Commit graph

7919 commits

Author SHA1 Message Date
Jouni Malinen
db59827a3c DPP2: Extend TCP encapsulation case to support Configurator as Initiator
This allows DPP_AUTH_INIT to be used with tcp_addr=<dst> argument and
Configurator parameters to perform Configurator initiated DPP
provisioning over TCP. Similarly, DPP_CONTROLLER_START can now be used
to specify Configurator/Enrollee roles and extend Controller to work in
Enrollee role.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-12 14:48:49 +03:00
Jouni Malinen
890ae336c0 DPP2: Clean up CONFIG_DPP2 use with configurator connectivity IE
Avoid duplicated return statement in CONFIG_DPP2=y builds.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 17:30:26 +03:00
Jouni Malinen
7f20a3ebda DPP2: Reconfiguration support in Controller
Add handling of Reconfiguration messages in Controller.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 17:26:11 +03:00
Jouni Malinen
6dcb8aaf13 DPP2: Reconfig Announcement relaying from AP to Controller
Recognize the Reconfig Announcement message type and handle it similarly
to the Presence Announcement in the Relay, i.e., send it to the first
Controller if the local Configurator does not have matching C-sign-key.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 17:26:11 +03:00
Jouni Malinen
3b4f7dfaa1 DPP2: Fix Presence Announcement processing in Controller
Use the new struct dpp_authentication instance when setting Configurator
parameters for authentication exchange triggered by Presence
Announcement. conn->auth is NULL here and would cause dereferencing of a
NULL pointer if dpp_configurator_params is set.

Fixes: fa5143feb3 ("DPP2: Presence Announcement processing in Controller")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 17:26:11 +03:00
Jouni Malinen
5e2d877cc4 DPP: Mark internal-to-file functions static
These functions are not used outside dpp_crypto.c anymore.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 17:26:11 +03:00
Jouni Malinen
3aaf269f67 DPP: Move TCP encapsulation into a separate source code file
This continues splitting dpp.c into smaller pieces.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 17:26:11 +03:00
Jouni Malinen
21c612017b DPP: Move configurator backup into a separate source code file
This continues splitting dpp.c into smaller pieces.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 17:26:11 +03:00
Jouni Malinen
fdbbb74064 DPP: Move authentication functionality into a separate source code file
This continues splitting dpp.c into smaller pieces.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 17:26:11 +03:00
Jouni Malinen
3e48c5d4b4 DPP2: Reconfig Authentication Confirm processing
Extend Enrollee functionality to process Reconfig Authentication
Confirm message and start GAS client.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 17:26:11 +03:00
Jouni Malinen
24b01c706b DPP2: Reconfig Authentication Response processing and Confirm generation
Extend Configurator functionality to process Reconfig Authentication
Response message, derive the needed keys, and generate Reconfig
Authentication Confirm message.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 17:26:09 +03:00
Jouni Malinen
65e94351dc DPP2: Reconfig Authentication Request processing and Response generation
Extend Enrollee functionality to process Reconfig Authentication Request
message, derive the needed keys, and generate Reconfig Authentication
Response message.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 16:41:33 +03:00
Jouni Malinen
3774b6bd03 DPP2: Reconfig Authentication Request generation and transmission
Extend Configurator functionality to sign a special Connector for
reconfiguration and reply with Reconfig Authentication Request frame
when Reconfig Announcement frame is received with a matching C-sign key
hash value.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 16:41:33 +03:00
Jouni Malinen
66ac616cdb DPP2: Process received Reconfig Announcement frame
Check if there is a matching Configurator and be ready to initiate
Reconfig Authentication (which itself is not included in this commit).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 16:41:33 +03:00
Jouni Malinen
0c043d9de7 DPP2: Reconfig Announcement transmission
Extend DPP chirping mechanism to allow Reconfig Announcement frames to
be transmitted instead of the Presence Announcement frames. Add a new
wpa_supplicant control interface command "DPP_RECONFIG <network id>" to
initiate reconfiguration for a specific network profile.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 16:41:33 +03:00
Jouni Malinen
92492dd3ac DPP2: Extend connector matching for reconfiguration
Allow the same helper functions to be used with reconfiguration
connector.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 16:41:33 +03:00
Jouni Malinen
961435097b DPP2: Move connStatus object building into a helper function
Allow the same helper function to be used for reconfiguration.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 16:41:33 +03:00
Jouni Malinen
94f73f90ef DPP: Move signed connector checking into a helper function
This can be reused for similar need with reconfiguration.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 16:41:33 +03:00
Jouni Malinen
94a28a4940 DPP: Move parsing of own connector into a helper function
This can be used for reconfiguration as well.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 16:41:33 +03:00
Jouni Malinen
d4ae12355a DPP: Move PKEX functionality into a separate source code file
This continues splitting dpp.c into smaller pieces.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 16:41:33 +03:00
Jouni Malinen
87b6572616 DPP: Move crypto routines into a separate source code file
This is an initial step in splitting the overly long dpp.c into smaller
pieces.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 12:09:24 +03:00
Jouni Malinen
16626dff9b DPP2: Derive bk ("base key")
Split ke derivation into two parts so that the previously used
internal-only PRK gets stored as the bk in the authentication state.
This new key will be needed for deriving additional keys with DPP R2.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-10 15:55:30 +03:00
Jouni Malinen
76029c6e11 DPP: Use EVP_PKEY_get0_EC_KEY() when a const reference is sufficient
This removes unnecessary allocations and simplifies the implementation
by not having to remember to free the cloned reference.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-10 15:55:30 +03:00
Jouni Malinen
481fdfc462 DPP2: Fix URI version parser
Fix a copy-paste error in parsing the version info.

Fixes: 7dd768c3ca ("DPP2: Version information in bootstrapping info URI")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-06 11:58:56 +03:00
Jouni Malinen
7dd768c3ca DPP2: Version information in bootstrapping info URI
Add the local supported version information into the bootstrapping
information (V=2 in the URI) and parse this from received URI.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-05 20:48:23 +03:00
Jouni Malinen
5a0718a19c DPP2: Report MUD URL and bandSupport in control interface events
Report MUD URL and bandSupport from config request if those optional
nodes are included. For now, these are mainly for testing purposes since
there is no mechanism to delay sending of config response.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-04 15:33:03 +03:00
Jouni Malinen
769139c490 DPP2: Do not include Protocol Version in Auth Req when testing v1
When DPP v2 implementation is hardcoded to behave as v1 for testing
purposes, leave out the Protocol Version attribute form Authentication
Request instead of including it there with indication for v1.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-04 13:12:21 +03:00
Jouni Malinen
fad64b4168 DPP: Move dppCon signing to a set of helper functions
This simplifies dpp_build_conf_obj_dpp() and makes it easier to share
the signing functionality for other purposes like reconfiguration where
the Configurator needs to sign a dppCon object for itself without
generating the encapsulating config object.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-04 00:39:19 +03:00
Jouni Malinen
12c8eacf73 DPP: Allow version number to be overridden for testing purposes
"SET dpp_version_override <ver>" can now be used to request
wpa_supplicant and hostapd to support a subset of DPP versions. In
practice, the only valid case for now is to fall back from DPP version 2
support to version 1 in builds that include CONFIG_DPP2=y.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-04 00:37:45 +03:00
Jouni Malinen
c3c38bc8b9 DPP2: Detect PFS downgrade attack while processing EAPOL-Key msg 3/4
Do not allow association to continue if the local configuration enables
PFS and the station indicates it supports PFS, but PFS was not
negotiated for the association.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-04 00:37:44 +03:00
Jouni Malinen
9561925b4d DPP2: Detect PFS downgrade attack while processing EAPOL-Key msg 2/4
Do not allow association to continue if the local configuration enables
PFS and the station indicates it supports PFS, but PFS was not
negotiated for the association.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-04 00:37:44 +03:00
Jouni Malinen
68422fedbf DPP2: Parse DPP KDE in EAPOL-Key Key Data field
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-04 00:37:44 +03:00
Jouni Malinen
143e3d8bc5 DPP2: Add DPP KDE into EAPOL-Key msg 2/4 when using DPP AKM
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-04 00:37:44 +03:00
Jouni Malinen
b11a12401a DPP2: Add DPP KDE into EAPOL-Key msg 3/4 when using DPP AKM
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-04 00:37:44 +03:00
Jouni Malinen
85d5456997 DPP2: Indicate if PFS was used in control interface STATUS
The new "dpp_pfs=1" entry can be used to determine whether PFS was used
during derivation of PTK when DPP AKM is negotiated for an association.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-04 00:37:44 +03:00
Jouni Malinen
1f5f000086 DPP2: Try to negotiate PFS only if AP supports version 2 or newer
Check AP's DPP Protocol Version during network introduction and mark the
PMKSA cache as suitable for PFS use with version 2 or newer. This avoids
unnecessary attempt of negotiating PFS with version 1 APs.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-04 00:37:44 +03:00
Jouni Malinen
42acf1292d DPP2: Add Protocol Version attribute to network introduction messages
This can be used to determine whether to try to negotiate PFS (only
available with version 2 or higher).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-04 00:37:44 +03:00
Jouni Malinen
a7d6098fb4 Add PRINTF_FORMAT for printf wrapper functions
This avoids compiler format-nonliteral warnings ("format string is not a
string literal").

