Commit graph

3916 commits

Author SHA1 Message Date
Jouni Malinen
34ef46ce54 WEP shared key: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:48 +03:00
Jouni Malinen
3e4b77c9bd EAP-GTC: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:48 +03:00
Jouni Malinen
a6eae3f7a1 EAP-MSCHAPv2: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:48 +03:00
Jouni Malinen
30411b351c EAP-TTLS: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
a564d9ca36 EAP-MD5: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
4685482552 EAP-PSK: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
cba0f8698b EAP-PEAP: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
7b1e745870 EAP-LEAP: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
8f92826b15 EAP-GPSK: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
e1550d4be8 EAP-PAX: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
c434503f5e EAP-FAST: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
dddf7bbd4e EAP-EKE: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
dfb5608139 EAP-SAKE: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
05c79d6acd EAP-SIM/AKA: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
675ddad1c2 EAP-IKEv2: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
2049a3c874 TLS: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
a79aea531e Milenage: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
05f916eeed AES-GCM: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
87a5c93bec AES-CCM: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
7c24f53c88 EAPOL supplicant: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
870834a19b RSN authenticator: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
0d15b69f0a RSN supplicant: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
72619ce61b MACsec: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
c2371953f8 RADIUS: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
ce9c9bcc38 WPS: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
afc3c8b07f Add constant time memory comparison function os_memcmp_const
This function is meant for comparing passwords or hash values where
difference in execution time could provide external observer information
about the location of the difference in the memory buffers. The return
value does not behave like os_memcmp(), i.e., os_memcmp_const() cannot
be used to sort items into a defined order. Unlike os_memcmp(),
execution time of os_memcmp_const() does not depend on the contents of
the compared memory buffers, but only on the total compared length.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
ee352f1e5a EAP-pwd: Add explicit total length limit
Instead of using implicit limit based on 16-bit unsigned integer having
a maximum value of 65535, limit the maximum length of a fragmented
EAP-pwd message explicitly to 15000 bytes. None of the supported groups
use longer messages, so it is fine to reject any longer message without
even trying to reassemble it. This will hopefully also help in reducing
false warnings from static analyzers (CID 68124).

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
b2b8a4cb10 EAP-SIM/AKA: Pass EAP type as argument to eap_sim_msg_finish()
This makes it easier for static analyzers to figure out which code paths
are possible within eap_sim_msg_finish() for EAP-SIM. This will
hopefully avoid some false warnings (CID 68110, CID 68113, CID 68114).

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
f107d00cf6 PeerKey: Clean up EAPOL-Key Key Data processing
This extends the earlier commit e6270129f6
('Clean up EAPOL-Key Key Data processing') design to be used with
PeerKey EAPOL-key processing as well. This avoids false warnings from
static analyzer (CID 62860, CID 62861, CID 62862).

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:46 +03:00
Tomasz Bursztyka
36716eef89 P2P: Add a utility function to run a method on every known peer
This will be useful in wpa_supplicant part to signal if a peer got its
group changed.

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
2014-06-29 17:27:27 +03:00
Tomasz Bursztyka
bf035663c9 dbus: Remove GroupMember object type and use Peer instead
GroupMember is unusable in itself and all the necessary informations are
stored in Peer objects, thus replace the use of GroupMember by Peer.

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
2014-06-29 17:19:12 +03:00
Tomasz Bursztyka
c6386e5c71 P2P Add a utility to run a callback on all available groups
This will be useful in wpa_supplicant to match group's SSIDs against a
specific one.

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
2014-06-29 16:56:57 +03:00
Tomasz Bursztyka
8e76f48abd P2P: Add a utility function to get the group configuration
This will be useful for finding the interface related to this group
after formation based on the group SSID.

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
2014-06-29 16:52:06 +03:00
Jouni Malinen
37d8a27401 TDLS: Clean up add/set peer operations
Use a helper function to avoid multiple copies of the same long list of
argument parameters to wpa_sm_tdls_peer_addset() from the peer entry.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-29 13:44:15 +03:00
Arik Nemtsov
bcd2baa0fa TDLS: Tear down connection on malformed Setup Confirm
Otherwise the peer will erroneously assume we have a working direct
link.

Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
2014-06-29 13:44:14 +03:00
Arik Nemtsov
81905409b5 TDLS: Abort local setup when failing to add STA
The driver might not always be able to add the new station. Abort the
setup when this happens.

Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
2014-06-29 13:44:14 +03:00
Arik Nemtsov
1dce7a216f TDLS: Update peer STA as soon as full peer info is available
Update the peer STA with full info sending TDLS Setup Response/Confirm
frames instead of after the full setup exchange. This makes it easier
for some drivers to properly negotiate QoS and HT information on the
direct link.

Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
2014-06-29 13:44:14 +03:00
Arik Nemtsov
819c943a3b TDLS: Remove peer from global peer-list on free
There is no need to keep the peer entry in memory after the link has
been removed.

Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
Tested-by: Ilan Peer <ilan.peer@intel.com>
2014-06-29 13:44:14 +03:00
Michal Kazior
5841958f26 hostapd: Use channel switch fallback on error
It's worth giving a try to fallback to re-starting BSSes at least once
hoping it works out instead of just leaving BSSes disabled.

Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
2014-06-28 11:13:11 +03:00
Michal Kazior
8974620e3e hostapd: Perform multi-BSS CSA for DFS properly
Currently hostapd data structures aren't ready for multi-channel BSSes,
so make DFS work now at least with single-channel multi-BSS channel
switching.

Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
2014-06-28 11:08:16 +03:00
Michal Kazior
6782b6846b hostapd: Move CSA parameters to hostapd_data
This prepares CSA structure and logic in hostapd for multi-BSS channel
switching.

Signed-hostap: Michal Kazior <michal.kazior@tieto.com>
2014-06-28 11:02:39 +03:00
Christopher Wiley
3c5d34e30b Change channel before IBSS associations
Fix a bug where changing the mode of the interface to IBSS
fails because the interface is sitting on a channel where IBSS is
disallowed because of a previous association.

Signed-off-by: Christopher Wiley <wiley@chromium.org>
2014-06-28 10:46:33 +03:00
Christopher Wiley
ebffdbc493 nl80211: Refactor mode switch logic
In preparation for another wrinkle around switching into IBSS mode,
refactor existing mode switch logic for simplicity at the expense
of some brevity.

Signed-off-by: Christopher Wiley <wiley@chromium.org>
2014-06-28 10:42:05 +03:00
Pontus Fuchs
f95a4524c2 nl80211: Improve debug output by printing SA and DA in frames
Signed-off-by: Pontus Fuchs <pontus.fuchs@gmail.com>
2014-06-22 00:54:06 +03:00
Pontus Fuchs
dedfa440ed Print frame type name in debug output
"stype=4" becomes "stype=4 (WLAN_FC_STYPE_PROBE_REQ)" etc.

Signed-off-by: Pontus Fuchs <pontus.fuchs@gmail.com>
2014-06-22 00:51:39 +03:00
Johannes Berg
57a8f8af38 nl80211: Use low-priority scan for OBSS scan
Some drivers may support low-priority scans, if they do then
use that for OBSS scanning.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2014-06-22 00:47:06 +03:00
Jouni Malinen
1b928f96b6 P2P: Allow passphrase length to be configured
Previously, eight character random passphrase was generated
automatically for P2P GO. The new p2p_passphrase_len parameter can be
used to increase this length to generate a stronger passphrase for cases
where practicality of manual configuration of legacy devices is not a
concern.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-22 00:15:53 +03:00
Jouni Malinen
f3c6b230dd EAP-SIM': Fix AT_KDF parser to avoid infinite loop
Hitting maximum number of AT_KDF attributes could result in an infinite
loop due to the attribute parser not incrementing the current position
properly when skipping the extra KDF.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-21 12:20:52 +03:00
Jouni Malinen
79122f9f9c EAP-SIM/AKA: Remove unused RESULT_FAILURE state
This was not set anywhere, so remove the unnecessary code trying to
handle the unused state.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-21 00:26:29 +03:00
Jouni Malinen
4075e2fe77 EAP-GPSK: Clean up CSuite_List length validation (CID 62854)
Use a local variable and size_t in length comparison to make this easier
for static analyzers to understand. In addition, set the return list and
list_len values at the end of the function, i.e., only in success case.
These do not change the actual behavior of the only caller for this
function, but clarifies what the helper function is doing.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-18 17:14:59 +03:00
Jouni Malinen
2dbc959699 EAP-FAST: Clean up TLV length validation (CID 62853)
Use size_t instead of int for storing and comparing the TLV length
against the remaining buffer length to make this easier for static
analyzers to understand.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-18 16:45:03 +03:00
Jouni Malinen
35cbadbb14 VHT: Remove useless validation code from Operating Mode Notification
This was added by commit 8a45811638
('hostapd: Add Operating Mode Notification support'), but the validation
steps cannot be true either for the channel width (which is a two-bit
subfield that cannot encode more than the list four values) or Rx NSS
(which cannot encode a value larger 7). Furthermore, the VHT_CHANWIDTH_*
defines do not match the definition of the Channel Width subfield
values.

Since this check cannot ever match, it is better to remove it to make
the code easier to understand and to avoid getting complaints about dead
code from static analyzers.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-18 00:45:48 +03:00
Arik Nemtsov
bed7eb6808 TDLS: Do not bail when failing to process IEs in Discovery Request
Some APs (Cisco) may tack on a weird IE to the end of a TDLS Discovery
Request packet. This needn't fail the response, since the required IEs
are verified separately.

Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
2014-06-17 17:08:42 +03:00
Arik Nemtsov
7e0f4f470a TDLS: Do not reject TPK M3 when failing to process IEs
Some APs (Cisco) may tack on a weird IE to the end of the TDLS confirm
packet, which can fail negotiation. As an interoperability workaround,
ignore IE parser failures and reject the frame only if any of the
mandatory IEs are not included.

Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
2014-06-17 17:05:23 +03:00
Jouni Malinen
7efc7f66b1 TDLS: Fix TPK M1 error case (CID 68214)
Commit 342bce63cd introduced a possibility
of a NULL pointer dereference on the error path if a new peer entry
fails to get added (i.e., memory allocation failure). Fix that by
skipping the wpa_tdls_peer_free() call if necessary.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-17 01:57:35 +03:00
Jithu Jance
d1bb7aeda4 nl80211: Fix non-hostapd interface addition to not call add_ifidx()
Commit b36935be1a ('nl80211: Fix EAPOL
frames not being delivered') and commit
147848ec4d ('nl80211: Do not add all
virtual interfaces to drv->if_indices') were not fully in sync and it
was possible for some non-hostapd use cases to end up adding undesired
ifindexes into the list of interfaces from which events and EAPOL frames
are processed on the parent interface. This could result, e.g., in P2P
Device management interface on getting unexpected events, including
RTM_NEWLINK event that could end up getting interpreted as an
indication of the interface being down and unavailable.

Make both add_ifidx() calls use the same criteria for adding interfaces
to the local list. This is not really a complete solution, but it is
good enough for now to fix the most visible side effects of this issue.

Signed-off-by: Jithu Jance <jithu@broadcom.com>
2014-06-17 01:35:07 +03:00
Arik Nemtsov
342bce63cd TDLS: Bail on STA add failure in tpk_m1 processing
The driver might not be able to add the TDLS STA. Fail if this happens.
Also fix the error path to always reset the TDLS peer data.

Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
2014-06-16 23:36:42 +03:00
Arik Nemtsov
947f900fb8 TDLS: Handle unreachable link teardown for external setup
If a link is unreachable, the specification mandates we should send a
teardown packet via the AP with a specific teardown reason. Force this
by first disabling the link and only then sending the teardown packet
for the LOW_ACK event.

Rename the TDLS LOW_ACK event handler to better reflect its purpose.

Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
2014-06-16 23:34:06 +03:00
Amarnath Hullur Subramanyam
cf1600ace4 hostapd: Configure driver ACL even if MAC address list is empty
Earlier commit related to MAC address based access control list
offloaded to the driver was not sending ACL configuration to the driver
if the MAC address list was empty. Remove this check as empty access
control list is a valid use case and sending ACL parameters should not
be dependent on whether the list is empty.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-06-16 16:22:36 +03:00
Ilan Peer
e3bd6e9dc0 P2P: Use another interface operating channel as listen channel
Performing a P2P Device flow such as p2p_listen or
p2p_find, can degrade the performance of an active interface
connection, if the listen frequency is different than the
frequency used by that interface.

To reduce the effect of P2P Device flows on other interfaces,
try changing the listen channel of the P2P Device to match the
operating channel of one of the other active interfaces. This change
will be possible only in case that the listen channel is not forced
externally, and will be delayed to a point where the P2P Device
state machine is idle.

The optimization can be configured in the configuration file and
is disabled by default.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2014-06-15 00:46:11 +03:00
Ilan Peer
751b00ba28 P2P: Modify p2p_get_pref_freq
In p2p_get_pref_freq, if the channels argument is NULL, select a
preferred channel that is also one of the P2P Device configured
channels.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2014-06-15 00:21:41 +03:00
Jouni Malinen
e6270129f6 Clean up EAPOL-Key Key Data processing
Use a single location in wpa_sm_rx_eapol() for preparing the pointer to
the Key Data field and to its validated length instead of fetching that
information in number of processing functions separately.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 19:02:46 +03:00
Jouni Malinen
d56d7e56e3 Clean up EAPOL-Key processing
Re-order wpa_sm_rx_eapol() to first go through all EAPOL (802.1X) header
validation steps using the original message buffer and re-allocate and
copy the frame only if this is a valid EAPOL frame that contains an
EAPOL-Key. This makes the implementation easier to understand and saves
unnecessary memory allocations and copying should other types of EAPOL
frames get here.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 18:31:14 +03:00
Jouni Malinen
8605eabd54 EAP-EKE: Fix typos in debug message
These error messages had an incorrect frame name (likely copy-pasted
from the commit message handler) and couple of typos.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 17:26:52 +03:00
Jouni Malinen
ac79fcfa76 wext: Verify set_ssid results consistently (CID 62842)
Note in debug log if SSID clearing to stop pending cfg80211 association
attempts fail.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 12:32:53 +03:00
Jouni Malinen
305000e160 WPS: Check wps_build_wfa_ext() return value consistently (CID 68104)
While this call cannot really fail, check the return value to be more
consistent with all the other wps_build_wfa_ext() calls.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 12:32:52 +03:00
Jouni Malinen
2485835ba3 EAP-MSCHAPv2: Check hash function results more consistently (CID 68105)
While the hash functions would be very unlikely to fail in practice,
they do have option of returning an error. Check that return value more
consistently.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 12:32:45 +03:00
Jouni Malinen
b7c61c9d4e Fix validation of EAPOL-Key length with AES key wrap (CID 62859)
The additional eight octet field was removed from keydatalen without
proper validation of the Key Data Length field. It would have been
possible for an invalid EAPOL-Key frame to be processed in a way that
ends up reading beyond the buffer. In theory, this could have also
resulted in writing beyond the EAPOL-Key frame buffer, but that is
unlikely to be feasible due to the AES key wrap validation step on
arbitrary memory contents.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 00:20:04 +03:00
Jouni Malinen
6590b6400f EAP-TNC: Limit maximum message buffer to 75000 bytes (CID 62873)
Since there is a limit on the EAP exchange due to maximum number of
roundtrips, there is no point in allowing excessively large buffers to
be allocated based on what the peer device claims the total message to
be. Instead, reject the message if it would not be possible to receive
it in full anyway.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-13 16:03:45 +03:00
Jouni Malinen
da995b2e11 WNM: Use cleaner way of generating pointer to a field (CID 68099)
The Action code field is in a fixed location, so the IEEE80211_HDRLEN
can be used here to clean up bounds checking to avoid false reports from
static analyzer.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-13 00:27:15 +03:00
Jouni Malinen
062833c67c GAS server: Fix request frame length validation (CID 68098)
There seemed to be an off-by-one error in the validation of GAS request
frames. If a Public Action frame without the Action code field would
have reached this function, the length could have been passed as
(size_t) -1 which would likely have resulted in a crash due to reading
beyond the buffer. However, it looks like such frame would not be
delivered to hostapd at least with mac80211-based drivers. Anyway, this
function better be more careful with length validation should some other
driver end up reporting invalid Action frames.

In addition, the Action code field is in a fixed location, so the
IEEE80211_HDRLEN can be used here to clean up bounds checking to avoid
false reports from static analyzer.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-13 00:27:15 +03:00
Jouni Malinen
5ce3ae4c8f HT: Use cleaner way of generating pointer to a field (CID 68097)
The Action code field is in a fixed location, so the IEEE80211_HDRLEN
can be used here to clean up bounds checking to avoid false reports from
static analyzer.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-13 00:27:15 +03:00
Jouni Malinen
c02f35fb59 WPS: Clean up indentation level (CID 68109)
The implementation here was doing what it was supposed to, but the code
was indented in a way that made it quite confusing in the context of a
single line if statement body.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-12 19:45:31 +03:00
Philippe De Swert
68e2b8882a TNC: Fix minor memory leak (CID 62848)
In tncc_read_config(), the memory allocted for the config
did not get freed if an error occured.

