Commit Graph

12186 Commits

Author SHA1 Message Date
Jouni Malinen
d3c43e5855 privsep: Fix scan result fetching with Beacon frame IEs
wpa_priv did not yet support Beacon frame IEs (res->beacon_ie_len) which
resulted in invalid scan data being accepted in driver_privsep.c. Add
support for res->beacon_ie_len and also fix the validation step to take
this new variable length field into account.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-03 18:02:49 +02:00
Jouni Malinen
0771e912ae wpa_priv: Document reduced functionality
wpa_priv has never really been fully up-to-date with the wpa_supplicant
driver interface extensions. This does not seem like something that
would change in the future either, so document this reduced
functionality as a potential drawback.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-03 17:49:37 +02:00
Jouni Malinen
6d97561dcd wpa_priv: Handler driver global_deinit() on termination path
This avoids a theoretical resource leak on exit path if wpa_priv is
killed while there is a wpa_supplicant process using it.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-03 17:46:08 +02:00
Jouni Malinen
ce0f899a3d wpa_priv: Explicitly clear padding in message structures
This avoids some valgrind warnings about use of uninitialized memory in
cases where a struct may have padding octets between the fields.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-03 17:46:08 +02:00
Jouni Malinen
e0641772a3 wpa_priv: Use fromlen instead sizeof(struct sockaddr_un)
This gets rid of some dependencies on how extra octets at the end of the
struct sockaddr_un get "uninitialized" consistently by only using the
exact length of the address data from the recvfrom() call. This resolves
number of valgrind warnings about use of uninitialized memory.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-03 17:28:18 +02:00
Jouni Malinen
128d3c69fc wpa_priv: Add support for multiple l2_packet connections
This is needed to be able to work with many wpa_supplicant use cases,
e.g., due to use of TDLS or RSN pre-authentication needing a separate
l2_packet socket.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-03 11:37:41 +02:00
Jouni Malinen
82fff2c711 tests: P2P provision discovery while GO/CLI
These test cases verify that there is no duplicate processing of P2P
Action frames while operating in a P2P group.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-03 10:58:39 +02:00
Jouni Malinen
c8fef7869d nl80211: Split nl80211_check_bss_status() into a separate function
This allows a single scan result to be checked at a time. This is a step
towards optimizing scan result fetching without having to allocate
memory for all entries at the same time.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-02 20:54:49 +02:00
Jouni Malinen
e35e137298 nl80211: Separate channel noise fetch from scan result processing
This untangles the NL80211_CMD_GET_SURVEY handler loop from
NL80211_CMD_GET_SCAN processing so that the per-channel noise
information can be fetched with a common function to a local data
structure that can then be easily used to update individual scan results
(a single BSS) instead of having to go through a full set of scan
results. This is a step towards optimizing scan result fetching without
having to allocate memory for all entries at the same time.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-02 20:48:43 +02:00
Jouni Malinen
f0b6d1edfb tests: WDS 4addr behavior on reassociation and with open and WEP
This extends the ap_wds_sta test case to cover post-reassociation case
(both with and without Authentication frame exchange) and add similar
test cases to cover open and WEP cases in addition to this existing
WPA2-PSK test case.

These cover functionality testing for the previous fix in
reassociation-without-new-authentication case. In addition, these find a
new mac80211 issue for the WEP + 4addr combination.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-02 12:53:07 +02:00
Jouni Malinen
cb2b666670 Fix 4addr reassociation-without-deauthentication on AP
Data connection was lost if a station reassociated without the STA entry
being cleaned up on the AP side. Fix this by moving reconfiguration of
the STA WDS parameters in association response callback to happen only
after the STA flags have been updated to associated stated.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-02 12:51:16 +02:00
Jouni Malinen
8c0ed37b64 wired: Mark some common helper functions static
These are used only within driver_wired_common.c now at the end of the
refactoring changes, so there is no need to make these helper functions
available outside driver_wired_common.c.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-11-30 20:08:39 +02:00
Sabrina Dubroca
ba5ea11687 mka: Remove references to macsec_qca from wpa_supplicant.conf
Make the documentation generic, as this is no longer the only macsec
driver.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
2016-11-30 20:08:39 +02:00
Sabrina Dubroca
f014d9dbf0 macsec_linux: Add a driver for macsec on Linux kernels
This uses libnl3 to communicate with the macsec module available on
Linux. A recent enough version of libnl is needed for the macsec.h file
(which is not yet available in a formal libnl release at the time of
this commit).