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-05-02 21:04:17 +03:00
Jouni Malinen
a803ba4f9d Use more specific reason codes for 4-way handshake timeouts
IEEE 802.11 defines reason codes for indicating 4-way handshake and
group key handshake timeouts. Use those reason codes instead of the more
generic one for these particular cases in the Authenticator state
machine.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-29 13:00:53 +03:00
Jouni Malinen
ff0b87304c nl80211: Process unprotected Beacon frame RX events
Convert driver indications to internal events to allow invalid Beacon
frames to be reported to the AP.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-24 17:10:09 +03:00
Jouni Malinen
a39e9af908 nl80211: DPP listen mode callback
Update frame processing registration for DPP Public Action frames to
include multicast reception when in DPP listen mode and the driver
indicates support for this type of explicit request.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-24 17:07:01 +03:00
Jouni Malinen
e81e2091b3 Remove now unused Boolean/TRUE/FALSE definitions
The previous users were converted to C99 bool.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-24 17:06:50 +03:00
Jouni Malinen
71140cd5b1 RADIUS: Convert Boolean to C99 bool
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-24 17:06:50 +03:00
Jouni Malinen
2c55e67aaf airtime_policy: Convert Boolean to C99 bool
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-24 17:06:50 +03:00
Jouni Malinen
f75a0339d5 state_machine: Convert Boolean to C99 bool
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-24 17:06:50 +03:00
Jouni Malinen
0365458eb8 HE: Replace Boolean with C99 bool
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-24 17:06:50 +03:00
Jouni Malinen
5e5eb5a312 MACsec: Convert Boolean to C99 bool
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-24 17:06:50 +03:00
Jouni Malinen
d15e109e29 EAP peer: Convert Boolean to C99 bool
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-24 17:06:50 +03:00
Jouni Malinen
c9d70dd329 RSN supp: Convert Boolean to C99 bool
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-24 17:06:50 +03:00
Jouni Malinen
da8478a1ab EAPOL supp: Convert Boolean to C99 bool
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-24 17:06:50 +03:00
Jouni Malinen
37e3501bf7 FST: Convert Boolean to C99 bool
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-24 17:06:50 +03:00
Jouni Malinen
3dc69721e8 EAPOL auth: Convert Boolean to C99 bool
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-24 17:06:50 +03:00
Jouni Malinen
56024a233a WPA auth: Convert Boolean to C99 bool
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-24 17:06:50 +03:00
Jouni Malinen
4d9c313f2a WPA: Fix wpa_parse_kde_ies() handling with vendor specific elements
Documentation of the return values for wpa_parse_vendor_specific() and
wpa_parse_generic() were not accurate and the parsing results from these
were not really handled appropriately. There is no point in calling
wpa_parse_vendor_specific() if wpa_parse_generic() recognizes a KDE. Not
that this would break anything in practice, but still, it looks
confusing.

The part about handling wpa_parse_vendor_specific() return value can, at
least in theory, break some cases where an unexpectedly short KDE/vendor
specific element were present and something would need to be recognized
after it. That does not really happen with any standard compliant
implementation and this is unlikely to cause any real harm, but it is
clearer to handle this more appropriately even for any theoretical case,
including misbehavior of a peer device.

Instead of stopping parsing on too short vendor specific element,
continue parsing the following KDEs/IEs. Skip the
wpa_parse_vendor_specific() call when a KDE has been recognized. Also
fix the return value documentation for wpa_parse_generic() and remove
the useless return value from wpa_parse_vendor_specific().

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-24 17:06:50 +03:00
Jouni Malinen
1025a9052c Sync with mac80211-next.git include/uapi/linux/nl80211.h
This brings in nl80211 definitions as of 2020-02-24.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-04-24 17:06:36 +03:00
Jouni Malinen
60a2de5683 EAP server: Convert Boolean to C99 bool
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-21 17:39:07 +03:00
Jouni Malinen
4d2ec436e3 DPP: Add driver operation for enabling/disabling listen mode
This can be used to configure RX filter to be able to receive broadcast
DPP Public Action frames.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-20 23:52:04 +03:00
Jouni Malinen
99cf895553 Include stdbool.h to allow C99 bool to be used
We have practically started requiring some C99 features, so might as
well finally go ahead and bring in the C99 bool as well.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-20 20:29:31 +03:00
Jouni Malinen
3e6383f31a DPP2: Silence compiler warning with no-CONFIG_DPP2 and OpenSSL 1.0.2
EVP_PKEY_get0_EC_KEY() compatibility wrapper is used only within
CONFIG_DPP2 blocks, so define it with matching condition.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-04-19 17:42:41 +03:00
Jouni Malinen
0115268743 nl80211: Move nl80211_init_connect_handle() to avoid forward declaration
This has no changes to the function itself, i.e., it is just moved to a
location that is above the first caller.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-04-19 17:42:41 +03:00
Jouni Malinen
7a880b129d l2_packet: Allow initialization without RX handling
This can be used to minimize resource use when receive path is not
needed.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-04-19 17:42:41 +03:00
Jouni Malinen
95cbf45090 nl80211: Do not open EAPOL RX socket when using control port for RX (AP)
drv->eapol_sock is used only for receiving EAPOL frames in AP mode, so
it is not needed when using control port for EAPOL frame RX.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-04-19 17:42:41 +03:00
Jouni Malinen
c1bc0dd80d nl80211: Disable EAPOL TX over control port in AP mode by default
Since this nl80211 mechanism for sending EAPOL frames does not currently
support TX status notification, disable it by default of AP mode where
the Authenticator state machine uses those notifications to optimize
retransmission. The control port TX can be enabled for AP mode with
driver param control_port_ap=1.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-04-19 16:50:56 +03:00
Markus Theil
12ea7dee31 nl80211: Use nl80211 control port for receiving EAPOL frames
Use and/or set socker owner where necessary to allow EAPOL frames to be
received using the nl80211 control port. This is done when the driver
indicates support for the control port without previous hardcoded
reception of RSN preauth frames.

Use methods which set or use the connection owner nl_sock * where
necessary. Initial operations need to register with the SOCKET_OWNER
attribute set (e.g., connect for STA mode). Final operations need to use
the socket which holds the owner attribute (e.g., disconnect for STA
mode).

Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
2020-04-19 16:49:03 +03:00
Markus Theil
8609aa5ba3 nl80211: Tie connect handle to bss init/destroy
This commit creates a connect nl_sock * for every bss unconditionally.
It is used in the next commit for nl80211 control port RX.

Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
2020-04-19 15:53:02 +03:00
Markus Theil
b4a70018ee nl80211: Handle control port frame in bss events
In order to work in AP mode, handle control port frame RX as per bss
event.

Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
2020-04-19 15:53:02 +03:00
Markus Theil
6f70fcd986 nl80211: Check ethertype for control port RX
nl80211 control port event handling previously did not differentiate
between EAPOL and RSN preauth ethertypes. Add checking of the ethertype
and report unexpected frames (only EAPOL frames are supposed to be
delivered through this path).

Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
2020-04-19 15:53:02 +03:00
Jouni Malinen
932546ac28 nl80211: Add a separate driver capability for control port RX
This is needed since the initial implementation of the control port
mechanism in the kernel mixed in RSN pre-authentication ethertype
unconditionally (and IMHO, incorrectly) into the control port.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-04-19 15:53:02 +03:00
Jouni Malinen
bb9e3935dd driver: Add second driver capability flags bitmap
All 64 bits of the capability flags bitmap are used, so add a new
variable to hold future capability bits.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-04-19 15:53:02 +03:00
Disha Das
6b1c590ebb Allow TKIP support to be removed from build
Add a build flag CONFIG_NO_TKIP=y to remove all TKIP functionality from
hostapd and wpa_supplicant builds. This disables use of TKIP as both the
pairwise and group cipher. The end result does not interoperate with a
WPA(v1)-only device or WPA+WPA2 mixed modes.

Signed-off-by: Disha Das <dishad@codeaurora.org>
2020-04-17 23:51:58 +03:00
Jouni Malinen
a6c689d354 FT: Testing override for RSNXE Used subfield in FTE (AP)
Allow hostapd to be requested to override the RSNXE Used subfield in FT
reassociation case for testing purposes with "ft_rsnxe_used=<0/1/2>"
where 0 = no override, 1 = override to 1, and 2 = override to 0.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-16 23:39:57 +03:00
Jouni Malinen
9b222b6130 nl80211: Remove unnecessary inclusion of l2_packet.h
The only l2_packet use within this file was removed by commit
d12dab4c6f ("nl80211: Use non-receiving socket for EAPOL TX").

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-14 19:28:05 +03:00
Jouni Malinen
b2d8dc59f4 FT: Testing override for RSNXE Used subfield in FTE
Allow wpa_supplicant to be requested to override the RSNXE Used subfield
in FT reassociation case for testing purposes with "SET ft_rsnxe_used
<0/1/2>" where 0 = no override, 1 = override to 1, and 2 = override to
0.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-14 16:37:35 +03:00
Jouni Malinen
5344af7d22 FT: Discard ReassocReq with mismatching RSNXE Used value
Discard the FT Reassociation Request frame instead of rejecting it
(i.e., do not send Reassociation Response frame) if RSNXE Used is
indicated in FTE, but no RSNXE is included even though the AP is
advertising RSNXE.

