Commit graph

16434 commits

Author SHA1 Message Date
Johannes Berg
7f508ff968 tests: Reset the correct key's PN for group key handshake testing
While adding support for IGTK and BIGTK here, I tested this without
protections (i.e., with protections removed from both wpa_supplicant and
the driver), and while I got some bad resets on the debugfs values, it
should have failed with "unexpected connectivity".

Fix this to be correct - we need to reset the GTK PN, not the PTK PN in
this test.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2020-05-17 01:31:19 +03:00
Johannes Berg
889218c14a tests: Extend debugfs key state reading for IGTK/BIGTK
Extend the debugfs read helpers to work with IGTK and BIGTK.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2020-05-17 01:31:19 +03:00
Jouni Malinen
4ae3f39720 Add a helper function for recognizing BIP enum wpa_alg values
Use a shared wpa_alg_bip() function for this and fix the case in
nl_add_key() to cover all BIP algorithms. That fix does not change any
behavior since the function is not currently used with any BIP
algorithm, but it is better to avoid surprises should it ever be needed
with IGTK.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-05-17 01:31:19 +03:00
Jouni Malinen
d3cab56c04 Rename WPA_ALG_IGTK to use the correct cipher name for BIP
IGTK is the key that is used a BIP cipher. WPA_ALG_IGTK was the
historical name used for this enum value when only the AES-128-CMAC
based BIP algorithm was supported. Rename this to match the style used
with the other BIP options.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-05-17 01:31:19 +03:00
Johannes Berg
bd1aebbd08 hostapd: Extend RESET_PN for BIGTK
Extend the RESET_PN command to allow resetting the BIGTK PN
for testing.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2020-05-17 01:31:16 +03:00
Johannes Berg
4a0b27c62f tests: Replace gtk boolean by keytype in cipher suite tests
Replace the gtk boolean by a keytype value indicating
GTK or PTK, to be able to extend to other types later.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2020-05-17 00:02:18 +03:00
Jouni Malinen
df49c53f4a Fix a typo in a comment
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-05-16 22:12:46 +03:00
Jouni Malinen
f636bc3abc tests: Skip TOD-TOFU/STRICT tests if build does not support this
This functionality is currently available only with OpenSSL and internal
TLS implementation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-05-16 21:58:10 +03:00
Jouni Malinen
4294d221d3 D-Bus: Increase introspection buffer size
It was apparently possible to hit the 20000 octet limit in some cases,
so increase the limit to avoid process termination due to insufficient
room for preparing a response to Introspect calls.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-05-16 21:46:24 +03:00
Jouni Malinen
79488da576 wolfssl: Do not hardcode include directory in wpa_supplicant build
This is not really appropriate for any kind of cross compilations and is
not really needed in general since system specific values can be set in
.config.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-05-16 21:07:45 +03:00
Jouni Malinen
eb595b3e3a wolfssl: Fix crypto_bignum_rand() implementation
The previous implementation used mp_rand_prime() to generate a random
value in range 0..m. That is insanely slow way of generating a random
value since mp_rand_prime() is for generating a random _prime_ which is
not what is needed here. Replace that implementation with generationg of
a random value in the requested range without doing any kind of prime
number checks or loops to reject values that are not primes.

This speeds up SAE and EAP-pwd routines by couple of orders of
magnitude..

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-05-16 21:02:17 +03:00
Jouni Malinen
6a28c4dbc1 wolfssl: Fix compiler warnings on size_t printf format use
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-05-16 21:01:51 +03:00
Jouni Malinen
f2dbaa8ace SAE: Fix a typo in a comment
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-05-16 21:01:32 +03:00
Thomas Pedersen
692bbd25b4 tests: Flush scan results before checking alloc failure
When run after other tests, It was likely that the target
bss was already present in scan_fail, so the
scan_for_bss() wouldn't trip the allocation failure in
wpa_bss_add(). Flush the scan results before the scan to
ensure wpa_bss_add() is called and consistently pass
scan_fail.

