3
0
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2024-11-19 19:19:39 +01:00
Commit Graph

6417 Commits

Author SHA1 Message Date
Denis Kenzior
f3c633e222 auto-t: Add EAPoL spoofing test
Make sure that unencrypted EAPoL packets received after the initial
handshake is complete do not break the connection.
2022-05-11 17:23:54 -05:00
Denis Kenzior
e44ccf3daa auto-t: Rework spoofing code
Use scapy library which allows one to easily construct and fudge various
network packets.  This makes constructing spoofed packets much easier
and more readable compared to hex-encoded, hand-crafted frames.
2022-05-11 17:20:30 -05:00
Denis Kenzior
2019823443 auto-t: Fix TA/BSSID addresses of spoofed disassoc
The TA/BSSID addresses of spoofed disassociate frames were set
incorrectly.  They should be using the 02:00:00:XX:XX:XX address, but
instead were being converted over to 42:00:00:XX:XX:XX address
2022-05-11 14:05:51 -05:00
Denis Kenzior
ee3a044b75 eapol: authenticator: Drop unencrypted EAPoL frames
After the initial handshake, once the TK has been installed, all frames
coming to the AP should be encrypted.  However, it seems that some
kernel/driver combinations allow unencrypted EAPoL frames to be received
and forwarded to userspace.  This can lead to various attacks.

Some drivers can report whether the EAPoL frame has been received
unencrypted.  Use this information to drop unencrypted EAPoL frames
received after the initial handshake has been completed.
2022-05-10 16:04:29 -05:00
Denis Kenzior
ccdea73df2 eapol: Drop unexpectedly unencrypted EAP frames
After the initial handshake, once the TK has been installed, all frames
coming from the AP should be encrypted.  However, it seems that some
kernel/driver combinations allow unencrypted EAPoL frames to be received
and forwarded to userspace.  This can lead to a denial-of-service attack
where receipt of an invalid, unencrypted EAP-Failure frame generated by
an adversary results in iwd terminating an ongoing connection.

Some drivers can report whether the EAPoL frame has been received
unencrypted.  Use this information to drop unencrypted EAP frames
received after the initial handshake has been completed.

Reported-by: Domien Schepers <schepers.d@northeastern.edu>
2022-05-10 16:03:41 -05:00
Denis Kenzior
5b42cb6cda eapol: Drop unexpectedly unencrypted PTK 1/4 frames
After the initial handshake, once the TK has been installed, all frames
coming from the AP should be encrypted.  However, it seems that some
kernel/driver combinations allow unencrypted EAPoL frames to be received
and forwarded to userspace.  This can lead to a denial-of-service attack
where receipt of an invalid, unencrypted EAPoL 1/4 frame generated by an
adversary results in iwd terminating an ongoing connection.

Some drivers can report whether the EAPoL frame has been received
unencrypted.  Use this information to drop unencrypted PTK 1/4 frames
received after the initial handshake has been completed.

Reported-by: Domien Schepers <schepers.d@northeastern.edu>
2022-05-10 12:22:03 -05:00
Denis Kenzior
1ef97e5cbc eapol: Silently discard invalid EAPoL frames
Do not fail an ongoing handshake when an invalid EAPoL frame is
received.  Instead, follow the intent of 802.11-2020 section 12.7.2:
"EAPOL-Key frames containing invalid field values shall be silently
discarded."

This prevents a denial-of-service attack where receipt of an invalid,
unencrypted EAPoL 1/4 frame generated by an adversary results in iwd
terminating an ongoing connection.

Reported-by: Domien Schepers <schepers.d@northeastern.edu>
2022-05-10 10:01:08 -05:00
Denis Kenzior
1409364371 scan: Sort scan_requests by wiphy work item priority
Periodic scan requests are meant to be performed with a lower priority
than normal scan requests.  They're thus given a different priority when
inserting them into the wiphy work queue.  Unfortunately, the priority
is not taken into account when they are inserted into the
sr->requests queue.  This can result in the scanning code being confused
since it assumes the top of the queue is always the next scheduled or
currently ongoing scan.  As a result any further wiphy_work might never be
started properly.

