thirdparty/hostap.git
18 hours ago tests: EAP-IKEV2 server local errors and protocol testing [master] [pending]
Jouni Malinen [Sat, 20 Apr 2019 18:00:16 +0000 (21:00 +0300)]
tests: EAP-IKEV2 server local errors and protocol testing

Signed-off-by: Jouni Malinen <j@w1.fi>
30 hours ago tests: EAP-MD5 server local errors and protocol testing
Jouni Malinen [Sat, 20 Apr 2019 08:28:31 +0000 (11:28 +0300)]
tests: EAP-MD5 server local errors and protocol testing

Signed-off-by: Jouni Malinen <j@w1.fi>
30 hours ago tests: EAP-PAX server local errors and protocol testing
Jouni Malinen [Fri, 19 Apr 2019 21:20:32 +0000 (00:20 +0300)]
tests: EAP-PAX server local errors and protocol testing

Signed-off-by: Jouni Malinen <j@w1.fi>
41 hours ago EAP-PAX server: Fix message length checks for MSGDUMP level hexdump
Jouni Malinen [Fri, 19 Apr 2019 21:19:02 +0000 (00:19 +0300)]
EAP-PAX server: Fix message length checks for MSGDUMP level hexdump

EAP-PAX server implementation could end up reading beyond the end of the
buffer if MSGDUMP level debugging was enabled and a message without the
ICV field was received. Fix this by using more strict message length
validation.

Signed-off-by: Jouni Malinen <j@w1.fi>
41 hours ago EAP-PAX server: Check hash function results
Jouni Malinen [Fri, 19 Apr 2019 21:08:00 +0000 (00:08 +0300)]
EAP-PAX server: Check hash function results

While these local failure cases are mostly theoretical, it is better to
check for the errors explicitly.

Signed-off-by: Jouni Malinen <j@w1.fi>
41 hours ago tests: EAP-PSK server local errors and protocol testing
Jouni Malinen [Fri, 19 Apr 2019 20:46:00 +0000 (23:46 +0300)]
tests: EAP-PSK server local errors and protocol testing

Signed-off-by: Jouni Malinen <j@w1.fi>
47 hours ago tests: EAP-GPSK server local errors and protocol testing
Jouni Malinen [Fri, 19 Apr 2019 14:09:09 +0000 (17:09 +0300)]
tests: EAP-GPSK server local errors and protocol testing

Signed-off-by: Jouni Malinen <j@w1.fi>
2 days ago EAP-GPSK server: Fix memory freeing on error path
Jouni Malinen [Fri, 19 Apr 2019 14:08:27 +0000 (17:08 +0300)]
EAP-GPSK server: Fix memory freeing on error path

Allocated struct wpabuf was freed with incorrect freeing function. Fix
this by using the appropriate function.

Signed-off-by: Jouni Malinen <j@w1.fi>
2 days ago tests: Additional EAP-SAKE peer error path coverage
Jouni Malinen [Fri, 19 Apr 2019 13:57:50 +0000 (16:57 +0300)]
tests: Additional EAP-SAKE peer error path coverage

Signed-off-by: Jouni Malinen <j@w1.fi>
2 days ago tests: EAP-SAKE server local errors and protocol testing
Jouni Malinen [Fri, 19 Apr 2019 09:48:13 +0000 (12:48 +0300)]
tests: EAP-SAKE server local errors and protocol testing

Signed-off-by: Jouni Malinen <j@w1.fi>
2 days ago EAP-SAKE: Report hash function failures to callers
Jouni Malinen [Fri, 19 Apr 2019 13:50:42 +0000 (16:50 +0300)]
EAP-SAKE: Report hash function failures to callers

While this is mostly theoretical, the hash functions can fail and it is
better for the upper layer code to explicitly check for such failures.

Signed-off-by: Jouni Malinen <j@w1.fi>
2 days ago EAP-SAKE server: Fix memory freeing on error path
Jouni Malinen [Fri, 19 Apr 2019 13:43:14 +0000 (16:43 +0300)]
EAP-SAKE server: Fix memory freeing on error path

Allocated struct wpabuf was freed with incorrect freeing function. Fix
this by using the appropriate function.

Signed-off-by: Jouni Malinen <j@w1.fi>
2 days ago tests: FT and PTK rekeying
Jouni Malinen [Fri, 19 Apr 2019 08:45:27 +0000 (11:45 +0300)]
tests: FT and PTK rekeying

Signed-off-by: Jouni Malinen <j@w1.fi>
2 days ago FT: Derive PTK properly for rekeying with FT protocol
Jouni Malinen [Thu, 18 Apr 2019 15:17:07 +0000 (18:17 +0300)]
FT: Derive PTK properly for rekeying with FT protocol

Do not try to derive a PMK-R0 and PMK-R1 again for the case where an
association was started with FT protocol and PTK is rekeyed using 4-way
handshake. Instead, use the previously derived PMK-R1 to allow a new PTK
to be derived.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2 days ago FT: Do not add bogus PMKID in msg 1/4 for FT protocol PTK rekeying
Jouni Malinen [Thu, 18 Apr 2019 15:17:07 +0000 (18:17 +0300)]
FT: Do not add bogus PMKID in msg 1/4 for FT protocol PTK rekeying

