Commit graph

11408 commits

Author SHA1 Message Date
Johannes Berg
e3429c0b15 nl80211: Fix control port protocol no-encrypt setting
Previously, driver_nl80211 sets NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT in
AP mode, to get EAPOL frames out unencrypted when using IEEE 802.1X/WEP.
However, due to the way nl80211/cfg80211 is implemented, this attribute
is ignored by the kernel if NL80211_ATTR_CONTROL_PORT_ETHERTYPE isn't
specified as well. Fix this by including
NL80211_ATTR_CONTROL_PORT_ETHERTYPE set to ETH_P_PAE. This can be done
unconditionally, since the kernel will allow ETH_P_PAE to be set even
when the driver didn't advertise support for arbitrary ethertypes.

Additionally, the params->pairwise_ciphers appear to not be set at
this point, so relax the check and allow them to be zero.

In client mode, this whole thing was missing, so add it. Again, the
pairwise suite can be WPA_CIPHER_NONE, so allow that case as well.

This fixed IEEE 802.1X/WEP EAP reauthentication and rekeying to use
unencrypted EAPOL frames which is the de facto way of implementing this
in wireless networks.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2016-08-17 13:40:40 +03:00
Jouni Malinen
e5d3e13a5c tests: Fix ap_wps_er_http_proto max concurrent requests case
Commit 2d6a526ac3 ('tests: Make
ap_wps_er_http_proto more robust') tried to work around the timeouts
here, but that was not really the best approach since the one second
timeout that was used here for connect() ended up being very close to
the limit even before the kernel change. The longer connect() time is
caused by a sequence where the listen() backlog ignores the connection
instead of accept() followed by close() within the wpa_supplicant ER
HTTP connection handling. The time to retransmit the SYN changed a bit
in the kernel from 1.0 sec to about 1.03 sec. This was enough to push
that over the one second timeout.

Fix this by using a sufficiently long timeout (10 sec) to allow SYN
retransmission to occur to recover from the listen() backlog case.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-08-17 13:37:25 +03:00
Jouni Malinen
50348c5c32 tests: More coverage for IBSS RSN OOM
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-08-14 00:22:50 +03:00
Jouni Malinen
b97a541087 IBSS: Fix a memory leak on RSN error path
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-08-13 21:29:53 +03:00
Roshan Pius
5f040be4ff Move disconnect command handling to a common place
Move out the disconnect command handling from |ctrl_iface.c| to
|wpa_supplicant.c| so that it can be reused across the different
control interfaces (socket, dbus & binder).

Signed-off-by: Roshan Pius <rpius@google.com>
2016-08-13 21:11:04 +03:00
David Benjamin
478441bf81 OpenSSL: Fix OpenSSL 1.1.0 compatibility functions
To be consistent with OpenSSL 1.1.0, the free functions should
internally check for NULL. EVP_MD_CTX_free also was missing an
EVP_MD_CTX_cleanup, so this leaked a little.

OpenSSL 1.1.0 also has given get_rfc3526_prime_1536 a better namespace
with get_rfc3526_prime_1536 as a compatibility-only name. Use that
instead in 1.1.0.

Signed-off-by: David Benjamin <davidben@google.com>
2016-08-13 21:07:05 +03:00
Jouni Malinen
a412157262 tests: IBSS RSN group rekeying
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-08-13 16:29:07 +03:00
Jouni Malinen
6c33ca9f95 Add group_rekey parameter for IBSS
The new network profile parameter group_rekey can now be used to specify
the group rekeying internal in seconds for IBSS.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-08-13 16:29:01 +03:00
Felix Fietkau
79931efa0d hostapd: Fix parsing the das_client option
The musl implementation of inet_aton() returns an error if there are any
characters left after the IP address. When parsing the das_client, split
the string at the whitespace separator to be able to parse the address
successfully.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-08-13 10:48:28 +03:00
Felix Fietkau
4fe726e2d7 nl80211: Do not switch interface to station mode when using mesh
This fixes issues with adding mesh interfaces to a bridge.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-08-13 10:44:11 +03:00
Nick Lowe
8468189e90 Do not include NAS-Port attribute with AID 0
Do not include a NAS-Port attribute in Access-Request and
Accounting-Request packets where the Association ID (AID) is 0, i.e.,
not yet assigned or known.

Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
2016-08-13 10:28:01 +03:00
Manish Shukla
86a318f34a atheros: Accept Public Action frames sent to Wildcard BSSID
Previously, the check for mgmt->bssid matching own address (= BSSID)
ended up rejecting the case where Public Action frames are using
Wildcard BSSID in the Address 3 field. This could result in GAS queries
being dropped. Fix this by allowing both the own address (= AP BSSID)
and Wildcard BSSID in Action frame Address 3 field.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-08-11 16:08:30 +03:00
Jouni Malinen
e07adb7faa Fix EAP state machine reset with offloaded roaming and authorization
If the driver indicates a roamed event with already completed
authorization, altAccept = TRUE could have resulted in the EAP state
machine ending up in the FAILURE state from the INITIALIZE state. This
is not correct behavior and similar cases were already addressed for FT
and WPA-PSK. Fix the offloaded roamed+authorized (EAP/PMKSA caching)
case by doing similar changes to EAPOL/EAP state variable updates during
association event handling.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-08-11 16:05:45 +03:00
Jouni Malinen
2d6a526ac3 tests: Make ap_wps_er_http_proto more robust
It looks like connect() for a TCP socket can time out at least with a
recent kernel. Handle that case more gracefully by ignoring that socket
while allowing the test to continue.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-08-11 15:58:13 +03:00
Jouni Malinen
f27b9277d5 tests: Make FST config tests more robust and easier to debug
It looks like it is possible for the separate started wpa_supplicant
process to remain running after a test case like fst_sta_config_default.
This would result in failures to run any following test case that uses
the wlan5 interface. Try to kill the process more thoroughly by waiting
for the PID file to show up and write more details into the logs to make
it easier to debug issues in this area.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-08-10 17:55:20 +03:00
Yingying Tang
6fe3b9d451 QCA vendor command to get hardware capabilities
This commit introduces a new vendor sub command
QCA_NL80211_VENDOR_SUBCMD_GET_HW_CAPABILITY and the associated
attributes to get Wi-Fi hardware capabilities.

Signed-off-by: Yingying Tang <yintang@qti.qualcomm.com>
2016-08-10 16:49:46 +03:00
Sunil Dutt
dc24a3616a Define an attribute QCA_WLAN_VENDOR_ATTR_CONFIG_QPOWER
This can be used to enable/disable QPOWER.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-08-09 19:23:25 +03:00
Nick Lowe
42d30e9ea0 Add a require_message_authenticator configuration option
This can be used to mandate the presence of the Message-Authenticator
attribute on CoA/Disconnect-Request packets.

Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
2016-08-08 00:36:17 +03:00
Jouke Witteveen
715ad3386e roboswitch: Add support for BCM63xx
These devices do not properly identify themselves.

Signed-off-by: Jouke Witteveen <j.witteveen@gmail.com>
2016-08-08 00:25:31 +03:00
Rahul Bedarkar
a2072a29b9 utils: os_unix: Use access() for checking file existence
Trying to open file for checking file existence seems to be too much.
Instead use access system call which is meant for the same.

Signed-off-by: Rahul Bedarkar <rahulbedarkar89@gmail.com>
2016-08-08 00:24:07 +03:00
Sabrina Dubroca
cfe0a0194b mka: Fix use after free
We must cancel the timer when we delete an MKA instance.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
2016-08-07 11:44:04 +03:00
Sabrina Dubroca
d68b73cfa5 mka: Add check for body length when decoding peers
The standard says that the body length must be a multiple of 16B.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
2016-08-07 11:42:37 +03:00
Sabrina Dubroca
ad19e71e68 mka: Avoid reading past the end of mka_body_handler
body_type, used to index in mka_body_handler, can be any u8 value, but
we have only ARRAY_SIZE(mka_body_handler) elements.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
2016-08-07 11:42:19 +03:00
Jouni Malinen
65b47738e8 mka: Return u8 from get_mka_param_body_type()
This uses a more accurate variable type for body_type and makes it
cleaner to compare this to other unsigned values.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-08-07 11:42:03 +03:00
Sabrina Dubroca
ac285c007c mka: Add error handling around ieee802_1x_kay_move_live_peer()
ieee802_1x_kay_move_live_peer() can fail. In that case, we should not
proceed.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
2016-08-07 11:36:17 +03:00
Sabrina Dubroca
90bff0e2aa mka: Avoid inconsistent state in ieee802_1x_kay_move_live_peer()
If the memory allocation in ieee802_1x_kay_init_receive_sc() fails, we
end up in an inconsistent state where the peer is moved to the live
peers list and its sci is setup, but we don't have an rxsc.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
2016-08-07 11:34:50 +03:00
Sabrina Dubroca
12447457bf mka: Fix length when encoding SAK-use
The room we actually use is length. This could also mess up the
receiver, since it will advance by the actual length (as indicated by
the parameter body's length), which could differ from the offset at
which we stored the next item.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
2016-08-07 11:32:23 +03:00
Sabrina Dubroca
71dc78904f mka: Fix memory leak in ieee802_1x_kay_create_live_peer() error path
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
2016-08-07 11:31:41 +03:00
Sabrina Dubroca
099613e415 mka: Fix multiple key server election bugs
1. The comparison between SCI's of two servers with identical priority
   is broken, and would always return TRUE. Just use os_memcmp(), which
   provides the ordering we need.

2. If no peer can be key server but this instance can, then become the
   key server.

3. The ordering of blocks between peer as key server and ourself as key
   server overwrites settings. Simple reordering fixes this.

4. Default to being the key server, so that we advertise our ability in
   the MKPDUs we send. That's the only way peers can know we can be key
   server. Cleared automatically as soon as we find a better peer.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
2016-08-07 11:31:17 +03:00
Roshan Pius
a1979469fd binder: Clang format the source code
Add a ".clang-format" file which is pretty close to the rest of
wpa_supplicant code base and reformat the binder codebase.

