Jouni Malinen [Sun, 12 Feb 2017 15:40:34 +0000 (17:40 +0200)]
WNM: Remove unused code from BSS TM Req generation
The url argument to ieee802_11_send_bss_trans_mgmt_request() was
hardcoded to NULL in the only caller, so this code cannot be reached.
wnm_send_bss_tm_req() construct the same frame with more generic
parameters, including option for including the URL, so
ieee802_11_send_bss_trans_mgmt_request() can be simplified.
Jouni Malinen [Sun, 12 Feb 2017 09:43:54 +0000 (11:43 +0200)]
WNM: Fix WNM-Sleep Mode Request parsing for WNM-Sleep element
The length of the WNM-Sleep element was not verified before using it.
This could result in reading the subfields in this element (total of
four octets) beyond the end of the buffer. Fix this by ignoring the
element if it is not long enough to contain all the subfields.
Jouni Malinen [Sun, 12 Feb 2017 09:15:49 +0000 (11:15 +0200)]
PeerKey: Remove dead code related to STSL negotiation state
The struct wpa_stsl_negotiation seemed to have been for some kind of
tracking of state of PeerKey negotiations within hostapd. However,
nothing is actually adding any entries to wpa_auth->stsl_negotiations or
using this state. Since PeerKey does not look like something that would
be deployed in practice, there is no justification to spend time on
making this any more complete. Remove the dead code now instead of
trying to figure out what it might be used for.
Jouni Malinen [Sat, 11 Feb 2017 08:21:56 +0000 (10:21 +0200)]
Sync android.config with wpa_supplicant defconfig changes
This adds new edits from defconfig to android.config. No new build
options are enabled, i.e., this is only bringing in comment updates and
new parameters in commented out form.
vamsi krishna [Tue, 15 Nov 2016 09:42:44 +0000 (15:12 +0530)]
Add support to sched scan to report relatively better BSSs
Add support to set sched scan relative RSSI parameters so that the
drivers can report BSSs after relative comparision with the current
connected BSS. This feature is applicable only when in connected mode.
The below commands can be used to configure relative RSSI parameters
SET relative_rssi <disable|rssi_value>
disable - to disable the feature
rssi_value - amount of relative RSSI in dB
SET relative_band_adjust <band:adjust_value>
band - "2G" or "5G" for 2.4 GHz or 5 GHz respectively
adjust_value - amount of RSSI to be adjusted in dB
Issue: When 2 peers are running MACsec in PSK mode with CA
established, if the interface goes down and comes up after
time > 10 seconds, CA does not get re-established.
Root cause: This is because retry_count of both the peers
would have reached MAX_RETRY_CNT and stays idle for other to
respond. This is clear deadlock situation where peer A waits
for MKA packets from peer B to wake up and vice-versa.
Fix: If MACsec is running in PSK mode, we should send MKPDUs
forever for every 2 seconds.
Signed-off-by: Badrish Adiga H R <badrish.adigahr@gmail.com>
Jouni Malinen [Fri, 10 Feb 2017 16:55:26 +0000 (18:55 +0200)]
EAP: Call deinit_for_reauth() for Phase 2 EAP methods
EAP-TTLS/PEAP/FAST were previously doing this for init_for_reauth(), but
not for deinit_for_reauth(). Add the deinit_for_reauth() call as well to
cover cases like EAP-AKA cleaup of AT_CHECKCODE data.
Jouni Malinen [Fri, 10 Feb 2017 16:54:20 +0000 (18:54 +0200)]
EAP-AKA: Don't use anonymous identity in phase2
This adds the same changes to EAP-AKA that were previous done for
EAP-SIM to allow functionality within an EAP-TTLS/PEAP/FAST tunnel
without causing issues to the phase 1 identity string.
