Update these comments based on IEEE Std 802.11-2016 to get rid of the
already resolved TODO comment regarding duplicated N_KEY use. The
implementation does not need any changes since it was already following
the fixed version in the current standard.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Add checking for NULL req_ies when FILS processing a driver ASSOC event
in hostapd_notif_assoc(). This was already done in number of old code
paths, but the newer FILS path did not handle this. Though, it is
unlikely that this code path would be reachable in practice since this
is all within sta->auth_alg == WLAN_AUTH_FILS_* check.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Reject a DHE handshake if the server uses a DH prime that does not have
sufficient length to meet the Suite B 192-bit level requirement (<= 3k
(3072) bits).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The hostapd.conf tls_flags=[SUITEB-NO-ECDH] and wpa_supplicant network
profile phase1="tls_suiteb_no_ecdh=1" can now be used to configure Suite
B RSA constraints with ECDHE disabled. This is mainly to allow
the DHE TLS cipher suite to be tested.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Reject a peer certificate chain if it includes an RSA public key that
does not use sufficient key length to meet the Suite B 192-bit level
requirement (<= 3k (3072) bits).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds phase1 parameter tls_suiteb=1 into wpa_supplicant
configuration to allow TLS library (only OpenSSL supported for now) to
use Suite B 192-bit level rules with RSA when using >= 3k (3072) keys.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The new psk=<hexdump> can be used as an alternative to pass=<passphrase>
when configuring the DPP Configurator with a legacy network parameters.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
These control interface event messages can be used to allow hostapd AP
to be configured for legacy WPA2-Personal configuration with DPP.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
While the Suite B AKM is not really going to be used with CCMP-128 or
GCMP-128 cipher, this corner case could be fixed if it is useful for
some testing purposes. Allow that special case to skip the HMAC-SHA1
check based on CCMP/GCMP cipher and use the following AKM-defined check
instead.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This part is missing from IEEE Std 802.11ai-2016, but the lack of DHss
here means there would not be proper PFS for the case where PMKSA
caching is used with FILS SK+PFS authentication. This was not really the
intent of the FILS design and that issue was fixed during REVmd work
with the changes proposed in
https://mentor.ieee.org/802.11/dcn/17/11-17-0906-04-000m-fils-fixes.docx
that add DHss into FILS-Key-Data (and PTK, in practice) derivation for
the PMKSA caching case so that a unique ICK, KEK, and TK are derived
even when using the same PMK.
Note: This is not backwards compatible, i.e., this breaks PMKSA caching
with FILS SK+PFS if only STA or AP side implementation is updated.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
IEEE Std 802.11ai-2016 had missed a change in the Pairwise key hierarchy
clause (12.7.1.3 in IEEE Std 802.11-2016) and due to that, the previous
implementation ended up using HMAC-SHA-1 -based PMKID derivation. This
was not really the intent of the FILS design and that issue was fixed
during REVmd work with the changes proposed in
https://mentor.ieee.org/802.11/dcn/17/11-17-0906-04-000m-fils-fixes.docx
that change FILS cases to use HMAC-SHA-256 and HMAC-SHA-384 based on the
negotiated AKM.
Update the implementation to match the new design. This changes the
rsn_pmkid() function to take in the more generic AKMP identifier instead
of a boolean identifying whether SHA256 is used.
Note: This is not backwards compatible, i.e., this breaks PMKSA caching
based on the initial ERP key hierarchy setup if only STA or AP side
implementation is updated. PMKSA caching based on FILS authentication
exchange is not impacted by this, though.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
secy_init_macsec() can fail (if ->macsec_init fails), and
ieee802_1x_kay_init() should handle this and not let MKA run any
further, because nothing is going to work anyway.
