Commit graph

3991 commits

Author SHA1 Message Date
Jouni Malinen
a437378f98 proxyarp: Use C library header files and CONFIG_IPV6
This replaces the use of Linux kernel header files (linux/ip.h,
linux/udp.h, linux/ipv6.h, and linux/icmpv6.h) with equivalent header
files from C library. In addition, ndisc_snoop.c is now built
conditionally on CONFIG_IPV6=y so that it is easier to handle hostapd
builds with toolchains that do not support IPv6 even if Hotspot 2.0 is
enabled in the build.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-25 16:58:21 +02:00
Masashi Honma
a959a3b69d SAE: Fix Anti-Clogging Token request frame format
This commit inserts Finite Cyclic Group to Anti-Clogging Token request
frame because IEEE Std 802.11-2012, Table 8-29 says "Finite Cyclic Group
is present if Status is zero or 76".

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2014-11-25 16:08:53 +02:00
Masashi Honma
872b754512 mesh: Fix SAE anti-clogging functionality for mesh
The mesh anti-clogging functionality is implemented partially. This
patch fixes to parse anti-clogging request frame and use anti-clogging
token.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2014-11-25 15:33:04 +02:00
Jouni Malinen
649c0a6974 WPA: Use more explicit WPA/RSN selector count validation
Some static analyzers had problems understanding "left < count * len"
(CID 62855, CID 62856), so convert this to equivalent "count > left /
len" (len here is fixed to 4, so this can be done efficiently).

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 21:08:13 +02:00
Jouni Malinen
adf96fb66b WPS: Add explicit message length limit of 50000 bytes
Previously, this was implicitly limited by the 16-bit length field to
65535. This resulted in unhelpful static analyzer warnings (CID 62868).
Add an explicit (but pretty arbitrary) limit of 50000 bytes to avoid
this. The actual WSC messages are significantly shorter in practice, but
there is no specific protocol limit, so 50000 is as good as any limit to
use here.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 21:03:40 +02:00
Jouni Malinen
5c6787a6ca PeerKey: Clean up EAPOL-Key Key Data processing on AP
This extends the earlier PeerKey station side design to be used on the
AP side as well by passing pointer and already validated length from the
caller rather than parsing the length again from the frame buffer. This
avoids false warnings from static analyzer (CID 62870, CID 62871,
CID 62872).

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 21:03:40 +02:00
Jouni Malinen
d36f416926 EAP-IKEv2: Make proposal_len validation clearer
Some static analyzers seem to have issues understanding "pos +
proposal_len > end" style validation, so convert this to "proposal_len >
end - pos" to make this more obvious to be bounds checking for
proposal_len. (CID 62874)

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 21:03:40 +02:00
Jouni Malinen
c4de71cec5 EAP-FAST: Make PAC file A_ID parser easier to analyze
Some static analyzers seem to have issues with "pos + len > end"
validation (CID 62875), so convert this to "len > end - pos" to make it
more obvious that len is validated against its bounds.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 21:03:40 +02:00
Jouni Malinen
364182a80f EAP-FAST: Clean up binary PAC file parser validation steps
This was too difficult for some static analyzers (CID 62876). In
addition, the pac_info_len assignment should really have explicitly
validated that there is room for the two octet length field instead of
trusting the following validation step to handle both this and the
actual pac_info_len bounds checking.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 21:03:40 +02:00
Jouni Malinen
002a2495be radiotap: Initialize all members in ieee80211_radiotap_iterator_init()
_next_ns_data could look like it would be used uninitialized in
ieee80211_radiotap_iterator_next() to static analyzers. Avoid
unnecessary reports by explicitly initializing all variables in struct
ieee80211_radiotap_iterator. (CID 62878)

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 21:03:40 +02:00
Jouni Malinen
3e94937fa4 P2P: Make p2p_parse_p2p_ie() validation steps easier to analyze
Validation was fine, but a bit too complex for some static analyzers to
understand. (CID 68125)

