3
0
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2024-11-29 05:39:24 +01:00
Commit Graph

3844 Commits

Author SHA1 Message Date
James Prestwood
91df2ee364 scan: split full scans by band to enable 6GHz
The kernel's regulatory domain updates after some number of beacons
are processed. This triggers a regulatory domain update (and wiphy
dump) but only after a scan request. This means a full scan started
prior to the regdom being set will not include any 6Ghz BSS's even
if the regdom was unlocked during the scan.

This can be worked around by splitting up a large scan request into
multiple requests allowing one of the first commands to trigger a
regdom update. Once the regdom updates (and wiphy dumps) we are
hopefully still scanning and could append an additional request to
scan 6GHz.
2022-08-05 12:02:19 -05:00
James Prestwood
0bc44a038b util: add scan_freq_set_clone
This creates a new scan_freq_set from an input set which only contains
frequencies from bands included in the mask.
2022-08-05 11:49:18 -05:00
Denis Kenzior
8c01edf74b scan: Don't crash on external scans
In the case of an external scan, we won't have a scan_request object,
sr.  Make sure to not crash in this case.

Also, since scan_request can no longer carry the frequency set in all
cases, add a new member to scan_results in order to do so.

Fixes: 27d8cf4ccc ("scan: track scanned frequencies for entire request")
2022-08-05 11:17:56 -05:00
Denis Kenzior
3d691038bc station: Fix memory leak
Make sure that the known frequency set is always cleaned up on error.

Fixes: bb604b92f1 ("station: fallback to periodic scan if regdom unset")
2022-08-05 11:17:41 -05:00
Denis Kenzior
82f873a025 util: Allow scan_freq_set to be autodestructed 2022-08-05 09:27:59 -05:00
James Prestwood
bb604b92f1 station: fallback to periodic scan if regdom unset
The kernel handles setting the regulatory domain by receiving beacons
which set the country IE. Presumably since most regulatory domains
disallow 6GHz the default (world) domain also disables it. This means
until the country is set, 6GHz is disabled.

This poses a problem for IWD's quick scanning since it only scans a few
frequencies and this likely isn't enough beacons for the firmware to
update the country, leaving 6Ghz inaccessable to the user without manual
intervention (e.g. iw scan passive, or periodic scans by IWD).

To try and work around this limitation the quick scan logic has been
updated to check if a 6GHz AP has been connected to before and if that
frequency is disabled (but supported). If this is the case IWD will opt
for a full passive scan rather than scanning a limited set of
frequencies.
2022-08-04 14:16:51 -05:00
James Prestwood
911572f09a wiphy: don't re-dump wiphy if the regdom didn't change
For whatever reason the kernel will send regdom updates even if
the regdom didn't change. This ends up causing wiphy to dump
which isn't needed since there should be no changes in disabled
frequencies.

Now the previous country is checked against the new one, and if
they match the wiphy is not dumped again.
2022-08-04 14:03:28 -05:00
James Prestwood
1709148484 wiphy: add wiphy_regdom_is_updating
This allows a module to check the current status of the regdom
in case it misses the wiphy event (e.g. registers after the
STARTED event).
2022-08-04 14:03:15 -05:00
James Prestwood
83a5f6edd1 wiphy: dump wiphy's on regulatory domain change
A change in regulatory domain can result in frequencies being
enabled or disabled depending on the domain. This effects the
frequencies stored in wiphy which other modules depend on
such as scanning, offchannel work etc.

When the regulatory domain changes re-dump the wiphy in order
to update any frequency restrictions.
2022-08-04 14:02:39 -05:00
James Prestwood
dfcba7c83c wiphy: track GET_REG ID
Keep track of the GET_REG call so it can be canceled if the wiphy
goes down.
2022-08-04 14:02:25 -05:00
James Prestwood
544aafb675 wiphy: add wiphy_country_is_unknown
A helper to check whether the country code corresponds to a
real country, or some special code indicating the country isn't
yet set. For now, the special codes are OO (world roaming) and
XX (unknown entity).
2022-08-04 11:48:08 -05:00
James Prestwood
aa0d8f1283 wiphy: add two regulatory domain state events
Events to indicate when a regulatory domain wiphy dump has
started and ended. This is important because certain actions
such as scanning need to be delayed until the dump has finished.
2022-08-04 10:30:46 -05:00
James Prestwood
9b628dd02d wiphy: use nl80211_parse_supported_frequencies
Removes the parser in wiphy and uses the helper instead
2022-08-04 10:25:58 -05:00
James Prestwood
471d34704f wiphy: track self-managed flag
Check if the SELF_MANAGED_REG flag is set and set into wiphy.
2022-08-04 10:25:52 -05:00
James Prestwood
907a2fd7b9 nl80211util: add nl80211_parse_supported_frequencies
A helper function to parse supported and disabled frequencies.
2022-08-04 10:25:45 -05:00
James Prestwood
27d8cf4ccc scan: track scanned frequencies for entire request
The NEW_SCAN_RESULTS handling was written to only parse the frequency
list if there were no additional scan commands to send. This results in
the scan callback containing frequencies of only the last CMD_TRIGGER.

Until now this worked fine because a) the queue is only used for hidden
networks and b) frequencies were never defined by any callers scanning
for hidden networks (e.g. dbus/periodic scans).

Soon the scan command queue will be used to break up scan requests
meaning only the last scan request frequencies would be used in the
callback, breaking the logic in station.

Now the NEW_SCAN_RESULTS case will parse the frequencies for each scan
command rather than only the last.
2022-08-04 10:21:31 -05:00
James Prestwood
f555e5dda2 wiphy: fix runtime error from bit shift
The compiler treated the '1' as an int type which was not big enough
to hold a bit shift of 31:

runtime error: left shift of 1 by 31 places cannot be represented in
		type 'int'

Instead of doing the iftype check manually, refactor
wiphy_get_supported_iftypes by adding a subroutine which just parses
out iftypes from a mask into a char** list. This removes the need to
case each iftype into a string.
2022-08-04 10:20:59 -05:00
Alexander Kobel
cfd2fe7d33 manager: Fix typo 2022-08-04 09:15:50 -05:00
Michael Johnson
6b87d3e7e2 netdev: Add logging for CQM messages
Add extra logging around CQM events to help track wifi status. This is
useful for headless systems that can only be accessed over the network
and so information in the logs is invaluable for debugging outages.

Prior to this change, the only log for CQM messages is saying one was
received. This adds details to what attributes were set and the
associated data with them.

The signal strength log format was chosen to roughly match
wpa_supplicant's which looks like this:

CTRL-EVENT-SIGNAL-CHANGE above=1 signal=-60 noise=-96 txrate=6000
2022-08-02 11:11:18 -05:00
Michael Johnson
f4c3278a7b station: Log scan results during a roam
Provides useful information on why a roam might have failed, such as
failing to find the BSS or the BSS being ranked lower, and why that
might be.

The output format is the same as station_add_seen_bss for consistency.
2022-08-01 10:17:23 -05:00
James Prestwood
d9a16fee56 nl80211util: add nested attribute support
Adds support for nested attributes in nl80211_parse_attrs
2022-07-26 15:31:37 -05:00
James Prestwood
f2961cd63a wiphy: constrain scan set by disabled frequencies
With the addition of disabled_freqs, wiphy_constrain_freq_set needs
to also remove any frequencies which are disabled.
2022-07-26 15:31:31 -05:00
James Prestwood
98620ecd11 wiphy: add disabled_freqs list
If a frequency is disabled IWD should keep track and disallow any
operations on that channel such as scanning. A new list has been added
which contains only disabled frequencies.
2022-07-26 15:31:08 -05:00
James Prestwood
081b0af2d6 util: add scan_freq_set_subtract
Removes any frequencies from one set that are found in the other.
2022-07-26 13:13:11 -05:00
James Prestwood
3f1d72e545 util: make scan_freq_set_get_bands const 2022-07-26 13:13:04 -05:00
James Prestwood
b52ed27b72 scan: make scan_freq_set const in scan_passive
The scan_passive API wasn't using a const struct scan_freq_set as it
should be since it's not modifying the contents. Changing this to
const did require some additional changes like making the scan_parameters
'freqs' member const as well.

