Commit graph

8280 commits

Author SHA1 Message Date
Kiran Kumar Lokere
800fb69970 QCA vendor attribute to allow 6 GHz connection with all security types
Add a QCA vendor attribute to configure the driver to allow the 6 GHz
connection with all security types. This attribute is used for testing
purposes.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-03-04 18:05:06 +02:00
Kiran Kumar Lokere
1a60099f26 QCA vendor attribute to ignore SAE H2E requirement mismatch
Add a QCA vendor attribute to ignore SAE H2E requirement mismatch for 6
GHz connection. This attribute is used for testing purposes.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-03-04 18:04:07 +02:00
Jouni Malinen
b5e3d92ee4 OCV: Fix OCV-FAILURE event address for FT Reassociation Response frame
sm->bssid is still the BSSID of the previous AP at this point in the FT
protocol, so need to show the target AP's BSSID instead in the failure
message.

Fixes: 8c1f61e820 ("OCV: Report OCI validation failures with OCV-FAILURE messages (STA)")
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-28 23:50:50 +02:00
Jouni Malinen
4a5f6e88b2 SAE: Use more explicit IE payload validation steps
This is an attempt of making the code easier to understand for static
analyzers. The helper functions were already verifying that these IEs
are fully within the memory buffer, but that may not have been clear
enough for automated analysis.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-28 18:39:49 +02:00
Jouni Malinen
57fec19dab Use more consistent iface->conf checks
Commit f1df4fbfc7 ("mesh: Use setup completion callback to complete
mesh join") added a check for iface->conf being NULL into a debug print.
However, it is not clear how that could be NULL here. In any case,
setup_interface() could end up dereferencing iface->conf in the call to
hostapd_validate_bssid_configuration(), so better be consistent with the
checks and not get warnings from static analyzers regardless of whether
this can happen in practice.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-28 11:51:16 +02:00
Jouni Malinen
b8211e1e75 PASN: Avoid unreachable code with CONFIG_NO_RADIUS
There is no point in trying to build in rest of this function if in the
middle of it the CONFIG_NO_RADIUS case would unconditionally fail.
Simply make all of this be conditional on that build parameter not being
set to make things easier for static analyzers.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-28 11:37:47 +02:00
Jouni Malinen
9a1136b7f1 FILS: Fix RSN info in FD frame for no-group-addressed
The value from the initial RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED check
ended up getting overridden with the following if. This was supposed to
be a single if statement to avoid that.

Fixes: 9c02a0f5a6 ("FILS: Add generation of FILS Discovery frame template")
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-28 11:27:42 +02:00
Jouni Malinen
6035969e0e Fix dynamic EAP library building
Build eap_*.so into the wpa_supplicant similarly with the wpa_supplicant
binary and include the shared helper functions from additional files
into the builds. This got broken at some point with the build system
changes.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-27 23:42:21 +02:00
Jouni Malinen
a826ff2d95 Ignore group-addressed SA Query frames
These frames are used for verifying that a specific SA and protected
link is in functional state between two devices. The IEEE 802.11
standard defines only a case that uses individual MAC address as the
destination. While there is no explicit rule on the receiver to ignore
other cases, it seems safer to make sure group-addressed frames do not
end up resulting in undesired behavior. As such, drop such frames
instead of interpreting them as valid SA Query Request/Response.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-27 20:27:00 +02:00
Jouni Malinen
205c35ceff nl80211: Allow compilation with both vendor do_acs() handlers
Use a helper function as the do_acs() callback to allow builds to pull
in all the vendor specific operations into a single binary.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-27 17:57:08 +02:00
Xinrui Sun
61a258e784 nl80211: Add ACS support for Broadcom device
BRCM vendor command used to trigger ACS scan. After ACS finished,
DHD driver will send results by event BRCM_VENDOR_EVENT_ACS.

Signed-off-by: Xinrui Sun <xinrui.sun@broadcom.com>
2021-02-27 12:14:09 +02:00
Ben Greear
827b43b3ca RADIUS client: Support SO_BINDTODEVICE
Allow the RADIUS client socket to be bound to a specific netdev. This
helps hostapd work better in VRF and other fancy network environments.

Signed-off-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: Andreas Tobler <andreas.tobler at onway.ch>
2021-02-27 10:51:15 +02:00
Sunil Dutt
3a05f89edc Android: Add DRIVER command support on hostapd and hostapd_cli
Add DRIVER command support on hostapd and hostapd_cli on Android
similarly to the way this previously enabled in wpa_supplicant and
wpa_cli.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-26 20:22:41 +02:00
Sreeramya Soratkal
50baf345b4 TDLS: Support TDLS operations in HE mode
Determine if the TDLS peer is HE capable based on HE Capability element
received in the TDLS Setup Response frame. Indicate the peer's HE
capabilities to the driver through sta_add().

Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
2021-02-26 20:16:48 +02:00
Jouni Malinen
184c824689 P2P: Add device address to the debug entry on oldest peer removal
This makes it easier to understand debug logs with large number of peer
entries.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-25 20:09:58 +02:00
Jouni Malinen
8460e32309 P2P: Fix a corner case in peer addition based on PD Request
p2p_add_device() may remove the oldest entry if there is no room in the
peer table for a new peer. This would result in any pointer to that
removed entry becoming stale. A corner case with an invalid PD Request
frame could result in such a case ending up using (read+write) freed
memory. This could only by triggered when the peer table has reached its
maximum size and the PD Request frame is received from the P2P Device
Address of the oldest remaining entry and the frame has incorrect P2P
Device Address in the payload.

Fix this by fetching the dev pointer again after having called
p2p_add_device() so that the stale pointer cannot be used.

Fixes: 17bef1e97a ("P2P: Add peer entry based on Provision Discovery Request")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-25 20:09:46 +02:00
Kiran Kumar Lokere
59e9794c7d QCA vendor attribute to configure Punctured Preamble Rx in HE cap
Add a QCA vendor attribute to enable/disable the Punctured Preamble Rx
support in HE PHY capabilities.

This attribute is used for testing purposes.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-23 00:46:37 +02:00
Kiran Kumar Lokere
875d7be38c QCA vendor attribute to disable data and management frame Tx
Add a QCA vendor attribute to configure the driver to disable data and
management response frame transmission to test the BSS max idle period
feature.

This attribute is used for testing purposes.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-23 00:46:31 +02:00
Kiran Kumar Lokere
ecb7590f34 QCA vendor attribute to configure RU 242 tone for data Tx
Add a QCA vendor attribute to configure the driver/firmware to use only
RU 242 tone for data frame transmission.

This attribute is used for testing purposes.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-23 00:46:27 +02:00
Kiran Kumar Lokere
8d23297128 QCA vendor attribute to configure BSS max idle period
Add a QCA vendor attribute to configure the driver with a specific BSS
max idle period value to advertise in (Re)Association Request frames.

This attribute is used for testing purposes.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-23 00:46:21 +02:00
Jouni Malinen
dc72854fe2 Fix handle_auth_cb() message length check regression
Reordering of code in handle_auth_cb() when adding support for full
station state messaged up frame length checks. The length was originally
tested before looking at the payload of the frame and that is obviously
the correct location for that check. The location after those full state
state changes was after having read six octets of the payload which did
not help at all since there was no addition accesses to the payload
after that check.

Move the payload length check to appropriate place to get this extra
level of protection behaving in the expected manner. Since this is a TX
status callback handler, the frame payload is from a locally generated
Authentication frame and as such, it will be long enough to include
these fields in production use cases. Anyway, better keep this check in
working condition.

Fixes: bb598c3bdd ("AP: Add support for full station state")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-23 00:30:09 +02:00
Jouni Malinen
976c3c161f DPP2: Accept Config Result before GAS response TX status
The TX event for the next frame in the sequence might be received before
the TX status for the final GAS response frame is processed. This used
to result in the Config Result getting discarded and the negotiation not
completing successfully on the Configurator side.

Accept the Config Result message as an indication of the final GAS
response frame having went through fine even if the TX status has not
yet been processed to avoid this issue from a potential race condition
on kernel events.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-21 16:44:33 +02:00
Jouni Malinen
10502ad59f radiotap: Fix compiler issues with packed structures
Replace the Radiotap parser platform.h file with use of helper functions
from utils/common.h to avoid compiler issues with the updated design and
getting pointers to members of packet structs.

Silence the warning about _next_bitmap assignment. This pointer is
dereferenced only with operations that are safe for unaligned access, so
the compiler warning is not helpful here.

__packed might not be defined in this context, so use STRUCT_PACKED from
utils/common.h.

Fixes: e6ac269433 ("radiotap: Update radiotap parser")
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-21 12:40:58 +02:00
Alexander Clouter
0dee287c84 EAP server: Extend EAP-TLS Commitment Message use to PEAP and EAP-TTLS
Use the explicit Commitment Message per draft-ietf-emu-eap-tls13-13
Section 2.5 and extend this functionality to PEAP and EAP-TTLS when
using TLS 1.3.

Signed-off-by: Alexander Clouter <alex@digriz.org.uk>
2021-02-20 17:53:52 +02:00
Alexander Clouter
fae4eafe4a EAP-TTLS peer: Handle Commitment Message for TLS 1.3
Recognize the explicitly defined Commitment Message per
draft-ietf-emu-eap-tls13-13 at the conclusion of the EAP-TTLS with TLS
1.3.

Signed-off-by: Alexander Clouter <alex@digriz.org.uk>
2021-02-20 17:47:41 +02:00
Alexander Clouter
155125b02a EAP-TLS peer: Handle Commitment Message for TLS 1.3
Recognize the explicitly defined Commitment Message per
draft-ietf-emu-eap-tls13-13 at the conclusion of the EAP-TLS with TLS
1.3.

Signed-off-by: Alexander Clouter <alex@digriz.org.uk>
2021-02-20 17:47:39 +02:00
Alexander Clouter
3a457509db EAP: Extend Session-Id derivation with TLS 1.3 to PEAP and EAP-TTLS
This newer Session-Id/Method-Id derivation is used with PEAP and
EAP-TTLS when using TLS 1.3 per draft-ietf-emu-tls-eap-types-00, so do
not limit this to only EAP-TLS.

