Jouni Malinen [Wed, 9 Mar 2016 17:38:26 +0000 (19:38 +0200)]
tests: Fix root_ocsp() for multi-OCSP test cases
Incorrect path and file name was used in the openssl command to generate
one of the OCSP responses. Also fix
ap_wpa2_eap_tls_intermediate_ca_ocsp_multi to expect success rather than
failure due to OCSP response. Based on the test description, this was
supposed to succeed, but apparently that root_ocsp() bug prevented this
from happening.
Zefir Kurtisi [Mon, 7 Mar 2016 11:47:01 +0000 (12:47 +0100)]
hostapd: Handle running out of DFS channels
In scenarios where only DFS channels are available (e.g., outdoor,
special country codes), hostapd must be able to handle situations
where all are unavailable.
The two possibilities to get there are
1) while operating on the last available DFS channel a radar is
detected
2) hostapd is started while all channels are unavailable
In both cases, hostapd instead of terminating should better
wait for the NOPs to pass and re-try operation after the CAC.
This patch provides that feature by using the condition
(iface->state == HAPD_IFACE_DFS && !iface->cac_started)
as NOP mode signature to retry operation from within
hostapd_dfs_nop_finished().
Dedy Lansky [Mon, 7 Mar 2016 13:22:54 +0000 (15:22 +0200)]
FST: Fix session setup failure with peer without MB IE
Upon receiving FST setup request on old band, the peer is searched on
new band. The assumption is that MB IE from this peer on new band
previously received either in assoc event or in FST setup request.
There are cases in which above assumption doesn't work, peer is not
found and session setup fails. For example:
- STA connects over 11ac. Due to driver limitation, MB IE is not included
in assoc event
- STA connects over 11ad. MB IE included in assoc event.
- FST session established on 11ac band, with AP as initiator. i.e. FST
setup request sent in AP=>STA direction. STA searches for peer's (AP)
MB IE on 11ad band which exists.
- FST switch occur
- FST session established on 11ad band, with STA as initiator. i.e. FST
setup request sent in STA=>AP direction. AP searches for peer's (STA)
MB IE on 11ac band which are absent.
For fixing the above, consider also peers without MB IE as candidates in
the search algorithm.
Lior David [Thu, 18 Feb 2016 13:20:03 +0000 (15:20 +0200)]
P2P: Add optional op_class argument to P2P_SET listen_channel
The existing implementation in p2p_ctrl_set used a hard-coded operating
class 81 which is only suitable for the social channels in the 2.4 GHz
band, and will not work for the social channel in the 60 GHz band.
Extend this by adding an optional op_class argument to P2P_SET
listen_channel. If not specified, use the default value of 81 to match
existing behavior.
Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
Lior David [Wed, 24 Feb 2016 15:02:29 +0000 (17:02 +0200)]
P2P: Adjust service discovery maximum fragment size for 60 GHz
In the 60 GHz band, service discovery management frames are sent over
the control PHY and have a smaller maximum frame size (IEEE Std
802.11ad-2012, 21.4.3.2). Fix the code to use sufficiently small
fragment size when operating in the 60 GHz band.
The 60 GHz fragment size (928) is derived from the maximum frame size
for control PHY (1023) and subtracting 48 bytes of header size, and some
spare so we do not reach frames with the absolute maximum size.
Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
Naveen Singh [Thu, 3 Mar 2016 18:48:09 +0000 (10:48 -0800)]
D-Bus: Add association response status code property for failure cases
(Re)Association Response frame with status code other than 0 is now
notified over DBUS as a part of PropertiesChanged signal. This can be
used by application in case AP is denying association with status code
17 (band steering) so that it does not interfere in the BSSID selection
logic of wpa_supplicant.
Eliad Peller [Sun, 6 Mar 2016 09:42:37 +0000 (11:42 +0200)]
hostapd: Allow use of driver-generated interface addresses
Add a new 'use_driver_iface_addr' configuration parameter to allow use
of the default interface address generated by the driver on interface
creation. This can be useful when specific MAC addresses were allocated
to the device and we want to use them for multi-BSS operation.
Eliad Peller [Sun, 6 Mar 2016 09:29:16 +0000 (11:29 +0200)]
AP: Save EAPOL received before Association Response ACK
There is a race condition in which AP might receive the EAPOL-Start
frame (from the just-associated station) before the TX completion of the
Association Response frame. This in turn will cause the EAPOL-Start
frame to get dropped, and potentially failing the connection.
Solve this by saving EAPOL frames from authenticated-but-not-associated
stations, and handling them during the Association Response frame TX
completion processing.
