When we receive FST Setup Request when session already exists, the
following validations take place:
1. we drop the frame if needed according to MAC comparison
2. we drop the frame if the session is "not pending", i.e., if FST
Setup Response was already exchanged (sent or received).
There are two issues with the above:
1. MAC comparison is relevant only before the Setup Response exchange.
In other words, Setup Request should not be dropped due to MAC
comparison after Setup Response has been exchanged.
2. Receiving Setup Request after Setup Response exchange most likely
means that FST state machine is out of sync with the peer. Dropping
the Setup Request will not help solve this situation.
The fix is:
1. do MAC comparison only if session is "pending", i.e., Setup Response
was not yet exchanged.
2. In case Setup Response was already exchanged, reset our session and
handle the Setup Request as if it arrived when session doesn't exist.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Explicitly check for the failure event to include a certificate before
trying to build the event.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
While this could in theory be claimed to be ready for something to be
added to read a field following the server_write_IV, it does not look
likely that such a use case would show up. As such, just remove the
unused incrementing of pos at the end of the function to get rid of a
useless static analyzer complaint.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This makes some static analyzers complain about stored value never being
read. While it is good to clear some other temporary variables, this
local variable i has no security private information (it has a fixed
value of 20 here) and trying to clear it to 0 does not add any value.
Remove that part of the "wipe variables" to avoid one useless static
analyzer complaint.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This parameter is used only in couple of test cases and there is no need
to maintain the code to reset it in WpaSupplicant::reset().
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This parameter is used only in couple of test cases and there is no need
to maintain the code to reset it in WpaSupplicant::reset().
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This parameter is used only in couple of test cases and there is no need
to maintain the code to reset it in WpaSupplicant::reset().
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This parameter is used only in couple of test cases and there is no need
to maintain the code to reset it in WpaSupplicant::reset().
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This parameter is used only in couple of test cases and there is no need
to maintain the code to reset it in WpaSupplicant::reset().
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
As a dedicated P2P Device interface does not have a network
interface associated with it, trying to call linux_iface_up()
on it would always fail so this call can be skipped for
such an interface.
Getting interface nlmode can be done only after bss->wdev_id is
set, so move this call to wpa_driver_nl80211_finish_drv_init(),
and do it only in case the nlmode != NL80211_IFTYPE_P2P_DEVICE.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Provide details on the pointers to the subfields and rename "pmk" to
"chosen_pmk" and use SAE_PMKID_LEN macro with it to make the code more
readable.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
From IEEE Std 802.11-2012 13.3.5:
If the incoming Mesh Peering Management frame is for AMPE and the
Chosen PMK from the received frame contains a PMKID that does not
identify a valid mesh PMKSA, the frame shall be silently discarded.
We were not checking the PMKID previously, and we also weren't parsing
it correctly, so fix both.
Signed-off-by: Bob Copeland <me@bobcopeland.com>
IEEE Std 802.11-2012 11.3.5.4 specifies the PMKID for SAE-derived keys
as:
L((commit-scalar + peer-commit-scalar) mod r, 0, 128)
This is already calculated in the SAE code when the PMK is derived, but
not saved anywhere. Later, when generating the PMKID for plink action
frames, the definition for PMKID from 11.6.1.3 is incorrectly used.
Correct this by saving the PMKID when the key is generated and use it
subsequently.
Signed-off-by: Bob Copeland <me@bobcopeland.com>
External programs are not aware of the creation of a
dedicated P2P Device interface, so it does not make sense
to wait for a monitor to connect on such an interface.
Fix this by not waiting on a dedicated P2P Device interface
for monitor to attach.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
In case an interface has started without a control interface
initialized, skip waiting for monitor to attach at the start of
wpa_supplicant (-W).
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
If LIBS is set with some global build system defaults, clone those for
LIBS_c, LIBS_h, LIBS_n, and LIBS_p to cover wpa_cli, wpa_passphrase,
hostapd_cli, hlr_auc_gw, and nt_password_hash as well.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
It was possible to hit a race condition between WPS_CANCEL and
immediately following WPS_PIN command. Wait for a disconnection event to
avoid that. This was seen with the following test case sequence:
ap_wpa2_psk_supp_proto_wrong_group_key_len ap_wps_probe_req_ie_oom
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Since hostapd supports ACS now, let's enable its support in
wpa_supplicant as well when starting AP mode.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
[u.oelmann@pengutronix.de: rebased series from hostap_2_1~944 to master]
[u.oelmann@pengutronix.de: adjusted added text in defconfig]
Signed-off-by: Ulrich Ölmann <u.oelmann@pengutronix.de>
Let's reuse hostapd code for such handling. This will be useful to get
ACS support into wpa_supplicant where this one needs to handle the
survey event so it fills in the result ACS subsystem will require.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
[u.oelmann@pengutronix.de: rebased series from hostap_2_1~944 to master]
Signed-off-by: Ulrich Ölmann <u.oelmann@pengutronix.de>
When running tests, make printk put all messages, including debug
messages, onto the serial console to go into the console file.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
The data->state == WAIT_FRAG_ACK case is already handling all cases
where data->out_buf could be non-NULL, so this additional check after
the WAIT_FRAG_ACK steps cannot be reached. Remove the duplicated dead
code.
