Commit graph

3580 commits

Author SHA1 Message Date
Jouni Malinen
d0b251d2e8 wlantest: Fix handling of PTK rekeying
Use a temporary PTK buffer during 4-way handshake when rekeying PTK
so that the new EAPOL-Key frame MIC values are checked against the
new PTK and frames are decrypted using the old PTK. Take the new
PTK into use once msg 4/4 is processed and clear RSC counters at
that point (including moving of RSC update to avoid setting RSC
based on the msg 4/4).

In addition, add a workaround to handle supplicant implementations that
set Secure bit to one during PTK rekeying 4-way handshake in msg 2/4.
This was previously assumed to be msg 4/4, but the key data contents
can be used to figure out whether this is msg 2/4 even if the Secure
bit is set to one.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2011-11-14 22:36:02 +02:00
Jouni Malinen
adc33680e3 Do not add P2P IE into Beacon/Probe Response if P2P is disabled
P2P IE was incorrectly added in wpa_supplicant AP mode even if P2P
function was not actually enabled.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2011-11-14 16:26:45 +02:00
Jouni Malinen
04ed4e984e AP: Only enable WPS for open and WPA/WPA2-Personal configuration
When wpa_supplicant AP mode is used, WPS was enabled by default
regardless of security mode. This is not desired for WEP, so change
the AP configuration to enable WPS only for open and WPA/WPA2-Personal
networks.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2011-11-14 16:16:29 +02:00
Jouni Malinen
16476dd124 Fix P2P IE configuration for GO mode
Commit c2ff13c533 broke this with a
copy-paste typo that ended up adding the Probe Request P2P IE into the
Beacon frame (i.e., Beacon frame had two P2P IEs while Probe Response
had none).

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2011-11-14 16:10:54 +02:00
Jouni Malinen
8f2e2e369b Make crypto_hash_init() easier for static analyzers
Avoid zero-length memset at the end of the buffer. This is not really
needed, but it makes the code a bit easier for static analyzers.

Signed-hostap: Jouni Malinen <j@w1.fi>
2011-11-13 23:24:08 +02:00
Jouni Malinen
911e10eac6 Make crypto_hash_init() easier for static analyzers
Avoid zero-length memset at the end of the buffer. This is not really
needed, but it makes the code a bit easier for static analyzers.

Signed-hostap: Jouni Malinen <j@w1.fi>
2011-11-13 23:19:19 +02:00
Jouni Malinen
16cc7a4304 Make radius_msg_add_attr_user_password() easier for static analyzers
Explicitly validate data_len so that static analyzers do not get
confused about the padlen validation. This is not really needed, but it
makes the code a bit easier for static analyzers.

Signed-hostap: Jouni Malinen <j@w1.fi>
2011-11-13 23:14:57 +02:00
Jouni Malinen
a9ea17491a Make fips186_2_prf() easier for static analyzers
Explicitly validate seed_len to skip memset call with zero length
of copied data at the end of the buffer. This is not really needed,
but it makes the code a bit easier for static analyzers.

Signed-hostap: Jouni Malinen <j@w1.fi>
2011-11-13 22:59:33 +02:00
Jouni Malinen
7adc3c1296 Make phase2_method initialization easier for static analyzers
data->phase2_method cannot really be NULL if
eap_fast_init_phase2_method() returns success, but this construction
seems to be too difficult for some static analyzers. While this change
is not really needed in practice, it makes it easier to go through
warnings from such analyzers.

Signed-hostap: Jouni Malinen <j@w1.fi>
2011-11-13 22:47:14 +02:00
Jouni Malinen
4c8a333b54 Make time_adv use easier for static analyzers
hapd->time_adv cannot really be NULL if hostapd_update_time_adv()
returns success, but this construction seems to be too difficult
for some static analyzers. While this change is not really needed
in practice, it makes it easier to go through warnings from such
analyzers.

Signed-hostap: Jouni Malinen <j@w1.fi>
2011-11-13 22:45:16 +02:00
Jouni Malinen
a5c696adb4 nl80211: Verify that global driver pointer is not NULL
driver_nl80211.c assumes that global driver pointer is set, so better
make this more consistent.