Do not try to derive a PMKID for EAPOL-key msg 1/4 when going through
4-way handshake to rekey PTK during an association that was started
through FT protocol.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2 days ago FT: Maintain PMK-R1 for a connected STA
Jouni Malinen [Thu, 18 Apr 2019 15:17:07 +0000 (18:17 +0300)]
FT: Maintain PMK-R1 for a connected STA

This is needed to allow PTK rekeying to be performed through 4-way
handshake in an association started through FT protocol.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2 days ago WPA: Clear authenticator keys for a STA on deinit/disconnection
Jouni Malinen [Thu, 18 Apr 2019 15:17:07 +0000 (18:17 +0300)]
WPA: Clear authenticator keys for a STA on deinit/disconnection

Do not leave keys in heap memory after they are no longer needed.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2 days ago WPA: Stop WPA statement on STA disassociation
Jouni Malinen [Thu, 18 Apr 2019 15:17:07 +0000 (18:17 +0300)]
WPA: Stop WPA statement on STA disassociation

This is needed to avoid leaving some timers (e.g., for PTK rekeying)
running after a STA has disassociated.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2 days ago FT: Start PTK rekey timer on FT protocol completion
Jouni Malinen [Thu, 18 Apr 2019 22:11:41 +0000 (01:11 +0300)]
FT: Start PTK rekey timer on FT protocol completion

This is needed to trigger PTK rekeying properly for associations started
with FT protocol.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2 days ago FT: Remove unused pmk argument from wpa_auth_derive_ptk_ft()
Jouni Malinen [Thu, 18 Apr 2019 21:23:43 +0000 (00:23 +0300)]
FT: Remove unused pmk argument from wpa_auth_derive_ptk_ft()

FT rules for PTK derivation do not use PMK. Remove the unused argument
to the PTK derivation function.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2 days ago FT: Allow 4-way handshake for PTK rekeying to continue without PMK/PMKID
Jouni Malinen [Thu, 18 Apr 2019 21:17:52 +0000 (00:17 +0300)]
FT: Allow 4-way handshake for PTK rekeying to continue without PMK/PMKID

There is no PMK/PMKID when going through 4-way handshake during an
association started with FT protocol, so need to allow the operation to
proceed even if there is no selected PMKSA cache entry in place.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2 days ago tests: PMKSA caching and PTK rekey triggered by AP
Jouni Malinen [Wed, 17 Apr 2019 19:54:41 +0000 (22:54 +0300)]
tests: PMKSA caching and PTK rekey triggered by AP

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2 days ago tests: FILS and PTK rekeying
Jouni Malinen [Wed, 17 Apr 2019 19:54:23 +0000 (22:54 +0300)]
tests: FILS and PTK rekeying

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2 days ago FILS: Fix PTK rekeying
Jouni Malinen [Wed, 17 Apr 2019 19:52:23 +0000 (22:52 +0300)]
FILS: Fix PTK rekeying

The PMK and PMKID information from FILS ERP and FILS PMKSA caching needs
to be stored within struct wpa_state_machine for PTK to work. Without
this, PTK derivation would fail and attempt to go through rekeying would
result in disconnection. Furthermore, wpa_rekey_ptk() timer needs to be
started at the completion of FILS association since the place where it
was done for non-FILS cases at the end of 4-way handshake is not reached
when FILS authentication is used.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2 days ago nl80211: Check nla_put_flag() failure for ext auth
Jouni Malinen [Thu, 18 Apr 2019 18:54:13 +0000 (21:54 +0300)]
nl80211: Check nla_put_flag() failure for ext auth

All nla_put*() operations should be verified to succeed, so check this
recently added one for NL80211_ATTR_EXTERNAL_AUTH_SUPPORT.

Fixes: 236e793e7b8b ("nl80211: External authentication in driver-based AP SME mode")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
4 days ago tests: EAP-pwd protocol testing for the server
Jouni Malinen [Wed, 17 Apr 2019 10:23:56 +0000 (13:23 +0300)]
tests: EAP-pwd protocol testing for the server

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
4 days ago EAP-pwd server: Remove unused srandom() call
Jouni Malinen [Tue, 16 Apr 2019 23:04:17 +0000 (02:04 +0300)]
EAP-pwd server: Remove unused srandom() call

Commit 4b16c15bbc8b ("EAP-pwd server: Use os_get_random() for
unpredictable token") replaced use of os_random(), i.e., of random(),
with os_get_random(), but forgot to remove the now unused srandom()
call. Clean up the implementation and remove that unneeded code.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
4 days ago tests: EAP-pwd protocol tests - unexpected more-fragment frame
Jouni Malinen [Tue, 16 Apr 2019 23:22:51 +0000 (02:22 +0300)]
tests: EAP-pwd protocol tests - unexpected more-fragment frame

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
4 days ago EAP-pwd peer: Fix reassembly buffer handling
Jouni Malinen [Tue, 16 Apr 2019 23:21:20 +0000 (02:21 +0300)]
EAP-pwd peer: Fix reassembly buffer handling

