Commit graph

10896 commits

Author SHA1 Message Date
Jouni Malinen
8854f90bad mesh: Simplify wpa_auth_pmksa_set_to_sm()
pmksa->pmk or pmksa->pmkid cannot be NULL since they are arrays. Remove
the unnecessary NULL checks and use the provided pmksa pointer directly
to simplify the implementation. (CID 138519)

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-03-22 20:38:44 +02:00
Jouni Malinen
32d4fe9549 privsep: Fix a compiler warning on unsigned/signed comparison
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-03-22 17:41:37 +02:00
Roy Marples
2e997eece5 Add interface matching support with -M, guarded by CONFIG_MATCH_IFACE
The new wpa_supplicant command line argument -M can be used to describe
matching rules with a wildcard interface name (e.g., "wlan*").

This is very useful for systems without udev (Linux) or devd (FreeBSD).

Signed-off-by: Roy Marples <roy@marples.name>
2016-03-22 17:41:37 +02:00
Roy Marples
45e3fc72c6 Find correct driver for interface additions/removals
Interface additions/removals are not guaranteed to be for the driver
listening to the kernel events. As such, send the events to
wpa_supplicant_event_global() which can then pick the correct interface
registered with wpa_supplicant to send the event to.

Signed-off-by: Roy Marples <roy@marples.name>
2016-03-22 17:41:37 +02:00
Jouni Malinen
90377029c6 wpa_supplicant: Fix CONFIG_IBSS_RSN=y build without CONFIG_AP=y
Commit 1889af2e0f ('VLAN: Separate station
grouping and uplink configuration') added an ap_sta_set_vlan() function
that gets called from pmksa_cache_auth.c. This broke CONFIG_IBSS_RSN=y
build if src/ap/sta_info.c did not get included in the build, i.e., if
CONFIG_AP=y was not set.

Fix this by making the ap_sta_set_vlan() call conditional on
CONFIG_NO_VLAN being undefined and define this for CONFIG_IBSS_RSN=y
builds. This is fine for wpa_supplicant since CONFIG_AP=y case was
already defining this. For hostapd, this function call is not needed for
CONFIG_NO_VLAN case either.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-03-21 21:12:20 +02:00
Jouni Malinen
71666dc33a tests: Allow RC4-SHA failure in ap_wpa2_eap_fast_cipher_suites
This needs to be allowed with OpenSSL 1.1.0 since the RC4-based cipher
has been disabled by default.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-03-21 13:12:10 +02:00
Janusz Dziedzic
d4944fad72 tests: Improve debug logs in hostapd/wpasupplicant with remote commands
Show more info when we are using remote wpaspy and UDP-based control
interface.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2016-03-20 21:49:35 +02:00
Janusz Dziedzic
8ce4855b23 tests: hostapd.py/wpasupplicant.py use Host when executing commands
Execute commands using the Host class. This enables use of remote hosts
as well.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2016-03-20 21:49:26 +02:00
Janusz Dziedzic
2fa2671573 tests: Add remotehost.py and Host class
This class allows execution of commands on a remote hosts/machine. This
is based on ssh with authorized keys, so you should be able to execute
such commands without any password:

ssh <user>@<hostname> id

By default user is root.

Support for sync and async calls is included.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2016-03-20 21:49:24 +02:00
Janusz Dziedzic
5ae65de0b7 wpa_supplicant: Fix p2p_group_add when UDP-based ctrl_iface is used
While p2p_group_add ctrl_interface name could be derived from the main
interface (simple p2p_group_add command), we failed to bind the same UDP
port. Fix this problem and also update the correct ctrl_interface name
(port decrement).

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2016-03-20 21:41:40 +02:00
Jouni Malinen
24bce46e9c FST: Fix a compiler warning
FST_MAX_PRIO_VALUE is unsigned (u32) and some gcc versions warning about
comparisong to long int val at least on 32-bit builds. Get rid of this
warning by type casesing val to unsigned long int after having verified
that it is positive.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-03-20 21:38:45 +02:00
Jouni Malinen
e567c582a7 Fix nfc_pw_token build with CONFIG_FST=y
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-03-20 20:18:55 +02:00
Jouni Malinen
557b52bf4a tests: Add CONFIG_VLAN_NETLINK=y to hostapd build configuration
This is needed for ap_vlan_tagged_wpa2_radius_id_change to pass. The
ioctl-based vlan_add() function does not use the vlan_if_name parameter
at all.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-03-20 19:54:57 +02:00
Masashi Honma
d774c46aae mesh: Use appropriate BLOCKED state duration
Previously, BLOCKED state duration slightly increased up to 3600. Though
the BLOCKED state could be canceled by ap_handle_timer(). Because the
timer timeouts in ap_max_inactivity(default=300sec) and remove STA
objects (the object retains BLOCKED state).

