Jouni Malinen [Sun, 3 Feb 2019 10:24:49 +0000 (12:24 +0200)]
tests: Replace str.translate() with str.replace()
This is needed for python3 since the two argument version of
str.translate() is not available for unicode. Furthermore, these cases
of delete colons from the string are simple enough for replace.
Jouni Malinen [Sat, 2 Feb 2019 10:49:23 +0000 (12:49 +0200)]
wpaspy: Convert to/from str to bytes as needed for python3
The control interface commands use mostly ASCII or UTF-8 strings, so
convert input/output to strings/bytes as needed for the socket
operations with python3.
Jouni Malinen [Fri, 1 Feb 2019 22:01:29 +0000 (00:01 +0200)]
PEAP: Explicitly clear temporary keys from memory when using CMK
The case of PEAPv0 with crypto binding did not clear some of the
temporary keys from stack/heap when those keys were not needed anymore.
Clear those explicitly to avoid unnecessary caching of keying material.
Jouni Malinen [Fri, 1 Feb 2019 21:52:28 +0000 (23:52 +0200)]
EAP-PEAP: Derive EMSK and use 128-octet derivation for MSK
Derive EMSK when using EAP-PEAP to enable ERP. In addition, change the
MSK derivation for EAP-PEAP to always derive 128 octets of key material
instead of the 64 octets to cover just the MSK. This is needed with the
PRF used in TLS 1.3 since the output length is mixed into the PRF
context.
Johannes Berg [Fri, 1 Feb 2019 20:31:59 +0000 (21:31 +0100)]
tests: wpasupplicant: Refactor code duplication in wait_global_event()
This code is identical to the wait_event() code, except for the
mon/global_mon instance. Create a _wait_event() function that
encapsulates this, and use it for both.
While at it, fix the bug in wait_global_event() where in the case
of not having a global_mon it always returns None.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Jouni Malinen [Wed, 30 Jan 2019 10:28:43 +0000 (12:28 +0200)]
DPP: Clear dpp_listen_freq on remain-on-channel failure
If the DPP_LISTEN command failed due to the driver rejecting the
remain-on-channel request, wpa_s->dpp_listen_freq was left set to the
requested listen frequency and this resulted in the next DPP_LISTEN for
the same frequency reporting "DPP: Already listening on .." even when
the driver was not really listening on that frequency. Fix this by
clearing wpa_s->dpp_listen_freq in the error case.
P2P: Allow the avoid channels for P2P discovery/negotiation
The avoid channels are notified through
QCA_NL80211_VENDOR_SUBCMD_AVOID_FREQUENCY allow minimal traffic, so
enhance the P2P behavior accordingly by considering these avoid
frequencies for P2P discovery/negotiation as long as they are not in
disallowed frequencies list.
Additionally, do not return failure when none of social channels are
available as operation channel, rather, mark the op_channel/op_reg_class
to 0 as this would anyway get selected during the group formation in
p2p_prepare_channel.
Jouni Malinen [Mon, 29 Oct 2018 19:10:27 +0000 (21:10 +0200)]
tests: WNM-Sleep Mode Request bounds checking for empty contents
The wnm_sleep_mode_proto test case was already covering number of
invalid WNM-Sleep Mode Request frame cases, but it was missing the
shortest possible case with a missing Dialog Token field. Add that as a
regression test case for bounds checking in
ieee802_11_rx_wnmsleep_req().
Jouni Malinen [Mon, 29 Oct 2018 18:48:07 +0000 (20:48 +0200)]
WNM: Fix WNM-Sleep Mode Request bounds checking
ieee802_11_rx_wnmsleep_req() might have been called for a short frame
that has no more payload after the Public Action field, i.e., with len
== 0. The bounds checking for the payload length was done only for the
information elements while the one octet Dialog Token field was read
unconditionally. In the original implementation, this could have
resulted in reading one octet beyond the end of the received frame data.
