Chen, Yi [Wed, 2 Sep 2015 15:55:01 +0000 (21:25 +0530)]
WPS: Fix num_probereq_cb clearing on DISABLE to avoid segfault
Reset hapd->num_probereq_cb to 0 on an interface deinit to avoid
unexpected behavior if the same interface is enabled again without fully
freeing the data structures. hostapd_register_probereq_cb() increments
hapd->num_probereq_cb by one and leaves all old values unchanged. In
this deinit+init case, that would result in the first entry in the list
having an uninitialized pointer and the next Probe Request frame
processing would likely cause the process to terminate on segmentation
fault.
This issue could be hit when hostapd was used with WPS enabled (non-zero
wps_state configuration parameter) and control interface command DISABLE
and ENABLE were used.
This adds a Python-based minimal WSC protocol implementation to allow
more testing coverage to be reached for various error cases in protected
attributes. The wps_ext test case completes successful exchange in both
the Enrollee and Registrar roles acting in the middle of AP and STA. The
other test cases cover error cases.
Masashi Honma [Wed, 26 Aug 2015 08:32:38 +0000 (17:32 +0900)]
mesh: Fix segfault on error path
When wpa_init() in __mesh_rsn_auth_init() failed, empty rsn->auth caused
segmentation fault due to NULL pointer dereference when wpa_deinit() was
called. Fix this by checking the pointer before executing deinit steps.
Masashi Honma [Mon, 31 Aug 2015 07:58:10 +0000 (16:58 +0900)]
mesh: Add RSN IE to Mesh Peering Open/Confirm frames
The RSN IE is required by IEEE Std 802.11-2012 on SAE use case:
Table 8-262 Mesh Peering Open frame Action field format
Table 8-263 Mesh Peering Confirm frame Action field format
TDLS: Use proper IE parsing routine for non-EAPOL-Key cases
wpa_supplicant_parse_ies() was never supposed to be used as a generic IE
parser, i.e., it is for the specific purpose of parsing EAPOL-Key Key
Data IEs and KDEs. TDLS used this function for parsing generic AP IEs
and while that works, it resulted in confusing "WPA: Unrecognized
EAPOL-Key Key Data IE" debug messages. Clean this up by using
ieee802_11_parse_elems() for the cases where generic IEs are being
parsed.
Add station tracking based on other management frame subtypes
This extends the previous tracking design to add a station entry based
on other management frames than Probe Request frames. For example, this
covers a case where the station is using passive scanning.
wpa_gui: Increase control interface message buffer for LIST_NETWORKS
Double the buffer length from 2048 to 4096 to match the length used
currently in wpa_supplicant. This allows wpa_gui to retrieve information
for more networks than previously.
Add option to reject authentication on 2.4 GHz from dualband STA
The new no_auth_if_seen_on=<ifname> parameter can now be used to
configure hostapd to reject authentication from a station that was seen
on another radio.
This can be used with enabled track_sta_max_num configuration on another
interface controlled by the same hostapd process to reject
authentication attempts from a station that has been detected to be
capable of operating on another band, e.g., to try to reduce likelihood
of the station selecting a 2.4 GHz BSS when the AP operates both a 2.4
GHz and 5 GHz BSS concurrently.
Note: Enabling this can cause connectivity issues and increase latency for
connecting with the AP.
Indicate CTRL-EVENT-AUTH-REJECT event on authentication rejection
This allows control interface monitors to get more detailed information
in cases where wpa_supplicant-based SME receives an Authentication frame
with non-zero status code.
Add option to ignore Probe Request frames on 2.4 GHz from dualband STA
The new no_probe_resp_if_seen_on=<ifname> parameter can now be used to
configure hostapd to not reply to group-addressed Probe Request from a
station that was seen on another radio.
This can be used with enabled track_sta_max_num configuration on another
interface controlled by the same hostapd process to restrict Probe
Request frame handling from replying to group-addressed Probe Request
frames from a station that has been detected to be capable of operating
on another band, e.g., to try to reduce likelihood of the station
selecting a 2.4 GHz BSS when the AP operates both a 2.4 GHz and 5 GHz
BSS concurrently.
Note: Enabling this can cause connectivity issues and increase latency
for discovering the AP.
hostapd: Add mechanism to track unconnected stations
hostapd can now be configured to track unconnected stations based on
Probe Request frames seen from them. This can be used, e.g., to detect
dualband capable station before they have associated. Such information
could then be used to provide guidance on which colocated BSS to use in
case of a dualband AP that operates concurrently on multiple bands under
the control of a single hostapd process.
