thirdparty/hostap.git
7 months agotests: Fix ap_ft_reassoc_replay for case where wlantest has the PSK
Jouni Malinen [Sat, 24 Aug 2019 16:20:40 +0000 (19:20 +0300)] 
tests: Fix ap_ft_reassoc_replay for case where wlantest has the PSK

This test case was failing if wlantest was able to decrypt the CCMP
protected frames. Fix the tshark filter string to include only the
actually encrypted frames for PN comparison.

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agoIEEE 802.1X authenticator: Coding style cleanup
Jouni Malinen [Sat, 24 Aug 2019 14:31:39 +0000 (17:31 +0300)] 
IEEE 802.1X authenticator: Coding style cleanup

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agoClean up IEEE 802.1X authentication debug messages for EAP code
Jouni Malinen [Sat, 24 Aug 2019 14:12:45 +0000 (17:12 +0300)] 
Clean up IEEE 802.1X authentication debug messages for EAP code

Merge the separate debug print with the text name of the EAP code into
the same debug line with the numerical value to clean up debug log.

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agotests: EAP-TEAP with user and machine credentials
Jouni Malinen [Sat, 24 Aug 2019 13:48:23 +0000 (16:48 +0300)] 
tests: EAP-TEAP with user and machine credentials

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agoEAP-TEAP peer: Fix protected indication of inner EAP method failure
Jouni Malinen [Sat, 24 Aug 2019 13:55:26 +0000 (16:55 +0300)] 
EAP-TEAP peer: Fix protected indication of inner EAP method failure

Need to leave EAP-TEAP methodState == MAY_CONT when marking decision =
FAIL based on inner EAP method failure since this message will be
followed by protected failure indication.

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agoEAP-TEAP server: Add support for requiring user and machine credentials
Jouni Malinen [Sat, 24 Aug 2019 13:48:34 +0000 (16:48 +0300)] 
EAP-TEAP server: Add support for requiring user and machine credentials

The new eap_teap_id=5 hostapd configuration parameter value can be used
to configure EAP-TEAP server to request and require user and machine
credentials within the tunnel. This can be done either with Basic
Password Authentication or with inner EAP authentication methods.

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agotests: Remove unnecessary "config exists" debug prints from build.sh
Jouni Malinen [Sat, 24 Aug 2019 09:18:40 +0000 (12:18 +0300)] 
tests: Remove unnecessary "config exists" debug prints from build.sh

This is the common case and these prints do not really help and just
make the output from build.sh less clear.

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agotests: Import helper functions directly from utils.py
Jouni Malinen [Fri, 23 Aug 2019 21:14:41 +0000 (00:14 +0300)] 
tests: Import helper functions directly from utils.py

These were moved from test_sae.py to utils.py, so import them from the
correct location instead of through test_sae.py that imports them from
utils.py.

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agowlantest: Derive PMK-R1 and PTK for FT protocol cases
Jouni Malinen [Thu, 22 Aug 2019 19:14:47 +0000 (22:14 +0300)] 
wlantest: Derive PMK-R1 and PTK for FT protocol cases

Track PMK-R0/PMK-R0-Name from the initial mobility domain association
and derive PMK-R1/PTK when the station uses FT protocol. This allows
frames from additional roaming cases to be decrypted.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
7 months agotests: Configure wlantest for FT+PMF test cases
Jouni Malinen [Thu, 22 Aug 2019 19:13:02 +0000 (22:13 +0300)] 
tests: Configure wlantest for FT+PMF test cases

It is useful to get the encrypted frames decrypted in the sniffer
capture for these test cases.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
7 months agotests: EAP-TEAP with machine username/password credential
Jouni Malinen [Tue, 20 Aug 2019 10:15:19 +0000 (13:15 +0300)] 
tests: EAP-TEAP with machine username/password credential

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agoEAP-TEAP peer: Add support for machine authentication
Jouni Malinen [Tue, 20 Aug 2019 10:13:25 +0000 (13:13 +0300)] 
EAP-TEAP peer: Add support for machine authentication

This allows a separate machine credential to be used for authentication
if the server requests Identity-Type = 2 (machine).

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agoEAP peer: Add a concept of a separate machine credential
Jouni Malinen [Tue, 20 Aug 2019 10:10:34 +0000 (13:10 +0300)] 
EAP peer: Add a concept of a separate machine credential

This is an initial step in adding support for configuring separate user
and machine credentials. The new wpa_supplicant network profile
parameters machine_identity and machine_password are similar to the
existing identity and password, but explicitly assigned for the purpose
of machine authentication.

This commit alone does not change actual EAP peer method behavior as
separate commits are needed to determine when there is an explicit
request for machine authentication. Furthermore, this is only addressing
the username/password credential type, i.e., additional changes
following this design approach will be needed for certificate
credentials.

