Commit graph

4605 commits

Author SHA1 Message Date
Jouni Malinen
cc4cdefc7f UBSan: Avoid unnecessary warning
elems->mic might be NULL here, so do not try to decrement it by 2 even
if the result is not used anywhere due to a latter check for elems->mic
being NULL.

mesh_rsn.c:646:20: runtime error: pointer index expression with base 0x000000000000 overflowed to 0xfffffffffffffffe

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-25 19:48:49 +02:00
Jouni Malinen
c4fccfc7a5 UBSan: Avoid memcmp(ptr, NULL, 0)
Skip the memcmp() call if ssid_len == 0 and entry->ssid might be NULL to
avoid an UBSan warning.

wpa_supplicant.c:3956:9: runtime error: null pointer passed as argument 2, which is declared to never be null

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-25 19:48:49 +02:00
Jouni Malinen
e3b5bd81bd UBSan: Fix RRM beacon processing attempt without scan_info
Some driver interfaces (e.g., wext) might not include the
data->scan_info information and data could be NULL here. Do not try to
call the RRM handler in this case since that would dereference the NULL
pointer when determining where scan_info is located and could
potentially result in trying to read from unexpected location if RRM is
enabled with a driver interface that does not support it.

events.c:1907:59: runtime error: member access within null pointer of type 'union wpa_event_data'

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-25 19:43:11 +02:00
Jouni Malinen
01d01a311c UBSan: Avoid size_t variable overflow in control interface
The loop "if (i-- == 0) break" style construction works in practice fine
since the check against 0 is done before decrementation. However, this
hits an UBSan warning, so split that decrementation to happen as a
separate step after the check and break from the loop.

ctrl_iface.c:5086:9: runtime error: unsigned integer overflow: 0 - 1 cannot be represented in type 'size_t' (aka 'unsigned long')

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-25 19:42:50 +02:00
Jouni Malinen
ec2e7c4cfa UBSan: Avoid unsigned integer overflow is throughput estimation
wpa_scan_result_compar() would return wb->est_throughput -
wa->est_throughput in case the comparison is done based on the
throughput estimates. While the return value from this function is a
signed integer, these est_throughput values are unsigned integers and
need to be explicitly typecast to avoid an UBSan warning.

scan.c:1996:30: runtime error: unsigned integer overflow: 54000 - 135000 cannot be represented in type 'unsigned int'

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-25 19:42:48 +02:00
Lior David
2c129a1b71 Fix cipher suite selector default value in RSNE for DMG
According to IEEE Std 802.11-2016, 9.4.2.25 when fields of an RSNE are
not included, the default values are used. The cipher suite defaults
were hardcoded to CCMP in the previous implementation, but the default
is actually different for DMG: GCMP (per 9.4.2.25.2).

It is not possible to find out from the RSNE if the network is non-DMG
or DMG, so callers of wpa_parse_wpa_ie_rsn() need to handle this case
based on context, which can be different for each caller.

In order to fix this issue, add flags to the wpa_ie_data indicating
whether pairwise/group ciphers were included in the RSNE. Callers can
check these flags and fill in the appropriate ciphers. The
wpa_parse_wpa_ie_rsn() function still initializes the ciphers to CCMP by
default so existing callers will not break. This change also fixes some
callers which need to handle the DMG network case.

Signed-off-by: Lior David <liord@codeaurora.org>
2019-02-21 12:42:24 +02:00
Davina Lu
83ebf55865 wpa_supplicant: Support Multi-AP backhaul STA onboarding with WPS
The Wi-Fi Alliance Multi-AP Specification v1.0 allows onboarding of a
backhaul STA through WPS. To enable this, the backhaul STA needs to add
a Multi-AP IE to the WFA vendor extension element in the WSC M1 message
that indicates it supports the Multi-AP backhaul STA role. The Registrar
(if it support Multi-AP onboarding) will respond to that with a WSC M8
message that also contains the Multi-AP IE, and that contains the
credentials for the backhaul SSID (which may be different from the SSID
on which WPS is performed).

Introduce a new parameter to wpas_wps_start_pbc() and allow it to be
set via control interface's new multi_ap=1 parameter of WPS_PBC call.
multi_ap_backhaul_sta is set to 1 in the automatically created SSID.
Thus, if the AP does not support Multi-AP, association will fail and
WPS will be terminated.

Only wps_pbc is supported.

This commit adds the multi_ap argument only to the control socket
interface, not to the D-Bus interface.

