Commit Graph

3510 Commits

Author SHA1 Message Date
Jouni Malinen
bb52293e71 OpenSSL: Detect and prevent TLS heartbeat attack
Some OpenSSL versions have vulnerability in TLS heartbeat request
processing. Check the processed message to determine if the attack has
been used and if so, do not send the response to the peer. This does not
prevent the buffer read overflow within OpenSSL, but this prevents the
attacker from receiving the information.

This change is an additional layer of protection if some yet to be
identified paths were to expose this OpenSSL vulnerability. However, the
way OpenSSL is used for EAP-TLS/TTLS/PEAP/FAST in hostapd/wpa_supplicant
was already rejecting the messages before the response goes out and as
such, this additional change is unlikely to be needed to avoid the
issue.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-04-09 14:58:48 +03:00
Jouni Malinen
1aa6f953bb WNM: Fix neighbor report subelement parser
Only the Neighbor Report element should be included here, so verify that
the element id matches. In addition, verify that each subelement has
valid length before using the data.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-04-08 01:01:55 +03:00
Jouni Malinen
5583b8d1eb Document and rename HT Capability/Operation fields
This makes the definitions match the terminology used in IEEE Std
802.11-2012 and makes it easier to understand how the HT Operation
element subfields are used.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-04-07 22:45:11 +03:00
Jouni Malinen
1dde5b5cdd Remove PSMP option from ht_capab
This was used to fill in the "PSMP support" subfield that was defined
during P802.11n development. However, this subfield was marked reserved
in the published IEEE Std 802.11n-2009 and it is not supported by
current drivers that use hostapd for SME either. As such, there is not
much point in maintaining this field as ht_capab parameter within
hostapd either.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-04-07 22:02:14 +03:00
Amarnath Hullur Subramanyam
4a16a0bd55 nl80211: Add QCA vendor subcmd for NAN
QCA vendor extension is used for NAN functionality. This defines the
subcommand and attribute to address this.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-04-07 17:13:08 +03:00
Jouni Malinen
dc39004318 WPS: Remove unused WEP related functionality
Now that WPS 2.0 support is enabled unconditionally, WEP and Shared auth
type are not allowed. This made some of the older code unused and that
can now be removed to clean up the implementation. There is still one
place where WEP is allowed for testing purposes: wpa_supplicant as
Registrar trying to configure an AP to use WEP. That is now only allowed
in CONFIG_TESTING_OPTIONS=y builds, though.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-06 12:31:45 +03:00
Jouni Malinen
9437c2d0ea EAP-pwd peer: Fix fragmentation of PWD-Confirm-Resp
This is somewhat of a corner case since there is no real point in using
so short a fragmentation threshold that it would result in this message
getting fragmented. Anyway, it is better be complete and support this
case as well.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-06 00:51:00 +03:00
Jouni Malinen
48f668eecf EAP-pwd: Fix memory leak on error path with fragmentation
If fragmentation is used, the temporary inbuf/outbuf could have been
leaked in error cases (e.g., reaching maximum number of roundtrips).

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-06 00:34:30 +03:00
Jouni Malinen
9ff4de6de4 Move DROP_SA command to be within ifdef CONFIG_TESTING_OPTIONS
This is a test command and has no use in production builds.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-05 23:59:31 +03:00
Jouni Malinen
e1a273a61d Remove used KDE addition code from EAPOL-Key msg 4/4
EAPOL-Key msg 4/4 has no specified KDE use, so remove the unused code to
simplify the implementation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-05 23:30:16 +03:00
Jouni Malinen
76d3fb1eeb Remove unused wpa_sm_get_param() function
This function was not used anywhere and was not up-to-date with
full tet of parameters.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-05 20:42:12 +03:00
Jouni Malinen
ed429931a0 TDLS: Add test mode for MIC failure testing
"SET tdls_testing 0x800" can be used to enable a special test mode that
forces the FTIE MIC in TDLS setup messages to be incorrect.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-05 20:42:12 +03:00
Jouni Malinen
1619e9d512 Interworking: Add ctrl_iface events on cred block modifications
Following events are now sent to ctrl_iface monitors to indicate if
credential blocks have been added, modified, or removed:

