Michal Kazior [Thu, 1 Feb 2018 11:03:28 +0000 (12:03 +0100)]
hostapd: Fix wpa_psk_file support for FT-PSK
For FT-PSK sm->xxkey was populated with only the first password on the
linked list (i.e., last matching password in the wpa_psk_file) in
INITPSK. This caused only that password to be recognized and accepted.
All other passwords were not verified properly and subsequently
prevented clients from connecting.
Hostapd would report:
Jan 30 12:55:44 hostapd: ap0: STA xx:xx:xx:xx:xx:xx WPA: sending 1/4 msg of 4-Way Handshake
Jan 30 12:55:44 hostapd: ap0: STA xx:xx:xx:xx:xx:xx WPA: received EAPOL-Key frame (2/4 Pairwise)
Jan 30 12:55:44 hostapd: ap0: STA xx:xx:xx:xx:xx:xx WPA: invalid MIC in msg 2/4 of 4-Way Handshake
Jan 30 12:55:45 hostapd: ap0: STA xx:xx:xx:xx:xx:xx WPA: EAPOL-Key timeout
Signed-off-by: Michal Kazior <michal@plumewifi.com>
Jouni Malinen [Sun, 4 Feb 2018 10:20:13 +0000 (12:20 +0200)]
wpa_supplicant: Fix parsing errors on additional config file
If the -I<config> argument is used and the referenced configuration file
cannot be parsed, wpa_config_read() ended up freeing the main
configuration data structure and that resulted in use of freed memory in
such an error case. Fix this by not freeing the main config data and
handling the error case in the caller.
Dmitry Shmidt [Thu, 1 Feb 2018 00:34:54 +0000 (00:34 +0000)]
wpa_supplicant: Free config only if it was allocated in same call
If option -I:config points to a non-existing file, the the previously
allocated config must not be freed. Avoid use of freed memory in such an
error case by skipping the incorrect freeing operation.
Adiel Aloni [Tue, 30 Jan 2018 11:10:10 +0000 (13:10 +0200)]
tests: Enable device PS before sending PS-Poll
Linux kernel commit c9491367b759 ("mac80211: always update the PM state
of a peer on MGMT / DATA frames") enforces the AP to check only
mgmt/data frames PM bit, and to update station's power save accordingly.
When sending only a PS-Poll (control frame) the AP will ignore the PM
bit. As the result, the partial virtual bitmap will not be updated, and
the test ap_open_disconnect_in_ps will fail on tshark check. Since the
test needs only the TIM to be updated, setting PS enabled will send NDP
that will signal that the station is sleeping. Sending PS-Poll to enable
power save is not correct, according to the following standard
statement: "A PS-Poll frame exchange does not necessarily result in an
Ack frame from the AP, so a non-AP STA cannot change power management
mode using a PS-Poll frame."
Jouni Malinen [Sun, 4 Feb 2018 09:55:01 +0000 (11:55 +0200)]
OWE: Fix association IEs for transition mode open AP connection
The special case of returning from wpa_supplicant_set_suites() when OWE
transition mode profile is used for an open association did not clear
the wpa_ie buffer length properly. This resulted in trying to use
corrupted IEs in the association request and failed association
(cfg80211 rejects the request or if the request were to go out, the AP
would likely reject it).
Simon Dinkin [Thu, 1 Feb 2018 15:12:03 +0000 (17:12 +0200)]
common: Fix the description of wpa_ctrl_request() function
The blocking timeout of this function was changed from 2 seconds to 10
seconds in this commit 1480633f ("Use longer timeout in
wpa_ctrl_request()"), but the description was never changed accordingly.
Signed-off-by: Simon Dinkin <simon.dinkin@tandemg.com> Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
David Messer [Wed, 31 Jan 2018 16:01:00 +0000 (11:01 -0500)]
Fix compiler issue with CONFIG_TESTING_OPTIONS
Use the preprocessor conditional "ifdef" instead of "if" before
CONFIG_TESTING_OPTIONS to prevent an issue on build systems that treat
undefined preprocessor identifiers as an error.