Since WPS associates with the fronthaul BSS instead of the backhaul BSS,
we should not drop association if the AP announces fronthaul-only BSS.
Still, we should only do that in the specific case of WPS. Therefore,
add a check to multi_ap_process_assoc_resp() to allow association with a
fronthaul-only BSS if and only if key_mgmt contains WPS.

Signed-off-by: Davina Lu <ylu@quantenna.com>
Signed-off-by: Igor Mitsyanko <igor.mitsyanko.os@quantenna.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Cc: Marianna Carrera <marianna.carrera.so@quantenna.com>
2019-02-18 22:35:41 +02:00
Jouni Malinen
0f9632ceb8 mesh: More consistent checking of wpa_s->ifmsh in completion handler
It does not look like wpa_s->ifmsg could be NULL here, but better be
more consistent anyway to keep static analyzers happier by avoiding
dereference of wpa_s->ifmsh in the function before the NULL check for
it.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-02-18 18:46:40 +02:00
Jouni Malinen
947b5a1532 P2P: Stop listen state if Action frame TX is needed on another channel
This speeds up P2P responses to frames received on an operating channel
in case there is an ongoing P2P listen operation on another channel.
This is applicable to drivers that support multiple channels in
concurrently.

This addresses an issue showing up in the
p2ps_channel_active_go_and_station_different_mcc test case where the
Provision Discovery Request frame can be received on the operating
channel of a group instead of the Listen channel. The response was
delayed until the listen operation timed out and this took too long time
for the peer to receive the response.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-17 16:53:03 +02:00
Jouni Malinen
3f8ceff54c Indicate wifi_generation in wpa_supplicant STATUS output
This adds a wifi_generation=4/5/6 line to the STATUS output if the
driver reports (Re)Association Request frame and (Re)Association
Response frame information elements in the association or connection
event. Only the generations 4 (HT = 802.11n), 5 (VHT = 802.11ac), and 6
(HE = 802.11ax) are reported.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-02-15 02:09:41 +02:00
Jouni Malinen
dbfa691df4 VLAN assignment based on used WPA/WPA2 passphrase/PSK
Extend wpa_psk_file to allow an optional VLAN ID to be specified with
"vlanid=<VLAN ID>" prefix on the line. If VLAN ID is specified and the
particular wpa_psk_file entry is used for a station, that station is
bound to the specified VLAN. This can be used to operate a single
WPA2-Personal BSS with multiple VLANs based on the used passphrase/PSK.
This is similar to the WPA2-Enterprise case where the RADIUS server can
assign stations to different VLANs.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-02-14 13:36:54 +02:00
Jouni Malinen
bbdb501460 Note HT overrides in debug log only if set
This makes the debug log cleaner by removing the mostly confusing prints
about HT override parameters if they are not actually used.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-10 01:43:50 +02:00
Masashi Honma
73f285dad2 Add FT-PSK to GET_CAPABILITY key_mgmt
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2019-02-05 23:37:55 +02:00
Jouni Malinen
8f99a3c26a Clear config item writing buffer before freeing it
This buffer may be used to store items like passwords, so better clean
it explicitly to avoid possibility of leaving such items in heap memory
unnecessarily.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-02-05 20:26:22 +02:00
Jouni Malinen
a68e9b6980 D-Bus: Fix P2P DeleteService dict iteration
The previous implementation assumed the first entry coming out from the
dict is always service_type. That may not be the case, so properly
iterate over all dict entries in one loop instead of assuming what the
first entry is.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-04 17:13:54 +02:00
Jouni Malinen
0607346f12 D-Bus: Fix a memory leak in DeleteService handler
If the service_type string entry is not included, the dict entry was not
cleared.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-04 12:26:35 +02:00
Jouni Malinen
d8c20ec591 DPP: Clear dpp_listen_freq on remain-on-channel failure
If the DPP_LISTEN command failed due to the driver rejecting the
remain-on-channel request, wpa_s->dpp_listen_freq was left set to the
requested listen frequency and this resulted in the next DPP_LISTEN for
the same frequency reporting "DPP: Already listening on .." even when
the driver was not really listening on that frequency. Fix this by
clearing wpa_s->dpp_listen_freq in the error case.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-01-30 12:28:43 +02:00
Purushottam Kushwaha
59fa205388 P2P: Allow the avoid channels for P2P discovery/negotiation
The avoid channels are notified through
QCA_NL80211_VENDOR_SUBCMD_AVOID_FREQUENCY allow minimal traffic, so
enhance the P2P behavior accordingly by considering these avoid
frequencies for P2P discovery/negotiation as long as they are not in
disallowed frequencies list.