While there is not really much of a difference between discarding and
rejecting the frame, this discarding behavior is what the standard says
for this type of an error case.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-14 16:37:35 +03:00
Edayilliam Jayadev
af0178c75b Add vendor attributes indicating number of spectral detectors
Add per bandwidth capability attributes which indicate the number of
spectral detectors used.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-07 23:05:26 +03:00
Edayilliam Jayadev
7a510a97ba Add an attribute for secondary 80 MHz span of agile spectral scan
Add an attribute QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_CONFIG_FREQUENCY_2
for describing the secondary 80 MHz span of agile spectral scan.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-07 23:03:30 +03:00
Jouni Malinen
24a6bca704 PKCS#1: Debug dump invalid Signature EB
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-04-05 20:13:26 +03:00
Jouni Malinen
eac6eb7024 X509: Use unique debug prints for unused bits entries
This makes it easier to understand which X.509 BIT STRING value has the
unused bits.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-04-05 19:59:47 +03:00
Jouni Malinen
153333ef6b FT RRB: Remove confusing debug print about extra data
The "FT: Ignore extra data in end" hexdump is quite confusing since it
shows all the IEs that were actually either processed or forwarded.
There is no code path that could reach this debug print with actual real
extra data. Remove it and the dead increment of pos to avoid warnings
from static analyzers.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-04-04 23:42:05 +03:00
Jouni Malinen
d867e11811 FT: Remove and re-add STA entry after FT protocol success with PMF
Allow STA entry to be removed and re-added to the driver with PMF is
used with FT. Previously, this case resulted in cfg80211 rejecting STA
entry update after successful FT protocol use if the association had not
been dropped and it could not be dropped for the PMF case in
handle_auth().

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-04-04 21:53:10 +03:00
Jouni Malinen
512b6c02e0 DPP: Mandate mutual auth with NFC negotiated connection handover
Mark own bootstrap information as having been used in NFC negotiated
connection handover and do not accept non-mutual authentication when
processing Authentication Response from the peer when such bootstrapping
information is used.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-03 16:27:52 +03:00
Jouni Malinen
872299f4b3 DPP2: Store netAccessKey in psk/sae credentials for reconfig
Connector alone is not sufficient for authentication during
reconfiguration, so store the netAccessKey as well.

Fixes: e4eb009d98 ("DPP2: Add Connector and C-sign-key in psk/sae credentials for reconfig")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-03 12:43:48 +03:00
Jouni Malinen
bf9f49396b OWE: Remove check for unexpected DH Parameter IE use with other AKMs
While the Diffie-Hellman Parameter element is defined in RFC 8110
explicitly for use witht he OWE AKM, it has now been proposed to be used
with another AKM (DPP). Should any other AKM be extended in similar
manner in the future, the check against unexpected use could result in
additional interoperability issues. Remove that and instead, ignore the
unexpected Diffie-Hellman Parameter element if it is included in
(Re)Association Request frame when any other AKM is negotiated.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-03 12:18:11 +03:00
Jouni Malinen
e4eb009d98 DPP2: Add Connector and C-sign-key in psk/sae credentials for reconfig
If the Enrollee indicates support for DPP R2 or newer, add Connector and
C-sign-key in psk/sae credentials (i.e., cases where DPP AKM is not
enabled) for reconfiguration. Extend processing of such credentials in
wpa_supplicant network profile addition to handle this new case
correctly by not setting key_mgmt=DPP based on Connector being present,
but by looking at the actual akm value in the config object.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-02 21:34:49 +03:00
Jouni Malinen
a371164f88 Process received WNM Notification Request for beacon protection failures
Report received notifications for beacon protection failures in syslog
and control interface.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-01 16:30:12 +03:00
Jouni Malinen
0e794989e5 Beacon frame protection event for incorrect protection
Define a driver interface event for Beacon frame protection failures.
Report such events over the control interface and send a
WNM-Notification Request frame to the AP as well.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-01 16:22:48 +03:00
P Praneesh
7c8f540ee0 wpa_supplicant: Add HE override support
Add HE override support under the build parameter CONFIG_HE_OVERRIDES=y.
The disable_he=1 network profile parameter can be used to disable HE.
This requires a fallback to VHT on the 5 GHz band and to HT on the 2.4
GHz band.

There is no nl80211 support for configuring the driver to disable HE, so
for now, this applies only to IBSS and mesh cases.

Signed-off-by: P Praneesh <ppranees@codeaurora.org>
2020-03-30 12:55:01 +03:00
Sergey Matyukevich
91498a1225 hostapd: DFS for channel switch in repeater mode
In repeater mode remote AP may request channel switch to a new channel.
Check if DFS is required for the new channel before proceeding with
normal AP operations. Start CAC procedure if radar detection is required
and channel is not yet marked as available.

Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
2020-03-29 21:15:16 +03:00
Sergey Matyukevich
683e7c7559 DFS: Add new hostapd_is_dfs_overlap() helper
Add a new hostapd_is_dfs_overlap() helper function to DFS module. This
function tells whether the selected frequency range overlaps with DFS
channels in the current hostapd configuration. Selected frequency reange
is specified by its center frequency and bandwidth.

Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
2020-03-29 21:15:16 +03:00
Sergey Matyukevich
7988767393 DFS: Rename and export hostapd_config_dfs_chan_available helper
Rename DFS helper hostapd_config_dfs_chan_available() to
hostapd_is_dfs_chan_available(). Enable access to this helper function
from other hostapd components.

Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
2020-03-29 21:15:16 +03:00
Alexander Wetzel
3f88d2ba0d AP: Drop not needed condition to delete PTK ID 1
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-29 21:15:16 +03:00
Jouni Malinen
80914e9eb2 DPP2: Fix build with OpenSSL 1.0.2 (EVP_PKEY_get0_EC_KEY() wrapper)
EVP_PKEY_get0_EC_KEY() was added in OpenSSL 1.1.0, so add a
compatibility wrapper for it when building with OpenSSL 1.0.2.

Fixes: c025c2eb59 ("DPP: DPPEnvelopedData generation for Configurator backup")
Fixes: 7d9e320054 ("DPP: Received Configurator backup processing")
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-29 21:15:16 +03:00
Jouni Malinen
54e2961f80 Add a hostapd testing option for skipping association pruning
The new skip_prune_assoc=1 parameter can be used to configure hostapd
not to prune associations from other BSSs operated by the same process
when a station associates with another BSS. This can be helpful in
testing roaming cases where association and authorization state is
maintained in an AP when the stations returns.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-28 20:39:19 +02:00
Jouni Malinen
1a18f8df63 nl80211: Allow full AP client state capability to be disabled
The new driver param full_ap_client_state=0 can be used to test
functionality with the driver capability for full AP client state being
forced to be disabled.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-28 20:38:11 +02:00
Jouni Malinen
7b156a3c5a wpa_auth: Use printf format %zu instead of type casts
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-28 19:54:10 +02:00
Jouni Malinen
f83d3491b9 wpa_auth: Do not split strings into multiple lines
Avoid unnecessary splitting of long string constants into multiple
lines.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-28 19:48:32 +02:00
Jouni Malinen
9385f03feb wpa_auth: Coding style cleanup for pointer is NULL comparisons
Use !ptr instead of ptr == NULL.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-28 19:36:00 +02:00
Jouni Malinen
62e12afcf1 wpa_auth: Clean up pointer dereferences
Use local variables to avoid sm->wpa_auth->conf type of dereferences
where multiple instances within a function can be cleaned up.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-28 19:29:12 +02:00
Veerendranath Jakkam
bbf94a0958 nl80211: Configure PMKSA lifetime and reauth threshold timer to driver
Drivers that trigger roaming need to know the lifetime and reauth
threshold time of configured PMKSA so that they can trigger full
authentication to avoid unnecessary disconnection. To support this, send
dot11RSNAConfigPMKLifetime and dot11RSNAConfigPMKReauthThreshold values
configured in wpa_supplicant to the driver while configuring a PMKSA.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2020-03-28 17:27:42 +02:00
Jouni Malinen
1f4e9946bc Sync with mac80211-next.git include/uapi/linux/nl80211.h
This brings in nl80211 definitions as of 2020-02-20.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-28 17:27:42 +02:00
Jouni Malinen
7c021dec3a DPP2: Allow AP to require or reject PFS
The new hostapd configuration parameter dpp_pfs can be used to specify
how PFS is applied to associations. The default behavior (dpp_pfs=0)
remains same as it was previously, i.e., allow the station to decide
whether to use PFS. PFS use can now be required (dpp_pfs=1) or rejected
(dpp_pfs=2).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-28 12:33:48 +02:00
Jouni Malinen
ca57d5f553 Return an enum from wpa_validate_wpa_ie()
This is more specific then returning a generic int and also allows the
compiler to do more checks.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-28 12:30:46 +02:00
Sathishkumar Muruganandam
2b4f9ce287 hostapd: Add HE bit in BSSID Information field of own Neighbor Report
Add definition for HE bit in neighbor report BSSID Information field
from IEEE P802.11ax/D6.0, 9.4.2.36 Neighbor Report element.

