This makes it somewhat easier for the station to be able to receive and
process the encrypted WNM-Notification frames that the AP previously
sentt immediately after receiving EAPOL-Key msg 4/4. While the station
is supposed to have the TK configured for receive before sending out
EAPOL-Key msg 4/4, not many actual implementations do that. As such,
there is a race condition in being able to configure the key at the
station and the AP sending out the first encrypted frame after EAPOL-Key
4/4. The extra 100 ms time here makes it more likely for the station to
have managed to configure the key in time.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Add SSL_SESSION_get_master_key() compatibility wrapper for older OpenSSL
versions to be able to use the new openssl_tls_prf() implementation for
OpenSSL 1.1.0 with all supported versions.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
SSL_get_client_random() and SSL_get_server_random() will be added in
OpenSSL 1.1.0. Provide compatibility wrappers for older versions to
simplify the tls_connection_get_random() implementation.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The OpenSSL project will not support version 1.0.0 anymore. As there
won't be even security fixes for this branch, it is not really safe to
continue using 1.0.0 and we might as well drop support for it to allow
cleaning up the conditional source code blocks.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The OpenSSL project will not support version 0.9.8 anymore. As there
won't be even security fixes for this branch, it is not really safe to
continue using 0.9.8 and we might as well drop support for it to allow
cleaning up the conditional source code blocks.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
It was possible for the p2p->pending_listen_freq to be left indicating
that there is a pending ROC for a listen operation if a P2P_FIND command
was timed to arrive suitably between a previous Listen operation issuing
a ROC request and the kernel code starting that request. This could
result in the P2P state machine getting stuck unable to continue the
find ("P2P: p2p_listen command pending already").
Fix this by clearing p2p->pending_listen_freq when starting P2P_FIND
command execution.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The new optional group_ssid=<hexdump> argument in the P2PS-PROV-DONE
event can be used to help in identifying the exact group if there have
been multiple groups with the same P2P Interface Address in short period
of time.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
When we receive FST Setup Request when session already exists, the
following validations take place:
1. we drop the frame if needed according to MAC comparison
2. we drop the frame if the session is "not pending", i.e., if FST
Setup Response was already exchanged (sent or received).
There are two issues with the above:
1. MAC comparison is relevant only before the Setup Response exchange.
In other words, Setup Request should not be dropped due to MAC
comparison after Setup Response has been exchanged.
2. Receiving Setup Request after Setup Response exchange most likely
means that FST state machine is out of sync with the peer. Dropping
the Setup Request will not help solve this situation.
The fix is:
1. do MAC comparison only if session is "pending", i.e., Setup Response
was not yet exchanged.
2. In case Setup Response was already exchanged, reset our session and
handle the Setup Request as if it arrived when session doesn't exist.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Explicitly check for the failure event to include a certificate before
trying to build the event.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
While this could in theory be claimed to be ready for something to be
added to read a field following the server_write_IV, it does not look
likely that such a use case would show up. As such, just remove the
unused incrementing of pos at the end of the function to get rid of a
useless static analyzer complaint.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This makes some static analyzers complain about stored value never being
read. While it is good to clear some other temporary variables, this
local variable i has no security private information (it has a fixed
value of 20 here) and trying to clear it to 0 does not add any value.
Remove that part of the "wipe variables" to avoid one useless static
analyzer complaint.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
As a dedicated P2P Device interface does not have a network
interface associated with it, trying to call linux_iface_up()
on it would always fail so this call can be skipped for
such an interface.
Getting interface nlmode can be done only after bss->wdev_id is
set, so move this call to wpa_driver_nl80211_finish_drv_init(),
and do it only in case the nlmode != NL80211_IFTYPE_P2P_DEVICE.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
IEEE Std 802.11-2012 11.3.5.4 specifies the PMKID for SAE-derived keys
as:
L((commit-scalar + peer-commit-scalar) mod r, 0, 128)
This is already calculated in the SAE code when the PMK is derived, but
not saved anywhere. Later, when generating the PMKID for plink action
frames, the definition for PMKID from 11.6.1.3 is incorrectly used.
Correct this by saving the PMKID when the key is generated and use it
subsequently.
