Jouni Malinen [Sun, 23 Nov 2014 19:08:13 +0000 (21:08 +0200)]
WPA: Use more explicit WPA/RSN selector count validation
Some static analyzers had problems understanding "left < count * len"
(CID 62855, CID 62856), so convert this to equivalent "count > left /
len" (len here is fixed to 4, so this can be done efficiently).
Jouni Malinen [Sun, 23 Nov 2014 18:57:34 +0000 (20:57 +0200)]
WPS: Add explicit message length limit of 50000 bytes
Previously, this was implicitly limited by the 16-bit length field to
65535. This resulted in unhelpful static analyzer warnings (CID 62868).
Add an explicit (but pretty arbitrary) limit of 50000 bytes to avoid
this. The actual WSC messages are significantly shorter in practice, but
there is no specific protocol limit, so 50000 is as good as any limit to
use here.
Jouni Malinen [Sun, 23 Nov 2014 18:51:26 +0000 (20:51 +0200)]
PeerKey: Clean up EAPOL-Key Key Data processing on AP
This extends the earlier PeerKey station side design to be used on the
AP side as well by passing pointer and already validated length from the
caller rather than parsing the length again from the frame buffer. This
avoids false warnings from static analyzer (CID 62870, CID 62871,
CID 62872).
Jouni Malinen [Sun, 23 Nov 2014 18:39:52 +0000 (20:39 +0200)]
EAP-IKEv2: Make proposal_len validation clearer
Some static analyzers seem to have issues understanding "pos +
proposal_len > end" style validation, so convert this to "proposal_len >
end - pos" to make this more obvious to be bounds checking for
proposal_len. (CID 62874)
Jouni Malinen [Sun, 23 Nov 2014 18:36:17 +0000 (20:36 +0200)]
EAP-FAST: Make PAC file A_ID parser easier to analyze
Some static analyzers seem to have issues with "pos + len > end"
validation (CID 62875), so convert this to "len > end - pos" to make it
more obvious that len is validated against its bounds.
Jouni Malinen [Sun, 23 Nov 2014 18:31:08 +0000 (20:31 +0200)]
EAP-FAST: Clean up binary PAC file parser validation steps
This was too difficult for some static analyzers (CID 62876). In
addition, the pac_info_len assignment should really have explicitly
validated that there is room for the two octet length field instead of
trusting the following validation step to handle both this and the
actual pac_info_len bounds checking.
Jouni Malinen [Sun, 23 Nov 2014 18:23:35 +0000 (20:23 +0200)]
radiotap: Initialize all members in ieee80211_radiotap_iterator_init()
_next_ns_data could look like it would be used uninitialized in
ieee80211_radiotap_iterator_next() to static analyzers. Avoid
unnecessary reports by explicitly initializing all variables in struct
ieee80211_radiotap_iterator. (CID 62878)
Jouni Malinen [Sun, 23 Nov 2014 18:04:29 +0000 (20:04 +0200)]
HS 2.0: Clarify OSU Server URI length validation
The previous version was valid, but apparently too complex for some
static analyzers. Use a local variable for uri_len and explicitly
compare it against the remaining buffer length. (CID 68121)
Jouni Malinen [Sun, 23 Nov 2014 16:43:59 +0000 (18:43 +0200)]
Use more explicit num_pmkid validation in RSN IE parsing
Static analyzers may not have understood the bounds checking on
data->num_pmkid. Use a local, temporary variable and validate that that
value is within length limits before assining this to data->num_pmkid to
make this clearer. (CID 62857, CID 68126)
Jouni Malinen [Sun, 23 Nov 2014 16:32:04 +0000 (18:32 +0200)]
PCSC: Use clearer file TLV length validation step
This makes it easier for static analyzer to confirm that the length
field bounds are checked. WPA_GET_BE16() is also used instead of
explicit byte-swapping operations in this file. (CID 68129)
Jouni Malinen [Sun, 23 Nov 2014 15:48:34 +0000 (17:48 +0200)]
TLS client: Check DH parameters using a local variable
Use a temporary, local variable to check the DH parameters received from
the server before assigning the length to the struct tlsv1_client
variables. This will hopefully make it easier for static analyzers to
figure out that there is bounds checking for the value. (CID 72699)
Jouni Malinen [Sun, 23 Nov 2014 15:06:24 +0000 (17:06 +0200)]
RADIUS client: Print a clear debug log entry if socket is not available
It could have been possible to select a socket that is not open
(sel_sock == -1) and try to use that in socket operations. This would
fail with potentially confusing error messages. Make this clearer by
printing a clear debug log entry on socket not being available.