Unexpected fragment might result in data->inbuf not being allocated
before processing and that could have resulted in NULL pointer
dereference. Fix that by explicitly checking for data->inbuf to be
available before using it.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
4 days ago tests: EAP-pwd local error cases on server
Jouni Malinen [Tue, 16 Apr 2019 23:01:38 +0000 (02:01 +0300)]
tests: EAP-pwd local error cases on server

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
4 days ago EAP-pwd server: Fix reassembly buffer handling
Jouni Malinen [Tue, 16 Apr 2019 22:55:32 +0000 (01:55 +0300)]
EAP-pwd server: Fix reassembly buffer handling

data->inbuf allocation might fail and if that were to happen, the next
fragment in the exchange could have resulted in NULL pointer
dereference. Unexpected fragment with more bit might also be able to
trigger this. Fix that by explicitly checking for data->inbuf to be
available before using it.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
4 days ago EAP-pwd server: Fix a memory leak on error path
Jouni Malinen [Tue, 16 Apr 2019 22:28:31 +0000 (01:28 +0300)]
EAP-pwd server: Fix a memory leak on error path

eap_pwd_h_final() needs to be called to free the value from
eap_pwd_h_init() even in error cases.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
4 days ago tests: Addition WPS local error case coverage
Jouni Malinen [Tue, 16 Apr 2019 21:55:16 +0000 (00:55 +0300)]
tests: Addition WPS local error case coverage

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
4 days ago tests: OWE invalid Association Response frame contents
Jouni Malinen [Tue, 16 Apr 2019 19:37:18 +0000 (22:37 +0300)]
tests: OWE invalid Association Response frame contents

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
4 days ago tests: Opportunistic Wireless Encryption - local errors on supplicant
Jouni Malinen [Tue, 16 Apr 2019 19:02:39 +0000 (22:02 +0300)]
tests: Opportunistic Wireless Encryption - local errors on supplicant

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
4 days ago tests: WPA2-PSK and local error cases on supplicant
Jouni Malinen [Tue, 16 Apr 2019 18:35:04 +0000 (21:35 +0300)]
tests: WPA2-PSK and local error cases on supplicant

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
4 days ago tests: Additional coverage for EAP-MSCHAPv2 local error cases
Jouni Malinen [Tue, 16 Apr 2019 18:25:27 +0000 (21:25 +0300)]
tests: Additional coverage for EAP-MSCHAPv2 local error cases

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
4 days ago EAP-MSCHAPv2: Propagate GetAsymetricStartKey() failures up from getKey()
Jouni Malinen [Tue, 16 Apr 2019 18:21:35 +0000 (21:21 +0300)]
EAP-MSCHAPv2: Propagate GetAsymetricStartKey() failures up from getKey()

Report failure from getKey() if MSK cannot be derived due to unexpected
sha1_vector() local failure.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
4 days ago tests: Milenage local error cases
Jouni Malinen [Tue, 16 Apr 2019 18:09:50 +0000 (21:09 +0300)]
tests: Milenage local error cases

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
4 days ago tests: Previously missed aes_s2v() error path
Jouni Malinen [Tue, 16 Apr 2019 17:54:25 +0000 (20:54 +0300)]
tests: Previously missed aes_s2v() error path

This targets the omac1_aes_vector() call from within the 0..num_elem-1
loop in aes_s2v().

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
4 days ago tests: AES-EAX error cases that were previously missed in EAP-PSK
Jouni Malinen [Tue, 16 Apr 2019 17:39:45 +0000 (20:39 +0300)]
tests: AES-EAX error cases that were previously missed in EAP-PSK

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
4 days ago tests: Protocol testing for supplicant PMF/IGTK KDE handling
Jouni Malinen [Tue, 16 Apr 2019 09:08:35 +0000 (12:08 +0300)]
tests: Protocol testing for supplicant PMF/IGTK KDE handling

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
4 days ago RSN: Ignore IGTK configuration errors with swapped KeyID values
Jouni Malinen [Tue, 16 Apr 2019 09:06:28 +0000 (12:06 +0300)]
RSN: Ignore IGTK configuration errors with swapped KeyID values

There are a number of deployed APs with broken PMF implementation where
the IGTK KDE uses swapped bytes in the KeyID field (0x0400 and 0x0500
instead of 4 and 5). Such APs cannot be trusted to implement BIP
correctly or provide a valid IGTK, so do not try to configure this key
with swapped KeyID bytes. Instead, continue without configuring the IGTK
so that the driver can drop any received group-addressed robust
management frames due to missing keys.

Normally, this error behavior would result in us disconnecting, but
there are a number of deployed APs with this broken behavior, so as an
interoperability workaround, allow the connection to proceed.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
4 days ago RSN: Report completion only after IGTK configuration
Jouni Malinen [Tue, 16 Apr 2019 08:51:43 +0000 (11:51 +0300)]
RSN: Report completion only after IGTK configuration

Previously wpa_supplicant_key_neg_complete() was called before the
attempt to configure the IGTK received from the authenticator. This
could have resulted in a somewhat surprising sequence of events if IGTK
configuration failed since completion event would be followed by
immediate disconnection event. Reorder these operations so that
completion is reported only if GTK and IGTK are configured
successfully.

