Jouni Malinen [Sat, 16 May 2020 18:46:24 +0000 (21:46 +0300)]
D-Bus: Increase introspection buffer size
It was apparently possible to hit the 20000 octet limit in some cases,
so increase the limit to avoid process termination due to insufficient
room for preparing a response to Introspect calls.
Jouni Malinen [Sat, 16 May 2020 18:07:45 +0000 (21:07 +0300)]
wolfssl: Do not hardcode include directory in wpa_supplicant build
This is not really appropriate for any kind of cross compilations and is
not really needed in general since system specific values can be set in
.config.
Jouni Malinen [Sat, 16 May 2020 18:02:17 +0000 (21:02 +0300)]
wolfssl: Fix crypto_bignum_rand() implementation
The previous implementation used mp_rand_prime() to generate a random
value in range 0..m. That is insanely slow way of generating a random
value since mp_rand_prime() is for generating a random _prime_ which is
not what is needed here. Replace that implementation with generationg of
a random value in the requested range without doing any kind of prime
number checks or loops to reject values that are not primes.
This speeds up SAE and EAP-pwd routines by couple of orders of
magnitude..
Thomas Pedersen [Fri, 1 May 2020 21:02:11 +0000 (14:02 -0700)]
tests: Flush scan results before checking alloc failure
When run after other tests, It was likely that the target
bss was already present in scan_fail, so the
scan_for_bss() wouldn't trip the allocation failure in
wpa_bss_add(). Flush the scan results before the scan to
ensure wpa_bss_add() is called and consistently pass
scan_fail.
Signed-off-by: Thomas Pedersen <thomas@adapt-ip.com>
Thomas Pedersen [Fri, 1 May 2020 21:02:07 +0000 (14:02 -0700)]
tests: sigma_dut: set regulatory inside try/except
If sigma_dut is not installed, start_sigma_dut() will
throw an exception. Call start_sigma_dut() inside the
try/except to correctly reset the regulatory domain.
This fixes several seemingly random failures due to
regulatory domain not being reset.
Signed-off-by: Thomas Pedersen <thomas@adapt-ip.com>
Petr Štetiar [Mon, 11 May 2020 08:16:51 +0000 (10:16 +0200)]
nl80211: Change AKM suite limit from warning to debug print
Commit dd74ddd0dff6 ("nl80211: Handle AKM suite selectors for AP
configuration") added warning log message "nl80211: Not enough room for
all AKM suites (num_suites=X > NL80211_MAX_NR_AKM_SUITES)" which in some
cases fills logs every 3 seconds, so fix this by increasing the log
message level to debug.
Reported-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
Ref: https://patchwork.ozlabs.org/project/openwrt/patch/20200504130757.12736-1-ynezz@true.cz/#2429246 Fixes: dd74ddd0dff6 ("nl80211: Handle AKM suite selectors for AP configuration") Signed-off-by: Petr Štetiar <ynezz@true.cz> Tested-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
Jouni Malinen [Sat, 16 May 2020 09:16:34 +0000 (12:16 +0300)]
Ignore Management frames while AP interface is not fully enabled
It is possible for drivers to report received Management frames while AP
is going through initial setup (e.g., during ACS or DFS CAC). hostapd
and the driver is not yet ready for actually sending out responses to
such frames at this point and as such, it is better to explicitly ignore
such received frames rather than try to process them and have the
response (e.g., a Probe Response frame) getting dropped by the driver as
an invalid or getting out with some incorrect information.
Jouni Malinen [Sat, 16 May 2020 08:38:09 +0000 (11:38 +0300)]
Move deauthentication at AP start to be after beacon configuration
This allows nl80211-based drivers to get the frame out. The old earlier
location resulted in the driver operation getting rejected before the
kernel was not ready to transmit the frame in the BSS context of the AP
interface that has not yet been started.