On failure, ieee802_1x_kay_init() must deinit its kay, which will free
kay->ctx, so ieee802_1x_kay_init callers (only ieee802_1x_alloc_kay_sm)
must not do it. Before this patch there is a double-free of the ctx
argument when ieee802_1x_kay_deinit() was called.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Removing interface from bridge in_br
linux_br_del_if(drv->global->ioctl_sock, in_br, ifname)
but in case of failure, the error print is incorrect:
it should show error for "in_br" instead of the wrong bridge name
"brname".
Signed-off-by: Rohit Pratap Singh <rohit.s@samsung.com>
Signed-off-by: Amit Khatri <amit.khatri@samsung.com>
ubsan reported:
../src/crypto/random.c:69:30: runtime error: shift exponent 32 is too large for 32-bit type 'unsigned int'
Explicitly check for the ROL32(x, 0) case which is supposed to be a
no-op.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
After KDF negotiation, must check only requested change occurred in the
list of AT_KDF attributes. If there are any other changes, the peer must
behave like the case that AT_MAC had been incorrect and authentication
is failed. These are defined in EAP-AKA' specification RFC 5448, Section
3.2.
Add a complete check of AT_KDF attributes and send Client-Error if a
change which is not requested is included in it.
Signed-off-by: Tomoharu Hatano <tomoharu.hatano@sony.com>
AT_KDF attributes need to be included in Synchronization-Failure
according to EAP-AKA' specification RFC 5448.
Signed-off-by: Tomoharu Hatano <tomoharu.hatano@sony.com>
pmksa_cache_add_entry() may actually free old_entry if the PMKSA cache
is full. This can result in the PMKSA cache containing entries with
corrupt expiration times.
Signed-off-by: Andrew Elble <aweits@rit.edu>
The "FILS: No pending HLP DHCP exchange with hw_addr" debug message was
missing a space before the following MAC address, so add that there to
make the message more readable.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
It looks like these parameters related to FT have never been used, so
remove them from causing confusion. The separate update_ft_ies()
callback is used to provide the FT elements.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The new sae_commit_override=<hexdump> parameter can be used to force
hostapd to override SAE commit message fields for testing purposes. This
is included only in CONFIG_TESTING_OPTIONS=y builds.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Allow hostapd to be configured to perform SAE reflection attack for SAE
testing purposes with sae_reflection_attack=1 configuration parameter.
This is included only in CONFIG_TESTING_OPTIONS=y builds.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Add PMKID into EAPOL-Key 1/4 when using SAE and fix the PMK-from-PMKSA
selection in some cases where PSK (from passphrase) could have been
used.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This was previously defined inconsistently (H() vs. SHA256()), but it is
now clarified in the draft tech spec to use SHA256(), so update
implementation to do that.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
NL80211_ATTR_AUTH_TYPE needs to be skipped if multiple auth_alg options
are included. The previous list missed the new FILS auth_alg here and
ended up not doing so if OPEN and FILS were included.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
DPP tech spec changed the contents of these frames by replacing the
public key hash attributes with a Transaction ID attribute that gets
copied from the request to the response to identify the transaction in a
simpler manner.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Use the SSL_get_SSL_CTX() helper instead of dereferencing SSL* since
struct ssl_st is not exposed in public header files anymore.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This is an event indicating to the user space that the driver has
detected an internal failure. The driver is expected to recover from
such a failure automatically, e.g., by resetting the device. This event
carries the information indicating the reason that triggered this
detection.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The previous implementation was able to parse arrays of objects, but not
arrays of other types of items.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The two channel width bits in the VHT capability field can be decoded in
following values (IEEE Std 802.11ac-2013 8.4.2.160.2 VHT Capabilities
Info field):
* 0: no 160 or 80+80 MHz support
* 1: 160 MHz support
* 2: 160 and 80+80 MHz support
* 3: (reserved)
The check must therefore not be done bitwise but instead it must checked
whether the capabilities announced by the driver are at least the ones
requested by the user.
Fixes: c781eb8428 ("hostapd: Verify VHT capabilities are supported by driver")
Signed-off-by: Sven Eckelmann <sven.eckelmann@openmesh.com>
Previously, CONFIG_WNM enabled build that supports WNM for both
station mode and AP mode. However, in most wpa_supplicant cases only
station mode WNM is required and there is no need for AP mode WNM.