This patch re-designs my commit bf51f4f82b
('mesh: Fix remaining BLOCKED state after SAE auth failure') to replace
mesh_auth_block_duration by ap_max_inactivity and remove incremental
duration.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2016-03-20 18:24:29 +02:00
Jouni Malinen
5a34d359cd tests: Secure mesh network and PMKSA caching
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-03-20 18:24:29 +02:00
Jouni Malinen
865fa1e9ea tests: PMKSA cache control interface operations
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-03-20 18:06:03 +02:00
Masashi Honma
9f2cf23e2e mesh: Add support for PMKSA caching
This patch add functionality of mesh SAE PMKSA caching. If the local STA
already has peer's PMKSA entry in the cache, skip SAE authentication and
start AMPE with the cached value.

If the peer does not support PMKSA caching or does not have the local
STA's PMKSA entry in the cache, AMPE will fail and the PMKSA cache entry
of the peer will be removed. Then STA retries with ordinary SAE
authentication.

If the peer does not support PMKSA caching and the local STA uses
no_auto_peer=1, the local STA can not retry SAE authentication because
NEW_PEER_CANDIDATE event cannot start SAE authentication when
no_auto_peer=1. So this patch extends MESH_PEER_ADD command to use
duration(sec). Throughout the duration, the local STA can start SAE
authentication triggered by NEW_PEER_CANDIDATE even though
no_auto_peer=1.

This commit requires commit 70c93963ed
('SAE: Fix PMKID calculation for PMKSA cache'). Without that commit,
chosen PMK comparison will fail.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2016-03-20 17:56:38 +02:00
Masashi Honma
4c522c7798 PMKSA: Flush AP/mesh PMKSA cache by PMKSA_FLUSH command
This extends the wpa_supplicant PMKSA_FLUSH control interface command to
allow the PMKSA list from the authenticator side to be flushed for AP
and mesh mode. In addition, this adds a hostapd PMKSA_FLUSH control
interface command to flush the PMKSA entries.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2016-03-20 17:37:53 +02:00
Masashi Honma
b8daac18a4 PMKSA: Show AP/mesh PMKSA list in PMKSA command
This extends the wpa_supplicant PMKSA control interface command to allow
the PMKSA list from the authenticator side to be listed for AP and mesh
mode. In addition, this adds a hostapd PMKSA control interface command
to show the same list for the AP case.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2016-03-20 17:37:53 +02:00
Masashi Honma
2604edbfbd mesh: Add MESH_PEER_ADD command
This allows a mesh peer connection to be initiated manually in
no_auto_peer mesh networks.

Signed-off-by: Natsuki Itaya <Natsuki.Itaya@jp.sony.com>
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2016-03-20 17:37:53 +02:00
Masashi Honma
e174ef341b mesh: Add MESH_PEER_REMOVE command
This command allows the specified mesh peer to be disconnected.

Signed-off-by: Natsuki Itaya <Natsuki.Itaya@jp.sony.com>
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2016-03-20 17:37:53 +02:00
Jouni Malinen
f7648c8679 P2P: Advertise IP Address Allocation only if it is enabled on GO
This group capability bit was previously added unconditionally which
could result in the P2P Client assuming the functionality is available
even though the GO would always reject the request (not reply to it with
an assigned IP address) during the 4-way handshake.

Fix this by advertising the capability only if the GO configuration
allow IP address assignment to be completed.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-03-20 17:37:53 +02:00
Roy Marples
7f46ad9ee5 BSD: Only down the interface once we are sure we can work with it
Signed-off-by: Roy Marples <roy@marples.name>
2016-03-20 11:24:30 +02:00
Daisuke Niwa
192964ddc3 Handle OSEN IE in Assoc Request info if req_ies exists
The 4-way handshake fails with the error "WPA: No wpa_ie set - cannot
generate msg 2/4" while connecting to OSEN network with drivers that
indicate used Association Request frame elements because OSEN IE is not
handled in wpa_supplicant_event_associnfo() if data->assoc_info.req_ies
is not NULL.

