Commit graph

11330 commits

Author SHA1 Message Date
Ayala Beker
443c8e18de OpenSSL: Fix possible null pointer dereference on an OCSP error path
Fix possible null pointer dereference in check_ocsp_resp() if a memory
allocation fails.

Signed-off-by: Ayala Beker <ayala.beker@intel.com>
2016-02-06 00:58:32 +02:00
Roy Marples
a3cc64f3d2 Remove -w support from wpa_supplicant README
wpa_supplicant dropped the -w option a long, long time ago.

Signed-off-by: Roy Marples <roy@marples.name>
2016-02-06 00:31:26 +02:00
Jouni Malinen
93aa1e1621 tests: EAP-FAST and binary PAC errors
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-06 00:28:16 +02:00
Jouni Malinen
e265838a43 EAP-FAST: Fix an error path in PAC binary format parsing
Need to clear the pac pointer for the first error case to avoid freeing
the previous PAC entry if the following entry has an invalid header.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-06 00:26:31 +02:00
John Ernberg
f91e11f465 D-Bus: Fix p2p interface capability message
If the config file for the interface says "p2p_disabled=1", don't report
p2p capabilities on this interface. This helps programs like Connman to
not enable p2p when it's been disabled in wpa_supplicant.

Signed-off-by: John Ernberg <john.ernberg@actia.se>
2016-02-05 18:09:38 +02:00
Nick Lowe
479f46c4c2 Do not send Acct-Authentic in Accounting-On/Off
Acct-Authentic is used to indicate how the user was authenticated and as
such, should not be sent in Accounting-On and Accounting-Off.

Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
2016-02-05 18:06:33 +02:00
Nick Lowe
696544efed RADIUS: Do not include Acct-Terminate-Cause in Accounting-On/Off
Per RFC 2866, 5.10, it is invalid to send Acct-Terminate-Cause in
Accounting-On and Accounting-Off (this is included only when
Acct-Status-Type is set to Stop).

Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
2016-02-05 17:59:07 +02:00
Eduardo Abinader
236053e532 Make fallback from HT40 to HT20 work
Ensure that if it is not possible to configure an allowed 20 MHz
channel pair, hostapd falls back to a single 20 MHz channel.

Signed-off-by: Eduardo Abinader <eabinader@ocedo.com>
2016-02-05 17:52:47 +02:00
Jouni Malinen
c599ddd124 tests: Allow fallback to 20 MHz in ap_ht40_5ghz_invalid_pair
This test case for enforcing that AP setup fails in case there is need
to fall back to 20 MHz channel due to invalid 40 MHz configuration.
Modify this to allow successful AP startup as long as 40 MHz channel
does not get enabled.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-05 17:51:24 +02:00
Roy Marples
cb22e3b250 BSD: Zero ifindex on interface removal
If an interface is removed, zero the remembered ifindex.
Don't try to set properties on the interface when it is removed.

Signed-off-by: Roy Marples <roy@marples.name>
2016-02-05 17:40:45 +02:00
Rubin Xu
a8ef133f1d Android: Support multiple CA certs when connecting to EAP network
In the Android-specific case, make ca_cert directive parse a
space-separated list of hex-encoded CA certificate aliases following the
"keystores://" prefix. Server certificate validation should succeed as
long as the chain ends with one of them.

Signed-off-by: Rubin Xu <rubinxu@google.com>
2016-02-05 17:31:46 +02:00
Jouni Malinen
561536205a tests: WNM BSS Transition Management with invalid operating class
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-05 17:07:48 +02:00
Jouni Malinen
80ce804e88 WNM: Workaround for broken AP operating class behavior
Some APs do not advertise operating classes correctly for BSS Transition
Management. Try to determine the most likely operating frequency based
on the channel number (1..14 --> 2.4 GHz; 36..169 --> 5 GHz) if invalid
op_class == 0 is received in a BSS Transition Management Request. This
speeds up the following operating by avoiding a full scan due to an
unknown channel.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-05 17:06:06 +02:00
Roy Marples
af060932de BSD: Disable interface on down
Instead of removing the interface when downed, disable it. Enable it
when it comes back up again.

Signed-off-by: Roy Marples <roy@marples.name>
2016-02-05 12:37:25 +02:00
Roy Marples
dc0ad60314 BSD: Use correct ifindex from route messages
Use the interface index from the correct structure according to the
message instead of assuming rtm_index is correct.

