Commit graph

4742 commits

Author SHA1 Message Date
Vamsi Krishna
2e06cef80a MBO/OCE: Work around misbehaving MBO/OCE APs that use RSN without PMF
The MBO and OCE specification require the station to mandate use of PMF
when connecting to an MBO/OCE AP that uses WPA2. The earlier
implementation prevented such misbehaving APs from being selected for
connection completely. This looks like the safest approach to take, but
unfortunately, there are deployed APs that are not compliant with the
MBO/OCE requirements and this strict interpretation of the station
requirements results in interoperability issues by preventing the
association completely.

Relax the approach by allowing noncompliant MBO/OCE APs to be selected
for RSN connection without PMF to avoid the main impact of this
interoperability issue. However, disable MBO/OCE functionality when PMF
cannot be negotiated to try to be as compliant as practical with the
MBO/OCE tech spec requirements (i.e., stop being an MBO/OCE STA for the
duration of such workaround association). Also disable support for BTM
in this workaround state since MBO would expect all BTM frames to be
protected.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-09-21 00:58:33 +03:00
Jouni Malinen
8f8c423a51 DPP: Add bandSupport JSON array into config request
Indicate supported global operating classes when wpa_supplicant is
operating as an Enrollee.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-09-19 00:21:47 +03:00
Jouni Malinen
5a5639b068 DPP: Allow name and mudurl to be configured for Config Request
The new hostapd and wpa_supplicant configuration parameters dpp_name and
dpp_mud_url can now be used to set a specific name and MUD URL for the
Enrollee to use in the Configuration Request. dpp_name replaces the
previously hardcoded "Test" string (which is still the default if an
explicit configuration entry is not included). dpp_mud_url can
optionally be used to add a MUD URL to describe the Enrollee device.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-09-19 00:21:47 +03:00
Jouni Malinen
16ef233bf1 DPP2: Connection status result (Enrollee)
Add support for reporting connection status after provisioning if the
Configurator requests this.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-09-16 17:25:34 +03:00
Jouni Malinen
b10e01a795 DPP2: Connection status result (Configurator)
A new argument to the DPP_AUTH_INIT command (conn_status=1) can now be
used to set Configurator to request a station Enrollee to report
connection result after a successfully completed provisioning step. If
the peer supports this, the DPP-CONF-SENT event indicates this with a
new argument (wait_conn_status=1) and the Configurator remains waiting
for the connection result for up to 16 seconds.

Once the Enrollee reports the result, a new DPP-CONN-STATUS-RESULT event
is generated with arguments result, ssid, and channel_list indicating
what the Enrollee reported. result=0 means success while non-zero codes
are for various error cases as specified in the DPP tech spec. If no
report is received from the Enrollee, the event with "timeout" argument
is generated locally.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-09-16 17:13:46 +03:00
Sujay Patwardhan
21dc1627f6 wpa_supplicant: Don't return an error when successfully parsing WMM rules
The config file parser previously would fall through into an error if
CONFIG_AP is defined and it hit a wmm_ac_* rule with a valid value. Add
a return to prevent incorrectly printing an error message and returning
a non-zero exit code.

Signed-off-by: Sujay Patwardhan <sujay@eero.com>
2019-09-13 16:35:16 +03:00
Hu Wang
8214b45ba0 P2P: Use latest BSS entry if multiple P2P Device Addr matches found
If an AP (P2P GO) has changed its operating channel or SSID recently,
the BSS table may have multiple entries for the same BSSID.

Commit 702621e6dd ('WPS: Use latest updated BSS entry if multiple
BSSID matches found') fetches latest updated BSS entry based on
BSSID. Do the same when fetching an entry based on the P2P Device
Address.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-09-13 16:22:05 +03:00
Alexei Avshalom Lazar
dc6c3be4e2 wpa_supplicant: Add support for 60 GHz band channels 5 and 6
The previous support in the 60 GHz band was for channels 1-4.
Add support for channels 5 and 6.

Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
2019-09-13 16:14:17 +03:00
Mikael Kanstrup
8788a314d7 WPS: Update MAC address on address changes
The WPS component keeps a copy of the network interface MAC address.
When MAC address is changed the WPS copy was not updated so WPS M1
message contained the old address. Some devices check this field
and fail connection attempts.

Update the WPS MAC address on interface MAC address changes.

Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sony.com>
2019-09-09 16:49:34 +03:00
Jouni Malinen
a69742c2f8 wpa_cli: Do not pick p2p-dev-* interfaces by default
These are the driver-specific interface for the non-netdev P2P Device
interface and not something that useful for most use cases. Skip them to
allow the main netdev (e.g., wlan0 over p2p-dev-wlan0) to be selected.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-09-09 16:37:46 +03:00
Ankita Bajaj
a8bfc6fff2 FILS: Update connect params after sending connection notification
Update connect params will update auth_alg and fils_hlp_req in
wpa_supplicant structure before calling function
wpas_notify_state_changed(). This could have resulted in triggering
inconsistent state change events and messages in the Android framework.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-09-08 17:50:23 +03:00
Jouni Malinen
1eff2e7bf1 DPP2: Fix wpa_supplicant build dependencies for CONFIG_AP=y build
Fix CONFIG_DPP2=y with CONFIG_AP=y build for cases where the needed
dependencies were not pulled in by other optional build parameters.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-09-08 17:44:07 +03:00
Jouni Malinen
d2bae5763d DPP: Fix wpa_supplicant build dependencies for DPP-only build
Fix CONFIG_DPP=y build for cases where the needed dependencies were not
pulled in by other optional build parameters.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-09-08 17:39:43 +03:00
Jouni Malinen
7d2ed8bae8 Remove CONFIG_IEEE80211W build parameter
Hardcode this to be defined and remove the separate build options for
PMF since this functionality is needed with large number of newer
protocol extensions and is also something that should be enabled in all
WPA2/WPA3 networks.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-09-08 17:33:40 +03:00
Jouni Malinen
6816182461 EAP-TEAP peer: Add support for machine credentials using certificates
This allows EAP-TLS to be used within an EAP-TEAP tunnel when there is
an explicit request for machine credentials. The network profile
parameters are otherwise same as the Phase 1 parameters, but each one
uses a "machine_" prefix for the parameter name.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-09-01 17:19:43 +03:00
Jouni Malinen
ebee8232d3 Do not try to include net/ethernet.h in MinGW/Windows builds
Signed-off-by: Jouni Malinen <j@w1.fi>
2019-09-01 17:19:43 +03:00
Jouni Malinen
bf15b15598 Fix Windows error code definition workaround
ENOTCONN, EOPNOTSUPP, and ECANCELED are defined in a newer version of
MinGW, so make this workaround conditional on what is defined in the
header files.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-09-01 17:19:43 +03:00
Jouni Malinen
043de65f1c EAP peer config: Move ocsp param to phase1/phase2
OCSP configuration is applicable to each instance of TLS-based
authentication and as such, the configuration might need to be different
for Phase 1 and Phase 2. Move ocsp into struct eap_peer_cert_config and
add a separate ocsp2 network profile parameter to set this for Phase 2.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-09-01 17:19:35 +03:00
Jouni Malinen
b99c4cadb7 EAP peer: Move certificate configuration params into shared struct
These parameters for certificate authentication are identical for the
Phase 1 (EAP-TLS alone) and Phase 2 (EAP-TLS inside a TLS tunnel).
Furthermore, yet another copy would be needed to support separate
machine credential in Phase 2. Clean this up by moving the shared
parameters into a separate data struct that can then be used for each
need without having to define separate struct members for each use.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-09-01 17:19:31 +03:00
Sven Eckelmann
6e711e7ab3 mesh: Do not enable HE on 5 GHz without VHT
The commit ad9a1bfe78 ("nl80211: Share VHT channel configuration for
HE") always enforced that VHT is enabled when HE was enabled. This broke
the mesh functionality on 2.4 GHz with HE because ibss_mesh_setup_freq()
isn't setting up the VHT parameters for 2.4 GHz.

This problem was resolved for 2.4 GHz by commit df4f959988 ("nl80211:
Don't force VHT channel definition with HE"), but it is still possible
to disable VHT during the mesh/IBSS freq setup on 5 GHz - which would
result in the same problem as seen on 2.4 GHz.

The code enabling HE for IBSS/mesh must now make sure that it doesn't
enable HE when VHT could be enforced by the nl80211 driver code but
disabled by the user.

