Commit graph

16848 commits

Author SHA1 Message Date
Jouni Malinen
8460e32309 P2P: Fix a corner case in peer addition based on PD Request
p2p_add_device() may remove the oldest entry if there is no room in the
peer table for a new peer. This would result in any pointer to that
removed entry becoming stale. A corner case with an invalid PD Request
frame could result in such a case ending up using (read+write) freed
memory. This could only by triggered when the peer table has reached its
maximum size and the PD Request frame is received from the P2P Device
Address of the oldest remaining entry and the frame has incorrect P2P
Device Address in the payload.

Fix this by fetching the dev pointer again after having called
p2p_add_device() so that the stale pointer cannot be used.

Fixes: 17bef1e97a ("P2P: Add peer entry based on Provision Discovery Request")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-25 20:09:46 +02:00
Kiran Kumar Lokere
59e9794c7d QCA vendor attribute to configure Punctured Preamble Rx in HE cap
Add a QCA vendor attribute to enable/disable the Punctured Preamble Rx
support in HE PHY capabilities.

This attribute is used for testing purposes.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-23 00:46:37 +02:00
Kiran Kumar Lokere
875d7be38c QCA vendor attribute to disable data and management frame Tx
Add a QCA vendor attribute to configure the driver to disable data and
management response frame transmission to test the BSS max idle period
feature.

This attribute is used for testing purposes.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-23 00:46:31 +02:00
Kiran Kumar Lokere
ecb7590f34 QCA vendor attribute to configure RU 242 tone for data Tx
Add a QCA vendor attribute to configure the driver/firmware to use only
RU 242 tone for data frame transmission.

This attribute is used for testing purposes.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-23 00:46:27 +02:00
Kiran Kumar Lokere
8d23297128 QCA vendor attribute to configure BSS max idle period
Add a QCA vendor attribute to configure the driver with a specific BSS
max idle period value to advertise in (Re)Association Request frames.

This attribute is used for testing purposes.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-23 00:46:21 +02:00
Jouni Malinen
dc72854fe2 Fix handle_auth_cb() message length check regression
Reordering of code in handle_auth_cb() when adding support for full
station state messaged up frame length checks. The length was originally
tested before looking at the payload of the frame and that is obviously
the correct location for that check. The location after those full state
state changes was after having read six octets of the payload which did
not help at all since there was no addition accesses to the payload
after that check.

Move the payload length check to appropriate place to get this extra
level of protection behaving in the expected manner. Since this is a TX
status callback handler, the frame payload is from a locally generated
Authentication frame and as such, it will be long enough to include
these fields in production use cases. Anyway, better keep this check in
working condition.

Fixes: bb598c3bdd ("AP: Add support for full station state")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-23 00:30:09 +02:00
Jouni Malinen
f03580e319 Restore permanent MAC address on the FLUSH command
Clear previously used random MAC address on the FLUSH command if
mac_addr setting has been disabled.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-21 17:22:37 +02:00
Jouni Malinen
39fac5abd1 tests: Fix clean at the end of sigma_dut_client_privacy
These commands were being issues to incorrect wpa_supplicant instance
and were missing clearing of the MAC_RAND_SCAN parameter.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-21 17:21:48 +02:00
Jouni Malinen
c210aed4b6 tests: Fix the cleanup at the end of scan_setband
The iteration of WpaSupplicant instances used incorrect variable and
ended up cleaning up only the wlan5 interface. This left unexpected
setband parameter for wlan0/wlan1/wlan2 which could result in
consecutive test cases failing due to scan not finding the expected
BSSs.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-21 16:58:33 +02:00
Jouni Malinen
976c3c161f DPP2: Accept Config Result before GAS response TX status
The TX event for the next frame in the sequence might be received before
the TX status for the final GAS response frame is processed. This used
to result in the Config Result getting discarded and the negotiation not
completing successfully on the Configurator side.

Accept the Config Result message as an indication of the final GAS
response frame having went through fine even if the TX status has not
yet been processed to avoid this issue from a potential race condition
on kernel events.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-21 16:44:33 +02:00
Jouni Malinen
6518c72b02 Multi-AP: Fix backhaul SSID printing condition
ssid->ssid is an array so comparison against NULL is pointless; check
ssid->ssid_len instead.

Fixes: 871d6648f5 ("hostapd: Add multi_ap settings to get_config() output")
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-21 12:50:34 +02:00
Jouni Malinen
1ba8a315cd Avoid use of C++ keyword in a header file
Don't use 'protected' as the name of the variable in bss.h since this
might be used in control interfaces that use C++.

