path: root/src
Commit message | Author | Age | Files | Lines
* EAP-PAX: Check hmac_sha1_vector() return value | Jouni Malinen | 2016-01-06 | 2 | -16/+28
  This function can fail at least in theory, so check its return value before proceeding. This is mainly helping automated test case coverage to reach some more error paths.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* nl80211: Add a missing space to a debug message | Jouni Malinen | 2016-01-06 | 1 | -1/+1
  The "nl80211: New peer candidate" debug message did not have a space before the MAC address.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-PEAP peer: Cryptobinding in fast-reconnect case with inner EAP | Jouni Malinen | 2016-01-05 | 1 | -2/+7
  This was reported to fail with Windows 2012r2 with "Invalid Compound_MAC in cryptobinding TLV". It turns out that the server decided to go through inner EAP method (EAP-MSCHAPv2 in the reported case) even when using PEAP fast-reconnect. This seems to be against the [MS-PEAP] specification which claims that inner EAP method is not used in such a case. This resulted in a different CMK being derived by the server (used the version that used ISK) and wpa_supplicant (used the version where IPMK|CMK = TK without ISK when using fast-reconnect).
  Fix this interop issue by making wpa_supplicant use the fast-reconnect version of CMK derivation only when using TLS session resumption and the server having not initiated inner EAP method before going through the cryptobinding exchange.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* P2P: Try SD Query with each non-ACK peer only once per search iteration | Jouni Malinen | 2016-01-04 | 3 | -5/+48
  The previous behavior of bursting out all retry attempts of an SD Query frame during a single search/listen iteration does not look very helpful in the case where the peer does not ACK the query frame. Since the peer was found in the search, but is not ACKing frames anymore, it is likely that it left its listen state and we might as well do something more useful to burst out a significant number of frames in hopes of seeing the peer.
  Modify the SD Query design during P2P Search to send out only a single attempt (with likely multiple link-layer retries, if needed) per search/listen iteration to each peer that has pending SD queries. Once no more peers with pending queries remain, force another Listen and Search phase to go through before continuing with the pending SD queries.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Fix wpa_supplicant AP mode P2P IE handling if P2P is disabled | Jouni Malinen | 2016-01-01 | 2 | -3/+3
  If P2P support is included in wpa_supplicant build (CONFIG_P2P=y), but P2P functionality is explicitly disabled (e.g., "P2P_SET disabled 1"), a couple of AP management frame processing steps did not check against hapd->p2p_group being NULL and could end up dereferencing a NULL pointer if a Probe Request frame or (Re)Association Request frame was received with a P2P IE in it. Fix this by skipping these steps if hapd->p2p_group is NULL.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Fix wpa_supplicant build with CONFIG_L2_PACKET=pcap | Jouni Malinen | 2016-01-01 | 1 | -0/+12
  Commit e6dd8196e5daf39e4204ef8ecd26dd50fdca6040 ('Work around Linux packet socket regression') forgot to add the l2_packet_init_bridge() wrapper for l2_packet_pcap.c while updating all the other l2_packet options. This resulted in wpa_supplicant build failing due to missing l2_packet_init_bridge() function when using CONFIG_L2_PACKET=pcap in wpa_supplicant/.config. Fix this by adding the wrapper function.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* WPS: Testing mechanism to force auth/encr type flags | Jouni Malinen | 2016-01-01 | 3 | -3/+29
  The new wps_force_{auth,encr}_types parameters can be used in test build (CONFIG_WPS_TESTING) to force wpa_supplicant to use the specified value in the Authentication/Encryption Type flags attribute. This can be used to test AP behavior on various error cases for which there are workarounds to cover deployed device behavior.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* WPS: Add a workaround for WPA2PSK missing from Enrollee auth flags | Jouni Malinen | 2016-01-01 | 1 | -0/+17
  Some deployed implementations seem to advertise incorrect information in this attribute. A value of 0x1b (WPA2 + WPA + WPAPSK + OPEN, but no WPA2PSK) has been reported to be used. Add WPA2PSK to the list to avoid issues with building Credentials that do not use the strongest actually supported authentication option (that device does support WPA2PSK even when it does not claim it here).
