Commit graph

14520 commits

Author SHA1 Message Date
Mathy Vanhoef
1e93e4239f OCV: Track STA OCV capability in AP mode
Check and store OCV capability indication for each STA.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-12-16 20:49:13 +02:00
Mathy Vanhoef
875ab60d73 OCV: Advertise OCV capability in RSN capabilities (AP)
Set the OCV bit in RSN capabilities (RSNE) based on AP mode
configuration. Do the same for OSEN since it follows the RSNE field
definitions.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-12-16 20:48:48 +02:00
Mathy Vanhoef
ce6829c284 OCV: Add wpa_supplicant config parameter
Add wpa_supplicant network profile parameter ocv to disable or enable
Operating Channel Verification (OCV) support.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-12-16 20:31:21 +02:00
Mathy Vanhoef
9c55fdb023 OCV: Add hostapd config parameter
Add hostapd.conf parameter ocv to disable or enable Operating Channel
Verification (OCV) support.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-12-16 20:31:21 +02:00
Mathy Vanhoef
138205d600 OCV: Add build configuration for channel validation support
Add compilation flags for Operating Channel Verification (OCV) support.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-12-16 20:31:21 +02:00
Mathy Vanhoef
b1d05aee8b OCV: Protocol definitions
Define protocol identifiers for Operating Channel Verification (OCV)
based on IEEE P802.11-REVmd/D2.0.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-12-16 20:31:21 +02:00
Mathy Vanhoef
ad20a1367f Store the VHT Operation element of an associated STA
APs and mesh peers use the VHT Operation element to advertise certain
channel properties (e.g., the bandwidth of the channel). Save this
information element so we can later access this information.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-12-16 18:35:30 +02:00
Mathy Vanhoef
d706e0d7a3 Add functions to convert channel bandwidth to an integer
This adds two utility functions to convert both operating classes and
and the chan_width enum to an integer representing the channel
bandwidth. This can then be used to compare bandwidth parameters in an
uniform manner.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-12-16 18:35:30 +02:00
Mathy Vanhoef
dbe473fd22 Add utility function to derive operating class and channel
This function can be used to easily convert the parameters returned
by the channel_info driver API, into their corresponding operating
class and channel number.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-12-16 18:35:30 +02:00
Mathy Vanhoef
bef4d07a28 Make channel_info available to authenticator
This adds the necessary functions and callbacks to make the channel_info
driver API available to the authenticator state machine that implements
the 4-way and group key handshake. This is needed for OCV.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-12-16 18:35:30 +02:00
Mathy Vanhoef
4b62b52e5e Make channel_info available to the supplicant state machine
This adds the necessary functions and callbacks to make the channel_info
driver API available to the supplicant state machine that implements the
4-way and group key handshake. This is needed for OCV.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-12-16 18:35:30 +02:00
Mathy Vanhoef
7f00dc6e15 Add driver API to get current channel parameters
This adds driver API functions to get the current operating channel
parameters. This encompasses the center frequency, channel bandwidth,
frequency segment 1 index (for 80+80 channels), and so on.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-12-16 18:35:30 +02:00
Jouni Malinen
183a6c93cd HS 2.0 server: Allow policy to be set for SIM provisioning
A new osu_config field "sim_policy" can now be used to specify the
policy template for SIM provisioning.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-16 18:33:11 +02:00
Jouni Malinen
89ae35833b HS 2.0 server: SIM provisioning exchange
Support SIM provisioning exchange with SPP. This uses the
hotspot2dot0-mobile-identifier-hash value from the AAA server to allow
subscription registration through subscription remediation exchange.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-15 18:15:01 +02:00
Jouni Malinen
4992582187 tests: Hotspot 2.0 AAA server behavior for SIM provisioning
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-15 18:01:38 +02:00
Jouni Malinen
7bd8c76a4f HS 2.0 server: RADIUS server support for SIM provisioning
This adds support for hostapd-as-RADIUS-authentication-server to request
subscription remediation for SIM-based credentials. The new hostapd.conf
parameter hs20_sim_provisioning_url is used to set the URL prefix for
the remediation server for SIM provisioning. The random
hotspot2dot0-mobile-identifier-hash value will be added to the end of
this URL prefix and the same value is stored in a new SQLite database
table sim_provisioning for the subscription server implementation to
use.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-15 18:01:38 +02:00
Jouni Malinen
79fec6a92d EAP: Make method and IMSI available from server structures
Expose EAP method and IMSI from the completed (or ongoing) EAP
authentication session. These are needed for implementing Hotspot 2.0
SIM provisioning.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-14 15:56:16 +02:00
Jouni Malinen
fb2dc898d6 WMM AC: Fix a typo in a comment
Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-08 16:50:42 +02:00
Jouni Malinen
22d8bb04d9 WMM AC: Do not write ERROR level log entries when WMM AC is not in use
These two wpa_printf() calls with MSG_ERROR level could be reached when
connecting without (Re)Association Response frame elements being
available. That would be the case for wired connections and IBSS. Those
cases are not supposed to use WMM AC in the first place, so do not
confuse logs with ERROR messages in them for normal conditions.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-08 16:48:33 +02:00
Jouni Malinen
30810f5d97 tests: wpa_supplicant config file writing and key_mgmt values
Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-08 16:27:26 +02:00
Jouni Malinen
06c00e6d93 OWE: Fix OWE network profile saving
key_mgmt=OWE did not have a config parameter writer and wpa_supplicant
was unable to save such a network profile correctly. Fix this by adding
the needed parameter writer.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-08 16:27:26 +02:00
Damodaran, Rohit (Contractor)
ad6a92472d DPP: Support DPP key_mgmt saving to wpa_supplicant configuration
In the existing code, there was no "DPP" string available to the DPP key
management type for configuration parser of wpa supplicant. When the
configuration is saved, the key management string was left out from the
config file. Fix this by adding support for writing key_mgmt=DPP option.