Fixes: 1c77f3d3f9 ("Indicate whether additional ANQP elements were protected")
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-21 12:48:13 +02:00
Jouni Malinen
10502ad59f radiotap: Fix compiler issues with packed structures
Replace the Radiotap parser platform.h file with use of helper functions
from utils/common.h to avoid compiler issues with the updated design and
getting pointers to members of packet structs.

Silence the warning about _next_bitmap assignment. This pointer is
dereferenced only with operations that are safe for unaligned access, so
the compiler warning is not helpful here.

__packed might not be defined in this context, so use STRUCT_PACKED from
utils/common.h.

Fixes: e6ac269433 ("radiotap: Update radiotap parser")
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-21 12:40:58 +02:00
Jouni Malinen
fcdf5d93ea tests: EAP-TTLS and PEAP with TLS 1.3
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-20 18:00:54 +02:00
Alexander Clouter
0dee287c84 EAP server: Extend EAP-TLS Commitment Message use to PEAP and EAP-TTLS
Use the explicit Commitment Message per draft-ietf-emu-eap-tls13-13
Section 2.5 and extend this functionality to PEAP and EAP-TTLS when
using TLS 1.3.

Signed-off-by: Alexander Clouter <alex@digriz.org.uk>
2021-02-20 17:53:52 +02:00
Alexander Clouter
fae4eafe4a EAP-TTLS peer: Handle Commitment Message for TLS 1.3
Recognize the explicitly defined Commitment Message per
draft-ietf-emu-eap-tls13-13 at the conclusion of the EAP-TTLS with TLS
1.3.

Signed-off-by: Alexander Clouter <alex@digriz.org.uk>
2021-02-20 17:47:41 +02:00
Alexander Clouter
155125b02a EAP-TLS peer: Handle Commitment Message for TLS 1.3
Recognize the explicitly defined Commitment Message per
draft-ietf-emu-eap-tls13-13 at the conclusion of the EAP-TLS with TLS
1.3.

Signed-off-by: Alexander Clouter <alex@digriz.org.uk>
2021-02-20 17:47:39 +02:00
Alexander Clouter
3a457509db EAP: Extend Session-Id derivation with TLS 1.3 to PEAP and EAP-TTLS
This newer Session-Id/Method-Id derivation is used with PEAP and
EAP-TTLS when using TLS 1.3 per draft-ietf-emu-tls-eap-types-00, so do
not limit this to only EAP-TLS.

Signed-off-by: Alexander Clouter <alex@digriz.org.uk>
2021-02-20 17:36:57 +02:00
Alexander Clouter
647db6a6b5 EAP-TTLS: Key derivation per draft-ietf-emu-tls-eap-types-00
Use the TLS-Exporter with the label and context as defined in
draft-ietf-emu-tls-eap-types-00 when deriving keys for EAP-TTLS with TLS
1.3.

Signed-off-by: Alexander Clouter <alex@digriz.org.uk>
2021-02-20 17:35:51 +02:00
Alexander Clouter
c74f230200 EAP-PEAP: Key derivation per draft-ietf-emu-tls-eap-types-00
Use the TLS-Exporter with the label and context as defined in
draft-ietf-emu-tls-eap-types-00 when deriving keys for PEAP with TLS
1.3.

Signed-off-by: Alexander Clouter <alex@digriz.org.uk>
2021-02-20 17:35:51 +02:00
Alexander Clouter
872609c151 EAP-TTLS/PEAP peer: Fix failure when using session tickets under TLS 1.3
EAP peer does not expect data present when beginning the Phase 2 in
EAP-{TTLS,PEAP} but in TLS 1.3 session tickets are sent after the
handshake completes.

There are several strategies that can be used to handle this, but this
patch picks up from the discussion[1] and implements the proposed use of
SSL_MODE_AUTO_RETRY. SSL_MODE_AUTO_RETRY has already been enabled by
default in OpenSSL 1.1.1, but it needs to be enabled for older versions.

The main OpenSSL wrapper change in tls_connection_decrypt() takes care
of the new possible case with SSL_MODE_AUTO_RETRY for
SSL_ERROR_WANT_READ to indicate that a non-application_data was
processed. That is not really an error case with TLS 1.3, so allow it to
complete and return an empty decrypted application data buffer.
EAP-PEAP/TTLS processing can then use this to move ahead with starting
Phase 2.

