Commit graph

11976 commits

Author SHA1 Message Date
Jouni Malinen
da24c5aa1c FILS: Set TK after association (AP)
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-26 00:41:04 +03:00
Jouni Malinen
07e0117d21 FILS: Mark connection fully authorized after FILS Association (AP)
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-26 00:20:04 +03:00
Jouni Malinen
706df4291b FILS: Association Response processing (STA)
Decrypt the AES-SIV protected elements and verify Key-Auth. Parse and
configure keys to the driver.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-26 00:20:04 +03:00
Jouni Malinen
e73ffa0925 FILS: Add Association Response frame elements and encrypt them (AP)
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-25 20:42:52 +03:00
Jouni Malinen
78815f3dde FILS: Decrypt Association Request elements and check Key-Auth (AP)
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-25 20:42:52 +03:00
Jouni Malinen
86cd6928e0 FILS: Add elements to FILS Association Request frame
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-25 20:01:06 +03:00
Jouni Malinen
ac56c39532 driver: Add option to pass FILS KEK/AAD to the driver for association
This allows the FILS KEK and AAD data (nonces) to be configured to the
driver for association so that the driver can encrypt the
(Re)Association Request frame and decrypt the (Re)Association Response
frame.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-24 23:07:56 +03:00
Sunil Dutt
783c2920cc P2P: Check if the pref_freq reported by the driver supports P2P
Filter out get_pref_freq_list() (i.e.,
QCA_NL80211_VENDOR_SUBCMD_GET_PREFERRED_FREQ_LIST) output in case of
channel negotiation by removing channels that do not allow P2P operation
at all. Previously, only the explicitly disallowed channels were removed
and that could have resulted in selecting an operating channel that is
not allowed for P2P and failing to complete the operation to start the
group.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-24 18:37:27 +03:00
Jouni Malinen
a660993772 FILS: Authentication frame processing (STA)
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-22 23:28:36 +03:00
Jouni Malinen
c4fd6d8aa8 FILS: Process FILS Authentication frame (AP)
This implements processing of FILS Authentication frame for FILS shared
key authentication with ERP and PMKSA caching.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-22 23:27:01 +03:00
Jouni Malinen
ffb62f2272 FILS: Add a helper function for status code conversion
This will allow the existing code to be reused for FILS needs.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-22 23:27:01 +03:00
Jouni Malinen
c1bd4bac5f FILS: Extend wpa_auth_pmksa_get() to support PMKID matching
This is needed for FILS processing to enable PMKSA caching.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-22 23:13:17 +03:00
Jouni Malinen
c30bd28b14 FILS: Export IEEE 802.1X helper functions
ieee802_1x_encapsulate_radius() and ieee802_1x_alloc_eapol_sm() need to
be called from FILS processing.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-22 23:13:17 +03:00
Jouni Malinen
a6228b8ed6 ERP: Update client identity based on EAP-Initiate/Re-auth
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-22 23:13:17 +03:00
Jouni Malinen
f00b9b8864 FILS: Try to use FILS authentication if PMKSA or ERP entry is available
If a PMKSA cache entry for the target AP is available, try to use FILS
with PMKSA caching.

