Commit graph

8387 commits

Author SHA1 Message Date
Jouni Malinen
002a2495be radiotap: Initialize all members in ieee80211_radiotap_iterator_init()
_next_ns_data could look like it would be used uninitialized in
ieee80211_radiotap_iterator_next() to static analyzers. Avoid
unnecessary reports by explicitly initializing all variables in struct
ieee80211_radiotap_iterator. (CID 62878)

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 21:03:40 +02:00
Jouni Malinen
5d017065a0 GAS: Clean up Query Response length validation
Previous version was correct, but apparently too complex for some static
analyzers. (CID 68119)

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 21:03:40 +02:00
Jouni Malinen
355e17eb1b HS 2.0: Clarify OSU Server URI length validation
The previous version was valid, but apparently too complex for some
static analyzers. Use a local variable for uri_len and explicitly
compare it against the remaining buffer length. (CID 68121)

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 21:03:40 +02:00
Jouni Malinen
5c58c0ce86 HS 2.0: More explicit hs20_osu_icon_fetch() length validation
The previous version was fine, but too much for some static analyzers to
understand as proper bounds checking. (CID 68122)

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 21:03:40 +02:00
Jouni Malinen
3e94937fa4 P2P: Make p2p_parse_p2p_ie() validation steps easier to analyze
Validation was fine, but a bit too complex for some static analyzers to
understand. (CID 68125)

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 21:03:40 +02:00
Jouni Malinen
46a0352589 Use more explicit num_pmkid validation in RSN IE parsing
Static analyzers may not have understood the bounds checking on
data->num_pmkid. Use a local, temporary variable and validate that that
value is within length limits before assining this to data->num_pmkid to
make this clearer. (CID 62857, CID 68126)

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 21:03:29 +02:00
Jouni Malinen
e7306bcb59 PCSC: Use clearer file TLV length validation step
This makes it easier for static analyzer to confirm that the length
field bounds are checked. WPA_GET_BE16() is also used instead of
explicit byte-swapping operations in this file. (CID 68129)

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 18:37:10 +02:00
Jouni Malinen
fecc09edc3 WNM: Use a clearer validation step for key_len_total
The previous one based on pointer arithmetic was apparently too much for
some static analyzers (CID 68130).

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 18:04:02 +02:00
Jouni Malinen
76874379d3 TLS client: Check DH parameters using a local variable
Use a temporary, local variable to check the DH parameters received from
the server before assigning the length to the struct tlsv1_client
variables. This will hopefully make it easier for static analyzers to
figure out that there is bounds checking for the value. (CID 72699)

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 17:48:34 +02:00
Jouni Malinen
43aee94899 Interworking: Clearer ANQP element length validation
The upper bound for the element length was already verified, but that
was not apparently noticed by a static analyzer (CID 68128).

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 17:41:13 +02:00
Jouni Malinen
b81e274cdf RADIUS client: Print a clear debug log entry if socket is not available
It could have been possible to select a socket that is not open
(sel_sock == -1) and try to use that in socket operations. This would
fail with potentially confusing error messages. Make this clearer by
printing a clear debug log entry on socket not being available.
(CID 72696)

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 17:41:13 +02:00
Jouni Malinen
f931374f30 IKEv2: Use a bit clearer payload header validation step
It looks like the "pos + plen > end" case was not clear enough for a
static analyzer to figure out that plen was being verified to not go
beyond the buffer. (CID 72687)

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 16:37:16 +02:00
Jouni Malinen
f5f3728a81 WNM: Print debug message if Action frame sending fails
This makes wpa_drv_send_action() return value checking more consistent
(CID 75390).

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 16:13:50 +02:00
Jouni Malinen
986ed3a9ca tests: NEIGHBOR_REP_REQUEST failure cases
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-22 21:49:45 +02:00
Andrei Otcheretianski
70d1e72849 wpa_supplicant: Handle link measurement requests
Send link measurement response when a request is received. Advertise
only RCPI, computing it from the RSSI of the request. The TX power field
is left to be filled by the driver. All other fields are not published.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2014-11-22 21:45:07 +02:00
Andrei Otcheretianski
7dc0338806 nl80211: Register Link Measurement Request Action frame
Add link measurement request to registration of Action frames to be
handled by wpa_supplicant if the driver supports TX power value
insertation.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2014-11-22 21:38:30 +02:00
Assaf Krauss
66d2143435 wpa_cli: Add optional ssid to neighbor report request
Add optional 'ssid' parameter to command "neighbor_rep_request".

Signed-off-by: Assaf Krauss <assaf.krauss@intel.com>
2014-11-22 21:37:49 +02:00
Assaf Krauss
4c4b230527 wpa_supplicant: Add an option to specify SSID in neighbor report requests
Allow supplying an SSID for the SSID IE. If not supplied, no SSID IE is
sent, and the request implies the current SSID.

Signed-off-by: Assaf Krauss <assaf.krauss@intel.com>
2014-11-22 21:36:42 +02:00
Assaf Krauss
fad14af93a wpa_cli: Add neighbor_rep_request command
Add neighbor_rep_request command to send a Neighbor Report Request
to the associated AP.