Signed-off-by: David Messer <david.messer@garmin.com>
Jouni Malinen [Sat, 3 Feb 2018 10:08:09 +0000 (12:08 +0200)]
wpa_cli: Fix cred_fields[] declaration
This was supposed to be an array of const-pointers to const-char; not
something duplicating const for char and resulting in compiler warnings
with more recent gcc versions.
Sunil Dutt [Thu, 1 Feb 2018 11:31:28 +0000 (17:01 +0530)]
SAE: Support external authentication offload for driver-SME cases
Extend the SME functionality to support the external authentication.
External authentication may be used by the drivers that do not define
separate commands for authentication and association
(~WPA_DRIVER_FLAGS_SME) but rely on wpa_supplicant's SME for the
authentication.
Sunil Dutt [Thu, 1 Feb 2018 07:15:41 +0000 (12:45 +0530)]
nl80211: Introduce the interface for external authentication
This command/event interface can be used by host drivers that do not
define separate commands for authentication and association but rely on
wpa_supplicant for the authentication (SAE) processing.
Guisen Yang [Thu, 1 Feb 2018 09:05:19 +0000 (17:05 +0800)]
Add new QCA vendor commands for thermal shutdown
Add new QCA vendor commands and attributes to get thermal information
and send thermal shutdown related commands. Indicates the driver to
enter the power saving mode or resume from the power saving mode based
on the given temperature and thresholds.
Ashok Ponnaiah [Tue, 30 Jan 2018 11:24:39 +0000 (16:54 +0530)]
OWE: Use PMKSA caching if available with driver AP MLME
If a matching PMKSA cache entry is present for an OWE client, use it and
do not go through DH while processing Association Rquest frame.
Association Response frame will identify the PMKID in such a case and DH
parameters won't be present.
Ashok Ponnaiah [Mon, 29 Jan 2018 16:11:03 +0000 (18:11 +0200)]
hostapd: Send broadcast Public Action frame with wildcard BSSID address
Send Public Action frames with wildcard BSSID when destination was
broadcast address. This is required for DPP PKEX where the recipients
may drop the frames received with different BSSID than the wildcard
address or the current BSSID.
Jouni Malinen [Sun, 21 Jan 2018 22:07:44 +0000 (00:07 +0200)]
FILS: Fix extended capability bit setting for FILS in AP mode
FILS capability bit setting could have ended up setting boths biths 72
(correct) and 64 (incorrect; part of Max Number of MSDUs In A-MSDU). Fix
this by adding the missing break to the switch statement.
Fixed: f55acd909e37 ("FILS: Set FILS Capability bit in management frames from AP") Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Fri, 8 Dec 2017 15:05:40 +0000 (17:05 +0200)]
EAP-SIM/AKA: Separate identity for MK derivation
This allows a separate configuration parameter (imsi_identity) to be
used in EAP-SIM/AKA/AKA' profiles to override the identity used in MK
derivation for the case where the identity is expected to be from the
last AT_IDENTITY attribute (or EAP-Response/Identity if AT_IDENTITY was
not used). This may be needed to avoid sending out an unprotected
permanent identity information over-the-air and if the EAP-SIM/AKA
server ends up using a value based on the real IMSI during the internal
key derivation operation (that does not expose the data to others).
Jouni Malinen [Sat, 13 Jan 2018 02:12:46 +0000 (04:12 +0200)]
DPP: Track M.x/N.x/L.x availability for ke derivation
This prevents an issue where duplicated Authentication Response frame
could have resulted in deriving a new ke value after M.x had already
been cleared. This would result in the following configuration exchange
failing. This could happen since many driver do not filter out
retransmitted Public Action frames and link layer. Furthermore, this
could have been used as a denial-of-service attack agains the DPP
exchange.
Jouni Malinen [Sat, 13 Jan 2018 01:56:26 +0000 (03:56 +0200)]
OWE: Allow station in transition mode to connect to an open BSS
If the OWE network profile matches an open network which does not
advertise OWE BSS, allow open connection. The new owe_only=1 network
profile parameter can be used to disable this transition mode and
enforce connection only with OWE networks.
Sunil Dutt [Thu, 21 Dec 2017 12:08:01 +0000 (17:38 +0530)]
Extend NUD Stats to collect the data packet statistics
This commit extends the existing QCA vendor specific NUD_STATS_GET/SET
interface to also collect the statistics of the data packets. The
intention here is to get more comprehensive information to detect the
network unreachability.