After changing scan_parameters, p2p needed updating since it was using
scan_parameters.freqs directly. This was changed to using a separate
scan_freq_set pointer, then setting to scan_parameters.freqs when needed.
2022-07-26 13:12:38 -05:00
James Prestwood
1efbe1637f manager: unregister nl80211 config watch
For consistency unregister the config watch when manager exits
2022-07-26 13:11:22 -05:00
James Prestwood
4e55447a60 wiphy: use HE element for data rate estimation
If an HE element is found, prefer using this for the rate estimation
since it will likely yield the fastest rate.
2022-07-20 17:19:25 -05:00
James Prestwood
43db085ef1 band: add band_estimate_he_rx_rate
Similar to the HT/VHT APIs, this estimates the data rate based on the
HE Capabilities element, in addition to our own capabilities. The
logic is much the same as HT/VHT. The major difference being that HE
uses several MCS tables depending on the channel width. Each width
MCS set is checked (if supported) and the highest estimated rate out
of all the MCS sets is used.
2022-07-20 17:19:07 -05:00
James Prestwood
53988a7285 ie: add validation for HE Capabilities element
This makes sure the width set bits are sane, and validates the length
depending on which MCS sets are enabled.
2022-07-20 17:18:35 -05:00
James Prestwood
a3521ff172 wiphy: fix strange compiler bug with gcc 11.2
There appears to be a compiler bug with gcc 11.2 which thinks the vht_mcs_set
is a zero length array, and the memset of size 8 is out of bounds. This is only
seen once an element is added to 'struct band'.

In file included from /usr/include/string.h:519,
                 from src/wiphy.c:34:
In function ‘memset’,
    inlined from ‘band_new_from_message’ at src/wiphy.c:1300:2,
    inlined from ‘parse_supported_bands’ at src/wiphy.c:1423:11,
    inlined from ‘wiphy_parse_attributes’ at src/wiphy.c:1596:5,
    inlined from ‘wiphy_update_from_genl’ at src/wiphy.c:1773:2:
/usr/include/bits/string_fortified.h:59:10: error: ‘__builtin_memset’ offset [0, 7] is out of the bounds [0, 0] [-Werror=array-bounds]
   59 |   return __builtin___memset_chk (__dest, __ch, __len,
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   60 |                                  __glibc_objsize0 (__dest));
      |                                  ~~~~~~~~~~~~~~~~~~~~~~~~~~
2022-07-19 17:45:19 -05:00
James Prestwood
6c6bfb3d16 scan: increase max data rate, now for HE
This increases the maximum data rate which now is possible with HE.
A few comments were also updated, one to include 6G when adjusting
the rank for >4000mhz, and the other fixing a typo.
2022-07-19 16:25:42 -05:00
James Prestwood
a7ed0e6ba5 band: add find_best_mcs_nss
This is a general way of finding the best MCS/NSS values which will work
for HT, VHT, and HE by passing in the max MCS values for each value which
the MCS map could contain (0, 1, or 2).
2022-07-19 15:51:17 -05:00
James Prestwood
9baaaebd38 wiphy: parse HE capabilities from band info
The HE capabilities information is contained in
NL80211_BAND_ATTR_IFTYPE_DATA where each entry is a set of attributes
which define the rules for one or more interface types. This patch
specifically parses the HE PHY and HE MCS data which will be used for
data rate estimation.

Since the set of info is per-iftype(s) the data is stored in a queue
where each entry contains the PHY/MCS info, and a uint32 bit mask where
each bit index signifies an interface type.
2022-07-19 15:47:35 -05:00
James Prestwood
3d48d147ca wiphy: make MCS info print more generic
With the addition of HE, the print function for MCS sets needs to change
slightly. The maps themselves are the same format, but the values indicate
different MCS ranges. Now the three MCS max values are passed in.
2022-07-19 15:46:49 -05:00
James Prestwood
bdcbccbb9f wiphy: use a 16 bit tag for extended IEs
If an extended IE is needed a uint8_t tag would overflow.
2022-07-19 15:46:44 -05:00
James Prestwood
d46fac6e93 wiphy: set band->freq when parsing band info
This sets the band into the 'band' structure in order to support
HE data rates.
2022-07-19 15:46:10 -05:00
James Prestwood
fce1449a87 band: add he_capabilities queue
This queue will hold iftype(s) specific data for HE capabilities. Since
the capabilities may differ per-iftype the data is stored as such. Iftypes
may share a configuration so the band_he_capabilities structure has a
mask for each iftype using that configuration.
2022-07-19 15:45:58 -05:00
James Prestwood
62bdd1bea5 band: add band_freq
HE has different rules depending on the frequency, so the band
structure also needs to track the frequency for any rate information
to have context.
2022-07-19 15:45:47 -05:00
James Prestwood
d8fe443363 ie: add IE's from 802.11ax amendment 2022-07-19 15:45:28 -05:00
James Prestwood
e089ab2de2 scan: add colocated scan flag 2022-07-19 15:45:18 -05:00
Denis Kenzior
b84b71042b iwd: Add missing module dependencies
Certain module dependencies were missing, which could cause a crash on
exit under (very unlikely) circumstances.

  #0  l_queue_peek_head (queue=<optimized out>) at ../iwd-1.28/ell/queue.c:241
  #1  0x0000aaaab752f2a0 in wiphy_radio_work_done (wiphy=0xaaaac3a129a0, id=6)
      at ../iwd-1.28/src/wiphy.c:2013
  #2  0x0000aaaab7523f50 in netdev_connect_free (netdev=netdev@entry=0xaaaac3a13db0)
      at ../iwd-1.28/src/netdev.c:765
  #3  0x0000aaaab7526208 in netdev_free (data=0xaaaac3a13db0) at ../iwd-1.28/src/netdev.c:909
  #4  0x0000aaaab75a3924 in l_queue_clear (queue=queue@entry=0xaaaac3a0c800,
      destroy=destroy@entry=0xaaaab7526190 <netdev_free>) at ../iwd-1.28/ell/queue.c:107
  #5  0x0000aaaab75a3974 in l_queue_destroy (queue=0xaaaac3a0c800,
      destroy=destroy@entry=0xaaaab7526190 <netdev_free>) at ../iwd-1.28/ell/queue.c:82
  #6  0x0000aaaab7522050 in netdev_exit () at ../iwd-1.28/src/netdev.c:6653
  #7  0x0000aaaab7579bb0 in iwd_modules_exit () at ../iwd-1.28/src/module.c:181

In this particular case, wiphy module was de-initialized prior to the
netdev module:

Jul 14 18:14:39 localhost iwd[2867]: ../iwd-1.28/src/wiphy.c:wiphy_free() Freeing wiphy phy0[0]
Jul 14 18:14:39 localhost iwd[2867]: ../iwd-1.28/src/netdev.c:netdev_free() Freeing netdev wlan0[45]
2022-07-18 10:58:06 -05:00
James Prestwood
80f9374440 ap: remove diagnostic interface when netdev goes down
This fixes a crash associated with toggling the iftype to AP mode
then calling GetDiagnostics. The diagnostic interface is never
cleaned up when netdev goes down so DBus calls can still be made
which ends up crashing since the AP interface objects are no longer
valid.

Running the following iwctl commands in a script (once or twice)
triggers this crash reliably:

iwctl device wlp2s0 set-property Mode ap
iwctl device wlp2s0 set-property Mode station
iwctl device wlp2s0 set-property Mode ap
iwctl ap wlp2s0 start myssid secret123
iwctl ap wlp2s0 show

++++++++ backtrace ++++++++
0  0x7f8f1a8fe320 in /lib64/libc.so.6
1  0x451f35 in ap_dbus_get_diagnostics() at src/ap.c:4043
2  0x4cdf5a in _dbus_object_tree_dispatch() at ell/dbus-service.c:1815
3  0x4bffc7 in message_read_handler() at ell/dbus.c:285
4  0x4b5d7b in io_callback() at ell/io.c:120
5  0x4b489b in l_main_iterate() at ell/main.c:476
6  0x4b49a6 in l_main_run() at ell/main.c:519
7  0x4b4cd9 in l_main_run_with_signal() at ell/main.c:645
8  0x404f5b in main() at src/main.c:600
9  0x7f8f1a8e8b75 in /lib64/libc.so.6
+++++++++++++++++++++++++++
2022-07-01 11:58:06 -05:00
Jesse Lentz
125c9b195c dpp: Add Started, Role, and URI properties to API
Add three new properties to the DeviceProvisioning API: Started, Role,
and URI.
2022-06-27 11:07:13 -05:00
James Prestwood
7fad6590bd eapol: allow 'secure' to be set on rekeys
About a month ago hostapd was changed to set the secure bit on
eapol frames during rekeys (bc36991791). The spec is ambiguous
about this and has conflicting info depending on the sections you
read (12.7.2 vs 12.7.6). According to the hostapd commit log TGme
is trying to clarify this and wants to set secure=1 in the case
of rekeys. Because of this, IWD is completely broken with rekeys
since its disallows secure=1 on PTK 1/4 and 2/4.