[1] https://www.spinics.net/lists/hostap/msg05376.html

Signed-off-by: Alexander Clouter <alex@digriz.org.uk>
2021-02-20 17:02:35 +02:00
Jouni Malinen
9acf8da223 tests: Use a longer timeout for connection in sigma_dut DPP test cases
It was possible for these test cases to fail if the first scan iteration
did not find the AP since the 10 second timeout was small enough to
terminate the second attempt before fetching the scan results. Increase
this timeout to allow at least two full scan iterations to be completed
before declaring failure.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-20 16:10:47 +02:00
Jouni Malinen
6ef749ce15 tests: Clear scan results at the end of scan-ssid-list tests
These test cases use hidden SSIDs and left behind a BSS entry with no
SSID. That can cause issues for consecutive test cases where the BSSID
can be used as the key for finding a BSS entry. That could end up
picking the old hidden SSID BSS instead of the one that was meant to be
used in the test case.

Flush the scan cache at the end of the scan-ssid-list test cases to
reduce invalid test failures for the consecutive test cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-20 16:01:32 +02:00
Jouni Malinen
751ce086aa tests: Make PASN tests more robust
The PASN_START command can fail if there is an old BSS entry for the
same BSSID from an earlier test case. Try to avoid this by flushing the
scan results before running these test cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-20 15:45:54 +02:00
Andrei Otcheretianski
8265f84531 nl80211: Unconditionally clear nl_msg
Previously nl80211_nlmsg_clear() would be called under a special
condition when valid_handler is NULL and valid_data is -1. Such API is
not very convenient as it forces the handler to be NULL. Change the
send_and_recv() function to always clear the nl_msg, which will simplify
all this logic.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2021-02-20 00:34:42 +02:00
Ilan Peer
6c7b0a9657 PASN: Correctly set RSNXE bits from AP
The capability bit index should not be shifted here as the shifting is
handled later below when building the RSNXE octets.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2021-02-20 00:26:21 +02:00
Ilan Peer
85eb47e3a9 PASN: Correctly set RSNXE bits from STA
These defines are for the capability bit number, not the binary value
from the bit index. As such, need to use BIT() here to set the bitmap
appropriately.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2021-02-20 00:25:10 +02:00
Andrei Otcheretianski
be5f7f3746 wpa_supplicant: Fix potential memleak on an error path
extra_buf allocation was missed in one of the error cases.

Fixes: 170775232d ("ANQP: Add support to specify frequency in ANQP_GET command")
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2021-02-20 00:18:45 +02:00
Andrei Otcheretianski
fb83e4fbc3 tests: Replace deprecated thread isAlive function
The isAlive() function is deprecated in newer versions of Python
so replace it with the is_alive() instead.

Signed-off-by: Oren Givon <oren.givon@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2021-02-20 00:16:33 +02:00
Anusha Datar
8f248d1aca Check for message truncation in RADIUS client
The RADIUS client currently determines if a radius message is longer
than the supported maximum length by checking whether the size of the
received buffer and the length of the buffer (as returned by recv()) is
equal. This method fails to detect if the buffer has actually been
truncated. This change modifies the RADIUS client to instead use the
recvmsg() call and then check the message header flags to determine
whether or not the received message has been truncated and drop the
message if that is the case.

Signed-off-by: Anusha Datar <anusha@meter.com>
Reviewed-by: Steve deRosier <derosier@cal-sierra.com>
Reviewed-by: Julian Squires <julian@cipht.net>
2021-02-20 00:15:15 +02:00
Anusha Datar
5cb25307e4 Set RADIUS message length to reflect RFC 2865
The current RADIUS server message maximum length limits the length of
each RADIUS message to 3000 bytes. As specified in RFC 2865 section 3
("Packet Format"), the RADIUS standard's maximum message size is 4096
bytes, so this change increases the RADIUS server's maximum message
size from 3000 to 4096 to match the standard.

Signed-off-by: Anusha Datar <anusha@meter.com>
Reviewed-by: Steve deRosier <derosier@cal-sierra.com>
Reviewed-by: Julian Squires <julian@cipht.net>
2021-02-20 00:11:17 +02:00
Anusha Datar
7df089b567 Create RADIUS_MAX_MSG_LEN param in the shared radius.h
The RADIUS client currently uses a hardcoded value of 3000 for the
maximum length of a RADIUS message, and the RADIUS server currently
defines a constant value for the maximum length of the RADIUS message
within its source. The client and the server should use the same
maximum length value, so this change creates a shared parameter
RADIUS_MAX_MSG_LEN within the header file radius.h and modifies
both the client and the server to use that parameter instead of
a locally set value.

