Commit graph

4304 commits

Author SHA1 Message Date
Jouni Malinen
40aaa64f9f WPA auth: Clear temporary MSK storage from stack explicitly
This reduces the duration of time a key may remain unnecessarily in
memory.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-29 22:24:27 +02:00
Jouni Malinen
01b481aff3 Convert couple of remaining printf to wpa_printf in ap_list
This type of error reporting cases should use wpa_printf() to get
consistent debug logging behavior.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-29 21:12:51 +02:00
Jouni Malinen
bfaefd5174 EAP-PEAP server: Fix Phase 2 TLV length in error case
The payload length in a Phase 2 TLV message reporting error was not set
correctly. Fix this to not include the TLVs that are included only in
success case.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-28 16:15:58 +02:00
Jouni Malinen
467775c5ac tests: Pending EAP peer processing with VENDOR-TEST
This extends the VENDOR-TEST EAP method peer implementation to allow
pending processing case to be selected at run time. The
ap_wpa2_eap_vendor_test test case is similarly extended to include this
option as the second case for full coverage.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-28 13:09:31 +02:00
Jouni Malinen
ba4226130e Simplify eapol_sm_notify_pmkid_attempt()
Drop the unneeded 'attempt' argument. This was originally used for
indicating an aborted PMKID caching attempt, but a fix in 2006 removed
the only such user and since that time, only attempt == 1 has been used.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-28 13:09:31 +02:00
Jouni Malinen
993a865407 Add eap_session_id to wpa_supplicant STATUS output
This makes the current EAP Session-Id available for external programs.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-28 13:09:31 +02:00
Jouni Malinen
f19c907822 OpenSSL: Implement aes_wrap() and aes_unwrap()
This replaces the implementation in aes-wrap.c and aes-unwrap.c with
OpenSSL AES_wrap_key() and AES_unwrap_key() functions when building
hostapd or wpa_supplicant with OpenSSL.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-28 13:09:31 +02:00
Jouni Malinen
fee31f76cd OpenSSL: Remove support for versions older than 0.9.8
These have reached out-of-life status in the OpenSSL project and there
is no need to maintain support for them in hostapd/wpa_supplicant
either.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-28 13:09:31 +02:00
Jouni Malinen
8bf3030af6 OpenSSL: Use a common helper function for HMAC
There is no need to duplicate this construction for each hash algorithm.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-28 13:09:31 +02:00
Jouni Malinen
983c6a606b OpenSSL: Replace internal HMAC-MD5 implementation
Use OpenSSL HMAC_* functions to implement HMAC-MD5 instead of depending
on the src/crypto/md5.c implementation.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-28 13:09:31 +02:00
Jouni Malinen
fa38860c5e nl80211: Fix build with libnl 1.1
Commit 630b3230c8 ('nl80211: Increase
netlink receive buffer size') added unconditional use of
nl_socket_set_buffer_size() which was not included in libnl 1.1. Fix use
of that old version by making this conditional on CONFIG_LIBNL20.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-27 01:50:02 +02:00
Jouni Malinen
399e61353a Add Suite B AKMs to key_mgmt capability list
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-27 01:43:55 +02:00
Jouni Malinen
5e3b5197cc Add Suite B 192-bit AKM
WPA-EAP-SUITE-B-192 can now be used to select 192-bit level Suite B into
use as the key management method.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-27 01:43:52 +02:00
Jouni Malinen
97ae35a848 Add HMAC-SHA384
For now, this is only implemented with OpenSSL.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-27 01:26:51 +02:00
Jouni Malinen
98cd3d1c3b Preparations for variable length KCK and KEK
This modifies struct wpa_ptk to allow the length of KCK and KEK to be
stored. This is needed to allow longer keys to be used, e.g., with
Suite B 192-bit level.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-27 01:26:49 +02:00
Jouni Malinen
30bff1d0f4 Extend AES-CMAC routines to support 256-bit keys
omac1_aes_256() and omac1_aes_vector() can now be used to perform
256-bit CMAC operations similarly to the previously supported 128-bit
cases.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-24 19:37:42 +02:00
Jouni Malinen
86f9b1c706 nl80211: Fix default group key management index configuration
The correct nl80211 flag for group key management cipher was set only
for BIP (AES-CMAC-128). The same flag needs to be used with the newer
ciphers BIP-CMAC-256, BIP-GMAC-128, and BIP-GMAC-256.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-24 19:37:42 +02:00
Ben Greear
400de9b1fe hostapd: Debug messages for dodgy RADIUS servers
These were helpful when tracking down why hostapd did not work
properly with a RADIUS server.