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 21:03:40 +02:00
Jouni Malinen
46a0352589 Use more explicit num_pmkid validation in RSN IE parsing
Static analyzers may not have understood the bounds checking on
data->num_pmkid. Use a local, temporary variable and validate that that
value is within length limits before assining this to data->num_pmkid to
make this clearer. (CID 62857, CID 68126)

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 21:03:29 +02:00
Jouni Malinen
e7306bcb59 PCSC: Use clearer file TLV length validation step
This makes it easier for static analyzer to confirm that the length
field bounds are checked. WPA_GET_BE16() is also used instead of
explicit byte-swapping operations in this file. (CID 68129)

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 18:37:10 +02:00
Jouni Malinen
76874379d3 TLS client: Check DH parameters using a local variable
Use a temporary, local variable to check the DH parameters received from
the server before assigning the length to the struct tlsv1_client
variables. This will hopefully make it easier for static analyzers to
figure out that there is bounds checking for the value. (CID 72699)

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 17:48:34 +02:00
Jouni Malinen
b81e274cdf RADIUS client: Print a clear debug log entry if socket is not available
It could have been possible to select a socket that is not open
(sel_sock == -1) and try to use that in socket operations. This would
fail with potentially confusing error messages. Make this clearer by
printing a clear debug log entry on socket not being available.
(CID 72696)

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 17:41:13 +02:00
Jouni Malinen
f931374f30 IKEv2: Use a bit clearer payload header validation step
It looks like the "pos + plen > end" case was not clear enough for a
static analyzer to figure out that plen was being verified to not go
beyond the buffer. (CID 72687)

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 16:37:16 +02:00
Andrei Otcheretianski
70d1e72849 wpa_supplicant: Handle link measurement requests
Send link measurement response when a request is received. Advertise
only RCPI, computing it from the RSSI of the request. The TX power field
is left to be filled by the driver. All other fields are not published.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2014-11-22 21:45:07 +02:00
Andrei Otcheretianski
7dc0338806 nl80211: Register Link Measurement Request Action frame
Add link measurement request to registration of Action frames to be
handled by wpa_supplicant if the driver supports TX power value
insertation.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2014-11-22 21:38:30 +02:00
Assaf Krauss
f4b8bfae15 wpa_supplicant: Add NEIGHBOR_REP_REQUEST command to the control interface
Add NEIGHBOR_REP_REQUEST command to the wpa_supplicant ctrl_iface.
This command triggers the sending of a Neighbor Report Request to the
associated AP.

Signed-off-by: Assaf Krauss <assaf.krauss@intel.com>
2014-11-22 21:28:52 +02:00
Assaf Krauss
d89c0701db wpa_supplicant: Add support for Neighbor Report
Add the ability to send a Neighbor Report Request (part of
RRM). Requester is then notified once the report arrives.

Signed-off-by: Assaf Krauss <assaf.krauss@intel.com>
2014-11-22 21:23:14 +02:00
Assaf Krauss
2526ccd95a nl80211: Register Neighbor Report Response Action frame
Add Neighbor Report Response Action frame to registration of Action
frames to be handled by wpa_supplicant.

Signed-off-by: Assaf Krauss <assaf.krauss@intel.com>
2014-11-22 21:16:25 +02:00
Assaf Krauss
b361d580ec SME: Add RRM support to association request
In case the AP we are associating with advertises support for RRM,
advertise our own RRM support in the (Re)Association Request frame. This
is done by adding an RRM Capabilities IE. The underlying driver is
expected to further add a Power Capabilities IE to the request, and set
the Radio Measurement flag in the Capability Info field. At this point
the RRM Capabilities IE advertises no measurement support.

Signed-off-by: Assaf Krauss <assaf.krauss@intel.com>
2014-11-22 21:13:45 +02:00
Assaf Krauss
58162adf06 nl80211: Populate RRM flags in nl80211 driver
Set the RRM capability flags, based on the capabilities reported
by the underlying driver.

