3
0
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2024-11-22 23:09:34 +01:00
Commit Graph

3585 Commits

Author SHA1 Message Date
Christian Rebischke
6e44295fe2 iwd.service: Harden systemd service file
This commit hardens the iwd.service.in template file for systemd
services. The following is a short explanation for each added directive:

+PrivateTmp=true

If true, sets up a new file system namespace for the executed processes
and mounts private /tmp and /var/tmp directories inside it that is not
shared by processes outside of the namespace.

+NoNewPrivileges=true

If true, ensures that the service process and all its children can never
gain new privileges through execve() (e.g. via setuid or setgid bits, or
filesystem capabilities).

+PrivateDevices=true

If true, sets up a new /dev mount for the executed processes and only
adds API pseudo devices such as /dev/null, /dev/zero or /dev/random (as
well as the pseudo TTY subsystem) to it, but no physical devices such as
/dev/sda, system memory /dev/mem, system ports /dev/port and others.

+ProtectHome=yes

If true, the directories /home, /root and /run/user are made
inaccessible and empty for processes invoked by this unit.

+ProtectSystem=strict

If set to "strict" the entire file system hierarchy is mounted
read-only, except for the API file system subtrees /dev, /proc and /sys
(protect these directories using PrivateDevices=,
ProtectKernelTunables=, ProtectControlGroups=).

+ReadWritePaths=/var/lib/iwd/

Sets up a new file system namespace for executed processes. These
options may be used to limit access a process might have to the file
system hierarchy. Each setting takes a space-separated list of paths
relative to the host's root directory (i.e. the system running the
service manager). Note that if paths contain symlinks, they are resolved
relative to the root directory set with RootDirectory=/RootImage=.
Paths listed in ReadWritePaths= are accessible from within
the namespace with the same access modes as from outside of
it.

+ProtectControlGroups=yes

If true, the Linux Control Groups (cgroups(7)) hierarchies accessible
through /sys/fs/cgroup will be made read-only to all processes of the
unit.

+ProtectKernelModules=yes

If true, explicit module loading will be denied. This allows module
load and unload operations to be turned off on modular kernels.

For further explanation to all directives see `man systemd.directives`
2019-03-19 14:00:46 -05:00
James Prestwood
dee6703122 sae: check group number on UNSUPP_FINITE_CYCLIC_GROUP
Hostapd has now been updated to include the group number when rejecting
the connection with UNSUPP_FINITE_CYCLIC_GROUP. We still need the existing
len == 0 check because old hostapd versions will still behave this way.
2019-03-19 13:59:29 -05:00
James Prestwood
9887c376b7 doc: add [General] group to main.conf
The pattern in main.conf made it appear that ControlPortOverNL80211
was part of the EAPoL group, which it is not.
2019-03-19 13:58:39 -05:00
Andrew Zaborowski
2133e8a9fc eap-ttls: Memzero copies of secrets
The AVP buffers are cleared because some plaintext secrets get written
into them.
2019-03-19 11:46:51 -05:00
Andrew Zaborowski
14572c0f1a mschaputil: Memzero copies of secrets 2019-03-19 11:43:49 -05:00
Andrew Zaborowski
7031045dfb unit: Update mschapv2 test to use mschap_nt_password_hash 2019-03-19 11:34:46 -05:00
Andrew Zaborowski
0bf3ae97d7 eap-mschapv2: Drop mschapv2_nt_password_hash, use mschap_nt_password_hash
The two functions looked identical, drop mschapv2_nt_password_hash and
update callers to use mschap_nt_password_hash from mschaputil.c/.h.
2019-03-19 11:34:23 -05:00
Denis Kenzior
570abd7bfb eapol: Convert memsets to explicit_bzero
We were wiping out certain secrets via memset.  Convert them to
explicit_bzero just in case the compiler decides to optimize them out.
2019-03-19 11:25:22 -05:00
Andrew Zaborowski
f76e10799f eapol,handshake: Memzero copies of secrets 2019-03-19 11:20:40 -05:00
Andrew Zaborowski
c682847249 eap-md5: Memzero copies of secrets 2019-03-19 11:11:16 -05:00
Andrew Zaborowski
8954c62bcf eap-sim: Memzero secrets after use
Also slightly simplify eap_aka_prf_prime and other functions.
2019-03-19 11:05:11 -05:00
Andrew Zaborowski
b1317d3984 eap-aka: Memzero secrets after use 2019-03-19 11:04:29 -05:00
Andrew Zaborowski
28840b29a8 simutil: Memzero secrets after use
Also slightly simplify eap_aka_prf_prime and other functions.
2019-03-19 11:03:33 -05:00
Andrew Zaborowski
c80b239b93 simutil: Optimize l_checksum usage
The checksum object was created / destroyed repeatedly.  It was
sufficient to simply call checksum_reset since the key was never
changed.
2019-03-19 11:02:55 -05:00
Andrew Zaborowski
aa7abb44c5 eap-gtc: Memzero copies of secrets
The single-use password is apparently sent in plaintext over the network
but at least try to prevent it from staying in the memory until we know
it's been used.
2019-03-19 10:56:24 -05:00
Andrew Zaborowski
5306e37279 eap-tls,eap-peap: Memzero copies of secrets 2019-03-19 10:54:18 -05:00
Andrew Zaborowski
a090b1ef52 netdev: Update Associate IEs with the values actually sent
station.c generates the IEs we will need to use for the
Authenticate/Associate and EAPoL frames and sets them into the
handshake_state object.  However the driver may modify some of them
during CMD_CONNECT and we need to use those update values so the AP
isn't confused about differing IEs in diffent frames from us.

