Jouni Malinen [Sat, 9 Mar 2019 10:21:27 +0000 (12:21 +0200)]
Fix AP MLME in driver handling of FT and SA Query Action frames
hostapd_action_rx() was pointing at incorrect field (Action vs.
Category) for the wpa_ft_action_rx() call and the length check for SA
Query Action frames. This resulted in those frames getting dropped as
invalid (FT) or ignored as truncated (SA Query). Fix this by pointing to
the correct place at the beginning of the frame body.
This issue had a long history. These were broken during cleanup in
commit dbfb8e82ff69 ("Remove unnecessary EVENT_RX_ACTION") which
actually fixed the initial reason for the error accidentally. It was
just that that error was needed to cancel out another earlier error..
One of the errors came from misuse of the EVENT_RX_ACTION API in commit deca6eff7441 ("atheros: Add new IEEE 802.11r driver_ops"). That pointed
struct rx_action data/len to cover the Action frame from the Category
field to the end of the frame body while the API was documented to cover
Action field to the end of the frame body. This error was cancelled by
another error in commit 88b32a99d308 ("FT: Add FT AP support for drivers
that manage MLME internally") that called wpa_ft_action_rx() with the
struct rx_action::data field as the second argument. That argument needs
to point to the Category field, but that struct rx_action field was
supposed to point to the Action field.
Number of the Action frame handlers added into hostapd_action_rx() had
been fixed more or less accidentally after this in various other
commits, but the FT and SA Query handlers had ended up maintaining the
incorrect operations. This is now fixing those.
This seems to fix at least some cases of FT-over-DS with drivers that
use driver-based AP MLME. Such drivers might use internal SA Query
processing, so it is not clear whether that part actually fixes any real
issues.
Jouni Malinen [Sat, 9 Mar 2019 09:33:49 +0000 (11:33 +0200)]
tests: Use run_ap_ft_pmf_bip_over_ds() for ap_ft_pmf_over_ds
No need to duplicate this functionality when all the ap_ft_pmf_*_over_ds
test cases are doing practically the same thing and the
no-specific-cipher-configuration case can be addressed easily with the
same helper function.
Masashi Honma [Sun, 3 Mar 2019 00:52:22 +0000 (09:52 +0900)]
EAP-pwd server: Fix memory leak with salted passwords
The struct hostapd_eap_user changes with a new allocated variable were
not covered in the RADIUS server code. Fix this by using eap_user_free()
instead of custom memory freeing operation in radius_server.c.
The hwsim tests with salted password (ap_wpa2_eap_pwd_salt_sha1,
ap_wpa2_eap_pwd_salt_sha256, ap_wpa2_eap_pwd_salt_sha512) triggered
these memory leaks.
Fixes: d52ead3db7b2 ("EAP-pwd server: Add support for salted password databases") Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
Jouni Malinen [Fri, 8 Mar 2019 14:21:03 +0000 (16:21 +0200)]
SAE: Add Finite Cyclic Group field in status code 77 response
Copy the Finite Cyclic Group field value from the request to the
response Authentication frame if we end up rejecting the request due to
unsupported group.
IEEE Std 802.11-2016 has conflicting statements about this behavior.
Table 9-36 (Presence of fields and elements in Authentication frames)
indicates that the Finite Cyclic Group field is only included with
status code values 0 (success) and 76 (anti-clogging token request)
while SAE protocol description implying that the Finite Cyclic Group
field is set to the rejected group (12.4.8.6.3 and 12.4.8.6.4).
The standard language needs to cleaned up to describe this
unambiguously, but since it looks safe to add the field into the
rejection case and since there is desire to have the field present to be
able to implement what exactly is stated in 12.4.8.6.4, it looks
reasonable to move ahead with the AP mode implementation change. There
is no change in wpa_supplicant for now to modify its behavior based on
whether this field is present, i.e., wpa_supplicant will continue to
work with both the old and new hostapd behavior for SAE group
negotiation.
Jouni Malinen [Wed, 6 Mar 2019 22:27:12 +0000 (00:27 +0200)]
EAP-pwd: Fix a memory leak in hunting-and-pecking loop
tmp2 (y^2) was derived once in each iteration of the loop and only freed
after all the loop iterations. Fix this by freeing the temporary value
during each iteration.
