3
0
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2024-11-09 05:29:23 +01:00
Commit Graph

6134 Commits

Author SHA1 Message Date
Denis Kenzior
5e631c8af8 handshake: Refactor ie setters
Calling handshake_state_setup_own_ciphers from within
handshate_state_set_authenticator_ie was misleading.  In all cases the
supplicant chooses the AKM.  This worked since our AP code only ever
advertises a single AKM, but would not work in the general case.

Similarly, the supplicant would choose which authentication type to use
by either sending the WPA1 or WPA2 IE (or OSEN).  Thus the setting of
the related variables in handshake_state_set_authenticator_ie was also
incorrect.  In iwd, the supplicant_ie would be set after the
authenticator_ie, so these settings would be overwritten in most cases.

Refactor these two setters so that the supplicant's chosen rsn_info
would be used to drive the handshake.
2021-09-20 15:19:27 -05:00
Denis Kenzior
63ef918671 ap: validate group cipher
Make sure to validate group_cipher from the STA similarly to how
akm_suites and pairwise_ciphers are validated.
2021-09-20 15:19:27 -05:00
Fabrice Fontaine
ec1c348b4f build: Add reallocarray to missing.h
reallocarray has been added to glibc relatively recently (version 2.26,
from 2017) and apparently not all users run new enough glibc. Moreover,
reallocarray is not available with uclibc-ng. So use realloc if
reallocarray is not available to avoid the following build failure
raised since commit 891b78e9e8:

/home/giuliobenetti/autobuild/run/instance-3/output-1/host/lib/gcc/xtensa-buildroot-linux-uclibc/10.3.0/../../../../xtensa-buildroot-linux-uclibc/bin/ld: src/sae.o: in function `sae_rx_authenticate':
sae.c:(.text+0xd74): undefined reference to `reallocarray'

Fixes:
 - http://autobuild.buildroot.org/results/c6d3f86282c44645b4f1c61882dc63ccfc8eb35a
2021-09-20 10:32:51 -05:00
James Prestwood
f45696485c network: reply to pending messages on network_unregister
If there is a connect_after_* message for ANQP or OWE hidden networks
reply to these before unregistering the network.
2021-09-17 18:13:15 -05:00
James Prestwood
8a43473504 auto-t: add testOWE-transition
This adds several tests for OWE transition networks. Hostapd
does have special options for these networks but currently their
implementation is incorrect as the IE is not ever added to the
OWE BSS. Besides that using vendor_elements provides a much easier
way to create invalid IEs to test.
2021-09-17 18:05:10 -05:00
James Prestwood
8a735edac0 network: prefer OWE transition BSS over open
There isn't much control station has with how BSS's are inserted to
a network object. The rank algorithm makes that decision. Because of
this we could end up in a situation where the Open BSS is preferred
over the OWE transition BSS.

In attempt to better handle this any Open BSS in this type of network
will not be chosen unless its the only candidate (e.g. no other BSSs,
inability to connect with OWE, or an improperly configured network).
2021-09-17 18:05:07 -05:00
James Prestwood
e462dcda56 station: handle OWE Transition procedure
OWE Transition is described in the WiFi Alliance OWE Specification
version 1.1. The idea behind it is to support both legacy devices
without any concept of OWE as well as modern ones which support the
OWE protocol.

OWE is a somewhat special type of network. Where it advertises an
RSN element but is still "open". This apparently confuses older
devices so the OWE transition procedure was created.

The idea is simple: have two BSS's, one open, and one as a hidden
OWE network. Each network advertises a vendor IE which points to the
other. A device sees the open network and can connect (legacy) or
parse the IE, scan for the hidden OWE network, and connect to that
instead.

Care was taken to handle connections to hidden networks directly.
The policy is being set that any hidden network with the WFA OWE IE
is not connectable via ConnectHiddenNetwork(). These networks are
special, and can only be connected to via the network object for
the paired open network.

When scan results come in from any source (DBus, quick, autoconnect)
each BSS is checked for the OWE Transition IE. A few paths can be
taken here when the IE is found:

1. The BSS is open. The BSSID in the IE is checked against the
   current scan results (excluding hidden networks). If a match is
   found we should already have the hidden OWE BSS and nothing
   else needs to be done (3).