Furthermore, check for missing GTK KDE in case of RSN and handle that
with an explicit disconnection instead of waiting for the AP to deliver
the GTK later.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
5 days ago autoscan: Disable when we move above WPA_SCANNING state
Wiktor Drewniak [Mon, 18 Mar 2019 17:12:16 +0000 (18:12 +0100)]
autoscan: Disable when we move above WPA_SCANNING state

In case of drivers that don't use wpa_supplicant as SME, autoscan
feature was never disabled.

Signed-off-by: Wiktor Drewniak <wiktor.drewniak@gmail.com>
5 days ago SAE: Use open authentication to reassociate for PMKSA caching
Sergey Matyukevich [Fri, 29 Mar 2019 11:22:32 +0000 (11:22 +0000)]
SAE: Use open authentication to reassociate for PMKSA caching

For reassociation with the same AP wpa_supplicant attempts to use cached
PMKSA. For this purpose PMKID is passed in RSNE in (Re)Association
Request frame. In the case of SAE AP, open authentication shall be used
during reassociation. Otherwise cached PMKID becomes invalid after full
SAE authentication.

The previous implementation correctly handles SME-in-wpa_supplicant
cases. However, in SME-in-driver cases, complete SAE authentication is
performed. As a result, the first reassociation attempt fails.

Fix SME-in-driver behavior by resetting authentication algorithm to
WPA_AUTH_ALG_OPEN when reassociating with SAE AP with an existing PMKSA
cache entry.

Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
5 days ago Fix FILS ERP association event with 4-way HS offload drivers
Avraham Stern [Wed, 3 Apr 2019 10:36:30 +0000 (13:36 +0300)]
Fix FILS ERP association event with 4-way HS offload drivers

When FILS authentication is used with ERP, no EAPOL frames are expected
after association. However, for drivers that set the
WPA_DRIVER_FLAGS_4WAY_HANDSHAKE_8021X capability flag, the EAP state
machine was not configured correctly and was waiting for EAPOL frames,
which leads to disconnection.

Fix this by reordering the if branches to set the EAPOL/EAP state
machines to success when FILS authentication was already completed.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
5 days ago nl80211: Handle NL80211_CMD_PROBE_CLIENT command response
Ilan Peer [Wed, 3 Apr 2019 15:17:12 +0000 (18:17 +0300)]
nl80211: Handle NL80211_CMD_PROBE_CLIENT command response

When processing the NL80211_CMD_PROBE_CLIENT command response, the
nl80211 layer in the kernel sends a response containing the cookie
associated with the client probe request. This response was not handled
by driver_nl80211.c when sending the command, and it was mistakenly
handled as an asynchronous event. This incorrect event did not include
the MAC/ACK attributes, so it was ignored in practice, but nevertheless,
the command response should not be processed as an event.

Fix this by reading the response as part of the flow of sending the
command.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
5 days ago tests: AP with open mode and STA poll without ACK
Jouni Malinen [Mon, 15 Apr 2019 22:03:56 +0000 (01:03 +0300)]
tests: AP with open mode and STA poll without ACK

Signed-off-by: Jouni Malinen <j@w1.fi>
5 days ago nl80211: More detailed PROBE_CLIENT debug print
Jouni Malinen [Mon, 15 Apr 2019 22:02:12 +0000 (01:02 +0300)]
nl80211: More detailed PROBE_CLIENT debug print

Include the MAC address of the peer, knowledge of whether the poll was
ACKed, and cookie into the debug message to make this more useful.

Signed-off-by: Jouni Malinen <j@w1.fi>
5 days ago tests: SA Query timeout
Jouni Malinen [Mon, 15 Apr 2019 21:36:40 +0000 (00:36 +0300)]
tests: SA Query timeout

Verify wpa_supplicant behavior on SA Query timeout and
disconnection/reconnection.

Signed-off-by: Jouni Malinen <j@w1.fi>
5 days ago Do not clear FT IEs twice in sme_deinit()
Andrei Otcheretianski [Wed, 3 Apr 2019 15:17:14 +0000 (18:17 +0300)]
Do not clear FT IEs twice in sme_deinit()

Remove FT IEs clearing from sme_deinit() as it is done twice. The
sme_clear_on_disassoc() call to sme_update_ft_ies() takes care of this.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
5 days ago Stop SA Query on disconnection
Andrei Otcheretianski [Wed, 3 Apr 2019 15:17:14 +0000 (18:17 +0300)]
Stop SA Query on disconnection

SA Query wasn't stopped after disconnection, which could potentially
result in an unexpected SA timeout firing later when already connected
to another AP. Fix that by stopping SA Query when an association is
terminated.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
5 days ago Add debug print on stopping SA Query procedure
Jouni Malinen [Mon, 15 Apr 2019 21:42:09 +0000 (00:42 +0300)]
Add debug print on stopping SA Query procedure

