Commit Graph

4913 Commits

Author SHA1 Message Date
Avraham Stern
d8a3b66d7f driver: Make setting up AP optional when creating AP interface
When an AP interface it created, it is also setup and subscribes
for management frames etc. However, when the interface is added by
wpa_supplicant, setting up for AP operations is redundant because
it will be done by wpa_supplicant on wpa_drv_init() when setting
the interface mode to AP.

In addition, it may cause wpa_supplicant to fail initializing the
interface as it will try to subscribe for management frames on this
interface but the interface is already registered.

Change this, so when adding an AP interface, make setting up the AP
optional, and use it only when the interface is added by hostapd but not
when it is added by wpa_supplicant.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2015-11-22 17:42:59 +02:00
Marek Behún
36e820605f Check for LIBRESSL_VERSION_NUMBER in tls_openssl.c
LibreSSL does not yet support the new API, so do not use it
when LIBRESSL_VERSION_NUMBER macro is defined.

Signed-off-by: Marek Behun <kabel@blackhole.sk>
2015-11-22 12:00:53 +02:00
Alexander Bondar
6bdc43c4db AP: Avoid 20/40 MHz co-ex scan if PRI/SEC switch is not allowed
When an AP is started on the 5.2 GHz band with 40 MHz bandwidth, a
scan is issued in order to handle 20/40 MHz coexistence. However,
the scan is issued even if iface->conf->no_pri_sec_switch is set,
which is redundant.

Fix this by checking iface->conf->no_pri_sec_switch before starting
the scan.

Signed-off-by: Alexander Bondar <alexander.bondar@intel.com>
2015-11-21 18:42:53 +02:00
Ayala Beker
757785dab2 nl80211: Clear ignore_next_local_deauth flag
The de-authentication flow in wpa_driver_nl80211_deauthenticate() can
result in a locally generated de-authentication event. To avoid getting
this extra event ignore_next_local_deauth flag is set, and should be
cleared when the next local deauth event is received. However, it is not
cleared when the event shows up after the wpa_supplicant has started a
connection with a new AP, and as a result it might ignore future
deauth event from the driver.

Fix this by clearing the flag if the event is locally generated.

Signed-off-by: Ayala Beker <ayala.beker@intel.com>
2015-11-21 18:00:33 +02:00
Sara Sharon
cb2a926df8 nl80211: Clear ignore_next_local_deauth and ignore_deauth_event
The authentication flow in wpa_driver_nl80211_authenticate() can
result  in a locally generated de-authentication, in which both
next_local_deauth and ignore_next_local_deauth are set.

However, in mlme_event_deauth_disassoc(), when ignore_deauth_event is
set, the flag is cleared, but the flow immediately returns leaving
ignore_next_local_deauth set, which can result in ignoring future deauth
event from the driver, leaving the wpa_supplicant in an inconsistent
state.

Fix this by clearing both flags in case that next_local_deauth is set.

Signed-off-by: Sara Sharon <sara.sharon@intel.com>
2015-11-21 18:00:33 +02:00
Ravi Joshi
f32227ed9e Add QCA vendor attribute and event to indicate subnet change status
This allows offloaded roaming to inform user space of the change in IP
subnet post roaming. The device may have roamed to a network which is in
a different subnet which will result in IP connectivity loss. Indicating
the change in subnet enables the user space to refresh the IP address or
to perform IP subnet validation if unknown status is indicated.

The driver indication is reported with a new event from wpa_supplicant
in the following format:
CTRL-EVENT-SUBNET-STATUS-UPDATE status=<0/1/2>
where
0 = unknown
1 = IP subnet unchanged (can continue to use the old IP address)
2 = IP subnet changed (need to get a new IP address)