Signed-off-by: Alexander Clouter <alex@digriz.org.uk>
2021-02-20 17:36:57 +02:00
Alexander Clouter
647db6a6b5 EAP-TTLS: Key derivation per draft-ietf-emu-tls-eap-types-00
Use the TLS-Exporter with the label and context as defined in
draft-ietf-emu-tls-eap-types-00 when deriving keys for EAP-TTLS with TLS
1.3.

Signed-off-by: Alexander Clouter <alex@digriz.org.uk>
2021-02-20 17:35:51 +02:00
Alexander Clouter
c74f230200 EAP-PEAP: Key derivation per draft-ietf-emu-tls-eap-types-00
Use the TLS-Exporter with the label and context as defined in
draft-ietf-emu-tls-eap-types-00 when deriving keys for PEAP with TLS
1.3.

Signed-off-by: Alexander Clouter <alex@digriz.org.uk>
2021-02-20 17:35:51 +02:00
Alexander Clouter
872609c151 EAP-TTLS/PEAP peer: Fix failure when using session tickets under TLS 1.3
EAP peer does not expect data present when beginning the Phase 2 in
EAP-{TTLS,PEAP} but in TLS 1.3 session tickets are sent after the
handshake completes.

There are several strategies that can be used to handle this, but this
patch picks up from the discussion[1] and implements the proposed use of
SSL_MODE_AUTO_RETRY. SSL_MODE_AUTO_RETRY has already been enabled by
default in OpenSSL 1.1.1, but it needs to be enabled for older versions.

The main OpenSSL wrapper change in tls_connection_decrypt() takes care
of the new possible case with SSL_MODE_AUTO_RETRY for
SSL_ERROR_WANT_READ to indicate that a non-application_data was
processed. That is not really an error case with TLS 1.3, so allow it to
complete and return an empty decrypted application data buffer.
EAP-PEAP/TTLS processing can then use this to move ahead with starting
Phase 2.

[1] https://www.spinics.net/lists/hostap/msg05376.html

Signed-off-by: Alexander Clouter <alex@digriz.org.uk>
2021-02-20 17:02:35 +02:00
Andrei Otcheretianski
8265f84531 nl80211: Unconditionally clear nl_msg
Previously nl80211_nlmsg_clear() would be called under a special
condition when valid_handler is NULL and valid_data is -1. Such API is
not very convenient as it forces the handler to be NULL. Change the
send_and_recv() function to always clear the nl_msg, which will simplify
all this logic.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2021-02-20 00:34:42 +02:00
Ilan Peer
6c7b0a9657 PASN: Correctly set RSNXE bits from AP
The capability bit index should not be shifted here as the shifting is
handled later below when building the RSNXE octets.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2021-02-20 00:26:21 +02:00
Anusha Datar
8f248d1aca Check for message truncation in RADIUS client
The RADIUS client currently determines if a radius message is longer
than the supported maximum length by checking whether the size of the
received buffer and the length of the buffer (as returned by recv()) is
equal. This method fails to detect if the buffer has actually been
truncated. This change modifies the RADIUS client to instead use the
recvmsg() call and then check the message header flags to determine
whether or not the received message has been truncated and drop the
message if that is the case.

Signed-off-by: Anusha Datar <anusha@meter.com>
Reviewed-by: Steve deRosier <derosier@cal-sierra.com>
Reviewed-by: Julian Squires <julian@cipht.net>
2021-02-20 00:15:15 +02:00
Anusha Datar
5cb25307e4 Set RADIUS message length to reflect RFC 2865
The current RADIUS server message maximum length limits the length of
each RADIUS message to 3000 bytes. As specified in RFC 2865 section 3
("Packet Format"), the RADIUS standard's maximum message size is 4096
bytes, so this change increases the RADIUS server's maximum message
size from 3000 to 4096 to match the standard.

Signed-off-by: Anusha Datar <anusha@meter.com>
Reviewed-by: Steve deRosier <derosier@cal-sierra.com>
Reviewed-by: Julian Squires <julian@cipht.net>
2021-02-20 00:11:17 +02:00
Anusha Datar
7df089b567 Create RADIUS_MAX_MSG_LEN param in the shared radius.h
The RADIUS client currently uses a hardcoded value of 3000 for the
maximum length of a RADIUS message, and the RADIUS server currently
defines a constant value for the maximum length of the RADIUS message
within its source. The client and the server should use the same
maximum length value, so this change creates a shared parameter
RADIUS_MAX_MSG_LEN within the header file radius.h and modifies
both the client and the server to use that parameter instead of
a locally set value.

Signed-off-by: Anusha Datar <anusha@meter.com>
Reviewed-by: Steve deRosier <derosier@cal-sierra.com>
Reviewed-by: Julian Squires <julian@cipht.net>
2021-02-20 00:08:17 +02:00
Sachin Ahuja
98a52b09ca Add new attributes in get_sta_info QCA vendor command
Add additional attributes for the QCA vendor command
QCA_NL80211_VENDOR_SUBCMD_GET_STA_INFO to get finer details on roaming
behavior, TSF out of sync count, and the latest TX rate, Rate Index used
for the transmission.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-16 00:47:43 +02:00
Veerendranath Jakkam
6f92f81dac AP: Check driver's capability to enable OCV when driver SME is used
When the driver SME is used, offloaded handshakes which need Operating
Channel Validation (OCV) such as SA Query procedure, etc. would fail if
hostapd enables OCV based on configuration but the driver doesn't
support OCV. To avoid this when driver SME is used, enable OCV from
hostapd only when the driver indicates support for OCV.

This commit also adds a capability flag to indicate whether driver SME
is used in AP mode.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-02-16 00:47:43 +02:00
Veerendranath Jakkam
73ebd58fc8 STA: Check driver capability to enable OCV when driver SME is used
When the driver SME is used, offloaded RSN handshakes like SA Query, GTK
rekeying, FT authentication, etc. would fail if wpa_supplicant enables
OCV in initial connection based on configuration but the driver doesn't
support OCV. To avoid such failures check the driver's capability for
enabling OCV when the driver SME used.

This commit also adds a capability flag for indicating OCV support
by the driver.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-02-16 00:47:43 +02:00
Veerendranath Jakkam
d36d4209fd Enable beacon protection only when driver indicates support
Enabling beacon protection will cause STA connection/AP setup failures
if the driver doesn't support beacon protection. To avoid this, check
the driver capability before enabling beacon protection.

This commit also adds a capability flag to indicate beacon protection
support in client mode only.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-02-16 00:47:43 +02:00
Patrick Steinhardt
e680a51e94 ext_password: Implement new file-based backend
It was not easily possible to separate configuration of an interface and
credentials when using the configuration file instead of the control
interface or D-Bus interface for setting up the network profiles. This
makes it hard to distribute configuration across a set of nodes which
use wpa_supplicant without also having to store credentials in the same
file. While this can be solved via scripting, having a native way to
achieve this would be preferable.

Turns out there already is a framework to have external password
storages. It only had a single "test" backend though, which is kind of
an in-memory store which gets initialized with all passwords up front
and is mainly for testing purposes. This isn't really suitable for the
above use case: the backend cannot be initialized as part of the central
configuration given that it needs the credentials, and we want to avoid
scripting.

This commit thus extends the infrastructure to implement a new backend,
which instead uses a simple configuration file containing key-value
pairs. The file follows the format which wpa_supplicant.conf(5) uses:
empty lines and comments are ignored, while passwords can be specified
with simple `password-name=password-value` assignments.

With this new backend, splitting up credentials and configuration
becomes trivial:

    # /etc/wpa_supplicant/wpa_supplicant.conf
    ext_password_backend=file:/etc/wpa_supplicant/psk.conf

    network={
        ssid="foobar"
        psk=ext:foobar
    }

    # /etc/wpa_supplicant/psk.conf
    foobar=ecdabff9c80632ec6fcffc4a8875e95d45cf93376d3b99da6881298853dc686b

Alternative approaches would be to support including other configuration
files in the main configuration, such that common configuration and
network declarations including credentials are split up into separate
files. But the implementation would probably have been more complex
compared to reusing the already-existing framework for external password
backends.

Signed-off-by: Patrick Steinhardt <ps@pks.im>
2021-02-16 00:47:43 +02:00
Patrick Steinhardt
e9f449ba59 wpa_supplicant: Move wpa_config_get_line() into utils
The function wpa_config_get_line() is used by the wpa_supplicant config
file parser to retrieve the next non-comment non-blank line. We'll need
the same kind of functionality to implement the file-based external
password backend, so as a preparatory step this commit extracts the
function into its own standalone file in the utils package.

No functional changes are expected from this commit.

Signed-off-by: Patrick Steinhardt <ps@pks.im>
2021-02-16 00:47:43 +02:00
Jouni Malinen
b1c23d3f25 HE: Fall back to 20 MHz on 2.4 GHz if 40 MHz is not supported
At least the ACS case of an attempt to pick a 40 MHz channel on the 2.4
GHz band could fail if HE was enabled and the driver did not include
support for 40 MHz channel bandwidth on the 2.4 GHz band in HE
capabilities. This resulted in "40 MHz channel width is not supported in
2.4 GHz" message when trying to configure the channel and failure to
start the AP.

Avoid this by automatically falling back to using 20 MHz bandwidth as
part of channel parameter determination at the end of the ACS procedure.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-15 18:27:10 +02:00
Aloka Dixit
f1c6c9d3eb ACS: Allow downgrading to 20 MHz based on OBSS results
When auto channel selection (ACS) is used for HE 40 MHz in the 2.4 GHz
band, AP sets center frequency after finding a 40 MHz channel and then
runs a scan for overlapping BSSes in neighboring channels. Upon OBSS
detection, AP should downgrade to 20 MHz bandwidth.

This was broken because allowed_ht40_channel_pair() returns true in this
case and the steps to reset center frequency are not executed causing
failure to bring interface up.

Fix the condition to allow rollback to 20 MHz.