CRED-ADDED <id>
CRED-MODIFIED <id> <field>
CRED-REMOVE <id>

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-04-04 19:10:47 +03:00
Jouni Malinen
21611ea9fd edit: Increase buffer size to 4096 bytes
wpa_supplicant and wpa_cli had already moved to allowing up to 4096 byte
buffer size to be used for control interface commands. This was limited
by the line edit buffer in interactive mode. Increase that limit to
match the other buffers to avoid artificially truncating long commands.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-31 12:30:50 +03:00
Jouni Malinen
1e03c6cb7d XML: Remove forgotten, unused definition of debug_print_func
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-31 12:25:13 +03:00
Jouni Malinen
8943cc998a RADIUS server: Add support for MAC ACL
"user" MACACL "password" style lines in the eap_user file can now be
used to configured user entries for RADIUS-based MAC ACL.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-29 19:31:56 +02:00
Jouni Malinen
dc87541e1e Clean up debug print for PSK file search
p2p_dev_addr was not NULL, so the all zeros case was printed as well.
Clean this up by printing p2p_dev_addr in debug prints only if it is a
real P2P Device Address.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-29 09:50:51 +02:00
Janusz Dziedzic
bbbacbf2f8 DFS: Print CAC info in ctrl_iface STATUS command
Print CAC time and CAC left time in control interface STATUS command.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2014-03-28 23:02:45 +02:00
Maxime Bizon
5c9da160a5 nl80211: Set all BSS interfaces down when tearing down AP in MBSS mode
If the interface was not added by hostapd, it could have been left up
when disabling the AP.

Signed-off-by: Maxime Bizon <mbizon@freebox.fr>
2014-03-27 16:45:25 +02:00
Avraham Stern
3ae8b7b7a2 hostapd: Add vendor command support
Add support of vendor command to hostapd ctrl_iface.
Vendor command's format:
VENDOR <vendor id> <sub command id> [<hex formatted data>]

The 3rd argument will be converted to binary data and then passed as
argument to the sub command.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2014-03-27 15:28:44 +02:00
Pawel Kulakowski
74a1319e50 Fix issue with incorrect secondary_channel in HT40/HT80
When primary and secondary channel were switched and config was
reloaded, secondary channel was incorrectly overwritten.

Proceed as for other settings that should not be changed and don't
allow to overwrite.

Signed-off-by: Pawel Kulakowski <pawel.kulakowski@tieto.com>
2014-03-27 15:22:39 +02:00
Sunil Dutt
96ecea5eb1 Pass TDLS peer capability information in tdls_mgmt
While framing the TDLS Setup Confirmation frame, the driver needs to
know if the TDLS peer is VHT/HT/WMM capable and thus shall construct the
VHT/HT operation / WMM parameter elements accordingly. Supplicant
determines if the TDLS peer is VHT/HT/WMM capable based on the presence
of the respective IEs in the received TDLS Setup Response frame.

The host driver should not need to parse the received TDLS Response
frame and thus, should be able to rely on the supplicant to indicate
the capability of the peer through additional flags while transmitting
the TDLS Setup Confirmation frame through tdls_mgmt operations.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-27 15:18:48 +02:00
Jouni Malinen
78cd7e69de Sync with wireless-testing.git include/uapi/linux/nl80211.h
This brings in nl80211 definitions as of 2014-03-25.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-27 14:50:39 +02:00
Maxime Bizon
b36935be1a nl80211: Fix EAPOL frames not being delivered
When hostapd choose to reuse an existing interface, it does not add it
to the set of interfaces from which we accept EAPOL packets.

Make sure we always add it to that set.

