Jouni Malinen [Wed, 10 Oct 2012 14:38:06 +0000 (17:38 +0300)]
WPS: Limit number of active wildcard PINs to one
Previously, WPS Registrar allowed multiple wildcard PINs to be
configured. This can get confusing since these PINs get assigned to any
Enrollee that does not have a specific PIN and as such, cannot really be
used with different PIN values in reasonable ways. To avoid confusion
with multiple enabled PINs, invalidate any previously configured
wildcard PIN whenever adding a new one.
Jouni Malinen [Wed, 10 Oct 2012 14:22:35 +0000 (17:22 +0300)]
WPS: Allow PIN timeout to be specified with wpa_supplicant AP/GO
Extend the wpa_cli wps_pin command to support specification of the PIN
expiration time in seconds similarly to hostapd_cli wps_pin command when
using wpa_supplicant for AP mode (including P2P GO).
Jouni Malinen [Wed, 10 Oct 2012 10:08:23 +0000 (13:08 +0300)]
P2P: Allow P2P functionality to be disabled per interface
By default, P2P is enabled globally for all virtual interfaces and this
makes wpa_supplicant include WSC and P2P IEs in Probe Request frames for
all scans even if this is for a non-P2P station connection to speed up
device discovery. If an interface is dedicated for non-P2P station mode
operations, it is now possible to disable addition of WSC and P2P IEs
into Probe Request frames with a per-interface p2p_disabled parameter.
This can be set either in the configuration file (p2p_disabled=1) or at
run time ("wpa_cli -i wlan0 set p2p_disabled 1"). Unlike the previous
mechanism ("wpa_cli p2p_set disabled 1"), the new parameter changes the
behavior only for the specified interface while other interfaces
continue to follow the global P2P enabled/disabled state.
Jouni Malinen [Tue, 9 Oct 2012 10:06:37 +0000 (13:06 +0300)]
Do not clear PMKSA cache on all network block parameter changes
The bssid and priority parameters in a network block do not have any
effect on the validity of a PMKSA cache entry, so avoid flushing the
PMKSA cache when only these parameters are changed. This is mainly
to allow forced roaming or network selection changes without causing
a disconnection if the changes are done during RSN association that
used EAP.
Jouni Malinen [Mon, 8 Oct 2012 14:49:54 +0000 (17:49 +0300)]
Filter out unlikely "pre-shared key may be incorrect" messages
Add a function to filter out known cases of disconnection during 4-way
handshake that are caused by something else than mismatch in PSK. This
commit adds the case where the local end determines a mismatch in
WPA/RSN element between Beacon/Probe Response frames and EAPOL-Key msg
3/4.
This can avoid some potentially confusing "WPA: 4-Way Handshake failed -
pre-shared key may be incorrect" ctrl_iface messages.
Jouni Malinen [Sun, 7 Oct 2012 17:18:10 +0000 (20:18 +0300)]
EAP-TLS: Add extra validation for TLS Message Length
While the existing code already addresses TLS Message Length validation
for both EAP-TLS peer and server side, this adds explicit checks and
rejection of invalid messages in the functions handling reassembly. This
does not change externally observable behavior in case of EAP server.
For EAP peer, this starts rejecting invalid messages instead of
addressing them by reallocating the buffer (i.e., ignoring TLS Message
Length in practice).
Jouni Malinen [Sun, 7 Oct 2012 17:06:29 +0000 (20:06 +0300)]
EAP-TLS server: Fix TLS Message Length validation
EAP-TLS/PEAP/TTLS/FAST server implementation did not validate TLS
Message Length value properly and could end up trying to store more
information into the message buffer than the allocated size if the first
fragment is longer than the indicated size. This could result in hostapd
process terminating in wpabuf length validation. Fix this by rejecting
messages that have invalid TLS Message Length value.
This would affect cases that use the internal EAP authentication server
in hostapd either directly with IEEE 802.1X or when using hostapd as a
RADIUS authentication server and when receiving an incorrectly
constructed EAP-TLS message. Cases where hostapd uses an external
authentication are not affected.
Thanks to Timo Warns for finding and reporting this issue.
Jouni Malinen [Sat, 6 Oct 2012 16:30:54 +0000 (19:30 +0300)]
SAE: Add Finite Cyclic Group negotiation and Send-Confirm
This replaces the previously used bogus test data in SAE messages with
the first real field. The actual SAE authentication mechanism is still
missing and the Scaler, Element, and Confirm fields are not included.
