The EAP peer state machine moved from IDLE to FAILURE state when the
EAPOL Authenticator triggered reauthentication with an
EAP-Request/Identity in a case where the associated started with FT
protocol or offloaded PMKSA cache use (4-way handshake using a
previously acquired PMK). This happened due to the altSuccess=TRUE
setting being left behind and not cleared when processing the restart of
authentication. Fix this by clearing altAccept and eapSuccess when going
through SUPP_PAE RESTART state.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The EAPOL AUTH_PAE state machine was left in incomplete state at the
completion of FT protocol. Set portValid = TRUE to allow the state
machine to proceed from AUTHENTICATING to AUTHENTICATED state, so that a
new EAPOL reauthentication can be triggered.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This avoids issues with following test cases failing due to unexpected
starting state. This issue showed up with the following hwsim test case
sequence:
fst_setup_mbie_diff fst_dynamic_iface_attach
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Mesh Points themselves have capability to support VHT as long as
hardware supports it. However, supporting VHT in mesh mode was disabled
because no one had clearly tested and confirmed its functionality. Since
VHT80 has now been verified to work with ath10k QCA988X driver and
mac80211_hwsim, enable VHT support in mesh mode.
Signed-off-by: Peter Oh <poh@qca.qualcomm.com>
Set WLAN_STA_WMM flag to Mesh STA by default since Mesh STAs are QoS
STAs. Mesh STA's HT capabilities won't be parsed properly without the
flag.
Signed-off-by: Peter Oh <poh@qca.qualcomm.com>
It was possible for the WPS PBC state to get cached through to the
following test cases and that would trigger false failures. Fix this by
explicitly clearing the scan cache at the end of ap_wps_per_station_psk.
This issue was triggered with the following test case sequence:
ap_wps_per_station_psk autogo_pbc
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If a memory allocation fails while parsing driver capabilities, drop all
mode/channel/rate information instead of returning possibly partial
information.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This is needed since the forced OOM may have forced the cached
information to be invalid or dropped. This issue was hit with the
following hwsim test case sequence:
ap_interworking_scan_filtering fst_sta_config_llt_large dbus_connect_oom
wpas_ctrl_enable_disable_network
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If "STA_AUTOCONNECT 0" has been used to disable automatic connection on
disconnection event and the driver indicates a failure for the data
connection after successful WPS handshake, it is possible to hit a case
where wpa_s->disconnected is set to 1 and further attempts to connect
shall stop.
While "STA_AUTOCONNECT 0" is used to disable automatic reconnection
attempts in general, this specific WPS case can benefit from trying
again even with that configuration for a short period of time. Extend
the wpa_supplicant re-enable-networks-after-WPS 10 second timeout to
apply for ignoring disabled STA_AUTOCONNECT immediately after a WPS
provisioning step.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Free the message after message send in
wpas_dbus_signal_p2p_invitation_received() to avoid leaking memory.
Signed-off-by: Mayank Haarit <mayank.h@samsung.com>
Signed-off-by: Avichal Agarwal <avichal.a@samsung.com>
Now hostapd will use station MAC-based permissions according to the
macaddr_acl policy also for drivers which use AP SME offload, but do not
support NL80211_CMD_SET_MAC_ACL for offloading MAC ACL processing. It
should be noted that in this type of case the association goes through
and the station gets disconnected immediately after that.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
wpa_sm_key_mgmt_set_pmk() was checking for proactive_key_caching to be
enabled before setting the PMK to the driver. This check is not required
and would mandate configuration setting of okc or proactive_key_caching
for cases which were not necessary.
Signed-off-by: Amarnath Hullur Subramanyam <amarnath@qca.qualcomm.com>
The new attribute can be used with
QCA_NL80211_VENDOR_SUBCMD_KEY_MGMT_ROAM_AUTH to indicate whether the IP
subnet was detected to have changed when processing offloaded roam/key
management.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The upstream wpa_supplicant uses the dbus-1 library when it is compiled
with D-Bus support. In Android, we imported the D-Bus shared libraries
under the name "libdbus", so use this shared library instead of dbus-1
when compiling wpa_supplicant with D-Bus support.
Signed-off-by: Samuel Tan <samueltan@google.com>
This is similar to SAVE_CONFIG on control interface, which allow users
to update the configuration file.
Signed-off-by: Purushottam Kushwaha <p.kushwaha@samsung.com>
Signed-off-by: Mayank Haarit <mayank.h@samsung.com>
If the Confirm message is received from the server before the Identity
exchange has been completed, the group has not yet been determined and
data->grp is NULL. The error path in eap_pwd_perform_confirm_exchange()
did not take this corner case into account and could end up
dereferencing a NULL pointer and terminating the process if invalid
message sequence is received. (CVE-2015-5316)
Signed-off-by: Jouni Malinen <j@w1.fi>
All but the last fragment had their length checked against the remaining
room in the reassembly buffer. This allowed a suitably constructed last
fragment frame to try to add extra data that would go beyond the buffer.
