Jouni Malinen [Mon, 27 Nov 2017 10:43:40 +0000 (12:43 +0200)]
DPP: Add DPP_CONFIGURATOR_SIGN support to hostapd
Configurator signing its own Connector was previously supported only in
wpa_supplicant. This commit extends that to hostapd to allow an AP
acting as a Configurator to self-configure itself.
Jouni Malinen [Mon, 27 Nov 2017 11:22:32 +0000 (13:22 +0200)]
DPP: Move hostapd Configurator/bootstrap data into global context
This moves the Configurator and Bootstrapping Information data from
struct hostapd_data (per-BSS) to struct hapd_interfaces (per-hostapd
process). This allows the information to be maintained over interface
restarts and shared between interfaces.
Jouni Malinen [Sun, 26 Nov 2017 15:41:22 +0000 (17:41 +0200)]
DPP: Auto-generate Initiator bootstrapping info if needed
Instead of using the all-zeros Initiator Bootstrapping Key Hash when no
local bootstrapping key is configuref for the Initiator, automatically
generate a temporary bootstrapping key for the same curve that the
Responder uses. If the Responder indicates that it wants to do mutual
authentication, provide the URI for the auto-generated bootstrapping key
in the DPP-RESPONSE-PENDING event for upper layers to display the QR
Code.
Jouni Malinen [Sun, 26 Nov 2017 11:27:25 +0000 (13:27 +0200)]
tests: Split ap_vht160 into two test cases (ap_vht160 and ap_vht160b)
These VHT160 with DFS cases were in a single test case to optimize test
execution time with parallel wait for the 60 second CAC. However, this
design has become difficult to support with the kernel changes that
allow radar events to be shared between interfaces. To avoid need for
more workarounds here just for testing purposes, split this into two
test cases so that conflicting events from another interface do not
cause the test case to fail.
Jouni Malinen [Sun, 26 Nov 2017 10:57:27 +0000 (12:57 +0200)]
tests: Split dfs_radar into two test cases (dfs_radar1 and dfs_radar2)
These DFS radar detection cases were in a single test case to optimize
test execution time with parallel wait for the 60 second CAC. However,
this design has become difficult to support with the kernel changes that
allow radar events to be shared between interfaces. To avoid need for
more workarounds here just for testing purposes, split this into two
test cases so that conflicting events from another interface do not
cause the test case to fail.
Sriram R [Mon, 20 Nov 2017 12:48:41 +0000 (18:18 +0530)]
nl80211: Filter global events based on wiphy
Avoid same interface processing nl80211 events when at least one of
IFIDX, WDEV, or WIPHY index attribute is available in the nl80211 event
message.
Previously, a same interface processes events when ifidx and wdev id
attribute were not available in the nl80211 message. This is extended to
check the presence of wiphy index attribute as well since some radar
notifications include only WIPHY index attrbute in the nl80211 message.
Signed-off-by: Sriram R <srirrama@qti.qualcomm.com>
Lubomir Rintel [Mon, 16 Oct 2017 07:32:47 +0000 (09:32 +0200)]
tests: Enable dynamic debugging for mac80211_hwsim
mac80211_hwsim module typically dumps a lot of details into the kernel
message buffer. While it's probably okay in a dedicated VM, it's way too
chatty in other setups.
The kernel allows fine-tuning logging via the dynamic debugging
facility. Let's enable all logging locations in the mac80211_hwsim
module so that we don't loose debugging output when the kernel adopts
the dynamic debug mechanism for the driver.
Jouni Malinen [Fri, 24 Nov 2017 10:21:18 +0000 (12:21 +0200)]
FILS: Do not leave error value in left counter
If fils_decrypt_assoc() were to fail on the AP side, the previous
implementation could have continued through the response generation
using left = -1. That could have resulted in unexpected processing if
this value were to be used as the length of the remaining (unencrypted)
IEs. Fix this by not updating left in the failure case.
Fixes: 78815f3dde6e ("FILS: Decrypt Association Request elements and check Key-Auth (AP)") Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Fri, 24 Nov 2017 10:13:26 +0000 (12:13 +0200)]
WPA: Check wpa_eapol_key_mic() result on TX
Verify that nothing unexpected happened with EAPOL-Key Key MIC
calculation when transmitting EAPOL-Key frames from the Authenticator.
This should not be able to happen in practice, but if if it does, there
is no point in sending out the frame without the correct Key MIC value.
