3
0
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2024-11-29 22:19:23 +01:00
Commit Graph

3956 Commits

Author SHA1 Message Date
James Prestwood
62bdd1bea5 band: add band_freq
HE has different rules depending on the frequency, so the band
structure also needs to track the frequency for any rate information
to have context.
2022-07-19 15:45:47 -05:00
James Prestwood
d8fe443363 ie: add IE's from 802.11ax amendment 2022-07-19 15:45:28 -05:00
James Prestwood
e089ab2de2 scan: add colocated scan flag 2022-07-19 15:45:18 -05:00
Denis Kenzior
b84b71042b iwd: Add missing module dependencies
Certain module dependencies were missing, which could cause a crash on
exit under (very unlikely) circumstances.

  #0  l_queue_peek_head (queue=<optimized out>) at ../iwd-1.28/ell/queue.c:241
  #1  0x0000aaaab752f2a0 in wiphy_radio_work_done (wiphy=0xaaaac3a129a0, id=6)
      at ../iwd-1.28/src/wiphy.c:2013
  #2  0x0000aaaab7523f50 in netdev_connect_free (netdev=netdev@entry=0xaaaac3a13db0)
      at ../iwd-1.28/src/netdev.c:765
  #3  0x0000aaaab7526208 in netdev_free (data=0xaaaac3a13db0) at ../iwd-1.28/src/netdev.c:909
  #4  0x0000aaaab75a3924 in l_queue_clear (queue=queue@entry=0xaaaac3a0c800,
      destroy=destroy@entry=0xaaaab7526190 <netdev_free>) at ../iwd-1.28/ell/queue.c:107
  #5  0x0000aaaab75a3974 in l_queue_destroy (queue=0xaaaac3a0c800,
      destroy=destroy@entry=0xaaaab7526190 <netdev_free>) at ../iwd-1.28/ell/queue.c:82
  #6  0x0000aaaab7522050 in netdev_exit () at ../iwd-1.28/src/netdev.c:6653
  #7  0x0000aaaab7579bb0 in iwd_modules_exit () at ../iwd-1.28/src/module.c:181

In this particular case, wiphy module was de-initialized prior to the
netdev module:

Jul 14 18:14:39 localhost iwd[2867]: ../iwd-1.28/src/wiphy.c:wiphy_free() Freeing wiphy phy0[0]
Jul 14 18:14:39 localhost iwd[2867]: ../iwd-1.28/src/netdev.c:netdev_free() Freeing netdev wlan0[45]
2022-07-18 10:58:06 -05:00
James Prestwood
80f9374440 ap: remove diagnostic interface when netdev goes down
This fixes a crash associated with toggling the iftype to AP mode
then calling GetDiagnostics. The diagnostic interface is never
cleaned up when netdev goes down so DBus calls can still be made
which ends up crashing since the AP interface objects are no longer
valid.

Running the following iwctl commands in a script (once or twice)
triggers this crash reliably:

iwctl device wlp2s0 set-property Mode ap
iwctl device wlp2s0 set-property Mode station
iwctl device wlp2s0 set-property Mode ap
iwctl ap wlp2s0 start myssid secret123
iwctl ap wlp2s0 show

++++++++ backtrace ++++++++
0  0x7f8f1a8fe320 in /lib64/libc.so.6
1  0x451f35 in ap_dbus_get_diagnostics() at src/ap.c:4043
2  0x4cdf5a in _dbus_object_tree_dispatch() at ell/dbus-service.c:1815
3  0x4bffc7 in message_read_handler() at ell/dbus.c:285
4  0x4b5d7b in io_callback() at ell/io.c:120
5  0x4b489b in l_main_iterate() at ell/main.c:476
6  0x4b49a6 in l_main_run() at ell/main.c:519
7  0x4b4cd9 in l_main_run_with_signal() at ell/main.c:645
8  0x404f5b in main() at src/main.c:600
9  0x7f8f1a8e8b75 in /lib64/libc.so.6
+++++++++++++++++++++++++++
2022-07-01 11:58:06 -05:00
Jesse Lentz
125c9b195c dpp: Add Started, Role, and URI properties to API
Add three new properties to the DeviceProvisioning API: Started, Role,
and URI.
2022-06-27 11:07:13 -05:00
James Prestwood
7fad6590bd eapol: allow 'secure' to be set on rekeys
About a month ago hostapd was changed to set the secure bit on
eapol frames during rekeys (bc36991791). The spec is ambiguous
about this and has conflicting info depending on the sections you
read (12.7.2 vs 12.7.6). According to the hostapd commit log TGme
is trying to clarify this and wants to set secure=1 in the case
of rekeys. Because of this, IWD is completely broken with rekeys
since its disallows secure=1 on PTK 1/4 and 2/4.

Now, a bool is passed to the verify functions which signifies if
the PTK has been negotiated already. If secure differs from this
the key frame is not verified.
2022-06-24 18:11:56 -05:00
James Prestwood
a276243e9a storage: warn user on badly named provisioning file
The man pages (iwd.network) have a section about how to name provisioning
files containing non-alphanumeric characters but not everyone reads the
entire man page.

Warning them that the provisioning file was not read and pointing to
'man iwd.network' should lead someone in the right direction.
2022-06-24 10:40:11 -05:00
Denis Kenzior
16739cb4e6 eap: Fix EAP-Success handling
EAP-Success might come in with an identifier that is incremented by 1
from the last Response packet.  Since identifier field is a byte, the
value might overflow (from 255 -> 0.)  This overflow isn't handled
properly resulting in EAP-Success/Failure packets with a 0 identifier
due to overflow being erroneously ignored.  Fix that.
2022-06-23 16:20:28 -05:00
Andrew Zaborowski
032a3d1473 station: Move netconfig_reset() to common path
To avoid repetition, call netconfig_reset in
station_reset_connection_state.
2022-06-17 14:09:55 -05:00
Andrew Zaborowski
e88a0757ab storage: Log a message on network file parse errors
Most users of storage_network_open don't log errors when the function
returns a NULL and fall back to defaults (empty l_settings).
storage_network_open() itself only logs errors if the flie is encrypted.
Now also log an error when l_settings_load_from_file() fails to help track
down potential syntax errors.
2022-06-17 14:09:38 -05:00
Andrew Zaborowski
ba1253df3b netconfig: Fix address format validation
Drop the wrong negation in the error check.  Check that there are no extra
characters after prefix length suffix.  Reset errno 0 before the strtoul
call, as recommended by the manpage.
2022-06-17 14:04:07 -05:00
James Prestwood
f2fe9206c6 p2p: fix warning for uninitialized variable (clang)
This is actually a false positive only because
p2p_device_validate_conn_wfd bails out if the IE is NULL which
avoids using wfd_data_length. But its subtle and without inspecting
the code it does seem like the length could be used uninitialized.

src/p2p.c:940:7: error: variable 'wfd_data_len' is used uninitialized whenever 'if' condition is false [-Werror,-Wsometimes-uninitialized]
                if (dev->conn_own_wfd)
                    ^~~~~~~~~~~~~~~~~
src/p2p.c:946:8: note: uninitialized use occurs here
                                                        wfd_data_len))
                                                        ^~~~~~~~~~~~
src/p2p.c:940:3: note: remove the 'if' if its condition is always true
                if (dev->conn_own_wfd)
                ^~~~~~~~~~~~~~~~~~~~~~
src/p2p.c:906:23: note: initialize the variable 'wfd_data_len' to silence this warning
                ssize_t wfd_data_len;
                                    ^
                                     = 0
2022-06-10 14:44:18 -05:00
James Prestwood
8a8c2fbe38 storage: remove unused variables
The auto macros apparently made it difficult for gcc to
detect, but clang was able to find them.
2022-06-10 14:44:10 -05:00
James Prestwood
39b36f8e21 fils: pragma false positive for uninitialized variable
On musl-gcc the compiler is giving a warning for igtk_key_index
and gtk_key_index being used uninitialized. This isn't possible
since they are only used if gtk/igtk are non-NULL so pragma to
ignore the warning.

src/fils.c: In function 'fils_rx_associate':
src/fils.c:580:17: error: 'igtk_key_index' may be used uninitialized
	in this function [-Werror=maybe-uninitialized]
  580 |                 handshake_state_install_igtk(fils->hs,
					igtk_key_index,igtk + 6,
					igtk_len - 6, igtk);

(same error for gtk_key_index)
2022-06-10 13:59:01 -05:00
James Prestwood
2ad5e48314 network: fix handling of AlwaysRandomizeAddress/AddressOverride
For network configuration files the man pages (iwd.network) state
that [General].{AlwaysRandomizeAddress,AddressOverride} are only
used if main.conf has [General].AddressRandomization=network.

This actually was not being enforced and both iwd.network settings
were still taken into account regardless of what AddressRandomization
was set to (even disabled).

The handshake setup code now checks the AddressRandomization value
and if anything other than 'network' skips the randomization.
2022-06-03 15:52:06 -05:00
James Prestwood
19693f587f dpp,dpp-util: cast size_t for constant arguments to va_arg
There were a few places in dpp/dpp-util which passed a single byte but
was being read in with va_arg(va, size_t). On some architectures this was
causing failures presumably from the compiler using an integer type
smaller than size_t. As we do elsewhere, cast to size_t to force the
compiler to pass a properly sized iteger to va_arg.
2022-06-03 11:54:58 -05:00
Andrew Zaborowski
eb8362bf76 eap-tls: Keep l_tls instance for reauthentication
After one of the eap-tls-common-based methods succeeds keep the TLS
tunnel instance until the method is freed, rather than free it the
moment the method succeeds.  This fixes repeated method runs where until
now each next run would attempt to create a new TLS tunnel instance
but would have no authentication data (CA certificate, client
certificate, private key and private key passphrase) since those are
were by the old l_tls object from the moment of the l_tls_set_auth_data()
call.

Use l_tls_reset() to reset the TLS state after method success, followed
by a new l_tls_start() when the reauthentication starts.
2022-05-26 11:23:46 -05:00
James Prestwood
7104e12667 ft: remove frame type check in FT
A user reported that IWD was failing to FT in some cases and this was
due to the AP setting the Retry bit in the frame type. This was
unexpected by IWD since it directly checks the frame type against
0x00b0 which does not account for any B8-B15 bits being set.

IWD doesn't need to verify the frame type field for a few reasons:
First mpdu_validate checks the management frame type, Second the kernel
checks prior to forwarding the event. Because of this the check was
removed completely.

Reported-By: Michael Johnson <mjohnson459@gmail.com>
2022-05-23 13:01:10 -05:00
Jesse Lentz
ce227e7b94 station: Provide SignalLevelAgent update while connecting
When a station enters the "connecting" state, if a SignalLevelAgent is
registered, provide an initial signal level via a "Changed" method call.
2022-05-23 12:56:55 -05:00
Jesse Lentz
38e2d4383a station: Simplify usage of station_signal_agent_notify()
station_signal_agent_notify() has been refactored so that its usage is
simpler. station_rssi_level_changed() has been replaced by an inlined
call to station_signal_agent_notify().
2022-05-23 12:38:41 -05:00
Jesse Lentz
6cea51b79f netdev: Initialize signal level during connection attempt
The call to netdev_rssi_level_init() in netdev_connect_common() is
currently a no-op, because netdev->connected has not yet been set at
this stage of the connection attempt. Because netdev_rssi_level_init()
is only used twice, it's been replaced by two inlined calls to
netdev_set_rssi_level_idx().
2022-05-23 12:36:00 -05:00
Jesse Lentz
3d27d0d80a station: send initial signal level notification
After registration of a SignalLevelAgent, make iwd inform the client of
the initial signal level via a "Changed" method call.
2022-05-20 16:56:59 -05:00
Jesse Lentz
0b9e7eb120 Allow SignalLevelAgent method calls in dbus policy
The SignalLevelAgent API is currently broken by the system bus's
security policy, which blocks iwd's outgoing method call messages. This
patch punches a hole for method calls on the
net.connman.iwd.SignalLevelAgent interface.
2022-05-20 14:50:54 -05:00
Denis Kenzior
d459509087 manpage: describe 'none' in NameResolvingService 2022-05-20 10:14:17 -05:00
Denis Kenzior
b96bbb35e0 resolve: Add "none" method
There may be situations where DNS information should not be set (for
example in auto-tests where the resolver daemon is not running) or if a
user wishes to ignore DNS information obtained.
2022-05-20 10:03:42 -05:00
Michael Johnson
2c9c5b6602 docs: Show new usage of IWD_DHCP_DEBUG 2022-05-19 09:47:36 -05:00
Michael Johnson
28d13f9a43 netconfig: Add multiple levels to IWD_DHCP_DEBUG
Allows granularly specifying the DHCP logging level. This allows the
user to tailor the output to what they need. By default, always display
info, errors and warnings to match the rest of iwd.

Setting `IWD_DHCP_DEBUG` to "debug", "info", "warn", "error" will limit
the logging to that level or higher allowing the default logging
verbosity to be reduced.

Setting `IWD_DHCP_DEBUG` to "1" as per the current behavior will
continue to enable debug level logging.
2022-05-19 09:47:31 -05:00
Denis Kenzior
ee3a044b75 eapol: authenticator: Drop unencrypted EAPoL frames
After the initial handshake, once the TK has been installed, all frames
coming to the AP should be encrypted.  However, it seems that some
kernel/driver combinations allow unencrypted EAPoL frames to be received
and forwarded to userspace.  This can lead to various attacks.

Some drivers can report whether the EAPoL frame has been received
unencrypted.  Use this information to drop unencrypted EAPoL frames
received after the initial handshake has been completed.
2022-05-10 16:04:29 -05:00
Denis Kenzior
ccdea73df2 eapol: Drop unexpectedly unencrypted EAP frames
After the initial handshake, once the TK has been installed, all frames
coming from the AP should be encrypted.  However, it seems that some
kernel/driver combinations allow unencrypted EAPoL frames to be received
and forwarded to userspace.  This can lead to a denial-of-service attack
where receipt of an invalid, unencrypted EAP-Failure frame generated by
an adversary results in iwd terminating an ongoing connection.