Signed-hostap: Ben Greear <greearb@candelatech.com>
2015-01-23 01:48:27 +02:00
Ola Olsson
bff162ac76 P2P: Fix NULL pointer dereference with SD query cancellation
A NULL pointer crash was caused by commit
7139cf4a4f ('P2P: Decrement
sd_pending_bcast_queries when sd returns'). p2p->sd_query can be cleared
to NULL whenever a query is cancelled, even in case the request had
already been transmitted. As such, need to be prepared for the query not
remaining when processing TX status callback for the frame.

Crashes on 2ee98 in following code
2ee90:       f7fc f8b6       bl      2b000 <p2p_dbg>
2ee94:       e02c            b.n     2eef0 <p2p_send_action_cb+0x348>
2ee96:       6c25            ldr     r5, [r4, #64]   ; 0x40
2ee98:       68ee            ldr     r6, [r5, #12]
2ee9a:       b166            cbz     r6, 2eeb6 <p2p_send_action_cb+0x30e>

Signed-off-by: Ola Olsson <ola.olsson@sonymobile.com>
2015-01-22 15:49:37 +02:00
Jouni Malinen
630b3230c8 nl80211: Increase netlink receive buffer size
libnl uses a pretty small buffer (32 kB that gets converted to 64 kB) by
default. It is possible to hit that limit in some cases where operations
are blocked, e.g., with a burst of Deauthentication frames to hostapd
and STA entry deletion. Try to increase the buffer to make this less
likely to occur.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-22 13:51:15 +02:00
ASHUTOSH NARAYAN
fb09ed3389 Interworking: Notify the ANQP parsing status
The ANQP verification/parsing is done only after the GAS_DONE indication
is sent over the control interface. This means that in case the ANQP
parsing fails there is no indication to the upper layers. Add an
ANQP-QUERY-DONE event that reports the status of the ANQP parsing.

Signed-off-by: ASHUTOSH NARAYAN <ashutoshx.narayan@intel.com>
2015-01-20 02:26:21 +02:00
Haim Dreyfuss
b62b0cb78a WNM: Fix possible memory leak by free buf
Buf is allocated and may not be freed on an error path.

Signed-off-by: Haim Dreyfuss <haim.dreyfuss@intel.com>
2015-01-20 02:14:19 +02:00
Ben
9bd0273931 EAP: Fix possible memory leak in eap_ttls_process_decrypted()
In case eap_peer_tls_encrypt() fails in eap_ttls_process_decrypted(),
free resp memory.

Signed-off-by: Ben Rosenfeld <ben.rosenfeld@intel.com>
2015-01-20 02:13:15 +02:00
Haim Dreyfuss
b760e64276 eap_server: Avoid NULL pointer dereference in eap_fast_encrypt_phase2()
If TLS encryption fails, encr may be NULL and that would have resulted
in NULL pointer dereference..

Signed-off-by: Haim Dreyfuss <haim.dreyfuss@intel.com>
2015-01-20 02:11:59 +02:00
Avraham Stern
948d3a8731 hostapd: Remove unused variable from hostapd_get_hw_features
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2015-01-20 02:10:33 +02:00
Eytan Lifshitz
414f23d8b9 Avoid NULL string in printf on EAP method names in authenticator
In ieee802_1x_decapsulate_radius(), eap_server_get_name() may return
NULL, and it could be dereferenced depending on printf implementation.
Change it to return "unknown" instead for the case of no matching EAP
method found. This makes it easier for the callers to simply print this
in logs (which is the only use for this function).

Signed-off-by: Eytan Lifshitz <eytan.lifshitz@intel.com>
2015-01-20 02:07:22 +02:00
Luciano Coelho
7b7b4449a9 nl80211: Fix reading of the extended capabilities mask
We were copying the NL80211_ATTR_EXT_CAPA attribute into the
extended_capa_mask element, which is incorrect. Use
NL80211_ATTR_EXT_CAPA_MASK instead.

