Jouni Malinen [Sat, 6 Jun 2020 09:08:37 +0000 (12:08 +0300)]
SAE: Move H2E and PK flags to main sae_data
This maintains knowledge of whether H2E or PK was used as part of the
SAE authentication beyond the removal of temporary state needed during
that authentication. This makes it easier to use information about which
kind of SAE authentication was used at higher layer functionality.
Jouni Malinen [Sat, 6 Jun 2020 08:47:12 +0000 (11:47 +0300)]
Document more network profile parameters
Some of the recently added wpa_supplicant network profile parameters
were not documented in wpa_supplicant.conf. Add these there based on the
documentation in config_ssid.h.
Jouni Malinen [Thu, 4 Jun 2020 18:04:59 +0000 (21:04 +0300)]
WPS UPnP: Do not update Beacon frames unnecessarily on subscription removal
There is no need to update the WPS IE in Beacon frames when a
subscription is removed if that subscription is not for an actual
selected registrar. For example, this gets rids of unnecessary driver
operations when a subscription request gets rejected when parsing the
callback URLs.
Jouni Malinen [Wed, 3 Jun 2020 22:36:50 +0000 (01:36 +0300)]
SAE-PK: Increment the minimum password length to 9
While this is not explicitly defined as the limit, lambda=8 (i.e., 9
characters with the added hyphen) is needed with Sec=5 to reach the
minimum required resistance to preimage attacks, so use this as an
implicit definition of the password length constraint.
Jouni Malinen [Wed, 3 Jun 2020 14:30:36 +0000 (17:30 +0300)]
SAE-PK: Determine hash algorithm from K_AP group instead of SAE group
While the current implementation forces these groups to be same, that is
not strictly speaking necessary and the correct group to use here is
K_AP, not the SAE authentication group.
Jouni Malinen [Sat, 30 May 2020 20:30:42 +0000 (23:30 +0300)]
SAE-PK: STA functionality
This adds STA side functionality for SAE-PK. This version enables SAE-PK
automatically based on the configured SAE password value if the selected
AP advertises support for SAE-PK.
Jouni Malinen [Sat, 30 May 2020 20:30:42 +0000 (23:30 +0300)]
SAE-PK: AP functionality
This adds AP side functionality for SAE-PK. The new sae_password
configuration parameters can now be used to enable SAE-PK mode whenever
SAE is enabled.
Jouni Malinen [Sat, 30 May 2020 20:30:42 +0000 (23:30 +0300)]
SAE-PK: Extend SAE functionality for AP validation
This adds core SAE functionality for a new mode of using SAE with a
specially constructed password that contains a fingerprint for an AP
public key and that public key being used to validate an additional
signature in SAE confirm from the AP.
Jouni Malinen [Mon, 1 Jun 2020 19:24:00 +0000 (22:24 +0300)]
wpaspy: Be a bit more careful on detaching the control interface
Check that the client socket is still open before trying to detach the
control interface to avoid undesired exceptions on cleanup paths on
unexpected errors due to the socket getting closed.
Jouni Malinen [Fri, 29 May 2020 21:24:15 +0000 (00:24 +0300)]
OCV: Report OCI validation failures with OCV-FAILURE messages (STA)
Convert the previously used text log entries to use the more formal
OCV-FAILURE prefix and always send these as control interface events to
allow upper layers to get information about unexpected operating channel
mismatches.
Jouni Malinen [Fri, 29 May 2020 21:04:53 +0000 (00:04 +0300)]
OCV: Allow OCI channel to be overridden for testing (AP)
Add hostapd configuration parameters oci_freq_override_* to allow the
OCI channel information to be overridden for various frames for testing
purposes. This can be set in the configuration and also updated during
the runtime of a BSS.
Jouni Malinen [Fri, 29 May 2020 18:07:45 +0000 (21:07 +0300)]
OSEN: Do not send the actual BIGTK to OSEN STAs
OSEN STAs are not authenticated, so do not send the actual BIGTK for
them so that they cannot generate forged protected Beacon frames. This
means that OSEN STAs cannot enable beacon protection.