Some drivers can report whether the EAPoL frame has been received
unencrypted.  Use this information to drop unencrypted EAP frames
received after the initial handshake has been completed.

Reported-by: Domien Schepers <schepers.d@northeastern.edu>
2022-05-10 16:03:41 -05:00
Denis Kenzior
5b42cb6cda eapol: Drop unexpectedly unencrypted PTK 1/4 frames
After the initial handshake, once the TK has been installed, all frames
coming from the AP should be encrypted.  However, it seems that some
kernel/driver combinations allow unencrypted EAPoL frames to be received
and forwarded to userspace.  This can lead to a denial-of-service attack
where receipt of an invalid, unencrypted EAPoL 1/4 frame generated by an
adversary results in iwd terminating an ongoing connection.

Some drivers can report whether the EAPoL frame has been received
unencrypted.  Use this information to drop unencrypted PTK 1/4 frames
received after the initial handshake has been completed.

Reported-by: Domien Schepers <schepers.d@northeastern.edu>
2022-05-10 12:22:03 -05:00
Denis Kenzior
1ef97e5cbc eapol: Silently discard invalid EAPoL frames
Do not fail an ongoing handshake when an invalid EAPoL frame is
received.  Instead, follow the intent of 802.11-2020 section 12.7.2:
"EAPOL-Key frames containing invalid field values shall be silently
discarded."

This prevents a denial-of-service attack where receipt of an invalid,
unencrypted EAPoL 1/4 frame generated by an adversary results in iwd
terminating an ongoing connection.

Reported-by: Domien Schepers <schepers.d@northeastern.edu>
2022-05-10 10:01:08 -05:00
Denis Kenzior
1409364371 scan: Sort scan_requests by wiphy work item priority
Periodic scan requests are meant to be performed with a lower priority
than normal scan requests.  They're thus given a different priority when
inserting them into the wiphy work queue.  Unfortunately, the priority
is not taken into account when they are inserted into the
sr->requests queue.  This can result in the scanning code being confused
since it assumes the top of the queue is always the next scheduled or
currently ongoing scan.  As a result any further wiphy_work might never be
started properly.

Apr 27 16:34:40 iwd[5117]: ../iwd-1.26/src/wiphy.c:wiphy_radio_work_insert() Inserting work item 3
Apr 27 16:34:40 iwd[5117]: ../iwd-1.26/src/wiphy.c:wiphy_radio_work_next() Starting work item 3
Apr 27 16:34:40 iwd[5117]: ../iwd-1.26/src/scan.c:scan_periodic_timeout() 1
Apr 27 16:34:40 iwd[5117]: ../iwd-1.26/src/wiphy.c:wiphy_radio_work_insert() Inserting work item 4
Apr 27 16:34:43 iwd[5117]: ../iwd-1.26/src/wiphy.c:wiphy_radio_work_insert() Inserting work item 5
Apr 27 16:34:43 iwd[5117]: ../iwd-1.26/src/wiphy.c:wiphy_radio_work_done() Work item 3 done
Apr 27 16:34:43 iwd[5117]: ../iwd-1.26/src/wiphy.c:wiphy_radio_work_next() Starting work item 5
Apr 27 16:34:43 iwd[5117]: ../iwd-1.26/src/scan.c:scan_notify() Scan notification Trigger Scan(33)
Apr 27 16:34:43 iwd[5117]: ../iwd-1.26/src/scan.c:scan_request_triggered() Passive scan triggered for wdev 1
Apr 27 16:34:43 iwd[5117]: ../iwd-1.26/src/scan.c:scan_periodic_triggered() Periodic scan triggered for wdev 1

In the above log, scan request 5 (triggered by dbus) is started before
scan request 4 (periodic scan).  Yet the scanning code thinks scan
request 4 was triggered.

Fix this by using the wiphy_work priority to sort the sr->requests queue
so that the scans are ordered in the same manner.

Reported-by: Alvin Šipraga <ALSI@bang-olufsen.dk>
2022-05-02 09:18:30 -05:00
James Prestwood
b27ab1270c dpp: wait before retransmitting frames with no-ACK
The upstream code immediately retransmitted any no-ACK frames.
This would work in cases where the peer wasn't actively switching
channels (e.g. the ACK was simply lost) but caused unintended
behavior in the case of a channel switch when the peer was not
listening.

If either IWD or the peer needed to switch channels based on the
authenticate request the response may end up not getting ACKed
because the peer is idle, or in the middle of the hardware changing
channels. IWD would get no-ACK and immediately send the frame again
and most likely the same behavior would result. This would very
quickly increment frame_retry past the maximum and DPP would fail.

Instead when no ACK is received wait 1 second before sending out
the next frame. This can re-use the existing frame_pending buffer
and the same logic for re-transmitting.
2022-04-15 12:15:52 -05:00
James Prestwood
14217e6ca4 dpp: print error if CMD_FRAME fails 2022-04-15 12:15:44 -05:00
James Prestwood
07197e24fc dpp: handle sending a frame after ROC ends
There is a potential corner case of an offchannel frame callback
being called after ROC has ended.

This could happen in theory if a received frame is queued right as
the ROC session expires. If the ROC cancel event makes it to user
space before the frame IWD will schedule another ROC then receive
the frame. This doesn't prevent IWD from sending out another
frame since OFFCHANNEL_TX_OK is used, but it will prevent IWD from
receiving a response frame since no dwell duration is used with DPP.

To handle this an roc_started bool was added to the dpp_sm which
tracks the ROC state. If dpp_send_frame is called when roc_started
is false the frame will be saved and sent out once the ROC session
is started again.
2022-04-15 12:12:49 -05:00
Denis Kenzior
8a877d8692 station/network: avoid use-after-free
ConnectHiddenNetwork creates a temporary network object and initiates a
connection with it.  If the connection fails (due to an incorrect
passphrase or other reasons), then this temporary object is destroyed.
Delay its destruction until network_disconnected() since
network_connect_failed is called too early.  Also, re-order the sequence
in station_reset_connection_state() in order to avoid using the network
object after it has been freed by network_disconnected().

Fixes: 85d9d6461f ("network: Hide hidden networks on connection error")
2022-04-08 15:12:30 -05:00
Denis Kenzior
867c68c05b network: close settings prior to network removal
station_hide_network will remove and free the network object, so calling
network_close_settings will result in a crash.  Make sure this is done
prior to network object's destruction.

Fixes: 85d9d6461f ("network: Hide hidden networks on connection error")
2022-04-08 11:23:28 -05:00
James Prestwood
cb76f219fb netdev: move ocvc setting to after connected check
We cannot check 'handshake' until first checking that IWD is
connected.
2022-04-05 13:30:30 -05:00
James Prestwood
f7dc05969f netdev: check for connected in FT frame event
This frame could come unsolicited and cause a NULL dereference
if IWD is not connected.
2022-04-05 13:30:11 -05:00
Denis Kenzior
dc7e12ac0c station: Ignore AP directed roams if already trying to roam 2022-04-05 11:41:03 -05:00
Denis Kenzior
92ef3da714 station: Sanitize AP directed roam addresses
Make sure the BSS Transition Management Request frames come from our
conected AP.  Ignore and print a message if the addresses do not match.
2022-04-05 11:36:39 -05:00
Denis Kenzior
3fad65e5df station: ignore AP directed roams if not connected 2022-04-05 10:09:08 -05:00
Emmanuel VAUTRIN
85d9d6461f network: Hide hidden networks on connection error
If a user connection fails on a freshly scanned psk or open hidden
network, during passphrase request or after, it shall be removed from
the network list.  Otherwise, it would be possible to directly connect
to that known network, which will appear as not hidden.
2022-04-05 09:31:44 -05:00
James Prestwood
f59e69c6c4 rrm: use ULL for static values 2022-03-31 18:13:04 -05:00
Andrew Zaborowski
ce94013bae p2p: Fix Device Address updates from Probe Requests
p2p_peer_update_existing may be called with a scan_bss struct built from
a Probe Request frame so it can't access bss->p2p_probe_resp_info even
if peer->bss was built from a Probe Response.  Check the source frame
type of the scan_bss struct before updating the Device Address.

This fixes one timing issue that would make the autotest fail often.
2022-03-30 14:43:37 -05:00
James Prestwood
6f7743426b eapol: zero entire buffer when creating frame
Since l_malloc is used the frame contents are not zero'ed automatically
which could result in random bytes being present in the frame which were
expected to be zero. This poses a problem when calculating the MIC as the
crypto operations are done on the entire frame with the expectation of
the MIC being zero.

Fixes: 83212f9b23 ("eapol: change eapol_create_common to support FILS")
2022-03-28 17:35:03 -05:00
Fabrice Fontaine
d78950e039 storage: fix build with uclibc
explicit_bzero is used in src/storage.c since commit
01cd858760 but src/missing.h is not
included, as a result build with uclibc fails on:

/home/buildroot/autobuild/instance-0/output-1/host/lib/gcc/powerpc-buildroot-linux-uclibc/10.3.0/../../../../powerpc-buildroot-linux-uclibc/bin/ld: src/storage.o: in function `storage_init':
storage.c:(.text+0x13a4): undefined reference to `explicit_bzero'

Fixes:
 - http://autobuild.buildroot.org/results/2aff8d3d7c33c95e2c57f7c8a71e69939f0580a1
2022-03-28 12:39:51 -05:00
James Prestwood
dbca7fcc02 dpp: set new_freq when configuring as initiator
This is used to hold the current BSS frequency which will be
used after IWD receives a presence announcement. Since this was
not being set, the logic was always thinking there was a channel
mismatch (0 != current_freq) and attempting to go offchannel to
'0' which resulted in -EINVAL, and ultimately protocol termination.
2022-03-28 12:38:15 -05:00
James Prestwood
ad1e5252f3 dpp: fail if disconnected during DPP protocol
If the connected BSS is NULL IWD was disconnected and this should
trigger a protocol termination.
2022-03-28 12:38:15 -05:00
James Prestwood
9f6576be05 json: call va_end in error case
Caught by static analysis
2022-03-18 11:32:47 -05:00
James Prestwood
ed81351f15 dpp-util: move up va_end before possible error case
This was caught by static analysis
2022-03-18 11:32:39 -05:00
James Prestwood
7bbcb67892 station: replace old BSS with 'best_bss' on roam scan
The logic here assumed any BSS's in the roam scan were identical to
ones in station's bss_list with the same address. Usually this is true
but, for example, if the BSS changed frequency the one in station's
list is invalid.

Instead when a match is found remove the old BSS and re-insert the new
one.
2022-03-08 11:37:25 -06:00
James Prestwood
1c5a2da046 knownnetworks: use band_freq_to_channel to verify known freqs
With the addition of 6GHz '6000' is no longer the maximum frequency
that could be in .known_network.freq. For more robustness
band_freq_to_channel is used to validate the frequency.
2022-03-03 13:58:45 -06:00
Denis Kenzior
778dacd262 wiphy: Use an inline function in favor of a macro 2022-03-02 13:57:00 -06:00
Denis Kenzior
a8f3098115 wiphy: Use anonymous enum in favor of #defines 2022-03-02 13:55:26 -06:00
Denis Kenzior
86f34a394b ie: Use static inline functions in favor of macros 2022-03-02 13:51:56 -06:00
James Prestwood
d4e9cda0c0 ap: add support for scanning while in AP mode
Scanning while in AP mode is somewhat of an edge case, but it does
have some usefulness specifically with onboarding new devices, i.e.
a new device starts an AP, a station connects and provides the new
device with network credentials, the new device switches to station
mode and connects to the desired network.

In addition this could be used later for ACS (though this is a bit
overkill for IWD's access point needs).

Since AP performance is basically non-existant while scanning this
feature is meant to be used in a limited scope.

Two DBus API's were added which mirror the station interface: Scan and
GetOrderedNetworks.

Scan is no different than the station variant, and will perform an active
scan on all channels.

GetOrderedNetworks diverges from station and simply returns an array of
dictionaries containing basic information about networks:

{
    Name: <ssid>
    SignalStrength: <mBm>
    Security: <psk, open, or 8021x>
}

Limitations:
 - Hidden networks are not supported. This isn't really possible since
   the SSID's are unknown from the AP perspective.

