Commit graph

4012 commits

Author SHA1 Message Date
Jouni Malinen
9429bee4cc EAP-TLS server: Clear temporary buffer during EMSK derivation
Now that EMSK derivation is taken into use with ERP, it is better to
make sure the temporary MSK + EMSK buffer does not get left in heap
after use.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-01 01:28:19 +02:00
Jouni Malinen
d1f89dd732 EAP server: Add getSessionId
This extends EAP server implementation to derive Session-Id similarly to
the existing EAP peer implementation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-30 15:53:11 +02:00
Jouni Malinen
d68f74c5ff EAP peer: Clean up TLS Session-Id derivation function
The comment about library not supporting Session-Id derivation was not
accurate and there is no need to check for master key that is not used
as part of derivation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-30 15:53:11 +02:00
Jouni Malinen
0a11409c00 Fix omac1_aes_128_vector() not to read beyond addr/len array
Previously, it was possible for the loop through the data components to
increment addr/len index at the last position beyond the declared size.
This resulted in reading beyond those arrays. The read values were not
used and as such, this was unlikely to cause noticeable issues, but
anyway, memory checkers can detect this and the correct behavior is to
stop increments before going beyond the arrays since no more bytes will
be processed after this anyway.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-30 15:53:11 +02:00
Jouni Malinen
631739b361 Clear WLAN_STA_ASSOC_REQ_OK on AP-initiated deauthentication
This flag was left in the STA entry for the short duration after the STA
gets deauthenticated. If the STA sends a Class 2 or 3 frame during that
short time, the AP would not have replied with Deauthentication frame
indicating no association is present.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-29 13:31:54 +02:00
Jouni Malinen
0ecff8d7c3 Add hostapd driver_params config parameter
This is mainly for development testing purposes to allow driver_nl80211
behavior to be modified.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-29 13:24:42 +02:00
Jouni Malinen
ebd557288c Remove forgotten driver_test.c variables
hostapd was still providing couple of parameters that were used only in
the already removed driver_test.c framework.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-29 12:49:55 +02:00
Jouni Malinen
bd26031b4b wext: Fix non-WPA/WPA2 connection with extra IEs
The associate() handler was not prepared for params->wpa_ie containing
some other IEs than WPA/RSN IE and ended up configuring security policy
incorrectly for open networks if such IEs were present. Fix this by
using wpa_proto parameter instead of IEs to determine security policy
for driver configuration.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-11-28 23:02:30 +02:00
Johannes Berg
d306df7919 wext: Add very basic status command support
Just to make the test framework happy, it uses the driver
status command to obtain the interface MAC address.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2014-11-28 23:02:29 +02:00
Jouni Malinen
3c02cfdb3a proxyarp: Do not limit NDISC snoop packet size to 150
The RA, NS, and NA packets may be longer, so do not arbitrarily limit
the packet socket capture size to 150 bytes in the socket filter.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-11-28 22:41:26 +02:00
Jouni Malinen
bcb132e185 proxyarp: Validate IPv4 header total length value in dhcp_snoop
This field needs to be validated in addition to validating the total
length of the received frame to avoid reading beyond the frame buffer.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-11-28 22:41:26 +02:00
Jouni Malinen
8c5043b42c proxyarp: Relax frame length limit for RA and NA
Only the NS frames should be checked to be long enough to cover all the
fields used in the NS data structure. This allows shorter RA and NA
frames to be processed for multicast-to-unicast rules.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-11-28 22:37:05 +02:00
Jouni Malinen
ef3ea80c68 proxyarp: Fix x_snoop multicast-to-unicast debug print
l2_packet_send() returns >= 0 on success, i.e., non-zero value does not
mean failure. Fix this debug print to show up only on negative return
values.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-11-28 22:37:05 +02:00
Jouni Malinen
89052e9952 proxyarp: Add debug log entry on multicast-to-unicast conversion
This makes it easier to debug operations. The debug message is marked
EXCESSIVE, though, to avoid filling the logs with too much information
in default debugging cases.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-11-28 22:37:05 +02:00
Jouni Malinen
df131d4597 proxyarp: Try multicast-to-unicast conversion only for authorized STAs
There is no point in trying to send the unicast converted version to a
STA that is not in authorized state since the driver would be expected
to drop normal TX Data frames in such state.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-11-28 22:36:56 +02:00
Rashmi Ramanna
ac330cfd87 P2P: Reinvite with social operation channel if no common channels
If invitation to reinvoke a persistent group from the GO fails with the
peer indicating that there are no common channels, there is no defined
means for the peer to indicate which channel could have worked. Since
this type of issue with available channels changing over time can
happen, try to work around this by retrying invitation using one of the
social channels as the operating channel unless a specific operating
channel was forced for the group.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-11-27 17:55:54 +02:00
Jouni Malinen
f33c82d23e nl80211: Change iftype to station on leaving mesh
This is needed to make following operations behave as expected since
mesh iftypes may prevent various operations (e.g., registering Probe
Request frame RX). Use same design as leave_ibss does to handle this
consistently.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-11-27 17:12:47 +02:00
Jouni Malinen
7a94120ea9 nl80211: Clear ignore_if_down_event if interface is up
It was possible for the ignore_if_down_event flag to remain set in some
cases where interface mode change required the interface to be set down
temporarily. If that happened, the following rfkill interface down could
have been ignored and device could have been left trying to scan or
connect (which would all fail due to the interface beign down). Clean
this up by clearing the ignore_if_down_event flag on the interface down
event regardless of whether the interface is up at the time this event
is processed.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-11-27 14:59:28 +02:00
Jouni Malinen
8997613c90 nl80211: Fix br_ifindex storing when hostapd creates the bridge
Commit 6c6678e7a4 ('nl80211: Make
br_ifindex available in i802_bss') did not cover the case where
i802_check_bridge() ends up creating the bridge interface. That left
bss->br_ifindex zero and prevented neighbor addition. Extend that
functionality to update br_ifindex once the bridge netdev has been
added.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-11-26 01:16:35 +02:00
Jouni Malinen
a6b4ee217a proxyarp: Print learned IPv6 address in debug log
This makes it easier to debug issues related to IPv6 address snooping.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-11-26 01:09:54 +02:00
Jouni Malinen
a7fb5ea463 proxyarp: Fix DHCP and ND message structures
These need to be marked packed to avoid issues with compilers
potentially adding padding between the fields (e.g., gcc on 64-bit
seemed to make struct icmpv6_ndmsg two octets too long which broke IPv6
address discovery).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-11-26 01:09:54 +02:00
Jouni Malinen
a437378f98 proxyarp: Use C library header files and CONFIG_IPV6
This replaces the use of Linux kernel header files (linux/ip.h,
linux/udp.h, linux/ipv6.h, and linux/icmpv6.h) with equivalent header
files from C library. In addition, ndisc_snoop.c is now built
conditionally on CONFIG_IPV6=y so that it is easier to handle hostapd
builds with toolchains that do not support IPv6 even if Hotspot 2.0 is
enabled in the build.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-25 16:58:21 +02:00
Masashi Honma
a959a3b69d SAE: Fix Anti-Clogging Token request frame format
This commit inserts Finite Cyclic Group to Anti-Clogging Token request
frame because IEEE Std 802.11-2012, Table 8-29 says "Finite Cyclic Group
is present if Status is zero or 76".