Signed-hostap: Jouni Malinen <j@w1.fi>
2011-11-13 22:39:57 +02:00
Jouni Malinen
99c01af9aa P2P: Verify that assoc req IEs are available for group update
Do not call p2p_group_notif_assoc() if the driver did not return
IEs from the association request.

Signed-hostap: Jouni Malinen <j@w1.fi>
2011-11-13 22:33:32 +02:00
Jouni Malinen
a17539ebcd Remove unnecessary include file inclusion
Signed-hostap: Jouni Malinen <j@w1.fi>
2011-11-13 22:13:04 +02:00
Jouni Malinen
6ec64015f5 Use shared SHA-256 define for the block size
Signed-hostap: Jouni Malinen <j@w1.fi>
2011-11-13 21:43:31 +02:00
Jouni Malinen
7f6400ed19 Make sha256_process() easier for static analyzers
md->curlen cannot indicate full buffer size here since the buffered
data is processed whenever the full block size of data is available.
Avoid invalid warnings from static analyzers on memcpy() outside the
buffer length by verifying that curlen is smaller than block size.

Signed-hostap: Jouni Malinen <j@w1.fi>
2011-11-13 21:36:23 +02:00
Jouni Malinen
94a9ebb0b2 TLS: Fix double-free on error path
Signed-hostap: Jouni Malinen <j@w1.fi>
2011-11-13 20:57:32 +02:00
Jouni Malinen
c660b0c257 dbus: Remove unused default string for bridge_ifname
wpa_s->bridge_ifname is an array and cannot be NULL.

Signed-hostap: Jouni Malinen <j@w1.fi>
2011-11-13 20:54:44 +02:00
Jouni Malinen
9482426ede Add REAUTHENTICATE ctrl_iface command
This can be used to trigger EAPOL reauthentication which can be useful
for testing purposes.

Signed-hostap: Jouni Malinen <j@w1.fi>
2011-11-13 19:47:51 +02:00
Jouni Malinen
9d77a392c7 Use a pre-processor macro to simplify event_to_string()
Signed-hostap: Jouni Malinen <j@w1.fi>
2011-11-13 19:06:37 +02:00
Ben Greear
6c3771d7d5 Print human readable driver event names
This makes it easier to understand the event related logs.

Signed-hostap: Ben Greear <greearb@candelatech.com>
2011-11-13 19:01:38 +02:00
Jouni Malinen
aea855d752 Move wpa_scan_results_free() into shared C file
Replace the inline helper function with a new C file that can be used
for common driver API related function.

Signed-hostap: Jouni Malinen <j@w1.fi>
2011-11-13 18:56:26 +02:00
Fu Yingang
a4cef16279 Correct a spelling mistake
The word "targer" in the comments for pending_bssid of
wpa_supplicant data structure should be "target".
2011-11-13 18:35:15 +02:00
Jouni Malinen
3724ddc0c1 PEAP: Verify peap_prfplus() result
This function can fail in theory since the SHA-1 functions are
allowed to return an error. While this does not really happen in
practice (we would not get this far if SHA-1 does not work), it is
cleaner to include the error handling here to keep static analyzers
happier. [Bug 421]

Signed-hostap: Jouni Malinen <j@w1.fi>
2011-11-13 11:29:17 +02:00
Jouni Malinen
b6c8df695c Remove station functionality from hostap and madwifi driver wrappers
This has been obsoleted by the more generic Linux WEXT (driver_wext.c)
support. The hostap and madwifi driver wrappers can now be used only
with hostapd. The old station interface remains available in releases up
to 1.x.

Signed-hostap: Jouni Malinen <j@w1.fi>
2011-11-13 11:14:44 +02:00
Jouni Malinen
3962b65858 Remove unmaintained driver wrappers
The driver wrappers broadcom, iphone, osx, and ralink have not been
maintained for a while and it does not look like they will be in the
future either. As such, remove them from the development branch. The
previous versions will be included in older releases up to 1.x.

Signed-hostap: Jouni Malinen <j@w1.fi>
2011-11-13 10:57:46 +02:00
Jouni Malinen
d10b13982d Add test-https for testing internal TLS client functionality
This tool can be used to test the internal TLS client implementation
against HTTPS servers.

