Commit graph

13541 commits

Author SHA1 Message Date
Jouni Malinen
182a0b4dae tests: EAP-pwd local error case in eap_pwd_perform_confirm_exchange()
This is a regression test case for a memory leak on these error paths.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-10-16 12:22:58 +03:00
Nishant Chaprana
391d922bcf EAP-pwd peer: Fix memory leak in eap_pwd_perform_confirm_exchange()
hash variable is allocated memory using eap_pwd_h_init(), but there are
couple of error case code paths which skips deallocation of hash. The
memory of hash is deallocated using eap_pwd_h_final(). Fix this by
calling eap_pwd_h_final() at the end of the function if execution got
there through one of those error cases.

Signed-off-by: Nishant Chaprana <n.chaprana@samsung.com>
2018-10-16 12:11:32 +03:00
Jouni Malinen
30a67736dc tests: VHT with 80 MHz channel width reconfigured to 2.4 GHz HT
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-10-16 00:51:21 +03:00
Sathishkumar Muruganandam
72a09d43fe Fix 5 GHz to 2.4 GHz channel switch with hostapd through DISABLE/ENABLE
When moving a 5 GHz VHT AP to 2.4 GHz band with VHT disabled through the
hostapd control interface DISABLE/reconfig/ENABLE commands, enabling of
the AP on 2.4 GHz failed due to the previously configured VHT capability
being compared with hardware VHT capability on 2.4 GHz band:

hw vht capab: 0x0, conf vht capab: 0x33800132
Configured VHT capability [VHT_CAP_MAX_MPDU_LENGTH_MASK] exceeds max value supported by the driver (2 > 0)
ap: interface state DISABLED->DISABLED

Since VHT (ieee80211ac) config is already disabled for the 2.4 GHz band,
add fix this by validating vht_capab only when VHT is enabled.

Fixes: c781eb8428 ("hostapd: Verify VHT capabilities are supported by driver")
Signed-off-by: Sathishkumar Muruganandam <murugana@codeaurora.org>
2018-10-16 00:50:40 +03:00
Jouni Malinen
349c49bac4 tests: OWE group negotiation with PMF
Verify that PMF does not end up reporting unexpected status code 30
(temporary rejection; SA Query).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-10-16 00:33:20 +03:00
Ashok Kumar
edb28006c4 PMF: Do not start SA Query procedure if there is no association
Previous implementation ended up triggering PMF check for previous
association and SA Query procedure incorrectly in cases where there is a
STA entry in hostapd, but that STA is not in associated state. This
resulted in undesired temporary rejection of the association with status
code 30.

This ended up breaking OWE group negotiation when PMF is in use since
the check for the OWE group would have happened only after this earlier
PMF check and rejection (i.e., the station got status code 30 instead of
the expected 77).

For example, when the AP is configured with OWE group 21 and a station
tries groups 19, 20, and 21 (in this sequence), the first two
Association Request frames should be rejected with status code 77.
However, only the first one got that status code while the second one
got status code 30 due to that issue with PMF existing association
check.

Furthermore, hostapd was continuing with SA Query procedure with
unencrypted Action frames in this type of case even though there was no
existing association (and obviously, not an encryption key either).

Fix this by checking that the STA entry is in associated state before
initiating SA Query procedure based on the PMF rules.

Signed-off-by: Ashok Kumar <aponnaia@codeaurora.org>
2018-10-16 00:33:20 +03:00
Jouni Malinen
97e27300f4 tests: Maximum number of cred roaming_consortiums
Signed-off-by: Jouni Malinen <j@w1.fi>
2018-10-14 20:48:32 +03:00
Andrei Otcheretianski
ac0ac1ddfd wpa_supplicant: Fix buffer overflow in roaming_consortiums
When configuring more than 36 roaming consortiums with SET_CRED, the
stack is smashed. Fix that by correctly verifying the
num_roaming_consortiums.

Fixes: 909a948b ("HS 2.0: Add a new cred block parameter roaming_consortiums")
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2018-10-14 20:47:35 +03:00
Johannes Berg
40432e6eb3 nl80211: Implement netlink extended ACK support
Implement netlink extended ACK support to print out the error
message (if any).

