Jouni Malinen [Fri, 27 Mar 2020 12:03:04 +0000 (14:03 +0200)]
DPP2: Configurator Connectivity indication
Add a new hostapd configuration parameter
dpp_configurator_connectivity=1 to request Configurator connectivity to
be advertised for chirping Enrollees.
Jouni Malinen [Fri, 27 Mar 2020 10:42:00 +0000 (12:42 +0200)]
DPP2: Chirping in wpa_supplicant Enrollee
Add a new wpa_supplicant control interface command "DPP_CHIRP own=<BI
ID> iter=<count>" to request chirping, i.e., sending of Presence
Announcement frames, to be started.
Jouni Malinen [Fri, 27 Mar 2020 15:28:59 +0000 (17:28 +0200)]
DPP: Add DPP_BOOTSTRAP_SET command
"DPP_BOOTSTRAP_SET <ID> <configurator parameters..>" can now be used to
set peer specific configurator parameters which will override any global
parameters from dpp_configurator_params.
Jouni Malinen [Fri, 27 Mar 2020 15:14:06 +0000 (17:14 +0200)]
DPP: Allow per-peer configurator parameters to be set
This is a more convenient way of addressing cases where a
Configurator/Controller may store a large number of peer bootstrapping
information instances and may need to manage different configuration
parameters for each peer while operating as the Responder.
Jouni Malinen [Wed, 18 Mar 2020 10:41:46 +0000 (12:41 +0200)]
Update STA flags to the driver immediately on disconnection
hostapd (and wpa_supplicant in AP mode) was internally updating the STA
flags on disconnection cases to remove authorization and association.
However, some cases did not result in immediate update of the driver STA
entry. Update all such cases to send out the update to the driver as
well to reduce risk of race conditions where new frames might be
accepted for TX or RX after the port authorization or association has
been lost and configured keys are removed.
Jouni Malinen [Wed, 18 Mar 2020 21:15:18 +0000 (23:15 +0200)]
tests: Use frame injection in monitor_iface_unknown_sta
The previously used normal data TX depends on undefined driver behavior
after all keys have been removed. That may not be available, so do this
more properly with frame injection through a monitor interface.
Jouni Malinen [Wed, 25 Mar 2020 22:10:16 +0000 (00:10 +0200)]
Process Transition Disable KDE in station mode
Check whether the Transition Disable KDE is received from an
authenticated AP and if so, whether it contains valid indication for
disabling a transition mode. If that is the case, update the local
network profile by removing the less secure options.
Jouni Malinen [Wed, 25 Mar 2020 22:08:26 +0000 (00:08 +0200)]
Allow hostapd AP to advertise Transition Disable KDE
The new hostapd configuration parameter transition_disable can now be
used to configure the AP to advertise that use of a transition mode is
disabled. This allows stations to automatically disable transition mode
by disabling less secure network profile parameters.
Noam Shaked [Tue, 24 Mar 2020 00:19:36 +0000 (17:19 -0700)]
Add ACS support for 60 GHz channel bonding
hostapd will trigger EDMG auto channel selection by setting
QCA_WLAN_VENDOR_ATTR_ACS_EDMG_ENABLED. The 60 GHz driver will be
called to start an auto channel selection and will return the
primary channel and the EDMG channel.
Noam Shaked [Tue, 10 Mar 2020 01:16:02 +0000 (18:16 -0700)]
nl80211: Fix offloaded ACS regression for the 60 GHz band
Addition of chan_2ghz_or_5ghz_to_freq() broke 60 GHz ACS, because it
assumes reported ACS channel is on either 2.4 or 5 GHz band. Fix this
by converting chan_2ghz_or_5ghz_to_freq() to a more generic
chan_to_freq(). The new function uses hw_mode to support 60 GHz.
Fixes: 41cac481a889 ("ACS: Use frequency params in ACS (offload) completed event interface") Signed-off-by: Noam Shaked <nshaked@codeaurora.org>
Wu Gao [Sun, 28 Aug 2016 02:56:33 +0000 (10:56 +0800)]
Extend vendor attributes to support enhanced CFR capture
Enhanced channel frequency response supports capturing of channel status
information based on RX. Define previous CFR as version 1 and enhanced
CFR as version 2. If target supports both versions, two versions can't
be enabled at same time. Extend attributes for enhanced CFR capture in
enum qca_wlan_vendor_peer_cfr_capture_attr.
Alexander Wetzel [Fri, 20 Mar 2020 19:04:32 +0000 (20:04 +0100)]
STA: Support Extended Key ID
Support Extended Key ID in wpa_supplicant according to
IEEE Std 802.11-2016 for infrastructure (AP) associations.
