Commit graph

4120 commits

Author SHA1 Message Date
Dmitry Shmidt
f2bc344808 wpa_supplicant: Fix global control interface for STA/STA-FIRST/STA-NEXT
update_stations(ctrl_conn) is stuck in never-ending loop:

sendto(3, "STA-FIRST", 9, 0, NULL, 0)   = 9
pselect6(4, [3], NULL, NULL, {10, 0}, NULL) = 1 (in [3], left {9, 999995000})
recvfrom(3, "UNKNOWN COMMAND\n", 4095, 0, NULL, NULL) = 16
sendto(3, "STA-NEXT UNKNOWN COMMAND", 24, 0, NULL, 0) = 24
pselect6(4, [3], NULL, NULL, {10, 0}, NULL) = 1 (in [3], left {9, 999995833})
recvfrom(3, "UNKNOWN COMMAND\n", 4095, 0, NULL, NULL) = 16
sendto(3, "STA-NEXT UNKNOWN COMMAND", 24, 0, NULL, 0) = 24
pselect6(4, [3], NULL, NULL, {10, 0}, NULL) = 1 (in [3], left {9, 999995000})
recvfrom(3, "UNKNOWN COMMAND\n", 4095, 0, NULL, NULL) = 16
sendto(3, "STA-NEXT UNKNOWN COMMAND", 24, 0, NULL, 0) = 24

Direct STA, STA-FIRST, and STA-NEXT commands from the global control
interface to a per-interface control interface to avoid this.

Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
2017-01-30 01:54:22 +02:00
Jouni Malinen
0da355235e FST: Remove WPA_ASSERT from wpas_fst_send_action_cb()
It was possible to hit this WPA_ASSERT when FST-MANAGER SESSION_REMOVE
command is exececuted when in not-associated state. In
CONFIG_EAPOL_TEST=y builds, this would result in the wpa_supplicant
process being terminated. Convert this WPA_ASSERT to a check that does
not terminate the process, but only rejects the command if wpa_s->bssid
does not match the da argument.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-29 19:22:14 +02:00
Andrejs Cainikovs
6a5425fd60 Increase delayed EAPOL RX frame timeout
Increase the EAPOL RX frame timeout from 100 to 200 ms. This fixes lack
of optimization (i.e., first EAPOL frame dropped) in occasional roaming
and authentication cases on EAP networks if the kernel events can be
reordered and delayed a bit longer.

Signed-off-by: Tomoharu Hatano <tomoharu.hatano@sonymobile.com>
2017-01-29 18:41:29 +02:00
Johannes Berg
cef8fac04b wpa_auth: Make struct wpa_auth_callbacks const
Instead of copying the struct wpa_auth_callbacks, just keep a pointer to
it, keep the context pointer separate, and let the user just provide a
static const structure. This reduces the attack surface of heap
overwrites, since the function pointers move elsewhere.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2017-01-29 18:41:26 +02:00
Johannes Berg
30eddf3529 Fix or supress various sparse warnings
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2017-01-29 18:33:10 +02:00
Jouni Malinen
b301f54e55 IBSS/mesh: Skip VHT channel setup with vht_disabled=1
If the VHT capability override vht_disabled=1 is used in the network
profile, skip VHT configuration of the local channel.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-29 18:31:54 +02:00
Masashi Honma
adc6a5d81a mesh: Check remote peer HT Operation element
The remote mesh STA which had configuration disable_ht40=1 could have HT
Capabilities element which includes Supported Channel Width Set = 1
(both 20 MHz and 40 MHz operation is supported) even though it had HT
Operation element which includes STA Channel Width = 0 (20 MHz channel
width only). Previously, local peer recognized such a remote peer as 40
MHz band width enabled STA because local peer only checked HT
Capabilities element. This could cause disconnection between
disable_ht40=1 mesh STA and disable_ht40=0 mesh STA. They could
establish a mesh BSS but could not ping with ath9k_htc device. This
commit fixes the issue by refering HT Operation element.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2017-01-29 18:04:21 +02:00
Masashi Honma
9eb5757a86 Define helper function set_disable_ht40()
This functionality can be used outside wpa_set_disable_ht40(), so move
the generic part to a helper function.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2017-01-29 18:04:21 +02:00
Saurav Babu
6b585f420a mesh: Fix crash on removing virtual mesh interface
If a virtual mesh interface has been created and is still operational
when the main interface is removed (e.g., Wi-Fi hardware ejected), the
following crash occurred with the below backtrace:

