Commit graph

7014 commits

Author SHA1 Message Date
John Crispin
ad9a1bfe78 nl80211: Share VHT channel configuration for HE
Set operating channel bandwidth and center frequencies using the same
attributes for VHT and HE.

Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
2019-05-27 17:03:39 +03:00
John Crispin
78d35b16de HE: Add AP mode MLME/SME handling for HE stations
Process HE information in (Re)Association Request frames and add HE
elements into (Re)Association Response frames when HE is enabled in the
BSS.

Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
2019-05-27 16:40:48 +03:00
John Crispin
8f5fc369e2 HE: Fix HE Capabilities element variable length encoding
The HE Capibilities element has dynamic size due to the variable length
and optional fields at the end. Mask out the channel width capabilities
that are less than the configured. Only add the MCS/NSS sets for the
announced channel widths and also add the PPET elements.

Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
2019-05-27 16:30:23 +03:00
John Crispin
0dbc894f46 HE: Fix HE Capabilities indication from driver
The PPE Thresholds information in the end of the HE Capabilities element
is optional and of variable length. struct he_ppe_threshold was not
really used correctly for encoding this, so remove it and just reserve
enough space for the information.

Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
2019-05-27 16:30:23 +03:00
John Crispin
05b28306f5 HE: Add HE channel management configuration options
These are symmetric with the VHT ones.

Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
2019-05-27 16:30:05 +03:00
John Crispin
c6b7ac077f HE: Add helpers for getting the channel width parameters
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
2019-05-27 16:30:05 +03:00
John Crispin
39b9d059cd HE: Remove vht_ prefix from acs_adjust_vht_center_freq()
This is used for both VHT and HE, so remove the misleading prefix.

Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
2019-05-27 16:30:05 +03:00
John Crispin
7118a697f4 HE: Remove vht_ prefix from seg0/seg1_idx in DFS
These are used for both VHT and HE, so remove the misleading prefix.

Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
2019-05-27 16:30:05 +03:00
John Crispin
f428332d32 HE: Remove vht_ prefix from bw/seg0/seg1_idx in CSA fallback
These are used for both VHT and HE, so remove the misleading prefix.

Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
2019-05-27 16:30:05 +03:00
John Crispin
f200631c35 HE: Remove vht_ prefix from CSA/bandwidth
Bandwidth is used for both VHT and HE here.

Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
2019-05-27 16:30:05 +03:00
John Crispin
b04e43086b HE: Remove vht_ prefix from shared set_freq argument
oper_chwidth is used for both VHT and HE here.

Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
2019-05-27 16:30:05 +03:00
John Crispin
464dcfd030 HE: Remove VHT_ prefix from CHANWITDH_* define
The bandwidth values are shared between VHT and HE mode so remove the
VHT specific prefix.

Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
2019-05-27 16:27:49 +03:00
John Crispin
846e8396ab HE: Mask out the beamforming capabilities if they are not configured
These bits might be set by the capabilities read from the kernel, so
mask them out if beamforming is not enabled in the local configuration.

Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
2019-05-27 16:27:41 +03:00
John Crispin
59d9c3a145 nl80211: Allow HE Capability to be set for a STA
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
2019-05-27 16:27:41 +03:00
John Crispin
289a9cf7ae HE: Add HE Operation element to element parser
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
2019-05-27 16:27:41 +03:00
Jouni Malinen
d70776098d VHT: Remove copying of VHT Operation element from (Re)Assoc Req
This copying attempt was added incorrectly since that element is never
actually present in (Re)Association Request frames. It is only valid to
copy that element from the mesh peering frames.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-05-26 18:03:40 +03:00
Jouni Malinen
ce362f885f FILS: Explicitly clear plaintext buffer for Assoc Resp
This buffer may contain GTK and IGTK, so better clear it explicitly from
heap memory before freeing the buffer.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-05-26 16:11:56 +03:00
Jouni Malinen
31bc66e4d1 More forceful clearing of stack memory with keys
gcc 8.3.0 was apparently clever enough to optimize away the previously
used os_memset() to explicitly clear a stack buffer that contains keys
when that clearing happened just before returning from the function.
Since memset_s() is not exactly portable (or commonly available yet..),
use a less robust mechanism that is still pretty likely to prevent
current compilers from optimizing the explicit clearing of the memory
away.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-05-26 16:11:56 +03:00
Jouni Malinen
7d43c7b2d6 nl80211: Write event name in debug log for ignored events
This makes it easier to understand debug logs from systems that have
multiple interfaces.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-05-25 21:37:23 +03:00
Jouni Malinen
baf8ab8cec RADIUS server: Do not close fd=0 in error cases
Initialize auth_sock and acct_sock to -1 to avoid radius_server_deinit()
attempting to close fd=0 if anything fails in setting up the RADIUS
server.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-05-25 19:10:08 +03:00
Mohit Sethi
5eefa8115b EAP-AKA: Add Session-Id derivation during fast-reauth
The Session-Id derivation for EAP-AKA in RFC 5247 only explained how the
Session-Id is derived for regular authentication. Jouni reported it as
an errata with text explaining how to derive it during fast
reauthentication.