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2014-11-25 16:08:53 +02:00
Masashi Honma
872b754512 mesh: Fix SAE anti-clogging functionality for mesh
The mesh anti-clogging functionality is implemented partially. This
patch fixes to parse anti-clogging request frame and use anti-clogging
token.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2014-11-25 15:33:04 +02:00
Jouni Malinen
649c0a6974 WPA: Use more explicit WPA/RSN selector count validation
Some static analyzers had problems understanding "left < count * len"
(CID 62855, CID 62856), so convert this to equivalent "count > left /
len" (len here is fixed to 4, so this can be done efficiently).

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 21:08:13 +02:00
Jouni Malinen
adf96fb66b WPS: Add explicit message length limit of 50000 bytes
Previously, this was implicitly limited by the 16-bit length field to
65535. This resulted in unhelpful static analyzer warnings (CID 62868).
Add an explicit (but pretty arbitrary) limit of 50000 bytes to avoid
this. The actual WSC messages are significantly shorter in practice, but
there is no specific protocol limit, so 50000 is as good as any limit to
use here.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 21:03:40 +02:00
Jouni Malinen
5c6787a6ca PeerKey: Clean up EAPOL-Key Key Data processing on AP
This extends the earlier PeerKey station side design to be used on the
AP side as well by passing pointer and already validated length from the
caller rather than parsing the length again from the frame buffer. This
avoids false warnings from static analyzer (CID 62870, CID 62871,
CID 62872).

