Jouni Malinen [Fri, 28 Feb 2020 20:54:36 +0000 (22:54 +0200)]
os_unix: Seed random() for os_random()
While the users of os_random() do not really need strong pseudo random
numebrs, there is no significant harm in seeding random() with data from
os_get_random(), i.e., /dev/urandom, to get different sequence of not so
strong pseudo random values from os_random() for each time the process
is started.
Jouni Malinen [Fri, 28 Feb 2020 15:41:07 +0000 (17:41 +0200)]
SAE: Do not use PMKSA entry after its reauth threshold
Since SAE PMK can be updated only by going through a new SAE
authentication instead of being able to update it during an association
like EAP authentication, do not allow PMKSA entries to be used for
caching after the reauthentication threshold has been reached. This
allows the PMK to be updated without having to force a disassociation
when the PMK expires if the station roams between the reauthentication
threshold and expiration timeout.
Jouni Malinen [Fri, 28 Feb 2020 15:26:36 +0000 (17:26 +0200)]
SAE: Do not clone PMKSA entry for OKC after its reauth threshold
Since SAE PMK can be updated only by going through a new SAE
authentication instead of being able to update it during an association
like EAP authentication, do not allow PMKSA entries to be used for OKC
after the reauthentication threshold has been reached. This allows the
PMK to be updated without having to force a disassociation when the PMK
expires if the station roams between the reauthentication threshold and
expiration timeout.
Jouni Malinen [Fri, 28 Feb 2020 14:37:28 +0000 (16:37 +0200)]
SAE: Fix PMKID derivation for OKC
SAE authentication derives PMKID differently from the EAP cases. The
value comes from information exchanged during SAE authentication and
does not bind in the MAC addresses of the STAs. As such, the same PMKID
is used with different BSSIDs. Fix both the hostapd and wpa_supplicant
to use the previous PMKID as is for OKC instead of deriving a new PMKID
using an incorrect derivation method when using an SAE AKM.
This fixes use of opportunistic key caching with SAE.
Jouni Malinen [Thu, 27 Feb 2020 22:31:33 +0000 (00:31 +0200)]
wlantest: Get STA IEs based on EAPOL-Key msg 2/4 before PTK derivation
The previous implementation tried to update STA IE information based on
EAPOL-Key msg 2/4 to be able to handle captures that do not include the
(Re)Association Request frame. This was not sufficient (OSEN was not
included) and was done too late (the parsed information is needed for
PMK-to-PTK derivation).
Move the IE update step to happen before trying to derive the PTK if no
(Re)Association Request frame has been seen.
Krishna Rao [Fri, 14 Feb 2020 12:25:40 +0000 (17:55 +0530)]
Add attribute for dwell time in QCA vendor scan
Add an attribute QCA_WLAN_VENDOR_ATTR_SCAN_DWELL_TIME for specifying
dwell time in the QCA vendor scan command. This is a common value which
applies across all frequencies requested in the scan.
Jouni Malinen [Tue, 25 Feb 2020 11:08:00 +0000 (13:08 +0200)]
tests/fuzzing: Fix build after CONFIG_IEEE80211N=y removal
Commit f3bcd6960346 ("Remove CONFIG_IEEE80211N build option") broke
couple of fuzzing test tools due to missing wpa_scan_results_free(). Fix
that by pulling in driver_common.o.
Sunil Dutt [Thu, 20 Feb 2020 09:39:38 +0000 (15:09 +0530)]
Fix enum qca_wlan_vendor_attr_config value prefix
Couple of the attributes were defined with inconsistent prefix in the
name (missing "CONFIG_"). Fix these to use the common prefix for all
enum qca_wlan_vendor_attr_config values. Add defined values for the
incorrect names to avoid issues with existing users.
Jouni Malinen [Mon, 24 Feb 2020 18:04:21 +0000 (20:04 +0200)]
tests: WPS PBC session overlap detection with single BSSID selected
Update grpform_pbc_overlap not to require PBC session overlap to be
detected since in this sequence a single BSSID is specified and other
APs can be ignored while checking for session overlap. Add other test
cases to explicitly check for the PBC session overlap detection in
non-P2P and P2P cases when the BSSID is specified.
Jouni Malinen [Mon, 24 Feb 2020 17:53:49 +0000 (19:53 +0200)]
WPS: Ignore other APs if PBC is used with a specific BSSID
While the WSC specification requires the Enrollee to stop PBC
provisioning if the scan sees multiple APs in active PBC mode, this is
problematic due to some deployed devices continuing to advertise PBC
mode for extended duration (or even permanently). Such an environment
will still need to prevent wildcard AP selection with PBC since an
incorrect device could be selected. However, if the Enrollee device has
been explicitly requested to connect to a specific AP based on its
BSSID, the other APs in scan results can be ignored without affecting
which AP would be selected (only the one matching the specified BSSID is
acceptable).