This case has not been reachable after the commit e0785ebbbd18 ("Use
more consistent Action frame RX handling in both AP mode paths"), but it
is better to address the specific issue in ieee802_11_rx_wnmsleep_req()
as well for additional protection against accidential removal of the
check and also to have something that can be merged into an older
version (pre-v2.7) if desired. The comments below apply for such older
versions where the case could have been reachable.
Depending on driver interface specific mechanism used for fetching the
frame, this could result in reading one octet beyond the end of a
stack/hash buffer or reading an uninitialized octet from within a
buffer. The actual value that was read as the Dialog Token field is not
used since the function returns immediately after having read this value
when there is no information elements following the field.
This issue was initially added in commit d32d94dbf47a ("WNM: Add
WNM-Sleep Mode implementation for AP") (with CONFIG_IEEE80211V=y build
option) and it remained in place during number of cleanup and fix
changes in this area and renaming of the build parameter to
CONFIG_WNM=y. The impacted function was not included in any default
build without one of the these optional build options being explicitly
enabled. CONFIG_WNM=y is still documented as "experimental and not
complete implementation" in hostapd/defconfig. In addition, commit 114f2830d2c2 ("WNM: Ignore WNM-Sleep Mode Request in wnm_sleep_mode=0
case") made this function exit before the impact read if WNM-Sleep Mode
support was not explicitly enabled in runtime configuration
(wnm_sleep_mode=1 in hostapd.conf). Commit e0785ebbbd18 ("Use more
consistent Action frame RX handling in both AP mode paths") made this
code unreachable in practice.
Add an explicit check that the frame has enough payload before reading
the Dialog Token field in ieee802_11_rx_wnmsleep_req().
Jared Bents [Wed, 16 Jan 2019 15:15:01 +0000 (09:15 -0600)]
crl_reload_interval: Add CRL reloading support
This patch adds a new flag 'crl_reload_interval' to reload CRL
periodically. This can be used to reload ca_cert file and the included
CRL information on every new TLS session if difference between the last
reload and the current time in seconds is greater than
crl_reload_interval.
This reloading is used for cases where check_crl is 1 or 2 and the CRL
is included in the ca_file.
Signed-off-by: Paresh Chaudhary <paresh.chaudhary@rockwellcollins.com> Signed-off-by: Jared Bents <jared.bents@rockwellcollins.com>
Daniel Golle [Wed, 23 Jan 2019 05:18:25 +0000 (06:18 +0100)]
Write multi_ap_backhaul_sta to wpa_supplicant config
The network configration option multi_ap_backhaul_sta was added without
adding it to wpa_config_write_network(). Hence the value of this option
was not included when writing the configuration file. Fix this by
including it in wpa_config_write_network().
Fixes: 5abc7823b ("wpa_supplicant: Add Multi-AP backhaul STA support") Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Lior David [Mon, 21 Jan 2019 16:28:42 +0000 (18:28 +0200)]
Check supported types in wpas_mac_addr_rand_scan_set()
When setting scan with randomized MAC, check the requested scan type
against supported types, to ensure callers will not set an unsupported
type, since this can cause scan/connect failures later. It is better to
do this in wpas_mac_addr_rand_scan_set() instead of control interface
specific code to apply the constraint on all possible interfaces using
this setting.
Lior David [Tue, 22 Jan 2019 15:24:35 +0000 (17:24 +0200)]
Fix test compilation error related to sme_event_unprot_disconnect()
sme_event_unprot_disconnect() is only defined with CONFIG_IEEE80211W, so
the CONFIG_TESTING_OPTIONS command UNPROT_DEAUTH can be defined only
with builds that enable IEEE 802.11w support.
Jouni Malinen [Tue, 22 Jan 2019 23:03:46 +0000 (01:03 +0200)]
HS 2.0 server: Alternative subrem updateNode for certificate credentials
The new subrem field in the users database can now be used to issue an
alternative subscription remediation updateNode for clients using
certificate credentials. The data file for this case is similar to the
policy update files, but it starts with the managementTreeURI value in
the first line.