Signed-off-by: Daichi Ueura <daichi.ueura@sonymobile.com>
2016-03-20 11:17:39 +02:00
Jouni Malinen
2b5488a4e1 tests: Return result from WpaSupplicant::global_request() in all cases
The no self.global_iface case was not returning the result from the
self.request() case. While this is not really a path that is supposed to
be used, make it return the response since it is at least theoretically
possible to get here.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-03-20 11:08:12 +02:00
Jouni Malinen
29eddc3d8c nl80211: Fix error path in if_indices_reason reallocation
Commit 732b1d20ec ('nl80211: Clean up
ifidx properly if interface in a bridge is removed') added
drv->if_indices_reason array similarly to the previously used
drv->if_indices. However, it had a copy-paste error here on the error
path where a reallocation failure after at least one successful
reallocation would result in the drv->if_indices being overridden
instead of restoring drv->if_indices_reason to the old value. Fix this
by setting the correct variable on the error path. (CID 138514)

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-03-18 16:25:35 +02:00
Jouni Malinen
8c9aa2bc8d tests: wpa_supplicant AP mode - open network and HT disabled
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-03-18 16:18:32 +02:00
Jouni Malinen
ee298f1b1f nl80211: Do not add NL80211_ATTR_SMPS_MODE attribute if HT is disabled
SMPS mode is applicable only for HT and including an attribute to
configure it when HT is disabled could result in the AP start operation
failing. Fix this by adding the attribute only in cases where HT is
enabled.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-03-18 16:16:40 +02:00
Sunil Dutt
4ca16b5fd7 Assign QCA vendor command and attribute for Tx/Rx aggregation
Assign nl80211 vendor command
QCA_NL80211_VENDOR_SUBCMD_SET_TXRX_AGGREGATION and corresponding
attributes.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-03-17 20:53:25 +02:00
Jouni Malinen
64ce5905f8 libxml2: Check for xmlDocDumpFormatMemory() error case
Since this function needs to allocate memory, it might fail. Check that
the returned memory pointer is not NULL before trying to parse the
output.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-03-16 21:49:28 +02:00
Jouni Malinen
8b827c342f BoringSSL: Keep static analyzers happier with X509_get0_pubkey_bitstr()
While this function could return NULL if the parameter issued to it were
NULL, that does not really happen here. Anyway, since this can result in
a warning from a static analyzer that does can see the return NULL
without fully understanding what it means here, check the return value
explicitly against NULL to avoid false warnings.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-03-16 21:34:01 +02:00
Jouni Malinen
42a95533a8 hs20-osu-client: Fix pol_upd command line parsing
This command was documented as having the Server URL parameter as
optional, but the implementation did not match that. Allow this
parameter to be left out.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-03-16 21:25:11 +02:00
Jouni Malinen
ec1eae849e hs20-osu-client: Remove dead code from sub_rem command line parsing
The error print could not have been reached since the exact same
condition was verified above and exit(0) is called if the command line
is invalid.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-03-16 21:19:19 +02:00
Jouni Malinen
6c7fed4683 tests: EAP-SIM and check fast reauth with bssid change
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-03-16 19:46:27 +02:00
Jouni Malinen
c3dc68e844 Do not invalidate EAP session cache on all network block parameter changes
The bssid and priority parameters in a network block do not have any
effect on the validity of an EAP session entry, so avoid flushing the
cached session when only these parameters are changed. This is mainly to
allow forced roaming or network selection changes without causing fast
reauthentication to be disabled if the changes are done during RSN
association that used EAP.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-03-16 19:44:32 +02:00
Jouni Malinen
9231c2476f wlantest: Fix bip_protect() memory allocation
The addition operator is of higher precedence than the ternary
conditional and the construction here needs to use parentheses to
calculate the buffer length properly when generating test frames with
BIP protection.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-03-14 18:42:46 +02:00
Jouni Malinen
c6c29be1bd Interworking: Add credential realm to EAP-TLS identity
If the configured credential includes a username without '@' (i.e., no
realm) in it and a realm, combine these to form the EAP-Request/Identity
value as "<username>@<realm>" for EAP-TLS. This was already done for
EAP-TTLS as part of the anonymous NAI conversion, but EAP-TLS could have
ended up using a username without any realm information which would be
unlikely to work properly with roaming cases.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-03-11 21:06:15 +02:00
Jouni Malinen
8b29661192 tests: Accept "user@example.com" as user identity similarly to "user"
This is needed to allow updated Interworking behavior that adds the
realm to the EAP-Response/Identity value.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-03-11 21:06:15 +02:00
Dedy Lansky
f2d6c17aa0 nl80211: Support network hierarchy of a master interface under bridge
Since commit cb05808c46 ('nl80211: Generic
Linux master interface support for hostapd'), hostapd is listening for
EAPOL frames on any master which the interface is enslaved under.

This commit allows hostapd to support network hierarchy in which the
interface is enslaved under some master which in turn is enslaved under
a bridge.