Signed-off-by: Rohit Damodaran <Rohit_Damodaran@comcast.com>
2018-12-08 16:17:48 +02:00
Jouni Malinen
3a80672e22 tests: Remove parallel-vm.sh
parallel-vm.py has obsoleted this a long time ago and there is no need
to maintain two scripts for doing more or less the same thing.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-08 15:35:47 +02:00
Jouni Malinen
e4ce86f98b tests: Add dfs_etsi to the long_tests list
Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-08 15:33:31 +02:00
Jouni Malinen
3ce48c440e HS 2.0: Fix PMF-in-use check for ANQP Venue URL processing
The previous implementation did not check that we are associated with
the sender of the GAS response before checking for PMF status. This
could have accepted Venue URL when not in associated state. Fix this by
explicitly checking for association with the responder first.

This fixes an issue that was detected, e.g., with these hwsim test case
sequences:
gas_anqp_venue_url_pmf gas_anqp_venue_url
gas_prot_vs_not_prot gas_anqp_venue_url

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-08 14:06:58 +02:00
Jouni Malinen
842c29c173 tests: Hotspot 2.0 connection attempt without PMF
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-08 14:06:58 +02:00
Jouni Malinen
f44d760cf0 HS 2.0: Enable PMF automatically for Hotspot 2.0 network profiles
Hotspot 2.0 Release 2 requires PMF to be negotiated, so enable this by
default in the network profiles created from cred blocks.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-08 14:06:58 +02:00
Jouni Malinen
f3784a6b94 HS 2.0: Reject Hotspot 2.0 Rel 2 or newer association without PMF
Hotspot 2.0 Rel 2 requires PMF to be enabled.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-08 14:06:58 +02:00
Jouni Malinen
c8f7a83c65 tests: Fix ap_hs20_deauth_req_without_pmf
Now that hostapd starts mandating PMF for Hotspot 2.0 Release 2
association, this test case needs some more tweaks to work. Hardcode
Hotspot 2.0 Release 1 to be used and disable PMF explicitly.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-08 14:06:58 +02:00
Jouni Malinen
647c0ed679 tests: Fix ap_hs20_ft with PMF enabled
The Beacon loss event was not reported anymore, so remove that as an
unnecessary step in the test case. In addition, check the key_mgmt
values explicitly.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-08 14:06:58 +02:00
Jouni Malinen
f40f8860d2 tests: Enable PMF in ap_hs20_unexpected configuration
This is needed to meet the Hotspot 2.0 Release 2 requirement for the
third station that is actually using RSN.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-08 14:06:58 +02:00
Jouni Malinen
ea57b0bcfe tests: Enable PMF in ap_hs20_external_selection network profile
This is required for Hotspot 2.0 Release 2.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-08 14:06:58 +02:00
Jouni Malinen
9ce2015a97 HS 2.0: Allocate enough buffer for HS 2.0 Indication element for scan
The HS 2.0 Indication element can be up to 9 octets in length, so add
two more octets to the minimum extra_ie buffer size for scanning.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-08 14:06:58 +02:00
Jouni Malinen
dfd1b69de2 tests: Hotspot 2.0 release number indication
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-08 14:06:58 +02:00
Jouni Malinen
7436cd366e tests: Update Hotspot 2.0 release number expectation to 3
Match the implementation change to fix the test cases that verified a
specific Hotspot 2.0 release number indication.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-08 14:06:58 +02:00
Jouni Malinen
2205ca0dfe HS 2.0: Update supported release number to 3
Release 3 functionality is included, so start advertising support for
that release.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-08 14:06:58 +02:00
Jouni Malinen
ec2cf403b8 HS 2.0: As a STA, do not indicate release number greater than the AP
Hotspot 2.0 tech spec mandates mobile device to not indicate a release
number that is greater than the release number advertised by the AP. Add
this constraint to the HS 2.0 Indication element when adding this into
(Re)Association Request frame. The element in the Probe Request frame
continues to show the station's latest supported release number.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-08 14:06:58 +02:00
Jouni Malinen
6ae04d7b34 HS 2.0: Allow Hotspot 2.0 release number to be configured
The new hostapd configuration parameter hs20_release can be used to
configure the AP to advertise a specific Hotspot 2.0 release number
instead of the latest supported release. This is mainly for testing
purposes.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-08 14:06:54 +02:00
Jouni Malinen
17adac9ef9 FILS: Do not process FILS HLP request again while previous one is pending
It is better not to process a new (most likely repeated) FILS HLP
request if a station retransmits (Re)Association Request frame before
the previous HLP response has either been received or timed out. The
previous implementation ended up doing this and also ended up
rescheduling the fils_hlp_timeout timer in a manner that prevented the
initial timeout from being reached if the STA continued retransmitting
the frame. This could result in failed association due to a timeout on
the station side.