Signed-off-by: Roy Marples <roy@marples.name>
2016-02-05 12:36:44 +02:00
Roy Marples
5f17b2c60e BSD: __FUNCTION__ -> __func__
Signed-off-by: Roy Marples <roy@marples.name>
2016-02-05 12:29:33 +02:00
Jouni Malinen
2088ecb970 OSU: Add debug printing of more LogotypeExtn fields
Couple of the image info fields were not printed previously in debug
log. Add those to make this more complete.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-05 00:24:49 +02:00
Jouni Malinen
0b905c8a87 Add the selector suite into wpa_parse_wpa_ie_rsn() "invalid group cipher"
This makes it easier to debug AP selection issues in case of an invalid
RSN element or use of customer cipher suites that are not supported by
wpa_supplicant.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-03 12:58:07 +02:00
Jouni Malinen
d4c2860b6b tests: P2P persistent group re-invocation with peer having dropped info
This verifies that the persistent group information gets dropped based
on peer response (unknown group) and that a new group formation can be
completed after such invitation failure.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-02 13:27:32 +02:00
Jouni Malinen
a89faedc22 tests: EAP-TLS error cases
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-02-02 00:39:39 +02:00
Jouni Malinen
d4af4d275a tests: EAP-TLS protocol tests
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-02-02 00:24:36 +02:00
Jouni Malinen
504108dbdf tests: Generate new certificates for Suite B test cases
The previous version expired in January. The new ones are from running
ec-generate.sh and ec2-generate.sh again.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-02 00:09:20 +02:00
Jouni Malinen
03a72eacda VHT: Add an interoperability workaround for 80+80 and 160 MHz channels
Number of deployed 80 MHz capable VHT stations that do not support 80+80
and 160 MHz bandwidths seem to misbehave when trying to connect to an AP
that advertises 80+80 or 160 MHz channel bandwidth in the VHT Operation
element. To avoid such issues with deployed devices, modify the design
based on newly proposed IEEE 802.11 standard changes.

This allows poorly implemented VHT 80 MHz stations to connect with the
AP in 80 MHz mode. 80+80 and 160 MHz capable stations need to support
the new workaround mechanism to allow full bandwidth to be used.
However, there are more or less no impacted stations with 80+80/160
capability deployed.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-02 00:09:19 +02:00
Purushottam Kushwaha
e15dcf6d1b nl80211: Avoid potential memory leak on error path
The called function nl80211_ht_vht_overrides() was not freeing "msg"
resource in error cases.

Signed-off-by: Purushottam Kushwaha <p.kushwaha@samsung.com>
2016-01-15 20:27:38 +02:00
Jouni Malinen
c31302c038 tests: Verify that ip_addr_* gets written to config file
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-15 20:25:38 +02:00
Purushottam Kushwaha
17d32eb3d3 Allow re-write of ip_addr* configurations to conf file.
This patch keeps ip_addr* configuration in conf file while
updating supplicant conf file either internally by supplicant or
due to save_config command.

Signed-off-by: Purushottam Kushwaha <p.kushwaha@samsung.com>
Signed-off-by: Avichal Agarwal <avichal.a@samsung.com>
2016-01-15 20:23:25 +02:00
Purushottam Kushwaha
bcce934755 dbus: Restrict DeviceName size to 32 characters in setter
The maximum WPS Device Name length is 32 characters and that limit was
already enforced for the control interface and configuration files.

Signed-off-by: Purushottam Kushwaha <p.kushwaha@samsung.com>
2016-01-15 20:16:13 +02:00
Roy Marples
7c70fe2c6e Sort options and reduce printf calls in wpa_supplicant usage text
Signed-off-by: Roy Marples <roy@marples.name>
2016-01-15 20:11:54 +02:00
Jouni Malinen
6b418ce862 Fix wpa_supplicant build with IEEE8021X_EAPOL=y and CONFIG_NO_WPA=y
The PMKSA caching and RSN pre-authentication components were marked as
conditional on IEEE8021X_EAPOL. However, the empty wrappers are needed
also in a case IEEE8021X_EAPOL is defined with CONFIG_NO_WPA.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-15 20:04:41 +02:00
Jouni Malinen
5a38a7fe43 tests: Roam between two WPA2-PSK APs and try to hit a disconnection race
This is a regression test case for hostapd bug where the
disconnection/deauthentication TX status callback timeout could be
forgotten after new association if no ACK frame was received and the STA
managed to reconnect within two seconds.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-15 19:34:58 +02:00
Jouni Malinen
03269d558a AP: Print interface name in more STA events
This makes it easier to follow a debug log from a hostapd process that
manages multiple interfaces.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-15 19:32:49 +02:00
Jouni Malinen
9e8fde2134 AP: Fix Deauth/Disassoc TX status timeout handling
The ap_sta_deauth_cb and ap_sta_disassoc_cb eloop timeouts are used to
clear a disconnecting STA from the kernel driver if the STA did not ACK
the Deauthentication/Disassociation frame from the AP within two
seconds. However, it was possible for a STA to not ACK such a frame,
e.g., when the disconnection happened due to hostapd pruning old
associations from other BSSes and the STA was not on the old channel
anymore. If that same STA then started a new authentication/association
with the BSS, the two second timeout could trigger during this new
association and result in the STA entry getting removed from the kernel.

