Commit graph

15728 commits

Author SHA1 Message Date
Jouni Malinen
f5e0a3324b SAE: Fix potential infinite loop in mismatching PMK case on AP
Commit e61fea6b46 ('SAE: Fix PMKSA caching
behavior in AP mode') modified the PSK fetching loop to not override PMK
in case of SAE with PMKSA caching. However, that commit missed the error
path cases where there is need to break from the loop with exact
negative of the check in the beginning of the loop. This could result in
hitting an infinite loop in hostapd if a station derived a different PMK
value from otherwise successfully completed SAE authentication or if a
STA used a different PMK with a PMKSA caching attempt after a previously
completed successful authentication.

Fix this by adding the matching break condition on SAE AKM within the
loops.

Fixes: e61fea6b46 ("SAE: Fix PMKSA caching behavior in AP mode")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-03-02 21:27:18 +02:00
Jouni Malinen
427729ee67 Reject eap_server_erp hostapd.conf parameter without CONFIG_ERP=y
This provides an explicit error report if runtime configuration is not
valid and ERP server functionality cannot be used.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-02-28 13:09:07 +02:00
Jouni Malinen
ba5498d207 wpadebug: Improve QR Code scanning with zxing
Set SCAN_MODE to accept only QR Codes and close the scanner more
reliably after a successfully scanned QR Code.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-02-23 16:29:05 +02:00
Anurag Das
be97da671c wpadebug: Add activity to select method for QR Code scanning
Add QrCodeReadActivity that makes a decision to select between InputUri
and QrCodeScannerActivity depending on the availability of the camera in
the device.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-02-23 15:37:49 +02:00
Jouni Malinen
c7d89a87d8 wpadebug: Close InputUri activity automatically on DPP URI completion
Check the entered text and stop automatically at the end of full DPP
URI.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-02-22 14:55:03 +02:00
Jouni Malinen
83565fd21e wpadebug: Add main screen buttons for QR Code operations
These can be used for manual testing of the DPP QR Code functionality.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-02-22 14:55:00 +02:00
Anurag Das
8b244b0009 wpadebug: A dialog activity to input the URI from QR Code Scanner
This should help to read the URI from the QR Code Scanner's (USB HID
devices instead of USB video device) that decodes the QR Code.
This dialog box provisions the mechanism to enter the decoded
URI code from such hardware devices.

This dialog can be used with:
am start -n w1.fi.wpadebug/w1.fi.wpadebug.InputUri

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-02-22 14:42:05 +02:00
Jouni Malinen
0b851ec752 wpadebug: Update default project target to android-22
This matches the current zxing target level and as such, is more likely
to be installed on devices that build wpadebug.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-02-22 14:04:40 +02:00
Jouni Malinen
adc5e37a02 tests: Suite B tests with BoringSSL
Enable appropriate Suite B test cases with BoringSSL. Currently, this
means enabling only the 192-bit level ECDSA and ECDHE-RSA since
BoringSSL has removed support for DHE and there is no need to support
128-bit level ECDSA anymore.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-02-19 17:38:40 +02:00
Jouni Malinen
c54cc8bb1d BoringSSL: Set appropriate sigalgs for Suite B RSA 3K cases
This commit takes care of the sigalg configuration using the relatively
recent SSL_CTX_set_verify_algorithm_prefs() addition from April 2017 to
address the functionality that was already there with OpenSSL using
SSL_set1_sigalgs_list().

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-02-19 17:38:37 +02:00
Jouni Malinen
aa6de8e6b6 BoringSSL: Map OpenSSL SUITEB192 cipher into appropriate sigalgs
BoringSSL removed the special OpenSSL cipher suite value "SUITEB192", so
need to map that to the explicit ciphersuite
(ECDHE-ECDSA-AES256-GCM-SHA384), curve (P-384), and sigalg
(SSL_SIGN_ECDSA_SECP384R1_SHA384) to allow 192-bit level Suite B with
ECDSA to be used.

This commit takes care of the sigalg configuration using the relatively
recent SSL_CTX_set_verify_algorithm_prefs() addition from April 2017.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-02-19 16:27:05 +02:00
Jouni Malinen
7a47f34b1a BoringSSL: Map OpenSSL SUITEB192 cipher into appropriate parameters
BoringSSL removed the special OpenSSL cipher suite value "SUITEB192", so
need to map that to the explicit ciphersuite
(ECDHE-ECDSA-AES256-GCM-SHA384), curve (P-384), and sigalg
(SSL_SIGN_ECDSA_SECP384R1_SHA384) to allow 192-bit level Suite B with
ECDSA to be used.