This makes it easier to debug SA Query behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
5 days ago P2PS: Cleanup pending_p2ps_group flag
Andrei Otcheretianski [Wed, 3 Apr 2019 15:17:19 +0000 (18:17 +0300)]
P2PS: Cleanup pending_p2ps_group flag

pending_p2ps_group flag is not always cleaned, which may later result
in an unexpected GO bring up, after PD response is transmitted in
wpas_prov_disc_resp_cb().
This can be seen when running the following hwsim tests together:
 - p2ps_channel_sta_connected_disallow_freq_mcc
 - p2ps_channel_active_go_and_station_different_mcc
Fix this by clearing pending_p2ps_group flag also when processing new
PD requests. In addition, set this flag only when really needed.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
5 days ago mka: Avoid memory leak in unexpected case in RECEIVE
Jouni Malinen [Mon, 15 Apr 2019 19:50:06 +0000 (22:50 +0300)]
mka: Avoid memory leak in unexpected case in RECEIVE

It looks like it is possible for the RECEIVE state to leak memory where
a previously allocated sm->lki is moved to sm->oki while sm->oki is
pointing to a not yet freed entry. It is not clear how this can be
triggered, but it has come up in hwsim testing under heavy load.

Free sm->oki if it is still set in RECEIVE before replacing it with
sm->lki to avoid this memory leak.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
5 days ago mesh: Fix random llid generation in an error case
Jouni Malinen [Mon, 15 Apr 2019 19:24:49 +0000 (22:24 +0300)]
mesh: Fix random llid generation in an error case

If os_get_random() fails, llid must not be read/used since it could be
uninitialized. Handle that special case by clearing llid explicitly to 0
to continue iteration.

Fixes: 5f92659d88f1 ("mesh: Add mesh peering manager")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
5 days ago mesh: Fix operations after SAE state machine removing the STA
Jouni Malinen [Mon, 15 Apr 2019 19:09:12 +0000 (22:09 +0300)]
mesh: Fix operations after SAE state machine removing the STA

It is possible for the SAE state machine to remove the STA and free the
sta pointer in the mesh use cases. handle_auth_sae() could have
dereferenced that pointer and used freed memory in some cases. Fix that
by explicitly checking whether the STA was removed.

Fixes: bb598c3bdd06 ("AP: Add support for full station state")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
5 days ago mesh: Fix SAE reauthentication processing
Jouni Malinen [Mon, 15 Apr 2019 18:57:58 +0000 (21:57 +0300)]
mesh: Fix SAE reauthentication processing

ap_free_sta() frees the sta entry, so sta->addr cannot be used after
that call. Fix the sequence of these two calls to avoid use of freed
memory to determine which PMKSA cache entry to remove.

Fixes: 9f2cf23e2e0d ("mesh: Add support for PMKSA caching")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
5 days ago Fix hostapd BSS_TM_REQ handling of bss_term parameter
Jouni Malinen [Mon, 15 Apr 2019 18:11:46 +0000 (21:11 +0300)]
Fix hostapd BSS_TM_REQ handling of bss_term parameter

The TSF field in BSS termination information was not cleared correctly.
It was supposed to be cleared to all zeros, but the memset call did not
point at offset 2; instead, it cleared it with 0x02 octets and also
cleared the subelement header with 0x02 octets while leaving two last
octets uninitialized.

Fixes: a30dff07fb18 ("Add BSS_TM_REQ command to send BSS Transition Management Request")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
5 days ago Fix debug print in GET_PREF_FREQ_LIST handler
Jouni Malinen [Mon, 15 Apr 2019 17:54:12 +0000 (20:54 +0300)]
Fix debug print in GET_PREF_FREQ_LIST handler

Do not use the buf argument to wpas_ctrl_iface_get_pref_freq_list() in
the debug print since it points to the response buffer ("OK\n" without
null termination). This was supposed to print the cmd argument instead.
The previous version ended up using uninitialized heap memory from the
response buffer.

Fixes: 983422088f00 ("nl80211: Add means to query preferred channels")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
5 days ago D-Bus: Fix P2P GroupStarted signal not to use uninitialized IP buffer
Jouni Malinen [Mon, 15 Apr 2019 17:27:52 +0000 (20:27 +0300)]
D-Bus: Fix P2P GroupStarted signal not to use uninitialized IP buffer

wpas_p2p_completed() used wpa_sm_get_p2p_ip_addr() return value properly
for filling in the ip_addr[] string only if the IP addresses got
assigned, but the raw ip[] array was passed to
wpas_dbus_signal_p2p_group_started() regardless of whether the IP
addresses were assigned. This could result in using uninitialized stack
memory for constructing the GroupStarted signal values. Fix this by
filling those in only if the IP addresses are actually available.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
5 days ago tests: Avoid confusing "DETACH failed" exception prints in D-Bus tests
Jouni Malinen [Mon, 15 Apr 2019 17:13:28 +0000 (20:13 +0300)]
tests: Avoid confusing "DETACH failed" exception prints in D-Bus tests

dbus_p2p_go_neg_init, dbus_p2p_group_idle_timeout, and
dbus_p2p_group_termination_by_go could end up printing a "DETACH failed"
exception as a warning from WpaSupplicant.__del__ for the dev1 instance
used within the TestDbusP2p class. This did not cause the test cases to
fail, but the output is a bit confusing, so clean this up by explicitly
closing the control interface monitor sockets and furthermore by
ignoring the "DETACH failed" exception within __del__.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
6 days ago Remove hwsim_test
Jouni Malinen [Mon, 15 Apr 2019 09:44:41 +0000 (12:44 +0300)]
Remove hwsim_test

This external tool was used for testing data connectivity with
mac80211_hwsim. However, the last user for it was removed in 2014 by
commit 1131a1c8d29c ("tests: Replace last remaining hwsim_test uses with
DATA_TEST"), so there is no point in maintaining this forgotten test
tool in the repository anymore.

