3
0
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2024-12-25 16:42:37 +01:00
Commit Graph

7342 Commits

Author SHA1 Message Date
John Brandt
5fb3ac5937 eapol: include IGTK in 4-way handshake as AP
When SAE with MFP is being used, include the IGTK in message 3 of the
4-way handshake.
2024-05-07 11:19:51 -05:00
John Brandt
9274f70fec handshake: add functions to save and set IGTK
To add MFP support in the AP mode, add utility functions to save the
IGTK and to add the IGTK to handshake messages.
2024-05-07 11:15:25 -05:00
John Brandt
78bdb26296 eapol: encrypt key data for AKM-defined ciphers
Support encrypting key data when the cipher is AKM-defined. This is
needed to support SAE in AP mode.
2024-05-07 11:03:45 -05:00
John Brandt
3132e9f595 eapol: support PTK derivation with SHA256
Support PTK derivation in case the negotiated AKM requires SHA256. This
is needed to support SAE in AP mode.
2024-05-07 10:52:20 -05:00
John Brandt
b9e4dfbd40 sae: support reception of Confirm frame by AP
Experimental AP-mode support for receiving a Confirm frame when in the
COMMITTED state. The AP will reply with a Confirm frame.

Note that when acting as an AP, on reception of a Commit frame, the AP
only replies with a Commit frame. The protocols allows to also already
send the Confirm frame, but older clients may not support simultaneously
receiving a Commit and Confirm frame.
2024-05-07 10:50:39 -05:00
John Brandt
2e80a09184 sae: refactor and add function sae_calculate_keys
Refactor code by moving code to the new function sae_calculate_keys.
This will make it easier in the next commits to add SAE support for AP
mode.
2024-05-07 10:50:39 -05:00
John Brandt
49cddea10b unit: fix SAE unit tests
Don't mark either client as being the authenticator. In the current unit
tests, both instances act as clients to test functionality. This ensures
the unit does not show an error during the following commits where SAE
for AP mode is added.
2024-05-07 10:50:39 -05:00
Marcel Holtmann
be3f6a2ca0 udev: Add module for checking interface renaming actions 2024-04-16 14:57:57 +02:00
James Prestwood
88d3261bc2 unit: fix test-band with new rate estimation returns
-ENETUNREACH is the correct return to check as this indicates either
the RSSI was too low or the local capabilities were not compatible.
2024-04-15 16:51:54 -05:00
James Prestwood
e5816b024f band: return -ENETUNREACH for HE rate estimation
This was overlooked in a prior patch and causes warnings to be
printed when the RSSI is too low to estimate an HE data rate or
due to incompatible local capabilities (e.g. MCS support).

Similar to the other estimations, return -ENETUNREACH if the IE
was valid but incompatible.
2024-04-15 16:51:54 -05:00
James Prestwood
9cdc726dc1 wiphy: handle -ENETUNREACH for rate estimation
If the RSSI is too low or the local capabilities were not
compatible to estimate the rate don't warn but instead treat
this the same as -ENOTSUP and drop down to the next capability
set.
2024-04-15 16:51:54 -05:00
James Prestwood
e196cb1178 wiphy: include MAC of BSS with invalid HE capabilities
The prior print was not very descriptive, and now will log the
MAC of the offending BSS.
2024-04-15 16:51:54 -05:00
Marcel Holtmann
468cecdbca Release 2.17 2024-03-29 00:26:29 +01:00
Marcel Holtmann
546dea11b6 build: Require at least version 0.64 when building with external ELL 2024-03-29 00:03:13 +01:00
Ed Smith
da13aab419 Register EAPOL frame listeners earlier
If we register the main EAPOL frame listener as late as the associate
event, it may not observe ptk_1_of_4. This defeats handling for early
messages in eapol_rx_packet, which only sees messages once it has been
registered.

If we move registration to the authenticate event, then the EAPOL
frame listeners should observe all messages, without any possible
races. Note that the messages are not actually processed until
eapol_start() is called, and we haven't moved that call site. All
that's changing here is how early EAPOL messages can be observed.
2024-03-28 17:41:07 -05:00
James Prestwood
ccd702f7da netdev: use CMD_DEAUTHENTICATE when needed on disconnect
netdev_disconnect() was unconditionally sending CMD_DISCONNECT which
is not the right behavior when IWD has not associated. This means
that if a connection was started then immediately canceled with
the Disconnect() method the kernel would continue to authenticate.