2. The BSS is open. The BSSID in the IE is not found in the
   current scan results, and the open network also has no OWE BSS
   in it. This will be processed after scan results.

3. The BSS is not open and contains the OWE IE. This BSS will
   automatically get added to the network object and nothing else
   needs to be done.

After the scan results each network is checked for any non-paired
open BSS's. If found a scan is started for these BSS's per-network.
Once these scan results come in the network is notified.

From here network.c can detect that this is an OWE transition
network and connect to the OWE BSS rather than the open one.
2021-09-17 17:59:54 -05:00
James Prestwood
71384da38f network: add network_get_station 2021-09-17 17:59:52 -05:00
James Prestwood
a6c4972290 scan: add scan API specifically for OWE transition networks
Specifically OWE networks with multiple open/hidden BSS's are troublesome
to scan for with the current APIs. The scan parameters are limited to a
single SSID and even if that was changed we have the potential of hitting
the max SSID's per scan limit. In all, it puts the burden onto the caller
to sort out the SSIDs/frequencies to scan for.

Rather than requiring station to handle this a new scan API was added,
scan_owe_hidden() which takes a list of open BSS's and will automatically
scan for the SSIDs in the OWE transition IE for each.

It is slightly optimized to first check if all the hidden SSID's are the
same. This is the most likely case (e.g. single pair or single network)
and a single scan command can be used. Otherwise individual scan commands
are queued for each SSID/frequency combo.
2021-09-17 17:59:43 -05:00
Denis Kenzior
c235c9fa54 handshake: Only bitwise compare when needed
handshake_util_ap_ie_matches() is used to make sure that the RSN element
received from the Authenticator during handshake / association response
is the same as the one advertised in Beacon/Probe Response frames.  This
utility tries to bitwise compare the element first, and only if that
fails, compares RSN members individually.

For FT, bitwise comparison will always fail since the PMKID has to be
included by the Authenticator in any RSN IEs included in Authenticate
& Association Response frames.

Perform the bitwise comparison as an optimization only during processing
of eapol message 3/4.  Also keep the parsed rsn information for future
use and to possibly avoid re-parsing it during later checks.
2021-09-17 09:19:26 -05:00
Denis Kenzior
4d95e3a161 handshake: Update KDE definitions to 802.11-2020 2021-09-17 08:27:20 -05:00
Denis Kenzior
77d2d79ac2 handshake: Also check OCVC bit 2021-09-17 08:22:40 -05:00
Denis Kenzior
171b2b90b8 ie: Add support for OCVC bit in RSNE utils 2021-09-17 08:22:15 -05:00
Denis Kenzior
805920dc68 monitor: print OCVC bit in RSNE 2021-09-17 08:21:49 -05:00
Denis Kenzior
64923913c2 station: Trigger autoconnect only on last subset
DBus scan is performed in several subsets.  In certain corner-case
circumstances it would be possible for autoconnect to run after each
subset scan.  Instead, trigger autoconnect only after the dbus scan
completes.

This also works around a condition where ANQP results could trigger
autoconnect too early.
2021-09-16 17:28:04 -05:00
Denis Kenzior
17827f1ff9 station: Commonize autoconnect starting logic 2021-09-16 16:41:59 -05:00
Denis Kenzior
c0fe7070a3 station: Simplify station_set_scan_results() calls
Several invocations of station_set_scan_results() base the
'add_to_autoconnect' parameter on station_is_autoconnecting().  Simplify
the code by having station_set_scan_results() invoke that itself.
'add_to_autoconnect' now becomes an 'intent' parameter, specifying
whether autoconnect path should be invoked as a result of these scan
results or not when station is in an appropriate state.  Rename
'add_to_autoconnect' parameter to make this clearer.
2021-09-16 16:38:16 -05:00
Denis Kenzior
514e3b2710 station: Don't autoconnect via debug scans
Scans triggered via the StationDebug interface should not trigger the
autoconnect logic.
2021-09-16 16:38:03 -05:00
James Prestwood
163fb868c2 station: Ignore OWE Transition BSSes
BSSes that advertise OWE Transition IE are special and should be ignored
for the purposes of ConnectHiddenNetwork
2021-09-16 16:35:57 -05:00
James Prestwood
e10bb3bd77 station: Do not re-process cached entries for anqp
If the frequency of the bss is not in the list of frequencies for the
current scan, then this is a cached bss.  It was likely already
processed for ANQP before, so skip it.
2021-09-16 16:35:15 -05:00
James Prestwood
4b7138b05c monitor: parse WFA OWE Transition IE 2021-09-16 11:22:25 -05:00
James Prestwood
a94c0ed29e scan: keep track of OWE Transition element 2021-09-16 11:21:32 -05:00
James Prestwood
df6221bcb2 scan: allow non-utf8 SSIDs to be scanned for
IWD has restricted SSIDs to only utf8 so they can be displayed but
with the addition of OWE transition networks this is an unneeded
restriction (for these networks). The SSID of an OWE transition
network is never displayed to the user so limiting to utf8 isn't
required.