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 21:03:40 +02:00
Jouni Malinen
d36f416926 EAP-IKEv2: Make proposal_len validation clearer
Some static analyzers seem to have issues understanding "pos +
proposal_len > end" style validation, so convert this to "proposal_len >
end - pos" to make this more obvious to be bounds checking for
proposal_len. (CID 62874)

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 21:03:40 +02:00
Jouni Malinen
c4de71cec5 EAP-FAST: Make PAC file A_ID parser easier to analyze
Some static analyzers seem to have issues with "pos + len > end"
validation (CID 62875), so convert this to "len > end - pos" to make it
more obvious that len is validated against its bounds.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 21:03:40 +02:00
Jouni Malinen
364182a80f EAP-FAST: Clean up binary PAC file parser validation steps
This was too difficult for some static analyzers (CID 62876). In
addition, the pac_info_len assignment should really have explicitly
validated that there is room for the two octet length field instead of
trusting the following validation step to handle both this and the
actual pac_info_len bounds checking.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 21:03:40 +02:00
Jouni Malinen
002a2495be radiotap: Initialize all members in ieee80211_radiotap_iterator_init()
_next_ns_data could look like it would be used uninitialized in
ieee80211_radiotap_iterator_next() to static analyzers. Avoid
unnecessary reports by explicitly initializing all variables in struct
ieee80211_radiotap_iterator. (CID 62878)

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 21:03:40 +02:00
Jouni Malinen
3e94937fa4 P2P: Make p2p_parse_p2p_ie() validation steps easier to analyze
Validation was fine, but a bit too complex for some static analyzers to
understand. (CID 68125)

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 21:03:40 +02:00
Jouni Malinen
46a0352589 Use more explicit num_pmkid validation in RSN IE parsing
Static analyzers may not have understood the bounds checking on
data->num_pmkid. Use a local, temporary variable and validate that that
value is within length limits before assining this to data->num_pmkid to
make this clearer. (CID 62857, CID 68126)

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 21:03:29 +02:00
Jouni Malinen
e7306bcb59 PCSC: Use clearer file TLV length validation step
This makes it easier for static analyzer to confirm that the length
field bounds are checked. WPA_GET_BE16() is also used instead of
explicit byte-swapping operations in this file. (CID 68129)

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 18:37:10 +02:00
Jouni Malinen
76874379d3 TLS client: Check DH parameters using a local variable
Use a temporary, local variable to check the DH parameters received from
the server before assigning the length to the struct tlsv1_client
variables. This will hopefully make it easier for static analyzers to
figure out that there is bounds checking for the value. (CID 72699)

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 17:48:34 +02:00
Jouni Malinen
b81e274cdf RADIUS client: Print a clear debug log entry if socket is not available
It could have been possible to select a socket that is not open
(sel_sock == -1) and try to use that in socket operations. This would
fail with potentially confusing error messages. Make this clearer by
printing a clear debug log entry on socket not being available.
(CID 72696)

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 17:41:13 +02:00
Jouni Malinen
f931374f30 IKEv2: Use a bit clearer payload header validation step
It looks like the "pos + plen > end" case was not clear enough for a
static analyzer to figure out that plen was being verified to not go
beyond the buffer. (CID 72687)

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 16:37:16 +02:00
Andrei Otcheretianski
70d1e72849 wpa_supplicant: Handle link measurement requests
Send link measurement response when a request is received. Advertise
only RCPI, computing it from the RSSI of the request. The TX power field
is left to be filled by the driver. All other fields are not published.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2014-11-22 21:45:07 +02:00
Andrei Otcheretianski
7dc0338806 nl80211: Register Link Measurement Request Action frame
Add link measurement request to registration of Action frames to be
handled by wpa_supplicant if the driver supports TX power value
insertation.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2014-11-22 21:38:30 +02:00
Assaf Krauss
f4b8bfae15 wpa_supplicant: Add NEIGHBOR_REP_REQUEST command to the control interface
Add NEIGHBOR_REP_REQUEST command to the wpa_supplicant ctrl_iface.
This command triggers the sending of a Neighbor Report Request to the
associated AP.

Signed-off-by: Assaf Krauss <assaf.krauss@intel.com>
2014-11-22 21:28:52 +02:00
Assaf Krauss
d89c0701db wpa_supplicant: Add support for Neighbor Report
Add the ability to send a Neighbor Report Request (part of
RRM). Requester is then notified once the report arrives.

Signed-off-by: Assaf Krauss <assaf.krauss@intel.com>
2014-11-22 21:23:14 +02:00
Assaf Krauss
2526ccd95a nl80211: Register Neighbor Report Response Action frame
Add Neighbor Report Response Action frame to registration of Action
frames to be handled by wpa_supplicant.