Signed-off-by: Luciano Coelho <luciano.coelho@intel.com>
2015-01-20 01:57:59 +02:00
Jouni Malinen
6b46bfa751 WPS: Re-fix an interoperability issue with mixed mode and AP Settings
Commit ce7b56afab ('WPS: Fix an
interoperability issue with mixed mode and AP Settings') added code to
filter M7 Authentication/Encryption Type attributes into a single bit
value in mixed mode (WPA+WPA2) cases to work around issues with Windows
7. This workaround was lost in commit
d7a15d5953 ('WPS: Indicate current AP
settings in M7 in unconfigurated state') that fixed unconfigured state
values in AP Settings, but did not take into account the earlier
workaround for mixed mode.

Re-introduce filtering of Authentication/Encryption Type attributes for
M7 based on the current AP configuration. In other words, merge those
two earlier commits together to include both the earlier workaround the
newer fix.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-19 18:35:59 +02:00
Adrien Decostre
1648cc6427 ACS: Allow subset of channels to be configured
Add the possibility to define a subset of channels used by the ACS
engine when not operating on DFS channels.

Signed-off-by: Adrien Decostre <ad.decostre@gmail.com>
2015-01-19 02:35:43 +02:00
Janusz Dziedzic
95ff306988 nl80211: Allow HT/VHT to be disabled for IBSS
Allow HT/VHT overrides to be used for IBSS.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2015-01-19 02:35:43 +02:00
Masashi Honma
7451a217be mesh: Return negative value on join failed
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2015-01-19 02:35:43 +02:00
Masashi Honma
5a2a6de6a5 mesh: Make inactivity timer configurable
Current mesh code uses ap_max_inactivity as inactivity timer. This patch
makes it configurable.

There is another mesh inactivity timer in mac80211. The timer works even
if user_mpm=1. So this patch sets the max value to the timer for
workaround.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2015-01-19 02:35:43 +02:00
Masashi Honma
b9749bac81 AP: Expire STA without entry in kernel
If the inactivity check returns that there is no entry remaining for the
STA in the kernel, drop the STA in hostapd as well.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2015-01-19 02:35:43 +02:00
Masashi Honma
a114c7235a AP: Remove redundant condition for STA expiration
This condition is always true because of surrounding if.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2015-01-19 02:35:43 +02:00
Jouni Malinen
0d787f0242 Fix RADIUS client with out-of-memory and missing shared secret
It was possible for an out-of-memory code path to trigger NULL pointer
dereference when preparing a RADIUS accounting report.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-19 02:35:43 +02:00
Jouni Malinen
cbc210de09 RADIUS DAS: Allow PMKSA cache entry to be removed without association
This extends Disconnect-Request processing to check against PMKSA cache
entries if no active session (STA association) match the request.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-16 15:55:39 +02:00
Jouni Malinen
4e871ed1c3 RADIUS DAS: Support Acct-Multi-Session-Id as a session identifier
This extends Disconnect-Request support for an additiona session
identification attribute.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-16 13:09:44 +02:00
Jouni Malinen
b52c0d453f Add authMultiSessionId into hostapd STA info
dot1xAuthSessionId was previously used to make Acct-Session-Id available
through the control interface. While there is no IEEE 802.1X MIB
variable for Acct-Multi-Session-Id, it is useful to make this value
available as well.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-16 13:07:14 +02:00
Jouni Malinen
861beb7269 RADIUS DAS: Check for single session match for Disconnect-Request
Previously, the first matching STA was picked. That is not really the
design in RFC 5176, so extend this matching code to go through all
specified session identification attributes and verify that all of them
match. In addition, check for a possible case of multiple sessions
matching. If such a case is detected, return with Disconnect-NAK and
Error-Code 508 (multiple session selection not supported).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-16 12:50:16 +02:00
Jouni Malinen
1fef85c7c5 nl80211: Fix AP-scan-in-STA-mode error path behavior
If a second scan trigger attempt fails in STA mode, the error path was
supposed to restore the old mode that was in use before changing to STA
mode. However, wpa_driver_nl80211_set_mode() changes drv->nlmode on
success, so the recovery path needs to use the saved old_mode value
instead.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-15 00:59:14 +02:00
Jouni Malinen
cebee30f31 Add domain_match network profile parameter
This is similar with domain_suffix_match, but required a full match of
the domain name rather than allowing suffix match (subdomains) or
wildcard certificates.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-14 15:45:18 +02:00
Jouni Malinen
d07d3fbda2 Add peer certificate alt subject name information to EAP events
A new "CTRL-EVENT-EAP-PEER-ALT depth=<i> <alt name>" event is now used
to provide information about server certificate chain alternative
subject names for upper layers, e.g., to make it easier to configure
constraints on the server certificate. For example:
CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:server.example.com

