Commit graph

287 commits

Author SHA1 Message Date
Mathy Vanhoef
f9da7505bf OCV: Include and verify OCI in SA Query frames
Include an OCI element in SA Query Request and Response frames if OCV
has been negotiated.

On Linux, a kernel patch is needed to let clients correctly handle SA
Query Requests that contain an OCI element. Without this patch, the
kernel will reply to the SA Query Request itself, without verifying the
included OCI. Additionally, the SA Query Response sent by the kernel
will not include an OCI element. The correct operation of the AP does
not require a kernel patch.

Without the corresponding kernel patch, SA Query Requests sent by the
client are still valid, meaning they do include an OCI element.
Note that an AP does not require any kernel patches. In other words, SA
Query frames sent and received by the AP are properly handled, even
without a kernel patch.

As a result, the kernel patch is only required to make the client properly
process and respond to a SA Query Request from the AP. Without this
patch, the client will send a SA Query Response without an OCI element,
causing the AP to silently ignore the response and eventually disconnect
the client from the network if OCV has been negotiated to be used.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-12-17 15:42:23 +02:00
Mathy Vanhoef
ad20a1367f Store the VHT Operation element of an associated STA
APs and mesh peers use the VHT Operation element to advertise certain
channel properties (e.g., the bandwidth of the channel). Save this
information element so we can later access this information.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-12-16 18:35:30 +02:00
Jouni Malinen
f3784a6b94 HS 2.0: Reject Hotspot 2.0 Rel 2 or newer association without PMF
Hotspot 2.0 Rel 2 requires PMF to be enabled.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-08 14:06:58 +02:00
Jouni Malinen
17adac9ef9 FILS: Do not process FILS HLP request again while previous one is pending
It is better not to process a new (most likely repeated) FILS HLP
request if a station retransmits (Re)Association Request frame before
the previous HLP response has either been received or timed out. The
previous implementation ended up doing this and also ended up
rescheduling the fils_hlp_timeout timer in a manner that prevented the
initial timeout from being reached if the STA continued retransmitting
the frame. This could result in failed association due to a timeout on
the station side.

Make this more robust by processing (and relaying to the server) the HLP
request once and then ignoring any new HLP request while the response
for the relayed request is still pending. The new (Re)Association
Request frames are otherwise processed, but they do not result in actual
state change on the AP side before the HLP process from the first
pending request is completed.

This fixes hwsim test case fils_sk_hlp_oom failures with unmodified
mac80211 implementation (i.e., with a relatively short retransmission
timeout for (Re)Association Request frame).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-07 16:03:40 +02:00
Jouni Malinen
8fc6d88465 OWE: Fix association rejection behavior
If association failed for any non-OWE specific reason, the previous
implementation tried to add the OWE related IEs into the (Re)Association
Response frame. This is not needed and could actually result in
dereferencing a NULL pointer. Fix this by adding those OWE related IEs
only for successful association and only if the RSN state machine has
been initialized.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-02 20:21:21 +02:00
Jouni Malinen
e0785ebbbd Use more consistent Action frame RX handling in both AP mode paths
Both handle_action() and hostapd_action_rx() are used for processing
received Action frames depending on what type of driver architecture is
used (MLME in hostapd vs. driver) and which build options were used to
build hostapd. These functions had a bit different sequence for checking
the frame and printing debug prints. Make those more consistent by
checking that the frame includes the category-specific action field and
some payload. Add a debug print for both functions to make it easier to
see which path various Action frames use.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-01 20:30:09 +02:00
Ashok Kumar
edb28006c4 PMF: Do not start SA Query procedure if there is no association
Previous implementation ended up triggering PMF check for previous
association and SA Query procedure incorrectly in cases where there is a
STA entry in hostapd, but that STA is not in associated state. This
resulted in undesired temporary rejection of the association with status
code 30.

This ended up breaking OWE group negotiation when PMF is in use since
the check for the OWE group would have happened only after this earlier
PMF check and rejection (i.e., the station got status code 30 instead of
the expected 77).

For example, when the AP is configured with OWE group 21 and a station
tries groups 19, 20, and 21 (in this sequence), the first two
Association Request frames should be rejected with status code 77.
However, only the first one got that status code while the second one
got status code 30 due to that issue with PMF existing association
check.

Furthermore, hostapd was continuing with SA Query procedure with
unencrypted Action frames in this type of case even though there was no
existing association (and obviously, not an encryption key either).