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agotests: Update authsrv_oom to match implementation changes
Jouni Malinen [Mon, 19 Aug 2019 23:59:06 +0000 (02:59 +0300)] 
tests: Update authsrv_oom to match implementation changes

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agoRADIUS server: Abort startup on allocation failures
Jouni Malinen [Mon, 19 Aug 2019 23:57:58 +0000 (02:57 +0300)] 
RADIUS server: Abort startup on allocation failures

Be more consistent on checking all parameter allocation and copying
steps within radius_server_init() and abort startup if anything fails
instead of trying to continue with other parts of the configuration.

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agoRADIUS server: Use struct eap_config to avoid duplicated definitions
Jouni Malinen [Mon, 19 Aug 2019 23:32:05 +0000 (02:32 +0300)] 
RADIUS server: Use struct eap_config to avoid duplicated definitions

Use struct eap_config as-is within RADIUS server to avoid having to
duplicate all the configuration variables at each interface. This
continues cleanup on struct eap_config duplication in hostapd.

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agoEAP-TEAP server: Fix eap_teap_pac_no_inner configuration
Jouni Malinen [Mon, 19 Aug 2019 23:12:31 +0000 (02:12 +0300)] 
EAP-TEAP server: Fix eap_teap_pac_no_inner configuration

This was not passed correctly to the EAP server code when using hostapd
internal EAP server.

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agoEAP-TEAP server: Fix Crypto-Binding check in PAC no-inner-auth case
Jouni Malinen [Mon, 19 Aug 2019 23:11:31 +0000 (02:11 +0300)] 
EAP-TEAP server: Fix Crypto-Binding check in PAC no-inner-auth case

The Crypto-Binding TLV is included without Intermediate-Result TLV in
this sequence since the server is skipping all inner authentication
methods and is only sending out Result TLV with the Crypto-Binding TLV.

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agotests: EAP-TEAP Identity-Type
Jouni Malinen [Mon, 19 Aug 2019 22:37:18 +0000 (01:37 +0300)] 
tests: EAP-TEAP Identity-Type

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agoEAP-TEAP server: Allow a specific Identity-Type to be requested/required
Jouni Malinen [Mon, 19 Aug 2019 22:37:31 +0000 (01:37 +0300)] 
EAP-TEAP server: Allow a specific Identity-Type to be requested/required

The new hostapd configuration parameter eap_teap_id can be used to
configure the expected behavior for used identity type.

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agoEAP-TEAP peer: Support Identity-Type TLV
Jouni Malinen [Mon, 19 Aug 2019 22:35:36 +0000 (01:35 +0300)] 
EAP-TEAP peer: Support Identity-Type TLV

Parse the received Identity-Type TLV and report the used Identity-Type
in response if the request included this TLV. For now, only the
Identity-Type 1 (User) is supported.

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agoEAP-TEAP: Add parsing and generation routines for Identity-Type TLV
Jouni Malinen [Mon, 19 Aug 2019 22:34:12 +0000 (01:34 +0300)] 
EAP-TEAP: Add parsing and generation routines for Identity-Type TLV

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agotests: sigma_dut controlled SAE association and FT-over-DS
Jouni Malinen [Mon, 19 Aug 2019 21:15:20 +0000 (00:15 +0300)] 
tests: sigma_dut controlled SAE association and FT-over-DS

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
7 months agotests: sigma_dut controlled AP FT-PSK (over-DS)
Jouni Malinen [Mon, 19 Aug 2019 20:54:29 +0000 (23:54 +0300)] 
tests: sigma_dut controlled AP FT-PSK (over-DS)

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
7 months agotests: Make mbo_cell_capa_update_pmf more robust
Jouni Malinen [Mon, 19 Aug 2019 14:22:41 +0000 (17:22 +0300)] 
tests: Make mbo_cell_capa_update_pmf more robust

Wait for hostapd to report completion of connection so that the WNM
Notification Request frame does not get sent before the AP has processed
EAPOL-Key msg 4/4 and configured the TK. This could result in a race
condition especially when testing using UML with time-travel.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
7 months agotests: sigma_dut and initial UOSC with TOD-STRICT/TOFU
Jouni Malinen [Mon, 19 Aug 2019 13:57:55 +0000 (16:57 +0300)] 
tests: sigma_dut and initial UOSC with TOD-STRICT/TOFU

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
7 months agoOpenSSL: Write peer certificate chain details in debug log
Jouni Malinen [Mon, 19 Aug 2019 13:34:22 +0000 (16:34 +0300)] 
OpenSSL: Write peer certificate chain details in debug log

This makes it more convenient to debug TLS certificate validation
issues.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
7 months agotests: ap_wpa2_eap_too_many_roundtrips to use shorter fragment
Jouni Malinen [Sun, 18 Aug 2019 14:46:34 +0000 (17:46 +0300)] 
tests: ap_wpa2_eap_too_many_roundtrips to use shorter fragment

This is needed with the increased maximum EAP round limit since the
server side sends out longer messages in this exchange and that prevent
the short message limit from being reached.