Currently, this includes DNS, EMAIL, and URI components from the
certificates. Similar information is priovided to D-Bus Certification
signal in the new altsubject argument which is a string array of these
items.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-14 15:45:18 +02:00
Jouni Malinen
dd5f902584 Get rid of a compiler warning
Commit e7d0e97bdb ('hostapd: Add vendor
specific VHT extension for the 2.4 GHz band') resulted in a compiler
warning regarding comparison between signed and unsigned integers at
least for 32-bit builds.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-14 01:38:26 +02:00
Jouni Malinen
d29fa3a767 Extend VENDOR_ELEM parameters to cover non-P2P Association Request
The new VENDOR_ELEM value 13 can now be used to add a vendor element
into all (Re)Association Request frames, not just for P2P use cases like
the previous item was for.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-14 01:12:56 +02:00
Yanbo Li
e7d0e97bdb hostapd: Add vendor specific VHT extension for the 2.4 GHz band
This allows vendor specific information element to be used to advertise
support for VHT on 2.4 GHz band. In practice, this is used to enable use
of 256 QAM rates (VHT-MCS 8 and 9) on 2.4 GHz band.

This functionality is disabled by default, but can be enabled with
vendor_vht=1 parameter in hostapd.conf if the driver advertises support
for VHT on either 2.4 or 5 GHz bands.

Signed-off-by: Yanbo Li <yanbol@qti.qualcomm.com>
2015-01-14 00:59:22 +02:00
Jouni Malinen
3e7f1c7980 GnuTLS: Add TLS event callbacks for chain success/failure and peer cert
This makes GnuTLS events match the ones provided when OpenSSL is used.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
0eb2ed067f GnuTLS: Add support for OCSP stapling as a client
This allows ocsp=2 to be used with wpa_supplicant when built with GnuTLS
to request TLS status extension (OCSP stapling) to be used to validate
server certificate validity.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
0e1bb94b91 GnuTLS: Verify that server certificate EKU is valid for a server
The server certificate will be rejected if it includes any EKU and none
of the listed EKUs is either TLS Web Server Authentication or ANY.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
d4d1f5cb33 GnuTLS: Fix tls_disable_time_checks=1 processing
Certificate expiration is checked both within GnuTLS and in the
tls_gnutls.c implementation. The former was configured to use the
request to ignore time checks while the latter was not. Complete support
for this parameter by ignoring the internal expiration checks if
requested.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
594d1fc084 GnuTLS: Add support for private_key and client_cert as blobs
This allows private key and client certificate to be configured using
wpa_supplicant blobs instead of external files.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
79b1dd9aad GnuTLS: Fix DER encoding certificate parsing
It looks like GnuTLS may return success on
gnutls_certificate_set_x509_*() functions with GNUTLS_X509_FMT_PEM even
when trying to read DER encoded information. Reverse the order of
parsing attempts so that we start with DER and then move to PEM if
GnuTLS reports failure on DER parsing. This seems to be more reliable
way of getting errors reported and both cases can now be handled.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
1068bdb90c tests: Fix crypto module test build without EAP-FAST
Skip the EAP-FAST specific test cases if wpa_supplicant build is
configured not to include EAP-FAST support.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
a16514516b Add "GET tls_library" to provide information on TLS library and version
This new wpa_supplicant and hostapd control interface command can be
used to determine which TLS library is used in the build and what is the
version of that library.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
c3bb84b415 GnuTLS: Add event callbacks
This allows wpa_supplicant to provide more information about peer
certificate validation results to upper layers similarly to the
mechanism used with OpenSSL.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
8ddcd6b9d4 GnuTLS: Add support for domain_suffix_match
This implementation uses GnuTLS function
gnutls_x509_crt_check_hostname(). It has a bit different rules regarding
matching (allows wildcards in some cases, but does not use suffix
matching) compared to the internal implementation used with OpenSSL.
However, these rules are sufficiently close to each other to be of
reasonable use for most cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
4bc13bf709 GnuTLS: Check for any unknown verification failure
After having checked all known GNUTLS_CERT_* error cases that we care
about, check that no other errors have been indicated by
gnutls_certificate_verify_peers2() as a reason to reject negotiation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
e0d431a515 GnuTLS: Add more debug prints for version and session status
Make the debug output more useful for determining whuch version of
GnuTLS was used and what was negotiated for the session.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
65ec7f4c12 GnuTLS: Move peer certificate validation into callback function
GnuTLS 2.10.0 added gnutls_certificate_set_verify_function() that can be
used to move peer certificate validation to an earlier point in the
handshake. Use that to get similar validation behavior to what was done
with OpenSSL, i.e., reject the handshake immediately after receiving the
peer certificate rather than at the completion of handshake.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:20 +02:00
Jouni Malinen
7c8245798f GnuTLS: Remove support for versions older than 2.12.x
GnuTLS project has marked 2.12.x obsolete since January 2014. There is
not much need for maintaining support for obsolete versions of the
library, so drop all #if/#endif blocks targeting 2.x.y versions. In
practice, none of these were requiring 2.12.x version with x greater
than 0, so 2.12.x remains supported for now.

