Commit graph

4758 commits

Author SHA1 Message Date
Jouni Malinen
447cd5f2df SAE: Collect list of rejected groups for H2E in STA
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-15 15:39:22 +03:00
Jouni Malinen
05a2fb0d11 SAE: Derive H2E PT in STA before connection
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-15 15:39:22 +03:00
Jouni Malinen
146889e3ca RSN: Verify RSNXE match between Beacon/ProbeResp and EAPOL-Key msg 3/4
If the AP advertises RSN Extension element, it has to be advertised
consistently in the unprotected (Beacon and Probe Response) and
protected (EAPOL-Key msg 3/4) frames. Verify that this is the case.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-15 15:39:22 +03:00
Jouni Malinen
293a01f3b3 SAE: Handle BSS membership selector indication for H2E-only in STA mode
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-15 15:39:22 +03:00
Jouni Malinen
85e64e634d SAE: Add sae_pwe configuration parameter for wpa_supplicant
This parameter can be used to specify which PWE derivation mechanism(s)
is enabled. This commit is only introducing the new parameter; actual
use of it will be address in separate commits.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-15 15:39:22 +03:00
Jouni Malinen
86f6084862 SAE: Tell sae_parse_commit() whether H2E is used
This will be needed to help parsing the received SAE commit.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-14 19:38:41 +03:00
Jouni Malinen
d6a7de60c8 wpa_cli: Clean up unnecessarily complex CONFIG_MESH use
There is no need for #ifdef/#else/#endif construction in
network_fields[] to cover "mode" (which is completely independent of
CONFIG_MESH) or two separate conditional blocks for mesh related network
fields, so move these into a single conditionally included block.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-07 17:20:41 +03:00
Alexei Avshalom Lazar
8b426ab1e7 wpa_supplicant: Pass AP mode EDMG config to hostapd struct
Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
2019-10-07 17:20:41 +03:00
Alexei Avshalom Lazar
a82aee1f40 wpa_supplicant: Add support for EDMG channels
As part of a connection request, set EDMG parameters for the driver to
use in the association. The EDMG parameters are based on EDMG IE
received from the AP's Probe Response frames, the driver's EDMG
capability, and the EDMG configuration from the configuration.

As part of starting an AP, set EDMG parameters for the driver to use for
AP operation. The EDMG parameters are based on the driver's EDMG
capability and the EDMG configuration from the configuration.

This implementation is limited to CB2 (channel bonding of 2 channels)
and the bonded channels must be adjacent, i.e., the supported values for
edmg_channel are 9..13.

Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
2019-10-07 17:20:41 +03:00
Alexei Avshalom Lazar
35aed771f9 Indicate EDMG in scan results
Add [EDMG] flag to scan results.

Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
2019-10-07 17:20:41 +03:00
Alexei Avshalom Lazar
bebd91e9c4 Add EDMG parameters to set_freq functions
This updates the frequency parameter setting functions to include
argument for EDMG.

Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
2019-10-07 16:59:23 +03:00
Alexei Avshalom Lazar
e8ff22f471 wpa_supplicant: Add EDMG channel configuration parameters
Add two new configuration parameters for wpa_supplicant:
enable_edmg: Enable EDMG capability for STA/AP mode
edmg_channel: Configure channel bonding. In AP mode it defines the EDMG
channel to start the AP on. In STA mode it defines the EDMG channel to
use for connection.

Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
2019-10-07 16:50:06 +03:00
Ankita Bajaj
c349174035 MBO/OCE: Update disable_mbo_oce flag after association
After roaming to an AP, update disable_mbo_oce flag based on the current
BSS capabilities. This flag is used to check whether STA should support
MBO/OCE features and process BTM request received from the current
connected AP.