Specifically the "wl" driver seems to do this at least for the RSN IE.
2019-03-19 09:46:32 -05:00
James Prestwood
a983ca0c33 eap-pwd: fix buffer overflow for larger groups
The KDF function processes data in 32 byte chunks so for groups which
primes are not divisible by 32 bytes, you will get a buffer overflow
when copying the last chunk of data.

Now l_checksum_get_digest is limited to the bytes remaining in the
buffer, or 32, whichever is the smallest.
2019-03-19 09:44:36 -05:00
James Prestwood
06ee531749 testutil: retry up to 3 times for connectivity 2019-03-19 09:42:53 -05:00
Tim Kourt
55b3a974c6 auto-t: Split EAP-WPS tests
Previously, the WPS tests have shared a single instance of iwd
among themselves. This approach didn’t allow to identify which
tests have passed and which failed. The new solution makes WPS
tests independent from each other by creating a new instance
of iwd for each one of them.
2019-03-19 09:41:39 -05:00
James Prestwood
0288c537a2 eapol: have eapol_encrypt_key_data return length/error
Since eapol_encrypt_key_data already calculates the key data length and
encodes it into the key frame, we can just return this length and avoid
having to obtain it again from the frame.
2019-03-18 18:02:37 -05:00
James Prestwood
71c7d826e4 tools: fix test_runner_kernel_config for HT/VHT
This should now properly load regulatory.db and disable verification
2019-03-18 12:21:49 -05:00
James Prestwood
3863fa3670 eap-pwd: mitigate potential timing attacks in EAP-PWD
Similar to SAE, EAP-PWD derives an ECC point (PWE). It is possible
for information to be gathered from the timing of this derivation,
which could be used to to recover the password.

This change adapts EAP-PWD to use the same mitigation technique as
SAE where we continue to derive ECC points even after we have found
a valid point. This derivation loop continues for a set number of
iterations (20 in this case), so anyone timing it will always see
the same timings for every run of the protocol.
2019-03-18 11:29:40 -05:00
Tim Kourt
58522fe98f storage: Allow load/sync known freqs. to file 2019-03-15 17:50:29 -05:00
Tim Kourt
664cf5a368 auto-t: TTLS-MSCHAPv2 - remove iwd instance on failure 2019-03-15 17:04:11 -05:00
Tim Kourt
bda956f2b2 auto-t: SAE - remove iwd instance on failure 2019-03-15 17:04:07 -05:00
Tim Kourt
b4485f3e1b auto-t: Ad-Hoc - remove iwd instance on failure 2019-03-15 17:03:34 -05:00
Andrew Zaborowski
2b544541bc scan: Drop notify callback's ifindex parameter
This is not used by any of the scan notify callback implementations and
for P2P we're going to need to scan on an interface without an ifindex
so without this the other changes should be mostly contained in scan.
2019-03-15 12:17:53 -05:00
Tim Kourt
5e95e30e41 scan: Fix misinterpretation of the channel as frequency 2019-03-14 20:11:32 -05:00
Andrew Zaborowski
154e9f63bc wiphy, netdev: Add enum values for P2P-related iftypes
Also add a mask parameter to wiphy_get_supported_iftypes to make sure
the SupportedModes property only contains the values that can be used
as Device.Mode.
2019-03-11 18:03:40 -05:00
Andrew Zaborowski
e344df432b wiphy: Fix printing supported iftypes
dbus_iftype_to_string returns NULL for unknown iftypes, the strdup will
also return NULL and ret[i] will be assigned a NULL.  As a result
the l_strjoinv will not print the known iftypes that might have come
after that and will the l_strfreev will leak the strduped strings.
2019-03-11 18:03:38 -05:00
Andrew Zaborowski
98623edd7d scan: Drop remaining sched scan code 2019-03-11 17:49:15 -05:00
Andrew Zaborowski
d0ccb8496a scan: Fix tracking external scans in sc->state
sc->state would get set when the TRIGGERED event arrived or when the
triggered callback for our own SCAN_TRIGGER command is received.
However it would not get reset to NOT_RUNNING when the NEW_SCAN_RESULTS
event is received, instead we'd first request the results with GET_SCAN
and only reset sc->state when that returns.  If during that command a
new scan gets triggered, the GET_SCAN callback would still reset
sc->state and clobber the value set by the new scan.