Now, a bool is passed to the verify functions which signifies if
the PTK has been negotiated already. If secure differs from this
the key frame is not verified.
2022-06-24 18:11:56 -05:00
James Prestwood
a276243e9a storage: warn user on badly named provisioning file
The man pages (iwd.network) have a section about how to name provisioning
files containing non-alphanumeric characters but not everyone reads the
entire man page.

Warning them that the provisioning file was not read and pointing to
'man iwd.network' should lead someone in the right direction.
2022-06-24 10:40:11 -05:00
Denis Kenzior
16739cb4e6 eap: Fix EAP-Success handling
EAP-Success might come in with an identifier that is incremented by 1
from the last Response packet.  Since identifier field is a byte, the
value might overflow (from 255 -> 0.)  This overflow isn't handled
properly resulting in EAP-Success/Failure packets with a 0 identifier
due to overflow being erroneously ignored.  Fix that.
2022-06-23 16:20:28 -05:00
Andrew Zaborowski
032a3d1473 station: Move netconfig_reset() to common path
To avoid repetition, call netconfig_reset in
station_reset_connection_state.
2022-06-17 14:09:55 -05:00
Andrew Zaborowski
e88a0757ab storage: Log a message on network file parse errors
Most users of storage_network_open don't log errors when the function
returns a NULL and fall back to defaults (empty l_settings).
storage_network_open() itself only logs errors if the flie is encrypted.
Now also log an error when l_settings_load_from_file() fails to help track
down potential syntax errors.
2022-06-17 14:09:38 -05:00
Andrew Zaborowski
ba1253df3b netconfig: Fix address format validation
Drop the wrong negation in the error check.  Check that there are no extra
characters after prefix length suffix.  Reset errno 0 before the strtoul
call, as recommended by the manpage.
2022-06-17 14:04:07 -05:00
James Prestwood
f2fe9206c6 p2p: fix warning for uninitialized variable (clang)
This is actually a false positive only because
p2p_device_validate_conn_wfd bails out if the IE is NULL which
avoids using wfd_data_length. But its subtle and without inspecting
the code it does seem like the length could be used uninitialized.

src/p2p.c:940:7: error: variable 'wfd_data_len' is used uninitialized whenever 'if' condition is false [-Werror,-Wsometimes-uninitialized]
                if (dev->conn_own_wfd)
                    ^~~~~~~~~~~~~~~~~
src/p2p.c:946:8: note: uninitialized use occurs here
                                                        wfd_data_len))
                                                        ^~~~~~~~~~~~
src/p2p.c:940:3: note: remove the 'if' if its condition is always true
                if (dev->conn_own_wfd)
                ^~~~~~~~~~~~~~~~~~~~~~
src/p2p.c:906:23: note: initialize the variable 'wfd_data_len' to silence this warning
                ssize_t wfd_data_len;
                                    ^
                                     = 0
2022-06-10 14:44:18 -05:00
James Prestwood
8a8c2fbe38 storage: remove unused variables
The auto macros apparently made it difficult for gcc to
detect, but clang was able to find them.
2022-06-10 14:44:10 -05:00
James Prestwood
39b36f8e21 fils: pragma false positive for uninitialized variable
On musl-gcc the compiler is giving a warning for igtk_key_index
and gtk_key_index being used uninitialized. This isn't possible
since they are only used if gtk/igtk are non-NULL so pragma to
ignore the warning.

src/fils.c: In function 'fils_rx_associate':
src/fils.c:580:17: error: 'igtk_key_index' may be used uninitialized
	in this function [-Werror=maybe-uninitialized]
  580 |                 handshake_state_install_igtk(fils->hs,
					igtk_key_index,igtk + 6,
					igtk_len - 6, igtk);

(same error for gtk_key_index)
2022-06-10 13:59:01 -05:00
James Prestwood
2ad5e48314 network: fix handling of AlwaysRandomizeAddress/AddressOverride
For network configuration files the man pages (iwd.network) state
that [General].{AlwaysRandomizeAddress,AddressOverride} are only
used if main.conf has [General].AddressRandomization=network.

This actually was not being enforced and both iwd.network settings
were still taken into account regardless of what AddressRandomization
was set to (even disabled).

The handshake setup code now checks the AddressRandomization value
and if anything other than 'network' skips the randomization.
2022-06-03 15:52:06 -05:00
James Prestwood
19693f587f dpp,dpp-util: cast size_t for constant arguments to va_arg
There were a few places in dpp/dpp-util which passed a single byte but
was being read in with va_arg(va, size_t). On some architectures this was
causing failures presumably from the compiler using an integer type
smaller than size_t. As we do elsewhere, cast to size_t to force the
compiler to pass a properly sized iteger to va_arg.
2022-06-03 11:54:58 -05:00
Andrew Zaborowski
eb8362bf76 eap-tls: Keep l_tls instance for reauthentication
After one of the eap-tls-common-based methods succeeds keep the TLS
tunnel instance until the method is freed, rather than free it the
moment the method succeeds.  This fixes repeated method runs where until
now each next run would attempt to create a new TLS tunnel instance
but would have no authentication data (CA certificate, client
certificate, private key and private key passphrase) since those are
were by the old l_tls object from the moment of the l_tls_set_auth_data()
call.

Use l_tls_reset() to reset the TLS state after method success, followed
by a new l_tls_start() when the reauthentication starts.
2022-05-26 11:23:46 -05:00
James Prestwood
7104e12667 ft: remove frame type check in FT
A user reported that IWD was failing to FT in some cases and this was
due to the AP setting the Retry bit in the frame type. This was
unexpected by IWD since it directly checks the frame type against
0x00b0 which does not account for any B8-B15 bits being set.

IWD doesn't need to verify the frame type field for a few reasons:
First mpdu_validate checks the management frame type, Second the kernel
checks prior to forwarding the event. Because of this the check was
removed completely.

Reported-By: Michael Johnson <mjohnson459@gmail.com>
2022-05-23 13:01:10 -05:00
Jesse Lentz
ce227e7b94 station: Provide SignalLevelAgent update while connecting
When a station enters the "connecting" state, if a SignalLevelAgent is
registered, provide an initial signal level via a "Changed" method call.
2022-05-23 12:56:55 -05:00
Jesse Lentz
38e2d4383a station: Simplify usage of station_signal_agent_notify()
station_signal_agent_notify() has been refactored so that its usage is
simpler. station_rssi_level_changed() has been replaced by an inlined
call to station_signal_agent_notify().
2022-05-23 12:38:41 -05:00
Jesse Lentz
6cea51b79f netdev: Initialize signal level during connection attempt
The call to netdev_rssi_level_init() in netdev_connect_common() is
currently a no-op, because netdev->connected has not yet been set at
this stage of the connection attempt. Because netdev_rssi_level_init()
is only used twice, it's been replaced by two inlined calls to
netdev_set_rssi_level_idx().
2022-05-23 12:36:00 -05:00
Jesse Lentz
3d27d0d80a station: send initial signal level notification
After registration of a SignalLevelAgent, make iwd inform the client of
the initial signal level via a "Changed" method call.
2022-05-20 16:56:59 -05:00
Jesse Lentz
0b9e7eb120 Allow SignalLevelAgent method calls in dbus policy
The SignalLevelAgent API is currently broken by the system bus's
security policy, which blocks iwd's outgoing method call messages. This
patch punches a hole for method calls on the
net.connman.iwd.SignalLevelAgent interface.
2022-05-20 14:50:54 -05:00
Denis Kenzior
d459509087 manpage: describe 'none' in NameResolvingService 2022-05-20 10:14:17 -05:00
Denis Kenzior
b96bbb35e0 resolve: Add "none" method
There may be situations where DNS information should not be set (for
example in auto-tests where the resolver daemon is not running) or if a
user wishes to ignore DNS information obtained.
2022-05-20 10:03:42 -05:00
Michael Johnson
2c9c5b6602 docs: Show new usage of IWD_DHCP_DEBUG 2022-05-19 09:47:36 -05:00
Michael Johnson
28d13f9a43 netconfig: Add multiple levels to IWD_DHCP_DEBUG
Allows granularly specifying the DHCP logging level. This allows the
user to tailor the output to what they need. By default, always display
info, errors and warnings to match the rest of iwd.

Setting `IWD_DHCP_DEBUG` to "debug", "info", "warn", "error" will limit
the logging to that level or higher allowing the default logging
verbosity to be reduced.

