Commit graph

4584 commits

Author SHA1 Message Date
Lubomir Rintel
98251c6f21 dbus: Document more possible BSS/RSA/KeyMgmt values
This is probably not ideal, since it would be better if it ended up
being autogenerated somehow, but at least it's somewhat of an
improvement.

Also added a comment that encourages keeping the docs in sync.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-01-24 00:24:09 +02:00
Lior David
1e591df063 Check supported types in wpas_mac_addr_rand_scan_set()
When setting scan with randomized MAC, check the requested scan type
against supported types, to ensure callers will not set an unsupported
type, since this can cause scan/connect failures later. It is better to
do this in wpas_mac_addr_rand_scan_set() instead of control interface
specific code to apply the constraint on all possible interfaces using
this setting.

Signed-off-by: Lior David <liord@codeaurora.org>
2019-01-24 00:21:34 +02:00
Lior David
c85249aa15 Fix test compilation error related to sme_event_unprot_disconnect()
sme_event_unprot_disconnect() is only defined with CONFIG_IEEE80211W, so
the CONFIG_TESTING_OPTIONS command UNPROT_DEAUTH can be defined only
with builds that enable IEEE 802.11w support.

Signed-off-by: Lior David <liord@codeaurora.org>
2019-01-24 00:21:28 +02:00
Jouni Malinen
13a200a92a FILS: Remove notes about experimental implementation
The standard amendment has been published and there has been sufficient
amount of interoperability testing for FILS to expect the protocol not
to be changed anymore, so remove the notes claiming this to be
experimental and not suitable for production use.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-22 13:33:48 +02:00
Lubomir Rintel
86d4e05374 dbus: Expose support of SAE key management in BSS properties
This is going to be useful for NetworkManager and likely others.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-01-22 13:26:12 +02:00
Masashi Honma
3e949655cc Revert "mesh: Apply channel attributes before setup interface"
This reverts commit 2564184440.

Commit 2564184440 ("mesh: Apply channel attributes before setup
interface") triggers some channel configurations to result in leaking
memory. This seems to be caused by hapd->started not getting set when
going through a callback to start hostapd operation (e.g., when using
HT40 coex scan) due to hostapd_setup_bss() not getting called. This
results in hostapd_free_hapd_data() not clearing allocated
hapd->wpa_auth. This can be reproduced with the hwsim test case
mesh_secure_ocv_mix_legacy.

A more complete cleanup of the pending mesh patch for DFS support seems
to be needed to fix this properly, so the best approach for now is to
revert this patch and bring it back once rest of the mesh changes are
ready to be applied.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2019-01-21 23:43:12 +02:00
Amit Khatri
cc0f24196b D-Bus: Fix P2P Flush method to clear pending Action frames
If we call p2p_flush from ctrl_iface, before calling p2p_flush() it
calls wpas_p2p_stop_find(). Add the same call to the matching D-Bus
method to clear all pending operations.

Signed-off-by: Amit Khatri <amit7861234@gmail.com>
2019-01-21 12:30:17 +02:00
Jimmy Chen
a95906f938 P2P: support random interface address
To enhance privacy, generate a random interface for each group.

There are two configurations are introduced:
* p2p_interface_random_mac_addr
  enable interface random MAC address feature, default disable.

Signed-off-by: Jimmy Chen <jimmycmchen@google.com>
2019-01-12 17:58:30 +02:00
Jimmy Chen
9359cc8483 P2P: Support random device address
To enhance privacy, generate a random device address for P2P interface.
If there is no saved persistent group, it generate a new random MAC
address on bringing up p2p0. If there is saved persistent group, it will
use last MAC address to avoid breaking group reinvoke behavior.

There are two configurations are introduced:
* p2p_device_random_mac_addr
  enable device random MAC address feature, default disable.
* p2p_device_persistent_mac_addr
  store last used random MAC address.

Signed-off-by: Jimmy Chen <jimmycmchen@google.com>
2019-01-12 17:55:42 +02:00
Peng Xu
5a3319ab1b P2P: Add 802.11ax support for P2P GO
An optional parameter "he" is added to p2p_connect, p2p_group_add, and
p2p_invite to enable 11ax HE support. The new p2p_go_he=1 configuration
parameter can be used to request this to be enabled by default.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-01-12 13:09:39 +02:00
Martin Stanislav
cfb01f58a6 eapol_test: Start the identifier at an initial random value
Start the (EAP request) identifier at an initial random value
as recommended by RFC 3748 in section 4.1 Request and Response
on page 21.

