Commit graph

15954 commits

Author SHA1 Message Date
Brian Norris
7a9c367225 DBus: Add "sae" to interface key_mgmt capabilities
This will be present when the driver supports SAE and it's included in
the wpa_supplicant build.

Signed-off-by: Brian Norris <briannorris@chromium.org>
2020-02-29 18:01:23 +02:00
Jouni Malinen
200c7693c9 Make WEP functionality an optional build parameter
WEP should not be used for anything anymore. As a step towards removing
it completely, move all WEP related functionality to be within
CONFIG_WEP blocks. This will be included in builds only if CONFIG_WEP=y
is explicitly set in build configuration.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-29 17:45:25 +02:00
Jouni Malinen
bca44f4e4e WPS: Remove static-WEP-only workaround
WEP provisioning was removed from WPS v2, so this workaround
functionality has not been applicable. Remove it completely.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-29 16:56:44 +02:00
Jouni Malinen
886ee6775f tests: Automatic channel selection with hw_mode=any
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-29 11:23:03 +02:00
Neo Jou
b7f1d4f4d6 ACS: Allow hw_mode=any to be used with internal ACS algorithm
This was already supported in the offload ACS case and this commit
completes support for this with the internal ACS algorithm.

Signed-off-by: Neo Jou <neojou@gmail.com>
2020-02-29 11:23:03 +02:00
Neo Jou
d07f1ade90 ACS: Determine mode when using hw_mode=any
Set iface->current_mode and iface->conf->hw_mode when completing ACS
based on the selected channel in the hw_mode=any case.

Signed-off-by: Neo Jou <neojou@gmail.com>
2020-02-29 11:23:03 +02:00
Neo Jou
c60362e6e8 ACS: Extend acs_find_ideal_chan() to support multiple modes
This is preparation for being able to support hw_mode=any to select the
best channel from any supported mode.

Signed-off-by: Neo Jou <neojou@gmail.com>
2020-02-29 11:23:03 +02:00
Neo Jou
141a8815e7 ACS: Extend acs_request_scan() to support multiple modes
Add suitable channel frequencies from all modes into the scan parameters
when a single mode is not specified for ACS. This is preparation for
being able to support hw_mode=any to select the best channel from any
supported mode.

Signed-off-by: Neo Jou <neojou@gmail.com>
2020-02-29 11:23:03 +02:00
Neo Jou
f3c44a196f ACS: Extend interference factor calculation for all modes
This is preparation for being able to support hw_mode=any to select the
best channel from any supported mode.

Signed-off-by: Neo Jou <neojou@gmail.com>
2020-02-29 11:23:03 +02:00
Neo Jou
070522e5b2 ACS: Extend acs_find_chan() for all modes
This is preparation for being able to support hw_mode=any to select the
best channel from any supported mode.

Signed-off-by: Neo Jou <neojou@gmail.com>
2020-02-29 11:23:03 +02:00
Neo Jou
4c1ffb45e4 ACS: Extend acs_surveys_are_sufficient() for all modes
This is preparation for being able to support hw_mode=any to select the
best channel from any supported mode.

Signed-off-by: Neo Jou <neojou@gmail.com>
2020-02-29 11:23:03 +02:00
Neo Jou
3d09be41a8 ACS: Clear all modes in acs_cleanup()
This is preparation for being able to support hw_mode=any to select the
best channel from any supported mode.

Signed-off-by: Neo Jou <neojou@gmail.com>
2020-02-29 11:23:03 +02:00
Neo Jou
499c37b729 ACS: Extend hostapd_get_mode_channel() to find from any mode
This is preparation for being able to support hw_mode=any to select the
best channel from any supported mode.

Signed-off-by: Neo Jou <neojou@gmail.com>
2020-02-29 11:23:03 +02:00
Jouni Malinen
a62d761856 ACS: Fix spelling of "interference"
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-29 11:23:03 +02:00
Jouni Malinen
9551930f1e tests: Initialize wlantest with passphrase for ap_wpa2_ptk_rekey
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-28 23:19:52 +02:00
Jouni Malinen
f5f7286ba5 wlantest: Try to decrypt frame with zero TK
If none of the known PTKs have a working TK, check whether an encrypted
frame is encrypted with all zeros TK.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-28 23:18:59 +02:00
Jouni Malinen
167205d455 os_unix: Seed random() for os_random()
While the users of os_random() do not really need strong pseudo random
numebrs, there is no significant harm in seeding random() with data from
os_get_random(), i.e., /dev/urandom, to get different sequence of not so
strong pseudo random values from os_random() for each time the process
is started.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-28 22:59:32 +02:00
Jouni Malinen
54bc5db16e tests: sigma_dut controlled AP with SAE H2E and anti-clogging token
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-28 19:53:45 +02:00
Jouni Malinen
fd1892885b tests: SAE and opportunistic key caching and PMK lifetime
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-28 18:41:24 +02:00
Jouni Malinen
74db49d74c SAE: Do not use PMKSA entry after its reauth threshold
Since SAE PMK can be updated only by going through a new SAE
authentication instead of being able to update it during an association
like EAP authentication, do not allow PMKSA entries to be used for
caching after the reauthentication threshold has been reached. This
allows the PMK to be updated without having to force a disassociation
when the PMK expires if the station roams between the reauthentication
threshold and expiration timeout.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-28 18:41:24 +02:00
Jouni Malinen
bb93ea234e SAE: Do not clone PMKSA entry for OKC after its reauth threshold
Since SAE PMK can be updated only by going through a new SAE
authentication instead of being able to update it during an association
like EAP authentication, do not allow PMKSA entries to be used for OKC
after the reauthentication threshold has been reached. This allows the
PMK to be updated without having to force a disassociation when the PMK
expires if the station roams between the reauthentication threshold and
expiration timeout.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-28 18:41:24 +02:00
Jouni Malinen
114d124186 SAE: Fix PMKID derivation for OKC
SAE authentication derives PMKID differently from the EAP cases. The
value comes from information exchanged during SAE authentication and
does not bind in the MAC addresses of the STAs. As such, the same PMKID
is used with different BSSIDs. Fix both the hostapd and wpa_supplicant
to use the previous PMKID as is for OKC instead of deriving a new PMKID
using an incorrect derivation method when using an SAE AKM.

