Jouni Malinen [Tue, 9 Jun 2020 19:32:38 +0000 (22:32 +0300)]
SAE-PK: Remove requirement of SAE group matching SAE-PK (K_AP) group
This was clarified in the draft specification to not be a mandatory
requirement for the AP and STA to enforce, i.e., matching security level
is a recommendation for AP configuration rather than a protocol
requirement.
Jouni Malinen [Tue, 9 Jun 2020 09:48:13 +0000 (12:48 +0300)]
WPS UPnP: Support build on OS X
Define MAC address fetching for OS X (by reusing the existing FreeBSD
implementation) to allow full compile testing of the WPS implementation
on a more BSD-like platform.
Jouni Malinen [Tue, 9 Jun 2020 09:43:53 +0000 (12:43 +0300)]
WPS UPnP: Fix FreeBSD build
struct ifreq does not include the ifr_netmask alternative on FreeBSD, so
replace that more specific name with ifr_addr that works with both Linux
and FreeBSD.
Fixes: 5b78c8f961f2 ("WPS UPnP: Do not allow event subscriptions with URLs to other networks") Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Jouni Malinen [Mon, 8 Jun 2020 21:55:13 +0000 (00:55 +0300)]
HS 2.0: Use global pmf=2 for the created network block
Previously, PMF support was enabled in optional mode (ieee80211w=1) for
Hotspot 2.0 network blocks automatically. This did not consider the
global PMF parameter and unconditionally changed that value to optional.
Since the newly added network block had an explicit ieee80211w
parameter, this overrode the global parameter. To make this less
surprising, use the global pmf parameter value to select whether to add
network blocks for Hotspot 2.0 with PMF being optionally enabled (pmf=0
or pmf=1) or required (pmf=2).
Subrat Dash [Sat, 6 Jun 2020 07:50:34 +0000 (13:20 +0530)]
Allow TX queue parameters to be configured for wpa_supplicant AP/P2P GO
Allow user to configure the TX queue parameters through the
wpa_supplicant configuration file similarly to the way these can be set
in hostapd.
Parse the tx_queue_* parameters in the wpa_supplicant configuration file
and update the TX queue configuration to the AP/P2P GO interface in the
function wpa_supplicant_create_ap().
Jouni Malinen [Mon, 8 Jun 2020 21:21:06 +0000 (00:21 +0300)]
Remove unused enum values
The last user of these was removed in commit 17fbb751e174 ("Remove user
space client MLME") and there is no need to maintain these unused values
anymore.
Jouni Malinen [Mon, 8 Jun 2020 18:40:56 +0000 (21:40 +0300)]
Do not try to connect with zero-length SSID
It was possible to find a BSS to local network profile match for a BSS
entry that has no known SSID when going through some of the SSID
wildcard cases. At leas the OWE transition mode case without BSSID match
could result in hitting this. Zero-length SSID (i.e., wildcard SSID) is
not valid in (Re)Association Request frame, so such an association will
fail. Skip such a BSS to avoid known-to-be-failing association attempts.
Jouni Malinen [Thu, 4 Jun 2020 18:24:04 +0000 (21:24 +0300)]
WPS UPnP: Handle HTTP initiation failures for events more properly
While it is appropriate to try to retransmit the event to another
callback URL on a failure to initiate the HTTP client connection, there
is no point in trying the exact same operation multiple times in a row.
Replve the event_retry() calls with event_addr_failure() for these cases
to avoid busy loops trying to repeat the same failing operation.
These potential busy loops would go through eloop callbacks, so the
process is not completely stuck on handling them, but unnecessary CPU
would be used to process the continues retries that will keep failing
for the same reason.
Jouni Malinen [Wed, 3 Jun 2020 19:41:02 +0000 (22:41 +0300)]
WPS UPnP: Fix event message generation using a long URL path
More than about 700 character URL ended up overflowing the wpabuf used
for building the event notification and this resulted in the wpabuf
buffer overflow checks terminating the hostapd process. Fix this by
allocating the buffer to be large enough to contain the full URL path.
However, since that around 700 character limit has been the practical
limit for more than ten years, start explicitly enforcing that as the
limit or the callback URLs since any longer ones had not worked before
and there is no need to enable them now either.