Paul Stewart [Thu, 9 Feb 2017 01:47:57 +0000 (17:47 -0800)]
EAP-SIM: Don't use anonymous identity in phase2
The "anonymous_identity" configuration field has more than one
semantic meaning. For tunneled EAP methods, this refers to the
outer EAP identity. For EAP-SIM, this refers to the pseudonym
identity. Also, interestingly, EAP-SIM can overwrite the
"anonymous_identity" field if one is provided to it by the
authenticator.
When EAP-SIM is tunneled within an outer method, it makes sense
to only use this value for the outer method, since it's unlikely
that this will also be valid as an identity for the inner EAP-SIM
method. Also, presumably since the outer method protects the
EAP-SIM transaction, there is no need for a pseudonym in this
usage.
Similarly, if EAP-SIM is being used as an inner method, it must
not push the pseudonym identity using eap_set_anon_id() since it
could overwrite the identity for the outer EAP method.
Paul Stewart [Thu, 9 Feb 2017 00:46:41 +0000 (16:46 -0800)]
EAP peer: Cache decrypted requests for EAP-SIM/AKA/AKA'
Add an internal flag which indicates to tunneled EAP methods (FAST,
PEAP, TTLS) that they should cache decrypted EAP-SIM/AKA/AKA' requests.
This allows EAP-SIM/AKA/AKA' to be tunneled within these outer methods
while using an external SIM authenticator over the control interface.
Jouni Malinen [Thu, 9 Feb 2017 11:23:00 +0000 (13:23 +0200)]
RRM: Fix Range Request max age parsing
This 16-bit field uses little endian encoding and it must be read with
WPA_GET_LE16() instead of assuming host byte order is little endian. In
addition, this could be misaligned, so using a u16 pointer here was not
appropriate.
Jouni Malinen [Wed, 8 Feb 2017 15:37:50 +0000 (17:37 +0200)]
Fix MAC ACL query freeing on deinit
hapd->acl_cache and hapd->acl_queries were not reset back to NULL in
hostapd_acl_deinit() when cached results and pending ACL queries were
freed. This left stale pointers to freed memory in hapd. While this was
normally followed by freeing of the hapd data, it is possible to re-use
that hapd when disabling and re-enabling an interface. That sequence
could result in use of freed memory if done while there were cached
results or pending ACL operations with a RADIUS server (especially, if
that server did not reply).
Fix this by setting hapd->acl_queries to NULL when the pending entries
are freed.
Jouni Malinen [Wed, 8 Feb 2017 11:53:11 +0000 (13:53 +0200)]
tests: Make ap_wps_er_http_proto less likely to fail
The test step for concurrent HTTP connections seems to be failing quite
frequently when running in a virtual machine with run-tests.py (but not
that much with kvm and vm-run.sh). The failures are due to only 8 or 9
sockets getting a response from the HTTP server. This is sufficient for
testing purposes, to drop the pass criterium from 10 to 8 concurrent
connections. This avoids unnecessary test failures and also allows the
rest of the test case to be performed.
Sunil Dutt [Thu, 2 Feb 2017 12:49:45 +0000 (18:19 +0530)]
Serialize scan/p2p-scan if already scheduled on the same interface
The current implementation of QCA vendor scan does not handle the
simultaneous scan/p2p-scan operations on the same interface due to
missing support for tracking multiple scan cookie values. Hence
serialize such operations on the same interface for now.
Jouni Malinen [Tue, 7 Feb 2017 21:03:35 +0000 (23:03 +0200)]
tests: Clear country code at the end of wpas_config_file
This test case was mistakenly leaving the country code FI configured at
the end which could result in issues with the following test cases. Fix
this by explicitly clearing the country code back to world roaming 00 at
the end of wpas_config_file.
Jouni Malinen [Tue, 7 Feb 2017 20:48:20 +0000 (22:48 +0200)]
P2P: Clear driver scan cache after BSS_FLUSH
The only_new_results=1 scan parameter was previously set on other scan
cases, but not on the two P2P specific scan triggers. Set this also for
those P2P cases to get consistent behavior after BSS_FLUSH.
