Commit graph

14792 commits

Author SHA1 Message Date
Mathy Vanhoef
3e34cfdff6 WPA: Ignore unauthenticated encrypted EAPOL-Key data
Ignore unauthenticated encrypted EAPOL-Key data in supplicant
processing. When using WPA2, these are frames that have the Encrypted
flag set, but not the MIC flag.

When using WPA2, EAPOL-Key frames that had the Encrypted flag set but
not the MIC flag, had their data field decrypted without first verifying
the MIC. In case the data field was encrypted using RC4 (i.e., when
negotiating TKIP as the pairwise cipher), this meant that
unauthenticated but decrypted data would then be processed. An adversary
could abuse this as a decryption oracle to recover sensitive information
in the data field of EAPOL-Key messages (e.g., the group key).
(CVE-2018-14526)

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-08-08 16:51:35 +03:00
Jouni Malinen
2133a7cd7d tests: Check both FT and non-FT connections in ap_hs20_ft
Verify that the automatically generated network profile is able to
connect to a non-FT network automatically after having used FT for the
first connection.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-08-03 00:40:51 +03:00
Jouni Malinen
c06cd3e0ac HS 2.0: Fix hs20-osu-client handling of HomeSP/HomeOIList/<X+>/HomeOI
This node was mapped to a SET_CRED roaming_consortium command with
quotation marks even though this is a hexdump of the OI. Remove the
quotation marks to allow this to be set correctly in the wpa_supplicant
credential.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-08-02 16:15:14 +03:00
Jouni Malinen
0a3742950e tests: Extend eap_proto_aka_prime to cover additional AT_KDF cases
Verify that EAP-AKA' client rejects Challenge with an appended AT_KDF
and a modified AT_KDF value during KDF negotiation.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-08-02 15:36:24 +03:00
Jouni Malinen
63add34eb0 tests: sigma_dut with various AP KeyMgnt values
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-08-01 18:45:53 +03:00
Jouni Malinen
ecec4878b7 Provide more details of WPA3 modes in wpa_supplicant.conf
Clarify that proto=RSN is used for WPA3 and add the WPA3-Personal name
for SAE and include OWE as a possible key_mgmt value.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-08-01 17:55:50 +03:00
Jouni Malinen
e7d73c378d Provide more details of WPA3 modes in hostapd.conf
Clarify that wpa=2 (i.e., RSN) is used for WPA3 and list previously
undocumented wpa_key_mgmt values.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-08-01 17:51:42 +03:00
Kiran Kumar Lokere
cbdf5a49c8 Define test config vendor attribute to override MU EDCA
Add a new test config QCA vendor attribute to override the MU EDCA
parameters to default values in the driver for test configuration. This
is used for configuring the testbed device.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-08-01 17:38:47 +03:00
Jouni Malinen
f5dd150aac tests: OSEN with two group ciphers allowed on client side
This verifies the new default behavior for OSEN in Single SSID capable
devices.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-07-31 00:33:08 +03:00
Jouni Malinen
c1721f05a0 HS 2.0: Allow CCMP as group cipher for OSEN single SSID case
When OSEN is used in the BSS that is shared both for production data and
OSU uses, the group cipher might be either GTK_NOT_USED (like in Rel 2
OSEN) or CCMP. Modify hs20-osu-client to allow both these group ciphers
to be used when requesting OSEN connection.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-07-31 00:32:53 +03:00
Jouni Malinen
686ca5c45b tests: Verify T&C Server URL generation result
Check that the @1@ macro gets replaced correctly both when in the middle
and when in the end of the URL template.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-07-31 00:21:59 +03:00
Jouni Malinen
5ca1196577 HS 2.0: Fix Terms and Conditions Server URL macro replacement
The last character of the STA MAC address got replaced with 0x00 due to
truncation if the @1@ macro was used at the end of the URL. Fix this
case by allocating larger buffer for the URL.

Fixes: d4e39c51f8 ("HS 2.0: Move Terms and Conditions Server URL generation from AP to AS")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-07-31 00:07:36 +03:00
Kiran Kumar Lokere
420b5dd814 Define test config QCA vendor attribute for HE MAC padding duration
Add a new wifi test config QCA vendor attribute to configure HE
trigger frame MAC padding duration value in the driver.
This is used for testbed configuration.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-07-06 21:27:01 +03:00
Hu Wang
8a9950f7b6 nl80211: Indicate interface up only for the main netdev
ifname is checked for interface down event in commit
106fa1e97e ("nl80211: Indicate
interface-down event only for the main netdev"). Do the same for
interface up event to avoid unexpected notifications when the master
interface (e.g., a bridge interface) is set up while then WLAN interface
remains down.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-07-05 13:41:46 +03:00
Sathishkumar Muruganandam
c809756f9f nl80211: Allocate nl_sock for NETLINK_ROUTE when already_in_bridge
When we start hostapd having Hotspot 2.0 configuration with interface
already added to bridge interface, addition and deletion of new neighbor
to bridge ip neighbor table fails.