Fix this by checking that the STA entry is in associated state before
initiating SA Query procedure based on the PMF rules.

Signed-off-by: Ashok Kumar <aponnaia@codeaurora.org>
2018-10-16 00:33:20 +03:00
Jouni Malinen
dc1b1c8db7 Drop logging priority for handle_auth_cb no-STA-match messages
This message was printed and MSG_INFO level which would be more
reasonable for error cases where hostapd has accepted authentication.
However, this is not really an error case for the cases where
authentication was rejected (e.g., due to MAC ACL). Drop this to use
MSG_DEBUG level.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-10-14 20:03:55 +03:00
Jouni Malinen
6588f71222 Reduce undesired logging of ACL rejection events from AP mode
When Probe Request frame handling was extended to use MAC ACL through
ieee802_11_allowed_address(), the MSG_INFO level log print ("Station
<addr> not allowed to authenticate") from that function ended up getting
printed even for Probe Request frames. That was not by design and it can
result in excessive logging and MSG_INFO level if MAC ACL is used.

Fix this by printing this log entry only for authentication and
association frames. In addition, drop the priority of that log entry to
MSG_DEBUG since this is not really an unexpected behavior in most MAC
ACL use cases.

Fixes: 92eb00aec2 ("Extend ACL check for Probe Request frames")
Signed-off-by: Jouni Malinen <j@w1.fi>
2018-10-14 19:57:22 +03:00
Andreas Tobler
b5ebe5dd5b hostapd: Send an event before throwing a station on re-authentication
If you modify the WLAN-STA-AUTHORIZED bit in sta->flags, you have to
call the ap_sta_set_authorized() function to make sure the corresponding
event is sent over the control interface. Otherwise we leak entries in
the event history.

Signed-off-by: Andreas Tobler <andreas.tobler@cloudguard.ch>
2018-09-02 12:48:32 +03:00
Jouni Malinen
3a8dd390c9 SAE: Allow authentication restart on AP
In the infrastructure BSS case, the AP needs to clear pending SAE state
if a new Commit message is received when already in Committed state.
This allows the non-AP STA to negotiate a new group if it ends up trying
to go through SAE authentication again before the AP side has removed
the previous STA entry.

This fixes an issue where a kernel update changed something in SAE
timing or authentication sequence and started failing the
sae_bignum_failure hwsim test case.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-06-20 13:04:31 +03:00
Jouni Malinen
e8d08cf378 SAE: Do not drop STA entry on reauthentication in infrastructure BSS
A new SAE Commit message should not be allowed to drop an existing STA
entry since the sender of that Commit message cannot be authenticated
before receiving the Confirm message. This is important in particular
when PMF is used since this would provide a potential new path for
forcing a connection to be dropped.

Fix this by allowing a new SAE Authentication instance to be started
when the old instance is in Accepted state and the new Commit message
does not use the same peer-scalar value (checked in
sae_parse_commit_scalar()). When PMF is used, the AP will use SA Query
procedure when receiving the (Re)Association Request frame. In theory,
that step could be skipped in case of SAE Authentication since the
non-AP STA is demonstrating knowledge of the password. Anyway, there is
no allowance for that exception in the IEEE 802.11 standard, so at least
for now, leave this using SA Query procedure just like any other PMF
case.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-06-06 01:22:01 +03:00
Jouni Malinen
2cf36d6085 FT: Handle AssocResp generation failures as fatal errors
Instead of sending out a partially completed frame, abort the
association process if something unexpected happens and remove the STA
entry.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-05 21:50:36 +03:00
Jouni Malinen
a7968ea568 FT: FTE generation for SHA384-based AKM on AP
The MIC field is now a variable length field, so make FTE generation in
hostapd aware of the two different field lengths.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-05 20:16:37 +03:00
Jouni Malinen
9be19d0b9c SAE: Add support for using the optional Password Identifier
This extends the SAE implementation in both infrastructure and mesh BSS
cases to allow an optional Password Identifier to be used. This uses the
mechanism added in P802.11REVmd/D1.0. The Password Identifier is
configured in a wpa_supplicant network profile as a new string parameter
sae_password_id. In hostapd configuration, the existing sae_password
parameter has been extended to allow the password identifier (and also a
peer MAC address) to be set. In addition, multiple sae_password entries
can now be provided to hostapd to allow multiple per-peer and
per-identifier passwords to be set.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-05-19 17:30:29 +03:00
Jouni Malinen
67cca34645 HS 2.0: Copy Roaming Consortium OI from (Re)AssocReq to Access-Request
This extends hostapd processing of (Re)Association Request frames to
store a local copy of the Consortium OI within the Roaming Consortium
Selection element, if present, and then add that in HS 2.0 Roaming
Consortium attribute into RADIUS Access-Request messages.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-04-17 16:40:47 +03:00
Michael Braun
13f118dc59 Convert STA session_timeout to os_reltime
This is needed to allow the remaining session time to be computed for FT
(when sending PMK-R1 to another AP).