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-11-20 11:03:06 +02:00
Jouni Malinen
25eb7fcbb4 Fix EAPOL reauth after FT protocol or offloaded PMKSA cache use
The EAP peer state machine moved from IDLE to FAILURE state when the
EAPOL Authenticator triggered reauthentication with an
EAP-Request/Identity in a case where the associated started with FT
protocol or offloaded PMKSA cache use (4-way handshake using a
previously acquired PMK). This happened due to the altSuccess=TRUE
setting being left behind and not cleared when processing the restart of
authentication. Fix this by clearing altAccept and eapSuccess when going
through SUPP_PAE RESTART state.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-11-19 21:16:18 +02:00
Jouni Malinen
f68d491b0a FT auth: Fix EAPOL reauthentication after FT protocol run
The EAPOL AUTH_PAE state machine was left in incomplete state at the
completion of FT protocol. Set portValid = TRUE to allow the state
machine to proceed from AUTHENTICATING to AUTHENTICATED state, so that a
new EAPOL reauthentication can be triggered.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-11-19 21:16:06 +02:00
Peng Xu
9a8d9f7c62 Assign QCA vendor command and attribute for Tx power reduction in dB
Assign nl80211 vendor command
QCA_NL80211_VENDOR_SUBCMD_SET_TXPOWER_DECR_DB and corresponding
attributes.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-11-19 11:34:31 +02:00
Jouni Malinen
747ba1067d nl80211: Do not return incomplete hw capability info
If a memory allocation fails while parsing driver capabilities, drop all
mode/channel/rate information instead of returning possibly partial
information.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-11-17 19:50:34 +02:00
Anton Nayshtut
0603bcb7fe hostapd: Process MAC ACLs on a station association event (SME in driver)
Now hostapd will use station MAC-based permissions according to the
macaddr_acl policy also for drivers which use AP SME offload, but do not
support NL80211_CMD_SET_MAC_ACL for offloading MAC ACL processing. It
should be noted that in this type of case the association goes through
and the station gets disconnected immediately after that.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-11-17 12:38:32 +02:00
Amarnath Hullur Subramanyam
89a11ad38f RSN: Remove check for proactive_key_caching while setting PMK offload
wpa_sm_key_mgmt_set_pmk() was checking for proactive_key_caching to be
enabled before setting the PMK to the driver. This check is not required
and would mandate configuration setting of okc or proactive_key_caching
for cases which were not necessary.

Signed-off-by: Amarnath Hullur Subramanyam <amarnath@qca.qualcomm.com>
2015-11-16 19:05:01 +02:00
Ravi Joshi
d381963385 Extend QCA roam event with subnet change indication
The new attribute can be used with
QCA_NL80211_VENDOR_SUBCMD_KEY_MGMT_ROAM_AUTH to indicate whether the IP
subnet was detected to have changed when processing offloaded roam/key
management.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-11-16 19:00:35 +02:00
Ben Greear
68ac584a49 nl80211: Add debug message for passive scanning
This is more obvious than looking for the lack of 'Scan SSID' messages.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2015-11-15 19:20:35 +02:00
Purushottam Kushwaha
a3dff7dc0c P2P: Fix a typo in debug message
Signed-off-by: Dilshad Ahmad <dilshad.a@samsung.com>
2015-11-15 18:55:23 +02:00
Jouni Malinen
95577884ca EAP-pwd peer: Fix error path for unexpected Confirm message
If the Confirm message is received from the server before the Identity
exchange has been completed, the group has not yet been determined and
data->grp is NULL. The error path in eap_pwd_perform_confirm_exchange()
did not take this corner case into account and could end up
dereferencing a NULL pointer and terminating the process if invalid
message sequence is received. (CVE-2015-5316)

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-10 18:40:54 +02:00
Jouni Malinen
bef802ece0 EAP-pwd server: Fix last fragment length validation
All but the last fragment had their length checked against the remaining
room in the reassembly buffer. This allowed a suitably constructed last
fragment frame to try to add extra data that would go beyond the buffer.
The length validation code in wpabuf_put_data() prevents an actual
buffer write overflow from occurring, but this results in process
termination. (CVE-2015-5314)

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-10 18:40:54 +02:00
Jouni Malinen
8057821706 EAP-pwd peer: Fix last fragment length validation
All but the last fragment had their length checked against the remaining
room in the reassembly buffer. This allowed a suitably constructed last
fragment frame to try to add extra data that would go beyond the buffer.
The length validation code in wpabuf_put_data() prevents an actual
buffer write overflow from occurring, but this results in process
termination. (CVE-2015-5315)

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-10 18:40:54 +02:00
Somdas Bandyopadhyay
fcdb35928c Use "STATUS-NO_EVENTS" instead of "STATUS" in get_wpa_status function
Using "STATUS" command triggers CTRL-EVENT-STATE-CHANGE and
CTRL-EVENT-CONNECTED (if connected to some AP) events. These events
cause problems in Android WifiStateMachine in Marshmallow. Due to these
events WifiStateMachine sometimes disconnects the OSU SSID connection,
while hs20-osu-client waits for IP address.