Janusz Dziedzic [Fri, 4 Mar 2016 09:20:29 +0000 (10:20 +0100)]
hostapd: Add INTERFACES ctrl_iface command
Return a list of the available interfaces (the main BSS) and optionally
with ctrl_iface when the optional "ctrl" parameter is included. This is
useful when using UDP ctrl_iface and add interfaces using the ADD
command. After that we need to know which UDP port was assigned for the
control interface for the added interface.
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
Janusz Dziedzic [Fri, 4 Mar 2016 09:20:28 +0000 (10:20 +0100)]
hostapd: Update ctrl_interface for UDP to include the selected port
Set up the real ctrl_interface for UDP after having selected the port.
This is in format: udp:<port_no>. This is needed to get accurate
interface <-> udp_port mapping.
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
Janusz Dziedzic [Fri, 4 Mar 2016 09:20:27 +0000 (10:20 +0100)]
wpa_supplicant: Add ctrl parameter to INTERFACES command
"INTERFACES ctrl" can now be used to fetch a list of network interfaces
and their control interfaces, e.g., to fetch the UDP port information
for the control interface.
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
Eliad Peller [Thu, 3 Mar 2016 16:18:30 +0000 (18:18 +0200)]
P2P: Respect p2p_ignore_shared_freq on p2p_group_add
Make sure wpas_p2p_init_go_params() respects the p2p_ignore_shared_freq
configuration option. Choose currently used frequencies only if this
option is not set, or if there are no unused channels left.
Ilan Peer [Mon, 29 Feb 2016 12:30:05 +0000 (14:30 +0200)]
P2P: Update peer listen channel from Probe Request frames
In case a Probe Request frame is received from a known peer P2P Device,
update the listen channel based on the P2P attributes in the Probe
Request frame. This can be useful for cases where the peer P2P Device
changed its listen channel, and the local P2P device is about to start a
GO Negotiation or invitation signaling with the peer.
Ayala Beker [Mon, 29 Feb 2016 12:30:03 +0000 (14:30 +0200)]
nl80211: Abort an ongoing scan upon scan timeout indication
Currently, when scan is stuck in the kernel/driver/fw,
the nl80211 driver tries to recover by faking a SCAN_RESULTS flow.
However, the scan is still stuck in the kernel/driver/fw.
To avoid that stuck request, abort it upon scan timeout.
Ilan Peer [Mon, 29 Feb 2016 12:30:02 +0000 (14:30 +0200)]
tests: Handle different delays in discovery_and_interface_disabled
Test different delay intervals between the INTERFACE_DISABLED event
and the INTERFACE_ENABLED event for discovery_and_interface_disabled.
Previously, only a delay of 1 second was used, in which case the
scan results for the P2P_FIND operation were received after the
interface was enabled again, and the case the scan results were
received while the interface was disabled was not covered.
Ilan Peer [Mon, 29 Feb 2016 12:30:01 +0000 (14:30 +0200)]
wpa_supplicant: Handle EVENT_SCAN_RESULTS when an interface is disabled
An interface can be disabled while it has an ongoing scan request.
In such a case, when the scan results notification is received,
it was being ignored (as the interface is already disabled) so the
scan state was not cleared. This can cause undetermined behavior
for the next scan request.
To handle this, clear the scan state when EVENT_SCAN_RESULTS is
received and the interface is disabled.
Avraham Stern [Mon, 29 Feb 2016 12:30:00 +0000 (14:30 +0200)]
WNM: Do not scan based on malformed BSS Transition Management Request
Verify that when the Candidate List Included bit is set in a BSS
Transition Management Request frame, the candidate list actually
includes at least one candidate. If no candidates are included, reject
the request without scanning.
Avraham Stern [Mon, 29 Feb 2016 12:29:59 +0000 (14:29 +0200)]
WNM: Fix candidates count in BSS Transition Management Request
In BSS Transition Management Request frame, it is possible that vendor
specific IEs are included after the candidate list. In this case the
candidates count was incremented for each IE although the candidate list
is already over which could result in adding all zeros candidates into
the neighbor list.
Fix that by incrementing the candidates count only for neighbor report
elements.
Ilan Peer [Mon, 29 Feb 2016 12:29:58 +0000 (14:29 +0200)]
wpa_cli: Support running action script on global control interface
In case wpa_cli is started with an option to execute an action script,
but no interface is specified, wpa_cli might crash in wpa_cli_exec() if
arg1 == NULL. Fix this be setting arg1 = "global".
Adam Langley [Fri, 23 Jan 2015 01:13:10 +0000 (17:13 -0800)]
Android: Remove superfluous OpenSSL include paths
The libcrypto and libssl modules (and their respective static and host
versions) use LOCAL_EXPORT_C_INCLUDE_DIRS thus just including the module
is sufficient.
