Avoid implicit conversion errors when constructing bytes objects or
passing a str object to a function that needs a bytes object.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
Signed-off-by: Jouni Malinen <j@w1.fi>
The wpas_config_file_key_mgmt fails with this error if wpa_supplicant is
built without CONFIG_SUITEB192=y:
Exception: SET_NETWORK failed
Exception: SET_NETWORK failed
Skip the WPA-EAP-SUITE-B-192 case if it is not supported in
wpa_supplicant so that the rest of the key_mgmt test coverage is
included.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
This is needed in cases the hexlify() output is used to concatenate with
a string or used in string comparisons.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
Signed-off-by: Jouni Malinen <j@w1.fi>
The control interface commands use mostly ASCII or UTF-8 strings, so
convert input/output to strings/bytes as needed for the socket
operations with python3.
Signed-off-by: Jouni Malinen <j@w1.fi>
This patch is made by using 2to3 command with some modifications.
$ find . -name *.py | xargs 2to3 -f imports -w -n
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
These were not used at all and caused unnecessary operations and in some
cases, compatibility issues with python3.
Signed-off-by: Jouni Malinen <j@w1.fi>
The case of PEAPv0 with crypto binding did not clear some of the
temporary keys from stack/heap when those keys were not needed anymore.
Clear those explicitly to avoid unnecessary caching of keying material.
Signed-off-by: Jouni Malinen <j@w1.fi>
Derive EMSK when using EAP-PEAP to enable ERP. In addition, change the
MSK derivation for EAP-PEAP to always derive 128 octets of key material
instead of the 64 octets to cover just the MSK. This is needed with the
PRF used in TLS 1.3 since the output length is mixed into the PRF
context.
Signed-off-by: Jouni Malinen <j@w1.fi>
This code is identical to the wait_event() code, except for the
mon/global_mon instance. Create a _wait_event() function that
encapsulates this, and use it for both.
While at it, fix the bug in wait_global_event() where in the case
of not having a global_mon it always returns None.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
This is useful when running a test multiple times, looking at
log output etc. to not have to pick out the right directory
each and every time.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
If the DPP_LISTEN command failed due to the driver rejecting the
remain-on-channel request, wpa_s->dpp_listen_freq was left set to the
requested listen frequency and this resulted in the next DPP_LISTEN for
the same frequency reporting "DPP: Already listening on .." even when
the driver was not really listening on that frequency. Fix this by
clearing wpa_s->dpp_listen_freq in the error case.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The avoid channels are notified through
QCA_NL80211_VENDOR_SUBCMD_AVOID_FREQUENCY allow minimal traffic, so
enhance the P2P behavior accordingly by considering these avoid
frequencies for P2P discovery/negotiation as long as they are not in
disallowed frequencies list.
Additionally, do not return failure when none of social channels are
available as operation channel, rather, mark the op_channel/op_reg_class
to 0 as this would anyway get selected during the group formation in
p2p_prepare_channel.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The wnm_sleep_mode_proto test case was already covering number of
invalid WNM-Sleep Mode Request frame cases, but it was missing the
shortest possible case with a missing Dialog Token field. Add that as a
regression test case for bounds checking in
ieee802_11_rx_wnmsleep_req().
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
ieee802_11_rx_wnmsleep_req() might have been called for a short frame
that has no more payload after the Public Action field, i.e., with len
== 0. The bounds checking for the payload length was done only for the
information elements while the one octet Dialog Token field was read
unconditionally. In the original implementation, this could have
resulted in reading one octet beyond the end of the received frame data.
This case has not been reachable after the commit e0785ebbbd ("Use
more consistent Action frame RX handling in both AP mode paths"), but it
is better to address the specific issue in ieee802_11_rx_wnmsleep_req()
as well for additional protection against accidential removal of the
check and also to have something that can be merged into an older
version (pre-v2.7) if desired. The comments below apply for such older
versions where the case could have been reachable.
Depending on driver interface specific mechanism used for fetching the
frame, this could result in reading one octet beyond the end of a
stack/hash buffer or reading an uninitialized octet from within a
buffer. The actual value that was read as the Dialog Token field is not
used since the function returns immediately after having read this value
when there is no information elements following the field.