Jouni Malinen [Wed, 6 Mar 2019 19:44:06 +0000 (21:44 +0200)]
WPS: Allow SAE configuration to be added automatically for PSK
The new wpa_supplicant configuration parameter wps_cred_add_sae=1 can be
used to request wpa_supplicant to add SAE configuration whenever WPS is
used to provision WPA2-PSK credentials and the credential includes a
passphrase (instead of PSK). This can be used to enable WPA3-Personal
transition mode with both SAE and PSK enabled and also with PMF enabled.
Jouni Malinen [Wed, 6 Mar 2019 19:41:44 +0000 (21:41 +0200)]
WPS: Allow AP SAE configuration to be added automatically for PSK
The new hostapd configuration parameter wps_cred_add_sae=1 can be used
to request hostapd to add SAE configuration whenever WPS is used to
configure the AP to use WPA2-PSK and the credential includes a
passphrase (instead of PSK). This can be used to enable WPA3-Personal
transition mode with both SAE and PSK enabled and PMF enabled for PSK
and required for SAE associations.
Sunil Dutt [Thu, 28 Feb 2019 09:39:29 +0000 (15:09 +0530)]
Vendor attribute to indicate a set_blacklist of BSSID only as a hint
The current/default behavior of set blacklist BSSID QCA vendor command
is a mandate to the driver - do not consider this BSSID for connect/roam
till reset.
There are use cases where this need not be a mandate and thus could
provide the flexibility for the driver to consider this BSSID if there
are no better ones. Such use cases can use this new flag attribute to
only hint the blacklist of a BSSID to the driver.
Jouni Malinen [Sun, 3 Mar 2019 14:56:14 +0000 (16:56 +0200)]
SAE: Reuse previously generated PWE on a retry with the same STA
Do not start SAE authentication from scratch if a STA starts a new
attempt for the same group while we still have previously generated PWE
available. Instead, use the previously generated PWE as-is and skip
anti-clogging token exchange since the heavy processing is already
completed. This saves unnecessary processing on the AP side in case the
STA failed to complete authentication on the first attempt (e.g., due to
heavy SAE load on the AP causing a timeout) and makes it more likely for
a valid STA to be able to complete SAE authentication during a DoS
attack.
Jouni Malinen [Sun, 3 Mar 2019 14:23:19 +0000 (16:23 +0200)]
SAE: Reuse previously generated PWE on a retry with the same AP
Do not start SAE authentication from scratch when the AP requests
anti-clogging token to be used. Instead, use the previously generated
PWE as-is if the retry is for the same AP and the same group. This saves
unnecessary processing on the station side in case the AP is under heavy
SAE authentiation load.
Jouni Malinen [Fri, 1 Mar 2019 20:05:52 +0000 (22:05 +0200)]
SAE: Enforce single use for anti-clogging tokens
Add a 16-bit token index into the anti-clogging token. This can be used
to enforce only a single use of each issued anti-clogging token request.
The token value is now token-index |
last-30-octets-of(HMAC-SHA256(sae_token_key, STA-MAC-address |
token-index)), i.e., the first two octets of the SHA256 hash value are
replaced with the token-index and token-index itself is protected as
part of the HMAC context data.
Track the used 16-bit token index values and accept received tokens only
if they use an index value that has been requested, but has not yet been
used. This makes it a bit more difficult for an attacker to perform DoS
attacks against the heavy CPU operations needed for processing SAE
commit since the attacker cannot simply replay the same frame multiple
times and instead, needs to request each token separately.
While this does not add significant extra processing/CPU need for the
attacker, this can be helpful in combination with the queued processing
of SAE commit messages in enforcing more delay during flooding of SAE
commit messages since the new anti-clogging token values are not
returned before the new message goes through the processing queue.
Jouni Malinen [Fri, 1 Mar 2019 17:54:51 +0000 (19:54 +0200)]
SAE: Process received commit message through a queue
This allows better control of processing new SAE sessions so that other
operations can be given higher priority during bursts of SAE requests,
e.g., during a potential DoS attack. The receive commit messages are
queued (up to maximum of 15 entries) and processed from eloop callback.
If the queue has multiple pending entries, more wait time is used to go
through the each new entry to reduce heavy CPU load from SAE processing.
Enable anti-clogging token use also based on the pending commit message
queue and not only based on the already started sessions.