Signed-off-by: Somdas Bandyopadhyay <somdas.bandyopadhyay@intel.com>
2015-11-01 21:05:10 +02:00
Max Stepanov
73ed03f333 wpa_supplicant: Add GTK RSC relaxation workaround
Some APs may send RSC octets in EAPOL-Key message 3 of 4-Way Handshake
or in EAPOL-Key message 1 of Group Key Handshake in the opposite byte
order (or by some other corrupted way). Thus, after a successful
EAPOL-Key exchange the TSC values of received multicast packets, such as
DHCP, don't match the RSC one and as a result these packets are dropped
on replay attack TSC verification. An example of such AP is Sapido
RB-1732.

Work around this by setting RSC octets to 0 on GTK installation if the
AP RSC value is identified as a potentially having the byte order issue.
This may open a short window during which older (but valid)
group-addressed frames could be replayed. However, the local receive
counter will be updated on the first received group-addressed frame and
the workaround is enabled only if the common invalid cases are detected,
so this workaround is acceptable as not decreasing security
significantly. The wpa_rsc_relaxation global configuration property
allows the GTK RSC workaround to be disabled if it's not needed.

Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
2015-11-01 21:00:22 +02:00
Jouni Malinen
d129b02247 EAP-pwd: Add support for Brainpool Elliptic Curves
This allows the IKE groups 27-30 (RFC 6932) to be used with OpenSSL
1.0.2 and newer.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-01 11:29:06 +02:00
Jouni Malinen
17b7032891 EAP peer: Clear ignore flag in INITIALIZE state
While this is not part of RFC 4137, the way m.check(eapReqData) is
implemented in wpa_supplicant allows an EAP method to not update the
ignore value even though each such call is really supposed to get a new
response. It seems to be possible to hit a sequence where a previous EAP
authentication attempt terminates with sm->ignore set from the last
m.check() call and the following EAP authentication attempt could fail
to go through the expected code path if it does not clear the ignore
flag. This is likely only hit in some error cases, though. The hwsim
test cases could trigger this with the following sequence:
eap_proto_ikev2 ap_wps_m1_oom

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-31 21:56:59 +02:00
Jouni Malinen
2e38079531 TLS: Fix memory leak with multiple TLS server instances
When using CONFIG_TLS=internal and starting hostapd with multiple
configuration files that each initialize TLS server, the server
certificate and related data was not freed for all the interfaces on
exit path. Fix this by freeing the credential data that is stored
separately for each call to tls_init().

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-31 18:15:22 +02:00
Frederic Leroy
7b0f5500b0 eap_sim_db: Implement eap_sim_db_expire_pending()
Expire pending DB request for EAP-SIM/AKA/AKA'. Timeout defaults to 1
second and is user configurable in hostapd.conf (eap_sim_db_timeout).

Signed-off-by: Frederic Leroy <frederic.leroy@b-com.com>
2015-10-31 16:28:16 +02:00
Jouni Malinen
45c3e72952 Add frequency to operating class determination for 5 GHz 100..140
This extends ieee80211_freq_to_channel_ext() with knowledge of the
operating classes for the 5 GHz channels 100..140.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-10-30 11:45:50 +02:00
Avichal Agarwal
c93b7e1888 RSN: Check result of EAPOL-Key frame send request
Provide information on whether EAPOL-Key frame was sent successfully to
kernel for transmittion. wpa_eapol_key_send() will return
>= 0 on success and < 0 on failure. After receiving EAPOL-Key msg 3/4,
wpa_supplicant sends EAPOL-Key msg 4/4 and shows CTRL-EVENT-CONNECTED
only after verifying that the msg 4/4 was sent to kernel for
transmission successfully.

Signed-off-by: Avichal Agarwal <avichal.a@samsung.com>
Signed-off-by: Kyeong-Chae Lim <kcya.lim@samsung.com>
2015-10-28 22:42:16 +02:00
Srinivasa Duvvuri
053693d266 hostapd: Add feature to start all interfaces at the same time in sync
When multiple interfaces across mutiple radios are started using a
single instance of hostapd, they all come up at different times
depending upon how long the ACS and HT scan take on each radio. This
will result in stations (that already have the AP profile) associating
with the first interfaces that comes up. For example in a dual band
radio case (2G and 5G) with ACS enabled, 2G always comes up first
because the ACS scan takes less time on 2G and this results in all
stations associating with the 2G interface first.

This feature brings up all the interfaces at the same time. The list of
interfaces specified via hostapd.conf files on the command line are all
marked as sync interfaces. All the interfaces are synchronized in
hostapd_setup_interface_complete().

This feature is turned on with '-S' commmand line option.