Jouni Malinen [Tue, 22 Jan 2019 21:31:06 +0000 (23:31 +0200)]
HS 2.0 server: Use noMOUpdate in client certificate subrem
There is no point in trying to update the Credential node with the
existing contents in case of subscription remediation using a client
certificate instead of a username/password credential, so use the
noMOUpdate in that case.
Jouni Malinen [Tue, 22 Jan 2019 11:33:48 +0000 (13:33 +0200)]
FILS: Remove notes about experimental implementation
The standard amendment has been published and there has been sufficient
amount of interoperability testing for FILS to expect the protocol not
to be changed anymore, so remove the notes claiming this to be
experimental and not suitable for production use.
Commit 2564184440d9 ("mesh: Apply channel attributes before setup
interface") triggers some channel configurations to result in leaking
memory. This seems to be caused by hapd->started not getting set when
going through a callback to start hostapd operation (e.g., when using
HT40 coex scan) due to hostapd_setup_bss() not getting called. This
results in hostapd_free_hapd_data() not clearing allocated
hapd->wpa_auth. This can be reproduced with the hwsim test case
mesh_secure_ocv_mix_legacy.
A more complete cleanup of the pending mesh patch for DFS support seems
to be needed to fix this properly, so the best approach for now is to
revert this patch and bring it back once rest of the mesh changes are
ready to be applied.
Ian Archer [Fri, 18 Jan 2019 12:40:15 +0000 (12:40 +0000)]
hostapd: Add support for setting pbss option from config file
There is currently no support for setting hostapd_bss_config.pbss from a
config file, i.e., it was used only based on automatic logic in
wpa_supplicant. This patch adds a key naturally called "pbss" which can
be used to set it.
Cc: Antony King <antony.king@bluwirelesstechnology.com> Signed-off-by: Brendan Jackman <brendan.jackman@bluwirelesstechnology.com>
Amit Khatri [Wed, 16 Jan 2019 17:46:46 +0000 (23:16 +0530)]
D-Bus: Fix P2P Flush method to clear pending Action frames
If we call p2p_flush from ctrl_iface, before calling p2p_flush() it
calls wpas_p2p_stop_find(). Add the same call to the matching D-Bus
method to clear all pending operations.
Signed-off-by: Amit Khatri <amit7861234@gmail.com>
Jimmy Chen [Tue, 13 Nov 2018 07:19:57 +0000 (15:19 +0800)]
P2P: Support random device address
To enhance privacy, generate a random device address for P2P interface.
If there is no saved persistent group, it generate a new random MAC
address on bringing up p2p0. If there is saved persistent group, it will
use last MAC address to avoid breaking group reinvoke behavior.
There are two configurations are introduced:
* p2p_device_random_mac_addr
enable device random MAC address feature, default disable.
* p2p_device_persistent_mac_addr
store last used random MAC address.
Signed-off-by: Jimmy Chen <jimmycmchen@google.com>
Since 3bdc651a624, start.sh creates the logs/current symlink even if
LOGDIR was set in the environment, as is the case when using run-all.sh.
However, run-all.sh and start.sh use a separate 'date' invocation so the
resulting string may be different. Usually it is the same because the
two invocations immediately follow each other, *except* if run-all.sh
also does a build. In addition, if the user sets LOGDIR to something
else, the symlink is completely bogus.
Fix this by not relying on the 'date' invocation for creating the
symlink. Instead, use the basename of LOGDIR. To keep things consistent
with current behavior, only create the symlink if LOGDIR points to a
subdirectory of DIR/logs.
The following use cases now work reliably:
* run-all.sh with or without the -B option;
* manually calling start.sh followed by run-tests.py without setting
LOGDIR.
* manually calling start.sh with LOGDIR set to a subdirectory of logs
and calling run-tests.py without --logdir option (which makes it
default to logs/current).
* run-all.sh with LOGDIR set to a subdirectory of logs.