Make this more robust by processing (and relaying to the server) the HLP
request once and then ignoring any new HLP request while the response
for the relayed request is still pending. The new (Re)Association
Request frames are otherwise processed, but they do not result in actual
state change on the AP side before the HLP process from the first
pending request is completed.

This fixes hwsim test case fils_sk_hlp_oom failures with unmodified
mac80211 implementation (i.e., with a relatively short retransmission
timeout for (Re)Association Request frame).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-07 16:03:40 +02:00
Peng Xu
891e1668c0 hostapd: Update HE Capabilities and Operation element definition
Update HE Capabilities/Operation element definition based on IEEE
P802.11ax/D3.0.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-07 15:17:02 +02:00
Jouni Malinen
678d8410af Move send_probe_response parameter to BSS specific items
This can be more convenient for testing Multiple BSSID functionality.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-07 15:03:11 +02:00
Edayilliam Jayadev
4c02242d04 Define spectral scaling parameters as QCA vendor specific attributes
Add spectral scaling parameters as vendor attributes to the
QCA_NL80211_VENDOR_SUBCMD_SPECTRAL_SCAN_GET_CAP_INFO vendor subcommand.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-04 20:57:32 +02:00
Jouni Malinen
4b1ae27974 tests: Connect to WPS AP with NFC connection handover (local failure)
This is a regression test case for a potential NULL pointer
dereferencing fixed in the previous commit.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-04 20:55:20 +02:00
Yu Ouyang
f81e65510c WPS NFC: Fix potential NULL pointer dereference on an error path
The NFC connection handover specific case of WPS public key generation
did not verify whether the two wpabuf_dup() calls succeed. Those may
return NULL due to an allocation failure and that would result in a NULL
pointer dereference in dh5_init_fixed().

Fix this by checking memory allocation results explicitly. If either of
the allocations fail, do not try to initialize wps->dh_ctx and instead,
report the failure through the existing error case handler below.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org
2018-12-04 20:52:34 +02:00
Jouni Malinen
0e1ab324cc HS 2.0 server: Fix couple of memory leaks
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-04 14:12:44 +02:00
Jouni Malinen
718346775d HS 2.0 server: Client certificate reenrollment
This adds support for the SPP server to request certificate reenrollment
and for the EST server to support the simplereenroll version.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-04 14:11:39 +02:00
Jouni Malinen
d726f4da54 HS 2.0 server: Document client certificate related Apache configuration
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-04 00:34:10 +02:00
Jouni Malinen
2166651b0c HS 2.0 server: Clear remediation requirement for certificate credentials
Previous implementation updated user database only for username/password
credentials. While client certificates do not need the updated password
to be written, they do need the remediation requirement to be cleared,
so fix that.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-04 00:34:10 +02:00
Jouni Malinen
34341b09b4 HS 2.0 server: Do not set phase2=1 for certificate-based users
These are not really using Phase 2, so use more appropriate
configuration when going through online signup for client certificates.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-04 00:34:00 +02:00
Jouni Malinen
6ff4241797 HS 2.0 server: Include phase2=0 users for TLS in the user list
EAP-TLS users are not really using phase2, so do not require the
database to be set in a way that claim that inaccurately.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-03 23:38:20 +02:00