Signed-off-by: Philippe De Swert <philippe.deswert@jollamobile.com>
2014-06-12 19:44:58 +03:00
Jouni Malinen
a0ab408d3b P2P: Fix SD and DevDisc to limit maximum wait time per driver support
The driver may reject offchannel TX operation if the requested wait time
is longer than what the driver indicates as the maximum
remain-on-channel time. Two of the P2P action frame cases used long
enough wait times (1000 ms for DevDisc and 5000 ms for SD) that could go
beyond the limit with some drivers. Fix these to limit the maximum wait
to what the driver indicates as supported.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-06-12 10:49:19 +03:00
Ashok Kumar Ponnaiah
3dacd3ece7 atheros: Add support for new GCMP/CCMP/CMAC/GMAC cipher suites
Extend the set of supported cipher suites to include CCMP-256, GCMP,
GCMP-256, CMAC-256, GMAC, and GMAC-256 when ATH_GCM_SUPPORT=y is set in
the build configuration.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-06-09 19:21:48 +03:00
Jouni Malinen
737754dc2b EAP-IKEv2: Remove obsolete ccns.pl project workarounds
It does not look like there is going to be any additional use for this
old build option that could be used to build the EAP-IKEv2 peer
implementation in a way that interoperates with the eap-ikev2.ccns.pl
project. Remove the workarounds that matches incorrect implementation in
that project to clean up implementation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-08 12:28:36 +03:00
Jouni Malinen
aa6bf6dabc eap_proxy: Check sm != NULL more consistently
While it does not look like that eapol_sm_get_key() would ever be called
with sm == NULL, the current implementation is inconsistent on whether
that is allowed or not. Check sm != NULL consistently to avoid warnings
from static analyzers.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-07 19:26:41 +03:00
Jouni Malinen
4f4d51e059 TDLS: Add extra validation step for responder RSN IE length
The following kde.rsn_ie_len != peer->rsnie_i_len was already taking
care of enforcing the length to be within the target buffer length.
Anyway, this explicit check makes this clearer and matches the design in
TPK M1 processing.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-07 19:21:48 +03:00
Jouni Malinen
1fde15a20a GAS server: Explicitly check that home realm is available
This makes the code easier to understand for static analyzers to avoid
false reports.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-07 19:05:33 +03:00
Jouni Malinen
aff0bee78a GAS server: Remove unused function parameter
This parameter was not used at all, so just remove the argument instead
of passing NULL.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-07 19:04:17 +03:00
Jouni Malinen
86388afa56 WPS: Check for theoretical gmtime() failure
In theory, gmtime() could return NULL if the year value would not fit
into an integer. However, that cannot really happen with the current
time() value in practice. Anyway, clean up static analyzer reports by
checking for this corner case.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-07 17:39:51 +03:00
Jouni Malinen
d75a5ae018 WPS ER: Fix UDN parser to handle missing field
Must check that UDN was present before trying to parse it. Avoid a NULL
pointer dereference by checking the result before using os_strstr() when
parsing device description from an AP.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-07 17:35:22 +03:00
Jouni Malinen
bc32bb70d7 Make a code path easier for static analyzers to understand
prev cannot be NULL here in the hostapd_eid_country_add() call since
prev is set whenever start becomes non-NULL. That seems to be a bit too
difficult for some static analyzers, so check the prev pointer
explicitly to avoid false warnings.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-07 15:37:31 +03:00
Jouni Malinen
2a57c33e25 Reserve QCA vendor specific nl80211 commands 20..33
These are reserved for QCA use.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-06-05 17:03:17 +03:00
Amar Singhal
84df167554 nl80211: Add vendor attribute for interface index
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-06-05 16:57:52 +03:00
Jouni Malinen
9949483c2f The master branch is now used for v2.3 development
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-05 00:51:02 +03:00
Jouni Malinen
b63b9a7bc9 Change version information for the 2.2 release
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-04 16:09:59 +03:00
Darshan Paranji Sri
95b6bca66d Add rsn_pairwise bits to set_ieee8021x() driver_ops
This fixes an issue where a driver using the deprecated set_ieee8021x()
callback did not include rsn_pairwise bits in the driver configuration
even if mixed WPA+WPA2 configuration was used. This could result, e.g.,
in CCMP not being enabled properly when wpa_pairwise=TKIP and
rsn_pairwise=CCMP was used in the configuration. Fix this by using
bitwise OR of the wpa_pairwise and rsn_pairwise values to allow the
driver to enable all pairwise ciphers.

In addition, make the newer set_ap() driver_ops use the same bitwise OR
design instead of picking between rsn_pairwise and wpa_pairwise. This
makes the code paths consistent and can also fix issues with mixed mode
configuration with set_ap().

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-06-03 13:59:22 +03:00
Jouni Malinen
95f6f6a49d RADIUS/EAP server: Use longer username buffer to avoid truncation
If the peer provides a username with large part of it being non-ASCII
characters, the previously used buffers may not have been long enough to
include the full string in debug logs and database search due to forced
truncation of the string by printf_encode(). Avoid this by increasing
the buffer sizes to fit in the maximum result.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-06-02 17:36:51 +03:00
Jouni Malinen
ee54e4010e tests: printf_encode unit test for bounds checking
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-06-02 17:36:51 +03:00
Stuart Henderson
5dff6dff63 Fix off-by-one bounds checking in printf_encode()
The off-by-one error in printf_encode() bounds checking could have
allowed buffer overflow with 0x00 being written to the memory position
following the last octet of the target buffer. Since this output is used
as \0-terminated string, the following operation would likely read past
the buffer as well. Either of these operations can result in the process
dying either due to buffer overflow protection or by a read from
unallowed address.

This has been seen to cause wpa_supplicant crash on OpenBSD when control
interface client attaches (debug print shows the client socket address).
Similarly, it may be possible to trigger the issue in RADIUS/EAP server
implementation within hostapd with a suitable constructed user name.

Signed-off-by: Stuart Henderson <sthen@openbsd.org>
2014-06-02 17:36:18 +03:00
Ashok Kumar Ponnaiah
801e117376 Fix validation of RSN EAPOL-Key version for GCMP with PMF
If PMF was enabled, the validation step for EAPOL-Key descriptor version
ended up rejecting the message if GCMP had been negotiated as the
pairwise cipher. Fix this by making the GCMP check skipped similarly to
the CCMP case if a SHA256-based AKM is used.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-06-02 17:03:33 +03:00
Jouni Malinen
3d4d2348c0 FT: Fix GTK rekeying after FT protocol
Move to PTKINITDONE state and mark PTK valid after successful completion
of FT protocol. This allows the AP/Authenticator to start GTK rekeying
when FT protocol is used. Previously, the station using FT protocol did
not get the new GTK which would break delivery of group addressed
frames.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-01 13:21:40 +03:00
Jithu Jance
d3d048310c nl80211: Work around error case prints for nl_recvmsgs on Android
I got the below prints on a particular Android platform:

I/wpa_supplicant( 2637): nl80211: send_and_recv->nl_recvmsgs failed: 20
I/wpa_supplicant( 2637): nl80211: send_and_recv->nl_recvmsgs failed: 20

In JellyBean libnl_2 code, I see that the nl_recvmsgs returns postive values
too. In some cases, nl_recvmgs return the output of nl_recv function. nl_recv
function can return Number of bytes read, 0 or a negative error code.

Looks like this positive return value for nl_recvmsgs may be specific to
Android. While this is not how the API is supposed to work, this does no
harm with upstream libnl which returns only 0 or -1 from the function.

Signed-off-by: Jithu Jance <jithu@broadcom.com>
2014-06-01 11:25:02 +03:00
Jouni Malinen
8a387a269d P2P NFC: Fix use of freed memory
The dev_found() callback from NFC connection handover message processing
ended up using the p2p_dev_addr pointer that points to the parsed
message. However, that parsed data was freed just before the call. Fix
this by reordering the calls.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-31 23:10:33 +03:00
Jouni Malinen
13c330385a SAE: Fix memory leak in random number generation
If the randomly generated bignum does not meet the validation steps, the
iteration loop in sae_get_rand() did not free the data properly. Fix the
memory leak by freeing the temporary bignum before starting the next
attempt at generating the value.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-31 22:24:31 +03:00
Jouni Malinen
d92bdf9602 hostapd: Make sure hapd->drv_priv gets cleared on driver deinit
Couple of code paths in hostapd.c could have left hapd->drv_priv
pointing to memory that was freed in driver_nl80211.c when a secondary
BSS interface is removed. This could result in use of freed memory and
segfault when the next driver operation (likely during interface
deinit/removal). Fix this by clearing hapd->drv_priv when there is
reason to believe that the old value is not valid within the driver
wrapper anymore.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-31 17:11:04 +03:00
Jouni Malinen
438e13339d hostapd: Use helper function to avoid duplicate deinit calls
These three calls were used already in three different paths. Use a
helper function to avoid adding even more copies of this.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-31 15:57:36 +03:00
Michal Kazior
ac1a224092 hostapd: Clean up if interface setup fails
If for some reason interface setup fails mid-way when setting up
multi-BSS AP it was possible to get segmentation fault because driver
was not properly cleaned up.

One possible trigger, when using nl80211 driver, was udev renaming an
interface created by hostapd causing, e.g., linux_set_iface_flags() to
fail.

Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
2014-05-31 15:53:56 +03:00
Michal Kazior
81c4fca100 hostapd: Reset hapd->interface_add properly
This variable is updated when calling hostapd_if_add(), so it makes
sense to do the same thing when calling hostapd_if_remove().

Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
2014-05-31 15:49:38 +03:00
Michal Kazior
3fbd036ea9 hostapd: Prevent double interface disabling from segfaulting
Performing, e.g. `wpa_cli -p /var/run/hostapd raw DISABLE` twice led to
hostapd segmentation fault if multiple BSSes were configured. Fix this
by checking if there is anything to disable at all before trying.

Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
2014-05-31 15:46:45 +03:00
Michal Kazior
ea39367c1b nl80211: Fix wpa_driver_nl80211_if_add() failure paths
Make sure to not remove interfaces that were not created by
hostapd/wpa_supplicant. This was already done on number of the error
paths, but not all.

Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
2014-05-31 13:43:27 +03:00
Jouni Malinen
b523973611 RADIUS client: Trigger failover more quickly if socket is not valid
It is possible for the connect() call to fail (e.g., due to unreachable
network based on local routing table), so the current auth/acct_sock may
be left to -1. Use that as an addition trigger to allow server failover
operation to be performed more quickly if it is known that the
retransmission attempt will not succeed anyway.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-30 20:52:08 +03:00
Jouni Malinen
09844c0984 RADIUS client: Do not flush pending messages if server did not change
The re-open socket to the current RADIUS server code path did not work
in the expected way here. The pending authentication messages do not
need to be flushed in that case and neither should the retransmission
parameters be cleared. Fix this by performing these operations only if
the server did actually change as a part of a failover operation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-30 20:46:20 +03:00
Jouni Malinen
5d67bf1566 hostapd: Fix configuration of multiple RADIUS servers with SET
The current RADIUS server pointer was updated after each SET command
which broke parsing of multiple RADIUS servers over the control
interface. Fix this by doing the final RADIUS server pointer updates
only once the full configuration is available.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-30 20:40:11 +03:00
Jouni Malinen
70d4084885 RADIUS client: Fix socket close/re-open on server change
Both IPv4 and IPv6 sockets were not closed consistently in the paths
that tried to change RADIUS servers. This could result in leaking
sockets and leaving behind registered eloop events to freed memory on
interface removal.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-30 18:09:42 +03:00
Jerry Yang
d045cc8e4c RADIUS client: Fix crash issue in radius_client_timer()
While iterating through RADIUS messages in radius_client_timer(), one
message entry may get flushed by "radius_client_retransmit -->
radius_client_handle_send_error --> radius_client_init_auth -->
radius_change_server --> radius_client_flush". This could result in
freed memory being accessed afterwards.

Signed-off-by: Jerry Yang <xyang@sonicwall.com>
2014-05-30 18:08:59 +03:00
Jouni Malinen
c1fb75a6e2 RADIUS client: Handle ENETUNREACH similarly to other failure cases
This is one more possible send() error that should trigger RADIUS server
change if multiple servers are configured.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-30 18:08:54 +03:00
Jouni Malinen
9ed4076673 RADIUS client: Do not try to send message without socket
It is possible for the RADIUS authentication/accounting socket to not be
open even if partial RADIUS server configuration has been done through
the control interface SET commands. Previously, this resulted in send()
attempt using fd=-1 which fails with bad file descriptor. Clean this up
by logging this as a missing configuration instead of trying to send the
message when that is known to fail.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-30 18:08:37 +03:00
Jouni Malinen
114153b975 P2P: Debug print channel lists for invitation processing
This makes invitation process more consistent with GO Negotiation as far
as the debug log entries are concerned and the resulting log is more
helpful for understanding channel selection.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-05-29 16:46:28 +03:00
Jouni Malinen
4eb3b76b0f OpenSSL: Fix OCSP certificate debug print to use wpa_printf
Instead of using X509_print_fp() to print directly to stdout, print the
certificate dump to a memory BIO and use wpa_printf() to get this into
the debug log. This allows redirection of debug log to work better and
avoids undesired stdout prints when debugging is not enabled.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-05-29 15:37:18 +03:00
Jouni Malinen
f6fb1926bb HS 2.0R2: Fix subscr_remediation_method for RADIUS server
This configuration parameter was not used at all in the RADIUS server
implementation and instead, hard coded 0 was sent.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-28 00:56:13 +03:00
Jouni Malinen
2d2dd488be tests: Add module tests for src/common
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-28 00:56:13 +03:00
Jouni Malinen
74879f320d Remove extra newline from a debug print
"Unknown WFA information element ignored" debug message had an extra
newline at the end.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-27 23:39:46 +03:00
Jouni Malinen
147848ec4d nl80211: Do not add all virtual interfaces to drv->if_indices
Commit 04eff7d5ba or something around that
timeframe may have caused a regression on how drv->if_indices gets used
with wpa_supplicant. Most (curretly likely all) wpa_supplicant virtual
interface use cases should not actually use this. This could result in
issues with P2P group interfaces delivering events to incorrect
interface (parent rather than the group interface). The previous commit
removed some of the issues, but more complete fix is to undo some of
those merged hostapd/wpa_supplicant operations.

Filter add_ifidx() uses based on hostapd vs. wpa_supplicant and iftype
to get closer to the earlier wpa_supplicant behavior for the driver
events from virtual interfaces.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-05-27 18:47:41 +03:00
Jouni Malinen
de88430311 nl80211: Fix del_ifidx() with mixed parent interface cases
It is possible for a virtual interface to be added and removed by
different parent interfaces. This can happen, e.g., with P2P group
interfaces if the P2P parent interface does not happen to be the first
entry in the wpa_supplicant global interface list. That first entry is
used to remove the group interface while the addition would have
happened with the dedicated P2P management interface.

This can result in the interface that added a new virtual interface
getting stuck with an obsolete ifindex value in the drv->if_indeces list
and as such, deliver some extra events to incorrect destination wpa_s
instance. In particular, this can result in INTERFACE_DISABLED event
from deletion of a P2P group interface getting delivered incorrectly to
the parent wpa_s instance which would disable that interface even though
the interface remains in enabled state.

Fix this by clearing the removed interface from all if_indeces lists
instead of just the one that was used to delete the interface. This is
the simplest approach since the ifindex is unique and there is no need
to track which interface added the new virtual interface to always hit
the same one when removing the interface.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-05-27 18:16:58 +03:00
Jouni Malinen
f347935f0d tests: Unit tests for WPA_TRACE
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-27 00:03:06 +03:00
Jouni Malinen
a3fe74bde1 tests: Add unit tests for ext_password
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-26 23:57:32 +03:00
Boris Sorochkin
f7454c97df P2P: Add 60 GHz in channel to frequency conversion
Add regulatory classes for the 60GHz band.

Signed-off-by: Vladimir Kondratiev <qca_vkondrat@qca.qualcomm.com>
Signed-off-by: Boris Sorochkin <qca_bsoroc@qca.qualcomm.com>
2014-05-26 23:35:52 +03:00
Jouni Malinen
fc3f1d1b4d Remove unused hostapd_ip_diff()
There are no users of this function.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-26 17:21:44 +03:00
Jouni Malinen
3eb744a35a tests: int_array unit tests
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-26 17:21:44 +03:00
Jouni Malinen
8b0980af50 tests: Move bitfield unit tests into wpa_supplicant module test
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-26 17:21:44 +03:00
Jouni Malinen
8860e0f47c tests: Add printf encoding/decoding module tests
This replaces tests/test-printf.c.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-26 17:21:44 +03:00
Jouni Malinen
d73c7b9626 GAS: Send error response if no room for pending dialog context
Instead of silently dropping the response that requires fragmentation,
send an error response to the station to make it aware that no full
response will be available.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-26 17:21:43 +03:00
Jouni Malinen
2396f02a43 Reserve QCA vendor specific nl80211 commands 14..19
These are reserved for QCA use.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-05-22 16:29:48 +03:00
Jithu Jance
5661bd0f70 P2P: Avoid resetting pending_listen_freq if p2p_listen is pending
If p2p_listen is called while previous listen command's
remain_on_channel event is pending, the p2p_listen would fail
and it used to clear pending_listen_freq. Now when the remain-
on-channel event comes from the driver, the pending_listen_freq
doesn't match and gets ignored. This was leading to a case
where listen state was getting stuck (in case of WAIT_PEER_CONNECT
state).

Signed-off-by: Jithu Jance <jithu@broadcom.com>
2014-05-22 16:29:36 +03:00
Jithu Jance
8802326ff9 nl80211: Indicate SHA256-based AKM suites in CONNECT/ASSOCIATE
Previously, the NL80211_ATTR_AKM_SUITES was skipped if either of these
SHA256-based AKMs was negotiated.

Signed-off-by: Jithu Jance <jithu@broadcom.com>
2014-05-21 23:48:00 +03:00
Jouni Malinen
54ac6ff8c4 PKCS 1: Add function for checking v1.5 RSA signature
This could be used as a step towards replacing more specific functions
used in X.509 and TLS processing.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-20 19:52:18 +03:00
Jouni Malinen
d3811845f3 RSA: Add OID definitions and helper function for hash algorithms
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-19 23:27:30 +03:00
Jouni Malinen
ab6d047405 Add function for building RSA public key from n and e parameters
This is similar to the existing functionality that parsed ASN.1-encoded
RSA public key by generating a similar public key instance from already
parsed n and e parameters.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-19 23:27:30 +03:00
Jouni Malinen
6c5be116dd PKCS #1: Enforce minimum padding for decryption in internal TLS
Follow the PKCS #1 v1.5, 8.1 constraint of at least eight octets long PS
for the case where the internal TLS implementation decrypts PKCS #1
formatted data. Similar limit was already in place for signature
validation, but not for this decryption routine.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-05-19 23:27:30 +03:00
Jouni Malinen
e6d83cc7ba PKCS #1: Allow only BT=01 for signature in internal TLS
Based on PKCS #1, v1.5, 10.1.3, the block type shall be 01 for a
signature. This avoids a potential attack vector for internal TLS/X.509
implementation.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-05-19 23:27:30 +03:00
Jouni Malinen
9c29d48725 X.509: Fix internal TLS/X.509 validation of PKCS#1 signature
Verify that there is no extra data after the hash field. This is needed
to avoid potential attacks using additional data to construct a value
that passes the RSA operation and allows the hash value to be forged.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-05-19 23:27:30 +03:00
Jouni Malinen
dbd1e184e3 tests: TNC testing
This implements minimal IMC and IMV to allow TNC testing with PEAP (SoH)
and TTLS/FAST with EAP-TNC.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-17 20:05:55 +03:00
Jouni Malinen
10b58b5029 TNC: Allow TNC to be enabled dynamically
Previously, hostapd had to be started with at least one of the
configuration files enabling TNC for TNC to be usable. Change this to
allow TNC to be enabled when the first interface with TNC enabled gets
added during runtime.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-17 20:05:55 +03:00
Jouni Malinen
0a626a5060 TNC: Move common definitions into a shared header file
No need to duplicate these in multiple places.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-17 20:05:55 +03:00
Jouni Malinen
4075e4e862 TNC: Allow tnc_config file path to be replaced
This is for enabling easier testing of TNCS/TNCC functionality as part
of the test scripts without having to use the fixed /etc/tnc_config
location that could be used by the main system and would require changes
within /etc.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-17 20:05:55 +03:00
Masashi Honma
f0356ec85c eloop: Add epoll option for better performance
This patch adds epoll option for the eloop implementation. This can be
selected with the CONFIG_ELOOP_EPOLL=y build option.