(CID 72696)
Jouni Malinen [Sun, 23 Nov 2014 14:37:16 +0000 (16:37 +0200)]
IKEv2: Use a bit clearer payload header validation step
It looks like the "pos + plen > end" case was not clear enough for a
static analyzer to figure out that plen was being verified to not go
beyond the buffer. (CID 72687)
Send link measurement response when a request is received. Advertise
only RCPI, computing it from the RSSI of the request. The TX power field
is left to be filled by the driver. All other fields are not published.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Assaf Krauss [Wed, 5 Nov 2014 08:42:51 +0000 (03:42 -0500)]
wpa_supplicant: Add NEIGHBOR_REP_REQUEST command to the control interface
Add NEIGHBOR_REP_REQUEST command to the wpa_supplicant ctrl_iface.
This command triggers the sending of a Neighbor Report Request to the
associated AP.
Assaf Krauss [Wed, 5 Nov 2014 08:42:48 +0000 (03:42 -0500)]
SME: Add RRM support to association request
In case the AP we are associating with advertises support for RRM,
advertise our own RRM support in the (Re)Association Request frame. This
is done by adding an RRM Capabilities IE. The underlying driver is
expected to further add a Power Capabilities IE to the request, and set
the Radio Measurement flag in the Capability Info field. At this point
the RRM Capabilities IE advertises no measurement support.
Assaf Krauss [Wed, 5 Nov 2014 08:42:45 +0000 (03:42 -0500)]
driver: Add RRM-related definitions to driver interface
Add definitions for RRM (Radio Resource Measurement) support:
1. Flags that specify the RRM capabilities of the underlying driver
2. Flag for RRM in Capability Info field in Management frames
3. Indication in association parameters regarding an RRM connection
Jouni Malinen [Sat, 22 Nov 2014 18:12:12 +0000 (20:12 +0200)]
WNM: Use recent scan results on BSS transition request
If the last scans are recent (for now, less than ten seconds old), use
them instead of triggering a new scan when a BSS Transition Management
Request frame is received. As a fallback, allow a new scan to be
triggered if no matches were found.
Jouni Malinen [Sat, 22 Nov 2014 17:50:16 +0000 (19:50 +0200)]
WNM: Optimize BSS transition management scans
When the list of preferred transition candidates is received, use the
identified channels to optimize the following scan so that no time is
wasted on other channels.
Jouni Malinen [Sat, 22 Nov 2014 17:48:08 +0000 (19:48 +0200)]
Add generic operating class and channel to frequency function
ieee80211_chan_to_freq() is a generic function that replaces and extends
the previous P2P-specific p2p_channel_to_freq(). The new function
supports both the global operating class table as well as the additional
US, EU, JP, and CN operating class tables.
Jouni Malinen [Sat, 22 Nov 2014 16:28:22 +0000 (18:28 +0200)]
tests: Fix wnm_bss_tm_req status code expectation
The implementation of WNM BSS transition management was extended to be
able to return a reject status code based on whether a matching entry is
found. The test case wnm_bss_tm_req was trying to enforce a different
status code to be used here based on old implementation.
Jouni Malinen [Sat, 22 Nov 2014 15:01:26 +0000 (17:01 +0200)]
WNM: Allow BSS transition request in same ESS even if RSSI is worse
This allows an AP to steer us to another BSS within the ESS even if that
results in reduced signal strength as long as the signal strength with
the target BSS is expected to provide some connectivity.
Jouni Malinen [Sat, 22 Nov 2014 13:37:27 +0000 (15:37 +0200)]
WNM: Simplify how candidate subelements are stored
There is no need to use a separately allocated data structures for this.
A bitfield indicating which information is present and variables within
struct neighbor_report are simpler to use and more efficient.
This implements minimal RSN 4-way handshake Supplicant in Python and
uses that to test hostapd Authenticator implementation in various
possible protocol sequencies.
Jouni Malinen [Fri, 21 Nov 2014 15:02:00 +0000 (17:02 +0200)]
AP: Extend EAPOL-Key msg 1/4 retry workaround for changing SNonce
If the 4-way handshake ends up having to retransmit the EAPOL-Key
message 1/4 due to a timeout on waiting for the response, it is possible
for the Supplicant to change SNonce between the first and second
EAPOL-Key message 2/4. This is not really desirable due to extra
complexities it causes on the Authenticator side, but some deployed
stations are doing this.