Apr 27 16:34:40 iwd[5117]: ../iwd-1.26/src/wiphy.c:wiphy_radio_work_insert() Inserting work item 3
Apr 27 16:34:40 iwd[5117]: ../iwd-1.26/src/wiphy.c:wiphy_radio_work_next() Starting work item 3
Apr 27 16:34:40 iwd[5117]: ../iwd-1.26/src/scan.c:scan_periodic_timeout() 1
Apr 27 16:34:40 iwd[5117]: ../iwd-1.26/src/wiphy.c:wiphy_radio_work_insert() Inserting work item 4
Apr 27 16:34:43 iwd[5117]: ../iwd-1.26/src/wiphy.c:wiphy_radio_work_insert() Inserting work item 5
Apr 27 16:34:43 iwd[5117]: ../iwd-1.26/src/wiphy.c:wiphy_radio_work_done() Work item 3 done
Apr 27 16:34:43 iwd[5117]: ../iwd-1.26/src/wiphy.c:wiphy_radio_work_next() Starting work item 5
Apr 27 16:34:43 iwd[5117]: ../iwd-1.26/src/scan.c:scan_notify() Scan notification Trigger Scan(33)
Apr 27 16:34:43 iwd[5117]: ../iwd-1.26/src/scan.c:scan_request_triggered() Passive scan triggered for wdev 1
Apr 27 16:34:43 iwd[5117]: ../iwd-1.26/src/scan.c:scan_periodic_triggered() Periodic scan triggered for wdev 1

In the above log, scan request 5 (triggered by dbus) is started before
scan request 4 (periodic scan).  Yet the scanning code thinks scan
request 4 was triggered.

Fix this by using the wiphy_work priority to sort the sr->requests queue
so that the scans are ordered in the same manner.

Reported-by: Alvin Šipraga <ALSI@bang-olufsen.dk>
2022-05-02 09:18:30 -05:00
Marcel Holtmann
099700a154 Release 1.27 2022-04-21 17:01:56 +02:00
Marcel Holtmann
126883ae79 build: Require at least version 0.50 when building with external ELL 2022-04-21 16:55:52 +02:00
James Prestwood
5caeb82d61 auto-t: disable update_config for testDPP
update_config=1 lets wpa_supplicant write config changes
to the config file. In the real world this is what you want
so your DPP credentials are persistant. But for testing this
is not correct since multiple tests use the same config file
and expect it to be pristine.

Occationally wpa_supplicant was connecting to the AP without
running DPP because the config already had the network
credentials.
2022-04-15 12:17:29 -05:00
James Prestwood
b27ab1270c dpp: wait before retransmitting frames with no-ACK
The upstream code immediately retransmitted any no-ACK frames.
This would work in cases where the peer wasn't actively switching
channels (e.g. the ACK was simply lost) but caused unintended
behavior in the case of a channel switch when the peer was not
listening.

If either IWD or the peer needed to switch channels based on the
authenticate request the response may end up not getting ACKed
because the peer is idle, or in the middle of the hardware changing
channels. IWD would get no-ACK and immediately send the frame again
and most likely the same behavior would result. This would very
quickly increment frame_retry past the maximum and DPP would fail.

Instead when no ACK is received wait 1 second before sending out
the next frame. This can re-use the existing frame_pending buffer
and the same logic for re-transmitting.
2022-04-15 12:15:52 -05:00
James Prestwood
14217e6ca4 dpp: print error if CMD_FRAME fails 2022-04-15 12:15:44 -05:00
James Prestwood
07197e24fc dpp: handle sending a frame after ROC ends
There is a potential corner case of an offchannel frame callback
being called after ROC has ended.

This could happen in theory if a received frame is queued right as
the ROC session expires. If the ROC cancel event makes it to user
space before the frame IWD will schedule another ROC then receive
the frame. This doesn't prevent IWD from sending out another
frame since OFFCHANNEL_TX_OK is used, but it will prevent IWD from
receiving a response frame since no dwell duration is used with DPP.

To handle this an roc_started bool was added to the dpp_sm which
tracks the ROC state. If dpp_send_frame is called when roc_started
is false the frame will be saved and sent out once the ROC session
is started again.
2022-04-15 12:12:49 -05:00
Denis Kenzior
8a877d8692 station/network: avoid use-after-free
ConnectHiddenNetwork creates a temporary network object and initiates a
connection with it.  If the connection fails (due to an incorrect
passphrase or other reasons), then this temporary object is destroyed.
Delay its destruction until network_disconnected() since
network_connect_failed is called too early.  Also, re-order the sequence
in station_reset_connection_state() in order to avoid using the network
object after it has been freed by network_disconnected().

Fixes: 85d9d6461f ("network: Hide hidden networks on connection error")
2022-04-08 15:12:30 -05:00
Denis Kenzior
867c68c05b network: close settings prior to network removal
station_hide_network will remove and free the network object, so calling
network_close_settings will result in a crash.  Make sure this is done
prior to network object's destruction.