Jouni Malinen [Fri, 5 Oct 2012 17:37:49 +0000 (20:37 +0300)]
P2P: Fix network removal on P2P connect to select correct block
If wpa_s->current_ssid is not set (e.g., after disconnection that
did not result in immediate group removal), an incorrect group could
have been removed since the network block iteration here could select
the network block that is used to store persistent group credentials.
Fix this by verifying that disabled != 2 to avoid picking the network
block that could not have been the temporary P2P group.
Sunil Dutt [Thu, 4 Oct 2012 18:11:04 +0000 (21:11 +0300)]
WPS: Reenable the networks disabled during wpa_wpas_reassoc
During the association for the WPS handshake all the other configured
networks are disabled. This patch makes wpa_supplicant reenable the
disabled networks after the success/failure of the WPS handshake.
Jouni Malinen [Wed, 3 Oct 2012 11:17:41 +0000 (14:17 +0300)]
Interworking: Unshare ANQP results on explicit ANQP requests
When ANQP_GET or HS20_ANQP_GET is used to request ANQP information,
unshare the ANQP information (i.e., create a per-BSS copy of it) to
make sure the information from the specified BSS is available in case
the APs provide different information within HESSID.
Jouni Malinen [Wed, 3 Oct 2012 10:58:56 +0000 (13:58 +0300)]
HS 2.0: Include parsed WAN Metrics in RX-HS20-ANQP event
This adds parsed version of WAN Metrics information to the control
event message as follows:
RX-HS20-ANQP 02:00:00:00:01:00 WAN Metrics 01:8000:1000:80:240:3000
format: <WAN Info>:<DL Speed>:<UL Speed>:<DL Load>:<UL Load>:<LMD>
WAN Info: B0-B1: Link Status, B2: Symmetric Link, B3: At Capabity
(encoded as two hex digits)
Downlink Speed: Estimate of WAN backhaul link current downlink speed in kbps;
1..4294967295; 0 = unknown
Uplink Speed: Estimate of WAN backhaul link current uplink speed in kbps
1..4294967295; 0 = unknown
Downlink Load: Current load of downlink WAN connection (scaled to 255 = 100%)
Uplink Load: Current load of uplink WAN connection (scaled to 255 = 100%)
Load Measurement Duration: Duration for measuring downlink/uplink load in
tenths of a second (1..65535); 0 if load cannot be determined
Jouni Malinen [Mon, 1 Oct 2012 13:07:07 +0000 (16:07 +0300)]
Fix build without CONFIG_WPS=y
Commit 620c783753bddd37988269314862dc7e4a62f700 modified
wpas_wps_ssid_bss_match() prototype but forgot to update the non-WPS
wrapper inline function. Fix that to match with the new bss parameter
type.
P2P: Add a conf parameter to start a GO as HT40 if allowed
When specified in the conf file this parameter will make all invocations
of p2p_group_add, p2p_connect, and p2p_invite behave as if "ht40" has
been specified on the command line. This shouldn't do harm since
regulatory constraints and driver capabilities are consulted anyway
before starting HT40 mode.
These values are used with WAPI and CCX and reserving the definitions
here reduces the number of merge conflicts with repositories that
include these functions.
This introduces new AKM for SAE and FT-SAE and adds the initial parts
for going through the SAE Authentication frame exchange. The actual SAE
algorithm and new fields in Authentication frames are not yet included
in this commit and will be added separately. This version is able to
complete a dummy authentication with the correct authentication
algorithm and transaction values to allow cfg80211/mac80211 drivers to
be tested (all the missing parts can be handled with
hostapd/wpa_supplicant changes).
Dan Williams [Sat, 29 Sep 2012 16:06:30 +0000 (19:06 +0300)]
dbus: Add global capabilities property
Otherwise it's difficult to determine if the supplicant was built with
CONFIG_AP, CONFIG_IBSS_RSN, CONFIG_P2P, etc. CONFIG_AP and CONFIG_P2P
can be inferred from the introspection data of the Interface object,
but CONFIG_IBSS_RSN does not change the introspection data at all and
thus it's impossible to determine whether the supplicant supports it
without knowing its compile-time options.