This commit takes care of the ciphersuite and curve configuration.
sigalg change is in a separate commit since it requires a newer
BoringSSL API function that may not be available in all builds.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-02-19 16:26:48 +02:00
Jouni Malinen
3552502344 OpenSSL: Replace SSL_set1_curves_list() with SSL_set1_curves()
In practice, this does the same thing (i.e., allows only the P-384 curve
to be used), but using an older API function that happens to be
available in some BoringSSL builds while the newer one is not.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-02-19 16:02:31 +02:00
Jouni Malinen
007bf37e4b tests: Processing of truncated RSNE fields
Verify that truncated RSN Capabilities field and PMKIDCount field get
ignored.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-02-19 12:26:26 +02:00
Masashi Honma
ede4f68e0a tests: Fix Permission denied on Fedora
On Fedora 26, start.sh fails with these error messages.

Failed to connect to wpa_supplicant global interface: /tmp/wpas-wlan0  error: Permission denied
Failed to connect to wpa_supplicant global interface: /tmp/wpas-wlan0  error: Permission denied
...

This is because Fedora 26 uses "wheel" group as administrative group.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2018-02-17 18:56:38 +02:00
Ben Greear
4ab0f11b80 Allow HT40 on 5 GHz channels 165 and 169
India supports 5 GHz channels 169 and 173 now. Enable HT40 across
channels 165 and 169. Leave channel 173 to remain HT20 only.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2018-02-17 18:52:01 +02:00
Emmanuel Grumbach
299d21e8e2 nl80211: Use the new NL80211_MFP_OPTIONAL option
Now we can configure the network block so that it allows MFP setting for
the NL80211_CMD_CONNECT command. If the kernel finds an AP that requires
MFP, it'll be able to connect to it.

Note that since NL80211_MFP_OPTIONAL isn't supported for
NL80211_CMD_ASSOCIATE, we need to take the MFP configuration outside
nl80211_connect_common(). In addition, check that
NL80211_EXT_FEATURE_MFP_OPTIONAL is supported, to be backward compatible
with older kernels.

Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
2018-02-17 18:50:28 +02:00
Avraham Stern
b8e88d357a wpa_supplicant: Handle port authorized event
When the driver indicates that the connection is authorized (i.e., the
4-way handshake was completed by the driver), cancel the EAP
authentication timeout and set the EAP state machine to success state.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2018-02-17 18:45:26 +02:00
Avraham Stern
a8c45d47d3 nl80211: Handle port authorized event
Indicate that the connection is authorized when receiving a port
authorized event from the driver.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2018-02-17 18:44:08 +02:00
Avraham Stern
0a20bd7d91 driver: Add port authorized event
Add an event that indicates that the 4 way handshake was completed by
the driver.

This event is useful for networks that require 802.1X authentication.
The driver can use this event that a new connection is already
authorized (e.g. when the driver used PMKSA caching) and 802.1X
authentication is not required.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2018-02-17 18:39:41 +02:00
Avraham Stern
05fc7c68f6 nl80211: Add API to set the PMK to the driver
Add support for setting the PMK to the driver. This is used for
drivers that support 4-way handshake offload.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2018-02-17 18:36:16 +02:00
Eliad Peller
0ff08f9636 nl80211: Check 4-way handshake offload support
Set the WPA_DRIVER_FLAGS_4WAY_HANDSHAKE flag if the driver indicates
both 4-way handshake PSK and 802.1X support. Currently wpa_supplicant
doesn't distinguish between 4-way handshake for 802.1X and PSK, but
nl80211 API has different capabilities for each one.

Signed-off-by: Eliad Peller <eliadx.peller@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2018-02-17 18:31:05 +02:00
Eliad Peller
730c5a1d09 nl80211: Support passing PSK on connect
If the driver advertises WPA_DRIVER_FLAGS_4WAY_HANDSHAKE support, pass
the PSK on connect.

Signed-off-by: Eliad Peller <eliadx.peller@intel.com>
2018-02-17 18:31:05 +02:00
Vasyl Vavrychuk
2494bcef24 tests: Add option --dbus for logging D-Bus messages
Signed-off-by: Vasyl Vavrychuk <vvavrychuk@gmail.com>
2018-02-17 18:21:47 +02:00
Vasyl Vavrychuk
2e4707a0a7 tests: Document building of hostapd_cli for hwsim builds
This is used in the tests, too, and was already covered by the build.sh
script, but not this README file.

