Commit graph

13358 commits

Author SHA1 Message Date
Jouni Malinen
2598e69303 FILS: Enable SHA256 KDF even without PMF/SAE in the build
While it is unlikely that FILS would be used without PMF or SAE in the
build, it is possible to generate such a build and as such, it would be
good for the KDF selection to work properly. Add CONFIG_FILS as an
independent condition for the SHA256-based KDF. Previously, this
combination would have resulted in failure to derive keys and terminated
key management exchange.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-04-24 00:35:47 +03:00
Jouni Malinen
1baa130bd0 nl80211: Print NL80211_CMD_SET_POWER_SAVE errors in debug log
This makes it easier to understand what happened with PS configuration.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-04-24 00:35:47 +03:00
Jouni Malinen
24b5b786e6 tests: WPA2-PSK/GCMP/CCMP ciphers
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-04-24 00:35:47 +03:00
Jouni Malinen
72b6e5d1e2 Do not remove CCMP group cipher if any CCMP/GCMP cipher is enabled
CCMP group cipher was removed if CCMP was not allowed as a pairwise
cipher when loading a configuration file (but not actually when changing
configuration during runtime). This is needed to avoid issues with
configurations that use the default group cipher (TKIP CCMP) while
modifying pairwise cipher from the default CCMP TKIP) to TKIP. However,
there is not really a need to remove the CCMP group cipher if any GCMP
or CCMP cipher is enabled as a pairwise cipher.

Change the network profile validation routine to not remove CCMP as
group cipher if CCMP-256, GCMP, or GCMP-256 is enabled as a pairwise
cipher even if CCMP is not.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-04-24 00:35:43 +03:00
Andrei Otcheretianski
440e9f0bbe tests: Async. AP setup failure with wpa_supplicant
Verify that the AP initialization failure is reported back to
wpa_supplicant also when the initialization is complete in a callback.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2018-04-20 00:50:25 +03:00
Tova Mussai
c4315e6620 AP: Handle AP initalization failure in async flow
When AP initialization is completed in a callback (e.g., OBSS scan),
wpa_supplicant_deinit_ap() is not called in case of failure. Fix this by
calling setup_complete_cb in case of failure, too, which in turn calls
wpa_supplicant_deinit_ap() if needed.

Signed-off-by: Tova Mussai <tova.mussai@intel.com>
2018-04-20 00:48:49 +03:00
Ahmad Masri
86c998d37a FT: Add FT auth algorithm to connect params when roaming
Add WPA FT auth to connect params in case of a re-connection to ESS
supporting FT when FT was used in the first connect.

Signed-off-by: Ahmad Masri <amasri@codeaurora.org>
2018-04-20 00:35:41 +03:00
Ahmad Masri
3dc3afe298 FT: Add MDE to assoc request IEs in connect params
Add MDE (mobility domain element) to Association Request frame IEs in
the driver assoc params. wpa_supplicant will add MDE only if the network
profile allows FT, the selected AP supports FT, and the mobility domain
ID matches.

Signed-off-by: Ahmad Masri <amasri@codeaurora.org>
2018-04-20 00:32:49 +03:00
Bhagavathi Perumal S
b55c623e4c Make CENTER_FRQ1 available independently in SIGNAL_POLL
This allows user to get center frequency and find secondary channel
offset.

Signed-off-by: Bhagavathi Perumal S <bperumal@codeaurora.org>
2018-04-20 00:10:45 +03:00
Jouni Malinen
4204669c69 HS 2.0: Add Roaming Consortium Selection element into AssocReq
This makes wpa_supplicant add Hotspot 2.0 Roaming Consortium Selection
element into (Re)Association Request frames if the network profile
includes roaming_consortium_selection parameter.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-04-18 01:12:25 +03:00
Jouni Malinen
ad5704631a tests: roaming_consortium_selection
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-04-18 01:12:23 +03:00
Jouni Malinen
6311547e7b HS 2.0: Add Roaming Consortium Selection network profile parameter
This adds new roaming_consortium_selection network profile parameter
into wpa_supplicant. This is used to store the OI that was used for
network selection (INTERWORKING_SELECT) based on matching against the
Roaming Consortium OIs advertised by the AP. This can also be used when
using an external component to perform selection.