Signed-off-by: Sathishkumar Muruganandam <murugana@codeaurora.org>
2020-03-27 23:52:24 +02:00
Jouni Malinen
80d0e50dc5 DPP2: Use a helper function for encapsulating TCP message
This functionality was repeated for multiple different frames. Use a
shared helper function to avoid such duplication.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-27 20:05:25 +02:00
Jouni Malinen
fa5143feb3 DPP2: Presence Announcement processing in Controller
Process the received Presence Announcement frames in Controller. If a
matching bootstrapping entry for the peer is found, initiate DPP
authentication to complete provisioning of the Enrollee.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-27 20:05:25 +02:00
Jouni Malinen
db1ef82538 DPP2: Presence Announcement processing in AP/Relay
Process the received Presence Announcement frames in AP/Relay. If a
matching bootstrapping entry for the peer is found in a local
Configurator, that Configurator is used. Otherwise, the frame is relayed
to the first configured Controller (if available).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-27 20:05:25 +02:00
Jouni Malinen
06dd32903d DPP2: Presence Announcement processing at Configurator
Process received Presence Announcement frames and initiate
Authentication exchange if matching information is available on the
Configurator.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-27 20:05:25 +02:00
Jouni Malinen
6f5bc15bec DPP2: Configurator Connectivity indication
Add a new hostapd configuration parameter
dpp_configurator_connectivity=1 to request Configurator connectivity to
be advertised for chirping Enrollees.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-27 20:05:25 +02:00
Jouni Malinen
562f77144c DPP2: Chirping in wpa_supplicant Enrollee
Add a new wpa_supplicant control interface command "DPP_CHIRP own=<BI
ID> iter=<count>" to request chirping, i.e., sending of Presence
Announcement frames, to be started.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-27 20:05:25 +02:00
Jouni Malinen
1f0226770c DPP2: Add a helper function for building Presence Announcement frame
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-27 17:44:06 +02:00
Jouni Malinen
7cba35b0ed DPP2: New identifier definitions
Add new identifier definitions for presence announcement,
reconfiguration, and certificate enrollment.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-27 17:44:06 +02:00
Jouni Malinen
547dc7eaa3 DPP: Add DPP_BOOTSTRAP_SET command
"DPP_BOOTSTRAP_SET <ID> <configurator parameters..>" can now be used to
set peer specific configurator parameters which will override any global
parameters from dpp_configurator_params.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-27 17:44:06 +02:00
Jouni Malinen
804fc268af DPP: Allow per-peer configurator parameters to be set
This is a more convenient way of addressing cases where a
Configurator/Controller may store a large number of peer bootstrapping
information instances and may need to manage different configuration
parameters for each peer while operating as the Responder.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-27 17:44:06 +02:00
Jouni Malinen
514cc49ba5 DPP: Store global pointers in struct dpp_authentication
Set the global pointer and msg_ctx when allocating struct
dpp_authentication instead of needing to pass these to
dpp_set_configurator().

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-27 17:44:06 +02:00
Jouni Malinen
b7275a8142 Update STA flags to the driver immediately on disconnection
hostapd (and wpa_supplicant in AP mode) was internally updating the STA
flags on disconnection cases to remove authorization and association.
However, some cases did not result in immediate update of the driver STA
entry. Update all such cases to send out the update to the driver as
well to reduce risk of race conditions where new frames might be
accepted for TX or RX after the port authorization or association has
been lost and configured keys are removed.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-26 17:51:03 +02:00
Jouni Malinen
9d1857cf35 Process Transition Disable KDE in station mode
Check whether the Transition Disable KDE is received from an
authenticated AP and if so, whether it contains valid indication for
disabling a transition mode. If that is the case, update the local
network profile by removing the less secure options.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-26 00:13:14 +02:00
Jouni Malinen
82cc0b0cc2 Allow hostapd AP to advertise Transition Disable KDE
The new hostapd configuration parameter transition_disable can now be
used to configure the AP to advertise that use of a transition mode is
disabled. This allows stations to automatically disable transition mode
by disabling less secure network profile parameters.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-26 00:12:41 +02:00
Jouni Malinen
3eb9ddc658 Transition Disable KDE definitions
Define the OUI Type and bitmap values for Transition Disable KDE. These
will be shared by both the AP and STA implementations.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-26 00:12:39 +02:00
Wu Gao
a72ec4c221 Add addition CFR capture type to filter all NDPA NDP frames
Add QCA_WLAN_VENDOR_CFR_NDPA_NDP_ALL in enum
qca_wlan_vendor_cfr_capture_type. This capture type requests all NDPA
NDP frames to be filtered.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-25 12:05:14 +02:00
Wu Gao
a163bfe2bc Change CFR attributes from required to optional
Some CFR attributes are used frequently with conditions, so change them
from required to optional.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-25 12:04:37 +02:00
Noam Shaked
e520de8dbe Add ACS support for 60 GHz channel bonding
hostapd will trigger EDMG auto channel selection by setting
QCA_WLAN_VENDOR_ATTR_ACS_EDMG_ENABLED. The 60 GHz driver will be
called to start an auto channel selection and will return the
primary channel and the EDMG channel.

Signed-off-by: Noam Shaked <nshaked@codeaurora.org>
2020-03-24 22:15:32 +02:00
Noam Shaked
00f6a27628 nl80211: Fix offloaded ACS regression for the 60 GHz band
Addition of chan_2ghz_or_5ghz_to_freq() broke 60 GHz ACS, because it
assumes reported ACS channel is on either 2.4 or 5 GHz band. Fix this
by converting chan_2ghz_or_5ghz_to_freq() to a more generic
chan_to_freq(). The new function uses hw_mode to support 60 GHz.

Fixes: 41cac481a8 ("ACS: Use frequency params in ACS (offload) completed event interface")
Signed-off-by: Noam Shaked <nshaked@codeaurora.org>
2020-03-23 22:29:04 +02:00
John Crispin
1e8ea0833d HE: Add HE support to hostapd_set_freq_params()
The parameters that need to be applied are symmetric to those of VHT,
however the validation code needs to be tweaked to check the HE
capabilities.

Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
2020-03-23 18:08:50 +02:00
Wu Gao
bb08be757f Extend vendor attributes to support enhanced CFR capture
Enhanced channel frequency response supports capturing of channel status
information based on RX. Define previous CFR as version 1 and enhanced
CFR as version 2. If target supports both versions, two versions can't
be enabled at same time. Extend attributes for enhanced CFR capture in
enum qca_wlan_vendor_peer_cfr_capture_attr.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-23 15:39:36 +02:00
Noam Shaked
30ac8ddaf6 Add QCA vendor attributes for ACS over EDMG (IEEE 802.11ay)
QCA_WLAN_VENDOR_ATTR_ACS_EDMG_ENABLED, conduct ACS for EDMG.
QCA_WLAN_VENDOR_ATTR_ACS_EDMG_CHANNEL, return the EDMG channel.

Signed-off-by: Noam Shaked <nshaked@codeaurora.org>
2020-03-23 13:19:51 +02:00
Jouni Malinen
8b63a58166 Use a shared helper function for RSN supplicant capabilities
Avoid practically copy-pasted code for determining local RSN
capabilities.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-23 11:47:31 +02:00
Alexander Wetzel
b17b7a8e53 STA: Support Extended Key ID
Support Extended Key ID in wpa_supplicant according to
IEEE Std 802.11-2016 for infrastructure (AP) associations.

Extended Key ID allows to rekey pairwise keys without the otherwise
unavoidable MPDU losses on a busy link. The standard is fully backward
compatible, allowing STAs to also connect to APs not supporting it.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-23 11:47:31 +02:00
Alexander Wetzel
862aac1fcd AP: Support Extended Key ID
Support Extended Key ID in hostapd according to IEEE Std 802.11-2016.

Extended Key ID allows to rekey pairwise keys without the otherwise
unavoidable MPDU losses on a busy link. The standard is fully backward
compatible, allowing an AP to serve STAs with and without Extended Key
ID support in the same BSS.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-23 11:43:10 +02:00
Jouni Malinen
9f9a148af6 Convert int_array to use size_t instead of int as the length
This extends this to allow longer lists with LP32 data model to avoid
limit of 16-bit int.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-22 18:50:04 +02:00
Jouni Malinen
749add5c64 Limit freq_range_list_parse() result to UINT_MAX entries
This addresses a theoretical integer overflow with configuration
parameters with 16-bit int.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-22 18:50:04 +02:00
Jouni Malinen
2f06008564 loop: Use size_t for eloop.count
This is more consistent with the other eloop registrations and avoids a
theoretical integer overflow with 16-bit int should more than 32767
sockets/signals/events be registered.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-22 18:50:04 +02:00
Jouni Malinen
7858f493f3 eloop: Use size_t for socket table->count
This is more consistent with the other eloop registrations and avoids a
theoretical integer overflow with 16-bit int should more than 32767
sockets be registered (which is not really going to happen in practice).

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-22 18:50:04 +02:00
Jouni Malinen
3f45b8daeb hs20-osu-client: Use size_t for certificate components
This avoids a theoretical integer overflow with 16-bit unsigned int
should a certificate be encoded with more that 65535 friendly names or
icons.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-22 18:50:04 +02:00
Jouni Malinen
913220cbb8 eloop: Use size_t for signal_count
This is more consistent with the other eloop registrations and avoids a
theoretical integer overflow with 16-bit int (not that there would ever
be more that 32767 signal handlers getting registered).

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-22 18:50:04 +02:00
Jouni Malinen
ae7193611f Limit maximum number of pending SA Queries
There is no point in starting a huge number of pending SA Queries, so
limit the number of pending queries to 1000 to have an explicit limit
for how large sa_query_count can grow.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-22 18:50:04 +02:00
Jouni Malinen
02b43c557c RADIUS: Use size_t instead of int for message attributes
While RADIUS messages are limited to 4 kB, use size_t to avoid even a
theoretical overflow issue with 16-bit int.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-22 18:50:04 +02:00
Ouden
7546c489a9 nl80211: Fix RTM NEW/DELLINK IFLA_IFNAME copy for maximum ifname length
If the kernel rtm_newlink or rtm_dellink send the maximum length of
ifname (IFNAMSIZ), the event handlers in
wpa_driver_nl80211_event_rtm_addlink() and
wpa_driver_nl80211_event_rtm_dellink() did not copy the IFLA_IFNAME
value. Because the RTA_PAYLOAD (IFLA_IFNAME) length already includes the
NULL termination, that equals the IFNAMSIZ.

Fix the condition when IFNAME reach maximum size.