 - Sharing scan results with station is not supported. This would be a
   convenient improvement in the future with respect to onboarding new
   devices. The scan could be performed in AP mode, then switch to
   station and connect immediately without needing to rescan. A quick
   hack could better this situation by not flushing scan results in
   station (if the kernel retains these on an iftype change).
2022-02-28 13:23:01 -06:00
James Prestwood
70fc6ea262 scan: add support for scanning on AP interface type
This adds a new flag, force_ap to the scan parameters. When enabled
this will set NL80211_SCAN_FLAG_AP.
2022-02-28 13:22:54 -06:00
James Prestwood
1974a67b30 scan: check flush feature before using flag 2022-02-28 11:42:43 -06:00
James Prestwood
9224575a83 station: replace station_parse_bss_security
Replaces this with scan_bss_get_security
2022-02-28 11:42:26 -06:00
James Prestwood
27bf997545 scan: add scan_bss_get_security
This was already implemented in station but with no dependency on
that module at all. AP will need this for a scanning API so its
being moved into scan.c.
2022-02-28 11:42:07 -06:00
James Prestwood
d38b7f2406 network: add 6GHz restrictions to network_can_connect_bss
The 802.11ax standards adds some restrictions for the 6GHz band. In short
stations must use SAE, OWE, or 8021x on this band and frame protection is
required.
2022-02-28 11:31:39 -06:00
James Prestwood
1024384ffd ie: add IE_AKM_IS_8021X 2022-02-25 17:54:33 -06:00
James Prestwood
6e660032c1 station: use IE_AKM_IS_FILS
Use this macro instead of manually checking
2022-02-25 17:54:27 -06:00
James Prestwood
44b3e7a8bb ie: update IE_AKM_IS_FILS to be bitwise
Currently nothing actually uses this macro, but switching it to a bitwise
comparison makes it more useful and consistent with the others.
2022-02-25 17:54:22 -06:00
James Prestwood
5627ef4141 ie: update IE_AKM_IS_SAE to bitwise comparison
All uses of this macro will work with a bitwise comparison which is
needed for 6GHz checks and somewhat more flexible since it can be
used to compare RSN info, not only single AKM values.
2022-02-25 17:54:09 -06:00
James Prestwood
c20828f252 station: enforce MFPR=1 for 6GHz frequencies
This adds checks if MFP is set to 0 or 1:

0 - Always fail if the frequency is 6GHz
1 - Fail if MFPC=0 and the frequency is 6GHz.
    If HW is capable set MFPR=1 for 6GHz
2022-02-25 17:11:39 -06:00
James Prestwood
2f50038363 station: check supported frequencies in neighbor report
If the report has an unsupported frequency don't add it to the list.
2022-02-25 17:11:36 -06:00
James Prestwood
111e13cad6 band: keep 6GHz frequencies out of 40mhz special case
There is no 40MHz upper/lower concept for 6GHz so avoid this special
handling.
2022-02-25 13:10:45 -06:00
James Prestwood
7882621ca9 wiphy: add 6Ghz support 2022-02-25 13:04:33 -06:00
James Prestwood
5b6f1e3662 util: add 6GHz support to scan_freq_set* APIs
The 6GHz channels are stored and accessed identically to 5GHz,
just using a separate uintset object.
2022-02-25 13:01:20 -06:00
James Prestwood
1343cb928f band: add 6GHz support to {channel,freq}_to_{freq,channel}
Adds support for the channels and frequencies defined in the
802.11ax spec.
2022-02-25 13:00:26 -06:00
James Prestwood
ff6961fbc4 band: add BAND_FREQ_6_GHZ
This is a new band defined in the WiFi 6E (ax) amendment. A completely
new value is needed due to channel reuse between 2.4/5 and 6GHz.

util.c needed minimal updating to prevent compile errors which will
be fixed later to actually handle this band. WSC also needed a case
added for 6GHz but the spec does not outline any RF Band value for
6GHz so the 5GHz value will be returned in this case.
2022-02-25 12:59:34 -06:00
James Prestwood
417b6fd022 band: remove unneeded line break
This fits within 80 characters
2022-02-25 12:59:27 -06:00
James Prestwood
650cac7979 band: add operating clases for 802.11ax
Obtained from the IEEE 802.11ax amendment, Table E-4
2022-02-25 12:57:45 -06:00
James Prestwood
6fce08c301 sae: define _GNU_SOURCE for reallocarray definition
sae.c was failing to build on some platforms:

error: implicit declaration of function 'reallocarray'; did you mean 'realloc'?
	[-Werror=implicit-function-declaration]
2022-02-24 12:14:46 -06:00
James Prestwood
d3f7458e26 netdev: fail connection if the link goes down
In certain rare cases IWD gets a link down event before nl80211 ever sends
a disconnect event. Netdev notifies station of the link down which causes
station to be freed, but netdev remains in the same state. Then later the
disconnect event arrives and netdev still thinks its connected, calls into
(the now freed) station object and causes a crash.

To fix this netdev_connect_free() is now called on any link down events
which will reset the netdev object to a proper state.

src/netdev.c:netdev_link_notify() event 16 on ifindex 16
src/netdev.c:netdev_mlme_notify() MLME notification Del Station(20)
src/netdev.c:netdev_link_notify() event 16 on ifindex 16
src/netdev.c:netdev_mlme_notify() MLME notification Deauthenticate(39)
src/netdev.c:netdev_deauthenticate_event()
src/netdev.c:netdev_link_notify() event 16 on ifindex 16
src/station.c:station_free()
src/netconfig.c:netconfig_destroy()
src/resolve.c:resolve_systemd_revert() ifindex: 16
src/station.c:station_roam_state_clear() 16
src/netdev.c:netdev_mlme_notify() MLME notification Disconnect(48)
src/netdev.c:netdev_disconnect_event()
Received Deauthentication event, reason: 3, from_ap: false

0 0x472fa4 in station_disconnect_event src/station.c:2916
1 0x472fa4 in station_netdev_event src/station.c:2954
2 0x43a262 in netdev_disconnect_event src/netdev.c:1213
3 0x43a262 in netdev_mlme_notify src/netdev.c:5471
4 0x6706eb in process_multicast ell/genl.c:1029
5 0x6706eb in received_data ell/genl.c:1096
6 0x65e630 in io_callback ell/io.c:120
7 0x65a94e in l_main_iterate ell/main.c:478
8 0x65b0b3 in l_main_run ell/main.c:525
9 0x65b0b3 in l_main_run ell/main.c:507
10 0x65b5cc in l_main_run_with_signal ell/main.c:647
11 0x4124d7 in main src/main.c:532
2022-02-22 16:27:02 -06:00
James Prestwood
82b808cdfe dpp: add support for initiating as a configurator
The difference between the existing code is that IWD will send the
authentication request, making it the initiator.

This handles the use case where IWD is provided a peers URI containing
its bootstrapping key rather than IWD always providing its own URI.
A new DBus API was added, ConfigureEnrollee().

Using ConfigureEnrollee() IWD will act as a configurator but begin by
traversing a channel list (URI provided or default) and waiting for
presence announcements (with one caveat). When an announcement is
received IWD will send an authentication request to the peer, receive
its reply, and send an authentication confirm.

As with being a responder, IWD only supports configuration to the
currently connected BSS and will request the enrollee switch to this
BSS's frequency to preserve network performance.

The caveat here is that only one driver (ath9k) supports multicast frame
registration which prevents presence frame from being received. In this
case it will be required the the peer URI contains a MAC and channel
information. This is because IWD will jump right into sending auth
requests rather than waiting for a presence announcement.
2022-02-22 16:25:47 -06:00
James Prestwood
de411818f0 dpp: manually register for some frame watches
The frame watch which covers the presence procedure (and most
frames for that matter) needs to support multicast frames for
presence to work. Doing this in frame-xchg seems like the right
choice but only ath9k supports multicast frame registration.
Because of this limited support DPP will register for these frames
manually.
2022-02-22 16:24:47 -06:00
James Prestwood
f7f602e1b1 dpp-util: add URI parsing
Parses K (key), M (mac), C (class/channels), and V (version) tokens
into a new structure dpp_uri_info. H/I are not parsed since there
currently isn't any use for them.
2022-02-22 16:23:52 -06:00
James Prestwood
c819903a7c dpp: check return of aes_siv_encrypt
This was caught by static analysis. As is common this should never
happen in the real world since the only way this can fail (apart from
extreme circumstances like OOM) is if the key size is incorrect, which
it will never be.
2022-02-18 14:45:45 -06:00
James Prestwood
5ca7948dfb main: remove unneeded stat call
Static analysis flagged that 'path' was never being checked (which
should not ever be NULL) but during that review I noticed stat()
was being called, then fstat afterwards.
2022-02-18 14:45:39 -06:00
James Prestwood
0fe054076f doc: Add warning to SystemdEncrypt as highly experimental 2022-02-16 16:11:01 -06:00
James Prestwood
1157e0a184 doc: document SystemdEncrypt 2022-02-15 17:44:20 -06:00
James Prestwood
e8e9c68dea main: add SystemdEncrypt option, and initialize key
Recently systemd added the ability to pass secret credentials to
services via LoadCredentialEncrypted/SetCredentialEncrypted. Once
set up the service is able to read the decrypted credentials from
a file. The file path is found in the environment variable
CREDENTIALS_DIRECTORY + an identifier. The value of SystemdEncrypt
should be set to the systemd key ID used when the credential was
created.

When SystemdEncrypt is set IWD will attempt to read the decrypted
secret from systemd. If at any point this fails warnings will be
printed but IWD will continue normally. Its expected that any failures
will result in the inability to connect to any networks which have
previously encrypted the passphrase/PSK without re-entering
the passphrase manually. This could happen, for example, if the
systemd secret was changed.

Once the secret is read in it is set into storage to be used for
profile encryption/decryption.
2022-02-15 17:38:51 -06:00
James Prestwood
64f225df6e hotspot: implement hotspot profile encryption
Using storage_decrypt() hotspot can also support profile encyption.
The hotspot consortium name is used as the 'ssid' since this stays
consistent between hotspot networks for any profile.
2022-02-15 17:22:21 -06:00
James Prestwood
01cd858760 storage: implement network profile encryption
Some users don't like the idea of storing network credentials in
plaintext on the file system.  This patch implements an option to
encrypt such profiles using a secret key.  The origin of the key can in
theory be anything, but would typically be provided by systemd via
'LoadEncryptedCredential' setting in the iwd unit file.

The encryption operates on the entire [Security] group as well as all
embedded groups. Once encrypted the [Security] group will be replaced
with two key/values:

EncryptedSalt - A random string of bytes used for the encryption
EncryptedSecurity - A string of bytes containing the encrypted
                    [Security] group, as well as all embedded groups.

After the profile has been encrypted these values should not be
modified.  Note that any values added to [Security] after encryption
has no effect.  Once the profile is encrypted there is no way to modify
[Security] without manually decrypting first, or just re-creating it
entirely which effectively treated a 'new' profile.

The encryption/decryption is done using AES-SIV with a salt value and
the network SSID as the IV.

Once a key is set any profiles opened will automatically be encrypted
and re-written to disk.  Modules using network_storage_open will be
provided the decrypted profile, and will be unaware it was ever
encrypted in the first place.  Similarly when network_storage_sync is
called the profile will by automatically encrypted and written to disk
without the caller needing to do anything special.

A few private storage.c helpers were added to serve several purposes:

storage_init/exit():
This sets/cleans up the encryption key direct from systemd then uses
extract and expand to create a new fixed length key to perform
encryption/decryption.

__storage_decrypt():
Low level API to decrypt an l_settings object using a previously set
key and the SSID/name for the network.  This returns a 'changed' out
parameter signifying that the settings need to be encrypted and
re-written to disk.  The purpose of exposing this is for a standalone
decryption tool which does not re-write any settings.

storage_decrypt():
Wrapper around __storage_decrypt() that handles re-writing a new
profile to disk. This was exposed in order to support hotspot profiles.

__storage_encrypt():
Encrypts an l_settings object and returns the full profile as data
2022-02-15 17:19:33 -06:00
James Prestwood
429eabf042 dpp: unregister interface on exit
This fixes a cleanup issue where DPP tries to cleanup both on
dpp_exit() and when netdev goes down.
2022-02-15 15:13:52 -06:00
James Prestwood
06ec2a2e32 dpp-util: fix dpp_point_from_asn1
This got merged without a few additional fixes, in particular an
over 80 character line and incorrect length check.

Fixes: d8116e8828 ("dpp-util: add dpp_point_from_asn1()")
2022-02-14 16:22:43 -06:00
Denis Kenzior
3a91efd3a8 manager: Refine filtered dumps
When we detect a new phy being added, we schedule a filtered dump of
the newly detected WIPHY and associated INTERFACEs.  This code path and
related processing of the dumps was mostly shared with the un-filtered
dump of all WIPHYs and INTERFACEs which is performed when iwd starts.
This normally worked fine as long as a single WIPHY was created at a
time.  However, if multiphy new phys were detected in a short amount of
time, the logic would get confused and try to process phys that have not
been probed yet.  This resulted in iwd trying to create devices or not
detecting devices properly.

Fix this by only processing the target WIPHY and related INTERFACEs
when the filtered dump is performed, and not any additional ones that
might still be pending.

While here, remove a misleading comment:
manager_wiphy_check_setup_done() would succeed only if iwd decided to
keep the default interfaces created by the kernel.
2022-02-14 16:02:23 -06:00
James Prestwood
32465396eb station: fix >80 character lines 2022-02-10 16:22:00 -06:00
James Prestwood
91caecedec station: only log station_autoconnect_start if autoconnecting
This debug print was before any checks which could bail out prior to
autoconnect starting. This was confusing because debug logs would
contain multiple "station_autoconnect_start()" prints making you think
autoconnect was started several times.
2022-02-10 16:21:21 -06:00
James Prestwood
2c355db7fa scan: remove periodic scans from queue on abort
The periodic scan code was refactored to make normal scans and
periodic scans consistent by keeping both in the same queue. But
that change left out the abort path where periodic scans were not
actually removed from the queue.

This fixes a rare crash when a periodic scan has been triggered and
the device goes down. This path never removes the request from the
queue but still frees it. Then when the scan context is removed the
stale request is freed again.

0 0x4bb65b in scan_request_cancel src/scan.c:202
1 0x64313c in l_queue_clear ell/queue.c:107
2 0x643348 in l_queue_destroy ell/queue.c:82
3 0x4bbfb7 in scan_context_free src/scan.c:209
4 0x4c9a78 in scan_wdev_remove src/scan.c:2115
5 0x42fecd in netdev_free src/netdev.c:965
6 0x445827 in netdev_destroy src/netdev.c:6507
7 0x52beb9 in manager_config_notify src/manager.c:765
8 0x67084b in process_multicast ell/genl.c:1029
9 0x67084b in received_data ell/genl.c:1096
10 0x65e790 in io_callback ell/io.c:120
11 0x65aaae in l_main_iterate ell/main.c:478
12 0x65b213 in l_main_run ell/main.c:525
13 0x65b213 in l_main_run ell/main.c:507
14 0x65b72c in l_main_run_with_signal ell/main.c:647
15 0x4124e7 in main src/main.c:532
2022-02-07 16:11:23 -06:00
James Prestwood
2e0a7d265c netdev: fix crash from not cancelling netdev_get_oci
If netdev_connect_failed is called before netdev_get_oci_cb() the
netdev's handshake will be destroyed and ultimately crash when the
callback is called.