Allow non-utf8 SSIDs to be scanned for by including the length in
the scan parameters and not relying on strlen().
2021-09-16 11:20:46 -05:00
James Prestwood
56c2cf9f10 ie: add ie_parse_owe_transition_from_data
This is a parser for the WFA OWE Transition element. For now the
optional band/channel bytes will not be parsed as hostapd does not
yet support these and would also require the 802.11 appendix E-1
to be added to IWD. Because of this OWE Transition networks are
assumed to be on the same channel as their open counterpart.
2021-09-16 11:20:14 -05:00
Andrew Zaborowski
42bd5ba7c2 netconfig: Remove usage of in6_addr.__in6_u
in6_addr.__in6_u.__u6_addr8 is glibc-specific and named differently in
the headers shipped with musl libc for example.  The POSIX compliant and
universal way of accessing it is in6_addr.s6_addr.
2021-09-16 11:09:51 -05:00
James Prestwood
c19dc6605f network: fix pending hidden OWE scan logic
This was actually broken if triggered because __network_connect
checks if network->connect_after_owe_hidden is set and returns
already in progress. We want to keep this behavior though for
obvious reasons.

To fix this station_connect_network can be called directly which
bypasses the check. This is essentially how ANQP avoids this
problem as well.
2021-09-15 18:36:54 -05:00
James Prestwood
e11ad83222 auto-t: hostapd.py: add disable() 2021-09-15 16:42:21 -05:00
James Prestwood
f8b703efed network: support connect during OWE hidden scan
Similar to ANQP a connect call could come in while station is
scanning for OWE hidden networks. This is supported in the same
manor by saving away the dbus message and resuming the connection
after the hidden OWE scan.
2021-09-15 15:49:21 -05:00
James Prestwood
e6f5efbe73 station: add OWE_HIDDEN_STARTED/FINISHED events 2021-09-15 15:49:05 -05:00
James Prestwood
81816ce04d station: network: make ANQP watch a generic event
With the addition of OWE transition network needs to be notified
of the hidden OWE scan which is quite similar to how it is notified
of ANQP. The ANQP event watch can be made generic and reused to
allow other events besides ANQP.
2021-09-15 15:49:02 -05:00
James Prestwood
926dc608af network: set handshake SSID based on BSS, not network
This is being added to support OWE transition mode. For these
type of networks the OWE BSS may contain a different SSID than
that of the network, but the WFA spec requires this be hidden
from the user. This means we need to set the handshake SSID based
on the BSS rather than the network object.
2021-09-15 14:59:05 -05:00
James Prestwood
4329b669d0 ie: add WFA OWE Transition element type 2021-09-15 12:56:43 -05:00
Andrew Zaborowski
8b573fe398 netconfig: Refactor netconfig_set_dns
Refactor netconfig_set_dns to be a bit easier to follow and remove use
of macros.  Also bail out early if no DNS addresses are provided instead
of building an empty DNS list since resolve_set_dns() simply returns if
a NULL or empty DNS list is provided.
2021-09-14 15:12:12 -05:00
Andrew Zaborowski
97587e399f doc: Add net.connman.iwd.IPv{4,6}Configuration API doc 2021-09-14 15:12:10 -05:00
Marcel Holtmann
6f4b91ac8e Release 1.18 2021-09-14 22:00:19 +02:00
Marcel Holtmann
481af204b0 build: Require at least version 0.44 when building with external ELL 2021-09-14 22:00:02 +02:00
Denis Kenzior
6dbde8121d monitor: Support short form of '--noies' option 2021-09-14 10:43:36 -05:00
James Prestwood
7fda423e12 auto-t: remove ';' in testSAE autoconnect_test.py 2021-09-09 16:57:38 -05:00
James Prestwood
4c6f0ff75a auto-t: add SAE test for no supported groups 2021-09-09 16:57:38 -05:00
James Prestwood
a0a05a88b9 auto-t: add SAE test for a non-ACKed confirm 2021-09-09 16:57:38 -05:00
James Prestwood
1574909535 auto-t: change testSAE timeout_test to use match/offset
This makes things more clear on what frames are being blocked
since it passes over header information to get to the actual
SAE payload.
2021-09-09 16:57:38 -05:00
James Prestwood
9049ed2f25 auto-t: hwsim.py: add match/match_offset properties 2021-09-09 16:57:38 -05:00
James Prestwood
3f4cafe135 hwsim: add MatchBytes/MatchBytesOffset rule properties
If set, a rule will start matching 'MatchBytes' some number of bytes
into the frame (MatchBytesOffset). This is useful since header
information, addresses, and sequence numbers may be unpredictable
between test runs.