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
2016-11-30 20:08:36 +02:00
Sabrina Dubroca
8618313b6e drivers: Move driver_wired_get_ssid() to a common file
This continues refactoring of the common parts of wired drivers code
into a shared file, so that they can be reused by other drivers.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
2016-11-30 19:33:43 +02:00
Sabrina Dubroca
d27c42baea drivers: Move driver_wired_get_bssid() to a common file
This continues refactoring of the common parts of wired drivers code
into a shared file, so that they can be reused by other drivers.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
2016-11-30 19:33:43 +02:00
Sabrina Dubroca
9281e5c5ce drivers: Move driver_wired_get_capa() to a common file
This continues refactoring of the common parts of wired drivers code
into a shared file, so that they can be reused by other drivers.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
2016-11-30 19:33:43 +02:00
Sabrina Dubroca
ec9cfb96c2 drivers: Move driver_wired_deinit_common() to a common file
This continues refactoring of the common parts of wired drivers code
into a shared file, so that they can be reused by other drivers.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
2016-11-30 19:33:43 +02:00
Sabrina Dubroca
ed5ae61193 drivers: Move driver_wired_init_common() to a common file
This continues refactoring of the common parts of wired drivers code
into a shared file, so that they can be reused by other drivers.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
2016-11-30 19:33:43 +02:00
Sabrina Dubroca
5a55ec38ed drivers: Move driver_wired_get_ifstatus() to a common file
This continues refactoring of the common parts of wired drivers code
into a shared file, so that they can be reused by other drivers.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
2016-11-30 19:33:43 +02:00
Sabrina Dubroca
d718a5d975 drivers: Move driver_wired_set_ifflags() to a common file
This continues refactoring of the common parts of wired drivers code
into a shared file, so that they can be reused by other drivers.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
2016-11-30 19:33:43 +02:00
Sabrina Dubroca
567b7d4ec2 drivers: Move driver_wired_get_ifflags() to a common file
This continues refactoring of the common parts of wired drivers code
into a shared file, so that they can be reused by other drivers.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
2016-11-30 19:33:43 +02:00
Sabrina Dubroca
693124a1e4 drivers: Move driver_wired_multi() to a common file
This continues refactoring of the common parts of wired drivers code
into a shared file, so that they can be reused by other drivers.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
2016-11-30 19:33:43 +02:00
Sabrina Dubroca
b0906ef770 drivers: Move wired_multicast_membership() to a common file
This continues refactoring of the common parts of wired drivers code
into a shared file, so that they can be reused by other drivers.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
2016-11-30 19:33:43 +02:00
Sabrina Dubroca
0abc8d10cc drivers: Move common definitions for wired drivers out
Refactor the common parts of wired drivers code into a shared file, so
that they can be reused by other drivers. The macsec_qca driver already
contains a lot of code duplication from the wired driver, and the
macsec_linux driver would do the same. A structure to hold data common
to all wired drivers is added and used in all these drivers.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
2016-11-30 19:33:43 +02:00
Sunil Dutt
bf88401d23 Add support to abort vendor scan
This commit enhances the existing implementation of abort scan to also
abort concurrent active vendor scans. This is achieved by passing the
the scan_cookie to the driver interface with the intention to abort
the specific scan request. This scan_cookie is returned from the driver
interface when the scan request is scheduled.

This scan_cookie is 0 if the scan is triggered through the upstream
cfg80211 interface. Thus, the scan_cookie is used to determine whether
to abort the cfg80211 or vendor scan request.