Extended Key ID allows to rekey pairwise keys without the otherwise
unavoidable MPDU losses on a busy link. The standard is fully backward
compatible, allowing STAs to also connect to APs not supporting it.
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
Alexander Wetzel [Fri, 20 Mar 2020 19:04:31 +0000 (20:04 +0100)]
AP: Support Extended Key ID
Support Extended Key ID in hostapd according to IEEE Std 802.11-2016.
Extended Key ID allows to rekey pairwise keys without the otherwise
unavoidable MPDU losses on a busy link. The standard is fully backward
compatible, allowing an AP to serve STAs with and without Extended Key
ID support in the same BSS.
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
Jouni Malinen [Sun, 22 Mar 2020 17:52:38 +0000 (19:52 +0200)]
tests: Fix bgscan_learn_beacon_loss with REPORTS_TX_ACK_STATUS
Stopping the AP from beaconing will also stop it from acknowledging
frames and that resulted in bgscan_learn_beacon_loss failing when
mac80211_hwsim is registering REPORTS_TX_ACK_STATUS. Work around this by
moving to using PMF so that the station ignores the unprotected
deauthentiation frames from the AP and also disabling SA Query. This
allows the AP to be stopped and restarted with large enough Beacon
interval to allow the station to detect beacon loss.
This is identical to the earlier design change for
bgscan_simple_beacon_loss (somehow this bgscan_learn_beacon_loss test
case managed to pass at that time).
Jouni Malinen [Sun, 22 Mar 2020 16:51:41 +0000 (18:51 +0200)]
Limit scan frequency list to 100 entries
There is no real use case for the scan to be requested on more than 100
channels individually. To avoid excessively long lists with invalid
configuration, use 100 entry limit for the list before dropping to the
fallback scan-all-channels option.
Jouni Malinen [Sun, 22 Mar 2020 16:35:45 +0000 (18:35 +0200)]
loop: Use size_t for eloop.count
This is more consistent with the other eloop registrations and avoids a
theoretical integer overflow with 16-bit int should more than 32767
sockets/signals/events be registered.
Jouni Malinen [Sun, 22 Mar 2020 16:26:10 +0000 (18:26 +0200)]
eloop: Use size_t for socket table->count
This is more consistent with the other eloop registrations and avoids a
theoretical integer overflow with 16-bit int should more than 32767
sockets be registered (which is not really going to happen in practice).
Jouni Malinen [Sun, 22 Mar 2020 16:15:43 +0000 (18:15 +0200)]
eloop: Use size_t for signal_count
This is more consistent with the other eloop registrations and avoids a
theoretical integer overflow with 16-bit int (not that there would ever
be more that 32767 signal handlers getting registered).
Jouni Malinen [Sun, 22 Mar 2020 16:07:06 +0000 (18:07 +0200)]
Limit maximum number of pending SA Queries
There is no point in starting a huge number of pending SA Queries, so
limit the number of pending queries to 1000 to have an explicit limit
for how large sa_query_count can grow.
Jouni Malinen [Sun, 22 Mar 2020 15:46:45 +0000 (17:46 +0200)]
Use size_t instead of int or unsigned int for configuration items
While int and unsigned int are not going overflow in practice as 32-bit
values, these could at least in theory hit an integer overflow with
16-bit int. Use size_t to avoid such potential issue cases.
Jouni Malinen [Sun, 22 Mar 2020 15:30:23 +0000 (17:30 +0200)]
Use size_t instead of unsigned_int for last_scan_res
This avoids a theoretical unsigned integer overflow case with 32-bit
integers, but something that could potentially be hit with 16-bit int
(though, even that part looks pretty theoretical in this particular case
of number of BSSs in scan results).
Jouni Malinen [Sat, 21 Mar 2020 21:56:19 +0000 (23:56 +0200)]
tests: Wait longer for connection in radius_macacl_unreachable
It looks ike the authentication timeouts may continue a bit longer after
some kernel changes and that could result in temporarily disabling the
network profile. Give this test case more time to complete the
connection to avoid reporting failures unnecessarily.
Matthew Wang [Mon, 16 Mar 2020 21:11:06 +0000 (14:11 -0700)]
Interpolate rate calculation functions
Make max_*_rate() functions and rate calculation at the beginning of
wpas_get_est_tpt() more continuous. In wpa_supplicant_need_to_roam(), we
compare these values to make a roaming decision. However, at certain
SNRs, we see unrealistically large jumps in estimated throughput
according to these functions, leading us to make incorrect roaming
decisions. Perform linear interpolation where applicable to more
accurately reflect actual throughput.