In addition, add newer version (GnuTLS 3.0.18 and newer) to fetch client
and server random from the session since the old method is not supported
by new GnuTLS versions and as such, gets removed with rest of the old
ifdef blocks.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:18:57 +02:00
Jouni Malinen
e1d63f6aea GnuTLS: Remove old version number checks for 1.3.2
No one should be using GnuTLS versions older than 1.3.2 from 2006
anymore, so remove these unnecessary #if/#endif checks.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-11 11:13:20 +02:00
Jouni Malinen
ae0a23a0ca GnuTLS: Remove GNUTLS_INTERNAL_STRUCTURE_HACK
This was needed with very old GnuTLS versions, but has not been needed,
or used, since GnuTLS 1.3.2 which was released in 2006. As such, there
is no need to maintain this code anymore and it is better to just clean
the source code by removing all the related code.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-11 11:11:03 +02:00
Jouni Malinen
db4cf40b92 GnuTLS: Add support for ca_cert as a blob
This allows GnuTLS to be used with trusted CA certificate from
wpa_supplicant blob rather than an external certificate file.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-11 01:49:09 +02:00
Jouni Malinen
224104ddf6 TLS: Reject openssl_ciphers parameter in non-OpenSSL cases
This TLS configuration parameter is explicitly for OpenSSL. Instead of
ignoring it silently, reject any configuration trying to use it in
builds that use other options for TLS implementation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-11 01:35:54 +02:00
Jouni Malinen
6dbbef9603 Define host_to_le32() for Windows builds
This define had been forgotten at some point in time and wpa_supplicant
compilation for Windows failed with some recently added code that
depended on this.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-11 00:58:10 +02:00
Jouni Malinen
7d28e46a6c Fix os_win32 build
Addition of os_memcmp_const() in commit
afc3c8b07f had forgotten to include
common.h into os_win32.c to get u8 defined.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-11 00:58:10 +02:00
Jouni Malinen
0b402479bf Remove Network Security Service (NSS) support
NSS as a TLS/crypto library alternative was never completed and this
barely functional code does not even build with the current NSS version.
Taken into account that there has not been much interest in working on
this crypto wrapper over the years, it is better to just remove this
code rather than try to get it into somewhat more functional state.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-11 00:58:10 +02:00
Jouni Malinen
d16694761a schannel: Reject subject_match, altsubject_match, suffix_match
Validation of these parameters has not been implemented with schannel.
Instead of ignoring them silently, reject the configuration to avoid
giving incorrect impression of the parameters being used if
wpa_supplicant is built with schannel instead of the default OpenSSL.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-11 00:58:10 +02:00
Jouni Malinen
59051f8ecf TLS: Reject subject_match, altsubject_match, suffix_match
Validation of these parameters has not been implemented in the internal
TLS implementation. Instead of ignoring them silently, reject the
configuration to avoid giving incorrect impression of the parameters
being used if wpa_supplicant is built with the internal TLS
implementation instead of the default OpenSSL.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-11 00:37:21 +02:00
Jouni Malinen
f8717ac8b3 GnuTLS: Reject subject_match, altsubject_match, suffix_match
Validation of these parameters has not been implemented with GnuTLS.
Instead of ignoring them silently, reject the configuration to avoid
giving incorrect impression of the parameters being used if
wpa_supplicant is built with GnuTLS instead of the default OpenSSL.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-11 00:33:48 +02:00
Jouni Malinen
e24aef10cf Fix a typo in domain_suffix_match documentation
Spell SubjectName correctly.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-11 00:27:01 +02:00
Jouni Malinen
394b54732e Improve subject_match and domain_suffix_match documentation
These were already covered in both README-HS20 for credentials and in
header files for developers' documentation, but the copy in
wpa_supplicant.conf did not include all the details. In addition, add a
clearer note pointing at subject_match not being suitable for suffix
matching domain names; domain_suffix_match must be used for that.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-11 00:27:01 +02:00
Jouni Malinen
8a42a076aa trace: Fix out-of-memory testing logic
data.function needs to be set for the return value to be of any use and
strcmp won't work with NULL pointer either. (CID 99907)