Jouni Malinen [Fri, 12 Jan 2018 18:55:33 +0000 (20:55 +0200)]
Copy WLAN-Reason-Code value from Access-Reject to Deauthentication
This makes hostapd use the WLAN-Reason-Code value from Access-Reject
when disconnecting a station due to IEEE 802.1X authentication failure.
If the RADIUS server does not include this attribute, the default value
23 (IEEE 802.1X authentication failed) is used. That value was the
previously hardcoded reason code.
Jouni Malinen [Fri, 12 Jan 2018 18:45:12 +0000 (20:45 +0200)]
RADIUS: Add WLAN-Reason-Code attribute to Access-Reject
Make the RADIUS server in hostapd add WLAN-Reason-Code attribute to all
Access-Reject messages generated based on EAP-Failure from the EAP
server. For now, the reason code value is set to 23 (IEEE 802.1X
authentication failed). This can be extending in future commits to cover
addition failure reasons.
HS 2.0: Set appropriate permission(s) for cert file/folders on Android
This commit adds additional permission to 'SP' and 'Cert' folders
which is needed to copy certificates from Cert to SP. Additionally,
this associates AID_WIFI group id with these folders.
Jouni Malinen [Thu, 11 Jan 2018 23:12:00 +0000 (01:12 +0200)]
Replace RSNE group key management mismatch status/reason codes
Use "cipher out of policy" value instead of invalid group cipher (which
is for the group data frame cipher) and management frame policy
violation (which is used for MFPC/MFPR mismatch).
Jouni Malinen [Mon, 8 Jan 2018 03:19:05 +0000 (05:19 +0200)]
DPP: Authentication exchange retries and channel iteration in hostapd
This extends hostapd with previoiusly implemented wpa_supplicant
functionality to retry DPP Authentication Request/Response and to
iterate over possible negotiation channels.
Jouni Malinen [Mon, 8 Jan 2018 01:37:48 +0000 (03:37 +0200)]
Report offchannel RX frame frequency to hostapd
Not all code paths for management frame RX reporting delivered the
correct frequency for offchannel RX cases. This is needed mainly for
Public Action frame processing in some special cases where AP is
operating, but an exchange is done on a non-operational channel. For
example, DPP Initiator role may need to do this.
Jouni Malinen [Thu, 4 Jan 2018 15:06:40 +0000 (17:06 +0200)]
tests: Enable and require PMF in SAE and OWE test cases with sigma_dut
All SAE and OWE associations are expected to require PMF to be
negotiated, so enable or require PMF in AP and STA configurations
accordingly to match the new sigma_dut behavior.
Jouni Malinen [Fri, 29 Dec 2017 10:01:22 +0000 (12:01 +0200)]
tests: GnuTLS configuration of intermediate CA certificate
GnuTLS seems to require the intermediate CA certificate to be included
both in the ca_cert and client_cert file for the cases of server and
client certificates using different intermediate CA certificates. Use
the user_and_ica.pem file with GnuTLS builds and reorder the
certificates in that file to make this work with GnuTLS.
Jouni Malinen [Thu, 28 Dec 2017 16:46:28 +0000 (18:46 +0200)]
GnuTLS: Suite B validation
This allows OpenSSL-style configuration of Suite B parameters to be used
in the wpa_supplicant network profile. 128-bit and 192-bit level
requirements for ECDHE-ECDSA cases are supported. RSA >=3K case is
enforced using GnuTLS %PROFILE_HIGH special priority string keyword.
Jouni Malinen [Thu, 28 Dec 2017 11:18:15 +0000 (13:18 +0200)]
GnuTLS: Make debug prints clearer for cert/key parsing
Indicate more clearly when the parsing succeeds to avoid ending the
debug prints with various internal GnuTLS internal error messages even
when the parsing actually succeeded in the end.
Jouni Malinen [Wed, 27 Dec 2017 19:06:02 +0000 (21:06 +0200)]
OWE: Try all supported DH groups automatically on STA
If a specific DH group for OWE is not set with the owe_group parameter,
try all supported DH groups (currently 19, 20, 21) one by one if the AP
keeps rejecting groups with the status code 77.