Signed-off-by: Martin Stanislav <ms@uakom.sk>
2019-01-08 13:40:33 +02:00
Arend van Spriel
d896874f86 nl80211: Indicate 802.1X 4-way handshake offload in connect
Upon issuing a connect request we need to indicate that we want the
driver to offload the 802.1X 4-way handshake for us. Indicate it if
the driver capability supports the offload.

Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
2019-01-08 01:12:02 +02:00
Arend van Spriel
436ee2fd93 drivers: Add separate driver flags for 802.1X and PSK 4-way HS offloads
Allow drivers to indicate support for offloading 4-way handshake for
either IEEE 802.1X (WPA2-Enterprise; EAP) and/or WPA/WPA2-PSK
(WPA2-Personal) by splitting the WPA_DRIVER_FLAGS_4WAY_HANDSHAKE flag
into two separate flags.

Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
2019-01-08 01:12:02 +02:00
Ben Greear
b06d60a902 Use freq_list to constrain supported operating class information
If a station is configured to allow only a subset of frequencies for an
association, the supported operating classes may need to be more limited
than what the hardware supports.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2019-01-08 00:20:04 +02:00
Ben Greear
cb828507f5 Use disable_ht/vht to constrain supported operating class information
If user has disabled HT or VHT, those related operating classes
should not be advertised as supported.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2019-01-08 00:19:07 +02:00
Peter Oh
e5a9b1e8a3 mesh: Implement use of VHT20 config in mesh mode
Mesh in VHT mode is supposed to be able to use any bandwidth that VHT
supports, but there was no way to set VHT20 although there are
parameters that are supposed to be used. This commit along then previous
commit for VHT_CHANWIDTH_USE_HT makes mesh configuration available to
use any bandwidth with combinations of existing parameters like shown
below.

VHT80:
  default
  do not set any parameters
VHT40:
  max_oper_chwidth = 0
VHT20:
  max_oper_chwidth = 0
  disable_ht40 = 1
HT40:
  disable_vht = 1
HT20:
  disable_ht40 = 1
disable HT:
  disable_ht = 1

Signed-off-by: Peter Oh <peter.oh@bowerswilkins.com>
2019-01-06 23:49:40 +02:00
Peter Oh
806db174fd mesh: Add VHT_CHANWIDTH_USE_HT to max_oper_chwidth
Channel width in VHT mode refers HT capability when the width goes down
to below 80 MHz, hence add checking HT channel width to its max
operation channel width. So that mesh has capability to select bandwidth
below 80 MHz.

Signed-off-by: Peter Oh <peter.oh@bowerswilkins.com>
2019-01-06 23:43:40 +02:00
Ben Greear
fd83a80815 wpa_supplicant: Allow disabling VHT SGI capability
This provides similar features to what was already available for HT
overrides. Probe Request frames look correct, and VHT capabilities shown
in debugfs look as expected.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2019-01-06 20:59:36 +02:00
Jouni Malinen
02f52ab6f5 Use lchown() instead of chown() for self-created files
There is no need to allow symlink dereferencing in these cases where a
file (including directories and sockets) are created by the same
process, so use the safer lchown() variant to avoid leaving potential
windows for something external to replace the file before the chown()
call. The particular locations used here should not have write
permissions enabled for processes with less privileges, so this may not
be needed, but anyway, it is better to make these more restrictive
should there be cases where directory permissions are not as expected
for a good deployment.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-06 20:28:04 +02:00
Jouni Malinen
441ba1a3e3 dbus: Fix build without CONFIG_WNM=y
wpa_s->bss_tm_status is within #ifdef CONFIG_WNM, so need to access it
through matching condition.

Fixes: 80d06d0ca9 ("dbus: Export BSS Transition Management status")
Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-05 18:44:17 +02:00
Jouni Malinen
cc9c4feccc OpenSSL: Allow systemwide policies to be overridden
Some distributions (e.g., Debian) have started introducting systemwide
OpenSSL policies to disable older protocol versions and ciphers
throughout all programs using OpenSSL. This can result in significant
number of interoperability issues with deployed EAP implementations.

