Commit graph

16229 commits

Author SHA1 Message Date
Jouni Malinen
ace3723d98 DPP2: Enterprise provisioning (Enrollee)
Add initial Enrollee functionality for provisioning enterprise (EAP-TLS)
configuration object. This commit is handling only the most basic case
and a number of TODO items remains to handle more complete CSR
generation and config object processing.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-16 18:26:06 +03:00
Jouni Malinen
6568e5d203 DPP2: Enterprise provisioning (Configurator)
Add Configurator functionality for provisioning enterprise (EAP-TLS)
configuration object.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-16 18:24:23 +03:00
Jouni Malinen
4643b2feec DPP2: Enterprise provisioning definitions for dot1x AKM
Add shared AKM definitions for provisioning enterprise (EAP-TLS)
credentials.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-16 18:24:23 +03:00
Jouni Malinen
812d52ae27 OpenSSL: Support EC key from private_key blob
Try to parse the private_key blob as an ECPrivateKey in addition to the
previously supported RSA and DSA.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-16 18:24:23 +03:00
Jouni Malinen
4b834df5e0 OpenSSL: Support PEM encoded chain from client_cert blob
Allow a chain of certificates to be configured through a client_cert
blob.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-16 18:24:23 +03:00
Jouni Malinen
68ac45d53c GAS server: Support comeback delay from the request handler
Allow GAS request handler function to request comeback delay before
providing the response.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-15 23:56:06 +03:00
Jouni Malinen
608adae5ba JSON: Add base64 helper functions
These functions are similar to the base64url helpers but with the base64
(not url) alphabet.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-15 20:19:19 +03:00
Jouni Malinen
c7e6dbdad8 base64: Add no-LF variant for encoding
base64_encode_no_lf() is otherwise identical to base64_encode(), but it
does not add line-feeds to split the output.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-15 20:18:12 +03:00
Jouni Malinen
6dc2c0118a Update DFS terminology in attribute value documentation
Use "client device" as the term for the device that operates under a
guidance of the device responsible for enforcing DFS rules.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-11 21:53:24 +03:00
Muna Sinada
621745917f Allow HE-without-VHT to add the Channel Switch Wrapper element
Modify the check for VHT to include an option for HE in
hostapd_eid_wb_chsw_wrapper() and its callers to allow the Channel
Switch Wrapper element with the Wide Bandwidth Channel Switch subelement
to be included in Beacon and Probe Response frames when AP is operating
in HE mode without VHT.

Signed-off-by: Muna Sinada <msinada@codeaurora.org>
2020-06-11 00:56:45 +03:00
Muna Sinada
d51b1b7a66 Move hostapd_eid_wb_chsw_wrapper() to non-VHT-specific file
Move hostapd_eid_wb_chsw_wrapper() from VHT specific ieee802_11_vht.c to
ieee802_11.c since this can be used for both HE and VHT. This commit
does not change any functionality to enable the HE use case, i.e., the
function is just moved as-is.

Signed-off-by: Muna Sinada <msinada@codeaurora.org>
2020-06-11 00:53:26 +03:00
Rajkumar Manoharan
1f72bbbefb AP: Reject association request upon invalid HE capabilities
Operation in the 6 GHz band mandates valid HE capabilities element in
station negotiation. Reject association request upon receiving invalid
or missing HE elements.

Signed-off-by: Rajkumar Manoharan <rmanohar@codeaurora.org>
2020-06-10 21:34:38 +03:00
Rajkumar Manoharan
088bef1786 AP: Restrict Vendor VHT to 2.4 GHz only
Vendor VHT IE is used only on the 2.4 GHz band. Restrict the use of
vendor VHT element to 2.4 GHz. This will ensure that invalid/wrong user
configuration will not impact beacon data in other than the 2.4 GHz
band.

Signed-off-by: Rajkumar Manoharan <rmanohar@codeaurora.org>
2020-06-10 21:30:50 +03:00
Rajkumar Manoharan
6a34bd3007 HE: Use device HE capability instead of HT/VHT for 6 GHz IEs
Previously, 6 GHz Band Capability element was derived from HT and VHT
capabilities of the device. Removes such unnecessary dependency by
relying directly on the HE capability.

In addition, clean up the struct ieee80211_he_6ghz_band_cap definition
to use a 16-bit little endian field instead of two 8-bit fields to match
the definition in P802.11ax.

Signed-off-by: Rajkumar Manoharan <rmanohar@codeaurora.org>
2020-06-10 21:23:24 +03:00
Rajkumar Manoharan
9272ebae83 nl80211: Fetch HE 6 GHz capability from the driver
Read mode specific HE 6 GHz capability from phy info. This is needed
for futher user config validation and IE construction.

