Commit graph

12217 commits

Author SHA1 Message Date
Masashi Honma
4d77d80edd mesh: Add MESH_PMKSA_GET/ADD commands
These commands are the mesh version of the PMKSA_GET/ADD commands. So the usage
and security risk are similar to them. Refer to
commit 3459381dd2 ('External persistent
storage for PMKSA cache entries') also.

The MESH_PMKSA_GET command requires peer MAC address or "any" as an
argument and outputs appropriate stored PMKSA cache. And the
MESH_PMKSA_ADD command receives an output of MESH_PMKSA_GET and re-stores
the PMKSA cache into wpa_supplicant. By using re-stored PMKSA cache,
wpa_supplicant can skip commit message creation which can use
significant CPU resources.

The output of the MESH_PMKSA_GET command uses the following format:
<BSSID> <PMKID> <PMK> <expiration in seconds>

The example of MESH_PMKSA_ADD command is this.
MESH_PMKSA_ADD 02:00:00:00:03:00 231dc1c9fa2eed0354ea49e8ff2cc2dc cb0f6c9cab358a8146488566ca155421ab4f3ea4a6de2120050c149b797018fe 42930
MESH_PMKSA_ADD 02:00:00:00:04:00 d7e595916611640d3e4e8eac02909c3c eb414a33c74831275f25c2357b3c12e3d8bd2f2aab6cf781d6ade706be71321a 43180

This functionality is disabled by default and can be enabled with
CONFIG_PMKSA_CACHE_EXTERNAL=y build configuration option.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2017-01-14 18:07:46 +02:00
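A format check for the `<BSSID> <PMKID> <PMK> <expiration in seconds>` line described in the commit above, useful before a stored line is handed back to MESH_PMKSA_ADD. This is an added example, not wpa_supplicant code: `pmksa_entry_check()` and `hex_field()` are hypothetical names, and the field lengths (32 and 64 hex digits) are assumed from the two example lines in the commit message.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed field sizes, taken from the example lines in the commit message:
 * 16-octet PMKID and 32-octet PMK, written as hex digits. */
#define PMKID_HEX_LEN 32
#define PMK_HEX_LEN 64

/* 1 if s is exactly len characters of hex; with colons set, every third
 * character must be ':' instead (xx:xx:xx:xx:xx:xx). */
static int hex_field(const char *s, size_t len, int colons)
{
	size_t i;

	if (strlen(s) != len)
		return 0;
	for (i = 0; i < len; i++) {
		if ((colons && i % 3 == 2) ? s[i] != ':' :
		    !isxdigit((unsigned char) s[i]))
			return 0;
	}
	return 1;
}

/* Hypothetical helper: 0 if line is "<BSSID> <PMKID> <PMK> <expiration>"
 * with nothing after it, -1 otherwise. */
int pmksa_entry_check(const char *line)
{
	char bssid[18], pmkid[PMKID_HEX_LEN + 2], pmk[PMK_HEX_LEN + 2], exp[11];
	int used = 0;

	/* Widths are one more than the expected length so that an over-long
	 * field is seen as over-long instead of being split silently. */
	if (sscanf(line, "%17s %33s %65s %10s%n", bssid, pmkid, pmk, exp,
		   &used) != 4 || line[used] != '\0')
		return -1;
	if (!hex_field(bssid, 17, 1) || !hex_field(pmkid, PMKID_HEX_LEN, 0) ||
	    !hex_field(pmk, PMK_HEX_LEN, 0))
		return -1;
	/* Expiration: 1 to 9 decimal digits, so no sign and no overflow */
	if (strlen(exp) > 9 || strspn(exp, "0123456789") != strlen(exp))
		return -1;
	return 0;
}

int main(void)
{
	/* First example line from the commit message */
	printf("%d\n", pmksa_entry_check("02:00:00:00:03:00 231dc1c9fa2eed0354ea49e8ff2cc2dc cb0f6c9cab358a8146488566ca155421ab4f3ea4a6de2120050c149b797018fe 42930"));
	return 0;
}
```

The third field is the PMK itself, so a file holding these lines needs the same protection as any other key store.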
Jouni Malinen
117875db33 D-Bus: Add GroupMgmt entry into the interface Capabilities dict
This can be used to determine whether the driver supports PMF and if so,
with which group management cipher suites. In addition, add the missing
pairwise and group cipher suite values to the documentation while adding
this new entry there as well.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-14 17:41:20 +02:00
Stijn Tintel
3cdb4ac074 D-Bus: Add pmf to global capabilities
This indicates that the wpa_supplicant binary has been compiled with PMF
support.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-01-14 17:29:22 +02:00
Jouni Malinen
76055b4c61 tests: D-Bus Get/Set Pmf
Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-14 17:28:25 +02:00
Stijn Tintel
adf8f45f8a D-Bus: Implement Pmf property
The Pmf property is documented in doc/dbus.doxygen, but does not exist,
so implement it.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-01-14 17:28:00 +02:00
Jouni Malinen
b98706c14b RSN IBSS: Fix TK clearing on Authentication frame RX
When wpa_supplicant was processing a received Authentication frame (seq
1) from a peer STA for which there was already a TK configured to the
driver, debug log claimed that the PTK gets cleared, but the actual
call to clear the key was actually dropped due to AUTH vs. SUPP set_key
selection. Fix this by explicitly clearing the TK in case it was set
and an Authentication frame (seq 1) is received.

This fixes some cases where EAPOL-Key frames were sent encrypted using
the old key when a peer STA restarted itself and lost the key and had to
re-join the IBSS. Previously, that state required timing out the 4-way
handshake and Deauthentication frame exchange to recover.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-14 13:56:18 +02:00
Jouni Malinen
c5420f9c92 tests: Disable HT in ibss_rsn to avoid a strange issue with mac80211
When fixing the TK clearing on Authentication frame RX, an issue in
getting unicast frames through after re-joining the IBSS was hit. It is
not exactly clear why this happens, but the unicast frame from the STA
that re-joined the network gets lost in the frame reorder buffer of the
STA that remains in the network.

For now, this disables HT to avoid a strange issue with mac80211
frame reordering during the final test_connectivity() call. Once that is
figured out, these disable_ht=1 calls should be removed from the test
case.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-14 13:54:02 +02:00
Jouni Malinen
f38de833e1 tests: AP dropping duplicate management frames
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-14 01:10:32 +02:00
Jouni Malinen
fa67debf4c Fix duplicate Reassociation Request frame dropping
Relational operators (==) have higher precedence than the ternary
conditional in C. The last_subtype check for association/reassociation
was broken due to incorrect assumption about the precedence. Fix this by
adding parentheses around the ternary conditional.

The previous implementation worked for Association Request frames by
accident since WLAN_FC_STYPE_ASSOC_REQ happens to have value 0 and when
the last received frame was an Association Request frame, the
sta->last_subtype == reassoc check was true and non-zero
WLAN_FC_STYPE_REASSOC_REQ was interpreted as true. However, this was
broken for Reassociation Request frame. reassoc == 1 in that case could
have matched received Association Response frame (subtype == 1), but
those are not received in AP mode and as such, this did not break other
behavior apart from not being able to drop duplicated Reassociation
Request frames.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-14 01:04:31 +02:00
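The precedence problem described in the commit above, reduced to a stand-alone model. This is an added example, not the hostapd source: `struct sta_model`, `is_dup_before()` and `is_dup_after()` are hypothetical, and the condition is simplified to the sequence-control and subtype comparison; the subtype values are the IEEE 802.11 management frame subtypes the commit message refers to.

```c
#include <stdio.h>

/* IEEE 802.11 management frame subtype values */
#define WLAN_FC_STYPE_ASSOC_REQ 0
#define WLAN_FC_STYPE_ASSOC_RESP 1
#define WLAN_FC_STYPE_REASSOC_REQ 2

/* Hypothetical stand-in for the per-STA "last received frame" state */
struct sta_model {
	int last_seq_ctrl;
	int last_subtype;
};

/* Constructed sample states: last frame had seq_ctrl 0x10 and this subtype */
static const struct sta_model AFTER_ASSOC = { 0x10, WLAN_FC_STYPE_ASSOC_REQ };
static const struct sta_model AFTER_REASSOC = { 0x10, WLAN_FC_STYPE_REASSOC_REQ };
static const struct sta_model AFTER_ASSOC_RESP = { 0x10, WLAN_FC_STYPE_ASSOC_RESP };

/* Before: parses as (seq match && last_subtype == reassoc) ? 2 : 0, so the
 * result is the selected constant, not the outcome of a comparison. */
int is_dup_before(const struct sta_model *sta, int seq_ctrl, int reassoc)
{
	return sta->last_seq_ctrl == seq_ctrl &&
		sta->last_subtype == reassoc ? WLAN_FC_STYPE_REASSOC_REQ :
		WLAN_FC_STYPE_ASSOC_REQ;
}

/* After: the parenthesized ternary picks the expected subtype first, and
 * that value is then compared with last_subtype. */
int is_dup_after(const struct sta_model *sta, int seq_ctrl, int reassoc)
{
	return sta->last_seq_ctrl == seq_ctrl &&
		sta->last_subtype == (reassoc ? WLAN_FC_STYPE_REASSOC_REQ :
				      WLAN_FC_STYPE_ASSOC_REQ);
}

int main(void)
{
	/* Retransmitted frame: same seq_ctrl and same subtype as the last one */
	printf("dup assoc:   before=%d after=%d\n",
	       !!is_dup_before(&AFTER_ASSOC, 0x10, 0),
	       !!is_dup_after(&AFTER_ASSOC, 0x10, 0));
	printf("dup reassoc: before=%d after=%d\n",
	       !!is_dup_before(&AFTER_REASSOC, 0x10, 1),
	       !!is_dup_after(&AFTER_REASSOC, 0x10, 1));
	return 0;
}
```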
Slava Monich
6ff92677a1 wext: Cancel send_rfkill timeout in deinit
Signed-off-by: Slava Monich <slava.monich@jolla.com>
2017-01-14 00:07:45 +02:00
Jouni Malinen
1e40cf22f4 tests: Fix peerkey_sniffer_check with tshark 1.10.6
It looks like the previous mechanism for catching older tshark versions
for EAPOL-Key key info field was not sufficient. Fix that to cover the
version used in Ubuntu 14.04.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-14 00:05:47 +02:00
Jouni Malinen
7f2905e0da tests: Mesh with two stations that can't reach each other directly (RSN)
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-13 23:26:20 +02:00
Jouni Malinen
fcd3d6ce32 FILS: Fix PMK and PMKID derivation from ERP
This adds helper functions for deriving PMK and PMKID from ERP exchange
in FILS shared key authentication as defined in IEEE Std 802.11ai-2016,
12.12.2.5.2 (PMKSA key derivation with FILS authentication). These
functions are used to fix PMK and PMKID derivation which were previously
using the rMSK directly as PMK instead of following the FILS protocol to
derive PMK with HMAC from nonces and rMSK.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-13 21:07:40 +02:00
Jouni Malinen
ef495c78dd OpenSSL: Implement sha384_vector()
This was forgotten from the addition of SHA384 support and is now needed
for FILS.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-13 21:05:19 +02:00
Dedy Lansky
a70cd0db87 nl80211: Don't register for Beacon frames for IEEE 802.11ad AP
Beacon frames are not supported in IEEE 802.11ad network (DMG-beacons
used instead). To allow hostapd to manage IEEE 802.11ad AP with
device_ap_sme disabled, skip nl80211_register_beacons() for IEEE
802.11ad AP.

Signed-off-by: Dedy Lansky <qca_dlansky@qca.qualcomm.com>
2017-01-13 15:58:01 +02:00
Jouni Malinen
a2aa21a3bf Assign additional vendor specific elements for early HE testing
These elements can be used for pre-standard publication testing of HE
before P802.11ax draft assigns the element ID extension. The payload of
these vendor specific elements is defined by the latest P802.11ax draft.
Please note that the draft is still work in progress and the element
payload is subject to change.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-13 15:05:26 +02:00
Johannes Berg
f5a270b5dc tests: Add a test for mesh forwarding
Add a new test that tests connectivity between two stations that
can't reach each other directly in the mesh, but need forwarding
on another station to talk to each other.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2017-01-13 15:05:26 +02:00
Johannes Berg
f09095d57b wpa_supplicant: Clarify group_rekey documentation
This is also used in mesh and AP modes.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2017-01-13 15:05:26 +02:00
Jouni Malinen
c85dfc6f84 nl80211: Set NL80211_ATTR_IFACE_SOCKET_OWNER for connect and associate
This allows kernel to force disconnection if something kills the
wpa_supplicant process in a manner that does not allow proper cleanup to
be performed. The association is not supposed to be allowed to continue
after the process has ended since there are a number of operations that
wpa_supplicant may need to do during the association.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-13 15:05:26 +02:00
Jouni Malinen
d07f450da9 Sync with mac80211-next.git include/uapi/linux/nl80211.h
This brings in nl80211 definitions as of 2017-01-06.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-13 15:05:26 +02:00
Jouni Malinen
8f315d0505 Fix country code in wpa_supplicant AP mode Country element
country[2] needs to be set to ' ' instead of left to '\0' for the case
where wpa_supplicant sets up AP mode operations and includes the Country
element. Currently, this would be only for DFS channels. Without this,
the Beacon frames would go out with incorrect third octet in the country
code.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-13 15:05:26 +02:00
Jouni Malinen
e437a5aba1 tests: Scan result parsing
Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 18:54:36 +02:00
Jouni Malinen
e4a3e1d076 tests: Add DRIVER_EVENT SCAN_RES for scan result testing
This control interface command can be used to inject scan results from
test scripts to make it easier to test various scan result processing
operations.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 18:39:24 +02:00
Jouni Malinen
29065686ac D-Bus: Fix BSS Mode getter for invalid DMG BSS
Previous version could have used uninitialized char* when a DMG with
invalid capabilities was added to BSS table from scan results.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 18:39:24 +02:00
Jouni Malinen
cc5bf65f29 tests: WPS_AP_PIN failure
Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 17:36:57 +02:00
Jouni Malinen
35320d7a44 tests: WPS_PIN start failure
Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 17:28:15 +02:00
Jouni Malinen
3381d324c9 tests: PIN generation failure
Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 17:24:12 +02:00
Jouni Malinen
765c15d503 tests: Invalid WMM_AC_ADDTS parameter
Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 17:20:02 +02:00
Jouni Malinen
f241a2604a tests: TDLS_CHAN_SWITCH error case
Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 17:16:01 +02:00
Jouni Malinen
c1c938335e tests: TDLS and tdls_external_control
Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 17:12:55 +02:00
Jouni Malinen
b2442f2568 nl80211: Debug prints for TDLS_OPER command and result
Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 17:12:24 +02:00
Jouni Malinen
d85b1aa6de tests: More GET wifi_display coverage
Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 16:52:56 +02:00
Jouni Malinen
74582acc14 tests: wpa_supplicant SET tdls_trigger_control
Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 16:48:59 +02:00
Jouni Malinen
35b023b79a tests: wpa_supplicant SET radio_disabled
Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 14:54:01 +02:00
Jouni Malinen
22e0dade9a tests: wpa_supplicant SET lci error cases
Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 14:51:09 +02:00
Jouni Malinen
479c05b067 tests: Additional bgscan test coverage
Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 14:44:35 +02:00
Jouni Malinen
2901bc2725 bgscan: Remove unnecessary NULL check
The name argument to bgscan_init() cannot be NULL since the only caller
already checks this before the call.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 14:44:34 +02:00
Jouni Malinen
9d6eaad6b8 bgscan: Remove unnecessary NULL check
bgscan_init() is the only caller for the init() function and the
parameters argument is never NULL.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 12:43:33 +02:00
Jouni Malinen
0f9b4a0f1d bgscan: Deliver beacon loss event to bgscan modules
This adds a call to the notify_beacon_loss() callback functions when
beacon loss is detected. In addition, a new CTRL-EVENT-BEACON-LOSS event
is made available through the wpa_supplicant control interface.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 12:17:58 +02:00
Jouni Malinen
688556722c nl80211: More complete processing of connection quality monitor events
This adds processing of beacon loss events and generation of an internal
EVENT_BEACON_LOSS event based on them for wpa_supplicant processing. In
addition, the number of consecutively lost (not acknowledged) packets is now
reported and TXE events are noted in the debug log.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 12:11:14 +02:00
Jouni Malinen
fadaa7b613 tests: Add more wpas_config_file variable coverage
Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 00:10:57 +02:00
Jouni Malinen
ddff4f3c5e tests: Use logdir for config file in wpas_config_file
This reduces use of /tmp for test case specific dynamically created
files.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 00:10:57 +02:00
Jouni Malinen
54736d8358 Store FST parameters to configuration file
This was forgotten when the parameters were added.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 00:10:57 +02:00
Jouni Malinen
35c78f7b97 Store osu_dir to configuration file
This was forgotten when the parameter was added.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 00:10:57 +02:00
Jouni Malinen
1f539c78f4 Store autoscan to configuration file
This was forgotten when the parameter was added.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 00:10:57 +02:00
Jouni Malinen
58ed9e31d1 Store filter_rssi to configuration file
This was forgotten when the parameter was added.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 00:10:57 +02:00
Jouni Malinen
1fb1bf99d6 Write sec_device_type to configuration file
This is more consistent with other global configuration parameters.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 00:10:57 +02:00
Jouni Malinen
b4bdeadfaf Make "SET" behavior more consistent for dot11RSNA parameters
These parameters are global configuration parameters for wpa_supplicant
and the special control interface SET command handlers for them were
preventing the configuration update. Make this more consistent by
updating the configuration parameter as well since that is what all the
other SET <global config param> commands do.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 00:10:57 +02:00
Jouni Malinen
e3394c0e2c Make "SET non_pref_chan .." behavior more consistent
non_pref_chan is a global configuration parameter for wpa_supplicant and
the special control interface SET command handler for it was preventing
the configuration update. Make this more consistent by updating the
configuration parameter as well since that is what all the other SET
<global config param> commands do.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 00:10:57 +02:00
Jouni Malinen
f8c201862e Fix cert_in_cb parsing in wpa_supplicant.conf
Commit 483dd6a5e0 ('Include peer
certificate always in EAP events') added this wpa_supplicant global
configuration parameter, but forgot to add the actual parsing of it, so
there was no way of setting the value.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 00:10:57 +02:00