next request.
2018-02-20 11:07:00 -06:00
Tim Kourt
55e8d7fdcc peap: add retransmission support 2018-02-15 13:00:22 -06:00
Tim Kourt
78270bc39e eap: interoperability support for Success/Failure pkts 2018-02-15 12:59:45 -06:00
Tim Kourt
91ec5cff8c peap: add phase two eap tx/rx handlers 2018-02-14 21:34:21 -06:00
Tim Kourt
1ece3b13e4 peap: introduce and configure phase two eap method 2018-02-14 21:31:24 -06:00
Tim Kourt
50b7a01f87 peap: handle send for phase two data 2018-02-14 21:30:33 -06:00
Tim Kourt
8ae6e7c3de peap: switch tx_pdu_buf to use databuf struct 2018-02-14 21:28:03 -06:00
Tim Kourt
93d0dac77b peap: handle receive for phase two data 2018-02-14 21:26:54 -06:00
Tim Kourt
487c5cbafc peap: send ack on established tunnel 2018-02-14 17:37:19 -06:00
Tim Kourt
43c650a2b4 peap: add specification reference by the version 2018-02-14 17:36:08 -06:00
Tim Kourt
5b19d0454a eap: make eap_handle_request public 2018-02-14 15:09:27 -06:00
Andrew Zaborowski
7e8e8b2ac2 eapol: Stop eapol timeout after step 3/4
Move the cancelling of the eapol timeout from the end of step 1 to
step 3 to guard the whole handshake.  At the end of step 1 stop the
EAPOL-Start timeout for the case of 802.1X authentication + a cached
PMKSA (not used yet.)
2018-02-13 12:46:27 -06:00
Andrew Zaborowski
0abab92cac scan: Add new Operating Classes from 802.11-2016 2018-02-13 11:59:42 -06:00
Andrew Zaborowski
d42e848567 device: Workaround for 0 oper class in Neighbor Report
Some APs respond to Neighbor Report Requests with neighbor reports that
have a zero operating class value and a non-zero channel number.  This
does not mean that the channel is in the same band that the reporting
AP operates in.  Try to guess the band that the channel refers to out of
2.4 and 5GHz -- the bands supported by those APs.

wpa_supplicant also has this workaround in place.
2018-02-13 11:58:38 -06:00
Marcel Holtmann
c31244ddec build: Add support for installing systemd service unit 2018-02-10 18:42:43 +01:00
James Prestwood
41936468ed netdev: basic support for receiving SA Query requests 2018-02-08 10:34:53 -06:00
Tim Kourt
8c1b175b8b peap: derive and install eap key material 2018-02-02 14:27:05 -06:00
Tim Kourt
c5ec12e0e4 peap: response fragmentation support 2018-02-02 12:58:28 -06:00
Tim Kourt
71ebb7c1d5 peap: send response pkts 2018-02-01 22:09:12 -06:00
Tim Kourt
84be0eb8d3 peap: handle fragmented request 2018-02-01 22:08:13 -06:00
James Prestwood
f3cc96499c netdev: added support for SA Query
SA Query procedure is used when an unprotected disassociate frame
is received (with frame protection enabled). There are two code
paths that can occur when this disassociate frame is received:

1. Send out SA Query and receive a response from the AP within a
   timeout. This means that the disassociate frame was not sent
   from the AP and can be ignored.

2. Send out SA Query and receive no response. In this case it is
   assumed that the AP went down ungracefully and is now back up.
   Since frame protection is enabled, you must re-associate with
   the AP.
2018-02-01 11:33:47 -06:00