Signed-off-by: Assaf Krauss <assaf.krauss@intel.com>
2014-11-22 21:16:25 +02:00
Assaf Krauss
b361d580ec SME: Add RRM support to association request
In case the AP we are associating with advertises support for RRM,
advertise our own RRM support in the (Re)Association Request frame. This
is done by adding an RRM Capabilities IE. The underlying driver is
expected to further add a Power Capabilities IE to the request, and set
the Radio Measurement flag in the Capability Info field. At this point
the RRM Capabilities IE advertises no measurement support.

Signed-off-by: Assaf Krauss <assaf.krauss@intel.com>
2014-11-22 21:13:45 +02:00
Assaf Krauss
58162adf06 nl80211: Populate RRM flags in nl80211 driver
Set the RRM capability flags, based on the capabilities reported
by the underlying driver.

In addition, upon connection, notify the underlying driver regarding
RRM support.

Signed-off-by: Assaf Krauss <assaf.krauss@intel.com>
2014-11-22 21:06:32 +02:00
Assaf Krauss
0dc957b93d driver: Add RRM-related definitions to driver interface
Add definitions for RRM (Radio Resource Measurement) support:
1. Flags that specify the RRM capabilities of the underlying driver
2. Flag for RRM in Capability Info field in Management frames
3. Indication in association parameters regarding an RRM connection

Signed-off-by: Assaf Krauss <assaf.krauss@intel.com>
2014-11-22 21:05:55 +02:00
Jouni Malinen
533630625d Add generic operating class and channel to frequency function
ieee80211_chan_to_freq() is a generic function that replaces and extends
the previous P2P-specific p2p_channel_to_freq(). The new function
supports both the global operating class table as well as the additional
US, EU, JP, and CN operating class tables.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-22 20:17:47 +02:00
Jouni Malinen
5351480047 Add BSS-TM-RESP ctrl_iface event
This event allows external monitors to track STA response to BSS
Transition Management Request.

BSS-TM-RESP <STA addr> status_code=<#> bss_termination_delay=<#>
[target_bssid=<BSSID>]

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-22 16:34:34 +02:00
Jouni Malinen
a30dff07fb Add BSS_TM_REQ command to send BSS Transition Management Request
hostapd control interface can now be used to request transmission of a
BSS Transition Management Request frame to a specified station.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-11-22 16:34:34 +02:00
Jouni Malinen
37df6a87dd Add names for assigned QCA nl80211 vendor subcmds
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-11-21 21:46:01 +02:00
Jouni Malinen
f23c5b17e1 AP: Extend EAPOL-Key msg 1/4 retry workaround for changing SNonce
If the 4-way handshake ends up having to retransmit the EAPOL-Key
message 1/4 due to a timeout on waiting for the response, it is possible
for the Supplicant to change SNonce between the first and second
EAPOL-Key message 2/4. This is not really desirable due to extra
complexities it causes on the Authenticator side, but some deployed
stations are doing this.

This message sequence looks like this:
AP->STA: EAPOL-Key 1/4 (replay counter 1, ANonce)
AP->STA: EAPOL-Key 1/4 (replay counter 2, ANonce)
STA->AP: EAPOL-Key 2/4 (replay counter 1, SNonce 1)
AP->STA: EAPOL-Key 3/4 (replay counter 3, ANonce)
STA->AP: EAPOL-Key 2/4 (replay counter 2, SNonce 2)
followed by either:
STA->AP: EAPOL-Key 4/4 (replay counter 3 using PTK from SNonce 1)
or:
AP->STA: EAPOL-Key 3/4 (replay counter 4, ANonce)
STA->AP: EAPOL-Key 4/4 (replay counter 4, using PTK from SNonce 2)

Previously, Authenticator implementation was able to handle the cases
where SNonce 1 and SNonce 2 were identifical (i.e., Supplicant did not
update SNonce which is the wpa_supplicant behavior) and where PTK
derived using SNonce 2 was used in EAPOL-Key 4/4. However, the case of
using PTK from SNonce 1 was rejected ("WPA: received EAPOL-Key 4/4
Pairwise with unexpected replay counter" since EAPOL-Key 3/4 TX and
following second EAPOL-Key 2/4 invalidated the Replay Counter that was
used previously with the first SNonce).

This commit extends the AP/Authenticator workaround to keep both SNonce
values in memory if two EAPOL-Key 2/4 messages are received with
different SNonce values. The following EAPOL-Key 4/4 message is then
accepted whether the MIC has been calculated with the latest SNonce (the
previously existing behavior) or with the earlier SNonce (the new
extension). This makes 4-way handshake more robust with stations that
update SNonce for each transmitted EAPOL-Key 2/4 message in cases where
EAPOL-Key message 1/4 needs to be retransmitted.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-11-21 17:02:00 +02:00