Signed-off-by: Vasyl Vavrychuk <vvavrychuk@gmail.com>
2018-02-17 18:15:31 +02:00
Arkadiusz Drabczyk
14dcb22a5b wpa_passphrase: Include $(LIBS) for linking
wpa_passphrase requires libcrypto from OpenSSL (or another selected
library). User can set an alternative path to OpenSSL libraries by
defining LIBS at the top of .config but if $(LIBS) is not actually used
wrong libcrypto is used or compilation fails if there is no libcrypto in
the default locations cc is looking for it. It's especially bad for
cross-compilers that fail with 'cannot find -lcrypto' message.

Signed-off-by: Arkadiusz Drabczyk <arkadiusz@drabczyk.org>
2018-02-17 18:11:40 +02:00
Jouni Malinen
4b07484c3d DPP: Do not include common/dpp.h without CONFIG_DPP=y
This header file pulls in an OpenSSL header file and as such, should not
be included without CONFIG_DPP=y to avoid bringing in an unnecessary
build dependency on OpenSSL header files.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-02-17 18:07:43 +02:00
Jouni Malinen
9ec0dfa31f Define host_to_le64() for Windows builds
Signed-off-by: Jouni Malinen <j@w1.fi>
2018-02-17 18:04:54 +02:00
Jouni Malinen
6e3726c09e Fix a typo in disassoc_low_ack documentation
Signed-off-by: Jouni Malinen <j@w1.fi>
2018-02-17 17:59:27 +02:00
Jouni Malinen
57dc90e386 tests: wpa_supplicant AP mode - open network with client isolation
Signed-off-by: Jouni Malinen <j@w1.fi>
2018-02-17 17:57:45 +02:00
Danilo Ravotto
19e20c14fb Add ap_isolate configuration option for wpa_supplicant AP mode
Allow client isolation to be configured with ap_isolate inside
wpa_supplicant configuration file.

Signed-off-by: Danilo Ravotto <danilo.ravotto@zirak.it>
2018-02-17 17:48:31 +02:00
Jouni Malinen
e51e49fccc tests: Fix dbus_set_global_properties failure if run twice
Clear the model_name parameter back to the default (empty string) at the
beginning and the end of dbus_set_global_properties to avoid failures if
the test case is run multiple times.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-02-17 17:41:57 +02:00
Jouni Malinen
50d7cdedae tests: Make dbus_p2p_discovery more robust
Ignore any unexpected deviceLost event before the peer devices has been
discovered. This works around issues where the previous test case
terminates before the D-Bus events have been fully delivered. This could
happen, e.g., when running dbus_p2p_discovery twice in a row.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-02-17 17:21:05 +02:00
Vamsi Krishna
a4016163e8 Extend APF interface for read/write and enable/disable ops
Enhance QCA vendor specific APF interface to support write/read program
and/or data and to enable/disable APF feature.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-02-15 00:26:06 +02:00
Jouni Malinen
b2e4074ca3 OpenSSL: Fix EAP-FAST with OpenSSL 1.1.1-pre1
TLS v1.3 needs to be explicitly disabled to allow cipher suite selection
for EAP-FAST to work with OpenSSL builds that include TLS v1.3 support.
Without this, OpenSSL refuses to generate ClientHello due to the cipher
suite list including only ciphers allowed with older versions than TLS
v1.3.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-02-14 12:40:33 +02:00
Jouni Malinen
a8ec0b8ccc tests: sigma_dut controlled STA as DPP PKEX responder and error case
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-02-13 00:24:50 +02:00
Ashok Ponnaiah
a22e235fd0 OWE: Add testing RSNE for OWE assoc response with driver SME/MLME
Allow RSNE to be overwritten for testing purposes also in the
driver-based SME/MLME case.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-02-12 21:31:04 +02:00
Jouni Malinen
aca4d84e3d DPP: Use wildcard BSSID in GAS query frames
Force use of the wildcard BSSID address in GAS query frames with DPP
regardless of how the gas_address3 configuration parameter is set. DPP
specification mandates this and the use of GAS here is really outside
the context of a BSS, so using the wildcard BSSID makes sense even for
the corner case of Configurator running on a known AP (where IEEE 802.11
standard would allow the BSSID of the AP to be used).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-02-10 12:42:00 +02:00
Jouni Malinen
0887215d94 nl80211: Do not try to add too large NL80211_ATTR_PMK for set/del PMKSA
The current cfg80211 limit for the maximum NL80211_ATTR_PMK length is
48, so anything larger than that will result in the operation completely
failing. Since the PMKSA entries can be used without the PMK for most
purposes (the main use case for PMK currently is offloaded FILS
authentication), try to go ahead by configuring only the PMKID for the
case where 64-octet PMK is needed (which is currently limited to only
DPP with NIST P-521 and brainpoolP512r1 curves). This can fix DPP
connections with drivers that expect to get the PMKID through this
interface while still leaving the actual 4-way handshake for user space.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-02-10 12:16:53 +02:00
Jouni Malinen
e7f6e6ee1b nl80211: Print NL80211_CMD_{SET,DEL}_PMKSA failures in debug log
This makes it easier to notice if the driver operation to manage PMKSA
cache information fails unexpectedly.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-02-10 12:10:07 +02:00
Purushottam Kushwaha
717f236dce wpadebug: Add support for QR Code scanning and display via zxing
Enhance wpadebug application to support scanning and displaying of QR
codes. This depends on a third-party source: zxing
(https://github.com/zxing/zxing).

