Commit graph

15000 commits

Author SHA1 Message Date
Nils Nieuwejaar
ba4f3224ae Allow remote RADIUS authentication with local VLAN management
The documentation in the hostapd.conf file says that the dynamic_vlan
variable is used to control whether VLAN assignments are accepted from a
RADIUS server. The implication seems to be that a static VLAN assignment
will come from the accept_mac_file if dynamic_vlan is set to 0, and a
dynamic assignment will come from the RADIUS server if dynamic_vlan is
set to 1. Instead, I'm seeing that the static settings from the
accept_mac_file are ignored if dynamic_vlan is set to 0, but used if
dynamic_vlan is set to 1. If dynamic_vlan is set to 1 and the RADIUS
server does not provide a VLAN, then the accept_mac_file assignment is
overridden and the STA is assigned to the default non-VLANed interface.

If my understanding of the expected behavior is correct, then I believe
the problem is in ap_sta_set_vlan(). That routine checks the
dynamic_vlan setting, but has no way of determining whether the incoming
vlan_desc is static (i.e., from accept_mac_file) or dynamic (i.e., from
a RADIUS server).

I've attached a patch that gets hostapd working as I believe it's meant
to, and updates the documentation to make the implicit behavior
explicit.

The functional changes are:

- hostapd_allowed_address() will always extract the vlan_id from the
  accept_macs file. It will not update the vlan_id from the RADIUS cache
  if dynamic_vlan is DISABLED.

- hostapd_acl_recv_radius() will not update the cached vlan_id if
  dynamic_vlan is DISABLED.

- ieee802_1x_receive_auth() will not update the vlan_id if dynamic_vlan
  is DISABLED.

More cosmetic:

Most of the delta is just moving code out of ieee802_1x_receive_auth()
into a new ieee802_1x_update_vlan() routine. While I initially did this
because the new DISABLED check introduced excessive indentation, it has
the added advantage of eliminating the vlan_description allocation and
os_memset() call for all DYNAMIC_VLAN_DISABLED configs.

I've done a couple rounds of review offline with Michael Braun (who has
done much of the work in this part of the code) and incorporated his
feedback.

If dynamic_vlan=0 (disabled), vlan assignments will be managed using the
local accept_mac_file ACL file, even if a RADIUS server is being used
for user authentication. This allows us to manage users and devices
independently.

Signed-off-by: Nils Nieuwejaar <nils.nieuwejaar@gmail.com>
2019-01-02 23:27:49 +02:00
Jouni Malinen
ed87f6a80e Use a helper function for checking Extended Capabilities field
The new ieee802_11_ext_capab() and wpa_bss_ext_capab() functions can be
used to check whether a specific extended capability bit is set instead
of having to implement bit parsing separately for each need.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-02 18:13:19 +02:00
Jouni Malinen
2e2f0f45de tests: [UTF-8] flag in scan results
Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-02 17:58:42 +02:00
Jouni Malinen
e6b0898da3 Add [FST] and [UTF-8] flags to BSS command output
These flags were used in SCAN_RESULTS command output, but not BSS. Make
these consistent by adding the flags to BSS as well.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-02 17:58:31 +02:00
Jouke Witteveen
1f2c42cc7f Show [UTF-8] flag if the SSID is reported as UTF-8
Signed-off-by: Jouke Witteveen <j.witteveen@gmail.com>
2019-01-02 17:58:05 +02:00
Mikael Kanstrup
e5904cf464 crypto internal: Make MD4 PADDING array const
The PADDING array used when adding padding bits in MD4 never change
so can be made const. Making it const puts the array in .rodata
section and can save a few bytes of RAM for systems running without
virtual memory.

Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sony.com>
2019-01-02 17:26:57 +02:00
Markus Theil
6ca4949ae1 RRM: Update own neighbor report on channel switch
After performing a successful channel switch, the AP should update its
own neighbor report element, so do this from src/ap/drv_callbacks.c
after a successful switch.

Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
2019-01-02 16:47:12 +02:00
Markus Theil
0998d9bd41 RRM: Move neighbor report functions
Move functions corresponding to neighbor report elements to
src/ap/neighbor_db.[c,h] in preparation to using them after channel
switch from src/ap/drv_callbacks.c.

Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
2019-01-02 16:47:09 +02:00
Jouni Malinen
dc67982381 hostapd: Fix a typo in function name
This was supposed to use "hostapd_" prefix.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-02 16:40:34 +02:00
Ilan Peer
6ec02d77d6 crypto: Reduce the size of sha512_compress() stack frame
The function sha512_compress() has a local variable that consumes 640
bytes. This is very heavy for embedded devices that have limited stack
resources. Handle this by replacing the static allocation with a dynamic
one.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2019-01-02 16:31:19 +02:00
Avraham Stern
d6e7d4dede hostapd_cli: Add option to send beacon report request
This new 'req_beacon' command is useful for testing.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2019-01-02 16:26:11 +02:00
Avraham Stern
8d09cf52a5 tests: Beacon report last frame indication
Verify that the beacon report contains the last beacon report
indication subelement when requested in the beacon request.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2019-01-02 16:26:11 +02:00
Avraham Stern
ecef0687dc RRM: Support for Last Beacon Report Indication subelement
IEEE P802.11-REVmd/D2.0, 9.4.2.20.7 (Beacon request) and 9.4.2.21.7
(Beacon report) add the Last Beacon Report Indication subelement to
Beacon Request and Beacon Report elements.

Add the Last Beacon Report Indication subelement to all Beacon Report
elements if the Beacon Request indicated that this subelement is
requested.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2019-01-02 16:26:11 +02:00
Avraham Stern
ec5b899040 tests: Beacon report frame body fragmentation
Verify that when the frame body subelement causes the
measurement report element to exceed the maximum element size,
the beacon report is fragmented and the frame body fragment ID
subelement is added with the correct fragment number.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2019-01-02 16:26:11 +02:00
Jouni Malinen
aa7386e92a tests: Update rrm_beacon_req_table_rsne to expect full RSNE
Now that wpa_supplicant is sending out full RSNE instead of the
fragmented one, update this test case to match.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-02 16:26:11 +02:00
Avraham Stern
3ec118780a RRM: Add support for beacon report fragmentation
When the frame body subelement would cause the measurement report
element to exceed the maximum element size, the frame body subelement
used to be truncated. In addition, some elements were always truncated
in order to keep the reported frame body short (e.g. RSN IE).

Alternatively, IEEE P802.11-REVmd/D2.0, 9.4.2.21.7 extension to Beacon
reporting can be used: The frame body subelement is fragmented across
multiple beacon report elements, and the reported frame body fragment ID
subelement is added.

Use beacon report fragmentation instead of truncating the frame body
as this method gives the AP a more complete information about the
reported APs.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2019-01-02 15:54:55 +02:00
Jouni Malinen
6a94fdf21a tests: D-Bus P2P peer information - VSIE
Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-02 13:00:57 +02:00
Nishant Chaprana
46efa3dae0 dbus: Add vendor specific information element in peer properties
Make vendor specific information elements (VSIE) available in peer
properties, so that VSIE of a specific peer can be retrieved using
peer's object path.

Signed-off-by: Nishant Chaprana <n.chaprana@samsung.com>
2019-01-02 13:00:57 +02:00
Jouni Malinen
e3523cece4 tests: Fix p2p_ext_discovery_go to write to logger, not stdout
The error case debug print should go to logger.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-02 13:00:57 +02:00
Jouni Malinen
720a2e7906 tests: Data connectivity after REAUTHENTICATE
Verify that not updating GTK (i.e., only update PTK) in the driver does
not break connectivity. This case is different after the check for
"already in-use GTK" and rejection of GTK reinstallation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-02 12:28:16 +02:00
Jouni Malinen
7814838f92 eloop: Fix kqueue event deletion filter
EV_SET() for EV_ADD used a specific filter type, but that same filter
type was not provided to the matching EV_DELETE case. This resulted in
the kernel rejecting the deletion with "Invalid argument". Fix this by
setting the same filter type for both operations.

Fixes: f9982b3212 ("Implement kqueue(2) support via CONFIG_ELOOP_KQUEUE")
Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-02 12:11:52 +02:00
Jouni Malinen
7153bd4674 eloop: Fix fd_table allocation for epoll and kqueue
The previous implementation did not work if the first registered socket
had fd > 16 or if the fd was more than double the largest value used in
previous registrations. Those cases could result in too small a memory
allocation being used and writes/reads beyond the end of that buffer.

This fix is applicable to CONFIG_ELOOP_EPOLL=y and CONFIG_ELOOP_KQUEUE=y
builds.

Fixes: f0356ec85c ("eloop: Add epoll option for better performance")
Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-02 11:57:00 +02:00
Lubomir Rintel
89a7cdd690 crypto: Add option to use getrandom()
According to random(4) manual, /dev/random is essentially deprecated on
Linux for quite some time:

"The /dev/random interface is considered a legacy interface, and
/dev/urandom is preferred and sufficient in all use cases, with the
exception of applications which require randomness during early boot
time; for these applications, getrandom(2) must be used instead, because
it will block until the entropy pool is initialized."

An attempt to use it would cause unnecessary blocking on machines
without a good hwrng even when it shouldn't be needed. Since Linux 3.17,
a getrandom(2) call is available that will block only until the
randomness pool has been seeded.