Signed-off-by: Thomas Pedersen <thomas@adapt-ip.com>
2020-05-16 17:32:01 +03:00
Thomas Pedersen
0218bf05d6 tests: sigma_dut: set regulatory inside try/except
If sigma_dut is not installed, start_sigma_dut() will
throw an exception. Call start_sigma_dut() inside the
try/except to correctly reset the regulatory domain.

This fixes several seemingly random failures due to
regulatory domain not being reset.

Signed-off-by: Thomas Pedersen <thomas@adapt-ip.com>
2020-05-16 17:30:16 +03:00
Jan Tojnar
0388992905 wpa_gui: Fix build with Inkscape 1.0
Inkscape 1.0 revamped their CLI flags, breaking the icon build.

https://wiki.inkscape.org/wiki/index.php?title=Using_the_Command_Line#Background

Signed-off-by: Jan Tojnar <jtojnar@gmail.com>
2020-05-16 16:13:33 +03:00
Petr Štetiar
3e1a130107 nl80211: Change AKM suite limit from warning to debug print
Commit dd74ddd0df ("nl80211: Handle AKM suite selectors for AP
configuration") added warning log message "nl80211: Not enough room for
all AKM suites (num_suites=X > NL80211_MAX_NR_AKM_SUITES)" which in some
cases fills logs every 3 seconds, so fix this by increasing the log
message level to debug.

Reported-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
Ref: https://patchwork.ozlabs.org/project/openwrt/patch/20200504130757.12736-1-ynezz@true.cz/#2429246
Fixes: dd74ddd0df ("nl80211: Handle AKM suite selectors for AP configuration")
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Tested-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
2020-05-16 15:51:11 +03:00
Jouni Malinen
72e10af9ca tests: Automatic channel selection and RX during ACS
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-05-16 12:18:42 +03:00
Jouni Malinen
5a04a76aa2 Ignore Management frames while AP interface is not fully enabled
It is possible for drivers to report received Management frames while AP
is going through initial setup (e.g., during ACS or DFS CAC). hostapd
and the driver is not yet ready for actually sending out responses to
such frames at this point and as such, it is better to explicitly ignore
such received frames rather than try to process them and have the
response (e.g., a Probe Response frame) getting dropped by the driver as
an invalid or getting out with some incorrect information.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-05-16 12:16:34 +03:00
Jouni Malinen
c82535edd6 Move deauthentication at AP start to be after beacon configuration
This allows nl80211-based drivers to get the frame out. The old earlier
location resulted in the driver operation getting rejected before the
kernel was not ready to transmit the frame in the BSS context of the AP
interface that has not yet been started.

