Commit graph

17059 commits

Author SHA1 Message Date
Jouni Malinen
d675d3b15b Add helper functions for parsing RSNXE capabilities
Simplify the implementation by using shared functions for parsing the
capabilities instead of using various similar but not exactly identical
checks throughout the implementation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-04-10 12:43:38 +03:00
Jouni Malinen
663e190b72 SAE: Remove now unused password identifier argument from non-H2E case
IEEE Std 802.11-2020 mandates H2E to be used whenever an SAE password
identifier is used. While this was already covered in the
implementation, the sae_prepare_commit() function still included an
argument for specifying the password identifier since that was used in
an old test vector. Now that that test vector has been updated, there is
no more need for this argument anymore. Simplify the older non-H2E case
to not pass through a pointer to the (not really used) password
identifier.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-04-10 12:12:54 +03:00
Ilan Peer
79f87f4734 PASN: Change PASN flows to use SAE H2E only
Do so for both wpa_supplicant and hostapd. While this was not explicitly
required in IEEE P802.11az/D3.0, likely direction for the draft is to
start requiring use of H2E for all cases where SAE is used with PASN.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-04-10 12:12:22 +03:00
Ilan Peer
d9c566b1b8 tests: Update PASN tests with SAE to use sae_pwe=2
As a preparation for changing wpa_supplicant and hostapd
implementation to use SAE H2E only.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-04-10 12:12:22 +03:00
Ilan Peer
09ca9851b3 tests: Use the correct SSID in PASN SAE tests
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-04-10 11:55:55 +03:00
Ilan Peer
ab7109f007 tests: Add coverage for PASN authentication with KDK derivation
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-04-10 11:55:55 +03:00
Ilan Peer
8c786e0687 PASN: Derive KDK only when required
When a PTK derivation is done as part of PASN authentication flow, a KDK
derivation should be done if and only if the higher layer protocol is
supported by both parties.

Fix the code accordingly, so KDK would be derived if and only if both
sides support Secure LTF.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-04-10 11:55:55 +03:00
Kiran Kumar Lokere
655edc19cf Vendor attributes to configure broadcast TWT parameters
Define the new TWT attributes for configuring the broadcast TWT
parameters in enum qca_wlan_vendor_attr_twt_setup.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-04-09 21:51:46 +03:00
Mohammad Asaad Akram
49ad86b0cf Add vendor reason codes for TWT setup reject on roaming/channel switch
The firmware rejects the TWT setup request when roaming and channel
switch is in progress. Extend enum qca_wlan_vendor_twt_status to
represent new reason codes for these cases.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-04-09 21:51:46 +03:00
Sunil Dutt
0bae161229 Set last_eapol_matches_bssid=1 on a roam+auth indication from driver
Commit 3ab35a6603 ("Extend EAPOL frames processing workaround for
roaming cases") added a work around to address the issue of EAPOL frame
reception after reassociation replied to with an incorrect destination
address (the BSSID of the old AP). This is due to association events and
EAPOL RX events being reordered for the roaming cases with drivers that
perform BSS selection internally.

This mechanism relies on the fact that the driver always forwards the
EAPOL handshake to wpa_supplicant after the roaming (sets
last_eapol_matches_bssid during the EAPOL processing and resets on the
assoc/reassoc indication).

The above approach does not address the case where the driver does the
EAPOL handshake on the roam, indicating the authorized status to
wpa_supplicant but also forwards the EAPOL handshake to wpa_supplicant
for few other roam attempts. This is because the flag
last_eapol_matches_bssid is not set with the roam+authorized event from
the driver. Thus, the next reorder of roam and EAPOL RX events would
miss this workaround.

Address this by setting last_eapol_matches_bssid=1 on a roam+authorized
event from the driver.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-04-09 21:51:46 +03:00
Jouni Malinen
527be9ce72 SAE: Increment the Sc counter before generating each Confirm
This changes the Send-Confirm value for the first SAE Confirm message to
be 1 instead of 0 for all cases to match the design shown in IEEE Std
802.11-2020, Figure 12-4 (SAE finite state machine).

Sc is defined to be "the number of SAE Confirm messages that have been
sent" which is a bit vague on whether the current frame is included in
the count or not. However, the state machine is showing inc(Sc)
operation in all cases before the "2" event to build the Confirm.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-04-09 21:51:46 +03:00
Jouni Malinen
47f51c8ba4 tests: Update SAE test vector to IEEE Std 802.11-2020
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-04-09 21:51:46 +03:00
Yu Wang
5f082c158c nl80211: Support larger number of MAC ACL entries
If the maximum size of MAC ACL entries is large enough, the
configuration message may exceed the default buffer size of a netlink
message which is allocated with nlmsg_alloc(), and result in a failure
when putting the attributes into the message.