[merit]
See Table1.

Table1. comparison table
+--------+--------+-----------+------------+-------------+
|        | add fd | remove fd | prepare fd | dispatch fd |
+--------+--------+-----------+------------+-------------+
| select | O(1)   | O(1)      | O(N)       | O(N)        |
+--------+--------+-----------+------------+-------------+
| poll   | O(1)   | O(1)      | O(N)       | O(N)        |
+--------+--------+-----------+------------+-------------+
| epoll  | O(1)   | O(1)      | 0          | O(M)        |
+--------+--------+-----------+------------+-------------+
"add fd" is addition of fd by eloop_sock_table_add_sock().
"remove fd" is removal of fd by eloop_sock_table_remove_sock().
"prepare fd" is preparation of fds before wait in eloop_run().
"dispatch fd" is dispatchment of fds by eloop_sock_table_dispatch().
"N" is all watching fds.
"M" is fds which could be dispatched after waiting.

As shown in Table1, epoll option has better performance on "prepare fd" column.
Because select/poll option requires setting fds before every select()/poll().
But epoll_wait() doesn't need it.

And epoll option has also better performance on "dispatch fd" column.
Because select/poll option needs to check all registered fds to find out
dispatchable fds. But epoll option doesn't require checking all registered fds.
Because epoll_wait() returns dispatchable fd set.

So epoll option is effective for GO/AP functionality.

[demerit]
The epoll option requires additional heap memory. In case of P2P GO, it is
about 8K bytes.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2014-05-16 18:25:51 +03:00
Masashi Honma
da96a6f793 eloop: Separate event loop select/poll implementation
This allows yet another eloop.c option to be added.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2014-05-16 18:23:09 +03:00
Jouni Malinen
5cd0e228ac P2P: Iterate through full pref_chan list in search of a valid channel
p2p_get_pref_freq() went through the full list only if the channels
arguments was provided. If no channel list contraint was in place, the
first pref_chan item was picked regardless of whether it is valid
channel and as such, a later valid entry could have been ignored. Allow
this to loop through all the entries until a valid channel is found or
the end of the pref_chan list is reached. As an extra bonus, this
simplifies the p2p_get_pref_freq() implementation quite a bit.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-05-16 16:49:17 +03:00
Rajkumar Manoharan
f41d55da02 hostapd: Check for overlapping 20 MHz BSS before starting 20/40 MHz BSS
Before starting a 20/40 MHz BSS on the 2.4 GHz band, a 40-MHz-capable HT
AP is required by the rules defined in IEEE Std 802.11-2012 10.15.5 to
examine the channels of the current operational regulatory domain to
determine whether the operation of a 20/40 MHz BSS might unfairly
interfere with the operation of existing 20 MHz BSSs. The AP (or some of
its associated HT STAs) is required to scan all of the channels of the
current regulatory domain in order to ascertain the operating channels
of any existing 20 MHz BSSs and 20/40 MHz BSSs. (IEEE 802.11-2012 S.5.2
Establishing a 20/40 MHz BSS).

Add the check for an overlapping 20 MHz BSS to the initial AP scan for
the P == OT_i case in 10.15.3.2.

Signed-off-by: Rajkumar Manoharan <rmanohar@qti.qualcomm.com>
2014-05-16 01:14:01 +03:00
Simon Baatz
c70c37500b SCARD: Fix GSM authentication on USIM
scard_gsm_auth() used SIM_CMD_GET_RESPONSE for both SIM and USIM. Convert
the command into USIM_CMD_GET_RESPONSE for USIM.

Since commit eb32460029 ("Fix switching from EAP-SIM to EAP-AKA/AKA'")
EAP-SIM is using the USIM if available. This triggers a probably ancient
bug in scard_gsm_auth(), which results in sending the wrong get response
command to the USIM. Thus, EAP-SIM stopped to work after this change on
USIMs that expect the proper command.

Signed-off-by: Simon Baatz <gmbnomis@gmail.com>
2014-05-16 01:01:25 +03:00
Petar Koretic
c78c6b73fa WPS: Fix return value when context is not valid
If WPS isn't enabled, hostapd_cli returns 'OK' even though WPS doesn't
get activated because WPS context is not valid:

$ hostapd_cli wps_pbc
Selected interface 'wlan0'
OK

$ hostapd_cli wps_cancel
Selected interface 'wlan0'
OK

Fix this by returning appropriate error when WPS fails to activate:

$ hostapd_cli wps_pbc
Selected interface 'wlan0'
FAIL

$ hostapd_cli wps_cancel
Selected interface 'wlan0'
FAIL

Signed-off-by: Petar Koretic <petar.koretic@sartura.hr>
CC: Luka Perkov <luka.perkov@sartura.hr>
2014-05-16 00:58:48 +03:00
Rashmi Ramanna
388444e8d6 P2P: Modify the timeout for GO Negotiation on no concurrent session
Peer should handle a GO Negotiation exchange correctly when the
responding device does not have WSC credentials available at the
time of receiving the GO Negotiation Request. WSC Credentials
(e.g., Pushbutton) can be entered within the 120 second timeout.

Presently, if concurrent session is not active, the peer would wait for
GO Negotiation Request frame from the other device for approximately one
minute due to the earlier optimization change in commit
a2d6365760. To meet the two minute
requirement, replace this design based on number of iterations with a
more appropriate wait for the required number of seconds.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-05-15 23:57:00 +03:00
Jouni Malinen
7e68be38e4 P2P: Refrain from performing extended listen during PD
Extend the previous commit 0f1034e388 to
skip extended listen also based on ongoing provision discovery operation
(which does not show up as a separate P2P module state and as such, was
not coveraged by the previous commit).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-05-15 22:19:37 +03:00
Jouni Malinen
c7caac56b7 nl80211: Fix send_frame freq for IBSS
bss->freq was not updated for IBSS, so whatever old value was stored
from a previous AP mode operation could end up having been used as the
channel when trying to send Authentication frames in an RSN IBSS. This
resulted in the frame not sent (cfg80211 rejects it) and potentially not
being able to re-establish connection due to 4-way handshake failing
with replay counter mismatches. Fix this by learning the operating
channel of the IBSS both when join event is received and when a
management frame is being transmitted since the IBSS may have changed
channels due to merges.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-15 16:56:49 +03:00
Jouni Malinen
f4626235de EAP-pwd server: Allow fragment_size to be configured
Previously, the fragment_size parameter was ignored and the default
value of 1020 was hardcoded.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-11 22:47:25 +03:00
Jouni Malinen
c876dcd70f EAP-IKEv2: Allow frag ack without integrity checksum
RFC 5106 is not exactly clear on the requirements for the "no data"
packet that is used to acknowledge a fragmented message. Allow it to be
processed without the integrity checksum data field since it is possible
to interpret the RFC as this not being included. This fixes reassembly
of fragmented frames after keys have been derived.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-11 22:47:25 +03:00
Jouni Malinen
0f73c642cc EAP-pwd: Fix processing of group setup failure
If invalid group was negotiated, compute_password_element() left some of
the data->grp pointer uninitialized and this could result in
segmentation fault when deinitializing the EAP method. Fix this by
explicitly clearing all the pointer with eap_zalloc(). In addition,
speed up EAP failure reporting in this type of error case by indicating
that the EAP method execution cannot continue anymore on the peer side
instead of waiting for a timeout.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-11 21:24:05 +03:00
Jouni Malinen
13e2574f7d EAP-pwd peer: Export Session-Id through getSessionId callback
EAP-pwd was already deriving the EAP Session-Id, but it was not yet
exposed through the EAP method API.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-11 21:22:55 +03:00
Jouni Malinen
251c53e084 RADIUS: Define EAP-Key-Name
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-11 21:10:03 +03:00
Jouni Malinen
04cad507e1 EAP-SIM peer: Fix counter-too-small message building
The extra data (nonce_s) used in this message was pointing to the
parsed, decrypted data and that buffer was previously freed just before
building the new message. This resulted in use of freed data and
possibly incorrect extra data value that caused the authentication
attempt to fail. Fix this by reordering the code to free the decrypted
data only after the new message has been generated. This was already the
case for EAP-AKA/AKA', but somehow missing from EAP-SIM.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-11 17:57:28 +03:00
Jouni Malinen
144f10446a X.509: Fix v3 parsing with issuerUniqueID/subjectUniqueID present
The current position pointer was not updated when issuerUniqueID or
subjectUniqueID were present. This could result in extensions being
ignored.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-10 13:13:47 +03:00
Sunil Dutt
0f1034e388 P2P: Refrain from performing extended listen during P2P connection
Do not perform extended listen period operations when either a P2P
connection is in progress. This makes the connection more robust should
an extended listen timer trigger during such an operation.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-05-09 20:42:44 +03:00
Hu Wang
8d0dd4eebc Add macsec_qca driver wrapper
This is based on driver_wired.c and provides driver interface for the
QCA MACsec driver.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-05-09 20:42:44 +03:00
Hu Wang
887d9d01ab MACsec: Add PAE implementation
This adds initial implementation of IEEE Std 802.1X-2010 PAE for MACsec.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-05-09 20:42:44 +03:00
Hu Wang
7baec808ef MACsec: Add driver_ops
This defines new driver_ops to be used with MACsec.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-05-09 20:05:28 +03:00
Hu Wang
4e9528cce3 MACsec: Add common IEEE 802.1X definitions
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-05-09 20:05:28 +03:00
Hu Wang
3bcfab8794 MACsec: Add define for EAPOL type MKA
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-05-09 20:05:28 +03:00
Hu Wang
0836c04b30 MACsec: Allow EAPOL version 3 to be configured
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-05-09 20:05:28 +03:00
Hu Wang
49be483b28 Add function to fetch EAP Session-Id from EAPOL supplicant
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-05-09 20:05:28 +03:00
Chandrasekaran, Manishekar
ea40a575ae nl80211: Use max associated STAs information in AP mode
Propagate max associated STAs in AP mode advertised by the driver to
core wpa_supplicant implemantion. This allows wpa_supplicant to update
the P2P GO group limit information automatically without having to
configure this limit manually. The information (if available) is also
used in the generic AP implementation to control maximum number of STA
entries.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-05-09 17:12:19 +03:00
Eliad Peller
e4fa8b120b wpa_supplicant: Add Wake-on-WLAN configuration support
Add a new wowlan_triggers option to wpa_supplicant.conf. The triggers in
this key will be used to configure the kernel wowlan configuration.