Start filtering scan results for PBC session overlap check based on the
locally specified constraint on the BSSID, if one is set. This allows
PBC to be used with "WPS_PBC <BSSID>" command in environment where
another AP device is claiming to be in active PBC mode while "WPS_PBC"
command will still continue to reject provisioning since the correct AP
cannot be selected.
This will also cover the P2P cases where P2P_CONNECT is used to start or
authorize GO Negotiation and joining-a-GO with a specific P2P GO
Interface Address (BSSID).
Jouni Malinen [Fri, 21 Feb 2020 16:19:04 +0000 (18:19 +0200)]
nl80211: Beacon protection capability flag and default key type
Add a new capability flag based on the nl80211 feature advertisement and
start using the new default key type for Beacon protection. This enables
AP mode functionality to allow Beacon protection to be enabled. This is
also enabling the previously added ap_pmf_beacon_protection_* hwsim test
cases.
Jouni Malinen [Sun, 23 Feb 2020 15:38:23 +0000 (17:38 +0200)]
tests: Use proper temp files for dynamically created config
Replace the hardcoded /tmp filenames for generated ACL and BSS
configuration files with proper temporary files from tempfile.mkstemp()
to avoid conflicts with existing files or with parallel uses. Remove ACL
files from the local directory at the end of each test case. BSS files
are currently left behind, but can be cleaned up separately if needed
for non-VM testing (VM testing has those on ramdrive so they get dropped
automatically at the end) and for remote devices.
Janusz Dziedzic [Sun, 12 Jan 2020 22:02:26 +0000 (23:02 +0100)]
tests: Extend wpas_ctrl_bssid_filter for remote testing
When this test case is ran in remote test environment, there could be
additional APs in scan results after bssid_filter has been disabled.
That breaks the check on SCAN_RESULTS output. Extend this to cover the
remote testing case by using bssid_filter with both known APs listed
instead of full wildcard.
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
Janusz Dziedzic [Sun, 12 Jan 2020 22:02:24 +0000 (23:02 +0100)]
tests: remote: Generate and send BSS configuration files
Instead of hardcoded bss-[1-6]*.conf files, generate them using the
correct BSSID for each AP device and send/install them on the remote
client as well if needed.
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
Janusz Dziedzic [Sun, 12 Jan 2020 22:02:23 +0000 (23:02 +0100)]
hostapd: Replace UDP ctrl_iface global cookies with per-instance ones
The cookie values for UDP control interface commands was defined as a
static global array. This did not allow multi-BSS test cases to be
executed with UDP control interface. For example, after
hapd1 = hostapd.add_bss(apdev[0], ifname1, 'bss-1.conf')
hapd2 = hostapd.add_bss(apdev[0], ifname2, 'bss-2.conf')
hapd1->ping() did not work.
Move those cookie values to per-instance location in struct
hapd_interfaces and struct hostapd_data to fix this.
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
Janusz Dziedzic [Sun, 12 Jan 2020 22:02:22 +0000 (23:02 +0100)]
tests: Generate ACL files
Generate ACL files instead of using files with hardcoded values for the
STA MAC addresses. Send the generated files also to the remote client if
required.
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
Janusz Dziedzic [Sun, 12 Jan 2020 22:02:21 +0000 (23:02 +0100)]
tests: remotehost: Add send_file()
Some hostapd test cases use configuration files, e.g., ACLs in BSS
configuration. When executing remote tests (udp), we have to first send
these configuration files to the appropriate remote device. The new
send_file() helper can be used for that.
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
Janusz Dziedzic [Sun, 12 Jan 2020 22:02:20 +0000 (23:02 +0100)]
Use IFNAME= prefix for global UDP control interface events
There does not seem to be a good reason for using the different IFACE=
prefix on the UDP control interface. This got added when the UDP
interface in wpa_supplicant was extended in commit f0e5d3b5c6c7
("wpa_supplicant: Share attach/detach/send UDP ctrl_iface functions")
and that was then extended to hostapd in commit e9208056856c ("hostapd:
Extend global control interface notifications").
Replace the IFACE= prefix in UDP case with IFNAME= to be consistent with
the UNIX domain socket based control interface.
This fixes a problem when at least one test case fail (hapd_ctrl_sta)
when remote/udp used. This also fixes test_connectivity().
