Commit graph

3211 commits

Author SHA1 Message Date
Ben Greear
99805a0ea1 Interworking: Convert wpa_printf() to wpa_msg()
Also adds a few messages that helped me track down why things
were not working as expected.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2015-02-01 01:32:25 +02:00
Roger Zanoni
b42f539ed2 Add a variable to handle extra CFLAGS values
Some packages don't install its headers in the default directory
(e.g.: In Arch Linux libiberty and libn13 includes are installed)
in their own subdirectory under /usr/include) and the build fails
trying to find the headers.

This patch will allow passing extra CFLAGS values without discarding
the assignments made in the Makefile. The CFLAGS values in the Makefile
are ignored, if defined directly in the make command line.

Signed-off-by: Roger Zanoni <roger.zanoni@openbossa.org>
2015-02-01 00:26:17 +02:00
Jouni Malinen
e6dd8196e5 Work around Linux packet socket regression
Linux kernel commit 576eb62598f10c8c7fd75703fe89010cdcfff596 ('bridge:
respect RFC2863 operational state') from 2012 introduced a regression
for using wpa_supplicant with EAPOL frames and a station interface in a
bridge. Since it does not look like this regression is going to get
fixed any time soon (it is already two years from that commit and over
1.5 from a discussion pointing out the regression), add a workaround in
wpa_supplicant to avoid this issue.

The wpa_supplicant workaround uses a secondary packet socket to capture
all frames (ETH_P_ALL) from the netdev that is in a bridge. This is
needed to avoid the kernel regression. However, this comes at the price
of more CPU load. Some of this is avoided with use of Linux socket
filter, but still, this is less efficient than a packet socket bound to
the specific EAPOL ethertype. The workaround gets disabled
automatically, if the main packet socket interface on the bridge
interface turns out to be working for RX (e.g., due to an old kernel
version being used or a new kernel version having a fix for the
regression). In addition, this workaround is only taken into use for the
special case of running wpa_supplicant with an interface in a bridge.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-31 17:21:58 +02:00
Bob Copeland
745d93695b mesh: Create new station entry on popen frames
Currently, there is a race in open mesh networks where mesh STA A
receives a beacon from B and sends a peering open frame to initiate
peering. STA B, having not yet received a beacon from A and thus
created the corresponding station entry, will ignore all such open
frames. If the beacon interval is sufficiently long then peering
will not succeed as a result.

In fact B can simply create the station entry when the popen is
received, as is done in Linux's in-kernel MPM, avoiding the issue.

Signed-off-by: Bob Copeland <me@bobcopeland.com>
2015-01-28 13:09:31 +02:00
Bob Copeland
41bff862d9 mesh: Always free the station if peering failed
Previously, we would only free the station entry if a peering close
frame was received (freeing the station entry causes the kernel to
start sending peer candidate events again when suitable beacons are
received, triggering peering or authentication to restart).

The end result is the same in any case regardless of close reason:
if we leave holding state then peering has started again, so go
ahead and remove the station in all cases.

Signed-off-by: Bob Copeland <me@bobcopeland.com>
2015-01-28 13:09:31 +02:00
Masashi Honma
871ff0b746 mesh: Sync plink state with kernel
The plink_state exists both wpa_supplicant and kernel. Synchronize them
with wpa_mesh_set_plink_state().

