According to the specification, Supported rates IE is supposed
to have a maximum length of eight rate bytes. In the wild an
Access Point is found to add 12 bytes of data instead of placing
excess rate bytes in an Extended Rates IE.
BSS: len 480
BSSID 44:39:C4:XX:XX:XX
Probe Response: true
TSF: 0 (0x0000000000000000)
IEs: len 188
...
Supported rates:
1.0(B) 2.0(B) 5.5(B) 6.0(B) 9.0 11.0(B) 12.0(B) 18.0 Mbit/s
24.0(B) 36.0 48.0 54.0 Mbit/s
82 84 8b 8c 12 96 98 24 b0 48 60 6c .......$.H`l
DSSS parameter set: channel 3
03
...
Any following IEs decode nicely, thus it seems that we can relax
Supported Rates IE length handling to support this thermostat.
After moving AP EAPoL code into eapol.c there were a few functions that
no longer needed to be public API's. These were changed to static's and
the header definition was removed.
Set an upper limit on a fragmented EAP-TLS request size similar to how
we do it in EAP-TTLS. While there make the code more similar to the
EAP-TTLS flag processing to keep them closer in sync. Note that the
spec suggests a 64KB limit but it's not clear if that is for the TLS
record or EAP request although it takes into account the whole TLS
negotiation so it might be good for both.
==24195== Syscall param socketcall.sendto(msg) points to uninitialised byte(s)
==24195== at 0x4F3DBEF: sendto (in /lib64/libc-2.26.so)
==24195== by 0x13A453: can_write_data (netlink.c:119)
==24195== by 0x13866B: io_callback (io.c:149)
==24195== by 0x137365: l_main_iterate (main.c:389)
==24195== by 0x1374A3: l_main_run (main.c:436)
==24195== by 0x113524: main (main.c:832)
==24195== Address 0x5205f99 is 57 bytes inside a block of size 88 alloc'd
==24195== at 0x4C2D0AF: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==24195== by 0x133931: l_malloc (util.c:62)
==24195== by 0x13AEF3: l_netlink_send (netlink.c:411)
==24195== by 0x112351: rtm_interface_send_message (main.c:276)
==24195== by 0x1126F3: iwmon_interface_lookup (main.c:405)
==24195== by 0x11351F: main (main.c:830)
==24195== Uninitialised value was created by a heap allocation
==24195== at 0x4C2D0AF: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==24195== by 0x133931: l_malloc (util.c:62)
==24195== by 0x11217B: rtm_interface_send_message (main.c:234)
==24195== by 0x1126F3: iwmon_interface_lookup (main.c:405)
==24195== by 0x11351F: main (main.c:830)
Some of the TTLS server implementations set the L flag in the fragment
packets other than the first one. To stay interoperable with such devices,
iwd is relaxing the L bit check.
==23290== Invalid read of size 4
==23290== at 0x12D334: timeout_destroy (timeout.c:61)
==23290== by 0x12CDD1: l_main_exit (main.c:466)
==23290== by 0x111F3B: main (main.c:835)
==23290== Address 0x5211d80 is 0 bytes inside a block of size 32 free'd
==23290== at 0x4C2E1BB: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==23290== by 0x111F36: main (main.c:833)
==23290== Block was alloc'd at
==23290== at 0x4C2CF8F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==23290== by 0x12A74D: l_malloc (util.c:62)
==23290== by 0x12D40F: timeout_create_with_nanoseconds (timeout.c:135)
==23290== by 0x112A31: signal_handler (main.c:661)
==23290== by 0x12D03A: signal_callback (signal.c:82)
==23290== by 0x12CC6D: l_main_iterate (main.c:387)
==23290== by 0x12CD3B: l_main_run (main.c:434)
==23290== by 0x1121F2: main (main.c:821)
==23290==
==23290== Invalid read of size 8
==23290== at 0x12D33B: timeout_destroy (timeout.c:64)
==23290== by 0x12CDD1: l_main_exit (main.c:466)
==23290== by 0x111F3B: main (main.c:835)
==23290== Address 0x5211d90 is 16 bytes inside a block of size 32 free'd
==23290== at 0x4C2E1BB: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==23290== by 0x111F36: main (main.c:833)
==23290== Block was alloc'd at
==23290== at 0x4C2CF8F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==23290== by 0x12A74D: l_malloc (util.c:62)
==23290== by 0x12D40F: timeout_create_with_nanoseconds (timeout.c:135)