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
Janusz Dziedzic [Sun, 12 Jan 2020 22:02:18 +0000 (23:02 +0100)]
tests: remote: Allow hwsim test cases with more than two arguments
This allows more test cases to be run in remote setup. Previously, we
used to block all test cases that required more than two arguments
(i.e., that needed the params argument).
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
Alexander Wetzel [Fri, 10 Jan 2020 22:19:09 +0000 (23:19 +0100)]
STA: Allow PTK rekeying without Ext KeyID to be disabled as a workaround
Rekeying a pairwise key using only keyid 0 (PTK0 rekey) has many broken
implementations and should be avoided when using or interacting with
one. The effects can be triggered by either end of the connection and
range from hardly noticeable disconnects over long connection freezes up
to leaking clear text MPDUs.
To allow affected users to mitigate the issues, add a new configuration
option "wpa_deny_ptk0_rekey" to replace all PTK0 rekeys with fast
reconnects.
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
Alexander Wetzel [Fri, 10 Jan 2020 22:19:08 +0000 (23:19 +0100)]
AP: Allow PTK rekeying without Ext KeyID to be disabled as a workaround
Rekeying a pairwise key using only keyid 0 (PTK0 rekey) has many broken
implementations and should be avoided when using or interacting with
one. The effects can be triggered by either end of the connection and
range from hardly noticeable disconnects over long connection freezes up
to leaking clear text MPDUs.
To allow affected users to mitigate the issues, add a new hostapd
configuration option "wpa_deny_ptk0_rekey" to replace all PTK0 rekeys
with disconnection. This requires the station to reassociate to get
connected again and as such, can result in connectivity issues as well.
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
nl80211: Add driver capability flag for CAN_REPLACE_PTK0
The CAN_REPLACE_PTK0 flag provided by nl80211 can be used to detect if
the card/driver is explicitly indicating capability to rekey STA PTK
keys using only keyid 0 correctly.
Check if the card/driver supports it and make the status available as a
driver flag.
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
Jouni Malinen [Sat, 22 Feb 2020 17:07:11 +0000 (19:07 +0200)]
Do not skip MBO PMF check with the WPS special case WPA check exception
The MBO PMF check for AP SME in the driver case was added into a
location that is skipped for WPS processing. That was not really the
correct place for this since the skip_wpa_check label was supposed to
remain immediately following the WPA checks. While this does not really
have much of a practical impact, move the check around so that the
skip_wpa_check label remains where it is supposed to be.
Fixes: 4c572281edaa ("MBO: Mandate use of PMF for WPA2+MBO association (AP)") Signed-off-by: Jouni Malinen <j@w1.fi>
Ouden [Fri, 21 Feb 2020 01:39:46 +0000 (09:39 +0800)]
Save RM enabled capability of station with AP SME
Save RM enabled capability element of an associating station when
hostapd use the device AP SME similarly to how this information is saved
with SME-on-hostapd cases. This allows radio measurement operations
(e.g., REQ_BEACON) to be used.
Jouni Malinen [Sat, 22 Feb 2020 16:49:01 +0000 (18:49 +0200)]
Make INTERWORKING_CONNECT more reliable in testing environment
Pick the most recently added BSS entry based on BSSID matching to avoid
issues in testing environment where the SSID of the AP may have changed
and both the old and new BSS is still present in the scan results.
Jouni Malinen [Sat, 22 Feb 2020 15:05:20 +0000 (17:05 +0200)]
Remove Secondary Channel Offset element from Beacon/Probe Response frames
This element is not used in Beacon or Probe Response frames (which is
the reason why the standard does not indicate where exactly it would be
in those frames..); HT Operation element has this information and so
does Extended CSA element.
In practice, this reverts the functionality added in commit 76aab0305c1f
("Add secondary channel IE for CSA").
Jouni Malinen [Sat, 22 Feb 2020 14:22:18 +0000 (16:22 +0200)]
Remove CONFIG_IEEE80211N build option
Hardcoded CONFIG_IEEE80211N to be included to clean up implementation.
More or less all new devices support IEEE 802.11n (HT) and there is not
much need for being able to remove that functionality from the build.
Included this unconditionally to get rid of one more build options and
to keep things simpler.
Jouni Malinen [Sat, 22 Feb 2020 14:07:17 +0000 (16:07 +0200)]
Fix location of MDE and RSNXE in Beacon and Probe Response frames
Split the IEs from WPA authenticator state machine into separately added
IEs so that the exact location between these and other elements can be
controlled. This fixes the location of MDE and RSNXE in Beacon and Probe
Response frames. In addition, this swaps the order of BSS Load and RM
Enabled Capabilities elements in Beacon frames to get them into the
correct order (which was already used for Probe Response frames).