To fix that repurpose sc->state to only track that period from the
TRIGGERED signal to the NEW_SCAN_RESULTS signal.  sc->triggered can be
used to check if we're still waiting for the GET_SCAN command and
sc->start_cmd_id to check if we're waiting for the scan to get
triggered, so one of these three variables will now always indicate if
a scan is in progress.
2019-03-11 17:28:41 -05:00
Denis Kenzior
e295b73c4c netdev: Fix crash when aborting a connection
We can crash if we abort the connection, but the connect command has
already gone through.  In this case we will get a sequence of
authenticate_event, associate_event, connect_event.  The first and last
events don't crash since they check whether netdev->connected is true.
However, this causes an annoying warning to be printed.

Fix this by introducing an 'aborting' flag and ignore all connection
related events if it is set.

++++++++ backtrace ++++++++
2019-03-08 16:28:15 -06:00
Tim Kourt
1677f6b046 doc: Update software versions 2019-03-08 11:10:17 -06:00
Tim Kourt
c26af17ca0 doc: Add config options for High Throughput 2019-03-08 11:09:29 -06:00
Tim Kourt
4b9abde3e5 scan: Optimize frequency set foreach logic 2019-03-07 16:27:24 -06:00
James Prestwood
ef06f06cfb owe: handle all non-zero status codes in owe_rx_associate
Now that the OWE failure/retry is handled in netdev, we can catch
all associate error status' inside owe_rx_associate rather than only
catching UNSUPP_FINITE_CYCLIC_GROUP.
2019-03-05 16:20:40 -06:00
James Prestwood
e3f4bfb428 netdev: process association in netdev_associate_event
Apart from OWE, the association event was disregarded and all association
processing was done in netdev_connect_event. This led to
netdev_connect_event having to handle all the logic of both success and
failure, as well as parsing the association for FT and OWE. Also, without
checking the status code in the associate frame there is the potential
for the kernel to think we are connected even if association failed
(e.g. rogue AP).

This change introduces two flags into netdev, expect_connect_failure and
ignore_connect_event. All the FT processing that was once in
netdev_connect_event has now been moved into netdev_associate_event, as
well as non-FT associate frame processing. The connect event now only
handles failure cases for soft/half MAC cards.

Note: Since fullmac cards rely on the connect event, the eapol_start
and netdev_connect_ok were left in netdev_connect_event. Since neither
auth/assoc events come in on fullmac we shouldn't have any conflict with
the new flags.

Once a connection has completed association, EAPoL is started from
netdev_associate_event (if required) and the ignore_connect_event flag can
be set. This will bypass the connect event.

