Allow hostapd to be configured to perform SAE reflection attack for SAE
testing purposes with sae_reflection_attack=1 configuration parameter.
This is included only in CONFIG_TESTING_OPTIONS=y builds.
Jouni Malinen [Thu, 24 Aug 2017 20:59:44 +0000 (23:59 +0300)]
DPP: Derive PMKID using SHA256() for all curves
This was previously defined inconsistently (H() vs. SHA256()), but it is
now clarified in the draft tech spec to use SHA256(), so update
implementation to do that.
Jouni Malinen [Thu, 24 Aug 2017 20:30:20 +0000 (23:30 +0300)]
nl80211: Fix auth_alg selection with FILS in the connect command
NL80211_ATTR_AUTH_TYPE needs to be skipped if multiple auth_alg options
are included. The previous list missed the new FILS auth_alg here and
ended up not doing so if OPEN and FILS were included.
Jouni Malinen [Wed, 23 Aug 2017 12:55:46 +0000 (15:55 +0300)]
tests: Make dpp_qr_code_auth_initiator_enrollee more robust
Wait for the configuration step to complete before forcefully
terminating DPP listen. Previous version was causing failures for this
test case sequence:
dpp_qr_code_auth_initiator_enrollee dpp_pkex_config2
Jouni Malinen [Wed, 23 Aug 2017 09:49:22 +0000 (12:49 +0300)]
DPP: Use Transaction ID in Peer Discovery Request/Response frames
DPP tech spec changed the contents of these frames by replacing the
public key hash attributes with a Transaction ID attribute that gets
copied from the request to the response to identify the transaction in a
simpler manner.
Sunil Dutt [Wed, 23 Aug 2017 04:35:21 +0000 (10:05 +0530)]
Introduce QCA_NL80211_VENDOR_SUBCMD_HANG
This is an event indicating to the user space that the driver has
detected an internal failure. The driver is expected to recover from
such a failure automatically, e.g., by resetting the device. This event
carries the information indicating the reason that triggered this
detection.
Jouni Malinen [Mon, 14 Aug 2017 18:07:09 +0000 (21:07 +0300)]
WPS: Interpret zero length ap_pin hostapd.conf parameter as "unset"
hostapd allows arbitrary AP PIN to be used in WPS. This means that
setting ap_pin to a zero length string ends up enabling AP PIN so that
external registrars can use this specific zero length ap_pin value. There
are apparently some APs that have used this invalid configuration with
unintended results. While the proper fix for that is to fix the
component that generates the invalid configuration, hostapd can also
reject such values since the likelihood of a real world use case for
zero length AP PIN (Device Password) is minimal.
Start interpreting zero length ap_pin parameter value as a request to
"unset" the previously set value in hostapd.conf (or if not previously
set, leave it unset). With this, a hostapd.conf file including the
"ap_pin=" line will end up getting interpreted just like that same file
with the ap_pin parameter completely removed, i.e., with AP PIN being
disabled.
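The before/after handling described in this commit message, as an added example that is not code from the hostapd tree: the function names and the `legacy` switch are hypothetical, and the configuration lines are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Apply one hostapd.conf-style line to *ap_pin (NULL means AP PIN disabled).
 * legacy != 0 keeps the old behaviour of storing a zero-length PIN;
 * otherwise an empty value unsets it. Names here are illustrative. */
static int apply_line(char **ap_pin, const char *line, int legacy)
{
	const char *val;

	if (strncmp(line, "ap_pin=", 7) != 0)
		return 0; /* other parameters are ignored in this sketch */
	val = line + 7;
	free(*ap_pin);
	*ap_pin = NULL;
	if (*val == '\0' && !legacy)
		return 0; /* unset: same result as the line being absent */
	*ap_pin = malloc(strlen(val) + 1);
	if (!*ap_pin)
		return -1;
	strcpy(*ap_pin, val);
	return 0;
}

/* Returns 1 if AP PIN is enabled after all lines, 0 if not, -1 on error. */
static int ap_pin_enabled_after(const char *const *lines, size_t n, int legacy)
{
	char *pin = NULL;
	size_t i;
	int err = 0, result;

	for (i = 0; i < n && !err; i++)
		err = apply_line(&pin, lines[i], legacy);
	result = err ? -1 : pin != NULL;
	free(pin);
	return result;
}

int main(void)
{
	const char *conf[] = { "ssid=test", "ap_pin=" }; /* constructed input */

	printf("old: %d, new: %d\n", ap_pin_enabled_after(conf, 2, 1),
	       ap_pin_enabled_after(conf, 2, 0));
	return 0;
}
```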
Sven Eckelmann [Fri, 9 Jun 2017 09:39:51 +0000 (11:39 +0200)]
hw_features: Fix check of supported 802.11ac channel width
The two channel width bits in the VHT capability field can be decoded in
following values (IEEE Std 802.11ac-2013 8.4.2.160.2 VHT Capabilities
Info field):
* 0: no 160 or 80+80 MHz support
* 1: 160 MHz support
* 2: 160 and 80+80 MHz support
* 3: (reserved)
The check must therefore not be done bitwise but instead it must be checked
whether the capabilities announced by the driver are at least the ones
requested by the user.
Fixes: c781eb842852 ("hostapd: Verify VHT capabilities are supported by driver")
Signed-off-by: Sven Eckelmann <sven.eckelmann@openmesh.com>
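The difference between the bitwise and the ordered comparison, as an added example that is not the hostapd patch itself: the macro and function names are hypothetical, the field position (bits 2-3 of VHT Capabilities Info) is taken from the standard, and the inputs are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Supported Channel Width Set occupies bits 2-3 of VHT Capabilities Info.
 * Names below are illustrative, not hostapd's. */
#define CHWIDTH_SHIFT 2
#define CHWIDTH_MASK  (0x3u << CHWIDTH_SHIFT)

static unsigned int chwidth(uint32_t vht_cap)
{
	return (vht_cap & CHWIDTH_MASK) >> CHWIDTH_SHIFT;
}

/* Bitwise test: each requested bit must also be set in the driver's value.
 * Wrong here, because the field is an enumeration and not a set of flags. */
static int width_ok_bitwise(uint32_t hw, uint32_t conf)
{
	uint32_t want = conf & CHWIDTH_MASK;

	return (hw & want) == want;
}

/* Ordered test: the driver's value must be at least the requested one. */
static int width_ok_ordered(uint32_t hw, uint32_t conf)
{
	return chwidth(hw) >= chwidth(conf);
}

int main(void)
{
	unsigned int hw, conf;

	/* Constructed inputs: every defined driver/request combination. */
	for (hw = 0; hw <= 2; hw++)
		for (conf = 0; conf <= 2; conf++)
			printf("hw=%u conf=%u bitwise=%d ordered=%d\n", hw, conf,
			       width_ok_bitwise(hw << CHWIDTH_SHIFT, conf << CHWIDTH_SHIFT),
			       width_ok_ordered(hw << CHWIDTH_SHIFT, conf << CHWIDTH_SHIFT));
	return 0;
}
```

The two tests disagree only for a driver announcing value 2 with a request of value 1: the bitwise form rejects a 160 MHz request on hardware that supports 160 and 80+80 MHz.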
tests: Make wnm_bss_tm_req_with_mbo_ie more robust
On slow machines or inside VM it may take some time for "DISCONNECTED"
event to arrive. Since the retry delay counter is started already, it
may result in less than 5 seconds time between "DISCONNECTED" and
"CONNECTED" events.
Fix the test by taking more accurate timestamps between the events.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Avraham Stern [Mon, 12 Jun 2017 06:29:27 +0000 (09:29 +0300)]
WNM: Differentiate between WNM for station and for AP in build
Previously, CONFIG_WNM enabled build that supports WNM for both
station mode and AP mode. However, in most wpa_supplicant cases only
station mode WNM is required and there is no need for AP mode WNM.
Add support to differentiate between station mode WNM and AP mode
WNM in wpa_supplicant builds by adding CONFIG_WNM_AP that should be
used when AP mode WNM support is required in addition to station mode
WNM. This allows binary size to be reduced for builds that require
only the station side WNM functionality.
Avraham Stern [Sun, 11 Jun 2017 12:41:23 +0000 (15:41 +0300)]
RRM: Remove duplicate frequencies from beacon report scan request
When setting the frequencies for beacon report request scan, it is
possible that a frequency is added twice (e.g., when the same channel
appears both in the channel field and in the AP channel report
subelement). This may cause the scan request to fail.
Make sure the frequencies array contains no duplications before
requesting the scan.
Avraham Stern [Sun, 11 Jun 2017 12:41:21 +0000 (15:41 +0300)]
RRM: Send response when Beacon report request is not supported/refused
Send Radio Measurement response with measurement mode set to reject
in the following cases:
1. Reporting conditions is not supported.
2. No valid channels found for the measurement
Sending a response with an incapable indication will stop the AP from
sending other measurement requests of the same type as specified
in IEEE Std 802.11-2016, 11.11.6.
Avraham Stern [Sun, 11 Jun 2017 12:41:20 +0000 (15:41 +0300)]
RRM: Send Radio Measurement response when beacon report scan fails
When failing to trigger scan for beacon report (e.g., when the
requested duration is not supported by the driver), send a
Radio Measurement response with the mode set to refused and don't
retry the scan.
Avraham Stern [Sun, 11 Jun 2017 12:41:19 +0000 (15:41 +0300)]
RRM: Send reject/refuse response only to unicast measurement request
IEEE Std 802.11-2016, 11.11.6 specifies that a station that is unable to
make a requested measurement or refuses to make a measurement shall
respond only if the measurement request was received within an
individually addressed radio measurement request frame, but shall not
respond if such a request was received in a group addressed frame.
Dmitry Shmidt [Mon, 22 May 2017 21:38:58 +0000 (21:38 +0000)]
wpa_cli: Fix global control interface for STA-FIRST/STA-NEXT
If global control interface is used and wlan doesn't support P2P,
wpa_s->global->p2p == NULL, and log shows:
wpa_supplicant: Failed to create interface p2p-dev-wlan0: -5 (I/O error)
wpa_supplicant: nl80211: Failed to create a P2P Device interface p2p-dev-wlan0
wpa_supplicant: P2P: Failed to enable P2P Device interface
Then STA-FIRST/STA-NEXT is not going to redirect to any interface,
making update_stations(ctrl_conn) get stuck in a never-ending loop:
X509_ALGOR_get0() was modified to use const ** pointer as the first
argument in OpenSSL 1.1.0, so need to use different type here to avoid
compilation issues.
Previously, the pointer to strdup passwd was left in OpenSSL library
default_passwd_cb_userdata and even the default_passwd_cb was left set
on an error path. To avoid unexpected behavior if something were to
manage to use these pointers, clear them explicitly once done with
loading of the private key.
OpenSSL: Fix private key password handling with OpenSSL >= 1.1.0f
Since OpenSSL version 1.1.0f, SSL_use_PrivateKey_file() uses the
callback from the SSL object instead of the one from the CTX, so let's
set the callback on both SSL and CTX. Note that
SSL_set_default_passwd_cb*() is available only in 1.1.0.
OpenSSL: Add build option to select default ciphers
Add a build option to select different default ciphers for OpenSSL
instead of the hardcoded default "DEFAULT:!EXP:!LOW".
This new option is useful on distributions where the security level
should be consistent for all applications, as in Fedora [1]. In such
cases the new configuration option would be set to "" or
"PROFILE=SYSTEM" to select the global crypto policy by default.
FILS: Fix issuing FILS connect to a non-FILS AP in driver-FILS case
If an AP is not FILS capable and wpa_supplicant has a saved network
block for the network with FILS key management and a saved erp info,
wpa_supplicant might end up issuing a FILS connection to a non-FILS AP.
Fix this by looking for the presence of FILS AKMs in wpa_s->key_mgmt,
i.e., after deciding on the AKM suites to use for the current
connection.
Introduce a vendor attribute to represent the PNO/EPNO Request ID
This request ID was wrongly referred from the REQUEST_ID in
enum qca_wlan_vendor_attr_gscan_config_params which is mapped to
QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_LIST_PARAM_NUM in PNO Config.
Hence define a different attribute to represent the request ID
for PNO Config.
Avraham Stern [Thu, 8 Jun 2017 08:17:56 +0000 (11:17 +0300)]
RRM: Filter scan results by parent TSF only if driver supports it
Scan results with parent TSF older than the scan start TSF are not added
to the beacon report since they are considered as scan results from
previous scans. However, for drivers that report the scan start TSF but
not the parent TSF of each scan result, the parent TSF will be zero so
valid scan results will be dropped.
Fix this by filtering scan results by the parent TSF only if the
driver supports reporting the parent TSF for each scan result.
In case of incorrect HT40 configuration as part of an attempt to create
a 80 MHz AP, iface->conf->vht_oper_centr_freq_seg0_idx and
iface->conf->vht_oper_centr_freq_seg1_idx are zero'ed, but
iface->conf->vht_oper_chwidth remains VHT_CHANWIDTH_80MHZ. This causes
the logic in dfs_get_start_chan_idx to fail.
Fix this by setting iface->conf->vht_oper_chwidth to
VHT_CHANWIDTH_USE_HT when zero'ing the center frequency parameters.
Adiel Aloni [Thu, 22 Jun 2017 07:58:44 +0000 (10:58 +0300)]
tests: Use global control interface in test_p2p_channel.py
Previously p2p_channel_drv_pref_* tests would fail
if dedicated P2P device is used, since the SET commands
were sent to incorrect interface.
Fix this by using a global control interface instead.
Johannes Berg [Tue, 30 May 2017 14:29:56 +0000 (16:29 +0200)]
tests: Print higher debug level on console
We capture the dmesg that contains everything, but if a test
causes a kernel crash we will miss all logging at higher levels
like debug. Change the printk level to catch all of that too.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Johannes Berg [Tue, 30 May 2017 14:29:50 +0000 (16:29 +0200)]
tests: Catch various lockdep warnings
Lockdep no longer prints "INFO:" but now prints "WARNING:".
Also add the "*** DEADLOCK ***" string it usually prints so
if it changes again we can keep finding that string.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
dpp.h file requires openssl in order to compile, which breaks
compilation on systems without it.
Move DPP_OUI_TYPE to ieee802_11_defs.h and don't include dpp.h when
not really needed.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Sunil Dutt [Tue, 13 Jun 2017 11:52:02 +0000 (17:22 +0530)]
P2P: Allow auto GO on DFS channels if driver supports this
If a DFS forced frequency is provided in 'p2p_group_add' and the driver
supports DFS offload, the frequency was rejected in
wpas_p2p_init_go_params(). However, it was accepted in
wpas_p2p_select_go_freq() and wpas_p2p_group_add(). To make the behavior
consistent, the DFS frequency is now accepted in
wpas_p2p_init_go_params() similar to the way done in
wpas_p2p_select_go_freq().
Redundant check in wpas_p2p_group_add() for DFS forced frequency is
removed.
FILS: Advertize FILS capability based on driver capability
Add changes to control interface command get_capability to advertize
FILS capability, FILS AKMs suites, and FILS Authentication algorithms
based on the driver capabilities.
hostapd did not add a new PMKSA cache entry when FILS shared key
authentication was used, i.e., only the initial full authentication
resulted in a PMKSA cache entry being created. Derive the PMKID for the
ERP case as well and add a PMKSA cache entry if the ERP exchange
succeeds.
tests: Clear ignore_old_scan_res after sigma_dut test cases
sigma_dut can end up setting ignore_old_scan_res=1 and that can result
in some of the consecutive test cases failing. Fix this by explicitly
clearing ignore_old_scan_res after sigma_dut cases that may have ended
up setting the parameter.
Update default wpa_group_rekey to once-per-day when using CCMP/GCMP
The default value for GTK rekeying period was previously hardcoded to
600 seconds for all cases. Leave that short value only for TKIP as group
cipher while moving to the IEEE 802.11 default value of 86400 seconds
(once-per-day) for CCMP/GCMP.
This implements generic PKEX functionality in src/common/dpp.c and glue
code to use this in wpa_supplicant (i.e., hostapd DPP implementation does
not yet support PKEX).
DPP: Add helper functions for running hash operations
Use helper functions to cover all three different hash algorithm options
for DPP operations instead of having separate calls to each function at
every location a hash operation based on the curve is needed.