Signed-off-by: Bob Copeland <me@bobcopeland.com>
Since hostapd supports ACS now, let's enable its support in
wpa_supplicant as well when starting AP mode.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
[u.oelmann@pengutronix.de: rebased series from hostap_2_1~944 to master]
[u.oelmann@pengutronix.de: adjusted added text in defconfig]
Signed-off-by: Ulrich Ölmann <u.oelmann@pengutronix.de>
Let's reuse hostapd code for such handling. This will be useful to get
ACS support into wpa_supplicant where this one needs to handle the
survey event so it fills in the result ACS subsystem will require.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
[u.oelmann@pengutronix.de: rebased series from hostap_2_1~944 to master]
Signed-off-by: Ulrich Ölmann <u.oelmann@pengutronix.de>
The data->state == WAIT_FRAG_ACK case is already handling all cases
where data->out_buf could be non-NULL, so this additional check after
the WAIT_FRAG_ACK steps cannot be reached. Remove the duplicated dead
code.
Signed-off-by: Jouni Malinen <j@w1.fi>
Previously, a fixed 1300 fragment_size was hardcoded. Now the EAP
profile parameter fragment_size can be used to override this.
Signed-off-by: Jouni Malinen <j@w1.fi>
This allows RADIUS failover to be performed if send() return EACCES
error which is what happens after a recent Linux kernel commit
0315e382704817b279e5693dca8ab9d89aa20b3f ('net: Fix behaviour of
unreachable, blackhole and prohibit') for a local sender when route type
is prohibit.
This fixes the hwsim test case radius_failover when running against a
kernel build that includes that commit.
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit 986de33d5c ('Convert remaining SSID
routines from char* to u8*') started using wpa_ssid_txt() to print out
the SSID for the Called-Station-Id attribute in RADIUS messages. This
was further modified by commit 6bc1f95613
('Use printf escaping in SSID-to-printable-string conversion') to use
printf escaping (though, even without this, wpa_ssid_txt() would have
masked characters).
This is not desired for Called-Station-Id attribute. While it is defined
as a "String", RFC 2865 indicates that "a robust implementation SHOULD
support the field as undistinguished octets.".
Copy the SSID as an array of arbitrary octets into Called-Station-Id to
avoid any kind of masking or escaping behavior. This goes a step further
from the initial implementation by allowing even the possible (but
unlikely in practical use cases) 0x00 octet in the middle of an SSID.
Signed-off-by: Jouni Malinen <j@w1.fi>
This extends multi-OCSP support to verify status for intermediate CAs in
the server certificate chain.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
ocsp=3 extends ocsp=2 by require all not-trusted certificates in the
server certificate chain to receive a good OCSP status. This requires
support for ocsp_multi (RFC 6961). This commit is only adding the
configuration value, but all the currently included TLS library wrappers
are rejecting this as unsupported for now.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds a minimal support for using status_request_v2 extension and
ocsp_multi format (OCSPResponseList instead of OCSPResponse) for
CertificateStatus. This commit does not yet extend use of OCSP stapling
to validate the intermediate CA certificates.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This allows hostapd with the internal TLS server implementation to
support the extended OCSP stapling mechanism with multiple responses
(ocsp_stapling_response_multi).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds a new hostapd configuration parameter
ocsp_stapling_response_multi that can be used similarly to the existing
ocsp_stapling_response, but for the purpose of providing multiple cached
OCSP responses. This commit adds only the configuration parameter, but
does not yet add support for this mechanism with any of the supported
TLS implementations.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds support for hostapd-as-authentication-server to be build with
the internal TLS implementation and OCSP stapling server side support.
This is more or less identical to the design used with OpenSSL, i.e.,
the cached response is read from the ocsp_stapling_response=<file> and
sent as a response if the client requests it during the TLS handshake.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds support for hostapd-as-authentication-server to be build
against GnuTLS with OCSP stapling server side support. This is more or
less identical to the design used with OpenSSL, i.e., the cached
response is read from the ocsp_stapling_response=<file> and sent as a
response if the client requests it during the TLS handshake.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This message is sent at MSG_INFO level and it is supposed to go out even
even debug messages were to be removed from the build. As such, use
wpa_msg() instead of wpa_dbg() for it.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This error case in own buffer lengths being too short was not handled
properly. While this should not really happen since the wpabuf
allocation is made large for the fixed cases that are currently
supported, better make eap_eke_prot() safer if this functionally ever
gets extended with a longer buffer need.
Signed-off-by: Jouni Malinen <j@w1.fi>
Previously, the five second timeout was added at the beginning of the
full GAS query and it was not replenished during fragmented exchanges.