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agoEAP: Increase the maximum number of message exchanges
Jouni Malinen [Sun, 18 Aug 2019 14:18:17 +0000 (17:18 +0300)] 
EAP: Increase the maximum number of message exchanges

Allow 100 rounds of EAP messages if there is data being transmitted.
Keep the old 50 round limit for cases where only short EAP messages are
sent (i.e., the likely case of getting stuck in ACK loop).

This allows larger EAP data (e.g., large certificates) to be exchanged
without breaking the workaround for ACK loop interop issues.

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agotests: Update authsrv_oom match changed implementation
Jouni Malinen [Sun, 18 Aug 2019 14:39:58 +0000 (17:39 +0300)] 
tests: Update authsrv_oom match changed implementation

Need to take into account the additional memory allocation within
radius_server_init().

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agoEAP server: Use struct eap_config to avoid duplicated definitions
Jouni Malinen [Sun, 18 Aug 2019 12:23:12 +0000 (15:23 +0300)] 
EAP server: Use struct eap_config to avoid duplicated definitions

Use struct eap_config as-is within struct eap_sm and EAPOL authenticator
to avoid having to duplicate all the configuration variables at each
interface. Split the couple of session specific variables into a
separate struct to allow a single const struct eap_config to be used.

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agotests: Vendor EAP method in Phase 2
Jouni Malinen [Sat, 17 Aug 2019 13:12:23 +0000 (16:12 +0300)] 
tests: Vendor EAP method in Phase 2

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agoEAP-TEAP peer: Support vendor EAP method in Phase 2
Jouni Malinen [Sat, 17 Aug 2019 13:12:09 +0000 (16:12 +0300)] 
EAP-TEAP peer: Support vendor EAP method in Phase 2

The implementation was previously hardcoded to use only the non-expanded
IETF EAP methods in Phase 2. Extend that to allow vendor EAP methods
with expanded header to be used.

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agoEAP-PEAP server: Support vendor EAP types in Phase 2
Jouni Malinen [Sat, 17 Aug 2019 13:11:20 +0000 (16:11 +0300)] 
EAP-PEAP server: Support vendor EAP types in Phase 2

This was already allowed with EAP-PEAP, but EAP-TEAP was hardcoded to
use only the non-expanded EAP types. Extend that to allow vendor EAP
types to be used.

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agoEAP-FAST peer: Support vendor EAP method in Phase 2
Jouni Malinen [Sat, 17 Aug 2019 12:58:26 +0000 (15:58 +0300)] 
EAP-FAST peer: Support vendor EAP method in Phase 2

The implementation was previously hardcoded to use only the non-expanded
IETF EAP methods in Phase 2. Extend that to allow vendor EAP methods
with expanded header to be used.

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agoEAP-FAST server: Support vendor EAP types in Phase 2
Jouni Malinen [Sat, 17 Aug 2019 12:57:52 +0000 (15:57 +0300)] 
EAP-FAST server: Support vendor EAP types in Phase 2

This was already allowed with EAP-PEAP, but EAP-FAST was hardcoded to
use only the non-expanded EAP types. Extend that to allow vendor EAP
types to be used.

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agoEAP-PEAP peer: Support vendor EAP method in Phase 2
Jouni Malinen [Sat, 17 Aug 2019 12:40:59 +0000 (15:40 +0300)] 
EAP-PEAP peer: Support vendor EAP method in Phase 2

The implementation was previously hardcoded to allow only the Microsoft
SoH expanded EAP method in Phase 2 in addition to non-expanded EAP
methods. Extend that to allow any vendor EAP method with an expanded
header to be used.

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agoEAP peer: Allow VENDOR-TEST method in Phase 2
Jouni Malinen [Sat, 17 Aug 2019 09:12:57 +0000 (12:12 +0300)] 
EAP peer: Allow VENDOR-TEST method in Phase 2

This allows EAP methods to be tested for support of expanded EAP headers
in Phase 2.

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agoEAP-TTLS peer: Support vendor EAP method in Phase 2
Jouni Malinen [Sat, 17 Aug 2019 09:11:50 +0000 (12:11 +0300)] 
EAP-TTLS peer: Support vendor EAP method in Phase 2

The implementation was previously hardcoded to use only the non-expanded
IETF EAP methods in Phase 2. Extend that to allow vendor EAP methods
with expanded header to be used.