For now, support only simple flags. More complex triggers can be added
later on.

Signed-off-by: Eliad Peller <eliadx.peller@intel.com>
2014-04-29 18:59:12 +03:00
Dmitry Shmidt
959214b260 Android: Use extended P2P functionality (ANDROID_P2P) for all vendors
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
2014-04-29 18:59:12 +03:00
Arik Nemtsov
9a41232165 TDLS: Fully tear down existing link before setup
Disabling the link only clears the local state. The remote peer will
still think we are connected and disallow the setup.

Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
2014-04-29 18:59:12 +03:00
Arik Nemtsov
c04b4651f7 TDLS: Disable links during AP deauth in external flow
When de-authenticating from the AP, disable each TDLS link after
sending the teardown packet. Postpone the reset of the peer state
data until after the link disable request.

Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
2014-04-29 18:59:12 +03:00
Jouni Malinen
b19719aa77 TDLS: Make wpa_tdls_send_teardown() static
This function was not used anywhere outside tdls.c.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-04-29 18:59:12 +03:00
Ilan Peer
52f5877afa nl80211: Take ownership of dynamically added interfaces
Indicate to cfg80211 that interfaces created by the wpa_supplicant
or hostapd are owned by them, and that in case that the socket that
created them closes, these interfaces should be removed.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2014-04-29 18:59:12 +03:00
Eduardo Abinader
e390df0553 nl80211: Cancel rfkill timeout on deinit
Got segfault, when freeing drv and there exists registered timeout for
blocked rfkill. This patch adds cancel timeout to avoid this.

Signed-off-by: Eduardo Abinader <eduardo.abinader@openbossa.org>
2014-04-29 17:55:27 +03:00
Pradeep Reddy POTTETI
bb24229b26 TDLS: Pass peer's capability info to the driver in open mode
Commit 96ecea5eb1 did not consider
to pass the VHT/HT/WMM capabilities of the peer for BSS with
open mode.
Address this issue by passing the capabilities irrespective of
the security mode.

Signed-off-by: Pradeep Reddy POTTETI <c_ppotte@qti.qualcomm.com>
2014-04-29 17:08:13 +03:00
Jouni Malinen
c0333c8dd5 Check rx_mgmt::frame more consistently against NULL
If a driver wrapper misbehaves and does not indicate a frame body in the
event, core hostapd code should handle this consistently since that case
was already checked for in one location.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-29 12:52:10 +03:00
Jouni Malinen
d6c6b1fb9d Make sta NULL-check easier for static analyzers
sta == NULL check is already done above based on category !=
WLAN_ACTION_PUBLIC, but that seems to be too complex for some static
analyzers, so avoid invalid reports by explicitly checking for this
again in the WLAN_ACTION_FT case.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-29 12:52:10 +03:00
Jouni Malinen
0bceb8d6f4 Make dl_list_first() and dl_list_last() uses easier for static analyzers
The previous check for dl_list_len() or having an entry from the list is
sufficient, but some static analyzers cannot figure out that
dl_list_first() and dl_list_last() will return non-NULL in this type of
cases. Avoid invalid reports by explicitly checking for NULL.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-29 12:52:10 +03:00
Jouni Malinen
5f693cb1b6 WPS HTTP: Remove unused assignment
bbp is not used in the code path that skips trailers.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-29 12:52:10 +03:00
Jouni Malinen
ee4fefc015 Remove duplicated variable zeroing
It's enough to do this once as part of the for loop.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-29 12:52:10 +03:00
Jouni Malinen
4a9d0ebe4a Make PMKID check easier for static analyzers
Checking sm->pmksa is sufficient here, but that seems to be too
difficult for static analyzers to follow, so avoid false reports by
explicitly checking pmkid as well.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-29 12:52:10 +03:00
Jouni Malinen
06df2aa60a Remove floating constant suffix 'd' from test coee
clang scan-build does not seem to like the 'd' suffix on floating
constants and ends up reporting analyzer failures. Since this suffix
does not seem to be needed, get rid of it to clear such warnings.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-29 12:52:10 +03:00
Jouni Malinen
d06e9ac5f5 P2P: Verify operating channel validity for NFC connection handover
p2p_freq_to_channel() could return an error if the GO or P2P Client
operating channel is not valid. Check for this before generating the NFC
handover message.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-04-29 12:52:10 +03:00
Jouni Malinen
13a524a30d nl80211: Remove unnecessary wpa_driver_nl80211_set_freq() wrapper
This is not of any real use anymore with nl80211_set_channel() taking
care of channel setting operation.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-04-29 12:52:10 +03:00
Peng Xu
e87ef7517e nl80211: Add support for changing AP mode channel bandwidth
Configure driver with the new channel parameters (mainly, HT 20/40 MHz
bandwidth changes) as part of set_ap().

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-04-29 12:52:09 +03:00
Jouni Malinen
30575183f6 Sync with mac80211-next.git nl80211.h
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-29 12:52:09 +03:00
Peng Xu
5f0bca77a8 Retry initial 20/40 MHz co-ex scan if the driver is busy
This makes the initial OBSS scans in AP mode before starting 40 MHz BSS
more robust. In addition, HT20 can be used as a backup option if none of
the scans succeed.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-04-29 12:52:09 +03:00
Peng Xu
587d60d2b7 Add AP mode support for HT 20/40 co-ex Action frame
If a 2.4 GHz band AP receives a 20/40 Coexistence management frame from
a connected station with 20/40 BSS Intolerant Channel Report element
containing the channel list in which any legacy AP are detected or AP
with 40 MHz intolerant bit set in HT Cap IE is detected in the affected
range of the BSS, the BSS will be moved from 40 to 20 MHz channel width.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-04-29 12:52:09 +03:00
Peng Xu
9c47f6a2a6 hostapd: Extend support for HT 20/40 coexistence feature
Extend the minimal HT 20/40 co-ex support to include dynamic changes
during the lifetime of the BSS. If any STA connects to a 2.4 GHz AP with
40 MHz intolerant bit set then the AP will switch to 20 MHz operating
mode.

If for a period of time specified by OBSS delay factor and OBSS scan
interval AP does not have any information about 40 MHz intolerant STAs,
the BSS is switched from HT20 to HT40 mode.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-04-29 12:52:09 +03:00
Peng Xu
196c9c7cd2 Make channel parameters available in set_ap() driver operation
This provides information to allow the driver to be configured for
updated channel parameters, e.g., when dynamically changing HT20/HT40
bandwidth.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-04-29 12:16:51 +03:00
Jouni Malinen
27b418715f WPS: Print setsockopt() failure in debug log
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-04-28 16:54:09 +03:00
Jouni Malinen
52cb20730a trace: Replace demangle.h with internal defines
It looks like the demangle.h from binutils-dev is not installed that
commonly anymore. Since we need only two defines from that file, replace
the header file with those defines to make it easier to build with
WPA_TRACE_BFD=y.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-25 19:27:48 +03:00
Jouni Malinen
0e80ea2c70 nl80211: Fix some coding style issues
Some trailing whitespace and spaces for indentation were present in the
driver wrapper and header files.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-04-25 19:27:07 +03:00
Jouni Malinen
a26582cb98 Make qca-vendor.h independent of other header files
Move the definitions that depended in common.h into a separate header
file so that qca-vendor.h can be copied and used as-is in other
projects.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-04-25 11:41:36 +03:00
Amar Singhal
4a64d5a9db nl80211: Allocate QCA vendor subcmd for extended statistics
This allocates a QCA vendor subcmd for extended statistics
functionality and also an attribute for delivering the payload
for extended statistics.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-04-25 11:36:11 +03:00
Ilan Peer
dcdce14741 radiotap: Fix compilation for systems without le16toh/le32toh
These functions are not standard and do not exist in all systems, e.g.,
variants of Android. Instead use the macros defined in common.h.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2014-04-24 12:15:32 +03:00
Maxime Bizon
2aa82e52da Interworking: Don't filter probe requests when interworking is disabled
With hidden SSID (ignore_broadcast_ssid), an IOS device trying to
connect to the AP will send a probe request with ANT == 2. If
interworking support is just compiled (not enabled), we will drop the
probe request since default ANT is 0.

