mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2024-12-23 06:02:37 +01:00
Commit Graph

347 Commits

Author SHA1 Message Date
James Prestwood
01cd858760 storage: implement network profile encryption
Some users don't like the idea of storing network credentials in
plaintext on the file system.  This patch implements an option to
encrypt such profiles using a secret key.  The origin of the key can in
theory be anything, but would typically be provided by systemd via
'LoadEncryptedCredential' setting in the iwd unit file.

The encryption operates on the entire [Security] group as well as all
embedded groups. Once encrypted the [Security] group will be replaced
with two key/values:

EncryptedSalt - A random string of bytes used for the encryption
EncryptedSecurity - A string of bytes containing the encrypted
                    [Security] group, as well as all embedded groups.

After the profile has been encrypted these values should not be
modified.  Note that any values added to [Security] after encryption
have no effect.  Once the profile is encrypted there is no way to modify
[Security] without manually decrypting first, or just re-creating it
entirely, which is effectively treated as a 'new' profile.

The encryption/decryption is done using AES-SIV with a salt value and
the network SSID as the IV.

Once a key is set any profiles opened will automatically be encrypted
and re-written to disk.  Modules using network_storage_open will be
provided the decrypted profile, and will be unaware it was ever
encrypted in the first place.  Similarly when network_storage_sync is
called the profile will be automatically encrypted and written to disk
without the caller needing to do anything special.

A few private storage.c helpers were added to serve several purposes:

storage_init/exit():
This sets/cleans up the encryption key directly from systemd then uses
extract and expand to create a new fixed length key to perform
encryption/decryption.

__storage_decrypt():
Low level API to decrypt an l_settings object using a previously set
key and the SSID/name for the network.  This returns a 'changed' out
parameter signifying that the settings need to be encrypted and
re-written to disk.  The purpose of exposing this is for a standalone
decryption tool which does not re-write any settings.

storage_decrypt():
Wrapper around __storage_decrypt() that handles re-writing a new
profile to disk. This was exposed in order to support hotspot profiles.

__storage_encrypt():
Encrypts an l_settings object and returns the full profile as data
2022-02-15 17:19:33 -06:00
James Prestwood
52fafd8f5b dpp-util: use ell/asn1-private.h for ASN1 generation
ASN1 parsing will soon be required which will need some utilities in
asn1-private.h. To avoid duplication include this private header and
replace the OIDs with the defined structures as well as remove the
duplicated macros.
2022-01-20 13:59:37 -06:00
Denis Kenzior
04fccea63b doc: Add sample main.conf file
This file is meant as a sample and contains only the most typically
changed settings.  For other settings users should refer to the
iwd.config manual page.
2022-01-03 14:24:19 -06:00
Denis Kenzior
1dcab170b6 hwsim: Keep track of interface types 2021-12-27 23:25:24 -06:00
James Prestwood
ba040219ce client: add DPP client commands
Two commands were added:

dpp <iface> start-enrollee
dpp <iface> start-configurator
dpp <iface> stop

In addition there is support for using the qrencode utility for displaying
the QR code after DPP is started (enrollee or configurator). If qrencode is
found on the system the QR code will be displayed. Otherwise only the URI
will be printed to the console.
2021-12-20 18:13:44 -06:00
James Prestwood
992deb36d4 dpp-util: add dpp_parse_configuration_object
This parses the configuration JSON object from the configuration
response. Only a minimal configuration object is supported for
now.
2021-12-16 14:29:18 -06:00
James Prestwood
acfbc34909 dpp: initial skeleton DPP module 2021-12-16 13:53:29 -06:00
James Prestwood
e04c363d9f unit: add JSON unit test 2021-12-10 17:33:47 -06:00
James Prestwood
abfd749335 json: introduce JSON module
This is a minimal wrapper around jsmn.h to make things a bit easier
for iterating through a JSON object.

To use, first parse the JSON and create a contents object using
json_contents_new(). This object can then be used to initialize a
json_iter object using json_iter_init().

The json_iter object can then be parsed with json_iter_parse by
passing in JSON_MANDATORY/JSON_OPTIONAL arguments. Currently only
JSON_STRING and JSON_OBJECT types are supported. Any JSON_MANDATORY
values that are not found will result in an error.

If a JSON_OPTIONAL string is not found, the pointer will be NULL.
If a JSON_OPTIONAL object is not found, this iterator will be
initialized but 'start' will be -1. This can be checked with a
convenience macro json_object_not_found();
2021-12-10 17:33:47 -06:00
James Prestwood
43037a94cf unit: add unit test for DPP crypto operations 2021-12-06 16:36:15 -06:00
James Prestwood
cdf05183b9 dpp-util: Introduce dpp-util, and add crypto operations 2021-12-06 15:54:37 -06:00
James Prestwood
bc36aca98e offchannel: introduce new offchannel module
This module provides a convenient wrapper around both
CMD_[CANCEL_]_REMAIN_ON_CHANNEL APIs.