Signed-off-by: Maxime Bizon <mbizon@freebox.fr>
2014-03-26 16:37:42 +02:00
Jouni Malinen
6997f8baab nl80211: Set interface address even if using old interface
If an existing interface is allowed to be used, its address better be
updated to match the requested one.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-26 16:33:03 +02:00
Jouni Malinen
9b4d9c8bbc nl80211: Print if_indices list in debug log
This makes it easier to debug dynamic interface addition/removal.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-26 00:42:24 +02:00
Maxime Bizon
762c41ae99 eloop: Add assert() on negative fd when using select() code path
Signed-off-by: Maxime Bizon <mbizon@freebox.fr>
2014-03-26 00:17:07 +02:00
Jouni Malinen
163f801ef2 nl80211: Indicate HS 2.0 OSEN AKM in connect/associate command
This allows drivers that build the WPA/RSN IEs internally to use similar
design for building the OSEN IE.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-25 18:33:21 +02:00
Jouni Malinen
c201f93a9e WPS: Enable WSC 2.0 support unconditionally
There is not much point in building devices with WPS 1.0 only supported
nowadays. As such, there is not sufficient justification for maintaining
extra complexity for the CONFIG_WPS2 build option either. Remove this by
enabling WSC 2.0 support unconditionally.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-25 18:33:21 +02:00
Rashmi Ramanna
41d5ce9e0b P2P: Optimize scan for GO during persistent group invocation
Scan for GO on the negotiated operating channel for few iterations
before searching on all the supported channels during persistent group
reinvocation. In addition, use the already known SSID of the group in
the scans. These optimizations reduce group formation time.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-25 15:38:33 +02:00
Jouni Malinen
4d1e38be9e ACS: Fix number of error path issues
Especially when multiple BSSes are used with ACS, number of the error
paths were not cleaning up driver initialization properly. This could
result in using freed memory and crashing the process if ACS failed.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-25 13:12:29 +02:00
Jouni Malinen
692ec3058b FT: Add support for postponing FT response
If the PMK-R1 needs to be pulled for the R0KH, the previous
implementation ended up rejecting the over-the-air authentication and
over-the-DS action frame unnecessarily while waiting for the RRB
response. Improve this by postponing the Authentication/Action frame
response until the pull response is received.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-23 18:31:06 +02:00
Jouni Malinen
6ace13a9e5 P2P: Clean up channel selection code to use helper functions
This moves some of the p2p_prepare_channel_best() functionality into
separate helper functions to make the implementation easier to read.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-23 11:01:59 +02:00
Jouni Malinen
70c35233ae WPS: Comment out unused AP WEP config write with WPS 2.0
The main WPS code rejects WEP parameters, so this code is not used and
can be commented out from WPS 2.0 builds. This is similar to the earlier
commit that commented out in-memory update.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-22 23:31:39 +02:00
Arif Hussain
c3ba70f4d0 P2P: Update op_reg_class in random social channel case
Commit 94b84bc725 missed one path where
p2p->op_reg_class should have been updated. Set this to 81 during
operating channel selection from 2.4 GHz.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-22 22:44:53 +02:00
Amar Singhal
70634eec0c hostapd: Check driver DFS offload capability for channel disablement
If the driver supports full offloading of DFS operations, do not disable
a channel marked for radar detection. The driver will handle the needed
operations for such channels.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-22 21:31:15 +02:00
Amar Singhal
65d645ce43 nl80211: Fetch DFS offload capability from driver
This uses a QCA vendor extension to determine if the driver supports
fully offloaded DFS operations.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-22 21:20:32 +02:00
Jouni Malinen
a500f3102f WPS: Comment out unused AP WEP config update with WPS 2.0
The main WPS code rejects WEP parameters, so this code is not used and
can be commented out from WPS 2.0 builds.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-22 19:22:10 +02:00
Jouni Malinen
1d4fe3bcbc Remove unnecessary parameter validation
This is dead code since this helper function is always called with
non-NULL pointer.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-22 16:25:28 +02:00
Arif Hussain
94b84bc725 P2P: Avoid unsafe pre-configured channel as channel preference
Do not select pre-configured channel as operating channel preference if
it is unavailable maybe due to interference or possible known
co-existence constraints, and try to select random available channel.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-22 10:20:08 +02:00
Pawel Kulakowski
513dcec656 Don't overwrite channel on hostapd config reload
There was possibility that the current channel in Beacon information
element was incorrectly set. This problem was easily observed when
primary and secondary channel were switched and then some of hostapd
settings (for example password) were changed using WPS External
Registrar. This caused hostapd_reload_config() function overwrite the
current channel information from config file.