Signed-off-by: Ouden <Ouden.Biz@gmail.com>
2020-03-21 17:12:29 +02:00
Sourav Mohapatra
22547c3148 More details to the vendor specific driver internal failure reporting
Add more hang reason codes for the hang reason in the
QCA_NL80211_VENDOR_SUBCMD_HANG events. This also introduces the
attribute QCA_WLAN_VENDOR_ATTR_HANG_REASON_DATA to carry the required
data for the respective hang reason. This data is expected to contain
the required dump to analyze the reason for the hang.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-21 17:12:29 +02:00
Jouni Malinen
51e8f5d63c Ignore duplicated SSID element when parsing
Some APs have managed to add two SSID elements into Beacon frames and
that used to result in picking the last one which had incorrect data in
the known examples of this misbehavior. Pick the first one to get the
correct SSID.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-21 17:12:29 +02:00
Veerendranath Jakkam
5a296129fc Set beacon protection config irrespective of macro CONFIG_FILS
This was not supposed to be conditional on CONFIG_FILS.

Fixes: ecbf59e693 ("wpa_supplicant configuration for Beacon protection")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-21 17:12:29 +02:00
Jouni Malinen
cc79eb725f Check against integer overflow in int_array functions
int_array_concat() and int_array_add_unique() could potentially end up
overflowing the int type variable used to calculate their length. While
this is mostly theoretical for platforms that use 32-bit int, there
might be cases where a 16-bit int overflow could be hit. This could
result in accessing memory outside buffer bounds and potentially a
double free when realloc() ends up freeing the buffer.

All current uses of int_array_add_unique() and most uses of
int_array_concat() are currently limited by the buffer limits for the
local configuration parameter or frame length and as such, cannot hit
this overflow cases. The only case where a long enough int_array could
be generated is the combination of scan_freq values for a scan. The
memory and CPU resource needs for generating an int_array with 2^31
entries would not be realistic to hit in practice, but a device using
LP32 data model with 16-bit int could hit this case.

It is better to have more robust checks even if this could not be
reached in practice, so handle cases where more than INT_MAX entries
would be added to an int_array as memory allocation failures instead of
allowing the overflow case to proceed.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-21 17:12:17 +02:00
Jouni Malinen
a55ecfeabe Allow RSNXE to be removed from Beacon frames for testing purposes
The new hostapd configuration parameter no_beacon_rsnxe=1 can be used to
remove RSNXE from Beacon frames. This can be used to test protection
mechanisms for downgrade attacks.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-21 00:24:03 +02:00
Jouni Malinen
b7366a942a FT: Omit RSNXE from FT protocol Reassociation Response when needed
The previous design for adding RSNXE into FT was not backwards
compatible. Move to a new design based on 20/332r3 to avoid that issue
by not include RSNXE in the FT protocol Reassociation Response frame so
that a STA not supporting RSNXE can still validate the FTE MIC
correctly.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-21 00:01:47 +02:00
Jouni Malinen
6140cca819 FT: Omit RSNXE from FT protocol Reassociation Request when needed
The previous design for adding RSNXE into FT was not backwards
compatible. Move to a new design based on 20/332r3 to avoid that issue
by not include RSNXE in the FT protocol Reassociation Request frame so
that an AP not supporting RSNXE can still validate the FTE MIC
correctly.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-21 00:01:47 +02:00
Jouni Malinen
35936cd2cf FT: Verify that RSNXE is used consistently in Reassociation Response
Verify that the AP included RSNXE in Beacon/Probe Response frames if it
indicated in FTE that RSNXE is used. This is needed to protect against
downgrade attacks based on the design proposed in 20/332r3.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-21 00:01:47 +02:00
Jouni Malinen
497ae9f004 FT: Verify that RSNXE is used consistently in Reassociation Request
Verify that the STA includes RSNXE if it indicated in FTE that RSNXE is
used and the AP is also using RSNXE. This is needed to protect against
downgrade attacks based on the design proposed in 20/332r3.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-20 21:33:02 +02:00
Jouni Malinen
51d1924bd8 FT: Set the new RSNXE Used subfield in FT reassociation
This is a workaround needed to keep FT protocol backwards compatible for
the cases where either the AP or the STA uses RSNXE, but the other one
does not. This commit adds setting of the new field to 1 in
Reassociation Request/Response frame during FT protocol when the STA/AP
uses RSNXE in other frames. This mechanism is described in 20/332r3.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-20 21:23:48 +02:00
Jouni Malinen
796253a65f nl80211: Debug print set_key() command names
This makes it easier to understand the debug log for various set_key()
operations.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-15 23:42:21 +02:00
Alexander Wetzel
ac22241532 nl80211: Extended Key ID support
Add key configuration parameters needed to support Extended Key ID with
pairwise keys. Add a driver capability flag to indicate support forusing
this.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-15 23:39:57 +02:00
Jouni Malinen
a1afa2df8a Remove unnecessary and confusing length check from the PMKID KDE case
wpa_parse_kde_ies(), i.e., the only caller to wpa_parse_generic(),
verifies that there is room for KDE Length field and pos[1] (that
length) octets of payload in the Key Data buffer. The PMKID KDE case
within wpa_parse_generic() was doing an unnecessary separate check for
there being room for the Length, OUI, and Data Type fields. This is
covered by the check in the calling function with the combination of
verifying that pos[1] is large enough to contain RSN_SELECTOR_LEN +
PMKID_LEN octets of payload.

This is confusing since no other KDE case was checking remaining full
buffer room within wpa_parse_generic(). Clean this up by removing the
unnecessary check from the PMKID KDE case so that all KDEs are handled
consistently.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-15 23:24:18 +02:00
Alexander Wetzel
094c9cdc7e Add parsing of Key ID KDE for Extended Key ID
wpa_parse_generic() can now recognize the Key ID KDE that will be needed
to deliver the Key ID of the pairwise key when Extended Key ID is used.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-15 23:17:56 +02:00
Alexander Wetzel
f5c0104f3b Add KEY_FLAG_MODIFY for Extended Key ID support
KEY_FLAG_MODIFY was initial added for the planned Extended Key ID
support with commit a919a26035 ("Introduce and add key_flag") and then
removed with commit 82eaa3e688 ("Remove the not yet needed
KEY_FLAG_MODIFY") to simplify commit e9e69221c1 ("Validity checking
function for key_flag API").

Add it again and update check_key_flag() accordingly.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-15 23:00:10 +02:00
Jouni Malinen
9e30180a30 nl80211: Allow scanning in wpa_supplicant AP mode
If the driver supports this, request cfg80211 to allow the explicitly
requested scan to go through in AP mode.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-15 21:21:35 +02:00
Jouni Malinen
037e004c16 nl80211: Remove extraneous space from send_mlme debug print
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-15 17:09:27 +02:00
Jouni Malinen
81fa7730d3 nl80211: Add more TX status details in debug log in AP mode
The actual TX status (whether ACK frame was received) was not included
in the debug log in AP mode. Add that for all cases. In addition, add
some more details in the debug log to make the log more helpful in
debugging issues related to frame delivery.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-15 17:06:35 +02:00
Jouni Malinen
46e147fcdc Allow RSNE/RSNXE to be replaced in FT protocol Reassocation Response frame
This can be used to test station side behavior for FT protocol
validation steps.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-15 10:39:17 +02:00
Jouni Malinen
1a8e9334c0 FT: Check RSNE/RSNXE match in FT protocol Reassociation Response frame
While 13.7.1 (FT reassociation in an RSN) in P802.11-REVmd/D3.0 did not
explicitly require this to be done, this is implied when describing the
contents of the fourth message in the FT authentication sequence (see
13.8.5). Furthermore, 20/332r2 is proposing an explicit validation step
to be added into 13.7.1.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-15 10:39:17 +02:00
Jouni Malinen
839bab785b nl80211: Debug print driver capabilities
This can be helpful in understanding driver behavior.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-13 20:03:14 +02:00
Hrishikesh Vidwans
d9a7b71a78 AP: Fix regression in frequency check for a usable EDMG channel
Commit 5f9b4afd ("Use frequency in HT/VHT validation steps done before
starting AP") modified hostapd_is_usable_edmg() to use freq instead of
channel numbers. Unfortunately, it did not convert the frequency
calculation correctly and this broke EDMG functionality.

Fix the frequency calculation so that EDMG channel 9 works again.

Fixes: 5f9b4afdfa ("Use frequency in HT/VHT validation steps done before starting AP")
Signed-off-by: Hrishikesh Vidwans <hvidwans@codeaurora.org>
2020-03-11 17:54:13 +02:00
Jouni Malinen
10223b501b SAE: Expose sae_write_commit() error cases to callers
Check whether an error is reported from any of the functions that could
in theory fail and if so, do not proceed with the partially filled SAE
commit buffer.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-08 16:59:42 +02:00
Jouni Malinen
7f1f69e897 SAE: Check hmac_sha256() result in sae_token_hash()
In theory, hmac_sha256() might fail, so check for that possibility
instead of continuing with undetermined index value that could point to
an arbitrary token entry.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-08 16:51:30 +02:00
Jouni Malinen
b0927e5d06 nl80211: Fix error print for hapd_send_eapol()
The return value from nl80211_send_monitor() is not suitable for use
with strerror(). Furthermore, nl80211_send_monitor() itself is printing
out a more detailed error reason.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-08 16:48:00 +02:00
Jouni Malinen
a17cbcd698 os_unix: Call srandom() only if os_get_random() succeeds
Don't use uninitialized stack memory if /dev/urandom is not available.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-08 16:43:09 +02:00
Jouni Malinen
17ba51b14d nl80211: Fix tx_control_port error print
send_and_recv_msgs() returns a negative number as the error code and
that needs to be negated for strerror().