While getting this broadcast Deauthentication frame transmitted at the
BSS start is not critical, it is one more chance of getting any
previously associated station notified of their previous association not
being valid anymore had they missed previous notifications in cases
where the AP is stopped and restarted.
Jouni Malinen [Fri, 15 May 2020 18:23:50 +0000 (21:23 +0300)]
nl80211: Remove AP mode interface from bridge for STA-mode-scan
Linux bridging code does not allow a station mode WLAN interface in a
bridge and this prevents the AP mode scan workaround from working if the
AP interface is in a bridge and scanning can be only done by moving to
STA mode. Extend this workaround to remove the interface from the bridge
temporarily for the duration of the scan, i.e., for the same duration as
the interface needs to be moved into the station.
Jouni Malinen [Fri, 15 May 2020 11:20:26 +0000 (14:20 +0300)]
dpp-nfc: Clean up debug prints when handover select is received
If the local device becomes the handover selector, make the debug log
entries about client functionality not receiving the response clearer
since that is not really an error case.
Jouni Malinen [Fri, 15 May 2020 11:17:40 +0000 (14:17 +0300)]
dpp-nfc: Do not indicate a single channel 1 by default
Allow any channel to be used by not including a specific single channel
in the handover request without a need (for AP mode, use the current
operating channel). When sending out the handover select, pick a single
channel if no specific channel has been negotiated.
Jouni Malinen [Fri, 15 May 2020 09:03:53 +0000 (12:03 +0300)]
dpp-nfc: Write debug info to summary log
Convert most print() calls to use the summary() helper so that the
printed information gets written into a log file as well. In addition,
start using a mutex lock to synchronize debug prints between threads to
avoid merging of messages from different contexts.
Jouni Malinen [Thu, 14 May 2020 22:21:01 +0000 (01:21 +0300)]
dpp-nfc: Start handover server regardless of init-on-touch setting
The previous version was trying to force the handover roles based on the
--init-on-touch parameter on both sides. That is fine for some test
scenarios, but not appropriate for more normal use cases. Change this
design to enable handover server in all cases and only control starting
of the handover client based on --init-on-touch.
Jouni Malinen [Thu, 14 May 2020 18:46:50 +0000 (21:46 +0300)]
dpp-nfc: Use Configurator/Enrollee parameters with tag reading
This was previously done only for the negotiated connection handover
case, but the same parameters are useful for the tag reading cases (URI
record and static handover).
Jouni Malinen [Wed, 13 May 2020 14:11:40 +0000 (17:11 +0300)]
DPP2: Chirping in hostapd Enrollee
Add a new hostapd control interface command "DPP_CHIRP own=<BI ID>
iter=<count>" to request chirping, i.e., sending of Presence
Announcement frames, to be started. This follows the model of similar
wpa_supplicant functionality from commit 562f77144cd2 ("DPP2: Chirping
in wpa_supplicant Enrollee"). The hostapd case requires the AP to be
started without beaconing, i.e., with start_disabled=1 in hostapd
configuration, to allow iteration of channels needed for chirping.
Jouni Malinen [Wed, 13 May 2020 14:36:40 +0000 (17:36 +0300)]
Handle hostapd_for_each_interface() at the process termination
Clean struct hapd_interfaces pointers and interface count during
deinitialization at the end of theh ostapd process termination so that a
call to hostapd_for_each_interface() after this does not end up
dereferencing freed memory. Such cases do not exist before this commit,
but can be added after this, e.g., for DPP needs.
Jouni Malinen [Wed, 13 May 2020 14:09:52 +0000 (17:09 +0300)]
nl80211: Disable offchannel-ok in AP mode only if beaconing
When hostapd is started without beaconing (start_disabled=1), Public
Action frame transmission command through nl80211 needs to allow
offchannel operations regardless of the operating channel configuration.
Use per-interface type driver key_mgmt capabilities when possible
Use key_mgmt_iftype instead of key_mgmt when the specific interface type
is known by the context of the operation.