Signed-off-by: Aloka Dixit <alokad@codeaurora.org>
2021-02-15 18:16:33 +02:00
Jouni Malinen
9bb2f75298 Sync with mac80211-next.git include/uapi/linux/nl80211.h
This brings in nl80211 definitions as of 2021-02-12.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-15 17:36:20 +02:00
Aloka Dixit
cfc45a98d2 nl80211: Unsolicited broadcast Probe Response configuration
Unsolicited broadcast Probe Response transmission is used for in-band
discovery in the 6 GHz band (IEEE P802.11ax/D8.0 26.17.2.3.2, AP
behavior for fast passive scanning). Add support for configuring the
parameters for such frames.

Signed-off-by: Aloka Dixit <alokad@codeaurora.org>
2021-02-14 23:04:26 +02:00
Aloka Dixit
024b4b2a29 AP: Unsolicited broadcast Probe Response configuration
Add hostapd configuration options for unsolicited broadcast
Probe Response transmission for in-band discovery in 6 GHz.
Maximum allowed packet interval is 20 TUs (IEEE P802.11ax/D8.0
26.17.2.3.2, AP behavior for fast passive scanning).
Setting value to 0 disables the transmission.

Signed-off-by: Aloka Dixit <alokad@codeaurora.org>
2021-02-14 23:04:26 +02:00
Jouni Malinen
6b59e63f0e Include secondary channel config in no-hw-channel-found message
This makes the error message easier to understand if the AP mode setup
failure is caused by invalid secondary channel configuration while the
primary channel is valid.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-14 19:31:14 +02:00
Aloka Dixit
d76ba2b316 nl80211: Add FILS Discovery frame configuration
Add support for setting the parameters for FILS Discovery frame
transmission.

Signed-off-by: Aloka Dixit <alokad@codeaurora.org>
2021-02-14 18:18:18 +02:00
Aloka Dixit
9c02a0f5a6 FILS: Add generation of FILS Discovery frame template
Add hostapd configuration parameters for FILS Discovery frame
transmission interval and prepare a template for FILS Discovery frame
for the driver interface. The actual driver interface changes are not
included in this commit.

Signed-off-by: Aloka Dixit <alokad@codeaurora.org>
2021-02-14 18:03:49 +02:00
Jouni Malinen
c4c529e9cb Add a helper function for determining RSN capabilities field value
This information is needed in more than one place, so add a helper
function to avoid need to duplicate this code.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-14 18:03:38 +02:00
Aloka Dixit
272466518f Define FILS Discovery frame subfields
Add definitions from IEEE Std 802.11ai-2016, 9.6.8.36 FILS discovery
frame format and extensions for the 6 GHz band from IEEE P802.11ax/D8.0.

Signed-off-by: Aloka Dixit <alokad@codeaurora.org>
2021-02-14 11:13:20 +02:00
Jouni Malinen
3eb5f7128e Do not include VHT elements in Beacon frames on the 6 GHz band
A similar change was previously done for Probe Response frames, but the
Beacon frame case was missed. Fix this to remove the VHT elements also
from Beacon frames on the 6 GHz since the relevant information is
included only in the HE elements on that band.

Fixes: 49e95ee1ee ("AP: Publish only HE capabilities and operation IEs on 6 GHz band")
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-14 00:33:08 +02:00
Shay Bar
2c2b6d265b Add Transmit Power Envelope also for 6 GHz HE AP
According to IEEE P802.11ax/D8.0, add Transmit Power Envelope element
into Beacon and Probe Response frames when operating HE AP on the 6 GHz
band.

Signed-off-by: Shay Bar <shay.bar@celeno.com>
2021-02-14 00:29:31 +02:00
Shay Bar
6c2b729de0 Use hostapd_get_oper_chwidth() when build Transmit Power Envelope element
hostapd_get_oper_chwidth(iconf) instead of direct access to
iface->conf->vht_oper_chwidth is needed here to be able to use this with
HE in cases where VHT is not enabled.

Signed-off-by: Shay Bar <shay.bar@celeno.com>
2021-02-14 00:24:53 +02:00
Shay Bar
5d3c4496fb Make VHT Transmit Power Envelope element helper more generic
According to latest IEEE 802.11 standard, Transmit Power Envelope
element is also relevant to IEEE 802.11ax and is no longer called VHT
Transmit Power Envelope. Remove the VHT naming from the element and move
hostapd_eid_txpower_envelope() from ieee802_11_vht.c to ieee802_11.c in
preparation of using it with HE.

Signed-off-by: Shay Bar <shay.bar@celeno.com>
2021-02-14 00:22:52 +02:00
Jouni Malinen
58bbbb5981 nl80211: Ignore 4addr mode enabling error if it was already enabled
nl80211_set_4addr_mode() could fail when trying to enable 4addr mode on
an interface that is in a bridge and has 4addr mode already enabled.
This operation would not have been necessary in the first place and this
failure results in disconnecting, e.g., when roaming from one backhaul
BSS to another BSS with Multi AP.

Avoid this issue by ignoring the nl80211 command failure in the case
where 4addr mode is being enabled while it has already been enabled.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-13 23:59:28 +02:00
Pradeep Kumar Chitrapu
b1c3e4d071 nl80211: Send HE 6 GHz capability parameters to the driver
The HE 6 GHz capability was not being sent to the kernel causing 6 GHz
support being unidentifiable in the kernel driver for added stations.

Signed-off-by: Pradeep Kumar Chitrapu <pradeepc@codeaurora.org>
2021-02-10 00:06:21 +02:00
Juliusz Sosinowicz
8d10831dcf wolfSSL: wolfSSL_use_PrivateKey_* correct return codes
The wolfSSL_use_PrivateKey_* APIs return 1 on success. 0 is also an
error.

Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2021-02-09 20:54:34 +02:00
Jouni Malinen
ad59639ed8 DPP2: Fix Authentication Request destination in the chirping case
The Authentication Request frames triggered by the reception of a
Presence Announcement frame were sent to the broadcast address. This is
not correct behavior since the source MAC address of the Presence
Announcement frame was supposed to override the Responder MAC address.
Fix this by using that source MAC address to avoid unnecessary use of
broadcast frames.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-09 20:41:08 +02:00
Aloka Dixit
598f671321 SAE: Avoid driver STA entry removal unnecessarily when using H2E/PK
The new status code values for SAE H2E and PK resulted in the
sta->added_unassoc cases incorrectly removing the STA entry after
successful SAE commit messages. Fix this by using sae_status_success()
instead of direct check for WLAN_STATUS_SUCCESS when processing SAE
commit messages before removing station entry.

Signed-off-by: Aloka Dixit <alokad@codeaurora.org>
Signed-off-by: Pradeep Kumar Chitrapu <pradeepc@codeaurora.org>
2021-02-08 23:56:59 +02:00
Ilan Peer
99cd453720 hw_feature: Correctly select mode in case of the 6 GHz band
There are 2 HW modes with IEEE80211_MODE_A: one for the 5 GHz channels
and one for 6 GHz channels. Since hw_get_chan() checks all the
compatible hw modes, eventually, an incorrect hw mode is selected.

To fix this, add a function that checks if a specific mode supports
the requested frequency and if so use it as the current mode.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2021-02-08 00:54:10 +02:00
Rajkumar Manoharan
f728c867e3 AP: Extend Spatial Reuse Parameter Set
Extend SPR element to support following fields and pass all
information to kernel for driver use.
 * Non-SRG OBSS PD Max Offset
 * SRG BSS Color Bitmap
 * SRG Partial BSSID Bitmap

Signed-off-by: Rajkumar Manoharan <rmanohar@codeaurora.org>
2021-02-08 00:41:52 +02:00
Rajkumar Manoharan
9f9d3d3625 Allow HE MCS rate selection for Beacon frames
Allow HE MCS rate to be used for beacon transmission when the driver
advertises the support. The rate is specified with a new beacon_rate
option "he:<HE MCS>" in hostapd configuration.

Signed-off-by: Rajkumar Manoharan <rmanohar@codeaurora.org>
2021-02-08 00:26:38 +02:00
Rajkumar Manoharan
7f2f262e6d nl80211: Support the 6 GHz band for beacon rate configuration
Use the correct enum nl80211_band value when configuring the beacon rate
for the 6 GHz band.

Signed-off-by: Rajkumar Manoharan <rmanohar@codeaurora.org>
2021-02-08 00:26:38 +02:00
Rajkumar Manoharan
c3d557b4df hostapd: Add HE 6 GHz band capability configuration
Enable user to configure Maximum MPDU Length, Maximum A-MPDU Length
Exponent, Rx Antenna Pattern Consistency, and Tx Antenna Pattern
Consistency of 6 GHz capability through config file.

Signed-off-by: Rajkumar Manoharan <rmanohar@codeaurora.org>
2021-02-08 00:09:45 +02:00
Jouni Malinen
bd8b170302 EAP-AKA: Check that ID message storing succeeds
This could fail in theory if running out of memory, so better check for
this explicitly instead of allowing the exchange to continue and fail
later due to checkcode mismatch.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-07 23:40:20 +02:00
Jouni Malinen
b58ac90c38 Rename INTERWORKING_BLACKLISTED define
Use more accurate INTERWORKING_EXCLUDED for this. The actual event
prefix is not changed to remains compatible with external components
using this control interface event message.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-07 16:43:54 +02:00
Jouni Malinen
e6ac269433 radiotap: Update radiotap parser
Update the radiotap parser to the latest version of the
http://git.sipsolutions.net/radiotap.git/ library.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-07 13:25:13 +02:00
Jouni Malinen
136bbf15c3 wlantest: Add more details about protected FTM frames
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-07 13:11:34 +02:00
Jouni Malinen
f56eec7c1a wlantest: Process Action No Ack frames like Action frames
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-07 12:00:12 +02:00
Janusz Dziedzic
ef26fc19fa DFS: Allow switch to an available channel
For EU, where preCAC is allowed, we should allow switch to DFS available
channels, instead of restarting BSS.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
2021-02-07 10:30:09 +02:00
Raphaël Mélotte
f95ccc102a WPS: Reconfigure credentials on hostapd config reload
When new credentials are configured and hostapd is reconfigured using
SIGHUP (or RELOAD on the ctrl_iface), also update the WPS credentials.

Before these changes, when WPS is triggered the Registar always serves
the credentials that were configured when hostapd started.

Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
2021-02-06 17:15:31 +02:00
Raphaël Mélotte
2fd90eb095 WPS: Use helper variables to clean up code
This is in preparation of larger changes in hostapd_update_wps() to keep
the commits more readable.

Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
2021-02-06 17:12:24 +02:00
Michal Kazior
3a00a86bb9 hostapd: Fix dpp_listen in DPP responder scenario
Some time ago it was found some drivers are setting their hw/ucode RX
filters restrictively enough to prevent broadcast DPP Action frames from
being received at upper layers in the stack.

A set of patches was introduced to the kernel and
ath9k driver as well as wpa_supplicant, e.g.,

  a39e9af90 ("nl80211: DPP listen mode callback")
  4d2ec436e ("DPP: Add driver operation for enabling/disabling listen mode")

However, the hostapd code itself was not calling the new multicast
registration. As such the AP side of things wasn't working as expected
in some scenarios. I've found this while trying to get ath9k working as
an AP Responder/Configurator.

The problem wasn't seen on, e.g., mac80211 hwsim driver.

Extend the wpa_supplicant mechanism to work with hostapd as well.

Signed-off-by: Michal Kazior <michal@plume.com>
2021-02-06 16:06:15 +02:00
Raphaël Mélotte
4a7e0ac268 hostapd: Add an option to notify management frames on ctrl_iface
In some contexts (e.g., Multi-AP) it can be useful to have access to
some of the management frames in upper layers (e.g., to be able to
process the content of association requests externally).

Add 'notify_mgmt_frames'. When enabled, it will notify the ctrl_iface
when a management frame arrives using the AP-MGMT-FRAME-RECEIVED event
message.

Note that to avoid completely flooding the ctrl_iface, not all
management frames are included (e.g., Beacon and Probe Request frames
are excluded).

Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
2021-02-06 13:56:18 +02:00
Ircama
e79febb3f5 P2P: Adding option to manage device drivers creating random MAC addresses
Add option 2 to the p2p_device_random_mac_addr configuration option to
support device drivers which use by default random MAC adresses when
creating a new P2P Device interface (for instance, the BCM2711 80211
wireless device driver included in Raspberry Pi 4 Model B). In such
case, this option allows to create the P2P Device interface correctly
when using P2P permanent groups, enabling wpa_supplicant to reuse the
same MAC address when re-invoking a P2P permanent group.

update_config=1 is required.

Signed-off-by: Ircama <amacri@tiscali.it>
2021-02-06 13:40:29 +02:00
Roy Marples
a579642bc3 BSD: If route socket overflows, sync drivers to system interfaces
Messages such as RTM_IFNFO or RTM_IFANNOUNCE could have been lost.
As such, sync the state of our internal driver to the state of the
system interfaces as reports by getifaddrs(2).

This change requires the routing socket be placed in non-blocking
mode. While here, set the routing and inet sockets to close on exec.

BSDs that support SO_RERROR include NetBSD and DragonFly.
There is a review underway to add this to FreeBSD.

Signed-off-by: Roy Marples <roy@marples.name>
2021-02-06 13:27:24 +02:00
Andrei Otcheretianski
fa859ebb19 RSN+WPA: Fix RSNE removing in EAPOL-Key msg 3/4 when RSNXE is included
When the AP advertised RSNE, RSNXE, and WPA IE, hostapd incorrectly
removed the RSNE in the EAPOL-Key msg 3/4 if the STA associates with
WPA, leaving only RSNXE instead of WPA IE. WPA STA fails to connect to
such AP as the WPA IE is missing.

Since RSNXE is not really used in non-RSN connection, just remove it
here with RSNE.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2021-02-06 12:09:30 +02:00
Jouni Malinen
dc19779592 RSN: Validate RSNXE match in EAPOL-Key msg 3/4 only when RSN is used
This is needed to avoid the corner case of local RSNXE aware station
being configured to behave as WPA(v1)-only STA when the AP might not
include RSNXE in EAPOL-Key msg 3/4.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-06 12:09:30 +02:00
Andrei Otcheretianski
0b7895750b DPP: Silence compiler warning about signed/unsigned comparison
Old gcc versions complain about signed/unsigned comparison in
dpp_rx_gas_resp(). Hide it.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2021-02-06 12:09:30 +02:00
Shay Bar
a287c20789 Disable HE capabilities when using unacceptable security config
Add HE configuration check similar to HT/VHT.

Signed-off-by: Shay Bar <shay.bar@celeno.com>
2021-02-06 11:41:09 +02:00
Johannes Berg
56c192c5ee nl80211: Skip frame filter config for P2P-Device
There's no point in attempting to configure frame filters on
a P2P-Devices that doesn't even have a netdev (nor passes any
data traffic), that just results in error messages. Skip it.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2021-02-06 11:41:09 +02:00
Muna Sinada
9416b5f323 Add HE in ieee80211_freq_to_channel_ext() documentation
This function covers HE cases, so include that in the comment.

Signed-off-by: Muna Sinada <msinada@codeaurora.org>
2021-02-06 11:41:09 +02:00
Muna Sinada
2acfd15a2a hostapd: Generalize channel switch methods to incorperated HE mode
Remove the VHT specific naming on methods that are utilized in both VHT
and HE modes.

Signed-off-by: Muna Sinada <msinada@codeaurora.org>
2021-02-06 11:41:09 +02:00
Muna Sinada
2908dc91c1 hostapd: Enable HE for channel switch commmand
Add HE as an accepted option ("he") in the CHAN_SWITCH command similarly
to the way VHT is addressed.

Signed-off-by: Muna Sinada <msinada@codeaurora.org>
2021-02-06 11:41:09 +02:00
Jouni Malinen
1c3e71d149 P2P: Add a maximum length limit for peer vendor IEs
This is mainly to help with fuzz testing that could generate overly long
test data that would not be possible in real use cases due to MMPDU size
limits. The implementation for storing vendor IEs with such
unrealisticly long IE buffers can result in huge number of memory
reallozations and analyzing those can be very heavy.

While the maximum length of the fuzzing test input could be limited, it
seems nicer to limit this IE storage limit instead to avoid timeouts
from fuzz test runs.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-05 01:39:29 +02:00
Jouni Malinen
947272febe P2P: Fix copying of secondary device types for P2P group client
Parsing and copying of WPS secondary device types list was verifying
that the contents is not too long for the internal maximum in the case
of WPS messages, but similar validation was missing from the case of P2P
group information which encodes this information in a different
attribute. This could result in writing beyond the memory area assigned
for these entries and corrupting memory within an instance of struct
p2p_device. This could result in invalid operations and unexpected
behavior when trying to free pointers from that corrupted memory.

Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269
Fixes: e57ae6e19e ("P2P: Keep track of secondary device types for peers")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-04 00:25:40 +02:00
Jouni Malinen
25df656a8a Remove pointless defines for ext capab bits
These were copy-pasted templates that were forgotten to be removed when
defining the bits.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-04 00:23:14 +02:00
Aloka Dixit
630b1fdba8 AP: Add 6 GHz security constraints
Add security constraints for the 6 GHz band as given in IEEE
P802.11ax/D8.0, 12.12.2.

Signed-off-by: Aloka Dixit <alokad@codeaurora.org>
2021-02-02 23:39:31 +02:00
Ilan Peer
24f0507af4 WPA: Support deriving KDK based on capabilities (Authenticator)
Derive the KDK as part of PMK to PTK derivation if forced by
configuration or in case both the local AP and the peer station declare
support for secure LTF.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-26 23:09:39 +02:00
Ilan Peer
dccb6cde03 WPA: Support deriving KDK based on capabilities
Derive the KDK as part of PMK to PTK derivation if forced by
configuration or in case both the local station and the AP declare
support for secure LTF.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-26 23:09:39 +02:00
Ilan Peer
9e7b980d65 PASN: Include RSNXE in the PASN negotiation
IEEE P802.11az/D2.6 added definitions to include RSNXE in the PASN
negotiation. Implement the new functionality in both wpa_supplicant and
hostapd.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-26 23:09:36 +02:00
Ilan Peer
d8cd20e37b RSN: Add RSNXE new definitions
IEEE P802.11az/D2.6 defines the following additional capabilities to
RSNXE:

- Secure LTF support
- Secure RTT support
- Protection of range negotiation and measurement management frames.

Add support for advertising the new capabilities.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-26 23:08:27 +02:00
Ilan Peer
2eb2fb8bd4 AP: Support PASN with FT key derivation
Note that the implementation is not complete as it is missing support
for the FT wrapped data which is optional for the station, but must be
supported by the AP in case the station included it.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-26 17:49:00 +02:00
Ilan Peer
5c65ad6c0b PASN: Support PASN with FT key derivation
Add support for PASN authentication with FT key derivation:

- As IEEE P802.11az/D2.6 states that wrapped data is optional and
  is only needed for further validation of the FT security parameters,
  do not include them in the first PASN frame.

- PASN with FT key derivation requires knowledge of the PMK-R1 and
  PMK-R1-Name for the target AP. As the WPA state machine stores PMK-R1,
  etc. only for the currently associated AP, store the mapping of
  BSSID to R1KH-ID for each previous association, so the R1KH-ID
  could be used to derive PMK-R1 and PMK-R1-Name. Do so instead
  of storing the PMK-R1 to avoid maintaining keys that might not
  be used.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-26 17:38:30 +02:00
Ilan Peer
62edb79a0c AP: Support PASN with FILS key derivation
As the PASN FILS authentication is only defined for FILS SK without PFS,
and to support PASN authentication with FILS, implement the PASN with
FILS processing as part of the PASN handling and not as part of the WPA
Authenticator state machine.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-25 20:28:33 +02:00
Ilan Peer
da35e1214d AP: Support PASN with SAE key derivation
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-25 20:27:14 +02:00
Ilan Peer
a93ec28d10 PASN: Support PASN with SAE key derivation
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-25 20:27:14 +02:00
Ilan Peer
3040c8a2da AP: Add support for PASN processing to the SME
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-25 20:27:12 +02:00
Ilan Peer
f2f8e4f458 Add PTKSA cache to hostapd
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-25 19:15:47 +02:00
Ilan Peer
2c963a117a AP: Add support for configuring PASN
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-25 19:15:47 +02:00
Ilan Peer
363768c8ac PASN: Add support for PASN processing to wpa_supplicant
Add PASN implementation to wpa_supplicant

1. Add functions to initialize and clear PASN data.
2. Add functions to construct PASN Authentication frames.
3. Add function to process PASN Authentication frame.
4. Add function to handle PASN frame TX status.
5. Implement the station side flow processing for PASN.