Jouni Malinen [Wed, 3 Jun 2020 20:17:35 +0000 (23:17 +0300)]
WPS UPnP: Do not allow event subscriptions with URLs to other networks
The UPnP Device Architecture 2.0 specification errata ("UDA errata
16-04-2020.docx") addresses a problem with notifications being allowed
to go out to other domains by disallowing such cases. Do such filtering
for the notification callback URLs to avoid undesired connections to
external networks based on subscriptions that any device in the local
network could request when WPS support for external registrars is
enabled (the upnp_iface parameter in hostapd configuration).
Jouni Malinen [Mon, 8 Jun 2020 11:00:28 +0000 (14:00 +0300)]
SAE-PK: Testing functionality to allow behavior overrides
The new sae_commit_status and sae_pk_omit configuration parameters and
an extra key at the end of sae_password pk argument can be used to
override SAE-PK behavior for testing purposes.
Jouni Malinen [Sun, 7 Jun 2020 13:49:07 +0000 (16:49 +0300)]
SAE-PK: Select SAE-PK network over SAE without PK
If there is an acceptable BSS with SAE-PK enabled in the same ESS,
select that over a BSS that does not enable SAE-PK when the network
profile uses automatic SAE-PK selection.
Jouni Malinen [Sun, 7 Jun 2020 13:30:32 +0000 (16:30 +0300)]
Clean up wpa_scan_res_match()
Move the BSS-against-SSID matching into a separate helper function to
make this overly long function a bit more readable and to allow that
helper function to be used for other purposes.
Jouni Malinen [Sun, 7 Jun 2020 08:53:26 +0000 (11:53 +0300)]
SAE-PK: Allow automatic SAE-PK to be disabled
This replaces the previously used sae_pk_only configuration parameter
with a more generic sae_pk that can be used to specify how SAE-PK is
negotiated. The default behavior (sae_pk=0) is to automatically
negotiate SAE-PK whenever the AP supports it and the password is in
appropriate format. sae_pk=1 allows only SAE-PK to be used and sae_pk=2
disables SAE-PK completely.
wpa_cli: Add all_bss command to print all scan results (BSS entries)
The wpa_supplicant control interface returns maximum of 4 kB of response
data and, thus, limits maximum number of scan entries as part of
SCAN_RESULTS to approximately 60. Add a new all_bss command to use a
more robust iteration of the BSS table entries with the BSS command to
to get all scan entries and print them in the same format as the
scan_results command.
Jouni Malinen [Sat, 6 Jun 2020 13:46:32 +0000 (16:46 +0300)]
FT: Do not add PMKID to the driver for FT-EAP if caching is disabled
wpa_supplicant disables PMKSA caching with FT-EAP by default due to
known interoperability issues with APs. This is allowed only if the
network profile is explicitly enabling caching with
ft_eap_pmksa_caching=1. However, the PMKID for such PMKSA cache entries
was still being configured to the driver and it was possible for the
driver to build an RSNE with the PMKID for SME-in-driver cases. This
could result in hitting the interop issue with some APs.
Fix this by skipping PMKID configuration to the driver fot FT-EAP AKM if
ft_eap_pmksa_caching=1 is not used in the network profile so that the
driver and wpa_supplicant behavior are in sync for this.
Tanmay Garg [Mon, 18 May 2020 10:22:44 +0000 (15:52 +0530)]
Add support for indicating missing driver AKM capability flags
Add support for missing driver AKM capability flags from the list of
RSN_AUTH_KEY_MGMT_* flags and make these available through the
'GET_CAPABILITY key_mgmt' control interface command.
Add vendor attributes to configure testing functionality for FT/OCV/SAE
Add new QCA vendor attributes to configure RSNXE Used (FTE), ignore CSA,
and OCI frequency override with QCA vendor command
QCA_NL80211_VENDOR_SUBCMD_WIFI_TEST_CONFIGURATION for STA testbed role.
Jouni Malinen [Sat, 6 Jun 2020 09:08:37 +0000 (12:08 +0300)]
SAE: Move H2E and PK flags to main sae_data
This maintains knowledge of whether H2E or PK was used as part of the
SAE authentication beyond the removal of temporary state needed during
that authentication. This makes it easier to use information about which
kind of SAE authentication was used at higher layer functionality.