For now, there is no support for passing extended_capa pointers through
the driver_privsep.c interface from wpa_priv. Avoid leaving bogus
pointers by explicitly clearing these on both wpa_priv and
wpa_supplicant sides.
Do not advertise DSSS/CCK support in 40 MHz for 5 GHz band
DSSS/CCK rate support in 40 MHz has to be set to 0 for 5 GHz band since
this mechanism is designed only for the 2.4 GHz band. Clear
HT_CAP_INFO_DSSS_CCK40MHZ in ht_capab when the configured mode is
neither 11b nor 11g.
Manikandan Mohan [Tue, 25 Aug 2015 04:34:03 +0000 (21:34 -0700)]
Allow wpa_cli/hostapd_cli client socket directory to be specified
This adds a new helper function wpa_ctrl_open2() that can be used
instead of wpa_ctrl_open() to override the default client socket
directory. Add optional -s<directory path> argument to hostapd_cli and
wpa_cli to allow the client socket directory to be specified.
Jouni Malinen [Sun, 30 Aug 2015 22:55:56 +0000 (01:55 +0300)]
tests: WPS ER Selected Registrar timeout
This extends ap_wps_pbc_timeout to cover another long WPS timeout:
ER-initiated SetSelectedRegistrar timeout on AP. Using the same test
case for this avoids the need for another 120 second test case.
Jouni Malinen [Sun, 30 Aug 2015 15:36:28 +0000 (18:36 +0300)]
EAP-WSC peer: Reject connection on unexpected failure
Previously, the EAP-WSC peer state machine ended up just ignoring an
error and waiting for a new message from the AP. This is not going to
recover the exchange, so simply force the connection to terminate
immediately.
Jouni Malinen [Sat, 29 Aug 2015 20:59:44 +0000 (23:59 +0300)]
Allow BSS to return information for AP that uses an invalid WSC IE
Previously, the BSS command returned an error if the WSC IE(s) in scan
results could not be parsed. This may be not ideal for all cases, to
instead of rejecting the command completely, return all other
information apart from the WPS information in such a case.
Jouni Malinen [Fri, 28 Aug 2015 13:32:14 +0000 (16:32 +0300)]
EAPOL auth: Avoid recursive wpa_sm_step() on WPA_DEAUTH case
It was possible for wpa_auth_sm_event(WPA_DEAUTH) to be called from
wpa_sm_step() iteration in the case the EAPOL authenticator state
machine ended up requesting the station to be disconnected. This
resulted in unnecessary recursive call to wpa_sm_step(). Avoid this by
using the already running call to process the state change.
It was possible to hit this sequence in the hwsim test case
ap_wpa2_eap_eke_server_oom.
Jouni Malinen [Fri, 28 Aug 2015 13:30:06 +0000 (16:30 +0300)]
EAPOL auth: clear keyRun in AUTH_PAE INITIALIZE
Clearing keyRun here is not specified in IEEE Std 802.1X-2004, but it
looks like this would be logical thing to do here since the EAPOL-Key
exchange is not possible in this state. It is possible to get here on
disconnection event without advancing to the AUTHENTICATING state to
clear keyRun before the IEEE 802.11 RSN authenticator state machine runs
and that may advance from AUTHENTICATION2 to INITPMK if keyRun = TRUE
has been left from the last association. This can be avoided by clearing
keyRun here.
It was possible to hit this corner case in the hwsim test case
ap_wpa2_eap_eke_server_oom in the case getKey operation was forced to
fail memory allocation. The following association resulted in the
station getting disconnected when entering INITPMK without going through
EAP authentication.
Jouni Malinen [Thu, 13 Aug 2015 13:03:23 +0000 (16:03 +0300)]
nl80211: Use nla_put_nested() to set NL80211_ATTR_MAC_ADDRS
This allows an empty nested list (i.e., no MAC addresses) to be included
in the NL80211_CMD_SET_MAC_ACL message unlike with
nla_nest_start()/nla_nest_end() where the current libnl implementation
removes the "empty" attribute and causes cfg80211 to reject the command.
Jiří Klimeš [Tue, 18 Aug 2015 11:33:59 +0000 (13:33 +0200)]
dbus: Do not quote scan_freq and freq_list in dbus_old_handlers.c
scan_freq and freq_list are not parsed correctly by
wpa_config_parse_int_array() if quoted.