Jouni Malinen [Tue, 5 Mar 2019 15:23:58 +0000 (17:23 +0200)]
SAE: Enable only groups 19, 20, and 21 in station mode
Remove groups 25 (192-bit Random ECP Group) and 26 (224-bit Random ECP
Group) from the default SAE groups in station mode since those groups
are not as strong as the mandatory group 19 (NIST P-256).
In addition, add a warning about MODP groups 1, 2, 5, 22, 23, and 24
based on "MUST NOT" or "SHOULD NOT" categorization in RFC 8247. All the
MODP groups were already disabled by default and would have needed
explicit configuration to be allowed.
Jouni Malinen [Tue, 5 Mar 2019 15:18:11 +0000 (17:18 +0200)]
SAE: Enable only group 19 by default in AP mode
Change the AP mode default for SAE to enable only the group 19 instead
of enabling all ECC groups that are supported by the used crypto library
and the SAE implementations. The main reason for this is to avoid
enabling groups that are not as strong as the mandatory-to-support group
19 (i.e., groups 25 and 26). In addition, this disables heavier groups
by default.
In addition, add a warning about MODP groups 1, 2, 5, 22, 23, and 24
based on "MUST NOT" or "SHOULD NOT" categorization in RFC 8247. All the
MODP groups were already disabled by default and would have needed
explicit configuration to be allowed.
Jouni Malinen [Tue, 5 Mar 2019 15:05:03 +0000 (17:05 +0200)]
Add explicit checks for peer's DH public key
Pass the group order (if known/specified) to crypto_dh_derive_secret()
(and also to OpenSSL DH_generate_key() in case of Group 5) and verify
that the public key received from the peer meets 1 < pubkey < p and
pubkey^q == 1 mod p conditions.
While all these use cases were using only ephemeral DH keys, it is
better to use more explicit checks while deriving the shared secret to
avoid unexpected behavior.
Jouni Malinen [Mon, 25 Feb 2019 19:58:28 +0000 (21:58 +0200)]
tests: More robust connect command testing
Avoid an invalid failure case due to scan results being left behind from
connect_cmd_bssid_hint when executing connect_cmd_reject_assoc by
explicitly clearing the scan results from dev5. This fixes an error case
that happened with the following test case sequence:
connect_cmd_bssid_hint connect_cmd_reject_assoc
Jouni Malinen [Mon, 25 Feb 2019 19:40:23 +0000 (21:40 +0200)]
tests: Make MACsec test cases clear monitor socket more thoroughly
The wpas (dev5) control interface socket did not always get cleared in
the MACsec test cases and this could result in issues with following
test cases if the dev5 message queue hit the maximum limit.
Lubomir Rintel [Tue, 19 Feb 2019 13:44:15 +0000 (14:44 +0100)]
defconfig: Enable RSN on IBSS networks (wpa_supplicant)
Fedora and Debian enable this. NetworkManager actually rejects such
configurations citing kernel bugs, but that actually might not be the
right thing to do anymore.
Jouni Malinen [Mon, 25 Feb 2019 17:29:02 +0000 (19:29 +0200)]
defconfig: Remove obsolete notes about OpenSSL requirements for EAP-FAST
OpenSSL 0.9.8 reached its end-of-life long time ago, so remove these old
notes about need of a newer OpenSSL version for EAP-FAST since all
current OpenSSL versions include the needed functionality.
Lubomir Rintel [Tue, 19 Feb 2019 13:44:14 +0000 (14:44 +0100)]
defconfig: Enable a handful of EAP methods (wpa_supplicant)
Fedora uses AKA, FAST, GPSK_SHA256, GPSK, IKEV2, PAX, SAKE and TNC. I
don't know why these in particular. AKA wouldn't work, because
CONFIG_PCSC is off anyways; let's enable all the other ones, and also
PWD (openSUSE enabled it because users demanded it).
Debian enables all of the above uses, but also PWD, AKA_PRIME, SIM, PSK
and EKE.
Jouni Malinen [Sat, 23 Feb 2019 16:54:54 +0000 (18:54 +0200)]
Fix a regression from VLAN assignment using WPA/WPA2 passphrase/PSK
This extension of VLAN assignment code had a bug in one of the code
paths where vlan_id could have been left uninitialized. This could
result in SAE authentication getting rejected in cases where VLAN
assignment is not used if the uninitialized stack memory had nonzero
value.