Daichi Ueura [Tue, 1 Mar 2016 18:26:38 +0000 (03:26 +0900)]
HS 2.0R2: Clear fetch_anqp_in_progress if fopen fails
Clear wpa_s->fetch_anqp_in_progress when osu-providers.txt can't be
opened. An issue happens, for instance, when wpa_supplicant doesn't
have correct access permission to the directory specified by osu_dir.
If hs20_osu_fetch_done method returns without clearing the flag,
'FETCH_OSU' command will never work correctly.
Eliad Peller [Wed, 2 Mar 2016 12:38:41 +0000 (14:38 +0200)]
Fix CONFIG_WPA_TRACE=y compilation without CONFIG_WPA_TRACE_BFD=y
syms is defined only for WPA_TRACE_BFD:
../src/utils/trace.c: In function ‘wpa_trace_deinit’:
../src/utils/trace.c:372:7: error: ‘syms’ undeclared (first use in this function)
free(syms);
^
../src/utils/trace.c:372:7: note: each undeclared identifier is reported only once for each function it appears in
make: *** [../src/utils/trace.o] Error 1
make: *** Waiting for unfinished jobs....
Lior David [Sat, 20 Feb 2016 14:45:58 +0000 (16:45 +0200)]
P2P: Add Dev Info attribute to Probe Request frames in 60 GHz
When building P2P IE for Probe Request frames in P2P scan, add the
device information attribute if the 60 GHz band is included in the scan,
since this is required by the P2P specification.
Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
Lior David [Sat, 20 Feb 2016 11:28:27 +0000 (13:28 +0200)]
P2P: Change order of P2P IE and frequencies set up
When setting up parameters for P2P scan, calculate the frequencies
for the scan before calculating the scan IE. This is because
the scan IE calculation may need information about the scan
frequencies in use.
Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
Android: Allow wpa_supplicant to write files to osu-info dir
This commit allows any process running with group id of AID_WIFI to
read/write files to osu-info directory. Also, it allows other users to
read and search the osu-info directory.
This fixes issues with hs20-osu-client creating a directory for
wpa_supplicant use without wpa_supplicant actually having privileges to
write there on Android where the wpa_supplicant process does not run as
root.
Dedy Lansky [Thu, 25 Feb 2016 08:03:07 +0000 (10:03 +0200)]
FST: Enlarge State Transition Timeout (STT)
STT guards the exchange of FST Action frames with the peer station.
It was observed that sometimes Action frames sending is delayed at
driver/FW layers for few hundreds millisec.
Peng Xu [Tue, 1 Mar 2016 19:13:25 +0000 (11:13 -0800)]
Add error handling for offloaded ACS with vendor command failures
In case vendor ACS command returns invalid channel or hardware mode,
complete the interface setup with an error code instead of simply
return, so that hostapd can properly clean up the interface setup.
Jouni Malinen [Thu, 3 Mar 2016 09:04:38 +0000 (11:04 +0200)]
Fix scan rescheduling from wpas_stop_pno to check postponed case
Commit 02e122a995dea947a2ad2c0d85190d709f9128b7 ('Reschedule scan from
wpas_stop_pno if it was postponed') uses wpa_s->scanning as the only
condition for automatically starting a postponed scan request from
EVENT_SCHED_SCAN_STOPPED event handler. However, wpa_s->scanning may be
set for sched_scan and as such, this can result in unexpected extra
scans without there having been any real postponed request.
Make this more accurate by verifying that there really is a pending
request for a scan before speeding up its start.
Jouni Malinen [Mon, 29 Feb 2016 15:40:23 +0000 (17:40 +0200)]
RADIUS: Add Acct-Delay-Time into accounting messages
This tells to the server how long we have been trying to transmit the
message so that the actual time of the message generation can be
determined from receive time (ignoring network delays and only at
accuracy of one second).
For interim updates, only value 0 is used since there are no
retransmissions of the same message. For other accounting messages, the
initial attempt goes out with value 0 and the retransmissions, if
needed, show the number of seconds the message has been waiting in the
queue.
Update the Identifier and Authenticator in the messages whenever
updating the Acct-Delay-Time per RFC 2866, 4.1 requirements.
Jouni Malinen [Mon, 29 Feb 2016 09:44:43 +0000 (11:44 +0200)]
RADIUS: Update full message for interim accounting updates
Instead of using the RADIUS client retransmission design with the old
RADIUS message contents for each retry, trigger a completely new interim
accounting update instance more quickly (using the same schedule as
RADIUS message retransmissions) to improve accounting updates in cases
where RADIUS message delivery fails. This allows the server to get up to
date information from the time the "retry" message was sent instead of
the old information from the time the first failed attempt was sent.