Jouni Malinen [Fri, 29 May 2020 18:23:09 +0000 (21:23 +0300)]
FT: Do not expose GTK/IGTK in FT Reassociation Response frame in OSEN
Do not include the actual GTK/IGTK value in FT protocol cases in OSEN or
with DGAF disabled (Hotspot 2.0). This was already the case for the
EAPOL-Key cases of providing GTK/IGTK, but the FT protocol case was
missed. OSEN cannot really use FT, so that part is not impacted, but it
would be possible to enable FT in a Hotspot 2.0 network that has DGAF
disabled.
Jouni Malinen [Fri, 29 May 2020 18:04:40 +0000 (21:04 +0300)]
WNM: Do not expose GTK/IGTK in WNM Sleep Mode Response frame in OSEN
Do not include the actual GTK/IGTK value in WNM Sleep Mode Response
frame if WNM Sleep Mode is used in OSEN or in a network where use of GTK
is disabled. This was already the case for the EAPOL-Key cases of
providing GTK/IGTK, but the WNM Sleep Mode exit case was missed.
Hu Wang [Fri, 15 May 2020 06:20:32 +0000 (14:20 +0800)]
OWE: Skip beacon update of transition BSS if it is not yet enabled
When a single hostapd process manages both the OWE and open BSS for
transition mode, owe_transition_ifname can be used to clone the
transition mode information (i.e., BSSID/SSID) automatically. When both
BSSs use ACS, the completion of ACS on the 1st BSS sets state to
HAPD_IFACE_ENABLED and the OWE transition mode information is updated
for all the other BSSs. However, the 2nd BSS is still in the ACS phase
and the beacon update messes up the state for AP startup and prevents
proper ACS competion.
If 2nd BSS is not yet enabled (e.g., in ACS), skip beacon update and
defer OWE transition information cloning until the BSS is enabled.
Jouni Malinen [Tue, 26 May 2020 09:31:16 +0000 (12:31 +0300)]
tests: Enforce proper OCV behavior for SA Query Response from STA
Now that there is a pending mac80211 patch ("mac80211: allow SA-QUERY
processing in userspace") to allow wpa_supplicant to take care of SA
Query Request processing, start enforcing correct behavior for this in
ocv_sa_query and wpa2_ocv_sta_override_sa_query_resp.
Jouni Malinen [Mon, 25 May 2020 18:55:49 +0000 (21:55 +0300)]
OCV: Disconnect STAs that do not use SA Query after CSA
Verify that all associated STAs that claim support for OCV initiate an
SA Query after CSA. If no SA Query is seen within 15 seconds,
deauthenticate the STA.
Jouni Malinen [Mon, 25 May 2020 15:41:04 +0000 (18:41 +0300)]
OCV: Report validation errors for SA Query Request/Response in AP mode
Add a new OCV-FAILURE control interface event to notify upper layers of
OCV validation issues. This commit adds this for SA Query processing in
AP mode.
Jouni Malinen [Mon, 25 May 2020 15:33:00 +0000 (18:33 +0300)]
OCV: Move "OCV failed" prefix to callers
Make reporting of OCV validation failure reasons more flexible by
removing the fixed prefix from ocv_verify_tx_params() output in
ocv_errorstr so that the caller can use whatever prefix or encapsulation
that is most appropriate for each case.
Vamsi Krishna [Fri, 8 May 2020 17:59:04 +0000 (23:29 +0530)]
OCV: Add support to override channel info OCI element (STA)
To support the STA testbed role, the STA has to use specified channel
information in OCI element sent to the AP in EAPOL-Key msg 2/4, SA Query
Request, and SA Query Response frames. Add override parameters to use
the specified channel while populating OCI element in all these frames.
Jouni Malinen [Mon, 25 May 2020 13:25:50 +0000 (16:25 +0300)]
Clear current PMKSA cache selection on association/roam
It was possible for the RSN state machine to maintain old PMKSA cache
selection (sm->cur_pmksa) when roaming to another BSS based on
driver-based roaming indication. This could result in mismatching state
and unexpected behavior, e.g., with not generating a Suite B PMKSA cache
entry.