Fix this by canceling these eloop timeouts when receiving an indication
of a new authentication or association.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-15 19:32:49 +02:00
Jouni Malinen
269f9d5d10 EAP peer: Use ifdef PCSC_FUNCS to get rid of compiler warnings
clang started warning about the use of || with constants that came from
PCSC_FUNCS not being enabled in the build. It seems to be easier to just
ifdef this block out completely since that has the same outcome for
builds that do not include PC/SC support.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-15 18:41:30 +02:00
Jouni Malinen
c6e0b4bb86 FST: Get rid of gcc extensions in structure/array initialization
These constructions were causing warnings when built with clang.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-15 18:40:21 +02:00
Jouni Malinen
2e3a41a53f hs20-osu-client: Fix check for osu_nai being available
This is an array, so the pointer is never NULL; need to check that the
first character is not '\0' instead.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-15 18:39:03 +02:00
Jouni Malinen
fb3db14a6f tests: Fix EAP-SAKE error test case coverage
This was missing the second eap_sake_compute_mic() call in
eap_sake_process_confirm().

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-15 18:18:25 +02:00
Jouni Malinen
5b0ec907c1 tests: More EAP-MSCHAPv2 error coverage
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-15 17:42:13 +02:00
Jouni Malinen
eaef5861d7 tests: Fix wpas_ctrl_oom
The OpenSSL memory allocation changes broke this test case. Fix this by
removing the cases that do not get triggered anymore and add a separate
wpas_ctrl_error test case to cover the fail_test() versions of errors.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-15 16:27:13 +02:00
Jouni Malinen
ac2053b103 OpenSSL: Clean up openssl_digest_vector() to use a single implementation
Use compatibility wrapper functions to allow a single implementation
based on the latest OpenSSL API to be used to implement these functions
instead of having to maintain two conditional implementations based on
the library version.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-15 14:17:16 +02:00
Jouni Malinen
5c9a33702f OpenSSL: Clean up crypto_hash_*() to use a single implementation
Use compatibility wrapper functions to allow a single implementation
based on the latest OpenSSL API to be used to implement these functions
instead of having to maintain two conditional implementations based on
the library version.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-15 14:14:07 +02:00
Jouni Malinen
587b0457e0 LibreSSL: Fix build with LibreSSL
The changes needed for OpenSSL 1.1.0 had broken this since LibreSSL is
defining OPENSSL_VERSION_NUMBER in a manner that claims it to be newer
than the current OpenSSL version even though it does not support the
current OpenSSL API.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-15 14:06:46 +02:00
Jouni Malinen
0daa9f6a13 EAP-TTLS peer: Fix success after fragmented final Phase 2 message
If the final Phase 2 message needed fragmentation, EAP method decision
was cleared from UNCOND_SUCC or COND_SUCC to FAIL and that resulted in
the authentication failing when the EAP-Success message from the server
got rejected. Fix this by restoring the EAP method decision after
fragmentation.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-15 13:37:15 +02:00
Jouni Malinen
1a6f86593b tests: Clean up eap_proto_ikev2
Use helper variable to indicate end of the test case instead of having
to use a fixed length of the loop.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-15 10:37:04 +02:00
Jouni Malinen
35372f6cd6 tests: EAP-IKEv2 with default fragment_size
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-15 10:36:41 +02:00
Jouni Malinen
7843ae4456 tests: More EAP-SIM and EAP-AKA local error coverage
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-15 01:15:11 +02:00
Jouni Malinen
7cbc8e6719 tests: fail_test instead of alloc_fail for aes_{encrypt,decrypt}_init
This is needed to fix ap_wpa2_eap_psk_oom, ap_wpa2_eap_sim_oom,
eap_proto_psk_errors, and ap_ft_oom with the new OpenSSL dynamic memory
allocation design.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-14 20:10:16 +02:00
Jouni Malinen
465196ebd2 tests: aes_encrypt_init() and aes_decrypt_init() to use TEST_FAIL
Now that these functions cannot be made to fail by forcing the memory
allocation fail since the OpenSSL-internal version is used, add
TEST_FAIL check to allow OOM test cases to be converted to use the
TEST_FAIL mechanism without reducing coverage.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-14 19:44:47 +02:00
Jouni Malinen
1eb87ae48d OpenSSL: Use EVP_CIPHER_CTX_new() to work with OpenSSL 1.1.0
The EVP_CIPHER_CTX structure will be made opaque in OpenSSL 1.1.0, so
need to use EVP_CIPHER_CTX_new() with it instead of stack memory. The
design here moves the older OpenSSL versions to use that dynamic
allocation design as well to minimize maintenance effort.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-14 19:30:24 +02:00
Jouni Malinen
3fb3bea8e9 OpenSSL: Update session_secret callback to match OpenSSL 1.1.0 API
The SSL_CIPHER **cipher argument was marked const in OpenSSL 1.1.0
pre-release 2 similarly to how this is in BoringSSL. Fix build with that
in preparation for supporting OpenSSL 1.1.0.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-14 19:28:33 +02:00
Jouni Malinen
72a4c5ceb6 tests: Additional EAP-pwd error case coverage
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-14 12:12:14 +02:00