Commit graph

4219 commits

Author SHA1 Message Date
Jouni Malinen
cbc210de09 RADIUS DAS: Allow PMKSA cache entry to be removed without association
This extends Disconnect-Request processing to check against PMKSA cache
entries if no active session (STA association) match the request.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-16 15:55:39 +02:00
Jouni Malinen
4e871ed1c3 RADIUS DAS: Support Acct-Multi-Session-Id as a session identifier
This extends Disconnect-Request support for an additiona session
identification attribute.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-16 13:09:44 +02:00
Jouni Malinen
b52c0d453f Add authMultiSessionId into hostapd STA info
dot1xAuthSessionId was previously used to make Acct-Session-Id available
through the control interface. While there is no IEEE 802.1X MIB
variable for Acct-Multi-Session-Id, it is useful to make this value
available as well.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-16 13:07:14 +02:00
Jouni Malinen
861beb7269 RADIUS DAS: Check for single session match for Disconnect-Request
Previously, the first matching STA was picked. That is not really the
design in RFC 5176, so extend this matching code to go through all
specified session identification attributes and verify that all of them
match. In addition, check for a possible case of multiple sessions
matching. If such a case is detected, return with Disconnect-NAK and
Error-Code 508 (multiple session selection not supported).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-16 12:50:16 +02:00
Jouni Malinen
1fef85c7c5 nl80211: Fix AP-scan-in-STA-mode error path behavior
If a second scan trigger attempt fails in STA mode, the error path was
supposed to restore the old mode that was in use before changing to STA
mode. However, wpa_driver_nl80211_set_mode() changes drv->nlmode on
success, so the recovery path needs to use the saved old_mode value
instead.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-15 00:59:14 +02:00
Jouni Malinen
cebee30f31 Add domain_match network profile parameter
This is similar with domain_suffix_match, but required a full match of
the domain name rather than allowing suffix match (subdomains) or
wildcard certificates.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-14 15:45:18 +02:00
Jouni Malinen
d07d3fbda2 Add peer certificate alt subject name information to EAP events
A new "CTRL-EVENT-EAP-PEER-ALT depth=<i> <alt name>" event is now used
to provide information about server certificate chain alternative
subject names for upper layers, e.g., to make it easier to configure
constraints on the server certificate. For example:
CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:server.example.com

Currently, this includes DNS, EMAIL, and URI components from the
certificates. Similar information is priovided to D-Bus Certification
signal in the new altsubject argument which is a string array of these
items.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-14 15:45:18 +02:00
Jouni Malinen
dd5f902584 Get rid of a compiler warning
Commit e7d0e97bdb ('hostapd: Add vendor
specific VHT extension for the 2.4 GHz band') resulted in a compiler
warning regarding comparison between signed and unsigned integers at
least for 32-bit builds.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-14 01:38:26 +02:00
Jouni Malinen
d29fa3a767 Extend VENDOR_ELEM parameters to cover non-P2P Association Request
The new VENDOR_ELEM value 13 can now be used to add a vendor element
into all (Re)Association Request frames, not just for P2P use cases like
the previous item was for.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-14 01:12:56 +02:00
Yanbo Li
e7d0e97bdb hostapd: Add vendor specific VHT extension for the 2.4 GHz band
This allows vendor specific information element to be used to advertise
support for VHT on 2.4 GHz band. In practice, this is used to enable use
of 256 QAM rates (VHT-MCS 8 and 9) on 2.4 GHz band.

This functionality is disabled by default, but can be enabled with
vendor_vht=1 parameter in hostapd.conf if the driver advertises support
for VHT on either 2.4 or 5 GHz bands.