Signed-off-by: Jouni Malinen <j@w1.fi>
7 days ago tests: Unsupported WNM Action
Jouni Malinen [Sun, 14 Apr 2019 14:34:54 +0000 (17:34 +0300)]
tests: Unsupported WNM Action

Signed-off-by: Jouni Malinen <j@w1.fi>
7 days ago tests: WNM Collocated Interference Reporting errors
Jouni Malinen [Sun, 14 Apr 2019 14:32:03 +0000 (17:32 +0300)]
tests: WNM Collocated Interference Reporting errors

Signed-off-by: Jouni Malinen <j@w1.fi>
7 days ago tests: WNM BSS Transition Management and steering timeout
Jouni Malinen [Sun, 14 Apr 2019 14:21:13 +0000 (17:21 +0300)]
tests: WNM BSS Transition Management and steering timeout

Signed-off-by: Jouni Malinen <j@w1.fi>
7 days ago tests: WNM BSS Transition Management query - TM disabled on AP
Jouni Malinen [Sun, 14 Apr 2019 14:00:23 +0000 (17:00 +0300)]
tests: WNM BSS Transition Management query - TM disabled on AP

Signed-off-by: Jouni Malinen <j@w1.fi>
7 days ago tests: WNM Sleep Mode disabled on AP
Jouni Malinen [Sun, 14 Apr 2019 13:56:00 +0000 (16:56 +0300)]
tests: WNM Sleep Mode disabled on AP

Signed-off-by: Jouni Malinen <j@w1.fi>
7 days ago tests: Use helper function for starting WNM AP
Jouni Malinen [Sun, 14 Apr 2019 13:44:14 +0000 (16:44 +0300)]
tests: Use helper function for starting WNM AP

Signed-off-by: Jouni Malinen <j@w1.fi>
7 days ago tests: WNM Sleep Mode - RSN with OCV - local failure
Jouni Malinen [Sun, 14 Apr 2019 13:02:54 +0000 (16:02 +0300)]
tests: WNM Sleep Mode - RSN with OCV - local failure

Signed-off-by: Jouni Malinen <j@w1.fi>
7 days ago tests: nl80211 freq reporting in station mode
Jouni Malinen [Sun, 14 Apr 2019 09:41:26 +0000 (12:41 +0300)]
tests: nl80211 freq reporting in station mode

Signed-off-by: Jouni Malinen <j@w1.fi>
7 days ago nl80211: Update assoc_freq and bss->freq based on real association info
Jouni Malinen [Sun, 14 Apr 2019 09:37:41 +0000 (12:37 +0300)]
nl80211: Update assoc_freq and bss->freq based on real association info

Move event.assoc_info.freq selection to be after the
nl80211_get_assoc_ssid() call so that the current cfg80211 information
on the operating channel can be used should anything unexpected have
happened between the association request and completion of association.
Furthermore, update bss->freq based on assoc_freq to make that
information a bit more useful for station mode. It was already updated
after channel switches during association, but not at the beginning of
association.

Signed-off-by: Jouni Malinen <j@w1.fi>
7 days ago nl80211: Clear bss->freq on station mode disconnection
Jouni Malinen [Sun, 14 Apr 2019 09:33:37 +0000 (12:33 +0300)]
nl80211: Clear bss->freq on station mode disconnection

This fixes some issues where bss->freq could have been used to replace
the current operating channel when sending out a management frame.
bss->freq has not been consistently used to track the current operating
channel in station mode, so it should not be trusted for this type of
uses. Clearing it makes this a bit more robust by at least avoiding the
cases of information from past association being used.

Signed-off-by: Jouni Malinen <j@w1.fi>
7 days ago tests: eap_pwd_perform_confirm_exchange() local failure
Jouni Malinen [Sat, 13 Apr 2019 15:35:47 +0000 (18:35 +0300)]
tests: eap_pwd_perform_confirm_exchange() local failure

Signed-off-by: Jouni Malinen <j@w1.fi>
7 days ago tests: eap_pwd_perform_commit_exchange() local failures
Jouni Malinen [Sat, 13 Apr 2019 15:34:38 +0000 (18:34 +0300)]
tests: eap_pwd_perform_commit_exchange() local failures

Signed-off-by: Jouni Malinen <j@w1.fi>
7 days ago tests: EAP-pwd commit request error cases
Jouni Malinen [Sat, 13 Apr 2019 15:21:57 +0000 (18:21 +0300)]
tests: EAP-pwd commit request error cases

Signed-off-by: Jouni Malinen <j@w1.fi>
7 days ago Remove the unused crypto_ec_cofactor() function
Jouni Malinen [Sat, 13 Apr 2019 14:33:15 +0000 (17:33 +0300)]
Remove the unused crypto_ec_cofactor() function

All users of this wrapper function were removed, so the wrapper can be
removed as well.