In addition, upon connection, notify the underlying driver regarding
RRM support.

Signed-off-by: Assaf Krauss <assaf.krauss@intel.com>
2014-11-22 21:06:32 +02:00
Assaf Krauss
0dc957b93d driver: Add RRM-related definitions to driver interface
Add definitions for RRM (Radio Resource Measurement) support:
1. Flags that specify the RRM capabilities of the underlying driver
2. Flag for RRM in Capability Info field in Management frames
3. Indication in association parameters regarding an RRM connection

Signed-off-by: Assaf Krauss <assaf.krauss@intel.com>
2014-11-22 21:05:55 +02:00
Jouni Malinen
533630625d Add generic operating class and channel to frequency function
ieee80211_chan_to_freq() is a generic function that replaces and extends
the previous P2P-specific p2p_channel_to_freq(). The new function
supports both the global operating class table as well as the additional
US, EU, JP, and CN operating class tables.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-22 20:17:47 +02:00
Jouni Malinen
5351480047 Add BSS-TM-RESP ctrl_iface event
This event allows external monitors to track STA response to BSS
Transition Management Request.

BSS-TM-RESP <STA addr> status_code=<#> bss_termination_delay=<#>
[target_bssid=<BSSID>]

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-22 16:34:34 +02:00
Jouni Malinen
a30dff07fb Add BSS_TM_REQ command to send BSS Transition Management Request
hostapd control interface can now be used to request transmission of a
BSS Transition Management Request frame to a specified station.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-11-22 16:34:34 +02:00
Jouni Malinen
37df6a87dd Add names for assigned QCA nl80211 vendor subcmds
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-11-21 21:46:01 +02:00
Jouni Malinen
f23c5b17e1 AP: Extend EAPOL-Key msg 1/4 retry workaround for changing SNonce
If the 4-way handshake ends up having to retransmit the EAPOL-Key
message 1/4 due to a timeout on waiting for the response, it is possible
for the Supplicant to change SNonce between the first and second
EAPOL-Key message 2/4. This is not really desirable due to extra
complexities it causes on the Authenticator side, but some deployed
stations are doing this.

This message sequence looks like this:
AP->STA: EAPOL-Key 1/4 (replay counter 1, ANonce)
AP->STA: EAPOL-Key 1/4 (replay counter 2, ANonce)
STA->AP: EAPOL-Key 2/4 (replay counter 1, SNonce 1)
AP->STA: EAPOL-Key 3/4 (replay counter 3, ANonce)
STA->AP: EAPOL-Key 2/4 (replay counter 2, SNonce 2)
followed by either:
STA->AP: EAPOL-Key 4/4 (replay counter 3 using PTK from SNonce 1)
or:
AP->STA: EAPOL-Key 3/4 (replay counter 4, ANonce)
STA->AP: EAPOL-Key 4/4 (replay counter 4, using PTK from SNonce 2)

Previously, Authenticator implementation was able to handle the cases
where SNonce 1 and SNonce 2 were identifical (i.e., Supplicant did not
update SNonce which is the wpa_supplicant behavior) and where PTK
derived using SNonce 2 was used in EAPOL-Key 4/4. However, the case of
using PTK from SNonce 1 was rejected ("WPA: received EAPOL-Key 4/4
Pairwise with unexpected replay counter" since EAPOL-Key 3/4 TX and
following second EAPOL-Key 2/4 invalidated the Replay Counter that was
used previously with the first SNonce).