This patch now exports the Session-Id for EAP-AKA during fast
reauthentication based on this Session-Id = 0x17 || NONCE_S || MAC
construction.

Also documented by Alan Dekok in draft-dekok-emu-eap-session-id.

Signed-off-by: Mohit Sethi <mohit.sethi@aalto.fi>
2019-05-25 17:17:00 +03:00
Mohit Sethi
1c16b257a0 EAP-SIM: Add Session-Id derivation during fast-reauth
The Session-Id derivation for EAP-SIM in RFC 5247 only explained how the
Session-Id is derived for regular authentication. Jouni reported it as
an errata with text explaining how to derive it during fast
reauthentication.

This patch now exports the Session-Id for EAP-SIM during fast
reauthentication based on this Session-Id = 0x12 || NONCE_S || MAC
construction.

Signed-off-by: Mohit Sethi <mohit.sethi@aalto.fi>
2019-05-25 17:05:03 +03:00
Jouni Malinen
312ec34e40 UBSan: Avoid dependency on undefined behavior in internal AES operation
The rcons[] and Td4s[] array values need to be type cast explicitly to
u32 for the left shift 24 operation to be defined due to the implicit
conversion to int not handling the case where MSB would become 1 without
depending on UB.

Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14929
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-05-25 01:51:12 +03:00
Jouni Malinen
5bad612311 WNM: Fix bounds checking in SSID List element matching
The IE header length check was off-by-one and that could allow the loop
to read one octet beyond the end of the buffer before breaking out in
the second check.

Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14927
Fixes: 0a66ce3c49 ("WNM: Add support for SSID List element matching")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-05-25 01:29:47 +03:00
Jouni Malinen
b1aee7a622 DPP: Fix bootstrapping URI parser to handle channel list for an opclass
The bootstrapping URI format for DPP was extended during protocol design
to allow a list of channels without having to repeat the same operating
class information for each channel. That change was not included in the
initial implementation of the parser and a channel-list like
"C:81/1,6,11" would not be understood correctly (i.e., only the longer
"C:81/1,81/6,81/11" form would have been parsed correctly).

Fix this by extending the parser to accept both the shorter and longer
form for a list of channels within a single operating class.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-05-23 01:34:24 +03:00
Jouni Malinen
69afb6b395 FILS: Verify RSNE match between Beacon/Probe Response and (Re)AssocResp
IEEE Std 802.11ai-2016 requires the FILS STA to do this check, but this
was missing from the initial implementation. The AP side behavior was
not described properly in 802.11ai due to a missing change in the
(Re)Association Response frame format tables which has resulted in some
deployed devices not including the RSNE.

For now, use an interoperability workaround to ignore the missing RSNE
and only check the payload of the element if it is present in the
protected frame. In other words, enforce this validation step only with
an AP that implements FILS authentication as described in REVmd while
allowing older implementations to skip this check (and the protection
against downgrade attacks). This workaround may be removed in the future
if it is determined that most deployed APs can be upgraded to add RSNE
into the (Re)Association Response frames.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-05-23 00:34:43 +03:00
Jouni Malinen
831d8c9cf5 FILS: Add RSNE into (Re)Association Response frame
This AP behavior was missing from IEEE Std 802.11ai-2016, but it is
needed for the RSNE validation to work correctly and for a FILS STA to
be able to perform the mandatory check for RSNE matching when processing
the (Re)Association Response frame (as described in 802.11ai). REVmd
will be updating the standard to cover this AP case, so prepare the
implementation to match that. Without this, a FILS STA might reject
association whenever using FILS authentication.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-05-23 00:34:43 +03:00
Jouni Malinen
e3b39e62c2 OpenSSL: Fix a memory leak in OCSP handling
If OCSP_resp_find_status() fails with the first OCSP_CERTID, the
generation of the second OCSP_CERTID ended up leaking memory. Fix this
by freeing the previously allocated OCSP_CERTID on that code path.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-05-08 21:08:53 +03:00
Jouni Malinen
6602d9e3a6 DPP: Fix a memory leak in testing sequence
Do not allow auth->own_protocol_key to be overridden without having
freed the previously stored key in case a test sequence in
dpp_proto_auth_conf_replaced_by_resp is used.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-05-08 20:38:10 +03:00
Jouni Malinen
c5622b43cd DPP: Fix a memory leak on duplicate Authentication Response
Do not allow auth->peer_protocol_key to be overridden without having
freed the previously stored key in case two Authentication Response
messages are received.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-05-08 20:25:10 +03:00
Jouni Malinen
1cdfe8d23f DPP: Fix a memory leak in PKEX Qi/Qr derivation
The result of EC_GROUP_dup() needs to be freed, so do so within the
derivation functions for all error cases and in the callers for success
cases.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-05-08 19:59:21 +03:00
Jouni Malinen
51dc146f3e EAP-PAX server: Avoid debug prints of uninitialized memory in error cases
Use a separate error case handler for eap_pax_mac() failures and memcmp
to avoid wpa_hexdump() calls for the (mainly theoretical) local error
cases in deriving the MAC.