This was showing up with number of hwsim P2P test cases maintaining
unexpected scan results from previous test cases due to the flush
operation not really working correctly since the cfg80211 BSS table was
not explicitly cleared.
Jouni Malinen [Tue, 7 Feb 2017 18:50:33 +0000 (20:50 +0200)]
FILS: Clean up HLP resize check
The "!wpabuf_resize(...) == 0" condition does not make any sense. It
happens to work, but this is really supposed to simple check with
wpabuf_resize() returns non-zero and "wpabuf_resize(...)" is the
cleanest way of doing so.
Vamsi Krishna [Thu, 8 Dec 2016 16:21:25 +0000 (21:51 +0530)]
GAS: Add support to randomize transmitter address
Add support to send GAS requests with a randomized transmitter address
if supported by the driver. The following control interface commands
(and matching configuration file parameters) can be used to configure
different types of randomization:
"SET gas_rand_mac_addr 0" to disable randomizing TX MAC address,
"SET gas_rand_mac_addr 1" to randomize the complete TX MAC address,
"SET gas_rand_mac_addr 2" to randomize the TX MAC address except for OUI.
A new random MAC address will be generated for every
gas_rand_addr_lifetime seconds and this can be configured with
"SET gas_rand_addr_lifetime <timeout>".
Vamsi Krishna [Thu, 8 Dec 2016 16:21:25 +0000 (21:51 +0530)]
nl80211: Add support for mgmt_tx with random TA
This adds support for specifying a random TA for management frame
transmission commands and driver capability flags for indicating whether
this is supported in not-connected and connected states.
Jouni Malinen [Tue, 7 Feb 2017 15:46:29 +0000 (17:46 +0200)]
GAS: Fix OSU Providers List response with invalid configuration
If the OSU Providers configuration was invalid (included osu_server_uri
but not osu_method_list), it was possible for the GAS response
generation to hit a NULL dereference. Fix this by checking for the
invalid configuration before trying to fill in the OSU methods.
Masashi Honma [Tue, 7 Feb 2017 02:50:57 +0000 (11:50 +0900)]
VHT: Fill VHT capability with hardware capability
Previously, VHT capability was default value (=0x0000). This makes
VHT Capabilities Info in VHT Capabilities IE in mesh peering
open/confirm frame 0x0000. This patch fills it with hardware capability.
Jouni Malinen [Tue, 7 Feb 2017 09:08:24 +0000 (11:08 +0200)]
tests: Make go_search_non_social more robust
Try the initial scan on the operating channel twice before claiming a
test failure. It is possible for an active scan to fail to see the GO
especially if running the test under heavy load.
It can happen if the station is unreachable or sleeping longer than
the actual total GTK rekey timeout. To fix the latter case
wpa_group_update_count may be increased.
Add hostapd options wpa_group_update_count and wpa_pairwise_update_count
wpa_group_update_count and wpa_pairwise_update_count can now be used to
set the GTK and PTK rekey retry limits (dot11RSNAConfigGroupUpdateCount
and dot11RSNAConfigPairwiseUpdateCount). Defaults set to current
hardcoded value (4).
Some stations may suffer from frequent deauthentications due to GTK
rekey failures: EAPOL 1/2 frame is not answered during the total timeout
period of currently ~3.5 seconds. For example, a Galaxy S6 with Android
6.0.1 appears to go into power save mode for up to 5 seconds. Increasing
wpa_group_update_count to 6 fixed this issue.
Issue:
------
The test setup has 2 peers running MACsec in PSK mode, Peer A with
MAC address higher than MAC Address of peer B. Test sequence is
1. Peer B starts with actor_priority 255
2. Peer A starts with priority 16, becomes key server.
3. Peer A stops..
4. Peer A restarts with priority 255, but because of the stale values
participant->is_key_server(=TRUE) and participant->is_elected(=TRUE)
it continues to remain as Key Server.
