The WSC 2.0 specification moved to use another design for the new
attributes to avoid backwards compatibility issues with some
deployed implementations.
If CONFIG_WPS_STRICT is set, validate WPS IE(s) in management frames and
reject the frames if any of the mandatory attributes is missing or if an
included attribute uses an invalid value. In addition, verify that all
mandatory attributes are included and have valid values in the WSC
messages.
If all the device information attributes use their maximum lengths,
a single WPS IE is not enough to fit in all the data and as such,
we must be able to fragment the data. In addition, the wpabuf needs
to be allocated larger to fit in maximum data.
Instead of using 0x00 as the extra character, use space (' ') to
avoid failing tests that verify that the variable length string
attributes are not null terminated. In addition, this workaround
can now be disabled by defining CONFIG_WPS_STRICT for the build.
This can be done by adding following line to .config:
CFLAGS += -DCONFIG_WPS_STRICT
However, it should be noted that such a build may not interoperate
with some deployed WPS 1.0 -based implementations and as such, is
mainly designed for testing.
Whenever wpa_supplication is using Request Type Enrollee, it is trying
to enroll into a network. Indicate this with the explicit inclusion of
Request to Enroll attribute with value TRUE.
Advertize list of authorized enrollee MAC addresses in Beacon and
Probe Response frames and use these when selecting the AP. In order
to provide the list, the enrollee MAC address should be specified
whenever adding a new PIN. In addition, add UUID-R into
SetSelectedRegistrar action to make it potentially easier for an AP
to figure out which ER sent the action should there be multiple ERs
using the same IP address.
This adds definitions and parsing of the new attributes that were added
in WPS 2.0. In addition, the version negotiation is updated to use the
new mechanism, i.e., accept everything received and use the new Version2
attribute in transmitted messages.
While this is not strictly speaking required based on dynamic
configuration (i.e., dot11ShortPreambleOptionImplemented is static
value based on implementation, not runtime configuration), it is better
to follow local configuration parameter for short preamble in addition
to the associated station capabilities.
This function is not really needed in case of drivers that build the
HT IEs internally. However, since this can get called if ieee80211n=1
is set in hostapd.conf, we better not segfault even if the driver
does not provide hw info (hapd->iface->current_mode == NULL).
Commit 5a1cc30f1a added code that was
assuming CONFIG_WPS_UPNP is enabled whenever CONFIG_WPS is. Fix this
by making the UPnP calls conditional on CONFIG_WPS_UPNP define.
Prior to commit 6195adda9b the sm->user
dereference did not exist here. While this is in practice non-NULL,
better use more defensive construction here to avoid NULL pointer
dereference should this ever change.
Some NDIS drivers require a workaround to allow them to associate
with a WPS AP that is already using protection (Privacy field = 1).
Let driver_ndis.c know if the AP is already using Privacy and if so,
configure a dummy WEP key to force the driver to associate.
When using overlapped write, we must have the provided memory
areas available during the operation and cannot just use stack
unless we wait for the completion within the function. In the case
of TX here, we can easily wait for the completion since it is likely
to happen immediately. In addition, this provides more reliable
success/failure return value for l2_packet_send(). [Bug 328]
hostapd simply used its own STBC configuration in the STA's HT caps. This
resulted in TX STBC being used for STAs not supporting RX STBC, which in
turn resulted in the STA not receiving anything.
Fix this by handling the STBC flags in the same way mac80211 does. Mask
out RX STBC if we don't support TX STBC and vice versa.
Tested only with the nl80211 driver and a STBC incapable STA.
Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
This patch adds support for wired IEEE 802.1X client on the Solaris.
I have tested with these:
OS : OpenSolaris 2009.06
EAP : EAP-MD5
Switch : Cisco Catalyst 2950
The arithmetic on void pointer exists in trace routine. On GNU C, it
works because void pointer size is 1, but not all compilers behave like
this. So this patch specifies the size of the pointer.
There is no need to process the public key and generate keys if
the AP is going to reject this M2 anyway. This limits effect of
potential CPU DoS attacks in cases where AP PIN is disabled.