Use per interface type AKM capabilities in capa.key_mgmt_iftype array
based on the wpa_supplicant context instead of using capa.key_mgmt to
determine the driver AKM capability.
nl80211: Fetch information on supported AKMs from the driver
The driver can advertise supported AKMs per wiphy and/or per interface.
Populate per interface supported AKMs based on the driver advertisement
in the following order of preference:
1. AKM suites advertised by NL80211_ATTR_IFTYPE_AKM_SUITES
2. AKM suites advertised by NL80211_ATTR_AKM_SUITES
If neither of these is available:
3. AKMs support is assumed as per legacy behavior.
In addition, extend other driver interface wrappers to set the
per-interface values based on the global capability indication.
nl80211: Remove QCA vendor specific AKM capability handling
Since this functionality was not used for anything in practice, it is
easier to simply remove this functionality completely to avoid potential
conflicts in using the kernel tree upstream commit ab4dfa20534e
("cfg80211: Allow drivers to advertise supported AKM suites").
This is practically reverting the commit 8ec7c99ee4c6 ("nl80211: Fetch
supported AKM list from the driver").
Jouni Malinen [Tue, 12 May 2020 11:25:15 +0000 (14:25 +0300)]
DPP2: Extend TCP encapsulation case to support Configurator as Initiator
This allows DPP_AUTH_INIT to be used with tcp_addr=<dst> argument and
Configurator parameters to perform Configurator initiated DPP
provisioning over TCP. Similarly, DPP_CONTROLLER_START can now be used
to specify Configurator/Enrollee roles and extend Controller to work in
Enrollee role.
Jouni Malinen [Mon, 11 May 2020 21:57:44 +0000 (00:57 +0300)]
DPP: Extend NFC bootstrapping script for more control by caller
Add more parameters to dpp-nfc.py to allow it to be used with more
detailed control by the caller. This allows Enrollee/Configurator roles
to be selected and Configurator parameters to be specified on the
command line.
Jouni Malinen [Mon, 11 May 2020 13:02:51 +0000 (16:02 +0300)]
DPP2: Reconfig Announcement relaying from AP to Controller
Recognize the Reconfig Announcement message type and handle it similarly
to the Presence Announcement in the Relay, i.e., send it to the first
Controller if the local Configurator does not have matching C-sign-key.
Jouni Malinen [Mon, 11 May 2020 12:59:12 +0000 (15:59 +0300)]
DPP2: Fix Presence Announcement processing in Controller
Use the new struct dpp_authentication instance when setting Configurator
parameters for authentication exchange triggered by Presence
Announcement. conn->auth is NULL here and would cause dereferencing of a
NULL pointer if dpp_configurator_params is set.
Jouni Malinen [Sun, 10 May 2020 09:55:43 +0000 (12:55 +0300)]
DPP2: Reconfig Authentication Response processing and Confirm generation
Extend Configurator functionality to process Reconfig Authentication
Response message, derive the needed keys, and generate Reconfig
Authentication Confirm message.
Jouni Malinen [Sat, 9 May 2020 13:30:09 +0000 (16:30 +0300)]
DPP2: Reconfig Authentication Request processing and Response generation
Extend Enrollee functionality to process Reconfig Authentication Request
message, derive the needed keys, and generate Reconfig Authentication
Response message.
Jouni Malinen [Sat, 2 May 2020 17:10:12 +0000 (20:10 +0300)]
DPP2: Reconfig Authentication Request generation and transmission
Extend Configurator functionality to sign a special Connector for
reconfiguration and reply with Reconfig Authentication Request frame
when Reconfig Announcement frame is received with a matching C-sign key
hash value.
Jouni Malinen [Fri, 1 May 2020 21:02:15 +0000 (00:02 +0300)]
DPP2: Reconfig Announcement transmission
Extend DPP chirping mechanism to allow Reconfig Announcement frames to
be transmitted instead of the Presence Announcement frames. Add a new
wpa_supplicant control interface command "DPP_RECONFIG <network id>" to
initiate reconfiguration for a specific network profile.