Fixes: 8759e9116a ("nl80211: Control port over nl80211 helpers")
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-08 16:38:57 +02:00
Jouni Malinen
bb2ea8e5e3 DPP: Remove unreachable return statement
This was forgotten from an earlier development version.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-08 16:35:45 +02:00
Jouni Malinen
7dcc5f7feb SAE: Check sta pointer more consistently in testing code
send_auth_reply() could be called with sta == NULL in certain error
conditions. While that is not applicable for this special test
functionality for SAE, the inconsistent checks for the sta pointer could
result in warnings from static analyzers. Address this by explicitly
checking the sta pointer here.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-08 16:32:47 +02:00
Jouni Malinen
15d63c6043 Clean up hostapd_get_he_twt_responder() processing
mode->he_capab is an array and as such, there is no point in checking
whether it is NULL since that cannot be the case. Check for the
he_supported flag instead. In addition, convert the TWT responder
capability bit into a fixed value 1 to avoid any surprising to the
callers. In practice, neither of these changes results in different
behavior in the current implementation, but this is more robust.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-08 16:28:03 +02:00
Jouni Malinen
7aa47fe5fc DPP: Fix connectorTemplate addition
There was a copy-paste error in this code that would be adding the
connectorTemplate once that becomes available. In practice, this was not
reachable code, but anyway, this should be ready for potential addition
of connectorTemplate in the future.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-08 16:18:22 +02:00
Jouni Malinen
c7d293024b RSN: Stop 4-way handshake if scan results are not available
While there may have initially been cases where the RSNE from
Beacon/Probe Response frames was not available from some drivers, it is
now more valuable to notice if such a case were to be hit with drivers
that are always expected to have such information available. As such,
make it a fatal error if the scan results for the current AP are not
available to check the RSNE/RSNXE in EAPOL-Key msg 3/4.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-08 16:16:11 +02:00
Jouni Malinen
785f99b680 FT: Silence debug prints when FT is not actually used
Avoid printing confusing FT debug entries from wpa_sm_set_ft_params()
when FT is not actually used for the connection.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-07 17:43:27 +02:00
Jouni Malinen
33a28170a3 Recognize OWE Transition Mode element in IE parser
This silences the debug log entry on unknown WFA IE being ignored.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-07 17:27:32 +02:00
Jouni Malinen
fad0449438 Report RSNXE mismatch in EAPOL-Key msg 3/4 more consistently with RSNE
Use the same reason code to indicate that IE different in 4-way
handshake and also print a hexdump of RSNXE in both Beacon/ProbeResp and
EAPOL-Key msg 3/4 in the log.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-07 17:05:01 +02:00
Jouni Malinen
4d64fd37b7 Allow RSNE in EAPOL-Key msg 3/4 to be replaced for testing purposes
The new hostapd configuration parameter rsne_override_eapol can now be
used similarly to the previously added rsnxe_override_eapol to override
(replace contents or remove) RSNE in EAPOL-Key msg 3/4. This can be used
for station protocol testing to verify sufficient checks for RSNE
modification between the Beacon/Probe Response frames and EAPOL-Key msg
3/4.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-07 16:45:52 +02:00
Jouni Malinen
9128b67269 Extend hostapd rsnxe_override_eapol to allow IE removal
Previous implementation was determining whether the override value was
set based on its length being larger than zero. Replace this with an
explicit indication of whether the parameter is set to allow zero length
replacement, i.e., remove of RSNXE from EAPOL-Key msg 3/4.

In addition, move IE replacement into a more generic helper function to
allow this to be used with other IEs as well.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-07 16:39:36 +02:00
Jouni Malinen
43ededa9c7 Do not override WDS VLAN assignment for STA
The 4-address frames WDS design in mac80211 uses VLAN interfaces
similarly to the way VLAN interfaces based on VLAN IDs are used. The EAP
authentication case ended up overriding the WDS specific assignment even
when the RADIUS server did not assign any specific VLAN for the STA.
This broke WDS traffic.

Fix this by skipping VLAN assignment to VLAN ID 0 for STAs that have
been detected to use 4-address frames.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-07 13:56:56 +02:00
Jouni Malinen
ca8a51c4bb webkit2: Fix http://localhost:12345/ redirect handling
The resource-load-started cannot be used to replace the older
resource-request-starting signal and as such, the final redirect to the
special http://localhost:12345/ URL did not work. Use the decide-policy
signal for navigation action instead.

Also remove the attempt to modify the request URI from
resource-load-started since that is not going to work either. This is
not really critical for functionality, but could eventually be replaced
with a handler for the WebKitWebPage send-request signal.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-07 11:51:23 +02:00
Alexander Wetzel
be15f33d07 Replace WPA_ALG_PMK with KEY_FLAG_PMK
Drop the no longer needed internal alg WPA_ALG_PMK and use KEY_FLAG_PMK
as replacement.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-06 21:44:31 +02:00
Alexander Wetzel
11b1fcd6ca nl80211: Drop outdated TDLS set_key() hack
wpa_tdls_set_key() did set the key_id to -1 to avoid a useless
NL80211_CMD_SET_KEY call that the updated nl80211 driver no longer
carries out. Remove the no longer required workaround.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-06 21:44:31 +02:00
Pravas Kumar Panda
f64b601c47 DFS: Add support for 80+80 MHz when going through channel switch
After a radar signal is detected, the AP should switch to another
channel, but in the case of 80+80 MHz, channel switch failed because
hostapd did not select the secondary channel in the process. Fix this by
selecting a secondary channel in the case of 80+80 MHz.

Signed-off-by: Xin Wang <xwangw@codeaurora.org>
Signed-off-by: Pravas Kumar Panda <kumarpan@codeaurora.org>
2020-03-06 21:44:31 +02:00
Hu Wang
0a76a0b965 OWE: Fix PTK derivation workaround for interoperability
The initial implementation of the PTK derivation workaround for
interoperability with older OWE implementations forced
WPA_KEY_MGMT_PSK_SHA256 to be used for all of PTK derivation. While that
is needed for selecting which hash algorithm to use, this was also
changing the length of the PTK components and by doing so, did not
actually address the backwards compatibility issue.

Fix this by forcing SHA256 as the hash algorithm in PTK derivation
without changing the PTK length calculation for OWE when
owe_ptk_workaround is enabled.

Fixes: 65a44e849a ("OWE: PTK derivation workaround in AP mode")
Fixes: 8b138d2826 ("OWE: PTK derivation workaround in STA mode")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-06 21:44:31 +02:00
Alexander Wetzel
81621eab7c nl80211: Migrate from set_tx to key_flag API
Migrate nl80211 driver to key_flag API and add additional sanity checks.

I'm still not sure why we install unicast WEP keys also as default
unicast keys. Based on how I understand how mac80211 handles that it
should be pointless. I just stuck to how we do things prior to the patch
for WEP keys to not break anything. After all other drivers may need it.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-05 00:52:31 +02:00
Alexander Wetzel
9757f18db4 nl80211: Don't ignore when SET_KEY returns ENOENT
Always report an error when NL80211_CMD_SET_KEY can't set a key to
default.

The old ioctl-based design used a single command to add, set, and delete
a key and had to ignore ENOENT for key deletions. It looks like that
special handling was also ported for NL80211_CMD_NEW_KEY and
NL80211_CMD_SET_KEY instead only for NL80211_CMD_DEL_KEY.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-05 00:38:30 +02:00
Alexander Wetzel
98b8275d92 nl80211: Remove not needed netlink key attribute
Calling NL80211_CMD_NEW_KEY with NL80211_KEY_DEFAULT_TYPES attributes is
pointless. The information is not expected and therefore the kernel
never forwards it to the drivers. That attribute is used with
NL80211_CMD_SET_KEY.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-05 00:36:00 +02:00
Alexander Wetzel
8563f6f564 nl80211: Fix wrong return code in set_key error path
Allow to abort key installations with different error codes and fix one
misleading return code.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-05 00:28:50 +02:00
Alexander Wetzel
adf550ee4b nl80211: Ignore seq number for key deletion
Turns out we are sometime providing a seq when deleting the key. Since
that makes no sense on key deletion let's stop forwarding that to the
driver at least.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-05 00:27:48 +02:00
Alexander Wetzel
e9e69221c1 Validity checking function for key_flag API
Add masks for each key type to define which flags can be combined and
add a helper function to validate key_flag values.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-05 00:25:47 +02:00
Alexander Wetzel
5eb1632569 nl80211: Add a missing key_flag for WEP shared key authentication
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-05 00:24:55 +02:00
Alexander Wetzel
82eaa3e688 Remove the not yet needed KEY_FLAG_MODIFY
I decided to drop KEY_FLAG_MODIFY instead of allowing flag combinations not
yet used in the code and will simply recreate it with the Extended Key
ID patches once we get there. For that reason I also did not renumber
the flags.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-05 00:17:23 +02:00
Alexander Wetzel
982b9cf029 Fix a wrong key_flag when deleting 802.1X WEP keys
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-05 00:13:20 +02:00
Alexander Wetzel
d37c05e5b5 AP: Don't try to set NULL WEP default key
hostapd_broadcast_wep_set() can be called without a WEP key set.
Don't try to install a default key in that case.