Fixes: 85d9d6461f ("network: Hide hidden networks on connection error")
2022-04-08 11:23:28 -05:00
James Prestwood
c5f44f8d38 doc: Update the test-runner documentation
Includes instructions for UML, which is now the preferred way to use
test-runner.
2022-04-08 10:48:17 -05:00
James Prestwood
9353c7748b test-runner: resolve --kernel absolute path
This only posed a problem oddly if the kernel binary was in the same
directory as test-runner. Resolving the absolute path with the
argument parser resolves the issue.
2022-04-06 17:22:06 -05:00
James Prestwood
5453f71a7c test-runner: fix check for phonesim
This got changed to use which, but not updated to remove the
list argument.
2022-04-06 17:22:06 -05:00
James Prestwood
cec5fab9b3 test-runner: allow decode failure when writing IO
If this fails, e.g. an invalid utf-8 character it should not cause
the test to fail.
2022-04-06 14:47:58 -05:00
James Prestwood
9edb196395 test-runner: fix ctrl-c for UML
The TIOCSTTY ioctl was not shared between UML and QEMU which prevented
any console input from making it into UML. This fixes that, and now
ctrl-c can be used to stop UML test execution.
2022-04-06 14:47:52 -05:00
James Prestwood
5710cc097b test-runner: Unify QEMU/UML logging code
The MountInfo tuple was changed to explicitly take a source string. This
is redundant for UML and system mounts since the fstype/source are the same,
but it allows QEMU to specify the '9p' fstype and use MountInfo rather than
calling mount() explicitly.

This also moves logging cleanup into _prepare_mounts so both UML and QEMU
can use it.
2022-04-06 14:47:45 -05:00
James Prestwood
1a903001f9 auto-t: cleanup the few uses of is_verbose
These were used outside of run-tests in a couple places. Replace
these with Process.is_verbose()
2022-04-06 14:47:32 -05:00
James Prestwood
e70d7e0857 test-runner: write separators for transient processes
Many processes are not long running (e.g. hostapd_cli, ip, iw, etc)
and the separators written to log files don't show up for these which
makes debugging difficult. This is even true for IWD/Hostapd for tests
with start_iwd=0.

After writing separators for long running processes write them out for
any additional log files too.
2022-04-06 14:47:24 -05:00
James Prestwood
f199e3f40d test-runner: move BarChart into utils.py 2022-04-06 14:47:18 -05:00
James Prestwood
bc9dfee7cd test-runner: remove unused class members 2022-04-06 14:47:13 -05:00
James Prestwood
e993503c4d test-runner: simplify start_iwd handling
Replace two separate if blocks to handle the default value
with fallback=True.
2022-04-06 14:47:06 -05:00
James Prestwood
b731e121c9 test-runner: remove path_exists/find_binary
These are already implemented in the shutil module
2022-04-06 14:46:59 -05:00
James Prestwood
c74ac94c31 test-runner: isolate Process/Namespace into utils
Way too many classes have a dependency on the TestContext class, in
most cases only for is_verbose. This patch removes the dependency from
Process and Namespace classes.

For Process, the test arguments can be parsed in the class itself which
will allow for this class to be completely isolated into its own file.

The Namespace class was already relatively isolated. Both were moved
into utils.py which makes 'run-tests' quite a bit nicer to look at and
more fitting to its name.
2022-04-06 14:46:10 -05:00
James Prestwood
6003ad1527 test-runner: add logging, monitor, and results to UML
This commonizes some mounting code between QEMU and UML to allow exporting
of files to the host environment. UML does this with a hostfs mount while
QEMU still uses 9p.

The common code sanitizing the inputs has been put into _prepare_outfiles
and _prepare_mounts was modified to take an 'extra' arugment containing
additional mount points.

The results and monitor parent directories are now passed into the environment
via arguments, and these are hidden from the help text (in addition to testhome)
2022-04-05 17:49:55 -05:00
James Prestwood
309760cbab test-runner: use type=os.path.abspath for argparse
This is a convenient type which automatically resolves the argument
to an absolute path. Use this for any arguments expected to be
paths.
2022-04-05 17:49:55 -05:00
James Prestwood
87345b4c14 doc: update hwsim documentation
This was quite dated and needed to be updated both to
reflect the API change to a dictionary argument, as well
as document NoVirtualInterface.
2022-04-05 13:50:40 -05:00
James Prestwood
96e8c0a3ab test-runner: fix --help and unknown options
If --help or unknown options were supplied to test-runner python
would thrown a maximum recusion depth exception. This was due to
the way ArgumentParser was subclassed.