Signed-off-by: Jouni Malinen <j@w1.fi>
7 days ago EAP-pwd: Remove unused checks for cofactor > 1 cases
Jouni Malinen [Sat, 13 Apr 2019 14:30:22 +0000 (17:30 +0300)]
EAP-pwd: Remove unused checks for cofactor > 1 cases

None of the ECC groups supported in the implementation had a cofactor
greater than 1, so these checks are unreachable and for all cases, the
cofactor is known to be 1. Furthermore, RFC 5931 explicitly disallows use
of ECC groups with cofactor larger than 1, so these checks cannot be
needed for any curve that is compliant with the RFC.

Remove the unneeded group cofactor checks to simplify the
implementation.

Signed-off-by: Jouni Malinen <j@w1.fi>
7 days ago tests: EAP-pwd rejection of groups 25, 26, and 27
Jouni Malinen [Sat, 13 Apr 2019 14:16:04 +0000 (17:16 +0300)]
tests: EAP-pwd rejection of groups 25, 26, and 27

Signed-off-by: Jouni Malinen <j@w1.fi>
7 days ago EAP-pwd: Disallow ECC groups with a prime under 256 bits
Jouni Malinen [Sat, 13 Apr 2019 14:20:57 +0000 (17:20 +0300)]
EAP-pwd: Disallow ECC groups with a prime under 256 bits

Based on the SAE implementation guidance update to not allow ECC groups
with a prime that is under 256 bits, reject groups 25, 26, and 27 in
EAP-pwd.

Signed-off-by: Jouni Malinen <j@w1.fi>
7 days ago tests: Remove testing of EAP-pwd groups 25, 26, and 27
Jouni Malinen [Sat, 13 Apr 2019 14:17:09 +0000 (17:17 +0300)]
tests: Remove testing of EAP-pwd groups 25, 26, and 27

This is in preparation of disallowing all use of these groups. Negative
test case for the groups will be added in a separate commit after the
implementation has been changed.

Signed-off-by: Jouni Malinen <j@w1.fi>
7 days ago tests: EAP-pwd local failure in crypto_bignum_rand()
Jouni Malinen [Sat, 13 Apr 2019 14:00:55 +0000 (17:00 +0300)]
tests: EAP-pwd local failure in crypto_bignum_rand()

Signed-off-by: Jouni Malinen <j@w1.fi>
7 days ago OpenSSL: Fix server side openssl_ecdh_curves configuration with 1.0.2
Jouni Malinen [Sat, 13 Apr 2019 13:53:19 +0000 (16:53 +0300)]
OpenSSL: Fix server side openssl_ecdh_curves configuration with 1.0.2

It looks like SSL_CTX_set1_curves_list() command alone is not sufficient
to enable ECDH curve selection with older OpenSSL versions for TLS
server, so enable automatic selection first and specify the exact list
of curves after that.

This fixes failures in openssl_ecdh_curves test case when hostapd uses
OpenSSL 1.0.2.

Signed-off-by: Jouni Malinen <j@w1.fi>
7 days ago tests: EAP-pwd eap_pwd_get_element() local failures
Jouni Malinen [Sat, 13 Apr 2019 10:15:31 +0000 (13:15 +0300)]
tests: EAP-pwd eap_pwd_get_element() local failures

Signed-off-by: Jouni Malinen <j@w1.fi>
8 days ago tests: EAP-pwd compute_password_element() local failures
Jouni Malinen [Sat, 13 Apr 2019 10:01:04 +0000 (13:01 +0300)]
tests: EAP-pwd compute_password_element() local failures

Signed-off-by: Jouni Malinen <j@w1.fi>
8 days ago tests: CONFIG_TLS=linux build of wpa_supplicant
Jouni Malinen [Sat, 13 Apr 2019 09:57:42 +0000 (12:57 +0300)]
tests: CONFIG_TLS=linux build of wpa_supplicant

Signed-off-by: Jouni Malinen <j@w1.fi>
8 days ago tests: crypto_hash_finish() failure in eap_pwd_kdf()
Jouni Malinen [Sat, 13 Apr 2019 09:53:42 +0000 (12:53 +0300)]
tests: crypto_hash_finish() failure in eap_pwd_kdf()

Signed-off-by: Jouni Malinen <j@w1.fi>
8 days ago tests: EAP-EKE rejection of unsupported DH groups 2 and 5
Jouni Malinen [Sat, 13 Apr 2019 09:20:24 +0000 (12:20 +0300)]
tests: EAP-EKE rejection of unsupported DH groups 2 and 5

Signed-off-by: Jouni Malinen <j@w1.fi>
8 days ago tests: Make regdom clearing in WNM tests more robust
Jouni Malinen [Sat, 13 Apr 2019 09:06:25 +0000 (12:06 +0300)]
tests: Make regdom clearing in WNM tests more robust

It looks like the scan operation could end up reverting regdom back to
the previously configured one, so configure 00 country before starting
the disconnect-and-stop-scan operation to give some more time for the
regdom to be cleared.