Signed-hostap: Jouni Malinen <j@w1.fi>
2011-11-13 10:49:27 +02:00
Jouni Malinen
dbdcfa3979 TLS: Add preliminary support for partial message processing
Reassemble partial TLS records to make the internal TLS client
implementation more convenient for stream sockets.

Signed-hostap: Jouni Malinen <j@w1.fi>
2011-11-13 10:47:04 +02:00
Jouni Malinen
613522a40a TLS: Fix block cipher padding validation
The padding validation was done on the last padding-length octets in the
buffer which misses the first padding octet (the last octet is the
padding length). Fix the starting offset for the comparison loop to get
the first octet verified. [Bug 420]

Signed-hostap: Jouni Malinen <j@w1.fi>
2011-11-13 10:42:06 +02:00
Jouni Malinen
c4a3480826 TLS: Clean up TLS record layer processing
Return number of user input bytes from tlsv1_record_receive() to
move this detail into the proper record layer processing. In addition,
ignore unknown content types at record layer and allow processing to
continue after warning level TLS alerts to provide minimal workaround
for closure alerts.

Signed-hostap: Jouni Malinen <j@w1.fi>
2011-11-05 13:04:02 +02:00
Jouni Malinen
edc95487aa Add random.c into libcrypto.a
Signed-hostap: Jouni Malinen <j@w1.fi>
2011-11-05 13:02:31 +02:00
Jouni Malinen
717cc12f60 Fix test-x509v3 build
Signed-hostap: Jouni Malinen <j@w1.fi>
2011-11-04 22:10:54 +02:00
Jouni Malinen
ae055af4f7 Move AP events for STA connected/disconnected into one function
Instead of trying to remember to add wpa_msg() calls for every possible
path where a STA becomes authorized or unauthorized, use
ap_sta_set_authorized() to send these events more consistently.

Signed-hostap: Jouni Malinen <j@w1.fi>
2011-11-03 22:17:41 +02:00
Jouni Malinen
3ec1e9020f Fix some recent wpa_msg() calls in hostapd use correct context
wpa_msg() has to use hapd->msg_ctx instead of hapd as the context
pointer to work properly in wpa_supplicant AP mode.

Signed-hostap: Jouni Malinen <j@w1.fi>
2011-11-03 22:04:17 +02:00
Nicolas Cavallari
6caaae1e48 hostapd: Send an event when an inactive station is removed
Currently, there is no events over the control interface
when a AP disconnects a station due to inactivity.  With
this patch, an "AP-STA-DISCONNECTED" event will be sent.

Signed-hostap: Nicolas Cavallari <nicolas.cavallari@lri.fr>
2011-11-03 21:58:22 +02:00
Jouni Malinen
39e7d718f6 ndis: Work around lack of C99 designated initializers in MSVC
Use a driver_ndis.c specific initialization function to fill in the
wpa_driver_ops information to make it easier to modify struct
wpa_driver_ops in the future. Being able to build driver_ndis.c
with MSVC was the only reason for having to maintain the same order
of function pointers in struct wpa_driver_ops and for having to
update driver_ndis.c for all changes in that structure.

Signed-hostap: Jouni Malinen <j@w1.fi>
2011-11-03 18:45:21 +02:00
Jouni Malinen
4877e1fcf9 wpa_cli: Fix compiler warnings on unused functions
Some of the parameter completion functions are only used if
CONFIG_P2P=y.

Signed-hostap: Jouni Malinen <j@w1.fi>
2011-11-03 18:02:28 +02:00
Jouni Malinen
d33ce0d5b5 Include time.h to fix Windows builds
Signed-hostap: Jouni Malinen <j@w1.fi>
2011-11-03 18:00:57 +02:00
Jouni Malinen
67a5206482 Remove obsoleted Qt3-based wpa_gui
This code has not been maintained for years and there is no plan on
doing so either in the future. The Qt4-based wpa_gui-qt4 version can be
used as a replacement for this older wpa_gui version.

Signed-hostap: Jouni Malinen <j@w1.fi>
2011-11-03 17:48:31 +02:00
Jouni Malinen
c4a893c340 Remove kerneldoc2doxygen.pl from hostap.git
This is a separate tool for preparing source code files for Doxygen.
It does not need to be distributed with hostap.git and it can now be
downloaded separately from http://w1.fi/tools/kerneldoc2doxygen-hostap.pl
by anyone who wants to build the developers' documents with Doxygen.