Fixes: 3459c54ac7 ("mesh: Add support for HE mode")
Signed-off-by: Sven Eckelmann <seckelmann@datto.com>
2019-08-30 16:02:23 +03:00
Jouni Malinen
c724a0a16c EAP peer: Add a concept of a separate machine credential
This is an initial step in adding support for configuring separate user
and machine credentials. The new wpa_supplicant network profile
parameters machine_identity and machine_password are similar to the
existing identity and password, but explicitly assigned for the purpose
of machine authentication.

This commit alone does not change actual EAP peer method behavior as
separate commits are needed to determine when there is an explicit
request for machine authentication. Furthermore, this is only addressing
the username/password credential type, i.e., additional changes
following this design approach will be needed for certificate
credentials.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-08-20 13:24:14 +03:00
Jouni Malinen
52069c7eff Add TLS-PRF using HMAC with P_SHA384 for TEAP
This version of TLS PRF is needed when using TEAP with TLS ciphersuites
that are defined to use SHA384 instead of SHA256.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-08-16 21:16:37 +03:00
Jouni Malinen
a647a0ad75 Extend server certificate TOD policy reporting to include TOD-TOFU
The previously used single TOD policy was split into two policies:
TOD-STRICT and TOD-TOFU. Report these separately in the
CTRL-EVENT-EAP-PEER-CERT events (tod=1 for TOD-STRICT and tod=2 for
TOD-TOFU).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-08-16 16:40:31 +03:00
Sunil Dutt
346d10cf82 SAE: Conditionally set PMKID while notifying the external auth status
This is needed for the drivers implementing SME to include the PMKID in
the Association Request frame directly following SAE authentication.

This commit extends the commit d2b2083843 ("SAE: Allow PMKID to be
added into Association Request frame following SAE") for drivers with
internal SME that use the external authentication mechanism.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-08-16 15:37:36 +03:00
Sunil Dutt
b7cd64876d SAE: Use BSSID stored in ext_auth_bssid for set_pmk
pending_bssid is cleared in the connected state and thus is not valid if
SAE authentication is done to a new BSSID when in the connected state.
Hence use the BSSID from ext_auth_bssid while configuring the PMK for
the external authentication case. This is required for roaming to a new
BSSID with driver-based-SME while the SAE processing happens with
wpa_supplicant.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-08-16 15:32:55 +03:00
Sunil Dutt
e0b331d896 OWE: Update connect params with new DH attributes to the driver
A new DH public key is sent through this interface to the driver after
every successful connection/roam to a BSS. This helps to do OWE roaming
to a new BSS with drivers that implement SME/MLME operations during
roaming.

This updated DH IEs are added in the subsequent (Re)Association Request
frame sent by the station when roaming. The DH IE from the roamed AP is
given to wpa_supplicant in the roam result event. wpa_supplicant shall
further process these DH IEs to generate the PMK for the 4-way
handshake.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-08-16 15:31:10 +03:00
Jouni Malinen
ae05b6a215 RSN: Do not allow connection to proceed without MFPC=1 if PMF required
PMF capability check is done as part of BSS selection routines, but
those are not used when going through the enforced roaming operation
("ROAM <BSSID>" control interface command). While that mechanism is
mainly for testing purposes, extend it to do the same check for PMF to
prevent cases where forced roaming could end up disabling PMF against
the local profile requirement.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-08-16 13:48:16 +03:00
Ankita Bajaj
0028d627c8 OCE: Mandate PMF for WPA2 association with OCE AP
An OCE AP with WPA2 enabled shall require PMF negotiation when
associating with an OCE STA. An OCE STA-CFON may negotiate PMF with a
STA when it is operating as an AP. Don't select an OCE AP for connection
if PMF is not enabled.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-08-15 19:06:53 +03:00
Purushottam Kushwaha
84ebc759a0 HS 2.0: Match credentials based on required_roaming_consortium
When required_roaming_consortium is set in a credential, station
should match this against Roaming Consortium(s) for a BSS similar
to how it is matching for roaming_consortiums during Interworking
credentials availability check for roaming_consortium.