Signed-hostap: Dan Williams <dcbw@redhat.com>
intended-for: hostap-1
P2P: Fix p2p_cancel processing during group formation
The wpa_s->p2p_in_provisioning flag did not get cleared in some cases
where p2p_cancel command is used to stop group formation. This can result
in some operations (like p2p_find) failing afterwards. Fix this by using
wpas_group_formation_completed() when processing p2p_cancel for a group
that has not yet completed group formation.
The pending GAS entry must be removed from the list when it is removed.
This fixes an issue with potential segfault due to freed memory being
accessed if the driver fails to accept a GAS query.
Add disallow_aps parameter to disallow BSSIDs/SSIDs
External programs can use this new parameter to prevent wpa_supplicant
from connecting to a list of BSSIDs and/or SSIDs. The disallowed BSSes
will still be visible in scan results and it is possible to run ANQP
operations with them, but BSS selection for connection will skip any
BSS that matches an entry in the disallowed list.
The new parameter can be set with the control interface SET command
using following syntax:
For example:
wpa_cli set disallow_list "ssid 74657374 bssid 001122334455 ssid 68656c6c6f"
wpa_cli set disallow_list
(the empty value removes all entries)
P2P: Fix ignoring of PD Response due to dialog token mismatch
Commit 6b56cc2d97fe9efd1feea8d418714b4658b056f1 added clearing of the
p2p->pending_action_state too early in this function. This should not
be done if we are going to silently ignore the frame due to dialog
token mismatch. Fix this by moving the code around to check the dialog
token first.
This issue resulted in PD Request retries getting stopped too early if
the peer is sending out an unexpected PD Response (e.g., because of it
being excessively slow with the response so that the response is
received only after the next TX attempt with a new dialog token).
It is possible for the P2P client group to be removed while waiting for
a pending scan operation (e.g., when p2p_group_idle timeout hits after
getting disconnected from the GO with something else than
Deauthentication with reason code 3). If this happens with a P2P
interface that is used both for P2P Device and group roles, scan state
could get stuck while waiting for the next scan to complete since no
more station (P2P client) mode scans are scheduled. Fix this by clearing
sta_scan_pending when removing the temporary group network block.
P2P: Allow peer to propose channel in invitation process
Make Invitation process for re-invoking a persistent group behave
similarly to GO Negotiation as far as channel negotiation is concerned.
The Operating Channel value (if present) is used as a starting point if
the local device does not have a forced operating channel (e.g., due to
concurrent use). Channel lists from devices are then compared to check
that the selected channel is in the intersection. If not, channel is
selected based on GO Negotiation channel rules (best channel preferences
etc.). Invitation Request is rejected if no common channel can be
selected.
P2P: Fix pending-sta-scan processing for concurrent operation cases
If two P2P_FIND commands and a station mode SCAN command are issued in a
sequence with the second P2P_FIND and SCAN commands started before the
initial scan from the first P2P_FIND command has completed,
sta_scan_pending may be left set without an automatic way of getting it
cleared. This can get P2P search stuck if no further station mode scan
operations are run.
Fix this by clearing the sta_scan_pending flag whenever station mode scans
are stopped due to no enabled networks resulting in INACTIVE mode getting
entered. In addition, avoid setting sta_scan_pending flag when a special
scan_res_handler is set so that this does not get enabled on the P2P
Device interface during a P2P search operation.
If there are any disabled networks, show a debug print with the count
of those networks when no enabled networks are found. This can be
helpful in trying to figure out why scans are being skipped.
The ASCII hexdump is somewhat difficult to search for (especially on
Android builds), so make the debug log easier to parse by printing the
full control interface command as a text string. In addition, use
wpa_dbg() to get the interface name printed so that multi-interface
cases can be debugged.
Setting just ssid->passphrase is not enough to complete the network
block for the GO entry. Also the PSK needs to be derived so that the
network is considered enabled by wpas_network_disabled(). The previous
version worked as long as something else allowed the scan request to be
performed (this is needed even though the actual scan is skipped when
starting GO).
The first GO start was allowed because wpa_s->scan_req is initialized to
1 in wpa_supplicant_alloc(). However, other attempts may fail if
wpa_s->scan_req is cleared. This failure shows up as "No enabled
networkas - do not scan" in debug log followed by state change to
INACTIVE when trying to start GO.
Fix this by deriving PSK from the passphrase for GO mode.