Fixes: dbfa691df4dc ("VLAN assignment based on used WPA/WPA2 passphrase/PSK") Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 23 Feb 2019 15:57:23 +0000 (17:57 +0200)]
Avoid compiler warning about potentially unaligned pointer value
(&mgmt->u.deauth.reason_code + 1) is not exactly clean and now that we
have the u8 variable[] member in the struct after this field, use that
directly to avoid clang compiler warning:
ctrl_iface_ap.c:454:18: error: taking address of packed member
'reason_code' of class or structure 'ieee80211_mgmt::(anonymous
union)::(anonymous)' may result in an unaligned pointer value
[-Werror,-Waddress-of-packed-member]
Jouni Malinen [Sat, 23 Feb 2019 15:39:38 +0000 (17:39 +0200)]
UBSan: Define FST LLT macros without integer overflow
FST_MAX_LLT_MS definition depended on undefined behavior with unsigned
integer overflow. Avoid that and also optimize the
FST_LLT_{MS_TO_VAL,VAL_TO_MS} macros to handle larger values without
overflowing 32-bit unsigned integers.
fst_session.c:1274:52: runtime error: unsigned integer overflow: 4294967295 * 32 cannot be represented in type 'unsigned int'
Jouni Malinen [Sat, 23 Feb 2019 14:24:19 +0000 (16:24 +0200)]
UBSan: Avoid NULL pointer dereferences on an error path
hapd->conf might be NULL in case initialized failed, so better be
prepared for that when debug printing interface name in the deinit path.
hostapd.c:312:54: runtime error: member access within null pointer of type 'struct hostapd_bss_config'
hostapd.c:351:29: runtime error: member access within null pointer of type 'struct hostapd_bss_config'
hostapd.c:2158:18: runtime error: member access within null pointer of type 'struct hostapd_bss_config'
Jouni Malinen [Sat, 23 Feb 2019 14:03:47 +0000 (16:03 +0200)]
UBSan: Avoid unsigned integer overflow in utf8_{,un}escape()
Split the if/while loop condition into two independent steps so that
in_size-- happens only in the case in_size is nonzero. This gets rid of
unnecessary UBSan warnings.
common.c:1087:16: runtime error: unsigned integer overflow: 0 - 1 cannot be represented in type 'size_t' (aka 'unsigned long')
common.c:1076:16: runtime error: unsigned integer overflow: 0 - 1 cannot be represented in type 'size_t' (aka 'unsigned long')
common.c:1119:16: runtime error: unsigned integer overflow: 0 - 1 cannot be represented in type 'size_t' (aka 'unsigned long')
Jouni Malinen [Sat, 23 Feb 2019 12:03:59 +0000 (14:03 +0200)]
UBSan: Avoid unnecessary warning
elems->mic might be NULL here, so do not try to decrement it by 2 even
if the result is not used anywhere due to a latter check for elems->mic
being NULL.
mesh_rsn.c:646:20: runtime error: pointer index expression with base 0x000000000000 overflowed to 0xfffffffffffffffe
Jouni Malinen [Sat, 23 Feb 2019 11:57:51 +0000 (13:57 +0200)]
UBSan: Avoid an unsigned integer overflow warning
ext_supp_rates_len would be 0 here, so decrementing it by 2 will result
in unsigned integer overflow even if that result is not actually used
anywhere. Avoid that to get rid of the UBSan warning.
tdls.c:1597:27: runtime error: unsigned integer overflow: 0 - 2 cannot be represented in type 'unsigned long'
Jouni Malinen [Sat, 23 Feb 2019 11:54:33 +0000 (13:54 +0200)]
UBSan: Pack MACsec peer id structure
This is needed to avoid an UBSan warning and since this struct is used
as part of a message construction, it needs to be packed anyway to
guarantee correct functionality.
ieee802_1x_kay.c:1021:3: runtime error: member access within misaligned address 0x0000031921e2 for type 'struct ieee802_1x_mka_peer_id', which requires 4 byte alignment
Jouni Malinen [Sat, 23 Feb 2019 11:44:20 +0000 (13:44 +0200)]
UBSan: Use typecast to avoid unsigned integer overflow
iface->num_bss is unsigned integer, so need to explicit typecast it to
unsigned before decrementation by one even when the result is stored in
an unsigned integer.