Jouni Malinen [Sat, 6 Jun 2020 08:47:12 +0000 (11:47 +0300)]
Document more network profile parameters
Some of the recently added wpa_supplicant network profile parameters
were not documented in wpa_supplicant.conf. Add these there based on the
documentation in config_ssid.h.
Jouni Malinen [Thu, 4 Jun 2020 18:04:59 +0000 (21:04 +0300)]
WPS UPnP: Do not update Beacon frames unnecessarily on subscription removal
There is no need to update the WPS IE in Beacon frames when a
subscription is removed if that subscription is not for an actual
selected registrar. For example, this gets rids of unnecessary driver
operations when a subscription request gets rejected when parsing the
callback URLs.
Jouni Malinen [Wed, 3 Jun 2020 22:36:50 +0000 (01:36 +0300)]
SAE-PK: Increment the minimum password length to 9
While this is not explicitly defined as the limit, lambda=8 (i.e., 9
characters with the added hyphen) is needed with Sec=5 to reach the
minimum required resistance to preimage attacks, so use this as an
implicit definition of the password length constraint.
Jouni Malinen [Wed, 3 Jun 2020 14:30:36 +0000 (17:30 +0300)]
SAE-PK: Determine hash algorithm from K_AP group instead of SAE group
While the current implementation forces these groups to be same, that is
not strictly speaking necessary and the correct group to use here is
K_AP, not the SAE authentication group.
Jouni Malinen [Sat, 30 May 2020 20:30:42 +0000 (23:30 +0300)]
SAE-PK: STA functionality
This adds STA side functionality for SAE-PK. This version enables SAE-PK
automatically based on the configured SAE password value if the selected
AP advertises support for SAE-PK.
Jouni Malinen [Sat, 30 May 2020 20:30:42 +0000 (23:30 +0300)]
SAE-PK: AP functionality
This adds AP side functionality for SAE-PK. The new sae_password
configuration parameters can now be used to enable SAE-PK mode whenever
SAE is enabled.
Jouni Malinen [Sat, 30 May 2020 20:30:42 +0000 (23:30 +0300)]
SAE-PK: Extend SAE functionality for AP validation
This adds core SAE functionality for a new mode of using SAE with a
specially constructed password that contains a fingerprint for an AP
public key and that public key being used to validate an additional
signature in SAE confirm from the AP.
Jouni Malinen [Mon, 1 Jun 2020 19:24:00 +0000 (22:24 +0300)]
wpaspy: Be a bit more careful on detaching the control interface
Check that the client socket is still open before trying to detach the
control interface to avoid undesired exceptions on cleanup paths on
unexpected errors due to the socket getting closed.
Jouni Malinen [Fri, 29 May 2020 21:24:15 +0000 (00:24 +0300)]
OCV: Report OCI validation failures with OCV-FAILURE messages (STA)
Convert the previously used text log entries to use the more formal
OCV-FAILURE prefix and always send these as control interface events to
allow upper layers to get information about unexpected operating channel
mismatches.
Jouni Malinen [Fri, 29 May 2020 21:04:53 +0000 (00:04 +0300)]
OCV: Allow OCI channel to be overridden for testing (AP)
Add hostapd configuration parameters oci_freq_override_* to allow the
OCI channel information to be overridden for various frames for testing
purposes. This can be set in the configuration and also updated during
the runtime of a BSS.
Jouni Malinen [Fri, 29 May 2020 18:07:45 +0000 (21:07 +0300)]
OSEN: Do not send the actual BIGTK to OSEN STAs
OSEN STAs are not authenticated, so do not send the actual BIGTK for
them so that they cannot generate forged protected Beacon frames. This
means that OSEN STAs cannot enable beacon protection.
Jouni Malinen [Fri, 29 May 2020 18:23:09 +0000 (21:23 +0300)]
FT: Do not expose GTK/IGTK in FT Reassociation Response frame in OSEN
Do not include the actual GTK/IGTK value in FT protocol cases in OSEN or
with DGAF disabled (Hotspot 2.0). This was already the case for the
EAPOL-Key cases of providing GTK/IGTK, but the FT protocol case was
missed. OSEN cannot really use FT, so that part is not impacted, but it
would be possible to enable FT in a Hotspot 2.0 network that has DGAF
disabled.