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2018-10-14 20:20:11 +03:00
Jouni Malinen
c481e1cbb7 tests: SAE and MFP enabled without sae_require_mfp
Signed-off-by: Jouni Malinen <j@w1.fi>
2018-10-14 20:14:30 +03:00
Hauke Mehrtens
74eebe93d0 SAE: Do not ignore option sae_require_mfp
Without this patch sae_require_mfp is always activate, when ieee80211w
is set to optional all stations negotiating SAEs are being rejected when
they do not support PMF. With this patch hostapd only rejects these
stations in case sae_require_mfp is set to some value and not null.

Fixes ba3d435fe4 ("SAE: Add option to require MFP for SAE associations")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-10-14 20:13:16 +03:00
Jouni Malinen
dc1b1c8db7 Drop logging priority for handle_auth_cb no-STA-match messages
This message was printed and MSG_INFO level which would be more
reasonable for error cases where hostapd has accepted authentication.
However, this is not really an error case for the cases where
authentication was rejected (e.g., due to MAC ACL). Drop this to use
MSG_DEBUG level.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-10-14 20:03:55 +03:00
Jouni Malinen
6588f71222 Reduce undesired logging of ACL rejection events from AP mode
When Probe Request frame handling was extended to use MAC ACL through
ieee802_11_allowed_address(), the MSG_INFO level log print ("Station
<addr> not allowed to authenticate") from that function ended up getting
printed even for Probe Request frames. That was not by design and it can
result in excessive logging and MSG_INFO level if MAC ACL is used.

Fix this by printing this log entry only for authentication and
association frames. In addition, drop the priority of that log entry to
MSG_DEBUG since this is not really an unexpected behavior in most MAC
ACL use cases.

Fixes: 92eb00aec2 ("Extend ACL check for Probe Request frames")
Signed-off-by: Jouni Malinen <j@w1.fi>
2018-10-14 19:57:22 +03:00
Jouni Malinen
4816bd3b22 tests: OWE transition mode and need for multiple scans
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-10-12 19:59:26 +03:00
Ilan Peer
c04562e67e OWE: Improve discovery of OWE transition mode AP
An OWE AP device that supports transition mode does not transmit the
SSID of the OWE AP in its Beacon frames and in addition the OWE AP does
not reply to broadcast Probe Request frames. Thus, the scan results
matching relies only on Beacon frames from the OWE open AP which can be
missed in case the AP's frequency is actively scanned.

To improve the discovery of transition mode APs, include their SSID in
the scan command to perform an active scan for the SSIDs learned from
the open mode BSSs.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2018-10-12 19:59:26 +03:00
Jouni Malinen
a5e6270f25 OWE: Use shorter scan interval during transition mode search
Start scans more quickly if an open BSS advertising OWE transition mode
is found, but the matching OWE BSS has not yet been seen.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-10-12 19:59:26 +03:00
Sunil Dutt
91073ccaaa OWE: Attempt more scans for OWE transition SSID if expected BSS not seen
This commit introduces a threshold for OWE transition BSS selection,
which signifies the maximum number of selection attempts (scans) done
for finding OWE BSS.

This aims to do more scan attempts for OWE BSS and eventually select the
open BSS if the selection/scan attempts for OWE BSS exceed the
configured threshold.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-10-12 19:59:26 +03:00
Purushottam Kushwaha
e8581183f9 HS 2.0: Use execve() with custom env PATH to launch browser using 'am'
With new restriction in Android, if PATH env variable doesn't have
correct path of 'am' binary, execv() fails to launch wpadebug browser
(am starts, but something seems to fail within its internal processing).

