Commit graph

12421 commits

Author SHA1 Message Date
Vidyullatha Kanchanapally
8696e61702 eap_proxy: Add support for deriving ERP information
This commit adds support for deriving ERP key information in EAP Proxy
based EAP method implementations.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-05 08:04:52 +03:00
Vidyullatha Kanchanapally
115d5e2221 hostapd: Fix handling a 20/40 BSS Coexistence Management frame
hostapd processes a received 20/40 BSS Coexistence management frame, but
if no separate callbacks are registered for handling Public Action
frames it eventually sends a reply with MSB of category code set to 1
thinking that the received frame is an invalid frame. This could happen
based on whether hostapd was built and enabled with functionality using
the callback functions.

Fix this by explicitly returning 1 from the function when the 20/40 BSS
Coexistence Management frame is processed.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-05 08:04:44 +03:00
Sunil Dutt
2d18ab4082 Add a config parameter to exclude DFS channels from ACS
The new acs_exclude_dfs=1 parameter can be used to request hostapd to
exclude all DFS channels from ACS consideration. This is mainly of use
for cases where the driver supports DFS channels, but for some reason a
non-DFS channel is desired when using automatic channel selection.
Previously, the chanlist parameter could have been used for this, but
that required listing all the acceptable channels. The new parameter
allows this to be done without such a list.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-05-27 11:50:21 +03:00
Sunil Dutt
3c2bd55f03 P2P: wpas_p2p_select_go_freq() to check for supported pref_freq
This commit is similar to the commit
783c2920cc ('P2P: Check if the pref_freq
reported by the driver supports P2P') but extends the check for
supported pref_freq to wpas_p2p_select_go_freq().

This avoids issues with P2P_GROUP_ADD ending up selecting an unexpected
channel when get_pref_freq_list() (i.e.,
QCA_NL80211_VENDOR_SUBCMD_GET_PREFERRED_FREQ_LIST) is used. Filter the
list by removing channels that do not allow P2P operation at all.
Previously, only the explicitly disallowed channels were removed and
that could have resulted in selecting an operating channel that is not
allowed for P2P and failing to complete the operation to start the
group.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-05-27 11:41:02 +03:00
Jouni Malinen
c01de21932 tests: Avoid unexpected roam in wnm_bss_tm
It was possible for the BTM Request with no matching BSSIDs to cause
wpa_supplicant-initated roam to a better BSS (5 GHz band preferred) when
finding the second AP in a scan started by that BTM Request. This could
make the following step in the test case fail. Fix this by asking
another channel to be scanned to postpone discovery of the other AP.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-05-27 11:19:00 +03:00
Jouni Malinen
8171d70406 tests: Write TEST-START and TEST-STOP into kernel logs with timestamps
This makes it easier to synchronize log entries in the kernel log
(seconds from boot) and wpa_supplicant/hostapd (UNIX timestamp).

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-05-27 11:08:16 +03:00
Peng Xu
8d968351a0 Interworking: Add NULL checking for EAP name in phase2/autheap parameter
Add NULL checking for EAP name. If it is NULL, do not add the phase2
parameter autheap. This should not happen in practice due to earlier
checks for credential matching, but if there is a code path that would
allow this to be set, it is better to skip setting of the invalid value
and allow automatic selection of the Phase 2 parameters.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-05-26 13:20:52 +03:00
Sunil Dutt
9ddba3a309 Rename vendor attribute DISABLE_OFFCHANNEL to RESTRICT_OFFCHANNEL
This commit renames the vendor attribute
QCA_WLAN_VENDOR_ATTR_CONFIG_DISABLE_OFFCHANNEL to
QCA_WLAN_VENDOR_ATTR_CONFIG_RESTRICT_OFFCHANNEL as intended by the
original commit d506c35efc ('Set Wi-Fi
Configuration attribute to restrict offchannel operations').

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-05-26 13:18:06 +03:00
Sunil Dutt
d506c35efc Set Wi-Fi Configuration attribute to restrict offchannel operations
This commit defines an attribute to
QCA_NL80211_VENDOR_SUBCMD_SET_WIFI_CONFIGURATION -
QCA_WLAN_VENDOR_ATTR_CONFIG_RESTRICT_OFFCHANNEL which can be used to
restrict offchannel operations on the AP/GO interface.