This commit extends the AP/Authenticator workaround to keep both SNonce
values in memory if two EAPOL-Key 2/4 messages are received with
different SNonce values. The following EAPOL-Key 4/4 message is then
accepted whether the MIC has been calculated with the latest SNonce (the
previously existing behavior) or with the earlier SNonce (the new
extension). This makes 4-way handshake more robust with stations that
update SNonce for each transmitted EAPOL-Key 2/4 message in cases where
EAPOL-Key message 1/4 needs to be retransmitted.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-11-21 17:02:00 +02:00
Jouni Malinen
db099951cb Print EAPOL-Key Replay Counter in Authenticator debug log
This makes it easier to debug issues relared to EAPOL-Key
retransmissions.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-11-21 15:35:19 +02:00
Jouni Malinen
066371ad52 Reserve QCA vendor specific nl80211 commands 53
These is reserved for QCA use.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-11-20 20:36:59 +02:00
Jouni Malinen
e503861f4d nl80211: Do not try to change STA capability on NL80211_CMD_SET_STATION
cfg80211 will reject any of these attributes regardless of whether the
values actually change or not when NL80211_CMD_SET_STATION is used for
something else than TDLS. This path is hit at least when setting up
mesh, so filter out the attributes from NL80211_CMD_SET_STATION to match
the rules in cfg80211.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-20 16:31:05 +02:00
Rashmi Ramanna
9d11832090 P2P: Do not change P2P state on GO Neg failure if it is P2P_SEARCH
Changing the P2P state to P2P_IDLE on GO Negotiation Failure would stop
the previously issued P2P_FIND operation without notifying the upper
layers. Leave the search operation running if in P2P_SEARCH state to
avoid unexpected behavior in case the upper layers issued a new P2P_FIND
while waiting for GO Negotiation to complete.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-11-19 16:59:03 +02:00
Kyeyoon Park
47261405d7 AP: Add support for multicast-to-unicast conversion for DGAF Disable
When DGAF Disable is on, perform multicast-to-unicast for DHCP packets
and Router Advertisement packets. This is a requirement for Hotspot 2.0.

Signed-off-by: Kyeyoon Park <kyeyoonp@qca.qualcomm.com>
2014-11-19 16:47:06 +02:00
Kyeyoon Park
bd00c4311c AP: Add Neighbor Discovery snooping mechanism for Proxy ARP
This commit establishes the infrastructure, and handles the Neighbor
Solicitation and Neighbor Advertisement frames. This will be extended
in the future to handle other frames.

Signed-off-by: Kyeyoon Park <kyeyoonp@qca.qualcomm.com>
2014-11-19 16:47:06 +02:00
Kyeyoon Park
5c58944d08 AP: Add multicast-to-unicast conversion send for "x_snoop"
Multicast-to-unicast conversion send will be needed in various part of
Proxy ARP and DGAF Disable.

Signed-off-by: Kyeyoon Park <kyeyoonp@qca.qualcomm.com>
2014-11-19 16:25:13 +02:00
Kyeyoon Park
ed4ddb6d77 AP: Extend the BSS bridge neighbor entry management to support IPv6
This allows adding/deleting an IPv6 neighbor entry to/from the bridge,
to which the BSS belongs. This commit adds the needed functionality in
driver_nl80211.c for the Linux bridge implementation. In theory, this
could be shared with multiple Linux driver interfaces, but for now, only
the main nl80211 interface is supported.

Signed-off-by: Kyeyoon Park <kyeyoonp@qca.qualcomm.com>
2014-11-19 16:23:38 +02:00
Kyeyoon Park
7e4d893978 l2_packet: Add support for NDISC packet filter in l2_packet_linux
Signed-off-by: Kyeyoon Park <kyeyoonp@qca.qualcomm.com>
2014-11-19 16:15:26 +02:00
Kyeyoon Park
1d783762cf AP: Convert "dhcp_snoop" to use the generic "x_snoop"
Signed-off-by: Kyeyoon Park <kyeyoonp@qca.qualcomm.com>
2014-11-19 16:14:15 +02:00
Kyeyoon Park
c127355cb8 AP: Add a generic "x_snoop" infrastructure for Proxy ARP
Signed-off-by: Kyeyoon Park <kyeyoonp@qca.qualcomm.com>
2014-11-19 16:14:02 +02:00
Ilan Peer
38cb0a2db6 AP: Drop retransmitted auth/assoc/action frames
It is possible that a station device might miss an ACK for an
authentication, association, or action frame, and thus retransmit the
same frame although the frame is already being processed in the stack.
While the duplicated frame should really be dropped in the kernel or
firmware code where duplicate detection is implemented for data frames,
it is possible that pre-association cases are not fully addressed (which
is the case at least with mac80211 today) and the frame may be delivered
to upper layer stack.