Example:
wlan0: Current BSS: 88:3d:24:b4:95:d2 freq=2412 level=-69 snr=20 est_throughput=54000
wlan0: Selected BSS: 88:3d:24:b4:89:9e freq=2417 level=-67 snr=22 est_throughput=63500
wlan0: Using signal poll values for the current BSS: level=-69 snr=20 est_throughput=54000
wlan0: Allow reassociation - selected BSS has better estimated throughput
2 dB increase in RSSI likely isn't responsible for a 17% increase in
throughput.
Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
Matthew Wang [Mon, 16 Mar 2020 21:11:05 +0000 (14:11 -0700)]
Adjust max bitrate SNR floors
These values were defined in commit a1b790eb9d75 ("Select AP based on
estimated maximum throughput") with no justification. Other sources
[0,1,2] give a different (consistent) set of SNR floors per MCS index.
Adjust the values accordingly.
Jouni Malinen [Sat, 21 Mar 2020 16:13:28 +0000 (18:13 +0200)]
tests: Fix bgscan_simple_beacon_loss with REPORTS_TX_ACK_STATUS
Stopping the AP from beaconing will also stop it from acknowledging
frames and that resulted in bgscan_simple_beacon_loss failing when
mac80211_hwsim is registering REPORTS_TX_ACK_STATUS. Work around this by
moving to using PMF so that the station ignores the unprotected
deauthentiation frames from the AP and also disabling SA Query. This
allows the AP to be stopped and restarted with large enough Beacon
interval to allow the station to detect beacon loss.
Jouni Malinen [Sat, 21 Mar 2020 16:12:02 +0000 (18:12 +0200)]
Allow SA Query to be disabled for testing purposes
The new wpa_supplicant control interface SET parameter disable_sa_query
can now be used to disable SA Query on receiving unprotected
disconnection event.
Ouden [Wed, 18 Mar 2020 09:58:37 +0000 (17:58 +0800)]
nl80211: Fix RTM NEW/DELLINK IFLA_IFNAME copy for maximum ifname length
If the kernel rtm_newlink or rtm_dellink send the maximum length of
ifname (IFNAMSIZ), the event handlers in
wpa_driver_nl80211_event_rtm_addlink() and
wpa_driver_nl80211_event_rtm_dellink() did not copy the IFLA_IFNAME
value. Because the RTA_PAYLOAD (IFLA_IFNAME) length already includes the
NULL termination, that equals the IFNAMSIZ.
Sourav Mohapatra [Thu, 19 Mar 2020 13:51:34 +0000 (19:21 +0530)]
More details to the vendor specific driver internal failure reporting
Add more hang reason codes for the hang reason in the
QCA_NL80211_VENDOR_SUBCMD_HANG events. This also introduces the
attribute QCA_WLAN_VENDOR_ATTR_HANG_REASON_DATA to carry the required
data for the respective hang reason. This data is expected to contain
the required dump to analyze the reason for the hang.
Jouni Malinen [Sat, 21 Mar 2020 13:57:37 +0000 (15:57 +0200)]
Ignore duplicated SSID element when parsing
Some APs have managed to add two SSID elements into Beacon frames and
that used to result in picking the last one which had incorrect data in
the known examples of this misbehavior. Pick the first one to get the
correct SSID.
Jouni Malinen [Sat, 21 Mar 2020 10:57:37 +0000 (12:57 +0200)]
Check against integer overflow in int_array functions
int_array_concat() and int_array_add_unique() could potentially end up
overflowing the int type variable used to calculate their length. While
this is mostly theoretical for platforms that use 32-bit int, there
might be cases where a 16-bit int overflow could be hit. This could
result in accessing memory outside buffer bounds and potentially a
double free when realloc() ends up freeing the buffer.
All current uses of int_array_add_unique() and most uses of
int_array_concat() are currently limited by the buffer limits for the
local configuration parameter or frame length and as such, cannot hit
this overflow cases. The only case where a long enough int_array could
be generated is the combination of scan_freq values for a scan. The
memory and CPU resource needs for generating an int_array with 2^31
entries would not be realistic to hit in practice, but a device using
LP32 data model with 16-bit int could hit this case.
It is better to have more robust checks even if this could not be
reached in practice, so handle cases where more than INT_MAX entries
would be added to an int_array as memory allocation failures instead of
allowing the overflow case to proceed.