Furthermore, this fixes the buffer end checks for couple of elements to
make the implementation more consistent (though, in practice, there is
no impact from this since the old size limit was smaller than needed,
but still sufficiently large to have room for these).
Jouni Malinen [Mon, 17 Feb 2020 15:43:11 +0000 (17:43 +0200)]
nl80211: Handle AKM suite selectors for AP configuration
Previously only couple of AKM suite selectors were converted into
NL80211_ATTR_AKM_SUITES. Add rest of the AKM suites here. However, since
the current kernel interface has a very small limit
(NL80211_MAX_NR_AKM_SUITES = 2), add the attribute only when no more
than that limit entries are included. cfg80211 would reject the command
with any more entries listed.
This needs to be extended in cfg80211/nl80211 in a backwards compatible
manner, so this seems to be the best that can be done for now in user
space. Many drivers do not use this attribute, so must not reject the
configuration completely when larger number of AKM suites is configured.
Such cases may not work properly with drivers that depend on
NL80211_ATTR_AKM_SUITES value.
Jouni Malinen [Mon, 17 Feb 2020 15:25:05 +0000 (17:25 +0200)]
nl80211: Add NLA_F_NESTED to nla_nest_start() with older libnl versions
This is needed to work around a missing attribute that would cause
cfg80211 to reject some nl80211 commands (e.g.,
NL80211_ATTR_VENDOR_DATA) with new kernel versions that enforce netlink
attribute policy validation.
Jouni Malinen [Sun, 16 Feb 2020 16:31:31 +0000 (18:31 +0200)]
webkit: Track gtk_main()/gtk_main_quit() calls
Avoid unnecessary warnings from webkit on calling gtk_main_quit() more
than once for a single gtk_main() call. This is also fixing an issue for
a corner case where the very first URL has special purpose (osu:// or
http://localhost:12345).
Jouni Malinen [Sun, 16 Feb 2020 15:33:58 +0000 (17:33 +0200)]
hs20-osu-client: Validate HTTPS server certificate by default (browser)
This changes "hs20-osu-client browser <URL>" behavior to validate the
HTTPS server certificate against the system trust roots. The new command
line argument -T can be used to disable this validation.
This does not change behavior for SPP/OMA-DM triggered OSU operation,
i.e., they continue to not mandate server certificate validation for now
to avoid breaking existing test cases.
Jouni Malinen [Sun, 16 Feb 2020 15:28:58 +0000 (17:28 +0200)]
hs20_web_browser() to allow TLS server validation to be enabled
hs20_web_browser() was previously hardcoded to not perform strict TLS
server validation. Add an argument to this function to allow that
behavior to be configured. The hs20-osu-client users are still using the
old behavior, i.e., not validating server certificates, to be usable for
testing purposes.
Jouni Malinen [Sun, 16 Feb 2020 11:58:54 +0000 (13:58 +0200)]
HT: Remove SMPS in AP mode
SM Power Save was described in somewhat unclear manner in IEEE Std
802.11n-2009 as far the use of it locally in an AP to save power. That
was clarified in IEEE Std 802.11-2016 to allow only a non-AP STA to use
SMPS while the AP is required to support an associated STA doing so. The
AP itself cannot use SMPS locally and the HT Capability advertisement
for this is not appropriate.
Remove the parts of SMPS support that involve the AP using it locally.
In practice, this reverts the following commits: 04ee647d58a2 ("HT: Let the driver advertise its supported SMPS modes for AP mode") 8f461b50cfe4 ("HT: Pass the smps_mode in AP parameters") da1080d7215f ("nl80211: Advertise and configure SMPS modes")
John Crispin [Tue, 4 Feb 2020 08:04:54 +0000 (09:04 +0100)]
HE: Extend BSS color support
The HE Operation field for BSS color consists of a disabled, a partial,
and 6 color bits. The original commit adding support for BSS color
considered this to be a u8. This commit changes this to the actual
bits/values.
This adds an explicit config parameter for the partial bit. The disabled
is set to 0 implicitly if a bss_color is defined.
Interoperability testing showed that stations will require a BSS color
to be set even if the feature is disabled. Hence the default color is 1
when none is defined inside the config file.
Jouni Malinen [Sun, 16 Feb 2020 09:54:36 +0000 (11:54 +0200)]
WPS: Mark added PSK entry with wps=1 tag for per-Enrollee PSK case
Commit 2bab073dfe02 ("WPS: Add new PSK entries with wps=1 tag") added
this when writing the new entry into a file, but the in-memory update
did not get the tag. Add it there as well.
projects / thirdparty / hostap.git / log