The implementation is missing support for wrapped data and PMKSA
establishment for base AKMs, and only supports PASN authentication or
base AKM with PMKSA caching.

The missing parts will be added in later patches.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-25 19:15:44 +02:00
Ilan Peer
d70060f966 WPA: Add PTKSA cache to wpa_supplicant for PASN
PASN requires to store the PTK derived during PASN authentication
so it can later be used for secure LTF etc. This is also true
for a PTK derived during regular connection.

Add an instance of a PTKSA cache for each wpa_supplicant
interface when PASN is enabled in build configuration.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-25 18:36:40 +02:00
Ilan Peer
a4e3691616 WPA: Add PTKSA cache implementation
In order to be able to perform secure LTF measurements, both the
initiator and the responder need to first derive TK and KDK and store
them, so they would later be available for the secure LTF negotiation.

Add a basic implementation of a PTKSA cache that stores derived TK/KDK
which can later be used for secure LTF negotiation, and add it to the
build configuration.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-25 18:36:40 +02:00
Ilan Peer
a84ba92fa0 WPA: Add a function to get PMKSA cache entry
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-25 18:36:40 +02:00
Ilan Peer
6709b4ceb8 common: Add PASN parsing to ieee802_11_parse_extension()
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-25 18:36:40 +02:00
Ilan Peer
46bfc3a849 tests: Add module tests for PASN PTK derivation
Based on tests vectors taken from IEEE P802.11az/D2.6.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-25 18:36:40 +02:00
Ilan Peer
9ce123cdbf PASN: Add common Authentication frame build/validation functions
Add helper functions to construct a PASN Authentication frame and
validate its content, which are common to both wpa_supplicant and
hostapd.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-25 18:36:40 +02:00
Ilan Peer
c6d1a33bb0 PASN: Add functions to compute PTK, MIC and hash
1. Add a function to derive the PTK from a PMK and additional data.
2. Add a function to calculate the MIC for a PASN frames.
3. Add a function to compute the hash of an authentication frame body.

The above are built only in case that CONFIG_PASN is enabled at build
time.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-25 18:36:40 +02:00
Ilan Peer
d87f4aea11 FILS: Extend the fils_pmk_to_ptk() function to also derive KDK
Extend the fils_pmk_to_ptk() to also derive Key Derivation
Key (KDK) which can later be used for secure LTF measurements.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-25 18:36:40 +02:00
Ilan Peer
6e834db74e FT: Extend the wpa_pmk_r1_to_ptk() function to also derive KDK
Extend the wpa_pmk_r1_to_ptk() to also derive Key Derivation
Key (KDK), which can later be used for secure LTF measurements.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-25 18:36:40 +02:00
Ilan Peer
46c232eb76 WPA: Extend the wpa_pmk_to_ptk() function to also derive KDK
Extend the wpa_pmk_to_ptk() to also derive Key Derivation
Key (KDK), which can later be used for secure LTF measurements.

Update the wpa_supplicant and hostapd configuration and the
corresponding WPA and WPA Auth state machine, to allow enabling of KDK
derivation. For now, use a testing parameter to control whether KDK is
derived.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-25 18:36:40 +02:00
Ilan Peer
019507e10e common: Allow WPA_CIPHER_GTK_NOT_USED as a valid group management cipher
PASN authentication requires that group management cipher suite
would be set to 00-0F-AC:7 in the RSNE, so consider it as a valid
group management cipher and adjust the code accordingly.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-25 18:35:50 +02:00
Ilan Peer
2447212214 nl80211: Always register for RX authentication frames with PASN
Register a filter that only requests PASN Authentication frames
to be passed to user space.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-25 18:35:50 +02:00
Ilan Peer
a728449a04 nl80211: Allow off-channel of PASN authentication frames in send_mlme()
As part of the support needed for PASN.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-25 18:35:50 +02:00
Ilan Peer
367e79231c PASN: Add some specification definitions
Based on IEEE P802.11az/D2.6.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-25 18:35:50 +02:00
Sreeramya Soratkal
833cdbe97d Add support for new 5 GHz channels 173 and 177
Add support for new channels 173 and 177 in the operating classes 125 to
130 as defined in draft IEEE P802.11ax/D8.0.

Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
2021-01-22 19:18:10 +02:00
Sreeramya Soratkal
21fdb454df P2P: Fix channel selection for operating class 129
The operating class 129 includes channels with a maximum bandwidth of
160 MHz with center frequency index 50 and 114. The previous definition
of operating class 129 considered the center frequency index as actual
channels resulting in incorrect channel setup for the operating class.

Fix the definition of operating class 129 to consider channels with the
center frequency index of 50 and 114.

Also update the comment that describes the channel selection for
operating 128, 129, and 130 which mentions wpas_p2p_allow_channel()
verifies the channels while wpas_p2p_verify_channel() takes care of it.

Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
2021-01-22 19:18:10 +02:00
Purushottam Kushwaha
959af4f576 DPP: Abort authentication if no Auth Confirm is received within a second
After sending DPP Auth Response, the Responder might not receive the
Auth Confirm either due to the Initiator not sending it or the reception
of the frame failing for some reason (e.g., Responder having already
left the negotiation channel). If this happens, following initiation
attempts would fail since the consecutive Auth Request would get
discarded since the previous authentication is still in progress.

Terminate DPP authentication on Responder, if no Auth Confirm is
received within one second of successfully sending Auth Response. This
allows the Responder to accept start of a new exchange.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-01-22 19:18:10 +02:00
hongwang.li
41fae6e0bb nl80211: Add missing WPA3-SAE auth_data in auth retry case
When wpa_supplicant sends NL80211_CMD_AUTHENTICATE to kernel, it is
possible that the cfg80211 in kernel has expired the BSS entry that
we are trying to auth with. Then cfg80211 will reject the auth cmd.
In this case, wpa_supplicant will trigger a single channel scan to
refresh cfg80211 BSS entry, and retry the auth when scan is finished.

When this case happens, wpa_supplicant makes a copy of auth params,
such as frequency, bssid, ssid, ie and so on. So when we retry auth,
the copy of these params will be used. The problem is, a param named
auth_data is missed when making the copy. The auth_data is used by
NL80211_ATTR_SAE_DATA which is a mandatory field for WPA3-SAE auth.
In WPA3-SAE case the auth retry will always fail because auth_data is
missing. This patch fixes the issue.

Signed-off-by: hongwang.li <hongwang.li@sonos.com>
2021-01-15 12:14:17 +02:00
Sunil Dutt
b6947f01a1 Android: Pass the vendor events to $(BOARD_WPA_SUPPLICANT_PRIVATE_LIB)
Android has a mechanism to extend the driver interface in vendor
specific ways. This implementation of the vendor interface is done in
$(BOARD_WPA_SUPPLICANT_PRIVATE_LIB). Extend this to allow the vendor
events to be provided to this library to facilitate the event
processing.

Introduce a new board configuration via
$(BOARD_WPA_SUPPLICANT_PRIVATE_LIB_EVENT) rather than reusing
$(BOARD_WPA_SUPPLICANT_PRIVATE_LIB) to enable this event handling in the
private library. This is to avoid compilation issues for
wpa_driver_nl80211_driver_event() with the already existing private
library implementations defined with
$(BOARD_WPA_SUPPLICANT_PRIVATE_LIB).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-12-21 23:22:56 +02:00
Purushottam Kushwaha
7b121af26a P2P: Delay P2P scan when an external scan is in progress
When an external scan is in progress on the same radio, delay the P2P
search operation based on configuration parameter p2p_search_delay. The
"search_delay" configuration done through p2p_find always takes
precedence over this delay value set due to an external scan trigger.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-12-21 23:22:51 +02:00
Purushottam Kushwaha
74818ca63f Process QCA_NL80211_VENDOR_SUBCMD_KEY_MGMT_ROAM_AUTH after NL80211_CMD_ROAM
NL80211_CMD_ROAM indication is scheduled via a kernel work queue, while
QCA_NL80211_VENDOR_SUBCMD_KEY_MGMT_ROAM_AUTH is a vendor event from the
driver. Thus, a race condition can exist wherein the vendor event is
received prior to the NL80211_CMD_ROAM indication.

The processing of this vendor event depends on the NL80211_CMD_ROAM
indication to update the roamed BSS/BSSID information and thus the out
of sequence processing of these events would result in not updating the
right BSS information.

This commit adds a workaround to hold the pending
QCA_NL80211_VENDOR_SUBCMD_KEY_MGMT_ROAM_AUTH event for up to 100 ms in
case NL80211_CMD_ROAM is not received first.

Signed-off-by: Purushottam Kushwaha <pkushwah@codeaurora.org>
2020-12-21 22:57:42 +02:00
Vamsi Krishna
b4a41abad4 nl80211: Do not ignore disconnection event after a connection event
After a disconnect command is issued, wpa_supplicant generates a
disconnection event to self and ignores the next disconnection event
coming from the driver.  In a race condition in which the driver
generates a connected event due to roaming just before receiving the
disconnect command from userspace, wpa_supplicant processes the
connected event after processing the self-generated disconnection event
and enters WPA_COMPLETED state. The driver sends a disconnection event
after processing the disconnect command sent by wpa_supplicant but the
disconnection event is ignored by wpa_supplicant as the disconnection
event is considered to be a result of locally generated disconnect
command. Thus, wpa_supplicant continues to be in the connected
(WPA_COMPLETED) state though the driver is in disconnected state.

Fix this out-of-sync behavior between the driver and wpa_supplicant by
not ignoring the disconnection event from the driver because of the
locally generated disconnect command sent to the driver if there is a
connection event received after issuing the disconnect command to the
driver.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-12-21 15:51:32 +02:00
Sunil Dutt
73c7c2da99 Vendor feature capability to notify TWT asynchronous response support
The response for the respective TWT operations can either be synchronous
or asynchronous (wherever specified). If synchronous, the response to
this operation is obtained in the corresponding vendor command reply to
the user space. For asynchronous case, the response is obtained as an
event with the same operation type.