WPA_TRACE: eloop SIGSEGV - START
[1]: /usr/local/sbin/wpa_supplicant() [0x44ef7e]
     eloop_sigsegv_handler() home/saurav/hostap/wpa_supplicant/../src/utils/eloop.c:123
[2]: /lib/x86_64-linux-gnu/libc.so.6(+0x36d40) [0x7f4c395cfd40]
[3]: /usr/local/sbin/wpa_supplicant(wpa_supplicant_remove_iface+0xd0) [0x57f500]
     wpa_supplicant_remove_iface() home/saurav/hostap/wpa_supplicant/wpa_supplicant.c:5338
[4]: /usr/local/sbin/wpa_supplicant() [0x57fbef]
     wpa_supplicant_deinit_iface() home/saurav/hostap/wpa_supplicant/wpa_supplicant.c:5069
[5]: /usr/local/sbin/wpa_supplicant(wpa_supplicant_remove_iface+0xc5) [0x57f4f5]
     wpa_supplicant_remove_iface() home/saurav/hostap/wpa_supplicant/wpa_supplicant.c:5343
[6]: /usr/local/sbin/wpa_supplicant(wpas_dbus_handler_remove_interface+0x8d) [0x55baad]
     wpas_dbus_handler_remove_interface() home/saurav/hostap/wpa_supplicant/dbus/dbus_new_handlers.c:679
[7]: /usr/local/sbin/wpa_supplicant() [0x5560cb]
     msg_method_handler() home/saurav/hostap/wpa_supplicant/dbus/dbus_new_helpers.c:354
     message_handler() home/saurav/hostap/wpa_supplicant/dbus/dbus_new_helpers.c:410
[8]: /lib/x86_64-linux-gnu/libdbus-1.so.3(+0x1be86) [0x7f4c39979e86]
[9]: /lib/x86_64-linux-gnu/libdbus-1.so.3(dbus_connection_dispatch+0x381) [0x7f4c3996ca21]
[10]: /usr/local/sbin/wpa_supplicant() [0x567148]
     dispatch_data() home/saurav/hostap/wpa_supplicant/dbus/dbus_common.c:36
[11]: /usr/local/sbin/wpa_supplicant() [0x5674a7]
     process_watch() home/saurav/hostap/wpa_supplicant/dbus/dbus_common.c:75
     process_watch_read() home/saurav/hostap/wpa_supplicant/dbus/dbus_common.c:90
[12]: /usr/local/sbin/wpa_supplicant() [0x44f297]
     eloop_sock_table_dispatch() home/saurav/hostap/wpa_supplicant/../src/utils/eloop.c:598
[13]: /usr/local/sbin/wpa_supplicant(eloop_run+0x1fe) [0x44ff1e]
     eloop_run() home/saurav/hostap/wpa_supplicant/../src/utils/eloop.c:1219
[14]: /usr/local/sbin/wpa_supplicant(wpa_supplicant_run+0x77) [0x57fd87]
     wpa_supplicant_run() home/saurav/hostap/wpa_supplicant/wpa_supplicant.c:5608
[15]: /usr/local/sbin/wpa_supplicant(main+0x3a8) [0x43ba88]
     main() home/saurav/hostap/wpa_supplicant/main.c:392
WPA_TRACE: eloop SIGSEGV - END
Aborted (core dumped)

Signed-off-by: Saurav Babu <saurav.babu@samsung.com>
2017-01-29 17:42:02 +02:00
Jouni Malinen
5732b770f4 FILS: Allow FILS HLP requests to be added
The new wpa_supplicant control interface commands FILS_HLP_REQ_FLUSH and
FILS_HLP_REQ_ADD can now be used to request FILS HLP requests to be
added to the (Re)Association Request frame whenever FILS authentication
is used.