Signed-off-by: Jouni Malinen <j@w1.fi>
8 days ago tests: Show ifname in country code not cleared messages
Jouni Malinen [Sat, 13 Apr 2019 09:06:09 +0000 (12:06 +0300)]
tests: Show ifname in country code not cleared messages

Signed-off-by: Jouni Malinen <j@w1.fi>
8 days ago tests: Update rrm_beacon_req_last_frame_indication to match implementation
Avraham Stern [Wed, 3 Apr 2019 17:38:49 +0000 (20:38 +0300)]
tests: Update rrm_beacon_req_last_frame_indication to match implementation

The last beacon report indication was set in all the beacon report
elements in the last frame of the beacon report, while it should be set
only in the last beacon report element of the last frame. This is now
fixed in wpa_supplicant, so update the test case expectation to match
the fixed behavior.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
8 days ago RRM: Set last beacon report indication in the last element only
Avraham Stern [Wed, 3 Apr 2019 17:38:49 +0000 (20:38 +0300)]
RRM: Set last beacon report indication in the last element only

The last beacon report indication was set in all the beacon report
elements in the last frame of the beacon report, while it should be
set only in the last beacon report element of the last frame.

Fixes: ecef0687dc33 ("RRM: Support for Last Beacon Report Indication subelement")
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
8 days ago Document BSS expiration configurables
Ben Greear [Wed, 10 Apr 2019 21:01:17 +0000 (14:01 -0700)]
Document BSS expiration configurables

Help the user be aware of the options to configure when
wpa_supplicant will remove a BSS due to expiration.

Signed-off-by: Ben Greear <greearb@candelatech.com>
8 days ago bsd: Fix a typo in error message
Ryo ONODERA [Sat, 13 Apr 2019 00:50:56 +0000 (09:50 +0900)]
bsd: Fix a typo in error message

When SIOCG80211 failed, show error message with SIOCG80211
instead of SIOCS80211.

Signed-off-by: Ryo ONODERA <ryo@tetera.org>
8 days ago tests: Fix trace-cmd recording with python3
Johannes Berg [Fri, 12 Apr 2019 11:20:19 +0000 (13:20 +0200)]
tests: Fix trace-cmd recording with python3

The change to python3 broke trace-cmd recording, two
strings need to be bytes instead. Fix that.

Also add a flush() that seems to be needed now.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
8 days ago Remove unnecessary copying of SSID and BSSID for external_auth
Jouni Malinen [Fri, 12 Apr 2019 17:38:08 +0000 (20:38 +0300)]
Remove unnecessary copying of SSID and BSSID for external_auth

The external authentication command and event do not need to copy the
BSSID/SSID values into struct external_auth since those values are used
before returning from the call. Simplify this by using const u8 * to
external data instead of the array with a copy of the external data.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
8 days ago hostapd: Support external authentication offload in AP mode
Srinivas Dasari [Mon, 18 Mar 2019 09:34:04 +0000 (15:04 +0530)]
hostapd: Support external authentication offload in AP mode

Extend commit 5ff39c1380d9 ("SAE: Support external authentication
offload for driver-SME cases") to support external authentication
with drivers that implement AP SME by notifying the status of
SAE authentication to the driver after SAE handshake as the
driver acts as a pass through for the SAE Authentication frames.

Signed-off-by: Srinivas Dasari <dasaris@codeaurora.org>
8 days ago nl80211: External authentication in driver-based AP SME mode
Srinivas Dasari [Mon, 25 Feb 2019 12:22:05 +0000 (17:52 +0530)]
nl80211: External authentication in driver-based AP SME mode

This extends driver interface to nl80211 by introducing the following
changes,
1. Register for Authentication frames in driver-based AP SME mode.
2. Advertise NL80211_ATTR_EXTERNAL_AUTH_SUPPORT in set_ap when
   offloaded SAE authentication is supported.
3. Extend the NL80211_CMD_EXTERNAL_AUTH interface to also send PMKID
   so that the drivers can respond to the PMKSA cached connection
   attempts from the stations avoiding the need to contact user space
   for all PMKID-based connections.
4. Send external auth status to driver only if it is a driver based
   SME solution.

Signed-off-by: Srinivas Dasari <dasaris@codeaurora.org>
8 days ago Reset beacon_set_done on disabling interface
nakul kachhwaha [Wed, 3 Apr 2019 07:02:59 +0000 (12:32 +0530)]
Reset beacon_set_done on disabling interface

beacon_set_done did not get reset to zero on disabling interface using
DISABLE control interface command and the subsequent ENABLE command will
cause configuration of Beacon/Probe Response/Association Response frame
IEs twice. The unnecessary two step configuration can be avoided by
resetting beacon_set_done on DISABLE so that ENABLE can bring up the
interface in a single step with fully updated IEs.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>