Michael Braun [Wed, 24 Feb 2016 11:53:41 +0000 (12:53 +0100)]
FT: Check destination MAC address on RRB receive
As the Linux variant of l2_packet_init() does not use its own_addr
argument and l2_packet_receive() does not filter on destination MAC
address, this needs to be checked in the callback.
If there are multiple BSSes listening for FT RRB packets, all their
BSSIDs need to be local to the bridge interface. As l2_packet_init() is
going to receive all of them going for any local address, those RRB
messages started turning up on BSSes that were not destinated for and
cluttering logs.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Michael Braun [Wed, 24 Feb 2016 11:53:38 +0000 (12:53 +0100)]
RADIUS: Allow RADIUS server to provide PSK instead of passphrase
If the AP is slow, passphrase hashing takes too long to serve the client
before timeout. Extend the Tunnel-Password design to allow a 64
character value to be interpreted as a PSK and send SSID to RADIUS
server. This allows the RADIUS server to either take care of passphrase
hashing or to use raw PSK without such hashing.
This is especially important for FT-PSK with FT-over-air, where hashing
cannot be deferred.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Michael Braun [Wed, 24 Feb 2016 11:53:37 +0000 (12:53 +0100)]
Cache hashed passphrase in RADIUS-based PSK delivery
Instead of copying the full struct hostapd_sta_wpa_psk_short, share the
existing entry and use reference counting to check when it needs to be
freed. This allows caching of PSKs derived from passphrases to avoid
having to perform the heavy hashing operation multiple times.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Michael Braun [Wed, 24 Feb 2016 11:53:36 +0000 (12:53 +0100)]
Defer passphrase-to-PSK hashing out of 802.11 authentication ACL check
Hashing takes quite some time (can be about one second on a low-power
CPU for each passphrase provided), so hostapd can easily hit the 900 ms
Wi-Fi client authentication deadline (mac80211 uses 3x 300 ms). This can
be fixed by storing the passphrase instead of PSK with the STA and defer
the hashing into the WPA/RSN 4-way handshake, when enumerating all PSKs.
This applies for the case where a RADIUS server is used to store the
per-STA passphrases and this passphrase is delivered as part of the MAC
ACL check during IEEE 802.11 Authentication frame processing.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Michael Braun [Wed, 24 Feb 2016 11:53:34 +0000 (12:53 +0100)]
FT: Use BSSID as r1_key_holder if no value is configured
r1_key_holder is an identifier that was always set to zero if unless
configured before.
See 11.6.1.7.4 of IEEE Std 802.11-2012 which reads
"R1KH-ID is a MAC address of the holder of the PMK-R1 in the
Authenticator of the AP"
See 12.2.2 of IEEE Std 802.11-2012 which reads
"Each R0KH-ID and R1KH-ID is assumed to be expressed as a unique
identifier within the mobility domain."
"The R1KH-ID shall be set to a MAC address of the physical entity
that stores the PMK-R1 ..."
Defaulting this to BSSID is a more reasonable value since we have not
rejected the missing r1_key_holder as invalid configuration.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Michael Braun [Wed, 24 Feb 2016 11:53:24 +0000 (12:53 +0100)]
tests: FT RRB internal delivery to non-WPA BSS
A malicious station could try to do FT-over-DS with a non WPA-enabled
BSS. When this BSS is located in the same hostapd instance, internal RRB
delivery will be used and thus the FT Action Frame will be processed by
a non-WPA enabled BSS. This processing used to crash hostapd as
hapd->wpa_auth is NULL.
This test implements such a malicious request for regression testing.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Michael Braun [Wed, 24 Feb 2016 11:53:25 +0000 (12:53 +0100)]
FT: Check hapd->wpa_auth before RRB internal delivery
A malicious station could try to do FT-over-DS with a non WPA-enabled
BSS. When this BSS is located in the same hostapd instance, internal RRB
delivery will be used and thus the FT Action Frame will be processed by
a non-WPA enabled BSS. This processing used to crash hostapd as
hapd->wpa_auth is NULL. If the target BSS is on a different hostapd
instance, it will not listen for these packets and thus not crash.
Fix this by checking hapd->wpa_auth before delivery.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Michael Braun [Wed, 24 Feb 2016 11:53:11 +0000 (12:53 +0100)]
FT: Fix R0KH-R1KH protocol data length values
The FT RRB hostapd packets have a length field. For PULL frames, it
counted the bytes starting with nonce and up to the last before pad. For
RESP frames, it counted the bytes starting with nonce and up to the last
before pad except for 2 bytes. For PUSH frames, it counted the bytes
starting with nonce and up to including pad.