P2P: Fix p2p_group_idle in no-group-interface P2P client case
Commit 30ee769235f3170d9bf6b62c11c6e018e97deb84 started skipping P2P
group removal if wpa_s->current_ssid is not set and commit 0d30cc240fa36905b034dc9676f9d8da0ac18e56 started clearing
wpa_s->current_ssid on disconnection. This combination broke
p2p_group_idle timeout on P2P client interface in a case where no
separate P2P group interface is used and when the disconnection is
triggered by something else than an explicit indication of GO
terminating the group.
Fix this by relaxing network block matching rules when figuring out
whether any of the configured network blocks could be in P2P use. The
p2p_group flag alone should be enough for this since temporary P2P group
network blocks are removed once the P2P group is terminated.
Dan Williams [Sun, 23 Sep 2012 10:55:58 +0000 (13:55 +0300)]
wpa_supplicant: Set state to DISCONNECTED on AP creation errors
If the AP creation failed (missing freq= or driver error) the supplicant
would previously stay in SCANNING state forever. Instead, it should
handle the error a bit better and drop back to DISCONNECTED so clients
know something went wrong.
Signed-hostap: Dan Williams <dcbw@redhat.com>
intended-for: hostap-1
Felix Fietkau [Sun, 23 Sep 2012 10:23:16 +0000 (13:23 +0300)]
hostapd: Clear WLAN_STA_ASSOC_REQ_OK if sending the assoc response failed
As long as WLAN_STA_ASSOC_REQ_OK is set in sta->flags, Class 3 frames do
not trigger a disassoc/deauth. If it is still set even after the assoc
response tx has already failed, it may take somewhat longer for clients
to realize that the connection wasn't fully established.
P2P: Remove channel 14 from supported P2P channels
Channel 14 is available only in Japan and is DSSS-only according to
IEEE 802.11-2012 19.4.3 and MIC Equipment Ordinance (EO)
for Regulating Radio Equipment article 49.20.
At the same time, P2P should avoid using DSSS modulation in normal
operation according to P2P specification v1.2 2.4.1.
P2P: Fix p2p_ctrl_invite_persistent() to parse peer parameter
Commit 4d32c0c44db43d496f45c5094a9b6ae60c35115e added another use for the
local pos variable and that broke the mechanism used to determine wheter
the peer address was provided. Fix this by using a separate pointer to the
peer address.
Do not inform other virtual interfaces of scan results in all cases
If a connection operation is started on an interface based on scan
results, other virtual interfaces should not be information about the
results to avoid potential concurrent operations during the association
steps. Since the sibling notification of scan results received was added
as an optimization, skipping it for this type of cases is the simplest
way of avoiding unnecessary concurrent operations.
P2P: Check all interfaces for pending scan for p2p_scan failures
Driver could reject the new scan based on any virtual interface
running a concurrent scan. As such, mark the pending scan callback
for P2P based on any interfaces instead of just the one used for
the p2p_scan operation.
P2P: Move p2p_cb_on_scan_complete to global context
Since we have a global P2P module, the flag to trigger scan completion
events to it needs to be in similar context. The previous design
maintained this separately for each virtual interface and if P2P module
did not run its scan operation on the virtual interface that completed
the scan, P2P module would not be allowed to restart operations
properly.
Fix last_scan_res update existing BSS entry is update
The BSS pointer may change if the entry needs to be reallocated
and the new pointer has to be added to the last_scan_res array
to avoid using pointers to freed memory.
This is a generic AES CCM implementation that can be used for other
purposes than just implementing CCMP, so it fits better in a separate
file in src/crypto.
Enable 256-bit key AES in internal TLS implementation
Now that the internal AES implementation supports 256-bit keys, enable
use of the TLS cipher suites that use AES-256 regardless of which crypto
implementation is used.
AES uses the same 128-bit block size with 128, 192, 256 bit keys, so use
the fixed block size definition instead of trying to dynamically set the
block size based on key length. This fixes use of 192-bit and 256-bit
AES keys with crypto_cipher_*() API when using the internal AES
implementation.
Add support for using 192-bit and 256-bit keys with AES-GCM
This adds 192-bit and 256-bit key support to the internal AES
implementation and extends the AES-GCM functions to accept key length to
enable longer AES key use.