Signed-off-by: Yanbo Li <yanbol@qti.qualcomm.com>
2015-01-14 00:59:22 +02:00
Jouni Malinen
3e7f1c7980 GnuTLS: Add TLS event callbacks for chain success/failure and peer cert
This makes GnuTLS events match the ones provided when OpenSSL is used.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
0eb2ed067f GnuTLS: Add support for OCSP stapling as a client
This allows ocsp=2 to be used with wpa_supplicant when built with GnuTLS
to request TLS status extension (OCSP stapling) to be used to validate
server certificate validity.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
0e1bb94b91 GnuTLS: Verify that server certificate EKU is valid for a server
The server certificate will be rejected if it includes any EKU and none
of the listed EKUs is either TLS Web Server Authentication or ANY.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
d4d1f5cb33 GnuTLS: Fix tls_disable_time_checks=1 processing
Certificate expiration is checked both within GnuTLS and in the
tls_gnutls.c implementation. The former was configured to use the
request to ignore time checks while the latter was not. Complete support
for this parameter by ignoring the internal expiration checks if
requested.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
594d1fc084 GnuTLS: Add support for private_key and client_cert as blobs
This allows private key and client certificate to be configured using
wpa_supplicant blobs instead of external files.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
79b1dd9aad GnuTLS: Fix DER encoding certificate parsing
It looks like GnuTLS may return success on
gnutls_certificate_set_x509_*() functions with GNUTLS_X509_FMT_PEM even
when trying to read DER encoded information. Reverse the order of
parsing attempts so that we start with DER and then move to PEM if
GnuTLS reports failure on DER parsing. This seems to be more reliable
way of getting errors reported and both cases can now be handled.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
1068bdb90c tests: Fix crypto module test build without EAP-FAST
Skip the EAP-FAST specific test cases if wpa_supplicant build is
configured not to include EAP-FAST support.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
a16514516b Add "GET tls_library" to provide information on TLS library and version
This new wpa_supplicant and hostapd control interface command can be
used to determine which TLS library is used in the build and what is the
version of that library.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
c3bb84b415 GnuTLS: Add event callbacks
This allows wpa_supplicant to provide more information about peer
certificate validation results to upper layers similarly to the
mechanism used with OpenSSL.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
8ddcd6b9d4 GnuTLS: Add support for domain_suffix_match
This implementation uses GnuTLS function
gnutls_x509_crt_check_hostname(). It has a bit different rules regarding
matching (allows wildcards in some cases, but does not use suffix
matching) compared to the internal implementation used with OpenSSL.
However, these rules are sufficiently close to each other to be of
reasonable use for most cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
4bc13bf709 GnuTLS: Check for any unknown verification failure
After having checked all known GNUTLS_CERT_* error cases that we care
about, check that no other errors have been indicated by
gnutls_certificate_verify_peers2() as a reason to reject negotiation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
e0d431a515 GnuTLS: Add more debug prints for version and session status
Make the debug output more useful for determining whuch version of
GnuTLS was used and what was negotiated for the session.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
65ec7f4c12 GnuTLS: Move peer certificate validation into callback function
GnuTLS 2.10.0 added gnutls_certificate_set_verify_function() that can be
used to move peer certificate validation to an earlier point in the
handshake. Use that to get similar validation behavior to what was done
with OpenSSL, i.e., reject the handshake immediately after receiving the
peer certificate rather than at the completion of handshake.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:20 +02:00
Jouni Malinen
7c8245798f GnuTLS: Remove support for versions older than 2.12.x
GnuTLS project has marked 2.12.x obsolete since January 2014. There is
not much need for maintaining support for obsolete versions of the
library, so drop all #if/#endif blocks targeting 2.x.y versions. In
practice, none of these were requiring 2.12.x version with x greater
than 0, so 2.12.x remains supported for now.