In such a case, the local AP will process the retransmitted frame although
it has already handled the request, which might cause the station to get
confused and as a result disconnect from the AP, blacklist it, etc.

To avoid such a case, save the sequence control of the last processed
management frame and in case of retransmissions drop them.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2014-11-19 15:20:47 +02:00
Jouni Malinen
453553698c EAP-pwd: Remove unnecessary OpenSSL EVP_sha256() registration
This gets registered in tls_openssl.c from tls_init(), so there is no
need for EAP-pwd implementation to register explicitly. This avoids some
corner cases where OpenSSL resources do not get fully freed on exit.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-17 01:20:10 +02:00
Jouni Malinen
afbe57d981 DFS: Fix hostapd operation without hw_mode driver data
If DFS implementation was built in, some configurations with drivers
that do not provide mode information could end up dereferencing a NULL
pointer. Fix this by skipping DFS operations in such cases since not
having information about modes and channels means that hostapd could not
perform DFS anyway (i.e., either this is not a wireless driver or the
driver takes care of DFS internally).

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-17 01:14:35 +02:00
Jouni Malinen
e9b783d58c Fix hostapd operation without hw_mode driver data
Commit 7f0303d5b0 ('hostapd: Verify VHT
160/80+80 MHz driver support') added couple of hapd->iface->current_mode
dereferences of which the one in hostapd_set_freq() can be hit with some
configuration files when using driver wrappers that do not have hw_mode
data, i.e., when current_mode is NULL. This could result in segmentation
fault when trying to use driver=wired. Fix this by checking that
current_mode is not NULL before dereferencing it to get vht_capab.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-17 01:08:04 +02:00
Jouni Malinen
01b24c52df wired: Fix deinit path to unregister eloop read_sock
The previous version was leaving behind registered eloop socket
instances.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-17 00:57:15 +02:00
Moshe Benji
71d263ea70 Add wpa_scnprintf() helper function
This provides a simpler version of snprintf that doesn't require further
error checks.

Signed-off-by: Moshe Benji <moshe.benji@intel.com>
Signed-off-by: Eliad Peller <eliad@wizery.com>
2014-11-16 21:40:42 +02:00
Moshe Benji
dfa8787833 nl80211: Implement add_ts/del_ts ops
Add ops to notify about TSPECs to add/remove. Additionally, subscribe to
ADDTS/DELTS Action frames to be able to process WMM AC Action frames.

Signed-off-by: Moshe Benji <moshe.benji@intel.com>
Signed-off-by: Eliad Peller <eliad@wizery.com>
2014-11-16 21:21:22 +02:00
Eliad Peller
1b640fd27c Add str_token() function
Add helper function to get the next token from a string.

Signed-off-by: Eliad Peller <eliadx.peller@intel.com>
2014-11-16 21:11:23 +02:00
Moshe Benji
d1f880013a WMM AC: Handle TSPEC action frames
Add the TSPEC to the driver on successful TSPEC ADDTS response. Delete
the TSPEC when receiving DELTS action.

Signed-off-by: Moshe Benji <moshe.benji@intel.com>
Signed-off-by: Eliad Peller <eliad@wizery.com>
2014-11-16 21:07:08 +02:00
Moshe Benji
471cd6e10c WMM AC: Add add_tx_ts and del_tx_ts driver ops
Add add_tx_ts() and del_tx_ts() ops to notify the driver about
TSPEC add / delete.

Additionally, add wmm_ac_supported flag to indicate
whether the driver supports WMM AC.

Signed-off-by: Moshe Benji <moshe.benji@intel.com>
Signed-off-by: Eliad Peller <eliad@wizery.com>
2014-11-16 20:47:36 +02:00