Jouni Malinen [Fri, 8 May 2020 18:13:32 +0000 (21:13 +0300)]
DPP2: Derive bk ("base key")
Split ke derivation into two parts so that the previously used
internal-only PRK gets stored as the bk in the authentication state.
This new key will be needed for deriving additional keys with DPP R2.
Jouni Malinen [Mon, 4 May 2020 12:31:14 +0000 (15:31 +0300)]
DPP2: Report MUD URL and bandSupport in control interface events
Report MUD URL and bandSupport from config request if those optional
nodes are included. For now, these are mainly for testing purposes since
there is no mechanism to delay sending of config response.
Jouni Malinen [Mon, 4 May 2020 10:11:00 +0000 (13:11 +0300)]
DPP2: Do not include Protocol Version in Auth Req when testing v1
When DPP v2 implementation is hardcoded to behave as v1 for testing
purposes, leave out the Protocol Version attribute form Authentication
Request instead of including it there with indication for v1.
Jouni Malinen [Sat, 2 May 2020 16:43:10 +0000 (19:43 +0300)]
DPP: Move dppCon signing to a set of helper functions
This simplifies dpp_build_conf_obj_dpp() and makes it easier to share
the signing functionality for other purposes like reconfiguration where
the Configurator needs to sign a dppCon object for itself without
generating the encapsulating config object.
Jouni Malinen [Fri, 1 May 2020 20:02:33 +0000 (23:02 +0300)]
tests: Disable power saving explicitly for pmksa_cache_ap_expiration
This test case seems to be failing every now and then due to the AP not
getting out the Deauthentication frame after PMKSA expiration if the STA
is in power save mode.
Jouni Malinen [Fri, 1 May 2020 18:07:42 +0000 (21:07 +0300)]
DPP: Allow version number to be overridden for testing purposes
"SET dpp_version_override <ver>" can now be used to request
wpa_supplicant and hostapd to support a subset of DPP versions. In
practice, the only valid case for now is to fall back from DPP version 2
support to version 1 in builds that include CONFIG_DPP2=y.
Jouni Malinen [Fri, 1 May 2020 17:06:57 +0000 (20:06 +0300)]
DPP2: Detect PFS downgrade attack while processing EAPOL-Key msg 3/4
Do not allow association to continue if the local configuration enables
PFS and the station indicates it supports PFS, but PFS was not
negotiated for the association.
Jouni Malinen [Fri, 1 May 2020 17:02:48 +0000 (20:02 +0300)]
DPP2: Detect PFS downgrade attack while processing EAPOL-Key msg 2/4
Do not allow association to continue if the local configuration enables
PFS and the station indicates it supports PFS, but PFS was not
negotiated for the association.
Jouni Malinen [Fri, 1 May 2020 17:51:49 +0000 (20:51 +0300)]
tests: Disable PFS in dpp_akm_sha*
These test cases are using externally generated PMKSA cache entry which
does not support use of PFS. This will start failing if the station
claims to support PFS in such cases, so explicitly disable PFS
functionality in these test cases for now.
Jouni Malinen [Fri, 1 May 2020 14:30:03 +0000 (17:30 +0300)]
DPP2: Try to negotiate PFS only if AP supports version 2 or newer
Check AP's DPP Protocol Version during network introduction and mark the
PMKSA cache as suitable for PFS use with version 2 or newer. This avoids
unnecessary attempt of negotiating PFS with version 1 APs.
Thomas Pedersen [Fri, 1 May 2020 21:02:10 +0000 (14:02 -0700)]
tests: Skip proxyarp tests properly if ebtables rule install fails
Otherwise the test will continue on and fail later due to unexpected
foreign ARP request. The try/except design here did not work properly to
detect this.
Signed-off-by: Thomas Pedersen <thomas@adapt-ip.com>
projects / thirdparty / hostap.git / log