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agoEAP-TTLS server: Support vendor EAP types in Phase 2
Jouni Malinen [Sat, 17 Aug 2019 09:09:27 +0000 (12:09 +0300)] 
EAP-TTLS server: Support vendor EAP types in Phase 2

This was already allowed with EAP-PEAP, but EAP-TTLS was hardcoded to
use only the non-expanded EAP types. Extend that to allow vendor EAP
types to be used.

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agoReplace EapType typedef with enum eap_type
Jouni Malinen [Sat, 17 Aug 2019 08:36:20 +0000 (11:36 +0300)] 
Replace EapType typedef with enum eap_type

This cleans up coding style of the EAP implementation by avoiding
typedef of an enum hiding the type of the variables.

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agotests: EAP-TEAP and separate message for Result TLV
Jouni Malinen [Fri, 16 Aug 2019 20:54:37 +0000 (23:54 +0300)] 
tests: EAP-TEAP and separate message for Result TLV

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agoEAP-TEAP server: Testing mechanism for Result TLV in a separate message
Jouni Malinen [Fri, 16 Aug 2019 20:54:51 +0000 (23:54 +0300)] 
EAP-TEAP server: Testing mechanism for Result TLV in a separate message

The new eap_teap_separate_result=1 hostapd configuration parameter can
be used to test TEAP exchange where the Intermediate-Result TLV and
Crypto-Binding TLV are send in one message exchange while the Result TLV
exchange in done after that in a separate message exchange.

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agoEAP-TEAP peer: Allow Result TLV without Crypto-Binding TLV
Jouni Malinen [Fri, 16 Aug 2019 20:39:33 +0000 (23:39 +0300)] 
EAP-TEAP peer: Allow Result TLV without Crypto-Binding TLV

If the Crypto-Binding TLV for the last EAP method has been validated
successfully in a previous message exchange with Intermediate-Result TLV
and no new EAP method has been started, Result TLV can be accepted
without an additional Crypto-Binding TLV. This allows the server to go
through additional message exchanges after inner EAP method, if needed.

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agoEAP-TEAP: Add parsing of Error TLV
Jouni Malinen [Fri, 16 Aug 2019 20:25:31 +0000 (23:25 +0300)] 
EAP-TEAP: Add parsing of Error TLV

This TLV needs to be processed properly instead of NAK'ed as
unsupported.

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agoEAP-TEAP server: Require Intermediate-Result TLV even with Result TLV
Jouni Malinen [Fri, 16 Aug 2019 20:12:54 +0000 (23:12 +0300)] 
EAP-TEAP server: Require Intermediate-Result TLV even with Result TLV

It is not sufficient for the peer to include only the Result TLV if the
server included both the Intermediate-Result TLV and Result TLV.

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agoEAP-TEAP peer: Add Intermediate-Result TLV with Crypto-Binding TLV
Jouni Malinen [Fri, 16 Aug 2019 20:11:28 +0000 (23:11 +0300)] 
EAP-TEAP peer: Add Intermediate-Result TLV with Crypto-Binding TLV

Previously, only the Result TLV was added when writing Crypto-Binding
TLV response. This is not sufficient, since RFC 7170 require
Intermediate-Result TLV response to be included from the peer if the
server included Intermediate-Result TLV.

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agoEAP-TEAP: Fix TLS-PRF for TLS ciphersuites that use SHA384
Jouni Malinen [Fri, 16 Aug 2019 18:16:44 +0000 (21:16 +0300)] 
EAP-TEAP: Fix TLS-PRF for TLS ciphersuites that use SHA384

These need to be using the HMAC-based TLS-PRF with SHA384 instead of
SHA256 as the hash algorithm.

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agoAdd TLS-PRF using HMAC with P_SHA384 for TEAP
Jouni Malinen [Fri, 16 Aug 2019 18:15:32 +0000 (21:15 +0300)] 
Add TLS-PRF using HMAC with P_SHA384 for TEAP

This version of TLS PRF is needed when using TEAP with TLS ciphersuites
that are defined to use SHA384 instead of SHA256.

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agotests: sigma_dut with TOD-TOFU
Jouni Malinen [Fri, 16 Aug 2019 13:39:08 +0000 (16:39 +0300)] 
tests: sigma_dut with TOD-TOFU

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
7 months agotests: TOD-TOFU policy reporting
Jouni Malinen [Fri, 16 Aug 2019 13:25:14 +0000 (16:25 +0300)] 
tests: TOD-TOFU policy reporting

Also rename the previously added test case to use the TOD-STRICT name
for the earlier policy OID.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
7 months agotests: Update RSA 3k certificates before the previous ones expire
Jouni Malinen [Fri, 16 Aug 2019 13:21:38 +0000 (16:21 +0300)] 
tests: Update RSA 3k certificates before the previous ones expire

In addition, update the generation script to allow convenient update of
the server and user certificates without having to generate new keys.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
7 months agotests: Add a server certificate with TOD-TOFU policy
Jouni Malinen [Fri, 16 Aug 2019 12:59:43 +0000 (15:59 +0300)] 
tests: Add a server certificate with TOD-TOFU policy