Setting `IWD_DHCP_DEBUG` to "1" as per the current behavior will
continue to enable debug level logging.
2022-05-19 09:47:31 -05:00
Denis Kenzior
ee3a044b75 eapol: authenticator: Drop unencrypted EAPoL frames
After the initial handshake, once the TK has been installed, all frames
coming to the AP should be encrypted.  However, it seems that some
kernel/driver combinations allow unencrypted EAPoL frames to be received
and forwarded to userspace.  This can lead to various attacks.

Some drivers can report whether the EAPoL frame has been received
unencrypted.  Use this information to drop unencrypted EAPoL frames
received after the initial handshake has been completed.
2022-05-10 16:04:29 -05:00
Denis Kenzior
ccdea73df2 eapol: Drop unexpectedly unencrypted EAP frames
After the initial handshake, once the TK has been installed, all frames
coming from the AP should be encrypted.  However, it seems that some
kernel/driver combinations allow unencrypted EAPoL frames to be received
and forwarded to userspace.  This can lead to a denial-of-service attack
where receipt of an invalid, unencrypted EAP-Failure frame generated by
an adversary results in iwd terminating an ongoing connection.

Some drivers can report whether the EAPoL frame has been received
unencrypted.  Use this information to drop unencrypted EAP frames
received after the initial handshake has been completed.

Reported-by: Domien Schepers <schepers.d@northeastern.edu>
2022-05-10 16:03:41 -05:00
Denis Kenzior
5b42cb6cda eapol: Drop unexpectedly unencrypted PTK 1/4 frames
After the initial handshake, once the TK has been installed, all frames
coming from the AP should be encrypted.  However, it seems that some
kernel/driver combinations allow unencrypted EAPoL frames to be received
and forwarded to userspace.  This can lead to a denial-of-service attack
where receipt of an invalid, unencrypted EAPoL 1/4 frame generated by an
adversary results in iwd terminating an ongoing connection.

Some drivers can report whether the EAPoL frame has been received
unencrypted.  Use this information to drop unencrypted PTK 1/4 frames
received after the initial handshake has been completed.

Reported-by: Domien Schepers <schepers.d@northeastern.edu>
2022-05-10 12:22:03 -05:00
Denis Kenzior
1ef97e5cbc eapol: Silently discard invalid EAPoL frames
Do not fail an ongoing handshake when an invalid EAPoL frame is
received.  Instead, follow the intent of 802.11-2020 section 12.7.2:
"EAPOL-Key frames containing invalid field values shall be silently
discarded."

This prevents a denial-of-service attack where receipt of an invalid,
unencrypted EAPoL 1/4 frame generated by an adversary results in iwd
terminating an ongoing connection.

Reported-by: Domien Schepers <schepers.d@northeastern.edu>
2022-05-10 10:01:08 -05:00
Denis Kenzior
1409364371 scan: Sort scan_requests by wiphy work item priority
Periodic scan requests are meant to be performed with a lower priority
than normal scan requests.  They're thus given a different priority when
inserting them into the wiphy work queue.  Unfortunately, the priority
is not taken into account when they are inserted into the
sr->requests queue.  This can result in the scanning code being confused
since it assumes the top of the queue is always the next scheduled or
currently ongoing scan.  As a result any further wiphy_work might never be
started properly.

Apr 27 16:34:40 iwd[5117]: ../iwd-1.26/src/wiphy.c:wiphy_radio_work_insert() Inserting work item 3
Apr 27 16:34:40 iwd[5117]: ../iwd-1.26/src/wiphy.c:wiphy_radio_work_next() Starting work item 3
Apr 27 16:34:40 iwd[5117]: ../iwd-1.26/src/scan.c:scan_periodic_timeout() 1
Apr 27 16:34:40 iwd[5117]: ../iwd-1.26/src/wiphy.c:wiphy_radio_work_insert() Inserting work item 4
Apr 27 16:34:43 iwd[5117]: ../iwd-1.26/src/wiphy.c:wiphy_radio_work_insert() Inserting work item 5
Apr 27 16:34:43 iwd[5117]: ../iwd-1.26/src/wiphy.c:wiphy_radio_work_done() Work item 3 done
Apr 27 16:34:43 iwd[5117]: ../iwd-1.26/src/wiphy.c:wiphy_radio_work_next() Starting work item 5
Apr 27 16:34:43 iwd[5117]: ../iwd-1.26/src/scan.c:scan_notify() Scan notification Trigger Scan(33)
Apr 27 16:34:43 iwd[5117]: ../iwd-1.26/src/scan.c:scan_request_triggered() Passive scan triggered for wdev 1
Apr 27 16:34:43 iwd[5117]: ../iwd-1.26/src/scan.c:scan_periodic_triggered() Periodic scan triggered for wdev 1

In the above log, scan request 5 (triggered by dbus) is started before
scan request 4 (periodic scan).  Yet the scanning code thinks scan
request 4 was triggered.

Fix this by using the wiphy_work priority to sort the sr->requests queue
so that the scans are ordered in the same manner.

Reported-by: Alvin Šipraga <ALSI@bang-olufsen.dk>
2022-05-02 09:18:30 -05:00
James Prestwood
b27ab1270c dpp: wait before retransmitting frames with no-ACK
The upstream code immediately retransmitted any no-ACK frames.
This would work in cases where the peer wasn't actively switching
channels (e.g. the ACK was simply lost) but caused unintended
behavior in the case of a channel switch when the peer was not
listening.

If either IWD or the peer needed to switch channels based on the
authenticate request the response may end up not getting ACKed
because the peer is idle, or in the middle of the hardware changing
channels. IWD would get no-ACK and immediately send the frame again
and most likely the same behavior would result. This would very
quickly increment frame_retry past the maximum and DPP would fail.

Instead when no ACK is received wait 1 second before sending out
the next frame. This can re-use the existing frame_pending buffer
and the same logic for re-transmitting.
2022-04-15 12:15:52 -05:00
James Prestwood
14217e6ca4 dpp: print error if CMD_FRAME fails 2022-04-15 12:15:44 -05:00
James Prestwood
07197e24fc dpp: handle sending a frame after ROC ends
There is a potential corner case of an offchannel frame callback
being called after ROC has ended.

This could happen in theory if a received frame is queued right as
the ROC session expires. If the ROC cancel event makes it to user
space before the frame IWD will schedule another ROC then receive
the frame. This doesn't prevent IWD from sending out another
frame since OFFCHANNEL_TX_OK is used, but it will prevent IWD from
receiving a response frame since no dwell duration is used with DPP.

To handle this an roc_started bool was added to the dpp_sm which
tracks the ROC state. If dpp_send_frame is called when roc_started
is false the frame will be saved and sent out once the ROC session
is started again.
2022-04-15 12:12:49 -05:00
Denis Kenzior
8a877d8692 station/network: avoid use-after-free
ConnectHiddenNetwork creates a temporary network object and initiates a
connection with it.  If the connection fails (due to an incorrect
passphrase or other reasons), then this temporary object is destroyed.
Delay its destruction until network_disconnected() since
network_connect_failed is called too early.  Also, re-order the sequence
in station_reset_connection_state() in order to avoid using the network
object after it has been freed by network_disconnected().

Fixes: 85d9d6461f ("network: Hide hidden networks on connection error")
2022-04-08 15:12:30 -05:00
Denis Kenzior
867c68c05b network: close settings prior to network removal
station_hide_network will remove and free the network object, so calling
network_close_settings will result in a crash.  Make sure this is done
prior to network object's destruction.

Fixes: 85d9d6461f ("network: Hide hidden networks on connection error")
2022-04-08 11:23:28 -05:00
James Prestwood
cb76f219fb netdev: move ocvc setting to after connected check
We cannot check 'handshake' until first checking that IWD is
connected.
2022-04-05 13:30:30 -05:00
James Prestwood
f7dc05969f netdev: check for connected in FT frame event
This frame could come unsolicited and cause a NULL dereference
if IWD is not connected.
2022-04-05 13:30:11 -05:00
Denis Kenzior
dc7e12ac0c station: Ignore AP directed roams if already trying to roam 2022-04-05 11:41:03 -05:00
Denis Kenzior
92ef3da714 station: Sanitize AP directed roam addresses
Make sure the BSS Transition Management Request frames come from our
conected AP.  Ignore and print a message if the addresses do not match.
2022-04-05 11:36:39 -05:00
Denis Kenzior
3fad65e5df station: ignore AP directed roams if not connected 2022-04-05 10:09:08 -05:00
Emmanuel VAUTRIN
85d9d6461f network: Hide hidden networks on connection error
If a user connection fails on a freshly scanned psk or open hidden
network, during passphrase request or after, it shall be removed from
the network list.  Otherwise, it would be possible to directly connect
to that known network, which will appear as not hidden.
2022-04-05 09:31:44 -05:00
James Prestwood
f59e69c6c4 rrm: use ULL for static values 2022-03-31 18:13:04 -05:00
Andrew Zaborowski
ce94013bae p2p: Fix Device Address updates from Probe Requests
p2p_peer_update_existing may be called with a scan_bss struct built from
a Probe Request frame so it can't access bss->p2p_probe_resp_info even
if peer->bss was built from a Probe Response.  Check the source frame
type of the scan_bss struct before updating the Device Address.