  Signed-off-by: Jouni Malinen <j@w1.fi>
* WPS: Do not build Credential with unsupported encr combination on AP | Jouni Malinen | 2016-01-01 | 3 | -7/+40
  It was possible for the Registrar code to generate a Credential with auth type WPAPSK (i.e., WPA v1) with encr type AES if the Enrollee claimed support for WPAPSK and not WPA2PSK while the AP was configured in mixed mode WPAPSK+WPA2PSK regardless of how wpa_pairwise (vs. rsn_pairwise) was set since encr type was selected from the union of wpa_pairwise and rsn_pairwise. This could result in the Enrollee receiving a Credential that it could then not use with the AP.
  Fix this by masking the encryption types separately on AP based on the wpa_pairwise/rsn_pairwise configuration. In the example case described above, the Credential would get auth=WPAPSK encr=TKIP instead of auth=WPAPSK encr=AES.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* HS 2.0: Postpone WNM-Notification sending by 100 ms | Jouni Malinen | 2015-12-31 | 4 | -29/+50
  This makes it somewhat easier for the station to be able to receive and process the encrypted WNM-Notification frames that the AP previously sent immediately after receiving EAPOL-Key msg 4/4. While the station is supposed to have the TK configured for receive before sending out EAPOL-Key msg 4/4, not many actual implementations do that. As such, there is a race condition in being able to configure the key at the station and the AP sending out the first encrypted frame after EAPOL-Key 4/4. The extra 100 ms time here makes it more likely for the station to have managed to configure the key in time.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* EAP-FAST: Enable AES256-based TLS cipher suites with OpenSSL | Jouni Malinen | 2015-12-31 | 4 | -4/+16
  This extends the list of TLS cipher suites enabled for EAP-FAST to include AES256-based suites.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* OpenSSL: Share a single openssl_tls_prf() implementation | Jouni Malinen | 2015-12-31 | 1 | -69/+13
  Add SSL_SESSION_get_master_key() compatibility wrapper for older OpenSSL versions to be able to use the new openssl_tls_prf() implementation for OpenSSL 1.1.0 with all supported versions.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* OpenSSL: Clean up function to fetch client/server random | Jouni Malinen | 2015-12-31 | 1 | -13/+27
  SSL_get_client_random() and SSL_get_server_random() will be added in OpenSSL 1.1.0. Provide compatibility wrappers for older versions to simplify the tls_connection_get_random() implementation.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* OpenSSL: Drop support for OpenSSL 1.0.0 | Jouni Malinen | 2015-12-31 | 1 | -11/+1
  The OpenSSL project will not support version 1.0.0 anymore. As there won't be even security fixes for this branch, it is not really safe to continue using 1.0.0 and we might as well drop support for it to allow cleaning up the conditional source code blocks.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* OpenSSL: Drop support for OpenSSL 0.9.8 | Jouni Malinen | 2015-12-31 | 2 | -31/+0
  The OpenSSL project will not support version 0.9.8 anymore. As there won't be even security fixes for this branch, it is not really safe to continue using 0.9.8 and we might as well drop support for it to allow cleaning up the conditional source code blocks.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* P2P: Fix P2P_FIND while waiting for listen ROC to start in the driver | Jouni Malinen | 2015-12-30 | 1 | -0/+4
  It was possible for the p2p->pending_listen_freq to be left indicating that there is a pending ROC for a listen operation if a P2P_FIND command was timed to arrive suitably between a previous Listen operation issuing a ROC request and the kernel code starting that request. This could result in the P2P state machine getting stuck unable to continue the find ("P2P: p2p_listen command pending already").
  Fix this by clearing p2p->pending_listen_freq when starting P2P_FIND command execution.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* P2PS: Add group SSID, if known, to the P2PS-PROV-DONE event | Jouni Malinen | 2015-12-30 | 3 | -11/+21
  The new optional group_ssid=<hexdump> argument in the P2PS-PROV-DONE event can be used to help in identifying the exact group if there have been multiple groups with the same P2P Interface Address in a short period of time.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* FST: Fix handling of Rx FST Setup Request when session already exists | Dedy Lansky | 2015-12-29 | 1 | -15/+19
  When we receive FST Setup Request when session already exists, the following validations take place:
  1. we drop the frame if needed according to MAC comparison
  2. we drop the frame if the session is "not pending", i.e., if FST Setup Response was already exchanged (sent or received).