Jouni Malinen [Thu, 23 Nov 2017 18:20:39 +0000 (20:20 +0200)]
DPP: Fix error return value in dpp_auth_conf_rx()
Commit 03abb6b5416d472d473c7017802236f8397d0278 ('DPP: Reject unexpected
Req/Resp message based on Auth/PKEX role') used incorrect type of error
value (NULL vs. -1). Fix that.
Hu Wang [Wed, 25 Oct 2017 11:51:09 +0000 (19:51 +0800)]
hostapd: Disassoc STA without WPA/RSN IE if AP proto is WPA/RSN
With the AP proto configured being WPA/RSN and SME in the
driver, the previous implementation in hostapd is to not
process hostapd_notif_assoc() due to "No WPA/RSN IE from STA",
if the (Re)Association Request frame is without the WPA/RSN IEs.
Enhance that to disassociate such station provided the AP is not using
WPS.
hostapd: Add wpa_msg_ctrl() to report Probe Request frames from STA
This allows external applications to get event indication for Probe
Request frames. Extend ctrl iface cmd "ATTACH" to enable this event on
per-request basis. For example, user has to send ctrl iface cmd "ATTACH
probe_rx_events=1" to enable the Probe Request frame events.
Signed-off-by: bhagavathi perumal s <bperumal@qti.qualcomm.com>
Jouni Malinen [Thu, 23 Nov 2017 11:08:45 +0000 (13:08 +0200)]
DPP: Fix number of Authentication Request retry cases
Previous implementation did not handle number of sequences correctly.
Make sure the iteration continues in both unicast and broadcast cases
until the five attempts have been made. In addition, improve timing by
checking 10 second time from the beginning of each iteration round and
not the last channel on which the Auth Req frame has been transmitted.
Jouni Malinen [Wed, 22 Nov 2017 22:42:20 +0000 (00:42 +0200)]
DPP: Take response wait time into account for init retries
Previously, the Authentication Request frame was retried after 2+10 = 12
seconds since the wait for the response was not accounted for. Substract
that wait from the 10 second wait time to start the retries more quickly
based on the 10 second timer described in the tech spec.
Jouni Malinen [Wed, 22 Nov 2017 22:22:13 +0000 (00:22 +0200)]
DPP: Stop Authentication Request attempts if no response after ACK
If unicast Authentication Request frame is used and the peer ACKs such a
frame, but does not reply within the two second limit, there is no need
to continue trying to retransmit the request frames since the peer was
found, but not responsive.
Jouni Malinen [Wed, 22 Nov 2017 19:04:41 +0000 (21:04 +0200)]
DPP: Add akm=sae and akm=psk+sae support in Enrollee role
This allows DPP to be used for enrolling credentials for SAE networks in
addition to the legacy PSK (WPA-PSK) case. In addition, enable FT-PSK
and FT-SAE cases automatically.
Jouni Malinen [Wed, 22 Nov 2017 13:54:35 +0000 (15:54 +0200)]
DPP: Retry PKEX Exchange Request frame up to five times
Retransmit the PKEX Exchange Request frame if no response from a peer is
received. This makes the exchange more robust since this frame is sent
to a broadcast address and has no link layer retries.
Jouni Malinen [Sun, 19 Nov 2017 14:02:07 +0000 (16:02 +0200)]
tests: Fix ap_cipher_tkip_countermeasures_sta2
hostapd implementation was changed to use a valid Status Code when
rejecting the connection. This test case was forgotten at the time, but
it needs a matching change to allow the new value (1 instead of 14).
Jouni Malinen [Sat, 18 Nov 2017 15:08:11 +0000 (17:08 +0200)]
Stronger GTK derivation routine
If the build include SHA384, use that to derive GTK from GMK. In
addition, add more random bytes bytes to the PRF-X() context data for
longer GTK to reduce dependency on the randomness of the GMK.
GMK is 256 bits of random data and it was used with SHA256, so the
previous design was likely sufficient for all needs even with 128 bits
of additional randomness in GTK derivation. Anyway, adding up to 256
bits of new randomness and using SHA384 can be helpful extra protection
particularly for the cases using GCMP-256 or CCMP-256 as the group
cipher.
Jouni Malinen [Sat, 18 Nov 2017 11:22:17 +0000 (13:22 +0200)]
DPP: Fix dpp_test_gen_invalid_key() with BoringSSL
Unlike OpenSSL, BoringSSL returns an error from
EC_POINT_set_affine_coordinates_GFp() is not on the curve. As such, need
to behave differently here depending on which library is used.