This fixes one timing issue that would make the autotest fail often.
2022-03-30 14:43:37 -05:00
James Prestwood
6f7743426b eapol: zero entire buffer when creating frame
Since l_malloc is used the frame contents are not zero'ed automatically
which could result in random bytes being present in the frame which were
expected to be zero. This poses a problem when calculating the MIC as the
crypto operations are done on the entire frame with the expectation of
the MIC being zero.

Fixes: 83212f9b23 ("eapol: change eapol_create_common to support FILS")
2022-03-28 17:35:03 -05:00
Fabrice Fontaine
d78950e039 storage: fix build with uclibc
explicit_bzero is used in src/storage.c since commit
01cd858760 but src/missing.h is not
included, as a result build with uclibc fails on:

/home/buildroot/autobuild/instance-0/output-1/host/lib/gcc/powerpc-buildroot-linux-uclibc/10.3.0/../../../../powerpc-buildroot-linux-uclibc/bin/ld: src/storage.o: in function `storage_init':
storage.c:(.text+0x13a4): undefined reference to `explicit_bzero'

Fixes:
 - http://autobuild.buildroot.org/results/2aff8d3d7c33c95e2c57f7c8a71e69939f0580a1
2022-03-28 12:39:51 -05:00
James Prestwood
dbca7fcc02 dpp: set new_freq when configuring as initiator
This is used to hold the current BSS frequency which will be
used after IWD receives a presence announcement. Since this was
not being set, the logic was always thinking there was a channel
mismatch (0 != current_freq) and attempting to go offchannel to
'0' which resulted in -EINVAL, and ultimately protocol termination.
2022-03-28 12:38:15 -05:00
James Prestwood
ad1e5252f3 dpp: fail if disconnected during DPP protocol
If the connected BSS is NULL IWD was disconnected and this should
trigger a protocol termination.
2022-03-28 12:38:15 -05:00
James Prestwood
9f6576be05 json: call va_end in error case
Caught by static analysis
2022-03-18 11:32:47 -05:00
James Prestwood
ed81351f15 dpp-util: move up va_end before possible error case
This was caught by static analysis
2022-03-18 11:32:39 -05:00
James Prestwood
7bbcb67892 station: replace old BSS with 'best_bss' on roam scan
The logic here assumed any BSS's in the roam scan were identical to
ones in station's bss_list with the same address. Usually this is true
but, for example, if the BSS changed frequency the one in station's
list is invalid.

Instead when a match is found remove the old BSS and re-insert the new
one.
2022-03-08 11:37:25 -06:00
James Prestwood
1c5a2da046 knownnetworks: use band_freq_to_channel to verify known freqs
With the addition of 6GHz '6000' is no longer the maximum frequency
that could be in .known_network.freq. For more robustness
band_freq_to_channel is used to validate the frequency.
2022-03-03 13:58:45 -06:00
Denis Kenzior
778dacd262 wiphy: Use an inline function in favor of a macro 2022-03-02 13:57:00 -06:00
Denis Kenzior
a8f3098115 wiphy: Use anonymous enum in favor of #defines 2022-03-02 13:55:26 -06:00
Denis Kenzior
86f34a394b ie: Use static inline functions in favor of macros 2022-03-02 13:51:56 -06:00
James Prestwood
d4e9cda0c0 ap: add support for scanning while in AP mode
Scanning while in AP mode is somewhat of an edge case, but it does
have some usefulness specifically with onboarding new devices, i.e.
a new device starts an AP, a station connects and provides the new
device with network credentials, the new device switches to station
mode and connects to the desired network.

In addition this could be used later for ACS (though this is a bit
overkill for IWD's access point needs).

Since AP performance is basically non-existant while scanning this
feature is meant to be used in a limited scope.

Two DBus API's were added which mirror the station interface: Scan and
GetOrderedNetworks.

Scan is no different than the station variant, and will perform an active
scan on all channels.

GetOrderedNetworks diverges from station and simply returns an array of
dictionaries containing basic information about networks:

{
    Name: <ssid>
    SignalStrength: <mBm>
    Security: <psk, open, or 8021x>
}

Limitations:
 - Hidden networks are not supported. This isn't really possible since
   the SSID's are unknown from the AP perspective.

 - Sharing scan results with station is not supported. This would be a
   convenient improvement in the future with respect to onboarding new
   devices. The scan could be performed in AP mode, then switch to
   station and connect immediately without needing to rescan. A quick
   hack could better this situation by not flushing scan results in
   station (if the kernel retains these on an iftype change).
2022-02-28 13:23:01 -06:00
James Prestwood
70fc6ea262 scan: add support for scanning on AP interface type
This adds a new flag, force_ap to the scan parameters. When enabled
this will set NL80211_SCAN_FLAG_AP.
2022-02-28 13:22:54 -06:00
James Prestwood
1974a67b30 scan: check flush feature before using flag 2022-02-28 11:42:43 -06:00
James Prestwood
9224575a83 station: replace station_parse_bss_security
Replaces this with scan_bss_get_security
2022-02-28 11:42:26 -06:00
James Prestwood
27bf997545 scan: add scan_bss_get_security
This was already implemented in station but with no dependency on
that module at all. AP will need this for a scanning API so its
being moved into scan.c.
2022-02-28 11:42:07 -06:00
James Prestwood
d38b7f2406 network: add 6GHz restrictions to network_can_connect_bss
The 802.11ax standards adds some restrictions for the 6GHz band. In short
stations must use SAE, OWE, or 8021x on this band and frame protection is
required.
2022-02-28 11:31:39 -06:00
James Prestwood
1024384ffd ie: add IE_AKM_IS_8021X 2022-02-25 17:54:33 -06:00
James Prestwood
6e660032c1 station: use IE_AKM_IS_FILS
Use this macro instead of manually checking
2022-02-25 17:54:27 -06:00
James Prestwood
44b3e7a8bb ie: update IE_AKM_IS_FILS to be bitwise
Currently nothing actually uses this macro, but switching it to a bitwise
comparison makes it more useful and consistent with the others.
2022-02-25 17:54:22 -06:00
James Prestwood
5627ef4141 ie: update IE_AKM_IS_SAE to bitwise comparison
All uses of this macro will work with a bitwise comparison which is
needed for 6GHz checks and somewhat more flexible since it can be
used to compare RSN info, not only single AKM values.
2022-02-25 17:54:09 -06:00
James Prestwood
c20828f252 station: enforce MFPR=1 for 6GHz frequencies
This adds checks if MFP is set to 0 or 1:

0 - Always fail if the frequency is 6GHz
1 - Fail if MFPC=0 and the frequency is 6GHz.
    If HW is capable set MFPR=1 for 6GHz
2022-02-25 17:11:39 -06:00
James Prestwood
2f50038363 station: check supported frequencies in neighbor report
If the report has an unsupported frequency don't add it to the list.
2022-02-25 17:11:36 -06:00
James Prestwood
111e13cad6 band: keep 6GHz frequencies out of 40mhz special case
There is no 40MHz upper/lower concept for 6GHz so avoid this special
handling.
2022-02-25 13:10:45 -06:00
James Prestwood
7882621ca9 wiphy: add 6Ghz support 2022-02-25 13:04:33 -06:00
James Prestwood
5b6f1e3662 util: add 6GHz support to scan_freq_set* APIs
The 6GHz channels are stored and accessed identically to 5GHz,
just using a separate uintset object.
2022-02-25 13:01:20 -06:00
James Prestwood
1343cb928f band: add 6GHz support to {channel,freq}_to_{freq,channel}
Adds support for the channels and frequencies defined in the
802.11ax spec.
2022-02-25 13:00:26 -06:00
James Prestwood
ff6961fbc4 band: add BAND_FREQ_6_GHZ
This is a new band defined in the WiFi 6E (ax) amendment. A completely
new value is needed due to channel reuse between 2.4/5 and 6GHz.

util.c needed minimal updating to prevent compile errors which will
be fixed later to actually handle this band. WSC also needed a case
added for 6GHz but the spec does not outline any RF Band value for
6GHz so the 5GHz value will be returned in this case.
2022-02-25 12:59:34 -06:00
James Prestwood
417b6fd022 band: remove unneeded line break
This fits within 80 characters
2022-02-25 12:59:27 -06:00
James Prestwood
650cac7979 band: add operating clases for 802.11ax
Obtained from the IEEE 802.11ax amendment, Table E-4
2022-02-25 12:57:45 -06:00
James Prestwood
6fce08c301 sae: define _GNU_SOURCE for reallocarray definition
sae.c was failing to build on some platforms:

error: implicit declaration of function 'reallocarray'; did you mean 'realloc'?
	[-Werror=implicit-function-declaration]
2022-02-24 12:14:46 -06:00
James Prestwood
d3f7458e26 netdev: fail connection if the link goes down
In certain rare cases IWD gets a link down event before nl80211 ever sends
a disconnect event. Netdev notifies station of the link down which causes
station to be freed, but netdev remains in the same state. Then later the
disconnect event arrives and netdev still thinks its connected, calls into
(the now freed) station object and causes a crash.