To fix this, calculate the required buffer size of the netlink message
according to MAC ACL size and allocate a sufficiently large buffer with
nlmsg_alloc_size().

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-03-31 00:30:11 +03:00
Yu Wang
f1fc9cf74e nl80211: Fix the size of the maximum MAC ACL size
NL80211_ATTR_MAC_ACL_MAX is a u32 attribute to advertise the maximum
number of MAC addresses that a device can support for MAC ACL. This was
incorrectly used as a u8 attribute which would not work with any values
larger than 255 or on big endian CPUs. Fix this by moving from
nla_get_u8() to nla_get_u32().

Fixes: 3c4ca36330 ("hostapd: Support MAC address based access control list")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-03-31 00:30:05 +03:00
Jouni Malinen
f9ca4e3107 tests: Multi-AP and WPS parameter update
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-28 18:43:47 +03:00
Jouni Malinen
838a5aa95a tests: WPS Registrar init errors
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-28 18:35:46 +03:00
Jouni Malinen
93576264bc WPS: Share a single error handling path in wps_set_ie()
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-28 18:26:19 +03:00
Jouni Malinen
7ed1cb8933 tests: WPS PBC session overlap workaround
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-28 18:23:41 +03:00
Jouni Malinen
3f3e77133d tests: WPS ER and UNSUBSCRIBE errors
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-28 18:15:25 +03:00
Jouni Malinen
57de28b94a tests: WPS ER and HTTP client timeout
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-28 18:05:47 +03:00
Jouni Malinen
2445e18b6f tests: assoc+auth driver event
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-28 13:33:40 +03:00
Jouni Malinen
00bec7b5be tests: IEEE 802.1X and FORCE_UNAUTH state
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-28 12:36:18 +03:00
Lavanya Suresh
e72e322539 hostapd: Enable WMM automatically when HE is configured
If WMM is not set explicitly in the configuration, it can be set based
on HT/HE config. As HE can be used without HT/VHT (which was introduced
as a special behavior for the 6 GHz band), add a similar automatic
enabling of WMM for HE without HT.

Signed-off-by: Lavanya Suresh <lavaks@codeaurora.org>
2021-03-26 00:21:18 +02:00
Jouni Malinen
43a65b40b9 tests: P2P peer table limit
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-03-26 00:21:18 +02:00
Jouni Malinen
1a47e2ff8f tests: INTERFACE_ADD behavior on driver init failure
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-03-26 00:21:18 +02:00
Jouni Malinen
8ca330bd70 Flush pending control interface message for an interface to be removed
wpa_supplicant_ctrl_iface_deinit() was executed only if the
per-interface control interface initialization had been completed. This
is not the case if driver initialization fails and that could result in
leaving behind references to the freed wpa_s instance in a corner case
where control interface messages ended up getting queued.

Fix this by calling wpa_supplicant_ctrl_iface_deinit() in all cases to
cancel the potential eloop timeout for wpas_ctrl_msg_queue_timeout with
the reference to the wpa_s pointer. In addition, flush any pending
message from the global queue for this interface since such a message
cannot be of use after this and there is no need to leave them in the
queue until the global control interface gets deinitialized.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-03-26 00:21:18 +02:00
Jouni Malinen
6bcd4abdc1 tests: FT with beacon protection
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-26 00:21:18 +02:00
Jouni Malinen
df197713c9 tests: OCV testing with AP special functionality set after ENABLE
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-26 00:21:18 +02:00
Jouni Malinen
30f8b912df tests: WPA2-PSK AP and GTK rekey failure
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-26 00:21:18 +02:00
Jouni Malinen
174433fa04 tests: WNM-Sleep Mode exit with PMF and beacon protection
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-26 00:21:18 +02:00
Jouni Malinen
4a841a218b Fix WNM-Sleep Mode exit debug print of BIGTK
Previous debug print used IGTK instead of BIGTK, so fix that to use the
correct key. Actual generation of the BIGTK subelement itself was using
the correct key, though, so this is only needed to fix the debug print.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-26 00:21:18 +02:00
Jouni Malinen
14d31cd978 tests: Re-enable op class 118-120 tests with new regdb
Move from RS to PA country code to allow these test cases to work since
regdb was updated to require DFS for these operating classes in RS.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-26 00:21:06 +02:00
Jouni Malinen
c705d8421a tests: hostapd configuration with op_class
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-24 00:46:57 +02:00
Jouni Malinen
e6510056db tests: DPP PFS error cases
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-24 00:05:05 +02:00
Jouni Malinen
1aa2bc46f7 tests: MSCS
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-23 00:42:06 +02:00
Jouni Malinen
354f87e2e3 MSCS: Fix MSCS Response frame Status field parsing
This is a 2 octet field, so need to use WPA_GET_LE16() here instead of
using only the first octet of the value.