Signed-off-by: Assaf Krauss <assaf.krauss@intel.com>
2014-11-22 21:29:41 +02:00
Assaf Krauss
f4b8bfae15 wpa_supplicant: Add NEIGHBOR_REP_REQUEST command to the control interface
Add NEIGHBOR_REP_REQUEST command to the wpa_supplicant ctrl_iface.
This command triggers the sending of a Neighbor Report Request to the
associated AP.

Signed-off-by: Assaf Krauss <assaf.krauss@intel.com>
2014-11-22 21:28:52 +02:00
Assaf Krauss
d89c0701db wpa_supplicant: Add support for Neighbor Report
Add the ability to send a Neighbor Report Request (part of
RRM). Requester is then notified once the report arrives.

Signed-off-by: Assaf Krauss <assaf.krauss@intel.com>
2014-11-22 21:23:14 +02:00
Assaf Krauss
2526ccd95a nl80211: Register Neighbor Report Response Action frame
Add Neighbor Report Response Action frame to registration of Action
frames to be handled by wpa_supplicant.

Signed-off-by: Assaf Krauss <assaf.krauss@intel.com>
2014-11-22 21:16:25 +02:00
Assaf Krauss
b361d580ec SME: Add RRM support to association request
In case the AP we are associating with advertises support for RRM,
advertise our own RRM support in the (Re)Association Request frame. This
is done by adding an RRM Capabilities IE. The underlying driver is
expected to further add a Power Capabilities IE to the request, and set
the Radio Measurement flag in the Capability Info field. At this point
the RRM Capabilities IE advertises no measurement support.

Signed-off-by: Assaf Krauss <assaf.krauss@intel.com>
2014-11-22 21:13:45 +02:00
Assaf Krauss
f936b73c4f wpa_supplicant: Store driver's RRM capabilities
Store the RRM capability flags reported by the underlying driver.

Signed-off-by: Assaf Krauss <assaf.krauss@intel.com>
2014-11-22 21:07:56 +02:00
Assaf Krauss
58162adf06 nl80211: Populate RRM flags in nl80211 driver
Set the RRM capability flags, based on the capabilities reported
by the underlying driver.

In addition, upon connection, notify the underlying driver regarding
RRM support.

Signed-off-by: Assaf Krauss <assaf.krauss@intel.com>
2014-11-22 21:06:32 +02:00
Assaf Krauss
0dc957b93d driver: Add RRM-related definitions to driver interface
Add definitions for RRM (Radio Resource Measurement) support:
1. Flags that specify the RRM capabilities of the underlying driver
2. Flag for RRM in Capability Info field in Management frames
3. Indication in association parameters regarding an RRM connection

Signed-off-by: Assaf Krauss <assaf.krauss@intel.com>
2014-11-22 21:05:55 +02:00
Jouni Malinen
13f8d51e2d tests: BSS Transition Management
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-22 20:17:47 +02:00
Jouni Malinen
75d65857d5 WNM: Use recent scan results on BSS transition request
If the last scans are recent (for now, less than ten seconds old), use
them instead of triggering a new scan when a BSS Transition Management
Request frame is received. As a fallback, allow a new scan to be
triggered if no matches were found.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-22 20:17:47 +02:00
Jouni Malinen
e1117c1c01 WNM: Optimize BSS transition management scans
When the list of preferred transition candidates is received, use the
identified channels to optimize the following scan so that no time is
wasted on other channels.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-22 20:17:47 +02:00
Jouni Malinen
533630625d Add generic operating class and channel to frequency function
ieee80211_chan_to_freq() is a generic function that replaces and extends
the previous P2P-specific p2p_channel_to_freq(). The new function
supports both the global operating class table as well as the additional
US, EU, JP, and CN operating class tables.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-22 20:17:47 +02:00
Jouni Malinen
73360424d9 tests: Fix a typo in function name
except_ack() was supposed to be verifying that the frame was ACK'ed,
i.e., it was really supposed to be called expect_ack().