This patch is not critical for the new API. With key_flag we just would
report an (ignored) error and do nothing. With the patch we simply do
nothing.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-05 00:03:56 +02:00
Alexander Wetzel
fa1a6aff22 Fix unicast argument for set_wep_key() from EAPOL supplicant
The unicast parameter in set_wep_key() is only expected to be set to 0
or 1. Without this patch we set unicast to 0x80 instead of 1. Since
unicast is used as boolean that is working fine but violates the
documented API.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-04 23:59:49 +02:00
Jouni Malinen
11dab0f37f WPS: Remove expired PINs on Selected Registrar timeout
This clears the AuthorizedMACs advertisement immediately when the
Selected Registrar timeout is hit and no more active PINs are present.
Previously, the AuthorizedMACs advertisement could remain in place
indefinitely since expired PINs were removed only when actually trying
to find a PIN for a new WPS exchange.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-04 23:26:02 +02:00
Jouni Malinen
8f89e57ab5 DFS: More debug prints on channel selection after radar detection
This makes it easier to understand what is happening when a new channel
needs to be selected based on a radar detection event.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-03 18:58:08 +02:00
Seevalamuthu Mariappan
4b37d24285 hostapd: Fix to downgrade bandwidth in radar detection
Upon radar detection we used to search channels with the same bandwidth.
This way we might not find any other channels. If there are no channels
available with that bandwidth the AP service will be stopped. To avoid
this problem, also search a suitable channel by downgrading the
bandwidth. This scenario is applicable during CAC as well.

Signed-off-by: Seevalamuthu Mariappan <seevalam@codeaurora.org>
2020-03-03 18:37:16 +02:00
Seevalamuthu Mariappan
7242087d1c DFS: Do not process radar event while disabling an interface
In the normal case hostapd_disable_iface() and hostapd_enable_iface()
will be done while switching to another DFS channel upon radar
detection. In certain scenarios radar detected event can come while
hostapd_disable_iface() is in progress and iface->current_mode will be
NULL in that scenario. Previously, we did not check for this scenario
and proceeded with the radar detection logic which can trigger a
segmentation fault. To fix this, avoid proceeding the radar detection
event if iface->current_mode is NULL.

Signed-off-by: Seevalamuthu Mariappan <seevalam@codeaurora.org>
2020-03-03 17:10:31 +02:00
Sachin Shelke
21f835e640 SAE: Allow SAE-only network profile with sae_password to be written
The commit a34ca59e (SAE: Allow SAE password to be configured separately
(STA)) added sae_password configuration option. We should also consider
sae_password in the wpa_config_write() function which stores the valid
network block details to an external database.

Fixes: a34ca59e4d ("SAE: Allow SAE password to be configured separately (STA)")
Signed-off-by: Sachin Shelke <sachin.shelke@nxp.com>
Signed-off-by: Cathy Luo <xiaohua.luo@nxp.com>
Signed-off-by: Ganapathi Bhat <ganapathi.bhat@nxp.com>
2020-03-02 11:49:19 +02:00
Jouni Malinen
5bad300565 privsep: Mask out control port capability flag
There is no support for using the control port for sending out EAPOL
frames through privsep yet, so mask out this capability to fall back to
the l2_packet based design.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-01 21:31:07 +02:00
Alexander Wetzel
c1a6b1e47e privsep: Add key_flag to set_key()
Pass through the new key_flag to wpa_priv.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-01 21:11:07 +02:00
Ilan Peer
101da59aa2 common: Add support for element defragmentation
Add support for element defragmentation as defined in IEEE
P802.11-REVmd/D3.0, 10.28.12 (Element defragmentation).

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2020-02-29 23:56:15 +02:00
Ilan Peer
e636bc855f WPA: Rename FILS wrapped data
IEEE P802.11az/D2.0 renamed the FILS Wrapped Data element,
removing the FILS prefix. Change the code accordingly.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2020-02-29 23:30:55 +02:00
Ilan Peer
94773d40fa crypto: Add a function to get the ECDH prime length
crypto_ecdh_prime_len() can now be used to fetch the length (in octets)
of the prime used in ECDH.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2020-02-29 23:26:26 +02:00
Ilan Peer
e8ae97aebe nl80211: Allow TX status for Authentication frames
To support PASN authentication flow, where Authentication frames are
sent by wpa_supplicant using the send_mlme() callback, modify the logic
to also send EVENT_TX_STATUS for Authentication frames.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2020-02-29 23:18:28 +02:00
Ilan Peer
c4988e73c0 driver: Extend send_mlme() with wait option
PASN authentication can be performed while a station interface is
connected to an AP. To allow sending PASN frames while connected, extend
the send_mlme() driver callback to also allow a wait option. Update the
relevant drivers and wpa_supplicant accordingly.

hostapd calls for send_mlme() are left unchanged, since the wait option
is not required there.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2020-02-29 23:03:20 +02:00
Andrei Otcheretianski
d046f2a9f9 nl80211: Register for SAE Authentication frames more strictly
If the driver requires external SAE authentication, it would result in
registration for all Authentication frames, so even non-SAE
Authentication frames might be forwarded to user space instead of being
handled internally. Fix this by using a more strict match pattern,
limiting the registration to the SAE authentication algorithm only.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2020-02-29 22:55:55 +02:00
Jouni Malinen
200c7693c9 Make WEP functionality an optional build parameter
WEP should not be used for anything anymore. As a step towards removing
it completely, move all WEP related functionality to be within
CONFIG_WEP blocks. This will be included in builds only if CONFIG_WEP=y
is explicitly set in build configuration.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-29 17:45:25 +02:00
Jouni Malinen
bca44f4e4e WPS: Remove static-WEP-only workaround
WEP provisioning was removed from WPS v2, so this workaround
functionality has not been applicable. Remove it completely.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-29 16:56:44 +02:00
Neo Jou
b7f1d4f4d6 ACS: Allow hw_mode=any to be used with internal ACS algorithm
This was already supported in the offload ACS case and this commit
completes support for this with the internal ACS algorithm.

Signed-off-by: Neo Jou <neojou@gmail.com>
2020-02-29 11:23:03 +02:00
Neo Jou
d07f1ade90 ACS: Determine mode when using hw_mode=any
Set iface->current_mode and iface->conf->hw_mode when completing ACS
based on the selected channel in the hw_mode=any case.

Signed-off-by: Neo Jou <neojou@gmail.com>
2020-02-29 11:23:03 +02:00
Neo Jou
c60362e6e8 ACS: Extend acs_find_ideal_chan() to support multiple modes
This is preparation for being able to support hw_mode=any to select the
best channel from any supported mode.

Signed-off-by: Neo Jou <neojou@gmail.com>
2020-02-29 11:23:03 +02:00
Neo Jou
141a8815e7 ACS: Extend acs_request_scan() to support multiple modes
Add suitable channel frequencies from all modes into the scan parameters
when a single mode is not specified for ACS. This is preparation for
being able to support hw_mode=any to select the best channel from any
supported mode.

Signed-off-by: Neo Jou <neojou@gmail.com>
2020-02-29 11:23:03 +02:00
Neo Jou
f3c44a196f ACS: Extend interference factor calculation for all modes
This is preparation for being able to support hw_mode=any to select the
best channel from any supported mode.

Signed-off-by: Neo Jou <neojou@gmail.com>
2020-02-29 11:23:03 +02:00
Neo Jou
070522e5b2 ACS: Extend acs_find_chan() for all modes
This is preparation for being able to support hw_mode=any to select the
best channel from any supported mode.

Signed-off-by: Neo Jou <neojou@gmail.com>
2020-02-29 11:23:03 +02:00
Neo Jou
4c1ffb45e4 ACS: Extend acs_surveys_are_sufficient() for all modes
This is preparation for being able to support hw_mode=any to select the
best channel from any supported mode.

Signed-off-by: Neo Jou <neojou@gmail.com>
2020-02-29 11:23:03 +02:00
Neo Jou
3d09be41a8 ACS: Clear all modes in acs_cleanup()
This is preparation for being able to support hw_mode=any to select the
best channel from any supported mode.

Signed-off-by: Neo Jou <neojou@gmail.com>
2020-02-29 11:23:03 +02:00
Neo Jou
499c37b729 ACS: Extend hostapd_get_mode_channel() to find from any mode
This is preparation for being able to support hw_mode=any to select the
best channel from any supported mode.

Signed-off-by: Neo Jou <neojou@gmail.com>
2020-02-29 11:23:03 +02:00
Jouni Malinen
a62d761856 ACS: Fix spelling of "interference"
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-29 11:23:03 +02:00
Jouni Malinen
167205d455 os_unix: Seed random() for os_random()
While the users of os_random() do not really need strong pseudo random
numebrs, there is no significant harm in seeding random() with data from
os_get_random(), i.e., /dev/urandom, to get different sequence of not so
strong pseudo random values from os_random() for each time the process
is started.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-28 22:59:32 +02:00
Jouni Malinen
74db49d74c SAE: Do not use PMKSA entry after its reauth threshold
Since SAE PMK can be updated only by going through a new SAE
authentication instead of being able to update it during an association
like EAP authentication, do not allow PMKSA entries to be used for
caching after the reauthentication threshold has been reached. This
allows the PMK to be updated without having to force a disassociation
when the PMK expires if the station roams between the reauthentication
threshold and expiration timeout.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-28 18:41:24 +02:00
Jouni Malinen
bb93ea234e SAE: Do not clone PMKSA entry for OKC after its reauth threshold
Since SAE PMK can be updated only by going through a new SAE
authentication instead of being able to update it during an association
like EAP authentication, do not allow PMKSA entries to be used for OKC
after the reauthentication threshold has been reached. This allows the
PMK to be updated without having to force a disassociation when the PMK
expires if the station roams between the reauthentication threshold and
expiration timeout.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-28 18:41:24 +02:00
Jouni Malinen
114d124186 SAE: Fix PMKID derivation for OKC
SAE authentication derives PMKID differently from the EAP cases. The
value comes from information exchanged during SAE authentication and
does not bind in the MAC addresses of the STAs. As such, the same PMKID
is used with different BSSIDs. Fix both the hostapd and wpa_supplicant
to use the previous PMKID as is for OKC instead of deriving a new PMKID
using an incorrect derivation method when using an SAE AKM.