Signed-off-by: Srinivasa Duvvuri <sduvvuri@chromium.org>
2015-10-28 19:47:17 +02:00
Jouni Malinen
9578413455 Reserve QCA vendor specific nl80211 commands 110..114
These are reserved for QCA use.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-10-27 00:10:29 +02:00
Peng Xu
5d4c508969 Assign QCA commands and attributes for Tx power scaling and OTA testing
Assign nl80211vendor commands QCA_NL80211_VENDOR_SUBCMD_OTA_TEST and
QCA_NL80211_VENDOR_SUBCMD_SET_TXPOWER_SCALE as well as corresponding
attributes.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-10-27 00:07:15 +02:00
Hu Wang
5d1d69a10f P2P: Filter control chars in group client device name similarly to peer
P2P device discovery can add peer entries based on a message directly
from a peer and from a Probe Response frame from a GO for all the P2P
Clients in the group. The former case for filtering out control
characters from the device name while the latter was not. Make this
consistent and filter both cases in the same way to avoid confusing
external programs using the device name of a P2P peer.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-10-26 23:43:45 +02:00
Sunil Dutt
f67d1a0099 TDLS: Do not send error case of TPK M3 if TX fails
There is no point in sending TPK M3 (TDLS Setup Confirm) with a failure
status if the first transmission attempt fails. Instead, just return a
failure by disabling the link rather than retransmitting the TPK M3
frame with an error status.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-10-26 22:54:39 +02:00
Jouni Malinen
8f3ea3175f tests: Fix build without CONFIG_ERP=y
hmac_sha256_kdf() got pulled in only if CONFIG_ERP=y is set. Fix
test_sha256() by making the test case conditional on the function being
present.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-26 00:42:14 +02:00
Jouni Malinen
d8fd633ebb Do not write ERROR level log entries if debug file is not used
wpa_debug_reopen_file() used to write an error message at MSG_ERROR
level if it was called with last_path == NULL (the last debug log file
path not known). This is not a fatal error, but a normal case if
wpa_debug_open_file() has not been used. Remove the error message and
return success in such case.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-25 20:45:02 +02:00
Mohammed Shafi Shajakhan
67deaa582d l2_packet: Add build option to disable Linux packet socket workaround
Linux packet socket workaround(*) has an impact in performance when the
workaround socket needs to be kept open to receive EAPOL frames. While
this is normally avoided with a kernel that has the issue addressed by
closing the workaround packet socket when detecting a frame through the
main socket, it is possible for that mechanism to not be sufficient,
e.g., when an open network connection (no EAPOL frames) is used.

Add a build option (CONFIG_NO_LINUX_PACKET_SOCKET_WAR=y) to disable the
workaround. This build option is disabled by default and can be enabled
explicitly on distributions which have an older kernel or a fix for the
kernel regression.

Also remove the unused variable num_rx.

(*) Linux kernel commit 576eb62598f10c8c7fd75703fe89010cdcfff596
('bridge: respect RFC2863 operational state') from 2012 introduced a
regression for using wpa_supplicant with EAPOL frames and a station
interface in a bridge.

Signed-off-by: Mohammed Shafi Shajakhan <mohammed@qti.qualcomm.com>
2015-10-25 19:56:53 +02:00
Jouni Malinen
ceb19ff7a6 privsep: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-25 19:37:16 +02:00
Jouni Malinen
45a283e6d0 wext: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-25 19:37:16 +02:00
Jouni Malinen
336869f05a nl80211: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-25 15:35:00 +02:00
Jouni Malinen
78c8ee488f ndis: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-25 15:35:00 +02:00
Jouni Malinen
d717126aa2 hostap: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-25 15:35:00 +02:00
Jouni Malinen
d034f498ce atheros: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-25 15:35:00 +02:00
Jouni Malinen
40762fcede PCSC: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-25 15:35:00 +02:00
Jouni Malinen
80c620dbd7 SAE: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-25 15:34:59 +02:00
Jouni Malinen
f88bcad015 GAS server: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-25 15:34:59 +02:00
Jouni Malinen
1e72ba2e61 RSN auth: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-25 15:34:59 +02:00
Jouni Malinen
a5a2f252cb AP: Avoid undefined behavior in pointer arithmetic in IE parsing
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-25 15:34:59 +02:00
Jouni Malinen
de7fe64df5 RADIUS: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-25 15:34:59 +02:00
Jouni Malinen
d2eb91e08f TLS: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-25 15:34:59 +02:00
Jouni Malinen
2461724c05 RSN: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-25 15:34:59 +02:00
Jouni Malinen
3991cb7b3c EAP-IKEv2 peer: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-24 21:43:54 +03:00
Jouni Malinen
0421d47e34 EAP-IKEv2 server: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-24 21:43:54 +03:00