This patch moves the cancelation into netdev_connect_free rather than
netdev_free.

++++++++ backtrace ++++++++
0  0x7f4e1787d320 in /lib64/libc.so.6
1  0x42634c in handshake_state_set_chandef() at src/handshake.c:1057
2  0x40a11b in netdev_get_oci_cb() at src/netdev.c:2387
3  0x483d7b in process_unicast() at ell/genl.c:986
4  0x480d3c in io_callback() at ell/io.c:120
5  0x48004d in l_main_iterate() at ell/main.c:472 (discriminator 2)
6  0x4800fc in l_main_run() at ell/main.c:521
7  0x48032c in l_main_run_with_signal() at ell/main.c:649
8  0x403e95 in main() at src/main.c:532
9  0x7f4e17867b75 in /lib64/libc.so.6
+++++++++++++++++++++++++++
2022-02-07 13:51:04 -06:00
James Prestwood
672098118d netdev: fix bug setting OWE IE length
The length was being set to whatever the last nl80211 attribute was,
not the length for the RESP_IE iteration.
2022-02-03 11:40:08 -06:00
Denis Kenzior
8a5b3f6880 handshake: Do not crash if handshake is destroyed
Commit 4d2176df29 ("handshake: Allow event handler to free handshake")
introduced a re-entrancy guard so that handshake_state objects that are
destroyed as a result of the event do not cause a crash.  It rightly
used a temporary object to store the passed in handshake.  Unfortunately
this caused variable shadowing which resulted in crashes fixed by commit
d22b174a73 ("handshake: use _hs directly in handshake_event").
However, since the temporary was no longer used, this fix itself caused
a crash:

 #0  0x00005555f0ba8b3d in eapol_handle_ptk_1_of_4 (sm=sm@entry=0x5555f2b4a920, ek=0x5555f2b62588, ek@entry=0x16, unencrypted=unencrypted@entry=false) at src/eapol.c:1236
1236				handshake_event(sm->handshake,
(gdb) bt
 #0  0x00005555f0ba8b3d in eapol_handle_ptk_1_of_4 (sm=sm@entry=0x5555f2b4a920, ek=0x5555f2b62588, ek@entry=0x16, unencrypted=unencrypted@entry=false) at src/eapol.c:1236
 #1  0x00005555f0bab118 in eapol_key_handle (unencrypted=<optimized out>, frame=<optimized out>, sm=0x5555f2b4a920) at src/eapol.c:2343
 #2  eapol_rx_packet (proto=<optimized out>, from=<optimized out>, frame=<optimized out>, unencrypted=<optimized out>, user_data=0x5555f2b4a920) at src/eapol.c:2665
 #3  0x00005555f0bac497 in __eapol_rx_packet (ifindex=62, src=src@entry=0x5555f2b62574 "x\212 J\207\267", proto=proto@entry=34958, frame=frame@entry=0x5555f2b62588 "\002\003",
   len=len@entry=121, noencrypt=noencrypt@entry=false) at src/eapol.c:3017
 #4  0x00005555f0b8c617 in netdev_control_port_frame_event (netdev=0x5555f2b64450, msg=0x5555f2b62588) at src/netdev.c:5574
 #5  netdev_unicast_notify (msg=msg@entry=0x5555f2b619a0, user_data=<optimized out>) at src/netdev.c:5613
 #6  0x00007f60084c9a51 in dispatch_unicast_watches (msg=0x5555f2b619a0, id=<optimized out>, genl=0x5555f2b3fc80) at ell/genl.c:954
 #7  process_unicast (nlmsg=0x7fff61abeac0, genl=0x5555f2b3fc80) at ell/genl.c:973
 #8  received_data (io=<optimized out>, user_data=0x5555f2b3fc80) at ell/genl.c:1098
 #9  0x00007f60084c61bd in io_callback (fd=<optimized out>, events=1, user_data=0x5555f2b3fd20) at ell/io.c:120
 #10 0x00007f60084c536d in l_main_iterate (timeout=<optimized out>) at ell/main.c:478
 #11 0x00007f60084c543e in l_main_run () at ell/main.c:525
 #12 l_main_run () at ell/main.c:507
 #13 0x00007f60084c5670 in l_main_run_with_signal (callback=callback@entry=0x5555f0b89150 <signal_handler>, user_data=user_data@entry=0x0) at ell/main.c:647
 #14 0x00005555f0b886a4 in main (argc=<optimized out>, argv=<optimized out>) at src/main.c:532

This happens when the driver does not support rekeying, which causes iwd to
attempt a disconnect and re-connect.  The disconnect action is
taken during the event callback and destroys the underlying eapol state
machine.  Since a temporary isn't used, attempting to dereference
sm->handshake results in a crash.

Fix this by introducing a UNIQUE_ID macro which should prevent shadowing
and using a temporary variable as originally intended.

Fixes: d22b174a73 ("handshake: use _hs directly in handshake_event")
Fixes: 4d2176df29 ("handshake: Allow event handler to free handshake")
Reported-By: Toke Høiland-Jørgensen <toke@toke.dk>
Tested-by: Toke Høiland-Jørgensen <toke@toke.dk>
2022-02-03 09:44:08 -06:00
Denis Kenzior
fe2272c112 dbus: netdev/wheel do not use .Agent interface
There is no need to punch the holes for netdev/wheel groups to send to
the .Agent interface.  This is only done by the iwd daemon itself and
the policy for user 'root' already takes care of this.
2022-01-31 14:06:20 -06:00
James Prestwood
6ff99f1766 scan: parse BSS_SIGNAL_UNSPEC, fix potential zero signal
A select few drivers send this instead of SIGNAL_MBM. The docs say this
value is the signal 'in unspecified units, scaled to 0..100'. The range
for SIGNAL_MBM is -10000..0 so this can be scaled to the MBM range easy
enough...

Now, this isn't exactly correct because this value ultimately gets
returned from GetOrderedNetworks() and is documented as 100 * dBm where
in reality its just a unit-less signal strength value. Its not ideal, but
this patch at least will fix BSS ranking for these few drivers.
2022-01-31 13:40:19 -06:00
Diederik de Haas
010b0e27f9 dbus: Remove 'at_console', add 'netdev' settings
The 'at_console' D-Bus policy setting has been deprecated for more then
10 years and could be ignored at any time in the future. Moreover, while
the intend was to allow locally logged on users to interact with iwd, it
didn't actually do that.
More info at https://www.spinics.net/lists/linux-bluetooth/msg75267.html
and https://gitlab.freedesktop.org/dbus/dbus/-/issues/52
Therefor remove the 'at_console' setting block.

On Debian (based) systems, there is a standard defined group which is
allowed to manage network interfaces, and that is the 'netdev' group.
So add a D-Bus setting block to grant the 'netdev' group that access.
2022-01-26 14:03:27 -06:00
James Prestwood
d4b93220c5 sae: fix missing reallocarray definition
Building on GCC 8 resulted in this compiler error.

src/sae.c:107:25: error: implicit declaration of function 'reallocarray';
	did you mean 'realloc'? [-Werror=implicit-function-declaration]
	sm->rejected_groups = reallocarray(NULL, 2, sizeof(uint16_t));
2022-01-26 13:21:52 -06:00
Denis Kenzior
b47ada02bf treewide: Fix compiler warnings
src/erp.c:134:10: error: comparison of integer expressions of different
signedness: 'unsigned int' and 'int' [-Werror=sign-compare]

src/eap-ttls.c:378:10: error: comparison of integer expressions of different signedness: 'uint32_t' {aka 'unsigned int'} and 'int' [-Werror=sign-compare]
2022-01-26 13:21:52 -06:00
James Prestwood
d22b174a73 handshake: use _hs directly in handshake_event
Fixes the following crash:
 #0  0x000211c4 in netdev_connect_event (msg=<optimized out>, netdev=0x2016940) at src/netdev.c:2915
 #1  0x76f11220 in process_multicast (nlmsg=0x7e8acafc, group=<optimized out>, genl=<optimized out>) at ell/genl.c:1029
 #2  received_data (io=<optimized out>, user_data=<optimized out>) at ell/genl.c:1096
 #3  0x76f0da08 in io_callback (fd=<optimized out>, events=1, user_data=0x200a560) at ell/io.c:120
 #4  0x76f0ca78 in l_main_iterate (timeout=<optimized out>) at ell/main.c:478
 #5  0x76f0cb74 in l_main_run () at ell/main.c:525
 #6  l_main_run () at ell/main.c:507
 #7  0x76f0cdd4 in l_main_run_with_signal (callback=callback@entry=0x18c94 <signal_handler>, user_data=user_data@entry=0x0)
   at ell/main.c:647
 #8  0x00018178 in main (argc=<optimized out>, argv=<optimized out>) at src/main.c:532

This crash was introduced in commit:
4d2176df29 ("handshake: Allow event handler to free handshake")

The culprit seems to be that 'hs' is being used both in the caller and
in the macro.  Since the macro defines a variable 'hs' in local block
scope, it overrides 'hs' from function scope.  Yet (_hs) still evaluates
to 'hs' leading the local variable to be initialized with itself.  Only
the 'handshake_event(hs, HANDSHAKE_EVENT_SETTING_KEYS))' is affected
since it is the only macro invocation that uses 'hs' from function
scope.  Thus, the crash would only happen on hardware supporting handshake
offload (brcmfmac).

Fix this by removing the local scope variable declaration and evaluate
(_hs) instead.

Fixes: 4d2176df29 ("handshake: Allow event handler to free handshake")
2022-01-26 13:20:00 -06:00
James Prestwood
b2d0bb08a0 network: fix double whitespace 2022-01-24 16:39:45 -06:00
Denis Kenzior
30b04bc3bb json: Tighten up json_iter_get_int/get_uint
- Ensure that input isn't an empty string

- Ensure that EINVAL errno (which could be optionally returned by
  strto{ul|l} is also checked.

- Since strtoul allows '+' and '-' characters in input, ensure that
  input which is expected to be an unsigned number doesn't start with
  '-'
2022-01-23 11:22:34 -06:00
James Prestwood
26b7446178 sae: pass exact length to l_ecc_point_from_data
l_ecc_point_from_data now strictly enforces the buffer length.
2022-01-21 13:44:59 -06:00
James Prestwood
d8116e8828 dpp-util: add dpp_point_from_asn1()
Given an ASN1 blob of the right form, parse and create
an l_ecc_point object. The form used is specific to DPP
hence why this isn't general purpose and put into dpp-util.
2022-01-21 10:52:26 -06:00
Andrew Zaborowski
dfaf6e045f p2p: Fix ie_tlv_extract_wfd_payload call typo 2022-01-21 08:53:35 -06:00
Andrew Zaborowski
4d2176df29 handshake: Allow event handler to free handshake
Like in ap.c, allow the event callback to mark the handshake state as
destroyed, without causing invalid accesses after the callback has
returned.  In this case the crash was because try_handshake_complete
needed to access members of handshake_state after emitting the event,
as well as access the netdev, which also has been destroyed:

==257707== Invalid read of size 8
==257707==    at 0x408C85: try_handshake_complete (netdev.c:1487)
==257707==    by 0x408C85: try_handshake_complete (netdev.c:1480)
(...)
==257707==  Address 0x4e187e8 is 856 bytes inside a block of size 872 free'd
==257707==    at 0x484621F: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==257707==    by 0x437887: ap_stop_handshake (ap.c:151)
==257707==    by 0x439793: ap_del_station (ap.c:316)
==257707==    by 0x43EA92: ap_station_disconnect (ap.c:3411)
==257707==    by 0x43EA92: ap_station_disconnect (ap.c:3399)
==257707==    by 0x454276: p2p_group_event (p2p.c:1006)
==257707==    by 0x439147: ap_event (ap.c:281)
==257707==    by 0x4393AB: ap_new_rsna (ap.c:390)
==257707==    by 0x4393AB: ap_handshake_event (ap.c:1010)
==257707==    by 0x408C7F: try_handshake_complete (netdev.c:1485)
==257707==    by 0x408C7F: try_handshake_complete (netdev.c:1480)
(...)
2022-01-21 08:51:49 -06:00
Andrew Zaborowski
079489bd66 ap: Don't defer ap_reset when ap_free called in event
Previously we added logic to defer doing anything in ap_free() to after
the AP event handler has returned so that ap_event() has a chance to
inform whoever called it that the ap_state has been freed.  But there's
also a chance that the event handler is destroying both the AP and the
netdev it runs on, so after the handler has returned we can't even use
netdev_get_wdev_id or netdev_get_ifindex.  The easiest solution seems to
be to call ap_reset() in ap_free() even if we're within an event handler
to ensure we no longer need any external objects.  Also make sure
ap_reset() can be called multiple times.

Another option would be to watch for NETDEV_WATCH_EVENT_DEL and remove
our reference to the netdev (because there's no need actually call
l_rtnl_ifaddr_delete or frame_watch_wdev_remove if the netdev was
destroyed -- frame_watch already tracks netdev removals), or to save
just the ifindex and the wdev id...
2022-01-21 08:51:04 -06:00
James Prestwood
76b6aa66b3 dpp: fix dpp_offchannel_start corner cases
The purpose of this was to have a single utility to both cancel an
existing offchannel operation (if one exists) and start a new one.

The problem was the previous offchannel operation was being canceled
first which opened up the radio work queue to other items. This is
not desireable as, for example, a scan would end up breaking the
DPP protocol most likely.

Starting the new offchannel then canceling is the correct order of
operations but to do this required saving the new ID, canceling, then
setting offchannel_id to the new ID so dpp_presence_timeout wouldn't
overwrite the new ID to zero.