In the context of Hotspot 2.0 PPS MO, this means addressing matching
part in the same manner for HomeSP/HomeOIList/<X+>/HomeOI regardless of
how HomeSP/HomeOIList/<X+>/HomeOIRequired is set (i.e., the required
part is used as an independent check for the AP advertising the needed
information while the "credential can be used here and this is a home
network" part is shared).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-08-15 16:51:02 +03:00
Jouni Malinen
d2b2083843 SAE: Allow PMKID to be added into Association Request frame following SAE
IEEE Std 802.11-2016 does not require this behavior from a SAE STA, but
it is not disallowed either, so it is useful to have an option to
identify the derived PMKSA in the immediately following Association
Request frames. This is disabled by default (i.e., no change to previous
behavior) and can be enabled with a global wpa_supplicant configuration
parameter sae_pmkid_in_assoc=1.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-08-14 17:49:23 +03:00
Matthew Wang
dd0153fced Check for LEAP before doing FT
According to https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/80211r-ft/b-80211r-dg.html
Cisco does not support EAP-LEAP with Fast Transition. Here,
we check for LEAP before selecting FT 802.1X key management
suite.

Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
2019-08-11 18:04:24 +03:00
Jouni Malinen
b0b25c5bbc Clear external eapSuccess setting in driver-authorized cases
The conditions for the eapol_sm_notify_eap_success(FALSE) calls did not
cover the case where eapol_sm_notify_eap_success(TRUE) had been called
based on offloaded 4-way handshake and driver notification of
authorization in wpa_supplicant_event_port_authorized(). This could
result in eapSuccess and altSuccess state machine variables being left
TRUE when roaming to another BSS and that results in EAP failure if the
following roaming case does not get fully authorized through the driver
offload.

Fix this by clearing eapSuccess/altSuccess when processing a new
association (including roaming) event and also when disconnecting from
the network.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-08-07 19:24:06 +03:00
Jouni Malinen
ca8c2bd28a Preparations for v2.8 release
Update the version number for the build and also add the ChangeLog
entries for both hostapd and wpa_supplicant to describe main changes
between v2.7 and v2.8.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-08-07 16:25:25 +03:00
Sunil Dutt
3263fca289 Set the default scan IEs on interface restart
Previously, these default scan IEs were set only when parameter values
changed and during the interface initialization, which can get lost in
the driver on an interface restart. Hence, also set these IEs on an
interface restart notification even when there has been no change in the
values since the last update to the driver.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-08-07 11:43:12 +03:00
Jouni Malinen
422e73d623 DPP: Indicate authentication success on ConfReqRX if needed
It is possible to receive the Configuration Request frame before having
seen TX status for the Authentication Confirm. In that sequence, the
DPP-AUTH-SUCCESS event would not be indicated before processing the
configuration step and that could confuse upper layers that follow the
details of the DPP exchange. As a workaround, indicate DPP-AUTH-SUCCESS
when receiving the Configuration Request since the Enrollee/Responser
has clearly receive the Authentication Confirm even if the TX status for
it has not been received.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-08-05 13:31:14 +03:00
Arend van Spriel
cb28bd52e1 nl80211: Use separate flag for 4-way handshake offload
Commit d896874f86 ("nl80211: Indicate 802.1X 4-way handshake offload
in connect") used the req_key_mgmt_offload flag to indicate to the
driver that it should offload the 802.1X handshake. However, this field
was existing and used for a different offload API. This causes
wpa_supplicant to send a connect request without the WANT_1X_HS flag and
the subsequent set-pmk is rejected causing the connection to fail. Fix
that by introducing a new flag req_handshake_offload so the offloads are
no longer entangled.

Fixes: d896874f86 ("nl80211: Indicate 802.1X 4-way handshake offload in connect")
Reported-by: Stefan Wahren <wahrenst@gmx.net>
Tested-by: Stefan Wahren <wahrenst@gmx.net>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
2019-08-01 15:52:48 +03:00
Brian Norris
cc2fd94258 D-Bus: Demote timeout/flush messages to MSG_MSGDUMP
We intentionally don't emit property-changed signals on every property
update -- for "less timing critical" messages we delay up to 5
milliseconds waiting to see if we can batch them together. When the
timer hits, we emit the signal anyway and (potentially) log this
message. This amounts to effectively tracing every property update,
which can be quite excessive.

Lower this to MSGDUMP, so MSG_DEBUG can remain slightly more sane.

Signed-off-by: Brian Norris <briannorris@chromium.org>
2019-07-31 22:06:33 +03:00
Yu Wang
0136864032 P2P: Pass HE flag to GO negotiation result
In order to set up P2P connection with HE capability,
the 'he' flag should be passed to GO negotiation result.