It is probably not a good default yet as it requires a fairly recent
kernel and glibc (3.17 and 2.25 respectively).

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-01-02 01:24:18 +02:00
Ben Greear
2a54979695 wpa_ctrl: Make wpa_cli ping/pong work more reliably
In 2013 or so, IFNAME=foo was prepended to at least the Unix socket
communication from wpa_supplicant to wpa_cli. This broke the (fragile)
logic that made ping/pong work more often when wpa_supplicant is busy
sending logging info to wpa_cli.

Adding check for IFNAME=foo makes this work better.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2019-01-02 00:45:59 +02:00
Isaac Boukris
658c39809b OpenSSL: Load chain certificates from client_cert file
This helps the server to build the chain to trusted CA when PEM encoding
of client_cert is used with multiple listed certificates. This was
already done for the server certificate configuration, but the client
certificate was limited to using only the first certificate in the file.

Signed-off-by: Isaac Boukris <iboukris@gmail.com>
2019-01-02 00:43:26 +02:00
Sergey Matyukevich
fb60dbdcec vlan: Use new bridge ioctl()
Legacy ioctl() through SIOCDEVPRIVATE are deprecated. Follow the
approach taken by bridge-utils and make use of new bridge ioctl's
whenever possible.

For example, using legacy ioctl() breaks dynamic VLAN mode on 32-bit
Linux systems running 64-bit kernels.

Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
2019-01-02 00:23:43 +02:00
Jouni Malinen
cc58a35735 Update copyright notices for the new year 2019
Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-01 23:38:56 +02:00
Jouni Malinen
b9c33e3fba tests: Use different country in p2p_go_move_reg_change
Use of country=00 (world roaming) seemed to not work anymore with the
current cfg80211 regulatory implementation since the existing channel is
left enabled when moving to country=00. Use a specific country code that
does enforce the selected channel from being used anymore to make this
test case pass again.

The change in cfg80211 behavior is from the kernel commit 113f3aaa81bd
("cfg80211: Prevent regulatory restore during STA disconnect in
concurrent interfaces").

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-01 23:33:17 +02:00
Jouni Malinen
fb643190dc tests: dot1xAuthSessionUserName
Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-01 21:29:25 +02:00
Jouni Malinen
28ab9344b5 Use internal EAP server identity as dot1xAuthSessionUserName
If the internal EAP server is used instead of an external RADIUS server,
sm->identity does not get set. Use the identity from the internal EAP
server in such case to get the dot1xAuthSessionUserName value in STA MIB
information.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-01 21:27:54 +02:00
Jouni Malinen
a139ddb6cd browser: Replace deprecated gtk_window_set_wmclass()
Use gtk_window_set_role() instead of the deprecated
gtk_window_set_wmclass().

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-01 20:36:42 +02:00
Jouni Malinen
4b970ee572 HTTP (curl): Replace deprecated ASN1_STRING_data()
Use ASN1_STRING_get0_data() instead of the older ASN1_STRING_data() that
got deprecated in OpenSSL 1.1.0.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-01 20:29:34 +02:00
Ben Greear
22d1b2ecdb HTTP (curl): Fix build with newer OpenSSL versions
The SSL_METHOD patching hack to get proper OCSP validation for Hotspot
2.0 OSU needs cannot be used with OpenSSL 1.1.0 and newer since the
SSL_METHOD structure is not exposed anymore. Fall back to using the
incomplete CURLOPT_SSL_VERIFYSTATUS design to fix the build.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2019-01-01 20:24:07 +02:00
Ben Greear
37f487bb41 HTTP (curl): Use DEFINE_STACK_OF() with newer OpenSSL versions
SKM_sk_num() is not available anymore, so use DEFINE_STACK_OF() to get
the appropriate accessor functions.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2019-01-01 20:14:53 +02:00
Ben Greear
9805bb1bdb HTTP (curl): Use SSL_get_SSL_CTX() helper
The direct ssl->ctx access are not allowed anymore in newer OpenSSL
versions, so use the SSL_get_SSL_CTX() helper for this.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2019-01-01 20:07:19 +02:00
Ben Greear
a898113823 HS 2.0: Fix EST compilation with OpenSSL 1.1.0 and newer
SKM_sk_value() is not available anymore, so use DEFINE_STACK_OF() to get
the appropriate accessor functions.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2019-01-01 19:56:19 +02:00
Jouni Malinen
b2f1e5458b hostap: Silence compiler warnings about IFNAMSIZ buffers
Report interface name truncation and reject such cases in Host AP driver
initialization of the AP interface.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-01 19:38:58 +02:00
Jouni Malinen
2ea1fce3d6 OCE: RSSI-based rejection to consider Authentication frames (AP)
Try to make RSSI-based rejection of associating stations a bit less
likely to trigger false rejections by considering RSSI from the last
received Authentication frame. Association is rejected only if both the
Authentication and (Re)Association Request frames are below the RSSI
threshold.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-01 18:18:53 +02:00
Beni Lev
7021d33c9e tests: Add RSSI based association rejection tests
Signed-off-by: Beni Lev <beni.lev@intel.com>
2019-01-01 18:18:53 +02:00
Beni Lev
080035d1db tests: Add a command for setting TX power/RSSI
With this command, RSSI signal can be controlled. Due to restrictions in
kernel, only values in the range of [-30, -50] can be used. The command
is implemented by changing the TX power.