Signed-off-by: Kenzoh Nishikawa <Kenzoh.Nishikawa@jp.sony.com>
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2015-01-28 13:09:31 +02:00
Jouni Malinen
ba4226130e Simplify eapol_sm_notify_pmkid_attempt()
Drop the unneeded 'attempt' argument. This was originally used for
indicating an aborted PMKID caching attempt, but a fix in 2006 removed
the only such user and since that time, only attempt == 1 has been used.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-28 13:09:31 +02:00
Jouni Malinen
993a865407 Add eap_session_id to wpa_supplicant STATUS output
This makes the current EAP Session-Id available for external programs.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-28 13:09:31 +02:00
Jouni Malinen
f19c907822 OpenSSL: Implement aes_wrap() and aes_unwrap()
This replaces the implementation in aes-wrap.c and aes-unwrap.c with
OpenSSL AES_wrap_key() and AES_unwrap_key() functions when building
hostapd or wpa_supplicant with OpenSSL.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-28 13:09:31 +02:00
Jouni Malinen
983c6a606b OpenSSL: Replace internal HMAC-MD5 implementation
Use OpenSSL HMAC_* functions to implement HMAC-MD5 instead of depending
on the src/crypto/md5.c implementation.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-28 13:09:31 +02:00
Jouni Malinen
3f56a2b746 Ignore pmf=1 default if driver does not support PMF
Connection with a PMF enabled AP will fail if we try to negotiate PMF
while the local driver does not support this. Since pmf=1 does not
require PMF for a successful connection, it can be ignored in such a
case to avoid connectivity issues with invalid configuration. This makes
it somewhat easier to allow upper layer programs to use pmf=1 default
regardless of driver capabilities.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-27 12:38:52 +02:00
Jouni Malinen
937403b581 Update copyright notices for the new year 2015
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-27 01:43:55 +02:00
Jouni Malinen
399e61353a Add Suite B AKMs to key_mgmt capability list
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-27 01:43:55 +02:00
Jouni Malinen
5e3b5197cc Add Suite B 192-bit AKM
WPA-EAP-SUITE-B-192 can now be used to select 192-bit level Suite B into
use as the key management method.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-27 01:43:52 +02:00
Jouni Malinen
97ae35a848 Add HMAC-SHA384
For now, this is only implemented with OpenSSL.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-27 01:26:51 +02:00
Jouni Malinen
98cd3d1c3b Preparations for variable length KCK and KEK
This modifies struct wpa_ptk to allow the length of KCK and KEK to be
stored. This is needed to allow longer keys to be used, e.g., with
Suite B 192-bit level.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-27 01:26:49 +02:00
Jouni Malinen
b5f045deee Show supported group_mgmt capabilities
This extends GET_CAPABILITY command to allow the supported group
management frame cipher suites to be listed.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-24 19:37:42 +02:00
Ben Greear
893e152e64 Interworking: More debug messages
And convert some wpa_printf to wpa_msg.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2015-01-24 19:37:42 +02:00
Ben Greear
f45bae5b81 Interworking: Add logging to track nai_realm_find_eap failures
There are lots of reasons we can fail to match an EAP credential, so add
logging to help determine why it is happening in various cases.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2015-01-24 19:37:42 +02:00
Jouni Malinen
5a5aab7f40 Interworking: Remove unnecessary NULL check
nai_realm_find_eap() is called only in cases where the cred pointer is
not NULL.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-24 19:37:42 +02:00
Adrian Nowicki
ad905e4a79 wpa_gui: Sort frequency and signal numerically in the scan results dialog
Signal strength was sorted lexically rather than numerically, which
put "-100 dBm" before "-50 dBm" if sorted in descending order.
This change fixes that. It also treats frequency in the same
manner, preparing it for the IEEE 802.11ah.

Signed-off-by: Adrian Nowicki <adinowicki@gmail.com>
2015-01-23 01:24:25 +02:00
Jouni Malinen
c35e35ed81 Add passive_scan configuration parameter
This new wpa_supplicant configuration parameter can be used to force
passive scanning to be used for most scanning cases at the cost of
increased latency and less reliably scans. This may be of use for both
testing purposes and somewhat increased privacy due to no Probe Request
frames with fixed MAC address being sent out.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-22 20:50:01 +02:00
ASHUTOSH NARAYAN
fb09ed3389 Interworking: Notify the ANQP parsing status
The ANQP verification/parsing is done only after the GAS_DONE indication
is sent over the control interface. This means that in case the ANQP
parsing fails there is no indication to the upper layers. Add an
ANQP-QUERY-DONE event that reports the status of the ANQP parsing.

Signed-off-by: ASHUTOSH NARAYAN <ashutoshx.narayan@intel.com>
2015-01-20 02:26:21 +02:00
ASHUTOSH NARAYAN
d10b01d299 HS20: Provide appropriate permission to the OSU related files
The icon files and the osu-providers.txt that are generated may not have
proper permission for external programs to access. Set the access
permissions to the same as the permissions for osu_dir.

Signed-off-by: ASHUTOSH NARAYAN <ashutoshx.narayan@intel.com>
2015-01-20 02:26:16 +02:00
Ilan Peer
dd09e424c2 Fix memory leak in wpa_supplicant global bgscan configuration
Global bgscan configuration parameter was not freed when config was
freed.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2015-01-20 02:10:05 +02:00
Eytan Lifshitz
30f459c098 wpa_cli: Fix NULL dereference on printf string argument
In wpa_cli_cmd_interface(), try_connection(), and main(), ctrl_ifname
may be NULL and could be dereferenced depending on the printf()
implementation.

Signed-off-by: Eytan Lifshitz <eytan.lifshitz@intel.com>
2015-01-20 02:08:58 +02:00
Ilan Peer
b72b2ad39e P2P: Stop p2p_listen/find on wpas_p2p_invite
Stop any ongoing P2P listen/find flow before starting invitation flow.
This was partially handled in p2p_invite() that called p2p_find(), but
this did not cleanly handle cases such as long_listen.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2015-01-20 01:57:59 +02:00
Ilan Peer
7e608d1def P2P: Use the correct wpa_s interface to handle P2P state flush
A control interface call to flush the current state used the
current wpa_s to clear the P2P state even though it might not
be the interface controlling the P2P state.