Fixes: b3c2b5d9f7 ("EAP-PAX server: Check hash function results")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-05-08 19:02:19 +03:00
Jouni Malinen
677e120181 dragonfly: Fix a memory leak on error path
This is mostly a theoretical case, but since crypto_bignum_rand() could
fail, need to free the allocated struct crypto_bignum *tmp in such a
case.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-05-08 18:55:57 +03:00
Jouni Malinen
8925d2010d OpenSSL: Fix memory leak in crypto_dh_derive_secret()
BN_clear() does not free the BIGNUM; it only clears its value. Fix this
memory leak by using the appropriate BN_clear_free() function instead.

Fixes: b11fa98bcb ("Add explicit checks for peer's DH public key")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-05-08 18:53:32 +03:00
Jouni Malinen
57ec74ea9b DPP: Fix memory leak in EC_GROUP handling
EC_GROUP_new_by_curve_name() allocates memory for the returned pointer,
so need to free this with EC_GROUP_free() before leaving the calling
functions. This was leaking memory when parsing JWK and when performing
PKEX.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-05-08 18:32:29 +03:00
Jouni Malinen
7a9ddba6f5 DPP: Fix a memory leak in key pair generation
ec_params needs to be free within dpp_gen_keypair() to avoid leaking the
allocated memory.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-05-08 18:27:06 +03:00
Jouni Malinen
f9cd1327ad OpenSSL: Fix memory leak in crypto_ecdh_init()
ec_params needs to be freed before returning from the function.
Extension of this function to support BoringSSL introduced this memory
leak and that was later extended to be the only variant and apply to
OpenSSL and LibreSSL cases as well in commit c23e87d0d1 ("OpenSSL:
Replace EVP_PKEY_paramgen() with EC_KEY_new_by_curve_name()").

Fixes: f29761297b ("BoringSSL: Implement crypto_ecdh_init()")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-05-08 12:16:03 +03:00
Paul Zhang
fb10f3bb65 Add subcmd QCA_NL80211_VENDOR_SUBCMD_INTEROP_ISSUES_AP
In practice, some APs have interop issues with the DUT. This sub command
is used to transfer the AP info between the driver and user space. This
works both as a command and event. As a command, it configures the
stored list of APs from user space to firmware; as an event, it
indicates the AP info detected by the firmware to user space for
persistent storage. The attributes defined in enum
qca_vendor_attr_interop_issues_ap are used to deliver the parameters.

Signed-off-by: Paul Zhang <paulz@codeaurora.org>
2019-05-07 13:03:51 +03:00
John Crispin
b505ef7e96 HE: Do not add SPR IE if sr_control is set to 0
If none of the sr_control bits are set, we do not neet to add the IE to
the Beacon frame.

Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
2019-05-05 00:58:25 +03:00
Jouni Malinen
de94be0acd Enforce that IEEE 802.1X EAPOL-Key Replay Counter increases
While this should not happen in practical use cases,
wpa_get_ntp_timestamp() could return the same value when called twice in
a row quickly. Work around that case by enforcing a new Replay Counter
value based on stored last value.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-05-05 00:57:37 +03:00
Jeff Johnson
fd1c2ca521 Add QCA_WLAN_VENDOR_ATTR_WIFI_INFO_RADIO_INDEX
Update enum qca_wlan_vendor_attr_get_wifi_info to add support for
attribute QCA_WLAN_VENDOR_ATTR_WIFI_INFO_RADIO_INDEX. In addition
update the documentation for qca_wlan_vendor_attr_get_wifi_info and
QCA_NL80211_VENDOR_SUBCMD_GET_WIFI_INFO to fully describe the
operation of the command and the format of the attributes.

Signed-off-by: Jeff Johnson <jjohnson@codeaurora.org>
2019-05-02 17:13:46 +03:00
Vamsi Krishna
ae21cffb2c Add QCA vendor command to support beacon reporting feature
Add a QCA vendor sub command QCA_NL80211_VENDOR_SUBCMD_BEACON_REPORTING
to implement beacon reporting feature. Different operations required to
implement this feature can be specified in
QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_OP_TYPE.