To fix this netdev_connect_free() is now called on any link down events
which will reset the netdev object to a proper state.

src/netdev.c:netdev_link_notify() event 16 on ifindex 16
src/netdev.c:netdev_mlme_notify() MLME notification Del Station(20)
src/netdev.c:netdev_link_notify() event 16 on ifindex 16
src/netdev.c:netdev_mlme_notify() MLME notification Deauthenticate(39)
src/netdev.c:netdev_deauthenticate_event()
src/netdev.c:netdev_link_notify() event 16 on ifindex 16
src/station.c:station_free()
src/netconfig.c:netconfig_destroy()
src/resolve.c:resolve_systemd_revert() ifindex: 16
src/station.c:station_roam_state_clear() 16
src/netdev.c:netdev_mlme_notify() MLME notification Disconnect(48)
src/netdev.c:netdev_disconnect_event()
Received Deauthentication event, reason: 3, from_ap: false

0 0x472fa4 in station_disconnect_event src/station.c:2916
1 0x472fa4 in station_netdev_event src/station.c:2954
2 0x43a262 in netdev_disconnect_event src/netdev.c:1213
3 0x43a262 in netdev_mlme_notify src/netdev.c:5471
4 0x6706eb in process_multicast ell/genl.c:1029
5 0x6706eb in received_data ell/genl.c:1096
6 0x65e630 in io_callback ell/io.c:120
7 0x65a94e in l_main_iterate ell/main.c:478
8 0x65b0b3 in l_main_run ell/main.c:525
9 0x65b0b3 in l_main_run ell/main.c:507
10 0x65b5cc in l_main_run_with_signal ell/main.c:647
11 0x4124d7 in main src/main.c:532
2022-02-22 16:27:02 -06:00
James Prestwood
82b808cdfe dpp: add support for initiating as a configurator
The difference between the existing code is that IWD will send the
authentication request, making it the initiator.

This handles the use case where IWD is provided a peers URI containing
its bootstrapping key rather than IWD always providing its own URI.
A new DBus API was added, ConfigureEnrollee().

Using ConfigureEnrollee() IWD will act as a configurator but begin by
traversing a channel list (URI provided or default) and waiting for
presence announcements (with one caveat). When an announcement is
received IWD will send an authentication request to the peer, receive
its reply, and send an authentication confirm.

As with being a responder, IWD only supports configuration to the
currently connected BSS and will request the enrollee switch to this
BSS's frequency to preserve network performance.

The caveat here is that only one driver (ath9k) supports multicast frame
registration which prevents presence frame from being received. In this
case it will be required the the peer URI contains a MAC and channel
information. This is because IWD will jump right into sending auth
requests rather than waiting for a presence announcement.
2022-02-22 16:25:47 -06:00
James Prestwood
de411818f0 dpp: manually register for some frame watches
The frame watch which covers the presence procedure (and most
frames for that matter) needs to support multicast frames for
presence to work. Doing this in frame-xchg seems like the right
choice but only ath9k supports multicast frame registration.
Because of this limited support DPP will register for these frames
manually.
2022-02-22 16:24:47 -06:00
James Prestwood
f7f602e1b1 dpp-util: add URI parsing
Parses K (key), M (mac), C (class/channels), and V (version) tokens
into a new structure dpp_uri_info. H/I are not parsed since there
currently isn't any use for them.
2022-02-22 16:23:52 -06:00
James Prestwood
c819903a7c dpp: check return of aes_siv_encrypt
This was caught by static analysis. As is common this should never
happen in the real world since the only way this can fail (apart from
extreme circumstances like OOM) is if the key size is incorrect, which
it will never be.
2022-02-18 14:45:45 -06:00
James Prestwood
5ca7948dfb main: remove unneeded stat call
Static analysis flagged that 'path' was never being checked (which
should not ever be NULL) but during that review I noticed stat()
was being called, then fstat afterwards.
2022-02-18 14:45:39 -06:00
James Prestwood
0fe054076f doc: Add warning to SystemdEncrypt as highly experimental 2022-02-16 16:11:01 -06:00
James Prestwood
1157e0a184 doc: document SystemdEncrypt 2022-02-15 17:44:20 -06:00
James Prestwood
e8e9c68dea main: add SystemdEncrypt option, and initialize key
Recently systemd added the ability to pass secret credentials to
services via LoadCredentialEncrypted/SetCredentialEncrypted. Once
set up the service is able to read the decrypted credentials from
a file. The file path is found in the environment variable
CREDENTIALS_DIRECTORY + an identifier. The value of SystemdEncrypt
should be set to the systemd key ID used when the credential was
created.

When SystemdEncrypt is set IWD will attempt to read the decrypted
secret from systemd. If at any point this fails warnings will be
printed but IWD will continue normally. Its expected that any failures
will result in the inability to connect to any networks which have
previously encrypted the passphrase/PSK without re-entering
the passphrase manually. This could happen, for example, if the
systemd secret was changed.

Once the secret is read in it is set into storage to be used for
profile encryption/decryption.
2022-02-15 17:38:51 -06:00
James Prestwood
64f225df6e hotspot: implement hotspot profile encryption
Using storage_decrypt() hotspot can also support profile encyption.
The hotspot consortium name is used as the 'ssid' since this stays
consistent between hotspot networks for any profile.
2022-02-15 17:22:21 -06:00
James Prestwood
01cd858760 storage: implement network profile encryption
Some users don't like the idea of storing network credentials in
plaintext on the file system.  This patch implements an option to
encrypt such profiles using a secret key.  The origin of the key can in
theory be anything, but would typically be provided by systemd via
'LoadEncryptedCredential' setting in the iwd unit file.

The encryption operates on the entire [Security] group as well as all
embedded groups. Once encrypted the [Security] group will be replaced
with two key/values:

EncryptedSalt - A random string of bytes used for the encryption
EncryptedSecurity - A string of bytes containing the encrypted
                    [Security] group, as well as all embedded groups.

After the profile has been encrypted these values should not be
modified.  Note that any values added to [Security] after encryption
has no effect.  Once the profile is encrypted there is no way to modify
[Security] without manually decrypting first, or just re-creating it
entirely which effectively treated a 'new' profile.

The encryption/decryption is done using AES-SIV with a salt value and
the network SSID as the IV.

Once a key is set any profiles opened will automatically be encrypted
and re-written to disk.  Modules using network_storage_open will be
provided the decrypted profile, and will be unaware it was ever
encrypted in the first place.  Similarly when network_storage_sync is
called the profile will by automatically encrypted and written to disk
without the caller needing to do anything special.

A few private storage.c helpers were added to serve several purposes:

storage_init/exit():
This sets/cleans up the encryption key direct from systemd then uses
extract and expand to create a new fixed length key to perform
encryption/decryption.

__storage_decrypt():
Low level API to decrypt an l_settings object using a previously set
key and the SSID/name for the network.  This returns a 'changed' out
parameter signifying that the settings need to be encrypted and
re-written to disk.  The purpose of exposing this is for a standalone
decryption tool which does not re-write any settings.

storage_decrypt():
Wrapper around __storage_decrypt() that handles re-writing a new
profile to disk. This was exposed in order to support hotspot profiles.

__storage_encrypt():
Encrypts an l_settings object and returns the full profile as data
2022-02-15 17:19:33 -06:00
James Prestwood
429eabf042 dpp: unregister interface on exit
This fixes a cleanup issue where DPP tries to cleanup both on
dpp_exit() and when netdev goes down.
2022-02-15 15:13:52 -06:00
James Prestwood
06ec2a2e32 dpp-util: fix dpp_point_from_asn1
This got merged without a few additional fixes, in particular an
over 80 character line and incorrect length check.