This fixes use of opportunistic key caching with SAE.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-28 18:41:20 +02:00
Andrej Shadura
3f10f716af common: Provide the BIT() macro locally
wpa_ctrl.h can be installed separately with libwpa_client, so
utils/common.h won't be available to its users.

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
2020-02-28 11:03:05 +02:00
Krishna Rao
b8f6b0713a Add attribute for dwell time in QCA vendor scan
Add an attribute QCA_WLAN_VENDOR_ATTR_SCAN_DWELL_TIME for specifying
dwell time in the QCA vendor scan command. This is a common value which
applies across all frequencies requested in the scan.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-26 23:47:37 +02:00
Sunil Dutt
ec303e2cb1 Introduce QCA_WLAN_VENDOR_ATTR_CONFIG_ROAM_REASON
This attribute enables/disables the host driver to send roam reason
information in the Reassociation Request frame to the AP in the same
ESS.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-24 20:17:00 +02:00
Sunil Dutt
34640a88d8 Fix enum qca_wlan_vendor_attr_config value prefix
Couple of the attributes were defined with inconsistent prefix in the
name (missing "CONFIG_"). Fix these to use the common prefix for all
enum qca_wlan_vendor_attr_config values. Add defined values for the
incorrect names to avoid issues with existing users.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-24 20:16:56 +02:00
Jouni Malinen
f1d3856090 nl80211: Beacon protection capability flag and default key type
Add a new capability flag based on the nl80211 feature advertisement and
start using the new default key type for Beacon protection. This enables
AP mode functionality to allow Beacon protection to be enabled. This is
also enabling the previously added ap_pmf_beacon_protection_* hwsim test
cases.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-24 12:20:38 +02:00
Jouni Malinen
2e34f6a53f Sync with mac80211-next.git include/uapi/linux/nl80211.h
This brings in nl80211 definitions as of 2020-02-24.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-24 12:20:05 +02:00
Alexander Wetzel
8a1660b607 common: Add missing driver flag strings
Add SAFE_PTK0_REKEYS and some other missing strings.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-02-23 23:53:29 +02:00
Janusz Dziedzic
4b04223f24 hostapd: Replace UDP ctrl_iface global cookies with per-instance ones
The cookie values for UDP control interface commands was defined as a
static global array. This did not allow multi-BSS test cases to be
executed with UDP control interface. For example, after
    hapd1 = hostapd.add_bss(apdev[0], ifname1, 'bss-1.conf')
    hapd2 = hostapd.add_bss(apdev[0], ifname2, 'bss-2.conf')

hapd1->ping() did not work.

Move those cookie values to per-instance location in struct
hapd_interfaces and struct hostapd_data to fix this.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
2020-02-23 17:48:34 +02:00
Alexander Wetzel
1f90a49d02 STA: Allow PTK rekeying without Ext KeyID to be disabled as a workaround
Rekeying a pairwise key using only keyid 0 (PTK0 rekey) has many broken
implementations and should be avoided when using or interacting with
one. The effects can be triggered by either end of the connection and
range from hardly noticeable disconnects over long connection freezes up
to leaking clear text MPDUs.

To allow affected users to mitigate the issues, add a new configuration
option "wpa_deny_ptk0_rekey" to replace all PTK0 rekeys with fast
reconnects.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-02-23 13:05:19 +02:00
Alexander Wetzel
1a7963e36f AP: Allow PTK rekeying without Ext KeyID to be disabled as a workaround
Rekeying a pairwise key using only keyid 0 (PTK0 rekey) has many broken
implementations and should be avoided when using or interacting with
one. The effects can be triggered by either end of the connection and
range from hardly noticeable disconnects over long connection freezes up
to leaking clear text MPDUs.

To allow affected users to mitigate the issues, add a new hostapd
configuration option "wpa_deny_ptk0_rekey" to replace all PTK0 rekeys
with disconnection. This requires the station to reassociate to get
connected again and as such, can result in connectivity issues as well.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-02-23 12:22:49 +02:00
Alexander Wetzel
35da7c20ac nl80211: Add driver capability flag for CAN_REPLACE_PTK0
The CAN_REPLACE_PTK0 flag provided by nl80211 can be used to detect if
the card/driver is explicitly indicating capability to rekey STA PTK
keys using only keyid 0 correctly.

Check if the card/driver supports it and make the status available as a
driver flag.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-02-23 12:00:23 +02:00
Jouni Malinen
7b26238d46 Do not skip MBO PMF check with the WPS special case WPA check exception
The MBO PMF check for AP SME in the driver case was added into a
location that is skipped for WPS processing. That was not really the
correct place for this since the skip_wpa_check label was supposed to
remain immediately following the WPA checks. While this does not really
have much of a practical impact, move the check around so that the
skip_wpa_check label remains where it is supposed to be.

Fixes: 4c572281ed ("MBO: Mandate use of PMF for WPA2+MBO association (AP)")
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-22 19:20:44 +02:00
Ouden
fae7e64aa3 Save RM enabled capability of station with AP SME
Save RM enabled capability element of an associating station when
hostapd use the device AP SME similarly to how this information is saved
with SME-on-hostapd cases. This allows radio measurement operations
(e.g., REQ_BEACON) to be used.

Signed-off-by: Ouden <Ouden.Biz@gmail.com>
2020-02-22 19:20:44 +02:00
Jouni Malinen
1074d42416 Fix a typo in a comment
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-22 19:20:44 +02:00
Jouni Malinen
8fe7ec6640 Remove Secondary Channel Offset element from Beacon/Probe Response frames
This element is not used in Beacon or Probe Response frames (which is
the reason why the standard does not indicate where exactly it would be
in those frames..); HT Operation element has this information and so
does Extended CSA element.

In practice, this reverts the functionality added in commit 76aab0305c
("Add secondary channel IE for CSA").

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-22 19:20:44 +02:00
Jouni Malinen
7f1529d2a5 Fix HE element order in Beacon and Probe Response frames
Spatial Reuse Parameter Set element is before MU EDCA Parameter Set
element.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-22 19:20:44 +02:00
Jouni Malinen
f3bcd69603 Remove CONFIG_IEEE80211N build option
Hardcoded CONFIG_IEEE80211N to be included to clean up implementation.
More or less all new devices support IEEE 802.11n (HT) and there is not
much need for being able to remove that functionality from the build.
Included this unconditionally to get rid of one more build options and
to keep things simpler.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-22 19:20:44 +02:00
Jouni Malinen
640d59942b Fix location of MDE and RSNXE in Beacon and Probe Response frames
Split the IEs from WPA authenticator state machine into separately added
IEs so that the exact location between these and other elements can be
controlled. This fixes the location of MDE and RSNXE in Beacon and Probe
Response frames. In addition, this swaps the order of BSS Load and RM
Enabled Capabilities elements in Beacon frames to get them into the
correct order (which was already used for Probe Response frames).
Furthermore, this fixes the buffer end checks for couple of elements to
make the implementation more consistent (though, in practice, there is
no impact from this since the old size limit was smaller than needed,
but still sufficiently large to have room for these).

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-22 19:20:44 +02:00
Jouni Malinen
2d4c78aef7 Configure received BIGTK on station/supplicant side
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-18 00:18:47 +02:00
Jouni Malinen
ecbf59e693 wpa_supplicant configuration for Beacon protection
Add a new wpa_supplicant network profile configuration parameter
beacon_prot=<0/1> to allow Beacon protection to be enabled.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-18 00:18:47 +02:00
Jouni Malinen
16889aff40 Add BIGTK KDE and subelement similarly to IGTK
This provides the BIGTK updates to associated stations similarly to
IGTK.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-17 23:48:24 +02:00
Jouni Malinen
555dcd75ce Generate BIGTK and rekey it with IGTK
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-17 23:48:24 +02:00
Jouni Malinen
323d06187a Parsing of BIGTK KDE in EAPOL-Key frames
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-17 23:48:24 +02:00
Jouni Malinen
3937378abe Parsing of BIGTK subelement in FTE
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-17 23:48:24 +02:00
Jouni Malinen
d2e77310dc driver: Document use of set_key() for BIGTK
Also update the comment to match the current IGTK KeyID range.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-17 23:48:24 +02:00
Jouni Malinen
c1df321b6c AP mode indication of Beacon protection being enabled
Add the new Extended Capability bit for indicating Beacon protection.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-17 23:48:24 +02:00
Jouni Malinen
92d407dbd6 hostapd configuration for Beacon protection
Add a new hostapd configuration parameter beacon_prot=<0/1> to allow
Beacon protection to be enabled.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-17 23:48:24 +02:00
Jouni Malinen
cb86e8bac8 nl80211: Remove an extra closing parenthesis from a debug message
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-17 23:48:24 +02:00
Jouni Malinen
46cb046500 nl80211: Check nla_nest_start() result for NL80211_ATTR_HE_OBSS_PD
nla_nest_start() might fail, so need to check its return value similarly
to all the other callers.

Fixes: a84bf44388 ("HE: Send the AP's OBSS PD settings to the kernel")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-17 19:30:47 +02:00
John Crispin
0b0ee0f15e HE: Propagate BSS color settings to nl80211
Add the code required to send the BSS color settings to the kernel.

Signed-off-by: John Crispin <john@phrozen.org>
2020-02-17 19:28:39 +02:00