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2018-04-06 19:48:11 +03:00
Michael Braun
17a8a9893f Fix potential memory leak with identity/radius_cui
ieee802_11_set_radius_info() might be called with a STA entry that has
already stored identity and/or radius_cui information, so make sure the
old values get freed before being replaced by the new ones.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2018-04-06 19:01:16 +03:00
Ben Greear
c6b5b9a33b hostapd: Add more authentication error case debugging
This can help one understand better why stations are failing
to authenticate.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2018-04-02 16:53:10 +03:00
Ben Greear
e2fc13d0ab hostapd: Add logging around Michael MIC related failures
This can help one understand better why stations are failing
to authentication/associate.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2018-04-02 16:51:29 +03:00
Ben Greear
e7525a2954 hostapd: Add send_auth_reply() caller info in debug logging
This can help one understand better what happens during the
authentication exchange.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2018-04-02 16:47:26 +03:00
Jouni Malinen
9d94e4bb6b SAE: Fix PMKID in EAPOL-Key msg 1/4
Previously, the association that used SAE authentication ended up
recalculating the PMKID for EAPOL-Key msg 1/4 using incorrect
PMK-to-PMKID derivation instead of using the previously derived PMKID
from SAE. The correct PMKID was used only when going through PMKSA
caching exchange with a previously derived PMKSA from SAE.

Fix this by storing the SAE PMKID into the state machine entry for the
initial SAE authentication case when there is no explicit PMKSA entry
attached to the station.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-03-23 18:44:48 +02:00
Jouni Malinen
8aa599d45a Add more debug prints for 20/40 BSS Coexistence Management frame Rx
This makes it easier to understand what kind of information a STA is
reporting about 20/40 MHz coexistence requirements.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-03-21 16:32:35 +02:00
Ashok Ponnaiah
f5701cc66e OWE: Clean up pointer check in a testing code path
Check wpa_auth_write_assoc_resp_owe() return value to keep static
analyzers happier. The code path where this could happen is not really
reachable due to the separate hapd->conf->own_ie_override check and
wpa_auth_write_assoc_resp_owe() returning NULL only in an error case in
the override path. Furthermore, clean up the pointer return value to use
a proper pointer (NULL vs. 0).

Signed-off-by: Ashok Ponnaiah <aponnaia@codeaurora.org>
2018-03-19 19:08:34 +02:00
Tamizh chelvam
92eb00aec2 Extend ACL check for Probe Request frames
Extend ACL check to deny Probe Request frames for the client which does
not pass ACL check. Skip this check for the case where RADIUS ACL is
used to avoid excessive load on the RADIUS authentication server due to
Probe Request frames. This patch add wpa_msg event for auth and assoc
rejection due to acl reject.

Signed-off-by: Tamizh chelvam <tamizhr@codeaurora.org>
2018-03-03 00:42:16 +02:00
Ashok Ponnaiah
a22e235fd0 OWE: Add testing RSNE for OWE assoc response with driver SME/MLME
Allow RSNE to be overwritten for testing purposes also in the
driver-based SME/MLME case.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-02-12 21:31:04 +02:00
Jouni Malinen
659ac96d7f ieee802_11_mgmt: Handle frame info more consistently
Check for the fi parameter to be non-NULL before trying to fetch the
ssi_signal information similarly to how the fi->freq was already
handled. While the meta information is supposed to be available, it
looks like there is at least one corner case where fi == NULL could be
used (Authentication frame reprocessing after RADIUS-based ACL).

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-02-07 12:34:41 +02:00
Ashok Ponnaiah
79ce2d519b OWE: Rename function to match use (driver-SME/MLME)
This function is used to process a (Re)Association Request frame, so
rename it appropriately to mention assoc_req instead of auth_req.

