Commit graph

6117 commits

Author SHA1 Message Date
Jouni Malinen
8c99e6264a DPP: Report Config Request/Response failure reasons on control interface
This provides more details of failures to upper layer components.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-03 21:04:17 +02:00
Jouni Malinen
f411ad1b86 DPP: Protocol testing to remove attributes from Config Req/Resp
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-03 21:04:17 +02:00
Jouni Malinen
7e0ebe21b0 DPP: Protocol testing - invalid I/R-Auth value in PKEX Commit-Reveal
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-03 20:18:24 +02:00
Jouni Malinen
89d0bf6783 DPP: Protocol testing - invalid Bootstrap Key value in PKEX Commit-Reveal
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-03 19:59:47 +02:00
Jouni Malinen
f31ef96dc3 DPP: Protocol testing - invalid Status value in PKEX Exchange Response
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-03 19:59:47 +02:00
Jouni Malinen
d05c82c4d0 DPP: Move PKEX z derivation on Responder to earlier phase
K and z can be derived already based on information available at the
time the PKEX Exchange Request is being processed, so move these there
from the PKEX Commit-Reveal Request processing since that matches the
DPP tech spec description close and allows PKEX exchange to be aborted
earlier if anything unexpected happens.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-03 19:59:47 +02:00
Jouni Malinen
578c9ea1ab DPP: Fix a typo in a debug print
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-03 19:59:47 +02:00
Jouni Malinen
5f5fff4363 DPP: Explicitly check that PKEX Qr is not the point-at-infinity
This was already done for Qi, but the same needs to be done for Qr as
well.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-03 19:59:47 +02:00
Jouni Malinen
29ab69e4b0 DPP: PKEX counter t
Add limit on number of failed attempts that could have used PKEX code.
If the limit (5) is reached, drop the PKEX state (including the code)
and report this on the control interface to indicate that a new code
needs to be entered due to possible attack.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-03 19:59:46 +02:00
Jouni Malinen
039b8e7369 DPP: Terminate PKEX exchange on detection of a mismatching code
Clean up the pending PKEX exchange if Commit-Reveal Request processing
indicates a mismatch in the PKEX code. Previously, the this case was
silently ignored and the session was left in pending state that
prevented new PKEX exchanges from getting initated. Now, a new attempt
is allowed to be initiated.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-03 19:59:46 +02:00
Jouni Malinen
fc0efa2a1e DPP: Use dpp_bn2bin_pad() helper to simplify code
Number of places writing BIGNUM values with left-padding were open
coding this helper functionality unnecessarily.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-03 19:59:46 +02:00
Jouni Malinen
e0247e7983 DPP: PKEX and STATUS_BAD_GROUP
Report mismatching finite cyclic group with PKEX Exchange Response using
STATUS_BAD_GROUP and provide more detailed error report over the control
interface on the peer device when this happens.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-03 19:59:46 +02:00
Jouni Malinen
2265353a4f DPP: Remove obsolete TODO comment on discovery object
The optional channel information was removed from the discovery object
in the DPP tech spec, so no need to maintain this TODO note anymore.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-03 19:59:46 +02:00
Jouni Malinen
fe12ae777f Fix Status Code in TKIP countermeasures case
The previously used WLAN_REASON_MICHAEL_MIC_FAILURE (14) value as a
response to Authentication frame or (Re)Association Request frame is not
correct since the resp value is encoded in the Status Code (not Reason
Code) field. Status Code 14 is WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION
which is really what this value would have meant in the response frames.

There is no Michael MIC failure status code, so have to use the generic
"Unspecified failure" (1) reason code for these cases.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-03 19:59:46 +02:00
Jouni Malinen
1cfcbd32ac DPP: Testing capability to generate invalid PKEX encrypted key (M and N)
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-03 19:59:46 +02:00
Jouni Malinen
d7e7b7122e DPP: Report PKEX failure reasons over control interface
This provides more information to upper layer software to report failure
reasons on the UI.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-03 19:59:46 +02:00
Jouni Malinen
61f9f27f80 DPP: Extend protocol testing to cover missing attributes in PKEX
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-02 23:53:55 +02:00
Jouni Malinen
b3e4cc5cbb DPP: Move PKEX Commit-Reveal Response building to a helper function
This cleans up dpp_pkex_rx_commit_reveal_req() a bit and makes it easier
to add protocol testing functionality to PKEX exchange similarly to the
previously added DPP Authentication case.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-02 21:34:51 +02:00
Jouni Malinen
b0626c2a6b DPP: Move PKEX Commit-Reveal Request building to a helper function
This cleans up dpp_pkex_rx_exchange_resp() a bit and makes it easier to
add protocol testing functionality to PKEX exchange similarly to the
previously added DPP Authentication case.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-02 21:34:50 +02:00
Jouni Malinen
a5c3b41b2f DPP: Move PKEX Exchange Response building to a helper function
This cleans up dpp_pkex_rx_exchange_req() a bit and makes it easier to
add protocol testing functionality to PKEX exchange similarly to the
previously added DPP Authentication case.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-02 21:34:17 +02:00
Jouni Malinen
60b9dd86fd DPP: Fix couple of typos in debug messages
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-02 21:34:03 +02:00
Jouni Malinen
06f2df0693 DPP: Fix hostapd control interface events for initiator case
Incorrect msg_ctx was registered for the wpa_msg() calls from the DPP
module.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-02 12:25:35 +02:00
Jouni Malinen
219d4c9fcb DPP: Report possible PKEX code mismatch in control interface
Indicate to upper layers if PKEX Commit-Reveal Request frame AES-SIV
decryption fails. That is a likely sign of the PKEX code mismatch
between the devices.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-02 12:25:35 +02:00
Lior David
0c3bc1be09 Fix test build breakage when not compiling with ieee80211w support
Build breakage was introduced by commit
d8afdb210e ('Allow EAPOL-Key messages 1/4
and 3/4 to be retransmitted for testing') for some
CONFIG_TESTING_OPTIONS=y builds without CONFIG_IEEE80211W=y.

Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
2017-11-01 12:50:20 +02:00
bhagavathi perumal s
ea4ace9c76 hostapd: Add max_txpower into STATUS command
Signed-off-by: bhagavathi perumal s <bperumal@qti.qualcomm.com>
2017-10-31 11:49:41 +02:00
bhagavathi perumal s
bf6c65afce hostapd: Add Beacon interval and DTIM period into STATUS command
Signed-off-by: bhagavathi perumal s <bperumal@qti.qualcomm.com>
2017-10-31 11:45:29 +02:00
bhagavathi perumal s
c7ae2b3104 hostapd: Add HT/VHT capability info into STATUS command
Signed-off-by: bhagavathi perumal s <bperumal@qti.qualcomm.com>
2017-10-31 11:41:38 +02:00
bhagavathi perumal s
1f91a8bdea hostapd: Add HT/VHT capability info into STA command
Signed-off-by: bhagavathi perumal s <bperumal@qti.qualcomm.com>
2017-10-31 11:37:20 +02:00
bhagavathi perumal s
65f9db6bc2 hostapd: Add extended capabilities into STA command
Signed-off-by: bhagavathi perumal s <bperumal@qti.qualcomm.com>
2017-10-31 00:31:31 +02:00
bhagavathi perumal s
d1f3a81446 hostapd: Add [HT] flag into STA command
Signed-off-by: bhagavathi perumal s <bperumal@qti.qualcomm.com>
2017-10-31 00:28:46 +02:00
bhagavathi perumal s
ba72b4b126 hostapd: Add Min/Max Transmit Power Capability into STA command
This provides access to the Minimum/Maximum Transmit Power Capabilitie
fileds (the nominal minimum/maximum transmit power with which the STA
is capable of transmitting in the current channel; signed integer in
units of decibels relative to 1 mW).

Signed-off-by: bhagavathi perumal s <bperumal@qti.qualcomm.com>
2017-10-31 00:22:58 +02:00
Ashok Kumar Ponnaiah
33c8bbd8ca OWE: Add AP mode handling of OWE with drivers that implement SME
Handle OWE DH exchange and key setup when processing the association
event from a driver that implements AP SME.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-30 23:24:42 +02:00
Ashok Kumar Ponnaiah
28d1264131 Check hostapd current_mode before dereferencing it in additional places
While most places using this should be for cases where the hw_features
functionality is required, there seem to be some paths that are getting
exposed in new OWE related operations where that might not be the case.
Add explicit NULL pointer checks to avoid dereferencing the pointer if
it is not set when operating with driver wrappers that do not provide
sufficient information.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-30 23:20:25 +02:00
Jouni Malinen
348c93847a AP-side workaround for WNM-Sleep Mode GTK/IGTK reinstallation issues
Normally, WNM-Sleep Mode exit with management frame protection
negotiated would result in the current GTK/IGTK getting added into the
WNM-Sleep Mode Response frame. Some station implementations may have a
vulnerability that results in GTK/IGTK reinstallation based on this
frame being replayed. Add a new hostapd configuration parameter that can
be used to disable that behavior and use EAPOL-Key frames for GTK/IGTK
update instead. This would likely be only used with
wpa_disable_eapol_key_retries=1 that enables a workaround for similar
issues with EAPOL-Key. This is related to station side vulnerabilities
CVE-2017-13087 and CVE-2017-13088. To enable this AP-side workaround,
set wnm_sleep_mode_no_keys=1.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-29 17:13:54 +02:00
Johannes Berg
3f5a1860a8 wpa_auth: Deplete group rekey eloop handler for strict rekeying
When strict group rekeying is in effect, every station that leaves will
cause a rekeying to happen 0.5 s after leaving. However, if a lot of
stations join/leave, the previous code could postpone this rekeying
forever, since it always re-registers the handling with a 0.5 s timeout.