Signed-off-by: Anusha Datar <anusha@meter.com>
Reviewed-by: Steve deRosier <derosier@cal-sierra.com>
Reviewed-by: Julian Squires <julian@cipht.net>
2021-02-20 00:08:17 +02:00
Jouni Malinen
3811645e99 tests: P2P device discovery with invalid group client info
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-19 23:34:11 +02:00
Sachin Ahuja
98a52b09ca Add new attributes in get_sta_info QCA vendor command
Add additional attributes for the QCA vendor command
QCA_NL80211_VENDOR_SUBCMD_GET_STA_INFO to get finer details on roaming
behavior, TSF out of sync count, and the latest TX rate, Rate Index used
for the transmission.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-16 00:47:43 +02:00
Veerendranath Jakkam
8f204f69ac Show OCV and beacon protection capabilities in control interface
Indicate local support for Operating Channel Validation (OCV) and beacon
protection.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-02-16 00:47:43 +02:00
Veerendranath Jakkam
6f92f81dac AP: Check driver's capability to enable OCV when driver SME is used
When the driver SME is used, offloaded handshakes which need Operating
Channel Validation (OCV) such as SA Query procedure, etc. would fail if
hostapd enables OCV based on configuration but the driver doesn't
support OCV. To avoid this when driver SME is used, enable OCV from
hostapd only when the driver indicates support for OCV.

This commit also adds a capability flag to indicate whether driver SME
is used in AP mode.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-02-16 00:47:43 +02:00
Veerendranath Jakkam
73ebd58fc8 STA: Check driver capability to enable OCV when driver SME is used
When the driver SME is used, offloaded RSN handshakes like SA Query, GTK
rekeying, FT authentication, etc. would fail if wpa_supplicant enables
OCV in initial connection based on configuration but the driver doesn't
support OCV. To avoid such failures check the driver's capability for
enabling OCV when the driver SME used.

This commit also adds a capability flag for indicating OCV support
by the driver.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-02-16 00:47:43 +02:00
Jouni Malinen
f3dfe42c7e Clean up RSN parameter setting for PASN
Set conf.force_kdk_derivation within the same if block as all the other
parameters. This is used only if ssid is not NULL, so no need to have
any special handling for this parameter.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-16 00:47:43 +02:00
Veerendranath Jakkam
d36d4209fd Enable beacon protection only when driver indicates support
Enabling beacon protection will cause STA connection/AP setup failures
if the driver doesn't support beacon protection. To avoid this, check
the driver capability before enabling beacon protection.

This commit also adds a capability flag to indicate beacon protection
support in client mode only.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-02-16 00:47:43 +02:00
Hu Keping
9d99814e22 Update sgml to generate reproducible manpages
Prior to this patch, we failed to recreate bit-by-bit identical
copies of wpa_supplicant because it doesn't generate reproducible manpages.

Since the latest version(0.6.14-3 or new) of docbook-utils have already
support getting the date from sgml file [1], it is possible to make some
progress on the "reproducible builds" effort [2].

[1]: https://sources.debian.org/patches/docbook-utils/0.6.14-3
[2]: https://reproducible-builds.org

Signed-off-by: Hu Keping <hukeping@huawei.com>
2021-02-16 00:47:43 +02:00
Jouni Malinen
7eb222aa89 tests: EXT PW file backend
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-16 00:47:43 +02:00
Patrick Steinhardt
e680a51e94 ext_password: Implement new file-based backend
It was not easily possible to separate configuration of an interface and
credentials when using the configuration file instead of the control
interface or D-Bus interface for setting up the network profiles. This
makes it hard to distribute configuration across a set of nodes which
use wpa_supplicant without also having to store credentials in the same
file. While this can be solved via scripting, having a native way to
achieve this would be preferable.

Turns out there already is a framework to have external password
storages. It only had a single "test" backend though, which is kind of
an in-memory store which gets initialized with all passwords up front
and is mainly for testing purposes. This isn't really suitable for the
above use case: the backend cannot be initialized as part of the central
configuration given that it needs the credentials, and we want to avoid
scripting.