Also, the previous implementation of relying on scan_work/p2p_scan_work
for the active work to trigger the abort scan is enhanced to check for
the started state of either of these work operations. This should also
help to abort the concurrent active scan/p2p-scan operations.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-11-30 19:33:43 +02:00
Sunil Dutt
eeb34a432e nl80211: Enhance abort scan to also abort the vendor scan
This commit enhances the abort scan implementation to also abort the
vendor scan, if one was used to trigger the scan.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-11-30 19:33:39 +02:00
Sunil Dutt
1a793f5c2b Define a QCA vendor command to abort vendor scan
The new QCA_NL80211_VENDOR_SUBCMD_ABORT_SCAN command can be used to
abort an ongoing scan that was started with
QCA_NL80211_VENDOR_SUBCMD_TRIGGER_SCAN.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-11-30 17:11:01 +02:00
Jouni Malinen
86f938ddea tests: PMF and Authentication frame injection
Verify that AP does not break PMF-enabled connection due to injected
Authentication frame. This is a regression test for
NL80211_FEATURE_FULL_AP_CLIENT_STATE changes resulting in dropping the
key in such a case.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-11-29 16:26:00 +02:00
Jouni Malinen
47d74bf010 Add MGMT_RX_PROCESS test command for hostapd
This makes it easier to write hwsim test cases to verify management
frame processing sequences with dropped or modified frames. When
ext_mgmt_frame_handling is used, this new command can be used to request
hostapd to process a received a management frame, e.g., based on
information reported in the MGMT-RX events.

This is more or less identical to the earlier wpa_supplicant commit
4de70e2330 ('Add MGMT_RX_PROCESS test
command for wpa_supplicant'), but for hostapd.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-11-29 16:26:00 +02:00
Jouni Malinen
2ab09656ae AP: Do not drop STA entry if PMF is used with full AP client state
This fixes a regression from commit
bb598c3bdd ('AP: Add support for full
station state'). That commit added code to remove and re-add the kernel
STA entry when processing Authentication frames with a driver that
advertises support for full AP client state. That resulted in bypassing
PMF protections for unprotected Authentication frames with such drivers
since the TK was lost in this operation.

It is simplest to skip the STA entry clearing in this type of case
completely to leave the TK in place and to process the new
authentication exchange otherwise normally. This matches the behavior
used with the drivers that do not implement full AP client state.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-11-29 16:26:00 +02:00
Jouni Malinen
c85fcff2b1 tests: WPA2-PSK-FT AP with WPA2-PSK enabled and unexpected MDE
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-11-26 11:39:44 +02:00
Will Glynn
209dad066e FT: Explicitly check for MDE not present in non-FT association
IEEE Std 802.11-2012, 12.4.2 states that if an MDE is present in an
(Re)Association Request frame but the RSNE uses a non-FT AKM suite, the
AP shall reject the association using status code 43 ("Invalid AKMP").

wpa_validate_wpa_ie() now explicitly checks for this condition to meet
this requirement instead of simply ignoring the MDE based on non-FT AKM.

Signed-off-by: Will Glynn <will@willglynn.com>
2016-11-26 11:39:44 +02:00
Jouni Malinen
bacbb62294 tests: Beacon frame TX rate configuration
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-11-26 00:36:50 +02:00
Purushottam Kushwaha
d4f3003c56 nl80211: Configure Beacon frame TX rate if driver advertises support
If the driver advertises support for setting Beacon frame data rate,
allow the user to configure this rate as part of starting the AP. Only
one Beacon frame TX rate is allowed.

Drivers advertising such support should set corresponding flag via the
NL80211_ATTR_EXT_FEATURES attribute.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-11-26 00:36:27 +02:00
Purushottam Kushwaha
29483a5678 Add support for user configurable Beacon frame data rate for AP mode
Allow configuration of Beacon frame TX rate from hostapd.conf with
"beacon_rate=xx" option. The following format is used to set
legacy/HT/VHT beacon rates:

Legacy (CCK/OFDM rates):
	beacon_rate=<legacy rate in 100 kbps>
HT:
	beacon_rate=ht:<HT MCS>
VHT:
	beacon_rate=vht:<VHT MCS>

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-11-25 23:12:30 +02:00
Jouni Malinen
dff690b859 tests: Random MAC address in scans while connected
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-11-25 22:52:39 +02:00
Srinivas Dasari
346b333d9a Use random MAC address for scanning only in non-connected state
cfg80211 rejects the scans issued with random MAC address if the STA is
in connected state. This resulted in failures when using MAC_RAND_SCAN
while connected (CTRL-EVENT-SCAN-FAILED ret=-95). Enable random MAC
address functionality only if the STA is not in connected state to avoid
this. The real MAC address of the STA is already revealed in the
association, so this is an acceptable fallback mechanism for now.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-11-25 22:52:39 +02:00
Jouni Malinen
afe280539b tests: D-Bus P2P and IP address parameters
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-11-21 14:45:13 +02:00
Nishant Chaprana
18f1611797 D-Bus: Send P2P IP address assignment info with GroupStarted event
This commit adds IP address information into GroupStarted event on the
P2P client side like it is sent over the control interface.