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
7 months agoExtend server certificate TOD policy reporting to include TOD-TOFU
Jouni Malinen [Fri, 16 Aug 2019 12:51:40 +0000 (15:51 +0300)] 
Extend server certificate TOD policy reporting to include TOD-TOFU

The previously used single TOD policy was split into two policies:
TOD-STRICT and TOD-TOFU. Report these separately in the
CTRL-EVENT-EAP-PEER-CERT events (tod=1 for TOD-STRICT and tod=2 for
TOD-TOFU).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
7 months agoSAE: Conditionally set PMKID while notifying the external auth status
Sunil Dutt [Fri, 16 Aug 2019 05:18:45 +0000 (10:48 +0530)] 
SAE: Conditionally set PMKID while notifying the external auth status

This is needed for the drivers implementing SME to include the PMKID in
the Association Request frame directly following SAE authentication.

This commit extends the commit d2b208384391 ("SAE: Allow PMKID to be
added into Association Request frame following SAE") for drivers with
internal SME that use the external authentication mechanism.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
7 months agoSAE: Use BSSID stored in ext_auth_bssid for set_pmk
Sunil Dutt [Fri, 16 Aug 2019 05:08:10 +0000 (10:38 +0530)] 
SAE: Use BSSID stored in ext_auth_bssid for set_pmk

pending_bssid is cleared in the connected state and thus is not valid if
SAE authentication is done to a new BSSID when in the connected state.
Hence use the BSSID from ext_auth_bssid while configuring the PMK for
the external authentication case. This is required for roaming to a new
BSSID with driver-based-SME while the SAE processing happens with
wpa_supplicant.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
7 months agoOWE: Update connect params with new DH attributes to the driver
Sunil Dutt [Thu, 25 Jul 2019 06:40:57 +0000 (12:10 +0530)] 
OWE: Update connect params with new DH attributes to the driver

A new DH public key is sent through this interface to the driver after
every successful connection/roam to a BSS. This helps to do OWE roaming
to a new BSS with drivers that implement SME/MLME operations during
roaming.

This updated DH IEs are added in the subsequent (Re)Association Request
frame sent by the station when roaming. The DH IE from the roamed AP is
given to wpa_supplicant in the roam result event. wpa_supplicant shall
further process these DH IEs to generate the PMK for the 4-way
handshake.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
7 months agonl80211: Request update connection params only for drivers with SME
Sunil Dutt [Fri, 16 Aug 2019 04:53:24 +0000 (10:23 +0530)] 
nl80211: Request update connection params only for drivers with SME

Update Connection Params is intended for drivers that implement
internal SME and expect these updated connection params from
wpa_supplicant. Do not send this request for the drivers using
SME from wpa_supplicant.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
7 months agotests: Additional FT with PMF required testing coverage
Jouni Malinen [Fri, 16 Aug 2019 10:53:04 +0000 (13:53 +0300)] 
tests: Additional FT with PMF required testing coverage

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
7 months agoFT: Reject over-the-DS response with MFPC=0 if PMF is required
Jouni Malinen [Fri, 16 Aug 2019 10:50:54 +0000 (13:50 +0300)] 
FT: Reject over-the-DS response with MFPC=0 if PMF is required

If FT over-the-DS case is enforced through the "FT_DS <BSSID>" control
interface command, the PMF capability check during BSS selection is not
used and that could have allowed PMF to be disabled in the over-the-DS
case even if the local network profile mandated use of PMF. Check
against this explicitly to avoid unexpected cases if the APs within the
same mobility domain are not configured consistently.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
7 months agoRSN: Do not allow connection to proceed without MFPC=1 if PMF required
Jouni Malinen [Fri, 16 Aug 2019 10:48:16 +0000 (13:48 +0300)] 
RSN: Do not allow connection to proceed without MFPC=1 if PMF required

PMF capability check is done as part of BSS selection routines, but
those are not used when going through the enforced roaming operation
("ROAM <BSSID>" control interface command). While that mechanism is
mainly for testing purposes, extend it to do the same check for PMF to
prevent cases where forced roaming could end up disabling PMF against
the local profile requirement.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
7 months agoFT: Fix MFPR flag in RSNE during FT protocol
Jouni Malinen [Fri, 16 Aug 2019 10:23:06 +0000 (13:23 +0300)] 
FT: Fix MFPR flag in RSNE during FT protocol