The length validation code in wpabuf_put_data() prevents an actual
buffer write overflow from occurring, but this results in process
termination. (CVE-2015-5314)
Signed-off-by: Jouni Malinen <j@w1.fi>
All but the last fragment had their length checked against the remaining
room in the reassembly buffer. This allowed a suitably constructed last
fragment frame to try to add extra data that would go beyond the buffer.
The length validation code in wpabuf_put_data() prevents an actual
buffer write overflow from occurring, but this results in process
termination. (CVE-2015-5315)
Signed-off-by: Jouni Malinen <j@w1.fi>
The AP is not expected to send out a WNM-Sleep Mode Response frame
without the STA trying to use WNM-Sleep Mode. Drop such unexpected
responses to reduce unnecessary processing of the frame.
Signed-off-by: Jouni Malinen <j@w1.fi>
WNM Sleep Mode Response frame is used to update GTK/IGTK only if PMF is
enabled. Verify that PMF is in use before using this field on station
side to avoid accepting unauthenticated key updates. (CVE-2015-5310)
Signed-off-by: Jouni Malinen <j@w1.fi>
Using "STATUS" command triggers CTRL-EVENT-STATE-CHANGE and
CTRL-EVENT-CONNECTED (if connected to some AP) events. These events
cause problems in Android WifiStateMachine in Marshmallow. Due to these
events WifiStateMachine sometimes disconnects the OSU SSID connection,
while hs20-osu-client waits for IP address.
Signed-off-by: Somdas Bandyopadhyay <somdas.bandyopadhyay@intel.com>
Some APs may send RSC octets in EAPOL-Key message 3 of 4-Way Handshake
or in EAPOL-Key message 1 of Group Key Handshake in the opposite byte
order (or by some other corrupted way). Thus, after a successful
EAPOL-Key exchange the TSC values of received multicast packets, such as
DHCP, don't match the RSC one and as a result these packets are dropped
on replay attack TSC verification. An example of such AP is Sapido
RB-1732.
Work around this by setting RSC octets to 0 on GTK installation if the
AP RSC value is identified as a potentially having the byte order issue.
This may open a short window during which older (but valid)
group-addressed frames could be replayed. However, the local receive
counter will be updated on the first received group-addressed frame and
the workaround is enabled only if the common invalid cases are detected,
so this workaround is acceptable as not decreasing security
significantly. The wpa_rsc_relaxation global configuration property
allows the GTK RSC workaround to be disabled if it's not needed.
Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
The SCAN TYPE=ONLY results do not trigger a connection operation
automatically. As such, there was no explicit operation that would
change wpa_state after such a scan-only operation and WPA_SCANNING state
could have been left in effect until the next operation is triggered by
an external command. This is not desirable, so restore the wpa_state
that was in use when the scan was started in case WPA_SCANNING state is
still set when the scan operation completes.
This was triggered by the following mac80211_hwsim test sequence:
dbus_wps_oom scan_trigger_failure
Signed-off-by: Jouni Malinen <j@w1.fi>
Previously, wnm_deallocate_memory() was called only if we decided to
move to another BSS at the completion of an accepted BSS Transition
Management Request. This resulted in the candidate information being
left in effect for the following scan operation if we were already
associated with the preferred candidate. This could result in unexpected
behavior in the following connection attempt.
Fix this by clearing the candidate information even if we do not need to
roam to another BSS.
This was triggered with mac80211_hwsim test cases in this sequence:
wnm_bss_tm ap_track_sta_force_2ghz
Signed-off-by: Jouni Malinen <j@w1.fi>
It was possible for dev[2] to be left with non-default config_methods
parameter at the end of the test case and that could result issues in
following test cases. This hit a failure in the following sequence:
wpas_ctrl_set_wps_params p2ps_channel_active_go_and_station_same
Signed-off-by: Jouni Malinen <j@w1.fi>
While this is not part of RFC 4137, the way m.check(eapReqData) is
implemented in wpa_supplicant allows an EAP method to not update the
ignore value even though each such call is really supposed to get a new
response. It seems to be possible to hit a sequence where a previous EAP
authentication attempt terminates with sm->ignore set from the last
m.check() call and the following EAP authentication attempt could fail
to go through the expected code path if it does not clear the ignore
flag. This is likely only hit in some error cases, though. The hwsim
test cases could trigger this with the following sequence:
eap_proto_ikev2 ap_wps_m1_oom
Signed-off-by: Jouni Malinen <j@w1.fi>
libwpa_test1 and libwpa_test2 targets can now be used to check
libwpa_client linking for static and shared library cases respectively.
Signed-off-by: Jouni Malinen <j@w1.fi>
Building libwpa_client requires src/utils/common.c for bin_clear_free()
else loading the library fails with:
Error relocating /usr/lib/libwpa_client.so: bin_clear_free: symbol not found
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
When using CONFIG_TLS=internal and starting hostapd with multiple
configuration files that each initialize TLS server, the server
certificate and related data was not freed for all the interfaces on
exit path. Fix this by freeing the credential data that is stored
separately for each call to tls_init().
Signed-off-by: Jouni Malinen <j@w1.fi>