This fixes use of opportunistic key caching with SAE.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-28 18:41:20 +02:00
Andrej Shadura
3f10f716af common: Provide the BIT() macro locally
wpa_ctrl.h can be installed separately with libwpa_client, so
utils/common.h won't be available to its users.

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
2020-02-28 11:03:05 +02:00
Jouni Malinen
f5849f1c7c wlantest: Add more notes about decryption into pcapng
Note the used TK/GTK and KeyID in frame notes when writing decrypted
frames to a PCAPNG file.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-28 01:30:00 +02:00
Jouni Malinen
0e3e3a9ab5 wlantest: Update BSS IEs based on EAPOL-Key msg 3/4
If no Beacon or Probe Response frame has been seen in the capture, use
the IEs from EAPOL-Key msg 3/4 to set up BSS information.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-28 00:51:07 +02:00
Jouni Malinen
a8a277c169 wlantest: Get STA IEs based on EAPOL-Key msg 2/4 before PTK derivation
The previous implementation tried to update STA IE information based on
EAPOL-Key msg 2/4 to be able to handle captures that do not include the
(Re)Association Request frame. This was not sufficient (OSEN was not
included) and was done too late (the parsed information is needed for
PMK-to-PTK derivation).

Move the IE update step to happen before trying to derive the PTK if no
(Re)Association Request frame has been seen.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-28 00:35:23 +02:00
Krishna Rao
b8f6b0713a Add attribute for dwell time in QCA vendor scan
Add an attribute QCA_WLAN_VENDOR_ATTR_SCAN_DWELL_TIME for specifying
dwell time in the QCA vendor scan command. This is a common value which
applies across all frequencies requested in the scan.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-26 23:47:37 +02:00
Jouni Malinen
5f11739d58 tests/fuzzing: Update WPA set_key() handler prototype
Update the fizzing test tools to use the new set_key() prototype, i.e.,
add the new key_flag argument, to get rid of compiler warnings.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-25 13:13:06 +02:00
Jouni Malinen
e55dedbf6e tests/fuzzing: Fix build after CONFIG_IEEE80211N=y removal
Commit f3bcd69603 ("Remove CONFIG_IEEE80211N build option") broke
couple of fuzzing test tools due to missing wpa_scan_results_free(). Fix
that by pulling in driver_common.o.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-25 13:08:00 +02:00
Sunil Dutt
ec303e2cb1 Introduce QCA_WLAN_VENDOR_ATTR_CONFIG_ROAM_REASON
This attribute enables/disables the host driver to send roam reason
information in the Reassociation Request frame to the AP in the same
ESS.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-24 20:17:00 +02:00
Sunil Dutt
34640a88d8 Fix enum qca_wlan_vendor_attr_config value prefix
Couple of the attributes were defined with inconsistent prefix in the
name (missing "CONFIG_"). Fix these to use the common prefix for all
enum qca_wlan_vendor_attr_config values. Add defined values for the
incorrect names to avoid issues with existing users.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-24 20:16:56 +02:00
Jouni Malinen
ae750570b6 tests: WPS PBC session overlap detection with single BSSID selected
Update grpform_pbc_overlap not to require PBC session overlap to be
detected since in this sequence a single BSSID is specified and other
APs can be ignored while checking for session overlap. Add other test
cases to explicitly check for the PBC session overlap detection in
non-P2P and P2P cases when the BSSID is specified.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-24 20:04:21 +02:00
Jouni Malinen
3fadb1dcc0 WPS: Ignore other APs if PBC is used with a specific BSSID
While the WSC specification requires the Enrollee to stop PBC
provisioning if the scan sees multiple APs in active PBC mode, this is
problematic due to some deployed devices continuing to advertise PBC
mode for extended duration (or even permanently). Such an environment
will still need to prevent wildcard AP selection with PBC since an
incorrect device could be selected. However, if the Enrollee device has
been explicitly requested to connect to a specific AP based on its
BSSID, the other APs in scan results can be ignored without affecting
which AP would be selected (only the one matching the specified BSSID is
acceptable).