Add support to differentiate between station mode WNM and AP mode
WNM in wpa_supplicant builds by adding CONFIG_WNM_AP that should be
used when AP mode WNM support is required in addition to station mode
WNM. This allows binary size to be reduced for builds that require
only the station side WNM functionality.
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
X509_ALGOR_get0() was modified to use const ** pointer as the first
argument in OpenSSL 1.1.0, so need to use different type here to avoid
compilation issues.
Signed-off-by: Jouni Malinen <j@w1.fi>
Previously, the pointer to strdup passwd was left in OpenSSL library
default_passwd_cb_userdata and even the default_passwd_cb was left set
on an error path. To avoid unexpected behavior if something were to
manage to use there pointers, clear them explicitly once done with
loading of the private key.
Signed-off-by: Jouni Malinen <j@w1.fi>
Since OpenSSL version 1.1.0f, SSL_use_PrivateKey_file() uses the
callback from the SSL object instead of the one from the CTX, so let's
set the callback on both SSL and CTX. Note that
SSL_set_default_passwd_cb*() is available only in 1.1.0.
Signed-off-by: Beniamino Galvani <bgalvani@redhat.com>
Add a build option to select different default ciphers for OpenSSL
instead of the hardcoded default "DEFAULT:!EXP:!LOW".
This new option is useful on distributions where the security level
should be consistent for all applications, as in Fedora [1]. In such
cases the new configuration option would be set to "" or
"PROFILE=SYSTEM" to select the global crypto policy by default.
[1] https://fedoraproject.org/wiki/Changes/CryptoPolicy
Signed-off-by: Beniamino Galvani <bgalvani@redhat.com>
Add OCE IE in Beacon, Probe Response, and (Re)Association Response
frames if OCE is enabled in the configuration.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Check if device supports OCE STA/STA-CFON/AP specific mandatory
features. This commit includes checking based on the QCA vendor
attributes.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This request ID was wrongly referred from the REQUEST_ID in
enum qca_wlan_vendor_attr_gscan_config_params which is mapped to
QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_LIST_PARAM_NUM in PNO Config.
Hence define a different attribute to represent the request ID
for PNO Config.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
In case of incorrect HT40 configuration as part of an attempt to create
a 80 MHz AP, iface->conf->vht_oper_centr_freq_seg0_idx and
iface->conf->vht_oper_centr_freq_seg1_idx are zero'ed, but
iface->conf->vht_oper_chwidth remains VHT_CHANWIDTH_80MHZ. This causes
the logic in dfs_get_start_chan_idx to fail.
Fix this by setting iface->conf->vht_oper_chwidth to
VHT_CHANWIDTH_USE_HT when zero'ing the center frequency parameters.
Signed-off-by: Naftali Goldstein <naftali.goldstein@intel.com>
dpp.h file requires openssl in order to compile, which breaks
compilation on systems without it.