FILS_HLP_REQ_ADD parameters use the following format:
<destination MAC address> <hexdump of payload starting from ethertype>

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-29 14:32:17 +02:00
Jouni Malinen
afe731004b Fix CONFIG_SAE build without CONFIG_SME
The control interface code was using wpa_s->sme in an area that was not
within ifdef CONFIG_SME.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-28 11:58:26 +02:00
Jouni Malinen
34e8bfd7a9 Skip EVENT_ACS_CHANNEL_SELECTED also without CONFIG_AP
CONFIG_ACS alone should not refer to wpa_s->ap_iface to avoid potential
compilation issues.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-28 11:57:23 +02:00
vamsi krishna
53b38209f4 GAS: Cancel gas_query_timeout when AP responds with comeback delay
When AP responds with comeback delay for initial GAS query sent by STA,
gas_query_timeout should be cancelled to avoid GAS failures when
comeback delay is more than GAS_QUERY_TIMEOUT_PERIOD. The
gas_query_timeout is getting registered again when tx_status is received
for GAS comeback request.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-23 07:02:30 +02:00
Masashi Honma
4d77d80edd mesh: Add MESH_PMKSA_GET/ADD commands
These commnds are mesh version of PMKSA_GET/ADD commands. So the usage
and security risk is similar to them. Refer to
commit 3459381dd2 ('External persistent
storage for PMKSA cache entries') also.

The MESH_PMKSA_GET command requires peer MAC address or "any" as an
argument and outputs appropriate stored PMKSA cache. And the
MESH_PMKSA_ADD command receives an output of MESH_PMKSA_GET and re-store
the PMKSA cache into wpa_supplicant. By using re-stored PMKSA cache,
wpa_supplicant can skip commit message creation which can use
significant CPU resources.

The output of the MESH_PMKSA_GET command uses the following format:
<BSSID> <PMKID> <PMK> <expiration in seconds>

The example of MESH_PMKSA_ADD command is this.
MESH_PMKSA_ADD 02:00:00:00:03:00 231dc1c9fa2eed0354ea49e8ff2cc2dc cb0f6c9cab358a8146488566ca155421ab4f3ea4a6de2120050c149b797018fe 42930
MESH_PMKSA_ADD 02:00:00:00:04:00 d7e595916611640d3e4e8eac02909c3c eb414a33c74831275f25c2357b3c12e3d8bd2f2aab6cf781d6ade706be71321a 43180

This functionality is disabled by default and can be enabled with
CONFIG_PMKSA_CACHE_EXTERNAL=y build configuration option.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2017-01-14 18:07:46 +02:00
Jouni Malinen
117875db33 D-Bus: Add GroupMgmt entry into the interface Capabilities dict
This can be used to determine whether the driver supports PMF and if so,
with which group management cipher suites. In addition, add the missing
pairwise and group cipher suite values to the documentation while adding
this new entry there as well.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-14 17:41:20 +02:00
Stijn Tintel
3cdb4ac074 D-Bus: Add pmf to global capabilities
This indicates that the wpa_supplicant binary has been compiled with PMF
support.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-01-14 17:29:22 +02:00
Stijn Tintel
adf8f45f8a D-Bus: Implement Pmf property
The Pmf property is documented in doc/dbus.doxygen, but does not exist,
so implement it.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-01-14 17:28:00 +02:00
Jouni Malinen
b98706c14b RSN IBSS: Fix TK clearing on Authentication frame RX
When wpa_supplicant was processing a received Authentication frame (seq
1) from a peer STA for which there was already a TK configured to the
driver, debug log claimed that the PTK gets cleared, but the actual
call to clear the key was actually dropped due to AUTH vs. SUPP set_key
selection. Fix this by explicitly clearing the TK in case it was set
and an Authentication frame (seq 1) is received.