../src/ap/hostapd.c:2185:26: runtime error: unsigned integer overflow: 0 - 1 cannot be represented in type 'unsigned long'
Jouni Malinen [Sat, 23 Feb 2019 10:59:10 +0000 (12:59 +0200)]
UBSan: Fix RRM beacon processing attempt without scan_info
Some driver interfaces (e.g., wext) might not include the
data->scan_info information and data could be NULL here. Do not try to
call the RRM handler in this case since that would dereference the NULL
pointer when determining where scan_info is located and could
potentially result in trying to read from unexpected location if RRM is
enabled with a driver interface that does not support it.
events.c:1907:59: runtime error: member access within null pointer of type 'union wpa_event_data'
Jouni Malinen [Sat, 23 Feb 2019 10:49:17 +0000 (12:49 +0200)]
UBSan: Avoid size_t variable overflow in control interface
The loop "if (i-- == 0) break" style construction works in practice fine
since the check against 0 is done before decrementation. However, this
hits an UBSan warning, so split that decrementation to happen as a
separate step after the check and break from the loop.
ctrl_iface.c:5086:9: runtime error: unsigned integer overflow: 0 - 1 cannot be represented in type 'size_t' (aka 'unsigned long')
Jouni Malinen [Sat, 23 Feb 2019 10:42:20 +0000 (12:42 +0200)]
UBSan: Avoid unsigned integer overflow is throughput estimation
wpa_scan_result_compar() would return wb->est_throughput -
wa->est_throughput in case the comparison is done based on the
throughput estimates. While the return value from this function is a
signed integer, these est_throughput values are unsigned integers and
need to be explicitly typecast to avoid an UBSan warning.
scan.c:1996:30: runtime error: unsigned integer overflow: 54000 - 135000 cannot be represented in type 'unsigned int'
Jouni Malinen [Sat, 23 Feb 2019 10:07:21 +0000 (12:07 +0200)]
Modify dl_list_for_each() to not use unaligned access with WPA_TRACE
UBSan testing with WPA_TRACE=y ended up hitting an unaligned access for
struct os_alloc_trace in os_program_deinit() because of the
dl_list_for_each() design that looked like dereferencing the member
element of the list head which is something that does not exist.
Get the first entry from the list using dl_list_first() so that the
empty list special case is covefred and compare item pointers instead of
struct dl_list pointers to check whether the end of the loop has been
reached.
Lior David [Wed, 6 Feb 2019 10:33:35 +0000 (12:33 +0200)]
Fix cipher suite selector default value in RSNE for DMG
According to IEEE Std 802.11-2016, 9.4.2.25 when fields of an RSNE are
not included, the default values are used. The cipher suite defaults
were hardcoded to CCMP in the previous implementation, but the default
is actually different for DMG: GCMP (per 9.4.2.25.2).
It is not possible to find out from the RSNE if the network is non-DMG
or DMG, so callers of wpa_parse_wpa_ie_rsn() need to handle this case
based on context, which can be different for each caller.
In order to fix this issue, add flags to the wpa_ie_data indicating
whether pairwise/group ciphers were included in the RSNE. Callers can
check these flags and fill in the appropriate ciphers. The
wpa_parse_wpa_ie_rsn() function still initializes the ciphers to CCMP by
default so existing callers will not break. This change also fixes some
callers which need to handle the DMG network case.
Add a vendor attribute for specifying ethernet protocol type
This new QCA vendor attribute adds provision to specify the
ethernet protocol id from userspace to the packets which are
offloaded to the driver/firmware (e.g., IPv4, IPv6).
Davina Lu [Tue, 12 Feb 2019 14:35:26 +0000 (15:35 +0100)]
hostapd: Support Multi-AP backhaul STA onboarding with WPS
The Wi-Fi Alliance Multi-AP Specification v1.0 allows onboarding of a
backhaul STA through WPS. To enable this, the WPS Registrar offers a
different set of credentials (backhaul credentials instead of fronthaul
credentials) when the Multi-AP subelement is present in the WFA vendor
extension element of the WSC M1 message.
Add new configuration options to specify the backhaul credentials for
the hostapd internal registrar: multi_ap_backhaul_ssid,
multi_ap_backhaul_wpa_psk, multi_ap_backhaul_wpa_passphrase. These are
only relevant for a fronthaul SSID, i.e., where multi_ap is set to 2 or
3. When these options are set, pass the backhaul credentials instead of
the normal credentials when the Multi-AP subelement is present.