This could result in timing out a query if it takes significant time to
go through the possibly multiple fragments and long comeback delay.
Signed-off-by: Jouni Malinen <j@w1.fi>
Instead of using default list of methods, reject a configuration with an
unsupported EAP method at the time the main TLS method is being
initialized.
Signed-off-by: Jouni Malinen <j@w1.fi>
When AES-WRAP was used to protect the EAPOL-Key Key Data field, this was
decrypted using a temporary heap buffer with aes_unwrap(). That buffer
was not explicitly cleared, so it was possible for the group keys to
remain in memory unnecessarily until the allocated area was reused.
Clean this up by clearing the temporary allocation explicitly before
freeing it.
Signed-off-by: Jouni Malinen <j@w1.fi>
IPMK and CMK are derived from TK when using TLS session resumption with
PEAPv0 crypto binding. The EAP-PEAP peer implementation already
supported this, but the server side did not.
Signed-off-by: Jouni Malinen <j@w1.fi>
eap_peap_parse_phase1() returned 0 unconditionally, so there was no need
for that return value or the code path that tried to address the error
case.
Signed-off-by: Jouni Malinen <j@w1.fi>
On systems that have multiple WLAN rfkill instances, the rfkill code
can become confused into thinking that the device was unblocked when
in fact it wasn't, because it only matches on the WLAN type.
Since it then stores the new (unblocked) state from the wrong rfkill
instance, it will never retry the failing IFF_UP operation and the
user has to toggle rfkill again, or otherwise intervene manually, in
this case to get back to operational state.
Fix this by using the existing (but unused) ifname argument when the
rfkill instance is created to match to a specific rfkill index only.
As a P2P Device interface does not have a netdev interface associated
with it, use the name of a sibling interface to initialize the rfkill
context for the P2P Device interface. For nl80211, as the wiphy index
is known only after getting the driver capabilities from the kernel,
move the initialization of the rfkill object to
wpa_driver_nl80211_finish_drv_init().
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
The rfkill processing in nl80211 driver assumes that the
INTERFACE_ENABLED/DISABLED will be also issued, so does not do much in
the rfkill callbacks. However, as a P2P Device interface is not
associated with a network interface, these events are not issued for it.
Handle rfkill events for the P2P_DEVICE interface by faking the
INTERFACE_ENABLED/DISABLED.
Signed-off-by: Moshe Benji <Moshe.Benji@intel.com>
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
The Setup Response timer is relatively fast (500 ms) and there are
instances where it fires on the responder side after the initiator has
already sent out the TDLS Setup Confirm frame. Prevent the processing of
this stale TDLS Setup Response frame on the initiator side.
Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
Fix mostly theoretical NULL pointer dereference in
wpa_debug_open_linux_tracing() if /proc/mounts were to return a
malformed line.
Signed-off-by: Ayala Beker <ayala.beker@intel.com>
This patch fixes an issue with an invalid phase2 parameter value
auth=MSCHAPv2 getting interpreted as auth=MSCHAP (v1) which could
degrade security (though, only within a protected TLS tunnel). Now when
invalid or unsupported auth= phase2 parameter combinations are
specified, EAP-TTLS initialization throws an error instead of silently
doing something.
More then one auth= phase2 type cannot be specified and also both auth= and
autheap= options cannot be specified.
Parsing phase2 type is case sensitive (as in other EAP parts), so phase2
parameter auth=MSCHAPv2 is invalid. Only auth=MSCHAPV2 is correct.
Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
[Use cstr_token() to get rid of unnecessary allocation; cleanup]
Signed-off-by: Jouni Malinen <j@w1.fi>
There are two types of memory processing functions in the file
atheros_driver.c, such as memory and os_memory. Unify the processing
functions into one type which has the prefix "os_".
Signed-off-by: Matt Woods <matt.woods@aliyun.com>
This adds a CTRL-EVENT-EAP-TLS-CERT-ERROR and CTRL-EVENT-EAP-STATUS
messages with 'bad certificate status response' for cases where no valid
OCSP response was received, but the network profile requires OCSP to be
used.
Signed-off-by: Jouni Malinen <j@w1.fi>
This completes OCSP stapling support on the TLS client side. Each
SingleResponse value is iterated until a response matching the server
certificate is found. The validity time of the SingleResponse is
verified and certStatus good/revoked is reported if all validation step
succeed.
Signed-off-by: Jouni Malinen <j@w1.fi>