Signed-off-by: Roshan Pius <rpius@google.com>
2016-08-07 11:21:45 +03:00
Roshan Pius
fe1d0771f7 binder: Expose an aidl interface module
Restructure the binder related makefile sections to expose a separate
|libwpa_binder_interface| which can be imported by clients/tests.

While there,
Change the name of the binder service to the name used in the selinux
permissions.

Signed-off-by: Roshan Pius <rpius@google.com>
2016-08-07 11:21:28 +03:00
Arran Cudbard-Bell
b84ce655d3 Link to, and adjust types for, the PCSC framework included with OSX
Signed-off-by: Arran Cudbard-Bell <a.cudbardb@freeradius.org>
2016-08-07 11:20:33 +03:00
Johannes Berg
842c5af5d3 ap: Use is_broadcast_ether_addr()
There's no need to have a separate variable and open-code a more
complicated version of this, just use is_broadcast_ether_addr().

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2016-08-06 16:51:48 +03:00
Jouni Malinen
ac81b3948b cli: Share a common tokenize_cmd() implementation
wpa_cli and hostapd_cli had identical copies of this function.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-08-06 12:46:39 +03:00
Jouni Malinen
a6d56a3965 wpa_cli: Replace str_match() with common str_starts()
str_match() was identical in behavior to str_starts().

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-08-06 12:44:51 +03:00
Jouni Malinen
980afcce53 cli: Share a common write_cmd() implementation
wpa_cli and hostapd_cli had identical copies of this function.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-08-06 12:41:56 +03:00
Jouni Malinen
fcc84b48b2 cli: Share a common get_cmd_arg_num() implementation
wpa_cli and hostapd_cli had identical copies of this function.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-08-06 12:39:56 +03:00
Jouni Malinen
e55df99ee6 Share a single str_starts() implementation
No need to define this as a static function in multiple files.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-08-06 12:38:21 +03:00
Mikael Kanstrup
23c130e9b7 Use a common license string for hostapd_cli and wpa_cli
Move the license strings for hostapd_cli and wpa_cli to common.

Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
2016-08-06 12:34:25 +03:00
Mikael Kanstrup
b90c13d934 hostapd_cli: Completion for interface command
Implement command completion for interface command

Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
2016-08-06 12:33:23 +03:00
Mikael Kanstrup
8b73c6aa11 hostapd_cli: Completion for disassociate and deauthenticate
Command completion routine for disassociate and deauthenticate
commands implemented. Tracks AP-STA-CONNECTED/AP-STA-DISCONNECTED
events for easy station MAC address lookup.

Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
2016-08-06 12:29:19 +03:00
Mikael Kanstrup
1cef253aab hostapd_cli: Implement event handler
Add an empty event handler in preparation for additional command
completion routines that will need to dynamically build parameters
based on events received.

Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
2016-08-06 12:28:54 +03:00
Mikael Kanstrup
977c0796f9 Move parts of wpa_cli to a new common file
In preparation for adding further command completion support
to hostapd_cli move some cli related utility functions out of
wpa_cli into a new common cli file.

Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
2016-08-06 12:25:58 +03:00
Mikael Kanstrup
6cad0bff06 hostapd_cli: Add completion for help command
Implement command completion support for help command.

Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
2016-08-06 12:18:07 +03:00
Mikael Kanstrup
01938838b5 hostapd_cli: Replace static usage string with print_help() function
Replace the static commands usage string with a print_help() function
that reads commands and help text from the array of defined cli
commands.

Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
2016-08-06 12:17:37 +03:00
Mikael Kanstrup
1f927cd4cf hostapd_cli: Add command completion support
Add command completion support for hostapd_cli. Only completion
for available commands and basic building blocks in preparation for
per command parameter completion.

Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
2016-08-06 11:32:59 +03:00
Mikael Kanstrup
003fe581a3 wpa_cli: Implement completion routine for get_capability
Add command completion routine for get_capability command.

Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
2016-08-06 11:18:04 +03:00
Sunil Dutt
fed802c2e8 Define an attribute QCA_WLAN_VENDOR_ATTR_CONFIG_IFINDEX
This can be used to set the configuration parameters per netdev (instead
of wiphy).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-08-04 21:50:26 +03:00
Sunil Dutt
14b7612447 Define vendor command to support IE based access control
This commit defines QCA vendor subcommand and attributes for IE based
access control, i.e., the specific configured IE (full IE) is matched
with the frames originated by the Wi-Fi STA / AP to accept or deny the
connection. A specific IE can either be a whitelist or blacklist.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-08-04 21:50:22 +03:00
Vikram Kandukuri
4ac75cd01a QCA vendor command to configure GPIO pins
This commit introduces a new vendor sub command
QCA_NL80211_VENDOR_SUBCMD_GPIO_CONFIG_COMMAND and associated
attributes to configure GPIO pins.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-08-03 16:46:30 +03:00