If an ERP key for the target AP is available, try to use FILS with
EAP-Initiate/Re-auth added as Wrapper Data element.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-22 23:13:17 +03:00
Jouni Malinen
2c2c557917 SME: Clear possibly used WPA/RSN IE for new connection
This was already done in the case SME in the driver is used, but the SME
code path was resetting the local WPA/RSN IE only for association. While
that was fine for existing use cases, FILS needs a new RSN IE to be set
for PMKSA caching case in Authentication frames, so clear the local IE
before starting new authentication.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-22 22:55:27 +03:00
Jouni Malinen
0866ed004d WPA: Add debug print for not-update-own-IEs case
This makes it easier to understand debug logs related to own WPA/RSN IE
selection.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-22 22:55:27 +03:00
Jouni Malinen
14de9e31c4 FILS: Include wpa_insert_pmkid() in non-FT builds
This function is needed for FILS as well as FT.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-22 22:55:27 +03:00
Jouni Malinen
de57d87353 ERP: Make eap_peer_finish() callable
This is needed for FILS to process EAP-Finish/Re-auth.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-22 18:26:00 +03:00
Jouni Malinen
c28767e11c ERP: Make eap_peer_erp_reauth_start() available
This needs to be callable through the EAPOL supplicant wrappers to allow
FILS implementation to use ERP.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-22 18:25:50 +03:00
Jouni Malinen
5b092fb63f nl80211: Make full (Re)Association Response frame available
This is needed for FILS processing since AAD includes data before the
first element.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-22 18:12:11 +03:00
Jouni Malinen
2aa1e48a45 FILS: Do not clear PTK on FILS Auth/Assoc (AP)
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-22 18:11:14 +03:00
Jouni Malinen
a852ab4c72 FILS: Key-Auth derivation function for FILS SK
This implements Key-Auth derivation for (Re)Association Request frames
(see P802.11ai/D11.0 12.12.2.6.2) and (Re)Association Response frames
(see P802.11ai/D11.0 12.12.2.6.3).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-22 17:51:43 +03:00
Jouni Malinen
c089bc5725 FILS: PMK-to-PTK key derivation for FILS authentication
This is the PTKSA key derivation used as part of the FILS authentication
exchange. See P802.11ai/D11.0 12.12.2.5.3.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-22 17:51:43 +03:00
Jouni Malinen
ce16c489d8 Rename sae_data to more generic auth_data
This makes it cleaner for the FILS implementation to use the same design
for setting Authentication frame elements as was already done with SAE.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-22 17:51:43 +03:00
Lior David
6eb1a569ca Add QCA vendor command/attr for low level DMG(11ad) RF sector control
Add operations to allow low level control over RF sectors in QCA DMG
(11ad) chipsets. Operations include getting/setting the configuration of
a specific sector, as well as getting/setting the selected sector which
the HW uses to communicate with a specific station.

Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
2016-10-17 11:43:57 +03:00
Jouni Malinen
a2675b3232 wpa_cli: Mark number of char *cmd constant
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-10-16 12:30:32 +03:00
Jouni Malinen
e097556eef hostapd_cli: Mark number of char *cmd constant
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-10-16 12:30:32 +03:00
Mikael Kanstrup
c43cf332c0 wpa_cli: Add completion for ssid config commands
Add network id command completion support for identity, password,
new_password, pin, otp, passphrase, sim and bssid commands.

Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
2016-10-16 12:29:39 +03:00
Mikael Kanstrup
624259d4b7 wpa_cli: Add completion for sta, deauthenticate and disassociate
Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
2016-10-16 12:28:42 +03:00
Mikael Kanstrup
4c43f44b29 cli: Add list_sta command
Add list_sta command to print addresses of all stations. Command
added to both wpa_cli and hostapd_cli.

Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
2016-10-16 12:28:02 +03:00
Mikael Kanstrup
85bab32522 hostapd_cli: Process events received following control iface commands
Events received as an immediate result of control interface commands
end up on the control request message callback function instead of
the registered read socket. This makes for example the station list
used for complete functions for disassociate and deauthenticate out
of sync. Process events in the message callback function too to ensure
no events are missed.

Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
2016-10-16 12:26:52 +03:00
Mikael Kanstrup
e054a4333e hostapd_cli: Refactor control iface reconnects with common helper
Code for connecting/reconnecting to the hostapd control interface
is found duplicated a number of times. Create a common reconnect
helper function to avoid code duplication.

Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
2016-10-16 12:26:42 +03:00
Mikael Kanstrup
aa2ab916ef hostapd_cli: Refresh stations list on control interface reconnect
Whenever reconnecting the control interface the hostapd station list
is unknown as stations might have dropped or connected. Refresh the
list of stations used for command completion on cli connect, reconnect
and interface change.

Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
2016-10-16 12:13:07 +03:00
Mikael Kanstrup
839e4a8a98 hostapd_cli: Add completion for sta command
Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
2016-10-16 11:55:02 +03:00
Mikael Kanstrup
bc4b680c22 hostapd_cli: Enable command completion and history for Android
Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
2016-10-16 11:55:02 +03:00
Mikael Kanstrup
cf296a23d5 hostapd_cli: Add support for cli history file
Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
2016-10-16 11:55:02 +03:00
Mikael Kanstrup
c650f92916 hostapd: Add CONFIG_WPA_CLI_EDIT to defconfig
As hostapd_cli now supports command completion add documentation
of the config option to defconfig. Disabled per default.

Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
2016-10-16 11:55:02 +03:00
Benjamin Richter
5d30f927ea wpa_supplicant: Restore permanent MAC address on reassociation
With mac_addr=0 and preassoc_mac_addr=1, the permanent MAC address
should be restored for association. Previously this did not happen when
reassociating to the same ESS.

Signed-off-by: Benjamin Richter <br@waldteufel.eu>
2016-10-16 11:44:34 +03:00
Avraham Stern
e3e2fe3a42 Always propagate scan results to all interfaces
Scan results were not propagated to all interfaces if scan results
started a new operation, in order to prevent concurrent operations. But
this can cause other interfaces to trigger a new scan when scan results
are already available. Instead, always notify other interfaces of the
scan results, but note that new operations are not allowed.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2016-10-15 19:13:30 +03:00
Joel Cunningham
33111c910b Check for NULL qsort() base pointers
There are a couple of places in wpa_supplicant/hostapd where qsort() can
be called with a NULL base pointer. This results in undefined behavior
according to the C standard and with some standard C libraries (ARM RVCT
2.2) results in a data abort/memory exception. Fix this by skipping such
calls since there is nothing needing to be sorted.

Signed-off-by: Joel Cunningham <joel.cunningham@me.com>
2016-10-15 18:58:27 +03:00
Jouni Malinen
74b23fafe9 tests: WPS PBC with two APs advertising same SSID
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-11 00:30:15 +03:00
Jouni Malinen
4b5b8a53a1 WPS: Force BSSID for WPS provisioning step connection
This was already done for most driver cases, but it is possible that the
BSSID/frequency is not forced if the driver reports BSS selection
capability (e.g., NL80211_ATTR_ROAM_SUPPORT). That could potentially
result in the driver ignoring the BSSID/frequency hint and associating
with another (incorrect) AP for the WPS provisioning step if that
another AP in the same ESS is more preferred (e.g., better signal
strength) by the driver and only one of the APs (the not preferred one)
is in active WPS registrar state.

While most drivers follow the BSSID hint for the initial connection to
an ESS, not doing it here for the WPS provisioning would break the
protocol. Fix this by enforcing a single BSSID/frequency to disallow the
driver from selecting an incorrect AP for the WPS provisioning
association.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-11 00:25:20 +03:00
Jouni Malinen
bf07e05349 ERP: Do not pass full EAP header to eap_peer_erp_reauth_start()
That function does not need the full EAP header -- it only needs to know
which EAP identifier to use in the message. Make this usable for cases
where the previous EAP message may not exist (FILS).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-10 21:11:47 +03:00
Jouni Malinen
2449791b8e FILS: Update EAPOL-Key Descriptor Version RX rules (AP)
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-10 21:11:47 +03:00
Jouni Malinen
16eb485806 FILS: Handle Group Key msg 1/2 without MIC when using AEAD cipher (STA)
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-10 21:11:47 +03:00
Jouni Malinen
75c8563e05 FILS: Perform AEAD processing after PTK has been confirmed
This covers EAPOL-Key frames other than 2/4 that needed special handling
to confirm PTK.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-10 21:11:47 +03:00
Jouni Malinen
0ab1dd0106 FILS: Use AEAD cipher to check received EAPOL-Key frames (STA)
This changes 4-way handshake authenticator processing to decrypt the
EAPOL-Key frames using an AEAD cipher (AES-SIV with FILS AKMs) before
processing the Key Data field. This replaces Key MIC validation for the
cases where AEAD cipher is used.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-10 21:11:47 +03:00
Jouni Malinen
b729fd8df9 FILS: Use AEAD cipher to protect EAPOL-Key frames (AP)
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-10 21:11:47 +03:00
Jouni Malinen
3b5b7aa8fb FILS: Use AEAD cipher to check received EAPOL-Key frames (AP)
This changes 4-way handshake authenticator processing to decrypt the
EAPOL-Key frames using an AEAD cipher (AES-SIV with FILS AKMs) before
processing the Key Data field. This replaces Key MIC validation for the
cases where AEAD cipher is used. This needs to move the EAPOL-Key msg
2/4 RSN element processing to happen only after the PTK has been derived
and validated. That is done for all AKMs to avoid extra complexity with
having to maintain two code paths for this.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-10 21:11:47 +03:00