5. For peer B, key server election happens and since it has lower MAC
address as compared to MAC address of A, it becomes the key server.
Now we have 2 key servers in CA and is not correct.
Root-cause & fix:
-----------------
When number of live peers become 0, the flags such lrx, ltx, orx,
otx, etc. need to be cleared. In MACsec PSK mode, these stale values
create problems while re-establishing CA.
Signed-off-by: Badrish Adiga H R <badrish.adigahr@gmail.com>
mka: Fix an incorrect update of participant->to_use_sak
API ieee802_1x_mka_decode_dist_sak_body() wrongly puts
participant->to_use_sak to TRUE, if Distributed SAK Parameter Set of
length 0 is received. In MACsec PSK mode, this stale incorrect value can
create problems while re-establishing CA. In MACsec PSK mode, CA goes
down if interface goes down and ideally we should be able to
re-establish the CA once interface comes up.
Signed-off-by: Badrish Adiga H R <badrish.adigahr@gmail.com>
Masashi Honma [Mon, 6 Feb 2017 11:07:44 +0000 (20:07 +0900)]
hs20-osu-client: Hide a trivial compiler warning
This patch hides a compiler warning:
osu_client.c: In function ‘cmd_osu_select’:
osu_client.c:2200:2: warning: ‘osu_count’ may be used uninitialized in this function [-Wmaybe-uninitialized]
for (i = 0; i < osu_count; i++) {
^
osu_count is actually initialized in parse_osu_providers() if non-NULL
value is returned.
Eduardo Abinader [Tue, 17 Jan 2017 10:59:03 +0000 (11:59 +0100)]
hw_features: Clean center freq for falling back HT40 channels
Some channels fail to be set, when falling back to 20 MHz, due to
remaining VHT info of center freq. As we are going to 20 MHz, reset the
VHT center frequency segment information as well.
Sunil Dutt [Tue, 31 Jan 2017 18:57:06 +0000 (00:27 +0530)]
P2P: Override P2P_PEER group_capab with 0 if no matching BSS entry found
Relying on the group_capab from the P2P peer information can result in
improper information on whether the peer is currently operating as a GO.
However, there is a known implementation in Android that does this.
To reduce issues from this misuse in upper layer to try to determine
whether a specific peer is operationg a group, override the group_capab
value in P2P_PEER output with 0 if there are no BSS entries with the
peer P2P Device as a GO. This is not a perfect information since there
may not have been a recent scan on all channels, but this results in
less issues than trying to decide between new group formation and
joining an existing group based on stale or incorrect information.
Since no upper layer application is really supposed to use the
group_capab field value in P2P_PEER command, this change should not
cause any impact for properly design components and the possibility of
regressions is limited to cases that are already known to work
incorrectly in number of identifiable cases.
Jouni Malinen [Sun, 5 Feb 2017 19:52:26 +0000 (21:52 +0200)]
Fix estimated throughput based skip-roam case
Commit 8d1e693186336f85bf5d86bd094b5c9bd6f8fd02 ('Use estimated
throughput to avoid signal based roaming decision') added a check for
the current BSS estimated throughput being significantly higher than the
selected BSS estimated throughput. However, this case for skipping a
roam used "return 1" which actually allows the roam. Fix this by
returning 0 in this case.
Dedy Lansky [Sun, 5 Feb 2017 10:52:09 +0000 (12:52 +0200)]
nl80211: Fix error while enabling AP mode with driver-SME
Following commit a70cd0db876b2ffad7e3d608e3f9a2fcf2e7a879 ('Don't
register for Beacon frames for IEEE 802.11ad AP'),
nl80211_get_wiphy_data_ap() is unconditionally called when starting AP.
This function tries to register for Beacon frames RX which fails for
some driver which don't support such registration and do not need it in
case the driver implements AP mode SME functionality.