Signed-off-by: Beni Lev <beni.lev@intel.com>
2019-01-01 18:18:53 +02:00
Beni Lev
076f1ea1d9 OCE: Add RSSI based association rejection support (AP)
An AP might reject a STA association request due to low RSSI. In such
case, the AP informs the STA the desired RSSI improvement and a retry
timeout. The STA might retry to associate even if the RSSI hasn't
improved if the retry timeout expired.

Signed-off-by: Beni Lev <beni.lev@intel.com>
2019-01-01 18:18:50 +02:00
Beni Lev
19677b77c3 OCE: Add RSSI based association rejection support (STA)
An AP might refuse to connect a STA if it has a low RSSI. In such case,
the AP informs the STA with the desired RSSI delta and a retry timeout.
Any subsequent association attempt with that AP (BSS) should be avoided,
unless the RSSI level improved by the desired delta or the timeout has
expired.

Defined in Wi-Fi Alliance Optimized Connectivity Experience technical
specification v1.0, section 3.14 (RSSI-based association rejection
information).

Signed-off-by: Beni Lev <beni.lev@intel.com>
2019-01-01 17:56:25 +02:00
Jouni Malinen
2994ecfb5f tests: P2P cancel join-group using p2pdev and no separate group interface
Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-01 16:58:11 +02:00
Aloni, Adiel
dc9b7d217c P2P: Set global->p2p_group_formation in wpas_p2p_join_start() for p2pdev
When a dedicated P2P device interface is used, the
global->p2p_group_formation was not set in wpas_p2p_join_start() if no
separate group interface is used. This would cause that in case of a
failure in group formation, the cleaning of p2p_in_provisioning is done
on the wrong interface. Furthermore, P2P_CANCEL command could not be
used to stop such a group-join operation. Fix this by setting the
global->p2p_group_formation correctly in case that the group interface
is reusing wpa_s->parent.

Signed-off-by: Adiel Aloni <adiel.aloni@intel.com>
2019-01-01 16:56:22 +02:00
Jouni Malinen
7f90a850ff tests: Clear regdom state in go_neg_forced_freq_diff_than_bss_freq
Be more careful with cleaning up the regdom state in cfg80211.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-01 16:35:42 +02:00
Jouni Malinen
5a5529c9f4 tests: Make dpp_pkex_no_responder handle enabled 5 GHz channels
It was possible for the 5 GHz PKEX channels to be enabled, e.g., when
running "ap_ht40_csa2 dpp_pkex_no_responder" test sequence, and that
resulted in a failure in dpp_pkex_no_responder due to the unexpectedly
long wait needed for the DPP-FAIL event. Increase the wait time to allow
for 5 GHz PKEX channels to be probed.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-01 16:17:13 +02:00
Jouni Malinen
32bb47faa1 Update wpa_supplicant channel list on FLUSH
Try to make sure the driver channel list state is synchronized with
wpa_supplicant whenever explicitly clearing state (e.g., between hwsim
test cases).

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-01 15:58:46 +02:00
Jouni Malinen
d8dda601f0 nl80211: Debug print channel list
This makes it a bit easier to figure out how channel list update from
the kernel is taken into use.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-01 15:51:10 +02:00
Jouni Malinen
c55799e54c tests: Check per-wiphy specific country code between test cases
This allows more accurate logging of failures related to the cfg80211
country=98 (intersection) case. This version is trying to give some more
time to allow the country code to clear, but that does not seem to be
sufficient with the current cfg80211 implementation for country=98 (but
might be for other cases).

The additional check for country=98 at the beginning of each test case
is an attempt to force cfg80211 to restore world roaming state with a
new association and disconnection at the station side detected after the
AP side has already stopped. This is needed after the Linux kernel
commit 113f3aaa81bd ("cfg80211: Prevent regulatory restore during STA
disconnect in concurrent interfaces").

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-01 11:46:50 +02:00
Jouni Malinen
ba3146e154 tests: Wait a bit after 'iw reg set 00' at the end of test cases
This is needed to avoid leaving unexpected cfg80211 regulatory country
code in place at the point when a test case terminates.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-01 11:46:50 +02:00