Check that interworking is enabled before filtering based on ANT or
HESSID to match the behavior of code without CONFIG_INTERWORKING.

Signed-off-by: Maxime Bizon <mbizon@freebox.fr>
2014-04-24 12:15:32 +03:00
Naresh Jayaram
13f6a07efc Add SIM identifier to the network profile and cred block
This allows the specific SIM to be identified for authentication
purposes in multi-SIM devices. This SIM number represents the index of
the SIM slot. This SIM number shall be used for the authentication using
the respective SIM for the Wi-Fi connection to the corresponding
network.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-04-24 12:15:32 +03:00
Marek Puzyniak
8a0f3bf613 AP: Fix checking if DFS is required
Sometimes function hostapd_is_dfs_required() returns -1 which indicates
that it was not possible to check if DFS was required. This happens for
channels from the 2.4 GHz band where DFS checking should not happen.
This can be fixed by returning DFS-not-required for mode different from
IEEE80211A and when DFS support is not available (ieee80211h not set).

Signed-off-by: Marek Puzyniak <marek.puzyniak@tieto.com>
2014-04-17 17:12:52 +03:00
Jouni Malinen
6d99bd8076 nl80211: Debug print HT/VHT capability override information
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-04-17 17:11:11 +03:00
Jouni Malinen
d2c33b91ad Reduce the amount of time PTK/TPTK/GTK is kept in memory
Some of the buffers used to keep a copy of PTK/TPTK/GTK in the
supplicant implementation maintained a copy of the keys longer than
necessary. Clear these buffers to zero when the key is not needed
anymore to minimize the amount of time key material is kept in memory.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-16 01:29:27 +03:00
Jouni Malinen
e47ee249bc l2_packet: Fix l2_packet_none (hostapd default)
The sample code here ended up trying to register an eloop socket with fd
== -1. This was not really ever supposed to be used, but it is now also
hitting an assert in eloop. Skip the unnecessary
eloop_register_read_sock() to avoid this.

This was causing issues for hostapd since CONFIG_L2_PACKET is not set by
default. If CONFIG_RSN_PREAUTH=y was not used for CONFIG_L2_PACKET was
not set in .config explicitly, the defaul use of l2_packet_none.c ended
up hitting the newly added assert() in eloop.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-14 23:04:55 +03:00
Johannes Berg
30476e4fe7 wlantest: Tag and ignore generated packets
Rather than ignoring packets with a minimal 8-byte radiotap
header, which may occur elsewhere, tag generated (decrypted)
packets with an empty vendor namespace tag and ignore those.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2014-04-13 23:54:25 +03:00
Johannes Berg
bacb984b2d radiotap: Update radiotap parser to library version
Update the radiotap parser to the latest version of the
http://git.sipsolutions.net/radiotap.git/ library to get
parsing for vendor namespaces.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2014-04-13 23:49:59 +03:00
Jouni Malinen
142817b2f9 Add a wpa_supplicant ctrl_iface event for regdom changes
CTRL-EVENT-REGDOM-CHANGE event provides an external notification of
regulatory domain (and any driver channel list) changes.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-13 16:32:38 +03:00
Jouni Malinen
d6a36f3956 nl80211: Mask out deauth even after own deauth request
This was already done for the disconnect event, but
SME-in-wpa_supplicant case needs to do same with the deauth event to
avoid getting extra events during WPS disconnect-and-reconnect sequence.
This can speed up WPS processing by removing unnecessary failures or
retries due to the extra event being processed during the next
association attempt.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-13 11:39:49 +03:00
Jouni Malinen
0cd860284c Add CTRL-EVENT-SIGNAL-CHANGE for bgscan signal update events
This allows external programs to monitor driver signal change events
through wpa_supplicant when bgscan is used.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-13 10:26:52 +03:00
Felix Fietkau
83c4cb5217 nl80211: Handle multiple interface combinations for P2P
The first combination may allow single-channel concurrency for
P2P + managed, but there may be others that allow multi-channel
concurrency. Parse all of them to find the maximum number of channels.

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
2014-04-11 19:22:00 +03:00
Nirav Shah
0e0e1e564f P2P: Add retry mechanism for GO Negotiation Confirmation
wpa_supplicant now retries for P2P_GO_NEG_CNF_MAX_RETRY_COUNT times if
it doesn't receive acknowledgement for GO Negotiation Confirmation
frame. Currently, P2P_GO_NEG_CNF_MAX_RETRY_COUNT is set to 1.

While this is not strictly speaking following the P2P specification,
this can improve robustness of GO Negotiation in environments with
interference and also with peer devices that do not behave properly
(e.g., by not remaining awake on the negotiation channel through the
full GO Negotiation).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-04-11 11:57:05 +03:00
Abhishek Singh
9392c9be7a nl80211: Use LEAVE_IBSS with driver-based-SME
NL80211_CMD_LEAVE_IBSS was used only with wpa_supplicant-based SME.
Extend this to drivers that implement SME internally.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-04-10 19:51:51 +03:00
Jouni Malinen
bb52293e71 OpenSSL: Detect and prevent TLS heartbeat attack
Some OpenSSL versions have vulnerability in TLS heartbeat request
processing. Check the processed message to determine if the attack has
been used and if so, do not send the response to the peer. This does not
prevent the buffer read overflow within OpenSSL, but this prevents the
attacker from receiving the information.

This change is an additional layer of protection if some yet to be
identified paths were to expose this OpenSSL vulnerability. However, the
way OpenSSL is used for EAP-TLS/TTLS/PEAP/FAST in hostapd/wpa_supplicant
was already rejecting the messages before the response goes out and as
such, this additional change is unlikely to be needed to avoid the
issue.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-04-09 14:58:48 +03:00
Jouni Malinen
1aa6f953bb WNM: Fix neighbor report subelement parser
Only the Neighbor Report element should be included here, so verify that
the element id matches. In addition, verify that each subelement has
valid length before using the data.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-04-08 01:01:55 +03:00
Jouni Malinen
5583b8d1eb Document and rename HT Capability/Operation fields
This makes the definitions match the terminology used in IEEE Std
802.11-2012 and makes it easier to understand how the HT Operation
element subfields are used.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-04-07 22:45:11 +03:00
Jouni Malinen
1dde5b5cdd Remove PSMP option from ht_capab
This was used to fill in the "PSMP support" subfield that was defined
during P802.11n development. However, this subfield was marked reserved
in the published IEEE Std 802.11n-2009 and it is not supported by
current drivers that use hostapd for SME either. As such, there is not
much point in maintaining this field as ht_capab parameter within
hostapd either.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-04-07 22:02:14 +03:00
Amarnath Hullur Subramanyam
4a16a0bd55 nl80211: Add QCA vendor subcmd for NAN
QCA vendor extension is used for NAN functionality. This defines the
subcommand and attribute to address this.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-04-07 17:13:08 +03:00
Jouni Malinen
dc39004318 WPS: Remove unused WEP related functionality
Now that WPS 2.0 support is enabled unconditionally, WEP and Shared auth
type are not allowed. This made some of the older code unused and that
can now be removed to clean up the implementation. There is still one
place where WEP is allowed for testing purposes: wpa_supplicant as
Registrar trying to configure an AP to use WEP. That is now only allowed
in CONFIG_TESTING_OPTIONS=y builds, though.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-06 12:31:45 +03:00
Jouni Malinen
9437c2d0ea EAP-pwd peer: Fix fragmentation of PWD-Confirm-Resp
This is somewhat of a corner case since there is no real point in using
so short a fragmentation threshold that it would result in this message
getting fragmented. Anyway, it is better be complete and support this
case as well.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-06 00:51:00 +03:00
Jouni Malinen
48f668eecf EAP-pwd: Fix memory leak on error path with fragmentation
If fragmentation is used, the temporary inbuf/outbuf could have been
leaked in error cases (e.g., reaching maximum number of roundtrips).

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-06 00:34:30 +03:00
Jouni Malinen
9ff4de6de4 Move DROP_SA command to be within ifdef CONFIG_TESTING_OPTIONS
This is a test command and has no use in production builds.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-05 23:59:31 +03:00
Jouni Malinen
e1a273a61d Remove used KDE addition code from EAPOL-Key msg 4/4
EAPOL-Key msg 4/4 has no specified KDE use, so remove the unused code to
simplify the implementation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-05 23:30:16 +03:00
Jouni Malinen
76d3fb1eeb Remove unused wpa_sm_get_param() function
This function was not used anywhere and was not up-to-date with
full tet of parameters.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-05 20:42:12 +03:00
Jouni Malinen
ed429931a0 TDLS: Add test mode for MIC failure testing
"SET tdls_testing 0x800" can be used to enable a special test mode that
forces the FTIE MIC in TDLS setup messages to be incorrect.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-05 20:42:12 +03:00
Jouni Malinen
1619e9d512 Interworking: Add ctrl_iface events on cred block modifications
Following events are now sent to ctrl_iface monitors to indicate if
credential blocks have been added, modified, or removed:

CRED-ADDED <id>
CRED-MODIFIED <id> <field>
CRED-REMOVE <id>

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-04-04 19:10:47 +03:00
Jouni Malinen
21611ea9fd edit: Increase buffer size to 4096 bytes
wpa_supplicant and wpa_cli had already moved to allowing up to 4096 byte
buffer size to be used for control interface commands. This was limited
by the line edit buffer in interactive mode. Increase that limit to
match the other buffers to avoid artificially truncating long commands.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-31 12:30:50 +03:00
Jouni Malinen
1e03c6cb7d XML: Remove forgotten, unused definition of debug_print_func
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-31 12:25:13 +03:00
Jouni Malinen
8943cc998a RADIUS server: Add support for MAC ACL
"user" MACACL "password" style lines in the eap_user file can now be
used to configured user entries for RADIUS-based MAC ACL.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-29 19:31:56 +02:00
Jouni Malinen
dc87541e1e Clean up debug print for PSK file search
p2p_dev_addr was not NULL, so the all zeros case was printed as well.
Clean this up by printing p2p_dev_addr in debug prints only if it is a
real P2P Device Address.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-29 09:50:51 +02:00
Janusz Dziedzic
bbbacbf2f8 DFS: Print CAC info in ctrl_iface STATUS command
Print CAC time and CAC left time in control interface STATUS command.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2014-03-28 23:02:45 +02:00
Maxime Bizon
5c9da160a5 nl80211: Set all BSS interfaces down when tearing down AP in MBSS mode
If the interface was not added by hostapd, it could have been left up
when disabling the AP.

