Sunil Dutt [Thu, 1 Feb 2018 07:15:41 +0000 (12:45 +0530)]
nl80211: Introduce the interface for external authentication
This command/event interface can be used by host drivers that do not
define separate commands for authentication and association but rely on
wpa_supplicant for the authentication (SAE) processing.
Guisen Yang [Thu, 1 Feb 2018 09:05:19 +0000 (17:05 +0800)]
Add new QCA vendor commands for thermal shutdown
Add new QCA vendor commands and attributes to get thermal information
and send thermal shutdown related commands. Indicates the driver to
enter the power saving mode or resume from the power saving mode based
on the given temperature and thresholds.
Ashok Ponnaiah [Tue, 30 Jan 2018 11:24:39 +0000 (16:54 +0530)]
OWE: Use PMKSA caching if available with driver AP MLME
If a matching PMKSA cache entry is present for an OWE client, use it and
do not go through DH while processing Association Request frame.
Association Response frame will identify the PMKID in such a case and DH
parameters won't be present.
Ashok Ponnaiah [Mon, 29 Jan 2018 16:11:03 +0000 (18:11 +0200)]
hostapd: Send broadcast Public Action frame with wildcard BSSID address
Send Public Action frames with wildcard BSSID when destination was
broadcast address. This is required for DPP PKEX where the recipients
may drop the frames received with different BSSID than the wildcard
address or the current BSSID.
Jouni Malinen [Sun, 21 Jan 2018 22:07:44 +0000 (00:07 +0200)]
FILS: Fix extended capability bit setting for FILS in AP mode
FILS capability bit setting could have ended up setting both bits 72
(correct) and 64 (incorrect; part of Max Number of MSDUs In A-MSDU). Fix
this by adding the missing break to the switch statement.
Fixed: f55acd909e37 ("FILS: Set FILS Capability bit in management frames from AP")
Signed-off-by: Jouni Malinen <j@w1.fi>
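The failure mode described in the commit above, as an added example that is not hostapd code: a constructed per-octet Extended Capabilities builder in which a missing break lets the octet 8 case run the octet 9 code, so the FILS flag lands in bit 64 as well as bit 72. The function names and the other8 parameter are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#define EXT_CAPAB_LEN 10 /* octets 0..9 carry bits 0..79 */
/* Constructed model (not hostapd code); other8 is a hypothetical octet 8 flag value. */
uint8_t octet_missing_break(int idx, uint8_t other8, int fils)
{
	uint8_t v = 0;
	switch (idx) {
	case 8: /* bits 64-71 */
		v |= other8;
		/* falls through - the break is missing here */
	case 9: /* bits 72-79 */
		if (fils)
			v |= 0x01; /* bit 72 for idx 9, but bit 64 for idx 8 */
		break;
	}
	return v;
}
uint8_t octet_with_break(int idx, uint8_t other8, int fils)
{
	uint8_t v = 0;
	switch (idx) {
	case 8: /* bits 64-71 */
		v |= other8;
		break;
	case 9: /* bits 72-79 */
		if (fils)
			v |= 0x01; /* bit 72 only */
		break;
	}
	return v;
}
typedef uint8_t (*octet_fn)(int, uint8_t, int);
/* Build the element body with FILS enabled and report whether `bit` is set. */
int fils_bit_set(octet_fn fn, unsigned int bit)
{
	uint8_t buf[EXT_CAPAB_LEN];
	for (int i = 0; i < EXT_CAPAB_LEN; i++)
		buf[i] = fn(i, 0x00, 1);
	return (buf[bit / 8] >> (bit % 8)) & 1;
}
int main(void)
{
	printf("bit 64 set: missing break=%d, with break=%d\n",
	       fils_bit_set(octet_missing_break, 64), fils_bit_set(octet_with_break, 64));
	return 0;
}
```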
Jouni Malinen [Fri, 8 Dec 2017 15:05:40 +0000 (17:05 +0200)]
EAP-SIM/AKA: Separate identity for MK derivation
This allows a separate configuration parameter (imsi_identity) to be
used in EAP-SIM/AKA/AKA' profiles to override the identity used in MK
derivation for the case where the identity is expected to be from the
last AT_IDENTITY attribute (or EAP-Response/Identity if AT_IDENTITY was
not used). This may be needed to avoid sending out an unprotected
permanent identity information over-the-air and if the EAP-SIM/AKA
server ends up using a value based on the real IMSI during the internal
key derivation operation (that does not expose the data to others).
Jouni Malinen [Sat, 13 Jan 2018 02:12:46 +0000 (04:12 +0200)]
DPP: Track M.x/N.x/L.x availability for ke derivation
This prevents an issue where duplicated Authentication Response frame
could have resulted in deriving a new ke value after M.x had already
been cleared. This would result in the following configuration exchange
failing. This could happen since many drivers do not filter out
retransmitted Public Action frames and link layer. Furthermore, this
could have been used as a denial-of-service attack against the DPP
exchange.
Jouni Malinen [Sat, 13 Jan 2018 01:56:26 +0000 (03:56 +0200)]
OWE: Allow station in transition mode to connect to an open BSS
If the OWE network profile matches an open network which does not
advertise OWE BSS, allow open connection. The new owe_only=1 network
profile parameter can be used to disable this transition mode and
enforce connection only with OWE networks.
Sunil Dutt [Thu, 21 Dec 2017 12:08:01 +0000 (17:38 +0530)]
Extend NUD Stats to collect the data packet statistics
This commit extends the existing QCA vendor specific NUD_STATS_GET/SET
interface to also collect the statistics of the data packets. The
intention here is to get more comprehensive information to detect the
network unreachability.
Jouni Malinen [Fri, 12 Jan 2018 18:55:33 +0000 (20:55 +0200)]
Copy WLAN-Reason-Code value from Access-Reject to Deauthentication
This makes hostapd use the WLAN-Reason-Code value from Access-Reject
when disconnecting a station due to IEEE 802.1X authentication failure.
If the RADIUS server does not include this attribute, the default value
23 (IEEE 802.1X authentication failed) is used. That value was the
previously hardcoded reason code.
Jouni Malinen [Fri, 12 Jan 2018 18:45:12 +0000 (20:45 +0200)]
RADIUS: Add WLAN-Reason-Code attribute to Access-Reject
Make the RADIUS server in hostapd add WLAN-Reason-Code attribute to all
Access-Reject messages generated based on EAP-Failure from the EAP
server. For now, the reason code value is set to 23 (IEEE 802.1X
authentication failed). This can be extended in future commits to cover
additional failure reasons.
HS 2.0: Set appropriate permission(s) for cert file/folders on Android
This commit adds additional permission to 'SP' and 'Cert' folders
which is needed to copy certificates from Cert to SP. Additionally,
this associates AID_WIFI group id with these folders.
Jouni Malinen [Thu, 11 Jan 2018 23:12:00 +0000 (01:12 +0200)]
Replace RSNE group key management mismatch status/reason codes
Use "cipher out of policy" value instead of invalid group cipher (which
is for the group data frame cipher) and management frame policy
violation (which is used for MFPC/MFPR mismatch).
Jouni Malinen [Mon, 8 Jan 2018 03:19:05 +0000 (05:19 +0200)]
DPP: Authentication exchange retries and channel iteration in hostapd
This extends hostapd with previously implemented wpa_supplicant
functionality to retry DPP Authentication Request/Response and to
iterate over possible negotiation channels.
Jouni Malinen [Mon, 8 Jan 2018 01:37:48 +0000 (03:37 +0200)]
Report offchannel RX frame frequency to hostapd
Not all code paths for management frame RX reporting delivered the
correct frequency for offchannel RX cases. This is needed mainly for
Public Action frame processing in some special cases where AP is
operating, but an exchange is done on a non-operational channel. For
example, DPP Initiator role may need to do this.
Jouni Malinen [Thu, 4 Jan 2018 15:06:40 +0000 (17:06 +0200)]
tests: Enable and require PMF in SAE and OWE test cases with sigma_dut
All SAE and OWE associations are expected to require PMF to be
negotiated, so enable or require PMF in AP and STA configurations
accordingly to match the new sigma_dut behavior.
Jouni Malinen [Fri, 29 Dec 2017 10:01:22 +0000 (12:01 +0200)]
tests: GnuTLS configuration of intermediate CA certificate
GnuTLS seems to require the intermediate CA certificate to be included
both in the ca_cert and client_cert file for the cases of server and
client certificates using different intermediate CA certificates. Use
the user_and_ica.pem file with GnuTLS builds and reorder the
certificates in that file to make this work with GnuTLS.
Jouni Malinen [Thu, 28 Dec 2017 16:46:28 +0000 (18:46 +0200)]
GnuTLS: Suite B validation
This allows OpenSSL-style configuration of Suite B parameters to be used
in the wpa_supplicant network profile. 128-bit and 192-bit level
requirements for ECDHE-ECDSA cases are supported. RSA >=3K case is
enforced using GnuTLS %PROFILE_HIGH special priority string keyword.
Jouni Malinen [Thu, 28 Dec 2017 11:18:15 +0000 (13:18 +0200)]
GnuTLS: Make debug prints clearer for cert/key parsing
Indicate more clearly when the parsing succeeds to avoid ending the
debug prints with various internal GnuTLS internal error messages even
when the parsing actually succeeded in the end.
Jouni Malinen [Wed, 27 Dec 2017 19:06:02 +0000 (21:06 +0200)]
OWE: Try all supported DH groups automatically on STA
If a specific DH group for OWE is not set with the owe_group parameter,
try all supported DH groups (currently 19, 20, 21) one by one if the AP
keeps rejecting groups with the status code 77.
Jouni Malinen [Wed, 27 Dec 2017 16:38:12 +0000 (18:38 +0200)]
Fix MFP-enabled test for disallowed TKIP
The test against use of TKIP was done only in MFP-required
(ieee80211w=2) configuration. Fix this to check the pairwise cipher for
MFP-enabled (ieee80211w=1) case as well.
Jouni Malinen [Wed, 27 Dec 2017 16:26:31 +0000 (18:26 +0200)]
SAE: Add option to require MFP for SAE associations
The new hostapd.conf parameter sae_require_pmf=<0/1> can now be used to
enforce negotiation of MFP for all associations that negotiate use of
SAE. This is used in cases where SAE-capable devices are known to be
MFP-capable and the BSS is configured with optional MFP (ieee80211w=1)
for legacy support. The non-SAE stations can connect without MFP while
SAE stations are required to negotiate MFP if sae_require_mfp=1.
Jouni Malinen [Wed, 27 Dec 2017 10:27:33 +0000 (12:27 +0200)]
tests: Set PMK length in eapol-fuzzer
Commit b488a12948751f57871f09baa345e59b23959a41 ('Clear PMK length and
check for this when deriving PTK') started rejecting PTK derivation
based on PMK length. This reduced coverage from the eapol-fuzzer, so set
the default length when initializing the state machine in the fuzzer to
reach the previously used code paths.
Jouni Malinen [Wed, 27 Dec 2017 10:17:44 +0000 (12:17 +0200)]
SAE: Set special Sc value when moving to Accepted state
Set Sc to 2^16-1 when moving to Accepted state per IEEE Std 802.11-2016,
12.4.8.6.5 (Protocol instance behavior - Confirmed state). This allows
the peer in Accepted state to silently ignore unnecessary
retransmissions of the Confirm message.
Jouni Malinen [Wed, 27 Dec 2017 10:14:41 +0000 (12:14 +0200)]
SAE: Add Rc variable and peer send-confirm validation
This implements the behavior described in IEEE Std 802.11-2016,
12.4.8.6.6 (Protocol instance behavior - Accepted state) to silently
discard received Confirm message in the Accepted state if the new
message does not use an incremented send-confirm value or if the special
2^16-1 value is used. This avoids unnecessary processing of
retransmitted Confirm messages.
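The Sc/Rc handling described in the two SAE commits above, as an added example that is not hostapd code: a filter for Confirm messages received in Accepted state, run over a constructed sequence of send-confirm values. The struct and function names are hypothetical, and recording the peer's send-confirm in Rc on the transition to Accepted, as well as treating every Confirm that passes the filter as successfully verified, are assumptions of this sketch.

```c
#include <stdint.h>
#include <stdio.h>

#define SAE_SC_ACCEPTED 0xffff /* 2^16-1: special send-confirm value */
enum sae_action { SAE_DISCARD, SAE_VERIFY };
/* Hypothetical per-peer state; Sc and Rc as named in the commit messages. */
struct sae_peer {
	uint16_t sc; /* send-confirm used in our own Confirm messages */
	uint16_t rc; /* last send-confirm accepted from the peer */
};
/* Transition to Accepted: Sc takes the special value (Rc update is assumed). */
void sae_enter_accepted(struct sae_peer *p, uint16_t peer_send_confirm)
{
	p->sc = SAE_SC_ACCEPTED;
	p->rc = peer_send_confirm;
}
/* Accepted state: decide whether a received Confirm is worth verifying. */
enum sae_action sae_accepted_rx_confirm(const struct sae_peer *p,
					uint16_t send_confirm)
{
	if (send_confirm == SAE_SC_ACCEPTED)
		return SAE_DISCARD; /* special value: peer is already Accepted */
	if (send_confirm <= p->rc)
		return SAE_DISCARD; /* retransmission: value not incremented */
	return SAE_VERIFY;
}
/* Feed send-confirm values; return how many frames reached verification. */
size_t sae_replay(struct sae_peer *p, const uint16_t *seq, size_t n)
{
	size_t verified = 0;
	for (size_t i = 0; i < n; i++) {
		if (sae_accepted_rx_confirm(p, seq[i]) == SAE_VERIFY) {
			p->rc = seq[i]; /* assumed: verification succeeded */
			verified++;
		}
	}
	return verified;
}
int main(void)
{
	const uint16_t seq[] = { 1, 1, 2, 2, 0xffff, 3, 2 }; /* constructed */
	struct sae_peer p;
	sae_enter_accepted(&p, 1);
	printf("verified %zu of 7 frames\n", sae_replay(&p, seq, 7));
	return 0;
}
```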
Jouni Malinen [Tue, 26 Dec 2017 10:46:22 +0000 (12:46 +0200)]
SAE: Make dot11RSNASAESync configurable
The new hostapd.conf parameter sae_sync (default: 5) can now be used to
configure the dot11RSNASAESync value to specify the maximum number of
synchronization errors that are allowed to happen prior to
disassociation of the offending SAE peer.
Jouni Malinen [Mon, 25 Dec 2017 16:36:17 +0000 (18:36 +0200)]
tests: Make dpp_pkex_test_fail and dpp_pkex_alloc_fail more robust
Wait for test/allocation failure for longer than the wait_fail_trigger()
default two seconds to allow DPP (in particular, PKEX) retransmission to
occur. This removes some issues where the previous wait was more or less
exactly the same duration as the retransmission interval and the first
Listen operation not always starting quickly enough to receive the first
frame.
Jouni Malinen [Sun, 24 Dec 2017 15:41:48 +0000 (17:41 +0200)]
PAE: Remove OpenSSL header dependency
Instead of requiring OpenSSL headers to be available just for the
SSL3_RANDOM_SIZE definition, replace that macro with a fixed length (32)
to simplify dependencies.
Jouni Malinen [Sun, 24 Dec 2017 15:25:39 +0000 (17:25 +0200)]
crypto: Implement new crypto API functions for DH
This implements crypto_dh_init() and crypto_dh_derive_secret() using
os_get_random() and crypto_mod_exp() for all crypto_*.c wrappers that
include crypto_mod_exp() implementation.
Peng Xu [Tue, 12 Dec 2017 17:00:01 +0000 (09:00 -0800)]
Add new QCA vendor attribute for getting preferred channel
A new vendor attribute QCA_WLAN_VENDOR_ATTR_GET_WEIGHED_PCL is added for
getting preferred channels with weight value and a flag to indicate how
the channels should be used in P2P negotiation process.
Sunil Dutt [Fri, 15 Dec 2017 09:28:48 +0000 (14:58 +0530)]
Vendor parameter for forcing RSNE override
Indicates the driver to use the RSNE as-is from the connect interface.
Exclusively used for the scenarios where the device is used as a testbed
device with special functionality and not recommended for production.
This helps driver to not validate the RSNE passed from user space and
thus allow arbitrary IE data to be used for testing purposes.
Jeff Johnson [Tue, 7 Nov 2017 19:15:50 +0000 (11:15 -0800)]
Define a QCA vendor command to retrieve SAR Power limits
Previously commit c79238b6a460ab6bc6ebc5e2453fd94716393105 ('Define a
QCA vendor command to configure SAR Power limits') implemented a vendor
command interface to allow a userspace entity to dynamically control the
SAR power limits. Now implement a command to retrieve the current SAR
power limits.
vamsi krishna [Thu, 14 Dec 2017 09:44:51 +0000 (15:14 +0530)]
FILS: Driver configuration to disable/enable FILS features
The new disable_fils parameter can be used to disable FILS functionality
in the driver. This is currently removing the FILS Capability bit in
Extended Capabilities and providing a callback to the driver wrappers.
driver_nl80211.c implements this using a QCA vendor specific command for
now.
hostapd: Add average channel utilization in STATUS
This allows external programs to get the average channel utilization.
The average channel utilization is calculated and reported through
STATUS command. Users need to configure chan_util_avg_period and
bss_load_update_period in hostapd config to get the average channel
utilization.
Signed-off-by: Bhagavathi Perumal S <bperumal@qti.qualcomm.com>
hostapd: Update BSS load update period dynamically
Recalculate the timeout value for each event instead of calculating this
once and then not allowing the timeout configuration to be changed
without fully stopping and restarting the interface.
This allows the bss_load_update_period configuration parameter to be
modified while a BSS continues operating.
Signed-off-by: Bhagavathi Perumal S <bperumal@qti.qualcomm.com>
Jouni Malinen [Mon, 11 Dec 2017 17:55:57 +0000 (19:55 +0200)]
hostapd_cli: Add dpp_listen and dpp_stop_listen
Now that hostapd exposes the DPP_LISTEN and DPP_STOP_LISTEN commands
similarly to wpa_supplicant, expose these through proper hostapd_cli
commands as well to match wpa_cli functionality.
Jouni Malinen [Mon, 11 Dec 2017 11:59:55 +0000 (13:59 +0200)]
OWE: Allow DH Parameters element overriding with driver SME
Commit 265bda34441da14249cb22ce8a459cebe8015a55 ('OWE: Allow DH
Parameters element to be overridden for testing purposes') provided
means for using "VENDOR_ELEM_ADD 13 <IE>" in OWE protocol testing, but
that commit covered only the sme.c case (i.e., drivers that use
wpa_supplicant SME). Extend this to cover drivers that use internal SME
(e.g., use the nl80211 Connect command).