This message sequence looks like this:
AP->STA: EAPOL-Key 1/4 (replay counter 1, ANonce)
AP->STA: EAPOL-Key 1/4 (replay counter 2, ANonce)
STA->AP: EAPOL-Key 2/4 (replay counter 1, SNonce 1)
AP->STA: EAPOL-Key 3/4 (replay counter 3, ANonce)
STA->AP: EAPOL-Key 2/4 (replay counter 2, SNonce 2)
followed by either:
STA->AP: EAPOL-Key 4/4 (replay counter 3 using PTK from SNonce 1)
or:
AP->STA: EAPOL-Key 3/4 (replay counter 4, ANonce)
STA->AP: EAPOL-Key 4/4 (replay counter 4, using PTK from SNonce 2)
Previously, Authenticator implementation was able to handle the cases
where SNonce 1 and SNonce 2 were identifical (i.e., Supplicant did not
update SNonce which is the wpa_supplicant behavior) and where PTK
derived using SNonce 2 was used in EAPOL-Key 4/4. However, the case of
using PTK from SNonce 1 was rejected ("WPA: received EAPOL-Key 4/4
Pairwise with unexpected replay counter" since EAPOL-Key 3/4 TX and
following second EAPOL-Key 2/4 invalidated the Replay Counter that was
used previously with the first SNonce).
This commit extends the AP/Authenticator workaround to keep both SNonce
values in memory if two EAPOL-Key 2/4 messages are received with
different SNonce values. The following EAPOL-Key 4/4 message is then
accepted whether the MIC has been calculated with the latest SNonce (the
previously existing behavior) or with the earlier SNonce (the new
extension). This makes 4-way handshake more robust with stations that
update SNonce for each transmitted EAPOL-Key 2/4 message in cases where
EAPOL-Key message 1/4 needs to be retransmitted.
Javier Lopez [Mon, 1 Sep 2014 04:23:35 +0000 (00:23 -0400)]
tests: Add test_wpas_mesh test cases
This wpa_supplicant tests include basic tests for:
- Mesh scan
- Mesh group add/remove
- Mesh peer connected/disconnected
- Add/Set/Remove to test mesh mode network
- Open mesh connectivity test
- Secure mesh connectivity test
- no_auto_peer
Signed-off-by: Jason Mobarak <x@jason.mobarak.name>
[no_auto_peer test by: Javier Cardona <javier@cozybit.com> Signed-off-by: Javier Lopez <jlopex@gmail.com>
Jouni Malinen [Thu, 20 Nov 2014 14:25:00 +0000 (16:25 +0200)]
nl80211: Do not try to change STA capability on NL80211_CMD_SET_STATION
cfg80211 will reject any of these attributes regardless of whether the
values actually change or not when NL80211_CMD_SET_STATION is used for
something else than TDLS. This path is hit at least when setting up
mesh, so filter out the attributes from NL80211_CMD_SET_STATION to match
the rules in cfg80211.
Jouni Malinen [Wed, 19 Nov 2014 20:02:08 +0000 (22:02 +0200)]
tests: Fix regression in START line total count
The previous changes to enable stdin control broke the previous case of
showing the total number of test cases in the START lines. Fix that by
using a separate variable for the total number of test casess instead of
using length of the list of remaining test cases.
Rashmi Ramanna [Mon, 17 Nov 2014 10:37:24 +0000 (16:07 +0530)]
P2P: Do not change P2P state on GO Neg failure if it is P2P_SEARCH
Changing the P2P state to P2P_IDLE on GO Negotiation Failure would stop
the previously issued P2P_FIND operation without notifying the upper
layers. Leave the search operation running if in P2P_SEARCH state to
avoid unexpected behavior in case the upper layers issued a new P2P_FIND
while waiting for GO Negotiation to complete.
Kyeyoon Park [Sat, 1 Nov 2014 06:33:41 +0000 (23:33 -0700)]
AP: Add Neighbor Discovery snooping mechanism for Proxy ARP
This commit establishes the infrastructure, and handles the Neighbor
Solicitation and Neighbor Advertisement frames. This will be extended
in the future to handle other frames.
Signed-off-by: Kyeyoon Park <kyeyoonp@qca.qualcomm.com>
Kyeyoon Park [Thu, 6 Nov 2014 00:15:46 +0000 (16:15 -0800)]
AP: Extend the BSS bridge neighbor entry management to support IPv6
This allows adding/deleting an IPv6 neighbor entry to/from the bridge,
to which the BSS belongs. This commit adds the needed functionality in
driver_nl80211.c for the Linux bridge implementation. In theory, this
could be shared with multiple Linux driver interfaces, but for now, only
the main nl80211 interface is supported.