Signed-off-by: Ashok Ponnaiah <aponnaia@codeaurora.org>
2018-02-06 20:27:41 +02:00
Ashok Ponnaiah
759da93a89 OWE: Check for ECDH availability before use (driver-SME/MLME)
Verify that the STA has ECDH data available before trying to use this
data to add the OWE DH Params element.

Signed-off-by: Ashok Ponnaiah <aponnaia@codeaurora.org>
2018-02-06 20:25:41 +02:00
Ashok Ponnaiah
af65ef28f4 OWE: Add RSNE when not using PMKSA caching (driver-SME/MLME)
RSNE needs to be added both with and without use of PMKSA caching.

Signed-off-by: Ashok Ponnaiah <aponnaia@codeaurora.org>
2018-02-06 20:22:53 +02:00
Ashok Ponnaiah
5850cba384 OWE: Support DH groups 20 and 21 with driver-SME/MLME
This was already the case with the hostapd-based SME/MLME
implementation, but the OWE DH Param element construction for the
driver-based SME/MLME needed a matching change to set the group
properly.

Signed-off-by: Ashok Ponnaiah <aponnaia@codeaurora.org>
2018-02-06 20:20:22 +02:00
Ashok Ponnaiah
cd483be252 OWE: Use PMKSA caching if available with driver AP MLME
If a matching PMKSA cache entry is present for an OWE client, use it and
do not go through DH while processing Association Rquest frame.
Association Response frame will identify the PMKID in such a case and DH
parameters won't be present.

Signed-off-by: Ashok Ponnaiah <aponnaia@codeaurora.org>
2018-02-01 23:58:46 +02:00
Jouni Malinen
feba5848be Replace RSNE group key management mismatch status/reason codes
Use "cipher out of policy" value instead of invalid group cipher (which
is for the group data frame cipher) and management frame policy
violation (which is used for MFPC/MFPR mismatch).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-01-12 01:12:00 +02:00
Jouni Malinen
c5cc7a59ac Report offchannel RX frame frequency to hostapd
Not all code paths for management frame RX reporting delivered the
correct frequency for offchannel RX cases. This is needed mainly for
Public Action frame processing in some special cases where AP is
operating, but an exchange is done on a non-operational channel. For
example, DPP Initiator role may need to do this.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-01-08 03:37:48 +02:00
Jouni Malinen
c4fc7e31c7 SAE: Set special Sc value when moving to Accepted state
Set Sc to 2^16-1 when moving to Accepted state per IEEE Std 802.11-2016,
12.4.8.6.5 (Protocol instance behavior - Confirmed state). This allows
the peer in Accepted state to silently ignore unnecessary
retransmissions of the Confirm message.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-12-27 12:19:08 +02:00
Jouni Malinen
abcbd0604c SAE: Add Rc variable and peer send-confirm validation
This implements the behavior described in IEEE Std 802.11-2016,
12.4.8.6.6 (Protocol instance behavior - Accepted state) to silently
discard received Confirm message in the Accepted state if the new
message does not use an incremented send-confirm value or if the special
2^16-1 value is used. This avoids unnecessary processing of
retransmitted Confirm messages.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-12-27 12:19:08 +02:00
Jouni Malinen
9249afc8e1 SAE: Print state changes in debug log
This makes it easier to follow state changes in SAE protocol instances.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-12-27 00:07:42 +02:00
Jouni Malinen
d8b841eba8 SAE: Make dot11RSNASAESync configurable
The new hostapd.conf parameter sae_sync (default: 5) can now be used to
configure the dot11RSNASAESync value to specify the maximum number of
synchronization errors that are allowed to happen prior to
disassociation of the offending SAE peer.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-12-26 12:46:22 +02:00
Jouni Malinen
1489fcf87d FILS: Do not leave error value in left counter
If fils_decrypt_assoc() were to fail on the AP side, the previous
implementation could have continued through the response generation
using left = -1. That could have resulted in unexpected processing if
this value were to be used as the length of the remaining (unencrypted)
IEs. Fix this by not updating left in the failure case.

Fixes: 78815f3dde ("FILS: Decrypt Association Request elements and check Key-Auth (AP)")
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-24 12:26:38 +02:00
Jouni Malinen
fe12ae777f Fix Status Code in TKIP countermeasures case
The previously used WLAN_REASON_MICHAEL_MIC_FAILURE (14) value as a
response to Authentication frame or (Re)Association Request frame is not
correct since the resp value is encoded in the Status Code (not Reason
Code) field. Status Code 14 is WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION
which is really what this value would have meant in the response frames.