  There are two issues with the above:
  1. MAC comparison is relevant only before the Setup Response exchange. In other words, Setup Request should not be dropped due to MAC comparison after Setup Response has been exchanged.
  2. Receiving Setup Request after Setup Response exchange most likely means that FST state machine is out of sync with the peer. Dropping the Setup Request will not help solve this situation.
  The fix is:
  1. do MAC comparison only if session is "pending", i.e., Setup Response was not yet exchanged.
  2. In case Setup Response was already exchanged, reset our session and handle the Setup Request as if it arrived when session doesn't exist.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* TLS: Make tls_cert_chain_failure_event() more robust | Jouni Malinen | 2015-12-28 | 1 | -1/+1
  Explicitly check for the failure event to include a certificate before trying to build the event.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* TLS: Remove storing of never-read value | Jouni Malinen | 2015-12-28 | 1 | -1/+0
  While this could in theory be claimed to be ready for something to be added to read a field following the server_write_IV, it does not look likely that such a use case would show up. As such, just remove the unused incrementing of pos at the end of the function to get rid of a useless static analyzer complaint.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Remove unnecessary cleanup assignment in SHA1Final() | Jouni Malinen | 2015-12-28 | 1 | -1/+0
  This makes some static analyzers complain about stored value never being read. While it is good to clear some other temporary variables, this local variable i has no security private information (it has a fixed value of 20 here) and trying to clear it to 0 does not add any value. Remove that part of the "wipe variables" to avoid one useless static analyzer complaint.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* nl80211: Don't call linux_iface_up() for a dedicated P2P Device | Ilan Peer | 2015-12-28 | 1 | -3/+5
  As a dedicated P2P Device interface does not have a network interface associated with it, trying to call linux_iface_up() on it would always fail so this call can be skipped for such an interface.
  Getting interface nlmode can be done only after bss->wdev_id is set, so move this call to wpa_driver_nl80211_finish_drv_init(), and do it only in case the nlmode != NL80211_IFTYPE_P2P_DEVICE.
  Signed-off-by: Ilan Peer <ilan.peer@intel.com>
* mesh: Fix PMKID to match the standard | Bob Copeland | 2015-12-28 | 2 | -0/+2
  IEEE Std 802.11-2012 11.3.5.4 specifies the PMKID for SAE-derived keys as:
    L((commit-scalar + peer-commit-scalar) mod r, 0, 128)
  This is already calculated in the SAE code when the PMK is derived, but not saved anywhere. Later, when generating the PMKID for plink action frames, the definition for PMKID from 11.6.1.3 is incorrectly used. Correct this by saving the PMKID when the key is generated and use it subsequently.
  Signed-off-by: Bob Copeland <me@bobcopeland.com>
* wpa_supplicant: Enable Automatic Channel Selection support for AP mode | Tomasz Bursztyka | 2015-12-24 | 2 | -2/+4
  Since hostapd supports ACS now, let's enable its support in wpa_supplicant as well when starting AP mode.
  Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
  [u.oelmann@pengutronix.de: rebased series from hostap_2_1~944 to master]
  [u.oelmann@pengutronix.de: adjusted added text in defconfig]
  Signed-off-by: Ulrich Ölmann <u.oelmann@pengutronix.de>
* Handle survey event properly in wpa_supplicant | Tomasz Bursztyka | 2015-12-24 | 2 | -4/+9
  Let's reuse hostapd code for such handling. This will be useful to get ACS support into wpa_supplicant where this one needs to handle the survey event so it fills in the result ACS subsystem will require.
  Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
  [u.oelmann@pengutronix.de: rebased series from hostap_2_1~944 to master]
  Signed-off-by: Ulrich Ölmann <u.oelmann@pengutronix.de>
* EAP-TNC peer: Remove dead code related to fragmentation | Jouni Malinen | 2015-12-24 | 1 | -5/+0
  The data->state == WAIT_FRAG_ACK case is already handling all cases where data->out_buf could be non-NULL, so this additional check after the WAIT_FRAG_ACK steps cannot be reached. Remove the duplicated dead code.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* TNC: Print received IF-TNCCS message as debug ASCII hexdump | Jouni Malinen | 2015-12-24 | 1 | -0/+2
  This makes it easier to see what TNCC is processing.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-TNC peer: Allow fragment_size to be configured | Jouni Malinen | 2015-12-24 | 1 | -1/+6
  Previously, a fixed 1300 fragment_size was hardcoded. Now the EAP profile parameter fragment_size can be used to override this.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* RADIUS: Add EACCES to list of recognized send() errno values | Jouni Malinen | 2015-12-24 | 1 | -1/+1
  This allows RADIUS failover to be performed if send() returns EACCES error which is what happens after a recent Linux kernel commit 0315e382704817b279e5693dca8ab9d89aa20b3f ('net: Fix behaviour of unreachable, blackhole and prohibit') for a local sender when route type is prohibit.
  This fixes the hwsim test case radius_failover when running against a kernel build that includes that commit.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Fix RADIUS Called-Station-Id to not escape SSID | Jouni Malinen | 2015-12-24 | 1 | -6/+7
  Commit 986de33d5c3e11dd08a26ed65eacede8b75aa339 ('Convert remaining SSID routines from char* to u8*') started using wpa_ssid_txt() to print out the SSID for the Called-Station-Id attribute in RADIUS messages. This was further modified by commit 6bc1f95613cc2bedd8849564d30419bff82ed074 ('Use printf escaping in SSID-to-printable-string conversion') to use printf escaping (though, even without this, wpa_ssid_txt() would have masked characters).
  This is not desired for Called-Station-Id attribute. While it is defined as a "String", RFC 2865 indicates that "a robust implementation SHOULD support the field as undistinguished octets.".
  Copy the SSID as an array of arbitrary octets into Called-Station-Id to avoid any kind of masking or escaping behavior. This goes a step further from the initial implementation by allowing even the possible (but unlikely in practical use cases) 0x00 octet in the middle of an SSID.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS client: Multi-OCSP check to cover intermediate CAs | Jouni Malinen | 2015-12-23 | 5 | -22/+81
  This extends multi-OCSP support to verify status for intermediate CAs in the server certificate chain.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Add ocsp=3 configuration parameter for multi-OCSP | Jouni Malinen | 2015-12-23 | 5 | -1/+22
  ocsp=3 extends ocsp=2 by requiring all not-trusted certificates in the server certificate chain to receive a good OCSP status. This requires support for ocsp_multi (RFC 6961). This commit is only adding the configuration value, but all the currently included TLS library wrappers are rejecting this as unsupported for now.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* TLS: Move variable declaration to the beginning of the block | Jouni Malinen | 2015-12-23 | 1 | -1/+1
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* TLS client: OCSP stapling with ocsp_multi option (RFC 6961) | Jouni Malinen | 2015-12-22 | 2 | -39/+136
  This adds a minimal support for using status_request_v2 extension and ocsp_multi format (OCSPResponseList instead of OCSPResponse) for CertificateStatus. This commit does not yet extend use of OCSP stapling to validate the intermediate CA certificates.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* TLS server: OCSP stapling with ocsp_multi option (RFC 6961) | Jouni Malinen | 2015-12-22 | 7 | -30/+148
  This allows hostapd with the internal TLS server implementation to support the extended OCSP stapling mechanism with multiple responses (ocsp_stapling_response_multi).