==23290== by 0x112A31: signal_handler (main.c:661)
==23290== by 0x12D03A: signal_callback (signal.c:82)
==23290== by 0x12CC6D: l_main_iterate (main.c:387)
==23290== by 0x12CD3B: l_main_run (main.c:434)
==23290== by 0x1121F2: main (main.c:821)
==23290==
==23290== Invalid write of size 4
==23290== at 0x12D33F: timeout_destroy (timeout.c:62)
==23290== by 0x12CDD1: l_main_exit (main.c:466)
==23290== by 0x111F3B: main (main.c:835)
==23290== Address 0x5211d80 is 0 bytes inside a block of size 32 free'd
==23290== at 0x4C2E1BB: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==23290== by 0x111F36: main (main.c:833)
==23290== Block was alloc'd at
==23290== at 0x4C2CF8F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==23290== by 0x12A74D: l_malloc (util.c:62)
==23290== by 0x12D40F: timeout_create_with_nanoseconds (timeout.c:135)
==23290== by 0x112A31: signal_handler (main.c:661)
==23290== by 0x12D03A: signal_callback (signal.c:82)
==23290== by 0x12CC6D: l_main_iterate (main.c:387)
==23290== by 0x12CD3B: l_main_run (main.c:434)
==23290== by 0x1121F2: main (main.c:821)
Switch EAP-MD5 to use the common password setting key nomenclature.
The key name has been changed from PREFIX-MD5-Secret to PREFIX-Password.
Note: The old key name is supported.
In addition, this patch adds an ability to request Identity and/or
Password from user.
testWPA was not verifying connectivity between the two interfaces. Funny
enough, doing this resulted in the same problems that adhoc had where
we were setting the connection as complete before the gtk/igtk were set.
This is fixed now so we can now use testutil in this test.
Adhoc was not waiting for BOTH handshakes to complete before adding the
new peer to the ConnectedPeers property. Actually waiting for the gtk/igtk
(in a previous commit) helps with this, but adhoc also needed to keep track
of which handshakes had completed, and only add the peer once BOTH were done.
This required a small change in netdev, where we memcmp the addresses from
both handshakes and only set the PTK on one.
Currently, netdev triggers the HANDSHAKE_COMPLETE event after completing
the SET_STATION (after setting the pairwise key). Depending on the timing
this may happen before the GTK/IGTK are set which will result in group
traffic not working initially (the GTK/IGTK would still get set, but group
traffic would not work immediately after DBus said you were connected, this
mainly poses a problem with autotests).
In order to fix this, several flags were added in netdev_handshake_state:
ptk_installed, gtk_installed, igtk_installed, and completed. Each of these
flags are set true when their respective keys are set, and in each key
callback we try to trigger the handshake complete event (assuming all the
flags are true). Initially the gtk/igtk flags are set to true, for reasons
explained below.
In the WPA2 case, all the key setter functions are called sequentially from
eapol. With this change, the PTK is now set AFTER the gtk/igtk. This is
because the gtk/igtk are optional and only set if group traffic is allowed.
If the gtk/igtk are not used, we set the PTK and can immediately trigger the
handshake complete event (since gtk_installed/igtk_installed are initialized
as true). When the gtk/igtk are being set, we immediately set their flags to
false and wait for their callbacks in addition to the PTK callback. Doing it
this way handles both group traffic and non group traffic paths.
WPA1 throws a wrench into this since the group keys are obtained in a
separate handshake. For this case a new flag was added to the handshake_state,
'wait_for_gtk'. This allows netdev to set the PTK after the initial 4-way,
but still wait for the gtk/igtk setters to get called before triggering the
handshake complete event. As a precaution, netdev sets a timeout that will
trigger if the gtk/igtk setters are never called. In this case we can still
complete the connection, but print a warning that group traffic will not be
allowed.