This is since 'bss->added_if_into_bridge' is not set which only allows
'drv->rtnl_sk' (nl_sock for NETLINK_ROUTE) allocation needed for bridge
ip neighbor table.

Add a new bit 'already_in_bridge' and set it when interface is already
added to bridge by some external component. Check this bit in addition
to 'bss->added_if_into_bridge' for 'drv->rtnl_sk' allocation done in
i802_init().

Now 'drv->rtnl_sk' is closed in wpa_driver_nl80211_deinit() regardless of
'bss->added_if_into_bridge' since when we have 'bss->already_in_bridge'
case too, this need to be removed.

brctl show

bridge name     bridge id               STP enabled     interfaces
br0             8000.8efdf006b050       no              ap

hostapd_cli raw STATUS-DRIVER

Selected interface 'ap'
ifindex=15
ifname=ap
brname=br0
addr=8e:fd:f0:06:b0:50
freq=5180
beacon_set=1
already_in_bridge=1
..

Signed-off-by: Sathishkumar Muruganandam <murugana@codeaurora.org>
2018-07-05 13:36:27 +03:00
Peng Xu
946e35eace nl80211: Skip vendor specific DFS offload if upstream mechanism is used
Since the generic DFS offload support flag is added as
NL80211_EXT_FEATURE_DFS_OFFLOAD, only use the vendor command to check
DFS capablity if the flag is not already set.

Signed-off-by: Peng Xu <pxu@codeaurora.org>
2018-07-05 13:18:28 +03:00
Kiran Kumar Lokere
7bf86e4416 Define test config QCA vendor attribute for HE MU EDCA params
Add a new wifi test config QCA vendor attributes to configure
HE MU EDCA parameters value in the driver.
This is used for testbed configuration.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-07-03 18:12:44 +03:00
Kiran Kumar Lokere
6cc77193c6 Define test config QCA vendor attribute for Tx beamformee NSTS
Add a new wifi test config QCA vendor attribute to configure Tx
beamformee number of space-time streams value in the driver.
This is used for testbed configuration.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-06-28 18:37:01 +03:00
Jouni Malinen
73d3f88418 HS 2.0: CoA-Request from Terms and Conditions server
This extends the terms.php implementation of Hotspot 2.0 Terms and
Conditions server to allow it to interact with hostapd(AS) to clear the
filtering rules from the AP. After requesting hostapd to send out the
CoA-Request, terms.php waits for up to 10 seconds to see whether the
current_sessions table gets an update to indicate that filtering has
been successfully disabled.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-06-22 20:22:40 +03:00
Jouni Malinen
6ccab679c2 tests: ap_hs20_terms_and_conditions_sql to test DAC_REQUEST
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-06-22 19:37:18 +03:00
Jouni Malinen
abed6136ae RADIUS: Add DAC implementation in hostapd(AS)
The new DAC_REQUEST control interface command can now be used to request
hostapd to send out Disconnect-Request and CoA-Request packets for an
existing session.

DAC_REQUEST <disconnect|coa> <MAC Address> [t_c_clear]