The goal is to restrict any operations which would cause the AP/GO to
leave its operating channel.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-05-23 00:10:01 +03:00
Vidyullatha Kanchanapally
4aa329298d ERP: Do not generate ERP keys when domain name is not specified
This commit adds changes to not generate ERP information if the domain
name is not specified in the EAP identity. keyName-NAI needs the realm
part and as such, it is reasonable to require the main EAP configuration
to provide that realm.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-05-22 13:51:23 +03:00
Jouni Malinen
0a0c4dc1d7 tests: Use a domain name in the identity for get_emsk OOM tests
These test cases depend on ERP processing to reach the get_emsk handler
function. Since ERP really needs the realm to derive a proper
keyName-NAI, modify these test cases to pass the realm part in the
identity to allow error checking to be introduced for rejecting ERP
cases where the realm is not available.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-05-22 13:51:07 +03:00
Purushottam Kushwaha
34ee12c559 Do not flush PMKSA on bssid_hint change
Change in any network configuration at runtime will cause flush to
PMKSA cache. For most of the network parameters if there is no change
in value, PMKSA flush is not performed except 'bssid' and 'priority'.

Add 'bssid_hint' to exemption list of avoiding PMKSA flush on change.
This is needed to complete change in commit
43a356b268 ('Provide option to configure
BSSID hint for a network').

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-05-22 13:25:49 +03:00
Beniamino Galvani
290834df69 nl80211: Fix race condition in detecting MAC change
Commit 3e0272ca00 ('nl80211: Re-read MAC
address on RTM_NEWLINK') added the detection of external changes to MAC
address when the interface is brought up.

If the interface state is changed quickly enough, wpa_supplicant may
receive the netlink message for the !IFF_UP event when the interface
has already been brought up and would ignore the next netlink IFF_UP
message, missing the MAC change.

Fix this by also reloading the MAC address when a !IFF_UP event is
received with the interface up, because this implies that the
interface went down and up again, possibly changing the address.

Signed-off-by: Beniamino Galvani <bgalvani@redhat.com>
2017-05-13 20:01:44 +03:00
Vasanthakumar Thiagarajan
04f667fcdd DFS: Allow switch to DFS channel after radar detection in ETSI
This is to comply with uniform spreading requirement for ETSI domain
(section 4.7.2.7 in EN 301 893 - V1.8.1). ETSI uniform spreading
requires equal probability for the usable channels. The previous channel
selection logic after a radar detection did not fully comply with the
uniform spreading requirement for the domain by ignoring DFS channels.
Consider DFS channels also during channel selection when the current DFS
domain is ETSI.

Signed-off-by: Vasanthakumar Thiagarajan <vthiagar@qti.qualcomm.com>
2017-05-13 20:01:44 +03:00
Vasanthakumar Thiagarajan
aa56e36d66 driver: Make DFS domain information available to core
Current DFS domain information of the driver can be used in ap/dfs
to comply with DFS domain specific requirements like uniform spreading
for ETSI domain.

Signed-off-by: Vasanthakumar Thiagarajan <vthiagar@qti.qualcomm.com>
2017-05-13 20:01:44 +03:00
Jouni Malinen
9cd52ac356 tests: Verify DFS channel switch both in and outside ETSI
The behavior will be different based on the uniform spreading
requirement.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-05-13 20:01:44 +03:00
Vidyullatha Kanchanapally
e8e430fe7a Vendor attributes to retain connection on a roam request failure
This commit introduces the following two attributes to
QCA_NL80211_VENDOR_SUBCMD_KEY_MGMT_ROAM_AUTH events:

QCA_WLAN_VENDOR_ATTR_ROAM_AUTH_STATUS - Indicates the status of
	re-association requested by user space
QCA_WLAN_VENDOR_ATTR_ROAM_AUTH_RETAIN_CONNECTION - Indicates whether
	the old association was maintained when a re-association
	is requested by user space and that re-association attempt
	fails (i.e., cannot connect to the requested BSS, but can
	remain associated with the BSS with which the association was
	in place when being requested to roam).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-05-12 00:39:00 +03:00
Jouni Malinen
3ed72148b0 tests: cfg80211 connect command with bssid_hint
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-05-12 00:33:06 +03:00
Purushottam Kushwaha
43a356b268 Provide option to configure BSSID hint for a network
This exposes user configurable option to set bssid_hint for a network.
bssid_hint indicates which BSS has been found a suitable candidate for
initial association for drivers that use driver/firmware-based BSS
selection. Unlike the bssid parameter, bssid_hint does not limit the
driver from selecting other BSSs in the ESS.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-05-12 00:20:59 +03:00
Sunil Dutt
33117656e6 Define a QCA vendor attribute to update the listen interval
This commit defines an attribute
QCA_WLAN_VENDOR_ATTR_CONFIG_LISTEN_INTERVAL which allows the currently
used listen interval to be updated using
QCA_NL80211_VENDOR_SUBCMD_SET_WIFI_CONFIGURATION. This update applies
only during the association and is done without updating the AP about
the change.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-05-10 23:58:46 +03:00
Jouni Malinen
b7288e5d32 tests: OCSP test coverage with SHA-1 hash
The previous fix to the OCSP request construction ended up finally
moving from SHA-1 -based hash to SHA-256 for OCSP test cases. To
maintain coverage for SHA-1, add cloned versions of the two test cases
so that both SHA-256 and SHA-1 cases get covered.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-05-09 23:41:50 +03:00
Johannes Berg
d40d959e48 tests: Fix openssl ocsp command and check for errors
Fix the openssl ocsp command line and check if it returns an error - so
that instead of having something unusable later we error out
immediately. Moving the -sha256 argument earlier fixes hash function use
for the OCSP request generation (the old version used SHA-1).