Signed-off-by: Rajkumar Manoharan <rmanohar@codeaurora.org>
2020-06-10 21:14:56 +03:00
Jouni Malinen
f25c51a9f4 Sync with mac80211-next.git include/uapi/linux/nl80211.h
This brings in nl80211 definitions as of 2020-05-31.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-06-10 21:12:44 +03:00
Brian Norris
1ce2a4fbea tests: Add all-blacklist test
Signed-off-by: Brian Norris <briannorris@chromium.org>
2020-06-10 21:12:44 +03:00
Brian Norris
ddd821365a tests: Skip malformed SAE authentication frames
The parsed 'length' field might pointsbeyond the end of the frame, for
some malformed frames. I haven't figured the source of said packets (I'm
using kernel 4.14.177, FWIW), but we can at least be safer about our
handling of them here.

Signed-off-by: Brian Norris <briannorris@chromium.org>
2020-06-10 21:12:44 +03:00
Johannes Berg
2f9e2f9044 tests: Check for mac80211_hwsim module before loading it
Instead of checking if the kernel allows modules (via the presence of
/proc/modules), check if mac80211_hwsim is already there and load it
only if not. This gets rid of some ugly prints from modprobe in case
code isn't even a module and cannot be found, etc.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2020-06-10 21:12:44 +03:00
Johannes Berg
4dd712bd36 tests: Use bytes in a few places
With python3 bytes are returned for stdout, so need to use b''
strings instead of normal strings. These are just a few places
I ran into, almost certainly more places need it.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2020-06-10 21:12:44 +03:00
Johannes Berg
db294952bb tests: Set VHT160 or VHT160-80PLUS80 capability
If we want the test to actually use 160/80+80 we need to explicitly
advertise that we support it ourselves, since the kernel is going to be
a bit more strict about this.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2020-06-10 21:12:44 +03:00
Jouni Malinen
518be614f1 SAE-PK: Advertise RSNXE capability bit in STA mode
Set the SAE-PK capability bit in RSNXE when sending out (Re)Association
Request frame for a network profile that allows use of SAE-PK.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-10 12:47:07 +03:00
Jouni Malinen
de36f6b7b3 tests: SAE-PK with group 21
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-10 12:47:07 +03:00
Jouni Malinen
a77d6d2203 SAE-PK: Update SAE confirm IE design
Move the FILS Public Key element and the FILS Key Confirmation element
to be separate IEs instead of being encapsulated within the SAE-PK
element. This is also removing the unnecessary length field for the
fixed-length EncryptedModifier.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-10 12:47:07 +03:00
Jouni Malinen
f0704e7273 tests: Clean up SAE-PK parameter use
Use the global variables instead of copies of same values.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-10 12:47:07 +03:00
Jouni Malinen
cad9ae1dc4 tests: SAE-PK with different SAE group combinations
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-10 12:47:07 +03:00
Jouni Malinen
363dbf1ece SAE-PK: Remove requirement of SAE group matching SAE-PK (K_AP) group
This was clarified in the draft specification to not be a mandatory
requirement for the AP and STA to enforce, i.e., matching security level
is a recommendation for AP configuration rather than a protocol
requirement.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-10 12:46:49 +03:00
Jouni Malinen
2e80aeae4a WPS UPnP: Support build on OS X
Define MAC address fetching for OS X (by reusing the existing FreeBSD
implementation) to allow full compile testing of the WPS implementation
on a more BSD-like platform.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-09 12:48:13 +03:00
Jouni Malinen
f119f8a04a WPS UPnP: Fix FreeBSD build
struct ifreq does not include the ifr_netmask alternative on FreeBSD, so
replace that more specific name with ifr_addr that works with both Linux
and FreeBSD.

Fixes: 5b78c8f961 ("WPS UPnP: Do not allow event subscriptions with URLs to other networks")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-09 12:43:53 +03:00
Jouni Malinen
892ac42bdc tests: wpa_supplicant global pmf parameter
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-09 00:59:26 +03:00
Jouni Malinen
cc2d03601b HS 2.0: Use global pmf=2 for the created network block
Previously, PMF support was enabled in optional mode (ieee80211w=1) for
Hotspot 2.0 network blocks automatically. This did not consider the
global PMF parameter and unconditionally changed that value to optional.
Since the newly added network block had an explicit ieee80211w
parameter, this overrode the global parameter. To make this less
surprising, use the global pmf parameter value to select whether to add
network blocks for Hotspot 2.0 with PMF being optionally enabled (pmf=0
or pmf=1) or required (pmf=2).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-09 00:55:13 +03:00
Subrat Dash
790026c3da Allow TX queue parameters to be configured for wpa_supplicant AP/P2P GO
Allow user to configure the TX queue parameters through the
wpa_supplicant configuration file similarly to the way these can be set
in hostapd.

Parse the tx_queue_* parameters in the wpa_supplicant configuration file
and update the TX queue configuration to the AP/P2P GO interface in the
function wpa_supplicant_create_ap().

