git.ipfire.org Git - thirdparty/hostap.git/log
4 years ago: Remove CONFIG_IEEE80211W build parameter
Jouni Malinen [Sun, 8 Sep 2019 14:17:31 +0000 (17:17 +0300)] 
Remove CONFIG_IEEE80211W build parameter

Hardcode this to be defined and remove the separate build options for
PMF since this functionality is needed with a large number of newer
protocol extensions and is also something that should be enabled in all
WPA2/WPA3 networks.

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: DFS offload: Fix hostapd state and CAC info in STATUS output
Hu Wang [Wed, 14 Aug 2019 09:31:19 +0000 (17:31 +0800)] 
DFS offload: Fix hostapd state and CAC info in STATUS output

With DFS offloaded to the driver, hostapd state and CAC info were not
updated in DFS-CAC-START event, so STATUS output showed wrong info. Fix
this by updating the CAC related state when processing the driver event.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
4 years ago: EAP-TEAP peer: Clear Phase 2 EAP method on new Identity exchange
Jouni Malinen [Sun, 1 Sep 2019 14:15:06 +0000 (17:15 +0300)] 
EAP-TEAP peer: Clear Phase 2 EAP method on new Identity exchange

This is needed to allow clean transition from one inner EAP
authentication method to another one if EAP method negotiation is needed
within Phase 2.

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: tests: EAP-TEAP with inner EAP-MSCHAPv2 user and EAP-TLS machine credentials
Jouni Malinen [Sun, 1 Sep 2019 14:08:45 +0000 (17:08 +0300)] 
tests: EAP-TEAP with inner EAP-MSCHAPv2 user and EAP-TLS machine credentials

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: EAP-TEAP peer: Add support for machine credentials using certificates
Jouni Malinen [Sun, 1 Sep 2019 13:44:51 +0000 (16:44 +0300)] 
EAP-TEAP peer: Add support for machine credentials using certificates

This allows EAP-TLS to be used within an EAP-TEAP tunnel when there is
an explicit request for machine credentials. The network profile
parameters are otherwise the same as the Phase 1 parameters, but each one
uses a "machine_" prefix for the parameter name.

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: Do not try to include net/ethernet.h in MinGW/Windows builds
Jouni Malinen [Sun, 1 Sep 2019 13:16:43 +0000 (16:16 +0300)] 
Do not try to include net/ethernet.h in MinGW/Windows builds

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: Fix Windows error code definition workaround
Jouni Malinen [Sun, 1 Sep 2019 13:14:08 +0000 (16:14 +0300)] 
Fix Windows error code definition workaround

ENOTCONN, EOPNOTSUPP, and ECANCELED are defined in a newer version of
MinGW, so make this workaround conditional on what is defined in the
header files.

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: EAP peer config: Move ocsp param to phase1/phase2
Jouni Malinen [Sun, 1 Sep 2019 13:07:58 +0000 (16:07 +0300)] 
EAP peer config: Move ocsp param to phase1/phase2

OCSP configuration is applicable to each instance of TLS-based
authentication and as such, the configuration might need to be different
for Phase 1 and Phase 2. Move ocsp into struct eap_peer_cert_config and
add a separate ocsp2 network profile parameter to set this for Phase 2.

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: tests: Too many EAP roundtrips (server)
Jouni Malinen [Sun, 1 Sep 2019 12:59:34 +0000 (15:59 +0300)] 
tests: Too many EAP roundtrips (server)

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: EAP server: Configurable maximum number of authentication message rounds
Jouni Malinen [Sun, 1 Sep 2019 12:58:10 +0000 (15:58 +0300)] 
EAP server: Configurable maximum number of authentication message rounds

Allow the previously hardcoded maximum numbers of EAP message rounds to
be configured in hostapd EAP server. This can be used, e.g., to increase
the default limits if very large X.509 certificates are used for EAP
authentication.

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: EAP peer: Move certificate configuration params into shared struct
Jouni Malinen [Sun, 1 Sep 2019 12:37:22 +0000 (15:37 +0300)] 
EAP peer: Move certificate configuration params into shared struct

These parameters for certificate authentication are identical for the
Phase 1 (EAP-TLS alone) and Phase 2 (EAP-TLS inside a TLS tunnel).
Furthermore, yet another copy would be needed to support separate
machine credential in Phase 2. Clean this up by moving the shared
parameters into a separate data struct that can then be used for each
need without having to define separate struct members for each use.

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: mesh: Do not enable HE on 5 GHz without VHT
Sven Eckelmann [Tue, 13 Aug 2019 13:50:52 +0000 (15:50 +0200)] 
mesh: Do not enable HE on 5 GHz without VHT

The commit ad9a1bfe788e ("nl80211: Share VHT channel configuration for
HE") always enforced that VHT is enabled when HE was enabled. This broke
the mesh functionality on 2.4 GHz with HE because ibss_mesh_setup_freq()
isn't setting up the VHT parameters for 2.4 GHz.

This problem was resolved for 2.4 GHz by commit df4f959988b6 ("nl80211:
Don't force VHT channel definition with HE"), but it is still possible
to disable VHT during the mesh/IBSS freq setup on 5 GHz - which would
result in the same problem as seen on 2.4 GHz.

The code enabling HE for IBSS/mesh must now make sure that it doesn't
enable HE when VHT could be enforced by the nl80211 driver code but
disabled by the user.

Fixes: 3459c54ac78b ("mesh: Add support for HE mode")
Signed-off-by: Sven Eckelmann <seckelmann@datto.com>
4 years ago: HE: Fix HE Capabilities element size
John Crispin [Tue, 13 Aug 2019 13:10:46 +0000 (15:10 +0200)] 
HE: Fix HE Capabilities element size

Set the max value of optional bytes inside the data structure. This
requires us to calculate the actually used size when copying the
HE capabilities and generating the IE.

Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Sven Eckelmann <seckelmann@datto.com>
4 years ago: Add nl80211 vendor ACS trigger reasons related to interference
Krishna Rao [Wed, 14 Aug 2019 14:51:19 +0000 (20:21 +0530)] 
Add nl80211 vendor ACS trigger reasons related to interference

Add the following ACS trigger reasons to enum
qca_wlan_vendor_acs_select_reason:
1) QCA_WLAN_VENDOR_ACS_SELECT_REASON_GENERIC_INTERFERENCE
       Generic, uncategorized interference found
2) QCA_WLAN_VENDOR_ACS_SELECT_REASON_80211_INTERFERENCE
       Excessive 802.11 interference found
3) QCA_WLAN_VENDOR_ACS_SELECT_REASON_CW_INTERFERENCE
       Continuous Wave (CW) interference found
4) QCA_WLAN_VENDOR_ACS_SELECT_REASON_MWO_INTERFERENCE
       Microwave Oven (MWO) interference found
5) QCA_WLAN_VENDOR_ACS_SELECT_REASON_FHSS_INTERFERENCE
       Frequency-Hopping Spread Spectrum (FHSS) interference found
6) QCA_WLAN_VENDOR_ACS_SELECT_REASON_NON_80211_FHSS_INTERFERENCE
       Non-802.11 Frequency-Hopping Spread Spectrum (FHSS) interference
       found
7) QCA_WLAN_VENDOR_ACS_SELECT_REASON_WB_INTERFERENCE
       Wideband (WB) interference found
8) QCA_WLAN_VENDOR_ACS_SELECT_REASON_NON_80211_WB_INTERFERENCE
       Non-802.11 Wideband (WB) interference found
9) QCA_WLAN_VENDOR_ACS_SELECT_REASON_JAMMER_INTERFERENCE
       Jammer interference found

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
4 years ago: HS 2.0: Do not add two copies of OSEN element into Beacon/Probe Resp
Jouni Malinen [Fri, 30 Aug 2019 12:41:58 +0000 (15:41 +0300)] 
HS 2.0: Do not add two copies of OSEN element into Beacon/Probe Resp

OSEN element was getting added both through the Authenticator IEs
(before some non-vendor elements) and separately at the end of the
frames with other vendor elements. Fix this by removing the separate
addition of the OSEN element and by moving the Authenticator IE addition
for OSEN to match the design used with WPA so that the vendor element
gets added in the proper place in the sequence of IEs.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
4 years ago: tests: Hotspot 2.0 open OSU association
Jouni Malinen [Fri, 30 Aug 2019 12:25:07 +0000 (15:25 +0300)] 
tests: Hotspot 2.0 open OSU association

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
4 years ago: HS 2.0 AP: Do not mandate PMF for HS 2.0 Indication in open OSU network
Jouni Malinen [Fri, 30 Aug 2019 12:22:42 +0000 (15:22 +0300)] 
HS 2.0 AP: Do not mandate PMF for HS 2.0 Indication in open OSU network

Even though the station is not supposed to include Hotspot 2.0
Indication element in the Association Request frame when connecting to
the open OSU BSS, some station devices seem to do so. With the strict
PMF-required-with-Hotspot-2.0-R2 interpretation, such connection
attempts were rejected. Relax this to only perform the PMF check if the
local AP configuration has PMF enabled, i.e., for the production BSS.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
4 years ago: tests: Make nfc_wps more robust by avoiding race conditions
Jouni Malinen [Sat, 24 Aug 2019 19:52:52 +0000 (22:52 +0300)] 
tests: Make nfc_wps more robust by avoiding race conditions

The hostapd side operations and data connectivity test were executed
without explicitly waiting for hostapd to report connection as having
been completed. This could result in trying to transmit data before
EAPOL-Key msg 4/4 was processed especially when using UML time-travel.
Make this more robust by waiting for hostapd to be ready before the data
test.

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: tests: Fix ap_ft_reassoc_replay for case where wlantest has the PSK
Jouni Malinen [Sat, 24 Aug 2019 16:20:40 +0000 (19:20 +0300)] 
tests: Fix ap_ft_reassoc_replay for case where wlantest has the PSK

This test case was failing if wlantest was able to decrypt the CCMP
protected frames. Fix the tshark filter string to include only the
actually encrypted frames for PN comparison.

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: IEEE 802.1X authenticator: Coding style cleanup
Jouni Malinen [Sat, 24 Aug 2019 14:31:39 +0000 (17:31 +0300)] 
IEEE 802.1X authenticator: Coding style cleanup

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: Clean up IEEE 802.1X authentication debug messages for EAP code
Jouni Malinen [Sat, 24 Aug 2019 14:12:45 +0000 (17:12 +0300)] 
Clean up IEEE 802.1X authentication debug messages for EAP code

Merge the separate debug print with the text name of the EAP code into
the same debug line with the numerical value to clean up debug log.

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: tests: EAP-TEAP with user and machine credentials
Jouni Malinen [Sat, 24 Aug 2019 13:48:23 +0000 (16:48 +0300)] 
tests: EAP-TEAP with user and machine credentials

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: EAP-TEAP peer: Fix protected indication of inner EAP method failure
Jouni Malinen [Sat, 24 Aug 2019 13:55:26 +0000 (16:55 +0300)] 
EAP-TEAP peer: Fix protected indication of inner EAP method failure

Need to leave EAP-TEAP methodState == MAY_CONT when marking decision =
FAIL based on inner EAP method failure since this message will be
followed by protected failure indication.

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: EAP-TEAP server: Add support for requiring user and machine credentials
Jouni Malinen [Sat, 24 Aug 2019 13:48:34 +0000 (16:48 +0300)] 
EAP-TEAP server: Add support for requiring user and machine credentials

The new eap_teap_id=5 hostapd configuration parameter value can be used
to configure EAP-TEAP server to request and require user and machine
credentials within the tunnel. This can be done either with Basic
Password Authentication or with inner EAP authentication methods.

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: tests: Remove unnecessary "config exists" debug prints from build.sh
Jouni Malinen [Sat, 24 Aug 2019 09:18:40 +0000 (12:18 +0300)] 
tests: Remove unnecessary "config exists" debug prints from build.sh

This is the common case and these prints do not really help and just
make the output from build.sh less clear.

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: tests: Import helper functions directly from utils.py
Jouni Malinen [Fri, 23 Aug 2019 21:14:41 +0000 (00:14 +0300)] 
tests: Import helper functions directly from utils.py

These were moved from test_sae.py to utils.py, so import them from the
correct location instead of through test_sae.py that imports them from
utils.py.

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: wlantest: Derive PMK-R1 and PTK for FT protocol cases
Jouni Malinen [Thu, 22 Aug 2019 19:14:47 +0000 (22:14 +0300)] 
wlantest: Derive PMK-R1 and PTK for FT protocol cases

Track PMK-R0/PMK-R0-Name from the initial mobility domain association
and derive PMK-R1/PTK when the station uses FT protocol. This allows
frames from additional roaming cases to be decrypted.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
4 years ago: tests: Configure wlantest for FT+PMF test cases
Jouni Malinen [Thu, 22 Aug 2019 19:13:02 +0000 (22:13 +0300)] 
tests: Configure wlantest for FT+PMF test cases

It is useful to get the encrypted frames decrypted in the sniffer
capture for these test cases.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
4 years ago: tests: EAP-TEAP with machine username/password credential
Jouni Malinen [Tue, 20 Aug 2019 10:15:19 +0000 (13:15 +0300)] 
tests: EAP-TEAP with machine username/password credential

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: EAP-TEAP peer: Add support for machine authentication
Jouni Malinen [Tue, 20 Aug 2019 10:13:25 +0000 (13:13 +0300)] 
EAP-TEAP peer: Add support for machine authentication

This allows a separate machine credential to be used for authentication
if the server requests Identity-Type = 2 (machine).

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: EAP peer: Add a concept of a separate machine credential
Jouni Malinen [Tue, 20 Aug 2019 10:10:34 +0000 (13:10 +0300)] 
EAP peer: Add a concept of a separate machine credential

This is an initial step in adding support for configuring separate user
and machine credentials. The new wpa_supplicant network profile
parameters machine_identity and machine_password are similar to the
existing identity and password, but explicitly assigned for the purpose
of machine authentication.

This commit alone does not change actual EAP peer method behavior as
separate commits are needed to determine when there is an explicit
request for machine authentication. Furthermore, this is only addressing
the username/password credential type, i.e., additional changes
following this design approach will be needed for certificate
credentials.

Signed-off-by: Jouni Malinen <j@w1.fi>
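How the machine-credential, ocsp2 and eap_teap_id parameters from the commits above fit together in one deployment, as an added illustration rather than configuration shipped with hostap. machine_identity, machine_password, ocsp, ocsp2 and eap_teap_id=5 are named on this page; the certificate-side names machine_ca_cert, machine_client_cert, machine_private_key and machine_phase2 follow the "machine_" prefix rule described in the EAP-TEAP certificate commit and are assumptions to be checked against wpa_supplicant.conf, as are the SSID, identities and file paths.

```conf
# --- wpa_supplicant.conf: one network profile carrying both credential types ---
network={
    ssid="corp-teap"
    key_mgmt=WPA-EAP
    # PMF required, in line with the CONFIG_IEEE80211W commit
    ieee80211w=2
    eap=TEAP
    # Phase 1 (outer TLS): validate the TEAP server and require a stapled OCSP response
    ca_cert="/etc/wpa_supplicant/ca.pem"
    domain_match="aaa.example.com"
    ocsp=2
    # User credential: answers a server request for Identity-Type 1 (User)
    identity="alice"
    password="user-secret"
    phase2="auth=MSCHAPV2"
    # Machine credential: answers a server request for Identity-Type 2 (Machine).
    # machine_identity/machine_password are documented above; the machine_*
    # certificate parameters below follow the "machine_" prefix rule (assumption).
    machine_identity="host/laptop-01.example.com"
    machine_ca_cert="/etc/wpa_supplicant/ca.pem"
    machine_client_cert="/etc/wpa_supplicant/machine.pem"
    machine_private_key="/etc/wpa_supplicant/machine.key"
    machine_phase2="auth=TLS"
    # OCSP for the inner EAP-TLS run (Phase 2) is configured separately from ocsp
    ocsp2=2
}

# --- hostapd.conf: internal EAP server that requires both identities ---
eap_server=1
# eap_teap_id=5: request and require user and machine credentials in the tunnel
eap_teap_id=5
```

Without ocsp2 the inner EAP-TLS server certificate would be accepted without a revocation check even though the outer one is pinned with ocsp=2; keeping the two settings separate is the point of the ocsp param commit.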
4 years ago: tests: Update authsrv_oom to match implementation changes
Jouni Malinen [Mon, 19 Aug 2019 23:59:06 +0000 (02:59 +0300)] 
tests: Update authsrv_oom to match implementation changes

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: RADIUS server: Abort startup on allocation failures
Jouni Malinen [Mon, 19 Aug 2019 23:57:58 +0000 (02:57 +0300)] 
RADIUS server: Abort startup on allocation failures

Be more consistent on checking all parameter allocation and copying
steps within radius_server_init() and abort startup if anything fails
instead of trying to continue with other parts of the configuration.

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: RADIUS server: Use struct eap_config to avoid duplicated definitions
Jouni Malinen [Mon, 19 Aug 2019 23:32:05 +0000 (02:32 +0300)] 
RADIUS server: Use struct eap_config to avoid duplicated definitions

Use struct eap_config as-is within RADIUS server to avoid having to
duplicate all the configuration variables at each interface. This
continues cleanup on struct eap_config duplication in hostapd.

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: EAP-TEAP server: Fix eap_teap_pac_no_inner configuration
Jouni Malinen [Mon, 19 Aug 2019 23:12:31 +0000 (02:12 +0300)] 
EAP-TEAP server: Fix eap_teap_pac_no_inner configuration

This was not passed correctly to the EAP server code when using hostapd
internal EAP server.

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: EAP-TEAP server: Fix Crypto-Binding check in PAC no-inner-auth case
Jouni Malinen [Mon, 19 Aug 2019 23:11:31 +0000 (02:11 +0300)] 
EAP-TEAP server: Fix Crypto-Binding check in PAC no-inner-auth case

The Crypto-Binding TLV is included without Intermediate-Result TLV in
this sequence since the server is skipping all inner authentication
methods and is only sending out Result TLV with the Crypto-Binding TLV.

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: tests: EAP-TEAP Identity-Type
Jouni Malinen [Mon, 19 Aug 2019 22:37:18 +0000 (01:37 +0300)] 
tests: EAP-TEAP Identity-Type

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: EAP-TEAP server: Allow a specific Identity-Type to be requested/required
Jouni Malinen [Mon, 19 Aug 2019 22:37:31 +0000 (01:37 +0300)] 
EAP-TEAP server: Allow a specific Identity-Type to be requested/required

The new hostapd configuration parameter eap_teap_id can be used to
configure the expected behavior for used identity type.

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: EAP-TEAP peer: Support Identity-Type TLV
Jouni Malinen [Mon, 19 Aug 2019 22:35:36 +0000 (01:35 +0300)] 
EAP-TEAP peer: Support Identity-Type TLV

Parse the received Identity-Type TLV and report the used Identity-Type
in response if the request included this TLV. For now, only the
Identity-Type 1 (User) is supported.

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: EAP-TEAP: Add parsing and generation routines for Identity-Type TLV
Jouni Malinen [Mon, 19 Aug 2019 22:34:12 +0000 (01:34 +0300)] 
EAP-TEAP: Add parsing and generation routines for Identity-Type TLV

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: tests: sigma_dut controlled SAE association and FT-over-DS
Jouni Malinen [Mon, 19 Aug 2019 21:15:20 +0000 (00:15 +0300)] 
tests: sigma_dut controlled SAE association and FT-over-DS

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
4 years ago: tests: sigma_dut controlled AP FT-PSK (over-DS)
Jouni Malinen [Mon, 19 Aug 2019 20:54:29 +0000 (23:54 +0300)] 
tests: sigma_dut controlled AP FT-PSK (over-DS)

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
4 years ago: tests: Make mbo_cell_capa_update_pmf more robust
Jouni Malinen [Mon, 19 Aug 2019 14:22:41 +0000 (17:22 +0300)] 
tests: Make mbo_cell_capa_update_pmf more robust

Wait for hostapd to report completion of connection so that the WNM
Notification Request frame does not get sent before the AP has processed
EAPOL-Key msg 4/4 and configured the TK. This could result in a race
condition especially when testing using UML with time-travel.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
4 years ago: tests: sigma_dut and initial UOSC with TOD-STRICT/TOFU
Jouni Malinen [Mon, 19 Aug 2019 13:57:55 +0000 (16:57 +0300)] 
tests: sigma_dut and initial UOSC with TOD-STRICT/TOFU

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
4 years ago: OpenSSL: Write peer certificate chain details in debug log
Jouni Malinen [Mon, 19 Aug 2019 13:34:22 +0000 (16:34 +0300)] 
OpenSSL: Write peer certificate chain details in debug log

This makes it more convenient to debug TLS certificate validation
issues.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
4 years ago: tests: ap_wpa2_eap_too_many_roundtrips to use shorter fragment
Jouni Malinen [Sun, 18 Aug 2019 14:46:34 +0000 (17:46 +0300)] 
tests: ap_wpa2_eap_too_many_roundtrips to use shorter fragment

This is needed with the increased maximum EAP round limit since the
server side sends out longer messages in this exchange and that prevents
the short message limit from being reached.

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: EAP: Increase the maximum number of message exchanges
Jouni Malinen [Sun, 18 Aug 2019 14:18:17 +0000 (17:18 +0300)] 
EAP: Increase the maximum number of message exchanges

Allow 100 rounds of EAP messages if there is data being transmitted.
Keep the old 50 round limit for cases where only short EAP messages are
sent (i.e., the likely case of getting stuck in ACK loop).

This allows larger EAP data (e.g., large certificates) to be exchanged
without breaking the workaround for ACK loop interop issues.

Signed-off-by: Jouni Malinen <j@w1.fi>
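The two limits described above, 100 rounds while data is flowing and 50 rounds when nothing but short messages are exchanged, exist to stop an EAP ACK loop from running forever without breaking legitimately long exchanges such as a large certificate chain. The model below is an added example, not hostap's eap.c; the 64-byte short-message threshold and the decision to restart the short counter on every long message are assumptions (the hostapd knobs these constants correspond to are, as far as I recall, max_auth_rounds and max_auth_rounds_short from the "Configurable maximum number of authentication message rounds" commit further up, which should be checked against hostapd.conf).

```python
"""EAP round limiter modelled on the two limits described in the commit above:
100 rounds while real data flows, 50 rounds when only short (ACK-sized)
messages are exchanged. Added example, not hostap code; the short-message
threshold and the reset of the short counter by a long message are assumptions."""
from dataclasses import dataclass

MAX_AUTH_ROUNDS = 100        # cap on request/response rounds carrying data
MAX_AUTH_ROUNDS_SHORT = 50   # cap on a run of nothing but short messages (ACK loop)
SHORT_MSG_LEN = 64           # assumption: EAP messages up to this size are "short"


@dataclass
class EapRoundCounter:
    rounds: int = 0          # every EAP request/response round
    short_rounds: int = 0    # consecutive rounds whose message was short
    reason: str = ""         # why the exchange was aborted, if it was

    def on_message(self, eap_len: int) -> bool:
        """Account for one EAP message of eap_len bytes.
        Returns True if the exchange may continue, False if it must be failed."""
        self.rounds += 1
        if eap_len <= SHORT_MSG_LEN:
            self.short_rounds += 1
        else:
            # A long message (e.g. a certificate fragment) shows real progress,
            # so the ACK-loop counter starts over (assumption, see lead-in).
            self.short_rounds = 0
        if self.rounds > MAX_AUTH_ROUNDS:
            self.reason = f"too many rounds ({self.rounds} > {MAX_AUTH_ROUNDS})"
            return False
        if self.short_rounds > MAX_AUTH_ROUNDS_SHORT:
            self.reason = (f"{self.short_rounds} consecutive short messages "
                           f"(> {MAX_AUTH_ROUNDS_SHORT}): likely ACK loop")
            return False
        return True


def simulate(message_lengths) -> tuple:
    """Feed a sequence of EAP message lengths to a fresh counter.
    Returns (completed, rounds_seen, reason)."""
    counter = EapRoundCounter()
    for n in message_lengths:
        if not counter.on_message(n):
            return False, counter.rounds, counter.reason
    return True, counter.rounds, ""


if __name__ == "__main__":
    # Constructed traffic patterns, not captured exchanges
    ack_loop = [20] * 60                   # two peers ACKing each other forever
    big_cert = [1000] * 80 + [20] * 10     # large certificate chain, short finish
    endless_data = [1000] * 110            # data that never converges
    for name, pattern in (("ack_loop", ack_loop), ("big_cert", big_cert),
                          ("endless_data", endless_data)):
        print(name, simulate(pattern))
```

The big_cert pattern is the case the commit is about: under the old single 50-round limit it would have been aborted at round 51, while the ack_loop pattern is still cut off at exactly the same point as before.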
4 years ago: tests: Update authsrv_oom match changed implementation
Jouni Malinen [Sun, 18 Aug 2019 14:39:58 +0000 (17:39 +0300)] 
tests: Update authsrv_oom match changed implementation

Need to take into account the additional memory allocation within
radius_server_init().

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: EAP server: Use struct eap_config to avoid duplicated definitions
Jouni Malinen [Sun, 18 Aug 2019 12:23:12 +0000 (15:23 +0300)] 
EAP server: Use struct eap_config to avoid duplicated definitions

Use struct eap_config as-is within struct eap_sm and EAPOL authenticator
to avoid having to duplicate all the configuration variables at each
interface. Split the couple of session specific variables into a
separate struct to allow a single const struct eap_config to be used.

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: tests: Vendor EAP method in Phase 2
Jouni Malinen [Sat, 17 Aug 2019 13:12:23 +0000 (16:12 +0300)] 
tests: Vendor EAP method in Phase 2

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: EAP-TEAP peer: Support vendor EAP method in Phase 2
Jouni Malinen [Sat, 17 Aug 2019 13:12:09 +0000 (16:12 +0300)] 
EAP-TEAP peer: Support vendor EAP method in Phase 2

The implementation was previously hardcoded to use only the non-expanded
IETF EAP methods in Phase 2. Extend that to allow vendor EAP methods
with expanded header to be used.

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: EAP-PEAP server: Support vendor EAP types in Phase 2
Jouni Malinen [Sat, 17 Aug 2019 13:11:20 +0000 (16:11 +0300)] 
EAP-PEAP server: Support vendor EAP types in Phase 2

This was already allowed with EAP-PEAP, but EAP-TEAP was hardcoded to
use only the non-expanded EAP types. Extend that to allow vendor EAP
types to be used.

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: EAP-FAST peer: Support vendor EAP method in Phase 2
Jouni Malinen [Sat, 17 Aug 2019 12:58:26 +0000 (15:58 +0300)] 
EAP-FAST peer: Support vendor EAP method in Phase 2

The implementation was previously hardcoded to use only the non-expanded
IETF EAP methods in Phase 2. Extend that to allow vendor EAP methods
with expanded header to be used.

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: EAP-FAST server: Support vendor EAP types in Phase 2
Jouni Malinen [Sat, 17 Aug 2019 12:57:52 +0000 (15:57 +0300)] 
EAP-FAST server: Support vendor EAP types in Phase 2

This was already allowed with EAP-PEAP, but EAP-FAST was hardcoded to
use only the non-expanded EAP types. Extend that to allow vendor EAP
types to be used.

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: EAP-PEAP peer: Support vendor EAP method in Phase 2
Jouni Malinen [Sat, 17 Aug 2019 12:40:59 +0000 (15:40 +0300)] 
EAP-PEAP peer: Support vendor EAP method in Phase 2

The implementation was previously hardcoded to allow only the Microsoft
SoH expanded EAP method in Phase 2 in addition to non-expanded EAP
methods. Extend that to allow any vendor EAP method with an expanded
header to be used.

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: EAP peer: Allow VENDOR-TEST method in Phase 2
Jouni Malinen [Sat, 17 Aug 2019 09:12:57 +0000 (12:12 +0300)] 
EAP peer: Allow VENDOR-TEST method in Phase 2

This allows EAP methods to be tested for support of expanded EAP headers
in Phase 2.

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: EAP-TTLS peer: Support vendor EAP method in Phase 2
Jouni Malinen [Sat, 17 Aug 2019 09:11:50 +0000 (12:11 +0300)] 
EAP-TTLS peer: Support vendor EAP method in Phase 2

The implementation was previously hardcoded to use only the non-expanded
IETF EAP methods in Phase 2. Extend that to allow vendor EAP methods
with expanded header to be used.

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: EAP-TTLS server: Support vendor EAP types in Phase 2
Jouni Malinen [Sat, 17 Aug 2019 09:09:27 +0000 (12:09 +0300)] 
EAP-TTLS server: Support vendor EAP types in Phase 2

This was already allowed with EAP-PEAP, but EAP-TTLS was hardcoded to
use only the non-expanded EAP types. Extend that to allow vendor EAP
types to be used.

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: Replace EapType typedef with enum eap_type
Jouni Malinen [Sat, 17 Aug 2019 08:36:20 +0000 (11:36 +0300)] 
Replace EapType typedef with enum eap_type

This cleans up coding style of the EAP implementation by avoiding
typedef of an enum hiding the type of the variables.

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: tests: EAP-TEAP and separate message for Result TLV
Jouni Malinen [Fri, 16 Aug 2019 20:54:37 +0000 (23:54 +0300)] 
tests: EAP-TEAP and separate message for Result TLV

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: EAP-TEAP server: Testing mechanism for Result TLV in a separate message
Jouni Malinen [Fri, 16 Aug 2019 20:54:51 +0000 (23:54 +0300)] 
EAP-TEAP server: Testing mechanism for Result TLV in a separate message

The new eap_teap_separate_result=1 hostapd configuration parameter can
be used to test TEAP exchange where the Intermediate-Result TLV and
Crypto-Binding TLV are sent in one message exchange while the Result TLV
exchange is done after that in a separate message exchange.

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: EAP-TEAP peer: Allow Result TLV without Crypto-Binding TLV
Jouni Malinen [Fri, 16 Aug 2019 20:39:33 +0000 (23:39 +0300)] 
EAP-TEAP peer: Allow Result TLV without Crypto-Binding TLV

If the Crypto-Binding TLV for the last EAP method has been validated
successfully in a previous message exchange with Intermediate-Result TLV
and no new EAP method has been started, Result TLV can be accepted
without an additional Crypto-Binding TLV. This allows the server to go
through additional message exchanges after inner EAP method, if needed.

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: EAP-TEAP: Add parsing of Error TLV
Jouni Malinen [Fri, 16 Aug 2019 20:25:31 +0000 (23:25 +0300)] 
EAP-TEAP: Add parsing of Error TLV

This TLV needs to be processed properly instead of NAK'ed as
unsupported.

Signed-off-by: Jouni Malinen <j@w1.fi>
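The Error TLV commit above and the Identity-Type TLV commits earlier on this page both come down to the same TLV framing: a receiver must understand a TLV to act on it, and must NAK any TLV it does not understand whose mandatory bit is set, so a TLV that is merely unparsed (as Error was) gets wrongly rejected. The parser and peer-side responder below are an added example, not hostap's eap_teap_common.c. The TLV type numbers (Identity-Type 2, Result 3, NAK 4, Error 5, Intermediate-Result 10, Crypto-Binding 12) and the NAK value layout are written from memory of RFC 7170 section 4.2 and should be checked against the RFC; Identity-Type values 1 (User) and 2 (Machine) are as stated on this page, and the server message is constructed.

```python
"""Minimal EAP-TEAP TLV parser and peer-side response builder (added example,
not hostap code). TLV type numbers follow RFC 7170 section 4.2 as recalled and
should be verified against the RFC; the sample server message is constructed."""
import struct
from dataclasses import dataclass

TLV_IDENTITY_TYPE = 2
TLV_RESULT = 3
TLV_NAK = 4
TLV_ERROR = 5
TLV_INTERMEDIATE_RESULT = 10
TLV_CRYPTO_BINDING = 12
KNOWN_TLVS = {TLV_IDENTITY_TYPE, TLV_RESULT, TLV_NAK, TLV_ERROR,
              TLV_INTERMEDIATE_RESULT, TLV_CRYPTO_BINDING}

IDENTITY_USER, IDENTITY_MACHINE = 1, 2     # Identity-Type values (page: 1=User, 2=Machine)
STATUS_SUCCESS, STATUS_FAILURE = 1, 2      # Result / Intermediate-Result status values


@dataclass
class Tlv:
    mandatory: bool   # M bit: receiver must NAK a mandatory TLV it does not support
    tlv_type: int     # 14-bit TLV type
    value: bytes


def build_tlv(tlv_type: int, value: bytes, mandatory: bool = True) -> bytes:
    """Header is M bit (bit 15), reserved R bit (bit 14), 14-bit type, then 16-bit length."""
    hdr = (0x8000 if mandatory else 0) | (tlv_type & 0x3FFF)
    return struct.pack("!HH", hdr, len(value)) + value


def parse_tlvs(buf: bytes) -> list:
    """Split a buffer into Tlv objects, refusing truncated or overlong entries."""
    tlvs, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 4:
            raise ValueError("truncated TLV header")
        hdr, length = struct.unpack_from("!HH", buf, pos)
        pos += 4
        if len(buf) - pos < length:
            raise ValueError("TLV length runs past end of buffer")
        tlvs.append(Tlv(bool(hdr & 0x8000), hdr & 0x3FFF, buf[pos:pos + length]))
        pos += length
    return tlvs


def is_malformed(buf: bytes) -> bool:
    """True if the buffer does not parse as a well-formed TLV sequence."""
    try:
        parse_tlvs(buf)
    except ValueError:
        return True
    return False


def peer_process(buf: bytes, supported_identities=(IDENTITY_USER,)) -> dict:
    """Decode a server message and build the TLVs a peer would send back.
    Crypto-Binding is left out because it needs the tunnel keys."""
    out = {"identity_type": None, "intermediate_result": None, "result": None,
           "error": None, "nak": [], "response": b""}
    for t in parse_tlvs(buf):
        if t.tlv_type == TLV_IDENTITY_TYPE and len(t.value) == 2:
            (idt,) = struct.unpack("!H", t.value)
            out["identity_type"] = idt
            # Report the identity type actually used; fall back to the first supported one
            used = idt if idt in supported_identities else supported_identities[0]
            out["response"] += build_tlv(TLV_IDENTITY_TYPE, struct.pack("!H", used))
        elif t.tlv_type == TLV_INTERMEDIATE_RESULT and len(t.value) >= 2:
            out["intermediate_result"] = struct.unpack_from("!H", t.value)[0]
            # Server sent Intermediate-Result, so the peer must answer with one too
            out["response"] += build_tlv(TLV_INTERMEDIATE_RESULT,
                                         struct.pack("!H", STATUS_SUCCESS))
        elif t.tlv_type == TLV_RESULT and len(t.value) == 2:
            out["result"] = struct.unpack("!H", t.value)[0]
            out["response"] += build_tlv(TLV_RESULT, struct.pack("!H", STATUS_SUCCESS))
        elif t.tlv_type == TLV_ERROR and len(t.value) == 4:
            # Error TLV is understood, so it is recorded rather than NAK'ed
            out["error"] = struct.unpack("!I", t.value)[0]
        elif t.mandatory and t.tlv_type not in KNOWN_TLVS:
            out["nak"].append(t.tlv_type)
            # NAK value: Vendor-Id (0 = IETF) followed by the rejected TLV type
            out["response"] += build_tlv(TLV_NAK, struct.pack("!IH", 0, t.tlv_type))
    return out


def example_server_message() -> bytes:
    """Constructed sample: server asks for a machine identity, signals success,
    includes an unknown mandatory TLV (type 200) and a non-mandatory Error TLV."""
    return (build_tlv(TLV_IDENTITY_TYPE, struct.pack("!H", IDENTITY_MACHINE))
            + build_tlv(TLV_INTERMEDIATE_RESULT, struct.pack("!H", STATUS_SUCCESS))
            + build_tlv(TLV_RESULT, struct.pack("!H", STATUS_SUCCESS))
            + build_tlv(200, b"\x00", mandatory=True)
            + build_tlv(TLV_ERROR, struct.pack("!I", 2001), mandatory=False))


if __name__ == "__main__":
    r = peer_process(example_server_message())
    print(r["identity_type"], r["intermediate_result"], r["result"], r["error"], r["nak"])
    print([t.tlv_type for t in parse_tlvs(r["response"])])
```

With only IDENTITY_USER supported the peer answers a machine-identity request with Identity-Type 1, which is the "only User supported" behaviour of the peer commit earlier on the page; passing (1, 2) as supported_identities echoes type 2 instead. Unknown mandatory type 200 is NAK'ed while the Error TLV is decoded, and a TLV whose length runs past the buffer is rejected before anything is acted on.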
4 years ago: EAP-TEAP server: Require Intermediate-Result TLV even with Result TLV
Jouni Malinen [Fri, 16 Aug 2019 20:12:54 +0000 (23:12 +0300)] 
EAP-TEAP server: Require Intermediate-Result TLV even with Result TLV

It is not sufficient for the peer to include only the Result TLV if the
server included both the Intermediate-Result TLV and Result TLV.

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: EAP-TEAP peer: Add Intermediate-Result TLV with Crypto-Binding TLV
Jouni Malinen [Fri, 16 Aug 2019 20:11:28 +0000 (23:11 +0300)] 
EAP-TEAP peer: Add Intermediate-Result TLV with Crypto-Binding TLV

Previously, only the Result TLV was added when writing Crypto-Binding
TLV response. This is not sufficient, since RFC 7170 requires
Intermediate-Result TLV response to be included from the peer if the
server included Intermediate-Result TLV.

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: EAP-TEAP: Fix TLS-PRF for TLS ciphersuites that use SHA384
Jouni Malinen [Fri, 16 Aug 2019 18:16:44 +0000 (21:16 +0300)] 
EAP-TEAP: Fix TLS-PRF for TLS ciphersuites that use SHA384

These need to be using the HMAC-based TLS-PRF with SHA384 instead of
SHA256 as the hash algorithm.

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago: Add TLS-PRF using HMAC with P_SHA384 for TEAP
Jouni Malinen [Fri, 16 Aug 2019 18:15:32 +0000 (21:15 +0300)] 
Add TLS-PRF using HMAC with P_SHA384 for TEAP

This version of TLS PRF is needed when using TEAP with TLS ciphersuites
that are defined to use SHA384 instead of SHA256.

Signed-off-by: Jouni Malinen <j@w1.fi>
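The two TLS-PRF commits above hinge on a detail of TLS 1.2: the PRF is P_hash with a single HMAC hash, SHA-256 by default, but ciphersuites defined with SHA-384 use P_SHA384, so a TEAP implementation that hardcodes SHA-256 derives wrong keys against such a suite (and the peers then disagree on Crypto-Binding). The code below is an added example, not hostap's tls_prf_sha384() or eap_teap code. It carries the RFC 5246 P_hash through and picks the hash from the suite name; the suffix rule, and the exporter label "EXPORTER: teap session key seed" with a 40-byte output used for session_key_seed, are written from memory of RFC 5246, RFC 5705 and RFC 7170 and should be checked against them. The master secret and randoms are constructed.

```python
"""TLS 1.2 PRF (RFC 5246 section 5) with the hash function selected per
ciphersuite, as TEAP needs it. Added example, not hostap code. The suite-name
rule and the TEAP exporter label/length are recalled from the RFCs (assumption)."""
import hmac


def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """P_<hash>(secret, seed) = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ...
    with A(0) = seed and A(i) = HMAC(secret, A(i-1)); truncated to `length` bytes."""
    output = b""
    a = seed
    while len(output) < length:
        a = hmac.new(secret, a, hash_name).digest()
        output += hmac.new(secret, a + seed, hash_name).digest()
    return output[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int,
              hash_name: str = "sha256") -> bytes:
    """TLS 1.2 PRF: P_<hash>(secret, label + seed) with one hash only; the
    MD5/SHA-1 split of TLS 1.0/1.1 does not apply."""
    return p_hash(hash_name, secret, label + seed, length)


def prf_hash_for_ciphersuite(suite: str) -> str:
    """TLS 1.2 default PRF hash is SHA-256; suites specified with SHA-384 (their
    IANA names end in _SHA384) use P_SHA384. Suffix rule is an assumption."""
    return "sha384" if suite.upper().endswith("_SHA384") else "sha256"


def teap_session_key_seed(master_secret: bytes, client_random: bytes,
                          server_random: bytes, suite: str) -> bytes:
    """TEAP session_key_seed via the TLS keying material exporter (RFC 5705)
    with no context: PRF(master_secret, label, client_random + server_random, 40),
    using the suite's PRF hash. Label and length as recalled from RFC 7170."""
    hash_name = prf_hash_for_ciphersuite(suite)
    return tls12_prf(master_secret, b"EXPORTER: teap session key seed",
                     client_random + server_random, 40, hash_name)


if __name__ == "__main__":
    # Constructed inputs, not real session values
    ms = bytes(range(48))
    cr, sr = b"\x11" * 32, b"\x22" * 32
    for suite in ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                  "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"):
        print(suite, prf_hash_for_ciphersuite(suite),
              teap_session_key_seed(ms, cr, sr, suite).hex())
```

Running it shows two different 40-byte seeds for the same master secret and randoms; an implementation that always used P_SHA256 would produce the first value for both suites, which is exactly the mismatch the fix removes. In practice the hash should come from the negotiated suite's PRF field in the TLS library rather than from its name.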
4 years ago: tests: sigma_dut with TOD-TOFU
Jouni Malinen [Fri, 16 Aug 2019 13:39:08 +0000 (16:39 +0300)] 
tests: sigma_dut with TOD-TOFU

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
4 years ago: tests: TOD-TOFU policy reporting
Jouni Malinen [Fri, 16 Aug 2019 13:25:14 +0000 (16:25 +0300)] 
tests: TOD-TOFU policy reporting

Also rename the previously added test case to use the TOD-STRICT name
for the earlier policy OID.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
4 years ago: tests: Update RSA 3k certificates before the previous ones expire
Jouni Malinen [Fri, 16 Aug 2019 13:21:38 +0000 (16:21 +0300)] 
tests: Update RSA 3k certificates before the previous ones expire

In addition, update the generation script to allow convenient update of
the server and user certificates without having to generate new keys.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
4 years ago: tests: Add a server certificate with TOD-TOFU policy
Jouni Malinen [Fri, 16 Aug 2019 12:59:43 +0000 (15:59 +0300)] 
tests: Add a server certificate with TOD-TOFU policy

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
4 years ago: Extend server certificate TOD policy reporting to include TOD-TOFU
Jouni Malinen [Fri, 16 Aug 2019 12:51:40 +0000 (15:51 +0300)] 
Extend server certificate TOD policy reporting to include TOD-TOFU

The previously used single TOD policy was split into two policies:
TOD-STRICT and TOD-TOFU. Report these separately in the
CTRL-EVENT-EAP-PEER-CERT events (tod=1 for TOD-STRICT and tod=2 for
TOD-TOFU).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
4 years ago: SAE: Conditionally set PMKID while notifying the external auth status
Sunil Dutt [Fri, 16 Aug 2019 05:18:45 +0000 (10:48 +0530)] 
SAE: Conditionally set PMKID while notifying the external auth status

This is needed for the drivers implementing SME to include the PMKID in
the Association Request frame directly following SAE authentication.

This commit extends the commit d2b208384391 ("SAE: Allow PMKID to be
added into Association Request frame following SAE") for drivers with
internal SME that use the external authentication mechanism.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
4 years ago: SAE: Use BSSID stored in ext_auth_bssid for set_pmk
Sunil Dutt [Fri, 16 Aug 2019 05:08:10 +0000 (10:38 +0530)] 
SAE: Use BSSID stored in ext_auth_bssid for set_pmk

pending_bssid is cleared in the connected state and thus is not valid if
SAE authentication is done to a new BSSID when in the connected state.
Hence use the BSSID from ext_auth_bssid while configuring the PMK for
the external authentication case. This is required for roaming to a new
BSSID with driver-based-SME while the SAE processing happens with
wpa_supplicant.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
4 years ago: OWE: Update connect params with new DH attributes to the driver
Sunil Dutt [Thu, 25 Jul 2019 06:40:57 +0000 (12:10 +0530)] 
OWE: Update connect params with new DH attributes to the driver

A new DH public key is sent through this interface to the driver after
every successful connection/roam to a BSS. This helps to do OWE roaming
to a new BSS with drivers that implement SME/MLME operations during
roaming.

These updated DH IEs are added in the subsequent (Re)Association Request
frame sent by the station when roaming. The DH IE from the roamed AP is
given to wpa_supplicant in the roam result event. wpa_supplicant shall
further process these DH IEs to generate the PMK for the 4-way
handshake.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
4 years ago: nl80211: Request update connection params only for drivers with SME
Sunil Dutt [Fri, 16 Aug 2019 04:53:24 +0000 (10:23 +0530)] 
nl80211: Request update connection params only for drivers with SME

Update Connection Params is intended for drivers that implement
internal SME and expect these updated connection params from
wpa_supplicant. Do not send this request for the drivers using
SME from wpa_supplicant.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
4 years ago: tests: Additional FT with PMF required testing coverage
Jouni Malinen [Fri, 16 Aug 2019 10:53:04 +0000 (13:53 +0300)] 
tests: Additional FT with PMF required testing coverage

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
4 years ago: FT: Reject over-the-DS response with MFPC=0 if PMF is required
Jouni Malinen [Fri, 16 Aug 2019 10:50:54 +0000 (13:50 +0300)] 
FT: Reject over-the-DS response with MFPC=0 if PMF is required

If FT over-the-DS case is enforced through the "FT_DS <BSSID>" control
interface command, the PMF capability check during BSS selection is not
used and that could have allowed PMF to be disabled in the over-the-DS
case even if the local network profile mandated use of PMF. Check
against this explicitly to avoid unexpected cases if the APs within the
same mobility domain are not configured consistently.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
4 years agoRSN: Do not allow connection to proceed without MFPC=1 if PMF required
Jouni Malinen [Fri, 16 Aug 2019 10:48:16 +0000 (13:48 +0300)] 
RSN: Do not allow connection to proceed without MFPC=1 if PMF required

PMF capability check is done as part of BSS selection routines, but
those are not used when going through the enforced roaming operation
("ROAM <BSSID>" control interface command). While that mechanism is
mainly for testing purposes, extend it to do the same check for PMF to
prevent cases where forced roaming could end up disabling PMF against
the local profile requirement.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
4 years agoFT: Fix MFPR flag in RSNE during FT protocol
Jouni Malinen [Fri, 16 Aug 2019 10:23:06 +0000 (13:23 +0300)] 
FT: Fix MFPR flag in RSNE during FT protocol

Commit e820cf952f29 ("MFP: Add MFPR flag into station RSN IE if 802.11w
is mandatory") added indication of MFPR flag in non-FT cases, but forgot
to do so for the FT protocol cases where a different function is used to
build the RSNE. Do the same change now for that FT specific case to get
consistent behavior on indicating PMF configuration state with MFPR.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
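The three commits above (over-the-DS response with MFPC=0, forced "ROAM <BSSID>" without MFPC=1, and the missing MFPR flag in the FT-path RSNE) all come down to reading and writing the MFPC/MFPR bits of the RSN Capabilities field. The block below is an added example written for this page, not hostap code: it parses the RSN Capabilities field out of an RSNE with bounds checks on every variable-length field, applies the local ieee80211w policy to the peer's bits the way the two rejection fixes do, and builds the capability bits a STA should advertise. Field layout follows IEEE Std 802.11-2016; the constructed suite selectors, the `build_rsne()` helper and all function names are this example's own.

```python
"""Added example (not hostap code): RSN Capabilities parsing and PMF policy
checks, as described in the three commits above."""
import struct
from typing import Optional

RSNE_ID = 48
MFPR = 1 << 6          # RSN Capabilities: Management Frame Protection Required
MFPC = 1 << 7          # RSN Capabilities: Management Frame Protection Capable

# Same meaning as the wpa_supplicant ieee80211w= network parameter.
PMF_DISABLED, PMF_OPTIONAL, PMF_REQUIRED = 0, 1, 2

# Constructed suite selectors (OUI 00-0F-AC) used only by build_rsne().
CIPHER_CCMP = bytes.fromhex("000fac04")
AKM_FT_8021X = bytes.fromhex("000fac03")


def rsne_capabilities(rsne: bytes) -> int:
    """Return the RSN Capabilities field of an RSNE, or 0 when the optional
    field is absent. Each variable-length field is bounds-checked before it
    is skipped, so a truncated element is never read past its end."""
    if len(rsne) < 2 or rsne[0] != RSNE_ID or len(rsne) - 2 < rsne[1]:
        raise ValueError("malformed RSNE")
    body = rsne[2:2 + rsne[1]]
    if len(body) < 2 or struct.unpack_from("<H", body, 0)[0] != 1:
        raise ValueError("unsupported RSN version")
    pos = 2
    if len(body) < pos + 4:            # group data cipher suite
        return 0
    pos += 4
    for _ in ("pairwise", "akm"):      # two suite lists: count + 4 bytes each
        if len(body) < pos + 2:
            return 0
        (count,) = struct.unpack_from("<H", body, pos)
        pos += 2
        if len(body) < pos + 4 * count:
            raise ValueError("suite list overruns RSNE")
        pos += 4 * count
    if len(body) < pos + 2:            # RSN Capabilities is optional
        return 0
    return struct.unpack_from("<H", body, pos)[0]


def pmf_negotiable(local_policy: int, peer_caps: int) -> bool:
    """Decide whether a connection or roam to a BSS advertising peer_caps may
    proceed under local_policy. This is the check the fixes add to the FT
    over-the-DS and forced "ROAM <BSSID>" paths, which bypass BSS selection."""
    mfpc = bool(peer_caps & MFPC)
    mfpr = bool(peer_caps & MFPR)
    if mfpr and not mfpc:              # MFPR without MFPC is not a valid combination
        return False
    if local_policy == PMF_REQUIRED and not mfpc:
        return False                   # the case the two rejection fixes close
    if local_policy == PMF_DISABLED and mfpr:
        return False                   # peer mandates PMF that we will not negotiate
    return True


def station_rsn_capabilities(local_policy: int) -> int:
    """RSN Capabilities a STA advertises in its own RSNE: MFPC whenever PMF is
    enabled, plus MFPR when it is mandatory. The MFPR fix above makes the FT
    path indicate this the same way as the non-FT path."""
    caps = 0
    if local_policy >= PMF_OPTIONAL:
        caps |= MFPC
    if local_policy == PMF_REQUIRED:
        caps |= MFPR
    return caps


def build_rsne(caps: Optional[int], akm: bytes = AKM_FT_8021X) -> bytes:
    """Constructed sample RSNE (CCMP group/pairwise, one AKM). caps=None omits
    the optional RSN Capabilities field, as a minimal element may."""
    body = struct.pack("<H", 1) + CIPHER_CCMP
    body += struct.pack("<H", 1) + CIPHER_CCMP
    body += struct.pack("<H", 1) + akm
    if caps is not None:
        body += struct.pack("<H", caps)
    return bytes([RSNE_ID, len(body)]) + body


if __name__ == "__main__":
    for caps in (None, 0, MFPC, MFPC | MFPR):
        peer = rsne_capabilities(build_rsne(caps))
        print(f"peer caps=0x{peer:04x} ok_with_pmf_required={pmf_negotiable(PMF_REQUIRED, peer)}")
```

The point of routing every path through `pmf_negotiable()` is the one the commit messages make: the normal scan-based BSS selection already filters on MFPC, but control-interface commands that pick a target BSSID directly skip that filter, so the check has to live where the association is actually decided.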
4 years agoOCE: Mandate PMF for WPA2 association with OCE AP
Ankita Bajaj [Tue, 30 Jul 2019 09:05:32 +0000 (14:35 +0530)] 
OCE: Mandate PMF for WPA2 association with OCE AP

An OCE AP with WPA2 enabled shall require PMF negotiation when
associating with an OCE STA. An OCE STA-CFON may negotiate PMF with a
STA when it is operating as an AP. Don't select an OCE AP for connection
if PMF is not enabled.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
4 years agoHS 2.0: Match credentials based on required_roaming_consortium
Purushottam Kushwaha [Fri, 26 Jul 2019 05:55:19 +0000 (11:25 +0530)] 
HS 2.0: Match credentials based on required_roaming_consortium

When required_roaming_consortium is set in a credential, the station
should match this against the Roaming Consortium(s) for a BSS similarly
to how it matches roaming_consortiums during the Interworking
credentials availability check for roaming_consortium.

In the context of Hotspot 2.0 PPS MO, this means addressing matching
part in the same manner for HomeSP/HomeOIList/<X+>/HomeOI regardless of
how HomeSP/HomeOIList/<X+>/HomeOIRequired is set (i.e., the required
part is used as an independent check for the AP advertising the needed
information while the "credential can be used here and this is a home
network" part is shared).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
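The matching rule in the commit above has two parts: an OI match that decides the credential is usable and the BSS is a home network, and an independent "the AP must advertise the required OI" check. The block below is an added example written for this page, not hostap code, and it encodes this editor's reading of that message: `required_roaming_consortium` is matched like any other home OI and is additionally mandatory when set. It parses the Roaming Consortium element from a Beacon or Probe Response (IEEE 802.11u layout: Number of ANQP OIs, OI #1 and #2 Lengths, then up to three OIs); the `Credential` class, the builder and the sample OI values are this example's own constructions.

```python
"""Added example (not hostap code): Roaming Consortium element parsing and
credential matching with required_roaming_consortium as an independent check."""
from dataclasses import dataclass, field
from typing import List, Optional

WLAN_EID_ROAMING_CONSORTIUM = 111


def parse_roaming_consortium_ie(ie: bytes) -> List[bytes]:
    """Return the OIs in a Roaming Consortium element. Layout: Number of ANQP
    OIs (1 byte), OI #1 and #2 Lengths (1 byte: low nibble OI #1, high nibble
    OI #2), OI #1, [OI #2], [OI #3 = whatever remains]."""
    if len(ie) < 2 or ie[0] != WLAN_EID_ROAMING_CONSORTIUM or len(ie) - 2 < ie[1]:
        raise ValueError("malformed Roaming Consortium element")
    body = ie[2:2 + ie[1]]
    if len(body) < 2:
        return []
    len1, len2 = body[1] & 0x0F, body[1] >> 4
    pos, ois = 2, []
    for n in (len1, len2):
        if n == 0:
            continue
        if pos + n > len(body):
            raise ValueError("OI length overruns element")
        ois.append(body[pos:pos + n])
        pos += n
    if pos < len(body):                 # OI #3 has no explicit length field
        ois.append(body[pos:])
    return ois


def build_roaming_consortium_ie(ois: List[bytes], num_anqp_ois: int = 0) -> bytes:
    """Constructed sample element carrying up to three OIs."""
    if len(ois) > 3 or any(len(o) > 15 for o in ois[:2]):
        raise ValueError("at most three OIs; OI #1/#2 lengths fit in a nibble")
    len1 = len(ois[0]) if len(ois) > 0 else 0
    len2 = len(ois[1]) if len(ois) > 1 else 0
    body = bytes([num_anqp_ois, len1 | (len2 << 4)]) + b"".join(ois)
    return bytes([WLAN_EID_ROAMING_CONSORTIUM, len(body)]) + body


@dataclass
class Credential:
    # Mirrors the wpa_supplicant cred parameters roaming_consortiums= and
    # required_roaming_consortium= (this class is the example's own).
    roaming_consortiums: List[bytes] = field(default_factory=list)
    required_roaming_consortium: Optional[bytes] = None


def credential_matches_bss(cred: Credential, bss_ie: bytes) -> bool:
    """Check 1 (shared): some home OI, the required one included, is advertised
    by the BSS. Check 2 (independent): if a required OI is configured, the BSS
    must advertise it, whatever the other OIs say."""
    advertised = parse_roaming_consortium_ie(bss_ie)
    home_ois = list(cred.roaming_consortiums)
    if cred.required_roaming_consortium is not None:
        home_ois.append(cred.required_roaming_consortium)
        if cred.required_roaming_consortium not in advertised:
            return False
    return any(oi in advertised for oi in home_ois)


# Constructed sample OIs (3- and 5-byte forms); not real consortium values.
OI_HOME = bytes.fromhex("506f9a")
OI_PARTNER = bytes.fromhex("001bc50460")
OI_REQUIRED = bytes.fromhex("0011aa")

if __name__ == "__main__":
    cred = Credential([OI_HOME], OI_REQUIRED)
    for ois in ([OI_HOME, OI_PARTNER, OI_REQUIRED], [OI_HOME], [OI_PARTNER]):
        print([o.hex() for o in ois], credential_matches_bss(cred, build_roaming_consortium_ie(ois)))
```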
4 years agotests: SAE and PMKSA caching (PMKID in AssocReq after SAE)
Jouni Malinen [Wed, 14 Aug 2019 14:51:31 +0000 (17:51 +0300)] 
tests: SAE and PMKSA caching (PMKID in AssocReq after SAE)

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
4 years agoSAE: Allow PMKID to be added into Association Request frame following SAE
Jouni Malinen [Wed, 14 Aug 2019 14:49:23 +0000 (17:49 +0300)] 
SAE: Allow PMKID to be added into Association Request frame following SAE

IEEE Std 802.11-2016 does not require this behavior from a SAE STA, but
it is not disallowed either, so it is useful to have an option to
identify the derived PMKSA in the immediately following Association
Request frames. This is disabled by default (i.e., no change to previous
behavior) and can be enabled with a global wpa_supplicant configuration
parameter sae_pmkid_in_assoc=1.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
4 years agoMake wpa_insert_pmkid() more generic
Jouni Malinen [Wed, 14 Aug 2019 14:47:58 +0000 (17:47 +0300)] 
Make wpa_insert_pmkid() more generic

This is not used only with FT, so make the comments less confusing and
include the function in all builds to make it available for
non-FT/non-FILS builds.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
4 years agotests: Fix wlan.mesh.config.cap workaround for test_wpas_mesh_max_peering
Sven Eckelmann [Fri, 12 Jul 2019 10:48:53 +0000 (12:48 +0200)] 
tests: Fix wlan.mesh.config.cap workaround for test_wpas_mesh_max_peering

The wlan.mesh.config doesn't have to be the last element of the beacon.
Things like VHT or HE oper/cap usually follow the mesh configuration element.

The workaround must first get the position of a correct reference value in
wlan.mesh.config (ps_protocol) and then calculate the correct
wlan.mesh.config.cap offset based on that.

Reported-by: Johannes Berg <johannes@sipsolutions.net>
Fixes: 2cbaf0de223b ("tests: Work around tshark bug in wpas_mesh_max_peering")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
4 years agoHE: MCS size is always a minimum of 4 bytes
John Crispin [Mon, 1 Jul 2019 13:27:09 +0000 (15:27 +0200)] 
HE: MCS size is always a minimum of 4 bytes

The MCS set always has a minimal size of 4 bytes. Without this change
HE20 failed to work.

Signed-off-by: John Crispin <john@phrozen.org>
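The size that commit fixes is the Supported HE-MCS And NSS Set field of the HE Capabilities element: the 4-byte Rx/Tx map pair for bandwidths up to 80 MHz is always present, and further 4-byte pairs are appended only when the PHY capabilities advertise 160 MHz and 80+80 MHz support. The block below is an added example written for this page, not hostap code: it derives that size from the Channel Width Set bits, uses it to bounds-check the element before reading the maps, and decodes the 2-bit-per-spatial-stream map values. Field offsets and bit positions follow IEEE 802.11ax; the builder and the sample values are constructed for the example.

```python
"""Added example (not hostap code): sizing and bounds-checking the HE-MCS set
in an HE Capabilities element from the PHY capabilities."""
import struct
from typing import Dict, List

HE_MAC_CAP_LEN = 6
HE_PHY_CAP_LEN = 11
# HE PHY Capabilities byte 0, Channel Width Set subfield (bit 0 is reserved).
HE_PHYCAP_CW_40MHZ_IN_2G = 1 << 1
HE_PHYCAP_CW_40_80MHZ_IN_5G = 1 << 2
HE_PHYCAP_CW_160MHZ_IN_5G = 1 << 3
HE_PHYCAP_CW_80PLUS80MHZ_IN_5G = 1 << 4
MCS_NOT_SUPPORTED = 3   # 2-bit per-NSS value in an HE-MCS map


def he_mcs_set_size(phy_cap: bytes) -> int:
    """The <=80 MHz Rx/Tx map pair (4 bytes) is always present; a further
    4-byte pair follows for 160 MHz and another for 80+80 MHz support."""
    size = 4
    if phy_cap[0] & HE_PHYCAP_CW_160MHZ_IN_5G:
        size += 4
    if phy_cap[0] & HE_PHYCAP_CW_80PLUS80MHZ_IN_5G:
        size += 4
    return size


def decode_mcs_map(word: int) -> List[int]:
    """2 bits per spatial stream, NSS 1..8: 0=MCS 0-7, 1=MCS 0-9, 2=MCS 0-11,
    3=not supported."""
    return [(word >> (2 * i)) & 0x3 for i in range(8)]


def parse_he_capabilities(body: bytes) -> Dict[str, object]:
    """body is the element content after the Element ID Extension byte:
    MAC caps, PHY caps, then the MCS set whose length the PHY caps decide."""
    if len(body) < HE_MAC_CAP_LEN + HE_PHY_CAP_LEN:
        raise ValueError("HE Capabilities element too short for MAC+PHY caps")
    phy = body[HE_MAC_CAP_LEN:HE_MAC_CAP_LEN + HE_PHY_CAP_LEN]
    size = he_mcs_set_size(phy)
    start = HE_MAC_CAP_LEN + HE_PHY_CAP_LEN
    if len(body) < start + size:
        raise ValueError(f"MCS set needs {size} bytes, {len(body) - start} present")
    maps = {}
    for name, off in zip(("le80", "160", "80p80"), range(0, size, 4)):
        rx, tx = struct.unpack_from("<HH", body, start + off)
        maps[name] = (decode_mcs_map(rx), decode_mcs_map(tx))
    return {"mac": body[:HE_MAC_CAP_LEN], "phy": phy,
            "mcs_set_size": size, "mcs_maps": maps}


def build_he_capabilities(channel_width_set: int, mcs_words: List[int]) -> bytes:
    """Constructed sample element body with zeroed MAC caps and a PHY caps
    block carrying only the Channel Width Set byte."""
    phy = bytes([channel_width_set]) + bytes(HE_PHY_CAP_LEN - 1)
    return bytes(HE_MAC_CAP_LEN) + phy + struct.pack("<%dH" % len(mcs_words), *mcs_words)


if __name__ == "__main__":
    # 0xFFFA: NSS 1 and 2 support MCS 0-11, NSS 3..8 not supported.
    body = build_he_capabilities(HE_PHYCAP_CW_40_80MHZ_IN_5G, [0xFFFA, 0xFFFA])
    print(parse_he_capabilities(body)["mcs_maps"])
```

Treating the MCS set as at least 4 bytes matters in both directions: an AP that advertises fewer bytes than its own PHY bits imply produces an element a strict parser should refuse, and a parser that computes a size of zero reads the PPE thresholds (or the next element) as MCS data.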
4 years agonl80211: Don't force VHT channel definition with HE
Sven Eckelmann [Mon, 1 Jul 2019 13:34:08 +0000 (15:34 +0200)] 
nl80211: Don't force VHT channel definition with HE

HE (802.11ax) is also supported on 2.4 GHz. And the 2.4 GHz band isn't
supposed to use VHT operations. Some codepaths in wpa_supplicant will
therefore not initialize the freq->bandwidth or the freq->center_freq1/2
members. As a result, the nl80211_put_freq_params() will directly return
an error (-1) or the kernel will return an error due to the invalid
channel definition.

Instead, the channel definitions should be created based on the actual
HT/VHT/none information on 2.4 GHz.

Fixes: ad9a1bfe788e ("nl80211: Share VHT channel configuration for HE")
Signed-off-by: Sven Eckelmann <seckelmann@datto.com>
4 years agoCheck for LEAP before doing FT
Matthew Wang [Thu, 8 Aug 2019 20:02:12 +0000 (13:02 -0700)] 
Check for LEAP before doing FT

According to https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/80211r-ft/b-80211r-dg.html
Cisco does not support EAP-LEAP with Fast Transition. Here, we check for
LEAP before selecting the FT 802.1X key management suite.

Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
4 years agotests: DPP network introduction with expired netaccesskey
Jouni Malinen [Sun, 11 Aug 2019 13:45:43 +0000 (16:45 +0300)] 
tests: DPP network introduction with expired netaccesskey

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years agotests: SAE dot11RSNASAESync
Jouni Malinen [Sun, 11 Aug 2019 13:34:41 +0000 (16:34 +0300)] 
tests: SAE dot11RSNASAESync

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years agoFix a typo in hostapd config documentation
Jouni Malinen [Sun, 11 Aug 2019 13:32:27 +0000 (16:32 +0300)] 
Fix a typo in hostapd config documentation

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years agotests: OCE AP
Jouni Malinen [Sun, 11 Aug 2019 13:31:34 +0000 (16:31 +0300)] 
tests: OCE AP

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years agotests: WPS registrar configuring an AP using preconfigured AP password token
Jouni Malinen [Sun, 11 Aug 2019 13:25:48 +0000 (16:25 +0300)] 
tests: WPS registrar configuring an AP using preconfigured AP password token

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years agotests: HE AP parameters
Jouni Malinen [Sun, 11 Aug 2019 13:14:44 +0000 (16:14 +0300)] 
tests: HE AP parameters

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years agotests: OCV on 2.4 GHz with PMF getting enabled automatically
Jouni Malinen [Sun, 11 Aug 2019 13:06:49 +0000 (16:06 +0300)] 
tests: OCV on 2.4 GHz with PMF getting enabled automatically

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years agotests: acs_exclude_dfs=1
Jouni Malinen [Sun, 11 Aug 2019 13:02:43 +0000 (16:02 +0300)] 
tests: acs_exclude_dfs=1

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years agotests: FT RKH parameters
Jouni Malinen [Sun, 11 Aug 2019 10:25:33 +0000 (13:25 +0300)] 
tests: FT RKH parameters

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years agotests: FT PMK-R0/R1 expiration
Jouni Malinen [Sun, 11 Aug 2019 10:19:44 +0000 (13:19 +0300)] 
tests: FT PMK-R0/R1 expiration

Signed-off-by: Jouni Malinen <j@w1.fi>
4 years agotests: Server checking CRL with check_crl_strict=0
Jouni Malinen [Sun, 11 Aug 2019 08:04:13 +0000 (11:04 +0300)] 
tests: Server checking CRL with check_crl_strict=0

Signed-off-by: Jouni Malinen <j@w1.fi>