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2017-05-09 23:36:36 +03:00
Jouni Malinen
85cff4b0d8 OpenSSL: Try SHA256 hash for OCSP certificate matching
Previously, only SHA1 hash -based server certificate matching was used,
but the OCSP response may use SHA256 instead of SHA1, so check the match
with both hash functions, if needed.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-05-09 23:36:36 +03:00
Jouni Malinen
d264c2e390 HTTP (curl): Try SHA256 hash for OCSP certificate matching
Previously, only SHA1 hash -based server certificate matching was used,
but the OCSP response may use SHA256 instead of SHA1, so check the match
with both hash functions, if needed.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-05-09 23:36:36 +03:00
Jouni Malinen
95818ec174 Fix compiler warning with CONFIG_IEEE80211R no-CONFIG_FILS build
Addition of remove_ies() handled the CONFIG_IEEE80211R dependency, but
missed the caller being within CONFIG_FILS as well.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-05-09 23:36:36 +03:00
Jaap Keuter
6136394545 Make CONFIG_MACSEC depend on IEEE8021X_EAPOL
When reducing the configuration for MACsec/MKA to the bare minimum, so
no EAP authentication, just MACsec/MKA SA use with preshared key/name,
the EAPOL engine is still needed to run the protocol for MKA. Without
any EAP authentication options the IEEE8021X_EAPOL option is not set,
resulting in a non-working Key Agreement Entity.

Therefore the CONFIG_MACSEC block needs to move up and set the
IEEE8021X_EAPOL option.

Signed-off-by: Jaap Keuter <jaap.keuter@xs4all.nl>
2017-05-08 16:28:27 +03:00
Masashi Honma
704e9d0f21 tests: Add mesh RSSI threshold test
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2017-05-08 16:26:06 +03:00
Masashi Honma
31a856a127 mesh: Make NL80211_MESHCONF_RSSI_THRESHOLD configurable
In some practical cases, it is useful to suppress joining to node in the
distance. The new field mesh_rssi_threshold could be used as RSSI
threshold for joining.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2017-05-08 16:23:02 +03:00
Jouni Malinen
481fecefec tests: BSS TM request with 160 MHz opclass 129
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-05-07 22:08:43 +03:00
Jouni Malinen
1f3c49d418 Fix 160 MHz opclass channel to frequency conversion
This needs to allow all 20 MHz channel numbers to be converted even
though the Annex E table lists only channel _center_ frequencies 50 and
114. Neighbor Report (see IEEE Std 802.11-2016, 9.4.2.37 Neighbor Report
element) uses Channel Number field with "last known primary channel of
the AP" which refers to the 20 MHz channel and not the channel center
frequency.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-05-07 22:08:43 +03:00
Jouni Malinen
82aea622e8 tests: D-Bus methods for setting TDLS channel switching
Signed-off-by: Jouni Malinen <j@w1.fi>
2017-05-07 22:08:43 +03:00
Nishant Chaprana
9f49474669 dbus: Add method to disable channel switching with a TDLS peer
This patch adds "TDLSCancelChannelSwitch" dbus method on
"fi.w1.wpa_supplicant1.Interface" interface to disable channel switching
with a TDLS peer.

Signed-off-by: Nishant Chaprana <n.chaprana@samsung.com>
2017-05-07 22:08:43 +03:00
Nishant Chaprana
2a57b4b821 dbus: Add method to enable channel switching with a TDLS peer
This patch adds "TDLSChannelSwitch" dbus method on
"fi.w1.wpa_supplicant1.Interface" interface to enable channel switching
with a TDLS peer.