Instead if IWD has not yet associated it should send a deauth
command which causes the kernel to correctly cleanup its state and
stop trying to authenticate.

Below are logs showing the behavior. Autoconnect is started followed
immediately by a DBus Disconnect call, yet the kernel continues
sending authenticate events.

event: state, old: autoconnect_quick, new: connecting (auto)
src/scan.c:scan_cancel() Trying to cancel scan id 1 for wdev 7d
src/wiphy.c:wiphy_radio_work_done() Work item 1 done
src/wiphy.c:wiphy_radio_work_next() Starting work item 2
src/netdev.c:netdev_mlme_notify() MLME notification New Station(19)
src/station.c:station_dbus_disconnect()
src/station.c:station_reset_connection_state() 85
src/station.c:station_roam_state_clear() 85
event: state, old: connecting (auto), new: disconnecting
src/wiphy.c:wiphy_radio_work_done() Work item 2 done
src/station.c:station_connect_cb() 85, result: 5
src/station.c:station_disconnect_cb() 85, success: 1
event: state, old: disconnecting, new: disconnected
src/netdev.c:netdev_mlme_notify() MLME notification Authenticate(37)
src/netdev.c:netdev_authenticate_event()
Unexpected connection related event -- is another supplicant running?
src/netdev.c:netdev_mlme_notify() MLME notification Authenticate(37)
src/netdev.c:netdev_authenticate_event()
Unexpected connection related event -- is another supplicant running?
src/netdev.c:netdev_mlme_notify() MLME notification Authenticate(37)
src/netdev.c:netdev_authenticate_event()
Unexpected connection related event -- is another supplicant running?
src/netdev.c:netdev_mlme_notify() MLME notification Del Station(20)
src/netdev.c:netdev_mlme_notify() MLME notification Authenticate(37)
src/netdev.c:netdev_authenticate_event()
Unexpected connection related event -- is another supplicant running?
2024-03-28 17:16:37 -05:00
James Prestwood
6365c1f6de wiphy: add better handling for rate estimation errors
In most cases any failure here is likely just due to the AP not
supporting the feature, whether its HE/VHT/HE. This should result
in the estimation returning -ENOTSUP in which case we move down
the list. Any other non-zero return we will now warn to make it
clear the IEs did exist, but were not properly formatted.

All length check failures were changed to continue instead of
fail. This will now treat invalid lengths as if the IE did not
exist.

In addition HE specifically has an extra validation function which,
if failed, was bailing out of the estimation function entirely.
Instead this is now treated as if there was no HE capabilities and
the logic can move down to VHT, HT, or basic rates.
2024-03-28 10:21:08 -05:00
James Prestwood
2f2b5740da band: make HE/no-HT rate estimators return more descriptive
If the IEs were not provided return -ENOTSUP rather than -EINVAL
or -EBADMSG since this just means the AP doesn't support those
capabilities.
2024-03-28 10:20:53 -05:00
James Prestwood
6b94ab3889 iwmon: fix incorrect mask printing HE capabilities
This was changed from too large of a mask (0xff) in an earlier
commit but was masking 5 bits instead of 6.

Fixes: 121c2c5653 ("monitor: properly mask HE capabilities bitfield")
2024-03-15 08:46:56 -05:00
James Prestwood
6bedcb4622 client: fix two issues caught by static analysis
- va_end was not being called on an error condition
 - An uninitialized struct was being accessed if ioctl failed
2024-03-11 22:08:26 -05:00
James Prestwood
121c2c5653 monitor: properly mask HE capabilities bitfield
Caught by static analysis, the bitfield was incorrect and was masking
8 entries (0xff), not 5 (0x1f).
2024-03-11 22:08:19 -05:00
James Prestwood
eb3345b51b eap-mschapv2: Check Password-Hash exists when loading settings
Caught by static analysis, the Password-Hash was never validated so
it could end up memcpying from a NULL pointer.
2024-03-11 22:08:02 -05:00
James Prestwood
795f57e816 p2p: check connected peer before processing request
Caught by static analysis, the dev->conn_peer pointer was being
dereferenced very early on without a NULL check, but further it
was being NULL checked. If there is a possibility of it being NULL
the check should be done much earlier.
2024-03-11 22:07:37 -05:00
James Prestwood
71a7190ed2 eap-mschapv2: remove unneeded initialization 2024-03-04 13:48:08 -06:00
James Prestwood
405b897687 dpp: check wrapped data exists in authenticate response 2024-03-04 13:48:08 -06:00
James Prestwood
62e2a3535d files: remove unneeded initialization 2024-03-04 13:48:08 -06:00
James Prestwood
d9aaf6c842 ie: remove unneeded initialization 2024-03-04 13:48:08 -06:00
James Prestwood
b7559d68c7 client: remove unneeded initialization 2024-03-04 13:48:08 -06:00
Marcel Holtmann
8bb3e3c4fa Release 2.16 2024-03-04 08:51:22 +01:00
James Prestwood
c76f7eac05 auto-t: add ability to reserve radios not for IWD/hostapd/etc
If the test needs to do something very specific it may be useful to
prevent IWD from managing all the radios. This can now be done
by setting a "reserve" option in the radio settings. The value of
this should be something other than iwd, hostapd, or wpa_supplicant.