Certain protocols require going offchannel to send frames, and/or
wait for a response. The frame-xchg module somewhat does this but
has some limitations. For example you cannot just go offchannel;
an initial frame must be sent out to start the procedure. In addition
frame-xchg does not work for broadcasts since it expects an ACK.

This module is much simpler and only handles going offchannel for
a duration. During this time frames may be sent or received. After
the duration the caller will get a callback and any included error
if there was one. Any offchannel request can be cancelled prior to
the duration expiring if the offchannel work has finished early.
2021-12-06 14:10:39 -06:00
James Prestwood
cd15a1698b build: update unit tests with util.c/band.c dependency 2021-11-30 12:29:49 -06:00
James Prestwood
6ea58f9fde sysfs: introduce sysfs module
Netconfig was the only user of sysfs but now other modules will
also need it.

Adding existing API for IPv6 settings, an IPv4 and IPv6 'supports'
checker, and a setter for IPv4 settings.
2021-11-03 17:44:00 -05:00
Denis Kenzior
48b0a95528 client: Print daemon information at startup 2021-10-25 17:24:51 -05:00
Denis Kenzior
5d9e0401fc build: Add cleanup.h 2021-10-14 16:54:58 -05:00
Denis Kenzior
923f7b6a11 build: Add band.h for tests requiring handshake.[ch] 2021-09-21 15:39:31 -05:00
Denis Kenzior
a3b9967c13 build: Fixup due to handshake dependency on erp
and iwmon doesn't need handshake.[ch]
2021-08-03 16:35:30 -05:00
Denis Kenzior
64211c292d unit: Fix SAE unit test failure
The SAE unit test was written when group 19 was preferred by default for
all SAE connections.  However, we have now started to prefer higher
security groups.  Trick the test into using group 19 by wrapping
l_ecc_supported_ike_groups implementation to return just curve 19 as a
supported curve.
2021-07-27 14:01:12 -05:00
Denis Kenzior
2686baae69 unit: Add unit test for VHT RX data rate estimation 2021-06-04 10:14:04 -05:00
Denis Kenzior
e41bee377d band: Add band.[ch]
Move the band definition out of wiphy.c and into band.[ch].  This is
done to make certain utilities that depend on band information capable
of being tested from unit tests.

The band concept will most likely grow over time.  For now, the only
user will be wiphy.c and unit tests, so the structures are kept public.
2021-06-04 10:14:04 -05:00
Andrew Zaborowski
6e5b26ba64 ip-pool: Track IPv4 addresses in use
Add the ip-pool submodule that tracks IPv4 addresses in use on the
system for use when selecting the address for a new AP.  l_rtnl_address
is used internally because if we're going to return l_rtnl_address
objects it would be misleading if we didn't fill in all of their
properties like flags etc.
2021-06-01 10:03:00 -05:00
Marcel Holtmann
d87b580c20 build: Create directory for ell/useful.h 2021-04-29 10:16:32 +02:00
Marcel Holtmann
ed05585063 build: Always link in the ell/useful.h header file 2021-03-11 21:52:12 +01:00
Denis Kenzior
e84f257bff build: Add ell's useful.h header 2021-03-10 14:09:25 -06:00
Denis Kenzior
17a4cd4be0 build: Add ell's main-private.h header 2021-03-10 13:41:06 -06:00
Marcel Holtmann
a2f1389efa build: Remove mentions of --enable-sim-hardcoded 2021-02-15 19:20:58 +01:00
James Prestwood
11d1d860f0 client: implement diagnostic module
For now this module serves as a helper for printing diagnostic
dictionary values. The new API (diagnostic_display) takes a
Dbus iterator which has been entered into a dictionary and
prints out each key and value. A mapping struct was defined
which maps keys to types and units. For simple cases the mapping
will consist of a dbus type character and a units string,
e.g. dBm, Kbit/s etc. For more complex printing which requires
processing the value the 'units' void* can't be set to a
function which can be custom written to handle the value.
2021-01-22 15:01:05 -06:00
James Prestwood
b5d927ec3b diagnostic: commonize the building of diagnostic dict
AP mode will use the same structure for its diagnostic interface
and mostly the same dictionary keys. Apart from ConnectedBss and
Address being different, the remainder are the same so the
diagnostic_station_info to DBus dictionary conversion has been made
common so both station and AP can use it to build its diagnostic
dictionaries.
2021-01-22 14:41:20 -06:00
Denis Kenzior
d5c364a4e4 build: Update to ell's pkcs5 restructure 2021-01-07 14:05:40 -06:00
Fabrice Fontaine
62d31539d6 configure.ac: fix static build with readline
Retrieve the dependencies of readline through pkg-config (and fallback
to -lreadline) to avoid the following build failure:

/nvme/rc-buildroot-test/scripts/instance-0/output-1/host/opt/ext-toolchain/bin/../lib/gcc/x86_64-buildroot-linux-uclibc/8.3.0/../../../../x86_64-buildroot-linux-uclibc/bin/ld: /nvme/rc-buildroot-test/scripts/instance-0/output-1/host/bin/../x86_64-buildroot-linux-uclibc/sysroot/usr/lib/libreadline.a(display.o): in function `cr':
display.c:(.text+0x1ab): undefined reference to `tputs'