Signed-off-by: Nishant Chaprana <n.chaprana@samsung.com>
2017-05-07 22:08:43 +03:00
Jouni Malinen
0238e8ba4c tests: D-Bus scan trigger and abort
Signed-off-by: Jouni Malinen <j@w1.fi>
2017-05-07 22:08:43 +03:00
Saurav Babu
1939505419 dbus: Add AbortScan method to abort ongoing scan
Signed-off-by: Saurav Babu <saurav.babu@samsung.com>
2017-05-07 22:08:43 +03:00
Jouni Malinen
13d36cce89 tests: FILS SK using ERP and FT initial mobility domain association
Signed-off-by: Jouni Malinen <j@w1.fi>
2017-05-07 22:08:43 +03:00
Jouni Malinen
8fed47e013 FILS: Derive FT key hierarchy on authenticator side for FILS+FT
Derive PMK-R0 and the relevant key names when using FILS authentication
for initial FT mobility domain association.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-05-07 22:08:43 +03:00
Jouni Malinen
7d440a3bc4 FILS: Derive FT key hierarchy on supplicant side for FILS+FT
Derive PMK-R0 and the relevant key names when using FILS authentication
for initial FT mobility domain association. Fill in the FT IEs in
(Re)Association Request frame for this.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-05-07 22:08:41 +03:00
Jouni Malinen
215eaa748b FILS: Implement FILS-FT derivation
This extends fils_pmk_to_ptk() to allow FILS-FT to be derived. The
callers do not yet use that capability; i.e., actual use will be added
in separate commits.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-05-07 17:04:29 +03:00
Jouni Malinen
80ddf5d995 FILS: Fix Key-Auth derivation for SK+PFS for authenticator side
The conditional gSTA and gAP (DH public keys) were not previously
included in Key-Auth derivation, but they are needed for the PFS case.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-05-07 17:04:29 +03:00
Jouni Malinen
e6b6231338 FILS: Fix Key-Auth derivation for SK+PFS for supplicant side
The conditional gSTA and gAP (DH public keys) were not previously
included in Key-Auth derivation, but they are needed for the PFS case.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-05-07 17:04:29 +03:00
Jouni Malinen
4d0a61c501 FILS: Debug print inputs to Key-Auth derivation
Signed-off-by: Jouni Malinen <j@w1.fi>
2017-05-07 17:04:29 +03:00
Dmitry Shmidt
be1ece46f5 wpa_supplicant: Add GET_CAPABILITY for P2P redirection
It will give capability to check channel list before P2P group is
created.

Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
2017-05-05 00:43:23 +03:00
Jonas Larsson
853cfa8738 Detect endianness when building for RTEMS
This adds endianness detection and byte swap
definitions for the RTEMS RTOS.

Signed-off-by: Jonas Larsson <ljonas@google.com>
2017-05-05 00:41:12 +03:00
Vamsi Krishna
35bb8a9a57 Android: Define CONFIG_TESTING_OPTIONS if enabled in config
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-05-05 00:26:06 +03:00
Vamsi Krishna
178553b709 MBO: Add support to set ignore assoc disallow to driver
Add support to set ignore assoc disallow to the driver so that the
driver ignores assoc disallowed bit set by APs while connecting. This is
used by drivers that handle BSS selection and roaming internally.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-05-05 00:26:05 +03:00
Michael Braun
942b52a8f6 tests: FT with AP-to-AP broadcast messages
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2017-05-03 22:16:14 +03:00
Michael Braun
3a46cf93d0 FT: Add support for wildcard R0KH/R1KH
Enable use of FT RRB without configuring each other AP locally. Instead,
broadcast messages are exchanged to discover APs within the local
network.

When an R0KH or R1KH is discovered, it is cached for one day.

When a station uses an invalid or offline r0kh_id, requests are always
broadcast. In order to avoid this, if r0kh does not reply, a temporary
blacklist entry is added to r0kh_list.

To avoid blocking a valid r0kh when a non-existing pmk_r0_name is
requested, r0kh is required to always reply using a NAK. Resend requests
a few times to ensure blacklisting does not happen due to small packet
loss.

To free newly created stations later, the r*kh_list start pointer in
conf needs to be updateable from wpa_auth_ft.c, where only wconf is
accessed.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2017-05-03 22:16:14 +03:00
Michael Braun
ba88dd65e7 tests: Update FT RRB function OOM paths
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2017-05-03 22:16:14 +03:00
Michael Braun
eefe863015 FT RRB: Add msg replay and msg delay protection
This adds a counter and adds sequence numbering to FT RRB packets. The
sequence number is checked against r0kh/r1kh sequence number cache.

Special attention is needed in case the remote AP reboots and thus loses
its state. I prefer it to recover automatically even without synchronized
clocks. Therefore an identifier called dom is generated randomly along the
initial sequence number. If the dom transmitted does not match or the
sequence number is not in the range currently expected, the sender is asked
for a fresh confirmation of its currently used sequence numbers. The packet
that triggered this is cached and processed again later.

Additionally, in order to ensure freshness, the remote AP includes an
timestamp with its messages. It is then verified that the received
messages are indeed fresh by comparing it to the older timestamps
received and the time elapsed since then. Therefore FT_RRB_TIMESTAMP is
no longer needed.

This assigns new OUI 00:13:74 vendor-specific subtype 0x0001 subtypes:
4 (SEQ_REQ) and 5 (SEQ_RESP).

This breaks backward compatibility, i.e., hostapd needs to be updated
on all APs at the same time to allow FT to remain functional.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2017-05-03 22:16:14 +03:00