Use eloop_deplete_timeout() to address that, only registering the
timeout from scratch if it wasn't pending.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2017-10-29 17:04:14 +02:00
Johannes Berg
92662fb281 Allow forcing group rekeying for testing purposes
In order to test the WoWLAN GTK rekeying KRACK mitigation, add a
REKEY_GTK hostapd control interface command that can be used at certain
points of the test.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2017-10-29 16:58:55 +02:00
Jouni Malinen
d270920692 DPP: Negotiation channel change request from Initiator
Allow the Initiator to request a different channel to be used for DPP
Authentication and DPP Configuration exchanges. This commit adds support
for this in wpa_supplicant with the optional neg_freq=<freq in MHz>
parameter in DPP_AUTH_INIT.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-29 16:08:02 +02:00
Jouni Malinen
e85b660129 DPP: Add DPP Status attribute into Peer Discovery Response
This was added in DPP tech spec v0.2.7 to allow result of network
introduction to be reported.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-29 12:16:15 +02:00
Jouni Malinen
19ef4289ca DPP: Process Authentication Confirm failure cases
Process Authentication Confirm with the two failure cases defined in the
spec: STATUS_NOT_COMPATIBLE and STATUS_AUTH_FAILURE. This verifies the
{R-nonce}k2 part and reports more detailed failure reason if the message
is valid.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-28 17:44:14 +03:00
Jouni Malinen
7d917ab048 DPP: Send Authentication Confirm failure reports
If Authentication Response processing fails due to R-capab
incompatibility or R-auth mismatch, send Authentication Confirm with
error status.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-28 17:44:14 +03:00
Jouni Malinen
978bc3f2af DPP: Auth Resp/Conf incorrect attribute values for protocol testing
This extends the dpp_test mechanism to allow I-nonce, R-capab, R-auth,
and I-auth values in Authentication Response/Confirm to use incorrect
values.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-28 17:44:10 +03:00
Jouni Malinen
9b51112031 DPP: Allow Responder to decide not to use mutual authentication
Previously, Initiator decided whether to use mutual authentication on
its own based on having own and peer bootstrapping info. This prevented
Responder from selecting not to use mutual authentication in such a
case. Fix this by allowed Initiator to fall back to non-mutual
authentication based on Responder choice if the bootstrapping mechanism
allows this (PKEX does not; it mandates use of mutual authentication).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-27 16:09:51 +03:00
Jouni Malinen
dcdaeab79c DPP: Report Auth Conf failures in control interface
This is useful for protocol testing purposes and UI needs to display
more detailed information about DPP exchanges.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-27 16:09:51 +03:00
Jouni Malinen
f9c7d77029 DPP: Omission of Auth Conf attributes for protocol testing
This extends the dpp_test mechanism to allow each of the required
attributes in Authentication Confirm to be omitted.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-27 16:09:51 +03:00
Jouni Malinen
26806abe85 DPP: Report invalid messages and failure conditions in control interface
This is useful for protocol testing purposes and UI needs to display
more detailed information about DPP exchanges.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-22 22:45:17 +03:00
Jouni Malinen
ce9acce006 DPP: Omission of Auth Resp attributes for protocol testing
This extends the dpp_test mechanism to allow each of the required
attributes in Authentication Response to be omitted.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-22 22:38:59 +03:00
Jouni Malinen
a03406dbe2 DPP: Move Authentication Response building into a separate function
This cleans up old dpp_auth_build_resp() (now dpp_auth_build_resp_ok())
a bit by separating initialization steps for a DPP authentication
session from the code needed to build the frame. This allows
dpp_auth_build_resp_status() to share the helper function instead of
having to maintain a duplicated message construction implementation. In
addition, this makes it easier to remove some of the attributes for
protocol testing purposes.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-22 19:05:06 +03:00
Jouni Malinen
0e7cb8c6c1 DPP: Omission of Auth Req attributes for protocol testing
This extends the dpp_test mechanism to allow each of the required
attributes in Authentication Request to be omitted.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-22 18:27:53 +03:00
Jouni Malinen
606a8e8d57 DPP: Move Authentication Request building into a separate function
This cleans up dpp_auth_init() a bit by separating initialization steps
for a DPP authentication session from the code needed to build the
frame. In addition, this makes it easier to remove some of the
attributes for protocol testing purposes.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-22 18:25:30 +03:00
Jouni Malinen
3749ad0e1d DPP: Explicitly check and reject 0x00 and 0x03 I/R-capab role
0x00 and 0x03 are not valid I/R-capabilities role values.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-22 17:21:57 +03:00