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-06-22 19:37:18 +03:00
Jouni Malinen
72aad113c2 RADIUS: Allow 0.0.0.0 to be used as wildard radius_das_client
This allows hostapd DAS to be configured to allow any DAC (with the
matching shared secret) to send Disconnect-Request and CoA-Request
packets.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-06-22 19:37:18 +03:00
Jouni Malinen
d7b60f7a9e tests: Check current_sessions in ap_hs20_terms_and_conditions_sql
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-06-22 19:37:10 +03:00
Jouni Malinen
2122fc83aa RADIUS server: Add current_sessions SQLite table
This can be used to track active sessions, e.g., for the purpose of
issuing RADIUS DAS commands (Disconnect-Request or CoA-Request).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-06-22 19:37:03 +03:00
Jouni Malinen
ed83029c29 tests: Move hs20_t_c_server_url parameter from AP to AS
This is needed with the modified hostapd implementation to fix the
ap_hs20_terms_and_conditions* test cases.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-06-21 20:52:54 +03:00
Jouni Malinen
d4e39c51f8 HS 2.0: Move Terms and Conditions Server URL generation from AP to AS
This makes it more convenient to generate the URL in a way that
interoperates between different vendors. The AP is simply copying the
already constructed URL as-is from Access-Accept to WNM-Notification.
This means that the HO AAA can generate the URL in a manner that works
for the associated T&C Server without having to coordinate with each AP.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-06-21 20:50:54 +03:00
Jouni Malinen
e6f8042d17 tests: hs20-osu-client testing for PPS MO parsing
This adds a mechanism to allow hs20-osu-client set_pps command to be
tested with PPS MO files.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-06-21 19:18:54 +03:00
Jouni Malinen
de3885fcc7 HS 2.0: Process Credential/UsernamePassword/EAPMethod nodes in PPS MO
This allows hs20-osu-client to configure wpa_supplicant credential with
a specific EAP method so that roaming consortium OI -based matching can
be used.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-06-21 19:16:26 +03:00
Jouni Malinen
db856f47ef tests: Fix mbo_supp_oper_classes with new regdb
Change country code KZ to SY for the 2.4 GHz only case since 5 GHz rules
were added for KZ.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-06-20 15:23:50 +03:00
Jouni Malinen
e96fa19753 tests: Add more details on sae_bignum_failure logs
It is easier to understand the hostapd debug log here if each step is
noted there before starting the wpa_supplicant operation. In addition,
it looks safer to process all pending event messages between each step
to avoid running out of any buffer limits.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-06-20 13:07:38 +03:00
Jouni Malinen
3a8dd390c9 SAE: Allow authentication restart on AP
In the infrastructure BSS case, the AP needs to clear pending SAE state
if a new Commit message is received when already in Committed state.
This allows the non-AP STA to negotiate a new group if it ends up trying
to go through SAE authentication again before the AP side has removed
the previous STA entry.

This fixes an issue where a kernel update changed something in SAE
timing or authentication sequence and started failing the
sae_bignum_failure hwsim test case.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-06-20 13:04:31 +03:00
Jouni Malinen
b1e1187744 tests: sigma_dut controlled AP with EAP+OSEN
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-06-19 00:39:42 +03:00
Jouni Malinen
a10f5714cc HS 2.0: Allow Hotspot 2.0 version number to be overridden for build
This can be used for testing and development purposes.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-06-18 20:11:52 +03:00
Jouni Malinen
2403edb8fd tests: P2P and avoid frequencies driver event on 5 GHz
This test case verifies that wpa_supplicant is able to perform CSA to a
VHT80 channel when having to move the GO due to an avoid-frequencies
driver event.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-06-18 20:11:52 +03:00
Jouni Malinen
e8cf9fc33f P2P: Use more compact debug print of common group frequencies
Print the list of frequencies on a single line instead of one line per
frequency.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-06-15 22:28:05 +03:00
Jouni Malinen
26eac0a998 P2P: Improve common group channel selection if GO needs to be moved
Prefer channels that support VHT80 (and secondarily, HT40 on the same
band) over other common group channels. If no such channel is found,
prefer any channel that uses the same band so that CSA can be used. This
improves the case where a P2P GO needs to move to another channel and
there is no other reason (e.g., preferred channel from the driver or an
already used channel from a virtual interface sharing the same radio) to
pick a specific channel.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-06-15 22:28:05 +03:00
Jouni Malinen
616178a2ad P2P/AP: More detailed debug prints on HT/VHT parameter selection
This makes it easier to debug why wpa_supplicant selects particular
HT/VHT parameters for AP/P2P GO mode.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-06-15 21:40:43 +03:00
Jouni Malinen
c6f01fbf26 nl80211: Add more command/event names to debug prints
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-06-15 21:40:08 +03:00
Jouni Malinen
25bd4e7beb tests: Associated STA indicating 40 MHz intolerant and hostapd deinit
This is a regression test for a forgotten ap_ht2040_timeout() eloop
timer callback on AP interface removal.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-12 21:47:43 +03:00
Martin Willi
4a0e011560 AP: Fix HT 20/40 co-ex transition timer cancellation on iface removal
When removing an interface, hostapd_bss_deinit() frees all associated
STAs. If any of the stations is 40MHz intolerant, the cleanup invokes
ht40_intolerant_remove(), that in turn registers a 20->40MHz transition
timer for the last station (ap_ht2040_timeout() function). That timer is
never canceled; once it executes, the interface is gone, most likely
resulting in a segfault when referencing it.