Commit e820cf952f29 ("MFP: Add MFPR flag into station RSN IE if 802.11w
is mandatory") added indication of MFPR flag in non-FT cases, but forgot
to do so for the FT protocol cases where a different function is used to
build the RSNE. Do the same change now for that FT specific case to get
consistent behavior on indicating PMF configuration state with MFPR.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
7 months agoOCE: Mandate PMF for WPA2 association with OCE AP
Ankita Bajaj [Tue, 30 Jul 2019 09:05:32 +0000 (14:35 +0530)] 
OCE: Mandate PMF for WPA2 association with OCE AP

An OCE AP with WPA2 enabled shall require PMF negotiation when
associating with an OCE STA. An OCE STA-CFON may negotiate PMF with a
STA when it is operating as an AP. Don't select an OCE AP for connection
if PMF is not enabled.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
7 months agoHS 2.0: Match credentials based on required_roaming_consortium
Purushottam Kushwaha [Fri, 26 Jul 2019 05:55:19 +0000 (11:25 +0530)] 
HS 2.0: Match credentials based on required_roaming_consortium

When required_roaming_consortium is set in a credential, station
should match this against Roaming Consortium(s) for a BSS similar
to how it is matching for roaming_consortiums during Interworking
credentials availability check for roaming_consortium.

In the context of Hotspot 2.0 PPS MO, this means addressing matching
part in the same manner for HomeSP/HomeOIList/<X+>/HomeOI regardless of
how HomeSP/HomeOIList/<X+>/HomeOIRequired is set (i.e., the required
part is used as an independent check for the AP advertising the needed
information while the "credential can be used here and this is a home
network" part is shared).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
7 months agotests: SAE and PMKSA caching (PMKID in AssocReq after SAE)
Jouni Malinen [Wed, 14 Aug 2019 14:51:31 +0000 (17:51 +0300)] 
tests: SAE and PMKSA caching (PMKID in AssocReq after SAE)

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
7 months agoSAE: Allow PMKID to be added into Association Request frame following SAE
Jouni Malinen [Wed, 14 Aug 2019 14:49:23 +0000 (17:49 +0300)] 
SAE: Allow PMKID to be added into Association Request frame following SAE

IEEE Std 802.11-2016 does not require this behavior from a SAE STA, but
it is not disallowed either, so it is useful to have an option to
identify the derived PMKSA in the immediately following Association
Request frames. This is disabled by default (i.e., no change to previous
behavior) and can be enabled with a global wpa_supplicant configuration
parameter sae_pmkid_in_assoc=1.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
7 months agoMake wpa_insert_pmkid() more generic
Jouni Malinen [Wed, 14 Aug 2019 14:47:58 +0000 (17:47 +0300)] 
Make wpa_insert_pmkid() more generic

This is not used only with FT, so make the comments less confusing and
include the function in all builds to make it available for
non-FT/non-FILS builds.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
7 months agotests: Fix wlan.mesh.config.cap workaround for test_wpas_mesh_max_peering
Sven Eckelmann [Fri, 12 Jul 2019 10:48:53 +0000 (12:48 +0200)] 
tests: Fix wlan.mesh.config.cap workaround for test_wpas_mesh_max_peering

The wlan.mesh.config doesn't have to be the last element of beacon. Things
like VHT or HE oper/cap are usually follow the mesh configuration element.

The workaround must first get the position of a correct reference value in
wlan.mesh.config (ps_protocol) and then calculate the correct
wlan.mesh.config.cap offset based on that.

Reported-by: Johannes Berg <johannes@sipsolutions.net>
Fixes: 2cbaf0de223b ("tests: Work around tshark bug in wpas_mesh_max_peering")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
7 months agoHE: MCS size is always a minimum of 4 bytes
John Crispin [Mon, 1 Jul 2019 13:27:09 +0000 (15:27 +0200)] 
HE: MCS size is always a minimum of 4 bytes

The MCS set always has a minimal size of 4 bytes. Without this change
HE20 failed to work.

Signed-off-by: John Crispin <john@phrozen.org>
7 months agonl80211: Don't force VHT channel definition with HE
Sven Eckelmann [Mon, 1 Jul 2019 13:34:08 +0000 (15:34 +0200)] 
nl80211: Don't force VHT channel definition with HE

HE (802.11ax) is also supported on 2.4 GHz. And the 2.4 GHz band isn't
supposed to use VHT operations. Some codepaths in wpa_supplicant will
therefore not initialize the freq->bandwidth or the freq->center_freq1/2
members. As a result, the nl80211_put_freq_params() will directly return
an error (-1) or the kernel will return an error due to the invalid
channel definition.

Instead, the channel definitions should be created based on the actual
HT/VHT/none information on 2.4 GHz.

Fixes: ad9a1bfe788e ("nl80211: Share VHT channel configuration for HE")
Signed-off-by: Sven Eckelmann <seckelmann@datto.com>
7 months agoCheck for LEAP before doing FT
Matthew Wang [Thu, 8 Aug 2019 20:02:12 +0000 (13:02 -0700)] 
Check for LEAP before doing FT

According to https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/80211r-ft/b-80211r-dg.html
Cisco does not support EAP-LEAP with Fast Transition. Here,
we check for LEAP before selecting FT 802.1X key management
suite.

Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
7 months agotests: DPP network introduction with expired netaccesskey
Jouni Malinen [Sun, 11 Aug 2019 13:45:43 +0000 (16:45 +0300)] 
tests: DPP network introduction with expired netaccesskey

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agotests: SAE dot11RSNASAESync
Jouni Malinen [Sun, 11 Aug 2019 13:34:41 +0000 (16:34 +0300)] 
tests: SAE dot11RSNASAESync

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agoFix a typo in hostapd config documentation
Jouni Malinen [Sun, 11 Aug 2019 13:32:27 +0000 (16:32 +0300)] 
Fix a typo in hostapd config documentation

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agotests: OCE AP
Jouni Malinen [Sun, 11 Aug 2019 13:31:34 +0000 (16:31 +0300)] 
tests: OCE AP

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agotests: WPS registrar configuring an AP using preconfigured AP password token
Jouni Malinen [Sun, 11 Aug 2019 13:25:48 +0000 (16:25 +0300)] 
tests: WPS registrar configuring an AP using preconfigured AP password token

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agotests: HE AP parameters
Jouni Malinen [Sun, 11 Aug 2019 13:14:44 +0000 (16:14 +0300)] 
tests: HE AP parameters

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agotests: OCV on 2.4 GHz with PMF getting enabled automatically
Jouni Malinen [Sun, 11 Aug 2019 13:06:49 +0000 (16:06 +0300)] 
tests: OCV on 2.4 GHz with PMF getting enabled automatically

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agotests: acs_exclude_dfs=1
Jouni Malinen [Sun, 11 Aug 2019 13:02:43 +0000 (16:02 +0300)] 
tests: acs_exclude_dfs=1

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agotests: FT RKH parameters
Jouni Malinen [Sun, 11 Aug 2019 10:25:33 +0000 (13:25 +0300)] 
tests: FT RKH parameters

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agotests: FT PMK-R0/R1 expiration
Jouni Malinen [Sun, 11 Aug 2019 10:19:44 +0000 (13:19 +0300)] 
tests: FT PMK-R0/R1 expiration

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agotests: Server checking CRL with check_crl_strict=0
Jouni Malinen [Sun, 11 Aug 2019 08:04:13 +0000 (11:04 +0300)] 
tests: Server checking CRL with check_crl_strict=0

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agoFix check_crl_strict documentation
Jouni Malinen [Sun, 11 Aug 2019 07:44:29 +0000 (10:44 +0300)] 
Fix check_crl_strict documentation

The OpenSSL error codes used here were for certificates, not CRLs. Fix
that to refer to CRL being expired or not yet valid.

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agotests: private_key_passwd2 in hostapd configuration
Jouni Malinen [Sun, 11 Aug 2019 07:40:13 +0000 (10:40 +0300)] 
tests: private_key_passwd2 in hostapd configuration

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agotests: Additional hostapd configuration parser coverage
Jouni Malinen [Sat, 10 Aug 2019 21:24:38 +0000 (00:24 +0300)] 
tests: Additional hostapd configuration parser coverage

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agotests: Additional dpp_controller parsing coverage
Jouni Malinen [Sat, 10 Aug 2019 15:45:37 +0000 (18:45 +0300)] 
tests: Additional dpp_controller parsing coverage

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agotests: Additional sae_password parsing coverage
Jouni Malinen [Sat, 10 Aug 2019 15:37:54 +0000 (18:37 +0300)] 
tests: Additional sae_password parsing coverage

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agotests: Additional tls_flags coverage
Jouni Malinen [Sat, 10 Aug 2019 14:22:32 +0000 (17:22 +0300)] 
tests: Additional tls_flags coverage

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agotests: Additional operator_icon parsing coverage
Jouni Malinen [Sat, 10 Aug 2019 14:06:40 +0000 (17:06 +0300)] 
tests: Additional operator_icon parsing coverage

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agotests: Additional osu_nai2 parsing coverage
Jouni Malinen [Sat, 10 Aug 2019 14:04:27 +0000 (17:04 +0300)] 
tests: Additional osu_nai2 parsing coverage

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agotests: Additional venue_url parsing coverage
Jouni Malinen [Sat, 10 Aug 2019 14:02:10 +0000 (17:02 +0300)] 
tests: Additional venue_url parsing coverage

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agotests: Additional eap_user_file parsing coverage
Jouni Malinen [Sat, 10 Aug 2019 13:35:11 +0000 (16:35 +0300)] 
tests: Additional eap_user_file parsing coverage

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agotests: Additional vlan_file parsing coverage
Jouni Malinen [Sat, 10 Aug 2019 13:16:29 +0000 (16:16 +0300)] 
tests: Additional vlan_file parsing coverage

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months agoAdd QCA vendor command for avoid frequency feature
Rajeev Kumar Sirasanagandla [Thu, 25 Jul 2019 17:27:17 +0000 (22:57 +0530)] 
Add QCA vendor command for avoid frequency feature

Add vendor command QCA_NL80211_VENDOR_SUBCMD_AVOID_FREQUENCY_EXT
and attribute qca_wlan_vendor_attr_avoid_frequency_ext to send structured
avoid frequency data.