When a STA roams from a WPA2 MBO/OCE AP with PMF enabled to a
misbehaving WPA2 MBO/OCE AP without PMF, or if the driver chooses a BSS
in which PMF is not enabled for the initial connection, BTM requests
from such APs should not be processed by STA.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-01 16:45:15 +03:00
Jouni Malinen
52d469de11 DPP2: Support multiple Config Objects in Enrollee
Process all received DPP Configuration Object attributes from
Configuration Result in Enrollee STA case. If wpa_supplicant is
configured to add networks automatically, this results in one network
being added for each included Configuration Object.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-01 14:21:51 +03:00
Jouni Malinen
d0a4ed6a1b Allow SAE to be used in wpa_supplicant AP mode
SAE password configuration for AP mode requires additional steps
compared to PSK cases. Previous implementation allowed SAE to be
configured, but all authentication attempts would fail due to no
password being available. Now both psk and sae_password/sae_password_id
parameters are translated properly to the hostapd configuration
structures to fix this.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-09-21 16:30:35 +03:00
Roy Marples
7846e8d608 NetBSD: Fix compile
On NetBSD the ethernet header is net/if_ether.h

This also pulls in net/if.h which defines if_type, which in turn
conflicts with an enum in wpa_supplicant. As such we need to
include this at the bottom rather than at the top.

Signed-off-by: Roy Marples <roy@marples.name>
2019-09-21 13:38:32 +03:00
Vamsi Krishna
2e06cef80a MBO/OCE: Work around misbehaving MBO/OCE APs that use RSN without PMF
The MBO and OCE specification require the station to mandate use of PMF
when connecting to an MBO/OCE AP that uses WPA2. The earlier
implementation prevented such misbehaving APs from being selected for
connection completely. This looks like the safest approach to take, but
unfortunately, there are deployed APs that are not compliant with the
MBO/OCE requirements and this strict interpretation of the station
requirements results in interoperability issues by preventing the
association completely.

Relax the approach by allowing noncompliant MBO/OCE APs to be selected
for RSN connection without PMF to avoid the main impact of this
interoperability issue. However, disable MBO/OCE functionality when PMF
cannot be negotiated to try to be as compliant as practical with the
MBO/OCE tech spec requirements (i.e., stop being an MBO/OCE STA for the
duration of such workaround association). Also disable support for BTM
in this workaround state since MBO would expect all BTM frames to be
protected.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-09-21 00:58:33 +03:00
Jouni Malinen
8f8c423a51 DPP: Add bandSupport JSON array into config request
Indicate supported global operating classes when wpa_supplicant is
operating as an Enrollee.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-09-19 00:21:47 +03:00
Jouni Malinen
5a5639b068 DPP: Allow name and mudurl to be configured for Config Request
The new hostapd and wpa_supplicant configuration parameters dpp_name and
dpp_mud_url can now be used to set a specific name and MUD URL for the
Enrollee to use in the Configuration Request. dpp_name replaces the
previously hardcoded "Test" string (which is still the default if an
explicit configuration entry is not included). dpp_mud_url can
optionally be used to add a MUD URL to describe the Enrollee device.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-09-19 00:21:47 +03:00
Jouni Malinen
16ef233bf1 DPP2: Connection status result (Enrollee)
Add support for reporting connection status after provisioning if the
Configurator requests this.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-09-16 17:25:34 +03:00
Jouni Malinen
b10e01a795 DPP2: Connection status result (Configurator)
A new argument to the DPP_AUTH_INIT command (conn_status=1) can now be
used to set Configurator to request a station Enrollee to report
connection result after a successfully completed provisioning step. If
the peer supports this, the DPP-CONF-SENT event indicates this with a
new argument (wait_conn_status=1) and the Configurator remains waiting
for the connection result for up to 16 seconds.

Once the Enrollee reports the result, a new DPP-CONN-STATUS-RESULT event
is generated with arguments result, ssid, and channel_list indicating
what the Enrollee reported. result=0 means success while non-zero codes
are for various error cases as specified in the DPP tech spec. If no
report is received from the Enrollee, the event with "timeout" argument
is generated locally.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-09-16 17:13:46 +03:00
Sujay Patwardhan
21dc1627f6 wpa_supplicant: Don't return an error when successfully parsing WMM rules
The config file parser previously would fall through into an error if
CONFIG_AP is defined and it hit a wmm_ac_* rule with a valid value. Add
a return to prevent incorrectly printing an error message and returning
a non-zero exit code.