While getting this broadcast Deauthentication frame transmitted at the
BSS start is not critical, it is one more chance of getting any
previously associated station notified of their previous association not
being valid anymore had they missed previous notifications in cases
where the AP is stopped and restarted.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-05-16 11:38:09 +03:00
Jouni Malinen
094c8a6218 Remove unnecessary key clearing at AP start with nl80211
cfg80211 takes care of key removal when link/association is lost, so
there is no need to explicitly clear old keys when starting AP.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-05-16 11:28:03 +03:00
Jouni Malinen
04030e8c0d nl80211: Remove AP mode interface from bridge for STA-mode-scan
Linux bridging code does not allow a station mode WLAN interface in a
bridge and this prevents the AP mode scan workaround from working if the
AP interface is in a bridge and scanning can be only done by moving to
STA mode. Extend this workaround to remove the interface from the bridge
temporarily for the duration of the scan, i.e., for the same duration as
the interface needs to be moved into the station.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-15 21:23:50 +03:00
Jouni Malinen
7adea21d2f dpp-nfc: Enable hostapd beaconing for listen state
This is needed to be able to receive Public Action frames when hostapd
was initially started with start_disabled=1.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-15 14:46:41 +03:00
Jouni Malinen
134ad50b0e dpp-nfc: Clean up debug prints when handover select is received
If the local device becomes the handover selector, make the debug log
entries about client functionality not receiving the response clearer
since that is not really an error case.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-15 14:20:26 +03:00
Jouni Malinen
5d49c1bf7c dpp-nfc: Do not indicate a single channel 1 by default
Allow any channel to be used by not including a specific single channel
in the handover request without a need (for AP mode, use the current
operating channel). When sending out the handover select, pick a single
channel if no specific channel has been negotiated.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-15 14:17:40 +03:00
Jouni Malinen
d0e2d8091f dpp-nfc: Make handover request collision detection more robust
Wait up to 100 ms for own handover request transmission to succeed if
peer handover request is received, but own crn is not yet available.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-15 12:10:59 +03:00
Jouni Malinen
8791e7461c dpp-nfc: Write debug info to summary log
Convert most print() calls to use the summary() helper so that the
printed information gets written into a log file as well. In addition,
start using a mutex lock to synchronize debug prints between threads to
avoid merging of messages from different contexts.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-15 12:03:53 +03:00
Jouni Malinen
1e0bc897ab dpp-nfc: Collision detection for handover request
Address possible handover request collisions for cases where both
devices try to initiate handover simultaneously.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-15 02:26:01 +03:00
Jouni Malinen
9ad3fe9343 dpp-nfc: Start handover server regardless of init-on-touch setting
The previous version was trying to force the handover roles based on the
--init-on-touch parameter on both sides. That is fine for some test
scenarios, but not appropriate for more normal use cases. Change this
design to enable handover server in all cases and only control starting
of the handover client based on --init-on-touch.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-15 01:21:01 +03:00
Jouni Malinen
24efcdf74d dpp-nfc: Own MAC address fetching from hostapd
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-15 00:44:27 +03:00
Jouni Malinen
8f96f2c3b1 dpp-nfc: Be more graceful when wpa_supplicant is not available
Do not try to proceed with negotiated connection handover if
wpa_supplicant control interface is not available.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-15 00:31:32 +03:00
Jouni Malinen
0b04d3c578 dpp-nfc: Allow wpa_supplicant control interface directory to be set
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-14 21:52:09 +03:00
Jouni Malinen
69dfbe6a93 dpp-nfc: Use Configurator/Enrollee parameters with tag reading
This was previously done only for the negotiated connection handover
case, but the same parameters are useful for the tag reading cases (URI
record and static handover).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-14 21:46:50 +03:00
Jouni Malinen
f85fb349fd dpp-nfc: More robust determination of the script directory
Make it more robust to import wpaspy regardless of how dpp-nfc.py is
being executed.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-14 21:29:25 +03:00
Jouni Malinen
47323a6f50 tests: sigma_dut DPP/QR AP as chirping Enrollee
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-13 17:59:05 +03:00
Jouni Malinen
d5b596996e tests: DPP chirp by an AP
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-13 17:59:05 +03:00
Jouni Malinen
98e4b38403 DPP2: Chirping in hostapd Enrollee
Add a new hostapd control interface command "DPP_CHIRP own=<BI ID>
iter=<count>" to request chirping, i.e., sending of Presence
Announcement frames, to be started. This follows the model of similar
wpa_supplicant functionality from commit 562f77144c ("DPP2: Chirping
in wpa_supplicant Enrollee"). The hostapd case requires the AP to be
started without beaconing, i.e., with start_disabled=1 in hostapd
configuration, to allow iteration of channels needed for chirping.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-13 17:59:05 +03:00
Jouni Malinen
95471fc3e8 Handle hostapd_for_each_interface() at the process termination
Clean struct hapd_interfaces pointers and interface count during
deinitialization at the end of theh ostapd process termination so that a
call to hostapd_for_each_interface() after this does not end up
dereferencing freed memory. Such cases do not exist before this commit,
but can be added after this, e.g., for DPP needs.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-13 17:39:01 +03:00
Jouni Malinen
99809c7a44 nl80211: Disable offchannel-ok in AP mode only if beaconing
When hostapd is started without beaconing (start_disabled=1), Public
Action frame transmission command through nl80211 needs to allow
offchannel operations regardless of the operating channel configuration.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-13 17:09:52 +03:00
Jouni Malinen
0f58c88fc3 DPP2: Fix CONFIG_DPP2=y build with OpenSSL 1.0.2
This file needs the EVP_PKEY_get0_EC_KEY() compatibility wrapper just
like other DPP source code files using this function.