Allow explicit wpa_supplicant (EAP peer) and hostapd (EAP server)
parameters to be used to request systemwide policies to be overridden if
older versions are needed to be able to interoperate with devices that
cannot be updated to support the newer protocol versions or keys. The
default behavior is not changed here, i.e., the systemwide policies will
be followed if no explicit override configuration is used. The overrides
should be used only if really needed since they can result in reduced
security.

In wpa_supplicant, tls_disable_tlsv1_?=0 value in the phase1 network
profile parameter can be used to explicitly enable TLS versions that are
disabled in the systemwide configuration. For example,
phase1="tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0" would request TLS
v1.0 and TLS v1.1 to be enabled even if the systemwide policy enforces
TLS v1.2 as the minimum version. Similarly, openssl_ciphers parameter
can be used to override systemwide policy, e.g., with
openssl_ciphers="DEFAULT@SECLEVEL=1" to drop from security level 2 to 1
in Debian to allow shorter keys to be used.

In hostapd, tls_flags parameter can be used to configure similar
options. E.g., tls_flags=[ENABLE-TLSv1.0][ENABLE-TLSv1.1]

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-05 17:14:26 +02:00
Jouni Malinen
f808bd59e8 FT: Do not try to use FT-over-air if reassociation cannot be used
There is no point in going through FT authentication if the next step
would have to use association exchange which will be rejected by the AP
for FT, so only allow FT-over-air if previous BSSID is set, i.e., if
reassociation can be used.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-04 23:22:46 +02:00
Jouni Malinen
19c3a9a88d P2PS: Notify D-Bus about removal of a stale/empty persistent group
During P2PS PD Request processing wpa_supplicant removes stale and empty
persistent groups, but it did not notify D-Bus to unregister object. Fix
this by adding the missing notifications.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-04 13:19:20 +02:00
Amit Khatri
69dc9cabcc P2PS: Notify D-Bus about removal of a stale persistent group
During P2PS PD Request processing wpa_supplicant removes stale
persistent groups, but it did not notify D-Bus to unregister object.
This can result in leaving behind objects pointing to freed memory and
memory leaks. Sometime it can cause a crash in wpa_config_get_all()
function and DBUS_ERROR_OBJECT_PATH_IN_USE errors.

Fix this by adding the missed notification to D-Bus code to unregister
the object.

Signed-off-by: Amit Khatri <amit7861234@gmail.com>
2019-01-04 13:19:12 +02:00
Peter Oh
0332c27e32 mesh: Consider mesh interface on DFS event handler
Once mesh starts supporting DFS channels, it has to handle DFS related
events from drivers, hence add mesh interface to the check list.

Signed-off-by: Peter Oh <peter.oh@bowerswilkins.com>
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2019-01-03 13:31:55 +02:00
Peter Oh
fed51174d6 mesh: Reflect country setting to mesh configuration for DFS
wpa_supplicant configuration has country parameter that is supposed to
be used in AP mode to indicate supporting IEEE 802.11h and 802.11d.
Reflect this configuration to Mesh also since Mesh is required to
support 802.11h and 802.11d to use DFS channels.

Signed-off-by: Peter Oh <peter.oh@bowerswilkins.com>
2019-01-03 13:26:47 +02:00
Peter Oh
2564184440 mesh: Apply channel attributes before setup interface
This helps mesh interface initialization with correct channel
parameters.

Signed-off-by: Peter Oh <peter.oh@bowerswilkins.com>
2019-01-03 13:13:07 +02:00
Peter Oh
3ba4a25e5d mesh: Set interface type to mesh before setting interface
Correct interface type is required to start DFS CAC that can be
triggered during interface setup.

Signed-off-by: Peter Oh <peter.oh@bowerswilkins.com>
2019-01-03 13:02:56 +02:00
Peter Oh
c95619c211 mesh: Set mesh VHT center frequency
VHT center frequency value is required to compose the correct channel
info.

Signed-off-by: Peter Oh <peter.oh@bowerswilkins.com>
2019-01-03 12:59:25 +02:00
Peter Oh
4b5453cedd mesh: Relocate RSN initialization
RSN initialization should work together with mesh join when it's used.
Since mesh join could be called at a different stage if DFS channel is
used, relocate the RSN initialization call to mesh join. It is still the
same call flow of mesh join before this if non-DFS channels are used,
hence no significant side effect will occur.