To avoid unintended matches the Prefix property is left unchanged
and will match starting at the beginning of the frame.
2021-09-09 16:57:38 -05:00
James Prestwood
a50af3b751 auto-t: remove OWE renegotiate test
Since IWD tries group 20 first all other OWE tests are actually
triggering group negotiation where this test is not. Since this
code is exercised this test can be removed completely, as well
as the additional radio/network.
2021-09-08 20:05:07 -05:00
Denis Kenzior
23af586acd netdev: Properly handle auth_proto error returns
Kernel keeps transmitting authentication frames until told to stop or an
authentication frame the kernel considers 'final' is received.  Detect
cases where the kernel would keep retransmitting, and if auth_proto
encounters a fatal protocol error, prevent these retransmissions from
occuring by sending a Deauthenticate command to the kernel.

Additionally, treat -EBADMSG/-ENOMSG return from auth_proto specially.
These error codes are meant to convey that a frame should be silently
dropped and retransmissions should continue.
2021-09-08 17:04:36 -05:00
James Prestwood
eeb42c56f0 auto-t: add sae test for non-acked commit
This test simulates the scenario where IWDs commit is not acked which
exposes a hostapd bug that ultimately fails the connection. This behavior
can be seen by reverting the commit which works around this issue:

"sae: don't send commit in confirmed state"

With the above patch applied this test should pass.

Note: The existing timeout test was reused as it was not of much use
anyways. All it did was block auth/assoc frames and expect a failure
which didn't exercise any SAE logic anyways.
2021-09-08 16:48:07 -05:00
James Prestwood
3d82ab167f mpdu: add MMPDU_STATUS_CODE_SAE_PK 2021-09-08 16:47:36 -05:00
James Prestwood
305189523a auth-proto: document acceptable return values for auth-protos
Since all auth-protos are hidden behind an abstraction they need
to be consisten with the return values as some should be handled
specially.
2021-09-08 16:46:45 -05:00
James Prestwood
7e9b4170b1 sae: don't send commit/confirm in confirmed state
This works around a hostapd bug (described more in the TODO comment)
which is exposed because of the kernels overly agressive re-transmit
behavior on missed ACKs. Combined this results in a death if the
initial commit is not acked. This behavior has been identified in
consumer access points and likely won't ever be patched for older
devices. Because of this IWD must work around the problem which can
be eliminated by not sending out this commit message.

This bug was reported to the hostapd ML:

https://lists.infradead.org/pipermail/hostap/2021-September/039842.html

This change should not cause any compatibility problems to non-hostapd
access points and is identical to how wpa_supplicant treats this
scenario.
2021-09-08 16:46:07 -05:00
James Prestwood
f78ea26f13 fils: change fatal return code to -EPROTO
This keeps FILS consistent with what netdev expects for a fatal
auth-proto return.
2021-09-08 14:35:05 -05:00