Jouni Malinen [Fri, 29 May 2020 18:04:40 +0000 (21:04 +0300)]
WNM: Do not expose GTK/IGTK in WNM Sleep Mode Response frame in OSEN
Do not include the actual GTK/IGTK value in WNM Sleep Mode Response
frame if WNM Sleep Mode is used in OSEN or in a network where use of GTK
is disabled. This was already the case for the EAPOL-Key cases of
providing GTK/IGTK, but the WNM Sleep Mode exit case was missed.
Hu Wang [Fri, 15 May 2020 06:20:32 +0000 (14:20 +0800)]
OWE: Skip beacon update of transition BSS if it is not yet enabled
When a single hostapd process manages both the OWE and open BSS for
transition mode, owe_transition_ifname can be used to clone the
transition mode information (i.e., BSSID/SSID) automatically. When both
BSSs use ACS, the completion of ACS on the 1st BSS sets state to
HAPD_IFACE_ENABLED and the OWE transition mode information is updated
for all the other BSSs. However, the 2nd BSS is still in the ACS phase
and the beacon update messes up the state for AP startup and prevents
proper ACS competion.
If 2nd BSS is not yet enabled (e.g., in ACS), skip beacon update and
defer OWE transition information cloning until the BSS is enabled.
Jouni Malinen [Tue, 26 May 2020 09:31:16 +0000 (12:31 +0300)]
tests: Enforce proper OCV behavior for SA Query Response from STA
Now that there is a pending mac80211 patch ("mac80211: allow SA-QUERY
processing in userspace") to allow wpa_supplicant to take care of SA
Query Request processing, start enforcing correct behavior for this in
ocv_sa_query and wpa2_ocv_sta_override_sa_query_resp.
Jouni Malinen [Mon, 25 May 2020 18:55:49 +0000 (21:55 +0300)]
OCV: Disconnect STAs that do not use SA Query after CSA
Verify that all associated STAs that claim support for OCV initiate an
SA Query after CSA. If no SA Query is seen within 15 seconds,
deauthenticate the STA.
Jouni Malinen [Mon, 25 May 2020 15:41:04 +0000 (18:41 +0300)]
OCV: Report validation errors for SA Query Request/Response in AP mode
Add a new OCV-FAILURE control interface event to notify upper layers of
OCV validation issues. This commit adds this for SA Query processing in
AP mode.
Jouni Malinen [Mon, 25 May 2020 15:33:00 +0000 (18:33 +0300)]
OCV: Move "OCV failed" prefix to callers
Make reporting of OCV validation failure reasons more flexible by
removing the fixed prefix from ocv_verify_tx_params() output in
ocv_errorstr so that the caller can use whatever prefix or encapsulation
that is most appropriate for each case.
Vamsi Krishna [Fri, 8 May 2020 17:59:04 +0000 (23:29 +0530)]
OCV: Add support to override channel info OCI element (STA)
To support the STA testbed role, the STA has to use specified channel
information in OCI element sent to the AP in EAPOL-Key msg 2/4, SA Query
Request, and SA Query Response frames. Add override parameters to use
the specified channel while populating OCI element in all these frames.
Jouni Malinen [Mon, 25 May 2020 13:25:50 +0000 (16:25 +0300)]
Clear current PMKSA cache selection on association/roam
It was possible for the RSN state machine to maintain old PMKSA cache
selection (sm->cur_pmksa) when roaming to another BSS based on
driver-based roaming indication. This could result in mismatching state
and unexpected behavior, e.g., with not generating a Suite B PMKSA cache
entry.
Jouni Malinen [Sat, 23 May 2020 18:11:33 +0000 (21:11 +0300)]
wlantest: Handle FT over-the-DS association state update cleanly
It is expected for the STA entry on the target AP to move directly from
State 1 to State 3 when performing FT over-the-DS (i.e., FT Action
Request/Response frame exchange through the old AP followed by
Reassociation Request/Response frame exchange with the target AP).
projects / thirdparty / hostap.git / log