Ignore the Multi-AP subelement if the backhaul config options are not
set. Note that for an SSID which is fronthaul and backhaul at the same
time (i.e., multi_ap == 3), this results in the correct credentials
being sent anyway.
The security to be used for the backaul BSS is fixed to WPA2PSK. The
Multi-AP Specification only allows Open and WPA2PSK networks to be
configured. Although not stated explicitly, the backhaul link is
intended to be always encrypted, hence WPA2PSK.
To build the credentials, the credential-building code is essentially
copied and simplified. Indeed, the backhaul credentials are always
WPA2PSK and never use per-device PSK. All the options set for the
fronthaul BSS WPS are simply ignored.
Signed-off-by: Davina Lu <ylu@quantenna.com> Signed-off-by: Igor Mitsyanko <igor.mitsyanko.os@quantenna.com> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be> Cc: Marianna Carrera <marianna.carrera.so@quantenna.com>
Davina Lu [Tue, 12 Feb 2019 14:35:25 +0000 (15:35 +0100)]
wpa_supplicant: Support Multi-AP backhaul STA onboarding with WPS
The Wi-Fi Alliance Multi-AP Specification v1.0 allows onboarding of a
backhaul STA through WPS. To enable this, the backhaul STA needs to add
a Multi-AP IE to the WFA vendor extension element in the WSC M1 message
that indicates it supports the Multi-AP backhaul STA role. The Registrar
(if it support Multi-AP onboarding) will respond to that with a WSC M8
message that also contains the Multi-AP IE, and that contains the
credentials for the backhaul SSID (which may be different from the SSID
on which WPS is performed).
Introduce a new parameter to wpas_wps_start_pbc() and allow it to be
set via control interface's new multi_ap=1 parameter of WPS_PBC call.
multi_ap_backhaul_sta is set to 1 in the automatically created SSID.
Thus, if the AP does not support Multi-AP, association will fail and
WPS will be terminated.
Only wps_pbc is supported.
This commit adds the multi_ap argument only to the control socket
interface, not to the D-Bus interface.
Since WPS associates with the fronthaul BSS instead of the backhaul BSS,
we should not drop association if the AP announces fronthaul-only BSS.
Still, we should only do that in the specific case of WPS. Therefore,
add a check to multi_ap_process_assoc_resp() to allow association with a
fronthaul-only BSS if and only if key_mgmt contains WPS.
Signed-off-by: Davina Lu <ylu@quantenna.com> Signed-off-by: Igor Mitsyanko <igor.mitsyanko.os@quantenna.com> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be> Signed-off-by: Daniel Golle <daniel@makrotopia.org> Cc: Marianna Carrera <marianna.carrera.so@quantenna.com>
The Multi-AP specification adds a new subelement to the WFA extension
element in the WPS exchange. Add an additional parameter to
wps_build_wfa_ext() to add this subelement. The subelement is only added
if the parameter is nonzero. Note that we don't reuse the existing
MULTI_AP_SUB_ELEM_TYPE definition here, but rather define a new
WFA_ELEM_MULTI_AP, to make sure the enum of WFA subelement types for WPS
vendor extension remains complete.
For now, all callers set the multi_ap_subelem parameter to 0.
tests: Update multi_ap_fronthaul_on_ap to match implementation
Now that the backhaul STA Multi-AP association is not rejected anymore
by the AP, update the test case to expect disconnection to be triggered
by the STA.
Multi-AP: Don't reject backhaul STA on fronthaul BSS
The Multi-AP specification only specifies that information elements have
to be added to the Association Request and Association Response frame;
it doesn't specify anything about what should be done in case they are
missing. Previously, we rejected non-backhaul associations on a
backhaul-only BSS, and non-fronthaul associations on a fronthaul-only
BSS.
However, this makes WPS fail when fronthaul and backhaul are separate
SSIDs. Indeed, WPS for the backhaul link is performed on the *fronthaul*
SSID. Thus, the Association Request frmae used for WPS *will* contain
the Multi-AP IE indicating a backhaul STA. Rejecting that association
makes WPS fail.
Therefore, accept a multi-AP backhaul STA Association Request frame on a
fronthaul-only BSS. Still issue a warning about it, but only at level
DEBUG intead of INFO. Also change the condition checking to make it
clearer.