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Server configuration for OCSP stapling with ocsp_multi (RFC 6961) | Jouni Malinen | 2015-12-22 | 4 | -0/+8
  This adds a new hostapd configuration parameter ocsp_stapling_response_multi that can be used similarly to the existing ocsp_stapling_response, but for the purpose of providing multiple cached OCSP responses. This commit adds only the configuration parameter, but does not yet add support for this mechanism with any of the supported TLS implementations.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* TLS server: OCSP stapling | Jouni Malinen | 2015-12-22 | 6 | -1/+120
  This adds support for hostapd-as-authentication-server to be built with the internal TLS implementation and OCSP stapling server side support. This is more or less identical to the design used with OpenSSL, i.e., the cached response is read from the ocsp_stapling_response=<file> and sent as a response if the client requests it during the TLS handshake.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* GnuTLS: OCSP stapling on the server side | Jouni Malinen | 2015-12-22 | 1 | -0/+52
  This adds support for hostapd-as-authentication-server to be built against GnuTLS with OCSP stapling server side support. This is more or less identical to the design used with OpenSSL, i.e., the cached response is read from the ocsp_stapling_response=<file> and sent as a response if the client requests it during the TLS handshake.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Use wpa_msg() for the "RSN: PMKID mismatch" message | Jouni Malinen | 2015-12-22 | 1 | -1/+1
  This message is sent at MSG_INFO level and it is supposed to go out even if debug messages were to be removed from the build. As such, use wpa_msg() instead of wpa_dbg() for it.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* EAP-EKE: Merge identical error return paths | Jouni Malinen | 2015-12-21 | 1 | -30/+11
  There is no need to maintain multiple copies of the same error return path.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-EKE: Reject too long Prot() data when building a frame | Jouni Malinen | 2015-12-21 | 1 | -0/+1
  This error case in own buffer lengths being too short was not handled properly. While this should not really happen since the wpabuf allocation is made large for the fixed cases that are currently supported, better make eap_eke_prot() safer if this functionality ever gets extended with a longer buffer need.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* GAS server: Replenish temporary STA entry timeout on comeback request | Jouni Malinen | 2015-12-20 | 1 | -0/+1
  Previously, the five second timeout was added at the beginning of the full GAS query and it was not replenished during fragmented exchanges. This could result in timing out a query if it takes significant time to go through the possibly multiple fragments and long comeback delay.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-TTLS/PEAP/FAST: Reject unsupported Phase 2 method in configuration | Jouni Malinen | 2015-12-20 | 1 | -0/+3
  Instead of using default list of methods, reject a configuration with an unsupported EAP method at the time the main TLS method is being initialized.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-TLS: Merge common error paths | Jouni Malinen | 2015-12-20 | 1 | -4/+2
  There is no need to keep these identical error paths separate.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-PEAP peer: Fix a memory leak on an error path | Jouni Malinen | 2015-12-20 | 1 | -0/+1
  If memory allocation for adding SoH response fails, the SoH response was not freed properly on the error path.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* WPA: Explicitly clear the buffer used for decrypting Key Data | Jouni Malinen | 2015-12-20 | 1 | -2/+2
  When AES-WRAP was used to protect the EAPOL-Key Key Data field, this was decrypted using a temporary heap buffer with aes_unwrap(). That buffer was not explicitly cleared, so it was possible for the group keys to remain in memory unnecessarily until the allocated area was reused. Clean this up by clearing the temporary allocation explicitly before freeing it.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-PEAP peer: Check SHA1 result when deriving Compound_MAC | Jouni Malinen | 2015-12-19 | 1 | -1/+2
  This handles a mostly theoretical case where hmac_sha1_vector() might fail for some reason.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-PEAP server: Add support for fast-connect crypto binding | Jouni Malinen | 2015-12-19 | 1 | -3/+15
  IPMK and CMK are derived from TK when using TLS session resumption with PEAPv0 crypto binding. The EAP-PEAP peer implementation already supported this, but the server side did not.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-PEAP peer: Remove unused return value and error path | Jouni Malinen | 2015-12-19 | 1 | -9/+4
  eap_peap_parse_phase1() returned 0 unconditionally, so there was no need for that return value or the code path that tried to address the error case.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* rfkill: Match only the correct expected wiphy rfkill | Johannes Berg | 2015-12-18 | 4 | -19/+99
  On systems that have multiple WLAN rfkill instances, the rfkill code can become confused into thinking that the device was unblocked when in fact it wasn't, because it only matches on the WLAN type.
  Since it then stores the new (unblocked) state from the wrong rfkill instance, it will never retry the failing IFF_UP operation and the user has to toggle rfkill again, or otherwise intervene manually, in this case to get back to operational state.
  Fix this by using the existing (but unused) ifname argument when the rfkill instance is created to match to a specific rfkill index only.
  As a P2P Device interface does not have a netdev interface associated with it, use the name of a sibling interface to initialize the rfkill context for the P2P Device interface. For nl80211, as the wiphy index is known only after getting the driver capabilities from the kernel, move the initialization of the rfkill object to wpa_driver_nl80211_finish_drv_init().
  Signed-off-by: Johannes Berg <johannes.berg@intel.com>
  Signed-off-by: Ilan Peer <ilan.peer@intel.com>