Signed-off-by: Peter Oh <peter.oh@bowerswilkins.com>
2019-01-03 12:36:34 +02:00
Peter Oh
0daa7b75fa mesh: Factor out mesh join function
Mesh join function consists of two parts which are preparing
configurations and sending join event to the driver. Since physical mesh
join event could happen either right after mesh configuration is done or
after CAC is done in case of DFS channel is used, factor out the
function into two parts to reduce redundant calls.

Signed-off-by: Peter Oh <peter.oh@bowerswilkins.com>
2019-01-03 12:35:56 +02:00
Peter Oh
1877842904 mesh: Factor out RSN initialization
RSN initialization can be used in different phases if mesh
initialization and mesh join don't happen in sequence such as DFS CAC is
done in between, hence factor it out to help convering the case. This
can also get rid of unnecessary indentation by handling the
mconf->security != MESH_CONF_SEC_NONE functionality in a helper
function.

Signed-off-by: Peter Oh <peter.oh@bowerswilkins.com>
2019-01-03 12:04:23 +02:00
Hagai Moshe
b9eb717f85 wpa_cli: Add command for setting PSK_PASSPHRASE
Setting mem_only_psk=1 in the wpa_supplicant configuration prevents the
passphrase from being stored in the configuration file. wpa_supplicant
will request the PSK passphrase over the control interface in such case
and this new wpa_cli command can be used to set the psk_passphrase.

usage:
psk_passphrase <network id> <psk_passphrase>

Signed-off-by: Hagai Moshe <hagai.moshe@tandemg.com>
Signed-off-by: Simon Dinkin <simon.dinkin@tandemg.com>
2019-01-03 00:52:51 +02:00
Alex Khouderchah
38b405c8f0 dbus: Expose authentication status to D-Bus
wpa_supplicant currently logs CTRL-EVENT-AUTH-FAILED errors when
authentication fails, but doesn't expose any property to the D-Bus
interface related to this.

This change adds the "AuthStatusCode" property to the interface, which
contains the IEEE 802.11 status code of the last authentication.

Signed-off-by: Alex Khouderchah <akhouderchah@chromium.org>
2019-01-03 00:39:12 +02:00
Matthew Wang
80d06d0ca9 dbus: Export BSS Transition Management status
Add new Interface properties "BSSTMStatus", which carries the status of
the most recent BSS Transition Management request. This property will be
logged in UMA to measure 802.11v success.

Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
2019-01-03 00:27:01 +02:00
Matthew Wang
2bbad1c7c9 dbus: Export roam time, roam complete, and session length
Add new Interface properties "RoamTime", "RoamComplete", and
"SessionLength". "RoamTime" carries the roam time of the most recent
roam in milliseconds. "RoamComplete" carries True or False corresponding
to the success status of the most recent roam. "SessionLength" carries
the number of milliseconds corresponding to how long the connection to
the last AP was before a roam or disconnect happened.

Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
2019-01-03 00:20:34 +02:00
Jouni Malinen
ed87f6a80e Use a helper function for checking Extended Capabilities field
The new ieee802_11_ext_capab() and wpa_bss_ext_capab() functions can be
used to check whether a specific extended capability bit is set instead
of having to implement bit parsing separately for each need.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-02 18:13:19 +02:00
Jouni Malinen
e6b0898da3 Add [FST] and [UTF-8] flags to BSS command output
These flags were used in SCAN_RESULTS command output, but not BSS. Make
these consistent by adding the flags to BSS as well.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-02 17:58:31 +02:00
Jouke Witteveen
1f2c42cc7f Show [UTF-8] flag if the SSID is reported as UTF-8
Signed-off-by: Jouke Witteveen <j.witteveen@gmail.com>
2019-01-02 17:58:05 +02:00
Avraham Stern
ecef0687dc RRM: Support for Last Beacon Report Indication subelement
IEEE P802.11-REVmd/D2.0, 9.4.2.20.7 (Beacon request) and 9.4.2.21.7
(Beacon report) add the Last Beacon Report Indication subelement to
Beacon Request and Beacon Report elements.

Add the Last Beacon Report Indication subelement to all Beacon Report
elements if the Beacon Request indicated that this subelement is
requested.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2019-01-02 16:26:11 +02:00
Avraham Stern
3ec118780a RRM: Add support for beacon report fragmentation
When the frame body subelement would cause the measurement report
element to exceed the maximum element size, the frame body subelement
used to be truncated. In addition, some elements were always truncated
in order to keep the reported frame body short (e.g. RSN IE).