Fixes: d8116e8828 ("dpp-util: add dpp_point_from_asn1()")
2022-02-14 16:22:43 -06:00
Denis Kenzior
3a91efd3a8 manager: Refine filtered dumps
When we detect a new phy being added, we schedule a filtered dump of
the newly detected WIPHY and associated INTERFACEs.  This code path and
related processing of the dumps was mostly shared with the un-filtered
dump of all WIPHYs and INTERFACEs which is performed when iwd starts.
This normally worked fine as long as a single WIPHY was created at a
time.  However, if multiphy new phys were detected in a short amount of
time, the logic would get confused and try to process phys that have not
been probed yet.  This resulted in iwd trying to create devices or not
detecting devices properly.

Fix this by only processing the target WIPHY and related INTERFACEs
when the filtered dump is performed, and not any additional ones that
might still be pending.

While here, remove a misleading comment:
manager_wiphy_check_setup_done() would succeed only if iwd decided to
keep the default interfaces created by the kernel.
2022-02-14 16:02:23 -06:00
James Prestwood
32465396eb station: fix >80 character lines 2022-02-10 16:22:00 -06:00
James Prestwood
91caecedec station: only log station_autoconnect_start if autoconnecting
This debug print was before any checks which could bail out prior to
autoconnect starting. This was confusing because debug logs would
contain multiple "station_autoconnect_start()" prints making you think
autoconnect was started several times.
2022-02-10 16:21:21 -06:00
James Prestwood
2c355db7fa scan: remove periodic scans from queue on abort
The periodic scan code was refactored to make normal scans and
periodic scans consistent by keeping both in the same queue. But
that change left out the abort path where periodic scans were not
actually removed from the queue.

This fixes a rare crash when a periodic scan has been triggered and
the device goes down. This path never removes the request from the
queue but still frees it. Then when the scan context is removed the
stale request is freed again.

0 0x4bb65b in scan_request_cancel src/scan.c:202
1 0x64313c in l_queue_clear ell/queue.c:107
2 0x643348 in l_queue_destroy ell/queue.c:82
3 0x4bbfb7 in scan_context_free src/scan.c:209
4 0x4c9a78 in scan_wdev_remove src/scan.c:2115
5 0x42fecd in netdev_free src/netdev.c:965
6 0x445827 in netdev_destroy src/netdev.c:6507
7 0x52beb9 in manager_config_notify src/manager.c:765
8 0x67084b in process_multicast ell/genl.c:1029
9 0x67084b in received_data ell/genl.c:1096
10 0x65e790 in io_callback ell/io.c:120
11 0x65aaae in l_main_iterate ell/main.c:478
12 0x65b213 in l_main_run ell/main.c:525
13 0x65b213 in l_main_run ell/main.c:507
14 0x65b72c in l_main_run_with_signal ell/main.c:647
15 0x4124e7 in main src/main.c:532
2022-02-07 16:11:23 -06:00
James Prestwood
2e0a7d265c netdev: fix crash from not cancelling netdev_get_oci
If netdev_connect_failed is called before netdev_get_oci_cb() the
netdev's handshake will be destroyed and ultimately crash when the
callback is called.

This patch moves the cancelation into netdev_connect_free rather than
netdev_free.

++++++++ backtrace ++++++++
0  0x7f4e1787d320 in /lib64/libc.so.6
1  0x42634c in handshake_state_set_chandef() at src/handshake.c:1057
2  0x40a11b in netdev_get_oci_cb() at src/netdev.c:2387
3  0x483d7b in process_unicast() at ell/genl.c:986
4  0x480d3c in io_callback() at ell/io.c:120
5  0x48004d in l_main_iterate() at ell/main.c:472 (discriminator 2)
6  0x4800fc in l_main_run() at ell/main.c:521
7  0x48032c in l_main_run_with_signal() at ell/main.c:649
8  0x403e95 in main() at src/main.c:532
9  0x7f4e17867b75 in /lib64/libc.so.6
+++++++++++++++++++++++++++
2022-02-07 13:51:04 -06:00
James Prestwood
672098118d netdev: fix bug setting OWE IE length
The length was being set to whatever the last nl80211 attribute was,
not the length for the RESP_IE iteration.
2022-02-03 11:40:08 -06:00
Denis Kenzior
8a5b3f6880 handshake: Do not crash if handshake is destroyed
Commit 4d2176df29 ("handshake: Allow event handler to free handshake")
introduced a re-entrancy guard so that handshake_state objects that are
destroyed as a result of the event do not cause a crash.  It rightly
used a temporary object to store the passed in handshake.  Unfortunately
this caused variable shadowing which resulted in crashes fixed by commit
d22b174a73 ("handshake: use _hs directly in handshake_event").
However, since the temporary was no longer used, this fix itself caused
a crash:

 #0  0x00005555f0ba8b3d in eapol_handle_ptk_1_of_4 (sm=sm@entry=0x5555f2b4a920, ek=0x5555f2b62588, ek@entry=0x16, unencrypted=unencrypted@entry=false) at src/eapol.c:1236
1236				handshake_event(sm->handshake,
(gdb) bt
 #0  0x00005555f0ba8b3d in eapol_handle_ptk_1_of_4 (sm=sm@entry=0x5555f2b4a920, ek=0x5555f2b62588, ek@entry=0x16, unencrypted=unencrypted@entry=false) at src/eapol.c:1236
 #1  0x00005555f0bab118 in eapol_key_handle (unencrypted=<optimized out>, frame=<optimized out>, sm=0x5555f2b4a920) at src/eapol.c:2343
 #2  eapol_rx_packet (proto=<optimized out>, from=<optimized out>, frame=<optimized out>, unencrypted=<optimized out>, user_data=0x5555f2b4a920) at src/eapol.c:2665
 #3  0x00005555f0bac497 in __eapol_rx_packet (ifindex=62, src=src@entry=0x5555f2b62574 "x\212 J\207\267", proto=proto@entry=34958, frame=frame@entry=0x5555f2b62588 "\002\003",
   len=len@entry=121, noencrypt=noencrypt@entry=false) at src/eapol.c:3017
 #4  0x00005555f0b8c617 in netdev_control_port_frame_event (netdev=0x5555f2b64450, msg=0x5555f2b62588) at src/netdev.c:5574
 #5  netdev_unicast_notify (msg=msg@entry=0x5555f2b619a0, user_data=<optimized out>) at src/netdev.c:5613
 #6  0x00007f60084c9a51 in dispatch_unicast_watches (msg=0x5555f2b619a0, id=<optimized out>, genl=0x5555f2b3fc80) at ell/genl.c:954
 #7  process_unicast (nlmsg=0x7fff61abeac0, genl=0x5555f2b3fc80) at ell/genl.c:973
 #8  received_data (io=<optimized out>, user_data=0x5555f2b3fc80) at ell/genl.c:1098
 #9  0x00007f60084c61bd in io_callback (fd=<optimized out>, events=1, user_data=0x5555f2b3fd20) at ell/io.c:120
 #10 0x00007f60084c536d in l_main_iterate (timeout=<optimized out>) at ell/main.c:478
 #11 0x00007f60084c543e in l_main_run () at ell/main.c:525
 #12 l_main_run () at ell/main.c:507
 #13 0x00007f60084c5670 in l_main_run_with_signal (callback=callback@entry=0x5555f0b89150 <signal_handler>, user_data=user_data@entry=0x0) at ell/main.c:647
 #14 0x00005555f0b886a4 in main (argc=<optimized out>, argv=<optimized out>) at src/main.c:532

This happens when the driver does not support rekeying, which causes iwd to
attempt a disconnect and re-connect.  The disconnect action is
taken during the event callback and destroys the underlying eapol state
machine.  Since a temporary isn't used, attempting to dereference
sm->handshake results in a crash.

Fix this by introducing a UNIQUE_ID macro which should prevent shadowing
and using a temporary variable as originally intended.

Fixes: d22b174a73 ("handshake: use _hs directly in handshake_event")
Fixes: 4d2176df29 ("handshake: Allow event handler to free handshake")
Reported-By: Toke Høiland-Jørgensen <toke@toke.dk>
Tested-by: Toke Høiland-Jørgensen <toke@toke.dk>
2022-02-03 09:44:08 -06:00
Denis Kenzior
fe2272c112 dbus: netdev/wheel do not use .Agent interface
There is no need to punch the holes for netdev/wheel groups to send to
the .Agent interface.  This is only done by the iwd daemon itself and
the policy for user 'root' already takes care of this.
2022-01-31 14:06:20 -06:00
James Prestwood
6ff99f1766 scan: parse BSS_SIGNAL_UNSPEC, fix potential zero signal
A select few drivers send this instead of SIGNAL_MBM. The docs say this
value is the signal 'in unspecified units, scaled to 0..100'. The range
for SIGNAL_MBM is -10000..0 so this can be scaled to the MBM range easy
enough...