Shell command to launch scanner/viewer via wpadebug is:
>adb root
>adb shell

Scanner:
>am start -n w1.fi.wpadebug/w1.fi.wpadebug.QrCodeScannerActivity
Viewer:
>am start -n w1.fi.wpadebug/w1.fi.wpadebug.QrCodeDisplayActivity

QR code string input/output file would be generated in
'/sdcard/wpadebug_qrdata.txt' in the device.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-02-08 18:39:41 +02:00
Jouni Malinen
8f7a50a63e tests: MAC ACL accept/deny management
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-02-07 19:45:32 +02:00
Tamizh chelvam
3988046de5 hostapd: Dynamic MAC ACL management over control interface
Previously, MAC ACL could be modified only through file operations
(modify accept/deny_mac_file and reload it to hostapd). Extend this to
allow MAC ACL to be modified and displayed through new control interface
commands:

ACCEPT_ACL <subcmd> [argument]
DENY_ACL <subcmd> [argument]

subcmd: ADD_MAC <addr>[ VLAN_ID=<id>]|DEL_MAC <addr>|SHOW|CLEAR

Signed-off-by: Tamizh chelvam <tamizhr@codeaurora.org>
2018-02-07 19:45:21 +02:00
Jouni Malinen
6a252ece24 DPP: Fix GAS query removal race condition on DPP_STOP_LISTEN
If a DPP_STOP_LISTEN call happens to be received when there is a pending
gas-query radio work that has not yet been started, it was possible for
gas_query_stop() to go through gas_query_done() processing with
gas->work == NULL and that ended up with the pending GAS query getting
freed without removing the pending radio work that hold a reference to
the now freed memory. Fix this by removing the pending non-started radio
work for the GAS query in this specific corner case.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-02-07 18:03:58 +02:00
Jouni Malinen
27a8d93b07 tests: Make dpp_qr_code_curve_select more robust
Wait for the configuration exchange to complete before issuing the
DPP_STOP_LISTEN command to avoid confusing sequence of operation between
the ongoing and immediately following DPP exchanges.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-02-07 17:09:20 +02:00
Jouni Malinen
4370ffc0c4 tests: DPP and PKEX on 5 GHz
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-02-07 16:58:52 +02:00
Jouni Malinen
3b50f8a460 DPP: PKEX initiation on other bands
Add support for wpa_supplicant to try to initiate PKEX on 5 GHz and 60
GHz bands in addition to the previously available 2.4 GHz case. If no
response from a peer device is seen on the 2.4 GHz band (channel 6) for
the five attempts, try the other PKEX channels (5 GHz channels 44 and
149; and 60 GHz channel 2) if they are supported and allowed for
initiating radiation.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-02-07 16:56:43 +02:00
Jouni Malinen
fc031b7ea7 tests: Make owe_transition_mode_multi_bss more robust
Fix bssid2 value to make scanning more reliable for the second OWE BSS.
In addition, reorder the STA status checks to happen before the data
connectivity check to get more accurate failure reason into the log if
the test case fails.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-02-07 13:45:48 +02:00
Jouni Malinen
659ac96d7f ieee802_11_mgmt: Handle frame info more consistently
Check for the fi parameter to be non-NULL before trying to fetch the
ssi_signal information similarly to how the fi->freq was already
handled. While the meta information is supposed to be available, it
looks like there is at least one corner case where fi == NULL could be
used (Authentication frame reprocessing after RADIUS-based ACL).

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-02-07 12:34:41 +02:00
Ashok Ponnaiah
458d8984de SAE: Reject request with mismatching PMKID (no PMKSA cache entry)
Reject SAE association request when PMKID is included in the RSNE, but
the corresponding PMKSA is not available in the AP.

Signed-off-by: Ashok Ponnaiah <aponnaia@codeaurora.org>
2018-02-07 12:24:36 +02:00