While we're at it, also fix the handling of unexpected bits in the
Multi-AP IE. 4 bits are reserved in the specification, so these
certainly have to be ignored. The specification also doesn't say that
setting one of the other bits is not allowed. Therefore, only report
unexpected values in the Multi-AP IE, don't reject because of it. Note
that a malformed IE (containing more than one byte) still triggers a
rejection.
HS 2.0: Make hs20-osu-client SP and <FQDN> directories group writable
This updates SP/<FQDN> directory with following permissions on Android
to allow moving certificate at runtime from Cert/ to SP/<FQDN> folder:
- user:read/write/exec
- group:read/write/exec
(i.e., add group write permission)
Jouni Malinen [Mon, 18 Feb 2019 16:46:40 +0000 (18:46 +0200)]
mesh: More consistent checking of wpa_s->ifmsh in completion handler
It does not look like wpa_s->ifmsg could be NULL here, but better be
more consistent anyway to keep static analyzers happier by avoiding
dereference of wpa_s->ifmsh in the function before the NULL check for
it.
Jouni Malinen [Mon, 18 Feb 2019 16:24:52 +0000 (18:24 +0200)]
Fix wpa_psk_file parser error case handling
str_token() can return NULL for the name if the remaining token contains
only the delimiter. Fix this to avoid NULL pointer dereference with a
corner case of an invalid value used in the configuration.
Fixes: ec5c39a5574d ("AP: Allow identifying which passphrase station used with wpa_psk_file") Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Jouni Malinen [Mon, 18 Feb 2019 16:19:06 +0000 (18:19 +0200)]
tests: Mark log files to use utf-8 encoding
This seems to be needed when using python3 in VM for the ssid_utf8 test
case debug prints from the control interface requests. This breaks
python2 support for the same logging entries, but there does not seem to
be any easy way of addressing this in a manner that works for both
python versions, so move ahead with the python3-only support from now
on.
Jouni Malinen [Sun, 17 Feb 2019 15:22:37 +0000 (17:22 +0200)]
SAE: VLAN assignment based on SAE Password Identifier
The new sae_password parameter [|vlanid=<VLAN ID>] can now be used to
assign stations to a specific VLAN based on which SAE Password
Identifier they use. This is similar to the WPA2-Enterprise case where
the RADIUS server can assign stations to different VLANs and the
WPA2-Personal case where vlanid parameter in wpa_psk_file is used.
Jouni Malinen [Sun, 17 Feb 2019 14:55:50 +0000 (16:55 +0200)]
tests: Force diff chan in p2ps_channel_active_go_and_station_different_mcc
This test case was failing pretty frequently due to an issue in being
able to send out the Provision Discovery Response frame on the operating
channel. Now that wpa_supplicant has a fix for that issue, modify this
test case to hit this error condition every time. In addition, make sure
the possible exception from p2ps_exact_seek() does not get hidden with a
failing remove_group() call in the finally section.
Jouni Malinen [Sun, 17 Feb 2019 14:53:03 +0000 (16:53 +0200)]
P2P: Stop listen state if Action frame TX is needed on another channel
This speeds up P2P responses to frames received on an operating channel
in case there is an ongoing P2P listen operation on another channel.
This is applicable to drivers that support multiple channels in
concurrently.
This addresses an issue showing up in the
p2ps_channel_active_go_and_station_different_mcc test case where the
Provision Discovery Request frame can be received on the operating
channel of a group instead of the Listen channel. The response was
delayed until the listen operation timed out and this took too long time
for the peer to receive the response.
Jouni Malinen [Thu, 14 Feb 2019 20:24:16 +0000 (22:24 +0200)]
Indicate wifi_generation in wpa_supplicant STATUS output
This adds a wifi_generation=4/5/6 line to the STATUS output if the
driver reports (Re)Association Request frame and (Re)Association
Response frame information elements in the association or connection
event. Only the generations 4 (HT = 802.11n), 5 (VHT = 802.11ac), and 6
(HE = 802.11ax) are reported.
Jouni Malinen [Thu, 14 Feb 2019 20:01:20 +0000 (22:01 +0200)]
nl80211: (Re)Association Request frame IEs from association event
Process NL80211_ATTR_REQ_IE from the NL80211_CMD_ASSOCIATE event to
allow request IEs to be made available for the SME-in-wpa_supplicant
case similarly to how this is done with SME-in-driver with
NL80211_CMD_CONNECT.