This also removes an explicit call to offchannel_cancel which is
already done by dpp_offchannel_start.
2022-01-20 14:19:56 -06:00
James Prestwood
8ce491fbb2 dpp: use own/peer naming rather than i/r
Several members are named based on initiator/responder (i/r)
terminology. Eventually both initiator and responder will be
supported so rename these members to use own/peer naming
instead.
2022-01-20 14:11:44 -06:00
James Prestwood
52fafd8f5b dpp-util: use ell/asn1-private.h for ASN1 generation
ASN1 parsing will soon be required which will need some utilities in
asn1-private.h. To avoid duplication include this private header and
replace the OID's with the defined structures as well as remove the
duplicated macros.
2022-01-20 13:59:37 -06:00
James Prestwood
73cd3578d9 station: fix OWE scan logic with autoconnect
station_set_scan_results takes an autoconnect flag which was being
set true in both regular/quick autoconnect scans. Since OWE networks
are processed after setting the scan results IWD could end up
connecting to a network before all the OWE hidden networks are
populated.

To fix this regular/quick autoconnect results will set the flag to
false, then process OWE networks, then start autoconnect. If any
OWE network scans are pending station_autoconnect_start will fail
but will pick back up after the hidden OWE scan.
2022-01-20 13:54:14 -06:00
James Prestwood
ac78076663 eap-pwd: add length checks for fragmented packets 2022-01-20 13:49:32 -06:00
James Prestwood
f70c0cb2f9 dpp: free nl80211 object on exit 2022-01-19 17:17:26 -06:00
James Prestwood
2c6bb735ac station: send debug "roam-scan-triggered" event 2022-01-19 16:37:51 -06:00
Denis Kenzior
62978ef0fb scan: Allow scan_cancel for finished requests
scan_request_failed and scan_finished remove the finished scan_request
from the request queue right away, before calling the callback.  This
breaks those clients that rely on scan_cancel working on such requests
(i.e. to force the destroy callback to be invoked synchronously, see
a0911ca778 ("station: Make sure roam_scan_id is always canceled").

Fix this by removing the scan_request from the request queue after
invoking the callback.  Also provide a re-entrancy guard that will make
sure that the scan_request isn't removed in scan_cancel itself.
2022-01-19 16:37:21 -06:00
Denis Kenzior
bef550df81 scan: Simplify scan_finished
There are similar operations being performed but with different
callbacks and userdata, depending on whether 'sr' is NULL or not.
Optimize the function flow slightly to make if-else unnecessary.

While here, update the comment.  periodic scans are now scheduled only
based on the periodic timeout timer.
2022-01-19 16:37:21 -06:00
Denis Kenzior
1fd6aba43c scan: Remove redundant call
l_queue_remove is already called in scan_request_failed.
2022-01-19 16:37:21 -06:00
Denis Kenzior
c125d2b003 scan: Move triggered variable to scan_request 2022-01-19 16:37:21 -06:00
Denis Kenzior
6051a14952 scan: Don't callback on SCAN_ABORTED
If periodic scan is active and we receive a SCAN_ABORTED event, we would
still invoke the periodic scan callback with an error.  This is rather
pointless since the periodic scan callback cannot do anything useful
with this information.  Fix that.
2022-01-19 16:37:21 -06:00
Denis Kenzior
280620d7ac scan: Remove unreachable code
We should never reach a point where NEW_SCAN_RESULTS or SCAN_ABORTED are
received before a corresponding TRIGGER_SCAN is received.  Even if this
does happen, there's no harm from processing the commands anyway.
2022-01-19 16:37:21 -06:00
Denis Kenzior
c4c86ea1df scan: Move 'started' to scan_request
This makes it a little easier to book-keep the started variable.  Since
scan_request already has a 'passive' bit-field, there should be no
storage penalty.
2022-01-19 16:37:21 -06:00
Denis Kenzior
af375a1cde scan: Don't crash on scan_cancel
If scan_cancel is called on a scan_request that is 'finished' but with
the GET_SCAN command still in flight, it will trigger a crash as
follows:
Received Deauthentication event, reason: 2, from_ap: true
src/station.c:station_disconnect_event() 11
src/station.c:station_disassociated() 11
src/station.c:station_reset_connection_state() 11
src/station.c:station_roam_state_clear() 11
src/scan.c:scan_cancel() Trying to cancel scan id 6 for wdev 200000002
src/scan.c:scan_cancel() Scan is at the top of the queue, but not triggered
src/scan.c:get_scan_done() get_scan_done
Aborting (signal 11) [/home/denkenz/iwd-master/src/iwd]
++++++++ backtrace ++++++++
 #0  0x7f9871aef3f0 in /lib64/libc.so.6
 #1  0x41f470 in station_roam_scan_notify() at /home/denkenz/iwd-master/src/station.c:2285
 #2  0x43936a in scan_finished() at /home/denkenz/iwd-master/src/scan.c:1709
 #3  0x439495 in get_scan_done() at /home/denkenz/iwd-master/src/scan.c:1739
 #4  0x4bdef5 in destroy_request() at /home/denkenz/iwd-master/ell/genl.c:676
 #5  0x4c070b in l_genl_family_cancel() at /home/denkenz/iwd-master/ell/genl.c:1960
 #6  0x437069 in scan_cancel() at /home/denkenz/iwd-master/src/scan.c:842
 #7  0x41dc2e in station_roam_state_clear() at /home/denkenz/iwd-master/src/station.c:1594
 #8  0x41dd2b in station_reset_connection_state() at /home/denkenz/iwd-master/src/station.c:1619
 #9  0x41dea4 in station_disassociated() at /home/denkenz/iwd-master/src/station.c:1644

The happens because get_scan_done callback is still called as a result of
l_genl_cancel.  Add a re-entrancy guard in the form of 'canceled'
variable in struct scan_request.  If set, get_scan_done will skip invoking
scan_finished.

It isn't clear what 'l_queue_peek_head() == results->sr' check was trying
to accomplish.  If GET_SCAN dump was scheduled, then it should be
reported.  Drop it.
2022-01-19 16:37:21 -06:00
Denis Kenzior
e1593df4bd scan: Call scan_finished if results->sr is NULL
results->sr is set to NULL for 'opportunistic' scans which were
triggered externally.  See scan_notify() for details.  However,
get_scan_done would only invoke scan_finished (and thus the periodic
scan callback sc->sp.callback) only if the scan queue was empty.  It
should do so in all cases.
2022-01-19 16:37:21 -06:00
James Prestwood
188d09af42 dpp-util: fix dpp_point_to_asn1 compressed type
The point type was being hard coded to 0x3 (BIT1) which may have resulted
in the peer subtracting Y from P when reading in the point (depending on
if Y was odd or not).

Instead set the compressed type to whatever avoids the subtraction which
both saves IWD from needing to do it, as well as the peer.
2022-01-18 15:01:59 -06:00
Denis Kenzior
44a7bc640b scan: Remove work_started variable
With the introduction of wiphy_radio_work_is_running we no longer need
to track this separately.
2022-01-18 13:04:12 -06:00
Denis Kenzior
b20774a55f station: Add some additional debugs 2022-01-14 16:30:26 -06:00
Diederik de Haas
a5495978b7 dpp: fix 2 spelling errors 2022-01-14 12:46:56 -06:00
Diederik de Haas
8a09cd3472 doc: fix overriden -> overridden 2022-01-14 12:46:16 -06:00
Denis Kenzior
60e0a5073a anqputil: Avoid potential overflow
When checking that the length is valid, avoid potentially overflowing
    'anqp + l_get_le16(anqp + 2)'
2022-01-14 12:08:01 -06:00
Denis Kenzior
d2ca0c4f18 dpp-util: Avoid potential overflow
When checking that the length is valid, avoid potentially overflowing
'iter->pos + len'
2022-01-14 12:07:57 -06:00
Denis Kenzior
eddcc4c5b6 erp: Fix off by one error
The intent of this check is to make sure that at least 2 bytes are
available for reading.  However, the unintended consequence is that tags
with a zero length at the end of input would be rejected.

While here, rework the check to be more resistant to potential
overflow conditions.
2022-01-14 10:22:41 -06:00
Denis Kenzior
938e056896 erp: Avoid potential overflow
When checking that the length is valid, avoid potentially overflowing
'start + len'
2022-01-14 09:49:47 -06:00
Denis Kenzior
5e9178b9de wscutil: Avoid potential overflow
When checking that the length is valid, avoid potentially overflowing
'start + len'
2022-01-14 09:49:47 -06:00
Denis Kenzior
22faf3482c eap-ttls: Avoid potential overflow
When checking that the length is valid, avoid potentially overflowing
'start + len'
2022-01-14 09:49:47 -06:00
Denis Kenzior
01960ec66e erp: Fix comment that is > 80 chars wide 2022-01-14 09:49:47 -06:00
James Prestwood
bbfcdf0ac7 dpp: stop periodic scanning when starting DPP 2022-01-12 12:46:18 -06:00
James Prestwood
34348fcb42 scan: don't print notification if sc is not found
If this scan is not for any IWD wdev's don't print
2022-01-12 12:46:15 -06:00
James Prestwood
ceb6da81b3 dpp: support retransmitting frames with no ACK
The DPP spec says nothing about how to handle re-transmits but it
was found in testing this can happen relatively easily for a few
reasons.

If the configurator requests a channel switch but does not get onto
the new channel quick enough the enrollee may have already sent the
authenticate response and it was missed. Also by nature of how the
kernel goes offchannel there are moments in time between ROC when
the card is idle and not receiving any frames.

Only frames where there was no ACK will be retransmitted. If the
peer received the frame and dropped it resending the same frame wont
do any good.
2022-01-12 12:45:05 -06:00
James Prestwood
2435adc33b nl80211util: support ATTR_FRAME in parse_attrs() 2022-01-12 12:44:56 -06:00
James Prestwood
9aae6e2c16 dpp: pass dpp_sm to dpp_send_frame
The SM has the wdev_id already, so rather than using that or looking
up just pass the dpp_sm directly.
2022-01-12 09:38:06 -06:00
James Prestwood
fc61e5fe46 dpp: rework order of operations after being configured
Now the result is sent immediately. Prior a connect attempt or
scan could have started, potentially losing this frame. In addition
the offchannel operation is cancelled after sending the result
which will allow the subsequent connect or scan to happen much
faster since it doesn't have to wait for ROC to expire.
2022-01-12 09:33:57 -06:00
James Prestwood
94afeabc18 dpp: put no station device print behind else if
The previous (incorrect) else was removed since it ended up
printing in most cases since the if clause returned. This should
have been an else if conditional from the start and only print if the
station device was not found.
2022-01-12 09:32:37 -06:00
James Prestwood
0c8d3f106a dpp: don't send StartEnrollee reply until offchannel starts
IWD may be in the middle of some long operation, e.g. scanning.
If the URI is returned before IWD is ready, a configurator could
start sending frames and IWD either wont receive them, or will
be unable to respond quickly.
2022-01-12 09:32:13 -06:00
James Prestwood
295430a47e frame-xchg: use work priorities rather than hard coding 2022-01-11 12:38:10 -06:00
James Prestwood
ae12132495 offchannel: use work priorities rather than hard coding
The offchannel priority was also changed to zero, which matches the
priority of frames. Currently there should be no interaction between
offchannel and connect (previous offchannel priority).
2022-01-11 12:37:59 -06:00
James Prestwood
87e1045b11 netdev: use work priorities rather than hard coding 2022-01-11 12:37:44 -06:00
James Prestwood
217bb6dc65 scan: don't special case periodic scan work
Periodic scans were handled specially where they were only
started if no other requests were pending in the scan queue.
This is fine, and what we want, but this can actually be
handled automatically by nature of the wiphy work queue rather
than needing to check the request queue explicitly.

Instead we can insert periodic scans at a lower priority than
other scans. This puts them at the end of the work queue, as
well as allows future requests to jump ahead if a periodic scan
has not yet started.

Eventually, once all pending scans are done, the peridoic scan
may begin. This is no different than the preivous behavior and
avoids the need for any special checks once scan requests
complete.

One check was added to address the problem of the periodic scan
timer firing before the scan could even start. Currently this
happened to be handled fine in scan_periodic_queue, as it checks
the queue length. Since this check was removed we must see check
for this condition inside scan_periodic_timeout.
2022-01-11 12:37:13 -06:00
James Prestwood
c7a6730d28 scan: set scan priority via scan_common
This adds a priority argument to scan_common rather than hard
coding it when inserting the work item and uses the newly
defined wiphy priority for scanning.
2022-01-11 12:36:36 -06:00
James Prestwood
6e5d1a540c wiphy: define work priorities in one place
Work priority was never explicitly defined anywhere, and a module
using wiphy_radio_work APIs needed to ensure it was not inserting
at a priority that would interfere with other work.

Now all the types of work have been defined with their own priority
and future priorities can easily be added before, after, or in
between existing priorities.
2022-01-11 12:36:22 -06:00
Denis Kenzior
372a1c05e6 scan: Simplify debug statement
l_debug will already print the function name, so including it in the
printed string is redundant
2022-01-11 11:07:33 -06:00
Denis Kenzior
5cb7591bc0 treewide: Use __func__ when possible
Instead of hard-coding the function name in l_warn/l_error statements,
use '__func__'
2022-01-11 11:07:33 -06:00
Denis Kenzior
8b9442efe0 treewide: Prefer not using assignment in if 2022-01-11 11:07:33 -06:00
Denis Kenzior
6ae1917733 netdev: Make code more readable
Introduce a new 'hs' variable to make the code a bit more compact and
readable.  Avoid splitting pointer dereferences on multiple lines.
2022-01-11 11:07:33 -06:00
Denis Kenzior
073346ee37 treewide: Remove unneeded else statements
The code is more readable without the unnecessary nesting
2022-01-11 11:07:33 -06:00
Denis Kenzior
b44460464e treewide: Add () around certain macros 2022-01-11 11:07:33 -06:00
Denis Kenzior
cba19d3bf5 treewide: Remove pointless return statement 2022-01-11 11:07:33 -06:00
Denis Kenzior
fe95cbe077 treewide: Various style fixups
- Mostly problems with whitespace:
	- Use of spaces instead of tabs
	- Stray spaces before closing ')
	- Missing spaces

- Missing 'void' from function declarations & definitions that
  take no arguments.