Now, this isn't exactly correct because this value ultimately gets
returned from GetOrderedNetworks() and is documented as 100 * dBm where
in reality its just a unit-less signal strength value. Its not ideal, but
this patch at least will fix BSS ranking for these few drivers.
2022-01-31 13:40:19 -06:00
Diederik de Haas
010b0e27f9 dbus: Remove 'at_console', add 'netdev' settings
The 'at_console' D-Bus policy setting has been deprecated for more then
10 years and could be ignored at any time in the future. Moreover, while
the intend was to allow locally logged on users to interact with iwd, it
didn't actually do that.
More info at https://www.spinics.net/lists/linux-bluetooth/msg75267.html
and https://gitlab.freedesktop.org/dbus/dbus/-/issues/52
Therefor remove the 'at_console' setting block.

On Debian (based) systems, there is a standard defined group which is
allowed to manage network interfaces, and that is the 'netdev' group.
So add a D-Bus setting block to grant the 'netdev' group that access.
2022-01-26 14:03:27 -06:00
James Prestwood
d4b93220c5 sae: fix missing reallocarray definition
Building on GCC 8 resulted in this compiler error.

src/sae.c:107:25: error: implicit declaration of function 'reallocarray';
	did you mean 'realloc'? [-Werror=implicit-function-declaration]
	sm->rejected_groups = reallocarray(NULL, 2, sizeof(uint16_t));
2022-01-26 13:21:52 -06:00
Denis Kenzior
b47ada02bf treewide: Fix compiler warnings
src/erp.c:134:10: error: comparison of integer expressions of different
signedness: 'unsigned int' and 'int' [-Werror=sign-compare]

src/eap-ttls.c:378:10: error: comparison of integer expressions of different signedness: 'uint32_t' {aka 'unsigned int'} and 'int' [-Werror=sign-compare]
2022-01-26 13:21:52 -06:00
James Prestwood
d22b174a73 handshake: use _hs directly in handshake_event
Fixes the following crash:
 #0  0x000211c4 in netdev_connect_event (msg=<optimized out>, netdev=0x2016940) at src/netdev.c:2915
 #1  0x76f11220 in process_multicast (nlmsg=0x7e8acafc, group=<optimized out>, genl=<optimized out>) at ell/genl.c:1029
 #2  received_data (io=<optimized out>, user_data=<optimized out>) at ell/genl.c:1096
 #3  0x76f0da08 in io_callback (fd=<optimized out>, events=1, user_data=0x200a560) at ell/io.c:120
 #4  0x76f0ca78 in l_main_iterate (timeout=<optimized out>) at ell/main.c:478
 #5  0x76f0cb74 in l_main_run () at ell/main.c:525
 #6  l_main_run () at ell/main.c:507
 #7  0x76f0cdd4 in l_main_run_with_signal (callback=callback@entry=0x18c94 <signal_handler>, user_data=user_data@entry=0x0)
   at ell/main.c:647
 #8  0x00018178 in main (argc=<optimized out>, argv=<optimized out>) at src/main.c:532

This crash was introduced in commit:
4d2176df29 ("handshake: Allow event handler to free handshake")

The culprit seems to be that 'hs' is being used both in the caller and
in the macro.  Since the macro defines a variable 'hs' in local block
scope, it overrides 'hs' from function scope.  Yet (_hs) still evaluates
to 'hs' leading the local variable to be initialized with itself.  Only
the 'handshake_event(hs, HANDSHAKE_EVENT_SETTING_KEYS))' is affected
since it is the only macro invocation that uses 'hs' from function
scope.  Thus, the crash would only happen on hardware supporting handshake
offload (brcmfmac).

Fix this by removing the local scope variable declaration and evaluate
(_hs) instead.

Fixes: 4d2176df29 ("handshake: Allow event handler to free handshake")
2022-01-26 13:20:00 -06:00
James Prestwood
b2d0bb08a0 network: fix double whitespace 2022-01-24 16:39:45 -06:00
Denis Kenzior
30b04bc3bb json: Tighten up json_iter_get_int/get_uint
- Ensure that input isn't an empty string

- Ensure that EINVAL errno (which could be optionally returned by
  strto{ul|l} is also checked.

- Since strtoul allows '+' and '-' characters in input, ensure that
  input which is expected to be an unsigned number doesn't start with
  '-'
2022-01-23 11:22:34 -06:00
James Prestwood
26b7446178 sae: pass exact length to l_ecc_point_from_data
l_ecc_point_from_data now strictly enforces the buffer length.
2022-01-21 13:44:59 -06:00
James Prestwood
d8116e8828 dpp-util: add dpp_point_from_asn1()
Given an ASN1 blob of the right form, parse and create
an l_ecc_point object. The form used is specific to DPP
hence why this isn't general purpose and put into dpp-util.
2022-01-21 10:52:26 -06:00
Andrew Zaborowski
dfaf6e045f p2p: Fix ie_tlv_extract_wfd_payload call typo 2022-01-21 08:53:35 -06:00
Andrew Zaborowski
4d2176df29 handshake: Allow event handler to free handshake
Like in ap.c, allow the event callback to mark the handshake state as
destroyed, without causing invalid accesses after the callback has
returned.  In this case the crash was because try_handshake_complete
needed to access members of handshake_state after emitting the event,
as well as access the netdev, which also has been destroyed:

==257707== Invalid read of size 8
==257707==    at 0x408C85: try_handshake_complete (netdev.c:1487)
==257707==    by 0x408C85: try_handshake_complete (netdev.c:1480)
(...)
==257707==  Address 0x4e187e8 is 856 bytes inside a block of size 872 free'd
==257707==    at 0x484621F: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==257707==    by 0x437887: ap_stop_handshake (ap.c:151)
==257707==    by 0x439793: ap_del_station (ap.c:316)
==257707==    by 0x43EA92: ap_station_disconnect (ap.c:3411)
==257707==    by 0x43EA92: ap_station_disconnect (ap.c:3399)
==257707==    by 0x454276: p2p_group_event (p2p.c:1006)
==257707==    by 0x439147: ap_event (ap.c:281)
==257707==    by 0x4393AB: ap_new_rsna (ap.c:390)
==257707==    by 0x4393AB: ap_handshake_event (ap.c:1010)
==257707==    by 0x408C7F: try_handshake_complete (netdev.c:1485)
==257707==    by 0x408C7F: try_handshake_complete (netdev.c:1480)
(...)
2022-01-21 08:51:49 -06:00
Andrew Zaborowski
079489bd66 ap: Don't defer ap_reset when ap_free called in event
Previously we added logic to defer doing anything in ap_free() to after
the AP event handler has returned so that ap_event() has a chance to
inform whoever called it that the ap_state has been freed.  But there's
also a chance that the event handler is destroying both the AP and the
netdev it runs on, so after the handler has returned we can't even use
netdev_get_wdev_id or netdev_get_ifindex.  The easiest solution seems to
be to call ap_reset() in ap_free() even if we're within an event handler
to ensure we no longer need any external objects.  Also make sure
ap_reset() can be called multiple times.

Another option would be to watch for NETDEV_WATCH_EVENT_DEL and remove
our reference to the netdev (because there's no need actually call
l_rtnl_ifaddr_delete or frame_watch_wdev_remove if the netdev was
destroyed -- frame_watch already tracks netdev removals), or to save
just the ifindex and the wdev id...
2022-01-21 08:51:04 -06:00
James Prestwood
76b6aa66b3 dpp: fix dpp_offchannel_start corner cases
The purpose of this was to have a single utility to both cancel an
existing offchannel operation (if one exists) and start a new one.

The problem was the previous offchannel operation was being canceled
first which opened up the radio work queue to other items. This is
not desireable as, for example, a scan would end up breaking the
DPP protocol most likely.

Starting the new offchannel then canceling is the correct order of
operations but to do this required saving the new ID, canceling, then
setting offchannel_id to the new ID so dpp_presence_timeout wouldn't
overwrite the new ID to zero.

This also removes an explicit call to offchannel_cancel which is
already done by dpp_offchannel_start.
2022-01-20 14:19:56 -06:00
James Prestwood
8ce491fbb2 dpp: use own/peer naming rather than i/r
Several members are named based on initiator/responder (i/r)
terminology. Eventually both initiator and responder will be
supported so rename these members to use own/peer naming
instead.
2022-01-20 14:11:44 -06:00