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-09 00:29:42 +03:00
Jouni Malinen
c7cb42d531 Remove unused enum values
The last user of these was removed in commit 17fbb751e1 ("Remove user
space client MLME") and there is no need to maintain these unused values
anymore.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-09 00:21:06 +03:00
Subrat Dash
411e42673f Move local TX queue parameter parser into a common file
This allows the same implementation to be used for wpa_supplicant as
well.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-09 00:17:39 +03:00
Jouni Malinen
78c1cb8868 tests: OWE transition mode BSSID mismatches
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-08 21:43:41 +03:00
Jouni Malinen
fcef598ea2 Do not try to connect with zero-length SSID
It was possible to find a BSS to local network profile match for a BSS
entry that has no known SSID when going through some of the SSID
wildcard cases. At leas the OWE transition mode case without BSSID match
could result in hitting this. Zero-length SSID (i.e., wildcard SSID) is
not valid in (Re)Association Request frame, so such an association will
fail. Skip such a BSS to avoid known-to-be-failing association attempts.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-08 21:40:56 +03:00
Jouni Malinen
9a0807ce36 tests: sigma_dut controlled AP using SAE-PK misbehavior
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-08 20:00:14 +03:00
Jouni Malinen
5a8b366233 tests: Make SAE-PK test cases more robust
Clear scan results explicitly in test cases that check BSS entry flags
to avoid incorrect failures based on results from earlier test cases.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-08 17:48:57 +03:00
Jouni Malinen
85aac526af WPS UPnP: Handle HTTP initiation failures for events more properly
While it is appropriate to try to retransmit the event to another
callback URL on a failure to initiate the HTTP client connection, there
is no point in trying the exact same operation multiple times in a row.
Replve the event_retry() calls with event_addr_failure() for these cases
to avoid busy loops trying to repeat the same failing operation.

These potential busy loops would go through eloop callbacks, so the
process is not completely stuck on handling them, but unnecessary CPU
would be used to process the continues retries that will keep failing
for the same reason.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-08 17:14:45 +03:00
Jouni Malinen
f7d268864a WPS UPnP: Fix event message generation using a long URL path
More than about 700 character URL ended up overflowing the wpabuf used
for building the event notification and this resulted in the wpabuf
buffer overflow checks terminating the hostapd process. Fix this by
allocating the buffer to be large enough to contain the full URL path.
However, since that around 700 character limit has been the practical
limit for more than ten years, start explicitly enforcing that as the
limit or the callback URLs since any longer ones had not worked before
and there is no need to enable them now either.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-08 17:12:20 +03:00
Jouni Malinen
5b78c8f961 WPS UPnP: Do not allow event subscriptions with URLs to other networks
The UPnP Device Architecture 2.0 specification errata ("UDA errata
16-04-2020.docx") addresses a problem with notifications being allowed
to go out to other domains by disallowing such cases. Do such filtering
for the notification callback URLs to avoid undesired connections to
external networks based on subscriptions that any device in the local
network could request when WPS support for external registrars is
enabled (the upnp_iface parameter in hostapd configuration).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-08 17:12:20 +03:00
Jouni Malinen
e30dcda3b1 SAE-PK: Fix FILS Public Key element Key Type for ECDSA
Use value 2 to point to RFC 5480 which describes the explicit
indicatiotion of the public key being in compressed form.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-08 17:11:06 +03:00
Jouni Malinen
4c3fbb2346 SAE-PK: Check minimum password length more accurate
Get the Sec value from the password to check the minimum length based on
the used Sec.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-08 17:11:06 +03:00
Jouni Malinen
43a191b890 tests: Remove too short SAE-PK passwords
This is in preparation of implementation changes to check SAE-PK
password length more accurately based on the Sec value.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-08 17:11:06 +03:00
Jouni Malinen
232705e3c4 tests: SAE-PK AP misbehavior
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-08 15:21:18 +03:00
Jouni Malinen
4ff0df39eb SAE-PK: Testing functionality to allow behavior overrides
The new sae_commit_status and sae_pk_omit configuration parameters and
an extra key at the end of sae_password pk argument can be used to
override SAE-PK behavior for testing purposes.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-08 15:21:18 +03:00
Jouni Malinen
3a6e674adf tests: sigma_dut controlled AP and transition disabled indication change
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-07 17:07:57 +03:00
Jouni Malinen
0c4ffce464 Allow transition_disable updates during the lifetime of a BSS
This is mainly for testing purposes to allow more convenient checking of
station behavior when a transition mode is disabled.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-07 17:06:52 +03:00
Jouni Malinen
6d72833236 tests: SAE-PK mixed deployment
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-07 16:50:09 +03:00
Jouni Malinen
5f48d36b4a SAE-PK: Select SAE-PK network over SAE without PK
If there is an acceptable BSS with SAE-PK enabled in the same ESS,
select that over a BSS that does not enable SAE-PK when the network
profile uses automatic SAE-PK selection.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-07 16:49:07 +03:00