3
0
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2024-11-13 23:49:23 +01:00
Commit Graph

3817 Commits

Author SHA1 Message Date
Andrew Zaborowski
a8c30cd25e autotests: Accept a list of passphrases in PSKAgent
Allow passing a list of passphrases for subsequent agent requests to the
PSKAgent constructor.  This also makes existing tests stricter because
a spurious agent request will not receive the same passphrase.
2018-04-19 14:09:52 -05:00
Andrew Zaborowski
2382dc7ffa network: Validate 8021x settings and request passwords
Use eap_check_settings directly from network.c before we start the
connection attempt at netdev.c level, to obtain all of the required
passwords/passphrases through the agent.  This is in network.c because
here we can decide the policies for whether to call the agent in
autoconnect or only if we had a request from the user, also whether we
want to save any of that for later re-use (either password data or
kernel-side key serial), etc.

In this patch we save the credentials for the lifetime of the network
object in memory, and we skip the network if it requires any passphrases
we don't have while in autoconnect, same as with PSK networks where the
PSK isn't given in the settings.  Note that NetworkManager does pop up
the password window for PSK or EAP passwords even in autoconnect.

If EAP needs multiple passwords we will call the agent sequentially for
each.
2018-04-19 14:05:20 -05:00
Andrew Zaborowski
7541b595f9 eap-peap: Implement .check_settings
Confirm that the PEM file paths that we'll be passing to the l_tls
object are loading Ok and request/validate the private key passphrase
if needed.  Then also call eap_check_settings to validate the inner
method's settings.
2018-04-19 13:23:03 -05:00
Andrew Zaborowski
86aa4e8af1 eap-gtc: Implement .check_settings
Only do the same validation that .load_settings would do for GTC.
2018-04-19 13:14:37 -05:00
Andrew Zaborowski
8650bddcfe eap-aka: Implement .check_settings
Also it seems aka->identity could not have been set at the time
it was used in the error message so I changed that error message
slightly.
2018-04-19 13:14:25 -05:00
Andrew Zaborowski
200312c4e5 eap-sim: Implement .check_settings 2018-04-19 13:13:58 -05:00
Andrew Zaborowski
d27b0d5b1e eap-ttls: Implement .check_settings
Confirm that the PEM file paths that we'll be passing to the l_tls
object are loading Ok and request/validate the private key passphrase
if needed.  Then also call eap_check_settings to validate the inner
method's settings.
2018-04-19 13:13:07 -05:00
Andrew Zaborowski
8eea2c39d1 eap-tls: Implement .check_settings
Confirm that the PEM file paths that we'll be passing to the l_tls
object are loading Ok and request/validate the private key passphrase
if needed.
2018-04-19 13:11:39 -05:00
Andrew Zaborowski
3b2b194170 eap-mschapv2: Implement .check_settings
Move the settings validation from .load_settings plus allow the
username/password to be supplied in the secrets l_queue instead of
in the l_settings.
2018-04-19 13:01:58 -05:00
Andrew Zaborowski
9134743a97 eap-md5: Implement .check_settings
Only do the same validation that .load_settings would do for MD5.
2018-04-19 13:00:44 -05:00
Andrew Zaborowski
246e76c7b0 eap: Validate settings, report passwords needed
With the goal of requesting the required passwords/passphrases, such as
the TLS private key passphrase, from the agent, add a static method
eap_check_settings to validate the settings and calculate what passwords
are needed for those settings, if any.  This is separate from
eap_load_settings because that can only be called later, once we've
got an eap state machine object.  We need to get all the needed EAP
credentials from the user before we even start connecting.

While we do this, we also validate the settings and output any error
messages through l_error (this could be changed so the messages go
somewhere else in the future), so I removed the error messages from
eap_load_settings and that method now assumes that eap_check_settings
has been called before.

eap_check_settings calls the appropriate method's .check_settings method
if the settings are complete enough to contain the method name.  The
policy is that any data can be provided inside the l_settings object
(from the network provisioning/config file), but some of the more
sensitive fields, like private key passwords, can be optionally omitted
and then the UI will ask for them and iwd will be careful with
caching them.