- Wrong indentation level
2022-01-11 11:07:05 -06:00
James Prestwood
967c95829f scan: fix double space 2022-01-11 08:57:05 -06:00
Peter Seiderer
6ce41f6211 dpp: fix implicit declaration of function explicit_bzero warning
- add missing src/missing.h include for explicit_bzero, fixes uclibc
  compile/linking

Fixes:

  src/dpp.c:166:2: warning: implicit declaration of function ‘explicit_bzero’ [-Wimplicit-function-declaration]
    166 |  explicit_bzero(dpp->r_nonce, dpp->nonce_len);
        |  ^~~~~~~~~~~~~~
2022-01-10 15:43:52 -06:00
James Prestwood
82818d7454 dpp: allow config response handling without station
If the device is not in station mode DPP can still write out
the credentials and finish without attempting to connect or
scan.
2022-01-10 10:59:15 -06:00
James Prestwood
e6ecc078a1 dpp: handle CHANNEL attribute in auth request
When this attribute is included, the initiator is requesting all
future frames be sent on this channel. There is no reason for a
configurator to act on this attribute (at least for now) so the
request frame will be dropped in this case. Enrollees will act
on it by switching to the new channel and sending the authentication
response.
2022-01-10 10:59:05 -06:00
James Prestwood
235042fcd5 dpp: refactor calls to offchannel_start into common function
This will aid in channel switching during authentication by allowing
an arbitrary channel to be passed in rather than dpp->current_freq.
2022-01-10 10:58:56 -06:00
James Prestwood
39020bf14d dpp: move r_auth into dpp_sm
In order to support channel switching during authentication r_auth
needs to be held onto in dpp_sm for after the ROC call starts.
2022-01-10 10:58:47 -06:00
James Prestwood
786e36eee6 dpp: don't allow StartEnrollee while connected
While connected the driver ends up choosing quite small ROC
durations leading to excessive calls to ROC. This also will
negatively effect any wireless performance for the current
network and possibly lead to missed DPP frames.
2022-01-10 10:58:17 -06:00
James Prestwood
0f7ea99605 dpp: don't allocate transient ssid strings
These can be kept on the stack and avoid the need for
allocated memory and unneeded auto-free functionality.
2022-01-10 10:52:41 -06:00
James Prestwood
847a8ba265 dpp: memset header to fix uninitialized buffer 2022-01-07 11:49:55 -06:00
James Prestwood
226fd5c0b8 dpp: unref DPP frame if sending fails 2022-01-07 11:49:44 -06:00
James Prestwood
6a421a1254 dpp: speed up connection after being configured
Currently the enrollee relied on autoconnect to handle connecting
to the newly configured network. This usually resulted in poor
performance since periodic scans are done at large intervals apart.

Instead first check if the newly configured network is already
in IWD's network queue. If so it can be connected to immediately.
If not, a full scan must be done and results given to station.
2022-01-06 17:37:14 -06:00
James Prestwood
1ec0fd75e1 dpp: parse configuration request values
With better JSON support the configuration request object
can now be fully parsed. As stated in the previous comment
there really isn't much use from the configurator side apart
from verifying mandatory values are included.

This patch also modifies the configuration result to handle
sending non 'OK' status codes in case of JSON parsing errors.
2022-01-06 17:36:19 -06:00
James Prestwood
67ded4c2fd json: restrict json_iter_{parse,next} to objects/arrays
json_iter_parse is only meant to work on objects while
json_iter_next is only meant to work on arrays.

This adds checks in both APIs to ensure they aren't being
used incorrectly.
2022-01-06 16:43:18 -06:00
James Prestwood
1f91c03bf6 json: add NULL check for container on get_container
In case the caller just wants to check an object is iterable,
without actually iterating it.
2022-01-06 16:43:18 -06:00
James Prestwood
790d431624 json: add json_iter_get_string 2022-01-06 16:43:18 -06:00
James Prestwood
0d7482e379 json: add json_iter_get_container
This allows getting an iterator for a container nested inside
an array.
2022-01-06 16:01:39 -06:00
James Prestwood
7991c861e1 json: add support for array iteration
Arrays can now be parsed using the JSON_ARRAY type (stored in
a struct json_iter) then iterated using json_iter_next. When
iterating the type can be checked with json_iter_get_type. For
each iteration the value can be obtained using any of the type
getters (int/uint/boolean/null).
2022-01-06 15:15:06 -06:00
James Prestwood
ebed84ab55 json: increase default token size to 60 2022-01-06 14:26:09 -06:00
James Prestwood
4f1cd8af93 json: add support for primitive types
This adds support for boolean, (unsigned) integers, and
null types. JSON_PRIMITIVE should be used as the type when
parsing and the value should be struct json_iter.

Once parsed the actual value can be obtained using one of
the primitive getters. If the type does not match they will
return false.

If using JSON_OPTIONAL with JSON_PRIMITIVE the resulting
iterator can be checked with json_iter_is_valid. If false
the key/value was not found or the type was not matching.
2022-01-06 14:10:26 -06:00
James Prestwood
23a1a66aee json: fix find_object_tokens
First, this was renamed to 'count_tokens_in_container' to be
more general purpose (i.e. include future array counting).

The way the tokens are counted also changed to be more intuitive.
While the previous way was correct, it was somewhat convoluted in
how it worked (finding the next parent of the objects parent).

Instead we can use the container token itself as the parent and
begin counting tokens. When we find a token with a parent index
less than the target we have reached the end of this container.
This also works for nested containers, including arrays since we
no longer rely on a key (which an array element would not have).

For example::

{
	"first":{"foo":"bar"},
	"second":{"foo2":"bar2"}
}

index 0		<overall object>
index 1		"first"		with parent 0
index 2         {"foo":"bar"}   with parent 1

Counting tokens inside "first"'s object we have:

index 3		"foo"		with parent 2
index 4		"bar"		with parent 3

If we continue counting we reach:

index 5		"second"	with parent 0

This terminates the counting loop since the parent index is
less than '2' (the index of {"foo":"bar"} object).
2022-01-06 14:10:21 -06:00
Denis Kenzior
f05e60f338 dpp: Fix compilation on 32 bit
In file included from ./ell/ell.h:15,
                 from ../../src/dpp.c:29:
../../src/dpp.c: In function ‘authenticate_request’:
../../ell/log.h:79:22: warning: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 8 has type ‘size_t’ {aka ‘unsigned int’} [-Wformat=]
   79 |   l_log(L_LOG_DEBUG, "%s:%s() " format, __FILE__, \
      |                      ^~~~~~~~~~
../../ell/log.h:54:16: note: in definition of macro ‘l_log’
   54 |      __func__, format "\n", ##__VA_ARGS__)
      |                ^~~~~~
../../ell/log.h:103:31: note: in expansion of macro ‘L_DEBUG_SYMBOL’
  103 | #define l_debug(format, ...)  L_DEBUG_SYMBOL(__debug_desc, format, ##__VA_ARGS__)
      |                               ^~~~~~~~~~~~~~
../../src/dpp.c:1235:3: note: in expansion of macro ‘l_debug’
 1235 |   l_debug("I-Nonce has unexpected length %lu", i_nonce_len);
      |   ^~~~~~~
2022-01-05 13:50:59 -06:00
Denis Kenzior
7c30fc2cbf netdev: do not leak auth_cmd
Direct leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x7fa226fbf0f8 in __interceptor_malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/9.4.0/libasan.so.5+0x10c0f8)
    #1 0x688c98 in l_malloc ell/util.c:62
    #2 0x6c2b19 in msg_alloc ell/genl.c:740
    #3 0x6cb32c in l_genl_msg_new_sized ell/genl.c:1567
    #4 0x424f57 in netdev_build_cmd_authenticate src/netdev.c:3285
    #5 0x425b50 in netdev_sae_tx_authenticate src/netdev.c:3385
2021-12-23 09:58:05 -06:00
Denis Kenzior
60366346fb handshake: Do not leak vendor_ies
Direct leak of 7 byte(s) in 1 object(s) allocated from:
    #0 0x7fd748ad00f8 in __interceptor_malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/9.4.0/libasan.so.5+0x10c0f8)
    #1 0x688c21 in l_malloc ell/util.c:62
    #2 0x4beec7 in handshake_state_set_vendor_ies src/handshake.c:324
    #3 0x464e4e in station_handshake_setup src/station.c:1203
    #4 0x472a2f in __station_connect_network src/station.c:2975
    #5 0x473a30 in station_connect_network src/station.c:3078
    #6 0x4ed728 in network_connect_8021x src/network.c:1497

Fixes: f24cfa481b ("handshake: Add setter for vendor IEs")
2021-12-22 21:32:18 -06:00
James Prestwood
eeab42af03 dpp: init unwrapped pointer to NULL
Fixes possible issues with auto-free on error paths
2021-12-22 17:06:16 -06:00
James Prestwood
ce9188ee35 dpp: zero nonces/keys on dpp_reset 2021-12-22 17:06:16 -06:00
James Prestwood
1a9734d704 dpp: implement configurator role
This implements a configurator in the responder role. Currently
configuring an enrollee is limited to only the connected network.
This is to avoid the need to go offchannel for any reason. But
because of this a roam, channel switch, or disconnect will cause
the configuration to fail as none of the frames are being sent
offchannel.
2021-12-20 18:13:44 -06:00
James Prestwood
ec0f4e8826 dpp: add role definitions
Added both enrollee and configurator roles, as well as the needed
logic inside the authentication protocol to verify role compatibility.
The dpp_sm's role will now be used when setting capability bits making
the auth protocol agnostic to enrollees or configurators.
2021-12-20 18:13:44 -06:00
James Prestwood
8f711078b8 dpp: add timeout for auth/config protocols
This also allows the card to re-issue ROC if it ends in the middle of
authenticating or configuring as well as add a maximum timeout for
auth/config protocols.

IO errors were also handled as these sometimes can happen with
certain drivers but are not fatal.
2021-12-20 18:13:44 -06:00
James Prestwood
00fddaa868 dpp-util: add dpp_configuration_new/dpp_configuration_to_json
Allows creating a new configuration object based on settings, ssid,
and akm suite (for configurator role) as well as converting a
configuration object to JSON.
2021-12-20 17:04:26 -06:00
James Prestwood
d3fca54a7e dpp-util: pass actual ad_size, not hard coded '2'. 2021-12-20 17:04:21 -06:00
James Prestwood
c42080fe28 dpp: use frame data directly in unwrap for config response
Rather than hard coding ad0, use the actual frame data. There really
isn't a reason this would differ (only status attribute) but just
in case its better to use the frame data directly.
2021-12-20 17:03:55 -06:00
James Prestwood
d2240c4a62 dpp: handle protocol errors in ROC timeout
This is a standing TODO of properly handling these timeouts but
for now just treat any ROC timeout as an error if authenticating
or configuring.
2021-12-17 15:34:19 -06:00
James Prestwood
926c8bb9bd dpp: add support for configuration protocol
This is a minimal implementation only supporting legacy network
configuration, i.e. only SSID and PSK/passphrase are supported.

Missing features include:
 - Fragmentation/comeback delay support
 - DPP AKM support
 - 8021x/PKEX support
2021-12-17 15:33:46 -06:00
James Prestwood
59a5cf3de4 dpp: add DPP authentication protocol
This implements the DPP protocol used to authenticate to a
DPP configurator.

Note this is not a full implementation of the protocol and
there are a few missing features which will be added as
needed:

 - Mutual authentication (needed for BLE bootstrapping)
 - Configurator support
 - Initiator role
2021-12-17 14:19:20 -06:00
James Prestwood
84c095e787 dpp-util: add DPP attribute building APIs 2021-12-17 13:37:04 -06:00
James Prestwood
992deb36d4 dpp-util: add dpp_parse_configuration_object
This parses the configuration JSON object from the configuration
response. Only a minimal configuration object is supported for
now.
2021-12-16 14:29:18 -06:00
James Prestwood
683d3a3f04 dpp: send presence announcements on StartEnrollee
The presence procedure implemented is a far cry from what the spec
actually wants. There are two reason for this: a) the kernels offchannel
support is not at a level where it will work without rather annoying
work arounds, and b) doing the procedure outlined in the spec will
result in terrible discovery performance.

Because of this a simpler single channel announcement is done by default
and the full presence procedure is left out until/if it is needed.
2021-12-16 13:55:40 -06:00
James Prestwood
76d9a2e702 dpp: generate URI on StartEnrollee
Generates the required keys, hashes, and sets the Uri property
2021-12-16 13:53:56 -06:00
James Prestwood
acfbc34909 dpp: initial skeleton DPP module 2021-12-16 13:53:29 -06:00
James Prestwood
f06d0bd028 dbus: add DPP interface 2021-12-16 13:53:17 -06:00
James Prestwood
5ab6566a3b dpp-util: add dpp_point_to_asn1
Converts an l_ecc_point to the DPP ASN.1 structure.
2021-12-16 12:22:26 -06:00
James Prestwood
484dea8d7a offchannel: always use -ECANCELED for cancelation
info->error gets reset to zero on a successful ROC callback
which was getting used for cancelation.
2021-12-16 12:17:28 -06:00
James Prestwood
4a8a43965f offchannel: always call destroy right away on cancel
The main cancel code path was not calling destroy immediately which
was not consistent with other code paths/APIs.
2021-12-16 12:17:08 -06:00
James Prestwood
1a27cd1548 crypto: allow NULL 'ad' to aes_siv_decrypt 2021-12-16 12:16:31 -06:00
James Prestwood
53e68b64b2 crypto: allow NULL 'ad' to aes_siv_encrypt 2021-12-16 12:16:02 -06:00
James Prestwood
124b04fff6 dpp-util: add dpp status and attribute types 2021-12-14 15:36:12 -06:00
James Prestwood
1c1b63aae7 json: fix pointer arithmetic error
Subtracting the pointers is sufficient for counting the tokens,
they do not need to be modulus the size of jsmntok_t
2021-12-10 17:59:49 -06:00
James Prestwood
abfd749335 json: introduce JSON module
This is a minimal wrapper around jsmn.h to make things a bit easier
for iterating through a JSON object.