Userspace requests the driver/firmware to periodically report received
Beacon frames whose BSSID matches the current connected BSS's MAC
address. If userspace requests the driver/firmware to send beacon
reports actively, the driver encapsulates the details of the beacon in
an event and sends it to userspace asynchronously. Otherwise, the driver
will only update the beacon in cfg80211 scan cache but will not send any
event to userspace.

If this command is not issued, the current behavior of the
driver/firmware is to update the cfg80211 scan cache only when there is
a scan issued by the host in progress or whenever there is a change in
IEs of the Beacon frames from the current connected BSS.

The userspace requests the driver/firmware to stop reporting beacons
when reporting is not required anymore. If the driver/firmware is not
able to receive Beacon frames because of other Wi-Fi operations such as
off-channel activities, etc., the driver/firmware sends a pause event to
userspace and stops reporting Beacon frames. The driver/firmware
indicates whether the beacon reporting automatically resumes later by
using the QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_AUTO_RESUMES flag. If
userspace doesn't want the beacon reporting to be resumed automatically,
userspace can send QCA_WLAN_VENDOR_BEACON_REPORTING_OP_STOP command to
the driver to stop beacon reporting.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-05-02 15:08:31 +03:00
Toke Høiland-Jørgensen
ef7217518b hostapd: Add airtime policy configuration support
This adds support to hostapd for configuring airtime policy settings for
stations as they connect to the access point. This is the userspace
component of the airtime policy enforcement system PoliFi described in
this paper: https://arxiv.org/abs/1902.03439

The Linux kernel part has been merged into mac80211 for the 5.1 dev
cycle.

The configuration mechanism has three modes: Static, dynamic and limit.
In static mode, weights can be set in the configuration file for
individual MAC addresses, which will be applied when the configured
stations connect.

In dynamic mode, weights are instead set per BSS, which will be scaled
by the number of active stations on that BSS, achieving the desired
aggregate weighing between the configured BSSes. Limit mode works like
dynamic mode, except that any BSS *not* marked as 'limited' is allowed
to exceed its configured share if a per-station fairness share would
assign more airtime to that BSS. See the paper for details on these
modes.

Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
2019-05-02 14:57:43 +03:00
Toke Høiland-Jørgensen
6720b9482f nl80211: Station airtime weight configuration
This provides a mechanism for configuring per-STA airtime weight for
airtime policy configuration.

Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
2019-05-02 13:28:17 +03:00
Toke Høiland-Jørgensen
58d4c23615 nl80211: Fetch STA TX/RX duration statistics
This makes per-STA TX/RX duration statistics available for airtime policy
configuration.

Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
2019-04-30 12:34:58 +03:00
Toke Høiland-Jørgensen
1d6f63854e nl80211: Fetch STA TXQ backlog statistics
This makes per-STA TXQ backlog statistics available for airtime policy
configuration.

Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
2019-04-30 12:34:58 +03:00
David Woodhouse
6326fa0c40 Fix ENGINE support with OpenSSL 1.1+
Commit 373c796948 ("OpenSSL: Fix compile with OpenSSL 1.1.0 and
deprecated APIs") removed a call to ENGINE_load_dynamic() for newer
versions of OpenSSL, asserting that it should happen automatically.

That appears not to be the case, and loading engines now fails because
the dynamic engine isn't present.

Fix it by calling ENGINE_load_builtin_engines(), which works for all
versions of OpenSSL. Also remove the call to ERR_load_ENGINE_strings()
because that should have happened when SSL_load_error_strings() is
called anyway.

Fixes: 373c796948 ("OpenSSL: Fix compile with OpenSSL 1.1.0 and deprecated APIs")
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2019-04-30 12:10:40 +03:00
Jouni Malinen
099224c18e nl80211: Simplify if_indices tracking
Maintain a single array (of struct with two int variables) instead of
two independent arrays (of int) for tracking know ifindexes and reasons
for having added them. The previous implementation tried to maintain two
independent arrays even though they were always required to be of
exactly same length and order. That had resulted in a bug earlier and
the code was not exactly easy to understand either, so replace this with
a single array.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-04-28 21:05:54 +03:00
Jouni Malinen
e6ca2f1139 nl80211: Fix handling of if_indices reallocation failure
Addition of a separate if_indices_reason array broke reallocation
failure checking. drv->if_indices or drv->if_indices_reason could not be
NULL in the place where this check was moved to. Fix that by maintaining
knowledge of reallocation failure in a separate local variable.

Fixes: 732b1d20ec ("nl80211: Clean up ifidx properly if interface in a bridge is removed")
Signed-off-by: Jouni Malinen <j@w1.fi>
2019-04-28 20:52:10 +03:00
Jouni Malinen
b93a0ce7bd DPP2: Check conn->ctrl more consistently
There is no point in checking this pointer against NULL after it has
been dereferenced. Move the check to the beginning of the function.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-04-28 20:28:46 +03:00