For example:

[rad1]
reserve=false
2024-03-01 08:42:02 -06:00
James Prestwood
c2ad0006eb ap: bail in ap_del_station if AP is going down
Caught by static analysis, if this condition is met the AP is going
down so we cannot continue further accessing the ap object.
2024-02-29 14:37:49 -06:00
James Prestwood
5fcfb430b2 ap: verify ATTR_MAC exists in NEW_STATION
Caught by static analysis, if ATTR_MAC was not in the message there
would be a memcpy with uninitialized bytes. In addition there is no
reason to memcpy twice. Instead 'mac' can be a const pointer which
both verifies it exists and removes the need for a second memcpy.
2024-02-29 14:37:42 -06:00
James Prestwood
3a17c8e3c5 nl80211util: check l_genl_attr_recurse return in extract_nested
Caught by static analysis, the recurse operation return was not being
checked.
2024-02-29 14:37:29 -06:00
James Prestwood
6febe5bed1 ap: allow va_end to get called in ap_handshake_event
Caught by static analysis, va_end was never being called since the
REKEY_COMPLETE event was returning early.
2024-02-29 14:37:19 -06:00
James Prestwood
338577bb3a ap: check that the last band_freq_attrs was set
Static analysis complains that 'last' could be NULL which is true.
This really could only happen if every frequency was disabled which
likely is impossible but in any case, check before dereferencing
the pointer.
2024-02-29 14:37:01 -06:00
James Prestwood
83c032a583 p2putil: check length of client info description
A length check was missing which could cause a out of bounds read.

Co-authored-by: Alex Radocea <alex@supernetworks.org>
2024-02-29 14:36:16 -06:00
James Prestwood
d34b4e16e0 p2putil: initialize all parsing structures to zero
Since these are all stack variables they are not zero initialized.
If parsing fails there may be invalid pointers within the structures
which can get dereferenced by p2p_clear_*
2024-02-29 14:33:23 -06:00
James Prestwood
52a47c9fd4 p2putil: fix crash/remove side effect parsing adv service info
The input queue pointer was being initialized unconditionally so if
parsing fails the out pointer is still set after the queue is
destroyed. This causes a crash during cleanup.

Instead use a temporary pointer while parsing and only after parsing
has finished do we set the out pointer.

Reported-By: Alex Radocea <alex@supernetworks.org>
2024-02-29 14:32:53 -06:00
James Prestwood
816d258cab auto-t: Add frame fuzzing test
Add a test to validate a crash found by Alex Radocea when sending
a fuzzed beacon frame.

Co-authored-by: Alex Radocea <alex@supernetworks.org>
2024-02-29 14:32:33 -06:00
James Prestwood
5067654a6d auto-t: end process_io on HUP signal, detect process crash
When HUP is received the IO read callback was never completing which
caused it to block indefinitely until waited for. This didn't matter
for most transient processes but for IWD, hostapd, wpa_supplicant
it would cause test-runner to hang if the process crashed.

Detecting a crash is somewhat hacky because we have no process
management like systemd and the return code isn't reliable as some
processes return non-zero under normal circumstances. So to detect
a crash the process output is being checked for the string:
"++++++++ backtrace ++++++++". This isn't 100% reliable obviously
since its dependent on how the binary is compiled, but even if the
crash itself isn't detected any test should still fail if written
correctly.