To fix this call ArgumentParser.__init__() rather than using the
super() method. And do this also for the RunnerCoreArgParse
subclass as well. In addition the namespace argument was removed
from parse_args since its not used, and instead supplied directly
to the parents parse_args method.
2022-04-05 13:33:44 -05:00
James Prestwood
01efa0171d test-runner: enable scripts to be executed as init
This enables CONFIG_BINFMT_SCRIPT which allows the init process to
interpret #! and execute the script rather than requiring a binary
for init.
2022-04-05 13:33:41 -05:00
James Prestwood
5ef196f74d test-runner: resolve absolute path for --start argument 2022-04-05 13:33:38 -05:00
James Prestwood
197368dcfc auto-t: hwsim.py: set NoVirtualInterface by default
There is really no reason to have hwsim create interfaces automatically
for test-runner. test-runner already does this for wpa_supplicant and
hostapd, and IWD can create the interface itself.
2022-04-05 13:33:35 -05:00
James Prestwood
7b5f640931 hwsim: add NoVirtualInterface option to DBus API
This was available with --no-interface but no such option existed
for the DBus API.
2022-04-05 13:33:21 -05:00
James Prestwood
cb76f219fb netdev: move ocvc setting to after connected check
We cannot check 'handshake' until first checking that IWD is
connected.
2022-04-05 13:30:30 -05:00
James Prestwood
f7dc05969f netdev: check for connected in FT frame event
This frame could come unsolicited and cause a NULL dereference
if IWD is not connected.
2022-04-05 13:30:11 -05:00
Denis Kenzior
dc7e12ac0c station: Ignore AP directed roams if already trying to roam 2022-04-05 11:41:03 -05:00
Denis Kenzior
92ef3da714 station: Sanitize AP directed roam addresses
Make sure the BSS Transition Management Request frames come from our
conected AP.  Ignore and print a message if the addresses do not match.
2022-04-05 11:36:39 -05:00
Denis Kenzior
3fad65e5df station: ignore AP directed roams if not connected 2022-04-05 10:09:08 -05:00
Denis Kenzior
3169bfee19 AUTHORS: Mention Emmanuel's contributions 2022-04-05 09:33:58 -05:00
Emmanuel VAUTRIN
85d9d6461f network: Hide hidden networks on connection error
If a user connection fails on a freshly scanned psk or open hidden
network, during passphrase request or after, it shall be removed from
the network list.  Otherwise, it would be possible to directly connect
to that known network, which will appear as not hidden.
2022-04-05 09:31:44 -05:00
James Prestwood
57ae02ab71 auto-t: delay rekeys in extended key ID test
The test was rekeying in a loop which ends up confusing hostapd
depending on the timing of when it gets the REKEY command and any
responses from IWD. UML seemed to handle this fine but not QEMU.

Instead delay the rekey a bit to allow it to fully complete before
sending another.
2022-04-04 11:14:26 -05:00
James Prestwood
25db380833 test-runner: fix kernel panic on exit for UML
UML requires RB_POWER_OFF rather than RB_AUTOBOOT (Qemu) in order
to avoid a kernel panic from killing init.
2022-04-04 09:12:50 -05:00
James Prestwood
f59e69c6c4 rrm: use ULL for static values 2022-03-31 18:13:04 -05:00
James Prestwood
5c7f34d66b auto-t: iwd.py: use IO watch for station debug events
Similarly to hostapd.wait_for_event, IWD's variant needed to act on
an IO watch because events were being received prior to even calling
wait_for_event.
2022-03-31 18:13:02 -05:00
James Prestwood
31b5275c1f auto-t: hostapd.py: use IO watch for hostapd events
With how fast UML is hostapd events were being sent out prior to
ever calling wait_for_event. Instead set an IO watch on the control
socket and cache all events as they come. Then, when wait_for_event
is called, it can reference this list. If the event is found any
older events are purged from the list.

The AP-ENABLED event needed a special case because hostapd gets
started before the IO watch can be registered. To fix this an
enabled property was added which queries the state directly. This
is checked first, and if not enabled wait_for_event continues normally.
2022-03-31 18:12:59 -05:00
James Prestwood
dbd6ddfc95 auto-t: cleanup testRRM
This removes prints which were never supposed to make it upstream as
well as changes sleep() to wd.wait() as well as increase the wait
period to fix issues with how fast UML runs the tests.
2022-03-31 18:12:56 -05:00