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-10 17:35:53 +02:00
Stefan Tomanek
79cd993a62 Add address masks to BSSID lists
In many applications it is useful not just to enumerate a group of well
known access points, but to use a address/mask notation to match an
entire set of addresses (ca:ff:ee:00:00:00/ff:ff:ff:00:00:00).

This change expands the data structures used by MAC lists to include a
mask indicating the significant (non-masked) portions of an address and
extends the list parser to recognize mask suffixes.

Signed-off-by: Stefan Tomanek <stefan.tomanek@wertarbyte.de>
2015-01-10 17:35:53 +02:00
Jouni Malinen
21c74e8462 nl80211: Use a helper function to put mesh_id
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-10 17:35:53 +02:00
Jouni Malinen
85e1fad8a5 nl80211: Use a helper function for putting beacon interval
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-10 17:35:53 +02:00
Jouni Malinen
6dfc55723d Remove mesh_ht_mode network block parameter
There should not be a mesh-specific mechanism for setting up channel
parameters since that will just result in duplicated code. IBSS, mesh,
and AP mode can use the same data structures and parameters for setting
up such parameters.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-10 17:35:53 +02:00
Jouni Malinen
f7e889fa2d mesh: Convert channel configuration to use common routines
Use struct hostapd_freq_params just like other modes do instead of
mesh-specific freq and ht_mode.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-10 17:35:53 +02:00
Jouni Malinen
1fc4ab2367 nl80211: Move debug prints into nl80211_put_freq_params()
This way all callers can get the benefit of the same debug prints.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-10 17:35:53 +02:00
Jouni Malinen
cae87abd13 nl80211: Add a helper function for putting basic rates
There is no need for maintaining two more or less identical copies of
this functionality.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-10 17:35:53 +02:00
Janusz Dziedzic
a828f626af Make check_40mhz_2g4 common
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2015-01-10 17:35:53 +02:00
Janusz Dziedzic
fdd989d17a Make check_20mhz_bss common
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2015-01-10 17:35:53 +02:00
Janusz Dziedzic
0e550fe496 Make check_40mhz_5g common
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2015-01-10 17:35:53 +02:00
Janusz Dziedzic
6d5d098f77 Make get_pri_sec_chan() common
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2015-01-10 17:35:53 +02:00
Janusz Dziedzic
514427437a Introduce common allowed_ht40_channel_pair()
This can be used from hostapd/wpa_supplicant.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2015-01-10 17:35:53 +02:00
Janusz Dziedzic
5f10b7f498 Use common hw_get_freq/hw_get_chan helpers in hostapd
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2015-01-10 17:35:53 +02:00
Janusz Dziedzic
269dfe232b Introduce common hw features
Introduce wpa_supplicant/hostapd hw features.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2015-01-10 17:35:53 +02:00
Janusz Dziedzic
1830817ece IBSS: Add WPA_DRIVER_FLAGS_HT_IBSS
Add WPA_DRIVER_FLAGS_HT_IBSS driver feature flag. Some drivers could not
set this feature and next could fail when we will enable HT support for
IBSS with error message: nl80211: Join IBSS failed: ret=-22 (Invalid
argument).

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2015-01-10 17:35:53 +02:00
Bob Copeland
f3b8ad4d78 SAE: Implement retransmission timer
Add the t0 retransmission timer as specified by IEEE Std 802.11-2012,
11.3.8.4. This makes SAE much more likely to succeed in the case of lost
frames.

Signed-off-by: Bob Copeland <me@bobcopeland.com>
2015-01-10 17:35:52 +02:00
Bob Copeland
a206e2a175 SAE: Centralize function for sending initial COMMIT
When performing SAE authentication in mesh, one station may
initiate authentication by sending a COMMIT as soon as a peer
candidate is discovered. Previously we did this in mesh_rsn.c,
but this left some of the state initialization in a different
part of the code from the rest of the state machine, and we may
need to add other initializations here in the future, so move
that to a more central function.