Signed-hostap: Jouni Malinen <j@w1.fi>
2011-11-03 13:02:04 +02:00
Jouni Malinen
75b51fde2d Update version number to 2.0-devel
hostap.git is now a development branch for 2.0 with 1.x releases
having been forked to hostap-1.git.

Signed-hostap: Jouni Malinen <j@w1.fi>
2011-11-03 12:19:44 +02:00
Jouni Malinen
2cc5ebdd33 dbus: Fix some build combination without new D-Bus interface
Include common/defs.h to get full enum definitions to avoid compiler
errors without CONFIG_CTRL_IFACE_DBUS_NEW.

Signed-hostap: Jouni Malinen <j@w1.fi>
2011-11-02 10:48:26 +02:00
Jouni Malinen
406edc84cb Fix Android library configuration with OpenSSL build
Commit bf9d5518d5 did not split
LOCAL_SHARED_LIBRARIES properly and ended up removing the needed
libraries.

Signed-hostap: Jouni Malinen <j@w1.fi>
2011-11-01 10:39:49 +02:00
Jouni Malinen
1bbff09ec5 Process RSN pre-authentication candidates when skipping roam
wpa_supplicant_rsn_preauth_scan_results() needs to be called to
update RSN pre-authentication candidates. This cannot be done before
the wpa_supplicant_connect() call on the first association, but when
trying to figure out whether to roam, it is fine to do so for the
case when roaming is skipped.

Signed-hostap: Jouni Malinen <j@w1.fi>
2011-10-30 22:37:12 +02:00
Yoni Divinsky
9354e59480 Configure new GTK/IGTK to driver in case of TKIP countermeasures
The GTK is renewed in the hostapd after a MIC attack dissassociation
without informing the driver, causing decryption failures. This patch
sends the new GTK/IGTK to the driver after it is updated by the hostapd.

Signed-off-by: Yoni Divinsky <yoni.divinsky@ti.com>
2011-10-30 22:19:49 +02:00
Olivier Sobrie
6f75536fc9 WPS: Send the credential when learning AP params in registrar role
When the supplicant acts as a registrar to learn the access point
parameters send the credentials to the wpa_cli interface after
receiving the 7th message. This is needed for proper behavior with
wps_cred_processing set to 1 or 2.

Without this patch, after the 7th message you got the WPS-CRED-RECEIVED
notification without the credentials. This was because the cred_attr and
cred_attr_len were not filled in in the wps structure.

Signed-off-by: Olivier Sobrie <olivier@sobrie.be>
2011-10-30 22:10:40 +02:00
Pavel Roskin
9339bd5cd2 random: Improve error messages about writing to entropy file 2011-10-30 21:50:22 +02:00
Jouni Malinen
aa820e02cc Clean up debug dump for scan results sorting
There is not much need for showing the interim qsort steps, so just show
the ordered results.

Signed-hostap: Jouni Malinen <j@w1.fi>
2011-10-30 21:08:34 +02:00
Gary Morain
577db0aedd Prefer 5 GHz networks over 2.4 GHz networks
In scan.c, merge a channel's noise value into the scan results. When
comparing scan results, compute the signal-to-noise ratio and use it
when available. Prefer a 5 GHz network if its SNR is really big (> 30)
or if its SNR is relatively close to the other network's.
2011-10-30 21:08:21 +02:00
Jouni Malinen
fbc72d32c6 Ignore Michael MIC failure reports if cipher is not TKIP
Some stations have been reported to send EAPOL-Key Error Reports
indicating Michael MIC failures even when the cipher is not TKIP
(e.g., when the network is using only CCMP). Ignore such reports
to avoid starting TKIP countermeasures unnecessarily. This can
prevent certaint types of denial of service attacks by insiders,
but mostly this is to work around invalid station implementations.

Signed-hostap: Jouni Malinen <j@w1.fi>
2011-10-30 12:53:20 +02:00
Jouni Malinen
ec02780529 Move Michael MIC error report processing into separate function
Signed-hostap: Jouni Malinen <j@w1.fi>
2011-10-30 12:53:20 +02:00