Fix it by using the correct interface to flush the P2P state.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2015-01-20 01:57:59 +02:00
Eyal Shapira
fd83335f29 AP: Enable HT Tx STBC for AP/GO if supported by driver
Publish support for Tx STBC in the HT capabilities of a GO and AP
controlled by wpa_supplicant in case the hardware supports it.

Signed-off-by: Eyal Shapira <eyalx.shapira@intel.com>
2015-01-20 01:57:59 +02:00
Ben Rosenfeld
d90bfa97f4 Move external_scan_running to wpa_radio
external_scan_running should be common to all interfaces that share a
radio. This fixes a case where external_scan_running was set on a single
interface, but did not block scan on other interfaces.

Signed-off-by: Ben Rosenfeld <ben.rosenfeld@intel.com>
2015-01-20 01:57:59 +02:00
Ben
0c5f01fdf2 Clear reattach flag in fast associate flow
Clear the reattach flags, in case a connection request did not trigger a
scan. This needs to be done to avoid leaving the reattach flag set for
the next scan operation which may not have anything to do with the
specific request that could have been optimized using the single-channel
single-SSID scan.

Signed-off-by: Ben <ben.rosenfeld@intel.com>
2015-01-20 01:57:59 +02:00
David Spinadel
8ad8bc5c36 NFC: Redirect NFC commands on global control interface
Redirect NFC commands from global control interface to P2P device
interface.

Signed-off-by: David Spinadel <david.spinadel@intel.com>
2015-01-20 01:57:59 +02:00
David Spinadel
57ae1f5be9 P2P: Fix P2P invitation with NFC
Use interface's own NFC configuration instead of parent's one
to support a P2P device dedicated interface.

Signed-off-by: David Spinadel <david.spinadel@intel.com>
2015-01-20 00:51:36 +02:00
Matti Gottlieb
07565ab0f9 WNM: Fix the length of WNM_BSS_QUERY control interface command
The length should be 14 and not 10.
The current situation causes failure during parsing of the command.

Signed-off-by: Matti Gottlieb <matti.gottlieb@intel.com>
2015-01-20 00:47:41 +02:00
Jouni Malinen
2d9c99e37b Retry scan-for-connect if driver trigger fails
This restores some of the pre-radio work behavior for scanning by
retrying scan trigger if the driver rejects it (most likely returning
EBUSY in case of nl80211-drivers). Retry is indicated in the
CTRL-EVENT-SCAN-FAILED event with "retry=1".

For manual scans (e.g., triggered through "SCAN" control interface
command), no additional retries are performed. In other words, if upper
layers want to retry, they can do so based on the CTRL-EVENT-SCAN-FAILED
event.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-19 20:25:20 +02:00
Jouni Malinen
911942ee64 Add a test framework for various wpa_supplicant failure cases
For CONFIG_TESTING_OPTIONS=y builds, add a new test parameter than can
be used to trigger various error cases within wpa_supplicant operations
to make it easier to test error path processing. "SET test_failure
<val>" is used to set which operation fails. For now, 0 = no failures
and 1 = scan trigger fails with EBUSY. More operations can be added in
the future to extend coverage.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-19 19:34:00 +02:00
Janusz Dziedzic
95ff306988 nl80211: Allow HT/VHT to be disabled for IBSS
Allow HT/VHT overrides to be used for IBSS.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2015-01-19 02:35:43 +02:00
Masashi Honma
5a2a6de6a5 mesh: Make inactivity timer configurable
Current mesh code uses ap_max_inactivity as inactivity timer. This patch
makes it configurable.