Jouni Malinen [Wed, 27 Dec 2017 16:38:12 +0000 (18:38 +0200)]
Fix MFP-enabled test for disallowed TKIP
The test against use of TKIP was done only in MFP-required
(ieee80211w=2) configuration. Fix this to check the pairwise cipher for
MFP-enabled (ieee80211w=1) case as well.
Jouni Malinen [Wed, 27 Dec 2017 16:26:31 +0000 (18:26 +0200)]
SAE: Add option to require MFP for SAE associations
The new hostapd.conf parameter sae_require_pmf=<0/1> can now be used to
enforce negotiation of MFP for all associations that negotiate use of
SAE. This is used in cases where SAE-capable devices are known to be
MFP-capable and the BSS is configured with optional MFP (ieee80211w=1)
for legacy support. The non-SAE stations can connect without MFP while
SAE stations are required to negotiate MFP if sae_require_mfp=1.
Jouni Malinen [Wed, 27 Dec 2017 10:27:33 +0000 (12:27 +0200)]
tests: Set PMK length in eapol-fuzzer
Commit b488a12948751f57871f09baa345e59b23959a41 ('Clear PMK length and
check for this when deriving PTK') started rejecting PTK derivation
based on PMK length. This reduced coverage from the eapol-fuzzer, so set
the default length when initializing the state machine in the fuzzer to
reach the previously used code paths.
Jouni Malinen [Wed, 27 Dec 2017 10:17:44 +0000 (12:17 +0200)]
SAE: Set special Sc value when moving to Accepted state
Set Sc to 2^16-1 when moving to Accepted state per IEEE Std 802.11-2016,
12.4.8.6.5 (Protocol instance behavior - Confirmed state). This allows
the peer in Accepted state to silently ignore unnecessary
retransmissions of the Confirm message.
Jouni Malinen [Wed, 27 Dec 2017 10:14:41 +0000 (12:14 +0200)]
SAE: Add Rc variable and peer send-confirm validation
This implements the behavior described in IEEE Std 802.11-2016,
12.4.8.6.6 (Protocol instance behavior - Accepted state) to silently
discard received Confirm message in the Accepted state if the new
message does not use an incremented send-confirm value or if the special
2^16-1 value is used. This avoids unnecessary processing of
retransmitted Confirm messages.
Jouni Malinen [Tue, 26 Dec 2017 10:46:22 +0000 (12:46 +0200)]
SAE: Make dot11RSNASAESync configurable
The new hostapd.conf parameter sae_sync (default: 5) can now be used to
configure the dot11RSNASAESync value to specify the maximum number of
synchronization errors that are allowed to happen prior to
disassociation of the offending SAE peer.
Jouni Malinen [Mon, 25 Dec 2017 16:36:17 +0000 (18:36 +0200)]
tests: Make dpp_pkex_test_fail and dpp_pkex_alloc_fail more robust
Wait for test/allocation failure for longer than the wait_fail_trigger()
default two seconds to allow DPP (in particular, PKEX) retransmission to
occur. This removes some issues where the previous wait was more or less
exactly the same duration as the retransmission interval and the first
Listen operation not always starting quickly enough to receive the first
frame.
Jouni Malinen [Sun, 24 Dec 2017 15:41:48 +0000 (17:41 +0200)]
PAE: Remove OpenSSL header dependency
Instead of requiring OpenSSL headers to be available just for the
SSL3_RANDOM_SIZE definition, replace that macro with a fixed length (32)
to simplify dependencies.
Jouni Malinen [Sun, 24 Dec 2017 15:25:39 +0000 (17:25 +0200)]
crypto: Implement new crypto API functions for DH
This implements crypto_dh_init() and crypto_dh_derive_secret() using
os_get_random() and crypto_mod_exp() for all crypto_*.c wrappers that
include crypto_mod_exp() implementation.
Peng Xu [Tue, 12 Dec 2017 17:00:01 +0000 (09:00 -0800)]
Add new QCA vendor attribute for getting preferred channel
A new vendor attribute QCA_WLAN_VENDOR_ATTR_GET_WEIGHED_PCL is added for
getting preferred channels with weight value and a flag to indicate how
the channels should be used in P2P negotiation process.
projects / thirdparty / hostap.git / log