A new hostapd_cli command, wps_ap_pin, can now be used to manage
AP PIN at runtime. This can be used to generate a random AP PIN and
to only enable the AP PIN for short period (e.g., based on user
action on the AP device). Use of random AP PIN that is only enabled
for short duration is highly recommended to avoid security issues
with a static AP PIN.
As a compromise between usability and security, do not disable
AP PIN permanently based on failed PIN validations. Instead, go to
AP Setup Locked state for increasing amount of time between each
failure to slow down brute force attacks against the AP PIN.
This avoids problems with some external Registrars that may try
to use the same PIN multiple times without user input. Now, the
user will still be able to fix the PIN and try again later while
a real attack is delayed enough to make it impractical.
This can happen on the AP if the AP PIN is not configured and
the client tries to go through the protocol instead of just using
Registrar mode to receive M1 from the AP. It is cleaner to send
out the WSC_NACK instead of just stopping the protocol.
This indicates that the peer identity is associated with the
credential and will be required to match with the identity used
during authentication when the PAC is used (RFC 5422, 4.2.4).
When passing several authentication algorithms through auth_alg, we
should try all of them when the first one fails. The wext driver goes
through the connect nl80211 command and the retries are then handled by
the kernel. The nl80211 doesn't and we have to handle that from
userspace.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
DEAUTH messages can come from a number of different sources. The one
that's hurting us currently is DEAUTH netlink messages coming to us
from compat-wireless in response to local_state_change DEAUTH messages
we sent as a part of cleaning up state in driver_nl80211's
clear_state_mismatch() function. However, DEAUTH messages can come
from a variety of unwanted sources, including directed denial-of-service
attacks (although MAC verification doesn't place that high a barrier),
so this validation is actually generically useful, I think.
The downside to this method is that without a kernel based approach
"iw dev wlan0 link" no longer works correctly after clear_state_mismatch()
is done. This will be pursued with the kernel folks.
cfg80211/mac80211 seems to be unwilling to change interface mode in
some cases. Make these less likely to cause problems by trying the
changes up to 10 times with 100 msec intervals.
In theory, this should not really be needed, but Windows 7 uses
Registrar mode to probe AP's WPS capabilities before trying to use
Enrollee and fails if the AP does not allow that probing to happen.
This allows the AP to start as an Enrollee and send M1, but refuse
to continue beyond that (M3 will not be sent if AP PIN is not known).
This makes it easier (and a bit faster) to handle multiple local
radios with FT. There is no need to depend on l2_packet in that
case since the frame can be delivered as a direct function call.
If the station does not include WSC IE in Association Request, it
is marked with WLAN_STA_MAYBE_WPS flag. We can update that to
WLAN_STA_WPS if the station uses either of the WPS identity strings.
This enables some workarounds for WPS stations.
This works around issues with EAP-Failure getting lost for some reason.
Instead of waiting up to 60 seconds on a timeout, 30 second timeout is
now used and whenever the provisioning step has been completed (either
successfully or unsuccessfully), this timeout is reduced to 2 seconds.
The pairwise cipher field is supposed to be little endian, but the
message building functions did not swap the bytes on big endian
hosts while the message processing functions did. Fix this by using
little endian byte order in both places.
It looks like 10.6.3 and 10.6.4 do not like to receive Network Key
with WPA passphrase while PSK format still works. Use peer information
from M1 to figure out whether the Enrollee is likely to be OS X and
if so, force PSK format to be used for Network Key.
Some frequent debug prints are of limited use and make debug output
difficult to read. Make them use a new debug level so that -dd
provides more readable output (-ddd can now be used to enable
the excessive debug prints).
The length of the prime was used incorrectly and this resulted
in WPS DH operation failing whenever the public key ended up having
leading zeros (i.e., about every 1/256th time).
The AP configuration may change after provisioning, so it is better
not to use the current security policy to prioritize results. Instead,
use WPS Selected Registrar attribute as the main sorting key and use
signal strength next without considering security policy or rate sets.
The non-WPS provisioning case remains as-is, i.e., this change applies
only when trying to find an AP for WPS provisioning.
Some deployed implementations do not include the mandatory Network
Key attribute when a WPS Credential is for an open network. Allow
this to improve interoperability since the actual key value is not
really needed for open networks.