This fixes some cases where EAPOL-Key frames were sent encrypted using
the old key when a peer STA restarted itself and lost the key and had to
re-join the IBSS. Previously, that state required timing out the 4-way
handshake and Deauthentication frame exchange to recover.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-14 13:56:18 +02:00
Johannes Berg
f09095d57b wpa_supplicant: Clarify group_rekey documentation
This is also used in mesh and AP modes.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2017-01-13 15:05:26 +02:00
Jouni Malinen
8f315d0505 Fix country code in wpa_supplicant AP mode Country element
country[2] needs to be set to ' ' instead of left to '\0' for the case
where wpa_supplicant sets up AP mode operations and includes the Country
element. Currently, this would be only for DFS channels. Without this,
the Beacon frames would go out with incorrect third octet in the country
code.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-13 15:05:26 +02:00
Jouni Malinen
e4a3e1d076 tests: Add DRIVER_EVENT SCAN_RES for scan result testing
This control interface command can be used to inject scan results from
test scripts to make it easier to test various scan result processing
operations.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 18:39:24 +02:00
Jouni Malinen
29065686ac D-Bus: Fix BSS Mode getter for invalid DMG BSS
Previous version could have used uninitialized char* when a DMG with
invalid capabilities were added to BSS table from scan results.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 18:39:24 +02:00
Jouni Malinen
2901bc2725 bgscan: Remove unnecessary NULL check
The name argument to bgscan_init() cannot be NULL since the only caller
already checks this before the call.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 14:44:34 +02:00
Jouni Malinen
9d6eaad6b8 bgscan: Remove unnecessary NULL check
bgscan_init() is the only caller for the init() function and the
parameters argument is never NULL.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 12:43:33 +02:00
Jouni Malinen
0f9b4a0f1d bgscan: Deliver beacon loss event to bgscan modules
This adds a call to the notify_beacon_loss() callback functions when
beacon loss is detected. In addition, a new CTRL-EVENT-BEACON-LOSS event
is made available through the wpa_supplicant control interface.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 12:17:58 +02:00
Jouni Malinen
54736d8358 Store FST parameters to configuration file
This was forgotten when the parameters were added.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 00:10:57 +02:00
Jouni Malinen
35c78f7b97 Store osu_dir to configuration file
This was forgotten when the parameter was added.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 00:10:57 +02:00
Jouni Malinen
1f539c78f4 Store autoscan to configuration file
This was forgotten when the parameter was added.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 00:10:57 +02:00
Jouni Malinen
58ed9e31d1 Store filter_rssi to configuration file
This was forgotten when the parameter was added.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 00:10:57 +02:00
Jouni Malinen
1fb1bf99d6 Write sec_device_type to configuration file
This is more consistent with other global configuration parameters.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 00:10:57 +02:00
Jouni Malinen
b4bdeadfaf Make "SET" behavior more consistent for dot11RSNA parameters
These parameters are global configuration parameters for wpa_supplicant
and the special control interface SET command handlers for them were
preventing the configuration update. Make this more consistent by
updating the configuration parameter as well since that is what all the
other SET <global config param> commands do.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 00:10:57 +02:00
Jouni Malinen
e3394c0e2c Make "SET non_pref_chan .." behavior more consistent
non_pref_chan is a global configuration parameter for wpa_supplicant and
the special control interface SET command handler for it was preventing
the configuration update. Make this more consistent by updating the
configuration parameter as well since that is what all the other SET
<global config param> commands do.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 00:10:57 +02:00
Jouni Malinen
f8c201862e Fix cert_in_cb parsing in wpa_supplicant.conf
Commit 483dd6a5e0 ('Include peer
certificate always in EAP events') added this wpa_supplicant global
configuration parameter, but forgot to add the actual parsing of it, so
there was no way of setting the value.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 00:10:57 +02:00
Jouni Malinen
9284418d00 Fix writing of wpa_supplicant sae_groups configuration parameter
This integer array is zero terminated, so need to check the value is
greater than 0 when writing the parameter.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 00:10:57 +02:00
Jouni Malinen
7ba94fc4b0 RRM: Use wpa_hexdump_buf() instead of wpa_hexdump()
Simplify the code a bit by using the appropriate debugging function to
dump a wpabuf contents.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-07 18:47:37 +02:00
Jouni Malinen
33468e5320 RRM: Document Link Measurement Report frame construction steps
Add a comment to note which fields are expected to be updated by the
driver. In addition, reorder subfield writing to match the order in
which the fields are in the frame.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-07 18:17:59 +02:00
Jouni Malinen
40e9a3f326 RRM: Fix beacon report scan channels for VHT 80, 80+80, 160 MHz cases
ieee80211_chan_to_freq() is not really meant for conversion of 20 MHz
primary channel numbers for wider VHT channels, so handle those as
special cases here for now.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-07 12:49:48 +02:00
Jouni Malinen
5cda350896 RRM: Move wpabuf_resize() call into wpas_rrm_report_elem()
wpabuf_resize() can handle the initial allocation of a wpabuf and all
the other callers of wpas_rrm_report_elem() were already using a pointer
to a pointer and a wpabuf_resize() call. Simplify this by resizing the
wpabuf (if needed) within wpas_rrm_report_elem() instead of having to
calculate the needed size in all the callers. Thsi is also fixing one of
the allocation sizes to use the correct size instead of a size of a
struct that has nothing to do with the allocation (but is larger than
the needed five octets, so does not break anything).