Jouni Malinen [Fri, 20 Mar 2020 22:23:01 +0000 (00:23 +0200)]
Allow RSNXE to be removed from Beacon frames for testing purposes
The new hostapd configuration parameter no_beacon_rsnxe=1 can be used to
remove RSNXE from Beacon frames. This can be used to test protection
mechanisms for downgrade attacks.
Jouni Malinen [Fri, 20 Mar 2020 19:56:44 +0000 (21:56 +0200)]
FT: Omit RSNXE from FT protocol Reassociation Response when needed
The previous design for adding RSNXE into FT was not backwards
compatible. Move to a new design based on 20/332r3 to avoid that issue
by not include RSNXE in the FT protocol Reassociation Response frame so
that a STA not supporting RSNXE can still validate the FTE MIC
correctly.
Jouni Malinen [Fri, 20 Mar 2020 19:45:22 +0000 (21:45 +0200)]
FT: Omit RSNXE from FT protocol Reassociation Request when needed
The previous design for adding RSNXE into FT was not backwards
compatible. Move to a new design based on 20/332r3 to avoid that issue
by not include RSNXE in the FT protocol Reassociation Request frame so
that an AP not supporting RSNXE can still validate the FTE MIC
correctly.
Jouni Malinen [Fri, 20 Mar 2020 19:38:22 +0000 (21:38 +0200)]
FT: Verify that RSNXE is used consistently in Reassociation Response
Verify that the AP included RSNXE in Beacon/Probe Response frames if it
indicated in FTE that RSNXE is used. This is needed to protect against
downgrade attacks based on the design proposed in 20/332r3.
Jouni Malinen [Fri, 20 Mar 2020 19:33:02 +0000 (21:33 +0200)]
FT: Verify that RSNXE is used consistently in Reassociation Request
Verify that the STA includes RSNXE if it indicated in FTE that RSNXE is
used and the AP is also using RSNXE. This is needed to protect against
downgrade attacks based on the design proposed in 20/332r3.
Jouni Malinen [Fri, 20 Mar 2020 19:23:48 +0000 (21:23 +0200)]
FT: Set the new RSNXE Used subfield in FT reassociation
This is a workaround needed to keep FT protocol backwards compatible for
the cases where either the AP or the STA uses RSNXE, but the other one
does not. This commit adds setting of the new field to 1 in
Reassociation Request/Response frame during FT protocol when the STA/AP
uses RSNXE in other frames. This mechanism is described in 20/332r3.
Jouni Malinen [Sun, 15 Mar 2020 21:24:18 +0000 (23:24 +0200)]
Remove unnecessary and confusing length check from the PMKID KDE case
wpa_parse_kde_ies(), i.e., the only caller to wpa_parse_generic(),
verifies that there is room for KDE Length field and pos[1] (that
length) octets of payload in the Key Data buffer. The PMKID KDE case
within wpa_parse_generic() was doing an unnecessary separate check for
there being room for the Length, OUI, and Data Type fields. This is
covered by the check in the calling function with the combination of
verifying that pos[1] is large enough to contain RSN_SELECTOR_LEN +
PMKID_LEN octets of payload.
This is confusing since no other KDE case was checking remaining full
buffer room within wpa_parse_generic(). Clean this up by removing the
unnecessary check from the PMKID KDE case so that all KDEs are handled
consistently.
Alexander Wetzel [Sun, 15 Mar 2020 19:04:19 +0000 (20:04 +0100)]
Add KEY_FLAG_MODIFY for Extended Key ID support
KEY_FLAG_MODIFY was initial added for the planned Extended Key ID
support with commit a919a260352a ("Introduce and add key_flag") and then
removed with commit 82eaa3e6882f ("Remove the not yet needed
KEY_FLAG_MODIFY") to simplify commit e9e69221c1d1 ("Validity checking
function for key_flag API").
Add it again and update check_key_flag() accordingly.
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
Jouni Malinen [Sun, 15 Mar 2020 19:18:16 +0000 (21:18 +0200)]
Indicate scan completion in active AP mode even when ignoring results
This is needed to avoid leaving external components (through control
interface or D-Bus) timing out while waiting for the scan completion
events. This was already taken care of for the scan-only case
("TYPE=only"), but the scan-and-allow-roaming case did not report the
scan completion event when operating in AP mode.
Jouni Malinen [Sun, 15 Mar 2020 15:07:52 +0000 (17:07 +0200)]
tests: Check more details in pmksa_cache_ap_expiration
It looks like this test case can fail if the STA goes to power save mode
and the Deauthentication frame from the AP after session timeout is not
actually sent at all. Check more details to make it clear that this is
indeed the reason behind the failure.