Replace use of rfkill block event with rtnetlink ifdown. This makes
the design more robust since the rfkill event could have been for
another interface while the rtnetlink events are already filtered
based of ifindex. In addition, the new design handles other than
rfkill-triggered ifdown/ifup events, too. rfkill unblocked event
is still needed to try to set the interface back up. If the unblock
was for another interface, ifup will fail and the driver state is
not changed.
Some of the driver wrappers need to get set_ieee8021x() call before
they can configure keys. Reorder the operations in the reloading
of configuration case to match with that expectation.
Setting IEEE80211_PARAM_AUTHMODE to IEEE80211_AUTH_AUTO ends up enabling
Privacy mode in the driver. We need to clear that to allow hostapd to be
reconfigured into open mode.
wps_er_config can now be used to configure an AP. It is similar to
wps_er_learn, but instead of only learning the current AP settings,
it continues to send M8 with the new settings for the AP.
wps_er_start command now takes an optional parameter that can be used
to configure a filter to only allow UPnP SSDP messages from the
specified IP address. In practice, this limits the WPS ER operations
to a single AP and filters out all other devices in the network.
When starting the protocol run with an Enrollee, clone the AP Settings
and replace the AP MAC Address with the Enrollee MAC Address so that the
correct value is then used in the Credential attribute in M8.
If the associating station indicates that it is intents to use WPS
by including WPS IE in (Re)Association Request frame, include WPS IE
in (Re)Association Response frame.
There may be more than one attribute of same type (e.g., multiple DC
attributes), so the code needs to be able to handle that. Replace the
fixed structure with an array of attributes.
Previous version driver_bsd.c switches the channel in
wpa_driver_bsd_associate(). This patch changes it to use set_freq().
I have tested this patch on FreeBSD 8.0/NetBSD 5.0.2 with hostapd,
wpa_supplicant(AP) and wpa_supplicant(STA).
Add a new wpa_supplicant state: interface disabled. This can be used
to allow wpa_supplicant to be running with the network interface even
when the driver does not actually allow any radio operations (e.g.,
due to rfkill).
Allow driver_nl80211.c and driver_wext.c to start while rfkill is in
blocked state (i.e., when ifconfig up fails) and process rfkill
events to block/unblock WLAN.
Vendor-specific IEs are supposed to be in the end of the frame, so move
WMM into the end of Beacon, Probe Response, and (Re)Association Response
frames. In addition, move HT IEs to be later in (Re)Association
Response to match the correct order.
hostapd_eid_wpa() adds multiple IEs and the end result may not always be
correct. If WPA is enabled, WPA IE (vendor-specific) gets added in the
middle of the frame and not in the end. This would require a larger
change to spliut the IEs from WPA module into separate locations when
constructing Beacon and Probe Response frames. This is not yet addressed.
Commit 83935317a7 added forced
disconnection in case of 4-way handshake failures. However, it should
not have changed the case where the supplicant is requesting fallback
to full EAP authentication if the PMKID in EAPOL-Key message 1/4 is
not know. This case needs to send an EAPOL-Start frame instead of
EAPOL-Key message 2/4.
This works around a problem with APs that try to force PMKSA caching
even when the client does not include PMKID in (re)association request
frame to request it. [Bug 355]
Commit c02d52b405 removed direct calls
to the WPA authenticator, but the change here was incorrect.
EAPOL_SM_USES_WPA was supposed to be set based on sta->wpa_sm being
set, i.e., no need to check for PMKSA entries for that.
While this could potentially change EAPOL Key TX state machine behavior,
no clear problems have been identified so far. Anyway, better fix this
to get the correct flags set for EAPOL authenticator state machine.
When using WPS, we may end up here if the STA manages to re-associate
without the previous STA entry getting removed. Consequently, we need to
make sure that the WPA state machines gets initialized properly at this
point.
62477841a1 tried to address fragmentation
issues, but it did not address the case where the final EAP-TNC
message gets fragmented. Move the state update to the correct place
to address this case, too.
There are no subdirectories in any of these directories or plans
for adding ones. As such, there is no point in running the loop
that does not do anything and can cause problems with some shells.