There is no Michael MIC failure status code, so have to use the generic
"Unspecified failure" (1) reason code for these cases.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-03 19:59:46 +02:00
bhagavathi perumal s
65f9db6bc2 hostapd: Add extended capabilities into STA command
Signed-off-by: bhagavathi perumal s <bperumal@qti.qualcomm.com>
2017-10-31 00:31:31 +02:00
bhagavathi perumal s
ba72b4b126 hostapd: Add Min/Max Transmit Power Capability into STA command
This provides access to the Minimum/Maximum Transmit Power Capabilitie
fileds (the nominal minimum/maximum transmit power with which the STA
is capable of transmitting in the current channel; signed integer in
units of decibels relative to 1 mW).

Signed-off-by: bhagavathi perumal s <bperumal@qti.qualcomm.com>
2017-10-31 00:22:58 +02:00
Ashok Kumar Ponnaiah
33c8bbd8ca OWE: Add AP mode handling of OWE with drivers that implement SME
Handle OWE DH exchange and key setup when processing the association
event from a driver that implements AP SME.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-30 23:24:42 +02:00
Ashok Kumar Ponnaiah
28d1264131 Check hostapd current_mode before dereferencing it in additional places
While most places using this should be for cases where the hw_features
functionality is required, there seem to be some paths that are getting
exposed in new OWE related operations where that might not be the case.
Add explicit NULL pointer checks to avoid dereferencing the pointer if
it is not set when operating with driver wrappers that do not provide
sufficient information.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-30 23:20:25 +02:00
Jouni Malinen
dc4d271c6d DPP: Update AES-SIV AD for DPP Authentication frames
The protocol design was updated to protect the six octets in the header
before the attributes.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-18 22:51:30 +03:00
Jouni Malinen
2f1357fb62 FILS: Accept another (Re)Association Request frame during an association
The previous implementation ended up starting a new EAPOL-Key 4-way
handshake if the STA were to attempt to perform another association.
This resulted in immediate disconnection since the PTK was not ready for
configuring FILS TK at the point when EAPOL-Key msg 1/4 is sent out.
This is better than alloing the association to continue with the same TK
reconfigured, but not really ideal.

Address this potential sequence by not starting a new 4-way handshake on
the additional association attempt. Instead, allow the association to
complete, but do so without reconfiguring the TK to avoid potential
issues with PN reuse with the same TK.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-16 02:03:47 +03:00
Jouni Malinen
df94906201 Add MGMT_TX_STATUS_PROCESS command for testing purposes
This allows ext_mgmt_frame_handling=1 cases with hostapd to process TX
status events based on external processing. This is useful for increased
test coverage of management frame processing.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-16 02:03:47 +03:00
Mathy Vanhoef
0e3bd7ac68 hostapd: Avoid key reinstallation in FT handshake
Do not reinstall TK to the driver during Reassociation Response frame
processing if the first attempt of setting the TK succeeded. This avoids
issues related to clearing the TX/RX PN that could result in reusing
same PN values for transmitted frames (e.g., due to CCM nonce reuse and
also hitting replay protection on the receiver) and accepting replayed
frames on RX side.

This issue was introduced by the commit
0e84c25434 ('FT: Fix PTK configuration in
authenticator') which allowed wpa_ft_install_ptk() to be called multiple
times with the same PTK. While the second configuration attempt is
needed with some drivers, it must be done only if the first attempt
failed.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2017-10-16 02:03:47 +03:00
Jouni Malinen
2377c1caef SAE: Allow SAE password to be configured separately (AP)
The new sae_password hostapd configuration parameter can now be used to
set the SAE password instead of the previously used wpa_passphrase
parameter. This allows shorter than 8 characters and longer than 63
characters long passwords to be used. In addition, this makes it
possible to configure a BSS with both WPA-PSK and SAE enabled to use
different passphrase/password based on which AKM is selected.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-11 23:10:19 +03:00
Jouni Malinen
91cc34bf32 OWE: Allow set of enabled DH groups to be limited on AP
The new hostapd configuration parameter owe_groups can be used to
specify a subset of the allowed DH groups as a space separated list of
group identifiers.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-10 21:03:57 +03:00