Alternatively, IEEE P802.11-REVmd/D2.0, 9.4.2.21.7 extension to Beacon
reporting can be used: The frame body subelement is fragmented across
multiple beacon report elements, and the reported frame body fragment ID
subelement is added.

Use beacon report fragmentation instead of truncating the frame body
as this method gives the AP a more complete information about the
reported APs.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2019-01-02 15:54:55 +02:00
Nishant Chaprana
46efa3dae0 dbus: Add vendor specific information element in peer properties
Make vendor specific information elements (VSIE) available in peer
properties, so that VSIE of a specific peer can be retrieved using
peer's object path.

Signed-off-by: Nishant Chaprana <n.chaprana@samsung.com>
2019-01-02 13:00:57 +02:00
Lubomir Rintel
89a7cdd690 crypto: Add option to use getrandom()
According to random(4) manual, /dev/random is essentially deprecated on
Linux for quite some time:

"The /dev/random interface is considered a legacy interface, and
/dev/urandom is preferred and sufficient in all use cases, with the
exception of applications which require randomness during early boot
time; for these applications, getrandom(2) must be used instead, because
it will block until the entropy pool is initialized."

An attempt to use it would cause unnecessary blocking on machines
without a good hwrng even when it shouldn't be needed. Since Linux 3.17,
a getrandom(2) call is available that will block only until the
randomness pool has been seeded.

It is probably not a good default yet as it requires a fairly recent
kernel and glibc (3.17 and 2.25 respectively).

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-01-02 01:24:18 +02:00
Jouni Malinen
cc58a35735 Update copyright notices for the new year 2019
Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-01 23:38:56 +02:00
Beni Lev
19677b77c3 OCE: Add RSSI based association rejection support (STA)
An AP might refuse to connect a STA if it has a low RSSI. In such case,
the AP informs the STA with the desired RSSI delta and a retry timeout.
Any subsequent association attempt with that AP (BSS) should be avoided,
unless the RSSI level improved by the desired delta or the timeout has
expired.

Defined in Wi-Fi Alliance Optimized Connectivity Experience technical
specification v1.0, section 3.14 (RSSI-based association rejection
information).

Signed-off-by: Beni Lev <beni.lev@intel.com>
2019-01-01 17:56:25 +02:00
Aloni, Adiel
dc9b7d217c P2P: Set global->p2p_group_formation in wpas_p2p_join_start() for p2pdev
When a dedicated P2P device interface is used, the
global->p2p_group_formation was not set in wpas_p2p_join_start() if no
separate group interface is used. This would cause that in case of a
failure in group formation, the cleaning of p2p_in_provisioning is done
on the wrong interface. Furthermore, P2P_CANCEL command could not be
used to stop such a group-join operation. Fix this by setting the
global->p2p_group_formation correctly in case that the group interface
is reusing wpa_s->parent.

Signed-off-by: Adiel Aloni <adiel.aloni@intel.com>
2019-01-01 16:56:22 +02:00
Jouni Malinen
32bb47faa1 Update wpa_supplicant channel list on FLUSH
Try to make sure the driver channel list state is synchronized with
wpa_supplicant whenever explicitly clearing state (e.g., between hwsim
test cases).

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-01 15:58:46 +02:00
Ben Greear
3518e3623f wpa_cli: Allow reconnect to global interface
Old code would just re-connect to a particular interface, even if user
had started wpa_cli with the '-g' option. Refactor global control
interface connection routine to allow it to be used in
wpa_cli_reconnect().

Signed-off-by: Ben Greear <greearb@candelatech.com>
2018-12-31 12:32:14 +02:00
Michal Privoznik
1b8ed2cac1 wpa_supplicant: Fix build with !CONFIG_AP and CONFIG_CTRL_IFACE_DBUS_NEW
If the CONFIG_CTRL_IFACE_DBUS_NEW is enabled but CONFIG_AP is
disabled the build fails. This is because dbus getters try to
access ap_iface member of wpa_supplicant struct which is defined
if and only if CONFIG_AP is enabled.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2018-12-31 11:41:26 +02:00
Jouni Malinen
948ba8c294 mka: MIB information
Provide MKA information through the wpa_supplicant control interface MIB
command.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-29 16:52:31 +02:00