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit f8a80e39b3 ('P2PS: Change
connection capability handling') added the identical P2PS_SETUP_CLIENT
check into two places within p2ps_group_capability(). However, only the
first one of these can be reached. In the second case, role can only
have values 0 or P2PS_SETUP_NEW and as such, the P2PS_SETUP_CLIENT case
is not possible. It looks like the first part of the commit is
sufficient, so remove the dead code added by the second part.
Signed-off-by: Jouni Malinen <j@w1.fi>
Previously, a fixed 1300 fragment_size was hardcoded. Now the EAP
profile parameter fragment_size can be used to override this.
Signed-off-by: Jouni Malinen <j@w1.fi>
Wait for the AP-DISABLED and AP-ENABLED group events before reading the
current group operation frequency after P2P-REMOVE-AND-REFORM-GROUP.
This reduces a possibility of a race condition making a test case fail
with the returned frequency being 0 when reading this before the
reformed group is fully up. This may help avoid false error reports for
the following test cases: p2p_go_move_reg_change p2p_go_move_scm
p2p_go_move_scm_peer_supports p2p_go_move_scm_multi.
Signed-off-by: Jouni Malinen <j@w1.fi>
This allows RADIUS failover to be performed if send() return EACCES
error which is what happens after a recent Linux kernel commit
0315e382704817b279e5693dca8ab9d89aa20b3f ('net: Fix behaviour of
unreachable, blackhole and prohibit') for a local sender when route type
is prohibit.
This fixes the hwsim test case radius_failover when running against a
kernel build that includes that commit.
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit 986de33d5c ('Convert remaining SSID
routines from char* to u8*') started using wpa_ssid_txt() to print out
the SSID for the Called-Station-Id attribute in RADIUS messages. This
was further modified by commit 6bc1f95613
('Use printf escaping in SSID-to-printable-string conversion') to use
printf escaping (though, even without this, wpa_ssid_txt() would have
masked characters).
This is not desired for Called-Station-Id attribute. While it is defined
as a "String", RFC 2865 indicates that "a robust implementation SHOULD
support the field as undistinguished octets.".
Copy the SSID as an array of arbitrary octets into Called-Station-Id to
avoid any kind of masking or escaping behavior. This goes a step further
from the initial implementation by allowing even the possible (but
unlikely in practical use cases) 0x00 octet in the middle of an SSID.
Signed-off-by: Jouni Malinen <j@w1.fi>
This extends multi-OCSP support to verify status for intermediate CAs in
the server certificate chain.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
ocsp=3 extends ocsp=2 by require all not-trusted certificates in the
server certificate chain to receive a good OCSP status. This requires
support for ocsp_multi (RFC 6961). This commit is only adding the
configuration value, but all the currently included TLS library wrappers
are rejecting this as unsupported for now.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds a minimal support for using status_request_v2 extension and
ocsp_multi format (OCSPResponseList instead of OCSPResponse) for
CertificateStatus. This commit does not yet extend use of OCSP stapling
to validate the intermediate CA certificates.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This allows hostapd with the internal TLS server implementation to
support the extended OCSP stapling mechanism with multiple responses
(ocsp_stapling_response_multi).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds a new hostapd configuration parameter
ocsp_stapling_response_multi that can be used similarly to the existing
ocsp_stapling_response, but for the purpose of providing multiple cached
OCSP responses. This commit adds only the configuration parameter, but
does not yet add support for this mechanism with any of the supported
TLS implementations.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds support for hostapd-as-authentication-server to be build with
the internal TLS implementation and OCSP stapling server side support.
This is more or less identical to the design used with OpenSSL, i.e.,
the cached response is read from the ocsp_stapling_response=<file> and
sent as a response if the client requests it during the TLS handshake.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This is needed for number of EAP test cases at least when using the
internal TLS server implementation.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds support for hostapd-as-authentication-server to be build
against GnuTLS with OCSP stapling server side support. This is more or
less identical to the design used with OpenSSL, i.e., the cached
response is read from the ocsp_stapling_response=<file> and sent as a
response if the client requests it during the TLS handshake.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This message is sent at MSG_INFO level and it is supposed to go out even
even debug messages were to be removed from the build. As such, use
wpa_msg() instead of wpa_dbg() for it.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This error case in own buffer lengths being too short was not handled
properly. While this should not really happen since the wpabuf
allocation is made large for the fixed cases that are currently
supported, better make eap_eke_prot() safer if this functionally ever
gets extended with a longer buffer need.
Signed-off-by: Jouni Malinen <j@w1.fi>