Signed-off-by: Bob Copeland <me@bobcopeland.com>
2015-01-10 11:43:29 +02:00
Imre Vadasz
28c91ee124 bsd: Fix parsing of ieee80211req_scan_result on FreeBSD and DragonFly
On FreeBSD and DragonFly BSD, we additionally need to skip the
isr_meshid_len bytes of the MESH ID, to get the correct address for
copying the IE data.

The isr_meshid_len field was added in the FreeBSD svn revision r195618
in 2009, so I don't think we need to check the FreeBSD version here.

Signed-off-by: Imre Vadász <imre@vdsz.com>
2015-01-10 11:43:29 +02:00
Jouni Malinen
27d9701dea Fix a memory leak on WPA authenticator error path
wpa_auth->group needs to be freed if PMK cache setup fails.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-08 02:34:08 +02:00
Jouni Malinen
c1c07dcb70 Fix hostapd interface addition error path
The local conf pointer needs to be cleared once it gets assigned to
hapd_iface to avoid double-free of the configuration data on error path.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-08 02:34:08 +02:00
Jouni Malinen
a156ffda61 Add support for testing memory allocation failures
The new control interface command TEST_ALLOC_FAIL and GET_ALLOC_FAIL can
now be used to trigger memory allocation failures for testing purposes.
TEST_ALLOC_FAIL sets a failure conditions with
<count>:func[;func][;func]... string and GET_ALLOC_FAIL returns the
current state using the same format. Whenever an allocation is made with
a matching backtrace of calling functions, the count is decremented by
one and once zero is reached, the allocation is forced to fail.

Function names can be prefixed with either '=' or '?' to get different
matching behavior. '=' requires this specific function to be the next
one in the backtrace (i.e., do not skip any other functions in the list
which is the default behavior). '?' allows the function to be optionally
present in the backtrace.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-07 13:19:43 +02:00
Jouni Malinen
52a80583ba TDLS: Fix an interface addition error path
It is possible for wpa_tdls_teardown_peers() to be called with sm ==
NULL in case interface addition fails before the WPA state machine is
initialized.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-07 13:19:00 +02:00
Jouni Malinen
3d2e2d5d63 trace: Fix compiler warning on 32-bit builds with bfd support
With CONFIG_WPA_TRACE_BFD, the type cast from void* to integer was
generating a compiler warning due to the target integer being larger in
size in case of 32-bit builds. Type case to bfd_hostptr_t instead of
directly to bfd_vma to avoid this.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-06 18:30:20 +02:00
Jouni Malinen
b9f6560f38 eloop: Fix WPA_TRACE tracking in case of realloc failure
The socket reference tracking entries need to be restored in case
os_realloc_array() fails when adding a new eloop socket.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-06 18:30:20 +02:00
Jouni Malinen
e10422c025 Fix memory leak on hostapd BSS addition error path
The per-BSS configuration information needs to be freed if hostapd fails
to add a new interface for a BSS added with "ADD bss_config=..."
command.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-06 18:30:20 +02:00
Jouni Malinen
2801659268 Fix hostapd initialization error path on allocation failure
If hostapd_alloc_bss_data() failed to allocate the struct hostapd_data
instance, dynamic interface addition path ended up trying to dereference
freed memory due to incorrect cleanup steps. Fix this by decrementing
the interface count when the newly added interface is removed. In
addition, make the setup more robust by clearing all changes within
hostapd_data_alloc() if any of the allocations fails.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-06 18:30:20 +02:00
Jouni Malinen
d58ade2121 nl80211: Fix compilation with libnl 1.1 and 2.0
Unfortunately, libnl 3.0 has changed the API in a way that is not
backwards compatible by renaming nlmsg_len() to nlmsg_datalen() without
leaving the older nlmsg_len() defined. As such, there does not seem to
be any clean way of using this function without breaking the build with
some libnl versions. For now, replace this call with direct calculation
of the data length since it can be done with a simple one-liner that
compiles with all libnl versions.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-06 18:30:20 +02:00
Jouni Malinen
51f3427019 crypto: Clear temporary stack buffers after use
This reduces possibility of exposure of private keys should something
get access to stack memory.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-06 02:49:13 +02:00