Both the wildcard VLAN entry and the statically configured VLAN
interfaces should behave in the same way. Initializing the
full dynamic VLAN code before adding the statically configured VLAN
interfaces allows the same processing to be applied to both statically
and dynamically added VLAN interface (i.e., also the statically
configured ones will be added to a bridge).
The WPS IE was overriding the WPA/RSN IE in driver based MLME case
(hostapd_notif_assoc), but the MLME code here was not using WPS IE
correctly, i.e., it allowed the WPA/RSN IE override the operation.
The returned buffer length was hardcoded to be the prime length
which resulted in shorter results being padded in the end. However,
the results from DH code are supposed to be unpadded (and when used
with WPS, the padding is done in WPS code and it is added to the
beginning of the buffer). This fixes WPS key derivation errors
in about 1/256 of runs ("WPS: Incorrect Authenticator") when using
the internal crypto code.
This adds more details into the CTRL-EVENT-DISCONNECTED event to
make it easier to figure out which network was disconnected in some
race conditions and to what could have been the reason for
disconnection. The reason code is currently only available with
the nl80211 driver wrapper.
There is no absolute requirement for separating address allocation
into separate functions, so simplify the driver wrapper interface
to use just if_add and if_remove instead of adding the new
alloc_interface_addr() and release_interface_addr() functions.
if_add() can now indicate if the driver forced a different interface
name or address on the virtual interface.
The server may still reject authentication at this point, so better
use conditional success decision. This allows the potentially
following EAP-Failure message to be processed properly. [Bug 354]
hostapd does not implement UAPSD functionality. However, if U-APSD
functionality is implemented outside hostapd, add support to advertise
the functionality in beacon.
Signed-off-by: yogeshp@marvell.com
Instead of parsing the IEs in the callers, use the already existing
parser in wpa_ft.c to handle MDIE and FTIE from initial MD association
response. In addition, this provides more complete access to association
response IEs to FT code which will be needed to fix FT 4-way handshake
message 2/4.
ANonce, SNonce, R0KH-ID, and R1KH-ID must match with the values
used in the previous FT authentication sequence message per
IEEE Std 802.11r-2008, 11A.8.4.
This sets the FT Capability and Policy field in the MDIE to the values
received from the target AP (if available). This fixes the MDIE contents
during FT Protocol, but the correct value may not yet be used in initial
mobility domain association.
We do not have any keys set at this point so there is no point in
adding the MIC. In addition, IEEE Std 802.11r-2008, 11A.4.2
describes this frame to have MIC IE count of 0 and MIC of 0.
This removes transmission of some unnecessary Deauthentication
frames in cases where we only need to clear the local state. In
addition, this resolves issues for 802.11r FT-over-DS by allowing
authentication state to be set locally even when no actual
Authentication frame is to be transmitted.
IEEE Std 802.11r-2008, 11A.4.2 describes FT initial mobility domain
association in an RSN to include PMKR1Name in the PMKID-List field
in RSN IE in messages 2/4 and 3/4. This makes the RSN IE not be
bitwise identical with the values used in Beacon, Probe Response,
(Re)association Request frames.
The previous versions of wpa_supplicant and hostapd did not add the
PMKR1Name value in EAPOL-Key frame and did not accept it if added
(due to bitwise comparison of RSN IEs). This commit fixes the
implementation to be compliant with the standard by adding the
PMKR1Name value into EAPOL-Key messages during FT 4-Way Handshake and
by verifying that the received value matches with the value derived
locally.
This breaks interoperability with previous wpa_supplicant/hostapd
versions.
Running hostapd and wpa_supplicant on the same interface at the same
time is not expected to work, but it should not cause hostapd to crash.
Ignore station mode association events (no addr field) to avoid this.
IF WPA/RSN parameters were changed or WPA/RSN was disabled, the
WPA/RSN IE in Beacon/Probe Response frames was only update with
set_beacon(). We need to do this with set_generic_elem(), too, to
work with all driver wrappers.
Call ieee802_11_set_beacon() in addition to set_ap_wps_ie() when
processing WPS IE updates. This is needed with drivers that use
set_beacon() instead of set_ap_wps_ie() (i.e., nl80211).