Signed-off-by: Maxime Bizon <mbizon@freebox.fr>
2014-03-27 16:45:25 +02:00
Avraham Stern
3ae8b7b7a2 hostapd: Add vendor command support
Add support of vendor command to hostapd ctrl_iface.
Vendor command's format:
VENDOR <vendor id> <sub command id> [<hex formatted data>]

The 3rd argument will be converted to binary data and then passed as
argument to the sub command.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2014-03-27 15:28:44 +02:00
Pawel Kulakowski
74a1319e50 Fix issue with incorrect secondary_channel in HT40/HT80
When primary and secondary channel were switched and config was
reloaded, secondary channel was incorrectly overwritten.

Proceed as for other settings that should not be changed and don't
allow to overwrite.

Signed-off-by: Pawel Kulakowski <pawel.kulakowski@tieto.com>
2014-03-27 15:22:39 +02:00
Sunil Dutt
96ecea5eb1 Pass TDLS peer capability information in tdls_mgmt
While framing the TDLS Setup Confirmation frame, the driver needs to
know if the TDLS peer is VHT/HT/WMM capable and thus shall construct the
VHT/HT operation / WMM parameter elements accordingly. Supplicant
determines if the TDLS peer is VHT/HT/WMM capable based on the presence
of the respective IEs in the received TDLS Setup Response frame.

The host driver should not need to parse the received TDLS Response
frame and thus, should be able to rely on the supplicant to indicate
the capability of the peer through additional flags while transmitting
the TDLS Setup Confirmation frame through tdls_mgmt operations.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-27 15:18:48 +02:00
Jouni Malinen
78cd7e69de Sync with wireless-testing.git include/uapi/linux/nl80211.h
This brings in nl80211 definitions as of 2014-03-25.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-27 14:50:39 +02:00
Maxime Bizon
b36935be1a nl80211: Fix EAPOL frames not being delivered
When hostapd choose to reuse an existing interface, it does not add it
to the set of interfaces from which we accept EAPOL packets.

Make sure we always add it to that set.

Signed-off-by: Maxime Bizon <mbizon@freebox.fr>
2014-03-26 16:37:42 +02:00
Jouni Malinen
6997f8baab nl80211: Set interface address even if using old interface
If an existing interface is allowed to be used, its address better be
updated to match the requested one.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-26 16:33:03 +02:00
Jouni Malinen
9b4d9c8bbc nl80211: Print if_indices list in debug log
This makes it easier to debug dynamic interface addition/removal.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-26 00:42:24 +02:00
Maxime Bizon
762c41ae99 eloop: Add assert() on negative fd when using select() code path
Signed-off-by: Maxime Bizon <mbizon@freebox.fr>
2014-03-26 00:17:07 +02:00
Jouni Malinen
163f801ef2 nl80211: Indicate HS 2.0 OSEN AKM in connect/associate command
This allows drivers that build the WPA/RSN IEs internally to use similar
design for building the OSEN IE.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-25 18:33:21 +02:00
Jouni Malinen
c201f93a9e WPS: Enable WSC 2.0 support unconditionally
There is not much point in building devices with WPS 1.0 only supported
nowadays. As such, there is not sufficient justification for maintaining
extra complexity for the CONFIG_WPS2 build option either. Remove this by
enabling WSC 2.0 support unconditionally.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-25 18:33:21 +02:00
Rashmi Ramanna
41d5ce9e0b P2P: Optimize scan for GO during persistent group invocation
Scan for GO on the negotiated operating channel for few iterations
before searching on all the supported channels during persistent group
reinvocation. In addition, use the already known SSID of the group in
the scans. These optimizations reduce group formation time.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-25 15:38:33 +02:00
Jouni Malinen
4d1e38be9e ACS: Fix number of error path issues
Especially when multiple BSSes are used with ACS, number of the error
paths were not cleaning up driver initialization properly. This could
result in using freed memory and crashing the process if ACS failed.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-25 13:12:29 +02:00
Jouni Malinen
692ec3058b FT: Add support for postponing FT response
If the PMK-R1 needs to be pulled for the R0KH, the previous
implementation ended up rejecting the over-the-air authentication and
over-the-DS action frame unnecessarily while waiting for the RRB
response. Improve this by postponing the Authentication/Action frame
response until the pull response is received.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-23 18:31:06 +02:00
Jouni Malinen
6ace13a9e5 P2P: Clean up channel selection code to use helper functions
This moves some of the p2p_prepare_channel_best() functionality into
separate helper functions to make the implementation easier to read.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-23 11:01:59 +02:00
Jouni Malinen
70c35233ae WPS: Comment out unused AP WEP config write with WPS 2.0
The main WPS code rejects WEP parameters, so this code is not used and
can be commented out from WPS 2.0 builds. This is similar to the earlier
commit that commented out in-memory update.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-22 23:31:39 +02:00
Arif Hussain
c3ba70f4d0 P2P: Update op_reg_class in random social channel case
Commit 94b84bc725 missed one path where
p2p->op_reg_class should have been updated. Set this to 81 during
operating channel selection from 2.4 GHz.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-22 22:44:53 +02:00
Amar Singhal
70634eec0c hostapd: Check driver DFS offload capability for channel disablement
If the driver supports full offloading of DFS operations, do not disable
a channel marked for radar detection. The driver will handle the needed
operations for such channels.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-22 21:31:15 +02:00
Amar Singhal
65d645ce43 nl80211: Fetch DFS offload capability from driver
This uses a QCA vendor extension to determine if the driver supports
fully offloaded DFS operations.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-22 21:20:32 +02:00
Jouni Malinen
a500f3102f WPS: Comment out unused AP WEP config update with WPS 2.0
The main WPS code rejects WEP parameters, so this code is not used and
can be commented out from WPS 2.0 builds.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-22 19:22:10 +02:00
Jouni Malinen
1d4fe3bcbc Remove unnecessary parameter validation
This is dead code since this helper function is always called with
non-NULL pointer.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-22 16:25:28 +02:00
Arif Hussain
94b84bc725 P2P: Avoid unsafe pre-configured channel as channel preference
Do not select pre-configured channel as operating channel preference if
it is unavailable maybe due to interference or possible known
co-existence constraints, and try to select random available channel.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-22 10:20:08 +02:00
Pawel Kulakowski
513dcec656 Don't overwrite channel on hostapd config reload
There was possibility that the current channel in Beacon information
element was incorrectly set. This problem was easily observed when
primary and secondary channel were switched and then some of hostapd
settings (for example password) were changed using WPS External
Registrar. This caused hostapd_reload_config() function overwrite the
current channel information from config file.

This patch prevents this situation and does not allow to overwrite
channel and some other settings when config is reloaded.

Signed-off-by: Pawel Kulakowski <pawel.kulakowski@tieto.com>
2014-03-21 23:30:57 +02:00
Jouni Malinen
20ff2642e1 WPS: Clear WPS data on init failure
It was possible for hapd->wps_beacon_ie and hapd->wps_probe_resp_ie to
be set if WPS initialization in hostapd failed after having set these
parameters (e.g., during UPnP configuration). In addition, many of the
other WPS configuration parameters that were allocated during the first
part of the initialization were not properly freed on error paths.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-21 13:23:23 +02:00
Jouni Malinen
f19e370e15 WPS: Do not advertise WPA/WPA2-Enterprise Auth Type Flags
While the device itself may support WPA/WPA2-Enterprise, enrollment of
credentials for EAP authentication is not supported through WPS. As
such, there is no need to claim support for these capabilities within
WPS information.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-20 15:13:48 +02:00
Jouni Malinen
1b5df9e591 nl80211: Do not indicate scan started event on scan_for_auth
The scan_for_auth workaround for cfg80211 missing a BSS entry for the
target BSS during authentication uses a single channel scan controlled
within driver_nl80211.c. This operation does not indicate
EVENT_SCAN_RESULTS to the upper layer code. However, it did report
EVENT_SCAN_STARTED and this resulted in the radio work protection code
assuming that an external program triggered a scan, but that scan never
completed. This resulted in all new radio work items getting stuck
waiting for this scan to complete.

Fix this by handling the scan_for_auth situation consistently within
driver_nl80211.c by filtering both the EVENT_SCAN_STARTED and
EVENT_SCAN_RESULTS.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-18 22:48:44 +02:00