While hostapd_interface_deinit() cancels the transition timer, it does
so before cleaning up STAs. Move the cancellation after STA cleanup to
cancel any timer that was registered during that operation.

Signed-off-by: Martin Willi <martin@strongswan.org>
2018-06-12 21:45:10 +03:00
Peng Xu
b915f2cdf2 nl80211: Handle NL80211_CMD_WIPHY_REG_CHANGE event
Handle NL80211_CMD_WIPHY_REG_CHANGE the same way as the
NL80211_CMD_REG_CHANGE event. The wiphy-specific event is generated by
the cfg80211 reg_process_self_managed_hints() function, e.g., when going
through regulatory_set_wiphy_regd_sync_rtnl(). Previously, such events
were ignored completely in hostapd/wpa_supplicant.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-06-07 00:05:39 +03:00
Jouni Malinen
c3e4f40cd6 FT: Derive PMKR0Name/PMKR1Name using SHA-384 with AKM 00-0F-AC:13
The AKM 00-0F-AC:13 is supposed to use cryptographic algorithms
consistently, but the current IEEE 802.11 standard is not doing so for
the key names: PMKID (uses SHA-1), PMKR0Name/PMKR1Name (uses SHA-256).
The PMKID case was already implemented with SHA-384 and this commit
replaces use of SHA-256 with SHA-384 for PMKR0Name/PMKR1Name derivation
to be consistent in SHA-384. While this is not compliant with the
current IEEE 802.11 standard, this is clearly needed to meet CNSA Suite
requirements. Matching change is being proposed in REVmd to get the IEEE
802.11 standard to meet the use case requirements.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-06-06 23:59:46 +03:00
Jouni Malinen
fe102801f6 tests: SAE reauthentication
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-06-06 23:59:46 +03:00
Jouni Malinen
e8d08cf378 SAE: Do not drop STA entry on reauthentication in infrastructure BSS
A new SAE Commit message should not be allowed to drop an existing STA
entry since the sender of that Commit message cannot be authenticated
before receiving the Confirm message. This is important in particular
when PMF is used since this would provide a potential new path for
forcing a connection to be dropped.

Fix this by allowing a new SAE Authentication instance to be started
when the old instance is in Accepted state and the new Commit message
does not use the same peer-scalar value (checked in
sae_parse_commit_scalar()). When PMF is used, the AP will use SA Query
procedure when receiving the (Re)Association Request frame. In theory,
that step could be skipped in case of SAE Authentication since the
non-AP STA is demonstrating knowledge of the password. Anyway, there is
no allowance for that exception in the IEEE 802.11 standard, so at least
for now, leave this using SA Query procedure just like any other PMF
case.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-06-06 01:22:01 +03:00
Jouni Malinen
ffcaca68d3 tests: FT with different BIP algorithms
Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-05 21:50:36 +03:00
Jouni Malinen
ef13b33afc FT: Support BIP-CMAC-256, BIP-GMAC-128, BIP-GMAC-256 in STA case
wpa_supplicant was hardcoded to use BIP-CMAC-128 in FT protocol if PMF
was enabled. Extend that to allow the other BIP algorithms to be used as
well.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-05 21:50:36 +03:00
Jouni Malinen
ff168f8c23 FT: Support 256-bit IGTK in AP case
hostapd was hardcoded to use 128-bit IGTK in FT protocol (IGTK
subelement in FTE). Extend that to allow 256-bit IGTK (i.e.,
BIP-CMAC-256 and BIP-GMAC-256) to be used as well.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-05 21:50:36 +03:00
Jouni Malinen
2842987879 tests: FILS+FT with SHA384
Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-05 21:50:36 +03:00
Jouni Malinen
2cf36d6085 FT: Handle AssocResp generation failures as fatal errors
Instead of sending out a partially completed frame, abort the
association process if something unexpected happens and remove the STA
entry.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-05 21:50:36 +03:00
Jouni Malinen
c52626489a tests: Split ap_ft_ap_oom7 into separate test cases
The implementation changes in hostapd FT error path handling in the
follow commit would result in ap_ft_ap_oom7 test case failing. This is
triggered partially by PMF protections and SA Query attempts, so it
looks like it is easier to split each failure case into a separate test
case.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-05 21:50:01 +03:00