This commit thus extends the infrastructure to implement a new backend,
which instead uses a simple configuration file containing key-value
pairs. The file follows the format which wpa_supplicant.conf(5) uses:
empty lines and comments are ignored, while passwords can be specified
with simple `password-name=password-value` assignments.

With this new backend, splitting up credentials and configuration
becomes trivial:

    # /etc/wpa_supplicant/wpa_supplicant.conf
    ext_password_backend=file:/etc/wpa_supplicant/psk.conf

    network={
        ssid="foobar"
        psk=ext:foobar
    }

    # /etc/wpa_supplicant/psk.conf
    foobar=ecdabff9c80632ec6fcffc4a8875e95d45cf93376d3b99da6881298853dc686b

Alternative approaches would be to support including other configuration
files in the main configuration, such that common configuration and
network declarations including credentials are split up into separate
files. But the implementation would probably have been more complex
compared to reusing the already-existing framework for external password
backends.

Signed-off-by: Patrick Steinhardt <ps@pks.im>
2021-02-16 00:47:43 +02:00
Patrick Steinhardt
e9f449ba59 wpa_supplicant: Move wpa_config_get_line() into utils
The function wpa_config_get_line() is used by the wpa_supplicant config
file parser to retrieve the next non-comment non-blank line. We'll need
the same kind of functionality to implement the file-based external
password backend, so as a preparatory step this commit extracts the
function into its own standalone file in the utils package.

No functional changes are expected from this commit.

Signed-off-by: Patrick Steinhardt <ps@pks.im>
2021-02-16 00:47:43 +02:00
Jouni Malinen
fd78ab8270 tests: ACS for HE 40 MHz channel in 2.4 GHz
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-15 18:27:10 +02:00
Jouni Malinen
b1c23d3f25 HE: Fall back to 20 MHz on 2.4 GHz if 40 MHz is not supported
At least the ACS case of an attempt to pick a 40 MHz channel on the 2.4
GHz band could fail if HE was enabled and the driver did not include
support for 40 MHz channel bandwidth on the 2.4 GHz band in HE
capabilities. This resulted in "40 MHz channel width is not supported in
2.4 GHz" message when trying to configure the channel and failure to
start the AP.

Avoid this by automatically falling back to using 20 MHz bandwidth as
part of channel parameter determination at the end of the ACS procedure.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-15 18:27:10 +02:00
Aloka Dixit
f1c6c9d3eb ACS: Allow downgrading to 20 MHz based on OBSS results
When auto channel selection (ACS) is used for HE 40 MHz in the 2.4 GHz
band, AP sets center frequency after finding a 40 MHz channel and then
runs a scan for overlapping BSSes in neighboring channels. Upon OBSS
detection, AP should downgrade to 20 MHz bandwidth.

This was broken because allowed_ht40_channel_pair() returns true in this
case and the steps to reset center frequency are not executed causing
failure to bring interface up.

Fix the condition to allow rollback to 20 MHz.

Signed-off-by: Aloka Dixit <alokad@codeaurora.org>
2021-02-15 18:16:33 +02:00
Jouni Malinen
9bb2f75298 Sync with mac80211-next.git include/uapi/linux/nl80211.h
This brings in nl80211 definitions as of 2021-02-12.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-15 17:36:20 +02:00
Aloka Dixit
cfc45a98d2 nl80211: Unsolicited broadcast Probe Response configuration
Unsolicited broadcast Probe Response transmission is used for in-band
discovery in the 6 GHz band (IEEE P802.11ax/D8.0 26.17.2.3.2, AP
behavior for fast passive scanning). Add support for configuring the
parameters for such frames.

Signed-off-by: Aloka Dixit <alokad@codeaurora.org>
2021-02-14 23:04:26 +02:00
Aloka Dixit
024b4b2a29 AP: Unsolicited broadcast Probe Response configuration
Add hostapd configuration options for unsolicited broadcast
Probe Response transmission for in-band discovery in 6 GHz.
Maximum allowed packet interval is 20 TUs (IEEE P802.11ax/D8.0
26.17.2.3.2, AP behavior for fast passive scanning).
Setting value to 0 disables the transmission.

Signed-off-by: Aloka Dixit <alokad@codeaurora.org>
2021-02-14 23:04:26 +02:00
Jouni Malinen
11736a1a78 tests: Make ap_sae_tdls more robust
Need to clear sae_groups parameter before using SAE in this test case to
avoid issues if previous test cases have left a specific group
configured.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-14 20:16:18 +02:00