This new command is alternative to existing command
QCA_NL80211_VENDOR_SUBCMD_AVOID_FREQUENCY since existing command is
using stream of bytes instead of structured data using vendor attributes.

Signed-off-by: Rajeev Kumar Sirasanagandla <rsirasan@codeaurora.org>
7 months agoUpdate QCA vendor attributes for 6 GHz band support
Rajeev Kumar Sirasanagandla [Thu, 1 Aug 2019 11:16:32 +0000 (16:46 +0530)] 
Update QCA vendor attributes for 6 GHz band support

As a part of P802.11ax amendment, 6 GHz band operation is added.

Since the 6 GHz channel numbers are overlapping with existing 2.4 GHz
and 5 GHz channel numbers, use frequency to identify unique channel
operation instead of channel number. Channel frequency is unique across
bands.

In the existing QCA vendor interface, wherever missing, add frequency
attributes to identify unique channel operation. In addition, add
comments to document some of the previously missed attributes/values.

Note: If both channel and frequency attributes are present in vendor
command/event and
(a) If both the driver and user-space application supports 6 GHz band
then channel related attributes are deprecated and use frequency
attributes.
(b) If either driver or user-space application or both doesn't
support 6 GHz band then use channel attributes.

Signed-off-by: Rajeev Kumar Sirasanagandla <rsirasan@codeaurora.org>
7 months agoAdd QCA vendor channel attribute to restart AP
Rajeev Kumar Sirasanagandla [Thu, 25 Jul 2019 15:37:02 +0000 (21:07 +0530)] 
Add QCA vendor channel attribute to restart AP

Add QCA_WLAN_VENDOR_ATTR_SAP_CONFIG_CHANNEL attribute in
enum qca_wlan_vendor_attr_sap_config to use with vendor command
QCA_NL80211_VENDOR_SUBCMD_SET_SAP_CONFIG.

This new attribute is used to restart AP on given channel.

Signed-off-by: Rajeev Kumar Sirasanagandla <rsirasan@codeaurora.org>
7 months agoAdd QCA vendor command to configure ACS policy
Rajeev Kumar Sirasanagandla [Thu, 25 Jul 2019 15:24:43 +0000 (20:54 +0530)] 
Add QCA vendor command to configure ACS policy

Add a QCA vendor sub command QCA_NL80211_VENDOR_SUBCMD_ACS_POLICY
with attributes enum qca_wlan_vendor_attr_acs_config and
enum qca_acs_dfs_mode to configure ACS policy.

Signed-off-by: Rajeev Kumar Sirasanagandla <rsirasan@codeaurora.org>
7 months agoAdd QCA vendor attributes to enhance roaming configuration
Srinivas Dasari [Tue, 6 Aug 2019 18:18:19 +0000 (23:48 +0530)] 
Add QCA vendor attributes to enhance roaming configuration

This enhances the existing vendor command QCA_NL80211_VENDOR_SUBCMD_ROAM
with the following configurations:
1. Set/get/clear roam control
2. Set/get the channels on which the roaming has to be triggered.
3. Set/get the roam scan period.
4. Configure the triggers for roaming.
5. Configure the candidate selection criteria.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
7 months agoRename qca_wlan_vendor_attr_roam_subcmd to represent subcmds
Sunil Dutt [Tue, 6 Aug 2019 15:00:00 +0000 (20:30 +0530)] 
Rename qca_wlan_vendor_attr_roam_subcmd to represent subcmds

qca_wlan_vendor_attr_roam_subcmd is an enum associated with the
attribute QCA_WLAN_VENDOR_ATTR_ROAMING_SUBCMD. It represents different
sub command values and these are not the attributes. Hence, rename the
enum to qca_wlan_vendor_roaming_subcmd. Accordingly, the members of this
enum are also renamed to suite the usage.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
7 months agoDocument the attributes used by QCA_NL80211_VENDOR_SUBCMD_ROAM
Sunil Dutt [Tue, 6 Aug 2019 10:13:29 +0000 (15:43 +0530)] 
Document the attributes used by QCA_NL80211_VENDOR_SUBCMD_ROAM

This commit documents the attributes used by
QCA_NL80211_VENDOR_SUBCMD_ROAM.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>