Some ER implementation (e.g., some versions of Intel PROSet) seem to
use incorrect format for WLANEventMAC variable in PutWLANResponse.
Work around this by allowing various MAC address formats to be used
in this variable (debug message will be shown if the colon-deliminated
format specified in WFA WLANConfig 1.0 is not used).
This version of the MAC address parser allows number of different
string formats for the address (e.g., 00:11:22:33:44:55, 0011.2233.4455,
001122334455, 00-11-22-33-44-55). It returns the number of characters
used from the input string in case of success.
It turns out that this is needed for both FT-over-DS and FT-over-air
when using mac80211, so it looks easiest to just unconditionally
re-configure the keys after reassociation when FT is used.
This is needed to allow reassociation processing to skip 4-way handshake
when FT-over-DS is used with an AP that has a previous association state
with the STA.
This seems to be needed at least with mac80211 when a STA is using
FT-over-DS to reassociate back to the AP when the AP still has the
previous association state.
This makes the call simpler for driver wrappers since there is no need
to parse the IEs anymore before indicating association. In addition,
this allows association processing to be extended to use other IEs
in the future.
This avoids conflict with both Label and Display being included at
the same time (which would make it difficult to figure out which
PIN was actually used).
IGTK get_seqnum needs to be skipped in the same way as GTK one when
rekeying group keys. Previously, the old PN value (the one from the
previous key) was indicated and that resulted in MMIE replay detection
at the station.
This can be used to test 802.11w by sending a protected or unprotected
deauth/disassoc frame.
hostapd_cli deauth <dst addr> test=<0/1>
hostapd_cli disassoc <dst addr> test=<0/1>
test=0: unprotected
test=1: protected
Must update sm->pairwise when fetching PMK-R1 SA.
Add a workaround for drivers that cannot set keys before association
(e.g., cfg80211/mac80211): retry PTK configuration after association.
If the PTK configuration prior to association fails, allow reassociation
attempt to continue and configure PTK after association. This is a
workaround for drivers that do not allow PTK to be configured before
association (e.g., current cfg80211/mac80211).
This attribute is supposed to indicate which methods the AP supports as
an Enrollee for adding external Registrars. It was left to 0 when the
AP code did not yet support external Registrars and was forgotten when
the ER support was added.
On NetBSD 5.0.2, wpa_supplicant build results in messages below.
../src/drivers/driver_bsd.c: In function 'wpa_driver_bsd_get_ssid':
../src/drivers/driver_bsd.c:876: warning: passing argument 2 of 'bsd_get_ssid'
from incompatible pointer type
../src/drivers/driver_bsd.c:876: warning: passing argument 3 of 'bsd_get_ssid'
makes integer from pointer without a cast
../src/drivers/driver_bsd.c:876: error: too many arguments to function
'bsd_get_ssid'
../src/drivers/driver_bsd.c: In function 'wpa_driver_bsd_scan':
../src/drivers/driver_bsd.c:1125: warning: passing argument 2 of 'bsd_set_ssid'
from incompatible pointer type
../src/drivers/driver_bsd.c:1125: warning: passing argument 3 of 'bsd_set_ssid'
makes integer from pointer without a cast
../src/drivers/driver_bsd.c:1125: error: too many arguments to function
'bsd_set_ssid'
gmake: *** [../src/drivers/driver_bsd.o] Error 1
This patch solves this issue.
This is a step in adding FT support with nl80211-based drivers.
driver_nl80211.c is now registering to handle the FT Action frames
and is able to transmit FT Request frame. Received FT Action frames
are not yet indicated as driver events.
This is needed to fix PTK derivation to use correct length. Previously,
64-octet PTK may have been derived if the authenticator did not already
have a STA entry. Now, the correct pairwise cipher suite is learned when
then PMK-R1 SA is received.
This was not supposed to have duplicate value with WPA_AUTH_ALG_LEAP.
The previous version was unable to set FT as the authentication
algorithm with nl80211.
With this patch, a client gets kicked out of the last BSS it was
attached to, when it is associating to a different one.
While mac80211 does allow a station to be present on multiple bss
interfaces, this does seem to cause problems both for the stack
and for hostapd.