Jouni Malinen [Sun, 5 Feb 2017 14:40:15 +0000 (16:40 +0200)]
FILS: Fix send_assoc_resp() HLP extension to cover sta == NULL
Commit 91d91abf6f9bf420643a9245b63f5ac8c6bbb18a ('FILS: DHCP relay for
HLP requests') added steps that are conditional on sta->fils_hlp_resp
being non-NULL. One of these cases within send_assoc_resp() was properly
protected from sta == NULL error case (that is now possible after a
recent DMG change), but the first one was not. A DMG error case in a
CONFIG_FILS=y build could have hit a NULL pointer dereference here. Fix
this by verifying sta != NULL more consistently.
Jouni Malinen [Sun, 5 Feb 2017 11:52:43 +0000 (13:52 +0200)]
Set EAPOL-Key Key Length field to 0 for group message 1/2 in RSN
P802.11i/D3.0 described the Key Length as having value 16 for the group
key handshake. However, this was changed to 0 in the published IEEE Std
802.11i-2004 amendment (and still remains 0 in the current standard IEEE
Std 802.11-2016). We need to maintain the non-zero value for WPA (v1)
cases, but the RSN case can be changed to 0 to be closer to the current
standard.
Jouni Malinen [Sun, 5 Feb 2017 11:39:57 +0000 (13:39 +0200)]
Do not send GNonce in EAPOL-Key group message 1/2
While the IEEE Std 802.11-2016 is still indicating that GNonce would be
exchanged in EAPOL-Key messages (see, e.g., Figure 12-52 showing the
Send EAPOL-Key operation in the REKEYNEGOTIATING state or the sample
group key handshake in Figure 12-47), there are also examples of
describing this field as having value zero (e.g., 12.7.7.2 Group key
handshake message 1).
GNonce is used only with the Authenticator and the Supplicant does not
have any use for it, so it is better not to expose that internal value.
Hardcode the Key Nonce field to 0 in EAPOL-Key group message 1/2.
Jouni Malinen [Sun, 5 Feb 2017 11:28:42 +0000 (13:28 +0200)]
Fix EAPOL-Key Install bit in Group Key 1/2 with FT and FILS auth
sm->Pair needs to be initialized to TRUE since unicast cipher is
supported and this is an ESS. However, the normal place for setting this
(WPA_PTK::INITIALIZE) is skipped with using FT protocol or FILS
authentication, so need to do that separately when forcing PTKINITDONE.
Jouni Malinen [Sat, 4 Feb 2017 20:17:54 +0000 (22:17 +0200)]
mesh: Fix struct hostapd_data initialization
The local custom version of allocating and initializing struct
hostapd_data within wpa_supplicant_mesh_init() is problematic. This has
already missed couple of initialization steps that are required. Instead
of trying to remember to keep this up to date, use
hostapd_alloc_bss_data() so that there is only one place for this
initialization.
This is fixing a recent issue where FILS HLP started using
hapd->dhcp_server and expected that to be initialized to -1. For the
mesh case, that did not happen and when removing the interface, the FILS
HLP implementation ended up unregistering eloop socket for
hapd->dhcp_server (= 0). This could result in missing socket callbacks
for an arbitrary socket.
Jouni Malinen [Sat, 4 Feb 2017 19:24:37 +0000 (21:24 +0200)]
mesh: Fix mesh interface removal fix
This wpa_drv_if_remove() call was previously modified to fix a different
issue, but that fix resulted in unconditional use of treed memory here
(wpa_supplicant_deinit_iface() frees wpa_s). Make a local copy of
wpa_s->parent to be able to use it after wpa_s is freed. The
mesh_if_created case has wpa_s->parent != wpa_s, so this should be
sufficient way of handling the wpa_drv_if_remove() call here.