To use, first parse the JSON and create a contents object using
json_contents_new(). This object can then be used to initialize a
json_iter object using json_iter_init().

The json_iter object can then be parsed with json_iter_parse by
passing in JSON_MANDATORY/JSON_OPTIONAL arguments. Currently only
JSON_STRING and JSON_OBJECT types are supported. Any JSON_MANDATORY
values that are not found will result in an error.

If a JSON_OPTIONAL string is not found, the pointer will be NULL.
If a JSON_OPTIONAL object is not found, this iterator will be
initialized but 'start' will be -1. This can be checked with a
convenience macro json_object_not_found();
2021-12-10 17:33:47 -06:00
James Prestwood
d65aaf8740 dpp-util: check return of l_ecc_scalar_get_data
Static analysis was not happy since this return can be negative and
it was being fed into an unsigned argument. In reality this cannot
happen since the key buffer is always set to the maximum size supported
by any curves.
2021-12-10 15:41:53 -06:00
James Prestwood
669a92607c dpp-util: add DPP attribute iteration APIs 2021-12-06 16:32:09 -06:00
James Prestwood
c511e4be2a dpp-util: add URI generation API 2021-12-06 16:32:03 -06:00
James Prestwood
cdf05183b9 dpp-util: Introduce dpp-util, and add crypto operations 2021-12-06 15:54:37 -06:00
James Prestwood
bc36aca98e offchannel: introduce new offchannel module
This module provides a convenient wrapper around both
CMD_[CANCEL_]_REMAIN_ON_CHANNEL APIs.

Certain protocols require going offchannel to send frames, and/or
wait for a response. The frame-xchg module somewhat does this but
has some limitations. For example you cannot just go offchannel;
an initial frame must be sent out to start the procedure. In addition
frame-xchg does not work for broadcasts since it expects an ACK.

This module is much simpler and only handles going offchannel for
a duration. During this time frames may be sent or received. After
the duration the caller will get a callback and any included error
if there was one. Any offchannel request can be cancelled prior to
the duration expriring if the offchannel work has finished early.
2021-12-06 14:10:39 -06:00
James Prestwood
e6b4354530 wiphy: update wiphy_radio_work_is_running to return int
This differentiates between pending, running, and non-existent:
false, true, -ENOENT respectively
2021-12-06 14:10:03 -06:00
James Prestwood
94cdbb4669 scan: add scan_freq_set_to_fixed_array
This serializes a scan_freq_set into a uint32_t array.
2021-11-30 12:29:46 -06:00
James Prestwood
9c732cb32d scan: move scan_freq_set* into util
This will allow scan_freq_set utilities to be used in any
modules requiring unit testing
2021-11-30 12:29:06 -06:00
James Prestwood
24494e978c scan: remove scan APIs refactored into band.c 2021-11-29 17:08:32 -06:00
James Prestwood
56ea2c4d15 treewide: update scan utility usage to use band_* 2021-11-29 17:07:44 -06:00
James Prestwood
f3c9b66f08 band: move several scan utilities into band
This will allow unit testing modules which depend on these
APIs:

scan_channel_to_freq
scan_freq_to_channel
scan_oper_class_to_band
2021-11-29 17:07:10 -06:00
James Prestwood
945710fae1 scan: parse configurator connectivity element
This element has no data and indicates the AP supports configuring
stations via DPP while also serving current stations.
2021-11-29 17:03:31 -06:00
James Prestwood
5ab1a1298f ie: add DPP configurator connectivity element 2021-11-29 17:03:21 -06:00
James Prestwood
7103bda058 netdev: always honor disconnect events if issued by AP
The disconnect event handler was mistakenly bailing out if FT or
reassociation was going on. This was done because a disconnect
event is sent by the kernel when CMD_AUTH/CMD_ASSOC is used.

The problem is an AP could also disconnect IWD which should never
be ignored.

To fix this always parse the disconnect event and, if issued by
the AP, always notify watchers of the disconnect.
2021-11-23 12:18:08 -06:00
James Prestwood
aed383b037 wiphy: make wiphy work queue reentrancy safe
Now both the do_work and destroy callback can safely insert new
work items without causing problems.
2021-11-22 15:29:51 -06:00
James Prestwood
876fe9f210 crypto: use void* for hkdf_expand
This makes it more flexible for other storage types
2021-11-22 15:29:31 -06:00
James Prestwood
b735c90c42 crypto: use void* args for aes_siv_{encrypt,decrypt}
This makes these APIs more flexible for other storage types
2021-11-22 15:29:27 -06:00
Fangrui Song
fa1c12453b build: treewide: Set retain attribute
LLD 13 and GNU ld 2.37 support -z start-stop-gc which allows garbage
collection of C identifier name sections despite the __start_/__stop_
references. GNU ld before 2015-10 had the behavior as well. Simply set
the retain attribute so that GCC 11 (if configure-time binutils is 2.36
or newer)/Clang 13 will set the SHF_GNU_RETAIN section attribute to
prevent garbage collection.

Without the patch, there are linker errors with -z start-stop-gc
(LLD default) when -Wl,--gc-sections is used:

```
ld.lld: error: undefined symbol: __start___eap
>>> referenced by eap.c
>>>               src/eap.o:(eap_init)
```

The remain attribute will not be needed if the metadata sections are
referenced by code directly.
2021-11-11 14:27:33 -06:00
Andrew Zaborowski
6ac062d151 netconfig: Move FILS override checks to common functions 2021-11-10 11:54:51 -06:00
Andrew Zaborowski
5e7949c144 netconfig: Split ipv4 route setters
Split this function into two, one for setting the gateway route and one
for setting the subnet route.
2021-11-10 11:25:27 -06:00
Andrew Zaborowski
c473290b47 ap: Delay ap_free if called inside event handler
ap.c has been mostly careful to call the event handler at the end of any
externally called function to allow methods like ap_free() to be called
within the handler, but that isn't enough.  For example in
ap_del_station we may end up emitting two events: STATION_REMOVED and
DHCP_LEASE_EXPIRED.  Use a slightly more complicated mechanism to
explicitly guard ap_free calls inside the event handler.

To make it easier, simplify cleanup in ap_assoc_reassoc with the use of
_auto_.

In ap_del_station reorder the actions to send the STATION_REMOVED event
first as the DHCP_LEASE_EXPIRED is a consequence of the former and it
makes sense for the handler to react to it first.
2021-11-09 14:29:52 -06:00
Denis Kenzior
cfd191a803 eap: Silence uninitialized var warning
src/eap.c: In function 'eap_rx_packet':
src/eap.c:419:50: error: 'vendor_type' may be used uninitialized in this function [-Werror=maybe-uninitialized]
  419 |  (type == EAP_TYPE_EXPANDED && vendor_id == (id) && vendor_type == (t))
      |                                                  ^~
src/eap.c:430:11: note: 'vendor_type' was declared here
  430 |  uint32_t vendor_type;

It isn't clear why GCC complains about vendor_type, but not vendor_id.
But in all cases if type == EAP_TYPE_EXPANDED, then vendor_type and
vendor_id are set.  Silence this spurious warning.
2021-11-08 15:12:25 -06:00
Torsten Schmitz
5a111ac902 station: Prevent a NULL pointer access
There is an unchecked NULL pointer access in network_has_open_pair.
open_info can be NULL, when out of multiple APs in range that advertise
the same SSID some advertise OWE transition elments and some don't.
2021-11-08 13:51:34 -06:00
James Prestwood
ea23556a40 scan: use signal strength if bss ranks are equal
If two BSS's end up with the same rank sort them based on signal
strength so IWD still prefers the higher strength BSS.
2021-11-08 13:49:50 -06:00
James Prestwood
f85fc4202a anqp: return the request ID rather than true 2021-11-08 11:31:49 -06:00
Marc-Antoine Perennou
b3991c1a40 eap: Remove nested function use
This allows building iwd with clang
2021-11-08 11:12:37 -06:00
James Prestwood
ba5f4616d2 station: set sysfs options required by HS2.0 spec
The Hotspot 2.0 spec has some requirements that IWD was missing depending
on a few bits in extended capabilities and the HS2.0 indication element.
These requirements correspond to a few sysfs options that can be set in
the kernel which are now set on CONNECTED and unset on DISCONNECTED.
2021-11-04 14:30:00 -05:00
James Prestwood
d4e3ec52b2 scan: keep track of HS20 DGAF Disable bit in scan_bss 2021-11-04 14:29:46 -05:00
James Prestwood
6852cf0a3e ie: parse DGAF Disable bit from HS20 indication element 2021-11-04 14:29:25 -05:00
James Prestwood
fd85192a54 scan: parse Proxy ARP bit from extended capabilities 2021-11-04 14:27:55 -05:00
James Prestwood
b4c20ef81c netconfig: netconfig_reconfigure check bool for setting ARP
Only set the gateway to the ARP cache if the caller requests.
2021-11-03 17:47:03 -05:00
James Prestwood
873924a027 station: set evict_nocarrier sysfs option during roaming
If the kernel supports evict_nocarrier set this during the roam
to prevent packet delays post roam.
2021-11-03 17:44:25 -05:00
James Prestwood
25936b1365 netconfig: remove sysfs static functions 2021-11-03 17:44:11 -05:00
James Prestwood
6ea58f9fde sysfs: introduce sysfs module
Netconfig was the only user of sysfs but now other modules will
also need it.

Adding existing API for IPv6 settings, a IPv4 and IPv6 'supports'
checker, and a setter for IPv4 settings.
2021-11-03 17:44:00 -05:00
James Prestwood
3a47181a50 netdev: add SA Query delay with OCV enabled
The way a SA Query was done following a channel switch was slightly
incorrect. One because it is only needed when OCVC is set, and two
because IWD was not waiting a random delay between 0 and 5000us as
lined out by the spec. This patch fixes both these issues.
2021-10-26 17:16:38 -05:00
Andrew Zaborowski
0971eb4d0c netconfig: Convert netconfig_load_settings to use _auto_
As requested do the cleanup in netconfig_load_settings using ell's
private _auto_() macro.
2021-10-22 12:12:17 -05:00
Andrew Zaborowski
f0a85ddeb4 netconfig: Track local domains lists
Cache the latest v4 and v6 domain string lists in struct netconfig state
to be able to more easily detect changes in those values in future
commits.  For that split netconfig_set_domains's code into this function,
which now only commits the values in netconfig->v{4,6}_domain{,s} to the
resolver, and netconfig_domains_update() which figures out the active
domains string list and saves it into netconfig->v{4,6}_domain{,s}.  This
probably saves some cycles as the callers can now decide to only
recalculate the domains list which may have changed.

While there simplify netconfig_set_domains return type to void as the
result was always 0 anyway and was never checked by callers.
2021-10-22 12:12:17 -05:00
Andrew Zaborowski
2b1b8cce54 netconfig: Track DNS address string lists
Cache the latest v4 and v6 DNS IP string lists in struct netconfig state
to be able to more easily detect changes in those values in future
commits.  For that split netconfig_set_dns's code into this function,
which now only commit the values in netconfig->dns{4,6}_list to the
resolver, and netconfig_dns_list_update() which figures out the active
DNS IP address list and saves it in netconfig->dns{4,6} list.  This
probably saves some cycles as the callers can now decide to only
recalculate the dns_list which may have changed.

While there simplify netconfig_set_dns return type to void as the result
was always 0 anyway and was never checked by callers.
2021-10-22 12:12:17 -05:00
Andrew Zaborowski
7e38962d59 netconfig: Track gateway address strings
Cache the latest v4 and v6 gateway IP string in struct netconfig state
to be able to more easily detect changes in those values in future
commits and perhaps to simplify the ..._routes_install functions.
netconfig_ipv4_get_gateway's out_mac parameter can now be NULL.  While
editing that function fix a small formatting annoyance.
2021-10-22 12:12:17 -05:00
Andrew Zaborowski
ec634ad2a7 netconfig: trivial: Fix double-empty space 2021-10-22 12:12:17 -05:00
Andrew Zaborowski
cfde6c3f55 netconfig: Refactor netconfig_ipv4_get_gateway
Use a separate fils variable to make the code a bit prettier.

Also make sure that the out_mac parameter is not NULL prior to storing
the gateway_mac in it.
2021-10-22 12:12:17 -05:00
Andrew Zaborowski
927a3dc322 netconfig: Cache the IPv6 l_rtnl_address object
For symmetry with netconfig->v4_address add a netconfig->v6_address
so that we can track what the current address is at any time.
2021-10-22 12:12:17 -05:00
Denis Kenzior
d702e037c0 main: Simplify away l_dbus_message_builder use
Since the dictionary attributes are static, l_dbus_message_set_arguments
can be used instead.
2021-10-22 12:12:17 -05:00
Andrew Zaborowski
23799d0cb4 treewide: Parse EnableNetworkConfiguration in one place
Add netconfig_enabled() and use that in all places that want to know
whether network configuration is enabled.  Drop the enable_network_config
deprecated setting, which was only being handled in one of these 5 or so
places.
2021-10-22 12:12:02 -05:00
James Prestwood
e4b78d83d6 network: fix autoconnect for Open networks
This code path was never tested and used to ensure a OWE transition
candidate gets selected over an open one (e.g. if all the BSS's are
blacklisted). But this logic was incorrect and the path was being
taken for BSS's that did not contain the owe_trans element, basically
all BSS's. For RSN's this was somewhat fine since the final check
would set a candidate, but for open BSS's the loop would start over
and potentially complete the loop without ever returning a candidate.
If fallback was false, NULL would be returned.