This commit adds the network profile parameter, but does not yet include
it in (Re)Association Request frames.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-04-17 17:26:56 +03:00
Jouni Malinen
ce952ebda0 tests: Hotspot 2.0 connection based on roaming_consortiums match
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-04-17 17:26:56 +03:00
Jouni Malinen
5b7695275c HS 2.0: Use roaming_consortiums list to match OIs for access
This extends Hotspot 2.0 credential matching to consider the
roaming_consortiums parameter when determining whether the cred block
matches the information advertised by an AP.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-04-17 17:26:53 +03:00
Jouni Malinen
2e88032f1b HS 2.0: OSU client to send HomeSP/RoamingConsortiumOI to wpa_supplicant
This adds mapping of the PPS MO HomeSP/RoamingConsortiumOI leaf node
value into the wpa_supplicant cred block parameter roaming_consortiums.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-04-17 16:40:47 +03:00
Jouni Malinen
53fa04e197 tests: wpa_supplicant cred roaming_consortiums parsing/writing
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-04-17 16:40:47 +03:00
Jouni Malinen
909a948b0f HS 2.0: Add a new cred block parameter roaming_consortiums
This new string parameter contains a comma delimited list of OIs
(hexdump) in a string. This is used to store Hotspot 2.0
PerProviderSubscription/<X+>/HomeSP/RoamingConsortiumOI. This commit
includes the configuration changes to parse and write the parameter. The
actual values are not yet used in Interworking network selection.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-04-17 16:40:47 +03:00
Jouni Malinen
9b6f93e4d6 HS 2.0: Document credential parameter required_roaming_consortium
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-04-17 16:40:47 +03:00
Jouni Malinen
67cca34645 HS 2.0: Copy Roaming Consortium OI from (Re)AssocReq to Access-Request
This extends hostapd processing of (Re)Association Request frames to
store a local copy of the Consortium OI within the Roaming Consortium
Selection element, if present, and then add that in HS 2.0 Roaming
Consortium attribute into RADIUS Access-Request messages.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-04-17 16:40:47 +03:00
Jouni Malinen
be5acc3884 tests: Hotspot 2.0 operator icons
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-04-17 16:40:47 +03:00
Jouni Malinen
0e450db285 HS 2.0: Allow configuration of operator icons
This extends hostapd Hotspot 2.0 implementation to allow operator icons
to be made available. The existing hs20_icon parameter is used to define
the icons and the new operator_icon parameter (zero or more entries) is
used to specify which of the available icons are operator icons. The
operator icons are advertised in the Operator Icon Metadata ANQP-element
while the icon data can be fetched using the same mechanism (icon
request/binary file) that was added for the OSU Providers icons.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-04-17 16:40:47 +03:00
Jouni Malinen
6a8a04d742 HS 2.0: Add fetching of Operator Icon Metadata ANQP-element
This extends wpa_supplicant Hotspot 2.0 ANQP routines to allow the
Operator Icon Metadata ANQP-element to be fetched with "ANQP_GET <bssid>
hs20:12". The result is available in the new hs20_operator_icon_metadata
entry in the "BSS <bssid>" output.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-04-17 16:40:42 +03:00
Dmitry Lebed
37547ad63c wpa_supplicant: Increase authentication timeout if CAC is started
Timeout is increased by dfs_cac_ms from channel data, or by max CAC time
(10 minutes) if dfs_cac_ms is not defined. This is needed for some more
complex cases, e.g., when STA is acting as an active slave with DFS
offload enabled and decided to start CAC after receiving CONNECT
command, in such a case the 10 second timeout is too small and
wpa_supplicant need to wait for CAC completion or CAC timeout (up to 10
minutes).

Without such timeout modification wpa_supplicant will be unable to
connect to an AP on DFS channel, since the default authentication
timeout (10 s) is smaller than the minimum CAC time (60 s).

Tested with nl80211 DFS offload implementation.

Signed-off-by: Dmitry Lebed <dlebed@quantenna.com>
2018-04-15 22:20:49 +03:00
Dmitry Lebed
2dd5fbbff8 wpa_supplicant: Rename wpas_event_*() to wpas_ap_event_*()
Rename DFS event handling functions, since they are located in ap.c and
refer to AP-mode only. Needed to add some STA-mode DFS event handling.