Fixes:
 - http://autobuild.buildroot.org/results/8fb1341f2f5094c346456b43b4fc04996c2e1485
2020-12-17 20:30:13 -06:00
James Prestwood
3f686da550 build: add ell/acd.{c,h} to makefile 2020-12-08 15:15:31 -06:00
James Prestwood
39ca2c3e05 doc: add man pages for AP provisioning files 2020-11-04 13:37:18 -06:00
Denis Kenzior
1db3aa6092 build: Add DHCP6 & pre-requisite files 2020-10-30 15:38:56 -05:00
James Prestwood
017d5f56df build: add ELL dhcp-server.c to build 2020-10-20 13:31:26 -05:00
Denis Kenzior
9c72d2f546 build: Add dhcp-util.c from ell 2020-10-19 17:21:36 -05:00
Denis Kenzior
cbd73f8067 build: Add net-private.h 2020-09-29 13:09:05 -05:00
Denis Kenzior
766257c5d6 build: Drop ell/plugin.[ch]
l_plugin_* APIs were removed from ell
2020-09-16 17:06:41 -05:00
Denis Kenzior
6b99b33974 build: Add time-private.h
This file was added to ell and compilation fails without it
2020-09-16 16:44:30 -05:00
James Prestwood
bbcfde8743 plugins: remove dependency on ELL plugins
There has been a desire to remove the ELL plugin dependency from
IWD which is the only consumer of the plugin API. This removes
the dependency and prepares the tree for converting the existing
ofono plugin into a regular module.

sim_hardcoded was removed completely. This was originally implemented
before full ofono support purely to test the IWD side of EAP-SIM/AKA.
Since the ofono plugin (module-to-be) is now fully implemented there
really isn't a need for sim_hardcoded.
2020-09-16 14:30:14 -05:00
James Prestwood
17955fcf5a tools: post test-runner rewrite cleanup
Removed test-runner.c, and renamed py_runner to test-runner. Removed
tools/test-runner from .gitignore.

This was done as a separate commit to avoid a nasty diff between the
existing test runner, and the new python version
2020-09-10 17:59:49 -05:00
Andrew Zaborowski
30933423fd ap: Put a public api between AP logic and DBus code
Separate AP logic from DBus code, add a public API to make the AP
logic reusable from other files.
2020-08-04 10:41:42 -05:00
Denis Kenzior
46215a6624 build: Remove eap-wsc and wscutil from eap_sources
With the previous commit, wscutil now depends on ie.h.  Unfortunately,
wired also includes eap-wsc and wscutil in the build, but not ie, which
results in a link-time failure.

Fix this by dropping eap-wsc and wscutil from wired.  There's no reason
that ethernet authentication would ever use the WiFi Protected Setup
authentication.
2020-04-23 14:47:30 -05:00
Andrew Zaborowski
326a8cd6ee Add minimal p2p.c and p2p.h
Add the functions to be called by manager.c and a minimal DBus API.
2020-04-10 06:31:19 -05:00
Marcel Holtmann
b95b9955f1 build: Remove ell/genl-private.h from source requirements 2020-03-25 09:53:15 +01:00
Andrew Zaborowski
c41eb6b2b0 tools: Add utility to tx Probe Requests 2020-03-20 10:18:04 -05:00
Marcel Holtmann
af2147fbde build: Fix rst2man invocation from Makefile 2020-03-14 09:25:42 +01:00
Khem Raj
9dccec8566 Makefile.am: Avoid redirection of input and output files
Ensure that the directory is created before it's written to.

This can cause a build race in a highly parallelised build where a directory is not yet created but
the output file is being written using redirection, e.g.

rst2man.py --strict --no-raw --no-generator --no-datestamp < ../git/monitor/iwmon.rst > monitor/iwmon.1
/bin/sh: monitor/iwmon.1: No such file or directory
make[1]: *** [Makefile:3544: monitor/iwmon.1] Error 1

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2020-03-09 22:20:41 -05:00
Daniel Wagner
a40503427e rtnlutil: Remove used rtnlutil
The rtnl code has been added to ELL. There is no caller left in iwd,
therefore remove the rtnlutil file.
2020-02-17 09:08:50 -06:00
Andrew Zaborowski
6484b7dbb6 Add a new frame watch API
This new API is independent of netdev.c and allows actually
unregistering from receiving notifications of frames, although with some
quirks.  The current API only allowed the callback for a registration to
be forgotten but our process and/or the kernel would still be woken up
when matching frames were received because the kernel had no frame
unregister call.  In the new API you can supply a group-id parameter when
registering frames.  If it is non-zero the frame_watch_group_remove() call
can be used to remove all frame registrations that had a given group-id
by closing the netlink socket on which the notifications would be
received.  This means though that it's a slightly costly operation.

The file is named frame-xchg.c because I'm thinking of also adding
utilities for sending frames and waiting for one of a number of replies
and handling the acked/un-acked information.
2020-01-13 11:49:08 -06:00