Start filtering scan results for PBC session overlap check based on the
locally specified constraint on the BSSID, if one is set. This allows
PBC to be used with "WPS_PBC <BSSID>" command in environment where
another AP device is claiming to be in active PBC mode while "WPS_PBC"
command will still continue to reject provisioning since the correct AP
cannot be selected.

This will also cover the P2P cases where P2P_CONNECT is used to start or
authorize GO Negotiation and joining-a-GO with a specific P2P GO
Interface Address (BSSID).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-24 19:53:49 +02:00
Jouni Malinen
f1d3856090 nl80211: Beacon protection capability flag and default key type
Add a new capability flag based on the nl80211 feature advertisement and
start using the new default key type for Beacon protection. This enables
AP mode functionality to allow Beacon protection to be enabled. This is
also enabling the previously added ap_pmf_beacon_protection_* hwsim test
cases.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-24 12:20:38 +02:00
Jouni Malinen
2e34f6a53f Sync with mac80211-next.git include/uapi/linux/nl80211.h
This brings in nl80211 definitions as of 2020-02-24.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-24 12:20:05 +02:00
Jouni Malinen
0f84a93f65 Fix a type in wpa_supplicant defconfig
ap_mode=1 explanation in CONFIG_NO_SCAN_PROCESSING=y was really supposed
to be talking about ap_scan=1.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-24 00:05:20 +02:00
Alexander Wetzel
0e05e8781a Simplify wpa_deny_ptk0_rekey documentation
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-02-23 23:59:58 +02:00
Alexander Wetzel
a5944db04a Add wpa_deny_ptk0_rekey to AP get_config() output
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-02-23 23:58:19 +02:00
Alexander Wetzel
8a1660b607 common: Add missing driver flag strings
Add SAFE_PTK0_REKEYS and some other missing strings.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-02-23 23:53:29 +02:00
Jouni Malinen
af9d8c758d tests: Use proper temp files for dynamically created config
Replace the hardcoded /tmp filenames for generated ACL and BSS
configuration files with proper temporary files from tempfile.mkstemp()
to avoid conflicts with existing files or with parallel uses. Remove ACL
files from the local directory at the end of each test case. BSS files
are currently left behind, but can be cleaned up separately if needed
for non-VM testing (VM testing has those on ramdrive so they get dropped
automatically at the end) and for remote devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-23 18:20:50 +02:00
Jouni Malinen
6998ef48c8 tests: Remove unused BSS configuration files
These are now generated dynamically.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-23 17:52:56 +02:00
Jouni Malinen
92f08a3ccd tests: Generate BSS config files in ap_bss_add_remove_during_ht_scan
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-23 17:52:53 +02:00
Jouni Malinen
a066644fcb tests: Generate BSS configuration files in ap_bss_add_out_of_memory
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-23 17:50:44 +02:00
Jouni Malinen
791acc676c tests: Generate BSS configuration files in ap_bss_config_file
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-23 17:50:44 +02:00
Jouni Malinen
387d96f7c5 tests: remove: Fix a typo in a comment
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-23 17:50:44 +02:00
Janusz Dziedzic
bdff1be152 tests: Extend wpas_ctrl_bssid_filter for remote testing
When this test case is ran in remote test environment, there could be
additional APs in scan results after bssid_filter has been disabled.
That breaks the check on SCAN_RESULTS output. Extend this to cover the
remote testing case by using bssid_filter with both known APs listed
instead of full wildcard.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
2020-02-23 17:50:44 +02:00
Janusz Dziedzic
e206c93f31 tests: Fix multi_check() for remote testing
Don't use hardcoded BSSID; instead use the real BSSID from the device.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
2020-02-23 17:50:44 +02:00
Janusz Dziedzic
ba1ff57ad2 tests: remote: Generate and send BSS configuration files
Instead of hardcoded bss-[1-6]*.conf files, generate them using the
correct BSSID for each AP device and send/install them on the remote
client as well if needed.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
2020-02-23 17:50:44 +02:00
Janusz Dziedzic
4b04223f24 hostapd: Replace UDP ctrl_iface global cookies with per-instance ones
The cookie values for UDP control interface commands was defined as a
static global array. This did not allow multi-BSS test cases to be
executed with UDP control interface. For example, after
    hapd1 = hostapd.add_bss(apdev[0], ifname1, 'bss-1.conf')
    hapd2 = hostapd.add_bss(apdev[0], ifname2, 'bss-2.conf')

hapd1->ping() did not work.

Move those cookie values to per-instance location in struct
hapd_interfaces and struct hostapd_data to fix this.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
2020-02-23 17:48:34 +02:00
Janusz Dziedzic
4d14838421 tests: Generate ACL files
Generate ACL files instead of using files with hardcoded values for the
STA MAC addresses. Send the generated files also to the remote client if
required.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
2020-02-23 16:38:23 +02:00