This patch allows the nl80211 driver to create its own per-bss context
and pass it to the drv_priv pointer of the hostapd bss state.
With this and the following patch, stations can associate to and switch
between multiple BSS interfaces of a single wiphy.
This obsoletes a few instances of passing ifname to a callback, those
can be removed in a separate patch.
It might also be useful to move more fields from the driver data to the
per-bss data structure in the future.
This patch allows wpa_supplicant to compile on Debian's kfreebsd
architectures.
Patch by Stefan Lippers-Hollmann based on work done by Petr Salinger
and Emmanuel Bouthenot for 0.6.X (http://bugs.debian.org/480572).
filter_ssids=1 global configuration parameter can now be used to
enable scan result filtering (with -Dnl80211 only for now) based on
the configured SSIDs. In other words, only the scan results that have
an SSID matching with one of the configured networks are included in the
BSS table. This can be used to reduce memory needs in environments that
have huge number of APs.
wpa_supplicant can now be notified of suspend/resume events, e.g.,
from pm-action scripts. This allows wpa_supplicant to clear information
that may become invalid during a suspend operation.
The kernel side support for this was just added into
wireless-testing.git. This commit adds the driver wrapper code needed
to allow wpa_supplicant to use the new functionality.
Some drivers may need to use a specific ifname for the virtual
interface, so allow them to do this with a new parameter passed
to the alloc_interface_addr() handler.
TNC IF-T is somewhat unclear on this are, but
draft-hanna-nea-pt-eap-00.txt, which is supposed to define the same
protocol, is clearer on the Flags field being included.
This change breaks interoperability with the old implementation if
EAP-TNC fragmentation is used. The old version would not accept
the acknowledgement message with the added Flags octet while the
new version accepts messagss with with both options.
If the last message from the EAP-TNC server was fragmented, the
fragment processing lost the DONE/FAIL state and did not know how
to handle the final ACK from the peer. Fix this by remembering the
earlier DONE/FAIL state when fragmenting a frame.
TNC IF-T specification is unclear on the exact contents of the fragment
acknowledgement frame. An interoperability issue with the tncs@fhh
implementation was reported by Arne Welzel
<arne.welzel@stud.fh-hannover.de> due to the different interpretations
of the specification. Relax EAP-TNC server/peer validation rules to
accept fragmentation acknowledgement frames to include the Flags field
to avoid this issue.
This patch aggregates ioctls.
First is SIOCS80211. The SIOCS80211's arguments has 3 couples.
1-1. i_len, i_data
1-2. i_val
1-3. i_len, i_data, i_val (currently only IEEE80211_IOC_APPIE)
There were 3 routines for each cases. This patch aggregates these to
one.
Second is SIOCG80211. The SIOCG80211 returns 2 type of value.
2-1. i_len
2-2. i_val
There were 2 routines for each cases. This patch aggregates these to
one.
I have tested on both FreeBSD 8.0 and NetBSD 5.0.1 with these cases.
[hostapd]
RSN-PSK(CCMP)/WPA-PSK(TKIP)
[wpa_supplicant(STA)]
RSN-PSK(CCMP)/WPA-PSK(TKIP)
[wpa_supplicant(AP)]
RSN-PSK(CCMP)/WPA-PSK(TKIP)
This patch enables FreeBSD channel control.
I have tested on FreeBSD 7.2 with these cases.
[hostapd]
RSN-PSK(CCMP)/WPA-PSK(TKIP)
[wpa_supplicant(STA)]
RSN-PSK(CCMP)/WPA-PSK(TKIP)
[wpa_supplicant(AP)]
RSN-PSK(CCMP)/WPA-PSK(TKIP)
The attached patch unifies hostapd wpa_driver_bsd_ops and
wpa_supplicant wpa_driver_bsd_ops.
I have tested on NetBSD 5.0.1 with these cases.
[hostapd]
RSN-PSK(CCMP)/WPA-PSK(TKIP)
[wpa_supplicant(STA)]
RSN-PSK(CCMP)/WPA-PSK(TKIP)
[wpa_supplicant(AP)]
RSN-PSK(CCMP)/WPA-PSK(TKIP)