Stefan Strogin [Wed, 9 Jan 2019 11:19:53 +0000 (13:19 +0200)]
Fix build with LibreSSL
When using LibreSSL build fails with:
../src/crypto/tls_openssl.o: in function `tls_connection_client_cert':
../src/crypto/tls_openssl.c:2817: undefined reference to `SSL_use_certificate_chain_file'
collect2: error: ld returned 1 exit status
make: *** [Makefile:1901: wpa_supplicant] Error 1
There is no such function in LibreSSL.
Signed-off-by: Stefan Strogin <stefan.strogin@gmail.com>
Peng Xu [Fri, 21 Dec 2018 18:20:28 +0000 (10:20 -0800)]
P2P: Add 802.11ax support for P2P GO
An optional parameter "he" is added to p2p_connect, p2p_group_add, and
p2p_invite to enable 11ax HE support. The new p2p_go_he=1 configuration
parameter can be used to request this to be enabled by default.
Sunil Dutt [Tue, 8 Jan 2019 12:21:23 +0000 (17:51 +0530)]
Clarify documentation of avoid channels expectations
The vendor command QCA_NL80211_VENDOR_SUBCMD_AVOID_FREQUENCY was defined
to carry the list of avoid frequencies that aim to avoid any
interference with other coexistencies. This recommendation was followed
strictly by trying to prevent WLAN traffic on the impacted channels.
This commit refines the expectation of the interface by defining this
avoid channel list to allow minimal traffic but not heavier one. For
example, P2P may still be able to use avoid list frequencies for P2P
discovery and GO negotiation if the actual group can be set up on a not
impact channel.
Jouni Malinen [Wed, 9 Jan 2019 22:47:04 +0000 (00:47 +0200)]
HS 2.0 server: Log new username in eventlog for cert reenroll
Make it easier to find the new username (and the new serial number from
it) when a user entry is renamed at the conclusion of client certificate
re-enrollment sequence.
Mike Siedzik [Tue, 8 Jan 2019 03:49:54 +0000 (22:49 -0500)]
mka: New MI should only be generated when peer's key is invalid
Two recent changes to MKA create a situation where a new MI is generated
every time a SAK Use parameter set is decoded. The first change moved
invalid key detection from ieee802_1x_decode_basic_body() to
ieee802_1x_kay_decode_mpkdu():
commit db9ca18bbff1 ("mka: Do not ignore MKPDU parameter set decoding failures")
The second change forces the KaY to generate a new MI when an invalid
key is detected:
commit a8aeaf41df95 ("mka: Change MI if key invalid")
The fix is to move generation of a new MI from the old invalid key
detection location to the new location.
Fixes: a8aeaf41df95 ("mka: Change MI if key invalid") Signed-off-by: Michael Siedzik <msiedzik@extremenetworks.com>
nl80211: Indicate 802.1X 4-way handshake offload in connect
Upon issuing a connect request we need to indicate that we want the
driver to offload the 802.1X 4-way handshake for us. Indicate it if
the driver capability supports the offload.
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
drivers: Add separate driver flags for 802.1X and PSK 4-way HS offloads
Allow drivers to indicate support for offloading 4-way handshake for
either IEEE 802.1X (WPA2-Enterprise; EAP) and/or WPA/WPA2-PSK
(WPA2-Personal) by splitting the WPA_DRIVER_FLAGS_4WAY_HANDSHAKE flag
into two separate flags.
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Zefir Kurtisi [Mon, 7 Jan 2019 10:58:08 +0000 (11:58 +0100)]
DFS: Restart pending CAC on interface enable
When an interface is re-enabled after it was disabled during CAC, it
won't ever get active since hostapd is waiting for a CAC_FINISHED while
kernel side is waiting for a CMD_RADAR_DETECT to start a CAC.
This commit checks for a pending CAC when an interface is enabled and if
so restarts its DFS processing.
Ben Greear [Fri, 24 Aug 2018 19:01:28 +0000 (12:01 -0700)]
Use freq_list to constrain supported operating class information
If a station is configured to allow only a subset of frequencies for an
association, the supported operating classes may need to be more limited
than what the hardware supports.
Signed-off-by: Ben Greear <greearb@candelatech.com>