Additionally, do not return failure when none of social channels are
available as operation channel, rather, mark the op_channel/op_reg_class
to 0 as this would anyway get selected during the group formation in
p2p_prepare_channel.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-01-30 12:15:19 +02:00
Masashi Honma
89896c0008 tests: Use python3 compatible print statement
This patch is made by using 2to3 command.

$ find . -name *.py | xargs 2to3 -f print -w -n

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2019-01-26 12:37:25 +02:00
Masashi Honma
bab493b904 tests: Use python3 compatible "except" statement
This patch is made by using 2to3 command.

$ find . -name *.py | xargs 2to3 -f except -w -n

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2019-01-26 12:11:35 +02:00
Daniel Golle
0dab477335 Write multi_ap_backhaul_sta to wpa_supplicant config
The network configration option multi_ap_backhaul_sta was added without
adding it to wpa_config_write_network(). Hence the value of this option
was not included when writing the configuration file. Fix this by
including it in wpa_config_write_network().

Fixes: 5abc7823b ("wpa_supplicant: Add Multi-AP backhaul STA support")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2019-01-24 00:27:12 +02:00
Lubomir Rintel
98251c6f21 dbus: Document more possible BSS/RSA/KeyMgmt values
This is probably not ideal, since it would be better if it ended up
being autogenerated somehow, but at least it's somewhat of an
improvement.

Also added a comment that encourages keeping the docs in sync.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-01-24 00:24:09 +02:00
Lior David
1e591df063 Check supported types in wpas_mac_addr_rand_scan_set()
When setting scan with randomized MAC, check the requested scan type
against supported types, to ensure callers will not set an unsupported
type, since this can cause scan/connect failures later. It is better to
do this in wpas_mac_addr_rand_scan_set() instead of control interface
specific code to apply the constraint on all possible interfaces using
this setting.

Signed-off-by: Lior David <liord@codeaurora.org>
2019-01-24 00:21:34 +02:00
Lior David
c85249aa15 Fix test compilation error related to sme_event_unprot_disconnect()
sme_event_unprot_disconnect() is only defined with CONFIG_IEEE80211W, so
the CONFIG_TESTING_OPTIONS command UNPROT_DEAUTH can be defined only
with builds that enable IEEE 802.11w support.

Signed-off-by: Lior David <liord@codeaurora.org>
2019-01-24 00:21:28 +02:00
Jouni Malinen
13a200a92a FILS: Remove notes about experimental implementation
The standard amendment has been published and there has been sufficient
amount of interoperability testing for FILS to expect the protocol not
to be changed anymore, so remove the notes claiming this to be
experimental and not suitable for production use.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-22 13:33:48 +02:00
Lubomir Rintel
86d4e05374 dbus: Expose support of SAE key management in BSS properties
This is going to be useful for NetworkManager and likely others.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-01-22 13:26:12 +02:00
Masashi Honma
3e949655cc Revert "mesh: Apply channel attributes before setup interface"
This reverts commit 2564184440.

Commit 2564184440 ("mesh: Apply channel attributes before setup
interface") triggers some channel configurations to result in leaking
memory. This seems to be caused by hapd->started not getting set when
going through a callback to start hostapd operation (e.g., when using
HT40 coex scan) due to hostapd_setup_bss() not getting called. This
results in hostapd_free_hapd_data() not clearing allocated
hapd->wpa_auth. This can be reproduced with the hwsim test case
mesh_secure_ocv_mix_legacy.

A more complete cleanup of the pending mesh patch for DFS support seems
to be needed to fix this properly, so the best approach for now is to
revert this patch and bring it back once rest of the mesh changes are
ready to be applied.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2019-01-21 23:43:12 +02:00
Amit Khatri
cc0f24196b D-Bus: Fix P2P Flush method to clear pending Action frames
If we call p2p_flush from ctrl_iface, before calling p2p_flush() it
calls wpas_p2p_stop_find(). Add the same call to the matching D-Bus
method to clear all pending operations.

Signed-off-by: Amit Khatri <amit7861234@gmail.com>
2019-01-21 12:30:17 +02:00
Jimmy Chen
a95906f938 P2P: support random interface address
To enhance privacy, generate a random interface for each group.

There are two configurations are introduced:
* p2p_interface_random_mac_addr
  enable interface random MAC address feature, default disable.

Signed-off-by: Jimmy Chen <jimmycmchen@google.com>
2019-01-12 17:58:30 +02:00
Jimmy Chen
9359cc8483 P2P: Support random device address
To enhance privacy, generate a random device address for P2P interface.
If there is no saved persistent group, it generate a new random MAC
address on bringing up p2p0. If there is saved persistent group, it will
use last MAC address to avoid breaking group reinvoke behavior.