This is a generic AES GCM and GMAC implementation that can be used for
other purposes than just implementing GCMP, so it fits better in a
separate file in src/crypto.
wlantest: Allow GHASH update calls to avoid extra allocation
There is no need to allocate a temporary buffer and build GHASH input
data into it. Instead, ghash() is trivial to split into update part that
can be called separately for each segment.
The conf doesn't contain any basic rates in some cases. Most notably,
when starting a P2P GO in 5 GHz. Use the iface rates which are
initialized in hostapd_prepare_rates() to the conf rates or set to
default values if no conf values exist. This fixes a bug introduced in
commit e5693c4775bae65faa960f80889f98b0a6cb2e1c.
Commit e5693c4775bae65faa960f80889f98b0a6cb2e1c added a copy of the
determined basic rate set into struct hostapd_iface, but did not
actually copy the terminating -1 value. This could be problematic if
something were to actually try to use this list since would be no way to
know what is the last entry in the list. Fix this by copying the
terminating value.
nl80211: Register read_sta_data() handler for station only builds
This driver_op can now be used in station mode, too, to fetch
information about the connection with the AP, so allow this to be used
even if wpa_supplicant is built without AP mode support.
WFD: Properly match group for WFD element in Invitation Response
The group matching should be done by comparing the P2P Interface Address
(which the group_bssid here is) to the group's BSSID and not the group
ID (which uses P2P Device Address and would have also needed the SSID).
Though, it should be noted that this case cannot really happen since a
GO in an active group would never be invited to join another group in
its GO role (i.e., if it receives an Invitation Request, it will reply
in P2P Device role). As such, this fix does not really change any
observable behavior, but anyway, it is good to keep the implementation
here consistent with the Invitation Request case.
WFD: Properly match group for WFD element in Invitation Request
When building the Invitation Request for WFD use cases, match the BSSID,
i.e., P2P Interface Address, of the group on the GO to avoid using
information from another group should the device be operating multiple
concurrent groups as GO.
Interworking: Move BSS ANQP information into separate struct
This is an initial step in allowing the ANQP responses to be shared
among multiple BSSes if the BSSes are determined to be operating under
identical configuration.
Fix REMOVE_NETWORK to not run operations with invalid current_ssid
If the REMOVE_NETWORK command is used to delete the currently connected
network, some operations were run between removing the network and
clearing of wpa_s->current_ssid. This left wpa_s->current_ssid pointing
to freed memory and should any operation end up using it before the
pointer gets cleared, freed memory could be references. Avoid this by
removing the network only after having completed the operations that
clear wpa_s->current_ssid.
Interworking: Fetch only the needed ANQP information
Use configured credentials to figure out which ANQP information needs to
be fetched and only fetch those when using Interworking network
selection. The fetch_anqp command is still fetching all ANQP
information.
Interworking: Skip extra scan after network auto-select
If the scan results from before ANQP fetch are fresh (less than five
seconds old), do not run a new scan when selecting the BSS after having
used Interworking network selection.
Use BSS entries instead of scan results for BSS selection
This allows the BSS selection functions to be called without having the
scan result data structure. This can be used to skip extra scans in
cases where previous results can be considered fresh.
Maintain list of BSS entries in last scan result order
This allows last results to be used even after they have been freed
since the information is copied to the BSS entries anyway and this new
array provides the order in which scan results were processed.
EAP-SIM/AKA: Store pseudonym identity in configuration
Use the anonymous_identity field to store EAP-SIM/AKA pseudonym identity
so that this can be maintained between EAP sessions (e.g., after
wpa_supplicant restart) even if fast re-authentication data was cleared.
The EAP-SIM/AKA code is already validating the prefix and the following
lookup would not find matches if the prefix is incorrect, so there is no
need for the extra checks here.
EAP-AKA server: Skip AKA/Identity exchange if EAP identity recognized
If EAP-Response/Identity includes a known pseudonym or re-auth username,
skip the AKA/Identity exchange since we already know the permanent
username of the peer.
EAP-SIM server: Use Notification before EAP-Failure
RFC 4186, chapter 6.3.3 mandates that EAP-Failure is used only after
Client-Error and Notification messages. Convert the direct jumps to the
FAILURE state with a notification round before sending out EAP-Failure.
The AT_NONCE_S value needs to be used in AT_MAC calculation for
SIM/Re-authentication response even if re-authentication is rejected
with AT_COUNTER_TOO_SMALL.
projects / thirdparty / hostap.git / log