Fixes: 21c612017b ("DPP: Move configurator backup into a separate source code file")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-12 21:02:39 +03:00
Jouni Malinen
dff67270b5 tests: iftype parameter with GET_CAPABILITY key_mgmt
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-12 17:33:54 +03:00
Jouni Malinen
44f7866784 Clean up GET_CAPABILITY handling of 'strict' argument
There is no need to maintain a pointer to the substring "strict"; use a
bool instead.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-12 17:33:54 +03:00
Veerendranath Jakkam
3790f3a6ee Use per-interface type driver key_mgmt capabilities when possible
Use key_mgmt_iftype instead of key_mgmt when the specific interface type
is known by the context of the operation.

Use per interface type AKM capabilities in capa.key_mgmt_iftype array
based on the wpa_supplicant context instead of using capa.key_mgmt to
determine the driver AKM capability.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2020-05-12 17:33:54 +03:00
Veerendranath Jakkam
8d7502809c Allow per interface type AKM capabilities to be fetched
Add support to query per interface type AKM capabilities through the
control interface. For example, "GET_CAPABILITY key_mgmt
iftype=STATION".

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2020-05-12 17:33:54 +03:00
Veerendranath Jakkam
b67bedf2e3 nl80211: Fetch information on supported AKMs from the driver
The driver can advertise supported AKMs per wiphy and/or per interface.
Populate per interface supported AKMs based on the driver advertisement
in the following order of preference:
1. AKM suites advertised by NL80211_ATTR_IFTYPE_AKM_SUITES
2. AKM suites advertised by NL80211_ATTR_AKM_SUITES
If neither of these is available:
3. AKMs support is assumed as per legacy behavior.

In addition, extend other driver interface wrappers to set the
per-interface values based on the global capability indication.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2020-05-12 16:57:17 +03:00
Veerendranath Jakkam
6fffb320fc nl80211: Remove QCA vendor specific AKM capability handling
Since this functionality was not used for anything in practice, it is
easier to simply remove this functionality completely to avoid potential
conflicts in using the kernel tree upstream commit ab4dfa20534e
("cfg80211: Allow drivers to advertise supported AKM suites").

This is practically reverting the commit 8ec7c99ee4 ("nl80211: Fetch
supported AKM list from the driver").

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2020-05-12 16:41:22 +03:00
Jouni Malinen
644638819a tests: Additional sigma_dut DPP over TCP coverage
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-12 14:48:49 +03:00
Jouni Malinen
b37a1ec24f tests: DPP over TCP (Configurator initiates)
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-12 14:48:49 +03:00
Jouni Malinen
db59827a3c DPP2: Extend TCP encapsulation case to support Configurator as Initiator
This allows DPP_AUTH_INIT to be used with tcp_addr=<dst> argument and
Configurator parameters to perform Configurator initiated DPP
provisioning over TCP. Similarly, DPP_CONTROLLER_START can now be used
to specify Configurator/Enrollee roles and extend Controller to work in
Enrollee role.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-12 14:48:49 +03:00
Jouni Malinen
0086c14528 DPP: Extend NFC bootstrapping script for more control by caller
Add more parameters to dpp-nfc.py to allow it to be used with more
detailed control by the caller. This allows Enrollee/Configurator roles
to be selected and Configurator parameters to be specified on the
command line.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-12 00:57:44 +03:00