Patch for dbus_old_handlers.c, the same change as done by Robert Shade
<robert.shade@gmail.com> for dbus_new_handlers.c in commit 99276998fa26d4299825eeafb6386fe1c51f6287 ('dbus: Do not quote scan_freq
and freq_list').
Jouni Malinen [Thu, 27 Aug 2015 17:42:14 +0000 (20:42 +0300)]
Fix key derivation for Suite B 192-bit AKM to use SHA384
While the EAPOL-Key MIC derivation was already changed from SHA256 to
SHA384 for the Suite B 192-bit AKM, KDF had not been updated similarly.
Fix this by using HMAC-SHA384 instead of HMAC-SHA256 when deriving PTK
from PMK when using the Suite B 192-bit AKM.
Mitchell Wills [Tue, 25 Aug 2015 00:24:30 +0000 (17:24 -0700)]
Make sure configuration is saved to storage device
Config file is written to a temp file and then it is renamed to the
original config file. However, it is possible that the rename operation
will be commited to storage while file data will be still in cache
causing original config file to be empty or partially written in case of
a system reboot without a clean shutdown. Make this less likely to occur
by forcing the data to be written to the storage device before renaming
the file.
Jingxiang Ge [Tue, 25 Aug 2015 17:31:40 +0000 (20:31 +0300)]
Do not mark BSS entry in use if SSID has changed
This allows a BSS entry to be expired if the AP has changed its SSID
while maintaining the same BSSID and we are associated with the BSS.
Previously, the same BSSID was enough to mark all BSS entries from the
BSSID as in use regardless of the SSID and as such, they could remain in
the wpa_supplicant BSS table indefinitely as long as the association
remaining.
Jouni Malinen [Mon, 24 Aug 2015 21:17:00 +0000 (00:17 +0300)]
WPS: Fix HTTP body length check
Commit 7da4f4b4991c85f1122a4591d8a4b7dd3bd12b4e ('WPS: Check maximum
HTTP body length earlier in the process') added too strict check for
body length allocation. The comparison of new_alloc_nbytes against
h->max_bytes did not take into account that HTTPREAD_BODYBUF_DELTA was
added to previous allocation even if that ended up going beyond
h->max_bytes. This ended up rejecting some valid HTTP operations, e.g.,
when checking AP response to WPS ER setting selected registrar.
Fix this by taking HTTPREAD_BODYBUF_DELTA into account.
Jouni Malinen [Mon, 24 Aug 2015 16:36:34 +0000 (19:36 +0300)]
OpenSSL: Write PKCS#12 extra cert errors into debug log
Commit de2a7b796d82d92120aa9532450863f503e1885a ('OpenSSL: Use
connection certificate chain with PKCS#12 extra certs') added a new
mechanism for doing this with OpenSSL 1.0.2 and newer. However, it did
not poinr out anything in debug log if SSL_add1_chain_cert() failed. Add
such a debug print and also silence static analyzer warning on res being
stored without being read (since the error case is ignored at least for
now).
Jouni Malinen [Sun, 23 Aug 2015 19:05:14 +0000 (22:05 +0300)]
EAP server: Set per-EAP method session context
This can be used to limit TLS session resumption within a TLS library
implementation to apply only for the cases where the same EAP method is
used. While the EAP server method matching will be enforced separately
by EAP server method implementations, this additional steps can optimize
cases by falling back to full authentication instead of having to reject
attempts after having completed session resumption successfully.
Jouni Malinen [Sun, 23 Aug 2015 19:01:37 +0000 (22:01 +0300)]
TLS: Add functions for managing cached session state
The new tls_connection_set_success_data(),
tls_connection_set_success_data_resumed(),
tls_connection_get_success_data(), and tls_connection_remove_session()
functions can be used to mark cached sessions valid and to remove
invalid cached sessions. This commit is only adding empty functions. The
actual functionality will be implemented in followup commits.
This new hostapd configuration parameter can be used to enable TLS
session resumption. This commit adds the configuration parameter through
the configuration system and RADIUS/EAPOL/EAP server components. The
actual changes to enable session caching will be addressed in followup
commits.
Jouni Malinen [Sun, 23 Aug 2015 18:22:22 +0000 (21:22 +0300)]
EAP server: Disable TLS session ticket with EAP-TLS/TTLS/PEAP
The EAP server is not yet capable of using TLS session ticket to resume
a session. Explicitly disable use of TLS session ticket with
EAP-TLS/TTLS/PEAP to avoid wasting resources on generating a session
ticket that cannot be used for anything.
projects / thirdparty / hostap.git / log