Signed-off-by: Yu Wang <yyuwang@codeaurora.org>
2019-07-29 11:48:09 +03:00
Disha Das
5a511924b1 wpa_cli: Add support to process DPP action events in action script
Signed-off-by: Disha Das <dishad@codeaurora.org>
2019-07-24 20:16:02 +03:00
Jouni Malinen
64e37be945 Avoid nested enum wpas_mode declaration to allow C++ compilation
Move enum wpas_mode declaration to the global scope to avoid issues with
the recently added inline function wpas_mode_to_ieee80211_mode() using
it as an argument. This fixes C++ compilation issues with cases that
include wpa_supplicant_i.h.

Fixes: 3459c54ac7 ("mesh: Add support for HE mode")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-07-24 19:49:24 +03:00
Jouni Malinen
0ed57c5ea8 EAP-TEAP server and peer implementation (RFC 7170)
This adds support for a new EAP method: EAP-TEAP (Tunnel Extensible
Authentication Protocol). This should be considered experimental since
RFC 7170 has number of conflicting statements and missing details to
allow unambiguous interpretation. As such, there may be interoperability
issues with other implementations and this version should not be
deployed for production purposes until those unclear areas are resolved.

This does not yet support use of NewSessionTicket message to deliver a
new PAC (either in the server or peer implementation). In other words,
only the in-tunnel distribution of PAC-Opaque is supported for now. Use
of the NewSessionTicket mechanism would require TLS library support to
allow arbitrary data to be specified as the contents of the message.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-07-09 16:56:02 +03:00
Jouni Malinen
d3a035169b Remove useless NULL comparison for an array
Now that the TLS peer_cert information is provided as a full struct to
handler functions, the altsubject pointer shows up as an array and
causes static analyzers to warn about unnecessary NULL comparison. Get
rid of that comparison now that it is clearly not needed anymore.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-07-07 10:00:49 +03:00
Eric Caruso
91b6eba773 Move MAC address randomization enable/disable to helper functions
This makes it easier to share this for D-Bus implementation.

Signed-off-by: Eric Caruso <ejcaruso@chromium.org>
2019-06-26 20:56:01 +03:00
Sven Eckelmann
3459c54ac7 mesh: Add support for HE mode
Mesh points can partially support HE features (when requiring no
controlling STA/AP) as long as hardware supports it. The kernel just
requires support for HE mesh and wpa_supplicant can forward the peer
capabilities to the kernel for further processing.

Signed-off-by: Sven Eckelmann <seckelmann@datto.com>
2019-06-23 18:03:51 +03:00
Sven Eckelmann
f74618cb92 wpa_supplicant: Fix type for ssid->mode comparisons
The ssid->mode is from type enum wpas_mode and all its constants start
with WPAS_MODE_*. Still some of the code sections used the
IEEE80211_MODE_* defines instead of WPAS_MODE_*.

This should have no impact on the actual code because the constants for
INFRA, IBSS, AP and MESH had the same values.

Signed-off-by: Sven Eckelmann <seckelmann@datto.com>
2019-06-23 18:03:51 +03:00
Amit Khatri
30bbff142d DPP: Fix documentation to include operating class for URI
As per code dpp_parse_uri_chan_list() function checks "/" as separator
for operating class and operating channel. Update readme accordingly.

Signed-off-by: Amit Khatri <amit7861234@gmail.com>
2019-06-22 20:39:39 +03:00
Purushottam Kushwaha
dcc31e7957 HS 2.0: Skip credential without EAP method for roaming consortium match
EAP method is required for a credential that matches configured
roaming_consortium with an Interworking AP. Hence skip credentials which
do not have EAP method specified for this match. This fixes an issue
where a credential that cannot work without EAP method from NAI Realms
information is selected first based on roaming consortium.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-06-14 23:10:51 +03:00
Ankita Bajaj
ef59f98729 WNM: Provide option to disable/enable BTM support in STA
Add support to disable/enable BTM support using configuration and
wpa_cli command. This is useful mainly for testing purposes.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-06-14 23:10:51 +03:00
Jouni Malinen
21f1a1e66c Report TOD policy in peer certificate events
Add tod=1 to CTRL-EVENT-EAP-PEER-CERT events if the peer certificate
includes the TOD policy in the X.509v3 Certificate Policies extension.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-06-14 23:10:50 +03:00
Jouni Malinen
bc0634da4a Pass full struct to peer certificate callbacks
This makes it easier to add new information to the callbacks without
having to modify each callback function type in EAPOL and EAP code every
time.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-06-14 23:10:50 +03:00