This commit is a workaround to use execve() with custom environment PATH
which includes "/system/bin;/vendor/bin" to handle the cases where
hs20-osu-client fails to launch wpadebug browser through /system/bin/am.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-10-12 15:51:05 +03:00
Visweswara Tanuku
77fcd74753 QCA vendor subcommand and attributes to configure capture of CFR data
Add a subcommand for Channel Frequency Response (CFG) Capture
Configuration and define attributes for configuring CFR capture
parameters per peer and enabling/disabling CFR capture.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-10-11 12:12:30 +03:00
Jouni Malinen
44fa13b17f tests: SSID with 32 octets with nul at the end
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-10-11 12:12:30 +03:00
Jouni Malinen
cc5f797593 HS 2.0 server: Subscription remediation with user selected new password
Add support for user remediation to request a new password from the user
for username/password credentials that have been configured not use use
machine managed password.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-10-11 12:12:30 +03:00
Jouni Malinen
f718e5e22c HS 2.0 server: Show whether credential is machine managed
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-10-11 12:12:30 +03:00
Jouni Malinen
eb83e81e31 HS 2.0 server: Make user list more readable
Order the rows based on identity and use a bit smaller font for some of
the fields to make the table fit on the screen more easily.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-10-11 12:12:30 +03:00
Jouni Malinen
af284f8a8e HS 2.0 server: Clarify signup page options
Make it clearer that there are three different types of credentials that
can be provisioned.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-10-11 12:12:30 +03:00
Jouni Malinen
dd76afff65 HS 2.0 server: Do not perform subrem if not requested to
Instead of defaulting to machine remediation, reject a request to do
subscription remediation if that has not been configured to be required.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-10-11 12:12:30 +03:00
Jouni Malinen
7770a9dd6a RADIUS: Support last_msk with EAP-TLS
This extends the last_msk testing functionality in the RADIUS server to
work with EAP-TLS based on "cert-<serial_num>" form user names in the
database.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-10-11 12:12:30 +03:00
Jouni Malinen
063cbb87a6 EAP server: Add eap_get_serial_num()
This can be used to fetch the serial number of the peer certificate
during TLS-based EAP session.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-10-11 12:12:30 +03:00
Jouni Malinen
0ec3e77a13 TLS: Add tls_connection_peer_serial_num()
This can be used to fetch the serial number of the peer certificate in
the EAP server. For now, this is implemented only with OpenSSL.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-10-11 12:12:30 +03:00
Jouni Malinen
18003b315b AS: Add an event_cb() callback handler
This provides debug log information on TLS events on the server side.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-10-11 12:12:30 +03:00
Jouni Malinen
2ff952a5dd OpenSSL: Make serial number of peer certificate available in event_cb
Add serial number to the event_cb() information for the peer certificate
chain.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-10-11 12:12:30 +03:00
Jouni Malinen
ee598e431b HS 2.0 server: Add last_msk into users table setup
This field is used for debugging purposes.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-10-07 12:47:21 +03:00
Jouni Malinen
2fd8984b05 HS 2.0: Reject OSU connection for Single SSID case without OSU_NAI
The Single SSID case can only use OSEN, so reject the case where OSU_NAI
is not set and open OSU connection would be used since that connection
cannot succeed.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-10-05 21:03:46 +03:00
Jouni Malinen
6bf62f7fc4 tests: OSU Providers NAI List ANQP-element
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-10-05 20:54:40 +03:00
Jouni Malinen
2f158bc194 HS 2.0: Use alternative OSU_NAI information in hs20-osu-client
Extend hs20-osu-client to support the new osu_nai2 value for OSU
connection with the shared BSS (Single SSID) case.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-10-05 20:53:31 +03:00
Jouni Malinen
baf4c86379 HS 2.0: Request and process OSU Providers NAI List ANQP-element
Extend wpa_supplicant to use a separate OSU_NAI information from OSU
Providers NAI List ANQP-element instead of the OSU_NAI information from
OSU Providers list ANQP-element when connecting to the shared BSS
(Single SSID) for OSU.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-10-05 20:51:51 +03:00
Jouni Malinen
cad810a98f HS 2.0: OSU Provider NAI List advertisement
Extend hostapd to allow the new OSU Provider NAI List ANQP-element to be
advertised in addition to the previously used OSU Providers list
ANQP-element. The new osu_nai2 configurator parameter option is used to
specify the OSU_NAI value for the shared BSS (Single SSID) case while
osu_nai remains to be used for the separate OSU BSS.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-10-05 20:49:42 +03:00
Jouni Malinen
1dd66fc103 tests: Update server and user certificates (2018)
The previous versions expired, so need to re-sign these to fix number of
the EAP test cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-10-04 01:16:55 +03:00
Jouni Malinen
953f689391 tests: Test connectivity within each step of FILS+FT
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-10-04 00:31:48 +03:00
vamsi krishna
edb509d49f Add QCA vendor event to report roam scan events
Driver/firmware does roam scan when it finds the need to roam to a
different BSS. Add a QCA vendor event to indicate such roam scan events
from driver/firmware to user space.

Please note that some drivers may not send these events in few cases,
e.g., if the host processor is sleeping when this event is generated in
firmware to avoid undesired wakeups.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-10-04 00:31:45 +03:00
Purushottam Kushwaha
cf94626c50 OWE: Do not try to enable PMF for non-RSN associations
Explicitly set the PMF configuration to 0 (NO_MGMT_FRAME_PROTECTION) for
non-RSN associations. This specifically helps with OWE transition mode
when the network block is configured with PMF set to required, but the
BSS selected is in open mode. There is no point to try to enable PMF for
such an association.