Move DPP_OUI_TYPE to ieee802_11_defs.h and don't include dpp.h when
not really needed.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Add changes to control interface command get_capability to advertize
FILS capability, FILS AKMs suites, and FILS Authentication algorithms
based on the driver capabilities.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The attribute is QCA_WLAN_VENDOR_ATTR_SAR_LIMITS_SAR_ENABLE, not
QCA_WLAN_VENDOR_ATTR_SAR_LIMITS_SELECT.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
hostapd did not add a new PMKSA cache entry when FILS shared key
authentication was used, i.e., only the initial full authentication
resulted in a PMKSA cache entry being created. Derive the PMKID for the
ERP case as well and add a PMKSA cache entry if the ERP exchange
succeeds.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The EAP message included in FILS Wrapped Data from the non-AP STA to the
AP is EAP-Initiate/Re-auth.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The DPP Configurator can use this new command to generate its own signed
connector for the network that it manages.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This extends the hostapd control interface to support the
DPP_BOOTSTRAP_INFO command that was recently added for wpa_supplicant.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The default value for GTK rekeying period was previously hardcoded to
600 seconds for all cases. Leave that short value only for TKIP as group
cipher while moving to the IEEE 802.11 default value of 86400 seconds
(once-per-day) for CCMP/GCMP.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This updates the previously copied implementation to be up-to-date with
the more recent wpa_supplicant changes.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Allow hostapd to initiate and respond with PKEX bootstrapping similarly
to how this was implemented in wpa_supplicant.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
These need to be compatible for the JWS protected header signing to be
valid, so add an explicit check to confirm this.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Instead of trying to share the existing definitions for NIST curves,
start using unique strings for Brainpool curves.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This implements genric PKEX functionality in src/common/dpp.c and glue
code to use this in wpa_supplicant (i.e, hostapd DPP implementation does
not yet support PKEX).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Use helper functions to cover all three different hash algorithm options
for DPP operations instead of having separate calls to each function at
every location a hash operation based on the curve is needed.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This makes it easier to notice a reason for failure in cases a connector
string has been truncated.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This function is used for parsing both the C-sign-key and netAccessKey,
so better not imply that all cases are C-sign-key in the debug prints.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Set temporary disallowed BSSID list to the driver so that the driver
doesn't try to connect to any of the blacklisted BSSIDs during
driver-based roaming operation. This commit includes support only for
the nl80211 driver interface using a QCA vendor command for this.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
ERP key was previously derived immediately after the availability of
EMSK and Session-Id and the ERP key hierarchy was saved even if the
authentication resulted in failure eventually. Instead, derive the ERP
key only after a successful EAP authentication.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit introduces QCA_NL80211_VENDOR_SUBCMD_ACTIVE_TOS to specify
the active Type Of Service on the specific interface. This can be used
to modify some of the low level scan parameters (off channel dwell time,
home channel time) in the driver/firmware.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
New AKM suites like FILS-SHA256 do not use KCK and hence KCK length can
be zero. Add changes to include KCK attribute in rekey data only if the
length is non-zero.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
wpa_supplicant can now be configured to generate a network profile
automatically based on DPP configuration. The following
dpp_config_processing values can be used to specify the behavior:
0 = report received configuration to an external program for
processing; do not generate any network profile internally (default)
1 = report received configuration to an external program and generate
a network profile internally, but do not automatically connect
to the created (disabled) profile; the network profile id is
reported to external programs
2 = report received configuration to an external program, generate
a network profile internally, try to connect to the created
profile automatically
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Extend hostapd configuration to include parameters needed for the DPP
AKM: dpp_connector, dpp_netaccesskey, dpp_netaccesskey_expiry,
dpp_csign, dpp_csign_expiry.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This allows external programs to generate and add PMKSA cache entries
into hostapd. The main use for this is to run external DPP processing
(network introduction) and testing.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This new AKM is used with DPP when using the signed Connector to derive
a PMK. Since the KCK, KEK, and MIC lengths are variable within a single
AKM, this needs number of additional changes to get the PMK length
delivered to places that need to figure out the lengths of the PTK
components.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds DPP bootstrapping, authentication, and configuration into
hostapd similarly to how the design was integrated in wpa_supplicant.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds support for DPP Configuration Protocol using GAS. Full
generation and processing of the configuration object is not included in
this commit.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Add wpa_supplicant control interface commands for parsing the bootstrap
info URI from a QR Code (get peer public key) and to generate a new
bootstrap info with private key for local use. The optional
key=<hexdump> argument to the DPP_BOOTSTRAP_GEN command can be used to
specify the bootstrapping private key in OpenSSL ECPrivateKey DER
encoding format. This results in the local bootstrapping information
entry being created with the specified key instead of generating a new
random one.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Introduction of the new base64 helper function changed the backtraces
for these OOM test cases and resulted in test failures. Update the test
scripts to work with the new implementation.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