Signed-off-by: Nishant Chaprana <n.chaprana@samsung.com>
2016-11-21 14:45:13 +02:00
Nishant Chaprana
046fa6fd11 D-Bus: Add getter and setter for P2P IP address config parameters
This patch adds setter and getter for P2P IP address config parameters:
1. ip_addr_go
2. ip_addr_mask
3. ip_addr_start
4. ip_addr_end

Signed-off-by: Nishant Chaprana <n.chaprana@samsung.com>
2016-11-20 12:41:39 +02:00
Jouni Malinen
d503eeead1 FT: Complete CONFIG_IEEE80211R_AP renaming for hostapd
Commit 4ec1fd8e42 ('FT: Differentiate
between FT for station and for AP in build') renamed all
CONFIG_IEEE80211R instances within src/ap/* to CONFIG_IEEE80211R_AP, but
it did not change hostapd/* files to match. While this does not cause
much harm for normal use cases, this broke some test builds where
wpa_supplicant build is used to build in hostapd/*.c files for analysis.
Fix this by completing CONFIG_IEEE80211R_AP renaming.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-11-20 00:35:35 +02:00
Sabrina Dubroca
e0d9fd344d wpa_supplicant: Allow configuring the MACsec port for MKA
Previously, wpa_supplicant only supported hardcoded port == 1 in the
SCI, but users may want to choose a different port.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
2016-11-20 00:35:31 +02:00
Sabrina Dubroca
1d3d0666a6 mka: Add enable_encrypt op and call it from CP state machine
This allows MKA to turn encryption on/off down to the driver.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
2016-11-20 00:35:23 +02:00
Sabrina Dubroca
7b4d546e3d wpa_supplicant: Add macsec_integ_only setting for MKA
So that the user can turn encryption on (MACsec provides
confidentiality+integrity) or off (MACsec provides integrity only). This
commit adds the configuration parameter while the actual behavior change
to disable encryption in the driver is handled in the following commit.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
2016-11-20 00:35:16 +02:00
Sabrina Dubroca
008e224dbb mka: Disable peer detection timeout for PSK mode
The first peer may take a long time to come up. In PSK mode we are
basically in a p2p system, and we cannot know when a peer will join the
key exchange. Wait indefinitely, and let the administrator decide if
they want to abort.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
2016-11-20 00:35:11 +02:00
Sabrina Dubroca
ad51731abf wpa_supplicant: Allow pre-shared (CAK,CKN) pair for MKA
This enables configuring key_mgmt=NONE + mka_ckn + mka_cak.
This allows wpa_supplicant to work in a peer-to-peer mode, where peers
are authenticated by the pre-shared (CAK,CKN) pair. In this mode, peers
can act as key server to distribute keys for the MACsec instances.

This is what some MACsec switches support, and even without HW
support, it's a convenient way to setup a network.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
2016-11-20 00:35:08 +02:00
Jouni Malinen
5acbf22bb0 Fix hostapd usage entry style for -T
Remove the extra equals sign from the line since hostapd usage text does
not have it for other entries either (while wpa_supplicant does and this
was likely copy-pasted from there).

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-11-19 22:20:14 +02:00
Sergei Sinyak
611d67a16e Add doxygen ref to eap_method structure
doc/eap.doxygen was mentioning eap_method structure, but there was no
reference as in doc/eap_server.doxygen on a similar paragraph

Signed-off-by: Sergei Sinyak <serega.belarus@gmail.com>
2016-11-19 17:46:19 +02:00
Kenny Root
88f93c30ec Android: Remove BoringSSL guard
BoringSSL is the only supported version of SSL, so remove this guard so
we can continue to compile when the flavor.mk is removed.

Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
2016-11-19 17:43:03 +02:00