Drivers shall support either of these modes but not both simultaneously.
The support for asynchronous mode is advertised through the new flag
QCA_WLAN_VENDOR_FEATURE_TWT_ASYNC_SUPPORT. If the driver does not
include this flag, it shall support synchronous mode.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-12-21 13:09:30 +02:00
Sunil Dutt
a337c1d7c9 New TWT operations and attributes to TWT Setup and Nudge
Define the following additional TWT operations:
QCA_WLAN_TWT_GET_STATS, QCA_WLAN_TWT_CLEAR_STATS,
QCA_WLAN_TWT_GET_CAPABILITIES, QCA_WLAN_TWT_SETUP_READY_NOTIFY.

Also define new attributes to qca_wlan_vendor_attr_twt_setup
and qca_wlan_vendor_attr_twt_nudge.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-12-16 18:04:15 +02:00
Jouni Malinen
6ead8b897f Use bool for is_6ghz variables and functions
Replace the implicit boolean checks that used int variables with use of
a more explicit bool variable type.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-12-11 19:56:14 +02:00
Veerendranath Jakkam
7131fede34 Extend the setband support for 6 GHz and band combinations
Support possible band combinations of 2.4 GHz, 5 GHz, and 6 GHz with
QCA_WLAN_VENDOR_ATTR_SETBAND_MASK attribute. Ensure backwards
compatibility with old drivers that are using
QCA_WLAN_VENDOR_ATTR_SETBAND_VALUE attribute and supporting only 2.4 GHz
and 5 GHz bands.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2020-12-11 19:56:14 +02:00
Jouni Malinen
bba926350a Fix gcc-10 build with -Werror=array-bounds and dl_list_for_each()
The earlier workaround for UBSAN issues in commit 3b6b3ae581 ("Modify
dl_list_for_each() to not use unaligned access with WPA_TRACE") ended up
using a construction in which the type cast to the containing structure
was compared instead of the struct dl_list pointers. While that worked
around the UBSAN issue, it resulted in a comparison that gcc-10
interprets as being out of bounds for struct dl_list (which it obviously
is since this is to find the start of the containing structure).

Revert that workaround and instead, mark the struct dl_list used within
struct os_alloc_trace to have matching 16 octet alignment as the
containing structure. This is also restoring consistent design for
dl_list_for_each*().

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-12-04 13:59:37 +02:00
Juliusz Sosinowicz
0225301fde wolfSSL: Client cert loading API fix
Client cert loading API should check equality to SSL_SUCCESS for
success.

Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2020-12-04 12:42:17 +02:00
Avraham Stern
297050b460 nl80211: Report invalid signal and noise when info is unavailable
When the driver sends a CQM RSSI threshold event, wpa_supplicant queries
the driver for the signal and noise values. However, it is possible that
by that time the station has already disconnected from the AP, so these
values are no longer valid. In this case, indicate that these values are
invalid by setting them to WPA_INVALID_NOISE.

Previously a value of 0 would be reported, which may be confusing as
this is a valid value.

Since nl80211_get_link_signal() and nl80211_get_link_noise() already set
invalid values for a case of failure, just use the value set by these
functions even if they fail.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Reviewed-by: Brian Norris <briannorris@chromium.org>
2020-12-04 12:42:15 +02:00
Thomas Pedersen
be96f4e8d2 wlantest: Allow missing RSNE in S1G beacon
S1G beacons save a few bytes by not requiring the RSNE in beacon if RSN
BSS is configured. Handle this in wlantest by only clearing RSNE from
the BSS info if frame is a Probe Response frame.

Signed-off-by: Thomas Pedersen <thomas@adapt-ip.com>
2020-12-04 12:01:54 +02:00
John Crispin
d83eaa351e Add option to ignore Probe Request frames when RSSI is too low
Add a new hostapd configuration parameters rssi_ignore_probe_request to
ignore Probe Request frames received with too low RSSI.

Signed-off-by: John Crispin <john@phrozen.org>
2020-12-02 17:14:39 +02:00
David Bauer
4683b72183 DFS: Enter DFS state if no available channel is found
Previously hostapd would not stop transmitting when a DFS event was
detected and no available channel to switch to was available.

Disable and re-enable the interface to enter DFS state. This way, TX
does not happen until the kernel notifies hostapd about the NOP
expiring.

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-12-02 16:49:29 +02:00
Shay Bar
eee0d242bb hostapd: Add ability to disable HT/VHT/HE per BSS
Add the ability to disable HT/VHT/HE for specific BSS from hostapd.conf.

- Add disable_11ax boolean to hostapd_bss_config.
- Change disable_11n and disable_11ac to bool in hostapd_bss_config.
- Add configuration option to set these disable_11* parameters
  (which were previously used only automatically based on incompatible
  security parameters to disable HT/VHT).

Signed-off-by: Shay Bar <shay.bar@celeno.com>
2020-12-02 13:41:18 +02:00
Markus Theil
7c2cad969a mesh: Fix DFS deinit/init
The hostapd DFS code deinitializes and initializes the AP interface, if
a clean channel switch is not possible. In this case the AP code paths
would deinit the driver, for example nl80211, without wpa_supplicant
code paths getting notice of this.

Therefore add callbacks for wpa_supplicant mesh methods, which are
called on init/deinit of the AP BSS. These callbacks are then used to
handle the reset in the mesh code.

Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
2020-12-01 00:31:56 +02:00
Peter Oh
12ae3e3dba mesh: Inform kernel driver about DFS handler in userspace
The kernel requires indication of DFS handler residing in user space
(NL80211_ATTR_HANDLE_DFS) to enable DFS channels.

Signed-off-by: Peter Oh <peter.oh@bowerswilkins.com>
2020-12-01 00:14:07 +02:00
Peter Oh
8725909789 nl80211: Do not set offchanok on DFS channels in non-ETSI for mesh
mac80211 does not allow mgmt tx to use off channel on
DFS channels in non-ETSI domain, because it will invalidate
CAC result on current operating channel.
(mac80211 commit: 34373d12f3cbb74960a73431138ef619d857996f)
Hence don't set offchanok for mgmt tx in case of DFS channels
in non-ETSI.

Signed-off-by: Peter Oh <peter.oh@bowerswilkins.com>
2020-11-30 20:12:08 +02:00
Peter Oh
f1df4fbfc7 mesh: Use setup completion callback to complete mesh join
Mesh join function is the last function to be called during mesh join
process, but it's been called a bit earlier than it's supposed to be, so
that some mesh parameter values such as VHT capabilities were not
applied correct when mesh join is in process. Moreover, the current
design of mesh join that is called directly after mesh initialization
isn't suitable for DFS channels to use, since mesh join process should
be paused until DFS CAC is done and resumed after it's done.

The callback will be called by hostapd_setup_interface_complete_sync().
There is a possibility that completing mesh init fails, so add error
handling codes for that.

Signed-off-by: Peter Oh <peter.oh@bowerswilkins.com>
2020-11-30 11:57:37 +02:00
Sachin Ahuja
3c9abc7858 QCA vendor attributes to configure TX and RX NSS
Define QCA vendor attributes to dynamically configure TX NSS and RX NSS
to be used with QCA_NL80211_VENDOR_SUBCMD_SET_WIFI_CONFIGURATION and
QCA_NL80211_VENDOR_SUBCMD_GET_WIFI_CONFIGURATION commands.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-27 19:34:26 +02:00
Arun Kumar Khandavalli
5b782ff620 Add bus failure reason code to vendor indication
Add bus failure hang reason code in enum qca_wlan_vendor_hang_reason.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-23 20:37:44 +02:00
Srinivas Girigowda
90ca804e47 Add vendor attributes for TWT nudge request
TWT nudge is a combination of suspend and resume in a single request.
Add TWT nudge operation and QCA vendor attributes to support
the TWT nudge request.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-17 19:49:23 +02:00
Hai Shalom
2a7023ba6f Change list arguments to const where possible
Change struct dl_list pointer argument to const in list functions that
do not manipulate the list: dl_list_len() and dl_list_empty().

Signed-off-by: Hai Shalom <haishalom@google.com>
2020-11-16 15:50:44 +02:00
Rohan Dutta
fdf114641f nl80211: Send the sae_pwe value to the driver
Use NL80211_ATTR_SAE_PWE attribute to indicate the sae_pwe value
to the driver during the NL80211_CMD_START_AP and NL80211_CMD_CONNECT
in WPA3-Personal networks which are using SAE authentication.

Signed-off-by: Rohan Dutta <drohan@codeaurora.org>
2020-11-16 15:50:44 +02:00
Vamsi Krishna
2576f27e04 P2P: Disable P2P in the 6 GHz band for now
P2P usage in the 6 GHz band is not standardized yet by WFA. Disable P2P
operations in the 6 GHz band to avoid potential interop issues with
existing P2P devices in production. P2P operations in the 6 GHz band can
be reenabled later after defining standard ways to address potential
interop issues with existing P2P devices.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-16 13:15:28 +02:00
Sreeramya Soratkal
2ffd3bb4b6 P2P: Include p2p_6ghz_disable in global configuration
Previously, the configuration to disable the 6 GHz band remained local
to the P2P interface. With this there is a possibility of 6 GHz channels
being included in the channel list when the channel list needs to be
updated if the state changes on one of the interfaces.

Include the configuration to disable the 6 GHz band for P2P as a global
configuration value to prevent the inclusion of 6 GHz channels in the
channel list for P2P when the channel list needs to be updated during
the state change in one of the interfaces.

Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
2020-11-16 13:15:28 +02:00
Vinita S. Maloo
60c902f408 Add connect fail reason code from the driver to assoc reject event
Add support to report a vendor specific connect fail reason code fetched
from the driver to users by adding the reason code to the event
CTRL-EVENT-ASSOC-REJECT. Fetch the connect fail reason code when the
driver sends a failure connection result and append the reason code, if
available, to assoc reject event.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-16 13:15:28 +02:00
Sunil Dutt
7423fa6e8f Vendor feature capability to support concurrent sessions on Wi-Fi bands
Introduces a vendor specific feature capability
QCA_WLAN_VENDOR_FEATURE_CONCURRENT_BAND_SESSIONS to know if the device
supports concurrent network sessions on different Wi-Fi bands. This feature
capability is attributed to the hardware's capability to support the same
(e.g., DBS).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-16 13:15:28 +02:00
Nandha Kishore Easwaran
1934ad9b23 Add extra parameters to vendor command GPIO attribute
Add extra parameters mux_config, drive, and init_enable
to the GPIO config command.

Signed-off-by: Nandha Kishore Easwaran <nandhaki@codeaurora.org>
2020-11-16 13:15:28 +02:00
Jouni Malinen
d0e0d2283e Sync with mac80211-next.git include/uapi/linux/nl80211.h
This brings in nl80211 definitions as of 2020-11-11.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-11-16 13:15:21 +02:00
Vinita S. Maloo
c2c4686228 Set NLA_F_NESTED flag with NL80211_ATTR_VENDOR_DATA conditionally
The newer kernel versions enforce strict netlink attribute policy
validation and will cause cfg80211 to reject vendor commands with
NL80211_ATTR_VENDOR_DATA if NLA_F_NESTED attribute is not set but
if the vendor command is expecting nested data within
NL80211_ATTR_VENDOR_DATA attribute.

Most of the earlier instances were addressed by adding NLA_F_NESTED
flag in nla_nest_start(). This commit addresses the remaining
instance in which NL80211_ATTR_VENDOR_DATA is populated using data
set by user through the control interface.

Enhance the control interface VENDOR command to indicate whether the
vendor subcommand uses nested attributes within NL80211_ATTR_VENDOR_DATA
attribute or not.

Set NLA_F_NESTED flag for existing QCA vendor commands which use nested
attributes within the NL80211_ATTR_VENDOR_DATA attributes so that the
old frameworks implementations for already existing commands work
without any issues.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-10 23:48:00 +02:00
Srinivas Girigowda
cd3aa54a37 Add test configuration attr to enable/disable full bandwidth UL MU-MIMO
Define a QCA vendor attribute
QCA_WLAN_VENDOR_ATTR_WIFI_TEST_CONFIG_FULL_BW_UL_MU_MIMO to
enable/disable full bandwidth UL MU-MIMO subfield in the HE PHY
capabilities information field for testing purposes.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-10 20:10:59 +02:00
Jouni Malinen
ec1f4f3c81 Make GTK length validation for RSN Group 1/2 easier to analyze
This extends the changes in commit c397eff828 ("Make GTK length
validation easier to analyze") to cover the RSN case as well as the WPA.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-03 21:10:01 +02:00
Jouni Malinen
c42d41bf35 EAP-IKEv2: Try to make transform parser simpler to understand
Use a local variable to try to make ikev2_parse_proposal() easier for
static analyzers to understand. Bounds checking in the loop is really
done by the ikev2_parse_transform() function, so the p->num_transforms
value itself is of no importance for that part and even that was already
implicitly limited in range.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-03 21:03:30 +02:00
Jouni Malinen
05962099c3 TDLS: Fix error path for TPK M1 send failure in testing functionality
The previous fix did not actually address this testing functionality
case correctly. Clear the peer pointer to avoid double freeing.

Fixes: a86078c876 ("TDLS: Fix error path handling for TPK M1 send failures")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-03 19:45:36 +02:00
Jouni Malinen
a9fed5f5b5 Avoid undefined behavior with memcpy PMK/PSK update
When SAE is used, the local pointer pmk may point to sm->PMK. Skip the
memcpy operation in such a case since it is not really needed and use of
overlapping memory buffers is undefined behavior for memcpy().

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-02 18:46:35 +02:00
Jouni Malinen
c643c39287 nl80211: Fix filtering of unsupported bands/modes
The loop for removing unsupported bands was assuming there is always
exactly one band/mode following the removed band. That was not at all
correct, so fix this by dynamically determining how many (if any) bands
need to be moved.

Fixes: 106d67a93c ("nl80211: Filter out unsupported bands")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-02 18:38:41 +02:00
Jouni Malinen
a86078c876 TDLS: Fix error path handling for TPK M1 send failures
Local allocation error or failure to get a random number could have
resulted in the peer entry getting freed and couple of the error path
cases in callers could have tried to reference or delete the peer after
that. Fix this by tracking the errors where the peer is freed.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-02 17:26:04 +02:00
Jouni Malinen
3d490296bc DPP2: Fix error path handling in enterprise provisioning
The allocated memory pointed by the pem pointer was freed on an error
path without clearing the pointer to NULL before returning it from the
function. This could have resulted in use of freed memory in an error
case. Fix this by clearing the pointer so that the function returns NULL
properly in the case of this error.

Fixes: ace3723d98 ("DPP2: Enterprise provisioning (Enrollee)")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-02 16:52:01 +02:00
Jouni Malinen
589bf1f7a9 DPP2: Fix ppkey parsing
DPP_CONFIGURATOR_ADD processing of the new ppkey parameter had a
copy-paste error in determining the correct length of this parameter.
Fix that by referencing the correct pointer.

Fixes: 9c1fbff074 ("DPP2: Generate a privacy protection key for Configurator")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-02 16:31:02 +02:00
Veerendranath Jakkam
79e3f08d3c 6 GHz: Add support for missing 6 GHz operating classes
Add support for missing 6 GHz operating classes as defined in
IEEE P802.11ax/D7.0.

This is needed to avoid OCV failures on the 6 GHz band when the channel
width is larger than 20 MHz.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2020-10-30 22:52:47 +02:00
Veerendranath Jakkam
66bed14b22 6 GHz: Fix opclasses mapping in ieee80211_freq_to_channel_ext()
Previously only primary channel number used to calculate 6GHz operating
class in ieee80211_freq_to_channel_ext() and it is always giving 131
operating class. Fix this by mapping operating class using chanwidth and
sec_channel also.

This is needed to avoid OCV failures on the 6 GHz band when the channel
width is larger than 20 MHz.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2020-10-30 14:20:50 +02:00
Hai Shalom
5e779873ed EAP-SIM peer: Send AT_IDENTITY first
For EAP-SIM connections, reorder the order of the attributes in
EAP-Response/SIM/Start message: Send AT_IDENTITY first, then
AT_NONCE and AT_VERSION instead of AT_IDENTITY last. Even though there
is no order requirements in the RFC, some implementations expect the
order of the attributes to be exactly as described in the RFC figures.

Peer                                      Authenticator
|                                                 |
|                      +------------------------------+
|                      | Server does not have a       |
|                      | Subscriber identity available|
|                      | When starting EAP-SIM        |
|                      +------------------------------+
|                                                 |
|          EAP-Request/SIM/Start                  |
|          (AT_ANY_ID_REQ, AT_VERSION_LIST)       |
|<------------------------------------------------|
|                                                 |
|                                                 |
| EAP-Response/SIM/Start                          |
| (AT_IDENTITY, AT_NONCE_MT,                      |
|  AT_SELECTED_VERSION)                           |
|------------------------------------------------>|
|                                                 |

Signed-off-by: Hai Shalom <haishalom@google.com>
2020-10-30 13:59:49 +02:00
Pooventhiran G
0577e8e679 nl80211: Check for proper nlmsg allocation in send_and_recv_msgs_owner()
When nlmsg allocation fails, nl80211_drv_msg() returns NULL and the call
to send_and_recv_msgs_owner() from nl80211_leave_ibss() could have ended
up dereferencing a NULL pointer. Fix this by make
send_and_recv_msgs_owner() more consistent with other send_and_recv*()
cases that check msg == NULL internally.

Fixes: 12ea7dee31 ("nl80211: Use nl80211 control port for receiving EAPOL frames")
Signed-off-by: Pooventhiran G <pooventh@codeaurora.org>
2020-10-27 11:39:45 +02:00
Disha Das
02289ab537 DPP2: Explicitly check EC_KEY before dereferencing it
In theory, the EVP_PKEY_get0_EC_KEY() could fail, so verify that it
succeeds before using the pointer to get the group.

Fixes: 65e94351dc ("DPP2: Reconfig Authentication Request processing and Response generation")
Signed-off-by: Disha Das <dishad@codeaurora.org>
2020-10-27 11:33:15 +02:00
Jouni Malinen
106d67a93c nl80211: Filter out unsupported bands
If the driver indicates capability for a band that
hostapd/wpa_supplicant does not support, the struct hostapd_hw_modes
array of bands got an empty entry for that with NUM_HOSTAPD_MODES as the
mode. This resulted in various issues, e.g., with fst_hw_mode_to_band()
hitting a WPA_ASSERT(0).

Fix this by filtering out unsupported bands from the internal data
structures.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-10-26 22:34:07 +02:00
Sunil Dutt
8f0ed71ffe Vendor specific feature capability for Adaptive 11r
Add feature capability indication for Adaptive 11r for the drivers
to advertize support for this.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-10-22 23:51:34 +03:00
Arun Kumar Khandavalli
45ae6ae8e1 Add additional vendor specific hang reason codes
Add additional hang reason codes in enum qca_wlan_vendor_hang_reason to
address potential internal failure cases.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-10-22 23:47:12 +03:00
Jouni Malinen
d2190cdc65 DPP2: Update the default port number for DPP-over-TCP
IANA assigned the TCP port 8908 for DPP, so update the implementation to
match the formal assignment.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-10-21 00:29:38 +03:00
Jouni Malinen
5d988b4a5b Fix couple more typos
Couple of similar cases that were not included in the previous commit.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-10-20 00:37:01 +03:00
Jouni Malinen
183e72ae13 SAE-PK: Do not accept SAE-PK status code when no PK is configured
Make sae_status_success() more explicit by rejecting SAE-PK status code
when the AP is not configured with PK.

Fixes: 20ccf97b3d ("SAE-PK: AP functionality")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-10-20 00:37:01 +03:00
Andrei Otcheretianski
80662accb5 SAE: Don't use potentially uninitialized keys
If SAE_CONFIG_PK is not defined and sae->pk isn't zero (which is
possible as it is controlled by the commit message status code),
sae_derive_keys() may end up deriving PMK and KCK from an
uninitialized array. Fix that.