Signed-off-by: Kyeyoon Park <kyeyoonp@qca.qualcomm.com>
Jouni Malinen [Wed, 19 Nov 2014 00:03:39 +0000 (02:03 +0200)]
tests: Move parallel-vm.py test control to the host
This allows all VMs to be used at the end of a test sequence by
assigning test cases to VMs based on which VM is available for a new
test case rather than splitting the full task at the beginning and
potentially getting stuck with the last VM running long test cases for
significantly longer than another VM that gets shorter duration tests
assigned to it.
Jouni Malinen [Wed, 19 Nov 2014 00:01:27 +0000 (02:01 +0200)]
tests: Add run-tests.py -i to control execution from stdin
The new -i command line argument can be used to control test case
execution from stdin to run-tests.py and vm-run.sh. This can be used,
e.g., to run multiple repeated test sequences in a virtual machine
without havign to restart the VM between each iteration.
Jouni Malinen [Tue, 18 Nov 2014 22:41:45 +0000 (00:41 +0200)]
tests: Allow run-tests.py to be run from the vm directory
Some of the paths in run-tests.py are hardcoded and could not handle
tests/hwsim/vm as the working directory. Modify the design enough to
allow ../run-tests.py -L to be used from the vm directory.
Jouni Malinen [Tue, 18 Nov 2014 22:34:36 +0000 (00:34 +0200)]
tests: Make run-tests.py process test case selection arguments
This allows a list of matching test cases to be produced without having
to run the test cases. Previously, -L output included all defined test
cases regardless of what else was included on the command line.
Ilan Peer [Wed, 5 Nov 2014 08:50:34 +0000 (03:50 -0500)]
AP: Drop retransmitted auth/assoc/action frames
It is possible that a station device might miss an ACK for an
authentication, association, or action frame, and thus retransmit the
same frame although the frame is already being processed in the stack.
While the duplicated frame should really be dropped in the kernel or
firmware code where duplicate detection is implemented for data frames,
it is possible that pre-association cases are not fully addressed (which
is the case at least with mac80211 today) and the frame may be delivered
to upper layer stack.
In such a case, the local AP will process the retransmitted frame although
it has already handled the request, which might cause the station to get
confused and as a result disconnect from the AP, blacklist it, etc.
To avoid such a case, save the sequence control of the last processed
management frame and in case of retransmissions drop them.
This gets registered in tls_openssl.c from tls_init(), so there is no
need for EAP-pwd implementation to register explicitly. This avoids some
corner cases where OpenSSL resources do not get fully freed on exit.
Jouni Malinen [Sun, 16 Nov 2014 23:14:35 +0000 (01:14 +0200)]
DFS: Fix hostapd operation without hw_mode driver data
If DFS implementation was built in, some configurations with drivers
that do not provide mode information could end up dereferencing a NULL
pointer. Fix this by skipping DFS operations in such cases since not
having information about modes and channels means that hostapd could not
perform DFS anyway (i.e., either this is not a wireless driver or the
driver takes care of DFS internally).
Jouni Malinen [Sun, 16 Nov 2014 23:08:04 +0000 (01:08 +0200)]
Fix hostapd operation without hw_mode driver data
Commit 7f0303d5b0bb425f3e7318a7016b55ba9e67f9de ('hostapd: Verify VHT
160/80+80 MHz driver support') added couple of hapd->iface->current_mode
dereferences of which the one in hostapd_set_freq() can be hit with some
configuration files when using driver wrappers that do not have hw_mode
data, i.e., when current_mode is NULL. This could result in segmentation
fault when trying to use driver=wired. Fix this by checking that
current_mode is not NULL before dereferencing it to get vht_capab.
Johannes Berg [Wed, 22 Oct 2014 12:04:03 +0000 (08:04 -0400)]
WMM AC: Notify driver before sending DelTS
Switch the stop and sending DelTS to avoid sending data packets
for the session after the DelTS, which is otherwise possible.
This also helps the mac80211 implementation as it requires stopping the
traffic flow before sending the DelTS as it may modify the AC parameters
for the affected queue, and that may in turn affect management frames.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Moshe Benji [Wed, 22 Oct 2014 12:03:54 +0000 (08:03 -0400)]
WMM AC: Parse WMM IE on association
Initialize WMM AC data structures upon successful association
with an AP that publishes WMM support, and deinitialize the data
structure when the association is no longer valid.