This issue was initially added in commit d32d94dbf4 ("WNM: Add
WNM-Sleep Mode implementation for AP") (with CONFIG_IEEE80211V=y build
option) and it remained in place during number of cleanup and fix
changes in this area and renaming of the build parameter to
CONFIG_WNM=y. The impacted function was not included in any default
build without one of the these optional build options being explicitly
enabled. CONFIG_WNM=y is still documented as "experimental and not
complete implementation" in hostapd/defconfig. In addition, commit
114f2830d2 ("WNM: Ignore WNM-Sleep Mode Request in wnm_sleep_mode=0
case") made this function exit before the impact read if WNM-Sleep Mode
support was not explicitly enabled in runtime configuration
(wnm_sleep_mode=1 in hostapd.conf). Commit e0785ebbbd ("Use more
consistent Action frame RX handling in both AP mode paths") made this
code unreachable in practice.
Add an explicit check that the frame has enough payload before reading
the Dialog Token field in ieee802_11_rx_wnmsleep_req().
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This patch adds a new flag 'crl_reload_interval' to reload CRL
periodically. This can be used to reload ca_cert file and the included
CRL information on every new TLS session if difference between the last
reload and the current time in seconds is greater than
crl_reload_interval.
This reloading is used for cases where check_crl is 1 or 2 and the CRL
is included in the ca_file.
Signed-off-by: Paresh Chaudhary <paresh.chaudhary@rockwellcollins.com>
Signed-off-by: Jared Bents <jared.bents@rockwellcollins.com>
The wpa_psk_file can now be modified and hostapd can be told to re-read
it with the control interface RELOAD_WPA_PSK command:
$ hostapd_cli reload_wpa_psk
It must be noted special care must be taken if WPS is configured
(wps_state=2, eap_server=1) because WPS appends PMKs to the
wpa_psk_file.
Signed-off-by: Michal Kazior <michal@plume.com>
It is now possible to optionally specify keyid for
each wpa_psk_file entry:
keyid=something 00:00:00:00:00:00 secretpassphrase
When station connects and the passphrase it used
has an associated keyid it will be appended to the
AP-STA-CONNECTED event string:
wlan0: AP-STA-CONNECTED 00:36:76:21:dc:7b keyid=something
It's also possible to retrieve it through the control interface:
$ hostapd_cli all_sta
Selected interface 'ap0'
00:36:76:21:dc:7b
...
keyid=something
New hostapd is able to read old wpa_psk_file. However, old hostapd will
not be able to read the new wpa_psk_file if it includes keyids.
Signed-off-by: Michal Kazior <michal@plume.com>
This doesn't change any behavior on its own. It's going to be used to
expose per-station keyids and allow reloading passphrases in runtime.
Signed-off-by: Michal Kazior <michal@plume.com>
This patch is made by using 2to3 command.
find . -name *.py | xargs 2to3 -f future -w -n
This was not really needed in this file for python2 compatibility.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
The network configration option multi_ap_backhaul_sta was added without
adding it to wpa_config_write_network(). Hence the value of this option
was not included when writing the configuration file. Fix this by
including it in wpa_config_write_network().
Fixes: 5abc7823b ("wpa_supplicant: Add Multi-AP backhaul STA support")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This is probably not ideal, since it would be better if it ended up
being autogenerated somehow, but at least it's somewhat of an
improvement.
Also added a comment that encourages keeping the docs in sync.
Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
When setting scan with randomized MAC, check the requested scan type
against supported types, to ensure callers will not set an unsupported
type, since this can cause scan/connect failures later. It is better to
do this in wpas_mac_addr_rand_scan_set() instead of control interface
specific code to apply the constraint on all possible interfaces using
this setting.
Signed-off-by: Lior David <liord@codeaurora.org>
sme_event_unprot_disconnect() is only defined with CONFIG_IEEE80211W, so
the CONFIG_TESTING_OPTIONS command UNPROT_DEAUTH can be defined only
with builds that enable IEEE 802.11w support.
Signed-off-by: Lior David <liord@codeaurora.org>
Support the new Extended Capabilities field bits 81 and 82 to indicate
whether SAe Password Identifiers are in use.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The new subrem field in the users database can now be used to issue an
alternative subscription remediation updateNode for clients using
certificate credentials. The data file for this case is similar to the
policy update files, but it starts with the managementTreeURI value in
the first line.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
There is no point in trying to update the Credential node with the
existing contents in case of subscription remediation using a client
certificate instead of a username/password credential, so use the
noMOUpdate in that case.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The standard amendment has been published and there has been sufficient
amount of interoperability testing for FILS to expect the protocol not
to be changed anymore, so remove the notes claiming this to be
experimental and not suitable for production use.
Signed-off-by: Jouni Malinen <j@w1.fi>