Fixes: 6b9e99e571 ("SAE-PK: Extend SAE functionality for AP validation")
Fixes: 20ccf97b3d ("SAE-PK: AP functionality")
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2020-10-20 00:37:01 +03:00
Pooventhiran G
e364a34c69 OpenSSL: Make openssl_debug_dump_certificate() more robust
SSL_CTX_get0_certificate() returns NULL if no certificate is installed.
While this should not be the case here due to the loop in
openssl_debug_dump_certificate_chains() proceeding only if the
SSL_CTX_set_current_cert() returns success, it is safer to make
openssl_debug_dump_certificate() explicitly check against NULL before
trying to dump details about the certificate.

Signed-off-by: Pooventhiran G <pooventh@codeaurora.org>
2020-10-19 22:57:24 +03:00
Johannes Berg
d68c0dd4d4 build: lib.rules: Add common-clean
During the build reshuffling, I missed this, so doing
'make clean' in a certain src/lib folder doesn't clean
up everything anymore. Fix that.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2020-10-16 12:51:12 +03:00
Johannes Berg
4c66894fab eap_peer: Add .gitignore with *.so
If wpa_supplicant is built with dynamic EAP methods,
the *.so files land here. Add them to .gitignore.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2020-10-16 12:34:16 +03:00
Hu Wang
13256b8cf3 P2P: Stop old listen radio work before go to WAIT_PEER_IDLE state
P2P goes to Listen state while waiting for the peer to become ready for
GO Negotiation. If old listen radio work has not been completed, P2P
fails to go to listen state. This could happen in cases where P2P Action
frame transmission reused ongoing p2p-listen radio work.

p2p0: Add radio work 'p2p-listen'@0x
P2P-FIND-STOPPED
p2p0: Starting radio work 'p2p-listen'@0x after 0.010644 second wait
P2P: Use ongoing radio work for Action frame TX
P2P: Use ongoing radio work for Action frame TX
P2P: State CONNECT -> CONNECT
P2P: State CONNECT -> WAIT_PEER_IDLE
P2P: State WAIT_PEER_IDLE -> WAIT_PEER_CONNECT
P2P: Reject start_listen since p2p_listen_work already exists
P2P: Failed to start listen mode

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-10-14 23:16:16 +03:00
Vamsi Krishna
cc3d6efa8b Add QCA interface for driver to report various connect fail reason codes
The connection process fails for several reasons and the status codes
defined in IEEE Std 802.11 do not cover the locally generated reason
codes. Add an attribute to QCA_NL80211_VENDOR_SUBCMD_GET_STA_INFO vendor
sub command which can be used by the driver/firmware to report various
additional reason codes for connection failures.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-10-14 23:06:47 +03:00
Jouni Malinen
39748963d7 build: Fix libeap_peer.a build
The install target at the beginning of src/eap_peer/Makefile was
confusing make about the build rules for libeap_peer.a and overriding of
the install target between src/eap_peer/Makefile and src/lib.rules was
breaking installation of dynamic EAP peer *.so files.

Fix this by lib.rules defining a default for the install target so that
src/*/Makefile can override that and by moving the install target for
eap_peer to the end of the Makefile.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-10-14 22:57:04 +03:00
Markus Theil
c3f37c35f0 DFS: Use helper functions for VHT/HE parameters
This is needed to cover the HE-specific conf->he_oper_chwidth value in
addition to conf->vht_oper_chwidth.

Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
2020-10-14 13:05:11 +03:00
Markus Theil
a72599b319 hw_features: Better debug messages for some error cases
Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
2020-10-14 13:05:11 +03:00
Markus Theil
7f8ac02e85 HE/VHT: Fix frequency setup with HE enabled
Some places in the code base were not using the wrappers like
hostapd_set_oper_centr_freq_seg0_idx and friends. This could lead to
errors, for example when joining 80 MHz mesh networks. Fix this, by
enforcing usage of these wrappers.

wpa_supplicant_conf_ap_ht() now checks for HE capability before dealing
with VHT in order for these wrappers to work, as they first check HE
support in the config.

While doing these changes, I've noticed that the extra channel setup
code for mesh networks in wpa_supplicant/mesh.c should not be necessary
anymore and dropped it. wpa_supplicant_conf_ap_ht() should handle this
setup already.

Acked-by: John Crispin <john@phrozen.org>
Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
2020-10-14 12:44:09 +03:00
Jouni Malinen
0f07230eb9 DPP2: Add privacyProtectionKey into Configurator backup/restore
This allows the privacyProtectionKey to be transferred to a new
Configurator similarly to the way c-sign-key is transferred.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-10-13 23:38:47 +03:00
Jouni Malinen
a0ccc4017f DPP2: Use ppKey to decrypt E'-id on Configurator
Use the new privacy protection key to decrypt E'-id from Reconfig
Announcement frames.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-10-13 23:38:47 +03:00
Jouni Malinen
99d7bf2348 DPP2: Use the new privacy protection key to protect E-id on Enrollee
Use ppKey instead of C-sign-key to encrypted E-id to E'-id into Reconfig
Announcement frame on the Enrollee side.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-10-13 23:38:47 +03:00
Jouni Malinen
37df40845a DPP2: Copy received ppKey into wpa_supplicant network profile
Store the received privacy protection key from Connector into
wpa_supplicant network profile and indicate it through the control
interface similarly to C-sign-key.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-10-13 23:38:47 +03:00
Jouni Malinen
a8ee2292bd DPP2: Parse ppKey from Connector
This will be used to protect E-id in Reconfig Announcement frames.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-10-13 23:38:47 +03:00
Jouni Malinen
2a8c928871 DPP2: Add ppKey into Connector
This provides the new privacy protection key to the Enrollee so that
this can be used to protect E-id in Reconfig Announcement frames.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-10-13 23:38:47 +03:00
Jouni Malinen
9c1fbff074 DPP2: Generate a privacy protection key for Configurator
Generate a new key for Configurator. This is either generated
automatically for the specified curve or provided from external source
with the new ppkey=<val> argument similarly to the way c-sign-key was
previously generated.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-10-13 19:59:29 +03:00
Jouni Malinen
1d14758450 DPP: Make dpp_keygen_configurator() a static function
This was not used anywhere outside dpp.c.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-10-13 19:48:29 +03:00
Johannes Berg
1d0d8888af build: Make more library things common
We don't really need to duplicate more of this, so just
move the lib.rules include to the end and do more of the
stuff that's common anyway there.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2020-10-12 20:20:35 +03:00
Johannes Berg
f4b3d14e97 build: Make a common library build
Derive the library name from the directory name, and let each
library Makefile only declare the objects that are needed.

This reduces duplicate code for the ar call. While at it, also
pretty-print that call.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2020-10-12 20:20:20 +03:00
Johannes Berg
ac1447ae9d build: Rebuild libs all the time
When files change that go into a static library such as libutils.a, then
libutils.a doesn't get rebuilt from, e.g., wlantest because the
top-level Makefile just calls the library make if the library doesn't
exist yet.

Change that by making the library depend on a phony target (cannot make
it itself phony due to the pattern) so that the build will always
recurse into the library build, and check there if the library needs to
be rebuilt.

While at it, remove the (actually unnecessary) mkdir so it doesn't get
done each and every time you do 'make'.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2020-10-12 20:18:02 +03:00
Johannes Berg
154b18d950 build: Fix dependency file inclusion
The objs.mk include changes for archive files broke things
completely and none of the dependency files (*.d) ever got
included, as the expansion there ended up empty.

Clearly, my mistake, I should've tested that better. As we
don't need the %.a files in the list there use filter-out
to remove them, rather than what I had lazily wanted to do,
which was trying to read %.d files for them. The filter-out
actually works, and avoids looking up files that can never
exist in the first place.

Fixes: 87098d3324 ("build: Put archive files into build/ folder too")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2020-10-12 11:05:16 +03:00
Ze Gan
79db311e89 macsec_linux: Fix receive-lowest-PN setting
Setting of the PN for the receive SA failed because the SCI wasn't
provided. Fix this by adding the needed attribute to the command.

Signed-off-by: Ze Gan <ganze718@gmail.com>
2020-10-11 20:35:35 +03:00
Johannes Berg
283eee8eed gitignore: Clean up a bit
Now that we no longer leave build artifacts outside the build folder, we
can clean up the gitignore a bit. Also move more things to per-folder
files that we mostly had already anyway.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2020-10-11 19:32:50 +03:00
Johannes Berg
87098d3324 build: Put archive files into build/ folder too
This is something I hadn't previously done, but there are
cases where it's needed, e.g., building 'wlantest' and then
one of the tests/fuzzing/*/ projects, they use a different
configuration (fuzzing vs. not fuzzing).

Perhaps more importantly, this gets rid of the last thing
that was dumped into the source directories, apart from
the binaries themselves.

Note that due to the use of thin archives, this required
building with absolute paths.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2020-10-11 11:16:00 +03:00
Johannes Berg
00b5e99b65 build: Use the new build system for fuzz tests
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2020-10-11 11:15:16 +03:00
Juliusz Sosinowicz
a49f628845 wolfSSL: Fix wrong types in tls_wolfssl.c
wolfSSL_X509_get_ext_d2i() returns STACK_OF(GENERAL_NAME)* for
ALT_NAMES_OID therefore wolfSSL_sk_value needs to expect a
WOLFSSL_GENERAL_NAME*.

In addition, explicitly check for NULL return from wolfSSL_sk_value().

Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2020-10-11 10:56:47 +03:00
Thomas Pedersen
52a1b28345 nl80211: Unbreak mode processing due to presence of S1G band
If kernel advertises a band with channels < 2.4 GHz
hostapd/wpa_supplicant gets confused and assumes this is an IEEE
802.11b, corrupting the real IEEE 802.11b band info.

Signed-off-by: Thomas Pedersen <thomas@adapt-ip.com>
2020-10-10 20:49:59 +03:00
Johannes Berg
ce963433bd build: Allow overriding BUILDDIR from command line
You can now specify BUILDDIR= on the make command line,
e.g., in order to put that into a tmpfs or similar.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2020-10-10 13:06:53 +03:00