Signed-off-by: Sujay Patwardhan <sujay@eero.com>
2019-09-13 16:35:16 +03:00
Hu Wang
8214b45ba0 P2P: Use latest BSS entry if multiple P2P Device Addr matches found
If an AP (P2P GO) has changed its operating channel or SSID recently,
the BSS table may have multiple entries for the same BSSID.

Commit 702621e6dd ('WPS: Use latest updated BSS entry if multiple
BSSID matches found') fetches latest updated BSS entry based on
BSSID. Do the same when fetching an entry based on the P2P Device
Address.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-09-13 16:22:05 +03:00
Alexei Avshalom Lazar
dc6c3be4e2 wpa_supplicant: Add support for 60 GHz band channels 5 and 6
The previous support in the 60 GHz band was for channels 1-4.
Add support for channels 5 and 6.

Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
2019-09-13 16:14:17 +03:00
Mikael Kanstrup
8788a314d7 WPS: Update MAC address on address changes
The WPS component keeps a copy of the network interface MAC address.
When MAC address is changed the WPS copy was not updated so WPS M1
message contained the old address. Some devices check this field
and fail connection attempts.

Update the WPS MAC address on interface MAC address changes.

Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sony.com>
2019-09-09 16:49:34 +03:00
Jouni Malinen
a69742c2f8 wpa_cli: Do not pick p2p-dev-* interfaces by default
These are the driver-specific interface for the non-netdev P2P Device
interface and not something that useful for most use cases. Skip them to
allow the main netdev (e.g., wlan0 over p2p-dev-wlan0) to be selected.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-09-09 16:37:46 +03:00
Ankita Bajaj
a8bfc6fff2 FILS: Update connect params after sending connection notification
Update connect params will update auth_alg and fils_hlp_req in
wpa_supplicant structure before calling function
wpas_notify_state_changed(). This could have resulted in triggering
inconsistent state change events and messages in the Android framework.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-09-08 17:50:23 +03:00
Jouni Malinen
1eff2e7bf1 DPP2: Fix wpa_supplicant build dependencies for CONFIG_AP=y build
Fix CONFIG_DPP2=y with CONFIG_AP=y build for cases where the needed
dependencies were not pulled in by other optional build parameters.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-09-08 17:44:07 +03:00
Jouni Malinen
d2bae5763d DPP: Fix wpa_supplicant build dependencies for DPP-only build
Fix CONFIG_DPP=y build for cases where the needed dependencies were not
pulled in by other optional build parameters.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-09-08 17:39:43 +03:00
Jouni Malinen
7d2ed8bae8 Remove CONFIG_IEEE80211W build parameter
Hardcode this to be defined and remove the separate build options for
PMF since this functionality is needed with large number of newer
protocol extensions and is also something that should be enabled in all
WPA2/WPA3 networks.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-09-08 17:33:40 +03:00
Jouni Malinen
6816182461 EAP-TEAP peer: Add support for machine credentials using certificates
This allows EAP-TLS to be used within an EAP-TEAP tunnel when there is
an explicit request for machine credentials. The network profile
parameters are otherwise same as the Phase 1 parameters, but each one
uses a "machine_" prefix for the parameter name.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-09-01 17:19:43 +03:00
Jouni Malinen
ebee8232d3 Do not try to include net/ethernet.h in MinGW/Windows builds
Signed-off-by: Jouni Malinen <j@w1.fi>
2019-09-01 17:19:43 +03:00
Jouni Malinen
bf15b15598 Fix Windows error code definition workaround
ENOTCONN, EOPNOTSUPP, and ECANCELED are defined in a newer version of
MinGW, so make this workaround conditional on what is defined in the
header files.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-09-01 17:19:43 +03:00
Jouni Malinen
043de65f1c EAP peer config: Move ocsp param to phase1/phase2
OCSP configuration is applicable to each instance of TLS-based
authentication and as such, the configuration might need to be different
for Phase 1 and Phase 2. Move ocsp into struct eap_peer_cert_config and
add a separate ocsp2 network profile parameter to set this for Phase 2.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-09-01 17:19:35 +03:00
Jouni Malinen
b99c4cadb7 EAP peer: Move certificate configuration params into shared struct
These parameters for certificate authentication are identical for the
Phase 1 (EAP-TLS alone) and Phase 2 (EAP-TLS inside a TLS tunnel).
Furthermore, yet another copy would be needed to support separate
machine credential in Phase 2. Clean this up by moving the shared
parameters into a separate data struct that can then be used for each
need without having to define separate struct members for each use.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-09-01 17:19:31 +03:00
Sven Eckelmann
6e711e7ab3 mesh: Do not enable HE on 5 GHz without VHT
The commit ad9a1bfe78 ("nl80211: Share VHT channel configuration for
HE") always enforced that VHT is enabled when HE was enabled. This broke
the mesh functionality on 2.4 GHz with HE because ibss_mesh_setup_freq()
isn't setting up the VHT parameters for 2.4 GHz.