Jouni Malinen [Sat, 18 Nov 2017 10:19:43 +0000 (12:19 +0200)]
DPP: Build bootstrapping key DER encoding using custom routine
While the OpenSSL version of i2d_EC_PUBKEY() seemed to be able to use
the POINT_CONVERSION_COMPRESSED setting on the EC key, that did not seem
to work with BoringSSL. Since this is not exactly robust design, replace
use of i2d_EC_PUBKEY() with a custom routine that enforces the DPP rules
on SubjectPublicKeyInfo (compressed format of the public key,
ecPublicKey OID, parameters present and indicating the curve by OID).
Jouni Malinen [Sat, 18 Nov 2017 10:14:21 +0000 (12:14 +0200)]
DPP: Use a helper function to DER encode bootstrapping key
This routine was previously implemented twice using i2d_EC_PUBKEY().
There is no need to duplicate that implementation and especially since
it looks like this implementation needs to be replaced for BoringSSL,
start by using a shared helper function for both locations so that there
is only a single place that uses i2d_EC_PUBKEY() to build the special
DPP bootstrapping key DER encoding.
Jouni Malinen [Fri, 17 Nov 2017 19:03:04 +0000 (21:03 +0200)]
BoringSSL: Add AES support with 192-bit keys
BoringSSL restored the previously removed AES-192 ECB support in ("Add
AES-192 ECB.") commit. Since this is needed for DPP with the P-384
curve, restore support for this through EVP_aes_192_ecb().
Jouni Malinen [Fri, 17 Nov 2017 18:44:42 +0000 (20:44 +0200)]
BoringSSL: Add DPP special cases regardless of claimed version number
It looks like BoringSSL claims to have OPENSSL_VERSION_NUMBER for a
1.1.0 version, but it does not provide ECDSA_SIG_set0() or
ECDSA_SIG_get0(). For now, add the helper functions regardless of the
version BoringSSL claims to be. Similarly, include the X509_ALGOR_get0()
workaround unconditionally for BoringSSL.
Jouni Malinen [Fri, 17 Nov 2017 18:41:25 +0000 (20:41 +0200)]
BoringSSL: Implement crypto_ecdh_init()
BoringSSL does not provide some of the OpenSSL API that was used here,
so update this to use similar design to what was already done with DPP
key derivation.
Jouni Malinen [Fri, 17 Nov 2017 18:34:17 +0000 (20:34 +0200)]
BoringSSL: Comment out SSL_set_default_passwd_cb*() calls
It looks like BoringSSL claims to have OPENSSL_VERSION_NUMBER for a
1.1.0 version, but it does not provide SSL_set_default_passwd_cb*(). For
now, comment out this regardless of the version BoringSSL claims to be.
Jouni Malinen [Fri, 17 Nov 2017 18:30:37 +0000 (20:30 +0200)]
BoringSSL: Comment out SSL_set1_sigalgs_list() call
It looks like BoringSSL claims to have OPENSSL_VERSION_NUMBER for a
1.1.0 version, but it does not provide SSL_set1_sigalgs_list(). For now,
comment out this regardless of the version BoringSSL claims to be.
Jouni Malinen [Fri, 17 Nov 2017 18:24:46 +0000 (20:24 +0200)]
BoringSSL: Define RSA_bits() helper
It looks like BoringSSL claims to have OPENSSL_VERSION_NUMBER for a
1.1.0 version, but it does not provide RSA_bits(). For now, add this
backwards compatibility wrapper for BoringSSL regardless of the version
it claims to be.
Sriram R [Fri, 17 Nov 2017 09:43:36 +0000 (15:13 +0530)]
tests: Fix ap_config_reload_on_sighup test
Use absolute path name for configuration file to ensure the file can be
succesfully reloaded and read on SIGHUP signal. This is needed when
running the test case on host (i.e., not using a VM).
Signed-off-by: Sriram R <srirrama@qti.qualcomm.com>
Jouni Malinen [Fri, 17 Nov 2017 10:31:41 +0000 (12:31 +0200)]
Allow group cipher selection to be overridden
The new hostapd configuration parameter group_cipher can now be used to
override the automatic cipher selection based on enabled pairwise
ciphers. It should be noted that selecting an unexpected group cipher
can result in interoperability issues and this new capability is mainly
for testing purposes.