In addition, add newer version (GnuTLS 3.0.18 and newer) to fetch client
and server random from the session since the old method is not supported
by new GnuTLS versions and as such, gets removed with rest of the old
ifdef blocks.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:18:57 +02:00
Jouni Malinen
e1d63f6aea GnuTLS: Remove old version number checks for 1.3.2
No one should be using GnuTLS versions older than 1.3.2 from 2006
anymore, so remove these unnecessary #if/#endif checks.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-11 11:13:20 +02:00
Jouni Malinen
ae0a23a0ca GnuTLS: Remove GNUTLS_INTERNAL_STRUCTURE_HACK
This was needed with very old GnuTLS versions, but has not been needed,
or used, since GnuTLS 1.3.2 which was released in 2006. As such, there
is no need to maintain this code anymore and it is better to just clean
the source code by removing all the related code.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-11 11:11:03 +02:00
Jouni Malinen
db4cf40b92 GnuTLS: Add support for ca_cert as a blob
This allows GnuTLS to be used with trusted CA certificate from
wpa_supplicant blob rather than an external certificate file.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-11 01:49:09 +02:00
Jouni Malinen
224104ddf6 TLS: Reject openssl_ciphers parameter in non-OpenSSL cases
This TLS configuration parameter is explicitly for OpenSSL. Instead of
ignoring it silently, reject any configuration trying to use it in
builds that use other options for TLS implementation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-11 01:35:54 +02:00
Jouni Malinen
6dbbef9603 Define host_to_le32() for Windows builds
This define had been forgotten at some point in time and wpa_supplicant
compilation for Windows failed with some recently added code that
depended on this.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-11 00:58:10 +02:00
Jouni Malinen
7d28e46a6c Fix os_win32 build
Addition of os_memcmp_const() in commit
afc3c8b07f had forgotten to include
common.h into os_win32.c to get u8 defined.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-11 00:58:10 +02:00
Jouni Malinen
0b402479bf Remove Network Security Service (NSS) support
NSS as a TLS/crypto library alternative was never completed and this
barely functional code does not even build with the current NSS version.
Taken into account that there has not been much interest in working on
this crypto wrapper over the years, it is better to just remove this
code rather than try to get it into somewhat more functional state.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-11 00:58:10 +02:00
Jouni Malinen
d16694761a schannel: Reject subject_match, altsubject_match, suffix_match
Validation of these parameters has not been implemented with schannel.
Instead of ignoring them silently, reject the configuration to avoid
giving incorrect impression of the parameters being used if
wpa_supplicant is built with schannel instead of the default OpenSSL.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-11 00:58:10 +02:00
Jouni Malinen
59051f8ecf TLS: Reject subject_match, altsubject_match, suffix_match
Validation of these parameters has not been implemented in the internal
TLS implementation. Instead of ignoring them silently, reject the
configuration to avoid giving incorrect impression of the parameters
being used if wpa_supplicant is built with the internal TLS
implementation instead of the default OpenSSL.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-11 00:37:21 +02:00
Jouni Malinen
f8717ac8b3 GnuTLS: Reject subject_match, altsubject_match, suffix_match
Validation of these parameters has not been implemented with GnuTLS.
Instead of ignoring them silently, reject the configuration to avoid
giving incorrect impression of the parameters being used if
wpa_supplicant is built with GnuTLS instead of the default OpenSSL.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-11 00:33:48 +02:00
Jouni Malinen
e24aef10cf Fix a typo in domain_suffix_match documentation
Spell SubjectName correctly.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-11 00:27:01 +02:00
Jouni Malinen
394b54732e Improve subject_match and domain_suffix_match documentation
These were already covered in both README-HS20 for credentials and in
header files for developers' documentation, but the copy in
wpa_supplicant.conf did not include all the details. In addition, add a
clearer note pointing at subject_match not being suitable for suffix
matching domain names; domain_suffix_match must be used for that.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-11 00:27:01 +02:00
Jouni Malinen
8a42a076aa trace: Fix out-of-memory testing logic
data.function needs to be set for the return value to be of any use and
strcmp won't work with NULL pointer either. (CID 99907)

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-10 17:35:53 +02:00
Stefan Tomanek
79cd993a62 Add address masks to BSSID lists
In many applications it is useful not just to enumerate a group of well
known access points, but to use a address/mask notation to match an
entire set of addresses (ca:ff:ee:00:00:00/ff:ff:ff:00:00:00).

This change expands the data structures used by MAC lists to include a
mask indicating the significant (non-masked) portions of an address and
extends the list parser to recognize mask suffixes.

Signed-off-by: Stefan Tomanek <stefan.tomanek@wertarbyte.de>
2015-01-10 17:35:53 +02:00
Jouni Malinen
21c74e8462 nl80211: Use a helper function to put mesh_id
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-10 17:35:53 +02:00
Jouni Malinen
85e1fad8a5 nl80211: Use a helper function for putting beacon interval
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-10 17:35:53 +02:00
Jouni Malinen
6dfc55723d Remove mesh_ht_mode network block parameter
There should not be a mesh-specific mechanism for setting up channel
parameters since that will just result in duplicated code. IBSS, mesh,
and AP mode can use the same data structures and parameters for setting
up such parameters.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-10 17:35:53 +02:00
Jouni Malinen
f7e889fa2d mesh: Convert channel configuration to use common routines
Use struct hostapd_freq_params just like other modes do instead of
mesh-specific freq and ht_mode.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-10 17:35:53 +02:00
Jouni Malinen
1fc4ab2367 nl80211: Move debug prints into nl80211_put_freq_params()
This way all callers can get the benefit of the same debug prints.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-10 17:35:53 +02:00
Jouni Malinen
cae87abd13 nl80211: Add a helper function for putting basic rates
There is no need for maintaining two more or less identical copies of
this functionality.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-10 17:35:53 +02:00
Janusz Dziedzic
a828f626af Make check_40mhz_2g4 common
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2015-01-10 17:35:53 +02:00
Janusz Dziedzic
fdd989d17a Make check_20mhz_bss common
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2015-01-10 17:35:53 +02:00
Janusz Dziedzic
0e550fe496 Make check_40mhz_5g common
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2015-01-10 17:35:53 +02:00
Janusz Dziedzic
6d5d098f77 Make get_pri_sec_chan() common
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2015-01-10 17:35:53 +02:00
Janusz Dziedzic
514427437a Introduce common allowed_ht40_channel_pair()
This can be used from hostapd/wpa_supplicant.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2015-01-10 17:35:53 +02:00
Janusz Dziedzic
5f10b7f498 Use common hw_get_freq/hw_get_chan helpers in hostapd
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2015-01-10 17:35:53 +02:00