Jouni Malinen [Sat, 4 Feb 2017 11:05:58 +0000 (13:05 +0200)]
FILS: Fix AES-SIV AAD for (Re)Association Request frame decryption
The hostapd processing of the AES-SIV AAD was incorrect. The design for
the AAD changed between P802.11ai/D7.0 and D8.0 from a single vector
with concatenated data to separate vectors. The change in the
implementation had missed the change in the aes_siv_decrypt() call for
the num_elem parameter. This happened to work with the mac80211
implementation due to a similar error there.
Fix this by using the correct numbers of vectors in the SIV AAD so that
all the vectors get checked. The last vector was also 14 octets too long
due to incorrect starting pointer, so fix that as well. The changes here
are not backwards compatible, i.e., a similar fix in the Linux mac80211
is needed to make things interoperate again.
Jouni Malinen [Fri, 3 Feb 2017 12:41:39 +0000 (14:41 +0200)]
ERP: Use macro for EMSKname length instead of hardcoded integer value
While RFC 5295 uses "8" as the value to use in the length field in KDF
context when deriving EMSKname, it is clearer to use the macro defining
EMSKname as the value since the KDF design in RFC 5295 encodes the
length of the derived data in octets in that part of the context data.
This change is just making the implementation easier to understand while
not actually changing the behavior.
Jouni Malinen [Fri, 3 Feb 2017 12:37:30 +0000 (14:37 +0200)]
ERP: Fix rIK derivation
Unlike the EMSKname and rRK derivations, rIK derivation is actually
using the "optional data" component in the context data (see RFC 5295).
RFC 6696 defines that optional data to be the cryptosuite field for rIK.
This was missing from the previous implementation and that resulted in
incorrect rIK being derived.
In addition, the rIK Label string does not actually include the "EAP "
prefix in the way as the rRK Label in RFC 6696 does. This would also
have resulted in incorrect rIK value.
Fix rIK derivation by adding the cryptosuite value into the KDF context
data and fixing the label string. This change is not backwards
compatible and breaks all ERP use cases (including FILS shared key
authentication) with older (broken) and new (fixed)
hostapd/wpa_supplicant builds.
Jouni Malinen [Tue, 31 Jan 2017 19:21:24 +0000 (21:21 +0200)]
FILS: Parse and report received FILS HLP Containers from response
The new FILS-HLP-RX control interface event is now used to report
received FILS HLP responses from (Re)Association Response frame as a
response to the HLP requests configured with FILS_HLP_REQ_ADD.
Jouni Malinen [Tue, 31 Jan 2017 12:38:44 +0000 (14:38 +0200)]
FILS: DHCP relay for HLP requests
The new dhcp_server configuration parameter can now be used to configure
hostapd to act as a DHCP relay for DHCPDISCOVER messages received as
FILS HLP requests. The dhcp_rapid_commit_proxy=1 parameter can be used
to configure hostapd to convert 4 message DHCP exchange into a 2 message
exchange in case the DHCP server does not support DHCP rapid commit
option.
The fils_hlp_wait_time parameter can be used to set the time hostapd
waits for an HLP response. This matches the dot11HLPWaitTime in IEEE Std
802.11ai-2016.
Jouni Malinen [Tue, 31 Jan 2017 12:00:12 +0000 (14:00 +0200)]
FILS: Move HLP request handling into a separate file
This is independent functionality from the core IEEE 802.11 management
handling and will increase significantly in size, so it is cleaner to
maintain this in a separate source code file.
Jouni Malinen [Tue, 31 Jan 2017 11:52:58 +0000 (13:52 +0200)]
Move DHCP definitions into a common file
These can be reused for other purposes than just the DHCP snoofing for
Proxy ARP. In addition, use more complete definition of the parameters
based on the current IANA registry.
Dedy Lansky [Tue, 17 Jan 2017 12:51:02 +0000 (14:51 +0200)]
AP: Check ACL upon association request for 802.11ad
With device_ap_sme disabled, ACL was checked upon authentication
request. In 802.11ad there is no authentication phase so need to check
ACL upon association.
projects / thirdparty / hostap.git / log