There are two configurations are introduced:
* p2p_device_random_mac_addr
  enable device random MAC address feature, default disable.
* p2p_device_persistent_mac_addr
  store last used random MAC address.

Signed-off-by: Jimmy Chen <jimmycmchen@google.com>
2019-01-12 17:55:42 +02:00
Peng Xu
5a3319ab1b P2P: Add 802.11ax support for P2P GO
An optional parameter "he" is added to p2p_connect, p2p_group_add, and
p2p_invite to enable 11ax HE support. The new p2p_go_he=1 configuration
parameter can be used to request this to be enabled by default.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-01-12 13:09:39 +02:00
Martin Stanislav
cfb01f58a6 eapol_test: Start the identifier at an initial random value
Start the (EAP request) identifier at an initial random value
as recommended by RFC 3748 in section 4.1 Request and Response
on page 21.

Signed-off-by: Martin Stanislav <ms@uakom.sk>
2019-01-08 13:40:33 +02:00
Arend van Spriel
d896874f86 nl80211: Indicate 802.1X 4-way handshake offload in connect
Upon issuing a connect request we need to indicate that we want the
driver to offload the 802.1X 4-way handshake for us. Indicate it if
the driver capability supports the offload.

Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
2019-01-08 01:12:02 +02:00
Arend van Spriel
436ee2fd93 drivers: Add separate driver flags for 802.1X and PSK 4-way HS offloads
Allow drivers to indicate support for offloading 4-way handshake for
either IEEE 802.1X (WPA2-Enterprise; EAP) and/or WPA/WPA2-PSK
(WPA2-Personal) by splitting the WPA_DRIVER_FLAGS_4WAY_HANDSHAKE flag
into two separate flags.

Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
2019-01-08 01:12:02 +02:00
Ben Greear
b06d60a902 Use freq_list to constrain supported operating class information
If a station is configured to allow only a subset of frequencies for an
association, the supported operating classes may need to be more limited
than what the hardware supports.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2019-01-08 00:20:04 +02:00
Ben Greear
cb828507f5 Use disable_ht/vht to constrain supported operating class information
If user has disabled HT or VHT, those related operating classes
should not be advertised as supported.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2019-01-08 00:19:07 +02:00
Peter Oh
e5a9b1e8a3 mesh: Implement use of VHT20 config in mesh mode
Mesh in VHT mode is supposed to be able to use any bandwidth that VHT
supports, but there was no way to set VHT20 although there are
parameters that are supposed to be used. This commit along then previous
commit for VHT_CHANWIDTH_USE_HT makes mesh configuration available to
use any bandwidth with combinations of existing parameters like shown
below.

VHT80:
  default
  do not set any parameters
VHT40:
  max_oper_chwidth = 0
VHT20:
  max_oper_chwidth = 0
  disable_ht40 = 1
HT40:
  disable_vht = 1
HT20:
  disable_ht40 = 1
disable HT:
  disable_ht = 1

Signed-off-by: Peter Oh <peter.oh@bowerswilkins.com>
2019-01-06 23:49:40 +02:00
Peter Oh
806db174fd mesh: Add VHT_CHANWIDTH_USE_HT to max_oper_chwidth
Channel width in VHT mode refers HT capability when the width goes down
to below 80 MHz, hence add checking HT channel width to its max
operation channel width. So that mesh has capability to select bandwidth
below 80 MHz.

Signed-off-by: Peter Oh <peter.oh@bowerswilkins.com>
2019-01-06 23:43:40 +02:00
Ben Greear
fd83a80815 wpa_supplicant: Allow disabling VHT SGI capability
This provides similar features to what was already available for HT
overrides. Probe Request frames look correct, and VHT capabilities shown
in debugfs look as expected.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2019-01-06 20:59:36 +02:00
Jouni Malinen
02f52ab6f5 Use lchown() instead of chown() for self-created files
There is no need to allow symlink dereferencing in these cases where a
file (including directories and sockets) are created by the same
process, so use the safer lchown() variant to avoid leaving potential
windows for something external to replace the file before the chown()
call. The particular locations used here should not have write
permissions enabled for processes with less privileges, so this may not
be needed, but anyway, it is better to make these more restrictive
should there be cases where directory permissions are not as expected
for a good deployment.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-06 20:28:04 +02:00
Jouni Malinen
441ba1a3e3 dbus: Fix build without CONFIG_WNM=y
wpa_s->bss_tm_status is within #ifdef CONFIG_WNM, so need to access it
through matching condition.