Jouni Malinen [Sat, 23 May 2020 18:11:33 +0000 (21:11 +0300)]
wlantest: Handle FT over-the-DS association state update cleanly
It is expected for the STA entry on the target AP to move directly from
State 1 to State 3 when performing FT over-the-DS (i.e., FT Action
Request/Response frame exchange through the old AP followed by
Reassociation Request/Response frame exchange with the target AP).
Min Liu [Mon, 13 Apr 2020 13:36:48 +0000 (21:36 +0800)]
QCA vendor command for adding and deleting TSPEC
Add a QCA vendor subcommand QCA_NL80211_VENDOR_SUBCMD_CONFIG_TSPEC
to add and delete TSPEC in STA mode.
The attributes defined in enum qca_wlan_vendor_attr_config_tspec
are used to encapsulate required information.
Add QCA vendor interface support to configure PHY modes
Add an attribute that can be used with
QCA_NL80211_VENDOR_SUBCMD_SET_WIFI_CONFIGURATION vendor command to
configure different PHY modes to the driver/firmware.
nl80211: Control the registration for RRM frame with driver_param
wpa_supplicant registered to process the Radio Measurement Request
frames unconditionally. This would prevent other location based
applications from handling these frames. Enable such a use case by
allowing wpa_supplicant to be configured not to register to process
these frames. This can now be done by adding "no_rrm=1" to the
driver_param configuration parameter.
In addition, wpa_driver_nl80211_init() does not have the provision to
take driver_params. Hence, resubscribe again with cfg80211 when this
driver parameter "no_rrm=1" is set after the initial setup steps.
HE: Add 6 GHz Band Capabilities element in Beacon and response frames
Construct HE 6 GHz Band Capabilities element (IEEE 802.11ax/D6.0,
9.4.2.261) from HT and VHT capabilities and add it to Beacon, Probe
Response, and (Re)Association Response frames when operating on the 6
GHz band.
HE: Remove VHT Operation Information from HE Operation element
The VHT Operation Information subfield is conditonally present, so do
not hardcoded it in struct ieee80211_he_operation. These members of the
struct are not currently used, so these can be removed without impact to
functionality.
Defines IEEE P802.11ax/D6.0, 9.4.2.261 HE 6 GHz Band Capabilities
element and 6 GHz Operation Information field of HE Operation element
(IEEE P802.11ax/D6.0, Figure 9-787k).
Some distros (e.g., Debian and Arch) already build wpa_supplicant with
support for TDLS, and Fedora is about to enable this feature as well.
Set CONFIG_TDLS=y in wpa_supplicant default build configuration.
Jouni Malinen [Sun, 17 May 2020 09:59:53 +0000 (12:59 +0300)]
tests: Avoid hapd reference before assignment on error cases
Couple of VHT test cases missed explicit setting of hapd to None before
trying to start hostapd. Add those to avoid unexpected exceptions in
case hostapd start fails.
Jouni Malinen [Sat, 16 May 2020 21:59:00 +0000 (00:59 +0300)]
tests: Fix ACS freqlist testing
The freqlist parameter uses comma, not space, separated values. Add
another test case for checking freqlist values that do not use the
preferred channel numbers to make sure the frequency list is actually
used as a constraint for selecting the channel.
Johannes Berg [Thu, 7 May 2020 08:26:51 +0000 (10:26 +0200)]
tests: Delayed group rekey retransmit test for IGTK
Add a test for delayed group rekey retransmission that checks that
the IGTK is protected against it by not resetting the IPN replay
counter when reinstalling such a key.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Johannes Berg [Thu, 7 May 2020 08:26:50 +0000 (10:26 +0200)]
tests: Reset the correct key's PN for group key handshake testing
While adding support for IGTK and BIGTK here, I tested this without
protections (i.e., with protections removed from both wpa_supplicant and
the driver), and while I got some bad resets on the debugfs values, it
should have failed with "unexpected connectivity".