This problem was resolved for 2.4 GHz by commit df4f959988 ("nl80211:
Don't force VHT channel definition with HE"), but it is still possible
to disable VHT during the mesh/IBSS freq setup on 5 GHz - which would
result in the same problem as seen on 2.4 GHz.

The code enabling HE for IBSS/mesh must now make sure that it doesn't
enable HE when VHT could be enforced by the nl80211 driver code but
disabled by the user.

Fixes: 3459c54ac7 ("mesh: Add support for HE mode")
Signed-off-by: Sven Eckelmann <seckelmann@datto.com>
2019-08-30 16:02:23 +03:00
Jouni Malinen
c724a0a16c EAP peer: Add a concept of a separate machine credential
This is an initial step in adding support for configuring separate user
and machine credentials. The new wpa_supplicant network profile
parameters machine_identity and machine_password are similar to the
existing identity and password, but explicitly assigned for the purpose
of machine authentication.

This commit alone does not change actual EAP peer method behavior as
separate commits are needed to determine when there is an explicit
request for machine authentication. Furthermore, this is only addressing
the username/password credential type, i.e., additional changes
following this design approach will be needed for certificate
credentials.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-08-20 13:24:14 +03:00
Jouni Malinen
52069c7eff Add TLS-PRF using HMAC with P_SHA384 for TEAP
This version of TLS PRF is needed when using TEAP with TLS ciphersuites
that are defined to use SHA384 instead of SHA256.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-08-16 21:16:37 +03:00
Jouni Malinen
a647a0ad75 Extend server certificate TOD policy reporting to include TOD-TOFU
The previously used single TOD policy was split into two policies:
TOD-STRICT and TOD-TOFU. Report these separately in the
CTRL-EVENT-EAP-PEER-CERT events (tod=1 for TOD-STRICT and tod=2 for
TOD-TOFU).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-08-16 16:40:31 +03:00
Sunil Dutt
346d10cf82 SAE: Conditionally set PMKID while notifying the external auth status
This is needed for the drivers implementing SME to include the PMKID in
the Association Request frame directly following SAE authentication.

This commit extends the commit d2b2083843 ("SAE: Allow PMKID to be
added into Association Request frame following SAE") for drivers with
internal SME that use the external authentication mechanism.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-08-16 15:37:36 +03:00
Sunil Dutt
b7cd64876d SAE: Use BSSID stored in ext_auth_bssid for set_pmk
pending_bssid is cleared in the connected state and thus is not valid if
SAE authentication is done to a new BSSID when in the connected state.
Hence use the BSSID from ext_auth_bssid while configuring the PMK for
the external authentication case. This is required for roaming to a new
BSSID with driver-based-SME while the SAE processing happens with
wpa_supplicant.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-08-16 15:32:55 +03:00
Sunil Dutt
e0b331d896 OWE: Update connect params with new DH attributes to the driver
A new DH public key is sent through this interface to the driver after
every successful connection/roam to a BSS. This helps to do OWE roaming
to a new BSS with drivers that implement SME/MLME operations during
roaming.