Fixes: 80d06d0ca9 ("dbus: Export BSS Transition Management status")
Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-05 18:44:17 +02:00
Jouni Malinen
cc9c4feccc OpenSSL: Allow systemwide policies to be overridden
Some distributions (e.g., Debian) have started introducting systemwide
OpenSSL policies to disable older protocol versions and ciphers
throughout all programs using OpenSSL. This can result in significant
number of interoperability issues with deployed EAP implementations.

Allow explicit wpa_supplicant (EAP peer) and hostapd (EAP server)
parameters to be used to request systemwide policies to be overridden if
older versions are needed to be able to interoperate with devices that
cannot be updated to support the newer protocol versions or keys. The
default behavior is not changed here, i.e., the systemwide policies will
be followed if no explicit override configuration is used. The overrides
should be used only if really needed since they can result in reduced
security.

In wpa_supplicant, tls_disable_tlsv1_?=0 value in the phase1 network
profile parameter can be used to explicitly enable TLS versions that are
disabled in the systemwide configuration. For example,
phase1="tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0" would request TLS
v1.0 and TLS v1.1 to be enabled even if the systemwide policy enforces
TLS v1.2 as the minimum version. Similarly, openssl_ciphers parameter
can be used to override systemwide policy, e.g., with
openssl_ciphers="DEFAULT@SECLEVEL=1" to drop from security level 2 to 1
in Debian to allow shorter keys to be used.

In hostapd, tls_flags parameter can be used to configure similar
options. E.g., tls_flags=[ENABLE-TLSv1.0][ENABLE-TLSv1.1]

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-05 17:14:26 +02:00
Jouni Malinen
f808bd59e8 FT: Do not try to use FT-over-air if reassociation cannot be used
There is no point in going through FT authentication if the next step
would have to use association exchange which will be rejected by the AP
for FT, so only allow FT-over-air if previous BSSID is set, i.e., if
reassociation can be used.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-04 23:22:46 +02:00
Jouni Malinen
19c3a9a88d P2PS: Notify D-Bus about removal of a stale/empty persistent group
During P2PS PD Request processing wpa_supplicant removes stale and empty
persistent groups, but it did not notify D-Bus to unregister object. Fix
this by adding the missing notifications.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-04 13:19:20 +02:00
Amit Khatri
69dc9cabcc P2PS: Notify D-Bus about removal of a stale persistent group
During P2PS PD Request processing wpa_supplicant removes stale
persistent groups, but it did not notify D-Bus to unregister object.
This can result in leaving behind objects pointing to freed memory and
memory leaks. Sometime it can cause a crash in wpa_config_get_all()
function and DBUS_ERROR_OBJECT_PATH_IN_USE errors.

Fix this by adding the missed notification to D-Bus code to unregister
the object.

Signed-off-by: Amit Khatri <amit7861234@gmail.com>
2019-01-04 13:19:12 +02:00
Peter Oh
0332c27e32 mesh: Consider mesh interface on DFS event handler
Once mesh starts supporting DFS channels, it has to handle DFS related
events from drivers, hence add mesh interface to the check list.

Signed-off-by: Peter Oh <peter.oh@bowerswilkins.com>
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2019-01-03 13:31:55 +02:00
Peter Oh
fed51174d6 mesh: Reflect country setting to mesh configuration for DFS
wpa_supplicant configuration has country parameter that is supposed to
be used in AP mode to indicate supporting IEEE 802.11h and 802.11d.
Reflect this configuration to Mesh also since Mesh is required to
support 802.11h and 802.11d to use DFS channels.

Signed-off-by: Peter Oh <peter.oh@bowerswilkins.com>
2019-01-03 13:26:47 +02:00
Peter Oh
2564184440 mesh: Apply channel attributes before setup interface
This helps mesh interface initialization with correct channel
parameters.

Signed-off-by: Peter Oh <peter.oh@bowerswilkins.com>
2019-01-03 13:13:07 +02:00
Peter Oh
3ba4a25e5d mesh: Set interface type to mesh before setting interface
Correct interface type is required to start DFS CAC that can be
triggered during interface setup.

Signed-off-by: Peter Oh <peter.oh@bowerswilkins.com>
2019-01-03 13:02:56 +02:00
Peter Oh
c95619c211 mesh: Set mesh VHT center frequency
VHT center frequency value is required to compose the correct channel
info.

Signed-off-by: Peter Oh <peter.oh@bowerswilkins.com>
2019-01-03 12:59:25 +02:00