As rounding is done with AES encryption, including pad does not make
sense. Not including the last field before pad does not make sense
either. These were broken in the earlier addition of the 2 octet
pairwise field in commit 1b484d60e55a01d02bf01f790a7c6fb9ea606098 ('FT:
Include pairwise cipher suite in PMK-R0 SA and PMK-R1 SA').
AES encryption is not affected, as rounding hides the differences. The
packets data_length field is not used, so the differences have no effect
there.
This patch changes the constants to match the bytes used, thus excluding
the pad. To validate the changes, look at remainder modulo 8 of the sum
of the size constants and the padding sizes.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Michael Braun [Wed, 24 Feb 2016 11:53:10 +0000 (12:53 +0100)]
tests: RSN pre-auth and PMKSA caching with per_sta_vif
This adds new tests to verify pmksa_cache_preauth when
used with per_sta_vif and possibly vlans.
While at it it refactors the code such that the tests
pmksa_cache_preauth
pmksa_cache_preauth_vlan_enabled
pmksa_cache_preauth_vlan_used
pmksa_cache_preauth_per_sta_vif
pmksa_cache_preauth_vlan_enabled_per_sta_vif
pmksa_cache_preauth_vlan_used_per_sta_vif
share code where possible.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Michael Braun [Wed, 24 Feb 2016 11:53:08 +0000 (12:53 +0100)]
tests: Verify correct VLAN operation after reconnect
This adds a test case ap_vlan_reconnect. It connects, disconnects, and
reconnects a station in a VLAN. This tests for a regression with
wpa_group entering the FATAL_FAILURE state as the AP_VLAN interface is
removed before the group was stopped.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Jouni Malinen [Fri, 26 Feb 2016 16:21:51 +0000 (18:21 +0200)]
tests: P2P group formation with driver using cfg80211 P2P Device
This extends the P2P Device testing coverage to include the newly
enabled option of using the primary interface (e.g., wlan0) for P2P
group operation instead of always forcing a separate group interface to
be created dynamically.
Lior David [Sun, 24 Jan 2016 15:36:49 +0000 (17:36 +0200)]
P2P: Support dedicated P2P_DEVICE without separate group interface
Add support for drivers with dedicated P2P_DEVICE interface, but without
group interface concurrency (only a single netdev is used). With such
devices, wpa_supplicant tried to use the p2p_dev interface instead of
the group interface and most P2P operations failed. Extend
wpa_supplicant to use the primary interface instead of a separate group
interface in such cases.
Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
Lior David [Sun, 24 Jan 2016 15:36:49 +0000 (17:36 +0200)]
P2P: Add a separate pointer to the P2P Device instance
In many places in the code there was a reference to wpa_s->parent to get
from group interface to p2p_dev interface. These places can break if
P2P_DEVICE interface would need to be used with the primary interface as
the group interface, since the parent of the primary interface points to
itself and not the p2p_dev interface.
Fix this by adding a separate "p2pdev" pointer to wpa_supplicant,
it will be the same as parent pointer in most cases but whenever
the primary interface is used as a group interface, change it to
point to the correct p2p_dev interface.
Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
Jouni Malinen [Sat, 27 Feb 2016 16:49:31 +0000 (18:49 +0200)]
GAS client: Make PMF check on RX more consistent
Use the SA field instead of BSSID in the received Action frame to
determine whether PMF has been negotiated with the transmitter. While
these fields are supposed to be same for Public Action frames from an
AP, it would be possible that a frame is received with different values.
The following operations in gas_query_rx() use SA, so do the same for
the PMF check.
Jouni Malinen [Fri, 26 Feb 2016 15:16:35 +0000 (17:16 +0200)]
WNM: Optimize a single BSS transition management candidate scan
If the BSS Transition Management Request frame includes only a single
candidate and we need to scan for the BSS to get up-to-date information,
use a scan for the known BSSID instead of wildcard BSSID. In addition,
set the SSID in the scan if it is known based on old scan results in the
BSS table. This removes unnecessary Probe Response frames when we are
interested in results from only a single BSS.
Jouni Malinen [Wed, 24 Feb 2016 10:20:31 +0000 (12:20 +0200)]
AP: Store STA supported operating classes information
This makes hostapd track Supported Operating Classes information from
the associated STAs. The stored information is available through the STA
control interface command (supp_op_classes row) as a hexdump of the
Supported Operating Classes element starting from the Length field. This
information can be used as input to BSS transition management and
channel switching decisions.