This updated DH IEs are added in the subsequent (Re)Association Request
frame sent by the station when roaming. The DH IE from the roamed AP is
given to wpa_supplicant in the roam result event. wpa_supplicant shall
further process these DH IEs to generate the PMK for the 4-way
handshake.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-08-16 15:31:10 +03:00
Jouni Malinen
ae05b6a215 RSN: Do not allow connection to proceed without MFPC=1 if PMF required
PMF capability check is done as part of BSS selection routines, but
those are not used when going through the enforced roaming operation
("ROAM <BSSID>" control interface command). While that mechanism is
mainly for testing purposes, extend it to do the same check for PMF to
prevent cases where forced roaming could end up disabling PMF against
the local profile requirement.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-08-16 13:48:16 +03:00
Ankita Bajaj
0028d627c8 OCE: Mandate PMF for WPA2 association with OCE AP
An OCE AP with WPA2 enabled shall require PMF negotiation when
associating with an OCE STA. An OCE STA-CFON may negotiate PMF with a
STA when it is operating as an AP. Don't select an OCE AP for connection
if PMF is not enabled.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-08-15 19:06:53 +03:00
Purushottam Kushwaha
84ebc759a0 HS 2.0: Match credentials based on required_roaming_consortium
When required_roaming_consortium is set in a credential, station
should match this against Roaming Consortium(s) for a BSS similar
to how it is matching for roaming_consortiums during Interworking
credentials availability check for roaming_consortium.

In the context of Hotspot 2.0 PPS MO, this means addressing matching
part in the same manner for HomeSP/HomeOIList/<X+>/HomeOI regardless of
how HomeSP/HomeOIList/<X+>/HomeOIRequired is set (i.e., the required
part is used as an independent check for the AP advertising the needed
information while the "credential can be used here and this is a home
network" part is shared).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-08-15 16:51:02 +03:00
Jouni Malinen
d2b2083843 SAE: Allow PMKID to be added into Association Request frame following SAE
IEEE Std 802.11-2016 does not require this behavior from a SAE STA, but
it is not disallowed either, so it is useful to have an option to
identify the derived PMKSA in the immediately following Association
Request frames. This is disabled by default (i.e., no change to previous
behavior) and can be enabled with a global wpa_supplicant configuration
parameter sae_pmkid_in_assoc=1.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-08-14 17:49:23 +03:00
Matthew Wang
dd0153fced Check for LEAP before doing FT
According to https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/80211r-ft/b-80211r-dg.html
Cisco does not support EAP-LEAP with Fast Transition. Here,
we check for LEAP before selecting FT 802.1X key management
suite.

Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
2019-08-11 18:04:24 +03:00
Jouni Malinen
b0b25c5bbc Clear external eapSuccess setting in driver-authorized cases
The conditions for the eapol_sm_notify_eap_success(FALSE) calls did not
cover the case where eapol_sm_notify_eap_success(TRUE) had been called
based on offloaded 4-way handshake and driver notification of
authorization in wpa_supplicant_event_port_authorized(). This could
result in eapSuccess and altSuccess state machine variables being left
TRUE when roaming to another BSS and that results in EAP failure if the
following roaming case does not get fully authorized through the driver
offload.

Fix this by clearing eapSuccess/altSuccess when processing a new
association (including roaming) event and also when disconnecting from
the network.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-08-07 19:24:06 +03:00
Jouni Malinen
ca8c2bd28a Preparations for v2.8 release
Update the version number for the build and also add the ChangeLog
entries for both hostapd and wpa_supplicant to describe main changes
between v2.7 and v2.8.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-08-07 16:25:25 +03:00
Sunil Dutt
3263fca289 Set the default scan IEs on interface restart
Previously, these default scan IEs were set only when parameter values
changed and during the interface initialization, which can get lost in
the driver on an interface restart. Hence, also set these IEs on an
interface restart notification even when there has been no change in the
values since the last update to the driver.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-08-07 11:43:12 +03:00