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-22 18:40:03 +02:00
Jouni Malinen
ab4ee34306 tests: Fix wnm_bss_tm_req status code expectation
The implementation of WNM BSS transition management was extended to be
able to return a reject status code based on whether a matching entry is
found. The test case wnm_bss_tm_req was trying to enforce a different
status code to be used here based on old implementation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-22 18:40:03 +02:00
Jouni Malinen
d0b9ab69f6 WNM: Move transition candidate list processing to normal scan
This makes it easier to optimize transition request processing.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-22 18:40:03 +02:00
Jouni Malinen
279b5486a6 WNM: Fix TM candidate freeing if multiple requests are processed
The previously cached candidate list needs to be free properly through a
call to wnm_deallocate_memory() to ensure all subelements gets freed.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-22 18:40:03 +02:00
Jouni Malinen
027454d2e9 WNM: Allow BSS transition request in same ESS even if RSSI is worse
This allows an AP to steer us to another BSS within the ESS even if that
results in reduced signal strength as long as the signal strength with
the target BSS is expected to provide some connectivity.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-22 18:06:37 +02:00
Jouni Malinen
6900b6d96f WNM: Mark wnm_scan_response() static
This function is not used outside wnm_sta.c.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-22 18:06:37 +02:00
Jouni Malinen
ff2c5758bb WNM: Order BSS transmission candidate entries based on preference
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-22 18:06:37 +02:00
Jouni Malinen
093226783d WNM: Simplify how candidate subelements are stored
There is no need to use a separately allocated data structures for this.
A bitfield indicating which information is present and variables within
struct neighbor_report are simpler to use and more efficient.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-22 18:06:37 +02:00
Jouni Malinen
8c9af762f3 WNM: Calculate valid-until time for transition candidate list
This is of more use than the raw validity interval (number of beacon
intervals) that was recorded previously.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-22 18:06:27 +02:00
Jouni Malinen
4c381f0d1c WNM: Convert BSSID Info into a u32
This is more convenient to use than u8 array.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-22 17:03:15 +02:00
Jouni Malinen
8040dc53c2 WNM: Debug print WNM BSS Transition Candidate List
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-22 16:34:34 +02:00
Jouni Malinen
5351480047 Add BSS-TM-RESP ctrl_iface event
This event allows external monitors to track STA response to BSS
Transition Management Request.

BSS-TM-RESP <STA addr> status_code=<#> bss_termination_delay=<#>
[target_bssid=<BSSID>]

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-22 16:34:34 +02:00
Jouni Malinen
a30dff07fb Add BSS_TM_REQ command to send BSS Transition Management Request
hostapd control interface can now be used to request transmission of a
BSS Transition Management Request frame to a specified station.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-11-22 16:34:34 +02:00
Jouni Malinen
64d04af5cc tests: Authenticator processing for various EAPOL-Key key info values
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-11-22 00:49:25 +02:00
Jouni Malinen
a52fd1c338 tests: WPA EAPOL 4-way handshake protocol testing
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-11-22 00:34:20 +02:00
Jouni Malinen
53b9bedb7a tests: WPA2 EAPOL-Key with incorrect type
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-11-22 00:16:41 +02:00
Jouni Malinen
37df6a87dd Add names for assigned QCA nl80211 vendor subcmds
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-11-21 21:46:01 +02:00
Jouni Malinen
821490f55f tests: Authenticator 4-way handshake protocol testing
This implements minimal RSN 4-way handshake Supplicant in Python and
uses that to test hostapd Authenticator implementation in various
possible protocol sequencies.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-11-21 20:50:41 +02:00
Jouni Malinen
f23c5b17e1 AP: Extend EAPOL-Key msg 1/4 retry workaround for changing SNonce
If the 4-way handshake ends up having to retransmit the EAPOL-Key
message 1/4 due to a timeout on waiting for the response, it is possible
for the Supplicant to change SNonce between the first and second
EAPOL-Key message 2/4. This is not really desirable due to extra
complexities it causes on the Authenticator side, but some deployed
stations are doing this.

This message sequence looks like this:
AP->STA: EAPOL-Key 1/4 (replay counter 1, ANonce)
AP->STA: EAPOL-Key 1/4 (replay counter 2, ANonce)
STA->AP: EAPOL-Key 2/4 (replay counter 1, SNonce 1)
AP->STA: EAPOL-Key 3/4 (replay counter 3, ANonce)
STA->AP: EAPOL-Key 2/4 (replay counter 2, SNonce 2)
followed by either:
STA->AP: EAPOL-Key 4/4 (replay counter 3 using PTK from SNonce 1)
or:
AP->STA: EAPOL-Key 3/4 (replay counter 4, ANonce)
STA->AP: EAPOL-Key 4/4 (replay counter 4, using PTK from SNonce 2)

Previously, Authenticator implementation was able to handle the cases
where SNonce 1 and SNonce 2 were identifical (i.e., Supplicant did not
update SNonce which is the wpa_supplicant behavior) and where PTK
derived using SNonce 2 was used in EAPOL-Key 4/4. However, the case of
using PTK from SNonce 1 was rejected ("WPA: received EAPOL-Key 4/4
Pairwise with unexpected replay counter" since EAPOL-Key 3/4 TX and
following second EAPOL-Key 2/4 invalidated the Replay Counter that was
used previously with the first SNonce).

This commit extends the AP/Authenticator workaround to keep both SNonce
values in memory if two EAPOL-Key 2/4 messages are received with
different SNonce values. The following EAPOL-Key 4/4 message is then
accepted whether the MIC has been calculated with the latest SNonce (the
previously existing behavior) or with the earlier SNonce (the new
extension). This makes 4-way handshake more robust with stations that
update SNonce for each transmitted EAPOL-Key 2/4 message in cases where
EAPOL-Key message 1/4 needs to be retransmitted.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-11-21 17:02:00 +02:00
Jouni Malinen
db099951cb Print EAPOL-Key Replay Counter in Authenticator debug log
This makes it easier to debug issues relared to EAPOL-Key
retransmissions.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-11-21 15:35:19 +02:00