Signed-off-by: Dmitry Lebed <dlebed@quantenna.com>
2018-04-15 22:07:09 +03:00
Ben Greear
f875da0448 nl80211: Add MLME auth work-around for -EEXIST errno
The Linux 4.9 kernel, at least, can return EEXIST when trying to auth a
station that already exists.

We have seen this bug in multiple places, but it is difficult to
reproduce. Here is a link to someone else that appears to have hit this
issue: https://github.com/greearb/ath10k-ct/issues/18

Signed-off-by: Ben Greear <greearb@candelatech.com>
2018-04-15 21:58:53 +03:00
Andrey Utkin
4449efeb1d Fix building nt_password_hash with gnutls
Even with

    CONFIG_TLS=gnutls
    CONFIG_CRYPTO=gnutls

in .config, nt_password_hash was linked with libcrypto instead of
libgcrypt, which caused linkage failure.

Signed-off-by: Andrey Utkin <andrey_utkin@gentoo.org>
2018-04-15 21:55:06 +03:00
Jouni Malinen
5ecdf06c8c DPP: Fix build with LibreSSL v2.5
The ECDSA_SIG_{set,get}0() wrappers are needed with LibreSSL v2.5 (but
not v2.7.2).

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-04-15 00:01:35 +03:00
Jouni Malinen
4b603f01de DPP: Fix X509_ALGOR_get0() use with LibreSSL
At least LibreSSL v2.7.2 indicates support for OpenSSL API 1.1.0, but it
does not apparently use const ASN1_OBJECT * with X509_ALGOR_get0(). Use
the older non-const version here with LibreSSL to fix compilation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-04-15 00:01:35 +03:00
Jouni Malinen
dee566d98e OpenSSL: Skip SSL_OP_NO_TLSv1_3 if not defined to fix LibreSSL build
LibreSSL v2.7 claims an OPENSSL_VERSION_NUMBER value that would indicate
that SSL_OP_NO_TLSv1_3 is available, but that does not seem to be the
case with LibreSSL. As such, skip this step based on whether
SSL_OP_NO_TLSv1_3 is defined to avoid build issues.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-04-15 00:01:35 +03:00
Bernard Spil
ba3658cfff Fix build with LibreSSL 2.7
LibreSSL 2.7 adds (most of) the OpenSSL 1.1 API.

Signed-off-by: Bernard Spil <brnrd@FreeBSD.org>
2018-04-15 00:01:33 +03:00
Jouni Malinen
a2ab37308a Fix sae_password documentation in wpa_supplicant to refer correct field
sae_password replaces psk, not passphrase, parameter in wpa_supplicant.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-04-13 12:09:33 +03:00
Jouni Malinen
f75ed521a5 tests: wpa_supplicant secure mesh using sae_password
Signed-off-by: Jouni Malinen <j@w1.fi>
2018-04-13 12:09:33 +03:00
Daniel Golle
d5906fbb72 mesh: Properly handle sae_password
The recently introduced sae_password parameter was only handled properly
in wpa_supplicant/sme.c while wpa_supplicant/mesh.c assumed that
ssid->passphrase exclusively holds the secret.

Import the logic from sme.c to mesh.c to allow having only sae_password
set which otherwise throws this error:
AP-ENABLED
mesh: Passphrase for SAE not configured

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-04-13 12:09:33 +03:00
Daniel Golle
d6d7debb5d Fix wpa_supplicant build with CONFIG_NO_WPA
pmksa_cache stubs have not been updated when function prototypes have
been modified in commit 852b2f2738 (SAE: Only allow SAE AKMP for PMKSA
caching attempts). Add new function parameter int akmp to stubs of
pmksa_cache_get() and pmksa_cache_set_current() as well to fix build.