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-07 12:13:20 +02:00
Jouni Malinen
f2058f4afa RRM: Remove unnecessary cb check
There is only a single caller for wpas_rrm_send_neighbor_rep_request()
and it unconditionally uses a callback function, so cb cannot be NULL
here and there is no need for additional complexity and extra code size
to check for it explicitly.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-07 12:11:49 +02:00
Beni Lev
e72faadb49 bgscan_simple: Fix short_scan_count comparison
Previously, the check was done after we reached the maximum and another
scan was already triggered.

While at it, remove an irrelevant comment that the previous change in
the logic here missed.

Signed-off-by: Beni Lev <beni.lev@intel.com>
2017-01-05 16:36:14 +02:00
Purushottam Kushwaha
c167662d73 eap_proxy: On SIM error flush PMKSAs only for SIM/AKA/AKA' networks
Previously, SIM state change with SIM_STATE_ERROR cleared all PMKSA
entries (including non-SIM networks). Limit this to networks which use
SIM-based authentication methods to avoid unnecessarily removal of PMKSA
entries.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-04 21:56:43 +02:00
Jouni Malinen
6657bb158b Fix OOM handling in neighbor report response handling
The pending neighbor report state needs to be cleared on error path here
to avoid getting stuck with being unable to perform any additional
neighbor reports during the association.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-03 19:53:03 +02:00
Jouni Malinen
7187e20930 Allow LCI request with no subelements
Allow shorter request since the subelements are optional to include.
Also print the hexdump of the subelements into debug log.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-03 19:53:03 +02:00
Jouni Malinen
d734201435 RRM: Enable beacon report with active/passive scan for all drivers
The requested behavior can be approximated for most use cases even if
the driver does not support reporting exact TSF values for frames.
Enable this capability for all drivers to make beacon report processing
more useful for a common use case.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-03 19:53:03 +02:00
Jouni Malinen
de6ec8b558 Enable Beacon Report using beacon table for all drivers
The special parameters for beacon report scan are not needed for the
beacon report when using the beacon table measurement mode. Advertise
support for this case regardless of whether the driver supports the scan
parameters.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-03 16:02:56 +02:00
Jouni Malinen
6774c6a9fe Update copyright notices for the new year 2017
Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-03 15:18:30 +02:00
Avraham Stern
76196ddb2b wpa_supplicant: Add support for Beacon Report Radio Measurement
Beacon Report Radio Measurement is defined in IEEE Std 802.11-2016,
11.11.9.1. Beacon Report is implemented by triggering a scan on the
requested channels with the requested parameters.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2017-01-03 15:18:30 +02:00
Avraham Stern
b3060bf99f common: Add helper function to convert RSSI to RCPI
This conversion will be done several times in the code, so add a helper
function that does this conversion.

Signed-off-by: Avrahams Stern <avraham.stern@intel.com>
2017-01-03 15:18:29 +02:00
Avraham Stern
1ac4dba31a wpa_supplicant: Extend verify_channel() and make it global
Extend verify_channel() to return whether IR is allowed on the channel
or not, and make it a global function so it can be used in other files,
too. This makes this function useful for checking not only if a channel
is supported but also if it is allowed for active and passive scan.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2017-01-03 15:18:29 +02:00
Avraham Stern
c16b9f8d33 driver: Add scan support to beacon report
Add the following parameters to scan request:
 1. Dwell time on each channel.
 2. Whether the specified dwell time is mandatory.

In addition, add to scan results info the time that the scan actually
started, and to each scan result the time the beacon/probe was received,
both in terms of TSF of the BSS that the interface that requested the
scan is connected to (if available).

Add flags to indicate whether the driver supports dwell time
configuration and scan information reporting.

This scan configuration and information is required to support beacon
report radio measurement.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2017-01-03 15:18:29 +02:00