Fixes: bbd3178af4 ("MSCS: Add support to process MSCS Response frames")
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-23 00:42:06 +02:00
Jouni Malinen
b8673baeab Add REGISTER_FRAME hostapd control interface command for testing purposes
This can be used to register reception of new types of Management frames
through nl80211.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-23 00:42:06 +02:00
Jouni Malinen
60974eb3f6 Allow AP mode extended capabilities to be overridden
The new hostapd configuration parameters ext_capa_mask and ext_capa can
now be used to mask out or add extended capability bits. While this is
not without CONFIG_TESTING_OPTIONS, the main use case for this is for
testing purposes.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-22 11:58:21 +02:00
Jouni Malinen
7365eb43ea Make hostapd_config_fill() easier to auto indent
The conditional compilation block with only the opening brace included
in two variants was messing up auto indentation in emacs. Work around
this by defining the maximum value conditionally while leave the if
block outside any conditional building rules.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-22 11:52:51 +02:00
Jouni Malinen
8ca09293ea Simplify extended capability determination in AP mode
There is no need to determine the exact length of the element before
filling in the octets since this function is already capable of
truncated the fields based on what the actual values are.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-22 11:12:39 +02:00
Jouni Malinen
37306a0042 PASN: Use a helper function to free radio work data
This is safer in avoiding memory leaks now that there is a dynamically
allocated member within the data struct.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-21 18:33:17 +02:00
Jouni Malinen
349e9eafbb PASN: Mark pubkey/comeback arguments constant for frame construction
These parameters are only copied to the frame, so mark them as constant.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-21 18:30:52 +02:00
Ilan Peer
93ef7e8c91 tests: Add PASN tests with comeback flow
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-03-21 18:28:34 +02:00
Ilan Peer
67014b3f74 PASN: Add support for comeback flow to wpa_supplicant
Process the received comeback cookie and retry automatically if the AP
allows this. Otherwise, provide the cookie to upper layers to allow a
later attempt with the cookie.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-03-21 18:28:34 +02:00
Ilan Peer
ab623ac750 PASN: Add support for comeback flow in AP mode
Reuse the SAE anti-clogging token implementation to support similar
design with the PASN comeback cookie.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-03-21 18:01:27 +02:00
Jouni Malinen
4871df4bf7 tests: DPP NFC operation failures in hostapd
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-21 16:55:44 +02:00
Jouni Malinen
9c809b2aaa tests: DPP bootstrapping via NFC URI record (hostapd reading tag)
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-21 16:39:46 +02:00
Jouni Malinen
c4b2d6f566 tests: DPP GAS Query error cases with hostapd
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-21 16:33:41 +02:00
Jouni Malinen
4ed10754e8 DPP: Fix GAS client error case handling in hostapd
The GAS client processing of the response callback for DPP did not
properly check for GAS query success. This could result in trying to
check the Advertisement Protocol information in failure cases where that
information is not available and that would have resulted in
dereferencing a NULL pointer. Fix this by checking the GAS query result
before processing with processing of the response.

This is similar to the earlier wpa_supplicant fix in commit 931f7ff656
("DPP: Fix GAS client error case handling").

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-21 11:47:39 +02:00
Jouni Malinen
3ae18d4bd7 EAP-SIM/AKA: Fix check for anonymous decorated identity
eap_sim_anonymous_username() gets called with an argument that is not a
null terminated C string and as such, os_strrchr() and os_strlen()
cannot be used with it. The previous implementation resulted in use of
uninitialized values and a potential read beyond the end of the buffer.

Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32277
Fixes: 73d9891bd7 ("EAP-SIM/AKA peer: Support decorated anonymous identity prefix")
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-20 16:28:44 +02:00