Ilan Peer [Sun, 22 Nov 2015 13:57:50 +0000 (15:57 +0200)]
P2P: Set p2p_go_wait_client in invitation_result() cb
When an invitation to join an existing group is accepted by the
peer device, set p2p_go_wait_client to the current time so
that wpas_p2p_in_progress() would return != 0, thus preventing
P2P CSA, scanning etc., that would interfere with the peer
device connection.
Jouni Malinen [Sun, 22 Nov 2015 19:28:49 +0000 (21:28 +0200)]
tests: Make dbus_p2p_group_idle_timeout more robust
This test case was failing if a PropertiesChanged signal for P2P peer
gets delivered from a previous test case. Avoid that by waiting for the
new group to be formed before processing any PropertiesChanged signals.
This failure was triggered by the following test case sequence:
dbus_p2p_two_groups dbus_p2p_group_idle_timeout
Android: Give user the option for selecting browser for HS 2.0 OSU
When built with browser-android.c, hs20-osu-client used to always launch
the native/stock Android browser for OSU user interaction. This browser
is not present in all devices. It is better to give the option to the
user to select his/her browser.
Here the user will be shown a pop up to select the browser that he/she
wants.
Jouni Malinen [Sun, 22 Nov 2015 18:14:06 +0000 (20:14 +0200)]
tests: Make ap_open_select_twice less likely to fail
It looks like a previous P2P test case can cause the initial single
channel scan in ap_open_select_twice to take more than five seconds in some
cases. While that is not really expected behavior, this test case should
not fail. Increase the timeout to avoid reporting false failures here.
This could be triggered with the following test case sequence:
p2p_msg_unexpected_go_neg_resp ap_open_select_twice
Avraham Stern [Tue, 3 Nov 2015 14:30:10 +0000 (16:30 +0200)]
Add an option to create interface of a certain type with INTERFACE_ADD
Some drivers do not support having two station interfaces, so the fact
that wpa_supplicant always creates a new interface in station mode, even
if it will be used as another type of interface, may prevent
wpa_supplicant from creating new interfaces. Allow setting the interface
type when a new interface is created so that interfaces of supported
types can be created.
Currently supported types are station ("sta") and AP ("ap"). If the
interface type is not specified, a station interface will be created.
Avraham Stern [Tue, 3 Nov 2015 14:30:09 +0000 (16:30 +0200)]
driver: Make setting up AP optional when creating AP interface
When an AP interface is created, it is also set up and subscribes
for management frames etc. However, when the interface is added by
wpa_supplicant, setting up for AP operations is redundant because
it will be done by wpa_supplicant on wpa_drv_init() when setting
the interface mode to AP.
In addition, it may cause wpa_supplicant to fail initializing the
interface as it will try to subscribe for management frames on this
interface but the interface is already registered.
Change this, so when adding an AP interface, make setting up the AP
optional, and use it only when the interface is added by hostapd but not
when it is added by wpa_supplicant.
Jouni Malinen [Sat, 21 Nov 2015 17:04:12 +0000 (19:04 +0200)]
tests: Clear scan cache at the start of ap_vht80*
These test cases depend on the HT40 co-ex scans not swapping PRI/SEC
channels. It was possible for a test case to fail, e.g., in the
following sequence: ap_ht40_5ghz_match ap_vht80b.
Avraham Stern [Tue, 3 Nov 2015 14:25:01 +0000 (16:25 +0200)]
P2P: Clear send action work without waiting on find/stop/listen
When clearing pending TX action to start a new P2P operation like
P2P_FIND or P2P_LISTEN, wpas_p2p_action_tx_clear() was used to clear
the send action work. However, in cases where the action work has wait
time, it is not cleared immediately but only after the wait time ends.
This may cause delay in starting the P2P operation.
Fix that by always clearing the send action work immediately on these
P2P commands that result in immediate P2P state change and practically
stopping a previous operation, if one was pending.
AP: Avoid 20/40 MHz co-ex scan if PRI/SEC switch is not allowed
When an AP is started on the 5.2 GHz band with 40 MHz bandwidth, a
scan is issued in order to handle 20/40 MHz coexistence. However,
the scan is issued even if iface->conf->no_pri_sec_switch is set,
which is redundant.
Fix this by checking iface->conf->no_pri_sec_switch before starting
the scan.
Signed-off-by: Alexander Bondar <alexander.bondar@intel.com>
Ayala Beker [Tue, 3 Nov 2015 14:24:57 +0000 (16:24 +0200)]
nl80211: Clear ignore_next_local_deauth flag
The de-authentication flow in wpa_driver_nl80211_deauthenticate() can
result in a locally generated de-authentication event. To avoid getting
this extra event ignore_next_local_deauth flag is set, and should be
cleared when the next local deauth event is received. However, it is not
cleared when the event shows up after the wpa_supplicant has started a
connection with a new AP, and as a result it might ignore future
deauth events from the driver.
Fix this by clearing the flag if the event is locally generated.
Sara Sharon [Tue, 3 Nov 2015 14:24:56 +0000 (16:24 +0200)]
nl80211: Clear ignore_next_local_deauth and ignore_deauth_event
The authentication flow in wpa_driver_nl80211_authenticate() can
result in a locally generated de-authentication, in which both
next_local_deauth and ignore_next_local_deauth are set.
However, in mlme_event_deauth_disassoc(), when ignore_deauth_event is
set, the flag is cleared, but the flow immediately returns leaving
ignore_next_local_deauth set, which can result in ignoring future deauth
events from the driver, leaving wpa_supplicant in an inconsistent
state.
Fix this by clearing both flags in case that next_local_deauth is set.
Signed-off-by: Sara Sharon <sara.sharon@intel.com>
Ravi Joshi [Mon, 16 Nov 2015 06:05:05 +0000 (22:05 -0800)]
Add QCA vendor attribute and event to indicate subnet change status
This allows offloaded roaming to inform user space of the change in IP
subnet post roaming. The device may have roamed to a network which is in
a different subnet which will result in IP connectivity loss. Indicating
the change in subnet enables the user space to refresh the IP address or
to perform IP subnet validation if unknown status is indicated.
The driver indication is reported with a new event from wpa_supplicant
in the following format:
CTRL-EVENT-SUBNET-STATUS-UPDATE status=<0/1/2>
where
0 = unknown
1 = IP subnet unchanged (can continue to use the old IP address)
2 = IP subnet changed (need to get a new IP address)
Jouni Malinen [Thu, 19 Nov 2015 22:48:25 +0000 (00:48 +0200)]
tests: AP with open mode and select network twice
This verifies that the second SELECT_NETWORK for the same network starts
a new scan immediately if the previous connection attempt is waiting for
the next scan iteration to start.
Jouni Malinen [Thu, 19 Nov 2015 22:45:40 +0000 (00:45 +0200)]
Skip SELECT_NETWORK steps only if already connected or connecting
Commit 2a6f78fbbefc34fec6685d08f46797c4ef4b2a6e ('Do not re-associate on
SELECT_NETWORK to current network') started skipping all SELECT_NETWORK
connection steps if the selected network had already been selected
previously. This happened regardless of whether the connection was
already established. This is not necessarily desirable for all cases
where there is no immediate action to even try to connect (e.g., long
wait for the next scan).
Speed this up by allowing the SELECT_NETWORK operation to get started if
there is no connection or ongoing connection attempt with the selected
network.
Jouni Malinen [Thu, 19 Nov 2015 19:01:45 +0000 (21:01 +0200)]
Fix EAPOL reauth after FT protocol or offloaded PMKSA cache use
The EAP peer state machine moved from IDLE to FAILURE state when the
EAPOL Authenticator triggered reauthentication with an
EAP-Request/Identity in a case where the association started with FT
protocol or offloaded PMKSA cache use (4-way handshake using a
previously acquired PMK). This happened due to the altSuccess=TRUE
setting being left behind and not cleared when processing the restart of
authentication. Fix this by clearing altAccept and eapSuccess when going
through SUPP_PAE RESTART state.
Jouni Malinen [Thu, 19 Nov 2015 18:32:04 +0000 (20:32 +0200)]
FT auth: Fix EAPOL reauthentication after FT protocol run
The EAPOL AUTH_PAE state machine was left in an incomplete state at the
completion of FT protocol. Set portValid = TRUE to allow the state
machine to proceed from AUTHENTICATING to AUTHENTICATED state, so that a
new EAPOL reauthentication can be triggered.
Jouni Malinen [Thu, 19 Nov 2015 15:33:34 +0000 (17:33 +0200)]
tests: Clear FST sessions at the end of fst_setup_mbie_diff
This avoids issues with following test cases failing due to unexpected
starting state. This issue showed up with the following hwsim test case
sequence:
fst_setup_mbie_diff fst_dynamic_iface_attach
Peter Oh [Tue, 10 Nov 2015 19:01:20 +0000 (11:01 -0800)]
Add VHT support for Mesh
Mesh Points themselves have capability to support VHT as long as
hardware supports it. However, supporting VHT in mesh mode was disabled
because no one had clearly tested and confirmed its functionality. Since
VHT80 has now been verified to work with ath10k QCA988X driver and
mac80211_hwsim, enable VHT support in mesh mode.
Jouni Malinen [Wed, 18 Nov 2015 16:03:22 +0000 (18:03 +0200)]
tests: Clear scan cache at the end of ap_wps_per_station_psk
It was possible for the WPS PBC state to get cached through to the
following test cases and that would trigger false failures. Fix this by
explicitly clearing the scan cache at the end of ap_wps_per_station_psk.
This issue was triggered with the following test case sequence:
ap_wps_per_station_psk autogo_pbc
Jouni Malinen [Tue, 17 Nov 2015 17:01:15 +0000 (19:01 +0200)]
nl80211: Do not return incomplete hw capability info
If a memory allocation fails while parsing driver capabilities, drop all
mode/channel/rate information instead of returning possibly partial
information.
Jouni Malinen [Tue, 17 Nov 2015 17:00:21 +0000 (19:00 +0200)]
tests: Force hw capability re-fetch at the end of dbus_connect_oom
This is needed since the forced OOM may have forced the cached
information to be invalid or dropped. This issue was hit with the
following hwsim test case sequence:
ap_interworking_scan_filtering fst_sta_config_llt_large dbus_connect_oom
wpas_ctrl_enable_disable_network
Sunil Dutt [Mon, 16 Nov 2015 15:02:56 +0000 (20:32 +0530)]
WPS: Reconnect for a failed data connection when STA_AUTOCONNECT is 0
If "STA_AUTOCONNECT 0" has been used to disable automatic connection on
disconnection event and the driver indicates a failure for the data
connection after successful WPS handshake, it is possible to hit a case
where wpa_s->disconnected is set to 1 and further attempts to connect
shall stop.
While "STA_AUTOCONNECT 0" is used to disable automatic reconnection
attempts in general, this specific WPS case can benefit from trying
again even with that configuration for a short period of time. Extend
the wpa_supplicant re-enable-networks-after-WPS 10 second timeout to
apply for ignoring disabled STA_AUTOCONNECT immediately after a WPS
provisioning step.
Anton Nayshtut [Thu, 22 Oct 2015 16:48:04 +0000 (19:48 +0300)]
hostapd: Process MAC ACLs on a station association event (SME in driver)
Now hostapd will use station MAC-based permissions according to the
macaddr_acl policy also for drivers which use AP SME offload, but do not
support NL80211_CMD_SET_MAC_ACL for offloading MAC ACL processing. It
should be noted that in this type of case the association goes through
and the station gets disconnected immediately after that.
RSN: Remove check for proactive_key_caching while setting PMK offload
wpa_sm_key_mgmt_set_pmk() was checking for proactive_key_caching to be
enabled before setting the PMK to the driver. This check is not required
and would mandate configuration setting of okc or proactive_key_caching
for cases which were not necessary.
Ravi Joshi [Mon, 16 Nov 2015 17:00:35 +0000 (19:00 +0200)]
Extend QCA roam event with subnet change indication
The new attribute can be used with
QCA_NL80211_VENDOR_SUBCMD_KEY_MGMT_ROAM_AUTH to indicate whether the IP
subnet was detected to have changed when processing offloaded roam/key
management.
Samuel Tan [Thu, 5 Nov 2015 18:48:48 +0000 (10:48 -0800)]
Android: Use libdbus rather than dbus-1
The upstream wpa_supplicant uses the dbus-1 library when it is compiled
with D-Bus support. In Android, we imported the D-Bus shared libraries
under the name "libdbus", so use this shared library instead of dbus-1
when compiling wpa_supplicant with D-Bus support.
Jouni Malinen [Sun, 1 Nov 2015 17:35:44 +0000 (19:35 +0200)]
EAP-pwd peer: Fix error path for unexpected Confirm message
If the Confirm message is received from the server before the Identity
exchange has been completed, the group has not yet been determined and
data->grp is NULL. The error path in eap_pwd_perform_confirm_exchange()
did not take this corner case into account and could end up
dereferencing a NULL pointer and terminating the process if invalid
message sequence is received. (CVE-2015-5316)
Jouni Malinen [Sun, 1 Nov 2015 16:24:16 +0000 (18:24 +0200)]
EAP-pwd server: Fix last fragment length validation
All but the last fragment had their length checked against the remaining
room in the reassembly buffer. This allowed a suitably constructed last
fragment frame to try to add extra data that would go beyond the buffer.
The length validation code in wpabuf_put_data() prevents an actual
buffer write overflow from occurring, but this results in process
termination. (CVE-2015-5314)
Jouni Malinen [Sun, 1 Nov 2015 16:18:17 +0000 (18:18 +0200)]
EAP-pwd peer: Fix last fragment length validation
All but the last fragment had their length checked against the remaining
room in the reassembly buffer. This allowed a suitably constructed last
fragment frame to try to add extra data that would go beyond the buffer.
The length validation code in wpabuf_put_data() prevents an actual
buffer write overflow from occurring, but this results in process
termination. (CVE-2015-5315)
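Added illustration of the check that both EAP-pwd fragment fixes above describe (server, CVE-2015-5314, and peer, CVE-2015-5315): the remaining-room test is applied to every fragment, the last one included. This is stand-alone example code, not the hostap wpabuf/EAP-pwd implementation; the struct, function names, the size limit and the sample fragments are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#define MAX_TOTAL_LEN 1024 /* assumed upper bound for a reassembled message */

/* Minimal reassembly state; stands in for the wpabuf used by hostap. */
struct reasm {
	uint8_t buf[MAX_TOTAL_LEN];
	size_t total_len; /* length announced by the first fragment */
	size_t used;      /* octets copied in so far */
	int active;       /* 1 while a reassembly is in progress */
};

/* Begin reassembly for a message of total_len octets.
 * Returns 0 on success, -1 if the announced length is unusable. */
static int reasm_start(struct reasm *r, size_t total_len)
{
	if (total_len == 0 || total_len > MAX_TOTAL_LEN)
		return -1;
	r->total_len = total_len;
	r->used = 0;
	r->active = 1;
	return 0;
}

/* Add one fragment; last != 0 marks the final fragment. Returns 1 when the
 * message is complete, 0 while more is expected, -1 if rejected. */
static int reasm_add(struct reasm *r, const uint8_t *frag, size_t len, int last)
{
	if (!r->active)
		return -1;
	/* The fix: the room check covers every fragment, including the last,
	 * so an oversized final fragment is rejected here instead of reaching
	 * the buffer write (where the wpabuf length check would abort). */
	if (len > r->total_len - r->used) {
		r->active = 0;
		return -1;
	}
	memcpy(r->buf + r->used, frag, len);
	r->used += len;
	if (!last)
		return 0;
	r->active = 0;
	/* The final fragment must complete the announced length exactly. */
	return r->used == r->total_len ? 1 : -1;
}

/* Constructed sequence: 8-octet message sent as 5 + 3 octets, well formed.
 * Expected result: 1 (complete). */
int demo_valid_sequence(void)
{
	struct reasm r;
	const uint8_t a[5] = { 1, 2, 3, 4, 5 }, b[3] = { 6, 7, 8 };
	if (reasm_start(&r, 8) < 0 || reasm_add(&r, a, 5, 0) != 0)
		return -2; /* setup cannot fail for this constructed input */
	return reasm_add(&r, b, 3, 1);
}

/* Constructed sequence: 8-octet message, but the last fragment carries
 * 5 octets when only 3 fit. Expected result: -1 (rejected, not copied). */
int demo_oversized_last_fragment(void)
{
	struct reasm r;
	const uint8_t a[5] = { 1, 2, 3, 4, 5 }, b[5] = { 6, 7, 8, 9, 10 };
	if (reasm_start(&r, 8) < 0 || reasm_add(&r, a, 5, 0) != 0)
		return -2; /* setup cannot fail for this constructed input */
	return reasm_add(&r, b, 5, 1);
}

int main(void)
{
	printf("valid: %d, oversized last: %d\n", demo_valid_sequence(),
	       demo_oversized_last_fragment());
	return 0;
}
```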
Jouni Malinen [Sun, 25 Oct 2015 21:02:14 +0000 (23:02 +0200)]
WNM: Ignore WNM-Sleep Mode Response if WNM-Sleep Mode has not been used
The AP is not expected to send out a WNM-Sleep Mode Response frame
without the STA trying to use WNM-Sleep Mode. Drop such unexpected
responses to reduce unnecessary processing of the frame.
Jouni Malinen [Sun, 25 Oct 2015 13:45:50 +0000 (15:45 +0200)]
WNM: Ignore Key Data in WNM Sleep Mode Response frame if no PMF in use
WNM Sleep Mode Response frame is used to update GTK/IGTK only if PMF is
enabled. Verify that PMF is in use before using this field on station
side to avoid accepting unauthenticated key updates. (CVE-2015-5310)
Use "STATUS-NO_EVENTS" instead of "STATUS" in get_wpa_status function
Using "STATUS" command triggers CTRL-EVENT-STATE-CHANGE and
CTRL-EVENT-CONNECTED (if connected to some AP) events. These events
cause problems in Android WifiStateMachine in Marshmallow. Due to these
events WifiStateMachine sometimes disconnects the OSU SSID connection,
while hs20-osu-client waits for IP address.
Max Stepanov [Wed, 14 Oct 2015 09:26:33 +0000 (12:26 +0300)]
wpa_supplicant: Add GTK RSC relaxation workaround
Some APs may send RSC octets in EAPOL-Key message 3 of 4-Way Handshake
or in EAPOL-Key message 1 of Group Key Handshake in the opposite byte
order (or by some other corrupted way). Thus, after a successful
EAPOL-Key exchange the TSC values of received multicast packets, such as
DHCP, don't match the RSC one and as a result these packets are dropped
on replay attack TSC verification. An example of such AP is Sapido
RB-1732.
Work around this by setting RSC octets to 0 on GTK installation if the
AP RSC value is identified as potentially having the byte order issue.
This may open a short window during which older (but valid)
group-addressed frames could be replayed. However, the local receive
counter will be updated on the first received group-addressed frame and
the workaround is enabled only if the common invalid cases are detected,
so this workaround is acceptable as not decreasing security
significantly. The wpa_rsc_relaxation global configuration property
allows the GTK RSC workaround to be disabled if it's not needed.
Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
Jouni Malinen [Sun, 1 Nov 2015 18:26:35 +0000 (20:26 +0200)]
Restore previous wpa_state in scan-only result handler
The SCAN TYPE=ONLY results do not trigger a connection operation
automatically. As such, there was no explicit operation that would
change wpa_state after such a scan-only operation and WPA_SCANNING state
could have been left in effect until the next operation is triggered by
an external command. This is not desirable, so restore the wpa_state
that was in use when the scan was started in case WPA_SCANNING state is
still set when the scan operation completes.
This was triggered by the following mac80211_hwsim test sequence:
dbus_wps_oom scan_trigger_failure
Jouni Malinen [Sun, 1 Nov 2015 18:09:11 +0000 (20:09 +0200)]
WNM: Clear BSS TM data if already associated with preferred candidate
Previously, wnm_deallocate_memory() was called only if we decided to
move to another BSS at the completion of an accepted BSS Transition
Management Request. This resulted in the candidate information being
left in effect for the following scan operation if we were already
associated with the preferred candidate. This could result in unexpected
behavior in the following connection attempt.
Fix this by clearing the candidate information even if we do not need to
roam to another BSS.
This was triggered with mac80211_hwsim test cases in this sequence:
wnm_bss_tm ap_track_sta_force_2ghz
Jouni Malinen [Sat, 31 Oct 2015 17:45:59 +0000 (19:45 +0200)]
tests: Clear config_methods at the end of wpas_ctrl_set_wps_params
It was possible for dev[2] to be left with non-default config_methods
parameter at the end of the test case and that could result in issues in
following test cases. This hit a failure in the following sequence:
wpas_ctrl_set_wps_params p2ps_channel_active_go_and_station_same
Jouni Malinen [Sat, 31 Oct 2015 17:39:23 +0000 (19:39 +0200)]
EAP peer: Clear ignore flag in INITIALIZE state
While this is not part of RFC 4137, the way m.check(eapReqData) is
implemented in wpa_supplicant allows an EAP method to not update the
ignore value even though each such call is really supposed to get a new
response. It seems to be possible to hit a sequence where a previous EAP
authentication attempt terminates with sm->ignore set from the last
m.check() call and the following EAP authentication attempt could fail
to go through the expected code path if it does not clear the ignore
flag. This is likely only hit in some error cases, though. The hwsim
test cases could trigger this with the following sequence:
eap_proto_ikev2 ap_wps_m1_oom
Jouni Malinen [Sat, 31 Oct 2015 16:15:22 +0000 (18:15 +0200)]
TLS: Fix memory leak with multiple TLS server instances
When using CONFIG_TLS=internal and starting hostapd with multiple
configuration files that each initialize TLS server, the server
certificate and related data was not freed for all the interfaces on
exit path. Fix this by freeing the credential data that is stored
separately for each call to tls_init().
Jouni Malinen [Sat, 31 Oct 2015 14:31:03 +0000 (16:31 +0200)]
tests: Fix wifi_display_parsing
Due to a typo in a function name, this test case ended up running
without the final cleanup. That could result in the following test cases
failing, e.g., when running this sequence:
wifi_display_parsing dbus_p2p_go_neg_auth
Avichal Agarwal [Tue, 27 Oct 2015 06:47:15 +0000 (06:47 +0000)]
RSN: Check result of EAPOL-Key frame send request
Provide information on whether EAPOL-Key frame was sent successfully to
kernel for transmission. wpa_eapol_key_send() will return
>= 0 on success and < 0 on failure. After receiving EAPOL-Key msg 3/4,
wpa_supplicant sends EAPOL-Key msg 4/4 and shows CTRL-EVENT-CONNECTED
only after verifying that the msg 4/4 was sent to kernel for
transmission successfully.
Matthias May [Mon, 26 Oct 2015 08:38:01 +0000 (09:38 +0100)]
Extend the range of values for the RTS threshold
Since we have HT rates the maximum frame size is no longer 2346. The
usual maximum size of an A-MPDU is 65535. To disable RTS, the value -1
is already internally used. Allow it in the configuration parameter.
Signed-off-by: Matthias May <matthias.may@neratec.com>
The previously used invalid values will become allowed with the
following commits, so change the test case to use values that both were
and will continue to be invalid to avoid unnecessary failures.
hostapd: Add feature to start all interfaces at the same time in sync
When multiple interfaces across multiple radios are started using a
single instance of hostapd, they all come up at different times
depending upon how long the ACS and HT scan take on each radio. This
will result in stations (that already have the AP profile) associating
with the first interface that comes up. For example in a dual band
radio case (2G and 5G) with ACS enabled, 2G always comes up first
because the ACS scan takes less time on 2G and this results in all
stations associating with the 2G interface first.
This feature brings up all the interfaces at the same time. The list of
interfaces specified via hostapd.conf files on the command line are all
marked as sync interfaces. All the interfaces are synchronized in
hostapd_setup_interface_complete().
This feature is turned on with '-S' command line option.
Hu Wang [Mon, 26 Oct 2015 21:40:59 +0000 (23:40 +0200)]
P2P: Filter control chars in group client device name similarly to peer
P2P device discovery can add peer entries based on a message directly
from a peer and from a Probe Response frame from a GO for all the P2P
Clients in the group. The former case was filtering out control
characters from the device name while the latter was not. Make this
consistent and filter both cases in the same way to avoid confusing
external programs using the device name of a P2P peer.
Sunil Dutt [Tue, 20 Oct 2015 04:20:51 +0000 (09:50 +0530)]
TDLS: Do not send error case of TPK M3 if TX fails
There is no point in sending TPK M3 (TDLS Setup Confirm) with a failure
status if the first transmission attempt fails. Instead, just return a
failure by disabling the link rather than retransmitting the TPK M3
frame with an error status.
Jouni Malinen [Sun, 25 Oct 2015 18:43:15 +0000 (20:43 +0200)]
Do not write ERROR level log entries if debug file is not used
wpa_debug_reopen_file() used to write an error message at MSG_ERROR
level if it was called with last_path == NULL (the last debug log file
path not known). This is not a fatal error, but a normal case if
wpa_debug_open_file() has not been used. Remove the error message and
return success in such case.
l2_packet: Add build option to disable Linux packet socket workaround
Linux packet socket workaround (*) has an impact on performance when the
workaround socket needs to be kept open to receive EAPOL frames. While
this is normally avoided with a kernel that has the issue addressed by
closing the workaround packet socket when detecting a frame through the
main socket, it is possible for that mechanism to not be sufficient,
e.g., when an open network connection (no EAPOL frames) is used.
Add a build option (CONFIG_NO_LINUX_PACKET_SOCKET_WAR=y) to disable the
workaround. This build option is disabled by default and can be enabled
explicitly on distributions which have an older kernel or a fix for the
kernel regression.
Also remove the unused variable num_rx.
(*) Linux kernel commit 576eb62598f10c8c7fd75703fe89010cdcfff596
('bridge: respect RFC2863 operational state') from 2012 introduced a
regression for using wpa_supplicant with EAPOL frames and a station
interface in a bridge.
Signed-off-by: Mohammed Shafi Shajakhan <mohammed@qti.qualcomm.com>
Jouni Malinen [Sun, 25 Oct 2015 13:12:58 +0000 (15:12 +0200)]
RSN: Do not try to connect if PMF disabled and AP requires it
Instead of trying to associate in configuration that is known to result
in the AP rejecting the association, reject the BSS candidate based on
the MFPR=1 RSN capability when STA configuration has PMF disabled.
Jouni Malinen [Sun, 25 Oct 2015 12:45:09 +0000 (14:45 +0200)]
WNM: Verify WNM Sleep Mode element length
This element is required to have at least four octets of actual payload.
This was not previously verified before use and the extra buffer data
after the IE might have been used instead if a received WNM-Sleep Mode
Response frame was invalid.
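As an added, stand-alone example (not hostap code) of the length check the WNM entry above describes: an element walker that rejects a WNM-Sleep Mode element whose announced length is shorter than its four mandatory payload octets, or whose body extends past the end of the received frame, instead of reading the buffer data that follows it. The element ID and field layout follow IEEE 802.11; the struct, function names and the sample frame bodies are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define EID_WNM_SLEEP_MODE 93    /* IEEE 802.11 element ID: WNM-Sleep Mode */
#define WNM_SLEEP_MODE_MIN_LEN 4 /* Action Type, Response Status, Interval */

struct wnm_sleep_elem {
	uint8_t action_type;
	uint8_t resp_status;
	uint16_t interval; /* carried little-endian in the frame */
};

/* Walk the element list in buf[0..len) and extract the WNM-Sleep Mode
 * element. Returns 1 if found and well formed, 0 if absent, -1 if the list
 * is truncated or the element is shorter than its four mandatory octets. */
int parse_wnm_sleep_mode(const uint8_t *buf, size_t len,
			 struct wnm_sleep_elem *out)
{
	size_t pos = 0;
	while (pos < len) {
		uint8_t eid, elen;
		/* Both the Element ID and Length octets must be present. */
		if (len - pos < 2)
			return -1;
		eid = buf[pos];
		elen = buf[pos + 1];
		/* The element body must lie entirely inside the buffer. */
		if (elen > len - pos - 2)
			return -1;
		if (eid == EID_WNM_SLEEP_MODE) {
			const uint8_t *p = buf + pos + 2;
			/* Reject a short element rather than interpreting the
			 * octets that happen to follow it as its fields. */
			if (elen < WNM_SLEEP_MODE_MIN_LEN)
				return -1;
			out->action_type = p[0];
			out->resp_status = p[1];
			out->interval = (uint16_t) (p[2] | (p[3] << 8));
			return 1;
		}
		pos += 2 + elen;
	}
	return 0;
}

/* Constructed: an unrelated element followed by a well-formed WNM-Sleep
 * Mode element (action 1, status 0, interval 10). Returns the interval. */
int demo_valid(void)
{
	const uint8_t body[] = { 0xdd, 0x01, 0x00,
				 EID_WNM_SLEEP_MODE, 4, 1, 0, 10, 0 };
	struct wnm_sleep_elem e;
	if (parse_wnm_sleep_mode(body, sizeof(body), &e) != 1)
		return -1;
	return e.interval;
}

/* Constructed: the element claims only 2 payload octets; the 0x55 0x66
 * that follow must not be read as the Interval field. Expect -1. */
int demo_short_element(void)
{
	const uint8_t body[] = { EID_WNM_SLEEP_MODE, 2, 1, 0, 0x55, 0x66 };
	struct wnm_sleep_elem e;
	return parse_wnm_sleep_mode(body, sizeof(body), &e);
}

/* Constructed: the element length runs past the end of the frame. Expect -1. */
int demo_truncated(void)
{
	const uint8_t body[] = { EID_WNM_SLEEP_MODE, 9, 1, 0, 10, 0 };
	struct wnm_sleep_elem e;
	return parse_wnm_sleep_mode(body, sizeof(body), &e);
}

int main(void)
{
	printf("valid interval: %d, short: %d, truncated: %d\n",
	       demo_valid(), demo_short_element(), demo_truncated());
	return 0;
}
```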