Jouni Malinen [Wed, 15 Nov 2017 00:12:20 +0000 (02:12 +0200)]
wlantest: Search bss/sta entry more thoroughly for 4-address frames
Previous design worked for the case where only one of the devices was
beaconing, but failed in one direction to find the PTK if both devices
beaconed. Fix this by checking the A1/A2 fields in both directions if
the first pick fails to find the sta entry.
In addition, select the proper rsc value (rsc_tods vs. rsc_fromds) based
on A2 (TA) value for ToDS+FromDS frames to avoid reporting incorrect
replay issues.
tinlin [Tue, 14 Nov 2017 03:37:03 +0000 (11:37 +0800)]
Add QCA_NL80211_VENDOR_SUBCMD_PEER_FLUSH_PENDING
Add sub-command QCA_NL80211_VENDOR_SUBCMD_PEER_FLUSH_PENDING to flush
pending packets in firmware. The attributes are listed in enum
qca_wlan_vendor_attr_flush_pending. The QCA_WLAN_VENDOR_ATTR_PEER_ADDR
specifies the peer MAC address and the QCA_WLAN_VENDOR_ATTR_AC specifies
the access category of the pending packets.
Signed-off-by: Lin Tingting <tinlin@qti.qualcomm.com>
Zhang Qian [Wed, 8 Nov 2017 08:49:04 +0000 (16:49 +0800)]
Add new QCA vendor attribute for LL stats
A new vendor attribute QCA_WLAN_VENDOR_ATTR_LL_STATS_WMM_AC_PENDING_MSDU
is added for vendor sub-command QCA_NL80211_VENDOR_SUBCMD_LL_STATS_GET.
This attribute is for pending MSDUs corresponding to respective AC.
atheros: Process SAE authentication frames using EVENT_RX_MGMT
This adds support for SAE in AP mode with the atheros driver interface.
EVENT_RX_MGMT includes SAE processing while EVENT_AUTH would require
more changes to make this work.
common: Avoid conflict with __bitwise macro from linux/types.h
Undefine the __bitwise macro before defining it to avoid conflicts
with the one from linux/types.h; the same is done some lines above
when __CHECKER__ is defined. Fixes the following warning:
In file included from ../src/l2_packet/l2_packet_linux.c:15:0:
hostap/src/utils/common.h:438:0: warning: "__bitwise" redefined
#define __bitwise
In file included from /usr/include/linux/filter.h:9:0,
from ../src/l2_packet/l2_packet_linux.c:13:
/usr/include/linux/types.h:21:0: note: this is the location of the previous definition
#define __bitwise __bitwise__
Masashi Honma [Thu, 9 Nov 2017 20:13:21 +0000 (05:13 +0900)]
DPP: Fix compiler warning of testing code
../src/common/dpp.c: In function 'dpp_test_gen_invalid_key':
../src/common/dpp.c:5531:10: warning: return makes integer from pointer without a cast [-Wint-conversion]
return NULL;
^
Jouni Malinen [Tue, 14 Nov 2017 10:55:48 +0000 (12:55 +0200)]
wlantest: Do not ignore RSN/WPA/OSEN element before full BSS info
wlantest used to ignore RSN/WPA/OSEN element in (Re)Association Request
frame if no Beacon frame had been seen from the AP before the
association exchange. This could result in not being able to derive keys
properly. Work around this by skipping that step if the BSS entry is not
yet complete.
Jouni Malinen [Tue, 14 Nov 2017 10:50:30 +0000 (12:50 +0200)]
Reject PMK-to-PTK derivation with unsupported cipher
There should be no wpa_pmk_to_ptk() calls with the cipher argument
indicating a cipher that is not allowed as a pairwise cipher. However,
it looks like that was possible to happen with wlantest. Check for this
corner case explicitly to avoid generating confusing debug logs.
Jouni Malinen [Mon, 13 Nov 2017 10:34:17 +0000 (12:34 +0200)]
DPP: Retransmit DPP Authentication Response frame if it is not ACKed
This extends wpa_supplicant DPP implementation to retransmit DPP
Authentication Response frame every 10 seconds up to 5 times if the peer
does not reply with DPP Authentication Confirm frame.
Jouni Malinen [Mon, 13 Nov 2017 10:12:08 +0000 (12:12 +0200)]
DPP: Stop authentication exchange of DPP_STOP_LISTEN
Previously, this command stopped listen operation immediately, but if
there was an ongoing authentication exchange, a new listen operation was
started. This is not really expected behavior, so stop the
authentication exchange first with this command to avoid restarting
listen operation.