Fixes: 852b2f2738 ("SAE: Only allow SAE AKMP for PMKSA caching attempts")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-04-13 11:43:57 +03:00
Jouni Malinen
e5b0b58bfa tests: DPP and SAE AKMs
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-04-12 21:14:33 +03:00
Jouni Malinen
3dfccf7c09 tests: sigma_dut DPP/QR initiator as Enrollee (SAE)
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-04-10 21:41:58 +03:00
Jouni Malinen
fa617ee6a0 tests: SAE and PSK enabled in wpa_supplicant network profile
Signed-off-by: Jouni Malinen <j@w1.fi>
2018-04-09 19:34:44 +03:00
Jouni Malinen
852b2f2738 SAE: Only allow SAE AKMP for PMKSA caching attempts
Explicitly check the PMKSA cache entry to have matching SAE AKMP for the
case where determining whether to use PMKSA caching instead of new SAE
authentication. Previously, only the network context was checked, but a
single network configuration profile could be used with both WPA2-PSK
and SAE, so should check the AKMP as well.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-04-09 19:34:44 +03:00
Jouni Malinen
06b1a10434 SAE: Fix default PMK configuration for PMKSA caching case
The RSN supplicant state machine PMK was set based on WPA PSK even for
the cases where SAE would be used. If the AP allows PMKSA caching to be
used with SAE, but does not indicate the selected PMKID explicitly in
EAPOL-Key msg 1/4, this could result in trying to use the PSK instead of
SAE PMK. Fix this by not setting the WPA-PSK as default PMK for SAE
network profiles and instead, configuring the PMK explicitly from the
found PMKSA cache entry.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-04-09 13:10:08 +03:00
Jouni Malinen
8e402d1657 WPA: Fix a typo in a debug message
"PT derivation" was supposed to be saying "PTK derivation".

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-04-08 19:44:53 +03:00
Jouni Malinen
1bd131105b Clear pmk_len more consistently for extra protection
This gives more protection against unexpected behavior if RSN supplicant
code ends up trying to use sm->pmk[] with a stale value. Couple of the
code paths did not clear sm->pmk_len explicitly in cases where the old
PMK is being removed, so cover those cases as well to make sure these
will result in PMK-to-PTK derivation failures rather than use of
incorrect PMK value if such a code path could be reached somehow.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-04-08 19:44:05 +03:00
Jouni Malinen
66dbc8d9c3 Add more debug prints for wpa_sm_set_pmk() calls
Couple of these were not preceded by wpa_hexdump_key(PSK) which made it
more difficult to interpret the debug log.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-04-08 19:11:07 +03:00
Kiran Kumar Lokere
26e0ada47f Define new test config attribute for HE LTF configuration
Add a new wifi test config attribute to configure HE LTF in the
driver. This is used for testbed configuration.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-04-06 23:41:06 +03:00
Jouni Malinen
9a0c472feb tests: Extend hostapd reload config test to cover wmm_enabled behavior
This is a regression test for default behavior for wmm_enabled on the
config reload path.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-04-06 23:32:31 +03:00
Jouni Malinen
4d6eb9f2e2 Fix hostapd wmm_enabled setup on config reload path
If there is no explicit wmm_enabled parameter in the configuration
(i.e., conf->wmm_enabled == -1), the configuration reload path needs to
initialize conf->wmm_enabled based on iconf->ieee80211n in
hostapd_reload_bss() similarly to what is done in the initial startup
case in hostapd_setup_bss().

This fixes issues with RSN capabilities being set incorrectly when WMM
is supposed to get enabled and unexpectedly enabling WMM when it is not
supposed to be enabled (HT disabled). Either of these issues could show
up when asking hostapd to reload the configuration file (and when that
file does not set wmm_enabled explicitly).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-04-06 23:29:11 +03:00
Michael Braun
a6509e850e FT: Add session_timeout to push/resp
This ensures a session timeout configured on R0KH either using
RADIUS-based ACL or 802.1X authentication is copied over to the new
R1KH.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2018-04-06 19:57:53 +03:00
Michael Braun
3cb286ca49 FT: Add set/get session_timeout callback functions
These are needed to allow wpa_auth_ft.c to control session_timeout
values for STAs.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2018-04-06 19:48:15 +03:00
Michael Braun
13f118dc59 Convert STA session_timeout to os_reltime
This is needed to allow the remaining session time to be computed for FT
(when sending PMK-R1 to another AP).

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2018-04-06 19:48:11 +03:00
Michael Braun
d269740a3e tests: FT with CUI
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2018-04-06 19:09:16 +03:00
Michael Braun
069b4e3048 FT: Include identity and radius_cui in pull/resp frames
This allows APs using FT to get the EAP session information from R0KH to
R1KHs.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2018-04-06 19:09:16 +03:00