Jouni Malinen [Sun, 15 Mar 2020 15:06:35 +0000 (17:06 +0200)]
nl80211: Add more TX status details in debug log in AP mode
The actual TX status (whether ACK frame was received) was not included
in the debug log in AP mode. Add that for all cases. In addition, add
some more details in the debug log to make the log more helpful in
debugging issues related to frame delivery.
Jouni Malinen [Sun, 15 Mar 2020 09:11:38 +0000 (11:11 +0200)]
Allow RSNE in EAPOL-Key msg 2/4 to be overridden for testing purposes
The new wpa_supplicant control interface parameter rsne_override_eapol
can be used similarly to the earlier rsnxe_override_eapol to override
the RSNE value added into EAPOL-Key msg 2/4.
Jouni Malinen [Sat, 14 Mar 2020 21:57:39 +0000 (23:57 +0200)]
FT: Check RSNE/RSNXE match in FT protocol Reassociation Response frame
While 13.7.1 (FT reassociation in an RSN) in P802.11-REVmd/D3.0 did not
explicitly require this to be done, this is implied when describing the
contents of the fourth message in the FT authentication sequence (see
13.8.5). Furthermore, 20/332r2 is proposing an explicit validation step
to be added into 13.7.1.
Jouni Malinen [Sat, 14 Mar 2020 16:20:31 +0000 (18:20 +0200)]
wlantest: Do not report PMF failure without BSS supporting PMF
Previously, missing CCMP protection on Robust Management frames was
reported based on the STA having indicated MFPC=1. That is not accurate
since the AP/BSS may have MFPC=0. Report this failure only if both the
AP and STA have indicated MFPC=1, i.e., when PMF has been negotiated for
the association.
Multi-AP: Set 4-address mode after network selection
Split multi_ap_process_assoc_resp() to set 4-address mode after network
selection. Previously, wpa_s->current_ssid might have been NULL in some
cases and that would have resulted in 4-address mode not getting enabled
properly.
Ananya Barat [Tue, 10 Mar 2020 06:37:33 +0000 (12:07 +0530)]
Fill the current opclass in (Re)AssocRequest depending on HT/VHT IEs
The previous implementation was assuming a fixed 20 MHz channel
bandwidth when determining which operating class value to indicate as
the Current Operating Class in the Supported Operating Classes element.
This is not accurate for many HT/VHT cases.
Fix this by determining the current operating class (i.e., the operating
class used for the requested association) based on the HT/VHT operation
elements from scan results.
AP: Fix regression in frequency check for a usable EDMG channel
Commit 5f9b4afd ("Use frequency in HT/VHT validation steps done before
starting AP") modified hostapd_is_usable_edmg() to use freq instead of
channel numbers. Unfortunately, it did not convert the frequency
calculation correctly and this broke EDMG functionality.
Fix the frequency calculation so that EDMG channel 9 works again.
Fixes: 5f9b4afdfaf5 ("Use frequency in HT/VHT validation steps done before starting AP") Signed-off-by: Hrishikesh Vidwans <hvidwans@codeaurora.org>
Arturo Buzarra [Mon, 9 Mar 2020 17:18:16 +0000 (18:18 +0100)]
mesh: Fix CONFIG_HT_OVERRIDES build without CONFIG_VHT_OVERRIDES
Commit e5a9b1e8a3 ("mesh: Implement use of VHT20 config in mesh mode")
introduced the possibility to check the disable_vht param. However, this
entry is only available when CONFIG_VHT_OVERRIDES is enabled and as
such, this broke the build for some cases.
Fix this by encapsulating VHT property with the proper CONFIG entry.
Fixes: e5a9b1e8a3a5 ("mesh: Implement use of VHT20 config in mesh mode") Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Jouni Malinen [Tue, 10 Mar 2020 18:48:15 +0000 (20:48 +0200)]
WPS: Do not set auth_alg=OPEN for PSK+SAE case
When wps_cred_add_sae=1 is used, WPS_AUTH_WPA2PSK credential gets
converted to enabling both PSK and SAE AKMs. However, this case was
still hardcoded auth_alg=OPEN which is not really correct for SAE. While
the SME-in-wpa_supplicant case can handle that, the SME-in-driver case
might not. Remove the unnecessary auth_alg=OPEN configuration to get the
normal PSK+SAE configuration enabled for the network profile.
Janusz Dziedzic [Sun, 8 Mar 2020 13:27:04 +0000 (14:27 +0100)]
tests: Set device_name for WPS test cases
Set device_name in the test cases instead of relying on the
wpa_supplicant configuration file. This fixes problems when we run WPS
test cases in remote test environment.
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
projects / thirdparty / hostap.git / log