Within struct eap_secret_info, "id" is mainly for the EAP method to
locate the info in the list.  "value" is the actual value returned
by agent.  "parameter" is an optional string to be passed to the agent.
For a private key passphrase it may be the path to the key file, for a
password it may be the username for which the password is requested.
2018-04-19 13:00:12 -05:00
Andrew Zaborowski
15a037f633 agent: Add new request types
Add new agent.h methods and corresponding DBus methods to request
the 3 different EAP credential types from user.
2018-04-19 11:49:41 -05:00
Andrew Zaborowski
b4b2a45583 doc: Add new Agent request types 2018-04-19 11:49:37 -05:00
Andrew Zaborowski
b862fd8fe1 agent: Check if callback has sent a new request
In agent_receive_reply we first call the callback for the pending
request (agent_finalize_pending) then try to send the next request
in the queue.  Check that the next request has not been sent already
which could happen if it has been just queued by the callback.
2018-04-19 11:45:03 -05:00
Andrew Zaborowski
c6e3140b38 device: Handle disconnect by AP and by SME events same way
The difference in the handlers was that in the
NETDEV_EVENT_DISCONNECT_BY_AP case we would make sure to reply
to a pending dbus Connect call.  We also need to do that for
NETDEV_EVENT_DISCONNECT_BY_SME.  This happens if another process
sends an nl80211 disconnect command while we're connecting.
2018-04-19 10:36:18 -05:00
Denis Kenzior
ab9c5670f7 build: Add new ell files 2018-04-19 10:23:54 -05:00
Andrew Zaborowski
32d846470b device: Use active scans when connected
When we're connected we're advertising our hardware address anyway so
there's no benefit from using passive scanning.
2018-04-10 00:19:33 -05:00
Andrew Zaborowski
d9ae78b780 device: Drop unsupported bands from roam scan frequency set
The kernel will reject the TRIGGER_SCAN commands that include
frequencies not supported by the wiphy.
2018-04-10 00:19:30 -05:00
Denis Kenzior
6de76f97b4 build: Add net.[ch] from ell 2018-04-10 00:18:11 -05:00
James Prestwood
ad93f4d203 doc: add list of EAP methods to features.txt 2018-04-06 10:30:50 -05:00
James Prestwood
4c6eda3eb3 TODO: remove EAP-GTC from TODO 2018-04-06 10:30:46 -05:00
James Prestwood
7c77bf33c7 auto-t: add EAP-GTC autotest 2018-04-04 09:42:31 -05:00
James Prestwood
c0739c1965 eap-gtc: add EAP-GTC method implementation 2018-04-04 09:42:28 -05:00
James Prestwood
d1c7f360d2 eap: add EAP_TYPE_GTC (6) type 2018-04-04 09:40:05 -05:00
Denis Kenzior
979380aaf3 nl80211: Update to the latest header
This includes the recently merged CONTROL_PORT patches
2018-04-04 09:38:46 -05:00
James Prestwood
f67505c5df test-runner: fix warning in gdb patch 2018-04-03 15:34:51 -05:00
James Prestwood
cb1ed123e4 doc: add new eapol setting to doc/main.conf 2018-04-02 13:54:25 -05:00
James Prestwood
88a1520dbd main: set eapol config 2018-04-02 13:54:25 -05:00
James Prestwood
50eae9bf87 eapol: process config setting for handshake timeout
The eapol handshake timeout can now be configured in main.conf
(/etc/iwd/main.conf) using the key eapol_handshake_timeout. This
allows the user to configure a long timeout if debugging.
2018-04-02 13:54:25 -05:00
James Prestwood
592d60c28e TODO: Mark SA Query related tasks as done 2018-04-02 13:35:33 -05:00
James Prestwood
e889452dde auto-t: disable timeouts in IWD class when debugging
If --gdb is used with test-runner, all the timeouts in the
IWD class must be turned off otherwise the test will fail.
Inside test-runner, a environment variable (IWD_TEST_TIMEOUTS)
is set to either 'on' or 'off'. Then the IWD class (and any
others) can handle the timeouts accordingly. Note that this
does not turn off dbus timeouts, rather it ignores timeout
failures. This does mean that ultimately the test will most
likely fail due to a dbus timeout, but it at least gives you
unlimited debugging time.
2018-04-02 12:49:52 -05:00
James Prestwood
461b39f206 test-runner: add feature to debug processes with gdb
Specifying the --gdb <process> option to test runner will run gbd on
the given process. Using this option will turn off all timeouts in
test-runner.
2018-04-02 12:49:09 -05:00
Tim Kourt
5c765bc886 client: switch to network argument parser 2018-03-28 14:43:58 -05:00
Tim Kourt
68800c5422 gitignore: add unit/test-client 2018-03-28 14:43:56 -05:00
Tim Kourt
7501d9372b unit: network args parser validation 2018-03-28 14:33:00 -05:00
Tim Kourt
f1c5134448 client: add network args parser 2018-03-28 14:32:57 -05:00
Andrew Zaborowski
9e1578d6a9 autotests: Add a FT + 8021x roaming test 2018-03-21 14:25:34 -05:00
Andrew Zaborowski
90366ba0c4 test-runner: Kill hwsim after failed hostapd setup
Without this subsequent tests may be affected by hwsim not being
restarted.