Signed-off-by: Dedy Lansky <qca_dlansky@qca.qualcomm.com>
2016-03-09 21:03:41 +02:00
Jouni Malinen
71fd685fb8 tests: Set ocsp_stapling_response_multi in as2.conf
This keeps the as.conf and as2.conf more consistent.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-03-09 19:49:24 +02:00
Jouni Malinen
40ae4a2ff2 tests: Fix root_ocsp() for multi-OCSP test cases
Incorrect path and file name was used in the openssl command to generate
one of the OCSP responses. Also fix
ap_wpa2_eap_tls_intermediate_ca_ocsp_multi to expect success rather than
failure due to OCSP response. Based on the test description, this was
supposed to succeed, but apparently that root_ocsp() bug prevented this
from happening.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-03-09 19:48:35 +02:00
Jouni Malinen
f85399f396 Reserve QCA vendor specific nl80211 commands 116..118
These are reserved for QCA use.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-03-08 23:08:45 +02:00
Zefir Kurtisi
3bd58861ae hostapd: Handle running out of DFS channels
In scenarios where only DFS channels are available (e.g., outdoor,
special country codes), hostapd must be able to handle situations
where all are unavailable.

The two possibilities to get there are
1) while operating on the last available DFS channel a radar is
   detected
2) hostapd is started while all channels are unavailable

In both cases, hostapd instead of terminating should better
wait for the NOPs to pass and re-try operation after the CAC.

This patch provides that feature by using the condition
(iface->state == HAPD_IFACE_DFS && !iface->cac_started)
as NOP mode signature to retry operation from within
hostapd_dfs_nop_finished().

Signed-off-by: Zefir Kurtisi <zefir.kurtisi@neratec.com>
2016-03-08 12:16:37 +02:00
Dedy Lansky
cc1af6faed FST: Fix session setup failure with peer without MB IE
Upon receiving FST setup request on old band, the peer is searched on
new band. The assumption is that MB IE from this peer on new band
previously received either in assoc event or in FST setup request.

There are cases in which above assumption doesn't work, peer is not
found and session setup fails. For example:
- STA connects over 11ac. Due to driver limitation, MB IE is not included
in assoc event
- STA connects over 11ad. MB IE included in assoc event.
- FST session established on 11ac band, with AP as initiator. i.e. FST
setup request sent in AP=>STA direction. STA searches for peer's (AP)
MB IE on 11ad band which exists.
- FST switch occur
- FST session established on 11ad band, with STA as initiator. i.e. FST
setup request sent in STA=>AP direction. AP searches for peer's (STA)
MB IE on 11ac band which are absent.

For fixing the above, consider also peers without MB IE as candidates in
the search algorithm.

Signed-off-by: Dedy Lansky <qca_dlansky@qca.qualcomm.com>
2016-03-07 18:04:47 +02:00
Lior David
dfe0745c9a P2P: Add optional op_class argument to P2P_SET listen_channel
The existing implementation in p2p_ctrl_set used a hard-coded operating
class 81 which is only suitable for the social channels in the 2.4 GHz
band, and will not work for the social channel in the 60 GHz band.
Extend this by adding an optional op_class argument to P2P_SET
listen_channel. If not specified, use the default value of 81 to match
existing behavior.

Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
2016-03-07 13:51:01 +02:00
Lior David
e4a1469cec P2P: Adjust service discovery maximum fragment size for 60 GHz
In the 60 GHz band, service discovery management frames are sent over
the control PHY and have a smaller maximum frame size (IEEE Std
802.11ad-2012, 21.4.3.2). Fix the code to use sufficiently small
fragment size when operating in the 60 GHz band.

The 60 GHz fragment size (928) is derived from the maximum frame size
for control PHY (1023) and subtracting 48 bytes of header size, and some
spare so we do not reach frames with the absolute maximum size.

Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
2016-03-07 13:47:01 +02:00
Johannes Berg
890fd60f7d tests: Add tests for HS 2.0 frame filtering
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2016-03-07 11:07:58 +02:00
Bob Copeland
fa7f9570f2 tests: Add a test for mesh gate forwarding
This test checks that mesh nodes forward frames for unknown
destinations to the mesh gates.

Signed-off-by: Bob Copeland <me@bobcopeland.com>
2016-03-07 11:05:22 +02:00
Jouni Malinen
dbd183c717 tests: D-Bus AssocStatusCode
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-03-06 20:54:16 +02:00
Naveen Singh
c7fb678f31 D-Bus: Add association response status code property for failure cases
(Re)Association Response frame with status code other than 0 is now
notified over DBUS as a part of PropertiesChanged signal. This can be
used by application in case AP is denying association with status code
17 (band steering) so that it does not interfere in the BSSID selection
logic of wpa_supplicant.

Signed-off-by: Naveen Singh <nasingh@google.com>
2016-03-06 20:44:51 +02:00