To fix this only take the OWE transition path if its an OWE transition
BSS, i.e. inverse the logic.
2021-10-20 16:52:16 -05:00
Denis Kenzior
3dc724d734 rrm: Consider requests w/ Beacon Reporting
Normally Beacon Reporting subelements are present only if repeated
measurements are requested.  However, an all-zero Beacon Reporting
subelement is included by some implementations.  Handle this case
similarly to the absent case.
2021-10-20 11:49:13 -05:00
Denis Kenzior
ae0ee89d72 rrm: relax Reporting Detail subelement length check
Since Reporting Detail subelement is listed as 'extensible', make sure
that the length check is not overly restrictive.  We only interpret the
first field.
2021-10-20 11:48:26 -05:00
James Prestwood
42ab82c20c station: disable OCV if offloading is supported
It was seen during testing that several offload-capable cards
were not including the OCI in the 4-way handshake. This made
any OCV capable AP unconnectable.

To be safe disable OCV on any cards that support offloading.
2021-10-19 17:04:42 -05:00
James Prestwood
747cb00c31 wiphy: add wiphy_can_offload
This is a convenience method for detecting any supported offload
extended features (4way/1x/SAE).
2021-10-19 17:04:39 -05:00
James Prestwood
2b88840316 station: don't enable OCV unless MFPC is supported 2021-10-19 15:41:16 -05:00
Denis Kenzior
659a63ae20 netdev: Print if SA Query is in progress 2021-10-19 15:40:26 -05:00
James Prestwood
4b88607b19 netdev: start SA Query on channel switch event
802.11 requires an STA initiate the SA Query procedure on channel
switch events. This patch refactors sending the SA Query into its
own routine and starts the procedure when the channel switch event
comes in.

In addition the OCI needs to be verified, so the channel info is
parsed and set into the handshakes chandef.
2021-10-19 13:28:18 -05:00
James Prestwood
8f036c229e nl80211cmd: make CH_SWITCH_STARTED_NOTIFY name unique
There are several events for channel switching, and nl80211cmd was
naming two of them "Channel Switch Notify". Change
CH_SWITCH_STARTED_NOTIFY to "Channel Switch Started Notify" to
distinguish the two events.
2021-10-19 13:28:07 -05:00
James Prestwood
bf5afa52e5 netdev: add OCI elements to SA Query request/response frames
SA query is the final protocol that requires OCI inclusion and
verification. The OCI element is now included and verified in
both request and response frames as required by 802.11.
2021-10-19 13:26:57 -05:00
James Prestwood
7fed9f758f ie: add ie_parse_oci
This is a very minimal parser, more or less to put the type
and length checks into a single location.
2021-10-19 13:26:49 -05:00
Denis Kenzior
224721e7f0 netconfig: Make sure gw is not NULL
strcmp behavior is undefined if one of the parameters is NULL.
Server-id is a mandatory value and cannot be NULL.  Gateway can be NULL
in DHCP, so check that explicitly.

Reported-by: Andrew Zaborowski <andrew.zaborowski@intel.com>
2021-10-18 10:43:41 -05:00
Denis Kenzior
2135a4f845 netconfig: Try to put gateway mac into ARP cache
In certain situations, it is possible for us to know the MAC of the
default gateway when DHCP finishes.  This is quite typical on many home
network and small network setups.  It is thus possible to pre-populate
the ARP cache with the gateway MAC address to save an extra round trip
at connection time.

Another advantage is during roaming.  After version 4.20, linux kernel
flushes ARP caches by default whenever netdev encounters a no carrier
condition (as is the case during roaming).  This can prevent packets
from going out after a roam for a significant amount of time due to
lost/delayed ARP responses.
2021-10-15 16:43:42 -05:00
Denis Kenzior
b6fd028fe7 ap: Use _u32 dhcp_lease getters 2021-10-13 17:56:51 -05:00
Denis Kenzior
f1b2bca6bd netconfig: Use l_dhcp_lease_get_prefix_length 2021-10-13 17:56:49 -05:00
Denis Kenzior
6b71a71e19 ap: Use l_dhcp_lease_get_prefix_length 2021-10-13 17:56:46 -05:00
James Prestwood
219e18323f station: limit extended key IDs to CCMP ciphers 2021-10-13 10:34:55 -05:00
James Prestwood
a205afe2de netdev: set TK index to zero for FT
Since FT re-uses the handshake the active TK index may be set to a
non-zero value.
2021-10-08 14:13:56 -05:00
Denis Kenzior
3d736d4c20 station: Only set our OCVC if the AP supports it 2021-10-08 13:33:11 -05:00
James Prestwood
1ec6c46a1d station: set extended key capability
If wiphy and the AP suppor it, set the Extended Key ID capability
bit in the RSN info.
2021-10-08 13:27:52 -05:00
James Prestwood
5ff7d113b9 netdev: support extended key IDs
This implements the new handshake callback for setting a TK with
an extended key ID. The procedure is different from legacy zero
index TKs.

First the new TK is set as RX only. Then message 4 should be sent
out (so it uses the existing TK). This poses a slight issue with
PAE sockets since message order is not guaranteed. In this case
the 4th message is stored and sent after the new TK is installed.
Then the new TK is modified using SET_KEY to both send and
receive.

In the case of control port over NL80211 the above can be avoided
and we can simply install the new key, send message 4, and modify
the TK as TX + RX all in sequence, without waiting for any callbacks.
2021-10-08 13:27:14 -05:00
James Prestwood
80135367cf handshake: update TK installer/builder to take key index 2021-10-08 13:26:25 -05:00
Denis Kenzior
a001740506 manager: Initialize all default interfaces
When UseDefaultInterface is set, iwd doesn't attempt to destroy and
recreate any default interfaces it detects.  However, only a single
default interface was ever remembered & initialized.  This is fine for
most cases since the kernel would typically only create a single netdev
by default.

However, some drivers can create multiple netdevs by default, if
configured to do so.  Other usecases, such as tethering, can also
benefit if iwd initialized & managed all default netdevs that were
detected at iwd start time or device hotplug.
2021-10-08 13:23:36 -05:00
Denis Kenzior
a584396147 eapol: Remove unneeded initialization
oci variable is always set during handshake_util_find_kde.  Do not
initialize it unnecessarily to help the compiler / static analysis find
potential issues.
2021-10-08 12:31:36 -05:00
Denis Kenzior
e519d1139a eapol: Remove unneeded assignment
gtk and igtk are already initialized to NULL at declaration time.
There's no need to set them to NULL here.
2021-10-08 12:31:10 -05:00
Denis Kenzior
80ed3ef5b2 eapol: Fix trying to include uninitialized data
If OCI is not used, then the oci array is never initialized.  Do not try
to include it in our GTK 2_of_2 message.

Fixes: ad4d639854 ("eapol: include OCI in GTK 2/2")
2021-10-08 12:31:10 -05:00
James Prestwood
24d4790537 eapol: support extended key IDs
802.11 added Extended Key IDs which aim to solve the issue of PTK
key replacement during rekeys. Since swapping out the existing PTK
may result in data loss because there may be in flight packets still
using the old PTK.

Extended Key IDs use two key IDs for the PTK, which toggle between
0 and 1. During a rekey a new PTK is derived which uses the key ID
not already taken by the existing PTK. This new PTK is added as RX
only, then message 4/4 is sent. This ensure message 4 is encrypted
using the previous PTK. Once sent, the new PTK can be modified to
both RX and TX and the rekey is complete.

To handle this in eapol the extended key ID KDE is parsed which
gives us the new PTK key index. Using the new handshake callback
(handshake_state_set_ext_tk) the new TK is installed. The 4th
message is also included as an argument which is taken care of by
netdev (in case waiting for NEW_KEY is required due to PAE socekts).
2021-10-08 08:52:52 -05:00
James Prestwood
cc850d3a3d nl80211util: set multicast on new group keys
This may not be required but setting the group key mode explicitly
to multicast makes things consistent, even if only for the benefit
of reading iwmon logs easier.
2021-10-08 08:48:58 -05:00
James Prestwood
63b0778c99 handshake: add callback for extended key IDs
The procedure for setting extended key IDs is different from the
single PTK key. The key ID is toggled between 0 and 1 and the new
key is set as RX only, then set to RX/TX after message 4/4 goes
out.

Since netdev needs to set this new key before sending message 4,
eapol can include a built message which netdev will store if
required (i.e. using PAE).
2021-10-08 08:40:29 -05:00
James Prestwood
fba3b90c11 handshake: add flags/key index for extended key IDs
ext_key_id_capable indicates the handshake has set the capability bit
in the RSN info. This will only be set if the AP also has the capability
set.

active_tk_index is the key index the AP chose in message 3. This is
now used for both legacy (always zero) and extended key IDs.
2021-10-08 08:39:27 -05:00
James Prestwood
898c7e636e wiphy: change wiphy_control_port_capable -> enabled
Move the reading of ControlPortOverNL80211 into wiphy itself and
renamed wiphy_control_port_capable to wiphy_control_port_enabled.
This makes things easier for any modules interested in control
port support since they will only have to check this one API rather
than read the settings and check capability.
2021-10-08 08:38:35 -05:00
Andrew Zaborowski
af47112a30 p2p: Add p2p.Peer.Address D-bus property
Expose the Device Address property for each peer.  The spec doesn't say
much about how permanent the address or the name are, although the
device address by definition lives longer than the interface addresses.
However the device address is defined to be unique and the name is not
so the address can be used to differentiate devices with identical name.
Being unique also may imply that it's assigned globally and thus
permanent.

Network Manager uses the P2P device address when saving connection
profiles (and will need it from the backend) and in this case it seems
better justified than using the name.

The address is already in the object path but the object path also
includes the local phy index which may change for no reason even when
the peer's address hasn't changed so the path is not useful for
remembering which device we've connected to before.  Looking at only
parts of the path is considered wrong.
2021-10-06 15:59:15 -05:00
James Prestwood
d2f52a6723 wiphy: add wiphy_supports_ext_key_id 2021-10-04 13:39:29 -05:00
Denis Kenzior
9766426b59 wiphy/netdev: Add & use wiphy_control_port_capable
Some drivers might not actually support control port properly even if
advertised by mac80211.  Introduce a new method to wiphy that will take
care of looking up any driver quirks that override the presence of
NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211
2021-10-01 09:38:38 -05:00
Denis Kenzior
6f925c4dae manager/wiphy: Move default if determination
Move the driver database into wiphy.c so it can be extended with other
potential driver quirks.
2021-10-01 09:28:56 -05:00
Denis Kenzior
c5890ac87f netconfig: Apply MDNS setting at _configure time 2021-09-29 16:08:12 -05:00
Denis Kenzior
7f55a241a4 netconfig: Allow consecutive calls to _load_settings()
Make consecutive calls to netconfig_load_settings() memory-leak safe by
introducing a netconfig_free_settings convenience method.  This method
will free any settings that are allocated as a result of
netconfig_load_settings() and will be called from netconfig_free() to
ensure that any settings are freed as a result of netconfig_destroy().
2021-09-29 16:03:39 -05:00
Andrew Zaborowski
3021472358 netconfig: Set netconfig_get_static6_gateway out param on success
Make sure to only set the netconfig_get_static6_gateway's out_mac
parameter on successful return and make sure to always set it, even if
to NULL.
2021-09-29 15:16:50 -05:00
Andrew Zaborowski
d71a604385 netconfig: Track the IPv6 route add netlink command
For symmetry with IPv4, save the command id for this netlink command so
we can later add logic to the callback as well as be able to cancel the
command.  No functional change in this commit alone.
2021-09-29 14:51:18 -05:00
James Prestwood
e6340996d7 eapol: netdev: allow rekeys using FT-FILS
Rekeying was overlooked when implementing FT-FILS and there were
many places where the AKM was never checked and the rekey was
failing.
2021-09-28 17:26:10 -05:00
James Prestwood
183a7a18a9 eapol: don't enforce PMKID on 1/4 if require_handshake is false
FT/FILS handle their own PMK derivation but rekeys still require
using the 4-way handshake. There is some ambiguity in the spec whether
or not the PMKID needs to be included in message 1/4 and it appears
that when rekeying after FT/FILS hostapd does not include a PMKID.
2021-09-28 17:26:10 -05:00
James Prestwood
ad4d639854 eapol: include OCI in GTK 2/2 2021-09-28 17:26:05 -05:00
James Prestwood
27be63fe65 ft: check authenticator_ie from ft_ds_info, not handshake
The handshake contains the current BSS's RSNE/WPA which may differ
from the FT-over-DS target. When verifying the target BSS's RSNE/WPA
IE needs to be checked, not the current BSS.
2021-09-28 17:24:59 -05:00
James Prestwood
ae358bd524 ft: netdev: store FT-over-DS target RSNE/WPA
Keep track of the target BSS's authenticator IE for verification.
It should not be assumed that the target BSS and original RSNE/WPA
IE matches.
2021-09-28 16:58:41 -05:00
James Prestwood
d0b0004c8c netdev: set result/status for deauth path
If the deauth path was triggered IWD would deauth but end up
calling the connect callback with whatever result netdev had
set, e.g. 'NETDEV_RESULT_OK'. This, of course, caused station
some confusion.
2021-09-28 16:53:25 -05:00
James Prestwood
7e9708ddbc station: start FT-over-DS actions after roaming
Once roamed IWD never sent out any FT Request frames. This prevented
FT-over-DS from being used after an initial roam.
2021-09-28 16:52:26 -05:00
James Prestwood
d68c9e69fa fils: support OCI in reassociation 2021-09-28 16:46:48 -05:00
James Prestwood
c4c14f3ac0 ft: set OCVC false for FT-over-DS
FT-over-DS cannot use OCV due to how the kernel works. This means
we could connect initially with OCVC set, but a FT-over-DS attempt
needs to unset OCVC. Set OCVC false when rebuilding the RSNE for
reassociation.
2021-09-28 11:51:52 -05:00