Additionally in 4.13 the kernel will not use the registered hwsim
wmedium for wiphys created after the HWSIM_CMD_REGISTER call and
there's no way to re-register it without disconnecting from netlink
which is a bit of work.  It's a one line fix in 4.13, I've not yet
checked if this has changed in current git.
2018-03-21 14:25:30 -05:00
Andrew Zaborowski
4a7e228da8 test-runner: Run all APs as one hostapd instance
When running multiple BSSes in one ESS this solves the communication
between them (called RRB) for purposes like preauthentication,
FT key pull and push and FT-over-DS without complicated bridges.  At the
same time we're unlikely to have a scenario where we need the
communication to fail so there's no need for this to be configurable.

The supporting code for multiple hostapd processes is left in place so
that configure_hostapd_instances can decide how many processes to run
based on hw.conf and policies.  start_hostapd now uses "-i wln0,..."
which is no longer documented in hostapd manual page or usage() but
still supported in current git and required if interface names are not
provided in the config files (possibly unless -b is used which is also
undocumented.)
2018-03-21 14:25:11 -05:00
Andrew Zaborowski
b5c2cd0298 autotests: Check connectivity in TTLS test similar to TLS test 2018-03-15 11:40:34 -05:00
Andrew Zaborowski
b1356680b7 unit: Update handshake_state_set_pmk parameters 2018-03-15 11:40:17 -05:00
Andrew Zaborowski
5a17c2275f eapol: Make sure rsn_info is initialized in eapol_handle_ptk_1_of_4
After an EAP exchange rsn_info would be uninitialized and in the FT case
we'd use it to generate the step 2 IEs which would cause an RSNE
mismatch during FT handshake.
2018-03-15 11:40:17 -05:00
Andrew Zaborowski
8b534ba067 eapol: In FT-EAP use all 64 bytes of the MSK
Until now we'd save the second 32 bytes of the MSK as the PMK and use
that for the PMK-R0 as well as the PMKID calculation.  The PMKID
actually uses the first 32 bytes of the PMK while the PMK-R0's XXKey
input maps to the second 32 bytes.  Add a pmk_len parameter to
handshake_state_set_pmk to handle that.  Update the eapol_eap_results_cb
802.11 quotes to the 2016 version.
2018-03-15 11:40:17 -05:00
Tim Kourt
436e95d599 peap: Postpone cleanup on phase two failure 2018-03-01 09:13:17 -06:00
Andrew Zaborowski
d2247c3a3f netdev: Avoid calling netdev_connect_ok twice in FT
handshake_state_install_ptk triggers a call to
netdev_set_pairwise_key_cb which calls netdev_connect_ok, so don't call
netdev_connect_ok after handshake_state_install_ptk.  This doesn't fix
any specific problem though.
2018-02-26 09:59:58 -06:00
Tim Kourt
2dd84f0114 auto-t: add tests for Protected EAP - type 25 2018-02-26 09:59:48 -06:00
Tim Kourt
9783e236a1 peap: handle completion of phase two 2018-02-23 15:19:52 -06:00
Tim Kourt
97980c0315 eap: allow to discard EAP-Success/EAP-Failure pkts 2018-02-23 12:48:40 -06:00
Tim Kourt
ad94752170 eap: add accessor for method success 2018-02-21 20:14:50 -06:00
Andrew Zaborowski
7fd6803c7a agent: Fix cancelling running request
If the request being cancelled by agent_request_cancel has already been
sent over dbus we need to reset pending_id, the timeout, call l_dbus_cancel
to avoid the agent_receive_reply callback (and crash) and perhaps start
the next request.  Alternatively we could only reset the callback and not
free the request, then wait until the agent method to return before starting
the next request.
2018-02-20 11:07:00 -06:00