There is another mesh inactivity timer in mac80211. The timer works even
if user_mpm=1. So this patch sets the max value to the timer for
workaround.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2015-01-19 02:35:43 +02:00
Jouni Malinen
0efcad2c30 Print in debug log whether attached monitor is for global interface
It is easier to debug issues related to the wpa_supplicant control
interfaces being left behind in attached state when the debug log file
can be used to determine whether a specific monitor socket was a global
or per-interface one.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-18 16:23:43 +02:00
Jouni Malinen
8266e6c6b4 HS 2.0: Try to use same BSS entry for storing GAS results
Commit 17b8995cf5 ('Interworking: Try to
use same BSS entry for storing GAS results') added a mechanism to try to
pair GAS request and response to a single BSS entry to cover cases where
multiple BSS entries may exists for the same BSSID. However, that commit
did not cover the Hotspot 2.0 ANQP elements. Extend this mechanism to
all ANQP elements. This can help in cases where information in the
Hotspot 2.0 specific ANQP elements got lost if a hidden SSID or some
other reason of duplicated BSS entries was present while doing ANQP
fetches.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-17 17:47:32 +02:00
Jouni Malinen
6c69991382 Make wpa_supplicant FLUSH command more likely to clear all BSS entries
Move the wpa_bss_flush() call to the end of the function to allow any
pending user of a BSS entry to be cleared before removing the unused
entries. There were number of cases where BSS entries could have been
left in the list and this resulted in some hwsim test failures.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-17 15:39:48 +02:00
Jouni Malinen
2dbe63ad53 Write reason for scan only_new_results into debug log
This can be helpful in figuring out why the driver was requested to
flush its scan results prior to starting a new scan.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-17 13:54:16 +02:00
Jouni Malinen
242b83a380 eapol_test: Fix cert_cb() function arguments
altsubject[] was added here, but the callback implementation in
eapol_test.c was forgotten from the commit.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-17 02:24:00 +02:00
Jouni Malinen
a8826b1848 Interworking: Avoid busy loop in scan result mismatch corner cases
It was possible for interworking_find_network_match() to find a possible
BSS match in a case where more thorough checks in
wpa_supplicant_select_bss() reject network. This itself is fine, in
general, but when combined with wpa_supplicant_fast_associate()
optimization and auto_interworking=1, this resulted in a busy loop of up
to five seconds and a possible stack overflow due to recursion in that
loop.

Fix this by limiting the Interworking wpa_supplicant_fast_associate()
call to be used only once per scan iteration, so that new scan
operations can be completed before going through the scan results again.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-17 01:52:07 +02:00
Jouni Malinen
edd5939a26 Interworking: Start ANQP fetch from eloop callback
Reduce maximum stack use by starting next ANQP fetch operation from an
eloop callback rather than calling interworking_next_anqp_fetch()
directly from interworking_start_fetch_anqp(). This avoids issues that
could potentially make the process run out of stack if long loops of
ANQP operations are executed in cases where automatic Interworking
network selection is used and scan results do not have a full match for
a network.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-17 01:51:47 +02:00
Jouni Malinen
783b2a977f Interworking: Fix INTERWORKING_CONNECT with zero-length SSID BSS entry
For Interworking connection to work, the SSID of the selected BSS needs
to be known to be able to associate with the AP. It was possible for the
scan results to include two BSS entries matching the BSSID when an
earlier scan with that AP has shown a hidden SSID configuration (e.g.,
when running hwsim test cases, but at least in theory, this could happen
with real use cases as well). When that happened, the incorrect BSS
entry may not have included RSN configuration and as such, it would get
rejected for Interworking connection.

Fix this by confirming that the selected BSS entry has a real SSID. If
not, try to find another BSS entry matching the same BSSID and use that,
if found with an SSID.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-15 12:24:18 +02:00
Jouni Malinen
cebee30f31 Add domain_match network profile parameter
This is similar with domain_suffix_match, but required a full match of
the domain name rather than allowing suffix match (subdomains) or
wildcard certificates.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-14 15:45:18 +02:00
Jouni Malinen
d07d3fbda2 Add peer certificate alt subject name information to EAP events
A new "CTRL-EVENT-EAP-PEER-ALT depth=<i> <alt name>" event is now used
to provide information about server certificate chain alternative
subject names for upper layers, e.g., to make it easier to configure
constraints on the server certificate. For example:
CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:server.example.com

Currently, this includes DNS, EMAIL, and URI components from the
certificates. Similar information is priovided to D-Bus Certification
signal in the new altsubject argument which is a string array of these
items.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-14 15:45:18 +02:00
Jouni Malinen
98a4cd447e D-Bus: Clear cached EAP data on network profile changes
This makes D-Bus network profile Set(Properties) clear cached EAP data
similarly to how SET_NETWORK does for control interface.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-14 13:24:09 +02:00
Jouni Malinen
483dd6a5e0 Include peer certificate always in EAP events
This makes it easier for upper layer applications to get information
regarding the server certificate without having to use a special
certificate probing connection. This provides both the SHA256 hash of
the certificate (to be used with ca_cert="hash://server/sha256/<hash>",
if desired) and the full DER encoded X.509 certificate so that upper
layer applications can parse and display the certificate easily or
extract fields from it for purposes like configuring an altsubject_match
or domain_suffix_match.

The old behavior can be configured by adding cert_in_cb=0 to
wpa_supplicant configuration file.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-14 12:24:52 +02:00