If a connection has failed during association for whatever reason, we can
set expect_connect_failure, the netdev reason, and the MPDU status code.
This allows netdev_connect_event to both handle the error, and, if required,
send a deauth telling the kernel that we have failed (protecting against the
rogue AP situation).
2019-03-05 16:02:52 -06:00
James Prestwood
5027bd3d0b ftutil: add associate parser
Helper to obtain RSNE, MDE, and FTE from associate frame.
2019-03-05 11:44:41 -06:00
James Prestwood
210b8645b7 netdev: remove OWE handling from netdev_connect_event
OWE processing can be completely taken care of inside
netdev_authenticate_event and netdev_associate_event. This removes
the need for OWE specific checks inside netdev_connect_event. We can
now return early out of the connect event if OWE is in progress.
2019-03-01 17:16:17 -06:00
James Prestwood
6de133aee7 auto-t: add timeout test for testOWE
This simulates an authenticate timeout. This test really just proves
that IWD doesn't crash in this case.
2019-03-01 17:15:22 -06:00
James Prestwood
981892470a auto-t: test for temporary blacklist
The simplest way to test this was to create a new AP, where
max_num_sta=1. This only allows a single STA to connect to this AP.
We connect a device to this AP, then try and connect with another.
This results in hostapd failing with DENIED_NO_MORE_STAS, which will
cause a temporary blacklist. We can then disconnect both devices,
and reconnect the device that previously got denied. If it connects
then we know the blacklist only persisted for that earlier connection.
2019-03-01 13:13:19 -06:00
James Prestwood
cd6e32bf90 station: temporarily blacklist BSS for certain status codes
Several Auth/Assoc failure status codes indicate that the connection
failed for reasons such as bandwidth issues, poor channel conditions
etc. These conditions should not result in the BSS being blacklisted
since its likely only a temporary issue and the AP is not actually
"broken" per-se.

This adds support in station.c to temporarily blacklist these BSS's
on a per-network basis. After the connection has completed we clear
out these blacklist entries.
2019-03-01 13:13:08 -06:00
James Prestwood
64dedd9aa5 network: add APIs to blacklist BSS's per-network
Certain error conditions require that a BSS be blacklisted only for
the duration of the current connection. The existing blacklist
does not allow for this, and since this blacklist is shared between
all interfaces it doesnt make sense to use it for this purpose.

Instead, each network object can contain its own blacklist of
scan_bss elements. New elements can be added with network_blacklist_add.
The blacklist is cleared when the connection completes, either
successfully or not.

Now inside network_bss_select both the per-network blacklist as well as
the global blacklist will be checked before returning a BSS.
2019-03-01 13:08:01 -06:00
James Prestwood
3af51558f2 netdev: pass event data to netdev events
Several netdev events benefit from including event data in the callback.
This is similar to how the connect callback works as well. The content
of the event data is documented in netdev.h (netdev_event_func_t).

By including event data for the two disconnect events, we can pass the
reason code to better handle the failure in station.c. Now, inside
station_disconnect_event, we still check if there is a pending connection,
and if so we can call the connect callback directly with HANDSHAKE_FAILED.
Doing it this way unifies the code path into a single switch statment to
handle all failures.

In addition, we pass the RSSI level index as event data to
RSSI_LEVEL_NOTIFY. This removes the need for a getter to be exposed in
netdev.h.
2019-02-28 18:26:45 -06:00
Tim Kourt
a5424829b6 scan: Standardize nomenclature between scan triggers 2019-02-28 18:25:44 -06:00
Tim Kourt
c5d6b70520 scan: Deprecate scan_send_start()
On successful send, scan_send_start(..) used to set msg to NULL,
therefore the further management of the command by the caller was
impossible. This patch removes wrapper around l_genl_family_send()
and lets the callers to take responsibility for the command.
2019-02-28 18:25:15 -06:00
James Prestwood
8fed50a448 netdev: station: fix status/reason code in callbacks
This change cleans up the mess of status vs reason codes. The two
types of codes have already been separated into different enumerations,
but netdev was still treating them the same (with last_status_code).

A new 'event_data' argument was added to the connect callback, which
has a different meaning depending on the result of the connection
(described inside netdev.h, netdev_connect_cb_t). This allows for the
removal of netdev_get_last_status_code since the status or reason
code is now passed via event_data.

Inside the netdev object last_status_code was renamed to last_code, for
the purpose of storing either status or reason. This is only used when
a disconnect needs to be emitted before failing the connection. In all
other cases we just pass the code directly into the connect_cb and do
not store it.

All ocurrences of netdev_connect_failed were updated to use the proper
code depending on the netdev result. Most of these simply changed from
REASON_CODE_UNSPECIFIED to STATUS_CODE_UNSPECIFIED. This was simply for
consistency (both codes have the same value).

netdev_[authenticate|associate]_event's were updated to parse the
status code and, if present, use that if their was a failure rather
than defaulting to UNSPECIFIED.
2019-02-28 13:38:36 -06:00
Andrew Zaborowski
6017dc5730 eap-ttls: Check phase2-method is non-NULL in load_settings
Even though .check_settings in our EAP method implementations does the
settings validation, .load_settings also has minimum sanity checks to
rule out segfaults if the settings have changed since the last
.check_settings call.
2019-02-28 13:02:26 -06:00