This fixes issues with drivers that use the NL80211_ATTR_USE_MFP
attribute to set expectations for PMF use. The combination of non-RSN
connection with claimed requirement for PMF (NL80211_MFP_REQUIRED) could
cause such drivers to reject the connection in OWE transition mode.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-10-04 00:26:41 +03:00
Jouni Malinen
0fa415a835 tests: Suite B and PMKSA caching multiple times
This verifies that wpa_supplicant and hostapd behave consistently with
PMKSA caching when Suite B AKMs end up deriving a new PMKID from each
4-way handshake.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-09-27 11:43:58 +03:00
Jouni Malinen
17d4b77472 RSN: Do not replace existing Suite B PMKSA on 4-way handshake
PMKID derivation with the Suite B AKMs is a special case compared to
other AKMs since that derivation uses KCK instead of PMK as an input.
This means that the PMKSA cache entry can be added only after KCK has
been derived during 4-way handshake. This also means that PMKID would
change every time 4-way handshake is repeated even when maintaining the
same PMK (i.e., during PTK rekeying and new associations even if they
use PMKSA caching).

wpa_supplicant was previously replacing the PMKSA cache entry whenever a
new PMKID was derived. This did not match hostapd expectations on the AP
side since hostapd did not update the PMKSA cache entry after it was
created. Consequently, PMKSA caching could be used only once (assuming
no PTK rekeying happened before that). Fix this by making wpa_supplicant
behave consistently with hostapd, i.e., by adding the Suite B PMKSA
cache entries with the PMKID from the very first 4-way handshake
following PMK derivation and then not updating the PMKID.

IEEE Std 802.11-2016 is somewhat vague in this area and it seems to
allow both cases to be used (initial PMKID or any consecutive PMKID
derived from the same PMK). While both cases could be supported that
would result in significantly more complex implementation and need to
store multiple PMKID values. It looks better to clarify the standard to
explicitly note that only the first PMKID derived after PMK derivation
is used (i.e., match the existing hostapd implementation).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-09-27 11:37:19 +03:00
Jouni Malinen
4d1f7b6856 HS 2.0: Remove hs20-osu-client debug file Cert/est-resp.raw
This was used during initial EST development time testing, but the same
information is available in the debug log and since this separate file
is deleted automatically, just remove its generation completely to
simplify implementation.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-09-26 12:59:41 +03:00
Jouni Malinen
f1e2d38166 tests: DPP_CONFIGURATOR_ADD error path
This is a regression test case for a memory leak on DPP_CONFIGURATOR_ADD
error path in dpp_keygen_configurator() when an unsupported curve is
specified.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-09-21 21:39:34 +03:00
Srikanth Marepalli
bd88ed60fa eap_proxy: Fix memory leaks when using eap_peer_erp_init()
The external session_id and emsk from eap_proxy_get_eap_session_id() and
eap_proxy_get_emsk() need to be freed consistently in all code paths
within eap_peer_erp_init() and outside it in the case ERP is not
initialized.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-09-21 21:34:08 +03:00
Ankita Bajaj
820ea0ba93 DPP: Fix a memory leak on Configurator keygen error path
The allocated configuration structure needs to be freed if the specified
curve is not supported.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-09-21 21:22:42 +03:00
Ankita Bajaj
5a052f92eb DPP: Fix a memory leak in L derivation
The temporary EC_POINT 'sum' needs to be freed at the end of the
function with the other OpenSSL allocations.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-09-21 21:21:14 +03:00
Ankita Bajaj
bae282e3e8 DPP: Fix an error path memory leak in URI public key parsing
The allocated buffer from base64_decode() needs to be freed on the
sha256_vector() error path.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-09-21 21:20:06 +03:00
Srikanth Marepalli
e662260162 Free dh_ctx on failure in wps_nfc_gen_dh()
This is needed to avoid a memory leak on an error path.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-09-20 17:18:16 +03:00
Srinivas Dasari
50b77f50e8 DPP: Flush PMKSA if an assoc reject without timeout is received
Flush the PMKSA upon receiving assoc reject event without timeout
in the event data, to avoid trying the subsequent connections
with the old PMKID. Do not flush PMKSA if assoc reject is
received with timeout as it is generated internally from the
driver without reaching the AP.

This extends commit d109aa6cac ("SAE:
Flush PMKSA if an assoc reject without timeout is received") to handle
also the DPP AKM.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-09-18 13:15:20 +03:00