Doing this allows auto-tests to handle IWD crashes gracefully by
failing the test, printing the exception (event without debugging)
and continue with other tests.
2024-02-29 14:31:55 -06:00
Denis Kenzior
aef394895d netconfig: Fix copy-paste error
netconfig_domains_update() was setting dns_list instead of the domains
member.
2024-02-28 11:51:33 -06:00
James Prestwood
cdbd59103e auto-t: fix netconfig to handle resolvconf values out of order
The slaac_test was one that would occationally fail, but very rarely,
due to the resolvconf log values appearing in an unexpected order.

This appears to be related to a typo in netconfig-commit which would
not set netconfig-domains and instead set dns_list. This was fixed
with a pending patch:

https://lore.kernel.org/iwd/20240227204242.1509980-1-denkenz@gmail.com/T/#u

But applying this now leads to testNetconfig failing slaac_test
100% of the time.

I'm not familiar enough with resolveconf to know if this test change
is ok, but based on the test behavior the expected log and disk logs
are the same, just in the incorrect order. I'm not sure if this the
log order is deterministic so instead the check now iterates the
expected log and verifies each value appears once in the resolvconf
log.

Here is an example of the expected vs disk logs after running the
test:

Expected:

-a wlan1.dns
nameserver 192.168.1.2
nameserver 3ffe:501:ffff💯:10
nameserver 3ffe:501:ffff💯:50
-a wlan1.domain
search test1
search test2

Resolvconf log:

-a wlan1.domain
search test1
search test2
-a wlan1.dns
nameserver 192.168.1.2
nameserver 3ffe:501:ffff💯:10
nameserver 3ffe:501:ffff💯:50
2024-02-28 11:50:54 -06:00
Denis Kenzior
52c6a6b8ea eap-wsc: Zero authenticator bytes to fix static analysis warning
static analysis complains that authenticator is used uninitialized.
This isn't strictly true as memory region is reserved for the
authenticator using the contents of the passed in structure.  This
region is then overwritten once the authenticator is actually computed
by authenticator_put().  Silence this warning by explicitly setting
authenticator bytes to 0.

Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
2024-02-28 09:13:30 -06:00
James Prestwood
42273fd122 station: warn on missing scan_bss in station_transition_start
This shouldn't be possible in theory since the roam_bss_list being
iterated is a subset of entire scan_bss list station/network has
but to be safe, and catch any issues due to future changes warn on
this condition.
2024-02-27 16:04:11 -06:00
James Prestwood
14aa333a39 crypto: fix uninitialized variable coverity warning
Same as for aes_siv_decrypt, check num_ads before calling memcpy.
2024-02-27 16:04:11 -06:00
James Prestwood
ee52968043 crypto: fix uninitialized variable coverity warning
For some encrypt operations DPP passes no AD iovecs (both are
NULL/0). But since the iovec itself is on the stack 'ad' is a
valid pointer from within aes_siv_encrypt. This causes memcpy
to be called which coverity complains about. Since the copy
length is zero it was effectively a no-op, but check num_ad to
prevent the call.
2024-02-27 14:33:33 -06:00
James Prestwood
d13af0a4a2 unit: fix memory leak in test-dpp 2024-02-27 14:33:29 -06:00
James Prestwood
9f18bf402c auto-t: add OWE test for auto default group 2024-02-27 13:55:37 -06:00
James Prestwood
9d4c34dc7a auto-t: Add test for new SAE default group behavior
Tests the 3 possible options to UseDefaultEccGroup behave as
expected:
 - When not provided use the "auto" behavior.
 - When false, always use higher order groups
 - When true, always use default group
2024-02-27 13:55:37 -06:00
James Prestwood
e296a61e3f auto-t: refactor/fix testSAE
The SAE test made some assumptions on certain conditions due to
there being no way of checking if those conditions were met
Mainly the use of H2E/hunt-and-peck.

We assumed that when we told hostapd to use H2E or hunt/peck it
would but in reality it was not. Hostapd is apparently not very
good at swapping between the two with a simple "reload" command.
Once H2E is enabled it appears that it cannot be undone.
Similarly the vendor elements seem to carry over from test to
test, and sometimes not which causes unintended behavior.

To fix this create separate APs for the specific scenario being
tested:
 - Hunt and peck
 - H2E
 - Special vendor_element simulating buggy APs

Another issue found was that if password identifies are used
hostapd automatically chooses H2E which was not intented, at
least based on the test names (in reality it wasn't causing any
problems).

The tests have also been improved to use hostapds "sta_status"
command which contains the group number used when authenticating,
so now that at least can be verified.
2024-02-27 13:55:37 -06:00