Fix this to be correct - we need to reset the GTK PN, not the PTK PN in
this test.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Jouni Malinen [Sat, 16 May 2020 21:17:55 +0000 (00:17 +0300)]
Add a helper function for recognizing BIP enum wpa_alg values
Use a shared wpa_alg_bip() function for this and fix the case in
nl_add_key() to cover all BIP algorithms. That fix does not change any
behavior since the function is not currently used with any BIP
algorithm, but it is better to avoid surprises should it ever be needed
with IGTK.
Jouni Malinen [Sat, 16 May 2020 21:11:59 +0000 (00:11 +0300)]
Rename WPA_ALG_IGTK to use the correct cipher name for BIP
IGTK is the key that is used a BIP cipher. WPA_ALG_IGTK was the
historical name used for this enum value when only the AES-128-CMAC
based BIP algorithm was supported. Rename this to match the style used
with the other BIP options.
Jouni Malinen [Sat, 16 May 2020 18:46:24 +0000 (21:46 +0300)]
D-Bus: Increase introspection buffer size
It was apparently possible to hit the 20000 octet limit in some cases,
so increase the limit to avoid process termination due to insufficient
room for preparing a response to Introspect calls.
Jouni Malinen [Sat, 16 May 2020 18:07:45 +0000 (21:07 +0300)]
wolfssl: Do not hardcode include directory in wpa_supplicant build
This is not really appropriate for any kind of cross compilations and is
not really needed in general since system specific values can be set in
.config.
Jouni Malinen [Sat, 16 May 2020 18:02:17 +0000 (21:02 +0300)]
wolfssl: Fix crypto_bignum_rand() implementation
The previous implementation used mp_rand_prime() to generate a random
value in range 0..m. That is insanely slow way of generating a random
value since mp_rand_prime() is for generating a random _prime_ which is
not what is needed here. Replace that implementation with generationg of
a random value in the requested range without doing any kind of prime
number checks or loops to reject values that are not primes.
This speeds up SAE and EAP-pwd routines by couple of orders of
magnitude..
Thomas Pedersen [Fri, 1 May 2020 21:02:11 +0000 (14:02 -0700)]
tests: Flush scan results before checking alloc failure
When run after other tests, It was likely that the target
bss was already present in scan_fail, so the
scan_for_bss() wouldn't trip the allocation failure in
wpa_bss_add(). Flush the scan results before the scan to
ensure wpa_bss_add() is called and consistently pass
scan_fail.
Signed-off-by: Thomas Pedersen <thomas@adapt-ip.com>
Thomas Pedersen [Fri, 1 May 2020 21:02:07 +0000 (14:02 -0700)]
tests: sigma_dut: set regulatory inside try/except
If sigma_dut is not installed, start_sigma_dut() will
throw an exception. Call start_sigma_dut() inside the
try/except to correctly reset the regulatory domain.
This fixes several seemingly random failures due to
regulatory domain not being reset.
Signed-off-by: Thomas Pedersen <thomas@adapt-ip.com>
Petr Štetiar [Mon, 11 May 2020 08:16:51 +0000 (10:16 +0200)]
nl80211: Change AKM suite limit from warning to debug print
Commit dd74ddd0dff6 ("nl80211: Handle AKM suite selectors for AP
configuration") added warning log message "nl80211: Not enough room for
all AKM suites (num_suites=X > NL80211_MAX_NR_AKM_SUITES)" which in some
cases fills logs every 3 seconds, so fix this by increasing the log
message level to debug.
Reported-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
Ref: https://patchwork.ozlabs.org/project/openwrt/patch/20200504130757.12736-1-ynezz@true.cz/#2429246 Fixes: dd74ddd0dff6 ("nl80211: Handle AKM suite selectors for AP configuration") Signed-off-by: Petr Štetiar <ynezz@true.cz> Tested-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
projects / thirdparty / hostap.git / log