This patch prevents this situation and does not allow to overwrite
channel and some other settings when config is reloaded.

Signed-off-by: Pawel Kulakowski <pawel.kulakowski@tieto.com>
2014-03-21 23:30:57 +02:00
Jouni Malinen
20ff2642e1 WPS: Clear WPS data on init failure
It was possible for hapd->wps_beacon_ie and hapd->wps_probe_resp_ie to
be set if WPS initialization in hostapd failed after having set these
parameters (e.g., during UPnP configuration). In addition, many of the
other WPS configuration parameters that were allocated during the first
part of the initialization were not properly freed on error paths.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-21 13:23:23 +02:00
Jouni Malinen
f19e370e15 WPS: Do not advertise WPA/WPA2-Enterprise Auth Type Flags
While the device itself may support WPA/WPA2-Enterprise, enrollment of
credentials for EAP authentication is not supported through WPS. As
such, there is no need to claim support for these capabilities within
WPS information.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-20 15:13:48 +02:00
Jouni Malinen
1b5df9e591 nl80211: Do not indicate scan started event on scan_for_auth
The scan_for_auth workaround for cfg80211 missing a BSS entry for the
target BSS during authentication uses a single channel scan controlled
within driver_nl80211.c. This operation does not indicate
EVENT_SCAN_RESULTS to the upper layer code. However, it did report
EVENT_SCAN_STARTED and this resulted in the radio work protection code
assuming that an external program triggered a scan, but that scan never
completed. This resulted in all new radio work items getting stuck
waiting for this scan to complete.

Fix this by handling the scan_for_auth situation consistently within
driver_nl80211.c by filtering both the EVENT_SCAN_STARTED and
EVENT_SCAN_RESULTS.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-18 22:48:44 +02:00
Jouni Malinen
4d65deda7f HS 2.0R2: Clean up debug from libcurl
Do not truncate CURLINFO entries on first linefeed to get full IN/OUT
headers and data into debug log. Use wpa_hexdump_ascii() if any
non-displayable characters are included. Remove the separate header/data
debug dumps since all that information is now available from the debug
callback.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-18 00:39:35 +02:00
Jouni Malinen
f4e3860f8a Fix AP mode default TXOP Limit values for AC_VI and AC_VO
These were previous set to 3.0 and 1.5 ms which ended up using values 93
and 46 in 36 usec inits. However, the default values for these are
actually defined as 3.008 ms and 1.504 ms (94/47) and those values are
also listed in the hostapd.conf example.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-17 18:48:40 +02:00
Jouni Malinen
47bd94a09f TLS testing: Add new test cases for RSA-DHE primes
test-tls-4: Short 511-bit RSA-DHE prime
test-tls-5: Short 767-bit RSA-DHE prime
test-tls-6: Bogus RSA-DHE "prime" 15
test-tls-7: Very short 58-bit RSA-DHE prime in a long container
test-tls-8: Non-prime as RSA-DHE prime

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-16 12:43:49 +02:00
Jouni Malinen
f5bbb2f284 TLS client: Reject RSA-DHE prime if it shorter than 768 bits
Such short primes cannot really be considered secure enough for
authentication purposes.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-16 12:43:37 +02:00
Jouni Malinen
817742f5aa TLS testing: Fix test_flags check for ApplData report
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-16 10:59:17 +02:00
Michal Kazior
c3722e1241 ACS: Fix VHT20
The center segment0 calculation for VHT20 ACS was incorrect. This caused
ACS to fail with: "Could not set channel for kernel driver".

Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
2014-03-15 19:04:31 +02:00